Even if you have tools in place to automate your network configuration, there’s a good chance that someone has made some manual changes. Perhaps some of your routers were overlooked the last time you sent out that access-list, or a new site has been deployed using an old template. In those situations you want to audit the configuration of your network devices. Network configuration audit is one of the features of Nelkit.
You define the audit rules in a YAML file. The initial release lets you set a configuration directory, or a list of configuration directories, using the “configs:” key.
Then you set up a number of rules under a “rules:” key. These can be of the type match, where the comparison is done line by line. The second option is the between rule, where you match all of the configuration between two lines. A very basic rules file might look like this:
```yaml
configs: '/opt/network/configs'
rules:
  - match:
      string: '^snmp-server'
      exclude: '^snmp-server location'
```
This would read all the configuration files in the /opt/network/configs directory. Currently the first file is used as the baseline; in a later version you will be able to specify which device or file you want to use as the baseline. The file has one rule of the match type, which will match all the lines starting with snmp-server. However, it will ignore the line starting with snmp-server location, as this setting might be different by design on your various sites.
You run the comparison by pointing at the rules file:
```
nk-compare-configs -c base_rules.yml
```
Aside from the basic match rule, you can choose to sort the configuration lines prior to doing the comparison. This is useful on some devices which store the configuration in the order you entered it. So even though the configuration appears to be different when you compare two devices, it could actually be the same.
An example would be if device A looks like this:
```
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service linenumber
service internal
service sequence-numbers
```
And then device B looks like this:
```
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service linenumber
service password-encryption
service internal
service sequence-numbers
```
A regular comparison between the two would show that the configurations differ from each other. You can tell Nelkit to ignore these scenarios when you configure your rule.
```yaml
- match:
    string: '^service'
    sort: 'true'
```
The other rule you can configure is the between rule, which compares all of the configuration between two lines. This could be used to match IOS-style extended access-lists. For example, say you have this test access-list:
```
ip access-list extended test
 permit tcp any any eq www
 deny any any
!
```
There are two ways you can use the between rule in order to match this access-list, using end or until_not.
```yaml
- between:
    start: '^ip access-list extended test'
    end: '^!'
- between:
    start: '^ip access-list extended test'
    until_not: '^ '
```
The first example matches from a line starting with “ip access-list extended test” and includes all of the lines until it finds a line starting with “!”. The second example instead matches all of the lines until it finds a line that doesn’t start with a space “ ”.
You then build your rules file by combining several rules. A longer rules file could look like this:
```yaml
configs: '/opt/network/configs'
rules:
  - match:
      string: '^snmp-server'
      exclude: '^snmp-server location'
  - between:
      start: '^ip access-list extended test'
      until_not: '^ '
  - match:
      string: '^aaa |^service |^domain '
  - between:
      start: '^logging archive$'
      until_not: '^ '
```
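As an added illustration, not Nelkit’s own code, here is the semantics of the match (with exclude and sort) and between (with end and until_not) rules described above, applied to two constructed device configs with the first device as the baseline. The function names match_lines, between_lines and audit are this example’s own.

```python
import re

# Constructed configs, not from the post: device B orders its service lines
# differently and is missing the access-list's deny line.
DEVICE_A = ["snmp-server location Stockholm", "service password-encryption",
            "service linenumber", "ip access-list extended test",
            " permit tcp any any eq www", " deny any any", "!"]
DEVICE_B = ["snmp-server location Oslo", "service linenumber",
            "service password-encryption", "ip access-list extended test",
            " permit tcp any any eq www", "!"]

def match_lines(lines, string, exclude=None, sort=False):
    """match rule: lines matching `string`, minus those matching `exclude`."""
    hits = [l for l in lines
            if re.search(string, l) and not (exclude and re.search(exclude, l))]
    return sorted(hits) if sort else hits

def between_lines(lines, start, end=None, until_not=None):
    """between rule: the `start` line, then lines through `end` or while `until_not` matches."""
    out = []
    for line in lines:
        if not out:  # still looking for the start line
            if re.search(start, line):
                out.append(line)
        elif until_not is None or re.search(until_not, line):
            out.append(line)
            if end is not None and re.search(end, line):
                break
        else:
            break
    return out

def audit(baseline, other, rules):
    """Return (rule, baseline_lines, other_lines) for every rule whose extracts differ."""
    findings = []
    for rule in rules:
        (kind, opts), = rule.items()
        fn = match_lines if kind == "match" else between_lines
        base, oth = fn(baseline, **opts), fn(other, **opts)
        if base != oth:
            findings.append((rule, base, oth))
    return findings

RULES = [
    {"match": {"string": "^snmp-server", "exclude": "^snmp-server location"}},
    {"match": {"string": "^service", "sort": True}},
    {"between": {"start": "^ip access-list extended test", "until_not": "^ "}},
]
```

Running audit(DEVICE_A, DEVICE_B, RULES) reports only the access-list rule: the differing snmp-server location lines are excluded, and the reordered service lines compare equal once sorted.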