rConfig vs Netshot part 2

You may remember from our last blog that we decided to replace SolarWinds’ NCM product. Let’s not dwell on the past but instead move on to bigger and brighter alternatives.

We started with open source projects that are free to set up and use to get an idea of our options and what features we can’t live without. The top contenders in this field are Rancid, Oxidized, Trigger, Rconfig, and Netshot. My first requirement is a Web UI, eliminating Rancid, Oxidized, and Trigger off the hop. Off to a good start! Let’s check out the remaining two:

Rconfig

  • Mostly coded in PHP, but also uses YAML for templates.

  • Additional templates available.

  • No updates since July 2020 so it’s been about 7 months and counting with no development.

  • Minimum requirement of CentOS 7+

    • Script to install requires CentOS 6 or 7.

  • Rconfig v5 may be an excellent product but we tested version 3 since it’s the free one.

  • UI cluttered with not useful stuff.

This product had some hiccups along the way, most notably it lacks explicit support for IOS XR. GitHub user Rwhinery’s unanswered IOS_XR concerns are almost a year old now. I had the same problem at first but was able to resolve it and pull XR configurations after some investigation.

Unfortunately it also struggled to work with HP ProCurves, Brocade switches, and Cisco ASAs as each required a customised connection template. The Rconfig community appears nonexistent so you must fix it yourself.

Ultimately I managed to get through the problems with config backups. The next step was setting up the compliance tools but I couldn’t get them functioning and was rather disappointed after all that work for nothing.

Netshot

  • Mostly coded in JavaScript and Java.

  • No support for HP ProCurve.

  • Actively developed with day-old changes.

  • Issues addressed rapidly by the developer.

  • I like the Web GUI.

  • Install went smoothly and supports any Linux distro.

    • Upgrade was easy. More on this below.

I had several hiccups in setup but the underlying problem was the recent release of the software was buggy and unusable. The developer fixed the issue but did not release a new version. Version 0.16.1 turned around in less than a day and it worked perfectly.

All of our Cisco devices auto-configured - classic IOS, IOS XE, IOS XR, ASA, all of them. All I needed to do was input the device IP and it pulled model information via SNMP to fill out the device profile.

Onboarding Brocade devices wasn’t quite as smooth. The SNMP auto-discovery selected the correct model but the driver didn’t actually pull the configuration. After debugging the process I found the driver hung at the enable password prompt so I fixed it and reported the issue. The developer issued a fix in less than a day.

Then I moved on to HP and had to write the driver mostly from scratch. This was extra difficult because I haven’t worked with JavaScript before. After some sweat I put together a working driver but it didn’t quite fill in all the fields. I also couldn’t get SNMP auto-discovery working though, to be fair, HP MIBs are pretty lacklustre. That said, I successfully pulled configs so it works.

Compliance is less than effective. It mainly checks software versions and puts EOL dates on hardware. Both are good features but I’m looking for a deeper dive into the configs for things like ‘No cisco 7 passwords’ or ‘make sure enable secret and not enable password is in use’. Ideally I’d like to go even further and be able to verify/validate ACLs on SSH access for example. Basically I want it to check the config against the hardening guide for me.
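
The config-level checks wished for above, sketched as an added example (not part of the original post, and not Netshot or Rconfig code): it audits a saved IOS-style config for type 7 passwords, `enable password` versus `enable secret`, and an ACL plus SSH-only transport on every vty line. The sample config is constructed, the rule names are hypothetical, and only named ACLs are assumed.

```python
import re

# Constructed sample IOS-style running-config (not taken from a real device).
SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
username admin privilege 15 secret 9 $9$constructedHash
username backup password 7 094F471A1A0A
ip access-list standard MGMT-SSH
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
line vty 5 15
 access-class OLD-MGMT in
 transport input ssh telnet
"""

def vty_blocks(lines):
    """Return [(header, [sub-commands])] for every 'line vty' section."""
    blocks = []
    for ln in lines:
        if not ln.startswith(" "):       # top-level command opens a new block
            blocks.append((ln.strip(), []))
        elif blocks:                     # indented line belongs to the last block
            blocks[-1][1].append(ln.strip())
    return [b for b in blocks if b[0].startswith("line vty")]

def audit_config(text):
    """Return (rule_id, detail) findings for one device configuration."""
    lines = text.splitlines()
    # Rule 1: no reversible type 7 passwords or keys anywhere.
    findings = [("TYPE7", ln.strip()) for ln in lines
                if re.search(r"\b(password|key)\s+7\s+\S+", ln)]
    # Rule 2: 'enable secret' in use, 'enable password' absent.
    if any(ln.startswith("enable password") for ln in lines):
        findings.append(("ENABLE_PASSWORD", "enable password is configured"))
    if not any(ln.startswith("enable secret") for ln in lines):
        findings.append(("NO_ENABLE_SECRET", "enable secret is missing"))
    # Rule 3: each vty block needs an inbound ACL that is defined, and SSH only.
    defined = set(re.findall(r"^ip access-list \w+ (\S+)", text, re.M))
    for header, body in vty_blocks(lines):
        acl = next((m.group(1) for b in body
                    if (m := re.match(r"access-class (\S+) in\b", b))), None)
        if acl not in defined:
            findings.append(("VTY_ACL", f"{header}: {acl or 'no access-class'}"))
        if [b for b in body if b.startswith("transport input")] != ["transport input ssh"]:
            findings.append(("VTY_NOT_SSH_ONLY", header))
    return findings
```

Run over each saved backup, a non-empty result from `audit_config` marks the device as out of line with the hardening guide; a vty block with no `transport input` line is flagged too, since it is not explicitly restricted to SSH.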

Conclusion:

Netshot is far better than Rconfig v3. I wish I could test out v5 of Rconfig but they don’t seem to have a demo.

At least I’m starting to compile our base requirements:

  1. Web GUI behind login screen

    • Possibility of two factor auth, radius, or Active directory authentication would be nice to have.

  2. Profiles/drivers for different hardware types.

  3. Device credentials.

  4. SSH and ability to run commands.

  5. Save the output.

Compliance is obviously also important but it’s not base as we have no chance of doing compliance properly if we can’t first pull and save device info and config.

One of my personal goals has been to learn one of the popular Python web frameworks. Django, TurboGears and web2py are the common popular ones, and my Python projects would benefit from a web GUI. These frameworks, teamed up with Netmiko for SSH connections, allow me to build the basic app. I guess this means I’m starting my own NCM project? LARG*ncm? Comment with name ideas and stay tuned!
