[nsp] pushing config changes out to routers

Streiner, Justin streiner at stargate.net
Wed Aug 6 12:39:45 EDT 2003


While we're more or less on the subject, I'd be curious to see how various
networks manage pushing mass configuration changes (BGP filters, regular
password changes, updates to standard configs, etc) out to their boxes.
From past experience I'll hazard a guess that this is largely custom
applications that people have specifically tailored to their needs.

Specifically, I'm interested in what safeguards people put in place to
1) hopefully prevent a typo in a master config database from getting
	pushed out to lots of devices, possibly causing a large outage,
	and
2) integrity checking of the pending config beyond things like making sure
	that a static route has the correct next-hop address, e.g. things
	like if interface X has access-group Y applied to it, make sure
	that access-list Y actually exists...

A while back I wrote a fairly extensive system for backing up configurations
from network devices I'm responsible for and storing them in a journaled
format so I can pull an old revision if needed.  While it wouldn't be
especially tough to add the functionality in it to allow the system to
upload a modified config to a router, I specifically left that piece out
because I was still grappling with the safeguard issue.

Thoughts/insight are greatly appreciated.

jms
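
Added example, not part of the original post: a pre-push check for the second safeguard asked about above, flagging any interface whose access-group names an ACL that the pending config never defines. It assumes Cisco IOS-style syntax; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample of a pending IOS-style config (not from the original post).
PENDING_CONFIG = """\
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 in
 ip access-group CUSTOMER-OUT out
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group EDGE-IN in
!
access-list 110 permit tcp any any established
access-list 110 deny ip any any log
ip access-list extended EDGE-IN
 permit ip 198.51.100.0 0.0.0.255 any
"""

NUMBERED_ACL = re.compile(r"^access-list\s+(\d+)\s")
NAMED_ACL = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)")
INTERFACE = re.compile(r"^interface\s+(\S+)")
ACCESS_GROUP = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\b")


def defined_acls(config):
    """Collect every ACL name or number the config itself defines."""
    names = set()
    for line in config.splitlines():
        m = NUMBERED_ACL.match(line) or NAMED_ACL.match(line)
        if m:
            names.add(m.group(1))
    return names


def dangling_access_groups(config):
    """Return (interface, acl, direction) for each access-group whose ACL is missing."""
    known = defined_acls(config)
    problems, current = [], None
    for line in config.splitlines():
        if line and not line[0].isspace():
            m = INTERFACE.match(line)
            current = m.group(1) if m else None  # any top-level line ends the stanza
        elif current:
            m = ACCESS_GROUP.match(line)
            if m and m.group(1) not in known:
                problems.append((current, m.group(1), m.group(2)))
    return problems
```

A push tool would run this on each rendered config and refuse to upload any for which the returned list is non-empty.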

