ciscoconfparse

ciscoconfparse

Important: ciscoconfparse2

ciscoconfparse is End of Life

As of December 14, 2023 ciscoconfparse2 is released; this is equivalent to version 2.0 of ciscoconfparse, but ciscoconfparse2 is a different PYPI project.

You should upgrade; here's why, ciscoconfparse2:

• It supports all major network vendor text configuration files (Arista, Cisco, F5, Juniper, Palo Alto)
• It supports searching across any number of configuration levels (ciscoconfparse only supports two config levels : a parent and child)
• It adds a string methods so you don't need to use regex matching if you don't want to
• It adds a CLI command
• Revamped documentation
• It simplifies the user interface and fixes broken ciscoconfparse default parameters (this could require changing old scripts using the original API)
• It intentionally uses a new python import to minimize confusion between itself and the original

NOTE ciscoconfparse2 deprecates many legacy ciscoconfparse APIs; overall this is a good thing because ciscoconfparse2 is easier to use. As such, test your code before using ciscoconfparse2 as a drop-in replacement.

Introduction: What is ciscoconfparse?

Short answer: ciscoconfparse is a Python library that helps you quickly answer questions like these about your Cisco configurations:

• What interfaces are shutdown?
• Which interfaces are in trunk mode?
• What address and subnet mask is assigned to each interface?
• Which interfaces are missing a critical command?
• Is this configuration missing a standard config line?

It can help you:

• Audit existing router / switch / firewall / wlc configurations
• Modify existing configurations
• Build new configurations

Speaking generally, the library examines an IOS-style config and breaks it into a set of linked parent / child relationships. You can perform complex queries about these relationships.

Generic Usage

The following code will parse a configuration stored in exampleswitch.conf and select interfaces that are shutdown.

In this case, the parent is a line containing interface and the child is a line containing the word shutdown.

from ciscoconfparse import CiscoConfParse

parse = CiscoConfParse('exampleswitch.conf', syntax='ios')

for intf_obj in parse.find_parent_objects('^interface', '^\s+shutdown'):
    print("Shutdown: " + intf_obj.text)

The next example will find the IP address assigned to interfaces.

from ciscoconfparse import CiscoConfParse

parse = CiscoConfParse('exampleswitch.conf', syntax='ios')

for ccp_obj in parse.find_objects('^interface'):

    intf_name = ccp_obj.re_match_typed('^interface\s+(\S.+?)$')

    # Search children of all interfaces for a regex match and return
    # the value matched in regex match group 1.  If there is no match,
    # return a default value: ''
    intf_ip_addr = ccp_obj.re_match_iter_typed(
        r'ip\saddress\s(\d+\.\d+\.\d+\.\d+)\s', result_type=str,
        group=1, default='')
    print(f"{intf_name}: {intf_ip_addr}")

Cisco IOS Factory Usage

CiscoConfParse has a special feature that abstracts common IOS / NXOS / ASA / IOSXR fields; at this time, it is only supported on those configuration types. You will see factory parsing in CiscoConfParse code as parsing the configuration with factory=True. A fraction of these pre-parsed Cisco IOS fields follows; some variables are not used below, but simply called out for quick reference.

from ciscoconfparse import IPv4Obj, IPv6Obj
from ciscoconfparse import CiscoConfParse

##############################################################################
# Parse an example Cisco IOS HSRP configuration from:
#     tests/fixtures/configs/sample_08.ios
#
# !
# interface FastEthernet0/0
#  ip address 172.16.2.1 255.255.255.0
#  ipv6 dhcp server IPV6_2FL_NORTH_LAN
#  ipv6 address fd01:ab00::/64 eui-64
#  ipv6 address fe80::1 link-local
#  ipv6 enable
#  ipv6 ospf 11 area 0
#  standby 110 ip 172.16.2.254
#  standby 110 ipv6 autoconfig
#  standby 110 priority 150
#  standby 110 preempt delay minimum 15
#  standby 110 track Dialer1 75
#  standby 110 track FastEthernet 0/1
#  standby 110 track FastEthernet1/0 30
#  standby 111 ip 172.16.2.253
#  standby 111 priority 150
#  standby 111 preempt delay minimum 15
#  standby 111 track Dialer1 50
#
##############################################################################
parse = CiscoConfParse('tests/fixtures/configs/sample_08.ios', syntax='ios', factory=True)
for ccp_obj in parse.find_objects('^interface'):

    # Skip if there are no HSRPInterfaceGroup() instances...
    if len(ccp_obj.hsrp_interfaces) == 0:
        continue

    # Interface name, such as 'FastEthernet0/0'
    intf_name = ccp_obj.name

    # Interface description
    intf_description = ccp_obj.description

    # IPv4Obj
    intf_v4obj = ccp_obj.ipv4_addr_object

    # IPv4 address object: ipaddress.IPv4Address()
    intf_v4addr = ccp_obj.ipv4_addr_object.ip

    # IPv4 netmask object: ipaddress.IPv4Address()
    intf_v4masklength = ccp_obj.ipv4_addr_object.masklength

    # set() of IPv4 secondary address/prefixlen strings
    intf_v4secondary_networks = ccp_obj.ip_secondary_networks

    # set() of IPv4 secondary address strings
    intf_v4secondary_addresses = ccp_obj.ip_secondary_addresses

    # List of HSRP IPv4 addrs from the ciscoconfpasre/models_cisco.py HSRPInterfaceGroup()
    intf_hsrp_addresses = [hsrp_grp.ip for hsrp_grp in ccp_obj.hsrp_interfaces]

    # A bool for using HSRP bia mac-address...
    intf_hsrp_usebia = any([ii.use_bia for ii in ccp_obj.hsrp_interfaces])

    ##########################################################################
    # Print a simple interface summary
    ##########################################################################
    print("----")
    print(f"Interface {ccp_obj.interface_object.name}: {intf_v4addr}/{intf_v4masklength}")
    print(f"  Interface {intf_name} description: {intf_description}")

    ##########################################################################
    # Print HSRP Group interface tracking information
    ##########################################################################
    print("")
    print(f"  HSRP tracking for {set([ii.interface_name for ii in ccp_obj.hsrp_interfaces])}")
    for hsrp_intf_group in ccp_obj.hsrp_interfaces:
        group = hsrp_intf_group.hsrp_group
        # hsrp_intf_group.interface_tracking is a list of dictionaries
        if len(hsrp_intf_group.interface_tracking) > 0:
            print(f"  --- HSRP Group {group} ---")
            for track_intf in hsrp_intf_group.interface_tracking:
                print(f"    --- Tracking {track_intf.interface} ---")
                print(f"    Tracking interface: {track_intf.interface}")
                print(f"    Tracking decrement: {track_intf.decrement}")
                print(f"    Tracking weighting: {track_intf.weighting}")


    ##########################################################################
    # Break out inidividual interface name components
    #   Example: 'Serial3/4/5.6:7 multipoint'
    ##########################################################################
    # The base ciscoconfparse/ccp_util.py CiscoInterface() instance
    intf_cisco_interface = ccp_obj.interface_object
    # The ciscoconfparse/ccp_util.py CiscoInterface() name, 'Serial3/4/5.6:7 multipoint'
    intf_name = ccp_obj.interface_object.name
    # The ciscoconfparse/ccp_util.py CiscoInterface() prefix, 'Serial'
    intf_prefix = ccp_obj.interface_object.prefix
    # The ciscoconfparse/ccp_util.py CiscoInterface() digit separator, '/'
    digit_separator = ccp_obj.interface_object.digit_separator or ""
    # The ciscoconfparse/ccp_util.py CiscoInterface() slot, 3
    intf_slot = ccp_obj.interface_object.slot or ""
    # The ciscoconfparse/ccp_util.py CiscoInterface() card, 4
    intf_card = ccp_obj.interface_object.card or ""
    # The ciscoconfparse/ccp_util.py CiscoInterface() card, 5
    intf_port = ccp_obj.interface_object.port
    # The ciscoconfparse/ccp_util.py CiscoInterface() subinterface, 6
    intf_subinterface = ccp_obj.interface_object.subinterface or ""
    # The ciscoconfparse/ccp_util.py CiscoInterface() channel, 7
    intf_channel = ccp_obj.interface_object.channel or ""
    # The ciscoconfparse/ccp_util.py CiscoInterface() interface_class, 'multipoint'
    intf_class = ccp_obj.interface_object.interface_class or ""

    ##########################################################################
    # Extract all IPv4Obj() with re_match_iter_typed()
    ##########################################################################
    _default = None
    for _obj in ccp_obj.children:
        # Get a dict() from re_match_iter_typed() by caling it with 'groupdict'
        intf_dict = _obj.re_match_iter_typed(
            # Add a regex match-group called 'v4addr'
            r"ip\s+address\s+(?P<v4addr>\S.+?\d)\s*(?P<secondary>secondary)*$",
            # Cast the v4addr regex match group as an IPv4Obj() type
            groupdict={"v4addr": IPv4Obj, "secondary": str},
            # Default to None if there is no regex match
            default=_default,
        )
        intf_ipv4obj = intf_dict["v4addr"]

    ##########################################################################
    # Extract all IPv6Obj() with re_match_iter_typed()
    ##########################################################################
    _default = None
    for _obj in ccp_obj.children:
        # Get a dict() from re_match_iter_typed() by caling it with 'groupdict'
        intf_dict = _obj.re_match_iter_typed(
            # Add regex match-groups called 'v6addr' and an optional 'ipv6type'
            r"ipv6\s+address\s+(?P<v6addr>\S.+?\d)\s*(?P<v6type>eui.64|link.local)*$",
            # Cast the v6addr regex match group as an IPv6Obj() type
            groupdict={"v6addr": IPv6Obj, "v6type": str},
            # Default to None if there is no regex match
            default=_default,
        )
        intf_ipv6obj = intf_dict["v6addr"]
        intf_ipv6type = intf_dict["v6type"]
        # Skip this object if it has no IPv6 address
        if intf_ipv6obj is _default:
            continue

When that is run, you will see information similar to this...

----
Interface FastEthernet0/0: 172.16.2.1/24
  Interface FastEthernet0/0 description: [IPv4 and IPv6 desktop / laptop hosts on 2nd-floor North LAN]

  HSRP Group tracking for {'FastEthernet0/0'}
  --- HSRP Group 110 ---
    --- Tracking Dialer1 ---
    Tracking interface: Dialer1
    Tracking decrement: 75
    Tracking weighting: None
    --- Tracking FastEthernet 0/1 ---
    Tracking interface: FastEthernet 0/1
    Tracking decrement: 10
    Tracking weighting: None
    --- Tracking FastEthernet1/0 ---
    Tracking interface: FastEthernet1/0
    Tracking decrement: 30
    Tracking weighting: None
  --- HSRP Group 111 ---
    --- Tracking Dialer1 ---
    Tracking interface: Dialer1
    Tracking decrement: 50
    Tracking weighting: None
GRP {'addr': <IPv6Obj fd01:ab00::/64>}
RESULT <IOSIntfLine # 231 'FastEthernet0/0' primary_ipv4: '172.16.2.1/24'> <IPv6Obj fd01:ab00::/64>

Are there private copies of CiscoConfParse()?

Yes. Cisco Systems maintains their own copy of CiscoConfParse(). The terms of the GPLv3 license allow this as long as they don't distribute their modified private copy in binary form. Also refer to this GPLv3 License primer / GPLv3 101. Officially, modified copies of CiscoConfParse source-code must also be licensed as GPLv3.

Dear Cisco Systems: please consider porting your improvements back into the github ciscoconfparse repo.

Are you releasing licensing besides GPLv3?

I will not; however, you can take the solution Cisco does above as long as you comply with the GPLv3 terms. If it's truly a problem for your company, there are commercial solutions available (to include purchasing the project, or hiring me).

What if we don't use Cisco IOS?

Don't let that stop you.

As of CiscoConfParse 1.2.4, you can parse brace-delimited configurations into a Cisco IOS style (see Github Issue #17), which means that CiscoConfParse can parse these configurations:

• Juniper Networks Junos
• Palo Alto Networks Firewall configurations
• F5 Networks configurations

CiscoConfParse also handles anything that has a Cisco IOS style of configuration, which includes:

• Cisco IOS, Cisco Nexus, Cisco IOS-XR, Cisco IOS-XE, Aironet OS, Cisco ASA, Cisco CatOS
• Arista EOS
• Brocade
• HP Switches
• Force 10 Switches
• Dell PowerConnect Switches
• Extreme Networks
• Enterasys
• Screenos

Docs

• Blogs
  • Kirk Byers published a ciscoconfparse blog piece
  • Henry Ölsner published a ciscoconfparse blog piece
• The latest copy of the docs are archived on the web
• There is also a CiscoConfParse Tutorial

Installation and Downloads

• Use poetry for Python3.x... :

  python -m pip install ciscoconfparse
  

If you're interested in the source, you can always pull from the github repo:

• Download from the github repo: :

    git clone git://github.com/mpenning/ciscoconfparse
    cd ciscoconfparse/
    python -m pip install .
  

Github Star History

What is the pythonic way of handling script credentials?

1. Never hard-code credentials
2. Use python-dotenv

Is this a tool, or is it artwork?

That depends on who you ask. Many companies use CiscoConfParse as part of their network engineering toolbox; others regard it as a form of artwork.

Pre-requisites

The ciscoconfparse python package requires Python versions 3.7+ (note: Python version 3.7.0 has a bug - ref Github issue #117, but version 3.7.1 works); the OS should not matter.

Other Resources

• Dive into Python3 is a good way to learn Python
• Team CYMRU has a Secure IOS Template, which is especially useful for external-facing routers / switches
• Cisco's Guide to hardening IOS devices
• Center for Internet Security Benchmarks (An email address, cookies, and javascript are required)

Bug Tracker and Support

• Please report any suggestions, bug reports, or annoyances with a github bug report.
• If you're having problems with general python issues, consider searching for a solution on Stack Overflow. If you can't find a solution for your problem or need more help, you can ask on Stack Overflow or reddit/r/Python.
• If you're having problems with your Cisco devices, you can contact:
  • Cisco TAC
  • reddit/r/Cisco
  • reddit/r/networking
  • NetworkEngineering.se

Dependencies

• Python 3
• passlib
• toml
• dnspython
• loguru
• deprecated

Unit-Tests and Development

• We are manually disabling some SonarCloud alerts with:
  • #pragma warning disable S1313
  • #pragma warning restore S1313
  • Where S1313 is a False-positive that SonarCloud flags in CiscoConfParse.
  • Those #pragma warning lines should be carefully-fenced to ensure that we don't disable a SonarCloud alert that is useful.

Semantic Versioning and Conventional Commits

• At this point, CiscoConfParse does NOT adhere to Semantic Versioning
• Although we added commitizen as a dev dependency, we are NOT enforcing commit rules (such as Conventional Commits) yet.

Execute Unit tests

The project's test workflow checks ciscoconfparse on Python versions 3.7 and higher, as well as a pypy JIT executable.

If you already git cloned the repo and want to manually run tests either run with make test from the base directory, or manually run with pytest in a unix-like system...

$ cd tests
$ pytest -vvs ./test_*py
...

Execute Miss Report

If you already have have pytest and pytest-cov installed, run a test line miss report as shown below.

$ cd tests
$ pytest --cov-report=term-missing --cov=ciscoconfparse ./
...

Editing the Package

This uses the example of editing the package on a git branch called develop...

• git clone https://github.com/mpenning/ciscoconfparse
• cd ciscoconfparse
• git branch develop
• git checkout develop
• Add / modify / delete on the develop branch
• make test
• If tests run clean, git commit all the pending changes on the develop branch
• If you plan to publish this as an official version rev, edit the version number in pyproject.toml. In the future, we want to integrate commitizen to manage versioning.
• git checkout main
• git merge develop
• make test
• git push origin main
• make pypi

Sphinx Documentation

Building the ciscoconfparse documentation tarball comes down to this one wierd trick:

• cd sphinx-doc/
• pip install -r ./requirements.txt; # install Sphinx dependencies
• pip install -r ../requirements.txt; # install ccp dependencies
• make html

License and Copyright

ciscoconfparse is licensed GPLv3

• Copyright (C) 2022-2023 David Michael Pennington
• Copyright (C) 2022 David Michael Pennington at WellSky
• Copyright (C) 2022 David Michael Pennington
• Copyright (C) 2019-2021 David Michael Pennington at Cisco Systems / ThousandEyes
• Copyright (C) 2012-2019 David Michael Pennington at Samsung Data Services
• Copyright (C) 2011-2012 David Michael Pennington at Dell Computer Corp
• Copyright (C) 2007-2011 David Michael Pennington

The word "Cisco" is a registered trademark of Cisco Systems.

Author

ciscoconfparse was written by David Michael Pennington (mike [~at~] pennington [.dot.] net).

Interesting Users (and some downstream projects)

The following are featured CiscoConfParse users / projects:

• salt
• suzieq: SuzieQ collects, normalizes, and stores timestamped data that is otherwise only available to engineers by logging into each device, providing a rich data lake that can be queried and leveraged for next generation monitoring and alerting
• netwalk: Python library to discover, parse, analyze and change Cisco switched networks
• netlint
• cisco_switchport_auditor: Parses Cisco switch configuration into Switch & Interface objects to access configuration details of the aforementioned in a programatic manner. Works with SSH, RESTCONF, or with running/start-up config files.
• nipper-ng: a network security analyzer
• pynipper-ng: a network security analyzer
• build_fabric: Build a declarative Cisco NXOS leaf and spine fabric using Ansible
• junos-ansible
• faddr
• NetOpsNornir
• adala: Extract useful information about your Cisco network
• xlina:
  • organize_acls.py: Extract and organize access-list configurations and organizes associated objects and object-groups.
  • organize_anyconnect.py: Extract and organize Anyconnect profiles and associated group policies, auth servers, access-lists, etc
  • organize_static_nats.py: Extract and organize static nat configurations and associated objects and object-groups
  • organize_auto_nat.py: Extract and organize auto nat configurations with associated objects
  • organize_crypto_maps.py: Extract and organize crypto map configurations and associated access-lists, transform-sets, tunnel-groups, etc
• Catalyst_2_Meraki_Config_Checker: Check the Cisco Catalyst configuration text file and verify if they are supported by the Meraki MS platform.
• parse_nxos_config: Generates an Excel file with the information gathered from running-config file from Cisco NXOS
• Nornir3_CDP_map: Set interface descriptions by looking at the hostname of its CDP neighbor
• devicebanner: Update the banner message of the day on network devices
• iosconfigslicer: Simple script to slice Cisco configuration file, and replicate sections of the config via SSH to another device
• ciscocfg: a simple RPCd for ciscoconfparse
• confParser: SSH with paramiko, and dump information about your configs into sqllite3 / Excel
• parse_config: Dump information about your Vlans / VRFs to excel
• Finally, Cisco Systems Product Engineering and Advanced Services

Other Useful Network Management Projects

• netbox: NetBox is the source of truth for everything on your network, from physical components like power systems and cabling to virtual assets like IP addresses and VLANs

  • ntc-netbox-plugin-onboarding: A plugin for NetBox to easily onboard new devices.

• nautobot: Network Source of Truth & Network Automation Platform.

• nornir: Network Automation via Plugins - A pluggable multi-threaded framework with inventory management to help operate collections of devices

• network-importer: The network importer is a tool/library to analyze and/or synchronize an existing network with a Network Source of Truth (SOT), it's designed to be idempotent and by default it's only showing the difference between the running network and the remote SOT.

• nuts: NUTS defines a desired network state and checks it against a real network using pytest and nornir.

• jerikan:

• nettowel: Collection of useful network automation functions

• napalm-panos

• Tacquito: A go TACACS+ implementation

• assessment-cmds: Useful show commands to check your Cisco router's health

• learn-to-cloud: Primer for Cloud-computing fundamentals