[c-nsp] switchport trunk allowed vlan

Keegan Holley keegan.holley at sungard.com
Mon Nov 1 10:08:59 EDT 2010


On Mon, Nov 1, 2010 at 8:16 AM, Tim Durack <tdurack at gmail.com> wrote:

> On Mon, Nov 1, 2010 at 7:58 AM, Phil Mayers <p.mayers at imperial.ac.uk>
> wrote:
> > On 31/10/10 15:39, Keegan Holley wrote:
> >>
> >> If you are simply trying to disable a command have you thought about doing
> >> so in tacacs?  It sounds like it would be simpler and it also has the
> >> benefit of being centralized so you won't need to configure it on each
> >> individual router.
> >
> > It also has the disadvantage of being centralised, so each router has to be
> > configured to talk to a central point-of-failure.
> >
> > :o)
> >
> > +1 for wanting to disable this w/o TACACS
>
> Exactly. In my book, "simple" = less operational dependencies. (Plus
> configuration management system carries the burden of making these
> changes anyway.)
>
>
I'm not sure I understand the drawback of TACACS.  It's obvious that
redundancy is needed there.  If you're already using TACACS it seems easier
to place it there.  I'm not sure I like the idea of a network using local
auth everywhere but to each his own.  If you use EEM what's to stop other
"senior" engineers from just removing the script temporarily?

