
Backing up your network with RANCID

Author: Walter Gould

A couple of years ago, my employer, a large state university, was looking for an open
source replacement for CiscoWorks to assist us in backing up our network
configurations. We found RANCID (Really Awesome New Cisco config Differ), tried
it, and have used it ever since.

RANCID, which its developers say is released under a BSD-like license, will check
your network device configurations and back them up if changes have been made. It
keeps a history of changes using either Concurrent Version System (CVS)
or Subversion. RANCID is written in Perl and Expect. It supports Cisco routers,
switches, and firewalls, Juniper routers, Foundry switches, Redback network-attached
storage, Alteon and Hewlett-Packard ProCurve switches, and other devices. RANCID
is a useful tool not only for backing up device configs, but also for troubleshooting
network problems, because it lets you determine what changes were made since the
last revision.

Before installing, you should scan the README file that is included with the
package. It contains a quick installation guide that will help in configuring RANCID.

Installing RANCID is straightforward. If you are running FreeBSD, RANCID can be
found in the ports under /usr/ports/net/rancid; running make install should do the
trick. Ubuntu and Debian Linux distributions include RANCID packages that can be
installed using APT. If you are using a distribution that does not include a RANCID
package (Fedora Core, CentOS, Gentoo, etc.), you can manually install it by following
the instructions in the README file.

After installing, add an unprivileged user that RANCID can run its scripts as --
"rancid," for instance. You also need to give that user privileges to run scripts in the
directory that RANCID was installed in, with a command like chown -R
rancid.rancid /usr/local/rancid.

Next, you need to modify the LIST_OF_GROUPS variable in the rancid.conf file,
which defines the groups that you will classify your devices into. For example, your
LIST_OF_GROUPS variable might be defined as LIST_OF_GROUPS="core
border resnet engineering wireless firewalls library".
Doing this makes things easier when you're adding devices, as you can place a device
in a group that corresponds to its function or location.

The next step is to put a copy of the .cloginrc file in the home directory of the user
that RANCID will run as. This file tells RANCID how to log in to the devices that are
to be backed up. The syntax is pretty straightforward and there are examples in the
cloginrc.sample file in the /usr/local/rancid/share/rancid/ directory.

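After setting up your .cloginrc file, make sure that you change the permissions on the
file so that it is not readable or writable by other users, with a command like chmod
600 .cloginrc. The file holds the login credentials for your devices, so only the
user that RANCID runs as should have access to it.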

If you would like to be emailed a report about the configuration differences when a
change has been made to a device config, or notification of error messages, modify
your /etc/aliases file. RANCID will send reports to rancid-group@domain_name and
errors to rancid-admin-group@domain_name, where group is the group you defined
in the rancid.conf file.

Next, you should run $rancid_home/bin/rancid-cvs to create directories
and configuration files for each of the groups you specified in the
LIST_OF_GROUPS variable and import them into your RANCID CVS repository.
These directories and config files will be created under $rancid_home/var/. You need
to cd into each of these directories and add to the router.db file each device whose
configuration is to be backed up. Be aware of what operating system your Cisco
switch or router uses, and be sure to specify that in the router.db file. The README
file contains examples that will help you in making these entries.
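
The setup steps above can be checked in one pass before the first rancid-run. The script below is an added example, not part of the original article or of RANCID itself; the function names, the demo tree, and the "netops" alias target are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight audit of a RANCID setup before the first rancid-run.
# All paths are passed in, so it works for any $rancid_home layout.

# Print the group names from LIST_OF_GROUPS="..." in rancid.conf (file is not sourced).
list_groups() {
    sed -n 's/^[[:space:]]*LIST_OF_GROUPS="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# .cloginrc holds device logins: succeed only if group and other have no access.
cloginrc_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# preflight CONF CLOGINRC VARDIR ALIASES: print one line per problem found.
preflight() {
    cloginrc_private "$2" || echo "cloginrc: $2 missing or open to group/other (chmod 600)"
    for g in $(list_groups "$1"); do
        [ -f "$3/$g/router.db" ] || echo "router.db: no $3/$g/router.db (run rancid-cvs)"
        for a in "rancid-$g" "rancid-admin-$g"; do
            grep -q "^$a:" "$4" || echo "aliases: no $a entry in $4"
        done
    done
}

# Constructed demo tree (sample data, not a real installation): the "border"
# group was never set up and .cloginrc was left world-readable.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/var/core"
echo 'LIST_OF_GROUPS="core border"; export LIST_OF_GROUPS' > "$demo/rancid.conf"
: > "$demo/var/core/router.db"
printf 'rancid-core: netops\nrancid-admin-core: netops\n' > "$demo/aliases"
: > "$demo/.cloginrc"; chmod 644 "$demo/.cloginrc"

preflight "$demo/rancid.conf" "$demo/.cloginrc" "$demo/var" "$demo/aliases"
```

On a real installation, call preflight with your own rancid.conf, the RANCID user's .cloginrc, $rancid_home/var and /etc/aliases; no output means every check passed.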

Now you should be ready to actually test RANCID.
Run $rancid_home/bin/rancid-run and tail the logs in the
$rancid_home/var/logs directory. If all goes well, you should see something similar
to:

cvs add: scheduling file `10.3.1.1' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /usr/local/rancid/var/CVS/core/configs/10.3.1.1,v
done
Checking in 10.3.1.1;
/usr/local/rancid/var/CVS/core/configs/10.3.1.1,v <-- 10.3.41.1
initial revision: 1.1
done

Once you are able to run rancid-run without receiving errors in your logs, you should
add a crontab entry for $rancid_home/bin/rancid-run, after you decide how
often your configs need to be backed up. If you make many changes throughout the
day, then it might be a good idea to have RANCID run every hour or two. If you only
make a couple of changes during the day, then running RANCID once or twice a day
would probably suffice. At our university, we back our configs up once per day, but I
know of a company that backs up its configurations every hour.

RANCID is particular regarding device prompts, especially on Cisco Catalyst
switches. The Catalyst OS does not include a ">" in its prompt, and that character is
something RANCID looks for. If you have any CatOS switches, you will need to add
a ">" after its prompt in order for RANCID to be able to log in and fetch the config.
You can do this easily by issuing a set prompt switchname> command on the
switch.

One file that has helped us in troubleshooting our RANCID configuration is
$rancid_home/bin/clogin. If you notice login errors in your RANCID logs, try
running this file to log in to your switch or router. The syntax is
easy: $rancid_home/bin/clogin ip_address. If the correct IP address and
password combination is in your .cloginrc file and if there are no prompt issues (as
mentioned above), running clogin should log you into the device that you specify. If
clogin allows you to log in, that indicates that the IP and password combination in
your .cloginrc file is correct -- so your problem lies elsewhere.

A useful package to run alongside RANCID is CVSweb. CVSweb is a CGI script that
allows you to view your CVS repository using a Web browser. Our switch technicians
use CVSweb to copy and paste device configs directly from a browser into a text
editor, so they don't have to worry about knowing any CVS commands. You can also
browse each file's revisions and even see and highlight the differences between each
revision.

As helpful a tool as it is, RANCID is fairly hands-on to configure and requires
someone to manage the list of devices to be backed up. In addition, it helps if you
have a working knowledge of CVS. For these reasons, RANCID may not be a viable
solution for everyone. For us, however, the benefits outweigh the costs and the minor
inconveniences. On more than one occasion, RANCID has gotten us out of a tight
spot.