[rancid] ASA Config for Rancid

Piegorsch, Weylin William weylin at bu.edu
Tue Sep 12 19:40:52 UTC 2017

Thanks Ryan.  We used to do exactly that, but it got to the point that ASAs were doing far more than merely firewall – to name a few:

... well ok these are just ASAs

  PIX, ASA, PaloAlto 3k, PaloAlto 7k, PaloAlto 500, and I think there’s a CheckPoint somewhere we haven’t yet replaced

  ASA, ASR1k, Catalyst6k, 7301, 3825

  Oh let me count the ways....

BGP Service Advertisement
  Nexus7k, ASR9k, ASR1k, 7301, ASA

Since the devices performing a function are so varied, the naming standard cannot take model into account, merely function.  It got to the point where I was essentially starting to list every ASA by specific name; after a few of these it became clear this approach wouldn’t scale.

And to answer the other question – somewhere around 20,000 devices; 11,000+ VoIP handsets, 6,000–7,000 access points, and 3,000+ of everything else (though largely only that last are needed in rancid).


-----Original Message-----
From: Ryan West <rwest at zyedge.com>
Date: Tuesday, September 12, 2017 at 15:17
To: Weylin Piegorsch <weylin at bu.edu>, Dan Anderson <dan.w.anderson at gmail.com>, "rancid-discuss at shrubbery.net" <rancid-discuss at shrubbery.net>
Subject: RE: [rancid] ASA Config for Rancid

    On Tue, Sep 12, 2017 at 15:06:20, Piegorsch, Weylin William wrote:
    > Thanks Ryan.  I’m unable to concretely determine a device is an ASA from its
    > domain name, unless I populate .cloginrc with every ASA I have.  I used to do
    > that, but it became cumbersome and at some point it was clear it would no
    > longer scale.  For a while I also went down the path of having a .cloginrc-asa
    > that had the ASA-specific methods and then included .cloginrc, but for similar
    > manageability reasons I had to abandon that approach as well.
    > Is there a way to do that by some other means?
    Not sure how many devices you're supporting, but I leverage an internal-only DNS view that has a location and device type with number, then you can have a catch-all in your .cloginrc that identifies them -
    ## Firewalls connect this way
    add user *fw*                   {username}
    add password *fw*              {password}	{en_password}
    add method *fw*                 ssh telnet
    add autoenable *fw*             0

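As an added check (not code from this thread or from rancid itself): a small Python emulation of clogin's `.cloginrc` lookup, run over a constructed file modelled on the catch-all quoted above, so that the entry a given hostname will hit can be confirmed before a catch-all is rolled out to thousands of devices. It assumes clogin matches the hostname against each `add <directive> <glob>` pattern in file order and uses the first match per directive; the `netops` user, the core-router pattern, the hostnames and the placeholder passwords are all constructed.

```python
import fnmatch

# Constructed sample .cloginrc modelled on the *fw* catch-all in the thread.
# Credentials are placeholders, not real secrets.
SAMPLE_CLOGINRC = """\
## Firewalls connect this way
add user *fw*                   {netops}
add password *fw*               {PLACEHOLDER_PW}  {PLACEHOLDER_EN}
add method *fw*                 ssh telnet
add autoenable *fw*             0

## Core routers: ssh only, already in enable (constructed entry)
add user *-core-*               {netops}
add method *-core-*             ssh
add autoenable *-core-*         1

## Default for everything else (constructed entry)
add user *                      {netops}
add method *                    ssh
"""


def parse_cloginrc(text):
    """Return (directive, glob, values) tuples in file order, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[0] != "add":
            continue
        directive, pattern = parts[1], parts[2]
        values = parts[3] if len(parts) == 4 else ""
        entries.append((directive, pattern, values))
    return entries


def resolve(entries, hostname, directive):
    """First matching entry for the directive wins (assumed clogin behaviour).

    Tcl-style glob matching is case-sensitive, so fnmatchcase is used rather
    than fnmatch, which folds case on some platforms.
    """
    for d, pattern, values in entries:
        if d == directive and fnmatch.fnmatchcase(hostname, pattern):
            return pattern, values
    return None


def audit(entries, hostnames, directive="method"):
    """Map each hostname to the (pattern, values) that supplies `directive`.

    A value of None flags a host that falls through every entry, which is
    the gap a catch-all is meant to close.
    """
    return {h: resolve(entries, h, directive) for h in hostnames}


if __name__ == "__main__":
    entries = parse_cloginrc(SAMPLE_CLOGINRC)
    # Constructed hostnames following a location-type-number naming scheme.
    hosts = ["bos-fw-01", "bos-core-01", "bos-core-fw01", "bos-sw-01"]
    for host, hit in audit(entries, hosts).items():
        print(f"{host:16} method <- {hit}")
    # Note the ordering effect: "bos-core-fw01" matches *fw* before *-core-*,
    # so it inherits "ssh telnet" and autoenable 0, not the core-router entry.
    for host, hit in audit(entries, hosts, "autoenable").items():
        print(f"{host:16} autoenable <- {hit}")
```

The ordering case is the one worth checking in a real file: because the first match wins, a broad pattern placed above a narrower one silently shadows it, and a directive with no `*` fallback (here `autoenable`) leaves some hosts with no value at all.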