[74153] in North American Network Operators' Group


Re: Network Configuration Management Practices

daemon@ATHENA.MIT.EDU (Austin Schutz)
Wed Sep 15 13:19:43 2004

Date: Wed, 15 Sep 2004 02:25:41 -0700
From: Austin Schutz <tex@off.org>
To: Alexei Roudnev <alex@relcom.net>
Cc: Scott Weeks <surfer@mauigateway.com>,
	"Carl W.Kalbfleisch" <c.kalbfleisch@comcast.net>, nanog@merit.edu
In-Reply-To: <06e401c49af5$702e6410$6401a8c0@alexh>
Errors-To: owner-nanog-outgoing@merit.edu


On Wed, Sep 15, 2004 at 12:27:20AM -0700, Alexei Roudnev wrote:
> 
> One more thing. We tried to review _proposed changes_ and _changes applied_.
> Practice showed that it is impossible to see errors in proposed updates,
> even if 3 - 4 engineers review them (not design flaws, but syntax and
> semantic errors), so we did not get much use from pre-change reviews
> (except design ones). But we got extremely high profit from post-change
> reviews (verifying what really changed on the router / firewall after the
> maintenance window) - it allows us to see some unwanted changes and avoid a few
> possible service disruptions.
> 

	This doesn't seem to scale too well. When you have frequent changes
(i.e. many access devices) the diff load becomes unmanageably large.
	My ideal would be to have a network monitoring tool which compares the
actual network against a configured baseline. The presumption would be that
if the network matches what has been set forth as engineering rules, I don't
really care what the specific settings are.
	Currently we do something sort of halfway: archive the actual configs
and then run audit scripts against them, which parse the configs. Definitely
not ideal but it helps catch simpler errors. One of these days when I have
extra cycles.. (yeah, right)

	Austin
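
An added example, not part of the original message or any poster's own tooling: a sketch of the "archive the configs, then run audit scripts that parse them" approach described above, reporting only rule violations instead of full diffs. The rule set, the device names and the IOS-style sample configs are assumptions constructed for illustration.

```python
import re

# Hypothetical engineering rules (assumptions for this example, not from the post).
REQUIRED_GLOBAL = ["service password-encryption", "no ip http server"]
FORBIDDEN_GLOBAL = [re.compile(r"^snmp-server community (public|private)\b")]
# (section header pattern, line every matching active section must contain)
REQUIRED_IN_SECTION = [(re.compile(r"^line vty "), "transport input ssh"),
                       (re.compile(r"^interface "), "no ip redirects")]

def parse_config(text):
    """Split an IOS-style config into top-level lines and their indented bodies."""
    top, sections, header = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue  # blank lines and '!' separators carry no settings
        if line[0].isspace() and header is not None:
            sections[header].append(line.strip())
        else:
            header = line.strip()
            top.append(header)
            sections[header] = []
    return top, sections

def audit(text):
    """Return rule violations for one config; sections marked 'shutdown' are exempt."""
    top, sections = parse_config(text)
    findings = [f"missing global: {w}" for w in REQUIRED_GLOBAL if w not in top]
    findings += [f"forbidden global: {ln}" for p in FORBIDDEN_GLOBAL
                 for ln in top if p.search(ln)]
    for pat, want in REQUIRED_IN_SECTION:
        for header, body in sections.items():
            if pat.search(header) and "shutdown" not in body and want not in body:
                findings.append(f"{header}: missing {want}")
    return findings

def audit_archive(archive):
    """Map device name -> findings, listing only devices that break a rule."""
    return {dev: f for dev, cfg in archive.items() if (f := audit(cfg))}

# Constructed sample archive (documentation addresses, not real devices).
SAMPLE_ARCHIVE = {
    "edge1": "service password-encryption\nno ip http server\n!\n"
             "interface FastEthernet0/0\n no ip redirects\n!\n"
             "interface FastEthernet0/1\n shutdown\n!\nline vty 0 4\n transport input ssh\n",
    "edge2": "service password-encryption\nip http server\n"
             "snmp-server community public RO\n!\ninterface FastEthernet0/0\n"
             " ip address 192.0.2.1 255.255.255.0\n!\nline vty 0 4\n transport input telnet ssh\n",
}
```

Calling `audit_archive(SAMPLE_ARCHIVE)` returns an entry only for `edge2`, so the review load grows with the number of violations rather than with the number of changes.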
