Last week we wrote about server configuration management evolution, and touched on the fact that network engineers are largely left out of the loop. There is one vendor, however, that realized this gap and took advantage of it. In this article we will provide an overview of the differences between server and network management, and then explore how Orion NCM seems to understand and fulfill the need for configuration management on network devices.
Generally speaking, configuration management serves two purposes: ease of management, and documentation. A true configuration management system will allow administrators to apply changes to a large number of devices from a central management point. Those changes are tracked in a self-documenting way, which allows administrators to more easily understand the global design, since the information is all in a single place. It also provides a revision history, so you can see when/what/how a change took place, which is great for regulatory compliance.
The only way you can really know that your server or network devices are running the configuration you think they are supposed to be running is with a robust configuration management system. It can both ensure that the stored configuration is what’s running currently, and notify you when changes occur. Without that type of system, device configurations quickly drift without anyone remembering they made changes, and reliability, performance, and maintenance suffer.
Server vs. Networks
These types of features have existed in server configuration management for a long time now, in open source products like Cfengine and Puppet. The problem they were trying to solve was much more complex. A “configuration” was not just a single file, like it is in the network world. Server configurations are thousands of files for the thousands of aspects of a server that need configuring. It is surprising then, that server configuration management existed long before network configuration management.
In reality, network configuration management did exist. Each vendor offers its own unique, expensive, and proprietary system. CiscoWorks, from Cisco, fulfills some of the need, but is expensive and cumbersome to use. You cannot configure every aspect of a switch with SNMP, so the implementation of network configuration management is not simple. In the server world we’d just run a daemon that could listen for the configuration management master node to send it a request, but you cannot install and run random software on most network gear (which is why they are remarkably stable).
Building a network configuration management system means that something must SSH into a switch or router, and interactively run commands. RANCID did this with an expect script to grab the configuration for storage in a source control system. Other open source network management systems also implement SSH-in functionality, but none are really focused on centralized configuration management.
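The drift check described above (is the stored configuration still what is running?) can be sketched as follows. This is an added example, not RANCID or Orion code; it assumes both configurations have already been fetched as text, and the list of volatile lines is an assumption modelled on Cisco IOS output.

```python
import difflib
import re

# Lines that differ on every fetch without any real configuration change.
# Assumption: patterns modelled on Cisco IOS "show running-config" output.
VOLATILE = re.compile(
    r"^(! Last configuration change at |! NVRAM config last updated at "
    r"|ntp clock-period \d+|Current configuration : \d+ bytes|Building configuration)")

def normalize(config_text):
    """Drop volatile lines, blank lines and trailing whitespace."""
    lines = (l.rstrip() for l in config_text.splitlines())
    return [l for l in lines if l and not VOLATILE.match(l)]

def drift(stored, running, device="device"):
    """Unified diff between the stored baseline and the running config."""
    return list(difflib.unified_diff(
        normalize(stored), normalize(running),
        fromfile=f"{device}/stored", tofile=f"{device}/running",
        lineterm="", n=1))

def changed_lines(diff):
    """Only the added/removed config lines (skips the two file headers)."""
    return [l for l in diff[2:] if l.startswith(("+", "-"))]

# Constructed sample configs for a hypothetical switch.
STORED = """\
! Last configuration change at 10:02:11 UTC Mon Mar 3 2008 by admin
hostname sw-access-01
interface FastEthernet0/1
 switchport access vlan 10
line vty 0 4
 transport input ssh
ntp clock-period 17179869
"""
RUNNING = """\
! Last configuration change at 23:41:57 UTC Thu Mar 6 2008 by jdoe
hostname sw-access-01
interface FastEthernet0/1
 switchport access vlan 20
line vty 0 4
 transport input telnet ssh
ntp clock-period 17179901
"""

if __name__ == "__main__":
    for line in drift(STORED, RUNNING, "sw-access-01"):
        print(line)
```

An empty result means the device matches its baseline; anything else is a change to review or alert on, and committing the normalized text to source control gives the revision history.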
Orion NCM implements all of the features that many people have been yearning for. Its dashboard provides a central point to control configuration changes and monitor network health. While monitoring the health of the network would seem best accomplished with the myriad of other focused monitoring solutions, an NCM is well positioned to provide critical information. The majority of outages are a result of a configuration change, so being able to quickly correlate a change with an outage means accountability and quick problem resolution.
Orion also comes with an Inventory interface, which provides a wide range of information. Instead of just listing serial numbers and SNMP location information, Orion NCM delves much deeper into the configuration and state of each device. It can list down nodes, ARP tables, backup configurations, routing tables, and much more. Here is where it crosses the boundary into Network Management System (NMS) territory, but it’s always nice to have a single interface for all this information.
The core functionality, the NCM, is definitely full-featured. You can manage devices, or groups of devices, from a single interface. What isn’t shown is the configuration editor. Instead of logging into the network device manually, you can bring up the configuration file within Orion and view or edit it, then apply the changes. If you need to gather information, for example what switch port a MAC address is on, you can tell Orion to run ‘sh mac-addr |i’ on every Cisco device at once. Finally, and most importantly, Orion allows you to view the complete history of changes on a device.
Some organizations may be deeply interested in regulatory compliance: HIPAA, SOX, and CISP reports can easily be generated from the Web interface. Since Orion has access to all your configurations, it can easily audit them for compliance with various encryption and password strength regulations.
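A configuration audit of the kind described above, for password strength and encryption settings, can be sketched as a small rule engine over the stored config text. This is an added example, not Orion NCM's policy format; the rule IDs and rule set are assumptions, written against Cisco IOS syntax.

```python
import re

# Assumption: illustrative rule set in Cisco IOS syntax, not Orion NCM's policies.
def _match(pattern):
    rx = re.compile(pattern)
    return lambda lines: [l for l in lines if rx.search(l)]

def _missing(required):
    return lambda lines: [] if required in lines else ["missing: " + required]

def _vty_telnet(lines):
    """Flag 'transport input' lines under 'line vty' that allow telnet."""
    hits, in_vty = [], False
    for l in lines:
        if not l.startswith(" "):          # top-level line starts a new section
            in_vty = l.startswith("line vty")
        elif in_vty and re.match(r"\s+transport input\b.*\b(telnet|all)\b", l):
            hits.append(l.strip())
    return hits

RULES = [
    ("PW-1", "enable password used instead of enable secret", _match(r"^enable password ")),
    ("PW-2", "username uses password instead of secret", _match(r"^username \S+ (?:.* )?password ")),
    ("PW-3", "service password-encryption not enabled", _missing("service password-encryption")),
    ("ENC-1", "telnet allowed on VTY lines", _vty_telnet),
    ("SNMP-1", "default SNMP community string", _match(r"^snmp-server community (public|private)\b")),
]

def redact(line):
    """Keep password and secret values out of the audit report."""
    return re.sub(r"\b(password|secret)((?: \d)? )\S+", r"\1\2<redacted>", line)

def audit(config_text):
    """Return (rule_id, description, evidence) for every violated rule."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    return [(rid, desc, redact(ev))
            for rid, desc, check in RULES for ev in check(lines)]

# Constructed sample config for a hypothetical router.
SAMPLE = """\
hostname rtr-edge-01
enable password EXAMPLE-CLEARTEXT
username ops password 7 EXAMPLE-TYPE7
username admin secret 5 EXAMPLE-MD5-HASH
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```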
By all accounts, people seem to be quite happy with Orion NCM. It successfully manages Cisco, Juniper, Foundry and many other devices. Pricing starts at $3,000 for 50 devices, $10,000 for 1000 devices, and maxes out at $30,000 for an unlimited number of managed devices. This is much cheaper than CiscoWorks, it works with more vendors, and is highly intuitive.
Hopefully this product will prompt open source developers to innovate in the same area. OpenNMS, for example, has many of these features, but it doesn’t focus on the extremely important configuration management aspect.
Charlie Schluting is the author of Network Ninja, a must-read for every network engineer.