gelogic@gelogic.net

Documentation

Cisco Template Manager Documentation v0.3.3

Requirements

  • Unix/Linux compatible operating system with basic commands

Description of CTM

CTM is a set of tools which will help you to keep your Cisco configurations consistent and in accordance to pre-defined templates. You can check the configuration per device type or per device role. Since one device can serve in various roles in your network – e.g. Catalyst 3750ME can be defined as an L2 access switch, L3 IP router or a MPLS router, CTM will allow you to define different templates for each role.

With CTM you will have a unified configuration in your entire network, which is the basic building block of operational stability and security.

CTM consists of four main scripts for managing your templates:

  • ctm-conf-checker.sh
  • ctm-show-global-template.sh
  • ctm-show-template.sh
  • ctm-check-templates.sh

ctm-conf-checker.sh

The ctm-conf-checker.sh is the main script for checking Cisco configurations stored on local filesystem (not on Cisco device). The script checks your configuration against the pre-defined template(s) and prints the missing command(s) or command(s) that should be excluded and/or included in the configuration. The script does not make any changes in your config, just prints a report. It is then up to the user to make changes directly on the device.

ctm-show-global-template.sh

The ctm-show-global-template.sh is a support script that will print selected global configuration template.

ctm-show-template.sh

The ctm-show-template.sh will print an interface template. With small changes you can just copy-and-paste the interface configuration  template to the device.

ctm-check-templates.sh

This tool will show the template consistency report for all devices and roles. It supports two tests. The first mode called “report” will do the consistency check of the following issues:

  • check if the “device” directory is not empty
  • check if the “device” directory has at least one “role” directory
  • check if the global.model file exists
  • check if the global.template file exists
  • look for empty lines in files global(.model|.template|.exclude)
  • template files must contain “$” and/or “^” character
  • check if “sections” directory exists
  • check if “services” directory exists and is not empty
  • check if template triples are defined (.template, .model and .def)
  • check if .def file contains SERVICE_ID in FORMAT and EXAMPLE variables
  • check if .def file contains “FORMAT” variable
  • check if .def file contains “EXAMPLE” variable

The second mode called “duplicates” will do the following:

  • check for duplicated content between all templates. Use symbolic links to prevent duplicates.

From the main point of view it is important to have unified configuration in entire network. If you have duplicated content in multiple templates it is very tricky to keep the template up-to-date when you are trying to implement e.g. new rule to templates.

Use symbolic links from main template to the template(s) with the same content.

ctm-scheme-plain

Cisco Template Manager, will continuously check Cisco’s configuration in the following steps:

  1. Global configuration
  2. Section configuration(s)
  3. Interface configuration(s)

 

TEMPLATES

Template directory is specified in configuration file /etc/ctm/ctm.conf. The directory structure has the following meaning:

$TEMPLATE_DIR -> DEVICE -> ROLE -> TEMPLATES/SECTIONS

this should be intepreted as:

/etc/ctm/templates/ -> ME-C3750-24TE -> MPLS -> TEMPLATES/SECTIONS

in the real directory structure:

 /etc/ctm/templates/ME-C3750-24TE/MPLS/global.template or global.model
 /etc/ctm/templates/ME-C3750-24TE/MPLS/sections/line_vty_0_4

The ctm-show-global-template.sh and ctm-show-template.sh scripts are looking for available templates in $TEMPLATE_DIR.

 

DEVICE ROLE(s) – You can define your own roles for one device e.g.

"l2switch" - L3 switch with only L2 functions enabled (no ip routing)
"l3switch" - ROUTING SWITCH - L3 device with ip routing enabled
"MPLS"     - MPLS router in your core or aggregation part of network

 

GLOBAL TEMPLATES

To run CTM, one file must be present in template directory “global.template”.  If the optional file “global.exclude” exists,  check of the excluded command(s) is also executed. Model file “global.model”, where the template itself is defined is needed by ctm-show-global-template.sh script.

NOTE: Be sure to enter new line after the end of the template file. It is necessary to have a new line after the last line to accept all configuration lines.

 

SECTIONS

The templates of sections are stored in subdirectory called “sections”. The section names are derived from sub-configuration modes e.g. “line vty/router ospf/…”. The Cisco configuration file is parsed to separated files/sections. In the current version the following sections are supported:

^interface .*
^router .*
^line .*
^router-map .*
^ipv6 router .*
^class-map .*
^policy-map .*
^object-group .*

Section characters ‘ ‘ or ‘/’ are translated to character “_”. Example:

from: interface GigabitEthernet1/1/2  <- Interface configuration section
to  : interface_GigabitEthernet1_1_2  <- filename where the section template is stored

In configuration template are stored commands which are required. Also commands which should be excluded from the configuration are supported, just add a template “.exclude” suffix e.g. “interface_GigabitEthernet1_1_2.exclude”.  The template files supports regular expressions regexp (man egrep).

 

WILDCARDS

Configuration template file names supports the following wildcard characters (not supported for exclude function):

"_" -> any character (only one character)

Example: If you want to check the ospf process  100, 150, 333 and 400 with one template you do not need to create four templates. Rather use wildcard characters in template name e.g. “router_ospf____” this will match any ospf process number from “router ospf 000” to “router ospf 999” by one template.

Access List (ACL) Section

The CTM supports following ACL types:

  • access-list
  • ip access-list
  • ipv6 access-list
  • mac access-list

Main difference between common section files and ACL files is the way of checking. From CTM version 0.3.0 the template ACL and cisco ACL is compared with diff command which will ensure the right squence of every ACL line. The older stable versions 0.2.x were comparing only if the template line is located in “global.template”  not the right sequence of the line which is imporant  in the ACL definition.

 

INTERFACES AND SERVICES

Interface templates are stored in “services” directory because an interface is usually the connection point , where a particular service (for your employees, customers or for internal purpose) is provisioned. Name of the service is called “Service ID”. NOTE: CTM will check the service(s) configuration only on administratively enabled interfaces (e.g “no shutdown”). Selected interfaces have to have a tag in the description field with a defined service identification between [] braces. With following directives you are able to define which interface will CTM check for SERVICE_ID tag:

  • CHECK_IFACE_ETHERNET      (default enabled)
  • CHECK_IFACE_SERIAL      (default enabled)
  • CHECK_IFACE_VLAN      (default enabled)
  • CHECK_IFACE_PORT_CHANNEL  (default enabled)
  • CHECK_IFACE_LOOPBACK
  • CHECK_IFACE_TUNNEL
  • CHECK_IFACE_VIRT_TEMPLATE

 

NOTE: For security implications, the script is checking Vlan ID 1 (if a template is defined) even though is administratively shutdowned.

Three mandatory and one optional file must exist in order for the script to start checking the services:

“SERVICE_ID.model”

Model service configuration for and interface. This is the model (template) configuration for an interface.

“SERVICE_ID”

(no suffix) Mandatory interface configuration is stored in this file. Every line defined in this file must be present in the interface configuration section.

“SERVICE_ID.def”

Definition file with the “.def” suffix has the following format:

     FORMAT=""
     EXAMPLE=""

real example:

FORMAT="^### [[:alpha:]]*_[[:digit:]]{4}, [[:digit:]]{1,3}.bps, [ELINE_L3] ###$"
EXAMPLE="### NAME_XXXX, nnnMbps, [ELINE_L3] ###"

Optional:
“.exclude”

list of command(s) that should be excluded from configuration

Example of naming convections for SERVICE ID  “ELAN”:

ELAN_L2         <- Template file
ELAN_L2.def     <- Definition file
ELAN_L2.model   <- Model service configuration for interface
ELAN_L2.exclude <- Exclude file

Now it is time to align your configuration with self-defined templates using CTM.

 

First steps after installation:

The best way how to create a new global, section or interface template is to use “parseonly” argument in ctm-conf-checker.sh script. This option will only parse the cisco configuration file and make separated files in your home directory.
These files can be used as a global, section or service_id templates.

Please create your own templates global, section(s) or service(s). Take an inspiration from EXAMPLE sub-directory under the template directory or from the cymru web page if you are looking for a perfect and secure template. The fastest way to create all templates for your network with many device types is to create just templates for your main devices. For other devices with similar configuration or services just create symbolic link. E.g. If you already have configuration for a C3560 for example and the configuration is similar to other network devices, just create a symlink.

 

1. Copy EXAMPLE directory in the template path and select a name with your device type
e.g. “C3750ME”:

# cd /etc/ctm/templates
# cp EXAMPLE C3750ME

2. Copy/Rename the example role MPLS to your own role name e.g. “L2”

# cd C3750ME
# cp MPLS L2

3. Edit global template and model configuration (optional also .exclude)

4. Edit or create new services in the “services” sections in  “sections”.

 

Detailed look at the report:

The report is devided into three parts:

  • GLOBAL configuration
  • SECTION configuration
  • SERVICE configuration

In the “()” brackets is displayed sum of the error line(s) in section e.g.:

 GLOBAL configuration:
===================== 
(3) Missing command(s):
     ip domain-lookup
     system mtu routing 1600
     ip routing
(1) Other note(s):
     Incorrect format of description
     Your conf: "description ### Example XXX,  [NNI_AA_Access] ###"
     Should be: "description ### Example XYZ, [NNI_AA_Access] ###"

Report mode: COPY-AND-PASTE

Default report of error(s) and warning(s) is interpreted in “human” format to be easily readable by operator or administrator like this:

---%<---
(3) Missing command(s):
     ip domain-lookup
     system mtu routing 1600
     ip routing
---%<---

When the copy-and-paste mode is enabled, the report is ready to be copied and pasted directly to the terminal:

---%<---
 configure terminal
  ip domain-lookup
  system mtu routing 1600
  ip routing
 exit
---%<---

You can also specify pre-exec and post-exec commands variables. Pre-execution command(s) can be specified by one or multiple lines of variable COPY_AND_PASTE_PRE_EXEC[0] where the zero “0” is the first line. To enter more commands just copy the variable to the next line and increment the number in [] brackets.

Example:

COPY_AND_PASTE_PRE_EXEC[0]="enable"
COPY_AND_PASTE_PRE_EXEC[1]="configure terminal"

The default COPY_AND_PASTE_PRE_EXEC[0] is set to “configure terminal”.

Post-execution command(s) can be specified by one or multiple lines of variable COPY_AND_PASTE_POST_EXEC[0]=””

Example:

COPY_AND_PASTE_POST_EXEC[0]="end"
COPY_AND_PASTE_POST_EXEC[1]="write"
COPY_AND_PASTE_POST_EXEC[2]="quit"

The default COPY_AND_PASTE_POST_EXEC[0] is set to “end”.

This mode is supported from version 0.3.2 and higher. If you want to enable COPY-AND-PASTE mode, set the COPY_AND_PASTE_MODE option to “1” in the configuration file ctm.conf.

By default this option is disabled to be compatibile with previous versions. We recommend to have “copy and paste” mode enabled.