Re: configuration sanity check

2015-10-29 Thread Chuck Anderson
On Thu, Oct 29, 2015 at 09:16:48AM +0100, marcel.durega...@yahoo.fr wrote:
> Hi Nanogers,
> 
> Any recommendation about a software which check the live config of
> cisco/juniper devices against some templates ?
> 
> The goal is to have a template about different function device, like:
> - CORE device must have this bloc and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...
> 
> And the software run once every day to check which device do not
> comply with those rules and generate an alert.

For Juniper at least, you can use "commit scripts" to enforce these
rules in real time each time a configuration commit is performed--if
the candidate configuration change doesn't follow the rules, the
commit fails (or the configuration can be changed automatically to do
something).  For example "all interfaces must have a description on
them", or "changes to MSTI configuration are not allowed".


RE: configuration sanity check

2015-10-29 Thread Naslund, Steve
I use a system called Device Expert that does exactly what you say below.  I am 
not affiliated with them just a satisfied customer.

https://www.manageengine.com/network-configuration-manager/

Steven Naslund
Chicago IL

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
marcel.durega...@yahoo.fr
Sent: Thursday, October 29, 2015 3:17 AM
To: nanog
Subject: configuration sanity check

Hi Nanogers,

Any recommendation about a software which check the live config of 
cisco/juniper devices against some templates ?

The goal is to have a template about different function device, like:
- CORE device must have this bloc and this clock
- PE device must have at least that and that
- CPE must have this and that
- Distrib switch block 1 and block2
- etc...

And the software run once every day to check which device do not comply with 
those rules and generate an alert.

Thank,
- Marcel


Re: configuration sanity check

2015-10-29 Thread chip
I've used ansible for this and generated config based on roles.  It's a
little weird to get started but allows modularization of config.  You can
then go so far as have the same "functions" for different platforms and
software versions.  To be clear, this was just for config generation, not
verifying it was on the device or pushing it to the device.

--chip

On Thu, Oct 29, 2015 at 4:16 AM, marcel.durega...@yahoo.fr <
marcel.durega...@yahoo.fr> wrote:

> Hi Nanogers,
>
> Any recommendation about a software which check the live config of
> cisco/juniper devices against some templates ?
>
> The goal is to have a template about different function device, like:
> - CORE device must have this bloc and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...
>
> And the software run once every day to check which device do not comply
> with those rules and generate an alert.
>
> Thank,
> - Marcel
>



-- 
Just my $.02, your mileage may vary,  batteries not included, etc


Re: configuration sanity check

2015-10-29 Thread Justin Seabrook-Rocha
On Oct 29, 2015, at 01:16, marcel.durega...@yahoo.fr wrote:
> 
> Hi Nanogers,
> 
> Any recommendation about a software which check the live config of 
> cisco/juniper devices against some templates ?
> 
> The goal is to have a template about different function device, like:
> - CORE device must have this bloc and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...
> 
> And the software run once every day to check which device do not comply with 
> those rules and generate an alert.
> 
> Thank,
> - Marcel

We implemented an in-house solution using Cisco Template Manager 
(http://www.gelogic.net/cisco-template-manager/). It's basically a bunch of 
bash/perl scripts doing regex matching against the saved configs from RANCID. 
Works fine for both Cisco and Juniper.

It requires some hand tooling, but we have it doing exactly what you want 
(checking against different device function templates).

Justin Seabrook-Rocha
-- 
Xenith || xen...@xenith.org || http://xenith.org/
Jabber: xen...@xenith.org
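
The approach described in the message above (regex matching of per-role templates against configs already saved by a collector such as RANCID), sketched as an added example; it is not code from the thread or from Cisco Template Manager. The role names, rules, hostnames and sample configs are constructed for illustration, using IOS-style syntax.

```python
import re

# Hypothetical role templates: (rule name, regex, must_match).
# must_match=True  -> the line has to be present in the config.
# must_match=False -> the line must not appear anywhere in the config.
TEMPLATES = {
    "core": [
        ("NTP server configured", r"^ntp server \S+", True),
        ("vty restricted to SSH", r"^ transport input ssh$", True),
        ("telnet not allowed on vty", r"^ transport input .*telnet", False),
    ],
    "cpe": [
        ("remote syslog configured", r"^logging host \S+", True),
        ("HTTP server disabled", r"^ip http server$", False),
    ],
}

# Constructed sample data standing in for saved configs: device -> (role, text).
SAVED_CONFIGS = {
    "core1": ("core", "hostname core1\nntp server 192.0.2.1\n"
                      "line vty 0 4\n transport input ssh\n"),
    "core2": ("core", "hostname core2\n"
                      "line vty 0 4\n transport input telnet ssh\n"),
    "cpe1": ("cpe", "hostname cpe1\nlogging host 192.0.2.10\nip http server\n"),
    "lab1": ("lab", "hostname lab1\n"),
}

def audit(role, config):
    """Return the names of the rules that `config` violates for `role`."""
    rules = TEMPLATES.get(role)
    if rules is None:
        # A device without a template must not pass silently.
        return [f"no template for role '{role}'"]
    failures = []
    for name, pattern, must_match in rules:
        found = re.search(pattern, config, re.MULTILINE) is not None
        if found != must_match:
            failures.append(name)
    return failures

def audit_all(saved):
    """Map each non-compliant device to its list of violated rules."""
    report = {}
    for device, (role, config) in saved.items():
        failures = audit(role, config)
        if failures:
            report[device] = failures
    return report

if __name__ == "__main__":
    # Run daily (e.g. from cron) and mail the output as the alert.
    for device, failures in sorted(audit_all(SAVED_CONFIGS).items()):
        print(f"ALERT {device}: " + "; ".join(failures))
```
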


Re: configuration sanity check

2015-10-29 Thread Jason Lixfeld
Either of these might come in handy..

https://www.nanog.org/meetings/abstract?id=2673
https://www.nanog.org/meetings/abstract?id=2678

> On Oct 29, 2015, at 4:16 AM, marcel.durega...@yahoo.fr wrote:
> 
> Hi Nanogers,
> 
> Any recommendation about a software which check the live config of 
> cisco/juniper devices against some templates ?
> 
> The goal is to have a template about different function device, like:
> - CORE device must have this bloc and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...
> 
> And the software run once every day to check which device do not comply with 
> those rules and generate an alert.
> 
> Thank,
> - Marcel



Re: configuration sanity check

2015-10-29 Thread Michal Loncek

On 10/29/2015 09:16 AM, marcel.durega...@yahoo.fr wrote:

> Hi Nanogers,
>
> Any recommendation about a software which check the live config of
> cisco/juniper devices against some templates ?
>
> The goal is to have a template about different function device, like:
> - CORE device must have this bloc and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...
>
> And the software run once every day to check which device do not comply
> with those rules and generate an alert.
>
> Thank,
> - Marcel




http://www.gelogic.net/cisco-template-manager/




Re: configuration sanity check

2015-10-29 Thread Paul Ferguson
Be careful in your search for RATs -- in the security world it also stands for 
Remote Access Trojan. :-)

- ferg 


On October 29, 2015 3:06:23 PM EDT, Jesse McGraw  wrote:
>Historically there was RAT (Router Audit Tool).  You'll have to do some
>googling to see where it's hosted now and whether or not it's still 
>being developed as I haven't looked at it in years.
>
>
>On 10/29/2015 04:16 AM, marcel.durega...@yahoo.fr wrote:
>> Hi Nanogers,
>>
>> Any recommendation about a software which check the live config of 
>> cisco/juniper devices against some templates ?
>>
>> The goal is to have a template about different function device, like:
>> - CORE device must have this bloc and this clock
>> - PE device must have at least that and that
>> - CPE must have this and that
>> - Distrib switch block 1 and block2
>> - etc...
>>
>> And the software run once every day to check which device do not 
>> comply with those rules and generate an alert.
>>
>> Thank,
>> - Marcel
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: configuration sanity check

2015-10-29 Thread Jesse McGraw
Historically there was RAT (Router Audit Tool).  You'll have to do some 
googling to see where it's hosted now and whether or not it's still 
being developed as I haven't looked at it in years.



On 10/29/2015 04:16 AM, marcel.durega...@yahoo.fr wrote:

> Hi Nanogers,
>
> Any recommendation about a software which check the live config of
> cisco/juniper devices against some templates ?
>
> The goal is to have a template about different function device, like:
> - CORE device must have this bloc and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...
>
> And the software run once every day to check which device do not
> comply with those rules and generate an alert.
>
> Thank,
> - Marcel





RE: configuration sanity check

2015-10-29 Thread Andrew Bosch
What is the opinion about CatTools?


> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
> marcel.durega...@yahoo.fr
> Sent: Thursday, October 29, 2015 3:17 AM
> To: nanog
> Subject: configuration sanity check
> 
> Hi Nanogers,
> 
> Any recommendation about a software which check the live config of
> cisco/juniper devices against some templates ?
> 
> The goal is to have a template about different function device, like:
> - CORE device must have this bloc and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...
> 
> And the software run once every day to check which device do not comply with
> those rules and generate an alert.
> 
> Thank,
> - Marcel


Re: configuration sanity check

2015-10-29 Thread Daniel Corbe
"marcel.durega...@yahoo.fr"  writes:

> Hi Nanogers,
>
> Any recommendation about a software which check the live config of
> cisco/juniper devices against some templates ?
>
> The goal is to have a template about different function device, like:
> - CORE device must have this bloc and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...
>
> And the software run once every day to check which device do not
> comply with those rules and generate an alert.
>
> Thank,
> - Marcel

You can also catch and minimize mistakes in real-time by:

1) Implementing and enforcing a proper change control system

2) Implementing tools like Rancid, which are designed to scrape router
configs and E-Mail changes in the format of a unified diff to everyone
in your engineering team.

3) Make liberal use of tools like RtConfig so routine changes aren't a
painful (read: manual) time-consuming process.


Re: configuration sanity check

2015-10-29 Thread Joe Abley
Salut Marcel,

On Oct 29, 2015, at 04:16, "marcel.durega...@yahoo.fr"
 wrote:

> Any recommendation about a software which check the live config of 
> cisco/juniper devices against some templates ?
>
> The goal is to have a template about different function device, like:
> - CORE device must have this bloc and this clock
> - PE device must have at least that and that
> - CPE must have this and that
> - Distrib switch block 1 and block2
> - etc...

Not precisely what you wanted but some pointers for doing it yourself:

https://www.nanog.org/meetings/nanog26/presentations/stephen.pdf

The example code was still on ftp.isc.org last time I checked.


Joe

Aue Te Ariki! He toki ki roto taku mahuna!