Junos Automation (Scripting)
Contributor
stephen.gradzki
Posts: 11
Registered: ‎05-28-2012
0

Re: SLAX script to build a firewall policer if the referenced one does not exist

I have added the traceoptions and have attached 2 log files.  In one I have added the config to reference an existing profile and in the other I have referenced a profile that does not exist.  The log files look similar to me.

Recognized Expert
Mattia
Posts: 198
Registered: ‎03-17-2010
0

Re: SLAX script to build a firewall policer if the referenced one does not exist

[ Edited ]

Hi, in the trace I see the output "......config out removed" instead of the candidate configuration (in the xml element <commit-script-input>). Did you edit the file? If not, if you read the trace from the CLI, typing "show log <log file name>" do you see the same output?

Here is what it should look like:

[...]
Jun  7 22:13:46 post:  paging: faults 0, reclaims 189, swaps 0
Jun  7 22:13:46 post:  other: inb 0, outb 2, snd 1, rcv 1, sig 0, csw 2, icsw 8
Jun  7 22:13:46 commit script input
Jun  7 22:13:46 begin dump
<?xml version="1.0"?>
<commit-script-input xmlns:junos="http://xml.juniper.net/junos/*/junos">
 
<configuration junos:changed-seconds="1339107013" junos:changed-localtime="2012-06-07 22:10:13 UTC">
<version>10.4R1.9</version>
<system>
[...]

 I also compared your output with mine: the configuration-output variable is empty in your log, while it's showing the added configuration in mine:

 

<rpc-reply xmlns:junos="http://xml.juniper.net/junos/10.4R1/junos" xmlns="">
<configuration-information>
<configuration-output>
[edit interfaces ge-1/0/0 unit 0 family inet]
+       policer {
+           output rate_limiter_400m;
+       }
</configuration-output>
</configuration-information>

So it's like the script is not detecting the configuration change, thus it's not matching the added policer...In order to confirm that, I would like to see the <commit-script-input>!

 

I would also suggest that you copy the content of some of the script variables to the result-tree, using the copy-of statement, like this:

 

    var $changed-config = jcs:invoke($get-config-rpc);
    copy-of $changed-config;
    var $changed-lines = jcs:break-lines($changed-config/configuration-output);
    copy-of $changed-lines;

This should generate the following output in the trace file:

 

  <configuration-output>+           output rate_limiter_400m;</configuration-output>
  <configuration-output>+       }</configuration-output>

 

 

.................................................................................
JNCIP-ENT, JNCIP-SEC, JNCIS-SP
(If this post helped you, please mark it as an "Accepted Solution"; kudos are also appreciated!)


Contributor
stephen.gradzki
Posts: 11
Registered: ‎05-28-2012
0

Re: SLAX script to build a firewall policer if the referenced one does not exist

I did edit the file as the whole config was included.  I have updated the scripts to use copy-of as suggested and have attached new log files.  Again the files contained the whole config which I have removed but have kept the lines tagged as changed, eg:

 

<name junos:changed="changed">xe-7/1/11</name>
<unit junos:changed="changed">
<name junos:changed="changed">0</name>
<family junos:changed="changed">
<inet junos:changed="changed">
<policer junos:changed="changed">
<output junos:changed="changed">rate_limiter_100m</output>

 

<interface junos:changed="changed">
<name junos:changed="changed">xe-7/1/11</name>
<unit junos:changed="changed">
<name junos:changed="changed">0</name>
<family junos:changed="changed">
<inet junos:changed="changed">
<policer junos:changed="changed">
<output junos:changed="changed">rate_limiter_110m</output>

  

Again the configuration-output variable is still empty; this happens in both cases (adding an existing profile or adding a non-existing profile).

 

T4000# commit check 
warning: Script test2.slax started.
configuration check succeeds
re0: 
warning: Script test2.slax started.
error: Found, added rate limiter+                   output rate_limiter_100m;
error: 1 error reported by commit scripts
error: commit script failure
re1: 
error: remote commit-configuration failed on re0

 and

 

T4000# commit check 
warning: Script test2.slax started.
error: Referenced policer rate_limiter_110m not defined
error: configuration check-out failed

 

Recognized Expert
Mattia
Posts: 198
Registered: ‎03-17-2010

Re: SLAX script to build a firewall policer if the referenced one does not exist

[ Edited ]

Hi, this is weird... It looks like the rpc-reply is not returning anything in the expected output. I also don't understand why the script seems to behave differently on re0 and re1 when you run the commit-check. Maybe other users can provide help on this.

 

I edited the script in order to work around the issue, using a probably "cleaner" logic. The attached script raises a warning whenever you add a policer; it does not perform any other check, but it can be completed if it's working.

 

It works fine on my testbed:

 

[edit]   ---> No policer is applied on interfaces
root@TEST# show | match policer | display set
set firewall policer rate_limiter_100m if-exceeding bandwidth-limit 100m
set firewall policer rate_limiter_100m if-exceeding burst-size-limit 150k
set firewall policer rate_limiter_100m then discard

[edit]
root@TEST# commit
warning: Test4.slax script started.
commit complete

[edit]   ---> I apply a policer
root@TEST# top set interfaces ge-0/0/0 unit 0 family inet policer output rate_limiter_100m

[edit]
root@TEST# commit
warning: Test4.slax script started.
[edit interfaces interface ge-0/0/0]
warning: Found policer ---> the script detects the added policer rate_limiter_100m
commit complete

 Let me know if it works also on your device!



Contributor
stephen.gradzki
Posts: 11
Registered: ‎05-28-2012
0

Re: SLAX script to build a firewall policer if the referenced one does not exist

The new script is great, it correctly detects the new policer reference and gives me the chance to include the logic to build the referenced policer.  Don't know why mine did not work as expected but yours gives me a great platform to work with.  Many thanks for your help with this.
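
A sketch of the check-and-build logic the thread is working towards, added here as an example; it is not the attached Test4.slax or either poster's script. It walks the junos:changed policer references in the commit-script input directly instead of parsing configuration-output, and it assumes the bandwidth can be read from the rate_limiter_<bandwidth> name; the 150k burst size and discard action are copied from the testbed policer shown above.

```slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {
    /* Keep a handle on the top of the candidate configuration. */
    var $config = .;

    /* Input/output policer references touched by this commit. */
    for-each (interfaces/interface/unit/family/inet/policer/*[(name() == "input" || name() == "output") && @junos:changed]) {
        var $policer-name = .;

        if (not($config/firewall/policer[name == $policer-name])) {
            /* Assumption: names follow rate_limiter_<bandwidth>, e.g. rate_limiter_110m. */
            var $bandwidth = substring-after($policer-name, "rate_limiter_");

            if ($bandwidth == "") {
                /* Name does not follow the convention: refuse the commit. */
                <xnm:error> {
                    call jcs:edit-path($dot = ..);
                    <message> "Referenced policer " _ $policer-name _ " not defined";
                }
            }
            else {
                /* Build the missing policer in the candidate configuration. */
                <change> {
                    <firewall> {
                        <policer> {
                            <name> $policer-name;
                            <if-exceeding> {
                                <bandwidth-limit> $bandwidth;
                                <burst-size-limit> "150k"; /* assumed, from the testbed policer */
                            }
                            <then> {
                                <discard>;
                            }
                        }
                    }
                }
                <xnm:warning> {
                    call jcs:edit-path($dot = ..);
                    <message> "Built missing policer " _ $policer-name;
                }
            }
        }
    }
}
```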
