ciscoconfparse
Important: ciscoconfparse2
ciscoconfparse is End of Life
As of December 14, 2023 ciscoconfparse2 is released; this is equivalent to version 2.0 of ciscoconfparse, but ciscoconfparse2 is a different PYPI project.
You should upgrade; here's why, ciscoconfparse2:
- It supports all major network vendor text configuration files (Arista, Cisco, F5, Juniper, Palo Alto)
- It supports searching across any number of configuration levels (ciscoconfparse only supports two config levels : a parent and child)
- It adds a string methods so you don't need to use regex matching if you don't want to
- It adds a CLI command
- Revamped documentation
- It simplifies the user interface and fixes broken ciscoconfparse default parameters (this could require changing old scripts using the original API)
- It intentionally uses a new python import to minimize confusion between itself and the original
NOTE ciscoconfparse2 deprecates many legacy ciscoconfparse APIs; overall this is a good thing because ciscoconfparse2 is easier to use. As such, test your code before using ciscoconfparse2 as a drop-in replacement.
Introduction: What is ciscoconfparse?
Short answer: ciscoconfparse is a Python library
that helps you quickly answer questions like these about your
Cisco configurations:
- What interfaces are shutdown?
- Which interfaces are in trunk mode?
- What address and subnet mask is assigned to each interface?
- Which interfaces are missing a critical command?
- Is this configuration missing a standard config line?
It can help you:
- Audit existing router / switch / firewall / wlc configurations
- Modify existing configurations
- Build new configurations
Speaking generally, the library examines an IOS-style config and breaks
it into a set of linked parent / child relationships. You can perform
complex queries about these relationships.
Generic Usage
The following code will parse a configuration stored in
exampleswitch.conf
and select interfaces that are shutdown.
In this case, the parent is a line containing interface
and
the child is a line containing the word shutdown
.
from ciscoconfparse import CiscoConfParse
parse = CiscoConfParse('exampleswitch.conf', syntax='ios')
for intf_obj in parse.find_parent_objects('^interface', '^\s+shutdown'):
print("Shutdown: " + intf_obj.text)
The next example will find the IP address assigned to interfaces.
from ciscoconfparse import CiscoConfParse
parse = CiscoConfParse('exampleswitch.conf', syntax='ios')
for ccp_obj in parse.find_objects('^interface'):
intf_name = ccp_obj.re_match_typed('^interface\s+(\S.+?)$')
intf_ip_addr = ccp_obj.re_match_iter_typed(
r'ip\saddress\s(\d+\.\d+\.\d+\.\d+)\s', result_type=str,
group=1, default='')
print(f"{intf_name}: {intf_ip_addr}")
Cisco IOS Factory Usage
CiscoConfParse has a special feature that abstracts common IOS / NXOS / ASA / IOSXR fields; at this time, it is only supported on those configuration types. You will see factory parsing in CiscoConfParse code as parsing the configuration with factory=True
. A fraction of these pre-parsed Cisco IOS fields follows; some variables are not used below, but simply called out for quick reference.
from ciscoconfparse import IPv4Obj, IPv6Obj
from ciscoconfparse import CiscoConfParse
parse = CiscoConfParse('tests/fixtures/configs/sample_08.ios', syntax='ios', factory=True)
for ccp_obj in parse.find_objects('^interface'):
if len(ccp_obj.hsrp_interfaces) == 0:
continue
intf_name = ccp_obj.name
intf_description = ccp_obj.description
intf_v4obj = ccp_obj.ipv4_addr_object
intf_v4addr = ccp_obj.ipv4_addr_object.ip
intf_v4masklength = ccp_obj.ipv4_addr_object.masklength
intf_v4secondary_networks = ccp_obj.ip_secondary_networks
intf_v4secondary_addresses = ccp_obj.ip_secondary_addresses
intf_hsrp_addresses = [hsrp_grp.ip for hsrp_grp in ccp_obj.hsrp_interfaces]
intf_hsrp_usebia = any([ii.use_bia for ii in ccp_obj.hsrp_interfaces])
print("----")
print(f"Interface {ccp_obj.interface_object.name}: {intf_v4addr}/{intf_v4masklength}")
print(f" Interface {intf_name} description: {intf_description}")
print("")
print(f" HSRP tracking for {set([ii.interface_name for ii in ccp_obj.hsrp_interfaces])}")
for hsrp_intf_group in ccp_obj.hsrp_interfaces:
group = hsrp_intf_group.hsrp_group
if len(hsrp_intf_group.interface_tracking) > 0:
print(f" --- HSRP Group {group} ---")
for track_intf in hsrp_intf_group.interface_tracking:
print(f" --- Tracking {track_intf.interface} ---")
print(f" Tracking interface: {track_intf.interface}")
print(f" Tracking decrement: {track_intf.decrement}")
print(f" Tracking weighting: {track_intf.weighting}")
intf_cisco_interface = ccp_obj.interface_object
intf_name = ccp_obj.interface_object.name
intf_prefix = ccp_obj.interface_object.prefix
digit_separator = ccp_obj.interface_object.digit_separator or ""
intf_slot = ccp_obj.interface_object.slot or ""
intf_card = ccp_obj.interface_object.card or ""
intf_port = ccp_obj.interface_object.port
intf_subinterface = ccp_obj.interface_object.subinterface or ""
intf_channel = ccp_obj.interface_object.channel or ""
intf_class = ccp_obj.interface_object.interface_class or ""
_default = None
for _obj in ccp_obj.children:
intf_dict = _obj.re_match_iter_typed(
r"ip\s+address\s+(?P<v4addr>\S.+?\d)\s*(?P<secondary>secondary)*$",
groupdict={"v4addr": IPv4Obj, "secondary": str},
default=_default,
)
intf_ipv4obj = intf_dict["v4addr"]
_default = None
for _obj in ccp_obj.children:
intf_dict = _obj.re_match_iter_typed(
r"ipv6\s+address\s+(?P<v6addr>\S.+?\d)\s*(?P<v6type>eui.64|link.local)*$",
groupdict={"v6addr": IPv6Obj, "v6type": str},
default=_default,
)
intf_ipv6obj = intf_dict["v6addr"]
intf_ipv6type = intf_dict["v6type"]
if intf_ipv6obj is _default:
continue
When that is run, you will see information similar to this...
----
Interface FastEthernet0/0: 172.16.2.1/24
Interface FastEthernet0/0 description: [IPv4 and IPv6 desktop / laptop hosts on 2nd-floor North LAN]
HSRP Group tracking for {'FastEthernet0/0'}
--- HSRP Group 110 ---
--- Tracking Dialer1 ---
Tracking interface: Dialer1
Tracking decrement: 75
Tracking weighting: None
--- Tracking FastEthernet 0/1 ---
Tracking interface: FastEthernet 0/1
Tracking decrement: 10
Tracking weighting: None
--- Tracking FastEthernet1/0 ---
Tracking interface: FastEthernet1/0
Tracking decrement: 30
Tracking weighting: None
--- HSRP Group 111 ---
--- Tracking Dialer1 ---
Tracking interface: Dialer1
Tracking decrement: 50
Tracking weighting: None
GRP {'addr': <IPv6Obj fd01:ab00::/64>}
RESULT <IOSIntfLine # 231 'FastEthernet0/0' primary_ipv4: '172.16.2.1/24'> <IPv6Obj fd01:ab00::/64>
Are there private copies of CiscoConfParse()?
Yes. Cisco Systems maintains their own copy of CiscoConfParse()
. The terms of the GPLv3
license allow this as long as they don't distribute their modified private copy in
binary form. Also refer to this GPLv3 License primer / GPLv3 101. Officially, modified
copies of CiscoConfParse source-code must also be licensed as GPLv3.
Dear Cisco Systems: please consider porting your improvements back into
the github ciscoconfparse repo
.
Are you releasing licensing besides GPLv3?
I will not; however, you can take the solution Cisco does above as long as you comply with the GPLv3 terms. If it's truly a problem for your company, there are commercial solutions available (to include purchasing the project, or hiring me).
What if we don't use Cisco IOS?
Don't let that stop you.
As of CiscoConfParse 1.2.4, you can parse brace-delimited configurations into a Cisco IOS style (see Github Issue #17), which means that CiscoConfParse can parse these configurations:
- Juniper Networks Junos
- Palo Alto Networks Firewall configurations
- F5 Networks configurations
CiscoConfParse also handles anything that has a Cisco IOS style of configuration, which includes:
- Cisco IOS, Cisco Nexus, Cisco IOS-XR, Cisco IOS-XE, Aironet OS, Cisco ASA, Cisco CatOS
- Arista EOS
- Brocade
- HP Switches
- Force 10 Switches
- Dell PowerConnect Switches
- Extreme Networks
- Enterasys
- Screenos
Docs
Installation and Downloads
If you're interested in the source, you can always pull from the github repo:
Github Star History
What is the pythonic way of handling script credentials?
- Never hard-code credentials
- Use python-dotenv
Is this a tool, or is it artwork?
That depends on who you ask. Many companies use CiscoConfParse as part of their
network engineering toolbox; others regard it as a form of artwork.
Pre-requisites
The ciscoconfparse python package requires Python versions 3.7+ (note: Python version 3.7.0 has a bug - ref Github issue #117, but version 3.7.1 works); the OS should not matter.
Other Resources
Bug Tracker and Support
- Please report any suggestions, bug reports, or annoyances with a github bug report.
- If you're having problems with general python issues, consider searching for a solution on Stack Overflow. If you can't find a solution for your problem or need more help, you can ask on Stack Overflow or reddit/r/Python.
- If you're having problems with your Cisco devices, you can contact:
Dependencies
Unit-Tests and Development
- We are manually disabling some SonarCloud alerts with:
#pragma warning disable S1313
#pragma warning restore S1313
- Where
S1313
is a False-positive that SonarCloud flags in CiscoConfParse. - Those
#pragma warning
lines should be carefully-fenced to ensure that we don't disable a SonarCloud alert that is useful.
Semantic Versioning and Conventional Commits
Execute Unit tests
The project's test workflow checks ciscoconfparse on Python versions 3.7 and higher, as well as a pypy JIT executable.
If you already git cloned the repo and want to manually run tests either run with make test
from the base directory, or manually run with pytest
in a unix-like system...
$ cd tests
$ pytest -vvs ./test_*py
...
Execute Miss Report
If you already have have pytest
and pytest-cov
installed, run a test line miss report as shown below.
$ cd tests
$ pytest --cov-report=term-missing --cov=ciscoconfparse ./
...
Editing the Package
This uses the example of editing the package on a git branch called develop
...
git clone https://github.com/mpenning/ciscoconfparse
cd ciscoconfparse
git branch develop
git checkout develop
- Add / modify / delete on the
develop
branch make test
- If tests run clean,
git commit
all the pending changes on the develop
branch - If you plan to publish this as an official version rev, edit the version number in pyproject.toml. In the future, we want to integrate
commitizen
to manage versioning. git checkout main
git merge develop
make test
git push origin main
make pypi
Sphinx Documentation
Building the ciscoconfparse documentation tarball comes down to this one wierd trick:
cd sphinx-doc/
pip install -r ./requirements.txt; # install Sphinx dependencies
pip install -r ../requirements.txt; # install ccp dependencies
make html
License and Copyright
ciscoconfparse is licensed GPLv3
- Copyright (C) 2022-2023 David Michael Pennington
- Copyright (C) 2022 David Michael Pennington at WellSky
- Copyright (C) 2022 David Michael Pennington
- Copyright (C) 2019-2021 David Michael Pennington at Cisco Systems / ThousandEyes
- Copyright (C) 2012-2019 David Michael Pennington at Samsung Data Services
- Copyright (C) 2011-2012 David Michael Pennington at Dell Computer Corp
- Copyright (C) 2007-2011 David Michael Pennington
The word "Cisco" is a registered trademark of Cisco Systems.
Author
ciscoconfparse was written by David Michael Pennington (mike [~at~] pennington [.dot.] net).
Interesting Users (and some downstream projects)
The following are featured CiscoConfParse users / projects:
- salt
- suzieq: SuzieQ collects, normalizes, and stores timestamped data that is otherwise only available to engineers by logging into each device, providing a rich data lake that can be queried and leveraged for next generation monitoring and alerting
- netwalk: Python library to discover, parse, analyze and change Cisco switched networks
- netlint
- cisco_switchport_auditor: Parses Cisco switch configuration into Switch & Interface objects to access configuration details of the aforementioned in a programatic manner. Works with SSH, RESTCONF, or with running/start-up config files.
- nipper-ng: a network security analyzer
- pynipper-ng: a network security analyzer
- build_fabric: Build a declarative Cisco NXOS leaf and spine fabric using Ansible
- junos-ansible
- faddr
- NetOpsNornir
- adala: Extract useful information about your Cisco network
- xlina:
- organize_acls.py: Extract and organize access-list configurations and organizes associated objects and object-groups.
- organize_anyconnect.py: Extract and organize Anyconnect profiles and associated group policies, auth servers, access-lists, etc
- organize_static_nats.py: Extract and organize static nat configurations and associated objects and object-groups
- organize_auto_nat.py: Extract and organize auto nat configurations with associated objects
- organize_crypto_maps.py: Extract and organize crypto map configurations and associated access-lists, transform-sets, tunnel-groups, etc
- Catalyst_2_Meraki_Config_Checker: Check the Cisco Catalyst configuration text file and verify if they are supported by the Meraki MS platform.
- parse_nxos_config: Generates an Excel file with the information gathered from running-config file from Cisco NXOS
- Nornir3_CDP_map: Set interface descriptions by looking at the hostname of its CDP neighbor
- devicebanner: Update the banner message of the day on network devices
- iosconfigslicer: Simple script to slice Cisco configuration file, and replicate sections of the config via SSH to another device
- ciscocfg: a simple RPCd for ciscoconfparse
- confParser: SSH with paramiko, and dump information about your configs into sqllite3 / Excel
- parse_config: Dump information about your Vlans / VRFs to excel
- Finally, Cisco Systems Product Engineering and Advanced Services
Other Useful Network Management Projects
-
netbox: NetBox is the source of truth for everything on your network, from physical components like power systems and cabling to virtual assets like IP addresses and VLANs
-
nautobot: Network Source of Truth & Network Automation Platform.
-
nornir: Network Automation via Plugins - A pluggable multi-threaded framework with inventory management to help operate collections of devices
-
network-importer: The network importer is a tool/library to analyze and/or synchronize an existing network with a Network Source of Truth (SOT), it's designed to be idempotent and by default it's only showing the difference between the running network and the remote SOT.
-
nuts: NUTS defines a desired network state and checks it against a real network using pytest and nornir.
-
jerikan:
-
nettowel: Collection of useful network automation functions
-
napalm-panos
-
Tacquito: A go TACACS+ implementation
-
assessment-cmds: Useful show commands to check your Cisco router's health
-
learn-to-cloud: Primer for Cloud-computing fundamentals