Think of NetYCE as your ultimate platform to support network staff with all their tasks related to network configuration, compliance & automation. Instead of logging into production devices, jobs can now be scheduled via the NetYCE platform. Engineers can choose to keep on doing what they do today (device-based syntax changes) or use the enhanced NetYCE features to perform more 'smarter' and 'intended' jobs and scenarios and deal with automatic rollback scenarios. One of our customers described NetYCE as the ultimate scripting engine that does not require any software development. We have made it easy for engineers to use in their day to day work.
Also included are a logical inventory database and a rich GUI and templating system. This means you can make planned changes, prepare migrations, perform reconciliations, keep track of your network administration, and store all of your staff's engineering logic. Basically, all your network information and support processes in one place to prepare 'intended' changes before you deploy them. All this works seamlessly to keep your 'deployed' production network in sync with your intended changes.
You can use the platform to standardize and enforce design rules, design options, design logic and design changes down to the network. Here your design and automation logic can be modeled. NetYCE will automatically hand out all variables and parameters as per your design and keep a full administration of it. So no need for excel files and separate databases.
Finally, all this can be done via the GUI, but also via the NetYCE API. This will further streamline automation and orchestration with 3rd party systems such for IPAM, DHCP, DNS, OSS or other NMS systems.
NetYCE supports all major network vendors such as Cisco, Juniper, HPE, Avaya, Ciena, Huawei, Checkpoint, Fortinet, Palo Alto, Brocade and more, with each vendor module supporting all devices within that OS 'family'. New vendors are added as we go along based on customer requests. The typical lead time for a new vendor module is 5-10 days.
The vendor modules allow for SSH/Telnet/Netconf/API connectivity in a standardized and fully automated way. NetYCE takes care of committing changes, deals with error handling, backup and restore functionality etc. In addition, NetYCE supports any vendor, API or cloud module developed by the Ansible Open Source community using the NetYCE Ansible plugin. Or by using any Python code with the NetYCE script_exec plugin. This allows for unlimited automation capabilities within a robust and secure enterprise platform.
What makes NetYCE unique is that engineers are not restricted to any preconfigured settings. All engineering logic and device-specific OS capabilities are stored separately in NetYCE templates that can be easily managed by engineers including conditions, exceptions, logic, functions, multi-vendor support, etc. With this approach you are not dependent on the networking vendor and/or NetYCE to change the automation logic.For more detailed information, please check out the NetYCE Wiki:
Supported devices: https://wiki.netyce.com/doku.php/guides:reference:vendors:supported_devices
We add network vendors all the time! The only two criteria whether we can support a new vendor is how we get access to the device (either remotely via VPN or you send us one) and if it supports any CLI or API-based communication protocols. Devices that only support GUI-based configuration changes are more complex to automate. Please reach out to us to see what the options are.
Furthermore, many processes can already be optimized and automated without the need for a new vendor module. The vendor modules only deal with connectivity to the test & production devices (either virtual or physical). For any type of device, it's possible to create a new model in NetYCE (so without a supported vendor module) and use of all of NetYCE's functionality.
Perhaps you already have developed scripts yourself. These days most probably those are written in Python. It would be a shame not to reuse those. This is easy in NetYCE.
You can use NetYCE scenarios to create your own scripts with a simplified scripting language. Simply combine the order and logic of any process you want to automate, all again fully integrated with the NetYCE database, templates, engine and process control.
These NetYCE scenarios contain rich programming capabilities with extensive options and plugins without being a programmer. For more advanced users and Python developers, any script can be called upon with the “script_exec” command. This supports command-line arguments to pass on your variables and have NetYCE engine orchestrate the execution of your scripts in a data-driven way. The same applies to scripts in other programming languages.
Once you put your logic and code in NetYCE, everything is now fully API enabled. Simply call upon the NetYCE API to orchestrate any changes in a controllable way.
Both Ansible Tower and NetYCE are platforms for automation. The key difference is that Ansible Tower originated from server automation and therefore lacks many of the network capabilities. Needless to say, a network is so much more than (individual) devices and therefore requires additional ways to incorporate and manage parameters, dependencies, relations, and design specific logic. With Ansible, engineers are either forced to add all this logic in individual playbooks or become a software developer to integrate 3rd party tools, like inventory databases, ipam systems, workflow, jinja templates etc. In addition, Ansible playbooks do not support native CLI syntax automation. All this makes network automation challenging. As formulated in a tweet by a network engineer using Ansible: the engineer becomes the ‘control logic’ instead of the application”.
The NetYCE platform was built from the ground up for automating networks. You can use Ansible playbooks and integrate with the Ansible engine while NetYCE takes care of the complexity. This means you can (re-)use Ansible playbooks with version-controlled templates. But it also allows the automatic generation of standardized playbooks with inventory data and design logic that is easily managed elsewhere in the NetYCE platform. All with the added value of NetYCE's GUI, integrated inventory, flexible workflows, approvals, role-based access, logging, easy API orchestration and many more.
In summary, Ansible and NetYCE complement each other whereby NetYCE solves the challenge of managing complexity. It’s not the engineer anymore but the application that stores your ‘control logic’, in a structured and transparent way. This allows you to automate many more use cases that can be managed easily. For more information, check this blog: Why Ansible and Python are not enough for enterprise network automation.
More about the Ansible plugin:
https://wiki.netyce.com/doku.php/menu:operate:scenarios:commands#ansible_exec and
https://wiki.netyce.com/doku.php/maintenance:general:install_ansible#ansible_scenario
Templates are the main item to keep track of over time. Version control is the integrated solution to do so. All changes are stored in the database and the status is represented as “production”, “planned” or “historic”. Of course these are tagged with the user who changed them.
The same is on the roadmap for the scenarios, since these are used more and more for a multitude of tasks.
Network engineers can create as much different vendor templates as they want to store any vendor-specific configuration- and engineering design logic. The NetYCE templating system offers many extra features to manage configuration generation in a smart way. E.g. by using parameter substitution (from the NetYCE database or via API), using relationships or conditionals and many additional functions (to e.g. count or calculate things).
NetYCE differentiates two types of templates. First, there are the 'Configuration templates' to automatically generate configurations (full or partial). These configuration templates can be organised in a hierarchical tree structure, calling upon smaller templates with specific functions (VLAN's, ACL, port, etc..). As these templates can be made smart, they can be reused throughout the entire network and will generate specific outcomes per device/customer/etc.
Second are the 'Parsing templates' that can be used to retrieve specific information from production devices (using command parsing) or its configurations (config parsing). These templates can be used in combination with the job scenarios to validate changes on production nodes 'at run time' when deploying the intended/desired change.
From a process point of view, the NetYCE platform is set up in such a way that you (can) first prepare changes before you deploy anything into production and that what gets built is fully compliant with your design. So you prepare your intended state of the network, based on your design rules and then deploy it to production with automatic validation. This is done by combining the three layers within NetYCE: 'Design', 'Build', 'Operate'.
The 'Build' layer lets you prepare any type of change. You then use the 'Operate' tools to deploy your intended changes to production. Within the 'Operate' tools, you (can) then use 'scenarios' (to be used in combination with each job) to validate production settings as these might be different to what you expect. So to guarantee that nothing gets broken in production, the scenarios let you define how to automatically roll-back when some criteria are not met.
To guarantee that whatever gets built within the NetYCE database is based on your (high- and low-level) design rules, you (can) use the 'Design' tools. Here you set the rules to auto-populate parameters (e.g. handing out IP addresses or VLAN numbers) and automate any sequential number of engineering steps that you could also do through the GUI (or API).
To guarantee intent, these 3 layers are used in combination, whereby the 'Design' set-up is typically configured once for each network.
Also, these layers can be used separately. So just use the 'Operate' or 'Build' tools. This all depends on your use desired case, experience and/or maturity level as an organization.
To be able to identify who did what over time is key. Everyone needs their own account. These can be added as local accounts supporting a variety of controls to confirm to, like length and variety of passwords over time.
A connection to a central LDAP (Lightweight Directory Access Protocol) is also possible, integrating your users with the existing environment. There are many options to control who has which type of access, explained on the very detailed LDAP integration page. The LDAP integration includes Microsoft Active Directory (AD) as well.
The authentication is of course not only applied to the GUI, but also to the API.
All of the users belong to groups, to simplify access control.
You can deploy NetYCE is a variety of architectures.
- Single Server, running both the FrondEnd and BackEnd servers on one physical or virtual machine
- Dual Server, High Availability mode with a hot standby of a second server
- Distributed architecture, splitting the FrondEnd server from the BackEnd servers. BackEnd servers will run in High Availability mode and you can add multiple FrondEnd servers depending on the scale you need or depending on your security requirements (per domain). Each FrondEnd server can be configured to deal with thousands of jobs each if needed.
See picture below:
In short, NetYCE doesn't do network discovery on its own. There are different ways to achieve network discovery.
Network discovery is one of the key functionalities of monitoring tools. So if you have an existing network inventory either from monitoring tools or any such tool, NetYCE can import the device database from it in CSV format.
What if I don't have any network inventory?
Then, NetYCE can be integrated with network discovery tools like netdisco to accomplish this.
Yes, NetYCE supports zero-touch provisioning.
NetYCE needs to be pointed as TFTP server using option 150 in DHCP server.
The unique configuration for the host is determined by any of the factors like serial number, mac address. It is an on-demand config generation using the build information(templates, domain values).
Here is the tech-talk about the ZTP, besides a demo, this also discusses One-touch provisioning for devices which do not have ZTP capability.