NCM 7.x has several node management improvements (common with Orion Core/NPM, new Discovery Sonar…).
Due to these changes, NCM 7.x has stricter rules related to node uniqueness and duplicate nodes are not allowed anymore in NCM 7.0 (because NCM nodes are being handled by Orion Core, which does not support duplicate nodes).

This NCM 6.x capability was sometimes used to deal with devices such as the Cisco ASA, which require management of multiple contexts.

The solution in NCM 7.x (can work in NCM 6.1 as well) uses multiple Config Types:

Solution:

1.       In Win32 NCM application, add a new Config Type for each context (for example Context1, Context2).

2.       Specify in your device template, how to switch to each context (see example below).

3.       Include the${ConfigType} macro in the Reset Command.

4.       Make sure to specify the RegEx value in the Reset command. Depending on your prompt settings, the value should be '#', '>', ']', etc.

5.       Avoid using ${ConfigType} macro in the DownloadConfig command. Make sure the command is the right one, e.g. "show running-config".

Device Template Example:

<Command Name="RESET" Value="${ConfigType}" RegEx="#" />

<Command Name="Context1" Value="command to switch to Context1"  />

<Command Name="Context2" Value="command to switch to Context2 "/>

<Command Name="DownloadConfig" Value="show running-config"/>

Explanation:

When NCM downloads a configuration, the first command issued is the ‘Reset’ command defined in the device template.

The ${ConfigType} macros will be replaced by the appropriate switch context command, based on the config type selected for the dowload.

The context will be dynamically switched before the download command is executed.

When the context is changed, so is the prompt. In order to recognize the prompt, a regular expression (RegEx) must be used to ignore the variable part of the prompt.

Example:

Let’s assume the command mode prompt after login is : Tex-3750#

-          After switching to Context1, the command mode prompt becomes Tex-3750-Context1#.

-          After switching to Context2,the command mode prompt becomes Tex-3750-Context2#.

The RegEx to use in the reset command should match the common portion of the prompt in both contexts. In this example this could be RegEx="#".

An NCM user shared the result of his work (FWSM on NCM 6.1):

Should work the same in NCM 7.0. Thanks csowerby

Cisco FWSM Virtual Context Template

Message was edited by: Jiri Cvachovec

I would like to find out details on use cases for network automation, especially in the context of configuration and change management. Please vote and ideally, leave a comment.

Recently I have been receiving a java error, while attempting to add a node. This is frustrating because I am just now noticing this is happening all over my network. I am running the java 8u45 (64-bit) on all of my servers.

JavaScript error:Sys.WebForms.PageRequestManagerServerErrorException

Sys.WebForms.PageRequestManagerServerErrorException: Object reference not set to an instance of an object.

undefined

500

Does anyone have any ideas?

Also as an FYI, I tried the following ((This article is also available for viewing online at http://knowledgebase.solarwinds.com/kb/questions/2399/ )).

Hi,

I am having issues ever since a recent update to IOS 15 on Cisco Catalyst 3750 devices.

Since then it seems that the NCM Comparison criteria, I have in place to ignore parts of the running and startup config, are not applied properly.

I have reapplied the regex exclusion criteria as per the article @ https://thwack.solarwinds.com/thread/33543, but still each comparison I perform is throwing out errors when a running/startup config is compared against each other.

In essence, the SSL certificate is not being ignored properly or the regex expressions are not used by the application to ignore parts of the config.

I am attaching below an example and the regex comparison criteria applied on the Solarwinds NCM instance.

I have also raised case # 856810 with Solarwinds support.

Hi

Can NCM help with duplicate IP in config ?

It's some loopback or interfaces IP that I dont monitor with NPM.

Alert or compliance report?

Hello All,

I have a custom script that I'm currently trying to implement to backup the configs on some ALU 7750's on our network. The 7750 uses admin display-config in the CLI to display the running configuration. When I try to download the config using NCM, I get an error stating that "Connection Refused Device IP: x.y.z.a"

I've run a session trace and here's what I get:

*** [172.29.60.87] OnClose received, err = 10060

*** [172.29.60.87] OnConnect received, err = 0
TiMOS-C-6.0.R2 cpm/hops ALCATEL SR 7750 Copyright (c) 2000-2008 Alcatel-Lucent.
All rights reserved. All use subject to applicable license agreements.
Built on Thu Mar 27 13:04:54 PDT 2008 by builder in /rel6.0/b1/R2/panos/main
WARNING! THIS IS A PRIVATE NETWORK AND IS FOR EXCLUSIVE USE BY AUTHORIZED PERSONNEL. Use of this service constitutes consent to monitoring.  Unauthorized use may result in prosecution under the Computer Fraud and Abuse Act of 1986 or other applicable statutes and regulations.

*A:7750-01#

*A:7750-01#

*A:7750-01#


            
7750-01# admin display-config
# TiMOS-C-6.0.R2 cpm/hops ALCATEL SR 7750 Copyright (c) 2000-2008 Alcatel-Lucent.

# All rights reserved. All use subject to applicable license agreements.

# Built on Thu Mar 27 13:04:54 PDT 2008 by builder in /rel6.0/b1/R2/panos/main


# Generated WED DEC 02 17:24:07 2009 UTC

exit all
configure
#--------------------------------------------------
echo "System Configuration"
#--------------------------------------------------
    system
        name "7750-01"
        contact ""
        location ""
        snmp
            packet-size 9216
        exit
        login-control
            telnet
                inbound-max-sessions 7
                outbound-max-sessions 7
Press any key to continue (Q to quit)
*** [172.29.60.87] OnClose received, err = 10060

and from what it looks like, the CLI is waiting for "any key" input to continue parsing through the config but for some reason NCM doesn't like that.

Here's what my device template looks like:

<!-- edited with XML Spy v4.4 U (http://www.xmlspy.com) by () -->
<!--SolarWinds Network Management Tools-->
<!--Copyright 2005 SolarWinds.Net All rights reserved-->
<Configuration-Management Device="Lucent Devices" SystemOID=" 1.3.6.1.4.1.6527.1.3.3">
    <Commands>
        <Command Name="RESET" Value=""/>
        <Command Name="ExitConfigMode" Value="exit"/>
        <Command Name="DownloadConfig" Value="admin display-config"/>
        <Command Name="Version" Value="show system information"/>
        <Command Name="DownloadConfigIndirect" Value="admin display-config"/>
    </Commands>
</Configuration-Management>

What do I need to add to the script to have NCM parse through the config without timing out ?

Any input would be gladly appreciated.

I'm creating a custom Health report and I'm trying to clean up the report.  I am trying to filter out lines that has specific keywords in the effort to clean up.  I think I have the filter in place but when I run the report, the keyword "SNY ACK" is still in the report.  What am I doing wrong?

and....

SQL output doesn't have "SNY ACK" filter:

SELECT Nodes.Caption AS NodeName,

Nodes.Location AS Location,

Nodes.StatusLED AS Status_Icon,

SysLog_SysLogSeverities.SeverityName AS Severity,

SysLog.Message AS Message

FROM

((SysLog INNER JOIN SysLogFacilities SysLog_SysLogFacilities ON (SysLog.SysLogFacility = SysLog_SysLogFacilities.FacilityCode)) INNER JOIN SysLogSeverities SysLog_SysLogSeverities ON (SysLog.SysLogSeverity = SysLog_SysLogSeverities.SeverityCode)) LEFT OUTER JOIN Nodes ON (SysLog.IP = Nodes.IP_Address)

WHERE

( DateTime BETWEEN 42239.5391782407 AND 42239.5833333333 )

AND 

(

  (

   (SysLog_SysLogSeverities.SeverityName = 'Error') OR

   (SysLog_SysLogSeverities.SeverityName = 'Warning'))

)

Hi,

I faced one problem with a report. The task is simple: I need to know if there is stormcontrol on interfaces. I check it on all network devices. But there is a problem, cause some interfacces on devices don't have stormcontrol. So, to filter devices, I want to get information from report, when a device has less than 4 violations on interfaces I get only Informational Alert, but when it's more than 4 violations, I want to get Critical Alert. There are pictures attached to clarify the situation. So, I want to get only informational Alert in the case of pic1, and Critical Alert in the 2nd case. How can I do it? Maybe not Info and Critical Alert, but somehow divide them from each other. If it's not possible in NCM, I am not interesting in a nice output with different alert levels, but I do need the number of interfaces, info I could get and analyze in Excel, for instance, where I could put threshold by myself. How can I get number "4" from the 1st pic, and "23" from the 2nd one?

Thank you in advance.

Hi,

We would like to use CCT to update interface configuration settings by first line, for example access vlan.

There for we would like to limit the ports where this CCT can be executed to, for example only access ports (never on trunk ports).

This there any functionality in CCT to implement this limitation? We prefer to not work based on port description but on port interface configuration ( ==switchport access or !=switchport trunk).

Even better would be to not show all ports in the selection list - I've been testing with tags and other things, none of these are working.

Kind regards,

• Steven.

Hi

I have a temp. that work just take too long to download the config.

I know that all the info I need from the router is in 2 or 3 commands.

How do I add those commands

Temp1 work take 15 min per node

<Configuration-Management Device="ALU 7360 ISAM" SystemOID="1.3.6.1.4.1.6527">

  <Commands>

    <Command Name="ALLOCATEPTY" Value="True" />

    <Command Name="MENUBASED" Value="False" />

    <Command Name="RESET" Value="environment inhibit-alarms mode batch prompt :--: />

    <Command Name="DOWNLOADCONFIG" Value="info configure " />

  </Commands>

</Configuration-Management>

Need this one to work

<Configuration-Management Device="ALU 7360 ISAM" SystemOID="1.3.6.1.4.1.6527">

  <Commands>

    <Command Name="ALLOCATEPTY" Value="True" />

    <Command Name="MENUBASED" Value="False" />

    <Command Name="RESET" Value="environment inhibit-alarms mode batch prompt :--:" RegEx=":--:" />

    <Command Name="DOWNLOADSYSTEM" Value="info configure system flat " />

    <Command Name="DOWNLOADSERVICE" Value="info configure service  flat" />

  </Commands>

</Configuration-Management>

I need a report that will show the number of violations each device has.

I need to inventory the various profiles currently configured on nearly 700 devices. (All devices are from the same vendor, and the majority as the same, or very similar models... if it were to matter...)

Currently, I have only been able to find a report that will count, and show me the devices/nodes that match the policy rule to the device config.

Currently, I am able to get a total count of devices/nodes that contain at least 1 violation.

In the screenshot below, I can see that 60 devices, out of nearly 700, are in violation.

I can click on the little blue icon, and expand out the tree to see a bit more info.

Everything up to this point is perfectly fine, as it is, and works as it should.

Now, I can see the numerous violations for that single device I clicked the icon for.

I need a count of those violations, per device.

So, in the example screenshot below, there are 60 devices in violation.

Device 1 of 60 has 15 individual violations of the policy.

So, each device has XX number of violations of the policy.

Now, for the sake of the example, let's say each of the 60 devices contain 15 violations.

This report would need to show me that we have 60 devices in violation (out of 685), and within those 60 devices, we have a total of 900 individual violations.

device1 =15 violations

device2 =15 violations

device3 =15 violations

etc...

This would allow us to see potential customer impact, per each different profile, if maintenance were to be performed.

This would also allow us to find, fix, and remove leftover, incorrect, and old profiles.

I have included a small example of a sample config for the devices requiring this policy report.

There are a total of 48 DSL interfaces.

A device could possibly have 0-48 violations.

The goal is to create various rules, one per each of the different dsl and access profiles.

This should give us approximately 20 different rules.

I need to be able to see the number of devices/nodes that currently have any violations. (This part already works, as it is the default behavior)

Also, I need to be able to see the number of times each rule is violated per device.

EXAMPLE RULES/VIOLATIONS:

dsl profile STANDARD

dsl profile BB1.5M

dsl profile BB5

access profile BASIC

access profile BB1.5

access profile BB5

EXPECTED RESULTS:

dsl profile STANDARD    3

dsl profile BB1.5M           2

dsl profile BB5                0 (In the case where a profile did not exist on the node, it would be preferred to simply omit the rule from the results, if possible)

access profile BASIC     3

access profile BB1.5      2

access profile BB5         1

interface dsl 19
 info Description "text possibly entered here"
 dsl profile STANDARD  service 1   pvc 0/35   access profile BASIC   override profile mac limit 2   shutdown  exit
 shutdown
exit
!
interface dsl 20
 info Description "Sometimes there is a name here"
 info Description2 "Sometimes there are numbers here"
 info Description3 "Sometimes there is nothing here, as seen below, on ports 21 & 22"
 dsl profile STANDARD  service 1   pvc 0/35   access profile BASIC   override profile mac limit 2   shutdown  exit
 shutdown
exit
!
interface dsl 21
 shutdown
exit
!
interface dsl 22
 dsl profile BB1.5M  service 1   pvc 0/35   access profile BASIC   override profile mac limit 2   no shutdown  exit
 no shutdown
exit
!
interface dsl 23
 dsl profile STANDARD  service 1   pvc 0/35   access profile BB1.5   override profile mac limit 2   no shutdown  exit
 no shutdown
exit
!
interface dsl 24
 dsl profile BB1.5M  service 1   pvc 0/35   access profile BB5   override profile mac limit 2   no shutdown  exit
 no shutdown
exit
!

The standard, default, compliance report ALMOST does this, out of the box.

The only thing I think it is missing, is counting the number of lines/violations per device, when you expand the tree on the results.

If anyone out there know how to calculate that last step, please let me know.

If there is already a way to get these results, then I surely apologize for being a big ol' dummy.

Either way, I am thankful for the assistance.

Thank you,

-Will

What version of SNMP do you use on your devices? 

SolarWinds Network Configuration Manager (NCM)

Compliance Simplified

                Security is at an all-time high for many network engineers.  Either being asked “are we good?”, “How’s our security policies?”, or “Hey do we have any security policies in place??”  We wanted to be able to resolve these questions and back them with reports to prove your network is compliant!

I’ve been working on an ebook to help unlock the mystery within NCM. Something that would help users and prospects to reach their full NCM potential. The attached documents are simply a chapter from this book that will help simplify compliance once and for all. 

In the Compliance Head Geek episode we went over basic to advanced ways of using this feature.  However, if you really want to dive in then please download the provided compliance documentation and follow the step by step with screenshots.

I've even provided a RegEx help document to bridge a gap from beginner to advanced users.  This will help you to fine tune your searches and get the matches you need.  You could say I have been in a cave for a long time writing and screenshotting…  Seriously, it’s been intense!

The ultimate goal behind these documents is to provide users information that can be used at any level of product knowledge.  Standardization and security needs is a perfect place to start with NCM in general.  These guides will help you to leverage the power of NCM through compliance remediation reporting.

• Compliance Reports Simplified
• RegEx Help

If you're curious about compliance or other features, then by all means download a free 30 day trial and check it out today!

Thank you,

~ Dez

I would like to find out details on use cases for network automation, especially in the context of configuration and change management. Please vote and ideally, leave a comment.

I want to create a policy to check "IP helper addresses", but I am struggling with the logic.

Basically, I am only interested in interfaces that already have "ip helper" configured, so IF "ip helper-address" exists on an interface, I want to check for 2 specific addresses. It is okay if numerous other addresses are configured (for now) as long as these 2 main ones exist. In the example below, how do I create a policy to check for 3.3.3.3 and 4.4.4.4 that would flag in interfaces Vlan200 & 300, but ignore 100 (because it is correct) and 500 (because it does not have ip helper configured at all)?

interface Vlan100

ip address 1.2.3.4 255.255.255.0

ip helper-address 1.1.1.1

ip helper-address 2.2.2.2

ip helper-address 3.3.3.3

ip helper-address 4.4.4.4

!

interface Vlan200

ip address 2.3.4.5 255.255.255.0

ip helper-address 1.1.1.1

!

interface Vlan300

ip address 3.4.5.6 255.255.255.0

ip helper-address 1.1.1.1

ip helper-address 4.4.4.4

!

interface Vlan500

ip address 2.3.4.5 255.255.255.0

!

Has anyone created a template to download configs from Transition switches?? I'm using NCM 7.3.2  and used the template utility available from Solarwinds. I'm able to test my connection with no problem but the template does not download the config.

I know there have been several discussions on how to backup multi-context ASA firewalls.

I am pretty sure I can script this.

login
enable
changeto system context
show context list send to NCM
copy running-config tftp://tftpserver/devicename/running-config
copy flash:context1 tftp://tftpserver/devicename/context1
copy flash:context2 tftp://tftpserver/devicename/context2
exit

But what I really want is to loop through each context name and send the configs.  They come and go at a regular pass, using a static script will always need maintenance.

Ideas? Open to other solutions.

Tim

While doing NCM configuration for a client, I needed a list of nodes which did not have a connection profile.  I like having every NCM node use a connection profile and a quick script gave me the info I wanted.  I'm sure we can group it and tweak it as needed.

select n.caption as Node_Name, n.IP_Address, n.vendor as Vendor

, isnull((select Name from NCM_ConnectionProfiles NCMp where NCMp.id = NCM.COnnectionProfile),'<No Profile>') as Connection_Profile

,NCM.DeviceTemplate

from nodes n

join (

  select CoreNodeID, devicetemplate, ConnectionProfile

  from NCM_nodes

  ) NCM on NCM.CoreNodeID=n.NodeID

Thanks

Amit shah

Loop1 Systems

Hello,

I have several nodes polling temperature sensors in our datacenter. Then I have mapped those temp sensor values to a map to display on the main page of Orion.

What I would like to do next is create an Average Datacenter Temperature and stick it on my map.

I looked in UnDP but it looks like through the GUI I can only do an Transform on SNMP values from a single node? Is there a hidden command like there is for Network Atlas ?

Anyone tried this before? Thoughts?

Thanks!