Gluware (optional) Watchdog Agent provides independent monitoring of unauthorized changes, ensures connectivity and enables rollback

Gluware is a Software Defined Network Orchestration (SDNO) platform used to enable centralized control of the underlying network. One of the primary functions of an orchestration platform is flexible configuration management, from initial provisioning through ongoing lifecycle management. Orchestration platforms differ greatly from legacy systems that follow a “load and pray” style, where blocks of CLI are pushed down to one or more devices. Instead, orchestration systems use intent-driven logic built around network engineering models that ensure device changes are performed with network architecture awareness. Gluware is one of the few options in the market that does not need an agent on the device to perform the necessary operations. Its advanced method of provisioning, which runs the discovery engine and applies only the required changes, provides highly reliable change management so that centralized policy is enforced.

There are cases, however, where an agent can be deployed advantageously. For example, if a device loses its connection to the orchestration system after a recent configuration change, an agent can work independently and revert the configuration automatically. The same is true for monitoring a device for manual changes made outside of the orchestration system: these can only be detected by an independent, locally running agent. The agent provides an automated communication process by which information collected at the device is fed back to Gluware Control, enabling closed-loop telemetry.

For Cisco devices, Glue Networks has developed an optional “Watchdog Agent” which enables automatic rollback from a failed provisioning activity and monitors for unauthorized configuration changes. The agent is event driven and keeps track of the device's IP address to ensure that Gluware Control can reach the device. For connectivity, the agent watches for a user changing the IP address on the node manually and for a DHCP lease expiring and a new address being allocated. If the IP address changes, the agent notifies Gluware Control so that it can re-establish connectivity. During provisioning activity, the agent creates a backup of the current configuration, called a checkpoint, and enables a rollback timer. If provisioning fails and Gluware Control loses connectivity to the node, the agent restores the old configuration so that connectivity can be re-established.

Gluware Control Provisioning Log Showing Creation of Checkpoint

Upon Successful Provisioning the Rollback is Canceled

The Gluware Watchdog Agent also monitors for configuration changes. If any unauthorized changes are made (outside of Gluware Control), the agent notifies Gluware Control of who made the change, along with a timestamp. This enables IT operations to re-provision the node with a single click and remediate unauthorized changes within minutes, dramatically reducing troubleshooting and the potential downtime the change may have caused. Upon re-provisioning, the Gluware Engine runs “discovery”, examining every line of the configuration under management, and adds back lines that were removed or removes lines that are not supposed to be there. This keeps policy management centralized, keeps the network compliant with intended policy, and allows for easier network audits.

Gluware Watchdog Agent Provides Visibility to Unauthorized Changes in Gluware Control
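The line-by-line reconciliation described above can be sketched as follows. This is an added example, not Gluware's code: the function names `parse_config` and `reconcile` are hypothetical and the IOS-style configuration text is constructed. Each line is keyed by its parent block, so a `shutdown` placed under the wrong interface is still reported as drift.

```python
# Added illustration (not Gluware code): context-aware line reconciliation.
# Config text below is constructed sample data in IOS-style syntax.

INTENDED = """\
hostname branch-rtr-01
interface GigabitEthernet0/1
 description WAN uplink
 no shutdown
interface GigabitEthernet0/2
 description unused
 shutdown
ip ssh version 2
"""

RUNNING = """\
hostname branch-rtr-01
!
interface GigabitEthernet0/1
 description WAN uplink
 shutdown
interface GigabitEthernet0/2
 description unused
 shutdown
ip ssh version 2
snmp-server community public RO
"""

def parse_config(text):
    """Return each line as a tuple (ancestor lines..., line); indentation sets hierarchy."""
    entries, stack = set(), []          # stack holds (indent, line) of open parent blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                    # skip blank lines and '!' separators
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                 # close blocks at the same or deeper indent
        entries.add(tuple(l for _, l in stack) + (line,))
        stack.append((indent, line))
    return entries

def reconcile(intended, running):
    """Return (missing, unexpected): lines to add back and lines to remove."""
    want, have = parse_config(intended), parse_config(running)
    return sorted(want - have), sorted(have - want)

if __name__ == "__main__":
    missing, unexpected = reconcile(INTENDED, RUNNING)
    for path in missing:
        print("add:   ", " / ".join(path))
    for path in unexpected:
        print("remove:", " / ".join(path))
```

A flat comparison of line sets would miss the `shutdown` under GigabitEthernet0/1, because the same text legitimately appears under GigabitEthernet0/2.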

Use of the Gluware Watchdog Agent is optional and comes at no additional cost. Many production network customers choose to use the agent, especially when command line access to devices is still allowed, or when complex changes are necessary and the reliability of network connectivity during provisioning must be ensured. Monitoring of unauthorized changes is also a compelling capability. The agent requires no special configuration and, when enabled, is loaded on each device upon initial provisioning.