
Scripting

Hi,

I have a kind of complicated script I need to run and I'm not sure if it's possible or the best way to do it. I need to update NTP servers across every device (about 500). All devices are Cisco but there are some switches (Nexus and Catalyst), routers and ASAs. I have no problem adding the new servers, in fact this has mostly been done already, but I'm having issues removing the old ones as there was no standard before, so there is no way of just stating something like "if RegEx expression 'ntp server 1.1.1.1' is found, run script 'no ntp server 1.1.1.1'" as the IP I need to remove can vary.

So let's say the new NTP servers have an IP of 10.0.0.1 and 10.0.0.2. Is there a way of running something to search for instances of "ntp server" but ignore the "ntp server 10.0.0.1" and "ntp server 10.0.0.2", and then to take that output and "no" them?

Cheers,

Paolo
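The search-then-"no" approach asked about above, as an added example (not code from the original post or from any NCM product): it parses a saved running-config, finds every "ntp server" line on IOS, NX-OS and ASA syntax, and emits a "no" command for each address that is not in the approved set. The sample configs and the approved addresses 10.0.0.1/10.0.0.2 are constructed for the example. It assumes that "no ntp server <address>" (with the "vrf <name>" keyword kept on IOS) is enough to delete an entry regardless of trailing options such as "prefer", "key", "source" or "use-vrf"; verify that on one device of each platform before pushing to 500. It also holds any device that runs "ntp master", since that device is itself a time source.

```python
import ipaddress
import re

# Constructed sample running-configs for the three platform families in the
# question (IOS, NX-OS, ASA). Illustrative, not real device output.
CONFIGS = {
    "ios-rtr1": (
        "hostname ios-rtr1\n"
        "ntp server 10.0.0.1 prefer\n"
        "ntp server 10.0.0.2\n"
        "ntp server 192.0.2.44 key 3\n"
        "ntp server vrf MGMT 10.0.0.10\n"
        "ntp server 198.51.100.7 source GigabitEthernet0/0\n"
    ),
    "ios-core": (
        "hostname ios-core\n"
        "ntp master 3\n"
        "ntp server 192.0.2.44\n"
    ),
    "nxos-sw1": (
        "hostname nxos-sw1\n"
        "ntp server 10.0.0.1 use-vrf management\n"
        "ntp server 203.0.113.9 prefer use-vrf management\n"
        "ntp server 10.0.0.2\n"
    ),
    "asa-fw1": (
        "hostname asa-fw1\n"
        "ntp server 10.0.0.1 source inside prefer\n"
        "ntp server 192.0.2.44 source outside\n"
        "ntp server 10.0.0.2 source inside\n"
    ),
}

# Approved (new) servers, constructed for the example.
APPROVED = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.0.0.2")}

# One pattern for all three syntaxes: optional IOS "vrf <name>" before the
# address, the address as a whole token, then any trailing options.
NTP_LINE = re.compile(r"^ntp server(?: vrf (?P<vrf>\S+))? (?P<addr>\S+)(?P<opts>.*)$")


def plan_removals(config, approved=APPROVED):
    """Return (removal_cmds, is_time_source) for one device config.

    removal_cmds: 'no ntp server ...' for every server whose address is not in
    the approved set. Only the vrf keyword and the address are kept; trailing
    options are assumed unnecessary for deleting the entry (verify per platform).
    is_time_source: True if the device runs 'ntp master', i.e. it is itself an
    NTP server and should be reviewed by hand rather than auto-remediated.
    """
    removals = []
    is_time_source = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ntp master"):
            is_time_source = True
            continue
        m = NTP_LINE.match(line)
        if not m:
            continue
        token = m.group("addr")
        try:
            # Whole-token parse: 10.0.0.10 is never mistaken for 10.0.0.1, which a
            # substring search for 'ntp server 10.0.0.1' would get wrong.
            addr = ipaddress.ip_address(token)
        except ValueError:
            addr = None  # hostname-based entry: not approved, so it is removed
        if addr in approved:
            continue
        target = f"vrf {m.group('vrf')} {token}" if m.group("vrf") else token
        removals.append(f"no ntp server {target}")
    return removals, is_time_source


def build_jobs(configs=CONFIGS, approved=APPROVED):
    """Per-device change plan: commands to push, plus a hold flag for time sources."""
    jobs = {}
    for name, cfg in configs.items():
        removals, time_source = plan_removals(cfg, approved)
        jobs[name] = {"hold": time_source, "commands": removals}
    return jobs


if __name__ == "__main__":
    for name, job in build_jobs().items():
        print(f"{name}: {'HOLD (ntp master)' if job['hold'] else 'push'}")
        for cmd in job["commands"]:
            print("  " + cmd)
```

Run it against a directory of saved running-configs and feed the per-device command lists to whatever tool pushes the change; the approved set is the only thing that changes between sites. Adding the new "ntp server 10.0.0.1" / "10.0.0.2" lines can follow the removals in the same job, exactly as in the fixed script in the first reply.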

  • I'm sure that there's a way to do it, but when I did this for TACACS+ servers at my last company, I elected to do it the simple way.

    My script was basically:

    no ntp server 10.0.0.1
    no ntp server 10.0.0.2
    no ntp server 10.0.0.3
    (repeat for however many you might have)
    ntp server 10.1.1.1
    ntp server 10.2.2.2
    ntp server 10.3.3.3
    (repeat for the new ones and put them in the preferred order)
  • I don't know the exact SW command syntax, but if the old servers are all in private IP space, you can search for ranges of IP addresses to remove, and just avoid the new addresses.

    10.0.0.3 - 10.0.0.254 (skip .1 and .2) = 10\.0\.0\.([3-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])

    Thankfully there is an online tool for creating IP ranges here: https://www.analyticsmarket.com/freetools/ipregex

    It puts a ^ at the beginning and a $ at the end of each expression. They specify 'start of line' and 'end of line' respectively. You probably want to leave those off.

    The longer the range of IPs, the longer the expression, so if the old servers use random Internet-routable IPs, this method might get a little crazy. In that case, it might be better to simply search for all entries (ntp server .*) and save them to a list. Then you can create multiple smaller ranges and make a few passes.

    Just for fun ...

    1.0.0.1 - 9.255.255.254:

    (1(\.0){2}\.([1-9]|[1-9]\d|[12]\d\d)|1\.0\.([1-9]|[1-9]\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)|1\.([1-9]|[1-9]\d|[12]\d\d)(\.([1-9]?\d|[12]\d\d)){2}|9(\.255){2}\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-4])|9\.255\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-4])\.([1-9]?\d|[12]\d\d)|9\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-4])(\.([1-9]?\d|[12]\d\d)){2}|[2-8](\.([1-9]?\d|[12]\d\d)){3})
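The range-regex approach in the reply above, with the check a practitioner would want before pushing it to 500 devices, as an added example (not part of the original reply or of the linked tool). It takes the posted expression for 10.0.0.3-254, shows what goes wrong when the ^ and $ are simply dropped (the expression then matches inside 110.0.0.3 and matches the "25" of 10.0.0.255), anchors it to the "ntp server" line instead, and enumerates all 256 last-octet values to confirm the anchored expression matches exactly the intended range. The sample lines and the deliberately looser second pattern are constructed for the example.

```python
import re

# Range expression as posted for 10.0.0.3 - 10.0.0.254 (skipping .1 and .2).
RANGE_10_0_0 = r"10\.0\.0\.([3-9]|[1-9]\d|1\d\d|2[0-4]\d|25[0-4])"

# Unanchored, as you get it after dropping the tool's ^ and $.
RAW = re.compile(RANGE_10_0_0)

# Anchored to the config line rather than to start/end of the whole text: the
# address must start right after "ntp server " (or "ntp server vrf <name> ")
# and must end at whitespace or end of line, so "prefer" etc. may follow it.
ANCHORED = re.compile(r"^ntp server (?:vrf \S+ )?" + RANGE_10_0_0 + r"(?=\s|$)")

# Constructed: a looser last-octet alternation that allows 256-299, to show the
# range check catching an over-broad expression.
LOOSE = re.compile(r"^ntp server (?:vrf \S+ )?10\.0\.0\.([3-9]|[1-9]\d|[12]\d\d)(?=\s|$)")


def raw_hit(line):
    return RAW.search(line) is not None


def anchored_hit(line):
    return ANCHORED.search(line) is not None


def false_positives(lines):
    """Lines the unanchored expression matches but the anchored one rejects."""
    return [l for l in lines if raw_hit(l) and not anchored_hit(l)]


def verify_last_octet_range(pattern, lo, hi, prefix="10.0.0."):
    """Enumerate every last octet 0-255 and return those whose match result
    disagrees with the intended range lo..hi. An empty list means the
    expression is exactly right for that octet."""
    bad = []
    for x in range(256):
        line = f"ntp server {prefix}{x}"
        expected = lo <= x <= hi
        if (pattern.search(line) is not None) != expected:
            bad.append(x)
    return bad


# Constructed sample config lines, not from a real device.
SAMPLE_LINES = [
    "ntp server 10.0.0.1 prefer",
    "ntp server 10.0.0.2",
    "ntp server 10.0.0.30",
    "ntp server 10.0.0.255",
    "ntp server 110.0.0.3",
    "ntp server vrf MGMT 10.0.0.200 prefer",
]

if __name__ == "__main__":
    print("false positives without anchoring:", false_positives(SAMPLE_LINES))
    print("anchored mismatches:", verify_last_octet_range(ANCHORED, 3, 254))
    print("loose-pattern mismatches:", verify_last_octet_range(LOOSE, 3, 254))
```

The enumeration is cheap (256 lines per /24) and is worth running for every expression the tool produces; the longer "just for fun" style expressions are exactly the ones where an off-by-one in an alternation is hard to spot by eye.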

  • This is fairly simple to do with compliance policies. I only use 2 rules to fix this for all of my Cisco IOS/IOS XE devices.

    First rule is to remove any non-approved NTP servers

    [screenshot: pastedImage_0.png]

    The other is to input the new correct servers.

    [screenshot: pastedImage_1.png]

    Set up in this way, I have been able to turn on auto-remediation for them and haven't had an issue since. Just make sure you don't apply this policy to your NTP servers if you are using a router for that.

    Let me know if this works out for you!