$ ~/registry/skill/affaan-m-network-config-validation

SKILL

network-config-validation

在部署前校验路由器与交换机配置，提前发现安全与连通性风险。

星标

★ 209,790

来源

GitHub

更新于

2026-06-07

// 安全评估低风险

仅提示词，不执行代码
开源可审计
社区验证· 209.8k

正在进行安全审计…

凭证密钥
网络外发
代码执行
数据访问
来源供应链

// 安装

复制安装指令，让 AI 自动完成配置 · 推荐新手

请帮我安装 askskill 上的 "network-config-validation" 技能：
1. 下载 https://raw.githubusercontent.com/affaan-m/ECC/main/skills/network-config-validation/SKILL.md
2. 保存为 ~/.claude/skills/network-config-validation/SKILL.md
3. 装好后重载技能，告诉我可以用了

// 下载

下载 SKILL.md机读安装清单 ↗

// 用法示例

上线前配置体检

输入

请检查以下路由器和交换机配置，找出危险命令、重复 IP、子网重叠、失效引用、管理面暴露风险，以及不符合 IOS 安全最佳实践的问题，并按严重程度排序给出修复建议：
[粘贴配置文本]

预期产出

一份按严重程度分组的配置检查报告，包含问题位置、风险说明和修复建议。

多设备地址冲突排查

输入

我有多台网络设备的配置，请交叉检查接口地址、VLAN 网段和静态路由，找出重复地址、子网重叠和可能导致路由异常的配置冲突，并列出受影响设备：
[粘贴多份配置]

预期产出

一份跨设备冲突清单，标明冲突类型、涉及设备及建议调整方案。

管理面安全加固检查

输入

请重点审查这份网络配置中的管理面安全，包括 Telnet/SSH、SNMP、ACL、管理 VLAN、弱口令风险、未限制的访问来源和日志审计配置，并给出加固建议：
[粘贴配置文本]

预期产出

一份管理面安全评估结果，指出薄弱项并给出可执行的加固措施。

// 文档

Network Config Validation

Use this skill to review network configuration before a change window or before an automation run touches production devices.

When to Use

Reviewing Cisco IOS or IOS-XE style snippets before deployment.
Auditing generated config from scripts or templates.
Looking for dangerous commands, duplicate IP addresses, or subnet overlaps.
Checking whether ACLs, route-maps, prefix-lists, or line policies are referenced but not defined.
Building lightweight pre-flight scripts for network automation.

How It Works

Treat config validation as layered evidence, not as a complete parser. Regex checks are useful for pre-flight warnings, but final approval still needs a network engineer to review intent, platform syntax, and rollback steps.

Validate in this order:

Destructive commands.
Credential and management-plane exposure.
Duplicate addresses and overlapping subnets.
Stale references to ACLs, route-maps, prefix-lists, and interfaces.
Operational hygiene such as NTP, timestamps, remote logging, and banners.

Dangerous Command Detection

import re

DANGEROUS_PATTERNS: list[tuple[re.Pattern[str], str]] = [
    (re.compile(r"\breload\b", re.I), "reload causes downtime"),
    (re.compile(r"\berase\s+(startup|nvram|flash)", re.I), "erases persistent storage"),
    (re.compile(r"\bformat\b", re.I), "formats a device filesystem"),
    (re.compile(r"\bno\s+router\s+(bgp|ospf|eigrp)\b", re.I), "removes a routing process"),
    (re.compile(r"\bno\s+interface\s+\S+", re.I), "removes interface configuration"),
    (re.compile(r"\baaa\s+new-model\b", re.I), "changes authentication behavior"),
    (re.compile(r"\bcrypto\s+key\s+(zeroize|generate)\b", re.I), "changes device SSH keys"),
]

def find_dangerous_commands(lines: list[str]) -> list[dict[str, str | int]]:
    findings = []
    for line_number, line in enumerate(lines, start=1):
        stripped = line.strip()
        for pattern, reason in DANGEROUS_PATTERNS:
            if pattern.search(stripped):
                findings.append({
                    "line": line_number,
                    "command": stripped,
                    "reason": reason,
                })
    return findings

Duplicate IPs And Subnet Overlaps

import ipaddress
import re
from collections import Counter

IP_ADDRESS_RE = re.compile(
    r"^\s*ip address\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\b",
    re.I | re.M,
)

def extract_interfaces(config: str) -> list[dict[str, str]]:
    results = []
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(maxsplit=1)[1]
            continue
        match = IP_ADDRESS_RE.match(line)
        if current and match:
            ip = match.group("ip")
            mask = match.group("mask")
            network = ipaddress.ip_interface(f"{ip}/{mask}").network
            results.append({"interface": current, "ip": ip, "network": str(network)})
    return results

def find_duplicate_ips(config: str) -> list[str]:
    ips = [entry["ip"] for entry in extract_interfaces(config)]
    counts = Counter(ips)
    return sorted(ip for ip, count in counts.items() if count > 1)

def find_subnet_overlaps(config: str) -> list[tuple[str, str]]:
    networks = [ipaddress.ip_network(entry["network"]) for entry in extract_interfaces(config)]
    overlaps = []
    for index, left in enumerate(networks):
        for right in networks[index + 1:]:
            if left.overlaps(right):
                overlaps.append((str(left), str(right)))
    return overlaps

Management-Plane Checks

Parse VTY blocks by section so access-class checks do not spill across unrelated lines.

import re

def iter_blocks(config: str, starts_with: str) -> list[str]:
    blocks = []
    current: list[str] = []
    for line in config.splitlines():
        if line.startswith(starts_with):

…

查看完整文档 ↗

// 同源资产

MCP 工具★210k

ECC

帮助开发者为代码代理配置性能优化、安全防护与研究优先工作流。

affaan-m装→

技能★210k

database-migrations

提供数据库迁移、回滚与零停机发布的最佳实践指导，适用于多种 ORM 与 SQL 数据库。

affaan-m装→

技能★210k

santa-method

通过双评审智能体对结果进行对抗式校验，提升输出发布前的可靠性

affaan-m装→

技能★210k

rust-patterns

帮助你掌握地道 Rust 模式、所有权与并发实践，编写安全高性能应用。

affaan-m装→

技能★210k

cpp-coding-standards

基于 C++ Core Guidelines 编写、审查并重构更安全现代的 C++ 代码。

affaan-m装→

技能★210k

verification-loop

为 Claude Code 会话提供系统化校验流程，帮助检查结果正确性与质量。

affaan-m装→

// 功能相似

技能★210k