[c-nsp] "reload" command doesn't check command line parameters

Peter Rathlev peter at rathlev.dk
Tue Oct 8 17:34:49 EDT 2013

On Tue, 2013-10-08 at 10:44 -0500, Josh wrote:
> In reply to Saku Ytti, I know of at least one tacacs implementation
> that allows for restricting configuration of members of a port
> channel.
> https://rubyforge.org/projects/tacacs-plus/

I haven't delved deeply into the code, but I'm almost certain it cannot
do that. What Saku describes demands that the TACACS+ server keeps state
between commands, saying you cannot do e.g. "switchport trunk allowed
vlan add <n>" after "interface GigabitEthernet<n>/<m>" if the latter has
"channel-group <n> [mode <s>]" as part of its configuration. Otherwise
you can.

Saku's sentence could be expanded a bit:

   I think it's not possible in TACACS to deny configuring member
   ports of port-channels [and not deny configuring regular physical
   interfaces that are not member ports].

It's technically not impossible to do, but since standard TACACS+ allows
for two back to back requests to be sent to two different servers it is
also not an easily solved problem.


More information about the cisco-nsp mailing list