Product Blog

3 Posts authored by: jpetkevich Employee

The Ghosts of Config Past, Present, and Future (Well, Sort Of)

 

The scene is set: the curtains open to a person in bed trying to get a good night’s sleep during a dark and windy night. The hair on the back of their neck is standing on end, and with one big gust their worst fears come true! In bursts a flurry of emails demanding proof for configs of old.

 

Okay, okay, while I’m no Hemingway, I can tell you that we’ve all experienced the nightmare of being visited by configs of old. Being bothered to prove an older configuration was in compliance is a real pain, and the thought of doing this manually makes your skin crawl. Enter SolarWinds® Network Configuration Manager (NCM) network configuration management software v7.9 and the Favorite config.

 

Being a “favorite” is always a good thing, and the same can be said for Favorite configs inside of Network Configuration Manager. Just as any favorite gets special handling, Favorite configs are granted special privileges within compliance policies. Compliance Policies are always evaluating the most recent version of a configuration file. If you’re trying to prove compliance of an old file, you need to tell NCM to use that file instead. You do that by setting the config as Favorite.

 

If you set one config from each node as Favorite, then those Favorites will forever be the most recent. This means that you, as the user, would be able to prove these configs’ compliance at any point in the future from that day without any extraordinary effort. The best part of getting this set up is that it can be fairly easy, if you have established rules and policies.

 

Simply mark a config as Favorite either through the UI or, for the savvy user, through the SDK. This is done by navigating to the Configuration Management page and expanding the list of configs nested under a node.

 

Once this is done, you need to make sure to set up or modify your Policies to use this config type.

 

After the policies are set, just add these policies to a Compliance Report. 

 

 

After the Compliance Report is set up, update the report and click on it to see the output. You can verify that this is evaluating the correct config by drilling into any violation and clicking the “View Config” link.

 

If everything is set up correctly, you will see the details for the Favorite config. 


 

And there you have it! You’ll no longer be pressed to manually evaluate older configs for audit review or documentation. If you find this useful, have any comments, or would like to see how this can be done through the SDK, please let me know below!

Network Configuration Manager (NCM) v7.9 is available today on the customer portal! For a broad overview of this release, the release notes are a great place to start. This is a particularly pleasing release as we are delivering a feature that has received over 470 votes: Multi-Device Baselines.

 

What are Configuration Baselines?

Baselines are often attached to the act of measuring and rating the performance of a given object (interface, device, or similar) in real time. In configuration management terms, baselines are used to provide a framework for change control and management. The configuration baselines measure and evaluate the content set within the config and indicate whether the content is aligned to the baseline or not.      

 

Because configuration changes over time are more difficult to observe directly and more complex to manage, baselines play a role in monitoring and preventing unwanted changes. I find that this definition of baselines from Techopedia is interesting and accurate:

“It is the center of an effective configuration management program whose purpose is to give a definite basis for change control in a project by controlling various configuration items like work, features, product performance and other measurable configuration.”

 

This means that manual monitoring may be possible for a small number of nodes, but it is neither practical nor reasonable to scale this type of manual monitoring framework. Actively monitoring each device’s config makes the validation of consistency and alignment to corporate or regulatory requirements reliable and possible.

 

Baselines

The great news is that NCM already helps with mitigating the challenges related to monitoring configuration drift by providing config change reports, Real Time Change Detection, rules and policies that monitor configurations based on a set of user-defined conditions, and one-to-one configuration baselining. What we implemented in the latest version of NCM extends and improves configuration baselines to include:

  1. Creating new baseline(s) through
    1. Promoting an existing config to be a baseline, or
    2. Creating a new baseline by copy/paste or loading a file
  2. Ignoring unnecessary configuration lines (or lines unique to each device)
  3. Applying baseline(s) to a single node or multiple nodes

 

<New!> Baseline Management

In this release, there is a new list view of all baselines that have been created or migrated from an upgrade. From this new page, users can create new baselines, edit existing ones, apply or remove nodes for a given baseline, enable or disable a baseline, update the status of the baseline, or delete a baseline.

 

<New!> Updated Diff Viewer

A major improvement in this release is the implementation of a new diff viewer for baselines. This new diff viewer will collapse lines that are unchanged, highlight ignored lines as gray, and mark all changes as yellow.

 

 

More Ways to Create a Baseline

The process of creating baselines should be easy—take an existing config and simply apply it against a set of nodes, right? In NCM, you can do just that by promoting an existing configuration, loading a config from file, or copying and pasting.

 

Promoting a config is now nested under the node and in the baseline column:

 

Creating a new baseline can be done through the new Baseline Management Page:

 

No matter the steps to create the baseline, each will ultimately lead to applying the baseline to the nodes and configs.

 

Ignoring Extraneous Config Lines

One of the key challenges with baselines is being able to get an accurate assessment of the config and not having false positives for config lines that are unique to a node or not relevant to the baseline. In NCM v7.9, we have introduced an ignore line capability that allows users to click through lines that are not relevant to the baseline to aid in reducing false positives. To read more on this, check out this link.
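To make the false-positive problem concrete, here is an added example (not NCM code and not from the original post) that applies one baseline to several nodes and skips ignored lines before diffing. The regex-based ignore list, the function names, and the sample configs are assumptions constructed for illustration; NCM itself lets you click lines in the UI.

```python
import difflib
import re

def drift(baseline, config, ignore=()):
    """Return '- '/'+ ' lines where config departs from baseline, skipping ignored lines."""
    pats = [re.compile(p) for p in ignore]
    def keep(text):
        return [ln.rstrip() for ln in text.splitlines()
                if ln.strip() and not any(p.search(ln) for p in pats)]
    base, conf = keep(baseline), keep(config)
    out = []
    matcher = difflib.SequenceMatcher(a=base, b=conf, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            out += ["- " + ln for ln in base[i1:i2]]
        if tag in ("insert", "replace"):
            out += ["+ " + ln for ln in conf[j1:j2]]
    return out

def baseline_status(baseline, node_configs, ignore=()):
    """Apply one baseline to many nodes: node -> list of drift lines (empty = aligned)."""
    return {n: drift(baseline, c, ignore) for n, c in node_configs.items()}

# Constructed sample data (hypothetical template and devices)
BASELINE = """hostname TEMPLATE
service password-encryption
no ip http server
ntp server 10.0.0.1
interface mgmt0
 ip address 10.0.0.10/24
logging server 10.0.0.50
"""
IGNORE = [r"^hostname ", r"^\s*ip address "]   # lines unique to each device
NODES = {
    "sw1": BASELINE.replace("TEMPLATE", "sw1").replace("10.0.0.10/24", "10.0.1.11/24"),
    "sw2": BASELINE.replace("TEMPLATE", "sw2")
                   .replace("no ip http server", "ip http server")
                   .replace("10.0.0.50", "10.9.9.9"),
}

if __name__ == "__main__":
    for node, lines in baseline_status(BASELINE, NODES, IGNORE).items():
        print(node, "aligned" if not lines else lines)
```

Without the ignore list, sw1 is reported as drifted purely because of its hostname and management address; with it, only sw2's re-enabled HTTP server and changed logging target remain.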

 

Baseline Status Indicators

To monitor whether or not a node (config) is in compliance with a baseline or baselines, there needs to be a visual and written indication. Baseline Management, Configuration Management, and ‘Baseline vs. Config Conflicts’ report all now have visual and written indicators. On the Configuration Management page, there is a new baseline column that contains the visual and written indication of whether or not that node is in alignment with the baselines applied.

 

For each status, there is a hover that provides a list of all the baselines and their associated status for that node.

 

The new Baseline Management view provides a complete list view of all baselines that have been created. This view is meant to show the alignment of all the nodes that are applied against a single baseline.

 

Each baseline can be expanded to show the status for different nodes to which it is applied (similar to the hover for Configuration Management). Each one of the statuses is clickable and will load the diff of that baseline vs. the config selected.

 

Lastly, the “Baseline vs. Config Conflicts” report also inherits the visual indicators and now shows the status of a node to one or many baselines.

 

This is a major step forward for baselines and the monitoring of configuration drift within NCM. Of course, please be sure to create new feature requests for any additional functionality you would like to see with baselines or NCM in general.

 

Helpful Links:

NCM v7.9 Release Notes

NCM Support Documentation

Network Configuration Management Software

I am very excited to announce that SolarWinds NCM 7.8 is available for download in the Customer Portal! This release brings many valuable features and the release notes are a great resource for these.

 

Network Insight for Cisco Nexus
This is the third iteration in our Network Insight series and in this release we have extended those insights to Cisco Nexus. We understand that your Cisco Nexus devices are a sizable investment and come with a host of valuable features and that you also expect deeper insight from your SolarWinds monitoring and management tools as a result. This meant that we had to go back and develop some new features and expand on existing ones to ensure that the relevant information you need is presented properly. It means that your workflows are logical and more time efficient.

 

 

Virtual Port Channels

One of the really awesome features of a Cisco Nexus, that comes with a good deal of complexity, is the ability to create and deploy vPCs. vPCs operate as a single logical interface, but are actually just a group of interfaces working together. What this means is that managing vPCs can become a time drain, as the number of vPCs increases and as the number of interfaces on each vPC pair increases. Network Insight provides a view to show each vPC and the member interfaces in each of those vPCs. This is covered in the NPM v12.3 release blog.

 

In addition to this view, there is another layer of detail that shows the configuration of each vPC and its member interfaces. To see this detail, click on "View Configs" on the vPC page. This page displays the configuration details for each side of the vPC and the configurations of each member interface. This allows you to save time by more efficiently identifying configuration errors within the vPC and the member interfaces. I think we can all agree that not having to hop across multiple windows and execute manual searches or commands to find issues is a major workflow improvement!

 

The example below is a vPC with multiple member interfaces:

 

Virtual Device Contexts

As it is covered here, each VDC is essentially a VM on a Cisco Nexus (also Cisco ASAs!) and each context is configured separately and provides its own set of services. These configurations are downloaded and backed up by NCM. They are also referenced for all the features in this release.

 

To manage a context in NCM, just click "Monitor Node" and NCM will walk through the node addition process. After that has concluded, each configuration is downloaded and stored separately.

 

Access Control Lists

ACLs define what to do with the network traffic. ACLs are very complicated to manage because within each ACL are rules (Access Control Elements) and within these are object groups. The object groups are containers that house specific information for the given rule like the interfaces that you might block a particular MAC address from traversing. The layering creates some problems. Manually you need to verify the rules are handling traffic by examining the hit counts, and that none of the rules are shadowed or redundant. Lastly, to ensure we met all of your needs for ACLs we extended the existing functionality of Access Control Lists (ACLs) beyond Port Access Control Lists (PACLs) and VLAN Access Control Lists (VACLs), to include MAC ACLs and non-contiguous subnet masks.

 

ACLs are super easy to add and once the Nexus nodes are added to NCM, it will automatically discover ACLs and grant you access to all the information available inside those ACLs. You won't need to spend copious amounts of time digging into each ACL, determining if changes occurred, and what changes occurred.

 

To see the list of ACLs for a particular Nexus, mouse over the entities on the side panel and select “Access Lists.”

Access Control List Entity View

 

With this view you are able to see the historical record of ACLs, including the date and time of each revision, and whether there are any overlapping rules inside each version of the ACL. To expose the previous version for viewing, just expand the view. From this same screen you are able to view the ACL details and also compare against the next most recent revision, an older revision, or a different node's ACL.

ACL detail view and rule alerts

 

When you navigate into the ACL, each of the rules in that ACL is displayed, including all the syntax for that ACL. In this view each rule provides a hit counter, making it easy to see which rules are impacting traffic and which ones are not. You are also able to drill down into the object groups.

 

Viewing conflicting rules is simple in NCM. Expanding on the alert, you can see the shadowed or redundant rules.

  • Redundant: a rule earlier in the list overlaps this rule, and does the same action to the matched traffic.
  • Shadowed: a rule earlier in the list overlaps this rule, and does the opposite action.
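The two definitions above can be checked mechanically. The following is an added example (not NCM's implementation and not from the original post) that audits a simplified, constructed ACL; it assumes "overlaps" means the earlier rule fully covers the later one, so partial overlaps are not flagged, and the `Rule` model and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    dport: Optional[int] = None  # None means any destination port

def covers(earlier, later):
    """True when every packet matched by `later` is already matched by `earlier`."""
    if earlier.proto != "ip" and earlier.proto != later.proto:
        return False
    if earlier.dport is not None and earlier.dport != later.dport:
        return False
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst)))

def audit(rules):
    """Map seq -> (finding, seq of the earlier covering rule) for rules that never fire."""
    ordered = sorted(rules, key=lambda r: r.seq)
    findings = {}
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:      # ACLs are first-match-wins
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings[later.seq] = (kind, earlier.seq)
                break
    return findings

# Constructed sample ACL (not taken from any real device)
SAMPLE_ACL = [
    Rule(10, "permit", "tcp", "10.0.0.0/8", "192.168.10.0/24", 443),
    Rule(20, "deny", "tcp", "10.1.0.0/16", "192.168.10.0/24", 443),    # shadowed by 10
    Rule(30, "permit", "tcp", "10.2.2.0/24", "192.168.10.0/24", 443),  # redundant with 10
    Rule(40, "deny", "tcp", "10.0.0.0/8", "192.168.10.0/24", 22),      # different port: fine
    Rule(50, "deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),                  # catch-all
    Rule(60, "permit", "udp", "172.16.0.0/12", "192.168.10.0/24", 53), # shadowed by 50
]

if __name__ == "__main__":
    for seq, (kind, by) in audit(SAMPLE_ACL).items():
        print(f"rule {seq}: {kind} (covered by rule {by})")
```

Rule 20 is the case worth noticing in review: the deny was presumably intended to block a subnet, but the broader permit at sequence 10 matches first, so the deny never takes effect.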

 

Interface Config Snippets

At some point during the course of your day you will have identified one or many interfaces that warrant deeper inspection. Based on feedback from many of you, we discovered that once you reached this point you needed to see more information: specifically, information about that interface and its configuration. Normally you would have had to dig into overall running or startup configs, requiring you to navigate away from the interface screen. This is why we created interface config snippets, and this is probably one of my favorite features in this Network Insight release.

 

These snippets are the running configurations of the specific interface you are viewing.

Interface Config Snippet


Once you have found the snippet on the page, you are able to verify which configuration this snippet is pulled from and the date and time of when it was downloaded.

Interface Config Snippet details + history

 

Conclusion

That is all I have for now on this release but I recommend you go check out our online demo and visit the customer portal to click through this functionality and see all the great features available in this release. My fellow cohort cobrien put together a great blog on Network Performance Monitor's v12.3 release for Network Insight and I highly recommend that you head over and give it a read! I look forward to hearing your feedback once you have this new release up and running in your environment!
