My Network Lab

Thursday, October 3, 2024

Managing Configuration Files in a Cisco ASR920

This Cisco link covers the management of configuration files in a Cisco ASR920. You wouldn't find the startup-config in the Cisco ASR920 bootflash memory.

ASR920# dir

Directory of bootflash:/

11 drwx 16384 Oct 16 2015 21:37:46 +00:00 lost+found

15105 drwx 4096 Oct 31 2016 22:31:05 +00:00 .prst_sync

30209 drwx 4096 Apr 8 2021 21:34:51 +00:00 .installer

13 -rw- 1182 Oct 16 2015 21:51:23 +00:00 CAT1941V21234_1445051234.lic

14 -rw- 1176 Oct 16 2015 21:51:56 +00:00 CAT1941V25678_1445055678.lic

135937 drwx 4096 Apr 8 2021 21:25:23 +00:00 core

45313 drwx 4096 Oct 16 2015 21:56:47 +00:00 .rollback_timer

15 -rw- 0 Oct 16 2015 21:57:06 +00:00 tracelogs.809

120833 drwx 270336 May 29 2024 04:49:54 +00:00 tracelogs

60417 drwx 4096 Jul 15 2014 01:09:40 +00:00 usb_modem

32 -rw- 311284732 Mar 9 2018 10:36:53 +00:00 asr920-universalk9_npe.03.x.x.S.x-3.S7-ext.bin

30 -rw- 822 Mar 22 2016 16:11:14 +00:00 usb_modem_stats.txt

31 -rw- 467318537 Dec 16 2020 02:27:50 +00:00 asr920-universalk9_npe.16.x.x.SPA.bin

151044 drwx 4096 Apr 8 2021 21:39:04 +00:00 onep

33 -rw- 317446 Oct 31 2016 22:24:58 +00:00 crashinfo_RP_00_00_20161031-222450-UTC

34 -rw- 1586124 Dec 16 2020 01:53:56 +00:00 asr920_x_x_xr_s_rommon.pkg

151042 drwx 4096 Aug 4 2021 09:33:14 +00:00 .dbpersist

151043 drwx 4096 Apr 8 2021 21:39:09 +00:00 license_evlog

1339412480 bytes total (366039040 bytes free)

The startup-config is found in the nvram directory.

ASR920#dir nvram:

Directory of nvram:/

32769 -rw- 25314 <no date> startup-config

32770 ---- 3689 <no date> private-config

32771 -rw- 25314 <no date> underlying-config

1 ---- 462 <no date> persistent-data

2 -rw- 17 <no date> ecfm_ieee_mib

3 -rw- 3257 <no date> ifIndex-table

33554432 bytes total (33519233 bytes free)

To view the startup-config, use the more nvram:startup-config command:

ASR920#more nvram:startup-config
!
! Last configuration change at 10:25:49 UTC Thu May 16 2024 by nx
! NVRAM config last updated at 10:25:51 UTC Thu May 16 2024 by nx
!
version 16.12
no service pad
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
platform bfd-debug-trace 1
platform xconnect load-balance-hash-algo mac-ip-instanceid
platform tcam-parity-error enable
platform tcam-threshold alarm-frequency 1
!
hostname ASR920
!
boot-start-marker
boot system bootflash:asr920-universalk9_npe.16.x.x.SPA.bin
boot system bootflash:asr920-universalk9_npe.03.xx.0x.S.1xx-3.S7-ext.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family

To perform a file transfer in a Cisco ASR920, use the copy nvram:startup-config <ftp/tftp://<REMOTE IP> command. Make sure the source interface can reach the remote file server.

ASR920#ping 172.27.5.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.5.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/196/196 ms

ASR920(config)#ip tftp source-interface Loopback0
ASR920(config)#end

ASR920#copy nvram:startup-config tftp://172.27.5.3
Address or name of remote host [172.27.5.3]?
Destination filename [startup-confg]?
!!
25314 bytes copied in 10.516 secs (2407 bytes/sec)

I renamed the file to startup-config2 (to avoid any file conflict), transferred it to the new Cisco ASR920, boot the new config using copy nvram:startup-config2 running-config and issued write memory to save config. Booting the new startup-config to running-config only took a few seconds.

This greatly speeds up staging a new router (in this case RMA replacement). It also lessens the human error if you have a big configuration file.

RMA_ASR920#copy nvram:startup-config2 running-config

Destination filename [running-config]?

%Log packet overrun, PC 0x111F6508, format:

User:%s logged command:%s

% Previously established LDP sessions will not be affected by this change.

% OSPF: Reference bandwidth is changed.

Please ensure reference bandwidth is consistent across all routers.

25080 bytes copied in 4.564 secs (5495 bytes/sec)

ASR920# // NOTICE THE HOSTNAME IMMEDIATELY CHANGED

ASR920#show ip interface brief

% Authorization failed. // I'M UNABLE TO ISSUE COMMANDS SINCE IT HAS AAA CONFIGURED

Sunday, September 1, 2024

Cisco ASR920 License Install (non Smart License)

I had to RMA a Cisco ASR920 router due to a faulty port and unable to detect the inserted SFP. I also requested the Cisco TAC License team to generate a new license file (Traditional/PAK license) based on the feature licenses on the previous ASR920 (bundled in a single license). You'll need to use the new chassis serial number to generate the new PAK license.

The RMA ASR920 came with the default IOS-XE version 16.9.3, so it's easy for to upgrade to any 16.x code. I had a previous post regarding the IOS-XE upgrade in a Cisco ASR920. The RMA also doesn't come with new hot-swappable power supply unit (PSU) so you had to swap out the PSU from the old to new ASR920.

RMA_ASR920#copy tftp://172.27.5.3/CAT24071234_20240621080644.lic bootflash:

Destination filename [CAT24071234_20240621080644.lic]?

Accessing tftp://172.27.5.3/CAT24071234_20240621080644.lic...

Loading CAT24071234_20240621080644.lic from 172.27.5.3 (via GigabitEthernet0): !

[OK - 3326 bytes]

3326 bytes copied in 22.088 secs (151 bytes/sec)

RMA_ASR920#dir

Directory of bootflash:/

11 drwx 16384 Jul 1 2020 01:41:57 +00:00 lost+found

46273 drwx 4096 Jul 1 2020 01:42:01 +00:00 .prst_sync

12 -rw- 445862301 Jul 1 2020 01:57:10 +00:00 asr920-universalk9_npe.16.09.03.SPA.bin

23137 drwx 20480 Jun 21 2024 19:00:37 +00:00 tracelogs

7713 drwx 4096 Jun 21 2024 16:43:44 +00:00 .installer

16 -rw- 3326 Jun 21 2024 19:04:11 +00:00 CAT24071234_20240621080644.lic

1241329664 bytes total (253034496 bytes free)

RMA_ASR920#license install bootflash:CAT24071234_20240621080644.lic

Installing licenses from "bootflash:CAT24071234_20240621080644.lic

Installing...Feature:24portGE-4port10GE...Successful:Supported

Installing...Feature:advancedmetroipaccess...Successful:Supported

Installing...Feature:metroaccess...Failed:

% Error: Duplicate license

2/3 licenses were successfully installed

1/3 licenses were existing licenses

0/3 licenses were failed to install

I noticed the installed and my target advancedmetroipaccess License State was Active, Not in Use.

RMA_ASR920#show license

Index 1 Feature: advancedmetroipaccess

Period left: Life time

License Type: Permanent

License State: Active, Not in Use

License Count: Non-Counted

License Priority: Medium

Index 2 Feature: metroipaccess

Period left: Not Activated

License Type: Evaluation

License State: Active, Not in Use, EULA not accepted

License Count: Non-Counted

License Priority: None

Index 3 Feature: metroaccess

Period left: Life time

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

Index 4 Feature: atm

Index 5 Feature: oc3

Index 6 Feature: oc12

Index 7 Feature: 1588

Index 8 Feature: 10GEupgradelicense

Index 9 Feature: 24portGE-4port10GE

Period left: Life time

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

Index 10 Feature: 12x1GEupgradelicense

RMA_ASR920#show license all

License Store: Primary License Storage

StoreIndex: 1 Feature: metroaccess Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

StoreIndex: 2 Feature: 24portGE-4port10GE Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

StoreIndex: 3 Feature: advancedmetroipaccess Version: 1.0

License Type: Permanent

License State: Active, Not in Use

License Count: Non-Counted

License Priority: Medium

License Store: Built-In License Storage

StoreIndex: 0 Feature: advancedmetroipaccess Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 4 days

Period used: 0 minute 0 second

License Count: Non-Counted

License Priority: None

StoreIndex: 1 Feature: metroipaccess Version: 1.0

License Type: Evaluation

License State: Active, Not in Use, EULA not accepted

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 4 days

Period used: 0 minute 0 second

License Count: Non-Counted

License Priority: None

StoreIndex: 2 Feature: metroaccess Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 4 days

Period used: 0 minute 0 second

License Count: Non-Counted

License Priority: None

Per the Cisco link, I had to configure the license boot level and perform a reload command to take effect.

RMA_ASR920#show run | i license boot

license boot level metroaccess

RMA_ASR920#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

RMA_ASR920(config)#license ?

accept Accept all further License Agreements

agent Configure LIC_AGENT

boot license boot config commands

feature License features

smart Smart licensing

udi license udi

RMA_ASR920(config)#license boot ?

level which level to boot

RMA_ASR920(config)#license boot level ?

advancedmetroipaccess Advanced Metro IP Access License Level

metroaccess Metro Access License Level

metroipaccess Metro IP Access License Level

RMA_ASR920(config)#license boot level advancedmetroipaccess ?

RMA_ASR920(config)#license boot level advancedmetroipaccess

% use 'write' command to make license boot config take effect on next boot

RMA_ASR920(config)#end

RMA_ASR920#write memory

Building configuration...

[OK]

RMA_ASR920#show run | i license boot

license boot level advancedmetroipaccess

RMA_ASR920#show license all

License Store: Primary License Storage

StoreIndex: 1 Feature: metroaccess Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

StoreIndex: 2 Feature: 24portGE-4port10GE Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

StoreIndex: 3 Feature: advancedmetroipaccess Version: 1.0

License Type: Permanent

License State: Active, Not in Use

License Count: Non-Counted

License Priority: Medium

RMA_ASR920#show version

Cisco IOS XE Software, Version 16.x.x

Cisco IOS Software [Gibraltar], ASR920 Software (PPC_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 16.x.x, RELEASE SOFTWARE (fc5)

Technical Support: http://www.cisco.com/techsupport

Compiled Thu 09-Jul-20 17:13 by mcpre

licensed under the GNU General Public License ("GPL") Version 2.0. The

software code licensed under GPL Version 2.0 is free software that comes

with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such

GPL code under the terms of GPL Version 2.0. For more details, see the

documentation or "License Notice" file accompanying the IOS-XE software,

or the applicable URL provided on the flyer accompanying the IOS-XE

software.

ROM: IOS-XE ROMMON

RMA_ASR920 uptime is 23 hours, 12 minutes

Uptime for this control processor is 23 hours, 17 minutes

System returned to ROM by reload

System image file is "bootflash:asr920-universalk9_npe.16.x.x.SPA.bin"

Last reload reason: Reload Command

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

License Level: metroaccess

License Type: Permanent

Next reload license Level: advancedmetroipaccess

Smart Licensing Status: Smart Licensing is DISABLED

cisco ASR-920-x-x (Freescale P2020) processor (revision 1.2 GHz) with 890398K/6147K bytes of memory.

Processor board ID CAT24071234

24 Gigabit Ethernet interfaces

4 Ten Gigabit Ethernet interfaces

32768K bytes of non-volatile configuration memory.

3670016K bytes of physical memory.

1231647K bytes of eMMC flash at bootflash:.

Configuration register is 0x2102

RMA_ASR920#reload

Proceed with reload? [confirm]

Notice the advancemetroipaccess License State was changed to Active, In Use after a reload.

RMA_ASR920#show license

Index 1 Feature: advancedmetroipaccess

Period left: Life time

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

Index 2 Feature: metroipaccess

Period left: Not Activated

License Type: Evaluation

License State: Active, Not in Use, EULA not accepted

License Count: Non-Counted

License Priority: None

Index 3 Feature: metroaccess

Period left: Life time

License Type: Permanent

License State: Active, Not in Use

License Count: Non-Counted

License Priority: Medium

Friday, August 9, 2024

Cisco ASR1001-X Throughput License

The Cisco ASR1001-X Throughput license is an honor-based license. Meaning, there's no need to purchase the 20 Gbps Throughput Product Activation Key (PAK) license. Just simply activate it, accept the End User License Agreement (EULA) and reload the router to take effect.

Cisco IOS XE Software feature licenses

◦ Certain functions supported on the Cisco ASR 1000 Series require feature licenses.

◦ All Cisco ASR 1000 feature and performance upgrade licenses are honor-based; that is, they are not enforced through a Product Activation Key (PAK). Note: Prior to Cisco IOS XE Software Release 3.7S, performance upgrade licenses that are required to upgrade the Cisco ASR 1001 from 2.5 to 5 Gbps or the Cisco ASR 1002-X from 5 to 10 to 20 to 36 Gbps are enforced through a PAK. Similarly, prior to Cisco IOS XE Software Release 3.6S, technology package licenses are enforced through a PAK.

ASR1K#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

ASR1K(config)#platform hardware throughput level 20000000

Feature Name:throughput_20g

PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR
LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH
PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.

Use of this product feature requires an additional license from Cisco,
together with an additional payment. You may use this product feature
on an evaluation basis, without payment to Cisco, for 60 days. Your use
of the product, including during the 60 day evaluation period, is
subject to the Cisco end user license agreement
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
If you use the product feature beyond the 60 day evaluation period, you
must submit the appropriate payment to Cisco for the license. After the
60 day evaluation period, your use of the product feature will be
governed solely by the Cisco end user license agreement (link above),
together with any supplements relating to such product feature. The
above applies even if the evaluation license is not automatically
terminated and you do not receive any notice of the expiration of the
evaluation period. It is your responsibility to determine when the
evaluation period is complete and you are required to make payment to
Cisco for your use of the product feature beyond the evaluation period.

Your acceptance of this agreement for the software features on one
product shall be deemed your acceptance with respect to all such
software on all Cisco products you purchase which includes the same
software. (The foregoing notwithstanding, you must purchase a license
for each software feature you use past the 60 days evaluation period,
so that if you enable a software feature on 1000 devices, you must
purchase 1000 licenses for use past the 60 day evaluation period.)

Activation of the software command line interface will be evidence of
your acceptance of this agreement.

ACCEPT? (yes/[no]): yes
% The config will take effect on next reboot
ASR1K(config)#
Feb 15 14:24:18.111: %LICENSE-6-EULA_ACCEPTED: EULA for feature throughput_20g 1.0 has been accepted. UDI=ASR1001-X:JAE19261234; StoreIndex=11:Built-In License Storage
ASR1K(config)#
Feb 15 14:24:18.597: %PARSER-5-CFGLOG_LOGGEDCMD: User:johxx logged command:platform hardware throughput level 20000000
ASR1K(config)#end
ASR1K#write memory
Building configuration...

Feb 15 14:25:32.979: %SYS-5-CONFIG_I: Configured from console by johxx on console[OK]
Feb 15 14:25:38.738: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file
ASR1K#reload
The following license(s) are transitioning, expiring or have expired.
Features with expired licenses may not work after Reload.
Feature: throughput_20g ,Status: transition, Period Left: 8 wks 3 days

Proceed with reload? [confirm] <ENTER>

*Feb 15 14:10:09.234: boot_env_str = adventerprise,all:asr1001x;
*Feb 15 14:10:10.477: %LICENSE-6-EULA_ACCEPT_ALL: The Right to Use End User License Agreement is accepted
*Feb 15 14:10:10.512: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = asr1001x Next reboot level = adventerprise and License = adventerprise
*Feb 15 14:10:12.919: %IOSXE_THROUGHPUT-6-LEVEL: Throughput level has been set to 20000000 kbps

ASR1K#show platform hardware throughput level
The current throughput level is 20000000 kb/s

ASR1K#show version
Cisco IOS XE Software, Version 16.0x.0x
Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.x.x, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Wed 20-Mar-19 08:02 by mcpre

<OUTPUT TRUNCATED>

License Type: Permanent
License Level: adventerprise
Next reload license Level: adventerprise
The current throughput level is 20000000 kbps

Smart Licensing Status: Smart Licensing is DISABLED

ASR1K ASR1001-X (1NG) processor (revision 1NG) with 3853454K/6147K bytes of memory.
Processor board ID FXS22501234
6 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
6594559K bytes of eUSB flash at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

Saturday, July 6, 2024

Deploy Juniper vMX in GNS3

I needed a Juniper virtual lab to refresh my Junos OS CLI, so the easiest way is to deploy a virtual MX (vMX) in GNS3. You'll need a vMX qcow2 file to run in GNS3.

Go to Edit >Preferences > QEMU > Qemu VM >New > select New Image >browse the .qcow2 file.

It will automatically upload the image. Just click Finish when it's done.

Select vMX > click Edit.

Under Symbol > click Browse.

To distinguish between a Cisco and Juniper router, under General settings tab > Symbol > select: Affinity-circle-blue > select: Router > click OK.

Go to Network tab > Adapters: type 3 (or click up arrow).

Click OK > Apply.

Click Browse all devices (left-hand side) > click/drag vMX.

I've deployed two vMX, a Cisco L2 switch and a Cisco 7200 router in my JNCIA lab.

I just ran/power on a single vMX and the L2 switch to play around with Junos CLI.

Profile database initialized

Local package initialization:.

kern.securelevel: -1 -> 1

starting local daemons:set cores for group access

Running /packages/finish.install ...

Sat Jun 8 03:03:56 UTC 2024

Amnesiac (ttyd0) <<< HOSTNAME Amnesic IS FACTORY DEFAULT

--- JUNOS 14.1R1.10 built 2014-06-07 09:37:07 UTC

root@% cli <<< TYPE CLI TO GO OPERATIONAL MODE

root> show version

Model: vmx

Junos: 14.1R1.10

JUNOS Base OS Software Suite [14.1R1.10]

JUNOS Base OS boot [14.1R1.10]

JUNOS Crypto Software Suite [14.1R1.10]

JUNOS Online Documentation [14.1R1.10]

JUNOS Kernel Software Suite [14.1R1.10]

JUNOS Packet Forwarding Engine Support (M320) [14.1R1.10]

JUNOS Packet Forwarding Engine Support (M/T/EX Common) [14.1R1.10]

JUNOS Routing Software Suite [14.1R1.10]

JUNOS Runtime Software Suite [14.1R1.10]

To configure the root password, go to configuration mode by typing edit > issue the command set system root-authentication plain-text-password > type a password > type again the password to confirm.

Type commit to save configuration.

root> edit

Entering configuration mode

[edit]

root# set system root-authentication plain-text-password

New password:

Retype new password:

[edit]

root# set system host-name vMX1

[edit]

root# commit

commit complete

[edit]

root@vMX1# <<< NOTICE THE HOSTNAME APPEARED

[edit]

Friday, June 7, 2024

Check the SNMP Interface Index in a Cisco Router

You can use the show snmp mib ifmib ifindex to map or retreive the interface MIB in a Cisco router without performing an SNMP walk from a NMS.

4321#show snmp mib ifmib ifindex
GigabitEthernet0/0/1.40: Ifindex = 22
GigabitEthernet0/0/1.13: Ifindex = 21
Voice Over IP Peer: 22: Ifindex = 35
Voice Encapsulation (POTS) Peer: 1004: Ifindex = 30
Foreign Exchange Station 0/1/2: Ifindex = 10
Voice Over IP Peer: 20: Ifindex = 24
Voice Encapsulation (POTS) Peer: 1006: Ifindex = 32
Foreign Exchange Station 0/1/0: Ifindex = 8
GigabitEthernet0/0/0: Ifindex = 1
Service-Engine0/1/0: Ifindex = 3
GigabitEthernet0/0/0.4: Ifindex = 19
GigabitEthernet0/0/0.3: Ifindex = 16
VoIP-Null0: Ifindex = 6
Null0: Ifindex = 7

Thursday, May 2, 2024

Cisco Access Control List (ACL) Established

Here's a nice link regarding the access control list (ACL) established in a Cisco router. This keyword is commonly used to only allow originating TCP traffic towards the destination IP. This effectively denies TCP traffic coming from the outside or public Internet.

In order to test, I setup two routers which are directly connected and used Loopback interfaces for the destination IP address. Ping and TCP ports 80 and 443 on each router were initially allowed.

R1#show ip interface biref

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 10.1.1.1 YES manual up up

FastEthernet1/0 unassigned YES unset administratively down down

FastEthernet1/1 192.168.1.1 YES manual up up

Loopback1 1.1.1.1 YES manual up up

R1#ping 2.2.2.2 source 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/92 ms

R1#telnet 2.2.2.2 80 /source-interface f0/0

Trying 2.2.2.2, 80 ... Open

R1#telnet 2.2.2.2 443 /source-interface f0/0

Trying 2.2.2.2, 443 ... Open

R2#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/0 200.1.1.1 YES manual up up

FastEthernet1/0 unassigned YES unset administratively down down

FastEthernet1/1 192.168.1.2 YES manual up up

Loopback2 2.2.2.2 YES manual up up

R2#ping 1.1.1.1 source 200.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 200.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/44 ms

R2#telnet 1.1.1.1 80 /source-interface f0/0

Trying 1.1.1.1, 80 ... Open

R2#telnet 1.1.1.1 443 /source-interface f0/0

Trying 1.1.1.1, 443 ... Open

Below is the ACL with the established keyword. I added log to capture ACL traffic match. R1 was able to ping and open TCP ports 80 and 443 to R2's Loopback IP address 2.2.2.2 using its LAN source IP address (10.1.1.1).

ip access-list extended WEB_ACL

permit udp any 10.1.1.0 0.0.0.255 eq 53 log

permit tcp any eq 80 10.1.1.0 0.0.0.255 established log

permit tcp any eq 443 10.1.1.0 0.0.0.255 established log

permit icmp any 10.1.1.0 0.0.0.255 echo-reply log

interface f1/1

ip access-group WEB_ACL in

R1#show ip access-list

Extended IP access list WEB_ACL

10 permit udp any 10.1.1.0 0.0.0.255 eq domain log

20 permit tcp any eq www 10.1.1.0 0.0.0.255 established log

30 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log

40 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log

R1#ping 2.2.2.2 source 10.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 10.1.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/25/60 ms

R1#telnet 2.2.2.2 80 /source-interface f0/0

Trying 2.2.2.2, 80 ... Open

*Feb 18 08:45:24.615: %SEC-6-IPACCESSLOGP: list WEB_ACL permitted tcp 2.2.2.2(80) -> 10.1.1.1(35657), 1 packet

R1#telnet 2.2.2.2 443 /source-interface f0/0

Trying 2.2.2.2, 443 ... Open

*Feb 18 08:45:47.987: %SEC-6-IPACCESSLOGP: list WEB_ACL permitted tcp 2.2.2.2(443) -> 10.1.1.1(59649), 1 packet

R1#show access-list

Extended IP access list WEB_ACL

10 permit udp any 10.1.1.0 0.0.0.255 eq domain log

20 permit tcp any eq www 10.1.1.0 0.0.0.255 established log (8 matches)

30 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log (6 matches)

40 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log (5 matches)

R2 is unable to ping and open TCP ports 80 and 443 to R1's Loopback IP 1.1.1.1 using it's LAN source IP address (200.1.1.1).

R2#ping 1.1.1.1 source 200.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 200.1.1.1

UUUUU

Success rate is 0 percent (0/5)

R2#telnet 1.1.1.1 80 /source-interface f0/0

Trying 1.1.1.1, 80 ...

% Destination unreachable; gateway or host down

R2#telnet 1.1.1.1 443 /source-interface f0/0

Trying 1.1.1.1, 443 ...

% Destination unreachable; gateway or host down