- Network
- A
Network Equipment Configuration Management Eltex | Oxidized
Every system/network administrator sooner or later faces a situation: someone edited the config, but it is not very clear who and when. There were no differential backups, syslog was not recorded.
How to find out what has been changed?
Looked for a suitable solution for a long time. Found it.
Goals
Find a free or OpenSource solution for backing up network equipment configurations.
Implement and use.
Technical details
We use a fairly large stack of equipment from Eltex. There are also remnants of Cisco, Nortel, Avaya, some Mikrotik.
The need has arisen to implement configuration management for this zoo. Moreover, regionally (throughout the Russian Federation), import-substituted and, of course, free of charge.
Asked google gemini
Question - Orchestration systems compatible with Eltex equipment
Answer Gemini - Great question! The choice of an orchestration system for Eltex equipment directly depends on the scale of your network, specific requirements, and automation goals.
Built-in Eltex tools
First of all, it is worth paying attention to the built-in management tools of the Eltex equipment itself. Many models support:
SNMP: A standard protocol for monitoring and managing network devices.
Read also:CLI: Command line for performing various configuration actions.
Web interface: A graphical interface for managing the device through a web browser.
These tools allow for basic orchestration and automation, especially in small networks or for performing routine tasks.
Some popular orchestration systems compatible with Eltex equipment:
Ansible: A highly automated configuration management system that uses a simple language to describe the desired state of the infrastructure.
Puppet: An open-source configuration system that uses a declarative language to manage infrastructure.
Chef: Another popular open-source configuration system that uses infrastructure as code.
SaltStack: A configuration management system that uses a master-agent architecture to manage remote systems.
CloudForms: A comprehensive platform for managing cloud infrastructure that includes orchestration features.
Reviewed the proposed options
Ansible - missed, successful implementation options for Eltex switches - either none, or I did not find.
Eltex ECCM - good in all respects, but not free, plus it is impossible to connect equipment from other vendors (most likely).
Oxidized - compatible, free (https://github.com/ytti/oxidized), trying.
About the solution
Oxidized - this is a universal solution that supports more than 130 types of devices from various vendors, so it is enough to install and configure it once and then use it regardless of the equipment used. This is much more convenient than solutions designed for the equipment of any particular manufacturer.
LET'S GET STARTED
For the setup, we will use Ubuntu 22.04 LTS, Eltex 2308B switch.
Oxidized is written in Ruby and therefore its installation is different from what Debian users are used to. Let's start by installing the necessary dependencies:
apt install ruby ruby-dev libsqlite3-dev libssl-dev pkg-config cmake libssh2-1-dev libicu-dev zlib1g-dev g++ libyaml-dev
Install Oxidized via RubyGems
gem install oxidized
gem install oxidized-script oxidized-web
gem install psych
Next, install Git to store configurations and control changes in them:
apt install git
Create a user for oxidized
useradd -s /bin/bash -m oxidized
Make a test login
su oxidized
oxidized
exit
First of all, set the default username and password with which oxidized will connect to network devices. I recommend using a separate user with a non-standard name for this, which should then be created on all network devices.
In our case
0xidiZed // P@$$w0rD
Don't forget to add privileges to the user on the switch, otherwise it won't work.
username 0xidiZed password P@$$w0rD privilege 15
Edit the Oxidized configuration file at
~oxidized/.config/oxidized/config
correct username | password
change model:eltex
change the request intervals (interval:86400) to save the configuration once a day
input - change from telnet to ssh, as it is more secure
output is responsible for storing the configuration information collected from the devices, we will use Git, so the configuration will look like this:
output:
default: git
git:
user: oxidized
email: [email protected]
repo: "/home/oxidized/.config/oxidized/devices.git"
We set the IP addresses of the switches in the router database file (in other words, csv file with delimiter : ) located at
"/home/oxidized/.config/oxidized/router.db"
create the necessary file
mcedit ~oxidized/.config/oxidized/router.db
Add our switch to this file
TstRouter:192.168.72.1
If you need to set authorization parameters different from the global ones, set them
TstRouter:192.168.72.1:User:Password
Next, we need to create a Systemd unit to work as a service, for this we copy the ready-made template:
cp /var/lib/gems/3.0.0/gems/oxidized-0.30.1/extra/oxidized.service /etc/systemd/system
Pay close attention to the version number, in our case oxidized-0.30.1
Reload the systemd content:
systemctl daemon-reload
Create a directory in /run:
mkdir /run/oxidized
And make the oxidized user its owner:
chown oxidized:oxidized /run/oxidized
Add the service to autostart:
systemctl enable oxidized
And start it:
systemctl start oxidized
Check the service status
systemctl status oxidized
Also check that the service is running on the correct port
ss -tpln
Configure git:
git config --global user.name "oxidized"
git config --global user.email "[email protected]"
git init oxidized.git
Install and configure NGINX (oxidized does not have its own web server).
apt install nginx
overwrite the default configuration
cat /var/lib/gems/3.0.0/gems/oxidized-0.30.1/extra/oxidized.nginx > /etc/nginx/sites-available/default
restart nginx
nginx -s reload
Go to the oxidized page
If everything is set up correctly, you will see a similar picture.
Check the operation (save the router configuration, change the configuration, save the configuration again)
That's all for now.
Later it will be necessary to add equipment from other vendors, configure encryption, TLS, divide equipment into groups, etc.
To be continued.
Write comment