Features of Cisco Network Compliance Manager (NCM)

NetCraftsmen®
  1. Bare Metal Provisioning: This feature allows NCM to configure a device from scratch. The assumption is that the device console port is connected to a terminal server. NCM connects to the terminal server and discovers the device through the console port. It then pushes a config to the device and sets it up for use on the network.
  2. Device Configuration Template: This is a full configuration for a device that can be used as your “golden config”. Every time a new device is configured, it can use this device configuration template as a baseline for the configuration. Unique portions, such as IP addresses, can be added through device variables that are defined at implementation time.
  3. Command scripts: These are code snippets that can be run as a script. This is a great way to allow NOC personnel to safely execute commands without worrying about misconfigurations. The command scripts can even be forced to go through a workflow process. This could ensure that a higher level engineer reviews the command script before it is sent out.
  4. Policies: These are checks that are done against the device snapshots that are periodically taken. This is one of the strongest features of NCM. There are a number of different ways that policies can be used. One way is to check for stale configurations that should not exist. An example of this would be old SNMP server configurations that should be removed. The policy can also be configured to auto-remediate the problem and remove the stale configuration. To make this safer, the auto-remediation could be sent through a workflow for approval before it is actually implemented as a task. The second benefit of policies is standards-based policy compliance checks. These would be policies such as SOX and PCI. The third benefit of policies is automated checking of software vulnerabilities. This is provided with NCM Alert Center, a subscription-based service that is used to check for software vulnerabilities in Cisco devices. When a Cisco vulnerability announcement is released, Cisco creates an NCM policy to check for the software vulnerability. NCM downloads that policy from Cisco and uses it to check the devices it supports. If a vulnerability is found, it shows up in the policy compliance report. The great thing about this is that the Cisco-created policy checks for both the software version and the feature that causes the vulnerability. If the feature is not used, the device will not show up as vulnerable. This granularity ensures that only the devices truly vulnerable to a PSIRT are flagged.
  5. Software Image Management (SWIM): NCM collects all the information that is needed to determine the software version that should be used on the devices. By using SWIM, downloading updated software images from Cisco is just a matter of a few mouse clicks. Deployment of the software images is also just a few mouse clicks.
  6. Searching: The search functionality built into NCM is excellent. The searches are extremely flexible. When trying to search for a set of information about devices, I usually find an extremely easy way of creating the search. Additionally, searches can be saved as a user report. This saves a lot of time. An initial search may take a while to define which fields should show up and what information should be searched on. Once this is defined and saved as a user report, the information can be retrieved in a few mouse clicks.
  7. Inventory for Cisco SW Maintenance: By using the search functionality, a comprehensive list of devices and serial numbers can be retrieved. This information can be used to define the devices that need to be covered under Cisco SW maintenance for the upcoming year.
  8. Reporting: There are a number of great reports that NCM generates that show management level reports as well as detailed reports about the network environment.
  9. Diagrams: NCM can create L2, L3, L3 port, and other diagrams that show the network in a JPG, interactive JPG, or Visio format. You can also define which devices show up in the diagram to provide unique views showing the connectivity of different devices in the network.
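
The two policy checks described in item 4 (stale SNMP server lines with a reviewable remediation, and a vulnerability flag that requires both the affected version and the exposing feature) can be sketched in Python as follows. This is an added example, not NCM's policy engine or code from the original post; the snapshot, the approved-host list, and the advisory rule are all constructed for illustration.

```python
import re

# Constructed device snapshot (documentation-range addresses, not a real device).
SNAPSHOT = """\
version 15.1
hostname edge-rtr-01
snmp-server host 192.0.2.5 public
snmp-server host 192.0.2.99 public
ip http server
"""

# Assumption: the only SNMP server that should still be configured.
APPROVED_SNMP_HOSTS = {"192.0.2.5"}

# Hypothetical advisory rule: affected versions plus the config line that
# enables the feature the vulnerability depends on.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY",
    "versions": {"15.1", "15.2"},
    "feature": r"^ip http server$",
}

def stale_snmp_hosts(config, approved):
    """Return SNMP hosts present in the snapshot but not on the approved list."""
    hosts = re.findall(r"^snmp-server host (\S+)", config, re.M)
    return [h for h in hosts if h not in approved]

def remediation(config, approved):
    """Build the 'no ...' commands for stale lines, for approval before any task runs."""
    lines = re.findall(r"^(snmp-server host (\S+).*)$", config, re.M)
    return ["no " + line for line, host in lines if host not in approved]

def is_vulnerable(config, advisory):
    """Flag the device only when the version is affected AND the feature is enabled."""
    m = re.search(r"^version (\S+)", config, re.M)
    version_hit = bool(m) and m.group(1) in advisory["versions"]
    feature_hit = re.search(advisory["feature"], config, re.M) is not None
    return version_hit and feature_hit

if __name__ == "__main__":
    print("stale SNMP hosts:", stale_snmp_hosts(SNAPSHOT, APPROVED_SNMP_HOSTS))
    print("proposed remediation:", remediation(SNAPSHOT, APPROVED_SNMP_HOSTS))
    print(ADVISORY["id"], "vulnerable:", is_vulnerable(SNAPSHOT, ADVISORY))
```

A device on an affected version with the feature line negated (`no ip http server`) is not flagged, which is the granularity item 4 describes.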

I’ll be providing further blogs, in the future, showing screenshots of the features listed above. Feel free to shoot me an email if there’s a specific topic you wanted me to cover.
