> Take a look at Network Configurator from Netsation (www.netsation.com).
> It is pretty interesting.
> Is this what MCI uses to construct and manage their entire IP network?
I doubt it.
> I'm looking for a tool to do configuration management, too. But I need
> one with the following:
I work at a company that has done something very similar to what
you describe.
Two terribly clever colleagues wrote (two separate) systems to
interpret our databases into router configuration scripts, for various
router vendors.
> If, for example, one user is set up with a variety of access services,
> and I disable or delete that user, then it should be removed from all
> places where it is configured without me having to know.
This is a slightly different specification; you are talking about
deploying distributed security permissions. This could be a subfunction
of the configuration system.
> Yes, I do combine my network operations and server operations together
> and I want a package that allows me to fully integrate it all together
> without having to have separate packages.
You will be hard pressed to find a ready-made off the shelf package
to do what you want.
<rambling opinion>
Today's internet technology is complex. Harder than rocket science,
but it appears easier because we make up with BS that which is lost
by not understanding the formulas or having granular flow statistics.
The sum complexity of a network configuration system is a function of
the router/switch interpreter, the routing policy, the routing protocols,
and the databases with which one works.
Since implementing this complexity requires adhering to standards
or understanding your own policies and protocols (which few
really do), it's difficult to make generic solutions work for
networks of a given complexity.
We worked hard with one router vendor to create such a system, but
the exponential amount of work put in resulted in only a few useful
widgetish interfaces. They just didn't get it.
This is because they don't live and breathe it; they code; they write
MIBs; they don't fantasize about pull/push/check/click *presto* it's
configged. They live in their world, and rarely is the vendor's world
the practical world of the network engineer/operator.
A smart guy who sends out reports that embarrass people once pointed
out to me: the largest internet networks all have radically different
designs, and yet they all work remarkably well.
So, until someone with enough savvy, experience, and coding skills
attempts this task, I think it will stay proprietary and internally
developed by, and for, each network.
A middleware interpretation layer (i.e. sendmail's configuration
file) is needed before this generic configuration system can
be (fairly) easily implemented.
Tools exist (whose names escape me, but I'm sure bmanning
or vixie will point them out) that profess to interpret
radb configs into cisco and ascend configs, but they (in my/our
limited experience and exploration) fail to capture the IGP
variables or the various L2/L3 platform requirements.
</rambling opinion>
> Writing this myself will be a big project. Well, big for one person.
I'd estimate 2 sufficiently clueful and experienced people could write a
platform specific (cisco, ascend, fore, cascade, etc..) system in about
300 man-hours total; including debugging and sparse documentation. The
iterations of the system for different platforms would take less time,
but not less than one order of magnitude.
> It wouldn't be that big for a software development business that is
> banking on selling it to a lot of providers.
Yes it would; read _The Mythical Man-Month_ by Brooks, pub. Addison-Wesley.
> But is there even a market for this?
There certainly is; but the cost of customization may exceed the
demand.
> One thing I note about Netsation's product is that they promote it as
> a tool to deal with "cryptic IOS commands". IOS is _NOT_ cryptic.
I think one could say that Netstation or Netsys are good tools
for people who think IOS is cryptic. (don't flame me, dear vendors,
your tool can help mitigate detailed analysis, or help find
idiot mistakes [which we all make]; however, last time I looked
they didn't support IS-IS and choked when we tried to enter a smidgen
of our routers into the network).
> Where such a product is useful is managing the huge complexity of a
> large network, and in the case of what I am looking for, all of the
> other services as well.
For this, I think
you
should
write
your
own
or
hire or
fund
someone.
-alan
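The two points the thread keeps circling, a database that is the single source of truth for router configuration and the requirement that disabling a user pulls them out of every device "without me having to know", come down to one pattern: never hand-edit the routers, always re-render from the database and push the difference. The following is an added Python example illustrating that pattern; it is not code from the post, from Netsation, or from any vendor mentioned. The user records, the service catalogue, the device names and the two vendor "dialects" are all constructed for the example, and the config syntax is illustrative rather than any real vendor's.

```python
"""Source-of-truth driven config generation with revocation propagation.

Constructed example: a toy 'database' of users and the services they are
granted, a generator that renders per-device access-list lines for two
hypothetical vendor dialects, and a diff between two renders. Disabling a
user in the database is the only action taken; every device that carried
an entry for that user loses it on the next render, and the diff shows
exactly which lines are pulled from where.
"""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    ip: str
    services: set      # service names this user may reach (constructed)
    enabled: bool = True


# Constructed service catalogue: which device hosts each service and the
# port an access-list should permit (None = any). Names/ports are assumed.
SERVICES = {
    "dialin": {"device": "ascend-pop1", "port": None},
    "mail":   {"device": "cisco-core1", "port": 25},
    "web":    {"device": "cisco-core1", "port": 80},
}

# Which illustrative dialect each (constructed) device speaks.
DEVICE_DIALECT = {"ascend-pop1": "ascend", "cisco-core1": "cisco"}


def render_line(dialect, user, service, port):
    """One config line for one (user, service) grant. Syntax is illustrative."""
    if dialect == "cisco":
        if port is None:
            return f"access-list 101 permit ip host {user.ip} any"
        return f"access-list 101 permit tcp host {user.ip} any eq {port}"
    if dialect == "ascend":
        return f"user {user.name} allow {service} from {user.ip}"
    raise ValueError(f"unknown dialect {dialect}")


def render(users):
    """Return {device: sorted config lines} derived only from the database."""
    out = {dev: [] for dev in DEVICE_DIALECT}
    for u in users:
        if not u.enabled:          # disabled users render nowhere at all
            continue
        for svc in sorted(u.services):
            spec = SERVICES[svc]
            dev = spec["device"]
            out[dev].append(render_line(DEVICE_DIALECT[dev], u, svc, spec["port"]))
    return {dev: sorted(lines) for dev, lines in out.items()}


def diff(old, new):
    """Per device, which lines to remove and which to add between two renders."""
    result = {}
    for dev in set(old) | set(new):
        o, n = set(old.get(dev, [])), set(new.get(dev, []))
        result[dev] = {"remove": sorted(o - n), "add": sorted(n - o)}
    return result


def disable_user(users, name):
    """The single database change an operator makes; nothing device-specific."""
    for u in users:
        if u.name == name:
            u.enabled = False
    return users


def example():
    """Render before and after disabling 'alice'; return both plus the diff."""
    users = [
        User("alice", "10.0.0.5", {"dialin", "mail", "web"}),
        User("bob", "10.0.0.6", {"mail"}),
    ]
    before = render(users)
    after = render(disable_user(users, "alice"))
    return before, after, diff(before, after)


if __name__ == "__main__":
    _, _, changes = example()
    for dev, ch in sorted(changes.items()):
        for line in ch["remove"]:
            print(f"{dev}: - {line}")
        for line in ch["add"]:
            print(f"{dev}: + {line}")
```

The point of keeping `render` a pure function of the database is that there is no second place where a grant can survive: a user who is disabled in the record simply never appears in the output, on any platform, and the `diff` is what a push step would apply to each box. A real deployment would replace the constructed dialects with the actual vendor syntax and check the live config against the render before pushing, so that drift introduced by hand edits is caught rather than silently overwritten.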