Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Example: Protecting the Junos OS Configuration from Modification or Deletion

This example shows how to use the protect and unprotect commands in the configuration mode to protect and unprotect the CLI configuration.

Requirements

This example uses the following hardware and software components:

  • An M Series, MX Series, PTX Series, or T Series device

  • Junos OS 11.2 or later running on all devices

Overview

The Junos OS enables you to protect the device configuration from being modified or deleted by other users. This can be accomplished by using the protect command in the configuration mode of the CLI. Likewise, you can also unprotect a protected configuration by using the unprotect command.

These commands can be used at any level of the configuration hierarchy—a top-level parent hierarchy or a configuration statement or an identifier within the lowest level of the hierarchy.

If a configuration hierarchy is protected, users cannot perform the following activities:

  • Deleting or modifying a hierarchy or a statement or identifier within the protected hierarchy

  • Inserting a new configuration statement or an identifier within the protected hierarchy

  • Renaming a statement or identifier within the protected hierarchy

  • Copying a configuration into a protected hierarchy

  • Activating or deactivating statements within a protected hierarchy

  • Annotating a protected hierarchy

Topology

Protecting a Parent-Level Hierarchy

Procedure

Step-by-Step Procedure

To protect a configuration at the top level of the hierarchy:

Identify the hierarchy that you want to protect and issue the protect command for the hierarchy at the [edit] hierarchy level.

For example, if you want to protect the entire [edit access] hierarchy level, use the following command:

Results

Protects all elements under the parent hierarchy.

Note:

If you issue the protect command for a hierarchy that is not used in the configuration, the Junos OS CLI displays the following error message:

Protecting a Child Hierarchy

Procedure

Step-by-Step Procedure

To protect a child hierarchy contained within a parent hierarchy:

Navigate to the parent container hierarchy. Use the protect command for the hierarchy at the parent level.

For example, if you want to protect the [edit system syslog console] hierarchy level, use the following command at the [edit system syslog] hierarchy level.

Results

Protects all elements under the child hierarchy.

Protecting a Configuration Statement Within a Hierarchy

Procedure

Step-by-Step Procedure

To protect a configuration statement within a hierarchy level:

Navigate to the hierarchy level containing the statement that you want to protect and issue the protect command for the hierarchy.

For example, if you want to protect the host-name statement under the [edit system] hierarchy level, use the following command:

Results

Protecting a List of Identifiers for a Configuration Statement

Procedure

Step-by-Step Procedure

Some configuration statements can take multiple values. For example, the address statement at the [edit system login deny-sources] hierarchy level can take a list of hostnames, IPv4 addresses, or IPv6 addresses. Suppose you have the following configuration:

To protect all the addresses for the address statement, use the following command at the [edit] level:

Results

All the addresses ([172.17.28.19 172.17.28.20 172.17.28.21 172.17.28.22]) for the address statement are protected.

Protecting an Individual Member from a Homogenous List

Procedure

Step-by-Step Procedure

Suppose you have the following configuration:

To protect one or more individual addresses for the name-server statement, issue the following command at the [edit] level:

Results

Addresses 10.1.2.1 and 10.1.2.4 are protected.

Unprotecting a Configuration

Procedure

Step-by-Step Procedure

Suppose you have the following configuration at the [edit system] hierarchy level:

To unprotect the entire [edit system] hierarchy level, issue the following command at the [edit] level:

Results

The entire system hierarchy level is unprotected.

Verification

Verify That a Hierarchy Is Protected Using the show Command

Purpose

To check that a configuration hierarchy is protected.

Action

In the configuration mode, issue the show command at the [edit] hierarchy level to see all the configuration hierarchies and configuration statements that are protected.

Note:

All protected hierarchies or statements are prefixed with a protect: string.

Verify That a Hierarchy Is Protected by Attempting to Modify a Configuration

Purpose

To verify that a configuration is protected by trying to modify the configuration using the activate, copy, insert, rename, and delete commands.

Action

To verify that a configuration is protected:

  1. Try using the activate, copy, insert, rename, and delete commands for a top-level hierarchy or a child-level hierarchy or a statement within the hierarchy.

    For a protected hierarchy or statement, the Junos OS displays an appropriate warning that the command has not executed. For example:

  2. To verify that the hierarchy is protected, try issuing the activate command for the domain-search statement:

    [edit system]

    The Junos OS CLI displays an appropriate message:

Verify Usage of the protect Command

Purpose

To view the protect commands used for protecting a configuration.

Action

  1. Navigate to the required hierarchy.

  2. Issue the show | display set relative command.

View the Configuration in XML

Purpose

To check if the protected hierarchies or statements are also displayed in the XML. Protected hierarchies, statements, or identifiers are displayed with the | display xml attribute in the XML.

Action

To view the configuration in XML:

  1. Navigate to the hierarchy you want to view.

  2. Use the show command with the pipe symbol and option | display xml:

    [edit system]

    Note:

    Loading an XML configuration with the unprotect="unprotect" tag unprotects an already protected hierarchy. For example, suppose you load the following XML hierarchy:

    The [edit protocols] hierarchy becomes unprotected if it is already protected.