Ciscoworks LMS 3.2 Compliance Mgmt
Would it be possible to create a template to do the following?
1. check all interfaces, including Ethernet, FastEthernet, GigabitEthernet, Serial, Token, etc
2. if the interface is found to have "ip helper-address", it must match x.x.x.x and y.y.y.y
The reason is that I am running this search and replace script, and I need to verify afterward.
Name: ChkHelpers SubMode: Yes isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: none
interface [#.*#]
+ ip helper-address [#10\.\d\.\d\.\d\#]
Name: ReplOldHelpers SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : ChkHelpers Parent: ChkHelpers
- ip helper-address 10.a.a.a
- ip helper-address 10.b.b.b
+ ip helper-address x.x.x.x
+ ip helper-address y.y.y.y
There are a few typos here, but in general what you have is correct.
Name: ChkHelpers
IsPrereq: yes
Submode: interface [INTF]
Body:
+ ip helper-address [#10\.\d+\.\d+\.\d+#]
Name: ReplOldHelpers
Prereq: ChkHelpers
Parent: ChkHelpers
Body:
- ip helper-address 10.a.a.a
- ip helper-address 10.b.b.b
+ ip helper-address x.x.x.x
+ ip helper-address y.y.y.y
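An offline way to do the "verify afterward" step from the question, as an added example that is not part of the original thread or of LMS: a Python check over a saved config that flags every interface whose helper addresses are not exactly the required pair, skipping interfaces that have no helper at all. The addresses 192.0.2.10 and 192.0.2.20 are assumed stand-ins for x.x.x.x and y.y.y.y, and the sample config is constructed.

```python
import ipaddress
import re

# Constructed sample config, not from the thread. 192.0.2.10 and 192.0.2.20
# are assumed stand-ins for the thread's x.x.x.x and y.y.y.y.
SAMPLE_CONFIG = """\
hostname sw1
!
interface FastEthernet0/1
 ip helper-address 192.0.2.10
 ip helper-address 192.0.2.20
!
interface GigabitEthernet0/1
 ip helper-address 10.5.5.5
 ip helper-address 192.0.2.20
!
interface Serial0/0
 ip address 10.1.3.1 255.255.255.252
!
interface Vlan20
 ip helper-address 192.0.2.10
!
"""
REQUIRED = {"192.0.2.10", "192.0.2.20"}

INTF_RE = re.compile(r"^interface\s+(\S+)")
# An optional "vrf NAME" or "global" keyword may precede the address.
HELPER_RE = re.compile(r"^\s+ip helper-address\s+(?:(?:vrf\s+\S+|global)\s+)?(\S+)")


def helpers_by_interface(config_text):
    """Map every interface name to its helper addresses, in config order."""
    result, current = {}, None
    for line in config_text.splitlines():
        m = INTF_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
        elif not line.startswith(" "):
            current = None  # an unindented line ends the interface submode
        elif current is not None:
            m = HELPER_RE.match(line)
            if m:
                # Raises ValueError if the token is not an IP address.
                result[current].append(str(ipaddress.ip_address(m.group(1))))
    return result


def audit_helpers(config_text, required):
    """Return findings for interfaces that have helpers other than `required`."""
    findings = {}
    for intf, helpers in helpers_by_interface(config_text).items():
        if not helpers:
            continue  # no helper configured: out of scope, as in the question
        have = set(helpers)
        unexpected, missing = sorted(have - required), sorted(required - have)
        if unexpected or missing:
            findings[intf] = {"unexpected": unexpected, "missing": missing}
    return findings


if __name__ == "__main__":
    for intf, detail in audit_helpers(SAMPLE_CONFIG, REQUIRED).items():
        print(intf, detail)
```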
Similar Messages
-
Ciscoworks LMS 3.2 - Compliance mgmt negation problem
Hi,
Strange problem, that I am sure is being caused by me.
Basically trying to run an advanced Compliance mgmt job, looking for a set of pre-requisites (this is working) and then removing all non compliance SNMP community strings from a sample device.
I use two lines for this removal
- snmp-server community [#!testR[OW]mon#] [#.*#] [#.*#]
- snmp-server community [#!SNMP#] [#.*#] [#.*#]
From what I see, this should remove all snmp-server communities from a device other than "testROmon", "testRWmon" and "SNMP". Obvious caveat is that they would all need to have two words after this (in this case, these are ro or rw and an ACL).
When I run this it seems to try and remove twice as many snmp community strings as there actually are on the device config? So I guess the core questions are: -
1) Does the above look sound and would it do what I think
2) Does the Compliance management engine parse the entire config independently for each line of the above and hence explain why I am getting more removals than I would expect or is there a problem somewhere?
Any help on this appreciated as it's driving me nuts
Thanks Joseph,
So if I also wanted to remove all SNMP traps bar: -
snmp-server host 10.10.10.x (where x is any ip in the last octet)
From a device, would I use
- [#snmp-server host (!#10\.10\.10\..*#).#]
Or doesn't this make sense? -
Ciscoworks LMS 3.2 compliance mgmt negation problem 2
Sorry one more question,
If I also wanted to remove all SNMP traps bar: -
snmp-server host 10.10.10.x (where x is any ip in the last octet)
From a device, would I use
- [#snmp-server host (!#10\.10\.10\..*#).#]
Any help appreciated
Thanks Joseph,
But if the line is say: -
snmp-server host 10.10.10.1 testROmon
Would I not need the .*# for the extra word? I guess this would only be needed if I were also searching for variations in this word? -
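An added example, not part of the original posts and not LMS template syntax: a Python model of the two SNMP questions above. It translates the two negations into negative lookaheads and assumes, for illustration only, that each removal line is evaluated on its own (the hypothesis in question 2; this page does not say how the LMS engine evaluates them), then compares that with a single allowlist and with a subnet test for trap hosts. The sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample lines, not from the original posts.
SAMPLE_CONFIG = """\
snmp-server community testROmon RO 10
snmp-server community testRWmon RW 10
snmp-server community SNMP RO 10
snmp-server community public RO 99
snmp-server community oldNMS RW 99
snmp-server host 10.10.10.1 testROmon
snmp-server host 10.10.20.5 public
snmp-server host 110.10.10.5 public
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)")
HOST_RE = re.compile(r"^snmp-server host (\S+)")

# The two negations from the post, each as its own pattern.
NOT_TEST = re.compile(r"(?!testR[OW]mon$)\S+")
NOT_SNMP = re.compile(r"(?!SNMP$)\S+")
# One allowlist covering all three permitted community names.
ALLOWED_COMMUNITY = re.compile(r"testR[OW]mon|SNMP")
# "10.10.10.x" expressed as a network, so 110.10.10.5 cannot slip through.
ALLOWED_TRAP_NET = ipaddress.ip_network("10.10.10.0/24")


def communities(config_text):
    """Community names in config order."""
    found = (COMMUNITY_RE.match(line) for line in config_text.splitlines())
    return [m.group(1) for m in found if m]


def removals_independent(names):
    """Hits when each negated pattern is applied separately (assumed model)."""
    hits = []
    for pattern in (NOT_TEST, NOT_SNMP):
        hits += [n for n in names if pattern.fullmatch(n)]
    return hits


def removals_allowlist(names):
    """Hits when a name is removed only if it is outside the whole allowlist."""
    return [n for n in names if not ALLOWED_COMMUNITY.fullmatch(n)]


def stale_trap_hosts(config_text):
    """Trap targets that are not addresses inside 10.10.10.0/24."""
    stale = []
    for line in config_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        try:
            inside = ipaddress.ip_address(m.group(1)) in ALLOWED_TRAP_NET
        except ValueError:  # a hostname rather than an address
            inside = False
        if not inside:
            stale.append(m.group(1))
    return stale


if __name__ == "__main__":
    names = communities(SAMPLE_CONFIG)
    print("independent:", removals_independent(names))
    print("allowlist:  ", removals_allowlist(names))
    print("stale hosts:", stale_trap_hosts(SAMPLE_CONFIG))
```

Under the independent model each disallowed community is hit twice and each permitted name is hit by the other line's negation, while the single allowlist yields only the two disallowed names.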
Ciscoworks LMS 4.0 – Fault Device Details Issue
We currently use Ciscoworks LMS 4.0 but when I go into Monitor > Fault Settings > Setup > Fault Device Details
I get the following message (see attached document with screenshot) and being a LMS newbie am unsure what to do? As have tried to search for this file but no luck.
So thanks in advance for any advice.
Check if the fault management rediscovery page shows device as discovered and known or does it have any errors?
Are you able to generate any fault management reports and view other pages?
Just try to reboot the server/restart daemon to see if it goes away.
Else it is mostly corrupt FM DB. Which would need to be re-initialized.
Fault Mgmt reinitialize is a very simple task, which doesn't remove a lot of data, except past 31 days of FM history and custom notifications, if configured.
Thanks
Vinod
**Rating Encourages contributors, and it's really free. ** -
Using Ciscoworks to update netmask on mgmt interface for multiple switches
Is it possible to use Ciscoworks LMS 3.2 to update the netmask for a management interface on multiple switches? For example, say I have a 3750 access switch management network, 172.28.185.0/27 (default gateway 172.28.185.1) that we're resizing to a /26. Is there a simple way to update just the netmask for the management interface on those devices using Netconfig?
-David
Unfortunately not. You could use Netconfig or even baseline compliance for this, but since you need to know each interface's IP, that means you'd have to create parameterized templates. Therefore, you would have to create a template "answer" file for each device in this subnet which had their IP address for the interface in question.
Baseline compliance might be a little easier with a template like:
Commandlet : CheckIP
IsPrereq : Yes
Submode : interface [#.*Ethernet.*#]
+ ip address [#172\.28\.185\.\d+#] 255.255.255.224
Commandlet : ReplaceIP
Parent : CheckIP
+ ip address [IP] 255.255.255.192
You would still need to provide a value for [IP] for each device when performing a deployment. -
Ciscoworks LMS RME / ASA Firewall configuration pre-shared key savings
Does anybody know the concept about saving pre-shared by Ciscoworks LMS /RME ?
Is there a way to get the unencrypted values from Ciscoworks LMS /RME for an ASA Firewall ?
ASA config. saved with RME
pre-shared-key *
ASA config. saved to TFTP from ASA
pre-shared-key 1ZdmaKVwEkQ66nD37d9kA9fj9z75
If you enable "shadow directory" (RME - Admin - Config Mgmt - Archive Mgmt - Archive Settings), you can find the raw configs in locations such as /var/adm/CSCOpx/files/rme/dcma/shadow/Security_and_VPN/PRIMARY on Solaris, or its Windows equivalent, after one requisite cycle of Periodic Polling and/or Periodic Collection. That's the same config one'd get saving to TFTP manually.
However, I don't recall how to unscramble the "asterisks" in the RME GUI, if at all possible. -
Hi,
Currently we have CiscoWorks LMS 2.6 and looking to buy or if possible upgrade to latest version of CiscoWorks LMS 4.1
I need confirmation is this LMS 4.1 is a bundle? Like including RME, Common Services, CiscoView, Device fault Manager, Campus Manager and etc.,?
Naidu.
An upgrade from LMS 2.x to LMS 4.1 is possible. With LMS 2.6 there was no device count restriction but the next major release (LMS 3.0) introduced licensing based on device count. So you have to determine which device count you need. Available licenses are for example:
LMS41-300-UP-K9 Upgrade LMS 2.x 3.x to 4.1 Base DVD for 300 devices
LMS41-1.5K-UP-K9 Upgrade LMS 2.x 3.x to 4.1 Base DVD for 1500 devices
LMS 4.1 is a bundle and - under the cover - still contains CS, CiscoView, RME, CM, DFM and meanwhile also IPM (Internetwork Performance Monitor) and HUM (Health and Utilization Monitor); With LMS 4.x they cannot be installed as standalone applications as it was with LMS 2.x/ 3.x; Also the GUI has undergone a complete re-write (and thus re-organization) - see the link to the data sheets below.
There will be some changes with LMS because it will be merged together with "Cisco Prime Network Control System" into "Cisco Prime Infrastructure".
Thus the latest release of LMS (LMS 4.2) is available in the "Cisco Prime Infrastructure" Bundle which contains both these products:
Cisco Prime Network Control System 1.1 (Mgmt for Wireless Products)
Cisco Prime LAN Management Solution 4.2 (Mgmt for Network devices)
Data sheets for LMS 4.2 and LMS 4.1 are available here:
http://www.cisco.com/en/US/customer/products/ps11200/products_data_sheets_list.html
Ordering and licensing guide for "Cisco Prime Infrastructure" is here:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps12239/ordering_guide_c07-697784_ps11686_Products_Data_Sheet.html -
Hi,
I need Compliance mgmt help.
I want to run a command against 2500 switches that make all Fast Ethernet ports implement as speed auto & duplex auto, except Gig port and trunk ports. Any help appreciated.
THANKS
I am using;
LMS:3.2
RME: 4.3
CM:5.2.1
Since you have RME 4.3, you might also consider using a Netconfig port-based job. To do this, go to RME > Config Mgmt > Netconfig > Netconfig Jobs and create a new port-based job. Define a custom group with the ruleset:
Port.PortName StartsWith "Fa" AND
Port.CM.AccessStatus = "Configured"
Then select the Adhoc task, and enter the IOS commands:
speed auto
duplex auto
Deploy that to all of the required switches and that will accomplish what you want. Note: this requires that all switches are managed by Campus Manager. -
We have ciscoworks LMS 3.2 which we have recently updated to ciscoworks 3.2.1 using the ciscoworks 3.2 Service Pack 1 patch file. In the "Readme for CiscoWorks LAN Management Solution 3.2 Service Pack 1" document, it says that you have to install the Remote Syslog Collector 4.3.2 separately. It says the file (setup.exe) is located at disk1/RSAC. However, ciscoworks 3.2 Service Pack 1 only appears to be a patch file and when we ran the patch file on our Remote Syslog Collector server, the version remained at 4.3.0. When I looked at the server where RME is installed (version 4.3.2), it says that Syslog Analyzer is 4.3.2 and Syslog Collector is version 4.3.0. The patch file doesn't look like it has the installation files for RSAC 4.3.2 and there doesn't seem to be a directory that was created on the RME server to install the updated RSAC from, so how do you upgrade from RSAC 4.3.0 to RSAC 4.3.2?
I opened up a TAC case, worked with TAC, and was able to update RSAC to version 4.3.2. The procedure is:
1. Download the ciscoworks LMS 3.2.1 patch file to the remote syslog server.
2. Create a temporary directory on the remote syslog server (ex. c:\test)
3. Go into the directory with the extracted LMS 3.2.1 patch file and type the command:
Ciscoworks_LMS_3.2.1.exe /extract_all:c:\test
4. Go into the c:\test directory and find the RSAC folder. In the RSAC folder is a setup file. Run setup and install RSAC 4.3.2 over RSAC 4.3.0 (if you uninstall RSAC 4.3.0, you will get a message saying that RSAC 4.3.0 must be installed before installing RSAC 4.3.2)
5. Check the installation by going to Common Services->Software Center->Software Update on the remote syslog server. The version should be RSAC 4.3.2. -
User tracking not finding any hosts in Ciscoworks LMS 3.1
L.S.
Our test-configuration is as follows:
Application versions:
Ciscoworks LMS 3.1
Ciscoworks Common Services 3.2.0
Campus Manager 5.1.4
We have 31 managed devices in Campus Manager (data has been collected on all),
Edit: All of them show up green in the topology window.
The devices are: 2 6509 cores (running IOS s72033_rp-IPSERVICESK9_WAN-M version 12.2(18)SXF8), 1 ASA firewall (running ASA-OS version 8.0.5) and 29 switches (2960 and 3560 models both running ios version 12.2(52)SE). The switches are connected as follows:
User tracking jobs are running normally, but aren't finding any end-hosts or IP phones at all (I suspect around 250-500 hosts+ on these switches)
We are running SNMP v3 on the switches and have added the following configuration items to all the switches:
snmp-server group readonly v3 auth context vlan-1
<repeat for all present snmp-contexts as shown in show snmp context output>
snmp-server group readonly v3 auth context vlan-83
Debugging is enabled in CM->Admin->Debugging Options->User Tracking Server
This is the UT.log file of the last major acquisition:
messages will remian logged to file: D:\PROGRA~1\CSCOpx\log\ut.log
2010/01/13 14:00:01 main MESSAGE ProcessInitializer: Properties will be read from D:\PROGRA~1\CSCOpx\campus\etc\cwsi\ut.properties
I= 0value *.*.*.*
I= 1value 6
I= 2value 1
2010/01/13 14:00:01 main MESSAGE DBConnection: Created new Database connection [hashCode = 10969598]
PartialOrderNode tree dump: time base = VMPSMajor
<root>
VMPSMajor: <root>
VMPSMajor: VMPSMajor.GetXMLData
VMPSMajor: VMPSMajor.PingSweep
VMPSMajor: VMPSMajor.PopulateFromDCR
VMPSMajor: VMPSMajor.GetPortStatus
VMPSMajor: VMPSMajor.GetBridgeTable
VMPSMajor: VMPSMajor.Sweep
VMPSMajor: VMPSMajor.GetIpXlateTable
VMPSMajor: VMPSMajor.GetIpv6XlateTable
VMPSMajor: VMPSMajor.GenerateTable6
VMPSMajor: VMPSMajor.GenerateTable
SMFunction evaluation order: time base = VMPSMajor
VMPSMajor.GetXMLData Major
VMPSMajor.PingSweep Minor
VMPSMajor.PopulateFromDCR Major
VMPSMajor.GetPortStatus Minor
VMPSMajor.Sweep Major
VMPSMajor.GetBridgeTable Minor
VMPSMajor.GetIpXlateTable Minor
VMPSMajor.GetIpv6XlateTable Minor
VMPSMajor.GenerateTable6 Major
VMPSMajor.GenerateTable Major
Time base VMPSMajor has 5 major nodes and 3 minor traversals.
log4j:ERROR No appenders could be found for category (CTM.common).
log4j:ERROR Please initialize the log4j system properly.
In classlist loader
In classlist loader processing sub classes
updation done
In classlist loader completed
2010/01/13 14:00:03 main MESSAGE DBConnection: Created new Database connection [hashCode = 12524859]
Calling default
Subnet to SubnetData Map Size :73
2010/01/13 14:01:31 DBConnecton-Reaper MESSAGE DBConnection: Closed Database connection [hashCode = 12524859]
2010/01/13 14:01:31 DBConnecton-Reaper MESSAGE DBConnection: Closed Database connection [hashCode = 10969598]
2010/01/13 14:04:50 main MESSAGE DCRDevWrapper: Closing DCRProxy
I'm slowly getting to a dead end here. What am I missing?
Well, our problem was resolved finally through a weird coincidence after having a websession with a Cisco TAC engineer (TAC case SR 613376661)
We changed the
snmp-server group readonly v3 auth context vlan-xxxx
commands in the switches to:
snmp-server group writeonly v3 auth context vlan-xxxx
that is: use the writestring in the snmp-server groups instead of the read string.
After we changed that, all of the User Tracking mysteriously started working.
As far as I know, the writestring should not be needed, but apparently it is....
Is there any explanation for this? -
Dear All
We are running CiscoWorks LMS 2.6
I have scheduled a backup in Common Services > Server > Admin > Backup
My question is, what does this backup actually do?
Does it just backup the CW configuration?
Or does it include data such as devices configuration archive, reports, jobs, device inventory etc
If it does not, anyone have a suggestion of how this can be achieved?
I am looking into DR scenario - i.e. how we can restore net devices if the device AND CW server is destroyed.
Thanks
Phil
Phil;
You may want to move this thread to the Network Infrastructure>Network Management community; they focus on LMS there.
Scott -
Custom device prompt in Ciscoworks LMS
Hello,
In emerging network infrastructure of our client we decided to use some custom prompts at device VTY (SSH and Telnet). Console users are network authenticated by means of ACS, and in case ACS is not reachable, we decided to use login prompts as follows:
Username(local):
Password(local):
In this local mode, when CiscoWorks LMS (3.1) tries to collect configuration of switches, VLAN configuration exactly, we got such error messages in LMS interface:
TELNET: Failed to establish TELNET connection to 10.52.0.1 - Cause: Authentication failed on device 3 times. VLAN Config fetch is not supported using TFTP. Command failed VLAN Config fetch is not supported using RCP.
Of course, we have checked the possibility to got from LMS host to these devices by SSH and Telnet, credentials are correct, only login prompts are as described earlier.
I conclude, we need to tell LMS to accept our custom prompts. Is there any possibility and how to achieve this?
If you're sure the failure is due to the custom prompt, yes, you can simply follow the steps in the following document to let LMS know about that:
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_tech_note09186a00801442c9.shtml -
Ciscoworks 3.2 RME Compliance Management w/ 802.1x Port Configs
I am currently trying to use LMS 3.2 Compliance management to verify and alter our access port configurations for 802.1x. Below is our current configuration:
switchport access vlan XX
switchport mode access
authentication control-direction in
authentication event fail retry 0 action authorize vlan XXX
authentication event no-response action authorize vlan XXX
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
dot1x max-req 1
dot1x max-reauth-req 1
storm-control broadcast level 75.00
spanning-tree portfast
spanning-tree bpduguard enable
I require the configurations to be changed to:
switchport access vlan XX
switchport mode access
authentication event fail action authorize vlan XXX
authentication event no-response action authorize vlan XXX
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 8
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree bpduguard enable
Additionally, I require LMS to verify that the port is indeed an access port with 802.1x already applied to it before adjusting the configurations. I have tried pushing this compliance check out with a prerequisite of having "switchport mode access" applied to it, and then having the next command set state:
Submode: interface [#Ethernet*/*/*#]
- dot1x max-req 1
- dot1x max-reauth-req 1
+ no dot1x max-req 1
+ no dot1x max-reauth-req 1
This was a simple test on a single device to see if I could remove the limits on authentication and requests entered. The job states successful and there are no devices that are non-compliant, however no changes to the device configurations have been made. I seek assistance in command syntax or if there is another way to push this out, as I have about 1k network devices to go through and make these changes.
The following template should do what you want:
Name: Global SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : none Parent: none
Name: Switchport SubMode: Yes isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: none
interface [#FastEthernet.*#]
+[#switchport mode access#]
Name: 802fix SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : Switchport Parent: Switchport
-dot1x max-req 1
-dot1x max-reauth-req 1
Note that I have changed to [#FastEthernet.*#] to be applied on
FastEthernet interfaces. -
CiscoWorks LMS 4.0 does not show the devices
Hello.
I have CiscoWorks LMS 4.0, and from one moment to the next it stopped showing me the devices it had recognized. I tried everything and nothing worked; finally I uninstalled and installed it again and got the same result: it recognizes the devices but does not show them to me.
Who can guide me in finding out what problem I am experiencing?
Thanks.
Jose Luis Diaz Ortega
Systems Engineer.
Network Administrator.
Thanks.
Yes, previously it showed me all the devices in the inventory and likewise in the monitor option, but when I tried to make a modification in the configuration section it did not display the devices. Since I had this problem, what I did was install the application again; I ran discovery and it recognizes the devices, but now it shows me nothing in inventory or in the monitor option.
I have always worked with version LMS 4.
inventory option
monitor option
The following image shows the devices that resulted from the discovery that was run; this means it finds them but does not show me any information in the inventory and monitor options.
Jose Luis Diaz Ortega
Systems Engineer.
Network Administrator. -
CiscoWorks LMS 4.0 Time Zone Problem
Hi,
CiscoWorks LMS 4.0 timezone is VET. I know that LMS time is synchronized with system time. However, system time is correct but LMS's time is wrong.
-I restarted LMS CW Daemon Manager
-I re-installed LMS
My problem still exists.
What should I do to synchronize the time?
Thank you for your help.
My setup files were corrupted. I tried new setup and LMS successfully installed.