My Network Lab: 2021

Saturday, December 4, 2021

Cisco CSR 1000V IOS-XE Upgrade

Here's a good link to perform an IOS-XE upgrade in a Cisco CSR 1000V. You download the .bin file to perform the IOS-XE code upgrade. The .iso and .ova are only used for the initial virtual machine deployment. The IOS-XE Gibraltar 16.12.5 is the recommended code (with a gold star) as of this writing.

My CSRv lab router runs IOS-XE 16.6.7 so I need to transfer the new .bin file in bootflash.

CSRv#show version
Cisco IOS XE Software, Version 16.06.07
Cisco IOS Software [Everest], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Mon 23-Sep-19 14:33 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2019 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

CSRv uptime is 6 days, 18 hours, 17 minutes
Uptime for this control processor is 6 days, 18 hours, 20 minutes
System returned to ROM by reload
System image file is "bootflash:packages.conf"
Last reload reason: Unknown reason

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: Default. No valid license found.
Next reload license Level: ax

cisco CSR1000V (VXE) processor (revision VXE) with 2190141K/3075K bytes of memory.
Processor board ID 9FVTXL4B123
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3984872K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

CSRv#copy tftp://192.168.1.100/csr1000v-universalk9.16.12.05.SPA.bin bootflash:
Destination filename [csr1000v-universalk9.16.12.05.SPA.bin]?
Accessing tftp://192.168.1.100/csr1000v-universalk9.16.12.05.SPA.bin...
Loading csr1000v-universalk9.16.12.05.SPA.bin from 192.168.1.100 (via GigabitEthernet1): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

<OUTPUT TRUNCATED>

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 468361091 bytes]

468361091 bytes copied in 1381.498 secs (339024 bytes/sec)

CSRv#dir
Directory of bootflash:/

   11 drwx            16384 Jun 27 2021 11:11:18 +00:00 lost+found
130049 drwx             4096 Jun 27 2021 11:12:40 +00:00 .super.iso.dir
260097 drwx             4096 Jun 27 2021 11:15:53 +00:00 .installer
   12 -rw-               31 Jun 27 2021 11:18:47 +00:00 .CsrLxc_LastInstall
   13 -rw-               69 Jun 27 2021 11:18:49 +00:00 virtual-instance.conf
406401 drwx             4096 Jun 27 2021 11:15:33 +00:00 core
   15 -rw-        125829120 Jun 27 2021 11:12:40 +00:00 iosxe-remote-mgmt.16.06.07.ova
373891 -rw-        371549204 Jun 27 2021 11:13:40 +00:00 csr1000v-mono-universalk9.16.06.07.SPA.pkg
373892 -rw-         40656486 Jun 27 2021 11:14:21 +00:00 csr1000v-rpboot.16.06.07.SPA.pkg
373890 -rw-             2776 Jun 27 2021 11:14:21 +00:00 packages.conf
105665 drwx             4096 Jun 27 2021 11:15:23 +00:00 .prst_sync
316993 drwx             4096 Jun 27 2021 11:15:34 +00:00 .rollback_timer
243841 drwx             4096 Jun 27 2021 11:18:54 +00:00 virtual-instance
   16 -rw-               30 Jun 27 2021 11:18:13 +00:00 throughput_monitor_params
   17 -rw-                0 Jun 27 2021 11:18:14 +00:00 cvac.log
   18 -rw-             1766 Jun 27 2021 11:18:58 +00:00 csrlxc-cfg.log
430785 drwx             4096 Jun 27 2021 11:18:56 +00:00 onep
   14 -rw-               35 Jun 27 2021 11:19:37 +00:00 pnp-tech-time
   19 -rw-            58123 Jun 27 2021 11:19:38 +00:00 pnp-tech-discovery-summary
   20 -rw-        468361091 Aug 21 2021 03:18:39 +00:00 csr1000v-universalk9.16.12.05.SPA.bin

7897796608 bytes total (5976797184 bytes free)

It's always best practice to verify the hash of newly transferred file. Verify if the hash is the same in the Cisco download site.

CSRv#verify /md5 bootflash:csr1000v-universalk9.16.12.05.SPA.bin
..........................................................................................................................

<OUTPUT TRUNCATED>

........................................Done!
verify /md5 (bootflash:csr1000v-universalk9.16.12.05.SPA.bin) = 226c54c04dcfbb7fdad5e00dcb66c8f8

Change the boot variable and reload the router.

CSRv#show run | inc boot
boot-start-marker
boot-end-marker
diagnostic bootup level minimal

CSRv#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
CSRv(config)#boot system bootflash:csr1000v-universalk9.16.12.05.SPA.bin
CSRv(config)#end
CSRv#write memory
Building configuration...
[OK]

CSRv#show run | inc boot
boot-start-marker
boot system bootflash:csr1000v-universalk9.16.12.05.SPA.bin
boot-end-marker
diagnostic bootup level minimal

CSRv#show bootvar
BOOT variable = bootflash:csr1000v-universalk9.16.12.05.SPA.bin,12;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102

CSRv#reload
Proceed with reload? [confirm]

<OUTPUT TRUNCATED>

The VM bootup using the new IOS-XE in less than 5 minutes (depends on the VM specs). Verify the new IOS-XE version using the show version command.

CSRv#show version
Cisco IOS XE Software, Version 16.12.05
Cisco IOS Software [Gibraltar], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Fri 29-Jan-21 12:24 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2021 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

CSRv uptime is 2 minutes
Uptime for this control processor is 6 minutes
System returned to ROM by reload at 03:22:42 UTC Sat Aug 21 2021
System image file is "bootflash:csr1000v-universalk9.16.12.05.SPA.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: ax
License Type: N/A(Smart License Enabled)
Next reload license Level: ax

Smart Licensing Status: UNREGISTERED/No Licenses in Use

cisco CSR1000V (VXE) processor (revision VXE) with 2079946K/3075K bytes of memory.
Processor board ID 9FVTXL4B123
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
3978408K bytes of physical memory.
7774207K bytes of virtual hard disk at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

The new IOS-XE 16.12.5 converted the username and enable secret to a type 9 password (using scrypt). The call-home config was automatically added and made Smart Licensing mandatory starting IOS-XE 16.10.1a in CSR1000v and ISRv routers. A Public Key Infrastructure (PKI) Trustpoint and Certificate were also generated by the new code.

CSRv#show run
Building configuration...

Current configuration : 5147 bytes
!
! Last configuration change at 11:30:00 UTC Sat Aug 21 2021
!
version 16.12
service config
service timestamps debug datetime msec
service timestamps log datetime msec
! Call-home is enabled by Smart-Licensing.
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CSRv
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.16.12.05.SPA.bin
boot-end-marker
!
!
enable secret 9 $14$irt/$vxybaz5tx788zU$nJTdFHkRG6FaEln/IoWRdNJC/kKhYOTcAefKYEp/zhk
!
no aaa new-model

call-home

! If contact email address in call-home is configured as sch-smart-licensing@cisco.com

! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.

contact-email-addr sch-smart-licensing@cisco.com

profile "CiscoTAC-1"

active

destination transport-method http

no destination transport-method email

!
no ip domain lookup
ip domain name lab.com
!
!
!
no login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!

crypto pki trustpoint TP-self-signed-808986070

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-808986070

revocation-check none

rsakeypair TP-self-signed-808986070

crypto pki trustpoint SLA-TrustPoint

enrollment pkcs12

revocation-check crl

crypto pki certificate chain TP-self-signed-808986070

crypto pki certificate chain SLA-TrustPoint

certificate ca 01

30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030

32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363

418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0

D697DF7F 28

quit

!
license udi pid CSR1000V sn 9FVTXL4B123
diagnostic bootup level minimal
memory free low-watermark processor 72301
!
!
spanning-tree extend system-id
!
username admin privilege 15 secret 9 $14$ipiQ$JOPYppUclEDJCE$KqpKTScOAxrx4ue3Kt3Kpp7R.Uiie8nlUPNWkYJq.WM
!
redundancy
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key fortinet address 192.168.1.160
!
!
crypto ipsec transform-set TSET esp-des esp-md5-hmac
mode tunnel
!
crypto map CMAP 10 ipsec-isakmp
set peer 192.168.1.160
set transform-set TSET
match address FTG_CISCO_VPN
!
interface Loopback10
ip address 10.1.1.100 255.255.255.0
ip nat inside
!
interface GigabitEthernet1
ip address 192.168.1.140 255.255.255.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
crypto map CMAP
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
!
virtual-service csr_mgmt
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet1 // PART OF CALL-HOME CONFIG
!
ip nat inside source list 101 interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.160
ip ssh version 2
!
ip access-list extended FTG_CISCO_VPN
10 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
ip access-list extended 101
10 permit ip 10.1.1.0 0.0.0.255 any
!
control-plane
!
banner login ^C
### CSR1000v LAB ROUTER ###
^C
!
line con 0
stopbits 1
line vty 0 4
password cisco
logging synchronous
login
!
ntp server pnpntpserver.lab.com
!
end

Friday, November 12, 2021

Creating AWS Free Tier Account

I studied for my second Cloud certification and took the AWS Cloud Practitioner exam (CLF-C01) exam last month. You can take the free AWS Cloud Practitioner online course using the new AWS Skill Builder portal.

There's a separate AWS CertMetrics portal where you can schedule for the exam, view your score report and download your PDF certificate and digital badge. I took the CLF-C01 online exam via Pearson OnVUE (due to COVID-19) and the cost is around $100 USD (as of this writing). You can check the AWS Certification FAQ for more info.

Below is how the AWS digital certificate (PDF) and badge looks like.

Before creating an AWS Free Tier account, you'll need a mobile phone and credit/debit card.

Go to Amazon AWS website > click Get Started for Free

Click Create a Free Account.

Type the email address (to be used for login) > type a password (twice to confirm) > type an AWS account name > click Continue.

A complex password with minimum of 8 characters is recommended.

Select the AWS Plan > fill up the Contact Information fields > select: I have read and agree to the terms of the AWS Customer Agreement > click Continue.

In this case I chose the Personal since this is for my own lab.

Fill up the Billing Information (Credit or Debit card number) > select your Billing address > click Verify and Continue.

Note that AWS will not charge for usage below the Free Tier limits and will temporarily hold a $1 USD/EUR for 3-5 days as verification.

Select Text message (SMS) or Voice call to confirm identity > select Country or region code > type mobile number > type the captcha code > select send SMS (default).

Type the SMS code received in your mobile phone > click Continue.

Select a support plan. In this case I chose Basic support - Free > click Complete sign up.

The AWS account registration is complete. Click Go to the AWS Management Console to get started.

Select your role and interest in AWS > click Submit.

Select Root user > type email address > click Next.

Type the captcha code > click Submit.

The AWS Management Console will open using the default region us-east-2 (Ohio, USA).

Friday, November 5, 2021

Cisco ASR1001-X Licensing via license install Command

It's important to re-host or request from Cisco TAC License team the appropriate licenses when you do a Return Material Authorization (RMA) for a Cisco ASR1K router. The RMA unit sent to me had an ipbase and there's no valid license found. I would need to activate the Advanced Enterprise adventerprise in order to run advanced BGP commands.

Issue a show license udi and give the serial number info to TAC.

ASR1K#show license udi
SlotID PID SN UDI
--------------------------------------------------------------------------------
* ASR1001-X JAD23101234 ASR1001-X:JAD23101234

ASR1K#show version

Cisco IOS XE Software, Version 16.09.03

Cisco IOS Software [Fuji], ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.3, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Compiled Wed 20-Mar-19 08:02 by mcpre

licensed under the GNU General Public License ("GPL") Version 2.0. The

software code licensed under GPL Version 2.0 is free software that comes

with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such

GPL code under the terms of GPL Version 2.0. For more details, see the

documentation or "License Notice" file accompanying the IOS-XE software,

or the applicable URL provided on the flyer accompanying the IOS-XE

software.

ROM: IOS-XE ROMMON

ASR1K uptime is 33 minutes

Uptime for this control processor is 35 minutes

System returned to ROM by Reload Command

System image file is "bootflash:asr1001x-universalk9.16.09.03.SPA.bin"

Last reload reason: Reload Command

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

License Type: Default. No valid license found.

License Level: ipbase

Next reload license Level: ipbase

The current throughput level is 2500000 kbps

Smart Licensing Status: Smart Licensing is DISABLED

cisco ASR1001-X (1NG) processor (revision 1NG) with 3853454K/6147K bytes of memory.

Processor board ID FXS22505678

6 Gigabit Ethernet interfaces

2 Ten Gigabit Ethernet interfaces

32768K bytes of non-volatile configuration memory.

8388608K bytes of physical memory.

6594559K bytes of eUSB flash at bootflash:.

1974239K bytes of USB flash at usb1:.

0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

Below are the SKU or part number for ASR 1000 series license.

SLASR1-IPB: Cisco ASR 1000 IP Base license
SLASR1-AIS: Cisco ASR 1000 Advanced IP Services license
SLASR1-AES: Cisco ASR 1000 Advanced Enterprise Services license

Transfer the license file to the ASR1K bootflash and install using the license install bootflash:<LICENSE.lic> privileged EXEC command. There's no need to reload the ASR1K router in this case.

ASR1K#license install bootflash:JAD23101234_20201103060139515.lic

Installing licenses from "bootflash:JAD23101234_20201103060139515.lic"

Installing...Feature:adventerprise...Successful:Supported

1/1 licenses were successfully installed

0/1 licenses were existing licenses

0/1 licenses were failed to install

ASR1K#

*Nov 3 07:05:03.260: %LICENSE-6-INSTALL: Feature adventerprise 1.0 was installed in this device. UDI=ASR1001-X:JAD23101234; StoreIndex=0:Primary License Storage