
Network Change & Configuration Management


Automate large number of configuration changes based upon regex match on current configuration

Techie
Posts: 2

I'm completely new to Infoblox/NetMRI.

 

In the environment that I'm working in, network devices (~3500) are configured to send log/SNMP trap data to one of two forwarders. Currently, this is severely out of balance, and it's my task to bring it closer to 50/50.

 

I've put together a Perl script using NetMRI::API to retrieve all of the devices:

 

    my @devices = $client->broker->device->index(
        select => [qw(DeviceID DeviceName)]
    );

Which I then iterate, pull the config, and execute a simple regex match against:

 

    foreach my $device (@devices) {
        # Fetches the running config for this device, then prints 1 if it contains 10.10.10.10
        print($device->running_config_text()->{running_config_text} =~ /10\.10\.10\.10/);
    }

 

Already, however, this is very slow, and I'll have more pattern matching and replacement to do later on if I continue with this solution.

 

Are there other, possibly better (faster/easier) approaches that I should be considering?


Re: Automate large number of configuration changes based upon regex match on current configuration

Adviser
Posts: 353
One option: You could go into the Config Management -> Config Search and do the search from there (say, "logging 10.10.10.10"). Then, you can select all the devices from the list and just do "Execute Command".

Another: You could define some criteria for which devices get which logging statement, then create a policy rule to validate that it is set correctly. For those that do not match, a Policy Violation issue will be raised. You can select those and run a job. Or, you can create a Triggered Job to correct the value when it is not set properly.

John

Re: Automate large number of configuration changes based upon regex match on current configuration

Techie
Posts: 2

So, in the former case, I'd select approximately half of the search results? I have several variants of the logging statement; how can I ensure that the correct variant remains consistent before/after command execution if I used that approach?

 

The ultimate goal is to have each forwarder taking approximately half of the load from the devices. Do you have any examples of criteria that might split network devices down the middle?

 

The real answer of course is load balancing, but that's been taken off the table, for reasons that I don't understand/agree with.


Re: Automate large number of configuration changes based upon regex match on current configuration

Adviser
Posts: 353
I don’t have any really specific criteria I can give you. It would really depend on your environment. If you want to split the load roughly in half, and the IPs of the devices are relatively random, you could do something like odd-numbered machines go to one and even-numbered to the other. Or maybe there is some function of the device name that could roughly split them. The main thing is you want it to stay consistent for a specific device, so that there is no flapping of the setting.

Another option would be to add a custom field to the device, and explicitly set the value that should be used. Or create a list with each device IP, and in the policy rule, look up the device in the list and run the command to set it properly. If you have several variants, you could possibly specify that in the list too, so that the policy rule could check the configuration of each variant.

Re: Automate large number of configuration changes based upon regex match on current configuration

Expert
Posts: 235

In the manual config search, you can specify any combination of criteria that will match as you wish, including regex.  The matching statements will be displayed in the lower results table and you can sort that by name, IP, matching string, etc.  If you sort by the latter, that will group all of the statements of the same syntax together which would make it easier to select them for "Execute Command" (actually run script Adhoc Batch).  There will be a count at the bottom of that table of the number of matching lines, if that helps.  You can also enter a free-form search string fragment to quickly display subsets of that table.

 

That's all manual, which might be fine if this is a one-time correction and there won't be much churn in the future.  To make this more automatic, you'll need some kind of discriminator that will produce an approximately 50% split.  That might be some portion of the IP address, the device name, or other attribute.  Once you have that you could use it to create two basic device groups, which would make it easy to compare counts and members.  You could use Config Search separately on each device group and execute the Adhoc script on the ones that need to be changed.  For ongoing checks, as John suggested, you can write a simple policy with the wizard that will verify that the correct statements are present and no extraneous ones.  You would examine the list of devices failing the policy and Execute Command to manually fix them.

 

If you're going to want this policy check to be continually repeated, then you might find it worth writing a short Perl (or CCS) script that is triggered by the policy violation issue firing.  That single script could have a section for each device group that would perform the same validation as the policy, and correct as necessary.  It could fire a custom issue that would report on the devices that required correction, as well as what was changed.

 

Since you're new to NetMRI, much of this probably doesn't make complete sense without some reading in the Admin guide and walking through examples.
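
The discriminator idea from the replies above (a function of the device name that stays consistent per device, with each logging statement variant preserved), as an added example that is not part of the original thread and is not NetMRI's own code. It assumes IOS-style `logging` and `snmp-server host` statements, a placeholder second forwarder `10.10.10.20`, and made-up device names and config text; it makes no NetMRI::API calls.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# 10.10.10.10 appears in the thread; 10.10.10.20 is a placeholder for the second forwarder.
my @FORWARDERS = ('10.10.10.10', '10.10.10.20');

# Stable discriminator: the same device name always hashes to the same forwarder,
# so repeated policy runs never flip a device back and forth.
sub forwarder_for {
    my ($name) = @_;
    return $FORWARDERS[ hex(substr(md5_hex(lc $name), 0, 8)) % @FORWARDERS ];
}

# Build corrective commands for one config, keeping each statement variant
# (prefix and trailing options) exactly as it is and swapping only the address.
sub plan_changes {
    my ($name, $config) = @_;
    my $want  = forwarder_for($name);
    my $known = join '|', map { quotemeta($_) } @FORWARDERS;
    my @commands;
    for my $line (split /\r?\n/, $config) {
        # Lookarounds stop 10.10.10.10 from matching inside 10.10.10.100.
        next unless $line =~ /^\s*((?:logging|snmp-server host)\b.*?)(?<![\d.])($known)(?![\d.])(.*)$/;
        my ($prefix, $have, $suffix) = ($1, $2, $3);
        next if $have eq $want;    # already on the assigned forwarder
        push @commands, "no $prefix$have$suffix", "$prefix$want$suffix";
    }
    return @commands;
}

# Constructed sample: 3500 made-up device names to check how even the split is.
my %count;
$count{ forwarder_for(sprintf 'sw-%04d', $_) }++ for 1 .. 3500;
printf "%-12s %d devices\n", $_, $count{$_} // 0 for @FORWARDERS;

# Constructed sample config: two statement variants and an unrelated host.
my $sample = <<'END';
logging 10.10.10.10
logging host 10.10.10.20 transport udp port 514
snmp-server host 10.10.10.10 version 2c EXAMPLE
snmp-server host 10.10.10.100 version 2c EXAMPLE
END
print "$_\n" for plan_changes('sw-0001', $sample);
```

The two device groups suggested above fall out of `forwarder_for`, and the output of `plan_changes` is the per-device command list a batch or triggered job would need.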
