Nipper and Cisco configuration results

I did see a few false positives too with Nipper. What do you think about Router Audit Tool (RAT) instead? I downloaded ncat (aka RAT), but it does not have a global configuration file which I can use for all the routers and switches I have. Any tips on ncat/RAT configuration? I could not find any examples on using ncat.

Subba Rao

I did see a few false positives too with Nipper. What do you think about
Router Audit Tool (RAT) instead?

RAT is the approved IOS security audit tool at $work, so it doesn't
matter what I think about it :)
But it is fairly nice ... as long as you keep in mind its limitations.

I looked at Nipper a while back; it had some nice features but not
enough to keep me from uninstalling it.

The problem I have with both RAT and Nipper is they're geared towards
security and I'm more interested in verifying that the routers are
configured correctly. What kind of tools are people using for that?
For an example of the type of thing I'm interested in, see
filter_audit in the presentation at
http://www.nanog.org/mtg-0210/abley.html

I downloaded ncat (aka RAT), but it does
not have a global configuration file which I can use for all the routers and
switches I have.

Works for me... just remember that RAT is pretty old & fails
miserably on things like 6500s that are both routers and switches. So
figure out what's common to all your routers and configure RAT to
check that set of parameters. Then create another RAT config for
L2/L3 switches that doesn't check as much (e.g. don't check for
proxy-arp being disabled).

Regards,
Lee

The problem I have with both RAT and Nipper is they're geared towards
security and I'm more interested in verifying that the routers are
configured correctly. What kind of tools are people using for that?
For an example of the type of thing I'm interested in, see
filter_audit in the presentation at
http://www.nanog.org/mtg-0210/abley.html

Homebrew: pull configs on a regular basis. Decompose monolithic
configs into a file tree of "configlets."
Diff configlet tree against peer and template devices. "Invert" device
specific configlet tree into element specific tree. This helps diffs
stand out for config elements that should be consistent.

Put it all into a git repository for revision control. Run git-web for
the user interface.

Catches most of the obvious stuff, and gives a nice history of
changes. The configlet tree also gets used for "grep | xargs" style
pipelines for automation scripts.

Would like to improve the diff process to mask out common information
(ip address, hsrp priority etc.). This would help reduce the amount of
diff noise for interfaces.

We looked at free (RANCID, Ziptie) and expen$ive (Opsware) but none of
them really did what we wanted.

Tim:>
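The "configlet" approach described in the post above, as an added example that is not code from the thread or from any of its posters: each constructed IOS config is split into top-level blocks (a top-level line plus its indented children), the device-to-configlet tree is inverted into a configlet-to-device tree so drift in elements that should be identical stands out, and per-device noise (IPv4 addresses, HSRP priorities) is masked before diffing a device against a template. The device names, addresses and the template itself are constructed sample data; the masking rules are the ones the post names, nothing more.

```python
"""Configlet-style audit of Cisco IOS configs (added example, constructed data).

Splits each config into top-level "configlets", inverts device->configlet
into configlet->device, and diffs each device against a template with
IP addresses and HSRP priorities masked so only policy drift is reported.
"""
import re
from collections import defaultdict

# Constructed sample configs; "template" is the hypothetical golden config.
CONFIGS = {
    "template": """\
service password-encryption
no ip source-route
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 no ip proxy-arp
 standby 10 ip 10.0.10.1
 standby 10 priority 110
line vty 0 4
 transport input ssh
 access-class 10 in
""",
    "rtr1": """\
service password-encryption
no ip source-route
interface Vlan10
 ip address 10.0.10.3 255.255.255.0
 no ip proxy-arp
 standby 10 ip 10.0.10.1
 standby 10 priority 100
line vty 0 4
 transport input ssh
 access-class 10 in
""",
    "rtr2": """\
service password-encryption
interface Vlan10
 ip address 10.0.10.4 255.255.255.0
 standby 10 ip 10.0.10.1
 standby 10 priority 90
line vty 0 4
 transport input telnet ssh
 access-class 10 in
""",
}

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HSRP_PRIO = re.compile(r"^(standby \d+ priority )\d+$")


def split_configlets(text):
    """Return {top-level line: [stripped child lines]} for one config."""
    tree, header = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0].isspace():           # indented => belongs to current header
            if header is not None:
                tree[header].append(line.strip())
        else:                           # new top-level statement or block
            header = line
            tree.setdefault(header, [])
    return tree


def mask(line):
    """Blank out per-device values (addresses, HSRP priority) to cut diff noise."""
    line = IPV4.sub("<ip>", line)
    return HSRP_PRIO.sub(r"\g<1><prio>", line)


def invert(trees_by_device):
    """device -> {header: children}  ==>  header -> {device: children}."""
    inverted = defaultdict(dict)
    for device, tree in trees_by_device.items():
        for header, children in tree.items():
            inverted[header][device] = children
    return dict(inverted)


def inconsistent(inverted):
    """Headers whose masked contents are not identical across all devices that have them."""
    out = []
    for header, per_device in inverted.items():
        views = {tuple(mask(l) for l in ch) for ch in per_device.values()}
        if len(views) > 1:
            out.append(header)
    return sorted(out)


def diff_against(template, device, device_name="device"):
    """Findings for one device versus the template, compared on masked lines."""
    findings = []
    for header, t_children in template.items():
        if header not in device:
            findings.append(f"{device_name}: missing configlet '{header}'")
            continue
        t_masked = [mask(l) for l in t_children]
        d_masked = [mask(l) for l in device[header]]
        findings += [f"{device_name}: '{header}' lacks '{l}'" for l in t_masked if l not in d_masked]
        findings += [f"{device_name}: '{header}' has extra '{l}'" for l in d_masked if l not in t_masked]
    return findings


def audit(configs, template_name="template"):
    """Return ({device: findings}, inverted configlet tree) for all non-template devices."""
    trees = {name: split_configlets(text) for name, text in configs.items()}
    report = {name: diff_against(trees[template_name], tree, name)
              for name, tree in trees.items() if name != template_name}
    return report, invert(trees)


if __name__ == "__main__":
    report, inverted = audit(CONFIGS)
    for device, findings in report.items():
        print(device, "OK" if not findings else "")
        for f in findings:
            print("  ", f)
    print("inconsistent elements:", inconsistent(inverted))
```

With the noise masked, rtr1 comes back clean even though its interface address and HSRP priority differ from the template, while rtr2 is flagged for the missing `no ip source-route`, the missing `no ip proxy-arp` and the changed vty transport. In practice the configs would come from the pulled-config tree rather than inline strings, and the masking regexes grow with whatever else turns out to be legitimately per-device.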