In reply to Saku Ytti, I know of at least one tacacs implementation that allows for restricting configuration of members of a port channel.

https://rubyforge.org/projects/tacacs-plus/

-J

On Tue, Oct 8, 2013 at 6:59 AM, <[email protected]> wrote:
> Send cisco-nsp mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
>
> Today's Topics:
>
> 1. Re: "reload" command doesn't check command line parameters (Octavio Alvarez)
> 2. Re: "reload" command doesn't check command line parameters (Pete Lumbis)
> 3. freezing ASR1002 when generating RSA keys (Darius Seroka)
> 4. IP SLA FTP doesn't finish the download? (Luis Miguel Cruz Miranda)
> 5. Re: "reload" command doesn't check command line parameters (Octavio Alvarez)
> 6. Re: "reload" command doesn't check command line parameters (Sander Steffann)
> 7. Re: "reload" command doesn't check command line parameters (Saku Ytti)
> 8. Re: "reload" command doesn't check command line parameters (Saku Ytti)
> 9. Re: "reload" command doesn't check command line parameters (Sigurbjörn Birkir Lárusson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 07 Oct 2013 08:46:43 -0700
> From: Octavio Alvarez <[email protected]>
> To: Pete Lumbis <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [c-nsp] "reload" command doesn't check command line parameters
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 10/07/2013 05:30 AM, Pete Lumbis wrote:
> > If we fix the behavior what does the fix look like? Do we not allow any
> > reason that starts with "i"(in) "c" (cancel) or "a"(at)? But then what if
> > you want a reload reason of "reload installing new software"? Should this
> > be blocked?
>
> Create "reload reason blahblah" and deprecate "reload blahblah". Issue a
> warning each time "reload blahblah" happens.
>
> Also have different confirmation messages. "Reload in 10" could have
> "Proceed with reload in 10?" while the other could be "Proceed with
> immediate reload?"
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 7 Oct 2013 15:05:16 -0400
> From: Pete Lumbis <[email protected]>
> To: Octavio Alvarez <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [c-nsp] "reload" command doesn't check command line parameters
> Message-ID:
> <CAB0xJrMFS7=
> [email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> The two outputs do have different warnings:
>
> reload reason:
> ===========================
> Router#reload
> Proceed with reload? [confirm]
> ===========================
>
> ===========================
> Router#reload in 5
> Reload scheduled in 5 minutes by console
> Reload reason: Reload Command
> Proceed with reload? [confirm]
> ===========================
>
> On Mon, Oct 7, 2013 at 11:46 AM, Octavio Alvarez <[email protected]> wrote:
> [quoted text of Message 1 omitted]
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 8 Oct 2013 09:43:49 +0200
> From: Darius Seroka <[email protected]>
> To: [email protected]
> Subject: [c-nsp] freezing ASR1002 when generating RSA keys
> Message-ID:
> <CAJeUwaabmTs=
> [email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> Has anyone experienced an issue where generating keys on an ASR1002 just
> freezes the box? I am configuring it through the console port. The software
> is the 15.1(3) xe-rommon stuff. Does cisco do anything weird with their
> images like Junos does, where ssh is available only on the domestic images?
> I've generated the keys a lot in the past but have not seen this
> yet, usually it's instantaneous. Have tried three times now, with each time
> needing a power cycle to get life into the box again. There's nothing in the
> logs to indicate what could be going wrong.
>
>
> asr1002-r01(config)#crypto key generate rsa general-keys modulus 2048
> The name for the keys will be: asr1002-r01
>
> % The key modulus size is 2048 bits
> % Generating 2048 bit RSA keys, keys will be non-exportable...Oct 8
> 09:14:18 ts01 event_notify: EVT[4]:Session terminated. Command issued by
> user: ?. Terminated user: root.
> Connection to ts1 closed.
>
> --
> Regards,
> Darius
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 08 Oct 2013 09:51:39 +0200
> From: Luis Miguel Cruz Miranda <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: [c-nsp] IP SLA FTP doesn't finish the download?
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Ok,
>
> The situation is this...
> Router 3825 running 12.4(24)T5 advipsrv., with several VRFs.
> Each vrf is connected to a different modem, configured in a different
> service.
>
> The router has configured several IP SLAs... icmp, http, and of course
> ftp.
> All those probes are being monitored over SNMP to obtain performance
> metrics.
>
> The issue is related to the IP SLA FTP...
> For an unknown reason it is mostly failing; from the output of "ip sla
> stats 50", the line "Number of failures" is not 0.
>
> Well, said that, it could be an end-to-end issue... I discarded it,
> there is no packet loss between the remote router and the ftp server.
>
> The weird thing is...
> I am downloading a 5MB.zip file which is exactly...
> -rwxrwxrwx 1 aaaa aaaa 5242880 Apr 14 2011 5MB.zip
>
> The log of the FTP server (pure-ftpd) is showing...
>
> cat /var/log/syslog | grep bytes
> Oct 7 16:19:48 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/possiblesources.pcap downloaded (1705710 bytes, 105.25KB/sec)
> Oct 7 16:25:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 97.14KB/sec)
> Oct 7 16:35:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 97.24KB/sec)
> Oct 7 16:45:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2490368 bytes, 96.52KB/sec)
> Oct 7 16:55:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 97.52KB/sec)
> Oct 7 17:05:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 98.08KB/sec)
> Oct 7 17:15:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2490368 bytes, 96.54KB/sec)
> Oct 7 17:25:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 98.38KB/sec)
> Oct 7 17:35:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 96.98KB/sec)
> Oct 7 17:45:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2490368 bytes, 96.48KB/sec)
> Oct 7 17:55:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2359296 bytes, 86.69KB/sec)
> Oct 7 18:05:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2490368 bytes, 96.06KB/sec)
> Oct 7 18:15:23 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 99.28KB/sec)
> Oct 7 18:25:23 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 96.46KB/sec)
> Oct 7 18:35:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 97.27KB/sec)
> Oct 7 18:45:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2490368 bytes, 95.46KB/sec)
> Oct 7 18:55:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 97.22KB/sec)
> Oct 7 19:05:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2490368 bytes, 94.53KB/sec)
> Oct 7 19:15:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2490368 bytes, 96.48KB/sec)
> Oct 7 19:25:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2490368 bytes, 93.80KB/sec)
> Oct 7 19:35:23 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 97.53KB/sec)
> Oct 7 19:45:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2490368 bytes, 96.46KB/sec)
> Oct 7 19:55:22 DEV012002 pure-ftpd: ([email protected]) [NOTICE] //home/aaaa/5MB.zip downloaded (2621440 bytes, 98.43KB/sec)
>
> The router never downloads the complete file.
> Furthermore, the sniffer capture shows multiple RST, then FP, more RST,
> in that order, from router to the ftp.
>
> Other info is...
> Timeout for SLA operation is big enough to download the file, that was
> checked manually.
> FTP passive is always used, and it is working fine too, checked manually
> too.
>
> any idea?
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 08 Oct 2013 00:53:50 -0700
> From: Octavio Alvarez <[email protected]>
> To: Pete Lumbis <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [c-nsp] "reload" command doesn't check command line parameters
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Wait a minute... My router supports "reload reason" already and rejects
> "reload int 10".
>
> Check later IOS versions.
>
> On 10/07/2013 12:05 PM, Pete Lumbis wrote:
> [quoted text of Messages 2 and 1 omitted]
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 8 Oct 2013 10:57:02 +0200
> From: Sander Steffann <[email protected]>
> To: Pete Lumbis <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [c-nsp] "reload" command doesn't check command line parameters
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > The two outputs do have different warnings:
> >
> > reload reason:
> > ===========================
> > Router#reload
> > Proceed with reload? [confirm]
> > ===========================
>
> If this warning would be changed to:
> ===========================
> Router#reload int 5
> Proceed with IMMEDIATE reload? [confirm]
> ===========================
>
> Then it would be much clearer.
>
> Cheers,
> Sander
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 8 Oct 2013 13:55:26 +0300
> From: Saku Ytti <[email protected]>
> To: [email protected]
> Subject: Re: [c-nsp] "reload" command doesn't check command line parameters
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> On (2013-10-08 10:57 +0200), Sander Steffann wrote:
>
> > If this warning would be changed to:
> > ===========================
> > Router#reload int 5
> > Proceed with IMMEDIATE reload? [confirm]
> > ===========================
> >
> > Then it would be much clearer.
>
> The implication here is that you made a typo in the original command and you are
> aware of it. I guess if you are aware of the typo, you didn't make it.
> If you are not aware of the typo you made, you'll just punch the 'y' from
> muscle memory without looking at the display.
>
> I don't think it would actually help. What does help is taking humans out of
> the equation as much as possible. Break the network less often but more
> thoroughly, through automation.
>
> --
>   ++ytti
>
>
> ------------------------------
>
> Message: 8
> Date: Tue, 8 Oct 2013 14:51:29 +0300
> From: Saku Ytti <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: Re: [c-nsp] "reload" command doesn't check command line parameters
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=iso-8859-1
>
> On (2013-10-08 11:22 +0000), Sigurbjörn Birkir Lárusson wrote:
>
> > I think the best solution here is tacacs+ with command authorization where
> > reload in X is allowed, but all other forms are not, forcing you to
>
> Fully agreed.
>
> > This is also highly preferable for many other things (switchport trunk
> > allowed vlan X instead of switchport trunk allowed vlan add X springs to
> > mind)
>
> Couldn't agree more. As well as 'no router isis' etc. :)
>
>
> Maybe worth putting up somewhere a BCP TACACS deny list for dangerous commands. Sadly
> I think it's not possible in TACACS to deny configuring member ports of
> port-channels.
>
> --
>   ++ytti
>
>
> ------------------------------
>
> Message: 9
> Date: Tue, 8 Oct 2013 11:22:40 +0000
> From: Sigurbjörn Birkir Lárusson <[email protected]>
> To: Saku Ytti <[email protected]>, "[email protected]" <[email protected]>
> Subject: Re: [c-nsp] "reload" command doesn't check command line parameters
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I think the best solution here is tacacs+ with command authorization where
> reload in X is allowed, but all other forms are not, forcing you to
> authenticate as a higher privilege user to be able to do that; that way
> tacacs+ will simply prevent you from making a mistake.
>
> This is also highly preferable for many other things (switchport trunk
> allowed vlan X instead of switchport trunk allowed vlan add X springs to
> mind)
>
> Kind regards,
> Sibbi
>
> On 8.10.2013 10:55, "Saku Ytti" <[email protected]> wrote:
> [quoted text of Message 7 omitted]
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> cisco-nsp mailing list
> [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> ------------------------------
>
> End of cisco-nsp Digest, Vol 131, Issue 17
> ******************************************
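The command-authorization policy the thread converges on (permit only "reload in X", force add/remove on trunk VLAN lists, deny "no router isis", and the port-channel member case Saku raised and J's reply says is possible) can be modelled as a small TACACS+-style decision function. This is an added example, not code from the thread or from the tacacs-plus project; the port-channel membership table, the privilege-15 override and the default-permit behaviour are assumptions, and interface names are looked up exactly as the device sends them (abbreviations such as "gi0/1" are not canonicalised here).

```ruby
# Constructed TACACS+-style per-command authorization policy modelled on
# the rules proposed on cisco-nsp. Not the tacacs-plus project's own code.

# Assumed/constructed sample data: which physical ports belong to a bundle.
# Configuring a member directly (instead of the Port-channel) is denied.
PORT_CHANNEL_MEMBERS = {
  'GigabitEthernet0/1' => 'Port-channel1',
  'GigabitEthernet0/2' => 'Port-channel1',
}.freeze

# Ordered rules over the whitespace-normalised command line. First match wins.
# A :deny can be overridden by an operator at or above ADMIN_PRIV (assumed 15),
# mirroring "authenticate as a higher privilege user to be able to do that".
ADMIN_PRIV = 15
RULES = [
  { re: /\Areload in \d+(?: .*)?\z/, decision: :permit },
  { re: /\Areload\b/, decision: :deny,
    reason: 'only "reload in <minutes> [reason]" is allowed' },
  { re: /\Aswitchport trunk allowed vlan (?:add|remove) /, decision: :permit },
  { re: /\Aswitchport trunk allowed vlan /, decision: :deny,
    reason: 'replacing the whole VLAN list is not allowed; use add/remove' },
  { re: /\Ano router isis\b/, decision: :deny,
    reason: 'removing the IGP is not allowed' },
].freeze

# Returns [:permit | :deny, reason]. Commands matching no rule are permitted,
# i.e. this is a deny list for dangerous commands, not an allow list.
def authorize(cmd, priv: 1, members: PORT_CHANNEL_MEMBERS)
  line = cmd.strip.split.join(' ')
  override = priv >= ADMIN_PRIV

  # Stateful check: entering interface config on a bundle member port.
  if (m = line.match(/\Ainterface (\S+)\z/i)) && (po = members[m[1]])
    return [:permit, "#{m[1]} is a member of #{po}; admin override"] if override
    return [:deny, "#{m[1]} is a member of #{po}; configure #{po} instead"]
  end

  RULES.each do |rule|
    next unless line.match?(rule[:re])
    return [:permit, 'matched permit rule'] if rule[:decision] == :permit
    return override ? [:permit, 'admin override'] : [:deny, rule[:reason]]
  end
  [:permit, 'no rule matched (default permit)']
end

if __FILE__ == $PROGRAM_NAME
  ['reload in 10', 'reload int 10', 'reload', 'switchport trunk allowed vlan 10',
   'interface GigabitEthernet0/1', 'show version'].each do |c|
    puts format('%-40s %s', c, authorize(c).inspect)
  end
end
```

Note that "reload int 10", the typo that started the thread, falls through to the deny rule because the permit rule requires a digit right after "reload in".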
