From yuvalba at netvision.net.il Fri Jan 2 12:29:26 2004
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Fri, 2 Jan 2004 14:29:26 +0200
Subject: clogin with CatOS + autoenable
Message-ID:

Hi,

Been using rancid with CatOS that required a login password and then manually enabling with the enable password; it was working fine.
We changed the CatOS switch (5500) to use an aaa server, which puts the user directly into enable mode, and clogin seems to be unable to deal with that:

$clogin cat55
spawn telnet cat55

Cisco Systems Console

Username: rancid

Password:
cat55-u-b> (enable)
Error: TIMEOUT reached
$

The login succeeds, but it seems clogin will not recognize the enable prompt and is expecting the # sign.

The .cloginrc config is:

add user cat55 rancid
add password cat55 {rancidpassword}
add autoenable cat55 1

Before I go hacking clogin, is this really not supported or am I missing something?

Thanks
Yuval
From: erik at code.de (erik at code.de)
Date: Fri, Jan 2 2004 17:24:07 +0100
Subject: integration of security enhancement patch
Message-ID: <20031222172045.GA17908@hendrix.code.de>

Hi List,

I read a mail from Janos Mohacsi[1] about a more secure way of getting config files, which he wrote 1 1/2 years ago. His patch is 62139 bytes long, mainly to introduce a new mrancid.in with autoconf and so on.

An integration of the patch he was sending is not necessary if the author/community decides to change a single command in two lines of bin/rancid.in.

Is there a reason why the running-config of a Cisco is gathered by rancid? If not, is there any reason not to change that command to "show config", which takes the startup-config?

This change is needed to enable the great feature of getting configs from a Cisco without granting "privilege 15" access to a Cisco device.

I just want to throw that request to the list for discussion.

[1] http://www.shrubbery.net/pipermail/rancid-discuss/2002-June/000230.html

--
erik at code.de
"I am not a Geek! I shower."
From: heas at shrubbery.net (john heasley)
Date: Fri, 2 Jan 2004 08:27:57 -0800
Subject: clogin with CatOS + autoenable
In-Reply-To:
References:
Message-ID: <20040102162757.GF29302@shrubbery.net>

Fri, Jan 02, 2004 at 02:29:26PM +0200, Yuval Ben-Ari:
> Hi,
>
> Been using rancid with CatOS that required login password and then
> manually enable with enable password, it was working fine.
> We changed the CatOS switch (5500) to use aaa server which enters user
> directly to enable mode and the clogin seems to be unable to deal with
> that:
>
> $clogin cat55
> spawn telnet cat55
>
> Cisco Systems Console
>
> Username: rancid
>
> Password:
> cat55-u-b> (enable)
> Error: TIMEOUT reached
> $
>
>
> the login succeeds but seems the clogin will not recognize the enable
> prompt and expecting the # sign.
>
> the .cloginrc config is:
>
> add user cat55 rancid
> add password cat55 {rancidpassword}
> add autoenable cat55 1
>
> before I go hacking the clogin, is this really not supported or am I
> missing something ?

this (clogin + autoenable + catos) does not work properly, ATM.  I have a
patch for the next release, but nothing to test it on.  please contact me
directly if you're willing to debug with me or provide access to one
remotely.
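As an added illustration of the prompt mismatch in the thread above (this is not code from clogin or rancid), the following Python models what clogin waits for after login: an IOS enable prompt ends in "#", a CatOS enable prompt ends in "> (enable)", and a matcher that only accepts "#" never returns for the CatOS session, which is the "Error: TIMEOUT reached" Yuval reports. The prompt regexes and the router1 transcript are assumptions.

```python
import re

# Prompt shapes seen in the thread. IOS signals enable mode with a trailing
# '#'; CatOS signals it with '> (enable)'; a bare '>' is user mode on both.
# The hostname part excludes '#', '>' and whitespace so "Username:" and
# "Password:" lines are never mistaken for prompts.
PROMPT_PATTERNS = (
    (re.compile(r"^([^#>\s]+)#\s*$"), "enable"),             # IOS:   router1#
    (re.compile(r"^([^#>\s]+)> \(enable\)\s*$"), "enable"),  # CatOS: cat55-u-b> (enable)
    (re.compile(r"^([^#>\s]+)>\s*$"), "user"),               # either: cat55-u-b>
)


def classify_prompt(line):
    """Return (hostname, mode) for a prompt line, or None for anything else."""
    line = line.rstrip("\r\n")
    for rx, mode in PROMPT_PATTERNS:
        m = rx.match(line)
        if m:
            return m.group(1), mode
    return None


def login_state(transcript, catos_aware=True):
    """Scan a clogin session transcript the way clogin waits after login.

    Returns ("enabled", host) once an enable prompt is seen, ("user", host)
    if only a user-mode prompt was seen (clogin would send 'enable' next),
    or ("timeout", None) if no usable prompt appeared. With catos_aware=False
    only '#' counts as enabled, which reproduces the thread's timeout: the
    CatOS '(enable)' prompt is read but never accepted.
    """
    state = ("timeout", None)
    for line in transcript.splitlines():
        found = classify_prompt(line)
        if found is None:
            continue
        host, mode = found
        if mode == "enable":
            if catos_aware or line.rstrip().endswith("#"):
                return ("enabled", host)
            continue  # '(enable)' seen but not understood: keep waiting
        state = ("user", host)
    return state


# Constructed transcripts: the CatOS one is the session from the thread, the
# IOS one is an invented user-mode login for comparison.
CATOS_SESSION = """\
spawn telnet cat55

Cisco Systems Console

Username: rancid

Password:
cat55-u-b> (enable)
"""

IOS_USER_SESSION = """\
spawn telnet router1

User Access Verification

Username: rancid
Password:
router1>
"""

if __name__ == "__main__":
    print(login_state(CATOS_SESSION, catos_aware=False))  # ('timeout', None)
    print(login_state(CATOS_SESSION))                     # ('enabled', 'cat55-u-b')
    print(login_state(IOS_USER_SESSION))                  # ('user', 'router1')
```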
From: wedge at shopping.com (Wedge Martin)
Date: Sat, 3 Jan 2004 10:27:43 -0800
Subject: Cisco CSS rancid script...
Message-ID: <0F8C9793B7D3D74CAAA29BAFD3C704D4379D71@msgsf.sf1.corp.dealtime.com>

I call this 'cssrancid' and use the vendor type of 'css' to differentiate it. It's a total hack on the standard rancid script, but it has all the functional differences, including one that was super hard to track down... The user profile, when the term length is changed to 65535 (css handles term len 0 stupidly and gives you a term len of 24), prompts you when you log out to commit or discard user profile changes, screwing up the session by hanging indefinitely... so the trick is to copy the profile to user-profile; I found this _buried_ in Cisco documentation.. goofy voodoo.. but it works. I threw in a couple of other little hacks to make this functional, and it's working nicely.. feel free to put this in the next distribution... I'll clean it up a bit too and send you any changes I make.

#!/bin/perl
##
##
## Copyright (C) 1997-2001 by Henry Kilmer.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed without
## fee for non-commercial purposes provided that this copyright notice is
## preserved intact on all copies and modified copies.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is". The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
##
#
#  RANCID - Really Awesome New Cisco confIg Differ
#
# usage: rancid [-d] [-l] [-f filename | $host]
#
# Transcription note: the list archive stripped everything that looked like
# an HTML tag from this script (<INPUT>, <removed>, </dev/null) and mangled
# "@" as " at "; those are restored where they occur.
use Getopt::Std;
getopts('dflm');
$log = $opt_l;
$debug = $opt_d;
$debug = "true";        # debug is forced on here; the -d flag is effectively ignored
$file = $opt_f;
$host = $ARGV[0];
$clean_run = 0;
$found_end = 0;
$timeo = 90;            # clogin timeout in seconds

my($filter_pwds);       # password filtering mode (was "my(%filter_pwds)", a hash that was never used)

# This routine is used to print out the router configuration
sub ProcessHistory {
    my($new_hist_tag,$new_command,$command_string,@string)=(@_);
    if((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
       && %history) {               # "defined %hash" is an error in newer perls
        print eval "$command \%history";
        undef %history;
    }
    if (($new_hist_tag) && ($new_command) && ($command_string)) {
        if ($history{$command_string}) {
            $history{$command_string} = "$history{$command_string}@string";
        } else {
            $history{$command_string} = "@string";
        }
    } elsif (($new_hist_tag) && ($new_command)) {
        $history{++$#history} = "@string";
    } else {
        print "@string";
    }
    $hist_tag = $new_hist_tag;
    $command = $new_command;
    1;
}

sub numerically {
    $a <=> $b;
}

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort numerically keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort values %lines) {
        $sorted_lines[$i] = $key;
        $i++;
    }
    @sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $num (sort {$a <=> $b} keys %lines) {
        $sorted_lines[$i] = $lines{$num};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $addr (sort sortbyipaddr keys %lines) {
        $sorted_lines[$i] = $lines{$addr};
        $i++;
    }
    @sorted_lines;
}

# These two routines will sort based upon IP addresses
sub ipaddrval {
    my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
    $a[3]+256*($a[2]+256*($a[1]+256*$a[0]));
}
sub sortbyipaddr {
    &ipaddrval($a) <=> &ipaddrval($b);
}

# This routine parses "show version"
sub ShowVersion {
    print STDERR "    In ShowVersion: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        study;
        last if(/^$prompt/);
        next if(/^(\s*|\s*$cmd\s*)$/);
        return(-1) if (/command authorization failed/i);

        if (/^Slave in slot (\d+) is running/) {
            $slave = " Slave:";
            next;
        }

        /^Cisco Secure PIX /i &&
            ProcessHistory("COMMENTS","keysort","F1", "!Image: $_") && next;
        /^IOS .* Software \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&
            ProcessHistory("COMMENTS","keysort","F1",
                "!Image:$slave Software: $1, $2\n") && next;
        /^([A-Za-z-0-9_]*) Synced to mainline version: (.*)$/ &&
            ProcessHistory("COMMENTS","keysort","F2",
                "!Image:$slave $1 Synced to mainline version: $2\n") && next;
        /^Compiled (.*)$/ &&
            ProcessHistory("COMMENTS","keysort","F3",
                "!Image:$slave Compiled: $1\n") && next;
        /^ROM: (System )?Bootstrap.*(Version.*)$/ &&
            ProcessHistory("COMMENTS","keysort","G1",
                "!ROM Bootstrap: $2\n") && next;
        if (/^Hardware:\s+(.*), (.* RAM), CPU (.*)$/) {
            ProcessHistory("COMMENTS","keysort","A1",
                "!Chassis type: $1 - a PIX\n");
            ProcessHistory("COMMENTS","keysort","A2",
                "!CPU: $3\n");
            ProcessHistory("COMMENTS","keysort","B1",
                "!Memory: $2\n");
        }
        /^Serial Number:\s+(.*)$/ &&
            ProcessHistory("COMMENTS","keysort","C1", "!$_") && next;
        /^Activation Key:\s+(.*)$/ &&
            ProcessHistory("COMMENTS","keysort","C2", "!$_") && next;
        /^ROM: \d+ Bootstrap .*(Version.*)$/ &&
            ProcessHistory("COMMENTS","keysort","G2",
                "!ROM Image: Bootstrap $1\n!\n") && next;
        /^ROM: .*(Version.*)$/ &&
            ProcessHistory("COMMENTS","keysort","G3","!ROM Image: $1\n") && next;
        /^BOOTFLASH: .*(Version.*)$/ &&
            ProcessHistory("COMMENTS","keysort","G4","!BOOTFLASH: $1\n") && next;
        /^BOOTLDR: .*(Version.*)$/ &&
            ProcessHistory("COMMENTS","keysort","G4","!BOOTLDR: $1\n") && next;
        /^System image file is "([^\"]*)", booted via (\S*)/ &&
            ProcessHistory("COMMENTS","keysort","F4","!Image: booted $1\n") && next;
        /^System image file is "([^\"]*)"$/ &&
            ProcessHistory("COMMENTS","keysort","F5","!Image: $1\n") && next;

        if (/(\S+)\s+\((\S+)\)\s+processor.*with (\S+[kK]) bytes/) {
            my($proc) = $1;
            my($cpu) = $2;
            my($mem) = $3;
            my($device) = "router";
            $type = "CSS";          # CSS hack: the chassis type is hard-wired
            print STDERR "TYPE = $type\n" if ($debug);
            ProcessHistory("COMMENTS","keysort","A1",
                "!Chassis type:$slave $proc - a $type $device\n");
            ProcessHistory("COMMENTS","keysort","B1",
                "!Memory:$slave main $mem\n");
            ProcessHistory("COMMENTS","keysort","A3","!CPU:$slave $cpu\n");
            next;
        }
        if (/(\S+) Silicon\s*Switch Processor/) {
            if (!defined($C0)) {
                $C0=1; ProcessHistory("COMMENTS","keysort","C0","!\n");
            }
            ProcessHistory("COMMENTS","keysort","C2","!SSP: $1\n");
            $ssp = 1;
            $sspmem = $1;
            next;
        }
        /^(\d+[kK]) bytes of multibus/ &&
            ProcessHistory("COMMENTS","keysort","B2",
                "!Memory: multibus $1\n") && next;
        /^(\d+[kK]) bytes of non-volatile/ &&
            ProcessHistory("COMMENTS","keysort","B3",
                "!Memory: nvram $1\n") && next;
        /^(\d+[kK]) bytes of flash memory/ &&
            ProcessHistory("COMMENTS","keysort","B5","!Memory: flash $1\n") && next;
        /^(\d+[kK]) bytes of .*flash partition/ &&
            ProcessHistory("COMMENTS","keysort","B6",
                "!Memory: flash partition $1\n") && next;
        /^(\d+[kK]) bytes of Flash internal/ &&
            ProcessHistory("COMMENTS","keysort","B4",
                "!Memory: bootflash $1\n") && next;
        if(/^(\d+[kK]) bytes of (Flash|ATA)?.*PCMCIA .*(slot|disk) ?(\d)/i) {
            ProcessHistory("COMMENTS","keysort","B7",
                "!Memory: pcmcia $2 $3$4 $1\n");
            next;
        }

        if(/^WARNING/) {
            if (!defined($I0)) {
                $I0=1; ProcessHistory("COMMENTS","keysort","I0","!\n");
            }
            ProcessHistory("COMMENTS","keysort","I1","! $_");
            # The line after the WARNING is what to do about it.
            $_ = <INPUT>; tr/\015//d;
            ProcessHistory("COMMENTS","keysort","I1","! $_");
        }
        if (/^Configuration register is (.*)$/) {
            $config_register=$1;
            next;
        }
    }
    return(0);
}

# Dummy routine to set term length....
sub TermLength {
    # Dummy subroutine.. need to set term length differently for CSS
    # boxes as term length 0 doesnt work correctly. POS.
    return(0);
}

# Dummy routine to copy profile...
sub CopyProfile {
    ## Because the term length gets changed twice, the stupid
    ## box will ask you to save or discard changes. This prompt
    ## of couse breaks the interaction... strangely enough tho
    ## in a failover environment, only the secondary behaves this
    ## way.. the primary lets you log out and does not complain.
    return(0);
}

# This routine parses "show boot"
sub ShowBoot {
    # Pick up boot variables if 7000/7200/7500/12000/2900/3500;
    # otherwise pick up bootflash.
    print STDERR "    In ShowBoot: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if /^\s*\^\s*$/;
        return(-1) if (/command authorization failed/i);
        return(1) if /Ambiguous command/i;
        # return(1) if /(Invalid input detected|Type help or )/;
        return(1) if /(Open device \S+ failed|Error opening \S+:)/;
        next if /CONFGEN variable/;
        if (!defined($H0)) {
            $H0=1; ProcessHistory("COMMENTS","keysort","H0","!\n");
        }
        if ($type !~ /^(12[04]|7)/) {
            if ($type !~ /^(29|35)00/) {
                ProcessHistory("COMMENTS","keysort","H2","!BootFlash: $_");
            } else {
                ProcessHistory("COMMENTS","keysort","H1","!Variable: $_");
            }
        } elsif (/variable/) {
            ProcessHistory("COMMENTS","keysort","H1","!Variable: $_");
        }
    }
    ProcessHistory("COMMENTS","","","!\n");
    return(0);
}

# This routine processes a "show run"
sub ShowRun {
    print STDERR "    In ShowRun: $_" if ($debug);
    my($lineauto) = 0;

    while (<INPUT>) {
        tr/\015//d;
        study;
        last if(/^$prompt/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /Non-Volatile memory is in use/ && return(-1); # NvRAM is locked

        $lineauto = 0 if (/^[^ ]/);
        # skip the crap
        if (/^(##+$|(Building|Current) configuration)/i) {
            while (<INPUT>) {
                next if (/^Current configuration\s*:/i);
                next if (/^:/);
                next if (/^([%!].*|\s*)$/);
                next if (/^ip add.*ipv4:/);     # band-aid for 3620 12.0S
                last;
            }
            if (defined($config_register)) {
                ProcessHistory("","","","!\nconfig-register $config_register\n");
            }
            tr/\015//d;
        }

        # some versions have other crap mixed in with the bits in the
        # block above
        /^! (Last configuration|NVRAM config last)/ && next;
        ## CSS specific....
        /Generated on/ && next;

        # Dog gone Cool matches to process the rest of the config
        /^tftp-server flash / && next;  # kill any tftp remains
        /^ntp clock-period / && next;   # kill ntp clock-period
        /^ length / && next;            # kill length on serial lines
        /^ width / && next;             # kill width on serial lines
        $lineauto = 1 if /^ modem auto/;
        /^ speed / && $lineauto && next; # kill speed on serial lines
        /^ clockrate / && next;         # kill clockrate on serial interfaces
        # Filtered secrets are replaced by the literal token <removed>
        # (the archive stripped that token; it is restored here).
        if (/^(enable )?(password|passwd) / && $filter_pwds >= 1) {
            ProcessHistory("ENABLE","","","!$1$2 <removed>\n");
            next;
        }
        if (/^(enable secret) / && $filter_pwds >= 2) {
            ProcessHistory("ENABLE","","","!$1 <removed>\n");
            next;
        }
        if (/^username (\S+)(\s.*)? secret /) {
            if ($filter_pwds >= 2) {
                ProcessHistory("USER","keysort","$1","!username $1$2 secret <removed>\n");
            } else {
                ProcessHistory("USER","keysort","$1","$_");
            }
            next;
        }
        if (/^username (\S+)(\s.*)? password ((\d) \S+|\S+)/) {
            if ($filter_pwds == 2) {
                ProcessHistory("USER","keysort","$1","!username $1$2 password <removed>\n");
            } elsif ($filter_pwds == 1 && $4 ne "5"){
                ProcessHistory("USER","keysort","$1","!username $1$2 password <removed>\n");
            } else {
                ProcessHistory("USER","keysort","$1","$_");
            }
            next;
        }
        if (/^(\s*)password / && $filter_pwds >= 1) {
            ProcessHistory("LINE-PASS","","","!$1password <removed>\n");
            next;
        }
        if (/^\s*neighbor (\S*) password / && $filter_pwds >= 1) {
            ProcessHistory("","","","! neighbor $1 password <removed>\n");
            next;
        }
        if (/^(ppp .* password) 7 .*/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        if (/^(ip ftp password) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        if (/^( ip ospf authentication-key) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        # isis passwords appear to be completely plain-text
        if (/^\s+isis password (\S+)( .*)?/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!isis password <removed>$2\n");
            next;
        }
        # $2 is the password itself; only the trailing options ($3) are kept
        if (/^\s+(domain-password|area-password) (\S+)( .*)?/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>$3\n");
            next;
        }
        # this is reversable, despite 'md5' in the cmd
        if (/^( ip ospf message-digest-key \d+ md5) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed> $'");
            next;
        }
        # i am told these are plain-text on the PIX
        if (/^(vpdn username \S+ password)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        /fair-queue individual-limit/ && next;
        # sort ip explicit-paths.
        if (/^ip explicit-path name (\S+)/) {
            my($key) = $1;
            my($expath) = $_;
            while (<INPUT>) {
                tr/\015//d;
                last if (/^$prompt/);
                last if (/^$prompt/ || ! /^(ip explicit-path name |[ !])/);
                if (/^ip explicit-path name (\S+)/) {
                    ProcessHistory("EXPATH","keysort","$key","$expath");
                    $key = $1;
                    $expath = $_;
                } else {
                    $expath .= $_;
                }
            }
            ProcessHistory("EXPATH","keysort","$key","$expath");
        }
        # sort route-maps
        if (/^route-map (\S+)/) {
            my($key) = $1;
            my($routemap) = $_;
            while (<INPUT>) {
                tr/\015//d;
                last if (/^$prompt/ || !
                    /^(route-map |[ !])/);
                if (/^route-map (\S+)/) {
                    ProcessHistory("ROUTEMAP","keysort","$key","$routemap");
                    $key = $1;
                    $routemap = $_;
                } else {
                    $routemap .= $_;
                }
            }
            ProcessHistory("ROUTEMAP","keysort","$key","$routemap");
        }
        # filter out any RCS/CVS tags to avoid confusing local CVS storage
        s/\$(Revision|Id):/ $1:/;
        # order access-lists
        /^access-list\s+(\d\d?)\s+(\S+)\s+(\S+)/ &&
            ProcessHistory("ACL $1 $2","ipsort","$3","$_") && next;
        # order extended access-lists
        /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+host\s+(\S+)/ &&
            ProcessHistory("EACL $1 $2","ipsort","$3","$_") && next;
        /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+(\d\S+)/ &&
            ProcessHistory("EACL $1 $2","ipsort","$3","$_") && next;
        /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+any/ &&
            ProcessHistory("EACL $1 $2","ipsort","0.0.0.0","$_") && next;
        # order arp lists
        /^arp\s+(\d+\.\d+\.\d+\.\d+)\s+/ &&
            ProcessHistory("ARP","ipsort","$1","$_") && next;
        /^ip prefix-list\s+(\S+)\s+seq\s+(\d+)\s+(permit|deny)\s+(\d\S+)(\/.*)$/ &&
            ProcessHistory("PACL $1 $3","ipsort","$4",
                "ip prefix-list $1 $3 $4$5\n") && next;
        # order logging statements
        /^logging (\d+\.\d+\.\d+\.\d+)/ &&
            ProcessHistory("LOGGING","ipsort","$1","$_") && next;
        # order/prune snmp-server host statements
        # we only prune lines of the form
        # snmp-server host a.b.c.d
        if (/^snmp-server host (\d+\.\d+\.\d+\.\d+) /) {
            if (defined($ENV{'NOCOMMSTR'})) {
                my($ip) = $1;
                my($line) = "snmp-server host $ip";
                my(@tokens) = split(' ', $');
                my($token);
                while ($token = shift(@tokens)) {
                    if ($token eq 'version') {
                        $line .= " " . join(' ', ($token, shift(@tokens)));
                    } elsif ($token =~ /^(informs?|traps?|(no)?auth)$/) {
                        $line .= " " . $token;
                    } else {
                        $line = "!$line " .
                            join(' ', ("<removed>", join(' ',@tokens)));
                        last;
                    }
                }
                ProcessHistory("SNMPSERVERHOST","ipsort","$ip","$line\n");
            } else {
                ProcessHistory("SNMPSERVERHOST","ipsort","$1","$_");
            }
            next;
        }
        if (/^(snmp-server community) (\S+)/) {
            if (defined($ENV{'NOCOMMSTR'})) {
                ProcessHistory("SNMPSERVERCOMM","keysort","$_","!$1 <removed>$'") && next;
            } else {
                ProcessHistory("SNMPSERVERCOMM","keysort","$_","$_") && next;
            }
        }
        # order/prune tacacs/radius server statements
        if (/^(tacacs-server|radius-server) key / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 key <removed>\n");
            next;
        }
        # order clns host statements
        /^clns host \S+ (\S+)/ &&
            ProcessHistory("CLNS","keysort","$1","$_") && next;
        # order alias statements
        /^alias / && ProcessHistory("ALIAS","keysort","$_","$_") && next;
        # delete ntp auth password - this md5 is a reversable too
        if (/^(ntp authentication-key \d+ md5) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        # order ntp peers/servers
        if (/^ntp (server|peer) (\d+)\.(\d+)\.(\d+)\.(\d+)/) {
            $sortkey = sprintf("$1 %03d%03d%03d%03d",$2,$3,$4,$5);
            ProcessHistory("NTP","keysort",$sortkey,"$_");
            next;
        }
        # order ip host line statements
        /^ip host line(\d+)/ &&
            ProcessHistory("IPHOST","numsort","$1","$_") && next;
        # order ip nat source static statements
        /^ip nat (\S+) source static (\S+)/ &&
            ProcessHistory("IP NAT $1","ipsort","$2","$_") && next;
        # order atm map-list statements
        /^\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+atm-vc/ &&
            ProcessHistory("ATM map-list","ipsort","$1","$_") && next;
        # order ip rcmd lines
        /^ip rcmd/ && ProcessHistory("RCMD","keysort","$_","$_") && next;
        # system controller
        /^syscon address (\S*) (\S*)/ &&
            ProcessHistory("","","","!syscon address $1 <removed>\n") && next;
        if (/^syscon password (\S*)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!syscon password <removed>\n");
            next;
        }
        # catch anything that wasnt matched above.
        ProcessHistory("","","","$_");
        # end of config.
        # the ": " game is for the PIX; the CSS prompt checks are this script's own
        if (/^(: +)?end$/ || /CSS.*#/ || /$prompt/ ) {
            $found_end = 1;
            return(1);
        }
    }
    return(0);
}

# dummy function
sub DoNothing {print STDOUT;}

# Main
%commands=(
    'term length 65535'         => "TermLength",
    'copy profile user-profile' => "CopyProfile",
    'show version'              => "ShowVersion",
    'show boot'                 => "ShowBoot",
    'show run'                  => "ShowRun"
);
# keys() doesnt return things in the order entered and the order of the
# cmds is important (show version first and show run last). pita
@commands=(
    "term length 65535",
    "copy profile user-profile",
    "show version",
    "show boot",
    "show run"
);
$cisco_cmds=join(";",@commands);
$cmds_regexp=join("|",@commands);

open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

if ($file) {
    print STDERR "opening file $host\n" if ($debug);
    print STDOUT "opening file $host\n" if ($log);
    open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
    print STDERR "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
    print STDOUT "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
    if (defined($ENV{NOPIPE})) {
        system "clogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" ||
            die "clogin failed for $host: $!\n";
        open(INPUT, "< $host.raw") || die "clogin failed for $host: $!\n";
    } else {
        open(INPUT,"clogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") ||
            die "clogin failed for $host: $!\n";
    }
}

# determine password filtering mode (FILTER_PWDS=no|all|anything else).
# This block and the "TOP:" loop header were lost to the archive's tag
# stripping; they are restored here from the stock rancid script.
if ($ENV{"FILTER_PWDS"} =~ /no/i) {
    $filter_pwds = 0;
} elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
    $filter_pwds = 2;
} else {
    $filter_pwds = 1;
}

TOP: while(<INPUT>) {
    tr/\015//d;
    # if (/\#\s?exit$/) {
    if (/\#\s?exit/) {
        $clean_run=1;
        last;
    }
    if (/^Error:/) {
        print STDOUT ("$host clogin error: $_");
        print STDERR ("$host clogin error: $_") if ($debug);
        $clean_run=0;
        last;
    }
    while (/#\s*($cmds_regexp)\s*$/) {
        $cmd = $1;
        if (!defined($prompt)) {$prompt = ($_ =~ /^([^#]+#)/)[0]; }
        print STDERR ("HIT COMMAND:$_") if ($debug);
        if (!
            defined($commands{$cmd})) {
            print STDERR "$host: found unexpected command - \"$cmd\"\n";
            # $clean_run = 0;   i'll track down why this is necessary, but
            # last TOP;         the bottom line is this gets stuck in a loop..
            next TOP;
        } else {
            $rval = &{$commands{$cmd}};
            delete($commands{$cmd});
            if ($rval == -1) {
                $clean_run = 0;
                last TOP;
            }
        }
    }
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);

if (defined($ENV{NOPIPE})) {
    unlink("$host.raw") if (! $debug);
}

# check for completeness
if (scalar(%commands) || !$clean_run || !$found_end) {
    if (scalar(%commands)) {
        printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
        printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
    }
    if (!$clean_run || !$found_end) {
        print STDOUT "$host: End of run not found\n";
        print STDERR "$host: End of run not found\n" if ($debug);
        system("/usr/bin/tail -1 $host.new");
    }
    unlink "$host.new" if (! $debug);
}
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Sun, 4 Jan 2004 15:59:23 +0200
Subject: "show ver" output changes in recent IOS
Message-ID:

Hi,

Lately, after upgrading some routers to 12.3(4)T code, I noticed rancid is no longer able to determine Memory/nvram memory size and Image/Software info.
I found this is caused by changes in the "show ver" command's output.

Relevant changed output lines:

Old output:
IOS (tm) 7400 Software (C7400-JS-M), Experimental Version 12.3(20030813:213719) [REL-v123_1_b_throttle.ios-weekly 120]
509K bytes of non-volatile configuration memory.

New output:
Cisco IOS Software, 7400 Software (C7400-IK9S-M), Version 12.3(4)T, RELEASE SOFTWARE (fc1)
509K bytes of NVRAM.

It can be solved easily by adjusting the regexp in bin/rancid
(line numbers relevant to rancid-2.2.2)

line 151:
- /^IOS .* Software \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&
+ /IOS .* Software.* \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&

line 252:
- /^(\d+[kK]) bytes of non-volatile/ &&
+ /^(\d+[kK]) bytes of non-volatile/ &&

We are still using 2.2.2, so if it is already fixed in 2.3* just ignore my message :-)

The problem is that the syntax is prone to change again in the future without any notice.
I guess this is the price for fetching data by parsing CLI output.
On the other hand, I see that the sysDescr.0 OID is inconsistent in the same way.
I saw recent IOS has some XML support but did not really look into it.....

Yuval
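Review bot: the "line 252" hunk is a no-op, its "+" line is byte-for-byte the "-" line, so the new "509K bytes of NVRAM." wording still matches nothing and the nvram size stays undetected; the replacement line needs to accept both spellings, e.g. `+ /^(\d+[kK]) bytes of (non-volatile|NVRAM)/ &&`. The "line 151" hunk is fine as posted: dropping the `^` anchor and allowing `Software.*` is what lets the pattern reach past the new "Cisco IOS Software, " banner prefix.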
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Mon, 5 Jan 2004 00:31:14 +0200
Subject: "show ver" output changes in recent IOS
Message-ID:

> Lately after upgrading some routers to 12.3(4)T code I noticed rancid is
> no longer able to determine Memory/nvram memory size and Image/Software
> info.
> I found this is caused due to changes in the "show ver" command's
> output.
>
> relevant changed output lines:
>
> Old output:
> IOS (tm) 7400 Software (C7400-JS-M), Experimental Version
> 12.3(20030813:213719) [REL-v123_1_b_throttle.ios-weekly 120]
> 509K bytes of non-volatile configuration memory.
>
> New output:
> Cisco IOS Software, 7400 Software (C7400-IK9S-M), Version 12.3(4)T,
> RELEASE SOFTWARE (fc1)
> 509K bytes of NVRAM.
>
> it can be solved easily by adjusting the regexp in bin/rancid
>
> (line numbers relevant to rancid-2.2.2)
> line 151:
> - /^IOS .* Software \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&
> + /IOS .* Software.* \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&
>
> line 252:
> - /^(\d+[kK]) bytes of non-volatile/ &&
> + /^(\d+[kK]) bytes of non-volatile/ &&

I pasted the same line twice, should have been:

+ /^(\d+[kK]) bytes of (non-volatile|NVRAM)/ &&

> We are still using 2.2.2 so if it is already fixed in 2.3* just ignore
> my message :-)
>
> The problem is that syntax is prone to change in the future again
> without any notice.
> I guess this is the price for fetching data from parsing CLI output.
> On the other hand I see that sysDescr.0 OID is inconsistent in the same
> way.
> I saw recent IOS has some XML support but did not really looked into it
> .....
>
> Yuval
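To make the regexp change concrete, here is an added Python example (not code from rancid; the patterns are transcribed from the Perl above, with the character class written as `[A-Za-z0-9-]`, which is equivalent) that runs the pre-patch and post-patch patterns, including the corrected NVRAM line from this follow-up, over the two "show ver" excerpts Yuval posted and emits the "!Image:"/"!Memory:" comment lines rancid would write.

```python
import re

# Patterns as they stand in rancid 2.2.2 bin/rancid (ShowVersion).
OLD_PATTERNS = {
    "image": re.compile(r"^IOS .* Software \(([A-Za-z0-9-]*)\), .*Version\s+(.*)$"),
    "nvram": re.compile(r"^(\d+[kK]) bytes of non-volatile"),
}

# Yuval's patched versions: no '^' anchor and '.*' after 'Software' so the
# new "Cisco IOS Software, ..." banner matches; NVRAM accepts both wordings.
NEW_PATTERNS = {
    "image": re.compile(r"IOS .* Software.* \(([A-Za-z0-9-]*)\), .*Version\s+(.*)$"),
    "nvram": re.compile(r"^(\d+[kK]) bytes of (non-volatile|NVRAM)"),
}

# The two excerpts from the thread (constructed inputs, two lines each).
OLD_SHOW_VER = """\
IOS (tm) 7400 Software (C7400-JS-M), Experimental Version 12.3(20030813:213719) [REL-v123_1_b_throttle.ios-weekly 120]
509K bytes of non-volatile configuration memory.
"""

NEW_SHOW_VER = """\
Cisco IOS Software, 7400 Software (C7400-IK9S-M), Version 12.3(4)T, RELEASE SOFTWARE (fc1)
509K bytes of NVRAM.
"""


def parse_show_version(output, patterns):
    """Extract image name, version string and NVRAM size the way ShowVersion
    does: first matching line wins, unmatched fields are simply absent."""
    found = {}
    for line in output.splitlines():
        line = line.rstrip("\r")  # rancid's tr/\015//d
        m = patterns["image"].search(line)
        if m and "image" not in found:
            found["image"], found["version"] = m.group(1), m.group(2)
            continue
        m = patterns["nvram"].match(line)
        if m and "nvram" not in found:
            found["nvram"] = m.group(1)
    return found


def rancid_comments(found):
    """Render the comment lines rancid prepends to the saved config."""
    lines = []
    if "image" in found:
        lines.append(f"!Image: Software: {found['image']}, {found['version']}")
    if "nvram" in found:
        lines.append(f"!Memory: nvram {found['nvram']}")
    return lines


if __name__ == "__main__":
    for label, text in (("old", OLD_SHOW_VER), ("new", NEW_SHOW_VER)):
        for pname, pats in (("2.2.2", OLD_PATTERNS), ("patched", NEW_PATTERNS)):
            print(f"{label} output, {pname} regexps:",
                  rancid_comments(parse_show_version(text, pats)) or "nothing matched")
```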
From: erik at code.de (Erik Wenzel)
Date: Mon, 5 Jan 2004 11:20:40 +0100
Subject: integration of security enhancement patch
In-Reply-To: <946FD6186E8D4E46AB4F6FDD23AAE864015A00FC@pvdexc02.jwu.edu>
References: <946FD6186E8D4E46AB4F6FDD23AAE864015A00FC@pvdexc02.jwu.edu>
Message-ID: <20040105102040.GA5597@hendrix.code.de>

On Fri, Jan 02, 2004 at 01:34:56PM -0500, Joshua Wright wrote:
[...]
> Why wouldn't you just grant a similar AAA configuration entry for
> "show running-config" for privilege 2 (or whatever privilege level you
> assign this user)?

Did you ever try that? Because even if I grant access to "show running-config", you will get an answer with some comments and nothing else. Not a single configuration line. I tested that without enabling "aaa new-model". So there is no alternative to using "show startup-config".

> Changing RANCID to perform "show startup-config" instead of a running
> configuration is "a bad idea" (tm). If an attacker were able to
> compromise your router and make changes to the configuration, RANCID
> in its current state will identify the changes and let you know about
> it. If RANCID used "show startup-config" instead, you would be
> unaware of the changes until they were saved. The running
> configuration is a better reflection of the state of the router.

Using RANCID to check if an attacker is compromising your routers is only possible if only one person has write access. If you have a colleague, you are not able to distinguish configuration changes coming from your colleague from those of an attacker. So, using RANCID for that purpose is one thing. On the other hand, there is the purpose of having backups for disaster recovery, and for that I can't see a reason to prefer one over the other. In a production environment I consider it "a bad idea (TM)" to have a difference between both configurations.

> Also, consider the case when someone makes a change to the router and
> doesn't save the configuration changes.
> Next time the router reboots,
> something breaks because the configuration change was lost. With
> RANCID monitoring the running configuration file, it would alert you
> when the router came back online since the new running configuration
> reflects the previously saved startup config file.

So you blame "someone" for not saving the configuration. In that case, you see the big drawback of not saving the running-config: you can't do a simple reboot. That "is bad style (TM)", generally. That's an argument for saving the "startup-config".

--
erik at code.de
"I am not a Geek! I shower."

From: funraps at yahoo.com (funraps too)
Date: Mon, 5 Jan 2004 07:41:37 -0800 (PST)
Subject: Cipher not supported?
In-Reply-To:
Message-ID: <20040105154137.50820.qmail@web41108.mail.yahoo.com>

Hello everyone, I wonder if you can help...

des is not working for me and telnet was not called as a secondary..

.cloginrc:

#add method * {telnet}{ssh}{rsh}
add method * ssh telnet
add cyphertype des

Then trying ./clogin x.x.x.x

spawn ssh -c 3des -x -l rancid x.x.x.x

Selected cipher type 3des not supported by server.
From: heas at shrubbery.net (john heasley)
Date: Mon, 5 Jan 2004 08:45:39 -0800
Subject: Cipher not supported?
In-Reply-To: <20040105154137.50820.qmail@web41108.mail.yahoo.com>
References: <20040105154137.50820.qmail@web41108.mail.yahoo.com>
Message-ID: <20040105164539.GG23740@shrubbery.net>

Mon, Jan 05, 2004 at 07:41:37AM -0800, funraps too:
>
> Hello everyone, I wonder if you can help...
>
> des is not working for me and telnet was not called as a secondary..
>
> .cloginrc:
>
> #add method * {telnet}{ssh}{rsh}
> add method * ssh telnet

It should have been; try {}'ing the arguments.

> add cyphertype des

you need to have a host glob here; like
add cyphertype * {des}

> Then trying ./clogin x.x.x.x
>
> spawn ssh -c 3des -x -l rancid x.x.x.x
>
> Selected cipher type 3des not supported by server.

From: ag at a.co.nz (Alastair Galloway)
Date: Mon, 5 Jan 2004 10:23:47 +0100 (CET)
Subject: Adding "show chassis alarms" to jrancid
Message-ID:

Hi,

Has anyone out there added "show chassis alarms" to jrancid? If not I think that I will, as it'd be handy to see.

Cheers,
Alastair

From: heas at shrubbery.net (john heasley)
Date: Mon, 5 Jan 2004 12:23:35 -0800
Subject: clogin changes for cat19k
Message-ID: <20040105202335.GB23740@shrubbery.net>

A user reported that the cat19k requires that upon connection both a key be
pressed to proceed and a 'K' be entered to start the command-line interface.
I have changes to clogin to deal with both of these, but lack a cat19k on
which to test.  If anyone has one and is willing to test these changes,
please contact me off-list.

tia.
From: scriptboy at finalstate.com (Kevin O'Malley)
Date: Mon, 05 Jan 2004 18:15:29 -0500
Subject: Newbie Problem
Message-ID: <3FF9F011.80800@finalstate.com>

Greetings All,

I seem to be missing something basic with rancid 2.2.2. I don't seem to be saving the configurations.... clogin and rancid seem to work fine. When I run do-diffs, however, I never save a config file or get a config.new file. Subsequent runs with small changes to the router do not generate mail, because the checked-in config seems to be zero length. Putting a NOPIPE=YES; export NOPIPE into the env file lets me see the .raw file get bigger with each iteration of rancid... but I don't see the config changing anywhere or being saved. The routername and routername.new are of zero length.

This is the log file from do-diffs....

starting: Mon Jan 5 16:20:25 EST 2004

Trying to get all of the configs.
ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus
=====================================
Getting missed routers: round 1.
ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus
=====================================
Getting missed routers: round 2.
ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus
=====================================
Getting missed routers: round 3.
ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus
=====================================
Getting missed routers: round 4.
ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus
/usr/local/net/rancid/bin/rename: *.new: No such file or directory
cvs diff: Diffing .
cvs diff: Diffing configs
cvs commit: Examining .
cvs commit: Examining configs ending: Mon Jan 5 16:23:18 EST 2004 From rancid [rancid at localhost rancid]$ rancid -d -l ROUTERNAME executing clogin -t 90 -c"show version;show install active;show env all;show gsr chassis;show boot;show bootvar;show variables boot;show flash;dir /all nvram:;dir /all bootflash:;dir /all slot0:;dir /all disk0:;dir /all slot1:;dir /all disk1:;dir /all slot2:;dir /all disk2:;dir /all sup-bootflash:;dir /all sup-microcode:;show controllers;show controllers cbus;show diagbus;show diag;show module;show c7200;show vtp status;show vlan;write term" ROUTERNAME executing clogin -t 90 -c"show version;show install active;show env all;show gsr chassis;show boot;show bootvar;show variables boot;show flash;dir /all nvram:;dir /all bootflash:;dir /all slot0:;dir /all disk0:;dir /all slot1:;dir /all disk1:;dir /all slot2:;dir /all disk2:;dir /all sup-bootflash:;dir /all sup-microcode:;show controllers;show controllers cbus;show diagbus;show diag;show module;show c7200;show vtp status;show vlan;write term" ROUTERNAME HIT COMMAND:ROUTERNAME#show version In ShowVersion: ROUTERNAME#show version TYPE = 3660 HIT COMMAND:ROUTERNAME#show env all In ShowEnv: ROUTERNAME#show env all HIT COMMAND:ROUTERNAME#show gsr chassis In ShowGSR: ROUTERNAME#show gsr chassis HIT COMMAND:ROUTERNAME#show boot In ShowBoot: ROUTERNAME#show boot HIT COMMAND:ROUTERNAME#show bootvar In ShowBoot: ROUTERNAME#show bootvar HIT COMMAND:ROUTERNAME#show variables boot In ShowBoot: ROUTERNAME#show variables boot HIT COMMAND:ROUTERNAME#show flash In ShowFlash: ROUTERNAME#show flash HIT COMMAND:ROUTERNAME#dir /all nvram: In DirSlotN: ROUTERNAME#dir /all nvram: HIT COMMAND:ROUTERNAME#dir /all bootflash: In DirSlotN: ROUTERNAME#dir /all bootflash: HIT COMMAND:ROUTERNAME#dir /all slot0: In DirSlotN: ROUTERNAME#dir /all slot0: HIT COMMAND:ROUTERNAME#dir /all disk0: In DirSlotN: ROUTERNAME#dir /all disk0: HIT COMMAND:ROUTERNAME#dir /all slot1: In DirSlotN: ROUTERNAME#dir /all slot1: HIT 
COMMAND:ROUTERNAME#dir /all disk1:
In DirSlotN: ROUTERNAME#dir /all disk1:
HIT COMMAND:ROUTERNAME#dir /all slot2:
In DirSlotN: ROUTERNAME#dir /all slot2:
HIT COMMAND:ROUTERNAME#dir /all disk2:
In DirSlotN: ROUTERNAME#dir /all disk2:
HIT COMMAND:ROUTERNAME#dir /all sup-bootflash:
In DirSlotN: ROUTERNAME#dir /all sup-bootflash:
HIT COMMAND:ROUTERNAME#dir /all sup-microcode:
In DirSlotN: ROUTERNAME#dir /all sup-microcode:
HIT COMMAND:ROUTERNAME#show controllers
In ShowContAll: ROUTERNAME#show controllers
HIT COMMAND:ROUTERNAME#show diagbus
In ShowDiagbus: ROUTERNAME#show diagbus
HIT COMMAND:ROUTERNAME#show module
In ShowModule: ROUTERNAME#show module
HIT COMMAND:ROUTERNAME#show c7200
In ShowC7200: ROUTERNAME#show c7200
HIT COMMAND:ROUTERNAME#show vtp status
In ShowVTP: ROUTERNAME#show vtp status
HIT COMMAND:ROUTERNAME#show vlan
In ShowVLAN: ROUTERNAME#show vlan
HIT COMMAND:ROUTERNAME#write term
In WriteTerm: ROUTERNAME#write term
Done : ROUTERNAME#exit
ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus
ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus

Which looks good, and makes a .new file, but it still runs all 4 times. I am looking at the rancid code but I fear I am not man enough. Any help would be appreciated.
From afort at choqolat.org Tue Jan 6 05:22:18 2004
From: afort at choqolat.org (Andrew Fort) Date: Tue, 06 Jan 2004 16:22:18 +1100 Subject: integration of security enhancement patch In-Reply-To: <20040105102040.GA5597@hendrix.code.de> References: <946FD6186E8D4E46AB4F6FDD23AAE864015A00FC@pvdexc02.jwu.edu> <20040105102040.GA5597@hendrix.code.de> Message-ID: <3FFA460A.1060203@choqolat.org>

On 5/01/2004 9:20 PM, Erik Wenzel wrote:
>On Fri, Jan 02, 2004 at 01:34:56PM -0500, Joshua Wright wrote:
>[...]
>>Changing RANCID to perform "show startup-config" instead of a running configuration is "a bad idea" (tm). If an attacker were able to compromise your router and make changes to the configuration, RANCID in its current state will identify the changes and let you know about it. If RANCID used "show startup-config" instead, you would be unaware of the changes until they were saved. The running configuration is a better reflection of the state of the router.
>
>Using Rancid to check if an attacker is compromising your routers is only possible if only one person is having write access. If you have a colleague you are not able to distinguish configuration changes coming from your colleague or an attacker. So, using RANCID for that purpose is one thing. On the other hand is the purpose of having backups for disaster recovery and for that I can't see a reason to prefer one of the other. In a production environment I consider it "a bad idea (TM)" to have a difference between both configurations.

I think you both have a point worthy of argument, but no one wins arguments. There's no reason why the site administrator can't do this locally, nor why it could not be a configuration (bin/env) variable. The quick hack I just did to do this is kinda ugly (rewrite both the %commands and @commands variables _entirely_, based on whether an ENV variable is set one way or another), so I won't submit it if there's a cleaner way to just re-write that last line. Can someone submit a cleaner method?
(Default behaviour remains the same, i.e., if there's no variable in the bin/env file).

What do other people think? I've often had people ask me "oh, why doesn't RANCID look at the startup config", and I've explained it as Joshua has, above, but Erik makes a good point, and this seems like something that should be decided by the administrator.

-afort
From afort at choqolat.org Tue Jan 6 05:29:50 2004
From: afort at choqolat.org (Andrew Fort) Date: Tue, 06 Jan 2004 16:29:50 +1100 Subject: Newbie Problem In-Reply-To: <3FF9F011.80800@finalstate.com> References: <3FF9F011.80800@finalstate.com> Message-ID: <3FFA47CE.7000400@choqolat.org>

On 6/01/2004 10:15 AM, Kevin O'Malley wrote:
> Greetings All,
>
> [rancid at localhost rancid]$ rancid -d -l ROUTERNAME
[snip]
> Done : ROUTERNAME#exit
>
> ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus
> ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus
>
> Which looks good, and makes a .new file, but it still runs all 4 times. I am looking at the rancid code but I fear I am not man enough. Any help would be appreciated.

Check the .new file for the exchange between expect and the router's output around the command 'show diag', 'show install active', and 'show controllers cbus'. If you have output and it all looks like it should be OK, then the "rancid" program (parser) is missing those bits for whatever reason. If this is so, try upgrading to 2.3beta first off as some similar sounding parser bugs have been cleaned up recently (check the recent list archives for occurrences of "ftp.shrubbery.net" to get the link).

-afort
From scriptboy at finalstate.com Tue Jan 6 10:27:40 2004
From: scriptboy at finalstate.com (Kevin O'Malley) Date: Tue, 06 Jan 2004 05:27:40 -0500 Subject: Newbie Problem In-Reply-To: <3FFA47CE.7000400@choqolat.org> References: <3FF9F011.80800@finalstate.com> <3FFA47CE.7000400@choqolat.org> Message-ID: <3FFA8D9C.8010602@finalstate.com>

Ahh... Much better. 2.3beta resolved the issue. Thank you very much.

KO'M

Andrew Fort wrote:
> On 6/01/2004 10:15 AM, Kevin O'Malley wrote:
>> Greetings All,
>>
>> [rancid at localhost rancid]$ rancid -d -l ROUTERNAME
>
> [snip]
>
>> Done : ROUTERNAME#exit
>>
>> ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus
>> ROUTERNAME: missed cmd(s): show diag,show install active,show controllers cbus
>>
>> Which looks good, and makes a .new file, but it still runs all 4 times. I am looking at the rancid code but I fear I am not man enough. Any help would be appreciated.
>
> Check the .new file for the exchange between expect and the router's output around the command 'show diag', 'show install active', and 'show controllers cbus'. If you have output and it all looks like it should be OK, then the "rancid" program (parser) is missing those bits for whatever reason. If this is so, try upgrading to 2.3beta first off as some similar sounding parser bugs have been cleaned up recently (check the recent list archives for occurrences of "ftp.shrubbery.net" to get the link).
>
> -afort
From yuvalba at netvision.net.il Tue Jan 6 13:12:17 2004
From: yuvalba at netvision.net.il (Yuval Ben-Ari) Date: Tue, 6 Jan 2004 15:12:17 +0200 Subject: ignoring some changes Message-ID: Hi, I would like to have the option to ignore certain lines that keep changing every time "write mem" is done on the router. like "config.text" files on IOS Catalyst's or local user passwords on certain IOS's. currently it is done by hack to bin/rancid itself which filters these lines altogether but I would rather just ignore it during the cvs diff operation. Is there an easy place to add regexp of lines that should be ignored during the diff operation ? example of unwanted diffs: @@ -26,9 +26,9 @@ ! !Flash: Directory of flash:/ !Flash: 7 drwx 320 Mar 01 1993 20:17:06 c1100-k9w7-mx.122-13.JA1 +!Flash: 2 -rwx 1951 Mar 01 1993 23:47:13 private-config !Flash: 3 -rwx 212 Mar 01 1993 00:10:06 env_vars -!Flash: 4 -rwx 2589 Mar 01 1993 17:47:38 config.txt -!Flash: 5 -rwx 1951 Mar 01 1993 17:47:38 private-config +!Flash: 5 -rwx 2589 Mar 01 1993 23:47:13 config.txt !Flash: 7741440 bytes total (4176384 bytes free) ! ! Thanks Yuval From heas at shrubbery.net Tue Jan 6 17:20:15 2004 From: heas at shrubbery.net (john heasley) Date: Tue, 6 Jan 2004 09:20:15 -0800 Subject: ignoring some changes In-Reply-To: References: Message-ID: <20040106172015.GC3502@shrubbery.net> Tue, Jan 06, 2004 at 03:12:17PM +0200, Yuval Ben-Ari: > Hi, > > I would like to have the option to ignore certain lines that keep > changing every time "write mem" is done on the router. > like "config.text" files on IOS Catalyst's or local user passwords on > certain IOS's. > currently it is done by hack to bin/rancid itself which filters these > lines altogether but I would rather just ignore it during the cvs diff > operation. > Is there an easy place to add regexp of lines that should be ignored > during the diff operation ? not ATM. we have discussed this a bit and plan to add something after the next release (ie: after 2.3). > example of unwanted diffs: 
> > @@ -26,9 +26,9 @@ > ! > !Flash: Directory of flash:/ > !Flash: 7 drwx 320 Mar 01 1993 20:17:06 > c1100-k9w7-mx.122-13.JA1 > +!Flash: 2 -rwx 1951 Mar 01 1993 23:47:13 private-config > !Flash: 3 -rwx 212 Mar 01 1993 00:10:06 env_vars > -!Flash: 4 -rwx 2589 Mar 01 1993 17:47:38 config.txt > -!Flash: 5 -rwx 1951 Mar 01 1993 17:47:38 private-config > +!Flash: 5 -rwx 2589 Mar 01 1993 23:47:13 config.txt > !Flash: 7741440 bytes total (4176384 bytes free) > ! > ! > > > Thanks > Yuval From heas at shrubbery.net Wed Jan 7 03:01:46 2004 From: heas at shrubbery.net ('john heasley') Date: Tue, 6 Jan 2004 19:01:46 -0800 Subject: Riverstones and RANCID In-Reply-To: <00d901c3bd6f$e11eaf90$1701a8c0@ALEC> References: <20031205175015.GP13880@shrubbery.net> <00d901c3bd6f$e11eaf90$1701a8c0@ALEC> Message-ID: <20040107030146.GK3502@shrubbery.net> Mon, Dec 08, 2003 at 12:44:31PM +0300, Alexander Voropay: > Hi! > > >It is (will be) included in rancid 2-3. you are welcome to try the EFT > image here: > > ftp://ftp.shrubbery.net/outgoing/rancid-2.3.eft5.tar.gz > > Could you rename the RANCID's 'rename' utility too ? > > It conflicts with RedHat's '/usr/bin/rename' from the "util-linux" > package (system). > This "util-linux" also includes "/bin/login" "/sbin/clock" e.t.c. so, it > is very hard > to recompile/remove this package. So, RANCID incompatible with > RedHat-based > systems... we're not sure which solution we'll choose, but 'rename' will not appear in 2.3. > P.S. I'm trying to create a ~good~ "rancid.spec" file to build RANCID as > RPM. > I've renamed 'rename' to 'rancid-rename' now. > > P.P.S. Will you update rancid's web-page > http://www.shrubbery.net/rancid/ to new version ? it current points to 2.2.2 & patches; when 2.3 is released, it will be updated. From heas at shrubbery.net Wed Jan 7 04:03:16 2004 
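Yuval asks above for a place to hang regexps for lines that should be ignored during the diff, and heasley answers that nothing of the sort exists yet. The following is an added example, not rancid's own code and not something anyone in the thread posted: a post-filter over the unified diff that cvs diff produces, which drops every hunk whose added and removed lines all match an ignore pattern, so that a mail goes out only when something other than the flash directory listing changed. The sample diff is constructed after the one quoted in the thread; the IGNORE_PATTERNS list, in particular the ntp clock-period entry, and the preamble lines are assumptions.

```python
"""Drop diff hunks whose only changes are lines known to churn.

Added example for the rancid-discuss thread on ignoring lines that change
on every 'write mem'. It is not rancid's own code: it post-processes the
unified diff that 'cvs diff' hands to rancid's mailer, before it is sent.
"""
import re

# Lines that change without a real configuration change. The first pattern
# covers the flash directory listing quoted in the thread (config.txt and
# private-config are rewritten by 'write mem'); the second is an assumption
# about another common IOS churn line, not something the thread mentions.
IGNORE_PATTERNS = [
    r"^!Flash:.*\s(config\.txt|private-config)$",
    r"^ntp clock-period \d+$",
]

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")


def split_hunks(diff_lines):
    """Split a unified diff into (preamble, hunks).

    preamble: the lines before the first '@@' header (Index:, ---/+++ ...).
    hunks:    one list per hunk, each starting with its '@@' header line.
    """
    preamble, hunks, current = [], [], None
    for line in diff_lines:
        if HUNK_HEADER.match(line):
            current = [line]
            hunks.append(current)
        elif current is None:
            preamble.append(line)
        else:
            current.append(line)
    return preamble, hunks


def hunk_is_noise(hunk, patterns=IGNORE_PATTERNS):
    """True when every '+' or '-' line of the hunk matches an ignore pattern.

    Context lines (leading space) are not looked at; a hunk with no changed
    lines at all also counts as noise.
    """
    compiled = [re.compile(p) for p in patterns]
    changed = [line[1:] for line in hunk[1:] if line[:1] in ("+", "-")]
    return all(any(c.match(body) for c in compiled) for body in changed)


def filter_diff(diff_text, patterns=IGNORE_PATTERNS):
    """Return diff_text without its noise-only hunks, or '' if none survive.

    An empty result is the signal to send no mail.
    """
    preamble, hunks = split_hunks(diff_text.splitlines())
    kept = [h for h in hunks if not hunk_is_noise(h, patterns)]
    if not kept:
        return ""
    return "\n".join(preamble + [line for h in kept for line in h]) + "\n"


# Constructed sample, modelled on the diff quoted in the thread: the first
# hunk is pure flash-listing churn, the second is a change you want to see.
NOISE_HUNK = """\
@@ -26,9 +26,9 @@
 !
 !Flash: Directory of flash:/
 !Flash:    7  drwx         320   Mar 01 1993 20:17:06  c1100-k9w7-mx.122-13.JA1
+!Flash:    2  -rwx        1951   Mar 01 1993 23:47:13  private-config
 !Flash:    3  -rwx         212   Mar 01 1993 00:10:06  env_vars
-!Flash:    4  -rwx        2589   Mar 01 1993 17:47:38  config.txt
-!Flash:    5  -rwx        1951   Mar 01 1993 17:47:38  private-config
+!Flash:    5  -rwx        2589   Mar 01 1993 23:47:13  config.txt
 !Flash: 7741440 bytes total (4176384 bytes free)
 !
 !
"""
REAL_HUNK = """\
@@ -40,3 +40,4 @@
 service timestamps log datetime
+ip http server
 no ip domain-lookup
 !
"""
PREAMBLE = "--- configs/sw1\t5 Jan 2004 16:20:25 -0000\t1.7\n+++ configs/sw1\t6 Jan 2004 16:20:31 -0000\n"
NOISE_ONLY_DIFF = PREAMBLE + NOISE_HUNK
MIXED_DIFF = PREAMBLE + NOISE_HUNK + REAL_HUNK

if __name__ == "__main__":
    print(repr(filter_diff(NOISE_ONLY_DIFF)))   # '' -> nothing to mail
    print(filter_diff(MIXED_DIFF), end="")      # only the 'ip http server' hunk
```

Filtering the diff before it is mailed still commits the churn to CVS, which is the safer side to be on: the repository keeps what the device actually reported, and only the notification is quietened. Keep the patterns narrow; an ignore rule that matches a whole command family would also hide a change an intruder made there.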
From: heas at shrubbery.net (john heasley) Date: Tue, 6 Jan 2004 20:03:16 -0800 Subject: integration of security enhancement patch In-Reply-To: <3FFA460A.1060203@choqolat.org> References: <946FD6186E8D4E46AB4F6FDD23AAE864015A00FC@pvdexc02.jwu.edu> <20040105102040.GA5597@hendrix.code.de> <3FFA460A.1060203@choqolat.org> Message-ID: <20040107040315.GO3502@shrubbery.net>

Tue, Jan 06, 2004 at 04:22:18PM +1100, Andrew Fort:
> On 5/01/2004 9:20 PM, Erik Wenzel wrote:
> >On Fri, Jan 02, 2004 at 01:34:56PM -0500, Joshua Wright wrote:
> >[...]
> >>Changing RANCID to perform "show startup-config" instead of a running configuration is "a bad idea" (tm). If an attacker were able to compromise your router and make changes to the configuration, RANCID in its current state will identify the changes and let you know about it. If RANCID used "show startup-config" instead, you would be unaware of the changes until they were saved. The running configuration is a better reflection of the state of the router.
> >
> >Using Rancid to check if an attacker is compromising your routers is only possible if only one person is having write access. If you have a colleague you are not able to distinguish configuration changes coming from your colleague or an attacker. So, using RANCID for that purpose is one thing. On the other hand is the purpose of having backups for disaster recovery and for that I can't see a reason to prefer one of the other. In a production environment I consider it "a bad idea (TM)" to have a difference between both configurations.
>
> I think you both have a point worthy of argument, but no one wins arguments. There's no reason why the site administrator can't do this locally, nor why it could not be a configuration (bin/env) variable.
> The quick hack I just did to do this is kinda ugly (rewrite both the %commands and @commands variables _entirely_, based on whether an ENV variable is set one way or another), so I won't submit it if there's a cleaner way to just re-write that last line. Can someone submit a cleaner method? (Default behaviour remains the same, i.e., if there's no variable in the bin/env file).
>
> What do other people think? I've often had people ask me "oh, why doesn't RANCID look at the startup config", and I've explained it as Joshua has, above, but Erik makes a good point, and this seems like something that should be decided by the administrator.

just want to add two bits to this.

1) "router has the canonical config", ie: what's in nvram is authoritative, is a practice that most folks grow out of. you will eventually begin to generate your configs and load those into nvram.

2) what i'd like to add for rancid 3.0 (or whatever) are boiler-plate device types. for example, type "cisco" runs commands x, y, & z. but, a user can define their own type, cisco-startup which might run x, y, z, & show startup-config. not quite sure how to do that yet.
From afort at choqolat.org Wed Jan 7 05:28:48 2004
From: afort at choqolat.org (Andrew Fort) Date: Wed, 07 Jan 2004 16:28:48 +1100 Subject: integration of security enhancement patch In-Reply-To: <20040107040315.GO3502@shrubbery.net> References: <946FD6186E8D4E46AB4F6FDD23AAE864015A00FC@pvdexc02.jwu.edu> <20040105102040.GA5597@hendrix.code.de> <3FFA460A.1060203@choqolat.org> <20040107040315.GO3502@shrubbery.net> Message-ID: <3FFB9910.8010901@choqolat.org> On 7/01/2004 3:03 PM, john heasley wrote: >2) what i'd like to add for rancid 3.0 (or whatever) are boiler-plate device > types. for example, type "cisco" runs commands x, y, & z. but, a user > can define their own type, cisco-startup which might run x, y, z, & show > startup-config. not quite sure how to do that yet. > > Thinking out loud here, but... How about merging the concept covered in 'rancid-fe' with this, so you have a device type which nominates a given *rancid script to execute and also a file which has the commands for that script to run, along with the function names to parse them. The parsers commands are split out into a perl module or similar, with examples on how to write your own and what inputs to expect and outputs to provide. -afort From heas at shrubbery.net Wed Jan 7 06:25:26 2004 
From: heas at shrubbery.net (john heasley) Date: Tue, 6 Jan 2004 22:25:26 -0800 Subject: integration of security enhancement patch In-Reply-To: <3FFB9910.8010901@choqolat.org> References: <946FD6186E8D4E46AB4F6FDD23AAE864015A00FC@pvdexc02.jwu.edu> <20040105102040.GA5597@hendrix.code.de> <3FFA460A.1060203@choqolat.org> <20040107040315.GO3502@shrubbery.net> <3FFB9910.8010901@choqolat.org> Message-ID: <20040107062526.GJ8088@shrubbery.net> Wed, Jan 07, 2004 at 04:28:48PM +1100, Andrew Fort: > On 7/01/2004 3:03 PM, john heasley wrote: > > >2) what i'd like to add for rancid 3.0 (or whatever) are boiler-plate > >device > > types. for example, type "cisco" runs commands x, y, & z. but, a user > > can define their own type, cisco-startup which might run x, y, z, & show > > startup-config. not quite sure how to do that yet. > > > > > > Thinking out loud here, but... > How about merging the concept covered in 'rancid-fe' with this, so you > have a device type which nominates a given *rancid script to execute and > also a file which has the commands for that script to run, along with > the function names to parse them. The parsers commands are split out > into a perl module or similar, with examples on how to write your own > and what inputs to expect and outputs to provide. that is what i had in mind. plus some default device "types". From koch at tiscali.net Wed Jan 7 11:04:26 2004 
From: koch at tiscali.net (Alexander Koch) Date: Wed, 7 Jan 2004 12:04:26 +0100 Subject: Adding "show chassis alarms" to jrancid In-Reply-To: References: Message-ID: <20040107110426.GF20019@shekinah.ip.tiscali.net>

On Mon, 5 January 2004 10:23:47 +0100, Alastair Galloway wrote:
> Has anyone out there added "show chassis alarms" to jrancid? If not I think that I will as it'd be handy to see.

It is very handy, indeed! We added it and it helps us when our NOC does not see these &&%$?&%)&?"= Juniper power supplies breaking every few months. All these fan failures are really nasty.

Also 'fxp0 down' is handy to see in rancid, would not have been spotted that easily otherwise... our NOC is our NOC, and we are we, sort of. I do not rely on some SNMP crab to tell me so...

Regards,
Alexander

--
Alexander Koch / ako4-ripe
IP Engineering, Tiscali International Network
Robert-Bosch-Strasse 32, D-63303 Dreieich, Germany
Phone +49 6103 916 480, Fax +49 6103 916 464
From heas at shrubbery.net Wed Jan 7 20:26:35 2004
From: heas at shrubbery.net (john heasley) Date: Wed, 7 Jan 2004 12:26:35 -0800 Subject: Adding "show chassis alarms" to jrancid In-Reply-To: <20040107110426.GF20019@shekinah.ip.tiscali.net> References: <20040107110426.GF20019@shekinah.ip.tiscali.net> Message-ID: <20040107202635.GE8088@shrubbery.net>

Wed, Jan 07, 2004 at 12:04:26PM +0100, Alexander Koch:
> On Mon, 5 January 2004 10:23:47 +0100, Alastair Galloway wrote:
> > Has anyone out there added "show chassis alarms" to jrancid? If not I think that I will as it'd be handy to see.
>
> It is very handy, indeed! We added it and it helps us when our NOC does not see these &&%$?&%)&?"= Juniper power supplies breaking every few months. All these fan failures are really nasty.
>
> Also 'fxp0 down' is handy to see in rancid, would not have been spotted that easily otherwise... our NOC is our NOC, and we are we, sort of. I do not rely on some SNMP crab to tell me so...
>
> Regards,
> Alexander
>
> --
> Alexander Koch / ako4-ripe
> IP Engineering, Tiscali International Network
> Robert-Bosch-Strasse 32, D-63303 Dreieich, Germany
> Phone +49 6103 916 480, Fax +49 6103 916 464

could someone provide an example of this command's output? I dont seem to have any alarms ATM.
From asr at latency.net Wed Jan 7 23:40:09 2004
From: asr at latency.net (Adam Rothschild) Date: Wed, 7 Jan 2004 18:40:09 -0500 Subject: Adding "show chassis alarms" to jrancid In-Reply-To: <20040107202635.GE8088@shrubbery.net> References: <20040107110426.GF20019@shekinah.ip.tiscali.net> <20040107202635.GE8088@shrubbery.net> Message-ID: <20040107234008.GH16787@latency.net>

On 2004-01-07-15:26:35, john heasley wrote:
> could someone provide an example of this command's output? I dont seem to have any alarms ATM.

    asr at jewnipper.lab> show chassis alarms
    1 alarms currently active
    Alarm time               Class  Description
    2004-01-07 18:38:31 EST  Major  fxp0: ethernet link down

Hope this helps,
-a
From mohacsi at niif.hu Thu Jan 8 08:08:04 2004
From: mohacsi at niif.hu (Mohacsi Janos) Date: Thu, 8 Jan 2004 09:08:04 +0100 (CET) Subject: Adding "show chassis alarms" to jrancid In-Reply-To: <20040107202635.GE8088@shrubbery.net> References: <20040107110426.GF20019@shekinah.ip.tiscali.net> <20040107202635.GE8088@shrubbery.net> Message-ID: <20040108090449.S73143@mignon.ki.iif.hu>

On Wed, 7 Jan 2004, john heasley wrote:
> Wed, Jan 07, 2004 at 12:04:26PM +0100, Alexander Koch:
> > On Mon, 5 January 2004 10:23:47 +0100, Alastair Galloway wrote:
> > > Has anyone out there added "show chassis alarms" to jrancid? If not I think that I will as it'd be handy to see.
> >
> > It is very handy, indeed! We added it and it helps us when our NOC does not see these &&%$?&%)&?"= Juniper power supplies breaking every few months. All these fan failures are really nasty.
> >
> > Also 'fxp0 down' is handy to see in rancid, would not have been spotted that easily otherwise... our NOC is our NOC, and we are we, sort of. I do not rely on some SNMP crab to tell me so...
> >
> > Regards,
> > Alexander
> >
> > --
> > Alexander Koch / ako4-ripe
> > IP Engineering, Tiscali International Network
> > Robert-Bosch-Strasse 32, D-63303 Dreieich, Germany
> > Phone +49 6103 916 480, Fax +49 6103 916 464
>
> could someone provide an example of this command's output? I dont seem to have any alarms ATM.

If there is no alarm you see:

    >show chassis alarms
    No alarms currently active

If there are some alarms:

    user at host> show chassis alarms
    3 alarms are currently active
    Alarm time               Class  Description
    2000-02-07 10:12:22 UTC  Major  fxp0: ethernet link down
    2000-02-07 10:11:54 UTC  Minor  YELLOW ALARM - PEM 1 Removed
    2000-02-07 10:11:03 UTC  Minor  YELLOW ALARM - Lower Fan Tray Removed

The last was taken from the Juniper documentation.

Regards,
Janos Mohacsi
From hank at rem.com Fri Jan 9 07:02:44 2004
From: hank at rem.com (Henry Kilmer) Date: Fri, 9 Jan 2004 02:02:44 -0500 Subject: integration of security enhancement patch In-Reply-To: <3FFA460A.1060203@choqolat.org> References: <946FD6186E8D4E46AB4F6FDD23AAE864015A00FC@pvdexc02.jwu.edu> <20040105102040.GA5597@hendrix.code.de> <3FFA460A.1060203@choqolat.org> Message-ID: <16382.21012.43804.773588@durmstrang.padfoot.com> Rancid's original goal was to track the changes in the running network. That meant grabbing the running configs since they might have changed from the startup config (people forget/don't want to save configs all the time). It is useful to track on-going changes too if you work in a NOC. If changes are made and a save isn't done, the configs rancid stores (if using the startup configs) would not restore the router as well. It was always my opinion when this topic got brought up that it was trivial for a site to make the change to grab the startup config if they really wanted but that rancid's default should be the running config. -Hank Andrew Fort writes: >On 5/01/2004 9:20 PM, Erik Wenzel wrote: > >>On Fri, Jan 02, 2004 at 01:34:56PM -0500, Joshua Wright wrote: >>[...] >> >> >>>Changing RANCID to perform "show startup-config" instead of a running >>>configuration is "a bad idea" (tm). If an attacker were able to >>>compromise your router and make changes to the configuration, RANCID >>>in its current state will identify the changes and let you know about >>>it. If RANCID used "show startup-config" instead, you would be >>>unaware of the changes until they were saved. The running >>>configuration is a better reflection of the state of the router. >>> >>> >>Using Rancid to check if an attacker is compromising your routers is >>only possible if only one person is having write access. If you have >>a colleague you are not able to distinguish configuration changes coming >>from your colleague or an attacker. So, using RANCID for that purpose is >>one thing. 
>>On the other hand is the purpose of having backups for disaster recovery and for that I can't see a reason to prefer one of the other. In a production environment I consider it "a bad idea (TM)" to have a difference between both configurations.
>
>I think you both have a point worthy of argument, but no one wins arguments. There's no reason why the site administrator can't do this locally, nor why it could not be a configuration (bin/env) variable. The quick hack I just did to do this is kinda ugly (rewrite both the %commands and @commands variables _entirely_, based on whether an ENV variable is set one way or another), so I won't submit it if there's a cleaner way to just re-write that last line. Can someone submit a cleaner method? (Default behaviour remains the same, i.e., if there's no variable in the bin/env file).
>
>What do other people think? I've often had people ask me "oh, why doesn't RANCID look at the startup config", and I've explained it as Joshua has, above, but Erik makes a good point, and this seems like something that should be decided by the administrator.
>
>-afort
From mohacsi at niif.hu Fri Jan 9 08:20:30 2004
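Joshua Wright's point above (an unsaved change made by an intruder is invisible to a startup-config poll until it is written) and Erik's (running and startup should never differ on a production box) are both served by one check that neither default gives you: collect both and report the difference. The following is an added example, not rancid's code and not posted by anyone in this thread. It takes the text of 'show running-config' and 'show startup-config' as clogin would capture them (constructed samples here), strips the header and separator lines that differ on every device, and lists what is active but not saved and what is saved but no longer active. The VOLATILE patterns beyond the standard IOS headers, the ntp clock-period one in particular, are assumptions to tune per platform.

```python
"""Report drift between an IOS device's running-config and startup-config.

Added example, not rancid's own code: given the text of 'show running-config'
and 'show startup-config' (as clogin would capture them), list the lines that
are in effect but not saved, and the lines saved but no longer in effect.
"""
import difflib
import re

# Lines that differ between the two outputs on every device and carry no
# configuration: IOS banners, change timestamps, '!' separators, blanks.
# The ntp clock-period entry is an assumption about a common churn line.
VOLATILE = [
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration\b"),
    re.compile(r"^Using \d+ out of \d+ bytes"),
    re.compile(r"^! (Last configuration change|NVRAM config last updated|No configuration change)"),
    re.compile(r"^ntp clock-period \d+$"),
    re.compile(r"^!$"),
    re.compile(r"^\s*$"),
]


def normalize(config_text):
    """Return the config as a list of lines with CRs, trailing blanks and
    volatile lines removed, so only real statements take part in the diff."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip("\r \t")
        if any(p.match(line) for p in VOLATILE):
            continue
        lines.append(line)
    return lines


def config_drift(running, startup):
    """Return (unsaved, reverted).

    unsaved:  lines present in running but not in startup; they are active
              now and will vanish at the next reload.
    reverted: lines present in startup but not in running; they will come
              back at the next reload.
    Order is preserved and repeated lines (the same 'access-class' under
    different 'line' blocks) are matched positionally, not as a set.
    """
    start_lines, run_lines = normalize(startup), normalize(running)
    matcher = difflib.SequenceMatcher(None, start_lines, run_lines, autojunk=False)
    unsaved, reverted = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "insert"):
            unsaved.extend(run_lines[j1:j2])
        if tag in ("replace", "delete"):
            reverted.extend(start_lines[i1:i2])
    return unsaved, reverted


def report(running, startup):
    """Human-readable summary in the +/- style of rancid's diff mails."""
    unsaved, reverted = config_drift(running, startup)
    if not unsaved and not reverted:
        return "running-config matches startup-config"
    out = ["running-config differs from startup-config:"]
    out += ["  + " + line for line in unsaved]
    out += ["  - " + line for line in reverted]
    return "\n".join(out)


# Constructed samples: the running config has an HTTP server enabled and
# the vty access list widened, neither of which has been written to NVRAM.
STARTUP_CONFIG = """\
Using 1234 out of 32768 bytes
!
! Last configuration change at 09:12:04 UTC Tue Jan 6 2004
!
version 12.2
hostname sw1
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
!
end
"""
RUNNING_CONFIG = """\
Building configuration...

Current configuration : 1301 bytes
!
! Last configuration change at 10:45:31 UTC Tue Jan 6 2004
!
version 12.2
hostname sw1
!
ip http server
!
access-list 10 permit any
!
line vty 0 4
 access-class 10 in
!
end
"""

if __name__ == "__main__":
    print(report(RUNNING_CONFIG, STARTUP_CONFIG))
```

Run against the two outputs of one device this answers both camps at once: an empty report means the saved config is the real one and can be treated as canonical; a non-empty one is either a colleague who forgot 'write mem' or a change nobody admits to, and either way it deserves a look before the next reload quietly reverts it.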
From: mohacsi at niif.hu (Mohacsi Janos) Date: Fri, 9 Jan 2004 09:20:30 +0100 (CET) Subject: integration of security enhancement patch In-Reply-To: <16382.21012.43804.773588@durmstrang.padfoot.com> References: <946FD6186E8D4E46AB4F6FDD23AAE864015A00FC@pvdexc02.jwu.edu> <20040105102040.GA5597@hendrix.code.de> <3FFA460A.1060203@choqolat.org> <16382.21012.43804.773588@durmstrang.padfoot.com> Message-ID: <20040109090404.H91437@mignon.ki.iif.hu>

On Fri, 9 Jan 2004, Henry Kilmer wrote:
> Rancid's original goal was to track the changes in the running network. That meant grabbing the running configs since they might have changed from the startup config (people forget/don't want to save configs all the time). It is useful to track on-going changes too if you work in a NOC. If changes are made and a save isn't done, the configs rancid stores (if using the startup configs) would not restore the router as well.
>
> It was always my opinion when this topic got brought up that it was trivial for a site to make the change to grab the startup config if they really wanted but that rancid's default should be the running config.
>
> -Hank

I would like to start with the broader view. I think the CVS of rancid should reflect the stable and working configuration. I am usually not interested in the transient state of the router. In my opinion the running config is only interesting if:
- you are actually configuring something,
- you are running a certain test,
- the results are not sure.
If you look at another type of router, for example a Juniper router, you can always see the "startup config". You can see the transient config only if you are in the config mode.... So my vote would be to default to the startup config, with a possible option for the running config.
Best Regards,
Janos Mohacsi
Network Engineer, Research Associate
NIIF/HUNGARNET, HUNGARY
Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98

> Andrew Fort writes:
> >On 5/01/2004 9:20 PM, Erik Wenzel wrote:
> >>On Fri, Jan 02, 2004 at 01:34:56PM -0500, Joshua Wright wrote:
> >>[...]
> >>>Changing RANCID to perform "show startup-config" instead of a running configuration is "a bad idea" (tm). If an attacker were able to compromise your router and make changes to the configuration, RANCID in its current state will identify the changes and let you know about it. If RANCID used "show startup-config" instead, you would be unaware of the changes until they were saved. The running configuration is a better reflection of the state of the router.
> >>
> >>Using Rancid to check if an attacker is compromising your routers is only possible if only one person is having write access. If you have a colleague you are not able to distinguish configuration changes coming from your colleague or an attacker. So, using RANCID for that purpose is one thing. On the other hand is the purpose of having backups for disaster recovery and for that I can't see a reason to prefer one of the other. In a production environment I consider it "a bad idea (TM)" to have a difference between both configurations.
> >
> >I think you both have a point worthy of argument, but no one wins arguments. There's no reason why the site administrator can't do this locally, nor why it could not be a configuration (bin/env) variable. The quick hack I just did to do this is kinda ugly (rewrite both the %commands and @commands variables _entirely_, based on whether an ENV variable is set one way or another), so I won't submit it if there's a cleaner way to just re-write that last line. Can someone submit a cleaner method?
> >(Default behaviour remains the same, i.e., if there's no variable in the bin/env file).
> >
> >What do other people think? I've often had people ask me "oh, why doesn't RANCID look at the startup config", and I've explained it as Joshua has, above, but Erik makes a good point, and this seems like something that should be decided by the administrator.
> >
> >-afort
>
From a.voropay at vmb-service.ru Fri Jan 9 10:48:47 2004
From: a.voropay at vmb-service.ru (Alexander Voropay) Date: Fri, 9 Jan 2004 13:48:47 +0300 Subject: vcware and modemware Versions on AS5300 Message-ID: <09c801c3d69e$29127c40$1701a8c0@ALEC>

Hi!

Does anyone have an idea how to add a monitoring of vcware and modemware versions on CISCOs AS5300 ?

    Gate#show vfc 1 version dspware
    Version of Dspware in VFC slot 1 is 3.6.15L

    Gate#show vfc 1 version vcware
    Voice Feature Card in Slot 1:
      VCware Version     : 9.19
      ROM Monitor Version: 1.3
      DSPware Version    : 3.6.15L
      Technology         : C549

    Caller#show modem version
    Codes:
      d - DSP software download is required for achieving K56flex connections

             Modem module   Firmware   Boot    DSP
    Mdm      Number         Rev        Rev     Rev
    2/0      0              2.9.4.0
    2/1      0              2.9.4.0
    2/2      0              2.9.4.0
    2/3      0              2.9.4.0
    2/4      0              2.9.4.0
    2/5      0              2.9.4.0
    2/6      0              2.9.4.0
    2/7      0              2.9.4.0
    2/8      0              2.9.4.0
    2/9      0              2.9.4.0
    ...

--
-=AV=-
From zpiggy1 at skwire.net Fri Jan 9 14:56:02 2004
From: zpiggy1 at skwire.net (Daniel Evans) Date: Fri, 09 Jan 2004 08:56:02 -0600 Subject: Pushing config changes Message-ID: <20040109084202.2A5C.ZPIGGY1@skwire.net>

All,

I'm new to RANCID (and UNIX for that matter) and need help with RANCID. I have successfully issued the following command to add a configuration change to a single Juniper router:

    $ jlogin -x ./Update_File/Policy_1 192.168.100.1

What I need to do is push this file to ~80 additional devices. Is there a way to have a host list used rather than just the single host of 192.168.100.1?

Thanks for any help you can offer!

--
Daniel Evans
From JSahala at fusiontel.com Fri Jan 9 15:02:29 2004
From: JSahala at fusiontel.com (Joshua Sahala) Date: Fri, 9 Jan 2004 10:02:29 -0500 Subject: Pushing config changes Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

it isn't pretty (mostly because my scripting is limited), but it works:

- - create a file with a list of all the ip addresses
- - have your ready-made config changes in a file

    for routers in `cat /rancid/router.list`
    do
        jlogin -x /Update_File/Policy_1 $routers
    done

hth

/joshua

> >-----Original Message-----
> >From: Daniel Evans [mailto:zpiggy1 at skwire.net]
> >Sent: Friday, January 09, 2004 09:56
> >To: RANCID
> >Subject: Pushing config changes
> >
> >All,
> >
> >I'm new to RANCID (and UNIX for that matter) and need help with RANCID. I have successfully issued the following command to add a configuration change to a single Juniper router:
> >
> >$ jlogin -x ./Update_File/Policy_1 192.168.100.1
> >
> >What I need to do is push this file to ~80 additional devices. Is there a way to have a host list used rather than just the single host of 192.168.100.1?
> >
> >Thanks for any help you can offer!
> >
> >--
> >Daniel Evans

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use

iQA/AwUBP/7Che4482rKSzocEQJvfwCfX6G7iXzXwImDe1nlhe8+1oSTmkYAn375
w8bYnhp8u+QGv12mWDsrrzcN
=s+Yx
-----END PGP SIGNATURE-----
From zpiggy1 at skwire.net Fri Jan 9 15:25:29 2004
From: zpiggy1 at skwire.net (Daniel Evans)
Date: Fri, 09 Jan 2004 09:25:29 -0600
Subject: Pushing config changes
In-Reply-To:
References:
Message-ID: <20040109092500.2A5F.ZPIGGY1@skwire.net>

Thanks for the quick help.  I'll give this a shot...

On Fri, 9 Jan 2004 10:02:29 -0500
Joshua Sahala wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> it isn't pretty (mostly because my scripting is limited), but it
> works:
>
> - - create a file with a list of all the ip addresses
> - - have your ready-made config changes in a file
>
> for routers in `cat /rancid/router.list`
> do
>     jlogin -x /Update_File/Policy_1 $routers
> done
>
> hth
>
> /joshua
>
> > >-----Original Message-----
> > >From: Daniel Evans [mailto:zpiggy1 at skwire.net]
> > >Sent: Friday, January 09, 2004 09:56
> > >To: RANCID
> > >Subject: Pushing config changes
> > >
> > >
> > >All,
> > >
> > >I'm new to RANCID (and UNIX for that matter) and need help
> > >with RANCID.
> > >I have successfully issued the following command to add a
> > >configuration
> > >change to a single Juniper router:
> > >
> > >$ jlogin -x ./Update_File/Policy_1 192.168.100.1
> > >
> > >What I need to do is push this file to ~80 additional
> > >devices. Is there
> > >a way to have a host list used rather than just the single host of
> > >192.168.100.1?
> > >
> > >Thanks for any help you can offer!
> > >
> > >--
> > >Daniel Evans
> > >
> > >
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use
>
> iQA/AwUBP/7Che4482rKSzocEQJvfwCfX6G7iXzXwImDe1nlhe8+1oSTmkYAn375
> w8bYnhp8u+QGv12mWDsrrzcN
> =s+Yx
> -----END PGP SIGNATURE-----

--
Daniel Evans
From: ag at a.co.nz (Alastair (Alex) Galloway)
Date: Fri, 9 Jan 2004 16:21:11 +0100 (CET)
Subject: Pushing config changes
Message-ID:

Hi,

Joshua Sahala writes:
> it isn't pretty (mostly because my scripting is limited), but it
> works:
>
> for routers in `cat /rancid/router.list`
> do
>     jlogin -x /Update_File/Policy_1 $routers
> done

I just keep it all on the command line, and also pipe it to tee so that
I can go back and see what happened if something goes wrong.

$ jlogin -x ./Update_File/Policy_1 `cat /rancid/router.list` | tee Policy_1-output

Cheers,

Alastair

From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Fri, 9 Jan 2004 17:47:42 +0200
Subject: vcware and modemware Versions on AS5300
Message-ID:

show modem version seems too long,
you might want to monitor "show spe version"

this routine will do it:

# This routine parses "show spe version"; it reads the command output
# from the INPUT filehandle like the other rancid parse routines.
sub ShowSpeVersion {
    print STDERR "    In ShowSpeVersion: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        return(-1) if (/command authorization failed/i);
        ProcessHistory("MODEM","","","!Modem: $_") && next;
    }
    ProcessHistory("MODEM","","","!\n");
    return(0);
}

also need to add the commands to trigger it in the right place:

        'show spe version'      => "ShowSpeVersion",

        'show spe version',

From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Fri, 9 Jan 2004 17:53:44 +0200
Subject: Pushing config changes
Message-ID:

under bash:

$ clogin -x config_file $(cat routers_list_file)
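The ShowSpeVersion routine above follows the contract that every rancid parse routine follows: strip carriage returns, skip blank lines, stop at the next prompt, return 1 when the device rejects the command (rancid then skips that command), and return -1 when command authorization fails (rancid treats the run as unclean rather than archiving a partial result). The following is an added example, not rancid's own code, that reproduces that contract as a portable awk filter so the behaviour can be exercised without a device; the prompt, the tag and the sample device output are constructed for the example (the sample is modelled on the "show vfc 1 version vcware" output earlier in the thread).

```shell
#!/bin/sh
# Added example (not from rancid): an awk filter with the same contract as
# a rancid parse routine such as ShowSpeVersion. Exit status 0 = prompt
# reached (rancid return 0), 1 = command unsupported (rancid return 1),
# 2 = command authorization failed (rancid return -1).
#
# Usage: rancid_filter PROMPT TAG  < device-output
rancid_filter() {
    awk -v prompt="$1" -v tag="$2" '
        { sub(/\r$/, "") }                                 # tr/\015//d
        $0 ~ ("^" prompt) { exit 0 }                       # last if /^$prompt/
        /^[[:space:]]*$/ { next }                          # skip blank lines
        /^[[:space:]]*\^[[:space:]]*$/ { exit 1 }          # "   ^" error marker
        /Invalid input detected|Type help or / { exit 1 }  # command unsupported
        tolower($0) ~ /command authorization failed/ { exit 2 }
        { print "!" tag ": " $0 }                          # what ProcessHistory emits
    '
}

# Constructed sample of what the router prints after the command line
# "Gate#show vfc 1 version vcware" (CRLF endings as seen over telnet),
# followed by the next prompt and another command's output, which the
# filter must not let through.
sample_output() {
    printf '%s\r\n' \
        'Voice Feature Card in Slot 1:' \
        '  VCware Version      : 9.19' \
        '  ROM Monitor Version : 1.3' \
        '  DSPware Version     : 3.6.15L' \
        '  Technology          : C549' \
        '' \
        'Gate#show version' \
        'this line belongs to the next command'
}

sample_output | rancid_filter 'Gate#' 'VFC'
```

The distinction between the two non-zero results is the security-relevant part: a rejected command only means this platform lacks the feature, while an authorization failure means the collector's privileges changed on the device, and a config archive written after that would be silently incomplete.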
From: heas at shrubbery.net (john heasley)
Date: Fri, 9 Jan 2004 08:14:30 -0800
Subject: Pushing config changes
In-Reply-To:
References:
Message-ID: <20040109161430.GS22884@shrubbery.net>

Fri, Jan 09, 2004 at 10:02:29AM -0500, Joshua Sahala:
> it isn't pretty (mostly because my scripting is limited), but it
> works:
>
> - create a file with a list of all the ip addresses
> - have your ready-made config changes in a file
>
> for routers in `cat /rancid/router.list`
> do
>     jlogin -x /Update_File/Policy_1 $routers
> done

or

for routers in `cat /usr/local/rancid/*/router.db | grep :rancid:up | cut -d' ' -f 1`
do
    echo $routers >> log
    jlogin ... $routers >> log
done

From: zpiggy1 at skwire.net (Daniel Evans)
Date: Fri, 09 Jan 2004 10:16:23 -0600
Subject: Pushing config changes
In-Reply-To:
References:
Message-ID: <20040109101448.2A62.ZPIGGY1@skwire.net>

All,

Thanks!  It's working exactly like I need it to!

-Daniel

On Fri, 9 Jan 2004 17:53:44 +0200
"Yuval Ben-Ari" wrote:

> under bash:
>
> $ clogin -x config_file $(cat routers_list_file)
>

--
Daniel Evans
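The replies above give three ways to fan one change out to many devices: a for loop over a host list, a single jlogin/clogin invocation with the whole list as arguments (piped to tee), and a loop over rancid's own router.db that only touches devices marked up. As an added example that is not rancid's own code, the script below combines those ideas: it selects hosts from router.db files (assuming rancid's "hostname:vendor:state" line format, with "#" comments), then runs the push once per device so each device gets its own log file and its own pass/fail status instead of one interleaved transcript. The push command is a variable (default "jlogin -x", the invocation used in the thread) so the loop can be exercised offline with a stand-in command; the file paths and hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of rancid. Push one change file to every device
# listed as "up" for a given vendor in rancid's router.db files, with a
# per-device log and a per-device result line.

# Print the hostnames from the router.db files given as arguments whose
# vendor field matches $1 and whose state is "up".
# Assumed router.db format: hostname:vendor:state, "#" starts a comment.
up_hosts() {
    vendor=$1; shift
    awk -F: -v vendor="$vendor" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        $2 == vendor && $3 == "up" { print $1 }  # hostname:vendor:state
    ' "$@"
}

# Read hostnames on stdin and run "$PUSH_CMD <changefile> <host>" for each,
# capturing the whole session in $logdir/<host>.log (the same idea as the
# "| tee" in the thread, but one file per device). PUSH_CMD defaults to
# "jlogin -x"; it is overridable so the loop can be tested without devices.
# Returns 0 if every device succeeded, 1 if any push failed.
push_all() {
    changefile=$1 logdir=$2
    failed=0
    mkdir -p "$logdir"
    while read -r host; do
        if ${PUSH_CMD:-jlogin -x} "$changefile" "$host" >"$logdir/$host.log" 2>&1; then
            echo "$host: ok"
        else
            echo "$host: FAILED (see $logdir/$host.log)"
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Real usage with the paths from the thread would be, e.g.:
#   up_hosts juniper /usr/local/rancid/*/router.db \
#       | push_all /Update_File/Policy_1 /var/log/rancid-push
```

Per-device logs matter beyond convenience: when a push fails half-way on one router, the log for that host is the record of exactly which lines were applied before the failure, which is what you need to decide whether to re-run or roll back on that device alone.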
From: jlewis at lewis.org (jlewis at lewis.org)
Date: Fri, 9 Jan 2004 16:41:00 -0500 (EST)
Subject: integration of security enhancement patch
In-Reply-To: <20040109090404.H91437@mignon.ki.iif.hu>
Message-ID:

On Fri, 9 Jan 2004, Mohacsi Janos wrote:

> I would like to start with the broader view. I think CVS of rancid should
> reflect the stable and working configuration. I am usually not interested
> in the transient state of the router. In my opinion the running config is
> only interesting if:
>
> - You are actually configuring something
> - You are running a certain test, - the result are not sure.

Or someone makes changes and neglects to write mem.

There are other odd (beneficial) side effects of having rancid get the
running config.  Cisco as5200's, when low on memory, show a partial
running config.  The rancid email serves as an early warning system,
telling us it's time to reboot an as5200.

> So my vote would be default to startup config, and possible option for
> running config.

I'd vote the other way :)  Keep it as is, and maybe make it an easily
configured option to look at startup configs.

----------------------------------------------------------------------
 Jon Lewis *jlewis at lewis.org*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
From: heas at shrubbery.net ('john heasley')
Date: Fri, 9 Jan 2004 18:41:16 -0800
Subject: Cloginvs dollar signs
In-Reply-To: <64BC9A2B18FC5843BA0DE93548F745F3236F4C99@nihexchange3.nih.gov>
References: <64BC9A2B18FC5843BA0DE93548F745F3236F4C99@nihexchange3.nih.gov>
Message-ID: <20040110024116.GY22884@shrubbery.net>

Tue, Dec 30, 2003 at 11:13:26AM -0500, Gee-clough, Aaron (NIH/CIT):
> > please provide an example of your .cloginrc entry.  afaik,
> > what you've tried should have worked.

I think that I have this one nailed.  I believe that what happens is
proc find() actually returns a list.  because one of the values, your
password, contains a meta-character ($), tcl decides that it should
protect us by deferring (or is it protecting) the eval/expansion of what
would be a variable (ie: $net).  That may not be exactly correct, but...

join()'ing the value seems to fix this; which i've wrapped around all the
find() calls which return a string that may include a meta-character or
a non-integer.  That is, "password" and "user", but not "autoenable" or
"method".

Please try ftp://ftp.shrubbery.net/outgoing/clogin.in

[ i happened across this while googling for answers...

  After a duel with TCL, I return triumphant (but seriously injured; I took a
  blow to the head that may never heal...).
  - Daniel Jacobowitz
]
From: afort at choqolat.org (Andrew Fort)
Date: Sat, 10 Jan 2004 20:52:39 +1100
Subject: *login in perl? (was Re: Cloginvs dollar signs)
In-Reply-To: <20040110024116.GY22884@shrubbery.net>
References: <64BC9A2B18FC5843BA0DE93548F745F3236F4C99@nihexchange3.nih.gov> <20040110024116.GY22884@shrubbery.net>
Message-ID: <3FFFCB67.2020605@choqolat.org>

'john heasley' wrote:

>[ i happened across this while googling for answers...
>
>  After a duel with TCL, I return triumphant (but seriously injured; I took a
>  blow to the head that may never heal...).
>  - Daniel Jacobowitz
>]
>
>

and from the same post,

"
A friend of mine got so fed up with TCL that he rewrote DejaGNU in Perl,
which he's planning to publish in the next couple of weeks.  I can see why.
- Daniel Jacobowitz
"

Has there been much discussion of rewriting *logins in perl?  If so, is
the main hurdle you see porting the -s functionality?

-afort
From: heas at shrubbery.net ('john heasley')
Date: Sat, 10 Jan 2004 10:49:38 -0800
Subject: *login in perl? (was Re: Cloginvs dollar signs)
In-Reply-To: <3FFFCB67.2020605@choqolat.org>
References: <64BC9A2B18FC5843BA0DE93548F745F3236F4C99@nihexchange3.nih.gov> <20040110024116.GY22884@shrubbery.net> <3FFFCB67.2020605@choqolat.org>
Message-ID: <20040110184938.GD22884@shrubbery.net>

Sat, Jan 10, 2004 at 08:52:39PM +1100, Andrew Fort:
> 'john heasley' wrote:
>
> >[ i happened across this while googling for answers...
> >
> >  After a duel with TCL, I return triumphant (but seriously injured; I took
> >  a
> >  blow to the head that may never heal...).
> >  - Daniel Jacobowitz
> >]
> >
> >
>
> and from the same post,
>
> "
> A friend of mine got so fed up with TCL that he rewrote DejaGNU in Perl,
> which he's planning to publish in the next couple of weeks.  I can see why.
> - Daniel Jacobowitz
> "
>
> Has there been much discussion of rewriting *logins in perl?  If so, is
> the main hurdle you see porting the -s functionality?

spot on.  rewriting it in _something_ else, yes.  and, yes, the -s option
is the primary concern.
From: asp at partan.com (Andrew Partan)
Date: Sun, 11 Jan 2004 00:30:10 -0500
Subject: vcware and modemware Versions on AS5300 *&* GSR FRU info
In-Reply-To:
References:
Message-ID: <20040111053010.GA20163@partan.com>

On Fri, Jan 09, 2004 at 05:47:42PM +0200, Yuval Ben-Ari wrote:
> show modem version seems too long,
> you might want to monitor "show spe version"
>
> this routine will do it:

On Fri, Jan 09, 2004 at 06:44:40PM +0200, Yuval Ben-Ari wrote:
> I find it very useful for inventory purposes to include FRU information
> on GSR routers.
> I added the following to sub ShowDiag:

I merged these into rancid.in; can you (or someone) do a check of these
bits to make sure they still work & I didn't blow something?

Thanks,
	--asp

-------------- next part --------------
#! @PERLV_PATH@
##
## $Id: rancid.in,v 1.167 2004/01/11 03:49:13 heas Exp $
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed
## without fee for non-commerical purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is".  The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
##
#
#  RANCID - Really Awesome New Cisco confIg Differ
#
# usage: rancid [-d] [-l] [-f filename | $host]
#
use Getopt::Std;
getopts('dfl');
$log = $opt_l;
$debug = $opt_d;
$file = $opt_f;
$host = $ARGV[0];
$clean_run = 0;
$found_end = 0;
$timeo = 90;                    # clogin timeout in seconds

my(%filter_pwds);               # password filtering mode

# This routine is used to print out the router configuration
sub ProcessHistory {
    my($new_hist_tag,$new_command,$command_string,@string)=(@_);
    if((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
       && defined %history) {
        print eval "$command \%history";
        undef %history;
    }
    if (($new_hist_tag) && ($new_command) && ($command_string)) {
        if ($history{$command_string}) {
            $history{$command_string} = "$history{$command_string}@string";
        } else {
            $history{$command_string} = "@string";
        }
    } elsif (($new_hist_tag) && ($new_command)) {
        $history{++$#history} = "@string";
    } else {
        print "@string";
    }
    $hist_tag = $new_hist_tag;
    $command = $new_command;
    1;
}

sub numerically { $a <=> $b; }

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort numerically keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort values %lines) {
        $sorted_lines[$i] = $key;
        $i++;
    }
    @sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $num (sort {$a <=> $b} keys %lines) {
        $sorted_lines[$i] = $lines{$num};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $addr (sort sortbyipaddr keys %lines) {
        $sorted_lines[$i] = $lines{$addr};
        $i++;
    }
    @sorted_lines;
}

# These two routines will sort based upon IP addresses
sub ipaddrval {
    my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
    $a[3]+256*($a[2]+256*($a[1]+256*$a[0]));
}
sub sortbyipaddr {
    &ipaddrval($a) <=> &ipaddrval($b);
}

# This routine parses "show version"
sub ShowVersion {
    print STDERR "    In ShowVersion: $_" if ($debug);
    my($slaveslot);

    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        next if(/^(\s*|\s*$cmd\s*)$/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (/^Slave in slot (\d+) is running/) {
            $slave = " Slave:";
            $slaveslot = ", slot $1";
            next;
        }

        if (/^Application and Content Networking Software/) {
            $type="CE";
        }
        /^Application and Content Networking Software Release /i &&
            ProcessHistory("COMMENTS","keysort","F1", "!Image: $_") && next;
        /^Cisco Secure PIX /i &&
            ProcessHistory("COMMENTS","keysort","F1", "!Image: $_") && next;
        # PIX fail-over license
        /^This PIX has an?\s+(.*)$/ &&
            ProcessHistory("COMMENTS","keysort","C1", "!$_") && next;
        /^(Cisco )?IOS .* Software,? \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&
            ProcessHistory("COMMENTS","keysort","F1",
                "!Image:$slave Software: $2, $3\n") && next;
        /^([A-Za-z-0-9_]*) Synced to mainline version: (.*)$/ &&
            ProcessHistory("COMMENTS","keysort","F2",
                "!Image:$slave $1 Synced to mainline version: $2\n") && next;
        /^Compiled (.*)$/ &&
            ProcessHistory("COMMENTS","keysort","F3",
                "!Image:$slave Compiled: $1\n") && next;
        /^ROM: (IOS \S+ )?(System )?Bootstrap.*(Version.*)$/ &&
            ProcessHistory("COMMENTS","keysort","G1",
                "!ROM Bootstrap: $3\n") && next;
        if (/^Hardware:\s+(.*), (.* RAM), CPU (.*)$/) {
            ProcessHistory("COMMENTS","keysort","A1",
                "!Chassis type: $1 - a PIX\n");
            ProcessHistory("COMMENTS","keysort","A2",
                "!CPU: $3\n");
            ProcessHistory("COMMENTS","keysort","B1",
                "!Memory: $2\n");
        }
        /^Serial Number:\s+(.*)$/ &&
            ProcessHistory("COMMENTS","keysort","C1", "!$_") && next;
        # CatOS 3500xl stuff
        /^System serial number(:\s+.*)$/ &&
            ProcessHistory("COMMENTS","keysort","C1", "!Serial Number$1\n") && next;
        /^Model / &&
            ProcessHistory("COMMENTS","keysort","C2", "!$_") && next;
        /^Motherboard / &&
            ProcessHistory("COMMENTS","keysort","C3", "!$_") && next;
        /^Power supply / &&
            ProcessHistory("COMMENTS","keysort","C4", "!$_") && next;

        /^Activation Key:\s+(.*)$/ &&
            ProcessHistory("COMMENTS","keysort","C2", "!$_") && next;
        /^ROM: \d+ Bootstrap .*(Version.*)$/ &&
            ProcessHistory("COMMENTS","keysort","G2",
                "!ROM Image: Bootstrap $1\n!\n") && next;
        /^ROM: .*(Version.*)$/ &&
            ProcessHistory("COMMENTS","keysort","G3","!ROM Image: $1\n") && next;
        /^BOOTFLASH: .*(Version.*)$/ &&
            ProcessHistory("COMMENTS","keysort","G4","!BOOTFLASH: $1\n") && next;
        /^BOOTLDR: .*(Version.*)$/ &&
            ProcessHistory("COMMENTS","keysort","G4","!BOOTLDR: $1\n") && next;
        /^System image file is "([^\"]*)", booted via (\S*)/ &&
        # removed the booted source due to
        # CSCdk28131: cycling info in 'sh ver'
        #    ProcessHistory("COMMENTS","keysort","F4","!Image: booted via $2, $1\n") &&
            ProcessHistory("COMMENTS","keysort","F4","!Image: booted $1\n") && next;
        /^System image file is "([^\"]*)"$/ &&
            ProcessHistory("COMMENTS","keysort","F5","!Image: $1\n") && next;

        if (/(\S+)\s+\((\S+)\)\s+processor.*with (\S+[kK]) bytes/) {
            my($proc) = $1;
            my($cpu) = $2;
            my($mem) = $3;
            my($device) = "router";
            # the next line ought to be the more specific cpu info, grab it.
            # yet, some boards/IOS vers have a processor ID line between these
            # two.  grrr.  make sure we dont grab the "software" junk that
            # follows these lines by looking for "CPU at " or the 2600s
            # "processor: " unique string.  there are undoubtedly many other
            # incantations.  for a slave, we dont get this info and its just a
            # blank line.
            $_ = <INPUT>;
            $_ = <INPUT> if (/processor board id/i);
            $_ = "" if (! /(cpu at |processor: |$cpu processor,)/i);
            tr/\015//d;
            s/implementation/impl/i;
            if ($_ !~ /^\s*$/) {
                chomp;
                s/^/, /;
            }
            if ( $proc eq "CSC") { $type = "AGS"; }
            elsif ( $proc eq "CSC4") { $type = "AGS+"; }
            elsif ( $proc =~ /^(AS)?25[12][12]/) { $type = "2500"; }
            elsif ( $proc =~ /261[01]/ || $proc =~ /262[01]/ ) { $type = "2600"; }
            elsif ( $proc =~ /^36[0246][0-9]/) { $type = "3600"; }
            elsif ( $proc =~ /^37/) { $type = "3700"; }
            elsif ( $proc eq "RSP7000") { $type = "7500"; }
            elsif ( $proc =~ /RSP\d/) { $type = "7500"; }
            elsif ( $proc eq "RP1") { $type = "7000"; }
            elsif ( $proc eq "RP") { $type = "7000"; }
            elsif ( $proc =~ /720[246]/) { $type = "7200"; }
            elsif ( $proc =~ /1200[48]\/GRP/ || $proc =~ /1201[26]\/GRP/) { $type = "12000"; }
            elsif ( $proc =~ /1201[26]-8R\/GRP/) { $type = "12000"; }
            elsif ( $proc =~ /WS-C29/) { $type = "2900XL"; $device = "switch"; }
            elsif ( $proc =~ /WS-C355/) { $type = "3550"; $device = "switch"; }
            elsif ( $proc =~ /WS-C35/) { $type = "3500XL"; $device = "switch"; }
            elsif ( $proc =~ /WS-C45/) { $type = "4500"; $device = "switch"; }
            elsif ( $proc =~ /6000/) { $type = "6000"; $device = "switch"; }
            elsif ( $proc =~ /CISCO76/) { $type = "7600"; $device = "router"; }
            elsif ( $proc =~ /1900/) { $type = "1900"; $device = "switch"; }
            else { $type = $proc; }
            print STDERR "TYPE = $type\n" if ($debug);
            ProcessHistory("COMMENTS","keysort","A1",
                "!Chassis type:$slave $proc - a $type $device\n");
            ProcessHistory("COMMENTS","keysort","B1",
                "!Memory:$slave main $mem\n");
            ProcessHistory("COMMENTS","keysort","A3","!CPU:$slave $cpu$_$slaveslot\n");
            next;
        }
        if (/(\S+) Silicon\s*Switch Processor/) {
            if (!defined($C0)) {
                $C0=1; ProcessHistory("COMMENTS","keysort","C0","!\n");
            }
            ProcessHistory("COMMENTS","keysort","C2","!SSP: $1\n");
            $ssp = 1;
            $sspmem = $1;
            next;
        }
        /^(\d+[kK]) bytes of multibus/ &&
            ProcessHistory("COMMENTS","keysort","B2",
                "!Memory: multibus $1\n") && next;
        /^(\d+[kK]) bytes of (non-volatile|NVRAM)/ &&
            ProcessHistory("COMMENTS","keysort","B3",
                "!Memory: nvram $1\n") && next;
        /^(\d+[kK]) bytes of flash memory/ &&
            ProcessHistory("COMMENTS","keysort","B5","!Memory: flash $1\n") && next;
        /^(\d+[kK]) bytes of .*flash partition/ &&
            ProcessHistory("COMMENTS","keysort","B6",
                "!Memory: flash partition $1\n") && next;
        /^(\d+[kK]) bytes of Flash internal/ &&
            ProcessHistory("COMMENTS","keysort","B4",
                "!Memory: bootflash $1\n") && next;
        if(/^(\d+[kK]) bytes of (Flash|ATA)?.*PCMCIA .*(slot|disk) ?(\d)/i) {
            ProcessHistory("COMMENTS","keysort","B7",
                "!Memory: pcmcia $2 $3$4 $1\n");
            next;
        }
        if(/^WARNING/) {
            if (!defined($I0)) {
                $I0=1;
                ProcessHistory("COMMENTS","keysort","I0","!\n");
            }
            ProcessHistory("COMMENTS","keysort","I1","!$_");
        }
        if (/^Configuration register is (.*)$/) {
            $config_register=$1;
            next;
        }
    }
    return(0);
}

# This routine parses "show redundancy"
sub ShowRedundancy {
    print STDERR "    In ShowRedundancy: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        next if(/^(\s*|\s*$cmd\s*)$/);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        /^IOS .* Software \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&
            ProcessHistory("COMMENTS","keysort","F1",
                "!Image:$slave Software: $1, $2\n") && next;
        /^Compiled (.*)$/ &&
            ProcessHistory("COMMENTS","keysort","F3",
                "!Image:$slave Compiled: $1\n") && next;
    }
    return(0);
}

# This routine parses "show IDprom"
sub ShowIDprom {
    my($tmp);

    print STDERR "    In ShowIDprom: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        next if(/^(\s*|\s*$cmd\s*)$/);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        /FRU is .(.*)\'/ && ($tmp = $1);
        /Product Number = .(.*)\'/ &&
            ProcessHistory("COMMENTS","keysort","D0","!\n") &&
            ProcessHistory("COMMENTS","keysort","D0",
                "!Catalyst Chassis type: $1, $tmp\n");
        /Serial Number = .([0-9A-Za-z]+)/ &&
            ProcessHistory("COMMENTS","keysort","D1",
                "!Catalyst Chassis S/N: $1\n");
        /Manufacturing Assembly Number = .([-0-9]+)/ && ($tmp = $1);
        /Manufacturing Assembly Revision = .(.*)\'/ && ($tmp .= ", rev " . $1);
        /Hardware Revision = ([0-9.]+)/ &&
            ProcessHistory("COMMENTS","keysort","D2",
                "!Catalyst Chassis assembly: $tmp, ver $1\n");
    }
    return(0);
}

# This routine parses "show install active"
sub ShowInstallActive {
    print STDERR "    In ShowInstallActive: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        ProcessHistory("COMMENTS","keysort","F5","!Image: $_") && next;
    }
    return(0);
}

# This routine parses "show env all"
sub ShowEnv {
    # Skip if this is not a 7500, 7200, or 7000.
    print STDERR "    In ShowEnv: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        #return(1) if ($type !~ /^7/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (!defined($E0)) {
            $E0=1;
            ProcessHistory("COMMENTS","keysort","E0","!\n");
        }
        if (/^Arbiter type (\d), backplane type (\S+)/) {
            if (!defined($C0)) {
                $C0=1; ProcessHistory("COMMENTS","keysort","C0","!\n");
            }
            ProcessHistory("COMMENTS","keysort","C1",
                "!Enviromental Arbiter Type: $1\n");
            ProcessHistory("COMMENTS","keysort","A2",
                "!Chassis type: $2 backplane\n");
            next;
        }
        /^\s*(Power [^:\n]+)$/ &&
            ProcessHistory("COMMENTS","keysort","E1","!Power: $1\n") && next;
        /^\s*(Lower Power .*)/i &&
            ProcessHistory("COMMENTS","keysort","E2","!Power: $1\n") && next;
        /^\s*(redundant .*)/i &&
            ProcessHistory("COMMENTS","keysort","E2","!Power: $1\n") && next;
        /^\s*(RPS is .*)/i &&
            ProcessHistory("COMMENTS","keysort","E2","!Power: $1\n") && next;
    }
    ProcessHistory("COMMENTS","","","!\n");
    return(0);
}

# This routine parses "show rsp chassis-info" for the rsp
# This will create arrays for hw info.
sub ShowRSP {
    print STDERR "    In ShowRSP: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(-1) if (/command authorization failed/i);
        # return(1) if ($type !~ /^12[40]/);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        /^$/ && next;
        /^\s+Chassis model: (\S+)/ &&
            ProcessHistory("COMMENTS","keysort","D0","!\n") &&
            ProcessHistory("COMMENTS","keysort","D1",
                "!RSP Chassis model: $1\n") && next;
        /^\s+Chassis S\/N: (.*)$/ &&
            ProcessHistory("COMMENTS","keysort","D2",
                "!RSP Chassis S/N: $1\n") && next;
    }
    return(0);
}

# This routine parses "show gsr chassis-info" for the gsr
# This will create arrays for hw info.
sub ShowGSR {
    # Skip if this is not a 1200n.
    print STDERR "    In ShowGSR: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(-1) if (/command authorization failed/i);
        # return(1) if ($type !~ /^12[40]/);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        /^$/ && next;
        /^\s+Chassis: type (\S+) Fab Ver: (\S+)/ &&
            ProcessHistory("COMMENTS","keysort","D0","!\n") &&
            ProcessHistory("COMMENTS","keysort","D1",
                "!GSR Chassis type: $1 Fab Ver: $2\n") && next;
        /^\s+Chassis S\/N: (.*)$/ &&
            ProcessHistory("COMMENTS","keysort","D2",
                "!GSR Chassis S/N: $1\n") && next;
        /^\s+PCA: (\S+)\s*rev: (\S+)\s*dev: \S+\s*HW ver: (\S+)$/ &&
            ProcessHistory("COMMENTS","keysort","D3",
                "!GSR Backplane PCA: $1, rev $2, ver $3\n") && next;
        /^\s+Backplane S\/N: (\S+)$/ &&
            ProcessHistory("COMMENTS","keysort","D4",
                "!GSR Backplane S/N: $1\n") && next;
    }
    ProcessHistory("COMMENTS","","","!\n");
    return(0);
}

# This routine parses "show boot"
sub ShowBoot {
    # Pick up boot variables if 7000/7200/7500/12000/2900/3500;
    # otherwise pick up bootflash.
    print STDERR "    In ShowBoot: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if /^\s*\^\s*$/;
        return(-1) if (/command authorization failed/i);
        return(1) if /Ambiguous command/i;
        return(1) if /(Invalid input detected|Type help or )/;
        return(1) if /(Open device \S+ failed|Error opening \S+:)/;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        next if /CONFGEN variable/;
        if (!defined($H0)) {
            $H0=1; ProcessHistory("COMMENTS","keysort","H0","!\n");
        }
        if ($type !~ /^(12[04]|7)/) {
            if ($type !~ /^(29|35)00/) {
                ProcessHistory("COMMENTS","keysort","H2","!BootFlash: $_");
            } else {
                ProcessHistory("COMMENTS","keysort","H1","!Variable: $_");
            }
        } elsif (/variable/) {
            ProcessHistory("COMMENTS","keysort","H1","!Variable: $_");
        }
    }
    ProcessHistory("COMMENTS","","","!\n");
    return(0);
}

# This routine parses "show flash"
sub ShowFlash {
    # skip if this is 7000, 7200, 7500, or 12000; else we end up with
    # redundant data from dir /all slot0:
    print STDERR "    In ShowFlash: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if ($type =~ /^(12[40]|7)/);
        return(-1) if (/command authorization failed/i);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        ProcessHistory("FLASH","","","!Flash: $_");
    }
    ProcessHistory("","","","!\n");
    return;
}

# This routine parses "dir /all ((disk|slot)N|bootflash|nvram):"
sub DirSlotN {
    # Skip if this is not a 3600, 7000, 7200, 7500, or 12000.
    print STDERR "    In DirSlotN: $_" if ($debug);

    my($dev) = (/\s([^\s]+):/);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        # return(1) if ($type !~ /^(12[40]|7|36)/);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        return(1) if /(No such device|Error Sending Request)/i;
        return(1) if /\%Error: No such file or directory/;
        return(1) if /No space information available/;
        return(-1) if /\%Error calling/;
        return(-1) if /(: device being squeezed|ATA_Status time out)/i; # busy
        return(-1) if (/command authorization failed/i);
        return(1) if /(Open device \S+ failed|Error opening \S+:)/;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        ProcessHistory("FLASH","","","!Flash: $dev: $_");
    }
    ProcessHistory("","","","!\n");
    return(0);
}

# This routine parses "show controllers"
sub ShowContAll {
    # Skip if this is a 70[01]0, 7500, or 12000.
    print STDERR "    In ShowContAll: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        # return(1) if ($type =~ /^(12[40]|7[05])/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (/^Interface ([^ \n(]*)/) { $INT = "$1, "; next; }
        /^(BRI unit \d)/ &&
            ProcessHistory("INT","","","!Interface: $1\n") && next;
        /^LANCE unit \d, NIM/ &&
            ProcessHistory("INT","","","!Interface: $_") && next;
        /^(LANCE unit \d)/ &&
            ProcessHistory("INT","","","!Interface: $1\n") && next;
        /(Media Type is \S+),/ &&
            ProcessHistory("INT","","","!\t$1\n");
        if (/(M\dT[^ :]*:) show controller:$/) {
            my($ctlr) = $1;
            $_ = <INPUT>; tr/\015//d; s/ subunit \d,//;
            ProcessHistory("INT","","","!Interface: $ctlr $_");
        }
        if (/^(\S+) : show controller:$/) {
            my($ctlr) = $1;
            $_ = <INPUT>; tr/\015//d; s/ subunit \d,//;
            ProcessHistory("INT","","","!Interface: $ctlr: $_");
        }
        /^(HD unit \d), idb/ &&
            ProcessHistory("INT","","","!Interface: $1\n") && next;
        /^HD unit \d, NIM/ &&
            ProcessHistory("INT","","","!Interface: $_") && next;
        /^buffer size \d+ HD unit \d, (.*)/ &&
            ProcessHistory("INT","","","!\t$1\n") && next;
        /^AM79970 / && ProcessHistory("INT","","","!Interface: $_") && next;
        /^buffer size \d+ (Universal Serial: .*)/ &&
            ProcessHistory("INT","","","!\t$1\n") && next;
        /^Hardware is (.*)/ &&
            ProcessHistory("INT","","","!Interface: $INT$1\n") && next;
        /^(QUICC Serial unit \d),/ &&
            ProcessHistory("INT","","","!$1\n") && next;
        /^QUICC Ethernet .*/ && ProcessHistory("INT","","","!$_") && next;
        /^DTE .*\.$/ && ProcessHistory("INT","","","!\t$_") && next;
        /^(cable type :.*),/ && ProcessHistory("INT","","","!\t$1\n") && next;
        /^(.* cable.*), received clockrate \d+$/ &&
            ProcessHistory("INT","","","!\t$1\n") && next;
        /^.* cable.*$/ && ProcessHistory("INT","","","!\t$_") && next;
    }
    return(0);
}

# This routine parses "show controllers cbus"
# Some of this is printed out in ShowDiagbus.
sub ShowContCbus {
    # Skip if this is not a 7000 or 7500.
    print STDERR "    In ShowContCbus: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        #return(1) if ($type !~ /^7[05]0/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (/^\s*slot(\d+): ([^,]+), hw (\S+), sw (\S+), ccb/) {
            $slot = $1;
            $board{$slot} = $2;
            $hwver{$slot} = $3;
            $hwucode{$slot} = $4;
        } elsif (/^\s*(\S+) (\d+), hardware version (\S+), microcode version (\S+)/) {
            $slot = $2;
            $board{$slot} = $1;
            $hwver{$slot} = $3;
            $hwucode{$slot} = $4;
        } elsif (/(Microcode .*)/) {
            $ucode{$slot} = $1;
        } elsif (/(software loaded .*)/) {
            $ucode{$slot} = $1;
        } elsif (/(\d+) Kbytes of main memory, (\d+) Kbytes cache memory/) {
            $hwmemd{$slot} = $1;
            $hwmemc{$slot} = $2;
        } elsif (/byte buffers/) {
            chop;
            s/^\s*//;
            $hwbuf{$slot} = $_;
        } elsif (/Interface (\d+) - (\S+ \S+),/) {
            $interface = $1;
            ProcessHistory("HW","","",
                "!\n!Int $interface: in slot $slot, named $2\n");
            next;
        } elsif (/(\d+) buffer RX queue threshold, (\d+) buffer TX queue limit, buffer size (\d+)/) {
            ProcessHistory("HW","","","!Int $interface: rxq $1, txq $2, bufsize $3\n");
            next;
        }
    }
    return(0);
}

# This routine parses "show diagbus"
# This will create arrays for hw info.
sub ShowDiagbus {
    # Skip if this is not a 7000, 70[01]0, or 7500.
    print STDERR "    In ShowDiagbus: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        #return(1) if ($type !~ /^7[05]/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (/^\s*Slot (\d+):/i) {
            $slot = $1;
            next;
        } elsif (/^\s*Slot (\d+) \(virtual\):/i) {
            $slot = $1;
            next;
        } elsif (/^\s*(.*Processor.*|.*controller|.*controler|.*Chassis Interface)(, FRU\s?:.*)?, HW rev (\S+), board revision (\S+)/i) {
            $board = $1;
            $hwver = $3;
            $boardrev = $4;
            if ($board =~ /Processor/) {
                if ($board =~ /7000 Route\/Switch/) {
                    $board = "RSP7000";
                } elsif ($board =~ /Route\/Switch Processor (\d)/) {
                    $board = "RSP$1";
                } elsif ($board =~ /Route/) {
                    $board = "RP";
                } elsif ($board =~ /Silicon Switch/) {
                    $board = "SSP";
                } elsif ($board =~ /Switch/) {
                    $board = "SP";
                    $board = "SSP $sspmem" if $ssp;
                } elsif ($board =~ /ATM/) {
                    $board = "AIP";
                }
            } elsif ($board =~ /(.*) controller/i) {
                $board = $1;
            }
            # hwucode{$slot} defined in ShowContCbus
            if (defined $hwucode{$slot}) {
                ProcessHistory("SLOT","","","!\n!Slot $slot/$board: hvers $hwver rev $boardrev ucode $hwucode{$slot}\n");
            } else {
                ProcessHistory("SLOT","","","!\n!Slot $slot/$board: hvers $hwver rev $boardrev\n");
            }
            # These are also from the ShowContCbus
            ProcessHistory("SLOT","","","!Slot $slot/$board: $ucode{$slot}\n")
                if (defined $ucode{$slot});
            ProcessHistory("SLOT","","","!Slot $slot/$board: memd $hwmemd{$slot}, cache $hwmemc{$slot}\n")
                if ((defined $hwmemd{$slot}) && (defined $hwmemc{$slot}));
            ProcessHistory("SLOT","","","!Slot $slot/$board: $hwbuf{$slot}\n")
                if (defined $hwbuf{$slot});
            next;
        }
        /Serial number: (\S+)\s*Part number: (\S+)/ &&
            ProcessHistory("SLOT","","",
                "!Slot $slot/$board: part $2, serial $1\n") && next;
        /^\s*Controller Memory Size: (.*)$/ &&
            ProcessHistory("SLOT","","","!Slot $slot/$board: $1\n") && next;
        if (/PA Bay (\d) Information/) {
            $pano = $1;
            if ("PA" =~ /$board/) {
                ($s,$c) = split(/\//,$board);
                $board = "$s/$c/PA $pano";
            } else {
                $board =~ s/\/PA \d//;
                $board = "$board/PA $pano";
            }
            next;
        }
        /\s+(.*) (IP|PA), (\d) ports?,( \S+,)? (FRU\s?: )?(\S+)/ &&
            ProcessHistory("SLOT","","","!Slot $slot/$board: type $6, $3 ports\n") && next;
        /\s+(.*) (IP|PA)( \(\S+\))?, (\d) ports?/ &&
            ProcessHistory("SLOT","","","!Slot $slot/$board: type $1$3, $4 ports\n") && next;
        /^\s*HW rev (\S+), Board revision (\S+)/ &&
            ProcessHistory("SLOT","","","!Slot $slot/$board: hvers $1 rev $2\n") && next;
        /Serial number: (\S+)\s*Part number: (\S+)/ &&
            ProcessHistory("SLOT","","","!Slot $slot/$board: part $2, serial $1\n") && next;
    }
    return(0);
}

# This routine parses "show diag" for the gsr, 7200, 3700, 3600, 2600.
# This will create arrays for hw info.
sub ShowDiag {
    # Skip if this is not a 12000.
    print STDERR "    In ShowDiag: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        # return(1) if ($type !~ /^(12[40]|720|36|26)/);
        return(-1) if (/command authorization failed/i);
        /^$/ && next;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        s/Port Packet Over SONET/POS/;
        if (/^\s*SLOT\s+(\d+)\s+\((.*)\): (.*)/) {
            $slot = $1;
            ProcessHistory("SLOT","","","!\n");
            ProcessHistory("SLOT","keysort","A","!Slot $slot: $3\n");
            next;
        }
        if (/^\s+MAIN:\s* type \d+,\s+(.*)/) {
            ProcessHistory("SLOT","keysort","AM","!Slot $slot/MAIN: part $1\n");
            next;
        }
        if (/^c3700\s+(io-board|mid-plane)/i) {
            $slot=$1;
            ProcessHistory("SLOT","","","!\n");
            ProcessHistory("SLOT","keysort","A","!Slot $slot: part $1\n");
            next;
        }
        if (/ Engine:\s+(.*)/) {
            ProcessHistory("SLOT","keysort","AE","!Slot $slot/Engine: $1\n");
        }
        if (/^\s+PCA:\s+(.*)/) {
            local($part) = $1;
            $_ = <INPUT>;
            /^\s+(HW version|design release) (\S+)\s+S\/N (\S+)/i &&
                ProcessHistory("SLOT","keysort","C1","!Slot $slot/PCA: part $part, serial $3\n") &&
                ProcessHistory("SLOT","keysort","C2","!Slot $slot/PCA: hvers $2\n");
            next;
        }
        if (/^\s+MBUS: .*\)\s+(.*)/) {
            local($tmp) = "!Slot $slot/MBUS: part $1";
            $_ = <INPUT>;
            /^\s+HW version (\S+)\s+S\/N (\S+)/ &&
                ProcessHistory("SLOT","keysort","MB1","$tmp, serial $2\n") &&
                ProcessHistory("SLOT","keysort","MB2","!Slot $slot/MBUS: hvers $1\n");
            next;
        }
        if (/^\s+MBUS Agent Software version (.*)/) {
            ProcessHistory("SLOT","keysort","MB3","!Slot $slot/MBUS: software $1\n");
            next;
        }
        if (/^\s+ROM Monitor version (.*)/) {
            ProcessHistory("SLOT","keysort","R","!Slot $slot/ROM Monitor: version $1\n");
            next;
        }
        if (/^\s+Fabric Downloader version used (.*)/) {
            ProcessHistory("SLOT","keysort","Z","!Slot $slot/Fabric Downloader: version $1\n");
            next;
        }
        if (/^\s+DRAM size: (\d+)/) {
            local($dram) = $1 / 1048576;
            $_ = <INPUT>;
            if (/^\s+FrFab SDRAM size: (\d+)/) {
                ProcessHistory("SLOT","keysort","MB4","!Slot $slot/MBUS: $dram Mbytes DRAM, " . $1 / 1024 .
" Kbytes SDRAM\n"); } else { ProcessHistory("SLOT","keysort","MB4","!Slot $slot/MBUS: $dram Mbytes DRAM\n"); } next; } if (/FRU:\s+Linecard\/Module:\s+(\S+)/) { ProcessHistory("SLOT","","","!Slot $slot/FRU: Linecard/Module: $1\n") next; } # 7200, 3600, 2600, and 1700 stuff if (/^(Slot)\s+(\d+(\/\d+)?):/ || /^\s+(WIC|VIC|WIC\/VIC) Slot (\d):/ || /^(Encryption AIM) (\d):/) { if ($1 eq "WIC") { $WIC = "/$2"; } elsif ($1 eq "VIC") { $WIC = "/$2"; } elsif ($1 eq "WIC/VIC") { $WIC = "/$2"; } elsif ($1 eq "Encryption AIM") { $slot = "$2"; undef($WIC); ProcessHistory("SLOT","","","!\n"); ProcessHistory("SLOT","keysort","B","!Slot $slot: type $1\n"); next; } else { $slot = $2; undef($WIC); } $_ = ; tr/\015//d; # clean up hideous 7200/etc formats to look more like 7500 output s/Fast-ethernet on C7200 I\/O card/FE-IO/; s/ with MII or RJ45/-TX/; s/Fast-ethernet /100Base/; s/[)(]//g; s/intermediate reach/IR/i; ProcessHistory("SLOT","","","!\n"); /\s+(.*) port adapter,?\s+(\d+)\s+/i && ProcessHistory("SLOT","keysort","B","!Slot $slot: type $1, $2 ports\n") && next; # I/O controller with no interfaces /\s+(.*)\s+port adapter\s*$/i && ProcessHistory("SLOT","keysort","B","!Slot $slot: type $1, 0 ports\n") && next; /\s+(.*)\s+daughter card(.*)$/ && ProcessHistory("SLOT","keysort","B","!Slot $slot$WIC: type $1$2\n") && next; /\s+(FT1)$/ && ProcessHistory("SLOT","keysort","B","!Slot $slot$WIC: type $1\n") && next; # handle WICs lacking "daughter card" in the 2nd line of their # show diag o/p if (defined($WIC)) { s/^\s+//; ProcessHistory("SLOT","keysort","B","!Slot $slot$WIC: type $_"); } next; } # yet another format. seen on 2600s w/ 12.1, but appears to be all # 12.1, including 7200s & 3700s. Sometimes the PCB serial appears # before the hardware revision. 
if (/(pcb serial number|hardware revision)\s+:\s+(\S+)$/i) { my($hw, $pn, $rev, $sn); if ($1 =~ /^pcb/i) { $sn = $2; } else { $hw = $2; } while () { tr/\015//d; if (/0x..: /) { # no effing idea why break does not work there goto PerlSucks; } if (/hardware revision\s+:\s+(\S+)/i) { $hw = $1; } if (/part number\s+:\s+(\S+)/i) { $pn = $1; } if (/board revision\s+:\s+(\S+)/i) { $rev = $1; } if (/pcb serial number\s+:\s+(\S+)/i) { $sn = $1; } } PerlSucks: ProcessHistory("SLOT","keysort","B","!Slot $slot$WIC: hvers $hw rev $rev\n"); ProcessHistory("SLOT","keysort","C","!Slot $slot$WIC: part $pn, serial $sn\n"); } /revision\s+(\S+).*revision\s+(\S+)/ && ProcessHistory("SLOT","keysort","C","!Slot $slot$WIC: hvers $1 rev $2\n") && next; /number\s+(\S+)\s+Part number\s+(\S+)/ && ProcessHistory("SLOT","keysort","D","!Slot $slot$WIC: part $2, serial $1\n") && next; } ProcessHistory("SLOT","","","!\n"); return(0); } # This routine parses "show module". sub ShowModule { print STDERR " In ShowModule: $_" if ($debug); my(@lines); my($slot); while () { tr/\015//d; return if (/^\s*\^$/); last if (/^$prompt/); next if (/^(\s*|\s*$cmd\s*)$/); return(-1) if (/command authorization failed/i); # the pager can not be disabled per-session on the PIX s/^<-+ More -+>\s*//; # match slot/card info line if (/^ *(\d+)\s+(\d+)\s+(.*)\s+(\S+)\s+(\S+)\s*$/) { $lines[$1] .= "!Slot $1: type $3, $2 ports\n!Slot $1: part $4, serial $5\n"; $lines[$1] =~ s/\s+,/,/g; } # now match the Revs in the second paragraph of o/p and stick it in # the array with the previous bits...grumble. if (/^ *(\d+)\s+\S+\s+to\s+\S+\s+(\S+)\s+(\S*)\s+(\S+)(\s+\S+)?\s*$/) { $lines[$1] .= "!Slot $1: hvers $2, firmware $3, sw $4\n"; $lines[$1] =~ s/\s+,/,/g; } } foreach $slot (@lines) { next if ($slot =~ /^\s*$/); ProcessHistory("Module","","","$slot!\n"); } return(0); } # This routine parses "show spe version". 
sub ShowSpeVersion { print STDERR " In ShowSpeVersion: $_" if ($debug); while () { tr/\015//d; last if (/^$prompt/); next if (/^(\s*|\s*$cmd\s*)$/); return(1) if /^\s*\^\s*$/; return(1) if /(Invalid input detected|Type help or )/; return(-1) if (/command authorization failed/i); ProcessHistory("MODEM","","","!Modem: $_") && next; } ProcessHistory("MODEM","","","!\n"); return(0); } # This routine parses "show c7200" for the 7200 # This will create arrays for hw info. sub ShowC7200 { # Skip if this is not a 7200. print STDERR " In ShowC7200: $_" if ($debug); while () { tr/\015//d; last if (/^$prompt/); next if (/^(\s*|\s*$cmd\s*)$/); #return(1) if ($type !~ /^72/); return(-1) if (/command authorization failed/i); /^$/ && next; # the pager can not be disabled per-session on the PIX s/^<-+ More -+>\s*//; if (/^(C7200 )?Midplane EEPROM:/) { $_ = ; /revision\s+(\S+).*revision\s+(\S+)/; ProcessHistory("SLOT","","","!Slot Midplane: hvers $1 rev $2\n"); $_ = ; /number\s+(\S+)\s+Part number\s+(\S+)/; ProcessHistory("SLOT","","","!Slot Midplane: part $2, serial $1\n!\n"); next; } if (/C720\d(VXR)? 
CPU EEPROM:/) { my ($hvers,$rev,$part,$serial); # npe400s report their cpu eeprom info differently w/ 12.0.21S while () { /Hardware Revision\s+: (\S+)/ && ($hvers = $1) && next; /Board Revision\s+: (\S+)/ && ($rev = $1) && next; /Part Number\s+: (\S+)/ && ($part = $1) && next; /Serial Number\s+: (\S+)/ && ($serial = $1) && next; /revision\s+(\S+).*revision\s+(\S+)/ && ($hvers = $1, $rev = $2) && next; /number\s+(\S+)\s+Part number\s+(\S+)/ && ($serial = $1, $part = $2) && next; /^\s*$/ && last; } ProcessHistory("SLOT","","","!Slot CPU: hvers $hvers rev $rev\n"); ProcessHistory("SLOT","","","!Slot CPU: part $part, serial $serial\n!\n"); next; } } return(0); } # This routine parses "show vtp status" sub ShowVTP { print STDERR " In ShowVTP: $_" if ($debug); while () { tr/\015//d; last if (/^$prompt/); next if (/^(\s*|\s*$cmd\s*)$/); return(1) if /^\s*\^\s*$/; return(1) if /(Invalid input detected|Type help or )/; #return(1) if ($type !~ /^(2900XL|3500XL|6000)$/); return(-1) if (/command authorization failed/i); next if (/^Configuration last modified by/); # the pager can not be disabled per-session on the PIX s/^<-+ More -+>\s*//; if (/^VTP Operating Mode\s+:\s+(Transparent|Server)/) { $DO_SHOW_VLAN = 1; } ProcessHistory("COMMENTS","keysort","I0","!VTP: $_"); } ProcessHistory("COMMENTS","keysort","I0","!\n"); return(0); } # This routine parses "show vlan" sub ShowVLAN { print STDERR " In ShowVLAN: $_" if ($debug); ($_=,return(1)) if (!$DO_SHOW_VLAN); while () { tr/\015//d; last if (/^$prompt/); next if (/^(\s*|\s*$cmd\s*)$/); return(1) if /(Invalid input detected|Type help or )/; # newer releases (~12.1(9)) place the vlan config in the normal # configuration (write term). 
return(1) if ($type =~ /^(3550|4500|7600)$/); #return(1) if ($type !~ /^(2900XL|3500XL|6000)$/); return(-1) if (/command authorization failed/i); # the pager can not be disabled per-session on the PIX s/^<-+ More -+>\s*//; ProcessHistory("COMMENTS","keysort","IO","!VLAN: $_"); } ProcessHistory("COMMENTS","keysort","IO","!\n"); return(0); } # This routine processes a "write term" sub WriteTerm { print STDERR " In WriteTerm: $_" if ($debug); my($lineauto,$comment,$linecnt) = (0,0,0); while () { tr/\015//d; last if(/^$prompt/); return(-1) if (/command authorization failed/i); # the pager can not be disabled per-session on the PIX s/^<-+ More -+>\s*//; /Non-Volatile memory is in use/ && return(-1); # NvRAM is locked return(0) if ($found_end); # Only do this routine once $linecnt++; $lineauto = 0 if (/^[^ ]/); # skip the crap if (/^(##+$|(Building|Current) configuration)/i) { while () { next if (/^Current configuration\s*:/i); next if (/^:/); next if (/^([%!].*|\s*)$/); next if (/^ip add.*ipv4:/); # band-aid for 3620 12.0S last; } if (defined($config_register)) { ProcessHistory("","","","!\nconfig-register $config_register\n"); } tr/\015//d; } # some versions have other crap mixed in with the bits in the # block above /^! (Last configuration|NVRAM config last)/ && next; # skip consecutive comment lines to avoid oscillating extra comment # line on some access servers. grrr. 
        if (/^!/) {
            next if ($comment);
            ProcessHistory("","","",$_);
            $comment++;
            next;
        }
        $comment = 0;

        # Dog gone Cool matches to process the rest of the config
        /^tftp-server flash / && next;   # kill any tftp remains
        /^ntp clock-period / && next;    # kill ntp clock-period
        /^ length / && next;             # kill length on serial lines
        /^ width / && next;              # kill width on serial lines
        $lineauto = 1 if /^ modem auto/;
        /^ speed / && $lineauto && next; # kill speed on serial lines
        /^ clockrate / && next;          # kill clockrate on serial interfaces

        # Password filtering.  $filter_pwds >= 1 blanks everything that is
        # reversible (type 7) or stored in clear text; enable secret and
        # "username ... secret" are one-way hashes and survive until
        # $filter_pwds >= 2.
        if (/^(enable )?(password|passwd) / && $filter_pwds >= 1) {
            ProcessHistory("ENABLE","","","!$1$2 \n");
            next;
        }
        if (/^(enable secret) / && $filter_pwds >= 2) {
            ProcessHistory("ENABLE","","","!$1 \n");
            next;
        }
        if (/^username (\S+)(\s.*)? secret /) {
            if ($filter_pwds >= 2) {
                ProcessHistory("USER","keysort","$1","!username $1$2 secret \n");
            } else {
                ProcessHistory("USER","keysort","$1","$_");
            }
            next;
        }
        if (/^username (\S+)(\s.*)? password ((\d) \S+|\S+)/) {
            if ($filter_pwds == 2) {
                ProcessHistory("USER","keysort","$1","!username $1$2 password \n");
            } elsif ($filter_pwds == 1 && $4 ne "5") {
                # at level 1 only a type 5 (md5 hash) password is left alone
                ProcessHistory("USER","keysort","$1","!username $1$2 password \n");
            } else {
                ProcessHistory("USER","keysort","$1","$_");
            }
            next;
        }
        if (/^( set session-key (in|out)bound ah \d+ )/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1\n");
            next;
        }
        if (/^( set session-key (in|out)bound esp \d+ (authenticator|cypher) )/
            && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1\n");
            next;
        }
        if (/^(\s*)password / && $filter_pwds >= 1) {
            ProcessHistory("LINE-PASS","","","!$1password \n");
            next;
        }
        if (/^\s*neighbor (\S*) password / && $filter_pwds >= 1) {
            ProcessHistory("","","","! neighbor $1 password \n");
            next;
        }
        if (/^(ppp .* password) 7 .*/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        if (/^(ip ftp password) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        if (/^( ip ospf authentication-key) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        # isis passwords appear to be completely plain-text
        if (/^\s+isis password (\S+)( .*)?/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!isis password $2\n");
            next;
        }
        if (/^\s+(domain-password|area-password) (\S+)( .*)?/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 $3\n");
            next;
        }
        # this is reversable, despite 'md5' in the cmd
        if (/^( ip ospf message-digest-key \d+ md5) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 $'");
            next;
        }
        # filter HSRP passwords
        if (/^(\s+standby \d authentication) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        # this appears in "measurement/sla" images
        if (/^(\s+key-string \d?)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        if (/^( l2tp tunnel \S+ password)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        # i am told these are plain-text on the PIX
        if (/^(vpdn username \S+ password)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        if (/^( cable shared-secret ) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        /fair-queue individual-limit/ && next;

        # sort ip explicit-paths.
        if (/^ip explicit-path name (\S+)/) {
            my($key) = $1;
            my($expath) = $_;
            while (<INPUT>) {
                tr/\015//d;
                last if (/^$prompt/ || ! /^(ip explicit-path name |[ !])/);
                if (/^ip explicit-path name (\S+)/) {
                    ProcessHistory("EXPATH","keysort","$key","$expath");
                    $key = $1;
                    $expath = $_;
                } else {
                    $expath .= $_;
                }
            }
            ProcessHistory("EXPATH","keysort","$key","$expath");
        }
        # sort route-maps
        if (/^route-map (\S+)/) {
            my($key) = $1;
            my($routemap) = $_;
            while (<INPUT>) {
                tr/\015//d;
                last if (/^$prompt/ || ! /^(route-map |[ !])/);
                if (/^route-map (\S+)/) {
                    ProcessHistory("ROUTEMAP","keysort","$key","$routemap");
                    $key = $1;
                    $routemap = $_;
                } else {
                    $routemap .= $_;
                }
            }
            ProcessHistory("ROUTEMAP","keysort","$key","$routemap");
        }
        # filter out any RCS/CVS tags to avoid confusing local CVS storage
        s/\$(Revision|Id):/ $1:/;
        # order access-lists
        /^access-list\s+(\d\d?)\s+(\S+)\s+(\S+)/ &&
            ProcessHistory("ACL $1 $2","ipsort","$3","$_") && next;
        # order extended access-lists
        /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+host\s+(\S+)/ &&
            ProcessHistory("EACL $1 $2","ipsort","$3","$_") && next;
        /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+(\d\S+)/ &&
            ProcessHistory("EACL $1 $2","ipsort","$3","$_") && next;
        /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+any/ &&
            ProcessHistory("EACL $1 $2","ipsort","0.0.0.0","$_") && next;
        # order arp lists
        /^arp\s+(\d+\.\d+\.\d+\.\d+)\s+/ &&
            ProcessHistory("ARP","ipsort","$1","$_") && next;
        /^ip prefix-list\s+(\S+)\s+seq\s+(\d+)\s+(permit|deny)\s+(\d\S+)(\/.*)$/ &&
            ProcessHistory("PACL $1 $3","ipsort","$4","ip prefix-list $1 $3 $4$5\n") && next;
        # order logging statements
        /^logging (\d+\.\d+\.\d+\.\d+)/ &&
            ProcessHistory("LOGGING","ipsort","$1","$_") && next;
        # order/prune snmp-server host statements
        # we only prune lines of the form
        # snmp-server host a.b.c.d
        if (/^snmp-server host (\d+\.\d+\.\d+\.\d+) /) {
            if (defined($ENV{'NOCOMMSTR'})) {
                my($ip) = $1;
                my($line) = "snmp-server host $ip";
                my(@tokens) = split(' ', $');
                my($token);
                while ($token = shift(@tokens)) {
                    if ($token eq 'version') {
                        $line .= " " . join(' ', ($token, shift(@tokens)));
                    } elsif ($token =~ /^(informs?|traps?|(no)?auth)$/) {
                        $line .= " " . $token;
                    } else {
                        # first token that is not a keyword is the community
                        # string: comment the line out with that token dropped
                        $line = "!$line " . join(' ', ("", join(' ',@tokens)));
                        last;
                    }
                }
                ProcessHistory("SNMPSERVERHOST","ipsort","$ip","$line\n");
            } else {
                ProcessHistory("SNMPSERVERHOST","ipsort","$1","$_");
            }
            next;
        }
        if (/^(snmp-server community) (\S+)/) {
            if (defined($ENV{'NOCOMMSTR'})) {
                ProcessHistory("SNMPSERVERCOMM","keysort","$_","!$1 $'") && next;
            } else {
                ProcessHistory("SNMPSERVERCOMM","keysort","$_","$_") && next;
            }
        }
        # prune tacacs/radius server keys
        if (/^(tacacs-server|radius-server) key / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 key \n");
            next;
        }
        if (/^((tacacs-server|radius-server) host \S+ key) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        # order clns host statements
        /^clns host \S+ (\S+)/ &&
            ProcessHistory("CLNS","keysort","$1","$_") && next;
        # order alias statements
        /^alias / && ProcessHistory("ALIAS","keysort","$_","$_") && next;
        # delete ntp auth password - this md5 is a reversable too
        if (/^(ntp authentication-key \d+ md5) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        # order ntp peers/servers
        if (/^ntp (server|peer) (\d+)\.(\d+)\.(\d+)\.(\d+)/) {
            $sortkey = sprintf("$1 %03d%03d%03d%03d",$2,$3,$4,$5);
            ProcessHistory("NTP","keysort",$sortkey,"$_");
            next;
        }
        # order ip host statements
        /^ip host (\S+) / &&
            ProcessHistory("IPHOST","keysort","$1","$_") && next;
        # order ip nat source static statements
        /^ip nat (\S+) source static (\S+)/ &&
            ProcessHistory("IP NAT $1","ipsort","$2","$_") && next;
        # order atm map-list statements
        /^\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+atm-vc/ &&
            ProcessHistory("ATM map-list","ipsort","$1","$_") && next;
        # order ip rcmd lines
        /^ip rcmd/ && ProcessHistory("RCMD","keysort","$_","$_") && next;
        # system controller
        /^syscon address (\S*) (\S*)/ &&
            ProcessHistory("","","","!syscon address $1 \n") && next;
        if (/^syscon password (\S*)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!syscon password \n");
            next;
        }
        # catch anything that wasnt matched above.
        ProcessHistory("","","","$_");
        # end of config.  the ": " game is for the PIX
        if (/^(: +)?end$/) {
            $found_end = 1;
            return(1);
        }
    }
    # The ContentEngine lacks a definitive "end of config" marker.  If we
    # know that it is a CE and we have seen at least 5 lines of write term
    # o/p, we can be reasonably sure that we got the config.
    if ($type =~ /^CE$/ && $linecnt > 5) {
        $found_end = 1;
        return(1);
    }
    return(0);
}

# dummy function
sub DoNothing {print STDOUT;}

# Main
%commands=(
    'show version'              => "ShowVersion",
    'show redundancy secondary' => "ShowRedundancy",
    'show idprom backplane'     => "ShowIDprom",
    'show install active'       => "ShowInstallActive",
    'show env all'              => "ShowEnv",
    'show rsp chassis-info'     => "ShowRSP",
    'show gsr chassis'          => "ShowGSR",
    'show boot'                 => "ShowBoot",
    'show bootvar'              => "ShowBoot",
    'show variables boot'       => "ShowBoot",
    'show flash'                => "ShowFlash",
    'dir /all nvram:'           => "DirSlotN",
    'dir /all bootflash:'       => "DirSlotN",
    'dir /all slot0:'           => "DirSlotN",
    'dir /all disk0:'           => "DirSlotN",
    'dir /all slot1:'           => "DirSlotN",
    'dir /all disk1:'           => "DirSlotN",
    'dir /all slot2:'           => "DirSlotN",
    'dir /all disk2:'           => "DirSlotN",
    'dir /all sup-bootflash:'   => "DirSlotN",   # cat 6500-ios
    'dir /all sup-microcode:'   => "DirSlotN",   # cat 6500-ios
    'dir /all slavenvram:'      => "DirSlotN",
    'dir /all slavebootflash:'  => "DirSlotN",
    'dir /all slaveslot0:'      => "DirSlotN",
    'dir /all slavedisk0:'      => "DirSlotN",
    'dir /all slaveslot1:'      => "DirSlotN",
    'dir /all slavedisk1:'      => "DirSlotN",
    'dir /all slaveslot2:'      => "DirSlotN",
    'dir /all slavedisk2:'      => "DirSlotN",
    'dir /all slavesup-bootflash:' => "DirSlotN", # cat 7609
    'dir /all sec-nvram:'       => "DirSlotN",
    'dir /all sec-bootflash:'   => "DirSlotN",
    'dir /all sec-slot0:'       => "DirSlotN",
    'dir /all sec-disk0:'       => "DirSlotN",
    'dir /all sec-slot1:'       => "DirSlotN",
    'dir /all sec-disk1:'       => "DirSlotN",
    'dir /all sec-slot2:'       => "DirSlotN",
    'dir /all sec-disk2:'       => "DirSlotN",
    'show controllers'          => "ShowContAll",
    'show controllers cbus'     => "ShowContCbus",
    'show diagbus'              => "ShowDiagbus",
    'show diag'                 => "ShowDiag",
    'show module'               => "ShowModule",   # cat 6500-ios
    'show spe version'          => "ShowSpeVersion",
    'show c7200'                => "ShowC7200",
    'show vtp status'           => "ShowVTP",
    'show vlan'                 => "ShowVLAN",
    'show running-config'       => "WriteTerm",
    'write term'                => "WriteTerm"
);
# keys() doesnt return things in the order entered and the order of the
# cmds is important (show version first and write term last).  pita
@commands=(
    "show version",
    "show redundancy secondary",
    "show idprom backplane",
    "show install active",
    "show env all",
    "show rsp chassis-info",
    "show gsr chassis",
    "show boot",
    "show bootvar",
    "show variables boot",
    "show flash",
    "dir /all nvram:",
    "dir /all bootflash:",
    "dir /all slot0:",
    "dir /all disk0:",
    "dir /all slot1:",
    "dir /all disk1:",
    "dir /all slot2:",
    "dir /all disk2:",
    "dir /all sup-bootflash:",
    "dir /all sup-microcode:",
    "dir /all slavenvram:",
    "dir /all slavebootflash:",
    "dir /all slaveslot0:",
    "dir /all slavedisk0:",
    "dir /all slaveslot1:",
    "dir /all slavedisk1:",
    "dir /all slaveslot2:",
    "dir /all slavedisk2:",
    "dir /all slavesup-bootflash:",
    "dir /all sec-nvram:",
    "dir /all sec-bootflash:",
    "dir /all sec-slot0:",
    "dir /all sec-disk0:",
    "dir /all sec-slot1:",
    "dir /all sec-disk1:",
    "dir /all sec-slot2:",
    "dir /all sec-disk2:",
    "show controllers",
    "show controllers cbus",
    "show diagbus",
    "show diag",
    "show module",
    "show spe version",
    "show c7200",
    "show vtp status",
    "show vlan",
    "show running-config",
    "write term"
);
$cisco_cmds=join(";",@commands);
$cmds_regexp=join("|",@commands);

open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

if ($file) {
    print STDERR "opening file $host\n" if ($debug);
    print STDOUT "opening file $host\n" if ($log);
    open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
    print STDERR "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
    print STDOUT "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
    # $host comes from the command line and is interpolated into a shell
    # command unquoted, so it must be trusted input.
    if (defined($ENV{NOPIPE})) {
        # system() returns 0 on success; the original "system ... || die"
        # died on success and was silent on failure, so test the status.
        system("clogin -t $timeo -c \"$cisco_cmds\" $host > $host.raw 2>&1") == 0
            || die "clogin failed for $host: exit status $?\n";
        open(INPUT, "< $host.raw") || die "clogin failed for $host: $!\n";
    } else {
        open(INPUT,"clogin -t $timeo -c \"$cisco_cmds\" $host |")
            || die "clogin failed for $host: $!\n";
    }
}

# [Editor's note: the archived copy lost the lines between the open() above
# and this loop, including the code that derives $filter_pwds from the
# environment.  Left undefined it compares as 0, i.e. no password filtering
# at all, so a truncated copy should fail closed; this default is an
# assumption, not part of the original.]
$filter_pwds = 1 unless defined($filter_pwds);

TOP: while (<INPUT>) {
    tr/\015//d;
    if (/[>#]\s?exit$/) {
        $clean_run = 1;
        last;
    }
    if (/^Error:/) {
        print STDOUT ("$host clogin error: $_");
        print STDERR ("$host clogin error: $_") if ($debug);
        $clean_run = 0;
        last;
    }
    while (/#\s*($cmds_regexp)\s*$/) {
        $cmd = $1;
        if (!defined($prompt)) {
            # the prompt is learned from the first echoed command and then
            # used as a regex, so its regex metacharacters are escaped here
            $prompt = ($_ =~ /^([^#]+#)/)[0];
            $prompt =~ s/([][}{)(\\])/\\$1/g;
            print STDERR ("PROMPT MATCH: $prompt\n") if ($debug);
        }
        print STDERR ("HIT COMMAND:$_") if ($debug);
        if (! defined($commands{$cmd})) {
            print STDERR "$host: found unexpected command - \"$cmd\"\n";
            $clean_run = 0;
            last TOP;
        }
        $rval = &{$commands{$cmd}};
        delete($commands{$cmd});
        if ($rval == -1) {
            $clean_run = 0;
            last TOP;
        }
    }
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);

if (defined($ENV{NOPIPE})) {
    unlink("$host.raw") if (! $debug);
}

# check for completeness: every command must have been seen, the run must
# have ended with "exit" and the config with "end", else the new file is
# discarded rather than committed as a truncated config.
if (scalar(%commands) || !$clean_run || !$found_end) {
    if (scalar(%commands)) {
        printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
        printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
    }
    if (!$clean_run || !$found_end) {
        print STDOUT "$host: End of run not found\n";
        print STDERR "$host: End of run not found\n" if ($debug);
        system("/usr/bin/tail -1 $host.new");
    }
    unlink "$host.new" if (! $debug);
}

From asp at partan.com Sun Jan 11 05:38:10 2004
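The password filtering that WriteTerm above applies to a "write term" before the config is committed, as an added example in Python (an editor's illustration, not rancid's code). The patterns are transcribed from that routine; the level numbering follows the script's $filter_pwds comparisons (0 keeps everything, 1 blanks reversible type 7 and plain-text secrets, 2 also blanks the one-way hashes), and how rancid derives that level from its environment is not on this page, so it is passed in as a parameter. SAMPLE_CONFIG is constructed; its type 7 strings and $1$ hashes are dummies. Only a subset of the routine's rules is included, and the NOCOMMSTR handling keeps the access mode after the community string the way the script's `$'` does.

```python
import re

# Constructed sample 'write term' output.  The type-7 strings and the $1$
# hashes are dummies, not real encodings of anything.
SAMPLE_CONFIG = """\
hostname edge1
enable secret 5 $1$abcd$xxxxxxxxxxxxxxxxxxxxxx
enable password 7 094F471A1A0A
username admin privilege 15 password 7 045802150C2E
username ops secret 5 $1$zzzz$yyyyyyyyyyyyyyyyyyyyyy
username legacy password 0 cleartextpw
ntp clock-period 17179869
ntp authentication-key 1 md5 0123456789ABCDEF 7
snmp-server community public RO
tacacs-server key 7 0A1B2C3D
router bgp 65000
 neighbor 192.0.2.1 password 7 1234ABCD
interface Serial0
 ip ospf message-digest-key 1 md5 7 ABCDEF12
line vty 0 4
 password 7 0D1E2F30
end
"""

# Patterns transcribed from WriteTerm.  The capture groups are the keywords
# that are kept; the secret after them is dropped and the line is commented
# out with '!'.  Level numbering follows the script's $filter_pwds checks:
#   0  keep everything
#   1  blank type 7 and plain-text secrets (reversible or already readable)
#   2  also blank one-way hashes (enable secret, username ... secret, type 5)
LEVEL1 = [
    r'^(enable )?(password|passwd) ',
    r'^(\s*password) ',                          # console/aux/vty line passwords
    r'^(\s*neighbor \S+ password) ',             # BGP session key, stored type 7
    r'^((?:tacacs-server|radius-server) key) ',
    r'^(ntp authentication-key \d+ md5) ',       # "md5" names the mode; key is type 7
    r'^( ip ospf message-digest-key \d+ md5) ',  # likewise reversible despite 'md5'
]
LEVEL2 = [
    r'^(enable secret) ',
    r'^(username \S+(?:\s.*)? secret) ',
]
USER_PW = re.compile(r'^(username \S+(?:\s.*)? password) (?:(\d) \S+|\S+)')
COMMUNITY = re.compile(r'^(snmp-server community) (\S+)')
END = re.compile(r'^(: +)?end$')                  # the ': ' variant is the PIX


def _blank(m):
    """Comment the line out, keeping only the captured keywords."""
    return '!' + ''.join(g for g in m.groups() if g) + ' '


def _first_match(patterns, line):
    for pat in patterns:
        m = re.match(pat, line)
        if m:
            return m
    return None


def filter_config(text, level=1, nocommstr=False):
    """Apply WriteTerm's secret handling to one config.

    Returns (lines, found_end).  found_end is False when no 'end' marker
    arrived, i.e. the config is truncated and must not replace the last good
    copy.  Raises PermissionError on the 'command authorization failed'
    banner, which the script treats as a bad run (return value -1)."""
    patterns = (LEVEL1 if level >= 1 else []) + (LEVEL2 if level >= 2 else [])
    out, found_end = [], False
    for line in text.splitlines():
        if re.search(r'command authorization failed', line, re.I):
            raise PermissionError('command authorization failed; run is not clean')
        if line.startswith('ntp clock-period '):    # drifts every run: diff noise
            continue
        m = USER_PW.match(line)
        if m and (level == 2 or (level == 1 and m.group(2) != '5')):
            out.append('!' + m.group(1) + ' ')      # only type 5 survives level 1
            continue
        m = _first_match(patterns, line)
        if m:
            out.append(_blank(m))
            continue
        m = COMMUNITY.match(line)
        if m and nocommstr:                         # NOCOMMSTR set in the environment
            out.append('!' + m.group(1) + ' ' + line[m.end():].lstrip())
            continue
        out.append(line)
        if END.match(line):
            found_end = True
            break
    return out, found_end


if __name__ == '__main__':
    for lvl in (0, 1, 2):
        lines, done = filter_config(SAMPLE_CONFIG, level=lvl, nocommstr=(lvl == 2))
        print(f'--- level {lvl}, complete={done}')
        print('\n'.join(lines))
```

Running it side by side at the three levels shows why level 1 is the sensible default for a repository that other people can read: the type 7 strings behind "enable password", the username passwords, the NTP and OSPF "md5" keys and the BGP neighbor password are all recoverable from the config text, so they are blanked, while the type 5 hashes are only removed at level 2.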
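The completeness checks in the driver loop above (prompt learned from the first echoed command, one output section per expected command, "command authorization failed" aborting the run, "missed cmd(s)" and "End of run not found" when the transcript is incomplete), as an added example in Python rather than rancid's own code. EXPECTED is a three-entry stand-in for the script's @commands list and TRANSCRIPT is a constructed clogin session in which AAA refuses "show vtp status"; both are assumptions for the example.

```python
import re

# Stand-in for the script's @commands (constructed; the real list is longer).
EXPECTED = ["show version", "show vtp status", "write term"]

# Constructed clogin transcript: AAA command authorization refuses one command.
TRANSCRIPT = """\
edge1#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.2(3), RELEASE SOFTWARE (fc1)
edge1#show vtp status
% command authorization failed
edge1#write term
Building configuration...
hostname edge1
end
edge1#exit
"""


def split_run(transcript, expected):
    """Carve a clogin transcript into per-command output and judge the run.

    Returns (sections, problems).  sections maps each command seen to its
    output lines; problems is empty only when every expected command was
    echoed once, none was refused and the session ended with 'exit'.  Any
    problem means the new file must be discarded, not committed."""
    cmd_re = re.compile(r'^([^#]+#)\s*(' + '|'.join(map(re.escape, expected)) + r')\s*$')
    sections, problems = {}, []
    prompt, cur, cmd, saw_exit = None, None, None, False
    for line in transcript.splitlines():
        line = line.rstrip('\r')
        if re.search(r'[>#]\s?exit$', line):
            saw_exit = True
            break
        if line.startswith('Error:'):                  # clogin itself gave up
            problems.append('clogin error: ' + line)
            break
        m = cmd_re.match(line)
        if m:
            if prompt is None:
                prompt = m.group(1)                     # learned from the first echo
            cmd = m.group(2)
            if cmd in sections:                         # echoed twice: abort the run
                problems.append('unexpected command: ' + cmd)
                break
            cur = sections[cmd] = []
            continue
        if cur is None:
            continue                                    # banner noise before any command
        if re.search(r'command authorization failed', line, re.I):
            problems.append(cmd + ': command authorization failed')
            break                                       # the script's return(-1) path
        cur.append(line)
    missing = [c for c in expected if c not in sections]
    if missing:
        problems.append('missed cmd(s): ' + ','.join(missing))
    if not saw_exit:
        problems.append('End of run not found')
    return sections, problems


if __name__ == '__main__':
    sections, problems = split_run(TRANSCRIPT, EXPECTED)
    for name, body in sections.items():
        print(f'{name}: {len(body)} line(s)')
    print('problems:', problems)
```

The refused command is not the only thing reported: because the loop stops at the first bad section, "write term" is also missing and the run has no "exit", which is exactly the trio of messages the script prints before unlinking $host.new. Granting the rancid user the "show" and "write term" commands it needs is therefore a prerequisite for any config to be saved at all, not just for that one section.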
From: asp at partan.com (Andrew Partan)
Date: Sun, 11 Jan 2004 00:38:10 -0500
Subject: vcware and modemware Versions on AS5300 *&* GSR FRU info
In-Reply-To: <20040111053010.GA20163@partan.com>
References: <20040111053010.GA20163@partan.com>
Message-ID: <20040111053810.GA21458@partan.com>

On Sun, Jan 11, 2004 at 12:30:10AM -0500, Andrew Partan wrote:
> On Fri, Jan 09, 2004 at 05:47:42PM +0200, Yuval Ben-Ari wrote:
> > show modem version seems too long,
> > you might want to monitor "show spe version"
> >
> > this routine will do it:
>
> On Fri, Jan 09, 2004 at 06:44:40PM +0200, Yuval Ben-Ari wrote:
> > I find it very useful for inventory purposes to include FRU information
> > on GSR routers.
> > I added the following to sub ShowDiag:
>
> I merged these into rancid.in; can you (or someone) do a check of
> these bits to make sure they still work & I didn't blow something?

Bletch; I should have known better; I sent bad bits.  Try these instead.
	--asp
-------------- next part --------------
#! @PERLV_PATH@
##
## $Id: rancid.in,v 1.167 2004/01/11 03:49:13 heas Exp $
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed
## without fee for non-commercial purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is".  The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
##
#
# RANCID - Really Awesome New Cisco confIg Differ
#
# usage: rancid [-d] [-l] [-f filename | $host]
#
use Getopt::Std;
getopts('dfl');
$log = $opt_l;
$debug = $opt_d;
$file = $opt_f;
$host = $ARGV[0];
$clean_run = 0;
$found_end = 0;
$timeo = 90;                    # clogin timeout in seconds

# password filtering mode (0, 1 or 2); the original declared this as a
# hash, my(%filter_pwds), while every use below is the scalar $filter_pwds
my($filter_pwds);

# This routine is used to print out the router configuration
sub ProcessHistory {
    my($new_hist_tag,$new_command,$command_string,@string)=(@_);
    # "defined %hash" is a fatal error on current perls; an empty hash is
    # false, which is what the test was for
    if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
        && %history) {
        print eval "$command \%history";
        undef %history;
    }
    if (($new_hist_tag) && ($new_command) && ($command_string)) {
        if ($history{$command_string}) {
            $history{$command_string} = "$history{$command_string}@string";
        } else {
            $history{$command_string} = "@string";
        }
    } elsif (($new_hist_tag) && ($new_command)) {
        $history{++$#history} = "@string";
    } else {
        print "@string";
    }
    $hist_tag = $new_hist_tag;
    $command = $new_command;
    1;
}

sub numerically { $a <=> $b; }

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort numerically keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
    local(%lines)=@_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort values %lines) {
        $sorted_lines[$i] = $key;
        $i++;
    }
    @sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort { local(%lines)=@_; local($i) = 0; local(@sorted_lines); foreach $num (sort {$a <=> $b} keys %lines) { $sorted_lines[$i] = $lines{$num}; $i++; } @sorted_lines; } # This is a sort routine that will sort on the # ip address when the ip address is anywhere in # the strings. sub ipsort { local(%lines)=@_; local($i) = 0; local(@sorted_lines); foreach $addr (sort sortbyipaddr keys %lines) { $sorted_lines[$i] = $lines{$addr}; $i++; } @sorted_lines; } # These two routines will sort based upon IP addresses sub ipaddrval { my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#); $a[3]+256*($a[2]+256*($a[1]+256*$a[0])); } sub sortbyipaddr { &ipaddrval($a) <=> &ipaddrval($b); } # This routine parses "show version" sub ShowVersion { print STDERR " In ShowVersion: $_" if ($debug); my($slaveslot); while () { tr/\015//d; last if(/^$prompt/); next if(/^(\s*|\s*$cmd\s*)$/); return(-1) if (/command authorization failed/i); # the pager can not be disabled per-session on the PIX s/^<-+ More -+>\s*//; if (/^Slave in slot (\d+) is running/) { $slave = " Slave:"; $slaveslot = ", slot $1"; next; } if (/^Application and Content Networking Software/) { $type="CE"; } /^Application and Content Networking Software Release /i && ProcessHistory("COMMENTS","keysort","F1", "!Image: $_") && next; /^Cisco Secure PIX /i && ProcessHistory("COMMENTS","keysort","F1", "!Image: $_") && next; # PIX fail-over license /^This PIX has an?\s+(.*)$/ && ProcessHistory("COMMENTS","keysort","C1", "!$_") && next; /^(Cisco )?IOS .* Software,? 
\(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ && ProcessHistory("COMMENTS","keysort","F1", "!Image:$slave Software: $2, $3\n") && next; /^([A-Za-z-0-9_]*) Synced to mainline version: (.*)$/ && ProcessHistory("COMMENTS","keysort","F2", "!Image:$slave $1 Synced to mainline version: $2\n") && next; /^Compiled (.*)$/ && ProcessHistory("COMMENTS","keysort","F3", "!Image:$slave Compiled: $1\n") && next; /^ROM: (IOS \S+ )?(System )?Bootstrap.*(Version.*)$/ && ProcessHistory("COMMENTS","keysort","G1", "!ROM Bootstrap: $3\n") && next; if (/^Hardware:\s+(.*), (.* RAM), CPU (.*)$/) { ProcessHistory("COMMENTS","keysort","A1", "!Chassis type: $1 - a PIX\n"); ProcessHistory("COMMENTS","keysort","A2", "!CPU: $3\n"); ProcessHistory("COMMENTS","keysort","B1", "!Memory: $2\n"); } /^Serial Number:\s+(.*)$/ && ProcessHistory("COMMENTS","keysort","C1", "!$_") && next; # CatOS 3500xl stuff /^System serial number(:\s+.*)$/ && ProcessHistory("COMMENTS","keysort","C1", "!Serial Number$1\n") && next; /^Model / && ProcessHistory("COMMENTS","keysort","C2", "!$_") && next; /^Motherboard / && ProcessHistory("COMMENTS","keysort","C3", "!$_") && next; /^Power supply / && ProcessHistory("COMMENTS","keysort","C4", "!$_") && next; /^Activation Key:\s+(.*)$/ && ProcessHistory("COMMENTS","keysort","C2", "!$_") && next; /^ROM: \d+ Bootstrap .*(Version.*)$/ && ProcessHistory("COMMENTS","keysort","G2", "!ROM Image: Bootstrap $1\n!\n") && next; /^ROM: .*(Version.*)$/ && ProcessHistory("COMMENTS","keysort","G3","!ROM Image: $1\n") && next; /^BOOTFLASH: .*(Version.*)$/ && ProcessHistory("COMMENTS","keysort","G4","!BOOTFLASH: $1\n") && next; /^BOOTLDR: .*(Version.*)$/ && ProcessHistory("COMMENTS","keysort","G4","!BOOTLDR: $1\n") && next; /^System image file is "([^\"]*)", booted via (\S*)/ && # removed the booted source due to # CSCdk28131: cycling info in 'sh ver' # ProcessHistory("COMMENTS","keysort","F4","!Image: booted via $2, $1\n") && ProcessHistory("COMMENTS","keysort","F4","!Image: booted $1\n") && next; 
        /^System image file is "([^\"]*)"$/ &&
            ProcessHistory("COMMENTS","keysort","F5","!Image: $1\n") && next;
        if (/(\S+)\s+\((\S+)\)\s+processor.*with (\S+[kK]) bytes/) {
            my($proc) = $1;
            my($cpu) = $2;
            my($mem) = $3;
            my($device) = "router";
            # the next line ought to be the more specific cpu info, grab it.
            # yet, some boards/IOS vers have a processor ID line between these
            # two.  grrr.  make sure we dont grab the "software" junk that
            # follows these lines by looking for "CPU at " or the 2600s
            # "processor: " unique string.  there are undoubtedly many other
            # incantations.  for a slave, we dont get this info and its just a
            # blank line.
            $_ = <INPUT>;
            $_ = <INPUT> if (/processor board id/i);
            $_ = "" if (! /(cpu at |processor: |$cpu processor,)/i);
            tr/\015//d;
            s/implementation/impl/i;
            if ($_ !~ /^\s*$/) {
                chomp;
                s/^/, /;
            }
            if ( $proc eq "CSC") { $type = "AGS"; }
            elsif ( $proc eq "CSC4") { $type = "AGS+"; }
            elsif ( $proc =~ /^(AS)?25[12][12]/) { $type = "2500"; }
            elsif ( $proc =~ /261[01]/ || $proc =~ /262[01]/ ) { $type = "2600"; }
            elsif ( $proc =~ /^36[0246][0-9]/) { $type = "3600"; }
            elsif ( $proc =~ /^37/) { $type = "3700"; }
            elsif ( $proc eq "RSP7000") { $type = "7500"; }
            elsif ( $proc =~ /RSP\d/) { $type = "7500"; }
            elsif ( $proc eq "RP1") { $type = "7000"; }
            elsif ( $proc eq "RP") { $type = "7000"; }
            elsif ( $proc =~ /720[246]/) { $type = "7200"; }
            elsif ( $proc =~ /1200[48]\/GRP/ || $proc =~ /1201[26]\/GRP/) { $type = "12000"; }
            elsif ( $proc =~ /1201[26]-8R\/GRP/) { $type = "12000"; }
            elsif ( $proc =~ /WS-C29/) { $type = "2900XL"; $device = "switch"; }
            elsif ( $proc =~ /WS-C355/) { $type = "3550"; $device = "switch"; }
            elsif ( $proc =~ /WS-C35/) { $type = "3500XL"; $device = "switch"; }
            elsif ( $proc =~ /WS-C45/) { $type = "4500"; $device = "switch"; }
            elsif ( $proc =~ /6000/) { $type = "6000"; $device = "switch"; }
            elsif ( $proc =~ /CISCO76/) { $type = "7600"; $device = "router"; }
            elsif ( $proc =~ /1900/) { $type = "1900"; $device = "switch"; }
            else { $type = $proc; }
            print STDERR "TYPE = $type\n" if ($debug);
            ProcessHistory("COMMENTS","keysort","A1",
                "!Chassis type:$slave $proc - a $type $device\n");
            ProcessHistory("COMMENTS","keysort","B1",
                "!Memory:$slave main $mem\n");
            ProcessHistory("COMMENTS","keysort","A3","!CPU:$slave $cpu$_$slaveslot\n");
            next;
        }
        if (/(\S+) Silicon\s*Switch Processor/) {
            if (!defined($C0)) {
                $C0=1;
                ProcessHistory("COMMENTS","keysort","C0","!\n");
            }
            ProcessHistory("COMMENTS","keysort","C2","!SSP: $1\n");
            $ssp = 1;
            $sspmem = $1;
            next;
        }
        /^(\d+[kK]) bytes of multibus/ &&
            ProcessHistory("COMMENTS","keysort","B2",
                "!Memory: multibus $1\n") && next;
        /^(\d+[kK]) bytes of (non-volatile|NVRAM)/ &&
            ProcessHistory("COMMENTS","keysort","B3",
                "!Memory: nvram $1\n") && next;
        /^(\d+[kK]) bytes of flash memory/ &&
            ProcessHistory("COMMENTS","keysort","B5","!Memory: flash $1\n") && next;
        /^(\d+[kK]) bytes of .*flash partition/ &&
            ProcessHistory("COMMENTS","keysort","B6",
                "!Memory: flash partition $1\n") && next;
        /^(\d+[kK]) bytes of Flash internal/ &&
            ProcessHistory("COMMENTS","keysort","B4",
                "!Memory: bootflash $1\n") && next;
        if(/^(\d+[kK]) bytes of (Flash|ATA)?.*PCMCIA .*(slot|disk) ?(\d)/i) {
            ProcessHistory("COMMENTS","keysort","B7",
                "!Memory: pcmcia $2 $3$4 $1\n");
            next;
        }
        if(/^WARNING/) {
            if (!defined($I0)) {
                $I0=1;
                ProcessHistory("COMMENTS","keysort","I0","!\n");
            }
            ProcessHistory("COMMENTS","keysort","I1","!$_");
        }
        if (/^Configuration register is (.*)$/) {
            $config_register=$1;
            next;
        }
    }
    return(0);
}

# This routine parses "show redundancy"
sub ShowRedundancy {
    print STDERR " In ShowRedundancy: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        next if(/^(\s*|\s*$cmd\s*)$/);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        /^IOS .* Software \(([A-Za-z-0-9]*)\), .*Version\s+(.*)$/ &&
            ProcessHistory("COMMENTS","keysort","F1",
                "!Image:$slave Software: $1, $2\n") && next;
        /^Compiled (.*)$/ &&
            ProcessHistory("COMMENTS","keysort","F3",
                "!Image:$slave Compiled: $1\n") && next;
    }
    return(0);
}

# This routine parses "show IDprom"
sub ShowIDprom {
    my($tmp);
    print STDERR " In ShowIDprom: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        next if(/^(\s*|\s*$cmd\s*)$/);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        /FRU is .(.*)\'/ && ($tmp = $1);
        /Product Number = .(.*)\'/ &&
            ProcessHistory("COMMENTS","keysort","D0","!\n") &&
            ProcessHistory("COMMENTS","keysort","D0",
                "!Catalyst Chassis type: $1, $tmp\n");
        /Serial Number = .([0-9A-Za-z]+)/ &&
            ProcessHistory("COMMENTS","keysort","D1",
                "!Catalyst Chassis S/N: $1\n");
        /Manufacturing Assembly Number = .([-0-9]+)/ && ($tmp = $1);
        /Manufacturing Assembly Revision = .(.*)\'/ && ($tmp .= ", rev " . $1);
        /Hardware Revision = ([0-9.]+)/ &&
            ProcessHistory("COMMENTS","keysort","D2",
                "!Catalyst Chassis assembly: $tmp, ver $1\n");
    }
    return(0);
}

# This routine parses "show install active"
sub ShowInstallActive {
    print STDERR " In ShowInstallActive: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        ProcessHistory("COMMENTS","keysort","F5","!Image: $_") && next;
    }
    return(0);
}

# This routine parses "show env all"
sub ShowEnv {
    # Skip if this is not a 7500, 7200, or 7000.
    print STDERR " In ShowEnv: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        #return(1) if ($type !~ /^7/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (!defined($E0)) {
            $E0=1;
            ProcessHistory("COMMENTS","keysort","E0","!\n");
        }
        if (/^Arbiter type (\d), backplane type (\S+)/) {
            if (!defined($C0)) {
                $C0=1;
                ProcessHistory("COMMENTS","keysort","C0","!\n");
            }
            ProcessHistory("COMMENTS","keysort","C1",
                "!Enviromental Arbiter Type: $1\n");
            ProcessHistory("COMMENTS","keysort","A2",
                "!Chassis type: $2 backplane\n");
            next;
        }
        /^\s*(Power [^:\n]+)$/ &&
            ProcessHistory("COMMENTS","keysort","E1","!Power: $1\n") && next;
        /^\s*(Lower Power .*)/i &&
            ProcessHistory("COMMENTS","keysort","E2","!Power: $1\n") && next;
        /^\s*(redundant .*)/i &&
            ProcessHistory("COMMENTS","keysort","E2","!Power: $1\n") && next;
        /^\s*(RPS is .*)/i &&
            ProcessHistory("COMMENTS","keysort","E2","!Power: $1\n") && next;
    }
    ProcessHistory("COMMENTS","","","!\n");
    return(0);
}

# This routine parses "show rsp chassis-info" for the rsp
# This will create arrays for hw info.
sub ShowRSP {
    print STDERR " In ShowRSP: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(-1) if (/command authorization failed/i);
        # return(1) if ($type !~ /^12[40]/);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /^$/ && next;

        /^\s+Chassis model: (\S+)/ &&
            ProcessHistory("COMMENTS","keysort","D0","!\n") &&
            ProcessHistory("COMMENTS","keysort","D1",
                "!RSP Chassis model: $1\n") && next;
        /^\s+Chassis S\/N: (.*)$/ &&
            ProcessHistory("COMMENTS","keysort","D2",
                "!RSP Chassis S/N: $1\n") && next;
    }
    return(0);
}

# This routine parses "show gsr chassis-info" for the gsr
# This will create arrays for hw info.
sub ShowGSR {
    # Skip if this is not a 1200n.
    print STDERR " In ShowGSR: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(-1) if (/command authorization failed/i);
        # return(1) if ($type !~ /^12[40]/);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /^$/ && next;

        /^\s+Chassis: type (\S+) Fab Ver: (\S+)/ &&
            ProcessHistory("COMMENTS","keysort","D0","!\n") &&
            ProcessHistory("COMMENTS","keysort","D1",
                "!GSR Chassis type: $1 Fab Ver: $2\n") && next;
        /^\s+Chassis S\/N: (.*)$/ &&
            ProcessHistory("COMMENTS","keysort","D2",
                "!GSR Chassis S/N: $1\n") && next;
        /^\s+PCA: (\S+)\s*rev: (\S+)\s*dev: \S+\s*HW ver: (\S+)$/ &&
            ProcessHistory("COMMENTS","keysort","D3",
                "!GSR Backplane PCA: $1, rev $2, ver $3\n") && next;
        /^\s+Backplane S\/N: (\S+)$/ &&
            ProcessHistory("COMMENTS","keysort","D4",
                "!GSR Backplane S/N: $1\n") && next;
    }
    ProcessHistory("COMMENTS","","","!\n");
    return(0);
}

# This routine parses "show boot"
sub ShowBoot {
    # Pick up boot variables if 7000/7200/7500/12000/2900/3500;
    # otherwise pick up bootflash.
    print STDERR " In ShowBoot: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if /^\s*\^\s*$/;
        return(-1) if (/command authorization failed/i);
        return(1) if /Ambiguous command/i;
        return(1) if /(Invalid input detected|Type help or )/;
        return(1) if /(Open device \S+ failed|Error opening \S+:)/;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        next if /CONFGEN variable/;

        if (!defined($H0)) {
            $H0=1;
            ProcessHistory("COMMENTS","keysort","H0","!\n");
        }
        if ($type !~ /^(12[04]|7)/) {
            if ($type !~ /^(29|35)00/) {
                ProcessHistory("COMMENTS","keysort","H2","!BootFlash: $_");
            } else {
                ProcessHistory("COMMENTS","keysort","H1","!Variable: $_");
            }
        } elsif (/variable/) {
            ProcessHistory("COMMENTS","keysort","H1","!Variable: $_");
        }
    }
    ProcessHistory("COMMENTS","","","!\n");
    return(0);
}

# This routine parses "show flash"
sub ShowFlash {
    # skip if this is 7000, 7200, 7500, or 12000; else we end up with
    # redundant data from dir /all slot0:
    print STDERR " In ShowFlash: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if ($type =~ /^(12[40]|7)/);
        return(-1) if (/command authorization failed/i);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        ProcessHistory("FLASH","","","!Flash: $_");
    }
    ProcessHistory("","","","!\n");
    return;
}

# This routine parses "dir /all ((disk|slot)N|bootflash|nvram):"
sub DirSlotN {
    # Skip if this is not a 3600, 7000, 7200, 7500, or 12000.
    print STDERR " In DirSlotN: $_" if ($debug);

    my($dev) = (/\s([^\s]+):/);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        # return(1) if ($type !~ /^(12[40]|7|36)/);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        return(1) if /(No such device|Error Sending Request)/i;
        return(1) if /\%Error: No such file or directory/;
        return(1) if /No space information available/;
        return(-1) if /\%Error calling/;
        return(-1) if /(: device being squeezed|ATA_Status time out)/i; # busy
        return(-1) if (/command authorization failed/i);
        return(1) if /(Open device \S+ failed|Error opening \S+:)/;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        ProcessHistory("FLASH","","","!Flash: $dev: $_");
    }
    ProcessHistory("","","","!\n");
    return(0);
}

# This routine parses "show controllers"
sub ShowContAll {
    # Skip if this is a 70[01]0, 7500, or 12000.
    print STDERR " In ShowContAll: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        # return(1) if ($type =~ /^(12[40]|7[05])/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (/^Interface ([^ \n(]*)/) { $INT = "$1, "; next; }
        /^(BRI unit \d)/ &&
            ProcessHistory("INT","","","!Interface: $1\n") && next;
        /^LANCE unit \d, NIM/ &&
            ProcessHistory("INT","","","!Interface: $_") && next;
        /^(LANCE unit \d)/ &&
            ProcessHistory("INT","","","!Interface: $1\n") && next;
        /(Media Type is \S+),/ &&
            ProcessHistory("INT","","","!\t$1\n");
        if (/(M\dT[^ :]*:) show controller:$/) {
            my($ctlr) = $1;
            $_ = <INPUT>; tr/\015//d; s/ subunit \d,//;
            ProcessHistory("INT","","","!Interface: $ctlr $_");
        }
        if (/^(\S+) : show controller:$/) {
            my($ctlr) = $1;
            $_ = <INPUT>; tr/\015//d; s/ subunit \d,//;
            ProcessHistory("INT","","","!Interface: $ctlr: $_");
        }
        /^(HD unit \d), idb/ &&
            ProcessHistory("INT","","","!Interface: $1\n") && next;
        /^HD unit \d, NIM/ &&
            ProcessHistory("INT","","","!Interface: $_") && next;
        /^buffer size \d+ HD unit \d, (.*)/ &&
            ProcessHistory("INT","","","!\t$1\n") && next;
        /^AM79970 / && ProcessHistory("INT","","","!Interface: $_") && next;
        /^buffer size \d+ (Universal Serial: .*)/ &&
            ProcessHistory("INT","","","!\t$1\n") && next;
        /^Hardware is (.*)/ &&
            ProcessHistory("INT","","","!Interface: $INT$1\n") && next;
        /^(QUICC Serial unit \d),/ &&
            ProcessHistory("INT","","","!$1\n") && next;
        /^QUICC Ethernet .*/ && ProcessHistory("INT","","","!$_") && next;
        /^DTE .*\.$/ && ProcessHistory("INT","","","!\t$_") && next;
        /^(cable type :.*),/ && ProcessHistory("INT","","","!\t$1\n") && next;
        /^(.* cable.*), received clockrate \d+$/ &&
            ProcessHistory("INT","","","!\t$1\n") && next;
        /^.* cable.*$/ && ProcessHistory("INT","","","!\t$_") && next;
    }
    return(0);
}

# This routine parses "show controllers cbus"
# Some of this is printed out in ShowDiagbus.
sub ShowContCbus {
    # Skip if this is not a 7000 or 7500.
    print STDERR " In ShowContCbus: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        #return(1) if ($type !~ /^7[05]0/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (/^\s*slot(\d+): ([^,]+), hw (\S+), sw (\S+), ccb/) {
            $slot = $1;
            $board{$slot} = $2;
            $hwver{$slot} = $3;
            $hwucode{$slot} = $4;
        } elsif (/^\s*(\S+) (\d+), hardware version (\S+), microcode version (\S+)/) {
            $slot = $2;
            $board{$slot} = $1;
            $hwver{$slot} = $3;
            $hwucode{$slot} = $4;
        } elsif (/(Microcode .*)/) {
            $ucode{$slot} = $1;
        } elsif (/(software loaded .*)/) {
            $ucode{$slot} = $1;
        } elsif (/(\d+) Kbytes of main memory, (\d+) Kbytes cache memory/) {
            $hwmemd{$slot} = $1;
            $hwmemc{$slot} = $2;
        } elsif (/byte buffers/) {
            chop;
            s/^\s*//;
            $hwbuf{$slot} = $_;
        } elsif (/Interface (\d+) - (\S+ \S+),/) {
            $interface = $1;
            ProcessHistory("HW","","",
                "!\n!Int $interface: in slot $slot, named $2\n");
            next;
        } elsif (/(\d+) buffer RX queue threshold, (\d+) buffer TX queue limit, buffer size (\d+)/) {
            ProcessHistory("HW","","","!Int $interface: rxq $1, txq $2, bufsize $3\n");
            next;
        }
    }
    return(0);
}

# This routine parses "show diagbus"
# This will create arrays for hw info.
sub ShowDiagbus {
    # Skip if this is not a 7000, 70[01]0, or 7500.
    print STDERR " In ShowDiagbus: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        #return(1) if ($type !~ /^7[05]/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (/^\s*Slot (\d+):/i) {
            $slot = $1;
            next;
        } elsif (/^\s*Slot (\d+) \(virtual\):/i) {
            $slot = $1;
            next;
        } elsif (/^\s*(.*Processor.*|.*controller|.*controler|.*Chassis Interface)(, FRU\s?:.*)?, HW rev (\S+), board revision (\S+)/i) {
            $board = $1;
            $hwver = $3;
            $boardrev = $4;
            if ($board =~ /Processor/) {
                if ($board =~ /7000 Route\/Switch/) {
                    $board = "RSP7000";
                } elsif ($board =~ /Route\/Switch Processor (\d)/) {
                    $board = "RSP$1";
                } elsif ($board =~ /Route/) {
                    $board = "RP";
                } elsif ($board =~ /Silicon Switch/) {
                    $board = "SSP";
                } elsif ($board =~ /Switch/) {
                    $board = "SP";
                    $board = "SSP $sspmem" if $ssp;
                } elsif ($board =~ /ATM/) {
                    $board = "AIP";
                }
            } elsif ($board =~ /(.*) controller/i) {
                $board = $1;
            }
            # hwucode{$slot} defined in ShowContCbus
            if (defined $hwucode{$slot}) {
                ProcessHistory("SLOT","","","!\n!Slot $slot/$board: hvers $hwver rev $boardrev ucode $hwucode{$slot}\n");
            } else {
                ProcessHistory("SLOT","","","!\n!Slot $slot/$board: hvers $hwver rev $boardrev\n");
            }
            # These are also from the ShowContCbus
            ProcessHistory("SLOT","","","!Slot $slot/$board: $ucode{$slot}\n")
                if (defined $ucode{$slot});
            ProcessHistory("SLOT","","","!Slot $slot/$board: memd $hwmemd{$slot}, cache $hwmemc{$slot}\n")
                if ((defined $hwmemd{$slot}) && (defined $hwmemc{$slot}));
            ProcessHistory("SLOT","","","!Slot $slot/$board: $hwbuf{$slot}\n")
                if (defined $hwbuf{$slot});
            next;
        }
        /Serial number: (\S+)\s*Part number: (\S+)/ &&
            ProcessHistory("SLOT","","",
                "!Slot $slot/$board: part $2, serial $1\n") && next;
        /^\s*Controller Memory Size: (.*)$/ &&
            ProcessHistory("SLOT","","","!Slot $slot/$board: $1\n") && next;
        if (/PA Bay (\d) Information/) {
            $pano = $1;
            if ("PA" =~ /$board/) {
                ($s,$c) = split(/\//,$board);
                $board = "$s/$c/PA $pano";
            } else {
                $board =~ s/\/PA \d//;
                $board = "$board/PA $pano";
            }
            next;
        }
        /\s+(.*) (IP|PA), (\d) ports?,( \S+,)? (FRU\s?: )?(\S+)/ &&
            ProcessHistory("SLOT","","","!Slot $slot/$board: type $6, $3 ports\n") && next;
        /\s+(.*) (IP|PA)( \(\S+\))?, (\d) ports?/ &&
            ProcessHistory("SLOT","","","!Slot $slot/$board: type $1$3, $4 ports\n") && next;
        /^\s*HW rev (\S+), Board revision (\S+)/ &&
            ProcessHistory("SLOT","","","!Slot $slot/$board: hvers $1 rev $2\n") && next;
        /Serial number: (\S+)\s*Part number: (\S+)/ &&
            ProcessHistory("SLOT","","","!Slot $slot/$board: part $2, serial $1\n") && next;
    }
    return(0);
}

# This routine parses "show diag" for the gsr, 7200, 3700, 3600, 2600.
# This will create arrays for hw info.
sub ShowDiag {
    # Skip if this is not a 12000.
    print STDERR " In ShowDiag: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        # return(1) if ($type !~ /^(12[40]|720|36|26)/);
        return(-1) if (/command authorization failed/i);
        /^$/ && next;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        s/Port Packet Over SONET/POS/;
        if (/^\s*SLOT\s+(\d+)\s+\((.*)\): (.*)/) {
            $slot = $1;
            ProcessHistory("SLOT","","","!\n");
            ProcessHistory("SLOT","keysort","A","!Slot $slot: $3\n");
            next;
        }
        if (/^\s+MAIN:\s* type \d+,\s+(.*)/) {
            ProcessHistory("SLOT","keysort","AM","!Slot $slot/MAIN: part $1\n");
            next;
        }
        if (/^c3700\s+(io-board|mid-plane)/i) {
            $slot=$1;
            ProcessHistory("SLOT","","","!\n");
            ProcessHistory("SLOT","keysort","A","!Slot $slot: part $1\n");
            next;
        }
        if (/ Engine:\s+(.*)/) {
            ProcessHistory("SLOT","keysort","AE","!Slot $slot/Engine: $1\n");
        }
        if (/^\s+PCA:\s+(.*)/) {
            local($part) = $1;
            $_ = <INPUT>;
            /^\s+(HW version|design release) (\S+)\s+S\/N (\S+)/i &&
                ProcessHistory("SLOT","keysort","C1","!Slot $slot/PCA: part $part, serial $3\n") &&
                ProcessHistory("SLOT","keysort","C2","!Slot $slot/PCA: hvers $2\n");
            next;
        }
        if (/^\s+MBUS: .*\)\s+(.*)/) {
            local($tmp) = "!Slot $slot/MBUS: part $1";
            $_ = <INPUT>;
            /^\s+HW version (\S+)\s+S\/N (\S+)/ &&
                ProcessHistory("SLOT","keysort","MB1","$tmp, serial $2\n") &&
                ProcessHistory("SLOT","keysort","MB2","!Slot $slot/MBUS: hvers $1\n");
            next;
        }
        if (/^\s+MBUS Agent Software version (.*)/) {
            ProcessHistory("SLOT","keysort","MB3","!Slot $slot/MBUS: software $1\n");
            next;
        }
        if (/^\s+ROM Monitor version (.*)/) {
            ProcessHistory("SLOT","keysort","R","!Slot $slot/ROM Monitor: version $1\n");
            next;
        }
        if (/^\s+Fabric Downloader version used (.*)/) {
            ProcessHistory("SLOT","keysort","Z","!Slot $slot/Fabric Downloader: version $1\n");
            next;
        }
        if (/^\s+DRAM size: (\d+)/) {
            local($dram) = $1 / 1048576;
            $_ = <INPUT>;
            if (/^\s+FrFab SDRAM size: (\d+)/) {
                ProcessHistory("SLOT","keysort","MB4","!Slot $slot/MBUS: $dram Mbytes DRAM, " . $1 / 1024 . " Kbytes SDRAM\n");
            } else {
                ProcessHistory("SLOT","keysort","MB4","!Slot $slot/MBUS: $dram Mbytes DRAM\n");
            }
            next;
        }
        if (/FRU:\s+Linecard\/Module:\s+(\S+)/) {
            ProcessHistory("SLOT","","","!Slot $slot/FRU: Linecard/Module: $1\n");
            next;
        }
        # 7200, 3600, 2600, and 1700 stuff
        if (/^(Slot)\s+(\d+(\/\d+)?):/ ||
            /^\s+(WIC|VIC|WIC\/VIC) Slot (\d):/ ||
            /^(Encryption AIM) (\d):/) {
            if ($1 eq "WIC") {
                $WIC = "/$2";
            } elsif ($1 eq "VIC") {
                $WIC = "/$2";
            } elsif ($1 eq "WIC/VIC") {
                $WIC = "/$2";
            } elsif ($1 eq "Encryption AIM") {
                $slot = "$2";
                undef($WIC);
                ProcessHistory("SLOT","","","!\n");
                ProcessHistory("SLOT","keysort","B","!Slot $slot: type $1\n");
                next;
            } else {
                $slot = $2;
                undef($WIC);
            }
            $_ = <INPUT>;
            tr/\015//d;
            # clean up hideous 7200/etc formats to look more like 7500 output
            s/Fast-ethernet on C7200 I\/O card/FE-IO/;
            s/ with MII or RJ45/-TX/;
            s/Fast-ethernet /100Base/;
            s/[)(]//g;
            s/intermediate reach/IR/i;
            ProcessHistory("SLOT","","","!\n");
            /\s+(.*) port adapter,?\s+(\d+)\s+/i &&
                ProcessHistory("SLOT","keysort","B","!Slot $slot: type $1, $2 ports\n") && next;
            # I/O controller with no interfaces
            /\s+(.*)\s+port adapter\s*$/i &&
                ProcessHistory("SLOT","keysort","B","!Slot $slot: type $1, 0 ports\n") && next;
            /\s+(.*)\s+daughter card(.*)$/ &&
                ProcessHistory("SLOT","keysort","B","!Slot $slot$WIC: type $1$2\n") && next;
            /\s+(FT1)$/ &&
                ProcessHistory("SLOT","keysort","B","!Slot $slot$WIC: type $1\n") && next;
            # handle WICs lacking "daughter card" in the 2nd line of their
            # show diag o/p
            if (defined($WIC)) {
                s/^\s+//;
                ProcessHistory("SLOT","keysort","B","!Slot $slot$WIC: type $_");
            }
            next;
        }
        # yet another format.  seen on 2600s w/ 12.1, but appears to be all
        # 12.1, including 7200s & 3700s.  Sometimes the PCB serial appears
        # before the hardware revision.
        if (/(pcb serial number|hardware revision)\s+:\s+(\S+)$/i) {
            my($hw, $pn, $rev, $sn);
            if ($1 =~ /^pcb/i) {
                $sn = $2;
            } else {
                $hw = $2;
            }
            while (<INPUT>) {
                tr/\015//d;
                # a "0x..:" hex dump line ends this EEPROM block; stop
                # reading so the following lines are handled by the outer loop
                last if (/0x..: /);
                if (/hardware revision\s+:\s+(\S+)/i) { $hw = $1; }
                if (/part number\s+:\s+(\S+)/i) { $pn = $1; }
                if (/board revision\s+:\s+(\S+)/i) { $rev = $1; }
                if (/pcb serial number\s+:\s+(\S+)/i) { $sn = $1; }
            }
            ProcessHistory("SLOT","keysort","B","!Slot $slot$WIC: hvers $hw rev $rev\n");
            ProcessHistory("SLOT","keysort","C","!Slot $slot$WIC: part $pn, serial $sn\n");
        }
        /revision\s+(\S+).*revision\s+(\S+)/ &&
            ProcessHistory("SLOT","keysort","C","!Slot $slot$WIC: hvers $1 rev $2\n") && next;
        /number\s+(\S+)\s+Part number\s+(\S+)/ &&
            ProcessHistory("SLOT","keysort","D","!Slot $slot$WIC: part $2, serial $1\n") && next;
    }
    ProcessHistory("SLOT","","","!\n");
    return(0);
}

# This routine parses "show module".
sub ShowModule {
    print STDERR " In ShowModule: $_" if ($debug);
    my(@lines);
    my($slot);

    while (<INPUT>) {
        tr/\015//d;
        return if (/^\s*\^$/);
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        # match slot/card info line
        if (/^ *(\d+)\s+(\d+)\s+(.*)\s+(\S+)\s+(\S+)\s*$/) {
            $lines[$1] .= "!Slot $1: type $3, $2 ports\n!Slot $1: part $4, serial $5\n";
            $lines[$1] =~ s/\s+,/,/g;
        }
        # now match the Revs in the second paragraph of o/p and stick it in
        # the array with the previous bits...grumble.
        if (/^ *(\d+)\s+\S+\s+to\s+\S+\s+(\S+)\s+(\S*)\s+(\S+)(\s+\S+)?\s*$/) {
            $lines[$1] .= "!Slot $1: hvers $2, firmware $3, sw $4\n";
            $lines[$1] =~ s/\s+,/,/g;
        }
    }
    foreach $slot (@lines) {
        next if ($slot =~ /^\s*$/);
        ProcessHistory("Module","","","$slot!\n");
    }
    return(0);
}

# This routine parses "show spe version".
sub ShowSpeVersion {
    print STDERR " In ShowSpeVersion: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        return(-1) if (/command authorization failed/i);

        ProcessHistory("MODEM","","","!Modem: $_") && next;
    }
    ProcessHistory("MODEM","","","!\n");
    return(0);
}

# This routine parses "show c7200" for the 7200
# This will create arrays for hw info.
sub ShowC7200 {
    # Skip if this is not a 7200.
    print STDERR " In ShowC7200: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        #return(1) if ($type !~ /^72/);
        return(-1) if (/command authorization failed/i);
        /^$/ && next;
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (/^(C7200 )?Midplane EEPROM:/) {
            $_ = <INPUT>;
            /revision\s+(\S+).*revision\s+(\S+)/;
            ProcessHistory("SLOT","","","!Slot Midplane: hvers $1 rev $2\n");
            $_ = <INPUT>;
            /number\s+(\S+)\s+Part number\s+(\S+)/;
            ProcessHistory("SLOT","","","!Slot Midplane: part $2, serial $1\n!\n");
            next;
        }
        if (/C720\d(VXR)? CPU EEPROM:/) {
            my ($hvers,$rev,$part,$serial);
            # npe400s report their cpu eeprom info differently w/ 12.0.21S
            while (<INPUT>) {
                /Hardware Revision\s+: (\S+)/ && ($hvers = $1) && next;
                /Board Revision\s+: (\S+)/ && ($rev = $1) && next;
                /Part Number\s+: (\S+)/ && ($part = $1) && next;
                /Serial Number\s+: (\S+)/ && ($serial = $1) && next;
                /revision\s+(\S+).*revision\s+(\S+)/ &&
                    ($hvers = $1, $rev = $2) && next;
                /number\s+(\S+)\s+Part number\s+(\S+)/ &&
                    ($serial = $1, $part = $2) && next;
                /^\s*$/ && last;
            }
            ProcessHistory("SLOT","","","!Slot CPU: hvers $hvers rev $rev\n");
            ProcessHistory("SLOT","","","!Slot CPU: part $part, serial $serial\n!\n");
            next;
        }
    }
    return(0);
}

# This routine parses "show vtp status"
sub ShowVTP {
    print STDERR " In ShowVTP: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        #return(1) if ($type !~ /^(2900XL|3500XL|6000)$/);
        return(-1) if (/command authorization failed/i);
        next if (/^Configuration last modified by/);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        if (/^VTP Operating Mode\s+:\s+(Transparent|Server)/) {
            $DO_SHOW_VLAN = 1;
        }
        ProcessHistory("COMMENTS","keysort","I0","!VTP: $_");
    }
    ProcessHistory("COMMENTS","keysort","I0","!\n");
    return(0);
}

# This routine parses "show vlan"
sub ShowVLAN {
    print STDERR " In ShowVLAN: $_" if ($debug);

    ($_=<INPUT>,return(1)) if (!$DO_SHOW_VLAN);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if /(Invalid input detected|Type help or )/;
        # newer releases (~12.1(9)) place the vlan config in the normal
        # configuration (write term).
        return(1) if ($type =~ /^(3550|4500|7600)$/);
        #return(1) if ($type !~ /^(2900XL|3500XL|6000)$/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;

        ProcessHistory("COMMENTS","keysort","IO","!VLAN: $_");
    }
    ProcessHistory("COMMENTS","keysort","IO","!\n");
    return(0);
}

# This routine processes a "write term"
sub WriteTerm {
    print STDERR " In WriteTerm: $_" if ($debug);
    my($lineauto,$comment,$linecnt) = (0,0,0);

    while (<INPUT>) {
        tr/\015//d;
        last if(/^$prompt/);
        return(-1) if (/command authorization failed/i);
        # the pager can not be disabled per-session on the PIX
        s/^<-+ More -+>\s*//;
        /Non-Volatile memory is in use/ && return(-1); # NvRAM is locked
        return(0) if ($found_end);              # Only do this routine once
        $linecnt++;
        $lineauto = 0 if (/^[^ ]/);
        # skip the crap
        if (/^(##+$|(Building|Current) configuration)/i) {
            while (<INPUT>) {
                next if (/^Current configuration\s*:/i);
                next if (/^:/);
                next if (/^([%!].*|\s*)$/);
                next if (/^ip add.*ipv4:/);     # band-aid for 3620 12.0S
                last;
            }
            if (defined($config_register)) {
                ProcessHistory("","","","!\nconfig-register $config_register\n");
            }
            tr/\015//d;
        }
        # some versions have other crap mixed in with the bits in the
        # block above
        /^! (Last configuration|NVRAM config last)/ && next;
        # skip consecutive comment lines to avoid oscillating extra comment
        # line on some access servers.  grrr.
        if (/^!/) {
            next if ($comment);
            ProcessHistory("","","",$_);
            $comment++;
            next;
        }
        $comment = 0;

        # Dog gone Cool matches to process the rest of the config
        /^tftp-server flash / && next; # kill any tftp remains
        /^ntp clock-period / && next; # kill ntp clock-period
        /^ length / && next; # kill length on serial lines
        /^ width / && next; # kill width on serial lines
        $lineauto = 1 if /^ modem auto/;
        /^ speed / && $lineauto && next; # kill speed on serial lines
        /^ clockrate / && next; # kill clockrate on serial interfaces
        if (/^(enable )?(password|passwd) / && $filter_pwds >= 1) {
            ProcessHistory("ENABLE","","","!$1$2 <removed>\n");
            next;
        }
        if (/^(enable secret) / && $filter_pwds >= 2) {
            ProcessHistory("ENABLE","","","!$1 <removed>\n");
            next;
        }
        if (/^username (\S+)(\s.*)? secret /) {
            if ($filter_pwds >= 2) {
                ProcessHistory("USER","keysort","$1","!username $1$2 secret <removed>\n");
            } else {
                ProcessHistory("USER","keysort","$1","$_");
            }
            next;
        }
        if (/^username (\S+)(\s.*)? password ((\d) \S+|\S+)/) {
            if ($filter_pwds == 2) {
                ProcessHistory("USER","keysort","$1","!username $1$2 password <removed>\n");
            } elsif ($filter_pwds == 1 && $4 ne "5"){
                ProcessHistory("USER","keysort","$1","!username $1$2 password <removed>\n");
            } else {
                ProcessHistory("USER","keysort","$1","$_");
            }
            next;
        }
        if (/^( set session-key (in|out)bound ah \d+ )/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1<removed>\n");
            next;
        }
        if (/^( set session-key (in|out)bound esp \d+ (authenticator|cypher) )/
            && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1<removed>\n");
            next;
        }
        if (/^(\s*)password / && $filter_pwds >= 1) {
            ProcessHistory("LINE-PASS","","","!$1password <removed>\n");
            next;
        }
        if (/^\s*neighbor (\S*) password / && $filter_pwds >= 1) {
            ProcessHistory("","","","! neighbor $1 password <removed>\n");
            next;
        }
        if (/^(ppp .* password) 7 .*/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        if (/^(ip ftp password) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        if (/^( ip ospf authentication-key) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        # isis passwords appear to be completely plain-text
        if (/^\s+isis password (\S+)( .*)?/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!isis password <removed>$2\n");
            next;
        }
        if (/^\s+(domain-password|area-password) (\S+)( .*)?/
            && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>$3\n");
            next;
        }
        # this is reversible, despite 'md5' in the cmd
        if (/^( ip ospf message-digest-key \d+ md5) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed> $'");
            next;
        }
        # filter HSRP passwords
        if (/^(\s+standby \d authentication) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        # this appears in "measurement/sla" images
        if (/^(\s+key-string \d?)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        if (/^( l2tp tunnel \S+ password)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        # i am told these are plain-text on the PIX
        if (/^(vpdn username \S+ password)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        if (/^( cable shared-secret ) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        /fair-queue individual-limit/ && next;
        # sort ip explicit-paths.
        if (/^ip explicit-path name (\S+)/) {
            my($key) = $1;
            my($expath) = $_;
            while (<INPUT>) {
                tr/\015//d;
                last if (/^$prompt/ || ! /^(ip explicit-path name |[ !])/);
                if (/^ip explicit-path name (\S+)/) {
                    ProcessHistory("EXPATH","keysort","$key","$expath");
                    $key = $1;
                    $expath = $_;
                } else {
                    $expath .= $_;
                }
            }
            ProcessHistory("EXPATH","keysort","$key","$expath");
        }
        # sort route-maps
        if (/^route-map (\S+)/) {
            my($key) = $1;
            my($routemap) = $_;
            while (<INPUT>) {
                tr/\015//d;
                last if (/^$prompt/ || ! /^(route-map |[ !])/);
                if (/^route-map (\S+)/) {
                    ProcessHistory("ROUTEMAP","keysort","$key","$routemap");
                    $key = $1;
                    $routemap = $_;
                } else {
                    $routemap .= $_;
                }
            }
            ProcessHistory("ROUTEMAP","keysort","$key","$routemap");
        }
        # filter out any RCS/CVS tags to avoid confusing local CVS storage
        s/\$(Revision|Id):/ $1:/;
        # order access-lists
        /^access-list\s+(\d\d?)\s+(\S+)\s+(\S+)/ &&
            ProcessHistory("ACL $1 $2","ipsort","$3","$_") && next;
        # order extended access-lists
        /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+host\s+(\S+)/ &&
            ProcessHistory("EACL $1 $2","ipsort","$3","$_") && next;
        /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+(\d\S+)/ &&
            ProcessHistory("EACL $1 $2","ipsort","$3","$_") && next;
        /^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+any/ &&
            ProcessHistory("EACL $1 $2","ipsort","0.0.0.0","$_") && next;
        # order arp lists
        /^arp\s+(\d+\.\d+\.\d+\.\d+)\s+/ &&
            ProcessHistory("ARP","ipsort","$1","$_") && next;
        /^ip prefix-list\s+(\S+)\s+seq\s+(\d+)\s+(permit|deny)\s+(\d\S+)(\/.*)$/ &&
            ProcessHistory("PACL $1 $3","ipsort","$4","ip prefix-list $1 $3 $4$5\n") && next;
        # order logging statements
        /^logging (\d+\.\d+\.\d+\.\d+)/ &&
            ProcessHistory("LOGGING","ipsort","$1","$_") && next;
        # order/prune snmp-server host statements
        # we only prune lines of the form
        # snmp-server host a.b.c.d <community>
        if (/^snmp-server host (\d+\.\d+\.\d+\.\d+) /) {
            if (defined($ENV{'NOCOMMSTR'})) {
                my($ip) = $1;
                my($line) = "snmp-server host $ip";
                my(@tokens) = split(' ', $');
                my($token);
                while ($token = shift(@tokens)) {
                    if ($token eq 'version') {
                        $line .= " " . join(' ', ($token, shift(@tokens)));
                    } elsif ($token =~ /^(informs?|traps?|(no)?auth)$/) {
                        $line .= " " . $token;
                    } else {
                        $line = "!$line " . join(' ', ("<removed>", join(' ', @tokens)));
                        last;
                    }
                }
                ProcessHistory("SNMPSERVERHOST","ipsort","$ip","$line\n");
            } else {
                ProcessHistory("SNMPSERVERHOST","ipsort","$1","$_");
            }
            next;
        }
        if (/^(snmp-server community) (\S+)/) {
            if (defined($ENV{'NOCOMMSTR'})) {
                ProcessHistory("SNMPSERVERCOMM","keysort","$_","!$1 <removed>$'") && next;
            } else {
                ProcessHistory("SNMPSERVERCOMM","keysort","$_","$_") && next;
            }
        }
        # prune tacacs/radius server keys
        if (/^(tacacs-server|radius-server) key / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 key <removed>\n");
            next;
        }
        if (/^((tacacs-server|radius-server) host \S+ key) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        # order clns host statements
        /^clns host \S+ (\S+)/ &&
            ProcessHistory("CLNS","keysort","$1","$_") && next;
        # order alias statements
        /^alias / && ProcessHistory("ALIAS","keysort","$_","$_") && next;
        # delete ntp auth password - this md5 is reversible too
        if (/^(ntp authentication-key \d+ md5) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 <removed>\n");
            next;
        }
        # order ntp peers/servers
        if (/^ntp (server|peer) (\d+)\.(\d+)\.(\d+)\.(\d+)/) {
            $sortkey = sprintf("$1 %03d%03d%03d%03d",$2,$3,$4,$5);
            ProcessHistory("NTP","keysort",$sortkey,"$_");
            next;
        }
        # order ip host statements
        /^ip host (\S+) / &&
            ProcessHistory("IPHOST","keysort","$1","$_") && next;
        # order ip nat source static statements
        /^ip nat (\S+) source static (\S+)/ &&
            ProcessHistory("IP NAT $1","ipsort","$2","$_") && next;
        # order atm map-list statements
        /^\s+ip\s+(\d+\.\d+\.\d+\.\d+)\s+atm-vc/ &&
            ProcessHistory("ATM map-list","ipsort","$1","$_") && next;
        # order ip rcmd lines
        /^ip rcmd/ && ProcessHistory("RCMD","keysort","$_","$_") && next;
        # system controller
        /^syscon address (\S*) (\S*)/ &&
            ProcessHistory("","","","!syscon address $1 <removed>\n") && next;
        if (/^syscon password (\S*)/ && $filter_pwds >= 1) {
            ProcessHistory("","","","!syscon password <removed>\n");
            next;
        }
        # catch anything that wasnt matched above.
ProcessHistory("","","","$_"); # end of config. the ": " game is for the PIX if (/^(: +)?end$/) { $found_end = 1; return(1); } } # The ContentEngine lacks a definitive "end of config" marker. If we # know that it is a CE and we have seen at least 5 lines of write term # o/p, we can be reasonably sure that we got the config. if ($type =~ /^CE$/ && $linecnt > 5) { $found_end = 1; return(1); } return(0); } # dummy function sub DoNothing {print STDOUT;} # Main %commands=( 'show version' => "ShowVersion", 'show redundancy secondary' => "ShowRedundancy", 'show idprom backplane', => "ShowIDprom", 'show install active' => "ShowInstallActive", 'show env all' => "ShowEnv", 'show rsp chassis-info',=> "ShowRSP", 'show gsr chassis' => "ShowGSR", 'show boot' => "ShowBoot", 'show bootvar' => "ShowBoot", 'show variables boot' => "ShowBoot", 'show flash' => "ShowFlash", 'dir /all nvram:' => "DirSlotN", 'dir /all bootflash:' => "DirSlotN", 'dir /all slot0:' => "DirSlotN", 'dir /all disk0:' => "DirSlotN", 'dir /all slot1:' => "DirSlotN", 'dir /all disk1:' => "DirSlotN", 'dir /all slot2:' => "DirSlotN", 'dir /all disk2:' => "DirSlotN", "dir /all sup-bootflash:"=> "DirSlotN", # cat 6500-ios "dir /all sup-microcode:"=> "DirSlotN", # cat 6500-ios 'dir /all slavenvram:' => "DirSlotN", 'dir /all slavebootflash:' => "DirSlotN", 'dir /all slaveslot0:' => "DirSlotN", 'dir /all slavedisk0:' => "DirSlotN", 'dir /all slaveslot1:' => "DirSlotN", 'dir /all slavedisk1:' => "DirSlotN", 'dir /all slaveslot2:' => "DirSlotN", 'dir /all slavedisk2:' => "DirSlotN", "dir /all slavesup-bootflash:"=> "DirSlotN", # cat 7609 'dir /all sec-nvram:' => "DirSlotN", 'dir /all sec-bootflash:' => "DirSlotN", 'dir /all sec-slot0:' => "DirSlotN", 'dir /all sec-disk0:' => "DirSlotN", 'dir /all sec-slot1:' => "DirSlotN", 'dir /all sec-disk1:' => "DirSlotN", 'dir /all sec-slot2:' => "DirSlotN", 'dir /all sec-disk2:' => "DirSlotN", 'show controllers' => "ShowContAll", 'show controllers cbus' => "ShowContCbus", 'show 
diagbus' => "ShowDiagbus", 'show diag' => "ShowDiag", 'show module' => "ShowModule", # cat 6500-ios 'show spe version' => "ShowSpeVersion", 'show c7200' => "ShowC7200", 'show vtp status' => "ShowVTP", 'show vlan' => "ShowVLAN", 'show running-config' => "WriteTerm", 'write term' => "WriteTerm" ); # keys() doesnt return things in the order entered and the order of the # cmds is important (show version first and write term last). pita @commands=( "show version", "show redundancy secondary", "show idprom backplane", "show install active", "show env all", "show rsp chassis-info", "show gsr chassis", "show boot", "show bootvar", "show variables boot", "show flash", "dir /all nvram:", "dir /all bootflash:", "dir /all slot0:", "dir /all disk0:", "dir /all slot1:", "dir /all disk1:", "dir /all slot2:", "dir /all disk2:", "dir /all sup-bootflash:", "dir /all sup-microcode:", "dir /all slavenvram:", "dir /all slavebootflash:", "dir /all slaveslot0:", "dir /all slavedisk0:", "dir /all slaveslot1:", "dir /all slavedisk1:", "dir /all slaveslot2:", "dir /all slavedisk2:", "dir /all slavesup-bootflash:", "dir /all sec-nvram:", "dir /all sec-bootflash:", "dir /all sec-slot0:", "dir /all sec-disk0:", "dir /all sec-slot1:", "dir /all sec-disk1:", "dir /all sec-slot2:", "dir /all sec-disk2:", "show controllers", "show controllers cbus", "show diagbus", "show diag", "show module", "show spe version", "show c7200", "show vtp status", "show vlan", "show running-config", "write term" ); $cisco_cmds=join(";", at commands); $cmds_regexp=join("|", at commands); open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n"; select(OUTPUT); # make OUTPUT unbuffered if debugging if ($debug) { $| = 1; } if ($file) { print STDERR "opening file $host\n" if ($debug); print STDOUT "opening file $host\n" if ($log); open(INPUT,"<$host") || die "open failed for $host: $!\n"; } else { print STDERR "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug); print STDOUT "executing 
clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log); if (defined($ENV{NOPIPE})) { system "clogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "clogin failed for $host: $!\n"; open(INPUT, "< $host.raw") || die "clogin failed for $host: $!\n"; } else { open(INPUT,"clogin -t $timeo -c \"$cisco_cmds\" $host ) { tr/\015//d; if (/[>#]\s?exit$/) { $clean_run=1; last; } if (/^Error:/) { print STDOUT ("$host clogin error: $_"); print STDERR ("$host clogin error: $_") if ($debug); $clean_run=0; last; } while (/#\s*($cmds_regexp)\s*$/) { $cmd = $1; if (!defined($prompt)) { $prompt = ($_ =~ /^([^#]+#)/)[0]; $prompt =~ s/([][}{)(\\])/\\$1/g; print STDERR ("PROMPT MATCH: $prompt\n") if ($debug); } print STDERR ("HIT COMMAND:$_") if ($debug); if (! defined($commands{$cmd})) { print STDERR "$host: found unexpected command - \"$cmd\"\n"; $clean_run = 0; last TOP; } $rval = &{$commands{$cmd}}; delete($commands{$cmd}); if ($rval == -1) { $clean_run = 0; last TOP; } } } print STDOUT "Done $logincmd: $_\n" if ($log); # Flush History ProcessHistory("","","",""); # Cleanup close(INPUT); close(OUTPUT); if (defined($ENV{NOPIPE})) { unlink("$host.raw") if (! $debug); } # check for completeness if (scalar(%commands) || !$clean_run || !$found_end) { if (scalar(%commands)) { printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands))); printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug); } if (!$clean_run || !$found_end) { print STDOUT "$host: End of run not found\n"; print STDERR "$host: End of run not found\n" if ($debug); system("/usr/bin/tail -1 $host.new"); } unlink "$host.new" if (! $debug); } From heas at shrubbery.net Mon Jan 12 03:52:23 2004 
From: heas at shrubbery.net (john heasley)
Date: Sun, 11 Jan 2004 19:52:23 -0800
Subject: Rancid 2.3 RC1
Message-ID: <20040112035223.GI23852@shrubbery.net>

Hello Rancid users,

It has been quite some time since the release of 2.2.2. 2.3 is very close. We have a few more small bits on the to-do list before release. However, 2.3 represents some rather large changes and some new additions that we can not test ourselves. So, we thought that we'd make a RC1 (Release Candidate 1) of 2.3 available, in hopes that these changes would get some exposure.

The most significant change is rancid's adaptation to the FHS (File Hierarchy Std). Some folks attempting to package rancid were pestering us for this and about a few of our file names that conflicted with existing packages. We agreed that it'd be a win in the long run, making it easier to package for the likes of NetBSD, FreeBSD, Linux, etc. So, if you choose to test drive, you'll notice that there are now etc and share/rancid directories beneath /usr/local/rancid (configure's --prefix option). A simple list of user-visible changes:

bin/env has moved and been renamed etc/rancid.conf
bin/create_cvs has been renamed rancid-cvs
bin/do-diffs has been renamed rancid-run
util/lg/lg.conf has moved to etc/lg.conf
util/lg/lg*.cgi have moved to bin/

Also, if a user chose to use /usr as their --prefix, then the rancid CVS repository and logs dir would have been placed under /usr. We have made this dependent upon configure's --localstatedir, which defaults to /var. We agree that this seems like a fairly stupid place for it, while /var/rancid is far more logical, but it follows the standard and is configurable. For example, if you wished to maintain the existing directory locations of your logs dir and CVS repository, ie: /usr/local/rancid/, then configure like so:

./configure --localstatedir=/usr/local/rancid

Remember ...for the common good... and please don't complain to us.
Please please please read the file UPGRADING, which includes valuable instructions on how to move your cvs trees, if you choose to relocate them, and many other bits of trivia.

RC1 has seen some testing. The looking glass has not been tested much. The following changes need more exposure or have not been tested by us.

*login: handle TCL meta characters in passwords (etc)
rancid: add show spe version and parse FRU show diag output
jrancid: collect show chassis alarms
rancid: skip show vlan for (3550|4500|7600) - from Andrew Fort
rancid: show diag updates for 1700, 3700, etc - help from Michael Haba
add Cisco CSS support - from Wedge Martin
*login: add cloginrc sshcmd directive - idea from steve neighorn
support for hitachi routers - from Mohacsi Janos
Riverstone/Enterasys updates from Andrew Fort
nlogin: Fix prompt groveling when running a cluster - from D. Pfleger
nrancid: filter "set admin user" - from D. Pfleger

For those not afraid to get dirty;
ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.rc1.tar.gz

Cheers.

From geecla at mail.nih.gov Mon Jan 12 14:07:36 2004
From: geecla at mail.nih.gov (Gee-clough, Aaron (NIH/CIT))
Date: Mon, 12 Jan 2004 09:07:36 -0500
Subject: Cloginvs dollar signs
Message-ID: <64BC9A2B18FC5843BA0DE93548F745F3236F4CAA@nihexchange3.nih.gov>

Hmmm...I took that script, named it clogin.new, and ran it with this in the cloginrc:

add user lab-*.nih.gov te$t
add userpassword lab-*.nih.gov te$tpass

The result:

[rancid at lithium rancid]$ clogin.new lab-pix.nih.gov
Error: can't read "t": no such variable

Is there something else I should change to handle the new script?

Thanks.
Aaron

-----Original Message-----
From: 'john heasley' [mailto:heas at shrubbery.net]
Sent: Friday, January 09, 2004 9:41 PM
To: Gee-clough, Aaron (NIH/CIT)
Cc: 'john heasley'; 'rancid-discuss at shrubbery.net'
Subject: Re: Cloginvs dollar signs

Tue, Dec 30, 2003 at 11:13:26AM -0500, Gee-clough, Aaron (NIH/CIT):
> > please provide an example of your .cloginrc entry. afaik,
> > what you've tried should have worked.

I think that I have this one nailed. I believe that what happens is proc find() actually returns a list. because one of the values, your password, contains a meta-character ($), tcl decides that it should protect us by deferring (or is it protecting) the eval/expansion of what would be a variable (ie: $net). That may not be exactly correct, but...

join()'ing the value seems to fix this; Which i've wrapped around all the find() calls which return a string that may include a meta-character or a non-integer. That is, "password" and "user", but not "autoenable" or "method".

Please try ftp://ftp.shrubbery.net/outgoing/clogin.in

[ i happened across this while googling for answers...

After a duel with TCL, I return triumphant (but seriously injured; I took a blow to the head that may never heal...).
- Daniel Jacobowitz ]

From asp at partan.com Mon Jan 12 14:45:04 2004
From: asp at partan.com (Andrew Partan)
Date: Mon, 12 Jan 2004 09:45:04 -0500
Subject: Cloginvs dollar signs
In-Reply-To: <64BC9A2B18FC5843BA0DE93548F745F3236F4CAA@nihexchange3.nih.gov>
References: <64BC9A2B18FC5843BA0DE93548F745F3236F4CAA@nihexchange3.nih.gov>
Message-ID: <20040112144504.GA3892@partan.com>

On Mon, Jan 12, 2004 at 09:07:36AM -0500, Gee-clough, Aaron (NIH/CIT) wrote:
> Hmmm...I took that script, named it clogin.new, and ran it with this in the
> cloginrc:
> add user lab-*.nih.gov te$t
> add userpassword lab-*.nih.gov te$tpass

Make sure these are inside of {}:

add user lab-*.nih.gov {te$t}
add userpassword lab-*.nih.gov {te$tpass}

> The result:
> [rancid at lithium rancid]$ clogin.new lab-pix.nih.gov
> Error: can't read "t": no such variable

Can you give it a shot again with the {}?
	--asp

From geecla at mail.nih.gov Mon Jan 12 14:56:02 2004
From: geecla at mail.nih.gov (Gee-clough, Aaron (NIH/CIT))
Date: Mon, 12 Jan 2004 09:56:02 -0500
Subject: Cloginvs dollar signs
Message-ID: <64BC9A2B18FC5843BA0DE93548F745F3236F4CAC@nihexchange3.nih.gov>

That looks like it worked. Very cool. Thanks. So, will it break anything if I put all usernames/passwords within braces, just to keep this from biting me again?

Thanks again.
Aaron

From heas at shrubbery.net Mon Jan 12 15:40:27 2004
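The failure in this thread is a Tcl quoting problem: an unbraced `.cloginrc` value containing `$`, `[`, `]`, `\` or `;` is substituted before clogin ever sees it. The following lint, an added example written for this page in Python and not part of rancid, walks an `.cloginrc` and reports every unbraced value that Tcl would mangle, plus every credential value that is not braced at all. The sample `.cloginrc` is constructed (it reuses the two entries from the post above); the directive names it treats as credentials (`user`, `userpassword`, `password`) and the brace-splitting helper are this example's own assumptions.

```python
# Constructed .cloginrc fragment (sample data, not a real file): the two
# unbraced entries from the thread above, a braced entry, one unbraced
# credential without metacharacters, and two non-credential directives.
SAMPLE_CLOGINRC = """\
# rancid login data
add user lab-*.nih.gov te$t
add userpassword lab-*.nih.gov te$tpass
add password cat55 {rancidpassword} {en[able]pw}
add password rtr1 plainpw
add method rtr1 ssh
add autoenable cat55 1
"""

# Characters Tcl interprets inside an unbraced word.
TCL_META = set('$[]\\;"{}')
# Directives whose values are credentials and so should always be braced
# (assumed set; the BCP the thread settles on is "always brace").
CREDENTIAL_DIRECTIVES = {"user", "userpassword", "password"}


def tcl_words(s):
    """Split the value part of an 'add' line into (word, braced) pairs,
    honouring nested braces the way Tcl does."""
    words, i = [], 0
    while i < len(s):
        if s[i].isspace():
            i += 1
        elif s[i] == "{":
            depth, j = 0, i
            while j < len(s):
                depth += {"{": 1, "}": -1}.get(s[j], 0)
                if depth == 0:
                    break
                j += 1
            words.append((s[i:j + 1], True))
            i = j + 1
        else:
            j = i
            while j < len(s) and not s[j].isspace():
                j += 1
            words.append((s[i:j], False))
            i = j
    return words


def lint_cloginrc(text):
    """Return (lineno, directive, host, problem) for every value that Tcl
    would substitute into, or that the braces-always rule says to brace."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] != "add":
            continue            # comments, blanks, lines without a value
        _, directive, host, rest = parts
        for word, braced in tcl_words(rest):
            if braced:
                continue
            meta = "".join(sorted(set(word) & TCL_META))
            if meta:
                findings.append((lineno, directive, host,
                                 f"unbraced value contains Tcl metacharacter(s) {meta}"))
            elif directive in CREDENTIAL_DIRECTIVES:
                findings.append((lineno, directive, host,
                                 "credential not enclosed in braces"))
    return findings


if __name__ == "__main__":
    for lineno, directive, host, problem in lint_cloginrc(SAMPLE_CLOGINRC):
        print(f".cloginrc:{lineno}: add {directive} {host}: {problem}")
```

Run against the sample it flags lines 2 and 3 (the `$` in `te$t` and `te$tpass`) and line 5 (a plain but unbraced password); the braced entries and the `method`/`autoenable` lines pass.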
From: heas at shrubbery.net (john heasley)
Date: Mon, 12 Jan 2004 07:40:27 -0800
Subject: Cloginvs dollar signs
In-Reply-To: <64BC9A2B18FC5843BA0DE93548F745F3236F4CAC@nihexchange3.nih.gov>
References: <64BC9A2B18FC5843BA0DE93548F745F3236F4CAC@nihexchange3.nih.gov>
Message-ID: <20040112154027.GJ23852@shrubbery.net>

Mon, Jan 12, 2004 at 09:56:02AM -0500, Gee-clough, Aaron (NIH/CIT):
> That looks like it worked. Very cool. Thanks. So, will it break anything
> if I put all usernames/passwords within braces, just to keep this from
> biting me again?

It should not. I have added verbiage to cloginrc(5) indicating that it should be considered BCP to _always_ enclose the values in braces.

Thanks.

From a.voropay at vmb-service.ru Mon Jan 12 07:43:01 2004
From: a.voropay at vmb-service.ru (Alexander Voropay)
Date: Mon, 12 Jan 2004 10:43:01 +0300
Subject: vcware and modemware Versions on AS5300
In-Reply-To:
Message-ID: <003e01c3d8df$b47837f0$1701a8c0@ALEC>

Hi!

These commands are AS5200/AS5300/AS5400 specific, so it seems, rancid should recognize these ciscos as "access server" not "router" in

sub ShowVersion {
...
    } elsif ( $proc =~ /AS5300/) {
        $type = "AS5300";
        $device = "access server";
...

--
-=AV=-

-----Original Message-----
From: Yuval Ben-Ari [mailto:yuvalba at netvision.net.il]
Sent: Friday, January 09, 2004 6:48 PM
To: a.voropay at vmb-service.ru; rancid-discuss at shrubbery.net
Subject: RE: vcware and modemware Versions on AS5300

show modem version seems too long, you might want to monitor "show spe version"
this routine will do it:

sub ShowSpeVersion {
    print STDERR "    In ShowSpeVersion: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        return(1) if /^\s*\^\s*$/;
        return(1) if /(Invalid input detected|Type help or )/;
        return(-1) if (/command authorization failed/i);
        ProcessHistory("MODEM","","","!Modem: $_") && next;
    }
    ProcessHistory("MODEM","","","!\n");
    return(0);
}

also need to add the commands to trigger it in the right place:

    'show spe version'          => "ShowSpeVersion",

    'show spe version',

> -----Original Message-----
> From: owner-rancid-discuss at shrubbery.net
> [mailto:owner-rancid-discuss at shrubbery.net] On Behalf Of
> Alexander Voropay
> Sent: Friday, January 09, 2004 12:49
> To: rancid-discuss at shrubbery.net
> Subject: vcware and modemware Versions on AS5300
>
>
> Hi!
>
> Does anyone have an idea how to add a monitoring of
> vcware and modemware versions on CISCOs AS5300 ?
>
>
> Gate#show vfc 1 version dspware
> Version of Dspware in VFC slot 1 is 3.6.15L
>
> Gate#show vfc 1 version vcware
>
> Voice Feature Card in Slot 1:
> VCware Version     : 9.19
> ROM Monitor Version: 1.3
> DSPware Version    : 3.6.15L
> Technology         : C549
>
> Caller#show modem version
>
> Codes:
> d - DSP software download is required for achieving K56flex
> connections
>
>      Modem module  Firmware  Boot  DSP
> Mdm  Number        Rev       Rev   Rev
> 2/0  0             2.9.4.0
> 2/1  0             2.9.4.0
> 2/2  0             2.9.4.0
> 2/3  0             2.9.4.0
> 2/4  0             2.9.4.0
> 2/5  0             2.9.4.0
> 2/6  0             2.9.4.0
> 2/7  0             2.9.4.0
> 2/8  0             2.9.4.0
> 2/9  0             2.9.4.0
> ...
>
>
> --
> -=AV=-
>
>

From asp at partan.com Mon Jan 12 17:50:30 2004
From: asp at partan.com (Andrew Partan)
Date: Mon, 12 Jan 2004 12:50:30 -0500
Subject: vcware and modemware Versions on AS5300
In-Reply-To: <003e01c3d8df$b47837f0$1701a8c0@ALEC>
References: <003e01c3d8df$b47837f0$1701a8c0@ALEC>
Message-ID: <20040112175030.GC16383@partan.com>

On Mon, Jan 12, 2004 at 10:43:01AM +0300, Alexander Voropay wrote:
> This commands are AS5200/AS5300/AS5400 specific, so it seems,
> rancid should recognize this ciscos as "access server" not "router" in

rancid splits ciscos into 'routers' and 'switches'. There is nothing else that is an access server.
	--asp

From Brent_Gardner at icgcomm.com Mon Jan 12 22:07:08 2004
From: Brent_Gardner at icgcomm.com (Gardner, Brent)
Date: Mon, 12 Jan 2004 15:07:08 -0700
Subject: Restore Configurations Through CVSWeb
Message-ID: <8055B5FEF64BCF4F944A4D031D194056076B6619@denexg20.icgcomm.com>

Has anyone come up with a way to restore a configuration through the CVSweb interface? I would like Rancid to checkout a configuration and copy it to a ftp or tftp server. Then have it log into the router and upload the configuration. Any ideas?

Thanks,

Brent Gardner

From heas at shrubbery.net Tue Jan 13 00:58:18 2004
From: heas at shrubbery.net (john heasley)
Date: Mon, 12 Jan 2004 16:58:18 -0800
Subject: Restore Configurations Through CVSWeb
In-Reply-To: <8055B5FEF64BCF4F944A4D031D194056076B6619@denexg20.icgcomm.com>
References: <8055B5FEF64BCF4F944A4D031D194056076B6619@denexg20.icgcomm.com>
Message-ID: <20040113005818.GE4652@shrubbery.net>

Mon, Jan 12, 2004 at 03:07:08PM -0700, Gardner, Brent:
>
> Has anyone come up with a way to restore a configuration through the CVSweb
> interface? I would like Rancid to checkout a configuration and copy it to a
> ftp or tftp server. Then have it log into the router and upload the
> configuration. Any ideas?
>
> Thanks,
>
> Brent Gardner

Between the looking glass s/w and the cisco-load.exp sample that come with rancid, you could probably hack this up rather easily. Sounds rather risky though.

From afort at choqolat.org Tue Jan 13 04:13:14 2004
From: afort at choqolat.org (Andrew Fort)
Date: Tue, 13 Jan 2004 15:13:14 +1100
Subject: Rancid 2.3 RC1
In-Reply-To: <20040112035223.GI23852@shrubbery.net>
References: <20040112035223.GI23852@shrubbery.net>
Message-ID: <4003705A.5020504@choqolat.org>

On 12/01/2004 2:52 PM, john heasley wrote:

[i have some brief notes about the patches i submitted]

>Hello Rancid users,
> It has been quite some time since the release of 2.2.2. 2.3
>is very close. We have a few more small bits on the to-do list before
>release.
>
> RC1 has seen some testing. The looking glass has not been tested
>much. The following changes need more exposure or have not been tested by us.
>
> rancid: skip show vlan for (3550|4500|7600) - from Andrew Fort
>

This is because the VLANs should be in your main ('running') configuration on these platforms if you're using any recent release and "vtp mode transparent" is in your master config along with "spanning-tree extend system-id" as opposed to stored solely in vlan.dat - that is, if you're using "extended range VLAN support" as cisco call it (all 12-bits of 802.1q VLAN ID tag supported). If you don't have this enabled, you should comment out the line of code in subroutine ShowVLAN that reads:

    return(1) if ($type =~ /^(3550|4500|7600)$/);

> Riverstone/Enterasys updates from Andrew Fort
>

This is a replacement of the existing Riverstone login program (which worked poorly at my site and some others on various different expect/OS combinations) and may break your logins due to added functionality (we handle RADIUS failures and so on now). So, changes to your .cloginrc are required. Please read the end of the cloginrc example file in the distribution for an example of where your initial login pass, enable pass (aka last resort) and TAC+/RADIUS username and password goes for one of these babies. For those who tested this code privately, you shall need to make those changes - sorry for the wasted electrons.
-afort

From yuvalba at netvision.net.il Tue Jan 13 12:10:57 2004
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Tue, 13 Jan 2004 14:10:57 +0200
Subject: CatOS session log message during rancid operation
Message-ID:

Hi,
not sure if this was discussed before.
Once in a while I get such diffs from our Catalyst5500's (CatOS):

@@ -522,8 +522,9 @@
 set spantree portfast 3/1-24 enable
 !
 #module 4 : 24-port 10/100BaseTX Ethernet
 set vlan 103 4/22-23
+ 2004 Jan 13 13:32:03 IDT +03:00 %PAGP-5-PORTTOSTP:Port 8/19 joined bridge port 8/19

this happens because by default logging session is enabled.
it needs to be disabled per session with "set logging session disable"
not sure where is the best place to add it, thought you can advise ....

Yuval

From a.voropay at vmb-service.ru Tue Jan 13 13:17:05 2004
From: a.voropay at vmb-service.ru (Alexander Voropay)
Date: Tue, 13 Jan 2004 16:17:05 +0300
Subject: oscillating config
Message-ID: <00bd01c3d9d7$8a409470$1701a8c0@ALEC>

Hi!

...It seems, this is software defect of CISCO IOS 12.2.19 AS5300

RANCID logs config diff ~~ in every 2..3 hours.

@@ -365,7 +365,7 @@ interface Dialer7
...
- fair-queue 64 16 0
+ fair-queue

@@ -365,7 +365,7 @@ interface Dialer7
...
- fair-queue
+ fair-queue 64 16 0

Is there any way to prevent this ?

--
-=AV=-

From arnold at nipper.de Tue Jan 13 13:41:49 2004
From: arnold at nipper.de (Arnold Nipper)
Date: Tue, 13 Jan 2004 14:41:49 +0100
Subject: CatOS session log message during rancid operation
In-Reply-To:
References:
Message-ID: <4003F59D.8080903@nipper.de>

On 13.01.2004 13:10 Yuval Ben-Ari wrote:

> Once in a while I get such diffs from our Catalyst5500's (CatOS):
>
> @@ -522,8 +522,9 @@
> set spantree portfast 3/1-24 enable
> !
> #module 4 : 24-port 10/100BaseTX Ethernet
> set vlan 103 4/22-23
> + 2004 Jan 13 13:32:03 IDT +03:00 %PAGP-5-PORTTOSTP:Port 8/19 joined
> bridge port 8/19
>
>
> this happens because by default logging session is enabled.
> it needs to be disabled per session with "set logging session disable"
> not sure where is the best place to add it, thought you can advise ....

The recommendation is to disable logging on telnet as well as on console (see http://www.cisco.com/en/US/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml for a comprehensive description)

HTH,
Arnold

From yuvalba at netvision.net.il Tue Jan 13 15:01:37 2004
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Tue, 13 Jan 2004 17:01:37 +0200
Subject: CatOS session log message during rancid operation
Message-ID:

As I said it can only be disabled per session, on next login it is enabled again.
Do you know a way to permanently disable session logging ?

From arnold at nipper.de Tue Jan 13 15:18:44 2004
From: arnold at nipper.de (Arnold Nipper)
Date: Tue, 13 Jan 2004 16:18:44 +0100
Subject: CatOS session log message during rancid operation
In-Reply-To:
References:
Message-ID: <40040C54.5000809@nipper.de>

On 13.01.2004 16:01 Yuval Ben-Ari wrote:

> As I said it can only be disabled per session, on next login it is
> enabled again.
> Do you know a way to permanently disable session logging ?

set logging telnet disable

should do,

Arnold

From yuvalba at netvision.net.il Tue Jan 13 17:45:40 2004
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Tue, 13 Jan 2004 19:45:40 +0200
Subject: CatOS session log message during rancid operation
Message-ID:

no such command.
the command "set logging session disable" works but for that session only.
CatOS is 5.5(19)
Was just wondering where is the correct place to add this command.

Yuval

From terry at tmk.com Tue Jan 13 17:52:10 2004
From: terry at tmk.com (Terry Kennedy)
Date: Tue, 13 Jan 2004 12:52:10 -0500 (EST)
Subject: CatOS session log message during rancid operation
In-Reply-To: "Your message dated Tue, 13 Jan 2004 19:45:40 +0200"
Message-ID: <01L5CN56HLVS000LJC@tmk.com>

> no such command.
> the command "set logging session disable" works but for that session
> only.
> CatOS is 5.5(19)
> Was just wondering where is the correct place to add this command.

This is in RANCID 2.2.2 already - look near the bottom of clogin for:

    } elseif { $do_script } {
        # If the prompt is (enable), then we are on a switch and the
        # command is "set length 0"; otherwise its "term length 0".
        if [ regexp -- ".*> .*enable" "$prompt" ] {
            send "set length 0\r"
            send "set logging session disable\r"
        } else {
            send "term length 0\r"
        }

did this code go missing in more recent versions?

        Terry Kennedy             http://www.tmk.com
        terry at tmk.com             New York, NY USA

From asp at partan.com Tue Jan 13 22:16:15 2004
From: asp at partan.com (Andrew Partan)
Date: Tue, 13 Jan 2004 17:16:15 -0500
Subject: CatOS session log message during rancid operation
In-Reply-To: <01L5CN56HLVS000LJC@tmk.com>
References: <01L5CN56HLVS000LJC@tmk.com>
Message-ID: <20040113221615.GA51011@partan.com>

On Tue, Jan 13, 2004 at 12:52:10PM -0500, Terry Kennedy wrote:
> This is in RANCID 2.2.2 already - look near the bottom of clogin for:
>
>     } elseif { $do_script } {
>         # If the prompt is (enable), then we are on a switch and the
>         # command is "set length 0"; otherwise its "term length 0".
>         if [ regexp -- ".*> .*enable" "$prompt" ] {
>             send "set length 0\r"
>             send "set logging session disable\r"
>         } else {
>             send "term length 0\r"
>         }
>
> did this code go missing in more recent versions?

Nope; it's still there.
	--asp

From yuvalba at netvision.net.il Tue Jan 13 22:24:30 2004
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Wed, 14 Jan 2004 00:24:30 +0200
Subject: CatOS session log message during rancid operation
Message-ID:

you're right, I have this line, and yet get session logs slip into rancid diffs sometimes.
I will try to debug it further .....

Thanks,

From heas at shrubbery.net Tue Jan 13 23:00:27 2004
From: heas at shrubbery.net (john heasley)
Date: Tue, 13 Jan 2004 15:00:27 -0800
Subject: oscillating config
In-Reply-To: <00bd01c3d9d7$8a409470$1701a8c0@ALEC>
References: <00bd01c3d9d7$8a409470$1701a8c0@ALEC>
Message-ID: <20040113230027.GH10293@shrubbery.net>

Tue, Jan 13, 2004 at 04:17:05PM +0300, Alexander Voropay:
> Hi!
>
> ...It seems, this is software defect of CISCO IOS 12.2.19 AS5300
>
> RANCID logs config diff ~~ in every 2..3 hours.
>
>
> @@ -365,7 +365,7 @@ interface Dialer7
> ...
> - fair-queue 64 16 0
> + fair-queue
>
> @@ -365,7 +365,7 @@ interface Dialer7
> ...
> - fair-queue
> + fair-queue 64 16 0
>
>
> Is there any way to prevent this ?

only w/ a hack or upgrading to some IOS that doesn't do that, at the moment. something like

    /^ fair-queue/ && next;

added to the WriteTerm function after the first set of matches ought to do it.

From yuvalba at netvision.net.il Wed Jan 14 15:10:54 2004
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Wed, 14 Jan 2004 17:10:54 +0200
Subject: vcware and modemware Versions on AS5300 *&* GSR FRU info
Message-ID:

looks ok after a quick check
Thanks

From a.voropay at vmb-service.ru Thu Jan 15 11:59:00 2004
From: a.voropay at vmb-service.ru (Alexander Voropay)
Date: Thu, 15 Jan 2004 14:59:00 +0300
Subject: RANCID RPM 2.3rc1 alpha
Message-ID: <020801c3db5e$f683fe00$1701a8c0@ALEC>

Hi!

http://monitor.vmb-service.ru/~alec/rancid-2.3.rc1-2.src.rpm

RANCID RPM, alpha
Bug reports, suggestions e.t.c. are welcomed.

--
-=AV=-

From a.voropay at vmb-service.ru Fri Jan 16 10:43:01 2004
From: a.voropay at vmb-service.ru (Alexander Voropay)
Date: Fri, 16 Jan 2004 13:43:01 +0300
Subject: oscillating config
In-Reply-To: <20040113230027.GH10293@shrubbery.net>
Message-ID: <028801c3dc1d$83a02a20$1701a8c0@ALEC>

john heasley wrote:

>> ...It seems, this is software defect of CISCO IOS 12.2.19 AS5300
>> RANCID logs config diff ~~ in every 2..3 hours.
>> @@ -365,7 +365,7 @@ interface Dialer7
>> ...
>> - fair-queue 64 16 0
>> + fair-queue

>only w/ a hack or upgrading to some IOS that doesn't do that, at the moment. something like
>
>     /^ fair-queue/ && next;
>
>added to the WriteTerm function after the first set of matches ought to do it.

The "fair-queue 64 16 0" is a default CISCO setting. I did "fair-queue 65 16 0" (non-default), it works without oscillation now...

--
-=AV=-

From steve at smiller.org Tue Jan 13 02:47:58 2004
From: steve at smiller.org (Stephen Miller)
Date: Mon, 12 Jan 2004 19:47:58 -0700
Subject: using config templates with rancid
Message-ID: <20040113024452.M13382@smiller.org>

i want to not only diff current configs from previous configs but also diff current configs against standard config templates. to ensure that certain config sections stay within network standards...ie. acl's for vty access, snmp communities, etc...

anyone ideas on how to get rancid to do this?

steve

From asp at partan.com Sat Jan 17 19:15:12 2004
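Three of the threads above are really one problem: what rancid stores must be normalised before it is diffed and committed. The WriteTerm filters posted earlier comment out tacacs/radius keys, SNMP communities and the NTP md5 key so secrets never land in CVS; the CatOS thread shows a syslog line leaking into the collected config; and the fair-queue thread shows IOS flapping between "fair-queue" and its defaulted "fair-queue 64 16 0". The block below is an added example written for this page in Python, not rancid's Perl and not code from the project; it applies all three normalisations to a constructed capture. It generalises the posted filters slightly (any host token after "snmp-server host", not only dotted IPv4) and assumes, as the fair-queue thread states, that "64 16 0" is the default and the two spellings are equivalent. The `<removed>` marker and the FILTER_PWDS/NOCOMMSTR switches mirror rancid's; everything else is the example's own.

```python
import re

# Constructed sample of a raw collection from a CatOS/IOS device (sample
# data, not a real capture): config lines carrying secrets, one syslog line
# that session logging let slip into the output, and the fair-queue line
# that the thread above reports flapping between two spellings.
SAMPLE_CAPTURE = """\
set vlan 103 4/22-23
2004 Jan 13 13:32:03 IDT +03:00 %PAGP-5-PORTTOSTP:Port 8/19 joined bridge port 8/19
tacacs-server key s3cr3t-tac
radius-server host 10.0.0.5 key s3cr3t-rad
snmp-server community c0mmun1ty RO 10
snmp-server host 10.0.0.9 version 2c c0mmun1ty
ntp authentication-key 1 md5 0123456789abcdef 7
interface Dialer7
 fair-queue 64 16 0
end
"""

REMOVED = "<removed>"   # marker rancid leaves where a secret was

# A syslog line interleaved with config output: a timestamp (digits or the
# IOS '*' marker first) followed by %FACILITY-SEVERITY-MNEMONIC:.  Config
# lines never start with a digit or '*', so this does not touch them.
SYSLOG_RE = re.compile(r"^(?:[\d*].*?\s)?%[A-Z][A-Z0-9_]*-\d-[A-Z0-9_]+:")

# Secrets that follow a fixed prefix; the prefix is kept and the rest is
# replaced, mirroring rancid's tacacs/radius/ntp filters.
PREFIX_SECRET_RES = [
    re.compile(r"^((?:tacacs-server|radius-server) key) .*$"),
    re.compile(r"^((?:tacacs-server|radius-server) host \S+ key) .*$"),
    re.compile(r"^(ntp authentication-key \d+ md5) .*$"),
]
SNMP_COMMUNITY_RE = re.compile(r"^(snmp-server community) \S+(.*)$")
SNMP_HOST_RE = re.compile(r"^snmp-server host (\S+) (.*)$")
# "64 16 0" is the fair-queue default the thread reports as oscillating;
# the defaulted spelling is normalised to the bare keyword (assumption).
FAIR_QUEUE_DEFAULT_RE = re.compile(r"^(\s*fair-queue) 64 16 0$")


def redact_snmp_host(line):
    """Walk the tokens after the host like rancid does: 'version X' and
    informs/traps/auth/noauth are kept, the first other token is the
    community string, and the whole line is commented out from there."""
    m = SNMP_HOST_RE.match(line)
    if not m:
        return line
    host, rest = m.groups()
    kept = ["snmp-server host", host]
    tokens = rest.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "version" and i + 1 < len(tokens):
            kept += [tok, tokens[i + 1]]
            i += 2
        elif re.fullmatch(r"informs?|traps?|(?:no)?auth", tok):
            kept.append(tok)
            i += 1
        else:
            return "!" + " ".join(kept + [REMOVED] + tokens[i + 1:])
    return " ".join(kept)


def normalize_line(line, filter_pwds=True, nocommstr=True):
    """Return the line to store, or None to drop it (syslog noise)."""
    if SYSLOG_RE.match(line):
        return None
    if filter_pwds:
        for pat in PREFIX_SECRET_RES:
            m = pat.match(line)
            if m:
                return "!" + m.group(1) + " " + REMOVED
    if nocommstr:
        m = SNMP_COMMUNITY_RE.match(line)
        if m:
            return "!" + m.group(1) + " " + REMOVED + m.group(2)
        if SNMP_HOST_RE.match(line):
            return redact_snmp_host(line)
    return FAIR_QUEUE_DEFAULT_RE.sub(r"\1", line)


def normalize(text, filter_pwds=True, nocommstr=True):
    """Normalise a whole capture; returns the list of lines to commit."""
    out = []
    for line in text.splitlines():
        kept = normalize_line(line, filter_pwds, nocommstr)
        if kept is not None:
            out.append(kept)
    return out


if __name__ == "__main__":
    print("\n".join(normalize(SAMPLE_CAPTURE)))
```

On the sample, the %PAGP line disappears, every secret is replaced by `<removed>` on a commented-out line so the diff still shows that the statement exists, and the fair-queue line settles on one spelling so it stops producing a diff every run. Passing `filter_pwds=False` keeps the keys, which is the behaviour a site gets when FILTER_PWDS is turned off.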
From: asp at partan.com (Andrew Partan)
Date: Sat, 17 Jan 2004 14:15:12 -0500
Subject: using config templates with rancid
In-Reply-To: <20040113024452.M13382@smiller.org>
References: <20040113024452.M13382@smiller.org>
Message-ID: <20040117191512.GA89663@partan.com>

On Mon, Jan 12, 2004 at 07:47:58PM -0700, Stephen Miller wrote:
> i want to not only diff current configs from previous configs but also diff
> current configs against standard config templates. to ensure that certain
> config sections stay within network standards...ie. acl's for vty access, snmp
> communities, etc...
>
> anyone ideas on how to get rancid to do this?

Write a post processor. Run rancid to fetch the current configs and then run a 2nd program that does diffs vs your standard (generated?) configs.
	--asp

From Rob_Evans at johnlewis.com Mon Jan 19 12:40:33 2004
From: Rob_Evans at johnlewis.com (Rob Evans)
Date: Mon, 19 Jan 2004 12:40:33 -0000
Subject: using config templates with rancid
Message-ID: <05E552EE3FE62B46974D70306287F85A5B7122@xgb193.corpeu.buy.com>

I always keep a current checked out read-only version of the configs which I then run extra diffs on via a batch script. The checked out version of the configs is updated each time after do-diffs is run. You could put an entry in crontab that looks something like this:

0 * * * * /usr/local/rancid/bin/do-diffs ; cd /configs ; /usr/local/bin/cvs -r -d /usr/local/rancid/CVS update >/dev/null 2>&1 ; /usr/bin/diff -U0 /configs/router1 /configs/router1.template | mailx -s diffs steve at smiller.org

I don't know much about CVS, but this works for me anyway.

Regards,
Rob

From erik at code.de Mon Jan 19 16:46:03 2004
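A plain `diff` against a template, as in the crontab above, reports every harmless local difference (hostnames, addresses, descriptions) alongside the ones that matter. The post-processor Andrew Partan suggests can instead check only the stanzas the standard cares about. The block below is an added example written for this page in Python, not part of rancid: it splits an IOS-style config into stanzas, then reports required child lines missing from each named stanza and top-level lines the standard forbids. The sample config and the policy values (`REQUIRED`, `FORBIDDEN`) are constructed for the example.

```python
import re

# Constructed sample config as rancid would have checked it in (sample
# data): the vty stanza lacks an access-class and still allows telnet, the
# console stanza is missing, and a well-known SNMP community is present.
SAMPLE_CONFIG = """\
version 12.2
hostname router1
!
snmp-server community public RO
!
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
!
end
"""

# The "standard": child lines each stanza must contain, and top-level
# lines that must not appear anywhere (both hypothetical policy values).
REQUIRED = {
    "line vty 0 4": {"access-class 10 in", "exec-timeout 5 0", "transport input ssh"},
    "line con 0": {"exec-timeout 5 0"},
}
FORBIDDEN = [
    re.compile(r"^snmp-server community (?:public|private)\b"),
    re.compile(r"^ip http server$"),
]


def parse_stanzas(text):
    """Split IOS-style config into (top_level_lines, {header: [children]}).
    A stanza is a top-level line followed by indented lines; a '!' line or
    a blank line ends it."""
    top, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if not raw[0].isspace():
            current = raw.rstrip()
            top.append(current)
            stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(raw.strip())
    return top, stanzas


def check_against_template(config_text, required, forbidden):
    """Return a list of human-readable deviations from the standard."""
    top, stanzas = parse_stanzas(config_text)
    findings = []
    for header, wanted in required.items():
        if header not in stanzas:
            findings.append(f"missing stanza: {header}")
            continue
        for line in sorted(wanted - set(stanzas[header])):
            findings.append(f"{header}: missing '{line}'")
    for line in top:
        for pat in forbidden:
            if pat.search(line):
                findings.append(f"forbidden: {line}")
    return findings


if __name__ == "__main__":
    for finding in check_against_template(SAMPLE_CONFIG, REQUIRED, FORBIDDEN):
        print(finding)
```

Run after rancid-run (or do-diffs) over the checked-out configs, this replaces the raw `diff -U0` in the crontab with a report that lists only policy deviations, so a compliant router with a different hostname produces no mail at all.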
From: erik at code.de (Erik Wenzel)
Date: Mon, 19 Jan 2004 17:46:03 +0100
Subject: integration of security enhancement patch
In-Reply-To: <20031222172045.GA17908@hendrix.code.de>
References: <20031222172045.GA17908@hendrix.code.de>
Message-ID: <20040119164603.GA4837@hendrix.code.de>

I implemented an option, configured in rancid.conf, which satisfies my security needs. This option is disabled by default.

--
erik at code.de
"I am not a Geek! I shower."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cisco-lower-privilege.patch.gz
Type: application/octet-stream
Size: 1515 bytes
Desc: not available
Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20040119/62be8eb7/attachment.obj

From ag at a.co.nz Mon Jan 19 08:55:55 2004
From: ag at a.co.nz (Alastair (Alex) Galloway)
Date: Mon, 19 Jan 2004 09:55:55 +0100 (CET)
Subject: using config templates with rancid
In-Reply-To:
Message-ID:

Andrew Partan writes:

> Run rancid to fetch the current configs and then run a 2nd program
> that does diffs vs your standard (generated?) configs.

Then all you need is a third program to go and beat the people who make uncommented/undocumented changes with a large stick :-)

Cheers,
Alastair

From rancid-andrew at andrew.net.au Wed Jan 21 23:33:59 2004
From: rancid-andrew at andrew.net.au (Andrew Pollock)
Date: Thu, 22 Jan 2004 09:33:59 +1000
Subject: RANCID's fantastic!
In-Reply-To: <3FD11F89.3090609@choqolat.org>
References: <20031205221714.GW26257@daedalus.andrew.net.au> <20031205142823.I14099@tweety.corp.gnac.com> <3FD11F89.3090609@choqolat.org>
Message-ID: <20040121233358.GA23665@daedalus.andrew.net.au>

On Sat, Dec 06, 2003 at 11:15:05AM +1100, Andrew Fort wrote:
>
> I'd definitely like to see this also, (not just for lab gear). There
> was a little discussion about this a few months back, you might check
> the archives to see what came of that.

(htdig seems busted, the archive files aren't particularly friendly)

Okay, I'm now having a serious play with RANCID, and I'd like to see it do the out of band stuff I mentioned a while ago (i.e. we have switches, they're not telnetable, but the console is accessible via SSH to a Cyclades console access server).

Can someone point me in the right direction as to what I'd have to modify to implement this?

regards

Andrew

From afort at choqolat.org Thu Jan 22 00:06:52 2004
From: afort at choqolat.org (Andrew Fort)
Date: Thu, 22 Jan 2004 11:06:52 +1100
Subject: RANCID's fantastic!
In-Reply-To: <20040121233358.GA23665@daedalus.andrew.net.au>
References: <20031205221714.GW26257@daedalus.andrew.net.au> <20031205142823.I14099@tweety.corp.gnac.com> <3FD11F89.3090609@choqolat.org> <20040121233358.GA23665@daedalus.andrew.net.au>
Message-ID: <400F141C.6050301@choqolat.org>

On 22/01/2004 10:33 AM, Andrew Pollock wrote:

>Okay, I'm now having a serious play with RANCID, and I'd like to see it do
>the out of band stuff I mentioned a while ago (i.e. we have switches,
>they're not telnetable, but the console is accessible via SSH to a Cyclades
>console access server).
>
>Can someone point me in the right direction as to what I'd have to modify to
>implement this?
>

Referring to Heas' previous reply to your post to the list, to add the 'loginscript' or 'connectscript' type of functionality, one would need to hack the *login scripts. You could start by hacking clogin (if cisco switches are your targets, obviously), modifying the procedure 'login'.

At first glance, you're probably wanting to source another expect script before the line

    # try each of the connection methods in $cmethod until one is successful
    set progs [llength $cmethod]

e.g.

    source $filename

With all the necessary expect business occurring in $filename to login to the cyclades up to such a point that you'd be typing "telnet hostname port" or similar to connect to the cisco. In theory you could use autoexpect to generate this script.

In addition, you'd need to flag to clogin that you're running a prelogin script, otherwise it would expect to be running 'spawn telnet hostname [args]' (or ssh, etc depending on your method flag), which obviously doesn't grok since you're already SSH'd in), and send the command instead of spawning the command. Then, you'd need to catch the prompt of the cyclades again to indicate to expect that you want to bail out of that loop.
The 'hostname' and 'port' values would come from your router.db and cloginrc values for those entries. In regards to the port values, you specify these in the cloginrc file as follows:

    add method sw1.popname {telnet:2001}

However if this doesn't work for you, try

    add method sw1.popname {telnet:-2001}

I'm happy to help in getting this working, or testing this (I have some terminal servers in my lab I'd like to get configs through, too), so feel free to contact me offline if you like.

-afort

From asp at partan.com Thu Jan 22 00:53:00 2004
From: asp at partan.com (Andrew Partan)
Date: Wed, 21 Jan 2004 19:53:00 -0500
Subject: RANCID's fantastic!
In-Reply-To: <400F141C.6050301@choqolat.org>
References: <20031205221714.GW26257@daedalus.andrew.net.au> <20031205142823.I14099@tweety.corp.gnac.com> <3FD11F89.3090609@choqolat.org> <20040121233358.GA23665@daedalus.andrew.net.au> <400F141C.6050301@choqolat.org>
Message-ID: <20040122005300.GA3991@partan.com>

On Thu, Jan 22, 2004 at 11:06:52AM +1100, Andrew Fort wrote:
> add method sw1.popname {telnet:2001}

With a small amount of hacking, rancid could support

    add method sw1.popname {ssh:2001}

as well, so you would be a step closer to sshing to some port on your terminal server to connect to some device's console.

[I recently turned telnet off in my console servers & started using ssh instead. Works nicely & one less use of telnet around here.]

Anyone want to try these changes to clogin to support sshing to a port?

--asp

--- clogin.in.orig Mon Jan 19 20:52:47 2004 +++ clogin.in Wed Jan 21 19:46:42 2004
@@ -306,8 +306,14 @@ send_user "\nError: telnet failed: $reason\n" exit 1 } - } elseif ![string compare $prog "ssh"] { - if [ catch {spawn $sshcmd -c $cyphertype -x -l $user $router} reason ] { + } elseif [string match "ssh*" $prog] { + regexp {ssh(:([^[:space:]]+))*} $prog command suffix port + if {"$port" == ""} { + set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user $router} reason ] + } else { + set retval [ catch {spawn $sshcmd -c $cyphertype -x -l $user -p $port $router} reason ] + } + if { $retval } { send_user "\nError: $sshcmd failed: $reason\n" exit 1 } From rancid-andrew at andrew.net.au Thu Jan 22 01:10:40 2004 
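Review bot: the new `regexp {ssh(:([^[:space:]]+))*} $prog command suffix port` in the ssh branch is unanchored and lets the `(:...)` group repeat, so `ssh:2001:2002` is accepted with `port` set to whatever the last repetition captured, and the preceding `[string match "ssh*" $prog]` passes any method name that merely starts with `ssh`; anchor the pattern (`^ssh(:([0-9]+))?$`) and reject a non-numeric `port` before it reaches `spawn $sshcmd ... -p $port $router`, since the value is taken verbatim from the `add method` line in .cloginrc. The two `spawn` lines differ only by `-p $port`; assembling the extra argument once (an empty list, `lappend`-ed with `-p $port` when a port was given) leaves a single spawn and a single place to maintain the ssh options. `if {"$port" == ""}` works, but `[string length $port] == 0` states the intent (an empty match) more plainly.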
From: rancid-andrew at andrew.net.au (Andrew Pollock)
Date: Thu, 22 Jan 2004 11:10:40 +1000
Subject: RANCID's fantastic!
In-Reply-To: <400F141C.6050301@choqolat.org>
References: <20031205221714.GW26257@daedalus.andrew.net.au> <20031205142823.I14099@tweety.corp.gnac.com> <3FD11F89.3090609@choqolat.org> <20040121233358.GA23665@daedalus.andrew.net.au> <400F141C.6050301@choqolat.org>
Message-ID: <20040122011040.GA26295@daedalus.andrew.net.au>

On Thu, Jan 22, 2004 at 11:06:52AM +1100, Andrew Fort wrote:
> On 22/01/2004 10:33 AM, Andrew Pollock wrote:
>
> > Okay, I'm now having a serious play with RANCID, and I'd like to see it do
> > the out of band stuff I mentioned a while ago (i.e. we have switches,
> > they're not telnetable, but the console is accessible via SSH to a Cyclades
> > console access server).
> >
> > Can someone point me in the right direction as to what I'd have to modify
> > to
> > implement this?
> >
>
> Referring to Heas' previous reply to your post to the list, to add the
> 'loginscript' or 'connectscript' type of functionality, one would need
> to hack the *login scripts.
>
> You could start by hacking clogin (if cisco switches are your targets,
> obviously), modifying the procedure 'login'. At first glance, you're
> probably wanting to source another expect script before the line

[snip]

Thanks for the very detailed pointer. That helps get me started.

The way I have our Cyclades setup is you can SSH to it thusly:

    ssh andrew:switch1 at mycyclades
or
    ssh -l andrew:switch1 mycyclades

and you'll land straight onto the console port in question. Obviously you need to send a ~. to get off again. So you don't spend any time on the console server itself.

Is it best to hack in a new method along the lines of "cas" and have a cas user and password in cloginrc?
Then the foreach loop of the login procedure would just do nothing if the method was cas, and I'd be conditionally sourcing another script prior to the foreach that handles connecting to the port if the method was cas. Then the rest of the login procedure should be able to cope from there. I guess I'd just have to handle disconnecting from the port then somewhere as well.

regards

Andrew

From afort at choqolat.org Thu Jan 22 11:39:03 2004
From: afort at choqolat.org (Andrew Fort)
Date: Thu, 22 Jan 2004 22:39:03 +1100
Subject: RANCID's fantastic!
In-Reply-To: <20040122011040.GA26295@daedalus.andrew.net.au>
References: <20031205221714.GW26257@daedalus.andrew.net.au> <20031205142823.I14099@tweety.corp.gnac.com> <3FD11F89.3090609@choqolat.org> <20040121233358.GA23665@daedalus.andrew.net.au> <400F141C.6050301@choqolat.org> <20040122011040.GA26295@daedalus.andrew.net.au>
Message-ID: <20040122113903.GA22411@ninja.choqolat.org>

* Andrew Pollock [2004-01-22 11:10:40 +1000]:
> [snip]
>
> Thanks for the very detailed pointer. That helps get me started.
>
> The way I have our Cyclades setup is you can SSH to it thusly:
>
> ssh andrew:switch1 at mycyclades
> or
> ssh -l andrew:switch1 mycyclades
>
> and you'll land straight onto the console port in question. Obviously you
> need to send a ~. to get off again. So you don't spend any time on the
> console server itself.

So this works now? (or perhaps with asp's patch he posted)?

    add username mycyclades {andrew:switch1}
    add userpasswd mycyclades {blah}

just that you have the overloaded 'mycyclades' issue to resolve?

> Is it best to hack in a new method along the lines of "cas" and a have a cas
> user and password in cloginrc? Then the foreach loop of the login procedure
> would just do nothing if the method was cas, and I'd be conditionally
> sourcing another script prior to the foreach that handles connecting to the
> port if the method was cas. Then the rest of the login procedure should be
> able to cope from there. I guess I'd just have to handle disconnecting from
> the port then somewhere as well.

Changing rancid minimally would suggest (if I'm right above) that you have multiple host aliases (for the switches' names) all pointing to the same IP address of mycyclades, and you treat them differently in .cloginrc (different username password pairs per 'switch'); and then just ssh to the 'switch' (really the cyclades with the extended username).
> regards
> Andrew

-afort (away for a week to have surgery.. wish me luck :)

From rancid-andrew at andrew.net.au Tue Jan 27 01:33:20 2004
From: rancid-andrew at andrew.net.au (Andrew Pollock)
Date: Tue, 27 Jan 2004 11:33:20 +1000
Subject: Hacking Cyclades support into clogin
Message-ID: <20040127013319.GA11291@daedalus.andrew.net.au>

I give up, I can't grok TCL/Expect as well as I'd like, and therefore can't hack the support into clogin that I'd like, so I'm going to explain here what I'm trying to do in the hope that someone else who wants this functionality (or some kind soul who knows the innards of clogin) can help with the mechanics of the code (or help improve the logic).

Firstly, the Cyclades is configured so that going:

    ssh -l andrew:router cyclades
or
    ssh -l andrew:ttyS1 cyclades

will land you (after authenticating) on the console of the router connected to port ttyS1 (where router has been defined as an alias for ttyS1). Pressing Enter is required to get a console login spat out. Sending a ~. on a newline after logging out of the console is required to disconnect.

So I thought I'd create another method, instead of trying to hack the life out of the existing ssh method, so I made a method called "cas" (console access server), with caspassword and casuser variables. I think this is where I've come unstuck, because the login procedure is only passing a username and a userpassword, which aren't necessarily relevant to the SSH connection to the Cyclades.

The login procedure needs to be recursive, in that it logs in once to the Cyclades using SSH, and then presses Enter, and then handles a console login as it would normally (I guess not unlike a telnet connection).

I haven't even made it to the logging out stage in clogin, but I guess if it sees an "exit" or a "logout" or whatever, it needs to send an Enter and then a ~.

Hope this helps someone with more TCL clue than I to get somewhere.

Andrew
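The connect-then-disconnect sequence the last message describes (SSH to the Cyclades with a "user:port" login, press Enter to raise the console prompt, later send a newline and "~." to drop the session), written as a stand-alone expect script; this is an added example, not code from the thread or from rancid's clogin, and the console-server name, account, port alias and the CAS_PASSWORD environment variable are assumptions.

```tcl
#!/usr/bin/expect --
# Added example, not clogin code: reach a router console through a Cyclades
# console server whose "user:port" SSH login lands directly on the serial
# port, press Enter to raise the console login prompt, and later disconnect
# with the ssh "~." escape. Host, account and port names are hypothetical.

if {![info exists env(CAS_PASSWORD)]} {
    send_user "Error: set CAS_PASSWORD in the environment (kept off argv)\n"
    exit 1
}
set timeout  30
set cas_host "mycyclades"         ;# assumed console-server hostname
set cas_user "andrew"             ;# assumed CAS account
set cas_port "ttyS1"              ;# serial port, or an alias such as "router"
set cas_pass $env(CAS_PASSWORD)

# Log in to the CAS; the extended username "user:port" selects the port.
# An unknown host key is deliberately left to time out: seed known_hosts
# out of band rather than answering "yes" from a script.
proc cas_connect {host user port pass} {
    spawn ssh -l "$user:$port" $host
    expect {
        -re {(?i)password:} { send -- "$pass\r" }
        timeout { send_user "\nError: no password prompt from $host\n"; exit 1 }
        eof     { send_user "\nError: ssh to $host closed\n"; exit 1 }
    }
    # The attached console prints nothing until it sees a newline.
    send -- "\r"
    expect {
        -re {(Username|login|Password):} { return "login" }
        -re {[>#] ?$}                     { return "prompt" }
        timeout { send_user "\nError: no console prompt on $host port $port\n"; exit 1 }
    }
}

# After logging out of the console: newline, then the ssh escape "~.".
proc cas_disconnect {} {
    send -- "\r~."
    expect eof
}

set state [cas_connect $cas_host $cas_user $cas_port $cas_pass]
send_user "\nconsole reached ($state); Ctrl-] returns control to the script\n"
# Where clogin would run its normal login and command loop, hand the session
# to the operator instead.
interact { "\035" return }
cas_disconnect
```

The "prompt" branch covers a console that was left logged in by a previous session, which is the state a config collector should notice rather than silently reuse.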