Opengear data center and remote site management devices integrate with RANCID - the Really Awesome New Cisco confIg Differ. RANCID is a popular open source package that's readily available for Linux, FreeBSD and Mac OS X servers.
There are many HOWTOs on how to set up a standard RANCID install to monitor existing infrastructure. One which the Opengear engineers have used is http://openmaniak.com/rancid_tutorial.php.
The following instructions assume you've installed RANCID according to the above tutorial. Specifically they assume that you've created a "rancid" user and that the RANCID binaries have been installed to "~rancid/bin" (the rancid user's home directory; written "~/rancid/bin" below when you are logged in as that user). Many of the scripts in "~rancid/bin" begin with #!/usr/bin/perl or #!/usr/bin/expect, so if you are running FreeBSD (where ports install interpreters under /usr/local/bin) or another distribution that places them elsewhere, you may need to edit those lines to reference the actual location of perl or expect on your system. After extracting any scripts, also check that they are still executable (chmod +x), since not every zip preserves Unix permissions.
Opengear currently integrates with RANCID in two ways: one as an Opengear RANCID device type, the other as an out-of-band access channel to other device types.
Opengear RANCID device type
The Opengear RANCID device type allows RANCID to back up and monitor, via SSH or Telnet, an Opengear device's config.xml, its connected USB devices and, if authenticating as the root user, the hashed passwords of on-board users. Be aware that those hashes then land in RANCID's revision control repository and in the diff emails RANCID sends on every change, so restrict access to the repository and the notification list accordingly.
To set up and install the Opengear RANCID device type, complete the following steps, choosing the second step appropriate to your version of RANCID:
1) Download the opengear rancid zip file attached to this page and extract it into ~/rancid/bin/. It contains three scripts:
    oglogin
    ograncid
    ssh-serial-console-wrapper
2a) With RANCID version 2.3.x, insert the following line inside the 'vendortable' clause in ~/rancid/bin/rancid-fe:
'opengear' => 'ograncid',
RANCID 2.3.x is now ready to be configured to monitor Opengear devices, just as it would for any other device. For example, to configure RANCID to monitor an ACM5004 that's at 192.168.0.1 with username 'root' and password 'default', add the following lines to your router.db and .cloginrc. Note that .cloginrc holds these passwords in cleartext, so keep it mode 600 and owned by the rancid user (RANCID's login scripts refuse to use a world-readable .cloginrc), and that 'default' is Opengear's factory root password: substitute the real password you set on the device.
router.db:
192.168.0.1:opengear:up
.cloginrc:
add method 192.168.0.1 ssh
add password 192.168.0.1 default
add user 192.168.0.1 root
add cyphertype 192.168.0.1 aes256-ctr
2b) With RANCID version 3.1, the router.db delimiter has changed from ':' to ';', avoiding clashes with IPv6 addresses.
The ~/rancid/bin/rancid-fe format has also changed, so instead of editing it create the file ~/rancid/etc/rancid.types.conf and insert the following line:
opengear;script;ograncid
RANCID 3.1.x is now ready to be configured to monitor Opengear devices, just as it would for any other device. For example, to configure RANCID to monitor an ACM5004 that's at 192.168.0.1 with username 'root' and password 'default' add the following lines to your router.db and .cloginrc:
Edit file ~/rancid/var/GROUP_NAME/router.db and insert the following lines:
192.168.0.1;opengear;up
Edit file ~/rancid/.cloginrc and insert the following lines:
add method 192.168.0.1 ssh
add password 192.168.0.1 default
add user 192.168.0.1 root
add noenable 192.168.0.1 1
add cyphertype 192.168.0.1 aes256-ctr
2c) With RANCID versions later than 3.1, modify the file ~/rancid/etc/rancid.types.base and insert the following lines. (rancid.types.base is the table shipped with RANCID and is overwritten on upgrade; the same two lines placed in ~/rancid/etc/rancid.types.conf, the local definitions file that rancid-fe reads alongside it, survive upgrades.)
opengear;script;ograncid
opengear;login;oglogin
RANCID > 3.1 is now ready to be configured to monitor Opengear devices, just as it would for any other device. For example, to configure RANCID to monitor an ACM5004 that's at 192.168.0.1 with username 'root' and password 'default' add the following lines to your router.db and .cloginrc:
Edit file ~rancid/var/GROUP_NAME/router.db and insert the following lines:
192.168.0.1;opengear;up
Edit file ~rancid/.cloginrc and insert the following lines:
add method 192.168.0.1 ssh
add password 192.168.0.1 default
add user 192.168.0.1 root
add noenable 192.168.0.1 1
add cyphertype 192.168.0.1 aes256-ctr
Note: the user account (e.g. root or an admin user) that RANCID logs in as to monitor the Opengear device must use the default "# " or "$ " prompt (note the trailing space). Do not use custom prompts such as "username@hostname$ " or "hostname-cons1> ", as the oglogin script that performs the login can only detect the default "# " or "$ " prompt.
Opengear as a RANCID device concentrator
The second way an Opengear can integrate with RANCID is to use it as a device concentrator. Normally RANCID contacts the devices it monitors over their network interfaces using SSH or Telnet. This has limitations: if a configuration change (or a fault) leaves a device unreachable over the network, RANCID can no longer log in to see what has changed.
It is now possible to leverage the out-of-band serial console capabilities that an Opengear console server provides to ensure reliable access to the devices you need managed via RANCID.
The differences between the serial console and the network console of most devices require a shim script to ensure that RANCID will talk successfully to a network-exposed serial console.
This involves installing a script that lets you use the serial ports accessible over the network via an Opengear console server as the access path for RANCID.
The wrapper script is available inside the opengear rancid zip file attached to this page (it is the file, ssh-serial-console-wrapper). Install it to ~rancid/bin, as before with the other Opengear RANCID scripts.
We recommend using SSH to talk to devices through the Opengear. On the Opengear, ensure that the serial ports in question are configured (speed and other settings matching the attached console) and that SSH access to those ports is allowed.
For example, imagine you have an Opengear configured with a network address of 192.168.0.250. Connected to serial port 2 is a Cisco ASA, and to port 3 is a Cisco 1721.
Before configuring RANCID to monitor via these serial ports, test that you can authenticate via SSH to each port like so, using the Opengear's root password (the user:portN login syntax selects the serial port):
For the Cisco ASA on Port 2:
ssh -l root:port2 192.168.0.250
For the Cisco 1721 on Port 3:
ssh -l root:port3 192.168.0.250
Now, to configure RANCID to talk to devices behind the Opengear, you need to specify them in a particular way in the standard router.db and .cloginrc files. RANCID normally has the concept of a single device per IP address. Opengear has overcome this by allowing a special character, '%', to be used in the IP address or domain name to specify the devices behind a console server. The wrapper script installed earlier detects the '%' and interprets the IP address or hostname correctly.
Using the same example from before, you would set this up in RANCID as so:
router.db:
192.168.0.250%ciscoasa:cisco:up
192.168.0.250%cisco1721:cisco:up
.cloginrc:
add password 192.168.0.250%cisco1721 opengearpassword ciscopassword1
add user 192.168.0.250%cisco1721 root:port3
add password 192.168.0.250%ciscoasa opengearpassword ciscopassword2
add user 192.168.0.250%ciscoasa root:port2
add method *%* ssh
add sshcmd *%* ~rancid/bin/ssh-serial-console-wrapper
add cyphertype 192.168.0.250%ciscoasa aes256-ctr
Note: the name after the % in the router specification in router.db and .cloginrc can be any combination of lowercase letters and numbers. We recommend that it be a descriptive name identifying the device connected to the serial port, as it's this full name (i.e. 192.168.0.250%ciscoasa) that will appear in email notifications when RANCID detects a configuration change.
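The entries above are easy to get subtly wrong: a leftover 2.3-style ':' line in a 3.x router.db, a device with no matching 'add user' or 'add password' line, a '%' entry with no sshcmd pointing at the wrapper, or a .cloginrc that other users can read. The following script is an added example, not part of the Opengear download or of RANCID, that cross-checks a router.db and .cloginrc pair for exactly these problems. It writes the entries from both sections of this page as constructed sample files and needs no RANCID installation; the function names and problem messages are this example's own, and plain shell globs stand in for the Tcl glob matching RANCID applies to .cloginrc patterns.

```shell
#!/bin/sh
# Added example, not part of Opengear's RANCID package or of RANCID itself:
# cross-check a router.db and a .cloginrc before handing them to RANCID.
# The files written by write_sample_files are constructed for this example
# from the entries shown on this page.

# Strip comments and blank lines from a router.db.
routerdb_body() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Print "name type state" per entry, accepting the RANCID 2.3 ':' and the
# 3.x ';' delimiter (chosen per line, so IPv6 names in ';' files still parse).
routerdb_entries() {
    routerdb_body "$1" |
    awk '{ d = (index($0, ";") ? ";" : ":")
           n = split($0, f, d)
           if (n >= 3) print f[1], f[2], f[3] }'
}

# Succeed if .cloginrc ($1) has an "add $2 <pattern> ..." line whose pattern
# matches device name $3.  Shell globs stand in for the Tcl string-match
# globs RANCID uses; both treat the page's '*%*' wildcard the same way.
cloginrc_matches() {
    sed 's/#.*//' "$1" |
    awk -v k="$2" '$1 == "add" && $2 == k { print $3 }' |
    ( while read -r pat; do
          case "$3" in $pat) exit 0 ;; esac
      done
      exit 1 )
}

# Print one line per problem found in router.db ($1) and .cloginrc ($2).
find_problems() {
    # .cloginrc holds cleartext passwords; RANCID's login scripts also refuse
    # a file that other users can read.
    case $(ls -ld "$2" | cut -c5-10) in
        ------) ;;
        *) echo "$2: holds cleartext passwords, chmod 600 it" ;;
    esac
    # Lines without ';' in a file that otherwise uses ';' are 2.3-style
    # leftovers that the 3.x parser will not read as intended.
    if routerdb_body "$1" | grep -q ';' &&
       routerdb_body "$1" | grep -v ';' | grep -q ':'; then
        echo "$1: mixes the 3.x ';' and the 2.3 ':' delimiters"
    fi
    routerdb_entries "$1" | while read -r name type state; do
        for key in method user password; do
            cloginrc_matches "$2" "$key" "$name" ||
                echo "$name: no 'add $key' line in $2 matches it"
        done
        # A '%' name is a device behind an Opengear console server and needs
        # the wrapper script as its sshcmd.
        case "$name" in
            *%*) cloginrc_matches "$2" sshcmd "$name" ||
                     echo "$name: '%' entry without an 'add sshcmd' wrapper line" ;;
        esac
    done
}

# Report problems; return 0 only when none were found.
check_rancid_config() {
    problems=$(find_problems "$1" "$2")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Write the sample pair from this page into directory $1 (constructed for the
# example; "default" is the Opengear factory password the page uses).
write_sample_files() {
    cat > "$1/router.db" <<'EOF'
# RANCID 3.x format: name;type;state
192.168.0.1;opengear;up
192.168.0.250%ciscoasa;cisco;up
192.168.0.250%cisco1721;cisco;up
EOF
    cat > "$1/.cloginrc" <<'EOF'
add method     192.168.0.1 ssh
add user       192.168.0.1 root
add password   192.168.0.1 default
add noenable   192.168.0.1 1
add cyphertype 192.168.0.1 aes256-ctr
add user       192.168.0.250%ciscoasa root:port2
add password   192.168.0.250%ciscoasa opengearpassword ciscopassword2
add user       192.168.0.250%cisco1721 root:port3
add password   192.168.0.250%cisco1721 opengearpassword ciscopassword1
add method     *%* ssh
add sshcmd     *%* ~rancid/bin/ssh-serial-console-wrapper
EOF
    chmod 600 "$1/.cloginrc"
}

# Stand-alone demo on the sample pair.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
if check_rancid_config "$demo_dir/router.db" "$demo_dir/.cloginrc"; then
    echo "sample router.db and .cloginrc are consistent"
fi
rm -rf "$demo_dir"
```

Point check_rancid_config at your real ~rancid/var/GROUP_NAME/router.db and ~rancid/.cloginrc; a device that prints no line is one RANCID has both an address and credentials for, which is the state you want before the first cron run fires off change emails.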
Finally we have a short video overviewing Opengear's RANCID support: http://www.youtube.com/watch?v=CMJbFp0dt08&feature=relmfu