Hi Dave,
Take a look at Network Configurator from Netsation (www.netsation.com). It is pretty interesting.
Paul Quinn, CCIE MCI Systemhouse
-----Original Message-----
From: Dave Van Allen [SMTP:dave@fast.net]
Sent: Friday, November 28, 1997 12:12 PM
To: nanog@merit.edu
Subject: Cisco config generator
Happy holidays!
Has anyone found a good way (read program) to manage cisco configs? I rolled me own but it's crude at best. I was hoping for some recent tool that can handle multiple routers with common ACL's, etc.
Best regards,
David Van Allen - FASTNET(tm) / You Tools Corporation
dave@fast.net (888)321-FAST(3278) http://www.fast.net
FASTNET - Business and Personal Internet Solutions
Is this what MCI uses to construct and manage their entire IP network?
I'm looking for a tool to do configuration management, too. But I need one with the following:
1. Knows how to configure Cisco/IOS
2. Knows how to configure Ascend/MAX and Ascend/GRF/gated
3. Configures lots of other things, too:
   a. Radius for all Ascend and Livingston servers (MAX, PM)
   b. All users in all POP servers for all domains we serve
   c. Mail forwarders
   d. Web sites, whether domain, subdirectory, or userid based
   e. Shell accounts
If, for example, one user is set up with a variety of access services, and I disable or delete that user, then it should be removed from all places where it is configured without me having to know.
Yes, I do combine my network operations and server operations together and I want a package that allows me to fully integrate it all together without having to have separate packages.
Writing this myself will be a big project. Well, big for one person. It wouldn't be that big for a software development business that is banking on selling it to a lot of providers. But is there even a market for this?
One thing I note about Netsation's product is that they promote it as a tool to deal with "cryptic IOS commands". IOS is _NOT_ cryptic. Anyone who thinks it is after proper training shouldn't be in the technical end of this business. OTOH, that comes from a quote from PC Week magazine, and I'm not surprised they find it cryptic.
Where such a product is useful is managing the huge complexity of a large network, and in the case of what I am looking for, all of the other services as well.
-- Phil Howard | phil | at | milepost | dot | com |
Take a look at Network Configurator from Netsation (www.netsation.com). It is pretty interesting.
Is this what MCI uses to construct and manage their entire IP network?
I doubt it.
I'm looking for a tool to do configuration management, too. But I need one with the following:
I work at a company that has done something very similar to what you describe. Two terribly clever colleagues wrote (two separate) systems to interpret our databases into router configuration scripts, for various router vendors.
If, for example, one user is set up with a variety of access services, and I disable or delete that user, then it should be removed from all places where it is configured without me having to know.
This is a slightly different specification; you are talking about deploying distributed security permissions. This could be a subfunction of the configuration system.
Yes, I do combine my network operations and server operations together and I want a package that allows me to fully integrate it all together without having to have separate packages.
You will be hard pressed to find a ready-made off the shelf package to do what you want.
<rambling opinion>
Today's internet technology is complex. Harder than rocket science, but it appears easier because we make up with BS that which is lost by not understanding the formulas or having granular flow statistics.
The sum complexity of a network configuration system is a function of the router/switch interpreter, the routing policy, the routing protocols, and the databases with which one works.
Since implementing this complexity requires adhering to standards or understanding your own policies and protocols (which few really do), it's difficult to make generic solutions work for networks of a given complexity.
We worked hard with one router vendor to create such a system, but the exponential amount of work put in resulted in only a few useful widgetish interfaces. They just didn't get it.
This is because they don't live and breathe it; they code; they write MIBs; they don't fantasize about pull/push/check/click *presto* it's configged. They live in their world, and rarely is the vendor's world the practical world of the network engineer/operator.
A smart guy who sends out reports that embarrass people once pointed out to me: the largest internet networks all have radically different designs, and yet they all work remarkably well.
So, until someone with enough savvy, experience, and coding skills attempts this task, I think it will stay proprietary and internally developed by, and for, each network.
A middleware interpretation layer (ie. sendmail's configuration file) is needed before this generic configuration system can be (fairly) easily implemented.
Tools exist (whose names escape me, but I'm sure bmanning or vixie will point them out) that profess to interpret radb configs into cisco and ascend configs, but they (in my/our limited experience and exploration) fail to capture the IGP variables or the various L2/L3 platform requirements.
</rambling opinion>
Writing this myself will be a big project. Well, big for one person.
I'd estimate 2 sufficiently clueful and experienced people could write a platform specific (cisco, ascend, fore, cascade, etc..) system in about 300 man-hours total; including debugging and sparse documentation. The iterations of the system for different platforms would take less time, but not less than one order of magnitude.
It wouldn't be that big for a software development business that is banking on selling it to a lot of providers.
Yes it would; read _The Mythical Man-Month_ by Brooks, pub. Addison-Wesley.
But is there even a market for this?
There certainly is; but the cost of customization may exceed the demand.
One thing I note about Netsation's product is that they promote it as a tool to deal with "cryptic IOS commands". IOS is _NOT_ cryptic.
I think one could say that Netsation or Netsys are good tools for people who think IOS is cryptic. (don't flame me, dear vendors, your tool can help mitigate detailed analysis, or help find idiot mistakes [which we all make]; however, last time I looked they didn't support IS-IS and choked when we tried to enter a smidgen of our routers into the network).
Where such a product is useful is managing the huge complexity of a large network, and in the case of what I am looking for, all of the other services as well.
For this, I think you should write your own or hire or fund someone.
-alan
Phil Howard | phil | at | milepost | dot | com |
Alan Hannan writes...
If, for example, one user is set up with a variety of access services, and I disable or delete that user, then it should be removed from all places where it is configured without me having to know.
This is a slightly different specification; you are talking about deploying distributed security permissions. This could be a subfunction of the configuration system.
Among other things, yes. But I don't see it as exactly a subfunction. I see it as one complete system.
Yes, I do combine my network operations and server operations together and I want a package that allows me to fully integrate it all together without having to have separate packages.
You will be hard pressed to find a ready-made off the shelf package to do what you want.
I figured so, but I should check anyway.
<rambling opinion>
Today's internet technology is complex. Harder than rocket science, but it appears easier because we make up with BS that which is lost by not understanding the formulas or having granular flow statistics.
The sum complexity of a network configuration system is a function of the router/switch interpreter, the routing policy, the routing protocols, and the databases with which one works.
Since implementing this complexity requires adhering to standards or understanding your own policies and protocols (which few really do), it's difficult to make generic solutions work for networks of a given complexity.
We worked hard with one router vendor to create such a system, but the exponential amount of work put in resulted in only a few useful widgetish interfaces. They just didn't get it.
This is because they don't live and breathe it; they code; they write MIBs; they don't fantasize about pull/push/check/click *presto* it's configged. They live in their world, and rarely is the vendor's world the practical world of the network engineer/operator.
You've hit the nail on the head. That probably explains why lots of the software on the market is lacking in being a complete solution.
A smart guy who sends out reports that embarrass people once pointed out to me: the largest internet networks all have radically different designs, and yet they all work remarkably well.
So, until someone with enough savvy, experience, and coding skills attempts this task, I think it will stay proprietary and internally developed by, and for, each network.
Probably will.
A middleware interpretation layer (ie. sendmail's configuration file) is needed before this generic configuration system can be (fairly) easily implemented.
Among other things.
Tools exist (whose names escape me, but I'm sure bmanning or vixie will point them out) that profess to interpret radb configs into cisco and ascend configs, but they (in my/our limited experience and exploration) fail to capture the IGP variables or the various L2/L3 platform requirements.
Lots of tools exist, but do they work together and cover everything? I tend to doubt it. And will the database even include it all?
It wouldn't be that big for a software development business that is banking on selling it to a lot of providers.
Yes it would; read _The Mythical Man-Month_ by Brooks, pub. Addison-Wesley.
I was incomplete in what I was saying. You are right for the real case. What I meant to refer to was what would be the case if things were done right.
But is there even a market for this?
There certainly is; but the cost of customization may exceed the demand.
Customization in terms of the variety of platforms? Or the variety of policies?
One thing I note about Netsation's product is that they promote it as a tool to deal with "cryptic IOS commands". IOS is _NOT_ cryptic.
I think one could say that Netsation or Netsys are good tools for people who think IOS is cryptic. (don't flame me, dear vendors, your tool can help mitigate detailed analysis, or help find idiot mistakes [which we all make]; however, last time I looked they didn't support IS-IS and choked when we tried to enter a smidgen of our routers into the network).
Imagine how you will feel when you see a copy of "Cisco Routers for Dummies" show up in the bookstore.
Where such a product is useful is managing the huge complexity of a large network, and in the case of what I am looking for, all of the other services as well.
For this, I think you should write your own or hire or fund someone.
It might happen.
-- Phil Howard | phil | at | milepost | dot | com |
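The two requirements raised in this thread (one ACL shared by several routers, and a disabled user disappearing from every service) can both be driven from a single inventory. The sketch below is an added example, not code from the thread or from any product named in it; the user names, service names, router names, prefixes and `DEPLOYED` snapshot are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed inventory: the single source of truth (all names hypothetical).
USERS = {
    "alice": {"enabled": True,  "services": {"dialup", "pop", "shell"}},
    "bob":   {"enabled": False, "services": {"dialup", "pop"}},  # disabled
}
COMMON_ACL = {"number": 10, "permit": ["192.0.2.0/24", "198.51.100.0/25"]}
ROUTERS = ["core1", "edge1"]

# Constructed snapshot of what is currently configured on each service.
DEPLOYED = {
    "dialup": {"alice", "bob"},
    "pop": {"alice", "bob"},
    "shell": {"alice"},
    "web": {"carol"},  # account with no entry in the inventory at all
}

def render_acl(acl):
    """Render an IOS standard ACL; hostmask is the wildcard (inverted) mask."""
    lines = []
    for prefix in acl["permit"]:
        net = ip_network(prefix)
        lines.append(
            f"access-list {acl['number']} permit {net.network_address} {net.hostmask}"
        )
    return lines

def router_configs(routers, acl):
    """Every router gets the same ACL text, generated once from one definition."""
    return {name: render_acl(acl) for name in routers}

def desired_state(users):
    """Map each service to the users who should exist there (enabled only)."""
    state = {}
    for name, user in users.items():
        if user["enabled"]:
            for service in user["services"]:
                state.setdefault(service, set()).add(name)
    return state

def plan(deployed, users):
    """Per service, list accounts to remove (stale or unknown) and to add."""
    want = desired_state(users)
    changes = {}
    for service in sorted(set(deployed) | set(want)):
        have, need = deployed.get(service, set()), want.get(service, set())
        if have != need:
            changes[service] = {"remove": sorted(have - need),
                                "add": sorted(need - have)}
    return changes

if __name__ == "__main__":
    print(router_configs(ROUTERS, COMMON_ACL))
    print(plan(DEPLOYED, USERS))
```

Because `plan` diffs the deployed state against the inventory rather than replaying individual delete requests, it also surfaces accounts that were never in the inventory, which is where leftover access usually hides.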
participants (3)
- Alan Hannan
- Phil Howard
- QUINN, Paul