I could use some help with creating a regular expression that the config change report ignores during it's comparison. Basically, I have Cirrus comparing the most recent config downloaded with the latest baseline. The problem is that the running configuration of my cisco devices has the crypto key listed in the config, and in the startup, the crypto key doesn't exist. I would like to exclude this section from even being compared, but my regular expression knowledge is severely lacking. I'm guessing there is a way for me to exclude the following:
crypto ca certificate chain TP-self-signed-1667691779 certificate self-signed 01 3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 31363637 36393137 3739301E 170D3036 30383036 31303234 35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36363736 39313737 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B4CA F3563FC5 43010A48 B075619E A7DE4790 AF982EF5 5402B501 207DB313 67C78E80 CCD4CBA7 D2214222 055D8CBF A676A6A3 64C0B6C2 2247D76C C4C60202 EFCA453E 5848D707 16D2940D C7384BBE 6BA52028 5F1CD47F C66CFD7B EF51188D 8AF9B9E9 D4DFB645 1D36E2B0 1D2B6BDE CF00F2FB 149AA487 7CF2FD66 74A4D032 CDFB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304 18301680 14797F79 CD395C9D 9BBBF477 BE2CB863 2BD9D2B3 DA301D06 03551D0E 04160414 797F79CD 395C9D9B BBF477BE 2CB8632B D9D2B3DA 300D0609 2A864886 F70D0101 04050003 8181007B 9EB45922 73A18372 A31736D2 DA9089FD 760DE6D1 0B50007E 05BA8328 D8A48A76 5B68D3EE 69BA29BD 89D63CE8 6BEF5ECE 05DC7804 FAE7DA90 716CB0C5 40BBCB21 8BFDE99D AF3E4D35 796BFA05 FF5F3000 78368944 B9BA15C8 F017126D 7AF337D0 88F38689 57F73A18 7509491A F3060E3A D0F1BCE8 4C110ECF 9A016242 7758E3 quit
Is there a way to exclude everything to "quit" and what would it look like? Any help would be appreciated.
Actually I'm haivng the same issue. I've tried several things that I thought SHOULD work but none have been successful.
Has anyone come up with an answer to this? I have a few dozen 3750 stacks that I get an e-mail every morning that say something has changed when it hasn't. I need to find a way to ignore this when the comparison is run.
Make sure you baseline the startup config and then have the change report do the comparison on the baseline config.
pyro13g:I'm convinced the regular expressions don't work for config compares. I can't even get it to ignore the certificate self-signed line.
Just to clarify, in Config Comparison Criteria, multi-line regular expressions are not currently possible. However, single line ignores should work just fine.
The every-changing certificate self-signed line in your Cisco configs is something we're working on explicitly addressing as part of 5.1.
Hang on, got it to ignore it. Forgot that there are special rules with config compares. Something about an ignored line above or below a non ignored line results in both lines being printed
I created three rules:
certificate
quit
\d*
Now the change is not reported. Guess I eat crow! lol.
Uh Oh, scratch that, \d* ignores every line. Back to drawing board
I have an open ticket regarding this problem (#63311). I fired off an email to support on 10/21 regarding a possible work around that I found in one of the Cisco TAC newsletters, but haven't heard anything back yet. Here's what I found:
1. Type "term len 0" in privileged mode to set your terminal to display without any breaks.2. Type "show run" or "show start" to show the applicable config. The config will display without any breaks or pauses. To display the config without lengthy certificate data, use "show run brief". This is useful for capturing the complete config for documentation purposes, especially if you do not have access via TFTP or the like. - Ryan Sweet, Aubeta Networks, Seattle, WA, USA
To display the config without lengthy certificate data, use "show run brief".
This is useful for capturing the complete config for documentation purposes, especially if you do not have access via TFTP or the like.
- Ryan Sweet, Aubeta Networks, Seattle, WA, USA
This only works on my 3550 and 3750 switches and not for the 2900/2950/3500XL series. Any idea how we could put this to work in OrionNCM before a possible fix for v5.1?
--greg
If you want to use "show run brief" instead of "show running" for your config file, you can edit the appropriate Cisco device template (<install dir>\Configuration Management\DeviceTypes).
Change this line:
<Command Name="Running" Value="running"/>
To:
<Command Name="Running" Value="running-brief"/>
NOTE: Based on my research, the "show running-brief" command is only available for IOS 12.3(7)T release or later.
Does Cirrus V4 not support true regex? I've tried creating all of the following strings, but it does not ignore the cert (And even more basic variations of the regex, such as [A-F0-9]+ don't seem to match):
certificate self-signed[A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{8} [A-F0-9]{4} quit
As noted in my earlier post above:
The four lines above were created as separate regex filters in the config change report; I would think that each line would be treated and processed individually. On Cirrus 4.01, it appears that the regular expressions may be broken (Unless you can spot a problem).