[j-nsp] "load replace" junoscript login class permissions

Phil Shafer phil at juniper.net
Mon Feb 22 21:22:55 EST 2016


Jared Mauch writes:
>Try "load update" first.
>That should be much faster than load replace.

"load update" is faster than "load override", since under the covers,
it keeps the old config and finds the delta between the new config
and the old, allowing the system to see only the changed bits of
the config.  "load override" wipes the old and loads the new.

"load merge" is identical to "load replace", with the exception
that "load replace" honors "replace:" tags, where "merge" ignores
them.

> On Feb 22, 2016, at 9:06 PM, Chuck Anderson <cra at WPI.EDU> wrote:
>Otherwise we get a failure trying to replace the prefix-list.  I don't
>like this because now a rogue script could mess with the entire
>policy-options hierarchy.

Consider using a config group, where the group would be completely
"owned" by this app, and the junoscript user would be able to only
write to that group, but to the entire contents.  Then only apply
that group where appropriate.  If your "AUTO-*" list is static, you
could put "apply-groups auto-app" under each specific prefix list;
otherwise, you'd need to put it under policy-options.

Thanks,
 Phil
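
The config-group layout suggested in the message above, sketched as Junos set commands; this is an added example, not part of the original message and not Juniper's own configuration. The group name "auto-app" comes from the message; the class name, prefix-list name, prefixes and the exact permission/regexp combination are assumptions to verify on the target Junos release.

```junos
# Constructed example. "auto-app" is the group name used in the message;
# AUTO-EXAMPLE, auto-app-rw and the documentation prefixes are placeholders.

# 1. Everything the application manages lives inside its own group.
set groups auto-app policy-options prefix-list AUTO-EXAMPLE 192.0.2.0/24
set groups auto-app policy-options prefix-list AUTO-EXAMPLE 198.51.100.0/24

# 2a. Static set of AUTO-* names: inherit the group per prefix-list, so the
#     group cannot inject anything else into policy-options.
set policy-options prefix-list AUTO-EXAMPLE apply-groups auto-app

# 2b. Dynamic set of names: inherit at policy-options instead. The group can
#     then contribute any policy-options statement, so review what it holds.
# set policy-options apply-groups auto-app

# 3. Login class for the junoscript user (assumed combination): may enter
#    configuration mode and commit, with write access granted only to paths
#    under "groups auto-app".
set system login class auto-app-rw permissions configure
set system login class auto-app-rw allow-configuration-regexps "groups auto-app .*"

# 4. Checks to run from an administrator account after a commit:
#      show configuration groups auto-app
#      show configuration policy-options | display inheritance
#    The second command shows which statements were inherited from the group.
```

With layout 2a, a misbehaving script can change only the contents of the prefix lists that explicitly apply the group; with 2b, the group's reach is the whole policy-options hierarchy, which is the exposure the quoted concern describes.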

