Cisco Prime Network 4.3 User Guide
9-63 Cisco Prime Network 4.3.2 User Guide
Chapter 9 Manage Device Configurations and Software Images
Making Sure Devices Conform to Policies Using Compliance Audit

Violations by Device

Figure 9-18 displays the violations at a device level.

Table 9-6 Job Details and Violations Summary - Fields

Audited/Non-Audited Devices
    Displays the number of audited and non-audited devices. For more details on the devices, click the hyperlinked count of audited or non-audited devices. The device name and audit status are displayed when you click the hyperlinked count of audited devices. Non-audited devices include the count of the following:
    - Devices that were within the scope of the user when the job was scheduled, but whose scope has since changed. At the time the job ran, these devices were not within the scope of the user.
    - Devices that were down or not reachable when the job ran.
    - CPT devices not in IOS mode. These devices are not audited because they do not contain a running configuration, which is required by Compliance Manager.
    - Third-party devices.
    - Devices not in sync with the Compliance server, that is, the device element type is not available in the Compliance server.
    - Devices whose backup running configuration cannot be fetched from CCM.

Selected Rules
    Number of rules selected in a policy at the time the policy profile was created. This may be a subset of the total number of rules defined for the policy.

Compliance State
    Displays Pass or Fail. All rules in the policy must conform on all devices for the state to display Pass.

Violation Count
    The number of distinct violations (for a particular policy, across the audited devices) observed in each job. For example, if a particular policy is violated on 100 devices, the violation count is only 1.

Instance Count
    Summation of the violation count for all the devices. For example, if a particular policy is violated on 100 devices, the instance count is 100.

Highest Severity
    The highest severity among the rules comprising the policy, as decided at the time of creating the rules. This overrides the lower severity items.

Ignore Count
    The count of rules ignored because the devices fall outside the scope of the platforms defined for the rule.

Export XLS
    Click to export the compliance audit violation details to an XLS file.

Export CSV
    Click to export the compliance audit violation details to a CSV file.

View
    Click to view the compliance audit violation details as an HTML page.

Export Audit
    Click to export the compliance audit details to an XLS file.
Figure 9-18 Violations by Device

Select the devices that require the fix CLI to be applied. The check box for a device is enabled only when:
- a fix CLI is available for the device,
- the violation has not already been fixed on the device, and
- no fix job is running for the violation.

Click the running config link under the Configurations column to view the running configuration of the device. If a Show command is used in the compliance policy, the output of the Show command is also displayed.

If a violation has already been fixed or a fix job has been scheduled, the Fix Job column displays the name of the fix job as a hyperlink. Click the hyperlink to view the compliance fix details. The check box for that violation is disabled.

Click Next.

Fix Type Rule Inputs

This window appears only if the violation has a fix type input. Enter the required rule input to fix the violation, and click Next. See Figure 9-19.
Figure 9-19 Fix Type Rule Input

Preview Fix Commands

Figure 9-20 displays a preview of the fix CLI that will be applied to the device when you schedule a fix job. If you are using a predefined command from the Command Manager to fix the violation, the command builder script name is displayed as a hyperlink. Click the hyperlink to view the values that will be executed on the device to fix the compliance violation. Click Next.

Figure 9-20 Preview Fix Commands

Schedule

Set the scheduling options such as the job name, start time, and email ID. Click Fix Job to schedule the job. The details of the fix job can be viewed from Compliance Audit > Jobs. The job type is Compliance-Fix. See Figure 9-21.
Figure 9-21 Schedule

You can view the status of a fix job after the job completes. Click the hyperlinked status to view the results of the fix job.

Using Compliance Audit for Device Compliance

Note: Starting in Prime Network 4.1, Configuration Audit is being replaced by Compliance Audit. In Prime Network 4.3.2, Configuration Audit is deprecated. However, if you enabled the option to retain Configuration Audit during an upgrade from Prime Network 3.11 (or earlier), the feature is still available from CCM. For more information on Compliance Audit, see Making Sure Devices Conform to Policies Using Compliance Audit, page 9-41.

These topics describe how to use Compliance Audit:
- Managing Compliance Audit Policies, page 9-67
- Scheduling a Compliance Audit, page 9-68
- Viewing Compliance Audit Jobs and Audit Results, page 9-69

The CCM Compliance Audit feature checks that devices comply with a compliance policy file (the baseline or expected configuration). Each compliance policy is a set of CLI commands that define a desired baseline or expected configuration. Compliance policies can also be written using valid, Java-based regular expressions. Table 9-7 provides examples of compliance policy CLIs.

Table 9-7 Configuration Policy CLI Examples

SamplePolicy1
    Policy Description: Sample policy for global configuration auditing
    Policy CLI:
        spanning-tree mode rapid-pvst

SamplePolicy2
    Policy Description: Sample policy for global regex and first sub level CLI matching audit
    Policy CLI:
        interface GigabitEthernet(.*)
         port-type nni

Sample Compliance Policy

The following example shows a policy that audits the BGP configuration of a Cisco IOS router:

    #BGP Compliance Audit
    router bgp (.*)
     neighbor (.*) remote-as (.*)
     address-family ipv4

If you want the audit to check for a specific BGP AS or neighbor IP address, the above CLI can be changed accordingly. For example:

    router bgp 65000
     neighbor (.*) remote-as 65001
     address-family ipv4

You can combine multiple different configurations into one policy. For example:

    #BGP Compliance Audit
    router bgp (.*)
     neighbor (.*) remote-as (.*)
     address-family ipv4
    # Interface MEP check
    interface GigabitEthernet(.*)
     ethernet (.*) mep domain UP (.*)

A compliance audit can be scheduled against multiple configuration files to obtain an audit report that indicates the existence of the configuration sequences stated in the baseline policy and any deviations from the baseline. You can define a compliance policy, select the devices to be audited against the policy, and schedule the audit job to run immediately or at a later point in time. The audit job compares the CLI commands in the configuration policy against the actual running configuration on the device to identify discrepancies. You can view the status of all scheduled compliance audit jobs in the Job Manager page. The compliance audit results are presented as a report that shows the discrepancies (configuration commands missing on the device) in red and the matching commands in green.

Managing Compliance Audit Policies

CCM allows you to create, modify, view, and delete configuration policies. Choose Compliance Audit > Compliance Policies. The Configuration Policies page lists the existing policies. You can search the configuration policies by CLI strings.
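As an added illustration that is not part of the Cisco guide, the following Python script models how a policy such as the BGP sample above is checked line by line against a device's running configuration, and how the Violation Count and Instance Count of Table 9-6 are then derived from the per-device results. The policy texts and the three device configurations are constructed samples. The matching rule (each policy line is a full-line regular expression, and sub-level lines are checked inside the configuration block that matched the parent line) and the use of Python's re module in place of Java regular expressions are assumptions made for the example, not the product's documented behaviour.

```python
import re
from dataclasses import dataclass, field

# Constructed sample policies, written like the BGP sample above and Table 9-7.
# Sub-level CLIs are indented one space, as in an IOS running configuration.
POLICIES = {
    "BGPPolicy": ("#BGP Compliance Audit\n"
                  "router bgp (.*)\n"
                  " neighbor (.*) remote-as (.*)\n"
                  " address-family ipv4\n"),
    "STPPolicy": "spanning-tree mode rapid-pvst\n",
}

# Constructed running configurations for three hypothetical devices.
CONFIGS = {
    "r1": ("hostname r1\n"
           "spanning-tree mode rapid-pvst\n"
           "router bgp 65000\n"
           " neighbor 10.0.0.2 remote-as 65001\n"
           " address-family ipv4\n"
           "  network 192.0.2.0 mask 255.255.255.0\n"),
    "r2": ("hostname r2\n"
           "spanning-tree mode rapid-pvst\n"
           "router bgp 65000\n"
           " neighbor 10.0.0.1 remote-as 65001\n"),
    "r3": "hostname r3\nspanning-tree mode pvst\n",
}


@dataclass
class Node:
    text: str
    children: list = field(default_factory=list)


def parse_tree(text):
    """Turn indentation-based CLI text (policy or running config) into a tree.
    Comment lines starting with '#' (policies) or '!' (IOS configs) are skipped."""
    root = Node("")
    stack = [(-1, root)]  # (indent, node) path from the root to the current block
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", "!")):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:  # leave blocks that do not enclose this line
            stack.pop()
        node = Node(raw.strip())
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root


def audit_node(policy_node, config_parent, matched, missing):
    """Check one policy CLI (a regex) against the child lines of config_parent.
    Assumed semantics: the line passes when some config line at this level matches
    the whole regex and every sub-level policy line passes beneath it. Python's re
    module stands in for the Java regex engine that Prime Network uses."""
    try:
        pattern = re.compile(policy_node.text)
    except re.error as exc:
        raise ValueError(f"Invalid regular expression in the CLI: {policy_node.text!r} ({exc})")
    candidates = [c for c in config_parent.children if pattern.fullmatch(c.text)]
    if not candidates:
        missing.append(policy_node.text)  # would be shown in red in the report
        return False
    best = None
    for cand in candidates:
        sub_matched, sub_missing = [cand.text], []
        results = [audit_node(ch, cand, sub_matched, sub_missing) for ch in policy_node.children]
        if all(results):
            matched.extend(sub_matched)  # would be shown in green in the report
            return True
        if best is None or len(sub_missing) < len(best[1]):
            best = (sub_matched, sub_missing)
    matched.extend(best[0])  # keep the closest partial match for the report
    missing.extend(best[1])
    return False


def audit_device(policy_text, config_text):
    """Audit one running config against one policy: Pass, Fail, or Failure
    (the audit itself could not run, e.g. an invalid regex in the policy)."""
    policy, config = parse_tree(policy_text), parse_tree(config_text)
    matched, missing = [], []
    try:
        results = [audit_node(p, config, matched, missing) for p in policy.children]
    except ValueError as exc:
        return {"status": "Failure", "reason": str(exc), "matched": [], "missing": []}
    status = "Pass" if all(results) else "Fail"
    return {"status": status, "reason": "", "matched": matched, "missing": missing}


def run_job(policies, configs):
    """Audit every device against every policy and derive the Violation Count
    (distinct policies violated) and Instance Count (device/policy failures)."""
    rows = [(d, p, audit_device(policies[p], configs[d])) for d in configs for p in policies]
    failing = [(d, p) for d, p, r in rows if r["status"] == "Fail"]
    return {"results": rows,
            "violation_count": len({p for _, p in failing}),
            "instance_count": len(failing)}


if __name__ == "__main__":
    job = run_job(POLICIES, CONFIGS)
    for device, policy, result in job["results"]:
        print(f"{device} / {policy}: {result['status']} missing={result['missing']}")
    print("violation count:", job["violation_count"], "instance count:", job["instance_count"])
```

With the constructed data, r2 fails BGPPolicy because its router bgp block has no address-family ipv4 line, and r3 fails both policies; the job therefore reports a violation count of 2 (two distinct policies violated) and an instance count of 3 (three device/policy failures), which is the distinction Table 9-6 draws between the two fields. A policy line that is not a valid regular expression produces a Failure with the same reason text the guide lists among the audit failure causes, rather than a Pass or Fail.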
Table 9-7 Configuration Policy CLI Examples (continued)

SamplePolicy3
    Policy Description: Sample policy for global regex, first sub level CLI matching, and second sub level regex matching
    Policy CLI:
        router (.*)
         address-family ipv4 unicast
          network (.*)

SamplePolicy4
    Policy Description: Sample policy for fixed CLI matching
    Policy CLI:
        interface GigabitEthernet3/4
         address-family ipv4 unicast

Creating a Compliance Policy

To create a compliance policy:
Step 1 In the Configuration Policies page, click the Create icon.
Step 2 Provide the policy name and description.
Step 3 Enter the CLI commands that set up the baseline configuration for the policy. Each command can also be a valid, Java-based regular expression. See Table 9-7 for sample configuration CLIs.
Step 4 Make sure you follow the guidelines while entering the CLI commands. Click Guidelines to view these guidelines, as shown in Figure 9-22.

Figure 9-22 Create Configuration Policy - Showing Guidelines

Editing, Viewing, and Deleting Compliance Policies

In the Compliance Policies page, you can also do the following:
- Select a policy and click Edit to modify the policy description and CLI commands. You cannot modify the policy name. Keep the policy guidelines in mind while modifying the CLI commands.
- Select a policy and click View to view the policy name, description, and CLI commands.
- Select one or more policies and click Delete to delete the configuration policies. You cannot delete a policy if it is part of a scheduled audit job.

Scheduling a Compliance Audit

You can schedule compliance audit jobs to run immediately or at a later point in time.

Note: A maximum of 10 policies and 500 devices can be used when scheduling an audit job.

To schedule a compliance audit job:
Step 1 Choose Compliance Audit > Basic Audit. The Select Configuration Policies page lists the available configuration policies. You can search the configuration policies by using CLI strings.
Step 2 Select the desired configuration policy from the list and click Next.
Step 3 In the Select Devices page, select the devices that must be audited against the selected configuration policy, and then click Next.
Step 4 In the Schedule Audit page, provide a job name and the scheduling information for the compliance audit job. You can choose to run the audit job immediately or at a later point in time. A popup showing the gateway time is available to assist you in setting the time for the audit job.
Step 5 Click Audit. You are redirected to the Compliance Audit Jobs page.

Note: Once scheduled, you cannot edit the policies or devices that are part of the scheduled job.

Viewing Compliance Audit Jobs and Audit Results

The Compliance Audit Jobs page (Compliance Audit > Compliance Audit Jobs) provides the following details:
- Jobs: This table lists all compliance audit jobs submitted by the logged-in user. The ‘root’ user can view jobs submitted by other users by selecting the username from the table header.
- History: For a job selected in the Jobs table, this table lists all of its instances. You can select only one job at a time to view the history details.

You can select a job and click View to view the associated devices and policies, and the schedule for the selected audit job. You can also use this page to suspend, resume, cancel, delete, or reschedule a job.

To view the compliance audit job details and the audit result:

Step 1 Click the hyperlinked Last Run Result (Success/Partial Success/Failure) for a particular job in the Jobs table.
The Compliance Audit Job Details dialog box displays the job details and the audit results for each device and policy combination, as shown in Figure 9-23. The Job Results table includes the device audited, the policy against which the device was audited, the audit status, and the running configuration version used for the audit. A blue tick mark in the Status column indicates ‘Audit Pass’, and a red X indicates ‘Audit Fail’. Click the hyperlinked policy name to view the configuration policy details, including updates if the policy has been modified.

Note: For Cisco Nexus devices, the VDC name is also displayed in the Device Name column.
Figure 9-23 Compliance Audit Job Details

Step 2 Click the hyperlinked Status (Pass/Fail icon) in the Job Results table, or click the Success or Failure hyperlink in the Result field of the History table.

The Compliance Audit Result dialog box displays the audit result with the matching commands (for ‘Audit Pass’) and the discrepancies or missing commands (for ‘Audit Fail’) between the policy and the running configuration on the device. See Figure 9-24 for an example of the Compliance Audit Result dialog box for an ‘Audit Fail’ scenario.

Figure 9-24 Compliance Audit Result - Audit Fail
The matching commands are displayed in green (see Figure 9-25), while the discrepancies are displayed in red (see Figure 9-24). For a failed job, the Audit Result section also displays the reason why the audit was not successful, as shown in Figure 9-24. Some reasons for audit failure are:
- Failed to back up the running configuration of the device
- Device not reachable
- Unable to download the running configuration
- Device not under the scope of the user
- Policy is not available
- Invalid regular expression in the CLI

Figure 9-25 Compliance Audit Result - Audit Pass

Step 3 Click Export in the Job Results table to export the audit job results to a .csv file. You can view the job details and audit results in the exported file.

Checking Image Management, Device Management, and Compliance Audit Jobs

When a job is created, Prime Network assigns it a job specification ID and attaches a time stamp indicating when the job was created. Only the job creator and users with Administrator privileges can change the job settings.
Note: Whenever a CCM job is scheduled to run immediately, you are prompted either to stay on the same page or to be redirected to the Jobs page.

CCM also facilitates automatic e-mail notification of the status of CCM jobs upon completion, based on the e-mail option you set up in the Image Management Settings page. The notification is sent to the list of e-mail IDs configured either in the settings page or while scheduling the job.

Keep these items in mind when managing jobs:
- All jobs are scheduled based on the gateway time.
- If you choose two or more jobs and click Reschedule, the option defaults to Start as Soon as Possible. To view the original time and then reschedule, choose only one job and click Reschedule.
- Job properties cannot be edited; you must delete the old job and create a new one.
- Jobs are persisted even if the gateway server is restarted.
- Only the job creators and users with Administrator and Configurator privileges can perform the actions provided on the Jobs page (suspend, resume, reschedule, cancel, delete, refresh).
- Configuration and CCM jobs fail under the following conditions:
  – If the device is not under the scope of the user performing the config or image operation.
  – If the user is not authorized to perform the config or image operation.
- Running jobs cannot be suspended or canceled; you must let them complete.
- System-generated jobs cannot be modified. To change the settings, go to Settings > Global Settings > Period Export Options, and modify the options accordingly.
- Cancel stops all future instances of a job. To stop a job and resume it later, use Suspend and Resume.
- To view the history of a job, choose the job and view the history from the History tab at the bottom of the page. You cannot view the history of multiple jobs at the same time; choose only one job at a time.
Messages that can be used for debugging are saved in NETWORKHOME/XMP_Platform/logs/JobManager.log.

See these topics for job examples:
- Viewing the Results of a Compliance Audit Job and Running Fixes for Violations, page 9-60
- Viewing Compliance Audit Jobs and Audit Results, page 9-69