
Apologies - This isn’t a question, and I can’t change it to a conversation -

With recent changes in our NAC servers, we needed to check that our ‘ip helper-addresses’ were consistent with our regional standards. This is something we usually did with Python, but here’s a simple script to grab the helpers on each of the interfaces. I got the script working, but had some formatting issues, and thankfully a colleague was able to use some logic to format (@danny,Ramirez) via this statement:

let ips = (foreach ip in ServerIP where match.data.IntName == ip.data.IntName select distinct toString(ip.data.helper))

Ideally, we would define the NAC servers per region, and export them as a check, but I haven’t gotten there yet ;-)

pattern = ```
interface {IntName:string}
ip helper-address {helper:ipv4Address}
```;

foreach device in network.devices
// Feel free to trim the scope with a where, e.g.
// where "Branch" in device.tagNames && "Core" in device.tagNames && "C9500" in device.tagNames
let outputs = device.outputs
foreach command in outputs.commands
where command.commandType == CommandType.CONFIG
let parsed = parseConfigBlocks(OS.IOS_XE, command.response)
// one match per "ip helper-address" line, so an interface with several helpers matches several times
foreach match in blockMatches(parsed, pattern)
// re-match the stored config to collect every helper on the same interface
let ServerIP = blockMatches(device.files.config, pattern)
// Thanks Danny !
let ips = (foreach ip in ServerIP
           where match.data.IntName == ip.data.IntName
           select distinct toString(ip.data.helper))

select distinct {
  Hostname: device.name,
  Intf: match.data.IntName,
  Helpers: ips,
  Tag: device.tagNames
}

resulting in a list of device interfaces and the helpers:


You could consider creating lists such as ...

validservers = ["address 1", "address 2", "address 3"];

for each region, and then in your code compare each IP helper address to the list

validIP(device, ip) =
  min(foreach x in [0]
      // any logic for which device is appropriate for a given list of valid servers would be put here. For example use tagNames on devices to select the right list
      // define as true when the ip (passed as a string, e.g. toString(match.data.helper)) is not in the list
      let violation = !(ip in validservers)
      select violation);

You’d need to alter the logic for the final area of the script so that you run the validIP function, which provides a true value for any IP not in the valid server list. 


(I’ve not built this, so it may contain typos)


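Putting the two halves together, here is one way to express the per-region comparison as a single NQE check. This is an added example, not code from either poster: the region tags ("EMEA", "AMER", "APAC"), the "Branch" scope tag and the server addresses are placeholders you would replace with your own, and the helper function validServersFor is an assumed name. It reuses the pattern from the original script and marks each helper row with a boolean violation field, so the query can be saved as a check rather than eyeballed as a report.

````nqe
// Added example (assumed tags and addresses), not the original poster's script.
pattern = ```
interface {IntName:string}
ip helper-address {helper:ipv4Address}
```;

// Pick the approved helper list from the device's region tag (placeholder tags/addresses).
// A device with no region tag gets an empty list, so every helper on it is flagged.
validServersFor(device) =
  if "EMEA" in device.tagNames then ["10.10.0.5", "10.10.0.6"]
  else if "AMER" in device.tagNames then ["10.20.0.5", "10.20.0.6"]
  else if "APAC" in device.tagNames then ["10.30.0.5", "10.30.0.6"]
  else [];

foreach device in network.devices
// scope tag is an assumption; widen or narrow as needed
where "Branch" in device.tagNames
let valid = validServersFor(device)
foreach command in device.outputs.commands
where command.commandType == CommandType.CONFIG
let parsed = parseConfigBlocks(OS.IOS_XE, command.response)
// one row per "ip helper-address" line, checked individually
foreach match in blockMatches(parsed, pattern)
let helper = toString(match.data.helper)
select {
  // true = this helper is not on the region's approved list
  violation: !(helper in valid),
  Hostname: device.name,
  Intf: match.data.IntName,
  Helper: helper,
  Allowed: valid,
  Tags: device.tagNames
}
````

Checking one helper per row (rather than the aggregated list per interface from the original script) keeps the violation flag unambiguous: a row is either an approved address for that region or it is not, and an interface with one good and one stale helper shows up as exactly one violation.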