What's New

Latest features and enhancements added in this release.

Only significant new updates are listed here. To see the complete list of changes, refer to the NSO Changelog Explorer.

Release Highlights

This release includes major enhancements in the following areas:

Brownfield Service Protection and Out-of-band Changes

NSO now supports a new confirm-network-state commit mode for improved interoperation in the face of out-of-band changes. Using this commit mode, it is now possible to avoid provisioning pre-checks and pre-provisioning sync-from operations, even if there are out-of-band changes on NSO-managed devices.

Additionally, NSO introduces support for policy-defined handling of configuration data that overlaps with NSO-configured services. This eases coexistence with other systems and protects already provisioned services from unwanted modification.

Web Server Hostname Matching

NSO supports serving web traffic from multiple domains and IP addresses. This functionality is configured by server-name and server-alias settings in the ncs.conf file. In addition, the web server refuses to serve requests to other domain names and addresses by default, in order to not expose the system to redirect-related attacks. This functionality can be disabled, but that is strongly discouraged.
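The sketch below is an added illustration of host allow-listing in the style of server-name and server-alias; it is not NSO's code. The sample names and the matching rules (exact match, case-insensitive, port ignored, no wildcards) are assumptions made for this example.

```python
import ipaddress

# Constructed sample values standing in for server-name / server-alias.
SERVER_NAME = "nso.example.com"
SERVER_ALIASES = ("nso-lab.example.com", "192.0.2.10", "[2001:db8::10]")

def normalize_host(value):
    """Return the canonical host part of a Host header value, or None if malformed."""
    if not value or "@" in value or "/" in value or any(c.isspace() for c in value):
        return None
    if value.startswith("["):  # bracketed IPv6 literal, optionally with :port
        end = value.find("]")
        rest = value[end + 1:] if end != -1 else "x"
        if rest and not (rest[0] == ":" and rest[1:].isdigit()):
            return None
        try:
            return str(ipaddress.IPv6Address(value[1:end]))
        except ValueError:
            return None
    name, sep, port = value.partition(":")
    if sep and not port.isdigit():
        return None
    # Host names are case-insensitive; a trailing dot names the same host.
    return name.rstrip(".").lower() or None

def host_allowed(host_header, server_name=SERVER_NAME, aliases=SERVER_ALIASES):
    """True only when the request's Host exactly matches a configured name."""
    host = normalize_host(host_header)
    allowed = {normalize_host(n) for n in (server_name, *aliases)} - {None}
    return host is not None and host in allowed
```

Rejecting the request before any handler runs means a Host value outside the configured list is never used to build a redirect target.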

FIPS Support for NSO Installs

In NSO 6.5, we are introducing support for installing NSO in a FIPS-compliant mode. With this update, you can now install (or upgrade) NSO in the usual standard mode or in a more targeted FIPS mode to meet the specific crypto requirements of the FIPS 140-3 standard in your organization. Bear in mind that FIPS mode targets a very specific use case and should only be used in FIPS-restricted setups. For most installs, the standard mode is the way to go.

Be advised as well that Cisco's FIPS support is currently limited only to installer-based setups and not available on Cisco-provided containers, but you do have the option to pursue a FIPS-compliant container setup independently.

Continued Enhancements in the NSO Web UI

This release brings more improvements to extend the design and functionality of the NSO Web UI. This time, we have implemented substantial new updates in the Web UI tools, namely the Package Manager (now called Packages), Alarms, and Compliance Reporting. More specifically:

  • The Packages tool now benefits from an all-new design coherent with Cisco's design philosophy. It also includes new feature updates to handle package management in the Web UI in a more detailed and appealing manner.

  • The Alarms tool now offers a vastly updated design as well as improved functionality to handle NSO alarms. Users will see enhancements in the information and options to interact with alarms.

  • New improvements have also been made in the Compliance Reporting tool to offer more visual details via graphs in report results.

Configurable Size Limits for Transaction Checkpoints

Added new ncs.conf configuration to modify read-set and write-set size limits for transaction checkpoints.

NSO Runs as Non-root User in Cisco Containers

NSO is now installed with the --run-as-user option for build and production containers to run NSO from the non-root nso user that belongs to the nso user group.

Support for RFC 8650 (YANG-Push over RESTCONF)

Implemented support for RFC 8650, "Dynamic Subscription to YANG Events and Datastores over RESTCONF." This update enables subscribed notifications and YANG-Push functionality for RESTCONF. For more details, refer to RFC 8650 and the NSO documentation. Note that subtree filtering and JSON format are not yet supported and are planned for a future release.

NETCONF Connection Setup Logging for Erlang SSH Client

SSH connections by the built-in NETCONF client are now logged in the device and cluster traces, including details for successful connections and errors when establishing SSH connections and why an SSH connection was terminated.

See the Tracing Device Communication section for details on enabling NED traffic tracing.

Compliance Templates Checks for Operational Data

Support has been added in compliance templates to read the live status of devices. This feature is optional and requires opting in. To activate this functionality, NEDs must be recompiled using the new ncsc flag --ncs-with-operational-compliance.

Documentation Updates:

  • Updated the Compliance Reporting section in Operation and Usage to add new details about live-status checks.

Compliance Processing Tags Enhancement

This release introduces new compliance template enhancements:

  • A new allow-empty tag allows empty nodes to be considered compliant. Configurations that do not match will still fail.

  • Support for enabling or disabling strict mode on parts of a compliance template. The strict tag can now be applied to sub-trees, allowing fine-grained control over strict compliance checking.

Support XML Strings as Input to MAAPI set_values in Python API

Added two new methods ncs.maagic.set_values_xml() and ncs.maagic.shared_set_values_xml(), making it possible to set large amounts of data using an XML document as input.

The examples.ncs/scaling-performance/perf-bulkcreate example has been updated to use the new ncs.maagic.shared_set_values_xml() method.

CLI Display Dry-run Output and Prompt before Committing

Added CLI functionality to display dry-run output and prompt the user to confirm before the commit operation or actions using the ncs-commit-params grouping.

Documentation Updates:

  • New parameters added to the ncs.conf(5) man page

    • /ncs-config/cli/commit-prompt/enabled

    • /ncs-config/cli/commit-prompt/dry-run/duration

    • /ncs-config/cli/commit-prompt/dry-run/outformat

  • Added new CLI settings commands to configure the new functionality per session.

Template Creation Enhancements

Added and extended support for generating templates based on device configuration structures:

  • New Action: /devices/create-template enables creation of device templates from user-defined config paths.

  • Extended Action: /compliance/create-template now supports generating compliance templates from specified config paths.

  • New Action: /services/create-template allows creation of service templates and infers a resource-facing service model from config path structures. Outputs include the template and service model, optionally exportable as a service package.

Support for Efficient Stream-parsing of JSON

The JSON parser has been improved from a non-streaming model to a streaming one. This reduces memory usage, especially for large inputs.

Support for SFTP as Standardized File Transfer Protocol for SCP Action

NSO now supports the option to use SFTP to transfer files between NSO and devices in addition to SCP.

Limit Devices in Actions by XPath

Added leaf 'device-select' and leaf-list 'device-group' to the input of the following actions:

  • /devices/connect

  • /devices/disconnect

  • /devices/check-sync

  • /devices/sync-to

  • /devices/sync-from

  • /devices/check-yang-modules

  • /devices/fetch-ssh-host-keys

  • /devices/apply-template

  • /devices/migrate

  • /devices/scp-to

  • /devices/clear-trace

Enhanced Device Auto-Configuration with Improved Reliability

The device auto-configure feature in NSO is now more robust and reliable, with enhanced retry mechanisms to handle common deployment challenges. This update ensures smoother and more successful device onboarding in a wider range of network environments.

  • Automatic Retry on Failure: The auto-configure process now automatically retries in scenarios where:

    • The device requires a commit operation before configuration can be copied.

    • The device is unreachable.

    • Concurrent auto-configuration processes are running for other devices.

  • Granular Control: New global settings under /devices/global-settings/auto-configure allow administrators to fine-tune the retry behavior, controlling the number of attempts and the interval between them.

  • Proactive Alerting: A new auto-configure-failed alarm is raised when the maximum number of retry attempts is exhausted, providing immediate notification of persistent auto-configuration failures.

Documentation Updates:

  • Updated the Device Manager chapter to add details about auto-configure.

Unified Label for Commit

This release adds label and comment as commit parameters across all northbound interfaces and actions supporting the ncs-commit-params grouping in the tailf-ncs-devices YANG module. These parameters will appear in rollback files, be propagated through the NSO cluster, and applied to devices where needed.

This update removes the need for the tag parameter in the commit queue, with label now serving as the primary method for event correlation. label will replace commit-queue/tag in all northbound events, allowing for better event tracking across NSO nodes.

While rollback-label and rollback-comment remain for rollback files, their use is discouraged in favor of the new label and comment parameters.

Documentation Updates:

  • Updated the JSON-RPC API 'transaction' section to update details about this change.

Improved NED migrate Action Report for Changes to Node Constraints

Each modified path in the schema diff for the /packages/reload, /packages/ha/sync, /devices/migrate, /devices/device-group/ned-id/migrate, and /devices/device/migrate actions now contains a list of all modifications made to the node. This includes all added, removed, or modified constraints, for example, when or must expressions.

Support for OpenSSL 3.0

NSO has added support for OpenSSL 3.0 in this release. The Cisco SSL library in this regard has been updated to version 3.0.15.8.0.221 (ciscossl-3.0.15.8.0.221).

Improved Execution of Configuration Changes when Using the CLI on a Subset of Devices

Added support for entering an array of keys to get detected as a range. If the list supports ranges for keys, these can be entered similarly to 'foo key1,key2,key3 bar', and all the keys will be used for the range.
