LMS 3.2.1 - Compliance Template Range Statement

efairbanks
Level 1

I am trying to create a very basic template in compliance manager that checks for interfaces that aren't members of specific VLANs. VLAN 10 being one of them.  I want to match interfaces assigned to VLAN 20.  According to the documentation I have read, the following range statement should work because 10 falls between 3 and 19:

Submode: interface [#.*Ethernet.*#]

- switchport access vlan [#[3-19]#]

With the preceding statement, however, interfaces assigned to both VLAN 10 and VLAN 20 are matching the rule.  If I comment out the above rule, and just specify VLAN 10 using the following, the check works correctly:

Submode: interface [#.*Ethernet.*#]

- switchport access vlan 10

With this specific rule (not a range), only interfaces w/VLAN 20 are processed by the template, which is expected. 

We actually have numerous VLANs that we want to exclude/include.  I only mentioned VLANs 10 and 20 for brevity. 

Anyone have any idea what is wrong with the statement?

Thanks in advance.

-Erik

1 Reply

efairbanks
Level 1

I figured it out and am posting the solution for the benefit of the community.

The following verbiage in the following Cisco document appears to be incorrect:

"The preceding template command provides a strict matching. However, you could use a range of addresses through regular expressions. Suppose you wanted to allow any address between 2 to 15 in the 48 subnet; then you could modify the preceding command as:

+ access-list 2 permit 36.48.0.[#[2-15]#]"

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-529569.html#wp9000311

I ended up using the following statement, which checks for any switchport assigned to any VLAN between 21 and 75.

- switchport access vlan [#(2[1-9]|3[0-9]|4[0-9]|5[0-9]|6[0-9]|7[0-5])#]

HTH

-Erik
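The root cause in this thread is that a regex character class such as `[3-19]` matches one character, not a number. The following is an added example, not part of the original thread or of Cisco's LMS documentation: it generalizes the poster's hand-written alternation into a small generator that builds a true numeric-range pattern for any lo..hi, checks sample `switchport access vlan` lines against it, and shows the broken character-class form beside it. Anchoring the pattern at both ends is this example's own assumption, not something the LMS template engine is known to do.

```python
import re


def _group(s: str) -> str:
    # Wrap an alternation so a prefix digit applies to every branch.
    return f"(?:{s})" if "|" in s else s


def _same_length(lo: str, hi: str) -> str:
    """Regex for integers lo..hi where both have the same digit count."""
    if lo == hi:
        return lo
    if len(lo) == 1:
        return f"[{lo}-{hi}]"
    rest = len(lo) - 1
    if lo[0] == hi[0]:
        return lo[0] + _group(_same_length(lo[1:], hi[1:]))
    parts = [lo[0] + _group(_same_length(lo[1:], "9" * rest))]
    a, b = int(lo[0]) + 1, int(hi[0]) - 1
    if a <= b:
        parts.append((str(a) if a == b else f"[{a}-{b}]") + "[0-9]" * rest)
    parts.append(hi[0] + _group(_same_length("0" * rest, hi[1:])))
    return "|".join(parts)


def numeric_range_regex(lo: int, hi: int) -> str:
    """Build a regex matching exactly the decimal integers lo..hi.
    A class like [3-19] or [2-75] matches ONE character, not a number,
    which is why the poster's first template also matched VLAN 20.
    For 21..75 this returns (?:2[1-9]|[3-6][0-9]|7[0-5]), equivalent to
    the hand-written alternation in the reply above."""
    parts = []
    for n in range(len(str(lo)), len(str(hi)) + 1):
        a = max(lo, 10 ** (n - 1) if n > 1 else 0)
        b = min(hi, 10 ** n - 1)
        parts.append(_same_length(str(a), str(b)))
    return "(?:" + "|".join(parts) + ")"


def vlan_in_range(line: str, lo: int, hi: int) -> bool:
    """True if a 'switchport access vlan N' line has lo <= N <= hi.
    Anchoring at both ends is this example's own choice so that VLAN 210
    cannot slip through a pattern meant for 21..75."""
    pat = re.compile(r"^\s*switchport access vlan " + numeric_range_regex(lo, hi) + r"\s*$")
    return pat.match(line) is not None


def char_class_match(line: str) -> bool:
    """The broken form: [2-75] is a class of the single digits 2..7 and 5.
    Python rejects [3-19] outright as a bad range (3-1), so the legal but
    equally wrong [2-75] stands in for it here."""
    return re.search(r"switchport access vlan [2-75]", line) is not None
```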
