The recent surge of network automation tools has marked a shift in how administrators build and manage networks. While server and application automation tools have been around for some time, few tools of this type have been available for networks. Manual processes had largely accomplished configuration setup and ongoing network changes, but network automation tools have since emerged to reduce these manual steps.
Even though network automation tools might take different approaches toward automation, they all aim to reduce admin time spent on simple and repetitive configuration processes. In this article, we look at the benefits of network automation tools, how to differentiate three distinct types of network automation platforms and eight popular multivendor network automation tools.
Features of network automation tools
Every network automation tool in this list of the top eight can automate configuration changes in multivendor environments. The tools accomplish this through the automation of command-line syntax and then push those changes to each device that requires the change. Instead of having a network admin log in over Secure Shell (SSH) to every router, switch and firewall to manually modify the text-based configurations, automation tools create configuration scripts that accomplish the same goal in far less time and with fewer mistakes.
Another popular method for network automation tools to access and automate network device configurations is through an API. This more modern and elegant way of interacting with network equipment can reduce admin time spent making frequent network changes.
Some network automation tools go beyond the process of simply automating configuration changes. Examples of other network automation features include the following:
- Configuration backups. Regularly scheduled backups are encrypted and stored safely in case a network component configuration needs to be rolled back or restored.
- Tool access control. This feature manages who has the authority to push configuration changes across certain segments of the network. An accounting log is also generated to show the complete history of changes.
- Compliance monitoring and verification. Admins can automate the process of determining if a network device meets preestablished compliance and regulation standards.
- Vulnerability assessments. This automated process identifies firmware and configuration settings that are known to be vulnerable.
- Performance monitoring. IT can read and analyze network performance insights on certain vendor hardware to provide configuration recommendations to further improve performance.
- Network orchestration. This feature auto discovers network devices for the centralized control and end-to-end coordination of LAN configuration additions and changes.
The 3 types of network automation tools
Network automation tools can fall into one of three categories. The first category is tools that were primarily built for server and application automation but have expanded to include the network. Many enterprise IT shops may already have some of these tools in use for infrastructure and DevOps purposes. The benefit with these tools is they're already in-house and IT staff may be well versed on how to use them. Thus, adding network automation processes into an existing tool would not be much of a stretch from a cost, implementation and learning curve perspective. That said, some of these infrastructure automation tools are light on network automation features and compatibility with various network hardware and software.
Another type of network automation platform is tools that are purpose-built for the network. These tools offer the most network-specific features and functionalities. The caveat, of course, is that it's yet another one-off tool for this specific purpose. IT shops with tool glut may want to look elsewhere.
Lastly, software-defined platforms create a software overlay across LAN hardware. This overlay enables admins to centrally manage and orchestrate configurations from a single management pane, masking the underlying configuration commands that are happening within the underlay. This option is great for simplifying multivendor environments that require frequent changes to LAN configuration settings.
Evaluating top network automation tools
Ansible Tower
Ansible is an open source platform that was originally built as an automation tool for Linux-based systems. The platform was acquired by Red Hat in 2015. Since then, Red Hat has expanded Ansible capabilities to automate other parts of enterprise IT infrastructure, including network devices. Ansible Tower is the commercial version of the product. This enterprise-grade tool set includes access controls, security, and auditing and reporting features that are necessary for most IT departments.
Because Ansible uses an agentless architecture, it works well when automating hardened and proprietary systems, such as network appliances. Thus, interactions between the Ansible Tower platform and any network equipment it automates are performed via SSH or through an open API. Additionally, Ansible offers hundreds of prebuilt network modules that do much of the heavy lifting for creating automation processes. Prebuilt modules include automation templates for multiple vendors, such as A10, Cisco, Dell and Fortinet. Ansible Tower is a particularly good option if it's already in use by server, application and development teams.
BeyondEdge SD-LAN
BeyondEdge Networks -- formerly iPhotonix -- got its start in carrier access networking technologies. Anticipating the evolving landscape for network architecture, the company acquired software-defined WAN technology from Netsocket to further advance how it manages networks with its software-defined network vision. Taking the framework and experience from the software-defined market, the company expanded its product into enterprise LAN. The result is a software-defined LAN (SD-LAN) platform that can overlay across any existing switching vendor or white box technologies. Because the platform is vendor-agnostic, it can operate on top of virtually any underlying network, including copper or fiber. Thus, it gives businesses the network automation capabilities inherent in software-defined networks at a lower cost.
BeyondEdge SD-LAN auto discovers all Layer 2 connectivity on a network, dynamically stitching the underlying topology of the network into a visual model. At the same time, network automation templates are used to configure the LAN services directly to their respective endpoints. Once complete, network admins can centrally manage network-wide changes directly from the BeyondEdge UI.
BMC TrueSight Automation for Networks
BMC's TrueSight Automation for Networks is a stand-alone, purpose-built platform that generally takes a security-focused approach to network automation. The tool set can integrate into the larger BMC TrueSight AIOps platform, which includes tools for operations management, network orchestration and server automation.
Automation for Networks also includes tools that automate network equipment vulnerability checks, compliance checks, configuration verifications and other security-minded provisioning tasks. The product integrates with network discovery tools, including the BMC Discovery product, as well as third-party options from Cisco, Entuity and Ipswitch.
From a network vendor compatibility perspective, TrueSight supports a wide range of vendors, including Arista, Check Point, Cisco, Dell, Hewlett Packard Enterprise (HPE) and Juniper. It can also integrate and automate processes within software-defined networks, including VMware NSX and Cisco Application Centric Infrastructure.
Chef Enterprise Automation Stack
Chef is a completely open source automation tool set. However, most enterprises that are looking at network automation should consider the commercially available Chef Enterprise Automation Stack as it adds many features that are necessary in today's IT departments, including professional support. The tool set helps admins streamline and manage various server, application and network policies, both on premises and in the cloud. Chef has been a popular choice for server and development teams, so some teams within IT may already use Chef Enterprise Automation Stack.
Unlike others on this list, Chef uses agents that are installed on network devices. The agents work with the Chef platform to automate various network configuration tasks, such as making changes to router/switch ports and virtual LANs or modifying quality-of-service policies across a network. Because of the requirement of an installed agent, Chef supports fewer network vendors compared to others, although it is compatible with some of the larger network vendors, including Arista, Cisco, Juniper and F5.
ManageEngine Network Configuration Manager
A division of Zoho Corporation, ManageEngine designs enterprise-grade IT management platforms. The company's Network Configuration Manager is a purpose-built platform with several useful features. Besides being a multivendor network configuration automation platform, the product has tools to manage and control network changes, securely store configurations, and create and enforce network compliance and auditing. ManageEngine supports router, switch, firewall and other network device automation from vendors, including Cisco, Dell, Juniper and Fortinet.
Network Configuration Manager uses the concept of configlets, which are automation templates that admins can build to automate many repetitive tasks. The tool can also automate many compliance monitoring and verification processes for Sarbanes-Oxley Act, Payment Card Industry and HIPAA purposes. It can also generate detailed reports when admin-defined configuration policies are violated. An example of this would be to verify that Simple Network Management Protocol communities are set using the appropriate password strength.
The platform even offers a smartphone app, where you can manage configuration automation and compliance on the go. ManageEngine has been in the network automation business for a long time and has a large customer base.
Puppet Enterprise
Puppet is another infrastructure automation tool that's popular in the server and app dev world. For network admins looking to consolidate tools, Puppet Enterprise may help, as other IT teams within the company may already use it; it takes only the installation of one or more networking modules to squeeze some basic network automation features out of the platform. Puppet is open source, but most organizations have likely opted to use the paid Puppet Enterprise. The enterprise version is also necessary to obtain the add-on network automation modules. Additionally, while Puppet is largely agent-based, the network automation modules are fully agentless.
Current network automation modules include support for Cisco Internetwork Operating System, IOS XE and Nexus hardware. Other modules exist for Palo Alto PAN-OS firewalls, Lenovo switches and F5 Local Traffic Manager load balancers. While this list isn't as extensive as some of the others, it may serve as a low-cost option for organizations that have already purchased Puppet Enterprise and run a network largely composed of gear from these vendors.
SaltStack Enterprise
SaltStack develops and sells IT operations and security software tools that aim to simplify infrastructure management and data security. The SaltStack Enterprise product is built on Python-based automation software known as Salt. SaltStack is another one of those infrastructure automation platforms -- similar to Puppet, Chef and Ansible -- that have added a level of network automation to their tool set. Thus, while it may not have all the capabilities of purpose-built network automation tools, it may provide admins with just enough.
SaltStack Enterprise is also focused on security. It offers users the ability to run firmware checks against known vulnerable versions, as well as scour command-line network configurations to identify network configurations that have gone out of compliance.
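The two kinds of automated check described in this article, the SNMP community-strength policy from the ManageEngine section and the firmware and configuration compliance scans mentioned here, can be sketched in a few lines. This is an added example, not code from any of the products discussed; the strength policy, the vulnerable-version list and the sample configuration are all constructed assumptions, and the configuration lines use IOS-style syntax.

```python
import re

# Assumed policy for this example (not taken from any product's rule set).
MIN_LEN = 12
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "community"}
# Constructed placeholder list; a real tool would load this from a vulnerability feed.
VULNERABLE_VERSIONS = {"15.0", "15.1"}
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", re.I)
VERSION_RE = re.compile(r"^version (\S+)$")
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")

def community_problems(community):
    """Return the reasons a community string fails the assumed strength policy."""
    problems = []
    if community.lower() in DEFAULT_COMMUNITIES:
        problems.append("well-known default")
    if len(community) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if sum(bool(re.search(p, community)) for p in CLASSES) < 3:
        problems.append("fewer than 3 character classes")
    return problems

def audit_config(hostname, config_text):
    """Scan one device configuration; return (host, line_no, finding) tuples."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if m := VERSION_RE.match(line):
            if m.group(1) in VULNERABLE_VERSIONS:
                findings.append((hostname, line_no, f"firmware {m.group(1)} on vulnerable list"))
        elif m := SNMP_RE.match(line):
            community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            # Report by line number only, so the secret itself never reaches the report.
            for problem in community_problems(community):
                findings.append((hostname, line_no, f"SNMP community: {problem}"))
            if mode == "RW" and acl is None:
                findings.append((hostname, line_no, "SNMP community: read-write without ACL"))
    return findings

# Constructed sample configuration (IOS-style syntax), not from a real device.
SAMPLE = """\
version 15.1
hostname edge-sw1
snmp-server community public RO
snmp-server community Xk9#mPq2!vLr7z RW 10
snmp-server community netops2020 RW
"""

if __name__ == "__main__":
    print(*audit_config("edge-sw1", SAMPLE), sep="\n")
```

Run against backed-up configurations on a schedule, a check like this produces the kind of policy-violation report the article describes, with each finding tied to a device and a configuration line.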
SolarWinds Network Configuration Manager
SolarWinds has been in the network automation business since long before it became mainstream. Its Network Configuration Manager product is compatible with several network vendors, but advanced features tend to skew toward Cisco and Palo Alto. Other supported vendors include Juniper, HPE/Aruba, Dell and F5.
Like ManageEngine, SolarWinds also includes several security features, in addition to typical network automation capabilities. One of the more unique features of SolarWinds Network Configuration Manager is the integration with the National Vulnerability Database. With this continuously updated database, the platform can automate the identification of unsafe firmware or enabled services on networked devices.
Network Configuration Manager integrates with other SolarWinds tools in the vendor's product portfolio, including its Network Performance Monitor tool.