Creating Policies with Cisco NCM


Do you have security policy requirements that need to be enforced on your routers and switches?  One option to accomplish this task is to periodically check the configurations of all routers and switches. This approach is painful and time consuming.  Another option is to use an application to automate this process.  This is one of the areas where Cisco Network Compliance Manager (NCM) can assist.  With NCM you can create policies that regularly check for elements of your security policy and alert you if they are not being met.  NCM does this by first grabbing the router and switch configurations on a periodic basis.  NCM then matches these configurations against the NCM policies that you create to meet your security policy.  Here’s an example showing how this would be configured within NCM.

In this example, we’re assuming that the security policy states that SNMP access to routers and switches must be limited by an access control list (ACL).  The overall steps are listed below.  We’ll go into each step in detail.

  1. Create a policy and define which devices the policy applies to
  2. Assign rules to the policy
  3. Test the policy
  4. Configure the policy to run at scheduled intervals

Creating the Policy

1.  Access “Policies > New Policy”

2.  Fill in the name of the policy and the device groups that will be checked with this policy

3.  Click on “New Rule” to create a rule that defines the policy requirements.

4.  In our case, we will be creating a rule for Cisco IOS devices that requires an ACL to be applied to all SNMP community strings.   This will control the IP addresses that can access the IOS devices via SNMP.  The first step is to create a rule name and define the rule type.  In our case, we will be looking at the configuration, so we will choose the “Configuration” type shown below.  This will be the rule type used in most cases.

5.  In the next section of the rule configuration, choose the device drivers that this rule applies to.  In this example all device drivers that apply to Cisco IOS are chosen.  This is shown below.

6.  In the next section of the rule configuration, we define the rule.  This rule should ensure that when an SNMP community string is defined in IOS, there is an associated ACL applied to limit which IP addresses can access the device via SNMP.  An example of this command would be “snmp-server community MYSNMPSTRING RO 55”.  In this example, the community string is MYSNMPSTRING, the SNMP community is read-only, and the ACL is 55.  We must create a regular expression that will match that string as well as other valid strings.  The full regular expression is shown below.

“snmp-server community [a-zA-Z0-9_]+ (RO|RW) [a-zA-Z0-9]+”

This regular expression starts with the fixed string “snmp-server community”.  This is followed by a regular expression that allows lower case, upper case, numbers, and _ in it.  This should match the community string.  This is followed by either RO or RW.  Finally, another lower case, upper case, and numeric regular expression follows that defines a named or numbered standard ACL.

One important item is that the regular expression checkbox must be checked.  If it is not checked, the regular expression in the text box will not be evaluated.  Also highlighted in the screenshot below is the “get help” link, which provides additional help on regular expressions.

7.  At the bottom of the rule creation screen, additional comments can be added.  Once those are added, click “Save”.

8.  Clicking “Save” brings you back to the policy configuration screen.  At the bottom of this screen, add any additional comments and click “Save”.

9.  Clicking “Save” on the policy configuration screen brings you back to the policy list.  From here we can test the newly created policy.  One method of testing is to click on the “Test” action in the far-right column of the policy row.  This is shown below.

10.  Clicking on “Test” displays another screen where the devices to test the policy on are chosen.  Choose a device and click the “>>>” button to add the device.  Then click “Perform Test” to run the policy against the device.  This happens quickly, because it operates on the last saved configuration that was retrieved from the device.

11.  If the test fails, check the device configuration to see if it is in compliance.  If the device is in compliance, check for errors in the regular expression.  The screenshot below shows an example of a failed policy check.

12.  Another method of testing the policy is to click on “Policies > Test Policy Compliance”.  This method has the added benefit of allowing commands to be entered into a text field and run the policy check against those commands.  This is a quicker and easier way to troubleshoot issues with a policy.

13.  In the “Test Policy Compliance” screen that appears, choose the policy that was just created, enter a sample SNMP command into the text box, and choose the device family.  Then click “Perform Test”.

14.  Using this method, you can easily check a number of different scenarios to make sure the policy rule is working as it should.  The screenshot below shows the result from a successful policy check.
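The scratch testing described in steps 12 through 14 can be reproduced offline.  The following Python script is an added example, not part of the original post or of NCM itself.  It takes the regular expression from step 6 exactly as written and runs it two ways over a constructed sample configuration: once as a single search over the whole configuration (which is satisfied as soon as one community line carries an ACL), and once line by line, which also reports every “snmp-server community” line that lacks an ACL.  The hostname, community strings and ACL numbers in the sample are made up for the example.

```python
import re

# Regular expression from step 6 of the post, exactly as given there.
NCM_RULE_REGEX = r"snmp-server community [a-zA-Z0-9_]+ (RO|RW) [a-zA-Z0-9]+"

# Constructed sample configuration (not from any real device): three
# community strings, one of which has no ACL, plus the ACLs the others use.
SAMPLE_CONFIG = """\
hostname EDGE-RTR-01
snmp-server community MYSNMPSTRING RO 55
snmp-server community netops_rw RW 56
snmp-server community public RO
access-list 55 permit 10.1.1.0 0.0.0.255
access-list 56 permit 10.1.1.10
"""


def rule_matches_anywhere(config_text):
    """Whole-configuration check: True if the rule regex matches at least
    one line. One compliant community line is enough to return True."""
    return re.search(NCM_RULE_REGEX, config_text, re.MULTILINE) is not None


def community_lines(config_text):
    """Every 'snmp-server community' line in the configuration, stripped."""
    return [line.strip() for line in config_text.splitlines()
            if line.strip().startswith("snmp-server community ")]


def unrestricted_communities(config_text):
    """Per-line check: community lines that do not fully match the rule
    regex, i.e. community strings defined without a trailing ACL (or in a
    form the regex does not recognise)."""
    return [line for line in community_lines(config_text)
            if re.fullmatch(NCM_RULE_REGEX, line) is None]


def check_sample_command(command):
    """Equivalent of typing one sample command into 'Test Policy
    Compliance' (step 13): True if the command satisfies the rule."""
    return re.fullmatch(NCM_RULE_REGEX, command.strip()) is not None


if __name__ == "__main__":
    print("whole-config match:", rule_matches_anywhere(SAMPLE_CONFIG))
    for line in unrestricted_communities(SAMPLE_CONFIG):
        print("no ACL on community line:", line)
    for cmd in ("snmp-server community MYSNMPSTRING RO 55",
                "snmp-server community public RO"):
        print(f"{cmd!r}: {'PASS' if check_sample_command(cmd) else 'FAIL'}")
```

Running the script shows the difference between the two checks on the sample: the whole-configuration search reports a match because the first community line has ACL 55, while the per-line check lists “snmp-server community public RO” as the one community string defined without an ACL.  The per-line loop is the form to use when the requirement is that every community string is restricted, not merely that at least one is.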

Scheduling the Policy to Run

At this point, the policy has been defined.  It still needs to be scheduled to run before it takes effect.  As an analogy, this state is similar to defining an ACL, but not applying it to an interface.  The policy is scheduled by creating a new task.  The steps for doing this are shown below.

1.  Create a new task by accessing “Devices > Device Tasks > Check Policy Compliance”

2.  Fill in the fields so that the task runs on the appropriate group, checks configuration policy compliance, and runs daily.  This is shown below with the important fields in red.

3.  Click on “Save Task”.  The SNMP policy that was just created will now run on a recurring daily basis.  This also means that any new configuration policies assigned to the inventory group will also run daily.

2 responses to “Creating Policies with Cisco NCM”

  1. Thanks for sharing. It is really important for people to know the importance of network security.



Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in the IT industry, spanning academia, technical and customer support, pre-sales, post-sales, project management, training and enablement. He has worked in the Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as a Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.