Junos - How to limit arguments to ping CLI command
The most elegant approach I've found so far is to explicitly allow "ping" arguments that need to be allowed (and the safest, I would say).
Code:
allow-commands = "(^show route)|(^show route .*)|(^quit)|(^ping (r[^a]|s[^i]|c|tt|no-re|.*host.*).*)|(^traceroute .*)|(^show bgp summary)"
And the outcome:
Code:
juniper@CORE_R1> ping ?
Possible completions:
<host> Hostname or IP address of remote host
count Number of ping requests to send (1..2000000000 packets)
no-resolve Don't attempt to print addresses symbolically
record-route Record and report packet's path (IPv4)
routing-instance Routing instance for ping attempt
source Source address of echo request
strict Use strict source route option (IPv4)
+ strict-source Intermediate strict source route entry (IPv4)
ttl IP time-to-live value (IPv6 hop-limit value) (1..255 hops)
So the above directive allows
- "ping r" commands, but not "ping ra"
- "ping s" commands, but not "ping si"
- "ping c" commands
- "ping tt" commands
- "ping no-re" commands
- "ping <host>". This is important, otherwise you won't be able to use a destination IP/hostname for ping.
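To see what that regex actually accepts before committing it to a login class, it helps to run it over candidate command lines offline. The harness below is an added example, not part of the original post or of Junos: it compiles the allow-commands string from the post verbatim and evaluates constructed command lines (192.0.2.x documentation addresses, made up for the test) with Python's re module. It assumes Python's matcher agrees with Junos's regex engine on this plain alternation and character-class syntax, and it does not model how Junos maps a typed address onto the `<host>` placeholder; a bare `ping 192.0.2.1` therefore fails the raw regex here even though the post shows `<host>` being offered on the box. One thing the harness does make visible is that the `.*host.*` clause is satisfied by any argument containing the substring "host", so a keyword the character classes were meant to block (rapid, size) passes again whenever the target name contains "host".

```python
import re

# The allow-commands value from the post, copied verbatim.
ALLOW_COMMANDS = (
    r"(^show route)|(^show route .*)|(^quit)|"
    r"(^ping (r[^a]|s[^i]|c|tt|no-re|.*host.*).*)|"
    r"(^traceroute .*)|(^show bgp summary)"
)
_ALLOW_RE = re.compile(ALLOW_COMMANDS)


def is_allowed(command: str) -> bool:
    """True if the command line matches the allow-commands regex.

    Assumption: Python's re engine agrees with Junos's matcher for this
    syntax, and matching is a search (every alternative in the post is
    anchored with ^ anyway). Junos's handling of the <host> placeholder
    for a typed address is not modelled here.
    """
    return _ALLOW_RE.search(command) is not None


def classify(commands):
    """Map each command line to True (allowed) / False (denied)."""
    return {cmd: is_allowed(cmd) for cmd in commands}


# Constructed command lines (not from the post) with the result the
# regex gives for each; 192.0.2.x are documentation addresses.
CASES = {
    # one completion keyword per allowed alternative
    "ping record-route 192.0.2.1": True,              # r[^a]
    "ping routing-instance mgmt 192.0.2.1": True,     # r[^a]
    "ping source 192.0.2.2 192.0.2.1": True,          # s[^i]
    "ping strict-source 192.0.2.3 192.0.2.1": True,   # s[^i]
    "ping count 3 192.0.2.1": True,                   # c
    "ping ttl 64 192.0.2.1": True,                    # tt
    "ping no-resolve 192.0.2.1": True,                # no-re
    "ping <host>": True,                              # .*host.* on the placeholder
    # keywords the character classes are written to exclude
    "ping rapid 192.0.2.1": False,                    # r followed by a
    "ping size 1400 192.0.2.1": False,                # s followed by i
    "ping detail 192.0.2.1": False,
    "ping interface ge-0/0/0.0 192.0.2.1": False,
    # a bare address matches nothing under a plain regex engine; the
    # placeholder mapping that makes this work on Junos is not modelled
    "ping 192.0.2.1": False,
    # caveat: .*host.* accepts any argument containing "host", which
    # re-admits the blocked keywords when the target name contains it
    "ping rapid localhost": True,
    "ping size 1400 host.example.net": True,
    # the other alternatives in the same directive
    "show route 192.0.2.0/24": True,
    "show bgp summary": True,
    "traceroute 192.0.2.1": True,
    "quit": True,
    "show configuration": False,
}


def mismatches():
    """Command lines whose regex result differs from the expectation in CASES."""
    return [cmd for cmd, expected in CASES.items() if is_allowed(cmd) != expected]


if __name__ == "__main__":
    for cmd, allowed in classify(CASES).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {cmd}")
    print("mismatches:", mismatches())
```

Run it as a script to get an ALLOW/DENY line per command; extend CASES with the keywords your own users need and re-run before touching the login class on the router. The two "localhost" style cases are the ones worth re-checking on a real box: if Junos behaves like a plain regex engine there, the `.*host.*` clause is broader than the post's bullet list suggests.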