Changing the configuration using event policy action

Starting with release 12.1, Junos lets an event policy change the configuration directly.

In the past this was possible only by pairing an event policy with an event script: the policy detected that a configuration change was needed, and the script committed the change.

Let’s see this in action.

This is the topology used:

(lo0-10.255.21.243/32)R1(ge-0/0/0-1.1.1.1/24) ---------- (ge-0/0/0-1.1.1.2/24)R2(lo0-10.255.26.130/32)

R1 has a static route to R2’s lo0 interface:

 

[edit]
root@R1# show routing-options 
static {
    route 10.255.26.130/32 next-hop 1.1.1.2;
}
[edit]
root@R1# run ping 10.255.26.130 
PING 10.255.26.130 (10.255.26.130): 56 data bytes
64 bytes from 10.255.26.130: icmp_seq=0 ttl=64 time=2.351 ms
64 bytes from 10.255.26.130: icmp_seq=1 ttl=64 time=2.969 ms
^C
--- 10.255.26.130 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.351/2.660/2.969/0.309 ms

[edit]
root@R1#

Using the event-options and RPM configuration below, you can have the router deactivate the static route when the IP address on R2 is no longer reachable:

[edit]
root@R1# show event-options 
policy PING_NOT_OK {
    events PING_TEST_FAILED;
    attributes-match {
        ping_test_failed.test-owner matches PING-Lo0;
        ping_test_failed.test-name matches to-R2;
    }
    then {
        change-configuration {
            commands {
                "deactivate routing-options static route 10.255.26.130/32";
                "deactivate event-options policy PING_NOT_OK";
                "activate event-options policy PING_OK";
            }
        }
    }
}
policy PING_OK {
    events PING_TEST_COMPLETED;
    attributes-match {
        ping_test_completed.test-owner matches PING-Lo0;
        ping_test_completed.test-name matches to-R2;
    }
    then {
        change-configuration {
            commands {
                "activate routing-options static route 10.255.26.130/32";
                "deactivate event-options policy PING_OK";
                "activate event-options policy PING_NOT_OK";
            }
        }
    }
}

[edit]
root@R1# 

[edit]
root@R1# show services 
rpm {
    probe PING-Lo0 {
        test to-R2 {
            probe-type icmp-ping;
            target address 1.1.1.2;
            probe-interval 1;
            test-interval 5;
        }
    }
}

[edit]
root@R1#

With this configuration, the router monitors only the PING_NOT_OK policy as long as the route is active. If the route is inactive, the router monitors the PING_OK policy instead.

As the RPM results show, R2’s loopback interface is reachable from R1:

 

[edit]
root@R1# run show services rpm probe-results          
    Owner: PING-Lo0, Test: to-R2
    Target address: 10.255.26.130, Probe type: icmp-ping, Test size: 1 probes
    Probe results:
      Response received, Tue Jul 22 12:08:43 2013, No hardware timestamps
      Rtt: 2965 usec
    Results over current test:
      Probes sent: 1, Probes received: 1, Loss percentage: 0
      Measurement: Round trip time
        Samples: 1, Minimum: 2965 usec, Maximum: 2965 usec, Average: 2965 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 2965 usec
    Results over last test:
      Probes sent: 1, Probes received: 1, Loss percentage: 0
      Test completed on Tue Jul 22 12:08:43 2013
      Measurement: Round trip time
        Samples: 1, Minimum: 2965 usec, Maximum: 2965 usec, Average: 2965 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 2965 usec
    Results over all tests:
      Probes sent: 465, Probes received: 350, Loss percentage: 24
      Measurement: Round trip time
        Samples: 350, Minimum: 1957 usec, Maximum: 40622 usec, Average: 2961 usec, Peak to peak: 38665 usec, Stddev: 2171 usec, Sum: 1036345 usec

[edit]
root@R1# run show services rpm probe-results    
    Owner: PING-Lo0, Test: to-R2
    Target address: 10.255.26.130, Probe type: icmp-ping, Test size: 1 probes
    Probe results:
      Response received, Tue Jul 22 12:08:58 2013, No hardware timestamps
      Rtt: 3073 usec
    Results over current test:
      Probes sent: 1, Probes received: 1, Loss percentage: 0
      Measurement: Round trip time
        Samples: 1, Minimum: 3073 usec, Maximum: 3073 usec, Average: 3073 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 3073 usec
    Results over last test:
      Probes sent: 1, Probes received: 1, Loss percentage: 0
      Test completed on Tue Jul 22 12:08:58 2013
      Measurement: Round trip time
        Samples: 1, Minimum: 3073 usec, Maximum: 3073 usec, Average: 3073 usec, Peak to peak: 0 usec, Stddev: 0 usec, Sum: 3073 usec
    Results over all tests:
      Probes sent: 468, Probes received: 353, Loss percentage: 24
      Measurement: Round trip time
        Samples: 353, Minimum: 1957 usec, Maximum: 40622 usec, Average: 2962 usec, Peak to peak: 38665 usec, Stddev: 2163 usec, Sum: 1045596 usec

[edit]
root@R1#

This means that the PING_OK policy should be deactivated:

 

[edit]
root@R1# show event-options 
policy PING_NOT_OK {
    events PING_TEST_FAILED;
    attributes-match {
        ping_test_failed.test-owner matches PING-Lo0;
        ping_test_failed.test-name matches to-R2;
    }
    then {
        change-configuration {
            commands {
                "deactivate routing-options static route 10.255.26.130/32";
                "deactivate event-options policy PING_NOT_OK";
                "activate event-options policy PING_OK";
            }
        }
    }
}
inactive: policy PING_OK {
    events PING_TEST_COMPLETED;
    attributes-match {
        ping_test_completed.test-owner matches PING-Lo0;
        ping_test_completed.test-name matches to-R2;
    }
    then {
        change-configuration {
            commands {
                "activate routing-options static route 10.255.26.130/32";
                "deactivate event-options policy PING_OK";
                "activate event-options policy PING_NOT_OK";
            }
        }
    }
}

[edit]
root@R1#

Let’s deactivate unit 0 of the ge-0/0/0 interface on R2:

 

[edit]
root@R2# deactivate interfaces ge-0/0/0.0 

[edit]
root@R2# commit 
commit complete

[edit]
root@R2#

And let’s try to ping R2 from R1:

 

[edit]
root@R1# run ping 10.255.26.130 
PING 10.255.26.130 (10.255.26.130): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 10.255.26.130 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

[edit]
root@R1#

We should confirm that the configuration of event-options has changed and the static route has been deactivated:

 

[edit]
root@R1# show event-options 
inactive: policy PING_NOT_OK {
    events PING_TEST_FAILED;
    attributes-match {
        ping_test_failed.test-owner matches PING-Lo0;
        ping_test_failed.test-name matches to-R2;
    }
    then {
        change-configuration {
            commands {
                "deactivate routing-options static route 10.255.26.130/32";
                "deactivate event-options policy PING_NOT_OK";
                "activate event-options policy PING_OK";
            }
        }
    }
}
policy PING_OK {
    events PING_TEST_COMPLETED;
    attributes-match {
        ping_test_completed.test-owner matches PING-Lo0;
        ping_test_completed.test-name matches to-R2;
    }
    then {
        change-configuration {
            commands {
                "activate routing-options static route 10.255.26.130/32";
                "deactivate event-options policy PING_OK";
                "activate event-options policy PING_NOT_OK";
            }
        }
    }
}

[edit]
root@R1# show routing-options    
static {
    inactive: route 10.255.26.130/32 next-hop 1.1.1.2;
}

[edit]
root@R1#

When the commit happened, the following message was logged. Note that the policy’s configuration change ran with root privileges:

 

Jul 22 12:15:27  R1 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy PING_NOT_OK with user root privileges
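Because these commits happen without an operator and, as the message above shows, with root privileges, it is worth auditing them from syslog. The following is an added example, not part of the original post: it parses the EVENTD_CONFIG_CHANGE_SUCCESS format shown above and the EVENTD_CONFIG_CHANGE_FAILED format quoted in a comment on this page, then flags failed commits, commits as root, policies outside an approved list and bursts of automated commits. The sample log lines, the approved list, the 60-second window and the function names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; the two eventd message formats are the ones quoted on this page.
# The TEST-BGP/ansible line and the sshd line are assumptions made for the demo.
SAMPLE_LOG = """\
Jul 22 12:15:27  R1 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy PING_NOT_OK with user root privileges
Jul 22 12:15:41  R1 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy PING_OK with user root privileges
Jul 22 12:15:55  R1 eventd: EVENTD_CONFIG_CHANGE_FAILED: Configuration change failed: rpc to management daemon failed while executing policy PING_NOT_OK with user root privileges
Jul 22 12:16:09  R1 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy PING_NOT_OK with user root privileges
Jul 22 12:40:00  R1 eventd: EVENTD_CONFIG_CHANGE_SUCCESS: Configuration change successful: while executing policy TEST-BGP with user ansible privileges
Jul 22 12:40:05  R1 sshd[1234]: Accepted password for lab from 192.0.2.10 port 50022 ssh2
"""

EVENTD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+eventd(?:\[\d+\])?:\s+"
    r"EVENTD_CONFIG_CHANGE_(?P<outcome>SUCCESS|FAILED):\s+.*?"
    r"while executing policy (?P<policy>\S+) with user (?P<user>\S+) privileges\s*$"
)

def parse_eventd_changes(text):
    """Return one dict per eventd config-change line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = EVENTD_RE.match(line)
        if m:
            rec = m.groupdict()
            # Syslog omits the year; a fixed leap year is used only to compute deltas.
            stamp = "2000 " + " ".join(rec["ts"].split())
            rec["when"] = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
            records.append(rec)
    return records

def review(changes, approved, window=timedelta(seconds=60), max_commits=2):
    """Flag failed commits, commits as root, unapproved policies and commit bursts."""
    findings = []
    for c in changes:
        if c["outcome"] == "FAILED":
            findings.append(("commit-failed", c["policy"], c["ts"]))
        elif c["user"] == "root":
            findings.append(("commit-as-root", c["policy"], c["ts"]))
        if c["policy"] not in approved:
            findings.append(("unapproved-policy", c["policy"], c["ts"]))
    ok = [c for c in changes if c["outcome"] == "SUCCESS"]
    for i, first in enumerate(ok):
        # Successful automated commits that start inside one window: a flapping probe.
        burst = [c for c in ok[i:] if c["when"] - first["when"] <= window]
        if len(burst) > max_commits:
            findings.append(("commit-burst", first["host"], first["ts"]))
            break
    return findings

if __name__ == "__main__":
    for finding in review(parse_eventd_changes(SAMPLE_LOG), {"PING_OK", "PING_NOT_OK"}):
        print(finding)
```

A commit burst is the signature of a flapping probe: each state change of the RPM test triggers another commit, so the window and threshold should be tuned to the probe and test intervals in use.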


Paris ARAU

Paris ARAU is a networking professional with a strong background in routing and switching technologies. He holds CCIE R&S and dual JNCIE (SP and ENT). His day-to-day work allows him to dive deeply into networking technologies. As part of his continuous training, he is focusing on Software Defined Networking and cloud computing.

Comments

This post currently has 18 responses

  • Nice post! But in my case it was not working unless I added this to rpm:

    thresholds {
        successive-loss 1;
    }

      • Hi,

        Is this config supported on EX switches? This can be used as a replacement for IP monitoring services, which is not supported on EX switches.

        • Yes, this config is supported on EX switches.

          Actually the post is based on a config tested on EX4200.

          Thanks,
          Paris

  • Hi!
    Your rpm config tests for the wrong address (destination of static route instead of next-hop of static route).
    The probe should test the 1.1.1.2 address (next-hop of the static route).
    It cannot test the destination loopback, as there is no route to that address when the interface has been switched off and later switched on.

    • Hi Pawel,

      I haven’t tried this combination, but unless you don’t get an error when you are trying to commit the configuration, it should work.

      Thanks,
      Paris

      • Hi Paris,

        Thanks for your reply.
        Would you have any idea which attributes-match I should use to match the HTTP GET request?

        Pawel

        • Hi Pawel,

          I spent some time going through the attributes-match options (in 15.1R5), but none of them seemed to be the one you are looking for.

          However, it’s possible that the option is there, but not with a self-descriptive name, hence I couldn’t find it.

          Thanks,
          Paris

  • Hi Paris,

    I need to change the configuration when the BGP state changes. Here is my configuration. The log messages show the BGP state change, but the configuration has not been changed.

    lab@vMX-10> show configuration event-options
    policy TEST-BGP {
        events rpd_bgp_neighbor_state_changed;
        attributes-match {
            rpd_bgp_neighbor_state_changed.peer-name matches 10.10.10.1;
            rpd_bgp_neighbor_state_changed.event-type matches HoldTime;
            rpd_bgp_neighbor_state_changed.old-state matches Established;
            rpd_bgp_neighbor_state_changed.new-state matches Idle;
            rpd_bgp_neighbor_state_changed.instance matches master;
        }
        then {
            change-configuration {
                commands {
                    "deactivate routing-options static route 192.168.100.10/32";
                }
                commit-options {
                    log "Deactive route VNH";
                }
            }
        }
    }

    lab@vMX-10> show configuration routing-options static
    route 192.168.100.10/32 next-hop 10.10.10.1;

    lab@vMX-10> show configuration protocols bgp
    group EBGP {
        type external;
        traceoptions {
            file trace-bgp size 1m;
            flag state detail;
        }
        local-address 10.10.10.2;
        peer-as 45888;
        neighbor 10.10.10.1 {
            log-updown;
        }
    }

    lab@vMX-10>

    • Hi Phuoc,

      I never used multiple match statements and I think there is an “AND” between them (all conditions must match).

      Can you try with only one match command to see if the configuration is changed?

      Thanks,
      Paris

  • EVENTD_CONFIG_CHANGE_FAILED: Configuration change failed: rpc to management daemon failed while executing policy PING_NOT_OK with user root privileges

    I’ve tried every user possible, and it still fails, any idea?

    set event-options policy PING_NOT_OK events ping_test_failed
    set event-options policy PING_NOT_OK attributes-match ping_test_failed.test-owner matches PING-Lo0
    set event-options policy PING_NOT_OK attributes-match ping_test_failed.test-name matches to-R2
    set event-options policy PING_NOT_OK then change-configuration commands "deactivate routing-options static route 8.8.8.0/24 next-hop 10.255.255.59"
    set event-options policy PING_NOT_OK then change-configuration commands "deactivate event-options policy PING_NOT_OK"
    set event-options policy PING_NOT_OK then change-configuration commands "activate event-options policy PING_OK"
    set event-options policy PING_NOT_OK then change-configuration user-name ansible
    set event-options policy PING_NOT_OK then change-configuration commit-options synchronize
    set event-options policy PING_NOT_OK then change-configuration commit-options force
    set event-options policy PING_OK events ping_test_completed
    set event-options policy PING_OK attributes-match ping_test_completed.test-owner matches PING-Lo0
    set event-options policy PING_OK attributes-match ping_test_completed.test-name matches to-R2
    set event-options policy PING_OK then change-configuration commands "activate routing-options static route 8.8.8.0/24 next-hop 10.255.255.59"
    set event-options policy PING_OK then change-configuration commands "deactivate event-options policy PING_OK"
    set event-options policy PING_OK then change-configuration commands "activate event-options policy PING_NOT_OK"
    set event-options policy PING_OK then change-configuration user-name ansible
    set event-options policy PING_OK then change-configuration commit-options synchronize
    set event-options policy PING_OK then change-configuration commit-options force

    • “rpc to management daemon failed while executing policy” means that some Junos command lines are misspelt in the “change-configuration commands” section. Check that out and you’ll get it right.
