> when a TAC engineer wanted to bounce our Voice VLAN SVI in the middle of an *airport* production day. I about turned over my desk trying to wrest the remote control session back from him before he hit enter on the shut. Since then, I have had to go through a not insignificant evaluation period of TAC engineers before I let them take control of a remote session, and it is now simply pure instinct to log SSH sessions.
Picture it: Cisco TAC, on a troubleshooting call, runs 'no ip routing' and hits enter before our engineer could scream "NO" at 11:30AM on a core L3 on a college campus.

RCA afterwards:

1. "Always log all terminals (we prefer SecureCRT) from Windows bastion host to OneDrive or Google Drive."
2. New CiscoTAC TACACS login created allowing Enable but denying "configure" as a command. When you troubleshoot, you log in as CiscoTAC. The CiscoTAC TACACS profile description in ClearPass makes it clear why it's there.

I left the curse words out.

-J

John C. Lyden
Associate Director, Network Operations
Division of Information Resources & Technology
Rowan University
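As an added illustration (not from either poster), one way the second remediation can be expressed: a Cisco IOS-side AAA configuration that sends privilege-15 and configuration-mode commands to the TACACS+ server for authorization and accounting, plus a server-side rule written in tac_plus syntax as a stand-in for the ClearPass enforcement profile the post mentions. The server address, shared secret and group names are placeholders.

```text
! ---- Device side (Cisco IOS / IOS-XE), assumed typical syntax ----
! Every privilege-15 command, and every command typed inside
! "configure terminal", is authorized by the TACACS+ server before it
! runs. "local" is only consulted if the server is unreachable.
aaa new-model
!
tacacs server CLEARPASS
 address ipv4 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET
!
aaa group server tacacs+ CLEARPASS-GROUP
 server name CLEARPASS
!
aaa authentication login default group CLEARPASS-GROUP local
aaa authorization exec default group CLEARPASS-GROUP local
aaa authorization commands 15 default group CLEARPASS-GROUP local
aaa authorization config-commands
! Accounting gives a server-side record of what the TAC session did,
! independent of the terminal log kept on the bastion host.
aaa accounting commands 15 default start-stop group CLEARPASS-GROUP
!
! ---- Server side (tac_plus syntax, standing in for ClearPass) ----
! The CiscoTAC account lands in enable (priv-lvl 15) so it can run the
! show/debug commands a troubleshooting session needs, but the one
! command that opens configuration mode is refused.
group = tac-troubleshoot-only {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    cmd = configure {
        deny .*
    }
}
user = CiscoTAC {
    member = tac-troubleshoot-only
}
```

With this in place, "configure terminal" from the CiscoTAC login is rejected at the prompt ("Command authorization failed"), so a 'no ip routing' cannot be entered from that session at all.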