Baseline Template.

georgeef1 · ‎03-06-2009

Hi,

We are using baseline template to validate conformity of our configuration of all of our

switch in our network. We have already have different baseline when switch base modele is

different from the other and where switch are in one specific zone. But, all other are

used in the same way and all of them should use same set of baseline base only on there

plate-forme.

On each site, 1st switch have is IP address end by some specific IP. I had create and

CommandSet to verify the IP address of the VLAN interface. When I run my command set on

all my switches, most of devices appear are not meet the prerequisite and for this reason

the command set comparison as failed. But, in the same command set, I use prerequisite to

test interface state (where in some deviced none are meet this prerequisite) and this is

not make my device to be exclude.

I would like to have the same result for my prerequisite is testing the 1st switch of each

site...

Also, I whould like to understand when is it important to create my commandset as a child

of a other and when I should not ! Most of the configuration is verify under "Global"

where we verify logging, banner, account, snmp, etc... I should create child CommandSet to

verify line console and vty configuration. But to verify interface configuration, I

should not create the CommandSet as a child of the "Global" CommandSet. I would like to

understand why exactly.

Thanks.

Joe Clarke · ‎03-07-2009

I'm having a hard time picturing exactly what you want to achieve. It would be helpful to see your current baseline template and examples of both a compliant and non-compliant device.

Whenever you make a commandset a child of another commandset, that child inherits the parent's submode. This is required to go deeper than one submode. For example:

interface ATM1/0

--pvc 0 15

----ip address 10.1.1.1

To get to the pvc submode, you would need a child of a commandset using the interface ATM1/0 submode.

Parent/child relationships are also useful when checking for prerequisites within submodes. For example, if you only want to operate on access ports, you would use a prerequisite with a parent/child. See case 4b in this whitepaper:

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2073/prod_white_paper0900aecd8068cc98.pdf

In that example, you only want to operate on interfaces which have an ip helper-address configured.

georgeef1 · ‎03-11-2009

The prerequiste "verifHostName" should always be meet by tested switches, in the case were not, a completly different baseline should be used for thoses switches. In case of which failed to meet "verifHostName" prerequisite have to see as excluded because they failed to meet prerequisite requirement. (That is working well, if I try to test INT-01 switch, that switch is exclude because : "Device compliance comparison failed:CM0152 Prerequisite Commands does not exist in device archive.")

in files site1-sw1 and site1-sw2 those 2 switch are in same site physical site, switch site1-sw1 is the 1st in the site it's IP address end by .4 and is successfully tested by the baseline, the switch site1-sw2 is the second switch in the same site it's IP address is ending .5 and is not teste at all by the base line (it should only exclude check-up verification in CheckConfigPort1Switch1 commandSet, but the rest of the baseline should be tested)

in comparaison we have another prerequisite set GigaUpCheck & GigaDownCheck in the same baseline, switch most of your switches are'nt meet both of them, and are'nt exclude fortunately from the compliance test of the rest of the baseline.

The switches site1-sw1 & site1-sw2 should passed prerequisite : "GigaUpCheck" and failed prerequisite "GigaDownCheck".

the switch site1-sw1 pass prerequisite "GigaDownCheck" and failed prerequisite : "GigaUpCheck". thats is working properly but I don't understand if this is working why my CheckConfigPort1Switch1 prerequisite is not working as I hope !

Joe Clarke · ‎03-11-2009

This might make sense to you since you're looking at the templates, but this is very hard for me to picture. Please post your templates and the configs of these two switches.

georgeef1 · ‎03-18-2009

Hi jclarke,

Please check and suggest !

Thanks.

georgeef1 · ‎03-18-2009

Requested files.

Joe Clarke · ‎03-18-2009

The GigaUpCheck prereq is a negative prereq, and will not work properly due to CSCsv25190. A patch is available from the TAC for that bug.

CheckConfigPort1Switch1 is not a prereq, but uses the 1erSwitch prereq. I don't see any problems with this. The 1erSwitch prereq should match site1-sw1. However, I see you're making these commandlets children of Global. This is not recommended. They should be parentless.