11-30-2021 07:48 AM - edited 12-01-2021 05:25 AM
I ran into an issue using NSO to update ACLs.
I can change any line that is referenced in the template, however if there are additional lines in that ACL on the device, they won't be removed.
Here is the template:
devices template SERVER_ACCESS
 ned-id cisco-iosxr-cli-7.33
  config
   ! Tags: replace
   ipv4 access-list named-acl ALLOW_HOSTS
    rule 10
     line "remark permit specific servers"
    !
    rule 20
     line "permit ipv4 host {$SERVER_1} any"
    !
    rule 30
     line "permit ipv4 host {$SERVER_2} any"
    !
   !
That works fine for changing sequence numbers 10, 20 and 30; however, if the device config has additional lines configured in that ACL, they won't be removed as I would expect.
Thanks
12-01-2021 06:41 AM - edited 12-01-2021 06:43 AM
I have found something that seems to achieve my goal but I have questions.
If I create an xml template using foreach like this:
<config xmlns="http://tail-f.com/ns/config/1.0">
  <devices xmlns="http://tail-f.com/ns/ncs">
    <template>
      <name>SERVER_ACCESS</name>
      <ned-id>
        <id xmlns:cisco-iosxr-cli-7.33="http://tail-f.com/ns/ned-id/cisco-iosxr-cli-7.33">cisco-iosxr-cli-7.33:cisco-iosxr-cli-7.33</id>
        <config>
          <ipv4 xmlns="http://tail-f.com/ned/cisco-ios-xr">
            <access-list>
              <named-acl tags="replace">
                <name>ALLOW_HOSTS</name>
                <rule>
                  <id>10</id>
                  <line>remark permit specific servers</line>
                </rule>
                <rule>
                  <id>20</id>
                  <line>permit ipv4 host 1.1.1.1 any</line>
                </rule>
                <rule>
                  <id>30</id>
                  <line>permit ipv4 host 2.2.2.2 any</line>
                </rule>
                <?foreach {rule}?>
                <rule tags="delete">
                  <id>{id}</id>
                </rule>
                <?end?>
              </named-acl>
            </access-list>
          </ipv4>
        </config>
      </ned-id>
    </template>
  </devices>
</config>
From the NSO CLI, I then imported that template and it looks like the template does what I need:
eng_acct@ncs(config)# load merge test.xml
Loading.
1.83 KiB parsed in 0.05 sec (36.17 KiB/sec)
eng_acct@ncs(config)# commit
Commit complete.
eng_acct@ncs(config)# devices device CE1 apply-template template-name SERVER_ACCESS
apply-template-result {
    device CE1
    result ok
}
eng_acct@ncs(config)# show configuration
devices device CE1
 config
  ipv4 access-list ALLOW_HOSTS
   no 40 permit ipv4 host 3.3.3.3 any
   no 50 permit ipv4 host 4.4.4.4 any
  exit
 !
!
Here is my main concern. Looking at the template from the CLI, I don't see the foreach... I don't understand how that is supposed to be readable:
eng_acct@ncs# show running-config devices template SERVER_ACCESS
devices template SERVER_ACCESS
 ned-id cisco-iosxr-cli-7.33
  config
   ! Tags: replace
   ipv4 access-list named-acl ALLOW_HOSTS
    rule 10
     line "remark NTP master servers"
    !
    rule 20
     line "permit ipv4 host 1.1.1.1 any"
    !
    rule 30
     line "permit ipv4 host 2.2.2.2 any"
    !
    ! Tags: delete
    rule {id}
    !
   !
  !
 !
!
Looks like the foreach section got boiled down to the delete tag and rule {id}?
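The behaviour behind this thread, as an added illustration that is neither NSO's code nor the poster's: a small model of how a device template's ACL rules land on the device under the default merge operation versus the replace tag, using the rules from the thread (the device's rules 40 and 50 are constructed from the diff shown above). The stale_permits helper is a hypothetical audit check, not an NSO feature.

```python
"""Model of NSO template operations on a named ACL (constructed, not NSO code).

merge   -> rules in the template are set; anything else on the device is kept
replace -> the template is the complete list; extra rules on the device go
"""

# Constructed sample: what device CE1 currently holds in ALLOW_HOSTS
DEVICE_ACL = {
    10: "remark permit specific servers",
    20: "permit ipv4 host 1.1.1.1 any",
    30: "permit ipv4 host 2.2.2.2 any",
    40: "permit ipv4 host 3.3.3.3 any",
    50: "permit ipv4 host 4.4.4.4 any",
}

# The rules carried by the SERVER_ACCESS template in the thread
TEMPLATE_ACL = {
    10: "remark permit specific servers",
    20: "permit ipv4 host 1.1.1.1 any",
    30: "permit ipv4 host 2.2.2.2 any",
}


def apply_template(device: dict, template: dict, tags: str = "merge") -> dict:
    """Return the ACL the device ends up with for the given operation tag."""
    if tags == "replace":
        return dict(template)
    if tags == "merge":
        result = dict(device)
        result.update(template)
        return result
    raise ValueError(f"unsupported tag {tags!r}")


def config_diff(device: dict, desired: dict) -> list:
    """Render the change as the CLI lines that would be pushed to the device."""
    lines = []
    for seq in sorted(set(device) | set(desired)):
        if seq in device and seq not in desired:
            lines.append(f"no {seq} {device[seq]}")
        elif device.get(seq) != desired[seq]:
            lines.append(f"{seq} {desired[seq]}")
    return lines


def stale_permits(device: dict, template: dict) -> list:
    """Sequence numbers of permit entries the template does not vouch for:
    exactly what a merge-only template leaves in place unnoticed."""
    return [s for s in sorted(device)
            if s not in template and device[s].startswith("permit")]
```

With the default merge the diff is empty and hosts 3.3.3.3 and 4.4.4.4 keep their access; with replace the diff is the two "no 40" / "no 50" lines the thread shows.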
12-06-2021 07:22 AM
Any reason why you are using a device template and not writing your service? Some of these tags are only meant to be used on service templates.
12-06-2021 08:01 AM
Hi, thanks for your response.
I had considered whether a service might be called for and it seems like creating a service would add a lot of additional steps.
When I was testing with the delete tag and for loops, it seemed like it was probably more intended for a service.
The replace tag is commonly used in config templates but I was surprised to see a config template wasn't working correctly for an ACL.
So is there no way to manage an ACL with a config template?
Thanks again
12-08-2021 12:47 PM
Found the issue; it was unrelated to the template. It was a typo in the device group; the original template works as expected.
For future reference, I wouldn't use a for loop in a device template, as I don't think it's supported, but I don't think there is an issue using the delete tag in a device template if needed.