Table Of Contents
Using Baseline Templates to Check Configuration Compliance
What is a Baseline Template?
Features of Baseline Templates
Baseline Template Management Window
Editing a Baseline Template
Exporting a Baseline Template
Deleting a Baseline Template
Creating a Baseline Template
Creating a Basic Baseline Template
Creating a Basic Baseline Template - an Example
Creating an Advanced Baseline Template
Creating an Advanced Baseline Template— Example
Importing a Baseline Template
Running Compliance Check
Understanding the Baseline Compliance Report
Deploying a Baseline Template
Deploying a Baseline Template Using User Interface
Deploying a Baseline Template Using File System
Using Compliance and Deploy Jobs Window
Deploying the Commands
Deleting the Compliance Jobs
Using Baseline Templates to Check Configuration Compliance
This chapter contains the following:
•
What is a Baseline Template?
•Features of Baseline Templates
•Baseline Template Management Window
•Running Compliance Check
•Deploying a Baseline Template
•Using Compliance and Deploy Jobs Window
What is a Baseline Template?
Baselining refers to identifying a set of standardized policy based commands that you would want to have on a set of devices. You can create a Baseline template which is a set of commands identified through the baselining process. This template contains placeholders for device-specific values to be substituted.
For example:
set vtp domain [name] password [xxx]
set snmp community read-write [Read write community string]
Where name, xxx and Read write community string are variables that are substituted with the values you provide.
You can compare the Baseline template with the configuration of devices in the archive. You can also generate a non-compliance configuration report and deploy this template onto the devices to make it compliant. You can deploy a Baseline template to a group of devices by just scheduling one job.
When you add a new device of the same type to the network, you can use the existing Baseline template, which consists of two parts, command and values. You can create configurations for any device of the same type to the network by specifying the values for the variables in the Baseline template.
Features of Baseline Templates
The features of Baseline templates are:
•You can use this Baseline template to compare with other device configuration and generate a report that lists all the devices which are non-compliant to the Baseline template.
•You can easily deploy the Baseline template to the same category of devices in the network.
•You can schedule a compliance check job and deploy the Baseline template onto the non-compliant devices. This can be performed as a single job or as a separate job.
•You can import or export a Baseline template. This template is stored in XML format.
The rules for specifying the Baseline templates are:
•All the commands that are disallowed should begin with a "-".
•All commands that are mandatory should begin with a "+".
•All comment entries should begin with a "#".
•Commands that do not begin with (- or +) are considered as comments and ignored.
•The command values can be a wildcard match.
+ ip address [ip-address] [netmask]
+ ip address [#10\.76\.38\..*#] [netmask]
+ ip address [#10\.72\..*\..*#] [netmask]
To find a match for any octet in an IP address you must use \..*.
In the examples shown above, the command will apply for all the devices with the IP address starting with 10.76.38.* [netmask] and 10.72.*.* [netmask].
•The regular expressions must be enclosed with #.
For example:
snmp-server location [#.*#]
This command will fail compliance check for snmp-server location loc1 loc2 loc3, because the check will be performed only for one word after snmp-server location.
To overcome this, you have to define the command as:
+ [# snmp-server location .*#]
Then the compliance check will be performed for all forms of snmp-server commands like snmp-server location loc1 loc2.....n,etc.
•Negation in Regular expressions :
Example 1: When there are more than one entry in the configuration files.
Let us say, the commands in the device configuration are:
logging name1
logging name2
logging name3
The command available in the template is:
+logging [#!name1#]
Based on the commands in the template, the negation of the name1 is done. This returns true as there are other logging commands present with other names. So the template is compliant.
Example 2: When there is only one entry in the device configuration file.
Let us say, the command in the device configuration is:
logging name1
The command available in the template is:
+logging [#!name1#]
Based on the commands in the template, the negation of the name1 is done. This returns False, as there is no other command in the device configuration file with logging statement except logging name1. So the template is non-compliant.
Example 3: When there are no logging commands in the device configuration files.
Let us say, the command in the device configuration is:
No logging commands
The command available in the template is:
+ logging [# !name1 #]
Based on the commands in the template, the negation of the name1 is done. This returns False, as there are no login commands. So the template is non-compliant.
•The Baseline template uses java.util.regex engine for regular expressions. For more information, see the regex API guide for Java 1.4.2 from Sun:
http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
•Submode commands are provided only if the commands are to be compared inside a submode.
For example:
interface [#Ethernet.*#]
+ no shutdown
The no shutdown command will apply to all Ethernet interfaces.
Defining Commandsets
The commandsets are a set of one or more CLI commands. You can define a commandset while creating a Baseline template in the Advanced mode.
The features of the commandsets are:
•If the commands in commandset are in a submode (ip/interface etc.) a submode command must be specified for such a commandset.
•Commandsets can have one or more child commandsets.
•Child commandsets inherit parent's sub-mode command.
You can define commandsets that have to be checked before running the actual commands.
The features of the prerequisite commandsets are:
•A commandset can have another commandset as its prerequisite.
•A prerequisite commandset is used only for comparison and is not deployed onto the device.
•A commandset is compared with the config only if its prerequisite condition is satisfied.
The RME evaluates the commandsets in different ways depending on whether you have defined the commandset as Parent or Prerequisite.
For example assume that you have defined two commandsets, commandset1 and commandset2:
•Commandset defined as Prerequisite
commandset1 as the Prerequisite of commandset2. While RME evaluates the Baseline template, commandset1 is evaluated first and commandset2 is evaluated next.
If commandset1 does not contain submode and is not present in a device, then commandset2 is not evaluated and the device is displayed in excluded list in compliance report.
If commandset1 contains submode and is not present in applicable submodes, then commandset2 is not evaluated and the device is displayed in excluded list in compliance report.
•Commandset defined as Parent
commandset1 as the Parent of commandset2. While RME evaluates the Baseline template, commandset1 is evaluated first and commandset2 is evaluated next.
If either of these commandsets is missing, the template is considered non-compliant.
Baseline Template Management Window
To access the Baseline Template Management Window go to RME > Config Mgmt > Compliance Mgmt > Template Mgmt
This window lists all the user-defined Baseline templates. It also displays the following details of the Baseline template:
Column Name
|
Description
|
Name
|
Name of the Baseline template.
The following template examples are displayed, by default:
•CISF_DHCP_Snooping—Template for Catalyst Integrated Security Feature
•TemplateExample1—Basic template with Regular expression
•TemplateExample2—Advanced template with Submode and Parent, child options
•TemplateExample3—Advanced template with prerequisite options
•TemplateExample4—Advanced template with ordered set options
•VRFCompliance—Template for VRF Compliance
Click the template name to view the command sets. For more information, see Command Sets.
|
Device Type
|
Type of the device for which the defined Baseline template can be used.
|
Description
|
Description of the Baseline template.
If you have imported Baseline templates, the description given is Imported baseline.
|
Created On
|
Displays the Baseline template creation date and time.
|
You can click on any column to sort the information by that column. If you double-click a heading, the order is reversed.
This window contains the following buttons:
Command Sets
To view the template command sets:
Step 1 Go to RME > Config Mgmt > Compliance Mgmt > Template Mgmt.
The Baseline Templates window appears, displaying the list of all the user-defined Baseline templates.
Step 2 Click the template name. For example, CISF_DHCP_Snooping.
The BaseLine Config Viewer window appears, displaying the command sets used in the template.
Table 9-1 provides information on the command sets used in the template examples.
Table 9-1 Command Sets
Template
|
Command Sets
|
CISF_DHCP_Snooping
|
Name: Commands SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none
+ ip dhcp snooping
|
TemplateExample1
|
Name: Commands SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none
+ snmp-server community [#.*#] RW
|
TemplateExample2
|
Name: Global SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset : none Parent: none
Name: parent SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none policy-map V3PN-teleworker
Name: child SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: parent class VOICE
+ priority 64
|
TemplateExample3
|
Name: Global SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none
Name: prereq SubMode: No isPrerequisite: Yes Ordered: No Prerequisite-Commandset: none Parent: none
+ class-map match-all GOLD
Name: parent SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: prereq Parent: none policy-map GSB_Policy
Name: child SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: parent class GOLD
+ bandwidth percent 25
|
TemplateExample4
|
Name: Global SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none
Name: acceslist SubMode: No isPrerequisite: No Ordered: Yes Prerequisite-Commandset: none Parent: none
+ access-list 101 deny tcp 10.77.209.0 0.0.0.255 any
+ access-list 101 deny tcp any gt 1023 host 10.1.1.1 eq 23
+ access-list 101 permit ip any any
|
VRFCompliance
|
Name: Commands SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none Parent: none interface [#.*#]
+ ip vrf forwarding [#red|green|blue#]
|
Editing a Baseline Template
You can edit all Baseline template fields except for Template Name.
Note View Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
To edit the Baseline templates:
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Template Mgmt.
The Baseline Templates dialog box appears.
Step 2 Select a Baseline template.
Step 3 Click Edit.
The Select Creation Mode dialog box appears. The mode that you have selected while creating the Baseline template is retained. You cannot change this mode.
•You can provide a description in the Description text field.
•You can select or deselect devices in the Device Type Selector listbox.
Step 4 Click Next.
The Add Template Details dialog box appears.
Step 5 Select the commandset which you want to edit.
Step 6 Edit the required information.
See Creating an Advanced Baseline Template for more information on field descriptions for the fields that appear in the Add Template Details dialog box.
Step 7 Click Finish.
A message appears, Template is modified. Do you wish to save the changes?
Step 8 Click OK.
A notification appears, Successfully updated the template BaselineTemplateName.
Step 9 Click OK to save changes.
Exporting a Baseline Template
You can export a Baseline template. The exported file is in XML format.
Note View Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
To export a Baseline Template:
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Template Mgmt.
The Baseline Templates dialog box appears.
Step 2 Select one or many Baseline templates and click Export.
The Export a Baseline Template dialog box appears.
Step 3 Either:
•Enter the folder name. The file will be exported on the RME server.
or
a. Click Browse.
The Server Side File Browser dialog box appears.
b. Select a folder.
c. Click OK.
Step 4 Click OK.
A message appears, Template exported as \User_Specificed_Directory\Template Name.xml
The naming convention followed for the baseline parameter file is Template Name.xml.
The file will be exported on the RME server at the specified path.
Deleting a Baseline Template
To delete a baseline template:
Note View Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Template Mgmt.
The Baseline Templates dialog box appears.
Step 2 Select one or more Baseline templates and click Delete.
A message appears, The selected Template will be permanently deleted.
Step 3 Click OK.
A message appears, Successfully deleted the template.
Step 4 Click OK.
The selected Baseline Template is removed from the Baseline Templates window
Note You can also delete Example Templates.
Creating a Baseline Template
You can create a Baseline Template by:
•Creating a Basic Baseline Template
•Creating an Advanced Baseline Template
There are few example templates which are available. You can use these templates as a base to create new templates.
•Creating a Basic Baseline Template - an Example
•Creating an Advanced Baseline Template— Example
Note View Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
Creating a Basic Baseline Template
To create a Basic Baseline template:
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Template Mgmt.
The Baseline Templates window appears.
Step 2 Click Create.
The Select Creation Mode dialog box appears.
Step 3 In the Template Details section, select Basic as the mode.
Step 4 Enter the following information:
Field
|
Description
|
Name
|
Name of the Baseline template.
You can enter only alphanumeric characters (including spaces) up to 254 characters. Do not enter any special characters. This includes underscores and hyphens.
|
Description
|
Description for the Baseline template. You can enter up to 254 characters.
|
Device Type Selector
|
Device family for which you can apply this template.
Click the check box to select the device family.
|
Step 5 Click Next.
The Add Template Details dialog box appears.
Step 6 Enter the following in the Baseline Template page.
Field
|
Description
|
Conditional Block
|
Check for compliance only if the following condition is satisfied.
|
Check this option if you want to run a compliance check based on any condition.
|
Global
|
Select this option if you want to check the conditional commands in Global mode.
This option is activated only if Check for compliance only if the following condition is satisfied is checked.
|
Submode
|
Select this option if you want to check the conditional commands in a specific submode.
If you select this option, the textbox next to this option is activated. Enter the command for the required submode.
For example:
interface [#Ethernet.*#]
This option is activated only if the Check for compliance only if the following condition is satisfied option is checked.
|
CLI Commands
|
Enter the conditional CLI commands in this text area.
This option is activated only if Check for compliance only if the following condition is satisfied is checked.
Enter the Conditional CLI commands.
For example:
Routers CLI Commands
+ set snmp community read-write [read-write-community-name-string]
- set snmp community read-only public
Explanation:
•The first line is considered as a comment since it does not begin with either "+" or "-".
•The second line is mandatory since it begins with "+".
•The third line is disallowed since it begins with "-".
In the above example, read-write-community-name-string is a command value. The command value should not contain spaces.
|
Compliance Block
|
Global
|
Select this option if you want to check the compliance commands in global mode.
|
Use the SubMode of above condition
|
This option is activated only if the Conditional Block options, Check for compliance only if the following condition is satisfied and the Submode options are selected.
The submode command entered in the submode textbox under the Conditional Block appears in the submode textbox of Compliance Block. So the submode command of the Conditional Block is used by the Compliance Block.
You cannot edit the submode commands in the Compliance Block. However, you can edit the submode commands in the Conditional Block, this updates the submode commands in the Compliance Block.
|
Submode
|
Select this option if you want to check the compliance commands in a specific submode.
If you select this option, the textbox next to this option is activated. Enter the command for the required submode.
The compliance command will be checked for the submode that you enter.
|
CLI Commands
|
Enter the Compliance CLI commands. This is a mandatory field.
For example, you can enter:
Routers CLI Commands
# this is the Compliance Block
+ set snmp community read-write [read-write-community-name-string]
- set snmp community read-only public
Explanation:
•The first line is considered as a comment since it does not begin with either "+" or "-".
•The second line is also considered as a comment since it begins with an "#".
•The third line is mandatory since it begins with "+".
•The fourth line is disallowed since it begins with "-".
In the above example, read-write-community-name-string is a command value. The command value should not contain spaces.
|
Order Sensitive
|
Select this option to make the system consider the order of the commands while performing a compliance check.
In other words, the commands in the device config should appear in the same order as that of the CLI commands definition order in the Command Set.
|
•If you want to preview the changes to the template command details before the template is created, click Preview. The changed template details are displayed in a window.
•If you want to reset the changes click Reset.
•If you want to know about the options and the functionality of Basic flow click Help.
You can perform a Compliance check without using the Conditional Block.
A message appears, Successfully created the template BaselineTemplateName.
Where BaselineTemplateName is the Template Name as given by you.
Step 7 Click OK.
The Baseline Templates window appears with the newly created Baseline template.
Creating a Basic Baseline Template - an Example
You want to create a baseline template to check whether all Ethernet interfaces which are up and running has "10.77.*.*" ipaddress configured with the subnet mask 255.255.255.128.
To perform this, you must create a template that checks for the following compliances:
•Whether the interfaces that do not contain the shutdown command.
and
•Whether all Ethernet interfaces are configured with IP address 10.77.*.* 255.255.255.128. T.
You can create a Basic Baseline Template by entering the condition check, as well as the compliance check.
To create a Basic Baseline Template for the above scenario:
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Template Mgmt.
The Baseline Templates window appears.
Step 2 Click Create.
The Select Creation Mode dialog box appears.
Step 3 In the Template Details section, select Basic as the mode.
Step 4 Enter the following information:
Field
|
Description
|
Name
|
Enter NewBaseline
NewBaseline is the name of the new template.
|
Description
|
Enter the following description:
This is a Basic Baseline template which checks whether all Ethernet interface are up and running and has "10.77.*.*" ipaddress configured with the subnet mask 255.255.255.128
|
Device Type Selector
|
Check the Routers checkbox to select all routers.
|
Step 5 Click Next.
The Add Template Details dialog box appears.
Step 6 Select Check for compliance only if the following condition is satisfied so that you can enter the condition to be checked.
Step 7 Select Submode
The textbox next to Submode is activated.
Step 8 Enter the following command in the Submode textbox:
interface [#Ethernet.*#]
Step 9 Enter the following Conditional CLI commands in the Conditional Block CLI command text area:
- shutdown
This command indicates that shutdown should not be present in the Ethernet interfaces.
Step 10 Go to Compliance Block
The Use the SubMode of above condition option is selected automatically.
Step 11 Enter the following CLI commands in the Compliance Block CLI command text area:
+ ip address [#10.77.*.*#] 255.255.255.128
This command helps you to ascertain whether the following IP Addresses are configured on the Ethernet interfaces.
Step 12 Click Finish
A message appears, Successfully created the template NewBaseline.
Where NewBaseline is the Template Name as entered by you.
Step 13 Click OK.
The Baseline Templates window appears with the newly created Baseline template.
Creating an Advanced Baseline Template
To create an Advanced Baseline template:
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Template Mgmt.
The Baseline Templates dialog box appears.
Step 2 Click Create.
The select Creation Mode dialog box appears.
Step 3 Select Advance as the mode from the Template Details section.
Step 4 Enter the following information:
Field
|
Description
|
Name
|
Name of the Baseline template.
You can enter only alphanumeric characters (including spaces) up to 254 characters. Do not enter any special characters. This includes underscores and hyphens.
|
Description
|
Description for the Baseline template. You can enter up to 254 characters.
|
Device Type Selector
|
Device family for which you can apply this template.
Check the check box to select the device family.
|
Step 5 Click Next.
The Add Template Details dialog box appears.
Step 6 Enter the following information:
Field
|
Description
|
Commandset Options
|
Name
|
Name of the commandset.
You can enter only alphanumeric characters up to 254 characters. Do not enter any special characters. This includes spaces, underscores and hyphens.
|
Parent
|
Enter the parent name for the commandset, if required. This is case sensitive.
You can also use this to logically group the commandsets.
For example: To work on ATM permanent virtual connections (PVCs) commands, you must first get into the interface mode from the global mode and then run the PVC specific-commands.
Commandset 1: ATM
interface [#atm.*#]
+ ip address [ip-addr] [net-mask]
Commandset 2: PVC
[#pvc.*#]
+ encapsulation aal5 [encap-type]
+ abr [output-pcr1] [output-mcr]
+ ubr [output-pcr2]
+ vbr-nrt [output-pcr3] [output-scr] [output-mbs]
+ vbr-rt [peak-rate] [average-rate] [burst]
+ protocol ip [proto-ip] [type]
+ exit
Here, commandset 1 is the parent for commandset 2.
While RME evaluates the Baseline template, commandset1 is evaluated first and commandset2 is evaluated next. If either of these commandsets is missing, the template is considered non-compliant.
|
Prerequisite
|
Select the mandatory commandset name that you must enter before running the current commandset.
In the example (See Mark as Prerequisite row), if you had marked commandset 1 as the Prerequisite, you can select commandset 1: IntCheck from the drop-down menu.
Before running the commandset 2, the commandset 1 is run. That is, commandset1 is evaluated first and commandset2 is evaluated next.
If there is no commandset1 or commandset1 failed, commandset2 is not evaluated and the devices will be moved to excluded state. The template will be considered as non-compliant.
|
Mark as Prerequisite
|
1. Select the checkbox to mark a particular commandset as a prerequisite.
For example,
Commandset 1: IntCheck
interface [intname]
+ ip address [#10\.76\.38\..*#] [net-mask]
(To find a match for any octet in an IP address you must use \..*.)
2. Select the Mark as Prerequisite check box for the Commandset 1: IntCheck.
For example,
Commandset 2: IntDownload
interface [intname]
+ no cdp enable
3. Select the Prerequisite from the dropdown menu for the Commandset 2: IntDownload.
If a commandset has a Prerequisite commandset, you cannot select the Mark as Prerequisite check box for that particular commandset.
That is, in the above example, you cannot select the checkbox Mark as Prerequisite for Commandset 2:IntDownload.
|
CLI Commands
|
Submode
|
Enter the command to get into interface mode from the global mode.
For example: interface [intname]
Here, interface is a command keyword and intname is command value. The command value should not contain spaces.
You can also run the command for a set of interfaces.
For example: interface [#Ethernet.*#]
Here, the command will be executed on all the interfaces having Ethernet.
|
Ordered Set
|
Select this option to make the system consider the order of the commands while performing compliance check.
In other words, the commands in the device config should appear in the same order as that of the CLI commands definition order in the Command Set.
See, Behavior of Ordered Set for Access Lists for more details on the behavior of Ordered Set for Access Lists.
|
CLI Commands
|
Enter the CLI commands.
For example:
# Routers CLI Commands
+ set snmp community read-write [read-write-community-name-string]
- set snmp community read-only public
Explanation:
•The first line is considered as a comment since it begins with a "#".
•The second line is mandatory as it begins with "+".
•The third line is disallowed as it begins with "-".
There should be a space between the commands and the "-" or "+". If there is no space, the commands are considered as comments and ignored.
In the above example, read-write-community-name-string is a command value. The command value should not contain spaces.
|
•If you want to add a new commandset to the template click Add. The CLI Commands window is displayed with the default help comments. These help comments serve as guidelines to create commandsets.
•If you want to delete a Commandset from the Command set list, click Delete.
•If you want to preview the changes to the Commandset details before finishing up the creation of the template, click Preview. The changed Commandset details is displayed in a window.
•If you click Save, for the first time, a message appears,
Do you wish to create a new template?.
•If you click Save, for the second time, a message appears,
Successfully updated the template BaselineTemplateName.
Note If the Commandsets consist of Prerequisite commandset then these commandsets appear in red color in the Preview details.
•If you want to reset the changes made to a Commandset, click Reset
Step 7 Click OK.
A message appears,
Successfully created the template BaselineTemplateName.
Where BaselineTemplateName is the name of the Baseline Template.
Step 8 Click OK.
If you want to add one more commandset repeat this procedure from Step 4.
Step 9 Click Finish.
A message appears,
Do you wish to save the changes?.
Step 10 Click OK.
A message appears,
Successfully created the template.
Step 11 Click OK.
The Baseline Configs window appears with all the available Baseline templates.
Creating an Advanced Baseline Template— Example
This section consists of two examples:
•Example 1
•Example 2
Example 1
This is a procedure to create a Baseline template to disable CDP on an interface that belongs to a specific subnet.
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Template Mgmt.
The Baseline Templates dialog box appears.
Step 2 Click Create.
The Select Creation Mode dialog box appears.
Step 3 Select Advanced and click Next.
The Create a Baseline dialog box appears.
Step 4 Enter the following information:
Field
|
User data
|
Template Name
|
DisablingCDP
You can enter only alphanumeric characters up to 254 characters. Do not enter any special characters except underscores.
|
Device Type
|
Routers
|
Description
|
Baseline Template for DisablingCDP
|
Commandset Option
|
Name
|
PrerequisiteCheck.
You can enter only alphanumeric characters up to 254 characters. Do not enter any special characters. This includes spaces, underscores and hyphens.
|
Parent
|
Global
|
Prerequisite
|
Do not select any value.
|
Mark as Prerequisite
|
Select the check box to mark the commandset as prerequisite.
|
CLI Commands
|
Submode
|
interface [intname]
Where, intname is a variable. The variables should not contain spaces.
|
Ordered Set
|
Select this so that the system considers ordering of commands while performing compliance check.
See, Behavior of Ordered Set for Access Lists for more details on the behavior of Ordered Set for Access Lists.
|
CLI Commands
|
+ ip address [#10\.76\.38\...*#] [netmask]
To find a match for any octet in an IP address you must use \..*.
This checks for subnet mask with IP address starting from 10.76.38.*.
|
Step 5 Click Save.
A confirmation message appears that the template will be created.
Step 6 Click OK.
A confirmation message appears that the template is created.
Step 7 Click OK.
To add another commandset within the same Baseline template, Disabling-CDP, enter the following information.
Field
|
User Data
|
Commandset Option
|
Name
|
DisableCDP.
You can enter only alphanumeric characters up to 254 characters. Do not enter any special characters. This includes spaces, underscores and hyphens.
|
Parent
|
Global
|
Prerequisite
|
Select the PrerequisiteCheck from the dropdown menu.
|
Mark as Prerequisite
|
Do not select the checkbox.
|
CLI Commands
|
Submode
|
interface [intname]
|
Ordered Set
|
Select this so that the system considers ordering of commands while performing compliance check.
|
CLI Commands
|
+ no cdp enable
This will disable the CDP in all the interfaces even if any one interface contains the subnet mask starting with IP address 10.76.38.*.
|
Step 8 Click Save.
A confirmation message appears that the template is updated.
Step 9 Click OK.
Step 10 Click Finish.
A confirmation message appears that the template will be saved.
Step 11 Click OK.
A confirmation message appears that the template is updated.
Step 12 Click OK.
The Baseline Configs window appears with the details of Disabling-CDP Baseline template.
Example 2
This is a procedure to create an Advanced Baseline Template to check the presence of the command "ip address 10.77.209.8 255.255.255.224" in the Ethernet interfaces which has cdp disabled.
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Template Mgmt.
The Baseline Templates dialog box appears.
Step 2 Click Create.
The Select Creation Mode dialog box appears.
Step 3 Select Advanced and click Next.
The Create a Baseline dialog box appears.
Step 4 Enter the following information:
Field
|
User Data
|
Template Name
|
CheckIPTemplate
You can enter only alphanumeric characters up to 254 characters. Do not enter any special characters except underscores.
|
Device Type
|
Routers
|
Description
|
Baseline Template for Interface level check.
|
Commandset Option
|
Name
|
PrerequisiteCheck.
You can enter only alphanumeric characters up to 254 characters. Do not enter any special characters. This includes spaces, underscores and hyphens.
|
Parent
|
Do not enter anything.
|
Prerequisite
|
Do not select any value.
|
Mark as Prerequisite
|
Select the check box to mark the commandset as prerequisite.
|
CLI Commands
|
Submode
|
interface [#Ethernet.*#]
|
Ordered Set
|
Do not select the checkbox.
|
CLI Commands
|
+ no cdp enable
|
Step 5 Click Save.
A confirmation message appears that the template will be created.
Step 6 Click OK.
A confirmation message appears that the template is created.
Step 7 Click OK.
To add another commandset within the same Baseline template, CheckIPTemplate, enter the following information.
Field
|
User data
|
Commandset Option
|
Name
|
IPCheck.
You can enter only alphanumeric characters up to 254 characters. Do not enter any special characters. This includes spaces, underscores and hyphens.
|
Parent
|
PrerequisiteCheck
|
Prerequisite
|
Select the PrerequisiteCheck from the dropdown menu.
|
Mark as Prerequisite
|
Do not select the checkbox.
|
CLI Commands
|
Submode
|
Do not enter anything
|
Ordered Set
|
Do not select the checkbox.
|
CLI Commands
|
+ ipaddress 10.77.209.8 255.255.255.224
The above command will be deployed in the Ethernet interfaces which have the CDP disabled.
|
Step 8 Click Save.
A confirmation message appears that the template is updated.
Step 9 Click OK.
Step 10 Click Finish.
A confirmation message appears that the template will be saved.
Step 11 Click OK.
A confirmation message appears that the template is updated.
Step 12 Click OK.
The Baseline Configs window appears with the details of CheckIPTemplate Baseline template.
Behavior of Ordered Set for Access Lists
1. Create a baseline template with few commands and ordered set option checked.
2. Compare the configurations in the device with the baseline template, to check for Compliance
The commands available in the device is compared in the same order as available in the Baseline template.
3. If the commands found in the device is not compliant with the Baseline template, the same configlet commands available in the device is negated first and then the commands available in the Baseline template is deployed on to the device.
This is the recommended behavior for Access lists. This behavior is also supported by the submodes.
Importing a Baseline Template
To import a Baseline Template:
Note View Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Template Mgmt.
The Baseline Templates dialog box appears.
Step 2 Select a Baseline template and click Import.
The Import a Baseline Template dialog box appears.
Step 3 Enter the name of the Template file.
The file will be imported.
or
a. Click Browse.
The Server Side File Browser dialog box appears.
b. Select the XML file.
c. Click OK.
Step 4 Click OK.
A message appears, Template successfully imported.
Step 5 Click OK.
The imported file appears in the Baseline Templates window with the description, Imported baseline.
Running Compliance Check
To run a compliance check:
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Compliance Check.
The Baseline Templates dialog box appears.
Step 2 Select the template and click Compliance Check.
The Select Devices dialog box appears.
Step 3 Select either:
•Device Selector, if you want to schedule a job for static set of devices. See Using RME Device Selector for information on how to use RME Device Selector.
Or
•Group Selector, if you want to schedule a job for dynamic group of devices.
The job is scheduled only for the devices that are present in the selected group at the time when the job is run. The customizable group selector for jobs evaluate static groups also as dynamic during run time.
Step 4 Click Next.
The Schedule dialog box appears.
Step 5 Enter the following information:
Field
|
Description
|
Scheduling
|
Run Type
|
You can specify when you want to run the Baseline template compliance job.
To do this, select one of these options from the drop-down menu:
•Immediate—Runs this task immediately.
•Once—Runs this task once at the specified date and time.
•Daily—Runs daily at the specified time.
•Weekly—Runs weekly on the day of the week and at the specified time.
•Monthly—Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3.
|
Date
|
You can select the date and time (hours and minutes) to schedule.
The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.
|
Job Info
|
Job Description
|
Enter a description for the job. This is mandatory. You can enter only alphanumeric characters.
|
E-mail
|
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences).
We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job starts or completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
|
Attachment
|
Check this option if you want the job notification mail to consist of attachments in either CSV or PDF format.
Either select:
•CSV if you want the attachment in CSV format.
Or
•PDF if you want the attachment in PDF format. This is the default format.
The CSV and PDF radio options will be enabled only if the Attachment checkbox is checked.
If the Attachment option is disabled, go to Common Services to change the settings. For more information on configuring attachment settings as well as the maximum size of attachments allowed in notification mails, see Common Services Online Help
|
Job Options
|
Check compliance and deploy
|
Enable this to check the compliance of the archived file with that of the Baseline template and deploy the commands if it non-compliant.
|
Copy Running Config to Startup
|
This option is active only if you select the Check compliance and deploy option.
Select to make the job to write the Running configuration to the Startup configuration on each device after configuration changes are made successfully.
Does not apply to Catalyst OS devices.
|
Job Password
|
•If you have enabled the Job Password option and disabled the User Configurable option in the Job Policy dialog box (Resource Manager Essentials > Admin > Config Mgmt > Config Job Policies) enter the device login user name and password and device Enable password.
•If you have enabled the Enable Job Password option and enabled the User Configurable option in the Job Policy dialog box (Resource Manager Essentials > Admin > Config Mgmt > Config Job Policies) either:
–Enter the device login user name and password and device Enable password
Or
–Disable the Job Password option in the Job Schedule and Options dialog box.
|
Step 6 Click Next.
The Job Work Order window appears with the job details that you have selected.
Step 7 Click Finish.
A message appears, Job JobID is created successfully.
Where JobID is a unique Job number.
Step 8 Click OK.
You can check the status of your scheduled job by selecting Config Mgmt > Archive Mgmt > Baseline Template > Compliance or Config Mgmt > Archive Mgmt > Archive Mgmt Jobs.
Note•View Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this compliance check task.
•The compliance check job requires approval if you have enabled Job Approval during the compliance check job scheduling.
Understanding the Baseline Compliance Report
The Baseline Compliance Report contains the following information:
Field Name
|
Description
|
Summary
|
Template Name
|
Name of the Baseline template entered at the time of creating the Baseline template.
|
Number of Non-Compliant devices
|
Number of devices that are non-compliant.
|
Number of Compliant devices
|
Number of devices that are compliant.
|
Number of Excluded devices:
|
List of devices where the job did not run. The jobs may have failed either because:
•The device configuration was not archived.
Or
•The device was not reachable.
The further details of the failed job is given in the Config Mgmt > Archive Mgmt > Archive Mgmt Jobs (See Using Archive Management Job Browser).
|
Compliant Devices
|
Device Name
|
Device Display Name as entered in Device and Credential Repository.
|
Latest Version
|
Version of configuration file against which the compliance was checked.
Click on the version to display Config Viewer (see Understanding the Config Viewer Window). This shows the contents of corresponding configuration file against which the compliance was checked.
|
Created On
|
Date and time configuration file was created.
|
Non-Compliant Devices
|
Device Name
|
Device Display Name as entered in Device and Credential Repository.
|
Latest Version
|
Version of configuration file against which the compliance was checked.
Click on the version to display Config Viewer (see Understanding the Config Viewer Window). This shows the contents of corresponding configuration file against which the compliance was checked.
|
Created On
|
Date and time configuration file was created.
|
Commands to Deploy
|
List the commands where the device configuration is non-compliant.
|
Excluded Devices
|
Device Name
|
Device Display Name as entered in Device and Credential Repository.
|
Reason for Exclusion
|
Displays the cause for exclusion.
|
In addition, this report contains two buttons:
Button
|
Description
|
Export to File
(Icon)
|
Exports this report in either PDF or CSV format.
|
Print
(Icon)
|
Generates a format that can be printed.
|
Deploying a Baseline Template
When you add a new device of the same type to the network, you can use the existing Baseline template. This template consists of two parts, command and values.
You can create configurations for any device of the same type to the network by specifying the values for the variables in the Baseline template.
You can deploy Baseline template on the RME devices in two ways:
•User Interface (See Deploying a Baseline Template Using User Interface for the procedure.)
•File System (See Deploying a Baseline Template Using File System for the procedure.)
View Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
The deployment job requires approval if you have enabled Job Approval during the deployment job scheduling.
Deploying a Baseline Template Using User Interface
To deploy a Baseline template using User Interface:
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Direct Deploy.
The Baseline Templates dialog box appears.
Step 2 Select a Baseline template and click Deploy.
The Deploy Input Options dialog box appears.
Step 3 Select Enter Data From User Interface and click Next.
The Select Devices dialog box appears.
The device list contains only that particular Device Type devices that you have selected while creating the Baseline Template.
For example, if you have selected Device Type as Router, only routers are listed.
Step 4 Select devices under the following tabs:
•In the All tab,
Devices are grouped under All Applicable Devices and All Applicable Device Groups. All Applicable Device Groups categorizes devices under Routers, Switches, and so on.
•In the Search Results tab,
The results of simple search and advanced search are listed here. For details on Search, see Using RME Device Selector, page 3-74
•In the Selection tab,
All the devices that are selected are listed and you can deselect the devices.
Step 5 Click Next.
The Commands Generation dialog box appears.
Step 6 Perform the following tasks:
Field Name
|
Description and Action
|
Device list
|
This pane lists the selected devices that you have selected in the Select Devices dialog box.
Select the device for which you want to deploy the Baseline template.
|
Edit
|
Select a device from the device drop down list and click on Edit button to edit information for the device.
|
Save
|
Click Save to save the changes made for the selected device.
You can change the details for multiple devices in one go, by using the Save button.
|
Device
|
The selected device in the Device List pane is displayed in this text box.
|
Commandsets
|
The pane contains all the commandsets that are defined in the Baseline template.
Select a commandset.
While creating the Baseline template, if you have defined the multiple occurrences as the commandset feature, after selecting that particular commandset, the Add Instance button is activated.
|
Add Instance
|
This button is active only if you have selected a commandset with multiple occurrences.
The occurrences of a commandset are defined while creating the Baseline template.
When you click on the Add Instance button, one more instance of multiple commandset is added in the Commandsets pane.
Enter the command value for that commandset in the Device Data pane.
|
Delete Instance
|
Use the Delete Instance button to delete the instance after selecting the instance from the Commansets pane. You can select one or more instances and click on the Delete Instance button to delete the instances.
You can delete the selected instances. The exception being that at least one instance of the commandset is available.
|
Templates
|
The pane contains the CLI commands for the selected commandset.
You cannot modify the commands in this pane.
|
Device Data
|
The field displays the command values that you have defined in your Baseline template.
The command value is appended with a unique number.
Enter the command value.
For example: If your Baseline template contains this command:
Interface [#Ethernet[.*]#]
+ no shutdown
Then, #Ethernet[.*]# is the command value.
The Device Data field names appear as:
#Ethernet.*[0]
If the commandset is a prerequisite commandset, you do not need to specify parameter values for the Device data field as they are not deployed.
|
Step 7 Click Next.
The Job Schedule dialog box appears.
Step 8 Enter the following information:
Field
|
Description
|
Scheduling
|
Run Type
|
You can specify when you want to run the Baseline template deploy job.
To do this, select one of these options from the drop-down menu:
•Immediate—Runs this task immediately.
•Once—Runs this task once at the specified date and time.
•Daily—Runs daily at the specified time.
•Weekly—Runs weekly on the day of the week and at the specified time.
•Monthly—Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3.
|
Date
|
You can select the date and time (hours and minutes) to schedule.
The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.
|
Job Info
|
Job Description
|
Enter a description for the job. This is mandatory. You can enter only alphanumeric characters.
|
E-mail
|
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences).
We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job starts or completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
|
Job Options
|
Approver Comments
|
Enter comments for the job approver.
This field appears only if you have enabled job approval for Archive Management.
|
Maker E-Mail
|
Enter the e-mail-ID of the job creator. This is a mandatory field.
This field appears only if you have enabled job approval for Archive Management.
|
Copy Running Config to Startup
|
Select to cause job to write the running configuration to the startup configuration on each device after configuration changes are made successfully.
Does not apply to Catalyst OS devices.
|
Job Password
|
•If you have enabled the Enable Job Password option and disabled the User Configurable option in the Job Policy dialog box (Resource Manager Essentials > Admin > Config Mgmt > Config Job Policies) enter the device login user name and password and device Enable password.
•If you have enabled the Enable Job Password option and enabled the User Configurable option in the Job Policy dialog box (Resource Manager Essentials > Admin > Config Mgmt > Config Job Policies) either:
–Enter the device login user name and password and device Enable password
Or
–Disable the Job Password option in the Job Schedule and Options dialog box.
|
Step 9 Click Next.
The Work Order dialog box appears with job details that you have entered.
Step 10 Click Finish.
A message appears, Job JobID is created successfully.
Where JobID is a unique Job number.
Step 11 Click OK.
You can check the status of your scheduled job using Config Mgmt > Archive Mgmt > Archive Mgmt Jobs. The Job Type for this deploy job is Deploy Baseline template result.
Deploying a Baseline Template Using File System
You can deploy a Baseline template using the Baseline Parameter file.
See Exporting a Baseline Template for further information.
To deploy a Baseline template using File System:
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Direct Deploy.
The Baseline Templates dialog box appears.
Step 2 Select a Baseline template and click Deploy.
The Deploy Input Options dialog box appears.
Step 3 Select Enter Data From File System and click Next.
The Select Input File dialog box appears.
Step 4 Enter the folder name and the file name with the file format extension XML.
or
a. Click Browse.
The Server Side File Browser dialog box appears.
b. Select the XML file.
c. Click OK.
The Select Input File dialog box appears with the selected Baseline Parameter file.
Step 5 Click Next.
The Job Schedule dialog box appears.
Step 6 Enter the following information:
Field
|
Description
|
Scheduling
|
Run Type
|
You can specify when you want to run the Baseline template deploy job.
To do this, select one of these options from the drop-down menu:
•Immediate—Runs this task immediately.
•Once—Runs this task once at the specified date and time.
•Daily—Runs daily at the specified time.
•Weekly—Runs weekly on the day of the week and at the specified time.
•Monthly—Runs monthly on the day of the month and at the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will start only at 10:00 a.m. on November 3.
|
Date
|
You can select the date and time (hours and minutes) to schedule.
The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.
|
Job Info
|
Job Description
|
Enter a description for the job. This is mandatory. You can enter only alphanumeric characters.
|
E-mail
|
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences).
We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job starts or completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
|
Job Options
|
Approver Comments
|
Enter comments for the job approver.
This field appears only if you have enabled job approval for Archive Management.
|
Maker E-Mail
|
Enter the e-mail-ID of the job creator. This is a mandatory field.
This field appears only if you have enabled job approval for Archive Management.
|
Copy Running Config to Startup
|
Select to make the job to write the Running configuration to the Startup configuration on each device after configuration changes are made successfully.
Does not apply to Catalyst OS devices.
|
Job Password
|
•If you have enabled the Enable Job Password option and disabled the User Configurable option in the Job Policy dialog box (Resource Manager Essentials > Admin > Config Mgmt > Config Job Policies) enter the device login user name and password and device Enable password.
•If you have enabled the Enable Job Password option and enabled the User Configurable option in the Job Policy dialog box (Resource Manager Essentials > Admin > Config Mgmt > Config Job Policies) either
–Enter the device login user name and password and device Enable password
Or
–Disable the Job Password option in the Job Schedule and Options dialog box.
|
Step 7 Click Next.
The Work Order dialog box appears with job details that you have entered.
Step 8 Click Finish.
A message appears, Job JobID is created successfully.
Where JobID is a unique Job number.
If you have specified incorrect filename/XML file format or if the hostname field is not updated, an error message appears, Specified file could not be read. Please specify a valid file name.
See Exporting a Baseline Template for further information.
Check the XML file format or update the hostname field and restart this procedure from Step 2.
Step 9 Click OK.
You can check the status of your scheduled job using Config Mgmt > Archive Mgmt > Archive Mgmt Jobs. The Job Type for this deploy job is Deploy Baseline template result.
Using Compliance and Deploy Jobs Window
You can check the status of the Baseline jobs using Config Mgmt > Compliance Mgmt > Compliance/Deploy Jobs.
This section contains:
•Deploying the Commands
•Deleting the Compliance Jobs
This window contains the following information:
Field Name
|
Description
|
Job ID
|
Unique number assigned to the job when it is created.
For periodic jobs such as Daily, Weekly, etc., the job IDs are in the number.x format. The x represents the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the job ID 1001.
|
Description
|
Job description entered during job definition.
|
Compliant/Deployed Devices
|
Displays how many devices are compliant out of total number of devices that were selected while creating the compliance job.
Click on the link to view the Baseline Compliance Report (see Understanding the Baseline Compliance Report).
|
Status
|
Status of the job. The displayed job states are Successful, Failed, and Running.
The jobs may have failed either because:
•The device configuration is not archived.
Or
•The device is not reachable.
The further details of the failed job is given in the Config Mgmt > Archive Mgmt > Archive Mgmt Jobs (see Using Archive Management Job Browser).
You can also check the status of the Baseline job at Config Mgmt > Archive Mgmt > Archive Mgmt Jobs (see Using Archive Management Job Browser).
|
The Baseline Jobs window contains the following buttons:
Buttons
|
Description
|
Deploy
|
You can schedule a job to deploy the standard configuration to all non-compliant devices.
This button is activated only after selecting a Job.
See Deploying the Commands.
|
Retry
|
You can reschedule a failed job using this button.
This button is activated only on selecting a Failed job.
Reschedule the deployment job by providing the required information.
|
Delete
|
You can delete the compliance jobs.
This button is activated only after selecting a Compliance Jobs.
See Deleting the Compliance Jobs
|
Refresh
(Icon)
|
Click on this icon to refresh the Compliance Jobs Window.
|
For usecases and examples on Baseline Templates, refer to the Baseline Template Whitepaper
Deploying the Commands
You can deploy the commands on the devices that are non-complaint.
Before you use this Deploy button, you must run the Compliance Report,
•If there are any non-complaint device, you must select the relevant compliance job and deploy the baseline template.
•If there are no non-complaint device and if you click on the Deploy button, a message appears,
Could not deploy selected Job.
Reason: No Non-Compliant devices present in the report.
Click on the Job ID to view the Baseline Compliance Report. See Understanding the Baseline Compliance Report for further details.
Note View Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
To deploy the commands:
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Compliance/Deploy Jobs.
The Compliance Jobs dialog box appears.
Step 2 Select a Compliance Job.
Step 3 Click Deploy.
The Substitute Parameters for Devices dialog box appears.
Step 4 Perform the following:
Field Name
|
Description and Action
|
Device list
|
The list contains all the devices which are non-complaint.
Select a device.
|
Device
|
The selected device in the Device List pane appears in this text box.
|
Commandsets
|
The pane contains all the commandsets that are defined in the Baseline template.
In the Baseline template, if you have defined the multiple occurrences as the commandset feature then based on the compliance check, the commandset will appear more than once.
Select a commandset.
|
Templates
|
The pane contains the CLI commands for the selected commandset.
You cannot modify the commands in this pane.
|
Device Data
|
The field displays the command values that you have defined in your Baseline template.
The command value is appended with a unique number.
Enter the command value.
For example: If your Baseline template contains this command:
+ ip address [#10\.76\.38\..*#] [netmask]
Then, #10\.76\.38\..*# and netmask are the command values.
The Device Data field names appear as:
#10\.76\.38\..*#[1000]
netmask[1000]
|
If you have more than one device to deploy then you have to repeat Step 4 for all the devices.
Step 5 Click Next.
The Job Schedule dialog box appears.
Step 6 Enter the following information:
Field
|
Description
|
Scheduling
|
Run Type
|
You can specify when you want to run the deploy configuration job.
To do this, select one of these options from the drop-down menu:
•Immediate—Runs this task immediately.
•Once—Runs this task once at the specified date and time.
|
Date
|
You can select the date and time (hours and minutes) to schedule.
The Date field is enabled only if you have selected an option other than Immediate in the Run Type field.
|
Job Info
|
Job Description
|
Enter a description for the job. This is mandatory. You can enter only alphanumeric characters.
|
E-mail
|
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences).
We recommend that you configure the CiscoWorks E-mail ID in the View / Edit System Preferences dialog box (Common Services > Server > Admin > System Preferences). When the job starts or completes, an e-mail is sent with the CiscoWorks E-mail ID as the sender's address.
|
Attachment
|
Check this option if you want the job notification mail to consist of attachments in either CSV or PDF format.
Either select:
•CSV if you want the attachment in CSV format.
Or
•PDF if you want the attachment in PDF format. This is the default format.
The CSV and PDF radio options will be enabled only if the Attachment checkbox is checked.
If the Attachment option is disabled, go to Common Services to change the settings. For more information on configuring attachment settings as well as the maximum size of attachments allowed in notification mails, see Common Services Online Help.
|
Job Options
|
Approver Comments
|
Enter comments for the job approver.
This field appears only if you have enabled job approval for Archive Management.
|
Maker E-Mail
|
Enter the e-mail-ID of the job creator. This is a mandatory field.
This field appears only if you have enabled job approval for Archive Management.
|
Copy Running Config to Startup
|
Select to make the job to write the Running configuration to the Startup configuration on each device after configuration changes are made successfully.
Does not apply to Catalyst OS devices.
|
Job Password
|
•If you have enabled the Enable Job Password option and disabled the User Configurable option in the Job Policy dialog box (Resource Manager Essentials > Admin > Config Mgmt > Config Job Policies) enter the device login user name and password and device Enable password.
•If you have enabled the Enable Job Password option and enabled the User Configurable option in the Job Policy dialog box (Resource Manager Essentials > Admin > Config Mgmt > Config Job Policies) either:
–Enter the device login user name and password and device Enable password
Or
–disable the Job Password option in the Job Schedule and Options dialog box.
|
Step 7 Click Next.
The Work Order dialog box appears with job details that you have entered.
Step 8 Click Finish.
A message appears, Job ID is created successfully.
Where ID is a unique Job number.
Step 9 Click OK.
You can check the status of your scheduled job using Config Mgmt > Archive Mgmt > Archive Mgmt Jobs. The Job Type for this deploy job is Deploy Baseline comparison result.
Deleting the Compliance Jobs
You can delete the job that have been completed or stopped. You cannot delete a running job.
Note View Permission Report (Common Services > Server > Reports) to check if you have the required privileges to perform this task.
To delete Compliance jobs:
Step 1 Select Resource Manager Essentials > Config Mgmt > Compliance Mgmt > Compliance/Deploy Jobs.
The Compliance Jobs dialog box appears.
Step 2 Select a job and click Delete.
A message appears, The selected job will be deleted.
Step 3 Click OK.
The selected Compliance job is removed from the Compliance Jobs window.
You can also delete the compliance jobs from Config Mgmt > Archive Mgmt > Archive Mgmt Jobs window (see Using Archive Management Job Browser)
