04-22-2016 08:21 AM - edited 03-10-2019 11:42 PM
Hi guys,
I want to configure the TACACS+ server and add a rule so that if a user doesn't use the "add" keyword when defining a new VLAN on the trunk, the command gets denied.
For example:
switchport trunk allowed vlan add xx
They should not be able to use the plain command without "add".
How can I write this rule, and how can I apply it to the users for all network devices?
I need some simple examples to understand this.
Thanks in advance
Faraz
04-22-2016 12:53 PM
Hello!
You might want to post this on the switch / security forums.
04-25-2016 05:40 AM
Hi
If you have a trunk with VLANs specified, you need to use the add syntax; if you don't, it will wipe the other VLANs from the trunk and only use the last one you specified, so you will break the trunk link as the two sides won't match any longer.
Not sure what that has to do with TACACS though, as TACACS is for access?
04-25-2016 06:07 AM
Hi Mark,
Thanks for the reply. My question is regarding AAA authorization.
As you mentioned, if we don't use the "add" parameter, it will wipe out all other VLAN configuration on the trunk.
I want to avoid that mistake by putting in a TACACS+ authorization rule. It has happened before that we had, for example, 10 VLANs on a trunk and wanted to add another one. By mistake we didn't use the "add" keyword and it wiped out all the other VLAN information on the trunk.
So the rule should be like this:
if "add" is not used in the switchport trunk allowed vlan command -> deny adding the VLAN.
I hope I have now explained it in a way you can understand :)
Best Regards
Faraz
04-25-2016 07:19 AM
I have never seen that done through authorisation after being logged in. AAA is not capable of making sure a user doesn't make a mistake like that; it's just for access security.
If you were trying to do it from Prime 3.0 or above through compliance, it could probably be done, as you can build rule bases against access and configuration to do it, but not under the CLI in a router/switch.
AAA is for access. You can put the user in a low-end privilege group so he can't make changes like that again, preventing this from happening, but it does not have the feature of preventing mistakes as far as I'm aware.
04-25-2016 12:41 PM
Hi Mark,
Thanks a lot for clearing up the confusion.
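Faraz's rule, written out as an added example that is not code from this thread or from any Cisco product. TACACS+ servers that do per-command authorization (the open-source tac_plus daemon, Cisco ACS/ISE command sets) split each CLI line the device sends them into the command word and its arguments, then walk an ordered list of permit/deny regex rules and return the first match. The block below models that evaluation in Python so the ordering can be checked offline: the incremental forms (add, remove, except) are permitted first, every other "switchport trunk allowed vlan ..." line (a bare VLAN list, "all", "none") is denied because it replaces the whole allowed list, and anything else falls through to a final permit. The command set, the rule tuple layout and the sample lines are constructed for this example.

```python
import re

# Ordered, first-match command set, constructed for this example.
# Each rule is (command word or None for any, regex over the argument string, verdict).
COMMAND_SET = [
    # Incremental edits of the allowed-VLAN list are safe: permit them explicitly.
    ("switchport", r"^trunk allowed vlan (add|remove|except)( \S+)+$", "permit"),
    # Any other "switchport trunk allowed vlan ..." form (bare list, all, none)
    # overwrites the whole list on the trunk, which is the mistake being guarded against.
    ("switchport", r"^trunk allowed vlan\b", "deny"),
    # Everything else this user types is permitted (tighten for a real operator role).
    (None, r".*", "permit"),
]


def authorize(line, command_set=COMMAND_SET):
    """Return 'permit' or 'deny' for one CLI line.

    Mirrors the server-side evaluation: first token is the command, the rest
    (whitespace-normalised) is the argument string the regexes are matched against.
    An empty line or a line no rule matches is denied (default deny).
    """
    tokens = line.split()
    if not tokens:
        return "deny"
    cmd, args = tokens[0], " ".join(tokens[1:])
    for rule_cmd, pattern, verdict in command_set:
        if rule_cmd is not None and rule_cmd != cmd:
            continue
        if re.search(pattern, args):
            return verdict
    return "deny"


def authorize_session(lines, command_set=COMMAND_SET):
    """Evaluate a whole constructed config session; returns [(line, verdict), ...]."""
    return [(line, authorize(line, command_set)) for line in lines]


# Constructed sample session: the operator tries the incremental form, then the bare form.
SAMPLE_SESSION = [
    "interface GigabitEthernet1/0/1",
    "switchport mode trunk",
    "switchport trunk allowed vlan add 10,20",
    "switchport trunk allowed vlan 30",      # would replace the list: denied
    "switchport trunk allowed vlan none",    # would empty the list: denied
    "switchport trunk allowed vlan remove 20",
]

if __name__ == "__main__":
    for line, verdict in authorize_session(SAMPLE_SESSION):
        print(f"{verdict:6s}  {line}")
```

Two things matter when moving this onto a real server. First, rule order is the whole mechanism: if the generic "trunk allowed vlan" deny were listed before the "add|remove|except" permit, the add form would be denied too. Second, the bare form is the only way to set the initial list on a new trunk, so it belongs in a separate administrator command set rather than being denied for everyone. On the IOS side, the device only consults the server for configuration commands if `aaa authorization commands 15 default group tacacs+` is paired with `aaa authorization config-commands`; without the latter, commands entered in config mode are never sent for authorization.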