Login
Contents x
Golden Configuration (IOS) - Golden Configuration Template
  • 18 Oct 2024
  • Dark
    Light
  • PDF
Contents

Golden Configuration (IOS) - Golden Configuration Template

  • Updated on 18 Oct 2024
  • Dark
    Light
  • PDF
Article summary

We are now ready to create a Golden Configuration.  We will begin by creating a simple Golden Configuration Tree, pulling in the current configuration of our device.  

Basic Golden Configuration Video  

Step 1

From Configuration Manager, click the + in the upper left navigation menu to open the Create Window.

Step 2

From the dropdown, select Golden Configuration.  Enter Lab - Golden Configuration – XX for the name and select cisco-ios from the OS Type dropdown. Click Create.

Step 3

The Golden Configuration opens with a base node.  This will provide a base configuration to all child nodes that are added to the base node.  Golden Configurations have 3 available tabs: Node Details, Configuration, and Devices and Groups.

  • The Node Details tab displays information about the current state of the selected node.
  • The Configuration tab allows you to define the node’s baseline configuration.
  • The Devices and Groups tab allows you to add and manage devices or device groups for the selected node.

Select the Configuration tab.

Step 4

Click the Import Configuration button in the toolbar to open the Import Device Configuration window.  

Step 5

Locate the IOS device and click the to add the device configuration to the Configuration tab.  

Step 6

Click Save to save the configuration.  Next, we need to add devices.  Click the Devices and Groups tab.

 Step 7

We would like to add an individual device to our Golden Configuration.  On the Devices tab, click the Add Devices button.   Locate the IOS device and select it. Click Add.

Step 8

The IOS device has been added to the Golden Configuration.  Hover your cursor over the ellipses for the IOS device and select Run Compliance.  IAP will run a compliance check on the IOS device configuration against the base node configuration.

Step 9

Once the compliance check is complete, you will see a compliance bar graph next to the device that visually illustrates it is in full compliance.  Hover your mouse over the ellipses and click View Compliance.

Step 10

The Compliance and Reporting window provides the total number of rules evaluated, and if there are any Error, Warning, or Info severity alerts.  It also provides an overall pass or fail grade for the compliance report.  Click the Bar Graph icon in the upper right corner.

Step 11

Hover your mouse over the bar graph.  The Compliance History graph shows how many rules had warning, info, or error alerts, and how many rules passed. The blue line represents the compliance score for the compliance report.  

Step 12

When run, additional compliance reports will be shown that provide a graphical representation of either configuration drift or progress towards network compliance over time.  

Step 13 

Clicking the table icon in the upper right corner will take you back to the Compliance and Reporting window.  Click Cancel.

Step 14

Now that we have built out the basic configuration for our device, let’s make some changes to the Golden Configuration to see what it looks like when a device is out of compliance.   Click the Configuration tab.

Step 15

In line 2 of the configuration, click on version 17.3.  Then hover your cursor over the Evaluation Mode icon in the toolbar and select Disallow {d/}, which means the line must not exist in the device’s running configuration.

Note:  The default severity level, which reflects a weight value used when calculating a devices configuration grade, is set to Warning.

Step 16

Next, click on hostname in line 10 of the configuration.  Hover your cursor over the Evaluation Mode icon in the toolbar and select Disallow {d/}.  Hover your cursor over the Severity Level icon in the toolbar and select Error <e/>.   Click Save and then navigate to the Devices and Groups tab.

 Step 17

Hover your cursor over the ellipses for the IOS device and select Run Compliance

Step 18

The Compliance bar graph now shows that some of the rules have errors and warnings.   Hover your mouse over the ellipses and click View Compliance.

Step 19

The Compliance and Reporting window again provides the total number of rules evaluated, the number of violations, and an overall pass or fail grade.  You can use the check boxes in the Configuration Errors section to filter violations by severity or evaluation mode, which can be remediated by a workflow.

 Step 20

Click the bar graph icon in the upper right of the window.  The Compliance History graph presents both compliance reports completed against the IOS device. You can see the gradual configuration drift represented in the graph by the blue line at the top of the graph decreasing from 100% to 98%.  

Step

Hover your cursor over the second bar graph.  Here you can see the specifics of the report, including the number of rules that passed, and those with an alert status of info, warning, and error.  It will also show you the overall score of your compliance report.   

Click Cancel.

Next, we will look at an advanced Golden Configuration.

Advanced Golden Configuration Video

Step 21

For the final exercise, we will create a more advanced Golden Configuration that involves variables and Jinja2 templating. Click the in the upper left navigation menu. 

Step 22

In the Create window, select Golden Configuration from the dropdown.  Enter Lab - Advanced Golden Configuration – XX for the name, and select cisco-ios from the OS Type dropdown.   Click Create.

Step 23

Next, you will add two child nodes.  Child nodes inherit the configuration of their parent node by default and can also be specialized after creation.  Hover your mouse over the ellipses to the right of the base node and select Add child to add a child node.  Repeat the process to add a second child node.

Step 24

Hover your mouse over the ellipses to the right of the first child node and select Rename.  Enter East for the name and click the blue check mark to save the changes.  Repeat the process to name the second child node West

Step 25

Select the base node, and then the Configuration Tab.  Copy the configuration data provided and paste it into the Configuration window.  Click Save.

service password-encryption
<e/>hostname {{hostname}}
version {/17.[2-8]/}
ip ssh rsa keypair-name ssh-key
ip ssh version 2
line vty 0 4
 transport input ssh
{d/}vlan 1031
   {d/}name vlan1031
{% for i in interfaces %}
interface GigabitEthernet{{i.id}}
 ip address dhcp
 ip nat outside
 {d/}negotiation auto
 {d/}no mop enabled
 no mop sysid
{% endfor %}


Step 26

Click on the East node, and then the Configuration tab.  Notice the configuration from the base node has been inherited.  Copy the configuration data provided and paste it into the Configuration window below the existing configuration.  The blue vertical line shows the configuration inherited from the base node, and the green vertical line shows the configuration specific to the East node.   Click Save.

snmp-server community east01 RO

Step 27

You can add flexibility to your configuration by defining variables for values that may be dynamic, such as hostnames and interface numbers.  To do so, click the Show Variables icon in the upper right of the Configuration window.  Copy the variables provided and paste them into the Variables window on the right side of the page.  

{
  "hostname": "test",
  "interfaces": [
    {
      "id": "1"
    },
    {
      "id": "2"
    }
  ]
}

Step 28

Click the Save icon in the upper right of the Variables window and then navigate to the Devices and Groups tab for the East node.

Step 29

Click the Add Devices button on the Devices tab.  Locate the IOS device and select it.  Click Add.

Step 30

Hover your mouse over the ellipses and click Run Compliance.  

Step 31

The Compliance bar graph shows that some of the rules have errors and warnings.  Hover your cursor over the ellipses and click View Compliance.

Step 32

The Compliance and Reporting window again provides the total number of rules evaluated, the number of violations, and an overall pass or fail grade.  You can use the check boxes in the Configuration Errors section to filter down violations by severity or evaluation mode, which can be remediated by a workflow.

Step 33

Click the Bar Graph icon in the upper right.

Step 34

The Compliance History graph shows how many rules had warning, info, or error alerts, and how many rules passed.  The blue line represents the compliance score for the compliance report.  

Step 35

When run, additional compliance checks will be shown that provide a graphical representation of either configuration drift or progress towards network compliance over time.  

Step 36

Hover your mouse over the bar graph.  Here you can see the specifics of the report including the number of rules that passed, and those with an alert status of info, warning, and error.  It will also show you the overall score of your compliance report.  Click Cancel.  

This concludes the Golden Configuration use-case.

Was this article helpful?
What's Next
Privacy Policy
Cookie Policy
Terms of Use
EULA
Copyright © 2022 Itential for Developers
Change password!
Changing your password will log you out immediately. Use the new password to log back in.
Change profile
Success!
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
Logout