Mailing List Archive: RANCID: Users

Download configs from one router through another

 

 



Graham.Fleming at bdwalk

Sep 4, 2008, 2:56 PM

Post #1 of 14 (3457 views)
Download configs from one router through another

Hello all,



I've tried researching this but, to be honest, haven't been able to find
any concrete steps that make sense to me-please bear with me as I'm very
new to the whole RANCID/CVS/ViewVC thing although I have plenty Cisco
and Linux experience.



I have many clients with routers and switches on an internal network
that I can access either via VPN or by Cisco CLI by logging into their
public WAN-facing router and then drilling through the network that way.
I think I understand that I need to patch RANCID to allow this behavior.
So, here is my question:



How do I get this patch and how do I apply the patch to enable RANCID to
hop from one router to another?


Thank you so much for any help or points in the right direction!



Regards,

Graham





rancid at ale

Sep 5, 2008, 3:38 AM

Post #2 of 14 (3389 views)
Re: Download configs from one router through another [In reply to]

On Thursday 04 September 2008 23:56:37 Graham Fleming wrote:

> I have many clients with routers and switches on an internal network
> that I can access either via VPN or by Cisco CLI by logging into their
> public WAN-facing router and then drilling through the network that way.

I'm in a similar position to yourself, and I'm sure when I asked this I was
told it wasn't going to happen.

> I think I understand that I need to patch RANCID to allow this behavior.
> So, here is my question:
>
> How do I get this patch and how do I apply the patch to enable RANCID to
> hop from one router to another?

You're assuming the patch exists, although I assumed RANCID would do this
before I looked into it also. If you do find it, please let me know.

alexd


rspeed at gmail

Sep 5, 2008, 7:05 AM

Post #3 of 14 (3390 views)
Re: Download configs from one router through another [In reply to]

Maybe I'm crazy but I've been lurking on this list for years and I'm
almost certain I've seen the patch discussed a couple times over the
years...



cstave at gmail

Sep 5, 2008, 7:07 AM

Post #4 of 14 (3387 views)
Re: Download configs from one router through another [In reply to]

To do this you'd have to make significant changes in either clogin or
rancid, which might be possible to get working, but much more difficult to
make so that it works easily and productively, especially in a generic
fashion. If you're going to attempt this, the two ways of going about it as
far as I can guess in a few minutes are either change clogin to accept a
second address as an argument (not forgetting the issue of usernames and
passwords), or if you just want configs, change rancid itself so that there
is a new type of router in there that parses additional commands that
connect to the remote switches and get the configs that way. Either way, it
is a significant change in the way that rancid and clogin would be working.
Keep us updated if you add this functionality -- it seems some other people
would like it as well.

Chris



jeff at ocjtech

Sep 5, 2008, 8:11 AM

Post #5 of 14 (3384 views)
Re: Download configs from one router through another [In reply to]

On Fri, Sep 5, 2008 at 6:38 AM, Alex Dekker <rancid at ale.cx> wrote:
> On Thursday 04 September 2008 23:56:37 Graham Fleming wrote:
>
>> I have many clients with routers and switches on an internal network
>> that I can access either via VPN or by Cisco CLI by logging into their
>> public WAN-facing router and then drilling through the network that way.
>
> I'm in a similar position to yourself, and I'm sure when I asked this I was
> told it wasn't going to happen.
>
>> I think I understand that I need to patch RANCID to allow this behavior.
>> So, here is my question:
>>
>> How do I get this patch and how do I apply the patch to enable RANCID to
>> hop from one router to another?
>
> You're assuming the patch exists, although I assumed RANCID would do this
> before I looked into it also. If you do find it, please let me know.

Ed Ravin developed just the thing you need a few years ago. I've
attached a copy that I've re-based to apply against version 2.3.2a8.

--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then
I thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe."

-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-patch-for-out-of-band-access-to-devices.patch
Type: text/x-patch
Size: 4879 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20080905/d901529a/attachment.bin


rancid at ale

Sep 5, 2008, 11:38 AM

Post #6 of 14 (3384 views)
Re: Download configs from one router through another [In reply to]

On Friday 05 September 2008 16:05:49 ryan speed wrote:
> Maybe I'm crazy but I've been lurking on this list for years and I'm
> almost certain I've seen the patch discussed a couple times over the
> years...

The problem here isn't a lack of data [the patch and discussion about it may
well exist], it is what do we search for? What is a commonly-used term for
remotely accessing a device on a network that you don't have access to, using
a device on the edge of that network? I'm sure if I knew the right search
terms, I'd find it in no time :-)

alexd


rspeed at gmail

Sep 5, 2008, 11:44 AM

Post #7 of 14 (3394 views)
Re: Download configs from one router through another [In reply to]

the term I would use and have based my searches on is a bastion host/device



rspeed at gmail

Sep 5, 2008, 11:52 AM

Post #8 of 14 (3383 views)
Re: Download configs from one router through another [In reply to]

this may be what we're looking for

[rancid] patch for "out of band" access to devices
http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001490.html

or

Using rancid to hop from router to router
http://www.shrubbery.net/pipermail/rancid-discuss/2004-November/000905.html





shekhar at mos

Sep 5, 2008, 9:20 PM

Post #9 of 14 (3394 views)
Re: Download configs from one router through another [In reply to]

Would you mean this???


From: "Sherrill, Justin" <jsherrill at currentcomm.net>
To: Ed Ravin <eravin at panix.com>
Cc: rancid-discuss at shrubbery.net
Subject: [rancid] Re: 'out of band' access script changes?
Date: Mon, 27 Nov 2006 11:28:14 -0500

Alright, then to sum up for future people who may encounter this
problem:

If the target device for Rancid is on a separate network that can't be
accessed directly from the machine Rancid is on, but can be accessed
from a gateway device, here are the steps to reach that remote router.

In .cloginrc:

  add method 192.168.0.2 telnet
  add user 192.168.0.2 your_gateway_router_username
  add password 192.168.0.2 {your_gateway_router_password}

  add method 172.18.0.1 {usercmd}
  add user 172.18.0.1 your_remote_switch_username
  add password 172.18.0.1 {your_remote_switch_password} {your_remote_switch_enable_password}
  add usercmd 172.18.0.1 {clogin} {-noenable} {192.168.0.2}
  add usercmd_chat 172.18.0.1 {>} {telnet far-router\r} {User Access Verification} {}

clogin needs to be patched with Ed Ravin's changes here:
http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001490.html

The {>} in the above example needs to be changed to match whatever shows
up on the gateway system's prompt.

Credit goes to Ed Ravin for getting this all to work. Ed, I owe you
beer/cookies; mail me what brand/recipe you prefer and where to send
them.




eravin at panix

Sep 8, 2008, 12:03 PM

Post #10 of 14 (3381 views)
Re: Download configs from one router through another [In reply to]

On Fri, Sep 05, 2008 at 11:11:30AM -0500, Jeffrey Ollie wrote:
...
> Ed Ravin developed just the thing you need a few years ago. I've
> attached a copy that I've re-based to apply against version 2.3.2a8.

I'm not 100% happy with the way this patch works - it works fine if
the bastion host is a device other than the kind you are trying to
access. But if you are trying to access a Cisco from another Cisco,
you need to jump through some hoops (like putting in a unique prompt
or unique banner on one or both of them) to help the main clogin
figure out when the second clogin has finished the "out of band"
login.


Graham.Fleming at bdwalk

Sep 11, 2008, 10:52 AM

Post #11 of 14 (3386 views)
Re: Download configs from one router through another [In reply to]

Ed, thanks a lot for your patch. I got it working. Is there a way
though, to use wildcards with the usercmd_chat?

For instance, we log into a gateway router using a public IP address. We
then specify a method to reach the internal routers using usercmd. All
of the internal routers, let's say, are on the 10.0.0.0/24 network.

Is there a way to add a universal method that would use the 10.0.0.0/24
network as a wildcard (ie 10.0.0.*) and then could we put in a {*} or
something in the usercmd_chat so that any prompt is matched?

This would save us from adding dozens of separate .cloginrc commands for
the internal routers.

Regards,

Graham





eravin at panix

Sep 11, 2008, 12:17 PM

Post #12 of 14 (3387 views)
Re: Download configs from one router through another [In reply to]

On Thu, Sep 11, 2008 at 02:52:38PM -0400, Graham Fleming wrote:
> Ed, thanks a lot for your patch. I got it working. Is there a way
> though, to use wildcards with the usercmd_chat?
>
> For instance, we log into a gateway router using a public IP address. We
> then specify a method to reach the internal routers using usercmd. All
> of the internal routers, let's say, are on the 10.0.0.0/24 network.
>
> Is there a way to add a universal method that would use the 10.0.0.0/24
> network as a wildcard (ie 10.0.0.*) and then could we put in a {*} or
> something in the usercmd_chat so that any prompt is matched?
>
> This would save us from adding dozens of separate .cloginrc commands for
> the internal routers.

I'm not sure I fully understand what you're trying to do - it would help
if you posted a sanitized .cloginrc of what you're doing now, and then
a wishful thinking .cloginrc of what you'd like to have.

The "usercmd" definitions are matched the same way everything else is
in the *login scripts, which would let you have a common usercmd for
groups of routers. However, my patch doesn't add any functionality for
unique content in the usercmd variable or expansion of variables other
than what is already supported by clogin. There may be a way to use
"$router" in the usercmd definition or some other extra coding in cloginrc
to do what you want; it might require an extra "eval" in clogin when
assigning the value of $usercmd. Perhaps someone more familiar with
TCL and/or RANCID scripting could speak up with the details.

-- Ed


Graham.Fleming at bdwalk

Sep 12, 2008, 10:04 AM

Post #13 of 14 (3398 views)
Re: Download configs from one router through another [In reply to]

Thanks for the reply, Ed. Here's a small snippet of the kind of thing we
would be using your patch for. This would be one site where we log into
the GATEWAY router and then from there we would log into the internal
routers on the 172.16.0.0/24 network.

This is a small example for three such routers and how I have it
configured using your patch. The trouble is we have a few clients with
dozens of routers so, as you can see, this could get quite tedious:


add user 172.16.0.23 username1
add autoenable 172.16.0.23 1
add password 172.16.0.23 {password1}
add method 172.16.0.23 {usercmd}
add usercmd 172.16.0.23 {ssh} {username1@public-ip.address}
add usercmd_chat 172.16.0.23 {Password: } {password2\r} {GATEWAY-PROMPT#} {ssh 172.16.0.23\r} {Password: } {password1\r} {INTERNAL-PROMPT#} {\r}

add user 172.16.0.34 username1
add autoenable 172.16.0.34 1
add password 172.16.0.34 {password1}
add method 172.16.0.34 {usercmd}
add usercmd 172.16.0.34 {ssh} {username1@public-ip.address}
add usercmd_chat 172.16.0.34 {Password: } {password2\r} {GATEWAY-PROMPT#} {ssh 172.16.0.34\r} {Password: } {password1\r} {INTERNAL-PROMPT#} {\r}

add user 172.16.0.56 username1
add autoenable 172.16.0.56 1
add password 172.16.0.56 {password1}
add method 172.16.0.56 {usercmd}
add usercmd 172.16.0.56 {ssh} {username1@public-ip.address}
add usercmd_chat 172.16.0.56 {Password: } {password2\r} {GATEWAY-PROMPT#} {ssh 172.16.0.56\r} {Password: } {password1\r} {INTERNAL-PROMPT#} {\r}

... and so on....

So, what I'd love to be able to do is use wildcards with your patch,
specifically the 'usercmd_chat' portion. So instead of one statement for
each router, we use one for all internal routers like so:

add user 172.16.0.* username1
add autoenable 172.16.0.* 1
add password 172.16.0.* {password1}
add method 172.16.0.* {usercmd}
add usercmd 172.16.0.* {ssh} {username1@public-ip.address}
add usercmd_chat 172.16.0.* {Password: } {password2\r} {GATEWAY-PROMPT#} {ssh $INTERNAL_IP\r} {Password: } {password1\r} {$INTERNAL_PROMPT#} {\r}

Where {ssh $INTERNAL_IP\r} would be the value for the wildcarded
internal IP address and {ssh $INTERNAL_IP\r} could somehow be a wildcard
value to match any prompt.

I'm assuming this probably won't work though, as I have no idea how
you'd pass the internal IP address to the ssh command on the gateway
router using variables or whatnot. Similarly, is there a way to accept
any value for the internal router's prompt so we don't need to use
specific values for each router?

Thanks a lot for all your help!

Graham



eravin at panix

Sep 14, 2008, 5:14 PM

Post #14 of 14 (3393 views)
Re: Download configs from one router through another [In reply to]

On Fri, Sep 12, 2008 at 02:04:46PM -0400, Graham Fleming wrote:
> Thanks for the reply, Ed. Here's a small snippet of the kind of thing we
> would be using your patch for. This would be one site where we log into
> the GATEWAY router and then from there we would log into the internal
> routers on the 172.16.0.0/24 network.
[...]
> So, what I'd love to be able to do is use wildcards with your patch,
> specifically the 'usercmd_chat' portion. So instead of one statement for
> each router, we use one for all internal routers like so:
>
> add user 172.16.0.* username1
> add autoenable 172.16.0.* 1
> add password 172.16.0.* {password1}
> add method 172.16.0.* {usercmd}
> add usercmd 172.16.0.* {ssh} {username1@public-ip.address}

All of the above is already supported in RANCID, even without the usercmd
patch. But what you really need is this:

> add usercmd_chat 172.16.0.* {Password: } {password2\r}
> {GATEWAY-PROMPT#} {ssh $INTERNAL_IP\r} {Password: } {password1\r}
> {$INTERNAL_PROMPT#} {\r}
>
> Where {ssh $INTERNAL_IP\r} would be the value for the wildcarded
> internal IP address and {ssh $INTERNAL_IP\r} could somehow be a wildcard
> value to match any prompt.

Not yet supported. Should be doable by creating escapes that evaluate
to the current value of variables like $router, which corresponds to the
"$INTERNAL_IP" that you want above. It's a bit harder for the prompt -
if you are using IP addresses to connect to the router, if your DNS
is set up properly then some new code could do a reverse lookup and
use that to build the router prompt.

It occurs to me that all this could be done with a new feature in cloginrc:
the ability to specify that the string value should be evaluated when
"find()" is called in clogin to look up the value, rather than when
cloginrc is sourced. Maybe put a leading \ or @ or other unlikely
escape character - then, when find() is called, if it sees the value
has the escape character, it runs "eval" on the string, which could
include variables like $router, function calls, etc.

> ... Similarly, is there a way to accept
> any value for the internal router's prompt so we don't need to use
> specific values for each router?

Yes, you could use a regexp pattern match that was indifferent to
the name of the router - but it might match something in the login
sequence and then you're stuck.

Here's what might be a workaround - if you're not into programming tcl
and changing clogin, you could write a script or program in any language
to create a password file that is included into the run by your cloginrc.

-- Ed
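Ed's closing suggestion (generate the per-router stanzas with an external script and pull the result into .cloginrc) is the piece of this thread that does not need any change to clogin, so here is an added example of it. This is not RANCID code and not part of Ed Ravin's patch; it assumes the usercmd / usercmd_chat keys that the patched clogin reads, in the exact stanza shape Graham posted for his 172.16.0.0/24 site (and the same chat-style chain Justin Sherrill summarized for the telnet case), plus the standard cloginrc `include` directive. The gateway address 203.0.113.1, the prompts and every credential below are constructed sample data. Each router gets its own exact prompt rather than a catch-all pattern, which is the hoop Ed describes for Cisco-behind-Cisco: a regexp loose enough to match any prompt can also match the gateway's, and clogin then thinks the inner login finished early.

```python
#!/usr/bin/env python3
"""Generate per-router .cloginrc stanzas for bastion-hop (usercmd) logins.

Added example; not part of RANCID or of Ed Ravin's usercmd patch. It
assumes the patched clogin's "usercmd"/"usercmd_chat" keys as used in
the thread and cloginrc's standard "include" directive. Gateway address,
prompts and credentials below are constructed sample data.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    """One internal device reached through the gateway."""
    ip: str
    prompt: str   # the exact enable prompt the device shows, e.g. "INTERNAL-23#"


def tcl_brace(value: str) -> str:
    """Wrap a value in Tcl braces. A stray brace inside the value would
    unbalance the file when clogin sources it, so refuse it outright."""
    if "{" in value or "}" in value:
        raise ValueError("value must not contain Tcl braces: %r" % value)
    return "{" + value + "}"


def render_entries(gateway_ip, gateway_user, gateway_password, gateway_prompt,
                   router_user, router_password, routers):
    """Return .cloginrc text with one six-line stanza per router.

    The stanza is the one Graham posted (ssh to the gateway, answer its
    password prompt, ssh onward from the gateway's prompt, answer the
    inner password prompt, wait for the inner prompt), with the internal
    IP and the device's own prompt substituted per router.
    """
    lines = ["# generated: bastion-hop entries via %s, do not edit by hand" % gateway_ip]
    for r in routers:
        if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", r.ip):
            raise ValueError("not an IPv4 address: %r" % r.ip)
        # "\\r" is the literal two characters \r that expect's send turns into CR.
        chat = [
            tcl_brace("Password: "), tcl_brace(gateway_password + "\\r"),
            tcl_brace(gateway_prompt), tcl_brace("ssh %s\\r" % r.ip),
            tcl_brace("Password: "), tcl_brace(router_password + "\\r"),
            tcl_brace(r.prompt), tcl_brace("\\r"),
        ]
        lines += [
            "add user %s %s" % (r.ip, router_user),
            "add autoenable %s 1" % r.ip,
            "add password %s %s" % (r.ip, tcl_brace(router_password)),
            "add method %s {usercmd}" % r.ip,
            "add usercmd %s {ssh} %s" % (r.ip, tcl_brace("%s@%s" % (gateway_user, gateway_ip))),
            "add usercmd_chat %s %s" % (r.ip, " ".join(chat)),
            "",
        ]
    return "\n".join(lines)


def write_include_file(text, path=None):
    """Write the stanzas with mode 0600: created that way, then fchmod'ed
    so neither the umask nor a pre-existing looser file wins. The file
    holds plaintext device passwords, and clogin itself refuses a
    .cloginrc that other users can read. Returns (path, mode).
    """
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "internal.cloginrc")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, text.encode())
    finally:
        os.close(fd)
    return path, stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample site: two internal routers behind one gateway
# (203.0.113.1 is documentation address space, not a real host).
SAMPLE_ROUTERS = (Router("172.16.0.23", "INTERNAL-23#"),
                  Router("172.16.0.34", "INTERNAL-34#"))


def sample_entries():
    return render_entries("203.0.113.1", "username1", "password2", "GATEWAY-PROMPT#",
                          "username1", "password1", SAMPLE_ROUTERS)


if __name__ == "__main__":
    path, mode = write_include_file(sample_entries())
    print(sample_entries())
    # Reference the generated file from the main .cloginrc with an include line:
    print("# add to ~/.cloginrc:  include {%s}   (written with mode %o)" % (path, mode))
```

Run it from the rancid user's crontab (or a pre-run hook) whenever the router list changes, and add one `include {/path/to/internal.cloginrc}` line to the real .cloginrc. The device list and prompts can come from the router.db you already maintain; the only per-site inputs are the gateway's address and prompt. Keep the generated file on the same filesystem and with the same ownership as .cloginrc, since it carries the same secrets.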
