What's wrong with provisioning tools?
Streiner, Justin
streiner at stargate.net
Thu Jun 13 15:49:23 UTC 2002
On Wed, 12 Jun 2002, Stephen Griffin wrote:
> In the referenced message, David Daley said:
> <snip>
> > 4) There isn't anything to track non sanctioned changes to the network
> > (i.e.: hacker induced re-configurations)
>
> I would be really surprised if anything other than mom-and-pop shops
> didn't have _at least_ this.
>
> rtrmon or rancid can do great config archiving and provide difference
> output.
I didn't find anything that really suited my needs at the time (late
2000/early 2001), so I ended up writing my own archiver. From time to
time I've thought about adding it to the COSI-NMS project on Sourceforge,
but never gotten around to it. I've also other similar tools outside of
Sourceforce, such as Pancho (http://pancho.lunarmedia.net/).
I wrote the code behind mine to be fairly modular, so that adding a module
to back up a config from a new device is pretty easy. It currently backs
up these devices using either SNMP or Expect scripts for devices that
require it:
Cisco IOS <12.0
Cisco IOS >=12.0
Cisco CatOS
Cisco 5000 VPN concentrators (the Compatible Systems ones, not Altiga)
Cisco LocalDirectors
Lucent TAOS (Max TNTs)
Alteon WebOS (ACEdirectors)
Redback AOS
Nortel BayRS (Bay Networks nee Wellfleet) <-config is binary
other odds and ends as they come up, like Netopia routers, etc.
I haven't written anything to back up Junipers yet because I don't have
any to test against. Aside from the Nortel routers, I support versioning
on everything else.
Keep in mind this is only one piece of the puzzle - backing up what's
already out there. I intentionally left out the functionality to allow a
config to be uploaded to one of the devices above for reasons already
specified in this thread - it's just too dangerous. You can melt down a
whole network really quickly if you're not careful.
jms
More information about the NANOG
mailing list