Automation

  • 1.  CLI configlet - retrieve value from Xpath issues, looping

    Posted 08-07-2014 07:50

    So here’s one of the configlets I’ve been working on. A basic overview:

     

    We have hub-and-spoke VPN tunnels between corporate and our remote locations. As we build/add more locations, we enable BGP. I have a CLI configlet which adds all the config to the remote locations no problem. I am working on one to do the same thing at corporate, but it doesn’t seem to be working *quite* how I want it.

     

    When new tunnels are built on our corporate SRX, they are added to st0.2 multipoint interface:

     

    interfaces {
        st0 {
            unit 2 {
                multipoint;
                family inet {
                   --- output truncated ---
                    next-hop-tunnel 10.250.250.3 ipsec-vpn st901fw_Store-VPN;
                    next-hop-tunnel 10.250.250.5 ipsec-vpn st909fw_Store-VPN;
                    address 10.250.250.1/23;
                }
            }
        }
    }

     I want to scrape this config, and given the input of a store/location number, add the new BGP peer IP to the configuration:

     

    routing-instances {
        vpn {
            protocols {
                bgp {
                  --- output truncated ---
                   group Store-901 {
                        peer-as 63901;
                        neighbor 10.250.250.3;
                    }
                    group Store-909 {
                        peer-as 63909;
                        neighbor 10.250.250.5;
                    }
                }
            }
        }
    }

     

    The only problem that I’m having is grabbing the IP address from the “next-hop-tunnel” config. I have attached the CLI configlet, interface XML that I am going after...and here’s the XPath search that I’m using to get the IP address (referencing the $STORE variable):

     

    /device/configuration/interfaces/interface[name='st0']/unit[name='2']/family/inet/next-hop-tunnel[matches(ipsec-vpn, '$STORE')]/name/text()

     

    I'm looking for some expert guidance 🙂 Thanks in advance!

     

    P.S. I'm running Junos Space 13.3R1.9

    Attachment(s):
    BGP_configlet.txt (2 KB)
    st0_interface_config.txt (3 KB)


  • 2.  RE: CLI configlet - retrieve value from Xpath issues, looping

    Posted 08-11-2014 20:36

    I think the ability to use a variable name inside an XPath is not yet supported. If I remember correctly, you can only use certain predefined variable names inside XPath. So, you may need to get all next-hop-tunnels, iterate over them and find the matching one using VTL directives...

     

    Anyways, I will check internally and get back...

     



  • 3.  RE: CLI configlet - retrieve value from Xpath issues, looping

    Posted 08-12-2014 03:57
    Thanks, Roshan for your response! I've found the VTL documentation to be somewhat...lacking, but I'll keep digging.

    Someone told me that you had plans to support values in CSV files or were working on using something like that with CLI configlets. Do you know if that still holds true?


  • 4.  RE: CLI configlet - retrieve value from Xpath issues, looping
    Best Answer

     
    Posted 08-12-2014 09:18

    As Roshan has indicated in his reply, the approach that would most likely work would be with the use of a few VTL directives.

     

    Take for example the following configlet text:

     

    routing-instances {
        vpn {
            protocols {
                bgp {
    #foreach ($STORE in $LOCATIONS.split(", "))
    #set($i=0)
                    group Store-$STORE {
                        peer-as 63$STORE;
    #foreach ($IP in $IPSEC)
    #if ($IP.contains($STORE))
                        neighbor $NEXTHOPTUNNEL.get($i);
    #end
    #set($i = $i + 1)
    #end
                    }
    #end
                }
            }
        }
    }


    Not the most elegant of approaches, but something that I think could be a basis for a solution.

    So the changes that I have made from your original configlet are to add some additional parameters and a little bit of VTL logic.

     

    I've created a counter $i which is an invisible parameter, and is just used to count the position within a foreach statement as it loops. 

     

    $IPSEC is also an invisible parameter and this has an XPath /device/configuration/interfaces/interface[name='st0']/unit[name='2']/family/inet/ipsec-vpn/text() which will return all values.

    This parameter is then parsed using #foreach and then there is an if statement to check to see if the current $STORE value is contained within $IP, which is similar to the approach that you had attempted to use in your initial configlet contains(ipsec-vpn, '$STORE').

     

    If a match is found, then the correct next-hop-tunnel address is returned using the following:

    neighbor $NEXTHOPTUNNEL.get($i);

    In this case, $NEXTHOPTUNNEL is another invisible parameter that is derived using the XPath /device/configuration/interfaces/interface[name='st0']/unit[name='2']/family/inet/next-hop-tunnel/name/text()

     

    Because the $NEXTHOPTUNNEL parameter could contain multiple entries, to return the correct entry the $i counter is used as that should return the required entry: $NEXTHOPTUNNEL.get($i)

     

    Then the if statement is terminated, and the counter $i can be incremented, and the process continues.

     

    Unfortunately, I've not had time to test this properly as I didn't have a valid configuration to test against, but I think that this should work.

     

    Regards,

    Andy
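
The pairing logic described in the answer above, re-created in Python as an added example (not code from the thread or from Junos Space), to show that a `contains`-style test is a substring match and can select more than one tunnel. The XML is a constructed sample modelled on the st0.2 stanza; the store 1901 tunnel and the `st<number>fw_` naming pattern are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the st0.2 stanza in the thread; the third
# tunnel (store 1901) is invented here to show a substring collision.
SAMPLE_XML = """
<device><configuration><interfaces><interface>
  <name>st0</name>
  <unit>
    <name>2</name>
    <family><inet>
      <next-hop-tunnel><name>10.250.250.3</name><ipsec-vpn>st901fw_Store-VPN</ipsec-vpn></next-hop-tunnel>
      <next-hop-tunnel><name>10.250.250.5</name><ipsec-vpn>st909fw_Store-VPN</ipsec-vpn></next-hop-tunnel>
      <next-hop-tunnel><name>10.250.250.7</name><ipsec-vpn>st1901fw_Store-VPN</ipsec-vpn></next-hop-tunnel>
    </inet></family>
  </unit>
</interface></interfaces></configuration></device>
"""

# Same path as the thread's XPath, relative to the <device> root element.
TUNNELS = ("./configuration/interfaces/interface[name='st0']"
           "/unit[name='2']/family/inet/next-hop-tunnel")


def load_tunnels(xml_text):
    """Return [(next_hop_ip, ipsec_vpn_name), ...] in document order."""
    root = ET.fromstring(xml_text)
    return [(t.findtext("name"), t.findtext("ipsec-vpn"))
            for t in root.findall(TUNNELS)]


def neighbors_by_substring(tunnels, store):
    """Mirror of the configlet's $IP.contains($STORE) test."""
    return [ip for ip, vpn in tunnels if store in vpn]


def neighbor_exact(tunnels, store):
    """Match the store number as a whole token and demand exactly one hit."""
    pattern = re.compile(r"^st(\d+)fw_")  # assumed naming scheme
    hits = [ip for ip, vpn in tunnels
            if (m := pattern.match(vpn)) and m.group(1) == store]
    if len(hits) != 1:
        raise LookupError(f"store {store}: expected 1 tunnel, found {len(hits)}")
    return hits[0]
```

With the substring test, store 901 would get two `neighbor` lines in its BGP group; the exact match returns one address or fails before any configuration is generated.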

     

     

     



  • 5.  RE: CLI configlet - retrieve value from Xpath issues, looping

    Posted 08-12-2014 09:39
    Andy,

    Thank you for taking the time to help on this. Your solution worked exactly how I had wanted! Thanks for the detailed description as well. I've been going over the Velocity docs but this really helps as well!