Golden Configuration (IOS) - Golden Configuration Template
Updated on 18 Oct 2024
We are now ready to create a Golden Configuration. We will begin by creating a simple Golden Configuration Tree, pulling in the current configuration of our device.
Basic Golden Configuration Video
Step 1
From Configuration Manager, click the + in the upper left navigation menu to open the Create Window.
Step 2
From the dropdown, select Golden Configuration. Enter Lab - Golden Configuration – XX for the name and select cisco-ios from the OS Type dropdown. Click Create.
Step 3
The Golden Configuration opens with a base node. This will provide a base configuration to all child nodes that are added to the base node. Golden Configurations have 3 available tabs: Node Details, Configuration, and Devices and Groups.
- The Node Details tab displays information about the current state of the selected node.
- The Configuration tab allows you to define the node’s baseline configuration.
- The Devices and Groups tab allows you to add and manage devices or device groups for the selected node.
Select the Configuration tab.
Step 4
Click the Import Configuration button in the toolbar to open the Import Device Configuration window.
Step 5
Locate the IOS device and click the + to add the device configuration to the Configuration tab.
Step 6
Click Save to save the configuration. Next, we need to add devices. Click the Devices and Groups tab.
Step 7
We would like to add an individual device to our Golden Configuration. On the Devices tab, click the Add Devices button. Locate the IOS device and select it. Click Add.
Step 8
The IOS device has been added to the Golden Configuration. Hover your cursor over the ellipses for the IOS device and select Run Compliance. IAP will run a compliance check on the IOS device configuration against the base node configuration.
Step 9
Once the compliance check is complete, you will see a compliance bar graph next to the device that visually illustrates it is in full compliance. Hover your mouse over the ellipses and click View Compliance.
Step 10
The Compliance and Reporting window provides the total number of rules evaluated, and if there are any Error, Warning, or Info severity alerts. It also provides an overall pass or fail grade for the compliance report. Click the Bar Graph icon in the upper right corner.
Step 11
Hover your mouse over the bar graph. The Compliance History graph shows how many rules had warning, info, or error alerts, and how many rules passed. The blue line represents the compliance score for the compliance report.
Step 12
When run, additional compliance reports will be shown that provide a graphical representation of either configuration drift or progress towards network compliance over time.
Step 13
Clicking the table icon in the upper right corner will take you back to the Compliance and Reporting window. Click Cancel.
Step 14
Now that we have built out the basic configuration for our device, let’s make some changes to the Golden Configuration to see what it looks like when a device is out of compliance. Click the Configuration tab.
Step 15
In line 2 of the configuration, click on version 17.3. Then hover your cursor over the Evaluation Mode icon in the toolbar and select Disallow {d/}, which means the line must not exist in the device’s running configuration.
Note: The default severity level, which reflects the weight value used when calculating a device's configuration grade, is set to Warning.
Step 16
Next, click on hostname in line 10 of the configuration. Hover your cursor over the Evaluation Mode icon in the toolbar and select Disallow {d/}. Hover your cursor over the Severity Level icon in the toolbar and select Error <e/>. Click Save and then navigate to the Devices and Groups tab.
Step 17
Hover your cursor over the ellipses for the IOS device and select Run Compliance.
Step 18
The Compliance bar graph now shows that some of the rules have errors and warnings. Hover your mouse over the ellipses and click View Compliance.
Step 19
The Compliance and Reporting window again provides the total number of rules evaluated, the number of violations, and an overall pass or fail grade. You can use the check boxes in the Configuration Errors section to filter violations by severity or evaluation mode; these violations can be remediated by a workflow.
Step 20
Click the bar graph icon in the upper right of the window. The Compliance History graph presents both compliance reports completed against the IOS device. You can see the gradual configuration drift represented in the graph by the blue line at the top of the graph decreasing from 100% to 98%.
Step
Hover your cursor over the second bar graph. Here you can see the specifics of the report, including the number of rules that passed, and those with an alert status of info, warning, and error. It will also show you the overall score of your compliance report.
Click Cancel.
Next, we will look at an advanced Golden Configuration.
Advanced Golden Configuration Video
Step 21
For the final exercise, we will create a more advanced Golden Configuration that involves variables and Jinja2 templating. Click the + in the upper left navigation menu.
Step 22
In the Create window, select Golden Configuration from the dropdown. Enter Lab - Advanced Golden Configuration – XX for the name, and select cisco-ios from the OS Type dropdown. Click Create.
Step 23
Next, you will add two child nodes. Child nodes inherit the configuration of their parent node by default and can also be specialized after creation. Hover your mouse over the ellipses to the right of the base node and select Add child to add a child node. Repeat the process to add a second child node.
Step 24
Hover your mouse over the ellipses to the right of the first child node and select Rename. Enter East for the name and click the blue check mark to save the changes. Repeat the process to name the second child node West.
Step 25
Select the base node, and then the Configuration tab. Copy the configuration data provided and paste it into the Configuration window. Click Save.
```
service password-encryption
<e/>hostname {{hostname}}
version {/17.[2-8]/}
ip ssh rsa keypair-name ssh-key
ip ssh version 2
line vty 0 4
transport input ssh
{d/}vlan 1031
{d/}name vlan1031
{% for i in interfaces %}
interface GigabitEthernet{{i.id}}
ip address dhcp
ip nat outside
{d/}negotiation auto
{d/}no mop enabled
no mop sysid
{% endfor %}
```
Step 26
Click on the East node, and then the Configuration tab. Notice the configuration from the base node has been inherited. Copy the configuration data provided and paste it into the Configuration window below the existing configuration. The blue vertical line shows the configuration inherited from the base node, and the green vertical line shows the configuration specific to the East node. Click Save.
```
snmp-server community east01 RO
```
Step 27
You can add flexibility to your configuration by defining variables for values that may be dynamic, such as hostnames and interface numbers. To do so, click the Show Variables icon in the upper right of the Configuration window. Copy the variables provided and paste them into the Variables window on the right side of the page.
```json
{
  "hostname": "test",
  "interfaces": [
    {
      "id": "1"
    },
    {
      "id": "2"
    }
  ]
}
```
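The evaluation-mode and severity markers introduced in steps 15, 16 and 25 (Disallow {d/}, Error <e/>, the {/…/} regex on the version line) together with the Jinja2 variables from step 27 can be checked offline before a template is pushed into a Golden Configuration. The script below is an added example written for this page, not IAP's code and not how IAP implements its compliance engine. The marker semantics follow the descriptions on this page; everything else is an assumption: the tiny renderer stands in for the Jinja2 subset used here (one `for` loop plus `{{ }}` substitution), indented lines are treated as children of the preceding unindented line, the severity weights and the pass/fail grade are made up, and the device running configuration is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed golden template using the page's markers. Assumed semantics:
#   <e/>    severity Error on this rule (the page's default is Warning)
#   {d/}    Disallow: the rendered line must NOT exist in the running config
#   {/re/}  regex fragment matched in place of literal text (assumption)
# Indented lines are treated as children of the preceding unindented line.
GOLDEN_TEMPLATE = """service password-encryption
<e/>hostname {{hostname}}
version {/17.[2-8]/}
ip ssh version 2
{d/}vlan 1031
{% for i in interfaces %}
interface GigabitEthernet{{i.id}}
 ip address dhcp
 {d/}negotiation auto
{% endfor %}"""

# Constructed variables, shaped like the page's Variables window
VARIABLES = {"hostname": "test", "interfaces": [{"id": "1"}, {"id": "2"}]}

# Constructed running configuration of a lab IOS device
RUNNING_CONFIG = """version 17.3
service password-encryption
hostname router1
ip ssh version 2
vlan 1031
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
interface GigabitEthernet2
 ip address dhcp"""

SEVERITY_WEIGHT = {"error": 3, "warning": 2}  # assumed weights, not IAP's


@dataclass
class Rule:
    text: str                 # rendered line with markers removed
    disallow: bool            # {d/}: line must not exist
    severity: str             # "error" or "warning"
    pattern: "re.Pattern"
    section: Optional[str]    # parent line for indented rules, else None


def _substitute(line: str, ctx: dict) -> str:
    """Expand {{name}} and {{name.key}} lookups from ctx."""
    def lookup(m: "re.Match") -> str:
        val = ctx
        for part in m.group(1).split("."):
            val = val[part]
        return str(val)
    return re.sub(r"{{\s*([\w.]+)\s*}}", lookup, line)


def render(template: str, variables: dict) -> List[str]:
    """Minimal stand-in for the Jinja2 subset the page uses: one level of
    {% for x in list %} ... {% endfor %} plus {{ }} substitution."""
    lines, out, i = template.splitlines(), [], 0
    while i < len(lines):
        m = re.match(r"\s*{%\s*for\s+(\w+)\s+in\s+(\w+)\s*%}\s*$", lines[i])
        if m:
            var, coll = m.groups()
            body, i = [], i + 1
            while not re.match(r"\s*{%\s*endfor\s*%}\s*$", lines[i]):
                body.append(lines[i])
                i += 1
            for item in variables[coll]:
                out.extend(_substitute(b, {**variables, var: item}) for b in body)
        else:
            out.append(_substitute(lines[i], variables))
        i += 1
    return out


def parse_rules(rendered: List[str]) -> List[Rule]:
    """Turn rendered golden lines into evaluation rules."""
    rules, section = [], None
    for line in rendered:
        if not line.strip():
            continue
        body = re.sub(r"\{d/\}|<e/>", "", line)
        nested = body[:1].isspace()
        body = body.strip()
        if not nested:
            section = body
        # Literal parts are escaped; {/.../} parts are kept as regex
        parts = re.split(r"\{/(.*?)/\}", body)
        regex = "".join(re.escape(p) if k % 2 == 0 else p for k, p in enumerate(parts))
        rules.append(Rule(body, "{d/}" in line, "error" if "<e/>" in line else "warning",
                          re.compile("^" + regex + "$"), section if nested else None))
    return rules


def parse_config(text: str) -> List[Tuple[str, Optional[str]]]:
    """Running config as (line, parent-section) pairs."""
    entries, section = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        nested = line[:1].isspace()
        if not nested:
            section = line.strip()
        entries.append((line.strip(), section if nested else None))
    return entries


def evaluate(template: str, variables: dict, running_config: str):
    """Return per-rule outcomes and a summary shaped like the Compliance and
    Reporting window. The score and grade scheme is assumed, not IAP's."""
    rules, cfg = parse_rules(render(template, variables)), parse_config(running_config)
    outcomes = []
    for r in rules:
        present = any(r.pattern.match(c) and s == r.section for c, s in cfg)
        passed = (not present) if r.disallow else present
        outcomes.append((r.text, "pass" if passed else r.severity))
    total = sum(SEVERITY_WEIGHT[r.severity] for r in rules)
    earned = sum(SEVERITY_WEIGHT[r.severity] for r, (_, o) in zip(rules, outcomes) if o == "pass")
    summary = {"rules": len(rules),
               "pass": sum(o == "pass" for _, o in outcomes),
               "warning": sum(o == "warning" for _, o in outcomes),
               "error": sum(o == "error" for _, o in outcomes),
               "score": round(100 * earned / total, 1)}
    summary["grade"] = "pass" if summary["pass"] == len(rules) else "fail"
    return outcomes, summary


if __name__ == "__main__":
    outcomes, summary = evaluate(GOLDEN_TEMPLATE, VARIABLES, RUNNING_CONFIG)
    for text, outcome in outcomes:
        print(f"{outcome:8} {text}")
    print(summary)
```

Running it against the constructed device shows the three kinds of result a practitioner should expect from this lab: the `hostname` rule fails at Error severity because the rendered value `test` does not match the device, `vlan 1031` fails its Disallow rule at the default Warning severity, and `negotiation auto` is flagged only under GigabitEthernet1, where it actually exists, because the check is section-aware. Section matching here is literal, so a regex in a parent line is not expanded when matching its children; that is a limitation of this example rather than of the product.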
Step 28
Click the Save icon in the upper right of the Variables window and then navigate to the Devices and Groups tab for the East node.
Step 29
Click the Add Devices button on the Devices tab. Locate the IOS device and select it. Click Add.
Step 30
Hover your mouse over the ellipses and click Run Compliance.
Step 31
The Compliance bar graph shows that some of the rules have errors and warnings. Hover your cursor over the ellipses and click View Compliance.
Step 32
The Compliance and Reporting window again provides the total number of rules evaluated, the number of violations, and an overall pass or fail grade. You can use the check boxes in the Configuration Errors section to filter violations by severity or evaluation mode; these violations can be remediated by a workflow.
Step 33
Click the Bar Graph icon in the upper right.
Step 34
The Compliance History graph shows how many rules had warning, info, or error alerts, and how many rules passed. The blue line represents the compliance score for the compliance report.
Step 35
When run, additional compliance checks will be shown that provide a graphical representation of either configuration drift or progress towards network compliance over time.
Step 36
Hover your mouse over the bar graph. Here you can see the specifics of the report including the number of rules that passed, and those with an alert status of info, warning, and error. It will also show you the overall score of your compliance report. Click Cancel.
This concludes the Golden Configuration use-case.