Sunday, 25 August 2019

SSH Configuration Examples in Cisco (IOS, IOS-XE, NX-OS, IOS-XR) and Juniper (Junos)



Here are the configuration examples, where:
192.168.100.100 = jump host IP (the only address allowed to SSH into the device)

Juniper

system {
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            connection-limit 5;
            rate-limit 5;
        }
    }
}

policy-options {
    prefix-list ALLOWED-IP {
        192.168.100.100/32;
    }
}

firewall {
    family inet {
        filter PROTECT-ENGINE {
            term PERMIT-SSH {
                from {
                    source-prefix-list {
                        ALLOWED-IP;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count PERMIT-SSH;
                    accept;
                }
            }
            term DENY-SSH {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count DENY-SSH;
                    discard;
                }
            }
        }
    }
}

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-ENGINE;
                }
            }
        }
    }
}
Set format:
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5

set policy-options prefix-list ALLOWED-IP 192.168.100.100/32

set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from source-prefix-list ALLOWED-IP
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from protocol tcp
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH from destination-port ssh
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH then count PERMIT-SSH
set firewall family inet filter PROTECT-ENGINE term PERMIT-SSH then accept

set firewall family inet filter PROTECT-ENGINE term DENY-SSH from protocol tcp
set firewall family inet filter PROTECT-ENGINE term DENY-SSH from destination-port ssh
set firewall family inet filter PROTECT-ENGINE term DENY-SSH then count DENY-SSH
set firewall family inet filter PROTECT-ENGINE term DENY-SSH then discard

set interfaces lo0 unit 0 family inet filter input PROTECT-ENGINE

PROTECT-ENGINE as written contains only the two SSH terms. A Junos filter ends in an implicit discard, so applied to lo0 on its own it would also drop BGP, OSPF/IS-IS, NTP, SNMP and TACACS+ replies addressed to the Routing Engine. Merge these terms into the full RE filter (the TACACS+ term in the next section is another piece of it) or, while that filter is still being built, finish it with a catch-all accept term. Verify with show firewall filter PROTECT-ENGINE: a connection attempt from any address other than the jump host should increment the DENY-SSH counter.

Cisco:

Generating the SSH host key is a prerequisite on every Cisco platform; see the Cisco documentation for the exact syntax of each OS. On IOS and IOS-XE the router must already have a hostname and an ip domain-name configured, because the key label is built from them:
command: crypto key generate rsa modulus 2048

Use a modulus of at least 2048 bits. 1024-bit RSA is no longer considered secure and current SSH clients refuse it. (IOS-XR uses the same crypto key generate rsa command; on NX-OS the key is created with ssh key rsa 2048.)

IOS:
ip ssh version 2
access-list 101 permit tcp host 192.168.100.100 any eq 22
!
line vty 0 4
 access-class 101 in
 exec-timeout 5 0
 password 7 01234ABC
 login authentication VTY
 transport input ssh


IOS-XE:
ip ssh version 2
ip access-list extended SSH-ACL
 permit tcp host 192.168.100.100 any eq 22
 deny   tcp any any eq 22
!
login quiet-mode access-class SSH-ACL
!
line vty 0 4
 access-class SSH-ACL in
 exec-timeout 5 0
 password 7 01234ABCDEF
 login authentication VTY
 transport input ssh

Notes on the IOS and IOS-XE examples:

access-class decides who may open a VTY session. The ACL ends with an implicit deny, so only the jump host gets through; the explicit deny line in SSH-ACL exists so that rejected attempts show up in the ACL counters (add the log keyword to have them logged as well).

login authentication VTY refers to the AAA method list of that name, defined in the TACACS+ section below; aaa new-model has to be enabled for it to exist.

login quiet-mode access-class does nothing on its own. It names the ACL that is still let in while the router is in quiet mode, and quiet mode is only entered once login block-for has been configured (for example login block-for 120 attempts 3 within 60), which is not shown here.

password 7 is the fallback used by the line method when no TACACS+ server answers. Type 7 is reversible obfuscation, not encryption: anyone who can read the configuration (backups, a TFTP server, show run over an unprotected channel) can recover the password. If a local fallback is needed, prefer a username ... secret account with the local method, and treat configuration files as sensitive.
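Added example (written for this page, not code from the original post or from Cisco): a small Python audit that reads an IOS/IOS-XE running configuration and checks the points above (ip ssh version 2, ssh-only transport on every VTY, an access-class that is actually defined, an exec-timeout), then decodes any type 7 line password to show how little it hides. The configuration inside the script is constructed to resemble the IOS-XE snippet, with a second VTY range deliberately left open so the audit has something to report; the type 7 string in it is the well-known encoding of the word cisco. To audit a real device, feed it the output of show running-config instead of SAMPLE_CONFIG.

```python
"""Audit an IOS / IOS-XE running-config for the SSH hardening points above.

Added example (not from the original post): parses a constructed config
modelled on the IOS-XE snippet, reports what is missing, and decodes any
type 7 passwords to show why they are obfuscation rather than encryption.
"""

# Constructed sample config. The type 7 string encodes "cisco" with salt 02;
# the second VTY range is intentionally weak so the audit reports something.
SAMPLE_CONFIG = """\
hostname EDGE-1
ip domain-name example.net
ip ssh version 2
ip access-list extended SSH-ACL
 permit tcp host 192.168.100.100 any eq 22
 deny   tcp any any eq 22
line vty 0 4
 access-class SSH-ACL in
 exec-timeout 5 0
 password 7 02050D480809
 login authentication VTY
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 transport input telnet ssh
"""

# Fixed, publicly known key IOS uses for type 7 (Vigenere-style) passwords.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Return the plaintext of an IOS type 7 password string."""
    salt = int(encoded[:2], 10)          # first two digits: offset into the key
    body = bytes.fromhex(encoded[2:])    # remaining hex pairs: XORed bytes
    plain = bytes(c ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)]
                  for i, c in enumerate(body))
    return plain.decode("ascii", "replace")


def parse_blocks(config):
    """Split an IOS config into (header, [indented sub-lines]) sections."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if not line or line.startswith("!"):
            continue
        if line[0] == " ":
            body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit_ssh(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    tops = {h for h, _ in blocks}
    acls = set()
    for h in tops:                       # named (ip access-list) and numbered ACLs
        if h.startswith("ip access-list"):
            acls.add(h.split()[-1])
        elif h.startswith("access-list "):
            acls.add(h.split()[1])
    findings = []
    if "ip ssh version 2" not in tops:
        findings.append("global: 'ip ssh version 2' not set")
    for header, body in blocks:
        if not header.startswith("line vty"):
            continue
        transport = [b for b in body if b.startswith("transport input")]
        if not transport or transport[0] != "transport input ssh":
            findings.append(f"{header}: transport input is not ssh-only")
        acl = [b.split()[1] for b in body if b.startswith("access-class")]
        if not acl:
            findings.append(f"{header}: no access-class applied")
        elif acl[0] not in acls:
            findings.append(f"{header}: access-class {acl[0]} is undefined")
        if not any(b.startswith("exec-timeout") for b in body):
            findings.append(f"{header}: no exec-timeout")
        for b in body:
            if b.startswith("password 7 "):
                findings.append(f"{header}: type 7 password decodes to "
                                f"{decode_type7(b.split()[2])!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG):
        print(finding)
```

The parser is deliberately simple (one level of indentation, as IOS prints it) so it can be pointed at a config archive or a batch of show run outputs; the type 7 decoder is the reason to keep those archives as tightly controlled as the devices themselves.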


NEXUS OS:
feature ssh

ip access-list acl_101
  10 permit tcp 192.168.100.100/32 any eq 22
  20 deny ip any any log

interface mgmt0
  vrf member management
  ip access-group acl_101 in

The ACL is stateless and applies to every packet arriving on mgmt0, so line 20 also drops the replies to sessions the switch itself opens through mgmt0 (TACACS+, NTP, syslog, SNMP, image downloads). Add permit entries for those servers ahead of the deny, and keep the log keyword so rejected SSH attempts are visible.


IOS-XR:
ssh client source-interface Loopback0
ssh server v2
!
line template VTYTEMPLATE
 secret 5 $encryptedlocalpass
 users group root-system
 users group cisco-support
 accounting exec VTY
 accounting commands VTY
 authorization exec VTY
 authorization commands VTY
 login authentication VTY
 exec-timeout 5 0
 access-class ingress SSH-VTY
 transport input ssh
!
vty-pool default 0 4 line-template VTYTEMPLATE

or (simpler, using the default AAA method lists):
line default
 secret 5 $encryptedlocalpass
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress SSH-VTY
 session-timeout 5
 transport input ssh
!
ipv4 access-list SSH-VTY
 10 permit tcp host 192.168.100.100 any eq ssh
 20 deny ipv4 any any log
!
control-plane
 management-plane
  inband
   interface all
    allow SSH peer
     address ipv4 192.168.100.100
!

The access-class on the line and the management-plane protection (MPP) stanza are two independent layers: MPP drops SSH from any other source at the interface, before the SSH server ever sees it, and the line ACL filters again at the VTY. The accounting, authorization and login lists named VTY are the ones defined in the TACACS+ section below; with the line default variant they have to be named default instead.

TACACS+ (AAA) Configuration in Juniper and Cisco (IOS-XR, IOS-XE, IOS, NX-OS)

Configuring Juniper and Cisco devices to authenticate against a TACACS+ server, with authorization and accounting sent to the same server.

10.10.10.10 = TACACS+ AAA server
20.20.20.2  = device loopback IP, used as the source address for TACACS+ traffic

Juniper:


system {
    host-name JUNIPER-ROUTER1;
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "$r00tp44sw0rdh3r3/1"; ## SECRET-DATA
    }
    tacplus-server {
        10.10.10.10 {
            secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"; ## SECRET-DATA
            single-connection;
            source-address 20.20.20.2;
        }
    }
    accounting {
        events interactive-commands;
        destination {
            tacplus {
                server {
                    10.10.10.10 {
                        secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"; ## SECRET-DATA
                        single-connection;
                        source-address 20.20.20.2;
                    }
                }
            }
        }
    }
}

firewall {
    family inet {
        filter FIREWALL-RE {
            /* TRUSTED TACACS */
            term TACACS-ACL {
                from {
                    source-address {
                        10.10.10.10/32;
                        20.20.20.2/32;
                    }
                    protocol tcp;
                    port tacacs;
                }
                then {
                    count TACACS-ACL;
                    accept;
                }
            }
        }
    }
}

In set format:

set system host-name JUNIPER-ROUTER1
set system authentication-order tacplus
set system authentication-order password
set system root-authentication encrypted-password "$r00tp44sw0rdh3r3/1"
set system tacplus-server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"
set system tacplus-server 10.10.10.10 single-connection
set system tacplus-server 10.10.10.10 source-address 20.20.20.2
set system accounting events interactive-commands
set system accounting destination tacplus server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"
set system accounting destination tacplus server 10.10.10.10 single-connection
set system accounting destination tacplus server 10.10.10.10 source-address 20.20.20.2

set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 10.10.10.10/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 20.20.20.2/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from protocol tcp
set firewall family inet filter FIREWALL-RE term TACACS-ACL from port tacacs
set firewall family inet filter FIREWALL-RE term TACACS-ACL then count TACACS-ACL
set firewall family inet filter FIREWALL-RE term TACACS-ACL then accept

Two things this snippet relies on that are easy to miss. First, Junos maps a TACACS+-authenticated login onto a local account: either the server returns a local-user-name in its reply, or a template user named remote has to exist (for example set system login user remote class super-user); without one, the server says yes but the login is still refused. Second, TACACS-ACL is a single accept term meant to be merged into the Routing Engine filter: on its own, the implicit discard at the end of FIREWALL-RE would drop everything else sent to the RE, including the SSH sessions from the previous section.



Cisco:

IOS:

aaa new-model
aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host 10.10.10.10 single-connection
tacacs-server key 7 1234567890
ip tacacs source-interface Loopback0

aaa new-model has to be on before any of the method lists can be defined. The second method in each list (line, enable, none) is only consulted when no TACACS+ server answers, not when the server rejects the user, so a server outage falls back to the line password for login and to no authorization at all for commands; decide whether that break-glass behaviour is acceptable before deploying it.

IOS-XE:
aaa new-model
aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs server TACACS-SERVER
 address ipv4 10.10.10.10
 key 7 1234567890

ip tacacs source-interface Loopback0

The tacacs server block is the current syntax and replaces the deprecated tacacs-server host / tacacs-server key pair used in the IOS example; the same remarks about aaa new-model and the fallback methods apply.


NEXUS OS
feature tacacs+

tacacs-server host 10.10.10.10 key 7 "tacacs_pass"
aaa group server tacacs+ tacacs
    server 10.10.10.10
    use-vrf management
ip tacacs source-interface mgmt0
tacacs+ distribute

aaa authentication login default group tacacs
aaa authentication login console group tacacs
aaa authorization config-commands default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting default group tacacs

feature tacacs+ must be enabled first, and the server group has to exist before the method lists refer to it. use-vrf management (added here) is needed because the server is reached through mgmt0, which lives in the management VRF; without it the switch tries to reach 10.10.10.10 through the default VRF. Keep a local administrator account so the console stays usable if the TACACS+ server is unreachable.


IOS-XR
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands VTY start-stop group tacacs+
aaa authorization exec VTY group tacacs+ none
aaa authorization commands VTY group tacacs+ none
aaa authentication login VTY group tacacs+ line local

tacacs source-interface Loopback0 vrf default
tacacs-server host 10.10.10.10 port 49
 key 7 1234567890123456789

The lists named VTY are the ones referenced by line template VTYTEMPLATE in the SSH section above; the simpler line default variant uses the default lists, so with it either name these lists default or point the line at VTY. As on IOS, the trailing none, line and local methods are only consulted when the TACACS+ server does not answer.

Static Route Configuration Examples in Cisco (IOS-XR) and Juniper for BGP aggregated prefix advertisements


To advertise an aggregate (or a default route) via BGP, the prefix must exist in the routing table; that is rule #1. If the summary (a /16 here) does not exist and only the more specific subnets are learned via the IGP (OSPF, IS-IS), create it with a static route whose next hop discards traffic: Null0 on Cisco, discard on Junos. Traffic for a destination inside the aggregate that has no more specific route is then dropped locally, which is what you want: it stops such packets from following a default route back out and looping. On Junos, no-install keeps the default route in the routing table for BGP to export without pushing it into the forwarding table.

Juniper:

routing-options {
    graceful-restart;
    rib inet6.0 {
        static {
            route fd41:c8be:2153:f400::/64 discard;
            route ::0/0 {
                discard;
                no-install;
            }
        }
    }
    static {
        route 172.16.0.0/16 discard;
        route 0.0.0.0/0 {
            discard;
            no-install;
        }
    }
}
In display set format:

set routing-options graceful-restart
set routing-options rib inet6.0 static route fd41:c8be:2153:f400::/64 discard
set routing-options rib inet6.0 static route ::0/0 discard
set routing-options rib inet6.0 static route ::0/0 no-install

set routing-options static route 172.16.0.0/16 discard
set routing-options static route 0.0.0.0/0 discard
set routing-options static route 0.0.0.0/0 no-install


Cisco:

router static
 address-family ipv4 unicast
  0.0.0.0/0 Null0
  172.16.0.0/16 Null0
 !
 address-family ipv6 unicast
  ::/0 Null0
  fd41:c8be:2153:f400::/64 Null0


In formal:
router static address-family ipv4 unicast 172.16.0.0/16 Null0
router static address-family ipv4 unicast 0.0.0.0/0 Null0
router static address-family ipv6 unicast ::/0 Null0
router static address-family ipv6 unicast fd41:c8be:2153:f400::/64 Null0


Originating BGP advertisements and BGP community tagging (Juniper and Cisco IOS-XR configuration)

Route origination can be configured on any router with an iBGP session, here a peering to a route reflector. Below is a sample configuration for originating BGP routes and tagging them with a community, on Cisco and Juniper.

Assume these are the summarized prefixes you want to advertise via BGP (placeholders; substitute your own address space):
111.111.0.0/16
222.222.0.0/16


Juniper:

routing-options {
    graceful-restart;
    router-id 1.1.1.1;
    autonomous-system 11111;
}

protocols {
    bgp {
        group RR-IBGP {
            type internal;
            description RR-IPv4;
            local-address 192.168.100.6;
            family inet {
                unicast;
            }
            authentication-key "$1$N3tBioBwfdFsFVwgoGDh.3C0oL"; ## SECRET-DATA
            export bgp-statement;
            neighbor 192.168.100.5 {
                description "iBGP to Route Reflector";
            }
        }
    }
}

policy-options {
    policy-statement bgp-statement {
        term SITE1 {
            from {
                route-filter 111.111.0.0/16 exact;
                route-filter 222.222.0.0/16 exact;
            }
            then {
                community add SITE1;
                accept;
            }
        }
    }
    community SITE1 members 12345:111;
}


In display set:
set routing-options graceful-restart
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 11111

set protocols bgp group RR-IBGP type internal
set protocols bgp group RR-IBGP description RR-IPv4
set protocols bgp group RR-IBGP local-address 192.168.100.6
set protocols bgp group RR-IBGP family inet unicast
set protocols bgp group RR-IBGP authentication-key "$1$N3tBioBwfdFsFVwgoGDh.3C0oL"
set protocols bgp group RR-IBGP export bgp-statement
set protocols bgp group RR-IBGP neighbor 192.168.100.5 description "iBGP to Route Reflector"

set policy-options policy-statement bgp-statement term SITE1 from route-filter 111.111.0.0/16 exact
set policy-options policy-statement bgp-statement term SITE1 from route-filter 222.222.0.0/16 exact
set policy-options policy-statement bgp-statement term SITE1 then community add SITE1
set policy-options policy-statement bgp-statement term SITE1 then accept

set policy-options community SITE1 members 12345:111

Routes that do not match SITE1 fall through to the default BGP export policy, which re-advertises BGP-learned routes and rejects everything else, so the two discard statics are the only locally originated prefixes this policy sends to the route reflector.

Cisco:

 prefix-set SITE1
 111.111.0.0/16,
 222.222.0.0/16
end-set

route-policy bgp-statement
 if destination in SITE1 then
  set community (12345:111)
  endif
end-policy



router bgp 11111
 nsr
 bgp router-id 1.1.1.1
 bgp graceful-restart
  address-family ipv4 unicast
  network 111.111.0.0/16
  network 222.222.0.0/16

 neighbor-group RR-IBG
  remote-as 11111
  password encrypted 2185073C7B74154C
  description RR IBGP GROUP IPV4
  update-source Loopback0
  address-family ipv4 unicast
   soft-reconfiguration inbound
 !
 neighbor 192.168.100.5
  use neighbor-group RR-IBG
  description RR-IPv4
  address-family ipv4 unicast
   route-policy iBGP-policy-in in
   route-policy bgp-statement out

Two points about the IOS-XR side. The network statements only work because 111.111.0.0/16 and 222.222.0.0/16 exist in the RIB, which is what the Null0 static routes in the previous section are for. And RPL drops by default: a route that falls through bgp-statement without matching SITE1 is not advertised, while the set community on a matching route passes it implicitly, so this outbound policy originates exactly the two summaries and nothing else. route-policy iBGP-policy-in is referenced here but not shown on this page; it has to exist before the neighbor configuration that references it is committed.

In Formal:

prefix-set SITE1
 111.111.0.0/16,
 222.222.0.0/16
end-set

route-policy bgp-statement
 if destination in SITE1 then
  set community (12345:111)
  endif
end-policy


router bgp 11111 nsr
router bgp 11111 bgp router-id 1.1.1.1
router bgp 11111 bgp graceful-restart
router bgp 11111 address-family ipv4 unicast
router bgp 11111 address-family ipv4 unicast network 111.111.0.0/16
router bgp 11111 address-family ipv4 unicast network 222.222.0.0/16
router bgp 11111 neighbor-group RR-IBG
router bgp 11111 neighbor-group RR-IBG remote-as 11111
router bgp 11111 neighbor-group RR-IBG password encrypted 2185073C7B74154C
router bgp 11111 neighbor-group RR-IBG description RR IBGP GROUP IPV4
router bgp 11111 neighbor-group RR-IBG update-source Loopback0
router bgp 11111 neighbor-group RR-IBG address-family ipv4 unicast
router bgp 11111 neighbor-group RR-IBG address-family ipv4 unicast soft-reconfiguration inbound
router bgp 11111 neighbor 192.168.100.5
router bgp 11111 neighbor 192.168.100.5 use neighbor-group RR-IBG
router bgp 11111 neighbor 192.168.100.5 description RR-IPv4
router bgp 11111 neighbor 192.168.100.5 address-family ipv4 unicast
router bgp 11111 neighbor 192.168.100.5 address-family ipv4 unicast route-policy iBGP-policy-in in
router bgp 11111 neighbor 192.168.100.5 address-family ipv4 unicast route-policy bgp-statement out

Tuesday, 20 August 2019

Fixing IOU Keygen Error (Running IOS on Linux in EVE-NG)

If you keep getting the error below when generating the license key for IOL (IOS on Linux, also called IOU or IOS on Unix) in EVE-NG, the fix is a one-character change in the keygen script:

darwin@eve-ng:/$ cd /opt/unetlab/addons/iol/bin

darwin@eve-ng:/opt/unetlab/addons/iol/bin$ python keygen.py
*********************************************************************
Cisco IOU License Generator - Kal 2011, python port of 2006 C version
hostid=bada0c0f, hostname=eve-ng, ioukey=bada0e51
Traceback (most recent call last):
  File "./keygen.py", line 18, in <module>
    md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
struct.error: 'i' format requires -2147483648 <= number <= 2147483647

Step 1: Modify the Python script, changing the struct format character i to L
From: md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
To:   md5input=iouPad1 + iouPad2 + struct.pack('!L', ioukey) + iouPad1

The reason: ioukey is 0xbada0e51, which is larger than 2147483647, the largest value the signed 32-bit format 'i' can hold. 'L' packs the same value as an unsigned 32-bit big-endian integer, which represents it correctly.

Run again:
darwin@eve-ng:/opt/unetlab/addons/iol/bin$ python keygen.py
*********************************************************************
Cisco IOU License Generator - Kal 2011, python port of 2006 C version
hostid=bada0c0f, hostname=eve-ng, ioukey=bada0e51

Add the following text to ~/.iourc:
[license]
eve-ng = f2630dfba88daedd;

You can disable the phone home feature with something like:
 echo '127.0.0.127 xml.cisco.com' >> /etc/hosts

Step 2: Put the license key in the iourc file in the IOL bin directory
vi iourc

[license]
eve-ng = f2630dfba88daedd;


Step 3: Start an IOL image to confirm the license is accepted

darwin@eve-ng:/opt/unetlab/addons/iol/bin$ LD_LIBRARY_PATH=/opt/unetlab/addons/iol/lib /opt/unetlab/addons/iol/bin/i86bi-linux-l3-adventerprisek9-15.4.2T.bin 1
***************************************************************
IOS On Unix - Cisco Systems confidential, internal use only
Under no circumstances is this software to be provided to any
non Cisco staff or customers.  To do so is likely to result
in disciplinary action. Please refer to the IOU Usage policy at
wwwin-iou.cisco.com for more information.
***************************************************************

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706


Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.4(2)T, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 27-Mar-14 01:08 by prod_rel_team


This product contains cryptographic features and is subject to United
--omitted lines --

Configuring Port Monitoring in Cisco Catalyst 4948 (via network optical tap)


SPAN mirrors the received or transmitted (or both) traffic of one or more source ports to a destination port for analysis: a copy of every packet received or sent on the source interfaces is sent out of the destination interface.

Prerequisites:

Understand how an optical tap works. Two useful references (credit to their owners):
Link: https://community.fs.com/blog/do-you-know-about-optical-tap-test-access-point-cassettes.html
https://en.wikipedia.org/wiki/Network_tap#/media/File:Optical-tap-schema-wiki.gif




Setup:
Cisco Catalyst 4948
2 routers connected via an optical tap, with the tap's monitor ports cabled to Te1/49 and Te1/50 of the 4948

Network Diagram:

Step 1: Physically connect the links as per the diagram above, and connect a UTP cable from switch port Gi1/47 to the Ethernet port of the PC that will run the packet analyzer.

Step 2: Configure 4948 Switch
Cisco 4948 Configuration:
4948#conf t
interface TenGigabitEthernet1/49
 description 10GE Conn to Router1 (via optical tap)
 switchport access vlan 100
 switchport mode access
 ip access-group dhcp-traffic in
 load-interval 30
 udld port disable
 no cdp enable
 no shutdown
!
interface TenGigabitEthernet1/50
 description 10GE Conn to Switch1 (via optical tap)
 switchport access vlan 200
 switchport mode access
 ip access-group dhcp-traffic in
 udld port disable
 no cdp enable
 no shutdown

interface GigabitEthernet1/47
 description GE Connection to RemoteServer
 load-interval 30
 spanning-tree bpdufilter enable
 no shutdown

monitor session 15 source interface Te1/49 - 50
monitor session 15 destination interface Gi1/47
monitor session 15 filter packet-type good rx
monitor session 15 filter ip access-group dhcp-traffic


[Optional]
To capture only certain traffic, configure an ACL and apply it as shown above, both on the source ports and as the session filter. The ACL below matches DHCP (bootps/bootpc) and DNS; because the source ports only ever receive the tap's copies, dropping everything else there does not affect production traffic.
 ip access-list extended dhcp-traffic
 permit udp any eq domain any
 permit udp any any eq domain
 permit udp any range bootps bootpc any range bootps bootpc
 deny   ip any any


Step 3: Verify the configuration and the traffic. The destination port status should be "monitoring". Ingress: Disabled in the session output, together with bpdufilter on Gi1/47, means the capture host cannot inject anything into the monitored network through this port.

4948-Switch#show monitor session all
Session 15
----------
Type                   : Local Session
Source Ports           :
    Both               : Te1/49-52
Destination Ports      : Gi1/47
    Encapsulation      : Native
          Ingress      : Disabled
         Learning : Disabled
Filter Pkt Type        :
    RX Only       : Good
IP Access-group        : dhcp-traffic


4948-Switch#show int gi1/47
GigabitEthernet1/47 is up, line protocol is down (monitoring)
  Hardware is Gigabit Ethernet Port, address is 649e.f3ec.0b6e (bia 649e.f3ec.0b6e)
  Description: GE Connection to RemoteServer
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is auto, media type is 10/100/1000-TX
  input flow-control is on, output flow-control is on
  Auto-MDIX on (operational: on)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 3059552617
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec

Step 4: Once traffic is confirmed, open a packet analyzer such as Wireshark or tcpdump on the capture host and inspect the mirrored frames.

Monday, 19 August 2019

Isolating a router from IGP (OSPF and IS-IS) transit traffic by raising its metrics in IOS-XR

This is the usual way to take an IOS-XR router out of the forwarding path before maintenance without tearing down its adjacencies: the router keeps advertising its links, but with metrics that make it unattractive as transit.

@OSPF

Set max-metric in OSPF and OSPFv3 on the IOS-XR device:

RP/0/RSP0/CPU0:IOS-XR(config)#router ospf 65555
 max-metric router-lsa external-lsa
 !
router ospfv3 65555
 stub-router router-lsa v6-bit
  always

Save the changes:
RP/0/RSP0/CPU0:IOS-XR(config)#commit

Verify:
show ospf database router
(this router's LSA now advertises its transit links with metric 65535)

@ISIS

Set the IS-IS overload bit (other routers keep using this router's LSP to reach its own prefixes but stop using it for transit):

router isis XXXX
 set-overload-bit

Save the changes:
RP/0/RSP0/CPU0:IOS-XR(config)#commit

Verify:
show isis database
(this router's LSP is listed with OL set in the ATT/P/OL column)


Wednesday, 10 July 2019

Sample Network Scanning of Routers using Nmap


Nmap (Network Mapper) is a free, open-source tool for network discovery and security auditing. It finds which hosts are up, which ports are open and, with version detection and NSE scripts, which services and versions sit behind them. Use it against your own routers and switches to see which daemons they expose and which protocol options they offer.

where: 192.168.1.1 is your router's IP
Sample 1: service/version detection with the default NSE script set
nmap -sV -sC 192.168.1.1

Sample result:
[networkbio@server ~]$ nmap -sV -sC 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-10 15:12 +08
Nmap scan report for 192.168.1.1
Host is up (0.41s latency).
All 1000 scanned ports on 192.168.1.1 are closed

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.49 seconds

Sample 2: ssh2-enum-algos reports the algorithms the SSH server offers for key exchange, host keys, encryption, MAC and compression, listed by type. This is the quickest way to see whether a device still offers SHA-1 key exchange, CBC ciphers or an ssh-rsa host key.

[networkbio@server ~]$ nmap --script ssh2-enum-algos -p22 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-10 15:06 +08
Nmap scan report for 192.168.1.1
Host is up (0.0017s latency).
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (5)
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (1)
|       ssh-rsa
|   encryption_algorithms (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms (3)
|       hmac-sha2-512
|       hmac-sha2-256
|       hmac-sha1
|   compression_algorithms (1)
|_      none

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
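Added example (written for this page; it is not part of the original post and not an nmap component): the script below takes the text output of Sample 2, reproduced inline as its sample input, and flags the algorithms a hardened device should not offer. The weak list and the reasons are this example's own assumptions based on current OpenSSH defaults and common benchmark guidance; nmap 6.40 itself only lists what the server offers and does not grade it. On the device scanned above the fix would be to restrict the offered set to the sha2 KEX and MAC variants and to an rsa-sha2 or ed25519 host key, where the platform allows it.

```python
"""Flag weak algorithms in nmap ssh2-enum-algos output.

Added example, not from the original post. Parses the text output of
`nmap --script ssh2-enum-algos` and reports algorithms that should be
disabled on a hardened device. The weak list is this script's own.
"""
import re

# Constructed sample: the algorithm lists from the scan shown above.
SAMPLE_OUTPUT = """\
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms (5)
|       ecdh-sha2-nistp521
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms (1)
|       ssh-rsa
|   encryption_algorithms (3)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms (3)
|       hmac-sha2-512
|       hmac-sha2-256
|       hmac-sha1
|   compression_algorithms (1)
|_      none
"""

# Exact names with the reason they are flagged (assumptions of this script).
WEAK = {
    "diffie-hellman-group1-sha1": "1024-bit group, SHA-1 (deprecated)",
    "diffie-hellman-group14-sha1": "SHA-1 key exchange; prefer -sha256 or curve25519",
    "diffie-hellman-group-exchange-sha1": "SHA-1 key exchange",
    "ssh-rsa": "RSA with SHA-1 signatures; use rsa-sha2-256/512 or ed25519",
    "ssh-dss": "1024-bit DSA host key",
    "arcfour": "RC4", "arcfour128": "RC4", "arcfour256": "RC4",
    "3des-cbc": "64-bit block cipher (Sweet32)",
}
# Patterns catch whole families: CBC ciphers, SHA-1/MD5 MACs, short MAC tags.
WEAK_PATTERNS = [
    (re.compile(r"-cbc$"), "CBC mode cipher"),
    (re.compile(r"^hmac-(md5|sha1)(-96)?$"), "weak MAC"),
    (re.compile(r"^umac-32"), "short MAC tag"),
]


def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} from ssh2-enum-algos output."""
    algos, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):          # only the script's own lines
            continue
        body = line.lstrip("|_").strip()      # "|_" marks the last line
        m = re.match(r"^(\w+_algorithms) \(\d+\)$", body)
        if m:
            current = m.group(1)
            algos[current] = []
        elif current and body and not body.endswith(":"):
            algos[current].append(body)
    return algos


def weak_algorithms(algos):
    """Return [(category, algorithm, reason)] for every flagged entry."""
    flagged = []
    for category, names in algos.items():
        for name in names:
            reason = WEAK.get(name)
            if reason is None:
                for pattern, why in WEAK_PATTERNS:
                    if pattern.search(name):
                        reason = why
                        break
            if reason:
                flagged.append((category, name, reason))
    return flagged


if __name__ == "__main__":
    for cat, name, why in weak_algorithms(parse_enum_algos(SAMPLE_OUTPUT)):
        print(f"{cat:28} {name:36} {why}")
```

Running it over the scan above flags both diffie-hellman-group*-sha1 exchanges, the ssh-rsa host key algorithm and hmac-sha1; the AES-CTR ciphers and the sha2 MACs pass. For a fleet, pipe in nmap -oN output per device and diff the flagged lists against the hardening baseline.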

Sample 3: ssl-enum-ciphers repeatedly initiates SSLv3/TLS connections, each time trying a new cipher suite or compressor, and records whether the host accepts or rejects it; the end result is the list of cipher suites and compressors the server accepts. Here port 443 is closed, so there is nothing to enumerate.

[networkbio@server ~]$ nmap --script ssl-enum-ciphers -p 443 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-10 15:09 +08
Nmap scan report for 192.168.1.1
Host is up (0.0017s latency).
PORT    STATE  SERVICE
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds




Tuesday, 28 May 2019

Bringing up this new baby


Bringing up this new Cisco ASR 9010 with an RSP440 and 24x10GE line cards, running IOS-XR 6.x.x. Ready to go live any time soon.



Wednesday, 15 May 2019

Wipe out running configuration in Cisco IOS-XR



The IOS-XR counterpart of the IOS command "write erase" is "commit replace". Unlike "write erase", which only clears the startup configuration and needs a reload to take effect, "commit replace" replaces the entire running configuration immediately with whatever is in the target configuration buffer (nothing, if the buffer is empty). It is service affecting, and it also removes the management access, AAA and hostname you are logged in through, so run it from the console, or use "commit replace confirmed <seconds>" so the change rolls back unless you confirm it. The prompt changing from ASR9K to ios at the end of the transcript below shows the hostname being removed.

RP/0/RSP0/CPU0:ASR9K(config)#commit replace ?
  best-effort   Commit the configuration changes via best-effort operation
  comment       Assign a comment to this commit
  confirmed     Rollback this commit unless there is a confirming commit
  force         Override the memory checks
  label         Assign a label to this commit
  save-running  Save running configuration to a file
  show-error    Displays commit failures immediately
  <cr>          Commit the configuration changes via pseudo-atomic operation

RP/0/RSP0/CPU0:ASR9K(config)#commit replace 
Tue May 14 14:20:33.387 SGP

This commit will replace or remove the entire running configuration. This
operation can be service affecting.
Do you wish to proceed? [no]: yes

RP/0/RSP0/CPU0:ios(config)#

Sunday, 12 May 2019

Best Practice Configuration for IOS-XR (Part 1)


Here are sample best-practice commands for IOS-XR devices, for resilience and additional security:

Global config:
nsr process-failures switchover
tcp path-mtu-discovery
tcp selective-ack
logging console disable
snmp-server ifmib stats cache
ssh server logging
no telnet vrf $vrf-name ipv4 server
ssh client source-interface $loopback0
logging events link-status software-interfaces

Admin config:
upgrade fpd all loc all
fpd auto-upgrade

Interface config:
interface name
  ipv4 unreachable disable
  ipv6 unreachable disable
  dampening 1 xxx yyy 1

OSPF config:
router ospf xxx
 graceful-restart
router ospfv3 xxx
 graceful-restart

MPLS LDP:
mpls ldp neighbor <ip_address> password <pwd>

AAA:
aaa authorization exec default group tacacs+ none
aaa authorization commands default group tacacs+ none

The trailing none method means that when no TACACS+ server answers, exec and command authorization succeed without any check. That keeps the router manageable during a server outage, but it also means an outage (or a blocked path to the server) removes command authorization entirely, so make sure this is a conscious choice.

Monday, 6 May 2019

How to upgrade Field Programmable Device (FPD) on Cisco IOS XR



As per Cisco official documentation, the definition of FPD as follows:
An FPD refers to any programmable hardware device on a router, which includes a Field Programmable Gate Array (FPGA) and Read Only Memory Monitor (ROMMON). Cisco IOS® XR routers use a number of FPDs that are crucial for the function of route processors, line cards, shared port adapters (SPAs), SPA Interface Processors (SIPs), and fan trays.


1. Use 'admin show hw-module fpd location all' to list the FPDs and whether each one needs an upgrade (the Upg/Dng? column)
Sample:

RP/0/RSP0/CPU0:CISCO-A9K#admin show hw-module fpd location all

===================================== ==========================================
                                      Existing Field Programmable Devices
                                      ==========================================
                                        HW                       Current SW Upg/
Location     Card Type                Version Type Subtype Inst   Version   Dng?
============ ======================== ======= ==== ======= ==== =========== ====
0/RSP0/CPU0  A9K-RSP880-TR              1.0   lc   cbc     0      34.38     No
                                              lc   rommon  0      10.59     No
                                              lc   fpga2   0       0.57     No
                                              lc   fsbl    0       1.103    No
                                              lc   lnxfw   0       1.103    No
                                              lc   fpga3   0       0.16     No
                                              lc   fpga4   0       0.16     No
                                              lc   fpga5   0       0.12     No
                                              lc   fpga6   0       0.06     No
--------------------------------------------------------------------------------
0/FT0/SP     ASR-9010-FAN-V2            1.0   ft   cbc     7      29.12     No
--------------------------------------------------------------------------------
0/FT1/SP     ASR-9010-FAN-V2            1.0   ft   cbc     8      29.12     No
--------------------------------------------------------------------------------
0/BPID0/SP   ASR-9010-BPID2             1.0   bp   cbc     11      7.105    No
--------------------------------------------------------------------------------
0/PS0/M0/SP  PWR-6KW-AC-V3              1.0   pm   fpga11  13      4.03^    Yes
                                              pm   fpga12  13      4.01^    Yes
                                              pm   fpga13  13      4.02^    Yes
--------------------------------------------------------------------------------
0/PS0/M1/SP  PWR-6KW-AC-V3              1.0   pm   fpga11  14      4.03^    Yes
                                              pm   fpga12  14      4.01^    Yes
                                              pm   fpga13  14      4.02^    Yes
--------------------------------------------------------------------------------
0/PS1/M0/SP  PWR-6KW-AC-V3              1.0   pm   fpga11  17      4.03^    Yes
                                              pm   fpga12  17      4.01^    Yes
                                              pm   fpga13  17      4.02^    Yes
--------------------------------------------------------------------------------
0/PS1/M1/SP  PWR-6KW-AC-V3              1.0   pm   fpga11  18      4.03^    Yes
                                              pm   fpga12  18      4.01^    Yes
                                              pm   fpga13  18      4.02^    Yes

NOTES:
1.  One or more FPD needs an upgrade.  This can be accomplished
    using the "admin> upgrade hw-module fpd <fpd> location <loc>" CLI.
2.  ^ One or more FPD will be intentionally skipped from upgrade using CLI with option "all" or during "Auto fpd".
      It can be upgraded only using the "admin> upgrade hw-module fpd <fpd> location <loc>" CLI with exact location.

Note: the FAN, RSP and backplane entries show "No" in the Upg/Dng? column, so they need nothing, while the PWR-6KW power supplies show "Yes". The ^ next to their versions is what the second note in the output refers to: these FPDs are deliberately skipped by "upgrade hw-module fpd all location all" and by auto-upgrade, and can only be upgraded by naming their exact location.
As the output says, the upgrade is done with
 "admin> upgrade hw-module fpd <fpd> location <loc>"
and everything that is not marked with ^ can be upgraded in one go with:
admin>upgrade hw-module fpd all location all
This upgrades the FPDs of all cards inserted in the router, but it does not always do everything that is needed, as the ^ entries show: for those the location has to be specified, which is what the second run below does.
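Added example (written for this page; not from the original post and not a Cisco tool): a Python parser for the table above, trimmed to a few rows here as the sample input, that works out which FPDs "location all" will actually touch and which need the explicit-location form because of the ^ marker, and emits the corresponding commands. It assumes the column layout shown on this page and nothing else.

```python
"""Work out the FPD upgrade plan from 'admin show hw-module fpd location all'.

Added example, not from the original post. Rows whose version carries a
'^' are skipped by "upgrade hw-module fpd all location all", so they need
their own command with the exact location.
"""

# Constructed sample: a trimmed copy of the table shown above.
SAMPLE_SHOW_FPD = """\
===================================== ==========================================
                                      Existing Field Programmable Devices
                                      ==========================================
                                        HW                       Current SW Upg/
Location     Card Type                Version Type Subtype Inst   Version   Dng?
============ ======================== ======= ==== ======= ==== =========== ====
0/RSP0/CPU0  A9K-RSP880-TR              1.0   lc   cbc     0      34.38     No
                                              lc   rommon  0      10.59     No
                                              lc   fpga2   0       0.57     No
--------------------------------------------------------------------------------
0/FT0/SP     ASR-9010-FAN-V2            1.0   ft   cbc     7      29.12     No
--------------------------------------------------------------------------------
0/BPID0/SP   ASR-9010-BPID2             1.0   bp   cbc     11      7.105    No
--------------------------------------------------------------------------------
0/PS0/M0/SP  PWR-6KW-AC-V3              1.0   pm   fpga11  13      4.03^    Yes
                                              pm   fpga12  13      4.01^    Yes
                                              pm   fpga13  13      4.02^    Yes
--------------------------------------------------------------------------------
0/PS0/M1/SP  PWR-6KW-AC-V3              1.0   pm   fpga11  14      4.03^    Yes
                                              pm   fpga12  14      4.01^    Yes
                                              pm   fpga13  14      4.02^    Yes

NOTES:
1.  One or more FPD needs an upgrade.
"""


def parse_fpd_table(text):
    """Return one dict per FPD row; continuation rows inherit the location."""
    entries, location, card, hw, in_table = [], None, None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not in_table:                      # skip everything up to the header
            in_table = line.startswith("Location")
            continue
        if line.startswith("NOTES"):          # end of the table
            break
        if not line.strip() or line.lstrip()[0] in "=-":
            continue                          # separators and blank lines
        tokens = line.split()
        if not raw.startswith(" "):           # a row that starts a new location
            location, card, hw = tokens[:3]
            tokens = tokens[3:]
        ftype, subtype, inst, version, upg = tokens
        entries.append({
            "location": location, "card": card, "hw_version": hw,
            "type": ftype, "subtype": subtype, "inst": inst,
            "version": version.rstrip("^"),
            "needs_upgrade": upg == "Yes",
            "skipped_by_all": version.endswith("^"),
        })
    return entries


def plan_upgrades(entries):
    """Return the admin commands needed to upgrade every flagged FPD."""
    via_all, explicit = [], {}
    for e in entries:
        if not e["needs_upgrade"]:
            continue
        if e["skipped_by_all"]:
            explicit.setdefault(e["location"], []).append(e["subtype"])
        else:
            via_all.append(e)
    commands = [f"upgrade hw-module fpd all location {loc}" for loc in explicit]
    if via_all:                               # one run covers all unmarked rows
        commands.insert(0, "upgrade hw-module fpd all location all")
    return commands


if __name__ == "__main__":
    rows = parse_fpd_table(SAMPLE_SHOW_FPD)
    for cmd in plan_upgrades(rows):
        print(cmd)
```

On the trimmed sample this prints one explicit-location command per power module and no "location all" run, because nothing that "all" would touch is flagged; that matches the empty result of the chassis-wide run shown next. Remember that each upgraded module still has to be reloaded, as the device's own reload reminder says.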

RP/0/RSP0/CPU0:CISCO-A9K(admin)#upgrade hw-module fpd all location all


This can take some time for a full chassis.
Ensure that system is not power cycled during the upgrades.
Please consult the documentation for more information.

***** UPGRADE WARNING MESSAGE: *****
  *  This upgrade operation has a maximum timout of 90 minutes.  *
  *  If you are executing the cmd for one specific location and  *
  *  card in that location reloads or goes down for some reason  *
  *  you can press CTRL-C to get back the RP's prompt.           *
  *  If you are executing the cmd for _all_ locations and a node *
  *  reloads or is down please allow other nodes to finish the   *
  *  upgrade process before pressing CTRL-C.                     *

% RELOAD REMINDER:
  - The upgrade operation of the target module will not interrupt its normal
    operation. However, for the changes to take effect, the target module
    will need to be manually reloaded after the upgrade operation. This can
    be accomplished with the use of "hw-module <target> reload" command.
  - If automatic reload operation is desired after the upgrade, please use
    the "reload" option at the end of the upgrade command.
  - The output of "show hw-module fpd location" command will not display
    correct version information after the upgrade if the target module is
    not reloaded.
NOTE: Chassis CLI will not be accessible while upgrade is in progress.
Continue ? [no]: yes

No fpd on location 0/RSP0/CPU0 need upgrade at this time.
No fpd on location 0/RSP1/CPU0 need upgrade at this time.
No fpd on location 0/0/CPU0 need upgrade at this time.
No fpd on location 0/1/CPU0 need upgrade at this time.
No fpd on location 0/2/CPU0 need upgrade at this time.

Example:
RP/0/RSP0/CPU0:CISCO-A9K(admin)#upgrade hw-module fpd all location 0/PS0/M1/SP

***** UPGRADE WARNING MESSAGE: *****
  *  This upgrade operation has a maximum timout of 90 minutes.  *
  *  If you are executing the cmd for one specific location and  *
  *  card in that location reloads or goes down for some reason  *
  *  you can press CTRL-C to get back the RP's prompt.           *
  *  If you are executing the cmd for _all_ locations and a node *
  *  reloads or is down please allow other nodes to finish the   *
  *  upgrade process before pressing CTRL-C.                     *

% RELOAD REMINDER:
  - The upgrade operation of the target module will not interrupt its normal
    operation. However, for the changes to take effect, the target module
    will need to be manually reloaded after the upgrade operation. This can
    be accomplished with the use of "hw-module <target> reload" command.
  - If automatic reload operation is desired after the upgrade, please use
    the "reload" option at the end of the upgrade command.
  - The output of "show hw-module fpd location" command will not display
    correct version information after the upgrade if the target module is
    not reloaded.
NOTE: Chassis CLI will not be accessible while upgrade is in progress.
Continue ? [no]: yes



FPD upgrade in progress on some hardware, reload/configuration change
on those is not recommended as it might cause HW programming failure
and result in RMA of the hardware.


Starting the upgrade/download of following FPDs:
=========== ==== ======= ======= =========== =========
                                   Current    Upg/Dng
Location    Type Subtype Upg/Dng   Version    Version
=========== ==== ======= ======= =========== =========
0/PS0/M1/SP pm   fpga11  upg         4.03        4.04 
            pm   fpga12  upg         4.01        4.02 
            pm   fpga13  upg         4.02        4.03 
------------------------------------------------------

Upgrading Delta Power Module Firmware
0/PS0/M1/SP : module: Delta AC V3, upgrade supprted: Parallel

Current power supply 0/PS0/M1/SP firmware version: (Logic 4.3) (Secondary 4.2) (Primary 4.1)

Starting firmware upgrade of power supply 0/PS0/M1/SP Primary 54V micro-controller 0
File path = /net/node0_RSP0_CPU0/disk0:/asr9k-fpd-6.2.3.sp4-1.0.0/fpd/ucode/delta_v3_ac_primary_mcu.bin.gz, Image start 0x1800, No of pages = 64, No of blocks/page = 4, xmit_size = 64

Unzipping the file /net/node0_RSP0_CPU0/disk0:/asr9k-fpd-6.2.3.sp4-1.0.0/fpd/ucode/delta_v3_ac_primary_mcu.bin.gz

Unzipping of file /net/node0_RSP0_CPU0/disk1a:/fpd/delta_v3_ac_primary_mcu.bin.gz complete

FPD upgrade in progress. Max timeout remaining 89 min.
Upgraded power supply 0/PS0/M1/SP firmware version: (Logic 4.3) (Secondary 4.2) (Primary 4.2)

FPD upgrade in progress. Max timeout remaining 88 min.

Upgrading Delta Power Module Firmware
0/PS0/M1/SP : module: Delta AC V3, upgrade supprted: Serial

Current power supply 0/PS0/M1/SP firmware version: (Logic 4.3) (Secondary 4.2) (Primary 4.2)

Starting firmware upgrade of power supply 0/PS0/M1/SP Secondary 5V micro-controller 0
File path = /net/node0_RSP0_CPU0/disk0:/asr9k-fpd-6.2.3.sp4-1.0.0/fpd/ucode/delta_v3_ac_sec5v_mcu.bin.gz, Image start 0x2000, No of pages = 896, No of blocks/page = 1, xmit_size = 64

Unzipping the file /net/node0_RSP0_CPU0/disk0:/asr9k-fpd-6.2.3.sp4-1.0.0/fpd/ucode/delta_v3_ac_sec5v_mcu.bin.gz

Unzipping of file /net/node0_RSP0_CPU0/disk1a:/fpd/delta_v3_ac_sec5v_mcu.bin.gz complete

FPD upgrade in progress. Max timeout remaining 87 min.
FPD upgrade in progress. Max timeout remaining 86 min.
FPD upgrade in progress. Max timeout remaining 85 min.
Upgraded power supply 0/PS0/M1/SP firmware version: (Logic 4.4) (Secondary 4.2) (Primary 4.2)

Upgrading Delta Power Module Firmware
0/PS0/M1/SP : module: Delta AC V3, upgrade supprted: Parallel

Current power supply 0/PS0/M1/SP firmware version: (Logic 4.4) (Secondary 4.2) (Primary 4.2)

Starting firmware upgrade of power supply 0/PS0/M1/SP Secondary 54V micro-controller 0
File path = /net/node0_RSP0_CPU0/disk0:/asr9k-fpd-6.2.3.sp4-1.0.0/fpd/ucode/delta_v3_ac_sec54v_mcu.bin.gz, Image start 0x2000, No of pages = 640, No of blocks/page = 1, xmit_size = 64

Unzipping the file /net/node0_RSP0_CPU0/disk0:/asr9k-fpd-6.2.3.sp4-1.0.0/fpd/ucode/delta_v3_ac_sec54v_mcu.bin.gz

Unzipping of file /net/node0_RSP0_CPU0/disk1a:/fpd/delta_v3_ac_sec54v_mcu.bin.gz complete

FPD upgrade in progress. Max timeout remaining 84 min.
FPD upgrade in progress. Max timeout remaining 83 min.
FPD upgrade in progress. Max timeout remaining 82 min.
FPD upgrade in progress. Max timeout remaining 81 min.
FPD upgrade in progress. Max timeout remaining 80 min.
Upgraded power supply 0/PS0/M1/SP firmware version: (Logic 4.4) (Secondary 4.3) (Primary 4.2)

Successfully upgraded    fpga11 for        PWR-6KW-AC-V3 on location 0/PS0/M1/SP from  4.03 to  4.04
Successfully upgraded    fpga12 for        PWR-6KW-AC-V3 on location 0/PS0/M1/SP from  4.01 to  4.02
Successfully upgraded    fpga13 for        PWR-6KW-AC-V3 on location 0/PS0/M1/SP from  4.02 to  4.03

FPD upgrade has ended.
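Because the upgrade output only reports per-FPD success lines, a scripted check that every row in the "Starting the upgrade/download of following FPDs" table has a matching "Successfully upgraded" line is a useful gate before reloading the module. This is an added example, not code from the original post; the log it runs on is a constructed sample trimmed from the output format above, with one success line deliberately left out to show the failure case.

```python
import re

# Constructed sample in the format shown above: the planned table uses
# continuation rows (blank Location column), and fpga13 never reports success.
SAMPLE_LOG = """\
Starting the upgrade/download of following FPDs:
=========== ==== ======= ======= =========== =========
                                   Current    Upg/Dng
Location    Type Subtype Upg/Dng   Version    Version
=========== ==== ======= ======= =========== =========
0/PS0/M1/SP pm   fpga11  upg         4.03        4.04
            pm   fpga12  upg         4.01        4.02
            pm   fpga13  upg         4.02        4.03
------------------------------------------------------
Successfully upgraded    fpga11 for        PWR-6KW-AC-V3 on location 0/PS0/M1/SP from  4.03 to  4.04
Successfully upgraded    fpga12 for        PWR-6KW-AC-V3 on location 0/PS0/M1/SP from  4.01 to  4.02
FPD upgrade has ended.
"""

# A table row: optional location, type, subtype, upg/dng, current and target version.
PLAN_ROW = re.compile(
    r"^(?P<loc>\S+)?\s+(?P<type>\w+)\s+(?P<sub>\w+)\s+(?P<op>upg|dng)"
    r"\s+(?P<cur>[\d.]+)\s+(?P<new>[\d.]+)\s*$")
OK_LINE = re.compile(
    r"^Successfully upgraded\s+(?P<sub>\w+) for\s+\S+ on location (?P<loc>\S+)"
    r" from\s+(?P<cur>[\d.]+) to\s+(?P<new>[\d.]+)")

def parse_plan(text):
    """Return (location, subtype, op, current, target) per planned FPD.
    A blank Location column means 'same location as the row above'."""
    rows, loc = [], None
    for line in text.splitlines():
        m = PLAN_ROW.match(line)
        if not m:
            continue
        loc = m.group("loc") or loc          # carry location forward
        rows.append((loc, m.group("sub"), m.group("op"), m.group("cur"), m.group("new")))
    return rows

def parse_successes(text):
    """Set of (location, subtype, new_version) that reported success."""
    return {(m.group("loc"), m.group("sub"), m.group("new"))
            for m in map(OK_LINE.match, text.splitlines()) if m}

def verify_upgrade(text):
    """Compare the plan with the success lines; 'missing' lists FPDs to re-run
    with an explicit location before any reload."""
    plan, done = parse_plan(text), parse_successes(text)
    missing = [(loc, sub, new) for loc, sub, _op, _cur, new in plan
               if (loc, sub, new) not in done]
    return {"planned": len(plan), "succeeded": len(plan) - len(missing),
            "missing": missing}
```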