No, you can't use a variable in the attribute. I don't think it would be necessary in this case though. Instead, I am thinking you should next the ConfigBlockChecks. I'm not clear on what you're trying to do exactly. Can you provide a little more detail?

Sorry, that should be "nest the ConfigBlockChecks".

I'm trying to check the interface configurations on Cisco 2960s switches.

Items we know-

On all switches, ports 1 and 2 are trunks.

On 24 port switches, ports 25-26 are trunks and 3-24 are access ports

On 48 port switches, ports 49-50 are trunks and 3-48 are access ports.

We don't know if a switch is a 24 port or 48 port just by name or address, so the policy needs to figure it out and process them accordingly.

Ok, so, the issue is that you want to know whether it's a 24 or 48 so you know what config to check on ports 25-26?

So, instead of stuffing away each port number in an array, you should be able to do something like this:

<ConfigFileCheck op="contains-some" output="is48ports">interface GigabitEthernet././47</ConfigFileCheck>​

Then, later you can use the variable "is48ports" inside the ConfigBlockCheck in an <If>, something like:

<ConfigBlockCheck block-end='^!$' block-start='^interface GigabitEthernet1/0/([0-9]+)' boundary-method='regexp' end-on-block-start='true'>
    <If>
        <Expr op="matches">
            <Expr variable="_start_match_1"/>
            <Expr value="(25|26)"/>
        </Expr>
        <Then>
            <If>
                <Expr variable="is48ports"/>
                <Then>
                    <ConfigFileCheck op="contains-all">switchport access vlan</ConfigFileCheck>
                </Then>
                <Else>
                    <ConfigFileCheck op="contains-all">switchport mode trunk</ConfigFileCheck>
                </Else>
            </If>
        </Then>
        <ElseIf>
        ...
        </ElseIf>
        <Else>
        </Else>
    </If>
</ConfigBlockCheck>

Note that <ConfigFileCheck> in the context of a <ConfigBlockCheck> will look at the *block* not the whole file.

Thanks John.

That got me pretty far, but my variable isn't populating according the the debug output.

It wou;dnt let me assign output in the ConfigFileCheck so it had to be moved out.

Script below-

<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <If>
    <ConfigFileCheck op='contains-some'>interface GigabitEthernet././47</ConfigFileCheck>
    <Then>
      <Expr output='is48port' value='1'/>
    </Then>
  </If>
  <Expr op='array' output='intPass'/>
  <Expr op='array' output='intFail'/>
  <ConfigBlockCheck block-end='^!$' block-start='^interface GigabitEthernet1/0/(\d+)$' boundary-method='regexp' end-on-block-start='true'>
    <If>
      <Expr op='matches'>
        <Expr variable='_start_match_1'/>
        <Expr value='(^1$|^2$|^49$|^50$)'/>
      </Expr>
      <Then>
        <If>
          <ConfigFileCheck op='contains-all'>switchport mode trunk</ConfigFileCheck>
          <Then>
            <Expr op='push'>
              <Expr variable='intPass'/>
              <Expr variable='_start_match_1'/>
            </Expr>
          </Then>
          <Else>
            <Expr op='push'>
              <Expr variable='intFail'/>
              <Expr variable='_start_match_1'/>
            </Expr>
          </Else>
        </If>
      </Then>
      <ElseIf>
        <Expr op='and'>
          <Expr op='matches'>
            <Expr variable='_start_match_1'/>
            <Expr value='(^25$|^26$)'/>
          </Expr>
          <Expr op='defined'>
            <Expr variable='is48port'/>
          </Expr>
        </Expr>
        <Then>
          <If>
            <ConfigFileCheck op='contains-all'>switchport mode access</ConfigFileCheck>
            <Then>
              <Expr op='push'>
                <Expr variable='intPass'/>
                <Expr variable='_start_match_1'/>
              </Expr>
            </Then>
            <Else>
              <Expr op='push'>
                <Expr variable='intFail'/>
                <Expr variable='_start_match_1'/>
              </Expr>
            </Else>
          </If>
        </Then>
      </ElseIf>
      <ElseIf>
        <Expr op='matches'>
          <Expr variable='_start_match_1'/>
          <Expr value='(^25$|^26$)'/>
        </Expr>
        <Then>
          <If>
            <ConfigFileCheck op='contains-all'>switchport mode trunk</ConfigFileCheck>
            <Then>
              <Expr op='push'>
                <Expr variable='intPass'/>
                <Expr variable='_start_match_1'/>
              </Expr>
            </Then>
            <Else>
              <Expr op='push'>
                <Expr variable='intFail'/>
                <Expr variable='_start_match_1'/>
              </Expr>
            </Else>
          </If>
        </Then>
      </ElseIf>
      <ElseIf>
        <ConfigFileCheck op='contains-all'>switchport mode access</ConfigFileCheck>
        <Then>
          <Expr op='push'>
            <Expr variable='intPass'/>
            <Expr variable='_start_match_1'/>
          </Expr>
        </Then>
      </ElseIf>
      <Else>
        <Expr op='push'>
          <Expr variable='intFail'/>
          <Expr variable='_start_match_1'/>
        </Expr>
      </Else>
    </If>
  </ConfigBlockCheck>
</PolicyRuleLogic>

Here is the debug output for a my variable 'is48port' and ports 25/26.  (changed the code sligthly to use 'assign' to see if it made a difference- it didn't)

<If>
    <ConfigFileCheck op='contains-some'>
    </ConfigFileCheck> result value <true>
    <Then>
      <Assign variable='is48port'>
        <Expr value='1'>
        </Expr> result value <1>
      </Assign> result value <1>
    </Then> result value <1>
  </If> result value <1>

....skipped....

    <If>
      <Expr op='matches'>
        <Expr variable='_start_match_1'>
        </Expr> result value <25>
        <Expr value='(^1$|^2$|^49$|^50$)'>
        </Expr> result value <(^1$|^2$|^49$|^50$)>
      </Expr> result value <false>
      <ElseIf>
        <Expr op='and'>
          <Expr op='matches'>
            <Expr variable='_start_match_1'>
            </Expr> result value <25>
            <Expr value='(^25$|^26$)'>
            </Expr> result value <(^25$|^26$)>
          </Expr> result value <true>
          <Expr op='defined'>
            <Expr variable='is48port'>
            </Expr> result value <>
          </Expr> result value <>
        </Expr> result value <false>
      </ElseIf> result value <false>
      <ElseIf>
        <Expr op='matches'>
          <Expr variable='_start_match_1'>
          </Expr> result value <25>
          <Expr value='(^25$|^26$)'>
          </Expr> result value <(^25$|^26$)>
        </Expr> result value <true>
        <Then>
          <If>
            <ConfigFileCheck op='contains-all'>
            </ConfigFileCheck> result value <false>
            <Else>
              <Expr op='push'>
                <Expr variable='intFail'>
                </Expr> result value <[]>
                <Expr variable='_start_match_1'>
                </Expr> result value <25>
              </Expr> result value <["25"]>
            </Else> result value <["25"]>
          </If> result value <["25"]>
        </Then> result value <["25"]>
      </ElseIf> result value <["25"]>
    </If> result value <["25"]>
    <If>
      <Expr op='matches'>
        <Expr variable='_start_match_1'>
        </Expr> result value <26>
        <Expr value='(^1$|^2$|^49$|^50$)'>
        </Expr> result value <(^1$|^2$|^49$|^50$)>
      </Expr> result value <false>
      <ElseIf>
        <Expr op='and'>
          <Expr op='matches'>
            <Expr variable='_start_match_1'>
            </Expr> result value <26>
            <Expr value='(^25$|^26$)'>
            </Expr> result value <(^25$|^26$)>
          </Expr> result value <true>
          <Expr op='defined'>
            <Expr variable='is48port'>
            </Expr> result value <>
          </Expr> result value <>
        </Expr> result value <false>
      </ElseIf> result value <false>
      <ElseIf>
        <Expr op='matches'>
          <Expr variable='_start_match_1'>
          </Expr> result value <26>
          <Expr value='(^25$|^26$)'>
          </Expr> result value <(^25$|^26$)>
        </Expr> result value <true>
        <Then>
          <If>
            <ConfigFileCheck op='contains-all'>
            </ConfigFileCheck> result value <false>
            <Else>
              <Expr op='push'>
                <Expr variable='intFail'>
                </Expr> result value <["25"]>
                <Expr variable='_start_match_1'>
                </Expr> result value <26>
              </Expr> result value <["25", "26"]>
            </Else> result value <["25", "26"]>
          </If> result value <["25", "26"]>
        </Then> result value <["25", "26"]>
      </ElseIf> result value <["25", "26"]>
    </If> result value <["25", "26"]>

I thought output was available on all the objects, I am surprised that didn't work. I'll have to look into it.

The issue is probably scoping, though by default I believe the Assign was supposed to create a variable in the global scope. Try adding:

scope="root"

as an attribute of the <Assign> and see if that fixes it.

Ok, the variable is now seen, but its still resulting in a <false>

        <Expr op='and'>
          <Expr op='matches'>
            <Expr variable='_start_match_1'>
            </Expr> result value <26>
            <Expr value='(^25$|^26$)'>
            </Expr> result value <(^25$|^26$)>
          </Expr> result value <true>
          <Expr op='defined'>
            <Expr variable='is48port'>
            </Expr> result value <1>
          </Expr> result value <false>
        </Expr> result value <false>
      </ElseIf> result value <false>

Ok. Not sure why, "1" should be seen as true. Can you not use 'defined' and instead just do <Expr variable='is48port'/>    ?

You can also try to force it to boolean <Expr type="boolean" variable="is48port"/>

Changing the code from <Expr op='defined'> to just <Expr variable='is48port'/>  in addition to the scope change looks to have fixed it, based on limited tests just now.  I'll let you know if anything unexpected occurs.

Thanks John!

For the most part, the policy is working but i'm getting a strange result from 24 port switches.  All tests are passing, but it is passing with the message 'Running config file does not contain any of the specified lines'

Full policy below:

<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <If>
    <ConfigFileCheck op='contains-some'>interface GigabitEthernet././47</ConfigFileCheck>
    <Then>
      <Assign scope='root' variable='is48port'>
        <Expr value='1'/>
      </Assign>
    </Then>
  </If>
  <Expr op='array' output='intPass'/>
  <Expr op='array' output='intFail'/>
  <ConfigBlockCheck block-end='^!$' block-start='^interface GigabitEthernet1/0/(\d+)$' boundary-method='regexp' end-on-block-start='true'>
    <If>
      <Expr expression='(1 and 2) or 3'>
        <Expr label='1' op='&lt;'>
          <Expr variable='_start_match_1'/>
          <Expr value='51'/>
        </Expr>
        <Expr label='2' variable='is48port'/>
        <Expr label='3' op='&lt;'>
          <Expr variable='_start_match_1'/>
          <Expr value='27'/>
        </Expr>
      </Expr>
      <Then>
        <If>
          <Expr op='matches'>
            <Expr variable='_start_match_1'/>
            <Expr value='(^1$|^2$|^49$|^50$)'/>
          </Expr>
          <Then>
            <If>
              <ConfigFileCheck op='contains-all'>switchport mode trunk</ConfigFileCheck>
              <Then>
                <Expr op='push'>
                  <Expr variable='intPass'/>
                  <Expr variable='_start_match_1'/>
                </Expr>
              </Then>
              <Else>
                <Expr op='push'>
                  <Expr variable='intFail'/>
                  <Expr variable='_start_match_1'/>
                </Expr>
              </Else>
            </If>
          </Then>
          <ElseIf>
            <Expr op='and'>
              <Expr op='matches'>
                <Expr variable='_start_match_1'/>
                <Expr value='(^25$|^26$)'/>
              </Expr>
              <Expr variable='is48port'/>
            </Expr>
            <Then>
              <If>
                <ConfigFileCheck op='contains-all'>switchport mode access</ConfigFileCheck>
                <Then>
                  <Expr op='push'>
                    <Expr variable='intPass'/>
                    <Expr variable='_start_match_1'/>
                  </Expr>
                </Then>
                <Else>
                  <Expr op='push'>
                    <Expr variable='intFail'/>
                    <Expr variable='_start_match_1'/>
                  </Expr>
                </Else>
              </If>
            </Then>
          </ElseIf>
          <ElseIf>
            <Expr op='matches'>
              <Expr variable='_start_match_1'/>
              <Expr value='(^25$|^26$)'/>
            </Expr>
            <Then>
              <If>
                <ConfigFileCheck op='contains-all'>switchport mode trunk</ConfigFileCheck>
                <Then>
                  <Expr op='push'>
                    <Expr variable='intPass'/>
                    <Expr variable='_start_match_1'/>
                  </Expr>
                </Then>
                <Else>
                  <Expr op='push'>
                    <Expr variable='intFail'/>
                    <Expr variable='_start_match_1'/>
                  </Expr>
                </Else>
              </If>
            </Then>
          </ElseIf>
          <ElseIf>
            <ConfigFileCheck op='contains-all'>switchport mode access</ConfigFileCheck>
            <Then>
              <Expr op='push'>
                <Expr variable='intPass'/>
                <Expr variable='_start_match_1'/>
              </Expr>
            </Then>
          </ElseIf>
          <Else>
            <Expr op='push'>
              <Expr variable='intFail'/>
              <Expr variable='_start_match_1'/>
            </Expr>
          </Else>
        </If>
      </Then>
    </If>
  </ConfigBlockCheck>
  <If>
    <Expr op='&gt;'>
      <Expr op='size'>
        <Expr variable='intFail'/>
      </Expr>
      <Expr value='0'/>
    </Expr>
    <Then>
      <Return>
        <PolicyRuleFail/>
      </Return>
    </Then>
    <Else>
      <Return>
        <PolicyRulePass/>
      </Return>
    </Else>
  </If>
</PolicyRuleLogic>

Each ConfigFileCheck will set the policy result message. Since your <PolicyRulePass/> and <PolicyRuleFail/> do not explicitly contain a message, the message used is the one from the last run ConfigFileCheck. You can fix this by just adding a message. For example:

<PolicyRulePass>The switch has proper trunk and access port configurations.</PolicyRulePass>

and

<PolicyRuleFail><Expr op="concat"><Expr>These ports are incorrectly configured: </Expr><Expr op="join"><Expr variable="intFail"/><Expr value=","/></Expr><Expr value="."/></Expr></PolicyRuleFail>

Hi, i just read your (old) reply that you can't use a variablein a ConfigBlockCheck.

I suppose that also means i can't use a _loop_value from an array :

<ConfigBlockCheck block-start='^interface _loop_value' boundary-method='indent'>

Problem is that I only wan't yo check the access ports on a HP switch, the access port parameter is not whitin the port settings, but in global config : spanning-tree 1 admin-edge-port.

What I did was fill an array containing access ports and check every value in a ConfigBlockCheck.

That seames to be not feasable.

Can you hint me to another solution ?

Please start a new thread with what you are trying to accomplish

Not jus via XML but the end goal of your rule checking 

How do i start a new thread here ?