02-11-2014 03:02 PM
I'm working on a Baseline Template for compliance. One of the interfaces that we use across all our routers is Loopback 1. I want to use a baseline template to check if Loopback 0 exists and then if it exists, I want to check certain lines in its interface config. Here is how I have my Template configured:
Prerequisite Command Set - checkLoopback
+interface Loopback1
Subordinate Command Set - checkLoopbackConfig
+description Network Management Interface
+ip address [#172\.16\..*\..*#] [255.255.255.0]
Basically I want to confirm that Loopback 1 exists and then check that the standard description has been used and that the IP Address is within a certain range.
Whether the interface is configured or not, when I run the compliance check it reports that the device is compliant. I've also tried "-interface Loopback1" in the Prerequisite Command Set and the result still reports the device is compliant.
How can I accomplish my goal of checking that the interface exists first then check the config of the interface?
Thanks for the help.
02-11-2014 05:00 PM
Hi,
You need to create Parent & Child Template to achieve your goal.
Check the below link (look at the Case 4(a) Replacing IP helper addresses on all interfaces)
Thanks-
Afroz
[Do rate the useful post]
****Ratings Encourages Contributors ****
02-11-2014 07:28 PM
Use the Advanced Template as below:
Name: new SubMode: Yes isPrerequisite: No
Ordered : No Prerequisite-Commandset : none Parent: none
interface [#.*#]
+interface loopback1
Name: new2 SubMode: Yes isPrerequisite: No
Ordered : No Prerequisite-Commandset : none Parent: new
interface loopback1
+description Network Management Interface
+ip address [#172\.16\..*\..*#] [255.255.255.0]
Note: make sure you have a space after the + sign while creating the Template.
Thanks-
Afroz
02-13-2014 06:20 AM
I created parent/child command sets as recommended above. Even with Loopback1 configuration cleared and shutdown (no loopback1), the compliance check reports that the device is compliant. I've tried hundreds of commandset configurations and the results are always the same, the device shows as being compliant. I'm beginning to think that the baseline compliance command sets won't check Loopback interfaces.
Any thoughts??
02-20-2014 07:50 AM
I figured out what my problem is. After each configuration change on the router device, I need to synchronize the configuration. Meaning, PrimeLMS does not compare to the running config on the device but rather the running config that had been collected at the last configuration archive.
Once I began synch’ing the config after each configuration change and before running the compliance check, I started achieving the desired results.
I didn't realize Prime used the archived configuration instead of the running configuration on the device.
02-12-2014 06:19 AM
You can use commandsets. The commandsets are a set of one or more CLI commands. You can define a commandset while creating a Baseline template in the Advanced mode.
The features of the commandsets are:
• If the commands in commandset are in a submode (ip/interface etc.) a submode command must be specified for such a commandset.
• Commandsets can have one or more child commandsets.
• Child commandsets inherit parent's sub-mode command.
You can define commandsets that have to be checked before running the actual commands.
The features of the prerequisite commandsets are:
• A commandset can have another commandset as its prerequisite.
• A prerequisite commandset is used only for comparison and is not deployed onto the device.
• A commandset is compared with the config only if its prerequisite condition is satisfied.
LMS evaluates the commandsets in different ways depending on whether you have defined the commandset as Parent or Prerequisite.
For example, assume that you have defined two commandsets, commandset1 and commandset2:
• Commandset defined as Prerequisite
  - commandset1 as the Prerequisite of commandset2. When LMS evaluates the Baseline template, it evaluates commandset1 first, and commandset2 next.
  - If commandset1 does not contain submode and is not present in a device, then commandset2 is not evaluated and the device is displayed in the excluded list in the compliance report.
  - If commandset1 contains submode and is not present in applicable submodes, then commandset2 is not evaluated and the device is displayed in the excluded list in the compliance report.
• Commandset defined as Parent
  - commandset1 as the Parent of commandset2. When LMS evaluates the Baseline template, it evaluates commandset1 first, and commandset2 next.
  - If either of these commandsets is missing, the template is considered non-compliant.
-Joe
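Added example (not part of the thread and not LMS code): a small Python model of the prerequisite and parent rules described in the post above, run against the text of an archived configuration, which is what the thread found the compliance check compares against. The function names, the dict layout, the status strings and the sample config are assumptions made for illustration, and the patterns use Python regex syntax rather than the template's `[#...#]` notation.

```python
import re

# Constructed sample of an archived IOS config (not taken from the thread).
ARCHIVED = """\
hostname r1
interface Loopback1
 description Network Management Interface
 ip address 172.16.4.1 255.255.255.0
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
"""

def submode_blocks(config, submode_re):
    """Return the child lines of every block whose header matches submode_re."""
    blocks, current = [], None
    for line in config.splitlines():
        if not line.startswith(" "):      # any top-level line closes the open block
            current = [] if re.fullmatch(submode_re, line, re.I) else None
            if current is not None:
                blocks.append(current)
        elif current is not None:
            current.append(line.strip())
    return blocks

def present(config, cs):
    """True if some matching submode block contains every required line."""
    return any(all(any(re.fullmatch(p, l) for l in b) for p in cs["lines"])
               for b in submode_blocks(config, cs["submode"]))

def evaluate(config, commandset, prerequisite=None, parent=None):
    """Hypothetical model of the quoted rules: a missing prerequisite excludes
    the device; a missing parent or child makes it non-compliant."""
    if prerequisite and not present(config, prerequisite):
        return "excluded"
    if parent and not present(config, parent):
        return "non-compliant"
    return "compliant" if present(config, commandset) else "non-compliant"

# Hypothetical commandsets mirroring the thread's template.
EXISTS = {"submode": r"interface Loopback1", "lines": []}
CHECK = {"submode": r"interface Loopback1", "lines": [
    r"description Network Management Interface",
    r"ip address 172\.16\.\d+\.\d+ 255\.255\.255\.0"]}

if __name__ == "__main__":
    print(evaluate(ARCHIVED, CHECK, prerequisite=EXISTS))
```

Because the input is the archived text, a change made on the device after the last archive does not alter the result until the configuration is collected again.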