Historically, we've implemented scripts to sync prefix-lists with Junoscript perl using this method:

1. get_configuration of the prefix-list
2. compare prefix list in router to our local copy
3. "load merge" config to delete prefixes that exist in the router but not locally
4. "load merge" config to add prefixes that exist locally but not in the router
5. commit

The reason for this was that we wanted to lock down the junoscript account like this:

> show configuration system login class prefix-list
permissions [ configure view view-configuration ];
allow-commands junoscript;
allow-configuration "policy-options prefix-list AUTO-.*";

So any rogue junoscript could only ever change the contents of prefix-lists whose names begin with "AUTO-".

However, this method is very slow. So I tried going back to the "replace" method:

1. "load replace" config with the new prefix list contents
2. commit

This is nice and fast (3-10 times faster). But it doesn't work with the login class restrictions above. Instead we have to open it up:

> show configuration system login class prefix-list
permissions [ configure view view-configuration ];
allow-commands junoscript;
allow-configuration "policy-options .*";

Otherwise we get a failure trying to replace the prefix-list. I don't like this because now a rogue script could mess with the entire policy-options hierarchy.

Is there a solution that allows fast on-box merging (load update?) without requiring wide-open permissions?

Thanks.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
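As an added illustration of the merge-based workflow in the post (not the poster's Perl code), the following Python builds the Junos XML load-configuration payload for steps 2 to 4 of the slow-but-restricted method: it diffs the router's copy against the local copy and emits only delete and add operations for one prefix-list, and it refuses up front to touch any list whose name does not match the "AUTO-.*" pattern that the restricted login class permits. Element names follow the Junos XML configuration hierarchy for prefix-lists (policy-options / prefix-list / prefix-list-item) and the standard delete="delete" operation attribute; the sample prefixes are constructed, and combining deletes and adds into a single payload is a choice made here, where the post issues two separate load merges.

```python
import ipaddress
import re
from xml.etree import ElementTree as ET

# Mirrors the allow-configuration pattern from the restricted login class,
# so a bug or a malicious local file cannot even produce a payload for
# a list outside the permitted namespace.
ALLOWED_NAME = re.compile(r"^AUTO-.*$")


def normalise(prefixes):
    """Canonicalise CIDR strings so 10.0.0.1/8 and 10.0.0.0/8 compare equal;
    raises ValueError on anything that is not a valid network."""
    return {str(ipaddress.ip_network(p, strict=False)) for p in prefixes}


def diff_prefix_list(router, local):
    """Return (to_delete, to_add): on router but not local, and vice versa."""
    router, local = normalise(router), normalise(local)
    return sorted(router - local), sorted(local - router)


def build_merge_xml(name, router, local):
    """Junos XML <configuration> fragment for a load-configuration merge,
    or None when the router already matches the local copy."""
    if not ALLOWED_NAME.match(name):
        raise ValueError(f"prefix-list {name!r} is outside the AUTO- namespace")
    to_delete, to_add = diff_prefix_list(router, local)
    if not to_delete and not to_add:
        return None
    config = ET.Element("configuration")
    plist = ET.SubElement(ET.SubElement(config, "policy-options"), "prefix-list")
    ET.SubElement(plist, "name").text = name
    for prefix in to_delete:  # step 3: remove stale entries
        item = ET.SubElement(plist, "prefix-list-item", delete="delete")
        ET.SubElement(item, "name").text = prefix
    for prefix in to_add:  # step 4: add missing entries
        item = ET.SubElement(plist, "prefix-list-item")
        ET.SubElement(item, "name").text = prefix
    return ET.tostring(config, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: what get_configuration returned vs. the local file.
    on_router = ["10.0.0.0/8", "192.0.2.0/24"]
    local_copy = ["192.0.2.0/24", "198.51.100.0/24"]
    print(build_merge_xml("AUTO-customers", on_router, local_copy))
```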