01-06-2020 04:14 AM - edited 01-06-2020 04:14 AM
I encounter something weird.
When I try to check whether a specific ACL exists with specific settings, I get incorrect successes.
I have the following:
Condition 1
Condition scope: Configuration Block
Block Start Expression: ip access-list standard (.*)
Advance block Option: Rule Passed if Any Sub block is passed
Operator: Matches the expression
Value: ip access-list standard ntp_deny
Action: Does not match Action select Action: Raise a Violation and Continue
Condition 2
Condition scope: Previously Matched Blocks
Block Start Expression:
Operator: Matches the expression
Value: \sdeny\s\s\sany
Action: Does not match Action select Action: Raise a Violation and Continue
I do this while the following config is present on the switch.
ip access-list standard server01
 remark Cisco Prime
 permit 192.168.1.50
ip access-list standard ntp_deny
 deny any
It returns a success when I use condition 2. But it also does so when I have the condition configured as follows:
Condition scope: Previously Matched Blocks
Block Start Expression:
Operator: Matches the expression
Value: remark Cisco Prime
Action: Does not match Action select Action: Raise a Violation and Continue
I seem to be unable to target a specific ACL.
When I change the "Advance block Option:" to "Rule Passed only if All Sub block are passed", it returns warnings for every unmatched ACL.
I also tried to just check the whole thing like this:
Condition scope: Configuration Block
Block Start Expression:
Operator: Matches the expression
Value: ip access-list standard ntp_deny\n\sdeny\s\s\sany
Action: Does not match Action select Action: Raise a Violation and Continue
This also isn't flawless. In cases where I have multiple settings inside the ACL it always fails when I check it. It will only succeed when I remove the last setting from the check.
Is this a bug or am I doing something wrong?
09-24-2020 10:31 PM
Did you get this to work? I'm trying to verify that an ACL only contains the expected permitted subnets. But it also fails for the expected permitted subnets.
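As an added illustration (this is not the posters' code, and it is not Prime's compliance engine), here is a small Python model of what a block-scoped compliance rule like the one in the first post is expected to do: split the running-config into blocks at lines matching the block start expression, keep only the block whose start line matches condition 1, and then test each child line of that block against condition 2. It also covers the second poster's case, checking that a selected ACL contains only an expected set of entries. The config excerpt is constructed from the one quoted in the thread; it assumes IOS indents ACL entries by one space and pads "deny   any" the way the thread's regex \sdeny\s\s\sany expects.

```python
import re

# Constructed running-config excerpt modelled on the snippet quoted in the
# thread (not taken from a real device). ACL entries are assumed to be
# indented one space, and "deny   any" is assumed to be padded as IOS prints
# it, which is what the thread's regex \sdeny\s\s\sany expects.
SAMPLE_CONFIG = """\
ip access-list standard server01
 remark Cisco Prime
 permit 192.168.1.50
ip access-list standard ntp_deny
 deny   any
ntp server 192.168.1.10
"""


def split_blocks(config, block_start_re):
    """Split config text into (start_line, child_lines) blocks.

    A block begins at a line matching block_start_re and takes the indented
    lines that follow it; the first non-indented line closes it. This mirrors
    the 'Configuration Block' scope described in the thread.
    """
    start = re.compile(block_start_re)
    blocks, current = [], None
    for line in config.splitlines():
        if start.match(line):
            current = (line, [])
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line)
        else:
            current = None
    return blocks


def select_blocks(blocks, value_re):
    """Condition 1: keep only the blocks whose start line matches value_re."""
    pat = re.compile(value_re)
    return [b for b in blocks if pat.search(b[0])]


def check_child_lines(blocks, value_re):
    """Condition 2 ('Previously Matched Blocks' scope): per selected block,
    True if any child line matches value_re, False otherwise (a violation).
    """
    pat = re.compile(value_re)
    return {start: any(pat.search(c) for c in children)
            for start, children in blocks}


def check_whole_block(blocks, value_re):
    """The single-condition variant from the thread: match a multi-line regex
    against the whole block text (start line plus its child lines).
    """
    pat = re.compile(value_re)
    return {start: bool(pat.search("\n".join([start, *children])))
            for start, children in blocks}


def check_only_allowed_entries(blocks, allowed_entries):
    """The second poster's need: the ACL must contain only the expected
    entries. Remarks are ignored and whitespace is normalised; returns the
    set of unexpected entries per block (an empty set means compliant).
    """
    allowed = {" ".join(e.split()) for e in allowed_entries}
    result = {}
    for start, children in blocks:
        entries = {" ".join(c.split()) for c in children}
        entries = {e for e in entries if not e.startswith("remark")}
        result[start] = entries - allowed
    return result


def evaluate(config=SAMPLE_CONFIG):
    """Run the checks discussed in the thread against the sample config."""
    blocks = split_blocks(config, r"ip access-list standard (.*)")
    ntp = select_blocks(blocks, r"ip access-list standard ntp_deny$")
    return {
        "deny_any_in_ntp_deny": check_child_lines(ntp, r"\sdeny\s\s\sany"),
        "remark_in_ntp_deny": check_child_lines(ntp, r"remark Cisco Prime"),
        "whole_block": check_whole_block(
            ntp, r"ip access-list standard ntp_deny\n\sdeny\s\s\sany"),
        "server01_extra_entries": check_only_allowed_entries(
            select_blocks(blocks, r"ip access-list standard server01$"),
            ["permit 192.168.1.50"]),
    }


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(name, outcome)
```

Two details worth carrying over to a real rule: anchoring the condition 1 value with `$` keeps `ntp_deny` from also selecting a hypothetical `ntp_deny2`, and normalising whitespace before comparing entries avoids false violations caused only by the padding IOS inserts after `deny` and `permit`.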
10-29-2020 08:53 AM
No, unfortunately not.
In the end I gave up on using the compliance tool because it doesn't work properly (or as you expect).
I'm now using Prime 3.8 and nothing has changed, so I don't expect any improvements from Cisco on this.