[c-nsp] "reload" command doesn't check command line parameters
Saku Ytti
saku at ytti.fi
Tue Oct 8 07:51:29 EDT 2013
On (2013-10-08 11:22 +0000), Sigurbjörn Birkir Lárusson wrote:

> I think the best solution here is tacacs+ with command authorization where
> reload in X is allowed, but all other forms are not, forcing you to

Fully agreed.

> This is also highly preferable for many other things (switchport trunk
> allowed vlan X instead of switchport trunk allowed vlan add X springs to
> mind)

Couldn't agree more. As well as 'no router isis' etc. :)

Maybe worth putting up somewhere BCP TACACS deny for dangerous commands. Sadly
I think it's not possible in TACACS to deny configuring member ports of
port-channels.
--
++ytti
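
The per-command authorization discussed in this message, sketched as an added example (not part of the original post, and not the configuration of any real TACACS+ server). The rule table, the regex patterns, the default-permit fallback and the sample command lines are all constructed assumptions.

```python
import re

# Constructed policy modelled on per-command authorization: the first word
# is the command, the rest are its arguments, and the first matching rule
# decides. The decision sees only the command line, not the config mode or
# interface it was typed under.
POLICY = {
    "reload": [("permit", r"^in \S+"),                 # "reload in X" only
               ("deny", r".*")],                       # every other form
    "switchport": [("deny", r"^trunk allowed vlan \d"),  # replaces the list
                   ("permit", r".*")],                 # "add X" and the rest
    "no": [("deny", r"^router isis"),
           ("permit", r".*")],
}

def authorize(line, policy=POLICY, default="permit"):
    """Return 'permit' or 'deny' for one command line."""
    words = line.split()
    if not words:
        return "deny"
    cmd, args = words[0].lower(), " ".join(words[1:])
    for action, pattern in policy.get(cmd, []):
        if re.search(pattern, args, re.IGNORECASE):
            return action
    return default  # assumption: commands without rules are allowed

# Constructed sample input
SAMPLES = [
    "reload",
    "reload in 10",
    "reload at 23:00",
    "switchport trunk allowed vlan 10,20",
    "switchport trunk allowed vlan add 10",
    "no router isis",
    "no shutdown",
    "show version",
]

def audit(lines=SAMPLES):
    """Map each sample command line to its authorization decision."""
    return {line: authorize(line) for line in lines}

if __name__ == "__main__":
    for line, decision in audit().items():
        print(f"{decision:6}  {line}")
```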