
LMS 3.2 Checking compliance for a single access list

Hello,

I'm trying to figure out how to check compliance for only one access list in CiscoWorks.

Example:

I want to run a compliance template that only checks access-list 13 to make sure it has the following and nothing else:

access-list 13 permit 1.1.1.1

access-list 13 permit 10.1.0.0 0.0.0.127

If something else is listed, then I'll deploy the template and it will remove any other entry besides the two above.

I have tried a Global config compliance on + access-list 13 permit 1.1.1.1 and it comes back and says it's not compliant and wants to remove everything else, which is every other access list.  I have tried submodes thinking that it could check under ip access-list standard 13, but that didn't work either.

Any pointers that can lead me in the right direction?

Thank you for your time.

6 Replies

mbilgrav
Level 3

If you state that:

+ access-list 13 permit 1.1.1.1

it doesn't mean that every other variation of ACL 13 is covered.

This is like a regular expression, so you need to take into account that many different possible combinations of ACL 13 can occur.

Also, the syntax is somewhat weird in regards to "wildcards".

I found that this was needed to find devices with no password in the cfg:

- enable password 7 [.*]

I would try to make more tests, and to start with, don't take any actions, but simply try to find the syntax for the things you need to find.

Once you have that, you can add actions.

Also, I think you need to set the "Ordered" option if you need to check on the correct order of ACL entries.

Try to see

TemplateExample4

in the template manager

HTH

Thank you for your response; I appreciate it.

So I did some more research and I have a Condition Block set to check if there is an access-list 13 on the device and proceed if there is:

+ [#access-list 13.*#]

Then, in the compliance Block I'm checking the Global config to see if these entries are there and Order Sensitive:

+ access-list 13 permit 1.1.1.1

+ access-list 13 permit 10.1.0.0 0.0.0.127

The issue I'm having now is trying to figure out how to negate or not change anything other than access-list 13.  I run a compliance check and this is what I get.

-ip sla enable reaction-alerts
-logging source-interface Vlan2
-logging 1.1.1.4
-access-list 13 permit 1.1.1.2
-access-list 13 permit 1.1.1.3
-access-list 13 permit 2.0.0.0 0.0.0.127
-access-list 14 permit 2.0.0.1
-access-list 14 deny any
-access-list 23 permit 3.0.0.1
-access-list 23 permit 3.0.0.0 0.0.0.255
-access-list 23 permit 4.0.0.0 0.0.0.255
-access-list 23 permit 5.0.0.0 0.0.0.255
-access-list 23 permit 6.0.0.0 0.0.0.255
-access-list 23 deny any
+access-list 13 permit 1.1.1.1
+access-list 13 permit 10.0.0.0  0.0.0.127

EDIT:  Changing logic here...  the command needs to be + ip access-list standard 13 permit 1.1.1.1 and + ip access-list standard 13 permit 10.1.0.0 0.0.0.127.  More edits to come as I try and figure this out.

Message was edited by: Steven Palfreyman

I think right now, I'm going to have to do this in two stages:

1. Use Compliance Mgmt to check if the access list 13 exists and what else is there.

2. If the access list 13 exists, use NetConfig to deploy the new access list 13.

Thank you for all of your help.

New discovery for me, but already noted in the forums to some extent when talking about ordered lists.

If you have ip sla enable reaction-alerts on your device, the Compliance check comes back like this (shows all ACLs):

-ip sla enable reaction-alerts
-logging source-interface Vlan2
-logging 1.1.10.1
-access-list 13 permit 10.1.3.3
-access-list 13 permit 10.1.4.4
-access-list 13 permit 12.5.0.0 0.0.0.127
-access-list 14 permit 172.35.0.101
-access-list 14 deny any
-access-list 23 permit 192.168.0.101
-access-list 23 permit 192.168.19.0  0.0.0.255
-access-list 23 permit 1.1.0.0 0.0.0.255
-access-list 23 permit 1.1.3.0 0.0.0.255
-access-list 23 permit 1.1.0.0  0.0.0.255
-access-list 23 deny any
+access-list 13 permit 1.1.1.1
+access-list 13 permit 10.0.0.0  0.0.0.127

If you DO NOT have ip sla enable reaction-alerts on your device, the Compliance check works and you can deploy (only showing the ACL you checked for compliance).

-access-list 13 permit 10.1.3.3
-access-list 13 permit 10.1.4.4
-access-list 13 permit 12.5.0.0  0.0.0.127
+access-list 13 permit 1.1.1.1
+access-list 13 permit 10.0.0.0  0.0.0.127

Oh my ...

Nice finding!

Thanks for sharing.

m.kafka
Level 4

Hi Steven,

I had the same requirement: Checking whether an ACL exists and contains exactly two entries and nothing else.

I'm using "negative lookahead" regex to kick out any line of the ACL other than the two desired lines.

If you didn't see it already, here is my posting: https://supportforums.cisco.com/thread/2155402

The solution is exact, it catches every possibility and corrects it. You will need to adapt it a little if you don't want to use the syntax "ip access-list ..."
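As an added example (not part of the thread, and not an LMS compliance template), the following Python script does offline what the question and m.kafka's reply describe: it treats ACL 13 as the only thing under test, uses a negative-lookahead regex to catch every "access-list 13" line that is not one of the two wanted entries, checks the order, and emits the IOS commands that would bring the ACL to exactly the desired two lines. The running-config excerpt is constructed for the example; the ACL number and the two entries are those from the original question.

```python
import re

# Desired entries for standard ACL 13, in order (taken from the question above).
ACL_NUMBER = 13
DESIRED = [
    "permit 1.1.1.1",
    "permit 10.1.0.0 0.0.0.127",
]

# Constructed running-config excerpt, not from a real device; it only mimics
# the shape of the compliance output pasted in the thread.
SAMPLE_CONFIG = """\
logging source-interface Vlan2
logging 1.1.1.4
access-list 13 permit 1.1.1.1
access-list 13 permit 1.1.1.2
access-list 13 permit 2.0.0.0  0.0.0.127
access-list 14 permit 2.0.0.1
access-list 14 deny any
access-list 23 permit 3.0.0.1
access-list 23 deny any
"""


def normalize(line):
    """Collapse runs of whitespace so 'a  b' and 'a b' compare equal
    (the compliance output in the thread shows double spaces)."""
    return " ".join(line.split())


def stray_pattern(acl, desired):
    """Regex matching any 'access-list <acl>' line that is NOT a desired entry.
    The negative lookahead (?!...) rejects the wanted lines; the $ inside each
    alternative stops 'permit 1.1.1.1' from also covering 'permit 1.1.1.10'.
    Lines of other ACL numbers never match because of the trailing space
    after the number."""
    alts = "|".join(re.escape(d) + "$" for d in desired)
    return re.compile(rf"^access-list {acl} (?!(?:{alts})).*$")


def acl_entries(config, acl):
    """Entries of numbered ACL `acl` in config order, with the prefix removed."""
    prefix = f"access-list {acl} "
    lines = (normalize(l) for l in config.splitlines())
    return [l[len(prefix):] for l in lines if l.startswith(prefix)]


def check_acl(config, acl, desired, ordered=True):
    """Return stray lines (to remove), missing entries (to add) and a compliant flag.
    With ordered=True the ACL must contain exactly `desired`, in that order."""
    pat = stray_pattern(acl, desired)
    stray = [l for l in map(normalize, config.splitlines()) if pat.match(l)]
    present = acl_entries(config, acl)
    missing = [d for d in desired if d not in present]
    compliant = present == list(desired) if ordered else (not stray and not missing)
    return {"stray": stray, "missing": missing, "compliant": compliant}


def remediation(config, acl, desired):
    """IOS commands that make the ACL exactly `desired`, in that order.
    Uses the 'ip access-list standard' sub-mode because in global config
    'no access-list 13 permit x' deletes the whole numbered ACL, not one entry.
    Leading entries that are already in the right position are left alone;
    everything after the first mismatch is removed and re-added in order."""
    if check_acl(config, acl, desired)["compliant"]:
        return []
    present = acl_entries(config, acl)
    strays = [p for p in present if p not in desired]
    kept = [p for p in present if p in desired]
    k = 0
    while k < len(kept) and k < len(desired) and kept[k] == desired[k]:
        k += 1
    cmds = [f"ip access-list standard {acl}"]
    cmds += [f" no {e}" for e in strays + kept[k:]]
    cmds += [f" {e}" for e in desired[k:]]
    return cmds


if __name__ == "__main__":
    print(check_acl(SAMPLE_CONFIG, ACL_NUMBER, DESIRED))
    print("\n".join(remediation(SAMPLE_CONFIG, ACL_NUMBER, DESIRED)))
```

Two practitioner caveats the script encodes: first, `no access-list 13 permit 1.1.1.2` typed in global configuration mode removes all of ACL 13 on IOS, which is why the remediation goes through `ip access-list standard 13` and removes entries with `no permit ...`; second, if ACL 13 is what restricts vty or SNMP access, a moment during which it has no entries means no restriction at all, so removing every entry and re-adding them (the swapped-order case here) should be scheduled with that in mind, or done by inserting with sequence numbers instead.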
