10-16-2017 06:15 AM - edited 02-21-2020 10:36 AM
Hi Team,
I hope someone can help me on this subject because I've been on this for 2 weeks.
My client wants to configure command sets to do two things:
- permit only interfaces Gi [1-5]/0/[1-48]
AND
- in config-if permit all commands
For information, some of the client's equipment has 52 ports.
For the interfaces, I tried the following using wildcards:
Interface GigabitEthernet 0/0/^
Interface GigabitEthernet 1/0/^
Interface GigabitEthernet 2/0/^
Interface GigabitEthernet 3/0/^
Interface GigabitEthernet 4/0/^
Interface GigabitEthernet 5/0/^
Deny Interface $/0/49
Deny Interface $/0/50
Deny Interface $/0/51
Deny Interface $/0/52
If I'm not wrong, the wildcard "^" and "$" can be used.
This doesn't seem to work. Can someone help me on this?
Many thanks
Best Regards
10-17-2017 04:20 PM
Hi
The caret '^' and $ are special regular expression operators (not wildcards) and you have to use them as follows:
^ is used to match the beginning of a string
$ is used to match the end of the string
You can't just place them willy nilly in your expression :-) No worries - we have all been there, and regex doesn't come easily to most people. Needs loads of practice but is really powerful once you understand it.
e.g.
Interface GigabitEthernet 0/0/^ is wrong because the ^ operator doesn't work at the end of a line, and likewise for Deny Interface $/0/49 because $ is always at the end of the line.
Here is a regular expression I came up with to cater for your interface statement
interf.*\sgig.*[1-5]\/0\/[1-48]
Test it out on https://regex101.com/
As for the remaining stuff, you can make a list of all the commands that are allowed, e.g. like ip address, or shutdown, no shutdown etc.
See how you go.
10-18-2017 01:19 AM
Hi Arne,
Thank you for your feedback.
I'll test the regex you provided and let you know if this works on my side.
Best Regards
11-06-2017 05:51 AM
11-07-2017 03:14 PM
I don't have an ACS to test but I was able to enter these commands below that (with some modifications) may do the trick.
The idea is that once you have entered conf t, then in theory you can only go to "interface" next, and in there you'll have to list all the commands you need (I have started you off with a few). Don't forget the end and exit commands.
IOS has this other concept that you may want to investigate - it's called "views" - and I think that may be another possible solution to do RBAC.
http://www.omnisecu.com/ccna-security/parser-views-role-based-access-control-rbac.php