NSO IOS Template Insert ACL rule BEFORE deny any

marioderosa2008
Level 1

Hi team, I'm trying to write a device template so I can edit ACLs on all my ASR1K devices safely, knowing that even if the ACL numbering is not exactly the same across all devices, I can insert the rules before the deny any statement at the end of a standard named ACL. Currently I am getting an error in NSO when doing this.

NED version 6.71

NSO version 5.4.2


XML retrieved from doing a device sync-from is below...

result-xml <ip xmlns="urn:ios">
              <access-list>
                <standard>
                  <std-named-acl>
                    <name>SNMP-ACL</name>
                    <std-access-list-rule xmlns:yang="urn:ietf:params:xml:ns:yang:1"
                                          xmlns:ios="urn:ios"
                                          yang:insert="after"
                                          yang:key="[ios:rule='permit 3.3.3.3']">
                      <rule>permit 1.1.1.1</rule>
                    </std-access-list-rule>
                    <std-access-list-rule xmlns:yang="urn:ietf:params:xml:ns:yang:1"
                                          xmlns:ios="urn:ios"
                                          yang:insert="after"
                                          yang:key="[ios:rule='permit 1.1.1.1']">
                      <rule>permit 2.2.2.2</rule>
                    </std-access-list-rule>
                  </std-named-acl>
                </standard>
              </access-list>
            </ip>

Firstly, if I add that to a template and try to load merge, it fails with this error message...

load merge test.xml 
Error: on line 17: missing element: std-access-list-rule in /ncs:devices/ncs:template[ncs:name='test']/ncs:ned-id[ncs:id='cisco-ios-cli-6.71:cisco-ios-cli-6.71']/ncs:config/ios:ip/ios:access-list/ios:standard/ios:std-named-acl[ios:name='SNMP-ACL']/ios:std-access-list-rule[ios:rule='permit 1.1.1.1']
[error][2021-10-19 06:57:11]

So the template push fails without me modifying anything that has come directly from staging the config on the actual device and doing a sync-from...

If I try and manipulate it so that yang:insert = before and yang:key = 'deny any'... I get the same error when doing a load merge...

XML template in full is below...

<config xmlns="http://tail-f.com/ns/config/1.0">
  <devices xmlns="http://tail-f.com/ns/ncs">
    <template>
      <name>test</name>
      <ned-id>
        <id xmlns:cisco-ios-cli-6.71="http://tail-f.com/ns/ned-id/cisco-ios-cli-6.71">cisco-ios-cli-6.71:cisco-ios-cli-6.71</id>
        <config>
          <ip xmlns="urn:ios">
            <access-list>
              <standard>
                <std-access-list-rule xmlns:yang="urn:ietf:params:xml:ns:yang:1" xmlns:ios="urn:ios" yang:insert="after" yang:key="[ios:rule='permit 3.3.3.3']">
                  <rule>permit 1.1.1.1</rule>
                </std-access-list-rule>
                <std-access-list-rule xmlns:yang="urn:ietf:params:xml:ns:yang:1" xmlns:ios="urn:ios" yang:insert="after" yang:key="[ios:rule='permit 1.1.1.1']">
                  <rule>permit 2.2.2.2</rule>
                </std-access-list-rule>
              </standard>
            </access-list>
          </ip>
        </config>
      </ned-id>
    </template>
  </devices>
</config>

Can anyone spot what I am doing wrong here?

Thanks

Mario

1 Reply

Alexander Stevenson
Cisco Employee

Hello @marioderosa2008,

The XML is valid in form, according to the online checkers I used, although one such checker mentioned that this line is missing:

<?xml version="1.0" encoding="UTF-8"?>


Beyond that, I would check the Cisco Bug Search Tool.

Best regards,

                    Alex
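
A well-formedness check does not look at the `yang:insert` references in the XML above. In YANG (RFC 7950), an entry inserted `before` or `after` must name an existing list entry through `yang:key`. The following is an added example, not from the posts or from NSO: it parses a payload and reports references that the payload itself does not satisfy, which therefore depend on what is already in the target list. `unresolved_inserts`, `leaves` and `SAMPLE` are hypothetical names, and the sample is the SNMP-ACL XML from the question with its namespace declarations moved to the root element.

```python
import re
import xml.etree.ElementTree as ET

YANG = "{urn:ietf:params:xml:ns:yang:1}"
KEY_PRED = re.compile(r"\[(?:[\w.-]+:)?([\w.-]+)\s*=\s*(['\"])(.*?)\2\]")  # [pfx:leaf='value']

# Constructed sample: the SNMP-ACL payload quoted in the question, with the
# repeated namespace declarations hoisted to the root element.
SAMPLE = """\
<ip xmlns="urn:ios" xmlns:ios="urn:ios" xmlns:yang="urn:ietf:params:xml:ns:yang:1">
  <access-list><standard><std-named-acl>
    <name>SNMP-ACL</name>
    <std-access-list-rule yang:insert="after" yang:key="[ios:rule='permit 3.3.3.3']">
      <rule>permit 1.1.1.1</rule>
    </std-access-list-rule>
    <std-access-list-rule yang:insert="after" yang:key="[ios:rule='permit 1.1.1.1']">
      <rule>permit 2.2.2.2</rule>
    </std-access-list-rule>
  </std-named-acl></standard></access-list>
</ip>
"""

def leaves(entry):
    """Map local leaf name -> text for the direct children of a list entry."""
    return {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in entry}

def unresolved_inserts(xml_text):
    """Return (entry_leaves, mode, wanted_key) for each yang:insert before/after
    whose yang:key matches no sibling entry inside the same payload."""
    root = ET.fromstring(xml_text)  # a ParseError here means not well-formed
    findings = []
    for parent in root.iter():
        for entry in parent:
            mode = entry.get(YANG + "insert")
            if mode not in ("before", "after"):
                continue  # "first"/"last" need no reference entry
            wanted = {m[0]: m[2] for m in KEY_PRED.findall(entry.get(YANG + "key", ""))}
            siblings = [leaves(s) for s in parent if s.tag == entry.tag and s is not entry]
            hit = any(all(s.get(k) == v for k, v in wanted.items()) for s in siblings)
            if not wanted or not hit:
                findings.append((leaves(entry), mode, wanted))
    return findings

if __name__ == "__main__":
    for entry, mode, wanted in unresolved_inserts(SAMPLE):
        print(f"{entry} wants insert {mode} {wanted}: not present in this payload")
```

On the sample, only the `permit 1.1.1.1` entry is reported, because `permit 3.3.3.3` appears nowhere in the payload.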