Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Parse, Audit, Query, Build, and Modify Cisco IOS-style and JunOS-style configs
ciscoconfparse is End of Life
As of December 14, 2023 ciscoconfparse2 is released; this is equivalent to version 2.0 of ciscoconfparse, but ciscoconfparse2 is a different PYPI project.
You should upgrade; here's why, ciscoconfparse2:
NOTE ciscoconfparse2 deprecates many legacy ciscoconfparse APIs; overall this is a good thing because ciscoconfparse2 is easier to use. As such, test your code before using ciscoconfparse2 as a drop-in replacement.
Short answer: ciscoconfparse is a Python library that helps you quickly answer questions like these about your Cisco configurations:
It can help you:
Speaking generally, the library examines an IOS-style config and breaks it into a set of linked parent / child relationships. You can perform complex queries about these relationships.
The following code will parse a configuration stored in
exampleswitch.conf
and select interfaces that are shutdown.
In this case, the parent is a line containing interface
and
the child is a line containing the word shutdown
.
from ciscoconfparse import CiscoConfParse
parse = CiscoConfParse('exampleswitch.conf', syntax='ios')
for intf_obj in parse.find_parent_objects('^interface', '^\s+shutdown'):
print("Shutdown: " + intf_obj.text)
The next example will find the IP address assigned to interfaces.
from ciscoconfparse import CiscoConfParse
parse = CiscoConfParse('exampleswitch.conf', syntax='ios')
for ccp_obj in parse.find_objects('^interface'):
intf_name = ccp_obj.re_match_typed('^interface\s+(\S.+?)$')
# Search children of all interfaces for a regex match and return
# the value matched in regex match group 1. If there is no match,
# return a default value: ''
intf_ip_addr = ccp_obj.re_match_iter_typed(
r'ip\saddress\s(\d+\.\d+\.\d+\.\d+)\s', result_type=str,
group=1, default='')
print(f"{intf_name}: {intf_ip_addr}")
CiscoConfParse has a special feature that abstracts common IOS / NXOS / ASA / IOSXR fields; at this time, it is only supported on those configuration types. You will see factory parsing in CiscoConfParse code as parsing the configuration with factory=True
. A fraction of these pre-parsed Cisco IOS fields follows; some variables are not used below, but simply called out for quick reference.
from ciscoconfparse import IPv4Obj, IPv6Obj
from ciscoconfparse import CiscoConfParse
##############################################################################
# Parse an example Cisco IOS HSRP configuration from:
# tests/fixtures/configs/sample_08.ios
#
# !
# interface FastEthernet0/0
# ip address 172.16.2.1 255.255.255.0
# ipv6 dhcp server IPV6_2FL_NORTH_LAN
# ipv6 address fd01:ab00::/64 eui-64
# ipv6 address fe80::1 link-local
# ipv6 enable
# ipv6 ospf 11 area 0
# standby 110 ip 172.16.2.254
# standby 110 ipv6 autoconfig
# standby 110 priority 150
# standby 110 preempt delay minimum 15
# standby 110 track Dialer1 75
# standby 110 track FastEthernet 0/1
# standby 110 track FastEthernet1/0 30
# standby 111 ip 172.16.2.253
# standby 111 priority 150
# standby 111 preempt delay minimum 15
# standby 111 track Dialer1 50
#
##############################################################################
parse = CiscoConfParse('tests/fixtures/configs/sample_08.ios', syntax='ios', factory=True)
for ccp_obj in parse.find_objects('^interface'):
# Skip if there are no HSRPInterfaceGroup() instances...
if len(ccp_obj.hsrp_interfaces) == 0:
continue
# Interface name, such as 'FastEthernet0/0'
intf_name = ccp_obj.name
# Interface description
intf_description = ccp_obj.description
# IPv4Obj
intf_v4obj = ccp_obj.ipv4_addr_object
# IPv4 address object: ipaddress.IPv4Address()
intf_v4addr = ccp_obj.ipv4_addr_object.ip
# IPv4 netmask object: ipaddress.IPv4Address()
intf_v4masklength = ccp_obj.ipv4_addr_object.masklength
# set() of IPv4 secondary address/prefixlen strings
intf_v4secondary_networks = ccp_obj.ip_secondary_networks
# set() of IPv4 secondary address strings
intf_v4secondary_addresses = ccp_obj.ip_secondary_addresses
# List of HSRP IPv4 addrs from the ciscoconfpasre/models_cisco.py HSRPInterfaceGroup()
intf_hsrp_addresses = [hsrp_grp.ip for hsrp_grp in ccp_obj.hsrp_interfaces]
# A bool for using HSRP bia mac-address...
intf_hsrp_usebia = any([ii.use_bia for ii in ccp_obj.hsrp_interfaces])
##########################################################################
# Print a simple interface summary
##########################################################################
print("----")
print(f"Interface {ccp_obj.interface_object.name}: {intf_v4addr}/{intf_v4masklength}")
print(f" Interface {intf_name} description: {intf_description}")
##########################################################################
# Print HSRP Group interface tracking information
##########################################################################
print("")
print(f" HSRP tracking for {set([ii.interface_name for ii in ccp_obj.hsrp_interfaces])}")
for hsrp_intf_group in ccp_obj.hsrp_interfaces:
group = hsrp_intf_group.hsrp_group
# hsrp_intf_group.interface_tracking is a list of dictionaries
if len(hsrp_intf_group.interface_tracking) > 0:
print(f" --- HSRP Group {group} ---")
for track_intf in hsrp_intf_group.interface_tracking:
print(f" --- Tracking {track_intf.interface} ---")
print(f" Tracking interface: {track_intf.interface}")
print(f" Tracking decrement: {track_intf.decrement}")
print(f" Tracking weighting: {track_intf.weighting}")
##########################################################################
# Break out inidividual interface name components
# Example: 'Serial3/4/5.6:7 multipoint'
##########################################################################
# The base ciscoconfparse/ccp_util.py CiscoInterface() instance
intf_cisco_interface = ccp_obj.interface_object
# The ciscoconfparse/ccp_util.py CiscoInterface() name, 'Serial3/4/5.6:7 multipoint'
intf_name = ccp_obj.interface_object.name
# The ciscoconfparse/ccp_util.py CiscoInterface() prefix, 'Serial'
intf_prefix = ccp_obj.interface_object.prefix
# The ciscoconfparse/ccp_util.py CiscoInterface() digit separator, '/'
digit_separator = ccp_obj.interface_object.digit_separator or ""
# The ciscoconfparse/ccp_util.py CiscoInterface() slot, 3
intf_slot = ccp_obj.interface_object.slot or ""
# The ciscoconfparse/ccp_util.py CiscoInterface() card, 4
intf_card = ccp_obj.interface_object.card or ""
# The ciscoconfparse/ccp_util.py CiscoInterface() card, 5
intf_port = ccp_obj.interface_object.port
# The ciscoconfparse/ccp_util.py CiscoInterface() subinterface, 6
intf_subinterface = ccp_obj.interface_object.subinterface or ""
# The ciscoconfparse/ccp_util.py CiscoInterface() channel, 7
intf_channel = ccp_obj.interface_object.channel or ""
# The ciscoconfparse/ccp_util.py CiscoInterface() interface_class, 'multipoint'
intf_class = ccp_obj.interface_object.interface_class or ""
##########################################################################
# Extract all IPv4Obj() with re_match_iter_typed()
##########################################################################
_default = None
for _obj in ccp_obj.children:
# Get a dict() from re_match_iter_typed() by caling it with 'groupdict'
intf_dict = _obj.re_match_iter_typed(
# Add a regex match-group called 'v4addr'
r"ip\s+address\s+(?P<v4addr>\S.+?\d)\s*(?P<secondary>secondary)*$",
# Cast the v4addr regex match group as an IPv4Obj() type
groupdict={"v4addr": IPv4Obj, "secondary": str},
# Default to None if there is no regex match
default=_default,
)
intf_ipv4obj = intf_dict["v4addr"]
##########################################################################
# Extract all IPv6Obj() with re_match_iter_typed()
##########################################################################
_default = None
for _obj in ccp_obj.children:
# Get a dict() from re_match_iter_typed() by caling it with 'groupdict'
intf_dict = _obj.re_match_iter_typed(
# Add regex match-groups called 'v6addr' and an optional 'ipv6type'
r"ipv6\s+address\s+(?P<v6addr>\S.+?\d)\s*(?P<v6type>eui.64|link.local)*$",
# Cast the v6addr regex match group as an IPv6Obj() type
groupdict={"v6addr": IPv6Obj, "v6type": str},
# Default to None if there is no regex match
default=_default,
)
intf_ipv6obj = intf_dict["v6addr"]
intf_ipv6type = intf_dict["v6type"]
# Skip this object if it has no IPv6 address
if intf_ipv6obj is _default:
continue
When that is run, you will see information similar to this...
----
Interface FastEthernet0/0: 172.16.2.1/24
Interface FastEthernet0/0 description: [IPv4 and IPv6 desktop / laptop hosts on 2nd-floor North LAN]
HSRP Group tracking for {'FastEthernet0/0'}
--- HSRP Group 110 ---
--- Tracking Dialer1 ---
Tracking interface: Dialer1
Tracking decrement: 75
Tracking weighting: None
--- Tracking FastEthernet 0/1 ---
Tracking interface: FastEthernet 0/1
Tracking decrement: 10
Tracking weighting: None
--- Tracking FastEthernet1/0 ---
Tracking interface: FastEthernet1/0
Tracking decrement: 30
Tracking weighting: None
--- HSRP Group 111 ---
--- Tracking Dialer1 ---
Tracking interface: Dialer1
Tracking decrement: 50
Tracking weighting: None
GRP {'addr': <IPv6Obj fd01:ab00::/64>}
RESULT <IOSIntfLine # 231 'FastEthernet0/0' primary_ipv4: '172.16.2.1/24'> <IPv6Obj fd01:ab00::/64>
Yes. Cisco Systems maintains their own copy of CiscoConfParse()
. The terms of the GPLv3
license allow this as long as they don't distribute their modified private copy in
binary form. Also refer to this GPLv3 License primer / GPLv3 101. Officially, modified
copies of CiscoConfParse source-code must also be licensed as GPLv3.
Dear Cisco Systems: please consider porting your improvements back into
the github ciscoconfparse repo
.
I will not; however, you can take the solution Cisco does above as long as you comply with the GPLv3 terms. If it's truly a problem for your company, there are commercial solutions available (to include purchasing the project, or hiring me).
Don't let that stop you.
As of CiscoConfParse 1.2.4, you can parse brace-delimited configurations into a Cisco IOS style (see Github Issue #17), which means that CiscoConfParse can parse these configurations:
CiscoConfParse also handles anything that has a Cisco IOS style of configuration, which includes:
Use poetry
for Python3.x... :
python -m pip install ciscoconfparse
If you're interested in the source, you can always pull from the github repo:
Download from the github repo: :
git clone git://github.com/mpenning/ciscoconfparse
cd ciscoconfparse/
python -m pip install .
That depends on who you ask. Many companies use CiscoConfParse as part of their network engineering toolbox; others regard it as a form of artwork.
The ciscoconfparse python package requires Python versions 3.7+ (note: Python version 3.7.0 has a bug - ref Github issue #117, but version 3.7.1 works); the OS should not matter.
#pragma warning disable S1313
#pragma warning restore S1313
S1313
is a False-positive that SonarCloud flags in CiscoConfParse.#pragma warning
lines should be carefully-fenced to ensure that we don't disable a SonarCloud alert that is useful.The project's test workflow checks ciscoconfparse on Python versions 3.7 and higher, as well as a pypy JIT executable.
If you already git cloned the repo and want to manually run tests either run with make test
from the base directory, or manually run with pytest
in a unix-like system...
$ cd tests
$ pytest -vvs ./test_*py
...
If you already have have pytest
and pytest-cov
installed, run a test line miss report as shown below.
$ cd tests
$ pytest --cov-report=term-missing --cov=ciscoconfparse ./
...
This uses the example of editing the package on a git branch called develop
...
git clone https://github.com/mpenning/ciscoconfparse
cd ciscoconfparse
git branch develop
git checkout develop
develop
branchmake test
git commit
all the pending changes on the develop
branchcommitizen
to manage versioning.git checkout main
git merge develop
make test
git push origin main
make pypi
Building the ciscoconfparse documentation tarball comes down to this one wierd trick:
cd sphinx-doc/
pip install -r ./requirements.txt; # install Sphinx dependencies
pip install -r ../requirements.txt; # install ccp dependencies
make html
ciscoconfparse is licensed GPLv3
The word "Cisco" is a registered trademark of Cisco Systems.
ciscoconfparse was written by David Michael Pennington (mike [~at~] pennington [.dot.] net).
The following are featured CiscoConfParse users / projects:
netbox: NetBox is the source of truth for everything on your network, from physical components like power systems and cabling to virtual assets like IP addresses and VLANs
nautobot: Network Source of Truth & Network Automation Platform.
nornir: Network Automation via Plugins - A pluggable multi-threaded framework with inventory management to help operate collections of devices
network-importer: The network importer is a tool/library to analyze and/or synchronize an existing network with a Network Source of Truth (SOT), it's designed to be idempotent and by default it's only showing the difference between the running network and the remote SOT.
nuts: NUTS defines a desired network state and checks it against a real network using pytest and nornir.
nettowel: Collection of useful network automation functions
Tacquito: A go TACACS+ implementation
assessment-cmds: Useful show commands to check your Cisco router's health
learn-to-cloud: Primer for Cloud-computing fundamentals
FAQs
Parse, Audit, Query, Build, and Modify Cisco IOS-style and JunOS-style configs
We found that ciscoconfparse demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.