Config File Matches

For the most part, config file matches look almost exactly like configuration commands, with the possible use of wildcards and regular expressions instead of hard-coded arguments. For example, the following config file match specifies an exact match that requires a specific ACL command to be included in the configuration file:

access-list 10 permit 10.76.4.11

This is the simplest and most common type of config file match, which is typically the result of a cut-and-paste from a correct configuration file.

Config file matches are written using the actual syntax defined for the configuration file for a given type of device and software version. In some cases, the syntax is the same across multiple device types or software versions, but in other cases, a different syntax is required. The device filter defined for a rule determines which types of devices can be analyzed using that rule.

To allow a given config file match to match multiple configuration lines, rule authors can include regular expressions for one or more of the command arguments. For example, the following wildcard config file match:

access-list 10 permit 10.76.4.[0-9]+

indicates that an ACL entry must exist for some host in the 10.76.4.0/24 subnet, rather than only for the single host 10.76.4.11 as in the previous example.

The regular expression shown above matches more than just "10.76.4.x", because an unescaped "." is a regular-expression metacharacter that matches any single character, and "[0-9]+" accepts any run of digits, including values above 255. In practice this expression will still match what you want it to match, because only dotted-decimal addresses appear in that argument position of this command. Where a looser match is not acceptable, escape the dots as "\." so that each matches only a literal period, and bound the final octet (for example "[0-9]{1,3}"); most regular-expression dialects support both forms.
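The following is an added example, not code from the original page or from the product it documents. It models the exact match and the wildcard match discussed above with Python's re module (the assumption being that the rule engine's regular-expression dialect behaves like a standard one and searches the line unanchored unless the pattern anchors itself), runs them over a constructed set of configuration lines, and contrasts the textual match with a semantic check that parses the permitted address and tests subnet membership. The tightened pattern, the sample lines, and the helper names are all assumptions made for illustration.

```python
"""Added example: evaluating config file matches against sample config lines.

Not code from the original page or the product it documents; it models the
page's exact and wildcard matches with Python's re module (an assumption about
the rule engine's regex dialect) to show what each actually matches.
"""
import ipaddress
import re

# Constructed sample configuration lines, not taken from a real device.
SAMPLE_CONFIG = [
    "hostname edge-router-1",
    "access-list 10 permit 10.76.4.11",
    "access-list 10 permit 10.76.4.200",
    "access-list 10 permit 10.76.4.1234",    # last octet is not a valid octet
    "access-list 10 permit 10x76y4z11",      # not an address at all
    "access-list 10 permit 10.76.4.11 log",  # extra trailing argument
    "access-list 10 deny any",
]

# The page's exact match: the line must be reproduced verbatim.
EXACT_MATCH = "access-list 10 permit 10.76.4.11"

# The page's wildcard match as written: each unescaped "." matches any character.
LOOSE_MATCH = r"access-list 10 permit 10.76.4.[0-9]+"

# Tightened form (assumed regex semantics): dots escaped so they only match a
# literal ".", the last octet limited to 1-3 digits, and the line anchored at
# both ends so a trailing argument does not slip through.
STRICT_MATCH = r"^access-list 10 permit 10\.76\.4\.[0-9]{1,3}$"


def exact_lines(config, command):
    """Lines equal to the command after trimming surrounding whitespace."""
    return [line for line in config if line.strip() == command]


def regex_lines(config, pattern):
    """Lines where the pattern is found; unanchored unless the pattern anchors itself."""
    rx = re.compile(pattern)
    return [line for line in config if rx.search(line.strip())]


def permitted_hosts_in(config, subnet, acl="10"):
    """Semantic check instead of a textual one: parse the permit target as an
    IP address and keep only lines whose address really lies in `subnet`."""
    net = ipaddress.ip_network(subnet)
    prefix = f"access-list {acl} permit "
    hits = []
    for line in config:
        line = line.strip()
        if not line.startswith(prefix):
            continue
        target = line[len(prefix):].split()[0]
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            continue  # "10x76y4z11" and "10.76.4.1234" are not addresses
        if addr in net:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("exact :", exact_lines(SAMPLE_CONFIG, EXACT_MATCH))
    print("loose :", regex_lines(SAMPLE_CONFIG, LOOSE_MATCH))
    print("strict:", regex_lines(SAMPLE_CONFIG, STRICT_MATCH))
    print("subnet:", permitted_hosts_in(SAMPLE_CONFIG, "10.76.4.0/24"))
```

Run as a script, the loose pattern reports five lines, including the garbage "10x76y4z11" and the out-of-range "10.76.4.1234"; the escaped and anchored pattern reports only the two genuine 10.76.4.0/24 entries; and the subnet check additionally accepts the "10.76.4.11 log" line, because its address is valid even though the line carries an extra argument, which is the behaviour you would want when the rule's intent is "a host in this subnet is permitted" rather than "this exact line exists".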