
Network Configuration Management - Benefits and Operations

Level 10

Happy Monday Everybody!

In my last two blog posts we talked about network configuration management. I talked about my previous experience with various tools and techniques, and how my needs have changed over the years as my job and networks evolved. We then went into a kicking-the-tires exercise and talked about one scripting-based methodology for performing basic configuration archival, and hopefully gave you a glimpse of just a small sample of the things that are possible with network configuration management techniques. In this post, I’d like to talk about some of the benefits of implementing a network configuration management solution, the types of information you can collect, and how we can use the information that we’ve gathered.

Configuration Archival

First and foremost, one of the areas of focus we commonly explore with a network configuration management strategy is that of configuration archival.  This can be something as simple as daily or weekly configuration backups into a repository for ‘just in case the device dies’ recovery, or it can be far more complex and deal with being able to go back in the past and review prior configuration revisions, whatever the reason.  I can’t tell you how many times I wish I had a reference point for how something used to work.  Even configurations I created myself as much as a decade or more ago can have value in the things I do today.

Bulk Change Deployment

Don’t think of configuration management as being a one-way task. It’s not just about pulling information from devices; it can also be a very valuable tool for pushing configuration to devices. When I left a previous company where I had been for 8+ years, it would have been negligent had the employer not insisted that all critical passwords be changed. The keys I held to that environment were pretty powerful. I hate to laugh about it, but we didn’t have the best configuration management tools in that environment, and somebody had to manually touch a few hundred devices and change passwords. With a little bit of scripting, or an off-the-shelf product, that task could have been greatly simplified. Deploying even the most trivial or the most advanced of changes using a configuration management solution can pay off in spades.

Maintaining Standards / Detecting Unauthorized Changes

Especially if you have a mid-size or larger network, it’s likely that you employ some sort of ‘configuration standards’ or configuration consistencies that need to be maintained across a multitude of devices. Maybe this is policy based, or maybe it’s purely technical in nature, but with proper configuration management tools, you can audit your devices and make sure that things are being done ‘the way we planned’. This can go a long way in ensuring operational availability of your environment. You can also use this same logic to detect when policy violations may have occurred by detecting anomalous configurations.
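As an added illustration of the audit and change-detection idea above (not code from the original post or from any NCM product), this Python example checks a device configuration against a small standard and reports drift between two archived revisions. The standard, the IOS-style sample configurations and all function names are assumptions constructed for the example.

```python
import difflib
import re

# Constructed standard: lines every device must carry, patterns none may carry.
REQUIRED = ["ntp server 192.0.2.20", "logging host 192.0.2.10"]
FORBIDDEN = [r"^snmp-server community (public|private)\b",
             r"^\s*transport input .*\btelnet\b"]
# Lines that change on every save and would otherwise be reported as drift.
VOLATILE = re.compile(r"^(! Last configuration change|Current configuration :)")

def normalize(config):
    """Drop trailing whitespace, blank lines and volatile lines."""
    lines = (ln.rstrip() for ln in config.splitlines())
    return [ln for ln in lines if ln and not VOLATILE.match(ln)]

def audit(config):
    """Return sorted (kind, detail) findings for one config against the standard."""
    lines = normalize(config)
    present = {ln.strip() for ln in lines}
    findings = [("missing", req) for req in REQUIRED if req not in present]
    for ln in lines:
        if any(re.search(pat, ln) for pat in FORBIDDEN):
            findings.append(("forbidden", ln.strip()))
    return sorted(findings)

def drift(archived, current):
    """Return lines removed (-) and added (+), skipping the diff's header lines."""
    diff = difflib.unified_diff(normalize(archived), normalize(current),
                                lineterm="", n=0)
    return [d for d in list(diff)[2:] if d[0] in "+-"]

# Constructed sample revisions of one device's running config.
ARCHIVED = """\
! Last configuration change at 02:11:07 UTC Mon Mar 3 2014
ntp server 192.0.2.20
logging host 192.0.2.10
line vty 0 4
 transport input ssh
"""
CURRENT = """\
! Last configuration change at 23:48:52 UTC Thu Mar 6 2014
ntp server 192.0.2.20
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    print(audit(CURRENT), drift(ARCHIVED, CURRENT), sep="\n")
```

Normalizing before comparing keeps timestamp-only differences out of the drift report, so an alert means a real configuration line changed.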

Assist with Inventory Management and Asset Control

Finally, but certainly not the least important, a network configuration management strategy can greatly help audit device inventory and assist with asset control.  Being able to pull a list of all active devices on your network sure helps come maintenance renewal time.  Don’t ask me how many times I’ve had to have an engineer perform a physical inventory because we weren’t 100% sure of what was installed in a particular location.

I’ve touched on many of the network configuration management benefits and key pieces of information that I use in my operations – tell me about yours, how you use the network configuration management tools that you have implemented in your network, and how it benefits running your operation. 

@ciscovoicedude

22 Comments
Level 9

I like how you used "a repository for ‘just in case the device dies’ recovery" instead of "The 'Oh @^#$' repository".

Level 11

Our NCM implementation isn't that old yet and so it's kind of got a "just out of the box" kind of feel to it. I do have it downloading the configurations of most of our routers and switches in case we need to go back to a configuration to configure a new device. We also have created some compliance scripts to run and verify that our ACLs are up to date. This was very challenging in that it doesn't seem that I am able to compare a block of text to a downloaded configuration very easily. Simple comparisons are easy, but not complex ones. So, in my case I simply compare the version "a commented field" and if it is the right version then I call it good. Asset management is something I am interested in.

Jim

MVP

We have NCM that is downloading all our network equipment configuration constantly, especially if there are any changes to that configuration. We also use CATTOOLS to make another backup of our local network equipment so we can back that up to our disk pools and tape. The reason we back up the local configurations is because all sites come through us to get access to applications and the internet. We are playing it safe by having two software applications backing up the same configurations, that way if one happens to go down, we have the other as a backup. We are playing it safe.

Level 12

Our NCM does a nightly download of all the configs for those OH $*%# moments. We basically use it as our puppet system for our network devices.

Level 11

Will try as you said...

Level 20

We use a custom-developed in-house application for this, but considering that we have many other modules I've always considered NCM.

Level 10

From now on, I'm going to refer to it as "Oh @#$! backups".

Level 10

Nothing wrong with playing it safe.  Don't ask me about the time I didn't have a config for a device a 12 hour international flight away...     Thanks for chiming in!

Level 13

I think you spelled $*%# wrong or possibly you meant !t-$#e

Level 13

what kind of application? what language? what do you use to get the configs?

Level 9

Static routes can be a nightmare in a poorly managed/documented network. We have come into cases of networks like this and NCM definitely has proven to be a powerful tool to get things in order: just add nodes, download configs into the database, and then everything  is searchable. So no more "where is that static route configured" or "where is that IP referenced" when changes need to be done.

MVP

I've been using NCM for a while now and I have it doing weekly startup and running config backups. First I backup the startup config and an hour later I backup the running config. As part of the running config backup, I also have the job compare the startup to the running config and email me if they differ. This will mean that if someone hasn't written the config off when they last made a change, it will show up on the report.

I've got realtime detection turned on which backs up the running config each time a change is made. Very handy when troubleshooting.

And lastly I have NCM purge configs which are older than 6 months. I run this job once a week.

Level 17

superfly99 just about summed it up, except we are not set up to back up each time a change is made.

I am beginning to set up a few more policy reports to show off problem areas or things that are not set up correctly.

Inventory is a must as well, and reports to no end, especially when combining custom polled fields to pull chassis inventory.

Level 11

cool read.

Level 10

Excellent write-up. I really liked it. I feel we would use NCM if it worked for SonicWALLS. We have other equipment, but we primarily have those...........

Level 11

lol

Level 21

Our NCM implementation is primarily focused on configuration archival and auditing for the sake of maintaining standards.  We have had NCM for a long time and our network team is just now beginning to look at more ways to leverage it for deployment automation in an attempt to replace old legacy systems we have used for that.

MVP

I can attest to the volume of work to change passwords on 5000+ devices...and none can be the same.

Perl is your friend.

Level 12

I think the compliance reporting feature of NCM is one of the most useful after, of course, the 'just in case' backups.  Unfortunately, it is also one of the most underutilized features among the customers I have worked with.

Level 13

At a previous employer I kept pushing for a config management solution, or at least some kind of AAA, so we could easily push changes or update authentication credentials if needed. Those requests kept falling on deaf ears. That is, until I gave my notice and they started to realize how many customer networks and devices I had access to.

At this employer having device backups has been handy for 2 main reasons.  First is making sure standards (i.e. ACLs and application, AAA config, NTP, logging, etc.) are maintained, auditable, and easily correctable.  Second is being able to show an unhappy customer that their network port or firewall ACL did not change despite how much they want to blame the network for their application breaking.

MVP

This is one of the products we want to look at. Got to finish implementing all the ones we do own first.

Level 15

Thanks for the post and the discussion.

About the Author
I'm a Unified Communications engineer by trade, but I've got a background in (and passion for) systems management technologies of all kinds.