CTM is a set of tools that helps you keep your Cisco configurations consistent and in accordance with pre-defined templates. You can check the configuration per device type or per device role. Since one device can serve in various roles in your network (e.g. a Catalyst 3750ME can be defined as an L2 access switch, an L3 IP router or an MPLS router), CTM allows you to define different templates for each role.
With CTM you will have a unified configuration in your entire network, which is the basic building block of operational stability and security.
CTM consists of four main scripts for managing your templates:
The ctm-conf-checker.sh is the main script for checking Cisco configurations stored on the local filesystem (not on the Cisco device). The script checks your configuration against the pre-defined template(s) and prints the missing command(s), or the command(s) that should be excluded from and/or included in the configuration. The script does not make any changes to your config; it just prints a report. It is then up to the user to make the changes directly on the device.
The ctm-show-global-template.sh is a support script that prints the selected global configuration template.
The ctm-show-template.sh prints an interface template. With small changes you can simply copy-and-paste the interface configuration template to the device.
This tool shows the template consistency report for all devices and roles. It supports two modes. The first mode, called “report”, performs the consistency check for the following issues:
The second mode, called “duplicates”, does the following:
The main point is to have a unified configuration in the entire network. If the same content is duplicated in multiple templates, it is very tricky to keep the templates up to date, e.g. when you are trying to implement a new rule in them.
Use symbolic links from the main template to the template(s) with the same content.
Cisco Template Manager will continuously check the Cisco configuration in the following steps:
The template directory is specified in the configuration file /etc/ctm/ctm.conf. The directory structure has the following meaning:
$TEMPLATE_DIR -> DEVICE -> ROLE -> TEMPLATES/SECTIONS
this should be interpreted as:
/etc/ctm/templates/ -> ME-C3750-24TE -> MPLS -> TEMPLATES/SECTIONS
in the real directory structure:
/etc/ctm/templates/ME-C3750-24TE/MPLS/global.template or global.model
/etc/ctm/templates/ME-C3750-24TE/MPLS/sections/line_vty_0_4
The ctm-show-global-template.sh and ctm-show-template.sh scripts look for available templates in $TEMPLATE_DIR.
DEVICE ROLE(s) – You can define your own roles for one device, e.g.:
"l2switch" - L3 switch with only L2 functions enabled (no ip routing)
"l3switch" - ROUTING SWITCH - L3 device with ip routing enabled
"MPLS" - MPLS router in the core or aggregation part of your network
To run CTM, one file must be present in the template directory: “global.template”. If the optional file “global.exclude” exists, the check for excluded command(s) is also executed. The model file “global.model”, where the template itself is defined, is needed by the ctm-show-global-template.sh script.
NOTE: Be sure to end the template file with a newline. A newline after the last line is necessary for all configuration lines to be accepted.
The section templates are stored in a subdirectory called “sections”. The section names are derived from the sub-configuration modes, e.g. “line vty”, “router ospf”, etc. The Cisco configuration file is parsed into separate files (sections). In the current version the following sections are supported:
^interface .*
^router .*
^line .*
^router-map .*
^ipv6 router .*
^class-map .*
^policy-map .*
^object-group .*
The section characters ‘ ‘ (space) and ‘/’ are translated to the character “_”. Example:
from: interface GigabitEthernet1/1/2 <- interface configuration section
to: interface_GigabitEthernet1_1_2 <- filename where the section template is stored
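As an added illustration of this parsing step (example code, not CTM's own), the following POSIX shell splits a running-config into section files named by the rule above; it covers a subset of the section headers listed above and assumes the header line is kept as the first line of each section file:

```shell
#!/bin/sh
# Split a Cisco IOS configuration into one file per section, named the way
# the section templates are ("interface GigabitEthernet1/1/2" becomes
# interface_GigabitEthernet1_1_2). Constructed example in the spirit of the
# "parseonly" step, not CTM's own code. Assumed: the header line is kept as
# the first line of each section file.

# Translate a section header into its section/template file name.
ctm_section_file_name() {
    printf '%s\n' "$1" | tr ' /' '__'
}

# $1 = config file, $2 = output directory. A section starts at a line that
# matches one of the supported headers and ends at the next unindented line.
ctm_split_sections() {
    mkdir -p "$2"
    awk -v out="$2" '
        /^(interface|router|line|ipv6 router|class-map|policy-map|object-group) / {
            if (file != "") close(file)
            name = $0; gsub(/[ \/]/, "_", name)   # " " and "/" -> "_"
            file = out "/" name
            print > file
            next
        }
        !/^ / { if (file != "") close(file); file = ""; next }
        file != "" { print > file }
    ' "$1"
}

# Constructed running-config with three sections; prints the output directory.
ctm_demo_split() {
    d=$(mktemp -d)
    cat > "$d/running.conf" <<'EOF'
hostname SW1
!
interface GigabitEthernet1/1/2
 description ### CUST_0001, 100Mbps, [ELINE_L3] ###
 no shutdown
!
router ospf 100
 router-id 10.0.0.1
!
line vty 0 4
 transport input ssh
!
EOF
    ctm_split_sections "$d/running.conf" "$d/sections"
    echo "$d/sections"
}
```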
The configuration template stores the commands that are required. Commands that should be excluded from the configuration are supported as well: just add a template with the “.exclude” suffix, e.g. “interface_GigabitEthernet1_1_2.exclude”. The template files support regular expressions (see man egrep).
Configuration template file names support the following wildcard character (not supported for the exclude function):
"_" -> any single character
Example: If you want to check the OSPF processes 100, 150, 333 and 400 with one template, you do not need to create four templates. Use the wildcard character in the template name instead, e.g. “router_ospf____”; this matches any OSPF process number from “router ospf 000” to “router ospf 999” with one template.
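The following added example (not CTM's code) shows how a parsed section file can be checked against its template and “.exclude” file with egrep regexes, and how the “_” wildcard in a template name is resolved; the parsed/ and sections/ directories it builds are constructed for the demo:

```shell
#!/bin/sh
# Check a parsed section file against its template (one egrep regex per
# line) and optional ".exclude" file, and resolve the "_" wildcard in
# template names. Constructed example in the spirit of ctm-conf-checker.sh,
# not its code; the directory layout used by the demo is an assumption.

# True if section name $1 matches template name $2, where each "_" stands
# for any one character (router_ospf____ matches router_ospf_100, not _10).
ctm_template_matches() {
    printf '%s\n' "$1" | grep -Eqx "$(printf '%s' "$2" | sed 's/_/./g')"
}

# Print every template rule ($2) that no line of the section ($1) matches.
ctm_missing_commands() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        grep -Eq -- "$rule" "$1" || printf '%s\n' "$rule"
    done < "$2"
}

# Print every section ($1) line that matches a rule of the exclude file ($2).
ctm_excluded_commands() {
    [ -f "$2" ] || return 0
    grep -E -f "$2" "$1" || true
}

# Report in the checker's style: the count in () is the number of lines.
ctm_report_section() {
    missing=$(ctm_missing_commands "$1" "$2")
    extra=$(ctm_excluded_commands "$1" "$2.exclude")
    n=$(printf '%s\n' "$missing" | awk 'NF { c++ } END { print c + 0 }')
    x=$(printf '%s\n' "$extra" | awk 'NF { c++ } END { print c + 0 }')
    printf '(%s) Missing command(s):\n%s\n' "$n" "$missing"
    printf '(%s) Excluded command(s) found:\n%s\n' "$x" "$extra"
}

# Constructed "line vty 0 4" section, its template and its exclude file.
ctm_demo_templates() {
    d=$(mktemp -d); mkdir -p "$d/parsed" "$d/sections"
    printf 'line vty 0 4\n exec-timeout 5 0\n transport input telnet ssh\n' \
        > "$d/parsed/line_vty_0_4"
    printf '^ exec-timeout [0-9]+ [0-9]+$\n^ access-class [0-9]+ in$\n^ transport input ssh$\n' \
        > "$d/sections/line_vty_0_4"
    printf '^ transport input .*telnet\n' > "$d/sections/line_vty_0_4.exclude"
    echo "$d"
}
```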
CTM supports the following ACL types:
The main difference between common section files and ACL files is the way they are checked. Since CTM version 0.3.0 the template ACL and the Cisco ACL are compared with the diff command, which ensures the right sequence of every ACL line. The older stable versions 0.2.x only checked whether the template line was present in “global.template”, not the sequence of the lines, which is important in an ACL definition.
Interface templates are stored in the “services” directory because an interface is usually the connection point where a particular service (for your employees, customers or for internal purposes) is provisioned. The name of the service is called the “Service ID”. NOTE: CTM checks the service configuration only on administratively enabled interfaces (i.e. “no shutdown”). The selected interfaces must have a tag in the description field with the defined service identification between [] braces. With the following directives you define which interfaces CTM checks for the SERVICE_ID tag:
NOTE: Because of the security implications, the script checks Vlan ID 1 (if a template is defined) even though it is administratively shut down.
Three mandatory files must exist in order for the script to start checking the services; a fourth file is optional:
Model service configuration for an interface. This is the model (template) configuration for an interface.
(no suffix) The mandatory interface configuration is stored in this file. Every line defined in this file must be present in the interface configuration section.
The definition file with the “.def” suffix has the following format:
FORMAT=""
EXAMPLE=""
real example:
FORMAT="^### [[:alpha:]]*_[[:digit:]]{4}, [[:digit:]]{1,3}.bps, [ELINE_L3] ###$"
EXAMPLE="### NAME_XXXX, nnnMbps, [ELINE_L3] ###"
Optional:
“.exclude” - list of command(s) that should be excluded from the configuration
Example of the naming conventions for SERVICE ID “ELAN”:
ELAN_L2 <- Template file
ELAN_L2.def <- Definition file
ELAN_L2.model <- Model service configuration for the interface
ELAN_L2.exclude <- Exclude file
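An added example (not CTM's code) of the service check described above: it skips shut-down interfaces except Vlan1, reads the tag between [] from the description and checks the description against the .def FORMAT. The FORMAT used here escapes the [] braces so egrep matches them literally, which is an assumption about how the definition is meant to be written:

```shell
#!/bin/sh
# Service-ID check for parsed interface sections: only enabled interfaces
# (plus Vlan1) are checked, the tag between [] in the description selects
# services/<ID>.def, and the description must match that file's FORMAT.
# Constructed example in the spirit of ctm-conf-checker.sh, not its code;
# the FORMAT below escapes the [] so egrep matches them literally.

# Print the service id found between [] in the description line, if any.
ctm_service_id() {
    sed -n 's/^ description .*\[\([^]]*\)].*/\1/p' "$1" | head -n 1
}

# True for interfaces without "shutdown"; Vlan1 is always checked.
ctm_interface_enabled() {
    grep -q '^interface Vlan1$' "$1" && return 0
    ! grep -q '^ shutdown$' "$1"
}

# $1 = section file, $2 = services directory. Prints the report lines and
# returns 1 on a format mismatch; prints nothing and returns 0 otherwise.
ctm_check_description() {
    ctm_interface_enabled "$1" || return 0
    id=$(ctm_service_id "$1")
    [ -n "$id" ] && [ -f "$2/$id.def" ] || return 0
    . "$2/$id.def"          # the .def file is shell syntax: FORMAT="" EXAMPLE=""
    desc=$(sed -n 's/^ description //p' "$1" | head -n 1)
    printf '%s\n' "$desc" | grep -Eq "$FORMAT" && return 0
    printf 'Incorrect format of description\nYour conf: "description %s"\nShould be: "description %s"\n' \
        "$desc" "$EXAMPLE"
    return 1
}

# Constructed template tree plus three parsed interface sections (good,
# wrong format, and shut down); prints the directory.
ctm_demo_services() {
    d=$(mktemp -d); mkdir -p "$d/services" "$d/parsed"
    cat > "$d/services/ELINE_L3.def" <<'EOF'
FORMAT="^### [[:alpha:]]*_[[:digit:]]{4}, [[:digit:]]{1,3}.bps, \[ELINE_L3\] ###$"
EXAMPLE="### NAME_XXXX, nnnMbps, [ELINE_L3] ###"
EOF
    printf 'interface GigabitEthernet1/1/2\n description ### CUST_0001, 100Mbps, [ELINE_L3] ###\n no shutdown\n' \
        > "$d/parsed/interface_GigabitEthernet1_1_2"
    printf 'interface GigabitEthernet1/1/3\n description ### Cust-0002, 1Gbps, [ELINE_L3] ###\n' \
        > "$d/parsed/interface_GigabitEthernet1_1_3"
    printf 'interface GigabitEthernet1/1/4\n description bad [ELINE_L3]\n shutdown\n' \
        > "$d/parsed/interface_GigabitEthernet1_1_4"
    echo "$d"
}
```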
Now it is time to align your configuration with self-defined templates using CTM.
The best way to create a new global, section or interface template is to use the “parseonly” argument of the ctm-conf-checker.sh script. This option only parses the Cisco configuration file and creates separate files in your home directory.
These files can be used as global, section or service_id templates.
Create your own global, section and service templates. Take inspiration from the EXAMPLE sub-directory under the template directory, or from the Cymru web page if you are looking for a perfect and secure template. The fastest way to create all templates for a network with many device types is to create templates only for your main devices; for other devices with a similar configuration or services, just create a symbolic link. E.g. if you already have a configuration for a C3560 and it is similar to that of other network devices, just create a symlink.
1. Copy the EXAMPLE directory in the template path and choose a name matching your device type, e.g. “C3750ME”:
# cd /etc/ctm/templates
# cp -r EXAMPLE C3750ME
2. Copy/rename the example role MPLS to your own role name, e.g. “L2”:
# cd C3750ME
# cp -r MPLS L2
3. Edit the global template and model configuration (optionally also .exclude).
4. Edit or create new services in the “services” directory inside “sections”.
The report is divided into three parts:
The number in the “()” brackets is the count of error line(s) in the section, e.g.:
GLOBAL configuration:
=====================
(3) Missing command(s):
ip domain-lookup
system mtu routing 1600
ip routing
(1) Other note(s):
Incorrect format of description
Your conf: "description ### Example XXX, [NNI_AA_Access] ###"
Should be: "description ### Example XYZ, [NNI_AA_Access] ###"
Report mode: COPY-AND-PASTE
The default report of error(s) and warning(s) is printed in a “human” format that is easy for an operator or administrator to read, like this:
---%<---
(3) Missing command(s):
ip domain-lookup
system mtu routing 1600
ip routing
---%<---
When copy-and-paste mode is enabled, the report is ready to be copied and pasted directly into the terminal:
---%<---
configure terminal
ip domain-lookup
system mtu routing 1600
ip routing
exit
---%<---
You can also specify pre-exec and post-exec command variables. Pre-execution command(s) are specified by one or more lines of the variable COPY_AND_PASTE_PRE_EXEC[0], where the zero “0” is the first line. To enter more commands, copy the variable to the next line and increment the number in the [] brackets.
Example:
COPY_AND_PASTE_PRE_EXEC[0]="enable"
COPY_AND_PASTE_PRE_EXEC[1]="configure terminal"
The default COPY_AND_PASTE_PRE_EXEC[0] is set to “configure terminal”.
Post-execution command(s) are specified by one or more lines of the variable COPY_AND_PASTE_POST_EXEC[0]=””
Example:
COPY_AND_PASTE_POST_EXEC[0]="end"
COPY_AND_PASTE_POST_EXEC[1]="write"
COPY_AND_PASTE_POST_EXEC[2]="quit"
The default COPY_AND_PASTE_POST_EXEC[0] is set to “end”.
This mode is supported in version 0.3.2 and higher. To enable COPY-AND-PASTE mode, set the COPY_AND_PASTE_MODE option to “1” in the configuration file ctm.conf.
By default this option is disabled to stay compatible with previous versions. We recommend having “copy and paste” mode enabled.