[rancid] Rollback functionality and potential pitfalls

shouldbe q931 shouldbeq931 at gmail.com
Tue Feb 12 22:49:44 UTC 2013


On Tue, Feb 12, 2013 at 4:04 PM, Ramon <ramonbatwork at gmail.com> wrote:

> Hello all,
>
> I am currently looking in to a way to implement rollback functionality
> using rancid. What would it take to reverse bad changes and restore the
> config of a cisco device back to a previous saved version?
>
> I ask because just pushing the original config on top of the modified
> version would not remove or flush out certain statements, possibly leaving
> duplicates that would have to be removed manually.
>
> My first idea was to create a negative file, by generating a "no
> statement" for every line in the new config that does not match the old
> config. After pushing the negative file and removing the changes I would
> push the old config to restore any of the deleted statements.
>
> Feedback on any foreseeable issues such as possible hierarchical problems
> (interfaces, acls, bgp) would be very welcomed.
>
> Thanks,
> Ramon
>

A few problems that I thought of

If you're doing a "conf t" and then sending the updates, you need to be
able to parse and escape "special" characters, such as the ? in line three
below

1 ip ddns update method dyn.he.net
2  HTTP
3   add
http://dynamicrouter.domain.com:hjo97864hhj06hA@ipv4.dyn.dns.he.net/nic/update?hostname=
<h>&myip=<a>

The thought of escaping characters lead me onto motd lines...

banner motd ^C
This is not the router you are looking for
^C

And finally, the order of NAT rules on an ASA can be critical, this would
mean either removing all of them (affecting all traffic) and then adding
all of them, or being able to parse all of the NAT rule lines to add the
sequence to the rollback, such as

    no nat 14
    nat (inside,outside) 14 source static i-server
i-server.domain.comservice tcp-in-https tcp-in-https

I'm sure there are lots of other similar cases

If you can cope with a reload, then would go with either a tftp boot, or
erase startup, tftp copy to startup and then reload.

As well as rancid, I also like to archive to a FTP server, so when TFTP
isn't an option (such as a remote site router, I can simply go

 erase start
 copy ftp://user:pass@host/path/file startup

And then reload

For a client that bought CSM, I manage their ASA firewalls with CSM, after
a particularly bad experience with the built in CSM rollback, I now do the
changes and deploy normally rather than a rollback deploy if changes need
to be "reverted".

Cheers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20130212/57af5e81/attachment.html>


More information about the Rancid-discuss mailing list