Configuration Management

Putting Configuration Standardization into Practice Across Your Entire Network Relies on Automation

Rich Martin

Director of Technical Marketing ‐ Itential

Posted on June 7, 2022

In the frenetic world of network engineers, we often must have a “Get Stuff Done” attitude that can make it difficult to spend any time or focus on figuring out how to solve bigger issues or make an impact on larger initiatives, which I know firsthand can be one of the frustrating aspects of the job. Getting through the daily backlog of network changes has become the top priority for many teams, and addressing any shortfalls or areas of improvement in the process becomes less of a priority.

One of the more universal annoyances among network engineers that becomes bigger and bigger as they’re working through their backlog of network changes is the lack of any configuration standardization on network devices. As this is an issue I’ve experienced firsthand, I was very excited to cover this topic during a recent Networking Field Day (NFD) session to share how network engineers can start to tackle configuration standardization across their ENTIRE networks.


The Reality of Today’s Configuration Management Process

Before we dive into the issue at hand, it’s important to understand why it’s become an issue. Every network device feels like a uniquely configured device — a snowflake in a snowstorm of network routers, switches, load balancers, firewalls, and more. Add on top of that the fact that these devices can be physical, virtual, or cloud-based and you have a full-on blizzard. In fact, networks tend to look a bit like this today.

Terrifying, I know.

To be fair, every network device will have sections of unique configurations with elements such as IP addresses and distinct services, but a large portion of a device’s configuration should adhere to a set of standards based on regulatory policies, best practices, or operational procedures. While these seem like small annoyances at first, the reality is that over time the lack of defined standards and the inability to apply those standards to the network becomes something that quickly snowballs out of control and can potentially become an avalanche of risks to an organization.

The only way to avoid this avalanche is by ensuring configuration standardization across every device, across both physical and cloud.


How Configuration Standardization Can Ease the Frustration

How do we identify and define these standards to begin easing the burden network teams deal with every day? Selfishly, we should start from the center and work outward.

As a network engineer, it’s refreshing when I’m troubleshooting a network problem and a device I’m logged into has accurate, up-to-date port descriptions. That simple thing makes troubleshooting immediately that much easier because I don’t have to reference that information from some other source, and I can continue to focus on the issue at hand – troubleshooting. Having accurate, up-to-date port descriptions is more than just a quality-of-life tweak; it can actually make resolving network issues even faster (and help keep some sanity). So selfishly, I’d love that to not be the exception, but the rule. Every device you log into should have up-to-date port descriptions, ideally formatted in a way that makes them easy to understand.

Let me share another scenario I’m sure you’ve considered: when trying to troubleshoot an issue across multiple routers, it’s helpful to log messages to a server, except when no log server is defined, or it’s an old server, or a server with no connectivity to the router. In parallel to that, if you have misconfigured time zones and time servers on network devices, correlating events based on the time they occurred can be frustrating. Defining and applying configuration standards for common services like time servers, DNS, and syslog benefits more than just the network engineer; it benefits anyone on the network team who may need to tread through those devices.

Sometimes these standards can also originate from outside the network team, especially when it comes to security. Whether or not your organization must adhere to strictly defined regulatory policies like HIPAA, PCI, or GDPR, it’s a good idea to define and apply baseline security standards for every network device. These can cover anything from what network management services are enabled or disabled (telnet bad, secure-shell good) to what subnets can access those network services (management subnets and specific secured ‘jump-box’ servers only). Access to and from certain subnets may also be standardized as part of the overall security posture for the network and access to applications, which would involve standardized access control lists on all network devices in the potential path of the client and application.


Putting Configuration Standardization into Practice Across Your Entire Network Relies on Automation

Identifying and defining standards is the first step, but that leads into the next step of putting into practice the application of the standards to the network — and by the network, we mean the ENTIRE network: every router, switch, load balancer, firewall, virtual network device, and cloud-native network service. Without consistent application to the entire network, network teams will suffer from continued organizational inefficiencies and potential security risks.

In order to keep up with evolving standards, a growing list of network devices, and a seemingly unending backlog of day-to-day network changes, automation must be part of the solution. But not just automation alone, as integrating legacy network configuration compliance solutions does not provide a scalable solution for the entire network, only parts of it.

Instead of cobbling together two different tools, I’ve seen firsthand how our customers have found success leveraging Itential’s automation products, which include a modern set of tools and functionality for configuration management that can be easily built into our workflow canvas, allowing network engineers not only to define configuration standards but also to create network automations that can directly access and utilize those standards. When Itential is put in the hands of network engineers, it empowers them to build automations that can ensure the entire network is configured properly, report on non-compliant devices and services, and even remediate the changes that you approve.

Our products also enable the network team to build automations that can make changes to any part of the network and validate that any proposed change maintains compliance before it is applied, making sure that once your network is standardized, it stays standardized. If you feel stuck in the snow and spinning your wheels, Itential can help — you can see for yourself in a demo I recently presented at NFD 27.

To learn more about how to automate configuration standardization and get a demo of Itential’s configuration management capabilities, check out my full NFD 27 session. If you’re ready to give it a try for yourself, create your free Itential account here.


Rich Martin is the Director of Technical Marketing at Itential. Previously, Rich has worked at several networking vendors as both a Pre-Sales Systems Engineer and Systems Engineering Manager but started his career with a background in software development and Linux. He has a passion for automation in the networking domain, and at Itential he helps networking teams to get started quickly and move forward successfully on their network automation journey.
