Cisco LMS 4.0.1 Compliance Templates Example for class map ACL (updated, regex bug)

Hi All,

I hope this is helpful for you:

I had some steep learning curves with configuration compliance templates and want to share it with you.

I mastered conditional (prerequisite) templates recently, but it was a little bit more difficult to get "excluding" expressions to work.

In regex it's called "negative lookahead" and will match anything *except* your string.

Task is simple: an ACL for a class map (used for QoS) should contain *only* two specific lines which are mandatory, all other lines should be removed.

Compliance Template is:

Name: Global   SubMode: No   isPrerequisite: No   Ordered: No

Prerequisite-Commandset: none   Parent: none

+ip access-list extended ACL_VoicePayload

Name: AclVoipPayload   SubMode: Yes   isPrerequisite: No   Ordered: No

Prerequisite-Commandset: none   Parent: Global

  ip access-list extended ACL_VoicePayload

+permit udp any any range 29100 30099 dscp ef

+permit udp any any range 20000 20499 dscp ef

-[#^(?!permit udp any any range 29100 30099 dscp ef|permit udp any any range 20000 20499 dscp ef|ip access-list extended ACL_VoicePayload).*#]

ACL on switch is:

ip access-list extended ACL_VoicePayload

permit udp any any range 29100 30099 dscp ef

permit udp any any range 20000 20499 dscp ef

remark test for config compliance templates

Result of Compliance Check is (showing non compliant commands):

Device Details
------------------------------------------------------------------
Device Commands

switch2001    ip access-list extended ACL_VoicePayload
    remark test for config compliance templates

Explanation of the template:

+permit udp any any range 29100 30099 dscp ef  ! Command is required

+permit udp any any range 20000 20499 dscp ef  ! command is required

-[#^(?!permit udp any any range 29100 30099 dscp ef|permit udp any any range 20000 20499 dscp ef|ip access-list extended ACL_VoicePayload).*#]

-       ! this command may not appear in the configuration

[#      ! LMS needs this to encapsulate a regex

^       ! the string should be at the beginning of the line

(?!     ! start a "negative lookahead" group. the following expression should *not* appear,

        ! the vertical bars separate three alternative literal strings (for some reason the

        ! negative lookahead is greedy and also captures the name of the access-list itself, so

        ! the acl command must be included - looks to me like a bug)

permit udp any any range 29100 30099 dscp ef|

permit udp any any range 20000 20499 dscp ef|

ip access-list extended ACL_VoicePayload

)       ! close the negative lookahead

.*      ! any characters may then follow on the line, apart from our negative lookahead strings

#]      ! tell LMS the regex is finished
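As an added example (my own Python, not part of the original post and not LMS code), the script below applies the post's `^(?!...).*` expression to each line of the ACL block the way a per-line compliance check would, and shows why the ACL header line had to be added to the alternation. It also includes one constructed line, the mandatory permit with a trailing `log`, to show that in plain regex semantics the alternatives match as prefixes; the `anchor_end` variant is my assumption about a stricter form, not something the post describes.

```python
import re

# Constructed sample: the ACL block from the post plus one extra line
# (the trailing "log" variant) to show prefix matching of the alternatives.
ACL_BLOCK = [
    "ip access-list extended ACL_VoicePayload",
    "permit udp any any range 29100 30099 dscp ef",
    "permit udp any any range 20000 20499 dscp ef",
    "remark test for config compliance templates",
    "permit udp any any range 29100 30099 dscp ef log",  # constructed line
]

MANDATORY = [
    "permit udp any any range 29100 30099 dscp ef",
    "permit udp any any range 20000 20499 dscp ef",
]
HEADER = "ip access-list extended ACL_VoicePayload"


def build_regex(alternatives, anchor_end=False):
    """Build the ^(?!a|b|c).* pattern from the post (without the LMS [# #] wrapper).

    anchor_end=True is an assumed stricter variant: each alternative must then
    cover the whole line, so "permit ... ef log" no longer slips through.
    """
    alts = "|".join(re.escape(a) for a in alternatives)
    if anchor_end:
        return re.compile(r"^(?!(?:%s)$).*" % alts)
    return re.compile(r"^(?!%s).*" % alts)


def non_compliant(lines, pattern):
    """Return the lines a '-' regex would report: every line the pattern matches."""
    return [line for line in lines if pattern.match(line)]


if __name__ == "__main__":
    # Without the header in the alternation, the ACL command itself is flagged.
    print(non_compliant(ACL_BLOCK, build_regex(MANDATORY)))
    # With the header added (the post's final regex), only the remark is flagged,
    # but the constructed "... ef log" line passes because "... ef" is a prefix.
    print(non_compliant(ACL_BLOCK, build_regex(MANDATORY + [HEADER])))
    # End-anchored alternatives also catch the extended permit line.
    print(non_compliant(ACL_BLOCK, build_regex(MANDATORY + [HEADER], anchor_end=True)))
```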

Hope this helps and best regards,

MiKa

Edited by Michael Kafka
