Take this GUI and shove it

In many cases, a command-line interface makes life easier than some fancy GUI. Here's why

Page 2 of 3

Let me offer an example. I recently had a relatively complex meshed VPN network to construct using Cisco ASA security appliances. Using the CLI, I configured one ASA5520 with everything I needed: IP addresses, routes, a tunneled OSPF configuration, VPN tunnel definitions, a bevy of QoS rules, access-lists, remote and local administration rules, SNMP strings, logging, a new firmware version, the whole works.

I was then able to copy off that text-based configuration and run it through sed to do a search and replace on IP addresses and network definitions, and within a minute or two I had a complete configuration for the other ASA5520s. All I had to do to get them running was log into them, copy over the right firmware and their configuration file, and reboot them. By any definition, that's a highly simple and effective method, and one possible due to the simplicity of the CLI and the text-based configs.

But then I came across the Cisco SA520. While the ASA5520s are full-blown ASA appliances, the SA520 is dubbed a "Small Business Pro security appliance." It was for one site that didn't need the horsepower of the ASA5520, and the specs of the SA520 fell into line with the planned service to that site.

The SA520 doesn't have a CLI, or even a serial console for that matter. All it has is a Web UI.

So rather than being able to configure this device in a matter of a minute or two as I had with its bigger brothers, I had to wade through the Web UI to build essentially the same configuration as the other ASAs had, specific to the site. This process took longer than the entirety of the time I spent configuring all the other ASAs. Nominally, you'd think that having a Web UI would be easier than a CLI, but that certainly wasn't true in this case.

To be fair, the SA520 is designed for small businesses and meant to be used by those that would have no idea what to do with a real Cisco IOS CLI. Sadly, Cisco used to make the PIX 501 that was produced for the same market, ran PIXOS and had a fully functional CLI. For the SA520, however, the Web UI is really the only method of configuration possible. The lack of a complete underlying CLI interface renders the device more difficult to use in many cases.

For another example, say that you need to do an external re-IP on a large corporate firewall that has to happen as fast as possible to minimize downtime. There are a few ways to do this. The costliest would be to purchase another firewall, configure it with all the new addresses, translations, rules, and whatnot, and then simply turn it on and turn the old one off.

If the firewall does not have a CLI, that might be the only option, because otherwise you have to feverishly click through page after page of a Web UI or a text-based menuing interface, or run through a fat GUI client to make all the necessary changes on the fly. Depending on the size of the task, this could take a very long time indeed.

Alternatively, if there's a strong CLI, you simply open up a text editor, dump in the relevant portions of the configuration, run a search and replace for the IP addresses, make a few routing changes, and when the time comes to make the switch, you literally just paste the configuration into the firewall. All done in a matter of seconds.

| 1 2 3 Page 2
From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies