From wcgallar at iupui.edu Wed May 4 19:43:53 2005
From: wcgallar at iupui.edu (Chris Gallardo)
Date: Wed, 4 May 2005 14:43:53 -0500 (EST)
Subject: rancid and HP 410x switches using ssh
Message-ID:

Is there a way to use the HP driver in rancid to make an ssh connection to an HP switch instead of telnet?

--
Chris Gallardo
Network Services
278-9067

From justin at grote.name Wed May 4 23:12:44 2005
From: justin at grote.name (Justin Grote)
Date: Wed, 04 May 2005 17:12:44 -0600
Subject: rancid and HP 410x switches using ssh
In-Reply-To:
References:
Message-ID: <427956EC.6050505@grote.name>

Chris Gallardo wrote:
> Is there a way to use the HP driver in rancid to make an ssh connection
> to an HP switch instead of telnet?
>
In your configuration file, do:

add method ssh telnet

where router name glob matches your HP switches. This will make them use SSH first, then failover to telnet if SSH doesn't work.

This information is in man .cloginrc

_____________________
Justin Grote
Network Architect
JWG Networks

From funraps at yahoo.com Thu May 5 16:55:14 2005
From: funraps at yahoo.com (funraps too)
Date: Thu, 5 May 2005 09:55:14 -0700 (PDT)
Subject: Cisco 1900's, did anyone get a resolution?
Message-ID: <20050505165515.73918.qmail@web32002.mail.mud.yahoo.com>

Hello Everyone,

I'm still facing the issue on how to use Rancid to log in to Cisco 1900's since at login it asks for Command line or menu... Does anyone have a sample .clogin?

1 user(s) now active on Management Console.
User Interface Menu
[M] Menus
[K] Command Line
Enter Selection:

Thanks!

From heas at shrubbery.net Thu May 5 16:58:29 2005
From: heas at shrubbery.net (john heasley)
Date: Thu, 5 May 2005 09:58:29 -0700
Subject: Cisco 1900's, did anyone get a resolution?
In-Reply-To: <20050505165515.73918.qmail@web32002.mail.mud.yahoo.com>
References: <20050505165515.73918.qmail@web32002.mail.mud.yahoo.com>
Message-ID: <20050505165829.GB5208@shrubbery.net>

please try 2.3.2a, several have reported success.
Thu, May 05, 2005 at 09:55:14AM -0700, funraps too:
> Hello Everyone,
>
> I'm still facing the issue on how to use Rancid to log in to Cisco 1900's since at login it asks for Command line or menu...
> Does anyone have a sample .clogin?
> 1 user(s) now active on Management Console.
> User Interface Menu
> [M] Menus
> [K] Command Line
> Enter Selection:
>
> Thanks!
>
>
> ---------------------------------
> Yahoo! Mail
> Stay connected, organized, and protected. Take the tour

From heas at shrubbery.net Thu May 5 17:33:36 2005
From: heas at shrubbery.net (john heasley)
Date: Thu, 5 May 2005 10:33:36 -0700
Subject: rancid and HP 410x switches using ssh
In-Reply-To: <427956EC.6050505@grote.name>
References: <427956EC.6050505@grote.name>
Message-ID: <20050505173336.GD5208@shrubbery.net>

It is a little more complex than that; hrancid uses hpuifilter to filter the screen handling control characters/esc seqs. It needs additional code to handle ptys and /dev/tty for ssh. Alternatively, I finally figured out how to make expect (tcl) match escapes - reliably...just haven't had time to work on it.

Wed, May 04, 2005 at 05:12:44PM -0600, Justin Grote:
> Chris Gallardo wrote:
>
> > Is there a way to use the HP driver in rancid to make an ssh connection
> > to an HP switch instead of telnet?
> >
> In your configuration file, do:
>
> add method ssh telnet
>
> where router name glob matches your HP switches. This will make them use
> SSH first, then failover to telnet if SSH doesn't work.
>
> This information is in man .cloginrc
>
> _____________________
> Justin Grote
> Network Architect
> JWG Networks

From justin at grote.name Thu May 5 18:19:35 2005
From: justin at grote.name (Justin Grote)
Date: Thu, 05 May 2005 12:19:35 -0600
Subject: rancid and HP 410x switches using ssh
In-Reply-To: <20050505173336.GD5208@shrubbery.net>
References: <427956EC.6050505@grote.name> <20050505173336.GD5208@shrubbery.net>
Message-ID: <427A63B7.7040109@grote.name>

And you should certainly trust john over me, seeing as I haven't ever had to use it on an HP 4100 :)

john heasley wrote:
>It is a little more complex than that; hrancid uses hpuifilter to filter
>the screen handling control characters/esc seqs. It needs additional
>code to handle ptys and /dev/tty for ssh. Alternatively, I finally
>figured out how to make expect (tcl) match escapes - reliably...just
>haven't had time to work on it.
>
>

--
__________________________
Justin Grote
Network Architect
JWG Networks

From eravin at panix.com Tue May 10 00:21:14 2005
From: eravin at panix.com (Ed Ravin)
Date: Mon, 9 May 2005 20:21:14 -0400
Subject: How to use "rancid -f file" option?
Message-ID: <20050510002114.GA23390@panix.com>

I'm trying to set up rancid for the first time. We already have a job that fetches configs from our routers and I'd like to have rancid work with those files. I see I can invoke rancid with "-f filename", but it doesn't look like there's a way to fit that into the "normal" rancid setup with rancid_run. Do I need to set up all my batch jobs for those routers separately?

From heas at shrubbery.net Tue May 10 02:16:24 2005
From: heas at shrubbery.net (john heasley)
Date: Mon, 9 May 2005 19:16:24 -0700
Subject: How to use "rancid -f file" option?
In-Reply-To: <20050510002114.GA23390@panix.com>
References: <20050510002114.GA23390@panix.com>
Message-ID: <20050510021624.GE7840@shrubbery.net>

Mon, May 09, 2005 at 08:21:14PM -0400, Ed Ravin:
> I'm trying to set up rancid for the first time.
> We already
> have a job that fetches configs from our routers and I'd like to
> have rancid work with those files. I see I can invoke rancid with
> "-f filename", but it doesn't look like there's a way to fit
> that into the "normal" rancid setup with rancid_run. Do I need to
> set up all my batch jobs for those routers separately?

-f is more a debugging tool than anything else. eg:

% clogin -c 'cmds that;rancid;would;run' foo > foo
% rancid -dlf foo

many have written (see ISC.org) tools that grovel rancid's outputs; perhaps you want the paradigm the other way or just build the router.db's from your tools.

From booloo at ucsc.edu Tue May 10 02:47:13 2005
From: booloo at ucsc.edu (Mark Boolootian)
Date: Mon, 9 May 2005 19:47:13 -0700
Subject: can you use SecurID with rancid?
Message-ID: <20050510024713.GB245@root.ucsc.edu>

Is it possible to integrate any of the one-time password systems (RSA, Secure Computing, Cryptocard, etc) with rancid?

mb

From terry at tmk.com Tue May 10 02:48:42 2005
From: terry at tmk.com (Terry Kennedy)
Date: Mon, 09 May 2005 22:48:42 -0400 (EDT)
Subject: can you use SecurID with rancid?
In-Reply-To: "Your message dated Mon, 09 May 2005 19:47:13 -0700" <20050510024713.GB245@root.ucsc.edu>
Message-ID: <01LO2KMMDRQE000BOY@tmk.com>

> Is it possible to integrate any of the one-time password systems
> (RSA, Secure Computing, Cryptocard, etc) with rancid?

Even if this could be done, would you really want to? It would involve having a challenge responder which had full knowledge of the private keys, etc. used by the one-time password system. Much of the appeal of the one-time password system is that users can't easily leave the password laying around - they carry a token on their person. Leaving the algorithm and keys on the RANCID box might be more of a risk than some admins might want.
Also, depending on what underlying method is used (telnet, for example), regular RANCID sessions to a box would let an attacker build up a nice set of challenge/response pairs, which might make an attack easier. In the case of a single host, the attacker gets 24 known-good challenge/response pairs per day. If multiple boxes share the same algorithm / keys, the number of good pairs goes up very rapidly.

I'm not saying it isn't a good idea for your specific application, I'm just explaining why I never bothered to add CRYPTOCard support to it (we're a heavy user of these cards here).

Terry Kennedy http://www.tmk.com
terry at tmk.com New York, NY USA

From booloo at ucsc.edu Tue May 10 03:23:01 2005
From: booloo at ucsc.edu (Mark Boolootian)
Date: Mon, 9 May 2005 20:23:01 -0700
Subject: can you use SecurID with rancid?
In-Reply-To: <01LO2KMMDRQE000BOY@tmk.com>
References: <20050510024713.GB245@root.ucsc.edu> <01LO2KMMDRQE000BOY@tmk.com>
Message-ID: <20050510032301.GA504@root.ucsc.edu>

Hi Terry,

Thanks for the note. Was just showing your media system web page to someone this afternoon.

> Also, depending on what underlying method is used (telnet, for example),
> regular RANCID sessions to a box would let an attacker build up a nice set
> of challenge/response pairs, which might make an attack easier. In the case
> of a single host, the attacker gets 24 known-good challenge/response pairs
> per day. If multiple boxes share the same algorithm / keys, the number of
> good pairs goes up very rapidly.

All good points, but where am I left if I want to protect my network gear with OTPs and still run rancid? It seems they are mutually incompatible. I can create a single instance of a reusable password to be used for rancid logins, but that doesn't improve the situation.

> I'm not saying it isn't a good idea for your specific application, I'm
> just explaining why I never bothered to add CRYPTOCard support to it (we're
> a heavy user of these cards here).

So what do you do?
best,
mb

---
Mark Boolootian
UC Santa Cruz

From terry at tmk.com Tue May 10 03:23:48 2005
From: terry at tmk.com (Terry Kennedy)
Date: Mon, 09 May 2005 23:23:48 -0400 (EDT)
Subject: can you use SecurID with rancid?
In-Reply-To: "Your message dated Mon, 09 May 2005 20:23:01 -0700" <20050510032301.GA504@root.ucsc.edu>
References: <20050510024713.GB245@root.ucsc.edu> <01LO2KMMDRQE000BOY@tmk.com>
Message-ID: <01LO2LU0AZN2000BOY@tmk.com>

> Thanks for the note. Was just showing your media system web page to
> someone this afternoon.

8-}

[snip]

> All good points, but where am I left if I want to protect my network
> gear with OTPs and still run rancid? It seems they are mutually
> incompatible. I can create a single instance of a reusable password to be
> used for rancid logins, but that doesn't improve the situation.
>
> > I'm not saying it isn't a good idea for your specific application, I'm
> > just explaining why I never bothered to add CRYPTOCard support to it (we're
> > a heavy user of these cards here).
>
> So what do you do?

We ("real people") use CRYPTOCard access to our various devices (via the TACACS+ hooks). SSH is encouraged, but in cases where it isn't available, on the trusted parts of our network, there's an occasional Telnet session. RANCID uses a fixed (per-device) password and always accesses the devices via SSH, as long as the devices are SSH-capable. There are some older boxes that don't do SSH, but as we control the infrastructure between the RANCID box and those devices, we grin and bear it. SSH is a must-have on any new device purchases, however.

Terry Kennedy http://www.tmk.com
terry at tmk.com New York, NY USA

From justin at grote.name Tue May 10 03:53:53 2005
From: justin at grote.name (Justin Grote)
Date: Mon, 09 May 2005 21:53:53 -0600
Subject: can you use SecurID with rancid?
In-Reply-To: <01LO2LU0AZN2000BOY@tmk.com>
References: <20050510024713.GB245@root.ucsc.edu> <01LO2KMMDRQE000BOY@tmk.com> <01LO2LU0AZN2000BOY@tmk.com>
Message-ID: <42803051.5070202@grote.name>

> We ("real people") use CRYPTOCard access to our various devices (via the
>TACACS+ hooks). SSH is encouraged, but in cases where it isn't available,
>on the trusted parts of our network, there's an occasional Telnet session.
>RANCID uses a fixed (per-device) password and always accesses the devices
>via SSH, as long as the devices are SSH-capable. There are some older boxes
>that don't do SSH, but as we control the infrastructure between the RANCID
>box and those devices, we grin and bear it. SSH is a must-have on any new
>device purchases, however.
>
We do similar for rancid: A few of our Cisco edge routers run IOS 12.4 now, which has SSHv2 support (including RSA keypairs, finally). These get connected to with rancid using individual public keys for each router. Our Quagga (Cisco-like Linux routers) also use SSHv2.

For the non-SSH routers, we use telnet and a TACACS username that is restricted to the rancid host's IP only, and is only allowed to run the show commands required by clogin and the "show run | exclude" password command (which we modified clogin to run instead of show run), which removes the easily breakable password lines since we have a per-device password as a failsafe if our TACACS is down.

I'm so glad Cisco finally got a good implementation of SSH into 12.4. I know they have two-year release cycles as a rule, but this was so badly needed in 12.3.

--
__________________________
Justin Grote
Network Architect
JWG Networks

From colin.whittaker at heanet.ie Tue May 10 07:33:57 2005
From: colin.whittaker at heanet.ie (Colin Whittaker)
Date: Tue, 10 May 2005 08:33:57 +0100
Subject: can you use SecurID with rancid?
In-Reply-To: <20050510032301.GA504@root.ucsc.edu>
References: <20050510024713.GB245@root.ucsc.edu> <01LO2KMMDRQE000BOY@tmk.com> <20050510032301.GA504@root.ucsc.edu>
Message-ID: <20050510073357.GA828@aine.heanet.ie>

On Mon, May 09, 2005 at 08:23:01PM -0700, Mark Boolootian wrote:
> All good points, but where am I left if I want to protect my network
> gear with OTPs and still run rancid? It seems they are mutually
> incompatible. I can create a single instance of a reusable password to be
> used for rancid logins, but that doesn't improve the situation.

Hi Mark,

We use RSA SecurIDs and Cisco's ACS TACACS+ software to do OTP passwords for all of our networking devices. Rancid uses a fixed password account on ACS but is restricted to executing only those commands it needs and as soon as I get around to it I will also use ACS to restrict where the rancid user can login from.

Colin

--
Colin Whittaker colin.whittaker at heanet.ie
Tel: +353 1 6609040
HEAnet NOC noc at heanet.ie
iNOC-DBA: 1213*752

From jaitken at aitken.com Tue May 10 11:57:17 2005
From: jaitken at aitken.com (Jeff Aitken)
Date: Tue, 10 May 2005 07:57:17 -0400
Subject: can you use SecurID with rancid?
In-Reply-To: <20050510032301.GA504@root.ucsc.edu>
References: <20050510024713.GB245@root.ucsc.edu> <01LO2KMMDRQE000BOY@tmk.com> <20050510032301.GA504@root.ucsc.edu>
Message-ID: <20050510115717.GA31430@eagle.aitken.com>

On Mon, May 09, 2005 at 08:23:01PM -0700, Mark Boolootian wrote:
> All good points, but where am I left if I want to protect my network
> gear with OTPs and still run rancid? It seems they are mutually
> incompatible. I can create a single instance of a reusable password to be
> used for rancid logins, but that doesn't improve the situation.

Presumably rancid won't be the only tool for which you'll need to solve this problem, so you do want to consider just how many holes and backdoors you go poking in things. For example, do you script config changes?
What about allowing access by third parties (contractors, vendors, whatever)? How will you roll out a global network change if you have to do an OTP dance to get into each and every router?

As you note, if you have a user who doesn't have to use OTPs, then this becomes a security through obscurity exercise (i.e., hope the attacker doesn't guess/find out about your "special" account).

An alternative method is to limit VTY access to network devices to only a few trusted hosts, then make those hosts "more" secure. Use ACLs to limit VTY access to network devices to only two hosts, A and B. Next, require that users pass an OTP challenge, as well as supply a standard password, in order to access A or B. Then run rancid and whatever other tools you need on host A or host B. Ultimately, this means your network security depends on the integrity of the two hosts, which might be a better approach for you (or might not be, I don't know). Obviously, there are a lot of things you'll need to do in order to secure & maintain hosts A & B (firewalls, IDSes, having more than two hosts, and so on).

--Jeff

From eravin at panix.com Tue May 10 13:33:02 2005
From: eravin at panix.com (Ed Ravin)
Date: Tue, 10 May 2005 09:33:02 -0400
Subject: can you use SecurID with rancid?
In-Reply-To: <42803051.5070202@grote.name>
References: <20050510024713.GB245@root.ucsc.edu> <01LO2KMMDRQE000BOY@tmk.com> <01LO2LU0AZN2000BOY@tmk.com> <42803051.5070202@grote.name>
Message-ID: <20050510133301.GD29597@panix.com>

On Mon, May 09, 2005 at 09:53:53PM -0600, Justin Grote wrote:
...
> For the non-SSH routers, we use telnet and a TACACS username that is
> restricted to the rancid host's IP only, and is only allowed to run the
> show commands required by clogin and the "show run | exclude" password
> command (which we modified clogin to run instead of show run),

Could you go into more detail on your config for restricting the username to the rancid host? I haven't been able to figure that out yet.
-- Ed

From eravin at panix.com Tue May 10 13:44:58 2005
From: eravin at panix.com (Ed Ravin)
Date: Tue, 10 May 2005 09:44:58 -0400
Subject: hlogin and hp2424/4000/8000 ?
Message-ID: <20050510134458.GF29597@panix.com>

Has anyone got hrancid/hlogin working with the Procurve 2424/4000/8000 switches? It looks like hlogin is meant for a newer switch that has a more command-line like interface and an extra command or two. To get to the command prompt, you have to enter a couple of menu choices after logging in ("5", then "4", no carriage returns, then get a line with a VLAN prompt and enter a CR), and there's no router prompt to speak of because the telnet interface keeps sending cursor control characters to show you the current time in the upper right corner.

From bas.haakman at multikabel.nl Tue May 10 13:46:34 2005
From: bas.haakman at multikabel.nl (Bas Haakman)
Date: Tue, 10 May 2005 15:46:34 +0200
Subject: can you use SecurID with rancid?
In-Reply-To: <20050510133301.GD29597@panix.com>
References: <20050510024713.GB245@root.ucsc.edu> <01LO2KMMDRQE000BOY@tmk.com> <01LO2LU0AZN2000BOY@tmk.com> <42803051.5070202@grote.name> <20050510133301.GD29597@panix.com>
Message-ID: <4280BB3A.7060306@multikabel.nl>

Hi,

I can imagine that you can use the radius attribute "Calling-Station-Id" (which seems to be the host you login from on a cisco).

bash

Ed Ravin wrote:
> On Mon, May 09, 2005 at 09:53:53PM -0600, Justin Grote wrote:
> ...
>
>>For the non-SSH routers, we use telnet and a TACACS username that is
>>restricted to the rancid host's IP only, and is only allowed to run the
>>show commands required by clogin and the "show run | exclude" password
>>command (which we modified clogin to run instead of show run),
>
>
> Could you go into more detail on your config for restricting the
> username to the rancid host? I haven't been able to figure that out yet.
>
> -- Ed

From Mark_Scheuber at mgic.com Tue May 10 20:22:43 2005
From: Mark_Scheuber at mgic.com (Mark Scheuber)
Date: Tue, 10 May 2005 15:22:43 -0500
Subject: Rancid Access-lists
Message-ID:

Hi, I'm having a rather odd problem with RANCID. It's apparently sorting my Cisco ACL's by IP which is bad to say the least. I'm just wondering if anyone else has experienced this or knew of a way to shut this off?

Thanks,
Mark

From cstave at gmail.com Tue May 10 20:23:44 2005
From: cstave at gmail.com (Chris Stave)
Date: Tue, 10 May 2005 16:23:44 -0400
Subject: Adding cisco cluster support for RANCID
Message-ID: <5471c93d0505101323aaac3ec@mail.gmail.com>

I am NOT including patches or anything here, but following my description you should be able to do everything I have done, probably better.

I have enjoyed RANCID since I first installed it, it is nice, but it didn't get information from cluster members (many of the switches that I am dealing with are interfaceless cluster members accessible through the cluster commander by typing (eg.) rcommand 1) ... I initially tried to add an extra flag for cluster member to various parts of rancid, but after some progress I eventually ran into the fact that I had forgotten: I don't actually know expect, tcl, perl, or really any other scripting language enough to extend the scripts in the way that I was thinking of.

Then the issue of cluster member configs was brought up again and I thought about the problem again. I now have rancid collecting configurations and information from my cluster member switches. What follows is how I did it (okay, this is how I should have done it, a few things have been added in where they should have been done rather than at later points in the process when I realized something was wrong and did them):

While working on rancid it is a good idea to stop it from running every hour ... I got this all working on a test system rather than a production system, but it was still running every hour...
that can cause strangeness when you've only changed some things that need to be changed, not all of them...

I made three copies of clogin -- cm1login, cm2login, and cm3login, to log into cluster member 1, 2, and 3, respectively (if you have any 5+ member clusters then you will have to make more cmXlogins). I edited these to include sending "rcommand 1(or 2, or 3)" to the switch (I tacked this on to the enable section for quickness and I figured it would work there) -- I also had to include an extra "quit" at the end of the process so that when leaving the cluster member it did not get stuck at the cluster commander.

I then had to make three new versions of rancid (cm1rancid, cm2rancid, and cm3rancid), based upon the original rancid. These changes were easy, just search and replace clogin with the appropriate new cm1login (or cm2login, etc.)...

Then I edited rancid-fe to include three new device types, ccm1, ccm2, and ccm3, each pointing to the appropriate edited rancid.

Finally, I had to add three new groups (one for each cluster member type), since if they were all in one router.db like so:

10.0.0.x:cisco:up
10.0.0.x:ccm1:up

it didn't work, as the information from the cluster member overwrote the information from the cluster commander. So I made 3 new groups (and associated aliases) for cluster member 1s, cluster member 2s, and cluster member 3s, respectively. I populated their router.db lists and all was well.

It was pretty easy, required no specific knowledge of scripting beyond looking up a few surrounding commands and matching syntax within files, and worked. It is not elegant, pretty, well documented, error-resistant, or even non-horrible (rcommand in the enable section?!), but it seems to be working (I haven't had it going for long, it might be overly error-prone or generally unreliable)

Comments? Questions?
From heas at shrubbery.net Wed May 11 03:22:04 2005
From: heas at shrubbery.net (john heasley)
Date: Tue, 10 May 2005 20:22:04 -0700
Subject: Rancid Access-lists
In-Reply-To:
References:
Message-ID: <20050511032204.GD26198@shrubbery.net>

Tue, May 10, 2005 at 03:22:43PM -0500, Mark Scheuber:
> Hi, I'm having a rather odd problem with RANCID. It's apparently sorting
> my Cisco ACL's by IP which is bad to say the least. I'm just wondering
> if anyone else has experienced this or knew of a way to shut this off?

rancid sorts a few of the ACL "types", but not all. there are no knobs to adjust this behavior. I thought that we only adjusted those which could be without buggering it. example, please?

From Mark_Scheuber at mgic.com Wed May 11 14:09:17 2005
From: Mark_Scheuber at mgic.com (Mark Scheuber)
Date: Wed, 11 May 2005 09:09:17 -0500
Subject: Rancid Access-lists
In-Reply-To: <20050511032204.GD26198@shrubbery.net>
Message-ID:

John -

Spending more time looking at this, the config lines could be moved without impacting any functionality. Due to the nature of the router it has several locations that if it receives traffic from it drops it, if it has any other traffic it's supposed to log. This is simply in place to reduce log volume. It's currently not having that much of an impact other than sending an auditor scrambling and causing a caveat for router restores.

access-list 122 deny ip any any log
access-list 122 deny ip any
access-list 122 deny ip any
access-list 122 deny ip any
access-list 122 deny ip any
access-list 122 deny ip any
access-list 122 deny ip any
access-list 122 deny ip any

I also have several ACL's that are optimized by packet hits given the large amount of traffic and RANCID sorts those as well. So these aren't necessarily functional problems so much as performance and audit issues. I suppose I can hack up the script to turn this off, but I'd imagine other people might possibly run into the same problem.
Thanks,
Mark
mark_scheuber at mgic.com

john heasley
Sent by: owner-rancid-discuss at shrubbery.net
05/10/2005 10:22 PM

To
Mark Scheuber
cc
rancid-discuss at shrubbery.net
Subject
Re: Rancid Access-lists

Tue, May 10, 2005 at 03:22:43PM -0500, Mark Scheuber:
> Hi, I'm having a rather odd problem with RANCID. It's apparently sorting
> my Cisco ACL's by IP which is bad to say the least. I'm just wondering
> if anyone else has experienced this or knew of a way to shut this off?

rancid sorts a few of the ACL "types", but not all. there are no knobs to adjust this behavior. I thought that we only adjusted those which could be without buggering it. example, please?

From heas at shrubbery.net Wed May 11 17:57:10 2005
From: heas at shrubbery.net (john heasley)
Date: Wed, 11 May 2005 10:57:10 -0700
Subject: hlogin and hp2424/4000/8000 ?
In-Reply-To: <20050510134458.GF29597@panix.com>
References: <20050510134458.GF29597@panix.com>
Message-ID: <20050511175710.GD3704@shrubbery.net>

Tue, May 10, 2005 at 09:44:58AM -0400, Ed Ravin:
> Has anyone got hrancid/hlogin working with the Procurve 2424/4000/8000
> switches? It looks like hlogin is meant for a newer switch that has
> a more command-line like interface and an extra command or two. To
> get to the command prompt, you have to enter a couple of menu choices
> after logging in ("5", then "4", no carriage returns, then get a line
> with a VLAN prompt and enter a CR), and there's no router prompt to speak
> of because the telnet interface keeps sending cursor control characters
> to show you the current time in the upper right corner.

I'm not really keen on supporting such platforms. Changes to the menus are very likely, such that those selections no longer invoke the CLI. To handle that in a reasonable way, hlogin would have to grovel the menu and pick out the selections - not pleasant.

HP is a particular PITA, as their interface produces gobs of vt screen handling codes that are a real bugger to filter.
% script hplog
% telnet switch

will give you a good idea. you're welcome to send the log; maybe these actually have clean output.

From eravin at panix.com Thu May 12 01:20:41 2005
From: eravin at panix.com (Ed Ravin)
Date: Wed, 11 May 2005 21:20:41 -0400
Subject: hlogin and hp2424/4000/8000 ?
In-Reply-To: <20050511175710.GD3704@shrubbery.net>
References: <20050510134458.GF29597@panix.com> <20050511175710.GD3704@shrubbery.net>
Message-ID: <20050512012041.GA11438@panix.com>

On Wed, May 11, 2005 at 10:57:10AM -0700, john heasley wrote:
> Tue, May 10, 2005 at 09:44:58AM -0400, Ed Ravin:
> > Has anyone got hrancid/hlogin working with the Procurve 2424/4000/8000
> > switches? It looks like hlogin is meant for a newer switch that has
> > a more command-line like interface and an extra command or two. To
> > get to the command prompt, you have to enter a couple of menu choices
> > after logging in ("5", then "4", no carriage returns, then get a line
> > with a VLAN prompt and enter a CR), and there's no router prompt to speak
> > of because the telnet interface keeps sending cursor control characters
> > to show you the current time in the upper right corner.
>
> I'm not really keen on supporting such platforms. Changes to the menus
> are very likely, such that those selections no longer invoke the CLI.

This particular platform hasn't changed its top-level menu for years, and the boxes are getting old enough that I doubt HP will do anything other than fix bugs in future firmware revs.

> HP is a particular PITA, as their interface produces gobs of vt screen
> handling codes that are a real bugger to filter.
>
> % script hplog
> % telnet switch
>
> will give you a good idea. you're welcome to send the log; maybe these
> actually have clean output.

No, the input is extremely ugly, although once you get to command line mode and start dumping things it's not too horrid (you still have to hit space at each "MORE" prompt). I'll send in a sample.
From Mark_Scheuber at mgic.com Thu May 12 22:11:57 2005
From: Mark_Scheuber at mgic.com (Mark Scheuber)
Date: Thu, 12 May 2005 17:11:57 -0500
Subject: Cisco/EMC 9500 Series Switches
Message-ID:

Just wondering if anyone has had any experience using RANCID with the Cisco SAN switches? I'm specifically looking at using it with the 9500 series.

Thanks,
Mark Scheuber
OS Analyst
270 E. Kilbourn Ave.
Milwaukee, WI 53202
414.347.6899
800.558.9900 x6899
mark_scheuber at mgic.com

From rancid at layer7.com.au Thu May 12 23:07:53 2005
From: rancid at layer7.com.au (rancid at layer7.com.au)
Date: Fri, 13 May 2005 09:07:53 +1000
Subject: All supported devices
Message-ID: <200505122308.j4CN7xjr006765@ram.onthenet.com.au>

Hi All,

I've recently installed RANCID and have it collecting configs from Cisco switches and routers and PIX firewalls.

I'd like to know if there is a full list of supported devices, both "out of the box" and any addon modules that people might have hacked up, as I'd really like to go "RANCID mad" and add as many devices as possible.

Thanks,
Thomas

From heas at shrubbery.net Thu May 12 23:55:32 2005
From: heas at shrubbery.net (john heasley)
Date: Thu, 12 May 2005 16:55:32 -0700
Subject: Cisco/EMC 9500 Series Switches
In-Reply-To:
References:
Message-ID: <20050512235532.GI28606@shrubbery.net>

Thu, May 12, 2005 at 05:11:57PM -0500, Mark Scheuber:
> Just wondering if anyone has had any experience using RANCID with the
> Cisco SAN switches? I'm specifically looking at using it with the 9500
> series. Thanks,

I'm not familiar with that platform. try it and post if it doesn't work or if some data is missing.
From heas at shrubbery.net Fri May 13 00:01:02 2005
From: heas at shrubbery.net (john heasley)
Date: Thu, 12 May 2005 17:01:02 -0700
Subject: All supported devices
In-Reply-To: <200505122308.j4CN7xjr006765@ram.onthenet.com.au>
References: <200505122308.j4CN7xjr006765@ram.onthenet.com.au>
Message-ID: <20050513000102.GL28606@shrubbery.net>

Fri, May 13, 2005 at 09:07:53AM +1000, rancid at layer7.com.au:
> Hi All,
>
> I've recently installed RANCID and have it collecting configs from Cisco
> switches and routers and PIX firewalls.
>
> I'd like to know if there is a full list of supported devices, both "out of
> the box" and any addon modules that people might have hacked up, as I'd
> really like to go "RANCID mad" and add as many devices as possible.

see rancid(1). it doesn't list every possible model, but most work.

From cstave at gmail.com Tue May 10 15:37:08 2005
From: cstave at gmail.com (Chris Stave)
Date: Tue, 10 May 2005 11:37:08 -0400
Subject: trying to add Cisco clustering support to rancid -- almost done
Message-ID: <5471c93d050510083736e22032@mail.gmail.com>

I'm trying to add support for clustering into rancid, I'm on my second attempt, and this time I'm almost done (I'll describe the process and provide code when I'm done)... I've just got one question/problem to solve before it is done (or at least testable): at the end of processing a switch rancid logs out of the switch; where is this done? I need to add a second 'exit' command there, but I'm not sure where it does this. (a line number would be completely ideal, since my knowledge of scripting is a bit questionable)

Any advice on this would be great...
From asp at partan.com Fri May 13 18:29:37 2005
From: asp at partan.com (Andrew Partan)
Date: Fri, 13 May 2005 14:29:37 -0400
Subject: trying to add Cisco clustering support to rancid -- almost done
In-Reply-To: <5471c93d050510083736e22032@mail.gmail.com>
References: <5471c93d050510083736e22032@mail.gmail.com>
Message-ID: <20050513182937.GA33986@partan.com>

On Tue, May 10, 2005 at 11:37:08AM -0400, Chris Stave wrote:
> at the end of processing a switch rancid logs out of the switch; where
> is this done? I need to add a second 'exit' command there, but I'm
> not sure where it does this. (a line number would be completely
> ideal, since my knowledge of scripting is a bit questionable)

It's in clogin; look for this line:

send "exit\r"

Or you could add it to the list of commands in bin/rancid; I'd try adding it to the end of $cisco_cmds. This may be harder, since rancid looks for 'quit' to see if it's done running all of the commands; if it sees 'quit', then rancid figures it's done with all of its work and stops. I'm not quite sure what needs to be changed so that you can have quit commands to log out of parts of the cluster, but then still have more commands left.

I don't know what cisco cluster stuff looks like, but for HFR support, we had to add commands like these:

admin show diag

- which means to run show diag in admin mode.

Does cisco support anything sorta like

run_on cluster_node 3 show something

? If so, adding commands like these to the list of commands would be trivial.

I just think that we are going to run into problems with rancid's control logic if we want to spit a series of commands like this to some cluster:

show version
show diag
login cluster_node 1
show version
show diag
exit
login cluster_node 2
show version
show diag
exit
show running-config
exit

These embedded 'exit' commands are really going to mess things up.
rancid's control logic is really very simple right now; all that it knows is that it runs a series of commands and that the last command is 'exit', and that when it sees 'exit', it's done & it's an error if there are commands left over.
	--asp

From justin at grote.name Fri May 13 18:31:58 2005
From: justin at grote.name (Justin Grote)
Date: Fri, 13 May 2005 12:31:58 -0600
Subject: trying to add Cisco clustering support to rancid -- almost done
In-Reply-To: <20050513182937.GA33986@partan.com>
References: <5471c93d050510083736e22032@mail.gmail.com> <20050513182937.GA33986@partan.com>
Message-ID: <4284F29E.20307@grote.name>

Andrew Partan wrote:
> On Tue, May 10, 2005 at 11:37:08AM -0400, Chris Stave wrote:
>> at the end of processing a switch rancid logs out of the switch; where is this done? I need to add a second 'exit' command there, but I'm not sure where it does this. (a line number would be completely ideal, since my knowledge of scripting is a bit questionable)

Just out of curiosity, is there some reason you can't just assign IP addresses to the VLAN interface of the individual switches and capture normally? I know that it's not the most elegant solution, but you sure do seem to be going to a lot of work to achieve a goal that can be accomplished otherwise rather simply (plus you get the added granularity of one config per switch, rather than a giant cluster config).
--
__________________________
Justin Grote
Network Architect
JWG Networks

From geecla at mail.nih.gov Fri May 13 20:58:06 2005
From: geecla at mail.nih.gov (Gee-clough, Aaron (NIH/CIT))
Date: Fri, 13 May 2005 16:58:06 -0400
Subject: trying to add Cisco clustering support to rancid -- almost do ne
Message-ID: <71B0C9CB1FF4EA43BB48C08DCFF1A1FF1E26C0@NIHCESMLBX.nih.gov>

> -----Original Message-----
> From: Andrew Partan [mailto:asp at partan.com]
> Sent: Friday, May 13, 2005 2:30 PM
> To: Chris Stave
> Cc: Rancid Discussion List
> Subject: Re: trying to add Cisco clustering support to rancid
(snip)
> These embedded 'exit' commands are really going to mess things up.
> rancid's control logic is really very simple right now; all that it knows is that it runs a series of commands and that the last command is 'exit', and that when it sees 'exit', it's done & it's an error if there are commands left over.

As a data point, I've used Rancid with embedded "exits" with the -c command and a bunch of semi-colons (like clogin -c "conf t; enable password blah;exit;write mem") with no problem. Perhaps it's parsing the -c options differently than its internal control logic...dunno. So far, though, I've found that as long as the end result of my string of commands is enable mode (not configure), rancid just handles it.

Aaron
------------------
Aaron Gee-Clough
DNST/CIT/NEB/NSS
Contractor. Geek.
From asp at partan.com Fri May 13 21:32:50 2005
From: asp at partan.com (Andrew Partan)
Date: Fri, 13 May 2005 17:32:50 -0400
Subject: trying to add Cisco clustering support to rancid -- almost do ne
In-Reply-To: <71B0C9CB1FF4EA43BB48C08DCFF1A1FF1E26C0@NIHCESMLBX.nih.gov>
References: <71B0C9CB1FF4EA43BB48C08DCFF1A1FF1E26C0@NIHCESMLBX.nih.gov>
Message-ID: <20050513213250.GA51988@partan.com>

On Fri, May 13, 2005 at 04:58:06PM -0400, Gee-clough, Aaron (NIH/CIT) wrote:
> As a data point, I've used Rancid with embedded "exits" with the -c command and a bunch of semi-colons (like clogin -c "conf t; enable password blah;exit;write mem") with no problem. Perhaps it's parsing the -c options differently than its internal control logic...dunno. So far, though, I've found that as long as the end result of my string of commands is enable mode (not configure), rancid just handles it.

[Warning: rancid refers to the entire package and to one of the programs in the package; here I'm talking about the program in the package.]

clogin -c "cmd;exit;cmd;exit;cmd" is not a problem. The problem is trying to do it in bin/rancid. [rancid internally calls clogin -c with a series of commands.]

Look at bin/rancid and %commands and @commands. %commands takes a command and a subroutine to handle the output of that command. @commands is just the list of commands. Adding "exit" and a no-op subroutine to handle exit should be no problem, except that I think it will mess up the control loop - see the control loop that starts with TOP:. After rancid has run & parsed all of the commands in %commands/@commands, it looks for "exit" to make sure that everything has run correctly. I think that the control loop will get messed up if you try to have "exit" be a 'normal' command and the end-of-commands marker.
Also you can't have repeated commands in %commands/@commands; I just tried modifying %commands/@commands to run show version twice and rancid died with:
    found unexpected command - "show version"

So I think that if you want to have "exit" in the commands list, and to use "exit" as the end-of-commands marker, and to have "exit" in the commands list more than once, then the control loop in rancid will have to be rewritten.
	--asp

From mwilson at northwestern.edu Mon May 16 14:30:35 2005
From: mwilson at northwestern.edu (Matt Wilson)
Date: Mon, 16 May 2005 09:30:35 -0500
Subject: write mem if running-config and startup-config are different?
Message-ID:

Hi-

We would like to catch and remedy situations where we have altered a switch's running-config, but then forget to write mem (weeks later, the switch reboots due to power outage, and suddenly vlans aren't working, etc).

Is anyone using rancid to notice that running-config and startup-config are different, and if so, issue a write mem command? (or something else to address such an issue?) Would you be willing to share what you've done?

Thanks-
Matt
--
--
Matt Wilson
Systems Engineer, IT Telecomm and Network Services
Northwestern University

From arnold at nipper.de Mon May 16 15:05:48 2005
From: arnold at nipper.de (Arnold Nipper)
Date: Mon, 16 May 2005 17:05:48 +0200
Subject: write mem if running-config and startup-config are different?
In-Reply-To:
References:
Message-ID: <4288B6CC.9080800@nipper.de>

On 16.05.2005 16:30 Matt Wilson wrote
> Hi-
>
> We would like to catch and remedy situations where we have altered a switch's running-config, but then forget to write mem (weeks later, the switch reboots due to power outage, and suddenly vlans aren't working, etc).
>
> Is anyone using rancid to notice that running-config and startup-config are different, and if so, issue a write mem command? (or something else to address such an issue?) Would you be willing to share what you've done?
>

Why don't you run "write memory" every time you pick up the config?

Arnold
--
Arnold Nipper, AN45

From cstave at gmail.com Mon May 16 15:22:09 2005
From: cstave at gmail.com (Chris Stave)
Date: Mon, 16 May 2005 11:22:09 -0400
Subject: trying to add Cisco clustering support to rancid -- almost done
In-Reply-To: <4284F29E.20307@grote.name>
References: <5471c93d050510083736e22032@mail.gmail.com> <20050513182937.GA33986@partan.com> <4284F29E.20307@grote.name>
Message-ID: <5471c93d050516082212e680a8@mail.gmail.com>

I just realized that this didn't go out to the whole list...

It was mostly a scope of control issue -- I'm not responsible for deciding that each switch gets an interface, but I am the one who sets up Rancid, so I did what I could where I could. Right now it's a little messy, with configs for one dorm going several places
    the 3550 group
    the clu1 group
    the clu2 group
    and the clu3 group
because just listing them as separate types, but with the same ip address ended up with configs being overwritten as it went down the list. but it seems to work for now (I'm missing 'write term' frequently, but by the 4th round of collection most of them get caught)

clustering works as follows: there is pretty much only one command once it is setup -- rcommand, which connects to the cluster member, if enabled you stay enabled, if not you can still rcommand, but you need to enable on the cluster member. Once you're on the cluster member it is the same as being on the switch directly. From a cluster member you can't rcommand to anything else, you need to exit back to the cluster commander first. There is no way from the cluster member to completely drop the session, you can only go back to the commander. Besides hostname (here we use an _0, _1, _2, etc. at the end of the hostname) there's not much you can do to tell that you're on the clustermember.
On 5/13/05, Justin Grote wrote:
> Andrew Partan wrote:
>> On Tue, May 10, 2005 at 11:37:08AM -0400, Chris Stave wrote:
>>> at the end of processing a switch rancid logs out of the switch; where is this done? I need to add a second 'exit' command there, but I'm not sure where it does this. (a line number would be completely ideal, since my knowledge of scripting is a bit questionable)
>
> Just out of curiosity, is there some reason you can't just assign IP addresses to the VLAN interface of the individual switches and capture normally? I know that it's not the most elegant solution, but you sure do seem to be going to a lot of work to achieve a goal that can be accomplished otherwise rather simply (plus you get the added granularity of one config per switch, rather than a giant cluster config).
>
> --
> __________________________
> Justin Grote
> Network Architect
> JWG Networks

From heas at shrubbery.net Mon May 16 21:00:00 2005
From: heas at shrubbery.net (john heasley)
Date: Mon, 16 May 2005 14:00:00 -0700
Subject: write mem if running-config and startup-config are different?
In-Reply-To: <4288B6CC.9080800@nipper.de>
References: <4288B6CC.9080800@nipper.de>
Message-ID: <20050516210000.GG13308@shrubbery.net>

Mon, May 16, 2005 at 05:05:48PM +0200, Arnold Nipper:
> On 16.05.2005 16:30 Matt Wilson wrote
>> Hi-
>>
>> We would like to catch and remedy situations where we have altered a switch's running-config, but then forget to write mem (weeks later, the switch reboots due to power outage, and suddenly vlans aren't working, etc).
>>
>> Is anyone using rancid to notice that running-config and startup-config are different, and if so, issue a write mem command? (or something else to address such an issue?) Would you be willing to share what you've done?
>
> Why don't you run "write memory" every time you pick up the config?
>

or periodically, something like
    for r in `cat */router.db | egrep -i '(cisco|cat5)' | cut -f1 -d: `; do
        clogin -c 'write mem' $r
    done

From arnold at nipper.de Mon May 16 21:25:38 2005
From: arnold at nipper.de (Arnold Nipper)
Date: Mon, 16 May 2005 23:25:38 +0200
Subject: write mem if running-config and startup-config are different?
In-Reply-To: <20050516210000.GG13308@shrubbery.net>
References: <4288B6CC.9080800@nipper.de> <20050516210000.GG13308@shrubbery.net>
Message-ID: <42890FD2.5040907@nipper.de>

On 16.05.2005 23:00 john heasley wrote
> Mon, May 16, 2005 at 05:05:48PM +0200, Arnold Nipper:
>> On 16.05.2005 16:30 Matt Wilson wrote
>>> Hi-
>>>
>>> We would like to catch and remedy situations where we have altered a switch's running-config, but then forget to write mem (weeks later, the switch reboots due to power outage, and suddenly vlans aren't working, etc).
>>>
>>> Is anyone using rancid to notice that running-config and startup-config are different, and if so, issue a write mem command? (or something else to address such an issue?) Would you be willing to share what you've done?
>>
>> Why don't you run "write memory" every time you pick up the config?
>
> or periodically, something like
>     for r in `cat */router.db | egrep -i '(cisco|cat5)' | cut -f1 -d: `; do
>         clogin -c 'write mem' $r
>     done

Be aware that this will fail as both cisco and cat5 expect confirmation of the write command.
You have to add 2-3 new lines to make it work (2 for cisco and 3 for cat5 iirc)

Arnold
--
Arnold Nipper, AN45

From morty at sled.gsfc.nasa.gov Mon May 16 22:13:09 2005
From: morty at sled.gsfc.nasa.gov (Morty Abzug)
Date: Mon, 16 May 2005 18:13:09 -0400
Subject: rancid: mail filenames only, set max rounds
In-Reply-To: <20050422211239.GI24171@shrubbery.net>
References: <20050421010633.GK14554@frakir.gsfc.nasa.gov> <20050421172539.GC4566@shrubbery.net> <20050422211239.GI24171@shrubbery.net>
Message-ID: <20050516221309.GM14554@frakir.gsfc.nasa.gov>

[resending, because I haven't yet seen a reply.]

On Fri, Apr 22, 2005 at 02:12:39PM -0700, john heasley wrote:
> [ trying this again; first one bounced from verisign ]
>
> Thu, Apr 21, 2005 at 10:25:39AM -0700, john heasley:
>> Wed, Apr 20, 2005 at 09:06:33PM -0400, Mordechai T. Abzug:
>>>
>>> The attached patch:
>>>
>>> - adds a "MAIL_FILENAME_ONLY" tunable to control whether entire diffs are mailed as per the default, or only the filename is mailed.
>>
>> This is interesting. Perhaps it would be more interesting to generate the cvs command necessary to generate the diff? eg:
>> cvs diff -r 1.1 -r 1.2 hostname
>> OR
>> cvs diff -r 1.1 -r 1.2 group/configs/hostname

Hmm. I would prefer to just use the old version:
    cvs diff -r1.1 whatever/configs/hostname
This is fairly necessary, since the next CVS version hasn't been assigned yet at this point, and guessing is perilous. Done, in attached patch.

>>> - adds a "MAX_ROUNDS" tunable to control the maximum number of rounds/passes.
>>
>> Added. I changed it just a little to ensure the floor of 1 iteration.
>>
>> Thanks!

Thank you!

The attached patch also includes a few minor tweaks to deal with Solaris systems that don't have GNU diff installed. Ie. do a straight diff instead of diff -c -4. In the contexts involved, the context options don't matter.
[Patch also includes the MAX_ROUNDS patch that you've already accepted; don't know what your preferences are on patch submission.] - Morty -------------- next part -------------- diff -cr rancid-2.3.1/bin/control_rancid.in rancid-2.3.1-local-p2/bin/control_rancid.in *** rancid-2.3.1/bin/control_rancid.in Fri Mar 12 23:13:09 2004 --- rancid-2.3.1-local-p2/bin/control_rancid.in Tue Apr 26 02:50:05 2005 *************** *** 138,152 **** sort -u > routers.db cut -d: -f1,2 routers.db > routers.all.new if [ ! -f routers.all ] ; then touch routers.all; fi ! @DIFF_CMD@ routers.all routers.all.new > /dev/null 2>&1; RALL=$? @PERLV@ -F: -ane '{($F[0] =~ tr at A-Z@a-z@,print $_) if ($F[2] !~ /^up$/i);}' routers.db > routers.down.new if [ ! -f routers.down ] ; then touch routers.down; fi ! @DIFF_CMD@ routers.down routers.down.new > /dev/null 2>&1; RDOWN=$? @PERLV@ -F: -ane '{($F[0] =~ tr at A-Z@a-z@,print "$F[0]:$F[1]\n") if ($F[2] =~ /^up$/i);}' routers.db > routers.up.new if [ ! -f routers.up ] ; then touch routers.up; fi ! @DIFF_CMD@ routers.up routers.up.new > /dev/null 2>&1; RUP=$? if [ $RALL -ne 0 -o $RDOWN -ne 0 -o $RUP -ne 0 ] then --- 138,152 ---- sort -u > routers.db cut -d: -f1,2 routers.db > routers.all.new if [ ! -f routers.all ] ; then touch routers.all; fi ! @DIFF@ routers.all routers.all.new > /dev/null 2>&1; RALL=$? @PERLV@ -F: -ane '{($F[0] =~ tr at A-Z@a-z@,print $_) if ($F[2] !~ /^up$/i);}' routers.db > routers.down.new if [ ! -f routers.down ] ; then touch routers.down; fi ! @DIFF@ routers.down routers.down.new > /dev/null 2>&1; RDOWN=$? @PERLV@ -F: -ane '{($F[0] =~ tr at A-Z@a-z@,print "$F[0]:$F[1]\n") if ($F[2] =~ /^up$/i);}' routers.db > routers.up.new if [ ! -f routers.up ] ; then touch routers.up; fi ! @DIFF@ routers.up routers.up.new > /dev/null 2>&1; RUP=$? if [ $RALL -ne 0 -o $RDOWN -ne 0 -o $RUP -ne 0 ] then *************** *** 308,315 **** # This section will generate a list of missed routers # and try to grab them again. It will run through ! 
# $pass times. ! pass=4 round=1 if [ -f $DIR/routers.up.missed ]; then rm -f $DIR/routers.up.missed --- 308,315 ---- # This section will generate a list of missed routers # and try to grab them again. It will run through ! # $pass times; tune with MAX_ROUNDS, default 4 ! pass=${MAX_ROUNDS:=4} round=1 if [ -f $DIR/routers.up.missed ]; then rm -f $DIR/routers.up.missed *************** *** 369,376 **** # Diff the directory and then checkin. trap 'rm -fr $TMP $TMP.diff $DIR/routers.single;' 1 2 15 cd $DIR ! cvs -f @DIFF_CMD@ | sed -e '/^RCS file: /d' -e '/^--- /d' \ ! -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff if [ $alt_mailrcpt -eq 1 ] ; then subject="router config diffs - courtesy of $mailrcpt" --- 369,387 ---- # Diff the directory and then checkin. trap 'rm -fr $TMP $TMP.diff $DIR/routers.single;' 1 2 15 cd $DIR ! mail_filename_only=${MAIL_FILENAME_ONLY:=0} ! hostname=`hostname` ! if [ "$mail_filename_only" = "0" ]; then ! cvs -f @DIFF_CMD@ | sed -e '/^RCS file: /d' -e '/^--- /d' \ ! -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff ! else ! cvs -f @DIFF_CMD@ | \ ! sed -ne 's,^Index:,Config changed:,p' \ ! -e "s/^======.*/ For recent changes, run on $hostname:/p" \ ! -e 's,^RCS file: \(.*\)/CVS\(/.*/\).*, cd \1\2 \&\&,p' \ ! -e 's,^diff, cvs diff,p' \ ! > $TMP.diff ! fi if [ $alt_mailrcpt -eq 1 ] ; then subject="router config diffs - courtesy of $mailrcpt" diff -cr rancid-2.3.1/etc/rancid.conf.sample.in rancid-2.3.1-local-p2/etc/rancid.conf.sample.in *** rancid-2.3.1/etc/rancid.conf.sample.in Sat Mar 13 00:17:50 2004 --- rancid-2.3.1-local-p2/etc/rancid.conf.sample.in Thu Apr 21 01:54:11 2005 *************** *** 49,54 **** --- 49,57 ---- # The number of devices to collect simultaneously. #PAR_COUNT=5; export PAR_COUNT # + # How many times should we try to reach devices? Minimum: one. + #MAX_ROUNDS=4; export MAX_ROUNDS + # # list of rancid groups #LIST_OF_GROUPS="sl joebobisp" # more groups... 
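Review bot: the 138,152 hunk replaces @DIFF_CMD@ with @DIFF@ in the three routers.* comparisons, but the patch carries no configure change that defines a DIFF substitution; if configure does not already provide one, the installed control_rancid would try to run the literal string @DIFF@, RALL/RDOWN/RUP would hold a command-not-found status, and every run would take the "routers changed" branch. A sentence in the cover note saying where @DIFF@ comes from would settle that.

Review bot: `pass=${MAX_ROUNDS:=4}` in the 308,315 hunk does not enforce the floor of one that the rancid.conf.sample and rancid.conf.5 hunks promise ("Minimum: one", "The minimum is 1"); MAX_ROUNDS=0 or a non-numeric value reaches the round loop unchecked. Suggest validating right after the assignment, for example `case "$pass" in ''|*[!0-9]*) pass=4 ;; 0) pass=1 ;; esac`, and using `${MAX_ROUNDS:-4}` so the expansion does not also assign the variable as a side effect.

Review bot: in the 369,387 hunk the filename-only branch reconstructs the working directory from the `RCS file:` line (`s,^RCS file: \(.*\)/CVS\(/.*/\).*, cd \1\2 \&\&,p`), which only produces a `cd` line when CVSROOT is a directory literally named CVS sitting beside the group directories; with any other repository path the mail silently loses that line. `$DIR` is already in scope two lines up (`cd $DIR`), so emitting `cd $DIR &&` directly is simpler and independent of the layout. `${MAIL_FILENAME_ONLY:=0}` has the same side-effect assignment as MAX_ROUNDS; `${MAIL_FILENAME_ONLY:-0}` is the non-assigning form. On the merit of the feature: mailing only the changed filenames and the cvs command keeps device configuration contents out of mail spools and mailboxes, which is worth stating in the rancid.conf.5 text so people know why they might set it.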
*************** *** 65,67 **** --- 68,74 ---- # included, as this is simply appended to the usual recipients. It is NOT # appended to recipients specified in rancid-run's -m option. #MAILDOMAIN="@example.com"; export MAILDOMAIN + # + # if you don't want to actually email the diffs, just the names of the files + # that changed, set the below to 1 + #MAIL_FILENAME_ONLY=0; export MAIL_FILENAME_ONLY diff -cr rancid-2.3.1/man/rancid.conf.5.in rancid-2.3.1-local-p2/man/rancid.conf.5.in *** rancid-2.3.1/man/rancid.conf.5.in Fri Mar 12 23:13:09 2004 --- rancid-2.3.1-local-p2/man/rancid.conf.5.in Thu Apr 21 01:54:11 2005 *************** *** 115,120 **** --- 115,126 ---- Default: $BASEDIR/logs .\" .TP + .B MAIL_FILENAME_ONLY + Control whether diff bodies are mailed or filenames that have changed + are mailed. The default, 0, is diff bodies. Set to any other value for + filenames only. + .\" + .TP .B MAILDOMAIN Define the domain part of addresses for administrative and diff e-mail. The value of this variable is simply appended to the normal mail addresses. *************** *** 123,128 **** --- 129,139 ---- had been set to "@example.com". .\" .TP + .B MAX_ROUNDS + Defines how many times rancid should use to reach devices. The minimum is + 1. The default is 4. + .\" + .TP .B NOCOMMSTR If set, .IR rancid (1) From eravin at panix.com Mon May 16 23:02:29 2005 From: eravin at panix.com (Ed Ravin) Date: Mon, 16 May 2005 19:02:29 -0400 Subject: hlogin and hp2424/4000/8000 ? In-Reply-To: <20050510134458.GF29597@panix.com> References: <20050510134458.GF29597@panix.com> Message-ID: <20050516230229.GA20522@panix.com> On Tue, May 10, 2005 at 09:44:58AM -0400, Ed Ravin wrote: > Has anyone got hrancid/hlogin working with the Procurve 2424/4000/8000 > switches? I just stumbled over a Perl/Expect.pm script that fetches the config file from an HP2424m/4000m/8000m - with a little bit of work it could be brought into rancid. 
I'm rather embarrassed, since it looks like I wrote this script three years ago and then promptly forgot about it.

Based on my limited understanding of rancid so far, I think that the "little bit of work" means the following:

* add a new device type to rancid-fe.
* create a clone of hrancid to support this device. I'm not 100% clear on what needs to happen here, other than having hrancid call my new script rather than the hlogin / hpui combination which doesn't work for these devices.
* teach the new login script how to parse cloginrc to get the username/password. Has anyone else done parsing of cloginrc in Perl?
* teach the new login script how to accept arbitrary commands on the command line, instead of the hard coded "fetch config" task that it has now.

Is there anything else I'd need to worry about?

-- Ed

From mwilson at northwestern.edu Tue May 17 15:13:47 2005
From: mwilson at northwestern.edu (Matt Wilson)
Date: Tue, 17 May 2005 10:13:47 -0500
Subject: write mem if running-config and startup-config are different?
In-Reply-To: <42890FD2.5040907@nipper.de>
References: <4288B6CC.9080800@nipper.de> <20050516210000.GG13308@shrubbery.net> <42890FD2.5040907@nipper.de>
Message-ID:

At 11:25 PM +0200 5/16/05, Arnold Nipper wrote:
> On 16.05.2005 23:00 john heasley wrote
>>>> Is anyone using rancid to notice that running-config and startup-config are different, and if so, issue a write mem command? (or something else to address such an issue?) Would you be willing to share what you've done?
>>>
>>> Why don't you run "write memory" every time you pick up the config?
>>
>> or periodically, something like
>>     for r in `cat */router.db | egrep -i '(cisco|cat5)' | cut -f1 -d: `; do
>>         clogin -c 'write mem' $r
>>     done
>
> Be aware that this will fail as both cisco and cat5 expect confirmation of the write command.
> You have to add 2-3 new lines to make it work (2 for cisco and 3 for cat5 iirc)

Hi-

Thanks for the replies -- our experience seems to indicate that doing a wr mem will often make NVRAM look different even if the configs are the same. We want to avoid lots of extraneous NVRAM diffs on every rancid run. We're still looking into why this seems to be happening for us. Running a separate script to wr mem against all devices sounds good though -- thanks for the help!

Regarding sending newlines
    clogin -c 'wr mem' $router
seems to work without problems at our site (rancid v2.3.1)

-Matt

From morty at sled.gsfc.nasa.gov Tue May 24 02:10:14 2005
From: morty at sled.gsfc.nasa.gov (Mordechai T. Abzug)
Date: Mon, 23 May 2005 22:10:14 -0400
Subject: rancid: ciscos, clogin and AAA
Message-ID: <20050524021014.GA11342@frakir.gsfc.nasa.gov>

If one has a device that logs one in at Cisco level 2 rather than 1 or 15, the prompt has "#" but clogin still needs to run enable to achieve level 15. autoenable won't help because it assumes you're at enable 15.

The attached (trivial) patch deals with this. I'm fairly sure it doesn't break backwards compatibility.

Thanks!

- Morty
-------------- next part --------------
*** rancid/bin/clogin.dist Tue Apr 26 03:14:41 2005 --- rancid/bin/clogin.in Tue May 24 02:00:23 2005 *************** *** 634,640 **** } else { set autoenable 0 set enable $avenable ! set prompt ">" } } --- 634,640 ---- } else { set autoenable 0 set enable $avenable ! set prompt "(>|#)" } }

From mmchenry at lightedge.com Tue May 24 03:58:44 2005
From: mmchenry at lightedge.com (Mike McHenry)
Date: Mon, 23 May 2005 22:58:44 -0500
Subject: Rivlogin modifications
Message-ID:

Rivlogin is currently in a sad state of functionality that doesn't support many of the things the newer clogin does; most notably SSH logins.

I've remedied this on my systems by hacking up the latest version of clogin to support Riverstone equipment.
The new expect script can be found here
    http://colossus.lh.net/rivlogin

Also a patch in "diff -uNr" context
    http://colossus.lh.net/rivlogin-vs-clogin.patch

Treat this code as beta quality. However it is working well on my network of RS3000s/RS38000s running 9.1 code. Any chance we can get this script into the mainline code releases?

Mike McHenry (612) 252-2340
mmchenry at lightedge.com
Senior Network Engineer
LightEdge Solutions

"This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation."

From heas at shrubbery.net Tue May 24 06:20:52 2005
From: heas at shrubbery.net (john heasley)
Date: Mon, 23 May 2005 23:20:52 -0700
Subject: rancid: ciscos, clogin and AAA
In-Reply-To: <20050524021014.GA11342@frakir.gsfc.nasa.gov>
References: <20050524021014.GA11342@frakir.gsfc.nasa.gov>
Message-ID: <20050524062052.GZ8640@shrubbery.net>

Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
>
> If one has a device that logs one in at Cisco level 2 rather than 1 or 15, the prompt has "#" but clogin still needs to run enable to achieve level 15. autoenable won't help because it assumes you're at enable 15.
>
> The attached (trivial) patch deals with this. I'm fairly sure it doesn't break backwards compatibility.

I do not think that will work. can you try clogin with an incorrect enable password? it might fail; as in not return an error. Meaning that the matches might need adjustment in do_enable().

> Thanks!
>
> - Morty

> *** rancid/bin/clogin.dist Tue Apr 26 03:14:41 2005 > --- rancid/bin/clogin.in Tue May 24 02:00:23 2005 > *************** > *** 634,640 **** > } else { > set autoenable 0 > set enable $avenable > !
set prompt ">" > } > } > > --- 634,640 ---- > } else { > set autoenable 0 > set enable $avenable > ! set prompt "(>|#)" > } > } >

From morty at sled.gsfc.nasa.gov Tue May 24 06:48:29 2005
From: morty at sled.gsfc.nasa.gov (Morty Abzug)
Date: Tue, 24 May 2005 02:48:29 -0400
Subject: rancid: ciscos, clogin and AAA
In-Reply-To: <20050524062052.GZ8640@shrubbery.net>
References: <20050524021014.GA11342@frakir.gsfc.nasa.gov> <20050524062052.GZ8640@shrubbery.net>
Message-ID: <20050524064829.GG11366@frakir.gsfc.nasa.gov>

On Mon, May 23, 2005 at 11:20:52PM -0700, john heasley wrote:
> Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
>>
>> If one has a device that logs one in at Cisco level 2 rather than 1 or 15, the prompt has "#" but clogin still needs to run enable to achieve level 15. autoenable won't help because it assumes you're at enable 15.
>>
>> The attached (trivial) patch deals with this. I'm fairly sure it doesn't break backwards compatibility.
>
> I do not think that will work. can you try clogin with an incorrect enable password? it might fail; as in not return an error. Meaning that the matches might need adjustment in do_enable().

Gah. As you said, that goes from being overly paranoid to overly lax.

One Cisco-centric solution could be to run "disable" -- at which point we're busted down to priv 1 with a ">" prompt -- and then run enable. disable is a no-op if you're already at priv 1. On another device type, this might be a harmless no-op.

Another solution -- unfortunately, even more cisco-centric, might break other device types for which you use clogin -- could be for enable to run "show priv" and make sure we're actually at privilege level 15.

- Morty

From heas at shrubbery.net Tue May 24 06:52:39 2005
From: heas at shrubbery.net (john heasley)
Date: Mon, 23 May 2005 23:52:39 -0700
Subject: Rivlogin modifications
In-Reply-To:
References:
Message-ID: <20050524065239.GA8640@shrubbery.net>

Nice.
Changes to login scripts always seem a lot like screwing with nature - one wrong move and there is a pestilence upon the land, so ... not being keen on riverstone myself and since rivlogin was contributed, I am curious about its relation to "Enterasys". It's not clear to me what enterasys is; or if changes to rivlogin will alienate it.

Andrew (fort), perhaps you can take this?

Mon, May 23, 2005 at 10:58:44PM -0500, Mike McHenry:
> Rivlogin is currently in a sad state of functionality that doesn't support many of the things the newer clogin does; most notably SSH logins.
>
> I've remedied this on my systems by hacking up the latest version of clogin to support Riverstone equipment. The new expect script can be found here
>
> http://colossus.lh.net/rivlogin
>
> Also a patch in "diff -uNr" context
>
> http://colossus.lh.net/rivlogin-vs-clogin.patch
>
> Treat this code as beta quality. However it is working well on my network of RS3000s/RS38000s running 9.1 code. Any chance we can get this script into the mainline code releases?
>
> Mike McHenry (612) 252-2340
> mmchenry at lightedge.com
> Senior Network Engineer
> LightEdge Solutions

From afort at choqolat.org Tue May 24 07:03:03 2005
From: afort at choqolat.org (Andrew Fort)
Date: Tue, 24 May 2005 17:03:03 +1000
Subject: Rivlogin modifications
In-Reply-To: <20050524065239.GA8640@shrubbery.net>
References: <20050524065239.GA8640@shrubbery.net>
Message-ID: <4292D1A7.8090409@choqolat.org>

john heasley wrote:
> Nice.
> Changes to login scripts always seem a lot like screwing with nature - one wrong move and there is a pestilence upon the land, so ... not being keen on riverstone myself and since rivlogin was contributed, I am curious about its relation to "Enterasys". It's not clear to me what enterasys is; or if changes to rivlogin will alienate it.
>
> Andrew (fort), perhaps you can take this?

sure thing.. thanks for the updates and i'll test them here.

-andrew

From mohacsi at niif.hu Tue May 24 07:35:09 2005
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Tue, 24 May 2005 09:35:09 +0200 (CEST)
Subject: rancid: ciscos, clogin and AAA
In-Reply-To: <20050524062052.GZ8640@shrubbery.net>
References: <20050524021014.GA11342@frakir.gsfc.nasa.gov> <20050524062052.GZ8640@shrubbery.net>
Message-ID: <20050524092305.C14455@mignon.ki.iif.hu>

On Mon, 23 May 2005, john heasley wrote:
> Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
>>
>> If one has a device that logs one in at Cisco level 2 rather than 1 or 15, the prompt has "#" but clogin still needs to run enable to achieve level 15. autoenable won't help because it assumes you're at enable 15.
>>
>> The attached (trivial) patch deals with this. I'm fairly sure it doesn't break backwards compatibility.
>
> I do not think that will work. can you try clogin with an incorrect enable password? it might fail; as in not return an error. Meaning that the matches might need adjustment in do_enable().

I think this might work, if you use autoenable 1 . This is what I do in my environment.

Regards,
Janos Mohacsi
Network Engineer, Research Associate
NIIF/HUNGARNET, HUNGARY
Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98

>
>> Thanks!
>>
>> - Morty
>
>> *** rancid/bin/clogin.dist Tue Apr 26 03:14:41 2005 >> --- rancid/bin/clogin.in Tue May 24 02:00:23 2005 >> *************** >> *** 634,640 **** >> } else { >> set autoenable 0 >> set enable $avenable >> !
set prompt ">" >> } >> } >> >> --- 634,640 ---- >> } else { >> set autoenable 0 >> set enable $avenable >> ! set prompt "(>|#)" >> } >> } >> > >

From eravin at panix.com Tue May 24 15:09:08 2005
From: eravin at panix.com (Ed Ravin)
Date: Tue, 24 May 2005 11:09:08 -0400
Subject: rancid: ciscos, clogin and AAA
In-Reply-To: <20050524064829.GG11366@frakir.gsfc.nasa.gov>
References: <20050524021014.GA11342@frakir.gsfc.nasa.gov> <20050524062052.GZ8640@shrubbery.net> <20050524064829.GG11366@frakir.gsfc.nasa.gov>
Message-ID: <20050524150908.GA6875@panix.com>

On Tue, May 24, 2005 at 02:48:29AM -0400, Morty Abzug wrote:
> On Mon, May 23, 2005 at 11:20:52PM -0700, john heasley wrote:
>> Mon, May 23, 2005 at 10:10:14PM -0400, Mordechai T. Abzug:
>>>
>>> If one has a device that logs one in at Cisco level 2 rather than 1 or 15, the prompt has "#" but clogin still needs to run enable to achieve level 15. autoenable won't help because it assumes you're at enable 15.
>>>
>>> The attached (trivial) patch deals with this. I'm fairly sure it doesn't break backwards compatibility.
>>
>> I do not think that will work. can you try clogin with an incorrect enable password? it might fail; as in not return an error. Meaning that the matches might need adjustment in do_enable().
>
> Gah. As you said, that goes from being overly paranoid to overly lax.
>
> One Cisco-centric solution could be to run "disable" -- at which point we're busted down to priv 1 with a ">" prompt -- and then run enable. disable is a no-op if you're already at priv 1. On another device type, this might be a harmless no-op.

Here's a less Cisco-centric solution - run the command requested, if you get back "Unrecognized command" or "Permission denied" etc., try to do the enable. If that doesn't work, game over. If the enable succeeds, run the command again.
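The two ideas in the thread above (Morty's "ask show privilege instead of trusting the prompt" and Ed's "run the command, enable only if it is refused, then retry, and give up if enable fails") as an added Python simulation; this is not clogin code, and the IOS-like session, its prompt and its error strings are constructed for the example so it runs offline.

```python
import re

# Refusal messages an IOS-style CLI prints when a command is not available at
# the current privilege level; constructed here from the phrases in the thread.
DENIED = re.compile(r"(Invalid input detected|Permission denied|Unrecognized command)")


class FakeIosSession:
    """Constructed stand-in for a device that logs the user in at privilege
    level 2: the prompt already ends in '#', yet most commands are refused
    until 'enable' raises the level to 15."""

    def __init__(self, hostname="r1", enable_secret="s3cret", level=2):
        self.hostname = hostname
        self._enable_secret = enable_secret   # constructed placeholder secret
        self.level = level
        self.sent = []                        # every line the client sent, in order

    def prompt(self):
        # IOS shows '>' only at level 1; anything above that already gets '#'.
        return self.hostname + (">" if self.level < 2 else "#")

    def send(self, line):
        """Run one command and return the device's output (prompt excluded)."""
        self.sent.append(line)
        if line == "show privilege":
            return "Current privilege level is %d" %  self.level
        if line == "disable":
            self.level = 1
            return ""
        if line == "show running-config" and self.level >= 15:
            return "Building configuration...\n!\nhostname r1\n!\nend"
        return "       ^\n% Invalid input detected at '^' marker."

    def enable(self, password):
        """True on success.  A wrong password leaves the level unchanged, and
        because the prompt was '#' already, the prompt alone cannot reveal that."""
        self.sent.append("enable")
        if password == self._enable_secret:
            self.level = 15
            return True
        return False


def prompt_looks_enabled(sess):
    """The heuristic the clogin patch relies on: a '#' prompt means enabled."""
    return sess.prompt().endswith("#")


def at_privilege_15(sess):
    """Morty's check: ask the device instead of trusting the prompt shape."""
    m = re.search(r"privilege level is (\d+)", sess.send("show privilege"))
    return m is not None and int(m.group(1)) == 15


def run_with_enable_fallback(sess, cmd, enable_password):
    """Ed Ravin's proposal: run the command; if it is refused, enable once and
    retry; if enable fails or the retry is still refused, give up."""
    out = sess.send(cmd)
    if not DENIED.search(out):
        return out
    if not sess.enable(enable_password):
        raise PermissionError("enable failed; game over")
    out = sess.send(cmd)
    if DENIED.search(out):
        raise PermissionError("%r still refused after enable" % cmd)
    return out


if __name__ == "__main__":
    s = FakeIosSession()
    # '#' prompt, but not really enabled: r1# True False
    print(s.prompt(), prompt_looks_enabled(s), at_privilege_15(s))
    print(run_with_enable_fallback(s, "show running-config", "s3cret"))
```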
From mmchenry at lightedge.com Tue May 24 15:27:05 2005
From: mmchenry at lightedge.com (Mike McHenry)
Date: Tue, 24 May 2005 10:27:05 -0500
Subject: Rivlogin modifications
Message-ID:

Enterasys and Riverstone were both spun off divisions of Cabletron so
they are somewhat similar but may not be identical anymore.

I definitely don't think my rivlogin should replace the stock version
without a good amount of testing. I would have rather patched the
existing rivlogin but it seemed like such a long road to go down when
clogin was 95% of the way there. :)

-----Original Message-----
From: Andrew Fort [mailto:afort at choqolat.org]
Sent: Tuesday, May 24, 2005 2:03 AM
To: john heasley
Cc: Mike McHenry; afort at shrubbery.net; rancid-discuss at shrubbery.net
Subject: Re: Rivlogin modifications

john heasley wrote:

> Nice. Changes to login scripts always seem a lot like screwing with
> nature - one wrong move and there is a pestilence upon the land, so ...
> not being keen on riverstone myself and since rivlogin was contributed,
> I am curious about its relation to "Enterasys". It's not clear to me
> what enterasys is; or if changes to rivlogin will alienate it.
>
> Andrew (fort), perhaps you can take this?

sure thing.. thanks for the updates and i'll test them here.

-andrew

From afort at choqolat.org Tue May 24 22:17:59 2005
From: afort at choqolat.org (Andrew Fort)
Date: Wed, 25 May 2005 08:17:59 +1000
Subject: Rivlogin modifications
In-Reply-To:
References:
Message-ID: <11FAC5DE-96DA-4B61-A47A-4159A6030A1A@choqolat.org>

On 25/05/2005, at 1:27 AM, Mike McHenry wrote:

> Enterasys and Riverstone were both spun off divisions of Cabletron so
> they are somewhat similar but may not be identical anymore.
>

not to forget Aprisma, who were the division spun off for the Spectrum
NMS. these unfortunate souls were snaffled up by Netcool who were
snaffled up by Computer Associates.

Riverstone is the NSP-focussed spin-off. Enterasys is the
Enterprise-focussed spin-off.
> I definitely don't think my rivlogin should replace the stock version
> without a good amount of testing. I would have rather patched the
> existing rivlogin but it seemed like such a long road to go down when
> clogin was 95% of the way there. :)

it's actually preferred that all the *login programs are as similar as
possible (i.e., it'd be really nice if there wasn't multiple login
programs). i had tried to initially do that, but had had a lot of
problems with the escape characters for the line wrapping in EOS/ROS;
problems I haven't had with the initial testing I've done of your
offered rivlogin so far.

I've run into a couple of things;

- Do you use RADIUS for auth in your shop? The 'userpassword' variable
doesn't seem to be consulted in the same way as the existing rivlogin.

e.g. my .cloginrc stanzas look like

add user host {afort}
add userpassword host {radiuspass}
add password host {initial_login_password} {last_resort_password}

The initial password works, but when asked for RADIUS credentials after
that, we send the username but not the correct password.

It appears that the variable used for the 'last_resort_password', above,
is being used for any 'Password:' prompt.

I changed this behaviour a few releases back, because:

- riverstone/enterasys CLI OSes ask for the initial_login_password
BEFORE radius.
- if radius is unreachable, you get a message indicating you need to use
the last resort (enable) password now.
- the user password for RADIUS is of course a separate password.

Thus I figured the most logical mapping was the one, above.

So the logic changes to:
- if we have seen a 'username' prompt, we're in radius/tac+ mode.
- if we're in radius/tac+ mode, the password prompt is asking for the
users' password.
- if we see the message indicating we cannot reach radius, use the
last_resort.

However, SSH logins are probably different. Can you send me an example
SSH login dialogue with the switch so I can better understand the choices
made in your patch?
- On EOS 8.3 (we're running ancient code for stability reasons), there
is a max login banner length which precludes us using our regular banner
plus the "Press RETURN to Begin" prompt (it's like 4 lines, perhaps 255
chars). In any event, this means that our switches don't provide the
initial prompt that is expected. So, I have removed the expect and just
have the program sleep 0.3 and then send \r to the switch. Though this
removes the stop-and-wait behaviour, I've never found it to cause
problems, at least not with telnet.

One last question - what is the length of your _longest_ hostname on
your switches, in characters? The majority of terminal handling
problems only appeared for me when using longer prompts (like, longer
than about 9 characters, if my brain is working today).

thanks again,
-andrew

From mmchenry at lightedge.com Wed May 25 04:16:39 2005
From: mmchenry at lightedge.com (Mike McHenry)
Date: Tue, 24 May 2005 23:16:39 -0500
Subject: Rivlogin modifications
Message-ID:

Andrew,

We don't (as of yet) utilize Radius lookups on our Riverstone gear.
Perhaps it would be more helpful for me to give you access to one of my
pseudo-development Riverstone chassis so you can test out the SSH
sequence yourself. Please reply to me offline if you feel this would be
useful.

Here is an example login sequence on a RS3000 chassis running 9.1.2.8
code. Anything in << brackets >> indicates something typed in.

[mmchenry at unixhost]# << ssh -1 RIVERSTONEHOST >>
----------------------------------------------------------------------
RS 3000 System Software, Version 9.1.2.8
Copyright (c) 2000-2004 Riverstone Networks, Inc.
System started on 2004-10-11 20:18:49
----------------------------------------------------------------------
Press RETURN to activate console . . .
<< RETURN >>
Password: << login password >>
RIVERSTONEHOST> enable
Password: << enable password >>
RIVERSTONEHOST#

Where the initial prompt for password is being pulled from

system set hashed-password login xxxxxxx

and the secondary enable password is pulled from

system set hashed-password enable xxxxxxx

>
> I've run into a couple of things;
>
> - Do you use RADIUS for auth in your shop? The 'userpassword'
> variable doesn't seem to be consulted in the same way as the existing
> rivlogin.
>
> e.g. my .cloginrc stanzas look like
>
> add user host {afort}
> add userpassword host {radiuspass}
> add password host {initial_login_password} {last_resort_password}
>
> The initial password works, but when asked for RADIUS credentials
> after that, we send the username but not the correct password.
>
> It appears that the variable used for the 'last_resort_password',
> above, is being used for any 'Password:' prompt.
>
> I changed this behaviour a few releases back, because:
>
> - riverstone/enterasys CLI OSes ask for the initial_login_password
> BEFORE radius.
> - if radius is unreachable, you get a message indicating you need
> to use the last resort (enable) password now.
> - the user password for RADIUS is of course a separate password.
>
> Thus I figured the most logical mapping was the one, above.
> So the logic changes to:
> - if we have seen a 'username' prompt, we're in radius/tac+ mode.
> - if we're in radius/tac+ mode, the password prompt is asking for
> the users' password.
> - if we see the message indicating we cannot reach radius, use the
> last_resort.
>
> However, SSH logins are probably different. Can you send me an
> example SSH login dialogue with the switch so I can better understand
> the choices made in your patch?
>

I never had problems in my testing either when I removed the "Press
RETURN" expect sequence and I agree that it could probably be removed
safely.
> - On EOS 8.3 (we're running ancient code for stability reasons),
> there is a max login banner length which precludes us using our
> regular banner plus the "Press RETURN to Begin" prompt (it's like 4
> lines, perhaps 255 chars). In any event, this means that our
> switches don't provide the initial prompt that is expected. So, I
> have removed the expect and just have the program sleep 0.3 and then
> send \r to the switch. Though this removes the stop-and-wait
> behaviour, I've never found it to cause problems, at least not with
> telnet.
>

My longest hostname is 16 characters long and I haven't run into any
apparent problems so far.

> One last question - what is the length of your _longest_ hostname on
> your switches, in characters? The majority of terminal handling
> problems only appeared for me when using longer prompts (like, longer
> than about 9 characters, if my brain is working today).
>
> thanks again,
> -andrew
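The password mapping Andrew lays out (initial login password before RADIUS, a 'Username:' prompt switching to RADIUS/TACACS+ mode, the last-resort password when RADIUS is unreachable or after 'enable') and the SSH dialogue Mike posted, replayed through a small Python model. This is an added example written for this archive, not rivlogin itself (which is expect/Tcl): the credential values mirror the quoted .cloginrc stanza but are placeholders, the three device dialogues are constructed, and the "cannot reach RADIUS" wording is an assumption about a message whose real text the thread does not show.

```python
import re

# Constructed credentials mirroring the .cloginrc stanzas quoted in the thread
# (placeholder values, not real passwords).
CLOGINRC = {
    "user": "afort",
    "userpassword": "radiuspass",
    "password": ["initial_login_password", "last_resort_password"],
}

PROMPT_USER = re.compile(r"^[\w-]+>\s*$")     # unprivileged prompt, e.g. RIVERSTONEHOST>
PROMPT_ENABLE = re.compile(r"^[\w-]+#\s*$")   # privileged prompt, e.g. RIVERSTONEHOST#


class RivLoginModel:
    """Decides which credential each device prompt should get, following the
    rules from the thread: 'Username:' means RADIUS/TACACS+ mode, a
    RADIUS-unreachable message means fall back to the last-resort password,
    and the password asked after 'enable' is the last-resort (enable) one."""

    def __init__(self, creds):
        self.creds = creds
        self.radius_mode = False
        self.radius_down = False
        self.sent_enable = False
        self.enabled = False

    def respond(self, line):
        """Return the string to send in reply to one device line, or None."""
        creds = self.creds
        if "Press RETURN" in line:
            return "\r"
        if line.startswith("Username:"):
            self.radius_mode = True
            return creds["user"]
        if "cannot reach radius" in line.lower():   # constructed wording
            self.radius_down = True
            return None
        if line.startswith("Password:"):
            if self.sent_enable or self.radius_down:
                return creds["password"][-1]        # last-resort / enable password
            if self.radius_mode:
                return creds["userpassword"]        # RADIUS user password
            return creds["password"][0]             # initial login password
        if PROMPT_USER.match(line):
            self.sent_enable = True
            return "enable"
        if PROMPT_ENABLE.match(line):
            self.enabled = True
        return None


def replay(device_lines, creds=CLOGINRC):
    """Feed a whole dialogue through the model; return (enabled, replies sent)."""
    model = RivLoginModel(creds)
    sent = []
    for line in device_lines:
        reply = model.respond(line)
        if reply is not None:
            sent.append(reply)
    return model.enabled, sent


# Constructed device-side dialogues, modelled on the transcript in the thread.
SSH_LOCAL_AUTH = [
    "Press RETURN to activate console . . .",
    "Password:",
    "RIVERSTONEHOST>",
    "Password:",
    "RIVERSTONEHOST#",
]
RADIUS_AUTH = [
    "Press RETURN to activate console . . .",
    "Password:",           # initial login password, asked BEFORE RADIUS
    "Username:",
    "Password:",           # RADIUS user password
    "RIVERSTONEHOST>",
    "Password:",           # enable password
    "RIVERSTONEHOST#",
]
RADIUS_DOWN = [
    "Press RETURN to activate console . . .",
    "Password:",
    "Username:",
    "Cannot reach RADIUS server, use last resort password",
    "Password:",           # last-resort password
    "RIVERSTONEHOST>",
    "Password:",
    "RIVERSTONEHOST#",
]

if __name__ == "__main__":
    for name, dialogue in [("ssh", SSH_LOCAL_AUTH), ("radius", RADIUS_AUTH), ("radius down", RADIUS_DOWN)]:
        print(name, replay(dialogue))
```

The model sends the initial login password at the first 'Password:' prompt in every dialogue, which is why a version that hands the last-resort password to any 'Password:' prompt works against a locally authenticated box like Mike's but sends the wrong credential once RADIUS asks for the user's password.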