Discussion:
[rancid] Download configs from one router through another
Graham Fleming
2008-09-04 22:56:37 UTC
Hello all,

I've tried researching this but, to be honest, haven't been able to find
any concrete steps that make sense to me, so please bear with me as I'm very
new to the whole RANCID/CVS/ViewVC thing although I have plenty of Cisco
and Linux experience.

I have many clients with routers and switches on an internal network
that I can access either via VPN or by Cisco CLI by logging into their
public WAN-facing router and then drilling through the network that way.
I think I understand that I need to patch RANCID to allow this behavior.
So, here is my question:

How do I get this patch and how do I apply the patch to enable RANCID to
hop from one router to another?

Thank you so much for any help or points in the right direction!

Regards,

Graham
Alex Dekker
2008-09-05 11:38:11 UTC
Post by Graham Fleming
I have many clients with routers and switches on an internal network
that I can access either via VPN or by Cisco CLI by logging into their
public WAN-facing router and then drilling through the network that way.
I'm in a similar position to yourself, and I'm sure when I asked this I was
told it wasn't going to happen.
Post by Graham Fleming
I think I understand that I need to patch RANCID to allow this behavior.
How do I get this patch and how do I apply the patch to enable RANCID to
hop from one router to another?
You're assuming the patch exists, although I assumed RANCID would do this
before I looked into it also. If you do find it, please let me know.

alexd
ryan speed
2008-09-05 15:05:49 UTC
Maybe I'm crazy but I've been lurking on this list for years and I'm
almost certain I've seen the patch discussed a couple times over the
years...
Post by Alex Dekker
Post by Graham Fleming
I have many clients with routers and switches on an internal network
that I can access either via VPN or by Cisco CLI by logging into their
public WAN-facing router and then drilling through the network that way.
I'm in a similar position to yourself, and I'm sure when I asked this I was
told it wasn't going to happen.
Post by Graham Fleming
I think I understand that I need to patch RANCID to allow this behavior.
How do I get this patch and how do I apply the patch to enable RANCID to
hop from one router to another?
You're assuming the patch exists, although I assumed RANCID would do this
before I looked into it also. If you do find it, please let me know.
alexd
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Alex Dekker
2008-09-05 19:38:17 UTC
Post by ryan speed
Maybe I'm crazy but I've been lurking on this list for years and I'm
almost certain I've seen the patch discussed a couple times over the
years...
The problem here isn't a lack of data [the patch and discussion about it may
well exist], it is what do we search for? What is a commonly-used term for
remotely accessing a device on a network that you don't have access to, using
a device on the edge of that network? I'm sure if I knew the right search
terms, I'd find it in no time :-)

alexd
ryan speed
2008-09-05 19:52:00 UTC
this may be what we're looking for

[rancid] patch for "out of band" access to devices
http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001490.html

or

Using rancid to hop from router to router
http://www.shrubbery.net/pipermail/rancid-discuss/2004-November/000905.html
the term I would use and have based my searches on is a bastion host/device
Post by Alex Dekker
Post by ryan speed
Maybe I'm crazy but I've been lurking on this list for years and I'm
almost certain I've seen the patch discussed a couple times over the
years...
The problem here isn't a lack of data [the patch and discussion about it may
well exist], it is what do we search for? What is a commonly-used term for
remotely accessing a device on a network that you don't have access to, using
a device on the edge of that network? I'm sure if I knew the right search
terms, I'd find it in no time :-)
alexd
ryan speed
2008-09-05 19:44:26 UTC
the term I would use and have based my searches on is a bastion host/device
Post by Alex Dekker
Post by ryan speed
Maybe I'm crazy but I've been lurking on this list for years and I'm
almost certain I've seen the patch discussed a couple times over the
years...
The problem here isn't a lack of data [the patch and discussion about it may
well exist], it is what do we search for? What is a commonly-used term for
remotely accessing a device on a network that you don't have access to, using
a device on the edge of that network? I'm sure if I knew the right search
terms, I'd find it in no time :-)
alexd
Shekhar Basnet
2008-09-06 05:20:17 UTC
Would you mean this?


From: "Sherrill, Justin" <***@currentcomm.net>
To: Ed Ravin <***@panix.com>
Cc: rancid-***@shrubbery.net
Subject: [rancid] Re: 'out of band' access script changes?
Date: Mon, 27 Nov 2006 11:28:14 -0500

Alright, then to sum up for future people who may encounter this
problem:

If the target device for Rancid is on a separate network that can't be
accessed directly from the machine Rancid is on, but can be accessed
from a gateway device, here are the steps to reach that remote router.

In .cloginrc:

   add method 192.168.0.2 telnet
   add user 192.168.0.2 your_gateway_router_username
   add password 192.168.0.2 {your_gateway_router_password}

   add method 172.18.0.1 {usercmd}
   add user 172.18.0.1 your_remote_switch_username
   add password 172.18.0.1 {your_remote_switch_password} {your_remote_switch_enable_password}
   add usercmd 172.18.0.1 {clogin} {-noenable} {192.168.0.2}
   add usercmd_chat 172.18.0.1 {>} {telnet far-router\r} {User Access Verification} {}

clogin needs to be patched with Ed Ravin's changes here:
http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001490.html

The {>} in the above example needs to be changed to match whatever shows
up on the gateway system's prompt.

Credit goes to Ed Ravin for getting this all to work. Ed, I owe you
beer/cookies; mail me what brand/recipe you prefer and where to send
them.


Post by Alex Dekker
Post by ryan speed
Maybe I'm crazy but I've been lurking on this list for years and I'm
almost certain I've seen the patch discussed a couple times over the
years...
The problem here isn't a lack of data [the patch and discussion about it may
well exist], it is what do we search for? What is a commonly-used term for
remotely accessing a device on a network that you don't have access to, using
a device on the edge of that network? I'm sure if I knew the right search
terms, I'd find it in no time :-)
alexd
Jeffrey Ollie
2008-09-05 16:11:30 UTC
Post by Alex Dekker
Post by Graham Fleming
I have many clients with routers and switches on an internal network
that I can access either via VPN or by Cisco CLI by logging into their
public WAN-facing router and then drilling through the network that way.
I'm in a similar position to yourself, and I'm sure when I asked this I was
told it wasn't going to happen.
Post by Graham Fleming
I think I understand that I need to patch RANCID to allow this behavior.
How do I get this patch and how do I apply the patch to enable RANCID to
hop from one router to another?
You're assuming the patch exists, although I assumed RANCID would do this
before I looked into it also. If you do find it, please let me know.
Ed Ravin developed just the thing you need a few years ago. I've
attached a copy that I've re-based to apply against version 2.3.2a8.
--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then
I thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe."

-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"
Ed Ravin
2008-09-08 20:03:27 UTC
On Fri, Sep 05, 2008 at 11:11:30AM -0500, Jeffrey Ollie wrote:
...
Post by Jeffrey Ollie
Ed Ravin developed just the thing you need a few years ago. I've
attached a copy that I've re-based to apply against version 2.3.2a8.
I'm not 100% happy with the way this patch works - it works fine if
the bastion host is a device other than the kind you are trying to
access. But if you are trying to access a Cisco from another Cisco,
you need to jump through some hoops (like putting in a unique prompt
or unique banner on one or both of them) to help the main clogin
figure out when the second clogin has finished the "out of band"
login.
Graham Fleming
2008-09-11 18:52:38 UTC
Ed, thanks a lot for your patch. I got it working. Is there a way
though, to use wildcards with the usercmd_chat?

For instance, we log into a gateway router using a public IP address. We
then specify a method to reach the internal routers using usercmd. All
of the internal routers, let's say, are on the 10.0.0.0/24 network.

Is there a way to add a universal method that would use the 10.0.0.0/24
network as a wildcard (ie 10.0.0.*) and then could we put in a {*} or
something in the usercmd_chat so that any prompt is matched?

This would save us from adding dozens of separate .cloginrc commands for
the internal routers.

Regards,

Graham



Ed Ravin
2008-09-11 20:17:45 UTC
Post by Graham Fleming
Ed, thanks a lot for your patch. I got it working. Is there a way
though, to use wildcards with the usercmd_chat?
For instance, we log into a gateway router using a public IP address. We
then specify a method to reach the internal routers using usercmd. All
of the internal routers, let's say, are on the 10.0.0.0/24 network.
Is there a way to add a universal method that would use the 10.0.0.0/24
network as a wildcard (ie 10.0.0.*) and then could we put in a {*} or
something in the usercmd_chat so that any prompt is matched?
This would save us from adding dozens of separate .cloginrc commands for
the internal routers.
I'm not sure I fully understand what you're trying to do - it would help
if you posted a sanitized .cloginrc of what you're doing now, and then
a wishful thinking .cloginrc of what you'd like to have.

The "usercmd" definitions are matched the same way everything else is
in the *login scripts, which would let you have a common usercmd for
groups of routers. However, my patch doesn't add any functionality for
unique content in the usercmd variable or expansion of variables other
than what is already supported by clogin. There may be a way to use
"$router" in the usercmd definition or some other extra coding in cloginrc
to do what you want; it might require an extra "eval" in clogin when
assigning the value of $usercmd. Perhaps someone more familiar with
TCL and/or RANCID scripting could speak up with the details.

-- Ed
Graham Fleming
2008-09-12 18:04:46 UTC
Thanks for the reply, Ed. Here's a small snippet of the kind of thing we
would be using your patch for. This would be one site where we log into
the GATEWAY router and then from there we would log into the internal
routers on the 172.16.0.0/24 network.

This is a small example for three such routers and how I have it
configured using your patch. The trouble is we have a few clients with
dozens of routers so, as you can see, this could get quite tedious:


add user 172.16.0.23 username1
add autoenable 172.16.0.23 1
add password 172.16.0.23 {password1}
add method 172.16.0.23 {usercmd}
add usercmd 172.16.0.23 {ssh} {***@public-ip.address}
add usercmd_chat 172.16.0.23 {Password: } {password2\r} {GATEWAY-PROMPT#} {ssh 172.16.0.23\r} {Password: } {password1\r} {INTERNAL-PROMPT#} {\r}

add user 172.16.0.34 username1
add autoenable 172.16.0.34 1
add password 172.16.0.34 {password1}
add method 172.16.0.34 {usercmd}
add usercmd 172.16.0.34 {ssh} {***@public-ip.address}
add usercmd_chat 172.16.0.34 {Password: } {password2\r} {GATEWAY-PROMPT#} {ssh 172.16.0.34\r} {Password: } {password1\r} {INTERNAL-PROMPT#} {\r}

add user 172.16.0.56 username1
add autoenable 172.16.0.56 1
add password 172.16.0.56 {password1}
add method 172.16.0.56 {usercmd}
add usercmd 172.16.0.56 {ssh} {***@public-ip.address}
add usercmd_chat 172.16.0.56 {Password: } {password2\r} {GATEWAY-PROMPT#} {ssh 172.16.0.56\r} {Password: } {password1\r} {INTERNAL-PROMPT#} {\r}

... and so on....

So, what I'd love to be able to do is use wildcards with your patch,
specifically the 'usercmd_chat' portion. So instead of one statement for
each router, we use one for all internal routers like so:

add user 172.16.0.* username1
add autoenable 172.16.0.* 1
add password 172.16.0.* {password1}
add method 172.16.0.* {usercmd}
add usercmd 172.16.0.* {ssh} {***@public-ip.address}
add usercmd_chat 172.16.0.* {Password: } {password2\r} {GATEWAY-PROMPT#} {ssh $INTERNAL_IP\r} {Password: } {password1\r} {$INTERNAL_PROMPT#} {\r}

Where {ssh $INTERNAL_IP\r} would be the value for the wildcarded
internal IP address and {ssh $INTERNAL_IP\r} could somehow be a wildcard
value to match any prompt.

I'm assuming this probably won't work though, as I have no idea how
you'd pass the internal IP address to the ssh command on the gateway
router using variables or whatnot. Similarly, is there a way to accept
any value for the internal router's prompt so we don't need to use
specific values for each router?

Thanks a lot for all your help!

Graham

Ed Ravin
2008-09-15 01:14:25 UTC
Post by Graham Fleming
Thanks for the reply, Ed. Here's a small snippet of the kind of thing we
would be using your patch for. This would be one site where we log into
the GATEWAY router and then from there we would log into the internal
routers on the 172.16.0.0/24 network.
[...]
Post by Graham Fleming
So, what I'd love to be able to do is use wildcards with your patch,
specifically the 'usercmd_chat' portion. So instead of one statement for
add user 172.16.0.* username1
add autoenable 172.16.0.* 1
add password 172.16.0.* {password1}
add method 172.16.0.* {usercmd}
All of the above is already supported in RANCID, even without the usercmd
Post by Graham Fleming
add usercmd_chat 172.16.0.* {Password: } {password2\r} {GATEWAY-PROMPT#} {ssh $INTERNAL_IP\r} {Password: } {password1\r} {$INTERNAL_PROMPT#} {\r}
Where {ssh $INTERNAL_IP\r} would be the value for the wildcarded
internal IP address and {ssh $INTERNAL_IP\r} could somehow be a wildcard
value to match any prompt.
Not yet supported. Should be doable by creating escapes that evaluate
to the current value of variables like $router, which corresponds to the
"$INTERNAL_IP" that you want above. It's a bit harder for the prompt -
if you are using IP addresses to connect to the router, if your DNS
is set up properly then some new code could do a reverse lookup and
use that to build the router prompt.

It occurs to me that all this could be done with a new feature in cloginrc:
the ability to specify that the string value should be evaluated when
"find()" is called in clogin to look up the value, rather than when
cloginrc is sourced. Maybe put a leading \ or @ or other unlikely
escape character - then, when find() is called, if it sees the value
has the escape character, it runs "eval" on the string, which could
include variables like $router, function calls, etc.
Post by Graham Fleming
... Similarly, is there a way to accept
any value for the internal router's prompt so we don't need to use
specific values for each router?
Yes, you could use a regexp pattern match that was indifferent to
the name of the router - but it might match something in the login
sequence and then you're stuck.

Here's what might be a workaround - if you're not into programming tcl
and changing clogin, you could write a script or program in any language
to create a password file that is included into the run by your cloginrc.

-- Ed

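Ed's workaround above (have a script emit the per-router entries and pull them into ~/.cloginrc with an `include` line), as an added example. This is not RANCID's code and was not posted by anyone in the thread. It assumes a gateway reachable by ssh at 203.0.113.1 as user username2, a gateway prompt of GATEWAY-PROMPT#, and one known hostname per internal router that doubles as the prompt the chat waits for; those names, addresses and passwords are all assumptions, shaped to match Graham's snippet.

```python
#!/usr/bin/env python3
"""Generate a .cloginrc include file for routers reached through a gateway.

Added example for this thread, not code from RANCID or from any poster.
It follows Ed's workaround: a script writes one usercmd/usercmd_chat stanza
per internal router, and ~/.cloginrc pulls that file in with `include`.
The gateway login, prompts, usernames, passwords and addresses below are
assumptions chosen to match the shape of Graham's snippet.
"""
import ipaddress
import os
import re
from typing import Dict, List

# A brace or backslash inside a Tcl {...} word would change how clogin
# parses the line, so refuse them instead of emitting a broken entry.
_TCL_UNSAFE = re.compile(r"[{}\\]")


def _checked(value: str) -> str:
    if _TCL_UNSAFE.search(value):
        raise ValueError(f"cannot brace-quote {value!r} for .cloginrc")
    return value


def braced(value: str) -> str:
    """Tcl brace-quoted word, e.g. braced('Password: ') -> '{Password: }'."""
    return "{" + _checked(value) + "}"


def braced_cr(value: str) -> str:
    """Word to be sent followed by a carriage return, e.g. '{password\\r}'.
    The backslash stays literal in the file; expect interprets it."""
    return "{" + _checked(value) + "\\r}"


def hop_entry(router: str, hostname: str, gw_login: str, gw_password: str,
              gw_prompt: str, user: str, password: str) -> List[str]:
    """.cloginrc lines for one internal router reached by ssh from the gateway.

    The expected internal prompt is built from `hostname`; a specific prompt
    is what lets the chat know the second login has finished (Ed's point),
    where a catch-all pattern could fire on the gateway's banner instead.
    """
    chat = [
        braced("Password: "), braced_cr(gw_password),         # gateway asks
        braced(gw_prompt + "#"), braced_cr("ssh " + router),  # hop onwards
        braced("Password: "), braced_cr(password),            # router asks
        braced(hostname + "#"), braced_cr(""),                # prompt seen, done
    ]
    return [
        f"add user {router} {_checked(user)}",
        f"add autoenable {router} 1",
        f"add password {router} {braced(password)}",
        f"add method {router} {braced('usercmd')}",
        f"add usercmd {router} {braced('ssh')} {braced(gw_login)}",
        f"add usercmd_chat {router} " + " ".join(chat),
    ]


def render_include(gw_login: str, gw_password: str, gw_prompt: str,
                   user: str, password: str, routers: Dict[str, str]) -> str:
    """Render stanzas for every router (address -> hostname), sorted by
    address so regenerating the file gives stable diffs under CVS."""
    lines = [f"# generated: internal routers reached via {gw_login}", ""]
    for addr in sorted(routers, key=ipaddress.ip_address):
        lines += hop_entry(addr, routers[addr], gw_login, gw_password,
                           gw_prompt, user, password)
        lines.append("")
    return "\n".join(lines)


def write_private(path: str, text: str) -> int:
    """Write the file with mode 0600 and return the resulting mode bits.
    It holds cleartext passwords, and clogin refuses to source a password
    file that is group- or world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # a pre-existing file would keep its old mode otherwise
    return os.stat(path).st_mode & 0o777


# Constructed sample: the three addresses from Graham's snippet, with assumed
# hostnames that become the INTERNAL-PROMPT each chat waits for.
SAMPLE_ROUTERS = {"172.16.0.23": "rtr-23", "172.16.0.56": "rtr-56",
                  "172.16.0.34": "rtr-34"}

if __name__ == "__main__":
    print(render_include("username2@203.0.113.1", "password2", "GATEWAY-PROMPT",
                         "username1", "password1", SAMPLE_ROUTERS))
```

Write the output somewhere private (for instance ~/.cloginrc.internal, created 0600 by `write_private`) and add `include {/home/rancid/.cloginrc.internal}` to ~/.cloginrc. Taking the prompt from a per-router hostname rather than a catch-all regexp avoids the failure Ed describes, where a pattern loose enough to match any router also matches something in the gateway's login sequence; it does mean the hostname map has to be kept current when routers are renamed.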
Chris Stave
2008-09-05 15:07:55 UTC
To do this you'd have to make significant changes in either clogin or
rancid, which might be possible to get working, but much more difficult to
make so that it works easily and productively, especially in a generic
fashion. If you're going to attempt this, the two ways of going about it as
far as I can guess in a few minutes are either change clogin to accept a
second address as an argument (not forgetting the issue of usernames and
passwords), or if you just want configs, change rancid itself so that there
is a new type of router in there that parses additional commands that
connect to the remote switches and get the configs that way. Either way, it
is a significant change in the way that rancid and clogin would be working.
Keep us updated if you add this functionality -- it seems some other people
would like it as well.

Chris
Post by Graham Fleming
Hello all,
I've tried researching this but, to be honest, haven't been able to find
any concrete steps that make sense to me—please bear with me as I'm very new
to the whole RANCID/CVS/ViewVC thing although I have plenty Cisco and Linux
experience.
I have many clients with routers and switches on an internal network that I
can access either via VPN or by Cisco CLI by logging into their public
WAN-facing router and then drilling through the network that way. I think I
understand that I need to patch RANCID to allow this behavior. So, here is
How do I get this patch and how do I apply the patch to enable RANCID to
hop from one router to another?
Thank you so much for any help or points in the right direction!
Regards,
Graham