Auditing network configurations with Nelkit

Audit Checklist Form

Even if you have tools in place to automate your network configuration, there’s a good chance that someone has made some manual changes. Perhaps some of your routers were overlooked the last time you send out that access-list, or a new site has been deployed using an old template. In those situations you want to audit the configuration of your network devices. Network configuration audit is one of the features of Nelkit.

About Nelkit

Nelkit is a Python toolkit for network engineers and comes with the program nk-compare-configs.

Configuring the audit rules

You define the audit rules in a yaml file. The first initial release lets you set a configuration directory, or a list of configuration directories using the “configs:” key as in:

configs: '/opt/network/configs'</p>

Then you setup a number of rules under a “rules:” key. These can be of the type match where the comparison is done line by line. The second option is to use the between rules where you match all the configuration between two lines. A very basic rules file might look like this.

base_rules.yml

configs: '/opt/network/configs'

rules:
 - match:
    string: '^snmp-server'
    exclude: '^snmp-server location'

This would read all the configuration files in the /opt/network/configs directory, currently the first file will be used as the baseline. In a later version you will be able to specify which devices or file you want to use as the baseline. The file has one rule of the match type will will match all the lines starting with snmp-server. However it will ignore the line starting with snmp-server location as this setting might be different by design on your various sites.

Comparing configurations

You run the comparision by pointing at the rules file:

nk-compare-configs -c base_rules.yml

Sorting configuration

Aside from the basic match rule you can choose to sort the configuration lines prior to doing the comparison. This is useful on some devices which stores the configuration in the order you entered it. So even though the configuration appears to be different when you compare different devices it could actually be the same.

An example would be if device A looks like this:

service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service linenumber
service internal
service sequence-numbers

And then device B looks like this:

service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service linenumber
service password-encryption
service internal
service sequence-numbers

A regular comparison between the two would show that the configurations differ from each other. You can tell Nelkit to ignore these scenarios when you configure your rule.

 - match:
    string: '^service'
    sort: 'true'

Matching between configuration lines

The other rule you can configure is the between rule which compares all of the configuration between two lines. This could be used to match IOS style extended access-lists. For example if you have this test access-list.

ip access-list extended test
 permit tcp any any eq www
 deny any any
!

There are two ways you can use the between rule in order to match this access-list, using end or until_not.

 - between:
     start: '^ip access-list extended test'
     end: '^!'
 - between:
     start: '^ip access-list extended test'
     until_not: '^ '

The first example matches from a line starting with “ip access-list extended test” and includes all of the lines until it finds a line starting with “!”. The second example instead matches all of the lines until a line doesn’t start with a space ” “.

Using several rules in your configuration file

You then build your rules file by using several rules. So a longer rules file could look like this.

configs: '/opt/network/configs'

rules:
 - match:
     string: '^snmp-server'
     exclude: '^snmp-server location'
 - between:
     start: '^ip access-list extended test'
     until_not: '^ '
 - match:
     string: '^aaa |^service |^domain '
 - between:
     start: '^logging archive$'
     until_not: '^ '

Bugs, feature requests and help

The source code for Nelkit is available on Github. If you find any bugs or have feature requests, please open an issue.