Implement compliance reporting rules and configuration templates based on CiscoConfParse and netaddr python style syntax (nested object based configuration parsing)
http://www.pennington.net/py/ciscoconfparse/api_IOSCfgLine.html
Example Usage: A Contrived Configuration Audit — ciscoconfparse 1.2.38 documentation
It's difficult to construct compliance rules for many of our production configuration defects using the string and RegEx search syntax available in compliance reporting. Adopting the CiscoConfParse nested object model with basic scripting would simplify many tasks and allow for more complex matching and actions....
from ciscoconfparse import CiscoConfParse

config = CiscoConfParse('running-config.txt')  # path to the device config is assumed here
interfaces_with_ip_addresses = config.find_objects_w_child(r'^interface ', r'ip address \d+\.\d+\.\d+\.\d+')
for interface in interfaces_with_ip_addresses:
    # do something with the matching interface object, e.g. print(interface.text)
    print(interface.text)
Remediation could be specified per matching section easily...
line vty 0 4
 timeout 60
line vty 5
 timeout 120
line vty 6 15
 transport input ssh
vtys_without_transport_ssh = config.find_objects_wo_child(r'^line vty', r'transport input .*ssh')
for vty in vtys_without_transport_ssh:
    # remediate_under_section() is the proposed NCM action, not an existing CiscoConfParse method
    vty.remediate_under_section("transport input ssh")
Would generate the following remediation commands on the device....
line vty 0 4
 transport input ssh
line vty 5
 transport input ssh
Using CiscoConfParse and python via orionsdk it's easier to check for advanced issues such as ip helper addresses to destinations inside the same VLAN. It's not currently possible to check for this via the existing NCM Compliance rule syntax.
interface Vlan11
 ip address 192.168.0.1 255.255.255.0
 ip helper-address 192.168.32.5
 ip helper-address 192.168.0.5      # inside 192.168.0.1/255.255.255.0
 ip helper-address 192.168.13.124
 no ip redirects
 no ip unreachables
 no ip proxy-arp
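Both checks above (vty blocks missing "transport input ssh", and helper addresses pointing back into the SVI's own subnet) worked through as an added example; this is not code from the feature request or from CiscoConfParse. It assumes only the standard library: a minimal parent/child section parser stands in for the CiscoConfParse tree and ipaddress stands in for netaddr, and the sample config is constructed.

```python
import re
from ipaddress import IPv4Address, IPv4Interface

# Constructed sample config (not from a real device).
SAMPLE_CONFIG = """\
interface Vlan11
 ip address 192.168.0.1 255.255.255.0
 ip helper-address 192.168.32.5
 ip helper-address 192.168.0.5
line vty 0 4
 timeout 60
line vty 6 15
 transport input ssh
"""
def parse_sections(text):
    """Stand-in for the CiscoConfParse tree: [(parent, [indented children])]."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections
def find_objects_wo_child(sections, parent_re, child_re):
    """Parents matching parent_re that have no child matching child_re."""
    return [p for p, kids in sections if re.search(parent_re, p)
            and not any(re.search(child_re, k) for k in kids)]
def vty_ssh_remediation(text):
    """Commands to push for every vty block lacking 'transport input ssh'."""
    cmds = []
    for vty in find_objects_wo_child(parse_sections(text),
                                     r"^line vty", r"transport input .*ssh"):
        cmds += [vty, " transport input ssh"]
    return cmds
def helpers_in_own_subnet(text):
    """(interface, helper) pairs whose relay target sits inside the interface's
    own subnet; stdlib ipaddress is used here in place of netaddr."""
    findings = []
    for parent, kids in parse_sections(text):
        if not parent.startswith("interface "):
            continue
        addrs = [IPv4Interface("%s/%s" % m.groups()) for k in kids
                 if (m := re.match(r"ip address (\S+) (\S+)$", k))]
        for k in kids:
            m = re.match(r"ip helper-address (\S+)$", k)
            if m and any(IPv4Address(m.group(1)) in a.network for a in addrs):
                findings.append((parent, m.group(1)))
    return findings
```

Run against the sample, vty_ssh_remediation returns the two remediation lines for "line vty 0 4" and helpers_in_own_subnet flags only 192.168.0.5 on Vlan11.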
Adopting this approach could also provide a method to implement other feature requests, such as "COMPARE CONFIG AGAINST MASTER TEMPLATE" (a diff of two CiscoConfParse trees).