Re: protect lab from "cop run start" [7:84166] posted 02/12/2004


Priscilla,

I think I can solve your problem.  Tell me when and where your next class
meets and I'll have my Uncle Guido & Cousin Vinny stop in and have a
talk with your students.  There will, of course, be a slight fee involved. :)

--
Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco ATC/Regional Networking Academy
"Cunctando restituit rem"

Priscilla Oppenheimer wrote:

> That's an intriguing idea. Is null a special keyword? Does it do what it
> sounds like it does? Then how would we ever copy when we really needed to?
> I couldn't find any documentation on null as a parameter to the alias
> command.
>
> I like the concept though. We could alias the risky commands to something
> that the smart-alecks wouldn't know!
>
> But would the alias command show up in the config, which they can see, of
> course? Hmm.
>
> Thanks,
>
> Priscilla
>
> Brian McGahan wrote:
> >
> > Priscilla,
> >
> >       You could create exec aliases for the commands copy and write
> > (and all non-ambiguous abbreviations of them) to null commands.
> > Here's an example:
> >
> > alias exec cop null
> > alias exec copy null
> > alias exec wr null
> > alias exec wri null
> > alias exec writ null
> > alias exec write null
> >
> > Rack12R2#wr
> > Translating "wr"
> >
> > Translating "wr"
> > % Unknown command or computer name, or unable to find computer address
> > Rack12R2#write mem
> > write mem
> >  ^
> > % Invalid input detected at '^' marker.
> >
> > Rack12R2#copy run start
> > copy run start
> >  ^
> > % Invalid input detected at '^' marker.
> >
> > Rack12R2#copy running-config startup-config
> > copy running-config startup-config
> >  ^
> > % Invalid input detected at '^' marker.
> >
> >       As long as they don't take those aliases out then you're safe.
> >
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@xxxxxxxxxxxxxxxxxxxxxx
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987 x 705
> > Outside US: 775-826-4344 x 705
> >
> >
> > > -----Original Message-----
> > > From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx]
> > > Sent: Tuesday, February 10, 2004 7:02 PM
> > > To: cisco@xxxxxxxxxxxxxx
> > > Subject: protect lab from "cop run start" [7:84166]
> > >
> > > Hello colleagues,
> > >
> > > I would be eternally grateful for any suggestions regarding the
> > > following problem and my proposed solution.
> > >
> > > In our college lab we don't teach our students the "copy running-config
> > > startup-config" command. (We aren't teaching them to be real network
> > > admins. They are mostly programmer types.) We do let them do lots of
> > > configuration, just not save their work. But some of them arrive at
> > > college having taken Cisco Networking Academy. They learned lots of
> > > commands.
> > >
> > > What would be the easiest way to not allow them to enter "copy
> > > running-config startup-config"?
> > >
> > > I'm thinking of implementing username and privilege levels. I don't
> > > want to use a server-based solution because they could easily mess up
> > > the internetwork so that the routers can't get to a server.
> > >
> > > But what if I added a new username, password, and privilege level at
> > > say 14. Then I will move a bunch of commands that we do allow them to
> > > do to that level, but make sure to keep "copy running-config
> > > startup-config" at privilege level 15 with a protected password that
> > > the students don't know.
> > >
> > > It would go something like this:
> > >
> > > username student privilege 14 password student
> > > username 98oiu90 privilege 15 password 9078kwo
> > >
> > > privilege exec level 14 show
> > > privilege exec level 14 telnet
> > > privilege exec level 14 config
> > > etc.
> > >
> > > It would be quite a bit of configuration up front, but just a one-time
> > > pain.
> > > Will this work? Are there easier ways to accomplish the goal?
> > >
> > > THANK-YOU.
> > >
> > > Priscilla
> > > **Please support GroupStudy by purchasing from the GroupStudy Store:
> > > http://shop.groupstudy.com
> > > FAQ, list archives, and subscription info:
> > > http://www.groupstudy.com/list/cisco.html




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=84296&t=84166
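
An added example, not part of the original thread or any poster's code: a small Python audit that reads a saved configuration and reports which non-ambiguous abbreviations of `copy` and `write` are not covered by an `alias exec ... null` line, which is the condition the quoted suggestion depends on. The exec command list and both sample configurations are constructed assumptions; take the real command list from the image being audited.

```python
import re

# Constructed subset of exec-mode commands (assumption, not a full IOS list).
EXEC_COMMANDS = ["clear", "clock", "configure", "connect", "copy",
                 "show", "telnet", "where", "who", "write"]

# One "alias exec <name> <replacement>" statement per configuration line.
ALIAS_RE = re.compile(r"^alias[ \t]+exec[ \t]+(\S+)[ \t]+(.+?)[ \t]*$",
                      re.MULTILINE)


def unambiguous_prefixes(command, all_commands):
    """Prefixes of `command` that no other command in the list starts with."""
    others = [c for c in all_commands if c != command]
    return [command[:n] for n in range(1, len(command) + 1)
            if not any(o.startswith(command[:n]) for o in others)]


def parse_exec_aliases(config_text):
    """Map alias name -> replacement text for every 'alias exec' line."""
    return dict(ALIAS_RE.findall(config_text))


def audit(config_text, protected=("copy", "write"), sink="null"):
    """Return {command: [prefixes not aliased to `sink`]}; empty means covered."""
    aliases = parse_exec_aliases(config_text)
    gaps = {}
    for cmd in protected:
        missing = [p for p in unambiguous_prefixes(cmd, EXEC_COMMANDS)
                   if aliases.get(p) != sink]
        if missing:
            gaps[cmd] = missing
    return gaps


# Constructed sample: the alias set quoted in the thread.
FULL = """hostname Rack12R2
alias exec cop null
alias exec copy null
alias exec wr null
alias exec wri null
alias exec writ null
alias exec write null
"""
# Constructed sample: the same configuration after one alias was taken out.
TAMPERED = FULL.replace("alias exec wr null\n", "")

if __name__ == "__main__":
    print("full:", audit(FULL))
    print("tampered:", audit(TAMPERED))
```

Running the audit against a periodic configuration backup flags the case where an alias has been removed, since the missing abbreviation then appears in the result.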