cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 10

Policy Compliance: Cisco IOS BGP Authentication Rule

Friends,

I am trying to build a compliance rule to make sure that any router with BGP configured has a neighbor password set. I thought I had this nailed with the following:

RegEx Config Block Start: router bgp ?\d+

RegEx Config Block End: ^\w

Must Contain RegEx: neighbor .*. password

This works great, as long as you have only one neighbor. But in a case where there are multiple neighbors, how can I check that each one has a password set? For example:

router bgp 65535

bgp log-neighbor-changes

neighbor 10.10.1.1 remote-as 1234

neighbor 10.10.1.1 password 7 29WOSKXNDHFUR849384URJFGLSPQAZL

neighbor 10.10.10.1 remote-as 65535

neighbor 10.10.10.1 update-source Loopback0

neighbor 10.10.10.2 remote-as 65535

neighbor 10.10.10.2 update-source Loopback0

neighbor 10.10.10.3 remote-as 65535

neighbor 10.10.10.3 update-source Loopback0

This example shows compliant with the check I described above but clearly it isn't. Any ideas?

TIA,
Eric

Tags (2)
0 Kudos
3 Replies

As the password is associated with an AS neighbour entry, could you adjust the start block accordingly and focus on the neighbor line. This will require some additional Regex to exclude non-relevant entries such as those above to Loopback, but this may work for you.

0 Kudos

I've tried various things but can't seem to get the rule to recognize each neighbor statement group programmatically and then verify if there is a password statement. The neighbor IP will vary with each router so I can't look for a specific IP. If using the neighbor statement as a block start, I do not know how to make a block-end that does encompass the same IP as the block start to really define the unique block to then search for,

The rule needs to be that if there is a BGP neighbor, there must be a password set for that neighbor.

0 Kudos
Level 10

Do I get a special prize for stumping the pros?

0 Kudos