Cisco IOS CLI regular expressions, Part II — ‘AND’

In an earlier post, I talked about Cisco command line regular expressions, and held off on giving any good examples of using the CLI regexp tools to get ‘AND’ functionality. (I pointed out there that the ‘|’ (pipe symbol) could be used as a simple ‘OR’ function.)
Here are some easy regexps that function (more or less) as simple Boolean ‘AND’s.

Here’s a scenario: you’re auditing one of your routers, checking to make sure privilege levels are what they should be for individual users, and that commands that have been moved into non-default privilege levels appear to be correctly defined.

Here’s the output of ‘show running-config’ with only lines that match ‘privi’ included (so as to catch lines that show privilege levels):

IOS-rtr#sh run | inc privi
username sneezy privilege 0 secret 5 $1$Dz6cKoEINsYusITt.l
username dopey privilege 0 secret 5 $1$MIUYWJ.I3iGq/qNleB.
username meson privilege 0 secret 5 $1$7uBWyjan.5JB8KHR0
username gluon privilege 15 secret 5 $1$VuoC$09dsgXRB.A/d
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source
privilege level 15
privilege level 15

In this case, you can use the regular expression “.*” (dot-star) to match lines that contain both the word ‘privilege’ and ‘level 0’, thus eliminating other priv levels, as well as username definitions:

IOS-rtr#sh run | inc privi.*level 0
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear

The same thing works for an audit of ‘level 7′ commands:

IOS-rtr#sh run | inc privi.*level 7
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source

If you want to show lines that match privilege levels other than zero, you could use this:
IOS-rtr#sh run | inc priv.*[1-9]

You should note that the “.*” (dot-star) regular expression can be used as a synonym for AND, provided that you are aware that “.*” is not order agnostic.
In order to do a true AND, you’d need an expression like:
sh run | inc (privi.*level 0|level 0.*privi)
This will match lines containing both ‘privilege’ and ‘level 0’, no matter which of the words appears first. To illustrate this, I’ll create a loopback interface (loop3) with some description text that will match the regex:

IOS-rtr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
IOS-rtr(config)#int loop3
IOS-rtr(config-if)#desc level 0 is not privileged here!
IOS-rtr(config-if)#^Z
IOS-rtr#sh run | inc (privi.*level 0|level 0.*privi)
description level 0 is not privileged here!
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear

It works! Notice that we caught both the description line and the privilege exec lines.

Apparently I’m easily amused, but there it is.
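To show what the patterns above actually select, here is an added Python example (it is not from the original post) that emulates ‘show run | include’ with Python’s re module over the quoted output plus the loop3 description line. It assumes that the constructs used here (.*, |, (), [1-9], ^) behave the same in Cisco’s CLI regex engine as in Python’s, which holds for these constructs. It also runs the ‘priv.*[1-9]’ pattern and a tighter alternative (TIGHT_NONZERO, my own name), because the loose form also picks up the ‘secret 5’ on the username lines.

```python
import re

# Constructed sample input: the 'sh run | inc privi' output quoted in the post,
# plus the interface description line the post adds to loop3.
SAMPLE_CONFIG = """\
username sneezy privilege 0 secret 5 $1$Dz6cKoEINsYusITt.l
username dopey privilege 0 secret 5 $1$MIUYWJ.I3iGq/qNleB.
username meson privilege 0 secret 5 $1$7uBWyjan.5JB8KHR0
username gluon privilege 15 secret 5 $1$VuoC$09dsgXRB.A/d
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source
privilege level 15
privilege level 15
description level 0 is not privileged here!
"""


def include(config: str, pattern: str) -> list[str]:
    """Emulate 'show run | include <regex>': keep lines the regex matches anywhere."""
    rx = re.compile(pattern)
    return [line for line in config.splitlines() if rx.search(line)]


def and_ordered(first: str, second: str) -> str:
    """'first.*second': both words present, but only in this order."""
    return f"{first}.*{second}"


def and_any_order(a: str, b: str) -> str:
    """The post's true AND: (a.*b|b.*a) matches regardless of which word comes first."""
    return f"({a}.*{b}|{b}.*{a})"


# Two ways of asking for "privilege levels other than zero".
LOOSE_NONZERO = r"priv.*[1-9]"              # also hits 'secret 5' on the username lines
TIGHT_NONZERO = r"^privilege .*level [1-9]"  # only privilege commands with a non-zero level


def audit(config: str) -> dict[str, list[str]]:
    """Run each pattern from the post over the config and collect the matching lines."""
    return {
        "ordered": include(config, and_ordered("privi", "level 0")),
        "any_order": include(config, and_any_order("privi", "level 0")),
        "level7": include(config, and_ordered("privi", "level 7")),
        "loose_nonzero": include(config, LOOSE_NONZERO),
        "tight_nonzero": include(config, TIGHT_NONZERO),
    }


if __name__ == "__main__":
    for name, lines in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {len(lines)} line(s)")
        for line in lines:
            print("   ", line)
```

Running it shows the ordered pattern returning the seven ‘privilege exec’ lines, the any-order pattern adding the description line, and the loose non-zero pattern returning nine lines, four of which are username entries matched only because of their ‘secret 5’; the anchored TIGHT_NONZERO pattern returns the five privilege commands at levels 7 and 15.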


2 Comments

  • ciscozine says:

    To check exactly an IP address use the backslash (\) before the dot (.) to remove the special meaning of the dot (.) character and the underscore (_) to check the space before/after the IP address. For example, to find the ip address 10.0.0.1 in the running configuration, use the command

    show run | i _10\.0\.0\.1_

    and not the command (it can match 10.0.0.1, 110.0.0.1, 10.1.1.11, …)

    show run | i 10.0.0.1

    More info on http://www.ciscozine.com/2010/10/06/using-regular-expressions-with-the-show-command/
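The difference the comment above describes, as an added Python example that is not part of the post or the comment: Cisco’s ‘_’ anchor matches the start or end of the line, a space, a comma, or a brace or parenthesis, and Python’s re has no such token, so the helper ios_to_python (my own name, and an assumption that ‘_’ is used only as that anchor) rewrites it into an equivalent alternation before the loose and the anchored IP patterns are run over a constructed config containing the near-misses 110.0.0.1 and 10.0.0.10.

```python
import re

# Cisco's '_' anchor matches the start or end of the line, a space, a comma, or
# a brace or parenthesis. Python's re has no such token, so this assumed helper
# rewrites a Cisco-style pattern into an equivalent Python one. Assumption: '_'
# appears only as that anchor (not inside a character class or as a literal).
IOS_UNDERSCORE = r"(?:^|$|[ ,(){}])"


def ios_to_python(pattern: str) -> str:
    """Translate the Cisco '_' anchor into a Python alternation."""
    return pattern.replace("_", IOS_UNDERSCORE)


def include(config: str, pattern: str) -> list[str]:
    """Emulate 'show run | include <cisco-regex>' on a captured config."""
    rx = re.compile(ios_to_python(pattern))
    return [line for line in config.splitlines() if rx.search(line)]


def exact_ip_pattern(ip: str) -> str:
    """Build the comment's anchored form: escape the dots and wrap in '_'."""
    return "_" + ip.replace(".", r"\.") + "_"


# Constructed sample config with near-misses for 10.0.0.1 (110.0.0.1, 10.0.0.10).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
interface GigabitEthernet0/0
 ip address 110.0.0.1 255.255.255.0
ip route 10.0.0.0 255.255.255.0 10.1.1.11
ip route 192.168.1.0 255.255.255.0 10.0.0.10
snmp-server host 10.0.0.1 traps public
access-list 10 permit 10.0.0.1
"""


if __name__ == "__main__":
    print("loose  'show run | i 10.0.0.1':")
    for line in include(SAMPLE_CONFIG, "10.0.0.1"):
        print("   ", line)
    print("exact  'show run | i " + exact_ip_pattern("10.0.0.1") + "':")
    for line in include(SAMPLE_CONFIG, exact_ip_pattern("10.0.0.1")):
        print("   ", line)
```

The loose pattern returns five lines, including the 110.0.0.1 and 10.0.0.10 ones, because an unescaped dot matches any character and nothing stops the match mid-token; the anchored pattern returns only the three lines where 10.0.0.1 stands on its own, including the access-list line where the address ends the line.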

  • admin says:

    I understand that it is possible to create more precise matches using the method you have described well here. In practice, it makes more sense to match only what needs to be matched with the least possible typing. While you are correct that there are multiple matches with a partial representation of the regex for an IP, on a live network it is usually sufficient to get close. If you are doing ‘show run’ and are matching an IP, you are matching the output of a static config, and presumably searching for known data. Even for dynamic data with many possible matches, it often makes more sense to do a quick and inexact search and then refine your regular expression to get the match you need (based on the output). This also cuts down on typos. Enclosing the expression in parens will also take care of space matching, if one is disinclined to use the underscores (as I am).
