Features of Cisco Network Compliance Manager (NCM)

  1. Bare Metal Provisioning: This feature allows NCM to configure a device from scratch. The assumption is that the device console port is connected to a terminal server. NCM connects to the terminal server and discovers the device through the console port. It then pushes a config to the device and sets it up for use on the network.
  2. Device Configuration Template: This is a full configuration for a device that can be used as your “golden config”. Every time a new device is configured, it can use this device configuration template as a baseline for the configuration. Unique portions, such as IP addresses, can be added through device variables that are defined at implementation time.
  3. Command scripts: These are code snippets that can be run as a script. This is a great way to allow NOC personnel to safely execute commands without worrying about misconfigurations. The command scripts can even be forced to go through a workflow process. This could ensure that a higher level engineer reviews the command script before it is sent out.
  4. Policies: These are checks that are run against the device snapshots that are periodically taken. This is one of the strongest features of NCM. There are a number of different ways that policies can be used. One way is to check for stale configuration that should not exist. An example of this would be old SNMP server configuration that should be removed. The policy can also be configured to auto-remediate the problem and remove the stale configuration. To make this safer, the auto-remediation can be sent through a workflow for approval before it is actually implemented as a task. The second benefit of policies is standards-based compliance checks. These would be policies such as SOX and PCI. The third benefit of policies is automated checking for software vulnerabilities. This is provided by NCM Alert Center, a subscription-based service that checks for software vulnerabilities in Cisco devices. When a Cisco vulnerability announcement is released, Cisco creates an NCM policy to check for the software vulnerability. NCM downloads that policy from Cisco and uses it to check the devices it supports. If a vulnerability is found, it shows up in the policy compliance report. The great thing about this is that the Cisco-created policy checks for both the software version and the feature that causes the vulnerability. If the feature is not used, the device will not show up as vulnerable. This granularity ensures that only the devices truly vulnerable to a PSIRT are flagged.
  5. Software Image Management (SWIM): NCM collects all the information that is needed to determine the software version that should be used on the devices. By using SWIM, downloading updated software images from Cisco is just a matter of a few mouse clicks. Deployment of the software images is also just a few mouse clicks.
  6. Searching: The search functionality built into NCM is excellent. The searches are extremely flexible. When trying to search for a set of information about devices I usually find an extremely easy way of creating the search. Additionally, searches can be saved as a user report. This saves a lot of time. An initial search may take awhile to define which fields should show up and what information should be searched on. Once this is defined and saved as a user report, the information can be retrieved in a few mouse clicks.
  7. Inventory for Cisco SW Maintenance: By using the search functionality, a comprehensive list of devices and serial numbers can be retrieved. This information can be used to define the devices that need to be covered under Cisco SW maintenance for the upcoming year.
  8. Reporting: There are a number of great reports that NCM generates, including management-level reports as well as detailed reports about the network environment.
  9. Diagrams: NCM can create L2, L3, L3 port, and other diagrams that show the network in JPG, interactive JPG, or Visio format. You can also define which devices show up in the diagram to provide unique views showing the connectivity of different devices in the network.
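To make the template (item 2) and policy (item 4) ideas concrete, here is a small added example in Python. It is not NCM code and does not use any NCM API; it renders a golden-config template from device variables, then runs two policy checks over a constructed IOS-style snapshot: a stale-SNMP-community check that proposes a remediation command for a workflow to approve, and a vulnerability-style rule that only flags a device when both the affected software version and the affected feature are present. The hostname, communities, IP addresses, version string and the "ip http server" feature rule are all constructed for the example, not data from Cisco or the Alert Center.

```python
"""Added illustration of NCM-style golden-config templates and snapshot
policies.  Not NCM code; every device value below is constructed."""
import re
from dataclasses import dataclass

# --- golden config template with device variables (constructed sample) ---
GOLDEN_TEMPLATE = """\
hostname {hostname}
interface Loopback0
 ip address {loopback_ip} 255.255.255.255
snmp-server community {snmp_ro_community} RO
snmp-server host {snmp_host} version 2c {snmp_ro_community}
"""


def render_template(template: str, variables: dict) -> str:
    """Fill in the device-unique portions; refuse to render with a variable unset."""
    missing = set(re.findall(r"\{(\w+)\}", template)) - set(variables)
    if missing:
        raise KeyError(f"unset device variables: {sorted(missing)}")
    return template.format(**variables)


@dataclass
class Finding:
    device: str
    policy: str
    detail: str
    remediation: str = ""  # command a task could push after workflow approval


# Stale SNMP config: any community outside the approved set should be removed.
APPROVED_COMMUNITIES = {"netops-ro-2024"}  # constructed value


def check_stale_snmp(device: str, config: str) -> list:
    findings = []
    for m in re.finditer(r"^snmp-server community (\S+)", config, re.M):
        community = m.group(1)
        if community not in APPROVED_COMMUNITIES:
            findings.append(Finding(
                device, "stale-snmp-community",
                f"unapproved community '{community}' present",
                remediation=f"no snmp-server community {community}"))
    return findings


# Vulnerability-style rule: flag only when BOTH the affected version matches
# AND the affected feature is configured.  Version and feature are hypothetical.
AFFECTED_VERSIONS = {"15.1(4)M"}  # constructed, not a real advisory


def check_vulnerable_feature(device: str, config: str, version: str) -> list:
    feature_enabled = re.search(r"^ip http server\b", config, re.M) is not None
    if version in AFFECTED_VERSIONS and feature_enabled:
        return [Finding(device, "psirt-example-http-server",
                        f"version {version} with 'ip http server' enabled",
                        remediation="no ip http server")]
    return []


def run_policies(device: str, config: str, version: str) -> list:
    """Run every policy over one snapshot and return the findings."""
    return (check_stale_snmp(device, config)
            + check_vulnerable_feature(device, config, version))


# Constructed snapshot: one approved community, one stale one, feature enabled.
SNAPSHOT = """\
hostname edge-rtr-1
ip http server
snmp-server community legacy-ro-2019 RO
snmp-server community netops-ro-2024 RO
snmp-server host 10.0.0.5 version 2c netops-ro-2024
"""

if __name__ == "__main__":
    print(render_template(GOLDEN_TEMPLATE, {
        "hostname": "edge-rtr-2", "loopback_ip": "10.255.0.2",
        "snmp_ro_community": "netops-ro-2024", "snmp_host": "10.0.0.5"}))
    for f in run_policies("edge-rtr-1", SNAPSHOT, "15.1(4)M"):
        print(f"{f.device}: {f.policy}: {f.detail} -> {f.remediation}")
```

The remediation string is deliberately returned rather than applied: in the workflow model the article describes, a reviewer approves the task before anything is pushed to the device. Running the same snapshot with a version outside `AFFECTED_VERSIONS`, or with `ip http server` absent, yields no vulnerability finding, which is the version-plus-feature granularity the Alert Center policies are described as providing.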

I’ll be providing further blogs, in the future, showing screenshots of the features listed above. Feel free to shoot me an email if there’s a specific topic you wanted me to cover.

Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in the IT industry spanning academia, technical and customer support, pre-sales, post-sales, project management, training and enablement. He has worked in the Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services. Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.