Thursday, October 3, 2024

Managing Configuration Files in a Cisco ASR920

This Cisco link covers the management of configuration files on a Cisco ASR920. You won't find the startup-config in the ASR920's bootflash: memory.

ASR920# dir
Directory of bootflash:/

   11  drwx            16384  Oct 16 2015 21:37:46 +00:00  lost+found
15105  drwx             4096  Oct 31 2016 22:31:05 +00:00  .prst_sync
30209  drwx             4096   Apr 8 2021 21:34:51 +00:00  .installer
   13  -rw-             1182  Oct 16 2015 21:51:23 +00:00  CAT1941V21234_1445051234.lic
   14  -rw-             1176  Oct 16 2015 21:51:56 +00:00  CAT1941V25678_1445055678.lic
135937  drwx             4096   Apr 8 2021 21:25:23 +00:00  core
45313  drwx             4096  Oct 16 2015 21:56:47 +00:00  .rollback_timer
   15  -rw-                0  Oct 16 2015 21:57:06 +00:00  tracelogs.809
120833  drwx           270336  May 29 2024 04:49:54 +00:00  tracelogs
60417  drwx             4096  Jul 15 2014 01:09:40 +00:00  usb_modem
   32  -rw-        311284732   Mar 9 2018 10:36:53 +00:00  asr920-universalk9_npe.03.x.x.S.x-3.S7-ext.bin
   30  -rw-              822  Mar 22 2016 16:11:14 +00:00  usb_modem_stats.txt
   31  -rw-        467318537  Dec 16 2020 02:27:50 +00:00  asr920-universalk9_npe.16.x.x.SPA.bin
151044  drwx             4096   Apr 8 2021 21:39:04 +00:00  onep
   33  -rw-           317446  Oct 31 2016 22:24:58 +00:00  crashinfo_RP_00_00_20161031-222450-UTC
   34  -rw-          1586124  Dec 16 2020 01:53:56 +00:00  asr920_x_x_xr_s_rommon.pkg
151042  drwx             4096   Aug 4 2021 09:33:14 +00:00  .dbpersist
151043  drwx             4096   Apr 8 2021 21:39:09 +00:00  license_evlog

1339412480 bytes total (366039040 bytes free)

 

The startup-config is found in the nvram directory.

 

ASR920#dir nvram:
Directory of nvram:/

32769  -rw-            25314                    <no date>  startup-config
32770  ----             3689                    <no date>  private-config
32771  -rw-            25314                    <no date>  underlying-config
    1  ----              462                    <no date>  persistent-data
    2  -rw-               17                    <no date>  ecfm_ieee_mib
    3  -rw-             3257                    <no date>  ifIndex-table

33554432 bytes total (33519233 bytes free)

 

To view the startup-config, use the more nvram:startup-config command:

ASR920#more nvram:startup-config
!
! Last configuration change at 10:25:49 UTC Thu May 16 2024 by nx
! NVRAM config last updated at 10:25:51 UTC Thu May 16 2024 by nx
!
version 16.12
no service pad
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
no platform punt-keepalive disable-kernel-core
platform bfd-debug-trace 1
platform xconnect load-balance-hash-algo mac-ip-instanceid
platform tcam-parity-error enable
platform tcam-threshold alarm-frequency 1
!
hostname ASR920
!
boot-start-marker
boot system bootflash:asr920-universalk9_npe.16.x.x.SPA.bin
boot system bootflash:asr920-universalk9_npe.03.xx.0x.S.1xx-3.S7-ext.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family

<OUTPUT TRUNCATED>

 

To perform a file transfer from a Cisco ASR920, use the copy nvram:startup-config ftp://<REMOTE IP> (or tftp://<REMOTE IP>) command. Make sure the source interface can reach the remote file server.

ASR920#ping 172.27.5.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.27.5.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 196/196/196 ms

ASR920(config)#ip tftp source-interface Loopback0
ASR920(config)#end

ASR920#copy nvram:startup-config tftp://172.27.5.3
Address or name of remote host [172.27.5.3]?
Destination filename [startup-confg]?
!!
25314 bytes copied in 10.516 secs (2407 bytes/sec)

 

I renamed the file to startup-config2 (to avoid a file conflict), transferred it to the new Cisco ASR920, loaded the new config with copy nvram:startup-config2 running-config and issued write memory to save it. Merging the new startup-config into the running-config only took a few seconds.

This greatly speeds up staging a new router (in this case an RMA replacement). It also reduces human error when the configuration file is large.

RMA_ASR920#copy nvram:startup-config2 running-config
Destination filename [running-config]?

%Log packet overrun, PC 0x111F6508, format:
User:%s  logged command:%s
% Previously established LDP sessions will not be affected by this change.
% OSPF: Reference bandwidth is changed.
        Please ensure reference bandwidth is consistent across all routers.
25080 bytes copied in 4.564 secs (5495 bytes/sec)

ASR920#     // NOTICE THE HOSTNAME IMMEDIATELY CHANGED
ASR920#show ip interface brief
% Authorization failed.     // I'M UNABLE TO ISSUE COMMANDS SINCE IT HAS AAA CONFIGURED
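As an added example (not code from the post), a small Python pre-flight for the staging workflow above: it checks that the byte count the router reported for the TFTP copy matches both its own dir nvram: listing and the file that arrived (TFTP carries no integrity check), keeps a SHA-256 to compare against the copy later placed on the RMA unit, and flags the lines that take effect the instant copy ... running-config merges, which is how the hostname flipped and "% Authorization failed" appeared above. The listing and copy summary are constructed from the post's output; the aaa lines are illustrative, since the post only says the router has AAA configured.

```python
import hashlib
import re

# Constructed from the post's output: the nvram: listing on the source router
# and the summary line printed when the startup-config was copied to TFTP.
DIR_NVRAM = """\
Directory of nvram:/

32769  -rw-            25314                    <no date>  startup-config
32770  ----             3689                    <no date>  private-config
32771  -rw-            25314                    <no date>  underlying-config
"""
COPY_SUMMARY = "25314 bytes copied in 10.516 secs (2407 bytes/sec)"

# Constructed excerpt of a retrieved config. The post only says the router
# "has AAA configured"; these aaa lines are illustrative, not the post's.
CONFIG_TEXT = """\
!
version 16.12
service password-encryption
hostname ASR920
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
"""

# Config lines that change the management plane as soon as they are merged
# into running-config, before 'write memory' is ever issued.
MGMT_PLANE_PREFIXES = (
    "hostname ", "aaa ", "username ", "enable secret", "enable password",
    "line vty", "line con", "tacacs", "radius", "ip ssh", "ip http",
)


def nvram_file_size(listing: str, name: str):
    """Size that 'dir nvram:' reports for one file, or None if absent."""
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+[-rwx]{4}\s+(\d+)\s+.*\s(\S+)$", line)
        if m and m.group(2) == name:
            return int(m.group(1))
    return None


def copied_bytes(summary: str):
    """Byte count from the 'N bytes copied in ...' line the copy command prints."""
    m = re.match(r"(\d+) bytes copied", summary)
    return int(m.group(1)) if m else None


def verify_transfer(listing: str, name: str, summary: str, data: bytes) -> dict:
    """TFTP has no integrity protection, so cross-check three numbers: the size
    in the router's own listing, the size it reported copying, and the size of
    the file that arrived. The digest is kept so the copy later pushed to the
    RMA router can be compared byte-for-byte."""
    expected = nvram_file_size(listing, name)
    copied = copied_bytes(summary)
    return {
        "expected": expected,
        "copied": copied,
        "received": len(data),
        "size_ok": expected is not None and expected == copied == len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def management_plane_changes(config_text: str) -> list:
    """Lines to review before merging: once applied, the hostname changes and
    AAA takes over authorization for the very session you are typing in."""
    return [ln.strip() for ln in config_text.splitlines()
            if ln.strip().startswith(MGMT_PLANE_PREFIXES)]


if __name__ == "__main__":
    # Stand-in for the file TFTP wrote; in practice read it from disk.
    received = CONFIG_TEXT.encode().ljust(25314, b"!")
    print(verify_transfer(DIR_NVRAM, "startup-config", COPY_SUMMARY, received))
    for line in management_plane_changes(CONFIG_TEXT):
        print("review before merge:", line)
```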


Sunday, September 1, 2024

Cisco ASR920 License Install (non Smart License)

I had to RMA a Cisco ASR920 router due to a faulty port that was unable to detect the inserted SFP. I also requested that the Cisco TAC License team generate a new license file (Traditional/PAK license) based on the feature licenses on the previous ASR920 (bundled in a single license). You'll need the new chassis serial number to generate the new PAK license.

The RMA ASR920 came with the default IOS-XE version 16.9.3, so it's easy to upgrade to any 16.x code. I had a previous post regarding the IOS-XE upgrade on a Cisco ASR920. The RMA unit also doesn't come with a new hot-swappable power supply unit (PSU), so you have to move the PSU from the old ASR920 to the new one.


RMA_ASR920#copy tftp://172.27.5.3/CAT24071234_20240621080644.lic bootflash:
Destination filename [CAT24071234_20240621080644.lic]?
Accessing tftp://172.27.5.3/CAT24071234_20240621080644.lic...
Loading CAT24071234_20240621080644.lic from 172.27.5.3 (via GigabitEthernet0): !
[OK - 3326 bytes]

3326 bytes copied in 22.088 secs (151 bytes/sec)


RMA_ASR920#dir
Directory of bootflash:/

   11  drwx            16384   Jul 1 2020 01:41:57 +00:00  lost+found
46273  drwx             4096   Jul 1 2020 01:42:01 +00:00  .prst_sync
   12  -rw-        445862301   Jul 1 2020 01:57:10 +00:00  asr920-universalk9_npe.16.09.03.SPA.bin
23137  drwx            20480  Jun 21 2024 19:00:37 +00:00  tracelogs
 7713  drwx             4096  Jun 21 2024 16:43:44 +00:00  .installer

<OUTPUT TRUNCATED>

   16  -rw-             3326  Jun 21 2024 19:04:11 +00:00  CAT24071234_20240621080644.lic

1241329664 bytes total (253034496 bytes free)


RMA_ASR920#license install bootflash:CAT24071234_20240621080644.lic
Installing licenses from "bootflash:CAT24071234_20240621080644.lic"
Installing...Feature:24portGE-4port10GE...Successful:Supported
Installing...Feature:advancedmetroipaccess...Successful:Supported
Installing...Feature:metroaccess...Failed:
% Error: Duplicate license
2/3 licenses were successfully installed
1/3 licenses were existing licenses
0/3 licenses were failed to install

 

 

I noticed that the License State of the newly installed advancedmetroipaccess license (my target level) was Active, Not in Use.

 

RMA_ASR920#show license
Index 1 Feature: advancedmetroipaccess
        Period left: Life time
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: metroipaccess
        Period left: Not Activated
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 3 Feature: metroaccess
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 4 Feature: atm
Index 5 Feature: oc3
Index 6 Feature: oc12
Index 7 Feature: 1588
Index 8 Feature: 10GEupgradelicense
Index 9 Feature: 24portGE-4port10GE
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 10 Feature: 12x1GEupgradelicense


RMA_ASR920#show license all
License Store: Primary License Storage
StoreIndex: 1   Feature: metroaccess                       Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
StoreIndex: 2   Feature: 24portGE-4port10GE                Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
StoreIndex: 3   Feature: advancedmetroipaccess             Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
License Store: Built-In License Storage
StoreIndex: 0   Feature: advancedmetroipaccess             Version: 1.0
        License Type: Evaluation
        License State: Inactive
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 4  days
            Period used: 0  minute  0  second
        License Count: Non-Counted
        License Priority: None
StoreIndex: 1   Feature: metroipaccess                     Version: 1.0
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 4  days
            Period used: 0  minute  0  second
        License Count: Non-Counted
        License Priority: None
StoreIndex: 2   Feature: metroaccess                       Version: 1.0
        License Type: Evaluation
        License State: Inactive
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 4  days
            Period used: 0  minute  0  second
        License Count: Non-Counted
        License Priority: None

 

Per the Cisco link, I had to configure the license boot level and reload the router for it to take effect.

RMA_ASR920#show run | i license boot
license boot level metroaccess

RMA_ASR920#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RMA_ASR920(config)#license ?
  accept   Accept all further License Agreements
  agent    Configure LIC_AGENT
  boot     license boot config commands
  feature  License features
  smart    Smart licensing
  udi      license udi

RMA_ASR920(config)#license boot ?
  level  which level to boot

RMA_ASR920(config)#license boot level ?
  advancedmetroipaccess  Advanced Metro IP Access License Level
  metroaccess            Metro Access License Level
  metroipaccess          Metro IP Access License Level

RMA_ASR920(config)#license boot level advancedmetroipaccess ?
  <cr>  <cr>

RMA_ASR920(config)#license boot level advancedmetroipaccess
% use 'write' command to make license boot config take effect on next boot

RMA_ASR920(config)#end
RMA_ASR920#write memory
Building configuration...
[OK]

RMA_ASR920#show run | i license boot
license boot level advancedmetroipaccess

 

 

RMA_ASR920#show license all
License Store: Primary License Storage
StoreIndex: 1   Feature: metroaccess                       Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
StoreIndex: 2   Feature: 24portGE-4port10GE                Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
StoreIndex: 3   Feature: advancedmetroipaccess             Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium


RMA_ASR920#show version
Cisco IOS XE Software, Version 16.x.x
Cisco IOS Software [Gibraltar], ASR920 Software (PPC_LINUX_IOSD-UNIVERSALK9_NPE-M), Version 16.x.x, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Thu 09-Jul-20 17:13 by mcpre

<OUTPUT TRUNCATED>

ROM: IOS-XE ROMMON

RMA_ASR920 uptime is 23 hours, 12 minutes
Uptime for this control processor is 23 hours, 17 minutes
System returned to ROM by reload
System image file is "bootflash:asr920-universalk9_npe.16.x.x.SPA.bin"
Last reload reason: Reload Command

<OUTPUT TRUNCATED>

License Level: metroaccess
License Type: Permanent
Next reload license Level: advancedmetroipaccess

Smart Licensing Status: Smart Licensing is DISABLED

cisco ASR-920-x-x (Freescale P2020) processor (revision 1.2 GHz) with 890398K/6147K bytes of memory.
Processor board ID CAT24071234
24 Gigabit Ethernet interfaces
4 Ten Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3670016K bytes of physical memory.
1231647K bytes of eMMC flash at bootflash:.

Configuration register is 0x2102


RMA_ASR920#reload
Proceed with reload? [confirm]

 

 

Notice that the advancedmetroipaccess License State changed to Active, In Use after the reload.

 

RMA_ASR920#show license
Index 1 Feature: advancedmetroipaccess
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: metroipaccess
        Period left: Not Activated
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 3 Feature: metroaccess
        Period left: Life time
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
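An added example (not from the post) that automates the check made by hand above: it parses show license all for permanent licenses that sit in Primary License Storage as "Active, Not in Use", then explains each one against the running and next-reload levels taken from the License Level lines of show version. Both snippets are constructed from the post's own output, captured after license boot level advancedmetroipaccess was saved but before the reload.

```python
import re

# Constructed from the post's 'show license all' output, taken after the
# license was installed and 'license boot level advancedmetroipaccess' was
# saved but before the reload.
SHOW_LICENSE_ALL = """\
License Store: Primary License Storage
StoreIndex: 1   Feature: metroaccess                       Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
StoreIndex: 2   Feature: 24portGE-4port10GE                Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
StoreIndex: 3   Feature: advancedmetroipaccess             Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
License Store: Built-In License Storage
StoreIndex: 0   Feature: advancedmetroipaccess             Version: 1.0
        License Type: Evaluation
        License State: Inactive
            Evaluation total period: 8  weeks 4  days
        License Count: Non-Counted
        License Priority: None
"""

# Constructed from the license lines of the post's 'show version'.
SHOW_VERSION = """\
License Level: metroaccess
License Type: Permanent
Next reload license Level: advancedmetroipaccess
"""


def parse_show_license_all(text: str) -> list:
    """One dict per StoreIndex entry, tagged with the store it sits in."""
    entries, store, cur = [], None, None
    for line in text.splitlines():
        m = re.match(r"License Store: (.+)", line)
        if m:
            store = m.group(1).strip()
            continue
        m = re.match(r"StoreIndex: (\d+)\s+Feature: (\S+)", line)
        if m:
            cur = {"store": store, "index": int(m.group(1)), "feature": m.group(2)}
            entries.append(cur)
            continue
        # Indented attribute lines belong to the current entry; the deeper
        # 'Evaluation ...' lines are not needed here and fall through.
        m = re.match(r"\s+License (Type|State|Count|Priority): (.+)", line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2).strip()
    return entries


def installed_but_unused(entries: list) -> list:
    """Permanent (paid-for) licenses that are present but not in effect."""
    return [e["feature"] for e in entries
            if e["store"] == "Primary License Storage"
            and e.get("type") == "Permanent"
            and e.get("state") == "Active, Not in Use"]


def license_levels(show_version: str):
    """(running level, level that takes effect on the next reload)."""
    cur = re.search(r"^License Level: (\S+)", show_version, re.M)
    nxt = re.search(r"^Next reload license Level: (\S+)", show_version, re.M)
    return (cur.group(1) if cur else None, nxt.group(1) if nxt else None)


def audit(show_license_all: str, show_version: str) -> list:
    """Explain every unused permanent license: either the boot level points at
    it and a reload is still pending, or the boot level never selected it."""
    running, pending = license_levels(show_version)
    findings = []
    for feature in installed_but_unused(parse_show_license_all(show_license_all)):
        if feature == pending and feature != running:
            findings.append(f"{feature}: boot level set, reload pending "
                            f"(running level is {running})")
        else:
            findings.append(f"{feature}: not selected by 'license boot level' "
                            f"(next reload level is {pending})")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_LICENSE_ALL, SHOW_VERSION):
        print(finding)
```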

 

Friday, August 9, 2024

Cisco ASR1001-X Throughput License

The Cisco ASR1001-X Throughput license is an honor-based license, meaning there's no need to purchase the 20 Gbps Throughput Product Activation Key (PAK) license. Simply activate it, accept the End User License Agreement (EULA) and reload the router for it to take effect.

Cisco IOS XE Software feature licenses

    Certain functions supported on the Cisco ASR 1000 Series require feature licenses.

    All Cisco ASR 1000 feature and performance upgrade licenses are honor-based; that is, they are not enforced through a Product Activation Key (PAK). Note: Prior to Cisco IOS XE Software Release 3.7S, performance upgrade licenses that are required to upgrade the Cisco ASR 1001 from 2.5 to 5 Gbps or the Cisco ASR 1002-X from 5 to 10 to 20 to 36 Gbps are enforced through a PAK. Similarly, prior to Cisco IOS XE Software Release 3.6S, technology package licenses are enforced through a PAK.


ASR1K#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

ASR1K(config)#platform hardware throughput level 20000000

         Feature Name:throughput_20g

 
PLEASE  READ THE  FOLLOWING TERMS  CAREFULLY. INSTALLING THE LICENSE OR
LICENSE  KEY  PROVIDED FOR  ANY CISCO  PRODUCT  FEATURE  OR  USING SUCH
PRODUCT  FEATURE  CONSTITUTES  YOUR  FULL ACCEPTANCE  OF  THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO  BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.

Use of this product feature requires  an additional license from Cisco,
together with an additional  payment.  You may use this product feature
on an evaluation basis, without payment to Cisco, for 60 days. Your use
of the  product,  including  during the 60 day  evaluation  period,  is
subject to the Cisco end user license agreement
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
If you use the product feature beyond the 60 day evaluation period, you
must submit the appropriate payment to Cisco for the license. After the
60 day  evaluation  period,  your  use of the  product  feature will be
governed  solely by the Cisco  end user license agreement (link above),
together  with any supplements  relating to such product  feature.  The
above  applies  even if the evaluation  license  is  not  automatically
terminated  and you do  not receive any notice of the expiration of the
evaluation  period.  It is your  responsibility  to  determine when the
evaluation  period is complete and you are required to make  payment to
Cisco for your use of the product feature beyond the evaluation period.

Your  acceptance  of  this agreement  for the software  features on one
product  shall be deemed  your  acceptance  with  respect  to all  such
software  on all Cisco  products  you purchase  which includes the same
software.  (The foregoing  notwithstanding, you must purchase a license
for each software  feature you use past the 60 days evaluation  period,
so  that  if you enable a software  feature on  1000  devices, you must
purchase 1000 licenses for use past  the 60 day evaluation period.)    

Activation  of the  software command line interface will be evidence of
your acceptance of this agreement.


ACCEPT? (yes/[no]): yes
% The config will take effect on next reboot
ASR1K(config)#
Feb 15 14:24:18.111: %LICENSE-6-EULA_ACCEPTED: EULA for feature throughput_20g 1.0 has been accepted. UDI=ASR1001-X:JAE19261234; StoreIndex=11:Built-In License Storage
ASR1K(config)#
Feb 15 14:24:18.597: %PARSER-5-CFGLOG_LOGGEDCMD: User:johxx  logged command:platform hardware throughput level 20000000
ASR1K(config)#end
ASR1K#write memory
Building configuration...

Feb 15 14:25:32.979: %SYS-5-CONFIG_I: Configured from console by johxx on console[OK]
Feb 15 14:25:38.738: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file
ASR1K#reload
The following license(s) are transitioning, expiring or have expired.
Features with expired licenses may not work after Reload.
Feature: throughput_20g                 ,Status: transition, Period Left: 8  wks 3  days

Proceed with reload? [confirm] <ENTER>

 

<OUTPUT TRUNCATED>


*Feb 15 14:10:09.234: boot_env_str = adventerprise,all:asr1001x;
*Feb 15 14:10:10.477: %LICENSE-6-EULA_ACCEPT_ALL: The Right to Use End User License Agreement is accepted

*Feb 15 14:10:10.512: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = asr1001x Next reboot level = adventerprise and License = adventerprise
*Feb 15 14:10:12.919: %IOSXE_THROUGHPUT-6-LEVEL: Throughput level has been set to 20000000 kbps


ASR1K#show platform hardware throughput level
The current throughput level is 20000000 kb/s


ASR1K#show version
Cisco IOS XE Software, Version 16.0x.0x
Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.x.x, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Wed 20-Mar-19 08:02 by mcpre


<OUTPUT TRUNCATED>

License Type: Permanent
License Level: adventerprise
Next reload license Level: adventerprise
The current throughput level is 20000000 kbps


Smart Licensing Status: Smart Licensing is DISABLED

ASR1K ASR1001-X (1NG) processor (revision 1NG) with 3853454K/6147K bytes of memory.
Processor board ID FXS22501234
6 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
6594559K bytes of eUSB flash at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102


Saturday, July 6, 2024

Deploy Juniper vMX in GNS3

I needed a Juniper virtual lab to refresh my Junos OS CLI, and the easiest way is to deploy a virtual MX (vMX) in GNS3. You'll need a vMX qcow2 file to run in GNS3.

Go to Edit > Preferences > QEMU > Qemu VM > New > select New Image > browse to the .qcow2 file.

It will automatically upload the image. Just click Finish when it's done.

Select vMX > click Edit.

Under Symbol > click Browse.

To distinguish between a Cisco and a Juniper router, under the General settings tab > Symbol > select: Affinity-circle-blue > select: Router > click OK.

Go to the Network tab > Adapters: type 3 (or click the up arrow).

Click OK > Apply.

Click Browse all devices (left-hand side) > click/drag vMX.

I've deployed two vMXs, a Cisco L2 switch and a Cisco 7200 router in my JNCIA lab.

I only powered on a single vMX and the L2 switch to play around with the Junos CLI.



<OUTPUT TRUNCATED>

Profile database initialized
Local package initialization:.
kern.securelevel: -1 -> 1
starting local daemons:set cores for group access
Running /packages/finish.install ...
.
Sat Jun  8 03:03:56 UTC 2024

Amnesiac (ttyd0)   <<< HOSTNAME Amnesiac IS THE FACTORY DEFAULT

login: root   <<< HIT ENTER, NO INITIAL PASSWORD

--- JUNOS 14.1R1.10 built 2014-06-07 09:37:07 UTC
root@% cli   <<< TYPE CLI TO GO TO OPERATIONAL MODE
root> show version
Model: vmx
Junos: 14.1R1.10
JUNOS Base OS Software Suite [14.1R1.10]
JUNOS Base OS boot [14.1R1.10]
JUNOS Crypto Software Suite [14.1R1.10]
JUNOS Online Documentation [14.1R1.10]
JUNOS Kernel Software Suite [14.1R1.10]
JUNOS Packet Forwarding Engine Support (M320) [14.1R1.10]
JUNOS Packet Forwarding Engine Support (M/T/EX Common) [14.1R1.10]
JUNOS Routing Software Suite [14.1R1.10]
JUNOS Runtime Software Suite [14.1R1.10]

<OUTPUT TRUNCATED>

 

To configure the root password, enter configuration mode by typing edit, issue the command set system root-authentication plain-text-password, type a password, then type it again to confirm.

Type commit to save the configuration.

 

 

root> edit
Entering configuration mode

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# set system host-name vMX1

[edit]
root# commit
commit complete

[edit]
root@vMX1#   <<< NOTICE THE HOSTNAME APPEARED

[edit]

Friday, June 7, 2024

Check the SNMP Interface Index in a Cisco Router

You can use the show snmp mib ifmib ifindex command to map or retrieve the interface MIB index (ifIndex) on a Cisco router without performing an SNMP walk from an NMS.

4321#show snmp mib ifmib ifindex
GigabitEthernet0/0/1.40: Ifindex = 22
GigabitEthernet0/0/1.13: Ifindex = 21
Voice Over IP Peer: 22: Ifindex = 35
Voice Encapsulation (POTS) Peer: 1004: Ifindex = 30
Foreign Exchange Station 0/1/2: Ifindex = 10
Voice Over IP Peer: 20: Ifindex = 24
Voice Encapsulation (POTS) Peer: 1006: Ifindex = 32
Foreign Exchange Station 0/1/0: Ifindex = 8
GigabitEthernet0/0/0: Ifindex = 1
Service-Engine0/1/0: Ifindex = 3
GigabitEthernet0/0/0.4: Ifindex = 19
GigabitEthernet0/0/0.3: Ifindex = 16
VoIP-Null0: Ifindex = 6
Null0: Ifindex = 7

Thursday, May 2, 2024

Cisco Access Control List (ACL) Established

Here's a nice link regarding the established keyword in a Cisco router access control list (ACL). The keyword is commonly used to permit only TCP traffic belonging to sessions that originate from the inside towards the destination IP, which effectively denies TCP connections initiated from the outside or public Internet.

To test it, I set up two directly connected routers and used Loopback interfaces as the destination IP addresses. Ping and TCP ports 80 and 443 on each router were initially allowed.

R1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        10.1.1.1        YES manual up                    up
FastEthernet1/0        unassigned      YES unset  administratively down down
FastEthernet1/1        192.168.1.1     YES manual up                    up
Loopback1              1.1.1.1         YES manual up                    up

R1#ping 2.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/92 ms

R1#telnet 2.2.2.2 80 /source-interface f0/0
Trying 2.2.2.2, 80 ... Open

R1#telnet 2.2.2.2 443 /source-interface f0/0
Trying 2.2.2.2, 443 ... Open

R2#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        200.1.1.1       YES manual up                    up
FastEthernet1/0        unassigned      YES unset  administratively down down
FastEthernet1/1        192.168.1.2     YES manual up                    up
Loopback2              2.2.2.2         YES manual up                    up

R2#ping 1.1.1.1 source 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/22/44 ms

R2#telnet 1.1.1.1 80 /source-interface f0/0
Trying 1.1.1.1, 80 ... Open

R2#telnet 1.1.1.1 443 /source-interface f0/0
Trying 1.1.1.1, 443 ... Open

 

 

Below is the ACL with the established keyword. I added log to capture ACL traffic match. R1 was able to ping and open TCP ports 80 and 443 to R2's Loopback IP address 2.2.2.2 using its LAN source IP address (10.1.1.1).

 

ip access-list extended WEB_ACL
 permit udp any 10.1.1.0 0.0.0.255 eq 53 log
 permit tcp any eq 80 10.1.1.0 0.0.0.255 established log
 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log
 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log

interface f1/1
 ip access-group WEB_ACL in


R1#show ip access-list
Extended IP access list WEB_ACL
    10 permit udp any 10.1.1.0 0.0.0.255 eq domain log
    20 permit tcp any eq www 10.1.1.0 0.0.0.255 established log
    30 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log
    40 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log

R1#ping 2.2.2.2 source 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/25/60 ms

R1#telnet 2.2.2.2 80 /source-interface f0/0
Trying 2.2.2.2, 80 ... Open

*Feb 18 08:45:24.615: %SEC-6-IPACCESSLOGP: list WEB_ACL permitted tcp 2.2.2.2(80) -> 10.1.1.1(35657), 1 packet

R1#telnet 2.2.2.2 443 /source-interface f0/0
Trying 2.2.2.2, 443 ... Open

*Feb 18 08:45:47.987: %SEC-6-IPACCESSLOGP: list WEB_ACL permitted tcp 2.2.2.2(443) -> 10.1.1.1(59649), 1 packet

R1#show access-list
Extended IP access list WEB_ACL
    10 permit udp any 10.1.1.0 0.0.0.255 eq domain log
    20 permit tcp any eq www 10.1.1.0 0.0.0.255 established log (8 matches)
    30 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log (6 matches)
    40 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log (5 matches)

 

R2 is unable to ping or open TCP ports 80 and 443 to R1's Loopback IP 1.1.1.1 using its LAN source IP address (200.1.1.1).

 

R2#ping 1.1.1.1 source 200.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 200.1.1.1
UUUUU
Success rate is 0 percent (0/5)

R2#telnet 1.1.1.1 80 /source-interface f0/0
Trying 1.1.1.1, 80 ...
% Destination unreachable; gateway or host down

R2#telnet 1.1.1.1 443 /source-interface f0/0
Trying 1.1.1.1, 443 ...
% Destination unreachable; gateway or host down
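To make the behaviour above concrete, here is an added Python model (not the post's code) of how an extended ACL with the established keyword evaluates inbound packets, run against WEB_ACL exactly as show ip access-list printed it. established is a flag check rather than a session table: it matches only TCP segments with the ACK or RST bit set, so R1's return traffic is permitted while R2's connection-opening SYNs and echo requests fall through to the implicit deny. The packets are constructed to mirror the tests R1 and R2 ran; only the eq port operator is modelled.

```python
import ipaddress
from dataclasses import dataclass

# WEB_ACL exactly as 'show ip access-list' printed it in the post.
WEB_ACL = [
    "10 permit udp any 10.1.1.0 0.0.0.255 eq domain log",
    "20 permit tcp any eq www 10.1.1.0 0.0.0.255 established log",
    "30 permit tcp any eq 443 10.1.1.0 0.0.0.255 established log",
    "40 permit icmp any 10.1.1.0 0.0.0.255 echo-reply log",
]
# IOS prints well-known ports by name; map the two that appear here.
PORT_NAMES = {"www": 80, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags set, e.g. {"SYN"} or {"ACK"}
    icmp_type: str = ""             # "echo" or "echo-reply"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens):
    """Consume 'any' or '<address> <wildcard>' from the front of the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq <port>' operator; only 'eq' is modelled here."""
    if tokens and tokens[0] == "eq":
        return int(PORT_NAMES.get(tokens[1], tokens[1])), tokens[2:]
    return None, tokens


def parse_ace(line: str) -> dict:
    """Parse one access-control entry in 'show ip access-list' form."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest)
    return {"seq": seq, "action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport, "opts": set(rest)}


def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    icmp_types = ace["opts"] & {"echo", "echo-reply"}
    if pkt.proto == "icmp" and icmp_types and pkt.icmp_type not in icmp_types:
        return False
    # 'established' is a flag check, not a session table: the segment must
    # carry ACK or RST, which a connection-opening SYN from outside never does.
    if "established" in ace["opts"] and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: list, pkt: Packet):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace["action"], ace["seq"]
    return "deny", None


if __name__ == "__main__":
    # Constructed packets mirroring the post's tests, as seen inbound on R1 f1/1.
    for label, pkt in [
        ("R2 answers R1's HTTP session", Packet("tcp", "2.2.2.2", "10.1.1.1", 80, 35657, frozenset({"ACK"}))),
        ("R2 answers R1's ping", Packet("icmp", "2.2.2.2", "10.1.1.1", icmp_type="echo-reply")),
        ("R2 opens HTTP to R1", Packet("tcp", "200.1.1.1", "1.1.1.1", 40000, 80, frozenset({"SYN"}))),
        ("R2 pings R1", Packet("icmp", "200.1.1.1", "1.1.1.1", icmp_type="echo")),
    ]:
        print(f"{label}: {evaluate(WEB_ACL, pkt)}")
```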