Re: [c-nsp] Tool To Backup Configurations
Tue, Jan 04, 2011 at 11:06:28PM +1300, Terry Rupeni:
> previously we had used a commercial product Solarwinds Configuration/Policy
> Manager. One thing we found useful in Solarwinds was a policy Reporter where
> you could easily script the manager to go through device configs and flag
> those devices that have, say for example, ip http server in the config.
>
> Is this possible/easy to do in Rancid?

it does not have such a capability. better, IMO; you're free to roll your own
scripts to read the diff(1) emails and tag additions of such offensive
configuration. Or, use cron jobs to periodically run audit scripts over the
saved configs. IIRC, Joe Abley & Steven Stuart wrote some auditing scripts
that were presented at the last Eugene, Oregon NANOG.

and, the rancid dist comes with an example or two of auxiliary scripts in its
share directory.
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
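The kind of audit script the reply describes, as an added example; it is not one of the scripts shipped in rancid's share directory and not code from this thread. It walks a rancid configs/ directory, or only the lines a diff mail adds, and flags a few well-known IOS settings, including the ip http server case from the question. The rule list, the vty-telnet context check, the hostname and the sample config and diff are constructed for the demonstration.

```python
"""Audit archived IOS configs, or the added lines of a rancid diff mail,
for settings an operator would rather not see."""
import re
from pathlib import Path

# Rules: (identifier, regex tried against each non-comment line, description).
# Constructed for this example; the patterns are IOS syntax.
RULES = [
    ("http-server", re.compile(r"^ip http server$"),
     "clear-text HTTP management server enabled"),
    ("no-pw-encryption", re.compile(r"^no service password-encryption$"),
     "line/enable passwords stored in clear text"),
    ("enable-password", re.compile(r"^enable password "),
     "enable password used instead of enable secret"),
    ("snmp-rw", re.compile(r"^snmp-server community \S+ RW\b"),
     "read-write SNMP community configured"),
]
# Context rule: only inside a 'line vty' block does 'transport input' matter.
VTY_BLOCK = re.compile(r"^line vty\b")
VTY_TELNET = re.compile(r"^\s+transport input (all\b|.*\btelnet\b)")


def audit_config(text):
    """Return [(rule_id, line_number, line)] for one config in rancid's file layout."""
    findings = []
    in_vty = False
    for num, line in enumerate(text.splitlines(), 1):
        if line.startswith("!"):          # rancid's '!' comment lines and IOS separators
            continue
        if not line.startswith(" "):      # a top-level line starts a new block
            in_vty = bool(VTY_BLOCK.match(line))
        for rule_id, pattern, _desc in RULES:
            if pattern.search(line):
                findings.append((rule_id, num, line))
        if in_vty and VTY_TELNET.match(line):
            findings.append(("vty-telnet", num, line.strip()))
    return findings


def audit_diff(diff_text):
    """Audit only the lines a unified diff adds, i.e. what a rancid change mail
    reports as new; removed and context lines are ignored."""
    added = [line[1:] for line in diff_text.splitlines()
             if line.startswith("+") and not line.startswith("+++")]
    return audit_config("\n".join(added))


def audit_dir(config_dir):
    """Audit every file in a rancid configs/ directory -> {filename: findings}."""
    results = {}
    for path in sorted(Path(config_dir).iterdir()):
        if path.is_file() and not path.name.startswith("."):
            findings = audit_config(path.read_text(errors="replace"))
            if findings:
                results[path.name] = findings
    return results


# Constructed sample config (no real device) in the layout rancid writes.
SAMPLE_CONFIG = """\
!RANCID-CONTENT-TYPE: cisco
!
!Chassis type: WS-C6509 - a WS-C6509 chassis
!
hostname core1
no service password-encryption
enable password Fo0bar
!
ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

# Constructed unified diff of the kind rancid mails out after a change.
SAMPLE_DIFF = """\
--- configs/core1.old
+++ configs/core1
@@ -8,3 +8,4 @@
 !
+ip http server
 no ip http secure-server
 !
"""

if __name__ == "__main__":
    descriptions = {rule_id: desc for rule_id, _p, desc in RULES}
    descriptions["vty-telnet"] = "telnet accepted on a vty line"
    for rule_id, num, line in audit_config(SAMPLE_CONFIG):
        print("core1:%d: [%s] %s -- %s" % (num, rule_id, line, descriptions[rule_id]))
    for rule_id, num, line in audit_diff(SAMPLE_DIFF):
        print("added in diff: [%s] %s" % (rule_id, line))
```

Run it from cron against the configs directory with audit_dir(), or feed the body of each rancid change mail to audit_diff() so only newly added offensive lines are reported; the vty check shows why a line-at-a-time grep is not enough for settings whose meaning depends on the enclosing block.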
Re: [c-nsp] rancid and inventory with ^
Tue, Sep 07, 2010 at 11:03:47AM +0300, Tassos Chatzithomaoglou:
> We get daily differences (whole config parts are removed and readded),
> because rancid believes that something has changed, although this is not
> the case. Probably has to do with the expect code.

possibly; but doubtful. when i see such behavior, it is because the device
is having problems; low memory, fragmented memory, other s/w bug, failing
hardware, etc.
Re: [c-nsp] rancid and inventory with ^
Tue, Sep 07, 2010 at 09:39:00AM +0100, Alexander Clouter:
>   !NAME: temperature outlet 9 , DESCR: module 9 outlet temperature Sensor
>   !NAME: temperature inlet 9 , DESCR: module 9 inlet temperature Sensor
> + !NAME: temperature device-1 9 , DESCR: module 9 device-1 temperature Sensor
> + !NAME: temperature device-2 9 , DESCR: module 9 device-2 temperature Sensor
>   !opv1^T^LB

fwiw, this would strike me as either failing hardware (SMbus or sensor) or a
s/w bug that's reading outside of the device ID buffer range or an improperly
flashed device ID. if it flaps, it's probably not the latter. it could also be
a s/w bug that is just writing junk to the tty when this command is run. you
can speculate based upon the behavior.

> Anyway, there was a thread here that kicked this off into life:
>
> http://marc.info/?l=cisco-nsp&m=126780984709176&w=2

and that could be the s/w just not being patient enough for those devices.
if the command returns an error when it fails to reach devices it knows to
exist, then rancid can be altered to fail and retry.
Re: [c-nsp] Network Change Management
Tue, Aug 17, 2010 at 09:18:28AM -0500, Jeff Wojciechowski:
> All:
>
> I know there are tools out there like RANCID that help manage configuration
> changes but we want a system that will not only be able to document what
> changes were made, but also document why.

not the most efficient method and requires discipline, but one could annotate
the CVS or SVN versions (cvs admin -m rev:msg file or svnadmin setlog -r rev
file) generated by rancid SCM commits for documentation. you can also tag or
branch to create named sets, such as replace_foundry.
Re: [c-nsp] App to manage pushing out changes
Fri, Aug 13, 2010 at 10:19:20AM -0700, Eric Cables:
> On Thu, Aug 12, 2010 at 12:42 PM, Brandon Ewing nicot...@warningg.com wrote:
>> On Thu, Aug 12, 2010 at 01:24:24PM -0600, Saxon Jones wrote:
>>> CiscoWorks LMS or even RANCID will work for this.
>>
>> On a box with RANCID installed it's done like so:
>>
>> for host in router1 router2 router3; do
>>     clogin -c "config t;no ip access-list extended asdf;ip access-list extended asdf;permit ip any any;end;write mem" ${host}
>> done

also see share/cisco-load.exp in the rancid tar file as an example of doing
this with clogin -s file.exp hostname [...].
Re: [c-nsp] [rancid] Cisco L2tp class with password and rancid
Mon, Jul 05, 2010 at 06:49:04PM +0100, Alan Buxey:
> Hi,
>
>> I have an issue when I configure a l2tp-class with a password in it, every
>> time I do a sho run the level 7 encrypted password is shown differently.
>> When using Rancid for config backups, every time Rancid runs I receive a
>> complaint my config has changed.
>
> I've had this issue with several devices and it's been fixed by cisco.
> recently, however, have had the same with the level 7 password for
> energywise. the 'fix' is to not have it encrypted in the config and save it
> as plain text (level 0) - that's not acceptable. you'll have to do what i
> did - reconfigure rancid to ignore that value.

if you provide examples of these config lines, l2tp and energywise, i'll
provide a hack to filter them within rancid. they should, however, not
change in the config and you should complain to cisco to get it fixed so
that you can have them archived by rancid without the oscillating.
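What is going on with the "level 7" value, and one way to stop it oscillating, as an added example; this is not rancid's filter and not code from the thread. Cisco type 7 is a fixed-key XOR with a two-digit decimal offset in front, so the same secret re-emitted with a different offset is a different string. The two hex values below are both real type 7 encodings of the word "cisco" (offsets 08 and 09); the l2tp-class excerpts around them are constructed. The normaliser either re-encodes each value with offset 0 or replaces it with the `<removed>` placeholder rancid uses for lines it filters, so consecutive collections compare equal.

```python
"""Decode, encode and normalise Cisco 'password 7' (type 7) values.

Type 7 is a reversible XOR obfuscation, not encryption: the first two
digits are a decimal offset into a fixed key, the rest is hex of
plaintext XOR key[offset + i]. IOS may pick a fresh offset when it
re-emits some lines, so the same secret shows up as a different string
in consecutive 'show run' outputs and rancid reports a change."""
import re

# Fixed key used by IOS for type 7 values; public knowledge for years.
_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(value):
    """Return the plaintext for a type 7 string such as '0822455D0A16'."""
    if (len(value) < 4 or len(value) % 2 or not value[:2].isdigit()
            or not re.fullmatch(r"[0-9A-Fa-f]*", value[2:])):
        raise ValueError("not a type 7 value: %r" % value)
    offset = int(value[:2], 10)
    body = bytes.fromhex(value[2:])
    plain = bytes(b ^ _KEY[(offset + i) % len(_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")   # UnicodeDecodeError (a ValueError) on junk


def encode_type7(plain, offset=0):
    """Encode with an explicit offset; IOS chooses the offset itself."""
    if not 0 <= offset < len(_KEY):
        raise ValueError("offset out of range")
    data = plain.encode("ascii")
    body = bytes(b ^ _KEY[(offset + i) % len(_KEY)] for i, b in enumerate(data))
    return "%02d%s" % (offset, body.hex().upper())


# Lines carrying a type 7 value: '... password 7 <hex>', '... shared-secret 7
# <hex>', '... key 7 <hex>'. Assumed forms; extend as needed.
TYPE7_LINE = re.compile(
    r"^(?P<prefix>.*\b(?:password|secret|key)\s+7\s+)(?P<value>[0-9A-Fa-f]{4,})(?P<rest>.*)$")


def normalize_type7(config_text, mode="canonical"):
    """Rewrite every type 7 value so two collections of the same secret compare
    equal. mode='canonical' re-encodes the decoded secret with offset 0 (the
    archive still holds the recoverable secret); mode='strip' replaces it with
    '<removed>', the placeholder rancid uses for lines it filters."""
    out = []
    for line in config_text.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            try:
                plain = decode_type7(m.group("value"))
            except ValueError:          # not really type 7; leave the line alone
                out.append(line)
                continue
            repl = "<removed>" if mode == "strip" else encode_type7(plain)
            line = m.group("prefix") + repl + m.group("rest")
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed excerpts of two consecutive 'show run' collections; the two
# type 7 strings are both encodings of 'cisco', with offsets 08 and 09.
RUN_MONDAY = """\
l2tp-class tunnel-auth
 password 7 0822455D0A16
!
"""
RUN_TUESDAY = """\
l2tp-class tunnel-auth
 password 7 094F471A1A0A
!
"""

if __name__ == "__main__":
    print(decode_type7("0822455D0A16"), decode_type7("094F471A1A0A"))   # cisco cisco
    print(RUN_MONDAY == RUN_TUESDAY)                                    # False
    print(normalize_type7(RUN_MONDAY) == normalize_type7(RUN_TUESDAY))  # True
    print(normalize_type7(RUN_TUESDAY, mode="strip"), end="")
```

Because the decode is trivial, anyone who can read the archive can read the secret either way; the strip mode is the safer default for a config store shared beyond the people who already know the password, and it is also what rancid's own password filtering does for the lines it knows about.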
Re: [c-nsp] SNMP MIB for Receiving Prefix Counts for Individual Peers
Wed, Jun 30, 2010 at 10:52:25AM -0400, Gary T. Giesen:
> Seeing as that was published in Feb 2010, I doubt it's supported by
> anything yet... I guess I'll have to wait and see...

this is still a draft, but you should ask your vendors to add per-afi/safi
support (please). juniper and cisco have enterprise mibs with some of the
data (ie: at least ipv4), of course it depends on O/S revision.

> On Wed, Jun 30, 2010 at 9:16 AM, Per Carlson pe...@hemmop.com wrote:
>> Hi Gary.
>>
>>> Is anyone aware of a MIB that supports querying the number of prefixes
>>> (not the individual prefixes) received from a BGP peer?
>>
>> There is an I-D supporting this:
>> http://tools.ietf.org/html/draft-ietf-idr-bgp4-mibv2-10
>>
>> From the Overview section:
>>
>>    This MIB addresses several of the deficiencies of the previous BGP-4
>>    MIB.  In particular:
>>
>>    o  Add several counters of operational interest.  For example, the
>>       number of routes received from a given BGP peer.
>>
>> Finding a software supporting the I-D is another story...
>>
>> --
>> Pelle
>>
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>> A: Top-posting.
>> Q: What is the most annoying thing in e-mail?
Re: [c-nsp] 6500 nvram contents changing
Mon, Mar 22, 2010 at 09:27:35AM +0000, Ben Cooper:
> John,
>
> It looks like Jared was correct, we had another instance of rancid running
> on another box at roughly the same time. I shifted the cron job forward 30
> minutes, and the diffs have stopped.

i can't reproduce it. if anyone knows the error that the cli displays when
this contention occurs, please e-mail the info to me so that i can fix
rancid to deal with it.
Re: [c-nsp] 6500 nvram contents changing
Fri, Mar 19, 2010 at 10:40:20AM -0400, Jared Mauch:
> This typically happens if someone is viewing the startup-config (eg: show
> conf) as it is locked.

afaict, neither reading nor writing locks the nvram fsys in such a way that
dir /all nvram:, the command rancid uses, fails. it seems to wait as you'd
expect the locking to work, though not in a fifo manner. at least, i can't
reproduce this on 12.2.18SXF16.

if it did fail, i'd expect that the cli would return an error, which rancid
may not recognize. in cases where the fsys is locked, like for one being
squeezed, the cli normally produces errors like

    Open device \S+ failed
    Error opening \S+:

which rancid does recognize.

it may be that write memory removes all the nvram files, then writes the new
ones and you're just lucky.

other ideas?

> - Jared
>
> On Mar 19, 2010, at 7:58 AM, Ben Cooper wrote:
>> Hi,
>>
>> We use rancid to retrieve configs from our cisco kit, recently one of our
>> 6500s (s72033_rp-ADVENTERPRISEK9_WAN-M Version 12.2(33)SXH3) has started
>> reporting nvram content changes sporadically throughout the day, eg:
>>
>>   !Flash: nvram: Directory of nvram:/
>>   !Flash: nvram: 1918  -rw-  26788  no date  startup-config
>>   !Flash: nvram: 1919           24  no date  private-config
>>   !Flash: nvram: 1920  -rw-  26788  no date  underlying-config
>> - !Flash: nvram:    1            4  no date  rf_cold_starts
>> - !Flash: nvram:    2           48  no date  persistent-data
>> - !Flash: nvram:    3  -rw-   4887  no date  ifIndex-table
>>   !Flash: nvram: 1964024 bytes total (1929992 bytes free)
>>
>>   !Flash: nvram: Directory of nvram:/
>> - !Flash: nvram: No files in directory
>> + !Flash: nvram: 1918  -rw-  26788  no date  startup-config
>> + !Flash: nvram: 1919           24  no date  private-config
>> + !Flash: nvram: 1920  -rw-  26788  no date  underlying-config
>> + !Flash: nvram:    1            4  no date  rf_cold_starts
>> + !Flash: nvram:    2           48  no date  persistent-data
>> + !Flash: nvram:    3  -rw-   4887  no date  ifIndex-table
>>   !Flash: nvram: 1964024 bytes total (1929992 bytes free)
>>
>> Has anyone experienced this behaviour before?
>>
>> Thanks,
>> Ben
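An added example, not rancid's code, of the fail-and-retry behaviour suggested here and in the sensor thread above: the collector re-runs a command while its output carries one of the two error strings rancid already recognises, and also when nvram: comes back as "No files in directory" (a configured router always has startup-config there, so an empty listing is not a believable result), and it raises once the attempts are used up so the previous archived copy is kept rather than a bogus diff being committed. FakeDevice and its "%Error opening" text are constructed stand-ins for a router whose nvram: is busy because a second rancid instance is collecting at the same time.

```python
"""Re-run a CLI command while the device reports a transient filesystem error,
rather than archiving whatever it printed."""
import re
import time

# Output that must not be archived: the two errors IOS prints when a file
# system is busy (rancid already fails on these), plus an empty nvram:
# listing, which a configured router never legitimately produces.
TRANSIENT_ERRORS = [
    re.compile(r"Open device \S+ failed"),
    re.compile(r"Error opening \S+:"),
    re.compile(r"^\s*No files in directory\s*$"),
]


def transient_error(output):
    """Return the first line matching a transient-error pattern, else None."""
    for line in output.splitlines():
        for pattern in TRANSIENT_ERRORS:
            if pattern.search(line):
                return line.strip()
    return None


def run_with_retry(run_command, command, attempts=3, delay=5.0, sleep=time.sleep):
    """Call run_command(command) -> str until the output carries no transient
    error. Returns (output, attempts_used); raises RuntimeError once the
    attempts are exhausted so the caller keeps the previous archived copy."""
    last = None
    for n in range(1, attempts + 1):
        output = run_command(command)
        last = transient_error(output)
        if last is None:
            return output, n
        if n < attempts:
            sleep(delay)
    raise RuntimeError("%r failed after %d attempts: %s" % (command, attempts, last))


class FakeDevice:
    """Constructed stand-in for a router whose nvram: is locked for the first
    busy_for calls (e.g. another rancid instance is mid 'write mem')."""
    LISTING = ("Directory of nvram:/\n"
               "\n"
               " 1918  -rw-  26788  <no date>  startup-config\n"
               " 1919  ----     24  <no date>  private-config\n"
               "\n"
               "1964024 bytes total (1929992 bytes free)\n")
    BUSY = "%Error opening nvram:/ (Device busy)\n"   # constructed error text
    EMPTY = ("Directory of nvram:/\n\nNo files in directory\n\n"
             "1964024 bytes total (1929992 bytes free)\n")

    def __init__(self, busy_for, response=None):
        self.busy_for = busy_for
        self.response = response or self.BUSY
        self.calls = 0

    def __call__(self, command):
        self.calls += 1
        if command == "dir /all nvram:" and self.calls <= self.busy_for:
            return self.response
        return self.LISTING


if __name__ == "__main__":
    device = FakeDevice(busy_for=1)
    output, used = run_with_retry(device, "dir /all nvram:", sleep=lambda _s: None)
    print("succeeded on attempt %d" % used)      # succeeded on attempt 2
    stuck = FakeDevice(busy_for=10, response=FakeDevice.EMPTY)
    try:
        run_with_retry(stuck, "dir /all nvram:", attempts=2, sleep=lambda _s: None)
    except RuntimeError as exc:
        print("gave up:", exc)
```

In a real collector run_command would be the expect session that sends the command and returns the captured text; the retry is bounded and sleeps between attempts so a lock held by a long write memory on the other box has time to clear, and a genuinely failing box is reported rather than retried forever.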
Re: [c-nsp] RANCID Spiking CPUs
Mon, Jun 09, 2008 at 03:56:08PM -0400, Nick Davey:
> Hi All,
>
> I've deployed rancid on a fairly large metro network, and am seeing some
> pretty high CPU averages. When RANCID runs the CPUs on a large number of
> our boxes spike to about 95% for several seconds. Although they have never
> hit 100%, or caused any issues (dropped OSPF hellos, stp bpdus) I'm
> concerned that under the right combination of events this could result in
> dropped OSPF neighbor adjacencies or other badness.
>
> I've tried to replicate the high CPU issue by pasting the commands in
> manually however I haven't come anywhere close to the 95% I'm seeing when
> RANCID runs them. I'm assuming this is just the frequency at which the
> commands are run.
>
> Does anyone have any experience with this or any insight they can provide?

RANCID will submit many commands in less time than it'll take a human; you
will not likely be able to replicate it by hand. However, displaying the
configuration, esp for a large and compressed config, likely causes the
greatest CPU util of any of the commands that are used.

Any process should be able to consume all the available CPU. However, your
device's scheduler should use a higher preference for critical core
processes, such as routing, and lower for the user/cli so when there is a
resource deficit the critical bits get the time they need. For example,
notice that when a device boots, BGP consumes all the CPU, yet OSPF continues
to manage its timers.

I've only seen one case where it was a problem; a massive EoA config. show
running-config took so long that it affected management. But, the same was
true when run by a human. It was the wrong box for the job.
Re: [c-nsp] Top 10 Network Engineering Tools
Mon, Jan 28, 2008 at 01:02:54PM -0800, Tony Li:
> 1. A laptop with a built-in serial port or a USB-Serial converter that you
>    know works (in fact, even if your laptop has a built-in serial port it
>    could be useful to have a USB-Serial converter handy in case you need to
>    connect to multiple devices at once). Also need to make sure that your
>    terminal client works well and that you know how to configure it to
>    access all your serial ports.
> 2. Console cables for connecting to all of the various devices you are in
>    charge of.
> 3. Wireshark
> 4. SSH & telnet clients.
> 5. An up-to-date, fully functional TFTP server

rcpd and ftp; tftp doesn't really cut it anymore.

> 6. Rancid
> 7. A SQL database, with configuration infrastructure
> 8. ping, traceroute, whois
>
> Tony
Re: [c-nsp] Top 10 Network Engineering Tools
Tue, Jan 29, 2008 at 12:00:20AM +0000, Stephen Stuart:
> heas said:
>> 5. An up-to-date, fully functional TFTP server
>>
>> rcpd and ftp; tftp doesn't really cut it anymore.
>
> Not just any rcpd; you want jhawk's rcpd, whose README says:

that's right; it can be found (with a few additions) here:
ftp://ftp.shrubbery.net/pub/rcpd/rcpd-1.2.tar.gz
Re: [c-nsp] RFC 1918 on loopback?
Tue, Jan 15, 2008 at 08:56:44AM -0800, Tony Tauber:
> - Merger/acquisition/interconnection with another entity which uses them
>   and there's an overlap. ("That will never happen" are the words which
>   ... which FUD is made of.)

The dubious security argument and inter-AS debugging, such as traceroute,
should be sufficient to end this discussion. Need another? BGP RID?