[rancid] Reasoning behind not running a "show vlan" if specific VTP options are set?

Lee ler762 at gmail.com
Sat Jan 14 14:00:52 UTC 2017


On 1/13/17, heasley <heas at shrubbery.net> wrote:
> Fri, Jan 13, 2017 at 10:24:43AM -0500, Lee:
>> On 1/13/17, Mischa Diehm <mischa.diehm at unibas.ch> wrote:
>> > Hi
>> >
>> > I was wondering why we didn’t get any
>> > !VLAN…
>> > lines for our nexus 7700 rancid runs and found out that on the nexus a
>> > „show vtp“ gives:
>> >
>> > XXX-cc# show vtp status
>> > Service not enabled
>> >
>> > looking at the code I found that in /usr/share/perl5/rancid/nxos.pm:
>> >
>> > In sub ShowVTP
>> >         # Nexus 5k and 1000v do not support vtp
>> >         if (!/^VTP Operating Mode\s+:\s+(Transparent|Server)/) {
>> >             $DO_SHOW_VLAN = 0;
>> >         }
>> > and later in sub ShowVLAN:
>> >
>> >     ($_ = <$INPUT>, return(1)) if (!$DO_SHOW_VLAN);
>> >
>> > Similar for ios. I wonder why it would be bad to have the output of
>> > „show vlan“ in the config even if we were running the VTP-Modes exclude like
>> > „Server“. Okay the vlan configs might be inside the config (not always like
>> > in the „Server“ case) but the „show vlan“ shows more information like which
>> > interfaces are configured etc. So wouldn’t it be good to just remove this
>> > restriction?
>
> It causes never-ending changes in the config as ports become
> active/inactive, eg: someone disconnects or powers-off equipment.

For IOS switches I added
  'show vlan all-ports'
  'show vlan'
before
  'show vlan-switch'
and added this bit at the end of sub ShowVLAN
    # -LR- not everything supports "show vlan all-ports"
    # -LR- so do "show vlan all-ports" first and, if it succeeds,
    # -LR- clear the flag so we do not do a plain "show vlan"
    $DO_SHOW_VLAN = 0;          # -LR-
    return(0);
so rancid would save only the output from the first show vlan command
that succeeded.

'show vlan all-ports' shows vlan info even for shutdown switchports &
most all our stuff supports show vlan all-ports, so config-churn
wasn't a problem.

>  and in the case of VTP, it potentially is network wide.

  <.. snip rant about vtp ..>

>  if you wanted to monitor such things, it's
> probably best done in a NMS, where you'd catch all such changes.

It's nice having rancid collect vlan info; you can do things like
process all the configs to create a summary listing of
 vlanNum  vlanName: switch1  switch2 ... switchN
showing what vlans are configured where, do config sanity checks that
for all "switchport voice vlan NNN" the vlan NNN name starts with
"voice_", etc.

> rancid 3.5 added for some modules:
>
> # FILTER_OSC determines if oscillating data such as keys, passwords, etc are
> # filtered from configs by the value set (NO | YES).  FILTER_PWDS may override
> # this.  see rancid.conf(5).
> #FILTER_OSC=YES; export FILTER_OSC
>
> such a thing could be dependent upon this configuration, but again I do not
> see the point.

which is why it's so nice having the source code :)  Whatever pain
caused by collecting vlan info in rancid was, I thought, more than
offset by the utility of having rancid collect vlan info.

Best Regards,
Lee
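The config-processing Lee describes above (a "vlanNum vlanName: switch1 ... switchN" summary built from the !VLAN: lines rancid saves, plus the check that every "switchport voice vlan NNN" points at a VLAN whose name starts with "voice_"), as an added example that is not part of this thread or of rancid itself. It assumes rancid's "!VLAN: " prefix on show-vlan output and VLAN names without whitespace; the two switch configs are constructed sample input.

```python
import re

# Constructed sample rancid output for two switches (not real devices).
# rancid prefixes "show vlan" output with "!VLAN: " ahead of the config body.
CONFIGS = {
    "switch1": """\
!VLAN: VLAN Name                             Status    Ports
!VLAN: 1    default                          active    Gi1/0/1, Gi1/0/2
!VLAN: 10   users                            active    Gi1/0/3
!VLAN: 110  voice_users                      active
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport voice vlan 110
""",
    "switch2": """\
!VLAN: VLAN Name                             Status    Ports
!VLAN: 1    default                          active
!VLAN: 120  phones                           active
!
interface GigabitEthernet1/0/1
 switchport voice vlan 120
""",
}

# Table rows start with a VLAN number; header and port-continuation lines do not.
VLAN_ROW = re.compile(r"^!VLAN: (\d+)\s+(\S+)\s+(\S+)")  # assumes names have no spaces
VOICE = re.compile(r"^\s*switchport voice vlan (\d+)")

def parse_vlans(text):
    """Return {vlan_number: vlan_name} from the !VLAN: lines of one config."""
    return {int(m.group(1)): m.group(2)
            for m in (VLAN_ROW.match(l) for l in text.splitlines()) if m}

def vlan_summary(configs):
    """Map (vlanNum, vlanName) -> sorted switches where that VLAN is configured."""
    summary = {}
    for switch, text in configs.items():
        for num, name in parse_vlans(text).items():
            summary.setdefault((num, name), []).append(switch)
    return {k: sorted(v) for k, v in summary.items()}

def voice_vlan_violations(configs):
    """List (switch, vlan, name) where a voice VLAN's name lacks the voice_ prefix."""
    bad = []
    for switch, text in configs.items():
        names = parse_vlans(text)
        for m in filter(None, map(VOICE.match, text.splitlines())):
            num = int(m.group(1))
            name = names.get(num, "<undefined>")  # undefined VLAN is also a finding
            if not name.startswith("voice_"):
                bad.append((switch, num, name))
    return bad
```

Printing `vlan_summary(CONFIGS)` sorted by key gives the "vlanNum vlanName: switch1 switch2" listing; `voice_vlan_violations(CONFIGS)` flags switch2's VLAN 120 ("phones").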
