[j-nsp] "load replace" junoscript login class permissions

Jared Mauch jared at puck.nether.net
Mon Feb 22 21:08:04 EST 2016


> On Feb 22, 2016, at 9:06 PM, Chuck Anderson <cra at WPI.EDU> wrote:
> 
> Historically, we've implemented scripts to sync prefix-lists with
> Junoscript perl using this method:
> 
> 1. get_configuration of the prefix-list
> 2. compare prefix list in router to our local copy
> 3. "load merge" config to delete prefixes that exist in the router but not locally
> 4. "load merge" config to add prefixes that exist locally but not in the router
> 5. commit
> 
> The reason for this was because we wanted to lock down the junoscript
> account like this:
> 
> > show configuration system login class prefix-list
> permissions [ configure view view-configuration ];
> allow-commands junoscript;
> allow-configuration "policy-options prefix-list AUTO-.*";
> 
> So any rogue junoscript could only ever change the contents of
> prefix-lists whose names begin with "AUTO-".
> 
> However, this method is very slow.  So I tried going back to the
> "replace" method:
> 
> 1. "load replace" config with the new prefix list contents
> 2. commit


Try ‘load update’ first.

That should be much faster than load replace.

- jared
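
The compare-and-merge steps quoted above can be sketched as follows. This is an added example, not code from either poster: it diffs the router's prefix-list against the local copy and refuses to emit changes for any list outside the `AUTO-` scope that the login class enforces. Assumptions: output is configuration-mode `set`/`delete` lines rather than the Junoscript XML the original scripts used, the Python regex only approximates the router's `allow-configuration` match, and the function names and sample prefixes are constructed.

```python
import ipaddress
import re

# Mirrors the login class on the page:
#   allow-configuration "policy-options prefix-list AUTO-.*"
ALLOWED_PATH = re.compile(r"policy-options prefix-list AUTO-.*")
# Assumption: list names use a conservative character set, so a name can never
# carry whitespace or extra statements into the generated lines.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def normalize(prefixes):
    """Parse prefixes strictly (host bits set -> ValueError); return a set of networks."""
    return {ipaddress.ip_network(p.strip(), strict=True) for p in prefixes}


def plan_sync(name, router_prefixes, local_prefixes):
    """Return the delete/set lines that make the router's list equal the local copy."""
    path = f"policy-options prefix-list {name}"
    if not SAFE_NAME.fullmatch(name) or not ALLOWED_PATH.fullmatch(path):
        raise PermissionError(f"refusing to touch {path!r}: outside AUTO-* scope")
    router, local = normalize(router_prefixes), normalize(local_prefixes)

    def key(net):
        # Sort IPv4 before IPv6, then by address, for stable reviewable output.
        return (net.version, net.network_address, net.prefixlen)

    # Step 3 of the quoted procedure: prefixes on the router but not local.
    lines = [f"delete {path} {n}" for n in sorted(router - local, key=key)]
    # Step 4: prefixes that exist locally but not on the router.
    lines += [f"set {path} {n}" for n in sorted(local - router, key=key)]
    return lines


# Constructed sample data (documentation prefixes, not from the original message).
ROUTER = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48"]
LOCAL = ["192.0.2.0/24", "203.0.113.0/24", "2001:db8:2::/48"]

if __name__ == "__main__":
    for line in plan_sync("AUTO-CUSTOMERS", ROUTER, LOCAL):
        print(line)
    for bad in ("MGMT-ACL", "AUTO-X 0.0.0.0/0"):
        try:
            plan_sync(bad, ROUTER, LOCAL)
        except PermissionError as exc:
            print(exc)
```

The client-side scope check duplicates what the login class already enforces on the router, so a bug in the script fails before a commit is attempted rather than at the device.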


