Solved: Re: Q: LMS 3.1 compliance template with condition

ww9rivers · ‎12-13-2010

Hello, forum,

I am trying to create a template to change TACACS settings on our devices, which I would like to work on both routers and switches.

The part for switching tacacs-server is straightforward. Then I would like all the routers to source its tacacs traffic via the Loopback0 interface.

Essentially, what I try to do is to apply the "ip tacacs source-interface Loopback0" command depending on the existance of the "interface Loopback0" in the device's configuration.

I thought that should be easy but I am not having any luck at all. Help would be greatly appreciated.

Regards,

--

Wei

Joel Monge · ‎02-15-2011

Date Created: 12-FEB-2011 02:07 AM Created By: Reyes, Veronica(VERREYES,265015)

After installing the patch correctly, we created the template as follows:

interface [#Loopback.*#]

+ ip tacacs source-interface loopback0

It ran ok in the customer's devices.

View solution in original post

ww9rivers · ‎12-14-2010

From reading the details on the "Creating an Advanced Baseline Template" section in the online help, it seems that what I wanted to do is not there in LMS 3.1.

Is that a correct understanding?

It seems to me that, by adding a simple check to mark a Prerequisite a condition-only, that would have been possible. That way, a Prerequisite is only a condition for evaluating the next element that has it as prerequisite, but does not invalidate the entire template.

Joe Clarke · ‎12-14-2010

Trying do this instead:

Name: CheckLoopback

IsPrereq: true

Submode: interface Loopback0

Body:

+ [#ip address .*#]

ww9rivers · ‎12-15-2010

I understand that's what "submode" means to do. But that's not what I want.

After talking to TAC, we basically concluded that, what I wanted was not possible, however simple it may be.

Joe Clarke · ‎12-15-2010

My example should work, and I think it will do exactly what you want. That is, if the device has a Loopback0 interface with an IP address, then the condition will be true. You can then use that condition to apply the source interface command for TACACS+. Am I misunderstanding your intention?

ww9rivers · ‎12-16-2010

Your example works the way you describe it. Mine does that, too, although mine does not check for the existence of an IP address on the Loopback interface -- In our network, that is standard practice.

The difference is this: The template will apply the IP sourcing command for TACACS+ traffic on those devices that have a Loopback0 interface, not on those that don't. AND, the result of evaluating this task will be success on those with a Loopback0 interface and failure with those that don't.

So that means this task has to be made a separate template and executed by itself -- it can not be part of another advanced template because it will stop any subsequent components of the advanced template from being executed. In the end, it means more mandatory human interference in the process.

Joe Clarke · ‎12-18-2010

Okay, I understand now. What you're seeing is a bug. I fixed this for sub-mode commandlets, but not for global commandlets. I played around with your template, and I got it working in LMS 3.2 and 4.0. If you can upgrade to 3.2 (you can download the update from http://www.cisco.com/go/nmsevals), click the Open Service Request button in the Action panel of this thread, and I will provide the patch to your engineer.

ww9rivers · ‎01-10-2011

Joe, thanks!

I have upgraded to LMS 3.2 and entered a TAC case (SR 616449315).

Joel Monge · ‎02-15-2011

Date Created: 12-FEB-2011 02:07 AM Created By: Reyes, Veronica(VERREYES,265015)

After installing the patch correctly, we created the template as follows:

interface [#Loopback.*#]

+ ip tacacs source-interface loopback0

It ran ok in the customer's devices.