Automating configuration compliance verification for Cisco Switches

Andrea Dainese
January 22, 2025

This article stems from a colleague’s request to automate the configuration compliance checks for hundreds of switches spread across the globe.

Introduction

Ensuring configuration compliance is essential for:

  • Verifying that devices meet expected configurations.
  • Detecting unauthorized changes (out-of-process modifications).
  • Measuring compliance levels.

In this guide, we’ll outline an integration that uses templates to check device configurations and generate reports with:

  • A list of ports reviewed, showing their compliance status.
  • A summary of the number of compliant and non-compliant ports per device.

We’ll focus on readability rather than advanced code optimization.

Using Catalyst Center

Our scenario assumes all devices are managed via Cisco Catalyst Center (formerly Cisco DNA Center). If you don’t have a local instance, you can use the sandbox environment available at sandboxdnac2.cisco.com with the credentials:

  • User: devnetuser
  • Password: Cisco123!

If we navigate to Provision → Inventory, we get a list of managed devices:

Clicking on a device opens a small popup that lets us access its detailed page:

By going to Interfaces → Ethernet Ports → GigabitEthernet1/0/4, we can view the interface details:

We can see that the window displays some information, but it is rather limited.

Next, let’s navigate to Configuration to check the interface configuration:

From this, we can draw some initial conclusions:

  • Catalyst Center contains the configurations (running-config) for all our devices.
  • Catalyst Center provides high-level information about interface configurations, but details (e.g., STP, Port Security, QoS) are only accessible by examining the running-config.

This situation arises because we are still heavily reliant on the CLI for managing switches. It’s fair to say that these devices are CLI-first. Orchestrators like Catalyst Center tend to provide a limited view, leaving the CLI as the primary tool for accessing detailed information.
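As an added example (not the author's code, and not part of the post), the Python below does the running-config inspection the post points at: a constructed IOS config fragment is parsed into interface stanzas, each access port is checked against a hypothetical template, and the result is the per-port status list and per-device summary described in the introduction. The config text and the template lines are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample running-config (not taken from a real device).
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description Uplink to CORE
 switchport mode trunk
!
"""

# Hypothetical template: lines every access port is expected to carry.
ACCESS_PORT_TEMPLATE = (
    "switchport port-security",
    "spanning-tree portfast",
    "spanning-tree bpduguard enable",
)

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line closes the stanza
    return interfaces

def check_compliance(config, template=ACCESS_PORT_TEMPLATE):
    """Return (per-port report, summary counts) for all access ports in config."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are outside this template's scope
        missing = [t for t in template if t not in lines]
        report[name] = {"compliant": not missing, "missing": missing}
    summary = Counter("compliant" if r["compliant"] else "non_compliant" for r in report.values())
    return report, dict(summary)
```

In the real integration the config text would come from Catalyst Center's stored running-config for each device rather than an inline string.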

Continue reading the post on Patreon.