I'm using NCM's Compliance feature to discover and remediate Cisco switch ports that are incorrectly configured to trust DHCP. The command the Compliance Script is looking for is:
ip dhcp snooping trust
I have it searching blocks of config that begin with
switchport mode access
and that end with
!
I've defined that block of config this way because I do not want Compliance to discover and/or remediate ports that are trunked ports or port-channels or members of port-channels. Those trunked or port-channelled interfaces must have the command on them for DHCP to work for all other access ports on the switches.
An example of the Compliance Check Rule and Remediation follows:

So far so good--the part above works perfectly, and it reports all instances of the script that should be removed.
This section does NOT remove the problem lines from the config:

As per below, it DOES discover the problem lines:

Notice the Remediation Script Preview does NOT show specific Interfaces mentioned. That seems to be why the remediation fails.

Implementing or testing the Remediation reveals that no Interface is defined for each line:

So I thought the problem was caused by my definition of the "block", so I tested it differently, since this particular switch uses 10 Gig uplink ports for its trunks that can have ip dhcp snooping trust present. Therefore I built the block to begin with "interface GigabitEthernet", since this switch uses Ten Gig interfaces for uplinks or downlinks. (This would be a problem for other switches that use GigabitEthernet interfaces for access ports and trunked uplink ports. The remediation would disable DHCP trust on the uplinks, and that's not a good thing.)
I tested it with the new block defined as follows:

and again it failed--with the exact same output:

Here are examples of interfaces that should NOT be remediated or discovered:
interface Port-channel1
switchport
switchport trunk allowed vlan x,z
switchport trunk allowed vlan add r-t
switchport trunk native vlan p
switchport mode trunk
switchport nonegotiate
flowcontrol receive on
ip dhcp snooping trust
interface TenGigabitEthernet5/1
switchport trunk allowed vlan x,y
switchport mode trunk
switchport nonegotiate
logging event link-status
channel-group 1 mode on
ip dhcp snooping trust
And here is an example of an access port that is not in compliance due to its last line. This port SHOULD be discovered and automatically remediated to remove that last line:
!
interface GigabitEthernet7/20
switchport access vlan x
switchport mode access
spanning-tree portfast edge
ip dhcp snooping trust
!
I found this online resource for Compliance, Searches, Blocks, and Remediation: Create and manage policy rules. In it I saw this section:

Is my block definition, which begins with "interface GigabitEthernet", the problem? Is this one of those "multiline regular expressions" that I must NOT use to define the beginning of a block? If so, is what I want to do even possible with Compliance and automatic Remediation without also impacting the uplink ports that need "ip dhcp snooping trust" enabled on them?
1. Why is this failing?
2. How can I get the script to work as desired? It must discover and remove "ip dhcp snooping trust" from access ports, but not from port-channels or interfaces that are trunk ports that do NOT have "switchport mode trunk" configured on them.
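
An added example, not part of the original post and not NCM's rule engine: a standalone Python audit of a saved config that finds access ports carrying the trust command and emits each removal together with its interface line, the context the remediation preview described above lacks. The function names and the stanza-boundary rule are assumptions, and the sample config is constructed from the stanzas quoted in the post.

```python
TRUST = "ip dhcp snooping trust"

# Constructed sample, condensed from the interface stanzas quoted in the post.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 ip dhcp snooping trust
interface TenGigabitEthernet5/1
 switchport mode trunk
 channel-group 1 mode on
 ip dhcp snooping trust
!
interface GigabitEthernet7/20
 switchport access vlan x
 switchport mode access
 ip dhcp snooping trust
!
"""

def interface_blocks(config):
    """Yield (name, commands) per stanza. Assumption: a stanza opens at an
    'interface <name>' line and closes at '!' or the next 'interface' line."""
    name, cmds = None, []
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface ") or line == "!":
            if name:
                yield name, cmds
            name = line.split(None, 1)[1] if line != "!" else None
            cmds = []
        elif name and line:
            cmds.append(line)
    if name:
        yield name, cmds

def noncompliant_access_ports(config):
    """Access ports that trust DHCP; port-channels and their members are skipped."""
    hits = []
    for name, cmds in interface_blocks(config):
        bundled = name.lower().startswith("port-channel") or any(
            c.startswith("channel-group ") for c in cmds)
        if "switchport mode access" in cmds and TRUST in cmds and not bundled:
            hits.append(name)
    return hits

def remediation(config):
    """Removal commands, each preceded by the interface it applies to."""
    return [cmd for name in noncompliant_access_ports(config)
            for cmd in (f"interface {name}", f" no {TRUST}")]
```

Calling `remediation(SAMPLE_CONFIG)` returns the two lines to push for GigabitEthernet7/20 and leaves both uplink stanzas untouched.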