09-27-2007 12:14 AM
Hi,
I have just installed LMS 3.0 in the hope that the upgrade costs would mean that a whole lot of new features would be apparent.
On the whole the main interface looks a little more polished, and it's useful that the product now works correctly with Firefox and IE7 and possibly more fluid in changing between screens. Other than that it's a lot of money to spend on the front end interface, with the same backend applications as in LMS2.6. It seems a bit premature to call this LMS3.0; it should have been called a conservative 2.8.
Anyway, back to my topic: the Baseline Template for Compliance checking does not seem to work as desired, if at all.
Even trying the built in Templates yields success on configs which should fail.
It seems that if you do a check for access list statements the job will be successful if just the access-list is configured no matter what conditions follow the access-list.
E.g.:
I'm doing a check for:
access-list 81 permit 10.10.10.10
so following the template example I copy the template with the required changes.
When run on a config that has:
access-list 81 permit 11.11.11.11
it will come back as successful.
When run on a config that has:
access-list 82 permit 11.11.11.11
It is still successful.
This isn't to say that I only get successes, if trying the template 2 with Class statements the only time it fails is if the config does not exist.
Surely this feature would have been greatly improved/functional considering the charge for the software, and it does mean unfortunately that I would have to invest in a config/compliance application.
I do like the individual application summary screens, which has given dfm a little more use, however the alerts and activities is still inefficient in being the type of screen that you can use as your main display for realtime alerts, as opposed to the original screen a couple years back where you could create a type of portal interface with different windows for different groups, and had alerts flash up.
Just my thoughts;-)
I'm sure if there was more money internally for the development of this product it would have the possibility to be the one stop NMS shop for Cisco Products however, we're still having to use one 3rd Party application for real time monitoring, Ciscoworks for Configuration/Software management.
09-27-2007 10:30 AM
What you are seeing is NOT expected. Please provide the template you are using as well as a sample config. There must be a template issue as:
+ access-list 80 permit 10.10.10.10
Will NOT match:
access-list 80 permit 11.11.11.11
09-28-2007 01:02 PM
Hi,
The template I am using is a copy of the inbuilt template:
Name: Global SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : none Parent: none
Name: accesslist SubMode: No isPrerequisite: No
Ordered : Yes Prerequisite-Commandset : none Parent: none
+ access-list 82 permit 10.10.10.10
General Info
----------------------------------------------------------------------------------------------
JobId: 1082
Owner: admin
Description: test2
Schedule Type: Immediate
Job Type: Compliance Check
Baseline Template Name: AccessList_82_6500
Job Policies
----------------------------------------------------------------------------------------------
E-mail Notification:
Job Based Password: Disabled
Device Details
----------------------------------------------------------------------------------------------
Device Commands
access-list 82 permit 10.10.10.10
SW.DIST.6509.LEFT
access-list 82 remark This list Specifies Allowed TFTP Servers
access-list 82 permit 12.12.12.12
Job Summary
Status: Successful
Start Time: Fri Sep 28 21:52:13 BST 2007
End Time: Fri Sep 28 21:52:16 BST 2007
Device Summary
Successful: 1
Failed: 0
Partially Successful: 0
Pending: 0
Not Attempted: 0
Execution Message
Pre-Execution:
Post-Execution:
09-28-2007 01:30 PM
I don't see any indication that the device was compliant with this template. Just because the job completes successfully doesn't mean the device was compliant.
09-29-2007 02:03 AM
Hi,
Where is the result of the compliance supposed to be displayed other than in the work log?
Miron
09-29-2007 09:14 AM
RME--> Config Mgmt--> Archive Mgmt--> Baseline Templates--> Baseline Jobs
(click on the results listed under Compliant/Deployed Device(s))
HTH,
-J
09-30-2007 11:41 PM
J,
Thanks mate, that explains a lot. That's quite embarrassing to miss the obvious.
Thanks
10-01-2007 12:52 AM
Follow on Question.
If you have an access list with a remark statement
access-list 80 remark This access Is a test
access-list 80 permit 10.10.10.10
with a template of
+[#access-list 80 remark This access Is a test#]
+access-list 80 permit 10.10.10.10
I am able to run this against a compliant config and get a compliant result, however if I attempt to deploy it against an uncompliant config the job runs unsuccessfully, after correctly deciding that the config is uncompliant it only manages to add the
"access-list 80 permit 10.10.10.10"
statement.
It seems that it is a problem with the regex expressions being applied.
Anyone have any thoughts?
10-01-2007 07:58 AM
Anything in [] must be replaced by an actual command in order for it to be deployed. See the online help regarding substituting parameters. You will either need to do this in the GUI when deploying your template or via a parameter file.
10-04-2007 01:56 AM
Hi,
Thanks for that advice, I did look at that before however it didn't seem to behave as expected.
I have a template which includes two command sets for two different access-lists.
However I had to make the one a prerequisite or it would do a compliancy check against it. The compliancy check works using regex in both however the deploy would only allow you to change the regex on the one that was not a prerequisite.
If you take off the prerequisite requirement, the compliance no longer works correctly, and you get an error when you attempt to edit the regex of the first commandlet.
Is it recommended to check different access-lists in the same or different command sets?
Regards
Miron
10-04-2007 04:33 PM
Unfortunately, the ACL management capabilities of baseline compliance are fairly weak compared to the old Access List Manager product. It sounds like you need to separate these command sets into different templates. But without seeing the specific template as well as the intended goal, I cannot say for certain.
As for the behavior of not being able to deploy a prereq, this is expected.
10-05-2007 05:46 AM
j,
Thanks mate, good to know.
I have had to create templates for each access list. However unfortunately it appears that if you have an access list with an ACE that you do not want, you have to include the negative statements in the deploy statements before any positive statement (makes sense if it is just pasting in the commands).
However if you try and do a compliance check using the template it will fail or do a deploy of the template and then do a compliancy check it will fail. Seems a bit pointless if the deploy statement will not result in a compliant device.
This is quite a pain really. I may have to have separate comply and deploy templates.
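An added example, not part of the thread and not LMS code: an independent whole-line baseline check for ACL entries, useful for cross-checking a compliance result separately from the job status. It assumes `+` marks a line that must exist and `-` one that must not; the function names and sample inputs are constructed for illustration.

```python
# Added example: independent baseline check, not LMS code.
# Assumption: '+' marks a line that must exist, '-' one that must not.

def normalize(line):
    # Collapse whitespace so spacing differences do not cause mismatches.
    return " ".join(line.split())

def parse_template(text):
    required, forbidden = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("+"):
            required.append(normalize(line[1:]))
        elif line.startswith("-"):
            forbidden.append(normalize(line[1:]))
    return required, forbidden

def check_compliance(template, config, ordered=True):
    required, forbidden = parse_template(template)
    lines = [normalize(l) for l in config.splitlines() if l.strip()]
    # Whole-line equality: "access-list 82" alone never satisfies a rule.
    missing = [r for r in required if r not in lines]
    unwanted = [f for f in forbidden if f in lines]
    out_of_order = False
    if ordered and not missing:
        # Required lines must appear in the same order as in the template.
        positions = [lines.index(r) for r in required]
        out_of_order = positions != sorted(positions)
    return {"compliant": not (missing or unwanted or out_of_order),
            "missing": missing, "unwanted": unwanted,
            "out_of_order": out_of_order}

# Constructed inputs modelled on the ACL lines quoted in the thread.
TEMPLATE = """\
+ access-list 82 permit 10.10.10.10
- access-list 82 permit 12.12.12.12
"""
DEVICE_CONFIG = """\
access-list 82 remark This list Specifies Allowed TFTP Servers
access-list 82 permit 12.12.12.12
"""

if __name__ == "__main__":
    print(check_compliance(TEMPLATE, DEVICE_CONFIG))
```

Run against the sample, the device is reported non-compliant with one missing and one unwanted entry, regardless of whether the job that collected the config finished successfully.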