11-11-2018 10:22 PM
Hello, I'm struggling with some regex issues on my ACS command sets.
I can of course block access to various commands and had blocked access to various interfaces; however, I'm unable to block access to our trunk interfaces while allowing access to our edge interfaces.
Using:
deny int* g1/1/1
deny int* g1/1/2
worked to keep low level admins out of those interfaces while allowing them access to:
g1/0/1, g1/0/2 etc...
I handled interface commands normally:
deny switchport
Now I need to deny access to those very same interfaces, g1/1/1, g1/1/2 etc..
while allowing access to g1/0/1 - 24, g1/0/1 - 48 and also for stacks.
I worked up a regex that I created from findings Googling around.
permit int* g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$
should this be
permit int* g*([1-4/])0\/1[0-8]|2[0-8]|3[0-8]|4[0-8])$
Our switches are 24 and 48 porters.
So the stacks would range 1/0/1 - 24 or 48 and 2/0/1 - 24 or 48 etc.. up to 4 stacks.
The second value should always be a zero.
11-11-2018 10:50 PM
Do not use the * operator for everything. It is 0 or more occurrences.
There are a few pointers in the community on regular expressions. Please look at those.
I have some examples of regular expression in the ISE device admin prescriptive guide. You can look at that as well.
-Krishnan
11-11-2018 10:49 PM
If you are looking to deny with a regex you can do it the same way as the permit; this time we change 0 to 1:
Deny interf.*\sgig.*[1]\/2\/[1-2]
good regex tool
11-12-2018 03:25 PM
Hi, I created this command set, permit int* g*^([1-4][\/][0][\/][1-4])$, and ran it through regex 101.
It gave me a Full match in the Match Information section on 1/0/1 and other interfaces using 1/0/? format.
It fails on g1/1/? format which is what I want.
However, I'm still not able to access the interface.
I modified the one you sent, .*\sgig.*[1-4]\/[1-4]\/[1-2], and no joy.
They pass regex 101, thanks for that link btw.
ej
11-13-2018 04:09 AM
I tested this one in the regex 101 tester ^([1-4]\/[1-4]\/[1-4])$.
It worked and the group that reappeared shows all 3 sections.
Hopefully this will work following the g* to signify gigabitethernet.
So in my mind the rule should read:
Grant command attribute
deny int* g^([1-4]\/[1-4]\/[1-4])$
So when the user enters:
config t
int g1/1/1
They should see a reply that this command is not authorized.
ej
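To show why Krishnan's point about `*` and the anchoring matter for command authorization, here is an added test harness (not from the thread or from Cisco) that evaluates a small first-match-wins rule list over sample IOS command lines. It assumes Python's `re` behaves closely enough to the ACS/ISE regex dialect to exercise the logic; the constructed patterns permit edge ports g[1-4]/0/1-48 and deny uplinks on g[1-4]/1/x, and the thread's own two attempts are included for comparison.

```python
import re

# Constructed patterns for a 1-4 member stack of 24/48-port switches:
# edge ports are g<stack>/0/<1-48>, uplink/trunk ports are g<stack>/1/<n>.
# Python's re is assumed to be close enough to the ACS/ISE regex dialect to
# exercise the logic; the real command set must still be tested on the box.
EDGE_PERMIT = r"^int(?:erface)?\s+g(?:igabitethernet|i)?[1-4]/0/(?:[1-9]|[1-3]\d|4[0-8])$"
TRUNK_DENY = r"^int(?:erface)?\s+g(?:igabitethernet|i)?[1-4]/1/\d+$"

# Ordered rule list, first match wins, implicit deny at the end.
RULES = [("deny", TRUNK_DENY), ("permit", EDGE_PERMIT)]

# The thread's own attempts, kept verbatim for comparison.
OP_FIRST = r"int* g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$"
OP_LAST = r"int* g^([1-4]\/[1-4]\/[1-4])$"


def authorize(command: str, rules=RULES) -> str:
    """Return 'permit' or 'deny' for a full command line such as
    'interface g1/0/24', evaluating the rules top to bottom."""
    for action, pattern in rules:
        if re.search(pattern, command):
            return action
    return "deny"


def matches(pattern: str, command: str) -> bool:
    """True when the regex matches anywhere in the command line."""
    return re.search(pattern, command) is not None


if __name__ == "__main__":
    for cmd in ("interface g1/0/24", "int g4/0/48", "interface g1/1/1",
                "interface g1/0/49", "interface g5/0/1"):
        print(f"{cmd:22} -> {authorize(cmd)}")
    # '*' is a quantifier, not a shell glob: 'int*' means 'in' plus any number
    # of 't', so 'interface' never matches the first attempt, and ports 5-9
    # are missing from its alternation entirely.
    print(matches(OP_FIRST, "interface g1/0/4"))  # False
    print(matches(OP_FIRST, "int g1/0/5"))         # False
    # '^' in the middle of a pattern still anchors to the start of input, so
    # the last attempt cannot match once 'int g' has consumed characters.
    print(matches(OP_LAST, "int g1/1/1"))          # False
    # Dropping the '$' anchor lets 'g1/0/4' match the prefix of 'g1/0/49'.
    print(matches(EDGE_PERMIT.rstrip("$"), "interface g1/0/49"))  # True
```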