no mac-address-table static h.h.h vlan <1-4096> drop privilege level

Unanswered Question
Jul 9th, 2007

Hi,

We use

mac-address-table static h.h.h vlan <1-4096> drop to block mac address in certain VLAN in IOS Version 12.2(18)SXF7. That's working great. New employee comes, we want new guy to be able to show the mac-address-table static and no mac-address-table h.h.h vlan <1-4096>. I configured privilege exec level 7 config terminal/show run/no mac-address-table static, and also privilege config level 7 no mac-address-table static. The new guy can sign in and show run all the mac-address-table static, but when in conf t, no mac-address-table h.h.h, there is no vlan option for him. Am I missing something for the privilege 7?

Thanks.

schilling

sding2006 Tue, 07/10/2007 - 10:14

IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF7, RELEASE SOFTWARE (fc1)

aaa new-model
aaa authentication login default local
aaa authorization exec default local
privilege configure level 7 mac-address-table
privilege configure level 7 mac-address-table static
privilege exec level 7 show startup
privilege exec level 7 show running-config
privilege exec level 7 clear counter
privilege exec level 7 sho run
privilege exec level 7 sho conf
privilege exec level 7 sho arp
privilege exec level 7 sho ver
privilege exec level 7 sho access-lists
privilege exec level 7 configure terminal

Basically, I just want users with privilege level 7 to be able to show all the configs, and no mac-address-table static h.h.h vlan <1-4096>.

Thanks.

Premdeep Banga Tue, 07/10/2007 - 15:27

What you want using local authentication is very difficult.

As you want the user to be able to show all the configs, that might not be possible. The reason for that is that in sh run we have the complete config, and most of the commands are at level 15; even though you bring down the level of a command, in order to show everything you would be required to bring all the commands down to level 7.

Which is not a feasible thing.

What you want to accomplish is possible using TACACS+ (ACS).

In which you can configure command authorization on the device, and restrict a user/group to only have access to do,

"sh run" and "no mac-address-table static h.h.h vlan <1-4096>"

and no other command.

And have one user/group with access to the full command set on the device. You can have any combination that you want.

The second part that you need,

To let the user be able to type the command "no mac-address-table static h.h.h vlan <1-4096>"

this may be possible, but for that you would also be required to bring the level of vlan down to 7.

you can give it a try.

But I'll go for command authorization.

But in case that is not even near feasible, then you can see if this workaround works for you.

Please see one example below; you are not required to alter the privilege level of commands, either in command authorization or in the example below,

menu HELPDESK text 1 Running config
menu HELPDESK command 1 show runn
menu HELPDESK options 1 pause
menu HELPDESK text 2 Route
menu HELPDESK command 2 show ip route
menu HELPDESK options 2 pause
menu HELPDESK text 3 Interfaces
menu HELPDESK command 3 show interfaces
menu HELPDESK options 3 pause
menu HELPDESK text 4 Exit
menu HELPDESK command 4 exit
username password
username privilege 15
username autocommand menu HELPDESK

Regards,

Prem
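As an added illustration (not from the thread or from Cisco), the following Python models the command-authorization allow-list the answer above describes: the helpdesk role may run "sh run" and "no mac-address-table static h.h.h vlan <1-4096>" and nothing else. It assumes IOS-style keyword abbreviation (any leading substring of a keyword), a dotted-hex h.h.h MAC format, and that ambiguity between abbreviations is not modelled; the sample command lines are constructed.

```python
import re

# Dotted-hex MAC as IOS writes it (h.h.h), e.g. 0011.2233.4455 (assumption).
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)


def _vlan_ok(tok):
    # VLAN argument must be a number in the <1-4096> range shown in the thread.
    return tok.isdigit() and 1 <= int(tok) <= 4096


# Allow-list for the helpdesk role: one tuple per permitted command.
# A string entry is a keyword; a callable entry validates an argument.
ALLOWED = [
    ("show", "running-config"),
    ("no", "mac-address-table", "static", MAC_RE.match, "vlan", _vlan_ok),
]


def _match_token(pattern, tok):
    if callable(pattern):
        return bool(pattern(tok))
    # Keyword: accept any leading abbreviation, as IOS does ("sh" for "show").
    return len(tok) > 0 and pattern.startswith(tok.lower())


def authorize(line):
    """Return True if the command line is permitted for the helpdesk role."""
    toks = line.split()
    for pat in ALLOWED:
        if len(toks) == len(pat) and all(
            _match_token(p, t) for p, t in zip(pat, toks)
        ):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample command lines a helpdesk user might type.
    for cmd in [
        "sh run",
        "no mac-address-table static 0011.2233.4455 vlan 10",
        "no mac-address-table static 0011.2233.4455 vlan 4097",
        "no mac-address-table static 0011.2233.4455",
        "configure terminal",
        "show ip route",
    ]:
        print("permit" if authorize(cmd) else "deny  ", cmd)
```

Anything not on the list, including an out-of-range VLAN, a malformed MAC, or a "no" form that omits the VLAN, is denied.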
