This is possible using CPD, probably would be best to split into 2 separate rules.  Can you provide an example of the interfaces you mentioned and the keywords?

-Lon.

Here is a sample. Not every router has a multilink interface, but some do. I want to be able to check all serial and multilink interfaces, if they exist, on the router and make sure they either have the command "crypto map getvpn-map" OR if not they have one of several other commands that would make that command unnecessary, like "no ip address" or "shutdown" or "voice". The purpose is to make sure the WAN interface is configured for encryption.

I have a way to do that using RexEx, but it simply checks and when it finds a match it stops. So, for example, once it finds one serial interface that matches the criteria, it stops even though there are multiple serial interfaces on the router. Also, although I have copied the RegEx exactly and simply sumstituted "Multilink" for "Serial", if fails on the Multilink interface even though it includes "crypto map getvpn-map". I can't determine why.

I have other rules for which I need to check multiple instances of a certain interface type for a command or sequence of commands, such as ethernet interfaces for a "no cdp enable" command. Under some circumstances that command is okay, under others it's not.

interface Multilink1
 bandwidth 3072
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip flow egress
 no peer neighbor-route
 ppp chap hostname 
 ppp multilink
 ppp multilink links minimum 1
 ppp multilink group 1
 ppp multilink fragment disable
 service-policy output br-qos-policy
!
interface Serial0/0/0:0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 encapsulation ppp
 load-interval 30
 no peer neighbor-route
 ppp chap hostname 
 ppp multilink
 ppp multilink group 1
 hold-queue 1000 in
 hold-queue 1000 out
!
interface Serial0/0/1:0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 encapsulation ppp
 load-interval 30
 no peer neighbor-route
 ppp chap hostname 
 ppp multilink
 ppp multilink group 1
 hold-queue 1000 in
 hold-queue 1000 out
!
interface Serial0/3/1:23
 description 
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
 !
!
interface Serial2/0:23
 description 
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
 !        
!
interface Serial2/0:23
 description 
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
 !
!
interface Serial2/1:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-5ess
 isdn incoming-voice voice

Sorry this took so long to get back to, but try something like the CPD rule below for what you are attempting.  The Invalid-Block is critical to add in order for the whole thing to work properly.  You must identify all of the possible options previous to the Invalid-Block.

Required-Block:
    interface (Mu|Se).*
        ip address.*
        crypto map getvpn-map

Optional-Block:
    interface (Mu|Se).*
        ...other command
        
Optional-Block:
    interface (Mu|Se).*
        no ip address

Optional-Block:
    interface (Mu|Se).*
        shutdown

Optional-Block:
    interface (Mu|Se).*
        voice

Invalid-Block:
    interface (Mu|Se).*

I took the example listed above and removed "no ip address" from each of the serial interfaces and "crypto map getvpn-map" from the multilink interface. That should have caused the rule to fail, but it didn't, it passed.

I appreciate the work though.

Hi Dennis,

Something must be missing somewhere.  I tested my example and it appeared to have worked.  What version of NetMRI are you using?  Could you attach an export of the sample config you are using and an export of the rule?

Thanks,

Lon.

I think the issue now is identifying the interfaces I want to check. Some consistentcy would help.

#Section: CDP Enabled
#Description:
#Check for CDP enabled on certain interfaces

Required-Block:
    interface .*Ethernet.*
        description [Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW].*
        .+
        !
        
Optional-Block:
    interface .*Ethernet.*
        description [Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW].*
        .+
        cdp enable

Optional-Block:
    interface .*Ethernet.*
        description [Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW].*
        .+
        shutdown

Invalid-Block:
    interface .*Ethernet.*
        description [Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW].*
        .+
        no cdp enable

#Section: CDP Enabled
#Description:
#Check for CDP enabled on certain interfaces

Required-Block:
    interface .*Ethernet.*
        description [Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW].*
        .+
        !

Optional-Block:
    interface .*Ethernet.*
        .+
        encapsulation .*

Optional-Block:
    interface .*Ethernet.*
        .+
        ip helper-address .*
        .+
        !

Optional-Block:
    interface .*Ethernet.*
        description [Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW].*
        no ip address
        

Optional-Block:
    interface .*Ethernet.*
        description [Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW].*
        .+
        shutdown

Invalid-Block:
    interface .*Ethernet.*
        description [Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW].*
        .+
        no cdp enable

The issue is that the router does not contain the "required block" because the ethernet interface does not have a description that matches the one in the rule, BUT the ethernet interface DOES match one of the optional blocks. Perhaps this is the way that is intended to work.

Yes, "required" means exactly that.  The config is scanned to match each Required pattern.  When a match is found, those statements are in effect masked out / ineligible for subsequent pattern matches.  That's why the Invalid must be the last check so it operates only on the leftover statements.

There are several caveats due to bugs in the CPD editor.  One of them is that you should not mix required and optional.  In my experience, using optional with a catch all of "invalid" is the best approach.  Just like the other parts of the policy engine, the tool works on a first match basis.  so, list all your optionals as discreet matches and then a broader invalid.  This logic is "If it's not A or B or C, then it must be invalid".  I've found this works best.  

NetMRI 6.9 policy engine has a new ConfigBlockCheck XML element that will handle this. It provides a variety of means to delineate the end of the block, and thus is MUCH more flexible (and understandable) than CPD.