no mac-address-table static h.h.h vlan <1-4096> drop privilege level
mac-address-table static h.h.h vlan <1-4096> drop to block MAC address in certain VLAN in IOS Version 12.2(18)SXF7. That's working great. A new employee has come, and we want the new guy to be able to show the mac-address-table static and no mac-address-table h.h.h vlan <1-4096>. I configured privilege exec level 7 config terminal/show run/no mac-address-table static, and also privilege config level 7 no mac-address-table static. The new guy can sign in and show run all the mac-address-table static; when conf t, no mac-address-table h.h.h, there is no vlan option for him. Am I missing something for the privilege 7?
Re: no mac-address-table static h.h.h vlan <1-4096> drop privile
What you want using local authentication is very difficult.
As you want the user to be able to show all the configs, that might not be possible. The reason is that sh run contains the complete config, and most of the commands are at level 15. Even if you bring down the level of a command, in order to show everything you would be required to bring all the commands down to level 7,
which is not a feasible thing.
What you want to accomplish is possible using TACACS+ (ACS).
With it you can configure command authorization on the device, and restrict a user/group to only have access to
"sh run" and "no mac-address-table static h.h.h vlan <1-4096>"
and no other command,
and have one user/group with access to the whole command set on the device. You can have any combination that you want.
The second part that you need,
to let the user be able to type the command "no mac-address-table static h.h.h vlan <1-4096>":
this may be possible, but for that you would also be required to bring the level of vlan down to 7.
You can give it a try.
But I'll go for command authorization.
But in case that is not even near to being feasible, then you can see if this workaround works for you.
Please see one example below; you are not required to alter the privilege level of commands, in command authorization as well as in the example below.
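An added illustration of the device-side configuration for the TACACS+ command authorization recommended in the reply above; it is not the example the poster refers to and not configuration taken from this thread. The server address, shared key, local fallback account and the server-side command set described in the comments are constructed placeholders and assumptions.

```cisco
! Constructed example. 192.0.2.10, <SHARED-KEY> and <LOCAL-SECRET> are placeholders.
aaa new-model
!
tacacs-server host 192.0.2.10 key <SHARED-KEY>
!
! Local fallback account so the switch stays manageable if the
! TACACS+ server is unreachable (assumed name "admin").
username admin privilege 15 secret <LOCAL-SECRET>
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Ask the server to permit or deny every level-15 command.
! The privilege level of the commands themselves is left untouched.
aaa authorization commands 15 default group tacacs+ local
!
! Commands typed in configuration mode (such as
! "no mac-address-table static h.h.h vlan <1-4096> drop") are only
! subject to this authorization when config-commands is enabled.
aaa authorization config-commands
!
! Keep a record of what each user typed.
aaa accounting commands 15 default start-stop group tacacs+
!
! Assumed server side (ACS), not shown here:
!   restricted group: permit "show running-config",
!                     permit "configure terminal",
!                     permit "no mac-address-table static",
!                     deny everything else
!   admin group:      permit all commands
```

Test a restricted account from a second session before closing the one used to apply the change, so a mistake in the method lists or the command set does not lock out administrators.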