Cisco CCIE Security 350-701 – Network Automation Tools Part 2
4. Agent Based vs Agentless
Now in this video we'll try to understand the difference between configuration management tools that are agent based and those that are agentless. In the previous topics we already discussed the basic difference between the master and the agent. The master is the device where the software is actually installed, and from this master it is going to control the nodes.
Or we can say the master is responsible for sending out the configurations to the end devices, the nodes. These nodes can be a router, a switch or any other device. In an agent-based setup, these devices will have something called agent software installed on them, and these agents are going to get the configuration information from the server. So with the help of this agent software, the nodes talk to the server. That is basically what we'll see here.
This is what is called agent based, but we'll also look at the agentless option. So let's quickly review the agent-based option, the same thing we covered earlier. Agent-based tools require an agent, a piece of software, to be installed on the nodes: the end devices, like routers, switches or servers. They need some kind of software or piece of code installed on them in order to communicate with the server. Without that agent installed, the nodes managed by an agent-based tool will not be able to talk to the server. So you need agent software installed on the nodes.
That's the first thing. These agents are responsible for the communication process. As I said, the agents communicate with the master with the help of this tool; all the configurations are present on your master, and the master sends the configurations back to the agent. So the master makes the changes securely on the end devices which have the agent installed.
Some examples are Puppet, Chef and SaltStack. These are management tools which are agent based, which means they require agent software to be running on the end devices. One problem with agent-based tools is that a lot of people are concerned about the agent itself: as I said, every node requires agent software, so the agent must be supported on and installed on that device, and there are many devices which do not natively support the agent software. But the tools we have covered here do require one. So some routers may have the features to support this agent software and some may not; there is no support for the agent on each and every device. So now the problem is how to overcome that.
To overcome that, we have other tools from different vendors, management tools which require no agent software. Technically we call them agentless tools. Agentless tools are quite the opposite: the end devices, the nodes, require no agent to be installed. They are just like a normal router or a normal switch, with no special code installed on them to communicate with the server.
So there is no requirement for an agent on the end devices. But now the question is how the software is going to communicate. It uses supported features like SSH or Windows Remote Management. SSH is a secured command-line interface for accessing remote devices, and most routers support it. Windows Remote Management allows the administrator to remotely run management scripts. So with the help of these features, you don't need an agent.
So they use built-in, already supported features like SSH or Windows Remote Management. Now what is the alternative? If the tool does need to support an agent, it can use something called a proxy agent. A proxy agent is a kind of middleman sitting between your software, the management tool, and the nodes. By default, if there is no agent on the node, there is no agent-style way for it to interact with the server, so the proxy agent acts as a middleman between your software and the nodes which don't have any agent. Some examples: Ansible uses SSH for remote access, and it is an agentless configuration tool.
There is also a variation in Puppet called Puppet Bolt. Puppet Bolt is again used to automate the same tasks in a smaller infrastructure; it is a very simple agentless software you can install, and it is an open source option. So depending upon the software you select, it can be either agent based or agentless. Whatever management tool you have decided on, you first have to figure out whether it is agent based or agentless. If it is agent based, your end devices, the nodes, require the agent code to be installed.
5. Push-Pull Model
We'll try to understand the difference between the push and pull models. These are two different configuration approaches used by different configuration management tools. Let me quickly cover the basics. In the previous topics we have seen that we have a server, or master, and this master is responsible for storing the configurations and sending them out to the nodes. These nodes may or may not have agents installed, depending upon the type of configuration management tool you are using. So the configurations will be sent to the nodes, and there are two ways the nodes will be getting them. Either the server is going to push down the configurations, which is what we call the push model, where the server initiates the configuration changes to the end devices, or the other way is the pull model, where the nodes are going to pull the configurations from the server. Those are the two approaches, in simple terms. Let's get into the details of these two models, starting with the push model.
In the push model the master pushes the configurations down to the nodes, which means the master or the server sends out the configurations, or any other changes, down to the nodes, because all the configurations are stored on the server. Now, these nodes may be agent based or agentless; I have already discussed that difference in the previous topics. This is actually a good method especially for software which has no agent component. If you take Ansible, for example, an agent is not required, so these are just plain nodes that need to be configured without any agent. If there is no agent, this is going to be the best way: the server reaches out to the end devices and pushes the configurations down to them, although the model also works when you do have an agent.
But again, it is more suited to software where an agent is not required, although it does support both agent-based and agentless nodes. The configurations can be either pushed manually or scheduled. Manually means you go to the server, connect to these devices and execute the set of commands at that particular point in time from the software. Or maybe you don't want to make the changes immediately; you may want them to occur at, say, 3:00 in the morning, or later some other day. In that scenario you can schedule it, and those configurations will be changed at the scheduled time. It can be something like basic testing commands you want to run at 3 o'clock, executing some show commands or sending ping requests to selected devices. Most people prefer to use this model. The examples are Ansible and SaltStack; they use the push model, and Ansible in particular because it is agentless.
With an agentless tool you need to go with a push model only. SaltStack supports the agent-based option as well as agentless, which is slightly different. Most people prefer the push model because you usually want to make the changes immediately, whereas in the pull model the client is going to request the configuration, and only when the client requests it is it going to get it; I'll talk more on the pull model later. But you really want to make the changes immediately.
So you go to the server where the software is installed, you prepare a configuration file and you want that configuration to be pushed immediately without any delay, whether it is adding some VLANs or shutting down a specific interface; there are tasks you want done immediately at that point in time. In that scenario you always prefer the push model. Ansible and SaltStack, as I said, both use the push model to make configuration changes; Ansible doesn't need any agent, so it is agentless, and SaltStack does use an agent. Technically in SaltStack the agents are called minions; that is the agent terminology used in the SaltStack software. In both of these tools the master initiates the process and sends out the configuration data to the end devices, and those end devices may or may not have an agent.
The next one is the pull model. In the pull model the nodes, or the agents, pull the configuration from the server, which means it is exactly the opposite of the push model we discussed. Here the node compulsorily requires agent software to be running, and from the nodes they request or get the configurations, which is why it is called the pull model. So the server is not going to initiate the connection. Who is? The connection is initiated from the node, or we can say the agent, because the agent software is installed on that node; that small piece of software must be installed on each and every node. Most agent-based tools use the pull model, but not in all cases. So this agent is going to frequently poll the master.
That is nothing but frequently asking the master whether there is any change in the configuration file that has to be updated. Whatever configuration file it gets from the server, it compares with the existing one and makes sure that both are the same. If they are not the same, if there is any mismatch, it updates the configuration with the file it receives from the server. Then there is a timer, and after some time it will initiate the process again. That interval varies; in Puppet I think there is something like a 30-minute interval, but it varies based on the tool you are actually using. What you need to understand here is that it is always the agent that initiates the connection, not the server. The agent initiates the request to the server, that's the first step, and the server sends the configurations back to the nodes. Chef and Puppet are good examples of pull-based configuration management tools, and this requires an agent which initiates the connection.
So you need to have an agent, and the agent initiates the connection in all the pull models. If you compare these two models, the pull model has some slight disadvantages, or we can say drawbacks. The first drawback is that you need to have an agent; of course an agent must be installed in the pull model. The next thing is that the agent is going to poll, as I said, frequently polling the server asking for the configurations, and there is a timer that differs by tool; Puppet, let's say, uses 30 minutes.
The problem here is that this request is sent at a specific time interval. What if some changes need to be done immediately? Let's say you want to change the routing table or forwarding table, or you want to immediately shut down an interface. The problem is that unless and until the node's agent sends its request, the configurations are not going to be sent to the nodes. So in the pull model the agent needs to send a query at specific time intervals. That is one limitation of the pull model. Again, it depends upon which tool uses which model.
6. Configuration Files
We'll try to get an overview of the configuration files. The configuration files, as you can see, are the way you apply the configurations to the devices. Here you can see some sample screenshots of configuration files. These configuration files need to be defined inside the software. We have a master server, the server where the software is installed, and depending upon which software you're using, you will be creating the configuration files; the format differs between softwares. The way you write the code depends totally upon the software and the language used inside it. These are the configuration files: they are defined on the master and then sent to the end devices, the nodes. The configuration files include whatever changes you want to apply.
It can be some OSPF configuration or, if you are talking about Cisco, routing configuration, applying an ACL, changing IP addressing, or even other things like packages, upgrades or image updates. Whatever you want to do is written in the particular language which that software understands. These configuration files have different names: Puppet uses the term manifest, Ansible uses the same name, configuration file or config file, and in the Chef automation tool they are called recipes. Different tools use different naming, but at the end they are all the core files, the configuration files, which you create on the server and then push in the form of a file to the end devices. The complexity of writing these configuration files depends totally upon what tool you are using, because every software uses its own language. Ansible and SaltStack use something called YAML.
What is YAML? It is kind of easy and human readable, easy to understand and work with. A lot of people prefer Ansible and SaltStack because their configuration files are easy to understand. Whereas if you're using Puppet or Chef, they use something like the Ruby language. The configuration files in Puppet and Chef are a little more complex because of the language used, Ruby, which is a little less user friendly and not as human readable compared to YAML. Now the question is, do you need to create these files from scratch? Of course you don't, because most of the time, if you go to the specific websites, let's say the Puppet website, there is something called Puppet Forge (forge.puppet.com). They have pre-configured templates or pre-configured files depending upon the vendor and the type of configuration.
So you can just get those files; every tool, every software has its own pre-configured templates on its own website. I can use a specific template; let's say I want to make changes to a specific Cisco device, to its operating system, let's say IOS. You can download those specific pre-configured files, tweak them, make some slight changes as per your requirement, and then use those configuration files with the software.
That's how it is going to be. You don't need to really know each and every line of it, as long as you know, okay, I need to change the IP here, the ip helper-address command I need to change here, and of course the interface where you want to apply it. You can see the options are fairly readable; you just replace them with your requirements. That is how you are going to use these configuration files. Basically you don't need to be an expert in creating the files, but you do need to know how to visit that particular software's website.
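As an added example, not a screenshot or file from the course: an Ansible playbook in YAML that pushes an ip helper-address onto a Cisco IOS interface over SSH, which is the agentless push model described above. The inventory group `ios_routers`, the `vault_ios_password` variable, the `GigabitEthernet0/1` interface and the 10.0.0.5 DHCP server address are constructed placeholders, not values from the course.

```yaml
# Added example (not course material): agentless push of a DHCP relay
# address to Cisco IOS routers. Hostnames, interface and addresses are
# constructed placeholders; the inventory group "ios_routers" is assumed.
---
- name: Push DHCP relay (ip helper-address) to access-layer routers
  hosts: ios_routers
  gather_facts: false
  # network_cli drives the router over SSH; no agent on the node.
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: cisco.ios.ios
    ansible_user: automation
    # Keep the credential in an ansible-vault file, never in the playbook.
    ansible_password: "{{ vault_ios_password }}"
    relay_interface: GigabitEthernet0/1
    dhcp_server: 10.0.0.5

  tasks:
    - name: Ensure the helper address is present on the client-facing interface
      cisco.ios.ios_config:
        parents: "interface {{ relay_interface }}"
        lines:
          - "ip helper-address {{ dhcp_server }}"
        # Only write startup-config when the running config actually changed.
        save_when: modified
      register: helper_result

    - name: Report whether anything was pushed to this node
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: changed={{ helper_result.changed }}"
```

Running it first with `ansible-playbook -i inventory.yml playbook.yml --check --diff` makes the master report the lines it would push without touching the device, so the change can be reviewed before the real push.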