---
name: config-diff
description: Semantic diff of two network device configurations. Ignores trivial ordering, comments, and cosmetic whitespace. Groups changes by intent (security, routing, interface, QoS) and flags high-risk deltas.
version: 1.0.0
author: VantagePoint Networks
audience: Network Engineers, Change Managers, Auditors, Security Engineers
output_format: Markdown report — change categories, per-category diff, risk assessment, rollback hint per change.
license: MIT
---

# Config Diff

A Claude Code skill for comparing two network device configs with meaning, not just text. Supports Cisco IOS / IOS-XE / NX-OS / ASA, Juniper Junos, Fortinet FortiOS, Palo Alto PAN-OS (XML), Aruba AOS-CX, MikroTik RouterOS.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/config-diff`. Paste or attach two config files. Tell me which is "before" and which is "after".

## When to use this

- **Post-change verification** — confirm the change that landed is the change that was planned.
- **Audit evidence** — produce a clean "what actually changed" record for change ticket closure.
- **Incident response** — when a config drift is suspected, show me both and I'll isolate the delta.
- **Migration sanity check** — before/after a vendor upgrade, clarify whether the config genuinely changed or just the formatting did.
- **Merge conflict arbitration** — two engineers made changes in parallel; show what overlaps.

## What you'll get

A Markdown report structured as:

1. **Summary** — how many logical changes, grouped by category.
2. **High-risk changes** — rule/ACL changes, admin access, routing changes to default route, NAT with broad scope.
3. **Per-category diff** — Interfaces, Routing (static / OSPF / BGP), Access (AAA, users), ACLs / Security policies, NAT, QoS, SNMP / logging / NTP, Misc.
4. **Cosmetic differences** — listed separately so you know they don't matter (whitespace, key ordering, comments).
5. **Rollback hint per change** — the minimum command(s) to reverse each delta.

## Clarifying questions I will ask you

Before diffing:

1. **Vendor + version** — paste the first 10 lines of each file OR tell me.
2. **Which is before / after?** (Default assumption: first paste = before.)
3. **What was the intended change?** — lets me flag unexpected deltas that weren't in scope.
4. **Include cosmetic differences?** — default: no; they are listed in a collapsed section instead.
5. **Output verbosity** — concise summary for a change ticket, or verbose for audit?

## How I work

1. **Parse** each config into a structured tree (interfaces, routes, ACLs, policies, etc.) rather than line-by-line.
2. **Normalise** — strip trailing whitespace, normalise case where the vendor allows (e.g., `Permit` vs `permit`), sort any order-insensitive lists, drop trailing comments unless they are ticket references.
3. **Compute logical diff** — per node in the tree, classify as added / removed / modified.
4. **Re-attach the original textual context** — so you see the before/after lines, not an abstract tree.
5. **Classify risk** using:
   - Scope (affects all traffic / specific flows / admin plane)
   - Permissiveness change (tighter vs. looser)
   - Security-relevant objects (ACL, NAT, routing, crypto, AAA)
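
The parse, normalise, logical-diff and risk-classify steps above, as an added Python example that is not part of this skill (the skill runs inside Claude Code and ships no code of its own). The two snapshots are constructed to mirror the example report in this file; `PLACEHOLDER-HASH` stands in for a real secret hash, and the section/child model is a simplification of IOS indentation.

```python
# Constructed IOS-style snapshots mirroring the page's example; not real device output.
BEFORE = """\
hostname fw-core-01
! managed under ticket NET-4321
ip access-list extended acl-vl10-out
 permit tcp 10.10.0.0/24 any eq 443
"""
AFTER = """\
hostname fw-core-01
ip access-list extended acl-vl10-out
 Permit  tcp 10.10.0.0/24 any
username ops-svc privilege 15 secret 5 PLACEHOLDER-HASH
"""

def normalise(line):
    keyword, *rest = line.split()                           # collapses cosmetic whitespace
    return " ".join([keyword.lower(), *rest])               # keyword case only; names/hashes stay

def parse(text):                                            # -> {top-level line: set(child lines)}
    tree, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):  # blank and '!' comment lines dropped
            continue
        if raw[0] != " ":                                   # unindented line opens a section
            section = normalise(raw)
            tree.setdefault(section, set())
        else:                                               # indented line belongs to it
            tree[section].add(normalise(raw))
    return tree

def logical_diff(before, after):
    """Per tree node, list added/removed entries as 'section :: line'."""
    added, removed = [], []
    for sec in sorted(set(before) | set(after)):
        b, a = before.get(sec, set()), after.get(sec, set())
        added += [f"{sec} :: {l}" for l in sorted(a - b)] + ([sec] if sec not in before else [])
        removed += [f"{sec} :: {l}" for l in sorted(b - a)] + ([sec] if sec not in after else [])
    return added, removed

def classify_risk(added, removed):
    """Flag the high-risk deltas the report calls out: a permit losing its port, a new privilege-15 user."""
    findings = []
    for entry in removed:
        loosened = entry.rsplit(" eq ", 1)[0]               # same entry minus its 'eq <port>' qualifier
        if " :: permit " in entry and loosened != entry and loosened in added:
            findings.append(("HIGH", f"ACL widened: {entry} -> {loosened}"))
    for entry in added:
        if entry.startswith("username ") and " privilege 15 " in entry:
            findings.append(("HIGH", f"new privileged account: {entry.split()[1]}"))
    return findings
```

Running `classify_risk(*logical_diff(parse(BEFORE), parse(AFTER)))` yields the two HIGH findings from the example report, while a copy of `BEFORE` that differs only in keyword case and spacing produces an empty diff.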

## Example output

```markdown
# Config Diff — fw-core-01

**Before:** config snapshot @ 2026-04-15T09:00Z
**After:**  config snapshot @ 2026-04-16T10:15Z
**Intended change:** Ticket NET-4321 — add VLAN 120 + ACL updates

## Summary
- **7 logical changes** (5 expected, 2 unexpected)
- **2 high-risk changes** (ACL widening on VLAN 10, new admin user)
- **0 cosmetic differences** in this run

## High-risk changes

### 1. ACL widened — VLAN 10 egress
- **Before:** `permit tcp 10.10.0.0/24 any eq 443`
- **After:**  `permit tcp 10.10.0.0/24 any`
- **Risk:** dropped port restriction; VLAN 10 can now egress on any TCP port.
- **Expected?** Not mentioned in ticket NET-4321. **Flag for review.**
- **Rollback:** re-add the `eq 443` keyword on the ACL entry.

### 2. New admin user
- **Before:** (not present)
- **After:**  `username ops-svc privilege 15 secret 5 $1$xxxx...`
- **Risk:** new privileged account. Confirm this was raised on a ticket, password is not a default, and MFA/TACACS+ covers it.
- **Expected?** Not in NET-4321.
- **Rollback:** `no username ops-svc`.

## Expected changes (per ticket)

### VLAN 120 added
- Interface Vlan120 with IP 10.120.0.1/24 ✓
- SVI HSRP standby 120 configured ✓
- Trunk allowed list on Gi1/0/48 updated ✓

### ACL acl-vl10-out trimmed (remove stale entries 110, 120)
- Lines removed as planned ✓

[...]

## Cosmetic differences (none in this diff)

## Rollback bundle (safe subset)

If you need to roll back only the unexpected changes:
\`\`\`
interface Vlan10
  ip access-group acl-vl10-out in
!
(reapply the before-state of acl-vl10-out)
!
no username ops-svc
\`\`\`
```

## What I won't do

- I won't mask low-but-present risks to make the report look clean. Unexpected changes get called out even if minor.
- I won't guess at the intent of a change; if the ticket text wasn't given, I'll mark everything as "unexplained".
- I won't silently ignore parse errors — I'll tell you which sections I couldn't fully parse.
- I won't produce a rollback bundle that I can't verify is safe; if rollback is non-trivial (e.g., affects data plane mid-flow), I'll note that.

## Reference

- IETF RFC 8193 — Network configuration considerations
- NIST SP 800-53 CM-3 — Configuration change control

## Attribution

Built by **Hak** at **VantagePoint Networks**. MIT licensed.
