RME Ordered set and device templates

Answered Question
Aug 19th, 2010
Hello,

When I select the ordered set option in an ACL template under RME compliance management, it is not possible to remove an ACL command with the - statement.

This message appears:

Negation is not possible if order sensitive is selected



All right so far, but when I run the compliance job you would expect that the application understands that an "ordered set", typically used for ACLs, really puts the ACL in this order in the configuration, thus removes any old ACL statements from the config and then adds the ordered set.

But it doesn't. Why not? Please help.

This is what happens:


access-list 10 permit 1.1.1.1 0.0.0.0
access-list 10 deny any log

access-list 10 permit 1.1.1.1 0.0.0.0

access-list 10 permit 2.2.2.2 0.0.0.0

access-list 10 deny any log


And this is what I want:


access-list 10 permit 1.1.1.1 0.0.0.0

access-list 10 permit 2.2.2.2 0.0.0.0

access-list 10 deny any log

Joe Clarke Fri, 08/20/2010 - 21:52
User Badges: Cisco Employee, Hall of Fame, Founding Member

What does your template look like, and what does the running config look like?

orsonjoon Sun, 08/22/2010 - 22:53

This is in the config of the switch:


access-list 10 permit 1.1.1.1 0.0.0.0
access-list 10 deny any log


And this is what I want:


access-list 10 permit 1.1.1.1 0.0.0.0

access-list 10 permit 2.2.2.2 0.0.0.0

access-list 10 deny any log



The basic template looks like this with ordered set selected in global config mode:


+ access-list 10 permit 1.1.1.1 0.0.0.0

+ access-list 10 permit 2.2.2.2 0.0.0.0

+ access-list 10 deny any log



And this is what happens:


access-list 10 permit 1.1.1.1 0.0.0.0
access-list 10 deny any log

access-list 10 permit 1.1.1.1 0.0.0.0

access-list 10 permit 2.2.2.2 0.0.0.0

access-list 10 deny any log

Joe Clarke Fri, 08/27/2010 - 23:35

I was able to get this template to work.  I created it for the Switches & Hubs group, and tested a 3560 with your config.  This is how I expect things to work.

orsonjoon Mon, 08/30/2010 - 06:06

Hello Joe,


Thanks for the effort.


I tested this also on a 3560 switch, in this way:


I imported your template, modified the ACL in the template to the real deal, selected one 3560 switch and ran a compliance job with the deploy option selected.


What happened next was unreal: it almost took out the complete switch config (see below).

I deleted the sensitive stuff from the report, but you should get the picture.

What could have caused this? Your template was very simple.



Baseline Compliance Report

Generated on Aug 30 2010 14:09:02

Summary

Template Name ACLOrderTest1

Number of Compliant device(s) 0

Number of Non-Compliant device(s) 1

Number of Excluded device(s) 1

Compliance Details

Compliant Devices

Device Name Latest Version Created On

No records.

Non-Compliant Devices

Device Name Latest Version Created On Command(s) to Deploy

switch3560 41 Aug 24 2010 15:03:24

-ip sla enable reaction-alert

-logging trap notifications

-logging **********************************************

-logging **********************************************

-logging **********************************************

-logging **********************************************

-access-list 1 remark **********************************************

-access-list 1 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 permit **********************************************

-access-list 9 deny any log

-access-list 19 permit **********************************************

-access-list 19 permit **********************************************

-access-list 19 permit **********************************************

-access-list 19 permit **********************************************

-access-list 19 permit **********************************************

-access-list 19 permit **********************************************

-access-list 19 deny ip any any log

-snmp-server community ******** **********************************************

-snmp-server community ******** **********************************************

-snmp-server location **********************************************

-snmp-server system-shutdown

-snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

-snmp-server enable traps tty

-snmp-server enable traps cluster

-snmp-server enable traps entity

-snmp-server enable traps cpu threshold

-snmp-server enable traps vtp

-snmp-server enable traps vlancreate

-snmp-server enable traps vlandelete

-snmp-server enable traps flash insertion removal

-snmp-server enable traps port-security

-snmp-server enable traps envmon fan shutdown supply temperature status

-snmp-server enable traps config-copy

-snmp-server enable traps config

-snmp-server enable traps hsrp

-snmp-server enable traps bridge newroot topologychange

-snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency

-snmp-server enable traps syslog

-snmp-server enable traps mac-notification change move threshold

-snmp-server enable traps vlan-membership

-snmp-server host **********************************************

-snmp-server host **********************************************

-tacacs-server host *********************************************

-tacacs-server timeout 3

-tacacs-server directed-request

-tacacs-server key ******** **********************************************

+access-list 19 permit **********************************************

+access-list 19 permit **********************************************

+access-list 19 permit **********************************************

+access-list 19 permit **********************************************

+access-list 19 permit **********************************************

+access-list 19 permit **********************************************

+access-list 19 deny ip any any log


Excluded Devices

Device Name Reason for Exclusion

switch3560 Device config not compliant
CM0108 Deploy Baseline comparison result to PRIMARY Running config on device successful (Primary Login Succeeded / Primary Enable Succeeded)
CM0056 Config fetch failed for switch3560 Cause: SSH: Failed to establish SSH connection to ********************************************** - Cause: Authentication failed on device 3 times.
PRIMARY-RUNNING config Fetch Operation failed for TFTP.
TELNET: Failed to establish TELNET connection to ********************************************** - Cause: connect timed out.
Action: Check if protocol is supported by device and required device package is installed.
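Added example, not RME code and not from any poster in this thread: a small Python model of the behaviour the original post expects from an order-sensitive ACL template (negate the ACL's existing entries, then add the template lines in sequence), together with a scope guard of the kind that would have caught the deploy plan in the Baseline Compliance Report above, where the negations reach far beyond the template's ACL into logging, snmp-server and tacacs-server lines. The configs, template and deploy plan below are constructed samples modelled on the thread; the commands use RME's report notation (`-` negate, `+` add). Function names are this example's own.

```python
# Added example (not RME's code): order-sensitive ACL compliance diff plus a
# scope guard for a deploy plan. All device configs below are constructed.


def acl_lines(config: str, acl_id: int) -> list[str]:
    """Lines of numbered ACL `acl_id`, in the order they appear in `config`."""
    prefix = f"access-list {acl_id} "   # trailing space: "1 " must not match "10 "
    return [ln.strip() for ln in config.splitlines() if ln.strip().startswith(prefix)]


def acl_id_of(template: list[str]) -> int:
    """An ordered set covers exactly one ACL; return its number or refuse."""
    ids = {int(ln.split()[1]) for ln in template}
    if len(ids) != 1:
        raise ValueError(f"template mixes ACLs {sorted(ids)}")
    return ids.pop()


def is_ordered_compliant(running: str, template: list[str]) -> bool:
    """Order-sensitive check: same lines, same sequence, nothing extra."""
    return acl_lines(running, acl_id_of(template)) == template


def ordered_set_commands(running: str, template: list[str]) -> list[str]:
    """Commands to deploy (RME notation). A non-compliant ACL is rebuilt:
    every existing entry is negated, then the template lines are added in
    order, so the device ends up with exactly the template's sequence."""
    if is_ordered_compliant(running, template):
        return []
    acl_id = acl_id_of(template)
    removals = [f"-{ln}" for ln in acl_lines(running, acl_id)]
    additions = [f"+{ln}" for ln in template]
    return removals + additions


def out_of_scope_removals(commands: list[str], acl_id: int) -> list[str]:
    """Deploy-plan guard: every negation that is not an entry of `acl_id`.
    A non-empty result means the plan would strip unrelated config and
    should be held back for review instead of pushed to the device."""
    prefix = f"-access-list {acl_id} "
    return [c for c in commands if c.startswith("-") and not c.startswith(prefix)]


# Constructed sample: the switch config and template from the thread.
RUNNING_BEFORE = """\
hostname switch3560
access-list 10 permit 1.1.1.1 0.0.0.0
access-list 10 deny any log
snmp-server enable traps tty
"""
TEMPLATE_10 = [
    "access-list 10 permit 1.1.1.1 0.0.0.0",
    "access-list 10 permit 2.2.2.2 0.0.0.0",
    "access-list 10 deny any log",
]

# Constructed sample of the result the poster saw: lines appended, old
# entries left in place, so "deny any log" now sits in the middle.
RUNNING_AFTER_BUGGY = """\
access-list 10 permit 1.1.1.1 0.0.0.0
access-list 10 deny any log
access-list 10 permit 1.1.1.1 0.0.0.0
access-list 10 permit 2.2.2.2 0.0.0.0
access-list 10 deny any log
"""

# Constructed deploy plan shaped like the report's "Command(s) to Deploy"
# for a template covering ACL 19 (the real report masked most values).
REPORT_PLAN = [
    "-logging trap notifications",
    "-access-list 9 deny any log",
    "-access-list 19 deny ip any any log",
    "-snmp-server enable traps tty",
    "-tacacs-server timeout 3",
    "+access-list 19 deny ip any any log",
]

if __name__ == "__main__":
    for cmd in ordered_set_commands(RUNNING_BEFORE, TEMPLATE_10):
        print(cmd)
    print("buggy result compliant:", is_ordered_compliant(RUNNING_AFTER_BUGGY, TEMPLATE_10))
    print("out-of-scope negations:", out_of_scope_removals(REPORT_PLAN, 19))
```

Running the block prints the two negations and three additions for ACL 10, reports the appended-only result as non-compliant, and lists the four negations in the sample plan that touch nothing in ACL 19. The guard is deliberately strict: a template that only adds ACL entries has no business negating anything else, so any such line is a reason to stop before deploying.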

Correct Answer
Joe Clarke Mon, 08/30/2010 - 11:42

Ah, you're seeing CSCtf82992.  If you contact TAC, they can provide you a patch for this.

orsonjoon Mon, 08/30/2010 - 22:59

Why am I not surprised!

Thanks for the info, Joe.