Cisco IOS regex behavior — the misunderstood underscore?

Many demonstrations of Cisco IOS regular expression use over-simplify or misstate the actual use and definition of the underscore wildcard _.  This may lead to unexpected behavior in some situations.

In practice, the underscore can often work in an expression as a stand-in for “match spaces”, which is typically how it is used in Cisco regular expression examples. In reality, it can match many other characters and symbol representations than a space.

Here’s what the documentation says about the underscore:

Matches a comma (,), left brace ({), right brace (}), left parenthesis ( ( ), right parenthesis ( ) ), the beginning of the string, the end of the string, or a space.

(This is from http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/configuration/15_sy/fundamentals-15-sy-book/cf-cli-search.html, but there are numerous Cisco documents with the definition.)

It may be worth testing on multiple Cisco OS platforms and versions, but my use so far has been consistent with the documentation.

In IOS, a space inside parentheses will match a space, and in NX-OS, a space inside quotation marks will match a space. IOS behavior with the grouping or delimiting characters (parens) will still work, but literal spaces between words are the reliable matching construct. NX-OS requires the use of quotation marks to treat multiple words as a group.
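The documented definition of the underscore can be checked offline by expanding it into a standard regex alternation. This is an added example, not code from the original post or from Cisco; it assumes Python's re module as a stand-in for the IOS regex engine, and the helper names and sample strings are constructed for illustration.

```python
import re

# The characters the documentation quoted above lists for "_", plus the
# beginning and end of the string, as a standard-regex alternation.
UNDERSCORE = r"(?:[,{}() ]|^|$)"

def ios_to_python(pattern):
    """Expand each unescaped '_' in an IOS-style pattern.

    Simplified: an underscore inside a [...] bracket expression is not handled.
    """
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])  # keep escaped characters untouched
            i += 2
            continue
        out.append(UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)

def ios_match(pattern, text):
    """True if the translated pattern matches anywhere in text."""
    return re.search(ios_to_python(pattern), text) is not None

# Constructed sample strings (not from a real device).
SAMPLES = ["100", "200 100 300", "(100)", "{100,200}", "1000", "2100", "100-200"]

def matched(pattern, samples=SAMPLES):
    return [s for s in samples if ios_match(pattern, s)]

def space_only(token, samples=SAMPLES):
    """The common misreading: '_' treated as a literal space on both sides."""
    return [s for s in samples if f" {token} " in s]

if __name__ == "__main__":
    print("_100_ per documentation:", matched("_100_"))
    print("read as ' 100 ' only:   ", space_only("100"))
```

The two lists differ: the documented underscore also accepts the string boundaries, parentheses, braces and commas, while still rejecting `1000`, `2100` and `100-200`.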

Cisco 3560, 3750 archive command to install or upgrade IOS via tar file

Some newer L3 Cisco switches are now happier if you use the ‘archive’ facility to manage images.
If you only want the IOS, and not the web interface and so on, use the /imageonly flag.
From the Cisco release notes:
For example:
Switch# archive download-sw /overwrite tftp://198.30.20.19/c3750-ipservices-tar.122-50.SE.tar

Check the release notes or command reference (or in-exec help) for further options.

This apparently does away with ‘boot system statements’ as well, as you can see if you run ‘show boot’ on the switches. The image set by your ‘archive’ command becomes the active image on reboot.  I’m not sure what happens if you have both explicit ‘system boot <blah>’ statements and the automatic IOS precedence setting configured via the fancy archive method.

anynode#sh boot
BOOT path-list : flash:c3750-ipservicesk9-mz.122-53.SE1/c3750-ipservicesk9-mz.122-53.SE1.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Auto upgrade path :
Timeout for Config
Download: 0 seconds
Config Download
via DHCP: disabled (next boot: disabled)
-------------------

A simple output filter for “show cdp neighbors” using a compound regular expression (Cisco IOS)

Here is a simple filter I’ve used on ‘show cdp’ output, which lets me get information quickly.

MalbecMDF#show cdp neighbor detail | include (---|Device ID|IP address|Platform)

In practice, I generally cut the command down to:
sh cdp ne d | inc (blah|blah)
It is probably best to start with obvious match choices before paring them down, as you can find yourself surprised by the text that is grabbed from different types of devices if you’re basing your regular expression match on a small sample.

In any case, the output should come out something like this:

MalbecMDF#sh cdp ne d | inc (---|e ID|IP add|Plat)
-------------------------
Device ID: SummaC-6509
IP address: 10.77.234.131
Platform: cisco WS-C6509-E, Capabilities: Router Switch IGMP
-------------------------
Device ID: Malbec-AP10
IP address: 10.88.129.22
Platform: cisco AIR-AP1231G-A-K9 , Capabilities: Trans-Bridge
-------------------------
Device ID: Malbec-AP11
IP address: 10.88.129.29
Platform: cisco AIR-AP1231G-A-K9 , Capabilities: Trans-Bridge
-------------------------

Cisco IOS CLI regular expressions, Part II — ‘AND’

In an earlier post, I talked about Cisco command line regular expressions, and held off on giving any good examples of using the CLI regexp tools to get ‘AND’ functionality. (I pointed out there that the ‘|’ (pipe symbol) could be used as a simple ‘OR’ function.)
Here are some easy regexps that function (more or less) as simple Boolean ‘AND’s.

Here’s a scenario: you’re auditing one of your routers, checking to make sure privilege levels are what they should be for individual users, and that commands that have been moved into non-default privilege levels appear to be correctly defined.

Here’s the output of ‘show running-config’ with only lines that match ‘privi’ included (so as to catch lines that show privilege levels):

IOS-rtr#sh run | inc privi
username sneezy privilege 0 secret 5 $1$Dz6cKoEINsYusITt.l
username dopey privilege 0 secret 5 $1$MIUYWJ.I3iGq/qNleB.
username meson privilege 0 secret 5 $1$7uBWyjan.5JB8KHR0
username gluon privilege 15 secret 5 $1$VuoC$09dsgXRB.A/d
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source
privilege level 15
privilege level 15

In this case, you can use the regular expression “.*” (dot-star) to match lines that contain both the word ‘privilege’ and ‘level 0’, thus eliminating other priv levels, as well as username definitions:
IOS-rtr#sh run | inc privi.*level 0
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear

The same thing works for an audit of ‘level 7’ commands:

IOS-rtr#sh run | inc privi.*level 7
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source

If you want to show lines that match privilege levels other than zero, you could use this:
IOS-rtr#sh run | inc priv.*[1-9]

You should note that the “.*” (dot-star) regular expression can be used as a synonym for AND, provided that you are aware that “.*” is not order agnostic.
In order to do a true AND, you’d need an expression like:
sh run | inc (privi.*level 0|level 0.*privi)
This will match lines containing both ‘privilege’ and ‘level 0’, no matter which of the words appears first. To illustrate this, I’ll create a loopback interface (loop3) with some description text that will match the regex:

IOS-rtr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
IOS-rtr(config)#int loop3
IOS-rtr(config-if)#desc level 0 is not privileged here!
IOS-rtr(config-if)#^Z
IOS-rtr#sh run | inc (privi.*level 0|level 0.*privi)
description level 0 is not privileged here!
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear

It works! Notice that we caught both the description line and the privilege exec lines.

Apparently I’m easily amused, but there it is.
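The filters from this post can be replayed offline against a saved config, which also shows where each pattern over- or under-matches. This is an added example, not part of the original post; it assumes Python's re module behaves like the IOS engine for these simple patterns, the sample lines are constructed from the output above with the hashes replaced by a placeholder, and the tighter pattern "(level|privilege) [1-9]" is a suggestion that has only been evaluated here, not on a device.

```python
import re

# Constructed sample based on the output above; <hash> is a placeholder.
CONFIG = """\
username sneezy privilege 0 secret 5 <hash>
username gluon privilege 15 secret 5 <hash>
 description level 0 is not privileged here!
privilege exec level 0 traceroute
privilege exec all level 0 show
privilege configure level 7 logging
privilege configure level 7 logging trap
""".splitlines()

def include(pattern, lines=CONFIG):
    """Emulate '| include <pattern>': keep lines the regex matches anywhere."""
    rx = re.compile(pattern)
    return [ln.strip() for ln in lines if rx.search(ln)]

def levels_by_command(lines=CONFIG):
    """Group 'privilege <mode> [all] level N <command>' lines by level N."""
    rx = re.compile(r"^privilege (\S+) (?:all )?level (\d+) (.+)$")
    levels = {}
    for ln in lines:
        m = rx.match(ln.strip())
        if m:
            levels.setdefault(int(m.group(2)), []).append((m.group(1), m.group(3)))
    return levels

if __name__ == "__main__":
    for pattern in (
        r"privi.*level 0",                   # ordered: 'privi' must come first
        r"(privi.*level 0|level 0.*privi)",  # either order
        r"priv.*[1-9]",                      # any later digit 1-9 satisfies it
        r"(level|privilege) [1-9]",          # digit must follow the keyword
    ):
        print(pattern)
        for line in include(pattern):
            print("   ", line)
    print(levels_by_command())
```

In this sample, `priv.*[1-9]` also returns the `username sneezy privilege 0` line, because the `5` in `secret 5` satisfies `[1-9]`; anchoring the digit to the keyword removes that line from a non-zero-privilege audit.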

Cisco IOS CLI regular expressions (“Ceci n’est pas une pipe.”)

[taken from a note originally written March 2007]

Yesterday, I was trying to find a method to implement an ‘AND’ function within the Cisco IOS command line. I was familiar with the ‘OR’ function available through the ‘|’ symbol (which is to say, the same symbol as the pipe).

For example, if you wanted to show the running config, and filter for lines that contained either ‘foo’ or ‘bar’, you could type

show run | include foo|bar

The second “pipe,”  in this case, isn’t a pipe, but the symbol for an ‘OR’ function.

“Ceci n’est pas une pipe.”

I wasn’t able to find a way to do an ‘AND’ in an analogous fashion, but I  did find a decent Cisco webpage on CLI and regular expressions (regexp) that helped a bit. That page can be found here: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/cliparse.htm

It is possible to do ‘AND’ type functions implicitly by using a more complex set of matching rules based on regular expressions.

Here’s an example that shows (from an interactive session on the Cisco CLI) if access-lists have been applied to interfaces using the “access-group” command:

sh run | include (^interface [A-Z])|(ip access-group [0-9a-zA-Z])

The first part of the expression matches lines that start with ‘interface’ followed by an uppercase letter (anything in the range A-Z), which is meant to catch things like ‘interface Fastethernet,’ ‘interface Serial’ and so on. The second part of the expression matches access-groups that have three possible initial character ranges: a lowercase letter (a-z), an uppercase letter (A-Z), or a number (0-9) for the standard access lists.
Some rudimentary filtering is done, so things like Loopback sourcing, route-maps, and so on, don’t match.

Interfaces that have no access-lists applied have only the interface name listed, but interfaces with an access-group command show the complete access-group statement under the relevant interface (which makes sense, given that this is only a filtered ‘show run’).

Output might look something like this:

interface Serial3/3
interface Serial3/3.1 point-to-point
ip access-group pac in
ip access-group ket out
interface FastEthernet4/0
interface Serial6/0
ip access-group Ozona in

If this kind of function is useful for you, it is even easier to use if you put it in an alias on your switch or router:

#conf t
#alias exec shlag sh run | include (^interface [A-Z])|(ip access-group [0-9a-zA-Z])

Of course, pick a name for the alias that you’ll remember.
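When the filtered listing is long, the same pairing of interface lines with the access-group lines beneath them can be done by a script, which reports the interfaces that have no ACL in a given direction. This is an added example, not part of the original post; the sample text is constructed from the output shown above (with the leading space that ‘show run’ puts before interface sub-commands), and the function names are hypothetical.

```python
import re

# Constructed sample: the filtered output shown above.
FILTERED = """\
interface Serial3/3
interface Serial3/3.1 point-to-point
 ip access-group pac in
 ip access-group ket out
interface FastEthernet4/0
interface Serial6/0
 ip access-group Ozona in
"""

# Same two halves as the CLI filter, with capture groups added.
IFACE = re.compile(r"^interface ([A-Z]\S*)")
ACL = re.compile(r"ip access-group ([0-9a-zA-Z]\S*) (in|out)\b")

def acl_map(text):
    """Return {interface: {direction: acl_name}} in config order."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE.search(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = ACL.search(line)
        if m and current is not None:
            # An access-group line belongs to the most recent interface line.
            result[current][m.group(2)] = m.group(1)
    return result

def missing(text, direction):
    """Interfaces with no access-group applied in the given direction."""
    return [name for name, acls in acl_map(text).items() if direction not in acls]

if __name__ == "__main__":
    for name, acls in acl_map(FILTERED).items():
        print(f"{name:20} in={acls.get('in', '-'):8} out={acls.get('out', '-')}")
    print("no inbound ACL: ", missing(FILTERED, "in"))
    print("no outbound ACL:", missing(FILTERED, "out"))
```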