Get yourself a Linux box and RANCID (http://www.shrubbery.net/rancid/). It will do Cisco and many other brands of switches/routers, is stable and maintained, and you get free version control on top of it.
RANCID - http://www.shrubbery.net/rancid/
It stores your configuration changes in an SVN repository and is very clean. You can set it up to email you when a change occurs. I've even set it up to open a ticket in a CMS, so changes can be looked over for consistency, etc.
There is also a variation of it that uses Git, if you prefer that over SVN:
https://github.com/dotwaffle/rancid-git
Use RANCID for your backups. Run it every day in cron. The nice part is that it will send you diffs of your network configs via email and store them in source control, so you can see what has changed, go back in time and identify when things changed.
What network gear are you working with?
One free option is Rancid that supports multiple types of hardware
http://www.shrubbery.net/rancid/
If you want to pay for something
Yeah, take a look at RANCID http://www.shrubbery.net/rancid/ before you devote more time to this project. Its clogin command lets you log in and execute a script on a device automatically. Pair it up with a simple bash loop and you are good to go.
RANCID is open source, free and the most well-known. It's also not "sexy" at all. I saw someone use Nagios to catch snmp traps on configuration writes and then use an event handler to make rancid save this particular router's configuration. You can make it use SVN instead of the standard CVS.
NetMRI is rather nice if you have the budget, in particular with respect to automation. But if this is a lab environment, it's clearly overkill.
Nobody in this thread has mentioned version control. Use whatever version control system you want (git is popular), but put everything in there.
If it isn't in version control, it's half lost already.
One big advantage with Cattools and other such products is that they can email you config diffs.
And of course there is the classic open source RANCID - Really Awesome New Cisco confIg Differ. http://www.shrubbery.net/rancid/
Might I suggest something like [RANCID](http://www.shrubbery.net/rancid/) for your configs. Run it on a daily schedule and it will pull the current running config from any Cisco device you point it at (and can do some other manufacturers as well) and store it in a CVS or SVN repository. Tie it together with something like ViewCVS and you've got a web interface with easy-to-see logs and diffs of changes.
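As an added example (not RANCID's own code, and not from any poster here), the fetch / normalize / diff / keep-history loop that the posts above describe, reduced to a few shell functions. It assumes a router.db-style list of the form `name;vendor;up` and a fetcher command that prints one device's running config on stdout; the default fetcher wraps RANCID's clogin, and a constructed stand-in is included so the whole thing runs offline.

```shell
#!/bin/sh
# Added example in the spirit of RANCID's fetch/normalize/diff loop; it is
# not RANCID's own code. Assumptions: a router.db-style list "name;vendor;up",
# and a fetcher command that prints one device's running config on stdout
# (the default, fetch_clogin, wraps RANCID's clogin -c 'show running-config').
set -eu

FETCH=${FETCH:-fetch_clogin}

fetch_clogin() { clogin -c 'show running-config' "$1"; }

# Drop lines that change on every fetch so a daily run does not look like a
# config change. Patterns are assumptions modelled on Cisco IOS output.
normalize_config() {
    sed -e '/^! Last configuration change at/d' \
        -e '/^! NVRAM config last updated/d' \
        -e '/^! No configuration change since/d' \
        -e '/^ntp clock-period/d' \
        -e 's/[[:space:]]*$//'
}

# Print the names of devices marked "up" in a router.db-format file;
# '#' comments and blank lines are skipped, "down" devices are left alone.
list_up_devices() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        awk -F';' '$3 == "up" { print $1 }'
}

# Fetch one device, normalize, compare with the stored copy in $repo and
# report new / unchanged / changed. A changed device leaves a unified diff
# in $repo/<name>.diff, which is what you would commit and mail out.
backup_device() {
    name=$1 repo=$2
    cur="$repo/$name" new="$repo/$name.new"
    "$FETCH" "$name" | normalize_config > "$new"
    if [ ! -f "$cur" ]; then
        mv "$new" "$cur"; echo "$name: new"
    elif cmp -s "$cur" "$new"; then
        rm -f "$new"; echo "$name: unchanged"
    else
        diff -u "$cur" "$new" > "$repo/$name.diff" || true   # diff exits 1 on differences
        mv "$new" "$cur"; echo "$name: changed (see $repo/$name.diff)"
    fi
}

# Constructed stand-in for clogin so the example runs offline: the timestamp
# differs on every call, and SAMPLE_ACL adds a real change when set.
sample_fetch() {
    printf '! Last configuration change at %s by admin\n!\nhostname %s\n!\n' "$(date)" "$1"
    printf 'ip access-list extended MGMT\n permit tcp 10.0.0.0 0.0.0.255 any eq 22\n'
    if [ -n "${SAMPLE_ACL:-}" ]; then printf ' %s\n' "$SAMPLE_ACL"; fi
    printf '!\n'
}

# Demo on constructed input: three runs against a two-device router.db.
demo() {
    work=$(mktemp -d)
    printf 'rtr1;cisco;up\n# retired, history kept but not polled\nrtr2;cisco;down\nsw1;cisco-nx;up\n' > "$work/router.db"
    FETCH=sample_fetch
    echo "== first run"
    for dev in $(list_up_devices "$work/router.db"); do backup_device "$dev" "$work"; done
    echo "== second run: only the volatile timestamp moved"
    for dev in $(list_up_devices "$work/router.db"); do backup_device "$dev" "$work"; done
    echo "== third run: an ACL line was added on rtr1"
    SAMPLE_ACL='deny ip any any'; backup_device rtr1 "$work"; unset SAMPLE_ACL
    cat "$work/rtr1.diff"
    rm -rf "$work"
}
demo
```

In a real deployment leave FETCH unset so fetch_clogin is used, point the loop at your router.db, and replace the `mv` with a commit to whatever repository you use; the normalize step is the part that keeps the daily mail from being pure noise.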
So I was hoping for Git support and dug into the change log.
I found this under version 3.2 > add support for git. See the UPGRADING file. Based on Jeffrey C. Ollie's patch & thanks Dan Lowe, Job Snijders and a number of folks on rancid-discuss.
Rancid is the old open source standard tool for doing this. It can log into lots of different kinds of network gear and backs up the configs into CVS. I doubt it does ESXi though - does it even have a single config? It can also email out any changes which is great so everyone on the team can see what is going on and when changes are made. Usually you run it every hour, I wouldn't wait for a day or week to go by.
Not topical to this post necessarily, but if grabbing configs for your switches, routers, etc. is part of the game plan, I'd suggest trying Rancid (http://www.shrubbery.net/rancid/). It's not as fun or educational as building your own system, but it sure beats re-inventing the wheel in this case.
rancid is older (and the code is uglier), but it does exactly that as its main function. Fetch configs, store them in a versioning repo, and email you deltas. notch is more modern, but has as its main function to "do stuff on switches and routers". That can then include showing the configuration, saving that output, and storing it somewhere.
If you don't need versioning or advanced storage and notification options, you can also trivially do this with just plain old expect and its recording tool: log into each switch once and have it record the steps, and schedule the resulting script.
All those tools require *nix. It makes the most sense to do this on *nix because network configurations are text based. You want an OS that can easily search and otherwise manipulate the resulting text files.
The only time I don't use the Linux server is when I am on a broken WAN site and need to load the last known good config to bring it back online or I am upgrading firmwares offsite. I also run a Windows only org but I keep a Linux server around for a web server running php which has a heap of testing scripts I wrote, tftp, Nessus and a range of other network testing/security tools.
Sysadmins shouldn't be scared of using the right tool for the right job, and I'm afraid, playing the "I need XP for tftp" is like saying you still need that big old rusty wrench for a hammer, it might work, but it's not the right tool for the job.
Edit: To give you a good case to put a Linux server on your network, if you use any of the following devices:
> Cisco routers, Juniper routers, Catalyst switches, Foundry switches, Redback NASs, ADC EZT3 muxes, MRTd (and thus likely IRRd), Alteon switches, and HP Procurve switches and a host of others.
Then I would recommend you set up a Linux box with Shrubbery's RANCID, which is a config differ. It monitors your devices' configs, and when it notices a change (including hardware changes), it downloads your config and adds it to a CVS. Combine that with CVSWeb and you have one of the best config file managers I have ever used. It's awesome for those "Since about three weeks ago, it hasn't been the same" cases ... browse three weeks ago, notice a stupid ACL mistake, presto, fixed in minutes.
>It's really all about usage patterns and expectations
It sure is. Git is simply not a replacement for SVN in a lot of areas in which it is used. I can't see any compelling reason to switch over things like configuration repositories to git (things like RANCiD).
What's your config backup situation look like? Can you add it in as a command when saving config backups? Otherwise, just use jlogin from RANCID and parallelize it:
cat switches.txt | parallel --jobs 10 --progress jlogin -c "show ethernet-switching table | match <MACADDRESS>" {}
The switches.txt file contains a list of all your switches, and parallel allows you to run the same command across 10 switches at a time.
That is how it works, the only way to stop users going into enable mode is by setting a separate password. Really you should not have users on your device unless you trust them in either user or enable levels. If you need support staff to be able to run query commands but not have access to the CLI you can do this with RANCID and looking glass.
Edit: Link to lg rancid http://www.shrubbery.net/rancid/man/lg_intro.1.html
Is this a problem of security / best practice, or one of scale? It seems like your issue isn't whether or not to trunk things, its pushing changes to 40 switches.
Potentially, you could script this via expect scripts, or... set up RANCID (http://www.shrubbery.net/rancid/) and then use its "clogin" script to push the change. I.e. you have a list of your device IPs / hostnames in a file and then run this command on the box you set up RANCID on:
while read i; do clogin -c "conf t;int e 1/0/12;switchport trunk allowed vlan add 200;end;copy run start" "$i"; done < HOSTS.TXT
That I know of, there's RANCID, Project Illuminati, and Oxidized.
They'll cover the "what's changed" aspect of analyzing device configurations.
Or did you mean like a Best Practices analyzer?
Try RANCID - it's a great system to back up Cisco router and switch configurations. It even gives you an option to track changes.
We have been using this for a very long time to back up more than 100 network devices.
Yeah, it is called RANCID.
We use that for switches/routers; it is old and ugly but it gets the job done.
"Commit-after-save" is WiP. I also plan to send a message on jabber to other SAs when it is updated (we already have that for git commits to the Puppet repository).
That after I put our firewall logs into elasticsearch/kibana... and that is after IDS/IPS... and in meantime I need to find a cinderella that is called "SA who can code" or kidnap one of programmers...
If you are just looking to backup configs, RANCID is worth a look. Open source and pretty widely used, so finding guides etc should be simple enough.
RANCID syncs to an SVN/CVS repository. You can then connect to the SVN repository with any SVN client and download the latest copy. Searching through the config with something like Notepad++ and find in files (Ctrl+Shift+F) will let you search through all config files for a specific string / regex.
I've also used IBM Tivoli Network Configuration Manager. It's (very) expensive, but has a ton of extra features. Compliance checks, job rollouts (like cisco works), a decent API, job templates etc.
What about something like RANCID? I don't have more than 10 switches anymore so I no longer worry about it, but writing to a config file and uploading is another option.
> However for config backup/deployment, you're SOL there. You'll probably have to make something home grown (I suggest looking into HTML::Template + Perl + YAML).
For config backup and revision control, RANCID is it. http://www.shrubbery.net/rancid/
Rancid currently supports Cisco routers, Juniper routers, Catalyst switches, Foundry switches, Redback NASs, ADC EZT3 muxes, MRTd (and thus likely IRRd), Alteon switches, and HP Procurve switches and a host of others.
Any chance your admin had backup configs anywhere? Maybe you have RANCID http://www.shrubbery.net/rancid/ or something similar running somewhere keeping configs that you could compare the existing config to?
I don't understand what you are asking. The syntax for FTP from a switch is nearly identical to TFTP except for the addition of the FTP credentials. Installing an FTP server such as FileZilla is trivial, much easier than getting the IIS FTP server working (https://filezilla-project.org/download.php?type=server). Installing an FTP server on Linux is also very easy (https://help.ubuntu.com/lts/serverguide/ftp-server.html.en). Other people in this thread have suggested FTP over TFTP. Having a working FTP server available is so much better than TFTP.
Most scripting tools have the means to capture responses to a file, you can use some variation of "term len 0" then "sh run".
You could pull the sources for RANCID and see how it works, or install it and run it. (http://www.shrubbery.net/rancid/).
If that is the only goal, then RANCID has always been a very stable platform in my experience. I would be focusing on moving to NETCONF for anything new, but if you have older systems RANCID is solid. Build out your templates, and configure cron jobs to push them using the preconfigured scripts, and check state into local CVS/Git or hosted.
Probably not quite what you're after, but I used to bulk manage Cisco devices from RANCID. Its primary use is as a configuration differ - great for maintaining version history of your configs with a simple way to see what changed between two revisions. It can be easily leveraged to push configuration scripts to multiple devices.
Besides documenting everything, MONITOR everything. If there is no monitoring system in place then set one up. This includes all servers: Windows, Linux, ESX, etc.; all network devices: switches, routers, etc.
Set up config management on all the network devices. I use a combination of open source stuff to do all this, so it just takes your time to do it.
Monitoring - Nagios with the Check_MK plugin http://mathias-kettner.com/check_mk.html
Network discovery - netdisco https://metacpan.org/pod/App::Netdisco
Device config management - RANCID http://www.shrubbery.net/rancid/
Set the device configs to sync to an off-site location. I use an s3 bucket.
Setting up all this stuff will help you to learn all the servers & systems and start to understand the complexities of what you are getting into.
As you get more into the job start looking for any repetitive tasks which can be automated or scripted. To start down that path try to do everything from the cli on your workstation, not connected to the server GUI.
Learn powershell (Learn Windows Powershell in a Month of Lunches) & bash.
Have fun!
I believe you can customize what you want each of those programs to execute. I've never done it in Oxidized but I've done it in RANCID. Though for the most part you shouldn't need to modify RANCID; it's pretty good at doing everything you need based on the device type that you provide it, e.g. sw1;cisco;up, sw1;cisco-nx;up. I'm using Cisco as an example because that's what I'm running at my job, but it supports just about every vendor; here's a list http://www.shrubbery.net/rancid/man/router.db.5.html
I would just use RANCID from Shrubbery Networks (http://www.shrubbery.net/rancid/), and use a Linux bash script to cycle through the devices. All models should have relatively the same syntax. Just as a heads up, the 4500s needed the boot var changed when I had to do this.
> and my junior techs couldn't figure out how to reach the wiki for documentation
I really like using ikiwiki for my documentation for this reason. The wiki is based on git, and I use the nice git sync features to keep copies of the repository on my desktop and a couple of computers that staff can easily get direct access to. Also, since the underlying format is all text files in markdown, pretty much everything is human readable.
And if you are asking about my network device 'configuration' specifically. I basically use a script that I wrote that is kinda similar to rancid but is also git based. It runs daily and runs a backup of my switch/router configs. That config repo is also sync'd to the same places as my documentation wiki.
Some of the management tools that I have in my engineering labs right now are
Version control and config management: RANCID
Both work pretty well and it's a small investment of a server (or even better a VM) and some time to configure the apps and import/hand enter/network scan for the data. Not a full CMDB by any means but it's a start down the right path to control your IP space and begin to handle change management.
It tracks the running-config, not startup-config. However, the backend scripts can be used to run commands on individual devices or groups of devices. It's more powerful than it seems on the surface
When in doubt, I can run a single bash command which iterates through my device list so they all get these commands:
copy run start
exit
...and then I get an emailed report telling me which devices it couldn't log into either due to incorrect user/pass or timeout which gives me clues to fix those individual hosts or clean out any entries for retired devices. Any device not mentioned in the report is assumed to have run the commands successfully, so no news is good news and I can just go on with my day.
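An added example (not RANCID's code, and not from either poster) that turns the clogin loop posted earlier in this thread (conf t ... copy run start, read from a hosts file) into a parallel push with the per-device "could not log in" report this post describes. It assumes clogin's `-c "cmd;cmd;..."` form and that the login tool exits non-zero when it cannot log in; verify that against your clogin version. The tool name comes from PUSH_CMD so the script can run offline against a constructed stand-in.

```shell
#!/bin/sh
# Added example, not code from RANCID or from either post: push one change
# set to every host in a list, JOBS at a time, keep a per-host transcript,
# and print the "could not log into" report afterwards. Assumes clogin's
# -c "cmd;cmd;..." form and that the login tool exits non-zero when it cannot
# log in (an assumption; check your clogin version). PUSH_CMD names the tool
# so the example can run offline against a stand-in.
set -u

PUSH_CMD=${PUSH_CMD:-clogin}
JOBS=${JOBS:-10}

# Run the command set on one host. Transcript goes to <logdir>/<host>.log,
# outcome to <logdir>/<host>.status ("ok" or "FAILED").
push_one() {
    host=$1 cmds=$2 logdir=$3
    if "$PUSH_CMD" -c "$cmds" "$host" > "$logdir/$host.log" 2>&1 < /dev/null; then
        echo ok > "$logdir/$host.status"
    else
        echo FAILED > "$logdir/$host.status"
    fi
}

# Iterate a hosts file (one name per line, '#' comments and blanks skipped),
# running JOBS pushes in the background and waiting after each batch.
push_all() {
    hosts=$1 cmds=$2 logdir=$3 n=0
    mkdir -p "$logdir"
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|\#*) continue;; esac
        push_one "$host" "$cmds" "$logdir" &
        n=$((n + 1))
        if [ "$n" -ge "$JOBS" ]; then wait; n=0; fi
    done < "$hosts"
    wait
}

# Print the hosts whose status is not "ok", one per line: the report you
# would mail yourself. No output means every device took the change.
failed_hosts() {
    for f in "$1"/*.status; do
        [ -f "$f" ] || continue
        [ "$(cat "$f")" = ok ] || basename "$f" .status
    done
}

# Constructed stand-in for clogin so the example runs offline: it "fails to
# log in" to any host whose name ends in -bad and otherwise echoes the
# commands as a transcript. Same argument shape as clogin: -c "cmds" host.
fake_login() {
    cmds=$2 host=$3
    case $host in *-bad) echo "Error: could not log in to $host"; return 1;; esac
    printf '%s# ' "$host"; printf '%s\n' "$cmds" | tr ';' '\n'
}

# Demo on a constructed hosts file; one host is unreachable on purpose.
demo() {
    work=$(mktemp -d)
    printf 'sw1\nsw2\n# decommissioned, kept for reference\n\nsw3-bad\nsw4\n' > "$work/hosts"
    PUSH_CMD=fake_login JOBS=2
    push_all "$work/hosts" "conf t;int e 1/0/12;switchport trunk allowed vlan add 200;end;copy run start" "$work"
    echo "== could not push to:"; failed_hosts "$work"
    echo "== transcript for sw1:"; cat "$work/sw1.log"
    rm -rf "$work"
}
demo
```

For real use leave PUSH_CMD unset, pass your HOSTS.TXT and a dated log directory, and pipe `failed_hosts` into mail; the per-host .log files are what you read when a device is listed, and a host that keeps showing up after you fix credentials is usually one to drop from the list.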
Huge +1 for Rancid. See below.
Rancid currently supports Allied Telesis switches running AW+, Cisco routers, Juniper routers, Catalyst switches, Foundry switches (now Brocade), Redback NASs, ADC EZT3 muxes, MRTd (and thus likely IRRd), Alteon switches, and HP Procurve switches and a host of others.
I'm not 100% sure what you are looking for. Solarwinds NCM and RANCID are the most popular network-specific network management programs I have heard of. You might look to them for ideas?
http://www.solarwinds.com/network-configuration-manager.aspx
http://www.shrubbery.net/rancid/
Also, your question isn't really specific to networking so you'll probably have better luck in /r/sysadmin.
90's or not, if it works why not use it? Of course, it isn't working how I want which is why I posted, so thanks for your response.
I'm assuming RANCID is this http://www.shrubbery.net/rancid/
Do you have a link about trigger? I must be googling wrong because I am not finding anything useful in relation to backing up my configs.
Rancid can make it simpler.
$ apt-get install rancid
- or -
$ yum install rancid
- then -
$ clogin -c 'show running' myrouter > config.cfg
http://www.shrubbery.net/rancid/
It was originally developed for Cisco, but we use it with Juniper and Dell networking equipment. Really handy when you have more than one IT guy; you can tell if/when others have made changes.
It's been over 6 years since I've used RANCID. When I was using it for config changes and back ups, it would also send out e-mail when a whole card died (e.g., http://www.shrubbery.net/rancid/#sample) and if memory serves me correctly, when a power supply had issues or died.
I would go download and read their documentation to be totally sure. http://www.shrubbery.net/rancid/
It has support for a number of devices; I can't say definitively if SonicOS is supported. Here are a couple of links:
Can't help you with the Windows side (Linux shop) but for Cisco configs then I use http://www.shrubbery.net/rancid/
There may be other similar things around for Windows (or you might be able to get it working in Cygwin).
Personally I prefer to automate everything possible and store changes in some sort of VCS rather than write it up, since then you always know exactly what's changed rather than what the user thinks they changed.
Interesting idea, but it's not a fully formed project like RANCiD. I'm not sure how useful this would be without a back end to store/diff configs in. I suppose you could hack this into RANCiD, but it seems more like a solution looking for a problem. SSH works just fine to grab configs.