Use NQE to grab Helper IP's from Interfaces

  • 12 June 2024
  • 1 reply

Userlevel 4
Badge +2

Apologies - This isn’t a question, and I can’t change it to a conversation -

With recent changes in our NAC servers, we needed to check that our ‘ip helper-addresses’ were consistent to our regional standards. This is something we usually did with Python, but here’s a simple script to grab the helpers on each of the interfaces.  I got the script working, but had some formatting issues, and thankfully a colleague was able to use some logic to format (@danny,Ramirez) via this statement:

let ips = (foreach ip in ServerIP where == select distinct toString(

Ideally, we would would define the NAC servers per region, and export them as a check, but I haven’t gotten there yet ;-)

pattern = ```
interface {IntName:string}
ip helper-address {helper:ipv4Address}

foreach device in network.devices
// Feel free to trim the scope with a where
// where "Branch" in device.tagNames && "Core" in device.tagNames && "C9500" in device.tagNames
let outputs = device.outputs
foreach command in outputs.commands
where command.commandType == CommandType.CONFIG
let parsed = parseConfigBlocks(OS.IOS_XE , command.response)
foreach match in blockMatches(parsed, pattern)
let ServerIP = blockMatches(device.files.config, pattern)
// Thanks Danny !
let ips = (foreach ip in ServerIP where == select distinct toString(

select distinct{,,
Tag: device.tagNames

resulting in a list of device interfaces and the helpers:


1 reply

Userlevel 3
Badge +1

You could consider creating a lists such as ...

validservers = ["address 1", "address 2", "address 3"]

for each region then in your code compare each IP helper address to this list

validIP(device, ip) =
min(for each x in [0]
// any logic for which device is appropriate for a given list of valid servers would be put here. For example use tagNames on devices to select the right list
// define as true when the ip is not in the list
let violation = ip not in validservers
select violation

You’d need to alter the logic for the final area of the script so that you run the validIP function, which provides a true value for any IP not in the valid server list. 


(i’ve not built this, so it may contain typo’s)