My “this is why you need automation” blog post triggered numerous comments and tweets. I loved this one:
What if the mistake was embedded into the automation process/tool (designed by humans) in the first place? Now you have a video series titled "Automation Gone Wild".
I guess this tweet is a priceless answer to that question:
To make error is human. To propagate error to all server in automatic way is #devops.— DevOps Borat (@DEVOPS_BORAT) February 26, 2011
Automating Cisco IOS Software Updates
A large financial organization automated IOS software updates – routers across hundreds of branch offices were regularly upgraded to latest software release overnight.
Everything worked great until someone made a typo and specified an .md5 file instead of a .bin file in the upgrade request, bricking hundreds of remote routers.
The next few days were spent frantically running around and downloading the software to the routers through the console port.
Lesson Learned: check the inputs. Make changes gradually (Tom Hollingsworth recommends Fibonacci sequences).
Automating Firewall Policy Deployment
A retail organization used vendor firewall management tool to manage firewalls on hundreds of small sites around the country. They also used that tool to deploy changes to firewall and VPN policies.
The network administrator assumed that the software might fail, so he split the sites into a dozen of groups, and spread sites in each group around the country, so that a failure of one group wouldn’t bring a whole region down.
Not surprisingly, a failure did happen due to some weird glitch in the management software, and updating one of the groups failed, leaving those firewalls in some weird inaccessible state.
Now the resilience built into the whole system worked against the poor network admin – he had to travel around the whole country fixing firewalls belonging to that particular group. Fortunately, the country in question wasn’t US or China ;)
Lesson Learned: things will fail. Always have a Plan B which does not involve driving around. reload in 5 is your friend.
Based on horror stories like this, you might conclude that you don’t want to touch the network automation with a 10-foot pole. I’m positive the bank tellers had the same reaction when banks introduced the first computers; how could you possibly trust that thing to balance the books properly.
In the meantime, we made huge progress in software development processes, and if you want to have a better chance of a working solution you should use those processes when developing your network automation solutions.
Just because we know how to develop software properly doesn’t mean that your organization is doing it, or that people aren’t cutting corners. Then there are the expert beginners and software development horror stories.
Summary: You MUST treat the network automation like any other mission-critical application and use the same processes in its development (source code/version control, unit tests, integration tests...); implementing it with a series of scripts hacked together by a programmer wannabe (aka networking engineer) over a weekend will get you the results you deserve.