From ignasr at vault13.lt Mon Feb 4 14:04:59 2013
From: ignasr at vault13.lt (ignasr at vault13.lt)
Date: Mon, 04 Feb 2013 16:04:59 +0200
Subject: [rancid] h3crancid doesn't filter passwords
Message-ID: <510FC00B.9070603@vault13.lt>

Hello,

I know H3C is not officially supported in rancid, but maybe someone took the time and already wrote password filtering routines for h3crancid?

If not, can I get some pointers on where in h3crancid that filtering should happen? I would use other scripts as examples and write something.

I used scripts from here: https://sites.google.com/site/jrbinks/code/rancid/h3c

Thank you,
IgnasR

From jethro.binks at strath.ac.uk Mon Feb 4 21:23:10 2013
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Mon, 4 Feb 2013 21:23:10 +0000 (GMT)
Subject: [rancid] h3crancid doesn't filter passwords
In-Reply-To: <510FC00B.9070603@vault13.lt>
References: <510FC00B.9070603@vault13.lt>
Message-ID:

On Mon, 4 Feb 2013, ignasr at vault13.lt wrote:

> I know H3C is not officially supported in rancid, but maybe someone took
> the time and already wrote password filtering routines for h3crancid?
>
> If not, can I get some pointers on where in h3crancid that filtering
> should happen? I would use other scripts as examples and write
> something.

I have a bunch of updates to make to h3crancid at some point. If you can give me samples of the lines where you want the passwords removing and the context, I can take a look at incorporating them.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

From auzzik at gmail.com Tue Feb 5 05:55:42 2013
From: auzzik at gmail.com (Auzzik)
Date: Tue, 05 Feb 2013 16:55:42 +1100
Subject: [rancid] Need help with fixing custom Rancid script (IBM flex switches)
Message-ID: <51109EDE.3020406@gmail.com>

Good day,

I am trying to backup configs from IBM flex switches.
They have different commands like: /info/l2/dump or /cfg/dump.

I made a copy of 'flogin' and 'francid' files: ibmlogin and ibmrancid.

I added a new line into /usr/bin/rancid-fe to specify a new device class 'ibm'.

The file has now:

%vendortable = (
    'agm' => 'agmrancid',
    'alteon' => 'arancid',
    'arista' => 'arrancid',
    'avocent' => 'avorancid',
    'baynet' => 'brancid',
    'cat5' => 'cat5rancid',
    'cisco' => 'rancid',
    'cisco-nx' => 'nxrancid',
    'cisco-xr' => 'xrrancid',
    'css' => 'cssrancid',
    'enterasys' => 'rivrancid',
    'erx' => 'jerancid',
    'extreme' => 'xrancid',
    'ezt3' => 'erancid',
    'f5' => 'f5rancid',
    'force10' => 'f10rancid',
    'fortigate' => 'fnrancid',
    'foundry' => 'francid',
    'hitachi' => 'htrancid',
    'hp' => 'hrancid',
    # ibm was added manually
    'ibm' => 'ibmrancid',
    'juniper' => 'jrancid',
    'mrtd' => 'mrancid',
    'mrv' => 'mrvrancid',
    'netopia' => 'trancid',
    'netscaler' => 'nsrancid',
    'netscreen' => 'nrancid',
    'procket' => 'prancid',
    'redback' => 'rrancid',
    'riverstone' => 'rivrancid',
    'smc' => 'srancid',
    'tnt' => 'tntrancid',
    'zebra' => 'zrancid'
);

I specified device names in .cloginrc:
add user sw* rancid
add password sw* {www.rancid.net}
add method sw* ssh
add autoenable sw* 1

I added device into router.db:
sw1.ibm:ibm:up

In ibmrancid I added:

sub WriteTerm {
....
        # custom added lines
        if (/^Press q to quit, any other key to continue/) {
            next;
        }
        if (/script end*/) {
            $found_end = 1;
            return(1);
        }
    }
    return(0);
}

So, when I do '/usr/libexec/rancid/ibmrancid -c "/cfg/dump" sw1.ibm' it works fine.
When I try to run 'rancid-run -r sw1.ibm' it fails.

To troubleshoot I tried to run:

/usr/libexec/rancid/ibmrancid -d sw1.ibm

executing /usr/libexec/rancid/ibmlogin -t 30 -c"/cfg/dump" sw1.ibm
PROMPT MATCH: >> sw1.aus - Main#
HIT COMMAND:>> sw1.aus - Main# /cfg/dump
In WriteTerm: >> sw1.aus - Main# /cfg/dump
sw1.ibm /usr/libexec/rancid/ibmlogin error: Error: TIMEOUT reached
sw1.ibm /usr/libexec/rancid/ibmlogin error: Error: TIMEOUT reached
sw1.ibm: End of run not found 0 || 1
sw1.ibm: End of run not found
results: found END string
sw1.ibm: End of run not found
script end /**** DO NOT EDIT THIS LINE!

Also, ibmrancid has the following commands to run:

@commandtable = (
#    {'/info/sys/general' => 'WriteTerm'},
#    {'/info/sys/chassis' => 'WriteTerm'},
#    {'/info/l2/vlan' => 'WriteTerm'},
#    {'/info/l2/failovr/trigger' => 'WriteTerm'},
#    {'/info/transcvr' => 'WriteTerm'},
    {'/cfg/dump' => 'WriteTerm'},
);

Please help me find out what's wrong. Looks like it tries to get run command but fails.

The output of /cfg/dump looks like (the end):

/c/sys/syslog
    console dis
/c/l2/lldp
    on
/c/sys/ntp
    on
/
script end /**** DO NOT EDIT THIS LINE!

Thanks.
Auzzik

From jethro.binks at strath.ac.uk Tue Feb 5 08:40:29 2013
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Tue, 5 Feb 2013 08:40:29 +0000 (GMT)
Subject: [rancid] h3crancid doesn't filter passwords
In-Reply-To: <5110BF50.30401@vault13.lt>
References: <510FC00B.9070603@vault13.lt> <5110BF50.30401@vault13.lt>
Message-ID:

On Tue, 5 Feb 2013, ignasr at vault13.lt wrote:

> > I have a bunch of updates to make to h3crancid at some point. If you can
> > give me samples of the lines where you want the passwords removing and the
> > context, I can take a look at incorporating them.
> >
> > Jethro.
>
> Thank you. It seems this was easier than I thought. Password ciphers can be
> filtered with
>
> ###
> --- h3crancid.o 2013-02-04 16:06:16.583056212 +0200 > +++ h3crancid 2013-02-04 21:38:27.514053756 +0200
> @@ -367,6 +367,12 @@ > next; > } > > + # Filter password ciphers > + if (/^( password cipher )\S+$/ && $filter_pwds >= 2) { > + ProcessHistory("","","","$1$'"); > + next; > + } > + > ProcessHistory("","","","$_"); > > # end of config
> ###
>
> And this is enough for me for the time being.

I just looked, and the current version I am running has this:

    # Filter out some sensitive data:
    if (/^( ?snmp-agent community (read|write)) (\S+)/) {
        if ($filter_commstr) {
            ProcessHistory("", "", "", "!$1 $'");
            next;
        } else {
            ProcessHistory("", "", "", "$_");
            next;
        }
    }

    if (
        /^( ?super password( level \d)? (cipher|simple)) (\S+)/ ||
        /^( set authentication password (cipher|simple)) (\S+)/ ||
        /^( password (cipher|simple)) (\S+)/ ) {
        if ($filter_pwds >= 1) {
            ProcessHistory("", "", "", "! $1 $'");
            next;
        } else {
            ProcessHistory("", "", "", "$_");
            next;    # otherwise the final ProcessHistory below writes the line a second time
        }
    }

    ProcessHistory("", "", "", "$_");

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

From jethro.binks at strath.ac.uk Tue Feb 5 09:08:09 2013
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Tue, 5 Feb 2013 09:08:09 +0000 (GMT)
Subject: [rancid] Need help with fixing custom Rancid script (IBM flex switches)
In-Reply-To: <51109EDE.3020406@gmail.com>
References: <51109EDE.3020406@gmail.com>
Message-ID:

On Tue, 5 Feb 2013, Auzzik wrote:

> Good day,
>
> I am trying to backup configs from IBM flex switches.
> They have different commands like: /info/l2/dump or /cfg/dump.

Did you try the Alteon WebOS alogin and arancid first? That uses those types of commands:

%commands=(
    '/info/sys' => "ShowVersion",
    '/cfg/dump' => "WriteTerm",
);

Jethro.

> I made a copy of 'flogin' and 'francid' files: ibmlogin and ibmrancid.
>
> I added a new line into /usr/bin/rancid-fe to specify a new device class
> 'ibm'.
>
> The file has now:
>
> %vendortable = (
> 'agm' => 'agmrancid',
> 'alteon' => 'arancid',
> 'arista' => 'arrancid',
> 'avocent' => 'avorancid',
> 'baynet' => 'brancid',
> 'cat5' => 'cat5rancid',
> 'cisco' => 'rancid',
> 'cisco-nx' => 'nxrancid',
> 'cisco-xr' => 'xrrancid',
> 'css' => 'cssrancid',
> 'enterasys' => 'rivrancid',
> 'erx' => 'jerancid',
> 'extreme' => 'xrancid',
> 'ezt3' => 'erancid',
> 'f5' => 'f5rancid',
> 'force10' => 'f10rancid',
> 'fortigate' => 'fnrancid',
> 'foundry' => 'francid',
> 'hitachi' => 'htrancid',
> 'hp' => 'hrancid',
> # ibm was added manually
> 'ibm' => 'ibmrancid',
> 'juniper' => 'jrancid',
> 'mrtd' => 'mrancid',
> 'mrv' => 'mrvrancid',
> 'netopia' => 'trancid',
> 'netscaler' => 'nsrancid',
> 'netscreen' => 'nrancid',
> 'procket' => 'prancid',
> 'redback' => 'rrancid',
> 'riverstone' => 'rivrancid',
> 'smc' => 'srancid',
> 'tnt' => 'tntrancid',
> 'zebra' => 'zrancid'
> );
>
> I specified device names in .cloginrc:
> add user sw* rancid
> add password sw* {www.rancid.net}
> add method sw* ssh
> add autoenable sw* 1
>
> I added device into router.db:
> sw1.ibm:ibm:up
>
> In ibmrancid I added:
>
> sub WriteTerm {
> ....
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

From ignasr at vault13.lt Tue Feb 5 08:14:08 2013
From: ignasr at vault13.lt (ignasr at vault13.lt)
Date: Tue, 05 Feb 2013 10:14:08 +0200
Subject: [rancid] h3crancid doesn't filter passwords
In-Reply-To:
References: <510FC00B.9070603@vault13.lt>
Message-ID: <5110BF50.30401@vault13.lt>

On 2013.02.04 23:23, Jethro R Binks wrote:
> On Mon, 4 Feb 2013, ignasr at vault13.lt wrote:
>
>> I know H3C is not officially supported in rancid, but maybe someone took
>> the time and already wrote password filtering routines for h3crancid?
>>
>> If not, can I get some pointers on where in h3crancid that filtering
>> should happen? I would use other scripts as examples and write
>> something.
>
> I have a bunch of updates to make to h3crancid at some point. If you can
> give me samples of the lines where you want the passwords removing and the
> context, I can take a look at incorporating them.
>
> Jethro.

Thank you. It seems this was easier than I thought. Password ciphers can be filtered with

###
--- h3crancid.o 2013-02-04 16:06:16.583056212 +0200 +++ h3crancid 2013-02-04 21:38:27.514053756 +0200 @@ -367,6 +367,12 @@ next; } + # Filter password ciphers + if (/^( password cipher )\S+$/ && $filter_pwds >= 2) { + ProcessHistory("","","","$1$'"); + next; + } + ProcessHistory("","","","$_"); # end of config
###

And this is enough for me for the time being.

Ignas Kazlauskas

From ignasr at vault13.lt Tue Feb 5 10:20:07 2013
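Review bot: the new `if` under `# Filter password ciphers` only matches `password cipher` lines that have exactly one leading space and nothing after the value, so a `password simple` line, a line with a different indent, or one with a trailing token still reaches `ProcessHistory("","","","$_")` unfiltered. Consider widening the pattern to `(cipher|simple)` and dropping the `$` anchor, and say in the comment why the test is `$filter_pwds >= 2` rather than `>= 1`, since that decides whether a site with ordinary password filtering enabled gets these lines removed at all.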
From: ignasr at vault13.lt (ignasr at vault13.lt)
Date: Tue, 05 Feb 2013 12:20:07 +0200
Subject: [rancid] h3crancid doesn't filter passwords
In-Reply-To:
References: <510FC00B.9070603@vault13.lt> <5110BF50.30401@vault13.lt>
Message-ID: <5110DCD7.4010901@vault13.lt>

On 2013.02.05 10:40, Jethro R Binks wrote:
> On Tue, 5 Feb 2013, ignasr at vault13.lt wrote:
>
>>> I have a bunch of updates to make to h3crancid at some point. If you can
>>> give me samples of the lines where you want the passwords removing and the
>>> context, I can take a look at incorporating them.
>>>
>>> Jethro.
>>
>> Thank you. It seems this was easier than I thought. Password ciphers can be
>> filtered with
>>
>> ###
>> --- h3crancid.o 2013-02-04 16:06:16.583056212 +0200 >> +++ h3crancid 2013-02-04 21:38:27.514053756 +0200 >> @@ -367,6 +367,12 @@ >> next; >> } >> >> + # Filter password ciphers >> + if (/^( password cipher )\S+$/ && $filter_pwds >= 2) { >> + ProcessHistory("","","","$1$'"); >> + next; >> + } >> + >> ProcessHistory("","","","$_"); >> >> # end of config
>> ###
>>
>> And this is enough for me for the time being.
>
> I just looked, and the current version I am running has this:
>
>     # Filter out some sensitive data:
>     if (/^( ?snmp-agent community (read|write)) (\S+)/) {
>         if ($filter_commstr) {
>             ProcessHistory("", "", "", "!$1 $'");
>             next;
>         } else {
>             ProcessHistory("", "", "", "$_");
>             next;
>         }
>     }
>
>     if (
>         /^( ?super password( level \d)? (cipher|simple)) (\S+)/ ||
>         /^( set authentication password (cipher|simple)) (\S+)/ ||
>         /^( password (cipher|simple)) (\S+)/ ) {
>         if ($filter_pwds >= 1) {
>             ProcessHistory("", "", "", "! $1 $'");
>             next;
>         } else {
>             ProcessHistory("", "", "", "$_");
>         }
>     }
>
>     ProcessHistory("", "", "", "$_");
>
>
> Jethro.

Thank you for the snippet. I was using h3crancid from https://sites.google.com/site/jrbinks/code/rancid/h3c which doesn't have this code.

IgnasR

From jethro.binks at strath.ac.uk Tue Feb 5 11:14:17 2013
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Tue, 5 Feb 2013 11:14:17 +0000 (GMT)
Subject: [rancid] h3crancid doesn't filter passwords
In-Reply-To: <5110DCD7.4010901@vault13.lt>
References: <510FC00B.9070603@vault13.lt> <5110BF50.30401@vault13.lt> <5110DCD7.4010901@vault13.lt>
Message-ID:

On Tue, 5 Feb 2013, ignasr at vault13.lt wrote:

> Thank you for the snippet. I was using h3crancid from
> https://sites.google.com/site/jrbinks/code/rancid/h3c which doesn't have
> this code.

Correct; I haven't updated it for a while.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

From auzzik at gmail.com Wed Feb 6 04:12:28 2013
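The filter discussed in the h3crancid thread above, as an added example that is not part of any message and is not h3crancid code: the patterns Jethro posted are applied to constructed config lines, then the result is scanned for credential values that were not commented out. The sub names filter_line and leaks, the "<removed>" marker and the sample lines are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not h3crancid itself.
use strict;
use warnings;

# Patterns from the thread. $1 is the keyword prefix that is kept, $2 the
# secret that is dropped, $3 whatever follows it (including the newline).
my $COMMUNITY = qr/^( ?snmp-agent community (?:read|write)) (\S+)(.*)$/s;
my @PASSWORDS = (
    qr/^( ?super password(?: level \d)? (?:cipher|simple)) (\S+)(.*)$/s,
    qr/^( set authentication password (?:cipher|simple)) (\S+)(.*)$/s,
    qr/^( password (?:cipher|simple)) (\S+)(.*)$/s,
);

# Returns the line to store. Every path returns exactly once, so a line is
# never written both filtered and unfiltered.
sub filter_line {
    my ($line, $filter_pwds, $filter_commstr) = @_;
    if ($line =~ $COMMUNITY) {
        return $filter_commstr ? "!$1 <removed>$3" : $line;
    }
    for my $re (@PASSWORDS) {
        next unless $line =~ $re;
        return $filter_pwds >= 1 ? "!$1 <removed>$3" : $line;
    }
    return $line;
}

# Lines that are not comments but still carry a value after a credential
# keyword: these got past the filter and would end up in the repository.
sub leaks {
    return grep {
        $_ !~ /^!/
            && (/\b(?:cipher|simple) \S+/ || /\bcommunity (?:read|write) \S+/)
    } @_;
}

# Constructed sample input; the values are placeholders, not real secrets.
my @config = (
    " snmp-agent community read EXAMPLE-COMMUNITY\n",
    " super password level 3 cipher EXAMPLE-CIPHERTEXT-1\n",
    "local-user example\n",
    " password simple EXAMPLE-CLEARTEXT\n",
    "  password cipher EXAMPLE-CIPHERTEXT-2\n",    # two-space indent
    " sysname example-switch\n",
);

my @filtered = map { filter_line($_, 1, 1) } @config;
print @filtered;

# The two-space line is reported: the patterns are anchored to one space.
my @leaked = leaks(@filtered);
print STDERR "NOT FILTERED: $_" for @leaked;
exit(@leaked ? 1 : 0);
```

Running a check like leaks() over the stored output is a quick way to find config contexts the anchored patterns do not cover before the files are committed.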
From: auzzik at gmail.com (Auzzik)
Date: Wed, 06 Feb 2013 15:12:28 +1100
Subject: [rancid] Need help with fixing custom Rancid script (IBM flex switches)
In-Reply-To:
References: <51109EDE.3020406@gmail.com>
Message-ID: <5111D82C.6050105@gmail.com>

Thanks a lot Jethro!

I have not heard about such company and their products before.
It worked fine, I just needed to modify scripts to log commands like '/info/sys/general', etc.

If someone needs I can share these modifications.

Auzzik

On 05/02/13 20:08, Jethro R Binks wrote:
> On Tue, 5 Feb 2013, Auzzik wrote:
>
>> Good day,
>>
>> I am trying to backup configs from IBM flex switches.
>> They have different commands like: /info/l2/dump or /cfg/dump.
> Did you try the Alteon WebOS alogin and arancid first? That uses those
> types of commands:
>
> %commands=(
> '/info/sys' => "ShowVersion",
> '/cfg/dump' => "WriteTerm",
> );
>
> Jethro.
>
>> I made a copy of 'flogin' and 'francid' files: ibmlogin and ibmrancid.
>>
>> I added a new line into /usr/bin/rancid-fe to specify a new device class
>> 'ibm'.
From jethro.binks at strath.ac.uk Wed Feb 6 12:20:45 2013
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Wed, 6 Feb 2013 12:20:45 +0000 (GMT)
Subject: [rancid] Need help with fixing custom Rancid script (IBM flex switches)
In-Reply-To: <5111D82C.6050105@gmail.com>
References: <51109EDE.3020406@gmail.com> <5111D82C.6050105@gmail.com>
Message-ID:

I don't know much about it either, seems to be something to do with Nortel? Anyway, I've seen this AOS crop up in a few places; the last time was on HP c-class blade enclosure ethernet switches rebadged from Blade Network Technologies, GbE2c and so on. I don't know the history behind the rancid module for such.

I'm sure the project will be happy to incorporate any modifications you make. The current one is clearly very basic!

Jethro.

On Wed, 6 Feb 2013, Auzzik wrote:

> Thanks a lot Jethro!
>
> I have not heard about such company and their products before.
> It worked fine, I just needed to modify scripts to log commands like
> '/info/sys/general', etc.
>
> If someone needs I can share these modifications.
>
> Auzzik
>
>
> On 05/02/13 20:08, Jethro R Binks wrote:
> > On Tue, 5 Feb 2013, Auzzik wrote:
> >
> > > Good day,
> > >
> > > I am trying to backup configs from IBM flex switches.
> > > They have different commands like: /info/l2/dump or /cfg/dump.
> > Did you try the Alteon WebOS alogin and arancid first? That uses those
> > types of commands:
> >
> > %commands=(
> > '/info/sys' => "ShowVersion",
> > '/cfg/dump' => "WriteTerm",
> > );
> >
> > Jethro.
> >
> > > I made a copy of 'flogin' and 'francid' files: ibmlogin and ibmrancid.
> > >
> > > I added a new line into /usr/bin/rancid-fe to specify a new device class
> > > 'ibm'.
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.

From techgrrl at gmail.com Thu Feb 7 22:25:25 2013
From: techgrrl at gmail.com (Elle Plato)
Date: Thu, 7 Feb 2013 14:25:25 -0800 (PST)
Subject: [rancid] Support for Aruba devices
In-Reply-To: <20090413141213.I26023@dust.noc.drexel.edu>
References: <49E37DDB.9070103@northwestern.edu> <20090413141213.I26023@dust.noc.drexel.edu>
Message-ID: <197fe99c-d7c0-41fb-9591-34134826cbca@googlegroups.com>

Andrew,

> I haven't done it, but one issue is that their encrypted strings change
> between each run of "show configuration" even when the configuration is
> unaltered.

I am hoping other people put pressure on Aruba to fix this, they change encrypted strings, the location of items with ACLs, blank lines and more.

I use perl with expect.pm, and have a script replace the keys with *****, and as long as I have the keys someplace else for hardware replacements, this works well to avoid the constantly changing diffs.

Today's fun is two devices, both running Version 6.1.3.6 and one prints extra blank lines in "show startup-config" and the other does not. I was hoping the rancid community would have seen this and had some insight, but if that is the case, my google foo does not find it. Is it really that hard to make the output of "show whatever" consistent?

I am not sure how hard it would be to write an arubalogin. I have screen scraping code in PERL with expect.pm and it is fairly easy to get running. I replace .cloginrc with a DevInfo.pm module that reads a config file. My scripts just use DevInfo, and then call a getMethod to get the username and password along with some device specific stuff like autoenable and sshver=1

($uname, $password, $ConnectionMethod, $DevSpecificArgs) = getMethod($host);

If anyone has any insight into the extra lines, I am tormented and would love to hear suggestions.

Sorry for the hijack, I just *really* wanted to +1 the issue of Aruba changing config bits.

Elle

From techgrrl at gmail.com Thu Feb 7 22:13:30 2013
From: techgrrl at gmail.com (Elle Plato)
Date: Thu, 7 Feb 2013 14:13:30 -0800 (PST)
Subject: [rancid] SSH process hangs using cron with Aruba devices
In-Reply-To:
References:
Message-ID: <4f3cc93c-b46a-4fac-9426-4dfca995a8e7@googlegroups.com>

> This works fine if I do it manually while SSH'ed into the Rancid server
> but if I run it through cron the ssh instances hang.

I don't run rancid, but I have some homegrown stuff I maintain that works in a similar fashion. In general I look for differences in the execution environment.

- Dump the environment to look for changes in the path, etc.
- If you are running as a different user, look for permissions issues.
- maybe you cannot find your .cloginrc or some executable you are shelling out to.
- Non-interactive shells behave differently than interactive shells in terms of sourcing dotfiles and more. You can force them to be treated as interactive, but if you have something expecting something on STDIN, you are going to be waiting for a long time.

Have you tried enabling debugging using debug and exp_internal? It can be real handy when expect is waiting on a pattern match, and you need to see exactly what it is waiting on.

Elle

From heas at shrubbery.net Fri Feb 8 06:30:49 2013
From: heas at shrubbery.net (heasley)
Date: Fri, 8 Feb 2013 06:30:49 +0000
Subject: [rancid] Support for Aruba devices
In-Reply-To: <197fe99c-d7c0-41fb-9591-34134826cbca@googlegroups.com>
References: <49E37DDB.9070103@northwestern.edu> <20090413141213.I26023@dust.noc.drexel.edu> <197fe99c-d7c0-41fb-9591-34134826cbca@googlegroups.com>
Message-ID: <20130208063049.GC58964@shrubbery.net>

Thu, Feb 07, 2013 at 02:25:25PM -0800, Elle Plato:
> Andrew,
>
> > I haven't done it, but one issue is that their encrypted strings change
> > between each run of "show configuration" even when the configuration is
> > unaltered.
>
> I am hoping other people put pressure on Aruba to fix this, they change
> encrypted strings, the location of items with ACLs, blank lines and more.
>
> I use perl with expect.pm, and have a script replace the
> keys with *****, and as long as I have the keys someplace else
> for hardware replacements, this works well to avoid the constantly changing
> diffs.
>
> Today's fun is two devices, both running Version 6.1.3.6 and one prints extra
> blank lines in "show startup-config" and the other does not. I was hoping the
> rancid community would have seen this and had some insight, but if that is
> the case, my google foo does not find it.

there is code in the cisco module to compress comment lines of running configs. you could use the same method to filter the extra blanks.

From brian.thompson at iovation.com Fri Feb 8 07:29:07 2013
From: brian.thompson at iovation.com (Brian Thompson)
Date: Thu, 7 Feb 2013 23:29:07 -0800
Subject: [rancid] unsubscribe
Message-ID:

*Brian Thompson*
Senior Infrastructure Engineer // Senior Second Guesser
Direct: 503.943.6779
Mobile: 503.707.9018 // Twitter: iovation
*www.iovation.com*

From GMourani at prival.ca Fri Feb 8 14:08:30 2013
From: GMourani at prival.ca (Gerhard Mourani)
Date: Fri, 8 Feb 2013 14:08:30 +0000
Subject: [rancid] Brocade MLX16 generate diff on up time change date
Message-ID: <312FF37225924E42A1D3D228EDBD119315D58DA0@PRIVALEX.PrivalODC.lan>

Hello List,

I've a particular small issue with Brocade/Foundry MLX16 devices. My crond job is configured to run Rancid every two hours and every two hours I receive messages alerting me that configs have changed on the MLX16 switches but the diff is related to Up Time change like this:

- !Switch Fabric Module 1 Up Time is 64 days 3 hours 10 minutes 28 seconds + !Switch Fabric Module 1 Up Time is 64 days 5 hours 10 minutes 47 seconds

This happens only on MLX16 models, the other Brocade/Foundry doesn't have this problem.

Gerhard,

From tobias.brunner at nine.ch Fri Feb 8 14:24:49 2013
From: tobias.brunner at nine.ch (Tobias Brunner)
Date: Fri, 08 Feb 2013 15:24:49 +0100
Subject: [rancid] Brocade MLX16 generate diff on up time change date
In-Reply-To: <312FF37225924E42A1D3D228EDBD119315D58DA0@PRIVALEX.PrivalODC.lan>
References: <312FF37225924E42A1D3D228EDBD119315D58DA0@PRIVALEX.PrivalODC.lan>
Message-ID: <3027774.KiP3JFJJCm@pctobru>

Hi,

> I've a particular small issue with Brocade/Foundry MLX16 devices. My crond
> job is configured to run Rancid every two hours and every two hours I
> receive messages alerting me that configs has changed on the MLX16 switches
> but the diff is related to Up Time change like this:
>
> - !Switch Fabric Module 1 Up Time is 64 days 3 hours 10 minutes 28 seconds > + !Switch Fabric Module 1 Up Time is 64 days 5 hours 10 minutes 47 seconds
>
> This happen only on MLX16 models, the other Brocade/Foundry doesn't have
> this problem.

We had exactly the same issue, see http://www.shrubbery.net/pipermail/rancid-discuss/2013-January/006632.html

And here are some more infos: http://tobrunet.ch/2013/01/backup-brocade-router-config-with-rancid/

Cheers,
Tobias

--
Nine Internet Solutions AG, Albisriederstr. 243a, CH-8047 Zuerich
Support +41 44 637 40 40 | Tel +41 44 637 40 00 | Direct +41 44 637 40 13
Skype nine.ch_support

From GMourani at prival.ca Fri Feb 8 15:34:00 2013
From: GMourani at prival.ca (Gerhard Mourani) Date: Fri, 8 Feb 2013 15:34:00 +0000 Subject: [rancid] Brocade MLX16 generate diff on up time change date In-Reply-To: <3027774.KiP3JFJJCm@pctobru> References: <312FF37225924E42A1D3D228EDBD119315D58DA0@PRIVALEX.PrivalODC.lan> <3027774.KiP3JFJJCm@pctobru> Message-ID: <312FF37225924E42A1D3D228EDBD119315D58EB6@PRIVALEX.PrivalODC.lan> Hi Tobias, Thanks a lot. I use latest version of Rancid 2.3.8 and the line to change doesn't look the same. Therefore I've modified as follow, and will test to let you know, thanks again. - next if (/^(System|(Active|Standby) Management|LP Slot \d+) uptime is/); + next if (/^(System|(Active|Standby) Management|LP Slot \d+|Switch Fabric Module \d+) (uptime|Up Time) is/); Gerhard, -----Original Message----- 
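Review bot: the new pattern is still anchored with ^ directly in front of the module name, while the lines reported in the diff earlier in this thread begin with "!" ("!Switch Fabric Module 1 Up Time is ..."); confirm that this "next if" is evaluated against the raw device output, before the "!" prefix is added, otherwise the added "Switch Fabric Module \d+" alternative never matches. The "(uptime|Up Time)" group also lets every existing prefix match either spelling, which looks harmless, and a one-line comment above the statement naming the MLX16 output it covers would help whoever edits this regex next.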
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Tobias Brunner
Sent: February-08-13 9:25 AM
To: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Brocade MLX16 generate diff on up time change date

Hi,

> I've a particular small issue with Brocade/Foundry MLX16 devices. My
> crond job is configured to run Rancid every two hours and every two
> hours I receive messages alerting me that configs has changed on the
> MLX16 switches but the diff is related to Up Time change like this:
>
> - !Switch Fabric Module 1 Up Time is 64 days 3 hours 10 minutes 28
> seconds
> + !Switch Fabric Module 1 Up Time is 64 days 5 hours 10 minutes 47
> + seconds
>
> This happen only on MLX16 models, the other Brocade/Foundry doesn't
> have this problem.

We had exactly the same issue, see
http://www.shrubbery.net/pipermail/rancid-discuss/2013-January/006632.html

And here are some more infos:
http://tobrunet.ch/2013/01/backup-brocade-router-config-with-rancid/

Cheers,
Tobias

--
Nine Internet Solutions AG, Albisriederstr. 243a, CH-8047 Zuerich
Support +41 44 637 40 40 | Tel +41 44 637 40 00 | Direct +41 44 637 40 13
Skype nine.ch_support

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From ramonbatwork at gmail.com Tue Feb 12 16:04:40 2013
From: ramonbatwork at gmail.com (Ramon)
Date: Tue, 12 Feb 2013 11:04:40 -0500
Subject: [rancid] Rollback functionality and potential pitfalls
Message-ID:

Hello all,

I am currently looking into a way to implement rollback functionality using rancid. What would it take to reverse bad changes and restore the config of a cisco device back to a previous saved version?

I ask because just pushing the original config on top of the modified version would not remove or flush out certain statements, possibly leaving duplicates that would have to be removed manually.

My first idea was to create a negative file, by generating a "no statement" for every line in the new config that does not match the old config. After pushing the negative file and removing the changes I would push the old config to restore any of the deleted statements.

Feedback on any foreseeable issues such as possible hierarchical problems (interfaces, acls, bgp) would be very welcome.

Thanks,
Ramon

From mlott at gie.com Tue Feb 12 20:27:59 2013
From: mlott at gie.com (Miles Lott)
Date: Tue, 12 Feb 2013 14:27:59 -0600
Subject: [rancid] Rollback functionality and potential pitfalls
In-Reply-To:
References:
Message-ID: <511AA5CF.2070801@gie.com>

Seems like it might be better to just overwrite running or startup configs using copy from tftp. Or maybe I am missing your point.

On 02/12/2013 10:04 AM, Ramon wrote:
> Hello all,
>
> I am currently looking in to a way to implement rollback functionality
> using rancid. What would it take to reverse bad changes and restore
> the config of a cisco device back to a previous saved version?
>
> I ask because just pushing the original config on top of the modified
> version would not remove or flush out certain statements, possibly
> leaving duplicates that would have to be removed manually.
>
> My first idea was to create a negative file, by generating a "no
> statement" for every line in the new config that does not match the
> old config. After pushing the negative file and removing the changes I
> would push the old config to restore any of the deleted statements.
>
> Feedback on any foreseeable issues such as possible hierarchical
> problems (interfaces, acls, bgp) would be very welcomed.
>
> Thanks,
> Ramon

From andrew.brennan+rancid at drexel.edu Tue Feb 12 20:42:36 2013
From: andrew.brennan+rancid at drexel.edu (andrew.brennan+rancid at drexel.edu)
Date: Tue, 12 Feb 2013 15:42:36 -0500 (EST)
Subject: [rancid] Rollback functionality and potential pitfalls
Message-ID:

One complication would be cases where a command's default state was one that isn't normally displayed in the configs. You could do the CVS diff between good/bad configs and then parse for +/- to remove/add any change that was shown. Then, parse the "no shutdown" so that you weren't doing something like "no no shutdown" (remove 'no' when present, add 'no' for other diff'd lines).

That *might* address the non-displayed default config lines, but I'm not sure I've thought through this completely yet. You'll still have issues where lines are eliminated from the RANCID store (passwds, etc.).

The other option would be to create a copy of the old/good config file and copy it directly to startup-config for the next reboot. You still have an issue with lines eliminated by RANCID, though.

andrew.

On Tue, 12 Feb 2013, Ramon wrote:

> Hello all,
>
> I am currently looking in to a way to implement rollback functionality using
> rancid. What would it take to reverse bad changes and restore the config of
> a cisco device back to a previous saved version?
>
> I ask because just pushing the original config on top of the modified
> version would not remove or flush out certain statements, possibly leaving
> duplicates that would have to be removed manually.
>
> My first idea was to create a negative file, by generating a "no statement"
> for every line in the new config that does not match the old config. After
> pushing the negative file and removing the changes I would push the old
> config to restore any of the deleted statements.
>
> Feedback on any foreseeable issues such as possible hierarchical problems
> (interfaces, acls, bgp) would be very welcomed.
>
> Thanks,
> Ramon
>
>

From skyeh at uidaho.edu Tue Feb 12 20:55:42 2013
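The "negative file" Ramon proposes and the +/- parsing andrew describes, as an added example that is not part of any message in this thread and not RANCID code. The function name, the sample diff and the `diff -U 1000` invocation are assumptions; it expects a unified diff (good config as the old side) with enough context to show each section's parent line, and it tracks one level of nesting only.

```shell
#!/bin/sh
# Added example (not RANCID code): derive rollback commands from a unified
# diff of a known-good config (old side) against the current one (new side),
# e.g. "diff -U 1000 good.cfg bad.cfg" (assumed invocation).
# One level of nesting is tracked; deeper blocks (BGP address-family and
# similar) would also need their intermediate line re-entered.

rollback_from_diff() {
    awk '
    # Flip a command: "no x" -> "x", "x" -> "no x", keeping its indentation.
    function negate(l,    ind, cmd) {
        match(l, /^ */)
        ind = substr(l, 1, RLENGTH); cmd = substr(l, RLENGTH + 1)
        return (cmd ~ /^no /) ? ind substr(cmd, 4) : ind "no " cmd
    }
    # Queue cmd on list k ("neg" or "add"); par is the section line to
    # re-enter first, or "" when cmd is itself a top-level command.
    function queue(k, par, cmd) {
        if (par != "" && last[k] != par) out[k] = out[k] par "\n"
        last[k] = (par == "") ? cmd : par
        out[k] = out[k] cmd "\n"
    }
    /^(---|\+\+\+|@@)/ { next }                   # diff headers
    {
        mark = substr($0, 1, 1); line = substr($0, 2)
        if (index("+- ", mark) == 0) next         # Index:, RCS file:, ...
        if (line ~ /^!/ || line ~ /^ *$/) next    # comments, blank lines
        if (line !~ /^ /) {                       # top-level line
            if (mark != "+") { good = line; recreate = (mark == "-") }
            if (mark != "-") { bad = line; doomed = (mark == "+") }
            if (mark == "+") queue("neg", "", negate(line))
            if (mark == "-") queue("add", "", line)
            next
        }
        if (mark == "+") {
            # A section present only in the bad config goes away with its
            # parent line, so its children are not negated one by one.
            if (!doomed) queue("neg", bad, negate(line))
        } else if (mark == "-" || recreate) {
            # Removed child, or unchanged child of a section that has to
            # be recreated under its old name.
            queue("add", good, line)
        }
    }
    # Negations first: "description A" followed by "no description B"
    # would otherwise leave the interface without any description.
    END { printf "%s%s", out["neg"], out["add"] }
    '
}

# Constructed sample diff (not taken from a real device).
sample_diff() {
    cat <<'EOF'
--- good.cfg
+++ bad.cfg
@@ -1,8 +1,11 @@
 hostname lab-r1
 !
 interface GigabitEthernet0/1
- description uplink A
+ description uplink B
+ shutdown
  ip address 192.0.2.1 255.255.255.0
+interface Loopback9
+ ip address 198.51.100.9 255.255.255.255
+no ip http server
-ip route 0.0.0.0 0.0.0.0 192.0.2.254
EOF
}

sample_diff | rollback_from_diff
```

Lines that RANCID filtered out of the stored config (passwords and the like) never appear in such a diff, so they cannot be restored this way.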
From: skyeh at uidaho.edu (Skye Hagen)
Date: Tue, 12 Feb 2013 12:55:42 -0800
Subject: [rancid] Rollback functionality and potential pitfalls
In-Reply-To:
Message-ID:

You may want to look into the Cisco IOS 'configure replace' command. This will replace the running configuration with another configuration. It is NOT a merge operation like 'copy ... Running-config'. It can work using tftp, ftp, scp, etc.

Configure replace will work with whole configurations only. If you are removing passwords in RANCID, you would need to replace them beforehand, otherwise they will be missing when you replace the config.

Skye.

On 2/12/13 12:42 PM, "andrew.brennan+rancid at drexel.edu" wrote:

> One complication would be cases where a command's default state was one that
> isn't normally displayed in the configs. You could do the CVS diff between
> good/bad configs and then parse for +/- to remove/add any change that was
> shown. Then, parse the "no shutdown" so that you weren't doing something like
> "no no shutdown" (remove 'no' when present, add 'no' for other diff'd lines).
>
> That *might* address the non-displayed default config lines, but I'm not sure
> I've thought through this completely yet. You'll still have issues where
> lines
> are eliminated from the RANCID store (passwds, etc.).
>
> The other option would be to create a copy of the old/good config file and
> copy
> it directly to startup-config for the next reboot. You still have an issue
> with lines eliminated by RANCID, though.
>
> andrew.
>
> On Tue, 12 Feb 2013, Ramon wrote:
>
>> Hello all,
>>
>> I am currently looking in to a way to implement rollback functionality using
>> rancid. What would it take to reverse bad changes and restore the config of
>> a cisco device back to a previous saved version?
>>
>> I ask because just pushing the original config on top of the modified
>> version would not remove or flush out certain statements, possibly leaving
>> duplicates that would have to be removed manually.
>>
>> My first idea was to create a negative file, by generating a "no statement"
>> for every line in the new config that does not match the old config. After
>> pushing the negative file and removing the changes I would push the old
>> config to restore any of the deleted statements.
>>
>> Feedback on any foreseeable issues such as possible hierarchical problems
>> (interfaces, acls, bgp) would be very welcomed.
>>
>> Thanks,
>> Ramon
>>
>>

From heas at shrubbery.net Tue Feb 12 21:37:38 2013
From: heas at shrubbery.net (heasley)
Date: Tue, 12 Feb 2013 21:37:38 +0000
Subject: [rancid] Rollback functionality and potential pitfalls
In-Reply-To:
References:
Message-ID: <20130212213738.GM73394@shrubbery.net>

Tue, Feb 12, 2013 at 03:42:36PM -0500, andrew.brennan+rancid at drexel.edu:
> One complication would be cases where a command's default state was one that
> isn't normally displayed in the configs. You could do the CVS diff between

many commands/blocks now have a default command (default interface ...). I don't know how well it works (I expect poorly), but if you can tolerate service interrupts that it will cause, that will at least provide a clean slate on which to apply the portion from the saved config.

From shouldbeq931 at gmail.com Tue Feb 12 22:49:44 2013
From: shouldbeq931 at gmail.com (shouldbe q931)
Date: Tue, 12 Feb 2013 22:49:44 +0000
Subject: [rancid] Rollback functionality and potential pitfalls
In-Reply-To:
References:
Message-ID:

On Tue, Feb 12, 2013 at 4:04 PM, Ramon wrote:

> Hello all,
>
> I am currently looking in to a way to implement rollback functionality
> using rancid. What would it take to reverse bad changes and restore the
> config of a cisco device back to a previous saved version?
>
> I ask because just pushing the original config on top of the modified
> version would not remove or flush out certain statements, possibly leaving
> duplicates that would have to be removed manually.
>
> My first idea was to create a negative file, by generating a "no
> statement" for every line in the new config that does not match the old
> config. After pushing the negative file and removing the changes I would
> push the old config to restore any of the deleted statements.
>
> Feedback on any foreseeable issues such as possible hierarchical problems
> (interfaces, acls, bgp) would be very welcomed.
>
> Thanks,
> Ramon
>

A few problems that I thought of

If you're doing a "conf t" and then sending the updates, you need to be able to parse and escape "special" characters, such as the ? in line three below

1 ip ddns update method dyn.he.net
2 HTTP
3 add http://dynamicrouter.domain.com:hjo97864hhj06hA at ipv4.dyn.dns.he.net/nic/update?hostname= &myip=

The thought of escaping characters led me onto motd lines...

banner motd ^C
This is not the router you are looking for
^C

And finally, the order of NAT rules on an ASA can be critical, this would mean either removing all of them (affecting all traffic) and then adding all of them, or being able to parse all of the NAT rule lines to add the sequence to the rollback, such as

no nat 14
nat (inside,outside) 14 source static i-server i-server.domain.com service tcp-in-https tcp-in-https

I'm sure there are lots of other similar cases

If you can cope with a reload, then would go with either a tftp boot, or erase startup, tftp copy to startup and then reload.

As well as rancid, I also like to archive to a FTP server, so when TFTP isn't an option (such as a remote site router), I can simply go

erase start
copy ftp://user:pass at host/path/file startup

And then reload

For a client that bought CSM, I manage their ASA firewalls with CSM, after a particularly bad experience with the built in CSM rollback, I now do the changes and deploy normally rather than a rollback deploy if changes need to be "reverted".

Cheers

From pmagee at williamhill.co.uk Wed Feb 13 12:20:50 2013
From: pmagee at williamhill.co.uk (Paul Magee)
Date: Wed, 13 Feb 2013 12:20:50 -0000
Subject: [rancid] Rollback functionality and potential pitfalls
Message-ID:

+1 I'd also take this approach

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Miles Lott
Sent: 12 February 2013 20:28
To: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Rollback functionality and potential pitfalls

Seems like it might be better to just overwrite running or startup configs using copy from tftp. Or maybe I am missing your point.

On 02/12/2013 10:04 AM, Ramon wrote:
> Hello all,
>
> I am currently looking in to a way to implement rollback functionality
> using rancid. What would it take to reverse bad changes and restore
> the config of a cisco device back to a previous saved version?
>
> I ask because just pushing the original config on top of the modified
> version would not remove or flush out certain statements, possibly
> leaving duplicates that would have to be removed manually.
>
> My first idea was to create a negative file, by generating a "no
> statement" for every line in the new config that does not match the
> old config. After pushing the negative file and removing the changes I
> would push the old config to restore any of the deleted statements.
>
> Feedback on any foreseeable issues such as possible hierarchical
> problems (interfaces, acls, bgp) would be very welcomed.
>
> Thanks,
> Ramon
From ramonbatwork at gmail.com Wed Feb 13 15:20:22 2013
From: ramonbatwork at gmail.com (Ramon)
Date: Wed, 13 Feb 2013 10:20:22 -0500
Subject: [rancid] Rollback functionality and potential pitfalls
In-Reply-To:
References:
Message-ID:

shouldbe, thanks.... that is exactly what I was looking for. Characters "?" , "$" and "^C" all produce unwanted expansion. The "?" throws a WORD in the example you cite, breaking the config script. The "$" in a secret or password string breaks out the clogin process because it tries to read it as a variable:

can't read "1": no such variable
while executing
"subst -nocommands [lindex $commands $i]"
(procedure "run_commands" line 26)
invoked from within
"run_commands $prompt $command"
("foreach" body line 186)
invoked from within
"foreach router [lrange $argv $i end] {
set router [string tolower $router]
# attempt at platform switching.
set platform ""
send_user ..."
(file "/usr/local/rancid/bin/clogin" line 740)

And the "^C" on the motd enters interactive mode and eventually times out:

#banner login ^C
Enter TEXT message. End with the character '^'.

Error: TIMEOUT reached

I took the ASA out of the scope yesterday when I noticed what a mess that would be. So right now I am only trying to make this work for Cisco routers and switches (2911's and 2950's specifically). Router reload is completely out of the question, and configure replace has proved to be risky at times (when the command is scripted you have to use force, and it has trimmed correct vlans and left old ones in place).

I'm going to dig thru clogin code to see if I can come up with a workaround for the parsing problems mentioned above, any help appreciated!

Ramon

On Tue, Feb 12, 2013 at 5:49 PM, shouldbe q931 wrote:

>
>
>
> On Tue, Feb 12, 2013 at 4:04 PM, Ramon wrote:
>
>> Hello all,
>>
>> I am currently looking in to a way to implement rollback functionality
>> using rancid. What would it take to reverse bad changes and restore the
>> config of a cisco device back to a previous saved version?
>>
>> I ask because just pushing the original config on top of the modified
>> version would not remove or flush out certain statements, possibly leaving
>> duplicates that would have to be removed manually.
>>
>> My first idea was to create a negative file, by generating a "no
>> statement" for every line in the new config that does not match the old
>> config. After pushing the negative file and removing the changes I would
>> push the old config to restore any of the deleted statements.
>>
>> Feedback on any foreseeable issues such as possible hierarchical problems
>> (interfaces, acls, bgp) would be very welcomed.
>>
>> Thanks,
>> Ramon
>>
>
> A few problems that I thought of
>
> If you're doing a "conf t" and then sending the updates, you need to be
> able to parse and escape "special" characters, such as the ? in line three
> below
>
> 1 ip ddns update method dyn.he.net
> 2 HTTP
> 3 add
> http://dynamicrouter.domain.com:hjo97864hhj06hA at ipv4.dyn.dns.he.net/nic/update?hostname=
> &myip=
>
> The thought of escaping characters lead me onto motd lines...
>
> banner motd ^C
> This is not the router you are looking for
> ^C
>
> And finally, the order of NAT rules on an ASA can be critical, this would
> mean either removing all of them (affecting all traffic) and then adding
> all of them, or being able to parse all of the NAT rule lines to add the
> sequence to the rollback, such as
>
> no nat 14
> nat (inside,outside) 14 source static i-server i-server.domain.com service tcp-in-https tcp-in-https
>
> I'm sure there are lots of other similar cases
>
> If you can cope with a reload, then would go with either a tftp boot, or
> erase startup, tftp copy to startup and then reload.
>
> As well as rancid, I also like to archive to a FTP server, so when TFTP
> isn't an option (such as a remote site router, I can simply go
>
> erase start
> copy ftp://user:pass at host/path/file startup
>
> And then reload
>
> For a client that bought CSM, I manage their ASA firewalls with CSM, after
> a particularly bad experience with the built in CSM rollback, I now do the
> changes and deploy normally rather than a rollback deploy if changes need
> to be "reverted".
>
> Cheers
>

From ramonbatwork at gmail.com Wed Feb 13 17:33:50 2013
From: ramonbatwork at gmail.com (Ramon)
Date: Wed, 13 Feb 2013 12:33:50 -0500
Subject: [rancid] Rollback functionality and potential pitfalls
In-Reply-To:
References:
Message-ID:

So far I have been able to bypass the "$" expansion with sed, by adding a "\" in front of every occurrence.

The question mark "?" is possible to be bypassed by using "Ctrl-V". However I could not find a way to add that control sequence (like we can do with "\n" or "\r" ) to a script line nor make clogin inject that before an instance of "?".

The banner login and motd I could only make it work with clogin if I use just one line for the text immediately followed by the delimiter character. Any newlines will make the clogin script hang, which I suspect is because expect is waiting for some shell return string or character.

Since most banners are several lines, right now I am having to trim the banner statements out completely to avoid the problem. Anyone could give me some direction as to how I could make clogin play ball both with Ctrl-V and with banner text newlines?

Thanks,
Ramon

On Wed, Feb 13, 2013 at 10:20 AM, Ramon wrote:

> shouldbe, thanks.... that is exactly what I was looking for. Characters
> "?" , "$" and "^C" all produce unwanted expansion. The "?" throws a WORD in
> the example you cite, breaking the config script. The "$" in a secret or
> password string breaks out the clogin process with because it tries to read
> it as a variable:
>
> can't read "1": no such variable
> while executing
> "subst -nocommands [lindex $commands $i]"
> (procedure "run_commands" line 26)
> invoked from within
> "run_commands $prompt $command"
> ("foreach" body line 186)
> invoked from within
> "foreach router [lrange $argv $i end] {
> set router [string tolower $router]
> # attempt at platform switching.
> set platform ""
> send_user ..."
> (file "/usr/local/rancid/bin/clogin" line 740)
>
> And the "^C" on the motd enters interactive mode and eventually times out:
>
> #banner login ^C
> Enter TEXT message. End with the character '^'.
>
> Error: TIMEOUT reached
>
>
> I took the ASA out of the scope yesterday when I noticed what a mess that
> would be. So right now I am only trying to make this work for Cisco routers
> and switches (2911's and 2950's specifically). Router reload in completely
> out of question, and configure replace has proved to be risky at times
> (when the command is scripted you have to use force, and it has trimmed
> correct vlans and left old ones in place).
>
> I'm going to dig thru clogin code to see if I can come up with a
> workaround for the parsing problems mentioned above, any help appreciated!
>
> Ramon
>
>
>
>
>
> On Tue, Feb 12, 2013 at 5:49 PM, shouldbe q931 wrote:
>
>>
>>
>>
>> On Tue, Feb 12, 2013 at 4:04 PM, Ramon wrote:
>>
>>> Hello all,
>>>
>>> I am currently looking in to a way to implement rollback functionality
>>> using rancid. What would it take to reverse bad changes and restore the
>>> config of a cisco device back to a previous saved version?
>>>
>>> I ask because just pushing the original config on top of the modified
>>> version would not remove or flush out certain statements, possibly leaving
>>> duplicates that would have to be removed manually.
>>>
>>> My first idea was to create a negative file, by generating a "no
>>> statement" for every line in the new config that does not match the old
>>> config. After pushing the negative file and removing the changes I would
>>> push the old config to restore any of the deleted statements.
>>>
>>> Feedback on any foreseeable issues such as possible hierarchical
>>> problems (interfaces, acls, bgp) would be very welcomed.
>>>
>>> Thanks,
>>> Ramon
>>>
>>
>> A few problems that I thought of
>>
>> If you're doing a "conf t" and then sending the updates, you need to be
>> able to parse and escape "special" characters, such as the ? in line three
>> below
>>
>> 1 ip ddns update method dyn.he.net
>> 2 HTTP
>> 3 add
>> http://dynamicrouter.domain.com:hjo97864hhj06hA at ipv4.dyn.dns.he.net/nic/update?hostname=
>> &myip=
>>
>> The thought of escaping characters lead me onto motd lines...
>>
>> banner motd ^C
>> This is not the router you are looking for
>> ^C
>>
>> And finally, the order of NAT rules on an ASA can be critical, this would
>> mean either removing all of them (affecting all traffic) and then adding
>> all of them, or being able to parse all of the NAT rule lines to add the
>> sequence to the rollback, such as
>>
>> no nat 14
>> nat (inside,outside) 14 source static i-server i-server.domain.com service tcp-in-https tcp-in-https
>>
>> I'm sure there are lots of other similar cases
>>
>> If you can cope with a reload, then would go with either a tftp boot, or
>> erase startup, tftp copy to startup and then reload.
>>
>> As well as rancid, I also like to archive to a FTP server, so when TFTP
>> isn't an option (such as a remote site router, I can simply go
>>
>> erase start
>> copy ftp://user:pass at host/path/file startup
>>
>> And then reload
>>
>> For a client that bought CSM, I manage their ASA firewalls with CSM,
>> after a particularly bad experience with the built in CSM rollback, I now
>> do the changes and deploy normally rather than a rollback deploy if changes
>> need to be "reverted".
>>
>> Cheers
>>
>
>

From heas at shrubbery.net Wed Feb 13 21:43:30 2013
From: heas at shrubbery.net (heasley)
Date: Wed, 13 Feb 2013 21:43:30 +0000
Subject: [rancid] Rollback functionality and potential pitfalls
In-Reply-To:
References:
Message-ID: <20130213214330.GL98159@shrubbery.net>

Wed, Feb 13, 2013 at 12:33:50PM -0500, Ramon:
> So far I have been able to to bypass the "$" expansion with sed, by adding
> a "\" in front of every occurrence.
>
> The question mark "?" is possible to be bypassed by using "Ctrl-V". However
> I could not find a way for to add that control sequence (like we can do
> with "\n" or "\r" ) to a script line nor make clogin inject that before an
> instance of "?".
>
> The banner login and motd I could only make it work with clogin if I use
> just one line for the text immediately followed by the delimiter character.
> Any newlines will make the clogin script hang, which I suspect is because
> expect is waiting for some shell return string or character.
>
> Since most banners are several lines, right now I am having to trim the
> banner statements out completely to avoid the problem. Anyone could give me
> some direction as to how I could make clogin play ball both with Ctrl-V and
> with banner text newlines?

use any char not in the banner. eg: =

> Thanks,
> Ramon
>
>
> On Wed, Feb 13, 2013 at 10:20 AM, Ramon wrote:
>
> > shouldbe, thanks.... that is exactly what I was looking for. Characters
> > "?" , "$" and "^C" all produce unwanted expansion. The "?" throws a WORD in
> > the example you cite, breaking the config script. The "$" in a secret or
> > password string breaks out the clogin process with because it tries to read
> > it as a variable:
> >
> > can't read "1": no such variable
> > while executing
> > "subst -nocommands [lindex $commands $i]"
> > (procedure "run_commands" line 26)
> > invoked from within
> > "run_commands $prompt $command"
> > ("foreach" body line 186)
> > invoked from within
> > "foreach router [lrange $argv $i end] {
> > set router [string tolower $router]
> > # attempt at platform switching.
> > set platform ""
> > send_user ..."
> > (file "/usr/local/rancid/bin/clogin" line 740)
> >
> > And the "^C" on the motd enters interactive mode and eventually times out:
> >
> > #banner login ^C
> > Enter TEXT message. End with the character '^'.
> >
> > Error: TIMEOUT reached
> >
> >
> > I took the ASA out of the scope yesterday when I noticed what a mess that
> > would be. So right now I am only trying to make this work for Cisco routers
> > and switches (2911's and 2950's specifically). Router reload in completely
> > out of question, and configure replace has proved to be risky at times
> > (when the command is scripted you have to use force, and it has trimmed
> > correct vlans and left old ones in place).
> >
> > I'm going to dig thru clogin code to see if I can come up with a
> > workaround for the parsing problems mentioned above, any help appreciated!
> >
> > Ramon
> >
> >
> >
> >
> >
> > On Tue, Feb 12, 2013 at 5:49 PM, shouldbe q931 wrote:
> >
> >>
> >>
> >>
> >> On Tue, Feb 12, 2013 at 4:04 PM, Ramon wrote:
> >>
> >>> Hello all,
> >>>
> >>> I am currently looking in to a way to implement rollback functionality
> >>> using rancid. What would it take to reverse bad changes and restore the
> >>> config of a cisco device back to a previous saved version?
> >>>
> >>> I ask because just pushing the original config on top of the modified
> >>> version would not remove or flush out certain statements, possibly leaving
> >>> duplicates that would have to be removed manually.
> >>>
> >>> My first idea was to create a negative file, by generating a "no
> >>> statement" for every line in the new config that does not match the old
> >>> config. After pushing the negative file and removing the changes I would
> >>> push the old config to restore any of the deleted statements.
> >>>
> >>> Feedback on any foreseeable issues such as possible hierarchical
> >>> problems (interfaces, acls, bgp) would be very welcomed.
> >>>
> >>> Thanks,
> >>> Ramon
> >>>
> >>
> >> A few problems that I thought of
> >>
> >> If you're doing a "conf t" and then sending the updates, you need to be
> >> able to parse and escape "special" characters, such as the ? in line three
> >> below
> >>
> >> 1 ip ddns update method dyn.he.net
> >> 2 HTTP
> >> 3 add
> >> http://dynamicrouter.domain.com:hjo97864hhj06hA at ipv4.dyn.dns.he.net/nic/update?hostname=
> >> &myip=
> >>
> >> The thought of escaping characters lead me onto motd lines...
> >>
> >> banner motd ^C
> >> This is not the router you are looking for
> >> ^C
> >>
> >> And finally, the order of NAT rules on an ASA can be critical, this would
> >> mean either removing all of them (affecting all traffic) and then adding
> >> all of them, or being able to parse all of the NAT rule lines to add the
> >> sequence to the rollback, such as
> >>
> >> no nat 14
> >> nat (inside,outside) 14 source static i-server i-server.domain.com service tcp-in-https tcp-in-https
> >>
> >> I'm sure there are lots of other similar cases
> >>
> >> If you can cope with a reload, then would go with either a tftp boot, or
> >> erase startup, tftp copy to startup and then reload.
> >>
> >> As well as rancid, I also like to archive to a FTP server, so when TFTP
> >> isn't an option (such as a remote site router, I can simply go
> >>
> >> erase start
> >> copy ftp://user:pass at host/path/file startup
> >>
> >> And then reload
> >>
> >> For a client that bought CSM, I manage their ASA firewalls with CSM,
> >> after a particularly bad experience with the built in CSM rollback, I now
> >> do the changes and deploy normally rather than a rollback deploy if changes
> >> need to be "reverted".
> >>
> >> Cheers
> >>
> >
> >

From shouldbeq931 at gmail.com Thu Feb 14 01:39:41 2013
From: shouldbeq931 at gmail.com (shouldbe q931)
Date: Thu, 14 Feb 2013 01:39:41 +0000
Subject: [rancid] Rollback functionality and potential pitfalls
In-Reply-To: <20130213214330.GL98159@shrubbery.net>
References: <20130213214330.GL98159@shrubbery.net>
Message-ID:

On Wed, Feb 13, 2013 at 9:43 PM, heasley wrote:
>
> use any char not in the banner. eg: =

However _any_ character _could_ be in the banner, ASCII art in logon banners
http://3.bp.blogspot.com/-ElfhjuMPYwI/UE58pIwnT5I/AAAAAAAAAKw/Lux6mgM-DKw/s1600/banner+motd+2.PNG

As the banner is not important for routing (or switching) packets, I'd probably go with removing it from the rollback, or adding a "hardcoded" banner that said that the router config had been rolled back, possibly including pertinent information such as the date and time that the rollback had been done etc.

From shouldbeq931 at gmail.com Wed Feb 13 14:08:37 2013
From: shouldbeq931 at gmail.com (shouldbe q931) Date: Wed, 13 Feb 2013 14:08:37 +0000 Subject: [rancid] Rollback functionality and potential pitfalls In-Reply-To: References: Message-ID: On Tue, Feb 12, 2013 at 8:55 PM, Skye Hagen wrote: > You may want to look into the Cisco IOS 'configure replace' command. This > will replace the running configuration with another configuration. It is > NOT > a merge operation like 'copy ... Running-config'. It can work using tftp, > ftp, scp, etc. > > Configure replace will work with whole configurations only. If you are > removing passwords in RANCID, you would need to replace them beforehand, > otherwise they will be missing when you replace the config. > > Skye. > Thank you for making me feel like an idiot for not knowing about configure replace :-) Cheers -------------- next part -------------- An HTML attachment was scrubbed... URL: From tosimpson at forchtgroup.com Thu Feb 14 14:18:25 2013 
From: tosimpson at forchtgroup.com (Tom Simpson) Date: Thu, 14 Feb 2013 09:18:25 -0500 Subject: [rancid] Help with suppressing part of the show run output Message-ID: <51ED20F87B8EC049A125651522F36ED902019F09D7@SRVEXCHMB.1stcorbin.local> How do I go about suppressing part of the show run output from Cisco devices? The first two lines every time. We have added a command recently to the config on several switches that when you use any show command, it adds the output from "show ip os summary" to the first of the output. Since this changes every time you run any command it shows up as a diff in RANCID every time. I am assuming that this would be a regex, but I don't know where to begin adding it inside the rancid script, what would be the best section to put this in? Should it be possible to strip the first few lines off of the configuration output? Or would ignoring these lines be easier? The config line that we added is: exec prompt timestamp and it gets added to the vty config section A couple of examples of the output that is added to the show run or any other show command is the following: Load for five secs: 5%/0%; one minute: 6%; five minutes: 5% Time source is NTP, 09:02:17.501 EDT Thu Feb 14 2013 Load for five secs: 5%/0%; one minute: 5%; five minutes: 5% Time source is NTP, 09:06:14.333 EDT Thu Feb 14 2013 Since this happens after the command is input it can't be added as part of the prompt; so I guess I am stuck with either stripping it out of the config prior to parsing it, or just simply have rancid ignore it when it does run the diff... Thanks, Tom Simpson LAN/WAN Engineer Forcht Group of Kentucky 859.259.9700 x538 "We all knew there was just one way to improve our odds for survival: train, train, train. Sometimes, if your training is properly intense it will kill you. More often -- much, much more often -- it will save your life." 
- Richard Marcinko, former US Navy SEAL Team Commander CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Forcht Group IT, 2400 South Main Street, Corbin, Ky. From GMourani at prival.ca Thu Feb 14 14:24:33 2013 From: GMourani at prival.ca (Gerhard Mourani) Date: Thu, 14 Feb 2013 14:24:33 +0000 Subject: [rancid] Brocade MLX16 generate diff on up time change date In-Reply-To: <312FF37225924E42A1D3D228EDBD119315D58EB6@PRIVALEX.PrivalODC.lan> References: <312FF37225924E42A1D3D228EDBD119315D58DA0@PRIVALEX.PrivalODC.lan> <3027774.KiP3JFJJCm@pctobru> <312FF37225924E42A1D3D228EDBD119315D58EB6@PRIVALEX.PrivalODC.lan> Message-ID: <312FF37225924E42A1D3D228EDBD119315D7D064@PRIVALEX.PrivalODC.lan> Hello, Just to let you know that the applied patch (modification) worked for the MLX models. Gerhard, -----Original Message----- 
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Gerhard Mourani Sent: February-08-13 10:34 AM To: Tobias Brunner; rancid-discuss at shrubbery.net Subject: Re: [rancid] Brocade MLX16 generate diff on up time change date Hi Tobias, Thanks a lot. I use latest version of Rancid 2.3.8 and the line to change doesn't look the same. Therefore I've modified as follow, and will test to let you know, thanks again. - next if (/^(System|(Active|Standby) Management|LP Slot \d+) uptime is/); + next if (/^(System|(Active|Standby) Management|LP Slot + \d+|Switch Fabric Module \d+) (uptime|Up Time) is/); Gerhard, -----Original Message----- 
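Review bot: the replacement pattern on the + side is split across two lines ("LP Slot" on the first, "+ \d+|Switch Fabric Module \d+) (uptime|Up Time) is/);" on the second), which looks like mail wrapping. Applied as posted it is not a single "next if" statement, so rejoin it with exactly one space between "LP Slot" and "\d+" before patching. None of the groups are read afterwards, so "(?:...)" would state the intent more clearly than capturing parentheses. Keep the "^" anchor and the literal " is" tail, since this statement discards lines from the saved config and should stay as narrow as the removed one.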
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Tobias Brunner Sent: February-08-13 9:25 AM To: rancid-discuss at shrubbery.net Subject: Re: [rancid] Brocade MLX16 generate diff on up time change date Hi, > I've a particular small issue with Brocade/Foundry MLX16 devices. My > crond job is configured to run Rancid every two hours and every two > hours I receive messages alerting me that configs has changed on the > MLX16 switches but the diff is related to Up Time change like this: > > - !Switch Fabric Module 1 Up Time is 64 days 3 hours 10 minutes 28 > seconds > + !Switch Fabric Module 1 Up Time is 64 days 5 hours 10 minutes 47 > + seconds > > This happen only on MLX16 models, the other Brocade/Foundry doesn't > have this problem. We had exactly the same issue, see http://www.shrubbery.net/pipermail/rancid-discuss/2013-January/006632.html And here are some more infos: http://tobrunet.ch/2013/01/backup-brocade-router-config-with-rancid/ Cheers, Tobias -- Nine Internet Solutions AG, Albisriederstr. 243a, CH-8047 Zuerich Support +41 44 637 40 40 | Tel +41 44 637 40 00 | Direct +41 44 637 40 13 Skype nine.ch_support _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss _______________________________________________ Rancid-discuss mailing list Rancid-discuss at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From ramonbatwork at gmail.com Thu Feb 14 14:38:13 2013 
From: ramonbatwork at gmail.com (Ramon) Date: Thu, 14 Feb 2013 09:38:13 -0500 Subject: [rancid] Rollback functionality and potential pitfalls In-Reply-To: References: Message-ID: heasley; that is a good idea and I have definitely have tried that... the problem I am having however with the banner at this point is with clogin or "expect" perhaps: newlines (line breaks) after each line in the banner statement dont return any meaningful character such as ">", "#" to the clogin script, so it just halts. I dont think it is a bug, but it would be very good to be able use the -x option with clogin and push a complete config files (including banner). Perhaps the solution is for clogin to push lines after a banner statement differently "knowing" that until it reaches the delimiter character it can continue to paste lines without expecting the hash. shouldb, excellent idea to write the date and message about rollback. That is a easy and useful one-liner (the limit a this point) I also got very interested when I found about configure replace... my success rate using on production so far was 1 out of 3. Yesterday I saw another (undocumented new) failure: "Error: could not write to output buffer incremental-temp.cfg" On Wed, Feb 13, 2013 at 9:08 AM, shouldbe q931 wrote: > On Tue, Feb 12, 2013 at 8:55 PM, Skye Hagen wrote: > >> You may want to look into the Cisco IOS 'configure replace' command. This >> will replace the running configuration with another configuration. It is >> NOT >> a merge operation like 'copy ... Running-config'. It can work using tftp, >> ftp, scp, etc. >> >> Configure replace will work with whole configurations only. If you are >> removing passwords in RANCID, you would need to replace them beforehand, >> otherwise they will be missing when you replace the config. >> >> Skye. 
>> > > Thank you for making me feel like an idiot for not knowing about configure > replace :-) > > Cheers From heas at shrubbery.net Thu Feb 14 19:00:20 2013
From: heas at shrubbery.net (heasley) Date: Thu, 14 Feb 2013 19:00:20 +0000 Subject: [rancid] Help with suppressing part of the show run output In-Reply-To: <51ED20F87B8EC049A125651522F36ED902019F09D7@SRVEXCHMB.1stcorbin.local> References: <51ED20F87B8EC049A125651522F36ED902019F09D7@SRVEXCHMB.1stcorbin.local> Message-ID: <20130214190020.GG49541@shrubbery.net> Thu, Feb 14, 2013 at 09:18:25AM -0500, Tom Simpson: > How do I go about suppressing part of the show run output from Cisco devices? The first two lines every time. We have added a command recently to the config on several switches that when you use any show command, it adds the output from "show ip os summary" to the first of the output. Since this changes every time you run any command it shows up as a diff in RANCID every time. > > I am assuming that this would be a regex, but I don't know where to begin adding it inside the rancid script, what would be the best section to put this in? Should it be possible to strip the first few lines off of the configuration output? Or would ignoring these lines be easier? > > > The config line that we added is: exec prompt timestamp > and it gets added to the vty config section well, remove that config. if you want to know the time or load avg, enter the command to see it when you want to see it. or use tacacs to apply an autocmd for users that want that junk. else you have to filter it in each rancid function or add the command to disable it. 
> A couple of examples of the output that is added to the show run or any other show command is the following: > > Load for five secs: 5%/0%; one minute: 6%; five minutes: 5% > Time source is NTP, 09:02:17.501 EDT Thu Feb 14 2013 > > > Load for five secs: 5%/0%; one minute: 5%; five minutes: 5% > Time source is NTP, 09:06:14.333 EDT Thu Feb 14 2013 > > > Since this happens after the command is input it can't be added as part of the prompt; so I guess I am stuck with either stripping it out of the config prior to parsing it, or just simply have rancid ignore it when it does run the diff... > > > Thanks, > > Tom Simpson > LAN/WAN Engineer > Forcht Group of Kentucky > 859.259.9700 x538 > > "We all knew there was just one way to improve our odds for survival: train, train, train. Sometimes, if your training is properly intense it will kill you. More often -- much, much more often -- it will save your life." - Richard Marcinko, former US Navy SEAL Team Commander
From b225ccc at gmail.com Thu Feb 14 18:26:57 2013
From: b225ccc at gmail.com (Brian Talley)
Date: Thu, 14 Feb 2013 11:26:57 -0700
Subject: [rancid] Help with suppressing part of the show run output
In-Reply-To: <51ED20F87B8EC049A125651522F36ED902019F09D7@SRVEXCHMB.1stcorbin.local>
References: <51ED20F87B8EC049A125651522F36ED902019F09D7@SRVEXCHMB.1stcorbin.local>
Message-ID:

Add the following lines to the "while()" block of every subroutine that calls a 'show' command (see @commandtable array) in the rancid file:

    /Load for five secs/ && next;
    /Time source is NTP/ && next;

e.g.:

    # This routine processes a "write term"
    sub WriteTerm {
        ...
        while (<INPUT>) {
            ...
            # skip the two lines that "exec prompt timestamp" prepends
            /Load for five secs/ && next;
            /Time source is NTP/ && next;
            ...
        }
        ...
    }

BT

On Thu, Feb 14, 2013 at 7:18 AM, Tom Simpson wrote:

> How do I go about suppressing part of the show run output from Cisco
> devices? The first two lines every time. We have added a command recently
> to the config on several switches that when you use any show command, it
> adds the output from "show ip os summary" to the first of the output. Since
> this changes every time you run any command it shows up as a diff in RANCID
> every time.
>
> I am assuming that this would be a regex, but I don't know where to begin
> adding it inside the rancid script, what would be the best section to put
> this in? Should it be possible to strip the first few lines off of the
> configuration output? Or would ignoring these lines be easier?
>
>
> The config line that we added is: exec prompt timestamp
> and it gets added to the vty config section
>
> A couple of examples of the output that is added to the show run or any
> other show command is the following:
>
> Load for five secs: 5%/0%; one minute: 6%; five minutes: 5%
> Time source is NTP, 09:02:17.501 EDT Thu Feb 14 2013
>
>
> Load for five secs: 5%/0%; one minute: 5%; five minutes: 5%
> Time source is NTP, 09:06:14.333 EDT Thu Feb 14 2013
>
>
> Since this happens after the command is input it can't be added as part of
> the prompt; so I guess I am stuck with either stripping it out of the
> config prior to parsing it, or just simply have rancid ignore it when it
> does run the diff...
>
>
> Thanks,
>
> Tom Simpson
> LAN/WAN Engineer
> Forcht Group of Kentucky
> 859.259.9700 x538
>
> "We all knew there was just one way to improve our odds for survival:
> train, train, train. Sometimes, if your training is properly intense it
> will kill you. More often -- much, much more often -- it will save your
> life." - Richard Marcinko, former US Navy SEAL Team Commander
> _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > -- Brian Talley b225ccc at gmail.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From jason.lempka at pbvllc.com Thu Feb 14 20:38:53 2013 From: jason.lempka at pbvllc.com (Lempka, Jason) Date: Thu, 14 Feb 2013 20:38:53 +0000 Subject: [rancid] Help with suppressing part of the show run output In-Reply-To: <51ED20F87B8EC049A125651522F36ED902019F09D7@SRVEXCHMB.1stcorbin.local> References: <51ED20F87B8EC049A125651522F36ED902019F09D7@SRVEXCHMB.1stcorbin.local> Message-ID: <88D2CDCD09D4104388DE58D9D00078B297391FA5@PBV-EXCH01.PEPCOM.pbv.pbvllc.com> > I am assuming that this would be a regex, but I don't know where to begin > adding it inside the rancid script, what would be the best section to put > this in? Should it be possible to strip the first few lines off of the > configuration output? Or would ignoring these lines be easier? > > > The config line that we added is: exec prompt timestamp > and it gets added to the vty config section I disabled that prompt upon login via clogin. Here's a diff: ========= --- bin/clogin 2012-11-29 08:12:39.688077830 -0500 +++ clogin 2012-11-29 08:08:44.387041585 -0500 @@ -918,6 +918,9 @@ send "terminal length 0\r" expect -re $prompt {} send "terminal width 132\r" + expect -re $prompt {} + send "terminal no exec prompt timestamp\r" + #expect -re $prompt {} } expect -re $prompt {} } else { ========= Had I been aware of an autocmd via tacacs as heasley points out in another message, I would have asked them to remove the vty command and shoved it into their tacacs profile. Thanks! Jason From tosimpson at forchtgroup.com Thu Feb 14 20:40:31 2013 
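Review bot: the third added line in the clogin hunk, "#expect -re $prompt {}", is commented out and should be dropped rather than carried in the patch. The prompt that comes back after "terminal no exec prompt timestamp" is already consumed by the unchanged "expect -re $prompt {}" that follows the closing brace, so the send/expect pairing is balanced without it. The new command is sent unconditionally in this branch, so a device that rejects it will print an error before the prompt; run it against each device type that reaches this code path. The file headers name different paths (bin/clogin and clogin), and the modified file carries the earlier timestamp, so confirm the direction of the diff and the -p level before applying.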
From: tosimpson at forchtgroup.com (Tom Simpson) Date: Thu, 14 Feb 2013 15:40:31 -0500 Subject: [rancid] Help with suppressing part of the show run output In-Reply-To: <88D2CDCD09D4104388DE58D9D00078B297391FA5@PBV-EXCH01.PEPCOM.pbv.pbvllc.com> References: <51ED20F87B8EC049A125651522F36ED902019F09D7@SRVEXCHMB.1stcorbin.local>, <88D2CDCD09D4104388DE58D9D00078B297391FA5@PBV-EXCH01.PEPCOM.pbv.pbvllc.com> Message-ID: <51ED20F87B8EC049A125651522F36ED902019F09E7@SRVEXCHMB.1stcorbin.local> Yeah, if TACACS was an option, I would as well. Plus I can't get it removed right now, since someone else has been convinced we "need that information" every time we run any show commands.... I am trying to get TACACS implemented sometime this year, but it is low on my todo list, since the authentication we are currently using works... Thanks, Tom Simpson LAN/WAN Engineer Forcht Group of Kentucky 859.259.9700 x538 "We all knew there was just one way to improve our odds for survival: train, train, train. Sometimes, if your training is properly intense it will kill you. More often -- much, much more often -- it will save your life." - Richard Marcinko, former US Navy SEAL Team Commander ________________________________________ From: Lempka, Jason [jason.lempka at pbvllc.com] Sent: Thursday, February 14, 2013 3:38 PM To: Tom Simpson Cc: rancid-discuss at shrubbery.net Subject: RE: Help with suppressing part of the show run output > I am assuming that this would be a regex, but I don't know where to begin > adding it inside the rancid script, what would be the best section to put > this in? Should it be possible to strip the first few lines off of the > configuration output? Or would ignoring these lines be easier? > > > The config line that we added is: exec prompt timestamp > and it gets added to the vty config section I disabled that prompt upon login via clogin. Here's a diff: ========= --- bin/clogin 2012-11-29 08:12:39.688077830 -0500 +++ clogin 2012-11-29 08:08:44.387041585 -0500 
@@ -918,6 +918,9 @@ send "terminal length 0\r" expect -re $prompt {} send "terminal width 132\r" + expect -re $prompt {} + send "terminal no exec prompt timestamp\r" + #expect -re $prompt {} } expect -re $prompt {} } else { ========= Had I been aware of an autocmd via tacacs as heasley points out in another message, I would have asked them to remove the vty command and shoved it into their tacacs profile. Thanks! Jason From heas at shrubbery.net Thu Feb 14 23:39:58 2013
From: heas at shrubbery.net (heasley) Date: Thu, 14 Feb 2013 23:39:58 +0000 Subject: [rancid] Rollback functionality and potential pitfalls In-Reply-To: References: Message-ID: <20130214233958.GO56074@shrubbery.net> Thu, Feb 14, 2013 at 09:38:13AM -0500, Ramon: > heasley; that is a good idea and I have definitely have tried that... the > problem I am having however with the banner at this point is with clogin or > "expect" perhaps: newlines (line breaks) after each line in the banner > statement dont return any meaningful character such as ">", "#" to the > clogin script, so it just halts. > > I dont think it is a bug, but it would be very good to be able use the -x > option with clogin and push a complete config files (including banner). you should be able to send \n instead. or, just eliminate or ignore the banner. > I also got very interested when I found about configure replace... my > success rate using on production so far was 1 out of 3. Yesterday I saw > another (undocumented new) failure: afaik, its a relatively new feature for ios. From marc.boisis at univ-lr.fr Mon Feb 18 13:11:29 2013 From: marc.boisis at univ-lr.fr (Marc Boisis-Delavaud) Date: Mon, 18 Feb 2013 14:11:29 +0100 Subject: [rancid] HP procurve Menu logon Message-ID: <1156DBA5-8167-4772-B42B-620AA8D3ED2F@univ-lr.fr> Hello, For different reason I 've to use "Menu" logon on my HP procure switch. With my test hlogin only works with "CLI" logon. Is there any fix or patch to make "Menu" logon working with rancid ? Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From jandrewartha at ccgs.wa.edu.au Tue Feb 19 04:04:44 2013 
From: jandrewartha at ccgs.wa.edu.au (James Andrewartha) Date: Tue, 19 Feb 2013 12:04:44 +0800 Subject: [rancid] XML files? Message-ID: <5122F9DC.2020109@ccgs.wa.edu.au> Hi, I have an Enterasys NAC controller, which stores its config as an XML file. It's also only accessible by a SOAP service, or from the filesystem (scp/rsync). Is there an easy way to get such a file into rancid? Thanks, -- James Andrewartha Network & Projects Engineer Christ Church Grammar School Claremont, Western Australia Ph. (08) 9442 1757 Mob. 0424 160 877 From marc.boisis at univ-lr.fr Tue Feb 19 07:12:37 2013 
From: marc.boisis at univ-lr.fr (Marc Boisis-Delavaud)
Date: Tue, 19 Feb 2013 08:12:37 +0100
Subject: [rancid] HP procurve Menu logon
In-Reply-To: <20130219051133.GC93736@shrubbery.net>
References: <1156DBA5-8167-4772-B42B-620AA8D3ED2F@univ-lr.fr> <20130219051133.GC93736@shrubbery.net>
Message-ID: <0FD58A9A-E69C-40E8-AC7E-109AB0EF65FF@univ-lr.fr>

It looks like this:

sw28cri 19-Feb-2013 8:11:21
===========================- TELNET - MANAGER MODE -============================
Main Menu

1. Status and Counters...
2. Switch Configuration...
3. Console Passwords...
4. Event Log
5. Command Line (CLI)
6. Reboot Switch
7. Download OS
8. Run Setup
9. Stacking...
0. Logout

Provides the menu to display configuration, status, and counters.
To select menu item, press item number, or highlight item and press <Enter>.

On 19 Feb 2013, at 06:11, heasley wrote:

> Mon, Feb 18, 2013 at 02:11:29PM +0100, Marc Boisis-Delavaud:
>> Hello,
>> For different reason I 've to use "Menu" logon on my HP procure switch. With my test hlogin only works with "CLI" logon. Is there any fix or patch to make "Menu" logon working with rancid ?
>
> what does "menu logon" look like?

Marc Boisis-Delavaud
Direction du Système d'Information
Université de La Rochelle
marc.boisis at univ-lr.fr | 05 46 45 82 14

From adam.korab at gmail.com Tue Feb 19 06:50:12 2013
From: adam.korab at gmail.com (Adam Korab) Date: Tue, 19 Feb 2013 00:50:12 -0600 Subject: [rancid] XML files? In-Reply-To: <5122F9DC.2020109@ccgs.wa.edu.au> References: <5122F9DC.2020109@ccgs.wa.edu.au> Message-ID: <-4470559225130907011@unknownmsgid> Yes, you can tell rancid to snarf in a local text file, then kick off scp from cron to fetch it each hour before rancid looks for changes. I did this a year ago for Vyatta routers. --Adam -- Adam Korab On Feb 18, 2013, at 10:05 PM, James Andrewartha wrote: > Hi, > > I have an Enterasys NAC controller, which stores its config as an XML > file. It's also only accessible by a SOAP service, or from the > filesystem (scp/rsync). Is there an easy way to get such a file into rancid? > > Thanks, > > -- > James Andrewartha > Network & Projects Engineer > Christ Church Grammar School > Claremont, Western Australia > Ph. (08) 9442 1757 > Mob. 0424 160 877 > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From marc.boisis at univ-lr.fr Wed Feb 20 14:00:12 2013 
From: marc.boisis at univ-lr.fr (Marc Boisis-Delavaud)
Date: Wed, 20 Feb 2013 15:00:12 +0100
Subject: [rancid] HP procurve Menu logon
In-Reply-To: <20130219183726.GK12440@shrubbery.net>
References: <1156DBA5-8167-4772-B42B-620AA8D3ED2F@univ-lr.fr> <20130219051133.GC93736@shrubbery.net> <0FD58A9A-E69C-40E8-AC7E-109AB0EF65FF@univ-lr.fr> <20130219183726.GK12440@shrubbery.net>
Message-ID: <8E1B0503-040E-4ABF-992E-AA6A16300A9E@univ-lr.fr>

I've made this patch, which is working:

#diff hlogin hloginULR 398a399 > 475a477,480 > -re ".*=============================================- TELNET - MANAGER MODE" { > send "5" > exp_continue > }

thanks

On 19 Feb 2013, at 19:37, heasley wrote:

> Tue, Feb 19, 2013 at 08:12:37AM +0100, Marc Boisis-Delavaud:
>> It look like this :
>>
>> sw28cri 19-Feb-2013 8:11:21
>> ===========================- TELNET - MANAGER MODE -============================
>> Main Menu
>>
>> 1. Status and Counters...
>> 2. Switch Configuration...
>> 3. Console Passwords...
>> 4. Event Log
>> 5. Command Line (CLI)
>> 6. Reboot Switch
>> 7. Download OS
>> 8. Run Setup
>> 9. Stacking...
>> 0. Logout
>>
>> Provides the menu to display configuration, status, and counters.
>> To select menu item, press item number, or highlight item and press <Enter>.
>
> add a match in the login function of hlogin to find 'and press <Enter>.' and
> send '5\r'.
>
>> On 19 Feb 2013, at 06:11, heasley wrote:
>>
>>> Mon, Feb 18, 2013 at 02:11:29PM +0100, Marc Boisis-Delavaud:
>>>> Hello,
>>>> For different reason I 've to use "Menu" logon on my HP procure switch. With my test hlogin only works with "CLI" logon. Is there any fix or patch to make "Menu" logon working with rancid ?
>>>
>>> what does "menu logon" look like?
>>
>> Marc Boisis-Delavaud
>> Direction du Système d'Information
>> Université de La Rochelle
>> marc.boisis at univ-lr.fr | 05 46 45 82 14
>>

Marc Boisis-Delavaud
Direction du Système d'Information
Université de La Rochelle
marc.boisis at univ-lr.fr | 05 46 45 82 14

From brokenflea at gmail.com Wed Feb 20 10:17:51 2013
From: brokenflea at gmail.com (Khurram Khan)
Date: Wed, 20 Feb 2013 03:17:51 -0700
Subject: [rancid] Help with Removing encrypted secret
Message-ID:

Hello All,

I've been lurking around the mailing list trying to find a solution to my issue. I'm trying to grab configuration from a Cisco ASR5000 which contains the configuration in the form of:

    spi remote-address 192.168.3.50 spi-number 256 encrypted secret ba8533de9d50051d04c124ccebb16563 description "REMOTE-1"

Regex is not one of my fortes, and so far I've got the following to remove the encrypted key from the configuration, which doesn't seem to be working:

    if (/(\s+spi remote-address (.*) spi-number (.*) encrypted secret .* description .* )/ && $filter_pwds >= 1) {
        ProcessHistory("ADMIN","","","#spi remote-address $1 spi-number $2 encrypted secret description $4 $5\n");
        next;
    }

The result that I get in the configuration looks like:

    #spi remote-address spi remote-address 192.168.3.50 spi-number 256 encrypted secret ba8533de9d50051d04c124ccebb16563 description "REMOTE-1" spi-number encrypted secret description

I'm pretty sure I'm missing something in regex. If someone could point me in the right direction, I would really appreciate it.

Thank you in advance!

From scott.brynen at visioncritical.com Wed Feb 20 15:46:22 2013
From: scott.brynen at visioncritical.com (Scott Brynen)
Date: Wed, 20 Feb 2013 15:46:22 +0000
Subject: [rancid] Help with Removing encrypted secret
In-Reply-To:
References:
Message-ID: <48187E5711D3204C991CB60EC396B754774C05EA@VCVANMAILMB2.vci.local>

The $1 is matching the entire matched string because you put () around the whole thing.

What you're looking for is:

    if (/\s+spi remote-address (.*) spi-number (.*) encrypted secret .* description (.*)/ && $filter_pwds >= 1) {
        # $1 = remote address, $2 = SPI number, $3 = description; the secret is never captured
        ProcessHistory("ADMIN","","","#spi remote-address $1 spi-number $2 encrypted secret description $3\n");
        next;
    }

Scott Brynen
Systems Operations Lead | Vision Critical
direct +1.604.638.9804
mobile +1.778.788.0543
web visioncritical.com
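An added example, not code from this thread or from rancid: a stand-alone Perl check of a filter for the "spi ... encrypted secret" line discussed above, followed by a deliberately looser scan that reports any line the filter did not rewrite. The helper names, the "<removed>" marker and every sample value are assumptions made for the illustration; inside a rancid parser the rewritten line would be passed to ProcessHistory() instead of being returned.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $filter_pwds = 1;    # as in the thread: >= 1 means secrets are stripped

# Hypothetical helper. Returns the line with the secret removed, or the line
# unchanged when it is not an "spi ... encrypted secret" line.
sub filter_line {
    my ($line) = @_;
    return $line unless $filter_pwds >= 1;

    # Groups are numbered by their opening parenthesis, left to right:
    #   $1 remote address, $2 SPI number, $3 whatever follows the secret.
    # The secret is matched by an uncaptured \S+, so it cannot reach the
    # output. \S+ (one token without whitespace) is used instead of .* so a
    # field can never stretch across its neighbours, and the trailing (.*)
    # also accepts a line that has no description.
    if ($line =~ /^\s*spi remote-address (\S+) spi-number (\S+) encrypted secret \S+(.*)$/) {
        return "#spi remote-address $1 spi-number $2 encrypted secret <removed>$3";
    }
    return $line;
}

# Hypothetical helper. Looser than the filter on purpose: returns every line
# in which the word "secret" is still followed by a long hex token.
sub find_leaks {
    return grep { /\bsecret\s+[0-9a-f]{16,}\b/i } @_;
}

# Constructed sample input. Addresses, SPI numbers and secrets are made up.
# The second and fourth lines are constructed variations (no description,
# keywords in another order) and are not claimed to be real device syntax.
my @config = (
    '  spi remote-address 192.0.2.50 spi-number 256 encrypted secret 00112233445566778899aabbccddeeff description "REMOTE-1"',
    '  spi remote-address 192.0.2.51 spi-number 257 encrypted secret ffeeddccbbaa99887766554433221100',
    '  spi remote-address 192.0.2.52 spi-number 258 encrypted secret 0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f description "link with secret in its name"',
    '  spi remote-address 192.0.2.53 encrypted secret 1234567890abcdef1234567890abcdef spi-number 259',
    '  context local',
);

my @filtered = map { filter_line($_) } @config;
print "$_\n" for @filtered;

# Anything reported here would have been written to the repository with its
# secret intact, so a wrapper should treat a non-zero exit as a failed run.
my @leaks = find_leaks(@filtered);
print STDERR "LEAK: $_\n" for @leaks;
exit(@leaks ? 1 : 0);
```

The fourth sample line is there to show the miss: the filter leaves it untouched because the keywords are not in the expected order, and the scan reports it instead of letting it pass silently.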
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Khurram Khan Sent: Wednesday, February 20, 2013 2:18 AM To: rancid-discuss at shrubbery.net Subject: [rancid] Help with Removing encrypted secret Hello All, I've been lurking around the mailing list trying to find a solution to my issue. I'm trying to grab configuration from a Cisco ASR5000 which contains the configuration in the form of: spi remote-address 192.168.3.50 spi-number 256 encrypted secret ba8533de9d50051d04c124ccebb16563 description "REMOTE-1" Regex is not one of my forte's , and so far I've got the following to remove the encrypted key from the configuration which doesn't seem to be working if (/(\s+spi remote-address (.*) spi-number (.*) encrypted secret .* description .* )/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","#spi remote-address $1 spi-number $2 encrypted secret description $4 $5\n"); next; } the result that I get in the configuration looks like: #spi remote-address spi remote-address 192.168.3.50 spi-number 256 encrypted secret ba8533de9d50051d04c124ccebb16563 description "REMOTE-1" spi-number encrypted secret description i'm pretty sure i'm missing something in regex. If someone could point me in the right direction, I would really appreciate it. Thank you in advance! -------------- next part -------------- An HTML attachment was scrubbed... URL: From heas at shrubbery.net Wed Feb 20 17:43:18 2013 
From: heas at shrubbery.net (heasley) Date: Wed, 20 Feb 2013 17:43:18 +0000 Subject: [rancid] HP procurve Menu logon In-Reply-To: <8E1B0503-040E-4ABF-992E-AA6A16300A9E@univ-lr.fr> References: <1156DBA5-8167-4772-B42B-620AA8D3ED2F@univ-lr.fr> <20130219051133.GC93736@shrubbery.net> <0FD58A9A-E69C-40E8-AC7E-109AB0EF65FF@univ-lr.fr> <20130219183726.GK12440@shrubbery.net> <8E1B0503-040E-4ABF-992E-AA6A16300A9E@univ-lr.fr> Message-ID: <20130220174317.GG58636@shrubbery.net> Wed, Feb 20, 2013 at 03:00:12PM +0100, Marc Boisis-Delavaud: > I've made this patch which is working: > > #diff hlogin hloginULR > 398a399 > > > 475a477,480 > > -re ".*=============================================- TELNET - MANAGER MODE" { > > send "5" > > exp_continue > > } it's better, imo, to match all or at least the majority of input before sending. that way, your output and its response, is not mixed in with the input. it's cleaner, easier, and more reliable - again, imo. btw, is this menu a standard thing with procurves? I've never seen it, but the one that i have is a lower-end model. > thanks > > On 19 Feb 2013 at 19:37, heasley wrote: > > > Tue, Feb 19, 2013 at 08:12:37AM +0100, Marc Boisis-Delavaud: > >> It looks like this: > >> > >> sw28cri 19-Feb-2013 8:11:21 > >> ===========================- TELNET - MANAGER MODE -============================ > >> Main Menu > >> > >> 1. Status and Counters... > >> 2. Switch Configuration... > >> 3. Console Passwords... > >> 4. Event Log > >> 5. Command Line (CLI) > >> 6. Reboot Switch > >> 7. Download OS > >> 8. Run Setup > >> 9. Stacking... > >> 0. Logout > >> > >> > >> > >> > >> > >> > >> > >> Provides the menu to display configuration, status, and counters. > >> To select menu item, press item number, or highlight item and press . > > > > add a match in the login function of hlogin to find 'and press .' and > > send '5\r'. 
> > > >> On 19 Feb 2013 at 06:11, heasley wrote: > >> > >>> Mon, Feb 18, 2013 at 02:11:29PM +0100, Marc Boisis-Delavaud: > >>>> Hello, > >>>> For different reasons I've to use "Menu" logon on my HP procurve switch. With my test hlogin only works with "CLI" logon. Is there any fix or patch to make "Menu" logon working with rancid? > >>> > >>> what does "menu logon" look like? > >> > >> Marc Boisis-Delavaud > >> Direction du Système d'Information > >> Université de La Rochelle > >> marc.boisis at univ-lr.fr | 05 46 45 82 14 > >> > > Marc Boisis-Delavaud > Direction du Système d'Information > Université de La Rochelle > marc.boisis at univ-lr.fr | 05 46 45 82 14 > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From rancid at ale.cx Wed Feb 20 21:19:39 2013 From: rancid at ale.cx (Alex DEKKER) Date: Wed, 20 Feb 2013 21:19:39 +0000 Subject: [rancid] HP procurve Menu logon In-Reply-To: <20130220174317.GG58636@shrubbery.net> References: <1156DBA5-8167-4772-B42B-620AA8D3ED2F@univ-lr.fr> <20130219051133.GC93736@shrubbery.net> <0FD58A9A-E69C-40E8-AC7E-109AB0EF65FF@univ-lr.fr> <20130219183726.GK12440@shrubbery.net> <8E1B0503-040E-4ABF-992E-AA6A16300A9E@univ-lr.fr> <20130220174317.GG58636@shrubbery.net> Message-ID: <51253DEB.9000301@ale.cx> On 20/02/13 17:43, heasley wrote: > btw, is this menu a standard thing with procurves? I've never seen it, > but the one that i have is a lower-end model. It's not the default on current Procurves, you can access it with 'menu'. From what Marc is saying, it sounds like there is a way to make it go straight into the menu on login for a given username. 
alexd From ntop at ale.cx Wed Feb 20 20:59:41 2013 
From: ntop at ale.cx (Alex DEKKER) Date: Wed, 20 Feb 2013 20:59:41 +0000 Subject: [rancid] HP procurve Menu logon In-Reply-To: <20130220174317.GG58636@shrubbery.net> References: <1156DBA5-8167-4772-B42B-620AA8D3ED2F@univ-lr.fr> <20130219051133.GC93736@shrubbery.net> <0FD58A9A-E69C-40E8-AC7E-109AB0EF65FF@univ-lr.fr> <20130219183726.GK12440@shrubbery.net> <8E1B0503-040E-4ABF-992E-AA6A16300A9E@univ-lr.fr> <20130220174317.GG58636@shrubbery.net> Message-ID: <5125393D.6060702@ale.cx> On 20/02/13 17:43, heasley wrote: > btw, is this menu a standard thing with procurves? I've never seen it, > but the one that i have is a lower-end model. It's not the default on current Procurves, you can access it with 'menu'. From what Marc is saying, it sounds like there is a way to make it go straight into the menu on login for a given username. alexd From mike.albano at unlv.edu Wed Feb 20 21:14:19 2013 From: mike.albano at unlv.edu (mike.albano at unlv.edu) Date: Wed, 20 Feb 2013 13:14:19 -0800 Subject: [rancid] Cisco WLC ver 7.x Message-ID: An HTML attachment was scrubbed... URL: From brokenflea at gmail.com Wed Feb 20 17:29:30 2013 
From: brokenflea at gmail.com (Khurram Khan) Date: Wed, 20 Feb 2013 10:29:30 -0700 Subject: [rancid] Help with Removing encrypted secret In-Reply-To: <48187E5711D3204C991CB60EC396B754774C05EA@VCVANMAILMB2.vci.local> References: <48187E5711D3204C991CB60EC396B754774C05EA@VCVANMAILMB2.vci.local> Message-ID: Thank you Scott for pointing me in the right direction. Taking your example I tweaked this a little which looks like it worked. The final regex looks like: if (/\s+spi remote-address (.*) spi-number (.*) encrypted secret .* description (.*)/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","#spi remote-address $1 spi-number $2 encrypted secret description $3\n"); next; } and the configuration now looks like: #spi remote-address 192.168.3.50 spi-number 256 encrypted secret description "REMOTE-1" On Wed, Feb 20, 2013 at 8:46 AM, Scott Brynen < scott.brynen at visioncritical.com> wrote: > The $1 is matching the entire matched string because you put () around > the whole thing > > What you're looking for is: > > if (/#spi remote-address (.*) spi-number (.*) encrypted secret .* > description (.*)/ && $filter_pwds >= 1) { > > ProcessHistory("ADMIN","","","#spi remote-address $1 > spi-number $2 encrypted secret description $3\n"); > > next; > > } > > *Scott Brynen* > Systems Operations Lead | Vision Critical > direct +1.604.638.9804 mobile +1.778.788.0543 > web visioncritical.com > > *From:* rancid-discuss-bounces at shrubbery.net [mailto: > rancid-discuss-bounces at shrubbery.net] *On Behalf Of *Khurram Khan > *Sent:* Wednesday, February 20, 2013 2:18 AM > *To:* rancid-discuss at shrubbery.net > *Subject:* [rancid] Help with Removing encrypted secret > > Hello All, > > I've been lurking around the mailing list trying to find a solution to my > issue. 
I'm trying to grab configuration from a Cisco ASR5000 which contains > the configuration in the form of: > > spi remote-address 192.168.3.50 spi-number 256 encrypted secret > ba8533de9d50051d04c124ccebb16563 description "REMOTE-1" > > Regex is not one of my fortes, and so far I've got the following to > remove the encrypted key from the configuration which doesn't seem to be > working > > if (/(\s+spi remote-address (.*) spi-number (.*) encrypted secret > .* description .* )/ && $filter_pwds >= 1) { > > ProcessHistory("ADMIN","","","#spi remote-address $1 > spi-number $2 encrypted secret description $4 $5\n"); > > next; > > } > > the result that I get in the configuration looks like: > > #spi remote-address spi remote-address 192.168.3.50 spi-number 256 > encrypted secret ba8533de9d50051d04c124ccebb16563 description "REMOTE-1" > spi-number encrypted secret description > > I'm pretty sure I'm missing something in regex. If someone could point me > in the right direction, I would really appreciate it. > > Thank you in advance! > -- - kk -------------- next part -------------- An HTML attachment was scrubbed... URL: From peo at chalmers.se Thu Feb 21 07:40:23 2013 
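The filter from the "Removing encrypted secret" thread above, run over constructed config lines beside a tighter variant, as an added example that is not code from rancid or from the posters. ProcessHistory() is replaced by a return value; filter_strict, leaks and the <removed> marker are this example's own names, and it assumes an spi line can appear without a description.

```perl
#!/usr/bin/perl
# Added example, not rancid's own code. ProcessHistory() is replaced by a
# return value so the filter can be run on its own.
use strict;
use warnings;

my $filter_pwds = 1;    # stands in for rancid's $filter_pwds

# Pattern and replacement text as posted in the thread: they only match
# when the line carries a description.
sub filter_thread {
    my ($line) = @_;
    if ($line =~ /\s+spi remote-address (.*) spi-number (.*) encrypted secret .* description (.*)/
        && $filter_pwds >= 1) {
        return "#spi remote-address $1 spi-number $2 encrypted secret description $3";
    }
    return $line;
}

# Tighter variant (hypothetical): anchored, one token per field, and the
# description is optional so a line without one is still filtered.
sub filter_strict {
    my ($line) = @_;
    if ($filter_pwds >= 1
        && $line =~ /^\s*spi remote-address (\S+) spi-number (\d+) encrypted secret \S+(?: description (.*))?$/) {
        my $out = "#spi remote-address $1 spi-number $2 encrypted secret <removed>";
        $out .= " description $3" if defined $3;
        return $out;
    }
    return $line;
}

# Returns 1 if a hex token still follows "encrypted secret" in the output.
sub leaks {
    my ($line) = @_;
    return $line =~ /encrypted secret [0-9a-f]{16,}/ ? 1 : 0;
}

# Constructed input; addresses and secrets are made-up values.
my @config = (
    '    spi remote-address 192.0.2.10 spi-number 256 encrypted secret 0123456789abcdef0123456789abcdef description "REMOTE-1"',
    '    spi remote-address 192.0.2.11 spi-number 257 encrypted secret fedcba9876543210fedcba9876543210',
    '    ip address 192.0.2.1 255.255.255.0',
);

# Run both filters over every line and flag output that still holds a secret.
for my $line (@config) {
    for my $f ([thread => \&filter_thread], [strict => \&filter_strict]) {
        my ($name, $code) = @$f;
        my $out = $code->($line);
        printf "%-6s %-4s %s\n", $name, (leaks($out) ? 'LEAK' : 'ok'), $out;
    }
}
```

Running the stored configs through a check like leaks() after a filter change shows whether any line form still reaches the repository with its secret.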
From: peo at chalmers.se (Per-Olof Olsson) Date: Thu, 21 Feb 2013 08:40:23 +0100 Subject: [rancid] HP procurve Menu logon In-Reply-To: <51253DEB.9000301@ale.cx> References: <1156DBA5-8167-4772-B42B-620AA8D3ED2F@univ-lr.fr> <20130219051133.GC93736@shrubbery.net> <0FD58A9A-E69C-40E8-AC7E-109AB0EF65FF@univ-lr.fr> <20130219183726.GK12440@shrubbery.net> <8E1B0503-040E-4ABF-992E-AA6A16300A9E@univ-lr.fr> <20130220174317.GG58636@shrubbery.net> <51253DEB.9000301@ale.cx> Message-ID: <5125CF67.7000006@chalmers.se> Alex DEKKER wrote 02/20/2013 10:19 PM: > On 20/02/13 17:43, heasley wrote: >> btw, is this menu a standard thing with procurves? I've never seen it, >> but the one that i have is a lower-end model. > It's not the default on current Procurves, you can access it with 'menu'. From what Marc > is saying, it sounds like there is a way to make it go straight into the menu on login for > a given username. > > alexd > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss Only setting I found for this is in "8. Run Setup" menu where you select "Logon Default" to "CLI" or "Menu" /Peo ---------------------------------------------------------- Per-Olof Olsson Email: peo at chalmers.se Chalmers tekniska högskola IT-service Hörsalsvägen 5 412 96 Göteborg Tel: 031/772 6738 Fax: 031/772 8660 ---------------------------------------------------------- From pedro.serotto at yahoo.es Tue Feb 26 09:40:57 2013 From: pedro.serotto at yahoo.es (Pedro Serotto) Date: Tue, 26 Feb 2013 09:40:57 +0000 (GMT) Subject: [rancid] Extreme XOS and rancid-2.3.8 Message-ID: <1361871657.55597.YahooMailNeo@web28802.mail.ir2.yahoo.com> Hi Mickey, I've the same problem, did you solve it? Please let me know. Tnx Pedro -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From daniel.schmidt at wyo.gov Tue Feb 26 15:48:21 2013 
From: daniel.schmidt at wyo.gov (Daniel Schmidt) Date: Tue, 26 Feb 2013 08:48:21 -0700 Subject: [rancid] NX-OS sap: Message-ID: Anybody else getting this spurious diff? + !DEBUG: Could not retrieve info from application sap:28 : Timer expired Might have been discussed before - apologies if I missed it. E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties. -------------- next part -------------- An HTML attachment was scrubbed... URL: From peo at chalmers.se Wed Feb 27 07:47:30 2013 
From: peo at chalmers.se (Per-Olof Olsson) Date: Wed, 27 Feb 2013 08:47:30 +0100 Subject: [rancid] Minor fix/update for hlogin ( and *login?). Message-ID: <512DBA12.1030909@chalmers.se> Hello Testing some minor update for hlogin (rancid 2.3.8). Sometimes I use hlogin to login to switches but get the session filtered by hpuifilter. A bit hard to work with that output. I think this helps. rancid at host bin]$ diff -c hlogin.in_ORG hlogin.in *** hlogin.in_ORG 2013-01-21 07:05:47.357345221 +0100 --- hlogin.in 2013-02-27 07:56:51.332898135 +0100 *************** *** 328,336 **** regexp {(telnet|ssh)(:([^[:space:]]+))*} $prog command suffix junk port if [string match "telnet*" $prog] { if {"$port" == ""} { ! set retval [ catch {spawn hpuifilter -- telnet $router} reason ] } else { ! set retval [ catch {spawn hpuifilter -- telnet $router $port} reason ] } if { $retval } { send_user "\nError: telnet failed: $reason\n" --- 328,344 ---- regexp {(telnet|ssh)(:([^[:space:]]+))*} $prog command suffix junk port if [string match "telnet*" $prog] { if {"$port" == ""} { ! if { $do_command || $do_script } { ! set retval [ catch {spawn hpuifilter -- telnet $router } reason ] ! } else { ! set retval [ catch {spawn telnet $router} reason ] ! } } else { ! if { $do_command || $do_script } { ! set retval [ catch {spawn hpuifilter -- telnet -- $router $port} reason ] ! } else { ! set retval [ catch {spawn telnet -- $router $port} reason ] ! } } if { $retval } { send_user "\nError: telnet failed: $reason\n" *************** *** 346,352 **** if {"$identfile" != ""} { set cmd "$cmd -i $identfile" } ! set retval [ catch {eval spawn hpuifilter -- [split "$cmd -c $cyphertype -x -l $user $router" { }]} reason ] if { $retval } { send_user "\nError: $cmd failed: $reason\n" return 1 --- 354,364 ---- if {"$identfile" != ""} { set cmd "$cmd -i $identfile" } ! if { $do_command || $do_script } { ! 
set retval [ catch {eval spawn hpuifilter -- [split "$cmd -c $cyphertype -x -l $user $router" { }]} reason ] ! } else { ! set retval [ catch {eval spawn [split "$cmd -c $cyphertype -x -l $user $router" { }]} reason ] ! } if { $retval } { send_user "\nError: $cmd failed: $reason\n" return 1 Testing to set negative port number to telnet shows that it doesn't work on RHlinux (from "man cloginrc" " Example: add method * {ssh} {telnet:-3000} {rsh}"). Tested "add method {telnet:-23}" ----------------------- $ telnet -23 telnet: invalid option -- '2' Usage: telnet [-8] [-E] [-L] [-S tos] [-a] [-c] [-d] [-e char] [-l user] [-n tracefile] [-b hostalias ] [-r] [host-name [port]] -------------------- I have to add "--" to telnet args in hlogin, "telnet -- $router $port" or use a positive port number and put ---------------------- DEFAULT mode character ---------------------- or ---------------------- mode character ---------------------- in ~/.telnetrc Is telnet special for RHlinux or update needed for telnet in all *login scripts and/or add some notes in man page for cloginrc about ~/.telnetrc? /Peo ---------------------------------------------------------- Per-Olof Olsson Email: peo at chalmers.se Chalmers tekniska högskola IT-service Hörsalsvägen 5 412 96 Göteborg Tel: 031/772 6738 Fax: 031/772 8660 ---------------------------------------------------------- From heas at shrubbery.net Thu Feb 28 21:57:29 2013 
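Review bot: in the telnet branch of the hlogin patch above, the "--" separator is added only where $port is passed ("telnet -- $router $port"), while the no-port calls stay "telnet $router". That covers the negative-port case described, but it is a separate fix from bypassing hpuifilter for interactive sessions and would be easier to review, and to carry into the other *login scripts, as its own patch. The "$do_command || $do_script" test is now repeated in three places; working out the optional "hpuifilter --" prefix once, before the telnet and ssh branches, would keep the spawn lines from drifting apart. The first replaced line also gains a stray space before the closing brace ("telnet $router }").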
From: heas at shrubbery.net (heasley) Date: Thu, 28 Feb 2013 21:57:29 +0000 Subject: [rancid] NX-OS sap: In-Reply-To: References: Message-ID: <20130228215729.GS80425@shrubbery.net> Tue, Feb 26, 2013 at 08:48:21AM -0700, Daniel Schmidt: > Anybody else getting this spurious diff? > > > > + !DEBUG: Could not retrieve info from application sap:28 : Timer expired > > > > Might have been discussed before - apologies if I missed it. i've not noticed anyone mention that before. you'd want something like this...and a TAC ticket. Index: bin/nxrancid.in =================================================================== --- bin/nxrancid.in (revision 2663) +++ bin/nxrancid.in (working copy) @@ -589,6 +589,7 @@ return(1) if /(Invalid input detected|Type help or )/; return(-1) if (/\% Invalid command at /); return(-1) if (/command authorization failed/i); + return(-1) if (/could not retrieve info/i); # XXX return(-1) if (/\% Permission denied/); # NX 5000 bug? "show debug" generates # "Permission denied" when using command authorization. -Per-Olof Olsson From babydr at baby-dragons.com Thu Feb 28 22:52:05 2013 
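Review bot: the added test /could not retrieve info/i in the nxrancid.in hunk above is unanchored and case-insensitive, so any output line containing that phrase takes the return(-1) path, not only the reported "Could not retrieve info from application sap:28 : Timer expired" message. Matching more of the reported text, for example /could not retrieve info from application/i, would narrow it. The "# XXX" marker should also say what is still open, since the message suggests the line is meant as a stopgap alongside a TAC ticket.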
From: babydr at baby-dragons.com (Mr. James W. Laferriere) Date: Thu, 28 Feb 2013 13:52:05 -0900 (AKST) Subject: [rancid] dlogin , Continously attempting to Login , way to limit number of attempts ? Message-ID: Hello All , dlogin , I am aware that it may not be part of rancid production . Is anyone aware of a way to limit the login retries ? I've not seen a way thru dlogin itself . The manpage of .cloginrc doesn't mention a retries or anything I am able to ascertain as functionally equivalent . Tia , JimL # dlogin mo-swd22 mo-swd22 spawn ssh -c 3des -x -l administrator mo-swd22 ssh: connect to host mo-swd22 port 22: Connection refused spawn telnet mo-swd22 Trying 10.1.1.29... Connected to mo-swd22. Escape character is '^]'. User:administrator Password:*********** User:administrator Password:*********** User:administrator Password:*********** User:administrator Password:*********** User:administrator Password:*********** User:administrator Password:*********** User:administrator Password:*********** User:administrator Password:*********** User:administrator Password:*********** User:administrator Password:*********** ......... -- +------------------------------------------------------------------+ | James W. Laferriere | System Techniques | Give me VMS | | Network&System Engineer | 3237 Holden Road | Give me Linux | | babydr at baby-dragons.com | Fairbanks, AK. 99709 | only on AXP | +------------------------------------------------------------------+ From Nicolai.Langfeldt at broadnet.no Sat Feb 23 06:52:18 2013 
From: Nicolai.Langfeldt at broadnet.no (Nicolai Langfeldt) Date: Sat, 23 Feb 2013 06:52:18 +0000 Subject: [rancid] clogin goes out of phase with extreme switches Message-ID: <76559C2CEC19234C83D86F21E613AC5D0E61EA4E@p1exmbx01.corp.local> Hi, Our rancid version is 2.3.8. We have a large number of extreme switches. xrancid has a tendency to fail, quite reliably for a few of them (and then suddenly it works again on a switch to switch basis). The problem lies in clogin which fires off commands prematurely. Here follows some clogin -d output with some annotations to make it clearer to me what happens. clogin has logged in and sent the clipaging commands without problem. The first commands have been sent also no problem. In this instance, at the fifth prompt everything goes south. It appears that it's always on the fifth prompt that stuff breaks (*mumble* at least with this switch). expect: does "fs1.skatt.5 # show diag\r\n\r" (spawn_id exp6) match regular expression "\u0008+"? (No Gate, R\ E only) gate=yes re=no "^[^\n\r *]*.? ?fs1.skatt.[0-9]+ #"? Gate "*fs1?skatt* #"? gate=yes re=yes ******* The prompt remains in buffer, a prompt match is found at once and the next command is sent prematurely. Only how is the match buffer advanced the right way: expect: set expect_out(0,string) "fs1.skatt.5 #" expect: set expect_out(spawn_id) "exp6" expect: set expect_out(buffer) "fs1.skatt.5 #" fs1.skatt.5 # ***** send: sending "show switch\r" to { exp6 } Gate keeper glob pattern for '^H+' is ''. Not usable, disabling the performance booster. Gate keeper glob pattern for '^[^ *]*.? ?fs1.skatt.[0-9]+ #' is '*fs1?skatt* #'. Activating booster. Gate keeper glob pattern for '^[^ ]*.? ?fs1.skatt.[0-9]+ #.' is '*fs1?skatt* #?'. Activating booster. Gate keeper glob pattern for '^--More--[ ]+' is '--More--*'. Activating booster. Gate keeper glob pattern for '[^ ]*[ ]+' is ''. Not usable, disabling the performance booster. 
Gate keeper glob pattern for '[^ ]*Press to cont[^ ]*' is '*Press to cont*'. Activating booster. Gate keeper glob pattern for '^ *--More--[^ ]*' is '*--More--*'. Activating booster. Gate keeper glob pattern for '^<-+ More -+>[^ ]*' is ''. Not usable, disabling the performance booster. ******* Here we're out of phase. We start seeing the output of the "show diag" command sent before "show switch" expect: does " show diag\r\n\r" (spawn_id exp6) match regular expression "\u0008+"? (No Gate, RE only) gate=\ yes re=no