Port Policy Compliance on HP switches.
04-21-2020 04:54 AM
I want to check port settings on HP switches. The problem is that not all port parameters are under the "interface" setting like on Cisco.
So I want to check the settings when it is an access port without a description (name).
The access port statement is in the config as:
spanning-tree 1 admin-edge-port
The description is in the config as:
interface 22
dhcp-snooping max-bindings 10
name "description"
qos trust dscp
rate-limit bcast in percent 2
Since I found you can't use as variable in a ConfigBlockCheck, I made two arrays: one with ports in access mode and one with a name.
Then I do a ForEach on the first array, where I first check if the value is in the second array and then do the check on the port parameters.
There seems to be a fault in the checking of the _loop_value against the array. The lines are:
<ForEach>
<Expr variable="access-ports"/>
<Do>
<If>
<Expr expression="1 and 2">
<Exp label='1' op='in'>
<Expr variable='_loop_value'/>
<Expr variable='no-name'/>
</Expr>
<Expr label="2" op="and">
<ConfigFileCheck op="does-not-contain-any">
<Expr op="concat">
<Expr value="^interf
I get an error on the </Expr> line. Is my <Exp label='1' op='in'> syntax wrong?
esRe: Port Policy Compliance on HP switches.
04-23-2020 07:59 AM
Can you please post the entire rule and the error message?
Re: esRe: Port Policy Compliance on HP switches.
04-24-2020 01:14 AM
This is the error message:
Line 18:
Missing end tag for 'Exp' (got "Expr")
And the policy rule:
<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
<Expr op='array' output='access-ports'/>
<Expr op='array' output='missing_configuration'/>
<ConfigBlockCheck block-end='$' block-start='^spanning-tree (\d{1,2}) admin-edge-port' boundary-method='regexp'>
<Expr op='push'>
<Expr variable='access-ports'/>
<Expr variable='_start_match_1'/>
</Expr>
</ConfigBlockCheck>
<ForEach>
<Expr variable='access-ports'/>
<Do>
<If>
<Expr expression='1 and 2'>
<Exp label='1' op='in'>
<Expr variable='_loop_value'/>
<Expr variable='no-name'/>
</Expr>
<Expr label='2' op='and'>
<ConfigFileCheck op='does-not-contain-any'>
<Expr op='concat'>
<Expr value='^interface '/>
<Expr variable='_loop_value'/>
<Expr value='\\s+dhcp-snooping max-bindings 10\\s+name.*'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^spanning-tree '/>
<Expr variable='_loop_value'/>
<Expr value=' bpdu-protection'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^aaa port-access mac-based '/>
<Expr variable='_loop_value'/>
<Expr value=' addr-limit 8'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^aaa port-access mac-based '/>
<Expr variable='_loop_value'/>
<Expr value=' addr-moves'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^aaa port-access mac-based '/>
<Expr variable='_loop_value'/>
<Expr value=' logoff-period 86400'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^aaa port-access mac-based '/>
<Expr variable='_loop_value'/>
<Expr value=' quiet-period 30'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^aaa port-access mac-based '/>
<Expr variable='_loop_value'/>
<Expr value=' reauth-period 7200'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^aaa port-access authenticator '/>
<Expr variable='_loop_value'/>
<Expr value=' client-limit 8'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^aaa port-access authenticator '/>
<Expr variable='_loop_value'/>
<Expr value=' logoff-period 86400'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^aaa port-access authenticator '/>
<Expr variable='_loop_value'/>
<Expr value=' quiet-period 30'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^aaa port-access authenticator '/>
<Expr variable='_loop_value'/>
<Expr value=' reauth-period 7200'/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op='contains-all'>
<Expr op='concat'>
<Expr value='^aaa port-access '/>
<Expr variable='_loop_value'/>
<Expr value=' controlled-direction in'/>
</Expr>
</ConfigFileCheck>
</Expr>
<Then>
</Then>
<Else>
<Expr op='push'>
<Expr variable='missing_configuration'/>
<Expr variable='_loop_value'/>
</Expr>
</Else>
</If>
</Do>
</ForEach>
<If>
<Expr op='size'>
<Expr variable='missing_configuration'/>
</Expr>
<Then>
<PolicyRuleFail>
<Expr op='concat'>
<Expr> Missende configuratie op poort(en) : </Expr>
<Expr op='join'>
<Expr variable='missing_configuration'/>
<Expr value=','/>
</Expr>
</Expr>
</PolicyRuleFail>
</Then>
<Else>
<PolicyRulePass>
</PolicyRulePass>
</Else>
</If>
</PolicyRuleLogic>
Re: esRe: Port Policy Compliance on HP switches.
04-24-2020 01:26 AM
Oops, when posting this I discovered my typo:
<Exp label='1' op='in'>
This should be <Expr label='1' op='in'>
So the statement 'in' seems to be in order.
After fixing this I got other error messages:
Line 105:
element Then: Schemas validity error : Element '{http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Then': This element is not expected. Expected is one of ( {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ConfigBlockCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ConfigFileCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}CPDCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Expr, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ListSearch ).
Line 13:
element If: Schemas validity error : Element '{http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}If': Missing child element(s). Expected is ( {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Then ).
Line 0:
Expression refers to invalid subexpression '1'
Re: esRe: Port Policy Compliance on HP switches.
04-24-2020 01:54 AM
And forget the policy rule I sent before; this was a corrupted version. It should be like below. I seem to have my If statements mixed up.
<PolicyRuleLogic xmlns="http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml" editor="raw-xml">
<Expr op="array" output="access-ports"/>
<Expr op="array" output="no-name"/>
<Expr op="array" output="missing_configuration"/>
<ConfigBlockCheck block-end="$" block-start="^spanning-tree (\d{1,2}) admin-edge-port" boundary-method="regexp">
<Expr op="push">
<Expr variable="access-ports"/>
<Expr variable="_start_match_1"/>
</Expr>
</ConfigBlockCheck>
<ConfigBlockCheck block-start="^interface (.*)$" boundary-method="indent">
<If>
<Expr op="matches">
<Expr variable="_block"/>
<Expr value="^\sname.*"/>
</Expr>
<Then>
</Then>
<Else>
<Expr op="push">
<Expr variable="no-name"/>
<Expr variable="_start_match_1"/>
</Expr>
</Else>
</If>
</ConfigBlockCheck>
<ForEach>
<Expr variable="access-ports"/>
<Do>
<If>
<Expr expression="1 and 2">
<Expr label="1" op="in">
<Expr variable="_loop_value"/>
<Expr variable="no-name"/>
</Expr>
<Expr label="2" op="and">
<ConfigFileCheck op="does-not-contain-any">
<Expr op="concat">
<Expr value="^interface "/>
<Expr variable="_loop_value"/>
<Expr value="\\s+dhcp-snooping max-bindings 10\\s+name.*"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^spanning-tree "/>
<Expr variable="_loop_value"/>
<Expr value=" bpdu-protection"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" addr-limit 8"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" addr-moves"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" logoff-period 86400"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" quiet-period 30"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" reauth-period 7200"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" client-limit 8"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" logoff-period 86400"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" quiet-period 30"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" reauth-period 7200"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access "/>
<Expr variable="_loop_value"/>
<Expr value=" controlled-direction in"/>
</Expr>
</ConfigFileCheck>
</Expr>
<Then>
</Then>
<Else>
<Expr op="push">
<Expr variable="missing_configuration"/>
<Expr variable="_loop_value"/>
</Expr>
</Else>
</Expr>
</If>
</Do>
</ForEach>
<If>
<Expr op="size">
<Expr variable="missing_configuration"/>
</Expr>
<Then>
<PolicyRuleFail>
<Expr op="concat">
<Expr> Missende configuratie op poort(en) : </Expr>
<Expr op="join">
<Expr variable="missing_configuration"/>
<Expr value=","/>
</Expr>
</Expr>
</PolicyRuleFail>
</Then>
<Else>
<PolicyRulePass>
</PolicyRulePass>
</Else>
</If>
</PolicyRuleLogic>
Re: esRe: Port Policy Compliance on HP switches.
05-13-2020 02:10 PM
I wrote the same in Raw-xml viewer and fixed a couple of mixed statements. This works now:
<PolicyRuleLogic xmlns="http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml" editor="raw-xml">
<Expr op="array" output="access-ports"/>
<Expr op="array" output="no-name"/>
<Expr op="array" output="missing_configuration"/>
<ConfigBlockCheck block-end="$" block-start="^spanning-tree (\d{1,2}) admin-edge-port" boundary-method="regexp">
<Expr op="push">
<Expr variable="access-ports"/>
<Expr variable="_start_match_1"/>
</Expr>
</ConfigBlockCheck>
<ConfigBlockCheck block-start="^interface (.*)$" boundary-method="indent">
<If>
<Expr op="matches">
<Expr variable="_block"/>
<Expr value="^\sname.*"/>
</Expr>
<Then>
</Then>
<Else>
<Expr op="push">
<Expr variable="no-name"/>
<Expr variable="_start_match_1"/>
</Expr>
</Else>
</If>
</ConfigBlockCheck>
<ForEach>
<Expr variable="access-ports"/>
<Do>
<If>
<Expr expression="1 and 2">
<Expr label="1" op="in">
<Expr variable="_loop_value"/>
<Expr variable="no-name"/>
</Expr>
<Expr label="2" op="and">
<ConfigFileCheck op="does-not-contain-any">
<Expr op="concat">
<Expr value="^interface "/>
<Expr variable="_loop_value"/>
<Expr value="\\s+dhcp-snooping max-bindings 10\\s+name.*"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^spanning-tree "/>
<Expr variable="_loop_value"/>
<Expr value=" bpdu-protection"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" addr-limit 8"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" addr-moves"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" logoff-period 86400"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" quiet-period 30"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" reauth-period 7200"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" client-limit 8"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" logoff-period 86400"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" quiet-period 30"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" reauth-period 7200"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access "/>
<Expr variable="_loop_value"/>
<Expr value=" controlled-direction in"/>
</Expr>
</ConfigFileCheck>
</Expr>
</Expr>
<Then>
</Then>
<Else>
<Expr op="push">
<Expr variable="missing_configuration"/>
<Expr variable="_loop_value"/>
</Expr>
</Else>
</If>
</Do>
</ForEach>
<If>
<Expr op="size">
<Expr variable="missing_configuration"/>
</Expr>
<Then>
<PolicyRuleFail>
<Expr op="concat">
<Expr value="missing configuration:"/>
<Expr op="join">
<Expr variable="missing_configuration"/>
<Expr value=","/>
</Expr>
</Expr>
</PolicyRuleFail>
</Then>
<Else>
<PolicyRulePass>
</PolicyRulePass>
</Else>
</If>
</PolicyRuleLogic>
Re: Port Policy Compliance on HP switches.
05-29-2020 04:51 AM
I have solved this issue myself by building an OR function before the parameter tests which checks if there is a name (description) configured.
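The check this thread is after (an access port without a name must carry every listed per-port setting), as an added Python example for testing a saved config offline before loading a rule; it is not the poster's NetMRI rule and not Infoblox code. The function names and the sample config are constructed for illustration, and named ports are assumed exempt, as the first and last posts describe.

```python
import re

# Per-port lines the thread's rule requires; {p} is the port number.
REQUIRED = [
    "spanning-tree {p} bpdu-protection",
    "aaa port-access mac-based {p} addr-limit 8",
    "aaa port-access mac-based {p} addr-moves",
    "aaa port-access mac-based {p} logoff-period 86400",
    "aaa port-access mac-based {p} quiet-period 30",
    "aaa port-access mac-based {p} reauth-period 7200",
    "aaa port-access authenticator {p} client-limit 8",
    "aaa port-access authenticator {p} logoff-period 86400",
    "aaa port-access authenticator {p} quiet-period 30",
    "aaa port-access authenticator {p} reauth-period 7200",
    "aaa port-access {p} controlled-direction in",
]

def named_ports(config):
    """Ports whose indented 'interface N' block contains a name line."""
    named, current = set(), None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)\s*$", line)
        if m:
            current = m.group(1)
        elif not line.startswith((" ", "\t")):
            current = None  # any unindented line ends the interface block
        elif current and re.match(r"\s+name\b", line):
            named.add(current)
    return named

def missing_configuration(config):
    """Map each unnamed access port to the required lines it lacks (exact line match)."""
    present = {l.strip() for l in config.splitlines()}
    access = re.findall(r"^spanning-tree (\d{1,2}) admin-edge-port\s*$", config, re.M)
    named = named_ports(config)
    report = {}
    for port in access:
        wanted = [r.format(p=port) for r in REQUIRED]
        absent = [w for w in wanted if w not in present]
        if port not in named and absent:
            report[port] = absent
    return report

# Constructed sample: port 1 unnamed and complete, port 2 unnamed and bare, port 22 named.
SAMPLE = "\n".join(
    ["interface 22", "   dhcp-snooping max-bindings 10", '   name "description"', "   exit"]
    + ["spanning-tree %s admin-edge-port" % p for p in ("1", "2", "22")]
    + [r.format(p="1") for r in REQUIRED] + ["spanning-tree 2 bpdu-protection"]
)
```

Unlike the rule's regular-expression checks, this compares whole lines, so a value such as `addr-limit 80` does not satisfy `addr-limit 8`.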