Automated Config clean up

I am trying to clean up my switch configurations. There are a lot of old outdated ntp servers and snmp trap servers and other stale info within the configuration. I have been trying to find a way to remove all of these old servers, then run a script to only have the correct ones. Any ideas, or do I need to go through each device and remove them individually? I wouldn't mind if the new server was listed and got removed.

Example would be:

ntp server 1.1.1.1

ntp server 1.2.2.2

ntp server 3.3.3.3

runs the following

no ntp server 1.1.1.1

no ntp server 1.2.2.2

no ntp server 3.3.3.3    --- This is fine if it does this.

ntp server 3.3.3.3

1 Solution

I believe I know what you mean, that you want to remove any other NTP server than the one you want defined, regardless of its IP address.  So you don't have an actual list of them sitting there of what other NTP servers there are...

I have a bit of a hack based on the newest NCM that can work for you.  This is how you set it up.

In the "STRING MATCHING" section configure it as follows with the IP address of the NTP server you want to be set...

StringMatching.jpg

Then, in the "search config file/block" set it up as follows, the "config block end" could probably be "^.*" also (ie: ANYTHING), we are mainly interested in setting the start of the config block to be the line that contains the specific NTP server on that specific line.  More on that below...

ConfigBlock.jpg

Now for the magic / hack.   Set your remediation script as follows:

remediation.jpg

The first line is doing a "no" of the "ConfigBlock" start line I mentioned above, which will be set to any NTP server that you DON'T want.   It will ignore the NTP server you do want.   The second line is optional, setting the NTP server that you do want.   If you just want to remove unwanted NTP servers the first line will suffice.

The one drawback of this is if no NTP server is defined at all, the config will be in compliance, you will need another rule to make sure the NTP server you want is defined, but that's quite simple.

This is kind of hacking the new ability to run your script on each config block that is in violation a bit; this feature was never intended to work this way.  But my devious mind wanted this for the ability to do things like remove unwanted SNMP communities and such.  So, no promise it will always work, but I believe it should work at least in the present.  Let me know your results and TEST first on a small subset of devices!!!

Any relation to Mark?  🙂  

HTH!!

    "I'm just working in the coal mines..."

18 Replies

WORKED LIKE A CHAMP

you have made my life much easier thanks

Thanks


Excellent! cnorborg‌ is our star!

I must admit I didn't realize until today that the block remediation enhancement of NCM 7.4 could be used for things like this.

Jiri

Have to keep you guys on your toes!!  🙂  Teach you how to use your product once in a while...  😄

Hopefully this will illustrate how we need this type of feature.   Not only to check that something exists (ie: NTP server, SNMP community, etc), or that something specific doesn't exist (ie: "public" or "private" SNMP community), but that it would also be nice to know that nothing beyond what we specified exists.   ie: no new NTP servers, no new SNMP communities...  Would be nice to have this without having to hack at it a bit!!

rmothersbaugh and all, might have figured out a solution that works in all cases, go check this thread for my response on groups and lookbehind regexes...

Filtering for incorrect logging hosts

Can easily be modified for SNMP communities, that was actually the test case I initially used on it.  Note the example below is probably not as well written as the example in the other discussion...

snmp_lookbehind.jpg

Hmm, interesting use case for the block inspection. I'm curious to see if it works.

Jiri

cvachovecj

cnorborg‌ usually seems to know what he is talking about, at least all of the times he has helped me. If he says it works, I would bet it does.

Seems like this could be a useful tool, whether intended or not. Maybe SolarWinds can implement it into the system as its own feature/purpose.

Of course cnorborg‌ knows what he is talking about. (I nominated him for the MVP status as a recognition.) I appreciate that he found a use case that I didn't have in mind when we implemented this enhancement.

What I meant by being curious if it works is the fact that sometimes, configs contain different kinds of whitespace, so tuning a regex rule so that it works universally may need some playing around.

Jiri

Hmm... I found a use case where my solution doesn't work, cvachovecj.  Was trying to weed out unknown SNMP communities on routers of a company we just merged with.  I modified this to look for "^snmp-server community .*" instead of the NTP.  Had it look for either community in the config block and ran it.  Worked for most of the communities on my test router, except for one.  Tried a couple different things and couldn't get it to work.  I end up with in the config:

!  1- unrelated config lines.

snmp-server community badcommunity RO

snmp-server community validcommunity1 RO

snmp-server community validcommunity2 RW

! 2 - unrelated config lines

What I think is happening is that a config block has to be at least 2 lines, not sure if this part is true or not.  So, I have it starting with "^snmp-server community" and ending with basically anything (ie: ".*", have tried a couple things).  So, I'm thinking it iterates through 3 blocks.  The first one starting with "snmp-server community badcommunity" and ending with the next line ("snmp-server community validcommunity1").  Now, since I'm looking for "snmp-server community validcommunity1" in the config block and it's there, this passes (even though I don't want it to).  The next 2 times it iterates through, it uses the other snmp-server community lines as start lines and the next lines as stop, and they also pass.

So, the problem is that I really only want to look at one line in the config, not 2.  But I don't think I can get a config-block to be only one line.   Hmm..   You know there are probably a couple other things to try, if any of them work I'll post here...  But, as of now I don't think this will work.

However,  I am sure you can see the way that we NEED this ability, and I'd preferably have it done in a way that isn't kind of "hacking" the server!!

Thoughts?!   (I will let you know if any of my other potential hacks work, I don't expect them to)...
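As an added example (not code from this thread and not NCM's own rule syntax), here is the same check written as a stand-alone Python script, covering both the accepted answer's NTP rule and the SNMP community case above. One regex with a negative lookahead matches an unwanted `ntp server` or `snmp-server community` line on its own, so it does not need a two-line config block; the remediation output is the "no" of each unwanted line, followed by the wanted line if it is missing (the extra rule the accepted answer says you need). Whitespace is matched with `\s+`, per Jiri's caveat about mixed whitespace in configs. The sample config is constructed from the lines quoted in this thread, and the function names are my own.

```python
import re

# Constructed sample running-config excerpt, assembled from lines quoted in
# this thread: the three NTP servers of the original question plus the SNMP
# communities from the later post (one with doubled whitespace on purpose).
SAMPLE_CONFIG = """\
!
ntp server 1.1.1.1
ntp server 1.2.2.2
ntp server 3.3.3.3
!
snmp-server community badcommunity RO
snmp-server   community validcommunity1 RO
snmp-server community validcommunity2 RW
!
end
"""


def _prefix_regex(prefix):
    # "snmp-server community" -> snmp\-server\s+community: \s+ instead of a
    # literal space so tabs or doubled spaces in the config still match.
    return r"\s+".join(re.escape(word) for word in prefix.split())


def unwanted_pattern(prefix, allowed):
    """Compile a ONE-line regex matching a `prefix` line whose value is not allowed.

    The negative lookahead rejects exactly the allowed values and is anchored on
    the following whitespace or end of line, so 3.3.3.3 does not also approve
    3.3.3.30.  Only the line itself is needed, which sidesteps the two-line
    config block limitation described in the thread.
    """
    alternatives = "|".join(re.escape(value) for value in allowed)
    return re.compile(
        rf"^\s*{_prefix_regex(prefix)}\s+(?!(?:{alternatives})(?:\s|$))(\S+)"
    )


def present_values(config, prefix):
    """Values (IP address or community name) of every `prefix` line in the config."""
    pat = re.compile(rf"^\s*{_prefix_regex(prefix)}\s+(\S+)")
    return {m.group(1) for m in map(pat.match, config.splitlines()) if m}


def remediation_script(config, prefix, wanted):
    """Build the CLI commands that bring one config into compliance.

    `wanted` maps each allowed value to the full line that should exist for it.
    Output: 'no <line>' for every unwanted line (first remediation line of the
    accepted answer), then the wanted line for any value that is missing (the
    extra rule for the "no NTP server at all" case).  Empty list == compliant.
    """
    commands = []
    unwanted = unwanted_pattern(prefix, wanted)
    for line in config.splitlines():
        if unwanted.match(line):
            commands.append("no " + " ".join(line.split()))  # whitespace normalized
    present = present_values(config, prefix)
    for value, full_line in wanted.items():
        if value not in present:
            commands.append(full_line)
    return commands


if __name__ == "__main__":
    for cmd in remediation_script(SAMPLE_CONFIG, "ntp server",
                                  {"3.3.3.3": "ntp server 3.3.3.3"}):
        print(cmd)
```

Run against the sample, the NTP rule yields `no ntp server 1.1.1.1` and `no ntp server 1.2.2.2`, the SNMP rule yields only `no snmp-server community badcommunity RO` (the double-spaced valid line is left alone), and a config with no `ntp server` line at all yields `ntp server 3.3.3.3`. Review the generated commands on a small subset of devices before pushing them anywhere.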

cnorborg‌, your assumption is correct; "config block end" must be on a different line in the current implementation. At least we have a candidate for an interesting extension of the compliance engine.

Jiri

cvachovecj

Then it is settled. cnorborg‌ is hired!

Now, with Jiri & Craig teamed up, the NCM team is unstoppable...

Yeah, I know what you meant, I was just messing around. But, it is really cool that a user can find a new, and unintended, way to use a tool, and then the staff just comes right on board to investigate the potential. Soooooooo much better than taking months and years to lobby for this and that with other vendors, just to get them to start looking...

-Will

Well, thanks for the votes of confidence guys!!  This "feature" is actually one I've wanted for quite some time, not necessarily for NTP servers, but for SNMP communities and such.

As an FYI - this actually does work, I'm using it.  But, especially when I'm telling someone to basically hack the way the system is working, I like to give disclaimers!!  Definitely need to be careful when doing things globally based off regular expressions...

Yea, my first post on this subject was way back in Oct 2006 I think (Is is possible?), and I asked another similar question in Feb 2011 (Policy Manager - Is there a way to...) from which fcaron supposedly created an "enhancement" #46497.   I assume this was the predecessor to voting on feature enhancements?  Maybe I should go put one in...

Actually we hired quite a few customers and typically, they were very active on thwack.

rmothersbaugh

I would recommend starting with a compliance policy/report.

This will tell you which devices contain, or do not contain, a specific, user specified, string.

From there, you can create a "Fix" to be applied to the devices when found.

Give me a few minutes, and I will find you some links to some examples.

-Will

I am doing them, but I don't see a way to remove the old ones with gathering the info from the configuration. I mean I can go through and grab all the server IP addresses and just make a single script. But I was hoping to do it automatically, just in case a person makes a change; it would run the policy and remove the added server only.

rmothersbaugh

Do you have a list of the other, possible, ntp servers, or are you thinking they could just be anything?

If you have a list of known ntp servers that you do not want to use, then you could create a separate rule for each server, and then put all of those rules into the same report.

You could then assign a corrective action to those rules that would remove each one, if found.

Example:

Rule ntpserver1:

looks for this line in the config

ntp server 1.1.1.1

and, if found, performs this corrective action to remove it

no ntp server 1.1.1.1

Rule ntpserver2:

looks for this line in the config

ntp server 1.2.2.2

and, if found, performs this corrective action to remove it

no ntp server 1.2.2.2

Rule ntpserver3:

looks for this line in the config

ntp server 3.3.3.3

and, if NOT found, performs this corrective action to add it

ntp server 3.3.3.3

Or, can you just run a script on all of the switches, through the "Configuration Management" section under the NCM tab, that would just "no ntp server", then "ntp server 3.3.3.3"?

How about changing the rule to include a block of text from the config, matching it on the lines before and after "ntp server 3.3.3.3".

This way if it matches the config, you know you only have the 1 entry.

Otherwise, if it doesn't match, and you need it to cover possible ntp servers you may not be aware of, it simply removes everything, and only re-adds the one you need.

As another example, if this is how all of your devices/configs should look, then anything with more than those 3 lines, regardless of server IP, would trigger the policy violation, and then you could remediate with your "no ntp"/"ntp server 3.3.3.3" script.

!

ntp clock-period 36029396

ntp server 3.3.3.3

end

I hope I am not too far off base on this with you, but I do know I am not the best explainer.

-Will
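An added example, not Will's code and not NCM's: the block-comparison idea above as a stand-alone Python check. It normalizes whitespace, ignores the `ntp clock-period` line (IOS recalculates that value on its own, so an exact match on it would flag every device), and emits the "no ntp server"/"ntp server 3.3.3.3" remediation whenever anything beyond the expected lines is present. The two config excerpts are constructed; 3.3.3.3 and 1.2.2.2 are taken from this thread.

```python
import re

EXPECTED_NTP = ["ntp server 3.3.3.3"]   # the one line every device should carry

# IOS rewrites this value itself, so it must not take part in the comparison.
CLOCK_PERIOD = re.compile(r"^ntp clock-period \d+$")

# Constructed excerpts: the first is the reference block from the reply above,
# the second has an extra server (1.2.2.2, from the original question) and a
# doubled space in the line that is otherwise correct.
COMPLIANT = """\
!
ntp clock-period 36029396
ntp server 3.3.3.3
end
"""

DRIFTED = """\
!
ntp clock-period 17180060
ntp  server 3.3.3.3
ntp server 1.2.2.2
end
"""


def ntp_lines(config):
    """Whitespace-normalized 'ntp ...' lines, minus the auto-generated clock-period."""
    normalized = (" ".join(line.split()) for line in config.splitlines())
    return [l for l in normalized if l.startswith("ntp ") and not CLOCK_PERIOD.match(l)]


def check_ntp_block(config, expected=EXPECTED_NTP):
    """Return (compliant, remediation) for one config.

    Order is ignored because IOS may reorder server lines; any deviation at all
    (extra, missing or differently spelled line) triggers the remove-everything,
    then re-add script described in the reply above.
    """
    actual = ntp_lines(config)
    if sorted(actual) == sorted(expected):
        return True, []
    remediation = ["no " + l for l in actual if l.startswith("ntp server ")]
    remediation += expected
    return False, remediation


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        ok, cmds = check_ntp_block(cfg)
        print(name, "compliant" if ok else "violation", cmds)
```

The drifted excerpt produces `no ntp server 3.3.3.3`, `no ntp server 1.2.2.2`, `ntp server 3.3.3.3`; the compliant one produces nothing. Removing the wanted server and re-adding it in the same script is what keeps the rule simple, at the cost of a brief window with no NTP server configured on that device.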

I will test this today and let you know, thanks.

rmothersbaugh

Maybe better idea to test out cnorborg‌'s idea. I think his would be the better solution.
