Admins/Engineers: CLI or GUI?

CoolAsAFan

I am curious about what most network guys use to configure devices on their job, CLI or GUI (CCP/ASDM/CSM)?

In my CCNA-Sec studies, the instructor says that most professionals, especially in environments with many devices, like to use a GUI to streamline their commands, put it in a text file, customize the text file, then push/enter it at the CLI. Is this typical?

I kind of imagine for simple tweaks on a small number of devices that people would just use the CLI and maybe for more complex tweaks on a larger number of devices they use the GUI?

Also, is CCNP-Sec similar to CCNA-Sec in pushing the GUI, or does it dive deeper into the CLI I hope?

Thanks!

pevangel

We use GUI for our MetroE, ATM, SONET, and some TDM gear but use CLI for everything else. We have several hundred devices on the network. I think it's actually close to a thousand. We don't have a lot of Cisco gear though (less than 100) and don't use CCP, ASDM, or CSM.

colemic

GUI for me, for Ironport and ASDM/AnyConnect. So, so much easier to see and understand for me.

shodown

Generally on firewalls I use a GUI unless I have the commands ready. For Routers and Switches I use Excel to get my configs ready and then I copy and paste into the device or run a script to log into several devices and do it at 1 time. If you are in a large enterprise you can get tools do this for you, but as an consultant the price of these tools would be close to 10K for me.

docrice

I always prefer the CLI as it's generally less overhead to manage with and often easier to "read" on the screen for me. There are cases where a GUI is preferred, but as a general rule I reach for the command line first if I have a choice. As soon as I have to manage something through a web UI, I have to consider the potential of web-based attacks, browser plugins, etc. which increases the attack surface.

In addition, if a network device has a web management interface available, it immediately becomes a candidate for web application scanning which adds more time to a vuln scan.

ande0255

Always CLI for Firewalls and troubleshooting voice routers, CCA or CCP I'll use for an advanced setup but I use CLI for adding ephones or dn's.

pitviper

Voice/Routing/Switching 100% CLI. Same for ASA unless I’m implementing something new – If so, I’ll use the GUI and analyze the configuration changes, then use the CLI (like your instructor mentioned).

Zone-Based Firewalls are a different story if you started out with a GUI generated config – they are a nightmare to work on via the CLI after that.

CoolAsAFan

Very interesting replies, it is cool to get an insight into how you guys do your jobs because hopefully I will be there one day!

xnx

docrice wrote: »

I always prefer the CLI as it's generally less overhead to manage with and often easier to "read" on the screen for me. There are cases where a GUI is preferred, but as a general rule I reach for the command line first if I have a choice. As soon as I have to manage something through a web UI, I have to consider the potential of web-based attacks, browser plugins, etc. which increases the attack surface.

In addition, if a network device has a web management interface available, it immediately becomes a candidate for web application scanning which adds more time to a vuln scan.

Yes, especially if your Front end code is as bad as Asus and D-Link..

matai

We're 99% GUI due to Merakis which I like a lot.

maharaliel

We are using GUI ASDM with ASA firewall configuration and CLI when configuring router or switches.

matt333

CLI 99.9% of the time Routing/switching and Gui for firewalls/ASA 80% of the time.

GreenLantern

I work with Cisco,Juniper,brocade,riverbed,mcafee. The only time I have used a GUI is when changing an image on a Juniper.
I have never used the CCP except to practice for the CCNA:SECURITY exam.

JDMurray

I used the command line for years before I saw a GUI (Windows 1.0 and 2.0, Macintosh, and the X Window System) and didn't think much of them. I still prefer the CLI for tools with simple and list output (Nmap, tracert, etc.). However, you can't beat grids and tables in a Web browser-based GUI for carving and massaging log and packet data. The right tool for the right job.

MAC_Addy

100% command line for (cisco) routers, switches, and ASA's. Even on the voice routers I prefer CLI. Though, when it comes to HP and other products, I always use GUI.

cisco_trooper

I use CLI for all cutovers. I will use the ASDM to just look at things sometimes, but never for configuration. I don't like what it does to the configuraton, and there still to this day is not 100% parity with the CLI.

With the CLI, you can **** a full configuration to text, throw it on a lab device if needed, make all cutover specific changes and have a full cutover config ready to go. All you do is hit enter or maybe copy it to startup and reload. This is the easiest and most painless way to handle a cutover.

Customer: How long is this going to take?
Me: You can go get coffee, but we will be done before you get back.
Customer:

cisco_trooper

BUT, start gearing yourself up for some GUI work. TRUST me on that.