Quick Network Automation post on Cisco NSO Compliance Reporting.

What is compliance reporting?

Network configuration compliance matters to every organisation, whether for external or internal audits or simply to keep the configuration to an internal standard. It is not easy, however, to keep the configuration uniformly compliant when you have thousands of devices scattered globally and serving different business domains.

Compliance reporting is a form of audit in which we check whether every device in the network is running the required standard configuration. Suppose you are a NOC manager going through an audit, and the auditor asks for a report from every device in the network showing whether an SNMP community string is configured and that it is something other than the default "public". Or the auditor may ask whether every router has aaa new-model enabled. Any NOC manager knows the pain of verifying this: it is humanly impossible for you or your team to log in to thousands of devices and check each one. That is where people turn to automation, and Cisco NSO helps a great deal here with its built-in compliance reporting. Let's see how it is done.

How to do compliance reporting with Cisco NSO?

Here I am going to show the CLI method for a quick report. I will run a compliance report against two of my devices to check whether Loopback 0 is configured as the logging source interface.

Step-1 : Make a device-group.

By creating a group of all the devices that need to be checked, we get a single object against which to run the report. Below, two devices are grouped into one object, XR-Routers.

nso@ncs# show running-config devices device-group XR-Routers
!
devices device-group XR-Routers
device-name [ NCS1 NCS2 ]
!

Step-2 : Create a config template.

A config template is the set of configuration that the compliance report checks for on each device. Note that a device template is tied to a NED ID, so it only applies to devices using that NED (here the IOS XR CLI NED).

nso@ncs# show running-config devices template XR-logging-config
!
devices template XR-logging-config
ned-id cisco-iosxr-cli-7.33
config
logging source-interface Loopback 0
!

Step-3 : Create and run the compliance report.

This is a two-step process. First we create the report, filling in parameters such as which template to compare against and which device-group to check. Then we run the report.

nso@ncs# show running-config compliance reports
!
compliance reports report logging-report
compare-template XR-logging-config XR-Routers
!

Running the report: 

nso@ncs(config)# compliance reports report logging-report run outformat html
id 10
compliance-status violations
info Checking 2 devices and no services
location https://localhost:8888/compliance-reports/report_10_nso_1_2022-12-21T16:3:6:0.html
nso@ncs(config)#

The run action prints a compliance-status line (violations here) together with the URL of the HTML report, which you can open in a browser. The report shows that NCS1 and NCS2 both have discrepancies and, at the bottom, lists the configuration that differs from the template.

One caveat: the comparison is made against the device configuration NSO holds in its CDB, so the report is only as accurate as NSO's copy. Make sure the devices are in sync with NSO (devices check-sync, and devices sync-from where needed) before trusting a clean result.
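As an added example (not code from the original post), here is the same run step driven from a script, so the report can gate a change pipeline instead of being read by hand. It assumes NSO's RESTCONF northbound interface is enabled on the same host and port as the report URL above, and that the report's run action is reachable at /restconf/data/tailf-ncs:compliance/reports/report=<name>/run with its output returned under "tailf-ncs:output" (the shape I expect from the tailf-ncs model; verify it against your own NSO before relying on it). The sample outputs are constructed from the two runs shown on this page. Two checks a practitioner wants are built in: anything other than an explicit no-violation fails closed, and the "Checking N devices" line is compared against the number of devices expected in the group, because a report over an empty or wrong device-group passes vacuously.

```python
"""Run a Cisco NSO compliance report and turn the result into a pass/fail gate.

Added example, not code from the original post. Assumed (hypothetical):
  - NSO RESTCONF is enabled at NSO_URL and the user may run the report.
  - The action path follows the tailf-ncs model and its output comes back
    as {"tailf-ncs:output": {...}}. Check both against your own NSO.
"""
import base64
import json
import re
import sys
import urllib.request

NSO_URL = "https://localhost:8888"   # assumed; same host:port as the report URL
REPORT_NAME = "logging-report"        # the report created on this page

# Constructed samples, copied from the two runs shown on the page.
SAMPLE_VIOLATIONS = """\
id 10
compliance-status violations
info Checking 2 devices and no services
location https://localhost:8888/compliance-reports/report_10_nso_1_2022-12-21T16:3:6:0.html
"""
SAMPLE_CLEAN = """\
id 11
compliance-status no-violation
info Checking 2 devices and no services
location https://localhost:8888/compliance-reports/report_11_nso_0_2022-12-21T17:25:23:0.html
"""
# Constructed RESTCONF-style body for the clean run (module prefix assumed).
SAMPLE_RESTCONF = json.dumps({"tailf-ncs:output": {
    "id": 11, "compliance-status": "no-violation",
    "info": "Checking 2 devices and no services",
    "location": "https://localhost:8888/compliance-reports/report_11_nso_0_2022-12-21T17:25:23:0.html",
}})

CLI_LINE = re.compile(r"^\s*(id|compliance-status|info|location)\s+(\S.*?)\s*$")
DEVICES_RE = re.compile(r"Checking (\d+) devices")


def build_run_request(base_url, report_name, username, password, outformat="html"):
    """Build the RESTCONF POST that invokes `compliance reports report <name> run`.

    RFC 8040 invokes a YANG action by POSTing {"input": {...}} to the action's
    data path; outformat mirrors the CLI's `run outformat html`.
    """
    url = f"{base_url}/restconf/data/tailf-ncs:compliance/reports/report={report_name}/run"
    body = json.dumps({"input": {"outformat": outformat}}).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Content-Type": "application/yang-data+json",
               "Accept": "application/yang-data+json",
               "Authorization": f"Basic {token}"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def parse_cli_output(text):
    """Parse the key/value lines the CLI prints after `run` into a dict of strings."""
    result = {}
    for line in text.splitlines():
        m = CLI_LINE.match(line)
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_restconf_output(payload):
    """Unwrap {"<module>:output": {...}} from a RESTCONF action response."""
    data = json.loads(payload) if isinstance(payload, (str, bytes)) else payload
    for key, value in data.items():
        if key.endswith(":output"):
            return {k: str(v) for k, v in value.items()}
    raise ValueError("no action output in RESTCONF response")


def device_count(result):
    """Devices the report covered, taken from the `info` line (None if absent)."""
    m = DEVICES_RE.search(result.get("info", ""))
    return int(m.group(1)) if m else None


def verdict(result, expected_devices=None):
    """Return (ok, message). Fails closed: only an explicit `no-violation` over the
    expected number of devices passes, so an empty device-group, a missing status
    or an unknown value is never mistaken for a compliant network."""
    rid = result.get("id", "?")
    status = result.get("compliance-status")
    where = result.get("location", "no report location")
    n = device_count(result)
    if expected_devices is not None and n != expected_devices:
        return False, f"report {rid}: checked {n} devices, expected {expected_devices}"
    if status == "no-violation":
        return True, f"report {rid}: compliant ({where})"
    return False, f"report {rid}: {status or 'unknown status'} ({where})"


def run_report(base_url, report_name, username, password):
    """Invoke the action over the network and return its parsed output."""
    req = build_run_request(base_url, report_name, username, password)
    with urllib.request.urlopen(req, timeout=120) as resp:
        return parse_restconf_output(resp.read())


if __name__ == "__main__":
    if len(sys.argv) == 3:                 # usage: script.py <user> <password>
        result = run_report(NSO_URL, REPORT_NAME, sys.argv[1], sys.argv[2])
    else:                                  # offline: use the constructed sample
        result = parse_cli_output(SAMPLE_VIOLATIONS)
    ok, msg = verdict(result, expected_devices=2)
    print(msg)
    sys.exit(0 if ok else 1)
```

Run without arguments and it evaluates the constructed sample (exit code 1, since that run had violations); with a username and password it invokes the real action and exits 0 only on a clean report over the expected two devices. The exit code is what a CI job or change-window script should key on, not the HTML.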

How to fix the discrepancy (non-compliance).

After identifying the discrepancy we need a quick way to resolve it, and here again NSO helps. We push the same template to the device-group where the discrepancy was found: apply-template stages the change in NSO's transaction, commit dry-run outformat native shows the exact commands NSO will send to each device so they can be reviewed first, and commit pushes them.

nso@ncs(config)# devices device-group XR-Routers apply-template template-name XR-logging-config
apply-template-result {
    device NCS1
    result ok
}
apply-template-result {
    device NCS2
    result ok
}

nso@ncs(config)# commit dry-run outformat native
native {
    device {
        name NCS1
        data logging source-interface Loopback0
    }
    device {
        name NCS2
        data logging source-interface Loopback0
    }
}

nso@ncs(config)# commit
Commit complete.

With the commands pushed to both devices, running the compliance report again should show no discrepancies:

nso@ncs(config)# compliance reports report logging-report run outformat html
id 11
compliance-status no-violation
info Checking 2 devices and no services
location https://localhost:8888/compliance-reports/report_11_nso_0_2022-12-21T17:25:23:0.html
nso@ncs(config)#

Conclusion:

NSO has simplified many automation challenges for the end user, and compliance reporting is one of them. Used this way, it gives you a repeatable check on your network configuration and a controlled, reviewable path to fix any drift it finds.
