How to send config(like ansible) without to save it in the CDB

BasharAziz
Level 1

The device is configured by NSO with a basic config and then managed by the customer.

How can I send config (like Ansible does) without saving that config in the CDB?

4 Replies

snovello
Cisco Employee
Since it is the changes in the CDB that trigger NSO to send the minimum diff of config changes to the device, the best you can do is to save the changes and then roll them back.
So you make your changes and commit them.
Then you load the last rollback file.
Then you commit it using the no-networking flag, so the devices are not touched.

In the final state your changes are on the device, but the CDB is unchanged, so your devices are now out of sync.

It could be useful for example if you are building an automated test, and you want to simulate someone going to the device cli and making a change.

What is your reason for wanting to make a device change without saving in cdb?
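The commit / rollback / commit no-networking sequence described above, written out as an NSO C-style CLI session with the check-sync step that confirms the resulting state. This is an added example, not from the thread; the device name fgt-vdom-1 and the config path are placeholders.

```console
admin@ncs# config
Entering configuration mode terminal
! Step 1: make the change and commit normally; NSO pushes the diff to the device.
! <config-path> is a placeholder for the NED-specific path you want to change.
admin@ncs(config)# devices device fgt-vdom-1 config <config-path>
admin@ncs(config)# commit
Commit complete.
! Step 2: load the most recent rollback file into the current transaction
! (a specific rollback id can be given instead of taking the latest).
admin@ncs(config)# rollback configuration
! Step 3: commit it without contacting the network, so only the CDB reverts.
admin@ncs(config)# commit no-networking
Commit complete.
admin@ncs(config)# exit
! Check: the device now carries the change while the CDB does not,
! so NSO reports the device as out of sync.
admin@ncs# devices device fgt-vdom-1 check-sync
result out-of-sync
! To see exactly what differs between the device and the CDB:
admin@ncs# devices device fgt-vdom-1 compare-config
```

Any later commit touching fgt-vdom-1 will fail the out-of-sync check until you run sync-from or sync-to, which is the trade-off the reply above points out.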

For two reasons:

  1. After creating an instance (Fortigate VDOM), the device generates its own configuration which will make it out of sync when we perform a sync-from operation.

  2. The instance owner is the customer, who may have ongoing changes.

The best scenario is to skip the self-generated config or provision the instance without tracking the CLI config.


This is unfortunately common. In general the NED should deal with this problem, and I have seen many cases (like IOS VLAN ranges or other macros). So my first take is to grab your traces and request that the TAC improve the Fortigate NED for your use case; if it can be done in the NED, it is your best option.

For example, the IOS NED has several ways to fix this problem (ned-settings in README file):

6.3.1 ned-settings cisco-ios read replace-config

6.3.2 ned-settings cisco-ios read inject-config

6.4.2 ned-settings cisco-ios write inject-command

- auto interface-range-write true|false(default)

Enable use of 'interface range' config command when modifying
multiple existing interfaces with the same sub-mode config.
Notice: for some obscure reason IOS does not allow service
instance to be modified with interface range command, hence
interfaces with such config modifications are excluded from this
feature.


u.avsec
Spotlight

Hey,

the way I see it, while the use case is valid, it goes completely against the NSO general philosophy. NSO deals with the current running config, and workarounds would mean always having to do commit no-out-of-sync check at best and having to battle broken configs at worst.

That would be the usual situation.

To address the Fortigate issue properly, I imagine the NED would have to work in a special way: basically lie to NSO that everything is OK and act as a fire-and-forget script on commit.