[rancid] cisco-xr ASR9K and numbered ACL's

Jos buoy at clear.net.nz
Thu Oct 16 01:37:56 UTC 2014


Hi

Thanks for this, perhaps it’s as stupid as this, in my 3.1 install I don’t
have a xrrancid file, does it ship as part of the standalone 3.1 zipped
download?

Cheers, Jos

On 16/10/14 14:19, "Anson Maddock" <anson.maddock at gmx.com> wrote:

>I'm utilizing Rancid 3.1 on Debian currently, I also have the
>repositories and CVS from when we were running 2.3.8. We do not have
>ACLSORT enabled and we are not seeing the problems you are describing.
>Our ASR9Ks are running 4.3.2 code. We are not showing any truncation
>in the configs/CVS from our 2.3.8 database.
>Here is the sort from our xrrancid 3.1 distribution file. Can you confirm
>that the xrrancid file is a 3.1 version?
>
># This is a sort routine that will sort on the
># ip address when the ip address is anywhere in
># the strings.
>sub ipsort {
>local(%lines) = @_;
>local($i) = 0;
>local(@sorted_lines);
>foreach $addr (sort sortbyipaddr keys %lines) {
>$sorted_lines[$i] = $lines{$addr};
>$i++;
>}
>@sorted_lines;
>}
>
># These two routines will sort based upon IP addresses
>sub ipaddrval {
>my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
>$a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
>}
>sub sortbyipaddr {
>&ipaddrval($a) <=> &ipaddrval($b);
>}
>
>-----Original Message-----
>On Wed, 15 Oct 2014 23:14:09 +0200
>Alan McKinnon <alan.mckinnon at gmail.com> wrote:
>
>On 15/10/2014 09:59, Jos wrote:
>> Hi Guys
>>
>> Thanks to you both for the replies. I should have mentioned I’ve tried the
>> ACL-SORT option being disabled/enabled in config without seeing any
>> success, I had this line in rancid.conf:
>>
>> # if ACLSORT is NO, access-lists will NOT be sorted.
>> ACLSORT=NO; export ACLSORT
>> #
>>
>> I have tried removing “export ACLSORT” with no luck either.
>>
>>
>> I have 4 or 5 ASR9K’s running 4.3.x and all do the same thing. Perhaps a
>> better example is this one:
>>
>> Rancid backs up this:
>> ipv4 access-list name
>> permit ipv4 any 166
>> remark the below subnet is currently not in use
>> permit ipv4 any 166
>>
>> What we have configured is:
>> ipv4 access-list name
>> 10 permit ipv4 any 166.1xx.xx.xx/28
>> 20 remark the below subnet is currently not in use
>> 30 permit ipv4 any 166.1xx.xx.xxx/28
>>
>>
>> - so the rancid backup leaves a bit to be desired here I think.
>
>
>The truncated address is due to this code in WriteTerm():
>
>if (/^ipv(4|6) access-list (\S+)\s*$/) {
>...
>while (<INPUT>) {
>...
>($seq, $cmd, $misc, $ip) = ($_ =~ /^\s+(\d+) (\w+) (.*\s)(\w+)/);
>if ($cmd =~ /(permit|deny)/) {
>ProcessHistory("ACL $nlri $key $cmd",
>"$aclsort","$ip", " $cmd $misc$ip\n");
>...
>}
>}
>
>
>That final (\w+) stops at the first dot.
>
>I'm no Cisco guru and don't know all the permutations of how XR lists
>access-lists, but I imagine the address must be everything after
>"ipv(4|6) any ", so the regex should probably become:
>
>
>($_ =~ /^\s+(\d+) (\w+) (.*\s)(.*)/)
>
>
>This is for 2.3.8 (I don't have a 3.x install to hand to check)
>
>>
>> I have:
>> expect version 5.44.1.15
>> This is on centos 6.5, I had the packaged version of rancid installed, an
>> old 2.3.8 or something but then grabbed 3.1 and compiled it and have
>> removed the package.
>>
>>
>> Thanks for all your help with this, I can share more config if you let me
>> know what exactly.
>>
>> Cheers, Jos
>>
>>
>> On 15/10/14 18:27, "heasley" <heas at shrubbery.net> wrote:
>>
>>> Wed, Oct 15, 2014 at 07:22:23AM +0200, Alan McKinnon:
>>>>> Rancid collected config:
>>>>> ipv4 access-list no-rfc1918
>>>>> remark Deny traffic to RFC 1918
>>>>> deny ipv4 10.0.0.0/8 any
>>>>> deny ipv4 any 10
>>>>> deny ipv4 172.16.0.0/12 any
>>>>> deny ipv4 any 172
>>>>> deny ipv4 192.168.0.0/16 any
>>>>> deny ipv4 any 192
>>>>> permit ipv4 any any
>>>>>
>>>>>
>>>>> A minor problem where the ACL is obvious as above, but this is the
>>>>> exception.
>>>>> Can someone suggest a good fix or workaround for this please (preferably
>>>>> without changing the ASR9K config), I trust it affects others with this
>>>>> sort of config?
>>>>> I can see earlier posts mention xrrancid but can’t find that in our 3.1
>>>>> install.
>>>>
>>>> This appears to be rancid's acl renumbering, which is the designed
>>>> behaviour for good reasons.
>>>
>>> I don't think so; yes it's removing the line numbers, but it's botching
>>> every other line.
>>> _______________________________________________
>>> Rancid-discuss mailing list
>>> Rancid-discuss at shrubbery.net
>>> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>>
>>
>
>
>--
>Alan McKinnon
>alan.mckinnon at gmail.com

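Added example, not part of the original thread or of rancid: a stand-alone Perl script that runs the `WriteTerm()` regex quoted above and the replacement suggested in the thread over constructed ACL lines. The helper `parse_acl_line`, the `anchored` variant and the sample prefixes are assumptions made here; the last loop shows what each regex captures when the input line still ends in a newline.

```perl
#!/usr/bin/perl
# Added example, not rancid code. parse_acl_line() is a hypothetical helper.
use strict;
use warnings;

my %regex = (
    original => qr/^\s+(\d+) (\w+) (.*\s)(\w+)/,      # WriteTerm() as quoted in the thread
    proposed => qr/^\s+(\d+) (\w+) (.*\s)(.*)/,       # replacement suggested in the thread
    anchored => qr/^\s+(\d+) (\w+) (.*\s)(\S+)\s*$/,  # assumption: variant added for comparison
);

# Returns the text that would be stored for a permit/deny entry
# (" $cmd $misc$ip", sequence number dropped), or undef for other lines.
sub parse_acl_line {
    my ($re, $line) = @_;
    my ($seq, $cmd, $misc, $ip) = ($line =~ $re);
    return unless defined $cmd && $cmd =~ /(permit|deny)/;
    return " $cmd $misc$ip";
}

# Constructed sample input (not taken from a real router).
my @acl = (
    " 10 deny ipv4 10.0.0.0/8 any",
    " 20 deny ipv4 any 10.0.0.0/8",
    " 30 permit ipv4 any 192.0.2.16/28",
);

for my $name (qw(original proposed anchored)) {
    print "== $name, input without trailing newline ==\n";
    for my $line (@acl) {
        my $out = parse_acl_line($regex{$name}, $line);
        # A faithful backup equals the input minus its sequence number.
        (my $want = $line) =~ s/^\s+\d+ / /;
        printf "%-4s%s\n", ($out eq $want ? "ok" : "BAD"), $out;
    }
}

# If the newline is still attached, \s in (.*\s) can match it: the proposed
# regex then leaves $ip empty and the address ends up in $misc instead.
print "== captured address when the line ends in \\n ==\n";
for my $name (qw(original proposed anchored)) {
    my ($seq, $cmd, $misc, $ip) =
        (" 20 deny ipv4 any 10.0.0.0/8\n" =~ $regex{$name});
    printf "%-9s ip='%s'\n", $name, $ip;
}
```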
