TechLibrary

Table of Contents

Guide That Contains This Content

[+] Expand All

[-] Collapse All

Creating a Configuration File

The /SDK/scriptServices/dpiScriptService/resource/dpiConf.xml file found in the SDK+AppSupport+Demos+Samples.tar.gz file contains a sample configuration file for the script service that demonstrates service activation and deactivation using Junos XML management protocol and Telnet commands.

The configuration file is in the form of an XML document with these sections:

Optimization parameters—Optional section to optimize batch parameters for committing configuration changes
Policy templates—Mandatory section for specifying the policy rules that will be added to or removed from network devices during service activation or deactivation

The configuration file has this basic structure:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE dpi-configuration SYSTEM "dpi-configuration.dtd" > 
<configuration> 
  <batch <!-– batch parameters specified as attributes -–> />
  <policy-templates> 
    <!-– policy template specification -–>
  </policy-templates> 
</configuration>

Tasks to create a configuration file are:

Configuring Batch Parameters

To avoid the overhead of individual commits for policy changes that occur close together, the script service groups the policy changes for a network device into a batch so that the commits can happen at the same time.

To optimize the batch parameters, you can specify these timing attributes for the <batch/> element:

wait-time—Time to wait for the next command for each device before committing the configuration. The default value is 60 seconds.
max-commit-delay—Maximum time to wait before committing the configuration. The default value is 120 seconds.

For example, to specify a wait-time of 15 seconds and max-commit-delay of 30 seconds:

  <batch wait-time="15" max-commit-delay="30" />

Substituting Parameters in Policy Templates

The SRC software can substitute values for variables in the policy templates. The following variables are supported in the policy templates:

Attributes of the ServiceSessionInfo object in the SAE script service API
Variables from parameter acquisition
Variables defined in the dpiRules parameter that are acquired in the context of a <for-each-rule> element

Note: If the same variable is defined in both the ServiceSessionInfo interface and parameter acquisition, the value in the ServiceSessionInfo interface is used. However, the value defined in the dpiRules parameter override the other values.

For information about the ServiceSessionInfo interface, see the script service documentation in the SAE core API documentation on the Juniper Networks website at https://www.juniper.net/techpubs/software/management/src/api-index.html.

The value of the variable can be used in the policy templates as defined. You can also specify how to use the value of a variable by extracting part of the value from the variable or replacing nonalphanumeric characters in the value with underscores.

To extract part of the value from the variable, follow the variable with a tilde (~) and a Java regular expression pattern. The regular expression is matched against the value of the variable, and the value of the last capture group is the result of instantiating the variable expression. For more information about using regular expressions, see http://java.sun.com/javase/6/docs/api/java/util/regex/Pattern.html.
For example: [[[ variable~[^.]+\.(\d+) ]]]
If we replace variable with interfaceName and the value of interfaceName is ge-1/2/3.4, then this expression would evaluate to 4.
To replace all nonalphanumeric characters in the value with underscores, follow the variable with an underscore (_).
For example: [[[ variable_ ]]]
If we replace variable with interfaceName and the value of interfaceName is ge-1/2/3.4, then this expression would evaluate to ge_1_2_3_4.

Note: You can use the underscore and the tilde expressions together, but the underscore must precede the tilde in the expression.

Configuring Policy Templates

The policy templates are used to define the policy rules that are inserted or removed from network devices. Templates are combined with parameters from the service activation context to generate Junos XML management protocol and Telnet commands that add and remove service policies.

The policy templates section has this basic structure:

  <policy-templates> 
    <target interface-class="<!-– interface class name -–>">
      <activation> 
        <junoscript> 
            <!-– JUNOScript API statements -–>
          <for-each-rule>
              <!-– Can have multiple for-each-rule -–>
          <if test="expression">
              <!-– Can have conditional expressions -–>
          </if>
          </for-each-rule>
          <for-each-rule test="expression">
              <!-– Can have multiple for-each-rule -–>
              <!-– For each single rule, can include test conditions -–>
          </for-each-rule>
        </junoscript> 
        <telnet host="<!-– hostname -–>"> 
          <prompt>login:</prompt>
          <command>joe</command>
          <prompt>password:</prompt>
          <command>abc123</command>
                <!-– Can have many prompt/command pairs -–>
            <for-each-rule test="expression">
                <!-– For each single rule, can include conditions 
                       and have prompt/command pairs -–>
            </for-each-rule>
       </telnet> 
      </activation> 
      <deactivation> 
          <!-– Structure same as for activation -–>
      </deactivation> 
    </target>
  </policy-templates>

Table 1 describes the policy template elements in the configuration file.

Table 1: Policy Template Elements for Configuration File

Element	Description
<target interface-class= "interface-class-name">	Defines a single policy template, which is selected by matching the interface-class attribute with the value found in the dpiInterfaceClasses parameter. If the interface-class attribute is not provided or its value is "", the target applies to all interfaces. For example: <target interface-class="MXEnterprise">
<activation>	Defines what the script service should do when activating or modifying a session. This element is triggered when the dpiAdminState parameter changes from "disabled" to "enabled".
<deactivation>	Defines what the script service should do when deactivating a session. This element is triggered when the dpiAdminState parameter changes from "enabled" to "disabled".
<junoscript>	Contains a sequence of Junos XML management protocol commands to manage policies on routers running Junos OS. This element can contain <if> and <for-each-rule> elements, delimited variables, literal text, and XML elements, which are not interpreted.
<telnet host="hostname">	Contains a sequence of prompt and command pairs to match on the Telnet device, similar to an expect script. The host attribute is a variable that can include a regular expression to extract a part of the value from the variable. See the <variable> element. For example: <telnet host="deviceIP"> This element can contain <if>, <for-each-rule>, <prompt>, and <command> elements. The <prompt> and <command> elements must alternate, and the sequence must start with the <prompt> element. This element can also contain delimited variables and literal text.
<variable-delimiters start="delimiter" end="delimiter">	Specifies the delimiters for variables in the configuration file. The default delimiters enclose the variable within three square brackets ([[[ variable ]]]). If you want to specify a different delimiter, you must specify the <variable-delimiters> element immediately after the opening tag for the <junoscript> or <telnet> element. The delimiters apply to the contents of the <junoscript> or <telnet> element. Any other occurrences of the <variable-delimiters> element within that element are ignored. For example: <variable-delimiters start="(" end=")">
<if test= "variableName~pattern">	Defines conditional expressions used to generate configuration commands. The test attribute is a variable expression without delimiters. The test is true if the variable has a value and if the optional regular expression matches the variable. For example, the forwarding-class statement would be added to the body only if the map expression contained the fcl key to satisfy the test condition: <if test="fcl"> forwarding-class [[[ fcl ]]]; </if>
<for-each-rule>	Creates the specified body in the policy template for instantiating each map expression found in the dpiRules parameter. For example, if you have two map expressions in the dpiRules parameter, the policy template would generate the body of the <for-each-rule> element once for each map expression. The <for-each-rule> element has a ruleNumber variable to sequentially track the processing of each map expression. You can use the test attribute to provide a condition for the rule; using this attribute would be the same as adding an <if> element.

Note: When using special XML characters as part of the policy templates, they must be coded in XML. For example, the left angle bracket (<) must be coded as <.

The following example uses some elements to show a policy template that activates application-aware access list (AACL) services and service sets on an MX Series router by loading the configuration in text format using Junos XML management protocol.

 <policy-templates> 
    <target interface-class="MXEnterprise">
      <activation> 
        <junoscript> 
          <rpc>
            <load-configuration action="replace" format="text">
              <configuration-text>
services {
    aacl { 
        rule AACL_[[[ interfaceName_ ]]] { 
            match-direction input-output;
          <for-each-rule>
            term [[[ ruleNumber ]]] { 
                from { 
                    application junos:[[[ app ]]]; 
                } 
                then { 
            <if test="fcl">
                    forwarding-class [[[ fcl ]]]; 
            </if> 
            <if test="action~accept">
                    count application; 
            </if> 
                    [[[ action ]]]; 
                }
            } 
          </for-each-rule>
        } 
    } 
    service-set SSET_[[[ interfaceName_ ]]] { 
        aacl-rules AACL_[[[ interfaceName_ ]]]; 
        interface-service { 
           service-interface ms-1/[[[ interfaceName~[^.]+-\d+/(\d+/\d+\.\d+) ]]]; 
        } 
    } 
} 
interfaces { 
    [[[ interfaceName~[^.]+)\.\d+ ]]] {
        unit [[[ interfaceName~[^.]+)\.(\d+) ]]] { 
            family inet { 
                service { 
                    input { 
                         service-set SSET_[[[ interfaceName_ ]]]
                    }
                   output { 
                         service-set SSET_[[[ interfaceName_ ]]]
                    }
                }
            } 
        }
    }
}
              </configuration-text>
            </load-configuration> 
          </rpc> 
        </junoscript> 
      </activation> 
    </target>
  </policy-templates>

If the example uses the following dpiRules substitution:

dpiRules=[{app="rtsp", action="accept", fcl="expedited-forwarding"}, 
                {app="bittorrent", action="discard"}]

The two map expressions in the dpiRules parameter might generate the following target configuration (with two terms) from the policy template example:

services {aacl {rule AACL_xe_8_3_0_1001 {match-direction input-output;term 1 {from {applications junos:rtsp;}then {forwarding-class expedited-forwarding;count application;accept;}}term 2 {from {applications junos:bittorrent;}then {discard;}}}}service-set SSET_xe_8_3_0_1001 {aacl-rules AACL_[[[ interfaceName_ ]]];interface-service {service-interface ms-1/3/0.1001;}}}interfaces {xe-8/3/0 {unit 1001 {family inet {service {input {service-set SSET_xe_8_3_0_1001;}output {service-set SSET_xe_8_3_0_1001;}}}}}}