08-17-2017 06:10 AM - edited 03-01-2019 03:57 AM
I'm having no success in finding examples of how to write tfcp:policy rule syntax in ncs_cli or the NSO web interface.
Would someone point me in the right direction or provide some simple examples?
08-17-2017 08:56 AM
Hi Eric
never tried this - but...
a) found the YANG file... often times good/interesting info is directly incorporated here...
E.g. (for me)
./nso-4.4.2/src/ncs/configuration_policy/tailf-configuration-policy.yang
which includes:
description
"This module defines configuration policies. A configuration policy
enforces custom validation rules on the configuration data.
These rules assert that the user-defined conditions are always
true in committed data. If a configuration change is done such
that a policy rule would evaluate to false, the configuration
change is rejected by the system.";
and:
description
"An XPath 1.0 expression that is evaluated when the configuration
is validated, either when a validate operation is performed,
or at commit time.
The result of the expression is converted to a boolean using
the standard XPath rules. If the result is 'false', validation
fails with an error or a warning, as specified in the 'action'
choice.
For example, in order to verify that no ethernet interface has
a MTU other than 1500, the following expression can be given:
foreach '/interfaces/interface[type = ethernet]'
expr 'mtu != 1500'
error 'Ethernet interface {name} must have MTU 1500'
So I tried that... (had to use " and not ')
admin@ncs% set policy rule foo foreach "/interfaces/interface[type = ethernet]" expr "mtu != 1500" error-message "Ethernet interface {name} must have MTU 1500"
[ok][2017-08-17 08:48:20]
[edit]
admin@ncs%
admin@ncs% commit
Commit complete.
[ok][2017-08-17 08:48:35]
[edit]
admin@ncs%
admin@ncs% show policy rule
rule foo {
foreach "/interfaces/interface[type = ethernet]";
expr "mtu != 1500";
error-message "Ethernet interface {name} must have MTU 1500";
}
[ok][2017-08-17 08:48:50]
[edit]
admin@ncs%
admin@ncs% delete policy rule foo
[ok][2017-08-17 08:49:52]
[edit]
admin@ncs% commit
Commit complete.
[ok][2017-08-17 08:49:53]
[edit]
admin@ncs%
perhaps this helps...
Cheers
gregg
08-17-2017 09:23 AM
This can be very useful at times.
And, you forgot single quotes around 'ethernet' (or whatever value you want to compare against, e.g. 'ethernetCsmacd') in the foreach expression.
08-17-2017 09:27 AM
Thanks Jan
good comment - I just pulled the example from the YANG file description field... - to help the original poster.
didn't actually try it fully -- but it is an interesting !
thanks
gregg
08-17-2017 10:43 AM
Thanks for the quick replies
I've been trying to test (fail) the policy by the following:
---
foreach "/ios:interface[type = GigabitEthernet]";
expr "mtu != 1500";
error-message "Ethernet interface {name} must have MTU 1500";
---
set devices device s00-rtr config ios:interface GigabitEthernet 0/0/3 mtu 4400
---
... but it allows it to configure and commit.
Any ideas?
08-17-2017 12:03 PM
Interesting...
So... I went and tried this (yours...) it fails...
Went to look for more details... (tail -f *.* in logs ) and all that... saw some errors..
17-Aug-2017::10:58:46.491 Evaluating XPath for policy: foo:
/ios:interface[type = 'GigabitEthernet']
keypath not found: "/ios:interface"
Decided (after trying a few things) to look for more guidance...
Noticed that there is a section in the NSO Users Guide (e.g. nso_user_guide-4.4.2.pdf)
on page 85.... This guide provides an example that differs somewhat from the one in the YANG file
Example 19. Policies
ncs(config)# policy rule gb-one-zero
ncs(config-rule-gb-one-zero)# foreach /ncs:devices/device[starts-with(name,'ce')]/config
ncs(config-rule-gb-one-zero)# expr ios:interface/ios:GigabitEthernet[ios:name='0/1']
ncs(config-rule-gb-one-zero)# warning-message "{../name} should have 0/1 interface"
ncs(config-rule-gb-one-zero)# commit
zork(config-rule-gb-one-zero)# top
I "tested" it... modified slightly to have "error-message" instead of "warning-message"
admin@ncs% switch cli
admin@ncs(config)# policy rule foo
Value for 'expr' (<string>):
admin@ncs(config-rule-foo)# foreach /ncs:devices/device[starts-with(name,'c')]/config
admin@ncs(config-rule-foo)# expr ios:interface/ios:GigabitEthernet[ios:name='0/1']
admin@ncs(config-rule-foo)# error-message "{../name} should have 0/1 interface"
admin@ncs(config-rule-foo)# commit
Commit complete.
admin@ncs(config-rule-foo)#
trying this out...
admin@ncs(config)# no devices device c0 config ios:interface GigabitEthernet 0/1
admin@ncs(config)# validate
Failed: c0 should have 0/1 interface
admin@ncs(config)# commit
Aborted: c0 should have 0/1 interface
admin@ncs(config)#
that seems to work...
(have not tried to re-format the MTU example you had...)
cheers
gregg
08-17-2017 12:24 PM
SUPER APPRECIATE!!!!
Your latest gets me through the front door.
08-17-2017 12:32 PM
awesome!
(I learned new things today too! thanks for asking the question)
08-18-2017 03:43 AM
hi Eric,
Here some of the examples I use for IOS/XR/Juniper in my demos:
1) I force the loopback 0 to never be in shutdown mode.
2) I force the ISIS metric to be always greater than 99.
I hope this helps!
Roque
tfcp:policy {
tfcp:rule loopback-up-ios {
tfcp:foreach /devices/device;
tfcp:expr not(config/ios:interface/ios:Loopback[ios:name='0']/ios:shutdown);
tfcp:error-message "Loopback 0 cannot be shutdown";
}
tfcp:rule loopback-up-juniper {
tfcp:foreach /devices/device/config/junos:configuration/interfaces/interface[name='lo0'];
tfcp:expr not(disable);
tfcp:error-message "Loopback 0 cannot be shutdown";
}
tfcp:rule loopback-up-ios-xr {
tfcp:foreach /devices/device/config/cisco-ios-xr:interface/Loopback[id='0'];
tfcp:expr not(shutdown);
tfcp:error-message "Loopback 0 cannot be shutdown";
}
tfcp:rule isis-metric-juniper {
tfcp:foreach /devices/device/config/junos:configuration/protocols/isis/interface/level/metric;
tfcp:expr .>99;
tfcp:error-message "ISIS metric MUST be larger than 100";
}
tfcp:rule isis-metric-iosxr {
tfcp:foreach /devices/device/config/cisco-ios-xr:router/isis/tag/interface/address-family/ipv4/unicast/metric;
tfcp:expr .>99;
tfcp:error-message "ISIS metric MUST be larger than 100";
}
tfcp:rule isis-metric-ios {
tfcp:foreach /devices/device/config/ios:interface/GigabitEthernet/isis/metric;
tfcp:expr .>99;
tfcp:error-message "ISIS metric MUST be larger than 100";
}
}
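To make the behaviour seen across this thread reproducible offline, here is an added example (not NSO's code, not Roque's, and not from the user guide) that models how a tailf-configuration-policy rule is evaluated, following the semantics quoted from the YANG description above: `foreach` selects a node set, `expr` is evaluated once per selected node with that node as the XPath context, the result is converted to a boolean by XPath 1.0 rules, and a false result yields the error message with its `{xpath}` placeholders expanded relative to the same context node. It runs lxml's XPath 1.0 engine over a constructed XML document shaped like the `/ncs:devices/device/config/ios:interface` tree used in the thread; the namespace URIs, device names and interface values are constructed for the demo. It shows the `gb-one-zero` rule working, why a `foreach` rooted at `/ios:interface` silently selects nothing (so an MTU of 4400 commits), Jan's unquoted-value point generalised to `device[name = c0]`, an MTU rule rooted at the device tree, and Roque's IOS loopback rule. Strict XPath 1.0 matches an unprefixed name only to elements in no namespace, so `device`, `name` and `config` are written without a namespace here to keep the thread's expressions usable verbatim.

```python
"""Model of NSO configuration-policy evaluation (added example, not NSO code)."""
import re
from lxml import etree

# Prefix map used for every XPath evaluation (URIs constructed for the demo).
NS = {"ncs": "urn:demo:ncs", "ios": "urn:demo:ios"}

# Constructed configuration: c0 has Gi0/1 at MTU 1500, Gi0/2 at MTU 4400 and a
# shut Loopback0; c1 has no Gi0/1 at all.
CONFIG_XML = b"""
<ncs:devices xmlns:ncs="urn:demo:ncs" xmlns:ios="urn:demo:ios">
  <device>
    <name>c0</name>
    <config>
      <ios:interface>
        <ios:GigabitEthernet><ios:name>0/1</ios:name><ios:mtu>1500</ios:mtu></ios:GigabitEthernet>
        <ios:GigabitEthernet><ios:name>0/2</ios:name><ios:mtu>4400</ios:mtu></ios:GigabitEthernet>
        <ios:Loopback><ios:name>0</ios:name><ios:shutdown/></ios:Loopback>
      </ios:interface>
    </config>
  </device>
  <device>
    <name>c1</name>
    <config>
      <ios:interface>
        <ios:GigabitEthernet><ios:name>0/2</ios:name><ios:mtu>1500</ios:mtu></ios:GigabitEthernet>
      </ios:interface>
    </config>
  </device>
</ncs:devices>
""".strip()

ROOT = etree.fromstring(CONFIG_XML)


def expand_message(node, message):
    """Replace each {xpath} in the message with string(xpath) evaluated at node."""
    return re.sub(
        r"\{([^}]+)\}",
        lambda m: str(node.xpath("string(%s)" % m.group(1), namespaces=NS)),
        message,
    )


def evaluate_rule(root, foreach, expr, error_message):
    """Return the error messages a rule would produce against this data tree.

    An empty list means the commit would be accepted. Note the silent case:
    a 'foreach' that selects nothing never evaluates 'expr' at all.
    """
    errors = []
    for ctx in root.xpath(foreach, namespaces=NS):
        # boolean() applies the standard XPath 1.0 truth conversion.
        if not ctx.xpath("boolean(%s)" % expr, namespaces=NS):
            errors.append(expand_message(ctx, error_message))
    return errors


# (name, foreach, expr, error-message) tuples taken or adapted from the thread.
RULES = {
    # The user-guide rule: every device whose name starts with 'c' needs Gi0/1.
    "gb-one-zero": (
        "/ncs:devices/device[starts-with(name,'c')]/config",
        "ios:interface/ios:GigabitEthernet[ios:name='0/1']",
        "{../name} should have 0/1 interface",
    ),
    # The first attempt in the thread: rooted at /ios:interface, which is not a
    # top-level node, so nothing is selected and nothing ever fails.
    "mtu-rooted-wrong": (
        "/ios:interface[type = 'GigabitEthernet']",
        "mtu != 1500",
        "Ethernet interface {name} must have MTU 1500",
    ),
    # Unquoted comparison value: c0 is read as a child element name, not a
    # string, so the predicate matches no device at all.
    "gb-one-zero-unquoted": (
        "/ncs:devices/device[name = c0]/config",
        "ios:interface/ios:GigabitEthernet[ios:name='0/1']",
        "{../name} should have 0/1 interface",
    ),
    # MTU rule rooted at the device tree. A false result is what fails
    # validation, so 'expr' states the condition that must hold.
    "mtu-1500": (
        "/ncs:devices/device/config/ios:interface/ios:GigabitEthernet",
        "ios:mtu = 1500",
        "Ethernet interface {ios:name} on {../../../name} must have MTU 1500",
    ),
    # Roque's IOS loopback rule, with the device name added to the message.
    "loopback-up-ios": (
        "/ncs:devices/device",
        "not(config/ios:interface/ios:Loopback[ios:name='0']/ios:shutdown)",
        "Loopback 0 on {name} cannot be shutdown",
    ),
}


def validate(root=ROOT, rules=RULES):
    """Evaluate every rule; return {rule_name: [messages]} for the rules that fail."""
    report = {}
    for name, (foreach, expr, msg) in rules.items():
        errors = evaluate_rule(root, foreach, expr, msg)
        if errors:
            report[name] = errors
    return report


if __name__ == "__main__":
    for rule, errors in validate().items():
        for err in errors:
            print(f"Aborted ({rule}): {err}")
```

Running it reports `gb-one-zero`, `mtu-1500` and `loopback-up-ios` failures for the constructed tree, while `mtu-rooted-wrong` and `gb-one-zero-unquoted` pass silently, which is exactly the "it allows it to configure and commit" symptom. One further consequence of the false-fails semantics worth checking with `evaluate_rule` is that `ios:mtu != 1500` flags the interfaces whose MTU is 1500, not the one at 4400.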
08-18-2017 06:15 AM
Thanks again, you've been a HUGE help!!!