We have a requirement to ensure that all the switches and routers in the network have at least 2 of the 3 possible NTP servers listed. The goal is for the rule to call out any configuration that either does not have the IPs listed or has additional IPs listed besides the authorized 3. The order in which the IPs are listed does not matter, but the expected IPs should be present and no other IP is allowed.
In other words, say the list of ntp servers is:
ntp server 1.2.3.4
ntp server 5.6.7.8
ntp server 9.10.11.12
We want to verify that 2 of the above are on each switch.
But if a switch has the following config it should fail since it has the IPs we are looking for PLUS others we don't want:
ntp server 1.2.3.4
ntp server 5.6.7.8
ntp server 9.10.11.12
ntp server 13.14.15.16
ntp server 10.25.41.254
We tried the following rule (see attached) but it does not complain when additional IPs are present. Any idea on how we can be more restrictive to make this rule work?
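Since the compliance tool and the attached rule are not shown, here is an added, stand-alone Python check (not from the poster or any product) that expresses the same policy as a set comparison: at least 2 of the authorized servers present AND nothing outside the authorized set. It assumes IOS-style `ntp server <ip>` lines (optionally with `vrf <name>` or a trailing `prefer`), and the two device configs below are constructed samples.

```python
import re

# Authorized NTP servers from the post; order does not matter.
AUTHORIZED_NTP = {"1.2.3.4", "5.6.7.8", "9.10.11.12"}
MIN_REQUIRED = 2

# Matches "ntp server [vrf <name>] <ip> [prefer ...]" at line start.
# The optional vrf form is an assumption about IOS syntax, not from the post.
NTP_SERVER_RE = re.compile(r"^\s*ntp server (?:vrf \S+ )?(\S+)", re.MULTILINE)


def configured_ntp_servers(config: str) -> set:
    """Return the set of NTP server addresses found in a device config."""
    return set(NTP_SERVER_RE.findall(config))


def check_ntp(config: str, authorized=AUTHORIZED_NTP, minimum=MIN_REQUIRED) -> dict:
    """Evaluate one config against the policy.

    Compliant only if at least `minimum` authorized servers are present
    AND no server outside the authorized set is configured.
    """
    found = configured_ntp_servers(config)
    present = found & authorized      # authorized servers actually configured
    extra = found - authorized        # anything not on the approved list
    return {
        "compliant": len(present) >= minimum and not extra,
        "present": sorted(present),
        "extra": sorted(extra),
        "missing": sorted(authorized - found),
    }


# Constructed sample configs (not real devices).
GOOD_CONFIG = """\
hostname sw1
ntp server 5.6.7.8
ntp server 1.2.3.4 prefer
"""
BAD_CONFIG = """\
hostname sw2
ntp server 1.2.3.4
ntp server 5.6.7.8
ntp server 9.10.11.12
ntp server 13.14.15.16
ntp server 10.25.41.254
"""

if __name__ == "__main__":
    for name, cfg in (("sw1", GOOD_CONFIG), ("sw2", BAD_CONFIG)):
        print(name, check_ntp(cfg))
```

The "extra" list is what a plain "contains the expected IPs" rule misses; a rule engine that only supports pattern matching needs a second, negated check that no `ntp server` line other than the three authorized ones exists.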