Creating compliance definitions using device models

Modeled definitions are based on modeled device configurations, and all of them are expressed as XPaths. XPath is a search mechanism for XML that models an XML document as a tree of nodes. Use this procedure to create Compliance Definitions using device models.

Before you begin

A compliance definition created based on one device schema may be used against devices that are modeled using a different device schema, as long as those schemas share the nodes included in the compliance definition. In other words, the scope of a compliance definition using a device model is not limited to the devices defined by the VTMOS that was used to retrieve the schema on which the definition was built.

Read the following information about parameters before beginning this procedure:

  • Parameters defined in modeled definitions will automatically be passed to remedial actions, if configured to do so.
  • Parameters passed to remedial actions can be viewed in the Remedial queue under the “parameters” column.
  • Parameters defined in remedial command sets need to have the same name as parameters defined in remedial command sets in ITNCM - Base.
    Note: Placing a parameter inside another parameter is not supported.

It is simple for a user to copy an existing definition, and modify some of its components to create a new definition.

Use the Create a Definition window of the User Interface to create a new compliance definition using device models.

About this task

Follow these steps to create a Compliance Definition using device models.

Procedure

  1. Select Create->Compliance Definition.

    The Create a Definition window displays.

  2. Use the following descriptions as a guide to entering the appropriate information in the Create a Definition window.
    Name
    Name chosen to identify the compliance definition. The maximum number of characters for the name is 255. This is a mandatory field.
    Description
    Brief narrative attached to the compliance definition to be created that explains its function and use. The maximum number of characters is 4000.
    Revision
    This number is automatically assigned and initially given a value of 1. Each time the compliance definition is edited, the revision number increments by 1. This is for versioning control. The revision changes only if the entity is active.
    Select Definition Type
    Radio buttons that allow you to create the following types of compliance definitions:
      Create compliance definition using CLI configuration lines
      Select this definition type if you want to define a Compliance Definition with a native definition that uses a stored configuration. Selecting this option causes the Enter Native Definition Details (CLI configuration lines) window to display.
      Create compliance definition using Native Commands
      Select this definition type if you want to define a Compliance Definition with Native Commands. Selecting this option causes the Enter Native Definition Details (Native Commands) window to display.
      Create compliance definition using a Device Model
      Select this definition type if you want to define a Compliance Definition with a modeled definition. Selecting this option causes the Enter Modeled Definition Details window to display.
      Create compliance definition using a Script
      Select this definition type if you want to define a Compliance Definition with a script. Selecting this option causes the Enter Script-Based Definition Details window to display.
      Create compliance definition using a Golden Configuration
      Select this definition type if you want to define a Compliance Definition using a device’s golden configuration as a template for automatically generating evaluations. Selecting this option causes the Select a Golden Device window to display.
    Prev
    Go to the previous selection.
    Next
    Go to the next selection.
    Finish
    Complete process.
    Cancel
    Cancel activities.
  3. Select the Create compliance definition using a Device Model radio button, and then click Next.

    The Enter Modeled Definition Details window displays.

  4. Use the following descriptions as a guide to entering the appropriate information in the Enter Modeled Definition Details window.
    VTMOS
    Choose a device schema by selecting a VTMOS combination.
    Retrieve Model
    Selecting the Retrieve Model button presents an XML model (or device schema) of all configurable parameters available for the VTMOS selected.
    Modeled Definition
    Direct XPath is more commonly used in a simple definition, where only one logical entity is being searched for. If the entity is not unique, or there is more than one node, only the first occurrence of the entity being searched for will be tested. The schema should be chosen using the node navigation tree.

    Contextual XPath should be used to test all nodes of a certain type, for example, to test all FastEthernet interfaces, where the context becomes FastEthernet. The context should be chosen using the node navigation tree in the left-hand window pane. Once the context of the validation has been set, select in the right-hand pane the nodes that will be validated within this context.

    XPath
    XPath will be populated with the schema path chosen.
    Add Evaluation
    This button invokes the wizard for adding a modeled definition evaluation.
    Evaluation List
    Lists all XPaths alongside test conditions and match criteria.
    Evaluation List Criteria
    Use the following evaluation list criteria.
    • Match All — Match All evaluations added to the Compliance Definition.
    • Match Any — Match Any of the evaluations added to the Compliance Definition.
    • Match None — None of the evaluations added must be found in the Device Configuration.
    • Match One — Match only One of the evaluations added to the Definition. If more than one of the evaluations are matched, the match fails.
    • Match Exactly — Identically match all evaluations added to the definition; including the number of evaluations selected.
      Note: When using Match Exactly logic with an extraction or group parameter, the XPath option 'matches' must be selected. This is only applicable to modeled definitions.
    • Match Specific Number — Matches a specific number of evaluations as defined by the user. For example, Match 2 out of the 6 evaluations listed. This choice activates an integer field called Specific Number.
    Number
    This is activated when the Match Specific Number is chosen. An integer must be entered here.
    Manual Override
    This allows the XPath to be overridden through a process of manually altering the Context/Defined XPath.
    Update
    Updates screen.
    Edit
    Edits current selection.
    Delete
    Deletes current selection.
    Test
    The definition test button is enabled when editing or creating a definition, but not when opening a definition. Also, it is only available for modeled and native definitions (not scripts).
    You use the definition test functionality to execute a definition against all open tabs, and view the results.
    You can test definitions using native CLI configuration lines, native commands or device models. You can view results in the evaluation list either in detail, or as a summary.
    Definition Test window elements Description
    Definition Test window

    When you click Test, the Definition Test window is displayed (it resembles the Regex Tool window).

    When you import definitions from a device, the type of definition you are creating determines what content is imported from the device:
    For modeled and golden configuration definitions
    Imports the xml configuration from the device.
    For native CLI definitions
    Imports the CLI configuration for the device.
    For native commands definitions
    Imports the show commands from the device into the text area in the tab.
    Warning: Importing a text file from a file with an xml extension may result in an error when you execute the test.

    Tabs

    You can add as many tabs as your memory allows. The definition is applied to each tab and the results are flagged on the tabs.
    Green flag
    Passed
    Red flag
    Failed
    Yellow flag
    Not assessed
    Evaluation list
    Results are displayed in the Evaluation list under a number of columns.
    Evaluation
    532: Is the same as XPath
    533: Is the same as Evaluation Line
    534: Is the same as Evaluation Line
    This is the search criteria for the Definition or the XPath to search for in the case of Device Models
    Match Criteria
    The criteria used to match the device configuration: Match All, Match Any, None, One, Exactly, Specific Number
    Match Criteria Argument
    532: Is the same as Number
    533: Is the same as Number
    534: Is the same as Number
    Only available on group parameters and extractions. Same as Match Specific Number.
    Default Result
    The default result is the value defined in the Evaluation Result if Context not found option, that is, one of Fail, Pass, Not Assessed, and Not Applicable.
    Note: If there are a number of different results, the overall result will be Pass as long as there are no Fails in the result. For example, you may have two Not Applicable results and one Pass, or all Not Applicable; the overall result will be Pass.
    You can choose the result you wish to receive if the context is not found. The options are: Fail, Pass, Not Assessed, Not Applicable.
    Result
    Green text = Pass, Red text = Fail, Yellow text = Not Assessed/Not Applicable, Blue text = Error
    Restriction: Script parameters and extractions are not supported in test evaluation lists. If any are found in the evaluation they will not be assessed during the test, and the overall definition result will be not assessed.
    Details mode
    You can toggle between Details and Summary mode to select the level of detail displayed in the test results. When in Summary mode, you can click on each evaluation to display detailed results.
    Clear all
    Clears the results from the Evaluation List and tabs.
    Test
    Click to run the test.
    Close
    Closes the Definition Test window.
    Note: The test tabs are only available when the window is open.
    Menu bar

    All options described are also available from the menu bar (File, Edit, Mode, Tabs).

  5. If you clicked the Add Evaluation button, the Add Modelled Definition Evaluation window displays. The fields on this window allow the user to define the parameters to the command. Use the following descriptions as a guide to filling in the fields displayed in the Add Modelled Definition Evaluation window.
    Node
    The node chosen for the modeled definition.
    Node description
    The description of the logical entity and name of the node selected are automatically populated here. This information is retrieved from the device schema based on the XPATH defined in the previous step and cannot be changed by the user.
    XPath Function
    The following table describes the syntax associated with an XPath Function:
    XPath syntax    Description
    =               Equal to
    !=              Not equal to
    >               Greater than
    >=              Greater than or equal to
    <               Less than
    <=              Less than or equal to
    Matches         Allows Regex to be entered.
    Contains        Indicates that the specified argument is contained in the string.
    Starts-with     The string starts with the specified argument.
    Ends-with       The string ends with the specified argument.


    Argument
    The value you want to search on specifically. This can be left empty to find all.
    Show CLI Text Boxes
    When selected this will show unmodeled commands. Normally the node will be ARG.999.
    Parameters
    This is an optional field. This field provides a drop down list for the type of parameter you want. There is also an Insert Parameter button used to insert the parameter.
    Note: Placing a parameter inside another parameter is not supported.

    When an argument in the Argument List is selected, the Argument Details in the lower section of the screen is populated. If changes are required to the Argument Details, they can be made at this point. Select Update to save amendments to the argument.

  6. Click Next to continue.

    The Enter test condition window displays. The test conditions are used to decide whether you want to test for the presence or absence of the CLI, or in the case of some Cisco commands, to check for the presence of the no form of the command (for example, no ip http server).

  7. Use the following descriptions as a guide to filling in the fields displayed in the Enter test condition window.
    Test Condition
    Specifies one of the following test conditions that you can select from the dropdown list:
      Present in Config
      Searches to locate the test condition in the configuration.
      Not Present in Config
      Searches to ensure that the test condition does not appear in the configuration.
      Present and Disabled in Config
      Searches to locate the test condition in the configuration. However, contrary to the Present in Config condition, this search looks for conditions in the configuration that are present but are disabled. For instance, in most Cisco devices entities are prefixed by "no" if they are disabled but present, for example, 'no ip proxy-arp' or 'no ip bootp server'.

    Match Criteria
    The following table describes the Match Criteria syntax:
    • Match All - Match all hits in the target device configuration. For example, if a contextual XPath gets 3 hits in a target device configuration, each hit must satisfy the defined XPath, or the match will fail.
    • Match Any - Match any of the hits in the target device configuration.
    • Match None - Match none of the hits in the target device configuration.
    • Match One - Match any of the hits in the target device configuration. If more than one is matched, the match fails.
    • Match Exactly - Identically match all hits in the target device configuration.
    • Match Specific Number - Matches a specific number of hits in the target device configuration as defined by the user. For example, Match 2 out of the 6 hits listed. This choice activates an integer field called Specific Number.
    Specific Number
    This is activated when the Match Specific Number is chosen. An integer must be entered here.
    Evaluation result if context not found
    Specifies the result to receive if the context is not found. The options are: Fail, Pass, Not Assessed, and Not Applicable.

    If there are a number of different results, the overall result will be Pass as long as there are no Fails in the result. For example, you may have two Not Applicable results and one Pass, or all Not Applicable; the overall result will be Pass.

  8. Click Finish to complete the Modeled Definition Evaluation.

    The Enter Modeled Definition Details window displays again.

  9. Click Next to continue.

    The Choose a Save Location window displays.

  10. Navigate through the tree structure, and choose the location to which you want to save the Compliance Definition. You can also create a new folder from here if required.
  11. Click Finish to complete the creation of the Compliance Definition.

What to do next

You can create another Compliance Definition using a device model by following the instructions in this procedure.
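
Example (added here for illustration; this is not ITNCM code): a small Python model of how a direct XPath, a contextual XPath, the per-hit Match Criteria and the "result if context not found" setting interact, showing that a direct XPath on a non-unique node can pass while one interface is non-compliant. The XML element names, the `evaluate` and `overall` helpers and the regex-search reading of Matches are assumptions; Match Exactly and the test conditions are not modeled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration; element names are illustrative only and
# are not taken from a real device schema.
CONFIG = """<configuration><interface>
  <FastEthernet><name>0/0</name><proxy-arp>disabled</proxy-arp></FastEthernet>
  <FastEthernet><name>0/1</name><proxy-arp>enabled</proxy-arp></FastEthernet>
  <FastEthernet><name>0/2</name><proxy-arp>disabled</proxy-arp></FastEthernet>
</interface></configuration>"""

# String-valued XPath functions from the table in step 5.
# Assumption: "matches" behaves like a regex search.
OPS = {
    "=": lambda v, a: v == a,
    "!=": lambda v, a: v != a,
    "contains": lambda v, a: a in v,
    "starts-with": lambda v, a: v.startswith(a),
    "ends-with": lambda v, a: v.endswith(a),
    "matches": lambda v, a: re.search(a, v) is not None,
}

# Per-hit Match Criteria from step 7 (Match Exactly is left out).
MATCH = {
    "all": lambda hits, n: all(hits),
    "any": lambda hits, n: any(hits),
    "none": lambda hits, n: not any(hits),
    "one": lambda hits, n: sum(hits) == 1,
    "specific": lambda hits, n: sum(hits) == n,
}

def evaluate(xml_text, context, node, op, arg, criteria="all", number=None,
             direct=False, if_not_found="Not Applicable"):
    """Return Pass or Fail, or if_not_found when the context has no hits."""
    contexts = ET.fromstring(xml_text).findall(context)
    if not contexts:
        return if_not_found
    if direct:  # direct XPath: only the first occurrence is tested
        contexts = contexts[:1]
    hits = [OPS[op](c.findtext(node, default=""), arg) for c in contexts]
    return "Pass" if MATCH[criteria](hits, number) else "Fail"

def overall(results):
    """Overall result is Pass as long as no evaluation returned Fail."""
    return "Fail" if "Fail" in results else "Pass"
```

With the constructed configuration, the contextual Match All check on `proxy-arp = disabled` fails because of interface 0/1, while the same check run as a direct XPath passes because only interface 0/0 is tested.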