Configuration Management: What’s Your Approach?
Device configuration management can be a complicated beast. Have you tamed it? Do your IT policies enforce archive retention periods, audit trails, security compliance, or secure transfer methods? Do your change management policies mandate the ability to quickly perform configuration rollback?
Whether you’ve got configuration management licked or whether you’re lucky to remember to execute “copy run start,” we would like to gain a better understanding of the approach you’ve taken to device configuration management.
Many organizations have their device configurations managed by a Cisco Remote Management Service. For those of you using a commercial or open source package, what is your tool of choice?
- Cisco Network Management Product Portfolio
- EMC NCM (VoyenceControl)
- Kiwi CatTools
- SolarWinds Orion NCM
- ManageEngine DeviceExpert
Have you rolled your own configuration archive tool because the available configuration management packages (above) lack functionality, or because of a lack of IT funds or resources to administer them? If you’ve rolled your own configuration archive tool, what combination of languages and frameworks are you using?
- shell scripts
- net-ssh (ruby)
- expect (tcl)
- expect (python)
- sharpssh (c#)
- jsch (java)
It’s not uncommon for our customers to use insecure protocols when transferring configuration files to and from their devices. Granted, they may restrict such file transfers to their intranet. What combination of communication and transfer protocols are you using to archive configs?
- Terminal session logging
Cisco IOS Software includes a number of native configuration management utilities. Are you employing these tools in your environment?
- Configuration Archive – the archive config command allows you to save Cisco IOS configurations in the local configuration archive using a standard location and filename prefix that is automatically appended with an incremental version number (and optional timestamp) as each consecutive file is saved.
- Contextual Configuration Diff Utility performs a line-by-line comparison of any two configuration files and generates a list of the differences between them.
- Configuration Change Notification and Logging allows the tracking of configuration changes entered on a per-session and per-user basis by implementing a configuration log and adds a notification mechanism that sends asynchronous notifications to registered applications whenever the configuration log changes.
- Configuration Replace and Configuration Rollback provides the capability to replace the current running configuration with any saved Cisco IOS configuration file. This functionality can be used to revert to a previous configuration state, effectively rolling back any configuration changes that were made since that configuration file was saved.
- Command Scheduler (kron policies) provides the ability to schedule some EXEC command-line interface (CLI) commands to run at specific times or at specified intervals. One example is the archive config command mentioned above.
- Configuration Logger Persistency implements a “quick-save” functionality. When configured, Cisco IOS Software saves only the commands entered since the last startup-config file was generated, rather than saving the entire startup configuration.
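For those archiving configurations with homegrown scripts, the sketch below shows a context-aware comparison in the spirit of the Contextual Configuration Diff Utility described above. It is an added example, not Cisco's implementation or code from this post; it assumes child commands are indented under their parent, and the hostname, address and configs in it are constructed.

```python
# Added example: context-aware diff of two archived IOS-style configs.
# Assumption: child commands are indented under their parent by spaces.

def parse(config_text):
    """Return ordered (parents, command) pairs, e.g. (('line vty 0 4',), 'transport input ssh')."""
    entries, stack = [], []          # stack: (indent, command) of open parent blocks
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue                 # skip blanks and '!' separators/comments
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()              # leave blocks at the same or deeper indent
        entries.append((tuple(c for _, c in stack), cmd))
        stack.append((indent, cmd))
    return entries

def contextual_diff(old_text, new_text):
    """Return (removed, added): commands present in only one config, with parents."""
    old, new = parse(old_text), parse(new_text)
    old_set, new_set = set(old), set(new)
    return ([e for e in old if e not in new_set],
            [e for e in new if e not in old_set])

def render(removed, added):
    """Format the diff: '-'/'+' lines grouped under their parent commands."""
    out = []
    for sign, entries in (("-", removed), ("+", added)):
        shown = None
        for parents, cmd in entries:
            if parents != shown:
                out.extend(" " * d + p for d, p in enumerate(parents))
                shown = parents
            out.append(sign + " " * len(parents) + cmd)
    return "\n".join(out)

# Constructed sample configs (documentation address range, made-up hostname).
OLD = """hostname edge-rtr1
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 transport input ssh
"""
NEW = OLD.replace("transport input ssh", "transport input telnet ssh")

if __name__ == "__main__":
    print(render(*contextual_diff(OLD, NEW)))
```

Comparing (parents, command) pairs rather than raw lines is what lets a change such as a removed `shutdown` be attributed to the interface it belonged to, which matters when the diff feeds an audit trail.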
After the hard part is done and configurations have been archived, does your organization utilize a source control system to keep revisions of configuration changes? If so, which one?
Cognizant of the plethora of device configuration management tools available to Cisco customers, including commercial, open source, and homegrown tools, we’re very interested to hear which ones you have found to be the best fit in your environment.