
Problem with privileges - 12.2 IOS

Filip Knezevic
Level 1
Hello,


We have a problem with user privileges on some older devices, mainly Cisco 6509.

The problem is I don't know how to assign all possible sub commands of a command, namely ip route.

So, for example, colleagues from the L1 department can create static routes, but they can't name them. For me that is a big issue, since they are just piling up routes with no description, which makes troubleshooting harder and looks really ugly.

On newer IOS (15) you can do:

privilege configure all level 2 ip route

This will allow all the iterations of the ip route command. 

But on IOS 12.2 there is no all subcommand.

R2D2-NEW(config)#privilege configure ?
level Set privilege level of command
reset Reset privilege level of command

R2D2-NEW(config)#privilege configure lev ?
<0-15> Privilege level

R2D2-NEW(config)#privilege configure lev 2 ?
LINE Initial keywords of the command to modify

R2D2-NEW(config)#privilege configure lev 2


The result is this:

R2D2-NEW(config)#ip route 8.8.8.8 255.255.255.255 1.1.1.1 ?
<1-255> Distance metric for this route
<cr>

R2D2-NEW(config)#ip route 8.8.8.8 255.255.255.255 1.1.1.1

Cisco says (if I understood correctly) that first couple of keywords for a command will enable all sub commands but it's not working.

R2D2-NEW(config)#privilege configure level 2 ip route name. - This is not working.


Any advice?


Upgrade to new IOS is out of question since we can't risk any issues with these devices. There are a lot of links there and if it wouldn't come back up after an IOS upgrade lot of stuff could potentially go wrong and that would be a catastrophe.  


12 Replies

Filip Knezevic
Level 1

Sorry, was not sure where to place the thread.

No one?

Hello,


entering:


username john level 2 password 0 cisco

!
privilege exec level 2 configure terminal

privilege configure level 2 ip route

!

line vty 0 15

login local


will allow level 2 users to use all subcommands of 'ip route'. However, as I understand it, you want to force users to name the routes ?


George,


Thank you very much for answering.

Yes, if I do privilege configure level 2 ip route, users with priv 2 can create a static route but cannot add a name after it... That creates a mess on our transport 6509 switches. The subcommand all is missing.

privilege configure all level 2 ip route would allow them to name the routes, but the command is simply missing.

R2D2-NEW(config)#privilege interface ?
  level  Set privilege level of command
  reset  Reset privilege level of command
Notice how 'all' sub-command is missing.

So the result for a user with priv 2 is this:


R2D2-NEW(config)#ip route 1.1.1.1 255.255.255.255 2.2.2.2 ?
  <1-255>  Distance metric for this route
  <cr>

But if I login with my full priv level:

R2D2-NEW(config)#ip route 1.1.1.1 255.255.255.255 2.2.2.2 ?
  <1-255>    Distance metric for this route
  name       Specify name of the next hop
  permanent  permanent route
  tag        Set tag for this route
  track      Install route depending on tracked item
  <cr>

Any workaround for this?
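As an added example that is not part of this thread (neither the poster's nor Cisco's code): a small Python audit script that runs over a saved running-config and reports the two things discussed above. It lists every static route configured without a name label, which is the mess the original post complains about, and every privilege line that lacks the all keyword, since on platforms where all exists that keyword is what lets the lowered level reach a command's sub-keywords such as ip route ... name. The config text is constructed for the example; the ip route syntax follows the help output quoted above, and support for the ip route vrf form is an assumption added here.

```python
"""Audit a Cisco IOS running-config for two things discussed in this thread:
static routes configured without 'name <label>', and 'privilege' lines that
grant a command without the 'all' keyword (so its sub-keywords stay locked
for the lowered level on platforms where 'all' is supported).
Added example, not code from the original post; the config is constructed."""
import re

# Constructed sample config, modelled on the snippets posted in the thread.
SAMPLE_CONFIG = """\
username john level 2 password 0 cisco
!
privilege exec level 2 configure terminal
privilege configure level 2 ip route
privilege configure all level 2 interface
!
ip route 8.8.8.8 255.255.255.255 1.1.1.1
ip route 1.1.1.1 255.255.255.255 2.2.2.2 name CUSTOMER-A
ip route 10.0.0.0 255.0.0.0 2.2.2.2 250 tag 100
ip route vrf MGMT 0.0.0.0 0.0.0.0 192.0.2.1 name MGMT-DEFAULT
!
line vty 0 15
 login local
"""

# 'ip route [vrf <name>] <prefix> <mask> <next-hop / options...>'
# (the 'vrf' form is an assumption added here, not shown on the page)
ROUTE_RE = re.compile(
    r"^ip route(?: vrf (?P<vrf>\S+))? (?P<prefix>\S+) (?P<mask>\S+) (?P<rest>.*)$"
)
# 'privilege <mode> [all] level <n> <command words...>'
PRIV_RE = re.compile(
    r"^privilege (?P<mode>\S+) (?P<all>all )?level (?P<level>\d+) (?P<cmd>.+)$"
)


def parse_static_routes(config: str):
    """Yield one dict per 'ip route' line: vrf, prefix, mask and the trailing
    option tokens (next hop, distance, 'name X', 'tag N', 'permanent', ...)."""
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            yield {
                "vrf": m.group("vrf") or "",
                "prefix": m.group("prefix"),
                "mask": m.group("mask"),
                "options": m.group("rest").split(),
            }


def unnamed_static_routes(config: str):
    """Return (vrf, prefix, mask) for every static route that has no
    'name <label>' option, in config order."""
    found = []
    for route in parse_static_routes(config):
        opts = route["options"]
        # 'name' must be followed by a label token to count as named
        has_name = any(tok == "name" and i + 1 < len(opts) for i, tok in enumerate(opts))
        if not has_name:
            found.append((route["vrf"], route["prefix"], route["mask"]))
    return found


def privilege_without_all(config: str):
    """Return (mode, level, command) for every 'privilege' line that does not
    use the 'all' keyword. Without 'all' only the listed keywords are moved to
    the lower level, which is the behaviour the thread observes for 'ip route'
    (the 'name' sub-keyword stays unavailable to the level-2 user)."""
    found = []
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m and not m.group("all"):
            found.append((m.group("mode"), int(m.group("level")), m.group("cmd")))
    return found


if __name__ == "__main__":
    for vrf, prefix, mask in unnamed_static_routes(SAMPLE_CONFIG):
        scope = f"vrf {vrf} " if vrf else ""
        print(f"unnamed static route: {scope}{prefix} {mask}")
    for mode, level, cmd in privilege_without_all(SAMPLE_CONFIG):
        print(f"privilege {mode} level {level} {cmd}: no 'all' keyword, "
              "sub-keywords are not delegated")
```

Run it against the output of show running-config saved to a file (replace SAMPLE_CONFIG with the file contents); the route list tells you which entries the level-2 users left unnamed, and the privilege list shows which delegations will keep behaving as in the thread until the platform offers the all keyword.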

Hello,


I am testing this in GNS3 with 12.4. It allows me to add the 'all' keyword (see below)...


username john level 2 password 0 cisco

!
privilege exec level 2 configure terminal

privilege configure all level 2 ip route

!

line vty 0 15

login local

Georg, thank you for time and effort to try this.

I know, that is very strange. The official Cisco document about 12.0 IOS clearly states the 'all' command should be there. However it's missing on our 65XX series.


R2D2#sh vers
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI9, RELEASE SOFTWARE (fc2)
cisco WS-C6513 (R7000) processor (revision 1.0) with 983008K/65536K bytes of memory.


Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI13, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport

cisco WS-C6506 (R7000) processor (revision 3.0) with 458720K/65536K bytes of memory.


I would never get a green light to upgrade IOS on the production switches with hundreds of customers so we'd rather have to replace them with newer ones.


However this is really bugging me...


ObiWan(config)#ip route 1.1.1.1 255.255.255.255 2.2.2.2 name?
% Unrecognized command


ObiWan(config)#ip route 1.1.1.1 255.255.255.255 2.2.2.2 ?
  <1-255>  Distance metric for this route
  <cr>


Hello,


I did some research, and indeed the 'all' keyword was added in 12.0(22)S, but...not for all platforms.

I am afraid that apart from the upgrade, you have no options...

Thank you, Georg.

Just can't believe Cisco failed to include such a thing. Just hoped there is some workaround... Too bad if there isn't.

Thanks again!                       

Hello,


a 'workaround' albeit an indirect one would be to use an external TACACS server. There are numerous free ones out there, so there is no cost involved. If that is an option in your environment, I can check out the details.

Well,

We use Radius in combination with Active Directory, so we log in with our AD credentials. So I'm not sure how TACACS would go with that?

Also, thinking about it, some kind of a TCL script could be an option? Or it would still be overridden by their privilege level? 

Hello Knezevic,


I have got a similar problem with sub-commands (all) while configuring privilege levels on my network switch. Did you find any solution for it? I have a similar infrastructure to yours, with a Radius authentication server linked with AD.

My problem is I can't upgrade IOS either, as we don't have any service contract. My organization is a non-profit organization with much of the infrastructure donated.

Also, I wanted to know if it is legal to download IOS images from the Cisco website and use them in my organization.


Thank You

Yes, the workaround is to upgrade IOS to 15. :)

"Also, i wanted to know if it is legal to download IOS images from Cisco website and use it in my organization."

Good luck with that.

