[j-nsp] Virtual Router

Guy Davies aguydavies at gmail.com
Wed May 30 11:19:23 EDT 2007


As Chuck pointed out, though, the separation is far from complete.
For example, if user A logs into logical-router A and starts modifying
the config for logical-router A, then user B logs into logical-router
B and modifies the config for logical-router B then does a commit, he
will commit *all* changes to the config including those made by user
A.  If those changes are syntactically incomplete, the commit may
fail.  But worse, if they are syntactically correct but not correct in
terms of the intended behaviour, you'll get the incorrect behaviour.

For this reason, it is a *bad plan* to give access to logical-routers
with config/commit permissions.  I'd recommend making config/commit
changes from the master routing instance only and only permit users
with administrative access to the master routing instance to make
those changes.

Rgds,

Guy

On 30/05/07, nachocheeze at gmail.com <nachocheeze at gmail.com> wrote:
> You can set up some tacacs or radius AAA stuff that would allow them
> view/configure access to various sections of the logical router only,
> if that's what you are trying to do.  Using a combo of various user
> privs in the router system/login section and various allow/deny
> statements in a tacacs.conf file, I've done this successfully on a
> very limited basis.
>
> Small test example; I don't recommend using this verbatim either, but
> it might help as a starting point.
>
> user = blah {
>         login = blah
>         service = junos-exec {
>                 # operational-mode commands this user may and may not run
>                 allow-commands = "^configure.*$|^commit.*$|^show.*$|^rollback.*$"
>                 deny-commands = "^request.*$|^op.*$|^test.*$|^file delete.*$|^delete logical-routers.*$"
>                 # configuration hierarchy this user may touch (<LR> = name of the logical router)
>                 allow-configuration = "logical-routers <LR>"
>                 deny-configuration = "delete logical-routers"
>         }
> }
>
>
> On 5/29/07, Chuck Anderson <cra at wpi.edu> wrote:
> > On Wed, May 30, 2007 at 12:21:50PM +0800, wang yi wrote:
> > > I have put some physical interfaces into my logical router. When I telnet to
> > > it, even with the logical router argument, I still get into the physical
> > > router.  How can I allow people to telnet/ssh to the logical router so
> > > that the user is not aware of the existence of the physical router?
> >
> > logical-routers do not provide full isolation of the management
> > interfaces, configuration mode, etc. so you cannot use them to give a
> > logical router to a customer, for example.
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
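Added example, not taken from any of the posts above: a local login-class configuration on the master router that implements Guy's recommendation. Logical-router operators get a read-only class whose allow/deny regexes follow the same pattern as the tacacs.conf snippet quoted above, while configure/commit rights stay with an administrator class that is only ever used from the master routing instance. Class and user names are hypothetical and the authentication stanzas are omitted.

```junos
system {
    login {
        /* Hypothetical class for people who operate a single logical router.
           They can look but cannot enter the shared candidate configuration,
           so they can never commit someone else's half-finished changes. */
        class lr-operator {
            permissions [ view view-configuration ];
            allow-commands "^(show|ping|traceroute|monitor)( .*)?$";
            /* Keep the allow and deny regexes disjoint so that the precedence
               rule between them never comes into play. */
            deny-commands "^(configure|edit|commit|rollback|load|request|op|test|file delete)( .*)?$";
        }
        /* Hypothetical class for the administrators who make every
           configuration change from the master routing instance. */
        class master-admin {
            permissions all;
        }
        /* Hypothetical users; password or ssh-key authentication omitted.
           With TACACS+ the same split is done centrally by returning
           allow-commands/deny-commands in the junos-exec service, as in the
           quoted tacacs.conf example. */
        user lr-a-ops {
            class lr-operator;
        }
        user netadmin {
            class master-admin;
        }
    }
}
```

The permission flags alone (no `configure`) already keep lr-operator out of configuration mode; the deny-commands regex is a second, explicit barrier so that a later change to the permissions list does not silently hand the shared candidate configuration back to logical-router users.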