[Infrastructures] using IA methodologies to build network element configuration

Devdas Bhagat Infrastructures <infrastructures@TerraLuna.Org>
Sat, 2 Apr 2005 13:17:36 +0530


CC'ed to another networking mailing list I'm on. Hopefully we can get
some input on this from the network folks.
Reply-To is set to the infrastructures list.

The thread is about maintaining large network farms. 
I have a comment/question in the middle.

Devdas Bhagat

On 01/04/05 15:09 -0800, Brent Chapman wrote:
> At 4:51 AM +0530 3/30/05, Devdas Bhagat wrote:
> >However, I think that most routers will /not/ have similar
> >configurations anyway, except maybe passwords (and you can farm those
> >out to tacacs/radius) and console limits.
> 
> That's exactly the mistake that many folks make in designing their 
> networks, thinking "these devices have almost nothing in common, so 
> we'll just maintain them all by hand as a bunch of one-offs".  Well, 
> you might only have one Internet router originally, and one VPN 
> concentrator, but if your network grows then you're _going_ to end up 
> with several of each (at different sites, or for different ISPs at 
> the same site), plus a bunch of other devices (firewalls, load 
> balancers, caching engines, monitoring systems, etc.), all of which 
> will need different (but overlapping) subsets of common knowledge 
> about your network (what your interior subnet addresses are, which of 
> those are "special" in some way, what your DNS and SNMP server 
> addresses are, etc.).  And if you're trying to maintain all those 
> configs by hand, then they're _all_ going to be incomplete and 
> incorrect to various degrees, with resulting unreliability and 
> unpredictability in your network, and lots of time devoted to an 
> ongoing housekeeping effort.
> 

My questions are: 
What percentage of your device configuration is common?
When something is different, how different is it?

Where I am coming from is this (drawing inspiration from RDBMS theory):

We have a group configuration, and then a per host/service configuration.
In the infrastructures world, we are normalising the configuration
database, and ensuring that with appropriate foreign keys, the data is
consistent.

In the networking world (I am not including firewalls in this), I have 
not yet seen that much data is duplicated and needs to be normalised.
If you think that normalisation will help, I am for it.

> >BTW, http://www.shrubbery.net/rancid/ *may* be something like what you
> >want.
> 
> Rancid is useful, but I think it's exactly backwards from where you 
> _really_ want to be.  Rancid says "let's keep configuring everything 
> by hand, but just make it easier to make backups and tell what's been 
> changed".  That's good, that's useful, if you're maintaining configs 
> by hand and _don't_ have a good backup/audit process.  However, if 
> you really want to get out of the swamp, then you need to turn the 
> model on its head: push generated (and thus consistent) configs to 
> the network devices, rather than pulling them from the devices.
> 
> 
> -Brent
> -- 
> Brent Chapman <brent@greatcircle.com> -- Great Circle Associates, Inc.
> Specializing in network infrastructure for Silicon Valley since 1989
> For info about us and our services, please see http://www.greatcircle.com/
> Network Automation blog: http://www.greatcircle.com/blog/network_automation
> _______________________________________________
> Infrastructures mailing list
> Infrastructures@mailman.terraluna.org
> http://mailman.terraluna.org/mailman/listinfo/infrastructures
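As a worked sketch of what the two positions in the thread above look like side by side (Devdas's normalised configuration database with foreign keys, and Brent's "generate and push, then compare" model), here is an added example. It is not code from either poster, from rancid, or from the list; the SQLite schema (site, device, interface tables), the site names, hostnames, addresses, role set and the IOS-like command syntax are all constructed for illustration.

```python
"""Added example (not part of the thread): a normalised configuration
database in SQLite with foreign keys enforced, a generator that renders one
config per device from site/role (group) data plus per-device rows, and a
drift check of the generated config against whatever the box is running.
Every site, hostname, address and the IOS-like syntax is constructed."""
import difflib
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE site (
    name        TEXT PRIMARY KEY,
    dns_server  TEXT NOT NULL,
    snmp_server TEXT NOT NULL,
    aaa_server  TEXT NOT NULL
);
CREATE TABLE device (
    hostname TEXT PRIMARY KEY,
    site     TEXT NOT NULL REFERENCES site(name),
    role     TEXT NOT NULL CHECK (role IN ('internet-router', 'vpn'))
);
CREATE TABLE interface (
    hostname TEXT NOT NULL REFERENCES device(hostname),
    name     TEXT NOT NULL,
    address  TEXT NOT NULL,
    PRIMARY KEY (hostname, name)
);
"""

# Constructed sample data: two sites, three devices.
SITES = [("sfo", "10.1.0.53", "10.1.0.161", "10.1.0.49"),
         ("blr", "10.2.0.53", "10.2.0.161", "10.2.0.49")]
DEVICES = [("sfo-rtr1", "sfo", "internet-router"),
           ("sfo-vpn1", "sfo", "vpn"),
           ("blr-rtr1", "blr", "internet-router")]
INTERFACES = [("sfo-rtr1", "GigabitEthernet0/0", "192.0.2.1 255.255.255.252"),
              ("sfo-rtr1", "GigabitEthernet0/1", "10.1.0.1 255.255.255.0"),
              ("sfo-vpn1", "GigabitEthernet0/0", "10.1.0.2 255.255.255.0"),
              ("blr-rtr1", "GigabitEthernet0/0", "198.51.100.1 255.255.255.252")]

# Group data keyed by role rather than site: hardening lines shared by every
# device of that role (constructed, IOS-like).
ROLE_LINES = {
    "internet-router": ["no ip source-route", "no ip http server"],
    "vpn": ["no ip http server"],
}


def open_db() -> sqlite3.Connection:
    """Build the in-memory database. SQLite ignores REFERENCES clauses unless
    foreign_keys is switched on for the connection, so do that first."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO site VALUES (?, ?, ?, ?)", SITES)
    conn.executemany("INSERT INTO device VALUES (?, ?, ?)", DEVICES)
    conn.executemany("INSERT INTO interface VALUES (?, ?, ?)", INTERFACES)
    conn.commit()
    return conn


def rejects_dangling_site(conn: sqlite3.Connection) -> bool:
    """A device that points at an undefined site is refused by the database,
    rather than silently rendering a config with missing server addresses."""
    try:
        conn.execute("INSERT INTO device VALUES ('lon-rtr1', 'lon', 'vpn')")
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()
    return False


def render_parts(conn: sqlite3.Connection, hostname: str) -> Tuple[List[str], List[str]]:
    """Return (group_lines, device_lines): the first derive from site and role
    rows shared by many devices, the second are unique to this box."""
    row = conn.execute(
        "SELECT d.role, s.dns_server, s.snmp_server, s.aaa_server "
        "FROM device d JOIN site s ON d.site = s.name WHERE d.hostname = ?",
        (hostname,)).fetchone()
    if row is None:
        raise KeyError(f"unknown device {hostname}")
    role, dns, snmp, aaa = row
    group = ["service password-encryption",
             "aaa new-model",
             f"tacacs-server host {aaa}",
             "aaa authentication login default group tacacs+ local",
             f"ip name-server {dns}",
             f"snmp-server host {snmp} version 3 priv",
             *ROLE_LINES[role]]
    device = [f"hostname {hostname}"]
    for name, address in conn.execute(
            "SELECT name, address FROM interface WHERE hostname = ? ORDER BY name",
            (hostname,)):
        device += [f"interface {name}", f" ip address {address}"]
    return group, device


def render(conn: sqlite3.Connection, hostname: str) -> str:
    """The config to push: hostname first, then group lines, then interfaces."""
    group, device = render_parts(conn, hostname)
    return "\n".join(device[:1] + group + device[1:]) + "\n"


def common_share(conn: sqlite3.Connection, hostname: str) -> float:
    """Fraction of this device's config that came from shared (group) data."""
    group, device = render_parts(conn, hostname)
    return len(group) / (len(group) + len(device))


def drift(conn: sqlite3.Connection, hostname: str, running: str) -> List[str]:
    """Unified-diff lines by which the running config departs from the
    generated one; empty when the box matches the database."""
    wanted = render(conn, hostname).splitlines()
    return list(difflib.unified_diff(running.splitlines(), wanted,
                                     fromfile="running", tofile="generated",
                                     lineterm=""))


if __name__ == "__main__":
    db = open_db()
    print(render(db, "sfo-rtr1"))
    print(f"common share: {common_share(db, 'sfo-rtr1'):.0%}")
    # Constructed "running" config whose SNMP trap host was hand-edited.
    stale = render(db, "sfo-rtr1").replace("10.1.0.161", "10.1.0.99")
    print("\n".join(drift(db, "sfo-rtr1", stale)))
```

The foreign-key check is the part that matters for consistency: with enforcement on, a device row cannot reference a site that does not exist, so a typo in the site name fails at data-entry time instead of surfacing later as a router whose DNS, SNMP and TACACS lines point nowhere. The drift function is the generate-and-push side of the argument: the database is the source of truth, and a running config that differs from the rendered one is the anomaly to investigate, not the thing to back up.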