CLI Ordering
  • 31 Jul 2024

Ordering in Golden Config

Golden Configuration ("Golden Config") enables us to check for the existence of a line and then determine whether the existence of that line (or lack thereof) is a compliance failure. However, Golden Config only checks whether a line is present or absent; it has no concept of whether the line is in the correct order. In scenarios with ACLs (access control lists), existence checks alone may not be sufficient, since the order of the configuration elements (IP addresses) is paramount.

This is where CLI Ordering extends the functionality of Golden Config. It allows you to define a configuration scope where ordering of the elements needs to be accounted for. In this article, you will learn how to enable order checking and how to exclude certain elements from order checking.

First it is important to know the difference between the two supported types of ordering: strict ordering and loose ordering.

Strict Ordering

Strict ordering declares that the configuration elements must appear exactly in the defined order and must be consecutive: every element, starting from the first, must match the defined order, and so must every consecutive element that follows it in the configuration.

For example, let's observe this Golden Configuration snippet where a configuration scope is defined to have strict ordering, denoted by the {lso/} (list strictly ordered) tag.

{lso/}ip access-list extended 101
 permit tcp any host 192.168.2.15
 permit udp any host 10.20.30.40
 deny ip any host 172.16.5.100
 permit ip any any

This configuration expects the device to contain an ip access-list extended 101 in which the first through fourth elements must be exactly as stated in the declaration. Any element that does not match the desired index will generate a compliance failure indicating that array ordering rules were not met for the specific elements that were out of order.

Loose Ordering

Similarly, loose ordering is defined using the tag {llo/} (list loosely ordered). Loose ordering checks that the order you define in Golden Config is respected, but the ordering is satisfied as long as each consecutive configuration element exists anywhere after the previous one.

Let's take the same configuration as Strict Ordering from above but let's assign it the loose ordering tag.

{llo/}ip access-list extended 101
 permit tcp any host 192.168.2.15
 permit udp any host 10.20.30.40
 deny ip any host 172.16.5.100
 permit ip any any

This loose ordering would indicate that:

  • permit udp any host 10.20.30.40 must exist somewhere after permit tcp any host 192.168.2.15
  • deny ip any host 172.16.5.100 must exist somewhere after permit udp any host 10.20.30.40
  • permit ip any any must exist somewhere after deny ip any host 172.16.5.100

Loose ordering does not require these elements to be consecutive: as long as the order is satisfied from one line to the next, other elements between them will not generate a compliance failure.

With that stated, the following configuration would pass the loose ordering test based on the declaration above.

{llo/}ip access-list extended 101
 permit tcp any host 192.168.2.15 <- our first expected config line
 permit tcp any host 192.168.3.25
 permit udp any host 10.30.40.50
 permit udp any host 10.20.30.40 <- our second expected config line
 deny ip any host 172.17.8.90
 deny ip any host 172.16.5.100 <- our third expected config line
 permit tcp any host 192.168.4.60
 permit udp any host 10.40.50.70
 deny ip any host 172.18.9.120
 permit ip any any <- our fourth expected config line

Exclude Item From List Ordering

You may run into a scenario where you want to check the ordering of items within a scope but you also want to check the existence of other items where ordering is not important.

In our ACL example, if you want to check the ordering of elements in the ACL but also want to add a remark describing the ACL, the remark is not relevant to the ordering of the configuration. You can exclude items in an ordered configuration scope by using the tag {lx/} (list exclude).

Take the following example of an ACL declaration where we also add in a remark and exclude the remark from order checking.

{lso/}ip access-list extended 101
 {lx/}remark this is my example ACL
 permit tcp any host 192.168.2.15
 permit udp any host 10.20.30.40
 deny ip any host 172.16.5.100
 permit ip any any

Since we excluded the remark, it is checked only for existence, whereas the remaining configuration is checked for ordering as well.

Assigning Ordering Rules

Ordering Rules can be assigned from the toolbar menu in the Configuration tab of a Golden Configuration:

  1. Select the parent configuration line whose child elements you want to check the ordering of.

    figure_1

  2. Hover over the List Operations menu in the toolbar (denoted by three stacked horizontal lines) and select the ordering you want to assign - strict or loose.

    figure_2

  3. Verify the appropriate tag was added to the configuration line.

    figure_3

Assigning Ordering Exclusion Rule

To exempt a configuration line from order checking you can add the exclusion rule through the same menu:

  1. Select the child configuration line you want to exempt from order checking.

    figure_4

  2. Hover over the List Operations menu in the toolbar and select Exclude item from list ordering.

    figure_5

  3. Verify the appropriate tag {lx/} was added to the configuration line.

    figure_6

CLI Exclusivity

You may run into a scenario where you want to check the existence of the elements you defined but also want to automatically disallow anything else that you did not specifically define. This concept can be referred to as Ghost Configuration. Golden Configuration now enables you to check for Ghost Configurations using the {only/} tag.

Ghost Configuration checking rules can only be assigned to a parent configuration line; therefore only child elements can be identified as ghost elements.

In the following example we state that we want to check for Ghost Configuration by assigning the {only/} tag to the parent ACL element. This ensures that the three (3) IP addresses you have defined in your configuration exist, and any other configuration found in the scope of that ACL will automatically get tagged for removal in a compliance report.

{only/}ip access-list extended Standard-ACL
  permit ip 10.0.1.0 0.0.0.255 any
  permit ip 10.0.2.0 0.0.0.255 any
  permit ip 10.0.3.0 0.0.0.255 any
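
As an added example (not the product's own code and not from this article), the following Python checker implements the four tags described in the sections above, {lso/}, {llo/}, {lx/} and {only/}, over a parent line and its child lines. The tag syntax is taken from the article; the block model (a parent line followed by indented children until the next unindented line), the function names and the sample device output are assumptions. It generalizes the strict, loose, exclusion and ghost checks into one routine so the differences between them can be seen on the same input.

```python
# Added example: a toy compliance checker for the Golden Config list tags
# described in this article. The tag syntax comes from the article; the block
# model, function names and sample device output are assumptions.
import re

TAG_RE = re.compile(r"\{(lso|llo|lx|only)/\}")


def strip_tags(line):
    """Split a golden-config line into (set of leading tags, bare line)."""
    tags, line = set(), line.strip()
    while (m := TAG_RE.match(line)):
        tags.add(m.group(1))
        line = line[m.end():].lstrip()
    return tags, line


def parse_golden(text):
    """Return (parent_tags, parent_line, [(child_tags, child_line), ...])."""
    lines = [l for l in text.splitlines() if l.strip()]
    parent_tags, parent = strip_tags(lines[0])
    return parent_tags, parent, [strip_tags(l) for l in lines[1:]]


def device_children(text, parent):
    """Collect the indented lines under `parent` in a device config.

    Block model (assumption): children are the indented lines that follow the
    parent until the next unindented line. Returns None if the parent is absent.
    """
    found, children = False, []
    for l in text.splitlines():
        if not found:
            found = l.strip() == parent
        elif l and not l[0].isspace():
            break
        elif l.strip():
            children.append(l.strip())
    return children if found else None


def untagged(golden_text):
    """What a fully compliant device would show: the golden snippet minus tags."""
    return TAG_RE.sub("", golden_text)


def check(golden_text, device_text):
    """Apply the list tags; return a list of failure strings ([] means compliant)."""
    parent_tags, parent, children = parse_golden(golden_text)
    actual = device_children(device_text, parent)
    if actual is None:
        return [f"missing parent: {parent}"]

    expected = [line for _, line in children]
    excluded = {line for tags, line in children if "lx" in tags}
    ordered = [line for line in expected if line not in excluded]
    # {lx/} lines are existence-only, so they are removed from the device view
    # before either ordering comparison (design assumption).
    actual_ordered = [line for line in actual if line not in excluded]

    # Existence check applies to every declared child, tagged or not.
    failures = [f"missing: {line}" for line in expected if line not in actual]

    if "lso" in parent_tags:
        # Strict: element i of the declaration must be element i on the device.
        for i, line in enumerate(ordered):
            got = actual_ordered[i] if i < len(actual_ordered) else None
            if got != line:
                failures.append(f"strict order: index {i} expected '{line}', found '{got}'")

    if "llo" in parent_tags:
        # Loose: each element must occur somewhere after the previous match;
        # unrelated lines in between are allowed.
        pos = 0
        for line in ordered:
            try:
                pos = actual_ordered.index(line, pos) + 1
            except ValueError:
                failures.append(f"loose order: '{line}' not found after position {pos}")

    if "only" in parent_tags:
        # Exclusivity: any child the declaration did not mention is a ghost.
        failures += [f"ghost: {line}" for line in actual if line not in expected]

    return failures


# Sample input constructed from the article's loose-ordering example.
GOLDEN_LOOSE = """\
{llo/}ip access-list extended 101
 permit tcp any host 192.168.2.15
 permit udp any host 10.20.30.40
 deny ip any host 172.16.5.100
 permit ip any any
"""

DEVICE_INTERLEAVED = """\
ip access-list extended 101
 permit tcp any host 192.168.2.15
 permit tcp any host 192.168.3.25
 permit udp any host 10.30.40.50
 permit udp any host 10.20.30.40
 deny ip any host 172.17.8.90
 deny ip any host 172.16.5.100
 permit tcp any host 192.168.4.60
 permit udp any host 10.40.50.70
 deny ip any host 172.18.9.120
 permit ip any any
!
"""

if __name__ == "__main__":
    print("loose:", check(GOLDEN_LOOSE, DEVICE_INTERLEAVED))
    print("strict:", check(GOLDEN_LOOSE.replace("{llo/}", "{lso/}"), DEVICE_INTERLEAVED))
```

Run as a script, the interleaved device output from the loose-ordering section passes under {llo/} and fails under {lso/} at index 1, which is exactly the distinction the two sections draw. Note the design choice for {lx/}: excluded lines are dropped from the device's child list before the ordering comparison, so an excluded remark at the top of the ACL does not shift the strict indices of the lines that follow it.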

Assigning CLI Exclusivity

Exclusivity can be assigned from the toolbar menu in the Configuration tab of a Golden Configuration:

  1. Select the parent configuration line whose child elements you want to check the ghost configuration of.

    figure_7

  2. Hover over the List Operations menu in the toolbar and select Exclude item from list ordering.

    figure_8

  3. Verify the appropriate tag {only/} was added to the parent configuration line.

    figure_9
