<div dir="ltr">That sounds very impressive and useful. Have you shared any of these scripts?<div><br></div><div><br></div><div>Regards,</div><div><br></div><div>David</div><div><a href="mailto:david.russell@dowjones.com">david.russell@dowjones.com</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 11, 2015 at 11:54 AM, Hagen, Skye (<a href="mailto:skyeh@uidaho.edu">skyeh@uidaho.edu</a>) <span dir="ltr"><<a href="mailto:skyeh@uidaho.edu" target="_blank">skyeh@uidaho.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I have been asked to do something similar where I work. The problem that I<br>
ran into was the verification process for certain kinds of jobs. For a<br>
simple change, that only affected the device itself, and if there was a<br>
problem, wouldn't cause a major outage, I could hack together some scripts<br>
to use clogin and do the job. But, when identical changes had to be made<br>
to several devices in coordination, no way. The number of ways things<br>
could go wrong, and the varieties of backout procedures, it just got too<br>
complex. And for something as potentially disruptive as making changes to<br>
a routing protocol, I always wanted to be hands on.<br>
<br>
On the other side of RANCID, you have a repository that contains a near<br>
real-time copy of your device configurations. I have written a number of<br>
auditing scripts that will determine all routed networks, and compare them<br>
against our network management system to make sure all routed networks are<br>
defined. I also use this list of routed networks to audit ACLs, to make<br>
sure that we clean up related ACLs when we delete networks. I audit the<br>
VLANs to make sure they are all contiguous across all our switches. I<br>
also have a configuration auditing system that will compare a<br>
configuration file against a set of rules, and check for compliance.<br>
<br>
As I learned from an auditor, there are two ways to approach controlling<br>
something. Control it up front, or audit after the fact. In my case,<br>
auditing after the fact was a lot easier and quicker.<br>
<br>
Skye.<br>
<br>
<br>
On 2/11/15, 7:31 AM, "Alan McKinnon" <<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a>> wrote:<br>
<br>
>On 11/02/2015 14:02, James Bensley wrote:<br>
>> Hi All,<br>
>><br>
>> I am thinking about writing a web interface that uses RANCID in the<br>
>> background to make configuration changes on devices. Since RANCID has<br>
>> a bunch of scripts for various device types my thinking is a<br>
>> simple-ish web interface in which I can paste in some config and then<br>
>> use RANCID to log into the device and input the config, also though I<br>
>> can specify some commands and RANCID will run through them and capture<br>
>> output which can be passed to Bash/PERL/Python scripts to interrogate<br>
>> the output and check that the BGP sessions have come back up or that<br>
>> the number of routes in a VRF is still the same etc.<br>
>><br>
>> The goal is: Anything I do on the CLI when making changes to devices<br>
>> can be automated.<br>
>><br>
>> I know I can push config using the RANCID CLI wrapper scripts but I'm<br>
>> wondering if anyone has done this before to extend RANCID to also run<br>
>> "show" style commands and interogated the output to make checks to<br>
>> valid the success of the change, and also if anyone has made a web<br>
>> interface already (other than the CVS types for RANCID's normal<br>
>> purpose of backing up rather than pushing config) ?<br>
><br>
>It doesn't make sense to extend rancid in this way.<br>
><br>
>Consider rancid's purpose: it logs in, captures the config, diffs it and<br>
>stores the result. Then tells you what the diff is.<br>
><br>
>None of that involves in any way changing the device in question and it<br>
>is highly recommended that you lock down the rancid user to only the<br>
>specific commands listed in @commands.<br>
><br>
><br>
>There is one part of rancid that enables you to do config changes<br>
>however: clogin<br>
><br>
>Rather do something like this:<br>
>Get the changes you want to make from the user, apply them using clogin<br>
>and then write a framework that will do the double-checking you<br>
>describe. Rancid itself has no code you can leverage to do any of that.<br>
>It's best done in an entirely separate system, with the added benefit<br>
>that rancid will come along in an hour and record the fact of a change<br>
>made.<br>
><br>
>All this depends however on your Risk department being OK with the idea.<br>
>I know mine would shoot me at the very thought :-)<br>
><br>
>--<br>
>Alan McKinnon<br>
><a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a><br>
><br>
>_______________________________________________<br>
>Rancid-discuss mailing list<br>
><a href="mailto:Rancid-discuss@shrubbery.net">Rancid-discuss@shrubbery.net</a><br>
><a href="http://www.shrubbery.net/mailman/listinfo/rancid-discuss" target="_blank">http://www.shrubbery.net/mailman/listinfo/rancid-discuss</a><br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><p><span style="font-size:9.0pt;font-family:"Arial","sans-serif";color:#1f497d">David R. Russell<b><br></b>CCIE #5751</span></p>
<p><b><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#0070c0">Infrastructure
Planning & Engineering</span></b><b><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#58a618"> <br>
</span></b><b><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#0070c0">Dow Jones Technology</span></b><b><span style="font-size:8.0pt;font-family:"Calibri","sans-serif";color:#595959"><br>
</span></b><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#595959">P.O. Box 300 | Princeton NJ 08543-0300</span><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#242424"><br>
</span><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#595959">Direct: 609-520-4458 | Cell: 610-909-1129</span><span style="color:black"></span></p>
<p><b><span style="font-size:8.0pt;font-family:"Arial","sans-serif";color:#595959">Email: </span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><b><span style="font-size:8.0pt;font-family:"Arial","sans-serif""><a href="mailto:david.russell@dowjones.com" title="mailto:alias@dowjones.com" target="_blank">david.russell@dowjones.com</a></span></b></span></p></div></div>
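As an added illustration of the after-the-fact audits Skye describes (every routed network checked against the network management system, and ACLs left behind after a network is deleted), here is a small Python auditor over a saved configuration in the form RANCID keeps in its repository. This is example code, not a script from the thread; the sample config and the NMS_NETWORKS set are constructed stand-ins.

```python
import ipaddress
import re
# Constructed sample in the form RANCID saves to its repository (not a real device).
SAMPLE_CONFIG = """\
!RANCID-CONTENT-TYPE: cisco
!
interface Vlan100
 ip address 10.10.100.1 255.255.255.0
 ip access-group FINANCE-IN in
interface Vlan200
 ip address 10.10.200.1 255.255.255.0
ip access-list extended FINANCE-IN
 permit ip 10.10.100.0 0.0.0.255 any
ip access-list extended OLD-GUEST-IN
 permit ip 10.10.250.0 0.0.0.255 any
"""
NMS_NETWORKS = {ipaddress.ip_network("10.10.100.0/24")}  # constructed NMS stand-in

def parse_blocks(config):
    """Split an IOS-style config into {top-level line: [its indented sub-lines]}."""
    blocks, header = {}, None
    for line in config.splitlines():
        if not line or line.startswith("!"):      # comment/separator ends a block
            header = None
        elif line.startswith(" ") and header is not None:
            blocks[header].append(line.strip())
        else:                                      # unindented line opens a block
            header = line.strip()
            blocks.setdefault(header, [])
    return blocks

def audit(config, nms_networks):
    """Return audit findings; an empty list means the config passes every rule."""
    blocks, findings, routed, acl_nets = parse_blocks(config), [], set(), []
    for hdr, body in blocks.items():
        for line in body:
            m = re.match(r"ip address (\S+) (\S+)", line)
            if m and hdr.startswith("interface "):
                net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
                routed.add(net)
                if net not in nms_networks:       # Rule 1: NMS must know every routed net
                    findings.append(f"{hdr}: {net} is not defined in the NMS")
            m = re.match(r"(?:permit|deny) ip (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", line)
            if m and hdr.startswith("ip access-list "):
                acl_nets.append((hdr, line, ipaddress.ip_network(f"{m[1]}/{m[2]}")))
    # Rule 2: an ACL entry for a network no longer routed here is a leftover to clean up.
    for hdr, line, net in acl_nets:
        if net not in routed:
            findings.append(f"{hdr}: '{line}' references unrouted {net}")
    return findings
```

Run against a whole RANCID repository, the same two passes would first collect routed networks from every device and only then judge the ACLs, so that a network routed on another switch is not reported as a leftover.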
</div>