07-21-2008 05:23 AM - edited 03-10-2019 03:59 PM
I'm trying to set up a Shell command auth set for clearing interface counters but I can't think of a way to do so. Is there a way to do something like:
"permit counters interface *"?
TIA
07-21-2008 05:45 AM
try this...
privilege exec level 2 clear counters
07-21-2008 06:05 AM
I'm not sure I understand what ya mean with this suggestion. We allow the user in to priv 15 but limit all commands typed. For example they might need to show the running config for an interface or something like that. Thus when they login they have priv 15 but don't have config term rights.
07-21-2008 07:52 AM
I'm assuming you are using CSACS (not indicated) for defining your command sets.
e.g.:
"Deny" radio button selected (i.e.: only listed commands will be authorized).
Command List:
clear
disable
enable
show
"Clear" command argument(s) set as follows:
(a) Deselect the "Permit Unmatched Args" checkbox.
(b) Enter the following argument(s) into the list:
permit counters
... or, to be more specific:
permit counters Ethernet 0
permit counters FastEthernet 0
This should result in the ability to clear all counters, or the counters of specific interfaces (if you define them).
Notes:
(1) Command arguments are case sensitive and may differ from how they are entered at the CLI.
(2) A sniffer is helpful in determining proper case.
(3) Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.
07-21-2008 08:51 AM
Hi,
I had mentioned it for the command line.
Suppose you have local users with privilege levels 2 and 15; then
username admin2 privilege 2 password cisco
username admin15 privilege 15 password cisco
privilege exec level 2 ping
privilege exec level 2 clear counter
privilege exec level 15 telnet
privilege exec level 15 show config
privilege exec level 15 show logging
07-21-2008 10:29 AM
Yes, I'm using CACS, sorry for not specifying.
So if I put "clear" in as the command and then put: "permit counters FastEthernet 0" will that allow all fa0/1 - x interfaces or do I have to put them in individually? I'm really looking for a way to allow it on all fa and gi interfaces if possible but w/o putting each interface into acs.
07-21-2008 12:56 PM
If you are willing to permit the clearing of counters for "all" interface types (do a "clear counters ?", to see the list), use:
permit counters
If you only want to permit all FastEthernet and GigabitEthernet interfaces, use:
permit counters FastEthernet
permit counters GigabitEthernet
The inclusion of "FastEthernet 0" in my previously posted example was for a specific interface, where "FastEthernet 0" was a complete interface name (on a different platform), and was not intended to specify FastEthernet 0/1 - x.
Edit: If you want to control specific interfaces, make sure to use the appropriate white-space in your command set argument definitions.
E.g.: permit counters FastEthernet 0 1
The "FastEthernet", "0", and "1", are all separate arguments.
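Added illustration (not part of the thread, and not ACS's own code): the Python sketch below models how the command set described in the replies above would evaluate a handful of authorization requests. The matching rule (case-sensitive, whole-word prefix on the space-joined arguments), the argument settings for disable/enable/show, and the sample commands are assumptions; confirm real behaviour against the ACS logs or a packet capture.

```python
# Simplified model (an assumption, not ACS's real matcher): arguments are
# joined with single spaces and compared case-sensitively; a rule matches
# when its pattern equals the argument string or is a whole-word prefix.
COMMAND_SET = {
    "unmatched_commands": "deny",          # the "Deny" radio button
    "commands": {
        "clear": {"permit_unmatched_args": False,
                  "args": ["permit counters FastEthernet",
                           "permit counters GigabitEthernet"]},
        # No argument lists were posted for these; permitting all
        # arguments here is an assumption made for the example.
        "disable": {"permit_unmatched_args": True, "args": []},
        "enable": {"permit_unmatched_args": True, "args": []},
        "show": {"permit_unmatched_args": True, "args": []},
    },
}

def authorize(cmd, cmd_args, command_set=COMMAND_SET):
    """Return 'permit' or 'deny' for one TACACS+ command authorization."""
    entry = command_set["commands"].get(cmd)
    if entry is None:
        return command_set["unmatched_commands"]
    arg_string = " ".join(cmd_args)
    for rule in entry["args"]:              # first matching rule wins
        action, _, pattern = rule.partition(" ")
        if arg_string == pattern or arg_string.startswith(pattern + " "):
            return action
    return "permit" if entry["permit_unmatched_args"] else "deny"

# Constructed sample requests: (cmd, cmd-arg list as a device might send it)
SAMPLES = [
    ("clear", ["counters", "FastEthernet", "0/1"]),
    ("clear", ["counters", "GigabitEthernet", "1/0/24"]),
    ("clear", ["counters", "fastethernet", "0/1"]),   # wrong case
    ("clear", ["counters", "Serial", "0/0"]),
    ("clear", ["line", "1"]),
    ("configure", ["terminal"]),
    ("show", ["running-config", "interface", "FastEthernet", "0/1"]),
]

def evaluate(samples=SAMPLES):
    """Return (command line, verdict) pairs for the sample requests."""
    return [(f"{c} {' '.join(a)}", authorize(c, a)) for c, a in samples]

if __name__ == "__main__":
    for line, verdict in evaluate():
        print(f"{verdict:6} {line}")
```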