Cisco IOS regex behavior — the misunderstood underscore?

Many demonstrations of Cisco IOS regular expression use over-simplify or misstate the actual use and definition of the underscore wildcard _.  This may lead to unexpected behavior in some situations.

In practice, the underscore can often work in an expression as a stand-in for “match spaces”, which is typically how it is used in Cisco regular expression examples. In reality, it can match many other characters and symbol representations than a space.

Here’s what the documentation says about the underscore:

Matches a comma (,), left brace ({), right brace (}), left parenthesis ( ( ), right parenthesis ( ) ), the beginning of the string, the end of the string, or a space.

(This is from, but there are numerous Cisco documents with the definition.)

It may be worth testing on multiple Cisco OS platforms and versions, but my use so far has been consistent with the documentation.

In IOS, a space inside parentheses will match a space, and in NX-OS, a space inside quotation marks will match a space. IOS behavior with the grouping or delimiting characters (parens) will still work, but spaces written between words are the matching construct that can be relied upon. NX-OS requires the use of quotation marks to treat multiple words as a group.
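
The documented definition can be modelled by expanding the underscore into an explicit alternation. The following is an added example, not code from the original post or from Cisco: it uses Python's re module as a stand-in for the device's regex engine, and the AS-path-style sample strings and the names ios_to_python and include are constructed for illustration.

```python
import re

# "_" per the documentation quoted above: comma, braces, parentheses,
# start of string, end of string, or space.
UNDERSCORE = r"(?:^|$|[,{}() ])"

def ios_to_python(pattern):
    """Expand '_' outside escapes and bracket classes (simplified model)."""
    out, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])  # escaped character stays literal
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        out.append(UNDERSCORE if ch == "_" and not in_class else ch)
        i += 1
    return "".join(out)

def include(pattern, lines):
    """Emulate '| include': keep lines where the pattern matches anywhere."""
    rx = re.compile(ios_to_python(pattern))
    return [ln for ln in lines if rx.search(ln)]

# Constructed test strings (not device output).
SAMPLES = [
    "65001",              # start and end of string
    "64512 65001 64999",  # spaces
    "{65001,64999}",      # brace and comma
    "(65001 64999)",      # parenthesis and space
    "165001",             # digit on the left: no delimiter
    "65001-backup",       # hyphen is not in the underscore set
]

if __name__ == "__main__":
    print("_65001_ :", include("_65001_", SAMPLES))
    print("' 65001 ':", include(" 65001 ", SAMPLES))
```

A pattern written with literal spaces matches only the second sample, while the underscore form matches the first four.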

Fixing broken mysql / mysql-server under Ubuntu 9.04 (Jaunty) after a purge

I broke my server attempting to do some clean-up before making bigger changes. mysql would not restart, and the culprit was something like ‘apt-get purge mysql-server,’ which deleted the /etc/mysql directory. Various installs brought back /etc/mysql but without solving the problem:

% sudo apt-get install mysql-server mysql-common

Setting up mysql-server-5.0 (…)
* Stopping MySQL database server mysqld [ OK ]
* Starting MySQL database server mysqld [fail]
invoke-rc.d: initscript mysql, action "start" failed.
dpkg: error processing mysql-server-5.0 (--configure):
subprocess post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of mysql-server:
mysql-server depends on mysql-server-5.0; however:
Package mysql-server-5.0 is not configured yet.
dpkg: error processing mysql-server (--configure):
dependency problems - leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
Errors were encountered while processing:
E: Sub-process /usr/bin/dpkg returned an error code (1)

2009-06-12 17:23:31 status half-installed mysql-server 5.1.30really5.0.75-0ubuntu10.2

In any case, the only way I could get things back running was to copy over the /etc/mysql directory from a working server,  doing

% sudo apt-get remove --purge mysql-server
% sudo apt-get install mysql-server

and rebooting.

Here’s what the /etc/mysql directory looked like after the copy:

/etc/mysql# ls -l
total 16
drwxr-xr-x 2 root root 4096 2009-06-12 17:23 conf.d
-rw------- 1 root root  312 2009-06-12 17:23 debian.cnf
-rwxr-xr-x 1 root root 1198 2009-05-14 05:39 debian-start
-rw-r--r-- 1 root root 4088 2009-03-30 15:18 my.cnf
/etc/mysql# ls -l conf.d/
total 0

So, the copy provided the conf.d directory and the my.cnf file that the re-install failed to (re)create.

I’ve uploaded a copy of the default Ubuntu 9.04 /etc/mysql/my.cnf file here.

And here’s just the active info from my.cnf file
(filtered through egrep -v '^$|^#' my.cnf to remove empty lines and comment lines) :

-----start my.cnf-----

port        = 3306
socket        = /var/run/mysqld/mysqld.sock
socket        = /var/run/mysqld/mysqld.sock
nice        = 0
user        = mysql
pid-file    = /var/run/mysqld/
socket        = /var/run/mysqld/mysqld.sock
port        = 3306
basedir        = /usr
datadir        = /var/lib/mysql
tmpdir        = /tmp
bind-address        =
key_buffer        = 16M
max_allowed_packet    = 16M
thread_stack        = 128K
thread_cache_size    = 8
myisam-recover        = BACKUP
query_cache_limit       = 1M
query_cache_size        = 16M
expire_logs_days    = 10
max_binlog_size         = 100M
max_allowed_packet    = 16M
key_buffer        = 16M
!includedir /etc/mysql/conf.d/

-----end my.cnf-----

Recreating that file may help you get mysql back running, as it appears to have been essential for me.

Incidentally, here is a handy search for printing which logfiles have info about your misbehaving program (in this case, mysql):

/var/log# egrep mysql * | awk -F: '{print $1}' | uniq

A simple output filter for “show cdp neighbors” using a compound regular expression (Cisco IOS)

Here is a simple filter I’ve used on ‘show cdp’ output, which lets me get information quickly.

MalbecMDF#show cdp neighbor detail | include (---|Device ID|IP address|Platform)

In practice, I generally cut the command down to:
sh cdp ne d | inc (blah|blah)
It is probably best to start with obvious match choices before paring them down, as you can find yourself surprised by the text that is grabbed from different types of devices if you’re basing your regular expression match on a small sample.

In any case, the output should come out something like this:

MalbecMDF#sh cdp ne d | inc (---|e ID|IP add|Plat)
Device ID: SummaC-6509
IP address:
Platform: cisco WS-C6509-E, Capabilities: Router Switch IGMP
Device ID: Malbec-AP10
IP address:
Platform: cisco AIR-AP1231G-A-K9 , Capabilities: Trans-Bridge
Device ID: Malbec-AP11
IP address:
Platform: cisco AIR-AP1231G-A-K9 , Capabilities: Trans-Bridge

Cisco IOS CLI regular expressions, Part II — ‘AND’

In an earlier post, I talked about Cisco command line regular expressions, and held off on giving any good examples of using the CLI regexp tools to get ‘AND’ functionality. (I pointed out there that the ‘|’ (pipe symbol) could be used as a simple ‘OR’ function.)
Here are some easy regexps that function (more or less) as simple Boolean ‘AND’s.

Here’s a scenario: you’re auditing one of your routers, checking to make sure privilege levels are what they should be for individual users, and that commands that have been moved into non-default privilege levels appear to be correctly defined.

Here’s the output of ‘show running-config’ with only lines that match ‘privi’ included (so as to catch lines that show privilege levels):

IOS-rtr#sh run | inc privi
username sneezy privilege 0 secret 5 $1$Dz6cKoEINsYusITt.l
username dopey privilege 0 secret 5 $1$MIUYWJ.I3iGq/qNleB.
username meson privilege 0 secret 5 $1$7uBWyjan.5JB8KHR0
username gluon privilege 15 secret 5 $1$VuoC$09dsgXRB.A/d
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source
privilege level 15
privilege level 15

In this case, you can use the regular expression “.*” (dot-star) to match lines that contain both the word ‘privilege’ and ‘level 0’, thus eliminating other priv levels, as well as username definitions:
IOS-rtr#sh run | inc privi.*level 0
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear

The same thing works for an audit of ‘level 7’ commands:

IOS-rtr#sh run | inc privi.*level 7
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source

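If you want to show lines that match privilege levels other than zero, you could use this:
IOS-rtr#sh run | inc priv.*[1-9]
Be aware that this pattern accepts any digit from 1 to 9 anywhere after ‘priv’, so it also matches username lines such as ‘privilege 0 secret 5’, where the 5 is the secret type rather than a privilege level.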

You should note that the “.*” (dot-star) regular expression can be used as a synonym for AND, provided that you are aware that “.*” is not order agnostic.
In order to do a true AND, you’d need an expression like:
sh run | inc (privi.*level 0|level 0.*privi)
This will match lines containing both ‘privilege’ and ‘level 0’, no matter which of the words appears first. To illustrate this, I’ll create a loopback interface (loop3) with some description text that will match the regex:

IOS-rtr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
IOS-rtr(config)#int loop3
IOS-rtr(config-if)#desc level 0 is not privileged here!
IOS-rtr#sh run | inc (privi.*level 0|level 0.*privi)
description level 0 is not privileged here!
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear

It works! Notice that we caught both the description line and the privilege exec lines.

Apparently I’m easily amused, but there it is.
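
The audit patterns from this post can be checked offline against a saved configuration. This is an added example, not part of the original post: Python's re module stands in for the IOS matcher, the config lines are a constructed sample modelled on the output above (hash values are placeholders), and and_pattern and the tighter pattern at the end are hypothetical additions. It generalizes the two-term AND to any number of terms by emitting one alternative per ordering.

```python
import re
from itertools import permutations

# Constructed sample modelled on the filtered 'sh run' output above;
# the hash values are placeholders.
CONFIG = """\
username sneezy privilege 0 secret 5 $1$placeholder
username gluon privilege 15 secret 5 $1$placeholder
description level 0 is not privileged here!
privilege exec level 0 traceroute
privilege exec level 0 clear ip nat
privilege configure level 7 logging trap
privilege level 15
""".splitlines()

def include(pattern, lines=CONFIG):
    """Emulate '| include': keep lines where the regex matches anywhere."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]

def and_pattern(*terms):
    """Order-agnostic AND: one 'a.*b' alternative per ordering of terms."""
    return "(" + "|".join(".*".join(p) for p in permutations(terms)) + ")"

if __name__ == "__main__":
    # Ordered AND: 'privi' must come before 'level 0'.
    print(include("privi.*level 0"))
    # True AND: also catches the description line.
    print(and_pattern("privi", "level 0"))
    print(include(and_pattern("privi", "level 0")))
    # 'priv.*[1-9]' also fires on digits in 'secret 5' and the hash,
    # so the privilege 0 username is reported as non-zero.
    print(include("priv.*[1-9]"))
    # Hypothetical tighter pattern: digit must directly follow the keyword.
    print(include("(privilege|level) [1-9]"))
```

The number of alternatives grows factorially with the number of terms, so and_pattern is practical only for two or three terms.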

Cisco IOS CLI regular expressions (“Ceci n’est pas une pipe.”)

[taken from a  note originally written March 2007]

Yesterday, I was trying to find a method to implement an ‘AND’ function within the Cisco IOS command line. I was familiar with the ‘OR’ function available through the ‘|’ symbol (which is to say, the same symbol as the pipe).

For example, if you wanted to show the running config, and show only lines that contained either ‘foo’ or ‘bar’, you could type

show run | include foo|bar

The second “pipe,”  in this case, isn’t a pipe, but the symbol for an ‘OR’ function.

“Ceci n’est pas une pipe.”


I wasn’t able to find a way to do an ‘AND’ in an analogous fashion, but I  did find a decent Cisco webpage on CLI and regular expressions (regexp) that helped a bit. That page can be found here:

It is possible to do ‘AND’ type functions implicitly by using a more complex set of matching rules based on regular expressions.

Here’s an example (from an interactive session on the Cisco CLI) that shows whether access-lists have been applied to interfaces using the “access-group” command:

sh run | include (^interface [A-Z])|(ip access-group [0-9a-zA-Z])

Lines that start with ‘interface’ followed by an uppercase letter (the expression matches anything in the range A-Z) are supposed to match things like ‘interface Fastethernet,’ ‘interface Serial’ and so on. The second part of the expression matches access-groups that have three possible initial character ranges: a lowercase letter (a-z), an uppercase letter (A-Z), or a number (0-9) for the standard access lists.
Some rudimentary filtering is done, so things like Loopback sourcing, route-maps, and so on, don’t match.

Interfaces that have no access-lists applied have only the interface name listed, but interfaces with an access-group command show the complete access-group statement under the relevant interface (which makes sense, given that this is only a filtered ‘show run’).

Output might look something like this:

interface Serial3/3
interface Serial3/3.1 point-to-point
ip access-group pac in
ip access-group ket out
interface FastEthernet4/0
interface Serial6/0
ip access-group Ozona in

If this kind of function is useful for you, it is even easier to use if you put it in an alias on your switch or router:

#conf t
#alias exec shlag sh run | include (^interface [A-Z])|(ip access-group [0-9a-zA-Z])

Of course, pick a name for the alias that you’ll remember.
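
For an audit, the filtered output can be turned into a list of interfaces that have no access-group at all. This is an added example, not code from the original post: it applies the same expression with Python's re module to a constructed running-config excerpt (addresses are documentation ranges), and the function names are hypothetical.

```python
import re

# Constructed 'show run' excerpt; interface and ACL names follow the
# sample output above, everything else is made up for the example.
RUNNING_CONFIG = """\
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface Serial3/3
 no ip address
interface Serial3/3.1 point-to-point
 ip access-group pac in
 ip access-group ket out
interface FastEthernet4/0
 ip address 198.51.100.1 255.255.255.0
interface Serial6/0
 ip access-group Ozona in
ip access-list extended pac
""".splitlines()

# The expression used with '| include' in the post.
FILTER = re.compile(r"(^interface [A-Z])|(ip access-group [0-9a-zA-Z])")

def acl_by_interface(lines):
    """Apply the include filter, then attach each access-group line to
    the most recent interface line above it."""
    result, current = {}, None
    for line in lines:
        if not FILTER.search(line):
            continue
        if line.startswith("interface "):
            current = line.split()[1]
            result[current] = []
        elif current is not None:
            # ' ip access-group pac in' -> ('pac', 'in')
            name, direction = line.split()[2:4]
            result[current].append((name, direction))
    return result

def unfiltered_interfaces(lines):
    """Interfaces with no access-group applied in either direction."""
    return [i for i, acls in acl_by_interface(lines).items() if not acls]

if __name__ == "__main__":
    print(acl_by_interface(RUNNING_CONFIG))
    print("no ACL:", unfiltered_interfaces(RUNNING_CONFIG))
```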