Netcordia's NetMRI 1.5p1

The NetMRI network configuration management tool lacks some features of competitive offerings but excels in specific areas such as its policy engine, low-impact discovery and ease of use.

March 10, 2006


NetCordia has improved NetMRI, its network configuration management software. Version 1.5p1 has an easier and more flexible policy engine to help companies maintain compliance with directives like Sarbanes-Oxley. The updated policy engine, which compares actual network device configurations to Configuration Policy Definition (CPD) files, now can check policy conformance by device groups.

NetMRI, which I tested at our Syracuse University Real-World Labs®, gathers, stores and compares data for Cisco and Juniper devices, providing daily alerts on changes in configurations or performance, and errors. NetCordia says it is continuing to add support for other vendors' networking hardware. NetMRI monitors over SNMP and CLI (telnet/SSH), and its reporting ranges from high-level health overviews to categorized lists of actionable problems and diagnostic suggestions. You don't get real-time notification of changes, though, and NetMRI is not tied to external service-desk applications for change control and workflow processes.

In a perfect world NetMRI would have all these operational functions and more extensive hardware support. As it is, the product's strengths are its improved policy engine, ease of use, and lower cost compared to many other network-configuration-management offerings. NetMRI runs from $25,000 for a few hundred managed devices to about $150,000 for a few thousand devices. That's reasonable, especially for big Cisco and Juniper installations.

Good

• Flexible policy engine
• Low-impact discovery
• Easy to use

Bad

• Needs multi-tenancy, more pre-built policy files
• Limited device support
• No backward compatibility for CPD files

NetMRI 1.5p1, starts at $25,000. Netcordia, (410) 266-6161. www.netmri.com

The product includes four preconfigured CPD files, three of them aimed at Cisco security policies, including the NSA router policy, and one Juniper router DISA (Defense Information Systems Agency) security policy. NetCordia says it will update its built-in CPD files, and you can import new CPD files as well. However, there's a problem for users of earlier versions of the software--they can't reuse CPD files they've already created, because the new product isn't backward-compatible.

CPD files are created using a text editor, and getting the syntax right is key. There is a syntax checker but even so, it's hard to avoid formatting errors. A better solution, embraced by some other network-configuration products, is to use template creation forms to improve syntax accuracy when creating policies.

NetMRI has moved from using a simple matching approach in comparing CPD files and configurations to one that relies on more complex expressions using selection criteria and Boolean operators. In a CPD file, combinations can select specific devices and interfaces for very specific policies.

The daily analysis of CPDs is performed against the most recent configuration file, which is collected with a command-line save function. I made checks against archived and future configuration files on an as-needed basis.

NetMRI's reports showed me devices with running configurations that differed from their start-up configurations, logs of changes to particular devices, attempts to enter bad user IDs or passwords, and extended-time views of configuration activity. For example, I viewed configuration change activity over a period of 30 days, which gave me a useful perspective on the changes in the network and how they might correlate to problems or instabilities. NetMRI includes a utility for comparing configuration files.

NetMRI's device-discovery process has a low impact on the network compared to most network management products. With SNMP access, ARP cache is learned, creating less than one-tenth of 1 percent utilization on a 100 MB network. I had some switches in the lab that were not showing up due to almost nonexistent traffic during implementation, so I had to ping the devices to get them in the default router's cache. But in comparison to what most network-management products do to discover the network--running ping sweeps followed by SNMP MIB walks--the network impact is much less. Devices on the production network showed up right away, without any problem.

One of the checks NetMRI makes is the membership of switches in VLANs and the root Spanning Tree Bridge. On the production network I tested NetMRI on, running this check discovered misconfigured switches that were not participating in the assigned VLANs for specific subnets.

Another nice usability feature is the option to suppress reporting on certain information. On a single screen, all the issues the product can report on are displayed, and all I had to do was click the ones I didn't care about to make them go away. This removes these issues from the analysis and as factors in the determination of your overall network's health score. NetMRI publishes a numeric overview "Scorecard" of network health, comprised of the overall "Correctness and Stability" of the network based on all the network factors it checks. The grading is on a 1 to 10 scale.

NetCordia says it plans to add multi-tenancy and OS patch updates in a future release. While the product lacks some of the features of some competitive offerings, its small footprint on your network and flexible policy engine give it an edge.

Bruce Boardman, executive editor of Network Computing, tests and writes about network and systems management. Write to him at [email protected].
