[rancid] Re: Pulling down context configs from a Cisco FWSM

Lance rancid at gheek.net
Wed Mar 28 17:38:42 UTC 2007


Rob,

I am not sure the best method would be to make a config that large as it
would be hard to report on the changes and know where the changes were
other than on that asa/pix. The way I would think about doing it would
be to create a config for the pix/asa using system/admin then create a
series of config files for each context but name it something like this
"ops-pix-01-context-timewarner.conf". This would allow you to be
notified of each one being updated etc and keep the config file from
getting huge.

The way I would go about doing this would be to use the addon that Ed
Ravin published a while back. I would specify a custom portion in
bin/rancid-fe for ASA/Pixes (that use contexts) and then collect the
config like normal but also collect information on "show context" so
that I can parse it after the config is collected. Then log into the
device via and issue a change to each context and log each output to a
new file. Another file would need to be updated as well, this being
bin/clogin. The file would need to be updated to know it has to modify
the file it creates to reflect the context name.

It is possible to do it another way such as creating host entries in
your /etc/host file for each context on each firewall, but that would
be a great idea as it wouldn't scale well and wouldn't be completely
dynamic as we like to have things these days.

I will see if I can take a stab at it this weekend. No promises.

-lance
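The collection scheme sketched above (collect "show context" from the system context, parse it, then save every context's running config under its own file name) can be shown as a small, added Python illustration. This is not rancid code and not something either poster wrote; the "show context" sample is constructed, and the parser assumes that shape (a header line, one row per context with an optional leading "*" on the admin context, and a trailing total line). Device login itself is left to the existing clogin/expect plumbing; this only produces the per-context file names and command lists that such a collector would run.

```python
"""Added example: plan a per-context config backup for a multi-context
FWSM/ASA/PIX. Not part of rancid; it illustrates the naming scheme from the
message above (one file per context, e.g. ops-pix-01-context-timewarner.conf).
"""
import re

# Constructed sample in the shape of a multi-context "show context" listing.
# The parser tolerates the "*" admin marker and ignores header/total lines.
SAMPLE_SHOW_CONTEXT = """\
Context Name      Class      Interfaces           URL
*admin            default    Vlan10               disk:/admin.cfg
 timewarner       default    Vlan20,Vlan21        disk:/timewarner.cfg
 acme             default    Vlan30               disk:/acme.cfg
Total active Security Contexts: 3
"""

# A context name ends up in a file name, so only accept plain tokens here;
# anything else (path separators, shell metacharacters) is treated as garbage.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_show_context(text):
    """Return the context names from a 'show context' listing, in listing order."""
    names = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("Context Name") or stripped.startswith("Total "):
            continue  # header and summary lines carry no context
        name = stripped.split()[0].lstrip("*")  # "*admin" marks the admin context
        if not SAFE_NAME.match(name):
            raise ValueError("unexpected context name in listing: %r" % name)
        names.append(name)
    return names


def context_config_filename(device, context):
    """Per-context file name in the style suggested above (assumed convention)."""
    return "%s-context-%s.conf" % (device, context)


def collection_plan(device, show_context_output):
    """Map each context to its output file and the commands that collect it.

    The system context is always included first: it is not listed by
    'show context' but holds the context definitions and interface allocations.
    """
    plan = []
    for ctx in ["system"] + parse_show_context(show_context_output):
        switch = "changeto system" if ctx == "system" else "changeto context %s" % ctx
        plan.append({
            "context": ctx,
            "file": context_config_filename(device, ctx),
            "commands": [switch, "show running-config"],
        })
    return plan


if __name__ == "__main__":
    for entry in collection_plan("ops-pix-01", SAMPLE_SHOW_CONTEXT):
        print("%-12s -> %s  (%s)" % (entry["context"], entry["file"],
                                     "; ".join(entry["commands"])))
```

Because every context lands in its own file, a diff or notification identifies exactly which customer's context changed, and a single huge combined file is avoided; the system context is kept as well so that context definitions and VLAN/interface allocations are versioned too.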

> -------- Original Message --------
> Subject: [rancid] Re: Pulling down context configs from a Cisco FWSM
> From: Rob Shepherd <rob at techniumcast.com>
> Date: Wed, March 28, 2007 7:30 am
> To: rancid-discuss at shrubbery.net
>
> Lance wrote:
> > Rob,
> >
> > When you do a "show run" after changing contexts does it give you a
> > slightly different config or an entirely different config.
>
> It's an entirely different config. Each context is like a virtual PIX.
> (until you get down to feature completeness and command compatibility
> that is :) )
>
> > Unfortunately at my place of business we only have a need to run 2
> > basic contexts, the default admin and system. So I don't work with
> > them.
> >
> > I don't intend on this being a context session 101, but why do you
> > create contexts for each customer you have (as it appears to me)? You
> > might enlighten me and I might switch to such a model. :-D
> >
>
> I do this because it permits me to hand off control of a context to a
> particular customer, if they want to do the config themselves.
>
> They can then SSH or PDM independently.
>
> Also there are some limitations with things like DNS/DHCP. I haven't found
> a way to have different DNS server options outputted by the dhcpd
> service on different interfaces. Same for extra options, like vendor
> specific 43, which is different for each customer, for Alcatel AVA.
>
> I'm really eager to get the contexts + system backed up automatically
> by rancid. I do it manually at present. :(
>
> If there's anything I can do to progress the development of such a
> feature, somebody please enlighten me. I'm not a perl devel though, but
> there's one sat next to me, who isn't a network engineer however. If I
> know what to code I can help get it done.....
> But i need the input from somebody who knows the architecture of rancid....
>
> Cheers
>
> Rob
>
> --
> Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
> Technium CAST | LL57 4HJ | http://www.techniumcast.com
> rob at techniumcast.com | 01248 675024 | 077988 72480
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss