As Arica shared with us previously in
I wanted to show another example, this one from a customer request.
They want to make sure all their BGP Peers are also IPsec Peers.
This is a great way to demonstrate Custom Commands, Data Model and Functions.
Notice that at the top we have the pattern to match against:
pattern2 = ```
interface: {int:string}
PERMIT, {flags:string}
#send errors {sErrs:string} #recv errors {rErrs:string}
local crypto endpt.: {localIP:string} remote crypto endpt.: {peer: ipv4Address}
```;
Then we have a function that takes a device and returns all its IPsec peers:
peerIpsec(deviceName) =
  foreach device in network.devices
  where deviceName == device.name
  let outputs = device.outputs
  foreach command in outputs.commands
  where command.commandText == "show crypto ipsec sa"
  let ipsecOutput = parseConfigBlocks(OS.IOS_XE, command.response)
  // this is for testing with sample show command output
  // let ipsecOutput = parseConfigBlocks(OS.IOS_XE, ipsec)
  foreach peer in blockMatches(ipsecOutput, pattern2)
  select peer.data.peer;
Then we have the query that pulls in the BGP neighbors (as copied from the data model) and checks whether each neighbor is in the list of IPsec peers:
foreach device in network.devices
where device.platform.os == OS.IOS_XE
where isPresent(device.bgpRib)
let bgpRib = device.bgpRib
foreach afiSafi in bgpRib.afiSafis
foreach neighbor in afiSafi.neighbors
// peerIpsec takes only the device name; membership is tested in the select below
let ipsec_list = peerIpsec(device.name)
select {
  deviceName: device.name,
  afiSafiAfiSafiName: afiSafi.afiSafiName,
  neighborNeighborAddress: neighbor.neighborAddress,
  peerIpsec: neighbor.neighborAddress in ipsec_list,
  peerIpsecList: ipsec_list
}
I always suggest having sample command output for testing, and in this case that's what the commented-out line above is for.
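The same check run outside NQE, as an added example (Python, not code from the original post or from the NQE library): it parses sample "show crypto ipsec sa" output for remote crypto endpoints and lists the BGP neighbors that have no matching IPsec peer. The function names, sample output and addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of IOS-XE "show crypto ipsec sa" output (trimmed; not from a real device).
SAMPLE_IPSEC_SA = """\
interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 192.0.2.1
   protected vrf: (none)
   current_peer 198.51.100.2 port 500
     PERMIT, flags={origin_is_acl,}
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.0.2.1, remote crypto endpt.: 198.51.100.2
interface: Tunnel20
    Crypto map tag: Tunnel20-head-0, local addr 192.0.2.1
     PERMIT, flags={origin_is_acl,}
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.0.2.1, remote crypto endpt.: 198.51.100.6
"""

ENDPT_RE = re.compile(r"local crypto endpt\.:\s*(\S+?),\s*remote crypto endpt\.:\s*(\S+)")

def ipsec_peers(show_output):
    """Return {interface: set of remote crypto endpoints} parsed from the command output."""
    peers, current = {}, None
    for line in show_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface:"):
            current = stripped.split(":", 1)[1].strip()
            peers[current] = set()
        elif current and (m := ENDPT_RE.search(stripped)):
            # ip_address() raises ValueError on anything that is not a valid address
            peers[current].add(ipaddress.ip_address(m.group(2)))
    return peers

def unprotected_neighbors(bgp_neighbors, show_output):
    """BGP neighbor addresses that do not appear as any IPsec remote endpoint."""
    protected = set().union(*ipsec_peers(show_output).values())
    return sorted(n for n in map(ipaddress.ip_address, bgp_neighbors) if n not in protected)

if __name__ == "__main__":
    # Constructed neighbor list: the last entry has no matching IPsec SA.
    neighbors = ["198.51.100.2", "198.51.100.6", "203.0.113.9"]
    for n in unprotected_neighbors(neighbors, SAMPLE_IPSEC_SA):
        print(f"BGP neighbor {n} has no IPsec SA")
```

An empty or missing command response yields no IPsec peers, so every BGP neighbor on that device is reported as unprotected rather than silently passing.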
Have fun NQE-ing!