[rancid] cisco-xr ASR9K and numbered ACL's

Alan McKinnon alan.mckinnon at gmail.com
Wed Oct 15 05:22:23 UTC 2014


On 15/10/2014 01:33, Jos wrote:
> Hi
> 
> Am new to this list and hoping someone can help me with a problem please
> that I can’t figure out yet or find an earlier posting and solution for.
> We are running the latest rancid version 3.1 on a centos vm and collecting
> a bunch of cisco configs, all is good except for our iosxr ASR9K’s and
> numbered ACL’s. 
> Rancid seems to strip out part of the lines as below:
> 
> Real config:
> ipv4 access-list no-rfc1918
>  10 remark Deny traffic to RFC 1918
>  20 deny ipv4 10.0.0.0/8 any
>  30 deny ipv4 any 10.0.0.0/8
>  40 deny ipv4 172.16.0.0/12 any
>  50 deny ipv4 any 172.16.0.0/12
>  60 deny ipv4 192.168.0.0/16 any
>  70 deny ipv4 any 192.168.0.0/16
>  80 permit ipv4 any any
> 
> 
> Rancid collected config:
> ipv4 access-list no-rfc1918
>  remark Deny traffic to RFC 1918
>  deny ipv4 10.0.0.0/8 any
>  deny ipv4 any 10
>  deny ipv4 172.16.0.0/12 any
>  deny ipv4 any 172
>  deny ipv4 192.168.0.0/16 any
>  deny ipv4 any 192
>  permit ipv4 any any
> 
> 
> A minor problem where the ACL is obvious as above, but this is the
> exception.
> Can someone suggest a good fix or workaround for this please (preferably
> without changing the ASR9K config), I trust it affects others with this
> sort of config?
> I can see earlier posts mention xrrancid but can’t find that in our 3.1
> install.

This appears to be rancid's acl renumbering, which is the designed
behaviour for good reasons.

Access list numbers are problematic as they are subject to being
renumbered when the device reloads the list. However, all that changes
is the interval between numbers, the logic of what the list achieves
stays the same. This causes unnecessary noise in the diffs as there
isn't an actual change, just a change of a bunch of redundant leading
numbers.

Rancid's solution is to strip out the numbers, gather contiguous series
of allows or denies and reorder those based on IP addresses. This works
because if you have 5 denies in a row affecting different ranges, it does
not matter what order they are applied in. Thus the router can renumber
ACLs all it likes and the rancid diff does not change, reducing noise.


I don't know about 3.2 but the 2.3 series had a knob to disable this. If
memory serves it was called ACL_SORT and is documented in the config
file. The topic has also been discussed at length here on the list
before, you can find the threads in the on-line archives, there's more
info there than I can give in one shortish reply.




-- 
Alan McKinnon
alan.mckinnon at gmail.com
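The normalisation Alan describes (drop the sequence numbers, then sort each contiguous run of same-action entries by address so that device-side renumbering produces no diff) is illustrated below in Python. This is an added example, not rancid's own Perl code, and it does not claim to reproduce rancid's exact sort order: the regexes, the source-then-destination sort key, the handling of `host` entries and the sample ACL texts are all assumptions constructed for this illustration. The two inputs are the ACL from Jos's message and a constructed copy of it that has been renumbered and shuffled within the deny run; the diff between the normalised forms is empty, while a genuinely new entry still shows up.

```python
"""Sequence-number stripping and same-action run sorting for IOS-XR style ACLs.

Added illustration in Python, not rancid's Perl code.  The regexes, sort key
and sample ACL text below are assumptions constructed for this example.
"""
import difflib
import re
from ipaddress import ip_network

# "<seq> <action> <rest>" as printed by IOS-XR; the sequence number is dropped.
ACE_RE = re.compile(r"^\s*(\d+)\s+(remark|permit|deny)\s+(.*\S)\s*$")
# "<proto> <src> <dst>" where src/dst are "any", "host A.B.C.D" or "A.B.C.D/len".
MATCH_RE = re.compile(r"^(\S+)\s+(any|host\s+\S+|\S+/\d+)\s+(any|host\s+\S+|\S+/\d+)")

# Constructed sample: the ACL quoted in the original message.
SAMPLE_ACL = """ipv4 access-list no-rfc1918
 10 remark Deny traffic to RFC 1918
 20 deny ipv4 10.0.0.0/8 any
 30 deny ipv4 any 10.0.0.0/8
 40 deny ipv4 172.16.0.0/12 any
 50 deny ipv4 any 172.16.0.0/12
 60 deny ipv4 192.168.0.0/16 any
 70 deny ipv4 any 192.168.0.0/16
 80 permit ipv4 any any
"""

# Constructed sample: same entries after a renumbering, with the deny run shuffled.
RENUMBERED_ACL = """ipv4 access-list no-rfc1918
 100 remark Deny traffic to RFC 1918
 200 deny ipv4 any 192.168.0.0/16
 300 deny ipv4 172.16.0.0/12 any
 400 deny ipv4 10.0.0.0/8 any
 500 deny ipv4 any 10.0.0.0/8
 600 deny ipv4 192.168.0.0/16 any
 700 deny ipv4 any 172.16.0.0/12
 800 permit ipv4 any any
"""

# Constructed sample: a real change (one extra deny) that must survive normalisation.
CHANGED_ACL = SAMPLE_ACL.replace(" 80 permit", " 75 deny ipv4 any 100.64.0.0/10\n 80 permit")


def addr_key(token):
    """Map an address token to (network_int, prefixlen); 'any' sorts first."""
    if token == "any":
        return (0, 0)
    if token.startswith("host"):
        token = token.split()[1] + "/32"
    net = ip_network(token, strict=False)
    return (int(net.network_address), net.prefixlen)


def ace_key(rest):
    """Sort key for one entry: source address, then destination, then raw text."""
    m = MATCH_RE.match(rest)
    if not m:
        return ((0, 0), (0, 0), rest)  # unparsable entries keep a stable textual order
    return (addr_key(m.group(2)), addr_key(m.group(3)), rest)


def normalize_acl(text):
    """Return ACL lines with sequence numbers removed and same-action runs sorted."""
    out = []
    run = []           # entries of the current contiguous permit-or-deny run
    run_action = None

    def flush():
        nonlocal run, run_action
        for _, rest in sorted(run, key=lambda e: ace_key(e[1])):
            out.append(f" {run_action} {rest}")
        run, run_action = [], None

    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(2) in ("permit", "deny"):
            action, rest = m.group(2), m.group(3)
            if action != run_action:   # a change of action ends the sortable run
                flush()
                run_action = action
            run.append((action, rest))
            continue
        flush()
        if m:                          # remark: keep the text, drop the number
            out.append(f" {m.group(2)} {m.group(3)}")
        elif line.strip():             # header and anything else pass through
            out.append(line.rstrip())
    flush()
    return out


def acl_diff(before, after):
    """Unified diff of two normalised ACLs; empty when only numbering/order changed."""
    return list(difflib.unified_diff(normalize_acl(before), normalize_acl(after), lineterm=""))


if __name__ == "__main__":
    print("\n".join(normalize_acl(SAMPLE_ACL)))
    print("renumbered diff lines:", len(acl_diff(SAMPLE_ACL, RENUMBERED_ACL)))
    print("changed diff lines:   ", len(acl_diff(SAMPLE_ACL, CHANGED_ACL)))
```

Note that the normalised form keeps every prefix whole (`deny ipv4 any 10.0.0.0/8`, not `deny ipv4 any 10`), so the truncation in the collected config is a separate defect from the renumbering itself; the sort order inside a run is arbitrary as long as it is deterministic, which is all that is needed for the diff to stay quiet.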