July 27, 2006

Backing up your network with RANCID

Author: Walter Gould

A couple of years ago, my employer, a large state university, was looking for an open source replacement for CiscoWorks to assist us in backing up our network configurations. We found RANCID (Really Awesome New Cisco config Differ), tried it, and have used it ever since.

RANCID, which its developers say is released under a BSD-like license, will check your network device configurations and back them up if changes have been made. It keeps a history of changes using either Concurrent Versions System (CVS) or Subversion. RANCID is written in Perl and Expect. It supports Cisco routers, switches, and firewalls, Juniper routers, Foundry switches, Redback network-attached storage, Alteon and Hewlett-Packard ProCurve switches, and other devices. RANCID is a useful tool not only for backing up device configs, but also for troubleshooting network problems, because it lets you determine what changes were made since the last revision.

Before installing, you should scan the README file that is included with the package. It contains a quick installation guide that will help in configuring RANCID.

Installing RANCID is straightforward. If you are running FreeBSD, RANCID can be found in the ports under /usr/ports/net/rancid; running make install should do the trick. Ubuntu and Debian Linux distributions include RANCID packages that can be installed using APT. If you are using a distribution that does not include a RANCID package (Fedora Core, CentOS, Gentoo, etc.) you can manually install it by following the instructions in the README file.

After installing, add an unprivileged user that RANCID can run its scripts as -- "rancid," for instance. You also need to give that user ownership of the directory that RANCID was installed in, so that it can run the scripts there, with a command like chown -R rancid:rancid /usr/local/rancid.

Next, you need to modify the LIST_OF_GROUPS variable in the rancid.conf file, which defines the groups that you will classify your devices into. For example, your LIST_OF_GROUPS variable might be defined as LIST_OF_GROUPS="core border resnet engineering wireless firewalls library". Doing this makes things easier when you're adding devices, as you can place a device in a group that corresponds to its function or location.

The next step is to put a copy of the .cloginrc file in the home directory of the user that RANCID will run as. This file tells RANCID how to log in to the devices that are to be backed up. The syntax is pretty straightforward and there are examples in the cloginrc.sample file in the /usr/local/rancid/share/rancid/ directory.

After setting up your .cloginrc file, make sure that you change the permissions on the file so that it is not readable or writable by other users, with a command like chmod 600 .cloginrc.

If you would like to be emailed a report about the configuration differences when a change has been made to a device config, or notification of error messages, modify your /etc/aliases file. RANCID will send reports to rancid-group@domain_name and errors to rancid-admin-group@domain_name, where group is the group you defined in the rancid.conf file.

Next, you should run $rancid_home/bin/rancid-cvs to create directories and configuration files for each of the groups you specified in the LIST_OF_GROUPS variable and import them into your RANCID CVS repository. These directories and config files will be created under $rancid_home/var/. You need to cd into each of these directories and add to the router.db file each device whose configuration is to be backed up. Be aware of what operating system your Cisco switch or router uses, and be sure to specify that in the router.db file. The README file contains examples that will help you in making these entries.
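Before the first test run, the setup steps above can be checked mechanically. The following is an added example, not part of RANCID or of the original article: it verifies that .cloginrc grants nothing to group or other, and lists any rancid-group or rancid-admin-group alias that is missing for a group named in LIST_OF_GROUPS. The function names and the sample files in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight checks for the setup steps above.
# File paths are supplied by the caller; nothing here ships with RANCID.

# Succeeds only if FILE grants no group/other permission bits (e.g. mode 600).
cloginrc_is_private() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints the groups from LIST_OF_GROUPS in rancid.conf, one per line.
# The file is parsed, not sourced, so nothing in it is executed.
list_groups() {
    sed -n -E 's/^[[:space:]]*LIST_OF_GROUPS="?([^";#]*)"?.*/\1/p' "$1" |
        tail -n 1 | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Prints every rancid-GROUP / rancid-admin-GROUP alias absent from ALIASES.
missing_aliases() {   # usage: missing_aliases rancid.conf /etc/aliases
    for g in $(list_groups "$1"); do
        for a in "rancid-$g" "rancid-admin-$g"; do
            grep -q "^[[:space:]]*$a[[:space:]]*:" "$2" || echo "$a"
        done
    done
}

# Demo on constructed sample files (not real configuration).
demo() {
    d=$(mktemp -d) || return 1
    printf 'LIST_OF_GROUPS="core border firewalls"\n' > "$d/rancid.conf"
    printf 'rancid-core: netops\nrancid-admin-core: netops\nrancid-border: netops\n' > "$d/aliases"
    : > "$d/.cloginrc"; chmod 644 "$d/.cloginrc"
    cloginrc_is_private "$d/.cloginrc" || echo "FAIL: .cloginrc readable by others"
    chmod 600 "$d/.cloginrc"
    cloginrc_is_private "$d/.cloginrc" && echo "OK: .cloginrc is private"
    missing_aliases "$d/rancid.conf" "$d/aliases" | sed 's/^/MISSING alias: /'
    rm -rf "$d"
}
demo
```

Against a real installation, call cloginrc_is_private on the rancid user's .cloginrc and missing_aliases on your rancid.conf and /etc/aliases, using the paths your install actually uses.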

Now you should be ready to actually test RANCID. Run $rancid_home/bin/rancid-run and tail the logs in the $rancid_home/var/logs directory. If all goes well, you should see something similar to:

cvs add: scheduling file `' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /usr/local/rancid/var/CVS/core/configs/,v
Checking in;
/usr/local/rancid/var/CVS/core/configs/,v <--
initial revision: 1.1

Once you are able to run rancid-run without receiving errors in your logs, you should add a crontab entry for $rancid_home/bin/rancid-run, after you decide how often your configs need to be backed up. If you make many changes throughout the day, then it might be a good idea to have RANCID run every hour or two. If you only make a couple of changes during the day, then running RANCID once or twice a day would probably suffice. At our university, we back our configs up once per day, but I know of a company that backs up its configurations every hour.

RANCID is particular regarding device prompts, especially on Cisco Catalyst switches. The Catalyst OS does not include a ">" in its prompt, and that character is something RANCID looks for. If you have any CatOS switches, you will need to add a ">" after its prompt in order for RANCID to be able to log in and fetch the config. You can do this easily by issuing a set prompt switchname> command on the switch.

One file that has helped us in troubleshooting our RANCID configuration is $rancid_home/bin/clogin. If you notice login errors in your RANCID logs, try running this file to log in to your switch or router. The syntax is easy: $rancid_home/bin/clogin ip_address. If the correct IP address and password combination is in your .cloginrc file and if there are no prompt issues (as mentioned above), running clogin should log you into the device that you specify. If clogin allows you to log in, that indicates that the IP and password combination in your .cloginrc file is correct -- so your problem lies elsewhere.

A useful package to run alongside RANCID is CVSweb. CVSweb is a CGI script that allows you to view your CVS repository using a Web browser. Our switch technicians use CVSweb to copy and paste device configs directly from a browser into a text editor, so they don't have to worry about knowing any CVS commands. You can also browse each file's revisions and even see and highlight the differences between each revision.

As helpful a tool as it is, RANCID is fairly hands-on to configure and requires someone to manage the list of devices to be backed up. In addition, it helps if you have a working knowledge of CVS. For these reasons, RANCID may not be a viable solution for everyone. For us, however, the benefits outweigh the costs and the minor inconveniences. On more than one occasion, RANCID has gotten us out of a tight spot.
