Check the release notes or command reference (or in-exec help) for further options.

This apparently does away with ‘boot system statements’ as well, as you can see if you run ‘show boot’ on the switches. The image set by your ‘archive’ command becomes the active image on reboot.  I’m not sure what happens if you have both explicit ‘system boot <blah>’ statements and the automatic IOS precedence setting configured via the fancy archive method.

anynode#sh boot
BOOT path-list : flash:c3750-ipservicesk9-mz.122-53.SE1/c3750-ipservicesk9-mz.122-53.SE1.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Auto upgrade path :
Timeout for Config
Download: 0 seconds
Config Download
via DHCP: disabled (next boot: disabled)
-------------------


MalbecMDF#show cdp neighbor detail | include (---|Device ID|IP address|Platform)

In practice, I generally cut the command down to:
sh cdp ne d | inc (blah|blah)
It is probably best to start with obvious match choices, before pairing them down, as you can find yourself surprised with the text that is grabbed from different types of devices if you’re basing your regular expression match on a small sample.

In any case, the output should come out something like this:

MalbecMDF#sh cdp ne d | inc (---|e ID|IP add|Plat)
-------------------------
Device ID: SummaC-6509
IP address: 10.77.234.131
Platform: cisco WS-C6509-E, Capabilities: Router Switch IGMP
-------------------------
Device ID: Malbec-AP10
IP address: 10.88.129.22
Platform: cisco AIR-AP1231G-A-K9 , Capabilities: Trans-Bridge
-------------------------
Device ID: Malbec-AP11
IP address: 10.88.129.29
Platform: cisco AIR-AP1231G-A-K9 , Capabilities: Trans-Bridge
-------------------------

Here’s a scenario: you’re auditing one of your routers, checking to make sure privilege levels are what they should be for individual users, and that commands that have been moved into non-default privilege levels that appear to be correctly defined.

Here’s the output of ’show running-config’ with only lines that match ‘privi’ included (so as to catch lines that show privilege levels):

IOS-rtr#sh run | inc privi
username sneezy privilege 0 secret 5 $1$Dz6cKoEINsYusITt.l
username dopey privilege 0 secret 5 $1$MIUYWJ.I3iGq/qNleB.
username meson privilege 0 secret 5 $1$7uBWyjan.5JB8KHR0
username gluon privilege 15 secret 5 $1$VuoC$09dsgXRB.A/d
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source
privilege level 15
privilege level 15

In this case, you can use the regular expression “.*” (dot-star) to match lines that contain both the word ‘privilege’ and ‘level 0′, thus eliminating other priv levels, as well as username definitions:
IOS-rtr#sh run | inc privi.*level 0
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear

The same thing works for an audit of ‘level 7′ commands:

OS-rtr#sh run | inc privi.*level 7
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source

If you want to show lines that match privilege levels other than zero, you could use this:
IOS-rtr#sh run | inc priv.*[1-9]

You should note that the “.*” (dot-star) regular expression can be used as a synonym for AND, provided that you are aware that “.*” is not order agnostic.
In order to do a true AND, you’d need an expression like :
sh run | inc (privi.*level 0|level 0.*privi)
This will match lines containing both ‘privilege’ and ‘level 0′, no matter which of the words appears first. To illustrate this, I’ll create a loopback interface (loop3) with some description text that will match the regex:

IOS-rtr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
IOS-rtr(config)#int loop3
IOS-rtr(config-if)#desc level 0 is not privileged here!
IOS-rtr(config-if)#^Z
IOS-rtr#sh run | inc (privi.*level 0|level 0.*privi)
description level 0 is not privileged here!
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear

It works! Notice that we caught both the description line and the privilege exec lines.

Apparently I’m easily amused, but there it is.

Yesterday, I was trying to find a method to implement an  ‘AND’ function within the Cisco IOS cisco command line.  I was familiar with the  ‘OR’ function available through the ‘|’ symbol (which is to say, the same symbol as the pipe).

For example, if you wanted to show the running config, and filter out lines that contained either ‘foo’ or ‘bar’, you could type

show run | include foo|bar

The second “pipe,”  in this case, isn’t a pipe, but the symbol for an ‘OR’ function.  (“Ceci n’est pas une pipe.”)

I wasn’t able to find a way to do an ‘AND’ in an analogous fashion, but I  did find a decent Cisco webpage on CLI and regular expressions (regexp) that helped a bit. That page can be found here: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/cliparse.htm

It is possible to do ‘AND’ type functions implicitly by using a more complex set of matching rules based on regular expressions.

Here’s a example that shows (from an interactive session on the Cisco CLI) if access-lists have been applied to interfaces using the “access-group” command:

sh run | include (^interface [A-Z])|(ip access-group [0-9a-zA-Z])

Lines that start with ‘interface’ followed by an uppercase letter (the expression matches anything in the range A-Z) are supposed to match things like ‘interface Fastethernet,’ ‘interface Serial’ and so on. The second part of the expression matches access-groups that have three possible initial character ranges: a lowercase letter (a-z), an uppercase letter (A-Z), or a number (0-9) for the standard access lists.
Some rudimentary filtering is done, so things like Loopback sourcing, route-maps, and so on, don’t match.

Interfaces that have no access-lists applied have on the interface name listed, but interfaces with an access-group command show the complete access-group statement under the relevant interface (which makes sense, given that this is only a filtered ’show run’).

Output might look something like this:

interface Serial3/3
interface Serial3/3.1 point-to-point
ip access-group pac in
ip access-group ket out
interface FastEthernet4/0
interface Serial6/0
ip access-group Ozona in

If this kind of function is useful for you, it is even easier to use if you put it in an alias on your switch or router:

#conf t
#alias exec shag sh run | include (^interface [A-Z])|(ip access-group [0-9a-zA-Z])

You should, of course, pick a name for the alias that you’ll remember.