01-06-2020 04:14 AM - edited 01-06-2020 04:14 AM
I have encountered something weird.
When I try to check whether a specific ACL exists with specific settings, I get incorrect successes.
I have the following:
Condition 1
Condition scope: Configuration
Block Start Expression: ip access-list standard (.*)
Advance block Option: Rule Passed if Any Sub block is passed
Operator: Matches the expression
Value: ip access-list standard ntp_deny
Action: Does not match Action select Action: Raise a Violation and Continue
Condition 2
Condition scope: Previously Matched Blocks
Block Start Expression:
Operator: Matches the expression
Value: \sdeny\s\s\sany
Action: Does not match Action select Action: Raise a Violation and Continue
I do this while the following config is present on the switch.
ip access-list standard server01
 remark Cisco Prime
 permit 192.168.1.50
ip access-list standard ntp_deny
 deny   any
It returns a success when I use condition 2, but also when I have the condition configured as follows:
Condition scope: Previously Matched Blocks
Block Start Expression:
Operator: Matches the expression
Value: remark Cisco Prime
Action: Does not match Action select Action: Raise a Violation and Continue
I seem to be unable to target a specific ACL.
When I change the "Advance block Option:" to "Rule Passed only if All Sub block are passed", it returns warnings for every unmatched ACL.
I also tried to just check the whole thing like this.
Condition scope: Configuration
Block Start Expression:
Operator: Matches the expression
Value: ip access-list standard ntp_deny\n\sdeny\s\s\sany
Action: Does not match Action select Action: Raise a Violation and Continue
This also isn't flawless. In cases where I have multiple settings inside the ACL, it always fails when I check it. It will only succeed when I remove the last setting from the check.
Is this a bug or am I doing something wrong?
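Added example, not code from the thread or from Cisco Prime: a small Python checker that reproduces the "block start expression plus sub-block match" model the post describes, run over a constructed config copied from the ACLs quoted above. It assumes IOS-style indentation (block children indented by one space) and shows why an unanchored start expression such as `ip access-list standard (.*)` with "Any Sub block" lets a different ACL satisfy the check, and how comparing the named ACL's entries as an ordered list handles ACLs with several entries.

```python
import re
from typing import Dict, List

# Constructed sample config, mirroring the two ACLs quoted in the thread.
SAMPLE_CONFIG = """\
ip access-list standard server01
 remark Cisco Prime
 permit 192.168.1.50
ip access-list standard ntp_deny
 deny   any
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into top-level lines and their indented sub-lines.

    Keys are top-level lines such as 'ip access-list standard ntp_deny'; values
    are the child lines with indentation stripped and internal whitespace
    collapsed, so 'deny   any' (as IOS prints it) compares equal to 'deny any'.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment markers
        if not raw[0].isspace():
            current = " ".join(raw.split())
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(" ".join(raw.split()))
    return blocks


def block_matches(config: str, start_regex: str, line_regex: str) -> List[str]:
    """Return the block start lines whose children contain a line matching line_regex.

    start_regex is applied with fullmatch, so 'ip access-list standard ntp_deny'
    selects exactly one ACL, whereas 'ip access-list standard (.*)' selects every
    standard ACL and lets any one of them satisfy line_regex (the "Any Sub block"
    behaviour described in the thread).
    """
    start = re.compile(start_regex)
    line = re.compile(line_regex)
    hits = []
    for head, children in parse_blocks(config).items():
        if start.fullmatch(head) and any(line.search(c) for c in children):
            hits.append(head)
    return hits


def acl_findings(config: str, name: str, expected: List[str]) -> List[str]:
    """Compare the named standard ACL against the expected entries, in order.

    Returns human-readable violations; an empty list means the ACL is compliant.
    Order matters because IOS evaluates ACL entries first-match.
    """
    head = f"ip access-list standard {name}"
    blocks = parse_blocks(config)
    if head not in blocks:
        return [f"ACL '{name}' not found"]
    actual = blocks[head]
    wanted = [" ".join(e.split()) for e in expected]
    findings = []
    for entry in wanted:
        if entry not in actual:
            findings.append(f"ACL '{name}' is missing entry '{entry}'")
    for entry in actual:
        if entry not in wanted:
            findings.append(f"ACL '{name}' has unexpected entry '{entry}'")
    if not findings and actual != wanted:
        findings.append(f"ACL '{name}' entries are out of order")
    return findings


if __name__ == "__main__":
    # Broad start expression: the remark in server01 satisfies a check meant for ntp_deny.
    print(block_matches(SAMPLE_CONFIG, r"ip access-list standard (.*)", r"remark Cisco Prime"))
    # Anchored start expression: only ntp_deny is inspected, so the remark is not found.
    print(block_matches(SAMPLE_CONFIG, r"ip access-list standard ntp_deny", r"remark Cisco Prime"))
    # Full entry comparison for an ACL with more than one entry.
    print(acl_findings(SAMPLE_CONFIG, "server01", ["remark Cisco Prime", "permit 192.168.1.50"]))
```

Anchoring the start expression to the exact ACL name is what keeps a sub-block match from being satisfied by a different ACL; comparing the entry list rather than a single multi-line regex avoids the failure the post sees when the ACL has more than one entry.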
09-24-2020 10:31 PM
Did you get this to work? I'm trying to verify an ACL only contains the expected permitted subnets, but it also fails for the expected permitted subnets.
10-29-2020 08:53 AM
No, unfortunately not.
In the end I gave up on using the compliance tool because it doesn't work properly (or as you expect).
I'm now using Prime 3.8 and nothing has changed, so I don't expect any improvements from Cisco on this.