NCM Compliance Rule: Config block - contains only feature

keicamw

Hi Guys,

I have spent some time looking for a solution to may problem on this forum and on google. But unfortunately I was not able to find a way to sort it out with a set of features which are currently offered in NCM.

Task:

Scan for config block and make sure that only requested set of command lines are present if any additional line of config is present pick it up and report it.

Example:

1. Lets assume we have some interface config:

interface GigabitEthernet1/0/23

description TrunkPort

switchport access vlan 197

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 16,58,59,160-163,166,204

switchport mode trunk

speed 1000

spanning-tree portfast

!

in a search block which start from:

    ^interface (GigabitEthernet|TenGigabitEthernet)\d+\/\d+\/\d+\s+description\sTrunkPort

ends with:

     !

search for anything what is not

   switchport trunk encapsulation dot1q

   switchport trunk allowed vlan.*

   switchport mode trunk

now it would be nice to have "must contain only" like feature in NCM

which would lookup through the config file and would report all the lines which are not those three lines for trunk port. (for now you have only must contain and must not contain)

Cheers!

Ps.

I was able to setup some workaround rules which are at least alerting that there are some other staff on the interface but to actually check what is extra configured on that particular interface you need to visit configuration file each time what is really not an optimal way of handling this kind of staff.

kraskik

I really need this for PCI compliance reporting.  I can show that our required configuration is there, but have no way of showing unauthorized configuration lines.

For example, someone has added an ACL line they shouldn't have, or added another unauthorized login name, AAA server, whatever.