unable to target specific ACL with compliance tool cisco prime 3.7

NicP
Level 1

I encounter something weird.
When I try to check if a specific ACL exists with specific settings, I get incorrect successes.
I have the following:

Condition 1

Condition scope: Configuration
Block Start Expression: ip access-list standard (.*)
Advance block Option: Rule Passed if Any Sub block is passed
Operator: Matches the expression
Value: ip access-list standard ntp_deny
Action: Does not match Action
select Action: Raise a Violation and Continue

Condition 2

Condition scope: Previously Matched Blocks
Block Start Expression:
Operator: Matches the expression
Value: \sdeny\s\s\sany
Action: Does not match Action
select Action: Raise a Violation and Continue

I do this while the following config is present on the switch.

ip access-list standard server01
 remark Cisco Prime
 permit 192.168.1.50
ip access-list standard ntp_deny
 deny   any

It returns a success when I use condition 2. But it also does so when I have the condition configured as follows:

Condition scope: Previously Matched Blocks
Block Start Expression:
Operator: Matches the expression
Value: remark Cisco Prime
Action: Does not match Action
select Action: Raise a Violation and Continue

I seem to be unable to target a specific ACL.

When I change the "Advance block Option:" to "Rule Passed only if All Sub blocks are passed", it returns warnings for every unmatched ACL.

I also tried to just check the whole thing like this:

Condition scope: Configuration
Block Start Expression: 
Operator: Matches the expression
Value: ip access-list standard ntp_deny\n\sdeny\s\s\sany
Action: Does not match Action
select Action: Raise a Violation and Continue

This also isn't flawless. In cases where I have multiple settings inside the ACL, it always fails when I check it. It will only succeed when I remove the last setting from the check.

Is this a bug, or am I doing something wrong?
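The check the post is trying to express, as an added Python example that is not part of the original thread and not Cisco Prime's own logic: the config is split into blocks at the Block Start Expression, the block header is then matched against the exact ACL name (so a match in some other ACL cannot produce a false success), and only that block's entries are searched. The sample configuration is the one quoted in the post; the ACL names and patterns in the expected-entries dictionary are constructed for illustration.

```python
import re

# Constructed sample: the switch configuration quoted in the post.
SAMPLE_CONFIG = """\
ip access-list standard server01
 remark Cisco Prime
 permit 192.168.1.50
ip access-list standard ntp_deny
 deny   any
"""


def split_blocks(config: str, block_start: str):
    """Split an IOS-style config into (header, body_lines) blocks.

    A block begins at a line matching block_start and collects the
    indented lines that follow it, i.e. the grouping a Block Start
    Expression is meant to produce."""
    start = re.compile(block_start)
    blocks = []
    for line in config.splitlines():
        if start.match(line):
            blocks.append((line, []))
        elif blocks and line.startswith(" "):
            blocks[-1][1].append(line)
    return blocks


def acl_has_line(config: str, acl_name: str, line_pattern: str) -> bool:
    """True if the standard ACL named acl_name exists and one of its
    entries matches line_pattern. Matching the header on the exact name
    is what prevents "any sub block passed" from hiding a missing entry."""
    header = re.compile(rf"^ip access-list standard {re.escape(acl_name)}$")
    body = re.compile(line_pattern)
    for hdr, lines in split_blocks(config, r"ip access-list standard (.*)"):
        if header.match(hdr):
            return any(body.search(entry) for entry in lines)
    return False  # ACL is absent entirely: also a violation


def violations(config: str, expected: dict) -> list:
    """Return (acl_name, pattern) for every expected entry that is missing."""
    return [(acl, pat)
            for acl, pats in expected.items()
            for pat in pats
            if not acl_has_line(config, acl, pat)]
```

Running `violations(SAMPLE_CONFIG, {"ntp_deny": [r"^\sdeny\s+any$"]})` returns an empty list, while the same check against a config where ntp_deny lacks the deny line, or does not exist, reports the pair.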

2 Replies

msanchez
Level 1

Did you get this to work? I'm trying to verify an ACL only contains the expected permitted subnets. But it also fails for the expected permitted subnets.

No, unfortunately not.

In the end I gave up on using the compliance tool because it doesn't work properly (or as you expect).

I'm now using Prime 3.8 and nothing has changed, so I don't expect any improvements from Cisco on this.
