
NetMRI policy rule for Capturing a Configured VLAN and corresponding IP address

ferewoni
Techie
Posts: 2

Hello,

 

We have a few load balancers we are creating rules/policies for in raw XML to audit devices in our network. One of the rules is for the NetScaler load balancer. The rule is that a management VLAN must be configured on the device (out of a list), and then a corresponding IP address in that management VLAN must exist. This is how these two configurations may look:

 

add vlan # -aliasName MGMTName

 

set ns config -IPAddress 10.18.24.1 -netmask 255.255.255.0

 

There will be many different VLANs configured on the device and I want to check the running configuration that one of those VLANs configured matches my list of correct management VLANs. And then after that is successful I want to check through the running configuration again that the command "set ns config -IPAddress .." specifies an IP address from within one of the few management VLAN networks (out of a list). Here's what I have so far; any help will be much appreciated.

<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <Expr op='array' output='good-ifcs'/>
  <Expr op='array' output='bad-ifcs'/>
  <ConfigBlockCheck block-start='add vlan' boundary-method='indent'>
    <If>
      <Expr expression='1'>
        <Expr label='1' op='matches'>
          <Expr variable='_block'/>
          <Expr value='^add vlan (288|299|301) .*'/>
        </Expr>
      </Expr>
      <Then>
        <If>
          <ConfigFileCheck op='contains-some'>set ns config -IPAddress 10.(67|77|87)\.(12|34|55|133)\.*</ConfigFileCheck>
          <Then>
            <Expr op='push'>
              <Expr variable='good-ifcs'/>
              <Expr variable='_start_match_1'/>
            </Expr>
          </Then>
          <Else>
            <Expr op='push'>
              <Expr variable='bad-ifcs'/>
              <!-- Say which line number it is on -->
              <Expr op='concat'>
                <Expr variable='_start_match_1'/>
                <Expr value=' (line '/>
                <Expr variable='_block_lineno'/>
                <Expr value=')'/>
              </Expr>
            </Expr>
          </Else>
        </If>
      </Then>
    </If>
  </ConfigBlockCheck>
  <If>
    <!-- 0 is false, more than 0 is true -->
    <Expr op='size'>
      <Expr variable='bad-ifcs'/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op='concat'>
          <Expr value='The following Do not have a valid IP Address or Mgmt network: '/>
          <Expr op='join'>
            <Expr variable='bad-ifcs'/>
            <Expr value=', '/>
          </Expr>
          <Expr value='.'/>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
        <Expr op='concat'>
          <Expr value='The following Do have a valid IP Address or Mgmt network: '/>
          <Expr op='join'>
            <Expr variable='good-ifcs'/>
            <Expr value=', '/>
          </Expr>
          <Expr value='.'/>
        </Expr>
      </PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>

 

Re: NetMRI policy rule for Capturing a Configured VLAN and corresponding IP address

Adviser
Posts: 357
This looks like a good start. Is there some specific question or problem you are having?

Re: NetMRI policy rule for Capturing a Configured VLAN and corresponding IP address

ferewoni
Techie
Posts: 2

My issue is that this rule is passing for all the devices, even the ones that should fail. I want it to find one management VLAN (e.g. vlan 234 or 111) from the config file "add vlan # -aliasName MGMTName". And when it finds that VLAN, for it to check that the management IP configured on the device is within a correct management network. For example, in the config file there should only be one "set ns config -IPAddress 10.18.24.1 -netmask 255.255.255.0", and it should match one of the specified networks (e.g. 10.2.34.0 or 10.11.34.0).

Re: NetMRI policy rule for Capturing a Configured VLAN and corresponding IP address

Adviser
Posts: 357

Ok, a couple things:

 

1) Use the "Debug" option in the rule test to see the details of the evaluation of each element. If something is evaluating in a way you don't expect, this will help you catch it.

 

2) If a specific VLAN goes with a specific subnet, then you'll want to construct the contents of your ConfigFileCheck based upon the specific captured text in the ConfigBlockCheck. There is an example of doing that here:

 

https://github.com/infobloxopen/netmri-toolkit/blob/master/policy/verify-users.xml

 

John
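
Added example, not part of the original thread and not NetMRI rule code: an offline Python reference for the audit described above, useful for establishing which configurations should pass or fail before debugging the rule itself. The VLAN-to-subnet pairing, the sample configurations and the function name audit are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: each management VLAN is paired with one subnet (constructed values).
MGMT_VLANS = {
    288: ipaddress.ip_network("10.67.12.0/24"),
    299: ipaddress.ip_network("10.77.34.0/24"),
    301: ipaddress.ip_network("10.87.55.0/24"),
}
VLAN_RE = re.compile(r"^add vlan (\d+)\b", re.M)
NSIP_RE = re.compile(r"^set ns config -IPAddress (\S+) -netmask (\S+)", re.M)


def audit(config):
    """Return (passed, reason) for one NetScaler running configuration."""
    mgmt = [int(v) for v in VLAN_RE.findall(config) if int(v) in MGMT_VLANS]
    if not mgmt:
        return False, "no management VLAN configured"
    nsips = NSIP_RE.findall(config)
    if len(nsips) != 1:
        return False, f"expected one 'set ns config -IPAddress' line, found {len(nsips)}"
    addr, mask = nsips[0]
    try:
        # Parse address and netmask together so the subnet is computed, not pattern-matched.
        iface = ipaddress.ip_interface(f"{addr}/{mask}")
    except ValueError:
        return False, f"unparseable address {addr} / {mask}"
    for vlan in mgmt:
        if iface.network == MGMT_VLANS[vlan]:
            return True, f"vlan {vlan}, {iface.ip} in {iface.network}"
    return False, f"{iface.ip} is outside the subnet paired with vlan {mgmt}"


# Constructed sample configurations.
GOOD = """add vlan 10 -aliasName USERS
add vlan 288 -aliasName MGMTName
set ns config -IPAddress 10.67.12.5 -netmask 255.255.255.0
"""
WRONG_SUBNET = GOOD.replace("10.67.12.5", "10.18.24.1")
WRONG_PAIR = GOOD.replace("vlan 288", "vlan 299")  # valid VLAN, another VLAN's subnet
NO_MGMT_VLAN = GOOD.replace("vlan 288", "vlan 20")

if __name__ == "__main__":
    for name in ("GOOD", "WRONG_SUBNET", "WRONG_PAIR", "NO_MGMT_VLAN"):
        print(name, audit(globals()[name]))
```
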

 
