11-30-2021 07:48 AM - edited 12-01-2021 05:25 AM
I ran into an issue using NSO to update ACLs.
I can change any line that is referenced in the template; however, if there are additional lines in that ACL on the device, they won't be removed.
Here is the template:
devices template SERVER_ACCESS
 ned-id cisco-iosxr-cli-7.33
  config
   ! Tags: replace
   ipv4 access-list named-acl ALLOW_HOSTS
    rule 10
     line "remark permit specific servers"
    !
    rule 20
     line "permit ipv4 host {$SERVER_1} any"
    !
    rule 30
     line "permit ipv4 host {$SERVER_2} any"
    !
   !
That works fine for changing sequence numbers 10, 20 and 30; however, if the device config has additional lines configured in that ACL, they won't be removed as I would expect.
Thanks
12-01-2021 06:41 AM - edited 12-01-2021 06:43 AM
I have found something that seems to achieve my goal but I have questions.
If I create an xml template using foreach like this:
<config xmlns="http://tail-f.com/ns/config/1.0">
  <devices xmlns="http://tail-f.com/ns/ncs">
    <template>
      <name>SERVER_ACCESS</name>
      <ned-id>
        <id xmlns:cisco-iosxr-cli-7.33="http://tail-f.com/ns/ned-id/cisco-iosxr-cli-7.33">cisco-iosxr-cli-7.33:cisco-iosxr-cli-7.33</id>
        <config>
          <ipv4 xmlns="http://tail-f.com/ned/cisco-ios-xr">
            <access-list>
              <named-acl tags="replace">
                <name>ALLOW_HOSTS</name>
                <rule>
                  <id>10</id>
                  <line>remark permit specific servers</line>
                </rule>
                <rule>
                  <id>20</id>
                  <line>permit ipv4 host 1.1.1.1 any</line>
                </rule>
                <rule>
                  <id>30</id>
                  <line>permit ipv4 host 2.2.2.2 any</line>
                </rule>
                <?foreach {rule}?>
                <rule tags="delete">
                  <id>{id}</id>
                </rule>
                <?end?>
              </named-acl>
            </access-list>
          </ipv4>
        </config>
      </ned-id>
    </template>
  </devices>
</config>
From the NSO CLI, I then imported that template and it looks like the template does what I need:
eng_acct@ncs(config)# load merge test.xml
Loading.
1.83 KiB parsed in 0.05 sec (36.17 KiB/sec)
eng_acct@ncs(config)# commit
Commit complete.
eng_acct@ncs(config)# devices device CE1 apply-template template-name SERVER_ACCESS
apply-template-result {
    device CE1
    result ok
}
eng_acct@ncs(config)# show configuration
devices device CE1
 config
  ipv4 access-list ALLOW_HOSTS
   no 40 permit ipv4 host 3.3.3.3 any
   no 50 permit ipv4 host 4.4.4.4 any
   exit
  !
 !
Here is my main concern. Looking at the template from the CLI, I don't see the foreach. I don't understand how that is supposed to be readable:
eng_acct@ncs# show running-config devices template SERVER_ACCESS
devices template SERVER_ACCESS
 ned-id cisco-iosxr-cli-7.33
  config
   ! Tags: replace
   ipv4 access-list named-acl ALLOW_HOSTS
    rule 10
     line "remark NTP master servers"
    !
    rule 20
     line "permit ipv4 host 1.1.1.1 any"
    !
    rule 30
     line "permit ipv4 host 2.2.2.2 any"
    !
    ! Tags: delete
    rule {id}
    !
   !
  !
 !
!
Looks like the foreach section got boiled down to the delete tag and rule {id}?
12-06-2021 07:22 AM
Any reason why you are using a device template and not writing your own service? Some of these tags are only meant to be used in service templates.
12-06-2021 08:01 AM
Hi, thanks for your response.
I had considered whether a service might be called for and it seems like creating a service would add a lot of additional steps.
When I was testing with the delete tag and for loops, it seemed like it was probably more intended for a service.
The replace tag is commonly used in config templates but I was surprised to see a config template wasn't working correctly for an ACL.
So is there no way to manage an ACL with a config template?
Thanks again
12-08-2021 12:47 PM
Found the issue; it was unrelated to the template. It was a typo in the device group, and the original template works as expected.
For future reference, I wouldn't use a for loop in a device template, as I don't think it's supported, but I don't think there is an issue using the delete tag in a device template if needed.
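To make the replace semantics the thread relies on concrete, here is an added Python example that is not from the original posts or from NSO itself. It models the three template tags (merge, replace, delete) on a named ACL, substitutes the {$SERVER_1}/{$SERVER_2} variables from the SERVER_ACCESS template, and renders the resulting change in the "no <seq> ..." form the poster saw in show configuration. The DEVICE_ACL contents, the variable values and the helper names are constructed for illustration; NSO's real engine works on the full YANG data tree, which this simulation reduces to a dict keyed by sequence number.

```python
import re

# Constructed sample state: the ACL as it exists on device CE1 before the
# template is applied. Sequence numbers 40 and 50 are the stale entries the
# poster expected the replace tag to remove.
DEVICE_ACL = {
    10: "remark permit specific servers",
    20: "permit ipv4 host 1.1.1.1 any",
    30: "permit ipv4 host 2.2.2.2 any",
    40: "permit ipv4 host 3.3.3.3 any",
    50: "permit ipv4 host 4.4.4.4 any",
}

# The rule list from the thread's SERVER_ACCESS template, placeholders intact.
TEMPLATE_ACL = {
    10: "remark permit specific servers",
    20: "permit ipv4 host {$SERVER_1} any",
    30: "permit ipv4 host {$SERVER_2} any",
}

_PLACEHOLDER = re.compile(r"\{\$(\w+)\}")


def substitute(rules, variables):
    """Fill {$NAME} placeholders. An unset variable raises instead of rendering
    an empty string, so a half-filled rule never reaches the device."""
    def fill(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"template variable {name} is not set")
        return variables[name]
    return {seq: _PLACEHOLDER.sub(fill, line) for seq, line in rules.items()}


def apply_tag(device_rules, template_rules, tag):
    """Hypothetical, simplified model of the three tags on the named-acl entry:
      merge   - create or update the listed rules, leave the rest alone
      replace - the entry's rule list becomes exactly the template's rules
      delete  - remove the listed sequence numbers
    """
    if tag == "merge":
        merged = dict(device_rules)
        merged.update(template_rules)
        return merged
    if tag == "replace":
        return dict(template_rules)
    if tag == "delete":
        return {seq: line for seq, line in device_rules.items()
                if seq not in template_rules}
    raise ValueError(f"unknown tag {tag!r}")


def render_change(acl_name, before, after):
    """Render the delta as the IOS XR lines NSO shows in 'show configuration'."""
    lines = [f"ipv4 access-list {acl_name}"]
    for seq in sorted(set(before) | set(after)):
        if seq not in after:
            lines.append(f" no {seq} {before[seq]}")
        elif before.get(seq) != after[seq]:
            lines.append(f" {seq} {after[seq]}")
    lines.append(" exit")
    return lines


if __name__ == "__main__":
    intended = substitute(TEMPLATE_ACL, {"SERVER_1": "1.1.1.1", "SERVER_2": "2.2.2.2"})
    for tag in ("merge", "replace"):
        result = apply_tag(DEVICE_ACL, intended, tag)
        print(f"--- tags={tag} ---")
        print("\n".join(render_change("ALLOW_HOSTS", DEVICE_ACL, result)))
```

Running it shows why the default merge leaves rules 40 and 50 in place while replace produces the two "no" lines: merge only touches the sequence numbers the template names, whereas replace treats the named-acl entry as the unit and drops everything it does not list. The strict placeholder check is worth keeping in any real wrapper too: a blank variable in an ACL rule fails the commit rather than producing a malformed or broader-than-intended permit.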