3Com/H3C/HP Networking support for rancid

Overview

These add-ons for rancid provide support for the following equipment:

    • 3Com SuperStack 4 (post-joint venture with Huawei) (Comware 3)

    • H3C (Comware 5)

    • HP Networking ('A' & some 'E' portfolio, post 2010 3Com acquisition)

The scripts have been in development since at least 2009; in early 2011 I sorted out some long-standing problems, tidied them all up, and made the new versions available again for wider testing. I hope to have them rolled into the main rancid distribution one day.

3Com no more

The story of 3Com's joint venture with China's Huawei, the creation of H3C, the buy-out of H3C by 3Com, and the subsequent purchase of 3Com by HP Networking is long and tortuous - I will not attempt to replicate it here (nor do I know most of the details anyway!). Suffice it to say that a noteworthy consequence of 3Com having two portfolios, one under the "3Com" brand (well-known in USA/Europe) and one under the "H3C" brand (well-known in China), is that the product portfolios overlapped, sometimes featuring exactly the same switches under different brand names (e.g., the 3Com 4800G is operationally identical to the H3C S5500). Unfortunately, completely different products from the two portfolios sometimes shared a designation (e.g., the 3Com 5500-EI is not the same as the H3C S5500). Furthermore, when HP acquired 3Com/H3C and merged the models with their HP Procurve range, they created a portfolio with three strands:

    • 'A' (advanced) series (the previous H3C portfolio)

    • 'E' (enterprise/essential?) series (a mixture of 3Com and Procurve)

    • 'V' (value) series (low-end SMB/home 3Com and Procurve)

As they merged the products into the portfolio, they re-labelled them again, so the H3C S5500 became the HP Networking A5500 (as well as it also acquiring a traditional 'J' HP part number).

Tested models

The following models have been tested and are known to work to some degree:

    • 3Com 7750 (Comware 3)

    • 3Com 5500-EI/SI / HP E5500-EI/SI (Comware 3)

    • 3Com 5500G (Comware 3)

    • 3Com 4200G (Comware 3)

    • 3Com 4210 (Comware 3)

    • 3Com 4800G / H3C S5500 / HP A5500 (Comware 5)

    • 3Com 4210G (Comware 5)

    • H3C S3100 (Comware 3)

    • H3C S5600 (Comware 3)

    • H3C S7506 (Comware 5)

    • H3C S7906E (Comware 5)

    • H3C S5820X / HP A5800-48G (Comware 5)

    • H3C S5800 (Comware 5)

    • H3C S3610 (Comware 5)

    • H3C MSR30-60 (Comware 5)

    • H3C/HP S5120 (Comware 5)

    • Huawei MA5600 (Comware 5)

    • HP A5900 (Comware 7)

An early version was also tested on Huawei NE80E v3r3 once, but I have no idea if it still works for that platform now, nor indeed for any other Huawei models.

There has been minimal testing and modifications for Comware 7 devices.

Since you didn't ask, there was no Comware 4, nor Comware 6 either. Blame Chinese numerology and superstition.

Tested scenarios

(Parts of this section need more detail)

Both telnet and ssh methods work, so long as they are properly enabled and configured on the device and for the login user.

Under Comware 3/5, the login user rancid uses needs to be at least priv. level 2, or be able to execute and supply a password to the "super" command to achieve priv. level 3.

Comware 3/5: User with priv level 2 or 3

User has high enough privilege that it is not necessary to switch to "super" mode.

device:

    local-user rancidUser
     authorization-attribute level 3

.cloginrc:

    add user hostname rancidUser
    add password hostname {rancidPass}
    add autoenable hostname {1}

Comware 3/5: User with priv level 1

User needs to execute switch to "super" mode.

device:

    local-user rancidUser
     authorization-attribute level 1

.cloginrc:

    add user hostname rancidUser
    add password hostname {rancidPass} {superPass}
    add autoenable hostname {0}
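As an added example (not part of these scripts), a small Python check that parses .cloginrc "add" lines in the form used in the two scenarios above and flags hosts where autoenable is 0 but no second ("super") password value is supplied. Hostnames, user names and passwords in the sample are placeholders, and treating a missing autoenable as 0 is an assumption about clogin's default.

```python
import re

# Constructed sample .cloginrc covering the two scenarios above; hostnames
# and passwords are placeholders, not real devices or credentials.
SAMPLE_CLOGINRC = """\
# level 2/3 user: no 'super' needed
add user       sw-core-1 rancidUser
add password   sw-core-1 {rancidPass}
add autoenable sw-core-1 {1}

# level 1 user: the second password value is the 'super' password
add user       sw-edge-7 rancidUser
add password   sw-edge-7 {rancidPass} {superPass}
add autoenable sw-edge-7 {0}

# broken: autoenable 0 but only one password value given
add user       sw-edge-9 rancidUser
add password   sw-edge-9 {rancidPass}
add autoenable sw-edge-9 {0}
"""

# a value list is a mix of {braced} values (may contain spaces) and bare words
TOKEN = re.compile(r"\{([^}]*)\}|(\S+)")

def values(rest):
    """Split the value part of an 'add' line into a list of strings."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(rest)]

def parse_cloginrc(text):
    """Return {host: {key: [values]}} for every 'add' line; comments are skipped."""
    hosts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 3)      # add <key> <host> <values>
        if len(parts) == 4 and parts[0] == "add":
            hosts.setdefault(parts[2], {})[parts[1]] = values(parts[3])
    return hosts

def check_host(entry):
    """Problems with one host entry, judged against the two scenarios above."""
    problems = []
    pw = entry.get("password", [])
    if "user" not in entry or not pw:
        problems.append("missing user or password")
    # autoenable 0 means h3clogin will run 'super', which needs a second password
    # (a missing autoenable is assumed to mean 0, clogin's usual default)
    if entry.get("autoenable", ["0"])[0] == "0" and len(pw) < 2:
        problems.append("autoenable is 0 but no super password is supplied")
    return problems

def audit(text):
    return {host: check_host(entry) for host, entry in parse_cloginrc(text).items()}

if __name__ == "__main__":
    for host, problems in audit(SAMPLE_CLOGINRC).items():
        print(host, "OK" if not problems else "; ".join(problems))
```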

Comware 7

There is a new roles regime under Comware 7 which is much more flexible (i.e., complicated).

Rancid operates correctly if logging in to the device with a user in role network-admin (equivalent to level-15), which has all rights. (But not actually tested yet)

It operates reasonably well if logging in to the device with a user in role network-operator (roughly equivalent to level-1), which has rights to execute all display commands. However, this role cannot execute certain other commands that rancid requires (including, strangely, the commands to turn paging off, and file system viewing commands).

The recommended approach is to have rancid login with a specific user for that purpose, and create a role assigned to that user which permits rancid to do just what it needs to do.

For example:

    role name rancid-role
     description Rancid role
     rule 1 permit command display *
     rule 2 permit command dir *
     rule 3 permit command undo terminal monitor
     rule 4 permit command screen-length disable
     quit
    local-user rancid class manage
     service-type ssh
     authorization-attribute user-role rancid-role

SSH users

For some models (at least H3C S58xx and equivalents), you may find you need to specify the following in .cloginrc:

    add cyphertype ip.ad.re.ss {aes128-cbc}

The default (on my system, at least) of "3des" does not appear to work. A symptom of this would be that a test of ssh -x -c 3des -l user ip.ad.re.ss fails with key_verify failed for server_host_key. I also got this when I upgraded a 3Com 4800G from CMW520-R2202P15-S168 to S4800G-CMW520-R2208-S168.

Ensure that there is already an entry in ~/.ssh/known_hosts for the host (easily achieved by performing a manual ssh first as the user you run rancid as), or set StrictHostKeyChecking=no in ssh_config or equivalent (which means ssh no longer verifies the device's host key). It does not appear to be possible to pass arbitrary command-line arguments to the ssh invocation using .cloginrc.

How To Install

Install the files attached to this page in the usual place that clogin and rancid are installed (often in /usr/local/libexec/rancid or similar).

Modify rancid-fe in the same directory to include:

    'h3c' => 'h3crancid',

and use the type h3c in the router.db.

Caveats

    1. It is no use for older 3Com SuperStack 3/II/etc products;

    2. For Comware 3 devices (e.g., 3Com 5500), there appears to be no way to turn off paging on a per-session basis. You can turn it off per-vty, but that affects other users too. In Comware 5 (e.g., 3Com 4800G), there is a per-session "screen-length disable" command;

Problems / Testing

If the scripts don't work for you, then please get in touch with details. I may ask you to provide some debug output; the following commands would be useful:

    env NOPIPE=YES PATH=${PATH}:/path/to/ranciddir h3crancid -d ip.ad.re.ss

and send me the .raw output (sensitive data like passwords removed as required).

Also:

    expect /path/to/h3clogin -d -c 'dir; display version' ip.ad.re.ss
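Before sending the .raw output on, the secrets in it need stripping. As an added example (not part of these scripts), a Python helper that blanks the value after the usual Comware password, super-password and SNMP community keywords while keeping the rest of the line; the sample capture is constructed, every secret in it is a placeholder, and the command forms and the $c$3$ / $h$6$ cipher prefixes are assumptions about Comware syntax that you should extend for your own platform.

```python
import re

# Constructed sample of what a .raw capture can contain; it imitates
# Comware 5 syntax and every secret in it is a placeholder.
SAMPLE_RAW = """\
<sw-core-1>display current-configuration
#
 snmp-agent community read public
 snmp-agent community write s3cretRW
#
 super password level 3 cipher $c$3$PLACEHOLDER_SUPER==
local-user rancidUser
 password cipher $c$3$PLACEHOLDER_USER==
 authorization-attribute level 3
#
"""

# (pattern, replacement) pairs: the keyword stays, the value after it goes.
# The command forms are an assumption based on Comware 5; add your own.
REDACTIONS = [
    (re.compile(r"(\bpassword (?:cipher|simple) )\S+"), r"\1<removed>"),
    (re.compile(r"(\bsuper password level \d+ (?:cipher|simple) )\S+"), r"\1<removed>"),
    (re.compile(r"(\bsnmp-agent community (?:read|write) )\S+"), r"\1<removed>"),
    # catch-all for encoded-secret prefixes (assumed: $c$3$ on Comware 5, $h$6$ on 7)
    (re.compile(r"\$[ch]\$[36]\$\S+"), "<removed>"),
]

def redact(text):
    """Return (redacted text, number of values removed) for a .raw capture."""
    out, hits = [], 0
    for line in text.splitlines():
        for pat, repl in REDACTIONS:
            line, n = pat.subn(repl, line)
            hits += n
        out.append(line)
    return "\n".join(out) + "\n", hits

if __name__ == "__main__":
    clean, hits = redact(SAMPLE_RAW)
    print(clean, f"-- {hits} value(s) removed")
```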

Credits

Thanks particularly to Ugo Bellavance who has patiently tested various versions and sent me debug output and commentary, and to Alexander Belokopytov who gave me remote access to some equipment which proved useful at one point.

Notes

Nothing to note.

Files

See attachments.

Status

Mentioned several times on the rancid-users list, but not formally submitted.