[j-nsp] Network automation vs. manual config

Antti Ristimäki antti.ristimaki at csc.fi
Fri Aug 17 06:54:27 EDT 2018 

Hi colleagues,

This is something that I've been thinking quite a lot, so I would be delighted to hear some comments, experiences or recommendations. 

So, now that more and more of us are automating their network, there will be the question about how to manage the configurations, if they are partially automated and partially manually maintained. This will be the case especially while transitioning from a pure CLI jockey network towards a more automated one. There are probably multiple approaches to solve this, but below are a few of them:

One option is to generate the whole config automatically e.g. from a template or a database and just _not_accepting_ any manual configurations at all. Then when there are needs to do something custom not yet supported by the automation tools, instead of manually configuring it one would take some additional time and build the support into the automation tools. The cost for this might be that deploying something new/custom/tailor-made might take a bit more time compared to just manually configuring it, but in a long run the benefits are obvious. I'm personally preferring this approach.

Generating the _whole_ configuration automatically off-line from the scratch makes it also easy to remove elements from the configuration, as the auto-generated config can completely replace the existing running-config.

If the above mentioned is not doable for the entire configuration, one can take one configuration hierarchy level at a time and automate it, after which no manual configurations will be accepted under that hierarchy. This is rather trivial especially for those configuration hierarchies that tend to be static most of the time.

Another option is to apply the auto-generated configuration via apply-groups and apply all manual configurations explicitly so that the automatic and manual configurations merge with each other. The positive side of this approach is that it makes easy to develop the automation tools so that manual configs are not overridden by auto-generated config, but I personally see somewhat inconvenient that one really doesn't see the effective running-config when using apply-groups, unless one remembers to display inheritance.

Any thoughts appreciated.

Antti

More information about the juniper-nsp mailing list