Golden Configuration (IOS) - Golden Configuration Template
  • 18 Oct 2024
  • Dark
    Light
  • PDF

Golden Configuration (IOS) - Golden Configuration Template

  • Dark
    Light
  • PDF

Article summary

CG Title

In this module, we will begin by creating a simple Golden Configuration Tree and pulling in the current configuration on our device.

 

Basic Golden Configuration Video  

Step 1

From the Configuration Manager page, click the + in the upper left navigation menu. 

(Note: This will open the Configuration Manager Create window which can be accessed from any page within Configuration Manager).

Step 2

The Create window opens. Click on the dropdown and select Golden Configuration.

Step 3

Enter Lab-Golden Configuration-XX (XX represent your initials). Select Cisco-IOS from the OS Type dropdown. Click Create.

Step 4

The Golden Configuration opens with a base node. This will provide a base configuration to all child nodes. You'll note the page includes three tabs, Node Details, Configuration and Manage Devices. Additional information for each is provided below:

  • The Node Details tab provides a Node Compliance bar that shows the compliance percentage for all devices in the node combined. Hovering over the bar displays a list of devices that failed or succeeded in meeting compliance.
  • The Configuration tab allows you to edit the Golden Configuration associated with a selected node, as well as the Configuration Variables for the tree.
  • The Manage Devices tab allows you to associate network devices with the selected Configuration Node.

Click the Configuration tab.

Step 5

Click the Import Configuration button in the tool bar.

Step 6

Click the + button for the IOS device. 

Step 7

Click the Save Icon. Next, Click the Manage Devices tab.

Step 8

Click the Add Devices Button. 

Step 9

Click the + to add the IOS Device, then click Apply at the bottom of the window. 

Step 10

To the right of IOS, hover your mouse over the ellipses and click Run Compliance. IAP will run a compliance check of the IOS device's configuration against the Base Node configuration. 

Step 11

Once the compliance check is complete, you will see a compliance bar chart next to the device that visually illustrates it's percent configuration compliance of the most recent compliance report. Click the ellipses and click View Compliance.

Step 12

The Compliance and Reporting window provides the total number of rules evaluated and if any included Error, Warning, or Info severity alerts. It also provides an overall pass or fail grade for this compliance report. Click the Bar Graph icon in the upper right. 

Step 13

Hover your mouse over the bar chart. The Compliance History graph shows how many warnings, issues, errors and passes were computed in the compliance report. The blue line represents the percentage of rules in compliance for each compliance report. Additional compliance reports will be shown that will provide you with a graphical representation of either configuration drift or progress towards network compliance over time. Clicking the table icon in the upper will take you back to the Compliance and Reporting window. Click Cancel.

Step 14

Now that we have built out the basic configuration for our device, let's make some changes to the Golden Configuration to show what it looks like when a device is out of compliance.

Click the Configuration tab.

Step 15

In line 2 of the configuration, click on version 17.3. Then hover your cursor over the Evaluation Mode icon in the tool bar and select Disallow {d/}. Note, the default severity level for this is Warn

Step 16

Next, click on hostname in line 10 of the configuration. Hover your cursor over the Evaluation Mode icon in the tool bar and select Disallow {d/}. Next, hover your cursor over the Severity Level icon in the tool bar and select Error <e/>. 

Step 17

Click the Save icon, then click the Manage Devices tab.

Step 18

To the right of IOS, hover your mouse over the ellipses and click Run Compliance

Step 19

The Compliance bar chart now shows that some of the reports have errors and warnings. Hover your mouse over the ellipses and click View Compliance

Step 20

The Compliance and Reporting window provides you with specific information on the reports with an Error and Warning status. You can use the check boxes in the Configuration Errors section to filter down tickets for a specific reporting status. 

Click the dropdown to the right of the first Configuration Error

Step 21

Remediation options to return this device to a compliant state are provided. Click the Bar Graph icon in the upper right. 

Step 22

The Compliance History graph presents both of the compliance reports completed against the IOS device. You can see the gradual configuration drift represented in the graph by the blue line at the top of the graph decreasing from 100% to 97.92%. 

Step 23

Hover your cursor over the second bar graph. Here you can see the specifics of the report including the number of reports that passed, those with an alert status of info, warning and error. It will also show you the overall score of your compliance report. Click Cancel.

   

Advanced Golden Configuration Video 

Step 24

For the final exercise, you will create a more advanced Golden Configuration that involves variables and Jinja2 templating. 

Click the + in the upper left navigation menu. 

Step 25

The Create window opens. Click on the dropdown and select Golden Configuration.

Step 26

Enter Lab-Advanced Golden Configuration-XX (XX represent your initials). Select Cisco-IOS from the OS Type dropdown. Click Create.

Step 27

Next, you will add two child nodes. Hover your mouse over the ellipses to the right of the Base Node. Click Add Child to add a Child Node. Add a second Child Node.

Step 27

Hover your mouse over the ellipses to the right of the first Child Node. Click Rename. Enter East for the name and click the blue check mark icon to save it.

Step 28

Hover your mouse over the ellipses to the right of the second Child Node. Click Rename. Enter West for the name and click the blue check mark icon to save it.

Step 29

Click on the Base Node, then Configuration Tab

Step 30

Copy the configuration data provided below and paste into the Configuration Window. Click the Save Icon.

service password-encryption
<e/>hostname {{hostname}}
version {/17.[2-8]/}
ip ssh rsa keypair-name ssh-key
ip ssh version 2
line vty 0 4
 transport input ssh
{d/}vlan 1031
   {d/}name vlan1031
{% for i in interfaces %}
interface GigabitEthernet{{i.id}}
 ip address dhcp
 ip nat outside
 {d/}negotiation auto
 {d/}no mop enabled
 no mop sysid
{% endfor %}

Step 31

Click on the East Node, then Configuration tab. Copy the configuration data provided below and paste into the Configuration Window below the existing configuration. The blue vertical line in the configuration window shows the configuration that was inherited from the Base Node. The green vertical line shows the configuration specific to the East Node

Click the Save Icon. 

snmp-server community east01 RO

Step 32

Click on the Show Variables icon in the upper right of the Configuration Window.

Step 33

Copy the variables provided below. Paste them into the Variables window on the right side of the page. 

{
  "hostname": "test",
  "interfaces": [
    {
      "id": "1"
    },
    {
      "id": "2"
    }
  ]
}

Step 34

Click the Save icon in the upper right of the Variables window, then click the Manage Devices tab for the East Node

Step 35

Then click Add Devices

Step 36

Click the next to the IOS Device. Then click Apply.

Step 37

Hover your mouse over the ellipses to the right of the IOS Device and click Run Compliance


Step 38

The chart lists the number of compliance reports that passed in addition to warnings and errors. Hover your mouse over the ellipses to the right of the IOS Device and click View Compliance

Step 39

The Compliance and Reporting window provides the list of reports with error and warning statuses. It also shows an overall grade for the compliance report, in this case Fail. 

You can use the check boxes in the Configuration Errors section to filter down tickets for a specific reporting status.

Click the Bar Graph icon in the upper right. 

 

Step 40

The Compliance History graph shows how many warnings, issues, errors and passes were computed in the compliance report. The blue line represents the percentage of rules in compliance for each compliance report. Additional compliance reports will be shown that will provide you with a graphical representation of either configuration drift or progress towards network compliance over time.

Hover your mouse over the bar graph.

Step 41

 Here you can see the specifics of the report including the number of reports that passed, those with an alert status of info, warning and error. It will also show you the overall score of your compliance report. Click Cancel





Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.