Baseline Compliance Check Loopback0

I'm working on a Baseline Template for compliance.  One of the interfaces that we use across all our routers is Loopback 1.  I want to use a baseline template to check if Loopback 0 exists and then if it exists, I want to check certain lines in its interface config.  Here is how I have my Template configured:
Prerequisite Command Set - checkLoopback
+interface Loopback1
Subordinate Command Set - checkLoopbackConfig
+description Network Management Interface
+ip address [#172\.16\..*\..*#] [255.255.255.0]
Basically I want to confirm that Loopback 1 exists and then check that the standard description has been used and that the IP Address is within a certain range.
Whether the interfrace is configured or not, when I run the compliance check it reports that the device is compliant.  I've also tried "-interface Loopback1" in the Prerequisite Command Set and the result still reports the device is compliant.
How can I accomplish my goal of checking that the interface exists first then check the config of the interface?
Thanks for the help.

You can use commandsets. The commandsets are a set of one or more CLI commands. You can define a commandset while creating a Baseline template in the Advanced mode.
The features of the commandsets are:
•If the commands in commandset are in a submode (ip/interface etc.) a submode command must be specified for such a commandset.
•Commandsets can have one or more child commandsets.
•Child commandsets inherit parent's sub-mode command.
You can define commandsets that have to be checked before running the actual commands.
The features of the prerequisite commandsets are:
•A commandset can have another commandset as its prerequisite.
•A prerequisite commandset is used only for comparison and is not deployed onto the device.
•A commandset is compared with the config only if its prerequisite condition is satisfied.
LMS evaluates the commandsets in different ways depending on whether you have defined the commandset as Parent or Prerequisite.
For example, assume that you have defined two commandsets, commandset1 and commandset2:
•Commandset defined as Prerequisite
- commandset1 as the Prerequisite of commandset2. When LMS evaluates the Baseline template, it evaluates commandset1 first, and commandset2 next.
- If commandset1 does not contain submode and is not present in a device, then commandset2 is not evaluated and the device is displayed in the excluded  list in the compliance report.
- If commandset1 contains submode and is not present in applicable submodes, then commandset2 is not evaluated and the device is displayed in the excluded list in the compliance report.
•Commandset defined as Parent
- commandset1 as the Parent of commandset2. When LMS evaluates the Baseline template, it evaluates commandset1 first, and commandset2 next.
- If either of these commandsets is missing, the template is considered non-compliant.
-Joe

Similar Messages

  • Checking aaa configuration using LMS Baseline Compliance Checks

    Hi, I'm trying to setup a baseline configuration check for our devices that will cover both "types" of aaa accounting commands. Some devices have the commands spread over mutliple lines and some have them in single lines as per the examples below. I can't seem to make an "or" check that will cover both types. Can anyone please assist? I am using Ciscoworks 4.2.
      aaa accounting exec default
      action-type start-stop
      group tacacs+
      aaa accounting commands 0 default
      action-type start-stop
      group tacacs+
      aaa accounting commands 15 default
      action-type start-stop
      group tacacs+
      aaa accounting connection default
      action-type start-stop
      group tacacs+
    OR
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting exec default start-stop group tacacs+

    Compliance check uses the same devices as everything else in RME.  However, you need to make sure your template is configured to match the specific device types that you want to check.  When you define your baseline template, you must choose one or more device types.  Make sure you've checked all of the appropriate boxes (e.g. Routers and Switches and Hubs).

  • LMS 4.2.3 baseline compliance template and standard ACL

    When using a baseline compliance template to check and deploy a standard ACL, I encountered what seems to be a bug:
    I configured a template with these commands:
    +ip access-list standard 21
    +; Hosts allowed access
    +  permit host 10.20.30.40
    +  permit host 40.30.20.10
    +  deny any log
    When I do compliance check and deployment, the last line is dropped by LMS.
    In fact, when I look into the job's "Work Order", the commands are:
    ip access-list standard 21
    ; Hosts allowed access
      permit host 10.20.30.40
      permit host 40.30.20.10
    After the job run, "show running-config" shows the access list matching the "Work Order" (without the "deny any log" command.)
    Is this a bug?

    Doesnt have any issues on my Lab 4.2.4. following is the Job Work order :
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NAJob Policies
    ----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
    Job Based Password: DisabledDevice Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
    -Thanks
    Vinod
    **Rating Encourages contributors, and its really free. **

  • LMS 4.2 Compliance check extended access-list

    Hi,
    I would like to check of our router has one specific line in an extended access-list. I have tried to use the 'baseline compliance' to get the output, but can't get the syntax right.
    I would like to avoid checking on the line number in the access-list, because this is not the same on all the routers.
    I have made a new compliance check like this:
    'submode': ip access-list extended 'acl-name'
    +deny tcp any any eq smtp
    But that is not working, Can some one show me the 'right path'?
    Thanks
    Soren                 

    Doesnt have any issues on my Lab 4.2.4. following is the Job Work order :
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NAJob Policies
    ----------------------------------------------------------------------------------------------E-mail Notification: Not Applicable
    Job Based Password: DisabledDevice Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share, i will try it on my LMS server. also, check the same complaince job on other devices if you have such issues.
    -Thanks
    Vinod
    **Rating Encourages contributors, and its really free. **

  • Compliance Check/Deploy DCMA0058 error

    Hi
    Using LMS 3.2 RME 4.3.0. I'm trying to deploy baseline config after compliance check. When I select compliance check job and click deploy i got this error:
    "DCMA0058: Could not deploy selected Job.
    No compliance report available."
    But the report in baseline jobs window i available.
    Any ideas what should i check ??

    Please run a device update from Common Services --> Software Center --> Device Update --> Select RME under products and check for updates from Cisco.com and install all the device packages.
    Duplicate the problem again after update and post the error if it appears again.

  • Ciscoworks showing + and - when running a compliance check

    I am trying to write a compliance check for switches. The issue I am getting now is that when the template runs I am getting notices stating that non the of switches are compliant, when they are. In the output after it runs I am seeing items in red with - and items in green with +. I thought the items in green with the + and items that are needed in the switches. Am I correct in assuming this? What are the items in red with the -?
    The problem seems to be with ACLs they first show up in red (-) and then again in green (+) even though they are correct in the switch. Any ideas?

    In the run.log, your device has an ACL:
    access-list 101 remark Permit SSH from admin systems and other switches
    access-list 101 permit tcp 172.20.2.0 0.0.1.255 any eq 22 log
    access-list 101 permit tcp 192.168.10.0 0.0.1.255 any eq 22 log
    access-list 101 deny   ip any any log
    But your template requires:
    access-list 101 remark Permit SSH from admin systems and other switches
    access-list 101 permit tcp 172.20.2.0 0.0.1.255 any eq 22 log
    access-list 101 permit tcp 192.168.10.0 0.0.1.255 any eq 22 log
    access-list 101 permit tcp 192.168.12.0 0.0.1.255 any eq 22 log
    access-list 101 deny   ip any any log
    The test.log device has "ip sla enable reaction-alerts" which will trigger a parse error in baseline.  If you remove this line, re-archive the config, then run a new compliance test, it should show as being compliant (from the ACL standpoint).

  • Compliance Checking

    +
    Using RME version 4.3.0, I'd like to run compliance checks against devices, but when searching for devices to run these checks against, they're not found, even though these devices have been verified that they're in the DCR and have been recently archived. Each time I try to schedule a Compliance Check, only a few devices show in the search out of many that are in the DCR.
    Does the Compliance Check run against a different database than the DCR, or am I just missing something??
    As an FYI, this instance of CiscoWorks LMS was installed and set up by someone that's long gone by now.
    Thanks in advance for any help.

    Compliance check uses the same devices as everything else in RME.  However, you need to make sure your template is configured to match the specific device types that you want to check.  When you define your baseline template, you must choose one or more device types.  Make sure you've checked all of the appropriate boxes (e.g. Routers and Switches and Hubs).

  • Ciscoworks2000 Compliance check

    Hi..
    Question: I want to Check Particular command is present in switches through ciscoworks2000.
    See i checked that it is possible in LMS 3.1 via RME-Compliace check and i have already did that but  i want to achieve Same function in ciscoworks 2000.

    "CiscoWorks 2000" is not a version.  It was the name of a product - a very old product.  In order to provide an accurate answer, I need to know the specific version of Resource Manager Essentials that you have.  If you have RME 3.x, then, no, the baseline compliance feature that that is available in RME 4.x is not present.

  • Java Web Start error message when trying to run vSphere1.2 compliance checker

    It installed fine but a javaws usage message displayed when attempting to run. Seems like this might be some kind of Java environment problem on the Windows 7 Pro desktop. Not very familiar with Microsoft, any ideas and/or suggestion?.

    Thanks for your suggestions, I will look into them.
    One assumption I made is since the install completed without incident the program was able to locate any needed resources.
    Another assumption is since I received an error message from javaws then itself was being located - just lacking something else it needed.
    Ran javaws from command prompt, received same usage message. Apparently using 64 bit 1.7.0_13, didn't see a Java folder in the 32 bit Program Files so would that be the problen? That 32 bit Java version is needed to run this?  Java Web State 10.13.3.20-fcs.
    I'm the administrator of the system, so privilege is not an issue
    In Properties/Shortcut, verified that the .jar file was pathed correctly
    Target ->  "C:\Program Files\Java\jre7\bin\javaws.exe" -jar "C:\Program Files (x86)\VMware\VMware Compliance Checker for vSphere\vmcc.jar"
    Start in -> "C:\Program Files (x86)\VMware\VMware Compliance Checker for vSphere\"

  • Why system is capturing Log for Document transfer and Compliance check

    Hi All
    Although I have removed
    TD_MAP Movement Data : Document Replication Mapping (Live)
    TD_CCH Movement Data : Compliance check Document (Live)
    in custom document configuration , then also system is capturing log for document transfer and Compliance check result.
    If my understanding is wrong then what is the use of Log control in customs document configuration for
    Document Transfer
    Document Check
    Thanks
    Akhil..

    Hi Akhil,
    For some situations, GTS allows you some control over the logging by specifying the Profile to use.  But if you do not specify a Profile, logging still occurs using the default values in the standard code.
    Regards,
    Dave

  • Adobe Section 508 compliance check question

    I've run the Adobe Section 508 compliance check on a document.  The only errors I receive now are 5 tables without designated table headers.  I click on the link to these tables, but nothing happens.  It doesn't point me to the tables with the errors.  Any help would be greatly appreciated.  I'm using Adobe Pro v9.2.0.

    I work at a college and have to create complex Section 508-compliant PDFs throughout the year. Though you've probably upgraded to CS6 or higher, I thought I'd share info on an ID plug-in that is very helpful with determining and setting the reading order from within ID. It is called "FrameMaker," by Rorohiko, and it puts a tiny label on each frame of a page. For example, if I select a frame, the reading order "number" will show on the top right of the frame. So I'll know immediately that I need to fix the order before creating a pdf.
    Very inexpensive. Definitely worth the money.
    http://www.rorohiko.com/wordpress/2013/09/17/easily-edit-stacking-order-of-page-items/
    BTW: If you have to create text files from large ID files, their TextExporter is fabulous.

  • VMware Compliance Checker 5.0 Support ESXi 5.1

    Hi,
    VMware Compliance Checker support ESXi 5.1 ?
    Regards,
    Gopi

    Hi Pravin
    Do you know when it will be released?
    Regards
    André

  • Compliance Checker for Vsphere 5.5 Not working /connecting

    I am trying to run the Compliance Checker for VSphere 5.5 woth no luck.
    I run the program from the Vcenter server and get nothing.
    I have run from a pc and gotten "cannot connect"
    I have tried every possible username and PW combination we have.
    Any help would be greatly appreciated

    This is the error I receive,
    Error connecting to host service instance (IP Address xxxxxxxxxxx; User ID: [email protected])
    Also I can log into the vsphere server at the console using root but cannot login using the vsphere client using root
    it tells me root does not have permission. Not sure if this may have be some of the issue with the compliance checker
    or a function of Vcenter 5.5.

  • RME-Compliance check job failed and Execution status display notattempted

    Dear All,
    We did a compliance check job schedule one time/a day.but unfortunately it failed as below:
    Execution Summary
    Pending : 0
    NotAttempted : 361
    Successfull : 0
    Failed : 0
    Partial Success : 0
    How can i do?
    Thanks!

    Use this document:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0/user/guide/over.html

  • Compliance Check

    I am trying to run Compliance Check and when I am try to use user defined group created on CS it's empty.(actually I have 10 groups under CS) and all  all the groups I have created under CM didn't display at all. the only groups showing are a groups created under RME only. haveing say that on all other RME tools like RME job, net config job..so on I can access a user defined group created on all applications(cm,cs,rme). the only problem I have with Compliance Check. I am wondering why only with compliance check.please check the screen shoot.  thanks

    This does work for me locally, but I seem to recall you've had grouping issues before.  Perhaps there is still a problem with the CMFOGSServer.  If you cannot post the actual device details in these groups as well as the template which is triggering this, then open a TAC service request.  For analysis of this kind of problem, I would need to see the CMFOGSServer.log and RMEOGSServer.log with appropriate debugging enabled.  I would also need to see the OGS rules which defined the CMF groups as well as a list of devices in those groups and proof showing those same devices are managed by RME.

Maybe you are looking for

  • How do i get my old firefox bookmarks back after uninstalling firefox

    how do i get my old firefox bookmarks back after uninstalling firefox and then reinstalling it from scratch. I did a system restore, but i only retrieved my old tabs, no book marks :(

  • Xsl parameters and java

    Can someone post a sample code of java where a oracle.xml.parser.v2.XSLProcessor send a parameter to a xsl file. It could be fine to see how the XSL file declares and uses this parameter. Thanks

  • Business delegate to servlet

    I have a business delegate that delegates to a servlet from outside the           servlet container. For the actual servlet interaction, I'm using basically           URLConnection connection = ,,,           connection.openConnection()           read

  • How to Use INR (Indian Rupee) Character in Adobe Livecycle?

    hey guys, just wanted to know how to use new character of indian rupee in Adobe Livecycle ES2?

  • NI-DAQmx Counter Frequency Measurement

    I need to measure the number of pulses obtained within a time period (3 secs). So if i use channel 0 to generate a gate pulse for channel 1 how can i do other other things while waiting for my 3 seconds to be up ? Has anyone got any VB6 code to do it