close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Overview
- play_arrow Junos Automation Scripts Overview
- play_arrow Junos XML Management Protocol and Junos XML API Overview
play_arrow Automation Scripting Using XSLT
- play_arrow XSLT Overview
- play_arrow Standard XPath and XSLT Functions Used in Automation Scripts
- play_arrow Standard XSLT Elements and Attributes Used in Automation Scripts
play_arrow Automation Scripting Using SLAX
- play_arrow SLAX Overview
- play_arrow SLAX Statements
- play_arrow The libslax Distribution for Automation Scripting
play_arrow Automation Scripting Using Python
- play_arrow Python Overview
play_arrow Automation Script Input
- play_arrow Global Parameters in Automation Scripts
  - Global Parameters and Variables in Junos OS Automation Scripts
play_arrow Extension Functions and Named Templates for Automation Scripts
play_arrow Manage Automation Scripts
- play_arrow Store and Enable Scripts
- play_arrow Configure a Remote Source for Scripts
- play_arrow Configure the Session Protocol for Scripts
  - Understanding the Session Protocol in Automation Scripts
  - Example: Specify the Session Protocol for a Connection within Scripts
- play_arrow Control Execution of Scripts
- play_arrow Synchronize Scripts Between Routing Engines
- play_arrow Convert Scripts Between SLAX and XSLT
  - Convert Scripts Between SLAX and XSLT
play_arrow Commit Scripts
- play_arrow Commit Scripts Overview
  - Commit Script Overview
  - How Commit Scripts Work
- play_arrow Create and Execute Commit Scripts
- play_arrow Generate a Custom Warning, Error, or System Log Message Using Commit Scripts
- play_arrow Generate Persistent or Transient Configuration Changes Using Commit Scripts
- play_arrow Create Custom Configuration Syntax with Commit Script Macros
- play_arrow Commit Script Examples
- play_arrow Junos XML and XSLT Tag Elements Used in Commit Scripts
- play_arrow Troubleshoot Commit Scripts
play_arrow Op Scripts
- play_arrow Op Scripts Overview
  - Op Script Overview
  - How Op Scripts Work
- play_arrow Create and Execute Op Scripts
- play_arrow Op Script Examples
- play_arrow Provision Services Using Service Template Automation
  - Service Template Automation Overview
  - Example: Configure Service Template Automation
- play_arrow Troubleshoot Op Scripts
  - Trace Op Script Processing on Devices Running Junos OS
  - Trace Script Processing on Devices Running Junos OS Evolved
play_arrow Event Policies and Event Scripts
play_arrow SNMP Scripts
- play_arrow SNMP Scripts Overview
  - SNMP Scripts Overview
- play_arrow Create and Execute SNMP Scripts
- play_arrow SNMP Script Example
  - Example: Process Unsupported OIDs with an SNMP Script
- play_arrow Troubleshoot SNMP Scripts
  - Trace SNMP Script Processing on Devices Running Junos OS
  - Trace Script Processing on Devices Running Junos OS Evolved
play_arrow Configuration Statements and Operational Commands
- Junos CLI Reference Overview

list Table of Contents

English

Example: Prevent Import of the Full Routing Table

date_range 14-Jul-21

arrow_backward

arrow_forward

In the Junos OS routing policy, if you configure a policy with no match conditions and a terminating action of then accept, and then apply the policy to a routing protocol, the protocol imports the entire routing table. This example shows how to use a commit script to prevent this scenario.

Requirements

This example uses a device running Junos OS.

Overview and Commit Script

This example inspects the import statements configured at the [edit protocols ospf] and [edit protocols isis] hierarchy levels to determine if any of the named policies contain a then accept term with no match conditions. The script protects against importing the full routing table into these interior gateway protocols (IGPs).

The example script is shown in both XSLT and SLAX syntax:

XSLT Syntax

content_copy zoom_out_map
<?xml version="1.0" standalone="yes"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:junos="http://xml.juniper.net/junos/*/junos"
    xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm"
    xmlns:jcs="http://xml.juniper.net/junos/commit-scripts/1.0">
    <xsl:import href="../import/junos.xsl"/>
 
    <xsl:param name="po"
                  select="commit-script-input/configuration/policy-options"/>
    <xsl:template match="configuration">
        <xsl:apply-templates select="protocols/ospf/import"/>
        <xsl:apply-templates select="protocols/isis/import"/>
    </xsl:template>
    <xsl:template match="import">
        <xsl:param name="test" select="."/>
        <xsl:for-each select="$po/policy-statement[name=$test]">
            <xsl:choose>
                <xsl:when test="then/accept and not(to) and not(from)">
                    <xnm:error>
                        <xsl:call-template name="jcs:edit-path">
                            <xsl:with-param name="dot" select="$test"/>
                        </xsl:call-template>
                        <xsl:call-template name="jcs:statement">
                            <xsl:with-param name="dot" select="$test"/>
                        </xsl:call-template>
                        <message>policy contains bare 'then accept'</message>
                    </xnm:error>
                </xsl:when>
            </xsl:choose>
        </xsl:for-each>
    </xsl:template>
</xsl:stylesheet>

SLAX Syntax

content_copy zoom_out_map
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";
 
param $po = commit-script-input/configuration/policy-options;
match configuration {
    apply-templates protocols/ospf/import;
    apply-templates protocols/isis/import;
}
match import {
    param $test = .;
    for-each ($po/policy-statement[name=$test]) {
        if (then/accept and not(to) and not(from)) {
            <xnm:error> {
                call jcs:edit-path($dot = $test);
                call jcs:statement($dot = $test);
                <message> "policy contains bare 'then accept'";
            }
        }
    }
}

Configuration

Procedure

Step-by-Step Procedure

To download, enable, and test the script:

Copy the script into a text file, name the file import.xsl or import.slax as appropriate, and copy it to the /var/db/scripts/commit/ directory on the device.
Select the following test configuration stanzas, and press Ctrl+c to copy them to the clipboard.

If you are using the SLAX version of the script, change the filename at the [edit system scripts commit file] hierarchy level to import.slax.
```
system {
    scripts {
        commit {
            file import.xsl;
        }
    }
}
protocols {
    ospf {
        import bad-news;
    }
}
policy-options {
    policy-statement bad-news {
        then accept;
    }
}
```
In configuration mode, issue the load merge terminal command to merge the stanzas into your device configuration.
```
[edit]
user@host# load merge terminal
[Type ^D at a new line to end input]
... Paste the contents of the clipboard here ...
```
1. At the prompt, paste the contents of the clipboard by using the mouse and the paste icon.
2. Press Enter.
3. Press Ctrl+d.
Commit the configuration.
```
user@host# commit
```

Verification

Purpose

Verify that the script behaves as expected.

Action

Review the output of the commit command. The sample configuration configures an import statement at the [edit protocols ospf] hierarchy level. Because the policy contains a then accept term with no match conditions, the script generates an error, and the commit operation fails. The following output appears after issuing a commit command:

content_copy zoom_out_map
[edit]
user@host# commit
[edit protocols ospf]
    'import bad-news;'
    policy contains bare 'then accept'
error: 1 error reported by commit scripts
error: commit script failure

arrow_backward PREVIOUS Example: Prepend a Global Policy

NEXT arrow_forward Example: Require Internal Clocking on T1 Interfaces

Automation Scripting User Guide

ON THIS PAGE