
I’m too old … I prefer CLI over GUI

I was delighted when I got access to Cisco’s Application Control Engine (ACE) XML Gateway/Web Application Firewall (WAF) box. This box is the perfect intersection of three fields that really interest me: networking, security and Web programming. To my huge disappointment, though, all the real configuration can only be done through the Web interface. I understand that casual users of a device prefer a graphical user interface (GUI) over text commands (and Generation Z has never seen a terminal window, DOS prompt or, God forbid, an actual terminal), but you can achieve so much more with a simple text-based configuration approach:

Working is more efficient. Unless you use only one index finger (positioned on the mouse) to work with your computer, you work faster in text-only mode once you become proficient with the device. If you know the configuration commands, you just type them; there’s no need to navigate a complex hierarchy of menus, forms and drop-down options. Just imagine the mental pain you would experience if you had to configure the BGP routing on a Cisco router through a menu interface.

Troubleshooting is easier. If you’re faced with a dire network-down situation, you can quickly adapt the configuration of an actual device by using the command line. With the GUI and distributed Manager/Gateway architecture, you have to log into the Web interface of the Manager device, work your way through the menus while the ringing phone is jumping up and down on your desk, make the changes you think might solve the problem and deploy the changes to the actual Gateway devices.

Configuration backup is easy. Once you configure a device that uses text-based configuration, you can store the configuration in a text file, having an almost perfect backup of the state of the working device (private keys might be an exception). I haven’t found a good way to back up the whole configuration of an ACE XML Gateway that would allow me to drop a replacement box in the network with a simple copy/paste operation from the console terminal.

You can identify the changes. Given two text-form device configuration files (a working one and a broken one), it’s feasible to use simple text-comparison tools to spot major differences and use your common sense to work from there. GUI interfaces have no such highly adaptable tool. The GUI solutions might give you reporting and configuration-comparison tools, but you never know whether they really consider all configuration parameters in the reports.

You can develop a library of “configlets.” Numerous blogs describe various aspects of Cisco IOS configuration, and you have probably built your own private library of useful configuration bits and pieces. These tools are useful because they can present the relevant information in highly condensed form: text configuration commands that you can immediately test and use. If I want to give you a useful tip about WAF configuration, I can describe the menu paths to get to the setting you need to change and post some screenshots. It might get the job done, but it will never be as fast and efficient as posting a few lines of text.

Don’t get me wrong; I understand that some people need GUIs and that the vendors need to implement a GUI to retain (or increase) market share. But the minimum we should get is a dual-interface solution, like the Cisco IOS/Secure Device Manager (SDM) or Wide Area Application Services (WAAS) configuration.

The original version of this post published in Fragments (blog platform formerly used by www.nil.com) has earned me another affectionate nickname from Red Pineapple. On top of holy cow (not to mention Pineapple Certified Religious Bovine Professional) I became telnet jockey. On a more serious note, I agree with him on the need for visualization, but most GUIs I’ve seen look more like eye candy than a useful visualization tool.

10 comments:

  1. Sorry about giving you a hard time, Ivan. You are the most knowledgeable and helpful Cisco Blogger on the web.

  2. Don't worry, I thoroughly enjoy your comments. You usually look at the same problem from a completely different (and always quite valid) perspective. The interesting verbalization of your point of view is just the icing on the cake :))

  3. I'm right there with ya. I stick to the CLI too.

  4. I have the same problem with Cisco ASA, where some WebVPN options are only available via GUI. It is very hard to apply similar configs to many firewalls...

    /mspoerr

  5. Yep, GUIs are OK, but the end result of the GUI should always be a text config, and you should be able to edit that directly if needed/desired. Having managed a couple of large WANs, there's nothing like being able to have the maintenance tech connect the new router's console to the modem, letting you drop in the backed-up configuration in a few seconds with no errors.

  6. Regarding mspoerr's comment--the same issue that Ivan mentions regarding backups applies to the ASA. I have not found any way to completely back up an ASA that has a complex WebVPN config, since the GUI-only features create hidden directories and files in flash that can't be referenced from the CLI.

  7. I totally agree. CLI is the way to go, plus it makes automated tasks via scripting, rancid, or expect much easier

  8. @jswan: there is an option in ASDM where you can backup the whole config. But unfortunately this option is not available under CLI.

    /mspoerr

  9. I really think it depends on what you're wanting to manage.

    Yes, Cisco routers (and perhaps network gear in general) are easier to manage on the command line. IOS is a wonderful, efficient tool, and I am thankful every day for it.

    However, I can think of stuff I wouldn't want to work on via terminal; VMWare ESX is one product that springs to mind. The command line for that is awful. VirtualBox Headless is quite well written, but I'd still prefer a GUI for managing VMs.

    Horses for courses.

  10. This is what my ASA5505 does when I order a full backup from the GUI:
    %ASA-7-111009: User 'Uname' executed cmd: show running-config
    %ASA-7-111009: User 'Uname' executed cmd: show import webvpn translation-table
    %ASA-7-111009: User 'Uname' executed cmd: show import webvpn customization
    %ASA-7-111009: User 'Uname' executed cmd: show import webvpn plug-in
    %ASA-7-111009: User 'Uname' executed cmd: show import webvpn url-list
    %ASA-7-111009: User 'Uname' executed cmd: show import webvpn webcontent
    %ASA-7-111009: User 'Uname' executed cmd: show running-config
    %ASA-7-111009: User 'Uname' executed cmd: show running-config
    %ASA-7-111009: User 'Uname' executed cmd: show running-config
    %ASA-7-111009: User 'Uname' executed cmd: show running-config
    %ASA-7-111009: User 'Uname' executed cmd: show running-config

    After that it complains that:
    No plug-in entries / configurations available
    No webcontent entries / configurations available
    No APCF entries / configurations available
    No certificates available
    No Proxy PAC entries / configurations available

    so the command that does it may be missing from the log.

