Mailing List Archive

using
Hi chaps,

quick question about tftp'ing config files off foundry kit onto a tftp
server.

I've cobbled together a set of expect scripts, one per router, switch etc
that log onto a foundry box, and execute a tftp command to save the config
back onto my server. (sigh! our extreme kit does this for you
automagically, why can't foundry)

Anyway, the scripts all work when I run it from a bash shell on my linux
box but screw up when I try to run it from a cron job. It connects and then
seems to screw up when passing the login information

Anyone seen this before?

Any help appreciated

TIA
Alex


Sent using Mulberry 3.1.2
using [ In reply to ]
On Thu, 30 Sep 2004, Alex Sharaz wrote:

> Hi chaps,
>
> quick question about tftp'ing config files off foundry kit onto a tftp
> server.

Hi Alex,

it's not really answering your question, but I've been using "rancid"
(http://www.shrubbery.net/rancid/) to back up all our foundry kit for
over a year. It's a tool to backup and archive configs, and it works
really well. It has modules for Foundry, Cisco, HP and many others.

Basically, it remotely logs on to each device regularly - I do it
every hour - and grabs a copy of the config, and also the output from
show flash,show module,show chassis,show version

It then compares this with the previous result - if they're the same it
takes no further action, if anything has changed it (a) stores the
changes in a CVS archive, and (b) mails you the diffs.

So you always have a copy of all current configs, can roll back to any
previous version, and it's obvious when any config changes get made.


Another trick you may find useful is that you can remotely "trigger" a
tftp config save via SNMP. I have some code to do this - the relevant
lines are:

# Transfer startup and running config to tftp host

# The OIDs and some Foundry SNMP trickery are documented here:
# http://www.notarus.net/networking/foundry_snmp.html
/usr/local/bin/snmpset -v 1 $hostip $community \
'.1.3.6.1.4.1.1991.1.1.2.1.5.0' a $tftphost \
'.1.3.6.1.4.1.1991.1.1.2.1.8.0' s $config \
'.1.3.6.1.4.1.1991.1.1.2.1.9.0' i $int

where $hostip is the foundry IP, $community is the SNMP community,
$tftphost is the IP address of the server, $config is the filename to
save on the server and $int is either 22 for running-config or 20 for
startup-config.

Bruce.

--
Bruce Rodger |Bruce.Rodger@strath.ac.uk PGP key available
Network Manager, IT Services |http://www.strath.ac.uk/IT/People/bruce.html
The University of Strathclyde | +44 (0)141 548 3300
Glasgow G4 0LN, Scotland. | Fax 553 4100
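
The SNMP-triggered save described in the message above, wrapped for use from cron, as an added example that is not part of the original post. It assumes Net-SNMP's snmpset (community passed with -c); the function names and the SNMP_COMMUNITY and DRY_RUN variables are hypothetical.

```sh
#!/bin/sh
# Added example: ask a Foundry device to upload its config to a TFTP server.
# OIDs and the 20/22 codes are the ones quoted in the message above.
# Assumes Net-SNMP's snmpset; DRY_RUN=1 prints the command instead of running it.

OID_TFTP_ADDR='.1.3.6.1.4.1.1991.1.1.2.1.5.0'
OID_CFG_FILE='.1.3.6.1.4.1.1991.1.1.2.1.8.0'
OID_ACTION='.1.3.6.1.4.1.1991.1.1.2.1.9.0'

# Map a config name to the integer the device expects.
action_code() {
    case "$1" in
        startup) echo 20 ;;
        running) echo 22 ;;
        *) return 1 ;;
    esac
}

# Accept only plain file names: no path separators, no leading dash or dot.
safe_filename() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# foundry_tftp_save HOST TFTP_IP FILENAME running|startup
# The community is read from $SNMP_COMMUNITY so it stays out of crontab lines.
foundry_tftp_save() {
    host=$1 tftp=$2 file=$3 kind=$4
    code=$(action_code "$kind") || { echo "bad config type: $kind" >&2; return 2; }
    safe_filename "$file" || { echo "bad filename: $file" >&2; return 2; }
    [ -n "${SNMP_COMMUNITY:-}" ] || { echo "SNMP_COMMUNITY not set" >&2; return 2; }
    set -- snmpset -v 1 -c "$SNMP_COMMUNITY" "$host" \
        "$OID_TFTP_ADDR" a "$tftp" \
        "$OID_CFG_FILE" s "$file" \
        "$OID_ACTION" i "$code"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # Drop "snmpset -v 1 -c <community>" and print with the community masked.
        shift 5
        echo "snmpset -v 1 -c *** $*"
        return 0
    fi
    "$@"
}
```

Run it once with DRY_RUN=1 to see the exact snmpset invocation before putting it in cron.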
using [ In reply to ]
On Thu, 30 Sep 2004, Bruce Rodger wrote:
: On Thu, 30 Sep 2004, Alex Sharaz wrote:

: > quick question about tftp'ing config files off foundry kit onto a tftp
: > server.

: it's not really answering your question, but I've been using "rancid"
: (http://www.shrubbery.net/rancid/) to back up all our foundry kit for
: over a year. It's a tool to backup and archive configs, and it works
: really well. It has modules for Foundry, Cisco, HP and many others.
:
: Basically, it remotely logs on to each device regularly - I do it
: every hour - and grabs a copy of the config, and also the output from
: show flash,show module,show chassis,show version
:
: It then compares this with the previous result - if they're the same it
: takes no further action, if anything has changed it (a) stores the
: changes in a CVS archive, and (b) mails you the diffs.
:
: So you always have a copy of all current configs, can roll back to any
: previous version, and it's obvious when any config changes get made.


There is also the IronView Network Manager...

scott
using [ In reply to ]
> : So you always have a copy of all current configs, can roll back to any
> : previous version, and it's obvious when any config changes get made.
>
>
> There is also the IronView Network Manager...
>

Enough said :-)

I looked at Ironview, and wasn't impressed. Perhaps it has improved....
but we thought it was a lot of money for not a lot of functionality.

It's definitely NOT a network management package - more of a router/config
management tool. We decided not to buy it - it had some nice features, but
didn't give us anything that we didn't already have via various other
freeware tools (rancid, netdisco, mrtg).

On the other hand, we DID buy Inmon traffic server (a Sflow analysis package)
and are very impressed with it. The "fan-out" report is one of the most
useful reports I've obtained from any network management tool.


Another tool which is worth a look is netdisco (www.netdisco.org). It's
very cisco-centric, but I've been working on a patch to get it to use
FDP rather than CDP. Without that patch, you need to enter topology
information manually, which is tedious, but once set up it polls all
routers and switches regularly, retrieving arp and bridging tables, and
storing it in a database. So you can very quickly find out which
devices (by mac or ip) are connected to each switch port. You can also
enable/disable ports via netdisco. Definitely worth a closer look.

Bruce.
using [ In reply to ]
Many thanks for this, Bruce. Nice thing to have a play around with on a
Friday afternoon :-))
Alex

--On 30 September 2004 21:04 +0100 Bruce Rodger <Bruce.Rodger@strath.ac.uk>
wrote:

> http://www.shrubbery.net/rancid/



Sent using Mulberry 3.1.2
using [ In reply to ]
Do not forget using snmp to trigger a tftp backup, see page 68:

http://www.foundrynet.com/services/documentation/MIB/mib.pdf

This is what I do. Works flawlessly from a tiny shell script in cron.


-----Original Message-----
From: foundry-nsp-bounces@puck.nether.net
[mailto:foundry-nsp-bounces@puck.nether.net] On Behalf Of Alex Sharaz
Sent: Thursday, September 30, 2004 10:29 AM
To: foundry-nsp@puck.nether.net
Subject: [f-nsp] using

Hi chaps,

quick question about tftp'ing config files off foundry kit onto a tftp
server.

I've cobbled together a set of expect scripts, one per router, switch
etc that log onto a foundry box, and execute a tftp command to save the
config back onto my server. (sigh! our extreme kit does this for you
automagically, why can't foundry)

Anyway, the scripts all work when I run it from a bash shell on my linux
box but screw up when I try to run it from a cron job. It connects and
then seems to screw up when passing the login information

Anyone seen this before?

Any help appreciated

TIA
Alex


Sent using Mulberry 3.1.2
using [ In reply to ]
It's (rancid) a very useful tool. I find that the main benefit is not that it
backs up the configs, but that it tells you what has changed, and
when. Very useful in an environment where several people are modifying
router configs.

I run it hourly, and I regularly get mails like the one below, which
shows that during the last hour someone has added a "spanning tree"
statement to one particular config.

It's clever enough to know about things in the config that you would expect
to change - timestamps etc.

The only real problem I've found is that occasionally when retrieving
the config from a BigIron, the module serial number (as reported by
"show version") gets corrupted, so you occasionally get emails from
rancid saying the config has changed, with a corresponding email an
hour later saying it has changed back....

Bruce.


*** 107,114 ****
!
vlan 3140 name SGBS-Students by port
tagged ethe 3/11
router-interface ve 40
+ spanning-tree
!
vlan 252 name Todd-Centre by port
untagged ethe 1/5
!
***************
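
Review bot: the "spanning-tree" line is added under vlan 3140 only, while vlan 252 directly below it in the same hunk has no spanning-tree statement. If spanning tree is meant to run on every port-based VLAN on this box, vlan 252 needs the same line; if 3140 is a deliberate exception (it is the VLAN with "router-interface ve 40" and a tagged port), that reason belongs in the change record, since the diff itself carries no author or rationale.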



using [ In reply to ]
On Fri, Oct 01, 2004 at 10:12:19AM +0100, Bruce Rodger wrote:

>
> It's (rancid) a very useful tool. I find that the main benefit is not that it
> backs up the configs, but that it tells you what has changed, and
> when. Very useful in an environment where several people are modifying
> router configs.

We are doing the same, but then with custom-built software and also the
use of CVS (which rancid also employs). I had some troubles using rancid
in our setup of mainly different equipment and had to rebuild something
from scratch which would do the job. However it's really custom so
expect no public release anywhere soon.

--
Cliff Albert <cliff@oisec.net>
using [ In reply to ]
* Bruce.Rodger@strath.ac.uk (Bruce Rodger) [Fri 01 Oct 2004, 11:15 CEST]:
[about rancid]
> The only real problem I've found is that occasionally when retrieving
> the config from a BigIron, the module serial number (as reported by
> "show version") gets corrupted, so you occasionally get emails from
> rancid saying the config has changed, with a corresponding email an
> hour later saying it has changed back....

You get that too? Here it usually happens with the standby mgmt module.
I first thought it'd be telnet crapping out, or rancid's --More-- pause
detector (pagebreaks are a pain to work around on IronWare in automated
scripts), until it showed "Non-exist." for the first time, and reverted
to the correct serial # on the next run.

Guess I now have really no excuse anymore to not submit it as a bug :)

I can wholeheartedly recommend rancid. Hook it up to a user with
lowered privilege levels (one that can only execute "show" command),
optionally write a script to watch syslog and tell rancid to get the
config whenever a box logs that it's been changed. You can't upload
configs with it but it forms a good audit trail along with cvsweb.


-- Niels.

--
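
The syslog-watching script suggested in the message above, as an added example that is not part of the original post. The log wording it matches, the sample lines, the allowlist file and the function names are constructed; the default collector command "rancid-run -r" is an assumption about the installed rancid version.

```sh
#!/bin/sh
# Added example: turn config-change syslog lines into devices to re-collect.
# The message wording matched below and the sample lines are constructed.

# changed_devices ALLOWLIST < syslog
# Prints each allowlisted host that logged a config change, once.
# Syslog arrives unauthenticated, so a host name is only accepted when it
# appears in ALLOWLIST (one device name per line, hypothetical file).
changed_devices() {
    awk -v list="$1" '
        BEGIN { while ((getline h < list) > 0) known[h] = 1 }
        /(running|startup)-config was changed/ {
            host = $4                  # "Mon DD HH:MM:SS host message..."
            if ((host in known) && !seen[host]++) print host
        }'
}

# refresh_changed ALLOWLIST < syslog
# Runs the collector once per changed device. RANCID_CMD defaults to
# "rancid-run -r" (assumption: the installed rancid supports -r <device>).
refresh_changed() {
    changed_devices "$1" | while read -r dev; do
        # stdin is redirected so the collector cannot eat the device list.
        ${RANCID_CMD:-rancid-run -r} "$dev" </dev/null
    done
}

# Constructed sample input: two changes on one switch, an unrelated event,
# a line from a sender that is not in the allowlist, and one router change.
sample_syslog() {
    cat <<'EOF'
Oct  1 10:02:11 sw-lib-1 running-config was changed from telnet client 192.0.2.44
Oct  1 10:02:40 sw-lib-1 startup-config was changed from telnet client 192.0.2.44
Oct  1 10:05:03 sw-eng-2 Interface ethernet 3/11, state up
Oct  1 10:07:19 not-a-device running-config was changed from console
Oct  1 10:09:55 rtr-core-1 running-config was changed from console
EOF
}
```

Feed it the lines logged since the last run, so each change triggers one collection rather than waiting for the hourly job.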
using [ In reply to ]
>
> Guess I now have really no excuse anymore to not submit it as a bug :)
>

If you do, let me know what happens....

I've been meaning to do it for ages, but I try to not have more than
one "trivial" bug open at once, otherwise I waste too much time following them
up.

Example: Two of our bigirons occasionally throw an error message onto the
telnet console "Error! tunnel, but uptr_pkthdr=NULL"

So I logged a call just asking what this means. I had a suspicion that it was
PIM-related.

So far I've not had a definitive answer, but have been asked for
several "show tech" outputs, some console diagnostics (which means
physically visiting the site) and they've also asked me to disable and
re-enable PIM, which involves a reboot. Sigh.

Bruce.

using [ In reply to ]
On (02/10/04 22:08), Niels Bakker wrote:
>
> * Bruce.Rodger@strath.ac.uk (Bruce Rodger) [Fri 01 Oct 2004, 11:15 CEST]:
> [about rancid]
> > The only real problem I've found is that occasionally when retrieving
> > the config from a BigIron, the module serial number (as reported by
> > "show version") gets corrupted, so you occasionally get emails from
> > rancid saying the config has changed, with a corresponding email an
> > hour later saying it has changed back....
>
> You get that too?

i see it too, mostly on our ni1500's

> I can wholeheartedly recommend rancid. Hook it up to a user with
> lowered privilege levels (one that can only execute "show" command),
> optionally write a script to watch syslog and tell rancid to get the
> config whenever a box logs that it's been changed. You can't upload
> configs with it but it forms a good audit trail along with cvsweb.

i too will add a recommendation for rancid :)

you can push config changes with rancid, you just have to pre-write
them (which could work with automated scripting), and then use the
'-s' flag on flogin

/joshua
--
using [ In reply to ]
* jejs@sahala.org (joshua sahala) [Mon 04 Oct 2004, 03:51 CEST]:
> you can push config changes with rancid, you just have to pre-write
> them (which could work with automated scripting), and then use the
> '-s' flag on flogin

This is true, I meant more in a verified way where the program would do
a syntax check on the commands you give it and reject obvious errors.


-- Niels.

--
using [ In reply to ]
* jejs at sahala.org (joshua sahala) [Mon 04 Oct 2004, 03:51 CEST]:
> On (02/10/04 22:08), Niels Bakker wrote:
>> * Bruce.Rodger at strath.ac.uk (Bruce Rodger) [Fri 01 Oct 2004, 11:15 CEST]:
>> [about rancid]
>>> The only real problem I've found is that occasionally when retrieving
>>> the config from a BigIron, the module serial number (as reported by
>>> "show version") gets corrupted, so you occasionally get emails from
>>> rancid saying the config has changed, with a corresponding email an
>>> hour later saying it has changed back....
>> You get that too?
> i see it too, mostly on our ni1500's

I opened a case and it should be fixed in an upcoming version of 7.6.06
(bugid is 37644, I think).


-- Niels.

--
using [ In reply to ]
On Tue, 8 Feb 2005, Niels Bakker wrote:

> > On (02/10/04 22:08), Niels Bakker wrote:
> >> * Bruce.Rodger at strath.ac.uk (Bruce Rodger) [Fri 01 Oct 2004, 11:15 CEST]:
> >>> The only real problem I've found is that occasionally when retrieving
> >>> the config from a BigIron, the module serial number (as reported by
> >>> "show version") gets corrupted, so you occasionally get emails from
> >>> rancid saying the config has changed, with a corresponding email an
> >>> hour later saying it has changed back....
>
> I opened a case and it should be fixed in an upcoming version of 7.6.06
> (bugid is 37644, I think).
>

From the list of 7.8.00d bug fixes:

37644 - show version shows corrupt serial number of a secondary management module.

Bruce.

