Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1982
Views
0
Helpful
5
Replies

Allowing only dot interfaces on a Bundle

Go to solution
network_geek
Level 1
Level 1

‎08-05-2020 07:19 AM

Hi All,

I am working on Cisco Secure ACS for IOS-XR and I want help from experts out there. I want to globally deny if someone could remove the whole bundle(e.g: no interface Bundle-Ether10) but can do both of the following on the dot interfaces only:

a): no interface Bundle-Ether10.10

b): configure interface Bundle-Ether10.10.

 

I am currently working using regular expressions but I am at lost. Mind you that the biggest bundle name is 1422(4 digits).

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni
In response to network_geek

‎08-05-2020 01:29 PM

If I understand your question, you don't want to allow any changes to Bundle-Ether10 but you still want to allow access/changes to sub-interfaces such as Bundle-Ether10.10.  Is that correct?  And you want to allow anything to happen to any Bundle-Ether other than Bundle-Ether10.  If so, try the following:

^\w*\s*interface\sBundle-Ether10$

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎08-05-2020 09:49 AM

Hard to say what specific regex to use for your situation since we don't know what the rest of your command-set looks like.  But if you only wanted to match the examples you gave, you could try the following:

^no\sinterface\sBundle-Ether\d{1,}\.\d{1,}$ - This would match if someone tried to enter "no interface Bundle-Ether10.10".  \d is any digit and "{1,}" is 1 or more.  "\." is specifically a period.  "$" is end of line.

A really good website for learning and testing regex is at https://regex101.com

 

0 Helpful

Go to solution
network_geek
Level 1
Level 1
In response to Colby LeMaire

‎08-05-2020 11:09 AM

Hi Colby,

Thank you so much for your response. The website says that this can been done, I will also check it in my environment and see if it works smoothly. Moreover, I have globally permitted all commands that are not present in my list hence I need to only disallow a few. I hope this will solve my problem. I will get back to you with updates.

0 Helpful

Go to solution
network_geek
Level 1
Level 1
In response to Colby LeMaire

‎08-05-2020 11:13 AM

Is there a way if I could only stop commands for Bundle-Ether10 only, both no and any interface configuration commands? I have globally permitted all commands and doing so would allow me to accept all but reject the global interface only.

0 Helpful

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni
In response to network_geek

‎08-05-2020 01:29 PM

If I understand your question, you don't want to allow any changes to Bundle-Ether10 but you still want to allow access/changes to sub-interfaces such as Bundle-Ether10.10.  Is that correct?  And you want to allow anything to happen to any Bundle-Ether other than Bundle-Ether10.  If so, try the following:

^\w*\s*interface\sBundle-Ether10$

 

0 Helpful

Go to solution
network_geek
Level 1
Level 1
In response to Colby LeMaire

‎08-06-2020 11:01 AM

Hi Colby,

Thank you so much. It worked like a charm. I am, however, stuck on a different task now.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents