Configuration Blocks
A configuration policy is a JSON file made up of one or more configuration blocks. A configuration block is a group of related configuration settings.
SANnav Management Portal compares the configuration settings on a switch with the settings in the configuration policy to determine whether drift has occurred.
When checking for drift, you might want to monitor only certain settings rather than the entire configuration. In that case, create a policy file that contains only the configuration blocks you want to monitor; blocks that are absent from the policy are not compared.
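The following script illustrates the comparison described above: it reads a policy and a switch snapshot, compares only the blocks the policy contains, and skips the properties that the table on this page marks as excluded from drift detection (activateNoLogout, the RADIUS and TACACS+ secret, the FTP password, and the PasswordCfg enforceExpire and resetPasswordCfgToDefault properties). It is an added example, not SANnav code; the policy and snapshot are constructed inline, and matching list entries by position is an assumption, since the page does not state how SANnav pairs list entries.

```python
"""Drift check for SANnav-style configuration policies (added example, not
SANnav's own code). Policy and switch snapshot are constructed inline."""
import json

# Properties the page says cannot be imported from the switch and are not
# part of drift detection. "*" stands for any list index.
NOT_DRIFT_DETECTED = {
    ("AAAConfig", "authSpec", "activateNoLogout"),
    ("AAAConfig", "RADIUS", "*", "secret"),
    ("AAAConfig", "TACACS+", "*", "secret"),
    ("FTP", "password"),
    ("PasswordCfg", "enforceExpire"),
    ("PasswordCfg", "resetPasswordCfgToDefault"),
}
MISSING = "<not set on switch>"


def _excluded(path):
    """True if path (block, key, ..., property) is never drift-detected."""
    for pattern in NOT_DRIFT_DETECTED:
        if len(pattern) == len(path) and all(
                (p == "*" and isinstance(q, int)) or p == q
                for p, q in zip(pattern, path)):
            return True
    return False


def find_drift(policy, switch, path=()):
    """Return [(path, policy_value, switch_value), ...]. Only settings present
    in the policy are compared; blocks the policy omits are never checked."""
    if _excluded(path):
        return []
    if isinstance(policy, dict):
        if not isinstance(switch, dict):
            return [(path, policy, switch)]
        drifts = []
        for key, want in policy.items():
            drifts += find_drift(want, switch.get(key, MISSING), path + (key,))
        return drifts
    if isinstance(policy, list):
        if not isinstance(switch, list):
            return [(path, policy, switch)]
        drifts = []
        if len(policy) != len(switch):
            drifts.append((path + ("count",), len(policy), len(switch)))
        for i, (want, have) in enumerate(zip(policy, switch)):  # assumption: by position
            drifts += find_drift(want, have, path + (i,))
        return drifts
    return [] if policy == switch else [(path, policy, switch)]


def unmonitored(policy, path=()):
    """Lint: paths the policy sets that drift detection will silently ignore
    (a secret written here is pushed once but never verified afterwards)."""
    if _excluded(path):
        return [path]
    found = []
    if isinstance(policy, dict):
        for key, value in policy.items():
            found += unmonitored(value, path + (key,))
    elif isinstance(policy, list):
        for i, value in enumerate(policy):
            found += unmonitored(value, path + (i,))
    return found


def fmt(path):
    return "/".join(str(p) for p in path)


# Constructed sample data: the policy monitors three blocks; the snapshot has
# no RADIUS secret (it cannot be imported) and a Banner the policy ignores.
POLICY = json.loads("""{
  "AAAConfig": {
    "authSpec": {"authMode": "ldap;local", "backup": false,
                 "activateNoLogout": false, "primaryLogMessages": true},
    "RADIUS": [{"ipAddress": "10.40.80.12", "port": 1812, "timeout": 3,
                "secret": "thZi3XgrAbH+h5gyJu+I7g==",
                "encryptionLevel": "NONE", "authentication": "CHAP"}]
  },
  "PasswordCfg": {"minimumLength": 12, "lockoutThreshold": 5, "hashType": "sha512"},
  "NTP_TimeServer": [{"ipAddress": "10.40.10.10"}, {"ipAddress": "10.40.10.11"}]
}""")
SWITCH = json.loads("""{
  "AAAConfig": {
    "authSpec": {"authMode": "local", "backup": false, "primaryLogMessages": true},
    "RADIUS": [{"ipAddress": "10.40.80.12", "port": 1812, "timeout": 3,
                "encryptionLevel": "NONE", "authentication": "CHAP"}]
  },
  "PasswordCfg": {"minimumLength": 8, "lockoutThreshold": 0, "hashType": "sha512",
                  "maxPasswordAge": 0},
  "NTP_TimeServer": [{"ipAddress": "10.40.10.10"}],
  "Banner": "lab switch"
}""")

if __name__ == "__main__":
    for p in unmonitored(POLICY):
        print("not drift-detected:", fmt(p))
    for p, want, have in find_drift(POLICY, SWITCH):
        print(f"drift at {fmt(p)}: policy={want!r} switch={have!r}")
```

Run against the sample data, the script reports four drifts (authMode, minimumLength, lockoutThreshold and the NTP server count) and two policy entries that will never be checked (activateNoLogout and the RADIUS secret); the Banner on the switch is not reported because the policy does not contain that block.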
The following table lists the configuration blocks that are supported and provides examples for each. You can find a complete template in the following location: <install_HOME>/conf/cfgmgmt/CompassTemplate.txt.
Each entry below gives the configuration block name, its properties with the supported Fabric OS versions (all versions, or 8.2.1 and later), any notes, and a JSON example.
AAAConfig:authSpec
Properties (Fabric OS 8.2.1 and later): authMode, backup, activateNoLogout, primaryLogMessages
Notes: The activateNoLogout property cannot be imported from the switch and is not included in drift detection.
Example:
  "AAAConfig": {
    "authSpec": {
      "authMode": "ldap;local",
      "backup": false,
      "activateNoLogout": false,
      "primaryLogMessages": true
    }
  },
AAAConfig:LDAP
Properties (all Fabric OS versions): ipAddress, port, timeout, domain
Example:
  "AAAConfig": {
    "LDAP": [
      {
        "port": 389,
        "domain": "ldapsecurity.example.com",
        "ipAddress": "10.40.60.12",
        "timeout": 3
      }
    ]
  },
AAAConfig:RADIUS
Properties (all Fabric OS versions): ipAddress, port, timeout, secret, encryptionLevel, authentication
Notes: The secret property cannot be imported from the switch and is not included in drift detection, so a shared secret that is changed or cleared on the switch is not reported as drift; verify it separately. The secret must be encrypted in the JSON text when saved in the configuration policy; do not store it in clear text.
Example:
  "AAAConfig": {
    "RADIUS": [
      {
        "ipAddress": "10.40.80.12",
        "port": 1812,
        "timeout": 3,
        "secret": "thZi3XgrAbH+h5gyJu+I7g==",
        "encryptionLevel": "NONE",
        "authentication": "CHAP"
      }
    ]
  },
AAAConfig:TACACS+
Properties (all Fabric OS versions): ipAddress, port, timeout, secret, encryptionLevel, authentication
Notes: The secret property cannot be imported from the switch and is not included in drift detection, so a shared secret that is changed or cleared on the switch is not reported as drift; verify it separately. The secret must be encrypted in the JSON text when saved in the configuration policy; do not store it in clear text.
Example:
  "AAAConfig": {
    "TACACS+": [
      {
        "ipAddress": "10.40.70.12",
        "port": 49,
        "timeout": 3,
        "secret": "thZi3XgrAbH+h5gyJu+I7g==",
        "encryptionLevel": "NONE",
        "authentication": "CHAP"
      }
    ]
  },
ACL
Properties (all Fabric OS versions): ipAddress, control
Example:
  "ACL": [
    {
      "ipAddress": "10.50.1.12",
      "control": "read-write"
    },
    {
      "ipAddress": "10.50.1.13",
      "control": "read-write"
    }
  ],
AuditCfg
Properties (Fabric OS 8.2.1 and later): severity, enable, class
Example:
  "AuditCfg": {
    "severity": "INFO",
    "enable": true,
    "class": [
      "zone",
      "security",
      "configuration",
      "firmware",
      "fabric",
      "ls",
      "cli",
      "maps"
    ]
  },
Banner
Properties (Fabric OS 8.2.1 and later): Banner
Example:
  "Banner": "This is a test banner",
Chassis
Properties (Fabric OS 8.2.1 and later): haEnabled
Notes: The Chassis configuration block is for director-class switches only. haEnabled is a read-only property; changes made in the JSON text of the policy are not reflected on the switch.
Example:
  "Chassis": {
    "haEnabled": true
  },
FTP
Properties (all Fabric OS versions): host, username, password, remoteDirectory, protocol, serverConnectivityCheckIntervalInHours
Notes: The password must be encrypted in the JSON text when saved in the configuration policy. The password property cannot be imported from the switch and is not included in drift detection, so a password changed on the switch is not reported as drift. The example uses the FTP protocol, which sends the username, password and transferred files in clear text on the network; encrypting the password in the policy file does not change that.
Example:
  "FTP": {
    "password": "jP6gyHn8DTty9oyf93Rujw==",
    "protocol": "FTP",
    "remoteDirectory": "/home/support/uploads",
    "serverConnectivityCheckIntervalInHours": 1,
    "host": "supportFtpServer",
    "username": "admin"
  },
IPFilter
Properties (Fabric OS 8.2.1 and later): name, ipVersion, active, rules
Example (a single rule permitting inbound TCP port 22 from any source):
  "IPFilter": [
    {
      "ipVersion": "ipv4",
      "name": "default_ipv4",
      "active": true,
      "rules": [
        {
          "destinationIp": "any",
          "destinationEndPort": "22",
          "protocol": "tcp",
          "sourceIp": "any",
          "destinationStartPort": "22",
          "index": 1,
          "action": "permit",
          "trafficType": "input"
        }
      ]
    }
  ],
LDAPRoleMap
Properties (Fabric OS 8.2.1 and later): ldapRole, switchRole, homeVirtualFabric, chassisAccessRole
Example:
  "LDAPRoleMap": [
    {
      "ldapRole": "FabricAdmin",
      "switchRole": "fabricAdmin=1-128",
      "homeVirtualFabric": 128,
      "chassisAccessRole": "admin"
    },
    {
      "ldapRole": "",
      "switchRole": "",
      "homeVirtualFabric": 128,
      "chassisAccessRole": ""
    }
  ],
NTP_TimeServer
Properties (all Fabric OS versions): ipAddress
Example:
  "NTP_TimeServer": [
    {
      "ipAddress": "10.40.10.10"
    },
    {
      "ipAddress": "10.40.10.11"
    }
  ],
NTP_TimeZone
Properties: hourOffset (all Fabric OS versions), minOffset (all Fabric OS versions), timeZoneName (Fabric OS 8.2.1 and later)
Example:
  "NTP_TimeZone": {
    "timeZoneName": "America/Los_Angeles",
    "hourOffset": 0,
    "minOffset": 0
  },
PasswordCfg
Properties (Fabric OS 8.2.1 and later): minimumLength, characterSet, userNameAllowed, reverseUserNameAllowed, minLowercaseChar, minUppercaseChar, minNumericChar, minSpecialChar, pastPasswordHistory, minPasswordAge, maxPasswordAge, warnOnExpire, lockoutThreshold, lockoutDuration, enableAdminLockout, repeatCharLimit, sequenceCharLimit, hashType, manualHashEnabled, minimumDifference, enforceExpire, resetPasswordCfgToDefault
Notes: The resetPasswordCfgToDefault and enforceExpire properties cannot be imported from the switch and are not included in drift detection. In the example, lockoutThreshold and maxPasswordAge are 0, which leaves account lockout and password expiry disabled on the switch; a hardening policy sets them to non-zero values so that a reset to these defaults shows up as drift.
Example:
  "PasswordCfg": {
    "minimumLength": 8,
    "characterSet": 0,
    "userNameAllowed": true,
    "reverseUserNameAllowed": false,
    "minLowercaseChar": 0,
    "minUppercaseChar": 0,
    "minNumericChar": 0,
    "minSpecialChar": 0,
    "pastPasswordHistory": 1,
    "minPasswordAge": 0,
    "maxPasswordAge": 0,
    "warnOnExpire": 0,
    "lockoutThreshold": 0,
    "lockoutDuration": 30,
    "enableAdminLockout": false,
    "repeatCharLimit": 1,
    "sequenceCharLimit": 1,
    "hashType": "sha512",
    "manualHashEnabled": false,
    "minimumDifference": 0,
    "enforceExpire": false,
    "resetPasswordCfgToDefault": false
  },
PortConfiguration
Properties (Fabric OS 8.2.1 and later): portnameMode, dynamicPortnameFormat, dynamicDPortEnabled, onDemandDPortEnabled
Example:
  "PortConfiguration": {
    "portnameMode": "default",
    "dynamicDPortEnabled": true,
    "onDemandDPortEnabled": false,
    "dynamicPortnameFormat": "S.T.I.A"
  },
SNMPv3
Properties (all Fabric OS versions): recipients.host, recipients.port, recipients.index, recipients.notifyType, recipients.trapLevel, enableInforms
Example:
  "SNMPv3": {
    "recipients": [
      {
        "notifyType": "trap",
        "port": 162,
        "trapLevel": "4-Info",
        "host": "10.50.1.12",
        "index": 1
      },
      {
        "notifyType": "trap",
        "port": 162,
        "trapLevel": "4-Info",
        "host": "10.50.1.13",
        "index": 2
      }
    ],
    "enableInforms": false
  },
SwitchConfiguration
Properties (Fabric OS 8.2.1 and later): wwnPortIdMode, edgeHoldTime
Example:
  "SwitchConfiguration": {
    "edgeHoldTime": 220,
    "wwnPortIdMode": false
  },
Syslog
Properties: ipAddresses.ipAddress (all Fabric OS versions), ipAddresses.port (Fabric OS 8.2.1 and later), ipAddresses.secureMode (Fabric OS 8.2.1 and later), facility (Fabric OS 8.2.1 and later)
Notes: In the example, secureMode is false for both servers, so audit and system log messages leave the switch unprotected on port 514; if you rely on the switch audit log, secureMode is the setting to enable and monitor for drift.
Example:
  "SYSLOG": {
    "ipAddresses": [
      {
        "port": 514,
        "ipAddress": "10.50.1.12",
        "secureMode": false
      },
      {
        "port": 514,
        "ipAddress": "10.50.1.17",
        "secureMode": false
      }
    ],
    "facility": "LOG_LOCAL7"
  },
Users
Properties: username (all Fabric OS versions); password, role, accountDescription, accountEnabled, passwordChangeEnforced, accountLocked, accessStartTime, accessEndTime, homeVirtualFabric, chassisAccessRole, virtualFabricRoleList (Fabric OS 8.2.1 and later)
Notes: The password must be encrypted in the JSON text when saved in the configuration policy. The password property is used from the JSON only when adding a new user; it cannot be used to modify the password of an existing user account, so changing the value in the policy does not rotate an existing account's password.
Example:
  "Users": [
    {
      "username": "root",
      "password": "",
      "role": "SAN System Administrator",
      "accountDescription": "root",
      "accountEnabled": true,
      "passwordChangeEnforced": false,
      "accountLocked": false,
      "accessStartTime": "",
      "accessEndTime": "",
      "homeVirtualFabric": 128,
      "chassisAccessRole": "root",
      "virtualFabricRoleList": [
        {
          "role": "root",
          "fabricIds": "1-128"
        }
      ]
    }
  ],