Discussion:
[rancid] Pulling down context configs from a Cisco FWSM
Justin Shore
2007-03-26 15:02:36 UTC
Does anyone have any tricks for using RANCID to pull down Cisco firewall
(Pix/ASA or FWSM) contexts to stuff them into CVS? I don't know when a
context has been added, so I would expect the script would have to
connect to the admin context, changeto the system context and then run
"show contexts" and parse the output of the first column to find out
what contexts are available. It would then have to changeto each
context, pull down the data and move on to the next context. For that
matter I'd like to get the content of the system context as well.

Does anyone have any tricks for working with firewalls that have more
than one context? I'm guessing that I'm not the only person with such a
beast. :-)

Thanks
Justin
Lance
2007-03-26 15:54:48 UTC
Justin,

Great idea. To add to it, you don't want to include the admin context.
Any others, including system, which does not show up in a "show
contexts". I am not sure how the config looks for the admin view with
multiple contexts, but we have only the admin and system contexts and
the configs are the same, as far as I can tell.

act/hq-pix-1/admin# show context
Context Name Class Interfaces URL
*admin default GigabitEthernet0/0, disk0:/admin.cfg
GigabitEthernet0/1,
GigabitEthernet0/2,
GigabitEthernet1/0,
GigabitEthernet1/1,
Management0/0
-------- Original Message --------
Subject: [rancid] Pulling down context configs from a Cisco FWSM
Date: Mon, March 26, 2007 8:02 am
Does anyone have any tricks for using RANCID to pull down Cisco firewall
(Pix/ASA or FWSM) contexts to stuff them into CVS? I don't know when a
context has been added, so I would expect the script would have to
connect to the admin context, changeto the system context and then run
"show contexts" and parse the output of the first column to find out
what contexts are available. It would then have to changeto each
context, pull down the data and move on to the next context. For that
matter I'd like to get the content of the system context as well.
Does anyone have any tricks for working with firewalls that have more
than one context? I'm guessing that I'm not the only person with such a
beast. :-)
Thanks
Justin
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Rob Shepherd
2007-03-27 10:24:29 UTC
Post by Lance
Justin,
Great idea. [...] I am not sure how the config looks for the admin view with
multiple contexts, but we have only the admin and system contexts and
the configs are the same that I can tell.
Here is the output from my system with multiple contexts.
Post by Lance
cast-tec-mr2-c5-fsm1/cast# changeto system
cast-tec-mr2-c5-fsm1# show context
Context Name Class Interfaces URL
*cast cast vlan3,164,501,511 disk:/cast.cfg
university university vlan216,316,416,501,511 disk:/university.cfg
inspired-broadcast inspired-b vlan217,317,417,501,511 disk:/inspired-broadcast.cfg
bdex default vlan218,318,418,501,511 disk:/bdex.cfg
cast-shared-servers cast vlan102,511 disk:/cast-shared-servers.cfg
alcatel-ipt alcatel-ip vlan511,601,616-626,632 disk:/alcatel-ipt.cfg
netability netability vlan219,319,419,501,511 disk:/netability.cfg
etl etl vlan223,323,423,501,511 disk:/etl.cfg
celeritas celeritas vlan220,320,420,501,511 disk:/celeritas.cfg
brandsauce brandsauce vlan221,321,421,501,511 disk:/brandsauce.cfg
eon eon vlan222,322,422,501,511 disk:/eon.cfg
neat3d neat3d vlan224,324,424,501,511 disk:/neat3d.cfg
lightwave-technologies lightwave- vlan225,325,425,501,511 disk:/lightwave-technologies.cfg
guest-networks guest-netw vlan426,501,504-505,508,511 disk:/guest-networks.cfg
event-networks event-netw vlan501,506-507,511 disk:/event-networks.cfg
wag wag vlan226,326,501,511 disk:/wag.cfg
Total active Security Contexts: 16
cast-tec-mr2-c5-fsm1#
So, in through the system context (*)...

login
enable
changeto system
show context | awk '{print $1}' | sed -e 's/\*//g' | while read CTXT
do
changeto context $CTXT
# normal RANCID operations
changeto system
done

I would be very interested in having this functionality.
I would also be interested in helping to code up the changes necessary. However I've never coded in perl, so I can't understand most of rancid.

Does somebody who knows the architecture have the time to block diagram the required changes? And mock up the process by which multiple context
outputs can go to different files in the repository, just like separate hosts.

I'm eager to get a reliable backup system for my multi context FWSMs.

I've also got Standby-Failover FWSMs, but that's a headache for another day...

Cheers

Rob
--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
***@techniumcast.com | 01248 675024 | 077988 72480
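The loop sketched above needs two pieces that the thread leaves implicit: picking the context names out of "show context" without also picking up the header, the "*" marker on the current context, wrapped interface lines or the "Total active" footer, and turning that list into the fixed command sequence a login script would replay. The following is an added example written for this page in Python (RANCID itself is Perl and Expect; this is not RANCID code). The sample output is constructed after the FWSM and PIX listings posted in the thread, and "show running-config" is assumed as the per-context collection command.

```python
import re

# Constructed sample, modelled on the 'show context' output posted in this
# thread: '*' marks the context the session is in, the admin context's
# interface list wraps onto continuation lines, and a 'Total active' footer
# closes the table.
SAMPLE_SHOW_CONTEXT = """\
Context Name      Class      Interfaces                    URL
*admin            default    GigabitEthernet0/0,           disk0:/admin.cfg
                             GigabitEthernet0/1,
                             Management0/0
university        university vlan216,316,416,501,511       disk:/university.cfg
alcatel-ipt       alcatel-ip vlan511,601,616-626,632       disk:/alcatel-ipt.cfg
Total active Security Contexts: 3
"""

# A context's config URL looks like disk0:/admin.cfg or disk:/etl.cfg (a
# filesystem prefix, a colon, a path). It is the one field every context row
# carries and no header, footer, prompt or continuation line does, so it is
# a safer row marker than counting columns.
CONFIG_URL = re.compile(r"^[A-Za-z0-9_-]+:/\S+$")


def parse_show_context(text):
    """Return [(context_name, config_url), ...] in the order the device lists them.

    Header, footer, echoed prompts and wrapped interface lines are dropped;
    the leading '*' on the current context is stripped so that 'admin' and
    '*admin' name the same context.
    """
    contexts = []
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue                      # wrapped interface list, not a context row
        fields = line.split()
        if len(fields) < 2 or not CONFIG_URL.match(fields[-1]):
            continue                      # header, 'Total active ...' footer or prompt
        name = fields[0].lstrip("*")
        contexts.append((name, fields[-1]))
    return contexts


def collection_plan(context_names, include_system=True):
    """Command sequence for one collection pass, starting from the system context.

    Mirrors the loop sketched in the thread: visit each context, run the
    collection command there, and return to the system context so the next
    'changeto context' is always issued from a known place. The system
    context does not appear in 'show context', so it is collected explicitly.
    """
    commands = ["changeto system"]
    if include_system:
        commands.append("show running-config")
    for name in context_names:
        commands += ["changeto context %s" % name,
                     "show running-config",
                     "changeto system"]
    return commands


if __name__ == "__main__":
    found = parse_show_context(SAMPLE_SHOW_CONTEXT)
    print("contexts:", [name for name, _ in found])
    print("\n".join(collection_plan([name for name, _ in found])))
```

Because the parser keys on the config URL column rather than on column position, the same function works on the two-context admin listing and the sixteen-context FWSM listing in this thread, and on a raw transcript that still contains the echoed prompt lines.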
Lance
2007-03-27 14:55:40 UTC
In my opinion it shouldn't be too hard. The hardest part would be
looking at the output from "show contexts" and substringing or
delimiting the line via expect and then dynamically changing to each
one and doing the commands needed. The perl part I would like to
think would be the easy part. With some work I am sure I could come up
with something. I am just wrapped up in another project with IP Plan.
Once I finish that I would love to attempt this.

Ed Ravin should be able to code something pretty quick. He has solid
coding skills and should be able to do this in a matter of a few hours
max I would think. That is up to him though.


Other options are Austin Schutz and John Heasley. I know their work is
solid as well.

-Lance
-------- Original Message --------
Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
Date: Tue, March 27, 2007 3:24 am
Post by Lance
Justin,
Great idea. [...] I am not sure how the config looks for the admin view with
multiple contexts, but we have only the admin and system contexts and
the configs are the same that I can tell.
Here is the output from my system with multiple contexts.
Post by Lance
cast-tec-mr2-c5-fsm1/cast# changeto system
cast-tec-mr2-c5-fsm1# show context
Context Name Class Interfaces URL
*cast cast vlan3,164,501,511 disk:/cast.cfg
university university vlan216,316,416,501,511 disk:/university.cfg
inspired-broadcast inspired-b vlan217,317,417,501,511 disk:/inspired-broadcast.cfg
bdex default vlan218,318,418,501,511 disk:/bdex.cfg
cast-shared-servers cast vlan102,511 disk:/cast-shared-servers.cfg
alcatel-ipt alcatel-ip vlan511,601,616-626,632 disk:/alcatel-ipt.cfg
netability netability vlan219,319,419,501,511 disk:/netability.cfg
etl etl vlan223,323,423,501,511 disk:/etl.cfg
celeritas celeritas vlan220,320,420,501,511 disk:/celeritas.cfg
brandsauce brandsauce vlan221,321,421,501,511 disk:/brandsauce.cfg
eon eon vlan222,322,422,501,511 disk:/eon.cfg
neat3d neat3d vlan224,324,424,501,511 disk:/neat3d.cfg
lightwave-technologies lightwave- vlan225,325,425,501,511 disk:/lightwave-technologies.cfg
guest-networks guest-netw vlan426,501,504-505,508,511 disk:/guest-networks.cfg
event-networks event-netw vlan501,506-507,511 disk:/event-networks.cfg
wag wag vlan226,326,501,511 disk:/wag.cfg
Total active Security Contexts: 16
cast-tec-mr2-c5-fsm1#
So, in through the system context (*)...
login
enable
changeto system
show context | awk '{print $1}' | sed -e 's/\*//g' | while read CTXT
do
changeto context $CTXT
# normal RANCID operations
changeto system
done
I would be very interested in having this functionality.
I would also be interested in helping to code up the changes necessary. However I've never coded in perl, so I can't understand most of rancid.
Does somebody who knows the architecture have the time to block diagram the required changes? And mock up the process by which multiple context
outputs can go to different files in the repository, just like separate hosts.
I'm eager to get a reliable backup system for my multi context FWSMs.
I've also got Standby-Failover FWSMs, but that's a headache for another day...
Cheers
Rob
--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
Ed Ravin
2007-03-27 15:45:12 UTC
Post by Lance
In my opinion it shouldn't be too hard. The hardest part would be
looking at the output from "show contexts" and substringing or
delimiting the line via expect and then dynamically changing to each
one and doing the commands needed.
The problem is that we're asking the *login scripts to do something
that is outside their model - normally the *rancid scripts send the
list of exact commands to run, the *login scripts run them and put the
output in a file, and then the *rancid scripts parse the output.

There's just no hook for dynamic / interactive commands, or returning
multiple files. You've got the ability to "plugin" an external script,
maybe that would be the place to start, to write a TCL script that can
be called with the "-s" option to clogin, that would deliver the
individual files for each context.

But then we have to get the files into the *rancid program. It
would be nice to do this without some ugly hack, like the ones I
usually code to get around RANCID's limitations.
Post by Lance
Ed Ravin should be able to code something pretty quick. He has solid
coding skills and should be able to do this in a matter of a few hours
max I would think. That is up to him though.
Thanks for the flowers, but you are being awfully generous with my time!
I have a suspicion that Austin and John are also otherwise engaged.
Rob Shepherd
2007-03-28 10:16:52 UTC
Post by Ed Ravin
Post by Lance
In my opinion it shouldn't be too hard. The hardest part would be
looking at the output from "show contexts" and substringing or
delimiting the line via expect and then dynamically changing to each
one and doing the commands needed.
The problem is that we're asking the *login scripts to do something
that is outside their model - normally the *rancid scripts send the
list of exact commands to run, the *login scripts run them and put the
output in a file, and then the *rancid scripts parse the output.
There's just no hook for dynamic / interactive commands, or returning
multiple files. You've got the ability to "plugin" an external script,
maybe that would be the place to start, to write a TCL script that can
be called with the "-s" option to clogin, that would deliver the
individual files for each context.
But then we have to get the files into the *rancid program. It
would be nice to do this without some ugly hack, like the ones I
usually code to get around RANCID's limitations.
Post by Lance
Ed Ravin should be able to code something pretty quick. He has solid
coding skills and should be able to do this in a matter of a few hours
max I would think. That is up to him though.
Thanks for the flowers, but you are being awfully generous with my time!
I have a suspicion that Austin and John are also otherwise engaged.
1) An option would be to have a separate component for discovering the contexts and laying them out in a file like hosts are at present.

I'd be happy to do this manually as I only add contexts every 3-4 months anyway.

2) An additional command, after "enable" select the correct context.

...would this be a variation of clogin?

I guess clogin can perform the enable command... and enter the password. Does it detect the change in prompt, to decide if it's in enable mode?

The prompt changes also when in context mode....

Here's the output of a login session. It goes straight to the admin context, then I switch to the system context, then to another context.
Post by Ed Ravin
Type help or '?' for a list of available commands.
cast-tec-mr2-c5-fsm1/cast>
cast-tec-mr2-c5-fsm1/cast> enable
Password: ****
cast-tec-mr2-c5-fsm1/cast# changeto system
cast-tec-mr2-c5-fsm1# changeto context etl
cast-tec-mr2-c5-fsm1/etl#
Would this be a case of extending clogin to perform a context switch?

Cheers

Rob
--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
***@techniumcast.com | 01248 675024 | 077988 72480
Justin Shore
2007-03-28 03:06:43 UTC
Post by Lance
In my opinion it shouldn't be too hard. The hardest part would be
looking at the output from "show contexts" and substringing or
delimiting the line via expect and then dynamically changing to each
one and doing the commands needed. The perl part I would like to
think would be the easy part. With some work I am sure I could come up
with something. I am just wrapped up in another project with IP Plan.
Once I finish that I would love to attempt this.
Ed Ravin should be able to code something pretty quick. He has solid
coding skills and should be able to do this in a matter of a few hours
max I would think. That is up to him though.
Other options are Austin Schutz and John Heasley. I know their work is
solid as well.
I would volunteer but my coding skills are lacking as well. When I get
tired of repeatedly doing something day in and day out I'll spend a
weekend writing a shell script to do it for me. The next weekend I'll
rewrite it in Perl. I'll spend the following week debugging that script
only to get it just right, discover it's now 10x slower and ultimately
revert back to my Bash script. I've done this more times than I care to
admit. :-) I should have paid more attention back in my college CS
courses.

I can however test scripts on my FWSMs. I have 2 in separate chassis in
an A/S configuration. This code should also work or go a long way
towards being able to do the same thing on Pixs/ASAs. I can also
provide moral support to the person that takes this task on. :-)

Justin
Lance
2007-03-27 17:09:00 UTC
Ed,

I am sure you are busy like everyone else. I know you have a very solid
grasp on rancid's files and might be able to offer some insight.

Maybe a "hack" method might be to have clogin do its normal collection
but add "show context" to the commands and then after it evaluates the
output it will login and gather additional information. The additional
information could then be added to the same file that was originally
created.

An Expect approach would be to read a line at a time from "show context"
and do a substring or split on that line and create another array of the
show context commands. I was thinking something like this to capture the
contexts. I basically just created an array out of the lines that were
posted.

set source(0) "cast cast vlan3,164,501,511 disk:/cast.cfg"
set source(1) "university university vlan216,316,416,501,511 disk:/university.cfg"
set source(2) "inspired-broadcast inspired-b vlan217,317,417,501,511 disk:/inspired-broadcast.cfg"
set source(3) "bdex default vlan218,318,418,501,511 disk:/bdex.cfg"
set source(4) "cast-shared-servers cast vlan102,511 disk:/cast-shared-servers.cfg"
set source(5) "alcatel-ipt alcatel-ip vlan511,601,616-626,632 disk:/alcatel-ipt.cfg"
set source(6) "netability netability vlan219,319,419,501,511 disk:/netability.cfg"
set source(7) "etl etl vlan223,323,423,501,511 disk:/etl.cfg"
set source(8) "celeritas celeritas vlan220,320,420,501,511 disk:/celeritas.cfg"
set source(9) "brandsauce brandsauce vlan221,321,421,501,511 disk:/brandsauce.cfg"
set source(10) "eon eon vlan222,322,422,501,511 disk:/eon.cfg"
set source(11) "neat3d neat3d vlan224,324,424,501,511 disk:/neat3d.cfg"
set source(12) "lightwave-technologies lightwave- vlan225,325,425,501,511 disk:/lightwave-technologies.cfg"
set source(13) "guest-networks guest-netw vlan426,501,504-505,508,511 disk:/guest-networks.cfg"
set source(14) "event-networks event-netw vlan501,506-507,511 disk:/event-networks.cfg"
set source(15) "wag wag vlan226,326,501,511 disk:/wag.cfg"

# "array get" returns the pairs in hash order, not index order, so walk the
# indices explicitly to keep the contexts in the order the firewall listed them
for {set i 0} {$i < [array size source]} {incr i} {
    set line [split $source($i)]
    set context [lindex $line 0]
    puts $context
}

Output:
$ /usr/local/bin/expect split.exp
cast
university
inspired-broadcast
bdex
cast-shared-servers
alcatel-ipt
netability
etl
celeritas
brandsauce
eon
neat3d
lightwave-technologies
guest-networks
event-networks
wag

-lance
-------- Original Message --------
Subject: Re: [rancid] Re: Pulling down context configs from a Cisco FWSM
Date: Tue, March 27, 2007 8:45 am
Post by Lance
In my opinion it shouldn't be too hard. The hardest part would be
looking at the output from "show contexts" and substringing or
delimiting the line via expect and then dynamically changing to each
one and doing the commands needed.
The problem is that we're asking the *login scripts to do something
that is outside their model - normally the *rancid scripts send the
list of exact commands to run, the *login scripts run them and put the
output in a file, and then the *rancid scripts parse the output.
There's just no hook for dynamic / interactive commands, or returning
multiple files. You've got the ability to "plugin" an external script,
maybe that would be the place to start, to write a TCL script that can
be called with the "-s" option to clogin, that would deliver the
individual files for each context.
But then we have to get the files into the *rancid program. It
would be nice to do this without some ugly hack, like the ones I
usually code to get around RANCID's limitations.
Post by Lance
Ed Ravin should be able to code something pretty quick. He has solid
coding skills and should be able to do this in a matter of a few hours
max I would think. That is up to him though.
Thanks for the flowers, but you are being awfully generous with my time!
I have a suspicion that Austin and John are also otherwise engaged.
Lance
2007-03-28 14:19:19 UTC
Rob,

When you do a "show run" after changing contexts does it give you a
slightly different config or an entirely different config.
Unfortunately at my place of business we only have a need to run 2
basic contexts, the default admin and system. So I don't work with
them.

I don't intend on this being a context session 101, but why do you
create contexts for each customer you have (as it appears to me)? You
might enlighten me and I might switch to such a model. :-D

-Lance
-------- Original Message --------
Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
Date: Wed, March 28, 2007 3:16 am
Post by Ed Ravin
Post by Lance
In my opinion it shouldn't be too hard. The hardest part would be
looking at the output from "show contexts" and substringing or
delimiting the line via expect and then dynamically changing to each
one and doing the commands needed.
The problem is that we're asking the *login scripts to do something
that is outside their model - normally the *rancid scripts send the
list of exact commands to run, the *login scripts run them and put the
output in a file, and then the *rancid scripts parse the output.
There's just no hook for dynamic / interactive commands, or returning
multiple files. You've got the ability to "plugin" an external script,
maybe that would be the place to start, to write a TCL script that can
be called with the "-s" option to clogin, that would deliver the
individual files for each context.
But then we have to get the files into the *rancid program. It
would be nice to do this without some ugly hack, like the ones I
usually code to get around RANCID's limitations.
Post by Lance
Ed Ravin should be able to code something pretty quick. He has solid
coding skills and should be able to do this in a matter of a few hours
max I would think. That is up to him though.
Thanks for the flowers, but you are being awfully generous with my time!
I have a suspicion that Austin and John are also otherwise engaged.
1) An option would be to have a separate component for discovering the contexts and laying them out in a file like hosts are at present.
I'd be happy to do this manually as I only add contexts every 3-4 months anyway.
2) An additional command, after "enable" select the correct context.
...would this be a variation of clogin?
I guess clogin can perform the enable command... and enter the password. Does it detect the change in prompt, to decide if it's in enable mode?
The prompt changes also when in context mode....
Here's the output of a login session. It goes straight to the admin context, then I switch to the system context, then to another context.
Post by Ed Ravin
Type help or '?' for a list of available commands.
cast-tec-mr2-c5-fsm1/cast>
cast-tec-mr2-c5-fsm1/cast> enable
Password: ****
cast-tec-mr2-c5-fsm1/cast# changeto system
cast-tec-mr2-c5-fsm1# changeto context etl
cast-tec-mr2-c5-fsm1/etl#
Would this be a case of extending clogin to perform a context switch?
Cheers
Rob
--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
Rob Shepherd
2007-03-28 14:30:46 UTC
Post by Lance
Rob,
When you do a "show run" after changing contexts, does it give you a
slightly different config or an entirely different config?
It's an entirely different config. Each context is like a virtual PIX.
(until you get down to feature completeness and command compatibility
that is :) )
Post by Lance
Unfortunately at my place of business we only have a need to run 2
basic contexts, the default admin and system. So I don't work with
them.
I don't intend on this being a context session 101, but why do you
create contexts for each customer you have (as it appears to me)? You
might enlighten me and I might switch to such a model. :-D
I do this because it permits me to hand off control of a context to a
particular customer, if they want to do the config themselves.

They can then SSH or PDM independently.

Also there are some limitations with things like DNS/DHCP. I haven't found
a way to have different DNS server options output by the dhcpd
service on different interfaces. Same for extra options, like vendor
specific 43, which differs for each customer, for Alcatel AVA.

I'm really eager to get the contexts + system backed up automatically
by rancid. I do it manually at present. :(

If there's anything I can do to progress the development of such a
feature, somebody please enlighten me. I'm not a perl devel though, but
there's one sat next to me, who isn't a network engineer however. If I
know what to code I can help get it done.....
But I need the input from somebody who knows the architecture of rancid....

Cheers

Rob
--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
***@techniumcast.com | 01248 675024 | 077988 72480
Justin Shore
2007-03-29 02:47:38 UTC
Post by Rob Shepherd
Post by Lance
I don't intend on this being a context session 101, but why do you
create contexts for each customer you have (as it appears to me)? You
might enlighten me and I might switch to such a model. :-D
I do this because it permits me to hand off control of a context to a
particular customer, if they want to do the config themselves.
They can then SSH or PDM independently.
Also there are some limitations with things like DNS/DHCP. I haven't found
a way to have different DNS server options output by the dhcpd
service on different interfaces. Same for extra options, like vendor
specific 43, which differs for each customer, for Alcatel AVA.
That's one of the main reasons for us. We fully expect some customers
to want to control their own context. This way we can just hand it off
to them. It also gives us the option of putting these customers in VRFs
which afford a better layer of security between customers than simple
VLANs. Customers that tunnel to us can have their own IGP in their VRF,
can have IP subnets that would otherwise conflict with another
customer's, etc. MPLS VRFs also hide the underlying network
components from the VRF itself. It's really quite slick and very
complex (I don't pretend to fully understand it but I'm getting better).

Justin
Lance
2007-03-28 17:38:42 UTC
Rob,

I am not sure the best method would be to make a config that large as it
would be hard to report on the changes and know where the changes were
other than on that asa/pix. The way I would think about doing it would
be to create a config for the pix/asa using system/admin then create a
series of config files for each context but name it something like this
"ops-pix-01-context-timewarner.conf". This would allow you to be
notified of each one being updated etc and keep the config file from
getting huge.

The way I would go about doing this would be to use the addon that Ed
Ravin published a while back. I would specify a custom portion in
bin/rancid-fe for ASA/Pixes (that use contexts) and then collect the
config like normal but also collect information on "show context" so
that I can parse it after the config is collected. Then log into the
device and issue a changeto for each context and log each output to a
new file. Another file would need to be updated as well, this being
bin/clogin. The file would need to be updated to know it has to modify
the file it creates to reflect the context name.

It is possible to do it another way such as creating host entries in
your /etc/host file for each context on each firewall, but that would
be a great idea as it wouldn't scale well and wouldn't be completely
dynamic as we like to have things these days.

I will see if I can take a stab at it this weekend. No promises.

-lance
-------- Original Message --------
Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
Date: Wed, March 28, 2007 7:30 am
Post by Lance
Rob,
When you do a "show run" after changing contexts, does it give you a
slightly different config or an entirely different config?
It's an entirely different config. Each context is like a virtual PIX.
(until you get down to feature completeness and command compatibility
that is :) )
Post by Lance
Unfortunately at my place of business we only have a need to run 2
basic contexts, the default admin and system. So I don't work with
them.
I don't intend on this being a context session 101, but why do you
create contexts for each customer you have (as it appears to me)? You
might enlighten me and I might switch to such a model. :-D
I do this because it permits me to hand off control of a context to a
particular customer, if they want to do the config themselves.
They can then SSH or PDM independently.
Also there are some limitations with things like DNS/DHCP. I haven't found
a way to have different DNS server options output by the dhcpd
service on different interfaces. Same for extra options, like vendor
specific 43, which differs for each customer, for Alcatel AVA.
I'm really eager to get the contexts + system backed up automatically
by rancid. I do it manually at present. :(
If there's anything I can do to progress the development of such a
feature, somebody please enlighten me. I'm not a perl devel though, but
there's one sat next to me, who isn't a network engineer however. If I
know what to code I can help get it done.....
But I need the input from somebody who knows the architecture of rancid....
Cheers
Rob
--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
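Two of Lance's suggestions in this thread come down to the same mechanic: collect everything in one login session (whether appended to the normal file or logged as you walk the contexts) and then hand each context's output to its own file, named after the context. The prompt is what makes that split possible, since it changes from "host#" in the system context to "host/context#" inside a context. The following is an added example written for this page in Python, not RANCID or clogin code. The transcript is constructed; "show running-config" is assumed as the collection command, and the "<firewall>-context-<name>.conf" file naming follows Lance's suggestion rather than any RANCID convention.

```python
import re

# Constructed clogin-style transcript (not real device output): one session
# that visits the system context and two user contexts, the walk sketched in
# this thread. Prompts are '<host>#' in system and '<host>/<ctx>#' in a context.
SAMPLE_SESSION = """\
hq-fwsm-1/admin# changeto system
hq-fwsm-1# show running-config
: Saved
hostname hq-fwsm-1
admin-context admin
context admin
  config-url disk:/admin.cfg
context etl
  config-url disk:/etl.cfg
hq-fwsm-1# changeto context admin
hq-fwsm-1/admin# show running-config
: Saved
hostname admin
interface Vlan10
 nameif inside
hq-fwsm-1/admin# changeto system
hq-fwsm-1# changeto context etl
hq-fwsm-1/etl# show running-config
: Saved
hostname etl
access-list outside_in extended permit tcp any host 192.0.2.10 eq https
hq-fwsm-1/etl# changeto system
hq-fwsm-1# exit
"""


def learn_prompt(first_line):
    """Take the device hostname from the first prompt and build a prompt matcher
    anchored on it, so only lines starting with that exact hostname count as
    prompts afterwards; a config line that happens to contain '#' or '>' cannot
    then end a section early."""
    m = re.match(r"^([\w.-]+?)(?:/[\w.-]+)?[>#]", first_line)
    if not m:
        raise ValueError("transcript does not start with a prompt: %r" % first_line)
    host = m.group(1)
    prompt_re = re.compile(r"^%s(?:/(?P<ctx>[\w.-]+))?[>#] ?(?P<cmd>.*)$" % re.escape(host))
    return host, prompt_re


def split_by_context(transcript, collect_cmd="show running-config"):
    """Return (hostname, {context_name: config_text}); 'system' names the system context.

    The command echoed on a prompt line says which output follows; the next
    prompt line (same hostname) closes that section. Output of anything other
    than collect_cmd (the changeto commands, exit) is discarded.
    """
    lines = transcript.splitlines()
    host, prompt_re = learn_prompt(lines[0])
    configs, current = {}, None
    for line in lines:
        m = prompt_re.match(line)
        if m:
            ctx = m.group("ctx") or "system"
            current = ctx if m.group("cmd").strip() == collect_cmd else None
            if current is not None:
                configs.setdefault(current, [])
            continue
        if current is not None:
            configs[current].append(line)
    return host, {ctx: "\n".join(body) + "\n" for ctx, body in configs.items()}


def output_filename(host, ctx):
    """Per-context file name in the '<fw>-context-<name>.conf' form suggested
    in the thread (an assumed scheme, not a RANCID convention)."""
    return "%s-context-%s.conf" % (host, ctx)


if __name__ == "__main__":
    host, configs = split_by_context(SAMPLE_SESSION)
    for ctx, text in configs.items():
        print("==", output_filename(host, ctx), "(%d lines)" % len(text.splitlines()))
        print(text, end="")
```

Learning the prompt from the first line and then matching only that hostname is the same defence RANCID's login scripts rely on: the hostname in the prompt is the one thing the session can trust to delimit command output, whereas a bare "#" or ">" would appear in banners and configs.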
Ed Ravin
2007-03-28 19:18:16 UTC
Post by Lance
It is possible to do it another way such as creating host entries in
your /etc/host file for each context on each firewall, but that would
be a great idea as it wouldn't scale well and wouldn't be completely
dynamic as we like to have things these days.
How about creating a whole new RANCID group for the contexts of a
particular firewall? Then your scripts could manage the router.db
for that group, adding entries when new contexts are discovered, and
create the appropriate config files for each context so that RANCID's
version control scripts think each context is a separate router config,
and do all the diffs and archiving the usual way.

You'd need new "contextrancid" and "contextlogin" scripts. You'd also
need a parent script that would run "contextlogin" to get a list of
contexts on the router, then manage router.db as needed. Maybe that
script could be built into "contextrancid", and it would just have to
keep a statefile somewhere so it could figure out that it's being invoked
multiple times for the same router.

Oh yeah, and you'd need to use either my rancid-fe patches for configurable
device types (see the list archives for my hp4000m or ciscorsh scripts),
or hard-code a new device type in rancid-fe.
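Ed's design hinges on one housekeeping step: a parent script that takes the contexts discovered on a firewall and keeps the group's router.db in step with them, so that RANCID's existing version-control path can treat each context as a separate router. The following is an added example written for this page in Python, not RANCID code. It uses the RANCID 2.x "name:type:state" router.db line format, names entries "<firewall>-context-<name>" (an assumed scheme), and uses "contextfw" as a stand-in for the new device type Ed says would have to be added to rancid-fe. Sample router.db lines and the discovered context list are constructed. Contexts that disappear are flipped to "down" rather than deleted, so the archived config and its history stay in the repository while collection stops.

```python
# Entry naming for a context of a given firewall (assumed scheme, not RANCID's).
ENTRY_SEP = "-context-"
# Stand-in for the per-context device type Ed describes adding to rancid-fe.
DEVICE_TYPE = "contextfw"

# Constructed router.db for a group dedicated to one firewall's contexts. A
# comment line and an unrelated router are included to show they pass through.
SAMPLE_ROUTER_DB = [
    "# contexts on hq-fwsm-1, maintained by the context discovery script",
    "hq-fwsm-1" + ENTRY_SEP + "system:" + DEVICE_TYPE + ":up",
    "hq-fwsm-1" + ENTRY_SEP + "admin:" + DEVICE_TYPE + ":up",
    "hq-fwsm-1" + ENTRY_SEP + "oldcust:" + DEVICE_TYPE + ":up",
    "core-rtr-1:cisco:up",
]
# Constructed discovery result: 'show context' names plus 'system', which the
# caller adds because 'show context' does not list the system context.
DISCOVERED = ["system", "admin", "etl"]


def entry_name(firewall, context):
    return firewall + ENTRY_SEP + context


def reconcile_router_db(existing_lines, firewall, discovered, device_type=DEVICE_TYPE):
    """Return (new_lines, added_contexts, retired_contexts) for the group's router.db.

    Lines are 'name:type:state' (RANCID 2.x). Every discovered context ends up
    with an 'up' entry (existing entries keep their type); entries for this
    firewall whose context is no longer present are set to 'down' rather than
    removed. Comments, blank lines and other devices' entries pass through.
    """
    wanted = set(discovered)
    seen, added, retired, out = set(), [], [], []
    prefix = firewall + ENTRY_SEP
    for raw in existing_lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#") or line.count(":") < 2:
            out.append(line)                    # comment, blank or malformed: untouched
            continue
        name, dtype, state = line.split(":", 2)
        if not name.startswith(prefix):
            out.append(line)                    # some other device's entry
            continue
        ctx = name[len(prefix):]
        seen.add(ctx)
        if ctx in wanted:
            out.append("%s:%s:up" % (name, dtype))
        else:
            if state != "down":
                retired.append(ctx)             # first pass in which it is gone
            out.append("%s:%s:down" % (name, dtype))
    for ctx in discovered:
        if ctx not in seen:
            added.append(ctx)
            out.append("%s:%s:up" % (entry_name(firewall, ctx), device_type))
    return out, added, retired


if __name__ == "__main__":
    lines, added, retired = reconcile_router_db(SAMPLE_ROUTER_DB, "hq-fwsm-1", DISCOVERED)
    print("added:", added, "retired:", retired)
    print("\n".join(lines))
```

Running the reconciliation a second time with the same discovery result changes nothing, which is what lets the parent script run on every collection pass without keeping a separate statefile for the add/retire decision; the statefile Ed mentions is still useful if "contextrancid" needs to know it is being invoked several times for one router.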
Krzysztof Adamski
2007-03-28 14:51:14 UTC
I should start this email by saying I have not ever used contexts on the ASA.

Now saying this, if you are allowing users to SSH into individual contexts, maybe
you can backup the contexts separately by having each context listed in the rancid
database as separate PIXes. You will need to have a username for rancid in each
context; this may be a show stopper.

K
Post by Rob Shepherd
Post by Lance
Rob,
When you do a "show run" after changing contexts, does it give you a
slightly different config or an entirely different config?
It's an entirely different config. Each context is like a virtual PIX.
(until you get down to feature completeness and command compatibility
that is :) )
Post by Lance
Unfortunately at my place of business we only have a need to run 2
basic contexts, the default admin and system. So I don't work with
them.
I don't intend on this being a context session 101, but why do you
create contexts for each customer you have (as it appears to me)? You
might enlighten me and I might switch to such a model. :-D
I do this because it permits me to hand off control of a context to a
particular customer, if they want to do the config themselves.
They can then SSH or PDM independently.
Also there are some limitations with things like DNS/DHCP. I haven't found
a way to have different DNS server options output by the dhcpd
service on different interfaces. Same for extra options, like vendor
specific 43, which differs for each customer, for Alcatel AVA.
I'm really eager to get the context's + system backed up automatically
by rancid. I do it manually at present. :(
If there's anything I can do to progress the development of such a
feature, somebody please enlighten me. I'm not a perl devel though, but
there's one sat next to me, who isn't a network engineer however. If I
know what to code I can help get it done.....
But I need the input from somebody who knows the architecture of rancid....
Cheers
Rob
--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Justin Shore
2007-03-29 22:17:52 UTC
Permalink
That's always a possibility though it would require a userid like you
mentioned as well as allowing SSH into the context from the outside.
This would likely freak out some security-paranoid customers, even
though you really aren't compromising security if the ACL is set up in a
sane manner. It's a thought but it could present additional problems.

Our SME last week did mention something about a way to have a common DMZ
in each context, though he said it was extremely difficult and would of
course compromise security if that machine was ever rooted.

Justin
Lance
2007-03-29 20:55:54 UTC
Permalink
I guess if you can actually do as you think they can, then that is a
much better approach.
Lance
2007-03-29 22:24:26 UTC
Permalink
True, True.

BTW, how would you access each context? By way of ssh to each IP?

-lance