
Network Config Validation
Pre-flight review of Cisco IOS-style router and switch configs before a change window or automation push to production.
Overview
Network-config-validation is an agent skill for the Ship phase that reviews Cisco IOS-style network configuration for dangerous commands, overlaps, stale references, and management-plane risk before deployment.
Install
npx skills add https://github.com/affaan-m/everything-claude-code --skill network-config-validation
What is this skill?
- Layered validation: destructive commands, credentials, duplicates, stale refs, hygiene
- Dangerous command detection patterns including reload-style operations
- Duplicate IP and overlapping subnet checks for generated snippets
- Stale ACL, route-map, prefix-list, and interface reference detection
- NTP, timestamps, remote logging, and banner operational hygiene checks
- Five ordered validation layers from destructive commands through operational hygiene
Adoption & trust: 1.2k installs on skills.sh; 210k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are about to deploy or automate router config but might ship reload commands, duplicate IPs, or references to ACLs that were never defined.
Who is it for?
Indie operators or full-stack builders who occasionally ship network changes and want structured IOS config review before automation or manual paste.
Skip if: Pure cloud-only shops with no CLI network devices, or teams needing a full formal parser/simulator instead of regex pre-flight warnings.
When should I use this skill?
Reviewing Cisco IOS or IOS-XE snippets before deployment, auditing generated config, or building pre-flight scripts for network automation.
What do I get? / Deliverables
You get an ordered pre-flight review checklist and pattern-based findings so a network engineer can approve or fix config before the change window.
- Layered findings on dangerous commands and exposure
- Duplicate/overlap and stale reference warnings for engineer sign-off
Journey fit
Ship is where config hits production; this skill is a gate before deployment or automation runs, not early idea research. Review matches pre-change validation and engineer sign-off layered on regex evidence—not writing new app code in Build.
How it compares
Lightweight regex checker and review ritual—not a full NetDevOps simulation platform or generic linter.
Common Questions / FAQ
Who is network-config-validation for?
Builders and operators who prepare Cisco IOS or IOS-XE configuration for deployment or automation and need a structured dangerous-command and consistency pass.
When should I use network-config-validation?
In Ship/review before change windows; in Ship/security when auditing management-plane exposure; in Operate/iterate when revisiting generated config after an incident.
Is network-config-validation safe to install?
It is read-oriented review guidance—check the Security Audits panel on this page; applying wrong config to devices is an operational risk the skill does not eliminate.
SKILL.md
# Network Config Validation

Use this skill to review network configuration before a change window or before an automation run touches production devices.

## When to Use

- Reviewing Cisco IOS or IOS-XE style snippets before deployment.
- Auditing generated config from scripts or templates.
- Looking for dangerous commands, duplicate IP addresses, or subnet overlaps.
- Checking whether ACLs, route-maps, prefix-lists, or line policies are referenced but not defined.
- Building lightweight pre-flight scripts for network automation.

## How It Works

Treat config validation as layered evidence, not as a complete parser. Regex checks are useful for pre-flight warnings, but final approval still needs a network engineer to review intent, platform syntax, and rollback steps.

Validate in this order:

1. Destructive commands.
2. Credential and management-plane exposure.
3. Duplicate addresses and overlapping subnets.
4. Stale references to ACLs, route-maps, prefix-lists, and interfaces.
5. Operational hygiene such as NTP, timestamps, remote logging, and banners.

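
Layer 4 of the order above, stale references, shown as an added example (not code from the skill itself). The function name `find_stale_references`, the pattern tables and the sample config are constructed for illustration, and the patterns cover only a subset of the IOS commands that define or reference ACLs, route-maps and prefix-lists.

```python
import re

# Definitions; group 1 of every pattern is the object name (added illustration).
DEFINITIONS = [
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)", re.I)),
    ("acl", re.compile(r"^access-list (\d+) ", re.I)),
    ("route-map", re.compile(r"^route-map (\S+)", re.I)),
    ("prefix-list", re.compile(r"^ip prefix-list (\S+)", re.I)),
]
# References; only the first name on a multi-name "match ip address" line is checked.
REFERENCES = [
    ("acl", re.compile(r"^ip access-group (\S+) (?:in|out)\b", re.I)),
    ("acl", re.compile(r"^access-class (\S+) (?:in|out)\b", re.I)),
    ("acl", re.compile(r"^match ip address (?!prefix-list\b)(\S+)", re.I)),
    ("prefix-list", re.compile(r"^match ip address prefix-list (\S+)", re.I)),
    ("prefix-list", re.compile(r"^neighbor \S+ prefix-list (\S+) (?:in|out)\b", re.I)),
    ("route-map", re.compile(r"\broute-map (\S+)", re.I)),  # neighbor, redistribute, ip policy
]

def find_stale_references(config: str) -> list[dict]:
    lines = [line.strip() for line in config.splitlines()]
    # Pass 1: collect every definition first, since it may follow its users.
    defined = {(kind, m.group(1)) for line in lines
               for kind, pattern in DEFINITIONS if (m := pattern.search(line))}
    # Pass 2: report references whose (kind, name) was never defined.
    findings = []
    for number, line in enumerate(lines, start=1):
        if line.lower().startswith("no ") or any(p.search(line) for _, p in DEFINITIONS):
            continue  # removals and definition lines are not references
        for kind, pattern in REFERENCES:
            match = pattern.search(line)
            if match and (kind, match.group(1)) not in defined:  # names are case-sensitive
                findings.append({"line": number, "kind": kind,
                                 "name": match.group(1), "command": line})
    return findings

# Constructed sample: PL-CUSTOMER and MGMT-ONLY are referenced but never defined.
SAMPLE_CONFIG = """\
ip access-list extended EDGE-IN
route-map RM-EXPORT permit 10
 match ip address prefix-list PL-CUSTOMER
interface GigabitEthernet0/1
 ip access-group EDGE-IN in
router bgp 65000
 neighbor 192.0.2.1 route-map RM-EXPORT out
line vty 0 4
 access-class MGMT-ONLY in
"""
```

An undefined name on `access-class` or `ip access-group` deserves a close look before the push, because how the platform treats a reference to a missing ACL is exactly the kind of intent question the regex pass cannot answer.
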
## Dangerous Command Detection

```python
import re

# Each entry pairs a compiled pattern with the reason it needs engineer review.
DANGEROUS_PATTERNS: list[tuple[re.Pattern[str], str]] = [
    (re.compile(r"\breload\b", re.I), "reload causes downtime"),
    (re.compile(r"\berase\s+(startup|nvram|flash)", re.I), "erases persistent storage"),
    (re.compile(r"\bformat\b", re.I), "formats a device filesystem"),
    (re.compile(r"\bno\s+router\s+(bgp|ospf|eigrp)\b", re.I), "removes a routing process"),
    (re.compile(r"\bno\s+interface\s+\S+", re.I), "removes interface configuration"),
    (re.compile(r"\baaa\s+new-model\b", re.I), "changes authentication behavior"),
    (re.compile(r"\bcrypto\s+key\s+(zeroize|generate)\b", re.I), "changes device SSH keys"),
]


def find_dangerous_commands(lines: list[str]) -> list[dict[str, str | int]]:
    """Return one finding per (line, pattern) match, with 1-based line numbers."""
    findings = []
    for line_number, line in enumerate(lines, start=1):
        stripped = line.strip()
        for pattern, reason in DANGEROUS_PATTERNS:
            if pattern.search(stripped):
                findings.append({
                    "line": line_number,
                    "command": stripped,
                    "reason": reason,
                })
    return findings
```

## Duplicate IPs And Subnet Overlaps

```python
import ipaddress
import re
from collections import Counter

# Matches "ip address <ip> <mask>" at the start of a line (leading indent allowed).
IP_ADDRESS_RE = re.compile(
    r"^\s*ip address\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\b",
    re.I | re.M,
)


def extract_interfaces(config: str) -> list[dict[str, str]]:
    """Collect interface name, address and derived network for each "ip address" line."""
    results = []
    current = None  # name of the most recent "interface" stanza
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(maxsplit=1)[1]
            continue
        match = IP_ADDRESS_RE.match(line)
        if current and match:
            ip = match.group("ip")
            mask = match.group("mask")
            # ip_interface accepts a dotted netmask and yields the containing network.
            network = ipaddress.ip_interface(f"{ip}/{mask}").network
            results.append({"interface": current, "ip": ip, "network": str(network)})
    return results


def find_duplicate_ips(config: str) -> list[str]:
    """Return every address that is configured on more than one line."""
    ips = [entry["ip"] for entry in extract_interfaces(config)]
    counts = Counter(ips)
    return sorted(ip for ip, count in counts.items() if count > 1)


def find_subnet_overlaps(config: str) -> list[tuple[str, str]]:
    """Return each pair of configured networks that overlap."""
    networks = [ipaddress.ip_network(entry["network"]) for entry in extract_interfaces(config)]
    overlaps = []
    # Compare each network only with the ones after it, so a pair is reported once.
    for index, left in enumerate(networks):
        for right in networks[index + 1:]:
            if left.overlaps(right):
                overlaps.append((str(left), str(right)))
    return overlaps
```

## Management-Plane Checks

Parse VTY blocks by section so acce