[Infrastructures] using IA methodologies to build network element configuration
Brent Chapman
Brent@GreatCircle.COM
Fri, 1 Apr 2005 15:09:48 -0800
At 4:51 AM +0530 3/30/05, Devdas Bhagat wrote:
>However, I think that most routers will /not/ have similar
>configurations anyway, except maybe passwords (and you can farm those
>out to tacacs/radius) and console limits.
That's exactly the mistake that many folks make in designing their
networks, thinking "these devices have almost nothing in common, so
we'll just maintain them all by hand as a bunch of one-offs". Well,
you might only have one Internet router originally, and one VPN
concentrator, but if your network grows then you're _going_ to end up
with several of each (at different sites, or for different ISPs at
the same site), plus a bunch of other devices (firewalls, load
balancers, caching engines, monitoring systems, etc.), all of which
will need different (but overlapping) subsets of common knowledge
about your network (what your interior subnet addresses are, which of
those are "special" in some way, what your DNS and SNMP server
addresses are, etc.). And if you're trying to maintain all those
configs by hand, then they're _all_ going to be incomplete and
incorrect to various degrees, with resulting unreliability and
unpredictability in your network, and lots of time devoted to an
ongoing housekeeping effort.
>BTW, http://www.shrubbery.net/rancid/ *may* be something like what you
>want.
Rancid is useful, but I think it's exactly backwards from where you
_really_ want to be. Rancid says "let's keep configuring everything
by hand, but just make it easier to make backups and tell what's been
changed". That's good, that's useful, if you're maintaining configs
by hand and _don't_ have a good backup/audit process. However, if
you really want to get out of the swamp, then you need to turn the
model on its head: push generated (and thus consistent) configs to
the network devices, rather than pulling them from the devices.
-Brent
--
Brent Chapman <brent@greatcircle.com> -- Great Circle Associates, Inc.
Specializing in network infrastructure for Silicon Valley since 1989
For info about us and our services, please see http://www.greatcircle.com/
Network Automation blog: http://www.greatcircle.com/blog/network_automation
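
The generate-and-push model argued for in this message, as an added example that is not part of the original thread: one shared set of network facts is rendered into every device's config, and a config pulled from a device is checked against the generated one. Device names, roles, addresses and the config line syntax are all constructed for illustration and are not any vendor's syntax.

```python
# Added example. All names, addresses and the config syntax are constructed.
# Site-wide facts kept in ONE place (documentation address ranges).
NETWORK = {
    "interior_subnets": ["192.0.2.0/25", "192.0.2.128/25"],
    "special_subnets": ["192.0.2.128/25"],
    "dns_servers": ["198.51.100.53"],
    "snmp_servers": ["198.51.100.161"],
}

# Each role needs a different but overlapping subset of those facts.
ROLES = {
    "internet-router": ["dns_servers", "snmp_servers", "interior_subnets"],
    "vpn-concentrator": ["dns_servers", "interior_subnets", "special_subnets"],
    "firewall": ["snmp_servers", "interior_subnets", "special_subnets"],
}

DEVICES = {
    "rtr-isp1": "internet-router",
    "rtr-isp2": "internet-router",
    "vpn1": "vpn-concentrator",
    "fw1": "firewall",
}

# Hypothetical keyword emitted for each kind of fact.
KEYWORD = {
    "dns_servers": "dns-server",
    "snmp_servers": "snmp-manager",
    "interior_subnets": "interior-subnet",
    "special_subnets": "special-subnet",
}


def render(device, network=NETWORK):
    """Generate the config lines for one device from the shared facts."""
    lines = [f"hostname {device}"]
    for fact in ROLES[DEVICES[device]]:
        lines += [f"{KEYWORD[fact]} {value}" for value in network[fact]]
    return lines


def drift(device, running, network=NETWORK):
    """Compare a pulled running config with the generated one.

    Returns (missing, unexpected): generated lines absent from the device,
    and device lines the generator would never have produced.
    """
    want = render(device, network)
    missing = [line for line in want if line not in running]
    unexpected = [line for line in running if line not in want]
    return missing, unexpected
```

Changing one entry in `NETWORK` changes every generated config that uses it, and `drift` reports a hand edit on a device as a deviation from the generated config.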