Idea Details

NCM policies - add support for if, and, and or within multi-line blocks

Last activity 28 days ago
mwegner's profile image
07-25-2013 03:02 PM

In Spectrum's NCM, we can define multi-line configuration blocks for NCM policies.  Within the block, NCM allows us to define policy criteria that must be there or that must not be there.  This is very useful for applying policies to interfaces, but it could be made much better by adding conditional rules.


We frequently have per-interface policies that we cannot implement in NCM, such as:

- Find all blocks that start with 'interface *' and end with '!', and IF this interface is tagged as being in VLAN 66, make sure that the port speed and duplex is set to 10 half.

- Find all blocks that start with 'interface *' and end with '!', and IF this interface has helper address X, make sure that it also has helper address Y.

- Find all blocks that start with 'interface TenGigabitEthernet*' and end with '!', and IF this interface is defined as being part of a port channel, enable link state traps for the interface.


NCM should allow us to define a multi-line configuration block, and then within the block allow us to define policy criteria that if X then Y, if not X then not Y, and if X then not Y.  These criteria would be evaluated within the block, so that if X is true within the block, Y is only evaluated within the block as well.


A specific example.  Given this bit of configuration:

interface GigabitEthernet1/0/11

switchport access vlan 66

switchport mode access

speed 10

duplex full


interface GigabitEthernet1/0/12

switchport access vlan 66

switchport mode access


interface GigabitEthernet1/0/13

switchport access vlan 20

switchport mode access



I would like to be able to define an NCM policy that forces all interface blocks that contain the line "switchport access vlan 66" to also contain the lines "speed 10" and "duplex full", but leave all other interface blocks set up to auto-negotiate (no specified speed or duplex).  With current NCM rules, this is not possible.  I would like to be able to build more complex comparison criteria within configuration blocks, such as the ones used in event condition rules, like this:




05-09-2018 04:57 AM

Hi All,


Thanks for this idea, we are reviewing it, will update the latest status in couple of weeks.




04-09-2017 02:36 AM

It's very new in geological terms

04-07-2017 11:21 AM

Why is this idea still listed as new with 38 votes?

07-31-2016 10:10 AM

Hi everyone


Any news regarding this idea?

01-10-2016 09:37 AM

I opened up a similar idea very recently which involves regex, mwegner  was kind enough to show me it was suggested back in 2013.


This functionality can make NCM policies practical for configuration compliance. As it stands, they are not useful unless your configuration is nearly identical across all interfaces.

10-28-2015 08:32 AM

yes, need this kind of configuration...i am in need of one similar kind of requirement where i want to sub-filter the block definition based on the switchport mode access but as of now Spectrum don't have option to achieve this..

10-28-2015 06:14 AM

I also request this feature for currently 2 customers who need this feature.


I have tried to edit the "Start tag" like this

for Policy_IF_Test           -> (?m)^interface.*(test|duplex auto|no ip address).* <- by "End tag" -> (?m)^! <-

for Policy_IF_Switchport  -> (?m)^interface.*(switchport|load-interval 30).* <- by "End tag" -> (?m)^! <-

So the policy only applys when the block starts with interface and the block contains test, auto or no ip.



interface FastEthernet0/0

description this is a testing interface

ip address

duplex auto

speed auto


interface Port-channel5

description Anbindung Nexus (vPC)


switchport trunk encapsulation dot1q

switchport trunk allowed vlan 11-31,61,70,601-603,700,701

switchport mode trunk

load-interval 30


mls qos trust dscp

macro description server-access | server-access

storm-control broadcast level 1.00



But a Start Tag like this does not work.

10-21-2015 09:28 AM

I totally agree with aurimasp. We need to automate as much as we can to ensure compliance.


Another thing would be to have that interface configuration text shown inside the Information pane in OneClick along with the NCM policy violation info and Repair button.

08-16-2015 08:38 AM

These conditional rules are needed very much, because now NCM is useless for checking compliance on interfaces. Interfaces have different purposes with different configurations and those configs have to comply.