02-18-2009 05:47 AM
LMS: 3.1
IPM: 4.1.0
Little background: we have a centralized network team that handles almost all of our network equipment. Some of our larger locations have their own IT staff (that generally only handle servers and desktops) that are allowed some limited access into the network devices (logins controlled via ACS).
We have an access list that we apply to all of our vty interfaces to manage access, and we want to make sure it is the same across our network. So I went in and created a template with the access list in it, made it "Order Sensitive" and ran a compliance check. It seemed to run just fine and reported a lot of changes (not surprising) that it needed to make. All seemed to work fine.
The problem:
For our larger sites that have their own IT staff, we need to get them added to this remote access ACL. Currently, with the ordered set, they would lose their ability to remotely connect to the device. For example, the current template looks like:
+ access-list 12 permit 10.0.0.0 0.0.255.255
+ access-list 12 permit 10.16.1.53
+ access-list 12 permit 10.16.6.0 0.0.0.255
+ access-list 12 permit 10.16.8.0 0.0.0.255
+ access-list 12 permit 10.16.192.0 0.0.0.255
+ access-list 12 permit 10.115.40.7
But for some devices I also need to have a line:
+ access-list 12 permit 10.5.1.0 0.0.0.255
On some other devices I will need (instead of the above):
+ access-list 12 permit 10.12.1.0 0.0.0.255
If I wasn't using an ordered set, I think I could do something like:
- access-list 12 permit [#!(10.16.6.0|10.5.1.0|10.12.1.0|etc)#] 0.0.0.255
I don't think it's a big deal that this list would get really long, but because it's an ordered set, I don't think it would work?
I guess the one thing I have working for me is that I am relying on the implicit 'deny any any', so if I had to I could remove the ordered set part of it, but I would rather not, because I think this requirement will change in the near future and at the very least I will be forced to use a 'deny any any log', which will then force me to use an order-sensitive template.
Just looking for some ideas on where to go.
02-18-2009 06:51 AM
I don't know why I posted my IPM version, I have RME 4.2.0.
02-18-2009 10:41 AM
Can you build a prerequisite, and then create multiple templates? For example, match on devices which contain a certain IP address, interface, etc.?
If so, then you could still preserve the ordered list. You would essentially have a prereq commandset defined, and if that prereq is met, then one ACL commandset would be evaluated.
02-18-2009 11:49 AM
Very interesting idea. I tried building this and failed. It came back with everything compliant, which I know it isn't.
Basically what I wanted it to do, in D05Loopback, check and see if the loopback address is 10.253.5.x. If so, run the D05ACL Commandset. In D12Loopback, check and see if the loopback is 10.253.12.x, if it is, do the D12ACL commandset. In OtherLoopback, if the loopback is anything else but those IPs, run the OtherACL commandset.
Below is what I came up with, it makes sense to me, but then again, this is the first prereq template I have built.
--------------------
Name: Global SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : none Parent: none
Name: D05Loopback SubMode: Yes isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: none
Loopback0
+ ip address [#10.253.5.*#] 255.255.255.255
Name: D05ACL SubMode: No isPrerequisite: No
Ordered : Yes Prerequisite-Commandset : D05Loopback Parent: D05Loopback
+ access-list 12 permit 10.0.0.0 0.0.255.255
+ access-list 12 permit 10.16.1.53
+ access-list 12 permit 10.16.6.0 0.0.0.255
+ access-list 12 permit 10.16.8.0 0.0.0.255
+ access-list 12 permit 10.16.192.0 0.0.0.255
+ access-list 12 permit 10.115.40.7
+ access-list 12 permit 10.5.0.0 0.0.255.255
Name: D12Loopback SubMode: Yes isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: none
Loopback0
+ ip address [#10.253.12.*#] 255.255.255.255
Name: D12ACL SubMode: No isPrerequisite: No
Ordered : Yes Prerequisite-Commandset : D12Loopback Parent: D12Loopback
+ access-list 12 permit 10.0.0.0 0.0.255.255
+ access-list 12 permit 10.16.1.53
+ access-list 12 permit 10.16.6.0 0.0.0.255
+ access-list 12 permit 10.16.8.0 0.0.0.255
+ access-list 12 permit 10.16.192.0 0.0.0.255
+ access-list 12 permit 10.115.40.7
+ access-list 12 permit 10.12.0.0 0.0.255.255
Name: OtherLoopback SubMode: Yes isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: none
Loopback0
+ ip address [#!(10.253.(5|12).*)#] 255.255.255.255
Name: OtherACL SubMode: No isPrerequisite: No
Ordered : Yes Prerequisite-Commandset : OtherLoopback Parent: OtherLoopback
+ access-list 12 permit 10.0.0.0 0.0.255.255
+ access-list 12 permit 10.16.1.53
+ access-list 12 permit 10.16.6.0 0.0.0.255
+ access-list 12 permit 10.16.8.0 0.0.0.255
+ access-list 12 permit 10.16.192.0 0.0.0.255
+ access-list 12 permit 10.115.40.7
02-18-2009 11:57 AM
I realized I needed to enter 'interface Loopback0' instead of just 'Loopback0' in the Submode section. This did not fix the problem though, it still comes back with everything compliant.
02-18-2009 01:21 PM
If you have all of these commandsets in the same template, you will encounter CSCsx53067. A patch is available by contacting the TAC. As a workaround, separate these commandsets into different templates (include one prereq and one deployable commandset per template).
You might also want to change your regular expressions. For example:
10.253.12.*
Will match 10.253.123.1 and 10.253.12.1. This may not be what you want. A better expression might be:
10\.253\.12\..*
And as you already noted, you need:
interface Loopback0
As your submode.
Beyond that, a config will be considered compliant if it does not match the prereq, or if it does match the prereq, and the deployable commands are all present. If everything else checks out, it would be helpful to see a configuration from a device which is being reported as compliant when it is not.
02-19-2009 05:51 AM
I opened a TAC case on the bug this morning. Waiting to hear back on that.
You are correct on the regular expressions on what I want to match. I have made that modification.
While waiting on the bug fix, I broke out the command sets into their own templates (one prereq, one deployable) and still had the same issue. Wondering if I still had a problem with the submode, I created another template based on the hostname, and I still had the problem.
This is the new template that only has 1 prereq and 1 deployable:
--------------------
Name: Global SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : none Parent: none
Name: D05LoopbackAddy SubMode: Yes isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: none
Interface Loopback0
+ ip address [#10\.253\.5\..*#] 255.255.255.255
Name: D05ACLChanges SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : D05LoopbackAddy Parent: D05LoopbackAddy
+ access-list 12 permit 10.0.0.0 0.0.255.255
+ access-list 12 permit 10.16.1.53
+ access-list 12 permit 10.16.6.0 0.0.0.255
+ access-list 12 permit 10.16.8.0 0.0.0.255
+ access-list 12 permit 10.16.192.0 0.0.0.255
+ access-list 12 permit 10.115.40.7
+ access-list 12 permit 10.5.0.0 0.0.255.255
--------------------
This is the modified one that checked on hostname instead:
--------------------
Name: Global SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : none Parent: none
Name: D05Hostname SubMode: No isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: none
+ hostname [#d05.*#]
Name: D05ACLs SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : D05Hostname Parent: D05Hostname
+ access-list 12 permit 10.0.0.0 0.0.255.255
+ access-list 12 permit 10.16.1.53
+ access-list 12 permit 10.16.6.0 0.0.0.255
+ access-list 12 permit 10.16.8.0 0.0.0.255
+ access-list 12 permit 10.16.192.0 0.0.0.255
+ access-list 12 permit 10.115.40.7
+ access-list 12 permit 10.5.0.0 0.0.255.255
--------------------
A stripped down config from a device that should not be compliant:
--------------------
!
hostname d05sw001
!
interface Loopback0
ip address 10.253.5.6 255.255.255.255
!
access-list 12 permit 10.115.40.7
access-list 12 permit 10.16.6.0 0.0.0.255
access-list 12 permit 10.16.192.0 0.0.0.255
access-list 12 permit 10.16.1.0 0.0.0.255
access-list 12 permit 10.0.0.0 0.0.255.255
access-list 12 permit 10.207.0.0 0.0.255.255
access-list 12 permit 10.5.0.0 0.0.255.255
--------------------
Thanks for the help so far.
02-19-2009 02:26 PM
First, do not make the deployable commandsets children of the prereqs as they will inherit the prereq submode. Second, this hostname example technically is compliant since you forgot to mark the deployable commandset ordered.
02-20-2009 05:10 AM
When I fixed those 2 things it worked exactly as you suggested. Thanks for the help. It will be a couple of extra templates, but that's okay, I am just concerned with it managing that information for me.
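To make the compliance rule from this thread concrete, here is a small Python model added as an illustration (it is not the thread's code and not how RME itself evaluates templates): a prereq commandset is a regex checked against one line of a submode, and if it matches, an unordered or ordered deployable commandset must be present. The function names and the reading of "ordered" as one contiguous block in the template's sequence are assumptions of this example; the sample config is constructed from the stripped-down d05 switch config posted above.

```python
import re
# Constructed sample config, modelled on the stripped-down d05 switch config in the thread.
SAMPLE_CONFIG = """\
hostname d05sw001
interface Loopback0
 ip address 10.253.5.6 255.255.255.255
access-list 12 permit 10.115.40.7
access-list 12 permit 10.16.6.0 0.0.0.255
access-list 12 permit 10.16.192.0 0.0.0.255
access-list 12 permit 10.16.1.0 0.0.0.255
access-list 12 permit 10.0.0.0 0.0.255.255
access-list 12 permit 10.207.0.0 0.0.255.255
access-list 12 permit 10.5.0.0 0.0.255.255
"""
D05_ACL = [  # the thread's D05 deployable commandset, as a list of config lines
    "access-list 12 permit 10.0.0.0 0.0.255.255",
    "access-list 12 permit 10.16.1.53",
    "access-list 12 permit 10.16.6.0 0.0.0.255",
    "access-list 12 permit 10.16.8.0 0.0.0.255",
    "access-list 12 permit 10.16.192.0 0.0.0.255",
    "access-list 12 permit 10.115.40.7",
    "access-list 12 permit 10.5.0.0 0.0.255.255",
]

def lines_in(config, submode=None):
    """Lines under a submode header such as 'interface Loopback0'; global lines if None."""
    inside, out = False, []
    for raw in config.splitlines():
        top = not raw.startswith(" ")  # a new top-level command ends any submode
        if top:
            inside = submode is not None and raw.strip().lower() == submode.lower()
        if (top and submode is None) or (not top and inside):
            out.append(raw.strip())
    return out

def prereq_met(config, submode, pattern):
    """The prereq is met when some line in its submode matches the regex end to end."""
    return any(re.fullmatch(pattern, line) for line in lines_in(config, submode))

def commands_present(config, commands, ordered):
    """Unordered: each command appears. Ordered (assumption): one contiguous block, same sequence."""
    have = lines_in(config)
    if not ordered:
        return all(cmd in have for cmd in commands)
    n = len(commands)
    return any(have[i:i + n] == commands for i in range(len(have) - n + 1))

def compliant(config, submode, pattern, commands, ordered=True):
    """Rule from the thread: no prereq match is compliant; a match requires the deployable commands."""
    return not prereq_met(config, submode, pattern) or commands_present(config, commands, ordered)
```

Running it over the sample config shows the d05 device is non-compliant either way (it lacks the 10.16.1.53 and 10.16.8.0 lines), a device with a different loopback is compliant because the prereq never fires, and the unescaped pattern 10.253.12.* also fires on a 10.253.123.x loopback while the escaped one does not.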