Network Device Compliance

Network device compliance is based on the configuration of network devices, hardware status, and other information written to memory.

NetDev compliance will use all the information accessible from a network device.

The diagram below shows the structure of the compliance module:

../../../_images/OnNet_NDC_structure.png

NetDevice tests

When the Network Device Compliance module is loaded, you will see several tabs, as shown in the next picture:

../../../_images/OnNet_NDC.png

Network Devices Rules

In the Rules tab you will find a number of preconfigured rules for several vendors.

../../../_images/OnNet_NDC_rules.png

You can create or clone new rules and define them as static or dynamic rules.

The next picture shows you the information you need to create a new static rule:

../../../_images/OnNet_NDC_staticrule.png

  • Tag (without prefix): If the rule passes, a new tag will be added to this network device object in the CMDB. The tag consists of a name and a prefix. Two prefixes are possible:

    CRP: Compliance Rule Passed

    CRF: Compliance Rule Failed

  • Type: A static rule verifies a specific piece of information in the configuration file, such as the hostname, a banner or an ACL. Dynamic rules are evaluated on the output of a specific command executed on the network device; they give access to information that is not found in the configuration file retrieved for a static rule, such as port state or the IOS release.

  • Vendors: You need to define a vendor and configure the regular expression. You can also define a remediation, which is displayed on the NetDev compliance dashboard if the rule fails. Depending on the complexity of the rule, a precondition may also be defined. For example, to check whether a specific VLAN ID is configured on all ports, the precondition restricts the rule to access ports and excludes trunk ports.

Network Devices Tests

Several rules form a test. A test can combine different rules that check a single service, such as 802.1X or SNMP configuration, where compliance involves multiple checks.

../../../_images/OnNet_NDC_tests.png

You can create or clone a test and set up the required information:

../../../_images/OnNet_NDC_test1.png

Each test, like each rule, must be created with a tag:

  • Tag (without prefix): If the test passes, a new tag will be added to this network device object in the CMDB. Two prefixes are possible:

    CTP: Compliance Test Passed

    CTF: Compliance Test Failed

Select the rules and click “Add row” to add the selected rules to the new test. You can also uncheck the flag “All rules must pass to pass the test” if not every rule needs to comply for the test to pass.
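The following is an added example, not code from the product itself, showing how the static rules described above (regex against a configuration, with an optional precondition scoping the check to access ports) and a test with the “All rules must pass” flag can be evaluated. The configuration, rule names, tag separator and the hostname/banner/VLAN rules are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of an IOS-style running configuration (not captured from a real device).
SAMPLE_CONFIG = """\
hostname core-sw01
banner motd ^CAuthorized access only^C
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

@dataclass
class StaticRule:
    tag: str                  # tag name, without the CRP/CRF prefix
    pattern: str              # regular expression checked against the configuration
    precondition: str = ""    # optional regex selecting the interface blocks the rule applies to
    remediation: str = ""     # text shown on the dashboard when the rule fails

def interface_blocks(config):
    """Split the configuration into per-interface blocks ('interface ...' plus its indented lines)."""
    return [b for b in re.split(r"(?m)^(?=interface )", config) if b.startswith("interface ")]

def evaluate_rule(rule, config):
    """Return (passed, tag). Tag format '<prefix>_<name>' is an assumption of this example."""
    if not rule.precondition:
        passed = re.search(rule.pattern, config, re.M) is not None
    else:
        # Precondition scoping: only blocks matching it (e.g. access ports, not trunks) are checked;
        # a rule whose scope matches nothing counts as failed so it is never silently skipped.
        scoped = [b for b in interface_blocks(config) if re.search(rule.precondition, b, re.M)]
        passed = bool(scoped) and all(re.search(rule.pattern, b, re.M) for b in scoped)
    return passed, f"{'CRP' if passed else 'CRF'}_{rule.tag}"

def evaluate_test(tag, rules, config, all_rules_must_pass=True):
    """Aggregate rule results into a test tag (CTP/CTF), honouring the 'All rules must pass' flag."""
    results = [evaluate_rule(r, config) for r in rules]
    n_passed = sum(ok for ok, _ in results)
    passed = n_passed == len(results) if all_rules_must_pass else n_passed > 0
    return passed, f"{'CTP' if passed else 'CTF'}_{tag}", [t for _, t in results]

RULES = [
    StaticRule("hostname_set", r"^hostname \S+$"),
    StaticRule("login_banner", r"^banner motd ", remediation="configure 'banner motd'"),
    StaticRule("vlan10_on_access_ports", r"^ switchport access vlan 10$",
               precondition=r"^ switchport mode access$",
               remediation="set 'switchport access vlan 10' on every access port"),
]
```

With the sample configuration the VLAN rule fails on GigabitEthernet1/0/2, so the test fails with the flag set and passes (two of three rules) with it cleared.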

Network Devices Test Groups

Several tests form a group. By default, groups are organized by level of importance, but you can create and customize your own groups with the tests you need.

../../../_images/OnNet_NDC_groups.png

To create or clone a group, click on the corresponding button and set up the required information:

../../../_images/OnNet_NDC_group1.png

Each group must be created with a tag:

  • Tag (without prefix): If the group passes, a new tag will be added to this network device object in the CMDB. Two prefixes are possible:

    CGP: Compliance Group Passed

    CGF: Compliance Group Failed

For a complete example, including output, see Network Device Compliance Checks.