Configuration Compliance Manager for Cisco DNA Center
This is currently a proof of concept, not a full featured tool. Created during SEVT Hackathon. This code will pull all device configurations from Cisco DNA Center's inventory, and check configuration against compliance rules formatted in json.
- Technology stack: Python
- Status: Alpha, designed to prove the ability and openess of Cisco DNA Center.
Customers need a way to prove configuration compliance for IOS / IOS-XE / IOS-XR / NX-OS devices. These devices may very well be Brownfield and while they are imported into Cisco DNA Center, are not provisioned by Cisco DNA Center. Because of this brownfield requirement, a separate tool is desirable, even as Cisco DNA Center is roadmapped to receive configuration compliance features for devices that are provisioned by CDNAC.
Customers need a way to write their own rules for configuration compliance, and have them vetted against running configuration on a schedule and generate a report, by site and device type / device tag.
A Python program that verifies devices against compliance rules. Compliance rules are defined in JSON, as are device groups. The program pulls device inventory from CDNAC, matches compliance rules per device group (defined by site, type, tag), and reports on, and possibly alerts on, compliance violation, with a severity that is defined in the compliance rules.
The current PoC needs to be expanded to include:
- Better backend logic, expand compliance rules and introduce device rules
- Refactor to use CDNAC SDK
- Severity and syslog implemented as a first pass
- CSV to JSON converter
- Web frontend
- Reporting
- Alerting
Our solution will levegerage the following Cisco technologies
- Thorsten Behrens [email protected] - GES NE Americas
- Jorge Banegas [email protected] - GVE DevOps / CSAP
- Oren Brigg [email protected] - GEO Israel - Data Center AF
- Tomer Kopel [email protected] - GEO Israel - Shared
- Alif Mousa [email protected] - APO - Engineering - HQ
- Mentor: Gabi Zapodeanu [email protected] - ENB - TME
- Python + Flash
- CDNAC SDK
- ciscoconfparse
- FrontEnd TBD - could be Bootstrap or Heroku, depending on team skillset and agile direction
- Docker TBD - if time allows, docker-compose would make deployment of the tool very easy
python ios-compliance.py --rulesfile <JSON rule file> --syslog_ip <IP address of the syslog server> --syslog_port <syslog port, if not 514>
- rulesfile - path to the JSON file containing the compliance rules.
- syslog_ip - IP address of a syslog server (optional) to send the results to.
- syslog_port - In case the syslog server is listening to a port other than 514 - specify which
Currently, to be amended as project progresses:
- Install Git
- Install Python 3 / Pip 3
- Pull project from github
pip3 install -r requirements.txt
- The data model, to be expanded for better compliance rules and device groups.
- Sample compliance rules for reference.
Provided under Cisco Sample Code License, for details see LICENSE
Our code of conduct is available here
See our contributing guidelines here