Nov 24, 2010

Tips on output filtering

During troubleshooting sessions, you execute several show commands to collect information. Oftentimes you don't need all the output, then you use the vertical bar (aka pipe symbol) to filter. In this article I will show some useful filtering expressions.

The filtering expression is a Cisco IOS regular expression (regex). You can find the meaning for the special characters in command reference documents.

Let's use the routing table below to test some filtering expressions (I used the begin operator to exclude the codes from the output):

asa# sh route | begin Gateway
Gateway of last resort is 192.0.2.254 to network 0.0.0.0

S 172.17.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 172.16.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.2.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.3.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
C 10.0.0.0 255.255.255.0 is directly connected, inside
S 10.1.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.4.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
C 192.0.2.0 255.255.255.0 is directly connected, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.0.2.254, outside


1) Filtering 10.x.x.x routes:
 
asa# sh route | i 10\.
S 172.17.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 172.16.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.2.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.3.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
C 10.0.0.0 255.255.255.0 is directly connected, inside
S 10.1.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.4.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside


This first expression includes routes for 172.16 and 172.17 because the gateway address starts with "10.". Thus we need to filter using another expression:
 
asa# sh route | i 10.*255
S 10.2.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.3.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
C 10.0.0.0 255.255.255.0 is directly connected, inside
S 10.1.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.4.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside

 
Now we got only the lines with "10" followed by "255" after a string of undefined length.
 
2) Filtering 10.1.0.0 and 10.4.0.0:
 
asa# sh route | i 10\.[1,4]\.0\.0
S 10.1.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.4.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside


3) Filtering 10.2.0.0, 10.3.0.0 and 10.4.0.0:
 
asa# sh route | i 10\.[2-4]\.0\.0
S 10.2.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.3.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.4.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside


4) Filtering 10.0.0.0, 10.2.0.0, 10.3.0.0 and 10.4.0.0:
 
asa# sh route | i 10\.[0,2-4]\.0\.0
S 10.2.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
S 10.3.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside
C 10.0.0.0 255.255.255.0 is directly connected, inside
S 10.4.0.0 255.255.0.0 [1/0] via 10.0.0.254, inside


Now I will use other commands to demonstrate some filter expressions.

5) Filtering ACEs with www or https or smtp:

asa# sh run access-l outside_access_in | i www|https|smtp
access-list outside_access_in extended permit tcp any host mail_Server eq smtp
access-list outside_access_in extended permit tcp any host web_server eq www
access-list outside_access_in extended permit tcp any host web_server eq https

6) Ignore case:
 
asa# sh run name | i [s|S]erver
name 192.0.2.11 web_server
name 192.0.2.10 mail_Server



Parentheses are not supported. Therefore we need to use a backslash to use these special characters:

asa# sh run static | i outside)
% unmatched ()ERROR: Failed to compile regular expression for show filter.

asa# sh run static | i outside\)
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) 192.0.2.11 10.0.0.11 netmask 255.255.255.255

asa# sh run static | i (inside
% unmatched ()ERROR: Failed to compile regular expression for show filter.

asa# sh run static | i \(inside
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
static (inside,outside) 192.0.2.11 10.0.0.11 netmask 255.255.255.255
static (inside,outside_backup) 172.31.0.11 10.0.0.11 netmask 255.255.255.255


There are many possible expressions, but these ones may be useful on day-to-day activities.
 
 
asa(config)# end
asa# wr mem

No comments:

Post a Comment