On Thu, Feb 04, 2016 at 05:52:54PM +0100, Randy Bush wrote:
We record the customer ASN and the AS-SET for each AFI (v4|v6) and expand these and push updated lists to devices daily or on demand based on customer need.
do you trust the state of the acl on the router and only send a delta, or do you send the whole acl?
We send the whole ACL.
(in fact, we send the full router config each time).
i bet that scales well. though i would not trust the router either.
it works well enough, software bugs aside. much better than wondering what state a device is in.

our customer migration team was able to use this toolization to move over 200 discrete interfaces in one night without error recently. having the proper tooling and inventory of customers is key here.

when turning up the first few customers, i get having a manual process but the ROI on automation is well worth it.

there's many variations of this graphic out there but it's important when justifying why you have a network engineer who can also code and do more than one thing:

http://www.geeksaresexy.net/2012/01/05/geeks-vs-non-geeks-picture/

there's also this related item, you do have to maintain it:

https://xkcd.com/1319/

if you avoid feature creep the tools can be done properly. I've seen many a project delayed by someone trying to wedge something in, or alter a schema from one that works to one that is more technically pure and make it harder to do work.

you must also have the culture that works with the tools, it can't be the one tool that $powerUser operates, it has to be part of the business process.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
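A sketch of the workflow discussed in this thread (expand the customer AS-SET per AFI, then push the whole list rather than a delta), added here as an example and not the poster's tooling. The IRR data is constructed, the function names are hypothetical, and the IOS-style prefix-list syntax is an assumption about the target device.

```python
import ipaddress

# Constructed sample data standing in for IRR objects (not real registrations).
AS_SETS = {
    "AS-CUSTOMER": ["AS64500", "AS-DOWNSTREAM"],
    "AS-DOWNSTREAM": ["AS64501", "AS-CUSTOMER"],  # deliberate loop between sets
}
ROUTES = {
    "AS64500": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:100::/48"],
    "AS64501": ["198.51.100.0/24", "2001:db8:200::/48"],
}

def expand_as_set(name, as_sets, seen=None):
    """Recursively expand an AS-SET to member ASNs; 'seen' breaks reference loops."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in as_sets.get(name, []):
        if member in as_sets:
            asns |= expand_as_set(member, as_sets, seen)
        else:
            asns.add(member)
    return asns

def prefixes_for(asns, routes, afi):
    """Exact prefixes for one address family (4 or 6), deduplicated and sorted.
    No aggregation: merging two /25s into a /24 would change what the filter matches."""
    nets = {ipaddress.ip_network(p) for a in asns for p in routes.get(a, [])}
    return sorted(n for n in nets if n.version == afi)

def render_full_list(name, nets, afi):
    """Render the complete list (assumed IOS-style syntax), never a delta."""
    cmd, deny_all = ("ip", "0.0.0.0/0 le 32") if afi == 4 else ("ipv6", "::/0 le 128")
    lines = [f"no {cmd} prefix-list {name}"]
    if not nets:
        # An empty expansion must fail closed instead of leaving the filter undefined.
        return lines + [f"{cmd} prefix-list {name} seq 5 deny {deny_all}"]
    return lines + [f"{cmd} prefix-list {name} seq {5 * i} permit {n}"
                    for i, n in enumerate(nets, start=1)]

def build_filters(customer, as_set, as_sets=AS_SETS, routes=ROUTES):
    """Return {afi: [config lines]} for one customer, regenerated from scratch."""
    asns = expand_as_set(as_set, as_sets)
    return {afi: render_full_list(f"{customer}-v{afi}",
                                  prefixes_for(asns, routes, afi), afi)
            for afi in (4, 6)}

if __name__ == "__main__":
    for afi, lines in build_filters("CUST", "AS-CUSTOMER").items():
        print("\n".join(lines))
```

Because the output is regenerated from the inventory each run, two runs over the same data produce identical text, which makes it easy to diff against what was last pushed.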