Cisco optimize

What's the best Cisco router configuration and management tool?

It's rare to be able to accomplish everything you need using only the Cisco IOS; the reality is that additional tools are necessary. Because of the plethora of tools available, the challenge is selecting the right tools. David Davis is on a mission to compile the ultimate list of Cisco administration tools -- but he needs your help.

When it comes to network monitoring and administration tools, the options are plentiful -- and often overwhelming. Even after a few months of installing recommended tools, I often forget which ones do what and how to use them. And I know I'm not the only one.

In my weekly Cisco Routers and Switches column, I frequently introduce a tool that helps improve and simplify Cisco router and switch management and configuration. I've heard from readers about their own experiences and favorite tools, which has often inspired me to write columns about some of the more handy choices.

But now, I want to create a definitive list of Cisco management tools that should be in every administrator's toolbox, and I need your help. Readers, which tools can't you live without?

Before you answer, let's look at some of the tools I've discussed in the past:

These are all great tools, and there are plenty more out there. For example, what about SolarWinds Engineer's Toolkits and CiscoWorks?

But how many network tools can you really use? How many tools do you have installed that you actually use consistently? The reality is that, while there are many helpful tools available, we often stick to a few tried-and-true picks.

In my case, just after installing a Syslog server (Kiwi), TFTP server (tftpd32), SSH/Telnet client (SecureCRT), network monitoring (WhatsUp), protocol analysis (Wireshark/Ethereal), and network performance tool (PRTG), I'm exhausted. It can be difficult to recall what all the tools were and how they function -- and even more difficult to keep them all up to date with the latest version. In the case of the more complex tools, you may need a class or a large book to learn how to use the tool.

My Start menu is so full of tools that it's beginning to take over my 19-inch monitor when I click Start. Why do I need so many tools?

I can't be the only one overwhelmed by all these tools, and it's time to narrow it down. Here's what I want to know:

  • Which tools do you use every day?
  • What critical tools have I left out of this discussion?
  • Is there a tool that you feel can really "do it all," or is that unrealistic?
  • What's your take on CiscoWorks? Is it the one that really can "do it all"?
  • If you were training a new administrator on managing, configuring, and troubleshooting the network, which three tools would you say to use?

I want to hear from you! Jump into this article's discussion, and weigh in with your thoughts and experiences. It's rare to be able to do everything you need to do on a network using only the Cisco IOS. The reality is that additional tools are necessary. However, because of the plethora of tools available, the challenge is selecting the right tools.


David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

32 comments
curtis

I'm running NetworkAuthorityInventory/Ziptie, Cisco Network Assistant, Wireshark, Putty, WhatsUp Gold, and Solarwinds Netflow monitor. There is very little I can't do with these tools.

FAST!!!

I suffered through CiscoWorks for a couple years and gave up at last after demoing SolarWinds Orion network monitor and Cirrus config mgmt. I've since purchased them and was up and running in no time. Our ERP system admin really likes the Windows server monitoring built into Orion as well. Performance is a zillion times better than CW and the setup is incredibly simple. One complaint I have is that these tools are not integrated but I'm sure that will change in future releases.

I also have been using PRTG for a couple years to monitor bandwidth, top talkers and protocols and other SNMP device trends. Ethereal/Wireshark for packet captures and analysis. For free it can't be beat! SolarWinds Engineers Toolset is the Swiss Army knife of network tools. I use the Switch Port Mapper tool in it often to track down what devices are connected to what ports.

CiscoWorks WLSE (Wireless LAN Solution Engine) is actually a very good product for autonomous WAP management. Although eventually this will be replaced with wireless controllers. But it has served its purpose very well for the last 4 years. This product is nothing like CW LAN management - it works!

jm9475

I provide training for the Army's new communications platform, the JNN. It is a collection of off-the-shelf equipment, including Cisco Routers, Netscreen Firewalls, and Call Manager servers. Obviously, we need a system that can manage all of this equipment. The problem is, there is no "silver bullet" to do so. The reality is, no network is in a vacuum. If you've plugged your network into the outside, it MUST be taken into account.

The biggest challenge I've had with educating these newly-minted network managers is that there is no one single solution, nor is each tool or product a standalone device. Many of our tools overlap in capability but are generally good at at least one aspect of management. One trap we're falling in now is that in the last two years we've doubled the number of software platforms that we've added, while taking away none of the previous platforms. What this means is we've got almost 15 tools, from 10 different vendors that we must work with in order to attempt to manage the network.

To go along with that trap is the fact that each division is given approximately 200 snmp-enabled machines at the various echelons within, but are not told exactly what to do with them. This means they sometimes have 4-5 snmp polls all asking the same information to the same routers at 30 sec intervals over satellite links. This leads to the network being "managed to death", where a significant portion of bandwidth is taken up just in SNMP or ICMP traffic!

I believe the first discussion must be "how do we manage the network", rather than "what software is the best to do it with."

ddavis

I want to take a moment to tell all of you who posted THANK YOU for your comments! I value your input and will be doing a summary article on these discussions and an article or more on some of the tools that y'all recommended. Thank you for reading TechRepublic and especially the Cisco Routers and Switches newsletter - please tell your friends about it! Thanks, David

subramanian

We take pleasure in introducing DeviceExpert to you. DeviceExpert is a web-based Network Change & Configuration Management solution for Routers, Switches, Firewalls, AccessPoints and others from multiple vendors. Following are some of the features:

* Real-time configuration tracking and effective change management policies
* Quick restoration to trusted configurations through a few simple steps
* Alerting mechanism to monitor configuration changes
* Rolling back unauthorized configuration changes through change management policies
* Templates for commonly used configurations
* Scripting support to automate time consuming tasks like password change operation
* Contextual, side-by-side comparison of any two configurations
* Provision for searching devices and configuration
* Detailed Audit Trails
* Discovery and manual addition of network devices
* Detailed reports on Inventory and configuration changes
* Encrypted storage of device configuration in database
* Built-in disaster recovery mechanism to recover system in the event of failure
* Role-based access control for device configuration & approval mechanism for changes
* Support for over 300 device models from 16 vendors, including Cisco

For more details visit http://www.deviceexpert.com

Regards, Subramanian T

samuellthomasjr

David, I concur of the CiscoWorks ... but has anyone worked with a Cisco MARS "appliance"? Cisco touts it as the best thing since sliced bread, for management of network structures. This slice exceeds $30K ...ouch! SolarWinds presents two packages, Cirrus and Orion, for change & configuration and monitoring & management, respectively.

Here are the tools that I do / have used:

  • SolarWinds Engineer Edition + provides a free TFTP server, WOL and subnet calculator
  • HP Openview management
  • Ethereal sniffer
  • various telnet software, PuTTY being my current favorite.

Most network management packages that I have encountered rely on SNMP to access devices & perform tasks. Is there a cohesive package that does it all?

james.sirrett

Bunch of free tools used every day.

  • Tera Term - Free
  • Wireshark - Free
  • STG - Free - SNMP Traffic Grapher 0.01s poll (mrtg chap)
  • NMIS - Free - Monitoring, Health, bandwidth, Uptime
  • Rancid - Free - Config Backup and version history
  • winMTR - Free - Ping and Trace in one package

Also Netcat is handy when got firewall testing head on.

johnwcannon

We are a small business with about 20 switches, 8 routers, and a few PIX. There is no one single tool that handles everything, but these make life easier:

1. PumpKIN TFTP [www.klever.net] (FREE) Small, lightweight, reliable TFTP server
2. Cisco Network Assistant [cisco.com/go/cna] (FREE) Easiest way to upgrade IOS on multiple devices, price is right
3. WRQ Reflections [wrq.com] ($250>) Great alternative to HyperTerm, scriptable with VBA, .NET
4. Wireshark [wireshark.org] (FREE) Best free packet sniffer, hands down
5. PRTG [paessler.com/prtg] (FREE & $$) Basic edition is free for three SNMP sensors, makes a great bandwidth monitor
6. Microsoft Excel [microsoft.com] ($150>) Gotta keep your network map somewhere, and with a small network, a single spreadsheet can suffice.
7. Training - Gotta know what you are doing before you do it, so get some training before you start messing with some of these routers and switches. These aren't your Linksys routers at home, they are enterprise class devices with lots of bells and whistles.

Hope this helps someone.

CG IT

  • telnet
  • Hyperterminal
  • pumpKIN TFTP Server
  • Ethereal
  • SNMP

Don't use Ciscoworks or Cisco Network Assistant... they are ok tools but not something I would use. Call me old-fashioned but I'd rather create a config, test it, then upload it. I'd rather see what's going on rather than have a program try to tell me what might be wrong.

bdmeyer44

SecureCRT - I store the config on a file share, and point to it. Anyone else using SecureCRT has all the latest devices already to select from with macros. Anything any of us do is also logged to the fileshare, which is backed up each night. If someone makes a major oops, we can view the last log for that device, and know what to fix. It supports SSH and Telnet and more.

WhatsUp Gold v11 - This software has such a huge wealth of capabilities, it deserves its own article. I use it to receive all passive alerts (Syslog, SNMP, EventLog), and then email relevant people for the event noted. (user x just got locked out of their account - Eventlog, UPS just failed a self test - snmp, Router CPU load just went through the roof - syslog) and that's only three of hundreds of automated tasks the new WhatsUp Gold version does.

EditPad Pro and Regex Buddy (-notepad on viagra yup, it's all that)

SwitchInspector 1.3.1 - add a router, community string, and switch, and it will map out every port telling you what machine, the username, ip, mac, port speed duplex, how many devices (and all their info) it finds on every port. Nice way to spot rogue machines, and track down a device. Exports to pdf, excel, more.

Nessus, Wireshark, Nmap - Detection and Analysis

Kiwi Cattools for nightly backups and config comparisons.

PRTG keeps a baseline available, and it is great when troubleshooting 'why is my network slow'. I can get graphs for every port on every switch in a location. netflow, and sniffing. (not Wireshark type sniffing)

Cisco Network Assistant (Updated IOS version, not an old IOS.)

Books: Cisco IOS Cookbook; CCIE practical studies: security - no, I am not studying to be a CCIE, but the book has great explanations, and lots of samples.

Ok, that's the short list, I'll quit now....

Bruce D. Meyer

flhtc

  • tcpdump: It's kind of like watching the Matrix, but you get used to it.
  • ManageEngine Netflow Analyzer (Free Version): Good for determining what and where problems are. It also helps in tracking past events.
  • Cacti/MRTG: are very valuable tools for bandwidth monitoring.

I've also written a few scripts for monitoring host availability, disk usage, router error collection via snmp, etc... I really didn't need all the info from BigBrother.

Result: The combination of these four tools can detect, pinpoint, and let us correct most problems within 15 minutes. 99.7% of the time, before an outage. The .3% was when the cleaning crew "tried" to help the IT dept. They saw a network cable hanging from a switch in the wiring closet, so they plugged it in to another switch causing a loop. They said they thought they knocked it out. We took their keys to the computer room.

Other than that, it's saved us from virus infected machines, bad NIC cards, etc. more than a few times. Just another 2 cents.

bart.thoen

We use basically the same tools mentioned earlier:

- KiwiCat (change Management),
- SNMPc (monitoring),
- PuTTY / SecureCRT (IOS configuration)
- Cisco ACS (TACACS/RADIUS management)
- in house developed tools for configuration management (VCS) (although KiwiCat can do the same)

We stopped using Concord's eHealth a few years ago since it was way too expensive (we only used it to view bandwidth usage). We're using Cacti instead now. We've also invested in AirWave for our Wireless Access Points Management. And like someone stated before, the plain old OS built-in tools (ping, tracert, pathping, etc)

WANToolsMan

The answer to this depends on your situation, and how much money you can invest into the tools. If you can afford the "big boys", then I think these tools are invaluable:

  • HP Openview NNM
  • CiscoWorks
  • Netcool
  • eNetAware

If you have to be a bit more frugal, I would go with these:

  • Nagios/Big Brother
  • MRTG
  • OpenNMS
  • ZipTie/Zenoss

However, regardless of your money situation, there are a few things that I think EVERY company should have available to network engineers and network management engineers:

  • Perl
  • Expect
  • Tcl
  • Scotty
  • Cacti/RRD
  • Wireshark/Ethereal
  • puTTY (or similar client, NOT HyperTerm)

Chris Ivey
Information Management Senior Analyst
Enterprise Management Integration Services
ACS, Inc. - TWDC

essickj

What works the best for me are Telnet ver 4.0.1371.1, PumpKIN ver 2.0.0.0, and Hyperterminal. They are what I use most of the time. Hyperterminal does have a drawback when trying to copy more than 20 or 30 lines. I work in a fairly small organization. We only have about 200 routers and close to 4000 switches.

nigel

You can't get away from extra tools on your PC but about 6 should be sufficient. For any config/management lab work you need 5:

- tftp server eg Solarwinds
- ssh client eg TeraTerm
- packet sniffer eg Ethereal for free or Sniffer if the company can afford it
- Cisco Network Assistant - a must for new switches
- Cisco ASDM - a must for new ASA security boxes

Cisco are their own worst enemy with the number of product specific tools they release, but network assistant/ASDM installed on PC are better than old Java plug ins for switches and PIXes.

Sixth but not least, for any production network you need a monitoring tool for availability, bandwidth, latency - Big Brother and MRTG have proved a good mix for me.

I've also seen lots of GUI ping/trace tools but never found one I use regularly - good old command line usually does the trick! Big tools like Cisco Works, HP Open View etc are best left for the Big boys - big corporates and service providers.

keith.heward

Cisco Works, or rather if you wait long enough it might! With only 1 user on a mid range server with 4G of ram, the performance sucks to such an extent I gave up and used some of my other tools. Kiwi products, syslog and cattools work well as does PRTG, which I use at all my customers. Wireshark is excellent, wish I'd found it before I bought Sniffer. Nessus is also a useful tool to use before an audit.

j

And it's why we all have jobs when everyone else is losing theirs! Was Navy IT admin (aircraft carrier); landed a sweet gig for a fortune500 w/7000 employees globally and SURPRISE! 5 IT groups, 2 divisions (10 groups) each burning $$$ on redundant monitoring voice/vid/data/security like u say - all worried to report upper IT mgmt we're only getting 99.78% uptime globally..!?

j

IMO - Cisco lost traction on development of CiscoWorks 5 years ago and missed the train (like Cisco IPTV). Cacti + Nagios = pretty d@mn near the best set - for free. But... got some friends that work at Cisco, have played with the MARS box, seen it live onsite... 2 words friends: Friggin sweet! Get into your local Cisco office's lab and be wow'd.

JoeBeckner

I've been to a couple of Cisco seminars with demos on MARS. It's expensive, but it borders on magic. MARS is like an intelligent syslog server, it collects logs and events from hundreds of routers, switches, firewalls, IPS/IDS, servers, etc. (not just Cisco devices, the product was from a Cisco acquisition). The software then correlates hundreds or thousands of events from different devices and provides alarms and alerts regarding security events along with recommended actions.

harry.kuykendall

CiscoWorks saved me today. My 6509 lost a Sup card and its configs because of a power outage over the weekend and I was able to reload the configs from CiscoWorks within 15 minutes. Yes it can be a little complex to operate but for med to large networks, it is a must.

tq.twaha

All those tools are great, I find LANsurveyor handy to automatically diagram my networks.

djdawson

I've found that my Mac makes a pretty good platform for working on Cisco boxes from the command line, and I can even use the latest versions of ASDM. OS X includes built-in versions of SSH, FTP, TFTP, and all the nice UNIX text processing tools that make CLI use easy. I've even slapped together a simple AWK script for cleaning up PIX/ASA configs so they're easier to read.

On the PC side, I've found that I prefer PuTTY over the other SSH/Telnet clients, though the latest version of TeraTerm from http://sourceforge.jp/projects/ttssh2/ is pretty good, too.

For copying large image files across slow WAN links I've found that using the largely ignored HTTP, FTP, or SCP protocols is a godsend, since they use TCP and are much more reliable and faster than the traditional UDP-based TFTP. 3Com has a nice, small server that includes an FTP server (http://support.3com.com/software/utilities_for_windows_32_bit.htm or Google "3Com FTP Daemon"). Most recent Cisco boxes support at least one of these protocols, so there's seldom a situation where TFTP is your only option.

I do mostly support customer support and don't have to monitor devices on an ongoing basis, so I don't have a lot of use for things like MRTG and the like, but I am starting to believe that there are usually free utilities that can do much of what a small to medium sized organization needs. Just my 2 cents. Dana

mauricio.nunez

Hi Keith, I totally agree with your comment, but let me tell you that I used to support that tool and you had the lowest RAM needs so that is totally normal if you had more than 100 devices. It's a great tool if you have enough hardware to work and also if you have the time to dig into all the applications that it has. Greetings!

ckgilliam

Has anyone heard of Emprisa Networks, E-Netaware product?

NetizenX

Not free, but much less expensive than CiscoWorks. A great commercial tool set for the network admin. It's about $1400US and yeah, you can roll-your-own set of free tools, but this is a great package of almost 50 different tools.

zloeber

I've seen a lot of references for paid products here and have learned a bit about them and where they may be appropriate. That being said, I use all free, Linux based, products including:

  • Cacti: The best bandwidth monitor and MRTG replacement. Is capable of monitoring ANY snmp device (so monitoring disk and processor usage on that server is easy to do as well).
  • Netdisco: Map out your entire network. Know just which devices are attached to that switch. After doing this I discovered that 1 of 3 switches on one floor was highly under utilized.
  • Arpwatch-ng: Someone pops onto the network. You get e-mailed their IP address and MAC pairing. Someone's IP address changes, you get e-mailed a "flip flop" warning for that address pairing change. If a baddie is on the network and wants to do a man in the middle attack, I will know immediately!
  • RANCID with CVSweb: Really Awesome Network ConfIguration Differ. Keeps a CVS of all network device configuration changes. Works very well on most devices. Not so good on our Foundry stuff as they cannot make up their mind on their interfaces. You get e-mailed when something changes. Good for accountability!
  • Putty: Not Linux based but still very handy Windows based free ssh/telnet client.
  • Syslog-ng with phpsyslog-ng: I use this to assist in gathering the event logs from my devices so that if there is an issue I will know with a quick centralized search which devices failed to contact their neighbor. This one has some manual setup involved to get the logs into a mysql database via a pipe but it is worth it.
  • SNMP: Very generic but with this you can automate changes across the board on a bunch of devices. (Examples can be found in the highly recommended book "The cisco cookbook" by O'Reilly.) This is what gives most of the other tools their data. Learn to secure it. If you don't use v3 (not many people do) then at least use a simple access list to restrict snmp access to your devices: "access-list ip snmp-server permit".

If you do convert an old workstation into your network monitoring device (running Linux), then also install webmin to make setting up things like sendmail aliases more visually pleasing (and a bit quicker as the interface is quite intuitive). Since many of the tools I've mentioned are web based and run off of apache you should get a feel for setting up directory (.htaccess) security as well so that no average joe (no offense to people named "joe") can access such vital information about your infrastructure.
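The SNMP advice in the comment above (restrict access with an access list when v3 is not in use) can be checked against saved configurations such as the ones RANCID archives. The following is an added example, not part of the thread or any commenter's code: a short Python audit that flags `snmp-server community` lines in an IOS configuration that have a default string, no ACL, an ACL that is not defined in the same file, or write access. The sample configuration, hostname, addresses and community strings are constructed.

```python
import re

# Constructed sample running-config (not taken from the thread). Addresses
# are documentation-range placeholders; community strings are made up.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
!
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
!
snmp-server community public RO
snmp-server community n0c-r3ad RO 10
snmp-server community n0c-wr1te RW SNMP-MGMT
snmp-server community legacy RO 99
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(.*)$")
NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) ")
NAMED_ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
DEFAULT_STRINGS = {"public", "private"}


def defined_acls(config):
    """Return the numbers/names of every ACL defined in the config text."""
    acls = set()
    for line in config.splitlines():
        m = NUMBERED_ACL_RE.match(line) or NAMED_ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
    return acls


def parse_community(rest):
    """Split the options after the community string into (mode, acl)."""
    mode, acl = "RO", None      # IOS communities are read-only unless RW is given
    tokens = rest.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.upper() in ("RO", "RW"):
            mode = tok.upper()
        elif tok.lower() in ("view", "ipv6"):
            i += 1              # skip the view / IPv6 ACL name (not audited here)
        else:
            acl = tok           # remaining number or name is the IPv4 ACL
        i += 1
    return mode, acl


def audit_snmp(config):
    """Return (line_number, issue) pairs; community strings are never echoed."""
    acls = defined_acls(config)
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        mode, acl = parse_community(m.group(2))
        if m.group(1).lower() in DEFAULT_STRINGS:
            findings.append((lineno, "default-string"))
        if acl is None:
            findings.append((lineno, "no-acl"))
        elif acl not in acls:
            findings.append((lineno, "undefined-acl"))
        if mode == "RW":
            findings.append((lineno, "rw-access"))
    return findings


if __name__ == "__main__":
    for lineno, issue in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {issue}")
```

Findings are reported by line number so the report can be mailed or stored without exposing the community strings themselves.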

steven.bamford

Time to upgrade to a 24" from HP eh! No seriously, really helpful ta

hastingb

Impossible to tune, slow, and way overpriced.

d.e.glover

Here's my $.02:

  • Cisco Network Assistant - GUI and configuration setups and IOS upgrading. I do wish that this application was capable of handling more than 16 switches per community (would make my life a bit easier...).
  • SolarWinds - Monitoring of switches
  • SecureCRT - for CLI stuff (I use HyperTerminal when I'm not @ my desk).

I mostly look after the switches (I'm studying for my CCNA.)

hastingb

No doubt putty, ssh and yes even telnet are fine and lovely. Now imagine having 500 plus network devices on your network and twenty or so network engineers who all do things a little different when it comes to configuring a router. Man! we need an automated baseline configuration tool that will scan the network generate a compliancy report and then automagically fix those configs plus push out the latest IOS image. CiscoWorks as much as I hate it comes the closest to doing all of that.

FAST!!!

I absolutely hated ciscoworks! Solarwinds can do everything you need. It's not completely automagic but personally I do not like the "auto" part.