Level 7

Scripting

Hi,

I have a kind of complicated script I need to run and I'm not sure if it's possible or the best way to do it. I need to update NTP servers across every device (about 500). All devices are Cisco, but there are some switches (Nexus and Catalyst), routers and ASAs. I have no problem adding the new servers; in fact this has mostly been done already, but I'm having issues removing the old ones, as there was no standard before, so there is no way of just stating something like "if regex 'ntp server 1.1.1.1' is found, run 'no ntp server 1.1.1.1'", as the IP I need to remove can vary.

So let's say the new NTP servers have an IP of 10.0.0.1 and 10.0.0.2. Is there a way of running something to search for instances of "ntp server" but ignore the "ntp server 10.0.0.1" and "ntp server 10.0.0.2", and then to take that output and "no" them?

Cheers,

Paolo

3 Replies
Level 12

This is fairly simple to do with compliance policies. I only use 2 rules to fix this for all of my Cisco IOS/IOS XE devices.

The first rule is to remove any non-approved NTP servers.


The other is to input the new correct servers.


Set up in this way, I have been able to turn on auto-remediation for them and haven't had an issue since. Just make sure you don't apply this policy to your NTP servers if you are using a router for that.

Let me know if this works out for you!

Level 8

I don't know the exact SW command syntax, but if the old servers are all in private IP space, you can search for ranges of IP addresses to remove, and just avoid the new addresses.

10.0.0.3 - 10.0.0.254 (skip .1 and .2) = 10\.0\.0\.([3-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])

Thankfully there is an online tool for creating IP ranges here: https://www.analyticsmarket.com/freetools/ipregex

It puts a ^ at the beginning and a $ at the end of each expression. They specify 'start of line' and 'end of line' respectively. You probably want to leave those off.

The longer the range of IPs, the longer the expression, so if the old servers use random Internet-routable IPs, this method might get a little crazy. In that case, it might be better to simply search for all entries (ntp server .*) and save them to a list. Then you can create multiple smaller ranges and make a few passes.

Just for fun ...

1.0.0.1 - 9.255.255.254:

(1(\.0){2}\.([1-9]|[1-9]\d|[12]\d\d)|1\.0\.([1-9]|[1-9]\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)|1\.([1-9]|[1-9]\d|[12]\d\d)(\.([1-9]?\d|[12]\d\d)){2}|9(\.255){2}\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-4])|9\.255\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-4])\.([1-9]?\d|[12]\d\d)|9\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-4])(\.([1-9]?\d|[12]\d\d)){2}|[2-8](\.([1-9]?\d|[12]\d\d)){3})

Community Manager
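The "search for all ntp server entries, keep a list, and compare against the approved addresses" approach from the reply above, as an added Python example (not from this thread or from any vendor tool). The config snippet is constructed; the approved addresses 10.0.0.1 and 10.0.0.2 are the ones from the question.

```python
import re

# Approved servers from the question; anything else found is to be removed.
APPROVED = {"10.0.0.1", "10.0.0.2"}

# One "ntp server" line: optional IOS "vrf NAME", an IPv4 address, then any
# trailing options (IOS "prefer", NX-OS "use-vrf ...", ASA "source ...").
# Anchored at line start so commented-out "! ntp server ..." lines are skipped.
NTP_LINE = re.compile(r"^\s*ntp server (?:vrf \S+ )?(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ntp server 192.0.2.10 prefer
ntp server 10.0.0.1
ntp server vrf MGMT 198.51.100.7
ntp server 203.0.113.5 source Loopback0
! ntp server 10.0.0.9 is a comment, not live config
"""


def plan_ntp_cleanup(config_text, approved=APPROVED):
    """Return the CLI lines that remove unapproved servers and add missing approved ones.

    Removal repeats the original line after "no", so options such as a VRF
    or source interface are carried along and the exact entry is removed.
    Additions are emitted for approved servers not already present.
    """
    remove, seen = [], set()
    for line in config_text.splitlines():
        m = NTP_LINE.match(line)
        if not m:
            continue
        ip = m.group(1)
        seen.add(ip)
        if ip not in approved:
            remove.append("no " + line.strip())
    add = ["ntp server " + ip for ip in sorted(approved - seen)]
    return remove + add


if __name__ == "__main__":
    for cmd in plan_ntp_cleanup(SAMPLE_CONFIG):
        print(cmd)
```

Run it against each device's `show running-config | include ntp server` output and review the generated lines before pushing them; it only handles IPv4 `ntp server` entries, not `ntp peer` or IPv6.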

I'm sure that there's a way to do it, but when I did this for TACACS+ servers at my last company, I elected to do it the simple way.

My script was basically:

no ntp server 10.0.0.1
no ntp server 10.0.0.2
no ntp server 10.0.0.3
(repeat for however many you might have)
ntp server 10.1.1.1
ntp server 10.2.2.2
ntp server 10.3.3.3
(repeat for the new ones and put them in the preferred order)
"Shoot for the stars to reach the moon"