NSO Template to remove additional lines from ACL

NetDevOp (Level 1)

I ran into an issue using NSO to update ACLs.

I can change any line that is referenced in the template; however, if there are additional lines in that ACL on the device, they won't be removed.

Here is the template:

devices template SERVER_ACCESS
 ned-id cisco-iosxr-cli-7.33
  config
   ! Tags: replace
   ipv4 access-list named-acl ALLOW_HOSTS
    rule 10
     line "remark permit specific servers"
    !
    rule 20
     line "permit ipv4 host {$SERVER_1} any"
    !
    rule 30
     line "permit ipv4 host {$SERVER_2} any"
    !
   !

That works fine for changing sequence numbers 10, 20 and 30; however, if the device config has additional lines configured in that ACL, they won't be removed as I would expect.

Thanks


4 Replies

NetDevOp (Level 1)

I have found something that seems to achieve my goal, but I have questions.

If I create an xml template using foreach like this:

<config xmlns="http://tail-f.com/ns/config/1.0">
  <devices xmlns="http://tail-f.com/ns/ncs">
    <template>
      <name>SERVER_ACCESS</name>
      <ned-id>
        <id xmlns:cisco-iosxr-cli-7.33="http://tail-f.com/ns/ned-id/cisco-iosxr-cli-7.33">cisco-iosxr-cli-7.33:cisco-iosxr-cli-7.33</id>
        <config>
          <ipv4 xmlns="http://tail-f.com/ned/cisco-ios-xr">
            <access-list>
              <named-acl tags="replace">
                <name>ALLOW_HOSTS</name>
                <rule>
                  <id>10</id>
                  <line>remark permit specific servers</line>
                </rule>
                <rule>
                  <id>20</id>
                  <line>permit ipv4 host 1.1.1.1 any</line>
                </rule>
                <rule>
                  <id>30</id>
                  <line>permit ipv4 host 2.2.2.2 any</line>
                </rule>
                <?foreach {rule}?>
                  <rule tags="delete">
                    <id>{id}</id>
                  </rule>
                <?end?>
              </named-acl>
            </access-list>
          </ipv4>
        </config>
      </ned-id>
    </template>
  </devices>
</config>

From the NSO CLI, I then imported that template and it looks like the template does what I need:

eng_acct@ncs(config)# load merge test.xml
Loading.
1.83 KiB parsed in 0.05 sec (36.17 KiB/sec)
eng_acct@ncs(config)# commit
Commit complete.
eng_acct@ncs(config)# devices device CE1 apply-template template-name SERVER_ACCESS
apply-template-result {
    device CE1
    result ok
}
eng_acct@ncs(config)# show configuration
devices device CE1
 config
  ipv4 access-list ALLOW_HOSTS
   no 40 permit ipv4 host 3.3.3.3 any
   no 50 permit ipv4 host 4.4.4.4 any
  exit
 !
!

Here is my main concern. Looking at the template from the CLI, I don't see the foreach. I don't understand how that is supposed to be readable:

eng_acct@ncs# show running-config devices template SERVER_ACCESS
devices template SERVER_ACCESS
 ned-id cisco-iosxr-cli-7.33
  config
   ! Tags: replace
   ipv4 access-list named-acl ALLOW_HOSTS
    rule 10
     line "remark NTP master servers"
    !
    rule 20
     line "permit ipv4 host 1.1.1.1 any"
    !
    rule 30
     line "permit ipv4 host 2.2.2.2 any"
    !
    ! Tags: delete
    rule {id}
    !
   !
  !
 !
!

Looks like the foreach section got boiled down to the delete tag and rule {id}?
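As an added illustration (my own code, not NSO's and not the poster's template), the following Python models what the replace tag does to an ACL like the one above: it diffs a constructed device ACL against the rules a template declares and lists the lines a merge or a replace apply would push. The line emitted for a changed rule is an assumption; the deletions follow the `no 40 ...` form shown in the commit output above.

```python
"""Model of NSO device-template tag semantics for an IOS XR named ACL.

Constructed example: the device and template rule sets below are made up
for illustration. The diff format is a simplification, not the NED's
exact output: deletions use the 'no <seq> <line>' form seen in the thread,
and the line used for a changed rule is an assumption.
"""
from typing import Dict, List, Tuple

# Constructed sample: rules currently on the device under ALLOW_HOSTS.
DEVICE_ACL: Dict[int, str] = {
    10: "remark permit specific servers",
    20: "permit ipv4 host 1.1.1.1 any",
    30: "permit ipv4 host 9.9.9.9 any",   # differs from the template
    40: "permit ipv4 host 3.3.3.3 any",   # not declared in the template
    50: "permit ipv4 host 4.4.4.4 any",   # not declared in the template
}

# Constructed sample: rules the template declares, variables already expanded.
TEMPLATE_ACL: Dict[int, str] = {
    10: "remark permit specific servers",
    20: "permit ipv4 host 1.1.1.1 any",
    30: "permit ipv4 host 2.2.2.2 any",
}


def acl_diff(device: Dict[int, str], template: Dict[int, str],
             tag: str = "merge") -> List[str]:
    """Return the ACL lines NSO would push, ordered by sequence number.

    'merge' (the default) only adds or rewrites the declared rules, so
    undeclared entries such as 40 and 50 survive. 'replace' makes the
    template authoritative and removes every undeclared entry.
    """
    if tag not in ("merge", "replace"):
        raise ValueError(f"unsupported tag: {tag}")
    changes: List[Tuple[int, str]] = []
    for seq, line in template.items():
        if device.get(seq) != line:
            changes.append((seq, f"{seq} {line}"))
    if tag == "replace":
        for seq, line in device.items():
            if seq not in template:
                changes.append((seq, f"no {seq} {line}"))
    return [text for _, text in sorted(changes)]


def stale_permits(device: Dict[int, str], template: Dict[int, str]) -> List[int]:
    """Sequence numbers of permit rules a plain 'merge' apply would leave behind."""
    return sorted(seq for seq, line in device.items()
                  if seq not in template and line.startswith("permit"))
```

The stale_permits helper flags the permit entries a merge would leave on the device, which is the case that matters when the template is meant to be the only source of allowed hosts.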

 

Any reason why you are using a device template and not writing your service? Some of these tags are only meant to be used on service templates.

Hi, thanks for your response.

I had considered whether a service might be called for, and it seems like creating a service would add a lot of additional steps.

When I was testing with the delete tag and for loops, it seemed like it was probably more intended for a service.

The replace tag is commonly used in config templates, but I was surprised to see a config template wasn't working correctly for an ACL.

So is there no way to manage an ACL with a config template?

Thanks again

NetDevOp (Level 1), accepted solution

Found the issue; it was unrelated to the template. It was a typo in the device group, and the original template works as expected.

For future reference, I wouldn't use a for loop in a device template, as I don't think it's supported, but I don't think there is an issue using the delete tag in a device template if needed.