Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

LMS 3.2 Checking compliance for a single access list

Hello,

I'm trying to figure out how to check compliance for only one access list in cisco works.

Example:

I want to run a compliance template that only check access-list 13 to make sure it has the following and nothing else:

access-list 13 permit 1.1.1.1

access-list 13 permit 10.1.0.0 0.0.0.127

If something else is listed, then I'll deploy the template and it will remove any other entry besided the two above.

I have tried a Global config compliance on + access-list 13 permit 1.1.1.1 and it comes back and says it's not compliant and wants to remove everything else, which is every other access list.  I have tried submodes thinking that it could check under ip access-list standard 13, but that didn't work either.

Any pointers that can lead me in the right direction?

Thank you for your time.

6 REPLIES
New Member

Re: LMS 3.2 Checking compliance for a single access list

If you state that :

+ access-list 13 permit 1.1.1.1

doesnt mean that every other variation of acl 13 is covered.

this is like e regulartory expression, so you need to take into account that many different possible combinations of acl 13 can occur.

Also the syntax is somewhat wierd in regards to "wildcards"

I found that this was needed to find devices with no password in the cfg:

- enable password 7 [.*]

I would try to make more tests, and to start with, dont take any actions, but simply try to find the syntax for the thins you need to find.

once you have that, you can add actions

Also I think you need to set the "Ordered" option, if yoiu need to check on the correct order of ACL entries.

Try to see

TemplateExample4

in the template manager

HTH

New Member

Re: LMS 3.2 Checking compliance for a single access list

Thank you for your response; I appreciate it.

So I did some more research and I have a Condition Block set to check if there is an access-list 13 on the device and proceed if there is:

+ [#access-list 13.*#]

Then, in the compliance Block I'm checking the Global config to see if these entries are there and Order Sensitive:

+ access-list 13 permit 1.1.1.1

+ access-list 13 permit 10.1.0.0 0.0.0.127

The issue I'm having now is trying to figure out how to negate or not change anything other than access-list 13.  I run a compliance check and this is what I get.

-ip sla enable reaction-alerts
-logging source-interface Vlan2
-logging 1.1.1.4
-access-list 13 permit 1.1.1.2
-access-list 13 permit 1.1.1.3
-access-list 13 permit 2.0.0.0 0.0.0.127
-access-list 14 permit 2.0.0.1
-access-list 14 deny any
-access-list 23 permit 3.0.0.1
-access-list 23 permit 3.0.0.0 0.0.0.255
-access-list 23 permit 4.0.0.0 0.0.0.255
-access-list 23 permit 5.0.0.0 0.0.0.255
-access-list 23 permit 6.0.0.0 0.0.0.255
-access-list 23 deny any
+access-list 13 permit 1.1.1.1

+access-list 13 permit 10.0.0.0  0.0.0.127

EDIT:  Changing logic here...  the command needs to be + ip access-list standard 13 permit 1.1.1.1 and + ip access-list standard 13 permit 10.1.0.0 0.0.0.127.  More edits to come as I try and figure this out.

Message was edited by: Steven Palfreyman

New Member

Re: LMS 3.2 Checking compliance for a single access list

I think right now, I'm going to have to do this in two stages:

1. Use Compliance Mgmt to check if the access list 13 exists and what else is there.

2. If the access list 13 exists, use NetConfig to deploy the new access list 13.

Thank you for all of your help.

New Member

LMS 3.2 Checking compliance for a single access list

New discovery for me, but already noted in the forums to some extent when talking about ordered lists.

If you have ip sla enable reaction-alerts on your device, the Compliance check comes back like this (shows all ACLs):

-ip sla enable reaction-alerts
-logging source-interface Vlan2
-logging 1.1.10.1
-access-list 13 permit 10.1.3.3

-access-list 13 permit 10.1.4.4

-access-list 13 permit 12.5.0.0 0.0.0.127

-access-list 14 permit 172.35.0.101
-access-list 14 deny any
-access-list 23 permit 192.168.0.101
-access-list 23 permit 192.168.19.0  0.0.0.255
-access-list 23 permit 1.1.0.0 0.0.0.255
-access-list 23 permit 1.1.3.0 0.0.0.255
-access-list 23 permit 1.1.0.0  0.0.0.255
-access-list 23 deny any
+access-list 13 permit 1.1.1.1

+access-list 13 permit 10.0.0.0  0.0.0.127

If you DO NOT have ip sla enable reaction-alerts on your device, the Compliance check works and you can deploy (only showing the ACL you checked for compliance).

-access-list 13 permit 10.1.3.3
-access-list 13 permit 10.1.4.4
-access-list 13 permit 12.5.0.0  0.0.0.127
+access-list 13 permit 1.1.1.1
+access-list 13 permit 10.0.0.0  0.0.0.127



New Member

LMS 3.2 Checking compliance for a single access list

oh my ...

Nice finding !

Thanks for sharing

Bronze

LMS 3.2 Checking compliance for a single access list

Hi Steven,

I had the same requirement: Checking whether an ACL exists and contains exactly two entries and nothing else.

I'm using "negative lookahead" regex to kick out any line of the ACL other than the two desired lines.

If you didn't see it already, here is my posting: https://supportforums.cisco.com/thread/2155402

The solution is exact, it catches every possibility and corrects it. You will need to adapt it a little if you don't want to use the syntax "ip access-list ..."

725
Views
0
Helpful
6
Replies
CreatePlease login to create content