Wednesday, November 22, 2023

Router 1002-HX firmware Upgrade

Precheck
ROUTER02#verify /md5 bootflash:ASR1K-fpga_prog.16.0.1.xe.bin
ROUTER02#verify /md5 bootflash:asr1000-universalk9.17.06.06a.SPA.bin


ROUTER02#sh run
ROUTER02#sh ver
ROUTER02#sh platform
ROUTER02#sh ip int bri
ROUTER02#sh ip route
ROUTER02#sh ip ospf int bri
ROUTER02#sh ip ospf nei
ROUTER02#sh ip bgp sum
ROUTER02#sh ip arp
ROUTER02#sh crypto ikev2 sa
ROUTER02#sh crypto ikev2 sa detailed
ROUTER02#sh crypto ipsec sa
ROUTER02#sh crypto ipsec sa detail
ROUTER02#sh crypto session
ROUTER02#sh crypto session detail


Activity
ROUTER02(config)#router bgp 65307
ROUTER02(config-router)#neighbor 10.122.109.77 shutdown graceful 120 community 1600
ROUTER02(config-router)#do wr
ROUTER02(config-router)#do sh ip bgp sum
ROUTER02(config-router)#do sh ip bgp community gshut
ROUTER02(config)#config-reg 0x00
ROUTER02(config)#do wr
ROUTER02(config)#do reload
rommon 1 > dir bootflash:
rommon 1 > boot bootflash:ASR1K-fpga_prog.16.0.1.xe.bin
rommon 1 > boot bootflash:asr1000-universalk9.17.06.06a.SPA.bin
ROUTER02#show version
ROUTER02#show platform
ROUTER02#show hw-programmable all
ROUTER02#show boot
ROUTER02#show run | in boot
ROUTER02(config)#boot system flash bootflash:/asr1000-universalk9.17.06.06a.SPA.bin
ROUTER02(config)#do show boot
ROUTER02(config)#do show run | in boot
ROUTER02(config)#no boot system flash bootflash:/asr1000-universalk9.17.06.05.SPA.bin
ROUTER02(config)#do show boot
ROUTER02(config)#do show run | in boot
ROUTER02(config)#config-reg 0x2102
ROUTER02(config)#do wr
ROUTER02(config)#do reboot


ROUTER02(config)#router bgp 65307
ROUTER02(config-router)#no neighbor 10.122.109.77 shutdown graceful 120 community 1600
ROUTER02(config-router)#do wr

ROUTER01(config)#router bgp 65307
ROUTER01(config-router)#neighbor 10.122.109.69 shutdown graceful 120 community 1600
ROUTER01(config-router)#do wr

ROUTER01(config-router)#do sh ip bgp sum
ROUTER01(config-router)#do sh ip bgp community gshut
ROUTER01(config)#config-reg 0x00
ROUTER01(config)#do wr
ROUTER01(config)#do reload
rommon 1 > dir bootflash:
rommon 1 > boot bootflash:ASR1K-fpga_prog.16.0.1.xe.bin
rommon 1 > boot bootflash:asr1000-universalk9.17.06.06a.SPA.bin
ROUTER01#show version
ROUTER01#show platform
ROUTER01#show hw-programmable all
ROUTER01#show boot
ROUTER01#show run | in boot
ROUTER01(config)#boot system flash bootflash:/asr1000-universalk9.17.06.06a.SPA.bin
ROUTER01(config)#do show boot
ROUTER01(config)#do show run | in boot
ROUTER01(config)#no boot system flash bootflash:/asr1000-universalk9.17.06.05.SPA.bin
ROUTER01(config)#do show boot
ROUTER01(config)#do show run | in boot
ROUTER01(config)#config-reg 0x2102
ROUTER01(config)#do wr
ROUTER01(config)#do reboot
ROUTER01(config)#router bgp 65307
ROUTER01(config-router)#no neighbor 10.122.109.69 shutdown graceful 120 community 1600
ROUTER01(config-router)#do wr

Friday, November 10, 2023

Office Note

ASR-1002HX
show platform (check rommon)
show hw-programmable (check CPLD & FPGA)

ip tftp source gi0/0/0 (to upload cisco image)

ASR-1002HX IOS image upgrade example:
conf t
show boot (check new image followed by old image)
no boot system (delete if there is any wrong image)
copy run start (save config)
boot system bootflash:/asr1000-universalk9.17.06.04.SPA.bin (boot with desired image)
reload (restart)

Thursday, November 9, 2023

IPsec VPNs with Crypto Maps

Test IPsec VPN

1. Assign IP addresses on all routers
R1
conf t
hostname R1
int lo0
ip add 1.1.1.1 255.255.255.255

int e0/0
ip add 192.168.12.1 255.255.255.0
no sh

R2
conf t
hostname R2
int e0/0
ip add 192.168.12.2 255.255.255.0
no sh

int e0/1
ip add 192.168.23.2 255.255.255.0
no sh

R3
conf t
hostname R3
int lo0
ip add 3.3.3.3 255.255.255.255

int e0/0
ip add 192.168.23.3 255.255.255.0
no sh

2. Configure OSPF on all routers
R1
router ospf 100
router-id 1.1.1.1
network 0.0.0.0 0.0.0.0 area 0

R2
router ospf 100
router-id 2.2.2.2
network 0.0.0.0 0.0.0.0 area 0

R3
router ospf 100
router-id 3.3.3.3
network 0.0.0.0 0.0.0.0 area 0

3. Configure an IPSEC connection between R1 and R3
Create an ISAKMP policy:
Authentication: pre-shared-key
Encryption: AES 256
Hashing: SHA
DH: Group 5
Lifetime: 3600

R1 and R3
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600

4. Configure the pre-shared-key “VAULT” which you will use for the IPSEC connection
R1
crypto isakmp key VAULT address 192.168.23.3

R3
crypto isakmp key VAULT address 192.168.12.1

5. Configure the IPSEC transform-set:
Cipher: AES 256
ESP (Encapsulating Security Payload)
Hashing: SHA

R1 & R3
crypto ipsec transform-set MYTRANS esp-aes 256 esp-sha-hmac

6. Change the IPSEC security association lifetime to 1800 seconds.
R1 & R3
crypto ipsec security-association lifetime seconds 1800

7. You need to encrypt traffic from R1’s Loopback0 interface destined to R3’s Loopback0 interface. Create the correct access-list.
R1
access-list 100 permit ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0

R3
access-list 100 permit ip 3.3.3.3 0.0.0.0 1.1.1.1 0.0.0.0

8. Create the correct crypto-map to finish the IPSEC configuration.
R1
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.23.3
set security-association lifetime seconds 1800
set transform-set MYTRANS
set pfs group5
match address 100

int e0/0
crypto map MYMAP

R3
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.12.1
set security-association lifetime seconds 1800
set transform-set MYTRANS
set pfs group5
match address 100

int e0/0
crypto map MYMAP

9. Verify the IPSEC configuration. You can use the following show/debug commands:
show crypto isakmp sa
show crypto ipsec sa
show crypto ipsec transform-set
show crypto map
show access-list
debug crypto isakmp

R1#ping 3.3.3.3 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/5/6 ms
R1#

R3#ping 1.1.1.1 so l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
R3#

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.23.3    192.168.12.1    QM_IDLE           1001 ACTIVE
IPv6 Crypto ISAKMP SA
R1#

R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.23.3    192.168.12.1    QM_IDLE           1001 ACTIVE
IPv6 Crypto ISAKMP SA
R3#
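
Added example (not part of the original lab notes): a Python check that the two crypto-map peers from steps 3-8 agree with each other before the tunnel is tested. The helper names parse and audit and the WEAK_DH policy set are assumptions made for this example; the R1 text is constructed from the commands above.

```python
import re

# Constructed input: R1's crypto commands from steps 3-8, trimmed to what is checked.
R1 = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key VAULT address 192.168.23.3
crypto ipsec transform-set MYTRANS esp-aes 256 esp-sha-hmac
access-list 100 permit ip 1.1.1.1 0.0.0.0 3.3.3.3 0.0.0.0
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.23.3
 set transform-set MYTRANS
 set pfs group5
 match address 100
"""
# R3 is the same configuration with the peer address and the ACL ends swapped.
R3 = (R1.replace("192.168.23.3", "192.168.12.1")
        .replace("1.1.1.1 0.0.0.0 3.3.3.3", "3.3.3.3 0.0.0.0 1.1.1.1"))
WEAK_DH = {"1", "2", "5"}  # assumption: local policy treats these MODP groups as legacy

def parse(cfg):
    """Pull out the fields both ends of the tunnel must agree on."""
    one = lambda pat: (re.search(pat, cfg, re.M) or [None, None])[1]
    acl = re.search(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    return {
        "peer": one(r"^\s*set peer (\S+)"),
        "key_peers": re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M),
        "psk": one(r"^crypto isakmp key (\S+) address"),
        "ike": (one(r"^\s*encr (.+)$"), one(r"^\s*authentication (\S+)"), one(r"^\s*group (\d+)")),
        "transform": one(r"^crypto ipsec transform-set \S+ (.+)$"),
        "pfs": one(r"^\s*set pfs group(\d+)"),
        "acl": acl.groups() if acl else None,
    }

def audit(cfg_a, cfg_b):
    """Return findings for a pair of crypto-map peers; the PSK itself is never printed."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for name, side in (("A", a), ("B", b)):
        if side["peer"] not in side["key_peers"]:
            out.append(f"{name}: no isakmp key for peer {side['peer']}")
    if not a["acl"] or not b["acl"] or a["acl"] != b["acl"][2:] + b["acl"][:2]:
        out.append("crypto ACLs are not mirror images")
    out += [f"mismatch: {f}" for f in ("psk", "ike", "transform", "pfs") if a[f] != b[f]]
    weak = {a["ike"][2], a["pfs"], b["ike"][2], b["pfs"]} & WEAK_DH
    return out + [f"weak: DH group {g}" for g in sorted(weak)]

if __name__ == "__main__":
    print(audit(R1, R3))
```

For the lab configuration the only finding is the DH group 5 choice in the ISAKMP policy and the PFS setting; moving both ends to a larger group clears it.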