We're using a certain service which creates a service instance on an interface on an ASR920. The service instance uses the command mac security sticky in order to restrict the device able to connect to the circuit. When first deployed on the service instance, the mac security sticky command is standalone. When traffic is detected on the interface, the device adds the command mac security sticky address xxxx.xxxx.xxxx where xxxx.xxxx.xxxx is the MAC address of the device detected.

We have an issue where once the MAC address is populated, the device goes out of sync. We are able to perform sync-from on the device to bring in the MAC to the CDB, but this then takes the service out of sync. A re-deploy dry-run shows that the service wants to remove the mac security sticky address command from the service instance.

Our default interface configuration does not include the service instance, so the service is responsible for creating the service instance and everything beneath it in the configuration tree. It seems to me that the service expects to be in control of the entire tree, so when a configuration is added to the tree that it did not create it wants to remove it.

Is there a way to have the service ignore this particular part of the configuration? I am aware of template tag operations, but based on the documentation I wasn't sure that any of them applied. We periodically check for out of sync services so that differences can be resolved. We'd like this service to show in-sync even with the mac security sticky address command added since it is expected that the device will create this configuration automatically.