Have a look at netbox https://netbox.readthedocs.io/en/stable/core-functionality/ipam/ I put it in at home first to get the hang of it, but then I quickly implemented it at work to replace the dreadful spreadsheets the previous admin kept.
From their docs: >The following are optional settings which may be declared in netbox/netbox/configuration.py. ...
>LOGIN_REQUIRED
>Default: False
>Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users are permitted to access most data in NetBox (excluding secrets) but not make any changes.
I tried phpIPAM but wasn't sold on it completely, though I liked the feature set. From a design standpoint I think Netbox is much prettier. Anybody using either in their sysadmin job? What else is worth a look?
There are several layers here.
Building this is going to require either some very large, expensive software suites, or a number of smaller, specialized open source components.
Personally, I like to stick with open source components.
I've built VM clusters with Ganeti, there's also Proxmox. Stay away from OpenStack.
You'll also probably want an IPAM, like Netbox. And of course, Ansible to push changes around.
Hey, NetBox maintainer here! I'd estimate at least 80% of the issues we see people run into during installation can be traced back to one of the following:
Our installation docs try to be as thorough as feasible while still being maintainable with the resources we have. (You just met our entire QA team at the beginning of my post.) There's even a video on the installation page of me walking through an entire installation from scratch following the documentation, though admittedly it's a bit out of date now.
Unfortunately, we can only improve shortcomings in the docs when we know where people are struggling. While I can appreciate the need to vent, posts like this one aren't actionable from our side because I have no idea what problem(s) you ran into.
So what I ask of users is to get detailed, actionable feedback to us as soon as they encounter a problem. This could be a GitHub discussion or, if you'd like to recommend a specific change to the documentation, a documentation change issue. Then, we can determine how the documentation might be improved to save future users from the same headache.
Netbox is a tool that is popular and can help.
https://netbox.readthedocs.io/en/stable/
a mix is fine, as long as you treat it as the single source of truth.
Netbox! https://netbox.readthedocs.io/en/stable/
I use it to document my network at home and I use it at the office for the corporate network. Very easy to install in a Linux VM.
If it's a small homelab, just keep a small 3-ring binder beside or on top of your equipment. Some like blank paper, some like graph paper. Understand that your software setup will change more rapidly than you can, but make sure you note every time you move wires around and keep that updated.
Draw boxes representing your switches and number the ports. Draw the back of each server and little squares to represent physical ports. Give it a name like "eth0" or "nic 1", even though different operating systems will call it a different name (eth0, p5p1, vmnic0).
If you get a label maker, label each end of a cable. Don't try to label what it's connected to. "sw01 port 5 -> vhost01 ipmi" is a horrible label. Just put a serial number on it. In your notebook, when you annotate where a port is connected to, you can write in a serial number.
If you move a cable, go to your notebook first and find the references to that connection. Draw a line through it so you can still read the old connection and know that it has been changed. Then move your cable and write down the new ones. If you do a major rewire, cross out the page and do a new one.
If you get a stable system, then I recommend you install netbox and then you can record all your inventory, racks, switches, servers, and wiring in one web interface.
If Netbox fits your needs, use Netbox, then use the API to build a shitty little dashboard with some javascript and that displays pretty pictures for your manager.
Just my opinion, but if a product checks all my boxes except one management wants but likely won't ever look at, I go with the product that does what I need then give management whatever extra crap they want.
As far as NetBox goes, the project has grown a ton since nautobot was forked from v2.10.4. You can find all the recent additions in the project's release notes; most prominent is the completely overhauled UI. I'm actually about to release the first beta for v3.1, which includes a round of new features such as contact modeling, FHRP groups, single sign-on (SSO) support, conditional webhooks, and a bunch more.
NetBox's development is informed primarily by community demand, adjusted for feasibility given the resources available at the time. We've identified some milestones for v3.2 so far, but need to work on planning out more future releases once v3.1 has been finalized.
If there's a specific feature you'd like to see, please do submit a feature request!
Care to expand on that? I'm just getting started with Netbox myself and I would have bought into the Tenant = Customer story as that's what Netbox advertises: "Typically, tenants are used to represent individual customers or internal departments within an organization." (https://netbox.readthedocs.io/en/stable/core-functionality/tenancy/)
Where does this go wrong?
Hi there! You can find the documentation for NetBox's REST API on ReadTheDocs. You'll likely need an API token for authentication, which you can create yourself (if the NetBox admin has granted you permission to do so).
Also check out the pynetbox Python client for the NetBox API.
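As an added example (not NetBox or pynetbox code), here is how the token authentication and pagination mentioned above look from a plain Python client, with the HTTP transport injected so it runs offline against constructed pages that are shaped like NetBox's list envelope (`count`/`next`/`previous`/`results`). The `NETBOX_TOKEN` environment variable name and the `netbox.example.com` hostname are assumptions. It finishes by reconciling the documented addresses against a constructed ARP snapshot, which is the direction the "source of truth" posts in this thread point at: compare what is live against what NetBox says should be there.

```python
"""Pull IP addresses from the NetBox REST API and reconcile them with a scan.

Added example, not NetBox or pynetbox code. The HTTP transport is injected so
the walk runs offline against constructed pages here; in production pass a
function that GETs the URL with ``auth_headers(token)`` and returns the decoded
JSON body. ``NETBOX_TOKEN`` as the environment variable name is an assumption.
"""
import ipaddress
import os
from urllib.parse import urlencode

BASE_URL = "https://netbox.example.com"   # assumed hostname


def auth_headers(token):
    """NetBox expects 'Authorization: Token <token>', not Basic auth."""
    return {"Authorization": f"Token {token}", "Accept": "application/json"}


def token_from_env(env=None):
    """Read the API token from the environment instead of embedding it."""
    env = os.environ if env is None else env
    token = env.get("NETBOX_TOKEN")
    if not token:
        raise RuntimeError("NETBOX_TOKEN is not set; not embedding a token in code")
    return token


def iter_results(fetch, path, params=None, base_url=BASE_URL):
    """Yield every object of a list endpoint, following the ``next`` link."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urlencode(params)
    while url:
        page = fetch(url)
        yield from page["results"]
        url = page.get("next")   # None on the last page


def documented_hosts(fetch, prefix):
    """Host addresses NetBox records inside ``prefix`` (the desired state)."""
    net = ipaddress.ip_network(prefix)
    hosts = set()
    params = {"parent": prefix, "limit": 2}   # small page to exercise pagination
    for obj in iter_results(fetch, "/api/ipam/ip-addresses/", params):
        addr = ipaddress.ip_interface(obj["address"]).ip   # "10.0.0.5/24" -> 10.0.0.5
        if addr in net:
            hosts.add(addr)
    return hosts


def unknown_hosts(documented, observed):
    """Addresses seen live (ARP table, scan) that NetBox knows nothing about."""
    seen = {ipaddress.ip_address(a) for a in observed}
    return [str(a) for a in sorted(seen - documented)]


# Constructed two-page response; URLs match what iter_results builds.
_PAGE1_URL = BASE_URL + "/api/ipam/ip-addresses/?" + urlencode(
    {"parent": "10.0.0.0/24", "limit": 2})
_PAGE2_URL = _PAGE1_URL + "&offset=2"
FAKE_PAGES = {
    _PAGE1_URL: {"count": 3, "next": _PAGE2_URL, "previous": None,
                 "results": [{"id": 1, "address": "10.0.0.1/24", "status": {"value": "active"}},
                             {"id": 2, "address": "10.0.0.5/24", "status": {"value": "active"}}]},
    _PAGE2_URL: {"count": 3, "next": None, "previous": _PAGE1_URL,
                 "results": [{"id": 3, "address": "10.0.0.20/24", "status": {"value": "reserved"}}]},
}

# Constructed ARP snapshot from a switch; 10.0.0.77 is not in NetBox.
OBSERVED_ARP = ["10.0.0.1", "10.0.0.5", "10.0.0.77"]


def fake_fetch(url):
    """Stand-in for an HTTP GET; returns the constructed page for ``url``."""
    return FAKE_PAGES[url]


if __name__ == "__main__":
    known = documented_hosts(fake_fetch, "10.0.0.0/24")
    print("documented:", sorted(str(a) for a in known))
    print("not in NetBox:", unknown_hosts(known, OBSERVED_ARP))
```

In a real run the `fetch` argument would be a function that does the GET with `auth_headers(token_from_env())` and returns `response.json()`; everything else stays the same.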
I know this doesn't address your question, but I know I was helped when I read the "What NetBox Is Not" section of their documentation:
> NetBox intends to represent the desired state of a network versus its operational state. As such, automated import of live network state is strongly discouraged. All data created in NetBox should first be vetted by a human to ensure its integrity. NetBox can then be used to populate monitoring and provisioning systems with a high degree of confidence.
Essentially: the way things are now isn't necessarily how you want them to be. NetBox focuses on the latter.
It's absolute overkill - but Netbox is awesome for managing all the relationships. There may or may not be a diagram export available, can't recall...
(And thanks for the reminder that I need to implement Netbox at home, hahaha!)
I made Netbox work with LDAPS. It was a pain in the ass, but when you get it working, life in Netbox gets so much easier.
Here is how I made LDAPS work in Netbox: https://netbox.readthedocs.io/en/stable/installation/6-ldap/
I second this. I recently switched to Netbox from phpIPAM, which I was using just for IPAM capabilities, but if you enter the data, Netbox works as so much more. The Ansible integration is great to use as a source of truth in playbooks/roles too.
LDAP configuration — https://netbox.readthedocs.io/en/stable/installation/6-ldap/
(venv) # pip install --upgrade pip
(venv) # pip3 install django-auth-ldap
(venv) # echo django-auth-ldap >> local_requirements.txt

REMOTE_AUTH_ENABLED = True
TIME_ZONE = 'Asia/Baghdad'   # 'Asia/Bagdad' is not a valid zone name and Django will refuse to start
SHORT_DATE_FORMAT = 'd-N-Y'
SHORT_DATETIME_FORMAT = 'd-N-Y H:i'
NAPALM_USERNAME = 'username'
NAPALM_PASSWORD = 'xxxxx'

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

AUTH_LDAP_SERVER_URI = "ldaps://ldap.example.com/"
AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}

# Service account NetBox binds as to search the directory
AUTH_LDAP_BIND_DN = "CN=netbox,CN=Users,DC=example,DC=com"
AUTH_LDAP_BIND_PASSWORD = "password"

# Skips TLS certificate validation on the ldaps:// connection
LDAP_IGNORE_CERT_ERRORS = True

# Look up the user by AD account name
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=staff,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)")
AUTH_LDAP_USER_ATTR_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail"}

# Group handling: membership in CN=net is required to log in and grants all flags
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=Groups,dc=staff,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_REQUIRE_GROUP = "CN=net,ou=Groups,dc=staff,dc=example,dc=com"
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=net,ou=Groups,dc=staff,dc=example,dc=com",
    "is_staff": "CN=net,ou=Groups,dc=staff,dc=example,dc=com",
    "is_superuser": "CN=net,ou=Groups,dc=staff,dc=example,dc=com",
}
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_TIMEOUT = 3600
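Added example, not code from NetBox or django-auth-ldap: a small linter that runs over the settings posted above and over a hardened variant of the same directory layout. It works on a plain dict of setting names so it runs without python-ldap installed (to lint a real ldap_config.py, import the module and pass `vars(module)`). The `NETBOX_LDAP_BIND_PASSWORD` environment variable and the `CN=netbox-admins` group are assumptions introduced for the hardened variant; the setting names themselves are the real NetBox/django-auth-ldap ones used in the post.

```python
"""Lint NetBox/django-auth-ldap settings for the weak spots in the posted config.

Added example, not code from NetBox or django-auth-ldap. It inspects a plain
dict of setting names to values so it runs without python-ldap installed; to
lint a real ldap_config.py, import it and pass ``vars(module)``.
NETBOX_LDAP_BIND_PASSWORD (env var) and CN=netbox-admins (group) are assumed
names for the hardened variant, not NetBox defaults.
"""
import os
from urllib.parse import urlsplit

# Placeholder values that tend to survive from docs into production configs.
PLACEHOLDER_PASSWORDS = {"", "password", "xxxxx", "changeme", "secret"}

NET_GROUP = "CN=net,ou=Groups,dc=staff,dc=example,dc=com"
ADMIN_GROUP = "CN=netbox-admins,ou=Groups,dc=staff,dc=example,dc=com"   # assumed

# The settings as posted: one group both gates login and grants superuser,
# certificate errors are ignored, and the bind password is a literal.
WEAK_SETTINGS = {
    "AUTH_LDAP_SERVER_URI": "ldaps://ldap.example.com/",
    "AUTH_LDAP_BIND_DN": "CN=netbox,CN=Users,DC=example,DC=com",
    "AUTH_LDAP_BIND_PASSWORD": "password",
    "LDAP_IGNORE_CERT_ERRORS": True,
    "AUTH_LDAP_REQUIRE_GROUP": NET_GROUP,
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {
        "is_active": NET_GROUP, "is_staff": NET_GROUP, "is_superuser": NET_GROUP,
    },
}


def hardened_settings(env=None):
    """Same directory, bind DN and login group, with the weak spots fixed."""
    env = os.environ if env is None else env
    bind_password = env.get("NETBOX_LDAP_BIND_PASSWORD")
    if not bind_password:
        raise RuntimeError("NETBOX_LDAP_BIND_PASSWORD is not set; refusing to "
                           "fall back to a literal bind password")
    return {
        "AUTH_LDAP_SERVER_URI": "ldaps://ldap.example.com/",
        "AUTH_LDAP_BIND_DN": "CN=netbox,CN=Users,DC=example,DC=com",
        "AUTH_LDAP_BIND_PASSWORD": bind_password,   # injected, never committed
        "LDAP_IGNORE_CERT_ERRORS": False,           # validate the LDAPS certificate
        "AUTH_LDAP_REQUIRE_GROUP": NET_GROUP,       # who may log in at all
        "AUTH_LDAP_USER_FLAGS_BY_GROUP": {
            "is_active": NET_GROUP,
            "is_staff": ADMIN_GROUP,                # admin UI only for admins
            "is_superuser": ADMIN_GROUP,
        },
    }


def lint_ldap_settings(cfg):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    if cfg.get("LDAP_IGNORE_CERT_ERRORS"):
        findings.append("LDAP_IGNORE_CERT_ERRORS is on: the server certificate is not "
                        "validated, so the bind password and every user password can "
                        "be intercepted by anyone who can get in the path to the DC")
    scheme = urlsplit(cfg.get("AUTH_LDAP_SERVER_URI", "")).scheme
    if scheme != "ldaps" and not cfg.get("AUTH_LDAP_START_TLS"):
        findings.append("AUTH_LDAP_SERVER_URI is plain ldap:// without "
                        "AUTH_LDAP_START_TLS: credentials cross the wire in clear")
    if str(cfg.get("AUTH_LDAP_BIND_PASSWORD", "")).lower() in PLACEHOLDER_PASSWORDS:
        findings.append("AUTH_LDAP_BIND_PASSWORD looks like a placeholder literal")
    require_group = cfg.get("AUTH_LDAP_REQUIRE_GROUP")
    if not require_group:
        findings.append("AUTH_LDAP_REQUIRE_GROUP is unset: anyone who can bind to "
                        "the directory gets a NetBox account")
    flags = cfg.get("AUTH_LDAP_USER_FLAGS_BY_GROUP", {})
    su_group = flags.get("is_superuser")
    if su_group and su_group in {require_group, flags.get("is_active")}:
        findings.append("is_superuser is granted by the same group that permits "
                        "login: every LDAP user is a NetBox superuser")
    return findings


if __name__ == "__main__":
    demo_env = {"NETBOX_LDAP_BIND_PASSWORD": "demo-only"}
    for name, cfg in [("posted", WEAK_SETTINGS), ("hardened", hardened_settings(demo_env))]:
        print(name, lint_ldap_settings(cfg) or ["no findings"])
```

The posted config trips three checks (certificate validation off, placeholder bind password, superuser tied to the login group); the hardened variant trips none while keeping the same server, bind DN and `CN=net` login gate.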
Did the same. Assuming you want everything intact as far as DB/stats go, you need to run NetBox on the latest 2.11.x release to upgrade the DB schema, then 3.0, then 3.1.1. There is an upgrade guide in their release notes for 3.0.0
https://netbox.readthedocs.io/en/stable/release-notes/version-3.0/
I also use NetBox by Digital Ocean (free!) for network, virtual, and site infrastructure. It manages my VLANs, switchports, power feeds, Visio diagrams, and more.
The secrets functionality was moved out of NetBox core in v3.0 per the release notes. It wasn't a very popular feature, and frankly a subpar implementation compared to something like HashiCorp Vault, which is what I'd recommend to replace it.
At some point I'd like to work on more closely integrating Vault with NetBox, as that seems like the ideal setup.
Depends. If you're using a public cloud provider this basically becomes irrelevant. E.g. in full AWS environments, just use their API combined with tags to track whatever you need.
If you're using hybrid cloud, multi-cloud, or fully on prem, I'd probably reach for something like Netbox, which was built by DigitalOcean for this purpose, at least for the infrastructure layer of it.
As for accounts and access... My go-to is to use a central identity store like Keycloak, and then use OIDC or LDAP to auth to everything, including servers and whatever else.
You can render a nagios config template via netbox; check out the documentation here, which even has an export example for basic nagios hosts https://netbox.readthedocs.io/en/stable/additional-features/export-templates/
If it's a relatively flat network that doesn't change much, an Excel spreadsheet would be adequate.
If you are storing multiple customer's network information then a purpose built documentation tool like ITGlue or Hudu might be worth a look.
If just IP addressing, a free or open source IPAM like phpIPAM (https://phpipam.net/) or Netbox (https://netbox.readthedocs.io/) could work too.
This thread has some commentary and other options https://www.reddit.com/r/networking/comments/4vpgq7/whats_your_favorite_freeopensource_ipam_solution/
Unfortunately you need to keep a copy of the password around for this, there is no way around it. This isn't that unusual, basically every ISP needs to keep your password as plaintext so PAP can be used to authenticate for your adsl/vdsl internet.
The simplest way is to just put it in the same database. If no one else has access to the database or server then it should be secure enough. However, for larger companies or certain industries (financial, healthcare), it might not meet your security requirements.
Another option is to use a secret store, something like netbox might be useful here. It can store your secrets encrypted, and only allow authorised users access. Your application would be one such authorised user. You want to create a separate backend script that actually connects to the switches, give this the ability to login to netbox and fetch secrets.
A year ago I tried to do something similar to what you are doing by creating a python script to pull data from our switches. While that is something that I am still interested in doing, the answer to your question about, "why?" lies in Netbox's readthedocs here. https://netbox.readthedocs.io/en/stable/
Specifically, you should read their "design philosophy" section, which says: "NetBox intends to represent the desired state of a network versus its operational state. As such, automated import of live network state is strongly discouraged. All data created in NetBox should first be vetted by a human to ensure its integrity. NetBox can then be used to populate monitoring and provisioning systems with a high degree of confidence."
I like that they know what they want their tool to do and not do, even if that is different than what I would like it to do.
Tangentially related, I highly recommend you download and configure netbox, so you can keep track of what is what on your server rack. This is much nicer than using physical labels which are impossible to read in a thicket of cat5 cables.
>Setup Netbox and pull in your switch details to generate Netbox devices for documentation. Then for future devices add to Netbox and deploy to the new device.
Serve as a "Source of Truth" NetBox intends to represent the desired state of a network versus its operational state. As such, automated import of live network state is strongly discouraged. All data created in NetBox should first be vetted by a human to ensure its integrity. NetBox can then be used to populate monitoring and provisioning systems with a high degree of confidence. https://netbox.readthedocs.io/en/stable/
Prometheus user and contributor here. It's a completely general use monitoring system, not K8s specific at all. I use it with Kubernetes, Chef, and Ansible based deployments.
You're right, Prometheus doesn't have mapping. It works the opposite way, it uses "Service Discovery".
IMO, "network mapping" is the wrong way to do any kind of monitoring. You should already have a map of your network in a managed way. Prometheus service discovery assumes you already have a "Source of Truth" about what is in your infrastructure. Without a source of truth, how do you know the mapping is correct?
Something like NetBox is good for managing network devices.
If you don't have configuration management, Ansible is a good start. Combine that with Consul and you now have an API to drive Prometheus discovery.
I've used phpIPAM and NetBox. I'd say it depends on your use case. They're both about the same difficulty as far as deployment goes. I personally prefer the tech that goes into NetBox (Python with Django) over PHP. Once deployed phpIPAM is a bit easier to set up. It allows you to perform host discovery scans out of the box, and you can use those to describe the different pieces of the network. However, there is a util that claims to be able to do the same, but I haven't tried it.
I personally use NetBox currently because it has virtualization features. Most of my network is virtualized, and I like being able to define all of the virtual machines (or LXC containers on Proxmox in my case). You can also define services on each of your VMs (i.e. I have a container running Minecraft. I can define the service and the port it listens on). You might be able to configure something similar on phpIPAM, but I haven't tried.
More great cheat sheets from Jeremy Stretch here: https://packetlife.net/library/cheat-sheets/
Fun fact: @jstrech85 is also the founder of netbox, a great FREE IPAM and net documentation tool: https://netbox.readthedocs.io/en/stable/
No need to re-invent the wheel
You have a few sites and a small team?
- Shared Excel spreadsheet
Growing company with lots of sites and give this a VM?
- PHPIPAM
In a multi-client/MSP-type situation?
- IT Glue, SI Portal
Need automation and integration (API) and powerful DCIM capability?
- Netbox
Large team, many (hundreds) of sites and willing to pay for a commercial solution?
- Infoblox DDI
You could also use any number of existing Wiki/doc products that your team is using, like OneNote, DocuWiki, Confluence etc. IPAM (IP Address Management) is built-in to Windows Server 2016, but... I'd use PHPIPAM or Netbox over that
It's not a password manager per-se, in that it doesn't autofill for you, but as far as tracking IP's, your network configuration, and passwords, check out https://netbox.readthedocs.io/en/stable/
Netbox; I use it at work and at home (docker in AWS). I've tried a lot but Netbox is dead simple, and it's not trying to be anything other than a IPAM. It also has a great API for customization and automation
The naming convention for our network switches is build/floor/DC/rack/unit-within-rack. Once you have that you can use LLDP and something like (e.g.) LibreNMS to query your network devices: you want to do that anyway for traffic stats, so you might as well get a network map.
DigitalOcean also has NetBox, which may be of some use:
I would rather go with something that is essentially built for this from the start, like Netbox. There are a few modules for working with Netbox but also a way to use it as an inventory source. Advantage here is that you can ask Netbox for the next free IP from a specified ip-net.
There might be others that suit you better, so look around the module listings and the inventory plugin list. Foreman might be a good alternative, but I haven't worked with it.
You want Netbox, not diagrams and spreadsheets.
I used to work for a place where the colo was a couple hour flight away.
Everything we did was completely automated. All racks were wired up with top-of-rack switches, all servers were racked by contractors. At this job, we used Collins to make the whole thing into an API driven cloud-like setup. Today you can do things like this with Netbox, MaaS, etc.
When new hardware was rolled in, all nodes were powered up by the vendor, inventoried by a PXE boot image and the network discovery done with LLDP. After inventory, the machines automatically powered off. When we needed them, Collins would power them on over IPMI, bootstrap them, and put them into service.
What you need is a management IPAM/inventory that includes a state machine. Basically building your own bare metal cloud. There are a few good options here.
I've personally worked with Collins. We used it at my last job to build a fully automated datacenter of ~2000+ bare metal nodes. Basically Collins knows what "state" a machine is in. It would intake a node via special PXE image, inventory it with a script, and then power it off. When you ask Collins to provision a node, it would boot it, install Debian (or whatever), and then the final step it would install Chef client that would finish the work. The last thing in the Chef client would be to ping Collins saying "I'm done, everything worked" and the machine would be marked "Allocated" in the state machine.
There's also MaaS, which might be a little more streamlined than Collins. But I haven't used it myself.
There are other similar tools out there, and you could maybe also build something with Netbox, but I haven't done the proper research for this kind of thing in a few years.
Exactly.
It (still?) doesn't support drawing of the wiring diagrams (though you can try your luck with the built-in graphviz support), but for documenting (or even better - implementing) your connections - this is one of the best free tools.
Read their Introduction (https://netbox.readthedocs.io/en/stable/#what-is-netbox) this will answer many of your questions. And search for the screenshots, most of the things can be seen on them.
Netbox is a pretty popular one, so is phpipam. Not sure if there's a single application that will encompass everything, but for free resources Netbox will probably come the closest.