On Tue, Oct 20, 2009 at 11:11 AM, Luke Quattrochi <luke.quattro...@gmail.com > wrote:
> ... our IT department is brutally small for the size of our company. We
> don't have a network admin. Unfortunately I'm not one of those brilliant do
> it all types, and I am best kept out of the Cisco equipment. Any type of
> network configuration is done by consultant (meaning they are rare, and this
> is limiting). This means even if I buy a cheap $400 router for site to site
> VPN I have to pay an expensive hourly rate to get it configured.

That's actually very common, and it's one of my reasons for creating the open source Netomata Config Generator tool (http://www.netomata.com/products/ncg). With a tool like NCG, you could hire a consultant once to set up the templates for your VPN configs, and then be able to easily add more sites yourself whenever needed. You would add the descriptive info for the new site (its name, WAN-side IP address, range of addresses you're assigning to the LAN there, etc.) to a simple file, then do "make", and NCG would spit out new configs for everything involved: the central VPN concentrator, the remote router, DNS, DHCP, Nagios, MRTG, whatever; everything that your consultant had created templates for.

One of my goals in creating NCG is to create a tool that makes routine changes like this (i.e., "add one more VPN site") as simple and error-free as possible. One of the ways you do that is by simplifying the information you need to provide each time, and the way in which you provide it.

For example, if I were the one setting up the templates for a VPN cluster like this, I'd arrange things so that there was a master list of remote VPN sites: a file with one line per remote site, with tabs separating each column on each line, with the following columns:

    Remote site name
    Remote site number
    Remote site WAN IP address
    Remote site LAN IP network address and netmask

It would look something like this:

    % name     id   wan_ip           lan_ip           lan_netmask
    dallas     1    198.102.244.36   10.9.16.0        /24
    tucson     2    128.32.152.11    192.168.101.0    /24
    fresno     3    72.18.24.39      172.16.24.128    /26

Thus, adding one more site would be as simple as adding one more line to that file, then typing "make" to regenerate all the configs for all the devices and services.

Generating all your configs programmatically, this way, also has the benefit that your configs are complete, correct, and consistent. That both improves the reliability of your network (inconsistencies in configuration are a significant source of network problems), and makes it easier to troubleshoot when there _are_ problems (you won't have to wonder if the differences between two configs are intentional or relevant).

You'd end up hiring a network consultant once, to create your templates, rather than hiring one every time you needed to add one more site.

Plug: I'll be teaching a full-day class about automating network configuration in general, and about NCG in particular, at the USENIX LISA Conference in Baltimore in a couple of weeks; it's not too late to register!
http://www.usenix.org/events/lisa09/training/tutonefile.html#m3

Plug 2: Of course, I'd also be happy to be the network consultant who you hire once, to set up NCG and your templates, so that you don't have to keep hiring a consultant every time you want to make a straightforward change like adding one more site to your VPN...

-Brent

--
Brent Chapman <br...@netomata.com>
Netomata, Inc.
--
www.netomata.com
Making networks more cost-effective, reliable, and flexible by automating network configuration

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/