Interface Security - NCM Compliance Reports

I’m trying to create a compliance report rule that would look for “switchport port-security”, at the same time, I do not want it to flag “switchport mode tunnel” and other interfaces with certain descriptions. For a start, I started with the “switchport mode tunnel” filter. This is what I have:

I can’t figure out what I’m doing wrong with the regular expressions or my selections due to my lack of knowledge in Regex, it keeps flagging all interfaces with no port security, including the ones where the “switchport mode tunnel” configuration is found on the interface. I want to exclude tunnel ports.

Find more posts tagged with

compliance reports

config blocks

port security

ncm

cisco

Accepted answers

All comments

mesverrum

I don't have a test environment handy to figure out the regex for you, but I will say that any time I am struggling with these I typically just take snippets of my config from ncm and paste it into http://regexr.com to write my logic against.

At a glance it seems like your config block start and stops wouldn't be correct, at least not the stop because the stop should be at the line with just ! on it right?

dgsmith80

My immediate thought was the same, your start and stop are identical, if you're looking to search all interfaces then your stop would be ! and then it will search each Interface as a block.

tigerr

Yes, this was one of the tries, I have ^\! config block end most of the time, nothing seems to be giving the desired output, sometimes it just skips a couple interfaces even though I know they all don't have port security and there are only two tunnel interfaces that I want to exclude.

dgsmith80

If you could give an example block of what you're looking to capture as a violation, and an example of what you would want it to exclude I will try and have a go. I did a simulation on my lab but we don't use mode tunnel so have no example.

tigerr

Alright, this an example config of a couple interfaces, 1/0/4 already has security so it should pass, 1/0/5 is a tunnel so it should be excluded and the others have security configured but not enabled with the "switchport port-security" statement

interface GigabitEthernet1/0/4

switchport access vlan 103

switchport mode access

switchport voice vlan 203

switchport port-security

switchport port-security maximum 3

switchport port-security aging time 1

switchport port-security violation protect

switchport port-security aging type inactivity

no logging event link-status

priority-queue out

storm-control broadcast level 0.50

storm-control multicast level 1.00

storm-control action shutdown

storm-control action trap

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input Untrusted-Port

interface GigabitEthernet1/0/5

switchport access vlan 203

switchport mode tunnel

switchport voice vlan 103

switchport port-security maximum 3

switchport port-security aging time 1

switchport port-security violation protect

switchport port-security aging type inactivity

no logging event link-status

priority-queue out

storm-control broadcast level 0.50

storm-control multicast level 1.00

storm-control action shutdown

storm-control action trap

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input Untrusted-Port

interface GigabitEthernet1/0/6

description User22

switchport access vlan 103

switchport mode access

switchport voice vlan 203

switchport port-security maximum 3

switchport port-security aging time 1

switchport port-security violation protect

switchport port-security aging type inactivity

no logging event link-status

priority-queue out

storm-control broadcast level 0.50

storm-control multicast level 1.00

storm-control action shutdown

storm-control action trap

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input Untrusted-Port

interface GigabitEthernet1/0/7

switchport access vlan 103

switchport mode access

switchport voice vlan 203

switchport port-security maximum 3

switchport port-security aging time 1

switchport port-security violation protect

switchport port-security aging type inactivity

no logging event link-status

priority-queue out

storm-control broadcast level 0.50

storm-control multicast level 1.00

storm-control action shutdown

storm-control action trap

spanning-tree portfast

spanning-tree bpduguard enable

service-policy input Untrusted-Port

Also, this is what I have at the moment but I'm not sure how to exclude trunks, or maybe apply the statements only to those with access mode, simply adding those things in the must contain or must not contain doesn't work as it just adds another check.

Thank you!