Discussion:
[rancid] Question and potential feature request
Matthew Twomey
2008-03-06 20:51:55 UTC
Greetings,

I have been a long time user of Rancid and I've always thought it was a
fantastic tool. Recently I've been revamping our backups and that has gotten
me to thinking about a couple of things:

1. We back up literally hundreds of devices with Rancid and due to
inconsistency across Cisco IOS releases we are struggling to keep ahead of
the curve when it comes to specifying autoenable 1 or autoenable 0. I don't
always manage the routers I back up, so an updated IOS often reverses this
requirement (e.g. used to work with autoenable on and now it needs it off).
This also often happens when router administrators enable/disable/make
certain changes to tacacs. In any event I'm wondering if anyone has thought
of a way to autodetect the autoenable state of a device?

2. I'm guessing this has been asked before, but I find myself often wishing
there was a grouping feature in the .cloginrc file so that you could define
a group of routers or globs and then apply commands to the group. Something
like:

add group tacacs_ios_cisco_routers r1.aaa.com, r2.aaa.com s3.bbb.com,
s4.bbb.com

add autoenable tacacs_ios_cisco_routers 1
add password tacacs_ios_cisco_routers mypasswd

Has this idea been considered or is there something else which might get me
closer to this?

Thanks!

-Matt
Sam Munzani
2008-03-06 21:49:28 UTC
Matthew,

We have a lot of device types too. Below is how we get around these
challenges.
Post by Matthew Twomey
Greetings,
I have been a long time user of Rancid and I've always thought it was a
fantastic tool. Recently I've been revamping our backups and that has gotten
1. We back up literally hundreds of devices with Rancid and due to
inconsistency across Cisco IOS releases we are struggling to keep ahead of
the curve when it comes to specifying autoenable 1 or autoenable 0. I don't
always manage the routers I back up, so an updated IOS often reverses this
requirement (e.g. used to work with autoenable on and now it needs it off).
This also often happens when router administrators enable/disable/make
certain changes to tacacs. In any event I'm wondering if anyone has thought
of a way to autodetect the autoenable state of a device?

Our rancid box runs net-snmp package too. Using snmptrap command, we
send out a trap to our monitoring station if the backup failed to a
device. The trap we send passes the IP address of failed device so the
NetCool associates alert to the failed device. Then somebody can look at
the log and find out if the password changed or account got locked out etc.

Post by Matthew Twomey
2. I'm guessing this has been asked before, but I find myself often wishing
there was a grouping feature in the .cloginrc file so that you could define
a group of routers or globs and then apply commands to the group. Something
add group tacacs_ios_cisco_routers r1.aaa.com, r2.aaa.com s3.bbb.com,
s4.bbb.com
add autoenable tacacs_ios_cisco_routers 1
add password tacacs_ios_cisco_routers mypasswd

This kind of feature is surely helpful but we found the RegEx mostly
addresses our needs.

add autoenable r*.com 1 etc.

Post by Matthew Twomey
Has this idea been considered or is there something else which might get me
closer to this?
Thanks!
-Matt
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Steve Snodgrass
2008-03-07 02:45:03 UTC
Post by Matthew Twomey
Greetings,
I have been a long time user of Rancid and I've always thought it was a
fantastic tool. Recently I've been revamping our backups and that has gotten
1. We back up literally hundreds of devices with Rancid and due to
inconsistency across Cisco IOS releases we are struggling to keep ahead of
the curve when it comes to specifying autoenable 1 or autoenable 0. I don't
always manage the routers I back up, so an updated IOS often reverses this
requirement (e.g. used to work with autoenable on and now it needs it off).
This also often happens when router administrators enable/disable/make
certain changes to tacacs. In any event I'm wondering if anyone has thought
of a way to autodetect the autoenable state of a device?
This might be nice for me too. I'm bringing up a rancid install for the
first time and I was banging my head on the wall today because I can't
figure out any way to get my ASAs to log directly into enable mode like
I do on the IOS boxes using a TACACS server. Obviously I could manually
specify autoenable 0 for the ASAs, but this would be a cool feature.
--
Steve Snodgrass * ***@pheran.com * Network/Security/Linux/Perl Geek
"If you want to be somebody else, change your mind." -Sister Hazel
Lance Vermilion
2008-03-07 03:57:34 UTC
All,

Correct me if I am wrong but RANCID is supposed to back up your
configurations. It does that very well. Having to do all this extra
figuring out etc can add extra fat in the scripts to make it figure
what it should be doing and yet it still may not always work. If
something fails you will get an email from RANCID. That should be a
pretty good heads up that something has been changed. To me that is
when I also go and verify nothing else has changed. As a network admin
I like to know what is changing.

Sam pointed out a very simple solution to bring it front and center and
allow it to get a ticket opened on it etc. Then again it does require
some knowledge of programming.

Just my two cents.

-Lance
Matthew Twomey
2008-03-07 14:11:32 UTC
I agree that it does it well, but that doesn't mean new capabilities or
features can't be added. We don't have an issue getting notified when
backups fail, we're just trying to reduce the number of occurrences of this
as well as reduce the windows of "unprotected time" that take place between
the time a backup failed and the appropriate corrections are made. Reducing
the likelihood of a backup failure would help with this.

Thanks,

-Matt

john heasley
2008-03-11 18:58:19 UTC
The tool/computer should do the work for you, if possible.

I suppose there is no reason it couldn't do this, at least for cisco, and
procket. If it considers all the possible prompts and can determine which
are enabled and not enabled, then it should be ok.

Perhaps something like the attached.
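
The prompt-based detection discussed in this thread, sketched as an added example. It is not the attachment mentioned above and not RANCID's own code (clogin is an Expect script). It assumes the Cisco-style convention that a prompt ending in `>` is unprivileged and one ending in `#` is enabled; the function names and sample transcripts are constructed for illustration.

```python
import re

# Assumption: Cisco-style CLI, where "host>" is user EXEC (not enabled) and
# "host#" or "host(config...)#" is privileged. Other vendors may differ.
_PROMPT = re.compile(
    r"^(?P<host>[\w.\-/:@]+)(?P<mode>\([\w\-]+\))?(?P<end>[>#])$"
)


def last_line(session_text):
    """Return the final non-empty line the device sent after login."""
    lines = [l.strip() for l in session_text.replace("\r", "\n").split("\n")]
    lines = [l for l in lines if l]
    return lines[-1] if lines else ""


def detect_enabled(session_text):
    """True = already enabled, False = not enabled, None = cannot tell."""
    m = _PROMPT.match(last_line(session_text))
    if m is None:
        return None  # banner only, password prompt, unknown vendor prompt
    return m.group("end") == "#"


def needs_enable(session_text, configured_autoenable):
    """Decide whether 'enable' must be sent after login.

    Falls back to the operator's configured autoenable value when the
    prompt is not recognised, so detection never overrides a setting it
    cannot justify.
    """
    detected = detect_enabled(session_text)
    if detected is None:
        return not configured_autoenable
    return not detected


# Constructed sample transcripts (not captured from real devices).
SAMPLES = {
    "banner_then_user": "### Authorized access only ###\r\n\r\nrouter1>",
    "tacacs_autoenable": "\r\nr1.aaa.com#",
    "config_mode": "asa1(config)# ",
    "still_authenticating": "Username: rancid\r\nPassword: ",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, detect_enabled(text), needs_enable(text, True))
```

Only the last non-empty line is classified, so a login banner that happens to contain `#` or `>` does not affect the result.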