[48720] in North American Network Operators' Group


Re: What's wrong with provisioning tools?

daemon@ATHENA.MIT.EDU (Streiner, Justin)
Thu Jun 13 11:52:48 2002

Date: Thu, 13 Jun 2002 11:49:23 -0400 (EDT)
From: "Streiner, Justin" <streiner@stargate.net>
To: nanog@merit.edu
In-Reply-To: <200206122226.SAA25814@elektra.ultra.net>
Errors-To: owner-nanog-outgoing@merit.edu


On Wed, 12 Jun 2002, Stephen Griffin wrote:

> In the referenced message, David Daley said:
> <snip>
> > 4) There isn't anything to track non sanctioned changes to the network
> > (i.e.: hacker induced re-configurations)
>
> I would be really surprised if anything other than mom-and-pop shops
> didn't have _at least_ this.
>
> rtrmon or rancid can do great config archiving and provide difference
> output.

I didn't find anything that really suited my needs at the time (late
2000/early 2001), so I ended up writing my own archiver.  From time to
time I've thought about adding it to the COSI-NMS project on Sourceforge,
but never gotten around to it.  I've also other similar tools outside of
Sourceforge, such as Pancho (http://pancho.lunarmedia.net/).

I wrote the code behind mine to be fairly modular, so that adding a module
to back up a config from a new device is pretty easy.  It currently backs
up these devices using either SNMP or Expect scripts for devices that
require it:

Cisco IOS <12.0
Cisco IOS >=12.0
Cisco CatOS
Cisco 5000 VPN concentrators (the Compatible Systems ones, not Altiga)
Cisco LocalDirectors
Lucent TAOS (Max TNTs)
Alteon WebOS (ACEdirectors)
Redback AOS
Nortel BayRS (Bay Networks nee Wellfleet) <-config is binary
other odds and ends as they come up, like Netopia routers, etc.

I haven't written anything to back up Junipers yet because I don't have
any to test against.  Aside from the Nortel routers, I support versioning
on everything else.

Keep in mind this is only one piece of the puzzle - backing up what's
already out there.  I intentionally left out the functionality to allow a
config to be uploaded to one of the devices above for reasons already
specified in this thread - it's just too dangerous.  You can melt down a
whole network really quickly if you're not careful.

jms
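
An added example, not part of the original message and not the poster's archiver: a sketch of the archive-and-diff approach discussed above, with versioning for text configs and change flagging only for binary ones. The class name, the volatile-line patterns and the sample configs are assumptions constructed for illustration.

```python
import difflib
import re

# Assumed IOS-style lines that change with no operator action; diffing them
# would raise a false alarm on every poll.
VOLATILE = re.compile(r"^(! Last configuration change|! NVRAM config last updated|ntp clock-period)")

class ConfigArchive:
    """Hypothetical in-memory archive: device name -> list of stored versions."""

    def __init__(self):
        self.versions = {}

    def store(self, device, raw, binary=False):
        """Archive a fetched config. Returns None if unchanged, else a report."""
        if not binary:
            text = raw.decode("utf-8", "replace").splitlines()
            raw = "\n".join(l.rstrip() for l in text if not VOLATILE.match(l)).encode()
        history = self.versions.setdefault(device, [])
        old = history[-1] if history else b""
        if history and old == raw:
            return None                      # nothing changed, no new version
        history.append(raw)
        if binary:                           # e.g. BayRS: cannot diff, only flag
            return ["binary config changed (%d bytes)" % len(raw)]
        return list(difflib.unified_diff(
            old.decode().splitlines(), raw.decode().splitlines(),
            "%s@v%d" % (device, len(history) - 1), "%s@v%d" % (device, len(history)),
            n=0, lineterm=""))

# Constructed sample configs, not taken from any real device.
V1 = b"""! Last configuration change at 10:01:02 EDT Wed Jun 12 2002
hostname edge1
snmp-server community EXAMPLE-RO RO
ntp clock-period 17179869
"""
V2 = V1.replace(b"10:01:02", b"11:30:00").replace(b"17179869", b"17179871")
V3 = V2.replace(b"RO RO\n", b"RO RO\nsnmp-server community EXAMPLE-RW RW\n")

if __name__ == "__main__":
    archive = ConfigArchive()
    archive.store("edge1", V1)               # baseline
    print(archive.store("edge1", V2))        # only volatile lines differ
    print("\n".join(archive.store("edge1", V3)))  # unsanctioned line shows as "+"
```
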

