[c-nsp] Controlling allowed VLANs, alternatives?

Saku Ytti saku at ytti.fi
Wed Feb 17 05:07:25 EST 2010

On (2010-02-17 09:33 +0000), Phil Mayers wrote:

> alias interface tagvlan switchport trunk allowed vlan add
> alias interface detagvlan switchport trunk allowed vlan remove

> ...because forgetting that "add" and "remove" can do really really
> really bad things...

Agreed. Alternatives are using EEM or TACACS to deny execution of dangerous
commands. It is hard to find people who've worked with Cisco switches for a
few years who haven't made this mistake.
Also, a very common mistake we've denied in TACACS is 'no router isis'; people
sometimes type that in interface mode, forgetting the 'ip'.

While Cisco does provide rather poor quality software, it is still the
operator who breaks the network most typically. Hardware faults are a far
distant third. Yet when we design networks, we concentrate on avoiding
downtime from hardware faults.
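The two mistakes discussed in this thread (replacing the whole allowed-VLAN list by omitting `add`/`remove`, and typing `no router isis` where `no ip router isis` was meant) can also be caught before a change reaches the device. The following is an added example, not code from this thread or from Cisco: a small pre-push lint over a proposed IOS configuration snippet that tracks whether each line sits in interface or global context and flags both patterns, mirroring what the TACACS command deny list does at execution time. The regexes and the sample change set are constructed for illustration.

```python
import re
from typing import List, Tuple

# 'switchport trunk allowed vlan <x>' replaces the whole list unless <x> is
# 'add' or 'remove'.  ('except', 'all' and 'none' also replace the list, so
# they are treated as dangerous here too.)  Assumed simplification: IOS
# abbreviations such as 'sw tr al vl' are not expanded.
ALLOWED_VLAN_RE = re.compile(r"^switchport trunk allowed vlan(?:\s+(\S+))?")
SAFE_VLAN_KEYWORDS = {"add", "remove"}

# Global command that operators type in interface mode by mistake; IOS happily
# runs it at global level, removing the whole IS-IS process.
DANGEROUS_GLOBAL = {"no router isis": "use 'no ip router isis' on the interface"}


def lint_config(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, message) for every line that should be blocked.

    Context tracking: a line starting with 'interface ' enters interface
    mode; 'exit'/'end' return to global mode.  Sub-mode nesting beyond that
    is not modelled (assumption for this example).
    """
    findings: List[Tuple[int, str]] = []
    context = "global"
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip().lower()
        if not line or line.startswith("!"):
            continue                      # blank or comment line
        if line.startswith("interface "):
            context = line
            continue
        if line in ("exit", "end"):
            context = "global"
            continue

        m = ALLOWED_VLAN_RE.match(line)
        if m:
            keyword = m.group(1)
            if keyword is None:
                findings.append((lineno, "incomplete allowed-vlan command"))
            elif keyword not in SAFE_VLAN_KEYWORDS:
                findings.append((lineno,
                    f"replaces the entire allowed-VLAN list in '{context}'; "
                    "use 'add' or 'remove'"))

        if line in DANGEROUS_GLOBAL:
            findings.append((lineno,
                f"'{line}' typed in '{context}' removes the global IS-IS "
                f"process; {DANGEROUS_GLOBAL[line]}"))
    return findings


# Constructed sample change set: two bad lines, two acceptable ones.
SAMPLE_CHANGE = [
    "interface GigabitEthernet1/0/1",
    " switchport trunk allowed vlan 10,20",        # replaces the list
    " switchport trunk allowed vlan add 30",       # fine
    "exit",
    "interface GigabitEthernet1/0/2",
    " no router isis",                             # forgot the 'ip'
    " no ip router isis",                          # fine
]

if __name__ == "__main__":
    for lineno, msg in lint_config(SAMPLE_CHANGE):
        print(f"line {lineno}: {msg}")
```

Running the block reports line 2 and line 6 of the sample and lets the `add` form and the interface-level `no ip router isis` through; wiring such a check into the change-review step complements, rather than replaces, denying the commands in TACACS, since the lint only sees planned changes and not what is typed interactively.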


