A little background: we have a centralized network team that handles almost all of our network equipment. Some of our larger locations have their own IT staff (who generally only handle servers and desktops) who are allowed some limited access into the network devices (logins controlled via ACS).
We have an access list that we apply to all of our vtp interfaces to manage access, and we want to make sure it is the same across our network. So I went in and created a template with the access list in it, made it "Order Sensitive" and ran a compliance check. It seemed to run just fine and reported a lot of changes (not surprising) that it needed to make. All seemed to work fine.
For our larger sites that have their own IT staff, we need to get them added to this remote access ACL. Currently, with the ordered set, they would lose their ability to remotely connect to the device. For example, the current template looks like:
+ access-list 12 permit 10.0.0.0 0.0.255.255
+ access-list 12 permit 10.16.1.53
+ access-list 12 permit 10.16.6.0 0.0.0.255
+ access-list 12 permit 10.16.8.0 0.0.0.255
+ access-list 12 permit 10.16.192.0 0.0.0.255
+ access-list 12 permit 10.115.40.7
But for some devices I also need to have a line:
+ access-list 12 permit 10.5.1.0 0.0.0.255
On some other devices I will need (instead of the above):
+ access-list 12 permit 10.12.1.0 0.0.0.255
If I wasn't using an ordered set, I think I could do something like:
- access-list 12 permit [#!(10.16.6.0|10.5.1.0|10.12.1.0|etc)#] 0.0.0.255
I don't think it's a big deal that this list would get really long, but because it's an ordered set, I don't think it would work?
I guess the one thing I have working for me is that I am relying on the implicit 'deny any any', so if I had to I could remove the ordered set part of it. I would rather not, though, because I think this requirement will change in the near future and, at the very least, I will be forced to use a 'deny any any log', for which I will then be forced to use an order-sensitive template.
Just looking for some ideas on where to go.
First, do not make the deployable commandsets children of the prereqs as they will inherit the prereq submode. Second, this hostname example technically is compliant since you forgot to mark the deployable commandset ordered.
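As an added example (not part of the thread and not the compliance tool's own template syntax), here is one way to check the question's access-list 12 requirement offline: baseline entries in template order, plus only the site-specific entries approved for that device. The function names, the `site_allowed` and `final_entry` parameters, the `deny any log` entry and the sample hostname are assumptions made for illustration.

```python
import re

# Baseline entries from the post's template, in the order the template requires.
BASELINE = [
    "permit 10.0.0.0 0.0.255.255",
    "permit 10.16.1.53",
    "permit 10.16.6.0 0.0.0.255",
    "permit 10.16.8.0 0.0.0.255",
    "permit 10.16.192.0 0.0.0.255",
    "permit 10.115.40.7",
]
ACL_LINE = re.compile(r"^\s*access-list\s+12\s+(.+?)\s*$")

def acl_entries(config):
    """Return the access-list 12 entries of a config, in configured order."""
    found = []
    for line in config.splitlines():
        m = ACL_LINE.match(line)
        if m:
            found.append(m.group(1))
    return found

def check_acl(config, site_allowed=(), final_entry=None):
    """Return a list of (kind, entry) findings; an empty list means compliant."""
    entries = acl_entries(config)
    findings = [("missing", e) for e in BASELINE if e not in entries]
    # Baseline entries that are present must keep the template's relative order.
    present = [e for e in entries if e in BASELINE]
    if present != [e for e in BASELINE if e in present]:
        findings.append(("out-of-order", " / ".join(present)))
    # Anything else must be a site-specific entry approved for this device.
    extras = set(site_allowed) | ({final_entry} if final_entry else set())
    findings += [("unexpected", e) for e in entries
                 if e not in BASELINE and e not in extras]
    # An explicit terminal deny (assumed future requirement) must be the last line.
    if final_entry and (not entries or entries[-1] != final_entry):
        findings.append(("final-not-last", final_entry))
    return findings

# Constructed sample: a site device carrying the baseline plus its own subnet.
SITE_A = "\n".join(["hostname site-a-sw1"]
                   + ["access-list 12 " + e for e in BASELINE]
                   + ["access-list 12 permit 10.5.1.0 0.0.0.255"])

if __name__ == "__main__":
    print(check_acl(SITE_A, site_allowed={"permit 10.5.1.0 0.0.0.255"}))
    print(check_acl(SITE_A))  # site entry not approved for this device
```

Keeping the approved site entries per device, rather than one alternation that matches any site's subnet, means a subnet belonging to a different site is reported as unexpected.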