Junos Automation (Scripting)
Contributor
stephen.gradzki
Posts: 11
Registered: ‎05-28-2012
Accepted Solution

SLAX script to build a firewall policer if the referenced one does not exist

Hello All

I am trying to build a SLAX commit script to create firewall policers on demand on a device running JUNOS 12.1R1.9. This is to avoid having to pre-configure all possible policer profiles that we might want to apply to a customer interface.

The script logic is meant to detect a policer being added to an interface and then build the referenced policer. However I am finding that the commit fails due to the missing policer before the commit script runs, e.g.

# commit check
error: Referenced policer rate_limiter_400m not defined
error: configuration check-out failed

I have added this line of config to the device "set system scripts commit file test.slax" but regardless of the script's contents the commit fails straight away.

Any help would be much appreciated.

Regards

Stephen
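As an added illustration of the logic the question describes (not the script attached to the thread, which is not reproduced on this page), here is a SLAX commit script that emits a <change> creating any family inet policer referenced from an interface unit but absent from firewall/policer, extended to input as well as output references. It assumes the rate_limiter_<bandwidth> naming convention, a discard action and a 1m burst, and fails the commit for references it cannot synthesise.

```slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/* Assumed naming convention: rate_limiter_<bandwidth>, e.g. rate_limiter_400m */
var $prefix = "rate_limiter_";

match configuration {
    var $cfg = .;
    /* Every policer referenced from family inet on any unit, input or output */
    for-each (interfaces/interface/unit/family/inet/policer/output
              | interfaces/interface/unit/family/inet/policer/input) {
        var $name = .;
        var $rate = substring-after($name, $prefix);
        if (not($cfg/firewall/policer[name == $name])) {
            if ($rate == "") {
                /* Reference we cannot synthesise: fail the commit explicitly */
                <xnm:error> {
                    <message> "Policer " _ $name _ " is not defined and does not follow the " _ $prefix _ "<rate> convention";
                }
            } else {
                <xnm:warning> {
                    <message> "Creating missing policer " _ $name _ " at " _ $rate;
                }
                /* Merged into the candidate configuration; a second reference to the
                   same missing name emits an identical change, which merges harmlessly */
                <change> {
                    <firewall> {
                        <policer> {
                            <name> $name;
                            <if-exceeding> {
                                <bandwidth-limit> $rate;   /* assumed: "400m" style value */
                                <burst-size-limit> "1m";   /* assumed burst */
                            }
                            <then> {
                                <discard>;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

Whether this change lands before the referential-integrity check that the thread shows failing is exactly what the thread is trying to establish, so it should be exercised with commit check as the posters do.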

Recognized Expert
Mattia
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

Hi Stephen, could you please attach the script code? Thanks!
.................................................................................
JNCIP-ENT, JNCIP-SEC, JNCIS-SP
(If this post helped you, please mark it as an "Accepted Solution"; kudos are also appreciated!)


Contributor
stephen.gradzki
Posts: 11
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

Script attached as requested. Thanks

Recognized Expert
Mattia
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

Thanks for sharing the code; I tried it and the script actually runs before the configuration checkout.

It's not showing any output when it finds an added filter, due to a typo: the <xnm:warningerror> should be a <xnm:warning> instead!

Now the output shows as expected:

warning: Found, added rate limiter+                   output rate_limiter_700m;

Just a question: the script code is meant only to raise a warning as for now, without trying to automatically build the referenced filter, is that correct? So the configuration check-out will still fail after the warning messages are displayed.



Contributor
stephen.gradzki
Posts: 11
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

Thanks for the reply. I have corrected the typo and have changed the warning to an error (to get the commit to fail based on the commit script) but am still finding that unless the firewall policer has already been defined, the commit fails before the script gets a chance to run.

Here is the output from the device where I have tested with two policers. rate_limiter_100m already exists in the config and rate_limiter_110m does not. I have also attached the updated script; not sure what I am missing, and any help is much appreciated.

T4000# commit check
re0:
configuration check succeeds
re1:
error: Found, added rate limiter+                   output rate_limiter_100m;
error: 1 error reported by commit scripts
error: commit script failure
re0:
error: remote commit-configuration failed on re1

{master}[edit]
T4000# set interfaces xe-7/1/11 unit 0 family inet policer output rate_limiter_110m

{master}[edit]
T4000# commit check
error: Referenced policer rate_limiter_110m not defined
error: configuration check-out failed

Recognized Expert
Mattia
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

Just to be sure, did you update the script version on both routing engines (a quick way is to use the "file copy" operational command)? And you could add some debugging code, just to check that the script has started, like the following at the beginning of the script:

<xnm:warning> {
    <message> "Script test2.slax started.";
}

Let me know if the commit still seems to fail before the execution of the script!


Contributor
stephen.gradzki
Posts: 11
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

Yep, I copied the updated script to both REs and have also added the debug message. I get the debug message but still not the error message from my script; it looks like the config check process gets in first.

T4000# run file copy /var/db/scripts/commit/test.slax re1:/var/db/scripts/commit/test.slax

{master}[edit]
T4000# commit check
warning: Script test.slax started.
configuration check succeeds
re1:
warning: Script test2.slax started.
error: Found, added rate limiter+                   output rate_limiter_100m;
error: 1 error reported by commit scripts
error: commit script failure
re0:
error: remote commit-configuration failed on re1

{master}[edit]
T4000# set interfaces xe-7/1/11 unit 0 family inet policer output rate_limiter_110m

{master}[edit]
T4000# commit check
warning: Script test.slax started.
error: Referenced policer rate_limiter_110m not defined
error: configuration check-out failed

{master}[edit]
T4000#

Recognized Expert
Mattia
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

I tried the last version you updated and it seems to work as expected. I still have doubts that the script loaded on re1 and the one loaded on re0 are different; also the warning messages displayed are different:

T4000# commit check
warning: Script test.slax started.
configuration check succeeds
re1:
warning: Script test2.slax started.
error: Found, added rate limiter+

To check that the files have been loaded correctly, type the operational commands "file show re0:/var/db/scripts/commit/test2.slax" and "file show re1:/var/db/scripts/commit/test2.slax".


Contributor
stephen.gradzki
Posts: 11
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

I have re-copied the file and, using the suggested command, have confirmed their contents are the same. I still have the same behaviour: adding config that references a profile that does not exist triggers a config check-out error before the logic in the script gets invoked.

T4000# set interfaces xe-7/1/11 unit 0 family inet policer output rate_limiter_100m

{master}[edit]
T4000# commit check
warning: Script test2.slax started.
configuration check succeeds
re1:
warning: Script test2.slax started.
error: Found, added rate limiter+                   output rate_limiter_100m;
error: 1 error reported by commit scripts
error: commit script failure
re0:
error: remote commit-configuration failed on re1

{master}[edit]
T4000# set interfaces xe-7/1/11 unit 0 family inet policer output rate_limiter_110m

{master}[edit]
T4000# commit check
warning: Script test2.slax started.
error: Referenced policer rate_limiter_110m not defined
error: configuration check-out failed


Recognized Expert
Mattia
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

Ok, thanks for double-checking it :-)

The warning message "script started" confirms that the script is being run, so probably something is going wrong during the execution...

Now I would configure traceoptions in order to debug the script more deeply, this way:

# set system scripts commit traceoptions file CSCRIPT_TRACE
# set system scripts commit traceoptions flag all

Then you can repeat the test (commit, add filter, commit again), and inspect the logs ("> show log CSCRIPT_TRACE") for any errors. If you attach the log file I will have a look at it too!


Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.