    Advanced automation using NCM and other Orion tools.


      Wanted to reach out to the community to see if anyone has taken the tools provided in Orion and developed any functional automation off of them? I understand that the compliance tool is there and can check the stored running configuration but the logic it has is limited and does not seem to lend itself toward easy automation and remediation of issues.

      For example, we want to audit X variable in our configuration that is a standard in our organization. However, between the various platforms in our network (IOS, IOS-XE, NX-OS and others) the configuration is not going to appear the same in each "running-config". To match this example you would need to check the device type and software, then match the proper config to that device once the variables are matched, and execute remediation. I understand you can build groups to sort devices into and then run compliance reports against each group; however, this requires a ton of manual work to identify the unique characteristics of each group to match with the compliance report being built. In many ways having to sort into groups to match the report being built truly defeats the goal of automating these tasks, as so much manual work would have to be done for each possible combination.

      If anyone has any insight or example of how they've done this in their own organization that they would like to share that would be great.

          Are you interested in having the rules run remediation scripts or are you just validating what content the config has in it against the rules criteria?

          We have baselines that are easy to set up and apply against large groups of nodes and monitor drift/changes, but they do not allow for remediation scripts.

              Both. We will need to audit all devices in our environment for certain standards, then take steps either through NCM or by sending commands to external tools such as Ansible. I am fairly new to the current version of Orion, so my knowledge of all it offers function-wise is limited.

              If I were to tackle this in, say, Python, I'd build a series of logical steps that have matching if statements that, if matched, take action. However, from what I have observed in NCM it's looking solely at the config file, which is missing info such as the OS and OS version that you would normally see in, say, a show run or from the Orion DB directly. What I see thus far is a simple logic and/or gate that is looking for whether the config file does or does not contain "string" or a RegEx, then flags a violation.

              You can then, based on the violations, take action with a remediation script using NCM, which from my limited knowledge and experience is basically a "script" of commands the user would type into the device if they were doing it by hand. While this is fine for small adjustments, having the ability to use, for instance, a YANG data model to structure standards and have that be pushed as a template would be more efficient for large-scale pushes.

              Using a YANG model we would simply set the variables such as our NTP server, Syslog server and more, then the automated process would apply that standard to each device, being aware of the differences in the command structure and making accommodations for them. This could also be done by Orion flagging the failed devices and sending, through the remediation script, a list of failed devices to, say, Ansible, which would then execute the changes using the YANG model. But I am unsure if Orion can support this type of logic and operation at this time, hence seeking help on the community from more experienced users.
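The platform-aware logic the reply above describes (detect the OS, pick the matching config syntax, flag what is missing or unauthorised, and render the remediation) can be sketched outside NCM in a few dozen lines of Python. The following is an added illustration, not code from the thread, from Orion/NCM or from any vendor: the device banners, running-config excerpts and IP addresses are constructed sample data, and the per-platform command templates and regexes are a deliberately simplified, hypothetical model of IOS/IOS-XE versus NX-OS syntax rather than an authoritative one. In a real deployment the OS metadata would come from the Orion DB and the templates from vendor documentation or a YANG-derived model.

```python
"""Platform-aware compliance audit and remediation rendering (added example)."""
import re

# Organisational standard expressed as variables (constructed sample values).
STANDARD = {
    "ntp": ["192.0.2.10", "192.0.2.11"],
    "syslog": ["192.0.2.50"],
}

# Per-platform (command template, matching regex) for each standard item.
# Hypothetical simplification of vendor syntax; group(1) captures the server IP.
PLATFORM_RULES = {
    "IOS": {
        "ntp": ("ntp server {ip}", r"^ntp server (\S+)"),
        "syslog": ("logging host {ip}", r"^logging host (\S+)"),
    },
    "NX-OS": {
        "ntp": ("ntp server {ip} use-vrf default", r"^ntp server (\S+)"),
        "syslog": ("logging server {ip}", r"^logging server (\S+)"),
    },
}
PLATFORM_RULES["IOS-XE"] = PLATFORM_RULES["IOS"]  # same syntax for this example


def detect_platform(show_version: str) -> str:
    """Classify a device from its 'show version' banner; order matters (XE before IOS)."""
    if "NX-OS" in show_version:
        return "NX-OS"
    if "IOS XE" in show_version or "IOS-XE" in show_version:
        return "IOS-XE"
    if "Cisco IOS Software" in show_version:
        return "IOS"
    raise ValueError("unrecognised platform banner")


def audit(platform: str, running_config: str) -> dict:
    """Compare a running-config against STANDARD using the platform's syntax.

    Returns {item: {"missing": [...], "extra": [...]}} where 'extra' lists
    servers present on the device but not authorised by the standard.
    """
    rules = PLATFORM_RULES[platform]
    lines = [line.strip() for line in running_config.splitlines()]
    report = {}
    for item, (_template, pattern) in rules.items():
        found = {m.group(1) for line in lines if (m := re.match(pattern, line))}
        wanted = set(STANDARD[item])
        report[item] = {"missing": sorted(wanted - found), "extra": sorted(found - wanted)}
    return report


def is_compliant(report: dict) -> bool:
    return all(not d["missing"] and not d["extra"] for d in report.values())


def remediation(platform: str, report: dict) -> list:
    """Render platform-specific commands: remove unauthorised entries, add missing ones."""
    rules = PLATFORM_RULES[platform]
    cmds = []
    for item, delta in report.items():
        template = rules[item][0]
        cmds += ["no " + template.format(ip=ip) for ip in delta["extra"]]
        cmds += [template.format(ip=ip) for ip in delta["missing"]]
    return cmds


# Constructed sample devices: name -> (show version excerpt, running-config excerpt).
SAMPLE_DEVICES = {
    "core-sw1": (
        "Cisco Nexus Operating System (NX-OS) Software",
        "hostname core-sw1\n"
        "ntp server 192.0.2.10 use-vrf default\n"
        "logging server 192.0.2.50\n"
        "logging server 198.51.100.9\n",   # unauthorised syslog destination
    ),
    "edge-rtr1": (
        "Cisco IOS Software, C2900 Software, Version 15.2(4)M",
        "hostname edge-rtr1\n"
        "ntp server 192.0.2.10\n"
        "ntp server 192.0.2.11\n"
        "logging host 192.0.2.50\n",
    ),
}


def audit_fleet(devices: dict) -> dict:
    """Run detection, audit and remediation rendering for every device."""
    results = {}
    for name, (banner, config) in devices.items():
        platform = detect_platform(banner)
        report = audit(platform, config)
        results[name] = {
            "platform": platform,
            "compliant": is_compliant(report),
            "remediation": remediation(platform, report),
        }
    return results


if __name__ == "__main__":
    for name, result in audit_fleet(SAMPLE_DEVICES).items():
        print(name, result["platform"], "compliant" if result["compliant"] else "VIOLATION")
        for cmd in result["remediation"]:
            print("   ", cmd)
```

The audit deliberately reports both directions of drift: a missing standard server and an unauthorised extra one are different findings, and the extra one is the more interesting security signal (an unknown syslog or NTP destination). The rendered command list is what would be handed to NCM's remediation script or to an external tool such as Ansible; the output is shown rather than pushed, so the decision to execute stays with the operator.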