3 Replies Latest reply on Oct 16, 2019 1:29 PM by rednarb

    Policy Compliance: Cisco IOS BGP Authentication Rule

    rednarb

      Friends,

       

      I am trying to build a compliance rule to make sure that any router with BGP configured has a neighbor password set. I thought I had this nailed with the following:

       

      RegEx Config Block Start: router bgp ?\d+

      RegEx Config Block End: ^\w

      Must Contain RegEx: neighbor .*. password

       

      This works great, as long as you have only one neighbor. But in a case where there are multiple neighbors, how can I check that each one has a password set? For example:

       

      router bgp 65535

      bgp log-neighbor-changes

      neighbor 10.10.1.1 remote-as 1234

      neighbor 10.10.1.1 password 7 29WOSKXNDHFUR849384URJFGLSPQAZL

      neighbor 10.10.10.1 remote-as 65535

      neighbor 10.10.10.1 update-source Loopback0

      neighbor 10.10.10.2 remote-as 65535

      neighbor 10.10.10.2 update-source Loopback0

      neighbor 10.10.10.3 remote-as 65535

      neighbor 10.10.10.3 update-source Loopback0

       

      This example shows as compliant with the check I described above, but clearly it isn't. Any ideas?

       

      TIA,
      Eric
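
One way to check every neighbor rather than the block as a whole, as an added example that is not part of the original post: a Python function that walks the `router bgp` block with the same start and end patterns as the rule above and returns the neighbors that have no `password` line. It goes beyond the post's case by treating a password set on a peer-group as covering that group's members. The function name and the sample configuration are constructed, and the config is assumed to be indented as in a real running-config.

```python
import re

BLOCK_START = re.compile(r"^router bgp ?\d+")   # block start pattern from the post
BLOCK_END = re.compile(r"^\w")                  # block end pattern from the post
NEIGHBOR = re.compile(r"^\s+neighbor (\S+) (\S+)(?: (\S+))?")

# Constructed sample; the type 7 strings are placeholders, not real secrets.
SAMPLE_CONFIG = """\
router bgp 65535
 bgp log-neighbor-changes
 neighbor IBGP peer-group
 neighbor IBGP password 7 PLACEHOLDER
 neighbor 10.10.1.1 remote-as 1234
 neighbor 10.10.1.1 password 7 PLACEHOLDER
 neighbor 10.10.10.1 remote-as 65535
 neighbor 10.10.10.1 update-source Loopback0
 neighbor 10.10.10.2 peer-group IBGP
 neighbor 10.10.10.3 remote-as 65535
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
"""

def unauthenticated_neighbors(config: str) -> list[str]:
    """Return BGP neighbors, in config order, with no direct or inherited password."""
    in_bgp = False
    seen, has_pw, groups, member_of = [], set(), set(), {}
    for line in config.splitlines():
        if BLOCK_START.match(line):
            in_bgp = True
            continue
        if in_bgp and BLOCK_END.match(line):
            in_bgp = False                      # first unindented word ends the block
        m = NEIGHBOR.match(line) if in_bgp else None
        if not m:
            continue
        peer, keyword, arg = m.groups()
        if peer not in seen:
            seen.append(peer)
        if keyword == "password":
            has_pw.add(peer)
        elif keyword == "peer-group" and arg:   # "neighbor <ip> peer-group <name>"
            member_of[peer] = arg
        elif keyword == "peer-group":           # "neighbor <name> peer-group" defines a group
            groups.add(peer)
    return [p for p in seen if p not in groups
            and p not in has_pw and member_of.get(p) not in has_pw]

if __name__ == "__main__":
    print(unauthenticated_neighbors(SAMPLE_CONFIG))
```

A non-empty result is a violation, and the returned list names the neighbors to fix.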