
custom report

shinji7800
Level 1

Hello everyone,

I'm French, so I apologize if my English is not sufficient.

I would like to create a custom report: in this report, I would like the result to be the list of all the equipment where one specific IP address is not present in the access-list.

Is it possible?

Thanks a lot for your help.

Best regards

Joe Clarke
Cisco Employee

It depends.  If you are looking to see if one IP address is covered by an existing ACE (e.g. find out if 192.168.1.213 is covered by 192.168.0.0/22), then no, that is not possible.  However, if you're looking to see if one particular ACE exists in an ACL, then that can be done with RME baseline compliance.  You can build a template that looks for that ACE in a given ACL.  For example:

Name: CheckACEInACL

Body:

+ access-list 100 permit ip host 192.168.1.213 any

Thank you for answering.

I tried:

Name:Commands            SubMode:No        isPrerequisite:No

Ordered:No    Prerequisite-Commandset:none         Parent:None

#To check for existence of command enter

# +

#To check for non existance of command enter

# -

- access-list 199 permit ip *.*.*.* 0.0.0.* 192.168.0.0 0.0.0.63

So with this template I am trying to find which routers don't have this line:

access-list 199 permit ip *.*.*.* 0.0.0.* 192.168.0.0 0.0.0.63

in their ACL 199

but when I launched the template with "direct deploy", all of ACL 199 was deleted on ALL routers.

What did I do wrong?

The negation code in LMS removes the entire ACL instead of a single ACE as you can't do random access ACL editing directly.  Your template would need to include the ACL 199 exactly how you want it to appear using the Ordered checkbox.  Note: the ACE the way you have it written is invalid.  Are you trying to do a regular expression match, or do you want to specify an exact ACE?

Hello,

I'm not sure I understand, I'm really sorry.

Let me rephrase my question.

I would like to do something like a "custom report template" to make an audit.

I would like to find all the equipment that does not have a certain network address in ACL 175.

For example:

Find every router that does not have network 192.168.0.15 0.0.0.31 in its ACL 175

Thanks a lot

For that you could use the search archive capability.  Using the Search Archive function, select your target devices, and fill in the following in one of the fields:

access-list 175 permit ip any 192.168.0.15 0.0.0.31

Then select the Does Not Contain option from the Search Criteria pull-down.  The resulting report will show you those devices that do not contain that ACE.

Thank you, this is exactly what I want.

Just one little issue:

the line I'm looking for in the ACL is like

access-list 175 permit ip x.x.x.x 0.0.0.y 192.168.0.1 0.0.0.63

with "x" and "y" being different every time.

For the moment, by using the "search archive" function, I am looking for all the equipment with an ACL 175. It reduces the number of devices to 172 (initially there are more than 450).

I do it this way because apparently it is not possible to look for lines which are alike. It is necessary to type the complete line.

Am I wrong? Maybe there is another solution?

Thank you

Searching for the individual patterns is the only way to do it.
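
Added example, not part of the thread and not LMS functionality: an offline audit over exported configuration text that ignores the varying source and checks whether any permit ACE in the ACL has a destination wildcard range covering a given address (the coverage question raised earlier in the thread). It assumes the configs are available as plain text and parses only numbered `access-list ... ip` entries; the device names and sample configs are constructed.

```python
import ipaddress
import re

# Numbered extended ACE: access-list <n> permit|deny ip <src> <dst> [options]
# An address is "any", "host A.B.C.D" or "A.B.C.D <wildcard>".
ADDR = r"(any|host \d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(rf"^access-list (\d+) (permit|deny) ip {ADDR} {ADDR}(?: .*)?$")

def covers(spec, ip):
    """True if an IOS address spec matches ip (wildcard bit 1 = don't care)."""
    target = int(ipaddress.IPv4Address(ip))
    if spec == "any":
        return True
    if spec.startswith("host "):
        return int(ipaddress.IPv4Address(spec[5:])) == target
    base, wildcard = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    care = ~wildcard & 0xFFFFFFFF
    return (base & care) == (target & care)

def acl_permits_destination(config, acl, ip):
    """True if some permit ACE of the ACL has a destination covering ip.
    Source is ignored; earlier deny ACEs (first-match order) are not modelled."""
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and int(m.group(1)) == acl and m.group(2) == "permit" and covers(m.group(4), ip):
            return True
    return False

def devices_missing(configs, acl, ip):
    """Devices whose ACL has no permit ACE reaching ip (or no such ACL at all)."""
    return sorted(n for n, c in configs.items() if not acl_permits_destination(c, acl, ip))

# Constructed sample configs; device names are hypothetical.
SAMPLE_CONFIGS = {
    "rtr-a": "access-list 175 permit ip 10.1.2.0 0.0.0.255 192.168.0.1 0.0.0.63\n",
    "rtr-b": "access-list 175 permit ip 10.9.0.0 0.0.0.127 192.168.0.15 0.0.0.31 log\n",
    "rtr-c": "access-list 175 permit ip any 192.168.4.0 0.0.0.255\n"
             "access-list 199 permit ip any 192.168.0.0 0.0.0.63\n",
    "rtr-d": "interface FastEthernet0/2/0\n ip address 10.0.0.1 255.255.255.0\n",
}

if __name__ == "__main__":
    print(devices_missing(SAMPLE_CONFIGS, 175, "192.168.0.15"))
```

Devices with no ACL 175 at all are reported as missing too, so filter the input first if only devices that carry the ACL are of interest.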

Thank you so much for your help.

Just to be sure:

For what I do with "Search Archive", can I do the same with a "baseline template" without modifying the configuration of my equipment?

You can use baseline compliance without modifying the config on the devices, but for what you want to do, I don't think it will be any easier for you.  You want to find devices that match the pattern.  For this, search archive is really the easiest.  Baseline will not give you that nice device list.

Thank you so much !

I think you can close the topic.

shinji7800
Level 1

I have a question about "baseline template".

I am now trying to find out if some interfaces don't have an OSPF key.

I created my basic template like this:

Conditional Block

     sub mode

interface [#FastEthernet0/2/*#]

     CLI commands

- shutdown

With that I am trying to find all Fa interfaces beginning with 0/2/...

Then, to continue:

Compliance Block (Use the Submode of above condition is checked)

     CLI commands

+ ip ospf message-digest-key [#*#]

and like this it doesn't work...

so I wonder how the "stars *", "sharps #", etc. work...

I tried this because the manual uses them, but I think I am not using them properly.

Thank you for answering me

Please start a new thread for this as we've moved away from the original issue.

I'm sorry, I will start a new thread.