The recent surge of network automation tools has marked a shift in how administrators build and manage networks. While server and application automation tools have been around for some time, network-focused tools have only become popular in the last couple of years.
Traditionally, manual processes have largely accomplished configuration setup and ongoing network changes, but network automation tools have since emerged to reduce these manual steps. Although network automation tools might take different approaches toward automation, they all aim to reduce admin time spent on simple and repetitive configuration processes.
In this article, we look at the benefits of network automation tools, how to differentiate three types of network automation platforms and eight popular multivendor network automation tools.
Features of network automation tools
Every network automation tool in this list of eight can automate configuration changes in multivendor environments. The tools accomplish this by automating command-line syntax and then pushing those changes to each device that requires the change. Instead of having a network admin launch a Secure Socket Shell (SSH) session into every router, switch and firewall to modify the text-based configurations manually, automation tools create configuration scripts that accomplish the same goal in far less time and with fewer mistakes.
Another popular method for network automation tools to access and automate network device configurations is through an API. This more modern and elegant way of interacting with network equipment can reduce admin time spent making frequent network changes.
Some network automation tools go beyond the process of simply automating configuration changes. Examples of other network automation features include the following:
- Configuration backups. Regularly scheduled backups are encrypted and stored safely in case a network component configuration needs to roll back or restore.
- Tool access control. This feature manages who has the authority to push configuration changes across certain segments of the network. An accounting log also generates to show the complete history of changes.
- Compliance monitoring and verification. Admins can automate the process of determining if a network device meets preestablished compliance and regulation standards.
- Vulnerability assessments. This automated process identifies firmware and configuration settings that are known to be vulnerable.
- Performance monitoring. IT can read and analyze network performance insights on certain vendor hardware to provide configuration recommendations to further improve performance.
- Network orchestration. This feature auto discovers network devices for the centralized control and end-to-end coordination of LAN configuration additions and changes.
3 types of network automation tools
Network automation tools can fall into one of three categories: infrastructure automation tools, purpose-built network automation and software-defined platform tools.
The first category includes tools that were primarily built for server and application automation but have expanded to include the network. Many enterprise IT shops may already have some of these tools in use for infrastructure and DevOps purposes. The benefit with these tools is they're already in-house and IT staff may be well versed on how to use them. Thus, adding network automation processes into an existing tool would not be much of a stretch from a cost, implementation and learning curve perspective. That said, some of these infrastructure automation tools are light on network automation features and compatibility with various network hardware and software.
Another type of network automation platform includes tools that are purpose-built for the network. These tools offer the most network-specific features and functionalities. The caveat, of course, is the tool becomes yet another one-off tool for a specific purpose. IT shops experiencing what's known as tool glut -- which happens when too many administration tools are in play -- may want to look elsewhere.
Lastly, software-defined platforms create a logical overlay across LAN hardware. This overlay enables admins to centrally manage and orchestrate configurations from a single management pane, masking the underlying configuration commands that are happening within the underlay. This option is great for simplifying multivendor environments that require frequent changes to LAN configuration settings.
Evaluating top network automation tools
Editor's note: The following tools are listed in alphabetical order.
1. Ansible for Network Automation
Ansible is an open source platform that was originally built as an automation tool for Linux-based systems. The platform was acquired by Red Hat in 2015. Since then, Red Hat has expanded Ansible capabilities to automate other parts of enterprise IT infrastructure, including network devices. Ansible includes special modules for the automation of a wide variety of network vendors and devices. These modules include automated network functions, such as network device discovery, configuration, testing/validation and configuration drift identification.
Because Ansible uses an agentless architecture, it works well when automating hardened and proprietary systems, such as network appliances. Thus, interactions between the Ansible platform and any network equipment it automates is performed via SSH or through an open API.
Additionally, Ansible offers hundreds of pre-built network modules that do much of the heavy lifting for creating automation processes. Pre-built modules include automation templates for multiple vendors, such as A10, Cisco, Dell, Extreme, Juniper and Fortinet. Ansible for Network Automation is a particularly good option if it's already in use by server, application and development teams.
2. BeyondEdge Networks
BeyondEdge Networks -- formerly iPhotonix -- got its start in carrier access networking technologies. Anticipating the evolving landscape and growing complexity for enterprise network architecture, the company acquired software-defined technology to further advance the ability to manage networks with its software-defined network vision.
Taking the framework and experience from the software-defined market, the company expanded its product into enterprise LAN. The result is a software-defined LAN (SD-LAN) platform that can overlay across any existing switching vendor or white box technologies. Because the platform is vendor-agnostic, it can operate on top of virtually any underlying network, including copper or fiber. Thus, it gives businesses the network automation capabilities inherent in software-defined networks at a lower cost.
BeyondEdge SD-LAN auto discovers all Layer 2 connectivity on a network, dynamically stitching the underlying topology of the network into a visual model. At the same time, network automation templates are used to configure the LAN services directly to their respective endpoints. Once complete, network admins can centrally manage networkwide changes directly from the BeyondEdge UI.
3. BMC TrueSight Automation for Networks
BMC's TrueSight Automation for Networks is a standalone, purpose-built platform that generally takes a security-focused approach to network automation. The tool set can integrate into the larger BMC TrueSight AIOps platform, which includes tools for operations management, network orchestration and server automation.
Automation for Networks also includes tools that automate network equipment vulnerabilities, compliance checks, configuration verifications and other security-minded provisioning tasks. The product integrates with network discovery tools, including the BMC Discovery product, as well as third-party options from Cisco, Entuity and Ipswitch.
From a network vendor compatibility perspective, TrueSight supports a wide range of vendors, including Arista Networks, Check Point, Cisco, Dell, HPE and Juniper. It can also integrate and automate processes within software-defined networks, including VMware NSX and Cisco Application Centric Infrastructure.
4. Chef Enterprise Automation Stack
Chef is a completely open source automation tool set. However, most enterprises that are looking at network automation should consider the commercially available Chef Enterprise Automation Stack (EAS), as it adds many features that are necessary in today's IT departments, including professional support.
The tool set helps admins streamline and manage various server, application and network policies, both on premises and in the cloud. Chef has been a popular choice for server and development teams, so some teams within IT may already use Chef EAS.
Unlike others on this list, Chef requires that client software be installed directly on network devices. The client software works with the Chef platform to automate various network configuration tasks, such as making changes to router/switch ports and virtual LANs or modifying quality of service policies across a network.
Because of the requirement of an installed agent, Chef supports fewer network vendors compared to others, although it is compatible with some of the larger network vendors, including Arista, Cisco, F5 and Juniper.
5. ManageEngine Network Configuration Manager
A division of Zoho Corporation, ManageEngine designs enterprise-grade IT management platforms. The company's Network Configuration Manager is a purpose-built platform with several useful features. Besides being a multivendor network configuration automation platform, the product has tools to manage and control network changes, securely store configurations, and create and enforce network compliance and auditing. ManageEngine supports router, switch, firewall and other network device automation from vendors, including Cisco, Dell, Fortinet and Juniper.
Network Configuration Manager uses the concept of configlets, which are automation templates that admins can build to automate many repetitive tasks. The tool can also automate many compliance monitoring and verification processes for Sarbanes-Oxley Act, Payment Card Industry and HIPAA purposes. It can also generate detailed reports when admin-defined configuration policies are violated. An example of this would be to verify that Simple Network Management Protocol communities are set using the appropriate password strength.
The platform even offers a smartphone app, where admins can manage configuration automation and compliance on the go. ManageEngine has been in the network automation business for a long time and has a large customer base.
6. Puppet Enterprise
Puppet is another infrastructure automation tool that's popular in the server and app dev world. For network admins looking to consolidate tools, Puppet Enterprise may help, as other IT teams within the company may already use it. It does require the installation of one or more networking modules to squeeze some basic network automation features out of the platform.
Puppet is open source, but most organizations have likely opted to use the paid Puppet Enterprise. The enterprise version is also necessary to obtain the add-on network automation modules. Additionally, while Puppet is largely agent-based, the network automation modules are fully agentless.
Current network automation modules include support for Cisco Internetwork Operating System, IOS XE and Nexus hardware. Other modules exist for Palo Alto PAN-OS firewalls, Lenovo switches and F5 Local Traffic Manager load balancers. While this list isn't as extensive as some of the others, it may serve as a low-cost option for organizations that have already purchased Puppet Enterprise and run a network largely composed of their network gear.
7. SolarWinds Network Configuration Manager
SolarWinds was in the network automation business long before it became mainstream. Its Network Configuration Manager product is compatible with several network vendors, but advanced features tend to skew toward Cisco and Palo Alto. Other supported vendors include Dell, Extreme Networks, F5, Foundry, HPE/Aruba, Juniper and Lenovo.
Like ManageEngine, SolarWinds also includes several security features, in addition to typical network automation capabilities. One of the more unique features of SolarWinds Network Configuration Manager is the integration with the National Vulnerability Database. With this continuously updated database, the platform can perform vulnerability assessments and automate the identification of unsafe firmware or enable services on networked devices.
Network Configuration Manager integrates with other SolarWinds tools in the vendor's product portfolio, including its Network Performance Monitor tool.
8. VMware vRealize Automation
After finalizing the acquisition of SaltStack in late 2020, VMware made modifications to the automation tool set. These modifications were done so security and network automation tasks could be integrated seamlessly alongside the company's popular NSX software-defined network overlay platform. The automation component has been rebranded as vRealize Automation, and its purpose is to rapidly set up and manage NSX-controlled hybrid and multi-cloud data center environments.
VRealize includes tools that automate and provide self-service portal access to other aspects of the data center, including VMs, Kubernetes clusters/namespaces and security policies. It also includes a single point of management from which to automate the creation of virtual networks and associated network security policies. These polices can then be pushed across multiple public and private clouds within the NSX overlay. This provides assurance that network and network security policies are consistent across all apps and services, as well as on-premises or cloud locations where those services are located.
For organizations that rely heavily on VMware NSX, vRealize Automation is an easy way to ensure that network and network security services are automatically deployed and managed in lockstep with the applications and services they support.