[c-nsp] Disallowing "sw tru all vlan X" w/o "add" or "remove" (was: Maximum spannig tree instances)
Peter Rathlev
peter at rathlev.dk
Tue Jul 14 14:40:17 EDT 2009
On Tue, 2009-07-14 at 18:05 +0200, Gert Doering wrote:
> Mmmmh. If one does TACACS command authentication, one could
> investigate whether disallowing the "without-add/-delete" form of the
> command via TACACS works...
It does indeed. We use something similar to the configuration below for
"operators" who can do simple maintenance chores.
group = operator {
    # Everything not explicitly listed for this group is denied
    default service = deny
    login = PAM
    service = exec {
        priv-lvl = 15
    }
    ...
    # Command authorization: IOS sends "switchport" as the cmd and the rest of
    # the line as cmd-args, terminated by "<cr>". Because the patterns are
    # anchored with ^ and " <cr>$", only the add/remove forms carrying a single
    # VLAN in 100-199 match; the bare "switchport trunk allowed vlan X" form
    # matches nothing and falls through to deny.
    cmd = switchport {
        permit "^trunk allowed vlan add 1[0-9][0-9] <cr>$"
        permit "^trunk allowed vlan remove 1[0-9][0-9] <cr>$"
        ...
    }
    ...
}
Regards,
Peter
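To see what the two anchored permit lines above actually let through, here is an added example (not from the post or from tac_plus itself): a small Python re-implementation of how tac_plus evaluates a "cmd = X { permit <regex> }" block, run against a few constructed operator command lines. It assumes, as tac_plus and IOS behave, that the device reports the first word as cmd and the remaining words as cmd-args ending in "<cr>", that tac_plus space-joins the cmd-args and does an unanchored regex search, that the first matching rule wins, and that no match means deny. The UNANCHORED_RULES set is a hypothetical weak variant added only for contrast.

```python
import re

# Added example, not part of the original post: a re-implementation of the
# tac_plus "cmd = X { permit/deny <regex> }" evaluation, used to check which
# "switchport ..." lines the operator group from the post would be allowed.
# Assumptions (not stated on the page, taken from tac_plus/IOS behaviour):
#   * IOS sends the first word as cmd and each following word as a cmd-arg,
#     with a final cmd-arg of "<cr>"; tac_plus joins the cmd-args with spaces.
#   * Rules are tried in order, the first matching regex decides, and a
#     command with no matching rule (or no cmd block at all) is denied.

# The two anchored rules from the post.
OPERATOR_RULES = {
    "switchport": [
        ("permit", r"^trunk allowed vlan add 1[0-9][0-9] <cr>$"),
        ("permit", r"^trunk allowed vlan remove 1[0-9][0-9] <cr>$"),
    ],
}

# Hypothetical weak variant for contrast: same intent, but without the ^/$
# anchors and without the trailing "<cr>".
UNANCHORED_RULES = {
    "switchport": [
        ("permit", r"trunk allowed vlan add 1[0-9][0-9]"),
        ("permit", r"trunk allowed vlan remove 1[0-9][0-9]"),
    ],
}


def tacacs_arg_string(line):
    """Split an IOS command line the way the device reports it to TACACS+.

    Returns (cmd, cmd_args) where cmd_args is the space-joined argument
    string that tac_plus matches the permit/deny regexes against.
    """
    tokens = line.split()
    if not tokens:
        raise ValueError("empty command line")
    return tokens[0], " ".join(tokens[1:] + ["<cr>"])


def authorize(rules, line):
    """Return True if 'line' would be permitted under 'rules', else False."""
    cmd, args = tacacs_arg_string(line)
    for action, pattern in rules.get(cmd, []):
        # tac_plus does an unanchored search, which is why the post's
        # patterns carry explicit ^ and " <cr>$".
        if re.search(pattern, args):
            return action == "permit"
    return False  # implicit deny: no matching rule, or no block for this cmd


def compare(lines):
    """Evaluate each line under both rule sets: {line: (anchored, unanchored)}."""
    return {l: (authorize(OPERATOR_RULES, l), authorize(UNANCHORED_RULES, l))
            for l in lines}


# Constructed sample lines an operator might type (not from the post).
SAMPLE_LINES = [
    "switchport trunk allowed vlan add 150",         # intended: permitted
    "switchport trunk allowed vlan remove 199",      # intended: permitted
    "switchport trunk allowed vlan 150",             # bare form: must be denied
    "switchport trunk allowed vlan add 1500",        # VLAN outside 100-199
    "switchport trunk allowed vlan add 150,2-4094",  # list after a valid VLAN
    "switchport mode trunk",                         # no rule for it
    "shutdown",                                      # no cmd block at all
]

if __name__ == "__main__":
    for line, (anchored, loose) in compare(SAMPLE_LINES).items():
        a = "permit" if anchored else "deny"
        u = "permit" if loose else "deny"
        print(f"{line:45} anchored={a:6} unanchored={u}")
```

Under the anchored rules only the first two sample lines pass; the bare form, an out-of-range VLAN and a comma/range list are all denied. The unanchored variant still denies the bare form, but lets "add 1500" and "add 150,2-4094" through because the search only needs to find "add 150" somewhere in the argument string, which is the reason the post's patterns end in " <cr>$".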