Configuration Compliance - Flagging due to unknown additional config

Like to ask if there is a way to design a logic such that it can flag out "additional" configurations that are not defined in a set of compliance rules/policies that we have set?

Because of the vast amounts and combinations of CLI commands (i.e. Cisco) on global/interface levels, I presume we cannot define all the possible sets of rules to intentionally sieve out the "excess" configurations that we do not want, but which were accidentally configured by an engineer.

Any recommendations? Thanks.

  • It might be simpler to list all possible commands for a device (show running-config all), send it to a spreadsheet, and start highlighting lines you expect or don't expect. Once you have the list of lines, and it may well be a long one, you might build a compliance report that alerts on specific lines you don't want. Or alerts if specific desired lines are missing.

    I appreciate your request, and I suspect the processing and logic may be available. I'm not ashamed (yet) to admit I don't know how to accomplish your specific task. In this case, it actually becomes possible to prove a negative, and that's interesting!

  • Thanks @rschroeder for your suggestion.

    By the way, my team just clarified that actually they just need a checking mechanism for any deviation from a configuration template.

    Which I think I might have an idea to address.

  • That's MUCH easier to accomplish. Simply use NCM to create a baseline for every device it backs up. NCM can alert you, can show graphs, e-mail reports, etc., that will list all devices that have deviated from their baseline.
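A minimal version of the line-by-line check described in the first reply (flag lines you don't want, alert on desired lines that are missing) and of the baseline-deviation check in the NCM reply, as an added example that is not code from the thread or from NCM. Both configs below are constructed; sub-commands are keyed by their parent block (interface, line vty) so interface-level and global-level lines are compared separately, and the example assumes deeper nesting such as address-family blocks can be flattened to its top-level block.

```python
"""Compare a Cisco running-config against a baseline template (added example)."""
import re

# Per-device or cosmetic lines that should not count as deviations.
IGNORE = re.compile(r"^(Building configuration|Current configuration|!|version |hostname |end$)")

def parse(config):
    """Return a set of (context, line) pairs; context is "" for global lines."""
    entries, context = set(), ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or IGNORE.match(line):
            continue
        if not raw.startswith(" "):
            context = line              # global command or start of a block
            entries.add(("", line))
        else:
            entries.add((context, line))  # sub-command inside the current block
    return entries

def compare(running, template):
    """Return (extra, missing) as sorted 'context: line' strings."""
    run, base = parse(running), parse(template)
    fmt = lambda ctx, line: f"{ctx + ': ' if ctx else ''}{line}"
    extra = sorted(fmt(c, l) for c, l in run - base)     # present but not in template
    missing = sorted(fmt(c, l) for c, l in base - run)   # required by template, absent
    return extra, missing

# Constructed baseline template (what every device should contain).
TEMPLATE = """\
service password-encryption
no ip http server
interface GigabitEthernet0/1
 description uplink
 no ip proxy-arp
line vty 0 4
 transport input ssh
"""

# Constructed running-config with two unwanted lines and a drifted vty setting.
RUNNING = """\
Building configuration...
Current configuration : 1234 bytes
!
version 15.2
hostname edge-01
service password-encryption
ip http server
!
interface GigabitEthernet0/1
 description uplink
 no ip proxy-arp
 shutdown
!
line vty 0 4
 transport input telnet ssh
end
"""

if __name__ == "__main__":
    extra, missing = compare(RUNNING, TEMPLATE)
    print("EXTRA (not in template):", *extra, sep="\n  ")
    print("MISSING (required by template):", *missing, sep="\n  ")
```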

  • My team's concern to address is that there is a need to check the initial base (i.e. baseline) configuration against our corporate checklist. The reason is that the base configuration is compiled by another team during the initial commissioning. Hence there is a trust relationship issue with the baseline before even proceeding further.