While most of you may never touch it, I was just explaining how CPD works and it occurred to me that it probably would be helpful to share this as it took me quite awhile to wrap my head around how to write proper rules with the CPD editor.
As you should already know, the policy engine simple and rule-logic builder tools are only good for global checks (something that only occurs once in a config). The CPD tool is necessary for checking things like interfaces or ACL lists where you need to match more than one time.
Generally, I design an interface check rule as “it has to be this or this or that or it’s a problem,” Here’s a simple example; Customer would like to have a policy that states that any interface that is configured as an access port needs to have port security enabled. Here’s the CPD text to go with it.
Optional-Block: interface (Gi|Fa) .+ switchport mode access switchport port-security Invalid-Block: interface (Gi|Fa) .+ switchport mode access logic is:
Find a match on interfaces that start with the text “interface Gi” or “interface Fa” (GigabitEthernet and FastEthernet Interfaces) that also contain the line “switchport mode access” and the line “switchport mode port-security”. (the tab indents are import as this is how the engine knows what block of lines in the config to work with).
IF it’s not a match, that’s ok (it’s optional). However, the invalid says, if I find an interface that starts with the text “interface Gi” or “interface Fa” and contains the line “switchport mode access”, flag it as a violation.
Since this works just like rule logic, evaluated in order, any GigabitEthernet or FastEthernet interface that doesn’t match the optional but does match the invalid will be flagged. All other interfaces will be ignored because they do not match either rule.
Let me know what you think!