[j-nsp] command authorization and tacacs
Pierfrancesco Caci
pf at caci.it
Wed Dec 12 11:30:34 EST 2018
Hi Timur
>>>>> "Timur" == Timur Maryin <timamaryin at mail.ru> writes:
Timur> Hello!
Timur> On 11-Dec-18 15:33, Pierfrancesco Caci wrote:
>>
>> I have not found a way to prevent a user from accidentally deleting the
>> entire bgp config, but still allowing him to operate on single neighbors. Or
>> other similar situations involving top level configuration vs details
>> inside each block.
Timur> There are several ways to achieve that, for example:
Timur> 1. protect (kb.juniper.net/KB25493)
Thanks for pointing me to this feature, but it doesn't do what I need.
With this config:
    routing-instances {
        TEST {
            instance-type vrf;
            [...]
            protocols {
                protect: bgp {
                    group TRANSIT {
                        neighbor 198.51.100.0 {
                            [...]
I get this:
    [edit routing-instances TEST protocols bgp]
    pf_auto@var-mx204# set group TRANSIT description PIPPOPIPPO
    warning: [routing-instances TEST protocols bgp] is protected, 'routing-instances TEST protocols bgp group TRANSIT description' cannot be created
I.e., it protects everything below the level where the protect label is
applied. It doesn't let me change the content *inside* the section.
Timur> 2. commit script which checks presence of certain parts of config.
I'll need to refresh myself on this and see if I can use this
technique.
Thanks
Pf
--
Pierfrancesco Caci
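
Added example, not part of the original message and not Juniper code: an offline Python model of the presence check that option 2 (a commit script) would make, showing that an edit inside the BGP group passes while deleting the bgp stanza or the group is refused. The XML candidates are constructed, the REQUIRED policy and all function names are hypothetical, and the on-box wiring that would feed in the real candidate configuration and report each message as a commit error is not shown.

```python
# Added example: offline model of a commit-time presence check (not Junos code).
import xml.etree.ElementTree as ET

# Hypothetical policy: (routing-instance, BGP group) pairs that must always exist.
REQUIRED = [("TEST", "TRANSIT")]

def presence_errors(candidate_xml, required=REQUIRED):
    """Return one message per required stanza missing from the candidate config."""
    root = ET.fromstring(candidate_xml)
    errors = []
    for inst_name, group_name in required:
        path = f"routing-instances {inst_name}"
        inst = next((i for i in root.findall("routing-instances/instance")
                     if i.findtext("name") == inst_name), None)
        if inst is None:
            errors.append(f"{path} is missing")
            continue
        bgp = inst.find("protocols/bgp")
        if bgp is None:
            errors.append(f"{path} protocols bgp is missing")
            continue
        if not any(g.findtext("name") == group_name for g in bgp.findall("group")):
            errors.append(f"{path} protocols bgp group {group_name} is missing")
    return errors

def candidate(protocols_xml):
    """Build a constructed candidate config around the given <protocols> content."""
    return ("<configuration><routing-instances><instance><name>TEST</name>"
            "<instance-type>vrf</instance-type><protocols>" + protocols_xml +
            "</protocols></instance></routing-instances></configuration>")

# Constructed samples: an edit inside the group, and two destructive deletes.
EDITED = candidate("<bgp><group><name>TRANSIT</name>"
                   "<description>PIPPOPIPPO</description>"
                   "<neighbor><name>198.51.100.0</name></neighbor></group></bgp>")
BGP_DELETED = candidate("")
GROUP_DELETED = candidate("<bgp><group><name>OTHER</name></group></bgp>")

if __name__ == "__main__":
    for label, xml in [("edited", EDITED), ("bgp deleted", BGP_DELETED),
                       ("group deleted", GROUP_DELETED)]:
        print(label, "->", presence_errors(xml) or "commit allowed")
```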