11-11-2018 10:22 PM
Hello, I'm struggling with some regex issues on my ACS command sets.
I can of course block access to various commands and had blocked access to various interfaces; however, I'm unable to block access to our trunk interfaces while allowing access to our edge interfaces.
Using:
deny int* g1/1/1
deny int* g1/1/2
worked to keep low level admins out of those interfaces while allowing them access to:
g1/0/1, g1/0/2 etc...
I handled interface commands normally:
deny switchport
Now I need to deny access to those very same interfaces, g1/1/1, g1/1/2 etc..
while allowing access to g1/0/1 - 24, g1/0/1 - 48 and also for stacks.
I worked up a regex that I created from findings from Googling around.
permit int* g*([1-4/])*0/([1-4]|1[0-9]|2[0-9]|3[0-9]|4[0-8])$
should this be
permit int* g*([1-4/])0\/1[0-8]|2[0-8]|3[0-8]|4[0-8])$
Our switches are 24 and 48 porters.
So the stacks would range 1/0/1 - 24 or 48 and 2/0/1 - 24 or 48 etc.. up to 4 stacks.
The second value should always be a zero.
11-11-2018 10:50 PM
Do not use the * operator for everything. It is 0 or more occurrences.
There are a few pointers in the community on regular expressions. Please look at those.
I have some examples of regular expression in the ISE device admin prescriptive guide. You can look at that as well.
-Krishnan
11-11-2018 10:49 PM
If you are looking to deny with a regex, you can do it the same way as permit; this time we change 0 to 1:
Deny interf.*\sgig.*[1]\/2\/[1-2]
good regex tool
11-12-2018 03:25 PM
Hi, I created this command set, permit int* g*^([1-4][\/][0][\/][1-4])$, and ran it through regex 101.
It gave me a Full match in the Match Information section on 1/0/1 and other interfaces using 1/0/? format.
It fails on g1/1/? format which is what I want.
However, I'm still not able to access the interface.
I modified the one you sent, .*\sgig.*[1-4]\/[1-4]\/[1-2], and no joy.
They pass regex 101, thanks for that link btw.
ej
11-13-2018 04:09 AM
I tested this one in the regex 101 tester ^([1-4]\/[1-4]\/[1-4])$.
It worked and the group that reappeared shows all 3 sections.
Hopefully this will work following the g* to signify gigabitethernet.
So in my mind the rule should read:
Grant command attribute
deny int* g^([1-4]\/[1-4]\/[1-4])$
So when the user enters:
config t
int g1/1/1
They should see a reply that this command is not authorized.
ej
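The matching logic this thread is circling (permit edge ports in slot 0 on stack members 1-4, ports 1-48; deny the slot-1 uplinks), worked through in Python as an added example that is not from the thread or from Cisco; the regex engine inside ACS/ISE command sets may differ from Python's, so the patterns are an assumption to be verified on the device, as are the sample commands and the slot-1 port range [1-4].

```python
import re

# Constructed sample commands with the decision a low-level admin should get.
SAMPLE_COMMANDS = [
    ("interface g1/0/1", "permit"),
    ("int gi2/0/24", "permit"),
    ("interface GigabitEthernet4/0/48", "permit"),
    ("int g1/0/49", "deny"),   # beyond a 48-port member
    ("int g11/0/1", "deny"),   # stack member out of range
    ("int g1/1/1", "deny"),    # trunk/uplink slot
    ("int g2/1/2", "deny"),
]

# Edge ports: stack member 1-4, slot always 0, port 1-48. The port alternation
# is grouped so the trailing "$" applies to every branch, and the branches cover
# 1-9, 10-39 and 40-48 (a bare [1-4] as the first branch would skip ports 5-9).
EDGE_PORT = re.compile(
    r"^int[a-z]*\s+g[a-z]*([1-4])/0/([1-9]|[1-3][0-9]|4[0-8])$", re.IGNORECASE)

# Uplink/trunk ports in slot 1 (assumed range 1-4, as in the thread's examples).
TRUNK_PORT = re.compile(r"^int[a-z]*\s+g[a-z]*[1-4]/1/[1-4]$", re.IGNORECASE)


def classify(command: str) -> str:
    """Deny trunk ports, permit in-range edge ports, deny anything else."""
    if TRUNK_PORT.match(command):
        return "deny"
    return "permit" if EDGE_PORT.match(command) else "deny"


def check_samples() -> bool:
    return all(classify(cmd) == expected for cmd, expected in SAMPLE_COMMANDS)


def star_matches_without_g() -> bool:
    # "*" means zero or more of the preceding character, so "g*" also matches
    # a command that contains no "g" at all; "int* g*..." is therefore too loose.
    return re.fullmatch(r"int* g*1/0/1", "in 1/0/1") is not None


def caret_mid_pattern_never_matches() -> bool:
    # "^" anchors to the start of the string; placed after "g" it can never
    # match, so a rule written as "g^([1-4]/[1-4]/[1-4])$" denies nothing.
    return re.search(r"g^([1-4]/[1-4]/[1-4])$", "int g1/1/1") is None
```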