Port Policy Compliance on HP switches.

FredKamsteeg · ‎04-21-2020

I want to check port setting on HP switches. The problem is that not all port parameters are under "interface" setting like on Cisco.

So i want to check the setting when it an access port without a description (name)

The acces port statement is in the config as:

spanning-tree 1 admin-edge-port

The description is in the config as:

interface 22
   dhcp-snooping max-bindings 10
   name "description"
   qos trust dscp
   rate-limit bcast in percent 2

Since I found you can't use as variable in a ConfigBlockCheck, I made two arrays; one with ports in acces mode and one with a name.

Then I do a Foreach one the first array where I first chek if the value is in the second array and the do the check on the port parameters.

There seemes to be a fault in the checking of the _loopvalue agains the array, the lines are:

<ForEach>
    <Expr variable="access-ports"/>
    <Do>
      <If>
       <Expr expression="1 and 2">
         <Exp label='1' op='in'>
          <Expr variable='_loop_value'/>
          <Expr variable='no-name'/>
         </Expr>
          <Expr label="2" op="and">
            <ConfigFileCheck op="does-not-contain-any">
              <Expr op="concat">
                <Expr value="^interf

I get an error on the</Expr> line, is my <Exp label='1' op='in'> syntax wrong ?

RNair · ‎04-23-2020

Can you please post the entire rule and the error message?

FredKamsteeg · ‎04-24-2020

This is the error message:

Line 18:
Missing end tag for 'Exp' (got "Expr")

And the policy rule:

[ Hover for Error Info ]
        <Expr label='2' op='and'>
          <ConfigFileCheck op='does-not-contain-any'>
            <Expr op='concat'>
              <Expr value='^interface '/>
              <Expr variable='_loop_value'/>
              <Expr value='\\s+dhcp-snooping max-bindings 10\\s+name.*'/>
            </Expr>          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^spanning-tree '/>
              <Expr variable='_loop_value'/>
              <Expr value=' bpdu-protection'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' addr-limit 8'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' addr-moves'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' logoff-period 86400'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' quiet-period 30'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access mac-based '/>
              <Expr variable='_loop_value'/>
              <Expr value=' reauth-period 7200'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' client-limit 8'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' logoff-period 86400'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' quiet-period 30'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access authenticator '/>
              <Expr variable='_loop_value'/>
              <Expr value=' reauth-period 7200'/>
            </Expr>
          </ConfigFileCheck>
          <ConfigFileCheck op='contains-all'>
            <Expr op='concat'>
              <Expr value='^aaa port-access '/>
              <Expr variable='_loop_value'/>
              <Expr value=' controlled-direction in'/>
            </Expr>
          </ConfigFileCheck>
        </Expr>
        <Then>
       </Then>
        <Else>
          <Expr op='push'>
            <Expr variable='missing_configuration'/>
            <Expr variable='_loop_value'/>
          </Expr>
        </Else>
      </If>
    </Do>
</ForEach>
<If>
    <Expr op='size'>
      <Expr variable='missing_configuration'/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op='concat'>
          <Expr> Missende configuratie op poort(en) : </Expr>
          <Expr op='join'>
            <Expr variable='missing_configuration'/>
            <Expr value=','/>
          </Expr>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
      </PolicyRulePass>
    </Else>
</If>
</PolicyRuleLogic>

FredKamsteeg · ‎04-24-2020

Oops, when posting this I discover my typo:

This should be <Expr> label='1' op='in'>

So the statement 'in' seems to be in order.

After fixing this I got other error messages:

Line 105:
element Then: Schemas validity error : Element '{http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Then': This element is not expected. Expected is one of ( {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ConfigBlockCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ConfigFileCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}CPDCheck, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Expr, {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}ListSearch ).

Line 13:
element If: Schemas validity error : Element '{http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}If': Missing child element(s). Expected is ( {http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml}Then ).

Line 0:
Expression refers to invalid subexpression '1'

FredKamsteeg · ‎04-24-2020

And forget the policy rule i send before, this was a corrupted version. it should be like below. I seem te have my if statements mixed up.

<PolicyRuleLogic xmlns="http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml" editor="raw-xml">
<Expr op="array" output="access-ports"/>
<Expr op="array" output="no-name"/>
<Expr op="array" output="missing_configuration"/>
<ConfigBlockCheck block-end="$" block-start="^spanning-tree (\d{1,2}) admin-edge-port" boundary-method="regexp">
    <Expr op="push">
      <Expr variable="access-ports"/>
      <Expr variable="_start_match_1"/>
    </Expr>
</ConfigBlockCheck>
<ConfigBlockCheck block-start="^interface (.*)$" boundary-method="indent">
    <If>
      <Expr op="matches">
        <Expr variable="_block"/>
        <Expr value="^\sname.*"/>
      </Expr>
      <Then>
    </Then>
      <Else>
        <Expr op="push">
          <Expr variable="no-name"/>
          <Expr variable="_start_match_1"/>
        </Expr>
      </Else>
    </If>
</ConfigBlockCheck>
<ForEach>
    <Expr variable="access-ports"/>
    <Do>
      <If>
        <Expr expression="1 and 2">
          <Expr label="1" op="in">
            <Expr variable="_loop_value"/>
            <Expr variable="no-name"/>
          </Expr>
          <Expr label="2" op="and">
            <ConfigFileCheck op="does-not-contain-any">
              <Expr op="concat">
                <Expr value="^interface "/>
                <Expr variable="_loop_value"/>
                <Expr value="\\s+dhcp-snooping max-bindings 10\\s+name.*"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^spanning-tree "/>
                <Expr variable="_loop_value"/>
                <Expr value=" bpdu-protection"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" addr-moves"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access mac-based "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" client-limit 8"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" logoff-period 86400"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" quiet-period 30"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access authenticator "/>
                <Expr variable="_loop_value"/>
                <Expr value=" reauth-period 7200"/>
              </Expr>
            </ConfigFileCheck>
            <ConfigFileCheck op="contains-all">
              <Expr op="concat">
                <Expr value="^aaa port-access "/>
                <Expr variable="_loop_value"/>
                <Expr value=" controlled-direction in"/>
              </Expr>
            </ConfigFileCheck>
          </Expr>
          <Then>
       </Then>
          <Else>
            <Expr op="push">
              <Expr variable="missing_configuration"/>
              <Expr variable="_loop_value"/>
            </Expr>
          </Else>
        </Expr>
      </If>
    </Do>
</ForEach>
<If>
    <Expr op="size">
      <Expr variable="missing_configuration"/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op="concat">
          <Expr> Missende configuratie op poort(en) : </Expr>
          <Expr op="join">
            <Expr variable="missing_configuration"/>
            <Expr value=","/>
          </Expr>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>
      </PolicyRulePass>
    </Else>
</If>
</PolicyRuleLogic>

RNair · ‎05-13-2020

I wrote the same in Raw-xml viewer and fixed a couple of mixed statements. This works now:

FredKamsteeg · ‎05-29-2020

I have solved this issue myself by building on OR function before the parameter tests which check if thereis a name (description) configured.

THE GAME HAS CHANGED

Network Change & Configuration Management

Port Policy Compliance on HP switches.

esRe: Port Policy Compliance on HP switches.

Re: esRe: Port Policy Compliance on HP switches.

Re: esRe: Port Policy Compliance on HP switches.

Re: esRe: Port Policy Compliance on HP switches.

Re: esRe: Port Policy Compliance on HP switches.

Re: Port Policy Compliance on HP switches.