What's wrong with provisioning tools?

Thu Jun 13 15:49:23 UTC 2002

On Wed, 12 Jun 2002, Stephen Griffin wrote:

> In the referenced message, David Daley said:
> <snip>
> > 4) There isn't anything to track non sanctioned changes to the network
> > (i.e.: hacker induced re-configurations)
>
> I would be really surprised if anything other than mom-and-pop shops
> didn't have _at least_ this.
>
> rtrmon or rancid can do great config archiving and provide difference
> output.

I didn't find anything that really suited my needs at the time (late
2000/early 2001), so I ended up writing my own archiver.  From time to
time I've thought about adding it to the COSI-NMS project on Sourceforge,
but never gotten around to it.  I've also other similar tools outside of
Sourceforce, such as Pancho (http://pancho.lunarmedia.net/).

I wrote the code behind mine to be fairly modular, so that adding a module
to back up a config from a new device is pretty easy.  It currently backs
up these devices using either SNMP or Expect scripts for devices that
require it:

Cisco IOS <12.0
Cisco IOS >=12.0
Cisco CatOS
Cisco 5000 VPN concentrators (the Compatible Systems ones, not Altiga)
Cisco LocalDirectors
Lucent TAOS (Max TNTs)
Alteon WebOS (ACEdirectors)
Redback AOS
Nortel BayRS (Bay Networks nee Wellfleet) <-config is binary
other odds and ends as they come up, like Netopia routers, etc.

I haven't written anything to back up Junipers yet because I don't have
any to test against.  Aside from the Nortel routers, I support versioning
on everything else.

Keep in mind this is only one piece of the puzzle - backing up what's
already out there.  I intentionally left out the functionality to allow a
config to be uploaded to one of the devices above for reasons already
specified in this thread - it's just too dangerous.  You can melt down a
whole network really quickly if you're not careful.

jms