Query all configration files stored in NPM/NCM for any line with the below: mac-address dynamic __:__:__:__:__:__ drop vlan XX

Hi All

I was wondering as I was asked this question today as we came across a scenario where a static mac-address dynamic __:__:__:__:__:__ drop vlan xx was blocking the device from getting network. Had to use netscoute on interface to identify where the location was as we have over 2000 devices/6000-7000 objects and over 1000 switches. Is there a way to setup NCM when it does a config backup setup for each evening that a scheduled task is setup to query all ncm files for that day if there is any mac address that is being blocked and to report the device details.

  • I must be able to query for "latest available config" on NCM to check for a "DENY" or "DROP" with a "Role Function" of device to not include firewalls but only Access/Distribution and Core Function Devices on network.

  • beyond doing a simple search for "static mac-address dynamic", I don't believe the search functions in SW will be of use.

    But, you can do compliance rules which have a richer set of regular expressions you can use.

    Making a compliance rule and setting it to regular expressions and then doing something like

    static mac-address dynamic [0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4} drop vlan [0-9].*

    You might want to anchor it at the beginning with a "^" or the end with a "$", might take some playing around to get it right.

    I'm assuming the mac address format is actually something like 0a1b.2c3d.4f5a rather than 0A:1B:2C:3D:4F:5A, if it is that you might have to use something like this to match your mac address instead.

    static mac-address dynamic [0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}:  drop vlan [0-9].*

    Once you have the rule assigned, put it in a policy (existing or new) and assign it to a report (existing or new) and when you update the cache, you should find the devices with this in it.   If you want to remove them, you can write a remediation rule to get rid of what it found.

    The rule would look something like this, note that the syntax on my switches that I was testing on was a bit different than the syntax you gave.


  • You could either do two rules, one for 'deny' and one for 'drop', or you could do a regex to match both, ie: "(deny|drop)".

    Not sure what you mean by "role function", is that a custom property you set up to distinguish between device types or something?   You set up what devices you want the report to target in the "Policy" part of the compliance section.   ie: you assign the rule (shown above) to a policy, and that policy has the ability to choose what devices you want to run it on.

    If you have a custom property named "RoleFunction", you would simply choose "Dynamic selection" of nodes, choose your custom property "RoleFunction" in the dropdown and choose "is" and type in whatever it needs to match in the last box.   If you have multiple things it needs to match, do an "or" with another rule below it with what else it needs to match.   Alternatively you could do a single rule that instead of saying "is", you could do "is not" and put in "Firewall" or whatever you use for firewalls there.

    I used the "MachineType" myself, which is the model of the device as its contained in SW.   But how you do it is your choice.