affaan-m/cisco-ios-patterns
skills/cisco-ios-patterns/SKILL.md
Cisco IOS and IOS-XE review patterns for show commands, config hierarchy, wildcard masks, ACL placement, interface hygiene, and safe change-window verification.
$ install --global
skillsauthnpx skillsauth add affaan-m/everything-claude-code cisco-ios-patternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 16, 2026, 4:03 AM57.5s1 file scanned
SKILL.md
- name:
- cisco-ios-patterns
- description:
- Cisco IOS and IOS-XE review patterns for show commands, config hierarchy, wildcard masks, ACL placement, interface hygiene, and safe change-window verification.
- origin:
- community
Cisco IOS Patterns
Use this skill when reviewing Cisco IOS or IOS-XE snippets, building a change-window checklist, or explaining how to collect evidence from a router or switch without making the incident worse.
When to Use
- Reviewing IOS or IOS-XE configuration before a planned change.
- Choosing read-only
showcommands for troubleshooting. - Checking ACL wildcard masks and interface direction.
- Explaining global, interface, routing process, and line configuration modes.
- Verifying that a change landed in running config and was saved intentionally.
Operating Rules
Treat IOS examples as patterns, not paste-ready production changes. Confirm the platform, interface names, current config, rollback path, and out-of-band access before making changes on a real device.
Prefer this workflow:
- Capture current state with read-only commands.
- Review the exact candidate config.
- Confirm management access cannot be locked out.
- Apply the smallest change in a maintenance window.
- Re-read state, compare to the baseline, then save only after validation.
Mode Reference
Router> enable
Router# show running-config
Router# configure terminal
Router(config)# interface GigabitEthernet0/1
Router(config-if)# description UPLINK-TO-CORE
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# end
Router# show running-config interface GigabitEthernet0/1
running-config is active memory. startup-config is what survives reload.
Do not save a change just because a command was accepted; validate behavior
first, then use copy running-config startup-config if the change is approved.
Read-Only Collection
show version
show inventory
show processes cpu sorted
show memory statistics
show logging
show running-config | section line vty
show running-config | section interface
show running-config | section router bgp
show ip interface brief
show interfaces
show interfaces status
show vlan brief
show mac address-table
show spanning-tree
show ip route
show ip protocols
show ip access-lists
show route-map
show ip prefix-list
Collect the specific section you need instead of dumping full config into a ticket when the config may contain secrets, customer names, or private topology.
Wildcard Masks
IOS ACL and many routing statements use wildcard masks, not subnet masks.
Subnet mask Wildcard mask
255.255.255.255 0.0.0.0
255.255.255.252 0.0.0.3
255.255.255.0 0.0.0.255
255.255.0.0 0.0.255.255
Review wildcard masks before deployment. A subnet mask accidentally used as a wildcard can match far more traffic than intended.
ip access-list extended WEB-IN
10 permit tcp 192.0.2.0 0.0.0.255 any eq 443
999 deny ip any any log
Every ACL has an implicit deny at the end. Add an explicit logged deny when the operational goal includes observing misses, and confirm logging volume is safe.
ACL Placement Review
Before applying an ACL to an interface, answer these questions:
- Which traffic direction is being filtered,
inorout? - Is management traffic sourced from a known jump host or management subnet?
- Is there an explicit permit for required routing, DNS, NTP, monitoring, or application traffic?
- Are hit counters available from a safe test source?
- Is there a rollback command and an active console or out-of-band path?
Do not test reachability by removing firewall or ACL protections. Read counters, logs, and route state first.
Interface Hygiene
interface GigabitEthernet0/1
description UPLINK-TO-CORE
switchport mode trunk
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 999
no shutdown
Use clear descriptions, explicit switchport mode, and documented native VLANs. On routed interfaces, confirm the mask, peer addressing, and routing process before assuming link state means forwarding is correct.
Change-Window Verification
Use before/after checks that match the actual change.
show running-config | section interface GigabitEthernet0/1
show interfaces GigabitEthernet0/1
show logging | include GigabitEthernet0/1|changed state|line protocol
show ip route <prefix>
show ip access-lists <name>
For routing changes, also capture neighbor state and route tables before and after the change. For ACL changes, compare hit counters from a planned test source rather than relying on a generic ping.
Anti-Patterns
- Applying a generated config without a device-specific diff.
- Saving configuration before post-change checks pass.
- Using a subnet mask where IOS expects a wildcard mask.
- Applying an ACL to the wrong interface direction.
- Troubleshooting by disabling ACLs, route policies, or authentication.
- Pasting full configs into public tools without sanitizing secrets and topology.
See Also
- Agent:
network-config-reviewer - Agent:
network-troubleshooter - Skill:
network-config-validation - Skill:
network-interface-health
Related Skills
affaan-m/config-gc
tools
VerifiedTrustedCommunity
Garbage collection for your Claude Code configuration. Periodically scans ~/.claude (skills, memory, hooks, permissions, MCP servers, caches) for redundant, stale, orphaned, or low-value items, then walks the user through a confirm-each-deletion cleanup. Use when the user says "clean up my config", "config GC", "too many skills", "audit my setup", "my .claude is bloated", or asks for a periodic config review.
213,637SKILL.mdUpdated Jun 12, 2026
affaan-m/parallel-execution-optimizer
data-ai
VerifiedTrustedCommunity
当用户希望通过并行工作、并发 agents、批量工具调用、隔离 worktree 或多条独立验证通道来大幅加速任务、同时不损失正确性时使用。
213,637SKILL.mdUpdated Jun 12, 2026
affaan-m/ecc-guide
documentation
VerifiedTrustedCommunity
在回答之前先读取仓库的实时状态,引导用户了解 ECC 当前的 agents、skills、命令、hooks、规则、安装配置档案以及项目接入流程。
213,637SKILL.mdUpdated Jun 12, 2026
affaan-m/gateguard
testing
VerifiedTrustedCommunity
Fact-forcing gate that blocks Edit/Write/Bash (including MultiEdit) and demands concrete investigation (importers, data schemas, user instruction) before allowing the action. Measurably improves output quality by +2.25 points vs ungated agents.
213,637SKILL.mdUpdated Apr 15, 2026