Hands-On: Keep Networking Config Files Squeaky Clean With RANCID
This Linux and Unix freeware tool automatically compares configuration data from your network devices, enabling you to monitor changes that might otherwise go unnoticed.
The real power of RANCID is how it automatically tracks and notifies you of any configuration changes. To take advantage of that, you must set up e-mail notification recipients.
RANCID is designed to support multiple groups of network engineers working on different groups of switches and routers. In our labs, for instance, we have a set of devices in Syracuse, N.Y., Green Bay, Wis., and Gainesville, Fla. It makes sense for the technical editors in each location to oversee the devices located in their respective labs.
But to show how to get automation running, we defined a single group. RANCID's install README directs the modification of the configuration file "rancid.conf." This file will be in your $HOME/rancid/etc directory, where you can set variables such as work directories, job time-outs and groups for switches and routers. We modified the group setting and added only a single group--"nwc":
LIST_OF_GROUPS="$LIST_OF_GROUPS nwc"
The configuration file ".cloginrc" passes various parameters to "clogin." Userid, password and unique prompts, for example, can be stored in the ".cloginrc" file. The README shows how to configure ".cloginrc."
This file in our download came as a file named "cloginrc.sample." We had to rename it to ".cloginrc" in order to use it. We then placed it in the user's home directory ($HOME if using BASH on Red Hat). This renaming and moving process sets up the operating system so that RANCID will execute. Because ".cloginrc" can include the passwords for your devices, make sure you protect it from unauthorized use. Having it in your home directory helps.
RANCID won't execute "clogin" if the permissions on ".cloginrc" are open and readable by anyone. Check the current permissions by typing "ls -la .cloginrc" at the command line; the file must be readable and writable by the owner only. To change the permissions on the command line, type "chmod 600 .cloginrc." Check "man chmod," the short description of the change-mode (chmod) command, for more information on setting file permissions.
We added our test switch into ".cloginrc" by including:
add password switch.nwc.com vtypassword enablepassword
Then we could log in to our switch using:
clogin switch.nwc.syr.edu
Be careful not to add tabs or null characters when you add lines like the one above to the ".cloginrc" file. Null characters are interpreted by "clogin" as part of the password, which will cause it to fail. If you can't get the correct login and enable password to work, first test it manually by feeding the parameters directly into "clogin" as in the example above. If that's successful, the passwords are correct and working with "clogin." Then delete the "add password" line in ".cloginrc" and retype it, being careful not to inadvertently introduce additional characters. If you're unfamiliar with "vi," the default Unix editor, transfer the file to a Windows machine and edit it with Notepad or another text editor.
The next step defines the user's e-mail address to the operating system's e-mail service. This adds two aliases for our "nwc" group into the mail /etc/aliases file with the following two lines:
rancid-nwc: [email protected]
rancid-admin-nwc: [email protected]
These two lines resolve to the e-mail addresses listed. RANCID sends the compared (diffed) switch and router files to the address on the first line, and any RANCID error messages to the address on the second line. You can test whether this is working from the command line by entering the following commands:
Type "mail rancid-nwc" and press Enter
For the subject, type "test" and press Enter
For the body, type "test" and press Enter
Hold the "Ctrl" key and hit "C"
You'll get a "cc" line
Hold the "Ctrl" key and hit "C" again to send
If the mail transport is working, you'll receive the test e-mail. Then set up the files for each group, which in our case is only one "nwc":
rancid-cvs
You now have three new directories in the $HOME/rancid/var directory--CVS (Concurrent Versions System), logs and our group "nwc." Then you must populate an empty file (router.db) with the targeted switches and routers. Using a text editor, you can add a switch or router:
switch.nwc.syr.edu:switch_vendor_name:up
The line specifies the fully qualified domain name or IP address of the targeted switch or router, the router manufacturer and the device status--whether it's up or down.
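The two hand-edited files described above, ".cloginrc" and "router.db," are where most first-run failures originate: open permissions, stray tabs or null bytes in an "add password" line, and malformed router.db entries. The following pre-flight script is an added example written for this article, not part of RANCID itself. It assumes a GNU userland (the "stat -c" option, as on the Red Hat system used in the text), takes the two file paths as arguments, and uses "cisco" only as a constructed stand-in for the vendor field the text shows as switch_vendor_name.

```shell
#!/bin/sh
# Pre-flight checks for the two hand-edited RANCID files discussed in the text.
# Example code written for this article; not part of RANCID. Assumes GNU stat.

# cloginrc_perms_ok FILE -> succeeds only if the file is mode 0600 (owner
# read/write only), the state clogin requires before it will run.
cloginrc_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1   # GNU coreutils stat
    [ "$mode" = "600" ]
}

# cloginrc_clean FILE -> succeeds only if no "add password" line contains a
# tab and the file contains no NUL bytes, the characters clogin would
# otherwise treat as part of the password.
cloginrc_clean() {
    f=$1
    # A literal tab on any "add password" line is a failure.
    if grep '^add password' "$f" | grep -q "$(printf '\t')"; then
        return 1
    fi
    # NUL bytes: if stripping them changes the byte count, some were present.
    before=$(wc -c < "$f")
    after=$(tr -d '\000' < "$f" | wc -c)
    [ "$before" -eq "$after" ]
}

# routerdb_check FILE -> prints each malformed line and fails if any exist.
# Accepts the colon-separated form used in the text: name:vendor:up|down,
# with blank lines and "#" comments ignored.
routerdb_check() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        NF != 3 || $1 == "" || $2 == "" || ($3 != "up" && $3 != "down") {
            print "bad line " NR ": " $0
            bad++
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Usage: sh rancid-preflight.sh ~/.cloginrc ~/rancid/var/nwc/router.db
if [ $# -eq 2 ]; then
    cloginrc_perms_ok "$1" || echo "$1: permissions must be 0600 (chmod 600 $1)"
    cloginrc_clean "$1"    || echo "$1: tab or NUL found in an 'add password' line"
    routerdb_check "$2"    || echo "$2: fix the router.db lines listed above"
fi
```

Run it once after editing either file and again whenever "rancid-run" starts failing for a device; a 0600 check plus the tab/NUL scan covers the two ".cloginrc" mistakes the text warns about, and the router.db check catches a missing field or a status other than up/down before RANCID silently skips the device.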
Drum Roll, Please
It's time to see if everything is working properly. At a command prompt, type:
rancid-run
This executable reads your "router.db" and ".cloginrc" files. It also downloads a copy of the switch configuration to $HOME/rancid/var/nwc. The file is named after the domain name or IP address defined in your "router.db."
Now when you log on to a switch or router to make a change and rerun "rancid-run," you will have another log file. You also will receive an e-mail with the configuration files "diffed." The diff e-mail is sent only when a change has occurred. It looks something like the screenshot.
Bruce Boardman, executive editor of Network Computing, tests and writes about network and systems management. He has 12 years' experience managing networks and distributed computing for a financial service provider. Write to him at [email protected].