[j-nsp] Virtual Router
nachocheeze at gmail.com
Wed May 30 10:57:15 EDT 2007
You can set up some TACACS or RADIUS AAA stuff that would give them
view/configure access to various sections of the logical router only,
if that's what you are trying to do. Using a combo of various user
privs in the router system/login section and various allow/deny
statements in a tacacs.conf file, I've done this successfully on a
very limited basis.
Small test example; I don't recommend using this verbatim either, but
it might help as a starting point.
user = blah {
    login = blah
    service = junos-exec {
        allow-commands = "^configure.*$|^commit.*$|^show.*$|^rollback.*$"
        deny-commands = "^request.*$|^op.*$|^test.*$|^file delete.*$|^delete logical-routers.*$"
        allow-configuration = "logical-routers <LR>"
        deny-configuration = "delete logical-routers"
    }
}
On 5/29/07, Chuck Anderson <cra at wpi.edu> wrote:
> On Wed, May 30, 2007 at 12:21:50PM +0800, wang yi wrote:
> > I have put some physical interface into my logical router. When I telnet to
> > it even with the logical router argument, I still get into the physical
> > router. How can I allow people to telnet/ssh to the logical router so
> > that the user is not aware of the existence of the physical router?
>
> logical-routers do not provide full isolation of the management
> interfaces, configuration mode, etc. so you cannot use them to give a
> logical router to a customer, for example.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
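The allow/deny regexes in the tacacs.conf snippet above are only as tight as the patterns themselves, and it is easy to misjudge what a pattern like `^show.*$` lets through. The following is an added example, not code from the post or from any TACACS+ server: a small offline checker that takes the snippet's two regex strings (the deny line joined back into one regex) and reports, for a constructed list of commands, which ones the patterns would permit. The evaluation order (deny checked first, then allow, otherwise implicit deny) is an assumption made for this model; confirm the precedence your TACACS+ daemon and Junos release actually apply before relying on it.

```python
import re
from typing import List, Tuple

# Regular expressions copied from the tacacs.conf snippet in the post above.
# The deny-commands value is written here as one regex; the mail wrapped it.
ALLOW_COMMANDS = "^configure.*$|^commit.*$|^show.*$|^rollback.*$"
DENY_COMMANDS = ("^request.*$|^op.*$|^test.*$|^file delete.*$"
                 "|^delete logical-routers.*$")


class CommandPolicy:
    """Offline model of an allow-commands / deny-commands filter.

    Assumption for this example: a command is permitted only if it matches
    some allow alternative and no deny alternative, so deny wins on overlap.
    This is the model's ordering, not a statement of vendor behaviour.
    """

    def __init__(self, allow: str, deny: str) -> None:
        # The snippet's patterns use only top-level '|' alternation, so
        # splitting on '|' yields the individual anchored alternatives.
        self.allow = [re.compile(p) for p in allow.split("|")]
        self.deny = [re.compile(p) for p in deny.split("|")]

    def evaluate(self, command: str) -> Tuple[bool, str]:
        """Return (permitted, reason) for one operational-mode command line."""
        cmd = " ".join(command.split())  # collapse stray whitespace
        for rx in self.deny:
            if rx.search(cmd):
                return False, f"denied by {rx.pattern}"
        for rx in self.allow:
            if rx.search(cmd):
                return True, f"allowed by {rx.pattern}"
        return False, "no allow pattern matched (implicit deny)"

    def audit(self, commands: List[str]) -> List[Tuple[str, bool, str]]:
        """Evaluate a batch of commands; useful for reviewing a policy before rollout."""
        return [(c, *self.evaluate(c)) for c in commands]


# Constructed sample commands a restricted operator might type.
SAMPLE_COMMANDS = [
    "show interfaces terse",
    "show configuration logical-routers other-customer",
    "configure",
    "commit check",
    "request system reboot",
    "file delete /var/tmp/old.conf",
    "delete logical-routers LR1",
    "monitor traffic interface ge-0/0/0",
    "op myscript",
]

if __name__ == "__main__":
    policy = CommandPolicy(ALLOW_COMMANDS, DENY_COMMANDS)
    for cmd, ok, why in policy.audit(SAMPLE_COMMANDS):
        print(f"{'PERMIT' if ok else 'DENY  '} {cmd!r}: {why}")
```

Running the audit shows the point a reviewer would raise: `^show.*$` matches every show command, including one naming a different logical router, so the command filter alone does not scope what the operator can see; that is consistent with the observation in the quoted reply that logical routers do not isolate management access, and any tighter scoping has to come from narrower patterns and the login-class permissions on the router itself.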