Monday, December 11, 2023

N9K firmware upgrade

1. Pre-check: run the following commands before upgrading ES02
show version
show interface status
show interface brief
show ip interface brief
show run
show ip route
show hsrp brief
show ip arp
show mac address-table
show boot
show run | in boot
 
2. Upgrade firmware on ES02
Hostname#show install all impact nxos bootflash:nxos.9.3.12.bin
Hostname#install all nxos bootflash:nxos.9.3.12.bin
Press Y to proceed with the upgrade; the switch reboots automatically

Wednesday, November 22, 2023

Router 1002-HX firmware Upgrade

Precheck
ROUTER02#verify /md5 bootflash:ASR1K-fpga_prog.16.0.1.xe.bin
ROUTER02#verify /md5 bootflash:asr1000-universalk9.17.06.06a.SPA.bin


ROUTER02#sh run
ROUTER02#sh ver
ROUTER02#sh platform
ROUTER02#sh ip int bri
ROUTER02#sh ip route
ROUTER02#sh ip ospf int bri
ROUTER02#sh ip ospf nei
ROUTER02#sh ip bgp sum
ROUTER02#sh ip arp
ROUTER02#sh crypto ikev2 sa
ROUTER02#sh crypto ikev2 sa detailed
ROUTER02#sh crypto ipsec sa
ROUTER02#sh crypto ipsec sa detail
ROUTER02#sh crypto session
ROUTER02#sh crypto session detail


Activity
ROUTER02(config)#router bgp 65307
ROUTER02(config-router)#neighbor 10.122.109.77 shutdown graceful 120 community 1600
ROUTER02(config-router)#do wr
ROUTER02(config-router)#do sh ip bgp sum
ROUTER02(config-router)#do sh ip bgp community gshut
ROUTER02(config)#config-reg 0x00
ROUTER02(config)#do wr
ROUTER02(config)#do reload
rommon 1 > dir bootflash:
rommon 1 > boot bootflash:ASR1K-fpga_prog.16.0.1.xe.bin
rommon 1 > boot bootflash:asr1000-universalk9.17.06.06a.SPA.bin
ROUTER02#show version
ROUTER02#show platform
ROUTER02#show hw-programmable all
ROUTER02#show boot
ROUTER02#show run | in boot
ROUTER02(config)#boot system flash bootflash:/asr1000-universalk9.17.06.06a.SPA.bin
ROUTER02(config)#do show boot
ROUTER02(config)#do show run | in boot
ROUTER02(config)#no boot system flash bootflash:/asr1000-universalk9.17.06.05.SPA.bin
ROUTER02(config)#do show boot
ROUTER02(config)#do show run | in boot
ROUTER02(config)#config-reg 0x2102
ROUTER02(config)#do wr
ROUTER02(config)#do reload


ROUTER02(config)#router bgp 65307
ROUTER02(config-router)#no neighbor 10.122.109.77 shutdown graceful 120 community 1600
ROUTER02(config-router)#do wr

ROUTER01(config)#router bgp 65307
ROUTER01(config-router)#neighbor 10.122.109.69 shutdown graceful 120 community 1600
ROUTER01(config-router)#do wr

ROUTER01(config-router)#do sh ip bgp sum
ROUTER01(config-router)#do sh ip bgp community gshut
ROUTER01(config)#config-reg 0x00
ROUTER01(config)#do wr
ROUTER01(config)#do reload
rommon 1 > dir bootflash:
rommon 1 > boot bootflash:ASR1K-fpga_prog.16.0.1.xe.bin
rommon 1 > boot bootflash:asr1000-universalk9.17.06.06a.SPA.bin
ROUTER01#show version
ROUTER01#show platform
ROUTER01#show hw-programmable all
ROUTER01#show boot
ROUTER01#show run | in boot
ROUTER01(config)#boot system flash bootflash:/asr1000-universalk9.17.06.06a.SPA.bin
ROUTER01(config)#do show boot
ROUTER01(config)#do show run | in boot
ROUTER01(config)#no boot system flash bootflash:/asr1000-universalk9.17.06.05.SPA.bin
ROUTER01(config)#do show boot
ROUTER01(config)#do show run | in boot
ROUTER01(config)#config-reg 0x2102
ROUTER01(config)#do wr
ROUTER01(config)#do reload
ROUTER01(config)#router bgp 65307
ROUTER01(config-router)#no neighbor 10.122.109.69 shutdown graceful 120 community 1600
ROUTER01(config-router)#do wr

Friday, November 10, 2023

Office Note

ASR-1002HX
show platform (check rommon)
show hw-programmable (check CPLD & FPGA)

ip tftp source gi0/0/0 (to upload cisco image)

ASR-1002HX IOS image upgrade example:
conf t
show boot (check new image followed by old image)
no boot system (delete if there is any wrong image)
copy run start (save config)
boot system bootflash:/asr1000-universalk9.17.06.04.SPA.bin (boot with desired image)
reload (restart)

Thursday, November 9, 2023

IPsec VPNs with Crypto Maps

Test IPsec VPN

1. Assign IP addresses on all routers
R1
conf t
hostname R1
int lo0
ip add 1.1.1.1 255.255.255.255

int e0/0
ip add 192.168.12.1 255.255.255.0
no sh

R2
conf t
hostname R2
int e0/0
ip add 192.168.12.2 255.255.255.0
no sh

int e0/1
ip add 192.168.23.2 255.255.255.0
no sh

R3
conf t
hostname R3
int lo0
ip add 3.3.3.3 255.255.255.255

int e0/0
ip add 192.168.23.3 255.255.255.0
no sh

2. Configure OSPF on all routers
R1
router ospf 100
router-id 1.1.1.1
network 0.0.0.0 0.0.0.0 area 0

R2
router ospf 100
router-id 2.2.2.2
network 0.0.0.0 0.0.0.0 area 0

R3
router ospf 100
router-id 3.3.3.3
network 0.0.0.0 0.0.0.0 area 0

3. Configure an IPsec connection between R1 and R3
Create an ISAKMP policy:
Authentication: pre-shared-key
Encryption: AES 256
Hashing: SHA
DH: Group 5
Lifetime: 3600

R1 and R3
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600

4. Configure the pre-shared key “VAULT”, which you will use for the IPsec connection
R1
crypto isakmp key VAULT address 192.168.23.3

R3
crypto isakmp key VAULT address 192.168.12.1

5. Configure the IPsec transform-set:
Cipher: AES 256
ESP (Encapsulating Security Payload)
Hashing: SHA

R1 & R3
crypto ipsec transform-set MYTRANS esp-aes 256 esp-sha-hmac

6. Change the IPSEC security association lifetime to 1800 seconds.
R1 & R3
crypto ipsec security-association lifetime seconds 1800

7. To encrypt traffic from R1’s Loopback0 interface destined to R3’s Loopback0 interface, create the matching access-list on each router.
R1
access-list 100 permit ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0

R3
access-list 100 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0

8. Create the correct crypto-map to finish the IPSEC configuration.
R1
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.23.3
set security-association lifetime seconds 1800
set transform-set MYTRANS
set pfs group5
match address 100

int e0/0
crypto map MYMAP

R3
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.12.1
set security-association lifetime seconds 1800
set transform-set MYTRANS
set pfs group5
match address 100

int e0/0
crypto map MYMAP

9. Verify the IPsec configuration with the following show/debug commands:
show crypto isakmp sa
show crypto ipsec sa
show crypto ipsec transform-set
show crypto map
show access-list
debug crypto isakmp

R1#ping 3.3.3.3 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/6 ms
R1#

R3#ping 1.1.1.1 so l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
R3#

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.23.3 192.168.12.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
R1#

R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.23.3 192.168.12.1 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
R3#
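
A crypto-map tunnel only comes up when both ends agree, so the settings from steps 4 to 8 can be cross-checked offline before testing with ping. The following is an added example, not part of the original notes: the function names are hypothetical, and the two config strings are constructed from the R1 and R3 commands above.

```python
import re

# Constructed input: the R1 and R3 crypto commands from steps 4 to 8 that the checker reads.
R1_CFG = """\
crypto isakmp key VAULT address 192.168.23.3
crypto ipsec transform-set MYTRANS esp-aes 256 esp-sha-hmac
access-list 100 permit ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set pfs group5
"""
R3_CFG = """\
crypto isakmp key VAULT address 192.168.12.1
crypto ipsec transform-set MYTRANS esp-aes 256 esp-sha-hmac
access-list 100 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.12.1
 set pfs group5
"""
# Hypothetical checker: one regex per setting both ends must agree on.
PATTERNS = {
    "psk": r"^crypto isakmp key (\S+) address (\S+)",          # (key, peer)
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "peer": r"^\s*set peer (\S+)",
    "pfs": r"^\s*set pfs (\S+)",
    "acl": r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)",  # (src, dst)
}

def parse(cfg):
    """Extract the settings that both tunnel ends must agree on."""
    found = {k: re.search(p, cfg, re.M) for k, p in PATTERNS.items()}
    return {k: m.groups() if m else None for k, m in found.items()}

def check_pair(cfg_a, addr_a, cfg_b, addr_b):
    """Return a list of mismatches; an empty list means the ends agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = [f"missing {k}" for side in (a, b) for k, v in side.items() if v is None]
    if problems:
        return problems
    if a["peer"] != (addr_b,) or b["peer"] != (addr_a,):
        problems.append("crypto map peers do not point at each other")
    if a["psk"] != (b["psk"][0], addr_b) or b["psk"][1] != addr_a:
        problems.append("pre-shared key or its peer address differs")
    if a["transform"] != b["transform"] or a["pfs"] != b["pfs"]:
        problems.append("transform-set or PFS group differs")
    if a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Call `check_pair(R1_CFG, "192.168.12.1", R3_CFG, "192.168.23.3")` with each router's own e0/0 address; an ACL that names the wrong remote loopback is reported as a mirror mismatch.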

Tuesday, May 10, 2016

C-Vlan & S-Vlan

QinQ uses multiple VLAN tags in an Ethernet header so that one VLAN ID can carry another 4096 VLAN IDs in a second tag. This makes a simple and useful tunnelling strategy.

The first/inner tag is the one set by the customer, and the second/outer tag is set by the network. It’s common in the Service Provider industry to refer to these as Customer VLAN and Service VLAN.
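
To make the tag order concrete, here is an added example (not from the original post) that builds and parses a double-tagged Ethernet header. The function names are hypothetical, the sample frame is constructed, and the TPID values 0x88A8 (IEEE 802.1ad service tag) and 0x8100 (IEEE 802.1Q customer tag) are the standard ones, which the post itself does not mention.

```python
import struct

TPID_STAG = 0x88A8  # IEEE 802.1ad service tag, outer (S-VLAN)
TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag, inner (C-VLAN)

def build_frame(dst, src, tags, ethertype, payload=b""):
    """Build an Ethernet frame; tags is a list of (tpid, vid), outermost first."""
    header = dst + src
    for tpid, vid in tags:
        if not 0 <= vid <= 0x0FFF:
            raise ValueError("VLAN ID must fit in 12 bits")
        header += struct.pack("!HH", tpid, vid)  # PCP/DEI bits left at zero
    return header + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return ([(tpid, vid), ...] outermost first, ethertype)."""
    offset, tags = 12, []  # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_STAG, TPID_CTAG):
            return tags, etype
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((etype, tci & 0x0FFF))  # low 12 bits of the TCI are the VID
        offset += 4

def classify(frame):
    """Name the S-VLAN and C-VLAN by position; a lone tag is treated as the C-VLAN."""
    tags, _ = parse_tags(frame)
    s_vid = tags[0][1] if len(tags) == 2 else None
    c_vid = tags[-1][1] if tags else None
    return {"s_vlan": s_vid, "c_vlan": c_vid}

# Constructed sample: customer VLAN 10 carried inside service VLAN 200, IPv4 EtherType.
SAMPLE = build_frame(b"\x02" * 6, b"\x04" * 6,
                     [(TPID_STAG, 200), (TPID_CTAG, 10)], 0x0800)
```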

Thursday, April 28, 2016

Weight_Attribute (MED)



MED
1) Configure normally

traceroute 4.4.4.4 source 5.5.5.5

R4
receives the traffic towards 4.4.4.0/24 from R1
and the traffic towards 44.44.44.0/24 from R2 when MED is used

R4
ip prefix-list lo0 seq 5 permit 4.4.4.0/24
ip prefix-list lo1 seq 5 permit 44.44.44.0/24
! towards R1: higher MED on 44.44.44.0/24 makes R1 less preferred for it
route-map RETURN_TRAFFIC-R1 permit 10
match ip address prefix-list lo1
set metric 300
route-map RETURN_TRAFFIC-R1 permit 999
! towards R2: higher MED on 4.4.4.0/24 makes R2 less preferred for it
route-map RETURN_TRAFFIC-R2 permit 10
match ip address prefix-list lo0
set metric 300
route-map RETURN_TRAFFIC-R2 permit 999
router bgp 40
nei 10.1.14.1 route-map RETURN_TRAFFIC-R1 out
nei 10.1.24.2 route-map RETURN_TRAFFIC-R2 out

Weight_Attribute


R2
ip prefix-list CHANGE seq 5 permit 1.1.1.0/24
ip prefix-list CHANGE seq 10 permit 5.5.5.0/24
route-map SET_WEIGHT permit 10
match ip address prefix-list CHANGE
set weight 50

router bgp 20
nei 10.1.24.4 route-map SET_WEIGHT in

Verify on R2 with sh ip bgp (check 1.1.1.0 & 5.5.5.0)