Configuration Management with Cisco Prime LAN Management Solution 4.1
Chapter 6: Using Baseline Templates to Check Configuration Compliance

Using Baseline Templates to Check Configuration Compliance


This chapter contains the following:

What is a Baseline Template?

Features of Baseline Templates

Baseline Template Management Window

Running Compliance Check

Deploying a Baseline Template

Using Compliance and Deploy Jobs Window

What is a Baseline Template?

Baselining refers to identifying a set of standardized, policy-based commands that you want to have on a set of devices. You can create a Baseline template containing a set of commands identified through the baselining process. This template contains placeholders for device-specific values to be substituted.

For example:

set vtp domain [name] password [xxx]

set snmp community read-write [Read write community string]

Where name, xxx and Read write community string are variables that are substituted with the values you provide.

You can compare the Baseline template with the configuration of devices in the archive. You can also generate a non-compliance configuration report and deploy this template onto the devices to make them compliant. You can deploy a Baseline template to a group of devices by scheduling a single job.

When you add a new device of the same type to the network, you can use the existing Baseline template, which consists of two parts, command and values. You can create configurations for any device of the same type in the network by specifying the values for the variables in the Baseline template.

Sample Input file for Baseline Template

You can use the following input file for creating Baseline template:

<?xml version="1.0" encoding="UTF-8" ?>
<ConfigTemplate Name="Banner1" DeviceFamily="268437899,268438038" Version="1">
  <Commandlet Name="Commands" ControlStmt="false" Parent="none" Submode="false"
  Condition="false" Ordered="false">
    <CommandInfo CheckType="1">
      <Command>banner motd "******************** WARNING *****************************
<NL>This is a private system and only authorized individuals are allowed!<NL>All
others will be prosecuted to the fullest extent of the law!
<NL>*************************************************************************"****
</Command>
    </CommandInfo>
    <ContextModeCommand />
    <PreCondition />
  </Commandlet>
</ConfigTemplate>

Handling Multi-line Commands in Baseline

Multi-line commands should be separated with <NL> tag and should be in the same line within the template.

You can use the following command to run the compliance check for this use case. Note that it is treated as a single-line command:

+ banner motd "************************* WARNING ************************************** 
<NL>This is a private system and only authorized individuals are allowed!<NL>All others 
will be prosecuted to the fullest extent of the law! 
<NL>*************************************************************************"

Features of Baseline Templates

The features of Baseline templates are:

You can use this Baseline template to compare with other device configurations and generate a report that lists all the devices that are non-compliant with the Baseline template.

You can easily deploy the Baseline template to the same category of devices in the network.

You can schedule a compliance check job and deploy the Baseline template on the non-compliant devices. This can be performed as a single job or as a separate job.

You can import or export a Baseline template. This template is stored in XML format.

The rules for specifying the Baseline templates are:

All the commands that are disallowed should begin with a "-".

All commands that are mandatory should begin with a "+".

All comment entries should begin with a "#".

Commands that do not begin with (- or +) are considered as comments and ignored.

The command values can be a wildcard match.

+ ip address [ip-address] [netmask]

+ ip address [#10\.76\.38\..*#] [netmask]

+ ip address [#10\.72\..*\..*#] [netmask]

To find a match for any octet in an IP address you must use \..*.

In the examples shown above, the command will apply for all the devices with the IP address starting with 10.76.38.* [netmask] and 10.72.*.* [netmask].

The regular expressions must be enclosed with #.

For example:

snmp-server location [#.*#]

This command will fail compliance check for snmp-server location loc1 loc2 loc3, because the check will be performed only for one word after snmp-server location.

To overcome this, you have to define the command as:

+ [# snmp-server location .*#]

Then the compliance check is performed for all forms of the snmp-server location command, such as snmp-server location loc1 loc2 ... n.

Negation in Regular Expressions:

Example 1: When there are multiple entries in the configuration files.

Let us say, the commands in the device configuration are:

logging name1

logging name2

logging name3

The command available in the template is:

+ logging [#!name1#]

Based on the command in the template, the negation of name1 is done. This returns true as there are other logging commands present with other names. So the template is compliant.

Example 2: When there is only one entry in the device configuration file.

Let us say, the command in the device configuration is:

logging name1

The command available in the template is:

+ logging [#!name1#]

Based on the command in the template, the negation of name1 is done. This returns False, as there is no other command in the device configuration file with logging statement except logging name1. So the template is non-compliant.

Example 3: When there are no logging commands in the device configuration files.

Let us say, the command in the device configuration is:

No logging commands

The command available in the template is:

+ logging [# !name1 #]

Based on the command in the template, the negation of name1 is done. This returns False, as there are no logging commands. So the template is non-compliant.

The Baseline template uses java.util.regex engine for regular expressions. For more information, see the regex API guide for Java 1.4.2 from Oracle:

http://download.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html

Submode commands are provided only if the commands are to be compared inside a submode.

For example:

interface [#Ethernet.*#]

+ no shutdown

The no shutdown command will apply to all Ethernet interfaces.
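The rules above, modelled as a small Python checker. This is an added example, not LMS code: it assumes Python's re module in place of java.util.regex, that a lone [#...#] is matched against the whole line, and that submode blocks are indented as in IOS output; the function names and sample data are constructed for illustration.

```python
import re

# A template token is [#regex#], [placeholder] or a literal word.
TOKEN = re.compile(r"\[#.*?#\]|\[[^\]]*\]|\S+")


def parse_rules(template):
    """Return [(sign, tokens)]; lines without '+ ' or '- ' are comments."""
    rules = []
    for raw in template.splitlines():
        line = raw.strip()
        # The sign must be followed by a space, otherwise the line is ignored.
        if line[:2] in ("+ ", "- "):
            rules.append((line[0], TOKEN.findall(line[2:])))
    return rules


def value_matches(token, text):
    """Match one template token against one config word (or a whole line)."""
    if token.startswith("[#") and token.endswith("#]"):
        pattern = token[2:-2].strip()
        if pattern.startswith("!"):  # negation: the value must not match
            return re.fullmatch(pattern[1:].strip(), text) is None
        return re.fullmatch(pattern, text) is not None
    if token.startswith("[") and token.endswith("]"):
        return True  # named placeholder: any single word
    return token == text


def line_matches(tokens, config_line):
    line = config_line.strip()
    if len(tokens) == 1 and tokens[0].startswith("[#"):
        return value_matches(tokens[0], line)  # regex covers the whole line
    words = line.split()
    return len(words) == len(tokens) and all(map(value_matches, tokens, words))


def check(template, config_lines):
    """Return findings for one scope; an empty list means compliant."""
    findings = []
    for sign, tokens in parse_rules(template):
        present = any(line_matches(tokens, line) for line in config_lines)
        if sign == "+" and not present:
            findings.append("missing: " + " ".join(tokens))
        if sign == "-" and present:
            findings.append("disallowed: " + " ".join(tokens))
    return findings


def check_submode(submode, template, config):
    """Run the template inside each block whose header matches `submode`."""
    header_tokens = TOKEN.findall(submode)
    results, header, body = {}, None, []
    for line in config.splitlines() + ["!"]:  # sentinel flushes the last block
        if line[:1].isspace():
            body.append(line)
            continue
        if header is not None and line_matches(header_tokens, header):
            results[header] = check(template, body)
        header, body = line, []
    return results


# Constructed sample data (not taken from a real device).
SAMPLE_CONFIG = """\
logging name1
snmp-server location loc1 loc2 loc3
interface Ethernet0
 ip address 10.76.38.5 255.255.255.0
interface Ethernet1
 ip address 10.77.1.1 255.255.255.0
 shutdown
interface Serial0
 shutdown
"""
SAMPLE_TEMPLATE = r"""
# constructed template using the chapter's syntax
+ ip address [#10\.76\.38\..*#] [netmask]
- shutdown
"""

if __name__ == "__main__":
    top = [l for l in SAMPLE_CONFIG.splitlines() if not l[:1].isspace()]
    print(check("+ logging [#!name1#]", top))           # only name1 is present
    print(check("+ snmp-server location [#.*#]", top))  # value is one word only
    print(check("+ [# snmp-server location .*#]", top)) # regex over whole line
    print(check_submode("interface [#Ethernet.*#]", SAMPLE_TEMPLATE, SAMPLE_CONFIG))
```

parse_rules returns no rule at all for a line such as "+logging [#!name1#]", so a mandatory command written without the space after the sign is never enforced. The same model shows why octet separators need escaping: an unescaped [#10.77.*.*#] also accepts 10.770.1.1.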

Defining Commandsets

The commandsets are a set of one or more CLI commands. You can define a commandset while creating a Baseline template in the Advanced mode.

The features of the commandsets are:

If the commands in commandset are in a submode (ip/interface etc.) a submode command must be specified for such a commandset.

Commandsets can have one or more child commandsets.

Child commandsets inherit parent's sub-mode command.

You can define commandsets that have to be checked before running the actual commands.

The features of the prerequisite commandsets are:

A commandset can have another commandset as its prerequisite.

A prerequisite commandset is used only for comparison and is not deployed onto the device.

A commandset is compared with the config only if its prerequisite condition is satisfied.

LMS evaluates the commandsets in different ways depending on whether you have defined the commandset as Parent or Prerequisite.

For example, assume that you have defined two commandsets, commandset1 and commandset2:

Commandset defined as Prerequisite

commandset1 as the Prerequisite of commandset2. When LMS evaluates the Baseline template, it evaluates commandset1 first, and commandset2 next.

If commandset1 does not contain submode and is not present in a device, then commandset2 is not evaluated and the device is displayed in the excluded list in the compliance report.

If commandset1 contains submode and is not present in applicable submodes, then commandset2 is not evaluated and the device is displayed in the excluded list in the compliance report.

Commandset defined as Parent

commandset1 as the Parent of commandset2. When LMS evaluates the Baseline template, it evaluates commandset1 first, and commandset2 next.

If either of these commandsets is missing, the template is considered non-compliant.

Baseline Template Management Window

To access the Baseline Template Management Window go to Configuration > Compliance > Compliance Templates > Templates.

This window lists all the system-defined and user-defined Baseline templates. It also displays the following details of the Baseline template:

Column Name
Description

Name

Name of the Baseline template.

The following template examples are displayed, by default:

CISF_DHCP_Snooping—Template for Catalyst Integrated Security Feature

TemplateExample1—Basic template with Regular expression

TemplateExample2—Advanced template with Submode and Parent, child options

TemplateExample3—Advanced template with prerequisite options

TemplateExample4—Advanced template with ordered set options

VRFCompliance—Template for VRF Compliance

Click the template name to view the command sets. For more information, see Command Sets.

Device Type

Type of device for which the defined Baseline template can be used.

Description

Description of the Baseline template.

If you have imported Baseline templates, the description given is Imported.

Created On

Displays the Baseline template creation date and time.


You can click on any column to sort the information by that column. If you double-click a heading, the order is reversed.

This window contains the following buttons:

Button
Description

Edit

Edit a Baseline template.

This button is active only after you select a Baseline Template.

See Editing a Baseline Template for further details

Export

Export a Baseline template file.

This button is active only after you select a Baseline Template.

See Exporting a Baseline Template for further details.

Delete

Delete a Baseline template.

This button is active only after you select a Baseline Template.

See Deleting a Baseline Template for further details.

Create

Create a Baseline template.

See Creating a Baseline Template for further details.

Import

Import a Baseline template file.

See Importing a Baseline Template for further details.


Command Sets

To view the template command sets:


Step 1 Go to Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates window appears, displaying the list of all the user-defined Baseline templates.

Step 2 Click the template name. For example, CISF_DHCP_Snooping.

The BaseLine Config Viewer window appears, displaying the command sets used in the template.

Table 6-1 provides information on the command sets used in the template examples.

Table 6-1 Command Sets

Template
Command Sets

CISF_DHCP_Snooping

Name: Commands SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none

+ ip dhcp snooping

TemplateExample1

Name: Commands SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none

+ snmp-server community [#.*#] RW

TemplateExample2

Name: Global SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none

Name: parent SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none

policy-map V3PN-teleworker

Name: child SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: parent

class VOICE

+ priority 64

TemplateExample3

Name: Global SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none

Name: prereq SubMode: No isPrerequisite: Yes Ordered: No Prerequisite-Commandset: none Parent: none

+ class-map match-all GOLD

Name: parent SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: prereq Parent: none

policy-map GSB_Policy

Name: child SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: parent

class GOLD

+ bandwidth percent 25

TemplateExample4

Name: Global SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none

Name: acceslist SubMode: No isPrerequisite: No Ordered: Yes Prerequisite-Commandset: none Parent: none

+ access-list 101 deny tcp 10.77.209.0 0.0.0.255 any

+ access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23

+ access-list 101 permit ip any any

VRFCompliance

Name: Commands SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none

interface [#.*#]

+ ip vrf forwarding [#red|green|blue#]


Editing a Baseline Template

You can edit all Baseline template fields except for Template Name.


Note: View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task.


To edit the Baseline templates:


Step 1 Select Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates dialog box appears.

Step 2 Select a Baseline template.

Step 3 Click Edit.

The Select Creation Mode dialog box appears. The mode that you have selected while creating the Baseline template is retained. You cannot change this mode.

You can provide a description in the Description text field.

You can select or deselect devices in the Device Type Selector listbox.

Step 4 Click Next.

The Add Template Details dialog box appears.

Step 5 Select the commandset that you want to edit.

Step 6 Edit the required information.

See Creating an Advanced Baseline Template for more information on field descriptions for the fields that appear in the Add Template Details dialog box.

Step 7 Click Finish.

A message appears, Template is modified. Do you wish to save the changes?

Step 8 Click OK.

A notification appears, Successfully updated the template BaselineTemplateName.

Step 9 Click OK to save changes.


Exporting a Baseline Template

You can export a Baseline template. The exported file is in XML format.

The default path on the LMS Server to which the XML file is exported is:

NMSROOT\files\rme\dcma\baselinetemplates (On Windows)

/var/adm/CSCOpx/files/rme/dcma/baselinetemplates (On Solaris and Soft Appliance)

Where NMSROOT is the directory in which LMS is installed.

You cannot change the default export path in the LMS Server. If you do so, an error message will be displayed.


Note: View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task.


To export a Baseline Template:


Step 1 Select Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates dialog box appears.

Step 2 Select one or more Baseline templates and click Export.

The Export a Baseline Template dialog box appears.

Step 3 Click Browse.

The Server Side File Browser dialog box appears.

Step 4 Select a folder.

Step 5 Click OK in the Server Side File Browser dialog box.

Step 6 Click OK.

A message appears, CMA0086: Selected Template(s) are successfully exported.

The naming convention followed for the baseline parameter file is Template Name.xml.

The file will be exported to the default location at the specified path in XML format.


Deleting a Baseline Template

To delete a baseline template:


Note: View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task.



Step 1 Select Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates dialog box appears.

Step 2 Select one or more Baseline templates and click Delete.

A message appears, The selected Template will be permanently deleted.

You can delete only user-defined templates and not system-defined templates.

Step 3 Click OK.

A message appears, Successfully deleted the template.

Step 4 Click OK.

The selected Baseline Template is removed from the Baseline Templates window.



Note: You cannot delete Example Templates.


Creating a Baseline Template

You can create a Baseline Template by:

Creating a Basic Baseline Template

Creating an Advanced Baseline Template

A few example templates are available. You can use these templates as a base to create new templates.

Creating a Basic Baseline Template - an Example

Creating an Advanced Baseline Template— Example


Note: View the Permission Report (Reports > System > Users > Permission) to check whether you have the required privileges to perform this task.


Creating a Basic Baseline Template

To create a Basic Baseline template:


Step 1 Select Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates window appears.

Step 2 Click Create.

The Select Creation Mode dialog box appears.

Step 3 In the Template Details section, select Basic as the mode.

Step 4 Enter the following information:

Field
Description

Name

Name of the Baseline template.

You can enter up to 254 alphanumeric characters (including underscores). Do not enter special characters, including spaces and hyphens.

Description

Description for the Baseline template. You can enter up to 254 characters.

Device Type Selector

Device family to which you can apply this template.

Click the check box to select the device family.


Step 5 Click Next.

The Add Template Details dialog box appears.

Step 6 Enter the following in the Baseline Template page.

Field
Description
Conditional Block

Check for compliance only if the following condition is satisfied.

Check this option if you want to run a compliance check based on any condition.

Global

Select this option if you want to check the conditional commands in Global mode.

This option is activated only if Check for compliance only if the following condition is satisfied is checked.

Submode

Select this option if you want to check the conditional commands in a specific submode.

If you select this option, the textbox next to this option is activated. Enter the command for the required submode.

For example:

interface [#Ethernet.*#]

This option is activated only if the Check for compliance only if the following condition is satisfied option is checked.

CLI Commands

Enter the conditional CLI commands in this text area.

This option is activated only if Check for compliance only if the following condition is satisfied is checked.

Enter the Conditional CLI commands.

For example:

# Routers CLI Commands

+ set snmp community read-write [read-write-community-name-string]

- set snmp community read-only public

Explanation:

The first line is considered as a comment as it does not begin with either "+" or "-".

The second line is mandatory as it begins with "+".

The third line is disallowed as it begins with "-".

In the above example, read-write-community-name-string is a command value. The command value should not contain spaces.

Compliance Block

Global

Select this option if you want to check the compliance commands in global mode.

Use the SubMode of above condition

This option is activated only if the Conditional Block options, Check for compliance only if the following condition is satisfied and the Submode options are selected.

The submode command entered in the submode textbox under the Conditional Block appears in the submode textbox of Compliance Block. So, the submode command of the Conditional Block is used by the Compliance Block.

You cannot edit the submode commands in the Compliance Block. However, you can edit the submode commands in the Conditional Block, which in turn updates the submode commands in the Compliance Block.

Submode

Select this option if you want to check the compliance commands in a specific submode.

If you select this option, the textbox next to this option is activated. Enter the command for the required submode.

The compliance command will be checked for the submode that you enter.

CLI Commands

Enter the Compliance CLI commands. This is a mandatory field.

For example, you can enter:

Routers CLI Commands

# this is the Compliance Block

+ set snmp community read-write [read-write-community-name-string]

- set snmp community read-only public

Explanation:

The first line is considered as a comment as it does not begin with either "+" or "-".

The second line is also considered as a comment as it begins with a "#".

The third line is mandatory as it begins with "+".

The fourth line is disallowed as it begins with "-".

In the above example, read-write-community-name-string is a command value. The command value should not contain spaces.

Order Sensitive

Select this option to make the system consider the order of the commands while performing a compliance check.

In other words, the commands in the device config should appear in the same order as that of the CLI commands definition order in the Command Set.


If you want to preview the changes to the template command details before the template is created, click Preview. The changed template details are displayed in a window.

If you want to reset the changes click Reset.

If you want to know about the options and the functionality of Basic flow click Help.

You can perform a Compliance check without using the Conditional Block.

A message appears, Successfully created the template BaselineTemplateName.

Where BaselineTemplateName is the Template Name as given by you.

Step 7 Click OK.

The Baseline Templates window appears with the newly created Baseline template.


Creating a Basic Baseline Template - an Example

You want to create a baseline template to check if all Ethernet interfaces that are up and running have "10.77.*.*" IP Address configured with the subnet mask 255.255.255.128.

To perform this task, you must create a template that checks for the following compliances:

If there are interfaces that do not contain the shutdown command.

and

If all Ethernet interfaces are configured with IP address 10.77.*.* 255.255.255.128.

You can create a Basic Baseline Template by entering the condition check, as well as the compliance check.

To create a Basic Baseline Template for the above scenario:


Step 1 Select Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates window appears.

Step 2 Click Create.

The Select Creation Mode dialog box appears.

Step 3 In the Template Details section, select Basic as the mode.

Step 4 Enter the following information:

Field
Description

Name

Enter NewBaseline

NewBaseline is the name of the new template.

Description

Enter the following description:

This is a Basic Baseline template that checks if all Ethernet interface are up and running and have "10.77.*.*" IP address configured with the subnet mask 255.255.255.128

Device Type Selector

Check the Routers checkbox to select all routers.


Step 5 Click Next.

The Add Template Details dialog box appears.

Step 6 Select Check for compliance only if the following condition is satisfied so that you can enter the condition to be checked.

Step 7 Select Submode.

The textbox next to Submode is activated.

Step 8 Enter the following command in the Submode textbox:

interface [#Ethernet.*#]

Step 9 Enter the following Conditional CLI commands in the Conditional Block CLI command text area:

- shutdown

This command indicates that shutdown should not be present in the Ethernet interfaces.

Step 10 Go to Compliance Block.

The Use the SubMode of above condition option is selected automatically.

Step 11 Enter the following CLI commands in the Compliance Block CLI command text area:

+ ip address [#10\.77\..*\..*#] 255.255.255.128

This command helps you to ascertain if the specified IP addresses are configured on the Ethernet interfaces.

Step 12 Click Finish.

A message appears, Successfully created the template NewBaseline.

Where NewBaseline is the Template Name as entered by you.

Step 13 Click OK.

The Baseline Templates window appears with the newly created Baseline template.


Creating an Advanced Baseline Template

To create an Advanced Baseline template:


Step 1 Select Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates dialog box appears.

Step 2 Click Create.

The Select Creation Mode dialog box appears.

Step 3 Select Advanced as the mode from the Template Details section.

Step 4 Enter the following information:

Field
Description

Name

Name of the Baseline template.

You can enter up to 254 alphanumeric characters (including spaces). Do not enter any special characters, including underscores and hyphens.

Description

Description for the Baseline template. You can enter up to 254 characters.

Device Type Selector

Device family for which you can apply this template.

Check the check box to select the device family.


Step 5 Click Next.

The Add Template Details dialog box appears.

Step 6 Enter the following information:

Field
Description
Commandset Options

Name

Name of the commandset.

You can enter only alphanumeric characters up to 254 characters. Do not enter any special characters. This includes spaces, underscores and hyphens.

Parent

Enter the parent name for the commandset, if required. This is case sensitive.

You can also use this to logically group the commandsets.

For example: To work on ATM permanent virtual connections (PVCs) commands, you must first get into the interface mode from the global mode and then run the PVC specific-commands.

Commandset 1: ATM

interface [#atm.*#]

+ ip address [ip-addr] [net-mask]

Commandset 2: PVC

[#pvc.*#]

+ encapsulation aal5 [encap-type]

+ abr [output-pcr1] [output-mcr]

+ ubr [output-pcr2]

+ vbr-nrt [output-pcr3] [output-scr] [output-mbs]

+ vbr-rt [peak-rate] [average-rate] [burst]

+ protocol ip [proto-ip] [type]

+ exit

Here, commandset 1 is the parent for commandset 2.

When LMS evaluates the Baseline template, commandset1 is evaluated first and commandset2 is evaluated next. If either of these commandsets is missing, the template is considered non-compliant.

Prerequisite

Select the mandatory commandset name that you must enter before running the current commandset.

In the example (See Mark as Prerequisite row), if you had marked commandset 1 as the Prerequisite, you can select commandset 1: IntCheck from the drop-down menu.

Before running the commandset 2, the commandset 1 is run. That is, commandset1 is evaluated first and commandset2 is evaluated next.

If there is no commandset1 or commandset1 failed, commandset2 is not evaluated and the devices will be moved to excluded state. The template will be considered as non-compliant.

Mark as Prerequisite

1. Select the checkbox to mark a particular commandset as a prerequisite.

For example,

Commandset 1: IntCheck

interface [intname]

+ ip address [#10\.76\.38\..*#] [net-mask]

(To find a match for any octet in an IP address you must use \..*.)

2. Select the Mark as Prerequisite check box for the Commandset 1: IntCheck.

For example,

Commandset 2: IntDownload

interface [intname]

+ no cdp enable

3. Select the Prerequisite from the dropdown menu for the Commandset 2: IntDownload.

If a commandset has a Prerequisite commandset, you cannot select the Mark as Prerequisite check box for that particular commandset.

That is, in the above example, you cannot select the checkbox Mark as Prerequisite for Commandset 2:IntDownload.

CLI Commands

Submode

Enter the command to get into interface mode from the global mode.

For example: interface [intname]

Here, interface is a command keyword and intname is command value. The command value should not contain spaces.

You can also run the command for a set of interfaces.

For example: interface [#Ethernet.*#]

Here, the command will be executed on all the interfaces having Ethernet.

Ordered Set

Select this option to make the system consider the order of the commands while performing compliance check.

In other words, the commands in the device config should appear in the same order as that of the CLI commands definition order in the Command Set.

See, Behavior of Ordered Set for Access Lists for more details on the behavior of Ordered Set for Access Lists.

CLI Commands

Enter the CLI commands.

For example:

# Routers CLI Commands

+ set snmp community read-write [read-write-community-name-string]

- set snmp community read-only public

Explanation:

The first line is considered as a comment as it begins with a "#".

The second line is mandatory as it begins with "+".

The third line is disallowed as it begins with "-".

There should be a space between the commands and the "-" or "+". If there is no space, the commands are considered as comments and ignored.

In the above example, read-write-community-name-string is a command value. The command value should not contain spaces.


If you want to add a new commandset to the template click Add. The CLI Commands window is displayed with the default help comments. These help comments serve as guidelines to create commandsets.

If you want to delete a Commandset from the Command set list, click Delete.

If you want to preview the changes to the Commandset details before finishing the creation of the template, click Preview. The changed Commandset details are displayed in a window.

If you click Save, for the first time, the following message appears,
Do you wish to create a new template?.

If you click Save, for the second time, the following message appears,
Successfully updated the template BaselineTemplateName.


Note: If the commandsets include a Prerequisite commandset, these commandsets appear in red in the Preview details.


If you want to reset the changes made to a Commandset, click Reset.

Step 7 Click OK.

A message appears,

Successfully created the template BaselineTemplateName.

Where BaselineTemplateName is the name of the Baseline Template.

Step 8 Click OK.

If you want to add one more commandset repeat this procedure from Step 4.

Step 9 Click Finish.

A message appears,

Do you wish to save the changes?.

Step 10 Click OK.

A message appears,

Successfully created the template.

Step 11 Click OK.

The Baseline Configs window appears with all the available Baseline templates.


Creating an Advanced Baseline Template— Example

This section consists of two examples:

Example 1

Example 2

Example 1

This is a procedure to create a Baseline template to disable CDP on an interface that belongs to a specific subnet.


Step 1 Select Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates dialog box appears.

Step 2 Click Create.

The Select Creation Mode dialog box appears.

Step 3 Select Advanced and click Next.

The Create a Baseline dialog box appears.

Step 4 Enter the following information:

Field
User data

Template Name

DisablingCDP

You can enter up to 254 alphanumeric characters. Do not enter any special characters, except underscores.

Device Type

Routers

Description

Baseline Template for DisablingCDP

Commandset Option

Name

PrerequisiteCheck.

You can enter up to 254 alphanumeric characters. Do not enter any special characters including spaces, underscores and hyphens.

Parent

Global

Prerequisite

Do not select any value.

Mark as Prerequisite

Select the check box to mark the commandset as prerequisite.

CLI Commands

Submode

interface [intname]

Where, intname is a variable. The variables should not contain spaces.

Ordered Set

Select this so that the system orders commands while performing compliance check.

See Behavior of Ordered Set for Access Lists for more details.

CLI Commands

+ ip address [#10\.76\.38\..*#] [netmask]

To find a match for any octet in an IP address, you must use \.[0-9]{1,3}.

This checks for an IP address starting with 10.76.38. followed by a subnet mask.


Step 5 Click Save.

A message appears to say that the template will be created.

Step 6 Click OK.

A message appears to say that the template is created.

Step 7 Click OK.

To add another commandset to the same Baseline template, DisablingCDP, enter the following information.

Field
User Data
Commandset Option

Name

DisableCDP.

You can enter up to 254 alphanumeric characters. Do not enter any special characters. This includes spaces, underscores and hyphens.

Parent

Global

Prerequisite

Select the PrerequisiteCheck from the dropdown menu.

Mark as Prerequisite

Do not select the checkbox.

CLI Commands

Submode

interface [intname]

Ordered Set

Select this so that the system orders commands while performing compliance check.

CLI Commands

+ no cdp enable

This disables CDP on all the interfaces, even if only one interface has an IP address starting with 10.76.38.


Step 8 Click Save.

A message appears to say that the template is updated.

Step 9 Click OK.

Step 10 Click Finish.

A message appears to say that the template will be saved.

Step 11 Click OK.

A message appears to say that the template is updated.

Step 12 Click OK.

The Baseline Configs window appears with the details of the DisablingCDP Baseline template.
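The following added example (not Cisco's code and not part of the original chapter) models how the two commandsets of Example 1 evaluate against an archived configuration: the prerequisite is met as soon as one interface matches the 10.76.38. pattern, and the dependent commandset is then checked on every interface. The parser, the Commandset class and the sample configuration are constructed for illustration; treating a plain variable as one token without spaces, and skipping the dependent commandset when the prerequisite is not met, are assumptions of this model.

```python
import re

# Constructed sample of an archived router configuration (not from the page).
SAMPLE_CONFIG = """\
hostname rtr1
!
interface FastEthernet0/0
 ip address 10.76.38.5 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no cdp enable
!
interface Serial0/0
 ip address 172.16.0.1 255.255.255.252
!
line vty 0 4
 login
"""

# [#regex#] is a regular-expression value; [name] is a plain variable.
PLACEHOLDER = re.compile(r"\[#(.+?)#\]|\[(\w+)\]")


def line_regex(template_line):
    """Compile one template line into a regex for a whole configuration line."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template_line):
        parts.append(re.escape(template_line[pos:m.start()]))
        # Assumption: a plain variable stands for one token without spaces.
        parts.append("(?:%s)" % m.group(1) if m.group(1) else r"\S+")
        pos = m.end()
    parts.append(re.escape(template_line[pos:]))
    return re.compile("".join(parts))


def parse_submodes(config):
    """Map each top-level command to the indented commands beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None
        elif raw[0] == " ":
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


class Commandset:
    """Hypothetical in-memory model of one commandset from the template."""

    def __init__(self, name, submode, commands, prerequisite=None):
        self.name = name
        self.submode = line_regex(submode)
        self.commands = commands
        self.prerequisite = prerequisite

    def scope(self, blocks):
        """Submodes (here: interfaces) that the Submode line selects."""
        return [b for b in blocks if self.submode.fullmatch(b)]

    def satisfied(self, sub_commands):
        """True if every '+' command matches some line in the submode."""
        return all(any(line_regex(c).fullmatch(s) for s in sub_commands)
                   for c in self.commands)


def compliance_check(config, commandset):
    """Evaluate a commandset, honouring its prerequisite commandset."""
    blocks = parse_submodes(config)
    pre = commandset.prerequisite
    # The prerequisite is met as soon as ONE submode satisfies it.
    if pre is not None and not any(
            pre.satisfied(blocks[b]) for b in pre.scope(blocks)):
        return {"prerequisite_met": False, "non_compliant": [], "deploy": []}
    bad = [b for b in commandset.scope(blocks)
           if not commandset.satisfied(blocks[b])]
    deploy = []
    for b in bad:  # these commands carry no variables, so deploy them as-is
        deploy += [b] + [" " + c for c in commandset.commands]
    return {"prerequisite_met": True, "non_compliant": bad, "deploy": deploy}


# The two commandsets of Example 1, as entered in the procedure above.
PREREQUISITE_CHECK = Commandset(
    "PrerequisiteCheck", "interface [intname]",
    [r"ip address [#10\.76\.38\..*#] [netmask]"])
DISABLE_CDP = Commandset(
    "DisableCDP", "interface [intname]", ["no cdp enable"],
    prerequisite=PREREQUISITE_CHECK)

if __name__ == "__main__":
    result = compliance_check(SAMPLE_CONFIG, DISABLE_CDP)
    print("\n".join(result["deploy"]))
```

On the sample, Serial0/0 is reported as non-compliant although it is outside the 10.76.38. subnet, which is the behavior the last row of the table describes.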


Example 2

This is a procedure to create an Advanced Baseline Template to check the presence of the command "ip address 10.77.209.8 255.255.255.224" in the Ethernet interfaces that have CDP disabled.


Step 1 Select Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates dialog box appears.

Step 2 Click Create.

The Select Creation Mode dialog box appears.

Step 3 Select Advanced and click Next.

The Create a Baseline dialog box appears.

Step 4 Enter the following information:

Field
User Data

Template Name

CheckIPTemplate

You can enter up to 254 alphanumeric characters. Do not enter any special characters except underscores.

Device Type

Routers

Description

Baseline Template for Interface level check.

Commandset Option

Name

PrerequisiteCheck.

You can enter up to 254 alphanumeric characters. Do not enter any special characters including spaces, underscores and hyphens.

Parent

Do not enter anything.

Prerequisite

Do not select any value.

Mark as Prerequisite

Select the check box to mark the commandset as prerequisite.

CLI Commands

Submode

interface [#Ethernet.*#]

Ordered Set

Do not select the checkbox.

CLI Commands

+ no cdp enable


Step 5 Click Save.

A message appears to say that the template will be created.

Step 6 Click OK.

A message appears to say that the template is created.

Step 7 Click OK.

To add another commandset to the same Baseline template, CheckIPTemplate, enter the following information.

Field
User data
Commandset Option

Name

IPCheck.

You can enter up to 254 alphanumeric characters. Do not enter any special characters including spaces, underscores and hyphens.

Parent

PrerequisiteCheck

Prerequisite

Select the PrerequisiteCheck from the dropdown menu.

Mark as Prerequisite

Do not select the checkbox.

CLI Commands

Submode

Do not enter anything.

Ordered Set

Do not select the checkbox.

CLI Commands

+ ip address 10.77.209.8 255.255.255.224

The above command will be deployed on the Ethernet interfaces that have CDP disabled.


Step 8 Click Save.

A message appears to say that the template is updated.

Step 9 Click OK.

Step 10 Click Finish.

A message appears to say that the template will be saved.

Step 11 Click OK.

A message appears to say that the template is updated.

Step 12 Click OK.

The Baseline Configs window appears with the details of CheckIPTemplate Baseline template.


Behavior of Ordered Set for Access Lists

1. Create a baseline template with a few commands and the Ordered Set option checked.

2. Compare the configurations in the device with the baseline template, to check for compliance.

The commands available in the device are compared in the same order as they appear in the Baseline template.

3. If the commands found in the device are not compliant with the Baseline template, the same configlet commands available in the device are negated first and then the commands available in the Baseline template are deployed on the device.

This is the recommended behavior for Access lists. This behavior is also supported by the submodes.
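The following added example (not Cisco's code and not part of the original chapter) shows why an ordered comparison matters for access lists and what the remediation described in step 3 looks like. The ACL lines are constructed; identifying "the same configlet" by the access-list prefix, the order-blind comparison shown for contrast, and the minimal first-match evaluator are assumptions made for illustration.

```python
# Constructed access lists for illustration (not from the page).
TEMPLATE = [
    "access-list 101 deny tcp any any eq 23",
    "access-list 101 permit ip any any",
]
DEVICE = [
    "access-list 101 permit ip any any",
    "access-list 101 deny tcp any any eq 23",
]


def negate(cmd):
    """IOS-style negation: prefix 'no ', or strip it if already present."""
    return cmd[3:] if cmd.startswith("no ") else "no " + cmd


def configlet(device_cmds, template_cmds):
    """Device commands that belong to the same access list as the template.

    Assumption: the configlet is identified by the 'access-list <id>' prefix.
    """
    keys = {" ".join(c.split()[:2]) for c in template_cmds}
    return [c for c in device_cmds if " ".join(c.split()[:2]) in keys]


def ordered_check(device_cmds, template_cmds):
    """Return (compliant, commands_to_deploy) for an Ordered Set commandset."""
    current = configlet(device_cmds, template_cmds)
    if current == list(template_cmds):
        return True, []
    # Step 3: negate the device's configlet first, then deploy the template.
    return False, [negate(c) for c in current] + list(template_cmds)


def unordered_check(device_cmds, template_cmds):
    """Order-blind comparison, shown only for contrast with ordered_check."""
    return set(template_cmds) <= set(device_cmds)


def first_match(acl, proto, dport):
    """Minimal first-match evaluation of an access list.

    Supports only 'access-list N ACTION PROTO any any [eq PORT]' entries.
    """
    for line in acl:
        tok = line.split()
        action, rule_proto = tok[2], tok[3]
        port = int(tok[7]) if len(tok) > 7 and tok[6] == "eq" else None
        if rule_proto in ("ip", proto) and port in (None, dport):
            return action
    return "deny"  # implicit deny at the end of every access list


if __name__ == "__main__":
    compliant, deploy = ordered_check(DEVICE, TEMPLATE)
    print("order-blind comparison passes:", unordered_check(DEVICE, TEMPLATE))
    print("ordered comparison passes:", compliant)
    print("Telnet on device ACL:", first_match(DEVICE, "tcp", 23))
    print("Telnet on template ACL:", first_match(TEMPLATE, "tcp", 23))
    print("\n".join(deploy))
```

Both lists contain the same two entries, but the device permits Telnet because the permit entry is matched first; only the ordered comparison reports the device as non-compliant.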

Importing a Baseline Template

You can import a template as Baseline template. The imported file must be in XML format.

The default path in the LMS Server from which the XML file is imported is

NMSROOT\files\rme\dcma\baselinetemplates (On Windows)

/var/adm/CSCOpx/files/rme/dcma/baselinetemplates (On Solaris and Soft Appliance)

Where, NMSROOT is the LMS installed directory.

You cannot change the default import path in the LMS Server. If you do so, an error message will be displayed.

To import a Baseline Template:


Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.



Step 1 Select Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates dialog box appears.

Step 2 Select a Baseline template and click Import.

The Import a Baseline Template dialog box appears.

Click Browse.

The Server Side File Browser dialog box appears.

Step 3 Select the XML file.

Step 4 Click OK in the Server Side File Browser dialog box.

Step 5 Click OK.

A message appears, Template successfully imported.

Step 6 Click OK.

The imported file appears in the Baseline Templates window with the description, Imported baseline.


Running Compliance Check

To run a compliance check:


Step 1 Select Configuration > Compliance > Compliance Templates > Compliance Check.

The Baseline Templates dialog box appears.

Step 2 Select the template and click Compliance Check.

The Select Devices dialog box appears.

Step 3 Select either:

Device Selector, if you want to schedule a job for a static set of devices. See Inventory Management with Cisco Prime LAN Management Solution 4.1 for information on how to use the Device Selector.

Or

Group Selector, if you want to schedule a job for a dynamic group of devices.

The job is scheduled only for the devices that are present in the selected group at the time when the job is run. The customizable group selector for jobs evaluates static groups also as dynamic during run time.

Step 4 Click Next.

The Schedule dialog box appears.

Step 5 Enter the following information:

Field
Description
Scheduling

Run Type

You can specify when you want to run the Baseline template compliance job.

To do this, select one of these options from the drop-down menu:

Immediate—Runs this task immediately.

Once—Runs this task once at the specified date and time.

Daily—Runs daily at the specified time.

Weekly—Runs weekly on the specified day of the week and at the specified time.

Monthly—Runs monthly on the specified day of the month and at the specified time.

The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.

For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed.

If the 10:00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3.

Date

You can select the date and time (hours and minutes) at which to schedule.

The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.

Job Info

Job Description

Enter a description for the job. This is mandatory. You can enter only alphanumeric characters.

E-mail

Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.

You can enter multiple e-mail addresses separated by commas.

Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences).

We recommend that you configure the LMS E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the LMS E-mail ID as the sender's address.

Attachment

Check this option if you want the job notification mail to consist of attachments in either CSV or PDF format.

Select either:

CSV if you want the attachment in CSV format.

Or

PDF if you want the attachment in PDF format. This is the default format.

The CSV and PDF radio options will be enabled only if the Attachment checkbox is checked.

If the Attachment option is disabled, go to Admin > System > System Preferences to change the settings. For more information on configuring attachment settings as well as the maximum size of attachments allowed in notification mails, see Administration Online Help.

Job Options

Check compliance and deploy

Enable this to check the compliance of the archived file with that of the Baseline template and deploy the commands if it is non-compliant. This option is not supported for Group selector.

Copy Running Config to Startup

This option is active only if you select the Check compliance and deploy option.

Select to make the job write the Running configuration to the Startup configuration on each device after configuration changes are made successfully.

Does not apply to Catalyst OS devices.

Job Password

If you have enabled the Job Password option and disabled the User Configurable option in the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies) enter the device login user name and password and device Enable password.

If you have enabled the Enable Job Password option and enabled the User Configurable option in the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies) either:

Enter the device login user name and password and device Enable password

Or

Disable the Job Password option in the Job Schedule and Options dialog box.


Step 6 Click Next.

The Job Work Order window appears with the job details that you have selected.

Step 7 Click Finish.

A message appears, Job JobID is created successfully.

Where JobID is a unique Job number.

Step 8 Click OK.

You can check the status of your scheduled job by selecting Configuration > Job Browsers > Configuration Archive.



Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this compliance check task.


The compliance check job requires approval if you have enabled Job Approval during the compliance check job scheduling.

For further details on the baseline template, see Understanding the Baseline Compliance Report.

Understanding the Baseline Compliance Report

The Baseline Compliance Report contains the following information:

Field Name
Description
Summary

Template Name

Name of the Baseline template entered at the time of creating the Baseline template.

Number of Non-Compliant devices

Number of devices that are non-compliant.

Number of Compliant devices

Number of devices that are compliant.

Number of Excluded devices:

List of devices in which the job did not run. The jobs may have failed either because:

The device configuration was not archived.

Or

The device was not reachable.

Further details of the failed job are given in the Configuration > Job Browsers > Configuration Archive (See Using Configuration Archive Job Browser).

Compliant Devices

Device Name

Device Display Name as entered in Device and Credential Repository.

Latest Version

Version of configuration file against which the compliance was checked.

Click on the version to display Config Viewer (see Understanding the Config Viewer Window). This shows the contents of the corresponding configuration file against which the compliance was checked.

Created On

Date and time at which the configuration file was created.

Non-Compliant Devices

Device Name

Device Display Name as entered in Device and Credential Repository.

Latest Version

Version of configuration file against which the compliance was checked.

Click on the version to display Config Viewer (see Understanding the Config Viewer Window). This shows the contents of the corresponding configuration file against which the compliance was checked.

Created On

Date and time at which the configuration file was created.

Commands to Deploy

Lists the commands where the device configuration is non-compliant.

Excluded Devices

Device Name

Device Display Name as entered in Device and Credential Repository.

Reason for Exclusion

Displays the cause for exclusion.


In addition, this report contains two buttons:

Button
Description

Export to File

(Icon)

Exports this report in either PDF or CSV format.

Print

(Icon)

Generates a format that can be printed.


Deploying a Baseline Template

When you add a new device of the same type to the network, you can use the existing Baseline template. This template consists of two parts, command and values.

You can create configurations for any device of the same type in the network by specifying the values for the variables in the Baseline template.

You can deploy Baseline template on the devices in two ways:

User Interface (See Deploying a Baseline Template Using User Interface for the procedure.)

File System (See Deploying a Baseline Template Using File System for the procedure.)

View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.

The deployment job requires approval if you have enabled Job Approval during the deployment job scheduling.

Deploying a Baseline Template Using User Interface

To deploy a Baseline template using User Interface:


Step 1 Select Configuration > Compliance > Compliance Templates > Direct Deploy.

The Baseline Templates dialog box appears.

Step 2 Select a Baseline template and click Deploy.

The Deploy Input Options dialog box appears.

Step 3 Select Enter Data From User Interface and click Next.

The Select Devices dialog box appears.

The device list contains only devices of the device type selected while creating the Baseline Template.

For example, if you have selected Device Type as Router, only routers are listed.

Step 4 Select devices under the following tabs:

In the All tab,

Devices are grouped under All Applicable Devices and All Applicable Device Groups. All Applicable Device Groups categorizes devices under Routers, Switches, and so on.

In the Search Results tab,

The results of simple search and advanced search are listed here.

In the Selection tab,

All the devices that are selected are listed and you can deselect the devices.

Step 5 Click Next.

The Commands Generation dialog box appears.

Step 6 Perform the following tasks:

Field Name
Description and Action

Device list

This pane lists the devices that you have selected in the Select Devices dialog box.

Select the device for which you want to deploy the Baseline template.

Edit

Select a device from the device drop down list and click Edit to edit information for the device.

Save

Click Save to save the changes made for the selected device.

You can change the details for multiple devices in one go, by using the Save button.

Device

The selected device in the Device List pane is displayed in this text box.

Commandsets

The pane contains all the commandsets that are defined in the Baseline template.

Select a commandset.

While creating the Baseline template, if you have defined the multiple occurrences as the commandset feature, after selecting that particular commandset, the Add Instance button is activated.

Add Instance

This button is active only if you have selected a commandset with multiple occurrences.

The occurrences of a commandset are defined while creating the Baseline template.

When you click on the Add Instance button, one more instance of multiple commandset is added in the Commandsets pane.

Enter the command value for that commandset in the Device Data pane.

Delete Instance

Use the Delete Instance button to delete the instance after selecting the instance from the Commandsets pane. You can select one or more instances and click on the Delete Instance button to delete the instances.

You can delete the selected instances as long as at least one instance of the commandset remains available.

Templates

The pane contains the CLI commands for the selected commandset.

You cannot modify the commands in this pane.

Device Data

The field displays the command values that you have defined in your Baseline template.

The command value is appended with a unique number.

Enter the command value.

For example: If your Baseline template contains this command:

Interface [#Ethernet[.*]#]

+ no shutdown

Then, #Ethernet[.*]# is the command value.

The Device Data field names appear as:

#Ethernet.*[0]

If the commandset is a prerequisite commandset, you do not need to specify parameter values for the Device data field as they are not deployed.


Step 7 Click Next.

The Job Schedule dialog box appears.

Step 8 Enter the following information:

Field
Description
Scheduling

Run Type

You can specify when you want to run the Baseline template deploy job.

To do this, select one of these options from the drop-down menu:

Immediate—Runs this task immediately.

Once—Runs this task once at the specified date and time.

Daily—Runs daily at the specified time.

Weekly—Runs weekly on the specified day of the week and at the specified time.

Monthly—Runs monthly on the specified day of the month and at the specified time.

The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.

For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed.

If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3.

Date

You can select the date and time (hours and minutes) to schedule the job.

The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.

Job Info

Job Description

Enter a description for the job. This is mandatory. You can enter only alphanumeric characters.

E-mail

Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.

You can enter multiple e-mail addresses separated by commas.

Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences).

We recommend that you configure the LMS E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the LMS E-mail ID as the sender's address.

Job Options

Approver Comments

Enter comments for the job approver.

This field appears only if you have enabled job approval for Configuration Archive.

Maker E-Mail

Enter the e-mail-ID of the job creator. This is a mandatory field.

This field appears only if you have enabled job approval for Configuration Archive.

Copy Running Config to Startup

Select to cause the job to write the running configuration to the startup configuration on each device after configuration changes are made successfully.

Does not apply to Catalyst OS devices.

Job Password

If you have enabled the Enable Job Password option and disabled the User Configurable option in the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies) enter the device login user name and password and device Enable password.

If you have enabled the Enable Job Password option and enabled the User Configurable option in the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies) either:

Enter the device login user name and password and device Enable password

Or

Disable the Job Password option in the Job Schedule and Options dialog box.


Step 9 Click Next.

The Work Order dialog box appears with job details that you have entered.

Step 10 Click Finish.

A message appears, Job JobID is created successfully.

Where JobID is a unique Job number.

Step 11 Click OK.

You can check the status of your scheduled job using Configuration > Job Browsers > Configuration Archive. The Job Type for this deploy job is Deploy Baseline template result.


Deploying a Baseline Template Using File System

You can deploy a Baseline template using the Baseline Parameter file.

The parameter file specifies the variable values for template deployment. To generate the parameter file:


Step 1 Select Configuration > Compliance > Compliance Templates > Templates.

Step 2 Click the hyperlink of the required template. The Baseline Config Viewer popup appears.

Step 3 Click Generate Param File. A popup appears.

Step 4 Click Browse to specify the folder with the parameter file.


See Exporting a Baseline Template for further information.

To deploy a Baseline template using File System:


Step 1 Select Configuration > Compliance > Compliance Templates > Direct Deploy.

The Baseline Templates dialog box appears.

Step 2 Select a Baseline template and click Deploy.

The Deploy Input Options dialog box appears.

Step 3 Select Enter Data From File System and click Next.

The Select Input File dialog box appears.

Step 4 Enter the folder name and the file name with the file format extension XML.

or

a. Click Browse.

The Server Side File Browser dialog box appears.

b. Select the XML file.

c. Click OK.

The Select Input File dialog box appears with the selected Baseline Parameter file.

Step 5 Click Next.

The Job Schedule dialog box appears.

Step 6 Enter the following information:

Field
Description
Scheduling

Run Type

You can specify when you want to run the Baseline template deploy job.

To do this, select one of these options from the drop-down menu:

Immediate—Runs this task immediately.

Once—Runs this task once at the specified date and time.

Daily—Runs daily at the specified time.

Weekly—Runs weekly on the specified day of the week and at the specified time.

Monthly—Runs monthly on the specified day of the month and at the specified time.

The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.

For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed.

If the 10:00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3.

Date

You can select the date and time (hours and minutes) to schedule the job.

The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.

Job Info

Job Description

Enter a description for the job. This is mandatory. You can enter only alphanumeric characters.

E-mail

Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.

You can enter multiple e-mail addresses separated by commas.

Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences).

We recommend that you configure the LMS E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the LMS E-mail ID as the sender's address.

Job Options

Approver Comments

Enter comments for the job approver.

This field appears only if you have enabled job approval for Configuration Archive.

Maker E-Mail

Enter the e-mail-ID of the job creator. This is a mandatory field.

This field appears only if you have enabled job approval for Configuration Archive.

Copy Running Config to Startup

Select to make the job write the Running configuration to the Startup configuration on each device after configuration changes are made successfully.

Does not apply to Catalyst OS devices.

Job Password

If you have enabled the Enable Job Password option and disabled the User Configurable option in the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies) enter the device login user name and password and device Enable password.

If you have enabled the Enable Job Password option and enabled the User Configurable option in the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies) either:

Enter the device login user name and password and device Enable password

Or

Disable the Job Password option in the Job Schedule and Options dialog box.


Step 7 Click Next.

The Work Order dialog box appears with job details that you have entered.

Step 8 Click Finish.

A message appears, Job JobID is created successfully.

Where JobID is a unique Job number.

If you have specified incorrect filename/XML file format or if the hostname field is not updated, an error message appears, Specified file could not be read. Please specify a valid file name.

See Exporting a Baseline Template for further information.

Check the XML file format or update the hostname field and restart this procedure from Step 2.

Step 9 Click OK.

You can check the status of your scheduled job using Configuration > Job Browsers > Configuration Archive. The Job Type for this deploy job is Deploy Baseline template result.


Using Compliance and Deploy Jobs Window

You can check the status of the Baseline jobs using Configuration > Compliance > Compliance Templates > Jobs.

This section contains:

Deploying the Commands

Deleting the Compliance Jobs

This window contains the following information:

Field Name
Description

Job ID

Unique number assigned to the job when it is created.

For periodic jobs such as Daily, Weekly, the job IDs are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the job ID 1001.

Description

Job description entered during job definition.

Compliant/Deployed Devices

Displays the number of devices that are compliant out of the total number of devices that were selected while creating the compliance job.

Click on the link to view the Baseline Compliance Report (see Understanding the Baseline Compliance Report).

Status

Status of the job. The states can be Successful, Failed, and Running.

The jobs may have failed either because:

The device configuration is not archived.

Or

The device is not reachable.

Further details of the failed job are given in the Configuration > Job Browsers > Configuration Archive.

You can also check the status of the Baseline job at Configuration > Job Browsers > Configuration Archive.


The Baseline Jobs window contains the following buttons:

Buttons
Description

Deploy

You can schedule a job to deploy the standard configuration on all non-compliant devices.

This button is active only after selecting a Job.

See Deploying the Commands.

Retry

You can reschedule a failed job using this button.

This button is active only on selecting a Failed job.

Reschedule the deployment job by providing the required information.

Delete

You can delete the compliance jobs.

This button is active only after selecting a Compliance Job.

See Deleting the Compliance Jobs.

Refresh

(Icon)

Click on this icon to refresh the Compliance Jobs Window.


For use cases and examples on Baseline Templates, refer to the Baseline Template Whitepaper.

Deploying the Commands

You can deploy the commands on the devices that are non-compliant.

Before you use the Deploy button, you must run the Compliance Report.

If there are any non-compliant devices, you must select the relevant compliance job and deploy the baseline template.

If there are no non-compliant devices and you click the Deploy button, a message appears:

Could not deploy selected Job.
Reason: No Non-Compliant devices present in the report.

Click on the Job ID to view the Baseline Compliance Report. See Understanding the Baseline Compliance Report for further details.


Note View Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.


To deploy the commands:


Step 1 Select Configuration > Compliance > Compliance Templates > Jobs.

The Baseline Jobs dialog box appears.

Step 2 Select a Compliance Job.

Step 3 Click Deploy.

The Substitute Parameters for Devices dialog box appears.

Step 4 Perform the following:

Field Name
Description and Action

Device list

The list contains all the devices which are non-compliant.

Select a device.

Device

The selected device in the Device List pane appears in this text box.

Commandsets

The pane contains all the commandsets that are defined in the Baseline template.

In the Baseline template, if you have defined the multiple occurrences as the commandset feature then based on the compliance check, the commandset will appear more than once.

Select a commandset.

Templates

The pane contains the CLI commands for the selected commandset.

You cannot modify the commands in this pane.

Device Data

The field displays the command values that you have defined in your Baseline template.

The command value is appended with a unique number.

Enter the command value.

For example: If your Baseline template contains this command:

+ ip address [#10\.76\.38\..*#] [netmask]

Then, #10\.76\.38\..*# and netmask are the command values.

The Device Data field names appear as:

#10\.76\.38\..*#[1000]

netmask[1000]


If you have more than one device to deploy then you have to repeat Step 4 for all the devices.

Step 5 Click Next.

The Job Schedule dialog box appears.

Step 6 Enter the following information:

Field
Description
Scheduling

Run Type

You can specify when you want to run the deploy configuration job.

To do this, select one of these options from the drop-down menu:

Immediate—Runs this task immediately.

Once—Runs this task once at the specified date and time.

Date

You can select the date and time (hours and minutes) to schedule.

The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.

Job Info

Job Description

Enter a description for the job. This is mandatory. You can enter only alphanumeric characters.

E-mail

Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.

You can enter multiple e-mail addresses separated by commas.

Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin > System > System Preferences).

We recommend that you configure the LMS E-mail ID in the View / Edit System Preferences dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with the LMS E-mail ID as the sender's address.

Attachment

Check this option if you want the job notification mail to consist of attachments in either CSV or PDF format.

Either select:

CSV if you want the attachment in CSV format.

Or

PDF if you want the attachment in PDF format. This is the default format.

The CSV and PDF radio options will be enabled only if the Attachment checkbox is checked.

If the Attachment option is disabled, go to Admin > System > System Preferences to change the settings. For more information on configuring attachment settings as well as the maximum size of attachments allowed in notification mails, see Administration Online Help.

Job Options

Approver Comments

Enter comments for the job approver.

This field appears only if you have enabled job approval for Configuration Archive.

Maker E-Mail

Enter the e-mail ID of the job creator. This is a mandatory field.

This field appears only if you have enabled job approval for Configuration Archive.

Copy Running Config to Startup

Select this option to make the job write the Running configuration to the Startup configuration on each device after the configuration changes are made successfully.

Does not apply to Catalyst OS devices.

Job Password

If you have enabled the Enable Job Password option and disabled the User Configurable option in the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies), enter the device login user name and password and the device Enable password.

If you have enabled the Enable Job Password option and enabled the User Configurable option in the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies), either:

Enter the device login user name and password and the device Enable password

Or

Disable the Job Password option in the Job Schedule and Options dialog box.


Step 7 Click Next.

The Work Order dialog box appears with job details that you have entered.

Step 8 Click Finish.

A message appears, Job ID is created successfully.

Where ID is a unique Job number.

Step 9 Click OK.

You can check the status of your scheduled job using Configuration > Job Browsers > Configuration Archive. The Job Type for this deploy job is Deploy Baseline comparison result.
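
The following sketch is an added example, not part of LMS or of the original chapter. It shows how the command values listed in the Device Data field (Step 4) can be read from the template command above and how the resulting command can be checked against configuration lines. It assumes that a leading + means the command must be present and a leading - means it must be absent, and that a value written as [#...#] is a regular expression; the function names and the sample configurations are constructed for illustration, and the unique number appended to each field name is not modelled.

```python
import re

# One bracketed command value: [#regex#] or [plain variable name]
VALUE = re.compile(r"\[#(?P<regex>.+?)#\]|\[(?P<name>[^\[\]]+)\]")

def command_values(template_line):
    """Return the command values as the Device Data field lists them."""
    return [m.group("name") or "#%s#" % m.group("regex")
            for m in VALUE.finditer(template_line)]

def to_pattern(command, device_data):
    """Literal text is escaped, [#...#] is used as a regular expression,
    and a plain variable takes the value entered in device_data."""
    parts, pos = [], 0
    for m in VALUE.finditer(command):
        parts.append(re.escape(command[pos:m.start()]))
        if m.group("regex") is not None:
            parts.append("(?:%s)" % m.group("regex"))
        else:
            parts.append(re.escape(device_data[m.group("name")]))
        pos = m.end()
    parts.append(re.escape(command[pos:]))
    return re.compile("".join(parts))

def is_compliant(template_line, config_lines, device_data):
    """Assumption: '+' requires the command, '-' forbids it."""
    sign, command = template_line[0], template_line[1:].strip()
    pattern = to_pattern(command, device_data)
    present = any(pattern.fullmatch(line.strip()) for line in config_lines)
    return present if sign == "+" else not present

# Template command from the chapter; everything below it is constructed.
TEMPLATE = r"+ ip address [#10\.76\.38\..*#] [netmask]"
DATA = {"netmask": "255.255.255.0"}
CONFIG_OK = ["interface Vlan1", " ip address 10.76.38.12 255.255.255.0"]
CONFIG_BAD = ["interface Vlan1", " ip address 10.76.39.12 255.255.255.0"]

if __name__ == "__main__":
    print(command_values(TEMPLATE))
    for name, cfg in (("CONFIG_OK", CONFIG_OK), ("CONFIG_BAD", CONFIG_BAD)):
        print(name, "compliant:", is_compliant(TEMPLATE, cfg, DATA))
```
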


Deleting the Compliance Jobs

You can delete jobs that have been completed or stopped. You cannot delete a running job.


Note: View the Permission Report (Reports > System > Users > Permission) to check if you have the required privileges to perform this task.


To delete Compliance jobs:


Step 1 Select Configuration > Compliance > Compliance Templates > Jobs.

The Compliance Jobs dialog box appears.

Step 2 Select a job and click Delete.

A message appears, The selected job will be deleted.

Step 3 Click OK.

The selected Compliance job is removed from the Compliance Jobs window.


You can also delete the compliance jobs from the Configuration > Job Browsers > Configuration Archive window (see Using Configuration Archive Job Browser).