Validate router and switch configurations before deployment, surfacing security and connectivity risks ahead of time.
Install instructions (copy into the AI assistant and let it complete the setup; recommended for new users):
Please install the "network-config-validation" skill from askskill: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/skills/network-config-validation/SKILL.md 2. Save it as ~/.claude/skills/network-config-validation/SKILL.md 3. Once installed, reload the skills and tell me it is ready to use.
Prompt: Please review the following router and switch configurations. Identify dangerous commands, duplicate IP addresses, overlapping subnets, dangling references, management-plane exposure, and deviations from IOS security best practice, ranked by severity with remediation advice for each: [paste configuration text]
Expected output: a configuration review report grouped by severity, giving the location of each issue, the risk it poses, and the recommended fix.
Prompt: I have configurations from several network devices. Cross-check interface addresses, VLAN subnets and static routes to find duplicate addresses, overlapping subnets and conflicts that could cause routing problems, and list the affected devices: [paste multiple configurations]
Expected output: a cross-device conflict list stating the conflict type, the devices involved and the suggested adjustment.
Prompt: Focus on management-plane security in this network configuration: Telnet/SSH, SNMP, ACLs, the management VLAN, weak-password risk, unrestricted access sources and logging/audit settings, and give hardening recommendations: [paste configuration text]
Expected output: a management-plane security assessment that names the weak points and gives actionable hardening measures.
Use this skill to review network configuration before a change window or before an automation run touches production devices.
Treat config validation as layered evidence, not as a complete parser. Regex checks are useful for pre-flight warnings, but final approval still needs a network engineer to review intent, platform syntax, and rollback steps.
Validate in this order:
```python
import re

# Each pattern is paired with the reason it is flagged. A match is evidence for the
# reviewer, not proof that the change is unsafe (for example, "format" also appears
# in interface descriptions).
DANGEROUS_PATTERNS: list[tuple[re.Pattern[str], str]] = [
    (re.compile(r"\breload\b", re.I), "reload causes downtime"),
    (re.compile(r"\berase\s+(startup|nvram|flash)", re.I), "erases persistent storage"),
    (re.compile(r"\bformat\b", re.I), "formats a device filesystem"),
    (re.compile(r"\bno\s+router\s+(bgp|ospf|eigrp)\b", re.I), "removes a routing process"),
    (re.compile(r"\bno\s+interface\s+\S+", re.I), "removes interface configuration"),
    (re.compile(r"\baaa\s+new-model\b", re.I), "changes authentication behavior"),
    (re.compile(r"\bcrypto\s+key\s+(zeroize|generate)\b", re.I), "changes device SSH keys"),
]


def find_dangerous_commands(lines: list[str]) -> list[dict[str, str | int]]:
    """Return one finding per matching line, keyed by its 1-based line number."""
    findings = []
    for line_number, line in enumerate(lines, start=1):
        stripped = line.strip()
        for pattern, reason in DANGEROUS_PATTERNS:
            if pattern.search(stripped):
                findings.append({
                    "line": line_number,
                    "command": stripped,
                    "reason": reason,
                })
    return findings
```
```python
import ipaddress
import re
from collections import Counter

# Matches the indented "ip address A.B.C.D M.M.M.M" line inside an interface section.
# "no ip address" does not match because the line must begin with "ip address".
IP_ADDRESS_RE = re.compile(
    r"^\s*ip address\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\b",
    re.I | re.M,
)


def extract_interfaces(config: str) -> list[dict[str, str]]:
    """Pair every "interface ..." header with the primary/secondary address under it.

    Addresses are not scoped by VRF here: the same subnet in two VRFs is legitimate
    but will still be reported by the overlap check below.
    """
    results = []
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(maxsplit=1)[1]
            continue
        match = IP_ADDRESS_RE.match(line)
        if current and match:
            ip = match.group("ip")
            mask = match.group("mask")
            # ipaddress accepts a dotted-decimal mask after the slash
            network = ipaddress.ip_interface(f"{ip}/{mask}").network
            results.append({"interface": current, "ip": ip, "network": str(network)})
    return results


def find_duplicate_ips(config: str) -> list[str]:
    ips = [entry["ip"] for entry in extract_interfaces(config)]
    counts = Counter(ips)
    return sorted(ip for ip, count in counts.items() if count > 1)


def find_subnet_overlaps(config: str) -> list[tuple[str, str]]:
    networks = [ipaddress.ip_network(entry["network"]) for entry in extract_interfaces(config)]
    overlaps = []
    for index, left in enumerate(networks):
        for right in networks[index + 1:]:
            if left.overlaps(right):
                overlaps.append((str(left), str(right)))
    return overlaps
```
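The second prompt above asks for the same duplicate-address and overlap checks run across several devices, naming the devices involved. The block below is an added example, not code from the original skill: it re-parses interface addresses itself so that it runs stand-alone, tracks the interface VRF (`vrf forwarding` / `ip vrf forwarding`) so that address space reused in another VRF is not reported, and treats an identical subnet on two different devices as a shared segment rather than a conflict, while still reporting it on a single device. The device names and configurations are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample configurations for two devices; not taken from any real network.
CONFIGS: dict[str, str] = {
    "core-sw1": """\
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
""",
    "edge-r1": """\
interface GigabitEthernet0/0
 ip address 10.10.0.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.20.0.129 255.255.255.128
interface GigabitEthernet0/2
 vrf forwarding MGMT
 ip address 10.20.0.5 255.255.255.0
interface Loopback0
 ip address 192.0.2.2 255.255.255.255
""",
}

IP_ADDRESS_RE = re.compile(
    r"^\s*ip address\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\b", re.I
)
# Both the older "ip vrf forwarding" and the newer "vrf forwarding" forms
VRF_RE = re.compile(r"^\s*(?:ip\s+)?vrf\s+forwarding\s+(?P<vrf>\S+)", re.I)


def collect_addresses(configs: dict[str, str]) -> list[dict]:
    """Flatten every addressed interface across all devices, tagged with its VRF."""
    found = []
    for device, config in configs.items():
        iface, vrf = None, "global"
        for line in config.splitlines():
            if line.startswith("interface "):
                iface, vrf = line.split(maxsplit=1)[1], "global"  # a new section resets the VRF
                continue
            if vrf_match := VRF_RE.match(line):
                vrf = vrf_match["vrf"]
                continue
            match = IP_ADDRESS_RE.match(line)
            if iface and match:
                addr = ipaddress.ip_interface(f"{match['ip']}/{match['mask']}")
                found.append({"device": device, "interface": iface, "vrf": vrf, "addr": addr})
    return found


def cross_device_conflicts(configs: dict[str, str]) -> list[dict]:
    """Duplicate host addresses and overlapping prefixes, each scoped to one VRF."""
    entries = collect_addresses(configs)
    findings: list[dict] = []

    by_ip: dict[tuple[str, str], list[str]] = defaultdict(list)
    for entry in entries:
        by_ip[(entry["vrf"], str(entry["addr"].ip))].append(f"{entry['device']}:{entry['interface']}")
    for (vrf, ip), owners in sorted(by_ip.items()):
        if len(owners) > 1:
            findings.append({"type": "duplicate-ip", "vrf": vrf, "value": ip, "devices": owners})

    # Identical subnets on two different devices are a shared segment, which is normal;
    # any other overlap (or any overlap on one device) is a routing conflict.
    for index, left in enumerate(entries):
        for right in entries[index + 1:]:
            if left["vrf"] != right["vrf"]:
                continue
            net_l, net_r = left["addr"].network, right["addr"].network
            if not net_l.overlaps(net_r):
                continue
            if net_l == net_r and left["device"] != right["device"]:
                continue
            findings.append({
                "type": "subnet-overlap", "vrf": left["vrf"], "value": f"{net_l} vs {net_r}",
                "devices": [f"{left['device']}:{left['interface']}", f"{right['device']}:{right['interface']}"],
            })
    return findings
```

On the sample above this reports the duplicate 10.10.0.1 on both devices and the 10.20.0.0/24 versus 10.20.0.128/25 overlap, but not the MGMT-VRF interface that reuses 10.20.0.0/24.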
Parse VTY blocks by section so access-class checks do not spill across unrelated lines.
```python
def iter_blocks(config: str, starts_with: str) -> list[str]:
    """Return each section whose header starts with `starts_with` (for example
    "line vty") together with its indented child lines, joined as one string."""
    blocks = []
    current: list[str] = []
    for line in config.splitlines():
        if line.startswith(starts_with):
            if current:
                blocks.append("\n".join(current))
            current = [line]
        elif current and line.startswith(" "):
            current.append(line)
        elif current:  # an unindented line closes the open section
            blocks.append("\n".join(current))
            current = []
    if current:
        blocks.append("\n".join(current))
    return blocks
```
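The third prompt above asks for a management-plane review. The block below is an added example, not the skill's own code, and is self-contained: it groups each `line vty` header with its indented children and checks the section for clear-text transports and a missing inbound `access-class`, alongside global checks for `enable password`, guessable or unrestricted SNMP communities, `ip http server` and a missing syslog destination, then sorts the findings by severity. The sample configuration, the severity scale and the ACL name `MGMT-ACL` are constructed for illustration. What a missing `transport input` line defaults to is platform dependent, so that case is flagged for review rather than reported as Telnet.

```python
import re

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}
WEAK_COMMUNITIES = {"public", "private"}
SNMP_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?:\s+(?P<mode>RO|RW))?(?:\s+(?P<acl>\S+))?\s*$", re.I
)

# Constructed IOS-style configuration with deliberate management-plane weaknesses (not a real device).
SAMPLE_CONFIG = """\
hostname edge-r1
enable password cisco123
ip http server
snmp-server community public RO
snmp-server community private RW
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class MGMT-ACL in
 transport input ssh
 login local
"""


def finding(severity: str, where: str, issue: str) -> dict[str, str]:
    return {"severity": severity, "where": where, "issue": issue}


def section_blocks(config: str, starts_with: str) -> list[list[str]]:
    """Group each section header (e.g. 'line vty 0 4') with its indented child lines."""
    blocks: list[list[str]] = []
    current: list[str] = []
    for line in config.splitlines():
        if line.startswith(starts_with):
            if current:
                blocks.append(current)
            current = [line]
        elif current and line.startswith(" "):
            current.append(line)
        elif current:  # an unindented line closes the open section
            blocks.append(current)
            current = []
    if current:
        blocks.append(current)
    return blocks


def check_vty_block(block: list[str]) -> list[dict[str, str]]:
    """Checks scoped to one VTY section, so an access-class elsewhere cannot satisfy it."""
    header, body = block[0], [line.strip() for line in block[1:]]
    findings = []
    transport = next((line for line in body if line.startswith("transport input")), None)
    if transport is None:
        findings.append(finding("medium", header, "no 'transport input'; the default protocol set is platform dependent, pin it to ssh"))
    elif re.search(r"\b(telnet|all)\b", transport):
        findings.append(finding("high", header, f"clear-text management allowed by '{transport}'; use 'transport input ssh'"))
    if not any(line.startswith("access-class") and line.endswith(" in") for line in body):
        findings.append(finding("high", header, "no inbound access-class; any source address can reach these lines"))
    if "no login" in body:
        findings.append(finding("critical", header, "'no login' disables authentication on these lines"))
    return findings


def check_global(config: str) -> list[dict[str, str]]:
    findings = []
    has_syslog = False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("logging host"):
            has_syslog = True
        elif stripped.startswith("enable password"):
            findings.append(finding("high", stripped, "'enable password' is reversible; use 'enable secret'"))
        elif stripped == "ip http server":
            findings.append(finding("medium", stripped, "clear-text HTTP management; disable it or use 'ip http secure-server'"))
        elif match := SNMP_RE.match(stripped):
            weak = match["name"].lower() in WEAK_COMMUNITIES
            reasons = []
            if weak:
                reasons.append("guessable community string")
            if not match["acl"]:
                reasons.append("no ACL restricting SNMP sources")
            if reasons:
                # Write access or a guessable string is high; an unrestricted read-only community is medium
                severity = "high" if weak or (match["mode"] or "").upper() == "RW" else "medium"
                findings.append(finding(severity, stripped, "; ".join(reasons)))
    if not has_syslog:
        findings.append(finding("medium", "(global)", "no 'logging host'; events are not sent to a syslog collector"))
    return findings


def audit_management_plane(config: str) -> list[dict[str, str]]:
    """Global checks plus one pass per 'line vty' section, ordered by severity."""
    findings = check_global(config)
    for block in section_blocks(config, "line vty"):
        findings.extend(check_vty_block(block))
    return sorted(findings, key=lambda item: SEVERITY_ORDER[item["severity"]])
```

Run `audit_management_plane(SAMPLE_CONFIG)`: the block `line vty 5 15` produces no findings because its transport is SSH-only and it carries an inbound access-class, while `line vty 0 4` is reported twice, and the five high-severity items come before the two medium ones.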