Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Evolution of Network Configuration: A Tale of Two Campuses Hyojoon Kim †, Theophilus Benson ‡ Aditya Akella ‡, Nick Feamster † † Georgia Tech ‡ University.

Published byMeagan Simon Modified over 9 years ago

Similar presentations

Presentation on theme: "The Evolution of Network Configuration: A Tale of Two Campuses Hyojoon Kim †, Theophilus Benson ‡ Aditya Akella ‡, Nick Feamster † † Georgia Tech ‡ University."— Presentation transcript:

1 The Evolution of Network Configuration: A Tale of Two Campuses Hyojoon Kim †, Theophilus Benson ‡ Aditya Akella ‡, Nick Feamster † † Georgia Tech ‡ University of Wisconsin, Madison 1

2 What is Network Configuration? Collection of configuration files Express network policy Determines the overall network behavior 2

3 The Network State Changes Topology change Policy change Configuration change 3 How does network configuration change over time? How does network configuration change over time? Growth of firewalls in Georgia Tech

4 Configuration Changes 4 Georgia Tech Network Devices Number of line changes Routers326,458 Firewalls539,171 Switches353,420 Total1,219,049 Line changes in the past 5 years What are causing the changes? Where are the changes happening? Is there a noticeable pattern?

5 Our Contribution Examine change patterns over time Look at many different types of devices Provide better understanding – Help develop better configuration tools e.g., Change recommendations, feedbacks – Reduce misconfigurations 5

6 Our Data Configuration data from two campus networks – 5 years of accumulated configuration files Tools – CVS – RANCID (Really Awesome New Cisco confIg Differ) 6

7 Collecting Configuration Files 7 Pull configuration CVS Server CVS commit … RANCID Remote login (telnet, ssh)

8 Revision Control on Configuration Files When is the change? What changed? Regenerate each revision 8... 1.51 log @Fri Feb 5 15:04:28 EST 2010 @ text @a141 1 port-object range bootps bootpc a160 4 object-group service 12-123-12-13-any-udp udp port-object range bootps bootpc object-group service 12-123-12-14-any-udp udp port-object range bootps bootpc d173 16 a188 9 object-group service 13-14-15-16-any-udp udp port-object range bootps bootpc object-group service 14-15-16-17-any-udp udp... RCS Format

9 Our Approach 9 Data (RCS) Revisions Snapshot Analysis Snapshot Analysis Change Analysis Longitudinal Analysis Longitudinal Analysis Correlation Analysis Correlation Analysis Group simultaneous changes Take latest snapshot Compare revisions Sort revisions by time

10 Classifying Configuration lines 10 logging buffered 1024000 enable secret [deleted] username [deleted] aaa new-model … Interface Port-channel1 description WiSM-A virtual channel switchport trunk encapsulation dot1q switchport trunk allowed vlan 316,805,807-809,816,1296,1312 switchport mode trunk … router ospf xxxx router-id x.x.x.x … ip access-list extended access-vty-in permit tcp x.x.0.0 0.0.255.255 any range 22 telnet log-input … Management Layer 1 Layer 2 VLAN Layer 3 ACL Security Control Filter QoS

11 Overview of Results Routers are multi-functional – Univ. of Wisc: Layer 3 changes are 30% of total changes – Georgia Tech: Layer 3 changes are 5% of the total changes Firewall changes are concentrated on ACL – Around 87% of the total changes – Steep increase in the access control list lines Switches are about providing connectivity – Port-centric changes 11

12 Change Analysis on Routers 12 Number of line changes in all routers over 5 years - GT Static ARP 78%

13 Change Analysis on Firewalls 13 Number of changes in all Georgia Tech firewalls over 5 years Access Control 87%

14 Longitudinal Analysis on Firewalls 14 Change in number of Lines in all Georgia Tech firewalls Change in number of firewalls in Georgia Tech

15 Change Analysis on Switches 15 Number of line changes in all switches in Univ. of Wisconsin snmp trap

16 Correlation Analysis on Switches 16 Univ. of Wisconsin Switches Correlated changes% ACL, L124% L1, VLAN11% L1, L2, MGT11% MGT, L110% VLAN, MGT9%

17 Conclusion Study on how network configuration changes over time Reveal interesting characteristics about network changes – Magnitude and frequency of changes – Causes of changes 17

18 Conclusion Provide better understanding Improve current methods of configuring and managing network devices – Change recommendations – Reduce misconfigurations – More automation Questions? joonk@gatech.edu 18

19 Georgia Tech Network 19 RoutersFirewallsSwitches Total 16365716 1,097

Download ppt "The Evolution of Network Configuration: A Tale of Two Campuses Hyojoon Kim †, Theophilus Benson ‡ Aditya Akella ‡, Nick Feamster † † Georgia Tech ‡ University."

Similar presentations

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
LAN Segmentation Virtual LAN (VLAN).

LAN Segmentation Virtual LAN (VLAN).
Securing the Router Chris Cunningham.

Securing the Router Chris Cunningham.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implement Inter- VLAN Routing LAN Switching and Wireless – Chapter 6.
Virtual LANs.

Virtual LANs.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.

© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Configuring IP ACLs.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 VLANs LAN Switching and Wireless – Chapter 3.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 VLANs LAN Switching and Wireless – Chapter 3.
Implementing a Highly Available Network

Implementing a Highly Available Network
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
Layer 2: Redundancy and High Availability Part 1: General Overview on Assignment 1.

Layer 2: Redundancy and High Availability Part 1: General Overview on Assignment 1.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Securing Network Services.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
Theophilus Benson Aditya Akella David A Maltz

Theophilus Benson Aditya Akella David A Maltz
NMS Labs Mikko Suomi LAB1 Choose SNMP device managment software Features: –Gives Nice overview of network –Bandwith monitoring –Multible.

NMS Labs Mikko Suomi LAB1 Choose SNMP device managment software Features: –Gives Nice overview of network –Bandwith monitoring –Multible.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management.
© 1999, Cisco Systems, Inc. 11-1 Chapter 10 Controlling Campus Device Access Chapter 11 Controlling Access to the Campus Network © 1999, Cisco Systems,

© 1999, Cisco Systems, Inc Chapter 10 Controlling Campus Device Access Chapter 11 Controlling Access to the Campus Network © 1999, Cisco Systems,
Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005.

Cisco PIX firewall Set up 3 security zones ***CS580*** John Trafecanty Jules R. Nya Baweu August 23, 2005.

Similar presentations

Ads by Google