Are you interested in our Early Access Program (EAP)? This program allows you to preview code, test in your lab and provide feedback prior to General Availability (GA) release of all Infoblox products. If so, please click the link here.

Network Change & Configuration Management

Reply

Port Policy Compliance on HP switches.

Techie
Posts: 6
3212     0

I want to check port setting on HP switches. The problem is that not all port parameters are under "interface" setting like on Cisco.

So i want to check the setting when it an access port without a description (name)

 

The acces port statement is in the config as:

spanning-tree 1 admin-edge-port

 

The description is in the config as:

interface 22
   dhcp-snooping max-bindings 10
   name "description"
   qos trust dscp
   rate-limit bcast in percent 2

 

Since I found you can't use as variable in a ConfigBlockCheck, I made two arrays; one with ports in acces mode and one with a name.

Then I do a Foreach one the first array where I first chek if the value is in the second array and the do the check on the port parameters.

 

There seemes to be a fault in the checking of the _loopvalue agains the array, the lines are:

 

<ForEach>
    <Expr variable="access-ports"/>
    <Do>
      <If>
        <Expr expression="1 and 2">
         <Exp label='1' op='in'>
          <Expr variable='_loop_value'/>
          <Expr variable='no-name'/>
         </Expr>
          <Expr label="2" op="and">
            <ConfigFileCheck op="does-not-contain-any">
              <Expr op="concat">
                <Expr value="^interf

 

I get an error on the</Expr> line, is my <Exp label='1' op='in'> syntax wrong ?

esRe: Port Policy Compliance on HP switches.

Techie
Posts: 3
3212     0

Can you please post the entire rule and the error message?

Re: esRe: Port Policy Compliance on HP switches.

Techie
Posts: 6
3212     0

This is the error message:

Line 18:
Missing end tag for 'Exp' (got "Expr")

 

And the policy rule:

 

<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <Expr op='array' output='access-ports'/>
  <Expr op='array' output='missing_configuration'/>
  <ConfigBlockCheck block-end='$' block-start='^spanning-tree (\d{1,2}) admin-edge-port' boundary-method='regexp'>
    <Expr op='push'>
      <Expr variable='access-ports'/>
      <Expr variable='_start_match_1'/>
    </Expr>
  </ConfigBlockCheck>
  <ForEach>
    <Expr variable='access-ports'/>
    <Do>
      <If>
        <Expr expression='1 and 2'>
         <Exp label='1' op='in'>
          <Expr variable='_loop_value'/>
          <Expr variable='no-name'/>
         </Expr>

[ Hover for Error Info ]
        <Expr label='2' op='and'>
          <ConfigFileCheck op='does-not-contain-any'>
            <Expr op='concat'>
              <Expr value='^interface '/>
              <Expr variable='_loop_value'/>
              <Expr value='\\s+dhcp-snooping max-bindings 10\\s+name.*'/>
            </Expr>          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^spanning-tree '/>
              <Expr variable='_loop_value'/>
              <Expr value=' bpdu-protection'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' addr-limit 8'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' addr-moves'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' logoff-period 86400'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' quiet-period 30'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' reauth-period 7200'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' client-limit 8'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' logoff-period 86400'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' quiet-period 30'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' reauth-period 7200'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access '/>
              <Expr variable='_loop_value'/>
              <Expr value=' controlled-direction in'/>
            </Expr>
          </ConfigFileCheck>
        </Expr>
        <Then>
       </Then>
        <Else>
          <Expr op='push'>
            <Expr variable='missing_configuration'/>
            <Expr variable='_loop_value'/>
          </Expr>
        </Else>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op='size'>
      <Expr variable='missing_configuration'/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op='concat'>
          <Expr> Missende configuratie op poort(en) : </Expr>
          <Expr op='join'>
            <Expr variable='missing_configuration'/>
            <Expr value=','/>
          </Expr>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
      </PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>

Re: esRe: Port Policy Compliance on HP switches.

Techie
Posts: 6
3212     0

Oops, when posting this I discover my typo:

<Exp label='1' op='in'>

This should be <Expr> label='1' op='in'>

 

So the statement 'in' seems to be in order.

 

After fixing this I got other error messages:

 

Line 105:
element Then: Schemas validity error : Element '{http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Then': This element is not expected. Expected is one of ( {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ConfigBlockCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ConfigFileCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}CPDCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Expr, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ListSearch ).

Line 13:
element If: Schemas validity error : Element '{http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}If': Missing child element(s). Expected is ( {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Then ).

Line 0:
Expression refers to invalid subexpression '1'

 

Re: esRe: Port Policy Compliance on HP switches.

Techie
Posts: 6
3212     0

And forget the policy rule i send before, this was a corrupted version. it should be like below. I seem te have my if statements mixed up.

 

<PolicyRuleLogic xmlns="http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml" editor="raw-xml">
  <Expr op="array" output="access-ports"/>
  <Expr op="array" output="no-name"/>
  <Expr op="array" output="missing_configuration"/>
  <ConfigBlockCheck block-end="$" block-start="^spanning-tree (\d{1,2}) admin-edge-port" boundary-method="regexp">
    <Expr op="push">
      <Expr variable="access-ports"/>
      <Expr variable="_start_match_1"/>
    </Expr>
  </ConfigBlockCheck>
  <ConfigBlockCheck block-start="^interface (.*)$" boundary-method="indent">
    <If>
      <Expr op="matches">
        <Expr variable="_block"/>
        <Expr value="^\sname.*"/>
      </Expr>
      <Then>
    </Then>
      <Else>
        <Expr op="push">
          <Expr variable="no-name"/>
          <Expr variable="_start_match_1"/>
        </Expr>
      </Else>
    </If>
  </ConfigBlockCheck>
  <ForEach>
    <Expr variable="access-ports"/>
    <Do>
      <If>
        <Expr expression="1 and 2">
          <Expr label="1" op="in">
            <Expr variable="_loop_value"/>
            <Expr variable="no-name"/>
          </Expr>
          <Expr label="2" op="and">
            <ConfigFileCheck op="does-not-contain-any">
              <Expr op="concat">
                <Expr value="^interface "/>
                <Expr variable="_loop_value"/>
                <Expr value="\\s+dhcp-snooping max-bindings 10\\s+name.*"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^spanning-tree "/>
                <Expr variable="_loop_value"/>
                <Expr value=" bpdu-protection"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-moves"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" client-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access "/>
                <Expr variable="_loop_value"/>
                <Expr value=" controlled-direction in"/>
              </Expr>
            </ConfigFileCheck>
          </Expr>
          <Then>
       </Then>
          <Else>
            <Expr op="push">
              <Expr variable="missing_configuration"/>
              <Expr variable="_loop_value"/>
            </Expr>
          </Else>
        </Expr>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op="size">
      <Expr variable="missing_configuration"/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op="concat">
          <Expr> Missende configuratie op poort(en) : </Expr>
          <Expr op="join">
            <Expr variable="missing_configuration"/>
            <Expr value=","/>
          </Expr>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
      </PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>

Re: esRe: Port Policy Compliance on HP switches.

Techie
Posts: 3
3212     0

I wrote the same in Raw-xml viewer and fixed a couple of mixed statements. This works now:

 

<PolicyRuleLogic xmlns="http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml" editor="raw-xml">
<Expr op="array" output="access-ports"/>
<Expr op="array" output="no-name"/>
<Expr op="array" output="missing_configuration"/>
<ConfigBlockCheck block-end="$" block-start="^spanning-tree (\d{1,2}) admin-edge-port" boundary-method="regexp">
<Expr op="push">
<Expr variable="access-ports"/>
<Expr variable="_start_match_1"/>
</Expr>
</ConfigBlockCheck>
<ConfigBlockCheck block-start="^interface (.*)$" boundary-method="indent">
<If>
<Expr op="matches">
<Expr variable="_block"/>
<Expr value="^\sname.*"/>
</Expr>
<Then>
</Then>
<Else>
<Expr op="push">
<Expr variable="no-name"/>
<Expr variable="_start_match_1"/>
</Expr>
</Else>
</If>
</ConfigBlockCheck>
<ForEach>
<Expr variable="access-ports"/>
<Do>
<If>
<Expr expression="1 and 2">
<Expr label="1" op="in">
<Expr variable="_loop_value"/>
<Expr variable="no-name"/>
</Expr>
<Expr label="2" op="and">
<ConfigFileCheck op="does-not-contain-any">
<Expr op="concat">
<Expr value="^interface "/>
<Expr variable="_loop_value"/>
<Expr value="\\s+dhcp-snooping max-bindings 10\\s+name.*"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^spanning-tree "/>
<Expr variable="_loop_value"/>
<Expr value=" bpdu-protection"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" addr-limit 8"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" addr-moves"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" logoff-period 86400"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" quiet-period 30"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access mac-based "/>
<Expr variable="_loop_value"/>
<Expr value=" reauth-period 7200"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" client-limit 8"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" logoff-period 86400"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" quiet-period 30"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access authenticator "/>
<Expr variable="_loop_value"/>
<Expr value=" reauth-period 7200"/>
</Expr>
</ConfigFileCheck>
<ConfigFileCheck op="contains-all">
<Expr op="concat">
<Expr value="^aaa port-access "/>
<Expr variable="_loop_value"/>
<Expr value=" controlled-direction in"/>
</Expr>
</ConfigFileCheck>
</Expr>
</Expr>
<Then>
</Then>
<Else>
<Expr op="push">
<Expr variable="missing_configuration"/>
<Expr variable="_loop_value"/>
</Expr>
</Else>
</If>
</Do>
</ForEach>
<If>
<Expr op="size">
<Expr variable="missing_configuration"/>
</Expr>
<Then>
<PolicyRuleFail>
<Expr op="concat">
<Expr value="missing configuration:"/>
<Expr op="join">
<Expr variable="missing_configuration"/>
<Expr value=","/>
</Expr>
</Expr>
</PolicyRuleFail>
</Then>
<Else>
<PolicyRulePass>
</PolicyRulePass>
</Else>
</If>
</PolicyRuleLogic>

Re: Port Policy Compliance on HP switches.

Techie
Posts: 6
3212     0

I have solved this issue myself by building on OR function before the parameter tests which check if thereis a name (description) configured.

Showing results for 
Search instead for 
Did you mean: 

Recommended for You