RANCID

General Information

RANCID monitors a router’s (or more generally a device’s) configuration, including software and hardware (cards, serial numbers, etc.), and uses CVS (Concurrent Versions System) or Subversion to maintain a history of changes.

Requirements

  1. A FreeBSD box (mine is 6.2)
  2. Routers with enable access
  3. Local root access on the box, or the ability to su to root
  4. An SSH client such as PuTTY or SecureCRT (if you are setting it up remotely)

Installation

Let’s install RANCID from ports:

# cd /usr/ports/net-mgmt/rancid/
# make install clean

Configuration

Copy rancid.conf.sample to rancid.conf; the conf file is pretty well commented.

# cp /usr/local/etc/rancid.conf.sample /usr/local/etc/rancid.conf

I only uncomment the following:

LIST_OF_GROUPS="networks"
MAILDOMAIN="@yourdomain.tld"; export MAILDOMAIN

Then create a “rancid” user account to run rancid.

# pw user add rancid

Let’s make sure the rancid configuration directory belongs to the rancid user only:

# chown -R rancid:rancid /usr/local/etc/rancid

Now copy cloginrc.sample into the rancid user’s home directory (~rancid) as .cloginrc. Then make sure again that it belongs to rancid only, and edit it:

# chown rancid:rancid .cloginrc
# vi .cloginrc

Here is an example of mine:

add user * rancid

The above makes rancid log in as the rancid user if the device uses a username prompt, i.e. TACACS+.

add password *-pix-fw
add method *-pix-fw ssh

The above will log into any host matching somehost-pix-fw as rancid with the above specified passwords.

add password specific-hosting-fw
add method specific-hosting-fw ssh

The above will log only into the firewall whose host is specific-hosting-fw as rancid with the above specified passwords.

# all our routers, i.e.: everything else
add password *

# set ssh encryption type, dflt: 3des
add cyphertype *

Then let’s try it:

clogin [router IP]

[rancid@lab ~]$ /usr/local/libexec/rancid/clogin 10.0.0.1
10.0.0.1
spawn telnet 10.0.0.1
Trying 10.0.0.1...
Connected to CISCO-1.
Escape character is '^]'.

CISCO-1 line 162


User Access Verification

Username: rancid
Password:

CISCO-1>enable
Password:
CISCO-1#

You might consider symlinking clogin into /usr/sbin; just a suggestion.

Now let’s set up the CVS repository; do this as root:

# cd /usr/local/
# rm -fr var/rancid
# mkdir /usr/local/var/rancid
# chown -R rancid:rancid /usr/local/var/rancid

Then log out as root, log in as the rancid user, and run rancid-cvs:

$ /usr/local/bin/rancid-cvs

You should see that the following directories have been created in /usr/local/var/rancid:

CVS      ---- the CVS repository
logs     ---- logs
networks ---- created based on your group in rancid.conf

Let’s add the router to the database:

# vi /usr/local/var/rancid/networks/router.db

10.0.0.1:cisco:up

Then run rancid as the rancid user:

$ /usr/local/bin/rancid-run

Then check your email… If you received something, then you’re done.
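As an added example (not part of the original post), here is a pre-flight script to run as the rancid user before the first rancid-run: it checks that .cloginrc is private to its owner (clogin checks that it is not group- or world-readable), warns when there is no catch-all "add method *" line (clogin then falls back to telnet, which is what the session above shows), and lists the router.db entries rancid-run will actually poll. Paths are the ones used in this post; the script name rancid-preflight.sh is made up.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks to run as
# the rancid user before the first rancid-run. Paths follow the post.

# Return 0 when the credentials file exists, is owned by the current user and
# is not group- or world-readable (mode 0600 or stricter). clogin checks this.
cloginrc_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -user "$(id -un)")" ] || return 1
    [ -z "$(find "$f" -perm -040 -o -perm -004)" ]
}

# Return 0 when .cloginrc has a catch-all "add method *" line. Without one,
# clogin uses its default transport, telnet, for every host not matched by a
# more specific pattern (the session in the post shows this fallback).
has_default_method() {
    grep -Eq '^[[:space:]]*add[[:space:]]+method[[:space:]]+\*([[:space:]]|$)' "$1"
}

# Print "host:type" for every well-formed "host:type:state" router.db line
# whose state is "up", i.e. the devices rancid-run will poll. Comments and
# blank lines are skipped; malformed lines go to stderr and are counted.
up_hosts() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        IFS=: read -r host type state extra <<EOF
$line
EOF
        if [ -z "$host" ] || [ -z "$type" ] || [ -n "$extra" ]; then
            echo "malformed: $line" >&2; bad=$((bad + 1)); continue
        fi
        case $state in
            up)   echo "$host:$type" ;;
            down) ;;
            *)    echo "unknown state: $line" >&2; bad=$((bad + 1)) ;;
        esac
    done < "$1"
    return $bad
}

# Usage: sh rancid-preflight.sh ~rancid/.cloginrc /usr/local/var/rancid/networks/router.db
if [ $# -eq 2 ]; then
    cloginrc_ok "$1" || echo "FAIL: $1 must be owned by $(id -un) with mode 0600" >&2
    has_default_method "$1" || echo "WARN: no 'add method *' in $1; clogin falls back to telnet" >&2
    echo "devices rancid-run will poll from $2:"
    up_hosts "$2" || echo "FAIL: $? malformed line(s) in $2" >&2
fi
```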
