Assertions
Assertions define what your network state should look like. Each assertion targets a gNMI path and validates the value.
Basic Structure
```yaml
targets:
  - host: spine1:6030
assertions:
  - name: Ethernet1 is UP
    path: interface[Ethernet1]/state/oper-status
    equals: "UP"
  - name: BGP peer established
    path: bgp[default]/neighbors/neighbor[neighbor-address=10.0.0.2]/state/session-state
    equals: "ESTABLISHED"
```
Assertion Types
| Type | Example | Description |
|---|---|---|
| equals | equals: "UP" | Exact match |
| contains | contains: "Ethernet" | Substring match |
| matches | matches: "^(UP\|DOWN)$" | Regex match |
| exists | exists: true | Path exists |
| absent | absent: true | Path does not exist |
| gt | gt: "100" | Greater than (numeric) |
| lt | lt: "1000" | Less than (numeric) |
| gte | gte: "0" | Greater than or equal |
| lte | lte: "100" | Less than or equal |
Short Paths
OpenConfig paths can be verbose. netsert supports short paths that expand automatically:
| Short Path | Expands To |
|---|---|
| interface[Ethernet1]/... | /interfaces/interface[name=Ethernet1]/... |
| bgp[default]/... | /network-instances/network-instance[name=default]/protocols/protocol[identifier=BGP][name=BGP]/bgp/... |
| ospf[default]/... | /network-instances/network-instance[name=default]/protocols/protocol[identifier=OSPF][name=OSPF]/ospf/... |
| system/... | /system/... |
| lldp/... | /lldp/... |
Paths starting with / are treated as absolute OpenConfig paths.
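To make the two tables above concrete, here is an added example (not netsert's own code) that expands short paths as the Short Paths table describes and evaluates each type from the Assertion Types table against a value. The function names, the handling of relative paths not listed in the table, and the convention that a missing path is passed as `None` are assumptions.

```python
import re

# Prefix templates copied from the Short Paths table above.
_NI = "/network-instances/network-instance[name={k}]/protocols/protocol"
SHORT_PREFIXES = {
    "interface": "/interfaces/interface[name={k}]",
    "bgp": _NI + "[identifier=BGP][name=BGP]/bgp",
    "ospf": _NI + "[identifier=OSPF][name=OSPF]/ospf",
}
_SHORT = re.compile(r"^(interface|bgp|ospf)\[([^\]=]+)\](/.*)?$")
_NUMERIC = {"gt": lambda a, b: a > b, "lt": lambda a, b: a < b,
            "gte": lambda a, b: a >= b, "lte": lambda a, b: a <= b}


def expand_path(path):
    """Expand a short path to an absolute OpenConfig path (illustrative)."""
    if path.startswith("/"):      # absolute paths pass through unchanged
        return path
    m = _SHORT.match(path)
    if m:
        kind, key, rest = m.groups()
        return SHORT_PREFIXES[kind].format(k=key) + (rest or "")
    return "/" + path             # system/... and lldp/... only gain the slash


def check(assertion, value):
    """Evaluate one assertion against the value read from the device.

    Assumption: value is None when the path returned nothing.
    """
    if assertion.get("exists"):   # only the `true` form appears on the page
        return value is not None
    if assertion.get("absent"):
        return value is None
    if value is None:             # every other type needs a value to compare
        return False
    if "equals" in assertion:
        return str(value) == assertion["equals"]
    if "contains" in assertion:
        return assertion["contains"] in str(value)
    if "matches" in assertion:
        return re.search(assertion["matches"], str(value)) is not None
    for op, compare in _NUMERIC.items():
        if op in assertion:
            try:                  # compare as numbers: as strings "9" >= "10"
                return compare(float(value), float(assertion[op]))
            except (TypeError, ValueError):
                return False      # a non-numeric reading fails the check
    raise ValueError("assertion has no recognised type")
```

The numeric branch is the case worth noticing: assertion values are quoted strings in the YAML, so a string comparison would pass `gte: "10"` for a reading of `"9"`.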
Examples
Interface Status
```yaml
assertions:
  - name: Ethernet1 admin enabled
    path: interface[Ethernet1]/config/enabled
    equals: "true"
  - name: Ethernet1 operationally up
    path: interface[Ethernet1]/state/oper-status
    equals: "UP"
  - name: Ethernet1 has IP
    path: interface[Ethernet1]/subinterfaces/subinterface[index=0]/ipv4/addresses/address[ip=10.0.0.1]/config/ip
    exists: true
```
BGP State
```yaml
assertions:
  - name: BGP peer 10.0.0.2 established
    path: bgp[default]/neighbors/neighbor[neighbor-address=10.0.0.2]/state/session-state
    equals: "ESTABLISHED"
  - name: BGP peer in correct AS
    path: bgp[default]/neighbors/neighbor[neighbor-address=10.0.0.2]/config/peer-as
    equals: "65001"
  # This path counts received UPDATE messages, not prefixes
  - name: Received at least 10 UPDATE messages
    path: bgp[default]/neighbors/neighbor[neighbor-address=10.0.0.2]/state/messages/received/UPDATE
    gte: "10"
```
OSPF Neighbors
```yaml
assertions:
  - name: OSPF neighbor exists
    path: ospf[default]/areas/area[identifier=0.0.0.0]/interfaces/interface[id=Ethernet1]/neighbors/neighbor[router-id=10.255.0.2]/state/adjacency-state
    equals: "FULL"
```
EVPN/VXLAN
Validate EVPN overlay peering and AFI-SAFI state:
```yaml
assertions:
  # EVPN overlay session
  - name: EVPN peer 10.255.0.1 established
    path: bgp[default]/neighbors/neighbor[neighbor-address=10.255.0.1]/state/session-state
    equals: "ESTABLISHED"
  # L2VPN_EVPN address family active
  - name: EVPN peer 10.255.0.1 L2VPN_EVPN enabled
    path: bgp[default]/neighbors/neighbor[neighbor-address=10.255.0.1]/afi-safis/afi-safi[afi-safi-name=L2VPN_EVPN]/state/active
    equals: "true"
  # EVPN peer using correct peer group
  - name: EVPN peer in SPINE-EVPN group
    path: bgp[default]/neighbors/neighbor[neighbor-address=10.255.0.1]/config/peer-group
    equals: "SPINE-EVPN"
  # eBGP multihop for loopback peering
  - name: EVPN peer multihop enabled
    path: bgp[default]/neighbors/neighbor[neighbor-address=10.255.0.1]/ebgp-multihop/config/enabled
    equals: "true"
```
Validate VXLAN tunnel endpoints:
```yaml
assertions:
  # VTEP interface exists
  - name: Vxlan1 interface exists
    path: interface[Vxlan1]/state/oper-status
    equals: "UP"
  # VTEP source interface
  - name: VTEP source is Loopback1
    path: interface[Vxlan1]/config/source-interface
    equals: "Loopback1"
```
System Checks
```yaml
assertions:
  - name: Hostname set correctly
    path: system/config/hostname
    equals: "spine1"
  - name: NTP server configured
    path: system/ntp/servers/server[address=10.0.0.100]/config/address
    exists: true
```
Multiple Targets
Test the same assertions across multiple devices:
```yaml
targets:
  - host: spine1:6030
  - host: spine2:6030
assertions:
  - name: Loopback0 exists
    path: interface[Loopback0]/state/oper-status
    equals: "UP"
```
Credentials Per Target
Override credentials for specific devices:
```yaml
targets:
  - host: spine1:6030
    username: admin
    password: secret123
  - host: spine2:6030
    # uses default credentials
assertions:
  - name: Check something
    path: system/config/hostname
    exists: true
```