Script to find all the interfaces having ip address from the node to push particular command on that interface
I was looking back at this and I modified the Config Block start check. I think the below would provide a bit better matches, but it may need tweaking for your environment if you have different characters in your interface descriptions.
^interface.*[.\r\n\s\w\-\:\(\)\,]*ip address [0-9\.]{7,15} [0-9\.]{7,15}[\r\n]?$
I have a current Compliance Check set up to check for some configuration items on Layer 3 only interfaces. I will give a general screenshot below of the setup that you can re-purpose to push your configs to that interface.
First go to the Configs tab, then click on Compliance, and then click on Manage Policy Reports.
Then you will click on Manage Rules and click on Add New Rule.
Inside the Rule you will give it a name and save it into a folder on the top section. Here I just called it Layer 3 Interface Check and saved it in a folder with the same name.
Next you will define the configuration that you are checking for. This is important because if you execute the Remediation Script that is created later, it will only be executed on interfaces that fail this check. Here is where you will put the exact commands that will show up in the configuration after the remediation script is run. In this case I am using no ip proxy-arp as an example. You can have multiple lines here if there are multiple commands; this is where it can get a bit tricky with regular expression matching to ensure that you get everything. If you need help with that part you can let us know what you are trying to do.
The next part is defining where it will search in the configurations. In this example I am checking the entire configuration, but filtering it down to only interfaces with IP address configured on them. The actual regular expression is this:
Config block start:
(^interface\s.*[\r\n]\s{0,1}ip address [0-9\.]{7,15} [0-9\.]{7,15}[\r\n]*$|^interface\s.*[\r\n]\s{0,1}description.*[\r\n]*\s{0,1}ip address [0-9\.]{7,15} [0-9\.]{7,15}[\r\n]*$)
This will check for either of the below:
interface (any type)
ip address (any ip address)
or
interface (any type)
description (any description)
ip address (any ip address)
Once you have that defined you can set up your remediation script. Here you will define what you want to configure if the above rule is violated. In this case I just want it to configure no ip proxy-arp on that interface.
The actual items in the script are below, but they can be whatever you need them to be. The first line (${ConfigBlockStartLine}) is a variable that will be translated to any interface that fails the rule check. So this remediation script will only run on the Layer 3 interfaces that fail the rule check, the ones that pass will be left alone.
${ConfigBlockStartLine}
no ip proxy-arp
Once the above is done you will need to assign the rule to a policy and then assign that policy to a report. Once the report is created you will have to then update all of the reports to get your violation report. If you have some questions, need some further clarification, or need some assistance in tweaking your rule let me know. I can try to help you out the best that I can.
Thank you Chris for providing the script.
Chris.... hats off to you!!!!!
Hi Chris can you provide the script to fetch the source interface name from "ip tacacs source-interface Loopback0"
ex Loopback0
It should be something like this I think.
This is the filter pattern that should work for you. If it doesn't let me know and I can adjust it.
^\s*ip tacacs source\-interface.*[\r\n]*$
This will do a show run on the device but filter the output in the job log to only have the lines that include ip tacacs source-interface in it and will give you the interface that it is sourcing it from. It won't give you the IP address of the interface though so if that is needed that makes it more difficult.
I want to push "ip pim register-source %%source_interface%%" on all the devices. So is there any way to fetch the source interface and push the commands directly on selected nodes?
I think that I may have found a way to do this, but it is not elegant. Can you start a new thread for this part so that others can comment as well. They may not come into this one as it has been marked resolved. Once it is open I will put my proposed solution in there. Thanks.
@Chris T
Very good work, I am trying to add 'no ip proxy-arp' to interfaces that...
As you can see my config block identifier is not as complex as yours - can you see any holes with that?
Here's my remediation script below. I'm not too sure how to use the variables. Are they necessary seeing as we've already targeted the config block in violation?
Ok I see what you are trying to do and that is fairly straightforward actually. For the remediation script you do not need to include the conf t or interface line in there or anything else. I would just leave it as the ${ConfigBlockStartLine}. The rule I think that would work best is like the below.
The rule above will match all of your conditions like this.
It will loop through all interfaces on the device.
If the interface has an IP Address
The interface must also contain "no ip proxy-arp" configured on it or the rule will fail.
If the interface contains "switchport" at all in the configuration it will pass.
If the interface is shutdown it will pass.
Thanks for the help @Chris T
I have a real zinger now though.
I recreated your rule and the strange thing is that it is finding violations in the config but not identifying where they are, ie. in which config block. Here's your rule I copied...
This is an excerpt of the config I am testing your rule against
And here is the result when I test your rule against that config...
As you can see it's finding violations, but not where they are, so if I try to use the remediation script by clicking on the 'info' icon on the report output I can see that no remediation script is generated.
No script is generated, I assume it's because there are no config blocks to target...
Here's the excerpt from the config that's being tested again
Here's my version of the rule which seems to target the correct interfaces for remediation...
The results when tested against the same config...
returns the correct interfaces to remediate
You can see that FastEthernet1/0/46, FastEthernet1/0/47 & FastEthernet1/0/48 are all in scope for remediation because they have an IP configured but no 'no ip proxy-arp'. Vlan900 is also in scope because it has an IP but no 'no ip proxy-arp'. However, and here's the rub: Gig 1/0/1, Gig 1/0/2, Gig 1/0/3 & Gig 1/0/4 all have NO config on them, so according to my rule they are in scope, and yes, I would try to just configure 'no ip proxy-arp' on these interfaces regardless, but because they are on a switch and have never been configured they must just default to a layer 2 interface and will not accept the command 'no ip proxy-arp'.
So I need to do one of two things: either I find a regex that will identify an interface that has no config applied and give it a pass, or I configure each interface with no config with 'shutdown', which kinda brings me back around to the same problem, that I'd need to create a rule to find these first before I configure 'shutdown' on them.
If you understand all that you deserve a medal or at least a t-shirt. So the crux of the matter is how can I use a regex to identify an interface with no config? I've tried 'em all this morning....
Loads of possible ways listed here...
Regex to *not* match any characters - Stack Overflow
None of em worked!
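Added example, not NCM's own code and not anything posted in the thread: a Python model of the rule Chris describes (loop over every interface block, require "no ip proxy-arp" when an ip address is present, pass on switchport or shutdown), extended with the case the last post asks about, an interface with no configuration lines at all being treated as a pass. The running-config is constructed for the example, and the remediation script is the thread's two-line ${ConfigBlockStartLine} template expanded per failing block.

```python
import re
from typing import Dict, List

# Constructed sample IOS config exercising each branch of the rule:
# an unconfigured interface, a switchport, a compliant L3 interface,
# a shutdown L3 interface, and two L3 interfaces missing 'no ip proxy-arp'.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
 switchport access vlan 10
interface FastEthernet1/0/46
 description uplink to core
 ip address 10.1.46.1 255.255.255.0
interface FastEthernet1/0/47
 ip address 10.1.47.1 255.255.255.0
 no ip proxy-arp
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 shutdown
interface Vlan900
 description mgmt
 ip address 10.9.0.1 255.255.255.0
!
router ospf 1
"""

# 'ip address <addr> <mask>' on a single (already stripped) config line.
IP_ADDR_RE = re.compile(r"^ip address \d{1,3}(?:\.\d{1,3}){3} \d{1,3}(?:\.\d{1,3}){3}$")

def interface_blocks(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface line: [indented child lines]}.
    A block starts at a line beginning with 'interface' and ends at the
    next non-indented line ('!' or a global command)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.rstrip()
            blocks[current] = []
        elif line.startswith((" ", "\t")) and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def violations(config: str) -> List[str]:
    """Interface lines that need 'no ip proxy-arp'. Pass if the block is
    empty, is a switchport, is shutdown, or already has the command."""
    failing = []
    for header, lines in interface_blocks(config).items():
        if not lines or any(l == "shutdown" or l.startswith("switchport") for l in lines):
            continue
        if any(IP_ADDR_RE.match(l) for l in lines) and "no ip proxy-arp" not in lines:
            failing.append(header)
    return failing

def remediation_script(config: str) -> str:
    """Expand the thread's remediation template once per failing block."""
    template = "${ConfigBlockStartLine}\nno ip proxy-arp"
    return "\n".join(template.replace("${ConfigBlockStartLine}", h) for h in violations(config))
```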