Junos Automation (Scripting)
Contributor
Posts: 15
Registered: ‎05-28-2012
Accepted Solution

SLAX script to build a firewall policer if the referenced one does not exist

Hello All

 

I am trying to build a SLAX commit script to create firewall policers on demand on a device running JUNOS 12.1R1.9.  This is to avoid having to pre-configure all possible policer profiles that we might want to apply to a customer interface.

 

The script logic is meant to detect a policer being added to an interface and then build the referenced policer.  However I am finding that the commit fails due to the missing policer before the commit script runs, eg 

# commit check
error: Referenced policer rate_limiter_400m not defined
error: configuration check-out failed

 

I have added this line of config to the device "set system scripts commit file test.slax" but regardless of the script's contents the commit fails straight away.

 

Any help would be much appreciated.

 

Regards

 

Stephen

Recognized Expert
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

Hi Stephen, could you please attach the script code? Thanks!

 

.................................................................................
JNCIP-ENT, JNCIP-SEC, JNCIS-SP
(If this post helped you, please mark it as an "Accepted Solution"; kudos are also appreciated!)


Contributor
Posts: 15
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

Script attached as requested.  Thanks

Recognized Expert
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

[ Edited ]

Thanks for sharing the code; I tried it and the script actually runs before the configuration checkout.

It's not showing any output when it finds an added filter, due to a typo: the <xnm:warningerror>  should be a <xnm:warning> instead!

Now the output shows as expected:

warning: Found, added rate limiter+                   output rate_limiter_700m;

Just a question: the script code is meant only to raise a warning for now, without trying to automatically build the referenced filter, is that correct? So the configuration check-out will still fail after the warning messages are displayed.



Contributor
Posts: 15
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

Thanks for the reply.  I have corrected the typo and have changed the warning to an error (to get the commit to fail based on the commit script) but am still finding that unless the firewall policer has already been defined, the commit fails before the script gets a chance to run.

 

Here is the output from the device where I have tested with two policers.  rate_limiter_100m already exists in the config and rate_limiter_110m does not.  I have also attached the updated script, not sure what I am missing and any help is much appreciated.

 

T4000# commit check
re0:
configuration check succeeds
re1:
error: Found, added rate limiter+                   output rate_limiter_100m;
error: 1 error reported by commit scripts
error: commit script failure
re0:
error: remote commit-configuration failed on re1

{master}[edit]
T4000# set interfaces xe-7/1/11 unit 0 family inet policer output rate_limiter_110m

{master}[edit]
T4000# commit check
error: Referenced policer rate_limiter_110m not defined
error: configuration check-out failed

Recognized Expert
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

Just to be sure, did you update the script on both routing engines (a quick way is to use the "file copy" operational command)? And you could add some debugging code, just to check that the script has started, like the following at the beginning of the script:

 

<xnm:warning> {
    <message> "Script test2.slax started.";
}

Let me know if the commit still seems to fail before the execution of the script!

 

 



Contributor
Posts: 15
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

Yeap I copied the updated script to both REs and have also added the debug message.  I get the debug message but still not the error message from my script, looks like the config check process gets in first.

 

T4000# run file copy /var/db/scripts/commit/test.slax re1:/var/db/scripts/commit/test.slax   

{master}[edit]
T4000# commit check                                                                           
warning: Script test.slax started.
configuration check succeeds
re1: 
warning: Script test2.slax started.
error: Found, added rate limiter+                   output rate_limiter_100m;
error: 1 error reported by commit scripts
error: commit script failure
re0: 
error: remote commit-configuration failed on re1

{master}[edit]
T4000# set interfaces xe-7/1/11 unit 0 family inet policer output rate_limiter_110m           

{master}[edit]
T4000# commit check                                                                    
warning: Script test.slax started.
error: Referenced policer rate_limiter_110m not defined
error: configuration check-out failed

{master}[edit]
T4000#

 

Recognized Expert
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

I tried the last version you updated and it seems to work as expected. I still have doubts that the script loaded on re1 and the one loaded on re0 are different; also the warning messages displayed are different:

 

T4000# commit check                                                                           
warning: Script test.slax started.
configuration check succeeds
re1: 
warning: Script test2.slax started.
error: Found, added rate limiter+     

 To check that the files have been loaded correctly, type the operational command "file show re0:/var/db/scripts/commit/test2.slax" and "file show re1:/var/db/scripts/commit/test2.slax"




Contributor
Posts: 15
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

I have re-copied the file and using the suggested command have confirmed their contents are the same.  I still have the same behaviour - adding config that references a profile that does not exist triggers a config check out error before the logic in the script gets invoked.

 

T4000# set interfaces xe-7/1/11 unit 0 family inet policer output rate_limiter_100m 

{master}[edit]
T4000# commit check 
warning: Script test2.slax started.
configuration check succeeds
re1: 
warning: Script test2.slax started.
error: Found, added rate limiter+                   output rate_limiter_100m;
error: 1 error reported by commit scripts
error: commit script failure
re0: 
error: remote commit-configuration failed on re1

{master}[edit]
T4000# set interfaces xe-7/1/11 unit 0 family inet policer output rate_limiter_110m    

{master}[edit]
T4000# commit check                                                                    
warning: Script test2.slax started.
error: Referenced policer rate_limiter_110m not defined
error: configuration check-out failed

 

Recognized Expert
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

[ Edited ]
Ok, thanks for double-checking it :-)
The warning message "script started" confirms that the script is being run, so probably something is going wrong during the execution...
Now I would configure traceoptions in order to debug the script more deeply, this way:

# set system scripts commit traceoptions file CSCRIPT_TRACE
# set system scripts commit traceoptions flag all

Then you can repeat the test (commit, add filter, commit again), and inspect the logs (" > show log CSCRIPT_TRACE") for any errors. If you attach the log file I will have a look at it too!


Contributor
Posts: 15
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

I have added the traceoptions and have attached 2 log files.  In one I have added the config to reference an existing profile and in the other I have referenced a profile that does not exist.  The log files look similar to me.

Recognized Expert
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

[ Edited ]

Hi, in the trace I see the output "......config out removed" instead of the candidate configuration (in the xml element <commit-script-input>). Did you edit the file? If not, if you read the trace from the CLI, typing "show log <log file name>" do you see the same output?

Here is what it should look like:

[...]
Jun  7 22:13:46 post:  paging: faults 0, reclaims 189, swaps 0
Jun  7 22:13:46 post:  other: inb 0, outb 2, snd 1, rcv 1, sig 0, csw 2, icsw 8
Jun  7 22:13:46 commit script input
Jun  7 22:13:46 begin dump
<?xml version="1.0"?>
<commit-script-input xmlns:junos="http://xml.juniper.net/junos/*/junos">
 
<configuration junos:changed-seconds="1339107013" junos:changed-localtime="2012-06-07 22:10:13 UTC">
<version>10.4R1.9</version>
<system>
[...]

 I also compared your output with mine: the configuration-output variable is empty in your log, while it's showing the added configuration in mine:

 

<rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.4R1/junos" xmlns="">
<configuration-information>
<configuration-output>
[edit interfaces ge-1/0/0 unit 0 family inet]
+       policer {
+           output rate_limiter_400m;
+       }
</configuration-output>
</configuration-information>

So it's like the script is not detecting the configuration change, thus it's not matching the added policer...In order to confirm that, I would like to see the <commit-script-input>!

 

I would also suggest you copy the content of some of the script variables to the result tree, using the copy-of statement, like this:

 

    var $changed-config = jcs:invoke($get-config-rpc);
    copy-of $changed-config;
    var $changed-lines = jcs:break-lines($changed-config/configuration-output);
    copy-of $changed-lines;

This should generate the following output in the trace file:

 

  <configuration-output>+           output rate_limiter_400m;</configuration-output>
  <configuration-output>+       }</configuration-output>

 

 



Contributor
Posts: 15
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

I did edit the file as the whole config was included.  I have updated the scripts to use copy-of as suggested and have attached new log files.  Again the files contained the whole config which I have removed but have kept the lines tagged as changed, eg:

 

<name junos:changed="changed">xe-7/1/11</name>
<unit junos:changed="changed">
<name junos:changed="changed">0</name>
<family junos:changed="changed">
<inet junos:changed="changed">
<policer junos:changed="changed">
<output junos:changed="changed">rate_limiter_100m</output>

 

<interface junos:changed="changed">
<name junos:changed="changed">xe-7/1/11</name>
<unit junos:changed="changed">
<name junos:changed="changed">0</name>
<family junos:changed="changed">
<inet junos:changed="changed">
<policer junos:changed="changed">
<output junos:changed="changed">rate_limiter_110m</output>

  

Again the configuration-output variable is still empty, this happens both cases (adding an existing profile or adding a non existing profile).

 

T4000# commit check 
warning: Script test2.slax started.
configuration check succeeds
re0: 
warning: Script test2.slax started.
error: Found, added rate limiter+                   output rate_limiter_100m;
error: 1 error reported by commit scripts
error: commit script failure
re1: 
error: remote commit-configuration failed on re0

 and

 

T4000# commit check 
warning: Script test2.slax started.
error: Referenced policer rate_limiter_110m not defined
error: configuration check-out failed

 

Recognized Expert
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

[ Edited ]

Hi, this is weird... It looks like the rpc-reply is not returning anything in the expected output. I also don't understand why the script seems to behave differently on re0 and re1 when you run the commit-check. Maybe other users can provide help on this.

 

I edited the script in order to work around the issue, using a probably "cleaner" logic. The attached script raises a warning whenever you add a policer; it does not perform any other check, but it can be completed if it's working.

 

It works fine on my testbed:

 

[edit]   ---> No policer is applied on interfaces
root@TEST# show | match policer | display set
set firewall policer rate_limiter_100m if-exceeding bandwidth-limit 100m
set firewall policer rate_limiter_100m if-exceeding burst-size-limit 150k
set firewall policer rate_limiter_100m then discard

[edit]
root@TEST# commit
warning: Test4.slax script started.
commit complete

[edit]   ---> I apply a policer
root@TEST# top set interfaces ge-0/0/0 unit 0 family inet policer output rate_limiter_100m

[edit]
root@TEST# commit
warning: Test4.slax script started.
[edit interfaces interface ge-0/0/0]
warning: Found policer rate_limiter_100m   ---> the script detects the added policer
commit complete

 Let me know if it works also on your device!

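The thread's attachments are not reproduced on this page, so the following is an added example, not either poster's script. It takes the approach that worked above (inspect the candidate configuration handed to the commit script and use the junos:changed markers, rather than calling the "show | compare" RPC, whose configuration-output came back empty on the T4000) and completes the original goal: build the referenced policer when it does not exist. The naming convention rate_limiter_<N>m, the 150k burst size, the 10000m ceiling and the discard action are assumptions for the example. The point a practitioner should not skip is the whitelist: a commit script that turns a free-form name typed under [edit interfaces] into firewall configuration lets anyone with edit rights on interfaces create whatever the script will build, so the name is matched against a strict pattern and bounded, and anything else is rejected with an <xnm:error> instead of being created.

```slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/* Assumed site convention (example only): policer names are rate_limiter_<N>m,
 * N in Mbps. Names outside this pattern, or above $max-mbps, are rejected. */
var $max-mbps = 10000;
var $burst = "150k";

match configuration {
    var $config = .;

    /* Visit only the policer references that changed in this candidate:
     * the commit-script input marks them with junos:changed="changed"
     * (the <input>/<output> element under family inet policer). */
    for-each (interfaces/interface/unit/family/inet/policer/*[@junos:changed]) {
        var $ref = .;
        var $direction = name();            /* "input" or "output" */
        var $ifname = ../../../../../name;  /* policer <- inet <- family <- unit <- interface */
        var $unit = ../../../../name;
        var $where = "[edit interfaces " _ $ifname _ " unit " _ $unit
                   _ " family inet policer " _ $direction _ "]";

        if ($config/firewall/policer[name == $ref]) {
            <xnm:warning> {
                <message> $where _ " references existing policer " _ $ref;
            }
        } else {
            /* jcs:regex returns a node-set: [1] is the whole match, [2] the first group */
            var $m = jcs:regex("^rate_limiter_([0-9]{1,5})m$", $ref);

            if (not($m[1])) {
                /* Refuse to materialise configuration from an arbitrary name */
                <xnm:error> {
                    <message> $where _ ": policer " _ $ref
                        _ " is not defined and does not match rate_limiter_<N>m; not creating it";
                }
            } else if (number($m[2]) == 0 || number($m[2]) > $max-mbps) {
                <xnm:error> {
                    <message> $where _ ": requested rate " _ $m[2]
                        _ "m is outside 1.." _ $max-mbps _ "m; not creating " _ $ref;
                }
            } else {
                /* Persistent change: the policer becomes part of the committed configuration */
                <change> {
                    <firewall> {
                        <policer> {
                            <name> $ref;
                            <if-exceeding> {
                                <bandwidth-limit> $m[2] _ "m";
                                <burst-size-limit> $burst;
                            }
                            <then> {
                                <discard>;
                            }
                        }
                    }
                }
                <xnm:warning> {
                    <message> $where _ ": created policer " _ $ref
                        _ " (" _ $m[2] _ "m, burst " _ $burst _ ", discard)";
                }
            }
        }
    }
}
```

As in the thread, the file has to be present on both routing engines and enabled with "set system scripts commit file <name>.slax"; "commit check" then shows the warning or error, and after a real commit "show configuration firewall policer rate_limiter_400m" confirms the generated stanza. Because <change> is persistent, the created policer stays in the configuration after the interface reference is deleted; if that is not wanted, <transient-change> produces the same stanza only for the duration of each commit.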


Contributor
Posts: 15
Registered: ‎05-28-2012

Re: SLAX script to build a firewall policer if the referenced one does not exist

The new script is great, it correctly detects the new policer reference and gives me the chance to include the logic to build the referenced policer.  Don't know why mine did not work as expected but yours gives me a great platform to work with.  Many thanks for your help with this.