[c-nsp] switchport trunk allowed vlan
Jeremy Bresley
brez at brezworks.com
Mon Nov 1 12:35:46 EDT 2010
On 11/1/2010 7:16 AM, Tim Durack wrote:
> On Mon, Nov 1, 2010 at 7:58 AM, Phil Mayers<p.mayers at imperial.ac.uk> wrote:
>> On 31/10/10 15:39, Keegan Holley wrote:
>>> If you are simply trying to disable a command have you thought about doing
>>> so in tacacs? It sounds like it would be simpler and it also has the
>>> benefit of being centralized so you won't need to configure it on each
>>> individual router.
>> It also has the disadvantage of being centralised, so each router has to be
>> configured to talk to a central point-of-failure.
>>
>> :o)
>>
>> +1 for wanting to disable this w/o TACACS
> Exactly. In my book, "simple" = less operational dependencies. (Plus
> configuration management system carries the burden of making these
> changes anyway.)
>
Every Cisco device I've used TACACS on (which is a pretty long list)
supports redundant TACACS servers for failover. If you have a
geographically dispersed network, put a TACACS server in a management
network in multiple sites/cities/states and you have geographic
redundancy. Treat the TACACS servers like you do your DNS/NTP servers.
If the primary server goes unavailable, it will go down the list trying
each of the other servers.

In a properly designed network, the only times I've had to use the
locally configured username/password is when the links into the site are
all down, or when routing to all of the TACACS servers is broken. With
TACACS command authorization and ACS, what you want to do is fairly
straightforward. I know it is possible to do on the freebie tac_plus as
well, as we were doing it 8 or 9 years ago back in IOS 10.3/11.X days
with it.
Hope this helps.
Jeremy "TheBrez" Bresley
brez at brezworks.com
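The reply above argues for TACACS+ with redundant servers and a local fallback; what follows is an added example, not from the thread or from anyone in it, of the router-side IOS AAA configuration that does this, with the server-side rule for the command in the subject line sketched in comments. Server addresses, the group name, the username and the REPLACE-ME secrets are assumed placeholders.

```cisco
! Added example (not from the thread): IOS AAA with two TACACS+ servers
! and local fallback, so command authorization survives a server outage.
! Addresses are constructed from the RFC 5737 documentation ranges; the
! group name, username and REPLACE-ME secrets are placeholders.
aaa new-model
!
! Both servers share one key; IOS tries them in the listed order and
! moves on only when the current server does not answer within timeout.
tacacs-server host 192.0.2.10
tacacs-server host 198.51.100.10
tacacs-server key 0 REPLACE-ME
tacacs-server timeout 3
!
aaa group server tacacs+ TAC-ALL
 server 192.0.2.10
 server 198.51.100.10
!
! "local" is consulted only when every server in the group is unreachable
! (an ERROR), never when a server explicitly rejects the login (a FAIL).
aaa authentication login default group TAC-ALL local
aaa authentication enable default group TAC-ALL enable
aaa authorization exec default group TAC-ALL local
!
! Per-command authorization: the server decides; if no server answers,
! an already-authenticated user keeps working (if-authenticated).
aaa authorization commands 1 default group TAC-ALL if-authenticated
aaa authorization commands 15 default group TAC-ALL if-authenticated
aaa authorization config-commands
aaa accounting commands 15 default start-stop group TAC-ALL
!
! Break-glass local account, used only when no server is reachable.
username breakglass privilege 15 secret REPLACE-ME
enable secret REPLACE-ME
!
! Server side, in Shrubbery tac_plus syntax (assumed; the thread does not
! show it): deny the subject-line command for one group, permit the rest.
! The deny string is a regex matched against the command's arguments.
!   group = netops {
!       default service = permit
!       cmd = switchport {
!           deny "trunk allowed vlan"
!           permit .*
!       }
!   }
```

Verify the fallback in a lab by making both servers unreachable before relying on it, and watch the tac_plus log for the authorization denials so you can see who is hitting the rule.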