[rancid] cisco-xr ASR9K and numbered ACL's

heasley heas at shrubbery.net
Mon Oct 20 23:13:56 UTC 2014


Wed, Oct 15, 2014 at 04:52:40PM -0400, Peter Jackson:
> I looked over the script last night and I think the tail end of the lines are being dropped because the regex needs to be tweaked.  \w in Perl regex doesn't match a period, does it?  If not, then the regex matches only up to the first period in the IP address and that is why the rest of the line is dropped.

Indeed that regex needs some adjustment.  What you suggest will fix the
truncation and is a good start, but the process needs to be expanded to
pick out the address properly.  Thanks.

> I will look again when I get a chance.
> 
> 
> 
> > On Oct 15, 2014, at 3:59 AM, Jos <buoy at clear.net.nz> wrote:
> > 
> > Hi Guys
> > 
> > Thanks to you both for the replies. I should have mentioned I’ve tried the
> > ACL-SORT option being disabled/enabled in config without seeing any
> > success, I had this line in rancid.conf:
> > 
> > # if ACLSORT is NO, access-lists will NOT be sorted.
> > ACLSORT=NO; export ACLSORT
> > #
> > 
> > I have tried removing “export ACLSORT” with no luck either.
> > 
> > 
> > I have 4 or 5 ASR9K’s running 4.3.x and all do the same thing. Perhaps a
> > better example is this one:
> > 
> > Rancid backs up this:
> > ipv4 access-list name
> > permit ipv4 any 166
> > remark the below subnet is currently not in use
> > permit ipv4 any 166
> > 
> > What we have configured is:
> > ipv4 access-list name
> > 10 permit ipv4 any 166.1xx.xx.xx/28
> > 20 remark the below subnet is currently not in use
> > 30 permit ipv4 any 166.1xx.xx.xxx/28
> > 
> > 
> > - so the rancid backup leaves a bit to be desired here I think.
> > 
> > I have:
> > expect version 5.44.1.15
> > This is on CentOS 6.5, I had the packaged version of rancid installed, an
> > old 2.3.8 or something but then grabbed 3.1 and compiled it and have
> > removed the package.
> > 
> > 
> > Thanks for all your help with this, I can share more config if you let me
> > know what exactly.
> > 
> > Cheers, Jos
> > 
> > 
> >> On 15/10/14 18:27, "heasley" <heas at shrubbery.net> wrote:
> >> 
> >> Wed, Oct 15, 2014 at 07:22:23AM +0200, Alan McKinnon:
> >>>> Rancid collected config:
> >>>> ipv4 access-list no-rfc1918
> >>>> remark Deny traffic to RFC 1918
> >>>> deny ipv4 10.0.0.0/8 any
> >>>> deny ipv4 any 10
> >>>> deny ipv4 172.16.0.0/12 any
> >>>> deny ipv4 any 172
> >>>> deny ipv4 192.168.0.0/16 any
> >>>> deny ipv4 any 192
> >>>> permit ipv4 any any
> >>>> 
> >>>> 
> >>>> A minor problem where the ACL is obvious as above, but this is the
> >>>> exception.
> >>>> Can someone suggest a good fix or workaround for this please (preferably
> >>>> without changing the ASR9K config), I trust it affects others with this
> >>>> sort of config?
> >>>> I can see earlier posts mention xrrancid but can’t find that in our 3.1
> >>>> install.
> >>> 
> >>> This appears to be rancid's acl renumbering, which is the designed
> >>> behaviour for good reasons.
> >> 
> >> I don't think so; yes it's removing the line numbers, but it's botching every
> >> other line.
> >> _______________________________________________
> >> Rancid-discuss mailing list
> >> Rancid-discuss at shrubbery.net
> >> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
> > 
> > 
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo/rancid-discuss
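
The truncation discussed in this thread, reproduced in Perl as an added example that is not part of the original messages and is not rancid's own code. The two patterns, the helper `strip_seq` and the sequence numbers in the sample ACL are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: the no-rfc1918 ACL from the thread as the router would
# show it. The sequence numbers are assumed; the thread only shows the
# collected output.
my @acl = (
    "ipv4 access-list no-rfc1918",
    "10 remark Deny traffic to RFC 1918",
    "20 deny ipv4 10.0.0.0/8 any",
    "30 deny ipv4 any 10.0.0.0/8",
    "40 deny ipv4 172.16.0.0/12 any",
    "50 deny ipv4 any 172.16.0.0/12",
    "60 permit ipv4 any any",
);

# Hypothetical patterns, not taken from rancid.
# $narrow captures the destination with \w+, which stops at the first "."
# of a dotted quad. $wide accepts "any" or a full address with optional
# prefix length and is anchored at the end of the line.
my $narrow = qr{^\s*\d+ ((?:permit|deny) ipv4 any \w+)};
my $wide   = qr{^\s*\d+ ((?:permit|deny) ipv4 any (?:any|[\d.]+(?:/\d+)?))\s*$};

# Return the ACL line without its sequence number. Lines matched by the
# rule pattern are rebuilt from the capture; all others only lose the number.
sub strip_seq {
    my ($line, $re) = @_;
    return $1 if $line =~ $re;
    (my $out = $line) =~ s/^\s*\d+ //;
    return $out;
}

# Print both results side by side and flag lines where the backup would
# no longer describe the filter that is configured on the device.
for my $line (@acl) {
    my $good = strip_seq($line, $wide);
    my $bad  = strip_seq($line, $narrow);
    printf "%-34s | %s%s\n", $good, $bad,
        $bad eq $good ? "" : "   <-- truncated";
}
```

With the narrow pattern, lines 30 and 50 come out as `deny ipv4 any 10` and `deny ipv4 any 172`, matching the collected config quoted above, while the source-side rules and the remark pass through intact.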

