
A solution to multi-context config download with NCM (Cisco ASA, FWSM...)

NCM 7.x has several node management improvements (common with Orion Core/NPM, new Discovery Sonar…).
Due to these changes, NCM 7.x has stricter rules related to node uniqueness and duplicate nodes are not allowed anymore in NCM 7.0 (because NCM nodes are being handled by Orion Core, which does not support duplicate nodes).

This NCM 6.x capability was sometimes used to deal with devices such as the Cisco ASA, which require management of multiple contexts.

The solution in NCM 7.x (can work in NCM 6.1 as well) uses multiple Config Types:

Solution:

1. In the Win32 NCM application, add a new Config Type for each context (for example Context1, Context2).

2. Specify in your device template how to switch to each context (see example below).

3. Include the ${ConfigType} macro in the Reset command.

4. Make sure to specify the RegEx value in the Reset command. Depending on your prompt settings, the value should be '#', '>', ']', etc.

5. Avoid using the ${ConfigType} macro in the DownloadConfig command. Make sure the command is the right one, e.g. "show running-config".

Device Template Example:
<Command Name="RESET" Value="${ConfigType}" RegEx="#" />
<Command Name="Context1" Value="command to switch to Context1"  />
<Command Name="Context2" Value="command to switch to Context2 "/>
<Command Name="DownloadConfig" Value="show running-config"/>
Explanation:
When NCM downloads a configuration, the first command issued is the ‘Reset’ command defined in the device template.
The ${ConfigType} macros will be replaced by the appropriate switch context command, based on the config type selected for the download.
The context will be dynamically switched before the download command is executed.
When the context is changed, so is the prompt. In order to recognize the prompt, a regular expression (RegEx) must be used to ignore the variable part of the prompt.

Example:
Let’s assume the command mode prompt after login is: Tex-3750#

- After switching to Context1, the command mode prompt becomes Tex-3750-Context1#.

- After switching to Context2, the command mode prompt becomes Tex-3750-Context2#.

The RegEx to use in the reset command should match the common portion of the prompt in both contexts. In this example this could be RegEx="#".

An NCM user shared the result of his work (FWSM on NCM 6.1):
Should work the same in NCM 7.0. Thanks

Message was edited by: Jiri Cvachovec
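
An added example (not part of the original post and not SolarWinds code): a small Python model of the behaviour described above, which expands ${ConfigType} and ${CRLF} for one config type and checks that the Reset RegEx matches the prompt in every context. The function names, the fallback for an undefined config type, and the use of Python's regex search as a stand-in for NCM's prompt matching are assumptions; the template and prompts are constructed from the post's example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed template modelled on the post's example; "changeto context"
# is the ASA-style switch command mentioned in the replies.
TEMPLATE = """<Configuration-Management Device="Example" SystemOID="0.0">
 <Commands>
  <Command Name="RESET" Value="terminal pager 0${CRLF}${ConfigType}" RegEx="#"/>
  <Command Name="Context1" Value="changeto context Context1"/>
  <Command Name="Context2" Value="changeto context Context2"/>
  <Command Name="DownloadConfig" Value="show running-config"/>
 </Commands>
</Configuration-Management>"""

def load_commands(xml_text):
    """Map each Command Name to its element."""
    return {c.get("Name"): c for c in ET.fromstring(xml_text).iter("Command")}

def expand(value, config_type, commands):
    """Substitute ${ConfigType} and split on ${CRLF} (modelled behaviour)."""
    entry = commands.get(config_type)
    # Assumption: a config type with no Command entry expands to its own name.
    repl = entry.get("Value", "") if entry is not None else config_type
    lines = value.replace("${ConfigType}", repl).split("${CRLF}")
    return [ln.strip() for ln in lines if ln.strip()]

def session_plan(xml_text, config_type):
    """Commands sent for one download: RESET first, then DownloadConfig."""
    cmds = load_commands(xml_text)
    return (expand(cmds["RESET"].get("Value", ""), config_type, cmds)
            + expand(cmds["DownloadConfig"].get("Value", ""), config_type, cmds))

def check_template(xml_text, prompts):
    """prompts maps config type -> prompt seen after the switch."""
    cmds = load_commands(xml_text)
    reset, problems = cmds["RESET"], []
    pattern = reset.get("RegEx")
    if "${ConfigType}" not in reset.get("Value", ""):
        problems.append("RESET does not include ${ConfigType}")
    if not pattern:
        problems.append("RESET has no RegEx")
    for ctype, prompt in prompts.items():
        if ctype not in cmds:
            problems.append(f"{ctype}: no switch command in template")
        if pattern and not re.search(pattern, prompt):
            problems.append(f"{ctype}: RegEx does not match {prompt!r}")
    return problems

if __name__ == "__main__":
    seen = {"Context1": "Tex-3750-Context1#", "Context2": "Tex-3750-Context2#"}
    print(session_plan(TEMPLATE, "Context2"), check_template(TEMPLATE, seen))
```

Running the check before scheduling backups shows which contexts would be skipped or would stall on an unmatched prompt, so a firewall context does not go unarchived unnoticed.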

  • Francois,

    I was actually using the following for the RESET command, but I'm not entirely sure to what extent it helped

    <Command Name="RESET" Value="terminal width 0${CRLF}terminal length 0${CRLF}${ConfigType}"/>

  • You have to use the command for switching the context for your particular device. If the device command (like for ASA) is

    changeto context mycontext1

    then the Reset command should read

    <Command Name="RESET" Value="terminal width 0${CRLF}changeto context ${ConfigType}"/>

    and you have to create new config type "mycontext1".

    Regards,

    Jiri

  • Unless you follow Francois's suggestion of replacing ConfigType with the whole context change command, like:

    <Command Name="Context1" Value="changeto Context1"  />


    It's really up to the user at that point, I suppose

  • Sorry, I don't really understand your comment. You have to define new config types that correspond with the contexts and then the Reset command as outlined above.

    Jiri

  • Yes of course but as Francois suggested you can actually use whole command as a value instead of just context's name. So in fact you have 2 options

    <Command Name="RESET" Value="terminal width 0${CRLF}terminal length 0${CRLF}${ConfigType}" RegEx="#" />

    <Command Name="Context1" Value="changeto Context1"  />

    or

    <Command Name="RESET" Value="terminal width 0${CRLF}terminal length 0${CRLF}changeto ${ConfigType}" RegEx="#" />

    <Command Name="Context1" Value="Context1"  />

    final result should be the same

  • My understanding of the idea of creating a new config type is so that NCM knows where to store the downloaded config in its repository. Am I correct in saying this? E.g. if it has downloaded a config from "con1", when it tries to store it in the config repository it'll see that there are only 2 (default) types of config (containers?) to store it in: Running or Startup.

    Also regarding the Device Template itself I have a question about how it actually works. How does NCM know in what order to execute the commands? I can see from the structure of the template it provides an instruction set however if it was to work its way down the instruction set sequentially it wouldn't make sense.

    Hence I have arrived at the conclusion that there is an intelligence built into the generic download config job you can schedule in NCM that knows what commands to run and in what order but a modified or custom device template will provide NCM with the native commands it is not aware of.

    How does NCM know how many contexts there are in a multi-context firewall? My guess is that NCM just goes by the number you declare in the bespoke template? If you declare 3 contexts and name them accordingly, NCM will attempt to change to each context variable that has been declared, e.g. if your template includes

    <Command Name="Context1" Value="command to switch to Context1" />

    <Command Name="Context2" Value="command to switch to Context2 "/>

    <Command Name="Context3" Value="command to switch to Context3 "/>

    it will try to find each of these contexts and download each. Am I correct in saying this? Any help is greatly appreciated. TIA!

  • Hi Wayne Barry,

    Your hypotheses are mostly correct. Let me add some details.

    NCM handles the storage of downloaded configs automatically. You don't have to worry about that. Create a new config type, download the config and you'll see the exact structure yourself.

    You should look at the device template not as a script but rather a repository of commands. NCM business logic needs different commands at different stages and the device template tells it what the command for a particular device looks like.

    That's why the order of the commands generally doesn't matter; there are some exceptions though. (E.g. the order of Pre-commands does matter.)

    You have to enter all the contexts/config types manually in the template; your assumption is correct. A natural feature request is to download (if not discover) all the contexts at once.

    Regards,

    Jiri

  • Just adding my 2c.

    Using Multiple Context ASA, but I wanted to get the equivalent on "more system:xxxx".

    The more command is ONLY supported in the system context, so obviously changing to each individual context and running the command doesn't work.

    Below is the solution I found that works for me...

    It's not perfect, as it only really pulls the startup configs that are saved to the flash, but it allows us to back up the system context and all respective passwords etc.

    Thought I would share as I'm sure others would have a similar issue.

    Regards,

    Marcus

    <!--SolarWinds Network Management Tools-->

    <!--Copyright 2007 SolarWinds.Net All rights reserved-->

    <!--Custom Collections for Multiple Context ASA and Specialist Configurations-->

    <Configuration-Management Device="Cisco ASA Multi Context" SystemOID=" 1.3.6.1.4.1.9.1.669">

      <Commands>

      <Command Name="MenuBased" Value="false"/>

      <Command Name="System" Value="more system:running-config"/>

      <Command Name="Context-1" Value="more disk0:/context1.cfg"/>

      <Command Name="Context-2" Value="more disk0:/context2.cfg"/>

      <Command Name="Context-X" Value="more disk0:/contextX.cfg"/>

      <Command Name="RESET" Value="terminal pager 0${CRLF}changeto context system${CRLF}" RegEx="#"/>

      <Command Name="Reboot" Value="reload noconfirm"/>

      <Command Name="EnterConfigMode" Value="config terminal"/>

      <Command Name="ExitConfigMode" Value="quit"/>

      <Command Name="Startup" Value="show startup"/>

      <Command Name="Running" Value="show running"/>

      <Command Name="DownloadConfig" Value="${ConfigType}"/>

      <Command Name="UploadConfig" Value="${EnterConfigMode}${CRLF}${ConfigText}${CRLF}${ExitConfigMode}"/>

      <Command Name="DownloadConfigIndirect" Value="write net ${StorageAddress}:/${StorageFilename}"/>

      <Command Name="UploadConfigIndirect"/>

      <Command Name="EraseConfig" Value="write erase${CRLF}Yes"/>

      <Command Name="SaveConfig" Value="write memory all${CRLF}Yes"/>

      <Command Name="Version" Value="show version"/>

      </Commands>

    </Configuration-Management>

  • Hi All,

    Thank you for sharing every thing to date.  I have tried both methods and I still only download a single "system" configuration.  I've shown the two scripts below and would appreciate any feedback.  I must admit I don't know much about scripting so I've copied and pasted what I think should be the right text after reading through this solution.

    Script 1

    <!-- edited with XML Spy v4.4 U (http://www.xmlspy.com) by () -->
    <!--SolarWinds Network Management Tools-->
    <!--Copyright 2005 SolarWinds.Net All rights reserved-->
    <Configuration-Management Device="Cisco PIX" SystemOID=" 1.3.6.1.4.1.9.1.451">
    <Commands>
      <Command Name="RESET" Value="terminal width 0${CRLF}terminal length 0${CRLF}${ConfigType}" RegEx="p06cd01-ghe-int-fw-01" />
                    <Command Name="Context1" Value="changeto context system"  />
                    <Command Name="Context2" Value="changeto context mgmt"  />
                    <Command Name="Context3" Value="changeto context Production"  />
                    <Command Name="Context4" Value="changeto context Preprod"  />
                    <Command Name="Context5" Value="changeto context Cert"  />
                    <Command Name="Context6" Value="changeto context Perf"  />
                    <Command Name="Context7" Value="changeto context Admin"  />
      <Command Name="Reboot" Value="reload noconfirm"/>
      <Command Name="EnterConfigMode" Value="config terminal"/>
      <Command Name="ExitConfigMode" Value="quit"/>
      <Command Name="Startup" Value="startup"/>
      <Command Name="Running" Value="running"/>
      <Command Name="DownloadConfig" Value="show running-config"/>
      <Command Name="UploadConfig" Value="${EnterConfigMode}${CRLF}${ConfigText}${CRLF}${ExitConfigMode}"/>
      <Command Name="DownloadConfigIndirect" Value="write net ${StorageAddress}:/${StorageFilename}"/>
      <Command Name="UploadConfigIndirect"/>
      <Command Name="EraseConfig" Value="write erase${CRLF}Yes"/>
      <Command Name="SaveConfig" Value="write memory"/>
      <Command Name="Version" Value="show version"/>
    </Commands>
    </Configuration-Management>

    ###################################

    Script 2

    <!-- edited with XML Spy v4.4 U (http://www.xmlspy.com) by () -->
    <!--SolarWinds Network Management Tools-->
    <!--Copyright 2005 SolarWinds.Net All rights reserved-->
    <Configuration-Management Device="Cisco ASA Multi Context" SystemOID=" 1.3.6.1.4.1.9.1.669">
    <Commands>
                    <Command Name="System" Value="more system:running-config"/>
                    <Command Name="Context1" Value="more disk0:/admin.cfg"/>
                    <Command Name="Context2" Value="more disk0:/mgmt.cfg"/>
                    <Command Name="Context3" Value="more disk0:/production.cfg"/>
                    <Command Name="Context4" Value="more disk0:/preprod.cfg"/>
                    <Command Name="Context5" Value="more disk0:/cert.cfg"/>
                    <Command Name="Context6" Value="more disk0:/perf.cfg"/>

                    <Command Name="MenuBased" Value="false"/>

      <Command Name="RESET" Value="terminal pager 0${CRLF}changeto context system${CRLF}" RegEx="p06cd01-ghe-int-fw-01"/>
                     <Command Name="Reboot" Value="reload noconfirm"/>
                     <Command Name="EnterConfigMode" Value="config terminal"/>
                     <Command Name="ExitConfigMode" Value="quit"/>
                     <Command Name="Startup" Value="show startup"/>
                     <Command Name="Running" Value="show running"/>
                     <Command Name="DownloadConfig" Value="${ConfigType}"/>
                     <Command Name="UploadConfig" Value="${EnterConfigMode}${CRLF}${ConfigText}${CRLF}${ExitConfigMode}"/>
                     <Command Name="DownloadConfigIndirect" Value="write net ${StorageAddress}:/${StorageFilename}"/>
                     <Command Name="UploadConfigIndirect"/>
                     <Command Name="EraseConfig" Value="write erase${CRLF}Yes"/>
                     <Command Name="SaveConfig" Value="write memory all${CRLF}Yes"/>
                     <Command Name="Version" Value="show version"/>
    </Commands>
    </Configuration-Management>

  • Hi,

    Just to make sure -- have you created custom config types for all the contexts?

    Jiri