[c-nsp] switchport trunk allowed vlan

Phil Mayers p.mayers at imperial.ac.uk
Mon Nov 1 10:33:56 EDT 2010


On 01/11/10 14:08, Keegan Holley wrote:
> On Mon, Nov 1, 2010 at 8:16 AM, Tim Durack<tdurack at gmail.com>  wrote:
>
>> On Mon, Nov 1, 2010 at 7:58 AM, Phil Mayers<p.mayers at imperial.ac.uk>
>> wrote:
>>> On 31/10/10 15:39, Keegan Holley wrote:
>>>>
>>>> If you are simply trying to disable a command have you thought about
>>>> doing so in tacacs?  It sounds like it would be simpler and it also has the
>>>> benefit of being centralized so you won't need to configure it on each
>>>> individual router.
>>>
>>> It also has the disadvantage of being centralised, so each router has to
>>> be configured to talk to a central point-of-failure.
>>>
>>> :o)
>>>
>>> +1 for wanting to disable this w/o TACACS
>>
>> Exactly. In my book, "simple" = less operational dependencies. (Plus
>> configuration management system carries the burden of making these
>> changes anyway.)
>>
>>
> I'm not sure I understand the drawback of TACACS.  It's obvious that
> redundancy is needed there.  If you're already using TACACS it seems easier
> to place it there.  I'm not sure I like the idea of a network using local
> auth everywhere but to each his own.  If you use EEM what's to stop other
> "senior" engineers from just removing the script temporarily?

Common sense?

There are places (e.g. where I work) where there is no senior/junior/ops 
hierarchy, and all people with access to routers are trusted 
approximately equivalently. Those places don't get a lot of value from 
TACACS for authorisation, and might therefore want the ability to filter 
"dangerous" commands (i.e. commands that trip you up) without the hassle 
of implementing TACACS.

Obviously many places will want TACACS for other reasons, and can get 
dangerous command filtering "for free".
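As an added illustration of the local (no-TACACS) approach discussed above, and not something posted by anyone in this thread, here is an EEM applet that refuses the bare form of the command in the subject line. The bare form `switchport trunk allowed vlan 10` replaces the whole allowed list on the trunk, which is the usual way this command trips people up; the `add`, `remove`, `except`, `all` and `none` forms are left alone. The applet name and the syslog text are my own choices; the `event cli ... sync yes` event, the `_cli_msg` built-in and setting `_exit_status` to 0 to suppress the command are standard IOS EEM features.

```cisco
! Added example (not from the thread): block the list-replacing form of
! "switchport trunk allowed vlan" with a local EEM applet instead of TACACS.
! The regex matches only when a VLAN number follows "vlan" directly, so
! "... vlan add 10" / "... vlan remove 10" / "... vlan all" still pass.
event manager applet deny-trunk-allowed-replace
 event cli pattern "switchport trunk allowed vlan [0-9]" sync yes
 ! $_cli_msg is the command the operator typed; log it so the refusal is visible
 action 1.0 syslog priority warnings msg "Refused '$_cli_msg': use 'switchport trunk allowed vlan add|remove ...' instead"
 ! exit status 0 tells EEM not to run the matched command at all
 action 2.0 set _exit_status 0
```

Because `sync yes` holds the command until the applet finishes, the operator sees the syslog line and the trunk's allowed list is untouched. The applet lives in the running-config of each box, so as the thread notes it guards against slips rather than against someone who chooses to delete it; a configuration management system that re-pushes the applet is the usual companion to it.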