Automation

  • 1.  How to insert a term in policy-statement (or firewall rules, nat rules etc) using ansible/pyez over netconf

    Posted 09-01-2016 22:43

    Hi, 

     

    I am using Ansible/netconf to automate Junos configuration, and I am facing a problem I could not find an easy solution for. In some scenarios I need to insert a term at a specific position of a policy-statement which is used to control BGP route advertisement to a peer (oftentimes the term just needs to be before the "reject" term at the very end). However, I cannot use the "insert" command in the config as it is not a valid "configuration"; netconf would throw an error. There is a similar problem with firewall rules and NAT rules: I cannot put a term/rule at a specific position via netconf.

     

    I am sure many people have faced this same problem, but surprisingly I cannot find an answer on the web.

     

    Thanks



  • 2.  RE: How to insert a term in policy-statement (or firewall rules, nat rules etc) using ansible/pyez over netconf

     
    Posted 09-01-2016 23:31

    Hi,

     

    Just a thought of maybe using a .set extension template for this, with commands sent in "set" format.

    "When configuring a device with the junos_install_config module through NETCONF, supported formats for the configuration data include ASCII text, Junos XML elements, and Junos OS set commands."

    http://www.juniper.net/techpubs/en_US/junos-ansible1.0/topics/example/junos-ansible-playbooks-device-configuring.html

     

    I also tried to figure this out but didn't have the opportunity to try it.

    Cheers,

    Ashvin



  • 3.  RE: How to insert a term in policy-statement (or firewall rules, nat rules etc) using ansible/pyez over netconf
    Best Answer

     
    Posted 09-02-2016 02:01

    With Junos 15.1 you could do this in a single operation in XML with the following:

     

    <configuration>
      <firewall>
        <family>
          <inet>
            <filter>
              <name>ham</name>
              <term operation="create" insert="before" name="spam">
                <name>eggs</name>
                <from>
                  ...
                </from>
              </term>
            </filter>
          </inet>
        </family>
      </firewall>
    </configuration>

    For earlier versions of Junos, it would require a two-step approach with the playbook, e.g. first one task to create the term, and then another to move the term.

    ---
    - hosts: all
      connection: local
      roles:
        - Juniper.junos

      tasks:
        # Step 1: create the new term (it is appended at the end of the filter)
        - name: install_config
          ignore_errors: false
          junos_install_config:
            host: "{{ inventory_hostname }}"
            user: "{{user}}"
            passwd: "{{passwd}}"
            overwrite: "no"
            file: "config1.xml"

        # Step 2: move the term in front of the reference term
        - name: move_config
          ignore_errors: false
          junos_install_config:
            host: "{{ inventory_hostname }}"
            user: "{{user}}"
            passwd: "{{passwd}}"
            overwrite: "no"
            file: "config2.xml"

    config1.xml

    <configuration>
      <firewall>
        <family>
          <inet>
            <filter>
              <name>ham</name>
              <term>
                <name>eggs</name>
                <from>
                  ...
                </from>
              </term>
            </filter>
          </inet>
        </family>
      </firewall>
    </configuration>

     

    config2.xml

    <configuration>
      <firewall>
        <family>
          <inet>
            <filter>
              <name>ham</name>
              <term insert="before" name="spam">
                <name>eggs</name>
              </term>
            </filter>
          </inet>
        </family>
      </firewall>
    </configuration>

     

    Regards,

    Andy
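
The move step from config2.xml, generalised to any ordered list such as the policy-statement terms from the original question. This is an added example, not code from the post or from Juniper; the `move_payload` helper and its parameters are hypothetical, and the "after" placement is assumed from the Junos XML protocol since the post only shows "before". Building the fragment with an XML library also means names that come from inventory variables are escaped instead of altering the configuration structure.

```python
import xml.etree.ElementTree as ET


def move_payload(path, list_tag, item, referent, where="before"):
    """Build a <configuration> fragment that moves `item` next to `referent`.

    path     -- list of (tag, name) pairs from the top of the hierarchy down
                to the container; name is None for containers without a key
    list_tag -- tag of the ordered entries, e.g. "term"
    item     -- name of the existing entry to move
    referent -- name of the entry it is placed before/after
    """
    if where not in ("before", "after"):
        raise ValueError("where must be 'before' or 'after'")
    root = ET.Element("configuration")
    node = root
    for tag, name in path:
        node = ET.SubElement(node, tag)
        if name is not None:
            ET.SubElement(node, "name").text = name
    # Same attribute form as config2.xml: insert="before" name="<referent>"
    entry = ET.SubElement(node, list_tag, {"insert": where, "name": referent})
    ET.SubElement(entry, "name").text = item
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Move term "telenor" in front of the final "reject" term of a policy.
    policy = [("policy-options", None),
              ("policy-statement", "messaging_carrier_backup")]
    print(move_payload(policy, "term", "telenor", "reject"))
    # The firewall case from the post: move "eggs" before "spam" in filter "ham".
    fw = [("firewall", None), ("family", None), ("inet", None), ("filter", "ham")]
    print(move_payload(fw, "term", "eggs", "spam"))
```

The returned string can be written to the file used by the second playbook task; the entry being moved must already exist, as in the two-step approach.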



  • 4.  RE: How to insert a term in policy-statement (or firewall rules, nat rules etc) using ansible/pyez over netconf

    Posted 09-02-2016 17:28

    Thank you so much. I am trying your way out; however, junos_install_config always complains about the following XML file: "Unable to load config: ConfigLoadError". I cannot find anything obviously wrong. I got the XML format from "show config ... | display xml", using .xml to set the system host name works fine, and it definitely is not a permission problem. The problem is with the following XML:

    <configuration>
        <policy-options>
            <policy-statement>
                <name>messaging_carrier_backup</name>
                    <term>
                        <name>telenor</name>
                        <from>
                            <protocol>bgp</protocol>
                            <router-filter>
                                <address>11.22.33.0/24</address>
                                <exact/>
                            </router-filter>
                        </from>
                        <then>
                            <as-path-prepend>65203 65203</as-path-prepend>
                            <accept/>
                        </then>
                    </term>
            </policy-statement>
        </policy-options>
    </configuration>

     


    @asharp wrote:

    With Junos 15.1 you could do this in a single operation in XML with the following:

     

    <configuration>
      <firewall>
        <family>
          <inet>
            <filter>
              <name>ham</name>
              <term operation="create" insert="before" name="spam">
                <name>eggs</name>
                <from>
                  ...
                </from>
              </term>
            </filter>
          </inet>
        </family>
      </firewall>
    </configuration>

     



  • 5.  RE: How to insert a term in policy-statement (or firewall rules, nat rules etc) using ansible/pyez over netconf

    Posted 09-02-2016 20:48

    Debug netconf on router (SRX) revealed that I had a stupid typo in the XML file: it should be <route-filter> while I had <router-filter>. Things worked as expected. Thank you @asharp very much for your help.
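
A pre-flight check for the failure resolved above, where a misspelled element only surfaced as a generic ConfigLoadError. This is an added example, not code from the thread: it compares the element names in a candidate file against those in an XML export taken from the device, and the reference fragment, the `suspect_tags` helper and the 0.8 similarity cutoff are assumptions.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed sample: fragment of a "show configuration | display xml" export
# from a device that already has a working policy (assumed to be available).
REFERENCE_XML = """
<configuration><policy-options><policy-statement>
  <name>existing_policy</name>
  <term><name>t1</name>
    <from><protocol>bgp</protocol>
      <route-filter><address>192.0.2.0/24</address><exact/></route-filter>
    </from>
    <then><as-path-prepend>65203</as-path-prepend><accept/></then>
  </term>
</policy-statement></policy-options></configuration>
"""

# The file from post 4, compacted, with its misspelled element left in place.
CANDIDATE_XML = """
<configuration><policy-options><policy-statement>
  <name>messaging_carrier_backup</name>
  <term><name>telenor</name>
    <from><protocol>bgp</protocol>
      <router-filter><address>11.22.33.0/24</address><exact/></router-filter>
    </from>
    <then><as-path-prepend>65203 65203</as-path-prepend><accept/></then>
  </term>
</policy-statement></policy-options></configuration>
"""


def suspect_tags(candidate_xml, reference_xml, cutoff=0.8):
    """Return (unknown_tag, closest_known_tag) pairs, in document order.

    A tag is reported only if it is absent from the reference AND closely
    resembles a tag that is present, so valid elements the reference never
    used are not flagged unless they look like a known tag.
    """
    known = sorted({el.tag for el in ET.fromstring(reference_xml).iter()})
    findings = []
    for el in ET.fromstring(candidate_xml).iter():
        if el.tag in known or any(el.tag == f[0] for f in findings):
            continue
        close = difflib.get_close_matches(el.tag, known, n=1, cutoff=cutoff)
        if close:
            findings.append((el.tag, close[0]))
    return findings


if __name__ == "__main__":
    for bad, good in suspect_tags(CANDIDATE_XML, REFERENCE_XML):
        print(f"unknown element <{bad}>, did you mean <{good}>?")
```

This is a heuristic and not schema validation: an empty result does not prove the file will load, and the device remains the authority on what it accepts.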