On (2013-10-08 11:22 +0000), Sigurbjörn Birkir Lárusson wrote:

> I think the best solution here is tacacs+ with command authorization where
> reload in X is allowed, but all other forms are not, forcing you to

Fully agreed.

> This is also highly preferable for many other things (switchport trunk
> allowed vlan X instead of switchport trunk allowed vlan add X springs to
> mind)

Couldn't agree more. As well as 'no router isis' etc. :)

Maybe worth putting up somewhere BCP TACACS deny for dangerous commands.
Sadly I think it's not possible in TACACS to deny configuring member ports
of port-channels.

-- 
  ++ytti
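A small model of the per-command permit/deny matching discussed in this message, added here as an example (it is not from the post and is not any TACACS+ daemon's configuration or API). It assumes ordered regex rules per command keyword with first match winning; the policy, the `authorize` and `regressions` names and the test commands are constructed for illustration.

```python
import re

# Constructed policy: for each command keyword, ordered (action, regex) rules
# are matched against the arguments after the keyword; first match wins.
POLICY = {
    "reload": [
        ("permit", r"^in \d+(:\d\d)?$"),   # delayed reload only
        ("deny", r".*"),                   # every other form, including bare reload
    ],
    "switchport": [
        ("permit", r"^trunk allowed vlan (add|remove) [\d,-]+$"),
        ("deny", r"^trunk allowed vlan\b"),  # bare form replaces the whole list
        ("permit", r".*"),
    ],
    "no": [
        ("deny", r"^router isis\b"),
        ("permit", r".*"),
    ],
}
DEFAULT_ACTION = "permit"  # assumption: keywords without an entry are allowed


def authorize(command_line: str) -> str:
    """Return 'permit' or 'deny' for one command line under POLICY."""
    words = command_line.split()
    if not words:
        return "deny"
    keyword, args = words[0].lower(), " ".join(words[1:])
    for action, pattern in POLICY.get(keyword, []):
        if re.search(pattern, args, re.IGNORECASE):
            return action
    return DEFAULT_ACTION


# Constructed regression cases: run these before deploying a rule change.
EXPECTED = [
    ("reload in 10", "permit"),
    ("reload", "deny"),
    ("reload at 02:00", "deny"),
    ("switchport trunk allowed vlan add 100", "permit"),
    ("switchport trunk allowed vlan 100", "deny"),
    ("no router isis", "deny"),
    ("no shutdown", "permit"),
]


def regressions():
    """Return (command, wanted, got) for every case the policy gets wrong."""
    return [(c, w, authorize(c)) for c, w in EXPECTED if authorize(c) != w]


if __name__ == "__main__":
    print(regressions() or "policy matches all expected decisions")
```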