Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

"Einar Nilsen-Nygaard (einarnn)" <> Mon, 08 January 2018 15:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 694A3129C6E for <>; Mon, 8 Jan 2018 07:52:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.53
X-Spam-Status: No, score=-14.53 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3DtLb3A0qNKg for <>; Mon, 8 Jan 2018 07:52:01 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 72D04126579 for <>; Mon, 8 Jan 2018 07:51:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=27508; q=dns/txt; s=iport; t=1515426719; x=1516636319; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=U3uo7w8Bmmus0yIyb6vk+qkDaWHfa7hnpPVltmvEfvs=; b=GpfcTHKKHnnRPpSkIxfIrhQ4x74kbMRtOQ9jLMszKVK+VA9eiBuajtpM WRHrvtcJRvTVn/YkvWMEWm1PtFCSzUyBEdPL+SQ2h955EnaEKzkdQOeSu BCTIOMxD6fl8J3E9zmENyOOOz+H9ZO188udmwrTHISwUGWIBD76iGFiGk U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos; i="5.46,330,1511827200"; d="scan'208,217"; a="53763170"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Jan 2018 15:51:58 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id w08Fpw1Z008235 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 8 Jan 2018 15:51:58 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 8 Jan 2018 10:51:57 -0500
Received: from ([]) by ([]) with mapi id 15.00.1320.000; Mon, 8 Jan 2018 10:51:56 -0500
From: "Einar Nilsen-Nygaard (einarnn)" <>
To: "Robert Wilton -X (rwilton - ENSOFT LIMITED at Cisco)" <>, Jon Shallow <>, "Mahesh Jethanandani" <>
CC: "" <>
Thread-Topic: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"
Thread-Index: AdOIbvlU0QBjg+SHRESC+Oh6XUPoRwATLimAAAD9eAAAALiggA==
Date: Mon, 8 Jan 2018 15:51:56 +0000
Message-ID: <>
References: <012301d3886e$f96f08e0$ec4d1aa0$> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-mailer: Apple Mail (2.3445.5.20)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_A6455D8AE85C411A8B115B15EA0D9AB9ciscocom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Jan 2018 15:52:03 -0000

On 8 Jan 2018, at 15:31, Robert Wilton -X (rwilton - ENSOFT LIMITED at Cisco) <<>> wrote:

Hi Einar, Jon, Mahesh,

My gut instinct is that making this a grouping might not be a good idea:

1) If somebody updates the core ACL model, will then need to check that anyone using it should be similarly updated (unless they use import-by-revision).

Groupings and typedefs are subject to the same backwards-compatibility constraints as any other data. Thus updates to the model should always be trouble-free if the updates conform to RFC 6020/7950 backwards-compatibility rules for model updates.

2) Does it make sense to define ACLs in separate places.  Would like be more simple if ACLs were defined in a central place and then just referenced by other protocols as required.

Jon clearly has a case he is thinking about, and making an access list container reusable doesn’t seem like an intrinsically bad idea to me. What may be an irritating thing is if there are >1 use case for this and each use case is in effect required to define it’s own idea of a list of access list definitions.

3) I think that groupings are probably overused and I think that they can detract from the readability of the model.  (I regard the OpenConfig YANG models as an extreme example of this, where it is necessary to compile the modules together to figure out where everything fits together).

I’m not going to disagree with your comments on the overuse of groupings. We could also refer to Cisco IOS-XR native models, where we have some models with 8 levels (perhaps more?) of nested groupings ;-)

Having said that, I don't think that this issue is important enough to have a long discussion about ...

Likewise. I have no objection to this change, but no strong vested interest either. What I’m most interested in is getting to an agreed model at this point, and this change wouldn’t impact that as it doesn’t change the actual model.

Jon — could you perhaps articulate your use case(s)? And perhaps update with them?




On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:
Since this is a 7-line change, I see no harm in it if no-one objects? Mahesh has the token for rolling in updates discussed just prior to the end of 2017.

Here’s a possible diff:

$ git diff -b
diff --git a/src/yang/ietf-access-control-list.yang b/src/yang/ietf-access-control-list.yang
index 4d698c9..b1a173f 100644
--- a/src/yang/ietf-access-control-list.yang
+++ b/src/yang/ietf-access-control-list.yang
@@ -402,6 +402,10 @@ module ietf-access-control-list {
    * Configuration data nodes
+  grouping access-lists-top {
+    description
+      "Grouping to allow reuse of access lists container elsewhere.";
     container access-lists {
         "This is a top level container for Access Control Lists.
@@ -576,6 +580,9 @@ module ietf-access-control-list {
+  }
+  uses access-lists-top;
   augment "/if:interfaces/if:interface" {
       "Augment interfaces to allow ACLs to be associated in either the



On 8 Jan 2018, at 10:53, Jon Shallow <<>> wrote:

Hi There,

I appreciate that this is late to the table, but is it possible to set up “access-lists” as a “grouping” in the YANG data model so that “access-lists” can be included by “uses” in a higher level YANG data model?

I have raised this as issue #22 at


netmod mailing list<>

netmod mailing list<>