[rancid] cisco-xr ASR9K and numbered ACL's

Alan McKinnon alan.mckinnon at gmail.com
Wed Oct 15 21:14:09 UTC 2014


On 15/10/2014 09:59, Jos wrote:
> Hi Guys
> 
> Thanks to you both for the replies. I should have mentioned I’ve tried the
> ACL-SORT option being disabled/enabled in config without seeing any
> success, I had this line in rancid.conf:
> 
> # if ACLSORT is NO, access-lists will NOT be sorted.
> ACLSORT=NO; export ACLSORT
> #
> 
> I have tried removing “export ACLSORT” with no luck either.
> 
> 
> I have 4 or 5 ASR9K’s running 4.3.x and all do the same thing. Perhaps a
> better example is this one:
> 
> Rancid backs up this:
> ipv4 access-list name
>  permit ipv4 any 166
>  remark the below subnet is currently not in use
>  permit ipv4 any 166
> 
> What we have configured is:
> ipv4 access-list name
>  10 permit ipv4 any 166.1xx.xx.xx/28
>  20 remark the below subnet is currently not in use
>  30 permit ipv4 any 166.1xx.xx.xxx/28
> 
> 
>  - so the rancid backup leaves a bit to be desired here I think.


The truncated address is due to this code in WriteTerm():

if (/^ipv(4|6) access-list (\S+)\s*$/) {
    ...
    while (<INPUT>) {
        ...
        ($seq, $cmd, $misc, $ip) = ($_ =~ /^\s+(\d+) (\w+) (.*\s)(\w+)/);
        if ($cmd =~ /(permit|deny)/) {
            ProcessHistory("ACL $nlri $key $cmd",
                           "$aclsort", "$ip", " $cmd $misc$ip\n");
        ...
    }
}


That final (\w+) stops at the first dot.

I'm no Cisco guru and don't know all the permutations of how XR lists
access-lists, but I imagine the address must be everything after
"ipv(4|6) any ", so the regex should probably become:


($_ =~ /^\s+(\d+) (\w+) (.*\s)(.*)/)


This is for 2.3.8 (I don't have a 3.x install to hand to check)

> 
> I have:
> expect version 5.44.1.15
> This is on centos 6.5, I had the packaged version of rancid installed, an
> old 2.3.8 or something but then grabbed 3.1 and compiled it and have
> removed the package.
> 
> 
> Thanks for all your help with this, I can share more config if you let me
> know what exactly.
> 
> Cheers, Jos
> 
> 
> On 15/10/14 18:27, "heasley" <heas at shrubbery.net> wrote:
> 
>> Wed, Oct 15, 2014 at 07:22:23AM +0200, Alan McKinnon:
>>>> Rancid collected config:
>>>> ipv4 access-list no-rfc1918
>>>>  remark Deny traffic to RFC 1918
>>>>  deny ipv4 10.0.0.0/8 any
>>>>  deny ipv4 any 10
>>>>  deny ipv4 172.16.0.0/12 any
>>>>  deny ipv4 any 172
>>>>  deny ipv4 192.168.0.0/16 any
>>>>  deny ipv4 any 192
>>>>  permit ipv4 any any
>>>>
>>>>
>>>> A minor problem where the ACL is obvious as above, but this is the
>>>> exception.
>>>> Can someone suggest a good fix or workaround for this please
>>>> (preferably without changing the ASR9K config), I trust it affects
>>>> others with this sort of config?
>>>> I can see earlier posts mention xrrancid but can’t find that in our
>>>> 3.1 install.
>>>
>>> This appears to be rancid's acl renumbering, which is the designed
>>> behaviour for good reasons.
>>
>> I don't think so; yes, it's removing the line numbers, but it's botching
>> every other line.
>> _______________________________________________
>> Rancid-discuss mailing list
>> Rancid-discuss at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
> 
> 


-- 
Alan McKinnon
alan.mckinnon at gmail.com
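To make the truncation concrete, this is an added Python re-implementation of that regex logic (not rancid's own Perl code) run over the ACL lines quoted in this thread; for these patterns Python's re treats \s, \w and . the same way Perl does. The sequence numbers on the no-rfc1918 lines are assumed, since the collected config in the quote has already lost them.

```python
import re

# Pattern quoted from rancid 2.3.8 WriteTerm() in this thread: the final (\w+)
# cannot cross a dot, so a trailing dotted address is cut at the first ".".
ORIGINAL_RE = re.compile(r'^\s+(\d+) (\w+) (.*\s)(\w+)')
# Replacement proposed in the reply: take everything after the last whitespace.
PROPOSED_RE = re.compile(r'^\s+(\d+) (\w+) (.*\s)(.*)')

def parse_acl_line(line, pattern):
    """Return (seq, cmd, misc, ip) as WriteTerm()'s list assignment would,
    or None when the line does not match at all."""
    m = pattern.match(line)
    return m.groups() if m else None

def render_acl_entry(line, pattern):
    """Return the text rancid writes for a permit/deny entry (" $cmd $misc$ip"),
    or None for lines the permit/deny branch skips, such as remarks."""
    fields = parse_acl_line(line, pattern)
    if fields is None:
        return None
    seq, cmd, misc, ip = fields   # seq is not echoed, as in the quoted ProcessHistory call
    if not re.search(r'(permit|deny)', cmd):
        return None
    return f" {cmd} {misc}{ip}"

def render_acl(lines, pattern):
    """Render a whole access-list body with the given regex. Line endings are
    stripped first; see the note on trailing newlines after this block."""
    rendered = (render_acl_entry(l.rstrip("\r\n"), pattern) for l in lines)
    return [r for r in rendered if r is not None]

# Constructed sample: the entries quoted in this thread. The sequence numbers
# on the no-rfc1918 lines are assumed; xx/xxx is the poster's own masking.
SAMPLE_ACL = [
    " 10 permit ipv4 any 166.1xx.xx.xx/28",
    " 20 remark the below subnet is currently not in use",
    " 30 permit ipv4 any 166.1xx.xx.xxx/28",
    " 40 deny ipv4 10.0.0.0/8 any",
    " 50 deny ipv4 any 10.0.0.0/8",
    " 60 permit ipv4 any any",
]

if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_RE), ("proposed", PROPOSED_RE)):
        print(f"--- {name} regex ---")
        print("\n".join(render_acl(SAMPLE_ACL, pattern)))
```

One caveat the demo surfaces: if `$_` still carries its trailing newline when the proposed regex runs, `.*` stops before the newline but `\s` consumes it, so `$ip` comes back empty and the newline ends up inside `$misc` (the original pattern is saved from this only because `(\w+)` forces a backtrack). Chomping the line first, as `render_acl` does, keeps the proposed fix sound.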
