Automation

We have an EX8200 series chassis.

I have a SLAX script to add a firewall rule, something like

<firewall> { <family> {  <inet> { <filter> { <name> "block"; <term> { <name> "badhosts"; <from> {

  <source-address> $host;  } <then> { <reject>;  }

..... <interfaces> { <interface> { <name>fe-0/0/2 ; <unit> { <name> "0"; <family> {  <inet> { <filter> { <input> {
        <filter-name> "block"; ........

It works, but it's very slow indeed - between 6 and 40 seconds.

Why is this so slow ? Is there some way to speed it up, or another method that would be faster ?

We need to trigger this action using an SSH command from a remote machine.

Hi,

How long does it take to execute the same change issuing it from the switch's CLI (i.e., without using the script) ?

If you are getting the same delay in the CLI, you have to investigate why that is happening because the issue is not your script.

However, if you are only getting the delay when using the script, I would suggest to enable traceoptions in the scripts to identify which part is delaying its execution.

This is also a good opportunity to use the profiler available in juise. To read more about juise, check the URLs below:

https://github.com/Juniper/juise/wiki

http://forums.juniper.net/t5/Service-Support/It-s-juise-time/ba-p/166310

HTH

./diogo -montagner

Thank you for the reply.

Yes, I think the issue is with the router rather than SLAX - a "hello world" script executes rapidly.

We have in fact a pair of EX8200's in a redundant master-slave configuration with a controller, and right now we have an unresolved problem on one of the pair, so I can't immediately test from the CLI. But the router logs show some problems synchronizing the two chassis, so that may be the source of the delay.

How much time should I expect these operations to take with a good system ?

It always depend on the size/touching-points of the change you are doing and also on the size of the existing configuration. 

Also, remember switches have less powerful RE than routers.