How can we prevent someone from entering config mode without restricting config access?

Network.Learner
Level 1

Hi Team,

Without removing config-mode access, how can we prevent someone from entering config mode?

Can you please share some ideas?

Requirement:

The L1 team has access to config mode, but we don't want them to enter config mode and run any commands. Without restricting config access for the entire team, how can we achieve this?

4 Replies

Sergiu.Daniluk
VIP Alumni

Hi @Network.Learner 

Since you wrote in the DC Switches topic category, I suppose you have a Nexus switch. 

Nexus switches use RBAC to limit which operations different user accounts can perform. Using this functionality, you can create a role such as L1user and assign all L1 team members to it.

Example:

role name L1user
  rule 1 deny command configure terminal

username user1 password $tr0ngP@ssw0rd role L1user

Stay safe,

Sergiu
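To show what the role above actually does, here is an added example (not code from the thread or from Cisco) that parses a constructed NX-OS-style running-config snippet, models a simplified version of NX-OS rule evaluation, and lists which users can still reach `configure terminal`. It assumes the evaluation order NX-OS documents for custom roles (highest rule number first, first match wins, no match means deny), treats `*` in a command rule as a wildcard, approximates `permit read` as "show commands", and treats a user with several roles as getting the union of what they permit; built-in roles, feature rules and interface/VLAN policies are left out.

```python
"""Audit which users of a Nexus-style RBAC config can enter config mode.

Added example, not from the thread. Simplified model of NX-OS rule evaluation
(assumption): rules are tried from the highest number down, the first rule whose
pattern matches decides, and a command matching no rule is denied.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the role/username example in the reply above.
RUNNING_CONFIG = """\
role name L1user
  rule 2 permit read
  rule 1 deny command configure terminal

role name L2user
  rule 1 permit read-write

username user1 password $tr0ngP@ssw0rd role L1user
username user2 password $tr0ngP@ssw0rd role L2user
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny) (command|read|read-write)(?:\s+(.*))?$")


def parse_roles(config):
    """Return {role: [(num, action, kind, pattern), ...]}, highest rule number first."""
    roles = defaultdict(list)
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        m = re.match(r"role name (\S+)", stripped)
        if m:
            current = m.group(1)
            continue
        m = RULE_RE.match(stripped)
        if m and current:
            num, action, kind, pattern = m.groups()
            roles[current].append((int(num), action, kind, pattern))
    for rules in roles.values():
        rules.sort(key=lambda r: r[0], reverse=True)
    return dict(roles)


def parse_users(config):
    """Return {username: [roles]} from 'username ... role X' lines."""
    users = defaultdict(list)
    for line in config.splitlines():
        m = re.match(r"username (\S+) .*\brole (\S+)", line.strip())
        if m:
            users[m.group(1)].append(m.group(2))
    return dict(users)


def _pattern_to_regex(pattern):
    # Assumption: '*' in a command rule is a wildcard, everything else literal.
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def command_allowed(rules, command):
    """Apply the role's rules to one command; first match wins, default deny."""
    for _num, action, kind, pattern in rules:
        if kind == "read-write":
            return action == "permit"
        if kind == "read":
            if command.startswith("show"):  # approximation of NX-OS read operations
                return action == "permit"
            continue
        if re.fullmatch(_pattern_to_regex(pattern), command):
            return action == "permit"
    return False


def user_may_run(config, user, command):
    """Union of the user's roles (assumption): any permitting role is enough."""
    roles = parse_roles(config)
    return any(command_allowed(roles.get(r, []), command)
               for r in parse_users(config).get(user, []))


def users_who_can_configure(config):
    """Audit helper: sorted list of users that can still enter config mode."""
    return sorted(u for u in parse_users(config)
                  if user_may_run(config, u, "configure terminal"))


if __name__ == "__main__":
    print("users able to run 'configure terminal':", users_who_can_configure(RUNNING_CONFIG))
```

Running the block against `show running-config` output (instead of the constructed sample) gives a quick check that every L1 account really carries the restricted role and that no second role quietly re-grants `configure terminal`.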

Network.Learner
Level 1

@Sergiu.Daniluk,

Thanks for your suggestion...

Actually we do not want to restrict config access for anyone, but if we think about it logically, how can we avoid someone making a mistake in config mode? Maybe there are various processes we can apply to avoid config mistakes.

1. A four-eyes process (meaning when Engineer-1 is making the change in config mode, Engineer-2 also has to watch the screen and validate it to avoid any typo or other mistakes). Similarly, is there any other process we could adopt, based on your experience?

Sergiu.Daniluk
VIP Alumni

I see. So basically you are looking for a process in which the config is validated by a senior engineer before it is pushed to the devices.

Well, I can only say this: welcome to NetDevOps!

You can turn the config into code (a concept called Network as Code) and use a version-control system like Git to keep track of changes. Your junior network engineers make the changes and push them to Git, after which the senior engineers review and validate the changes and then push them to the network. I would suggest reading the following blogs for a better understanding of the concept:

https://blogs.cisco.com/developer/what-does-network-as-code-mean

https://blogs.cisco.com/developer/anatomy-of-netdevops

There are lots of orchestration tools that can help you adopt NetDevOps in your organization, but I would suggest you start by exploring Ansible and/or pyATS + Genie.

Hope it helps,

Sergiu
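The review step in that workflow can be partly automated so the senior engineer sees exactly what changed and cannot forget the risky lines. The following is an added example, not code from the thread, from Cisco, or from Ansible or pyATS: it diffs a candidate config (what the junior engineer committed) against the running config and refuses to mark the change as pushable when it touches configuration families that a constructed, placeholder policy reserves for senior approval, including the bare `shutdown` typo that the four-eyes process in the question is meant to catch. The configs, the policy patterns and the `senior_approved` flag are all assumptions for the example.

```python
"""Change-review gate for a Network-as-Code workflow (added example).

Compares a candidate config against the running config and blocks the push
when sensitive lines change without a recorded senior approval.
"""
import difflib
import re

# Constructed policy: line patterns that need senior approval. Placeholders only.
NEEDS_SENIOR_APPROVAL = [
    re.compile(r"^(no )?(aaa|username|role|tacacs-server|radius-server|feature)\b"),
    re.compile(r"^shutdown$"),  # bare 'shutdown' under an interface: the classic typo
    re.compile(r"^(no )?(ip route|vrf context)\b"),
]

# Constructed sample configs.
RUNNING = """\
hostname dc-leaf-01
interface Ethernet1/1
  description uplink-to-spine-01
  no shutdown
username user1 password $tr0ngP@ssw0rd role L1user
"""

CANDIDATE_SAFE = RUNNING.replace(
    "username", "interface Ethernet1/2\n  description server-rack-07\n  no shutdown\nusername")

CANDIDATE_TYPO = RUNNING.replace("  no shutdown", "  shutdown")

CANDIDATE_RISKY = RUNNING.replace("role L1user", "role network-admin")


def config_diff(running, candidate):
    """Return changed lines as (sign, text): '+' added, '-' removed."""
    diff = difflib.unified_diff(running.splitlines(), candidate.splitlines(),
                                fromfile="running", tofile="candidate",
                                lineterm="", n=0)
    changes = []
    for line in diff:
        if line.startswith(("--- ", "+++ ", "@@")):
            continue  # unified-diff headers, not config lines
        changes.append((line[0], line[1:]))
    return changes


def sensitive_changes(changes):
    """Subset of changes whose (stripped) text matches the approval policy."""
    return [(sign, text) for sign, text in changes
            if any(p.search(text.strip()) for p in NEEDS_SENIOR_APPROVAL)]


def review_gate(running, candidate, senior_approved=False):
    """Decide whether the candidate may be pushed.

    Returns (ok, findings). Ordinary changes pass on their own; changes that hit
    the policy pass only when a senior engineer has recorded approval.
    """
    changes = config_diff(running, candidate)
    if not changes:
        return True, ["no change"]
    findings = [f"{sign} {text}" for sign, text in changes]
    flagged = sensitive_changes(changes)
    if flagged and not senior_approved:
        findings.append(f"{len(flagged)} line(s) need senior approval before push")
        return False, findings
    return True, findings


if __name__ == "__main__":
    for name, cand in [("safe", CANDIDATE_SAFE), ("typo", CANDIDATE_TYPO),
                       ("risky", CANDIDATE_RISKY)]:
        ok, findings = review_gate(RUNNING, cand)
        print(name, "->", "push allowed" if ok else "blocked")
        for f in findings:
            print("   ", f)
```

In a Git-based pipeline this check would run on the merge request, with `senior_approved` set from the reviewer's approval on the request rather than passed by hand; the diff it prints is the same view the second pair of eyes would otherwise have to read off the first engineer's screen.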

Network.Learner
Level 1

@Sergiu.Daniluk

Thanks for your suggestion.
