As part of a network initiative, I’m sharing all the scripts that I have worked on to create an audit program. These files are then fed into Power BI for better visualization by engineers and mgmt.



The first step is to create a utility called “tag_var_util” that grabs tags, which are then used as part of the logic to assign a template to different sets of attributes.
This utility will then be imported into all other NQE audit scripts.
// Create a new NQE Function called: tag_var_util
// Add the following utility to extract tags given to devices in Forward Networks Sources
// Environment tag lookup.
// Passes the device's tags and the candidate values DC, CoLo, Branch and AWS
// to get_list_match_from_tags and returns whatever that helper returns.
// NOTE(review): get_list_match_from_tags is not part of this listing; it has
// to be defined in this module for the exports to compile.
export get_env_from_tags(tags: Bag) =
  get_list_match_from_tags(tags, ["DC", "CoLo", "Branch", "AWS"]);
// Location sub-category tag lookup (Branch, DC01, DC02).
// "Branch" is also a candidate in get_env_from_tags, so a device tagged
// "Branch" can be reported in both columns.
export get_SubDc_from_tags(tags: Bag) =
  get_list_match_from_tags(tags, ["Branch", "DC01", "DC02"]);
// Owning-manager tag lookup: candidates are Moe, Larry and Curly.
export get_mgr_from_tags(tags: Bag) =
  get_list_match_from_tags(tags, ["Moe", "Larry", "Curly"]);
// Region tag lookup: candidates are EMEA, AMRS, APAC and LATM.
// The audit queries compare the returned value against these exact strings
// when choosing a compliance template.
export get_region_from_tags(tags: Bag) =
  get_list_match_from_tags(tags, ["EMEA", "AMRS", "APAC", "LATM"]);
// Device-function tag lookup (Firewall, LB, Proxy, WLC, Router, Switch,
// Controller). Used only as a reporting column by the audit queries.
export get_function_from_tags(tags: Bag) =
  get_list_match_from_tags(tags, [
    "Firewall", "LB", "Proxy", "WLC",
    "Router", "Switch", "Controller"
  ]);
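// Management-VRF tag lookup: identifies which VRF (if any) is associated with
// the management interface of a device.
// "vrf_Mgmt-intf" and "vrf_management" are listed because the IOS-XE and
// NX-OS NTP queries compare the returned value against those strings; if the
// helper can only return values from this list (TODO confirm against
// get_list_match_from_tags), those template branches could never be selected
// without them.
export return_vrf_from_tags(tags: Bag) =
  get_list_match_from_tags(tags, [
    "vrf_1",
    "vrf_NM",
    "vrf_None",
    "vrf_mgmt",
    "vrf_Mgmt-intf",
    "vrf_management"
  ]);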
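// Management-interface tag lookup: identifies which interface a device uses
// for management.
// "Mgmt_Ma1" and "Mgmt_v211" are listed because the EOS and NX-OS NTP queries
// compare the returned value against those strings; if the helper can only
// return values from this list (TODO confirm against
// get_list_match_from_tags), those template branches could never be selected
// without them.
// NOTE(review): "mgmt_mgmt0" is lower-case while the other entries start with
// "Mgmt_", and no query on this page compares against it — confirm the tag
// spelling used on the devices.
export return_mgmt_from_tags(tags: Bag) =
  get_list_match_from_tags(tags, [
    "mgmt_mgmt0",
    "Mgmt_Lo0",
    "Mgmt_Ma0",
    "Mgmt_Gi0",
    "Mgmt_Ma1",
    "Mgmt_v211"
  ]);

Arista NQE for NTP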
/***
 * @intent NTP Validation (eos)
 * @description Validates Arista EOS NTP configs and extracts server/source details.
 *
 * LOGIC SUMMARY:
 * 1. Checks device against regional patterns (AMRS, vrf_NM, etc).
 * 2. Outputs a clean table with missing lines, extra lines and current settings.
 ***/
import "Standards_Network/NetworkVars/tag_var_util";
// =============================================================================
// SECTION 1. Helper Functions
// =============================================================================
// Returns the device configuration as a single value taken from the collected
// command outputs of type CommandType.CONFIG.
// max() reduces the selected responses to one value; the caller checks the
// result with isPresent() before using it.
getConfigAsString(device) =
  max(foreach cmd in device.outputs.commands
      where cmd.commandType == CommandType.CONFIG
      select cmd.response);
// =============================================================================
// SECTION 2. Config Patterns
// =============================================================================
// Compliance templates compared against the device config with blockDiff().
// The templates contain only server and local-interface lines. NTP
// authentication lines are not part of any template, and the regexes in
// SECTION 3 do not capture them either, so a device without NTP
// authentication is still reported as "Pass". Add the expected lines here if
// the standard requires authenticated NTP.
// Fallback template used when no region/management/VRF combination matches.
// "Investigate" is presumably not a real config line, so blockDiff() reports
// it as missing and the device is flagged for review.
eosDiffPatternDefault = ```
Investigate
```;
// AMRS standard for devices that source NTP from Loopback0 (no VRF).
eosDiffPatternAMRS_Lo0 = ```
ntp local-interface Loopback0
ntp server 7.6.254.123
ntp server 7.6.255.123
ntp server 7.10.254.123
ntp server 7.10.255.123
```;
// AMRS standard for devices that source NTP from Management1 in VRF NM.
eosDiffPatternAMRS_vrfNM_Ma1 = ```
ntp local-interface vrf NM Management1
ntp server vrf NM 7.6.254.123
ntp server vrf NM 7.6.255.123
ntp server vrf NM 7.10.254.123
ntp server vrf NM 7.10.255.123
```;
// =============================================================================
// SECTION 3. RegEx Patterns
// =============================================================================
// Each regex starts with "\n", so a match has to begin at the start of an
// unindented line, and the matched string includes that leading newline
// (main strips it again for the display columns). [^\n]* takes the rest of
// the line.
// NOTE(review): an ntp line that is the very first line of the searched text
// has no preceding "\n" and is not matched — confirm that neither the config
// text nor the template text can start with an ntp line.
reNtpServerPattern = re`\nntp server[^\n]*`;
reNtpSourcePattern = re`\nntp source[^\n]*`;
reNtpLocalPattern = re`\nntp local-interface[^\n]*`;
// =============================================================================
// SECTION 4. Main
// =============================================================================
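// Builds one result row per Arista EOS device: picks the NTP template that
// matches the device's region / management-interface / VRF tags, diffs the
// device config against it, and lists NTP lines that are missing or extra.
//
// Changes against the original listing:
//   * subDc is now bound (it was selected as SubEnv without a definition).
//   * The auth and eos columns are commented out: nothing in this query or in
//     the tag_var_util helpers shown on this page defines those names, so the
//     query could not compile with them.
main =
  foreach device in network.devices
  where device.platform.os == OS.ARISTA_EOS
  // Keep only entries whose name equals the device's physical name.
  where device.name == device.system.physicalName
  // STEP 1: Get the config as a String (for regex use); "" when no CONFIG
  // output was collected, so the regex steps below simply find nothing.
  let configResponse = getConfigAsString(device)
  let configAsString = if isPresent(configResponse) then configResponse else ""
  // STEP 2: Collect tags
  let region = get_region_from_tags(device.tagNames)
  let deviceFunc = get_function_from_tags(device.tagNames)
  let environment = get_env_from_tags(device.tagNames)
  let vrf = return_vrf_from_tags(device.tagNames)
  let manager = get_mgr_from_tags(device.tagNames)
  let subDc = get_SubDc_from_tags(device.tagNames)
  let mgmtSource = return_mgmt_from_tags(device.tagNames)
  let ip = device.snapshotInfo.collectionIp
  // STEP 3: Select compliance template based on region/vrf/mgmt.
  // Each branch returns {block: <template>, name: "<templateName>"}.
  // The first branch only fires if return_mgmt_from_tags can return
  // "Mgmt_Ma1"; that value has to be among the tags the helper searches for.
  let selected =
    // --- Ma1 vrf_NM ---
    if region == "AMRS" && mgmtSource == "Mgmt_Ma1" && vrf == "vrf_NM"
      then {block: eosDiffPatternAMRS_vrfNM_Ma1, name: "eosDiffPatternAMRS_vrfNM_Ma1"}
    // --- Lo0 vrf_None ---
    else if region == "AMRS" && mgmtSource == "Mgmt_Lo0" && vrf == "vrf_None"
      then {block: eosDiffPatternAMRS_Lo0, name: "eosDiffPatternAMRS_Lo0"}
    // --- Default / Investigate ---
    else {block: eosDiffPatternDefault, name: "Dummy_Investigate"}
  let eosDiffPattern = selected.block
  let patternName = selected.name
  // STEP 4: Determine valid lines from the selected template using regex.
  // The template is turned into text and its ``` fences are removed first.
  let patternStr = replace(toString(eosDiffPattern), "```", "")
  let validLines =
    (foreach r in regexMatches(patternStr, reNtpServerPattern) select r.string) +
    (foreach r in regexMatches(patternStr, reNtpSourcePattern) select r.string) +
    (foreach r in regexMatches(patternStr, reNtpLocalPattern) select r.string)
  // STEP 5: Calculate compliance diffs (template lines missing on the device)
  let blockDiffResult = blockDiff(device.files.config, eosDiffPattern)
  // STEP 6: Extract actual NTP lines from the device config
  let configuredLines =
    (foreach r in regexMatches(configAsString, reNtpServerPattern) select r.string) +
    (foreach r in regexMatches(configAsString, reNtpSourcePattern) select r.string) +
    (foreach r in regexMatches(configAsString, reNtpLocalPattern) select r.string)
  // STEP 7: Extra = lines on device not in the selected template.
  // Only server / source / local-interface lines are compared; other ntp
  // lines (for example authentication settings) are neither required nor
  // reported by this audit.
  let extraLines = configuredLines - validLines
  // STEP 8: Format extraction lists for display columns (the regexes capture
  // a leading "\n", which is removed here).
  let ntpServerList = (foreach r in regexMatches(configAsString, reNtpServerPattern)
                       select replace(r.string, "\n", ""))
  let ntpSourceList = (foreach r in regexMatches(configAsString, reNtpSourcePattern)
                       select replace(r.string, "\n", ""))
  let ntpLocalList = (foreach r in regexMatches(configAsString, reNtpLocalPattern)
                      select replace(r.string, "\n", ""))
  let allNtpLines = ntpServerList + ntpSourceList + ntpLocalList
  // =============================================================================
  // SECTION 5. Select
  // =============================================================================
  select {
    // "Fail" when a template line is missing or an unexpected NTP line exists.
    violation: if blockDiffResult.diffCount > 0 || length(extraLines) > 0 then "Fail" else "Pass",
    device: device.name,
    ip: ip,
    // auth: auth,  // NOTE(review): no binding for auth exists in this query;
    //              // restore once a tag helper for it is available.
    os: device.platform.osVersion,
    model: device.platform.model,
    pattern: patternName,
    missing: if blockDiffResult.diffCount == 0
             then "None"
             else toString(blockDiffResult.blocks),
    extra: if length(extraLines) == 0
           then "None"
           else join("\n", order(foreach line in extraLines
                                 select replace(line, "\n", ""))),
    NTP_Config: if length(allNtpLines) == 0
                then "None"
                else join("\n", order(allNtpLines)),
    region: region,
    vrf: vrf,
    mgmtSource: mgmtSource,
    // eos: eos,    // NOTE(review): no binding for eos exists in this query.
    environment: environment,
    SubEnv: subDc,
    function: deviceFunc,
    manager: manager
  };
export eos_ntp_compliance = main();
main()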
IOS-XE NQE for NTP
/***
* @intent NTP Compliance Audit (IOS-XE SD-WAN)
* @description Validates Cisco IOS-XE NTP server and source-interface config against regional standards.
***/
import "Standards_Network/NetworkVars/tag_var_util";
// =============================================================================
// SECTION 1 — HELPER FUNCTIONS
// =============================================================================
// Returns the device configuration as a single value taken from the collected
// command outputs of type CommandType.CONFIG.
// max() reduces the selected responses to one value; main checks the result
// with isPresent() and falls back to "" when nothing was collected.
getConfigAsString(device) =
  max(foreach cmd in device.outputs.commands
      where cmd.commandType == CommandType.CONFIG
      select cmd.response);
// =============================================================================
// SECTION 2 — COMPLIANCE PATTERNS
// =============================================================================
// Compliance templates compared against the device config with blockDiff().
// Naming: <REGION>_<source interface>_<vrf>. The templates contain only
// "ntp server" and "ntp source" lines. NTP authentication lines are not part
// of any template and are not captured by the regexes in SECTION 3, so a
// device without NTP authentication is still reported as "Pass". Add the
// expected lines here if the standard requires authenticated NTP.
// Fallback template used when no region matches. "Investigate" is presumably
// not a real config line, so blockDiff() reports it as missing.
ntpPatternDefault = ```
Investigate
```;
// --- AMRS ---
AMRS_Lo0_vrfNone = ```
ntp server 1.1.1.1
ntp server 1.1.1.2
ntp server 1.1.1.3
ntp server 1.1.1.4
ntp source Loopback0
```;
AMRS_Gi0_vrfMgmtintf = ```
ntp source GigabitEthernet0
ntp server vrf Mgmt-intf 1.1.1.1
ntp server vrf Mgmt-intf 1.1.1.2
ntp server vrf Mgmt-intf 1.1.1.3
ntp server vrf Mgmt-intf 1.1.1.4
```;
// --- APAC ---
// The APAC templates list the same four servers as the AMRS templates.
APAC_Lo0_vrfNone = ```
ntp source Loopback0
ntp server 1.1.1.1
ntp server 1.1.1.2
ntp server 1.1.1.3
ntp server 1.1.1.4
```;
APAC_Gi0_vrfMgmtintf = ```
ntp source GigabitEthernet0
ntp server vrf Mgmt-intf 1.1.1.1
ntp server vrf Mgmt-intf 1.1.1.2
ntp server vrf Mgmt-intf 1.1.1.3
ntp server vrf Mgmt-intf 1.1.1.4
```;
// --- EMEA ---
// NOTE(review): EMEA_Lo0_vrfNone lists 1.2.1.1 and 1.2.2.1, while
// EMEA_Gi0_vrfMgmtintf lists 1.2.1.1 and 1.2.1.2 — confirm which second
// server address is the intended standard.
EMEA_Lo0_vrfNone = ```
ntp server 1.2.1.1
ntp server 1.2.2.1
ntp source Loopback0
```;
EMEA_Gi0_vrfMgmtintf = ```
ntp source GigabitEthernet0
ntp server vrf Mgmt-intf 1.2.1.1
ntp server vrf Mgmt-intf 1.2.1.2
```;
// --- LATM ---
// Only a Loopback0 template exists for LATM; there is no Mgmt-intf variant.
LATM_Lo0_vrfNone = ```
ntp server 1.1.1.1
ntp server 1.1.1.2
ntp server 1.1.1.3
ntp server 1.1.1.4
ntp source Loopback0
```;
// =============================================================================
// SECTION 3 — REGEX PATTERNS
// =============================================================================
// Capture "ntp server ..." and "ntp source ..." through the end of the line.
// NOTE(review): unlike the EOS query's regexes these are not anchored to the
// start of a line, so they also match when the text appears inside a longer
// line (for example "sntp server ..." or "no ntp server ..."). Such matches
// would be counted as configured lines and can show up as "extra" — confirm
// whether a line-start anchor is wanted.
reNtpServerPattern = re`ntp server[^\n]*`;
reNtpSourcePattern = re`ntp source[^\n]*`;
// =============================================================================
// SECTION 4 — MAIN
// =============================================================================
// Builds one result row per Cisco IOS-XE / IOS device: chooses the regional
// NTP template from the device's tags, diffs the device config against it and
// reports missing lines, unexpected lines and the NTP lines currently present.
main =
  foreach device in network.devices
  // Scope: IOS-XE and IOS entries whose name equals system.physicalName.
  where device.platform.os == OS.IOS_XE || device.platform.os == OS.IOS
  where device.name == device.system.physicalName
  // --- Configuration text; "" when no CONFIG output was collected ---
  let rawConfig = getConfigAsString(device)
  let configText = if isPresent(rawConfig) then rawConfig else ""
  // --- Tag-derived metadata ---
  // NOTE(review): get_auth_from_tags and get_wanFunc_from_tags are not among
  // the tag_var_util helpers listed on this page; the module has to export
  // them for this query to compile.
  let ip = device.snapshotInfo.collectionIp
  let region = get_region_from_tags(device.tagNames)
  let vrf = return_vrf_from_tags(device.tagNames)
  let mgmtSource = return_mgmt_from_tags(device.tagNames)
  let environment = get_env_from_tags(device.tagNames)
  let subDc = get_SubDc_from_tags(device.tagNames)
  let deviceFunc = get_function_from_tags(device.tagNames)
  let manager = get_mgr_from_tags(device.tagNames)
  let auth = get_auth_from_tags(device.tagNames)
  let sd = get_wanFunc_from_tags(device.tagNames)
  // --- Template selection ---
  // Within a region, the Mgmt-intf template applies when the VRF tag is
  // "vrf_Mgmt-intf" (that value has to be one return_vrf_from_tags can
  // return); every other device of the region gets the Loopback0 template,
  // whatever its mgmtSource tag says. LATM has a Loopback0 template only.
  let usesMgmtVrf = vrf == "vrf_Mgmt-intf"
  let chosen =
    if region == "AMRS" then
      (if usesMgmtVrf
         then { block: AMRS_Gi0_vrfMgmtintf, name: "AMRS_Gi0_vrfMgmtintf" }
         else { block: AMRS_Lo0_vrfNone, name: "AMRS_Lo0_vrfNone" })
    else if region == "APAC" then
      (if usesMgmtVrf
         then { block: APAC_Gi0_vrfMgmtintf, name: "APAC_Gi0_vrfMgmtintf" }
         else { block: APAC_Lo0_vrfNone, name: "APAC_Lo0_vrfNone" })
    else if region == "EMEA" then
      (if usesMgmtVrf
         then { block: EMEA_Gi0_vrfMgmtintf, name: "EMEA_Gi0_vrfMgmtintf" }
         else { block: EMEA_Lo0_vrfNone, name: "EMEA_Lo0_vrfNone" })
    else if region == "LATM" then
      { block: LATM_Lo0_vrfNone, name: "LATM_Lo0_vrfNone" }
    else
      { block: ntpPatternDefault, name: "Investigate" }
  let ntpTemplate = chosen.block
  let templateName = chosen.name
  // --- Lines the template allows (template text with its ``` fences removed) ---
  let templateText = replace(toString(ntpTemplate), "```", "")
  let expectedLines =
    (foreach m in regexMatches(templateText, reNtpServerPattern) select m.string) +
    (foreach m in regexMatches(templateText, reNtpSourcePattern) select m.string)
  // --- Template lines missing from the device ---
  let diffResult = blockDiff(device.files.config, ntpTemplate)
  // --- NTP lines present on the device ---
  let deviceLines =
    (foreach m in regexMatches(configText, reNtpServerPattern) select m.string) +
    (foreach m in regexMatches(configText, reNtpSourcePattern) select m.string)
  // --- Device lines the template does not contain ---
  // Only "ntp server" / "ntp source" lines are compared; other ntp settings
  // (for example authentication) are neither required nor reported.
  let unexpectedLines = deviceLines - expectedLines
  // --- Display lists ---
  let serverLines = (foreach m in regexMatches(configText, reNtpServerPattern)
                     select replace(m.string, "\n", ""))
  let sourceLines = (foreach m in regexMatches(configText, reNtpSourcePattern)
                     select replace(m.string, "\n", ""))
  let ntpLines = serverLines + sourceLines
  // =============================================================================
  // SECTION 5 — OUTPUT
  // =============================================================================
  select {
    violation: if diffResult.diffCount > 0 || length(unexpectedLines) > 0 then "Fail" else "Pass",
    device: device.name,
    ip: ip,
    auth: auth,
    OS: device.platform.osVersion,
    model: device.platform.model,
    pattern: templateName,
    missing: if diffResult.diffCount == 0
             then "None"
             else toString(diffResult.blocks),
    extra: if length(unexpectedLines) == 0
           then "None"
           else join("\n", order(foreach line in unexpectedLines
                                 select replace(line, "\n", ""))),
    currentConfig: if length(ntpLines) == 0
                   then "None"
                   else join("\n", order(ntpLines)),
    region: region,
    vrf: vrf,
    mgmtSource: mgmtSource,
    environment: environment,
    SubEnv: subDc,
    sd: sd,
    function: deviceFunc,
    manager: manager,
  };
export xe_ntp_compliance = main();
main()

NXOS NQE for NTP
/***
* @intent NTP Validation (NX-OS)
* @description Validates Cisco NX-OS NTP configs and extracts server/source details.
* LOGIC SUMMARY:
* 1. Filters out Cisco ACI nodes (NX-OS hardware but incompatible NTP config).
* 2. Checks device against regional patterns (AMRS VRF mgmt0, AMRS Loopback0).
* 3. Outputs a clean table with missing lines, extra lines and current settings.
***/
import "Standards_Network/NetworkVars/tag_var_util";
// =============================================================================
// SECTION 1. NQE Patterns
// =============================================================================
// NQE line patterns. In main they are applied with patternMatches() to the
// selected template after it has been parsed with parseConfigBlocks(), to
// list the server and source-interface lines the template allows.
ntpServerPattern = `ntp server {string}`;
ntpSourcePattern = `ntp source-interface {string}`;
// =============================================================================
// SECTION 2. RegEx Patterns
// =============================================================================
// Used by regexMatches() against configAsString (String). Regex handles
// variable parts of a line that {string} cannot fully capture.
// None of these is anchored to the start of a line, so each also matches when
// the text appears inside a longer line.
// Matches "ntp server ..." through end of line (IP plus any use-vrf suffix).
reNtpServer = re`ntp server[^\n]*`;
// Matches "ntp source-interface" plus the interface name that follows.
reNtpSource = re`ntp source-interface\s+\S+`;
reNtpAuthenticate = re`ntp authenticate[^\n]*`;
// Captures the whole "ntp authentication-key" line, i.e. including whatever
// key string the config line carries. Treat matches as sensitive and keep
// them out of exported report columns.
reNtpAuthKey = re`ntp authentication-key[^\n]*`;
reNtpTrustedKey = re`ntp trusted-key[^\n]*`;
reNtpMaster = re`ntp master[^\n]*`;
// =============================================================================
// SECTION 3. Functions
// =============================================================================
// Returns the device configuration as a String, which is what regexMatches()
// needs. Only command outputs of type CommandType.CONFIG are considered, and
// max() reduces the selected responses to a single value; main checks the
// result with isPresent() before use.
getConfigAsString(device) =
  max(foreach cmd in device.outputs.commands
      where cmd.commandType == CommandType.CONFIG
      select cmd.response);
// True when at least one collected command output of the device has type
// CommandType.CISCO_ACI_FABRIC_VRFS. main uses this to skip ACI-managed
// (APIC-controlled) Nexus nodes, whose NTP config would otherwise produce
// false violations.
isAciNode(device) =
  length(foreach cmd in device.outputs.commands
         where cmd.commandType == CommandType.CISCO_ACI_FABRIC_VRFS
         select cmd.commandType) > 0;
// =============================================================================
// SECTION 4. Config Patterns
// =============================================================================
// Compliance templates compared against the device config with blockDiff().
// They contain only "ntp server" and "ntp source-interface" lines. The query
// extracts the device's authentication-related ntp lines for display but no
// template requires them, so a device without NTP authentication is still
// reported as "Pass". Add the expected lines here if the standard requires
// authenticated NTP.
// AMRS — servers reached through VRF CORPWAN, sourced from loopback0.
// NOTE(review): no branch of the template selection in main refers to this
// template — confirm whether a CORPWAN branch is missing.
ntpAMRS_vrfCORPWAN_Lo0 = ```
ntp server 1.1.1.1 use-vrf CORPWAN
ntp server 1.1.1.2 use-vrf CORPWAN
ntp server 1.1.1.3 use-vrf CORPWAN
ntp server 1.1.1.4 use-vrf CORPWAN
ntp source-interface loopback0
```;
// AMRS — servers reached through the management VRF, sourced from mgmt0.
ntpAMRS_vrf_Mgmt0 = ```
ntp server 1.1.1.1 use-vrf management
ntp server 1.1.1.2 use-vrf management
ntp server 1.1.1.3 use-vrf management
ntp server 1.1.1.4 use-vrf management
ntp source-interface mgmt0
```;
// AMRS 4a — devices sourcing NTP via Loopback0 (default VRF)
ntpAMRS_Lo0 = ```
ntp server 1.1.1.1 use-vrf default
ntp server 1.1.1.2 use-vrf default
ntp server 1.1.1.3 use-vrf default
ntp server 1.1.1.4 use-vrf default
ntp source-interface loopback0
```;
// AMRS 4a — devices sourcing NTP via Vlan211 (default VRF)
ntpAMRS_v211 = ```
ntp server 1.1.1.1 use-vrf default
ntp server 1.1.1.2 use-vrf default
ntp server 1.1.1.3 use-vrf default
ntp server 1.1.1.4 use-vrf default
ntp source-interface Vlan211
```;
// APAC (Australia) — servers reached through the management VRF. This
// template has no source-interface line.
ntpAPAC_Aussie_vrfManagement = ```
ntp server 1.1.1.1 use-vrf management
ntp server 1.1.1.2 use-vrf management
ntp server 1.1.1.3 use-vrf management
ntp server 1.1.1.4 use-vrf management
```;
// Dummy pattern — fallback when no tags match. "NO_MATCH" is presumably not a
// real config line, so blockDiff() reports it as missing.
ntpDummy = ```
NO_MATCH
```;
// =============================================================================
// SECTION 5. Main
// =============================================================================
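// Builds one result row per Cisco NX-OS device (ACI nodes excluded): chooses
// the NTP template from the device's tags, diffs the device config against
// it and reports missing lines, extra lines and the NTP lines present.
//
// Changes against the original listing:
//   * "let selected =" is restored; it had been merged into the comment line
//     above the if-chain, which left selected unbound.
//   * The APAC branch now refers to ntpAPAC_Aussie_vrfManagement, the only
//     APAC template this query defines (ntpAPAC_Aussie_vrfNone did not exist).
//   * "ntp authentication-key" lines are no longer copied into the
//     existingConfig column. Those config lines carry the key string, and the
//     report is exported to a dashboard; a redacted placeholder with the
//     number of configured keys is shown instead.
main =
  foreach device in network.devices
  where device.platform.os == OS.NXOS
  // Exclude ACI nodes
  where !isAciNode(device)
  // Keep only entries whose name equals the device's physical name.
  where device.name == device.system.physicalName
  // STEP 1: Get config as String (for regex extraction only); "" when absent
  let configResponse = getConfigAsString(device)
  let configAsString = if isPresent(configResponse) then configResponse else ""
  // STEP 2: Collect tag-based metadata
  let deviceFunc = get_function_from_tags(device.tagNames)
  let environment = get_env_from_tags(device.tagNames)
  let manager = get_mgr_from_tags(device.tagNames)
  let vrf = return_vrf_from_tags(device.tagNames)
  let region = get_region_from_tags(device.tagNames)
  let subDc = get_SubDc_from_tags(device.tagNames)
  let mgmtSource = return_mgmt_from_tags(device.tagNames)
  // STEP 3: Select compliance template.
  // Each branch returns {block: <template>, name: "<templateName>"}.
  // The branches compare against "vrf_management" and "Mgmt_v211"; those
  // values have to be among the tags the tag helpers search for.
  let selected =
    // --- AMRS ---
    if region == "AMRS" && vrf == "vrf_management" && mgmtSource == "Mgmt_Ma0"
      then {block: ntpAMRS_vrf_Mgmt0, name: "ntpAMRS_vrf_Mgmt0"}
    else if (region == "AMRS" || region == "LATM") && vrf == "vrf_None" && mgmtSource == "Mgmt_Lo0"
      then {block: ntpAMRS_Lo0, name: "ntpAMRS_Lo0"}
    else if region == "AMRS" && vrf == "vrf_None" && mgmtSource == "Mgmt_v211"
      then {block: ntpAMRS_v211, name: "ntpAMRS_v211"}
    // --- Aussie ---
    // NOTE(review): this branch requires the tag vrf_None, but the template
    // expects "use-vrf management" on every server line — confirm which of
    // the two is the intended standard.
    else if region == "APAC" && vrf == "vrf_None"
      then {block: ntpAPAC_Aussie_vrfManagement, name: "ntpAPAC_Aussie_vrfManagement"}
    // --- No Match / Investigate ---
    else {block: ntpDummy, name: "No_Pattern_Matched"}
  let NxosNtpDiffPattern = selected.block
  let patternName = selected.name
  // STEP 4: Run blockDiff against the selected pattern, then parse the
  // pattern text (``` fences removed) into a config block so that its valid
  // lines can be extracted with patternMatches().
  let blockDiffResult = blockDiff(device.files.config, NxosNtpDiffPattern)
  let patternAsConfig = parseConfigBlocks(OS.OTHER, replace(toString(NxosNtpDiffPattern), "```", ""))
  // Valid server + source lines of the selected pattern. They are subtracted
  // from the device's actual lines to find extra lines.
  let validLines =
    (foreach patternMatch in patternMatches(patternAsConfig, ntpServerPattern)
     select patternMatch.line.text) +
    (foreach patternMatch in patternMatches(patternAsConfig, ntpSourcePattern)
     select patternMatch.line.text)
  // STEP 5: Collect actual NTP lines from the device using regex
  let serverList = (foreach r in regexMatches(configAsString, reNtpServer) select r.string)
  let sourceList = (foreach r in regexMatches(configAsString, reNtpSource) select r.string)
  let authenticateList = (foreach r in regexMatches(configAsString, reNtpAuthenticate) select r.string)
  let authKeyList = (foreach r in regexMatches(configAsString, reNtpAuthKey) select r.string)
  let trustedKeyList = (foreach r in regexMatches(configAsString, reNtpTrustedKey) select r.string)
  let masterList = (foreach r in regexMatches(configAsString, reNtpMaster) select r.string)
  // Key lines are summarised, never copied: zero entries when no key is
  // configured, otherwise a single placeholder line carrying the key count.
  let authKeySummary =
    (foreach keyCount in [length(authKeyList)]
     where keyCount > 0
     select "ntp authentication-key <redacted, " + toString(keyCount) + " configured>")
  // STEP 6: Compute extra lines (server and source-interface lines only)
  let configuredLines = serverList + sourceList
  let extraLines = configuredLines - validLines
  // STEP 7: Combine NTP lines into one deduplicated list for display
  let ntpConfigList = distinct(
    serverList + sourceList + authenticateList + authKeySummary + trustedKeyList + masterList)
  // =============================================================================
  // SECTION 6 — OUTPUT
  // =============================================================================
  select {
    // "Fail" when a template line is missing or an unexpected server/source
    // line exists. Authentication settings do not influence the result.
    violation: if blockDiffResult.diffCount > 0 || length(extraLines) > 0 then "Fail" else "Pass",
    device: device.name,
    os: device.platform.osVersion,
    model: device.platform.model,
    pattern: patternName,
    missingConfig: blockDiffResult.blocks,
    extraConfig: if length(extraLines) == 0
                 then "None"
                 else join("\n", order(extraLines)),
    existingConfig: if length(ntpConfigList) == 0
                    then "None"
                    else join("\n", order(ntpConfigList)),
    region: region,
    environment: environment,
    location: subDc,
    mgmtIntf: mgmtSource,
    vrf: vrf,
    function: deviceFunc,
    manager: manager
  };
export nxos_ntp_compliance = main();
main()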



