Are your BGP Peers also IPSEC Peers? - An expansion on Custom Command Parsing

  • 21 June 2024
  • 0 replies

As Arica shared with us previously in 

I wanted to expand on a customer request to show another example from a customer.

They want to make sure all their BGP Peers are also IPsec Peers. 

This is a great way to demonstrate Custom Commands, Data Model and Functions.


Notice up at the top we have the Pattern to match with

pattern2 = ```

interface: {int:string}

   PERMIT, {flags:string}

    #send errors {sErrs:string} #recv errors {rErrs:string}

     local crypto endpt.: {localIP:string} remote crypto endpt.: {peer: ipv4Address} ```;


Then we have a function to take a device and return all its IPsec peers

peerIpsec(deviceName) = 

foreach device in network.devices where deviceName ==

let outputs = device.outputs foreach command in outputs.commands

where command.commandText == "show crypto ipsec sa"

let ipsecOutput = parseConfigBlocks(OS.IOS_XE, command.response)

// this is for testing with sample show command output

//let ipsecOutput = parseConfigBlocks(OS.IOS_XE, ipsec)

foreach peer in blockMatches(ipsecOutput, pattern2)



Then we have the query to pull in the BGP neighbors (as copied from the data model) and see if that neighbor is in the list of IPsec peers.

foreach device in network.devices

where device.platform.os == OS.IOS_XE

where isPresent(device.bgpRib) let bgpRib = device.bgpRib

foreach afiSafi in bgpRib.afiSafis

foreach neighbor in afiSafi.neighbors

let ipsec_list = peerIpsec(, neighbor.neighborAddress)

select {  


afiSafiAfiSafiName: afiSafi.afiSafiName,  

neighborNeighborAddress: neighbor.neighborAddress,  

peerIpsec: neighbor.neighborAddress in ipsec_list,  

peerIpsecList: ipsec_list }


I always suggest to have a sample command output for testing and in this case that’s what the commented out line is above.

Have fun NQE-ing!

0 replies

Be the first to reply!