RME/compliance mgmt - deploy ntp

Similar Messages

• RME - Compliance Management - Deploy strangeness

  Hi All,
  Here is an interesting one. Got a selection of Compliance management jobs and am having trouble with the deploy phase. Basically I am looking for the following on a series of devices and then removing it.
  - [#radius-server host.*#]
  So when this runs, it matches what I expect (shown below)
  no radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXX
  However when I deploy this, the line above remains on the device?
  I have tried changing the compliance check to
  - radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXX
  To see if its a regex problem of some form and the job does exactly the same, i.e. it matches the line and tries to deploy however doesn't work?
  Any ideas?

  Hi Yidabear,
  Its not a pre-requisite problem as the pre-requisites are fillfilled and hence it deploys the rest of the config to the devices in question. For some reason it is just this one line that it has a problem with. Strangely enough, we had a similar issue with the same format of TACACS server line. It seems to happen when you have the "key 7 xxxxxxxxx" value at the end? Even though it finds it and tried to remove it it fails.

• Compliance Mgmt

  Hi,
  I need Compliance mgmt help.
  I want to run a command against 2500 switches that make all Fast Ethernet ports implement as speed auto & duplex auto, except Gig port and trunk ports. Any help appreciated.
  THANKS
  I am using;
  LMS:3.2
  RME: 4.3
  CM:5.2.1

  Since you have RME 4.3, you might also consider using a Netconfig port-based job.  To do this, go to RME > Config Mgmt > Netconfig > Netconfig Jobs and create a new port-based job.  Define an custom group with the ruleset:
  Port.PortName StartsWith "Fa" AND
  Port.CM.AccessStatus = "Configured"
  Then select the Adhoc task, and enter the IOS commands:
  speed auto
  duplex auto
  Deploy that to all of the required switches and that will accomplish what you want.  Note: this requires that all switches are managed by Campus Manager.

• Ciscoworks LMS 3.2 - Compliance mgmt negation problem

  Hi,
  Strange problem, that I am sure is being caused by me.
  Basically trying to run an advanced Compliance mgmt job, looking for a set of pre-requisites (this is working) and then removing all non compliance SNMP community strings from a sample device.
  I use two lines for this removal
  - snmp-server community [#!testR[OW]mon#] [#.*#] [#.*#]
  - snmp-server community [#!SNMP#] [#.*#] [#.*#]
  From what I see, this should remove all snmp-server communities from a device other than "testROmon", "testRWmon" and "SNMP". Obvious caveat is that they would all need to have two words after this (in this case, these are ro or rw and an ACL).
  When I run this it seems to try and remove twice as many snmp community strings as there actually are on the device config? So I guess the core questions are: -
  1) Does the above look sound and would it do what I think
  2) Does the Compliance management engine parse the entire config independantly for each line of the above and hence explain why I am getting more removals than I would expect or is there a problem somewhere?
  Any help on this appreciated as its driving me nuts

  Thanks Joseph,
  So if I also wanted to remove all SNMP traps bar: -
  snmp-server host 10.10.10.x (where x is any ip in the last octet)
  From a device, would I use
  - [#snmp-server host (!#10\.10\.10\..*#).#]
  Or doesn't this make sense?

• RME Baseline Templates compliance and deploy regular expression

  Hi:
  I have a large number of 3750 stacks consisting of a variable amount  , from 1 to 6, switches. I need to add to all
  FastEthernet interfaces from 2/0/1 to n/0/24 a command , under the interface. That is on the 1st and if only one switch do nothing, and for all other switches, be it 2 or 3 etc switches under each interface add a one line command.
  I  have not found the correct syntax to have only the interfaces I need to be effected. For example:
  interface [#FastEthernet.*#]   picks all interfaces including the ones on the 1st switch which I don't want to change.
  Interface [#fastEthernet[2-9].*#]  ignores all interfaces.
  I have tried various forms of syntax for the regular expression   but either hit all interface or none.
  Does anyone know how to format the request properly.
  Thanks in advance
  Mickey

  This regexp should work:
  interface [#FastEthernet(1[0-9]+|[2-9][0-9]*)/.*#]

• Compliance Check/Deploy DCMA0058 error

  Hi
  Using LMS 3.2 RME 4.3.0. I'm trying to deploy baseline config after compliance check. When I select compliance check job and click deploy i got this error:
  "DCMA0058: Could not deploy selected Job.
  No compliance report available."
  But the report in baseline jobs window i available.
  Any ideas what should i check ??

  Please run a device update from Common Services --> Software Center --> Device Update --> Select RME under products and check for updates from Cisco.com and install all the device packages.
  Duplicate the problem again after update and post the error if it appears again.

• LMS RME Compliance Mgtm - Template Question

  Hello
  I have LMS 3.2 on Windows. I have a question about compliance template. How I can describe unknown values in template? For example: I have routers with 2 - 3 syslog server (on each router they are different) and I want remove all of them and add new.
  Regards,
  Stanislav Kuchma

  I have syslog 10.0.0.1 10.0.0.2 (and in routers config i have several "bad" syslog with "random" addresses):
  If i wrote:
  +   logging   10.0.0.1
  +   logging   10.0.0.2
  -   logging  [#?!(10\.0\.0\.1)#]
  RME tries remove all syslog servers ("good" and "bad")
  If i wrote:
  +   logging   10.0.0.1
  +   logging   10.0.0.2
  -   logging  [#(?!10\.0\.0\.1)#]
  RME says ok and don't remove "bad" servers

• What means "commandLets" in Compliance mgmt in LMS 4.1

  Hi,
  I provided a compliance check using an advanced template. This check shows me a lot of non-compliant interfaces on one device. I would like to deploy the compliant configuration's commands to the non-compliant interfaces - so I click on the button deploy. The next window shows me: device, commands and commandlets. In the commandlets frame two templates are seen: dot1 and dot2 - these templates are components of the advanced template. After these templates is some number in the parentheses like pod1(000), pod1(0045), pod2(0075). My question is what these numbers mean, because I can select one of them??
  Thank you very much
  Roman  

  Hi Leolaohoo,
  It is no duplicate post. I tried to search this problem on Cisco Support Community and there is no same problem. If are you right, so send me this link, please.
  The customer has a problem that he see no phone registered on the CUCM in the LMS 4.1. UT discovered the phone, but the customer has no detail information about this phone.
  Roman

• RME compliance - IOS 12.0 vs 12.2 username command

  The difference between IOS 12.0 and 12.2 for the username command is that 12.2 allows 'secret password'.
  I wanted to create a single template where RME would first check the 'version' statement that's in the configuration. If it's 12.2, configure a username with a secret password. If it's not 12.2, then configure the basic username with password.
  I ran the compliance check and it was not recognized by the job. Looking to see if anyone has tried something similar and can offer alternatives.
  Here's my template:
  Name: Check122     SubMode: No      isPrerequisite: Yes
  Ordered : No     Prerequisite-Commandset : none     Parent: none
    +   version   12.2
  Name: 122EnablePasword     SubMode: No      isPrerequisite: No
  Ordered : No     Prerequisite-Commandset : Check122     Parent: Check122
    +  [#username   networkadmin   privilege   15   secret   .*#]
  Name: CheckNon122     SubMode: No      isPrerequisite: Yes
  Ordered : No     Prerequisite-Commandset : none     Parent: none
    +  [#!version   12.2#]
  Name: Non122EnablePassword     SubMode: No      isPrerequisite: No
  Ordered : No     Prerequisite-Commandset : CheckNon122     Parent: CheckNon122
    +  [#username   networkadmin   password   .*#]

  What version of RME do you have?  I see one potential problems here.  Your NOT case regular expression.  Instead of [#!version 12.2#], you want:
  + version [#!12\.2#]
  But that may still cause a problem if you have any 12.3 or higher devices.  Maybe something like:
  + version [#12\.[01]#]
  Then, for the later versions:
  + version [#(15\.[0-9]|12\.[234])#]
  Please support CSC Helps Haiti
  https://supportforums.cisco.com/docs/DOC-8895
  https://supportforums.cisco.com

• LMS RME Config Mgmt Partially Successful

  Hi,
  From the various posts around here, I read that, in Config Mgmt, LMS connects through Telnet or SSH to devices, then uses TFTP to send configs.
  In my network, I run SSH on my devices. Device Credentials Verification Job is successful for sw1 and sw2, which by the way are Catalyst 4948. However, in Config Mgmt, they are displayed as Partially Successful.
  I wanted to test manually by connecting to the device through SSH then issuing TFTP copy. I found that "vlan.dat" is not under Flash; it's under  Cat4000_flash.
  So how do I tell LMS to fetch under Cat4000_flash instead of Flash, for this model of switches?
  thanks

  Have a look at this thread:
  https://supportforums.cisco.com/thread/2087520
  Don't worry about the cat4000_flash.  RME knows to use that file system.  So make sure that manual TFTP copy works.

• RME compliance negative prereq -- bug CSCsv25190

  Using Ciscoworks LMS 3.2 , RME 4.3
  Using baseline compliance to get rid of a statement in interface sub-mode:
  interface Vlan[#.*#]
  - standby [#.*#] track TenGigabitEthernet1/2 30
  the [#.*#] is needed because the standby group number is different.
  After doing a compliance check, I'm coming up with the symptoms for bug CSCsv25190.
  According to the bug ID, this should be resolved in RME 4.3.
  Just want to check if maybe the bug isn't resolved or my syntax is incorrect.

  Actually, there is another bug in RME 4.3 that occurs when using negative prereqs with regular expressions: CSCta80687.  There is currently no workaround, but a fix is execpted in LMS 4.0 due out this summer.

• Ciscoworks 3.2 RME Compliance Management w/ 802.1x Port Configs

  I am currently trying to use LMS 3.2 Compliance management to verify and alter our access port configurations for 802.1x. Below is our current configuration:
  switchport access vlan XX
  switchport mode access
  authentication control-direction in
  authentication event fail retry 0 action authorize vlan XXX
  authentication event no-response action authorize vlan XXX
  authentication port-control auto
  authentication periodic
  dot1x pae authenticator
  dot1x timeout quiet-period 10
  dot1x timeout tx-period 10
  dot1x timeout supp-timeout 10
  dot1x max-req 1
  dot1x max-reauth-req 1
  storm-control broadcast level 75.00
  spanning-tree portfast
  spanning-tree bpduguard enable
  I require the configurations to be changed to:
  switchport access vlan XX
  switchport mode access
  authentication event fail action authorize vlan XXX
  authentication event no-response action authorize vlan XXX
  authentication port-control auto
  authentication periodic
  dot1x pae authenticator
  dot1x timeout tx-period 8
  storm-control broadcast level 10.00
  storm-control multicast level 10.00
  spanning-tree portfast spanning-tree bpduguard enable
  Addtionally, I require LMS to verify that the port is indeed an access port with 802.1x already applied to it before adjusting the configurations. I have tried pushing this compliance check out with a prerequisite of having "switchport mode access" applied to it, and then having the next command set state:
  Submode: interface [#Ethernet*/*/*#]
  - dot1x max-req 1
  - dot1x max-reauth-req 1
  + no dot1x max-req 1
  + no dot1x max-reauth-req 1
  This was a simple test on a single device to see if I could remove the limits on authentication and requests entered. The job states successful and there are no devices that are non-compliant, however no changes to the device configurations have been made. I seek assistance in command syntax or if there is another way to push this out, as I have about 1k network devices to go through and make these changes.

  The following tempalte should do what you want:
  Name: Global     SubMode: No      isPrerequisite: No
  Ordered : No     Prerequisite-Commandset : none     Parent: none
  Name: Switchport     SubMode: Yes      isPrerequisite: Yes
  Ordered : No     Prerequisite-Commandset : none     Parent: none
    interface   [#FastEthernet.*#]
  +[#switchport mode access#]
  Name: 802fix     SubMode: No      isPrerequisite: No
  Ordered : No     Prerequisite-Commandset : Switchport     Parent: Switchport
  -dot1x max-req 1
  -dot1x max-reauth-req 1
  Note that I have changed to [#FastEthernet.*#] to be applied on
  FastEthernet interfaces.

• RME compliance template question

  Using LMS 3.2, I've started learning how to use the compliance templates. I have a question regarding the regex matching, and I can't seem to find
  an answer in the docs or in the forum posts. I do admit that I have not dug real deep in the forums.
  My question is: is there a regex to ignore case? For instance, if I have the line:
  clock timezone est -5           in some configs, and
  clock timezone EST -5          in others
  is there a way to tell the template that upper case and lower case are acceptable matches?
  Thanks for any help - chris

  ok, I got a handle on how the regexes work. It took about 6 or 7 edits of the template but I finally did get it right. fyi, for the above example, the template would look like:
  +clock timezone [#est|EST#] -5
  chris

• RME-Compliance check job failed and Execution status display notattempted

  Dear All,
  We did a compliance check job schedule one time/a day.but unfortunately it failed as below:
  Execution Summary
  Pending : 0
  NotAttempted : 361
  Successfull : 0
  Failed : 0
  Partial Success : 0
  How can i do?
  Thanks!

  Use this document:
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.0/user/guide/over.html

• Ciscoworks LMS 3.2 compliance mgmt negation problem 2

  Sorry one more question,
  If I also wanted to remove all SNMP traps bar: -
  snmp-server host 10.10.10.x (where x is any ip in the last octet)
  From a device, would I use
  - [#snmp-server host (!#10\.10\.10\..*#).#]
  Any help appreciated

  Thanks Joseph,
  But if the line is say: -
  snmp-server host 10.10.10.1 testROmon
  Would I not need the .*# for the extra word? I guess this would only be needed if I were also searching for variations in this word?