[rancid] Reverse RANCID

James Bensley jwbensley at gmail.com
Thu Feb 12 09:57:55 UTC 2015


Hi All,

In answer to some of the feedback I've had I perhaps should have been
more detailed in my explanation, as people are throwing back reasons not
really related to the technicalities of doing this, which is what I was
trying to query for:

- When I said I'd like to use RANCID, I mean I have no intention of
using it for backups; we already have a system for that which we
prefer. I mean clogin specifically (as someone mentioned). RANCID
contains a bunch of scripts that allow you to execute commands on a
whole range of vendor devices; I'm talking about bastardising it, though,
as the interaction layer with the devices so I don't have to write my
own per vendor/make/OS.

- Obviously RANCID can't check the syntax of the config it would push. When we
make changes on the network we write out the full config to be
applied, it is peer reviewed by another engineer, then submitted to a
change board for review, and only then would it go into the reverse
RANCID tool, so that is no more risk than a human finally copying and
pasting it in. If at any point an error is thrown back, the tool
would see that.

- We also have a full virtual mock-up of the core and a nearly full
hardware mock-up in the lab, so again, the syntax will be tested; that
could even be built into the tool, so that at the scheduled time of the change
it runs it on the lab first.

- Making changes to something seen as "dangerous" like routing
protocols shouldn't be shied away from because of the potential
impact; you have to find ways to de-risk the change. Like someone else
mentioned, we have thousands and thousands of devices, so this must be
automated.

- Someone mentioned security. We have plenty of that: locking down
RANCID access to a specific IP, in a specific VRF, and the user
account is of course in Tacacs so we can then limit the exact commands
it runs on a per-device basis; we can even limit the dates/times the
account is allowed to log in. All commands that it does run are logged
back to Tacacs so it's fully auditable. No issues there.


I'm really just interested in writing a web interface in which you can
paste in some config, give a date/time, username/password maybe, and
hostname/IP, and at that time it uploads the configs. Also one must be
able to configure checks to be run before and after the config upload,
as I said, like grabbing the number of routers in a table, or number of
routes received from a specific neighbour, or number of neighbours we
are exchanging routes with. Then I can define some pass/fail criteria
and my reverse RANCID would simply roll back the changes; I could have
pre-supplied the equivalent config to roll back.

This sounds like fairly straightforward stuff, so I could be missing
something. I have seen systems like NETCONF but the support isn't
widespread yet; there is more support on JunOS at present than Cisco (and
we have more Cisco than JunOS) and no one is really rolling much in the
way of applications for utilising it.


Kind regards,
James.
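The pre-check / push / post-check / roll-back loop described in the post, as an added example that is not part of the original message or of RANCID itself. It stands in a simulated device for the clogin session (the `SimulatedDevice` class, the `show ip bgp summary` table contents and the BGP metrics are all constructed, hypothetical values), parses the neighbour and prefix counts before and after the push, applies a pass/fail criterion, and pushes the pre-supplied rollback config when the criterion fails.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# --- Constructed sample output in the shape of 'show ip bgp summary' (hypothetical values) ---
BGP_SUMMARY_OK = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.1       4 65001    1200    1180      100    0    0 1d02h         2500
192.0.2.2       4 65002     980     970      100    0    0 3d10h          800
"""
# The same table after a change that took the second session down (no longer Established).
BGP_SUMMARY_BROKEN = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.1       4 65001    1210    1190      101    0    0 1d02h         2500
192.0.2.2       4 65002     990     980      101    0    0 00:00:05    Active
"""


def parse_bgp_summary(text: str) -> Dict[str, int]:
    """Count established neighbours and received prefixes from a bgp-summary style table.
    A numeric State/PfxRcd column means the session is Established; any other value
    (Active, Idle, Connect, ...) means the neighbour is not exchanging routes."""
    established, prefixes = 0, 0
    for line in text.splitlines():
        fields = line.split()
        if not fields or not re.match(r"^\d+\.\d+\.\d+\.\d+$", fields[0]):
            continue  # header line or blank line
        if fields[-1].isdigit():
            established += 1
            prefixes += int(fields[-1])
    return {"established": established, "prefixes": prefixes}


class SimulatedDevice:
    """Stand-in for a clogin/ssh session (hypothetical): returns canned output and
    records every config that was pushed. breaks_on_change models a change that
    takes a neighbour down; the rollback push restores the healthy state."""

    def __init__(self, breaks_on_change: bool):
        self.breaks_on_change = breaks_on_change
        self.broken = False
        self.pushed: List[str] = []

    def run(self, command: str) -> str:
        if command == "show ip bgp summary":
            return BGP_SUMMARY_BROKEN if self.broken else BGP_SUMMARY_OK
        raise ValueError(f"no canned output for {command!r}")

    def configure(self, config: str) -> None:
        self.pushed.append(config)
        # first push is the change itself; a second push is the rollback
        self.broken = self.breaks_on_change and len(self.pushed) == 1


@dataclass
class Check:
    name: str
    command: str
    parser: Callable[[str], Dict[str, int]]
    # pass/fail criterion evaluated over the metrics gathered before and after the push
    criterion: Callable[[Dict[str, int], Dict[str, int]], bool]


def run_change(device, config: str, rollback_config: str, checks: List[Check]) -> Dict:
    """Gather metrics, push the config, gather again, and roll back on any failed criterion."""
    before = {c.name: c.parser(device.run(c.command)) for c in checks}
    device.configure(config)
    after = {c.name: c.parser(device.run(c.command)) for c in checks}
    failed = [c.name for c in checks if not c.criterion(before[c.name], after[c.name])]
    if failed:
        device.configure(rollback_config)  # the pre-supplied equivalent config
        return {"status": "rolled_back", "failed": failed, "before": before, "after": after}
    return {"status": "committed", "failed": [], "before": before, "after": after}


# Criterion: no neighbour may drop, and at most 10% of received prefixes may be lost.
BGP_CHECK = Check(
    name="bgp",
    command="show ip bgp summary",
    parser=parse_bgp_summary,
    criterion=lambda b, a: a["established"] == b["established"]
    and a["prefixes"] >= 0.9 * b["prefixes"],
)

if __name__ == "__main__":
    for breaks in (False, True):
        dev = SimulatedDevice(breaks_on_change=breaks)
        result = run_change(dev, "! CHANGE (hypothetical)", "! ROLLBACK (hypothetical)", [BGP_CHECK])
        print(result["status"], result["failed"], dev.pushed)
```

In a real deployment `SimulatedDevice.run` and `configure` would wrap the clogin (or ssh) session, and each additional "show" command the post mentions (route-table size, prefixes from one neighbour) becomes another `Check` with its own parser and criterion; the rollback config is supplied up front, as the post describes, rather than derived by the tool.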


More information about the Rancid-discuss mailing list