Baseline template

Hello,
I have a question about "baseline template"
I am now trying to find out whether some interfaces don't have an OSPF key.
I created my basic template like this to find all the FastEthernet interfaces beginning with 0/2/ that are not shut down:
Conditional Block
     sub mode
interface [#FastEthernet0/2/*#]
     CLI commands
- shutdown
Compliance Block (Use the Submode of above condition is checked)
     CLI commands
+ ip ospf message-digest-key [#*#]
and like this it doesn't work...
So I wonder how the stars "*", the sharps "#", etc. work...
I tried this because the manual uses them, but I think I'm not using them properly.
Thank you for answering me.

So I've tried :
+ ip ospf message-digest-key [KEY]
and also
+ ip ospf message-digest-key 1 md5 [KEY]
Apparently it doesn't work.
In response, RME tells me 0 of 56 are compliant.
It says I should add the line "ip ospf message-digest-key ..." to all interfaces. It's curious because most of them have the line :/.
Thank you for the link, I will study it.
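
Added example (not part of the original posts, and not RME template syntax): the same check done offline against an archived running-config, listing the active FastEthernet0/2/x interfaces that have no `ip ospf message-digest-key` line. The sample config, the function names and the placeholder key are assumptions made for the illustration.

```python
import re

# Constructed sample of an IOS running-config; the key material is a placeholder.
SAMPLE_CONFIG = """\
interface FastEthernet0/1/0
 ip address 10.0.1.1 255.255.255.252
!
interface FastEthernet0/2/0
 ip address 10.0.2.1 255.255.255.252
 ip ospf message-digest-key 1 md5 7 <redacted>
!
interface FastEthernet0/2/1
 ip address 10.0.2.5 255.255.255.252
!
interface FastEthernet0/2/2
 no ip address
 shutdown
!
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
"""


def interface_blocks(config):
    """Map each interface name to the list of its sub-mode commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            # "!" or any other top-level command closes the interface block.
            current = None
    return blocks


def missing_ospf_key(config, name_pattern=r"FastEthernet0/2/\d+"):
    """Return in-scope interfaces that are not shut down and carry no MD5 key."""
    name_re = re.compile(name_pattern)
    key_re = re.compile(r"ip ospf message-digest-key \d+ md5 \S")
    missing = []
    for name, body in interface_blocks(config).items():
        if not name_re.fullmatch(name):
            continue              # outside the 0/2/x slot
        if "shutdown" in body:
            continue              # administratively down: out of scope
        if not any(key_re.match(cmd) for cmd in body):
            missing.append(name)
    return missing


if __name__ == "__main__":
    for name in missing_ospf_key(SAMPLE_CONFIG):
        print("no OSPF message-digest-key on", name)
```

A key line alone does not turn authentication on: IOS also needs `ip ospf authentication message-digest` on the interface or `area <id> authentication message-digest` under the OSPF process, so a complete audit would check for that as well.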

Similar Messages

  • LMS 4.0 Prerequisites of baseline templates are ignored if used for direct deploy

    Hi all,
    I want to use baseline templates for conditionally configuring several hundred access switches.
    What I expect to work:
    Write a baseline template with prerequisites and parameters and use
    Configuration> Compliance> Compliance Templates> Direct Deploy
    The baseline template works perfect for
    Configuration> Compliance> Compliance Templates> Compliance Check
    if I use regex instead of parameters
    - compliant devices are detected
    - commands are generated only for non compliant devices
    But I don't want to enter several hundred parameters manually if
    I want to deploy the job after compliance check...
    If I change the regex into a parameter then direct deploy will unconditionally
    generate the commands, regardless whether the prerequisites are met or not.
    Is this by design or a bug?
    My task is simple:
    If interface Vlan1 has an IP address matching a certain pattern I want to deploy the global command
    ip default gateway [same-prefix-as-interface-vlan1].1
    Like I mentioned above: the regexes are OK: compliance check works as expected
    When the regexes are changed to a parameter the command ip default-gateway will
    always be generated regardless of whether the prerequisite is met or not.
    Any thoughts or insight?
    Regards, MiKa

    Solution was simple:
    In one of the old release notes (Cisco Resource Manager Essentials, around 2009) I found a note that prerequisites in templates are not supported with direct deploy. There are no notes for newer releases but the behaviour is exactly as described.
    Another documentation error...
    Rgds, MiKa

  • Baseline template - look for specific loopback interface when specifying "ip tftp source-interface"

    Hello all
    I'm new to regex and I'm trying to make a baseline template, that will check our network devices for our required basic configuration.
    What I'm trying to do is to make a template that will look for either a loopback0 or loopback1 interface.
    If either one is found (the loopback interfaces will not be there at the same time) it must apply the following command:
    ip tftp source-interface loopback0 (or loopback1)
    Is it even possible to make an if-then statement using regex?
    Thank you in advance.
    Best regards
    Jesper Ross Petersen
    Message was edited by: Jesper Ross Petersen

    Yes, this can be done
    #Go to the tcl shell of the device.
    C1811#tclsh
    C1811(tcl)#
    #copy and paste this at the tcl prompt.
    proc intf {} {
        # Collect the Loopback interface lines from the running config.
        set runningcfg [exec show run | inc ^interface Loopback]
        foreach line [split $runningcfg \n] {
            # Match Loopback0 or Loopback1 and capture the interface name.
            if {[regexp {interface (Loopback[0-1])} $line -> interface]} {
                ios_config "ip tftp source-interface $interface"
                return "ip tftp source-interface $interface"
            }
        }
    }
    # now type the name of the proc (intf) at the tcl prompt.
    C1811(tcl)#intf
    # If loopback0 or 1 is present the tftp source interface is added to the running config.
    ip tftp source-interface Loopback0
    C1811(tcl)#

  • How to see data of an AWR Baseline Template after it is expired

    Hi,
    I have a query on AWR baseline templates in 11GR2
    I create a baseline template on a range which is a future date range(single).
    It will show the baseline created in AWR Baseline Templates page.
    Now after the range time is over, I want to see the details, which I am not able to see in EM (no charts, nothing, just a page with a description of it; the page says the range is expired).
    I want to compare this baseline with other. How can I do that?

    Hi Akulala,
    Click on your fields; go to the Source heading and make Source Used: Only when current value in session state is null
    Go to your branches and make sure that the "reset pagination for this page" boxes are not ticked. and the branch points are: On submit: after computation, validation & processing.
    Mike

  • LMS 3.1 Baseline Template Fails

    NEED HELP! :-)
    I made a baseline template that basically says: If you encounter an interface with a vlan24, apply a port-security mac-address sticky command. TEMPLATE FOLLOWS:
    In Conditional Block's SUBMODE:
    interface [#.*Ethernet.*#]
    CLI Command (of conditional block is):
    + switchport access vlan [#(24)#]
    Use the SubMode of above condition (yes)
    CLI Command:
    + switchport port-security mac-address sticky
    UNFORTUNATELY, THE MESSAGE I GET AFTER THE DIRECT DEPLOY IS:
    *** Device Details for cdp-aa-sw-c02-02 ***
    Protocol ==> Unknown / Not Applicable
    Selected Protocols with order ==> SSH
    Execution Result:
    CM0150 Deploy Baseline template to PRIMARY config on device failed Cause: CM0070 Copy Config to device failed on cdp-aa-sw-c02-02 Cause: Action: Check device credentials and reachability.
    CM0100 Copy PRIMARY Running Config to PRIMARY Startup Config on device not attempted
    CM0089 Config archival successful for cdp-aa-sw-c02-02
    Do you have a clue what is wrong with this immediate job deployment??? Can you help me fix it so it applies correctly!?
    Thanx in advance,
    WANimal

    Post the job directory for this job. The directory is found under NMSROOT/files/rme/jobs/ArchiveMgmt on Windows and /var/adm/CSCOpx/files/rme/jobs/ArchiveMgmt on Solaris.

  • How to find routers with multiple bgp neighbors using baseline templates?

    Running LMS 4.1 5k on Windows
    We have around 400 routers on a MPLS network. Only few of these have more than one BGP neighbor. We need to enable some bgp traps so we know when a bgp neighbor is down. How would I write a baseline template to check if a router has more than one bgp neighbor?
    basically I want to know if a router has more than one statement of the following kind:
    router bgp xxxxx
    neighbor x.x.x.x remote-as xxxxx   <-- 1st neighbor
    neighbor y.y.y.y remote-as yyyyy    <-- 2nd neighbor

    Yes, it looks like the bug I mentioned previously.  The bug has nothing to do with RME.  You can use RME or not, and this bug will still be triggered.  While an upgrade is recommended, the Release notes detail a workaround:
    The 1711 router gives traceback when we process an snmpwalk at OID
    "cInetIcmpMsgOutPkts" (1.3.6.1.4.1.9.10.86.1.3.2.1.6) from CISCO-IETF-IP-MIB or
    when ciscoDslCpeMIB is queried (1.3.6.1.4.1.9.20.1.1).
    12.2(15) works well
    12.3(8)T4 and 12.0(3)T are giving this problem.
    Didn't find a similar problem reported to this one.
    Workaround:
    The problem lies in CISCO-DSL-CPE-MIB, so if you don't need this mib you can
    exclude it from the default or created snmp view, thereby preventing the
    traceback. Here is an example of 1) changing default view and 2) creating a new
    view.
    -- change the default snmp view to exclude CISCO-DSL-CPE-MIB
    conf term
    snmp-server view v1default ciscoDslCpeMIB excluded
    end
    show snmp view
    -- create a new snmp view that excludes CISCO-DSL-CPE-MIB
    conf term
    no snmp-server view nodslmib
    snmp-server view nodslmib iso included
    snmp-server view nodslmib internet.6.3.15 excluded
    snmp-server view nodslmib internet.6.3.16 excluded
    snmp-server view nodslmib internet.6.3.18 excluded
    snmp-server view nodslmib ciscoMgmt.252 excluded
    snmp-server view nodslmib ciscoDslCpeMIB excluded
    no snmp-server community public
    snmp-server community public view nodslmib ro
    end
    show snmp view

  • LMS 4.2.4 Baseline template deploy fails for 2960X

    Hello,
    we have Cisco Prime LMS 4.2.4 and I added a new switch type C2960X-24TS-L with IOS Version 15.0.2-EX1.
    I'd like to deploy a baseline template, but it fails:
    Protocol ==> Unknown / Not Applicable
    Selected Protocols with order ==> SSH,Telnet,TFTP
    Execution Result:
    CM0150 Deploy Baseline template to PRIMARY config on device failed Cause: Operation not supported for generic support devices
    CM0056 Config fetch failed for xxxxx Cause:
    PRIMARY-RUNNING config Fetch Operation failed for TFTP.
    SSH: Failed to establish SSH connection to 10.xxx.xxx.xxx - Cause: Authentication failed on device 3 times.
    Action: Check if protocol is supported by device and required device package is installed.
    The device is reachable via telnet.
    I think that I installed the latest device packages for LMS 4.2.4.
    What could be the problem here?
    Thanks,
    Kerstin

    Hi Afroz,
    when I checked the ssh-credentials, I got a failure on ssh enable.
    The failure message on ACS is "missing user password".
    I reentered the credentials, but the error persists.
    I tried to login with the credentials manually, and it works. So the credentials are correct.
    Last I deleted and re-added the device, but nothing has changed.
    Other devices (not 2960X) are working correctly.
    So I think maybe I haven't the latest device packages for 2960X-Switches. But here is the next problem, I can't check for latest packages:
    [ Tue Apr 07 12:19:10 CEST 2015 ] INFO   [DownloadManager : queryAllPkgs]  : Going to collect download packages...
    [ Tue Apr 07 12:19:12 CEST 2015 ] ERROR  [RemoteRepSync : downloadPsuHeadersAsXml]  : VDSException thrown com.cisco.nm.xms.vds.VDSException: CcoDownloadAdapter::getXmlFileList():IOException:tools.cisco.com
    Regards,
    Kerstin

  • Baseline Template Query LMS 4.2 - IP address

    Does anyone know how to create a baseline template that would validate a configuration to ensure that it only has 1 IP address terminating on it?  The IP address may terminate on an SVI or an interface, but must only have the 1 IP address on the device
    Any information or suggestion would be appreciated.

    Hi Afroz,
    Thanks for the link however I was unable to find any information that would help me with my query.
    Here's the issue. Multilayer switches can have multiple IP interfaces on them and on certain devices on our network, I want to ensure that there is only 1 IP interface. So, if the device only has 1 IP interface, the configuration is compliant. If the device has multiple IP interfaces, the configuration is non-compliant.
    The other factor that would complicate things is that on some devices, the IP interface would be an SVI while on others the IP interface would be on an Ethernet port.
    I hope this helps clarify my query.
    Thanks,
    H

  • Using RME baseline templates to find non-compliant SNMP strings

    Running LMS3.2.1
    A. Can I run a compliance check using RME baseline template to find devices which have non standard SNMP strings IN ADDITION to the correct one?
    How will the regular expression look like if we want to say
    + snmp-server community cisco123 ro
    + snmp-server community cisco456 rw 1
    - snmp-server community [anything else] ro
    - snmp-server community [anything else] rw [#.*#]
    B. Is it possible to run a clean up job on the violating devices by using DEPLOY (or NetConfig, etc.)?

    - [#snmp-server community (?!cisco123|cisco456).*#]
    + snmp-server community cisco123 RO
    + snmp-server community cisco456 RW
      From the compliance job result GUI, you can deploy the job directly after verifying the results.  When you deploy this template, it will remove any community that does not match "cisco123" or "cisco456", and then add them if the device does not already have them.
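
Added example (not part of the original answer): the removal pattern above, run offline over constructed config lines next to a stricter per-line check. Python's `re` stands in for the RME regex engine, which is an assumption; the approved set (name, access, ACL) is taken from the question, and the function names are made up for the illustration.

```python
import re

# The removal pattern from the answer above, taken out of its [# #] markers.
PAGE_PATTERN = re.compile(r"snmp-server community (?!cisco123|cisco456).*")

# Approved communities as listed in the question: name -> (access, ACL).
APPROVED = {"cisco123": ("ro", None), "cisco456": ("rw", "1")}

# Constructed sample lines, not taken from any real device.
SAMPLE_LINES = """\
snmp-server community cisco123 RO
snmp-server community cisco456 RW 1
snmp-server community public RO
snmp-server community cisco1234 RO
snmp-server community cisco123 RW
snmp-server location lab
""".splitlines()


def parse_community(line):
    """Return (name, access, acl) for a community line, else None.

    Only the 'name [ro|rw] [acl]' form is understood; any other form
    (for example one with a 'view' keyword) will not equal an approved
    tuple and is therefore reported for manual review.
    """
    tokens = line.split()
    if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
        return None
    rest = tokens[3:]
    access = rest[0].lower() if rest else None
    acl = rest[1] if len(rest) > 1 else None
    return tokens[2], access, acl


def flagged_by_page_pattern(lines):
    """Lines the answer's negative-lookahead pattern would mark for removal."""
    return [l.strip() for l in lines if PAGE_PATTERN.fullmatch(l.strip())]


def flagged_by_strict_check(lines):
    """Community lines whose name, access level or ACL is not approved."""
    flagged = []
    for line in lines:
        parsed = parse_community(line)
        if parsed is None:
            continue
        name, access, acl = parsed
        if APPROVED.get(name) != (access, acl):
            flagged.append(line.strip())
    return flagged


if __name__ == "__main__":
    print("page pattern:", flagged_by_page_pattern(SAMPLE_LINES))
    print("strict check:", flagged_by_strict_check(SAMPLE_LINES))
```

The lookahead only tests a prefix, so `cisco1234` is treated as approved, and it never looks at the access level, so `cisco123 RW` is treated as approved too; ending the lookahead with `\s` closes the first gap inside the template itself.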

  • How to import DISA STIG baselines/templates into SCM?

    Hello,
    I have been playing with both Security Compliance Manager as well as System Center ConfigMgr Extensions for SCAP tools to determine how I can import DISA STIG Inf files. 
    My end goal is to be able to use SCCM DCM to check/manage compliance for some of these pre-defined security standards such as DISA STIGs.
    I read in an earlier post that MSFT is currently looking into allowing INF imports into SCM.  Is there any idea on when this might be available or IS there another approach I can take?
    Thank you,
    Manoj

    Jason/ Experts,
    I see you marked this as answer. I am trying to use Windows 2008 R2 STIG -Version 1, Release 12
    from http://iase.disa.mil/stigs/os/windows/Pages/2008r2.aspx. On extracting the file u_windows_2008_r2_v1r12_stig,
    I get the folders and files as below:
    I extract the U_Active_Directory_Domain_v2r4_Manual_STIG and see the files as DoD-DISA-logos-as-JPEG(jpeg), STIG_unclass (XSL) and U_Active_Directory_Domain_v2r4_STIG_Manual-xccdf (XML)
    I am using Microsoft Security Compliance Manager (3.0.xx) to import the GPO. The DC folder has no .inf files that Microsoft claims to be load to SCM (from v2 onwards). However there is a templates folder, Templates - 2008 R2 that has setup files
    as seen below. These cannot be loaded to SCM with the Import GPO function.
    Now I am not sure how this is marked as an answer and I can't find a solution from Microsoft on how to import the settings to load the DISA STIGS into a Group Policy. If the solution is to MANUALLY enter the policies and export into a GPO Pack and
    Import, it is time consuming though it can be done and will take considerable amount of time. I can't see Microsoft providing that as a solution. So how could I get this? Is there a tool to do this?
    I will appreciate a solution/ suggestion/ advice that will enable us to load the DISA STIGS to group policy that can be applied to AD DC.
    Thanks
    TIA TP

  • RME Baseline Templates compliance and deploy regular expression

    Hi:
    I have a large number of 3750 stacks consisting of a variable number of switches, from 1 to 6. I need to add a command under all
    FastEthernet interfaces from 2/0/1 to n/0/24. That is, on the 1st switch, or if there is only one switch, do nothing, and for all other switches, be it 2 or 3 etc., add a one-line command under each interface.
    I  have not found the correct syntax to have only the interfaces I need to be effected. For example:
    interface [#FastEthernet.*#]   picks all interfaces including the ones on the 1st switch which I don't want to change.
    Interface [#fastEthernet[2-9].*#]  ignores all interfaces.
    I have tried various forms of syntax for the regular expression   but either hit all interface or none.
    Does anyone know how to format the request properly.
    Thanks in advance
    Mickey

    This regexp should work:
    interface [#FastEthernet(1[0-9]+|[2-9][0-9]*)/.*#]

  • LMS 4.2.3 baseline compliance template and standard ACL

    When using a baseline compliance template to check and deploy a standard ACL, I encountered what seems to be a bug:
    I configured a template with these commands:
    +ip access-list standard 21
    +; Hosts allowed access
    +  permit host 10.20.30.40
    +  permit host 40.30.20.10
    +  deny any log
    When I do compliance check and deployment, the last line is dropped by LMS.
    In fact, when I look into the job's "Work Order", the commands are:
    ip access-list standard 21
    ; Hosts allowed access
      permit host 10.20.30.40
      permit host 40.30.20.10
    After the job run, "show running-config" shows the access list matching the "Work Order" (without the "deny any log" command.)
    Is this a bug?

    It doesn't have any issues on my lab 4.2.4. The following is the job work order:
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NA
    Job Policies
    E-mail Notification: Not Applicable
    Job Based Password: Disabled
    Device Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share it, and I will try it on my LMS server. Also, check the same compliance job on other devices to see if you have such issues.
    -Thanks
    Vinod
    **Rating Encourages contributors, and its really free. **

  • How to create bulk configuration files from a template for staging?

    Hello,
    We have created a sample configuration for ISRG2 2901 Router.  The sample configuration is long, and with copy/paste it is possible to skip some lines, and it is difficult to ensure the configuration of every device is standardized due to this error possibility. What we are trying to achieve is first create a template from this sample configuration file, and then create configuration files for each device separately and automatically. After creating these configuration instances, we want to be able to distribute the configuration files (and possibly the IOS) to the devices during the staging phase. Since there are about 1000 2901 routers, creating configuration files is important.
    From searching we have found the following tools:
    1) CCE (Cisco Configuration Engine): This tool seems to be very efficient for distributing the created configuration files. We may use the serial number of the device, and it provides almost zero touch provisioning of the configuration files to the devices. Creating the configuration file from the template seems to be manual, i.e enter the ip addresses of the interfaces, the routing tables one by one for each device. How can we use velocity template for device configs?
    2) Ciscoworks LMS Prime: It is possible to create a baseline template for the devices, and after getting the backup configuration of the routers, it is possible to compare the actual configuration of the device with the baseline template, and understand if there is any difference with each other. This is indeed very useful in order to keep the configuration standardized, we again could not find a way to create bulk configuration files from the baseline template.
    3)  Solarwinds Config Generator: This tool is useful for creating a configuration file from a template, but again not for automatically creating configuration files, and needs manual intervention.
    4) Excel Macro: It seems that some people have managed to automatically create configuration files using an Excel macro, but we could not find a procedure or tip on how to achieve this.
    5) Perl or TCL/TK Script: Again, since we are not software developers but from the networking field, it is difficult to achieve a working form of these scripts or codes due to lack of documentation and development experience.
    So our problem comes down to creating a template from a sample configuration, and creating bulk configuration files from the template. Is there a specific tool or procedure to achieve this purpose?
    Thanks in Advance,
    Best Regards,

    Hi,
    Try this one http://www.gen-it.net
    Regards,
    Stuart

  • LMS 4.2.2 CLI TEMPLATE CREATION

    Is there a way to apply the template based on the response of the IOS CLI?
    Example:
    Var1 = "show dot1x"
    if var1 = disabled
    then
    dot1x system-auth-control
    end if
    Thanks
    Emiliano

    Thanks Marvin for the reply, but I can't see the attachment.
    I don't mean the self-declared variables and I don't mean the compliance baseline templates. I mean the Template Center templates (analogous to PI) and the global built-in variables that are also not documented inline in the OOTB templates:
    One example is $(interface) for the currently deployed interface, which I got answered in a different thread in the past from Joe Clark.
    But such important information belongs in public product documentation. And that is what I'm looking for.

  • Checking aaa configuration using LMS Baseline Compliance Checks

    Hi, I'm trying to set up a baseline configuration check for our devices that will cover both "types" of aaa accounting commands. Some devices have the commands spread over multiple lines and some have them in single lines as per the examples below. I can't seem to make an "or" check that will cover both types. Can anyone please assist? I am using Ciscoworks 4.2.
      aaa accounting exec default
      action-type start-stop
      group tacacs+
      aaa accounting commands 0 default
      action-type start-stop
      group tacacs+
      aaa accounting commands 15 default
      action-type start-stop
      group tacacs+
      aaa accounting connection default
      action-type start-stop
      group tacacs+
    OR
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting exec default start-stop group tacacs+

    Compliance check uses the same devices as everything else in RME.  However, you need to make sure your template is configured to match the specific device types that you want to check.  When you define your baseline template, you must choose one or more device types.  Make sure you've checked all of the appropriate boxes (e.g. Routers and Switches and Hubs).
