One of the coolest feature in the cisco ACS reports, you can determine what cmd-set allows or dis-allowed a certain command.
By running the report AAA protocol > Authorization you can use the output to see what command-set(s) allowed the cmd.
Take myself activating the fex locator-id
Now if I deny that command in my cmd-set "DCENGLVL3_cmd" watch the new output;
and the authorization report;
Keep in mind with policies with multiple command-sets allowed, that you need to be aware of what's being allowed and deny in each command-set. In rule id #3 we have allowed 3 command-sets with "DCENGLVL3" being a "ANY-ALL commands". So this command deny locator-led fex was only enabled in the DCENGLVL3 command-set since it trumped all of the lower numbered cmd-sets.
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=