Network Automation Practitioners Forum

How can I make a policy that will check for a combo of items that do and don't exist?

lacrosse1991
Trusted Contributor.

Hello,

I'm trying to make a config block policy that searches through cisco interface configurations. My config start and end blocks are:

start: ^interface .*
end: !

I'm trying to match on interface config blocks that meet all of the following conditions:

Contains A
Contains B
Does not contain C
Does not contain D

I tried setting this up using 4 different conditions in a rule, but I'm not getting the results that I expected. Instead of reporting config blocks that match all four of those conditions, HPNA is reporting interface configs as long as each condition is matched at least once in any of the config blocks for a device. So for example, interface 1 could meet condition A, interface 2 could meet condition B, interface 3 could match condition C, and interface 4 could match condition D. Even though none of the interfaces meet all 4 conditions, HPNA will still mark the interfaces as having failed the policy check. What I'm really trying to do is make HPNA report on interfaces that meet all 4 conditions, so a single configuration block would have to meet A, B, C, and D.

Is it possible to perform this kind of check using HPNA's policy system, or will I just have to script together a solution instead?

Thank you

5 REPLIES
Huy_V
Super Contributor.

Re: How can I make a policy that will check for a combo of items that do and don't exist?

It would be helpful and easier to analyze, if you can list:

- what's in A, B, C, and D,

- your portion of the config.

- Are they all ANDs or some ANDs and ORs?

- Also, what version of HPNA?

Thanks,

lacrosse1991
Trusted Contributor.

Re: How can I make a policy that will check for a combo of items that do and don't exist?

Hi Huy,

- Also, what version of HPNA?
10.11.02 on our production systems, and 10.30.01 on the lab systems (testing on both)

- what's in A, B, C, and D

A: Does not contain shutdown
B: Does not contain authentication port-control auto
C: Contains switchport mode access
D: Contains switchport access vlan

- Are they all ANDs or some ANDs and ORs?
The conditions are all ANDs

- your portion of the config.
The config that I'll be running the policy against will just be cisco switch interface configuration blocks, an example would be:
interface gigabitethernet0/0
    description test interface
    switchport mode access
    .....
!

The interface configurations can contain other lines as well, the one common thing all of them will have will be the starting pattern (interface <insert interface name>) and the ending pattern (!). This will be run against cisco interface configurations (up to a couple hundred per switch) on a large number of switches.

lacrosse1991
Trusted Contributor.

Re: How can I make a policy that will check for a combo of items that do and don't exist?

I've added the NA versions to my original reply

Huy_V
Super Contributor.

Re: How can I make a policy that will check for a combo of items that do and don't exist?

It works fine on my 10.30 NA.

Please see test result.

My policy:

Define Text Block:

Block Start Pattern: Interface .*

Block End Pattern: !

Condition A: Config Block must not contain shutdown

Condition B: Config Block must not contain authentication port-control auto

Condition C: Config Block must contain switchport mode access

Condition D: Config Block must contain switchport access vlan

Boolean Expression: A and B and C and D

Not sure if you know that you don't have to test on a real device. From Policies --> Test Policy Compliance:

Select "Selected policies" that you use for this test

Check on "Test policy against text", then paste your block of config there. Just edit the text block for next tests.

Select Device Family (Cisco IOS), then click on "Perform Test"

Please see my test result.

Hope this helps, 

Huy


lacrosse1991
Trusted Contributor.

Re: How can I make a policy that will check for a combo of items that do and don't exist?

Hello,

Would there be a way to change that so that the in compliance interfaces would be marked as out of compliance instead? Ideally, I'd be able to retrieve a list of interfaces that meet all 4 conditions.

At the moment, I have a workaround set up where I'll run a diagnostic against the devices that strips out everything but the lines I'm looking for:

show run | i ^interface|!|shutdown|switchport mode access|switchport access vlan|authentication port-control auto

and then I run the attached policy check against the diagnostic, after which I'll go through HPNA's events and pick out all interfaces that failed the policy check. The original setup I asked about on this post would be much more versatile, but the setup I'm using now is getting the job done at least.
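As an added illustration of the per-block evaluation Huy_V's policy performs (A and B and C and D inside one "interface ... !" text block) and of the inverted list the last reply wants (interfaces that meet all four), here is a small script. It is not HPNA code and not from either poster; the running-config below is constructed, and it assumes lowercase "interface" as in the poster's sample.

```python
import re

# Constructed sample running-config (not from the thread); four interface blocks.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 shutdown
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
!
interface GigabitEthernet0/4
 switchport mode trunk
!
"""

# Block boundaries follow the thread: start "^interface .*", end "!".
# Assumption: lowercase "interface", as in the poster's own sample config.
BLOCK_RE = re.compile(r"^interface (\S+)\n(.*?)^!", re.MULTILINE | re.DOTALL)

def interface_blocks(config):
    """Map interface name -> list of stripped, non-empty lines inside its block."""
    return {m.group(1): [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
            for m in BLOCK_RE.finditer(config)}

def meets_all_conditions(lines):
    """A and B and C and D evaluated inside ONE block, not across the whole device."""
    has = lambda prefix: any(ln.startswith(prefix) for ln in lines)
    return (not has("shutdown")                               # A: must not contain
            and not has("authentication port-control auto")  # B: must not contain
            and has("switchport mode access")                 # C: must contain
            and has("switchport access vlan"))                # D: must contain

def classify(config):
    """Return (meets_all, fails_some): the first list is what the last reply wants to
    extract, the second is what the policy flags as out of compliance."""
    blocks = interface_blocks(config)
    meets_all = sorted(n for n, ls in blocks.items() if meets_all_conditions(ls))
    fails_some = sorted(n for n in blocks if n not in meets_all)
    return meets_all, fails_some
```

Calling classify(SAMPLE_CONFIG) yields GigabitEthernet0/1 as the only interface meeting all four conditions; the other three each fail exactly one of them, which is the per-block behaviour the original device-wide setup did not give.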