The Speed Test

Setup Rancid on FreeBSD

Setting up and Installing Rancid on FreeBSD for Cisco Products

What is Rancid?

Rancid is an application that monitors a devices configuration including
software and hardware. The configuration is then stored in a Concurrent
Version System or CVS. Most of the time it is used to back up router,
switch and firewall configurations, as well as notify you when a
configuration has changed, i.e a firewall rule or a routers IP address
or access list change.

here is an example of the output


retrieving revision 1.29

diff -u -4 -r1.29 mpls-jhb-pe1

@@ -288,9 +288,9 @@


interface Serial0/0

description Link to Client X

bandwidth 2048

- ip address

+ ip address

ip route-cache flow

ip tcp header-compression iphc-format

ip tcp compression-connections 256

! ip ospf message-digest-key 1 md5 the - symbol represents what was removed

the + symbol represents what was added

The above example is from a Cisco Router, however Rancid also is known to support
Redback, Foundry, HP Procurve, Juniper, of course Cisco Routers and Switches
and a host of others.

I Suggest that you also use Tacacs+ if your hardware supports it.

Installing Rancid

Install the port in /usr/ports/net-mgmt/rancid/

you can just run a "make install clean"

Once installed there are a few places where the files are found that you
will need to configure this.

The config files are in /usr/local/etc/rancid

The bin files are in /usr/local/libexec/rancid

The CVS and other files needed are in /usr/local/var/rancid

more other files /usr/local/share/rancid/

Frstly the rancid.conf file.

Copy the rancid.conf.sample to rancid.conf

The Conf file is pretty well commented and there are only 2 or 3 lines
you would need to change

The lines I changed are as follows.


MAILDOMAIN="@yourdomain.tld"; export MAILDOMAIN

you might also want to check this line


4 hours is the default, you could change it to 1 or 2 hours

But if your cron that checks the config is set to every 2 hours setting
the OLDTIME to 1 hour is not going to be a big help.

OLDTIME is the amount of hours that pass before rancid complains about
routers/devices that can not be reached.

4 hours should be fine, you should have some sort of an NMS System in
place anyway that will tell you about a network problem so you should
not have to rely on Rancid as an NMS.

Creating a Rancid User

I would suggest creating a rancid user

No special privileges are needed that I have noticed

I just used a standard user and a bash shell (I'm more comfortable using bash)

The .cloginrc file

This file is also pretty well commented and should be pretty easy to figure out.
the file should be in the rancid users home directory, the owner and group
should be the rancid user and the file should be either chmod 640 or 600

here is an example on mine

add user * rancid will log in as the rancid user if the device uses a username prompt i.e. tacacs+

add password *-pix-fw

add method *-pix-fw ssh

The above will log into any host matching somehost-pix.fw as rancid with the
above specified passwords.

add password specific-hosting-fw

add method specific-hosting-fw ssh

The above will log only into the firewall whose host is specific-hosting-fw
as rancid with the above specified passwords.

# all our routers, i.e.: everything else

add password *

# set ssh encryption type, dflt: 3des

add cyphertype *

There are namy other options in the file but these are the basics of what you
might need to get yours up and running, once you have your .cloginrc file
setup its time to test it.

su to your rancid user "su rancid"

and run: /usr/local/libexec/rancid/clogin ipaddr of the host you want to log into

if all goes well you should see something like this

[rancid@rat ~]$ clogin

spawn telnet


Connected to MPLS-JHB-PE1.

Escape character is '^]'.

MPLS-JHB-PE1 line 162

User Access Verification

Username: rancid






you might want to consider linking the clogin script on the libexec dir
to someplace else like /usr/sbin (or somewhere else in your path).

i.e ln -s /usr/local/libexec/rancid/clogin /usr/sbin/clogin

If your hosts are not in your DNS server zone files you can add
them to your /etc/hosts file.

Yes you guessed it im a lazy swine so the first thing i did was added
a bunch on aliases to my .bashrc file and copied the .cloginrc file to
my home directory and changed the user name from rancid in the file to
my username.

no all i have to do to log into a router switch or firewall is type in the
alias name and im in no need to remember passwords.

however there are security considerations that you might want to think about
before hand.

here is an example of my aliases in the .bashrc file

## Aliases ##

alias mpls='clear;clogin mpls-ny-pe1;clear'

alias mcore1='clear;clogin mcore1-ny-sw;clear'

alias mcore2='clear;clogin mcore2-ny-sw;clear'

Ok now most of the hard work is done.

Setting up the CVS and telling Rancid what devices monitor for config changes.

The first thing to do here is to check if the this directory exists


any way if it exists cd to /usr/local/ (as root)

and rm -fr var/rancid

then as the rancid user do the follwing

mkdir /usr/local/var/

mkdir /usr/local/var/rancid

then run rancid-run it should already be in /usr/local/bin/rancid-run
if its not then you can create a link as you did with clogin the rancid-run
and rancid-cvs bin's are in the libexec dir.

when you run rancid-run as the rancid user you should not get any errors

then you run rancid-cvs

Between these 2 rancid binaries your /user/local/var/rancid directory should
now contain the following directories.

CVS logs networks <-- networks here is the group in the /usr/local/etc/rancid/conf file

cd to the networks (or what ever group you created)

vi the router.db file

and add the hosts you want to monitor

Example below:











I would suggest just adding one line for for now so you can test it.

also on your mail server add an alias to mail you or your group the
info that will be sent by rancid.

vi /etc/aliases

rancid-networks: bob,john,jack

or you could do this

networks: bob,john,jack

rancid-networks: networks

But mail policy�s are up to you. Remember that rancid-xxxxxx will be
what ever you group was called mine is networks hence the alias rancid-networks

Once you have setup the mail to send you the logs of rancid data.

Run rancid-run again.

With any luck you will receive an email that will have a bunch of info
in regarding the host you just had rancid log into.

it should look similar to the output example right near the top of this page.

if not then either you have a problem with your rancid config
(check /usr/local/var/rancid/logs for log files)

or maybe your alias is not working or the server you are running rancid from
is not sending the mail (mail server stopped disabled being blocked etc.)

Last Step if all works

add a crontab as the rancid user

something like this


@hourly /usr/local/bin/rancid-run

Speed Test
Setting up Rancid on Freebsd 7.0
Setting up TACACS on Freebsd 7.0
Rate limiting host on a Cisco Router
Why is my internet slow?
How to enable SSH login access to a Cisco router?
Enhanced Interior Gateway Routing Protocol (EIGRP)
Privacy Policy
Copyright ©2010