NCM Enablement in Secure Domain

DX NetOps Spectrum
now supports Network Configuration Manager (NCM) operations (for example, load, sync, capture configurations) on the Secure Domain Connector (SDC)-managed models; that is, devices under a private network.
The following diagram shows the high-level representation:
NCM-SDC
In 10.4.1, when you install SDC, NCM is automatically installed as part of SDC; it is installed as a service.
  • Windows:
    On Windows SDC, the SpectrumNCM service is installed for NCM. The following screenshot shows the service:
    NCM-SDC
    Note that the Secure Domain Connector service is also available.
  • Linux:
    On Linux SDC, use the following command to find out the SDC and NCM services:
    [[email protected] ~]# /etc/init.d/sdmconnector status
    SdmConnectorService (pid 16467) is running...
    NCM Service is running pid - 16480
In an upgraded 10.4.1 environment (for example, upgraded from 10.3.2 SS and SDC to 10.4.1), devices that have been modeled through SDC before the upgrade do not move on their own to the SSH-capable family. However, when the Re-evaluate NCM Device Family action is performed, they move to the SSH-capable device family as expected.
SDC–NCM Support on Devices in Existing Device Family
Cisco devices that are modeled through SDC support SSH/SCP as a primary communication mode from the “Cisco IOS – SSH Capable” device family.
The following screenshot shows the required information:
NCM-SDC
Devices modeled through SDC do not support script operations.
NCM Self-Certification Supporting SDC–NCM
As part of NCM self-certification, it supports SSH as the only supported communication mode. In case of a new device family for NCM self-certification:
  • Create a new device family.
  • Add the new device modeled into it.
  • Add the supported running, startup, and load commands from the newly created device family.
The following screenshot shows the required information:
NCM-SDC
How to Sync Startup Configuration with Running Configuration
For a custom device family, you can use a script to sync the startup configuration with the running configuration. However, currently,
DX NetOps Spectrum
does not support the script operation for devices that are managed through SDC. In such cases, you can use appropriate commands to sync the startup configuration with the running configuration.
In case of a Cisco device, the "write" command performs this job. Now, suppose you want to sync after you perform an upload task, there are two ways in which you can do this:
Using Command List
For the device family, navigate to
Information
tab
->
General Configuration
. Under "
Load Commands
", give the following command list:
config t
exit
write
This ensures that every time you do any upload task, the startup configuration is synced with the running configuration. 
The following screenshot shows the required information:
Through Command List
Using Task
When you create an upload task, you add the following lines at the end of the upload content:
Verify that the config t command is already added to the Load Commands list.
exit
write
This ensures that every time you run that upload task, the startup configuration is synced with the running configuration.
The following screenshot shows the required information:
Through Task
Commit to Startup
is not applicable for self-certification, because it is taken care of by the proper sequence of the commands that users enter to perform the sync task. It is not done by enabling this option.
Configure the Secure Domain Time-out
You can now configure the secure domain time-out setting based on your requirements. By default, the value is set to 300 seconds. You can specify any value between 60 seconds to 7200 seconds. 
Follow these steps:
  1. In the
    Explorer
    tab, navigate to
    Secure Domain Manager
    .
  2. Click the
    Information
    tab in the right pane.
  3. Expand the
    Configuration
    section.
  4. Locate the
    Secure Domain Timeout
    option.
  5. Click
    set
    and enter the required value.
You have successfully configured the time-out value.
The following screenshot shows the
Secure Domain Timeout
option:
NCM-SDC
Scenario: NCM Down on SDC
If NCM is down on SDC, it creates a critical alarm on NCM down. In the case of the SDC service being down, it raises two critical alarms, where SDC down is the root cause and NCM down is the symptom.
Furthermore, if SDC is configured in a Fault-Tolerant (FT) environment, then the behavior is as follows:
  • When NCM is down on the primary SDC, NCM on the secondary SDC starts working. But it will raise a major alarm on the
    DX NetOps Spectrum
    side stating that on the primary SDC, NCM is down and it has switched to the secondary SDC.
  • If both NCMs are down, a critical alarm is raised.
The following screenshot shows the root cause as SDC and the symptom as NCM:
NCM-SDC