[rancid] cisco-xr ASR9K and numbered ACL's

Post by Jos
Hi
Am new to this list and hoping someone can help me with a problem please
that I can’t figure out yet or find an earlier posting and solution for.
We are running the latest rancid version 3.1 on a centos vm and collecting
a bunch of cisco configs, all is good except for our iosxr ASR9K’s and
numbered ACL’s.
ipv4 access-list no-rfc1918
10 remark Deny traffic to RFC 1918
20 deny ipv4 10.0.0.0/8 any
30 deny ipv4 any 10.0.0.0/8
40 deny ipv4 172.16.0.0/12 any
50 deny ipv4 any 172.16.0.0/12
60 deny ipv4 192.168.0.0/16 any
70 deny ipv4 any 192.168.0.0/16
80 permit ipv4 any any
ipv4 access-list no-rfc1918
remark Deny traffic to RFC 1918
deny ipv4 10.0.0.0/8 any
deny ipv4 any 10
deny ipv4 172.16.0.0/12 any
deny ipv4 any 172
deny ipv4 192.168.0.0/16 any
deny ipv4 any 192
permit ipv4 any any
A minor problem where the ACL is obvious as above, but this is the
exception.
Can someone suggest a good fix or workaround for this please (preferably
without changing the ASR9K config), I trust it affects others with this
sort of config?
I can see earlier posts mention xrrancid but can’t find that in our 3.1
install.

This appears to be rancid's acl renumbering, which is the designed
behaviour for good reasons.

Access list numbers are problematic as they are subject to being
renumbered when the device reloads the list. However, all that changes
is the interval between numbers, the logic of what the li8st achieves
stays the same. This causes unnecessary noise in the diffs as there
isn't an actual change, just a change of a bunch of redundant leading
numbers.

Rancid's solution is to strip out the numbers, gather contiguous series
of allows or denies and reorder those based on IP addresses. This works
because if you have 5 denys in a row affecting different ranges, it does
not matter what order they are applied in. Thus the router can renumber
ACLs all it likes and the rancid diff does not change, reducing noise.

I don't know about 3.2 but the 2.3 series had a knob to disable this. If
memory serves it was called ACL_SORT and is documented in the config
file. The topic has also been discussed at length here on the list
before, you can find the threads in the on-line archives, there's more
info there than I can give in one shortish reply.

--
Alan McKinnon
***@gmail.com

heasley

2014-10-15 05:27:02 UTC

Post by Alan McKinnon

Post by Jos
ipv4 access-list no-rfc1918
remark Deny traffic to RFC 1918
deny ipv4 10.0.0.0/8 any
deny ipv4 any 10
deny ipv4 172.16.0.0/12 any
deny ipv4 any 172
deny ipv4 192.168.0.0/16 any
deny ipv4 any 192
permit ipv4 any any
A minor problem where the ACL is obvious as above, but this is the
exception.
Can someone suggest a good fix or workaround for this please (preferably
without changing the ASR9K config), I trust it affects others with this
sort of config?
I can see earlier posts mention xrrancid but can’t find that in our 3.1
install.

This appears to be rancid's acl renumbering, which is the designed
behaviour for good reasons.

I dont think so; yes its removing the line numbers, but its botching every
other line.

Alan McKinnon

2014-10-15 05:28:52 UTC

Post by Alan McKinnon

This appears to be rancid's acl renumbering, which is the designed
behaviour for good reasons.

I dont think so; yes its removing the line numbers, but its botching every
other line.

Is "deny ipv4 any 192" a valid Cisco config?

--
Alan McKinnon
***@gmail.com

Jos

2014-10-15 07:59:08 UTC

Hi Guys

Thanks to you both for the replies. I should have mentioned I’ve tried the
ACL-SORT option being disabled/enabled in config without seeing any
success, I had this line in rancid.conf:

# if ACLSORT is NO, access-lists will NOT be sorted.
ACLSORT=NO; export ACLSORT
#

I have tried removing “export ACLSORT” with no luck either.

I have 4 or 5 ASR9K’s running 4.3.x and all do the same thing. Perhaps a
better example is this one:

Rancid backs up this:
ipv4 access-list name
permit ipv4 any 166
remark the below subnet is currently not in use
permit ipv4 any 166

What we have configured is:
ipv4 access-list name
10 permit ipv4 any 166.1xx.xx.xx/28
20 remark the below subnet is currently not in use
30 permit ipv4 any 166.1xx.xx.xxx/28

- so the rancid backup leaves a bit to be desired here I think.

I have:
expect version 5.44.1.15
This is on centos 6.5, I had the packaged version of rancid installed, an
old 2.3.8 or something but then grabbed 3.1 and compiled it and have
removed the package.

Thanks for all your help with this, I can share more config if you let me
know what exactly.

Cheers, Jos

(preferably

Post by Jos
without changing the ASR9K config), I trust it affects others with

this

Post by Jos
sort of config?
I can see earlier posts mention xrrancid but can’t find that in our

3.1

Post by Jos
install.

This appears to be rancid's acl renumbering, which is the designed
behaviour for good reasons.

I dont think so; yes its removing the line numbers, but its botching every
other line.
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

Alan McKinnon

2014-10-15 21:14:09 UTC

Post by Jos
Hi Guys
Thanks to you both for the replies. I should have mentioned I’ve tried the
ACL-SORT option being disabled/enabled in config without seeing any
# if ACLSORT is NO, access-lists will NOT be sorted.
ACLSORT=NO; export ACLSORT
#
I have tried removing “export ACLSORT” with no luck either.
I have 4 or 5 ASR9K’s running 4.3.x and all do the same thing. Perhaps a
ipv4 access-list name
permit ipv4 any 166
remark the below subnet is currently not in use
permit ipv4 any 166
ipv4 access-list name
10 permit ipv4 any 166.1xx.xx.xx/28
20 remark the below subnet is currently not in use
30 permit ipv4 any 166.1xx.xx.xxx/28
- so the rancid backup leaves a bit to be desired here I think.

The truncated address is due to this code in WriteTerm():

if (/^ipv(4|6) access-list (\S+)\s*$/) {
...
while (<INPUT>) {
...
($seq, $cmd, $misc, $ip) = ($_ =~ /^\s+(\d+) (\w+) (.*\s)(\w+)/);
if ($cmd =~ /(permit|deny)/) {
ProcessHistory("ACL $nlri $key $cmd",
"$aclsort","$ip", " $cmd $misc$ip\n");
...
}
}

That final (\w+) stops at the first dot.

I'm no Cisco guru and don't know all the permutations of how XR lists
access-lists, but I imagine the address must be everything after
"ipv(4|6) any ", so the regex should probably become:

($_ =~ /^\s+(\d+) (\w+) (.*\s)(.*)/)

This is for 2.3.8 (I don't have a 3.x install to hand to check)

Post by Jos
expect version 5.44.1.15
This is on centos 6.5, I had the packaged version of rancid installed, an
old 2.3.8 or something but then grabbed 3.1 and compiled it and have
removed the package.
Thanks for all your help with this, I can share more config if you let me
know what exactly.
Cheers, Jos

(preferably

Post by Jos
without changing the ASR9K config), I trust it affects others with

this

Post by Jos
sort of config?
I can see earlier posts mention xrrancid but can’t find that in our

3.1

Post by Jos
install.

This appears to be rancid's acl renumbering, which is the designed
behaviour for good reasons.

--
Alan McKinnon
***@gmail.com

Jos

2014-10-16 08:08:41 UTC

Thanks Alan and all those offering help with this. Your suggestion Alan of
using “($_ =~ /^\s+(\d+) (\w+) (.*\s)(.*)/)” has worked for me, I have
extra line breaks between ACL entries, but the ACL’s hold all the key data
they should now so I’m happy.
In my 3.1 install I had to adjust /home/rancid/lib/rancid/iosxr.pm as
noted.
Not sure if this is a bug or not, should the ACLSORT=NO disable this
feature entirely?

Cheers, Jos

Post by Alan McKinnon

if (/^ipv(4|6) access-list (\S+)\s*$/) {
...
while (<INPUT>) {
...
($seq, $cmd, $misc, $ip) = ($_ =~ /^\s+(\d+) (\w+) (.*\s)(\w+)/);
if ($cmd =~ /(permit|deny)/) {
ProcessHistory("ACL $nlri $key $cmd",
"$aclsort","$ip", " $cmd $misc$ip\n");
...
}
}
That final (\w+) stops at the first dot.
I'm no Cisco guru and don't know all the permutations of how XR lists
access-lists, but I imagine the address must be everything after
($_ =~ /^\s+(\d+) (\w+) (.*\s)(.*)/)
This is for 2.3.8 (I don't have a 3.x install to hand to check)

(preferably

Post by Jos
without changing the ASR9K config), I trust it affects others with

this

Post by Jos
sort of config?
I can see earlier posts mention xrrancid but can’t find that in our

3.1

Post by Jos
install.

This appears to be rancid's acl renumbering, which is the designed
behaviour for good reasons.

--
Alan McKinnon
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

Peter Jackson

2014-10-15 20:52:40 UTC

I looked over the script last night and I think the tail end of the lines are being dropped because the regex needs to be tweaked. \w in Perl regex doesn't match a period, does it? If not, then the regex matches only up to the first period in the IP address and that is why the rest of the line is dropped.

I will look again when I get a chance.

(preferably

Post by Jos
without changing the ASR9K config), I trust it affects others with

this

Post by Jos
sort of config?
I can see earlier posts mention xrrancid but can’t find that in our

3.1

Post by Jos
install.

This appears to be rancid's acl renumbering, which is the designed
behaviour for good reasons.

_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

heasley

2014-10-20 23:13:56 UTC

Post by Peter Jackson
I looked over the script last night and I think the tail end of the lines are being dropped because the regex needs to be tweaked. \w in Perl regex doesn't match a period, does it? If not, then the regex matches only up to the first period in the IP address and that is why the rest of the line is dropped.

Indeed that regex needs some adjustment. What you suggest will fix the
truncation and is a good start, but the process needs to be expanded to
pick out the address properly. thanks

Post by Peter Jackson
I will look again when I get a chance.

(preferably

Post by Jos
without changing the ASR9K config), I trust it affects others with

this

Post by Jos
sort of config?
I can see earlier posts mention xrrancid but can’t find that in our

3.1

Post by Jos
install.

This appears to be rancid's acl renumbering, which is the designed
behaviour for good reasons.

_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

Anson Maddock

2014-10-16 01:19:57 UTC

<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>I'm utilizing Rancid 3.1 on Debian currently, I also have the repositories and CVS from when we were running 2.3.8. We do not have ACLSORT enabled and we are not seeing the problems you are describing. Our ASR9Ks are running 4.3.2 code. We are not not showing any truncation in the configs/CVS from our 2.3.8 database. 
Here is the sort from our xrrancid 3.1 distribution file. Can you confirm that the xrrancid file is a 3.1 version? 
 
# This is a sort routine that will sort on the 
# ip address when the ip address is anywhere in 
# the strings. 
sub ipsort { 
local(%lines) = @_; 
local($i) = 0; 
local(@sorted_lines); 
foreach $addr (sort sortbyipaddr keys %lines) { 
$sorted_lines[$i] = $lines{$addr}; 
$i++; 
} 
@sorted_lines; 
} 
 
# These two routines will sort based upon IP addresses 
sub ipaddrval { 
my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#); 
$a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0])); 
} 
sub sortbyipaddr { 
&ipaddrval($a) <=> &ipaddrval($b); 
} 
 
-----Original Message----- 
On Wed, 15 Oct 2014 23:14:09 +0200 
Alan McKinnon <***@gmail.com> wrote: 
 
On 15/10/2014 09:59, Jos wrote: 
> Hi Guys 
> 
> Thanks to you both for the replies. I should have mentioned I’ve tried the 
> ACL-SORT option being disabled/enabled in config without seeing any 
> success, I had this line in rancid.conf: 
> 
> # if ACLSORT is NO, access-lists will NOT be sorted. 
> ACLSORT=NO; export ACLSORT 
> # 
> 
> I have tried removing “export ACLSORT” with no luck either. 
> 
> 
> I have 4 or 5 ASR9K’s running 4.3.x and all do the same thing. Perhaps a 
> better example is this one: 
> 
> Rancid backs up this: 
> ipv4 access-list name 
> permit ipv4 any 166 
> remark the below subnet is currently not in use 
> permit ipv4 any 166 
> 
> What we have configured is: 
> ipv4 access-list name 
> 10 permit ipv4 any 166.1xx.xx.xx/28 
> 20 remark the below subnet is currently not in use 
> 30 permit ipv4 any 166.1xx.xx.xxx/28 
> 
> 
> - so the rancid backup leaves a bit to be desired here I think. 
 
 
The truncated address is due to this code in WriteTerm(): 
 
if (/^ipv(4|6) access-list (\S+)\s*$/) { 
... 
while (<INPUT>) { 
... 
($seq, $cmd, $misc, $ip) = ($_ =~ /^\s+(\d+) (\w+) (.*\s)(\w+)/); 
if ($cmd =~ /(permit|deny)/) { 
ProcessHistory("ACL $nlri $key $cmd", 
"$aclsort","$ip", " $cmd $misc$ip\n"); 
... 
} 
} 
 
 
That final (\w+) stops at the first dot. 
 
I'm no Cisco guru and don't know all the permutations of how XR lists 
access-lists, but I imagine the address must be everything after 
"ipv(4|6) any ", so the regex should probably become: 
 
 
($_ =~ /^\s+(\d+) (\w+) (.*\s)(.*)/) 
 
 
This is for 2.3.8 (I don't have a 3.x install to hand to check) 
 
> 
> I have: 
> expect version 5.44.1.15 
> This is on centos 6.5, I had the packaged version of rancid installed, an 
> old 2.3.8 or something but then grabbed 3.1 and compiled it and have 
> removed the package. 
> 
> 
> Thanks for all your help with this, I can share more config if you let me 
> know what exactly. 
> 
> Cheers, Jos 
> 
> 
> On 15/10/14 18:27, "heasley" <***@shrubbery.net> wrote: 
> 
>> Wed, Oct 15, 2014 at 07:22:23AM +0200, Alan McKinnon: 
>>>> Rancid collected config: 
>>>> ipv4 access-list no-rfc1918 
>>>> remark Deny traffic to RFC 1918 
>>>> deny ipv4 10.0.0.0/8 any 
>>>> deny ipv4 any 10 
>>>> deny ipv4 172.16.0.0/12 any 
>>>> deny ipv4 any 172 
>>>> deny ipv4 192.168.0.0/16 any 
>>>> deny ipv4 any 192 
>>>> permit ipv4 any any 
>>>> 
>>>> 
>>>> A minor problem where the ACL is obvious as above, but this is the 
>>>> exception. 
>>>> Can someone suggest a good fix or workaround for this please 
>>> (preferably 
>>>> without changing the ASR9K config), I trust it affects others with 
>>> this 
>>>> sort of config? 
>>>> I can see earlier posts mention xrrancid but can’t find that in our 
>>> 3.1 
>>>> install. 
>>> 
>>> This appears to be rancid's acl renumbering, which is the designed 
>>> behaviour for good reasons. 
>> 
>> I dont think so; yes its removing the line numbers, but its botching every 
>> other line. 
>> _______________________________________________ 
>> Rancid-discuss mailing list 
>> Rancid-***@shrubbery.net 
>> <a href="http://www.shrubbery.net/mailman/listinfo/rancid-discuss" target="_blank">http://www.shrubbery.net/mailman/listinfo/rancid-discuss</a> 
> 
> 
 
 
-- 
Alan McKinnon 
***@gmail.com 
 
_______________________________________________ 
Rancid-discuss mailing list 
Rancid-***@shrubbery.net 
<a href="http://www.shrubbery.net/mailman/listinfo/rancid-discuss" target="_blank">http://www.shrubbery.net/mailman/listinfo/rancid-discuss</a></div></div></body></html>

Jos

2014-10-16 01:37:56 UTC

Hi

Thanks for this, perhaps it’s as stupid as this, in my 3.1 install I don’t
have a xrrancid file, does it ship as part of the standalone 3.1 zipped
download?

Cheers, Jos

I'm utilizing Rancid 3.1 on Debian currently, I also have the
repositories and CVS from when we were running 2.3.8. We do not have
ACLSORT enabled and we are not seeing the problems you are describing.
Our ASR9Ks are running 4.3.2 code. We are not not showing any truncation
in the configs/CVS from our 2.3.8 database.
Here is the sort from our xrrancid 3.1 distribution file. Can you confirm
that the xrrancid file is a 3.1 version?
# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
local($i) = 0;
foreach $addr (sort sortbyipaddr keys %lines) {
$sorted_lines[$i] = $lines{$addr};
$i++;
}
@sorted_lines;
}
# These two routines will sort based upon IP addresses
sub ipaddrval {
$a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
}
sub sortbyipaddr {
&ipaddrval($a) <=> &ipaddrval($b);
}
-----Original Message-----
On Wed, 15 Oct 2014 23:14:09 +0200

Post by Jos
Hi Guys
Thanks to you both for the replies. I should have mentioned I’ve tried
the
ACL-SORT option being disabled/enabled in config without seeing any
# if ACLSORT is NO, access-lists will NOT be sorted.
ACLSORT=NO; export ACLSORT
#
I have tried removing “export ACLSORT” with no luck either.
I have 4 or 5 ASR9K’s running 4.3.x and all do the same thing. Perhaps a
ipv4 access-list name
permit ipv4 any 166
remark the below subnet is currently not in use
permit ipv4 any 166
ipv4 access-list name
10 permit ipv4 any 166.1xx.xx.xx/28
20 remark the below subnet is currently not in use
30 permit ipv4 any 166.1xx.xx.xxx/28
- so the rancid backup leaves a bit to be desired here I think.

Post by Jos
expect version 5.44.1.15
This is on centos 6.5, I had the packaged version of rancid installed,
an
old 2.3.8 or something but then grabbed 3.1 and compiled it and have
removed the package.
Thanks for all your help with this, I can share more config if you let
me
know what exactly.
Cheers, Jos

(preferably

Post by Jos
without changing the ASR9K config), I trust it affects others with

this

Post by Jos
sort of config?
I can see earlier posts mention xrrancid but can’t find that in our

3.1

Post by Jos
install.

This appears to be rancid's acl renumbering, which is the designed
behaviour for good reasons.

I dont think so; yes its removing the line numbers, but its botching
every
other line.
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

--
Alan McKinnon
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

Anson Maddock

2014-10-16 01:59:42 UTC