Need assistance with Compliance Check script
04-17-2014 07:54 AM
I'm new to both CPD and RegEx. In writing rules for compliance checking I've run into a problem determining how to write a rule.
What I want to do is find any interface on a Cisco switch with a description containing one of several words AND check that interface block to make sure that the command "no cdp enable" is NOT in the interface block. If the interface DOES NOT contain a description containing one of those several words, then it should contain either "no cdp enable" or "shutdown".
I have used this in HPNA because HPNA has an easy way to define and check a config block defined by how it begins and ends. You can then use logic to check whether certain commands are in that block.
I've tried this in NetMRI using command logic, but the rule fails. Any assistance would be appreciated.
This is possible using CPD,
04-25-2014 06:05 AM
This is possible using CPD, probably would be best to split into 2 separate rules. Can you provide an example of the interfaces you mentioned and the keywords?
-Lon.
Sample interfaces
04-25-2014 10:53 AM
Here is a sample. Not every router has a multilink interface, but some do. I want to be able to check all serial and multilink interfaces, if they exist, on the router and make sure they either have the command "crypto map getvpn-map" OR if not they have one of several other commands that would make that command unnecessary, like "no ip address" or "shutdown" or "voice". The purpose is to make sure the WAN interface is configured for encryption.
I have a way to do that using RegEx, but it simply checks and when it finds a match it stops. So, for example, once it finds one serial interface that matches the criteria, it stops even though there are multiple serial interfaces on the router. Also, although I have copied the RegEx exactly and simply substituted "Multilink" for "Serial", it fails on the Multilink interface even though it includes "crypto map getvpn-map". I can't determine why.
I have other rules for which I need to check multiple instances of a certain interface type for a command or sequence of commands, such as ethernet interfaces for a "no cdp enable" command. Under some circumstances that command is okay, under others it's not.
interface Multilink1
 bandwidth 3072
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip flow egress
 no peer neighbor-route
 ppp chap hostname
 ppp multilink
 ppp multilink links minimum 1
 ppp multilink group 1
 ppp multilink fragment disable
 service-policy output br-qos-policy
!
interface Serial0/0/0:0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 encapsulation ppp
 load-interval 30
 no peer neighbor-route
 ppp chap hostname
 ppp multilink
 ppp multilink group 1
 hold-queue 1000 in
 hold-queue 1000 out
!
interface Serial0/0/1:0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 encapsulation ppp
 load-interval 30
 no peer neighbor-route
 ppp chap hostname
 ppp multilink
 ppp multilink group 1
 hold-queue 1000 in
 hold-queue 1000 out
!
interface Serial0/3/1:23
 description
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
!
!
interface Serial2/0:23
 description
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
!
!
interface Serial2/0:23
 description
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
!
!
interface Serial2/1:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-5ess
 isdn incoming-voice voice
Sorry this took so long to
05-01-2014 05:26 AM
Sorry this took so long to get back to, but try something like the CPD rule below for what you are attempting. The Invalid-Block is critical to add in order for the whole thing to work properly. You must identify all of the possible options previous to the Invalid-Block.
Required-Block:
interface (Mu|Se).*
ip address.*
crypto map getvpn-map
Optional-Block:
interface (Mu|Se).*
...other command
Optional-Block:
interface (Mu|Se).*
no ip address
Optional-Block:
interface (Mu|Se).*
shutdown
Optional-Block:
interface (Mu|Se).*
voice
Invalid-Block:
interface (Mu|Se).*
Doesn't seem to work
05-01-2014 05:49 AM
I took the example listed above and removed "no ip address" from each of the serial interfaces and "crypto map getvpn-map" from the multilink interface. That should have caused the rule to fail, but it didn't, it passed.
I appreciate the work though.
Hi Dennis,
05-01-2014 06:12 AM
Hi Dennis,
Something must be missing somewhere. I tested my example and it appeared to have worked. What version of NetMRI are you using? Could you attach an export of the sample config you are using and an export of the rule?
Thanks,
Lon.
I've tried this, still failing, still working on it.
06-25-2014 05:47 AM
I think the issue now is identifying the interfaces I want to check. Some consistency would help.
#Section: CDP Enabled
#Description:
#Check for CDP enabled on certain interfaces
Required-Block:
interface .*Ethernet.*
description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
.+
!
Optional-Block:
interface .*Ethernet.*
description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
.+
cdp enable
Optional-Block:
interface .*Ethernet.*
description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
.+
shutdown
Invalid-Block:
interface .*Ethernet.*
description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
.+
no cdp enable
This seems to work, but.....
06-25-2014 05:58 AM
#Section: CDP Enabled
#Description:
#Check for CDP enabled on certain interfaces
Required-Block:
interface .*Ethernet.*
description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
.+
!
Optional-Block:
interface .*Ethernet.*
.+
encapsulation .*
Optional-Block:
interface .*Ethernet.*
.+
ip helper-address .*
.+
!
Optional-Block:
interface .*Ethernet.*
description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
no ip address
Optional-Block:
interface .*Ethernet.*
description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
.+
shutdown
Invalid-Block:
interface .*Ethernet.*
description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
.+
no cdp enable
The issue is that the router does not contain the "required block" because the ethernet interface does not have a description that matches the one in the rule, BUT the ethernet interface DOES match one of the optional blocks. Perhaps this is the way that is intended to work.
Working as designed
06-25-2014 12:45 PM
Yes, "required" means exactly that. The config is scanned to match each Required pattern. When a match is found, those statements are in effect masked out / ineligible for subsequent pattern matches. That's why the Invalid must be the last check so it operates only on the leftover statements.
There are several caveats due
06-27-2014 09:45 AM
There are several caveats due to bugs in the CPD editor. One of them is that you should not mix required and optional. In my experience, using optional with a catch-all of "invalid" is the best approach. Just like the other parts of the policy engine, the tool works on a first-match basis. So, list all your optionals as discrete matches and then a broader invalid. This logic is "If it's not A or B or C, then it must be invalid". I've found this works best.
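The two checks discussed in this thread (Serial/Multilink interfaces needing "crypto map getvpn-map" or one of the listed exceptions, and Ethernet interfaces whose description names a router/switch/firewall needing CDP left on, all others needing "no cdp enable" or "shutdown"), written out as an added Python example. This is not NetMRI or CPD code and not code from the thread; it re-implements the "list the allowed shapes first, then a catch-all invalid" first-match logic from the reply above in plain Python so it can be tried offline. The sample config is constructed (a trimmed mix of the interfaces posted above plus made-up Ethernet ports), the keyword list for descriptions is assumed from the posted rule, and "voice" is matched as a substring because the thread does not say which command carries it.

```python
# Added example (not NetMRI/CPD code): interface-block checks with first-match
# rule lists, re-implementing the two checks discussed in the thread.
import re

# Constructed sample config: trimmed from the interfaces posted above plus a
# few Ethernet ports; addresses and descriptions are made up.
SAMPLE_CONFIG = """\
interface Multilink1
 ip address 10.0.0.1 255.255.255.252
 crypto map getvpn-map
!
interface Serial0/0/0:0
 no ip address
!
interface Serial2/1:23
 ip address 10.0.1.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Uplink to Router rtr-core-1
!
interface GigabitEthernet0/2
 description Uplink to rtr-core-2
 no cdp enable
!
interface GigabitEthernet0/3
 description User port
!
interface GigabitEthernet0/4
 shutdown
!
"""


def interface_blocks(config):
    """Split an IOS-style config into (interface name, [sub-commands]) pairs.
    A block ends at the next '!' or the next unindented top-level line."""
    blocks, name, body = [], None, []
    for raw in config.splitlines():
        if raw.startswith("interface "):
            if name:
                blocks.append((name, body))
            name, body = raw.split(None, 1)[1].strip(), []
        elif name and (raw.startswith("!") or (raw and not raw[0].isspace())):
            blocks.append((name, body))
            name, body = None, []
        elif name and raw.strip():
            body.append(raw.strip())
    if name:
        blocks.append((name, body))
    return blocks


def has(body, pattern):
    """True if any sub-command in the block matches the regex."""
    return any(re.search(pattern, line) for line in body)


def evaluate(config, selector, rules):
    """Apply an ordered (verdict, predicate) list to every selected interface.
    The FIRST predicate that holds decides (first-match), so list the allowed
    shapes first and a catch-all last. Every matching block is checked, so a
    second Serial interface is not skipped after the first one passes."""
    return {
        name: next((v for v, p in rules if p(body)), "INVALID: no rule matched")
        for name, body in interface_blocks(config)
        if re.match(selector, name)
    }


# Check 1: every Serial/Multilink WAN interface carries the GET VPN crypto map
# or is one of the documented exceptions.
WAN_SELECTOR = r"^(Multilink|Serial)"
WAN_RULES = [
    ("ok: crypto map getvpn-map", lambda b: has(b, r"^crypto map getvpn-map$")),
    ("ok: no ip address", lambda b: has(b, r"^no ip address$")),
    ("ok: shutdown", lambda b: has(b, r"^shutdown$")),
    ("ok: voice", lambda b: has(b, r"voice")),
    ("INVALID: unencrypted WAN interface", lambda b: True),  # catch-all, last
]

# Check 2: Ethernet ports whose description names a router/switch/firewall
# must keep CDP on (on by default, so "on" means no "no cdp enable");
# every other port must have CDP off or be shut down. Keywords are assumed.
INFRA_DESC = r"(?i)^description .*(rtr|router|sw|fw)"
CDP_SELECTOR = r".*Ethernet"
CDP_RULES = [
    ("INVALID: CDP disabled toward infrastructure",
     lambda b: has(b, INFRA_DESC) and has(b, r"^no cdp enable$")),
    ("ok: CDP on toward infrastructure", lambda b: has(b, INFRA_DESC)),
    ("ok: no cdp enable", lambda b: has(b, r"^no cdp enable$")),
    ("ok: shutdown", lambda b: has(b, r"^shutdown$")),
    ("INVALID: CDP enabled on non-infrastructure port", lambda b: True),
]


def violations(results):
    """Sorted names of interfaces whose verdict is INVALID."""
    return sorted(n for n, v in results.items() if v.startswith("INVALID"))
```

Run `evaluate(SAMPLE_CONFIG, WAN_SELECTOR, WAN_RULES)` and `evaluate(SAMPLE_CONFIG, CDP_SELECTOR, CDP_RULES)` to see one verdict per interface; `violations()` reduces that to the list a compliance report would show. Note the keyword alternation is written as a group `(rtr|router|sw|fw)`, not a character class `[...]`, which would match any single character from the set rather than the words.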
NetMRI 6.9 policy engine has
11-07-2014 07:15 AM
NetMRI 6.9 policy engine has a new ConfigBlockCheck XML element that will handle this. It provides a variety of means to delineate the end of the block, and thus is MUCH more flexible (and understandable) than CPD.