Automation

We've got this great script we've been using that transitively disables any unconfigured interface.  While I think its excelent to admin up interfaces by default, most NMS's assume there is a problem with an interface in up/down status, so in order to avoid alarms, we've been using this script:

/*
 * This script transiently disables all unconfigured ge interfaces.
 */

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {

    /* Get the current interface list  */
    var $interfaces = jcs:invoke( "get-interface-information" );

    /* Only ge and xe interfaces */
    var $ge-interfaces = $interfaces/physical-interface[starts-with(name, "ge-") or starts-with(name, "xe-")];

    var $interface-hierarchy = interfaces;

    /* Go through each ge interface, if it isn't within the configuration than transiently disable it */
    for-each( $ge-interfaces ) {

        if( jcs:empty( $interface-hierarchy/interface[name == current()/name ] ) ) {
            <transient-change> {
                <interfaces> {
                    <interface> {
                        <name> name;
                        <disable>;
                    }
                }
            }
        }
    }
}

 This works really well, with one exception.  After a power failure, the transient change is lost, and all unconfigured interfaces are in up/down status until someone logs in and does a commit.

What I'm interested in doing is changing the script so it is not transient (instead it actually changes the config and saves it)  Below is the config I'm trying to apply (I use the group so during configuration later, all child units are also disabled, which has more to do with our internal processes than anything technical)

interfaces {
    <*> {
        disable;
        unit <*> {
            disable;
        }
    }
}
interfaces {
    ge-0/0/0 {
        apply-groups DISABLEIF;
    }
} 

 Here is the script I've tried to use.  I don't get any errors or anything, but config does not get generated for the previously unconfigured interfaces as I'd expect.

/*
 * This script transiently disables all unconfigured ge interfaces.
 */

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {

    /* Get the current interface list  */
    var $interfaces = jcs:invoke( "get-interface-information" );

    /* Only ge and xe interfaces */
    var $ge-interfaces = $interfaces/physical-interface[starts-with(name, "ge-") or starts-with(name, "xe-")];

    var $interface-hierarchy = interfaces;

    /* Go through each ge interface, if it isn't within the configuration than apply-group DISABLEIF */
    for-each( $ge-interfaces ) {

        if( jcs:empty( $interface-hierarchy/interface[name == current()/name ] ) ) {
           var $message = "Disabling unconfigured interface: " _ interface;
                <interfaces> {
                    <interface> {
                        <name> name;
                        <apply-groups> DISABLEIF;
                    }
                }
        }
    }
}

 What am I missing here?  I'd expect this to work.  I'm FAR from familiar with Junoscript (either flavor), and am just beginning to learn about it.  

I'd appreciate any direction from someone with some experience w/this,

-Josh

Hi,

it is great to see people using JunosScripts! I think the problem is that your group trying to match units. However, no units  exists. Group is not applied. Try to change your group to:

interfaces {
    <*> {
        disable;
    }
}

Do not forget that ist is not directly visible with "show" command! You have to use "| display inheritance" to see changes done by apply-groups.

lab@M7i-bottom# show interfaces ge-0/0/4 | display inheritance
##
## 'disable' was inherited from group 'TEST'
##
disable;
 

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it. 

Kind Regards

Michael Pergament

Josh,

Configuration changes in commit scripts only work when enclosed within either a <change> or a <transient-change> element.  <change> is for permanent changes, <transient-change> is for transient changes.  This should work:

<change> {

    <interfaces> {

        <interface> {

            <name> name;

            <apply-groups> DISABLEIF;

        }    

    }

}

Your var $message won't do anything, you need to assign it to a result tree element if you want JUNOS to display it.

<syslog>  {

    <message> "Disabling unconfigured interface: " _ name;

}

 Will write it to the syslog, or

<xnm:warning> {

    <message> "Disabling unconfigured interface: " _ name;

}

Will write it as a warning to the console of the committing user.

---

@mikep wrote:
I think the problem is that your group trying to match units. However, no units  exists. Group is not applied.

I don't believe this is an issue.

{master}[edit]
joshrogers@ausatxmd-pe-ced01# show interfaces ge-0/0/0
apply-groups DISABLEIF;

joshrogers@ausatxmd-pe-ced01# run show interfaces ge-0/0/0 terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                down  down

 This works fine, even if there is not unit.

---

ccall@  wrote:

 Your var $message won't do anything, you need to assign it to a result tree element if you want JUNOS to display it.

 

---

Yep, I tried your suggested xnm:warning because I want it to print to tty, and it worked wonderfully.

---

ccall@  wrote:

Configuration changes in commit scripts only work when enclosed within either a <change> or a <transient-change> element.  <change> is for permanent changes, <transient-change> is for transient changes.  This should work:

 

---

I tried making the suggested changes, and am not having any errors, but the configuration isn't getting applied.  Below is the current script and the show interfaces output after a successful commit:

{master}[edit]
joshrogers@foo-pe-ced01# run file show /var/db/scripts/commit/interface-disable.slax
/*
 * This script disables all unconfigured ge interfaces.
 */

version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {

    /* Get the current interface list  */
    var $interfaces = jcs:invoke( "get-interface-information" );

    /* Only ge and xe interfaces */
    var $ge-interfaces = $interfaces/physical-interface[starts-with(name, "ge-") or starts-with(name, "xe-")];

    var $interface-hierarchy = interfaces;

    /* Go through each ge interface, if it isn't within the configuration than apply-group DISABLEIF */
    for-each( $ge-interfaces ) {

        if( jcs:empty( $interface-hierarchy/interface[name == current()/name ] ) ) {
 <xnm:warning> {
		<message> "Disabling unconfigured interface: " _ name;
 }
 <change> {
                <interfaces> {
                    <interface> {
                        <name> name;
                        <apply-groups> DISABLEIF;
                    }
                }
 }
        }
    }
}
joshrogers@foo-pe-ced01# show interfaces
ge-0/0/0 {
    apply-groups DISABLEIF;
}
ge-0/0/1 {
    description "CUST:foo";
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 99 {
        description foo;
        encapsulation vlan-bridge;
        vlan-id 99;
    }
    unit 1239 {
        description foo;
        vlan-id 1239;
        family inet {
            address 1.2.3.4/30;
        }
    }
    unit 1328 {
        description foo;
        vlan-id 1328;
        family inet {
            address 5.6.7.8/30;
        }
    }
}
xe-0/2/0 {
    description foo;
    mtu 9192;
    unit 0 {
        family inet {
            no-redirects;
            address 9.10.11.12/31;
        }
        family mpls;
    }
}
xe-0/3/0 {
    description foo;
    mtu 9192;
    unit 0 {
        family inet {
            no-redirects;
            address 13.14.15.16/31;
        }
        family mpls;
    }
}
fxp0 {
    description foo;
    unit 0 {
        family inet {
            address 192.168.100.1/24;
        }
    }
}
irb {
    unit 99 {
        description foo;
        family inet {
            filter {
                inactive: output PROTECT-CPE;
            }
            address 10.1.1.225/27;
        }
    }
}
lo0 {
    description foo;
    unit 0 {
        family inet {
            filter {
                inactive: input PROTECT-RE;
            }
            address 127.0.0.1/32;
            address 17.18.19.20/32;
        }
    }
}

 I would expect that ge-0/0/2 through ge-0/1/9 would all have apply-groups DISABLEIF configured (since this isn't transient)

You need to enclose DISABLEIF in quotes.  Otherwise SLAX thinks that it is a location path instead of a string:

<apply-groups> DISABLEIF;