Saturday, March 21, 2015

Configuring OSPF for IPv6

My daughter and I celebrated our birthday together in Dubai this month. My kid is really growing taller and has started to outsmart both me and my wife. We stayed at Atlantis, The Palm, a resort situated on a man-made island in the shape of a palm tree. We enjoyed swimming at the water theme park (Adventure Cove) and staring at the huge aquariums (The Lost Chambers), where you can see lots of sharks, stingrays and other sea creatures.


I tend to get a bit intimidated whenever I see and work with IPv6 addresses, maybe because of their length and different notation (hexadecimal with colons). I started configuring and troubleshooting with actual IPv6 addresses back in 2012, when I was still working at an ISP.

We still have plenty of public IPv4 address space in my current company, and I'm lucky that I've maximized my IPv4 skills over the years. It won't be long before everyone works completely with IPv6. Some predictions say that IPv4 will become obsolete by 2040. I can just imagine how we would sound when troubleshooting over the phone with other IT folks.


R1(config)#interface loopback0
R1(config-if)#
*Jan  9 23:28:53.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#ipv6 address ?
  WORD                General prefix name
  X:X:X:X::X          IPv6 link-local address
  X:X:X:X::X/<0-128>  IPv6 prefix
  autoconfig          Obtain address using autoconfiguration
  dhcp                Obtain a ipv6 address using dhcp

R1(config-if)#ipv6 address FEC0::1:1/112    // USE no ipv6 address <address> TO REMOVE IPv6 ADDRESS; ISSUING ipv6 address MULTIPLE TIMES ONLY ADDS MORE ADDRESSES THAN REPLACING THEM

R2(config)#interface loopback0    // IPv4 AND IPv6 RUN INDEPENDENTLY
R2(config-if)#
*Jan  9 22:11:52.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R2(config-if)#ip address 10.1.2.1 255.255.255.0
R2(config-if)#ipv6 address FEC0::2:1/112


R3(config)#interface loopback0
R3(config-if)#ip address 10.1
*Jan  9 22:50:02.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R3(config-if)#ip address 10.1.3.1 255.255.255.0
R3(config-if)#ipv6 address FEC0::3:1/112


R1(config)#interface s0/0/0
R1(config-if)#ipv6 address FEC0::12:1/112
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#
*Jan  9 23:34:30.207: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R1(config)#interface s0/0/1
R1(config-if)#ipv6 address FEC0::13:1/112
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
R1(config-if)#
*Jan  9 23:35:23.967: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down


R2(config)#interface s0/0/0
R2(config-if)#ipv6 address FEC0::12:2/112
R2(config-if)#bandwidth 64
R2(config-if)#no shutdown
R2(config-if)#
*Jan  9 22:18:00.451: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jan  9 22:18:01.451: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping ipv6 FEC0::12:1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::12:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms


R3(config)#interface s0/0/0
R3(config-if)#ipv6 address FEC0::13:3/112
R3(config-if)#clockrate 64000
R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
R3(config-if)#
*Jan  9 22:56:41.359: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jan  9 22:56:42.359: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R3(config-if)#do ping ipv6 FEC0::13:1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::13:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R3(config-if)#


R1#ping FEC0::12:2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::12:2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms


R1#ping FEC0::13:3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::13:3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms


R2#ping FEC0::12:1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::12:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms


R3#ping FEC0::13:1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::13:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms


R1#show ipv6 interface s0/0/0
Serial0/0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20A:B8FF:FEF8:8392     // LINK-LOCAL ADDRESS; NOT ROUTED
  No Virtual link-local address(es):
  Global unicast address(es):
    FEC0::12:1, subnet is FEC0::12:0/112
  Joined group address(es):
    FF02::1
    FF02::1:FF12:1
    FF02::1:FFF8:8392
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 37426)


R2#show ipv6 interface s0/0/0
Serial0/0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21C:58FF:FE89:AE8E  
  No Virtual link-local address(es):
  Global unicast address(es):
    FEC0::12:2, subnet is FEC0::12:0/112
  Joined group address(es):
    FF02::1
    FF02::1:FF12:2
    FF02::1:FF89:AE8E
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 39070)


R1(config)#interface s0/0/0
R1(config-if)#ipv6 address FE80::1 ?
  link-local  Use link-local address

R1(config-if)#ipv6 address FE80::1 link-local


R2(config)#interface s0/0/0
R2(config-if)#ipv6 address FE80::2 link-local


R1#ping ?
  WORD       Ping destination address or hostname
  appletalk  Appletalk echo
  clns       CLNS echo
  decnet     DECnet echo
  ethernet   Ethernet echo
  ip         IP echo
  ipv6       IPv6 echo
  ipx        Novell/IPX echo
  srb        srb echo
  tag        Tag encapsulated IP echo
  <cr>

R1#ping FE80::2    // PING REMOTE LINK-LOCAL ADDRESS; MUST SPECIFY OUTGOING INTERFACE
Output Interface: s0/0/0
% Invalid interface. Use full interface name without spaces (e.g. Serial0/1)
Output Interface: Serial0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::2, timeout is 2 seconds:
Packet sent with a source address of FE80::1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms


R2#ping FE80::1
Output Interface: Serial0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::1, timeout is 2 seconds:
Packet sent with a source address of FE80::2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms


R1#show ipv6 interface s0/0/0
Serial0/0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1    // MODIFYING LINK-LOCAL ADDRESS IS SELDOM USED
  No Virtual link-local address(es):
  Global unicast address(es):
    FEC0::12:1, subnet is FEC0::12:0/112
  Joined group address(es):
    FF02::1
    FF02::1:FF00:1
    FF02::1:FF12:1
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 37426)

R2#show ipv6 interface s0/0/0
Serial0/0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::2   
  No Virtual link-local address(es):
  Global unicast address(es):
    FEC0::12:2, subnet is FEC0::12:0/112
  Joined group address(es):
    FF02::1
    FF02::1:FF00:2
    FF02::1:FF12:2
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 39070)


R2(config)#interface f0/0
R2(config-if)#ipv6 address FECO:23::/64 ?
  X:X:X:X::X/<0-128>  IPv6 prefix

R2(config-if)#ipv6 address FECO:23::/64 ?
  X:X:X:X::X/<0-128>  IPv6 prefix

R2(config-if)#ipv6 address FECO:23::/64 eui-64
                                         ^
% Invalid input detected at '^' marker.

R2(config-if)#no shutdown     // NEED TO UNSHUT PORT TO ENABLE eui-64 KEYWORD
*Jan  9 22:31:01.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed
R2(config-if)#ipv6 address FEC0:23::/64 ?
  anycast  Configure as an anycast
  cga      Use CGA interface identifier
  eui-64   Use eui-64 interface identifier
  <cr>

R2(config-if)#ipv6 address FEC0:23::/64 eui-64


R3(config)#interface f0/0
R3(config-if)#no shutdown
R3(config-if)#
*Jan  9 23:10:06.903: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jan  9 23:10:07.903: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#ipv6 address FEC0:23::/64 eui-64


R2#show ipv6 interface f0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21C:58FF:FE89:AE8E
  No Virtual link-local address(es):
  Global unicast address(es):
    FEC0:23::21C:58FF:FE89:AE8E, subnet is FEC0:23::/64 [EUI]   
  Joined group address(es):
    FF02::1
    FF02::1:FF89:AE8E
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 37623)


R3#show ipv6 interface f0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::21B:D5FF:FE05:9B3A
  No Virtual link-local address(es):
  Global unicast address(es):
    FEC0:23::21B:D5FF:FE05:9B3A, subnet is FEC0:23::/64 [EUI]  
  Joined group address(es):
    FF02::1
    FF02::1:FF05:9B3A
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 26231)


R2#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::21C:58FF:FE89:AE8E
    FEC0:23::21C:58FF:FE89:AE8E  
FastEthernet0/1            [administratively down/down]
    unassigned
Serial0/0/0                [up/up]
    FE80::2
    FEC0::12:2
Serial0/0/1                [administratively down/down]
    unassigned
Loopback0                  [up/up]
    FE80::21C:58FF:FE89:AE8E
    FEC0::2:1


R3#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::21B:D5FF:FE05:9B3A
    FEC0:23::21B:D5FF:FE05:9B3A   
FastEthernet0/1            [administratively down/down]
    unassigned
Serial0/0/0                [up/up]
    FE80::21B:D5FF:FE05:9B3A
    FEC0::13:3
Serial0/0/1                [down/down]
    unassigned
Loopback0                  [up/up]
    FE80::21B:D5FF:FE05:9B3A
    FEC0::3:1


R2#ping FEC0:23::21B:D5FF:FE05:9B3A

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:23::21B:D5FF:FE05:9B3A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/2/8 ms


R3#ping FEC0:23::21C:58FF:FE89:AE8E

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:23::21C:58FF:FE89:AE8E, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
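The link-local and `[EUI]` addresses in the output above are not arbitrary: the router derives them from the interface MAC address, and the `Joined group address(es)` lines list the solicited-node multicast groups that Neighbor Discovery and DAD use for each unicast address on the interface. The Python below is an added example, not part of the post, that reproduces both derivations and also runs them backwards to recover the MAC. The MAC addresses are assumptions read back from the link-local addresses shown (R1 `00:0A:B8:F8:83:92`, R2 `00:1C:58:89:AE:8E`, R3 `00:1B:D5:05:9B:3A`), and results are uppercased to match IOS. One caveat on the prefix used throughout the lab: FEC0::/10 (site-local) was deprecated by RFC 3879, and unique local addresses (FC00::/7) are the current equivalent for private addressing.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC.

    Split the MAC in half, insert FF:FE between the OUI and the device part,
    then invert the universal/local bit (bit 0x02 of the first octet).
    Accepts 00:1c:58:89:ae:8e, 00-1C-58-89-AE-8E or Cisco-style 001c.5889.ae8e.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    flipped = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(flipped, "big")

def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 ID, as 'ipv6 address <prefix>/64 eui-64' does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    addr = ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))
    return str(addr).upper()

def link_local_address(mac: str) -> str:
    """Default IOS link-local address: FE80::/64 plus the EUI-64 interface ID."""
    return eui64_address("FE80::/64", mac)

def solicited_node_multicast(address: str) -> str:
    """FF02::1:FF00:0/104 with the low 24 bits of the unicast address (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("FF02::1:FF00:0"))
    return str(ipaddress.IPv6Address(base | low24)).upper()

def mac_from_address(address: str):
    """Recover the MAC from an EUI-64 derived address, or None if the ID is not EUI-64 shaped."""
    iid = int(ipaddress.IPv6Address(address)) & 0xFFFFFFFFFFFFFFFF
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)

if __name__ == "__main__":
    # Assumed MAC for R2, read back from its link-local address in the post.
    r2_mac = "00:1c:58:89:ae:8e"
    print(link_local_address(r2_mac))              # FE80::21C:58FF:FE89:AE8E
    print(eui64_address("FEC0:23::/64", r2_mac))   # FEC0:23::21C:58FF:FE89:AE8E
    print(solicited_node_multicast("FEC0::12:2"))  # FF02::1:FF12:2
    print(mac_from_address("FEC0:23::21B:D5FF:FE05:9B3A"))
```

From a defender's point of view, `mac_from_address` is the interesting function: an EUI-64 address carries the interface MAC, and therefore the vendor OUI, in every globally routable address it forms, which is why hosts usually prefer random or privacy interface identifiers and why the `cga` option in the help output (cryptographically generated addresses) exists. On router links the static addressing the post uses on the serial interfaces avoids the leak entirely.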


R1(config)#ipv6 unicast-routing    // BOTH ARE DISABLED BY DEFAULT
R1(config)#ipv6 cef


R2(config)#ipv6 unicast-routing
R2(config)#ipv6 cef


R3(config)#ipv6 unicast-routing
R3(config)#ipv6 cef


R1(config)#interface loopback0
R1(config-if)#ipv6 ?
IPv6 interface subcommands:
  address             Configure IPv6 address on interface
  authentication      authentication subcommands
  bandwidth-percent   Set EIGRP bandwidth limit
  cef                 Cisco Express Forwarding for IPv6
  cga                 Configure cga on the interface
  dhcp                IPv6 DHCP interface subcommands
  eigrp               Configure EIGRP IPv6 on interface
  enable              Enable IPv6 on interface
  flow                Flow related commands
  hello-interval      Configures IP-EIGRP hello interval
  hold-time           Configures IP-EIGRP hold time
  inspect             Apply inspect name
  mfib                Interface Specific MFIB Control
  mld                 interface commands
  mobile              Mobile IPv6
  mode                Interface mode
  mtu                 Set IPv6 Maximum Transmission Unit
  multicast           multicast
  nat                 Enable IPv6 NAT on interface
  nd                  IPv6 interface Neighbor Discovery subcommands
  next-hop-self       Configures IP-EIGRP next-hop-self
  ospf                OSPF interface commands
  pim                 PIM interface commands
  policy              Enable IPv6 policy routing
  redirects           Enable sending of ICMP Redirect messages
  rip                 Configure RIP routing protocol
  router              IPv6 Router interface commands
  split-horizon       Perform split horizon
  summary-address     Summary prefix
  traffic-filter      Access control list for packets
  unnumbered          Preferred interface for source address selection
  unreachables        Enable sending of ICMP Unreachable messages
  verify              Enable per packet validation
  virtual-reassembly  IPv6 Enable Virtual Fragment Reassembly

R1(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  authentication       Enable authentication
  cost                 Cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  encryption           Enable encryption
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  neighbor             OSPF neighbor
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements
  transmit-delay       Link state transmit delay

R1(config-if)#ipv6 ospf 1 ?
  area  Set the OSPF area ID

R1(config-if)#ipv6 ospf 1 area ?
  <0-4294967295>  OSPF area ID as a decimal value
  A.B.C.D         OSPF area ID in IP address format

R1(config-if)#ipv6 ospf 1 area 0    // IPv6 OSPF USES INTERFACE CONFIG CLI
R1(config-if)#interface s0/0/0
R1(config-if)#ipv6 ospf 1 area 0
R1(config-if)#interface s0/0/1
R1(config-if)#ipv6 ospf 1 area 0


R2(config)#interface loopback0
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#interface s0/0/0
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#
*Jan  9 22:43:01.623: %OSPFv3-5-ADJCHG: Process 1, Nbr 10.1.1.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R2(config-if)#interface f0/0
R2(config-if)#ipv6 ospf 1 area 0


R3(config)#interface loopback0
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#interface s0/0/0
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#
*Jan  9 23:21:11.055: %OSPFv3-5-ADJCHG: Process 1, Nbr 10.1.1.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R3(config-if)#interface f0/0
R3(config-if)#ipv6 ospf 1 area 0
*Jan  9 23:21:59.283: %OSPFv3-5-ADJCHG: Process 1, Nbr 10.1.2.1 on FastEthernet0/0 from LOADING to FULL, Loading Done    // TOOK FEW SECONDS TO FORM ADJACENCY


R1#show ipv6 ospf neighbor     // OSPFv3 PROCESS WILL NOT START UNLESS AN IPv4 ADDRESS IS CONFIGURED FOR ROUTER ID

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
10.1.3.1          1   FULL/  -        00:00:34    5               Serial0/0/1
10.1.2.1          1   FULL/  -        00:00:36    5               Serial0/0/0


R2#show ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
10.1.3.1          1   FULL/DR         00:00:31    3               FastEthernet0/0
10.1.1.1          1   FULL/  -        00:00:34    5               Serial0/0/0


R3#show ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
10.1.2.1          1   FULL/BDR        00:00:35    3               FastEthernet0/0
10.1.1.1          1   FULL/  -        00:00:35    6               Serial0/0/0


R1#show ipv6 route
IPv6 Routing Table - Default - 10 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   FEC0::1:0/112 [0/0]
     via Loopback0, directly connected
L   FEC0::1:1/128 [0/0]
     via Loopback0, receive
O   FEC0::2:1/128 [110/1562]
     via FE80::2, Serial0/0/0
O   FEC0::3:1/128 [110/1562]
     via FE80::21B:D5FF:FE05:9B3A, Serial0/0/1
C   FEC0::12:0/112 [0/0]
     via Serial0/0/0, directly connected
L   FEC0::12:1/128 [0/0]
     via Serial0/0/0, receive
C   FEC0::13:0/112 [0/0]
     via Serial0/0/1, directly connected
L   FEC0::13:1/128 [0/0]
     via Serial0/0/1, receive
O   FEC0:23::/64 [110/1563]
     via FE80::2, Serial0/0/0
     via FE80::21B:D5FF:FE05:9B3A, Serial0/0/1
L   FF00::/8 [0/0]
     via Null0, receive


R2#show ipv6 route
IPv6 Routing Table - Default - 10 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O   FEC0::1:1/128 [110/1562]
     via FE80::1, Serial0/0/0
C   FEC0::2:0/112 [0/0]
     via Loopback0, directly connected
L   FEC0::2:1/128 [0/0]
     via Loopback0, receive
O   FEC0::3:1/128 [110/1]
     via FE80::21B:D5FF:FE05:9B3A, FastEthernet0/0
C   FEC0::12:0/112 [0/0]
     via Serial0/0/0, directly connected
L   FEC0::12:2/128 [0/0]
     via Serial0/0/0, receive
O   FEC0::13:0/112 [110/1563]
     via FE80::21B:D5FF:FE05:9B3A, FastEthernet0/0
C   FEC0:23::/64 [0/0]
     via FastEthernet0/0, directly connected
L   FEC0:23::21C:58FF:FE89:AE8E/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive


R3#show ipv6 route
IPv6 Routing Table - Default - 10 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
       I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
       EX - EIGRP external
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O   FEC0::1:1/128 [110/1562]
     via FE80::20A:B8FF:FEF8:8392, Serial0/0/0
O   FEC0::2:1/128 [110/1]
     via FE80::21C:58FF:FE89:AE8E, FastEthernet0/0
C   FEC0::3:0/112 [0/0]
     via Loopback0, directly connected
L   FEC0::3:1/128 [0/0]
     via Loopback0, receive
O   FEC0::12:0/112 [110/1563]
     via FE80::21C:58FF:FE89:AE8E, FastEthernet0/0
C   FEC0::13:0/112 [0/0]
     via Serial0/0/0, directly connected
L   FEC0::13:3/128 [0/0]
     via Serial0/0/0, receive
C   FEC0:23::/64 [0/0]
     via FastEthernet0/0, directly connected
L   FEC0:23::21B:D5FF:FE05:9B3A/128 [0/0]
     via FastEthernet0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive


R1#show ipv6 ospf interface
Loopback0 is up, line protocol is up
  Link Local Address FE80::20A:B8FF:FEF8:8392, Interface ID 12
  Area 0, Process ID 1, Instance ID 0, Router ID 10.1.1.1
  Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
Serial0/0/1 is up, line protocol is up
  Link Local Address FE80::20A:B8FF:FEF8:8392, Interface ID 6
  Area 0, Process ID 1, Instance ID 0, Router ID 10.1.1.1
  Network Type POINT_TO_POINT, Cost: 1562
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
  Index 1/3/3, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.1.3.1
  Suppress hello for 0 neighbor(s)
Serial0/0/0 is up, line protocol is up
  Link Local Address FE80::1, Interface ID 5
  Area 0, Process ID 1, Instance ID 0, Router ID 10.1.1.1
  Network Type POINT_TO_POINT, Cost: 1562
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
  Index 1/2/2, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 4
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.1.2.1
  Suppress hello for 0 neighbor(s)


R2#show ipv6 ospf interface
Loopback0 is up, line protocol is up
  Link Local Address FE80::21C:58FF:FE89:AE8E, Interface ID 12
  Area 0, Process ID 1, Instance ID 0, Router ID 10.1.2.1
  Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
FastEthernet0/0 is up, line protocol is up
  Link Local Address FE80::21C:58FF:FE89:AE8E, Interface ID 3
  Area 0, Process ID 1, Instance ID 0, Router ID 10.1.2.1
  Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 10.1.3.1, local address FE80::21B:D5FF:FE05:9B3A
  Backup Designated router (ID) 10.1.2.1, local address FE80::21C:58FF:FE89:AE8E
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:01
  Index 1/3/3, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 2
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.1.3.1  (Designated Router)
  Suppress hello for 0 neighbor(s)
Serial0/0/0 is up, line protocol is up
  Link Local Address FE80::2, Interface ID 5
  Area 0, Process ID 1, Instance ID 0, Router ID 10.1.2.1
  Network Type POINT_TO_POINT, Cost: 1562
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
  Index 1/2/2, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 6
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.1.1.1
  Suppress hello for 0 neighbor(s)


R3#show ipv6 ospf interface
Loopback0 is up, line protocol is up
  Link Local Address FE80::21B:D5FF:FE05:9B3A, Interface ID 12
  Area 0, Process ID 1, Instance ID 0, Router ID 10.1.3.1
  Network Type LOOPBACK, Cost: 1
  Loopback interface is treated as a stub Host
FastEthernet0/0 is up, line protocol is up
  Link Local Address FE80::21B:D5FF:FE05:9B3A, Interface ID 3
  Area 0, Process ID 1, Instance ID 0, Router ID 10.1.3.1
  Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.1.3.1, local address FE80::21B:D5FF:FE05:9B3A
  Backup Designated router (ID) 10.1.2.1, local address FE80::21C:58FF:FE89:AE8E
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
  Index 1/3/3, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 4
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.1.2.1  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)
Serial0/0/0 is up, line protocol is up
  Link Local Address FE80::21B:D5FF:FE05:9B3A, Interface ID 5
  Area 0, Process ID 1, Instance ID 0, Router ID 10.1.3.1
  Network Type POINT_TO_POINT, Cost: 1562
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:05
  Index 1/2/2, flood queue length 0
  Next 0x0(0)/0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 4
  Last flood scan time is 0 msec, maximum is 0 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.1.1.1
  Suppress hello for 0 neighbor(s)
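The `Cost: 1562` on the serial interfaces and the `[110/1562]`, `[110/1563]` and `[110/1]` metrics in the route tables above all follow from the IOS default reference bandwidth of 100 Mbit/s divided by the `bandwidth 64` configured on the serial links. The Python below is an added example, not from the post, that models the three-router topology by router ID and recomputes the OSPF routes each router should install, including the equal-cost pair R1 shows for FEC0:23::/64. It simplifies OSPFv3 in two ways that hold for this lab: the two-router FastEthernet segment is treated as a direct edge rather than a DR pseudo-node, and each prefix is taken to be advertised with the metric the route tables imply (0 for a loopback host route, the interface cost for a link prefix).

```python
import heapq

REFERENCE_BW_KBPS = 100_000  # IOS default reference bandwidth: 100 Mbit/s

def ospf_cost(bandwidth_kbps: int) -> int:
    """OSPF interface cost = reference bandwidth / interface bandwidth, truncated, minimum 1."""
    return max(1, REFERENCE_BW_KBPS // bandwidth_kbps)

# Topology from the post: router-id -> {neighbour router-id: link bandwidth in kbit/s}.
LINKS = {
    "10.1.1.1": {"10.1.2.1": 64, "10.1.3.1": 64},           # R1: s0/0/0 to R2, s0/0/1 to R3
    "10.1.2.1": {"10.1.1.1": 64, "10.1.3.1": 100_000},      # R2: s0/0/0 to R1, f0/0 to R3
    "10.1.3.1": {"10.1.1.1": 64, "10.1.2.1": 100_000},      # R3: s0/0/0 to R1, f0/0 to R2
}

# Prefixes each router originates and the metric it advertises for them
# (0 for the loopback host route, the interface cost for a link prefix).
PREFIXES = {
    "10.1.1.1": {"FEC0::1:1/128": 0, "FEC0::12:0/112": ospf_cost(64), "FEC0::13:0/112": ospf_cost(64)},
    "10.1.2.1": {"FEC0::2:1/128": 0, "FEC0::12:0/112": ospf_cost(64), "FEC0:23::/64": ospf_cost(100_000)},
    "10.1.3.1": {"FEC0::3:1/128": 0, "FEC0::13:0/112": ospf_cost(64), "FEC0:23::/64": ospf_cost(100_000)},
}

def shortest_paths(source: str) -> dict:
    """Dijkstra over LINKS: router-id -> total cost from `source`."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, bw in LINKS[u].items():
            nd = d + ospf_cost(bw)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist

def ospf_routes(source: str) -> dict:
    """Return {prefix: (metric, [next-hop router-ids])} for prefixes not connected to `source`.

    Metric = SPF cost to the originating router + the metric it advertises for the
    prefix. Next hops are the neighbours of `source` that lie on a shortest path to
    the originator; equal-cost routes through different originators are merged.
    """
    dist_from = {r: shortest_paths(r) for r in LINKS}
    routes = {}
    for origin, prefixes in PREFIXES.items():
        if origin == source:
            continue
        for prefix, adv_metric in prefixes.items():
            if prefix in PREFIXES[source]:
                continue  # directly connected: installed as C, not O
            metric = dist_from[source][origin] + adv_metric
            hops = sorted(n for n, bw in LINKS[source].items()
                          if ospf_cost(bw) + dist_from[n][origin] == dist_from[source][origin])
            best = routes.get(prefix)
            if best is None or metric < best[0]:
                routes[prefix] = (metric, hops)
            elif metric == best[0]:
                routes[prefix] = (metric, sorted(set(best[1]) | set(hops)))
    return routes

if __name__ == "__main__":
    for router in LINKS:
        print(router)
        for prefix, (metric, hops) in sorted(ospf_routes(router).items()):
            print(f"  O {prefix} [110/{metric}] via {', '.join(hops)}")
```

The same `ipv6 ospf ?` output earlier in the post lists `authentication` and `encryption`; the lab runs with neither, so any device plugged into the FastEthernet segment could form an adjacency and inject prefixes that this SPF would happily install. OSPFv3 has no protocol-level authentication of its own and relies on IPsec AH/ESP for it (RFC 4552), so enabling it on every OSPF-speaking interface is the first hardening step for a production deployment.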


R1#tclsh
R1(tcl)#foreach address {
+>(tcl)#FEC0::1:1
+>(tcl)#FEC0::2:1
+>(tcl)#FEC0::3:1
+>(tcl)#FEC0::12:1
+>(tcl)#FEC0::12:2
+>(tcl)#FEC0::13:1
+>(tcl)#FEC0::13:3
+>(tcl)#FEC0:23::21C:58FF:FE89:AE8E
+>(tcl)#FEC0:23::21B:D5FF:FE05:9B3A
+>(tcl)#} {
+>(tcl)#ping $address }

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::1:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::2:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::3:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::12:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::12:2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::13:1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0::13:3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FEC0:23::21C:58FF:FE89:AE8E, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
Sending 5, 100-byte ICMP Echos to FEC0:23::21B:D5FF:FE05:9B3A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

Thursday, March 12, 2015

Configure GRE over IPsec VPN

I've visited many countries, mostly in Asia, to set up client VPN connections and our Point-of-Presence (POP) connection back to our HQ in Singapore. I started doing network security (with CCNA Security) back in 2012, and I'm now enjoying the travel perks that come with my network security skills. This is me at the Petronas Towers in Kuala Lumpur, Malaysia, where I set up a client site with MetroE as the primary link and DSL Internet as backup.


I've observed that many companies today are buying cheaper but secure WAN solutions, especially for remote locations. Companies also use VPN as a backup WAN solution.

It's fun educating my colleagues, mainly those with routing and switching skills, about security terms, the ASA firewall CLI (mostly NAT) and recipes for creating IPsec VPNs. It also helps me reinforce my network security and ASA firewall knowledge. I always say that the "official" security term is GRE over IPsec, and the mnemonic I use is "GRE is covered by IPsec."


Branch(config)#interface loopback1
Branch(config-if)#
*Jan  3 23:37:17.179: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
Branch(config-if)#description Branch LAN
Branch(config-if)#ip address 192.168.1.1 255.255.255.0
Branch(config-if)#interface s0/0/1
Branch(config-if)#description Connection to ISP
Branch(config-if)#ip address 209.165.200.242 255.255.255.248
Branch(config-if)#bandwidth 64
Branch(config-if)#no shutdown
*Jan  3 23:38:07.179: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down


HQ(config)#interface loopback1
HQ(config-if)#
*Jan  3 22:20:47.579: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
HQ(config-if)#description Headquarters LAN
HQ(config-if)#ip address 10.10.10.1 255.255.255.0
HQ(config-if)#interface s0/0/1
HQ(config-if)#description Connection to ISP
HQ(config-if)#ip address 209.165.200.226 255.255.255.248
HQ(config-if)#clock rate 64000
HQ(config-if)#bandwidth 64
HQ(config-if)#no shutdown
HQ(config-if)#
*Jan  3 22:21:55.527: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jan  3 22:21:56.527: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up


ISP(config)#interface loopback1
ISP(config-if)#
*Jan  3 22:59:50.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
ISP(config-if)#description Simulating the Internet
ISP(config-if)#ip address 209.165.202.129 255.255.255.240
ISP(config-if)#interface s0/0/0
ISP(config-if)#description Connection to Branch
ISP(config-if)#ip address 209.165.200.241 255.255.255.248
ISP(config-if)#clock rate 64000
ISP(config-if)#bandwidth 64
ISP(config-if)#no shutdown
ISP(config-if)#
*Jan  3 23:00:53.167: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jan  3 23:00:54.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
ISP(config-if)#do ping 209.165.200.242

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.242, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
ISP(config-if)#interface s0/0/1
ISP(config-if)#description Connection to HQ
ISP(config-if)#ip address 209.165.200.225 255.255.255.248
ISP(config-if)#bandwidth 64
ISP(config-if)#no shutdown
ISP(config-if)#do ping 209.165.200.226

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
ISP(config-if)#exit
ISP(config)#ip route 209.165.200.232 255.255.255.248 serial0/0/1
ISP(config)#ip route 209.165.200.248 255.255.255.248 serial0/0/0


Branch#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Serial0/0/0                unassigned      YES NVRAM  administratively down down
Serial0/0/1                209.165.200.242 YES manual up                    up 
Loopback1                  192.168.1.1     YES manual up                    up

Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address }

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:   // NO LEARNED ROUTE
.....
Success rate is 0 percent (0/5) 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:   // NO LEARNED ROUTE
.....
Success rate is 0 percent (0/5)


Branch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set   // NO DEFAULT ROUTE TO ISP

     209.165.200.0/29 is subnetted, 1 subnets
C       209.165.200.240 is directly connected, Serial0/0/1
C    192.168.1.0/24 is directly connected, Loopback1


Branch(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.241

HQ(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.225


Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address }

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms


Branch#tclsh
Branch(tcl)#foreach address {
+>209.165.200.241
+>209.165.202.129
+>209.165.200.226
+>} { ping $address source 192.168.1.1 }

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.241, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1   // ISP HAS NO ROUTE BACK TO THE PRIVATE 192.168.1.0/24 (AND ISPs FILTER RFC 1918 SOURCES); NO NAT CONFIGURED YET
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.202.129, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.226, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)


Branch(config)#ip access-list extended BRANCH_NAT_ACL    // SKIP NAT DUE TO ROUTER MEMORY ISSUE
Branch(config-ext-nacl)#remark ?
  LINE  Comment up to 100 characters
  <cr>

Branch(config-ext-nacl)#remark Do not translate Branch LAN to HQ LAN addresses
Branch(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255    // FOR S2S IPSEC VPN
Branch(config-ext-nacl)#remark Translate LAN to all Internet destinations
Branch(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 any   // NAT ACL
Branch(config-ext-nacl)#exit
Branch(config)#ip nat ?
  Stateful           Stateful NAT configuration commands
  create             Create flow entries
  inside             Inside address translation
  log                NAT Logging
  outside            Outside address translation
  piggyback-support  NAT Piggybacking Support
  pool               Define pool of addresses
  portmap            Define portmap of portranges
  service            Special translation for application using non-standard
                     port
  sip-sbc            SIP Session Border Controller commands
  source             Source address translation
  translation        NAT translation entry configuration

Branch(config)#ip nat pool ?
  WORD  Pool name

Branch(config)#ip nat pool BRANCH_NAT_POOL ?
  A.B.C.D        Start IP address
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

Branch(config)#ip nat pool BRANCH_NAT_POOL 209.165.200.249 ?
  A.B.C.D  End IP address

Branch(config)#ip nat pool BRANCH_NAT_POOL 209.165.200.249 209.165.200.254 ?
  netmask        Specify the network mask
  prefix-length  Specify the prefix length

Branch(config)#ip nat pool BRANCH_NAT_POOL 209.165.200.249 209.165.200.254 prefix-length ?
  <1-32>  Prefix length

Branch(config)#ip nat pool BRANCH_NAT_POOL 209.165.200.249 209.165.200.254 prefix-length 29
Branch(config)#
*Jan  3 23:56:03.863: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
Branch(config)#ip nat inside ?
  destination  Destination address translation
  source       Source address translation

Branch(config)#ip nat inside source ?
  list       Specify access list describing local addresses
  route-map  Specify route-map
  static     Specify static local->global mapping

Branch(config)#ip nat inside source list ?
  <1-2699>  Access list number for local addresses
  WORD      Access list name for local addresses

Branch(config)#ip nat inside source list BRANCH_NAT_ACL ?
  interface  Specify interface for global address
  pool       Name pool of global addresses

Branch(config)#ip nat inside source list BRANCH_NAT_ACL pool ?
  WORD  Pool name for global addresses

Branch(config)#ip nat inside source list BRANCH_NAT_ACL pool BRANCH_NAT_POOL

Branch(config)#interface loopback1
Branch(config-if)#ip nat inside
Branch(config-if)#interface s0/0/1
Branch(config-if)#ip nat outside
Branch(config-if)#end
Branch#ping 10.10.10.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1   // NAT-EXEMPT, SO THE PACKET FOLLOWS THE DEFAULT ROUTE TO THE ISP, WHICH CAN'T ROUTE TO HQ's PRIVATE 10.10.0.0/16; AN IPsec VPN IS NEEDED TO CARRY (AND PROTECT) THIS TRAFFIC ACROSS THE PUBLIC INTERNET
.....
Success rate is 0 percent (0/5)


Branch(config)#crypto ?
  ca            Certification authority
  call          Configure Crypto Call Admission Control
  ctcp          Configure cTCP encapsulation
  dynamic-map   Specify a dynamic crypto map template
  engine        Enter a crypto engine configurable menu
  gdoi          Configure GDOI policy
  identity      Enter a crypto identity list
  ipsec         Configure IPSEC policy
  isakmp        Configure ISAKMP policy
  key           Long term key operations
  keyring       Key ring commands
  logging       logging messages
  map           Enter a crypto map
  mib           Configure Crypto-related MIB Parameters
  pki           Public Key components
  provisioning  Secure Device Provisioning
  wui           Crypto HTTP configuration interfaces
  xauth         X-Auth parameters

Branch(config)#crypto isakmp ?
  aggressive-mode       Disable ISAKMP aggressive mode
  client                Set client configuration policy
  default               ISAKMP default policy
  enable                Enable ISAKMP
  fragmentation         IKE Fragmentation enabled if required
  identity              Set the identity which ISAKMP will use
  invalid-spi-recovery  Initiate IKE and send Invalid SPI Notify
  keepalive             Set a keepalive interval for use with IOS peers
  key                   Set pre-shared key for remote peer
  nat                   Set a nat  keepalive interval for use with IOS peers
  peer                  Set Peer Policy
  policy                Set policy for an ISAKMP protection suite
  profile               Define ISAKMP Profiles
  xauth                 Set Extended Authentication values

Branch(config)#crypto isakmp policy ?
  <1-10000>  Priority of protection suite

Branch(config)#crypto isakmp policy 1   // ISAKMP POLICY FOR PHASE 1
Branch(config-isakmp)#?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults

Branch(config-isakmp)#encryption ?
  3des  Three key triple DES
  aes   AES - Advanced Encryption Standard.
  des   DES - Data Encryption Standard (56 bit keys).

Branch(config-isakmp)#encryption aes
Branch(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature

Branch(config-isakmp)#authentication pre-share
Branch(config-isakmp)#group ?
  1   Diffie-Hellman group 1 (768 bit)
  14  Diffie-Hellman group 14 (2048 bit)
  15  Diffie-Hellman group 15 (3072 bit)
  16  Diffie-Hellman group 16 (4096 bit)
  2   Diffie-Hellman group 2 (1024 bit)
  5   Diffie-Hellman group 5 (1536 bit)

Branch(config-isakmp)#group 2   // LAB VALUE; PREFER GROUP 14 OR HIGHER WHERE BOTH PEERS SUPPORT IT
Branch(config-isakmp)#exit
Branch(config)#crypto isakmp ?
  aggressive-mode       Disable ISAKMP aggressive mode
  client                Set client configuration policy
  default               ISAKMP default policy
  enable                Enable ISAKMP
  fragmentation         IKE Fragmentation enabled if required
  identity              Set the identity which ISAKMP will use
  invalid-spi-recovery  Initiate IKE and send Invalid SPI Notify
  keepalive             Set a keepalive interval for use with IOS peers
  key                   Set pre-shared key for remote peer
  nat                   Set a nat  keepalive interval for use with IOS peers
  peer                  Set Peer Policy
  policy                Set policy for an ISAKMP protection suite
  profile               Define ISAKMP Profiles
  xauth                 Set Extended Authentication values

Branch(config)#crypto isakmp key ?
  0     Specifies an UNENCRYPTED password will follow
  6     Specifies an ENCRYPTED password will follow
  WORD  The UNENCRYPTED (cleartext) user password

Branch(config)#crypto isakmp key cisco123 ?
  address   define shared key with IP address
  hostname  define shared key with hostname

Branch(config)#crypto isakmp key cisco123 address 209.165.200.226   // LAB PSK; USE A LONG RANDOM KEY, IDENTICAL ON BOTH PEERS AND SCOPED TO THE PEER ADDRESS
Branch(config)#crypto ipsec ?
  client                Configure a client
  default               Default transform-set
  df-bit                Handling of encapsulated DF bit.
  fragmentation         Handling of fragmentation of near-MTU sized packets
  nat-transparency      IPsec NAT transparency model
  optional              Enable optional encryption for IPSec
  profile               Configure an ipsec policy profile
  security-association  Security association parameters
  transform-set         Define transform and settings

Branch(config)#crypto ipsec transform-set ?
  WORD  Transform set tag

Branch(config)#crypto ipsec transform-set HQ-VPN ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

Branch(config)#crypto ipsec transform-set HQ-VPN esp-3des ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

Branch(config)#crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac   // IPSEC POLICY FOR PHASE 2 (LAB VALUES; 3DES IS LEGACY, PREFER esp-aes WHERE THE IOS IMAGE OFFERS IT)
Branch(cfg-crypto-trans)#exit
Branch(config)#crypto map ?
  WORD  Crypto map tag

Branch(config)#crypto map HQ-MAP ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  gdoi            Configure crypto map gdoi features
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

Branch(config)#crypto map HQ-MAP 10 ?
  gdoi          GDOI
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

Branch(config)#crypto map HQ-MAP 10 ipsec-isakmp   // VPN TUNNEL INFO
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
Branch(config-crypto-map)#?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption

Branch(config-crypto-map)#set ?
  identity              Identity restriction.
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  reverse-route         Reverse Route Injection.
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

Branch(config-crypto-map)#set peer ?
  A.B.C.D  IP address of peer
  WORD     Host name of the peer

Branch(config-crypto-map)#set peer 209.165.200.226
Branch(config-crypto-map)#set transform-set ?
  WORD  Proposal tag

Branch(config-crypto-map)#set transform-set HQ-VPN
Branch(config-crypto-map)#match ?
  address  Match address of packets to encrypt.

Branch(config-crypto-map)#match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name

Branch(config-crypto-map)#match address HQ-VPN-ACL
Branch(config-crypto-map)#exit
Branch(config)#ip access-list extended HQ-VPN-ACL
Branch(config-ext-nacl)#remark Branch to HQ traffic to trigger VPN
Branch(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255   // CRYPTO ACL
Branch(config-ext-nacl)#exit
Branch(config)#interface s0/0/1
Branch(config-if)#crypto ?
  ipsec  Set IPSec parameters
  map    Assign a Crypto Map

Branch(config-if)#crypto map ?
  WORD  Crypto Map tag
  <cr>

Branch(config-if)#crypto map HQ-MAP   // APPLY CRYPTO MAP
*Jan  4 00:15:42.747: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


HQ(config)#crypto isakmp policy 1
HQ(config-isakmp)#encryption aes
HQ(config-isakmp)#authentication pre-share
HQ(config-isakmp)#group 2
HQ(config-isakmp)#exit
HQ(config)#crypto isakmp key cisco123 address 209.165.200.242
HQ(config)#crypto ipsec transform-set BRANCH-VPN esp-3des esp-sha-hmac
HQ(cfg-crypto-trans)#exit
HQ(config)#crypto map BRANCH-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
HQ(config-crypto-map)#set peer 209.165.200.242
HQ(config-crypto-map)#set transform-set BRANCH-VPN
HQ(config-crypto-map)#match address BRANCH-VPN-ACL
HQ(config-crypto-map)#exit
HQ(config)#ip access-list extended BRANCH-VPN-ACL
HQ(config-ext-nacl)#remark HQ to Branch traffic to trigger VPN
HQ(config-ext-nacl)#permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255   // CRYPTO ACL; MIRROR IMAGE OF THE BRANCH ACL
HQ(config-ext-nacl)#exit
HQ(config)#interface s0/0/1
HQ(config-if)#crypto map BRANCH-MAP
HQ(config-if)#
*Jan  3 23:02:38.631: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


Branch#show crypto ?
  call             Show crypto call admission info
  ctcp             cTCP connections
  datapath         Data Path
  debug-condition  Debug Condition filters
  dynamic-map      Crypto map templates
  eli              Encryption Layer Interface
  engine           Show crypto engine info
  gdoi             Show crypto gdoi
  ha               Crypto High Availability information
  identity         Show crypto identity list
  ipsec            Show IPSEC policy
  isakmp           Show ISAKMP
  key              Show long term public keys
  map              Crypto maps
  mib              Show Crypto-related MIB Parameters
  optional         Optional Encryption Status
  pki              Show PKI
  route            Show crypto VPN routes
  ruleset          Show crypto rules on outgoing packets
  session          Show crypto sessions (tunnels)
  sockets          Secure Socket Information
  tech-support     Displays relevant crypto information

Branch#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Serial0/0/1
Session status: DOWN  
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)  
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.10.0.0/255.255.0.0  
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Branch#ping 10.10.10.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.!!!!  
Success rate is 80 percent (4/5), round-trip min/avg/max = 84/84/84 ms    // PING DROPPED DUE TO VPN HANDSHAKE

TUNNEL NEGOTIATION

Branch#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Serial0/0/1
Uptime: 00:00:09
Session status: UP-ACTIVE  
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 209.165.200.226
      Desc: (none)
  IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
          Capabilities:(none) connid:1001 lifetime:23:59:49
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.10.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4501643/3590  
        Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4501643/3590  

Branch#clear crypto isakmp   // TEAR DOWN THE IKE AND IPSEC SAs SO THE NEXT TEST NEGOTIATES FROM SCRATCH
Branch#clear crypto sa


Branch(config)#interface tunnel0   // A CRYPTO-MAP IPSEC VPN CARRIES UNICAST ONLY (NO MULTICAST OR BROADCAST, SO NO DYNAMIC ROUTING PROTOCOLS); GRE OVER IPSEC IS NEEDED
Branch(config-if)#
*Jan  4 00:27:11.739: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch(config-if)#ip address 172.16.100.2 255.255.255.252
Branch(config-if)#tunnel ?
  bandwidth           Set tunnel bandwidth informational parameter
  checksum            enable end to end checksumming of packets
  destination         destination of tunnel
  flow                flow options
  key                 security or selector key
  mode                tunnel encapsulation method
  mpls                MPLS tunnel commands
  path-mtu-discovery  Enable Path MTU Discovery on tunnel
  protection          Enable tunnel protection
  rbscp               Set tunnel RBSCP parameters
  route-via           Select subset of routes for tunnel transport
  sequence-datagrams  drop datagrams arriving out of order
  source              source of tunnel packets
  tos                 set type of service byte
  ttl                 set time to live
  udlr                associate tunnel with unidirectional interface
  vrf                 set tunnel vrf membership

Branch(config-if)#tunnel source ?
  A.B.C.D             ip address
  Async               Async interface
  Auto-Template       Auto-Template interface
  BVI                 Bridge-Group Virtual Interface
  CDMA-Ix             CDMA Ix interface
  CTunnel             CTunnel interface
  Dialer              Dialer interface
  FastEthernet        FastEthernet IEEE 802.3
  Lex                 Lex interface
  Loopback            Loopback interface
  MFR                 Multilink Frame Relay bundle interface
  Multilink           Multilink-group interface
  Null                Null interface
  SSLVPN-VIF          SSLVPN Virtual Interface
  Serial              Serial
  Tunnel              Tunnel interface
  Vif                 PGM Multicast Host interface
  Virtual-Dot11Radio  Virtual dot11 interface
  Virtual-PPP         Virtual PPP interface
  Virtual-Template    Virtual Template interface
  Virtual-TokenRing   Virtual TokenRing
  X:X:X:X::X          IPv6 address
  vmi                 Virtual Multipoint Interface

Branch(config-if)#tunnel source 209.165.200.242
Branch(config-if)#tunnel destination 209.165.200.226
Branch(config-if)#
*Jan  4 00:27:43.055: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up


HQ(config)#interface tunnel0
HQ(config-if)#
*Jan  3 23:10:26.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
HQ(config-if)#ip address 172.16.100.1 255.255.255.252
HQ(config-if)#tunnel source 209.165.200.226
HQ(config-if)#tunnel destination 209.165.200.242
HQ(config-if)#
*Jan  3 23:10:53.603: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up


Branch#show interfaces tunnel0
Tunnel0 is up, line protocol is up  
  Hardware is Tunnel
  Internet address is 172.16.100.2/30  
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set  
  Keepalive not set
  Tunnel source 209.165.200.242, destination 209.165.200.226
  Tunnel protocol/transport GRE/IP   
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Branch#ping 172.16.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/69/72 ms


Branch#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Serial0/0/1
Session status: DOWN    // THE TUNNEL PING WENT IN THE CLEAR: GRE PACKETS (209.165.200.242 -> 209.165.200.226, PROTOCOL 47) DON'T MATCH THE LAN-TO-LAN CRYPTO ACL
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.10.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0


Branch(config)#no ip access-list extended HQ-VPN-ACL
Branch(config)#ip access-list extended HQ-VPN-ACL
Branch(config-ext-nacl)#remark HQ to Branch GRE traffic to trigger VPN
Branch(config-ext-nacl)#permit gre host 209.165.200.242 host 209.165.200.226   // MAKE GRE TRAFFIC INTERESTING


HQ(config)#no ip access-list extended BRANCH-VPN-ACL
HQ(config)#ip access-list extended BRANCH-VPN-ACL
HQ(config-ext-nacl)#remark Branch to HQ GRE traffic to trigger VPN
HQ(config-ext-nacl)#permit gre host 209.165.200.226 host 209.165.200.242


Branch#ping 172.16.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 96/97/100 ms

Branch#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Serial0/0/1
Uptime: 00:00:19
Session status: UP-ACTIVE  
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 209.165.200.226
      Desc: (none)
  IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active  
          Capabilities:(none) connid:1002 lifetime:23:59:40
  IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226   // GRE PROTOCOL 47
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4426451/3580   
        Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4426451/3580    


Branch#ping 10.10.10.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1   // NO ROUTE TO 10.10.0.0/16 OVER TUNNEL0, SO THE PACKET FOLLOWS THE DEFAULT ROUTE TO THE ISP UNENCRYPTED AND (BEING NAT-EXEMPT) WITH ITS PRIVATE SOURCE; IT IS DROPPED THERE
.....
Success rate is 0 percent (0/5)

Branch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 209.165.200.241 to network 0.0.0.0

     172.16.0.0/30 is subnetted, 1 subnets
C       172.16.100.0 is directly connected, Tunnel0
     209.165.200.0/29 is subnetted, 1 subnets
C       209.165.200.240 is directly connected, Serial0/0/1
C    192.168.1.0/24 is directly connected, Loopback1
S*   0.0.0.0/0 [1/0] via 209.165.200.241


Branch(config)#router eigrp 1
Branch(config-router)#network 192.168.1.0 0.0.0.255
Branch(config-router)#network 172.16.100.0 0.0.0.3


HQ(config)#router eigrp 1
HQ(config-router)#network 10.10.0.0 0.0.255.255
HQ(config-router)#network 172.16.100.0 0.0.0.3
HQ(config-router)#
*Jan  3 23:26:09.743: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.100.2 (Tunnel0) is up: new adjacency


Branch#show ip eigrp neighbor
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   172.16.100.1            Tu0               12 00:00:21   88  2151  0  3

Branch#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 209.165.200.241 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
D       172.16.0.0/16 is a summary, 00:01:08, Null0
C       172.16.100.0/30 is directly connected, Tunnel0
     209.165.200.0/29 is subnetted, 1 subnets
C       209.165.200.240 is directly connected, Serial0/0/1
D    10.0.0.0/8 [90/27008000] via 172.16.100.1, 00:00:23, Tunnel0
C    192.168.1.0/24 is directly connected, Loopback1
S*   0.0.0.0/0 [1/0] via 209.165.200.241

Branch#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Serial0/0/1
Uptime: 00:08:38
Session status: UP-ACTIVE  
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 209.165.200.226
      Desc: (none)
  IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
          Capabilities:(none) connid:1002 lifetime:23:51:21
  IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 19 drop 0 life (KB/Sec) 4426449/3081   
        Outbound: #pkts enc'ed 29 drop 1 life (KB/Sec) 4426448/3081   

Branch#ping 10.10.10.1 source 192.168.1.1   // LAN-TO-LAN (SITE-TO-SITE VPN) HAS REACHABILITY

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 96/98/100 ms

Branch#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Serial0/0/1
Uptime: 00:09:45
Session status: UP-ACTIVE  
Peer: 209.165.200.226 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 209.165.200.226
      Desc: (none)
  IKE SA: local 209.165.200.242/500 remote 209.165.200.226/500 Active
          Capabilities:(none) connid:1002 lifetime:23:50:13
  IPSEC FLOW: permit 47 host 209.165.200.242 host 209.165.200.226
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 39 drop 0 life (KB/Sec) 4426446/3014  
        Outbound: #pkts enc'ed 49 drop 1 life (KB/Sec) 4426445/3014  

Branch#traceroute 10.10.20.238 source 192.168.1.1

Type escape sequence to abort.
Tracing the route to 10.10.20.238

  1 172.16.100.1 68 msec *  68 msec   // A SINGLE HOP, THE HQ END OF THE GRE TUNNEL (ENCRYPTED BY IPSEC); THE ISP HOPS ARE INVISIBLE BECAUSE THE TRACEROUTE RUNS INSIDE THE TUNNEL
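Three policies interact in the transcript above: the NAT ACL (with its deny for LAN-to-HQ traffic), the crypto ACL that decides what is "interesting", and the routing table that decides whether a packet enters Tunnel0 before either of them is consulted. The following Python is an added example, not part of the original post and not Cisco code: it parses the ACLs exactly as configured, checks that the two ends' crypto ACLs are mirror images, and replays the pings from the transcript to show which were encrypted, NAT-translated, or sent in the clear. The modelled egress order (route, GRE encapsulation, NAT, then crypto map), the use of the first pool address as the translated source, and the stage names are assumptions of the model, not something the page states.

```python
# Added example: model of the Branch router's egress policy from the transcript.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Values taken from the transcript
TUNNEL_SRC, TUNNEL_DST = "209.165.200.242", "209.165.200.226"  # Branch / HQ WAN addresses
NAT_POOL_FIRST = "209.165.200.249"                             # first address of BRANCH_NAT_POOL (assumed to be used)


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS extended ACL."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" (any protocol), "gre", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard (inverse mask) to prefix: 0.0.0.255 -> /24, 0.0.255.255 -> /16."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                                   # only contiguous wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    mask = 0xFFFFFFFF ^ w
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & mask, bin(mask).count("1")))


def _endpoint(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse the entries of an extended named ACL; remarks and blank lines are ignored."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        src, i = _endpoint(t, 2)
        dst, _ = _endpoint(t, i)
        aces.append(Ace(t[0], t[1].lower(), src, dst))
    return aces


def lookup(acl: list[Ace], src: str, dst: str, proto: str) -> str:
    """First-match evaluation, including the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def is_mirrored(local: list[Ace], remote: list[Ace]) -> bool:
    """Crypto ACLs must be exact mirror images or the peers will not agree on the proxy IDs."""
    fwd = {(a.proto, a.src, a.dst) for a in local if a.action == "permit"}
    rev = {(a.proto, a.dst, a.src) for a in remote if a.action == "permit"}
    return fwd == rev


def classify(src, dst, proto, nat_acl, crypto_acl, tunnel_routes=()) -> str:
    """Fate of a packet leaving Branch via Serial0/0/1: 'ipsec', 'nat' or 'cleartext'.
    tunnel_routes: prefixes the routing table sends into Tunnel0 (GRE encapsulation)."""
    if any(ipaddress.IPv4Address(dst) in net for net in tunnel_routes):
        src, dst, proto = TUNNEL_SRC, TUNNEL_DST, "gre"   # the crypto ACL sees the outer GRE header
    translated = lookup(nat_acl, src, dst, proto) == "permit"
    if translated:                                       # NAT inside->outside runs before the crypto map
        src = NAT_POOL_FIRST
    if lookup(crypto_acl, src, dst, proto) == "permit":
        return "ipsec"
    return "nat" if translated else "cleartext"


# ACLs exactly as configured in the transcript
BRANCH_NAT_ACL = parse_acl("""
remark Do not translate Branch LAN to HQ LAN addresses
deny ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
remark Translate LAN to all Internet destinations
permit ip 192.168.1.0 0.0.0.255 any
""")
HQ_VPN_ACL_LAN = parse_acl("permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255")      # on Branch
BRANCH_VPN_ACL_LAN = parse_acl("permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255")  # on HQ
HQ_VPN_ACL_GRE = parse_acl("permit gre host 209.165.200.242 host 209.165.200.226")       # on Branch
BRANCH_VPN_ACL_GRE = parse_acl("permit gre host 209.165.200.226 host 209.165.200.242")   # on HQ
TUNNEL_ONLY = [ipaddress.IPv4Network("172.16.100.0/30")]                  # connected Tunnel0 subnet
WITH_EIGRP = TUNNEL_ONLY + [ipaddress.IPv4Network("10.0.0.0/8")]          # after the EIGRP adjacency


def transcript_stages() -> dict[str, str]:
    """Replay the pings of the transcript plus a plain Internet-bound packet."""
    return {
        "lan_to_hq_plain_ipsec": classify("192.168.1.1", "10.10.10.1", "icmp", BRANCH_NAT_ACL, HQ_VPN_ACL_LAN),
        "tunnel_ping_lan_acl":   classify("172.16.100.2", "172.16.100.1", "icmp", BRANCH_NAT_ACL, HQ_VPN_ACL_LAN, TUNNEL_ONLY),
        "lan_to_hq_no_route":    classify("192.168.1.1", "10.10.10.1", "icmp", BRANCH_NAT_ACL, HQ_VPN_ACL_GRE, TUNNEL_ONLY),
        "lan_to_hq_via_eigrp":   classify("192.168.1.1", "10.10.10.1", "icmp", BRANCH_NAT_ACL, HQ_VPN_ACL_GRE, WITH_EIGRP),
        "lan_to_internet":       classify("192.168.1.1", "209.165.202.129", "icmp", BRANCH_NAT_ACL, HQ_VPN_ACL_GRE, WITH_EIGRP),
    }


if __name__ == "__main__":
    print("crypto ACLs mirrored:", is_mirrored(HQ_VPN_ACL_LAN, BRANCH_VPN_ACL_LAN), is_mirrored(HQ_VPN_ACL_GRE, BRANCH_VPN_ACL_GRE))
    for name, fate in transcript_stages().items():
        print(f"{name:24s} {fate}")
```

The two "cleartext" stages are the ones the transcript shows as Session status DOWN and as the failed ping before EIGRP: in the first the GRE outer header never matches the LAN-to-LAN crypto ACL, in the second the LAN packet never enters the tunnel and leaves for the ISP unencrypted with its private source. Running is_mirrored on both pairs before applying a crypto map is a cheap way to catch the most common site-to-site misconfiguration.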

Saturday, March 7, 2015

Converting Lightweight AP to Autonomous AP

Our warehouse mistakenly bought the Cisco AIR-CAP1602E-E-K9, which is the Lightweight or Controller-based access point. We should have gotten the AIR-SAP1602E-E-K9 Standalone access point in the first place. I had no choice but to convert them from Lightweight to Autonomous, since it would be difficult to replace them with the vendor because of the price difference. The last time I did this was back in 2009 on a Cisco Aironet 1100 series during my first job as a Network Administrator for a pharmaceutical company in Singapore.

Cisco's website shows several ways to convert an access point from Lightweight to Autonomous and vice versa: using archive download-sw (just like when upgrading a Catalyst switch) and using (or holding) the MODE button. I tried them all but this one worked for me. We first need to know the basics of the AP's IOS. There are three types of IOS image in use:

* k9w7: Autonomous IOS (which I'm going to use for conversion)

* k9w8: Lightweight IOS (currently used by my LWAP)

* rcvk9w8: Lightweight recovery image (like a bootstrap IOS in a router)




This is the initial boot sequence from a Cisco AIR-CAP1602E-E-K9. For my setup, I just used an 8-port Cisco switch with the default config (all ports in VLAN 1) and the static IP address 10.1.1.1/8 on my PC running a TFTP server.


Boot from flash

IOS Bootloader - Starting system.

 FLASH CHIP: Micronix MX25L256_35F

Xmodem file system is available.

flashfs[0]: 5 files, 2 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 31936000

flashfs[0]: Bytes used: 6554112

flashfs[0]: Bytes available: 25381888

flashfs[0]: flashfs fsck took 9 seconds.

Reading cookie from SEEPROM

Base Ethernet MAC address: c0:8c:60:1f:24:ab

 ************* loopback_mode = 0

Loading "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx"...####################

File "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx" uncompressed and installed, entry point: 0x100000

executing...


              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C1600 Software (AP1G2-RCVK9W8-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 29-Jul-13 12:40 by prod_rel_team

Initializing flashfs...
 FLASH CHIP: Micronix MX25L256_35F

flashfs[2]: 5 files, 2 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 31808000
flashfs[2]: Bytes used: 6554112
flashfs[2]: Bytes available: 25253888
flashfs[2]: flashfs fsck took 9 seconds.
flashfs[2]: Initialization complete.
flashfs[3]: 0 files, 1 directories
flashfs[3]: 0 orphaned files, 0 orphaned directories
flashfs[3]: Total bytes: 11999232
flashfs[3]: Bytes used: 1024
flashfs[3]: Bytes available: 11998208
flashfs[3]: flashfs fsck took 1 seconds.
flashfs[3]: Initialization complete....done Initializing flashfs.

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
memory validate-checksum 30
 ^
% Invalid input detected at '^' marker.

no ip http server
       ^
% Invalid input detected at '^' marker.
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for

login authentication default
  ^
% Invalid input detected at '^' marker.

compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.


Warning:  the compile-time code checksum does not appear to be present.
cisco AIR-CAP1602E-E-K9    (PowerPC) processor (revision B0) with 98294K/32768K bytes of memory.
Processor board ID FGL1735Wabc
PowerPC CPU at 533Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 7.4.1.37
1 Gigabit Ethernet interface

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: C0:8C:60:1F:24:ab
Part Number                          : 73-14508-04
PCA Assembly Number                  : 000-00000-00
PCA Revision Number                  :
PCB Serial Number                    : FOC17292abc
Top Assembly Part Number             : 800-38553-01
Top Assembly Serial Number           : FGL1735Wabc
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP1602E-E-K9  
% Please define a domain-name first.
logging facility kern
        ^
% Invalid input detected at '^' marker.

logging trap emergencies
        ^
% Invalid input detected at '^' marker.



Press RETURN to get started!


*Mar  1 00:00:12.363: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg

*Mar  1 00:00:13.595: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:14.599: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:15.039: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1600 Software (AP1G2-RCVK9W8-M), Version 15.2(2)JB2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 29-Jul-13 12:40 by prod_rel_team
*Mar  1 00:00:15.067: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. Initialising Cfg

*Mar  1 00:00:15.067: %CAPWAP-3-ERRORLOG: Failed to load configuration from flash. Resetting to default config
*Mar  1 00:00:16.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully

no bridge-group 1 source-learning
                   ^
% Invalid input detected at '^' marker.
%Default route without gateway, if not a point-to-point interface, may impact performance

User Access Verification

Username: Cisco
Password: <Cisco>

APc08c.601f.2460>enable
Password: capwap process not yet started.Please execute enable command again

APc08c.601f.2460>
*Mar  1 00:00:44.327: %CDP_PD-4-POWER_OK: All radios disabled - NEGOTIATED inline power source
APc08c.601f.2460>enable
Password: <Cisco>
APc08c.601f.2460#conf t
                  ^
% Invalid input detected at '^' marker.

APc08c.601f.24ab#debug
*Mar  1 00:00:53.847: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!  ca
APc08c.601f.24ab#debug capwap console cli   // NEED TO ISSUE THIS COMMAND IN ORDER TO GO TO GLOBAL CONFIG MODE
This command is meant only for debugging/troubleshooting
Any configuration change may result in different
behavior from centralized configuration.

CAPWAP console CLI allow/disallow debugging is on
APc08c.601f.24ab#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
APc08c.601f.24ab(config)#
*Mar  1 00:01:03.847: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
APc08c.601f.24ab(config)#do show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       unassigned      YES DHCP   up                    up     
GigabitEthernet0           unassigned      NO  unset  up                    up     
GigabitEthernet0.1         unassigned      YES unset  up                    up     
APc08c.601f.24ab(config)#interface bvi1
APc08c.601f.24ab(config-if)#ip add 10.1.1.1
*Mar  1 00:01:13.847: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !! 
APc08c.601f.24ab(config-if)#ip address 10.1.1.1 2 255.0.0.0
APc08c.601f.24ab(config-if)#end
APc08c.601f.24ab#
*Mar  1 00:01:20.343: %SYS-5-CONFIG_I: Configured from console by Cisco on console
APc08c.601f.2460#archive download-sw /force-reload /overwrite tftp://10.1.1.1/ap1g2k9w7-tar.153-3.JAB.tar      // I HAD SUCCESS WITH TWO APs USING THIS COMMAND; IT'S NOT A 100% GUARANTEE THAT IT WILL ALWAYS WORK
examining image...
Loading ap1g2-k9w7-tar.153-3.JAB.tar from 10.1.1.1 (via BVI1): !
extracting info (288 bytes)
Image info:
    Version Suffix: k9w7-.153-3.JAB
    Image Name: ap1g2-k9w7-mx.153-3.JAB
    Version Directory: ap1g2-k9w7-mx.153-3.JAB
    Ios Image Size: 1290752
    Total Image Size: 11387392
    Image Feature: WIRELESS LAN|LWAPP
    Image Family: AP1G2
    Wireless Switch Management Version: 8.0.72.236
Extracting files...
ap1g2-k9w7-mx.153-3.JAB/ (directory) 0 (bytes)
extracting ap1g2-k9w7-mx.153-3.JAB/ap1g2-k9w7-mx.153-3.JAB (123464 bytes)
ap1g2-k9w7-mx.153-3.JAB/html/ (directory) 0 (bytes)
ap1g2-k9w7-mx.153-3.JAB/html/level/ (directory) 0 (bytes)
ap1g2-k9w7-mx.153-3.JAB/html/level/1/ (directory) 0 (bytes)
extracting ap1g2-k9w7-mx.153-3.JAB/html/level/1/appsui.js (563 bytes)
extracting ap1g2-k9w7-mx.153-3.JAB/html/level/1/back.shtml (512 bytes)
extracting ap1g2-k9w7-mx.153-3.JAB/html/level/1/cookies.js (5032 bytes)


<OUTPUT TRUNCATED>

extracting ap1g2-k9w7-mx.153-3.JAB/html/level/15/ap_contextmgr_scm-groups.shtml.gz (7586 bytes)
extracting ap1g2-k9w7-mx.153-3.JAB/html/level/15/ap_contextmgr_scm_summary.shtml.gz (5194 bytes)
extracting ap1g2-k9w7-mx.153-3.JAB/ap1g2-k9w7-xx.153-3.JAB (8810727 bytes)!!!!!!!!!!!!!!!!!!!!
*Mar  1 00:03:19.305: %CAPWAP-3-STATIC_TO_DHCP_IP: Could not discover WLC using static IP. Forcing AP to use DHCP...     // REVERTS THE BVI INTERFACE TO DHCP, WHICH DISRUPTS THE IOS UPDATE
*Mar  1 00:03:29.309: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !! .
*Mar  1 00:03:39.309: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!  [timed out]

Premature end of tar file      // I KEEP GETTING THIS ERROR EACH TIME I REPEAT THE CONVERSION PROCESS
ERROR: Problem extracting files from archive.
Download image failed, notify controller!!! From:7.4.1.37 to 8.0.72.236, FailureCode:3
archive download: takes 137 seconds

APc08c.601f.24ab#
APc08c.601f.24ab#
Not in Bound state.
*Mar  1 00:03:49.309: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
*Mar  1 00:03:49.309: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
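Before serving an image over TFTP it is worth checking locally that the tar is complete and is actually the k9w7 (autonomous) build for the right hardware family, since the "Premature end of tar file" error above and the three image types listed earlier are both easy to catch beforehand. The following is an added Python example, not part of this post or any Cisco tool; it assumes the archive's `info` member uses the same "Label: value" lines the AP prints under "Image info:", and the sample archive it builds is constructed, not a real image.

```python
import io
import re
import tarfile

# Image-type token (start of the version suffix) -> the role described in the
# post: autonomous, lightweight, or lightweight recovery image.
IMAGE_TYPES = {
    "rcvk9w8": "lightweight recovery image",  # first: it also contains "k9w8"
    "k9w8": "lightweight image",
    "k9w7": "autonomous image",
}

def classify_suffix(version_suffix):
    """Map a suffix such as 'k9w7-.153-3.JAB' to (token, role)."""
    for token, role in IMAGE_TYPES.items():
        if version_suffix.startswith(token):
            return token, role
    raise ValueError("unknown image type in suffix %r" % version_suffix)

def parse_info(text):
    """Parse 'Label: value' lines (assumed format, mirrors 'Image info:')."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def inspect_archive(data, expected_family):
    """Walk the whole tar; return (token, role, info fields) or raise ValueError
    when it is cut short, has no 'info' member, or is for another family."""
    # A complete tar ends with two 512-byte zero blocks; a transfer that died
    # mid-stream (the AP's 'Premature end of tar file') ends in file data.
    if len(data) < 1024 or data[-1024:] != b"\0" * 1024:
        raise ValueError("premature end of tar file (no end-of-archive marker)")
    fields = None
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                body = tar.extractfile(member).read()  # raises on short data
                if member.name == "info":
                    fields = parse_info(body.decode())
    except tarfile.TarError as exc:
        raise ValueError("truncated or corrupt tar: %s" % exc)
    if fields is None:
        raise ValueError("archive has no 'info' member")
    token, role = classify_suffix(fields.get("Version Suffix", ""))
    family = fields.get("Image Family")
    if family != expected_family:
        raise ValueError("image family %r is not %r" % (family, expected_family))
    return token, role, fields

def preflight(data, expected_family, wanted_type):
    """(ok, reason) for the TFTP staging step; wanted_type is 'k9w7' when
    converting to autonomous, so a k9w8 or rcvk9w8 tar is rejected."""
    try:
        token, role, _ = inspect_archive(data, expected_family)
    except ValueError as exc:
        return False, str(exc)
    if token != wanted_type:
        return False, "archive is %s (%s), wanted %s" % (role, token, wanted_type)
    return True, "%s for %s" % (role, expected_family)

def build_sample_archive(suffix="k9w7-.153-3.JAB", family="AP1G2"):
    """Constructed stand-in for an AP tar (not a real image): an 'info' member
    in the assumed label style plus an 8 KiB dummy payload with no zero bytes."""
    token = suffix.split("-")[0]
    info = ("Version Suffix: %s\nImage Name: ap1g2-%s-mx.153-3.JAB\n"
            "Image Family: %s\n" % (suffix, token, family)).encode()
    payload = bytes(range(1, 256)) * 33
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, body in (("info", info), ("ap1g2-%s-xx" % token, payload)):
            ti = tarfile.TarInfo(name)
            ti.size = len(body)
            tar.addfile(ti, io.BytesIO(body))
    return buf.getvalue()
```

Truncating the sample archive part-way reproduces the "premature end" rejection; a real download that stops mid-transfer fails the same check.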


A sure way of getting the right IOS onto the AP is to first delete the recovery image file and then boot the AP, which drops it into the bootloader (just like ROMmon on an IOS router).

APc08c.601f.24ab#show flash

Directory of flash:/

    2  -rwx        1048   Mar 1 1993 00:00:20 +00:00  private-multiple-fs
    3  -rwx           0   Mar 1 1993 00:00:34 +00:00  config.txt
   12  drwx         128   Mar 1 1993 00:03:03 +00:00  ap1g2-rcvk9w8-mx    // DIRECTORY
    4  -rwx         155   Jan 1 1970 00:01:46 +00:00  env_vars

31808000 bytes total (25253888 bytes free)
APc08c.601f.2460#
*Mar  1 00:03:59.309: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !! dir
APc08c.601f.24ab#dir ap1g2-rcvk9w8-mx
Directory of flash:/ap1g2-rcvk9w8-mx/

   13  -rwx     6550041   Mar 1 1993 00:03:03 +00:00  ap1g2-rcvk9w8-mx   // ACTUAL RECOVERY IMAGE FILE
   14  -rwx         273   Mar 1 1993 00:03:03 +00:00  info

31808000 bytes total (25253888 bytes free)
APc08c.601f.24ab#
*Mar  1 00:04:09.309: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
APc08c.601f.24ab#delete flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx   // DELETE THE RECOVERY IMAGE/IOS
Delete filename [/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx]?
Delete flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx? [confirm]

*Mar  1 00:04:19.489: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
APc08c.601f.24ab#
*Mar  1 00:04:29.489: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
APc08c.601f.24ab#dir
Directory of flash:/

    2  -rwx        1048   Mar 1 1993 00:00:20 +00:00  private-multiple-fs
    3  -rwx           0   Mar 1 1993 00:00:34 +00:00  config.txt
   12  drwx          64   Mar 1 1993 00:04:23 +00:00  ap1g2-rcvk9w8-mx
    4  -rwx         155   Jan 1 1970 00:01:46 +00:00  env_vars

31808000 bytes total (31804416 bytes free)

APc08c.601f.24ab#dir ap1g2-rcvk9w8-mx
Directory of flash:/ap1g2-rcvk9w8-mx/

   14  -rwx         273   Mar 1 1993 00:03:03 +00:00  info

31808000 bytes total (31804416 bytes free)
APc08c.601f.2460#reload

System configuration has been modified. Save? [yes/no]: y
Proceed with reload? [confirm]

Writing out the event log to flash:/event.log ...

Write of event.log done


*Mar  1 00:04:49.489: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
*Mar  1 00:04:50.657: %SYS-5-RELOAD: Reload requested by Cisco on console. Reload Reason: Reload Command.
*Mar  1 00:04:50.657: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
Boot from flash


IOS Bootloader - Starting system.

 FLASH CHIP: Micronix MX25L256_35F

Xmodem file system is available.

flashfs[0]: 5 files, 2 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 31936000

flashfs[0]: Bytes used: 6656

flashfs[0]: Bytes available: 31929344

flashfs[0]: flashfs fsck took 9 seconds.

Reading cookie from SEEPROM

Base Ethernet MAC address: c0:8c:60:1f:24:60

 ************* loopback_mode = 0

Loading "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx"...flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx: no such file or directory


Error loading "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx"


Interrupt within 5 seconds to abort boot process.

Boot process failed...


The system is unable to boot automatically.  The BOOT

environment variable needs to be set to a bootable

image.


C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Compiled Fri 30-Nov-12 15:48 by aselvara

ap: set IP_ADDR 10.1.1.2   

ap: set NETMASK 255.0.0.0

ap: set DEFAULT_ROUTER 10.1.1.1

ap: tftp_init    // I'VE USED AN ADDITIONAL COMMAND, ether_init, WHEN CONVERTING A 2600 AP TO AUTONOMOUS

ap: tar -xtract tftp://10.1.1.1/ap1g2-k9w7-tar.153-3.JAB.tar flash:    // SIMILAR TO tftpdnld COMMAND IN IOS ROUTER


extracting info (288 bytes)

ap1g2-k9w7-mx.153-3.JAB/ (directory) 0 (bytes)

extracting ap1g2-k9w7-mx.153-3.JAB/ap1g2-k9w7-mx.153-3.JAB (123464 bytes)..........................

ap1g2-k9w7-mx.153-3.JAB/html/ (directory) 0 (bytes)

ap1g2-k9w7-mx.153-3.JAB/html/level/ (directory) 0 (bytes)

ap1g2-k9w7-mx.153-3.JAB/html/level/1/ (directory) 0 (bytes)


<OUTPUT TRUNCATED>

extracting ap1g2-k9w7-mx.153-3.JAB/img_sign_rel.cert (1375 bytes)

extracting ap1g2-k9w7-mx.153-3.JAB/img_sign_rel_sha2.cert (1371 bytes)

extracting info.ver (288 bytes)

ap: set BOOT flash:ap1g2-k9w7-tar.153-3.JAB.tar

ap: set    // TO CHECK AP INITIAL SETTINGS

BOOT=flash:ap1g2-k9w7-tar.153-3.JAB.tar

DEFAULT_ROUTER=10.1.1.1

ENABLE_BREAK=yes

IP_ADDR=10.1.1.2

MANUAL_BOOT=no

NETMASK=255.0.0.0

RELOAD_REASON=41

TERMLINES=0

ap: boot

Loading "flash:ap1g2-k9w7-tar.153-3.JAB.tar"...flash:ap1g2-k9w7-tar.153-3.JAB.tar: no such file or directory


Error loading "flash:ap1g2-k9w7-tar.153-3.JAB.tar"


Interrupt within 5 seconds to abort boot process.

Loading "flash:/ap1g2-k9w7-mx.153-3.JAB/ap1g2-k9w7-mx.153-3.JAB"...##############


File "flash:/ap1g2-k9w7-mx.153-3.JAB/ap1g2-k9w7-mx.153-3.JAB" uncompressed and installed, entry point: 0x2004000

executing...


Secondary Bootloader - Starting system.

 FLASH CHIP: Micronix MX25L256_35F

Xmodem file system is available.

flashfs[0]: 210 files, 8 directories

flashfs[0]: 0 orphaned files, 0 orphaned directories

flashfs[0]: Total bytes: 31936000

flashfs[0]: Bytes used: 11331584

flashfs[0]: Bytes available: 20604416

flashfs[0]: flashfs fsck took 10 seconds.

Reading cookie from SEEPROM

Base Ethernet MAC address: c0:8c:60:1f:24:60

Secondary bootloader Ethernet not enabled, skip ether_init


Unable to locate IOS image with name **xx**.

Boot CMD: 'boot  flash:ap1g2-k9w7-tar.153-3.JAB.tar;flash:/ap1g2-k9w7-mx.153-3.JAB/ap1g2-k9w7-xx.153-3.JAB'

Loading "flash:ap1g2-k9w7-tar.153-3.JAB.tar"...flash:ap1g2-k9w7-tar.153-3.JAB.tar: no such file or directory


Error loading "flash:ap1g2-k9w7-tar.153-3.JAB.tar"


Interrupt within 5 seconds to abort boot process.

Unable to locate IOS image with name **xx**.

Boot CMD: 'flash:/ap1g2-k9w7-mx.153-3.JAB/ap1g2-k9w7-xx.153-3.JAB'

Loading "flash:/ap1g2-k9w7-mx.153-3.JAB/ap1g2-k9w7-xx.153-3.JAB"...####################################

File "flash:/ap1g2-k9w7-mx.153-3.JAB/ap1g2-k9w7-xx.153-3.JAB" uncompressed and installed, entry point: 0x100000

executing...


              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.3(3)JAB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Tue 02-Sep-14 20:36 by prod_rel_team

Initializing flashfs...
 FLASH CHIP: Micronix MX25L256_35F

flashfs[2]: erasing block[0]...
flashfs[2]: erasing block[1]...
flashfs[2]: 210 files, 8 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 31808000
flashfs[2]: Bytes used: 11331584
flashfs[2]: Bytes available: 20476416
flashfs[2]: flashfs fsck took 11 seconds.
flashfs[2]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete....done Initializing flashfs.

Radio0  present 8764B 8000 0 A8000000 A8010000 0
Rate table has 586 entries (20 legacy/160 11n/406 11ac)

POWER TABLE FILENAME = flash:/ap1g2-k9w7-mx.153-3.JAB/S2.bin

Radio1  present 8764B 8000 0 88000000 88010000 4
POWER TABLE FILENAME = flash:/ap1g2-k9w7-mx.153-3.JAB/S5.bin

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-SAP1602E-E-K9 (PowerPC) processor (revision B0) with 187382K/74672K bytes of memory.
Processor board ID FGL1735W7LF
PowerPC CPU at 533Mhz, revision number 0x2151
Last reset from power-on
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: C0:8C:60:1F:24:ab
Part Number                          : 73-14508-04
PCA Assembly Number                  : 000-00000-00
PCA Revision Number                  :
PCB Serial Number                    : FOC17292abc
Top Assembly Part Number             : 800-38553-01
Top Assembly Serial Number           : FGL1735Wab
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP1602E-E-K9  



Press RETURN to get started!


*Mar  1 00:00:13.891: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar  1 00:00:14.719: APAVC:  WlanPAKs 9355 RadioPaks  8747

*Mar  1 00:00:20.827: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar  1 00:00:27.207: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar  1 00:00:29.931: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:31.059: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar  1 00:00:31.243: Starting Ethernet promiscuous mode
*Mar  1 00:00:31.299: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Mar  1 00:00:31.303: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Mar  1 00:00:31.319: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.3(3)JAB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Tue 02-Sep-14 20:36 by prod_rel_team
*Mar  1 00:00:31.319: %SNMP-5-COLDSTART: SNMP agent on host ap is undergoing a cold start
*Mar  1 00:00:32.295: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar  1 00:00:32.299: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar  1 00:00:32.303: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar  1 00:00:43.547: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
ap>show version
Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.3(3)JAB, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Tue 02-Sep-14 20:36 by prod_rel_team

ROM: Bootstrap program is C1600 boot loader
BOOTLDR: C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFTWARE (fc1)

ap uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:/ap1g2-k9w7-mx.153-3.JAB/ap1g2-k9w7-xx.153-3.JAB"
Last reload reason:



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
 --More--         agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco AIR-SAP1602E-E-K9 (PowerPC) processor (revision B0) with 187382K/74672K bytes of memory.
Processor board ID FGL1735W7LF
PowerPC CPU at 533Mhz, revision number 0x2151
Last reset from power-on
1 Gigabit Ethernet interface
2 802.11 Radios

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: C0:8C:60:1F:24:ab
Part Number                          : 73-14508-04
PCA Assembly Number                  : 000-00000-00
PCA Revision Number                  :
PCB Serial Number                    : FOC17292abc
 --More--         Top Assembly Part Number             : 800-38553-01
Top Assembly Serial Number           : FGL1735Wabc
Top Revision Number                  : A0
Product/Model Number                 : AIR-CAP1602E-E-K9    // MUST BE A COSMETIC BUG

Configuration register is 0xF

ap>