Compliance Template
I'm trying to set up a compliance template to check and deploy a configuration change based upon the following criteria:
All switches, any FastEthernet interface with an interface description containing the string "bmg" should have the command no snmp trap link-status.
Anybody help please??
I want to do something very similar to this. I need to add the logging event link-status command to any interface that has a description that begins with LWAP:
This example seems to suggest 2 separate templates. Are these 2 Advanced templates? The example in the help file suggests Command Sets within one template. Any guidance would be appreciated, thanks.
Similar Messages
-
LMS 4.2.3 baseline compliance template and standard ACL
When using a baseline compliance template to check and deploy a standard ACL, I encountered what seems to be a bug:
I configured a template with these commands:
+ip access-list standard 21
+; Hosts allowed access
+ permit host 10.20.30.40
+ permit host 40.30.20.10
+ deny any log
When I do compliance check and deployment, the last line is dropped by LMS.
In fact, when I look into the job's "Work Order", the commands are:
ip access-list standard 21
; Hosts allowed access
permit host 10.20.30.40
permit host 40.30.20.10
After the job run, "show running-config" shows the access list matching the "Work Order" (without the "deny any log" command.)
Is this a bug?
Doesn't have any issues on my Lab 4.2.4. Following is the Job Work Order:
Name:
Archive Mgmt Job Work Order
Summary:
General Info
JobId: 2704
Owner: admin
Description: test_acl
Schedule Type: Immediate
Job Type: Compliance Check
Baseline Template Name: test_acl
Attachment Option: Disabled
Report Type: NA
Job Policies
E-mail Notification: Not Applicable
Job Based Password: Disabled
Device Details
Device
Commands
Sup_2T_6500
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
10.104.149.180
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
Check your template, or export it and share, I will try it on my LMS server. Also, check the same compliance job on other devices if you have such issues.
-Thanks
Vinod
**Rating Encourages contributors, and its really free. ** -
LMS 3.2 Compliance Template syntax help
I want to add the command "no logging event link-status" to all switchport mode access ports EXCEPT for the ones with the following switchport access vlans: 4022,4032,4042,4052,4072 & 4082. How do I create a compliance template to do this?
LMS 3.2, RME 4.3.1
Tried it & it didn't work. Here is a sample config of the ports. Command should not deploy on ports fa1 & 3 & gi1 but should deploy on fa2,4-8.
interface FastEthernet0/1
description NetOps Data/VoIP
switchport access vlan 4082
switchport mode access
switchport nonegotiate
switchport voice vlan 4083
snmp trap mac-notification change added
spanning-tree portfast
ip dhcp snooping trust
interface FastEthernet0/2
description NetOps Data/VoIP
switchport access vlan 661
switchport mode access
switchport nonegotiate
switchport voice vlan 4083
snmp trap mac-notification change added
spanning-tree portfast
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
spanning-tree bpduguard disable
ip dhcp snooping trust
interface FastEthernet0/4
description NetOps Data/VoIP
switchport access vlan 661
switchport mode access
switchport nonegotiate
switchport voice vlan 4083
ip access-group POLICY in
authentication order dot1x mab webauth
authentication port-control auto
authentication fallback WEB_AUTH_PROFILE
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
no lldp transmit
spanning-tree portfast
interface FastEthernet0/5
description NetOps Data
switchport access vlan 661
switchport mode access
switchport nonegotiate
interface FastEthernet0/6
description NetOps Data/VoIP
switchport access vlan 661
switchport mode access
switchport nonegotiate
switchport voice vlan 4083
snmp trap mac-notification change added
spanning-tree portfast
interface FastEthernet0/7
description VoIP Phone 43170
switchport access vlan 661
switchport mode access
switchport nonegotiate
switchport voice vlan 4083
snmp trap mac-notification change added
interface FastEthernet0/8
description Docking Station
switchport access vlan 661
switchport mode access
switchport nonegotiate
switchport voice vlan 4083
snmp trap mac-notification change added
interface GigabitEthernet0/1
description Feed from c3750uhs011a fa3/0/30
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
rmon collection history 10101 owner campusmanager buckets 10 interval 300
spanning-tree portfast trunk
spanning-tree bpduguard disable
ip dhcp snooping trust -
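An offline cross-check for the rule in this thread, added here as an example and not taken from the posts or from LMS: it reads a running-config and lists the access ports that should receive the command. The sample config is constructed from the poster's ports (trimmed, with IOS indentation restored), and the function names are hypothetical.

```python
import re

EXCLUDED_VLANS = {4022, 4032, 4042, 4052, 4072, 4082}   # VLAN list from the post
COMMAND = "no logging event link-status"                 # command from the post

# Constructed sample: some of the poster's ports, cut down to the lines the rule reads.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 4082
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 661
 switchport mode access
!
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/4
 switchport access vlan 661
 switchport mode access
 no snmp trap link-status
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-mode lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None          # "!" or a global line closes the block
    return blocks

def ports_needing_command(config):
    """Access ports outside the excluded VLANs that lack COMMAND."""
    todo = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue                # trunks and routed ports are out of scope
        # An access port with no explicit VLAN line sits in VLAN 1.
        vlan = next((int(l.split()[-1]) for l in lines
                     if l.startswith("switchport access vlan ")), 1)
        if vlan in EXCLUDED_VLANS or COMMAND in lines:
            continue
        todo.append(name)
    return todo

def work_order(config):
    """Commands to push, in the same shape as an LMS work order."""
    out = []
    for name in ports_needing_command(config):
        out += [f"interface {name}", f" {COMMAND}"]
    return out
```

Comparing this list with the work order a compliance job generates shows quickly whether the template's conditions select the ports intended.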
RME compliance template question
Using LMS 3.2, I've started learning how to use the compliance templates. I have a question regarding the regex matching, and I can't seem to find
an answer in the docs or in the forum posts. I do admit that I have not dug real deep in the forums.
My question is: is there a regex to ignore case? For instance, if I have the line:
clock timezone est -5 in some configs, and
clock timezone EST -5 in others
is there a way to tell the template that upper case and lower case are acceptable matches?
Thanks for any help - chris
OK, I got a handle on how the regexes work. It took about 6 or 7 edits of the template but I finally did get it right. FYI, for the above example, the template would look like:
+clock timezone [#est|EST#] -5
chris -
LMS 3.1 Assistance with compliance template
I need to add the logging event link-status command to any interface that has a description that begins with LWAP
This is what I have, but it does not work:
Name: Global SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : none Parent: none
Name: CheckDescr SubMode: Yes isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: Global
interface [#GigabitEthernet.*#]
#To check for existence of command enter
+ [#description .*LWAP.*#]
Name: AddLoggingEventLinkStatus SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : CheckDescr Parent: CheckDescr
+ logging event link-status
Thanks for any help.
Looks like a problem with virus scanning on the server side. Here are the contents of the template:
<?xml version="1.0" encoding="UTF-8"?>
[#description .*WLAN.*#]
interface [#FastEthernet.*#]
logging event link-status
CheckDescr -
LMS RME Compliance Mgtm - Template Question
Hello
I have LMS 3.2 on Windows. I have a question about compliance templates. How can I describe unknown values in a template? For example: I have routers with 2 - 3 syslog servers (on each router they are different) and I want to remove all of them and add new ones.
Regards,
Stanislav Kuchma
I have syslog 10.0.0.1 10.0.0.2 (and in the routers' config I have several "bad" syslog servers with "random" addresses):
If I wrote:
+ logging 10.0.0.1
+ logging 10.0.0.2
- logging [#?!(10\.0\.0\.1)#]
RME tries to remove all syslog servers ("good" and "bad")
If I wrote:
+ logging 10.0.0.1
+ logging 10.0.0.2
- logging [#(?!10\.0\.0\.1)#]
RME says OK and doesn't remove the "bad" servers -
LMS 4.0 Prerequisites of baseline templates are ignored if used for direct deploy
Hi all,
I want to use baseline templates for conditionally configuring several hundred access switches.
What I expect to work:
Write a baseline template with prerequisites and parameters and use
Configuration> Compliance> Compliance Templates> Direct Deploy
The baseline template works perfect for
Configuration> Compliance> Compliance Templates> Compliance Check
if I use regex instead of parameters
- compliant devices are detected
- commands are generated only for non compliant devices
But I don't want to enter several hundred parameters manually if
I want to deploy the job after compliance check...
If I change the regex into a parameter then direct deploy will unconditionally
generate the commands, regardless whether the prerequisites are met or not.
Is this by design or a bug?
My task is simple:
If interface Vlan1 has an IP address matching a certain pattern I want to deploy the global command
ip default-gateway [same-prefix-as-interface-vlan1].1
Like I mentioned above: the regexes are OK: compliance check works as expected
When the regexes are changed to a parameter the command ip default-gateway will
always be generated regardless whether the prerequisite is met or not.
Any thoughts or insight?
Regards, MiKa
Solution was simple:
In one of the old release notes (Cisco Resource Manager Essentials, around 2009) I found a note that prerequisites in templates are not supported with direct deploy. There are no notes for newer releases but the behaviour is exactly like described.
Another documentation error...
Rgds, MiKa -
Compliance Management in LMS 3.2
I'm having a hard time getting Compliance Manager to accept a "banner login" command I'm attempting to use on 6500 IOS switches. I've edited the template, tried cut-&-paste, looked for the archive file on the server to directly modify it (without success), among other things. I have this feature functioning correctly on CatOS switches, but can't seem to get it properly set on IOS switches. What's the limit, as far as the template is concerned, on the number of characters with this type of command? Where are the archive configs located on the server; in the "shadow" directory?
Thanks,
Rick
Not sure what you mean when you say "not accepting", but I had some trouble with compliance templates and checking banners. My issue was with multi-line commands as mentioned in the last post of this thread: https://supportforums.cisco.com/message/638950#638950
Once I put the in the template it worked fine. The thread is discussing LMS 2.6 but was applicable in my 3.2 environment. Hope that helps. -
How to determine which processes are using a module?
I want to find out which processes are using a kernel module.
However this info is shown neither with ``lsmod'' nor in
/sys/modules/<mod_name>/.
It's needed to reload certain modules which are acting buggy,
in a bash script. Right now I just keep a list of processes which
use the module and try to kill'em all, not exactly a beautiful
solution.
To work around it I compiled a kernel with
``CONFIG_MODULE_FORCE_UNLOAD=y'', however actually
trying to unload anything with this results in an unstable system.
Suggestions?
After successfully syncing the configuration database I ran the configuration compliance job once more, however with the same (misleading) results. Cross-checking the configuration reveals that none of the devices marked as compliant are actually having the "ip helper-address" configured.
Maybe it is something wrong with the input data I specified for the compliance template (ref step 1-6 in my first post)?
Or maybe the Compliance Jobs aren't the best ways to determine whether or not my devices are having the "ip helper-address" configuration defined? -
Using VCM to compare hardware metrics on physical servers
Hi,
I have a large physical server estate (mix of Win, RHEL and Solaris) which all have had the latest VCM agent installed.
What I want to do with VCM is to select one physical machine and make it a baseline, then compare other physical servers to that baseline. Physical servers will be grouped into clusters (per application) and then into tiers (e.g. Test). I want to be able to check compliance of a clustered application against a single baseline physical server, then other application clusters within a tier, then tiers against other tiers.
Can anyone give me a starter for 10 on creating a compliance template from an existing physical machine?
Note: I'm interested in hardware only at this point (driver metrics, BIOS etc) - OS comparison will come down the line.
Many thanks in advance,
Cheers.
Jeremy.
If you want to keep the data from the baseline machine(s), even if the machines themselves change, or are removed, later, you should create VCM Snapshots for them.
These are managed under Administration\Machines Manager\VCM Snapshots. The Help for this node provides more detail about this feature. Basically, you first need to collect all the data you will be interested in including in the baseline, and then create a Snapshot to make a static copy of the data in the VCM database that will act like another machine entry.
To compare machines to a baseline machine, or to a baseline VCM Snapshot, use the Compare Machines action from Compliance\Machine Group Compliance\Templates node. Again, the Help provides a lot more information about this feature. -
Netconfig job on the interface level
I am trying to create a netconfig job to remove ip helpers from my vlan interfaces. Is this possible? How can this be accomplished? Thank you for your input.
This might be better accomplished with a baseline compliance template instead of a Netconfig job. Create a new advanced baseline template with the following configuration:
Submode: interface [#Vlan.*#]
Body:
- ip helper-address [HELPER]
That should remove all ip helper-address entries from all Vlan interfaces. -
Upgrading from LMS 4.1 to Cisco Prime Infrastructure
Looking for some information and confirmation on the upgrade process.
Currently we are running LMS 4.1 with a valid SAS Service Contract which will allow me to upgrade to Prime Infrastructure 1.1 or Prime Infrastructure 1.2 using the upgrade tool at no charge. After using the tool I am given access to download PI1.1 or PI1.2, however, it only actually let me download PI1.1 but said I do not have the proper permissions to download the 1.2 license. I also noticed that the software images for 1.2 are not available on the Cisco download page.
I am wondering what the latest version of Prime Infrastructure I will be able to upgrade to without an additional purchase. Can I upgrade all the way up to 1.4 or can I only go up to 1.2 (but then where is the download for the software).
If I can upgrade to 1.4 then what path should I take? 1.1 to 1.3 to 1.4? Just skip 1.2 since the download is not available and it will not let me download the license file?
Thank you for your help
LMS 4.x to Prime 1.x would not be considered a functional or recommended "upgrade" for most intents as you would lose several major capabilities (Topology, Ciscoview, many reports, compliance templates, etc.). Your best path right now would be to move your LMS along to the current version - 4.2.4. The release notes explain the upgrade path for that.
Licensing and upgrade eligibility-wise you need SASU for PI (not plain SAS for LMS) for major upgrades (i.e to go to 2.0). An LMS SAS contract entitles you to migrate to PI 1.2 which in effect means 1.3 although Cisco had some issues with updating the ordering system so there was not actually a SKU for PI 1.3 sold - only the 1.2 version which, when combined with your LMS SAS service contract, entitles you to move to PI 1.3 (or 1.4 but that's not generally recommended). More details are in the Prime Ordering and Licensing Guides here.
Personally, I recommend customers with existing LMS 4.x installations wait until PI 2.1 comes out to consider the upgrade. 2.0 still misses several tools present in LMS 4.x.
If you really want to move over to PI, you can export the data from LMS 4.2.4 and import into PI 1.3 (or 2.0). -
Create a single e-mail for a datastore 5GB free
Have created a Compliance Template to check if a datastore has less than 5GB free space, an Alert and configured the alert (VE Alert Configuration).
Issue is that it sends an e-mail for every host that is connected to a given datastore.
Want just a single e-mail per Datastore.
Thoughts?
You can configure it using:
Get one host of cluster to create a filter
Filter -
Host = 'CCC'
and create a rule using:
Data Type: vCenter – Hosts – Storage – Summary
Rule Type: Conditional (if/then)
IF
Datastore name = 'xxxxx' OR
Datastore name = 'yyyyyyy' OR
Datastore name = 'zzzzz' OR
THEN
Free Space (GB) > '5'
After complete, run a template to test and see results. -
Regular Expression for physical interfaces only
Working on creating a compliance template to make sure NetFlow is enabled on physical router interfaces.
My initial expression is -- interface [#Serial.*|.*Ethernet.*|ATM.*#]
This expression works in that it checks all Serial, FastEthernet, GigabitEthernet, and all ATM interfaces. It also checks sub-interfaces.
I would like to alter my template to ignore sub-interfaces like:
Serial 0/0.100
FastEthernet 0/0.500
I'm not sure how to set up the expression to ignore interfaces that have a "." (dot) in the interface name. Maybe there's another solution that doesn't need regexp?
Thanks.
What about:
[#(Serial|.*Ethernet|ATM)[0-9/]+#] -
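The pattern from the reply above and the lookahead attempts from the syslog thread earlier on this page, run against constructed inputs. This is an added example, not code from the posts or from LMS: it uses Python's re module and assumes the text between [# and #] is an ordinary regex that has to match the whole rest of the config line (modelled with re.fullmatch); the helper names are hypothetical.

```python
import re

IFACE_PATTERN = r"(Serial|.*Ethernet|ATM)[0-9/]+"      # from the reply above
ANCHORED_IFACE = r"^(Serial|.*Ethernet|ATM)[0-9/]+$"   # same pattern, explicitly anchored

# Constructed interface names in running-config form (no space before the number).
INTERFACES = ["Serial0/0", "Serial0/0.100", "FastEthernet0/0",
              "FastEthernet0/0.500", "GigabitEthernet0/1", "ATM1/0",
              "ATM1/0.1", "Loopback0", "Vlan1"]

def select(pattern, values, whole=True):
    """Values the pattern accepts, under whole-string or substring matching."""
    match = re.fullmatch if whole else re.search
    return [v for v in values if match(pattern, v)]

# Syslog thread: servers to keep, and a constructed list of what a router has.
GOOD_SERVERS = ["10.0.0.1", "10.0.0.2"]
CONFIGURED = ["10.0.0.1", "10.0.0.2", "10.0.0.10", "192.168.7.9"]

LOOKAHEAD_ONLY = r"(?!10\.0\.0\.1)"   # second attempt from the post: consumes nothing

def stale_pattern(allowed):
    """Regex that accepts any address except the allowed ones.

    The $ inside the lookahead keeps 10.0.0.10 from being treated as 10.0.0.1,
    and the trailing \\S+ gives the pattern something to consume.
    """
    alternatives = "|".join(re.escape(a) for a in allowed)
    return rf"(?!(?:{alternatives})$)\S+"

def physical_interfaces():
    return select(IFACE_PATTERN, INTERFACES)

def stale_servers():
    return select(stale_pattern(GOOD_SERVERS), CONFIGURED)

if __name__ == "__main__":
    print("whole-string :", physical_interfaces())
    print("substring    :", select(IFACE_PATTERN, INTERFACES, whole=False))
    print("anchored     :", select(ANCHORED_IFACE, INTERFACES, whole=False))
    print("lookahead    :", select(LOOKAHEAD_ONLY, CONFIGURED))
    print("stale servers:", stale_servers())
```

Under substring matching the unanchored pattern still accepts the sub-interfaces through their prefix, so the anchored form is the safer one to carry between tools.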
Hi All,
I'm not able to delete a forward/back button pair from a template (compliance template, I think). I WAS able to delete those buttons on the first slide where they appeared, but they are appearing on 2 other later slides, and I can't delete those, or even go into their properties.
When I right click them, I go to slide properties. I've played with various options in Settings, to no avail. Any help appreciated!
Kelly
Hi there
If you click the Eye icon in the Timeline to hide all objects, do the buttons disappear then?
Cheers... Rick