network_geek
Beginner

Allowing only dot interfaces on a Bundle

Hi All,

I am working on Cisco Secure ACS for IOS-XR and I want help from the experts out there. I want to globally deny it if someone tries to remove the whole bundle (e.g., no interface Bundle-Ether10), but they can do both of the following on the dot interfaces only:

a): no interface Bundle-Ether10.10

b): configure interface Bundle-Ether10.10.

 

I am currently working using regular expressions but I am at a loss. Mind you that the biggest bundle name is 1422 (4 digits).

Colby LeMaire
VIP Collaborator

Hard to say what specific regex to use for your situation since we don't know what the rest of your command-set looks like.  But if you only wanted to match the examples you gave, you could try the following:

^no\sinterface\sBundle-Ether\d{1,}\.\d{1,}$ - This would match if someone tried to enter "no interface Bundle-Ether10.10".  \d is any digit and "{1,}" is 1 or more.  "\." is specifically a period.  "$" is end of line.

A really good website for learning and testing regex is at https://regex101.com

 

Hi Colby,

Thank you so much for your response. The website says that this can be done; I will also check it in my environment and see if it works smoothly. Moreover, I have globally permitted all commands that are not present in my list, hence I need to only disallow a few. I hope this will solve my problem. I will get back to you with updates.

Is there a way I could stop commands for Bundle-Ether10 only, both no and any interface configuration commands? I have globally permitted all commands, and doing so would allow me to accept all but reject the global interface only.

If I understand your question, you don't want to allow any changes to Bundle-Ether10 but you still want to allow access/changes to sub-interfaces such as Bundle-Ether10.10.  Is that correct?  And you want to allow anything to happen to any Bundle-Ether other than Bundle-Ether10.  If so, try the following:

^\w*\s*interface\sBundle-Ether10$
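
An offline check of the patterns quoted in this thread against sample commands, added here as an example and not posted by any participant. It assumes Python's re module as a stand-in for the ACS regex engine, that each pattern is applied to the full command line, and the permit-unless-denied model the poster describes; DENY_ANY_BASE, matches, decide, evaluate and the sample commands are hypothetical names and constructed inputs.

```python
import re

# Patterns quoted in the thread.
DENY_BASE_10 = r"^\w*\s*interface\sBundle-Ether10$"
SUBIF_REMOVE = r"^no\sinterface\sBundle-Ether\d{1,}\.\d{1,}$"
# Assumption, not from the thread: the same deny widened to every base bundle
# with a 1-4 digit number (the poster says the largest bundle is 1422).
DENY_ANY_BASE = r"^\w*\s*interface\sBundle-Ether\d{1,4}$"

# Constructed sample command lines (not captured from a device).
SAMPLES = [
    "interface Bundle-Ether10",
    "no interface Bundle-Ether10",
    "interface Bundle-Ether10.10",
    "no interface Bundle-Ether10.10",
    "interface Bundle-Ether100",
    "no interface Bundle-Ether1422",
    "no interface Bundle-Ether1422.200",
    # \w* accepts any single leading word, not only "no".
    "show interface Bundle-Ether10",
]

def matches(pattern, command):
    """True when the pattern (which carries its own ^...$ anchors) matches."""
    return re.search(pattern, command) is not None

def decide(command, deny_patterns):
    """Permit by default; deny only when some deny pattern matches."""
    if any(matches(p, command) for p in deny_patterns):
        return "deny"
    return "permit"

def evaluate(deny_patterns, commands=SAMPLES):
    """Map each sample command to its decision under the given deny list."""
    return {cmd: decide(cmd, deny_patterns) for cmd in commands}

if __name__ == "__main__":
    for name, patterns in (("Bundle-Ether10 only", [DENY_BASE_10]),
                           ("any base bundle", [DENY_ANY_BASE])):
        print(f"deny list: {name}")
        for cmd, verdict in evaluate(patterns).items():
            print(f"  {verdict:6}  {cmd}")
```

The trailing $ is what keeps Bundle-Ether10.10 and Bundle-Ether100 out of the Bundle-Ether10 deny, and the leading \w* also catches commands that begin with a word other than "no".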


Hi Colby,

Thank you so much. It worked like a charm. I am, however, stuck on a different task now.
