Hi all, does anyone have a working ydk python script to remove an ACL entry in an existing ACL on IOS-XR 6.1.3. Have tried using CRUD DELETE and ydk.types DELETE, both to no avail. Using Cisco-IOS-XR-ipv4-acl-cfg.yang model.
you can use this sample app to delete ACL entries.
The above mentioned APP can be used as a sample app to delete the whole ACL, but not just an ACL entry in an ACL. Looking for a sample app to delete an ACL entry without having to delete the whole ACL.
Try something like this:
the ace we want to delete
d_ace = Cisco_IOS_XR_ipv4_acl_cfg.Ipv4AclAndPrefixList.Accesses.Access.AccessListEntries.AccessListEntry()
d_ace.sequence_number = 10
the ACL we want to delete an entry from
d_acl = Cisco_IOS_XR_ipv4_acl_cfg.Ipv4AclAndPrefixList.Accesses.Access()
d_acl.access_list_name = 'FOO'
add the ace to the acl
Below is the error message when trying the above code.
ydk.errors.YPYServiceProviderError: Server reported an error while committing change.
error-path: ns1:ipv4-acl-and-prefix-list/ns1:accesses/ns1:access[access-list-name = 'ACL1']/ns1:access-list-entries/ns1:access-list-entry[sequence-number = '20']
error-message: File exists: ACL is being used by the following clients,Detach the access list from all the clients and then remove ACL
error-message: process : pkg/bin/netio pid : 327775 node : node0_0_CPU0
The configuration on the IOS-XR device when the code is attempted is below
RP/0/0/CPU0:xrv1#sh run ipv4 access-list
Fri Jun 23 13:53:53.130 UTC
ipv4 access-list ACL1
10 remark x
20 permit tcp host 172.31.255.1 any match-any +ack +fin +psh +syn +urg
ipv4 access-list ACL2
10 remark acl2
RP/0/0/CPU0:xrv1#sh run int g0/0/0/0
Fri Jun 23 14:00:58.201 UTC
ipv4 access-group ACL1 egress
The IOS-XR device tries to remove the ACL upon receiving the request
This is a semantic restriction in IOS-XR. The restriction is that you may not delete all ACEs from an ACL that is in-use. You will get exactly the same error if you tried the same operation via the CLI. you have a remark in the ACL also, but remark entries do not count in this case. The error is actually coming form the underlying logic that deals with activating the ACL. When you try to bind an ACL with only a remark statement in it to an interface, we see this error:
RP/0/RP0/CPU0:r622prod(config-if)#show configuration failed
Fri Jun 23 13:30:17.034 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
ipv4 access-group FOO ingress
!!% 'pfilter-ma' detected the 'warning' condition 'The verification of the specified access list failed because either it's empty or it has remark ACEs only.'
Note that if the ACL wasn't attached to any target this wouldn't be an issue.
Unfortunately, this kind of restriction can be hard to express in YANG constraints, and so currently we have nothing in the model to describe this.
As a workaround, and depending on what your overall ACL policy is, can suggest having ether a trailing "deny ip any any" or a trailing "permit ip any any" that is left in place always to allow you to manipulate all other ACEs.
- Is there a way to use ydk to ask for all targets that an ACL is applied on. Instead of modifying a living ACL, able to detach the ACL from all targets, remove the ACL, re-create the ACL with new content and apply the new ACL on all targets therefore it'd be useful to retrieve existing targets of an ACL from the device.
What you need to use as a query if you're doing netconf directly, is a subtree filter like this:
When my configuration looks like:
ipv4 address 10.1.2.1 255.255.255.0
ipv4 access-group FOO ingress
ipv4 access-group FOO ingress
...this subtree filter will return something like:
(v) â /opt/git-repos/ncc-devnet master ↓·1
16:13 $ python ncc.py --host=127.0.0.1 --port=8300 -g --named-filter ingress-acl-interfaces
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
ncc.py is a Python script you can find at https://github.com/CiscoDevNet/ncc
- Unable to run ncc.py to retrieve running-config. It throws the error below. I've always had this issue with ncclient to retrieve full running-config, while retrieving a filtered running-config or retrieving capabilities is ok. .
- lxml.etree.XMLSyntaxError: Input is not proper UTF-8, indicate encoding !
Looking at the debug logs, we can see that the secret leaf is probably the culprit:
The problem is how the secret is encoded. It is being embedded using characters that are not legal for the XML character set. I would agree that this is an XR issue. I'll forward on to the AAA team.
This issue can be worked around somewhat by dealing with the returned payload directly and potentially using a different XML parser from what is used by ncclient, or possibly by using the same parser with a different configuration. I looked around a bit, and found some articles talking about similar issues, like:
However, we need to fix XR to return data with a valid encoding.
The issue is on an IOS-XRv version 22.214.171.124I in the lab. Tried pulling running-config from an IOS-XRv 9000 version 6.1.2 and don't see the issue. Below is the output of the authentication config from IOS-XRv 9000 in the lab.
There may have already been a fix for this issue that went into 126.96.36.199I. Can you upgrade your image and see if the issue has been addressed?
Have tried loading IOX XRv 6.1.2 and there is no XML encoding issue. will use XRv 6.1.2 from now.
Seen that error when retrieving operational data, but not configuration. It could be a defect on IOS XR side.
from ydk.services import CRUDService
from ydk.providers import NetconfServiceProvider
from ydk.models.cisco_ios_xr import Cisco_IOS_XR_ifmgr_cfg \
provider = NetconfServiceProvider(address=device.hostname,
# create CRUD service
crud = CRUDService()
interface_configurations = xr_ifmgr_cfg.InterfaceConfigurations() # create object
interface_foo = xr_ifmgr_cfg.InterfaceConfigurations.InterfaceConfiguration()
# read data from NETCONF device
interface_configurations = crud.read(provider, interface_configurations)
Something like the above is the equivalent YDK python script for a CRUD read of the data.
You can perform a CRUD read to read specific data from the targeted device. See this example: ydk-py-samples/nc-read-xr-ipv4-acl-cfg-10-ydk.py at master · CiscoDevNet/ydk-py-samples · GitHub
Note that in the above sample, you need to uncomment the line 78 and add your code to process the read data on line 42.