[rancid] Re: config file postprocessing

Michael Stefaniuc mstefani at redhat.com
Tue May 30 17:42:30 UTC 2006


Ed Ravin wrote:
>>I also have several ACL's that are optimized by packet hits given the
>>large amount of traffic and RANCID sorts those as well.  So these aren't
>>necessarily functional problems so much as performance and audit issues. I
>>suppose I can hack up the script to turn this off, but I'd imagine other
>>people might possibly run into the same problem.  Thanks,
Was there a solution for this? Like a patch that makes this configurable
or disables it?
Removing passwords and SNMP community strings isn't a problem in the
case of the recovery of a network device. Of course only if properly
documented; there is other information that isn't in the config file
anyway, like VLAN and VTP info.
But the sorting of the ACLs is, as information is lost without any
possibility to recover it. Ranging from a performance issue to a "damn
this ACL looks weird" effect when looking at the router. Though this
resorting can be mitigated by heavy use of comments in the ACLs, thus
breaking big blocks of permit or deny rules into smaller chunks. But
still I would prefer to have the ACLs as is.


> My point was that even though functionality is the same, the config isn't.
> And though the differences caused by RANCID's processing almost never
> matter, sometimes, like in the case above, it does.  If you have
> an auditor looking over your shoulder asking if the router configs
> are properly backed up (as the author of the quote above did), you're
> put in the position of defending RANCID's changes to the config, as
> the auditor is understandably going to ask why the alleged backups
> in RANCID don't exactly match the config file on the router.
> 
> Another issue that might occur when using RANCID as your primary backup
Isn't that the main use of RANCID?

> the original config file, due to all the helpful comments inserted
> by RANCID showing things like the hardware status or directory listings.
> Depending on the size of the NVRAM and your disaster recovery plan, you
> might try to restore a router with a config that won't fit until you
> trim down the comments.
IMHO this shouldn't really be a problem, quite the opposite: the comments
contain useful information like VTP and VLAN setup that might not be
saved in the config. And trimming the comments at the beginning
is/should be an easy task for an automated process or a human.

bye
	michael
-- 
Michael Stefaniuc               Tel.: +49-711-96437-199
Sr. Network Engineer            Fax.: +49-711-96437-111
Red Hat GmbH                    Email: mstefani at redhat.com
Hauptstaetterstr. 58            http://www.redhat.de/
D-70178 Stuttgart
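
Added example, not part of the original message and not RANCID code: a check an auditor could run to tell an ACL whose entries were only reordered in the stored copy from one whose entries actually differ from the device. It assumes Cisco IOS-style `access-list N ...` lines and `ip access-list standard|extended NAME` blocks; the function names and sample configs are made up for illustration.

```python
import re
from collections import Counter, defaultdict

def acl_entries(config_text):
    """Return {acl_name: [entries in file order]} for IOS-style ACLs."""
    acls, current = defaultdict(list), None  # current = named ACL block we are in
    for line in config_text.splitlines():
        numbered = re.match(r"access-list (\S+) (.+)", line)
        named = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
        if numbered:
            acls[numbered.group(1)].append(numbered.group(2).strip())
            current = None
        elif named:
            current = named.group(1)
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None
    return dict(acls)

def compare_acl_order(device_text, backup_text):
    """Classify each ACL as 'identical', 'reordered' or 'changed'."""
    dev, bak = acl_entries(device_text), acl_entries(backup_text)
    result = {}
    for name in set(dev) | set(bak):
        d, b = dev.get(name, []), bak.get(name, [])
        if d == b:
            result[name] = "identical"
        elif Counter(d) == Counter(b):
            result[name] = "reordered"   # same entries, original order lost
        else:
            result[name] = "changed"     # entries added, removed or edited
    return result

# Constructed sample configs (documentation addresses), not real device output.
DEVICE = """\
access-list 101 permit tcp any host 192.0.2.80 eq www
access-list 101 permit tcp any host 192.0.2.25 eq smtp
access-list 101 deny ip any any
access-list 10 permit 198.51.100.0 0.0.0.255
ip access-list extended EDGE-IN
 permit udp any host 192.0.2.53 eq domain
 deny ip any any
"""
# Constructed backup: ACL 10 edited, ACL 101's first two permits swapped.
BACKUP = DEVICE.replace("198.51.100.0", "203.0.113.0")  # makes ACL 10 'changed'
lines = BACKUP.splitlines()
lines[0], lines[1] = lines[1], lines[0]                  # makes ACL 101 'reordered'
BACKUP = "\n".join(lines) + "\n"
```

A "reordered" verdict is the case discussed in this thread: the stored copy carries the same entries, but the hit-count ordering on the device cannot be recovered from it.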