
Advanced automation using NCM and other Orion tools.

Wanted to reach out to the community to see if anyone has taken the tools provided in Orion and developed any functional automation off of them. I understand that the compliance tool is there and can check the stored running configuration, but the logic it has is limited and does not seem to lend itself toward easy automation and remediation of issues.

For example, we want to audit X variable in our configuration that is a standard in our organization. However, between the various platforms in our network (IOS, IOS-XE, NX-OS and others) the configuration is not going to appear the same in each "running-config". To match this example you would need to check the device type and software, then match the proper config to that device once the variables are matched and execute remediation. I understand you can build groups to sort devices into and then run compliance reports against each group; however, this requires a ton of manual work to identify the unique characteristics of each group to match with the compliance report being built. In many ways, having to sort into groups to match the report being built truly defeats the goal of automating these tasks, as so much manual work would have to be done for each possible combination.

If anyone has any insight or example of how they've done this in their own organization that they would like to share that would be great.




  • Are you interested in having the rules run remediation scripts or are you just validating what content the config has in it against the rules criteria?

    We have baselines that are easy to set up and apply against large groups of nodes and monitor drift/changes, but they do not allow for remediation scripts.


    We have a lot of great folks on here who can share their automation with NCM experience with you.

  • Both. We will need to audit all devices in our environment for certain standards, then take steps either through NCM or by sending commands to external tools such as Ansible. I am fairly new to the current version of Orion, so my knowledge of all it offers function-wise is limited.

    If I were to tackle this in, say, Python, I'd build a series of logical steps that have matching if statements that, if matched, take action. However, from what I have observed in NCM it's looking solely at the config file, which is missing info such as the OS and OS version that you would normally see in, say, a show run or from the Orion DB directly. What I see thus far is a simple logic and/or gate that is looking for "if or if not contains 'string' or RegEx in the config file, then flag a violation".

    You can then, based on the violations, take action with a remediation script using NCM, which from my limited knowledge and experience is basically a "script" of commands the user would type into the device if they were doing it by hand. While this is fine for small adjustments, having the ability to use, for instance, a YANG data model to structure standards and have that be pushed as a template would be more efficient for large-scale pushes.

    Using a YANG model we would simply set the variables such as our NTP server, Syslog server and more, then the automated process would apply that standard to each device, being aware of the differences in the command structure and making accommodations for them. This could also be done by Orion flagging the failed devices and sending, through the remediation script, a list of failed devices to, say, Ansible, which would then execute the changes using the YANG model. But I am unsure if Orion can support this type of logic and operation at this time, hence seeking help on the community from more experienced users.






  • I will say that NCM is not going to have the full range of capabilities that you would be able to leverage from something like hand-crafted scripts and Ansible playbooks. Like you mentioned, you primarily have to work with the existing saved configs, so you can't just pick a series of if statements and run different CLI depending on the output of some show commands. The workaround I've seen is to create additional config types for each of those show commands. The problem is that you aren't really working in real time: you run a stack of "config backups" that are actually the show commands you want, then after all of them are collected you can cook up some logic to piece them all together and determine which scripts you want to run or what policies need to be applied. Ultimately something like this tends to get pretty complex in NCM, and if you are already geared up to do it in Ansible then doing it in NCM will probably seem clunky by comparison.

    With that said, I did have a client who had leveraged NCM to build his routers by pulling a bunch of NCM data out to PowerShell, did his logic all there to build the necessary configs, then just piped that into the NCM verbs to run whatever lines of config his PowerShell had assembled. He could have probably just bypassed NCM completely for the remediation stuff, really, but he liked to use the reporting there and he liked having NCM available for more basic things his junior techs needed to be able to do in the GUI.

  • Hi jesse.ford

    NCM does not support NETCONF; there's a feature request, please vote

    ;-)

    I still think you can manage quite a lot by using all the features that are there.

    I use compliance quite often, and you can use that also for custom show | xyz commands:

    Using Compliance Reporting to Verify Juniper Alternate Slice Version

    Cisco Devices template with "show Module"

    Use properties to call NTP/DNS/TFTP

    Success Center

    We use NCM as some kind of CMDB and share the backup jobs drive with a Linux server.

    All that data is reachable with grep from the Linux station, and your Ansible could reuse that share.
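The "piece the collected show commands together" idea from the earlier reply, combined with the shared backup drive described just above, as an added Python example that is not part of this thread and not an NCM feature: it walks a share laid out as `<share>/<host>/running-config.txt` plus `<share>/<host>/show-version.txt` (the second being an assumed custom config type that really runs `show version`), fingerprints the platform and OS version from the collected output, and renders the hosts that fail a minimum-version standard as an Ansible inventory group. The directory layout, the minimum versions, the `show version` excerpts and the host names are all constructed for the example; a host whose `show-version` type has not been collected yet is reported as an error rather than silently passed.

```python
import re
import tempfile
from pathlib import Path

# Constructed minimum-version standard per platform (assumption).
MIN_VERSION = {"ios": (15, 2, 4), "ios-xe": (16, 9, 4), "nxos": (9, 3, 8)}

# Fingerprints in 'show version' output. IOS XE banners also contain the words
# "Cisco IOS Software", so the XE check must run before the plain IOS one.
PLATFORM_SIGNATURES = [
    ("nxos",   re.compile(r"Cisco Nexus Operating System \(NX-OS\)")),
    ("ios-xe", re.compile(r"Cisco IOS XE Software")),
    ("ios",    re.compile(r"Cisco IOS Software")),
]

# Where the OS version sits in each platform's 'show version'. NX-OS prints a
# "BIOS: version" line before the NXOS one, so it needs a narrower pattern.
VERSION_PATTERNS = {
    "nxos":   re.compile(r"NXOS:\s+version\s+(\S+)"),
    "ios-xe": re.compile(r"Version\s+(\d[\w.()]*)"),
    "ios":    re.compile(r"Version\s+(\d[\w.()]*)"),
}


def detect_platform(show_version):
    for platform, sig in PLATFORM_SIGNATURES:
        if sig.search(show_version):
            return platform
    return None


def parse_version(platform, show_version):
    """Turn '15.2(4)E7' or '9.3(5)' into a comparable tuple of integers."""
    m = VERSION_PATTERNS[platform].search(show_version)
    if not m:
        return None
    return tuple(int(n) for n in re.findall(r"\d+", m.group(1)))


def scan_share(root):
    """Walk <root>/<host>/ and pair each running-config with its show-version."""
    results = {}
    for host_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        entry = {"platform": None, "version": None, "compliant": None, "error": None}
        cfg_file = host_dir / "running-config.txt"
        ver_file = host_dir / "show-version.txt"
        if not cfg_file.exists() or not ver_file.exists():
            # The backup job for one config type has not run yet: do not decide.
            entry["error"] = "missing config type; wait for the next backup job"
        else:
            text = ver_file.read_text()
            platform = detect_platform(text)
            version = parse_version(platform, text) if platform else None
            entry.update(platform=platform, version=version)
            if platform and version:
                entry["compliant"] = version >= MIN_VERSION[platform]
            else:
                entry["error"] = "could not identify platform or version"
        results[host_dir.name] = entry
    return results


def ansible_inventory(results):
    """Render hosts that need action as an INI-style Ansible inventory group."""
    lines = ["[needs_upgrade]"]
    for host, e in results.items():
        if e["compliant"] is False:
            ver = ".".join(str(n) for n in e["version"])  # 9.3(5) becomes 9.3.5
            lines.append(f"{host} platform={e['platform']} version={ver}")
    return "\n".join(lines) + "\n"


# Constructed 'show version' excerpts (not captured from real devices).
SAMPLE_SHARE = {
    "rtr1": "Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
            "Version 15.2(4)E7, RELEASE SOFTWARE (fc2)\n",
    "rtr2": "Cisco IOS XE Software, Version 16.09.04\n"
            "Cisco IOS Software [Fuji], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), "
            "Version 16.9.4, RELEASE SOFTWARE (fc2)\n",
    "sw1":  "Cisco Nexus Operating System (NX-OS) Software\n"
            "  BIOS: version 05.33\n  NXOS: version 9.3(5)\n",
    "sw2":  None,  # show-version config type not collected yet
}


def build_sample_share(root):
    """Write the constructed share layout under root."""
    for host, show_ver in SAMPLE_SHARE.items():
        d = Path(root) / host
        d.mkdir(parents=True, exist_ok=True)
        (d / "running-config.txt").write_text(f"hostname {host}\n")
        if show_ver is not None:
            (d / "show-version.txt").write_text(show_ver)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        results = scan_share(tmp)
        return results, ansible_inventory(results)


if __name__ == "__main__":
    results, inventory = demo()
    for host, entry in results.items():
        print(host, entry)
    print(inventory)
```

Because the share is just files, the same scan could be run as a cron job on the Linux station after the nightly backup jobs finish, and the inventory text handed straight to `ansible-playbook -i`; the "error" entries are the hosts where the collected data is incomplete, which is the main thing to watch when the decision logic runs from archived output rather than a live session.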