Network Configuration

Lower end configuration-management apps may be bare bones and sans syntax, but you may discover they're all your organization really needs.

August 27, 2004


For starters, because every switch and router uses TFTP to load the OS images that patch management depends on, even basic products include an embedded TFTP server, accessible from within a GUI. This makes uploading and downloading OS images somewhere between a right click and a drag-and-drop. Configurations are retrieved using good old telnet or SSH and, more often than not, SNMP: an SNMP set tells the switch or router where the built-in TFTP transfer should go, and the configuration is then sent to that target. Web interfaces are increasingly being added to configuration-management products, but you'll likely find them only on enterprise versions.

Note also that basic configuration management isn't just about keeping errors out of the network. It's also about making sure the configuration that's running is the one you think is running. The configuration app's interface should display the devices and all their associated configurations: those currently running on the device, those that have been uploaded into the configuration software and those that have been modified. There are two ways to get devices into the configuration software: define the IP address, telnet/SSH access and SNMP community strings for each device, one by one; or import a CSV file formatted with the same information. Autodiscovery of devices is left to enterprise products, but that's no great loss, because autodiscovery suffers from the same errors that plague network-monitoring products (see "Ping Me ... We'll Do Lunch").

When a device is selected, its associated configurations will be listed; you can then review and edit configs. The included editing functions will format the configuration but will not attempt to determine the syntax of the commands or whether the commands are applicable within the configuration. For example, an enterprise-class product might pick up an incorrectly defined Cisco Systems ACL, but basic configuration products aren't going to know bad IOS syntax from the International Organization of Standards.

All configuration products have edit features that attempt to format configurations in an organized, easy-to-read manner. They also will display multiple versions or different configuration files side by side, highlighting the variations. Enterprise products take this one step further, knowing that a particular file is a subsequent version of another configuration file: The edit program will show highlighted passages as added and/or deleted, further defining what has changed between the two versions.

If you're worried about others being able to edit and change your configurations (and who isn't?), most basic configuration programs apply access controls limiting who can read and write configurations on a per-device basis.

Some enterprise-class configuration products attempt to provide syntax checks and even wizards to automate the creation of accurate configurations; but this isn't so for basic configuration products. Why? The fly in the syntax-checking ointment is that not all vendors use the same syntax. For that matter, some who shall remain nameless (Cisco) don't have consistent syntax from one product to the next. This means the configuration-management vendor has to understand the peculiarities of each vendor, product, model and OS version.

This situation is made more difficult when you consider that in enterprise-configuration products, load balancers, firewalls, VPN concentrators and sometimes Unix systems are part of the management mix. Inexpensive configuration-management products aren't going to have this kind of breadth. But don't think that without syntax checking, there's no point in using configuration products--the value lies in the consistent editing, scheduling and controlling of configurations.

Figure: Needs Vs. Wants

The work-around for most low-end products is to limit support for Cisco devices. So if your switches come from a third-tier or even second-tier vendor, check that the configuration-management product you're considering supports your specific makes, models and OS versions.

On the bright side, grouping by type of device--for example, all routers or all Extreme switches--is available in some affordable products. Using groups is a best practice because it lets you make the most of your configuration-management product. For example, you can update or retrieve a configuration across all the members of a group with a single action--a group that contains all your Cisco routers running IOS 12.2 could be updated with a new ACL simply by specifying that the group receive a new configuration. In inexpensive products, grouping is often static, meaning you'll have to add and remove devices manually. But for smaller networks, that's not a deal breaker. Enterprise-configuration products will enter devices into groups via a query of device properties, making membership in the group dynamic.
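As an added illustration (not code from the article or from any product it reviews), the Python sketch below shows the two device-entry paths from earlier and the static-versus-dynamic grouping distinction just described: a CSV inventory is parsed into device records, a static group keeps a hand-maintained member list, and a dynamic group is a query over device properties that picks up new devices automatically. The CSV column layout, the Device fields, the group classes and plan_bulk_push are assumptions for this example, and the inventory rows and community string are constructed placeholders.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory in the shape the article describes (address,
# access method and SNMP community per device). Column names are assumed.
# This file holds credentials, so it needs the same protection as the
# configuration archive itself.
SAMPLE_INVENTORY = """\
name,ip,access,community,vendor,kind,os_version
core-rtr-1,10.0.0.1,ssh,EXAMPLE_RO,cisco,router,12.2
core-rtr-2,10.0.0.2,ssh,EXAMPLE_RO,cisco,router,12.2
edge-rtr-1,10.0.1.1,telnet,EXAMPLE_RO,cisco,router,12.1
sw-floor-1,10.0.2.1,ssh,EXAMPLE_RO,extreme,switch,7.3
sw-floor-2,10.0.2.2,ssh,EXAMPLE_RO,extreme,switch,7.3
"""


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    access: str
    community: str
    vendor: str
    kind: str
    os_version: str


def import_inventory(csv_text: str) -> list[Device]:
    """Parse a CSV inventory into Device records (the bulk-import path)."""
    devices = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["access"] not in ("ssh", "telnet"):
            raise ValueError(f"{row['name']}: unsupported access method {row['access']!r}")
        devices.append(Device(**{k: row[k].strip() for k in Device.__dataclass_fields__}))
    return devices


class StaticGroup:
    """Low-end style: membership is a list of device names maintained by hand."""

    def __init__(self, name, members=()):
        self.name = name
        self.members = set(members)

    def add(self, device_name):
        self.members.add(device_name)

    def remove(self, device_name):
        self.members.discard(device_name)

    def resolve(self, inventory):
        by_name = {d.name: d for d in inventory}
        return [by_name[n] for n in sorted(self.members) if n in by_name]


class DynamicGroup:
    """Enterprise style: membership is a query over device properties."""

    def __init__(self, name, predicate):
        self.name = name
        self.predicate = predicate

    def resolve(self, inventory):
        return [d for d in inventory if self.predicate(d)]


def plan_bulk_push(group, inventory, config_name):
    """Expand one group action into the per-device work items a scheduler runs."""
    return [(d.name, d.ip, d.access, config_name) for d in group.resolve(inventory)]


if __name__ == "__main__":
    inv = import_inventory(SAMPLE_INVENTORY)
    ios122 = DynamicGroup(
        "ios-12.2-routers",
        lambda d: d.vendor == "cisco" and d.kind == "router" and d.os_version == "12.2",
    )
    for item in plan_bulk_push(ios122, inv, "acl-update.cfg"):
        print(item)
```

The point of the two group classes is in what happens when a sixth router is added to the inventory: the dynamic group's next resolve() includes it, while the static group keeps its old membership until someone edits it, which is exactly the maintenance burden the article attributes to inexpensive products.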

Automating actions, like sending a new configuration file to a number of switches as a single unit rather than multiple tasks, is also a big win when using configuration-management products. Tasks can be scheduled to run automatically via a GUI. This not only makes after-hour updates possible, but it also means that periodic collection of configurations for archival is easy. Once you've collected configurations, these products generally archive and catalog them. Naming is accomplished by automatically assigning the date collected, or you can define a paradigm that suits your organization. Configuration annotation--allowing for a description or notation describing a particular configuration's purpose--is also a must-have. Finally, checking configurations for changes and notifying administrators, via the GUI or e-mail, when changes are detected is a key feature.

We don't know of any services that do only configuration management per se, but plenty of MSPs (Management Service Providers) include configuration management as part of their network monitoring offerings. Unfortunately, we're not talking a few hundred dollars a month--they usually cost thousands of dollars, making the choice to do it yourself the only justifiable one, from an affordability standpoint.
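The archive-and-detect loop described above, together with the added/deleted highlighting from the earlier paragraph on version comparison, as an added Python example that is not the article's or any product's code: each collected configuration is named from its collection date plus an optional annotation, a SHA-256 fingerprint decides whether anything changed since the newest archived copy, and a line diff produces the added/removed lists an administrator would see in the GUI or an e-mail. The ConfigArchive class, the naming pattern and the two configuration texts are assumptions constructed for this example.

```python
import difflib
import hashlib
from datetime import datetime, timezone

# Constructed sample: a previously archived config and a freshly collected one.
# The collected copy relaxes an ACL and re-enables telnet on the vty lines,
# the kind of drift change detection exists to surface.
ARCHIVED = """\
hostname core-rtr-1
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any
!
line vty 0 4
 transport input ssh
"""

COLLECTED = """\
hostname core-rtr-1
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit any
!
line vty 0 4
 transport input telnet ssh
"""


class ConfigArchive:
    """In-memory stand-in for the catalog a configuration tool keeps (assumed)."""

    def __init__(self):
        self._store = {}  # device -> list of (archive name, text), oldest first

    @staticmethod
    def archive_name(device, collected_at, annotation=None):
        # Date-based naming as the article describes; the annotation is the
        # optional human description of the configuration's purpose.
        stamp = collected_at.strftime("%Y%m%dT%H%M%SZ")
        return f"{device}-{stamp}" + (f"-{annotation}" if annotation else "")

    def store(self, device, text, collected_at, annotation=None):
        name = self.archive_name(device, collected_at, annotation)
        self._store.setdefault(device, []).append((name, text))
        return name

    def latest(self, device):
        versions = self._store.get(device)
        return versions[-1] if versions else None


def fingerprint(text):
    return hashlib.sha256(text.encode()).hexdigest()


def config_diff(old, new):
    """Lines added to and removed from the config (the side-by-side highlight)."""
    added, removed = [], []
    for line in difflib.ndiff(old.splitlines(), new.splitlines()):
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    return added, removed


def check_for_changes(archive, device, collected_text, collected_at, annotation=None):
    """Compare a freshly collected config with the newest archived copy.

    Returns a report; 'changed' is what drives the GUI or e-mail notification.
    Only changed (or first-seen) configs are archived, so the catalog does not
    fill up with identical copies from every scheduled collection.
    """
    previous = archive.latest(device)
    report = {"device": device, "changed": False, "added": [], "removed": [], "archived_as": None}
    if previous is None or fingerprint(previous[1]) != fingerprint(collected_text):
        if previous is not None:
            report["added"], report["removed"] = config_diff(previous[1], collected_text)
        report["changed"] = True
        report["archived_as"] = archive.store(device, collected_text, collected_at, annotation)
    return report


if __name__ == "__main__":
    archive = ConfigArchive()
    t0 = datetime(2004, 8, 27, 2, 0, tzinfo=timezone.utc)
    check_for_changes(archive, "core-rtr-1", ARCHIVED, t0, "baseline")
    t1 = datetime(2004, 8, 28, 2, 0, tzinfo=timezone.utc)
    report = check_for_changes(archive, "core-rtr-1", COLLECTED, t1)
    print(report)
```

Hashing the full text is enough to answer "did it change"; the diff is what makes the notification actionable, because it shows that the change was an ACL being opened and telnet being re-enabled rather than a harmless description edit.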
