To configure the router using the MD-CLI, the user must enter a configuration mode using the explicit or implicit configuration workflow.
The configuration workflow (implicit or explicit) determines if the user is restricted to the configure branch or if the user can navigate freely while in configuration mode. For more information about configuration workflows, see Implicit and explicit configuration workflows.
The configuration mode determines the interaction with other simultaneous configuration sessions. Table: Configuration mode overview provides an overview of the available configuration modes:
private configuration mode
See Private configuration mode for details.
exclusive configuration mode
See Exclusive configuration mode for details.
global configuration mode
See Global configuration mode for details.
read-only configuration mode
See Read-only configuration mode for details.
Private configuration mode | Exclusive configuration mode | Global configuration mode | Read-only configuration mode | |
---|---|---|---|---|
Candidate configuration accessed |
Private candidate configuration |
Global candidate configuration |
Global candidate configuration |
Global candidate configuration |
Single vs multiple users |
Multiple users can simultaneously configure their own private candidate |
Only one user can configure the global candidate |
Multiple users can simultaneously configure the shared global candidate |
Multiple users can have simultaneous read-only access to the global candidate |
Privacy |
User can see own changes. Changes are not visible for read-only sessions. |
User can see own changes. Changes are visible for read-only sessions. |
User can see changes from other global configuration sessions. Changes are visible for read-only sessions. |
Users can see changes from global or exclusive configuration sessions |
Commits |
Own changes are committed |
Own changes are committed. Commits from other configuration changes are blocked. |
Changes made by all global configuration sessions are committed |
Users cannot commit |
Update needed? |
Yes - baseline can become out-of-date when another private or global configuration session commits |
No - baseline is always up-to-date. Other configuration sessions cannot commit. |
Yes - baseline can become out-of-date when a private configuration session commits |
No - updates are not allowed in read-only configuration mode |
Private candidate configurations are not visible over NETCONF or gRPC.
An equivalent function of the MD-CLI update command to manage an out-of-date baseline is not available in NETCONF or gRPC.
As introduced in Transactional configuration method, configuration changes are made in a candidate configuration and copied in the running configuration when the configuration changes are committed and become active.
This section describes:
how the running configuration and a candidate configuration interact using a running datastore, a baseline datastore, and a candidate datastore
how simultaneous configuration sessions access one or multiple candidate configurations as a function of their configuration mode
The following figure shows multiple candidate configurations.
The running configuration is the active configuration of the router and is stored in the running datastore. There is only one running configuration in the router and therefore, only one running datastore. The running datastore is always instantiated.
The candidate configuration is a working configuration that contains changes before they are activated in the router. A candidate configuration uses two datastores:
a baseline datastore that contains a snapshot copy of the running datastore at a specific moment in time
a candidate datastore that contains changes relative to its associated baseline datastore
Multiple candidate configurations can exist simultaneously in the router with one of the following:
a single global candidate configuration that is accessed by one of the following:
a single session in exclusive configuration mode
one or multiple sessions in global configuration mode
one or multiple sessions in read-only configuration mode
An exclusive and global configuration session are mutually exclusive. Read-only configuration sessions can coexist with an exclusive configuration session or with one or multiple global configuration sessions.
The global baseline datastore and global candidate datastore are always instantiated.
up to eight private candidate configurations. A private candidate configuration is accessed by a single session in private configuration mode. The private baseline datastore and private candidate datastore are instantiated when the user enters the private configuration mode and the datastores are deleted from the router when the user exits the private configuration mode.
one single private exclusive candidate configuration for system use only. Only one exclusive session can be active in the router at a time: either a user-started exclusive configuration session accessing the global candidate configuration, or a system-started private exclusive configuration session accessing a private candidate configuration. For more information, see Exclusive private configuration session.
When a configuration session commits its candidate configuration, the router performs the following actions:
verifies the running configuration has not been changed by another configuration session
validates the candidate configuration by verifying the logic, constraints, and completeness of the candidate configuration
activates the candidate configuration by sending the new candidate configuration to the corresponding applications
After a successful commit, the changes are copied to the running datastore, the baseline datastore contains a new copy of the running datastore, and the candidate datastore is empty.
Furthermore, when simultaneous configuration sessions access different candidate configurations:
Multiple private configuration sessions each access their own private candidate configuration.
One or multiple private configuration sessions each access their own private candidate configuration and one or multiple global configuration sessions all access the global candidate configuration.
One or multiple private configuration sessions each access their own private candidate configuration and one exclusive configuration session accesses the global candidate configuration.
One or multiple private configuration sessions each access their own private candidate configuration and one private exclusive configuration session accesses a private candidate configuration.
Each configuration session adds changes in the candidate datastore relative to the baseline associated with the candidate configuration. The baseline datastore contains a snapshot copy of the running datastore at a specific time. Therefore, multiple, simultaneous configuration sessions that are active in the router and that access different candidate configurations have their own unique view of the candidate configuration and cannot see other users’ changes, as shown in the following figure.
Changes in a candidate configuration can only be committed when the running configuration has not been changed or touched after the baseline snapshot was taken. In other words, the baseline must be up to date to commit the changes.
The following figure shows how the baseline datastore of user-2’s candidate configuration is out-of-date after user-1 committed its changes. An exclamation mark (!) is shown in the prompt to indicate an out-of-date baseline status.
Because the baseline is out-of-date, user-2 must update its candidate configuration before committing. An update copies a new snapshot from the running datastore to the baseline datastore and merges the changes from the candidate datastore, as shown in the following figure.
With more than one user working on the same part of the configuration, conflicts can occur when committed changes of one user’s configuration session are merged into another user’s candidate configuration. A merge conflict occurs when a configuration element is added, deleted, or modified in the candidate configuration and the same configuration element is also added, deleted, or modified in the running configuration after the baseline snapshot was taken. With the update command, the router resolves each merge conflict and installs the result in the candidate configuration, as shown in the following figure.
When a commit operation is executed in a configuration session while the baseline is out-of-date, the router first attempts to automatically update the candidate configuration. If a merge conflict is detected, the commit operation is canceled, to allow the administrator to resolve the merge conflicts manually. The candidate configuration remains in the same state as before the commit operation.
In configuration mode, the administrator can use the following tools to check and resolve potential merge conflicts:
compare baseline running
This tool lists the changes that were made in the running datastore after a snapshot copy was stored in the baseline datastore.
compare baseline candidate or compare
This tool lists the candidate configuration changes.
update check
This tool performs a dry run update. The router reports all merge conflicts as if an update was performed. The candidate configuration, that is, the baseline candidate datastore, is not changed with this command.
Conflict detection and resolution is detailed in Updating the candidate configuration.
In private configuration mode, a private candidate configuration is reserved for editing by a single private configuration session. Each private configuration session works on its own copy of the running configuration. Only the changes made in the private configuration session are visible and can be committed. Private configuration mode can be used when multiple users are configuring simultaneously on different parts of the router configuration.
A private configuration session has the following characteristics:
Each private configuration session accesses its own private candidate configuration. The private candidate configuration is instantiated when the user enters private configuration mode and is deleted form the router when the user exits private configuration mode.
Changes can only be entered in its own private candidate configuration.
Configuration changes are visible only in the private candidate configuration in which the changes are entered.
Uncommitted changes in the private candidate configuration cannot be seen by other private, exclusive, global, or read-only configuration sessions.
When the commit command is issued, only those changes entered in its own private candidate configuration are committed.
When a private configuration session is started, a new private candidate configuration is instantiated and has no uncommitted changes.
When a user leaves private configuration mode, uncommitted changes are discarded and the private candidate configuration is deleted. The user is prompted for confirmation to exit when uncommitted changes are present.
For simultaneous configuration sessions:
Up to eight simultaneous private configuration sessions can coexist. Each private configuration session accesses its own private candidate configuration. Private candidate configurations can have uncommitted changes when another private configuration session starts. A private configuration session can edit and commit its private candidate configuration while another private configuration session is active.
An exclusive configuration session can coexist with a private configuration session. The private candidate configuration can have uncommitted changes when an exclusive configuration session starts. The exclusive session can edit and commit changes while a private configuration session is active. The private configuration session can still edit the private candidate configuration, but changes cannot be committed because the exclusive session holds a lock on the running datastore.
Multiple global configuration sessions can coexist with a private configuration session. A global configuration session accesses the global candidate configuration. The private candidate configuration can have uncommitted changes when the global configuration session starts.
Multiple read-only configuration sessions can coexist with a private configuration session. Read-only configuration sessions access the global candidate configuration. A read-only configuration session cannot view the changes in the private candidate configuration. The private candidate configuration can have uncommitted changes when a read-only configuration session starts.
Datastore interactions include the following characteristics:
The private baseline datastore becomes out-of-date when another private, exclusive, global, or private exclusive configuration session commits changes to the running datastore after the private baseline snapshot was taken. An out-of-date baseline is indicated in the prompt with an exclamation mark.
An update of the private candidate configuration is needed when its private baseline datastore is out-of-date. An update copies a new snapshot of the running datastore in the private baseline datastore and merges the changes from the private candidate datastore. Merge conflicts detected in a manual update are reported and resolved. Merge conflicts detected in an automatic update as part of a commit operation result in the cancellation of the commit operation.
A snapshot of the running datastore is copied in the private baseline datastore:
at instantiation of the private candidate configuration when a user enters the private configuration mode
when a manual update is performed
after a commit, when no merge conflicts are detected during the automatic update and the updated candidate configuration is valid
When entering private configuration mode, the following messages are displayed:
[/]
A:admin@node-2# configure private
INFO: CLI #2070: Entering private configuration mode
INFO: CLI #2061: Uncommitted changes are discarded on configuration mode exit
When leaving private configuration mode, the following messages are displayed:
without uncommitted changes in the private candidate configuration:
[pr:/configure]
A:admin@node-2# exit all
INFO: CLI #2074: Exiting private configuration mode
with uncommitted changes present in the private candidate configuration:
*[pr:/configure]
A:admin@node-2# exit all
INFO: CLI #2071: Uncommitted changes are present in the candidate configuration.
Exiting private configuration mode will discard those changes.
Discard uncommitted changes? [y,n] n
INFO: CLI #2072: Exit private configuration mode canceled
*[pr:/configure]
A:admin@node-2# exit all
INFO: CLI #2071: Uncommitted changes are present in the candidate configuration.
Exiting private configuration mode will discard those changes.
Discard uncommitted changes? [y,n] y
WARNING: CLI #2073: Exiting private configuration mode - uncommitted changes are discarded
Private candidate configurations are not visible over NETCONF or gRPC.
An equivalent function of the MD-CLI update command to manage an out-of-date baseline is not available in NETCONF or gRPC.
In exclusive configuration mode, the global configuration is reserved for editing by a single read-write configuration session. In addition, the running datastore is locked such that no other configuration session can commit changes. Exclusive configuration mode can be used when important router configuration changes must be implemented that cannot be interrupted or delayed, and to avoid the risk of committing other users’ partial completed changes.
An exclusive configuration session has the following characteristics:
An exclusive configuration session accesses the global candidate configuration.
Only one user can enter exclusive configuration mode at a time.
Configuration changes in the global candidate can only be entered by the user in exclusive configuration mode.
Configuration changes in the global candidate are visible for read-only configuration sessions.
Changes in the global candidate configuration can only be committed by the user in exclusive configuration mode
Uncommitted changes cannot be present in the global candidate configuration when an exclusive configuration session starts.
Uncommitted changes are discarded from the global candidate configuration when a user leaves the exclusive configuration mode. The user is prompted for confirmation to exit when uncommitted changes are present.
For simultaneous configuration sessions:
Multiple private configuration sessions can coexist with an exclusive configuration session. Each private configuration session accesses its own private candidate configuration. The global candidate configuration can have uncommitted changes when a private configuration session starts. A private configuration session can edit its private candidate configuration but cannot commit the changes while an exclusive configuration session is active.
Only one exclusive configuration session can be active in the router at a time.
An exclusive and global configuration session are mutually exclusive.
Multiple read-only configuration sessions can coexist with an exclusive configuration session. Read-only configuration sessions access the same global candidate configuration. The global candidate configuration can have uncommitted changes when a read-only configuration session starts.
Datastore interactions include the following characteristics:
The global baseline datastore is always up to date. Commits from other configuration sessions are blocked while an exclusive configuration session is active.
An update of the global candidate configuration is not needed in exclusive configuration mode.
When entering exclusive configuration mode, the following messages are displayed:
with a global configuration session active:
[/]
A:admin@node-2# configure exclusive
MINOR: MGMT_CORE #2052: Exclusive datastore access unavailable - model-driven interface editing global candidate
with uncommitted changes present in the global candidate configuration:
[/]
A:admin@node-2# configure exclusive
MINOR: MGMT_CORE #2052: Exclusive datastore access unavailable - model-driven interface has uncommitted changes in global candidate
with a private configuration session active:
[/]
A:admin@node-2# edit-config exclusive
INFO: CLI #2060: Entering exclusive configuration mode
INFO: CLI #2061: Uncommitted changes are discarded on configuration mode exit
MGMT_CORE #2052 is shown only when applicable.
To display the current active configuration sessions in the router, use the command show system management-interface configuration-sessions.
When leaving exclusive configuration mode, the following messages are displayed:
without uncommitted changes in the global candidate configuration:
[ex:/configure]
A:admin@node-2# exit all
INFO: CLI #2064: Exiting exclusive configuration mode
with uncommitted changes in the global candidate configuration:
*[ex:/configure]
A:admin@node-2# exit all
INFO: CLI #2063: Uncommitted changes are present in the candidate configuration.
Exiting exclusive configuration mode will discard those changes.
Discard uncommitted changes? [y,n] n
INFO: CLI #2065: Exit exclusive configuration mode canceled
*[ex:/configure]
A:admin@node-2# exit all
INFO: CLI #2063: Uncommitted changes are present in the candidate configuration.
Exiting exclusive configuration mode will discard those changes.
Discard uncommitted changes? [y,n] y
WARNING: CLI #2062: Exiting exclusive configuration mode - uncommitted changes are discarded
In global configuration mode, the global configuration is shared with all global configuration sessions. When a user commits their changes, the changes from all users are also committed. Global configuration mode can be used when multiple users are working together on the same part of the router configuration but is generally not recommended because it can cause unintended configuration to be committed.
A global configuration session has the following characteristics:
A global configuration session accesses the global candidate configuration.
Multiple users can enter global configuration mode simultaneously.
Configuration changes made by one user are visible to all other users in global or read-only configuration mode. Configuration changes in private candidate configurations are not visible.
All changes in the global candidate configuration, from all users, are committed to the running configuration when one user commits the global candidate configuration.
Uncommitted changes can be present in the global candidate configuration when a global configuration session starts.
Uncommitted changes are kept in the global candidate configuration when a user leaves the global configuration mode.
For simultaneous configuration sessions:
Multiple private configuration sessions can coexist with a global configuration session. Each private configuration session accesses its own private candidate configuration. The global candidate configuration can have uncommitted changes when a private configuration session starts.
An exclusive and global configuration session are mutually exclusive.
Multiple global configuration sessions can coexist. All global configuration sessions access the same global candidate configuration. The global candidate configuration can have uncommitted changes when another global configuration session starts.
Multiple read-only configuration sessions can coexist with a global configuration session. Read-only configuration sessions access the same global candidate configuration. The global candidate configuration can have uncommitted changes when a read-only configuration session starts.
Datastore interactions include the following characteristics:
The global baseline datastore becomes out-of-date when another private or private exclusive configuration session commits changes to the running datastore after the global baseline snapshot was taken. An out-of-date baseline is indicated in the prompt with an exclamation mark.
An update of the global candidate configuration is needed when its global baseline datastore is out-of-date. An update copies a new snapshot of the running datastore in the global baseline datastore and merges the changes from the global candidate datastore. Merge conflicts detected in a manual update are reported and resolved. Merge conflicts detected in an automatic update as part of a commit operation result in the cancellation of the commit operation.
The baseline datastore tracks the running datastore, that is, changes in the running datastore are automatically copied in the baseline datastore:
after a router reboot
after a successful commit
after a discard with an up to date global baseline
A snapshot copy of the running datastore is copied in the global baseline datastore and tracking stops when the global candidate is touched, for example, when a configuration element has been added, deleted, or modified. A new snapshot of the running datastore is copied to the global baseline datastore when a manual update is performed.
When entering global configuration mode, the following messages are displayed:
[/]
A:admin@node-2# configure global
INFO: CLI #2054: Entering global configuration mode
INFO: CLI #2055: Uncommitted changes are present in the candidate configuration
INFO: CLI #2075: Other global configuration sessions are active
CLI #2055 and CLI #2075 are shown only when applicable.
To display the current active configuration sessions in the router, use the command show system management-interface configuration-sessions.
When leaving global configuration mode, the following messages are displayed:
*[gl:/configure]
A:admin@node-2# exit all
INFO: CLI #2056: Exiting global configuration mode
INFO: CLI #2057: Uncommitted changes are kept in the candidate configuration
In read-only configuration mode, no changes can be made to the global candidate configuration and no changes can be committed to the running configuration. Read-only configuration mode can be used when reviewing or monitoring configuration changes from other users in the global candidate configuration.
A read-only configuration session has the following characteristics:
A read-only configuration session accesses the global candidate configuration.
Multiple users can enter read-only configuration mode simultaneously.
All configuration changes in the global candidate configuration are visible. Configuration changes in private candidate configurations are not visible.
The global configuration cannot be edited and changes in the global configuration cannot be committed.
Uncommitted changes can be present in the global candidate configuration when a read-only configuration session starts.
Uncommitted changes are kept in the global candidate configuration when a user leaves a read-only configuration mode.
For simultaneous configuration sessions:
Multiple private configuration sessions can coexist with a read-only configuration session. Each private configuration session accesses its own private candidate configuration. The global candidate configuration can have uncommitted changes when a private configuration session starts.
An exclusive configuration session can coexist with a read-only configuration session. The exclusive configuration session accesses the same global candidate configuration. The global candidate configuration cannot have uncommitted changes when an exclusive configuration session starts.
Multiple global configuration sessions can coexist with a read-only configuration session. Global configuration sessions access the same global candidate configuration. The global candidate configuration can have uncommitted changes when another global configuration session starts.
Multiple read-only configuration sessions can coexist. Read-only configuration sessions access the same global candidate configuration. The global candidate configuration can have uncommitted changes when another read-only configuration session starts.
When entering read-only configuration mode, the following message is displayed:
[/]
A:admin@node-2# configure read-only
INFO: CLI #2066: Entering read-only configuration mode
When leaving read-only configuration mode, the following message is displayed:
*[ro:/configure]
A:admin@node-2# exit all
INFO: CLI #2067: Exiting read-only configuration mode
Exclusive, global, and read-only configuration sessions that access the global candidate configuration can transition between these configuration modes without exiting and re-entering the configuration mode.
Transitions from and to private configuration mode are not allowed.
The following summarizes the configuration mode transitions and transitions to operational mode.
Configuration and operational mode transition |
To |
|||||
---|---|---|---|---|---|---|
Global |
Exclusive |
Read-only |
Private |
Operational mode |
||
From |
Global |
X1 |
Allowed; no other exclusive or global configuration session can be active; uncommitted changes are kept |
Allowed; uncommitted changes are kept |
X |
Allowed; uncommitted changes are kept |
Exclusive |
Allowed; uncommitted changes are discarded |
X1 |
Allowed; uncommitted changes are discarded |
X |
Allowed; uncommitted changes are discarded |
|
Read-only |
Allowed; no exclusive configuration session can be active; uncommitted changes are kept |
Allowed; no other exclusive or global configuration session can be active; uncommitted changes are kept |
X1 |
X |
Allowed; uncommitted changes are kept |
|
Private |
X |
X |
X |
X1 |
Allowed; uncommitted changes are discarded |
|
Operational mode |
Allowed |
Allowed |
Allowed |
Allowed |
X |
Transitioning from exclusive to global or read-only configuration mode causes the candidate changes to be discarded.
[/]
A:admin@node-2# edit-config exclusive
INFO: CLI #2060: Entering exclusive configuration mode
INFO: CLI #2061: Uncommitted changes are discarded on configuration mode exit
(ex)[/]
A:admin@node-2# configure router interface my-int
*(ex)[/configure router "Base" interface "my-int"]
A:admin@node-2# edit-config global
INFO: CLI #2063: Uncommitted changes are present in the candidate configuration.
Exiting exclusive configuration mode will discard those changes.
Discard uncommitted changes? [y,n] n
INFO: CLI #2065: Exit exclusive configuration mode canceled
*(ex)[/configure router "Base" interface "my-int"]
A:admin@node-2# edit-config read-only
INFO: CLI #2063: Uncommitted changes are present in the candidate configuration.
Exiting exclusive configuration mode will discard those changes.
Discard uncommitted changes? [y,n] y
WARNING: CLI #2062: Exiting exclusive configuration mode - uncommitted changes are discarded
INFO: CLI #2066: Entering read-only configuration mode
(ro)[/configure router "Base" interface "my-int"]
A:admin@node-2#
Switching from global or read-only to exclusive configuration mode is allowed when no other global or exclusive configuration session is active. Uncommitted changes in the global candidate configuration are kept.
In the following example, the admin disconnect command is used to disconnect another active global configuration session before the current session can switch to exclusive configuration.
[/]
A:admin@node-2# edit-config global
INFO: CLI #2054: Entering global configuration mode
INFO: CLI #2075: Other global configuration sessions are active
(gl)[/]
A:admin@node-2# configure router interface new-int
*(gl)[/configure router "Base" interface "new-int"]
A:admin@node-2# edit-config exclusive
MINOR: MGMT_CORE #2052: Exclusive datastore access unavailable - model-driven interface editing global candidate
*(gl)[/configure router "Base" interface "new-int"]
A:admin@node-2# /show system management-interface configuration-sessions
===============================================================================
Session ID Region Datastore Lock State
Username Session Mode Idle Time
Session Type From
-------------------------------------------------------------------------------
#22 configure Candidate Unlocked
admin Global 0d 00:00:00
MD-CLI 135.244.144.235
23 configure Candidate Unlocked
user-1 Global 0d 00:00:42
MD-CLI 135.244.144.235
-------------------------------------------------------------------------------
Number of sessions: 2
'#' indicates the current active session
===============================================================================
*(gl)[/configure router "Base" interface "new-int"]
A:admin@node-2#
*(gl)[/configure router "Base" interface "new-int"]
A:admin@node-2# /admin disconnect session-id 23
*(gl)[/configure router "Base" interface "new-int"]
A:admin@node-2# edit-config exclusive
INFO: CLI #2056: Exiting global configuration mode
INFO: CLI #2057: Uncommitted changes are kept in the candidate configuration
INFO: CLI #2060: Entering exclusive configuration mode
INFO: CLI #2061: Uncommitted changes are discarded on configuration mode exit
*(ex)[/configure router "Base" interface "new-int"]
A:admin@node-2#
An exclusive private configuration session is reserved for system internal use.
Router configuration changes are made via an exclusive private configuration session as a result of the following scenarios:
When the management interface configuration mode is set to mixed, with one of the following actions:
any configuration performed in the classic CLI engine
a gNMI configuration operation
When the management interface configuration mode is set to model-driven, with the following action:
a gNMI configuration operation
a password command execution which causes the system to update the configuration
It is important to be aware that an exclusive private configuration session can exist, as it interacts with other active configuration sessions in the following ways:
An exclusive configuration session and a private exclusive configuration session are mutually exclusive, as they both require a lock on the running datastore.
The global candidate configuration and private candidate configurations can become out-of-date when changes are committed via an exclusive private configuration session.
Commits from global and private configuration sessions are blocked when an exclusive private configuration session is active.
An exclusive private configuration session accesses its own private candidate configuration. Changes are not visible to other configuration sessions until they are committed and become active in the running configuration.
It may be desirable to deny a user the ability to use specific configuration modes. For example, denying the use of exclusive configuration mode prevents the user from locking the configuration datastore, or denying the use of the global configuration mode forces the user to work in a private candidate datastore.
It is possible to use AAA to deny access to particular configuration modes, as illustrated in the following configuration example.
In this example, the user pr-user has profile admin-private. Entries 3 and 4 in the local profile effectively deny users in the admin-private profile from entering the exclusive configuration mode in the MD-CLI.
[ex:/configure system security aaa local-profiles profile "admin-private"]
A:admin@node-2# info detail
## cli-session-group
default-action permit-all
---snip---
entry 3 {
## apply-groups
## description
action deny
match "edit-config exclusive"
}
entry 4 {
## apply-groups
## description
action deny
match "configure exclusive"
}
[/]
A:pr-user@node-2# configure exclusive
MINOR: MGMT_CORE #2020: Permission denied - unauthorized use of 'configure'
[/]
A:pr-user@node-2# configure ?
configure
Configuration modes:
global - Enter global (shared) mode for candidate configuration.
private - Enter private mode for candidate configuration.
read-only - Enter read-only mode for candidate configuration.
- Enter a candidate li configuration mode
[/]
A:pr-user@node-2# edit-config exclusive
MINOR: MGMT_CORE #2020: Permission denied - unauthorized use of 'edit-config'
[/]
A:pr-user@node-2# edit-config ?
edit-config
Configuration modes:
global - Enter global (shared) mode for candidate configuration.
private - Enter private mode for candidate configuration.
read-only - Enter read-only mode for candidate configuration.
li - Enter a candidate li configuration mode
The following additional entries to the profile deny users from entering the global configuration mode in the MD-CLI.
[ex:configure system security aaa local-profiles profile "admin-pr"]
A:admin@node-2# info detail
---snip---
entry 5 {
## apply-groups
## description
action deny
match "configure global"
}
entry 6 {
## apply-groups
## description
action deny
match "edit-config global"
}
[]
A:pr-user@node-2# configure ?
configure
Configuration modes:
private - Enter private mode for candidate configuration.
read-only - Enter read-only mode for candidate configuration.
[]
A:pr-user@node-2# edit-config ?
edit-config
Configuration modes:
private - Enter private mode for candidate configuration.
read-only - Enter read-only mode for candidate configuration.
li - Enter a candidate li configuration mode
[]
A:pr-user@node-2# configure global
MINOR: MGMT_CORE #2020: Permission denied - unauthorized use of 'configure'
[]
A:pr-user@node-2# edit-config global
MINOR: MGMT_CORE #2020: Permission denied - unauthorized use of 'edit-config'