Configuration management's quiet revolution

If you list the network management topics that excite you, configuration management probably isn't one of them. Tell me about containers, network virtualization, hybrid cloud, but configuration management?

Config management is less than exhilarating, until something goes "thud!"

Maybe a core router loses its memory, or a bleary-eyed, third-shift technician deletes a key ACL. And just like that, your biggest customer goes offline. Suddenly, config management becomes interesting.

Or perhaps you're tasked with deploying 1,000 edge devices. They're all basically the same, but there are variants for each region, application and customer. Again, config management becomes a topic of interest.

Itential is one of the software companies I turn to for operations and network automation solutions. A colleague knew that I work with the Itential Automation Platform (IAP) and asked me about its configuration management capabilities. That's when I began to realize the significance of Itential's Golden Config offering.

I knew Golden Config was a very innovative config management feature, but I had no idea just how big of a business driver it is for Itential's customers.

I reached out to Itential's director of partnerships and asked him about Golden Config. He told me nearly all of their customers use it, including four of the top tier-1 service providers in the world. In fact, one service provider made a major investment in Cisco Network Service Orchestrator (NSO) for the express purpose of supporting Golden Config.

There are millions, if not billions, of dollars of network assets supported and deployed via Itential's Golden Config.

Changing the game for configuration management

Config management solutions range from Notepad and Excel spreadsheets (the world's most widely used operational support system) to large-scale enterprise systems like Micro Focus Network Automation. In many cases, enterprise systems rely on two key functions:

  • Banks of text files with versions of a given device config
  • Some kind of scripting engine to automate config sweeps and config deployment

The biggest problem with this method is the sheer volume of config files. System operators and network engineers must sift through thousands of config files, hoping they got the right version for the right device. Plus, the operator must contend with scripts for automation, which often creates complexity and requires development support.

Itential Automation Platform changes the config management game by addressing these challenges.

How Itential Automation Platform works

IAP provides the network operator an operations automation environment with a "dashboard," offering various services and use case focused applications. Two of those applications are Configuration Manager and Operations Manager. Both applications can change the way you manage config in large-scale networks.

Figure 1: IAP Ecosystem and the IAP Dashboard

Configuration manager

The typical use case for Golden Config is a single standard config that's used as a baseline for a class of devices. Usually the Golden Config contains standard settings for routing, services and access control. These settings would be considered "universal" for a class of devices.

For example, you may have a Golden Config for your network core devices and then a different Golden Config for your access devices, and so on. But you may have to make variants of those Golden Configs based on country, region and customer.

The result is a golden config that isn't really golden – that is, it's not universal. You end up with many "golden configs" for the same device depending on where and for what purpose it's deployed.

Itential upped the game on this with their implementation of Golden Configuration in IAP.

The golden config tree

Figure 2: Golden Config tree

Once you've developed your Golden Config tree, you can assign devices to all, or just parts, of that tree.

Because IAP provides a consolidated view of all the devices in your entire network, you simply link devices to their respective spot on the tree.

Instead of dealing with a stack of configs loosely mapped to a stack of devices, you now have a single config tree that propagates root configurations to child nodes. Configurations are derived from the parent node and users can write or copy native device configuration onto nodes. You can choose to use all or just parts of the tree against any given device.

Adding in IAP workflow automation

For each device type, the customer defines a standard compliance automation process, visualized as a workflow. The workflow compares the nodes on the tree to the attached inventory. For each device, you get a percentage of compliance. A single click brings up the "Fix" function, which then shows you the lines that are out of compliance and attempts to remedy the discrepancies.

Logic controls enhance the capability to manage each config line. For each line there is an =, ≠ or "match expression" operand. This allows you to do sweeps based on criteria like, "find all devices matching this ACL" or "throw a compliance error for each device that has this terminal setting". Logic controls extend your power to manage configurations beyond just "does it match the template or not?"
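A minimal model of the tree inheritance and per-line logic controls described above, as an added example that is not Itential's code or API. The `Rule` and `Node` classes, the operand semantics ("=" means the line must be present, "!=" means it must be absent, "match" is a regular expression) and the sample config are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    op: str    # assumed operands: "=", "!=" or "match"
    text: str  # literal config line, or a regex when op is "match"
    def passes(self, lines):
        if self.op == "=":       # line must be present
            return self.text in lines
        if self.op == "!=":      # line must be absent
            return self.text not in lines
        if self.op == "match":   # some line must match the regex
            return any(re.search(self.text, line) for line in lines)
        raise ValueError(f"unknown operand {self.op!r}")

@dataclass
class Node:
    name: str
    rules: list
    parent: "Node | None" = None
    def effective_rules(self):  # rules inherited from the root down, then this node's own
        inherited = self.parent.effective_rules() if self.parent else []
        return inherited + self.rules

def check(node, running_config):
    """Return (percent compliant, failed rules) for one device config."""
    lines = {l.strip() for l in running_config.splitlines() if l.strip()}
    rules = node.effective_rules()
    failed = [r for r in rules if not r.passes(lines)]
    pct = 100.0 * (len(rules) - len(failed)) / len(rules) if rules else 100.0
    return pct, failed

# Constructed tree (root for core devices plus a regional child) and constructed config.
core = Node("core", [
    Rule("=", "service password-encryption"),
    Rule("!=", "ip http server"),
    Rule("match", r"^ntp server \S+$"),
])
emea = Node("core-emea", [Rule("=", "access-list 10 permit 10.0.0.0 0.0.0.255")],
            parent=core)
DEVICE_CONFIG = """
service password-encryption
ip http server
ntp server 192.0.2.10
access-list 10 permit 10.0.0.0 0.0.0.255
"""  # "ip http server" violates the "!=" rule inherited from the root

if __name__ == "__main__":
    print(check(emea, DEVICE_CONFIG))
```

A device linked to the child node is scored against the root's rules plus the child's own, so one inherited violation here yields 75% rather than a pass on the regional lines alone.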

Figure 3: Configuration lines in Golden Config

The power of Itential's operations automation

Consistent best practices are the cornerstone of good network operations. Relying on written procedures (and everyone following them) could cost you a customer. Itential's Automation Platform empowers you to turn your written procedures into one-click executions.

Operations automation enables you to create a "stack of commands" to be run in sequence against a given device or inventory. You can create a "Command Template" with one or dozens of commands, all with logic controls (=, ≠ or match expression). The Command Template can be used as an automated check. For instance, you may have a pre-action check and a post-action check Command Template.

Let's say you plan to do a golden config sweep on a given device, but, before you do, you want to collect all the current routes and link states. In this case, you run a pre-action Command Template, then execute your golden config sweep / fix, then your post-action check. If there are any discrepancies, you can roll the device back to the last working config.

What's also great about Command Templates is that they're very easy to create. IAP gives you a graphical workspace where you input the commands, the logic operands and the expected results. This is as easy as building the maintenance procedure in an Excel spreadsheet. From there, they can be run directly through the user interface, called via IAP's northbound API, or incorporated into an operation workflow so that entire processes can be automated.

Figure 4: MOP Command Template

One very powerful use case for Command Templates would be an automated "mass upgrade" workflow.

Say a workflow is built to handle a mass rollout of an IOS upgrade to routers, but the workflow is designed to handle numerous fallout conditions. Command Templates can be used throughout the workflow to trigger code pulls from TFTP servers and then check devices for routes and link states pre- and post-upgrade. The workflow can then compile a list of devices that passed the upgrade, those that didn't and were rolled back, and those which need immediate attention.

Eliminating human error with IAP's workflow engine

Having a dashboard loaded with helpful "one-click" features is a great help to operations, but to really change the config management game, we need a way to automate as many human actions as possible. IAP ties it all together with the workflow engine.

One of IAP's most beneficial features is its graphical "low code" workflow engine.

Most workflow tools require extensive professional services engagement to stand up and operate.  Itential took a different approach. The company's product philosophy is to make their software highly flexible and rich in integration but do so with the least amount of "coding" on the operator's part.

IAP gives you a graphical workflow creation environment where you can drag / drop pre-built workflow functions to a canvas. You then set the data inputs / outputs for each functional block. The canvas allows you to draw lines between the blocks to determine the flow of variables from block to block. The result is a rich workflow design environment that doesn't require you to code or script.

Figure 5: Example IAP workflow

Now Command Templates and Golden Config functions can be folded into your workflow, and this is what makes the Itential Automation Platform so powerful.

Tying it all together

On their own, Golden Config and Command Templates are tremendous operations tools, but in a workflow, these tools become fully automated for a "zero-touch," end-to-end flow. You can even reuse workflows as sub-workflows within larger flows, which scales the ability to automate and create value.

To complete the picture, IAP uses off-the-shelf device controllers like Cisco's NSO or Red Hat's Ansible.  These systems act as "device adapters" that translate the intent of the workflow to actual device configs, commands and controls.

For example, IAP uses your Ansible Engine instance (and its associated modules) to talk to any device Ansible does. Likewise, with NSO, IAP leverages the network element drivers (NEDs) to do the same.

In both cases, IAP can dynamically discover modules, playbooks and service models, which allows you to build a rich operations-facing automation on top of your existing orchestrators.

There's much more to be said about IAP's ability to combine device configuration and control with workflow using an impressive API integration capability (AAA, Inventory, AD, ServiceNow, etc.). But, I'll save that for another article.

The important thing for now is that if you're using orchestrators today (NSO or Ansible, for example), you may want to consider the Itential Automation Platform. You can turn your stand-alone orchestrations into complete end-to-end operational process automations. If you're doing configuration management manually or with outdated tools, IAP can reduce the number of templates and replace scripting with true graphical workflow capability.

I think Itential is worth considering as part of any organization's config management and automation strategy. Feel free to drop me a line and I can provide more information about what I enjoy about Itential's software and how we've seen customers incorporate Itential solutions into their organizations.

 
