How do I check or retrieve configuration files for a device?

Pattern matching and policy files

To identify device configuration change

To identify policy violations

To prepare for checking or retrieving configuration files for a device

To check or retrieve configuration files for a device

Results of the configuration retrieval

Archiving retrieved configuration files

To view device configuration information by View

 

 ENA retrieves and interprets device configuration files through 3 types of configuration:

• retrieval task.
• exclude differences.
• policy rules.

ENA associates device and vendor sysOids to the appropriate retrieval script, excluded differences and policy rule files, e.g.:

cisco-generic-exclusions.cfg(.1.3.6.1.4.1.9)
.
.
cisco-generic-policies.cfg(.1.3.6.1.4.1.9)
hp-generic-policies.cfg(.1.3.6.1.4.1.11)

Devices that support configuration retrieval are then discovered as part of ENA's standard discovery process. ENA first attempts to match on the specific device sysOID. If that fails, it attempts to match on a vendor sysOID. If that fails then a configuration file is not associated with the device. You can amend the default association through ENA, but you must be careful to avoid making an invalid association.

 

Pattern matching and policy files

Before using configuration management to monitor network device configurations, you should amend pattern matching behavior and policy to meet your requirements, so that you can identify device configuration change and policy violations. You can set up pattern matching and policy through:

• generic exclusions files.
  • these specify text patterns that configuration management can safely ignore when trying to identify important configuration changes, e.g. timestamp changes.
  • ENA includes example generic exclusions files, e.g. cisco-generic-exclusions.cfg.
• policy files.
  • these specify configuration lines to which good and bad configurations should conform.
  • ENA supplies example example generic policy files for Cisco, HP and Juniper devices, the content of which you can amend to meet your requirements: cisco-generic-policies.cfg, hp-generic-policies.cfg.

Note, when amending exclusion and policy files, you should rename them to ensure your changes are not overwritten during your next ENA upgrade.

 

To identify device configuration change:

When you retrieve device configuration information, ENA compares the retrieved file with the previously retrieved file. ENA configuration management includes exclusion files to avoid flagging trivial changes in the configuration file, e.g. timestamp changes. You can specify default patterns that configuration management must ignore through these files.

The pattern matching file is parsed when saved to the device. It takes one discovery cycle for changes to be included to ENA. The patterns are stored in the ENA database, although updates must be amended in the pattern matching file.

Trivial changes

1. Different configuration changes made to any line, or group of lines, that match one of the ignore patterns are not considered a change to the configuration file. These changes are considered as trivial.
2. Where the only difference between a newly retrieved configuration file and the last archived file are trivial, the newly retrieved file is treated as thought it is an exact copy of the archived one and is discarded. ENA does not raise a change event.

Pattern matching rules are global, and applied to both network device startup configurations and running configurations.

Device configuration changes are displayed in the device's Device Configurations dashlet table, which is in the device's Configuration Monitor dashboard.

 

To identify policy violations:

ENA configuration management checks configuration files for policy violations, which are specified by policy files. Policy files can be specified on a device via the device's Configuration Monitor dashboard, under its Settings (Configuration Monitor Settings) dashlet.

• Policy files specify configuration lines to which good and bad configurations should conform.
• ENA supplies example example generic policy files for Cisco, HP and Juniper devices, the content of which you can amend to meet your requirements.

Policy violations are identified through two sections in the file:

• Include patterns, which identifies patterns that must be included to a configuration file.
• Exclude patterns, which identifies patterns that must be excluded from a configuration file.

You can amend policy files through a text editor, external to ENA.

Policy violations

When configuration management identifies policy violations, it can invoke policy violation events. Each policy definition includes a policy name, and when violated the policy name is included to the event.

• When the Include section is violated, ENA raises a CM Configuration Missing Policy Mandated Statement event on the first match of a particular violation.
• When the Exclude section is violated, ENA raises a CM Configuration Includes Policy Exclusions event.

Policy violation events have configurable expiry times, and corresponding clearing events that are raised when the configuration is found to have been edited to fix the violation.

 

To prepare for checking or retrieving configuration files for a device:

There are some stages you need to complete before you can check/retrieve the latest running/startup configuration for a device:

1. Click Main Menu and then Administration. Click Device Inventory.
2. On the Device Inventory page, navigate to and select the device you want to check. Click Modify at the bottom of the window.
3. This will open the Modify Devices window. Under the CLI Access section:
   1. select an access method in the Method dropdown field, either Telnet or SSH.
   2. select the Port on the device.
   3. enter the Username and Password that you would use to access the device itself. You might require a second password for admin or 'enable' rights.
   4. click OK.
4. Navigate to the Configuration Monitor dashboard of the selected device. In the Configuration Monitor Settings dashlet, click Edit Settings. This will open the Configuration Monitor Settings form. Here you can specify the parameters for configuration file retrieval, relating to the 3 types of configuration retrieval detailed below. Once you have completed this form, click Done in the top right of the form to return to the Configuration Monitor dashboard.

 

To check or retrieve configuration files for a device:

Once you have prepared the device for configuration retrieval, ENA provides 3 mechanisms through which you can retrieve device configuration:

• manual retrieval.
• scheduled retrieval.
• change-based retrieval.

Manual retrieval:

1. Navigate to the Configuration Monitor dashboard of the device you want to check.
2. Click Check Configuration Now via either the button in the top right of the dashlet, the dashlet Overflow Menu, or the device's Context Menu.
3. ENA will then retrieve the latest running/startup configuration from the device, and if it is different to the currently recorded version, it will update the device's Device Configurations dashlet table with the new file. If the number of configuration files in the table exceeds the specified Number of Archives listed in the device's Configuration Monitor Settings dashlet, the table will remove the oldest of these configuration files from the table.

Scheduled retrieval:

By default, ENA does not activate scheduled retrieval of device configuration.

1. Navigate to the Configuration Monitor dashboard of the device you want to check.
2. In the Configuration Monitor Settings dashlet, click Edit Settings to open the Configuration Monitor Settings form.
3. Turn on the slider in the Nightly Retrieval field. When enabled, ENA will retrieve configuration files daily at 02:00. ENA creates a queue and then, at one minute intervals, retrieves the configuration files from each monitored device in turn.
4. Click Done in the top right of the form to save your changes.

Change-based retrieval:

You can configure ENA to check for changes in either the startup or running configuration files' timestamps. A change in the timestamp indicates a change in the device configuration. After identifying a timestamp change:

1. ENA waits until 2 consecutive polls return unchanged timestamps.
2. ENA then waits a set period as defined through lcm.SNMPTriggerHoldOffTime in entuity.cfg.
3. After the hold time elapses, ENA checks the latest poll of the device. If the timestamp remains unchanged (which indicates updates to the configuration are complete), ENA then initiates a configuration retrieval.

To enable change-based retrieval:

1. Navigate to the Configuration Monitor dashboard of the device you want to check.
2. In the Configuration Monitor Settings dashlet, click Edit Settings to open the Configuration Monitor Settings form.
3. Turn on the slider in the Change Based Retrieval field.
4. Click Done in the top right of the form to save your changes.

 

Results of the configuration retrieval:

If the configuration retrieval fails, ENA raises the CM Startup Configuration Retrieval Failed event or CM Running Configuration Retrieval Failed event.

• In the Configuration Monitor Status dashlet, the Last Attempted field displays the time of the failed retrieval attempt and Last Retrieval Outcome is set to Failed. 
• You can view the task history to see its diagnostic data and understand the details of retrieval's failure.
• You can also check for other events that are raised against the device, e.g. Network Outage, to identify whether retrieval failure is a symptom of a more widespread problem or whether it is the real issue.
• You might also want to identify whether this event is raised against one or more devices:
  • if it is raised against one device, then it may be an issue specific to the device, e.g. the device is down. However, if you have initiated a manual retrieval, it may be a more widespread issue that is yet to show itself.
  • if it is raised against many devices:
    • check the transfer servers - although configuration monitor is configured to work with the specified server, it does not check that the server is running when attempting a retrieval. If the server is not running, the retrieval will fail. You can configure transfer servers (including OpenTFTPserver) to run in logging mode. You can then use the transfer server log files to identify the success of file uploads and troubleshoot any issues.
    • check that the specified transfer and archive folders exist and that they permit your transport servers to write to them.
    • check CLI credential sets are still valid.

If the configuration retrieval succeeds and identifies a configuration change, ENA raises an appropriate event:

• CM Startup Configuration Changed event.
• CM Running Configuration Changed event.
• CM Unsaved Configuration event.
• CM Firmware Version Changed event.

If the configuration retrieval succeeds and does not identify a configuration change, ENA updates the Last Attempted field to display the time of the successful retrieval attempt, and Last Retrieval Outcome is set to Succeeded.

• If the device configuration was previously identified as not being saved but is now saved, then ENA will raise a CM Previously Unsaved Configuration Saved event.

You can also refer to the configuration monitor reports:

• Configuration Monitor Settings report - summarizes the current configuration monitor settings of devices.
• Device Configuration Status report - details the last attempt at configuration retrieval.
• Device Configuration Summary report - summarizes the device configuration of the reporting period.

 

Archiving retrieved configuration files:

When the retrieval successfully completes, ENA only archives the files if they include a non-trivial change when compared to the previously archived files, or a specified policy violation. Newly archived files appear as a new row in the device’s Web UI Archived Configuration Files table.

By default, ENA retains a maximum of 4 archived configuration versions, including the current configuration. You can amend this number in the # of Archives field in the Configuration Monitor Settings form, setting it to a value between 1 and 10.

The below table details the configuration structure:

Attribute	Description
$ARCHIVEDIR	directory chosen for the archives during configure.
$DEVICE_ID	numeric StormWorks identifier.
$CONFIG_TYPE	either running or startup.
$CONFIG_FILE	the file itself.

A configuration file has the format:

$DEVICE_ID_$CONFIG_TYPE_$TIMESTAMP

where $TIMESTAMP is the time that configuration was triggered.

If a device signals an error condition during an attempted configuration check, ENA raises CM Startup Configuration Retrieval Failed and CM Running Configuration Retrieval Failed incidents and event. The details string identifies the device and the configuration file. If the retrieval failure is a symptom of other problems with the network or the device itself, other components of ENA should alert the user to the probable cause.

 

To view device configuration information by View:

You can see individual device configuration information by View via the Device Configurations Summary dashlet. This can be accessed either via:

• Configuration Monitor dashboard for a View.
• by adding a Device Configurations Summary dashlet to a custom dashboard and then accessing that custom dashboard in the context of your desired View.