ciscoconfparse

ciscoconfparse parses, audits, queries, builds, and modifies Cisco IOS configurations.

Suppose you have a large switched network and need to run audits on your configurations; assume you need to build configurations which conform to the following criteria:

  • Access switchports must be configured with storm-control
  • Trunk ports must not have port-security
  • Timestamps must be enabled on logging and debug messages

The steps below walk through one way to do this.

  1. Assume that you start with the following Cisco IOS configuration saved as short.conf:

    !
    interface FastEthernet0/1
     switchport mode access
     switchport access vlan 532
    !
    interface FastEthernet0/2
     switchport mode trunk
     switchport trunk allowed 300,532
     switchport nonegotiate
     switchport port-security maximum 2
     switchport port-security violation restrict
     switchport port-security
    !
    interface FastEthernet0/3
     switchport mode access
     switchport access vlan 300
    !
    end
    
  2. Next, we build this script to read and change the config:

    # required if running Python 2.6...
    from __future__ import with_statement
    
    from ciscoconfparse import CiscoConfParse
    
    def standardize_intfs(parse):
    
        ## Search all switch interfaces and modify them
        #
        # r'^interface.+?thernet' is a regular expression, for ethernet intfs
        for intf in parse.find_objects(r'^interface.+?thernet'):
    
            has_stormcontrol = intf.has_child_with(r' storm-control broadcast')
            is_switchport_access = intf.has_child_with(r'switchport mode access')
            is_switchport_trunk = intf.has_child_with(r'switchport mode trunk')
    
            ## Add missing features
            if is_switchport_access and (not has_stormcontrol):
                intf.append_to_family(' storm-control action trap')
                intf.append_to_family(' storm-control broadcast level 0.4 0.3')
    
            ## Remove dot1q trunk misconfiguration...
            elif is_switchport_trunk:
                intf.delete_children_matching('port-security')
    
    ## Parse the config
    parse = CiscoConfParse('short.conf')
    
    ## Add a new switchport at the bottom of the config...
    obj = parse.find_objects('^end').pop()  # Find the last object in the config
    obj.insert_before('interface FastEthernet0/4')
    obj.insert_before(' switchport')
    obj.insert_before(' switchport mode access')
    obj.insert_before('!')
    parse.commit()     # commit() **must** be called before searching again
    
    ## Search and standardize the interfaces...
    standardize_intfs(parse)
    parse.commit()     # commit() **must** be called before searching again
    
    ## I'm illustrating regular expression usage in has_line_with()
    if not parse.has_line_with(r'^service\stimestamp'):
        ## prepend_line() adds a line at the top of the configuration
        parse.prepend_line('service timestamps debug datetime msec localtime show-timezone')
        parse.prepend_line('service timestamps log datetime msec localtime show-timezone')
    
    ## Write the new configuration
    parse.save_as('short.conf.new')
    

Normally, regular expressions should be used in .has_child_with(); however, in some cases you can technically get away with the bare strings that I used in standardize_intfs(). That said, regular expressions are more powerful and more reliable when searching text. The has_line_with() and find_objects() calls illustrate regular expression syntax.

  3. After the script runs, the new configuration (short.conf.new) looks like this:

    service timestamps log datetime msec localtime show-timezone
    service timestamps debug datetime msec localtime show-timezone
    !
    interface FastEthernet0/1
     switchport mode access
     switchport access vlan 532
     storm-control broadcast level 0.4 0.3
     storm-control action trap
    !
    interface FastEthernet0/2
     switchport mode trunk
     switchport trunk allowed 300,532
     switchport nonegotiate
    !
    interface FastEthernet0/3
     switchport mode access
     switchport access vlan 300
     storm-control broadcast level 0.4 0.3
     storm-control action trap
    !
    interface FastEthernet0/4
     switchport
     switchport mode access
     storm-control broadcast level 0.4 0.3
     storm-control action trap
    !
    end
    

The script:

  • Added a switchport named FastEthernet0/4
  • Added storm-control to Fa0/1, Fa0/3, and Fa0/4
  • Removed port-security from Fa0/2
  • Added timestamps to logs and debug messages
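
The script above fixes the configuration in place. A read-only audit of the same three criteria, which reports violations without changing anything, is shown here as an added example; it is not part of ciscoconfparse or its README, it uses only the standard library, and the names `parse_blocks`, `audit` and `SHORT_CONF` are hypothetical:

```python
import re
# Sample input: the short.conf contents from step 1, embedded so this runs offline.
SHORT_CONF = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 532
!
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk allowed 300,532
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 300
!
end
"""

def parse_blocks(text):
    """Map each unindented parent line to its indented child lines."""
    blocks, parent = {}, None
    for line in text.splitlines():
        if line[:1] == ' ' and parent is not None:
            blocks[parent].append(line.strip())
        elif line.strip() and not line.startswith('!'):
            parent = line.rstrip()
            blocks.setdefault(parent, [])
    return blocks

def audit(text):
    """Return (scope, finding) pairs for the three criteria; changes nothing."""
    findings, blocks = [], parse_blocks(text)
    for parent, kids in blocks.items():
        if not re.search(r'^interface.+?thernet', parent):
            continue
        has = lambda pat: any(re.search(pat, k) for k in kids)
        if has(r'^switchport mode access$') and not has(r'^storm-control broadcast'):
            findings.append((parent, 'access port without storm-control'))
        if has(r'^switchport mode trunk$') and has(r'^switchport port-security'):
            findings.append((parent, 'trunk port with port-security'))
    for kind in ('log', 'debug'):
        if not any(re.search(r'^service timestamps %s\b' % kind, p) for p in blocks):
            findings.append(('global', 'no timestamps on %s messages' % kind))
    return findings
```

Running `audit()` on short.conf.new should return an empty list, which makes it a quick regression check after the modifying script has run.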

The latest copy of the docs is archived on the web.

ciscoconfparse needs Python versions 2.6, 2.7 or 3.2+; the OS should not matter. If you want to run it under a Python virtualenv, it's been heavily tested in that environment as well.

The best way to get ciscoconfparse is with setuptools or pip. If you already have setuptools, you can install as usual:

    # Substitute whatever ciscoconfparse version you like...
    easy_install -U ciscoconfparse==0.9.17

Alternatively you can install with pip:

    pip install ciscoconfparse

Otherwise download it from PyPI, extract it and run the setup.py script:

    python setup.py install

If you're interested in the source, you can always pull from the github repo or bitbucket repo:

  • From bitbucket:

    hg init
    hg clone https://bitbucket.org/mpenning/ciscoconfparse
    
  • From github:

    git clone git://github.com/mpenning/ciscoconfparse
    

ciscoconfparse is licensed GPLv3; Copyright David Michael Pennington, 2007-2014.

The ipaddr module is distributed with ciscoconfparse to facilitate unit tests. ipaddr uses the ASF License 2.0; ipaddr is part of the Python standard library, starting in Python 3.3.

  1. QUESTION: I want to use ciscoconfparse with Python3; is that safe? ANSWER: As long as you're using Python 3.2 or higher, it's safe. I test every release against Python 3.2+.
  2. QUESTION: The example in this README.rst file looks different than what I'm used to seeing. Did you change something? ANSWER: Yes, starting around ciscoconfparse v0.9.10 I introduced more methods directly on IOSConfigLine objects; going forward, these methods are the preferred way to use ciscoconfparse, although the sphinx docs on my website haven't been updated yet. Please start using the new methods shown in the example, since they're faster, and you type much less code this way. Eventually I'm going to deprecate the original style ciscoconfparse methods, but that's not going to happen yet.
  3. QUESTION: ciscoconfparse saved me a lot of time, I want to give money. Do you have a donation link? ANSWER: I love getting emails like this; helping people get their jobs done is why I wrote the module. However, I'm not accepting donations.
  4. QUESTION: Is there a way to use this module with perl? ANSWER: Yes, I do this myself. Install the python package as you normally would and import it into perl with Inline.pm and Inline::Python from CPAN.
  5. QUESTION: When I use find_children("interface GigabitEthernet3/2"), I'm getting all interfaces beginning with 3/2, including 3/21, 3/22, 3/23 and 3/24. How can I limit my results? ANSWER: There are two ways... the simplest is to use the 'exactmatch' option... find_children("interface GigabitEthernet3/2", exactmatch=True). Another way is to utilize regex expansion that is native to many methods... find_children("interface GigabitEthernet3/2$")

Please report any suggestions, bug reports, or annoyances with ciscoconfparse through the bitbucket bug tracker.

If you're having problems with general python issues, consider searching for a solution on Stack Overflow. If you can't find a solution for your problem or need more help, you can ask a question.

If you're having problems with your Cisco devices, you can open a case with Cisco TAC; if you prefer crowd-sourcing, you can ask on the Stack Exchange Network Engineering site.

ciscoconfparse is developed with mercurial, and pushed to bitbucket. hg-git keeps github repo and bitbucket in sync, so it shouldn't matter if you just want to fork the github repo.

Due to real-life time limitations, the docs are getting behind the bitbucket repo. Even if you think your Python isn't good enough to contribute directly, I also value thoughtful improvements to the docs.

I use the Travis CI project to continuously test ciscoconfparse on Python versions 2.6 through 3.3.

ciscoconfparse was written by David Michael Pennington (mike [~at~] pennington [/dot] net).

Special thanks:

  • Thanks to David Muir Sharnoff for his suggestion about making a special case for IOS banners.
  • Thanks to Alan Cownie for his API suggestions.
  • Sola Dei Gloria.
