Solved: Cisco Prime Compliance Policies

Andrew Clark · ‎10-03-2016

Hello - I'm making a compliance policy in PI for QoS checking. I would like to create a policy that would look to make sure that QoS is applied appropriately to all of the switch interfaces. Is there a way that PI can do this within the Compliance Policies configuration?

luijimen · ‎10-04-2016

Andrew,

The attached XML file contains the definition for a Compliance Policy that will review the desired commands on ports that are configured as Access, Trunk or Port-channel.

Extract it and import it under Configuration > Compliance > Policies.

Next, create the Profile under Config > Compliance > Profiles and add the Policy to it. From there you can run it on the desired devices.

Please rate the thread if this helps.

Luis

View solution in original post

Marvin Rhoads · ‎10-05-2016

Andrew,

You should be able to edit the rule and add a new condition. Make the condition scope "Device Properties", device property "OS Version". Condition match criteria is "Evaluate expression" with value <_IOS_Version> >= <15.0>.

Luis - feel free to set me straight if I'm not quite correct - I'm learning this bit. :)

View solution in original post

luijimen · ‎10-03-2016

Hi Andrew,

PI should be able to check the desired interfaces for the commands you need. However, a few details need to be known.

For example, do you mean all interfaces including physical and logical? SVIs, Port-Channels, etc?

Are the same QoS commands consistently configured in all of them or is there something that changes, like a policy-name or similar?

The reason for these questions is because we can configure the policy to look for a static command, or use regex to match certain expressions.

Thanks,

Luis

Andrew Clark · ‎10-04-2016

Here is the standard's conguration that they want me to check against.

Trunk >

auto qos voip trust

mls qos trust dscp

priority-queue out

Port-Channel>

srr-queue bandwidth share 1 30 35 5

priority-queue out

mls qos trust dscp

Access>

auto qos voip cisco-softphone

mls qos trust dscp

priority-queue out

luijimen · ‎10-04-2016

Andrew,

The attached XML file contains the definition for a Compliance Policy that will review the desired commands on ports that are configured as Access, Trunk or Port-channel.

Extract it and import it under Configuration > Compliance > Policies.

Next, create the Profile under Config > Compliance > Profiles and add the Policy to it. From there you can run it on the desired devices.

Please rate the thread if this helps.

Luis

Andrew Clark · ‎10-04-2016

This is perfect. Thank you.

Andrew Clark · ‎10-05-2016

Just out of curiosity is there a way to ensure that this runs only on IOS version 15+? Is that done in the report setup when you select the devices, or can you make that in the policy itself?

The reason I'm asking is that the syntax changes a bit between IOS.

Marvin Rhoads · ‎10-05-2016

Andrew,

You should be able to edit the rule and add a new condition. Make the condition scope "Device Properties", device property "OS Version". Condition match criteria is "Evaluate expression" with value <_IOS_Version> >= <15.0>.

Luis - feel free to set me straight if I'm not quite correct - I'm learning this bit. :)

Andrew Clark · ‎10-05-2016

that's it, perfect!

dperowne · ‎11-03-2016

I've been doing a fair bit with compliance with interactive rules and multiline working OK, but I need a rule that applies two different lines based on IOS version. I have 12.x and 15.x so wanted to do "if 15.x run a, otherwise it's 12 so check command present and run y" ... Possible?