[c-nsp] "reload" command doesn't check command line parameters

Saku Ytti saku at ytti.fi
Tue Oct 8 07:51:29 EDT 2013


On (2013-10-08 11:22 +0000), Sigurbjörn Birkir Lárusson wrote:

> I think the best solution here is tacacs+ with command authorization where
> reload in X is allowed, but all other forms are not, forcing you to

Fully agreed.

> This is also highly preferable for many other things (switchport trunk
> allowed vlan X instead of switchport trunk allowed vlan add X springs to
> mind)

Couldn't agree more. As well as 'no router isis' etc. :)


Maybe worth putting up somewhere BCP TACACS deny for dangerous commands. Sadly
I think it's not possible in TACACS to deny configuring member ports of
port-channels.

-- 
  ++ytti
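An added example, not from the thread, of the command-authorization policy discussed above as a Shrubbery tac_plus configuration stanza (the device itself needs `aaa authorization commands 15 default group tacacs+`). The group and user names are assumed, and the patterns assume IOS sends the command's arguments as a space-separated string that tac_plus matches top to bottom, first match wins:

```conf
# Added example: tac_plus command authorization for the policy in the thread.
# Assumptions: group "netops" and user "operator1" are hypothetical; IOS sends
# the arguments of a command (everything after the first word) as one
# space-separated string, and tac_plus tries the permit/deny lines of the
# matching "cmd =" block in order, first match wins. Commands with no matching
# "cmd =" block are denied unless "default service = permit" is set.
group = netops {
    # "reload in <minutes>" is allowed; every other form (bare "reload",
    # "reload at ...", "reload cancel", ...) falls through to the deny.
    cmd = reload {
        permit "^in [0-9]"
        deny .*
    }

    # Incremental VLAN edits are allowed; the replace form
    # "switchport trunk allowed vlan 10" (which drops every other VLAN
    # from the trunk) is denied, and the other switchport forms stay usable.
    cmd = switchport {
        permit "^trunk allowed vlan add "
        permit "^trunk allowed vlan remove "
        deny   "^trunk allowed vlan "
        permit .*
    }

    # "no router isis" would remove the whole IGP; deny "no router ..."
    # while leaving other "no" forms usable.
    cmd = no {
        deny "^router "
        permit .*
    }

    # The rest of the day-to-day commands this group needs (not exhaustive).
    cmd = show { permit .* }
    cmd = configure { permit .* }
    cmd = interface { permit .* }
    cmd = description { permit .* }
    cmd = exit { permit .* }
    cmd = end { permit .* }
}

user = operator1 {
    member = netops
    login = file /etc/passwd
}
```

Because tac_plus returns the first matching line, the deny for the replace form must sit after the add/remove permits but before the catch-all `permit .*`.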