BSD Guides :: Doing Stuff With FreeBSD, NetBSD, OpenBSD, & Mac OS X

RANCID
Created: 06/25/2007


General Information

RANCID monitors a router's (or more generally a device's) configuration, including software and hardware (cards, serial numbers, etc) and uses CVS (Concurrent Version System) or Subversion to maintain history of changes.

Requirements

  1. FreeBSD box (mine is 6.2)
  2. Router's with enable access
  3. Local root access on the box or be able to su to root.
  4. A SSH client such as puTTy or SecureCRT (if you are setting it up remotely)

Installation

Let's install RANCID from ports:
#
#		 cd /usr/ports/net-mgmt/rancid/
make install clean

Configuration

Copy the rancid.conf.sample to rancid.conf; Conf file is pretty well commented.
# cp /usr/local/etc/rancid.conf.sample /usr/local/etc/rancid.conf
I only uncomment the following:
LIST_OF_GROUPS="networks"
MAILDOMAIN="@yourdomain.tld"; export MAILDOMAIN
Then create a "rancid" user account to run rancid.
# pw user add rancid
Let's make sure the rancid is for rancid only.
# chown -R rancid:rancid /usr/local/etc/rancid
Now copy the cloginrc.sample to your ~rancid (rancid user) and then copy it to .cloginrc file.  Then make sure again it's for rancid only:
#
#		 chown rancid:rancid .cloginrc
vi .cloginrc
Here is an example on mine
add user * rancid will log in as the rancid user if the device uses a username prompt i.e. tacacs+
add password *-pix-fw
add method *-pix-fw ssh
The above will log into any host matching somehost-pix.fw as rancid with the above specified passwords
add password specific-hosting-fw
add method specific-hosting-fw ssh
The above will log only into the firewall whose host is specific-hosting-fw as rancid with the above specified passwords
# all our routers, i.e.: everything else
add password *

# set ssh encryption type, dflt: 3des
add cyphertype *
Then let's try it.
clogin [router IP]

[rancid@lab ~]$ /usr/local/libexec/rancid/clogin 10.0.0.1
10.0.0.1
spawn telnet 10.0.0.1
Trying 10.0.0.1...
Connected to CISCO-1.
Escape character is '^]'.

CISCO-1 line 162


User Access Verification

Username: rancid
Password:

CISCO-1>enable
Password:
CISCO-1#
You might consider to link the clogin to /usr/sbin just a suggestion.

Now let's set up the CVS... do this with root
#
#
#
#		 cd /usr/local/
rm -fr var/rancid
mkdir /usr/local/var/rancid
chown -R rancid:rancid /usr/local/var/rancid
Then logout as root and login as rancid user; run the cvs.
$ /usr/local/bin/rancid-cvs
You should see diff and logs is created in /usr/local/var/rancid
CVS   ---- CVS log
logs ---- logs
networks ---- created based on your group on rancid.conf

Let's add the router on the database...

# vi /usr/local/var/rancid/networks/router.db


10.0.0.1:cisco:up

/usr/local/bin/rancid-run
Then check your email... If you received something then you're done.

Author: coolest
shonga_kerz at hotmail dot com