topic acs command set: how to permit only interfaces Gi [1-5]/0/[1-48] and in config-if, permit all commands? in Network Access Control

acs command set: how to permit only interfaces Gi [1-5]/0/[1-48] and in config-if, permit all commands?

hichamemorchid — Fri, 21 Feb 2020 18:36:13 GMT

Hi Team,

I hope someone can help me on this subject because I'm on this for 2 weeks.

My client wants to configure command sets to do two things:

- permit only interfaces Gi [1-5]/0/[1-48]

AND

- in config-if permit all commands

For information, Some of the client equipments have 52 ports.

For the interfaces, I tried the following using wildcards:

Interface GigabitEthernet 0/0/^

Interface GigabitEthernet 1/0/^

Interface GigabitEthernet 2/0/^

Interface GigabitEthernet 3/0/^

Interface GigabitEthernet 4/0/^

Interface GigabitEthernet 5/0/^

Deny Interface $/0/49

Deny Interface $/0/50

Deny Interface $/0/51

Deny Interface $/0/52

If I'm not wrong, the wildcard "^" and "$" can be used.

This doesn't seem to work. Can someone help me on this?

Many thanks

Best Regards

Re: acs command set: how to permit only interfaces Gi [1-5]/0/[1-48] and in config-if, permit all commands?

Arne Bier — Tue, 17 Oct 2017 23:20:59 GMT

The caret '^' and $ are special regular expression operators (not wildcards) and you have to use them as follows:

^ is used to match the beginning of a string

$ is used to match the end of the string

You can't just place them willy nilly in your expression 🙂 No worries - we have all been there, and regex doesn't come easily to most people. Needs loads of practice but is really powerful once you understand it.

e.g.

Interface GigabitEthernet 0/0/^ is wrong because the ^ operator doesn't work at the end of a line., and likewise for Deny Interface $/0/49 because $ is always at the end of the line.

Here is a regular expression I came up with to cater for your interface statement

interf.*\sgig.*[1-5]\/0\/[1-48]

Test it out on https://regex101.com/

As for the remaining stuff, you can make a list of all the commands that are allowed, e.g. like ip address, or shutdown, no shutdown etc.

See how you go.

Re: acs command set: how to permit only interfaces Gi [1-5]/0/[1-48] and in config-if, permit all commands?

hichamemorchid — Wed, 18 Oct 2017 08:19:31 GMT

Hi Arne,

Thank you for your feedback.

I'll test the regex you provided and let you know if this works in my side.

Best Regards

Re: acs command set: how to permit only interfaces Gi [1-5]/0/[1-48] and in config-if, permit all commands?

hichamemorchid — Mon, 06 Nov 2017 13:51:34 GMT

Hi Ame,

I tried to test your suggestion via the ACS CLI but doesn't found how to implement it.

Do you know how to do the same via the ACS web interface.

Please see screenshot attached

Re: acs command set: how to permit only interfaces Gi [1-5]/0/[1-48] and in config-if, permit all commands?

Arne Bier — Tue, 07 Nov 2017 23:14:23 GMT

I don't have an ACS to test but I was able to enter these commands below that (with some modifications) may do the trick.

The idea is that once you have entered conf t, then in theory you only can go to "interface" next and in there you'll have to list all the commands you need (I have started you off with a few). Don't forget the end and exit commands.

IOS has this other concept that you may want to investigate - it's called "views" - and I think that may be another possible solution to do RBAC.

http://www.omnisecu.com/ccna-security/parser-views-role-based-access-control-rbac.php