Junos OS

Hello All,

    I am tring to find out what is the best way to prevent someone from issuing the command "delete interface" on the Mseries routers. I still want them to be able to issue "delete interface fe-0/0/0" for example just not the whole interface stanza.

I am sure there is a commit script but is there another way?  Like something under the "system login class X" ?

Thank you

Hi,

yes here we go. I just wrote it for you :).

1) Put this script into /var/db/scripts/commit directiry on Junos device

2)Configure to use it:

lab@austria# show system scripts
commit {
    file checkinterfaces.slax;
} 

lab@austria# delete interfaces

[edit]
lab@austria# commit confirmed 1
You are not allowed to delete all interfaces!!!
  missing mandatory configuration statement
error: 1 error reported by commit scripts
error: commit script failure
 

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it. 

Kind Regards

Michael Pergament

Worked great in 8.5 Thank you so very much. 

I did notice that the commit script does not work in 7.4 and I am not sure the exact reason.

Hi,

I suppose it was not supported in 7.4.

Kind Regards

Michael Pergament

Hi Micheal,

Thanks for the script,it is very usefull.Is it possible to prevent delete interfaces lo0 with this scripts?

Best Regards

TAYFUN SARI

> Thanks for the script,it is very usefull.Is it possible to prevent delete interfaces lo0 with this scripts?

I changed mine in this way:

    call error-if-missing($must = interfaces/*/description, $statement = "You are not allowed to delete all interfaces!!!");

 to do the same for Lo0.0 (I believe, please test/confirm):

    call error-if-missing($must = interfaces/[name == "Lo0"], $statement = "You are not allowed to delete the Loopback interface!!!");