IOS XR 5.3+: How to check configuration changes before commit/commit replace

mstoica · ‎09-23-2016

In order to check the configurations before a commit or a commit replace, one can see what is being added, removed or replaced in the configuration.

The commands to do the checks are:

show commit changes diff
show configuration
show configuration changes diff

Below you will find the explanation for each of them and when to use them.

show commit changes diff

It will show what is being added to or removed from the config if the commit is done.

The added parts will have a "+" and the removed parts will have a "-".

RP/0/RSP0/CPU0:ASR9001-1(config)#sh commit changes diff
Fri Sep 23 08:03:07.485 UTC
Building configuration...
!! IOS XR Configuration 5.3.3
-  interface Loopback1000
-   description test
-   ipv4 address 10.10.0.1 255.255.255.255
   !
+  multicast-routing
+   address-family ipv4
+    interface Loopback0
+     enable
     !
    !
   !
+  multicast-routing
   !
end

show configuration

It will show what is being added to or removed from the config if the commit is done.

The added or removed parts are shown as text.

RP/0/RSP0/CPU0:ASR9001-1(config)#sh configuration
Fri Sep 23 08:31:17.333 UTC
Building configuration...
!! IOS XR Configuration 5.3.3
no interface Loopback1000
multicast-routing
 address-family ipv4
  interface Loopback0
   enable
  !
 !
!
multicast-routing
!
end

show configuration changes diff

It will show what is being added to or removed from the config if the commit replace is done.

The added parts will have a "+" and the removed parts will have a "-", while the changed configuration lines will have a "#".

RP/0/RSP0/CPU0:ASR9001-1(config)#sh configuration changes diff
Fri Sep 23 08:57:41.575 UTC
Building configuration...
!! IOS XR Configuration 5.3.3
#  hostname ASR9001-1
#  hostname new-hostname
-  cdp
-  vrf mgmt
-   address-family ipv4 unicast
<omitted>
+  multicast-routing
+   address-family ipv4
+    interface Loopback0
+     enable
+    !
+   !
+  !
+  multicast-routing
+  !
-  lldp
-  netconf-yang agent
-   ssh
-  !
-  ssh server v2
-  ssh server vrf mgmt

Note that all the 3 commands can be run only from global configuration mode and not from any sub-config mode. For this the "root" command can be used.

RP/0/RSP0/CPU0:ASR9001-1(config-if)#root ?
  <cr>  Exit to the global configuration mode

jaime botello · ‎06-25-2019

I personally don't like how Cisco report changes to the config data stores.

Why having the #, and not just + and -? in this case

!! IOS XR Configuration 5.3.3
-  hostname ASR9001-1
+  hostname new-hostname

also, why full config replace seems that it re-apply access-list and route policies? when building automation around these, it makes confusing.

For example, if I copy the running configuration to a backup.cfg file

RP/0/RP0/CPU0:edge01.lab01#
RP/0/RP0/CPU0:edge01.lab01#copy running-config backup.cfg
Tue Jun 25 20:08:16.710 UTC
Destination file name (control-c to abort): [/backup.cfg]?
The destination file already exists. Do you want to overwrite? [no]: yes
Building configuration.
327 lines built in 1 second
[OK]
RP/0/RP0/CPU0:edge01.lab01#conf
Tue Jun 25 20:08:22.379 UTC
loRP/0/RP0/CPU0:edge01.lab01(config)#load backup.cfg
Loading.
7816 bytes parsed in 1 sec (7777)bytes/sec
RP/0/RP0/CPU0:edge01.lab01(config)#
RP/0/RP0/CPU0:edge01.lab01(config)#show configuration changes diff 
Tue Jun 25 20:08:42.215 UTC
Building configuration...
!! IOS XR Configuration version = 6.5.2
#  ipv4 access-list INBOUND_INTERNET_V4
#   10 remark $Id:$
#   20 remark Denies all traffic to internal IPs except established tcp replies.
#   30 remark Also denies access to certain public allocations.
#   40 remark Ideal for some internal lab/testing types of subnets that are
#   50 remark not well trusted, but allowing internal users to access.
#   60 remark Apply to ingress interface (to filter traffic coming from lab)
#   70 remark accept-dhcp
#   80 remark Optional - allow forwarding of DHCP requests.
#   90 permit udp any any eq bootps
#   100 permit udp any any eq bootpc
#   110 remark accept-to-honestdns
#   120 remark Allow name resolution using honestdns.
#   130 permit udp any host 8.8.4.4 eq domain
#   140 permit udp any host 8.8.8.8 eq domain
#   150 remark accept-tcp-replies
#   160 remark Allow tcp replies to internal hosts.
#   170 permit tcp any 10.0.0.0 0.255.255.255 established
#   180 permit tcp any 172.16.0.0 0.15.255.255 established
#   190 permit tcp any 192.168.0.0 0.0.255.255 established
#   200 remark deny-to-internal
#   210 remark Deny access to rfc1918/internal.
#   220 deny ipv4 any 10.0.0.0 0.255.255.255
#   230 deny ipv4 any 172.16.0.0 0.15.255.255
#   240 deny ipv4 any 192.168.0.0 0.0.255.255
#   250 remark deny-to-specific_hosts
#   260 remark Deny access to specified public.
#   270 deny ipv4 any host 200.1.1.1
#   280 deny ipv4 any host 200.1.1.2
#   290 deny ipv4 any 200.1.1.4 0.0.0.1
#   300 remark permit-offices
#   310 remark Allow Remote Offices
#   320 permit ipv4 any 200.1.0.0 0.0.31.255
#   330 permit ipv4 any 200.2.1.0 0.0.0.255
#   340 permit ipv4 any 200.5.1.0 0.0.0.255
#   350 permit ipv4 any 201.1.1.0 0.0.0.255
#   360 remark permit-login-queue
#   370 remark Allow Login Queue Servers
#   380 permit tcp any 10.20.30.0 0.0.0.7 eq www
#   390 permit tcp any 10.20.30.0 0.0.0.7 eq 443
#   400 remark permit-chat-queue
#   410 remark Allow Chat Servers
#   420 permit tcp any 10.20.50.0 0.0.1.255 eq 4000
#   430 remark permit-apps-servers
#   440 remark Allow Apps Servers
#   450 permit udp any 100.10.10.0 0.0.0.255 range 5100 5400
#   460 permit udp any 10.20.30.0 0.0.1.255 range 5100 5400
#   470 remark default-deny
#   480 remark Deny what's left.
#   490 deny ipv4 any any
#  !
+  interface MgmtEth0/RP0/CPU0/0
+  !
+  interface GigabitEthernet0/0/0/0
+  !
+  interface GigabitEthernet0/0/0/1
+  !
+  interface GigabitEthernet0/0/0/2
+  !
+  interface GigabitEthernet0/0/0/3
+  !
#  !
#  route-policy export_ibgp
#    pass
#  end-policy
#  route-policy export_ibgp
#    pass
#  end-policy
#  route-policy import_ibgp
#    pass
#  end-policy
#  route-policy import_ibgp
#    pass
#  end-policy
#  route-policy EXPORT_RR_V4
#    pass
#  end-policy
#  route-policy EXPORT_RR_V4
#    pass
#  end-policy
#  route-policy IMPORT_RR_V4
#    pass
#  end-policy
#  route-policy IMPORT_RR_V4
#    pass
#  end-policy
#  route-policy TEMP_DENY_ALL
#    drop
#  end-policy
#  route-policy TEMP_DENY_ALL
#    drop
#  end-policy
#  route-policy export_transit_a
#    pass
#  end-policy
#  route-policy export_transit_a
#    pass
#  end-policy
#  route-policy import_transit_a
#    pass
#  end-policy
#  route-policy import_transit_a
#    pass
#  end-policy
#  route-policy EXPORT_TRANSIT_V4
#    pass
#  end-policy
#  route-policy EXPORT_TRANSIT_V4
#    pass
#  end-policy
#  route-policy IMPORT_TRANSIT_V4
#    pass
#  end-policy
#  route-policy IMPORT_TRANSIT_V4
#    pass 
#  end-policy
#  route-policy export_public_peering_ix_a
#    pass
#  end-policy
#  route-policy export_public_peering_ix_a
#    pass
#  end-policy
#  route-policy export_public_peering_ix_b
#    pass
#  end-policy
#  route-policy export_public_peering_ix_b
#    pass
#  end-policy
#  route-policy import_public_peering_ix_a
#    pass
#  end-policy
#  route-policy import_public_peering_ix_a
#    pass
#  end-policy
#  route-policy import_public_peering_ix_b
#    pass
#  end-policy
#  route-policy import_public_peering_ix_b
#    pass
#  end-policy
end

In my opinion, this should return an empty string

In the case we run a show commit change diff, I personally not sure what the output means in this case.

RP/0/RP0/CPU0:edge01.lab01(config)# show commit changes diff 
Tue Jun 25 20:11:49.850 UTC
Building configuration...
!! IOS XR Configuration version = 6.5.2
   ipv4 access-list INBOUND_INTERNET_V4
<-  10 remark $Id:$
<-  20 remark Denies all traffic to internal IPs except established tcp replies.
<-  30 remark Also denies access to certain public allocations.
<-  40 remark Ideal for some internal lab/testing types of subnets that are
<-  50 remark not well trusted, but allowing internal users to access.
<-  60 remark Apply to ingress interface (to filter traffic coming from lab)
<-  70 remark accept-dhcp
<-  80 remark Optional - allow forwarding of DHCP requests.
<-  90 permit udp any any eq bootps
<-  100 permit udp any any eq bootpc
<-  110 remark accept-to-honestdns
<-  120 remark Allow name resolution using honestdns.
<-  130 permit udp any host 8.8.4.4 eq domain
<-  140 permit udp any host 8.8.8.8 eq domain
<-  150 remark accept-tcp-replies
<-  160 remark Allow tcp replies to internal hosts.
<-  170 permit tcp any 10.0.0.0 0.255.255.255 established
<-  180 permit tcp any 172.16.0.0 0.15.255.255 established
<-  190 permit tcp any 192.168.0.0 0.0.255.255 established
<-  200 remark deny-to-internal
<-  210 remark Deny access to rfc1918/internal.
<-  220 deny ipv4 any 10.0.0.0 0.255.255.255
<-  230 deny ipv4 any 172.16.0.0 0.15.255.255
<-  240 deny ipv4 any 192.168.0.0 0.0.255.255
<-  250 remark deny-to-specific_hosts
<-  260 remark Deny access to specified public.
<-  270 deny ipv4 any host 200.1.1.1
<-  280 deny ipv4 any host 200.1.1.2
<-  290 deny ipv4 any 200.1.1.4 0.0.0.1
<-  300 remark permit-offices
<-  310 remark Allow Remote Offices
<-  320 permit ipv4 any 200.1.0.0 0.0.31.255
<-  330 permit ipv4 any 200.2.1.0 0.0.0.255
<-  340 permit ipv4 any 200.5.1.0 0.0.0.255
<-  350 permit ipv4 any 201.1.1.0 0.0.0.255
<-  360 remark permit-login-queue
<-  370 remark Allow Login Queue Servers
<-  380 permit tcp any 10.20.30.0 0.0.0.7 eq www 
<-  390 permit tcp any 10.20.30.0 0.0.0.7 eq 443
<-  400 remark permit-chat-queue
<-  410 remark Allow Chat Servers
<-  420 permit tcp any 10.20.50.0 0.0.1.255 eq 4000 
<-  430 remark permit-apps-servers 
<-  440 remark Allow Apps Servers 
<-  450 permit udp any 100.10.10.0 0.0.0.255 range 5100 5400 
<-  460 permit udp any 10.20.30.0 0.0.1.255 range 5100 5400
<-  470 remark default-deny
<-  480 remark Deny what's left.
<-  490 deny ipv4 any any
   !
end