Ignoring regular differential updates

Andrew Fort afort at choqolat.org
Mon Sep 2 14:48:27 UTC 2002


On Mon, 2 Sep 2002 23:46, jnull wrote:

>         I've the same issue, save it is with static route entries for
> secondary IPs. Also, I don't care about saved configs. I asked a similar
> question, but was basically told that the current release doesn't support
> it.

Yep, I remember your earlier post.  Like I'd suspect most others, we want to 
use the saved configs for long term problem tracking across the whole 
network.  I imagine you're interested in diffs of specific devices, minus one 
or two regularly changing bits.  We'd like to ignore all changes made at a 
particular time in the day, as we run our major filter update only once 
daily.

I'm guessing some NSPs that use RANCID deal with the matter operationally by 
having some person review the diffs; expected ACL changes, warts and all, and 
then bring/forward out-of-spec stuff to the architects.  I'd like a 
meat-free approach to this....

> > 2. run RANCID 'quietly', immediately before and after each router's
> > successful
>
>         I think there is too much risk here, defeating a prime benefit of
> RANCID.

I think this is only an issue because you don't care about saved 
configurations.  My thoughts go something along the lines of:

1. run a "regular" do-diffs immediately before you run your nightly routing 
maintenance job (that builds router configs and spits em out).

2. run your maintenance, updating router configs.

3. run a "quiet" do-diffs, so that configs are still in CVS, but the usual 
aliases aren't mailed with the diff output which will consist of the 
maintenance changes (which we don't care to see, but we'd like a record of 
in case they fail).

You may have rogue operatives attempting to sneak config changes under your 
nose during this quiet diff, but 1. you still have the diffs in your CVS 
tree, and 2. you've got bigger problems to deal with if this is happening :).

> > 3. hack up your own version of do-diffs/control_rancid to perform 2.
> > without
>
>         I've got this on my tuit list. As soon as I'm done hacking on a DoS
> det. app.

OT: If you publish your work/findings, drop me a line, working with 
netflow/etc data on attack analysis was a challenging and enjoyable part 
of my work in my previous life (running a colo/hosting farm similar to 
rackspace) and I'm interested in all efforts and research in this area.

> However,
> for changing snmp strings or local passwords I'll use it across the board.

I've been using a combination of scripts to do this, including pancho, but 
find rancid *login useful for its cross platform capability and scripting 
flexibility.

> Let me know if you opt on number 3, possibly we could QA each others work or 
> swap some ideas.
> My time schedule puts it a few weeks out yet. 

Right now, I'm leaning towards a silent diff after the routing update due to 
my requirements (i.e., I'm looking at filtering a lot of stuff out of the diff, 
rather than just a little).  The difference between exclusive and inclusive 
route filtering, I suppose, and likely just as religious an argument :-)

-amf
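An added example for the "filter a lot of stuff out of the diff" idea discussed above; it is not part of the original thread and not one of RANCID's own scripts. It drops hunks whose changed lines are all expected maintenance churn (static routes, ACL entries rewritten by the nightly job) so that only out-of-spec changes remain, which is what you would want to mail or keep in front of a reviewer after step 3 instead of the full maintenance diff. The sample diff is constructed, and the function assumes plain `diff -u` style input with `---`/`+++` file headers and `@@` hunk headers.

```bash
#!/bin/bash
# Added example for the thread above; not part of RANCID or the original post.
# Drops diff hunks whose changed lines are all "expected" maintenance churn
# (static routes, ACL entries), so what is left to mail or read is only the
# out-of-spec change.  Hunk boundaries follow plain `diff -u` output, which is
# an assumption about the diff format being fed in.

# Constructed sample diff of a router config: two hunks are nightly
# maintenance noise (a next-hop change and a new ACL line), one is not
# (telnet re-enabled on the vty lines).
SAMPLE_DIFF=$(cat <<'EOF'
--- core1.cfg   2002/09/01 23:00:00
+++ core1.cfg   2002/09/02 23:05:00
@@ -10,4 +10,4 @@
 hostname core1
-ip route 192.0.2.0 255.255.255.0 198.51.100.1
+ip route 192.0.2.0 255.255.255.0 198.51.100.2
 !
@@ -40,3 +40,4 @@
 ip access-list extended BOGON-IN
  deny ip 10.0.0.0 0.255.255.255 any
+ deny ip 192.168.0.0 0.0.255.255 any
 !
@@ -80,3 +80,3 @@
 line vty 0 4
- transport input ssh
+ transport input telnet ssh
 !
EOF
)

# ERE matched against each +/- line; anything matching is "expected".
# Tune to whatever lines your own maintenance job rewrites.
EXPECTED='^[-+] *(ip route |deny ip |permit ip )'

# filter_expected_hunks [PATTERN]  -- reads a unified diff on stdin and writes
# only the hunks that contain at least one changed line NOT matching PATTERN.
# The ---/+++ file header is emitted once, and only if some hunk survives.
filter_expected_hunks() {
    local pat="${1:-$EXPECTED}"
    awk -v pat="$pat" '
        function flush() {
            if (hunk != "" && keep) {
                if (!hdr_done) { printf "%s", header; hdr_done = 1 }
                printf "%s", hunk
            }
            hunk = ""; keep = 0
        }
        /^--- /    { flush(); header = $0 "\n"; hdr_done = 0; next }
        /^\+\+\+ / { header = header $0 "\n"; next }
        /^@@ /     { flush(); hunk = $0 "\n"; next }
        {
            hunk = hunk $0 "\n"
            # a removed/added line that is not expected churn makes the hunk worth seeing
            if ($0 ~ /^[-+]/ && $0 !~ pat) keep = 1
        }
        END { flush() }
    '
}

# count_kept_hunks [PATTERN] -- number of hunks that survive the filter.
count_kept_hunks() {
    filter_expected_hunks "$@" | grep -c '^@@'
}

# Stand-alone run: the only hunk printed should be the vty transport change.
printf '%s\n' "$SAMPLE_DIFF" | filter_expected_hunks
```

In the three-step sequence above, the "quiet" do-diffs after maintenance is where this would sit: the full diff still goes into CVS, and only what survives the filter is worth a human's attention. Keep the expected-pattern list tight; a pattern broad enough to swallow the vty change in the sample would hide exactly the kind of change the quiet window is supposed to catch.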


