Git for Network Engineers: Version Control Meets Configuration Control - Packet Flow: Journey to Network & Cybersecurity Expertise

Every network outage has a story. Git just makes sure you never forget who wrote it

Before You Begin

Before diving into Git, let’s get a few things straight:

You’ll need administrative or privileged access to your network device. Without it, you can’t export or back up configurations.
Ensure your device supports SSH or SCP for secure transfers. If it doesn’t, use a Python-based tool (like Netmiko) or an automation platform like Ansible.
Git is the version control system, the command-line tool that tracks your changes.
GitHub, GitLab, or Bitbucket are hosting platforms that store your repositories online. Git works independently; those platforms just make sharing and collaboration easier.

Think of Git as the engine, and GitHub as the garage where you park your work.

Why Git Belongs in Networking

If you’ve ever asked “Who changed this?” or “Why is this VLAN missing?”, you already understand the need for version control.

Networks evolve daily, new devices, new policies, new mistakes. Git ensures those changes are recorded, recoverable, and reviewable. It transforms configuration chaos into configuration history.

Installation

Ubuntu

sudo apt update
sudo apt install git -y

Windows

Download Git for Windows. It includes Git Bash, a Linux-like shell.
Alternative: Use Windows Terminal for a more modern interface, it supports Git commands and integrates well with PowerShell or WSL (Windows Subsystem for Linux).

macOS

brew install git

Then configure your identity:

git config --global user.name "Your Name"
git config --global user.email "[email protected]"
git config --global init.defaultBranch main

main represents your stable network baseline, the “known good” configuration.

Creating and Tracking Configurations

Create a repository for your configuration backups:

mkdir network-backups
cd network-backups
git init

Export or copy your configuration file into it. Depending on your vendor, I only have Cisco, for other vendors please check your manuals.

Cisco IOS: Use show running-config and redirect to a file.

Then track it:

git add r1.cfg
git commit -m "Initial commit - added R1 configuration"

Every commit is a snapshot, a record of your network’s state in time.

Reviewing and Understanding Changes

Before committing updates, always inspect what changed:

git diff

Git shows additions in green, deletions in red, your “before and after.”

Once verified:

git commit -am "Updated VLAN assignments and ACLs"

Tip: The -am flag is a shortcut, it stages only modified, already-tracked files and commits them.
It’s roughly equivalent to running:

git add .
git commit -m "message"

…but it will not include brand new files.

To see your commit history:

git log

To restore a previous version of a configuration:

git restore --source 2f4e1b9 r1.cfg

2f4e1b9 is the start of a commit hash, find the full hash using git log.

Branching for Change Management

Branches let you test safely without touching production configurations.

git checkout -b vlan-upgrade

You can experiment here without fear. When the change is tested:

git switch main
git merge vlan-upgrade

This merges the tested configuration into your stable baseline.

If a merge conflict appears:

<<<<<<< HEAD
ip route 0.0.0.0 0.0.0.0 192.168.1.1
=======
ip route 0.0.0.0 0.0.0.0 10.0.0.1
>>>>>>> vlan-upgrade

Git flags both versions. Choose the correct one, delete the conflict markers, then:

git add r1.cfg
git commit -m "Resolved route conflict"

Best Practice: For teams, follow a naming convention—
feature/vlan-upgrade, bugfix/acl-adjustment, hotfix/firewall-policy.
If your team grows, consider structured workflows like GitFlow or trunk-based development.

Automating with Git (Securely)

Automation can save you hours. But security must come first.

Here’s a simple backup automation script for reference:

#!/bin/bash
# backup-configs.sh - nightly Cisco IOS/IOS-XE config backup
# Requires SSH key authentication (NO plaintext passwords)
# Tip: add a Host entry in ~/.ssh/config for router01 if needed.

set -euo pipefail

DATE="$(date +'%Y-%m-%d_%H-%M-%S')"
BACKUP_DIR="/configs"
DEVICE_HOST="router01"           # SSH Host or alias
DEVICE_USER="admin"              # SSH user
OUTPUT_FILE="r1-running.cfg"     # Local filename

cd "$BACKUP_DIR"

# 1) Sync latest from remote (beginner-safe: merge if needed)
git pull origin main

# 2) Fetch running-config from Cisco device over SSH
#    - 'terminal length 0' disables paging so the full config prints
#    - capture stdout to the local file
ssh -o BatchMode=yes "${DEVICE_USER}@${DEVICE_HOST}" \
  'terminal length 0 ; show running-config' > "${OUTPUT_FILE}.tmp"

# 3) Optionally normalize/clean output (uncomment if you want to strip headers)
# sed -i '/^Building configuration/d;/^Current configuration/d' "${OUTPUT_FILE}.tmp"

# 4) Only commit if there is a change (prevents empty commits)
if ! test -f "${OUTPUT_FILE}" || ! cmp -s "${OUTPUT_FILE}.tmp" "${OUTPUT_FILE}"; then
  mv "${OUTPUT_FILE}.tmp" "${OUTPUT_FILE}"
  git add "${OUTPUT_FILE}"
  git commit -m "Automated Cisco backup on ${DATE}"
  git push origin main
else
  rm -f "${OUTPUT_FILE}.tmp"
  echo "No changes detected; nothing to commit."
fi

Security Warning: Never hardcode passwords into scripts. Use SSH keys for authentication.
Generate them safely:

ssh-keygen -t ed25519 -C "[email protected]"
cat ~/.ssh/id_ed25519.pub

Add the public key to your GitHub or GitLab account under Settings → SSH Keys.

Note: Different vendors export configs differently. For Cisco, use show running-config via Python (Netmiko).

No one-size-fits-all exists, automate responsibly and test before deploying.

Production Consideration: Add error handling for failed SCP transfers, connectivity loss, or permission issues. Even a simple if [ $? -ne 0 ]; then echo "Backup failed"; fi check helps prevent silent data loss.

Working with Remote Repositories (and SSH Setup)

To push your backups to a secure remote:

git remote add origin https://github.com/yourname/network-backups.git
git push -u origin main

Switch to SSH for automation and security:

git remote set-url origin [email protected]:yourname/network-backups.git

Reminder:
SSH setup requires key generation and registration:

Generate an SSH key: ssh-keygen -t ed25519 -C "[email protected]"
Add the public key (~/.ssh/id_ed25519.pub) to your GitHub or GitLab profile.
Test with: ssh -T [email protected]

Once configured, automation scripts can sync repositories securely without storing credentials.

Why a Central Repository Matters

Your remote repository becomes your single source of truth.
It ensures every engineer works from the same configuration baseline.

Benefits:

No more “latest-final.cfg” confusion.
Full audit trail of every edit.
Easy peer review before production deployment.

Clarification: Git is the engine; GitHub and GitLab are hosting garages. You can self-host your own “Git server” if your environment is security-sensitive.

Rollbacks and Recovery

If a new configuration breaks production, revert with confidence:

Recommended:

git revert 2f4e1b9

This creates a new commit that safely undoes the previous one while preserving history.

Use with caution:

git reset --hard 2f4e1b9
git push --force

This wipes commits after the target and rewrites history, safe for local repos, dangerous for shared ones.

Always prefer revert over reset for production repositories. It’s safer, cleaner, and auditable.

The Git Mental Model (For Network Engineers)

Commit: A configuration snapshot in time.
Branch: A sandbox for experimentation.
Merge: Combining tested changes into production.
Remote: A backup or collaboration hub for your configurations.

Git doesn’t just store files, it stores your network’s evolution.

Visual Learning Aids

Visuals make Git intuitive. Add:

Screenshot: git status showing untracked vs. staged files.
Animated GIF: Demonstrating the cycle of git add → git commit → git push.
Diff Diagram: Visualizing red and green changes.
Branch Tree Graphic: Showing main, feature, and merged branches.

For network engineers, a diagram often teaches faster than documentation.

The Takeaway

Git brings discipline to the command line.
It makes your network auditable, recoverable, and collaborative.

Once you start using Git for your configurations, you’ll never again wonder, “Who changed this?”, because Git will tell you, line by line.