cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
768
Views
8
Helpful
9
Replies
Highlighted

Are their any examples of NSO tfcp:policy rule syntax?

I'm having no success in finding examples of how to write a tfcp:policy rule syntax in the ncs_cli or the NSO web interface?

Would someone point me in the right direction or provide some simple examples?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Interesting...

So... i went and tried this (yours...) it fails...

Went to look for more details... (tail -f *.* in logs ) and all that... saw some errors..

17-Aug-2017::10:58:46.491 Evaluating XPath for policy: foo:

  /ios:interface[type = 'GigabitEthernet']

keypath not found: "/ios:interface"

Decided (after trying a few things) to look for more guidance...

Noticed that there is a section in the NSO Users Guide (e.g. nso_user_guide-4.4.2.pdf)

on page 85.... This guide provides an example that differs somewhat from the one in the YANG file

Example 19. Policies

ncs(config)# policy rule gb-one-zero

ncs(config-rule-gb-one-zero)# foreach /ncs:devices/device[starts-with(name,'ce')]/config

ncs(config-rule-gb-one-zero)# expr ios:interface/ios:GigabitEthernet[ios:name='0/1']

ncs(config-rule-gb-one-zero)# warning-message "{../name} should have 0/1 interface"

ncs(config-rule-gb-one-zero)# commit

zork(config-rule-gb-one-zero)# top

I "tested" it...  modified slightly to have "error-message" instead of "warning-message"

admin@ncs% switch cli

admin@ncs(config)# policy rule foo

Value for 'expr' (<string>):

admin@ncs(config-rule-foo)# foreach /ncs:devices/device[starts-with(name,'c')]/config

admin@ncs(config-rule-foo)# expr ios:interface/ios:GigabitEthernet[ios:name='0/1']

admin@ncs(config-rule-foo)# error-message "{../name} should have 0/1 interface"

admin@ncs(config-rule-foo)# commit

Commit complete.

admin@ncs(config-rule-foo)#

trying this out...

admin@ncs(config)# no devices device c0 config ios:interface GigabitEthernet 0/1

admin@ncs(config)# validate

Failed: c0 should have 0/1 interface

admin@ncs(config)# commit

Aborted: c0 should have 0/1 interface

admin@ncs(config)#

that seems to work...

(have not tried to re-format the MTU example you had...)

cheers

gregg

View solution in original post

9 REPLIES 9
Highlighted
Cisco Employee

Hi Eric

never tried this - but...

a) found the YANG file... often times good/interesting info is directly incorporated here...

E.g. (for me)

./nso-4.4.2/src/ncs/configuration_policy/tailf-configuration-policy.yang

which includes:

  description

    "This module defines configuration policies.  A configuration policy

     enforces custom validation rules on the configuration data.

     These rules assert that the user-defined conditions are always

     true in committed data.  If a configuration change is done such

     that a policy rule would evaluate to false, the configuration

     change is rejected by the system.";

and:

        description

          "An XPath 1.0 expression that is evaluated when the configuration

           is validated, either when a validate operation is performed,

           or at commit time.

           The result of the expression is converted to a boolean using

           the standard XPath rules.  If the result is 'false', validation

           fails with an error or a warning, as specified in the 'action'

           choice.

           For example, in order to verify that no ethernet interface has

           a MTU other than 1500, the following expression can be given:

     foreach '/interfaces/interface[type = ethernet]'

     expr 'mtu != 1500'

     error 'Ethernet interface {name} must have MTU 1500'

So i tried that... (had to use " and not ')

admin@ncs% set policy rule foo foreach "/interfaces/interface[type = ethernet]" expr "mtu != 1500" error-message "Ethernet interface {name} must have MTU 1500"

[ok][2017-08-17 08:48:20]

[edit]

admin@ncs%

admin@ncs% commit

Commit complete.

[ok][2017-08-17 08:48:35]

[edit]

admin@ncs%

admin@ncs% show policy rule

rule foo {

    foreach       "/interfaces/interface[type = ethernet]";

    expr          "mtu != 1500";

    error-message "Ethernet interface {name} must have MTU 1500";

}

[ok][2017-08-17 08:48:50]

[edit]

admin@ncs%

admin@ncs% delete policy rule foo

[ok][2017-08-17 08:49:52]

[edit]

admin@ncs% commit

Commit complete.

[ok][2017-08-17 08:49:53]

[edit]

admin@ncs%

perhaps this helps...

Cheers

gregg

Highlighted

This can be very useful at times.

And, you forgot single quotes around 'ethernet' (or whatever value you want to compare against, e.g. 'ethernetCsmacd') in the foreach expression.

Highlighted

Thanks Jan

good comment - i just pulled the example from the YANG file description field... - to help the original poster.

didn't actually try it fully -- but it is an interesting !

thanks

gregg

Highlighted

Thanks for the quick replies

I've been trying to test (fail) the policy by the following:

---

foreach       "/ios:interface[type = GigabitEthernet]";

expr          "mtu != 1500";

error-message "Ethernet interface {name} must have MTU 1500";

---

set devices device s00-rtr config ios:interface GigabitEthernet 0/0/3 mtu 4400

---

... but it allows it to configure and commit.

Any ideas?

Highlighted

Interesting...

So... i went and tried this (yours...) it fails...

Went to look for more details... (tail -f *.* in logs ) and all that... saw some errors..

17-Aug-2017::10:58:46.491 Evaluating XPath for policy: foo:

  /ios:interface[type = 'GigabitEthernet']

keypath not found: "/ios:interface"

Decided (after trying a few things) to look for more guidance...

Noticed that there is a section in the NSO Users Guide (e.g. nso_user_guide-4.4.2.pdf)

on page 85.... This guide provides an example that differs somewhat from the one in the YANG file

Example 19. Policies

ncs(config)# policy rule gb-one-zero

ncs(config-rule-gb-one-zero)# foreach /ncs:devices/device[starts-with(name,'ce')]/config

ncs(config-rule-gb-one-zero)# expr ios:interface/ios:GigabitEthernet[ios:name='0/1']

ncs(config-rule-gb-one-zero)# warning-message "{../name} should have 0/1 interface"

ncs(config-rule-gb-one-zero)# commit

zork(config-rule-gb-one-zero)# top

I "tested" it...  modified slightly to have "error-message" instead of "warning-message"

admin@ncs% switch cli

admin@ncs(config)# policy rule foo

Value for 'expr' (<string>):

admin@ncs(config-rule-foo)# foreach /ncs:devices/device[starts-with(name,'c')]/config

admin@ncs(config-rule-foo)# expr ios:interface/ios:GigabitEthernet[ios:name='0/1']

admin@ncs(config-rule-foo)# error-message "{../name} should have 0/1 interface"

admin@ncs(config-rule-foo)# commit

Commit complete.

admin@ncs(config-rule-foo)#

trying this out...

admin@ncs(config)# no devices device c0 config ios:interface GigabitEthernet 0/1

admin@ncs(config)# validate

Failed: c0 should have 0/1 interface

admin@ncs(config)# commit

Aborted: c0 should have 0/1 interface

admin@ncs(config)#

that seems to work...

(have not tried to re-format the MTU example you had...)

cheers

gregg

View solution in original post

Highlighted

SUPER APPRECIATE!!!!

Your latest gets me through the front door. 

Highlighted

awesome!

(I learned new things today too!  thanks for asking the question)

Highlighted
Cisco Employee

hi Eric,

Here some of the examples I use for IOS/XR/Juniper in my demos:

1) I force the loopback 0 to never be in shutdown mode.

2) I force the ISIS metric to be always greater than 99.

I hope this helps!

Roque

tfcp:policy {

    tfcp:rule loopback-up-ios {

        tfcp:foreach  /devices/device;

        tfcp:expr     not(config/ios:interface/ios:Loopback[ios:name='0']/ios:shutdown);

        tfcp:error-message "Loopback 0 is cannot be shutdown";

    }

    tfcp:rule loopback-up-juniper {

        tfcp:foreach  /devices/device/config/junos:configuration/interfaces/interface[name='lo0'];

        tfcp:expr     not(disable);

        tfcp:error-message "Loopback 0 cannot be shutdown";

    }

    tfcp:rule loopback-up-ios-xr {

        tfcp:foreach  /devices/device/config/cisco-ios-xr:interface/Loopback[id='0'];

        tfcp:expr     not(shutdown);

        tfcp:error-message "Loopback 0 cannot be shutdown";

    }

    tfcp:rule isis-metric-juniper {

        tfcp:foreach  /devices/device/config/junos:configuration/protocols/isis/interface/level/metric;

        tfcp:expr     .>99;

        tfcp:error-message "ISIS metric MUST be larger than 100";

    }

    tfcp:rule isis-metric-iosxr {

        tfcp:foreach  /devices/device/config/cisco-ios-xr:router/isis/tag/interface/address-family/ipv4/unicast/metric;

        tfcp:expr     .>99;

        tfcp:error-message "ISIS metric MUST be larger than 100";

    }

    tfcp:rule isis-metric-ios {

        tfcp:foreach  /devices/device/config/ios:interface/GigabitEthernet/isis/metric;

        tfcp:expr     .>99;

        tfcp:error-message "ISIS metric MUST be larger than 100";

    }

}

Highlighted

Thanks again, you've been a HUGE help!!!