Allow-configuration class / Correct regular expression

‎01-28-2015 12:39 PM

Does anyone know how to correctly set a regular expression to let a user class enable any PoE interface and change any VLAN in the switch, including the VoIP VLAN?

This is the current configuration; however, I haven't been able to enable PoE on the interfaces nor configure VLANs in the switch.

#run show configuration system login
class prestador {
    permissions [ configure interface-control view view-configuration ];
    allow-configuration "(poe interface)|(ethernet-switching-options voip interface)";
    deny-configuration "(ge-./1/.)";
}

Thanks

Re: Allow-configuration class / Correct regular expression

‎01-28-2015 07:19 PM

Not sure what version you're running, but I tested your config on 12.3R8 on an EX8200 and it mostly worked. For some reason ethernet-switching-options still showed the uac-policy option.

I tried using the allow-configuration-regexps option instead.  That one worked properly, only giving access to the configuration levels specified.  To restrict access to the uplink ports like you were trying to do I listed them out.

class prestador {
    permissions [ configure interface-control view view-configuration ];
    allow-configuration-regexps [ "poe interface" "ethernet-switching-options voip interface" ];
    deny-configuration-regexps [ "poe interface ge-./1/." "ethernet-switching-options voip interface ge-./1/." "interfaces ge-./1/." ];
}

I tried the exact same config on 12.3R7 on an EX4200 and it didn't work. All of the top level configuration items were visible to "set ?", but trying to go into any that were not allowed failed. Command completion didn't work for any of the items. Typing out the ones manually allowed did work. After upgrading the EX4200 to 12.3R8, it worked correctly. The broken behavior is probably due to PR931415 even though the PR is listed for MX and SRX only.

Note that the uplink interfaces are still visible if you do ? in eth-switching voip interface, but it won't allow them to be specified.

 

-Chad

Re: Allow-configuration class / Correct regular expression

‎01-28-2015 07:41 PM

Here's a (somewhat) simpler alternative, with a caveat. 

 

class prestador {
    permissions [ configure interface-control view view-configuration ];
    allow-configuration-regexps [ "poe interface ge-./0/." "ethernet-switching-options voip interface ge-./0/." ];
    deny-configuration-regexps "interfaces ge-./1/.";
}

 

Caveat:  When inside "ethernet-switching-options vlan voip", ? doesn't expand to a list of interfaces with this config.  Instead, you have to manually type out the interface.  If you want the automatic expansion then you'd have to do a mix of the prior and this one.  Drop the interface from the eth-switching allow item and add back the deny eth-switching interface item.

 

Oh, and the allow/deny-configuration-regexps says it was added in 11.2.  If you're on an older version I strongly recommend upgrading.

 

-Chad
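
The two login-class variants from the replies can be compared offline before committing either one. The following is an added example, not part of the thread and not Juniper code: it assumes each pattern is an unanchored extended regex searched in the statement path and that a deny match overrides an allow match; `decide`, `audit` and the sample paths are constructed for illustration.

```python
import re

# Pattern lists copied from the two replies in the thread.
REPLY_1 = {
    "allow": ["poe interface", "ethernet-switching-options voip interface"],
    "deny": ["poe interface ge-./1/.",
             "ethernet-switching-options voip interface ge-./1/.",
             "interfaces ge-./1/."],
}
REPLY_2 = {
    "allow": ["poe interface ge-./0/.",
              "ethernet-switching-options voip interface ge-./0/."],
    "deny": ["interfaces ge-./1/."],
}

def decide(policy, statement):
    """Return 'deny', 'allow' or 'no-match' for one configuration path.

    Assumed model (not taken from Junos itself): every pattern is an
    unanchored regex searched in the path, and deny overrides allow.
    """
    if any(re.search(p, statement) for p in policy["deny"]):
        return "deny"
    if any(re.search(p, statement) for p in policy["allow"]):
        return "allow"
    return "no-match"  # neither list matched; the permissions flags decide

# Constructed sample paths: access ports (PIC 0) and uplinks (PIC 1).
SAMPLES = [
    "poe interface ge-0/0/5",
    "poe interface ge-0/0/47",   # '.' is one character; matches as a prefix
    "poe interface ge-0/1/0",
    "ethernet-switching-options voip interface ge-0/0/5",
    "ethernet-switching-options voip interface ge-0/1/0",
    "interfaces ge-0/1/0",
    "interfaces ge-0/0/5",
]

def audit(policy):
    """Map every sample path to its verdict under the given policy."""
    return {s: decide(policy, s) for s in SAMPLES}

if __name__ == "__main__":
    for name, policy in (("reply 1", REPLY_1), ("reply 2", REPLY_2)):
        print(name)
        for stmt, verdict in audit(policy).items():
            print(f"  {verdict:8} {stmt}")
```

Under this model the uplink PoE and VoIP paths come out as an explicit deny with the first variant and as unmatched with the second, so what the second variant does on those paths depends on the permissions flags.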