[j-nsp] Network Configuration Management
Warren Kumari
warren at kumari.net
Mon Jun 18 11:16:42 EDT 2007

For config backups and revisioning I usually use RANCID combined with
some scripts that parse the downloaded configs, pull the serial
number data out and stick it in a database somewhere -- this is
primarily to make sure that I don't redeploy a known defective card
(or a card that gets shipped back via an RMA).

As for implementing config changes, that all depends on what the
changes are and what the situation is:

If it is a simple, non-critical change that has no logic involved
(eg: changing all of your NTP servers) I usually just throw together
a shell script that calls jlogin (from RANCID) directly, something
along the lines of:

    # Every entry in the current directory is treated as a router name.
    # The glob avoids parsing `ls` output; quoting keeps each name intact.
    for router in *
    do
        jlogin -c "<Commands to be run>" "$router"
        sleep 2    # short pause between routers
    done

If it is a more complex change (eg: If interface description contains
"blah" then set foo) I usually throw together something in perl /
python.

I started writing a program at one stage that would take some
conditions to check for and commands to run if those conditions
match, but it quickly developed feature creep and ended up trying to
do too much (eg: "FIND interface WHERE neighbor_as = 123 AND DO SET
INTERFACE_DESCRIPTION TO BE "Connects to AS123" ON ALL ROUTERS LIKE
"peer*.*" STOP) -- I found myself spending so much time debugging the
program and trying to remember the syntax that I had created that I
deleted it in disgust!

Keep in mind that if you have been sloppy or if your current configs
are somewhat messy, performing automated changes can be very dangerous
-- I used to work at a Cisco shop that used numbered access lists --
someone decided to script pushing out a new version of the SNMP
access list, which *should* have been 161 on all routers..... Except
for the 30 or so that used that to lock down the management interface
and the 15 or so that used that as an edge ACL....

Warren
www.kumari.net

On Jun 17, 2007, at 10:45 PM, Kevin Oberman wrote:
>> From: phil colbourn <phil.colbourn at railcorp.nsw.gov.au>
>> Date: Mon, 18 Jun 2007 10:43:06 +1000
>> Sender: juniper-nsp-bounces at puck.nether.net
>>
>> I would be interested in knowing what configuration management
>> systems (commercial, open source or home-grown) that you use or have
>> used to implement router/switch config changes, upload/download
>> configs, track versions and track assets.
>
> I use a modified version of rancid (http://www.shrubery.net/rancid).
> Free and very widely used.
> --
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: oberman at es.net Phone: +1 510 486-8634
> Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
--
If the bad guys have copies of your MD5 passwords, then you have way
bigger problems than the bad guys having copies of your MD5 passwords.
-- Richard A Steenbergen
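
Added example, not part of the original message: a pre-flight check for the numbered access list problem described above, run over saved configs before a scripted push. The router names, config excerpts, community string and function names are constructed for illustration; only ACL number 161 comes from the message.

```python
import re

# Constructed IOS-style excerpts standing in for RANCID-saved configs.
SAMPLE_CONFIGS = {
    "core1": "access-list 161 permit ip host 192.0.2.10 any\n"
             "snmp-server community EXAMPLE RO 161\n",
    "edge1": "interface Serial0/0\n ip access-group 161 in\n"
             "access-list 161 deny ip 10.0.0.0 0.255.255.255 any\n",
    "mgmt1": "access-list 161 permit ip 192.0.2.0 0.0.0.255 any\n"
             "snmp-server community EXAMPLE RO 161\n"
             "line vty 0 4\n access-class 161 in\n",
    "old1":  "access-list 161 permit ip any any\n"
             "route-map EXAMPLE permit 10\n match ip address 161\n",
    "lab1":  "hostname lab1\n",
}

# Commands that attach a numbered ACL to something, keyed by usage label.
REFERENCES = {
    "snmp": re.compile(r"^\s*snmp-server community \S+ (?:RO|RW) (\d+)\s*$"),
    "vty": re.compile(r"^\s*access-class (\d+) (?:in|out)\b"),
    "interface": re.compile(r"^\s*ip access-group (\d+) (?:in|out)\b"),
}

def acl_usage(config, acl):
    """Return the usage labels whose commands reference numbered ACL `acl`."""
    uses = set()
    for line in config.splitlines():
        for label, pattern in REFERENCES.items():
            match = pattern.match(line)
            if match and int(match.group(1)) == acl:
                uses.add(label)
    return uses

def plan_push(configs, acl, intended="snmp"):
    """Return (safe, held): a router is safe only if the ACL has the intended use alone."""
    safe, held = [], {}
    for router, config in sorted(configs.items()):
        uses = acl_usage(config, acl)
        defined = re.search(rf"^access-list {acl} ", config, re.M) is not None
        if uses - {intended}:
            held[router] = "also used by " + ", ".join(sorted(uses - {intended}))
        elif defined and not uses:
            # The ACL exists but nothing we recognise points at it: do not guess.
            held[router] = "defined but no recognised reference; review by hand"
        else:
            safe.append(router)
    return safe, held

if __name__ == "__main__":
    print(plan_push(SAMPLE_CONFIGS, 161))
```

Only the routers in the first list would be handed to the jlogin loop; the held ones need a person to look at them first.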