
Need assistance with Compliance Check script

DSmith_1
Techie
Posts: 14
4247     0

I'm new to both CPD and RegEx. In writing rules for compliance checking I've run into a problem determining how to write a rule.

What I want to do is find any interface on a Cisco Switch with a description containing one of several words AND check that interface block to make sure that the command "no cdp enable" is NOT in the interface block. If the interface DOES NOT contain a description containing one of those several words, then it should either contain "no cdp enable" or "shutdown".

I have used this in HPNA because HPNA has an easy way to define and check a config block defined by how it begins and ends. You can then use logic to check whether certain commands are in that block.

I've tried this in NetMRI using command logic, but the rule fails. Any assistance would be appreciated.

This is possible using CPD,

Expert
Posts: 185
4248     0

This is possible using CPD, probably would be best to split into 2 separate rules.  Can you provide an example of the interfaces you mentioned and the keywords?

-Lon.

Sample interfaces

DSmith_1
Techie
Posts: 14
4248     0

Here is a sample. Not every router has a multilink interface, but some do. I want to be able to check all serial and multilink interfaces, if they exist, on the router and make sure they either have the command "crypto map getvpn-map" OR if not they have one of several other commands that would make that command unnecessary, like "no ip address" or "shutdown" or "voice". The purpose is to make sure the WAN interface is configured for encryption.

I have a way to do that using RegEx, but it simply checks and when it finds a match it stops. So, for example, once it finds one serial interface that matches the criteria, it stops even though there are multiple serial interfaces on the router. Also, although I have copied the RegEx exactly and simply substituted "Multilink" for "Serial", it fails on the Multilink interface even though it includes "crypto map getvpn-map". I can't determine why.

I have other rules for which I need to check multiple instances of a certain interface type for a command or sequence of commands, such as ethernet interfaces for a "no cdp enable" command. Under some circumstances that command is okay, under others it's not.

 

interface Multilink1
 bandwidth 3072
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip flow egress
 no peer neighbor-route
 ppp chap hostname 
 ppp multilink
 ppp multilink links minimum 1
 ppp multilink group 1
 ppp multilink fragment disable
 service-policy output br-qos-policy
!
interface Serial0/0/0:0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 encapsulation ppp
 load-interval 30
 no peer neighbor-route
 ppp chap hostname 
 ppp multilink
 ppp multilink group 1
 hold-queue 1000 in
 hold-queue 1000 out
!
interface Serial0/0/1:0
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 encapsulation ppp
 load-interval 30
 no peer neighbor-route
 ppp chap hostname 
 ppp multilink
 ppp multilink group 1
 hold-queue 1000 in
 hold-queue 1000 out
!
interface Serial0/3/1:23
 description 
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
 !
!
interface Serial2/0:23
 description 
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
 !        
!
interface Serial2/0:23
 description 
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn bind-l3 ccm-manager
 no cdp enable
 !
!
interface Serial2/1:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-5ess
 isdn incoming-voice voice

Sorry this took so long to

Expert
Posts: 185
4248     0

Sorry this took so long to get back to, but try something like the CPD rule below for what you are attempting.  The Invalid-Block is critical to add in order for the whole thing to work properly.  You must identify all of the possible options previous to the Invalid-Block.

Required-Block:
    interface (Mu|Se).*
        ip address.*
        crypto map getvpn-map

Optional-Block:
    interface (Mu|Se).*
        ...other command
        
Optional-Block:
    interface (Mu|Se).*
        no ip address

Optional-Block:
    interface (Mu|Se).*
        shutdown

Optional-Block:
    interface (Mu|Se).*
        voice

Invalid-Block:
    interface (Mu|Se).*

Doesn't seem to work

DSmith_1
Techie
Posts: 14
4248     0

I took the example listed above and removed "no ip address" from each of the serial interfaces and "crypto map getvpn-map" from the multilink interface. That should have caused the rule to fail, but it didn't, it passed.

I appreciate the work though.

Hi Dennis,

Expert
Posts: 185
4248     0

Hi Dennis,

Something must be missing somewhere.  I tested my example and it appeared to have worked.  What version of NetMRI are you using?  Could you attach an export of the sample config you are using and an export of the rule?

Thanks,

Lon.

I've tried this, still failing, still working on it.

DSmith_1
Techie
Posts: 14
4248     0

I think the issue now is identifying the interfaces I want to check. Some consistency would help.

 

#Section: CDP Enabled
#Description:
#Check for CDP enabled on certain interfaces

Required-Block:
    interface .*Ethernet.*
        description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
        .+
        !

Optional-Block:
    interface .*Ethernet.*
        description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
        .+
        cdp enable

Optional-Block:
    interface .*Ethernet.*
        description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
        .+
        shutdown

Invalid-Block:
    interface .*Ethernet.*
        description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
        .+
        no cdp enable

This seems to work, but.....

DSmith_1
Techie
Posts: 14
4248     0

#Section: CDP Enabled
#Description:
#Check for CDP enabled on certain interfaces

Required-Block:
    interface .*Ethernet.*
        description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
        .+
        !

Optional-Block:
    interface .*Ethernet.*
        .+
        encapsulation .*

Optional-Block:
    interface .*Ethernet.*
        .+
        ip helper-address .*
        .+
        !

Optional-Block:
    interface .*Ethernet.*
        description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
        no ip address

Optional-Block:
    interface .*Ethernet.*
        description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
        .+
        shutdown

Invalid-Block:
    interface .*Ethernet.*
        description (Rtr|rtr|ROUTER|Router|router|SW|Sw|sw|FW).*
        .+
        no cdp enable

The issue is that the router does not contain the "required block" because the ethernet interface does not have a description that matches the one in the rule, BUT the ethernet interface DOES match one of the optional blocks. Perhaps this is the way that is intended to work.

Working as designed

Expert
Posts: 263
4248     0

Yes, "required" means exactly that.  The config is scanned to match each Required pattern.  When a match is found, those statements are in effect masked out / ineligible for subsequent pattern matches.  That's why the Invalid must be the last check so it operates only on the leftover statements.

There are several caveats due

ERupert Employee
Employee
Posts: 4
4248     0

There are several caveats due to bugs in the CPD editor.  One of them is that you should not mix required and optional.  In my experience, using optional with a catch all of "invalid" is the best approach.  Just like the other parts of the policy engine, the tool works on a first match basis.  So, list all your optionals as discrete matches and then a broader invalid.  This logic is "If it's not A or B or C, then it must be invalid".  I've found this works best.
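As an added illustration (not NetMRI's or CPD's own code, and CPD itself cannot be run offline), the Python below models the first-match, mask-out evaluation described in the two replies above and applies it to the WAN crypto rule posted earlier in the thread. The config sample is constructed, not the poster's device, and the `(header regex, body regex, verdict)` rule shape is this example's own.

```python
import re

# Constructed sample config (not the poster's device): one compliant WAN
# interface, one exempt one ("no ip address") and one non-compliant one.
SAMPLE_CONFIG = """\
interface Multilink1
 ip address 10.0.0.1 255.255.255.252
 crypto map getvpn-map
!
interface Serial0/0/0:0
 no ip address
!
interface Serial0/0/1:0
 ip address 10.0.1.1 255.255.255.252
!
"""

def parse_blocks(config):
    """Split a Cisco-style config into (header, [body lines]) interface blocks."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        elif line.startswith("interface "):
            current = (line, [])
            blocks.append(current)
        else:
            current = None  # '!' or any other top-level line closes the block
    return blocks

# Rule in the order recommended above: accepted shapes first, broad Invalid last.
WAN_CRYPTO_RULE = [
    (r"interface (Mu|Se).*", r"crypto map getvpn-map", "ok"),
    (r"interface (Mu|Se).*", r"no ip address", "ok"),
    (r"interface (Mu|Se).*", r"shutdown", "ok"),
    (r"interface (Mu|Se).*", r"voice", "ok"),
    (r"interface (Mu|Se).*", None, "invalid"),  # sees only the leftovers
]

def evaluate(config, rule):
    """First-match evaluation: a block is claimed by the first entry it satisfies
    and masked from later ones, so Invalid never sees an accepted block."""
    results = {}
    for header, body in parse_blocks(config):
        for head_re, body_re, verdict in rule:
            if not re.fullmatch(head_re, header):
                continue
            if body_re is None or any(re.fullmatch(body_re, l) for l in body):
                results[header] = verdict
                break  # masked out for the remaining entries
    return results
```

Every Serial/Multilink interface gets its own verdict, which is the per-interface behaviour the original poster wanted instead of a single stop-at-first-match check.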

NetMRI 6.9 policy engine has

Adviser
Posts: 357
4248     0

NetMRI 6.9 policy engine has a new ConfigBlockCheck XML element that will handle this. It provides a variety of means to delineate the end of the block, and thus is MUCH more flexible (and understandable) than CPD.
