05-28-2018 02:49 AM - edited 02-21-2020 10:57 AM
05-28-2018 05:41 AM
Hi
First of all, in your authorization policy, you need to uncheck the box "Permit any command that is not listed below" which means all commands not configured will be denied.
Then you can add a permit for the command interface without any arguments. If you want to allow only specific interfaces, you can add a regex argument like GigabitEthernet 0/[0-3] to give access to interfaces g0/0, g0/1, g0/2 and g0/3.
Then you can add a line with permit shut and another with permit command no and argument shut.
After building up this authz policy, commands like router [ospf|bgp|...] and description aren't present, so no authz is granted for those.
Thanks
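The command set described in the reply above can be checked offline before it is deployed. The following is an added example, not part of the original post and not ISE code: a simplified Python model of a deny-by-default command set. The entry layout, the function names and the whole-string regex matching are assumptions, so confirm the results against your own deployment.

```python
import re

# Command set modelled on the reply: (grant, command, argument regex).
# An empty pattern means "any arguments". This layout is an assumption
# made for the sketch, not an ISE export format.
COMMAND_SET = [
    ("permit", "interface", r"GigabitEthernet 0/[0-3]"),
    ("permit", "shut", ""),
    ("permit", "no", r"shut"),
]
# "Permit any command that is not listed below" left unchecked.
PERMIT_UNLISTED = False


def authorize(line, command_set=COMMAND_SET, permit_unlisted=PERMIT_UNLISTED):
    """Return 'permit' or 'deny' for one CLI line under the modelled set."""
    parts = line.split(None, 1)
    if not parts:
        return "deny"
    command = parts[0].lower()
    # Collapse repeated whitespace so the argument string is compared uniformly.
    args = " ".join(parts[1].split()) if len(parts) > 1 else ""
    for grant, cmd, pattern in command_set:
        if cmd.lower() != command:
            continue
        # Assumption: the pattern must cover the whole argument string.
        # With a partial match, "GigabitEthernet 0/30" would also pass [0-3].
        if pattern == "" or re.fullmatch(pattern, args, re.IGNORECASE):
            return grant
    return "permit" if permit_unlisted else "deny"


def audit(lines, **kwargs):
    """Map each test line to the decision the modelled policy gives it."""
    return {line: authorize(line, **kwargs) for line in lines}


# Constructed test lines: the cases the reply names plus boundary cases.
SAMPLE_LINES = [
    "interface GigabitEthernet 0/2", "interface GigabitEthernet 0/4",
    "interface GigabitEthernet 0/30", "shut", "no shut",
    "no ip address", "router ospf 1", "description uplink",
]

if __name__ == "__main__":
    for line, decision in audit(SAMPLE_LINES).items():
        print(f"{decision:6}  {line}")
```
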
05-28-2018 06:45 AM
05-28-2018 04:03 PM