B IR1101config

Download as pdf or txt
Download as pdf or txt
You are on page 1of 424

Cisco Catalyst IR1101 Rugged Series Router Software Configuration

Guide
First Published: 2018-05-18
Last Modified: 2022-12-19

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2018–2022 Cisco Systems, Inc. All rights reserved.
Full Cisco Trademarks with Software License
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL
ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND
RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED
WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL
RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT
ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND
ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE
FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the
University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating
system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE
OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE
ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST
PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE
THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual
addresses and phone numbers. Any examples, command display output, network topology diagrams, and
other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses
or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current
online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at
www.cisco.com/go/offices.
The documentation set for this product strives to use bias-free language. For purposes of this documentation
set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial
identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be
present in the documentation due to language that is hardcoded in the user interfaces of the product software,
language used based on standards documentation, or language that is used by a referenced third-party product.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and
other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/
legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use
of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


iii
Full Cisco Trademarks with Software License
Full Cisco Trademarks with Software License

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


iv
CHAPTER 1
Introduction
The Cisco Catalyst IR1101 Rugged Series Router is a next generation modular industrial router which has a
Base module with additional Pluggable Modules that can be added. The Pluggable Module provides the
flexibility of adding different interfaces to the IR1101 platform.

Note The documentation set for this product strives to use bias-free language. For purposes of this
documentation set, bias-free is defined as language that does not imply discrimination based on age,
disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and
intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in
the user interfaces of the product software, language used based on RFP documentation, or language
that is used by a referenced third-party product.

The IR1101 also has two Expansion Modules that add key capabilities such as dual LTE Pluggables, mSATA
SSD FRU, SFP, additional ethernet and async ports,and Digital GPIO connections.
The IR1101 is the first IoT platform to run the Cisco IOS-XE operating system. IOS-XE is a Linux based OS
that comes with many enhancements and more features compared to the classic IOS version.
This secion of the guide also includes:

IR1101 Base Router


The following figure shows the front panel of the IR1101 and highlights some of its capabilities:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


1
Introduction

Figure 1: IR1101 Front Panel

Table 1: Front Panel Descriptions

Item Description

1 SFP GigE WAN Port (Combo port of #3 below)

2 Type A USB 2.0 Host Port

3 RJ45 GigE WAN Port (Combo port of #1 above)

4 Asynchronous Serial Port (DTE only)

5 RJ45 Fast Ethernet LAN Ports

6 Grounding Point (On side of device)

7 DC Power and Alarm Input

8 Type B Mini-USB Console Port

9 Reset Button

10 Pluggable Module Slot (ex. 4G/LTE module)

IRM-1100 Expansion Modules


The Expansion Module comes in two types:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


2
Introduction

• IRM-1100-SPMI
• IRM-1100-SP

The following figure shows the front panel of the IRM-1100-SPMI and highlights some of its capabilities:
Figure 2: IR-1100-SPMI Expansion Module Details

Item Description

1 4 GPIO + 1 Return (Digital I/O)


Note Functionality is available on Cisco IOS-XE release 16.12.1 and above.

2 SFP Connector

3 Pluggable Module

4 mSATA SSD Slot

5 Digital I/O LEDs

The IR-1100-SP Expansion Module is the same as the IR-1100-SPMI module, without the Digital I/O and
mSATA components.
More information can be found in IRM-1101 Expansion Module, on page 281.
Complete details on the IR1101 can be found in the product data sheet.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


3
Introduction
Accessing the CLI Using a Router Console

IRM-1100-4A2T Expansion Module


The IRM-1100-4A2T is an expansion module that can be attached to the IR1101. It offers an additional four
asynchronous serial ports and two Ethernet interfaces to the IR1101. The following graphic shows the
IRM-1100-4A2T.

The IRM-1100-4A2T Ethernet interfaces are Layer 2 RJ45 10/100/1000 Mbps ports.
The IRM-1100-4A2T serial ports are RJ45 combo ports (RS232/RS485/RS422).
The IR1101 has two sides that expansion modules mount to. The top is called the Expansion side, and the
bottom is called the Compute side. If the additional module is connected to the top, then it is referenced as
the Expansion Module (EM) side. If the additional module is connected on the bottom, then it is referenced
as the Compute Module (CM) side. Functionality differs depending on which side the expansion module is
attached to, and how many and type of expansion modules are in use.
The IRM-1100-4A2T can be managed from the following tools:
• Cisco DNA Center
• WebUI

More information can be found in IRM-1100-4A2T Expansion Module, on page 293.


• Accessing the CLI Using a Router Console, on page 4
• Accessing the CLI from a Remote Console , on page 7
• CLI Session Management, on page 9

Accessing the CLI Using a Router Console


Cisco IR1101 routers have console port with only USB support. The console cable (Cisco P/N
CAB-CONSOLE-USB, 6ft long) is not included and must be ordered.
The console port is a USB 2.0 mini USB Type B connector which is located on the front panel of the chassis.
The default baud rate is 9600.
If your laptop or PC warns you that you do not have the proper drivers to communicate with the router, you
can obtain them from your computers manufacturer, or go here: https://www.silabs.com/products/
development-tools/software/usb-to-uart-bridge-vcp-drivers
On a device fresh from the factory, you are greeted with a System Configuration Dialog where you respond
to basic configuration questions. If the router was ordered for the use of Cisco PnP connect services, in the
case of centralized provisioning, the router skips the initial dialog. The following is an example:
--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: yes

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


4
Introduction
Accessing the CLI Using a Router Console

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Basic management setup configures only enough connectivity


for management of the system, extended setup will ask you
to configure each interface on the system

Would you like to enter basic management setup? [yes/no]: yes


Configuring global parameters:

Enter host name [Router]: <your-host-name>

The enable secret is a password used to protect access to


privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: <your-password>

The enable password is used when you do not specify an


enable secret password, with some older software versions, and
some boot images.
Enter enable password: <your-password>

The virtual terminal password is used to protect


access to the router over a network interface.
Enter virtual terminal password: <your-password>
Setup account for accessing HTTP server? [yes]: <return>
Username [admin]: <your-username>
Password [cisco]: <your-password>
Password is UNENCRYPTED.
Configure SNMP Network Management? [no]: <return>

Current interface summary

Any interface listed with OK? value "NO" does not have a valid configuration

Interface IP-Address OK? Method Status Protocol


GigabitEthernet0/0/0 unassigned NO unset up up
FastEthernet0/0/1 unassigned YES unset down down
FastEthernet0/0/2 unassigned YES unset down down
FastEthernet0/0/3 unassigned YES unset down down
FastEthernet0/0/4 unassigned YES unset up up
Async0/2/0 unassigned YES unset up down
Vlan1 unassigned YES unset up up

Note Names and IP addresses in this next section are shown as examples.

Enter interface name used to connect to the


management network from the above interface summary: vlan1

Configuring interface Vlan1:


Configure IP on this interface? [no]: yes
IP address for this interface: 192.168.1.1
Subnet mask for this interface [255.255.255.0] : <return>
Class C network is 192.168.1.0, 24 subnet bits; mask is /24

Would you like to configure DHCP? [yes/no]: yes


Enter DHCP pool name: wDHCPool

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


5
Introduction
Accessing the CLI Using a Router Console

Enter DHCP network: 192.168.1.0


Enter DHCP netmask: 255.255.255.0
Enter Default router: 192.168.1.1

The following configuration command script was created:

hostname <your-hostname>
enable secret 9 $9$Z6fl74fvoEdMgU$XZYs8l4phbqpXsb48l9bzCng3u4Bc2kh1STsoLoHNes
enable password <your-enable-password>
line vty 0 4
password <your-password>
username <your-username> privilege 15 password <your-password>
no snmp-server
!
!
interface GigabitEthernet0/0/0
shutdown
no ip address
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface FastEthernet0/0/4
!
interface Vlan1
no shutdown
ip address 192.168.1.1 255.255.255.0
no mop enabled
ip dhcp pool wDHCPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
end

[0] Go to the IOS command prompt without saving this config.


[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2


Building configuration...

[OK]
Use the enabled mode 'configure' command to modify this configuration.

Press RETURN to get started! <return>

*Jul 27 21:35:24.369: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named TP-self-signed-3211716068


has been generated or imported by crypto-engine
*Jul 27 21:35:24.372: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Jul 27 21:35:24.448: %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write
memory" to save new IOS PKI configuration
*Jul 27 21:35:24.532: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named
TP-self-signed-3211716068.server has been generated or imported by crypto-engine
hostname>

The device now has a basic configuration that you can build upon.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


6
Introduction
Using the Console Interface

Using the Console Interface

Step 1 Enter the following command:


Router > enable

Step 2 (Go to Step 3 if the enable password has not been configured.) At the password prompt, enter your system password:
Password: enablepass

When your password is accepted, the privileged EXEC mode prompt is displayed.
Router#

You now have access to the CLI in privileged EXEC mode and you can enter the necessary commands to complete your
desired tasks.

Step 3 To exit the console session, enter the quit command:


Router# quit

Accessing the CLI from a Remote Console


The remote console of the IR1101 can be accessed through Telnet or the more secure SSH. Details on telnet
access follow in this chapter. For details on SSH access see the SSH chapter.
The following topics describe the procedure to access the CLI from a remote console:

Preparing to Connect to the Router Console Using Telnet


See the Cisco IOS-XE Device hardening guide at https://www.cisco.com/c/en/us/support/docs/ip/access-lists/
13608-21.html for details.
Configuring the diagnostic and wait banners is optional, but recommended. The banners are especially useful
as indicators to users about the status of their Telnet or SSH attempts.
To access the router remotely using Telnet from a TCP/IP network, configure the router to support virtual
terminal lines using the line vty global configuration command. Configure the virtual terminal lines to require
users to log in and specify a password.
See the Cisco IOS Terminal Services Command Reference document for more information about the line vty
global configuration command.
To prevent disabling login on a line, specify a password with the password command when you configure
the login command.
If you are using authentication, authorization, and accounting (AAA), configure the login authentication
command. To prevent disabling login on a line for AAA authentication when you configure a list with the
login authentication command, you must also configure that list using the aaa authentication login global
configuration command.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


7
Introduction
Using Telnet to Access a Console Interface

For more information about AAA services, see the Cisco IOS XE Security Configuration Guide: Secure
Connectivity and the Cisco IOS Security Command Reference documents. For more information about the
login line-configuration command, see the Cisco IOS Terminal Services Command Reference document.
In addition, before you make a Telnet connection to the router, you must have a valid hostname for the router
or have an IP address configured on the router. For more information about the requirements for connecting
to the router using Telnet, information about customizing your Telnet services, and using Telnet key sequences,
see the Cisco IOS Configuration Fundamentals Configuration Guide.

Using Telnet to Access a Console Interface

Step 1 From your terminal or PC, enter one of the following commands:
• connect host [port] [keyword]
• telnet host [port] [keyword]

Here, host is the router hostname or IP address, port is a decimal port number (23 is the default), and keyword is a
supported keyword. For more information about these commands, see the Cisco IOS Terminal Services Command
Reference document.
Note If you are using an access server, specify a valid port number, such as telnet 172.20.52.40 2004, in addition to
the hostname or IP address.

The following example shows how to use the telnet command to connect to a router named router:
unix_host% telnet router
Trying 172.20.52.40...
Connected to 172.20.52.40.
Escape character is '^]'.
unix_host% connect

Step 2 Enter your login password:


User Access Verification
Password: mypassword

Note If no password has been configured, press Return.

Step 3 From user EXEC mode, enter the enable command:


Router> enable

Step 4 At the password prompt, enter your system password:


Password: enablepass

Step 5 When the enable password is accepted, the privileged EXEC mode prompt is displayed:
Router#

Step 6 You now have access to the CLI in privileged EXEC mode and you can enter the necessary commands to complete your
desired tasks.
Step 7 To exit the Telnet session, use the exit or logout command.
Router# logout

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


8
Introduction
CLI Session Management

CLI Session Management


An inactivity timeout is configurable and can be enforced. Session locking provides protection from two users
overwriting changes that the other has made. To prevent an internal process from using all the available
capacity, some spare capacity is reserved for CLI session access. For example, this allows a user to remotely
access a router.

Information About CLI Session Management


An inactivity timeout is configurable and can be enforced. Session locking provides protection from two users
overwriting changes that each other has made. To prevent an internal process from using all the available
capacity, some spare capacity is reserved for CLI session access. For example, this allows a user to remotely
access the router.

Changing the CLI Session Timeout

Step 1 configure terminal

Enters global configuration mode

Step 2 line console 0


Step 3 session-timeout minutes

The value of minutes sets the amount of time that the CLI waits before timing out. Setting the CLI session timeout
increases the security of a CLI session. Specify a value of 0 for minutes to disable session timeout.

Step 4 show line console 0


Verifies the value to which the session timeout has been set, which is shown as the value for " Idle Session ".

Locking a CLI Session


Before you begin
To configure a temporary password on a CLI session, use the lock command in EXEC mode. Before you can
use the lock command, you need to configure the line using the lockable command. In this example the line
is configured as lockable, and then the lock command is used and a temporary password is assigned.

Step 1 Router# configure terminal

Enters global configuration mode.

Step 2 Enter the line upon which you want to be able to use the lock command.
Router(config)# line console 0

Step 3 Router(config)# lockable

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


9
Introduction
Locking a CLI Session

Enables the line to be locked.

Step 4 Router(config)# exit


Step 5 Router# lock
The system prompts you for a password, which you must enter twice.
Password: <password>
Again: <password>
Locked

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


10
CHAPTER 2
Using Cisco IOS XE Software
If your installation will make use of Cisco SDWAN technology, it is important to note that the Cisco IOS-XE
SDWAN image (cEdge) has different Commands modes, (for example Config-transaction, commit...).
IR1101 SDWAN features are aligned on cEdge IOS-XE 16.12.1 ones. Some features may not be available
on the IR1101, i.e. URL Filtering, IPS/IDS, and some IR1101 features may not be available from the SDWAN
image.
Be sure to review the SDWAN documentation here: https://www.cisco.com/c/en/us/support/routers/sd-wan/
tsd-products-support-series-home.html%0A
This chapter contains the following sections:
• Understanding Command Modes, on page 11
• Keyboard Shortcuts, on page 13
• Using the no and default Forms of Commands, on page 14
• Using the History Buffer to Recall Commands, on page 14
• Managing Configuration Files, on page 15
• Saving Configuration Changes, on page 15
• Filtering Output from the show and more Commands, on page 15
• Finding Support Information for Platforms and Cisco Software Images, on page 16

Understanding Command Modes


The command modes available in Cisco IOS XE are the same as those available in traditional Cisco IOS. Use
the CLI to access Cisco IOS XE software. Because the CLI is divided into many different modes, the commands
available to you at any given time depend on the mode that you are currently in. Entering a question mark (?)
at the CLI prompt allows you to obtain a list of commands available for each command mode.
When you log in to the CLI, you are in user EXEC mode. User EXEC mode contains only a limited subset
of commands. To have access to all commands, you must enter privileged EXEC mode, normally by using a
password. From privileged EXEC mode, you can issue any EXEC command—user or privileged mode—or
you can enter global configuration mode. Most EXEC commands are one-time commands. For example, show
commands show important status information, and clear commands clear counters or interfaces. The EXEC
commands are not saved when the software reboots.
Configuration modes allow you to make changes to the running configuration. If you later save the running
configuration to the startup configuration, these changed commands are stored when the software is rebooted.
To enter specific configuration modes, you must start at global configuration mode. From global configuration

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


11
Using Cisco IOS XE Software
Understanding Command Modes

mode, you can enter interface configuration mode and a variety of other modes, such as protocol-specific
modes.
ROM monitor mode is a separate mode used when the Cisco IOS XE software cannot load properly. If a valid
software image is not found when the software boots or if the configuration file is corrupted at startup, the
software might enter ROM monitor mode.
The following table describes how to access and exit various common command modes of the Cisco IOS XE
software. It also shows examples of the prompts displayed for each mode.

Table 2: Accessing and Exiting Command Modes

Command Mode Access Method Prompt Exit Method

User EXEC Log in. Router> Use the logout command.

Privileged EXEC From user EXEC mode, Router# To return to user EXEC
use the enable command. mode, use the disable
command.

Global configuration From privileged EXEC Router(config)# To return to privileged


mode, use the configure EXEC mode from global
terminal command. configuration mode, use
the exit or end command.

Interface configuration From global configuration Router(config-if)# To return to global


mode, specify an interface configuration mode, use
using an interface the exit command.
command.
To return to privileged
EXEC mode, use the end
command.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


12
Using Cisco IOS XE Software
Keyboard Shortcuts

Command Mode Access Method Prompt Exit Method

Diagnostic The router boots up or Router(diag)# If failure of the Cisco IOS


accesses diagnostic mode process is the reason for
in the following scenarios: entering diagnostic mode,
the Cisco IOS problem
• In some cases,
must be resolved and the
diagnostic mode will
router rebooted to get out
be reached when the
of diagnostic mode.
Cisco IOS process or
processes fail. In If the router is in
most scenarios, diagnostic mode because
however, the router of a transport-map
will reload. configuration, access the
router through another
• A user-configured port or by using a method
access policy is that is configured to
configured using the connect to the Cisco IOS
transport-map CLI.
command that directs
a user into diagnostic
mode.
• A break signal
(Ctrl-C,
Ctrl-Shift-6, or the
send break
command) is entered
and the router is
configured to go to
diagnostic mode
when the break
signal is received.

ROM monitor From privileged EXEC rommon#> To exit ROM monitor


mode, use the reload mode, manually boot a
EXEC command. Press valid image or perform a
the Break key during the reset with autoboot set so
first 60 seconds while the that a valid image is
system is booting. loaded.

Keyboard Shortcuts
Commands are not case sensitive. You can abbreviate commands and parameters if the abbreviations contain
enough letters to be different from any other currently available commands or parameters.
The following table lists the keyboard shortcuts for entering and editing commands.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


13
Using Cisco IOS XE Software
Using the no and default Forms of Commands

Table 3: Keyboard Shortcuts

Key Name Purpose

Ctrl-B or the Left Arrow key1 Move the cursor back one character.

Ctrl-F or the Right Arrow key1 Move the cursor forward one character.

Ctrl-A Move the cursor to the beginning of the command


line.

Ctrl-E Move the cursor to the end of the command line.

Esc B Move the cursor back one word.

Esc F Move the cursor forward one word.

Using the no and default Forms of Commands


Almost every configuration command has a no form. In general, use the no form to disable a function. Use
the command without the no keyword to re-enable a disabled function or to enable a function that is disabled
by default. For example, IP routing is enabled by default. To disable IP routing, use the no ip routing command;
to re-enable IP routing, use the ip routing command. The Cisco IOS software command reference publications
provide the complete syntax for the configuration commands and describe what the no form of a command
does.
Many CLI commands also have a default form. By issuing the <command> default command-name, you
can configure the command to its default setting. The Cisco IOS software command reference publications
describe the function from a default form of the command when the default form performs a different function
than the plain and no forms of the command. To see what default commands are available on your system,
enter default ? in the appropriate command mode.

Using the History Buffer to Recall Commands


The history buffer stores the last 20 commands you entered. History substitution allows you to access these
commands without retyping them, by using special abbreviated commands.
The following table lists the history substitution commands.

Table 4: History Substitution Commands

Command Purpose

Ctrl-P or the Up Arrow key1 Recalls commands in the history buffer, beginning
with the most recent command. Repeat the key
sequence to recall successively older commands.

Ctrl-N or the Down Arrow key1 Returns to more recent commands in the history buffer
after recalling commands with Ctrl-P or the Up
Arrow key.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


14
Using Cisco IOS XE Software
Managing Configuration Files

Command Purpose

Router# show history While in EXEC mode, lists the last few commands
you entered.
1
The arrow keys function only on ANSI-compatible terminals such as VT100s.

Managing Configuration Files


The startup configuration file is stored in the nvram: file system and the running configuration files are stored
in the system: file system. This configuration file storage setup is also used on several other Cisco router
platforms.
IOS XE provides encryption of the configuration file. Encryption is discussed in length in the IOS XE hardening
device guide which can be found here:https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
As a matter of routine maintenance on any Cisco router, users should back up the startup configuration file
by copying the startup configuration file from NVRAM to one of the router’s other file systems and,
additionally, to a network server. Backing up the startup configuration file provides an easy method of
recovering the startup configuration file if the startup configuration file in NVRAM becomes unusable for
any reason.
The copy command can be used to back up startup configuration files.
For more detailed information on managing configuration files, see the “Managing Configuration Files”
section in the Cisco IOS XE Configuration Fundamentals Configuration Guide.

Saving Configuration Changes


Use the copy running-config startup-config command to save your configuration changes to the startup
configuration so that the changes will not be lost if the software reloads or a power outage occurs. For example:
Router# copy running-config startup-config
Building configuration...

It may take a few minutes to save the configuration. After the configuration has been saved, the following
output is displayed:
[OK]
Router#

This task saves the configuration to the NVRAM.

Filtering Output from the show and more Commands


You can search and filter the output of show and more commands. This functionality is useful if you need to
sort through large amounts of output or if you want to exclude output that you need not see.
To use this functionality, enter a show or more command followed by the “pipe” character ( | ); one of the
keywords begin, include, or exclude; and a regular expression on which you want to search or filter (the
expression is case sensitive):

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


15
Using Cisco IOS XE Software
Finding Support Information for Platforms and Cisco Software Images

show command | {append | begin | exclude | include | redirect | section | tee} regular-expression
The output matches certain lines of information in the configuration file.

Example
In this example, a modifier of the show interface command (include protocol) is used to provide only the
output lines in which the expression protocol is displayed:
Router# show interface | include protocol
GigabitEthernet0/0/0 is administratively down, line protocol is down (disabled)
0 unknown protocol drops
FastEthernet0/0/1 is down, line protocol is down (notconnect)
0 unknown protocol drops
FastEthernet0/0/2 is down, line protocol is down (notconnect)
0 unknown protocol drops
FastEthernet0/0/3 is down, line protocol is down (notconnect)
0 unknown protocol drops
FastEthernet0/0/4 is down, line protocol is down (notconnect)
0 unknown protocol drops
GigabitEthernet0/0/5 is up, line protocol is up (connected)
0 unknown protocol drops
Cellular0/1/0 is up, line protocol is up
0 unknown protocol drops
Cellular0/1/1 is administratively down, line protocol is down
0 unknown protocol drops
Cellular0/3/0 is up, line protocol is up
0 unknown protocol drops
Cellular0/3/1 is administratively down, line protocol is down
0 unknown protocol drops
Async0/2/0 is up, line protocol is down
0 unknown protocol drops
Vlan1 is up, line protocol is up , Autostate Enabled
0 unknown protocol drops
Vlan172 is up, line protocol is down , Autostate Enabled
0 unknown protocol drops
Vlan175 is down, line protocol is down , Autostate Enabled
0 unknown protocol drops
IR1101#

Finding Support Information for Platforms and Cisco Software


Images
The Cisco IOS XE software is packaged in feature sets consisting of software images that support specific
platforms.
All of the Cisco IOS-XE configuration guides can be found here: https://www.cisco.com/c/en/us/support/
ios-nx-os-software/ios-xe-16/tsd-products-support-series-home.html
The group of feature sets that are available for a specific platform depends on which Cisco software images
are included in a release. To identify the set of software images available in a specific release or to find out
if a feature is available in a given Cisco IOS XE software image, you can use Cisco Feature Navigator or see
the https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xe-16/products-release-notes-list.html.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


16
Using Cisco IOS XE Software
Using Cisco Feature Navigator

Using Cisco Feature Navigator


Use Cisco Feature Navigator to find information about platform support and software image support. Cisco
Feature Navigator is a tool that enables you to determine which Cisco IOS XE software images support a
specific software release, feature set, or platform. To use the navigator tool, an account on Cisco.com is not
required.

Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help that is specific to a command mode, a command, a keyword, or an argument, use one of the
following commands.

Command Purpose

help Provides a brief description of the help system in any


command mode.

abbreviated-command-entry? Provides a list of commands that begin with a


particular character string.
Note There is no space between the command
and the question mark.

abbreviated-command-entry<Tab> Completes a partial command name.

? Lists all the commands that are available for a


particular command mode.

command ? Lists the keywords or arguments that you must enter


next on the command line.
Note There is a space between the command and
the question mark.

Finding Command Options: Example


This section provides information about how to display the syntax for a command. The syntax can consist of
optional or required keywords and arguments. To display keywords and arguments for a command, enter a
question mark (?) at the configuration prompt or after entering a part of a command followed by a space. The
Cisco IOS XE software displays a list and brief descriptions of the available keywords and arguments. For
example, if you are in global configuration mode and want to see all the keywords and arguments for the arap
command, you should type arap ?.
The <cr> symbol in command help output stands for carriage return. On older keyboards, the carriage return
key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The <cr> symbol
at the end of command help output indicates that you have the option to press Enter to complete the command
and that the arguments and keywords in the list preceding the <cr> symbol are optional. The <cr> symbol by

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


17
Using Cisco IOS XE Software
Finding Command Options: Example

itself indicates that no more arguments or keywords are available, and that you must press Enter to complete
the command.
The following table shows examples of using the question mark (?) to assist you in entering commands.

Table 5: Finding Command Options

Command Comment
Router> enable Enter the enable command and password to access
Password: <password>
privileged EXEC commands. You are in privileged
Router#
EXEC mode when the prompt changes to a “ # ”
from the “ > ”, for example, Router> to Router#
Router# configure terminal Enter the configure terminal privileged EXEC
Enter configuration commands, one per line. End
command to enter global configuration mode. You
with CNTL/Z.
Router(config)# are in global configuration mode when the prompt
changes to Router (config)#
Router(config)# interface GigabitEthernet ? Enter interface configuration mode by specifying
<0-0> GigabitEthernet interface number
the interface that you want to configure, using the
Router(config)# interface GigabitEthernet 0/? interface GigabitEthernet global configuration
<0-5> Port Adapter number command.
Router (config)# interface GigabitEthernet 0/0/? Enter ? to display what you must enter next on the
<0-63> GigabitEthernet interface number command line.
Router (config)# interface GigabitEthernet When the <cr> symbol is displayed, you can press
0/0/0? Enter to complete the command.
. <0-71>
You are in interface configuration mode when the
Router(config-if)# prompt changes to Router(config-if)#

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


18
Using Cisco IOS XE Software
Finding Command Options: Example

Command Comment
Router(config-if)# ? Enter ? to display a list of all the interface
Interface configuration commands:
configuration commands available for the interface.
.
. This example shows only some of the available
. interface configuration commands.
ip Interface Internet
Protocol
config commands
keepalive Enable keepalive
lan-name LAN Name command
llc2 LLC2 Interface Subcommands

load-interval Specify interval for load


calculation
for an interface
locaddr-priority Assign a priority group
logging Configure logging for
interface
loopback Configure internal
loopback on an
interface
mac-address Manually set interface
MAC address
mls mls router sub/interface
commands
mpoa MPOA interface
configuration commands
mtu Set the interface
Maximum Transmission Unit
(MTU)
netbios Use a defined NETBIOS
access list
or enable
name-caching
no Negate a command or set
its defaults
nrzi-encoding Enable use of NRZI
encoding
ntp Configure NTP
.
.
.
Router(config-if)#

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


19
Using Cisco IOS XE Software
Finding Command Options: Example

Command Comment
Router(config-if)# ip ? Enter the command that you want to configure for
Interface IP configuration subcommands: the interface. This example uses the ip command.
access-group Specify access control
for packets Enter ? to display what you must enter next on the
accounting Enable IP accounting on
this interface
command line. This example shows only some of
address Set the IP address of an the available interface IP configuration commands.
interface
authentication authentication subcommands

bandwidth-percent Set EIGRP bandwidth limit

broadcast-address Set the broadcast address


of an interface
cgmp Enable/disable CGMP
directed-broadcast Enable forwarding of
directed broadcasts
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello
interval
helper-address Specify a destination
address for UDP broadcasts
hold-time Configures IP-EIGRP hold
time
.
.
.
Router(config-if)# ip

Router(config-if)# ip address ? Enter the command that you want to configure for
A.B.C.D IP address the interface. This example uses the ip address
negotiated IP Address negotiated over
PPP command.
Router(config-if)# ip address
Enter ? to display what you must enter next on the
command line. In this example, you must enter an
IP address or the negotiated keyword.
A carriage return (<cr>) is not displayed. Therefore,
you must enter additional keywords or arguments
to complete the command.
Router(config-if)# ip address 172.16.0.1 ? Enter the keyword or argument that you want to
A.B.C.D IP subnet mask use. This example uses the 172.16.0.1 IP address.
Router(config-if)# ip address 172.16.0.1
Enter ? to display what you must enter next on the
command line. In this example, you must enter an
IP subnet mask.
<cr> is not displayed. Therefore, you must enter
additional keywords or arguments to complete the
command.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


20
Using Cisco IOS XE Software
Using Software Advisor

Command Comment
Router(config-if)# ip address 172.16.0.1 Enter the IP subnet mask. This example uses the
255.255.255.0 ? 255.255.255.0 IP subnet mask.
secondary Make this IP address a
secondary address Enter ? to display what you must enter next on the
<cr>
Router(config-if)# ip address 172.16.0.1
command line. In this example, you can enter the
255.255.255.0 secondary keyword, or you can press Enter.
<cr> is displayed. Press Enter to complete the
command, or enter another keyword.
Router(config-if)# ip address 172.16.0.1 Press Enter to complete the command.
255.255.255.0
Router(config-if)#

Using Software Advisor


Cisco maintains the Software Advisor tool. See Tools and Resources. Use the Software Advisor tool to see
if a feature is supported in a Cisco IOS XE release, to locate the software document for that feature, or to
check the minimum software requirements of Cisco IOS XE software with the hardware installed on your
router. You must be a registered user on Cisco.com to access this tool.

Using Software Release Notes


See the release notes for information about the following:
• Memory recommendations
• Open and resolved severity 1 and 2 caveats

Release notes are intended to be release-specific for the most current release, and the information provided
in these documents may not be cumulative in providing information about features that first appeared in
previous releases. For cumulative feature information, refer to the Cisco Feature Navigator at:
http://www.cisco.com/go/cfn/.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


21
Using Cisco IOS XE Software
Using Software Release Notes

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


22
CHAPTER 3
Basic Router CLI Configuration
This chapter contains the following sections:
• IR1101 Interface Naming, on page 23
• Basic Configuration, on page 24
• Configuring Global Parameters, on page 28
• Configuring the Gigabit Ethernet Interface, on page 28
• Support for sub-interface on GigabitEthernet0/0/0, on page 29
• Configuring a Loopback Interface, on page 30
• Enabling Cisco Discovery Protocol, on page 31
• Configuring Command-Line Access, on page 31
• Configuring Static Routes, on page 33
• Configuring Dynamic Routes, on page 34
• Modular QoS (MQC), on page 36
• Configuring the Serial Interface, on page 36

IR1101 Interface Naming


The supported hardware interfaces and their naming conventions are in the following table:

Hardware Interface Naming Convention

Gigabit Ethernet combo port gigabitethernet 0/0/0

Fast Ethernet ports fastethernet0/0/1-0/0/4

Cellular Interface cellular 0/1/0 and cellular 0/1/1

Asynchronous Serial Interface async 0/2/0

USB usbflash0:

mSATA msata

IR1101 Base Unit Alarm input alarm contact 0

Interface names for the different expansion modules are found in the following chapters:
• IRM-1100-4A2T Expansion Module, on page 293

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


23
Basic Router CLI Configuration
Basic Configuration

• IRM-1101 Expansion Module, on page 281

Basic Configuration
The basic configuration is a result of the entries you made during the initial configuration dialog. This means
the router has at least one interface set with an IP address to be reachable, either through WebUI or to allow
the PnP process to work. Use the show running-config command to view the initial configuration, as shown
in the following example:
Router# show running-config
Building configuration...

Current configuration : 8079 bytes


!
! Last configuration change at 17:33:19 GMT Tue Jun 25 2019
!
version 16.12
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service internal
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname IR1101
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone GMT 0 0
call-home
! If contact email address in call-home is configured as [email protected]
! the email address configured in Cisco Smart License Portal will be used as contact email
address to send SCH notifications.
contact-email-addr [email protected]
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
ip name-server 171.70.168.183 198.224.173.135 8.8.8.8
no ip domain lookup
ip domain name cisco.com
!
login on-success log
ipv6 unicast-routing
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
chat-script hspa-R7 "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-756885843
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-756885843

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


24
Basic Router CLI Configuration
Basic Configuration

revocation-check none
rsakeypair TP-self-signed-756885843
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
crypto pki certificate chain TP-self-signed-756885843
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37353638 38353834 33301E17 0D313930 35333130 30303530
385A170D 33303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3735 36383835
38343330 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 82010A02
82010100 D2F61742 3B651909 95856431 9BC2CCB7 D4B04861 DD6E0924 4C3E6A51
8BF2ABD9 5C3A597D 2EE0112C ECA615AA D0297F9E 071B6B5D 9B831332 021E61F4
2352EEC9 EE70742E 46EFBAFC A03744D8 A22E4DA3 AAF919CC 0A7929A7 3BDB3B17
C04DA5B9 028DD3EC 992493A6 EA864ED6 354CB3F4 094D3EBF 5307CAA3 192B5759
E458712D 841A43CD 709D4D9E 72A9DE3E F935A688 59B6F278 65B59EE0 6B72469E
7B97582A 64E511A6 D81735FF 117CE399 4C2A2973 F5FD407D BCEB62A6 FD7C6B08
882E0749 ACE5BD44 32634790 3607ADEA 9F319343 4CA76B0D B1DE6A1C AD144548
E38119E2 8B34F7AC 090C0450 03166B42 8C7C9EA7 5132687F E1F7BF6E B065CD4E
889F02BB 02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F
0603551D 23041830 16801405 77954127 36509205 7025CF4E 84B5D4A2 A3D53730
1D060355 1D0E0416 04140577 95412736 50920570 25CF4E84 B5D4A2A3 D537300D
06092A86 4886F70D 01010505 00038201 01004147 49C6A0A9 56F5BD4D 4892AEE0
22955E06 AF192FA6 868D5556 959ACF05 398F3907 DFE3148B 0E2CFC12 20BEEA05
DC23E8D7 A47DB4AE D6CB6665 BCAE7F39 24D010F0 DB8F0E70 5E7C3F73 25AB1783
1346D540 47BB7E89 2BB1BE4D 16990318 A4612CC5 C7CC9376 7DF1A1F4 C09C0051
4D950D99 3CC0C65B 0A98859A 3B81E324 BAB34EDF 64CA8C38 184DC796 47DDD9DD
F71F8D5E D3B7A962 3D0FDE44 012AC034 D0E7F75A DB1BF12A CF23E2F5 6A4FDA14
A588DCDA 8272CE33 36ABC57A BFF52980 5FFC7C34 4D4307BB AC0C0F18 AA783B9D
27C61E89 0EC1C6AA 6AB3F73B EF8450FD 782DFC63 038F6A27 456CA32B D3FEDB97
C8064523 EBB93FF5 8B98B546 44F853E9 0E04
quit
!
license udi pid IR1101-K9 sn FCW222700KS

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


25
Basic Router CLI Configuration
Basic Configuration

diagnostic bootup level minimal


!
spanning-tree extend system-id
memory free low-watermark processor 50357
file prompt quiet
!
!
username cisco privilege 15 password 0 cisco
username lab password 0 lab123
!
redundancy
!
!
controller Cellular 0/1/0
no lte firmware auto-sim
lte modem link-recovery disable
!
controller Cellular 0/3/0
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
!
interface FastEthernet0/0/1
switchport access vlan 192
switchport mode access
!
interface FastEthernet0/0/2
switchport access vlan 172
switchport mode access
!
interface FastEthernet0/0/3
switchport access vlan 172
!
interface FastEthernet0/0/4
switchport mode access
!
interface GigabitEthernet0/0/5
!
interface Cellular0/1/0
ip address negotiated
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer watch-group 1
ipv6 enable
pulse-time 1
ip virtual-reassembly
!
interface Cellular0/1/1
no ip address
shutdown
!
interface Cellular0/3/0
ip address negotiated
dialer in-band
dialer idle-timeout 0
dialer watch-group 2
ipv6 enable
pulse-time 1
ip virtual-reassembly

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


26
Basic Router CLI Configuration
Basic Configuration

!
interface Cellular0/3/1
no ip address
shutdown
!
interface Vlan1
ip address 192.168.10.15 255.255.255.0
!
interface Vlan172
ip address 172.27.167.121 255.255.255.128
!
interface Vlan175
ip address 175.1.1.1 255.255.255.0
!
interface Async0/2/0
no ip address
encapsulation scada
!
ip default-gateway 172.27.167.1
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.27.167.1
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
ip route 0.0.0.0 0.0.0.0 Cellular0/3/0 253
ip route 8.8.4.0 255.255.255.0 Cellular0/3/0
ip route 171.70.0.0 255.255.0.0 172.27.167.1
ip route 192.1.1.0 255.255.255.0 Cellular0/1/0
ip route 192.168.193.0 255.255.255.0 192.168.10.1
!
!
ip access-list standard 1
10 permit any
dialer watch-list 1 ip 5.6.7.8 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer watch-list 2 ip 5.6.7.8 255.255.255.255
dialer watch-list 2 delay route-check initial 60
dialer watch-list 2 delay connect 1
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 route ::/0 Cellular0/1/0
!
!
snmp-server community public RO
snmp-server community private RW
snmp-server host 171.70.127.43 version 2c public
snmp-server host 172.27.167.220 version 2c public
snmp-server manager
!
control-plane
!
line con 0
exec-timeout 0 0
stopbits 1
speed 115200
line 0/0/0
line 0/2/0
line vty 0 4
exec-timeout 0 0
password cisco
login

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


27
Basic Router CLI Configuration
Configuring Global Parameters

transport input none


!
!
end

IR1101#

Configuring Global Parameters


To configure global parameters for your router, follow these steps.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode when using the console
port.
Example:
Use the following to connect to the router with a remote
Router> enable terminal:
Router# configure terminal
Router(config)# telnet router-name or address
Login: login-id
Password: *********
Router> enable

Step 2 hostname name Specifies the name for the router.


Example:

Router(config)# hostname Router

Step 3 enable password password Specifies a password to prevent unauthorized access to the
router.
Example:
Note In this form of the command, password is not
Router(config)# enable password cr1ny5ho encrypted. To encrypt the password use enable
secret password as noted in the previously
mentioned Device Hardening Guide.

Configuring the Gigabit Ethernet Interface


The default configuration for the Gigabit Ethernet Interface (GI0/0/0) on the IR1101 is Layer 3 (L3). It is
possible to configure the interface as a Layer 2 (L2) interface. The Gigabit Ethernet Interface on the IR1101
is a combo port, which means it is a RJ45+SFP connector.
The IRM-1100-SPMI Expansion Module also has an SFP port. The Gigabit Ethernet Interface (GI0/0/5) on
the IRM-1100-SPMI is Layer 2 (L2) only. This means you can assign this port to any vlan (switchport acc
vlan #) and use the SVI interface. You cannot assign an ip address directly under this port.
The correct connector must be selected, refer to the Cisco Catalyst IR1101 Rugged Series Router Hardware
Installation Guide.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


28
Basic Router CLI Configuration
Support for sub-interface on GigabitEthernet0/0/0

To manually define the Gigabit Ethernet interface, follow these steps, beginning from global configuration
mode.

Procedure

Command or Action Purpose


Step 1 interface GigabitEthernet slot/bay/port Enters the configuration mode for an interface on the router.
Example:

Router(config)# interface GigabitEthernet 0/0/0

Step 2 ip address ip-address mask Sets the IP address and subnet mask for the specified
interface. Use this Step if you are configuring an IPv4
Example:
address.
Router(config-if)# ip address 192.168.12.2
255.255.255.0

Step 3 ipv6 address ipv6-address/prefix Sets the IPv6 address and prefix for the specified interface.
Use this step instead of Step 2, if you are configuring an
Example:
IPv6 address. IPv6 unicast-routing needs to be set-up as
well, see further information in the IPv6 Addressing and
Router(config-if)# ipv6 address
2001.db8::ffff:1/128
Basic Connectivity Configuration Guide located here:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_
basic/configuration/xe-16-10/ip6b-xe-16-10-book/
read-me-first.html

Step 4 ipv6 unicast-routing Enables forwarding of IPv6 unicast data packets.


Example:

Router (config)# ipv6 unicast-routing

Step 5 no shutdown Enables the interface and changes its state from
administratively down to administratively up.
Example:

Router(config-if)# no shutdown

Step 6 exit Exits the configuration mode of interface and returns to the
global configuration mode.
Example:

Router(config-if)# exit

Support for sub-interface on GigabitEthernet0/0/0


Cisco IOS-XE release 16.11.1 and above supports sub-interfaces and dot1q configuration on the g0/0/0
interface. For example:

Router(config)#interface g0/0/0 ?
<1-4294967295> GigabitEthernet interface number

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


29
Basic Router CLI Configuration
Configuring a Loopback Interface

Router(config-subif)#encapsulation ?
dot1Q IEEE 802.1Q Virtual LAN

Configuring a Loopback Interface


Before you begin
The loopback interface acts as a placeholder for the static IP address and provides default routing information.
To configure a loopback interface, follow these steps.

Procedure

Command or Action Purpose


Step 1 interface type number Enters configuration mode on the loopback interface.
Example:

Router(config)# interface Loopback 0

Step 2 (Option 1) ip address ip-address mask Sets the IP address and subnet mask on the loopback
interface. (If you are configuring an IPv6 address, use the
Example:
ipv6 address ipv6-address/prefix command described
below.
Router(config-if)# ip address 10.108.1.1
255.255.255.0

Step 3 (Option 2) ipv6 address ipv6-address/prefix Sets the IPv6 address and prefix on the loopback interface.
Example:

Router(config-if)# ipv6 address


2001:db8::ffff:1/128

Step 4 exit Exits configuration mode for the loopback interface and
returns to global configuration mode.
Example:

Router(config-if)# exit

Example
Verifying Loopback Interface Configuration
Enter the show interface loopback command. You should see an output similar to the following
example:

Router# show interface loopback 0


Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 192.0.2.0/16
MTU 1514 bytes, BW 8000000 Kbit, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


30
Basic Router CLI Configuration
Enabling Cisco Discovery Protocol

Encapsulation LOOPBACK, loopback not set


Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/0, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

Alternatively, use the ping command to verify the loopback interface, as shown in the following
example:

Router# ping 192.0.2.0


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.0, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Enabling Cisco Discovery Protocol


Cisco Discovery Protocol (CDP) is enabled by default on the router. It may be disabled if needed for security
purposes.
For more information on using CDP, see Cisco Discovery Protocol Configuration Guide, Cisco IOS XE
Release 3S.

Configuring Command-Line Access


To configure parameters to control access to the router, follow these steps.

Note Transport input must be set as explained in the previous Telnet and SSH sections of the guide.

Procedure

Command or Action Purpose


Step 1 line [aux | console | tty | vty] line-number Enters line configuration mode, and specifies the type of
line.
Example:
The example provided here specifies a console terminal for
Router(config)# line console 0 access.

Step 2 password password Specifies a unique password for the console terminal line.
Example:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


31
Basic Router CLI Configuration
Configuring Command-Line Access

Command or Action Purpose

Router(config-line)# password 5dr4Hepw3

Step 3 login Enables password checking at terminal session login.


Example:

Router(config-line)# login

Step 4 exec-timeout minutes [seconds] Sets the interval during which the EXEC command
interpreter waits until user input is detected. The default is
Example:
10 minutes. Optionally, adds seconds to the interval value.
Router(config-line)# exec-timeout 5 30 The example provided here shows a timeout of 5 minutes
Router(config-line)# and 30 seconds. Entering a timeout of 0 0 specifies never
to time out.

Step 5 exit Exits line configuration mode to re-enter global


configuration mode.
Example:

Router(config-line)# exit

Step 6 line [aux | console | tty | vty] line-number Specifies a virtual terminal for remote console access.
Example:

Router(config)# line vty 0 4


Router(config-line)#

Step 7 password password Specifies a unique password for the virtual terminal line.
Example:

Router(config-line)# password aldf2ad1

Step 8 login Enables password checking at the virtual terminal session


login.
Example:

Router(config-line)# login

Step 9 end Exits line configuration mode, and returns to privileged


EXEC mode.
Example:

Router(config-line)# end

Example
The following configuration shows the command-line access commands. Note that transport input
none is the default, but if SSH is enabled this must be set to ssh.
You do not have to input the commands marked default. These commands appear automatically in
the configuration file that is generated when you use the show running-config command.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


32
Basic Router CLI Configuration
Configuring Static Routes

!
line console 0
exec-timeout 10 0
password 4youreyesonly
login
transport input none (default)
stopbits 1 (default)
line vty 0 4
password secret
login
!

Configuring Static Routes


Static routes provide fixed routing paths through the network. They are manually configured on the router. If
the network topology changes, the static route must be updated with a new route. Static routes are private
routes unless they are redistributed by a routing protocol.
To configure static routes, follow these steps.

Procedure

Command or Action Purpose


Step 1 (Option 1) ip route prefix mask {ip-address | Specifies a static route for the IP packets. (If you are
interface-type interface-number [ip-address]} configuring an IPv6 address, use the ipv6 route command
described below.)
Example:

Router(config)# ip route 192.10.2.3 255.255.0.0


10.10.10.2

Step 2 (Option 2) ipv6 route prefix/mask {ipv6-address | Specifies a static route for the IP packets. See additional
interface-type interface-number [ipv6-address]} information for IPv6 here: https://www.cisco.com/c/en/us/
td/docs/ios-xml/ios/ipv6_basic/configuration/xe-16-10/
Example:
ip6b-xe-16-10-book/read-me-first.html
Router(config)# ipv6 route 2001:db8:2::/64
2001:db8:3::0

Step 3 end Exits global configuration mode and enters privileged EXEC
mode.
Example:

Router(config)# end

In the following configuration example, the static route sends out all IP packets with a destination
IP address of 192.168.1.0 and a subnet mask of 255.255.255.0 on the Gigabit Ethernet interface to
another device with an IP address of 10.10.10.2. Specifically, the packets are sent to the configured
PVC.
You do not have to enter the command marked default. This command appears automatically in the
configuration file generated when you use the running-config command.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


33
Basic Router CLI Configuration
Configuring Dynamic Routes

!
ip classless (default)
ip route 2001:db8:2::/64 2001:db8:3::0

Verifying Configuration
To verify that you have configured static routing correctly, enter the show ip route command (or
show ipv6 route command) and look for static routes marked with the letter S.
When you use an IPv4 address, you should see verification output similar to the following:

Router# show ip route


Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets


C 10.108.1.0 is directly connected, Loopback0
S* 0.0.0.0/0 is directly connected, FastEthernet0

When you use an IPv6 address, you should see verification output similar to the following:

Router# show ipv6 route


IPv6 Routing Table - default - 5 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE -
Destination
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1
OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
ls - LISP site, ld - LISP dyn-EID, a - Application

C 2001:DB8:3::/64 [0/0]
via GigabitEthernet0/0/2, directly connected
S 2001:DB8:2::/64 [1/0]
via 2001:DB8:3::1

Configuring Dynamic Routes


In dynamic routing, the network protocol adjusts the path automatically, based on network traffic or topology.
Changes in dynamic routes are shared with other routers in the network.
All of the Cisco IOS-XE configuration guides can be found here: https://www.cisco.com/c/en/us/support/
ios-nx-os-software/ios-xe-16/products-installation-and-configuration-guides-list.html

Configuring Routing Information Protocol


To configure the RIP on a router, follow these steps.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


34
Basic Router CLI Configuration
Configuring Routing Information Protocol

Procedure

Command or Action Purpose


Step 1 router rip Enters router configuration mode, and enables RIP on the
router.
Example:

Router(config)# router rip

Step 2 version {1 | 2} Specifies use of RIP version 1 or 2.


Example:

Router(config-router)# version 2

Step 3 network ip-address Specifies a list of networks on which RIP is to be applied,


using the address of the network of each directly connected
Example:
network.
Router(config-router)# network 192.168.1.1
Router(config-router)# network 10.10.7.1

Step 4 no auto-summary Disables automatic summarization of subnet routes into


network-level routes. This allows subprefix routing
Example:
information to pass across classful network boundaries.
Router(config-router)# no auto-summary

Step 5 end Exits router configuration mode, and enters privileged


EXEC mode.
Example:

Router(config-router)# end

Example
Verifying Configuration
To verify that you have configured RIP correctly, enter the show ip route command and look for
RIP routes marked with the letter R. You should see an output similar to the one shown in the
following example:
Router# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/24 is subnetted, 1 subnets


C 10.108.1.0 is directly connected, Loopback0
R 3.0.0.0/8 [120/1] via 2.2.2.1, 00:00:02, Ethernet0/0/0

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


35
Basic Router CLI Configuration
Configuring Enhanced Interior Gateway Routing Protocol

Configuring Enhanced Interior Gateway Routing Protocol


The Enhanced Interior Gateway Routing Protocol (EIGRP) is an enhanced version of the Interior Gateway
Routing Protocol (IGRP) developed by Cisco. The convergence properties and the operating efficiency of
EIGRP have improved substantially over IGRP, and IGRP is now obsolete.
The convergence technology of EIGRP is based on an algorithm called the Diffusing Update Algorithm
(DUAL). The algorithm guarantees loop-free operation at every instant throughout a route computation and
allows all devices involved in a topology change to synchronize. Devices that are not affected by topology
changes are not involved in recomputations
Details on configuring Enhanced Interior Gateway Routing Protocol (EIGRP), are found in the following
guide: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/xe-16-10/
ire-xe-16-10-book/ire-enhanced-igrp.html

Modular QoS (MQC)


This section provides an overview of Modular QoS CLI (MQC), which is how all QoS features are configured
on the IoT Integrated Services Router. MQC is a standardized approach to enabling QoS on Cisco routing
and switching platforms.
Follow the procedures that are in the QoS Modular QoS Command-Line Interface Configuration Guide, Cisco
IOS XE 17 guide.

Configuring the Serial Interface


This section describes configuring serial interface management.
The IR1101 supports asynchronous serial interface protocols used for SCADA, Raw Socket, or reverse Telnet.
It has a single serial interface, designated async 0/2/0. The serial interface is DTE only.

Note Async serial cabling is documented in the IR1101 HW installation guide located here:
https://www.cisco.com/c/en/us/td/docs/routers/access/1101/hardware/installation/guide/1101hwinst.html

Specifying an Asynchronous Serial Interface


To specify an asynchronous serial interface and enter interface configuration mode, use one of the following
commands in global configuration mode.

Command or Action Purpose

Router(config)# interface async 0/2/0 Enters interface configuration mode.

Specifying Asynchronous Serial Encapsulation


The asynchronous serial interfaces support the following serial encapsulation methods:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


36
Basic Router CLI Configuration
Configuring the Serial Port

• Raw-TCP
• Raw-UDP
• SCADA
• Encapsulation Relay

Command or Action Purpose

Router(config-if)# encapsulation {raw-tcp | raw-udp | scada} Configures asynchronous serial encapsulation.

Encapsulation methods are set according to the type of protocol or application you configure in the Cisco IOS
software.
The remaining encapsulation methods are defined in their respective books and chapters describing the
protocols or applications.

Configuring the Serial Port


To configure the serial port perform the steps in the following example:

IR1101#sh run int async 0/2/0


Building configuration...
Current configuration : 62 bytes
!
interface Async0/2/0
no ip address
encapsulation raw-tcp
end
IR1101#show line
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 0 CTY - - - - - 0 0 0/0 -
0/2/0 50 TTY 9600/9600 - - - - - 0 0 0/0 -
74 74 VTY - - - - - 3 0 0/0 -
75 75 VTY - - - - - 0 0 0/0 -
76 76 VTY - - - - - 0 0 0/0 -
77 77 VTY - - - - - 0 0 0/0 -
78 78 VTY - - - - - 0 0 0/0 -

Line(s) not in async mode -or- with no hardware support:


1-49, 51-73, 79-726

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


37
Basic Router CLI Configuration
Configuring the Serial Port

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


38
CHAPTER 4
Web User Interface (WebUI)
This chapter contains the following sections:
• Introduction to the Web User Interface, on page 39
• Day 0 Cellular Mode, on page 40
• Configuration Notes, on page 40
• Configuring Your Computer to Connect to the Router, on page 41
• Configuring Basic Mode WebUI through the Browser, on page 42
• Configuring Advanced Mode WebUI through the Browser, on page 46
• WebUI Dashboard, on page 51

Introduction to the Web User Interface


The Web User Interface (WebUI) provides network administrators with a single solution for provisioning,
monitoring, and optimizing devices. After you complete the hardware installation, you need to setup the device
with a configuration required to enable traffic to pass through the network. On your first day with your new
device, you can perform a number of tasks to ensure that your device is online, reachable and easily configured.
This is referred to as the Day 0 interface.

Note A Day 0 configuration is defined as a device that is fresh out of the box with no startup-configuration.

After the initial Day 0 configuration, the WebUI can be used for day to day configuration.
Effective with IOS-XE Release 17.3.1, the Day 0 Web User Interface (WebUI) will be supported on the
IR1101. Day 0 WebUI is supported only on LAN ports. These are FastEthernet ports 0/0/1 – 0/0/4 on the
IR1101. Connect a PC to one of the LAN ports of the IR1101 and boot the router on Day 0. The PC should
be configured with a static IP address of 192.168.1.2/255.255.255.0.
Once the router boots up in Day 0, the PC can connect to the 192.168.1.x network and can access WebUI
using the IP address of 192.168.1.1 with any browser. After the configuration is applied through the WebUI,
the router will display the message "Day 0 config done. Stopping autoinstall".

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


39
Web User Interface (WebUI)
Day 0 Cellular Mode

Day 0 Cellular Mode


Cisco IOS XE release 17.9.1 provides new functionality allowing the router to be configured on Day 0 through
the cellular pluggable module. This assumes a cellular pluggable module is already installed.
This mode helps configuring the Cellular APN, assuming the customer gets a private APN (or private LTE/5G)
as WAN backhaul. By doing so, the APN value is stored in the modem. Once the router reboots, it is reset to
factory-default, enabling the router to perform PnP over Cellular when private APN is used.

Note Advanced Mode is needed in order to set up Cellular WAN, including public or private APN. This
should be provided by your SIM's service provider.

Note The pluggable interface is not hot swappable. If you wish to change a SIM, power off the router.

The steps to configure through the cellular pluggable module follow:


1. Select the Cellular interface in the WAN type.
2. Enter the APN name.
3. There is no need to select a backup WAN.
4. Reboot the router.

PnP will now be able to run with private APN to connect to IOS OD, vManage, or DNA-C.

Configuration Notes
The following are important notes when using the WebUI:
• The WebUI is not supported on the 1G port because this interface is dedicated to PnP. It is only supported
on the 100M ports 1-4. See the figure below:
• Plug and Play (PNP) cannot be used if router is being used to configure using Day 0 WebUI as PNP will
be aborted once the configuration is applied through Day 0 WebUI.
• Starting from release 17.1.2, an explicit write memory is not needed once the configuration is applied
through the WebUI.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


40
Web User Interface (WebUI)
Configuring Your Computer to Connect to the Router

1 WAN port (GigabitEthernet 0/0/0 to IOS-XE)

2 LAN ports 1-4 (0/0/1 – 0/0/4 to IOS-XE)

Configuring Your Computer to Connect to the Router


The following section provides guidance for configuring your computer to properly interface with the IR1101.
You can access the application from a client web browser. Ensure that the following web client requirements
are met:
• Hardware—A Mac (OS version 10.9.5) or Windows (OS version 10) laptop or desktop compatible with
one of the following tested and supported browsers:
• Google Chrome 59 or later
• Mozilla Firefox 54 or later
• Apple Safari 10 or later
• Microsoft Edge browser

• Display resolution—We recommend that you set the screen resolution to 1280 x 800 or higher.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


41
Web User Interface (WebUI)
Configuring Basic Mode WebUI through the Browser

Configuring Basic Mode WebUI through the Browser


The following steps guide you through the process of using the browser on your PC/laptop to configure the
WebUI.

Step 1 Open your browser and enter 192.168.1.1in the address bar. The Login Screen appears. Enter the Username webui and
the Password cisco. Then click Log In.
Figure 3: Login Screen

Step 2 The Welcome Screen appears. Select Advanced Mode or Basic Mode. Basic Mode allows for configuring Basic settings,
LAN, and a Primary WAN. Advanced Mode allows you to configure an additional Backup WAN, AVC, as well as
additional settings. For the purposes of this section, Basic Mode is used. Select Basic Mode.
Figure 4: Welcome Screen

Step 3 Click Go To Account Creation Page. The Create New Account Screen appears. Create a new Login Name and
Password to access the WebUI.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


42
Web User Interface (WebUI)
Configuring Basic Mode WebUI through the Browser

Figure 5: Create New Account Screen

Step 4 Click CREATE & LAUNCH WIZARD. The Basic Settings Screen appears. Provide a Router Name (hostname),
Domain Name, Time Zone and Date & Time Mode.
Figure 6: BASIC SETTINGS Screen

Step 5 Click LAN SETTINGS. The LAN Configuration Screen appears. Enter the webui_dhcp Pool Name, VLAN interface
IP address, and select the interface that is connected to your laptop from the list of available interfaces.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


43
Web User Interface (WebUI)
Configuring Basic Mode WebUI through the Browser

Figure 7: LAN Configuration Screen

Step 6 Click PRIMARY WAN SETTINGS. The PRIMARY WAN SETTINGS Screen appears. Configure the WAN interface
by selecting the WAN Type and Interface from the available options. Next enter your DNS IP address information and
select Enable/Disable NAT.
Figure 8: Primary WAN Interface Screen

Step 7 Click Day 0 Config Summary. The Review Summary Screen appears. Verify your entries before applying the
configuration.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


44
Web User Interface (WebUI)
Configuring Basic Mode WebUI through the Browser

Figure 9: Summary Screen

Step 8 (Optional) You can click on CLI Preview to see the Configuration that is being applied to the router. Close the CLI
Preview and if you are ready, Click Submit.
Figure 10: CLI Preview Screen

Step 9 After clicking on Submit, a dialog box will appear which informs you that the configuration has been applied successfully.
The new WebUI ip address is also presented.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


45
Web User Interface (WebUI)
Configuring Advanced Mode WebUI through the Browser

Figure 11: Submit Dialog Box

Step 10 If you have web connectivity, the device will try to connect. It is recommended that you close the browser session and
move to the newly configured WebUI ip address.
Figure 12: Test VLAN Connection Screen

Configuring Advanced Mode WebUI through the Browser


The following steps guide you through the process of using the browser on your PC to configure the WebUI.
Make sure your laptop is configured to obtain an IP address through DHCP, or assign an IP address n.n.n.n
matching our default subnet.

Note Advanced Mode is needed in order to set up Cellular WAN, including public or private APN.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


46
Web User Interface (WebUI)
Configuring Advanced Mode WebUI through the Browser

Step 1 Open your browser and enter 192.168.1.1in the address bar. The Login Screen appears. Enter the Username webui and
the Password cisco. Then click Log In.
Figure 13: Login Screen

Step 2 The WELCOME screen appears. Select Advanced Mode or Basic Mode. Basic Mode allows for configuring Basic
settings, LAN, and a Primary WAN. Advanced Mode allows you to configure an additional Backup WAN, AVC, as well
as additional settings. For the purposes of this section, Advanced Mode is used.
Figure 14: WELCOME Screen

Step 3 Select Advanced Mode, then click Go To Account Creation Page. The Create New Account screen appears. Create a
new Login Name and Password to access the WebUI.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


47
Web User Interface (WebUI)
Configuring Advanced Mode WebUI through the Browser

Figure 15: Create New Account Screen

Step 4 Click CREATE & LAUNCH WIZARD The LAN Configuration screen appears. Provide a Pool Name, Network IP
Address, Subnet, Access VLAN, and Device IP Address. A list of available interfaces is shown to select from. Only
FastEthernet interfaces may be used.
Figure 16: LAN Configuration Screen

Step 5 Click PRIMARY WAN SETTINGS. The WAN Configuration screen appears. Select the WAN Type and Interface
from the pull-downs. Provide an APN (Access Point Name) from your LTE Service Provider, and then select the DNS
and IP Address settings for your network.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


48
Web User Interface (WebUI)
Configuring Advanced Mode WebUI through the Browser

Figure 17: WAN Configuration Screen

Step 6 Click BACKUP WAN SETTINGS. The BACKUP WAN Configuration screen appears. Select the button to Enable or
Disable a backup WAN.
Figure 18: BACKUP WAN Configuration

Step 7 Click Day 0 Config Summary. The SUMMARY screen appears. Verify your entries before applying the configuration.
Figure 19: Summary Screen

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


49
Web User Interface (WebUI)
Configuring Advanced Mode WebUI through the Browser

Step 8 (Optional) You can click on CLI Preview to see the Configuration that is being applied to the router. Close the CLI
Preview, and if you are ready, click Submit.
Note A CLI Preview example is found at the end of this section.

Step 9 After clicking on Submit, a dialog box will appear which informs you that the configuration has been applied successfully.
The new WebUI ip address is also presented.
Figure 20: Submit Dialog Box

Example
The following is an example of a CLI Preview:
ip domain name cisco.com
clock timezone GMT -6 00
ntp server pool.ntp.org

username admin privilege 15 secret 0 Mjc1N0dsb2NrIQ==

hostname "IR1101"
interface vlan 1
ip address 10.1.1.1 255.255.255.0
no shutdown
vlan 1
interface FastEthernet0/0/1
switchport access vlan 1
switchport trunk native vlan 1
switchport mode access
no shutdown
interface FastEthernet0/0/2
switchport access vlan 1
switchport trunk native vlan 1
switchport mode access
no shutdown
interface FastEthernet0/0/3
switchport access vlan 1
switchport trunk native vlan 1
switchport mode access
no shutdown
interface FastEthernet0/0/4
switchport access vlan 1

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


50
Web User Interface (WebUI)
WebUI Dashboard

switchport trunk native vlan 1


switchport mode access
no shutdown
ip dhcp pool 10Net-Pool
dns-server 10.1.1.1
network 10.1.1.0 255.255.255.0
import all
default-router 10.1.1.1
lease 0 2

ip dhcp excluded-address 10.1.1.1

ip dns server
ip dns view default
default dns forwarder
default dns forwarding
default domain lookup
default domain name-server
interface Cellular0/1/0
description primary_wan
ip address negotiated
dialer in-band
dialer-group 1
pulse-time 1
shutdown
no shutdown
ip nat outside
exit
dialer-list 1 protocol ip permit

controller Cellular 0/1/0


lte sim data-profile 2 attach-profile 2 slot 0

ip route 0.0.0.0 0.0.0.0 Cellular0/1/0

ip nat inside source list 197 interface Cellular0/1/0 overload


access-list 197 permit ip any any

WebUI Dashboard
After completing the Day 0 setup, the WebUI can now be used for day to day administration. The WebUI
opens up to an easy to use dashboard.

Note WebUI feature support may vary based on the license and platform type of your device.

The following figure shows the dashboard:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


51
Web User Interface (WebUI)
WebUI Dashboard

Figure 21: Dashboard

The following table provides an overview of the dashboard.

Dashboard View dashlets that give you a snapshot of CPU and


memory utilization and system information.

Monitoring Monitor your network on a daily basis and perform


other ad hoc operations related to network device
inventory and configuration management.

Configuration Configure your device.

Administration Specify system configuration settings and user


administration settings.

Troubleshooting Troubleshoot connectivity problems and packet loss


using Ping and Traceroute, and monitor device health
and performance using web server logs and syslogs.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


52
CHAPTER 5
Configuring Secure Shell
This chapter contains the following sections:
• Information About Secure Shell , on page 53
• How to Configure Secure Shell, on page 55
• Information about Secure Copy, on page 59
• Additional References, on page 61

Information About Secure Shell


Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more
security for remote connections than Telnet does by providing strong encryption when a device is authenticated.
This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2).

Prerequisites for Configuring Secure Shell


The following are the prerequisites for configuring the device for secure shell (SSH):
• For SSH to work, the switch needs an RSA public/private key pair.
• The Secure Shell (SSH) server requires an IPsec (Data Encryption Standard [DES] or 3DES) encryption
software image; the SSH client requires an IPsec (DES or 3DES) encryption software image.)
• Configure a hostname and host domain for your device by using the hostname and ip domain-name
commands in global configuration mode. Use the hostname and ip domain-name commands in global
configuration mode.

Restrictions for Configuring Secure Shell


The following are restrictions for configuring the IR1101 for secure shell.
• The router supports RSA authentication.
• SSH supports only the execution-shell application.
• The SSH server and the SSH client are supported only on Data Encryption Standard (DES) (56-bit) and
3DES (168-bit) data encryption software. In DES software images, DES is the only encryption algorithm
available. In 3DES software images, both DES and 3DES encryption algorithms are available.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


53
Configuring Secure Shell
SSH And Router Access

Note Cisco highly recommends the 3DES encryption as it is stronger.


See the Cisco IOS-XE Device hardening guide at https://www.cisco.com/
c/en/us/support/docs/ip/access-lists/13608-21.html for details.

• This software release supports IP Security (IPSec).


• The IR1101 supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key,
192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported.
• The login banner is not supported in Secure Shell Version 1. It is supported in Secure Shell Version 2,
which Cisco recommends due to its better security.
• The -l keyword and userid :{number} {ip-address} delimiter and arguments are mandatory when
configuring the alternative method of Reverse SSH for console access.

SSH And Router Access


Secure Shell (SSH) is a protocol that provides a secure, remote connection to a device. SSH provides more
security for remote connections than Telnet does by providing strong encryption when a device is authenticated.
This software release supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2). SSH functions the same
in IPv6 as in IPv4. For IPv6, SSH supports IPv6 addresses and enables secure, encrypted connections with
remote IPv6 nodes over an IPv6 transport.

SSH Servers, Integrated Clients, and Supported Versions


The Secure Shell (SSH) Integrated Client feature is an application that runs over the SSH protocol to provide
device authentication and encryption. The SSH client enables a Cisco device to make a secure, encrypted
connection to another Cisco device or to any other device running the SSH server. This connection provides
functionality similar to that of an outbound Telnet connection except that the connection is encrypted. With
authentication and encryption, the SSH client allows for secure communication over an unsecured network.
The SSH server and SSH integrated client are applications that run on the switch. The SSH server works with
the SSH client supported in this release and with non-Cisco SSH clients. The SSH client works with publicly
and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard
(DES), 3DES, and password authentication.

Note The SSH client functionality is available only when the SSH server is enabled.

User authentication is performed like that in the Telnet session to the device. SSH also supports the following
user authentication methods:
• TACACS+
• RADIUS
• Local authentication and authorization

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


54
Configuring Secure Shell
SSH Configuration Guidelines

SSH Configuration Guidelines


Follow these guidelines when configuring the device as an SSH server or SSH client:
• An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.
• If you get CLI error messages after entering the crypto key generate rsa global configuration command,
an RSA key pair has not been generated. Reconfigure the hostname and domain, and then enter the crypto
key generate rsa command.
• When generating the RSA key pair, the message No hostname specified might appear. If it does, you
must configure an IP hostname by using the hostname global configuration command.
• When generating the RSA key pair, the message No domain specified might appear. If it does, you must
configure an IP domain name by using the ip domain-name global configuration command.
• When configuring the local authentication and authorization authentication method, make sure that AAA
is disabled on the console.

Related Tasks
Setting Up the IR1101 to Run SSH, on page 55
#unique_62

How to Configure Secure Shell


Setting Up the IR1101 to Run SSH
Follow the procedure given below to set up your device to run SSH:

Before you begin


Configure user authentication for local or remote access. This step is required. For more information, see
Related Topics below.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

IR1101# configure terminal

Step 2 hostname hostname Configures a hostname and IP domain name for your device.
Example: Note Follow this procedure only if you are configuring
the device as an SSH server.
IR1101(config)# hostname your_hostname

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


55
Configuring Secure Shell
Configuring the SSH Server

Command or Action Purpose


Step 3 ip domain-name domain_name Configures a host domain for your device.
Example:

IR1101(config)# ip domain-name your_domain_name

Step 4 crypto key generate rsa Enables the SSH server for local and remote authentication
on the device and generates an RSA key pair. Generating
Example:
an RSA key pair for the device automatically enables SSH.
IR1101(config)# crypto key generate rsa We recommend that a minimum modulus size of 1024 bits.
When you generate RSA keys, you are prompted to enter
a modulus length. A longer modulus length might be more
secure, but it takes longer to generate and to use.
Note Follow this procedure only if you are configuring
the device as an SSH server.

Step 5 end Returns to privileged EXEC mode.


Example:

IR1101(config)# end

Configuring the SSH Server


Follow these steps to configure the SSH server:

Note This procedure is only required if you are configuring the device as an SSH server.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

IR1101# configure terminal

Step 2 ip ssh version [2] (Optional) Configures the device to run SSH Version 2.
Example: If you do not enter this command or do not specify a
keyword, the SSH server selects the latest SSH version
IR1101(config)# ip ssh version 2 supported by the SSH client. For example, if the SSH client
supports SSHv1 and SSHv2, the SSH server selects SSHv2.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


56
Configuring Secure Shell
Monitoring the SSH Configuration and Status

Command or Action Purpose


Step 3 ip ssh {timeout seconds | authentication-retries number} Configures the SSH control parameters:
Example: • Specify the time-out value in seconds; the default is
120 seconds. The range is 0 to 120 seconds. This
IR1101(config)# ip ssh timeout 90 parameter applies to the SSH negotiation phase. After
ip ssh authentication-retries 2 the connection is established, the device uses the
default time-out values of the CLI-based sessions.
By default, up to five simultaneous, encrypted SSH
connections for multiple CLI-based sessions over the
network are available (session 0 to session 4). After
the execution shell starts, the CLI-based session
time-out value returns to the default of 10 minutes.
• Specify the number of times that a client can
re-authenticate to the server. The default is 3; the range
is 0 to 5.

Repeat this step when configuring both parameters.

Step 4 Use one or both of the following: (Optional) Configures the virtual terminal line settings.
• line vty line_number [ending line number] • Enters line configuration mode to configure the virtual
• transport input ssh terminal line settings. For the line_number and
ending_line_number arguments, the range is from 0
Example: to 15.
IR1101(config)# line vty 1 10
• Specifies that the device prevents non-SSH Telnet
connections, limiting the device to only SSH
or
connections.
IR1101(config-line)# transport input ssh

Step 5 end Exits line configuration mode and returns to privileged


EXEC mode.
Example:

IR1101(config-line)# end

Monitoring the SSH Configuration and Status


This table displays the SSH server configuration and status.

Table 6: Commands for Displaying the SSH Server Configuration and Status

Command Purpose

show ip Shows the version and configuration information for the SSH server.
ssh
show ssh Shows the status of the SSH server.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


57
Configuring Secure Shell
Configuring the Router for Local Authentication and Authorization

Configuring the Router for Local Authentication and Authorization


You can configure AAA to operate without a server by setting the switch to implement AAA in local mode.
The router then handles authentication and authorization. No accounting is available in this configuration.
Follow these steps to configure AAA to operate without a server by setting the router to implement AAA in
local mode:

Note To secure the router for HTTP access by using AAA methods, you must configure the router with the
ip http authentication aaa global configuration command. Configuring AAA authentication does not
secure the router for HTTP access by using AAA methods.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.
Example:

IR1101# configure terminal

Step 2 aaa new-model Enables AAA


Example:

IR1101(config)# aaa new-model

Step 3 aaa authentication login default local Sets the login authentication to use the local username
database. The default keyword applies the local user
Example:
database authentication to all ports.
IR1101(config)# aaa authentication login default
local

Step 4 aaa authorization exec local Configures user AAA authorization, check the local
database, and allow the user to run an EXEC shell.
Example:

IR1101(config-line)# aaa authorization exec local

Step 5 aaa authorization network local Configures user AAA authorization for all network-related
service requests.
Example:

IR1101(config-line)# aaa authorization network


local

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


58
Configuring Secure Shell
Information about Secure Copy

Command or Action Purpose


Step 6 username name privilege level password encryption-type Enters the local database, and establishes a username-based
password authentication system.
Example: Repeat this command for each user.
a. For name, specify the user ID as one word. Spaces and
IR1101(config-line)# username your_user_name
privilege 1 password 7 secret567 quotation marks are not allowed.
b. (Optional) For level, specify the privilege level the user
has after gaining access. The range is 0 to 15. Level 15
gives privileged EXEC mode access. Level 0 gives user
EXEC mode access.
c. For encryption-type, enter 0 to specify that an
unencrypted password follows. Enter 7 to specify that
a hidden password follows.
d. For password, specify the password the user must enter
to gain access to the switch. The password must be from
1 to 25 characters, can contain embedded spaces, and
must be the last option specified in the username
command.

Step 7 end Exits line configuration mode and returns to privileged


EXEC mode.
Example:

IR1101(config-line)# end

Information about Secure Copy


The Secure Copy Protocol (SCP) feature provides a secure and authenticated method for copying router
configuration or router image files. SCP relies on Secure Shell (SSH), an application and a protocol that
provide a secure replacement for the Berkeley r-tools.

Prerequisites for Secure Copy


The following are the prerequisites for configuring the device for secure shell (SSH):
• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the switch.
• Because SCP relies on SSH for its secure transport, the router must have an RSA key pair.
• SCP relies on SSH for security.
• SCP requires that authentication, authorization, and accounting (AAA) authorization be configured so
the router can determine whether the user has the correct privilege level.
• A user must have appropriate authorization to use SCP.
• A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System
(IFS) to and from a switch by using the copy command. An authorized administrator can also do this
from a workstation.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


59
Configuring Secure Shell
Restrictions for Configuring Secure Copy

Restrictions for Configuring Secure Copy


• Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the router.
• When using SCP, you cannot enter the password into the copy command. You must enter the password
when prompted.

Configuring Secure Copy


To configure the Cisco IR1101 for Secure Copy (SCP) server-side functionality, perform the following steps.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Step 3 aaa new-model Sets AAA authentication at login.


Example:

Device(config)# aaa new-model

Step 4 aaa authentication login {default | list-name} method1 Enables the AAA access control system.
[ method2... ]
Example:

Device(config)# aaa authentication login default


group tacacs+

Step 5 username name [privilege level] password Establishes a username-based authentication system.
encryption-type encrypted-password
Note You may omit this step if a network-based
Example: authentication mechanism, such as TACACS+
or RADIUS, has been configured.
Device(config)# username superuser privilege 2
password 0 superpassword

Step 6 ip scp server enable Enables SCP server-side functionality.


Example:

Device(config)# ip scp server enable

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


60
Configuring Secure Shell
Additional References

Command or Action Purpose


Step 7 exit Exits global configuration mode and returns to privileged
EXEC mode.
Example:

Device(config)# exit

Step 8 show running-config (Optional) Displays the SCP server-side functionality.


Example:

Device# show running-config

Step 9 debug ip scp (Optional) Troubleshoots SCP authentication problems.


Example:

Device# debug ip scp

Example
IR1101# copy scp <somefile> your_username@remotehost:/<some/remote/directory>

Additional References
The following sections provide references related to the SSH feature.

Related Topic Document Title

Configuring Identity Control policies Session Aware Networking Configuration Guide, Cisco IOS XE Release
and Identity Service templates for 3SE: https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/
Session Aware networking. xe-3se/3850/san-xe-3se-3850-book.pdf

Configuring RADIUS, TACACS+, Secure Shell Configuration Guide, Cisco IOS XE Gibraltar 16.11.x:
Secure Shell, 802.1X and AAA. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/
software/release/16-11/configuration_guide/sec/b_1611_sec_9500_cg/
configuring_secure_shell__ssh_.html

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


61
Configuring Secure Shell
Additional References

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


62
CHAPTER 6
NTP Timing Based on GPS Clock
This chapter contains the following sections:
• Configuring NTP using GPS Time, on page 63

Configuring NTP using GPS Time


You can configure the GPS time as the reference clock for NTP using the command ntp refclock gps.

Note This feature is available with IOS XE release 17.6.1. Further information can be found in NTP Clock
Sync with GPS in the Cellular Pluggable Interface Module Configuration Guide.

The GPS time acts as a stratum 0 source, and the Cisco IOS NTP server acts as a stratum 1 device, which in
turn provides clock information to its NTP clients (stratum 2 and 3).

Step 1 Enter global configuration mode:


Example:

Router# configure terminal

Step 2 Configure the NTP reference clock as GPS:


Example:
Router(config)#ntp refclock gps

Step 3 To verify the configuration, use the show commands in the following example:
Example:
Router#
Sep 24 19:58:43.046 GMT: %PKI-6-AUTHORITATIVE_CLOCK: The system clock has been set.
Router#show ntp status
Clock is synchronized, stratum 1, reference is .GPS.
nominal freq is 250.0000 Hz, actual freq is 249.9970 Hz, precision is 2**10
ntp uptime is 94000 (1/100 of seconds), resolution is 4016
reference time is E31778F3.0B851ED8 (19:58:43.045 GMT Thu Sep 24 2020)
clock offset is 11.0000 msec, root delay is 0.00 msec

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


63
NTP Timing Based on GPS Clock
Configuring NTP using GPS Time

root dispersion is 3950.55 msec, peer dispersion is 3938.47 msec


loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000011995 s/s
system poll interval is 64, last update was 7 sec ago.
Router#
Router#
Router#show ntp associations

address ref clock st when poll reach delay offset disp


*~127.127.5.1 .GPS. 0 38 64 7 0.000 11.000 1938.8
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
Router#
Router#show clock
20:00:43.660 GMT Thu Sep 24 2020
Router#

Step 4 Use the debug ntp refclock command to troubleshoot the configuration:
Example:
Router#debug ntp ?
adjust NTP clock adjustments
all NTP all debugging on
core NTP core messages
events NTP events
packet NTP packet debugging
refclock NTP refclock messages

Router#debug ntp re
Router#debug ntp refclock
*Sep 24 19:58:43.045 GMT: GPS: Poll Requested
*Sep 24 19:58:43.045 GMT: GPS (19:58:43.056 GMT Thu Sep 24 2020)
*Sep 24 19:58:43.045 GMT: Valid time rcvd from GPS: 2020/09/24 19:58:43.056 (frac = 0x0E560440)
*Sep 24 19:58:43.045 GMT: RTS poll timestamp (local clock) was 0xE31778F3.0B851ED8
*Sep 24 19:58:43.045 GMT: GPS timestamp is 0xE31778F3.0E560440
*Sep 24 19:58:43.045 GMT: NTP Core(NOTICE): ntpd PPM
*Sep 24 19:58:43.046 GMT: NTP Core(NOTICE): trans state : 5
*Sep 24 19:58:43.046 GMT: NTP Core(NOTICE): Clock is synchronized.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


64
CHAPTER 7
New Features for Cisco IOS-XE 17.1.1
The following are the new features available on the IR1101 for IOS-XE release 17.1.1:
• Support for the X25 over TCP (XOT), on page 65
• Support for YANG Data Models (Call-home), on page 65
• Yang Data Model Support for Scada, on page 66
• Support for Model Driven support for GNMI Telemetry Dial-In , on page 66
• Option to Enable or Disable USB Access, on page 66
• Day 0 Web User Interface, on page 66

Support for the X25 over TCP (XOT)


X.25 is an ITU standard for packet switching Wide Area Network (WAN). This is used in the
Telecommunication industry over serial interfaces that are replaced by IP Network. An X25 connection can
be established by using a PAD connection similar to Telnet/SSH. The IR1101 router has only one asynchronous
serial interface where features of X25 are not supported. However, we can communicate to the X25 edge
devices using by using feature TCP over X25 (XOT). With XOT, we can directly establish a PAD connection
to X25 edge devices. Also, we can assign default or customized profiles to the access-groups by changing
various parameters of X25 packets.
For additional information about XOT for IOS-XE, see the following:
Wide-Area Networking Configuration Guide: X.25 and LAPB, Cisco IOS XE

Support for YANG Data Models (Call-home)


The YANG models supported for the call-home feature are similar to the earlier releases of Cisco-IOS-XE,
and the same is supported on 17.1 release of IOS-XE on IR1101. The following references are available for
earlier YANG models:
https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/1651
For additional information about call-home for IOS-XE, see the following:
Software Activation Configuration Guide, Cisco IOS XE Release 3S

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


65
New Features for Cisco IOS-XE 17.1.1
Yang Data Model Support for Scada

Yang Data Model Support for Scada


The Cisco IOS XE 17.1.1 introduces support for the Cisco IOS XE YANG model for the Scada System.
Previous releases already provided Yang models in other areas.
https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/1711

Support for Model Driven support for GNMI Telemetry Dial-In


Similar to YANG models, there is support on IOS-XE for open source models defined by Google and is
referred as Google Network Management Interface (GNMI). Configurations of GNMI can be verified either
with Secure or Insecure Mode.
• Secure Mode
Secure Mode establishes secure connection using OpenSSL certificates between client and server. It sends
GNMI telemetry updates using open source gnmi_cli tool.
• Insecure Mode
Insecure Mode sends GNMI telemetry updates between client and server using open source pygnmi tool.
For additional information about GNMI Telemetry see the following reference:
Programmability Configuration Guide, Cisco IOS XE

Option to Enable or Disable USB Access

Day 0 Web User Interface

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


66
CHAPTER 8
New Features for Cisco IOS-XE 17.2.1
• Native docker support, on page 67
• Yang Data Model Support for Raw Socket Transport, on page 68
• Digital IO for IOx container applications, on page 69
• L2 Sticky Secure MAC Addresses, on page 70
• Signed Application Support, on page 71

Native docker support


Native Docker Support has been added to the 17.2.1 release. This feature enables users to deploy the docker
applications on the IR1101. The application lifecycle process is similar to the procedure in the Installing and
Uninstalling Apps section. For docker applications, entry point configuration is required as part of the
application configuration. Please refer to the following example for the entry point configuration.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#app-hosting appid app3
Router(config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.0.7 netmask 255.255.255.0
Router(config-app-hosting-gateway0)#app-default-gateway 192.168.0.1 guest-interface 0
Router(config-app-hosting)#app-resource docker
Router(config-app-hosting-docker)#run-opts 1 "--entrypoint '/bin/sleep 10000'"
Router(config-app-hosting-docker)#end
Router#

The output for docker applications is shown in the following example:

Router#show app-hosting detail


App id : app1
Owner : iox
State : RUNNING
Application
Type : docker
Name : aarch64/busybox
Version : latest
Description :
Path : bootflash:busybox.tar
Activated profile name : custom
Resource reservation
Memory : 431 MB
Disk : 10 MB

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


67
New Features for Cisco IOS-XE 17.2.1
Yang Data Model Support for Raw Socket Transport

CPU : 577 units


VCPU : 1
Attached devices
Type Name Alias
---------------------------------------------
serial/shell iox_console_shell serial0
serial/aux iox_console_aux serial1
serial/syslog iox_syslog serial2
serial/trace iox_trace serial3
Network interfaces
---------------------------------------
eth0:
MAC address : 52:54:dd:e9:ab:7a
IPv4 address : 192.168.0.7
Network name : VPG0
Docker
------
Run-time information
Command :
Entry-point : /bin/sleep 10000
Run options in use : --entrypoint '/bin/sleep 10000'
Application health information
Status : 0
Last probe error :
Last probe output :
Router#

Yang Data Model Support for Raw Socket Transport


Release 17.2.1 adds support for additional Yang Data Models. These additional models include Raw Socket
Transport.
Yang Data Models can be found here:
https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/1721
There are two feature modules available for raw socket that belong to the main Cisco-IOS-XE-native model.
They are:
• Cisco-IOS-XE-rawsocket.yang
This module contains a collection of YANG definitions for Raw Socket Transport Configuration commands.
This module has the following corresponding Cli commands:

# encapsulation raw-tcp
# encapsulation raw-udp
# raw-socket packet-length
<length>
# raw-socket packet-timer
<timer>
# raw-socket special-char
<value>
# raw-socket tcp server
<port> <ip>
# raw-socket tcp idle-timeout
<value>
# raw-socket tcp client <
dest-ip> <dest-port>
# raw-socket tcp idle-timeout
<timeout>

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


68
New Features for Cisco IOS-XE 17.2.1
Digital IO for IOx container applications

# raw-socket tcp tcp-session


<value>
# raw-socket tcp dscp
<value>
# raw-socket udp connection
<dest-ip> <dest-port> <local_port>

• Cisco-IOS-XE-rawsocket-oper.yang
This module contains a collection of YANG definitions for Raw Socket Transport operational data.
This module has the following corresponding Cli commands:

# show raw udp statistics


# show raw tcp statistics
# show raw tcp session
# show raw udp session
# show raw tcp session local
# show raw udp session local

The following is a list of the Dependent Modules:


• Cisco-IOS-XE-native
• Cisco-IOS-XE-features
• ietf-inet-types
• Cisco-IOS-XE-interfaces
• Cisco-IOS-XE-ip
• Cisco-IOS-XE-vlan
• ietf-yang-types @ (any revision)
• cisco-semver

Digital IO for IOx container applications


Release 17.2.1 provides support for IOx container applications to be able to access the digital IO. There is a
new CLI that has been added to the alarm contact command.

Router(config)# alarm contact ?


<0-4> Alarm contact number (0: Alarm port, 1-4: Digital I/O)
attach-to-iox Enable Digital IO Ports access from IOX
Router (config)# alarm contact attach-to-iox

Enabling the attach-to-iox command will provide complete control of all Digital IO ports to IOx. The ports
will be exposed as four character devices /dev/dio-[1-4] to IOX applications. You can use read/write functions
to get/set values of the Digital IO ports.
If you wish to update the mode, you can write the mode value to the character device file. This is accomplished
by IOCTL calls to read/write the state, change mode, and read the true analog voltage of the port. Following
this method, you can attach analog sensors to the IR1101. All ports are initially set to Input mode with voltage
pulled up to 3.3v.
The following are examples of IOCTL calls:
Read Digital IO Port:

cat /dev/dio-1

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


69
New Features for Cisco IOS-XE 17.2.1
L2 Sticky Secure MAC Addresses

Write to Digital IO Port:

echo 0 > /dev/dio-1


echo 1 > /dev/dio-1

Change mode:

echo out > /dev/dio-1


echo in > /dev/dio-1

List of IOCTLs supported:

DIO_GET_STATE = 0x1001
DIO_SET_STATE = 0x1002
DIO_GET_MODE = 0x1003
DIO_SET_MODE_OUTPUT = 0x1004
DIO_SET_MODE_INPUT = 0x1005
DIO_GET_THRESHOLD 0x1006
DIO_SET_THRESHOLD = 0x1007
DIO_GET_VOLTAGE = 0x1009

Read State using IOCTL:

import fcntl, array


file = open("/dev/dio-1","rw")
state = array.array('L',[0])
fcntl.ioctl(file, DIO_GET_STATE, state)
print(state[0])

Change mode using IOCTL:

import fcntl
file = open("/dev/dio-1","rw")
fcntl.ioctl(file, DIO_SET_MODE_OUTPUT, 0)

L2 Sticky Secure MAC Addresses


This is a new feature for the IR1101, however, it been present in IOS-XE for some time.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and
to add them to the running configuration by enabling sticky learning. The interface converts all the dynamic
secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to
sticky secure MAC addresses. All sticky secure MAC addresses are added to the running configuration.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the
startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the
configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do
not save the sticky secure addresses, they are lost.

Security Violations
It is a security violation when one of these situations occurs:
• The maximum number of secure MAC addresses have been added to the address table, and a station
whose MAC address is not in the address table attempts to access the interface.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


70
New Features for Cisco IOS-XE 17.2.1
Command Line Interface

• An address learned or configured on one secure interface is seen on another secure interface in the same
VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a violation
occurs:
• protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number of maximum allowable
addresses. You are not notified that a security violation has occurred.
Note: If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses
and are removed from the running configuration.
• restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number of maximum allowable
addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a
syslog message is logged, and the violation counter increments.
• shutdown—a port security violation causes the interface to become error-disabled and to shut down
immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring
it out of this state by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by entering the shutdown and no shut down interface
configuration commands. This is the default mode.
• shutdown vlan—Use to set the security violation mode per-VLAN. In this mode, the VLAN is error
disabled instead of the entire port when a violation occurs

Command Line Interface


Under switch interface, add port-security cli.

Router(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr> <cr>
Router(config-if)#switchport port-security mac-address sticky

Signed Application Support


Cisco Signed applications are now supported on the IR1101. In order to install a signed application, signed
verification has to be enabled on the device. Signed verification can be enabled by following the following
instructions.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Router(config)#app-hosting signed-verification
Router(config)#
Router(config)#exit

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


71
New Features for Cisco IOS-XE 17.2.1
Signed Application Support

After enabling the signed verification, follow the instructions in the Installing and Uninstalling Apps section
under IOx Application Hosting in order to install the application.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


72
CHAPTER 9
New Features for Cisco IOS-XE 17.3.1
The following are the new features available on the IR1101 for IOS-XE release 17.3.1:
• Yang Support for IO Ports, on page 73
• Support for Security-Enhanced Linux (SELinux), on page 74
• Support Added for the P-LTEAP18-GL Modem PID, on page 76
• Initial Bootup Security Improvements, on page 76
• Initial Bootup Security Improvements, on page 78

Yang Support for IO Ports


This feature increases the compatibility between the Command Line Interface and the Yang Model. Cisco
IOS-XE Yang Data Models are found here:
https://github.com/YangModels/yang/tree/master/vendor/cisco/xe
Each release has a directory, and the 17.3.1 release is found under 1731. The two modules for Digital IO are
Cisco-IOS-XE-digital-io-oper and Cisco-IOS-XE-digitalio.
The following are relevant IOS-XE CLI commands available:

Show Commands
• show run
• show alarm
• show led

Configuration Commands
• alarm contact attach-to-iox
• no alarm contact attach-to-iox
• alarm contact 1 enable enable
• no alarm contact <1-4> enable
• alarm contact <1-4> application <wet | dry>
• no alarm contact <1-4> application
• alarm contact <1-4> description <alarm description>
• no alarm contact <1-4> description
• alarm contact <1-4> severity <critical | major | minor | none>

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


73
New Features for Cisco IOS-XE 17.3.1
Support for Security-Enhanced Linux (SELinux)

• no alarm contact <1-4> severity


• alarm contact <1-4> threshold <1600-2700>
• no alarm contact <1-4> threshold
• alarm contact <1-4> trigger <closed | open>
• no alarm contact <1-4> trigger
• alarm contact <1-4> output <1 | 0>
• alarm contact <1-4> output relay temperature <critical | major | minor>
• alarm contact <1-4> output relay input-alarm <0-4>
• no alarm contact <1-4> output

Support for Security-Enhanced Linux (SELinux)


Security-Enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong,
flexible mandatory access control (MAC) architecture into the major subsystems of the kernel. SELinux
provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity
requirements, which allows threats of tampering and bypassing of application security mechanisms to be
addressed and enables the confinement of damage that can be caused by malicious or flawed applications.
SELinux enforces mandatory access control policies that confine user programs and system servers to the
minimum amount of privilege they require to do their jobs. This reduces or eliminates the ability of these
programs and daemons to cause harm when compromised (for example, via buffer overflows or
mis-configurations). This confinement mechanism operates independently of the traditional Linux access
control mechanisms.
The are no additional requirements or configuration steps required to enable or operate the SELinux feature.
The solution is enabled/operational by default as part of the base IOS-XE software on supported platforms.
The following are enhanced show commands that have been defined for viewing SELinux related audit logs.
show platform software audit all
show platform software audit summary
show platform software audit switch <<1-8> | active | standby> <FRU identifier from a drop-down list>

Command Examples
The following is a sample output of the show software platform software audit summary command:

Device# show platform software audit summary


===================================
AUDIT LOG ON switch 1
-----------------------------------
AVC Denial count: 58
===================================

The following is a sample output of the show software platform software audit all command:

Device# show platform software audit all


===================================
AUDIT LOG ON switch 1
-----------------------------------
========== START ============

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


74
New Features for Cisco IOS-XE 17.3.1
Command Examples

type=AVC msg=audit(1539222292.584:100): avc: denied { read } for pid=14017


comm="mcp_trace_filte" name="crashinfo" dev="rootfs" ino=13667
scontext=system_u:system_r:polaris_trace_filter_t:s0
tcontext=system_u:object_r:polaris_disk_crashinfo_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1539222292.584:100): avc: denied { getattr } for pid=14017
comm="mcp_trace_filte" path="/mnt/sd1" dev="sda1" ino=2
scontext=system_u:system_r:polaris_trace_filter_t:s0
tcontext=system_u:object_r:polaris_disk_crashinfo_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539222292.586:101): avc: denied { getattr } for pid=14028 comm="ls"
path="/tmp/ufs/crashinfo" dev="tmpfs" ino=58407
scontext=system_u:system_r:polaris_trace_filter_t:s0
tcontext=system_u:object_r:polaris_ncd_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539222292.586:102): avc: denied { read } for pid=14028 comm="ls"
name="crashinfo" dev="tmpfs" ino=58407 scontext=system_u:system_r:polaris_trace_filter_t:s0
tcontext=system_u:object_r:polaris_ncd_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539438600.896:119): avc: denied { execute } for pid=8300 comm="sh"
name="id" dev="loop0" ino=6982 scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
========== END ============

(output omitted for brevity)


The following is a sample output of the show software platform software audit switch command:

Device# show platform software audit switch active R0


========== START ============
type=AVC msg=audit(1539222292.584:100): avc: denied { read } for pid=14017
comm="mcp_trace_filte" name="crashinfo" dev="rootfs" ino=13667
scontext=system_u:system_r:polaris_trace_filter_t:s0
tcontext=system_u:object_r:polaris_disk_crashinfo_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1539222292.584:100): avc: denied { getattr } for pid=14017
comm="mcp_trace_filte" path="/mnt/sd1" dev="sda1" ino=2
scontext=system_u:system_r:polaris_trace_filter_t:s0
tcontext=system_u:object_r:polaris_disk_crashinfo_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539222292.586:101): avc: denied { getattr } for pid=14028 comm="ls"
path="/tmp/ufs/crashinfo" dev="tmpfs" ino=58407
scontext=system_u:system_r:polaris_trace_filter_t:s0
tcontext=system_u:object_r:polaris_ncd_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539222292.586:102): avc: denied { read } for pid=14028 comm="ls"
name="crashinfo" dev="tmpfs" ino=58407 scontext=system_u:system_r:polaris_trace_filter_t:s0
tcontext=system_u:object_r:polaris_ncd_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1539438624.916:122): avc: denied { execute_no_trans } for pid=8600
comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276
scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438648.936:123): avc: denied { execute_no_trans } for pid=9307
comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276
scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438678.649:124): avc: denied { name_connect } for pid=26421
comm="nginx" dest=8098 scontext=system_u:system_r:polaris_nginx_t:s0
tcontext=system_u:object_r:polaris_caf_api_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1539438696.969:125): avc: denied { execute_no_trans } for pid=10057
comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276
scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438732.973:126): avc: denied { execute_no_trans } for pid=10858
comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276
scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438778.008:127): avc: denied { execute_no_trans } for pid=11579
comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276
scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


75
New Features for Cisco IOS-XE 17.3.1
Syslog Message Reference

type=AVC msg=audit(1539438800.156:128): avc: denied { name_connect } for pid=26421


comm="nginx" dest=8098 scontext=system_u:system_r:polaris_nginx_t:s0
tcontext=system_u:object_r:polaris_caf_api_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1539438834.099:129): avc: denied { execute_no_trans } for pid=12451
comm="auto_upgrade_se" path="/bin/bash" dev="rootfs" ino=7276
scontext=system_u:system_r:polaris_auto_upgrade_server_rp_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1539438860.907:130): avc: denied { name_connect } for pid=26421
comm="nginx" dest=8098 scontext=system_u:system_r:polaris_nginx_t:s0
tcontext=system_u:object_r:polaris_caf_api_port_t:s0 tclass=tcp_socket permissive=1
========== END ============
===================================

Syslog Message Reference


Facility-Severity-Mnemonic
• %SELINUX-3-MISMATCH
Severity-Meaning
• ERROR LEVEL Log
Message Explanation
• A resource access was made by the process for which a resource access policy is not defined. The operation
was flagged but not denied.
• The operation continued successfully and was not disrupted. A system log has been generated about the
missing policy for resource access by the process as denied operation.
Recommended Action
• Please contact CISCO TAC with the following relevant information as attachments:
• The message exactly as it appears on the console or in the system log.
• Output of "show tech-support" (text file)
• Archive of Btrace files from the box using the following command ("request platform software trace
archive target <URL>") For Example: Device#request platform software trace archive target
flash:selinux_btrace_logs

Support Added for the P-LTEAP18-GL Modem PID


The P-LTEAP18-GL PID uses the Telit modem LM960 modem. Details about all of the IR1101 modems are
found here:
https://www.cisco.com/c/en/us/td/docs/routers/access/1101/b_IR1101HIG/b_IR1101HIG_chapter_01.html#con_1161147

Initial Bootup Security Improvements


This section contains the following:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


76
New Features for Cisco IOS-XE 17.3.1
Enforce Changing Default Password

Enforce Changing Default Password


Previous software versions allowed the user to bypass setting a new enable password. When the device was
first booted after factory reset or fresh from the factory, the following prompt is received on the console:
Would you like to enter the initial configuration dialog? [yes/no]:
Previous software versions allowed answering no and the device would drop to the Router> prompt with a
blank enable password. At this point, the router could be configured and brought into service with a blank
enable password.
In previous documentation, Cisco recommended using the enable secret command instead of the enable
password command because this offers an improved encryption algorithm.
Starting with 17.3.1, the initial dialog has been changed to force setting a new enable password, and also using
the enable secret command instead. The following is an example:

Would you like to enter basic management setup? [yes/no]: yes


Configuring global parameters:

Enter host name [Router]: router-1

The enable secret is a password used to protect access to


privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: ********
Confirm enable secret: ********

The enable password is used when you do not specify an


enable secret password, with some older software versions, and
some boot images.
Enter enable password: **********

The virtual terminal password is used to protect


access to the router over a network interface.
Enter virtual terminal password: *********
Configure SNMP Network Management? [yes]: no

Enter interface name used to connect to the


management network from the above interface summary: Ethernet0/0

Configuring interface Ethernet0/0:


Configure IP on this interface? [yes]: no

The following configuration command script was created:


hostname router-1
enable secret 9 $9$emUzIshVXwlUaE$nTzhgi9STdZKzQc4VJ0kEaCqafjUNdCD7ZUf37SY9qg
enable password password-1
.
.
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2


.
.
router-1>en
Password:
router-1#sh run | sec enable

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


77
New Features for Cisco IOS-XE 17.3.1
Telnet and HTTP

enable secret 9 $9$emUzIshVXwlUaE$nTzhgi9STdZKzQc4VJ0kEaCqafjUNdCD7ZUf37SY9qg


enable password password-1

The following is an example of what happens if you answer no to the initial configuration dialog:

Would you like to enter the initial configuration dialog? [yes/no]: no


The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: ********
Confirm enable secret: ********
Would you like to terminate autoinstall? [yes]: yes

.
.
router-1>en
Password:
router-1#sh run | sec enable
enable secret 9 $9$emUzIshVXwlUaE$nTzhgi9STdZKzQc4VJ0kEaCqafjUNdCD7ZUf37SY9qg

After the enable secret is prompted during the first login, and the admin enters a password, the admin entered
password will be always masked. If the admin enters a weak password, they will be prompted again to enter
strong password (i.e. the standard mix of upper/lower case characters, special characters, numbers etc.). The
prompting will continue until the admin enters a strong password. The admin will be prompted to enter the
strong secret password twice for confirming that admin is sure that it is the secret that they want to configure.

Telnet and HTTP


There has been a change in the telnet and http boot configuration. When the device is first booted after factory
reset or fresh from the factory, the following takes place:
• Disable telnet
• Disable http server. HTTP client works.
• Enable SSH
• Enable https server
Note: This only applies to the IR1101, other IoT routers configuration remains the same.

Initial Bootup Security Improvements


This section contains the following:

Enforce Changing Default Password


Previous software versions allowed the user to bypass setting a new enable password. When the device was
first booted after factory reset or fresh from the factory, the following prompt is received on the console:
Would you like to enter the initial configuration dialog? [yes/no]:
Previous software versions allowed answering no and the device would drop to the Router> prompt with a
blank enable password. At this point, the router could be configured and brought into service with a blank
enable password.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


78
New Features for Cisco IOS-XE 17.3.1
Enforce Changing Default Password

In previous documentation, Cisco recommended using the enable secret command instead of the enable
password command because this offers an improved encryption algorithm.
Starting with 17.3.1, the initial dialog has been changed to force setting a new enable password, and also using
the enable secret command instead. The following is an example:

Would you like to enter basic management setup? [yes/no]: yes


Configuring global parameters:

Enter host name [Router]: router-1

The enable secret is a password used to protect access to


privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: ********
Confirm enable secret: ********

The enable password is used when you do not specify an


enable secret password, with some older software versions, and
some boot images.
Enter enable password: **********

The virtual terminal password is used to protect


access to the router over a network interface.
Enter virtual terminal password: *********
Configure SNMP Network Management? [yes]: no

Enter interface name used to connect to the


management network from the above interface summary: Ethernet0/0

Configuring interface Ethernet0/0:


Configure IP on this interface? [yes]: no

The following configuration command script was created:


hostname router-1
enable secret 9 $9$emUzIshVXwlUaE$nTzhgi9STdZKzQc4VJ0kEaCqafjUNdCD7ZUf37SY9qg
enable password password-1
.
.
[0] Go to the IOS command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration to nvram and exit.

Enter your selection [2]: 2


.
.
router-1>en
Password:
router-1#sh run | sec enable
enable secret 9 $9$emUzIshVXwlUaE$nTzhgi9STdZKzQc4VJ0kEaCqafjUNdCD7ZUf37SY9qg
enable password password-1

The following is an example of what happens if you answer no to the initial configuration dialog:

Would you like to enter the initial configuration dialog? [yes/no]: no


The enable secret is a password used to protect access to
privileged EXEC and configuration modes. This password, after
entered, becomes encrypted in the configuration.
Enter enable secret: ********
Confirm enable secret: ********
Would you like to terminate autoinstall? [yes]: yes

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


79
New Features for Cisco IOS-XE 17.3.1
Enforce Changing Default Password

.
.
router-1>en
Password:
router-1#sh run | sec enable
enable secret 9 $9$emUzIshVXwlUaE$nTzhgi9STdZKzQc4VJ0kEaCqafjUNdCD7ZUf37SY9qg

After the enable secret is prompted during the first login, and the admin enters a password, the admin entered
password will be always masked. If the admin enters a weak password, they will be prompted again to enter
strong password (i.e. the standard mix of upper/lower case characters, special characters, numbers etc.). The
prompting will continue until the admin enters a strong password. The admin will be prompted to enter the
strong secret password twice for confirming that admin is sure that it is the secret that they want to configure.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


80
CHAPTER 10
New Features for Cisco IOS-XE 17.4.1
The following are the new features available on the IR1101 for IOS-XE release 17.4.1:
• Features for Cisco IOS-XE 17.4.1, on page 81
• Cyber Vision Support, on page 81
• Deployment of Cyber Vision Center (CVC) on IOS-XE platform, on page 81
• Installing CVC Sensor using LM GUI, on page 88

Features for Cisco IOS-XE 17.4.1


The following features are introduced for IoT Routing.
Cisco Cyber Vision Support feature is found further below in this chapter.
Out Of Band Management is found here: https://www.cisco.com/c/en/us/td/docs/routers/access/1101/software/
configuration/guide/b_IR1101config/m-out-of-band-management.html
DSL capability by using a Small Form-factor Pluggable (SFP) network interface module is found here:
https://www.cisco.com/c/en/us/td/docs/routers/access/1101/software/configuration/guide/b_IR1101config/
m_configuring_dsl.html

Cyber Vision Support


Cisco Cyber Vision Center (CVC) gives more visibility into Industrial IoT networks across Industrial Control
Systems (ICS) with real-time monitoring of control and data networks. On IoT IOS-XE platforms beginning
with release 17.4, integration of CVC is supported by deploying IOX Cyber Vision sensor. With this sensor
deployed on IoT Routers, the platform can forward the traffic from IOX applications to Cyber Vision Center
for real-time monitoring and we can forward any captured PCAP files to Vision center from IOX application.

Deployment of Cyber Vision Center (CVC) on IOS-XE platform


Step 1 Download Cisco supported Cyber Vision IOX application from the following location:
https://software.cisco.com/download/home/286325414/type/286325316/release/3.1.1?catid=268438162

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


81
New Features for Cisco IOS-XE 17.4.1
Example Configuration for ERSPAN over L3 configuration along with Virtual Port Groups:

Select Cisco Cyber Vision Sensor IOx Application 3.1.1 for IE3400 and IR1101.

Step 2 Install CVC version 3.1.1 on Virtual Machine or on any Hypervisor. The following location is the download link for
different versions of CVC:
https://software.cisco.com/download/home/286325414/type
Release Notes for Cisco Cyber Vision Release 3.1.1:
https://www.cisco.com/c/dam/en/us/td/docs/security/cyber_vision/Cisco-Cyber-Vision_Release-Note-3-1-1.pdf

Step 3 The CVC sensor requires two VirtualPort Group interfaces. One on the platform where one interface is used for IOX
traffic, and the other for mirror traffic which is forwarded to physical, SVI or Tunnel interface which ERSPAN source.
Refer to the following illustration:
Figure 22: CVC over L3 interface

Step 4 The CVC Sensor deployment can be installed from either the LMGUI or CLI.

Example Configuration for ERSPAN over L3 configuration along with Virtual


Port Groups:
Physical and Virtual Port Configuration:

interface virtualportgroup 0
ip address 169.254.1.1 255.255.255.252
interface virtualportgroup 1
ip nat inside
ip address 169.254.0.1 255.255.255.252
interface gi0/0/0
ip address 101.0.0.151 255.255.255.0
ip nat outside
no shut

ERSPAN Configuration:

monitor session 1 type erspan-source

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


82
New Features for Cisco IOS-XE 17.4.1
CLI Installation

source interface Gi0/0/0


no shutdown
destination
erspan-id 1
mtu 1464
ip address 169.254.1.2
origin ip address 169.254.1.1

NAT Configuration with Access-list:

ip nat inside source list NAT_ACL interface Gi0/0/0 overload


ip access-list standard NAT_ACL
10 permit 169.254.0.0 0.0.0.3

CLI Installation
To install the app through the CLI, copy the CVC sensor to bootflash, USB or mSATA. Then install the app
using the app-hosting CLI, and provide the docker options before activating the app. For example:

Router(config-if)#iox
Router# app-hosting install app-id <app-id> package {bootflash:/|usbflash0:|msata:}
app-hosting appid <app-id>
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 169.254.1.2 netmask 255.255.255.252
app-vnic gateway1 virtualportgroup 1 guest-interface 1
guest-ipaddress 169.254.0.2 netmask 255.255.255.252
app-default-gateway 169.254.0.1 guest-interface 1
app-resource docker
run-opts 1 "--rm --tmpfs /tmp:rw,size=128m"
Router# app-hosting {activate|start|stop|deactivate|uninstall} app-id <app-id>

LMGUI Installation
Configure the following to reach the LMGUI:

iox
ip http server
ip http secure-server
ip http authentication local
Username cisco privilege 15 password cisco
Login URL: http://<Mgmt_IP>/iox/login

Additional details can be found in Installing CVC Sensor using LM GUI, on page 88

Register the Router Details

Step 1 Register the IOS-XE Router details on CVC by logging in and navigating to:
Admin > Sensors > Install Sensor Manually
Then click on Cisco IOx Application. Refer to the following:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


83
New Features for Cisco IOS-XE 17.4.1
Register the Router Details

Figure 23: Sensor install

Step 2 Provide the serial number of the Router. It should be an exact match from the output of show inventory, and then click
on Create Sensor. Refer to the following:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


84
New Features for Cisco IOS-XE 17.4.1
Register the Router Details

Figure 24: Router Serial Number

Step 3 Generate the Provisioning file from CVC by clicking on Get Provisioning File. Refer to the following:
Figure 25: Generate Provisioning File

Step 4 Download the provisioning file to a local directory. The file comes as a zip file with a file name like the following:
Example:
sbs-sensor-config-<S/N of Router>.zip

Step 5 Import the Provisioning file to Router through the LM GUI. From the LM GUI Applications, navigate to:
Applications > CVC App (Application Name) > Manage > App-DataDir
Refer to the following:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


85
New Features for Cisco IOS-XE 17.4.1
Register the Router Details

Figure 26: Upload Provision File

Step 6 Click Upload. The Upload Configuration window appears. Upload the downloaded provisioned file from CVC with the
same name. Refer to the following:
Figure 27: Upload Configuration

Step 7 Verify the Authentication on CVC. Validate if the installed sensor Status changed to Connected or Waiting for Data.
Refer to the following:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


86
New Features for Cisco IOS-XE 17.4.1
Capture Live Traffic

Figure 28: Sensor Status

Capture Live Traffic

Step 1 Sync the date and time between CVC and Router. To capture the live traffic there should be exact clock sync between
Router and CVC.
Step 2 Simulate IOX Traffic or play captured PCAP files. The CVC Sensor installed on the Router is a docker app. To login to
the console of the App, perform the following command:
Example:
app-hosting connect app-id <app-name> session

Step 3 Upload the PCAP Files to the App from LM-GUI. Navigate to:
Applications > CVC App (Application Name) > Manage >App-Dir
The following commands show how to play the PCAP file:
Example:

Router# show app-hosting list


App id State
-------------------------------------------------
CVC Sensor RUNNING

Router# app-hosting connect appid CVCSensor session

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


87
New Features for Cisco IOS-XE 17.4.1
Installing CVC Sensor using LM GUI

sh-5.0#
*Jul 14 08:45:05.603: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(15! in/busybox.nosuid"
dev="overlay" ino=72930 scontext=system_u:system_r: polaris_bexecute_*
sh-5.0# flowctl read-capture-file /iox_data/appdata/tl04
OK
sh-5.0#

Step 4 Monitor the traffic on CVC. Navigate to Explore > Essential Data > Activity List
Refer to the following:
Figure 29: Activity List

Installing CVC Sensor using LM GUI


Step 1 Login using user account and password.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


88
New Features for Cisco IOS-XE 17.4.1
Installing CVC Sensor using LM GUI

Figure 30: Local Manager Login

Step 2 Install the sensor virtual application. Once you are logged in, the following menu will appear:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


89
New Features for Cisco IOS-XE 17.4.1
Installing CVC Sensor using LM GUI

Figure 31: LM GUI Application Install

Step 3 Click on Add New. Navigate to the app file, for example, CiscoCyberVision-IOx-aarch64-xxx.tar. Add the name of the
app, for example, CCVSensor.
Configure the sensor virtual application. Refer to the following:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


90
New Features for Cisco IOS-XE 17.4.1
Installing CVC Sensor using LM GUI

Figure 32: CCVSensor Activation

Step 4 Click on Activate to launch the configuration of the sensor application. Click on the CCVSensor Tab, and click on
Resources. Refer to the following:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


91
New Features for Cisco IOS-XE 17.4.1
Installing CVC Sensor using LM GUI

Figure 33: Setup Sensor LM IOXAppDisk

Change the disk size to 128MB.


Note Do not use more space than that.

Step 5 Navigate to Advanced Settings. In advanced options, configure the tmpfs by adding the following in the text area beside
Docker Options:
--tmpfs /tmp:rw,size=128m

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


92
New Features for Cisco IOS-XE 17.4.1
Binding eth0

Figure 34: Advanced Settings

Step 6 Bind interfaces in the container to an interface on the host in the Network Configuration section.

What to do next
Move to the next sections Binding eth0 and Binding eth1.

Binding eth0
To configure eth0:

Step 1 Select interface eth0, and then click on edit.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


93
New Features for Cisco IOS-XE 17.4.1
Binding eth0

Figure 35: eth0

Step 2 Select the Interface VPG1.


Figure 36: VPG1

Step 3 Click on Interface Setting.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


94
New Features for Cisco IOS-XE 17.4.1
Binding eth0

Figure 37: Interface Setting

Step 4 Apply the following configuration:


• • Choose the Static option
• IP/Mask add 169.254.0.2 / 30
• Default Gateway IP is 169.254.0.1

Then click on OK.


Figure 38: IPv4 Setting

Step 5 Click on OK again.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


95
New Features for Cisco IOS-XE 17.4.1
Binding eth1

Step 6 The Activate window appears. Click on OK.


Figure 39: Activate Window

Binding eth1
To configure the eth1 interface:

Step 1 Select VPG0.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


96
New Features for Cisco IOS-XE 17.4.1
Binding eth1

Figure 40: VPG0

Step 2 Click Interface Setting and apply the following configuration:


• • Choose the Static option
• IP/Mask add 169.254.1.2 / 30

Figure 41: IPV4 Setting

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


97
New Features for Cisco IOS-XE 17.4.1
Activate the Application

Activate the Application


Now the sensor application should be activated.

Step 1 Click on Activate App. Refer to the following:


Figure 42: Activate the Application

Step 2 The progress window appears. This may take several seconds to finish.
Figure 43: Activation Progress

Step 3 Click on Applications to display the app status. Refer to the following:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


98
New Features for Cisco IOS-XE 17.4.1
Starting the Application

Figure 44: Applications Resources

Step 4 The application is activated and needs to be started.

Starting the Application

Step 1 Click on Start. Refer to the following:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


99
New Features for Cisco IOS-XE 17.4.1
Starting the Application

Figure 45: Start Application

Step 2 The progress window appears. This may take several seconds to finish.
Figure 46: Progress Window

Step 3 After some time, the app status will change to running.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


100
New Features for Cisco IOS-XE 17.4.1
Starting the Application

Figure 47: Application Running

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


101
New Features for Cisco IOS-XE 17.4.1
Starting the Application

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


102
CHAPTER 11
New Features for Cisco IOS-XE 17.5.1
The following are the new features available on the IR1101 for IOS-XE release 17.5.1:
• DSL SFP Annex J support, on page 103
• VXLAN, on page 104
• Dying-Gasp SMS Notification for EM74XX Modems, on page 105
• SNMP MIB for Digital I/O, on page 106
• GPS access to IOx Apps, on page 106
• Yang model for mSATA, on page 107
• Guest shell as IOx container app, on page 108
• SNMP MIB supports the show power CLI, on page 109
• ERSPAN support cellular interface as source interface, on page 110
• Yang model for DSL, on page 110
• DNP3 Enhancement, on page 111

DSL SFP Annex J support


IOS-XE release 17.5.1 adds in support for Annex-J configuration in the controller interface.

Note ADSL2+ J is supported, ADSL2 J is not yet supported in 17.5.1.

To enable Annex-J, perform the following:

router#config term
router(conf)#controller vdsl 0/0/0
router(conf-if)#capability annex-j
router#(conf-if)#exit
router#

To remove Annex-J, perform the following:

To remove Annex-J:
router#config term
router(conf)#controller vdsl 0/0/0
router(conf-if)#no capability annex-j

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


103
New Features for Cisco IOS-XE 17.5.1
VXLAN

router#(conf-if)#exit
router#

17.5.1 adds in a new command rx-padding. This command is used for packets with an MTU less than 64
bytes.

Important If frames less than 64mtu are expected downstream from the service provider, the Vlan configuration
must be vlan 96.

The command example is as follows:

router#config term
router#controller vdsl 0/0/0
router(conf-if)#rx-padding
router(conf-if)#end

Execute write mem to save the configuration.

VXLAN
VXLAN is a MAC in IP/UDP (MAC-in-UDP) encapsulation technique with a 24-bit segment identifier in
the form of a VXLAN ID. The larger VXLAN ID allows LAN segments to scale to 16 million in a cloud
network. In addition, the IP/UDP encapsulation allows each LAN segment to be extended across existing
Layer 3 networks, making use of Layer 3 Equal-Cost Multi-Path (ECMP).

The configuration for the two devices is shown in the following table:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


104
New Features for Cisco IOS-XE 17.5.1
Dying-Gasp SMS Notification for EM74XX Modems

Router-1 Router-2

bridge-domain 1 bridge-domain 1
member vni 6001 member vni 6001
member Vlan100 service-instance 1 member Vlan100 service-instance 1
! !
interface Loopback1 interface Loopback1
ip address 200.200.200.200 255.255.255.255 ip address 100.100.100.100 255.255.255.255
! !
interface GigabitEthernet0/0/0 interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.0 ip address 192.168.1.3 255.255.255.0
media-type rj45 media-type rj45
! !
interface FastEthernet0/0/1 interface FastEthernet0/0/1
switchport access vlan 100 switchport access vlan 100
! !
interface Vlan100 interface Vlan100
no ip address no ip address
service instance 1 ethernet service instance 1 ethernet
encapsulation dot1q 100 //untag encapsulation dot1q 100 //untag
! !
interface nve1 interface nve1
no ip address no ip address
source-interface Loopback1 source-interface Loopback1
member vni 6001 member vni 6001
ingress-replication 100.100.100.100 ingress-replication 200.200.200.200
! !
ip forward-protocol nd ip forward-protocol nd
ip pim rp-address 200.200.200.200 ip pim rp-address 100.100.100.100
ip http server no ip http server
ip http secure-server ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.3 ip route 0.0.0.0 0.0.0.0 192.168.1.2
! !

Dying-Gasp SMS Notification for EM74XX Modems


Prerequisites:
• Hardware Peripheral: P-LTEA-EA, P-LTEA-LA
• Initial Release: IOS-XE 17.5.1
• License: Cisco Network-advantage
Pluggable Interface Modules (PIMs) using the EM7430 or EM7455 modem have extra capacitors to supply
power to the modem in case of loss of power to the module. This allows a graceful power off of the modem.
When loss of power is detected, the modem is expected to send out dying gasp SMS when configured.
The following is an example of configuring dying gasp with a phone number and SMS message:

#controller Cellular 0/1/0


#lte dyinggasp sms send 9119110911 “Losing Power”
Warning: Enabling Dying Gasp SMS configuration completed successfully.
Please reset Modem for the changes to take effect

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


105
New Features for Cisco IOS-XE 17.5.1
Configuration Steps

Configuration Steps
Step Command Purpose

1 configure terminal Enters the global configuration mode.

2 controller Cellular <slot> Enters the interface command mode for the cellular module
controller slot.

3 lte dyinggasp detach enable Enable dying-gasp feature with send detach request

4 lte dyinggasp sms send <phone Configure the phone number to receive SMS text message and
number> <SMS message> the content of text message to be sent by the modem when
platform or module powered down.

5 exit Exit configuration

6 write mem Save changes to the router configuration

Configuration Example
The following example shows how to enable dying-gasp feature on cellular module in slot 0/1/0, specify
phone number receiving the SMS, and the specific SMS text message to be sent by modem upon power failure.

router# configure terminal

router(config)# controller cellular 0/1/0


router (config-controller)# lte dyinggasp detach enable
router (config-controller)# lte dyinggasp sms send 4081112222
IR1101-#999_EM7455_powered_off!

SNMP MIB for Digital I/O


Digital I/O is similar to the ALARM IN and ALARM OUT supported in other IR devices. On other devices,
ALARM IN is a dedicated input and the ALARM OUT is a dedicated output. With Digital I/O it can be input
or output. There are 4 Digital I/O available on the IR1101 with an IRM-1100 Expansion Module.
MIB support will reflect the show alarm output for digital I/O only.
CISCO-DIGITAL-IO-MIB.my will have 4 digital I/O nodes. Each digital I/O node will have corresponding
attributes like description, enable, severity, application, output, threshold, trigger leaf nodes for each digital
I/O nodes.

GPS access to IOx Apps


Previously, when a modem has GPS enabled, the NMEA stream was not forwarded to IOx. This release allows
the NMEA stream to be forwarded to IOx from the ngiolite module. There are two steps to enable this.
• Create a tunnel between Linux and IOx
• Forward all NMEA messages over the tunnel to IOx.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


106
New Features for Cisco IOS-XE 17.5.1
Yang model for mSATA

The system code checks for the presence of the tunnel, and if it is not present, data cannot be sent to IOx.
To support this feature there will be two new tunnels created for two cellular modems on the IR1101 and
IR1800. Two tunnels are created by default and whichever modem has the GPS/NMEA enabled, the NMEA
stream will be sent over the corresponding tunnel as follows:
Modem0:
[Linux] /dev/ttyTun5 and /dev/ttyTun6 [IOx]. Soft link to /dev/ttyTun5 will be created named
/dev/ttyTunNMEA0, soft link to /dev/ttyTun6 will be created named /dev/ttyNMEA0 which can be accessed
from IOx.
Modem1:
[Linux] /dev/ttyTun7 and /dev/ttyTun8 [IOx]. Soft link to /dev/ttyTun7 will be created named
/dev/ttyTunNMEA1, soft link to /dev/ttyTun8 will be created named /dev/ttyNMEA1 which can be accessed
from IOx.
The following command shows the state of the GPS:

IR1101#show app-hosting list


App id State
---------------------------------------------------------
gps RUNNING

Yang model for mSATA


YANG is a popular data modeling language to represent data sent over network management protocols such
as NETCONF and RESTCONF. The Cisco-IOS-XE-device-hardware-oper YANG model has been modified
to show mSATA information. mSATA has two CLIs to display associated data.
These two CLIs are:
show platform hardware msata status
• The CLI gives information on whether the SSD is present or not.
• If the SSD is present, a message "SSD is present" is displayed.
• If the SSD is not present, a message "SSD is not present" is displayed.
show platform hardware msata lifetime
• If SSD is present an output representing the SSD lifetime in % is displayed: "SSD lifetime remaining
(%): 99"
• If SSD is not present, a message "SSD is not present" is displayed.
A typical YANG response for mSATA in device-inventory is as shown below:

<device-inventory>
<hw-type>hw-type-ssd</hw-type>
<hw-dev-index>5</hw-dev-index>
<version>V00</version>
<part-number>IR-SSD-MSATA-100G</part-number>
<serial-number>FOC21520XFV</serial-number>
<hw-description>mSATA Module</hw-description>
<dev-name>Expansion module 2 - mSATA Module</dev-name>
<field-replaceable>true</field-replaceable>
<hw-class>hw-class-virtual</hw-class>

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


107
New Features for Cisco IOS-XE 17.5.1
Guest shell as IOx container app

<lifetime>99</lifetime>
</device-inventory>

Cisco IOS-XE Yang Data Models are found here:


https://github.com/YangModels/yang/tree/master/vendor/cisco/xe
Each release has a directory, and the 17.5.1 release is found under 1751.

Guest shell as IOx container app


The Guest Shell is a virtualized Linux-based environment, designed to run custom Linux applications, including
Python for automated control and management of Cisco devices. Using the Guest Shell, the user can also
install, update, and operate third-party Linux applications and access the IOS CLI.
The Guest Shell environment is intended for tools, Linux utilities, and manageability rather than networking.
Guest Shell shares the kernel with the host (router) system. Users can access the Linux shell of Guest Shell
and update scripts and software packages in the container rootfs. However, users within the Guest Shell cannot
modify the host file system and processes.
The Guest Shell container is managed using IOx. IOx is Cisco's Application Hosting Infrastructure for Cisco
IOS XE devices. IOx enables hosting of applications and services developed by Cisco, partners, and third-party
developers in network edge devices, seamlessly across diverse and disparate hardware platforms.
The Guest Shell is typically bundled with the system image and can be installed using the guestshell enable
Cisco IOS command. However, this approach leads to an increase of roughly 75MB in the size of the image.
This is a problem for some users who have limited bandwidth, or download images through LTE.
With these users in mind, guestshell will be made available as a single tar file which can then be downloaded
and installed on the system like any other IOX application. As a result, there won't be any increase in the size
of the universal release image.

Note Day 0 guestshell provisioning will not work with this approach.

By default, Guest Shell allows applications to access the management network via the management interface.
For platforms like the IR1101, which don't have a dedicated management port, a VirtualPortGroup can be
associated with Guest Shell in the IOS configuration.
Sample guestshell configuration can be found on this page:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1612/b_1612_programmability_cg/guest_shell.html#id_45931
To install guestshell on the device, copy the tar file to the router and run the following command:

app-hosting install appid guestshell package <path to tar file>

Use the following command to check the status:

show app-hosting list

Once guestshell has been deployed successfully, standard guestshell commands such as guestshell enable,
guestshell run bash, and guestshell run python3 should work.
The following resource talks about running python scripts using guestshell:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


108
New Features for Cisco IOS-XE 17.5.1
SNMP MIB supports the show power CLI

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1612/b_1612_programmability_cg/cli_python_module.html

Note Only python3 is supported in 17.5.1.

Important - Before You Install


Before attempting to install Guest shell on your device, please verify that the device has IOx container keys
programmed on it by running the following command:
Router#show software authenticity keys | i Name
Product Name : SFP-VADSL2-I
Product Name : SFP-VADSL2-I
Product Name : IR1101
Product Name : IR1101
Product Name : Cisco Services Containers
Product Name : Cisco Services Containers

The output should contain one or more lines with the Product Name “Cisco Services Containers”. If the device
doesn’t have container keys programmed on it, then you won’t be able to install guest shell.
You will see an error like the following:
*Aug 26 15:47:21.484: %IOSXE-3-PLATFORM: R0/0: IOx: App signature verification failed with
non-zero exit code
*Aug 26 15:47:21.588: %IM-6-INSTALL_MSG: R0/0: ioxman: app-hosting: Install failed: App
package signature (package.sign)
verification failed for package manifest file package.mf. Re-sign the application and then
deploy again.

There is no software based mechanism to install container keys on the device. The keys have to be programmed
at the manufacturing facility. IR1100 devices shipped after January 1, 2020, should have the container keys
programmed.
The guest shell tar file is published along with the IOS-XE image for a given release. More information can
be found here:https://developer.cisco.com/docs/iox/#!iox-resource-downloads/downloads

SNMP MIB supports the show power CLI


SNMP MIB support for the show power CLI is available through a new mib file:
CISCO-ENTITY-SENSOR-MIB.my
The following is an example of the show power CLI:

#show power
Main PSU :
Total Power Consumed: 8.77 Watts
Configured Mode : N/A
Current runtime state same : N/A
PowerSupplySource : External PS

The following is an example of the CISCO-ENTITY-SENSOR-MIB.my MIB:

SensorDataType (INTEGER) watts(6)


SensorDataScale (INTEGER) milli(8)
SensorValue(INTEGER) 8770

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


109
New Features for Cisco IOS-XE 17.5.1
ERSPAN support cellular interface as source interface

Use the following commands to configure:

Router#config term
Router#(config) snmp-server community public RW
Router#(config) end

ERSPAN support cellular interface as source interface


Encapsulated Remote Switched Port Analyzer (ERSPAN) allows traffic from Cellular interfaces to be
monitored. ERSPAN sends monitored traffic to a network analyzer.
The following is a sample configuration:

Router(config)#monitor session 1 type erspan-source


Router(config-mon-erspan-src)#no shut
Router(config-mon-erspan-src)#source interface Cellular0/1/0
Router(config-mon-erspan-src)#destination
Router(config-mon-erspan-src-dst)#erspan-id 1
Router(config-mon-erspan-src-dst)#mtu 146
Router(config-mon-erspan-src-dst)#ip address 169.254.1.2
Router(config-mon-erspan-src-dst)#origin ip address 169.254.1.1
Router#show monitor session erspan-source
Session 1
---------
Type : ERSPAN Source Session
Status : Admin Enabled
Source Ports :
Both : Ce0/1/0
Destination IP Address : 169.254.1.2
MTU : 1464
Destination ERSPAN ID : 1
Origin IP Address : 169.254.1.1

For detailed information on configuring ERSPAN, see the following guide:


https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/configuration/xe-3s/lanswitch-xe-3s-book/lnsw-conf-erspan.pdf

Yang model for DSL


YANG is a popular data modeling language to represent data sent over network management protocols such
as NETCONF and RESTCONF.
The Cisco-IOS-XE-controller-vdsl-oper has been introduced to edit the Controller vdsl configurations which
gives the yang support for the DSL.
An example of a typical yang response for edit config of the dsl controller follows:

<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<controller>
<VDSL xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-controller">
<name>0/0/0</name>
<adsl-pvc xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-adsl">
<vpi-vci>255/65535</vpi-vci>
<bridge-dot1q>21</bridge-dot1q>
<encapsulation>vcmux</encapsulation>
</adsl-pvc>

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


110
New Features for Cisco IOS-XE 17.5.1
DNP3 Enhancement

</VDSL>
</controller>
</native>
</nc:config></nc:edit-config></nc:rpc>

Note The Controller configurations can be retrieved using get and get-config operations with the
Cisco-IOS-XE-native yang model.

Cisco IOS-XE Yang Data Models are found here:


https://github.com/YangModels/yang/tree/master/vendor/cisco/xe
Each release has a directory, and the 17.5.1 release is found under 1751.

DNP3 Enhancement
In some cases, older RTUs were previously used in peer-to-peer mode. These RTUs dynamically swapped
the roles of DNP3 Serial subordinate and primary by setting the bit DIR=1 in the message header. ASE’s
SCADA stack used in Cisco routers are always configured to be DNP3 Serial primary. In this case, all the
packets received from DNP3 serial with DIR=1 were ignored causing many messages from RTU to be
discarded. To handle these scenarios, a new SCADA configuration CLI has been added:
scada-gw protocol ignore direction.
Enabling this CLI will allow the router to accept incoming packets from RTU even when DIR=1. The new
CLI will also be added to the Cisco-IOS-XE-scada-gw.yang config model.
The following is an example usage:

Router# config term


Router(config)# scada-gw protocol ignore direction

Configuration
Configuration example with scada-gw protocol ignore direction on T101/T104

scada-gw protocol t101


channel rt-chan
link-addr-size two
bind-to-interface Async0/2/0
session rt-sess
attach-to-channel rt-chan
common-addr-size one
cot-size two
info-obj-addr-size three
link-addr 31
sector rt-sec
attach-to-session rt-sess
asdu-addr 100
scada-gw protocol t104
channel mt-chan
t3-timeout 20
tcp-connection 0 local-port 8001 remote-ip 192.168.1.0/24
session mt-sess

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


111
New Features for Cisco IOS-XE 17.5.1
Configuration

attach-to-channel mt-chan
sector mt-sec
attach-to-session mt-sess
asdu-addr 101
map-to-sector rt-sec
scada-gw protocol ignore direction
scada-gw enable

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


112
CHAPTER 12
New Features for Cisco IOS-XE 17.6.1
The following are the new features available for the IR1101 on release 17.6.1:
• Per Port DHCP Address Allocation, on page 113
• Custom Controlled LED, on page 114
• Support DSL SFP Firmware signing and signature validation, on page 114
• DSL SFP Annex M support, on page 115
• Support Four ADSL MIB Objects, on page 115
• Digital IO Enhancement, on page 115

Per Port DHCP Address Allocation


No new CLI added. The device on interface FA0/0/1 should get 192.0.2.90.
The minimum configuration looks like the following example:

conf t
ip dhcp excluded-address 192.0.2.1 192.0.2.80
ip dhcp excluded-address 192.0.2.100 192.0.2.255
ip dhcp use subscriber-id client-id
end

conf t
ip dhcp pool 16
network 192.0.2.0 255.255.255.0
address 192.0.2.90 client-id Fa0/0/1 ascii
end

The show output CLI appears like the following:

Router#show ip dhcp binding


Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type State Interface
Hardware address/
User name
192.0.2.90 0046.6130.2f30.2f31 Infinite Manual Active Unknown

Note The client-id has to be the short-name of the interface. Use "Fa" for FastEthernet interface. Use "Gi"
for GigabitEthernet interface.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


113
New Features for Cisco IOS-XE 17.6.1
Custom Controlled LED

Custom Controlled LED


The IR-1101 has a non-blinking tri-color custom LED, which can be controlled with the following executive
privilege CLI.

router# set platform hardware custom-led <0-7>

The numbers 0-7 are as follows:


• 0: Off
• 1: Blue
• 2: Green
• 3: Red
• 4: Blue/Green
• 5: Blue/Red
• 6: Green Red
• 7: Blue/Green/Red

Support DSL SFP Firmware signing and signature validation


An optional IOS filepath has been added to the end of the existing upgrade command. The file must be signed
with SFP-VADSL2-I key. The file could be in bootflash:/flash:, usbflash0 or msata:. It cannot be from any
remote file system.

Command Line Interface


The command line interface for upgrading the module follows:
router# upgrade hw-module subslot 0/0 sfp 0 <IOS filepath>
Options to the command are:
Router#upgrade hw-module subslot 0/0 sfp 0 ?
bootflash: Firmware filename on local driver
crashinfo: Firmware filename on local driver
flash: Firmware filename on local driver
usbflash0: Firmware filename on local driver

The following is an example of the command usage:


Router#upgrade hw-module subslot 0/0 sfp 0 bootflash:sfp8455_rel.bin
Digital signature successfully verified in file bootflash:sfp8455_rel.bin
Upgrade SFP firmware on interface GigabitEthernet0/0/0 from 1_62_8463 to 1_62_8455
Connection will be disrupted, Continue(Y/N)?y
Start ebm upgrade!!
.................................................................................
.................................................................................
..................................................................................
..................................................................................

firmware update success!!

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


114
New Features for Cisco IOS-XE 17.6.1
DSL SFP Annex M support

DSL SFP Annex M support


Support is the same as it was for Annex-J in 17.5.1

Support Four ADSL MIB Objects


MIB support has been added to obtain the DSL line speed and attainable rate on the IR1101.
The new MIBS are shown below:
1.3.6.1.2.1.10.94.1.1.4.1.2 ADSL-LINE MIB:adslAtucChanCurrTxRate
1.3.6.1.2.1.10.94.1.1.5.1.2 ADSL-LINE MIB:adslAturChanCurrTxRate
1.3.6.1.2.1.10.94.1.1.2.1.8 ADSL-LINE MIB:adslAtucCurrAttainableRate
1.3.6.1.2.1.10.94.1.1.3.1.8 ADSL-LINE MIB:adslAturCurrAttainableRate

Command Line Interface


On a router with a DSL SFP connected to ADSL DSLAM, the following existing SNMP CLIs can be used
to verify support for the above OIDs:

!configure SNMP Server


!---------------------
snmp-server community public RO
snmp-server manager
!
!verify MIB OIDs
!---------------
snmp get-next v2c 33.33.33.102 public oid 1.3.6.1.2.1.10.94.1.1.4.1.2
!

The following command can also be used to gather the MIB values from another SNMP Client (for example,
a linux device):

$ snmpwalk -v 2c -c public 33.33.33.102 1.3.6.1.2.1.10.94.1.1.4.1.2

Digital IO Enhancement
Support has been added to allow some digital I/O ports to be managed by IOSd, and some other digital IO
ports to be managed by IOx container apps. An updated CLI has been added and the YANG model for Digital
IO Enhancement has been updated.
The 17.5.1 version of the CLI is:

Router(config)# alarm contact attach-to-iox

Note With release 17.5.1, alarm contact attach-to-iox gave IOX control for ALL digital IO ports (1 thru 4).

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


115
New Features for Cisco IOS-XE 17.6.1
Digital IO Enhancement

The 17.6.1 version of the CLI is:

Router(config)#alarm contact 1 ?
application Set the alarm application
attach-port-to-iox Enable selected Digital IO Ports access from IOX
description Set alarm description
enable Enable the alarm/digital IO port
output Set mode as output
severity Set the severity level reported
threshold Set the digital IO threshold
trigger Set the alarm trigger

Router(config)#alarm contact 1 attach-port-to-iox

Router#show alarm
Alarm contact 0:
Not enabled.
Digital I/O 1:
Attached to IOX.
Digital I/O 2:
Not enabled.
Digital I/O 3:
Not enabled.
Digital I/O 4:
Not enabled.

In the updated CLI, <1-4> are the number of digital I/O ports to assign to IOx for container apps.

Note With release 17.6.1, each digital IO port can be assigned to IOX individually.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


116
CHAPTER 13
New Features for Cisco IOX XE 17.7.1
This chapter contains the following sections:
• IRM-1100 Expansion Module on the Compute Side, on page 117
• Support ADSL MIB Objects, on page 117
• Support VDSL MIB Objects, on page 118
• Support 1G SFPs, on page 119

IRM-1100 Expansion Module on the Compute Side


The IR1101 has two attachment points for expansion modules. The top side of the router is referred to as the
Expansion side. The bottom side of the router is referred to as the Compute side.
Prior to IOS XE release 17.7.1, support was only on the Expansion side.
Starting with the 17.7.1 release, additional modules can be connected on the Compute side.

Features and Limitations


The following apply to the IRM-1100 with release 17.7.1:
• Switchports will not work if anything is connected on the Compute side
• MSATA and GPIO Pins for IRM-1100-SPMI are not supported when it is connected to the Compute
side (bottom) for 17.7.1
• The IR1101 can only support a maximum of two LTE interfaces. Connecting an IRM-1100 on both sides
is not supported. If connected in this configuration, only the Expansion side will be active.
• LTE interfaces when connected on Compute side, are enumerated cellular 0/4/0 and cellular 0/4/1
• CAT18 LTE module is not supported on the Compute side.
• Only the LTE interface functions when the IRM-1100-SP or IRM-1100-SPMI is connected on the
Compute side.

Support ADSL MIB Objects


The following ADSL MIB OID will be supported on the IR1101:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


117
New Features for Cisco IOX XE 17.7.1
Support VDSL MIB Objects

1.3.6.1.2.1.10.94.1.1.6.1.15 ADSL-LINE-MIB adslAtucPerfCurr15MinInits


1.3.6.1.2.1.10.94.1.1.6.1.22 ADSL-LINE-MIB adslAtucPerfCurr1DayInits

Support VDSL MIB Objects


The following VDSL MIB OID will be supported on the IR1101:

1.3.6.1.2.1.10.251.1.4.1.2.1.3 VDSL2-LINE-MIB xdsl2PMLInitCurr15MTimeElapsed


1.3.6.1.2.1.10.251.1.4.1.2.1.4 VDSL2-LINE-MIB xdsl2PMLInitCurr15MFullInits
1.3.6.1.2.1.10.251.1.4.1.2.1.5 VDSL2-LINE-MIB xdsl2PMLInitCurr15MFailedFullInits
1.3.6.1.2.1.10.251.1.4.1.2.1.6 VDSL2-LINE-MIB xdsl2PMLInitCurr15MShortInits
1.3.6.1.2.1.10.251.1.4.1.2.1.7 VDSL2-LINE-MIB xdsl2PMLInitCurr15MFailedShortInits
1.3.6.1.2.1.10.251.1.4.1.2.1.10 VDSL2-LINE-MIB xdsl2PMLInitCurr1DayTimeElapsed
1.3.6.1.2.1.10.251.1.4.1.2.1.11 VDSL2-LINE-MIB xdsl2PMLInitCurr1DayFullInits
1.3.6.1.2.1.10.251.1.4.1.2.1.12 VDSL2-LINE-MIB xdsl2PMLInitCurr1DayFailedFullInits
1.3.6.1.2.1.10.251.1.4.1.2.1.13 VDSL2-LINE-MIB xdsl2PMLInitCurr1DayShortInits
1.3.6.1.2.1.10.251.1.4.1.2.1.14 VDSL2-LINE-MIB xdsl2PMLInitCurr1DayFailedShortInits
1.3.6.1.2.1.10.251.1.4.1.1.1.2 VDSL2-LINE-MIB xdsl2PMLCurr15MValidIntervals
1.3.6.1.2.1.10.251.1.4.1.1.1.3 VDSL2-LINE-MIB xdsl2PMLCurr15MInvalidIntervals
1.3.6.1.2.1.10.251.1.4.1.1.1.4 VDSL2-LINE-MIB xdsl2PMLCurr15MTimeElapsed
1.3.6.1.2.1.10.251.1.4.1.1.1.5 VDSL2-LINE-MIB xdsl2PMLCurr15MFecs
1.3.6.1.2.1.10.251.1.4.1.1.1.6 VDSL2-LINE-MIB xdsl2PMLCurr15MEs
1.3.6.1.2.1.10.251.1.4.1.1.1.7 VDSL2-LINE-MIB xdsl2PMLCurr15MSes
1.3.6.1.2.1.10.251.1.4.1.1.1.8 VDSL2-LINE-MIB xdsl2PMLCurr15MLoss
1.3.6.1.2.1.10.251.1.4.1.1.1.9 VDSL2-LINE-MIB xdsl2PMLCurr15MUas
1.3.6.1.2.1.10.251.1.4.1.1.1.10 VDSL2-LINE-MIB xdsl2PMLCurr1DayValidIntervals
1.3.6.1.2.1.10.251.1.4.1.1.1.11 VDSL2-LINE-MIB xdsl2PMLCurr1DayInvalidIntervals
1.3.6.1.2.1.10.251.1.4.1.1.1.12 VDSL2-LINE-MIB xdsl2PMLCurr1DayTimeElapsed
1.3.6.1.2.1.10.251.1.4.1.1.1.13 VDSL2-LINE-MIB xdsl2PMLCurr1DayFecs
1.3.6.1.2.1.10.251.1.4.1.1.1.14 VDSL2-LINE-MIB xdsl2PMLCurr1DayEs
1.3.6.1.2.1.10.251.1.4.1.1.1.15 VDSL2-LINE-MIB xdsl2PMLCurr1DaySes
1.3.6.1.2.1.10.251.1.4.1.1.1.16 VDSL2-LINE-MIB xdsl2PMLCurr1DayLoss
1.3.6.1.2.1.10.251.1.4.1.1.1.17 VDSL2-LINE-MIB xdsl2PMLCurr1DayUas
1.3.6.1.2.1.10.251.1.4.1.3.1.3 VDSL2-LINE-MIB xdsl2PMLHist15MMonitoredTime
1.3.6.1.2.1.10.251.1.4.1.3.1.4 VDSL2-LINE-MIB xdsl2PMLHist15MFecs
1.3.6.1.2.1.10.251.1.4.1.3.1.5 VDSL2-LINE-MIB xdsl2PMLHist15MEs
1.3.6.1.2.1.10.251.1.4.1.3.1.6 VDSL2-LINE-MIB xdsl2PMLHist15MSes
1.3.6.1.2.1.10.251.1.4.1.3.1.7 VDSL2-LINE-MIB xdsl2PMLHist15MLoss
1.3.6.1.2.1.10.251.1.4.1.3.1.8 VDSL2-LINE-MIB xdsl2PMLHist15MUas
1.3.6.1.2.1.10.251.1.4.1.3.1.9 VDSL2-LINE-MIB xdsl2PMLHist15MValidInterval
1.3.6.1.2.1.10.251.1.4.1.4.1.3 VDSL2-LINE-MIB xdsl2PMLHist1DMonitoredTime
1.3.6.1.2.1.10.251.1.4.1.4.1.4 VDSL2-LINE-MIB xdsl2PMLHist1DFecs
1.3.6.1.2.1.10.251.1.4.1.4.1.5 VDSL2-LINE-MIB xdsl2PMLHist1DEs
1.3.6.1.2.1.10.251.1.4.1.4.1.6 VDSL2-LINE-MIB xdsl2PMLHist1DSes
1.3.6.1.2.1.10.251.1.4.1.4.1.7 VDSL2-LINE-MIB xdsl2PMLHist1DLoss
1.3.6.1.2.1.10.251.1.4.1.4.1.8 VDSL2-LINE-MIB xdsl2PMLHist1DUas
1.3.6.1.2.1.10.251.1.4.1.4.1.9 VDSL2-LINE-MIB xdsl2PMLHist1DValidInterval
1.3.6.1.2.1.10.251.1.4.2.1.1.2 VDSL2-LINE-MIB xdsl2PMChCurr15MValidIntervals
1.3.6.1.2.1.10.251.1.4.2.1.1.3 VDSL2-LINE-MIB xdsl2PMChCurr15MInvalidIntervals
1.3.6.1.2.1.10.251.1.4.2.1.1.4 VDSL2-LINE-MIB xdsl2PMChCurr15MTimeElapsed
1.3.6.1.2.1.10.251.1.4.2.1.1.5 VDSL2-LINE-MIB xdsl2PMChCurr15MCodingViolations
1.3.6.1.2.1.10.251.1.4.2.1.1.6 VDSL2-LINE-MIB xdsl2PMChCurr15MCorrectedBlocks
1.3.6.1.2.1.10.251.1.4.2.1.1.7 VDSL2-LINE-MIB xdsl2PMChCurr1DayValidIntervals
1.3.6.1.2.1.10.251.1.4.2.1.1.8 VDSL2-LINE-MIB xdsl2PMChCurr1DayInvalidIntervals
1.3.6.1.2.1.10.251.1.4.2.1.1.9 VDSL2-LINE-MIB xdsl2PMChCurr1DayTimeElapsed
1.3.6.1.2.1.10.251.1.4.2.1.1.10 VDSL2-LINE-MIB xdsl2PMChCurr1DayCodingViolations
1.3.6.1.2.1.10.251.1.4.2.1.1.11 VDSL2-LINE-MIB xdsl2PMChCurr1DayCorrectedBlocks
1.3.6.1.2.1.10.251.1.4.2.2.1.3 VDSL2-LINE-MIB xdsl2PMChHist15MMonitoredTime
1.3.6.1.2.1.10.251.1.4.2.2.1.4 VDSL2-LINE-MIB xdsl2PMChHist15MCodingViolations
1.3.6.1.2.1.10.251.1.4.2.2.1.5 VDSL2-LINE-MIB xdsl2PMChHist15MCorrectedBlocks

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


118
New Features for Cisco IOX XE 17.7.1
Support 1G SFPs

1.3.6.1.2.1.10.251.1.4.2.2.1.6 VDSL2-LINE-MIB xdsl2PMChHist15MValidInterval


1.3.6.1.2.1.10.251.1.4.2.3.1.3 VDSL2-LINE-MIB xdsl2PMChHist1DMonitoredTime
1.3.6.1.2.1.10.251.1.4.2.3.1.4 VDSL2-LINE-MIB xdsl2PMChHist1DCodingViolations
1.3.6.1.2.1.10.251.1.4.2.3.1.5 VDSL2-LINE-MIB xdsl2PMChHist1DCorrectedBlocks
1.3.6.1.2.1.10.251.1.4.2.3.1.6 VDSL2-LINE-MIB xdsl2PMChHist1DValidInterval

Support 1G SFPs
Release 17.7.1 will add support for the following SFPs:
GLC-T-RGD
CWDM-SFP-1470=
CWDM-SFP-1610=
CWDM-SFP-1530=
DWDM-SFP-3033=
DWDM-SFP-3112=
GLC-BX-D-I=
GLC-BX-U-I=
GLC-TE

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


119
New Features for Cisco IOX XE 17.7.1
Support 1G SFPs

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


120
CHAPTER 14
New Features for Cisco IOS XE 17.8.1
This chapter contains the following sections:
• Support for DSL Annex B, on page 121
• Support for mSATA and IO Support for IRM-1100-SPMI in CM Side , on page 121
• Cellular Serviceability Enhancements, on page 122
• GNMI Broker (GNMIB) Update, on page 122
• gRPC Network Operations Interface Update, on page 123
• Raw Socket Feature Enhancement, on page 123
• SCADA Enhancement for TNB, on page 123

Support for DSL Annex B


For the 17.8.1 release, ADSL2+ Annex B will be supported.
Annex B is not configured by default. To enable Annex B, the following command will be used.
controller VDSL 0/0/0
capability annex-b

Support for mSATA and IO Support for IRM-1100-SPMI in CM


Side
With previous software releases, the mSATA and Digital I/O on the IRM-1100-SPMI were only supported
on the Expansion Module side of the IR1101. With 17.8.1, support is available on the Compute Module (CM)
side with the following restrictions:
IRM-1100-SPMI installed on both sides:
• This combination is not supported.
• Only the mSATA and Digital I/O from the EM side will work.
• The Digital I/O from the CM side will NOT work.

IRM-1100-SPMI installed on the CM side:


• The mSATA and Digital I/O will work.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


121
New Features for Cisco IOS XE 17.8.1
Cellular Serviceability Enhancements

• The Digital I/O instances will be numbered 1-4.

Cellular Serviceability Enhancements


Enhancements have been made for cellular and GPS features as follows:
Trigger points and debug code can be enabled via controller cellular CLIs for generating and trap the debug
data automatically without manual intervention. The following CLI options are available:
(config-controller)#lte modem serviceability ?
gps GPS debugging
interface-resets Interface resets/Bearer deletion
modem-crash Modem-crash debugging
modem-resets IOS initiated unknown modem-resets

The debug data includes the following:


• Context Based debug logs (tracebacks, and GPS locations).
• Well formatted debug messages.
• Vendor specific debug data at a broader range.

The debug logs are located in the following location of flash:


router#dir flash:servelogs
Directory of bootflash:/servelogs/

259340 -rw- 122 Sep 7 2021 17:40:44 +00:00 gpslog-slot5-20210907-174044


259339 -rw- 1734 Sep 7 2021 12:14:07 +00:00 celllog-slot5-20210905-164628

GPS and cellular log files are created separately with file names using the timestamp at the time of the creation.
These files are created as follows:
• If the existing file has reached 10Mb, a new file will be created.
• A new file will be created if the feature (GPS, or cellular) is completely disabled, and then re-enabled.

GNMI Broker (GNMIB) Update


The GNMI Broker (GNMIB) has been extended to support the gRPC Network Operations Interface (gNOI)
reset.proto service. This service provides functionality for restoring the device to its factory defaults via gRPC.
When the service is executed, it behaves similarly to the ‘factory-reset all’ command, and subsequently
triggering a reload. Additionally, the service will maintain the current booted image. The additional steps
below will be taken to comply with the reset.proto service:
• Set the rommon BOOT variable to the current booted image and maintain it through reload following
factory-reset
• Enable autoboot to bring the device up on the current booted image following factory-reset.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


122
New Features for Cisco IOS XE 17.8.1
gRPC Network Operations Interface Update

gRPC Network Operations Interface Update


gNOI is the gRPC Network Operations Interface. gNOI defines a set of gRPC-based microservices for executing
operational commands and procedure on network devices, such as OS Install, Activate, and Verification.
Through gNOI os.proto will be possible to perform operating system related tasks such as OS activation,
install, detailed overview, internal OS commands, and finally to output a summary of OS operations.
Furthermore, gNOI os.proto can also be used to display the gnmib detailed state, check the gnmib operational
statistics, and also to output modifiers.

Raw Socket Feature Enhancement


This enhancement allows the user to input the maximum number of retries available to the write socket. The
range of the number of retries goes from 1 to 1000. The default number of retries is 10. To accommodate this
feature, a new CLI has been created, raw-socket tcp max-retries <1-1000>. <1-1000> is the maximum
number of retries.

SCADA Enhancement for TNB


This enhancement provides compatibility with TNB’s WG RTUs, including the following:
• TNB RTUs require Reset-Link message to be sent out along with Link-Status message to ensure correct
initialization of the serial. The feature can be selectively turned on using the new configuration CLI
scada-gw protocol force reset-link.
• When clock passthru is enabled and if the router hasn’t received the timestamp from the DNP3-IP master,
the router’s hardware time will be sent downstream to RTU. Upon receiving a new timestamp from
DNP3-IP master, the router will start sending the new timestamp sourced from DNP3-IP master to RTU.
• The number of bufferable DNP3 events in memory will be increased from 600 to 10000.
• The scada-gw protocol interlock command will be supported for DNP3. Previously, the support only
existed for T101/T104. With this new enhancement, the router will disconnect Serial link if the DNP3-IP
master is down or unreachable. Similarly, when the Serial link to RTU is down, the TCP connection to
DNP3-IP master will be untethered.
• Custom “requests” will be automatically ordered based on priority so that the user can specify them in
any order that they would like to.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


123
New Features for Cisco IOS XE 17.8.1
SCADA Enhancement for TNB

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


124
CHAPTER 15
New Features for Cisco IOS XE 17.9.1
This chapter contains the following sections:
• Cellular Boot Time Improvements, on page 125
• IOS XE Downgrade Warning, on page 125
• SNMP Polling of Temperature OID, on page 126
• GPS Mode Enabled By Default, on page 126
• Install Mode Support, on page 127
• Cisco WebUI Access Point Name (APN), on page 128

Cellular Boot Time Improvements


Numerous improvements have been made in the Cellular link up-time with IOS-XE release 17.9.1. In previous
releases, the cellular interface was taking approximately 2:30 minutes to come up and pass traffic after the
router booted up. The Cellular link up-time has been improved by approximately 20% in this release.

IOS XE Downgrade Warning


This feature will present a warning when issuing a boot system flash command followed by a file name of
an image which has a version number lower than the one of the running image. The downgrade operation will
still be possible by ignoring the warning message presented to the user. Booting an image with the same or
higher version of the running image is allowed without warning. The feature is only intended for images
already loaded on the bootflash of the router, this means only for the boot system flash <file_name> CLI
(excluding other sources/devices like ftp, mop, rpc, tftp, rom).
The following are examples of how the system compares versions:
When comparing two version numbers as follows:
• 17.7.1
• 17.7.1c

The version with the letter (17.7.1c) will be considered the most updated one.
When comparing two version numbers as follows:
• 17.7.3a

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


125
New Features for Cisco IOS XE 17.9.1
SNMP Polling of Temperature OID

• 17.7.3f

The comparison will be made taking into consideration the alphabetical order. In the case above 17.7.3f will
be considered the most updated one.

SNMP Polling of Temperature OID


Support has been added for SNMP MIB to be able to return values from temperature sensors. The output
should look similar to the show environment CLI.
The output of a show environment on an IR1101:
IR1101#show env

Number of Critical alarms: 0


Number of Major alarms: 0
Number of Minor alarms: 0

Slot Sensor Current State Reading


Threshold(Minor,Major,Critical,Shutdown)
---------- -------------- --------------- ------------
---------------------------------------
R0 Temp: TS1 Normal 42 Celsius (75 ,80 ,90 ,na )(Celsius)
R0 Temp: TS2 Normal 37 Celsius (75 ,80 ,90 ,na )(Celsius)

The output from an snmpwalk would look similar to this:


[root@sg-centos-hv ~]# snmpwalk -v 2c -c public 33.33.33.204 1.3.6.1.4.1.9.9.13.1.3.1
SNMPv2-SMI::enterprises.9.9.13.1.3.1.2.1 = STRING: "Sensor 1"
SNMPv2-SMI::enterprises.9.9.13.1.3.1.3.1 = Gauge32: 48
SNMPv2-SMI::enterprises.9.9.13.1.3.1.4.1 = INTEGER: 93
SNMPv2-SMI::enterprises.9.9.13.1.3.1.5.1 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.13.1.3.1.6.1 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.13.1.3.1.7.1 = INTEGER: 0

The ciscoEnvMonTemperatureStatusEntry oid is 1.3.6.1.4.1.9.9.13.1.3.1:


• ciscoEnvMonTemperatureStatusIndex (.1)
• ciscoEnvMonTemperatureStatusDescr (.2)
• ciscoEnvMonTemperatureStatusValue (.3)
• ciscoEnvMonTemperatureThreshold (.4)
• ciscoEnvMonTemperatureLastShutdown (.5)
• ciscoEnvMonTemperatureStatus (.6)

GPS Mode Enabled By Default


In IOS XE versions prior to 17.9.1, GPS was enabled by defaut, however, GPS Mode was disabled by default.
This required that the user perform an additional modem power-cycle after the router came up in order to use
GPS.
Starting with IOS XE 17.9.1, GPS Mode will be enabled by default, and will be set to standalone mode. This
will help reduce the cellular link up time.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


126
New Features for Cisco IOS XE 17.9.1
Install Mode Support

Note This only applies to the cellular based GPS. This does not apply to the GPS/GNSS module in IR1800
(DR module), IR8140 (native GPS) and IR8340 (Timing module).

Use the following command to check cellular GPS status:IR1101-4001#sh cellular 0/3/0 gps
Router# show cellular <slot> gps
auto-reset Enable reset modem automatically after configuring GPS enable or mode

Install Mode Support


The following table describes the differences between Bundle mode and Install mode:
Cisco IOS XE running on IoT routers has typically made use of the Bundle boot mode. Bundle boot mode is
also known as Consolidated boot, and uses a single compressed image. The typical naming convention is
<product>-universalk9.<release>.SPA.bin.
This mode provides a consolidated boot process, using local (hard disk, flash) or remote (TFTP) .bin image.
Booting via a .bin image means that the router would first have to uncompress the image before booting from
it. This led to a longer period of time for the router to boot.
To upgrade the router to a new version of IOS XE, you would point the "boot system" to a new software
image. This method is well known and details are available in your products configuration guide.
Starting with IOS XE release 17.9.1, a new boot mode called Install mode has been added to the IoT routers.
Install mode uses packages loaded into bootflash, which are read by a packages.conf file. This method provides
more control over the software installation process.

Note SMU installation was supported in both bundle boot and install mode. From Cisco IOS XE Release
17.9.x, SMU installation will be stopped if the router is booted up in bundle mode. If the router is booted
up in install mode, SMU installation will keep working as it is in previous releases.

Table 7: Bundle Mode vs Install Mode

Bundle Mode Install Mode

This mode provides a consolidated boot process, using This mode uses the local (bootflash) packages.conf
local (hard disk, flash) or remote (TFTP) .bin image. file for the boot process.

This mode uses a single .bin file. .bin file is replaced with expanded .pkg files in this
mode.

CLI: CLI:
Router(config)#boot system #install add file bootflash: [activate commit]
bootflash:<filename>

To upgrade in this mode, point the boot system to the To upgrade in this mode, use the install commands.
new image.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


127
New Features for Cisco IOS XE 17.9.1
Cisco WebUI Access Point Name (APN)

Bundle Mode Install Mode

Image Auto-Upgrade: When a new Field-Replaceable Image Auto-Upgrade: When a new FRU is inserted
Unit (FRU) is inserted in a modular chassis, manual in a modular chassis, the joining FRU is
intervention is required to get the new FRU running auto-upgraded to the image version in sync with the
with the same version as the active FRUs. active FRUs.

Rollback: Rollback to the previous image with Rollback: Enables rollback to an earlier version of
multiple Software Maintenance Updates (SMUs) may Cisco IOS XE software, including multiple patches
require multiple reloads. in single reload.

For additional information, please see Cisco IOS XE Installation Methods.

Cisco WebUI Access Point Name (APN)


IOS XE 17.9.1 added the ability to add, edit, or delete the APN from the Cisco WebUI Interface. The following
provides an overview of how to perform this function.

Note This section only describes new functionality and is not a complete overview of the WebUI.

Adding the APN


From the WebUI, navigate to Configuration > Interface > Cellular. Double click on the cellular interface
based upon your platform.

On the Cellular window, click on the Profiles tab.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


128
New Features for Cisco IOS XE 17.9.1
Cisco WebUI Access Point Name (APN)

From the Profiles tab, you can Add, Delete, or Edit the APN. Once the profile is modified, click on Update
& Apply to Device at the bottom of the window.

Changing the SIM Slot


By default, the APN is attached to SIM slot 0. You can change the APN to SIM slot 1 by using the WebUI.
From the WebUI, navigate to Configuration > Interface > Cellular. Click on the Advanced radio button
on the top of the window.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


129
New Features for Cisco IOS XE 17.9.1
Cisco WebUI Access Point Name (APN)

Click on the Controller tab at the top of the window.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


130
New Features for Cisco IOS XE 17.9.1
Cisco WebUI Access Point Name (APN)

Click on the Primary SIM Slot pull-down and select slot 1. Click on Update & Apply to Device on the bottom
of the window.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


131
New Features for Cisco IOS XE 17.9.1
Cisco WebUI Access Point Name (APN)

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


132
CHAPTER 16
New Features for Cisco IOS XE 17.10.1a
This chapter contains the following sections:
• Software Supported MACsec, on page 133
• High Security (HSEC) License, on page 135
• Enable Secure Data Wipe Capabilities , on page 136
• Rawsocket Keepalive Configuration CLI, on page 137

Software Supported MACsec


Overview
All existing Cisco IOS XE based router/switch use special transceiver to do MACsec encryption/decryption.
This software MACsec uses CDAL infrastructure in QFP to do crypto operation. Comparing to the hardware
choice, the way configuration/status/datapath is done is different thus creating some limitation on the
functionality.
Release 17.10.1a only supports MACsec on L2 interfaces. The MACsec port should be put into access mode.
As the encryption happens on the egress SVI interface, the vlan used for the port should be unique, meaning
no other interface can use that vlan. This limitation is because the QFP does not have MAC table information.

Note Since MACsec is being done through software, performances are not line rate on L2 interfaces.

For an egress packet, SVI only know the packet needs to go out on a vlan without info about any specific
interface. It is up to the switch chip to decide which port to go. All the packets without MACsec tag can come
in as usual. Outgoing L2 packet will also egress without encryption or modification.
Both the NE and NA license support GCM-AES-128. This feature is not available running the NPE image.
The MACsec protocol is defined in IEEE802.1AE.

Feature Limitations
• MACsec is not supported in controller mode in this release.
• There must be a unique vlan id for a MACsec interface.
• Only gcm-aes-128 is supported in this initial release.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


133
New Features for Cisco IOS XE 17.10.1a
Software Supported MACsec

• Both explicit and non-explicit SCI are supported on ingress side. The IR1101 sends out only explicit SCI
packets as it is not an end system.
• The IR1101 does not support confidentiality offset.
• Integrity only is not supported in this first release.
• For gcm-aes-128, up to 32 bytes are added to an encrypted packet compared to a plain packet. So the
MTU setup should add 32 for it to work properly.
• The MACsec key is managed by the MKA module. For that device, it requires a static key for MKA to
negotiate MACsec key.
• There is no MIB support.

Related Documentation
Further information can be found at the following:
• MACsec and the MACsec Key Agreement (MKA) Protocol
• MACSEC and MKA Configuration Guide, Cisco IOS XE 17

Sample MKA Configuration


See the following example:
conf t
aaa new-model
mka policy p1
key-server priority 1
macsec-cipher-suite gcm-aes-128
sak-rekey interval 3600
end
conf t
key chain cak1 macsec
key 414243
cryptographic-algorithm aes-128-cmac
key-string 0 12345678901234567890123456789012
lifetime local 00:00:00 29 November 2021 infinite
end
conf t
int fa 0/0/2
switchport mode access
switchport access vlan 77
mtu 1532
mka policy p1
mka pre-shared-key key-chain cak1
macsec network-link
macsec replay-protection window-size 128
end

Show Commands
Show cpp_cp internal info:
show platform hardware cpp active feature soft-macsec server tx [dp] [item]
show platform hardware cpp active feature soft-macsec server rx [dp] [item]
show platform hardware cpp active feature soft-macsec server control [dp] [item]

Other show commands:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


134
New Features for Cisco IOS XE 17.10.1a
High Security (HSEC) License

show macsec summary


show macsec status int fa 0/0/2
show macsec statistics int fa 0/0/2A

Clear Statistics
Clear macsec statis int fa 0/0/2

Test Command
Print 10 MKA packet for debug:
test platform software smacsec mka-ingress

High Security (HSEC) License


HSEC (High Security) license is a feature license that can be configured in addition to the network license
(NE/NA). An HSEC license provides export controls for strong levels of encryption. HSEC is available to
customers in all currently non-embargoed countries as listed by the U.S. Department of Commerce. Without
an HSEC license, SEC performance is limited to a total of 250 Mbps of IPsec throughput in each direction.
An HSEC license removes this limitation.

Command Line Interface


The configuration mode CLI to enable HSEC on the IR1101 is the following:
IR1101(config)# license feature hsec9

To benefit from the HSEC license, a new bandwidth will be available. The new bandwidth is called uncapped,
and it is available with the following CLI from configuration mode:
IR1101(config)# platform hardware throughput level ?
250M throughput in bps
uncapped throughput in bps
IR1101# platform hardware throughput level uncapped

After performing the above commands, write mem and reload the router. The configuration will take effect
when the router comes back up.

License Types
With this new feature, the IR1101 will support the following bandwidth/license types:
• Network-essentials 250 Mbps
• Network-advantage 250 Mbps
• Network-essentials uncapped
• Network-advantage uncapped
• HSEC

Ordering
The following is an example from the IR1101-K9. The license will be available on the IR1101-A-K9 as well.
In the following example, select the SL-1101-NE/UNCP-K9 (Network Essentials Uncapped License):

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


135
New Features for Cisco IOS XE 17.10.1a
Enable Secure Data Wipe Capabilities

The L-1101-HSEC-K9 license will get auto included when you select the uncapped license, as shown in the
following:

Cisco Software Central


This guide provides information on how to order, activate, and manage your Cisco Smart Licenses.
https://software.cisco.com/software/csws/ws/platform/home?locale=en_US&locale=en_US&locale=en_US#

Enable Secure Data Wipe Capabilities


Secure data wipe is a Cisco wide initiative to ensure storage devices on all the IOS XE based platforms to be
properly purged using NIST SP 800-88r1 compliant secure erase commands. Whenever possible, IoT platforms
will leverage the corresponding ENG design and implementation available so far on their platforms.
This feature is supported on the following IoT platforms:
• IR1101
• IR1800
• IR8140
• ESR6300

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


136
New Features for Cisco IOS XE 17.10.1a
Rawsocket Keepalive Configuration CLI

When the enable secure data wipe is executed, the following will get wiped out:
• IR1101, IR1800, IR8140: NVRAM, rommon variables, bootflash, and msata
• ESR6300: NVARM, rommon variables, bootflash

The router will be in rommon prompt with default factory settings (baud rate 9600) after the command is
executed. The bootflash will not get formatted until booting with IOS image thru usbflash or tftp download
if the platform is supported.

Performing a Secure Data Wipe


To enable the feature, perform the following:
Router#factory-reset all secure
The factory reset operation is irreversible for securely reset all. Are you sure? [confirm]Y

Important This operation may take hours. Please do not power cycle.
To check the log after the command is executed, and booting up IOS XE, perform the following:
Router#show platform software factory-reset secure log
Factory reset log:
#CISCO DATA SANITIZATION REPORT:# IR1800
Purge ACT2 chip at 12-08-2022, 15:17:28
ACT2 chip Purge done at 12-08-2022, 15:17:29
mtd and backup flash wipe start at 12-08-2022, 15:17:29
mtd and backup flash wipe done at 12-08-2022, 15:17:29.

Rawsocket Keepalive Configuration CLI


Rawsocket keepalive for async interfaces is a feature that existed in classic IOS platforms. As part of 17.10.1a,
the feature will be extended to IOS-XE based platforms. A new CLI with the following syntax will be added
under rawsocket.
Router(config-line)#raw-socket tcp keepalive interval

CLI Changes
On IOS-XE platforms starting from 17.10.1a, there is a CLI correction and an additional CLI was added as
part of raw-socket.
The correction is for the raw-socket idle timeout command. There is now an option to configure the timeout
based on minutes and seconds, whereas the previous configuration used only minutes.
Router(config-line)# raw-socket tcp idle-timeout [0-1440] [<0-59> | cr]

The additional CLI is for clearing the raw-socket TCP clients. The command syntax is clear raw-socket line
[1-145|tty|x/y/z] for example:
Router# clear raw-socket line 0/2/0

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


137
New Features for Cisco IOS XE 17.10.1a
Rawsocket Keepalive Configuration CLI

Note When initiating clear raw-socket line, raw-socket sessions will be cleared for raw-socket clients from
the show raw-socket tcp sessions command. Connections will be re-established after a TCP hand-shake,
which can be done by doing shut/no shut on TCP connection interface.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


138
CHAPTER 17
Managing Configuration Files
This chapter contains the following sections:
• Understanding Configuration Files, on page 139
• Finding the Software Version, on page 140
• Managing and Configuring a Consolidated Package Using copy and boot Commands, on page 140
• Upgrading the Router Image through the WebUI, on page 142

Understanding Configuration Files


Configuration files contain the Cisco IOS XE software commands used to customize the functionality of your
Cisco routing device (router, access server, switch, and so on). Commands are parsed (translated and executed)
by the Cisco IOS XE software when the system is booted (from the startup-config file) or when you enter
commands at the CLI in a configuration mode.

Types of Configuration Files


Startup configuration files (startup-config) are used during system startup to configure the software. Running
configuration files (running-config) contain the current configuration of the software. The two configuration
files can be different. For example, you may want to change the configuration for a short time period rather
than permanently. In this case, you would change the running configuration using the configure terminal
EXEC command but not save the configuration using the copy running-config startup-config EXEC command.
To change the running configuration, use the configure terminal command. As you use the Cisco IOS XE
configuration modes, commands generally are executed immediately and are saved to the running configuration
file either immediately after you enter them or when you exit a configuration mode.
To change the startup configuration file, you can either save the running configuration file to the startup
configuration using the copy running-config startup-config EXEC command or copy a configuration file from
a file server to the startup configuration.

Location of Configuration Files


Configuration files can be stored in the following locations:
• The running configuration is stored in RAM.
• The startup configuration is stored in the location specified by the CONFIG_FILE environment variable.
The CONFIG_FILE variable defaults to NVRAM and can be a file in the following file systems:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


139
Managing Configuration Files
Finding the Software Version

• nvram: (NVRAM)
• bootflash: (Internal Flash memory)
• usbflash0: (external USB media)

Finding the Software Version


The package files for the Cisco IOS XE software can be found on the system board flash device (flash:) orone
of the external devices previously mentioned.
You can use the show version privileged EXEC command to see the software version that is running on your
device.

Note Although the show version output always shows the software image running on the device, the model
name shown at the end of this display is the factory configuration and does not change if you upgrade
the software license.

You can also use the dir filesystem: privileged EXEC command to see the directory names of other software
images that you might have stored in flash memory.

Managing and Configuring a Consolidated Package Using copy


and boot Commands
To upgrade a consolidated package, copy the consolidated package to the bootflash: directory on the router.
After making this copy of the consolidated package, configure the router to boot using the consolidated package
file.
The following example shows the consolidated package file being copied to the bootflash: file system. The
config register is then set to boot using boot system commands, and the commands instruct the router to boot
using the consolidated package stored in the bootflash: file system. The new configuration is then saved using
the copy running-config startup-config command, and the system is then reloaded to complete the process.
Display the contents of the bootflash directory.
Router# dir bootflash:
Directory of bootflash:/
13 drwx 278528 May 19 2022 05:20:04 +00:00 tracelogs
11 drwx 4096 May 17 2022 14:24:54 +00:00 .installer
84 drwx 20480 May 17 2022 14:22:00 +00:00 license_evlog
83 -rw- 30 May 17 2022 14:21:41 +00:00 throughput_monitor_params
12 drwx 4096 May 17 2022 14:21:39 +00:00 .prst_sync
22 -rw- 335 May 17 2022 14:20:50 +00:00 boothelper.log
14 -rwx 41040 May 17 2022 14:20:39 +00:00 mode_event_log
259 -rw- 682679541 May 17 2022 12:54:32 +00:00
ir1800-universalk9.17.07.01.SPA.bin

Copy the new image into the bootflash: directory.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


140
Managing Configuration Files
Managing and Configuring a Consolidated Package Using copy and boot Commands

Note In order to use secure copy (scp), you must first set up an SSH configuration. See Configuring Secure
Shell.

Router# copy scp: bootflash:


Address or name of remote host []? 192.168.1.2
Source username [xxxxx]?Enter
Source filename []? /auto/users/IR1800-universalk9.17.08.01.SPA.bin
Destination filename [IR1800-universalk9.17.08.01.SPA.bin]?

This is a Cisco managed device to be used only for authorized purposes.


Your use is monitored for security, asset protection, and policy compliance.

Password: <your-password>
Sending file modes: C0644 208904396 IR1800-universalk9.17.08.01.SPA.bin
...........
[OK - 208904396 bytes]
208904396 bytes copied in 330.453 secs (632176 bytes/sec)

Display the contents of the bootflash: directory.


Router# dir bootflash:
Directory of bootflash:/
13 drwx 278528 May 19 2022 05:20:04 +00:00 tracelogs
11 drwx 4096 May 17 2022 14:24:54 +00:00 .installer
84 drwx 20480 May 17 2022 14:22:00 +00:00 license_evlog
83 -rw- 30 May 17 2022 14:21:41 +00:00 throughput_monitor_params
12 drwx 4096 May 17 2022 14:21:39 +00:00 .prst_sync
22 -rw- 335 May 17 2022 14:20:50 +00:00 boothelper.log
14 -rwx 41040 May 17 2022 14:20:39 +00:00 mode_event_log
259 -rw- 682679541 May 17 2022 12:54:32 +00:00
ir1800-universalk9.17.07.01.SPA.bin
12 -rw- 208904396 May 17 2022 16:17:34 -07:00
ir1800-universalk9.17.08.01.SPA.bin

Configure the router to boot using the consolidated package file.


Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# boot system bootflash:ir1800-universalk9.17.08.01.SPA.bin
Router(config)# exit

Verify the configuration change.


Router# show run | include boot
boot-start-marker
boot system bootflash:IR1800-universalk9.17.08.01.SPA.bin
boot-end-marker

Copy the running configuration and save it. Then when reloading the router, it restarts with the saved
configuration.
Router# copy running-config startup-config
Destination filename [startup-config]? <enter>
Building configuration...
[OK]

Router# reload
Proceed with reload? [confirm] <enter>
Dec 04 17:42:54.445 R0/0: %PMAN-5-EXITACTION: Process manager is exiting: process exit with
reload

Initializing Hardware ...

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


141
Managing Configuration Files
Upgrading the Router Image through the WebUI

Upgrading the Router Image through the WebUI


The router can also be upgraded through the Web User Interface (WebUI). Further information on using the
WebUI can be found in the Web User Interface (WebUI) chapter.
After you launch the WebUI, go to the Administration tab.

Reload the router by selecting Administration > Reload.

Select your option from the choices, then click Apply.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


142
Managing Configuration Files
Upgrading the Router Image through the WebUI

Select Software Management under the Administration tab. Browse to the location of the new IOS XE
image file on your PC.

Select Administration > Management > Backup & Restore. Copy the image file from the laptop to your
router. This example uses HTTP as transport.

Save the configuration by clicking on the floppy drive icon at the top of the WebUI.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


143
Managing Configuration Files
Upgrading the Router Image through the WebUI

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


144
CHAPTER 18
New Cisco IOS XE Installation Methods
This chapter contains the following sections:
• Bundle Mode versus Install Mode, on page 145
• Installing the Software using install Commands, on page 145
• Restrictions for Installing the Software Using install Commands, on page 146
• Information About Installing the Software Using install Commands, on page 146
• Configuration Examples, on page 155
• Troubleshooting Software Installation Using install Commands, on page 161

Bundle Mode versus Install Mode


Cisco IOS XE running on IoT routers has typically made use of the Bundle boot mode. Bundle boot mode is
also known as Consolidated boot, and uses a single compressed image. The typical naming convention is
<product>-universalk9.<release>.SPA.bin.
This mode provides a consolidated boot process, using local (hard disk, flash) or remote (TFTP) .bin image.
Booting via a .bin image means that the router would first have to uncompress the image before booting from
it. This led to a longer period of time for the router to boot.
To upgrade the router to a new version of IOS XE, you would point the "boot system" to a new software
image. This method is well known and details are available in your products configuration guide.
Starting with IOS XE release 17.9.1, a new boot mode called Install mode has been added to the IoT routers.
Install mode uses packages loaded into bootflash, which are read by a packages.conf file. This method provides
more control over the software installation process.
Install mode requires more room in bootflash: for the files. The packages are slightly larger than the .bin
images, and they vary per product in size.

Installing the Software using install Commands


From Cisco IOS XE 17.9.1, Cisco IoT routers are shipped in install mode by default. Users can boot the
platform, and upgrade or downgrade to Cisco IOS XE software versions using a set of install commands.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


145
New Cisco IOS XE Installation Methods
Restrictions for Installing the Software Using install Commands

Restrictions for Installing the Software Using install Commands


• Install mode requires a reboot of the system.
• SMU installation was supported in both bundle boot and install mode. From Cisco IOS XE Release
17.9.x, SMU installation will be stopped if the router is booted up in bundle mode. If the router is booted
up in install mode, SMU installation will keep working as it is in previous releases.

Information About Installing the Software Using install


Commands
From the Cisco IOS XE 17.9.1 release, IoT routers will be shipped in install mode instead of bundle mode.
So any new router from the factory will boot up in install mode.
Existing installations using previous releases of IOS XE have the option to continue to use their device in
Bundle mode if they wish to. Or they can convert their device to Install mode.
Install mode is applicable to both autonomous mode and controller mode.
A new release can be installed in Install mode using vManage. Other management tools such as IOT OD and
FND will be available in a future release.
The following table describes the differences between Bundle mode and Install mode:

Table 8: Bundle Mode vs Install Mode

Bundle Mode Install Mode

This mode provides a consolidated boot process, using This mode uses the local (bootflash) packages.conf
local (hard disk, flash) or remote (TFTP) .bin image. file for the boot process.

This mode uses a single .bin file. .bin file is replaced with expanded .pkg files in this
mode.

CLI: CLI:
Router(config)#boot system #install add file bootflash: [activate commit]
bootflash:<filename>

To upgrade in this mode, point the boot system to the To upgrade in this mode, use the install commands.
new image.

Image Auto-Upgrade: When a new Field-Replaceable Image Auto-Upgrade: When a new FRU is inserted
Unit (FRU) is inserted in a modular chassis, manual in a modular chassis, the joining FRU is
intervention is required to get the new FRU running auto-upgraded to the image version in sync with the
with the same version as the active FRUs. active FRUs.

Rollback: Rollback to the previous image with Rollback: Enables rollback to an earlier version of
multiple Software Maintenance Updates (SMUs) may Cisco IOS XE software, including multiple patches
require multiple reloads. in single reload.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


146
New Cisco IOS XE Installation Methods
Install Mode Process Flow

Install Mode Process Flow


The install mode process flow comprises three commands to perform installation and upgrade of software on
platforms– install add, install activate, and install commit.
The following flow chart explains the install process with install commands:

The install add command copies the software package from a local or remote location to the platform. The
command extracts individual components of the .package file into subpackages and packages.conf files. It
also validates the file to ensure that the image file is specific to the platform on which it is being installed.
The location of the software package can be in several places, as shown in the output of the following command:
IR1831#install add file ?
bootflash: Package name
crashinfo: Package name
flash: Package name
ftp: Package name
http: Package name
https: Package name
pram: Package name
rcp: Package name
scp: Package name
sftp: Package name
tftp: Package name
webui: Package name

The install activate command performs the required validations and provisions the packages previously added
using the install add command. It also triggers a system reload.
The install commit command confirms the packages previously activated using the install activate command,
and makes the updates persistent over reloads.

Note Installing an update replaces any previously installed software image. At any time, only one image can
be installed in a device.

The following set of install commands is available:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


147
New Cisco IOS XE Installation Methods
Install Mode Process Flow

Table 9: List of install Commands

Command Syntax Purpose

install add install add file Copies the contents of the image,
location:filename.bin package, and SMUs to the software
repository. File location may be
local or remote. This command
does the following:
• Validates the file–checksum,
platform compatibility checks,
and so on.
• Extracts individual
components of the package
into subpackages and
packages.conf
• Copies the image into the local
inventory and makes it
available for the next steps.

install activate install activate Activates the package added using


the install add command.
• Use the show install
summary command to see
which image is inactive. This
image will get activated.
• System reloads on executing
this command. Confirm if you
want to proceed with the
activation. Use this command
with the prompt-level none
keyword to automatically
ignore any confirmation
prompts.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


148
New Cisco IOS XE Installation Methods
Install Mode Process Flow

Command Syntax Purpose

(install activate) auto abort-timer install activate auto-abort timer The auto-abort timer starts
<30-1200> automatically, with a default value
of 120 minutes. If the install
commit command is not executed
within the time provided, the
activation process is terminated,
and the system returns to the
last-committed state.
• You can change the time value
while executing the install
activate command.
• The install commit command
stops the timer, and continues
the installation process.
• The install activate
auto-abort timer stop
command stops the timer
without committing the
package.
• Use this command with the
prompt-level none keyword
to automatically ignore any
confirmation prompts.
• This command is valid only in
the three-step install variant.

install commit install commit Commits the package activated


using the install activate
command, and makes it persistent
over reloads.
• Use the show install
summary command to see
which image is uncommitted.
This image will get
committed.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


149
New Cisco IOS XE Installation Methods
Install Mode Process Flow

Command Syntax Purpose

install abort install abort Terminates the installation and


returns the system to the
last-committed state.
• This command is applicable
only when the package is in
activated status (uncommitted
state).
• If you have already committed
the image using the install
commit command, use the
install rollback to command
to return to the preferred
version.

install remove install remove {file <filename> | Deletes inactive packages from the
inactive} platform repository. Use this
command to free up space.
• file: Removes specified files.
• inactive: Removes all the
inactive files.

install rollback to install rollback to {base | label | Rolls back the software set to a
committed | id} saved installation point or to the
last-committed installation point.
The following are the
characteristics of this command:
• Requires reload.
• Is applicable only when the
package is in committed state.
• Use this command with the
prompt-level none keyword
to automatically ignore any
confirmation prompts.

Note If you are performing


install rollback to a
previous image, the
previous image must be
installed in install mode.
Only SMU rollback is
possible in bundle
mode.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


150
New Cisco IOS XE Installation Methods
Booting the Platform in Install Mode

Command Syntax Purpose

install deactivate install deactivate file <filename> Removes a package from the
platform repository. This command
is supported only for SMUs.
• Use this command with the
prompt-level none keyword
to automatically ignore any
confirmation prompts.

The following show commands are also available:

Table 10: List of show Commands

Command Syntax Purpose

show install log show install log Provides the history and details of
all install operations that have been
performed since the platform was
booted.

show install package show install package <filename> Provides details about the .pkg/.bin
file that is specified.

show install summary show install summary Provides an overview of the image
versions and their corresponding
install states.

show install active show install active Provides information about the
active packages.

show install inactive show install inactive Provides information about the
inactive packages.

show install committed show install committed Provides information about the
committed packages.

show install uncommitted show install uncommitted Provides information about


uncommitted packages.

show install rollback show install rollback {point-id | Displays the package associated
label} with a saved installation point.

show version show version [rp-slot] [installed Displays information about the
[user-interface] | provisioned | current package, along with
running] hardware and platform information.

Booting the Platform in Install Mode


You can install, activate, and commit a software package using a single command (one-step install) or multiple
separate commands (three-step install).

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


151
New Cisco IOS XE Installation Methods
One-Step Installation OR Converting from Bundle Mode to Install Mode

If the platform is working in bundle mode, the one-step install procedure must be used to initially convert the
platform from bundle mode to install mode. Subsequent installs and upgrades on the platform can be done
with either one-step or three-step variants.
You can see how your device is set up to boot by using the show romvar and show bootvar commands.
Router#show romvar
ROMMON variables:
PS1 = rommon ! >
CM = IR1100
DEVICE_MANAGED_MODE = autonomous
LICENSE_SUITE =
RET_2_RTS =
THRPUT = 250
BOOT = flash:packages.conf,12;
LICENSE_BOOT_LEVEL = network-advantage,all:IR1101;
BSI = 0
RET_2_RCALTS =
RANDOM_NUM = 212626522
Router#

Router#show bootvar
BOOT variable = flash:packages.conf,12;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102

Standby not ready to show bootvar

Router#

One-Step Installation OR Converting from Bundle Mode to Install Mode

Note • All the CLI actions (for example, add, activate, and so on) are executed.
• The configuration save prompt will appear if an unsaved configuration is detected.
• The reload prompt will appear after the second step in this workflow. Use the prompt-level none
keyword to automatically ignore the confirmation prompts.
• If the prompt-level is set to None, and there is an unsaved configuration, the install fails. You must
save the configuration before reissuing the command.

Use the one-step install procedure described below to convert a platform running in bundle boot mode to
install mode. After the command is executed, the platform reboots in install boot mode.
Later, the one-step install procedure can also be used to upgrade the platform.
This procedure uses the install add file activate commit command in privileged EXEC mode to install a
software package, and to upgrade the platform to a new version.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


152
New Cisco IOS XE Installation Methods
Three-Step Installation

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password, if
prompted.
Example:
Device>enable

Step 2 install add file location: filename [activate commit] Copies the software install package from a local or remote
location (through FTP, HTTP, HTTPs, or TFTP) to the
Example:
platform and extracts the individual components of the
Device#install add file .package file into subpackages and packages.conf files. It
bootflash:<router_image>.SSA.bin activate commit
also performs a validation and compatibility check for the
platform and image versions, activates the package, and
commits the package to make it persistent across reloads.
The platform reloads after this command is run.

Step 3 exit Exits privileged EXEC mode and returns to user EXEC
mode.
Example:
Device#exit

Three-Step Installation

Note • All the CLI actions (for example, add, activate, and so on) are executed.
• The configuration save prompt will appear if an unsaved configuration is detected.
• The reload prompt will appear after the install activate step in this workflow. Use the prompt-level
none keyword to automatically ignore the confirmation prompts.

The three-step installation procedure can be used only after the platform is in install mode. This option provides
more flexibility and control to the customer during installation.
This procedure uses individual install add, install activate, and install commit commands for installing a
software package, and to upgrade the platform to a new version.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode. Enter your password, if
prompted.
Example:
Device>enable

Step 2 install add file location: filename Copies the software install package from a remote location
(through FTP, HTTP, HTTPs, or TFTP) to the platform,
Example:
and extracts the individual components of the .package
file into subpackages and packages.conf files.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


153
New Cisco IOS XE Installation Methods
Three-Step Installation

Command or Action Purpose


Device#install add file
bootflash:<router_image>.SSA.bin

Step 3 show install summary (Optional) Provides an overview of the image versions
and their corresponding install state.
Example:
Device#show install summary

Step 4 install activate auto-abort-timer <time> Activates the previously added package and reloads the
platform.
Example:
Device# install activate auto-abort-timer 120 • When doing a full software install, do not provide a
package filename.
• In the three-step variant, auto-abort-timer starts
automatically with the install activate command; the
default for the timer is 120 minutes. If the install
commit command is not run before the timer expires,
the install process is automatically terminated. The
platform reloads and boots up with the last committed
version.

Step 5 install abort (Optional) Terminates the software install activation and
returns the platform to the last committed version.
Example:
Device#install abort • Use this command only when the image is in activated
state, and not when the image is in committed state.

Step 6 install commit Commits the new package installation and makes the
changes persistent over reloads.
Example:
Device#install commit

Step 7 install rollback to committed (Optional) Rolls back the platform to the last committed
state.
Example:
Device#install rollback to committed

Step 8 install remove {file filesystem: filename | inactive} (Optional) Deletes software installation files.
Example: • file: Deletes a specific file
Device#install remove inactive
• inactive: Deletes all the unused and inactive
installation files.

Step 9 show install summary (Optional) Displays information about the current state of
the system. The output of this command varies according
Example:
to the install commands run prior to this command.
Device#show install summary

Step 10 exit Exits privileged EXEC mode and returns to user EXEC
mode.
Example:
Device#exit

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


154
New Cisco IOS XE Installation Methods
Upgrading in Install Mode

Upgrading in Install Mode


Use either the one-step installation or the three-step installation to upgrade the platform in install mode.

Downgrading in Install Mode


Use the install rollback command to downgrade the platform to a previous version by pointing it to the
appropriate image, provided the image you are downgrading to was installed in install mode.
The install rollback command reloads the platform and boots it with the previous image.

Note The install rollback command succeeds only if you have not removed the previous file using the install
remove inactive command.

Alternatively, you can downgrade by installing the older image using the install commands.

Terminating a Software Installation


You can terminate the activation of a software package in the following ways:
• When the platform reloads after activating a new image, the auto-abort-timer is triggered (in the three-step
install variant). If the timer expires before issuing the install commit command, the installation process
is terminated, and the platform reloads and boots with the last committed version of the software image.
Alternatively, use the install auto-abort-timer stop command to stop this timer, without using the install
commit command. The new image remains uncommitted in this process.
• Using the install abort command returns the platform to the version that was running before installing
the new software. Use this command before issuing the install commit command.

Configuration Examples
This section shows examples of using install commands.

One Step Installation


The following is an example of the one-step installation or converting from bundle mode to install mode:
Router# install add file
flash:ir1101-universalk9.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.bin activate commit
install_add_activate_commit: START Mon May 30 20:45:11 UTC 2022
install_add: Adding IMG
--- Starting initial file syncing ---
Copying flash:ir1101-universalk9.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.bin from R0
to R0
Info: Finished copying to the selected
Finished initial file syncing

--- Starting Add ---


Performing Add on all members

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


155
New Cisco IOS XE Installation Methods
One Step Installation

[1] Finished Add package(s) on R0


Checking status of Add on [R0]
Add: Passed on [R0]
Finished Add

Image added. Version: 17.09.01.0.157857

install_activate: Activating IMG


Following packages shall be activated:
/flash/ir1101-mono-universalk9_iot.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.pkg
/flash/ir1101-rpboot.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.pkg

This operation may require a reload of the system. Do you want to proceed? [y/n]y

--- Starting Activate ---


Performing Activate on all members
Building configuration...
[OK] [1] Activate package(s) on R0
[1] Finished Activate on R0
Checking status of Activate on [R0]
Activate: Passed on [R0]
Finished Activate

--- Starting Commit ---


Performing Commit on all members
[1] Commit package(s) on R0
[1] Finished Commit on R0
Checking status of Commit on [R0]
Commit: Passed on [R0]
Finished Commit operation

SUCCESS: install_add_activate_commit Mon May 30 20:48:01 UTC 2022


%PMAN-5-EXITACTION: R0/0: pvp: Process manager is exiting: reload action requested
watchdog: watchdog0: watchdog did not stop!
reboot: Restarting system

System Bootstrap, Version 3.3(REL), RELEASE SOFTWARE


Copyright (c) 1994-2021 by cisco Systems, Inc.

IR1101-K9 platform with 4169728 Kbytes of main memory

MCU Version - Bootloader: 4, App: 6


MCU is in application mode.

........

Loading: bootflash:packages.conf
#

#####################################################################################
#####################################################################################
#################################

%BOOT-5-OPMODE_LOG: R0/0: binos: System booted in AUTONOMOUS mode


Press RETURN to get started!

Router# show install summary


[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


156
New Cisco IOS XE Installation Methods
Three Step Installation

--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG C 17.09.01.0.157857

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Three Step Installation


The following is an example of the three-step installation.

Install Add
Router# install add file flash:ir1101-universalk9.17.09.01prd1.SPA.bin
install_add: START Tue May 31 01:35:40 UTC 2022
install_add: Adding IMG
--- Starting initial file syncing ---
Copying flash:ir1101-universalk9.17.09.01prd1.SPA.bin from R0 to R0
Info: Finished copying to the selected
Finished initial file syncing

--- Starting Add ---


Performing Add on all members
[1] Finished Add package(s) on R0
Checking status of Add on [R0]
Add: Passed on [R0]
Finished Add

Image added. Version: 17.09.01.0.1

SUCCESS: install_add /flash1/ir1101-universalk9.17.09.01prd1.SPA.bin Tue May 31 01:37:10


UTC 2022
Router#

Router# show install summary


[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG I 17.09.01.0.1

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Install Activate
Router#install activate
install_activate: START Tue May 31 01:37:14 UTC 2022
install_activate: Activating IMG
Following packages shall be activated:
/flash/ir1101-mono-universalk9_iot.17.09.01prd1.SPA.pkg
/flash/ir1101-rpboot.17.09.01prd1.SPA.pkg

This operation may require a reload of the system. Do you want to proceed? [y/n]y

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


157
New Cisco IOS XE Installation Methods
Three Step Installation

--- Starting Activate ---


Performing Activate on all members
[1] Activate package(s) on R0
[1] Finished Activate on R0
Checking status of Activate on [R0]
Activate: Passed on [R0]
Finished Activate

SUCCESS: install_activate Tue May 31 01:41:03 UTC 2022


Router#
May 31 01:41:08.684: %PMAN-5-EXITACTION: R0/0: pvp: Process manager is exiting:
reload action requested

watchdog: watchdog0: watchdog did not stop!


reboot: Restarting system

System Bootstrap, Version 3.3(REL), RELEASE SOFTWARE


Copyright (c) 1994-2021 by cisco Systems, Inc.

IR1101-K9 platform with 4169728 Kbytes of main memory

MCU Version - Bootloader: 4, App: 6


MCU is in application mode.

........

Loading: bootflash:packages.conf
#

#########################################################################
#########################################################################
#######################

Press RETURN to get started!

Router# show install summary


[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG U 17.09.01.0.1

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Install Commit
Router#install commit
install_commit: START Tue May 31 01:47:56 UTC 2022
--- Starting Commit ---
Performing Commit on all members
[1] Commit packages(s) on R0
[1] Finished Commit packages(s) on R0
Checking status of Commit on [R0]
Commit: Passed on [R0]
Finished Commit operation

SUCCESS: install_commit Tue May 31 01:48:04 UTC 2022

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


158
New Cisco IOS XE Installation Methods
Showing the Installed Packages

Router# show install summary


[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG C 17.09.01.0.1

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Showing the Installed Packages


Router# show install package flash:ir1101-universalk9.17.09.01prd1.SPA.bin
Package: ir1101-universalk9.17.09.01prd1.SPA.bin
Size: 674114352
Timestamp:
Canonical path: /flash1/ir1101-universalk9.17.09.01prd1.SPA.bin

Raw disk-file SHA1sum:


e54ba5a59824156af7515eaf4367ebe51b920316
Header size: 1148 bytes
Package type: 30000
Package flags: 0
Header version: 3

Internal package information:


Name: rp_super
BuildTime: 2022-04-27_00.47
ReleaseDate: 2022-04-27_07.05
BootArchitecture: arm64
RouteProcessor: IR1101
Platform: IR1101
User: mcpre
PackageName: universalk9
Build: 17.09.01prd1
CardTypes:

Package is bootable from media and tftp.


Package contents:

Package: ir1101-mono-universalk9_iot.17.09.01prd1.SPA.pkg
Size: 673776700
Timestamp:

Raw disk-file SHA1sum:

Header size: 1084 bytes


Package type: 30000
Package flags: 0
Header version: 3

Internal package information:


Name: mono
BuildTime: 2022-04-27_00.47
ReleaseDate: 2022-04-27_07.05
BootArchitecture: arm64
RouteProcessor: IR1101
Platform: IR1101
User: mcpre

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


159
New Cisco IOS XE Installation Methods
Showing Committed and Uncommitted Packages

PackageName: mono-universalk9_iot
Build: 17.09.01prd1
CardTypes:

Package is bootable from media and tftp.


Package contents:

You can determine which package is active using the show install active command.
Router#show install active
[ R0 ] Active Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG C 17.09.01.0.1193

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Showing Committed and Uncommitted Packages


These two show commands provide information on which packages are committed and uncommited.
Router# show install committed
[ R0 ] Committed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG C 17.09.01.0.1

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
Router#show install uncommitted
[ R0 ] Uncommitted Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
No Uncommitted Packages

Removing Inactive Packages


This command will remove unused installation files (.conf/.pkg/.bin) from installation media.

Note This command is used to clean up the boot directory of unused installation files. This will not remove
the bootable image.

Router#install remove inactive


install_remove: START Tue May 31 01:49:10 UTC 2022
install_remove: Removing IMG

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


160
New Cisco IOS XE Installation Methods
Troubleshooting Software Installation Using install Commands

Cleaning up unnecessary package files


No path specified, will use booted path /bootflash/packages.conf

Cleaning /flash
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
[R0]: /flash/packages.conf File is in use, will not delete.
[R0]: /flash/ir1101-mono-universalk9_iot.17.09.01prd1.SPA.pkg File is in use, will not
delete.
[R0]: /flash/ir1101-universalk9.17.09.01prd1.SPA.conf File is in use, will not delete.
[R0]: /flash/ir1101-rpboot.17.09.01prd1.SPA.pkg File is in use, will not delete.

The following files will be deleted:


[R0]: /flash/ir1101-universalk9.17.09.01prd1.SPA.bin
[R0]: /flash/ir1101-mono-universalk9_iot.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.pkg

[R0]: /flash/ir1101-universalk9.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.conf
[R0]: /flash/ir1101-rpboot.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.pkg

Do you want to remove the above files? [y/n]y

Deleting file /flash/ir1101-universalk9.17.09.01prd1.SPA.bin ... done.


Deleting file
/flash/ir1101-mono-universalk9_iot.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.pkg ... done.
Deleting file /flash/ir1101-universalk9.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.conf ...
done.
Deleting file /flash/ir1101-rpboot.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.pkg ... done.
Deleting /bootflash/.images/17.09.01.0.1.1651045630 ... done.
SUCCESS: Files deleted.

--- Starting Post_Remove_Cleanup ---


Performing REMOVE_POSTCHECK on all members
Finished Post_Remove_Cleanup
SUCCESS: install_remove Tue May 31 01:49:14 UTC 2022

Router#show install inactive


[ R0 ] Inactive Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
No Inactive Packages

Troubleshooting Software Installation Using install Commands


Problem Troubleshooting the software installation

Solution Use the following show commands to view installation summary, logs, and software versions.

• show install summary


• show install log
• show version
• show version running

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


161
New Cisco IOS XE Installation Methods
Troubleshooting Software Installation Using install Commands

Problem Other installation issues

Solution Use the following commands to resolve installation issue:

• dir <install directory>


• more location:packages.conf
• show tech-support install: this command automatically runs the show commands that display information
specific to installation.
• request platform software trace archive target bootflash <location>: this command archives all the
trace logs relevant to all the processes running on the system since the last reload, and saves this
information in the specified location.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


162
CHAPTER 19
Installing the Software
This chapter contains the following sections:
• Installing the Software, on page 163
• ROMMON Images, on page 166
• File Systems, on page 166
• Option to Enable or Disable USB Access, on page 167
• Autogenerated File Directories and Files, on page 168
• Flash Storage, on page 169
• LED Indicators, on page 170
• Related Documentation, on page 170

Installing the Software


Installing software on the router involves installing a consolidated package (bootable image). This consists
of a bundle of subpackages (modular software units), with each subpackage controlling a different set of
functions.
These are the two main methods to install the software:
• Managing and Configuring a Router to Run Using Consolidated Packages —This method allows for
individual upgrade of subpackages and generally has reduced boot times compared to the method below.
Use this method if you want to individually upgrade a module's software.
• Managing and Configuring a Router to Run Using Individual Packages —This simple method is similar
to a typical Cisco router image installation and management that is supported across Cisco routers.

It is better to upgrade software in a planned period of maintenance when an interruption in service is acceptable.
The router needs to be rebooted for a software upgrade to take effect.

Licensing
This section contains the following:

Cisco Software Licensing


Cisco software licensing consists of processes and components to activate Cisco IOS software feature sets by
obtaining and validating Cisco software licenses.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


163
Installing the Software
Consolidated Packages

You can enable licensed features and store license files in the bootflash of your router. Licenses pertain to
consolidated packages, technology packages, or individual features.
The IR1101 uses Smart Licensing, which is discussed in detail in the next chapter.
The IR1101 does not support the Right to Use licenses, and supports only the Specific License Reservation
(SLR)

Consolidated Packages
To obtain software images for the router, go to: https://software.cisco.com/download/home/286319772/type/
282046477/release/Gibraltar-16.11.1

Note All of the IOS-XE feature set may not apply to the IR1101. Some features may not have been implemented
yet, or are not appropriate for this platform.

An image-based license is used to help bring up all the subsystems that correspond to a license. This license
is enforced only at boot time.
One of the following image-based licenses can be pre-installed on the IR1101 router:
• Network-Essentials
• Network-Advantage

Note Details of the Network-Essentials and Network-Advantage contents can be found in the product data
sheet located here:

https://www.cisco.com/c/en/us/products/collateral/routers/1101-industrial-integrated-services-router/
datasheet-c78-741709.html

Network-Essentials
The Network-Essentials technology package includes the baseline features. It also supports security features.
The Network-Essentials_npe technology package (npe = No Payload Encryption) includes all the features
in the Network-Essentials technology package without the payload encryption functionality. This is to fulfill
export restriction requirements. The Network-Essentials_npe is available only in the Network-Essentials_npe
image. The difference in features between the Network-Essentials package and the Network-Essentials_npe
package is therefore the set of payload encryption features such as IPsec and Secure VPN.

Network-Advantage
The Network-Advantage technology package includes all crypto features.
The Network-Advantage_npe package (npe = No Payload Encryption) includes all the features in the
Network-Advantage technology package without the payload-encryption functionality. This is to fulfill
export restriction requirements. The Network-Advantage_npe package is available only in the
Network-Advantage_npe image. The difference in features between the Network-Advantage package and
the Network-Advantage_npe package is therefore the set of payload-encryption-enabling features such as
IPsec and Secure VPN.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


164
Installing the Software
Related Documentation

Related Documentation
For further information on software licenses, see the Smart Licensing chapter.

How to Install the Software for Cisco IOS XE


To install the software, use one of the following methods to use the software from a consolidated package or
an individual package. Also see Overview section.
• Managing and Configuring a Router to Run Using a Consolidated Package section
• Managing and Configuring a Router to Run Using Individual Packages section
• Configuring a Router to Boot the Consolidated Package via TFTP Using the boot Command: Example
section

Installing the Cisco IOS XE Release


When the device boots up with Cisco IOS XE image for the first time, the device checks the installed version
of the ROMMON, and upgrades if the system is running an older version. During the upgrade, do not power
cycle the device. The system automatically power cycles the device after the new ROMMON is installed.
After the installation, the system will boot up with the Cisco IOS XE image as normal.

Note When the device boots up for first time and if the device requires an upgrade, the entire boot process
may take several minutes. This process will be longer than a normal boot due to the ROMMON upgrade.

The following example illustrates the boot process of a consolidated package:


Router# configure terminal
Router(config)#boot sys bootflash:ir1101-universalk9.16.10.01.SPA.bin
Router(config)#config-register 0x2102
Router(config)#exit
Router#
*Nov 7 00:07:06.784: %SYS-5-CONFIG_I: Configured from console by console
Router#
Router#show run | inc license
license udi pid IR1101-K9 sn FCW2150TH0F
license boot level network-advantage
Router#
Router#reload ?
/noverify Don't verify file signature before reload.
/verify Verify file signature before reload.
at Reload at a specific time/date
cancel Cancel pending reload
in Reload after a time interval
pause Pause during reload
reason Reload reason
<cr> <cr>

Router#reload /verify

System configuration has been modified. Save? [yes/no]: yes


Building configuration...

[OK]
*Nov 7 00:08:48.101: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file
Verifying file integrity of bootflash:/ir1101-universalk9.16.10.01.SPA.bin...........

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


165
Installing the Software
ROMMON Images

....................................

Embedded Hash SHA1 : B0315BDC4F545D624BB128CE0FFAA468E6EF7587


Computed Hash SHA1 : B0315BDC4F545D624BB128CE0FFAA468E6EF7587
Starting image verification
Hash Computation: 100%Done!
Computed Hash SHA2: 03febcc07fbeadeed664f2f5ef87f6c3
5b343e6f7aecdd70e50e5203909aec8f
3d276529d2a6af6859d4c77237f812d5
0da93678edc942c8874edca2d5224101

Embedded Hash SHA2: 03febcc07fbeadeed664f2f5ef87f6c3


5b343e6f7aecdd70e50e5203909aec8f
3d276529d2a6af6859d4c77237f812d5
0da93678edc942c8874edca2d5224101

Digital signature successfully verified in file bootflash:/ir1101-universalk9.16.10.01.SPA.bin


Signature Verified

Proceed with reload? [confirm]

*Jul 9 06:43:37.910: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload


Command. Jul 9 14:43:59.134: %PMAN-5-EXITACTION: R0/0: pvp: Process manager is exiting:
process exit with reload chassis code

watchdog watchdog0: watchdog did not stop!


reboot: Restarting system

Press RETURN to get started!

ROMMON Images
A ROMMON image is a software package used by ROM Monitor (ROMMON) software on a router. The
software package is separate from the consolidated package normally used to boot the router.
An independent ROMMON image (software package) may occasionally be released and the router can be
upgraded with the new ROMMON software. For detailed instructions, see the documentation that accompanies
the ROMMON image.

Note A new version of the ROMMON image is not necessarily released at the same time as a consolidated
package for a router.

File Systems
The following table provides a list of file systems that can be seen on the Cisco IR1101 router.

Table 11: Router File Systems

File System Description

bootflash: Boot flash memory file system.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


166
Installing the Software
Option to Enable or Disable USB Access

File System Description

flash: Alias to the boot flash memory file system above.

cns: Cisco Networking Services file directory.

nvram: Router NVRAM. You can copy the startup configuration to NVRAM or from
NVRAM.

obfl: File system for Onboard Failure Logging (OBFL) files.

system: System memory file system, which includes the running configuration.

tar: Archive file system.

tmpsys: Temporary system files file system.

usbflash0: The Universal Serial Bus (USB) flash drive file systems.
Note The USB flash drive file system is visible only if a USB drive is installed
in the usb port.

Use the ? help option if you find a file system that is not listed in the table above.

Option to Enable or Disable USB Access


USB flash drives offer inexpensive and easy storage space for the routers to store the images, configuration
files and other files.
Note: The IR1101 supports ext2 and vfat file systems for USB flash drives.
The IR1101 supports hot plug/unplug of USB flash drives. To access the USB flash drive, insert the device
into Router's USB interface. Once the USB is recognized, an alert message is seen on the console:

Aug 1 11:08:53.198 PDT: %IOSD_INFRA-6-IFS_DEVICE_OIR: Device usbflash0 added

After this message is seen, the USB flash drive is accessible. Users can access the USB contents using the
dir usbflash0: command:

Device#dir usbflash0:
Directory of usbflash0:/
5 drwx 512 Aug 23 2019 10:42:18 -07:00 System Volume Information
6 -rwx 35 Aug 27 2019 17:40:38 -07:00 test.txt
206472192 bytes total (206470144 bytes free)
Device#

Contents can be copied to and from the USB flash drive using the copy command. Once the copy is complete,
a log message showing number of bytes copied is displayed.

Device#copy flash:test.txt usbflash0:


Destination filename [test.txt]? <Enter>
Copy in progress...C
35 bytes copied in 0.020 secs (1750 bytes/sec)
Device#

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


167
Installing the Software
Autogenerated File Directories and Files

While hot plug/unplug of a USB flash drive is supported, the functionality comes with security vulnerabilities.
To prevent users from copying sensitive information to the USB flash drive, USB enable/disable functionality
has been added.
By default, the USB flash drive is enabled. If a user wishes to disable USB, they can do so using the disable
command:

Device# config terminal


Device(config)#platform usb disable

Device(config)#end

Once the USB flash drive has been disabled, the file system is not shown on the Device and syslog messages
will not be displayed when the USB is inserted. Users will not be able to access the contents of the USB.
For example:

Device#dir usbflash0:
dir usbflash0:
^
% Invalid input detected at '^' marker.
Device#

The USB is enabled by issuing a 'no' with the disable command:

Device#config terminal

Device(config)#no platform usb disable


Device(config)#end

The USB status can be displayed using the following command:

Device#show platform usb status


USB enabled
Device#

The USB port could be considered a potential security risk. If you wish to disable the USB port, use these
steps:
Configure terminal
platform usb disable
exit

show platform usb

Autogenerated File Directories and Files


This section discusses the autogenerated files and directories that can be created, and how the files in these
directories can be managed.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


168
Installing the Software
Flash Storage

Table 12: Autogenerated Files

File or Directory Description

crashinfo files Crashinfo files may appear in the bootflash: file system.
These files provide descriptive information of a crash and may be useful for
tuning or troubleshooting purposes. However, the files are not part of router
operations, and can be erased without impacting the functioning of the router.

core directory The storage area for .core files.


If this directory is erased, it will automatically regenerate itself at bootup.
The .core files in this directory can be erased without impacting any router
functionality, but the directory itself should not be erased.

managed directory This directory is created on bootup if a system check is performed. Its
appearance is completely normal and does not indicate any issues with the
router.

tracelogs directory The storage area for trace files.


Trace files are useful for troubleshooting. If the Cisco IOS process fails, for
instance, users or troubleshooting personnel can access trace files using
diagnostic mode to gather information related to the Cisco IOS failure.
Trace files, however, are not a part of router operations, and can be erased
without impacting the router's performance.

Important Notes About Autogenerated Directories


Important information about autogenerated directories include:
• Autogenerated files on the bootflash: directory should not be deleted, renamed, moved, or altered in any
way unless directed by Cisco customer support.

Note Altering autogenerating files on the bootflash: may have unpredictable


consequences for system performance.

• Crashinfo files and files in the core and tracelogs directory can be deleted.

Flash Storage
Subpackages are installed to local media storage, such as flash. For flash storage, use the dir bootflash:
command to list the file names.

Note Flash storage is required for successful operation of a router.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


169
Installing the Software
LED Indicators

LED Indicators
For information on LEDs on the router, see "LED Indicators" in the "Product Overview" section of the Cisco
Catalyst IR1101 Rugged Series Router Hardware Installation Guide
To monitor the LED status of the system, the alarm and interface ports, the show LED command line is
supported in IOS mode.
Router# show LED
SYSTEM LED : Green

Custom LED : Off

VPN LED : Off

ALARM LED : Off

GigabitEthernet0/0/0 LED : Off


FastEthernet0/0/1 LED : Off
FastEthernet0/0/2 LED : Off
FastEthernet0/0/3 LED : Off
FastEthernet0/0/4 LED : Off
GigabitEthernet0/0/5 LED : On

EM Module digital I/O 1 LED : Off


EM Module digital I/O 2 LED : Off
EM Module digital I/O 3 LED : Off
EM Module digital I/O 4 LED : Off

*System LTE Pluggable*


LTE module Enable LED : Green
LTE module SIM 0 LED : Green
LTE module SIM 1 LED : Off
LTE module GPS LED : Off
LTE module RSSI 0 LED : On
LTE module RSSI 1 LED : On
LTE module RSSI 2 LED : On
LTE module RSSI 3 LED : On

*EM Module LTE Pluggable*


LTE module Enable LED : Green
LTE module SIM 0 LED : Green
LTE module SIM 1 LED : Off
LTE module GPS LED : Off
LTE module RSSI 0 LED : On
LTE module RSSI 1 LED : On
LTE module RSSI 2 LED : On
LTE module RSSI 3 LED : On
Router#

Related Documentation
For further information on software licenses, see the Smart Licensing Chapter.
For further information on obtaining and installing feature licenses, see Configuring the Cisco IOS Software
Activation Feature.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


170
CHAPTER 20
Cisco Network Plug and Play Agent
This chapter contains the following sections:
• Prerequisites for Cisco Network Plug and Play Agent, on page 171
• Restrictions for Cisco Network Plug and Play Agent, on page 172
• Information About Cisco Network Plug and Play Agent, on page 172
• Security Methods for the PnP Discovery Process, on page 186
• Security Methods for Post-PnP Discovery Process, on page 192
• How to Configure Cisco Network Plug and Play Agent, on page 195
• Troubleshooting and Debugging, on page 205
• Glossary, on page 206
• Additional References for Open Plug-n-Play Agent, on page 206

Prerequisites for Cisco Network Plug and Play Agent


• Cisco Network Plug and Play (PnP) deployment method depends on the type of discovery process as
required by the customer.
• Deploy the discovery mechanism, either a DHCP server discovery process or a Domain Name Server
(DNS) discovery process, before launching the PnP.
• Configure the DHCP server or the DNS server before deploying the PnP.
• Ensure that the PnP server talks to the PnP agent.
• Ensue that the Cisco Network PnP Agent has connectivity with the PnP Server. The Cisco Network PnP
Agent should be able to PING server.
• The PnP agent enforces the PnP server to send user credentials for every request. Cisco recommends the
usage of HTTP secure (HTTPS) protocol.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


171
Cisco Network Plug and Play Agent
Restrictions for Cisco Network Plug and Play Agent

Note • The terms Cisco Network Plug and Play, PnP are interchangeably used in this guide and all mean
the same.
• The terms PnP agent, agent, and deployment agent are interchangeably used in this guide and all
mean the same.
• The terms PnP server, server, and deployment server are interchangeably used in this guide and all
mean the same.

Restrictions for Cisco Network Plug and Play Agent


• Cisco Network Plug and Play (PnP) agent facilitates HTTP and HTTP secure (HTTPS) transport based
communication with the server.
• HTTPS cannot be used on platforms where crypto-enabled images are not supported (also, do not use
Secure Sockets Layer [SSL] or Transport Layer Security [TLS] protocols if crypto-enabled images are
used).
• Non-VLAN 1 configuration-Cisco Network Plug and Play supports devices using VLAN 1 by default.
To use a VLAN other than 1, adjacent upstream devices must use supported releases and configure the
following global CLI command on the upstream device to push this CLI to the upcoming Plug and Play
device: pnp startup-vlan x. When you execute this command on an adjacent upstream device, the VLAN
membership change does not happen on that device. However, all the active interfaces on the upcoming
Plug and Play device are changed to the specified VLAN. This guideline applies to both routers and
switches.

Information About Cisco Network Plug and Play Agent


Cisco Network Plug and Play Deployment Solution
The Cisco Network PnP Agent is a part of Cisco Network Plug and Play solution. The Cisco initiated Network
Plug and Play (PnP) deployment solution supports the concept of redirection and includes a PnP agent, a PnP
server, and other components. Simplified deployment process of any Cisco device automates the following
deployment related operational tasks:
• Establishing initial network connectivity for the device
• Delivering device configuration
• Delivering software and firmware images
• Delivering licenses
• Delivering deployment script files
• Provisioning local credentials
• Notifying other management systems about deployment related events

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


172
Cisco Network Plug and Play Agent
Cisco Network Plug and Play Features

Simplified deployment reduces the cost and complexity and increases the speed and security of deployments.
Cisco Network Plug and Play (PnP) agent is a software application that is running on a Cisco IOS or IOS-XE
device. The PnP agent together with the PnP deployment server provides effortless deployment services.
When a device is powered on for the first time, the PnP agent process wakes up in the absence of the startup
config, user input on the device's console, and attempts to discover the address of the PnP server. The PnP
agent uses methods like DHCP, Domain Name System (DNS), and others to acquire the desired IP address
of the PnP server. When the PnP agent successfully acquires the IP address, it initiates a long lived, bidirectional
layer 3 connection with the server and waits for a message from the server. The PnP server application sends
messages to the agent requesting for information and services to be performed on the device.
The PnP agent converges existing solutions into a unified agent and adds functionality to enhance the current
solutions. The main objectives of PnP agent are:
• Provide consistent day 1 deployment solution for all the deployment scenarios.
• Add new features to improve existing solutions.
• Provide day 2 management framework mainly in the context of configuration and image upgrades.

Cisco Network Plug and Play Features


Some of the features that the Cisco Network Plug and Play agent provides:
• Day 0 boot strapping—Configuration, image, licenses, and other files
• Day 2 management—Configuration and image upgrades and on-going monitoring of Simple Network
Management Protocol (SNMP) and syslog messages.
• Open communication protocol—Enables customers and partners to write applications
• XML based payload over HTTP between the server and the agent.
• Security—Authentication and encrypted communication channel between the management app and the
agent
• Deployment and management of devices behind firewall and Network Address Translation (NAT).
• Support for one-to-one and one-to-many communication
• Support for policy based deployment (product ID or location of the device)
• Deployment based on unique ID (Unique Device Identifier [UDI] or MAC)
• Unified solution across Cisco platforms (including IOS classic)
• Support for various deployment scenarios and use cases
• Zero-touch when possible, low-touch when needed

Cisco Network Plug and Play Agent Services and Capabilities


The services and capabilities of the Cisco Network Plug and Play agent are as follows:
1. Backoff
2. CLI execution
3. Configuration upgrade

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


173
Cisco Network Plug and Play Agent
Cisco Network Plug and Play Agent Services and Capabilities

4. Device information
5. File transfer
6. Image install
7. License install
8. PnP tagging
9. Script execution
10. Topology information

Note The PnP server provides an optional checksum tag to be used in the image installation and config upgrade
service requests by the PnP agent. When the checksum is provided in the request, the image install
process compares the checksum against the current running image checksum.
If the checksums are same, the image being installed or upgraded is the same as the current image running
on the device. The image install process will not perform any other operation in this scenario.
If the checksums are not same, then the new image will be copied to the local file system, and checksum
will again be calculated and compared against the checksum provided in the request. If same, the process
will continue to install the new image or upgrade the device to new image. If now, the checksums are
not same, the process will exit with error.

Backoff
A Cisco IOS device that supports PnP protocol (that uses HTTP transport), requires the PnP agent to send the
work request to the PnP server continuously. In case the PnP server does not have any scheduled or outstanding
PnP service for the PnP agent to execute, the continuous no operation work requests exhausts both network
bandwidth and device resource. This PnP backoff service allows the PnP server to inform the PnP agent to
rest for the specified time and call back later.

CLI Execution
Cisco IOS supports two modes of command execution—EXEC mode and global configuration mode. Most
of the EXEC commands are one-time commands, such as show commands, which show the current
configuration status, and clear commands, which clear counters or interfaces. The EXEC commands are not
saved when a device reboots. Configuration modes allow user to make changes to the running configuration.
If you save the configuration, these commands are saved when a device reboots.

Note For show command request and response details and for all PnP configuration commands, see Cisco
Network Plug and Play Agent Command Reference.

Configuration Upgrade
There are two types of configuration upgrades that can happen in a Cisco device—copying a new configuration
files to startup configuration and copying new configuration files to running configuration.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


174
Cisco Network Plug and Play Agent
Cisco Network Plug and Play Agent Services and Capabilities

Copying a new configuration files to startup configuration— The new configuration file is copied from the
file server to the device through copy command and file check is performed to check the validity of the file.
If the file is valid, then the file is copied to startup configuration. Backing up the previous configuration file
will be done if there is enough disk space available. The new configuration is seen when the device reloads
again.
Copying new configuration files to running configuration— The new configuration file is copied from the
file server to the device through copy command or configure replace command. Configuration file replace
and rollback may leave the system in an unstable state if rollback is performed efficiently. So configuration
upgrade by copying the files is preferred.

Device Information
The PnP agent provides capability to extract device inventory and other important information to the PnP
server on request. The following five types of device-profile requests are supported:
1. all—returns complete inventory information, which includes unique device identifier (UDI), image,
hardware and file system inventory data.
2. filesystem— returns file system inventory information, which includes file system name and type, local
size in bytes, free size in bytes, read flag, and write flag.
3. hardware— returns hardware inventory information, which includes hostname, vendor string, platform
name, processor type, hardware revision, main memory size, I/O memory size, board ID, board rework
ID, processor revision, midplane revision, and location.
4. image—returns image inventory information, which includes version string, image name, boot variable,
return to rommon reason, bootloader variable, configuration register, configuration register on next boot,
and configuration variable.
5. UDI— returns device UDI.

File Transfer
The PnP file server hosts files that can be copied over by the deploying devices in the network. The file server
can be a dedicated server hosting files or a part of the device hosting the PnP server. The PnP agent uses
standard file transfer protocols to copy files from the remote file server to the device. If the device is running
a crypto image then secured file transfer protocols such as SFTP, SCP, HTTPS are supported. For devices
running non-crypto images, the PnP agent supports unsecured copy protocols such as FTP, TFTP, HTTP.

Image Install
Image installation service enables a PnP-enabled device to perform image upgrade on receiving a request
from the PnP server.
Standalone Devices
When the PnP agent on a standalone device receives a request from the PnP server, the agent parses the XML
payload and identifies the request as an Image Upgrade request. The agent then creates an ImageInstall process,
which identifies the request as a standalone image install request. The PnP agent populates the data structure
defined by the ImageInstall service and passes it to the ImageInstall service.
The Image Install service then performs the following operations to successfully load the device with the new
image:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


175
Cisco Network Plug and Play Agent
Software Maintenance Upgrade

1. Copies the image from the file server to a local disk (the file server information is provided by the PnP
server in the request).
2. Configures the device to load the new image on next reload by executing the boot system command.
3. Reloads the device and sends a message to the PnP server.

PnP Tagging
Cisco IOS provides capability to assign tags to the devices for better grouping and tracking of all Cisco devices.
The PnP agent provides XML service for configuring the tag information on the device and for propagating
the tag information within the network using Cisco Discovery Protocol (CDP). The purpose of this service is
for the PnP agents to get to know their tag information and to pass on this information to the PnP server upon
request.

Topology Information
By default, every Cisco device on the network runs Cisco Discovery Protocol (CDP). Through CDP, devices
in the network discover their immediate neighbors and populate their databases with the attributes learnt or
derived through the protocol. This neighbor information is stored in the database and is available on demand
by the device to the PNP server. Typical neighbor information comprises neighboring device ID, software
version, hardware platform, interface ip, and the port on which CDP messages are sent or received.

Software Maintenance Upgrade


The software maintenance upgrade (SMU) is a package that contains fixes for a specific defect or security
resolution to a released image. SMUs are created to respond to immediate issues and do not include new
features. SMUs do not have a large impact on router operations. SMU versions are synchronized to the package
major, minor, and maintenance versions they upgrade.
To install and activate a software maintenance upgrade package:

Step 1 Use the install add <filename> command to unpack the package software file and copy it to the boot device (usually
disk0). If the file is on a remote source, use the tftp/ftp option to copy the file to the device.
After the file is copied to the device, information within the package is used to verify compatibility with the target cards
and with the other active software. Actual activation is performed only after the package compatibility and application
program interface (API) compatibility checks are passed.

Step 2 To activate a package, use the install activate <filename> command. The activate operation will run the compatibility
checks and install the software maintenance upgrade package. If it is a reload software maintenance upgrade, it will
automatically initiate a reload.
Step 3 Use the install commit command to commit the changes
Step 4 To deactivate the package, use the install deactivate <filename> command.
Step 5 If you find that you prefer a previous package set over the currently active package set, you can use the install rollback
to committed command to make a previously active package set active again
Step 6 To remove the installed version, use the install remove <filename> command.
This example shows how to install and remove the software maintenance upgrade package on a device.
install add <filename>
install activate <filename>
install commit

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


176
Cisco Network Plug and Play Agent
Cisco Network Plug and Play Agent

install rollback to committed


install remove <filename>

Cisco Network Plug and Play Agent


The Cisco Network Plug and Play agent is an embedded software component that is present in all Cisco
network devices that support simplified deployment architecture. The PnP agent understands and interacts
only with a PnP server. The PnP agent first tries to discover a PnP server, with which it can communicate.
Once a server is found and connection established, the agent performs deployment related activities like
configuration, image, license, and file updates by communicating with the server. It also notifies the server
of all interesting deployment related events like out-of-band configuration changes and a new device connection
on an interface.

Cisco Network Plug and Play Server


The Cisco Network Plug and Play server is a central server that encodes the logic of managing and distributing
deployment information (images, configurations, files, and licenses) for the devices being deployed. The
server communicates with the agent on the device that supports the simplified deployment process using a
specific deployment protocol.
Figure 48: Simplified Deployment Server

The PnP server also communicates with proxy servers like deployment applications on smart phones and PCs,
or other PnP agents acting as Neighbor Assisted Provisioning Protocol (NAPP) servers, and other types of
proxy deployment servers like VPN gateways.
The PnP server can redirect the agent to another deployment server. A common example of redirection is a
PnP server redirecting a device to communicate with it directly after sending the bootstrap configuration
through a NAPP server. A PnP server can be hosted by an enterprise. This solution allows for a cloud based

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


177
Cisco Network Plug and Play Agent
Cisco Network Plug and Play Agent Deployment

deployment service provided by Cisco. In this case, a device discovers and communicates with Cisco’s cloud
based deployment service for initial deployment. After that, it can be redirected to the customer’s deployment
server.
In addition to communicating with the devices, the server interfaces with a variety of external systems like
Authentication, Authorizing, and Accounting ( AAA) systems, provisioning systems, and other management
applications.

Cisco Network Plug and Play Agent Deployment


The following steps indicate the Cisco Network Plug and Play agent deployment on Cisco devices:
1. The Cisco device, having PnP agent contacts the PnP server requesting for a task, that is, the PnP Agent
sends its unique device identifier (UDI) along with a request for work.
2. The PnP server if it has any task for the device, sends a work request. For example, image install, config
upgrade, and so on.
3. When the PnP agent receives the work request, executes the task and sends back a reply to the PnP server
about the task status, whether it is a success or error, and the corresponding information requested.

Cisco Network Plug and Play Agent Network Topology


Figure 49: Network Topology of Cisco Network Plug and Play Agent Deployment

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


178
Cisco Network Plug and Play Agent
Cisco Network Plug and Play Agent Initialization

Cisco Network Plug and Play Agent Initialization


The Cisco Network Plug and Play agent software is currently available on all Cisco IOS XE platforms, and
is enabled by default. The PnP agent can be initiated on a device by the following ways:

Absence of Startup Configuration


New Cisco devices are shipped to customers with no startup configuration file in the NVRAM of the devices.
When a new device is connected to a network and powered on, the absence of a startup configuration and the
user input file on the device, it will automatically trigger the Cisco Network Plug and Play agent to discover
the PnP server IP address.
Figure 50: State Diagram for PnP Trigger with no Startup Configuration

CLI Configuration for Open Plug-n-Play Agent


Network administrators may use CLI configuration mode to initiate the Open Plug-n-Play (PnP) agent process
at any time. By configuring a PnP profile through CLI, a network administrator can start and stop the PnP
agent on a device. When the PnP profile is configured with CLI, the device starts the PnP agent process which,
in turn, initiates a connection with the PnP server using the IP address in the PnP profile.
Figure 51: State Diagram for PnP Trigger with CLI Configured PnP Profile

Cisco Network Plug and Play Agent Deployment Solutions


This section discusses the functionality of the Cisco Network Plug and Play agent, exposed to the PnP server,
for device deployment and management. The PnP agent deployment solution comprises the discovery process
initiated by the agent, communication between the device, agent, and the server, and the PnP agent services.
The PnP solution is described in detail in the following sections:

Cisco Network Plug and Play Agent Discovery Process


When the device boots up, the absence of any startup config on the NVRAM triggers the PnP discovery agent
to acquire the IP address of the PnP server. In order to acquire the IP address of the PnP server, the PnP agent
goes through one of the following discovery mechanisms:
1. PnP discovery through DHCP server
2. PnP discovery through DHCP snooping
3. PnP discovery through DNS lookup

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


179
Cisco Network Plug and Play Agent
Cisco Network Plug and Play Discovery through DHCP Server

4. PnP proxy for layer 2 and layer 3 devices


5. PnP deployment application

Cisco Network Plug and Play Discovery through DHCP Server


Device with no startup configuration in the NVRAM triggers the Cisco Network Plug and Play agent to initiate
a DHCP discovery process which acquires the IPv4 configuration from the DHCP server required for the
device. The DHCP server can be configured to insert additional information using vendor specific option 43
upon receiving option 60 from the device with the string ‘cisco pnp’, to pass on the IPv4 address or hostname
of the PnP server to the requesting device. When the DHCP response is received by the device, the PnP agent
extracts the option 43 from the response to get the IP address or the hostname of the PnP server. PnP agent
then uses this IPv4 address or hostname to communicate with the PnP server.
Figure 52: DHCP Discovery Process for PnP server

Assumptions:
• New devices can reach DHCP server
• Customer is willing to configure DHCP server for network devices

Plug-n-Play Discovery through DHCP Snooping


If a third party DHCP server cannot be configured to insert any vendor specific options, an existing Cisco
Open Plug-n-Play (PnP) enabled device can be configured to snoop in to the DHCP response and insert PnP
specific option 43 with the PnP server IP address.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


180
Cisco Network Plug and Play Agent
Cisco Network Plug and Play Discovery through DNS Lookup

Before inserting the option 43, the snooping agent verifies if the DHCP message is from a Cisco device in
the network. The remaining DHCP discovery process is same as described in the previous section.
Figure 53: DHCP Snooping by PnP Server

Assumptions:
• New devices can reach DHCP server
• New devices can reach DNS server
• Customer is not willing to configure DHCP server for network devices
• Upstream switch (SW) is configured to snoop DHCP and insert PnP server IP

Cisco Network Plug and Play Discovery through DNS Lookup


When the DHCP discovery fails to get the IP address of the Cisco Network Plug and Play server, the agent
falls back on Domain Name System (DNS) lookup method. PnP agent then uses a preset deployment server
name. The agent obtains the domain name of the customer network from the DHCP response and constructs
the fully qualified domain name (FQDN). The following FQDN is constructed by the PnP agent using a preset
deployment server name and the domain name information for the DHCP response, deployment.customer.com.
The agent then looks up the local name server and tries to resolve the IP address for the above FQDN.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


181
Cisco Network Plug and Play Agent
Cisco Network Plug and Play Proxy Server for Layer 3 and Layer 2 Devices

Figure 54: DNS Lookup for deployment.customer.com

Assumptions:
• New devices can reach DHCP server
• Customer deployed PnP server in the network with the name “pnpserver”

Cisco Network Plug and Play Proxy Server for Layer 3 and Layer 2 Devices
This device listens to a specific port for any incoming PnP messages. The Cisco device which is trying to
come up as a PnP device sends a UDP broadcast message to its network every 30 min for ten times. Hence,
if the device does not receive a response, the broadcasts stop after 300 min.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


182
Cisco Network Plug and Play Agent
Cisco Network Plug and Play Proxy Server for Layer 3 and Layer 2 Devices

Figure 55: DNS Lookup for Layer 3 and Layer 2 Devices

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


183
Cisco Network Plug and Play Agent
Plug-n-Play Agent Deployment Application

When the device hosting the proxy server process receives the incoming broadcasts, it verifies the version
field in the request and forwards the request to the PnP server if version validation is successful. The proxy
server process also caches the unique device identifier (UDI) of the requesting client coming in via incoming
datagram before forwarding the request to PnP server.
Upon receiving the configlet datagram from PnP server, the proxy server validates UDI in the incoming
datagram with the entries in the UDI cache. If validation is successful, proxy server process broadcasts the
datagram to a specific port number reserved for the proxy client processes to receive datagrams.
Upon receiving the datagrams, devices running proxy client processes, parse the incoming datagram for the
target UDI. If the target UDI in the datagram matches the UDI of the device, proxy client process proceeds
with framing, error control and configuring the configlet.
If the target UDI in the datagram fails to match UDI of the device, the packet is dropped.

Plug-n-Play Agent Deployment Application


A Cisco device can alternatively be manually configured by the network administrator using a deployment
application running on their PC or on a smart phone. The PC or the smart phone can be connected to the
device using an USB or an Ethernet cable.
Figure 56: Manually Configured PnP Agent

Plug-n-Play Agent Deployment Protocol


Deployment can be run over different transports. These transports include Ethernet and IP with Transport
Layer Security (TLS). Layer 2 transport is typically used between a deployment agent and a proxy deployment
server like a deployment application or as a deployment agent acting as a proxy. Transport between an agent
and a server is over an IP connection with TLS for security. Transport between a proxy deployment server
and a deployment server is also over IP with TLS.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


184
Cisco Network Plug and Play Agent
Plug-n-Play Agent Application Protocol

Plug-n-Play Agent Application Protocol


The Cisco Open Plug-n-Play (PnP) agent application protocol is an XML-based protocol that defines a
mechanism that allows network devices to be monitored and controlled by a remote application. The PnP
agent is a software module running on a Cisco device. The PnP server is an application running as the network
manager that remotely manages the network devices. The main features of the PnP protocol are as follows:
1. Supports HTTP protocols
2. Supports Transport Level Security (TLS) based encryption for HTTP
3. Uses HTTP secure (HTTPS) certificate for TLS handshake

Plug-n-Play Transport over Ethernet


Cisco Open Plug-n-Play (PnP) agent uses the Ethernet based transport in the following two scenarios:
• Deployment agent communicating with a deployment application on a PC: In this case, the PC is
connected to the device being deployed using an Ethernet cable. The deployment application advertises
itself as a deployment server supporting Ethernet transport.
• Deployment agent communicating with an already deployed device acting as a proxy deployment
server: In this case, the new device being deployed has an Ethernet connection to an already deployed
device. The deployment agent on the deployed device responds to the discovery requests and acts as a
proxy deployment server for the new device.

Once discovery is complete, the deployment agent starts an unsecured XML stream with the deployment
server over Ethernet. This protocol reserves an Ethertype (0xXX TBD) for this purpose. The deployment
agent and the server then negotiate to use Extensible Authentication Protocol–Transport Layer Security
(EAP-TLS) to protect the communication and complete the EAP-TLS session establishment. The deployment
server then authenticates the device with the HTTP secure (HTTPS) certificate or some other supported
mechanism.

Plug-n-Play Transport over IP


In Cisco Network Plug-n-Play (PnP) agent, the deployment agent opens TCP connection to the deployment
server and starts an XML stream of messages. The server can request the use of Transport Layer Security
(TLS) at this time. The agent closes the existing XML stream, initiates a TLS connection to the server, and
then restarts the XML stream. The server can request agent authentication over the TLS connection.

Plug-n-Play Agent Security


Security to all Cisco Open Plug-n-Play (PnP) devices is provided at both transport level as well as the application
level. The following sections describe the security mechanisms in detail:

Plug-n-Play Transport Layer 3 Security


For non-crypto or non-crypto-enabled images, TLS security choice is not possible. One alternative minimum
security is to have the PnP agent initiate the connection to the specified trusted PnP server on port 5222.

Authentication and Authorization between Plug-n-Play Agent and Server


Once the Cisco Open Plug-n-Play (PnP) deployment agent discovers the PnP server, the agent engages the
server in a Transport Layer Security (TLS) handshake. In order to authenticate itself to the server, the agent
presents its HTTP secure (HTTPS) certificate. The administrator for the PnP server sets device authentication
mechanisms which are acceptable for a particular deployment.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


185
Cisco Network Plug and Play Agent
Security Methods for the PnP Discovery Process

The deployment server presents its certificate to the deployment agent so that the agent can authenticate the
server. Irrespective of whether the agent is able to verify the server certificate, the agent engages the deployment
server in a post-TLS authorization exchange. In this exchange the agent requests the server to present its server
authorization token. In response to this request the server presents the authorization token it had obtained
from Cisco. The agent verifies the signature on the authorization token. If the authorization token is specific
to a Unique Device Identifier (UDI), the agent also ensures its UDI is listed in the authorization-token. At the
end of this step, a secure communication channel is established between the deployment agent and the server.
This secure communication channel is leveraged by the server to send deployment information to the agent.

Security Methods for the PnP Discovery Process


This section describes the methods that are used to secure the PnP agent-server communication in various
scenarios. The security options are used by the PnP agent during the zero-touch PnP server discovery. This
section includes the following topics:
• Self-Signed Certificate Based Authentication , on page 186
• Mobile Device Based Secured Installation, on page 187
• CA-Signed Certificate based Authentication, on page 187
• DHCP Option based Discovery over an IPv4 Network, on page 187

Self-Signed Certificate Based Authentication


The PnP server has an option to use a self-signed SSL certificate for server side authentication. When the PnP
server uses a self-signed certificate, the PnP discovery cannot be used for automatically initiating secured
communication from the agent to the server. The device goes through usual PnP discovery mechanisms and
when it finds the server, the agent sends a work-request over HTTP. The server should use the PnP
certificate-install service to instruct the agent to install the server self-signed certificate, and then automatically
reconnect back to the server over HTTPs.
To keep the solution secured, it is recommended that you use the unsecured port 80 of server to deliver the
one-time certificate installation to the devices. All other services should be sent over the secured port.
The following figure shows the end-to-end secured PnP workflow using a self-signed server SSL certificate.
Figure 57: PnP Deployment with Self-Signed Certificate

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


186
Cisco Network Plug and Play Agent
Mobile Device Based Secured Installation

Mobile Device Based Secured Installation


As part of this solution, an application for mobile devices is available to configure the bootstrap on the devices.
The mobile application can be used to install the server certificate directly on each device along with other
bootstrap configuration and then allow the PnP agent initiate secured communication with the server. In this
method, the server does not open up any unsecured port for certificate-install.
The following figure shows the end-to-end secured PnP workflow using the application on the mobile devices.
Figure 58: Secured PnP Deployment with the Mobile Application

CA-Signed Certificate based Authentication


Cisco distributes certificates signed by a signing authorities in a tar file format and signs the bundle with Cisco
Certificate Authority (CA) signature. This certificate bundle is provided by Cisco infoSec for public downloads
on cisco.com.
The certificates from this bundle can be installed on the Cisco IOS device for server side validation during
SSL handshake. It is assumed that the server uses a certificate, which is signed by one of the CA that is
available in the bundle.
The PnP agent uses the built-in PKI capability to validate the certificate bundle. As the bundle is signed by
Cisco CA, the agent is capable of identifying the bundle that is tampered before installing the certificates on
the device. After the integrity of the bundle is ensured by the agent, the agent installs the certificates on the
device. After the certificates are installed on the device, the PnP agent initiates an HTTPs connection to the
server without any additional steps from the server. The following mechanisms helps the PnP agent to initiate
a zero-touch secured communication.

DHCP Option based Discovery over an IPv4 Network


The DHCP option 43 and option 60 is a vendor specific identifier which is used by the PnP agent to locate
and connect to the PnP server. To support multiple vendors, the PnP agent in Cisco device sends out a
case-sensitive “ciscopnp” as the option 60 string during the DHCP discovery. The DHCP server can be
configured with multiple classes matching with a different option 60 string that comes from each network
device. After the option 60 string matches, the DHCP server sends out the corresponding option 43 string
back to the device. The following is the format for defining the option 43 for PnP deployments:
option 43 ascii "5A;K5;B2;I10.30.30.10;J443;Ttftp://10.30.30.10/ ios.p7b;Z10.30.30.1

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


187
Cisco Network Plug and Play Agent
DHCP Option based Discovery over an IPv4 Network

The field ‘T’ in the PnP string provides an option for the network administrator to specify the location of the
certificate bundle, which can be hosted on a local or remote file server.
If the certificate bundle is available at the specified location, then the agent:
1. Downloads the bundle from the file server to the device.
2. Checks the signature of the downloaded bundle to ensure it has a genuine Cisco signature.
3. Installs the certificates on the device.

If the ‘T’ option is not specified and the transport mechanism is specified in the option 43 string as HTTPs,
the PnP agent looks for the Cisco signed certificate bundle in the default folder of the same server
http://10.30.30.10:443/certificates/default/cert.p7b .
If the certificates are available at the default location then the agent performs the steps mentioned above to
install the certificates.
After the certificates are installed and the server discovery is complete, the agent initiates the HTTPs connection
with the server without any additional configuration. During the HTTPs handshake, the device uses the
certificates installed from the bundle to validate the server certificate.
The following figure shows the end-to-end secured PnP workflow using the CA bundle-based certificate.
Figure 59: Secured PnP Deployment with Trustpool

This flow works only if the server is using a certificate signed by one of the known signing authorities that is
available in the bundle. If the server uses a certificate that is not a part of the bundle then the HTTPs handshake
will fail. When you specify the option 43 string with HTTPs as a transport option and if the bundle download
fails, the agent will not fall back to any of the unsecured communication protocol even if the server is reachable.
If the transport option is specified as HTTP with a parameter 'T' pointing to a valid certificate bundle location,
the agent overrides the transport option HTTP and changes it to HTTPs for secured communication. Generally,
the agent will choose the most secured communication from the available options.
The path specified in the DHCP option 43 to locate the certificate bundle file can be an absolute URL or a
relative URL. If you specify a relative URL, the agent forms a full URL with the server IP address or hostname
as specified in the option 43 string and uses HTTP as the file transfer protocol.
Also, to install the certificates, the agent expects the device to have an updated system clock. Because, you
configure the DHCP server first, you cannot specify the current time in the DHCP server. In such a scenario,
an IP address or a URL can be specified as an alternative parameter in the option 43 with the prefix 'Z', which

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


188
Cisco Network Plug and Play Agent
DHCP Option based Discovery over an IPv6 Network

can point the device to a NTP server. The agent synchronizes the clock on the device with the NTP server
and then installs the certificates.

DHCP Option based Discovery over an IPv6 Network


Cisco Network PnP uses the DHCP Option 16 and Option 17 for an IPv6 DHCP discovery process.The Option
16 and Option 17 are vendor specific identifiers. These are used by the Cisco Network PnP agent to locate
and connect to the Cisco Network PnP server. The DHCP server can be configured to insert an additional
information using the vendor specific Option 17. When the DHCP server receives an Option 16 from the
device with the string cisco pnp , and if it matches the Option 17 string, the server passes the IP address or
the hostname of the Cisco PnP server to the requesting device. When the device receives the DHCPv6 response,
the Cisco Network PnP agent extracts the option from the response and identifies the IPv6 address of the
Cisco PnP server. Cisco PnP agent uses this IPv6 address to communicate with the Cisco PnP server. To
obtain and install the certificate, use the same process explained in the DHCP Option based Discovery over
an IPv4 Network section.
The following example shows how to configure a pool (DHCPv6-pool) with the vendor-specific options:
ipv6 dhcp pool dhcpv6-pool
address prefix 2003::/64 lifetime infinite infinite
vendor-specific 9
suboption 16 ascii "ciscopnp"
suboption 17 ascii "5A1D;K4;B3;IFE80::2E0:81FF:FE2D:3799;J6088"

DNS-based Discovery
In DNS-based discovery, a DHCP server receives the domain name of the customer network. The domain
name is used to create a PnP-specific, fully qualified domain name (FQDN) such as pnpserver.<domain_name>.
In this method, the customer network resolves this URL to a valid PnP server IP address. Because, there is
no mechanism to specify the certificate location, the agent locates the server certificate to initiate the HTTPs
connection without manual intervention.
During the system boot up, the device acquires IP network information from a DHCP server along with the
domain name. With the customer specific domain name, the Cisco PnP agent creates the following URL
pnpserver.<domain_name> and looks for the Cisco signed certificate bundle in a default folder of the server
<domain_name>/ca/trustpool/cabundle.p7b.
If the certificate bundle is available at the specified location, then the agent:
1. Downloads the bundle from the file server to the device.
2. Checks the signature of the downloaded bundle to ensure it has genuine Cisco signature.
3. Installs the certificates on the device.

If the certificate bundle is not available at the specified location, the PnP agent use a predefined
URL,pnpcertserver.<domain_name> and looks for the Cisco signed certificate bundle in the default folder
of the server, <domain_name>/ca/trustpool/cabundle.p7b.
If the certificates are available at the specified location, then the agent performs the steps specified above to
install the certificates.
After the certificates are installed and the server discovery is complete, the agent initiates the HTTPs connection
with the server at the URL, pnpserver.<domain_name > without any additional configuration. During the
HTTPs handshake, the device uses the certificates that are installed from the bundle to validate the server
certificate.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


189
Cisco Network Plug and Play Agent
DNS-based Discovery over an IPv6 Network

Also, to install the certificates, the agent expects the device to have an updated system clock. Because, you
configure the DHCP server first, you cannot specify the current time in the DHCP server. In such a scenario,
the agent uses a predefined URL, pnpntpserver.<domain_name> which needs to be mapped to a NTP sever
to synchronize the clock on the device, and then installs the certificates.
However, if the certificate is not present at either URL, the Cisco PnP agent will fall back and establish the
HTTP connection to the server using the created FQDN pnpserver.<domain_name>. With this workflow, the
agent expects the server to use the certificate-install service to install the self-signed certificates first and then
start the provisioning steps.

DNS-based Discovery over an IPv6 Network


To enable DNS-based discovery over an IPv6 network:

Step 1 Configure the DNS server with an IPv6 option. To enable the Cisco Network PnP DNS discovery, configure the DNS
server as shown in this example:
ip host pnpntpserver.domain.com 2001::1
ip host pnptrustpool.domain.com 2001::2
ip host pnpserver.domain.com 2001::3

Step 2 DHCPv6 server is discovered through DHCP bootstrap process. The following example shows how to configure the
DHCP server:
ipv6 unicast routing
ipv6 cef

ipv6 dhcp pool test


dns-server 2001::4
domain-name example.com

The device sends the DHCPv6 packets to the server over an IPv6 network. After receiving the DHCPv6 packets, the DNS
server information and the domain-name are returned to the device as Option 23 and Option 24 respectively.

Step 3 Configure the NTP server. The following example shows how to configure the NTP server:
ntp master 1

Note Similarly, the device NTP configuration should use the NTPv4 option.

Step 4 Host the trustpool server on an IPv6 network. Trustpool is supported only on DHCP Options T and Z. If the Option T is
configured, specify the URL of the trustpool CA bundle. If the Option Z is configured, specify the NTP server IP address.
Note When the Cisco Network PnP agent attempts to download the trustpool bundle over HTTP by using an IPv6
option, the trustpool server should support HTTP over an IPv6 network. Also, the clock must be syncronized
before configuring the trustpool.

Step 5 Host the Cisco Network PnP server on an IPv6 network.

Cisco Cloud Redirection over an IPv4 and IPv6 Network


Cisco Cloud Redirection service supports Cisco Network PnP zero-touch discovery. It is supported on both
IPv4 and IPv6 based Cisco Cloud discovery.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


190
Cisco Network Plug and Play Agent
Cisco Network PnP Discovery Over 4G Interface

Note Some of the Cisco PnP devices may have root certificate embedded in the devices. These devices will
communicate with the CCO server using HTTPS from the beginning. If the device does not have the
embedded certificate then the legacy behavior is initiated.

When the device boots up without any start-up configuration or authentication certificates, and if the DHCP
and DNS discovery fails, the device tries to contact the Cisco Cloud server at devicehelper.cisco.com.
If the devicehelper.cisco.com is reachable, the Cisco Network PnP agent downloads the trustpool bundle and
establishes a secure HTTP connection with the Cisco Cloud Redirection service. When the device tries the
Cisco cloud discovery for the first time, Cisco Network PnP agent downloads the trustpool from this location
devicehelper.cisco.com/ca/trustpool and saves it to the local flash memory. This location is shared with a
Public Key Infrastructure for a trustpool installation. If the Cisco cloud discovery fails, trustpool bundle is
retained in the flash memory and Cisco Network PnP checks for a copy of the trustpool bundle in the local
device flash memory. If the copy is not available in the local flash memory, it retries to download the trustpool
bundle from this location devicehelper.cisco.com/ca/trustpool download.
Cisco Network PnP agent sends a HTTPS hello message to the Cisco cloud. The Cisco Network PnP redirection
service running at Cisco cloud server replies to the HTTP request. A Cisco cloud server PnP profile is created
on the device as shown in this example.
pnp profile pnp_cco_profile
transport https host devicehelper.cisco.com port 443

After the Cisco cloud profile is created, the device sends a work-information message with its unique device
identifier information to the Cisco cloud server. Cisco Cloud Redirection service sends a redirection non-backoff
PnP request with the Cisco Network PnP server information. It can be an IPv4 address, IPv6 address, or a
hostname. When the redirection is successful, the following redirection profile is configured on the device.
pnp profile pnp_redirection_profile
transport https ipv4 172.19.153.133 port 443

If the non-backoff PnP request is not received within default wait time, Cisco Network PnP discovery process
continues with the next discovery mechanism.

Cisco Network PnP Discovery Over 4G Interface


Cisco Network PnP over 4G interface is available on platforms that have 4G NIMs and running Cisco IOS
XE.When a device with an activated SIM card boots up, the 4G interface is activated and used for the Cisco
Network PnP cloud discovery process. When a device without an activated SIM card boots up, the non-4G
interfaces are preferred for the discovery process. Cisco Network PnP cloud discovery over 4G interfaces is
attempted when the non-4G interfaces are not available or if the Cisco Network PnP discovery does not
succeed on the non-4G interfaces. When the device has multiple 4G interfaces with active SIM cards, the
Cisco Network PnP tries the cloud discovery on all the 4G interfaces one after the other until one of them
succeeds.

Note To use the 4G interface for the Cisco Network PnP discovery, the 4G NIMs should have an activated
SIM card on it.

Cisco Network PnP Cloud discovery over 4G interfaces works when all the 4G interfaces are activated during
the device bootup by default. In the absence of a startup configuration, the device attempts to bring up the 4G

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


191
Cisco Network Plug and Play Agent
Cisco Network PnP Discovery over a Management Interface

inutrafec by default and attempts Cicso PnP over cloud. After the device is redirected, the device connects to
the Cisco Network PnP server and downloads the appropriate image and configuration to the device.

Note The DNS server is available as part of the 4G network and the cloud portal should be programmed to
redirect the calling device to an appropriate Cisco Network PnP server for provisioning the device.
Currently, Cisco Network PnP support over 4G interface uses only the IPv4 network.

Ensure that the configuration pushed through the Cisco Network PnP server contains a route to Cisco Network
PnP server over the 4G interface. This can be a default route and should retain the Cisco Network PnP agent
and server communication to continue to work over the 4G interface, after the provisioning is completed.

Cisco Network PnP Discovery over a Management Interface


Cisco Network PnP Agent supports discovery and four-way handshake over a management interface with a
default VPN Routing/Forwarding (VRF). To send and receive the DHCP traffic over an VRF interface, you
have to configure the IOS DHCP server . This feature helps the new devices to access the Cisco Network PnP
features when only the management interface is active.
When the device boots up, the management interface under the default VRF is assigned an IP address though
DHCP. This interface establishes a connection to a Cisco Network PnP server and the Cisco Network PnP
agent on the device records this information (VRF name and source interface). This information is used for
future PnP communication with the Cisco Network PnP server. In this case, the Cisco PnP profile that is
created on the device will have an extra keyword VRFattached to it.

Cisco PnP over an EtherChannel


When you deploy an access switch by using the Cisco Network Plug and Play, the existence of LACP
EtherChannels on the provisioned switch (which acts as trunk) does not allow you to configure the device.
When the access device tries to connect through the provisioned switch over an L2 EtherChannel using LACP,
it breaks the connectivity. Since the configuration does not exists on the access device, the access device
cannot bring up the EtherChannel with the switch. This results in keeping the EtherChannel ports in suspended
state and breaks the L2 connectivity. Cisco Network PnP Agent detects the presence of EtherChannels and
auto-configures the EtherChannel on the device to bring up the Layer 2 connectivity automatically for the
day-zero configuration.

Security Methods for Post-PnP Discovery Process


This section explains the methods provided by the Cisco PnP agent which can be, used by the Cisco PnP
server to secure the client-server communication after completing the discovery process. This section includes
the following topic:
• Certificate Install Service, on page 192

Certificate Install Service


The Cisco PnP agent provides a mechanism to manage SSL certificates on the device by providing the
certificate-install service to the Cisco PnP server. The certificate-install service provides a simple XML to
install the server’s self-signed certificates or certificates signed by standard CA certificates on the device,

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


192
Cisco Network Plug and Play Agent
SUDI-based PnP Application Level Authentication

before initiating an HTTPs connection. The certificate-install service also provides an option to install the
client SSL certificate and instruct the device to use the same SSL certificate during the next device authentication
process.

SUDI-based PnP Application Level Authentication


The SSL communication ensures encryption of the data packets exchanged between the server and the device,
but does not provide a solution to authenticate the device.
To ensure that the server is talking to a genuine Cisco device, the agent uses the built-in Secure Unique Device
Identifier (SUDI) certificate support on the device. SUDI is a X.509 compliant device certificate burnt into
the device's secured chip (ACT2) during the manufacture time. The SUDI certificate contains the device's
serial number, private-public keys, and the Cisco CA signature. The agent provides the following mechanisms
that can be used by the server to authenticate the device as a genuine Cisco device:
• SUDI-based Client Certificate Validation, on page 193
• SUDI-based Serial Number, on page 193

SUDI-based Client Certificate Validation


Before the agent initiates an HTTPs connection with the server, the agent checks whether the device has a
built-in SUDI certificate. If the device has a certificate, then the agent sends the SUDI certificate to the client
during the SSL handshake for validating. Optionally, the HTTPs server may choose to validate the device
using the SUDI certificate during the SSL handshake. After validating, the HTTPs server allows the device
to connect to the server. To validate the device's SUDI certificate, the server should use Cisco CA to complete
the validation.

SUDI-based Serial Number


If the device is loaded with SUDI certificate, the PnP agent reads the serial number from the SUDI certificate
and presents the same information as an additional tag in the work-request body for all communication with
the server. To achieve this, the following optional tag is added in the work-info message, which goes out from
the device in every work-request. This field is optional and does not show up for devices that does not have
SUDI certificate.
There is no change in the existing UDI mechanism that is read from the chassis inventory. The agent continues
to be backwards compatible by sending the chassis UDI as the primary identifier. The server can use the
additionally provided SUDI-based serial number to authenticate the device and then continue to use the primary
UDI. For the devices without a SUDI certificate, the agent does not send this additional SUDI-based serial
number. Therefore, the server should continue with the primary UDI for authentication and further
communication.
There is no mechanism available to read the SUDI-based serial number from member hardware and there is
no change in how UDI is read from other members on a stack or HA unit. The agent will continue to read the
UDI from all the hardware units as it does presently.

SUDI-Based Device Authentication


In SUDI-based device authentication, the agent checks whether the device has a built-in SUDI certificate at
the boot-up time. If the device is loaded with the SUDI certificate, the agent provides a new PnP service,
which allows the server to help the device to identify itself. The availability of this new service depends on
the presence of the SUDI certificate and is listed in the agent's capability service.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


193
Cisco Network Plug and Play Agent
SUDI-Based Device Authentication

Along with the above change in the capability-service, the agent adds an additional field under the hardware-info
section of the device-info response, to specify and check whether the SUDI certificate is built into the device.
After, the agent initiates an HTTPs connection with the server and sends a work-request, the server should
be able to use the device authentication service for a challenge request-response. The device authentication
service requires a minimum of one field to generated a string by the server. Optionally, the server can send a
list of encryptions and hashing methods that it can support. The agent checks whether it has the capability to
use any of the listed encryption methods specified by the server, uses the encryption method and sends a
notification to the server. If the agent does not have the capability to use any of the methods specified by the
server, then the agent responds with an error message.
When the server sends a device authentication service request to the agent, the agent does the following:
1. Uses one of the specified encryption and hashing methods.
2. If the agent does not have capability to use one of the specified encryption and hashing methods, the agent
responds with an error message.
3. Encrypts the challenge string provided by the server using the private key using the PKI APIs.
4. Sends a response back with the following:
a. Cipher text
b. Methods used to cipher
c. Certificate (SUDI or client installed certificate)

After, the server receives the above response from the device, the server does the following:
1. Verifies the SUDI or the client certificate against the Cisco or customer CA.
2. Decrypts the cipher-string using the public key that is available in the SUDI or client certificate.
3. Verifies whether the deciphered string matches the original version.
4. Generates a session key (string) and sends it back to the device as an acknowledgment.

After the agent receives the final acknowledgment from the server with the session-key, it associates the
corresponding profile with the provided session-key and sends it to the server as an attribute in the root PnP
section of all the subsequent messages that the agent sends.
The server validates the session-key before sending any message from the device. Optionally, the server
maintains a timer for the session-keys and moves to invalid status when the timer expires. If the agent sends
a message with an expired session-key, the server repeats the device authentication process and generate a
new session-key before sending to the same device again. If the device sends a request without any session-key,
then the server performs the device authentication process and generates a new session-key before sending
to the same device.
The following figure displays the message sequence between the agent and the server to accomplish the device
authentication using the SUDI certificate.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


194
Cisco Network Plug and Play Agent
How to Configure Cisco Network Plug and Play Agent

Figure 60: Message Sequence

How to Configure Cisco Network Plug and Play Agent


Configuring Cisco Network Plug and Play Agent Profile
Perform the following task to create a Cisco Network Plug and Play agent profile:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Step 3 pnp profile profile-name Creates a PnP agent profile and enters the PnP profile
initialization mode.
Example:
• String of alphanumeric characters that specify a name
Device(config)# pnp profile test-profile-1 for the PnP agent profile. Profile names cannot be
duplicated.

Step 4 end Exits the PnP profile initialization mode and returns to
privileged EXEC mode.
Example:

Device(config-pnp-init)# end

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


195
Cisco Network Plug and Play Agent
Configuring Network Plug and Play Agent Device

Configuring Network Plug and Play Agent Device


Perform the following task to create a Cisco Network Plug and Play agent device:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Step 3 pnp profile profile-name Creates a PnP agent profile and enters the PnP profile
initialization mode.
Example:
• String of alphanumeric characters that specify a name
Device(config)# pnp profile test-profile-1 for the PnP agent profile. Profile names cannot be
duplicated.

Step 4 device {username username } {password {0 | 7} Configures the PnP agent on the device.
password}
• Establishes a username and password based
Example: authentication system.

Device(config-pnp-init)# device username sjohn


• username—User ID
password 0 Tan123
• password—Password that a user enters
• 0—Specifies that an unencrypted password or secret
(depending on the configuration) follows.
• 7—Specifies that an encrypted ( hidden) password
follows.

Step 5 end Exits the PnP profile initialization mode and returns to
privileged EXEC mode.
Example:

Device(config-pnp-init)# end

Configuring Cisco Network Plug and Play Reconnect Factor


Perform the following task to configure the time to wait before attempting to reconnect a session in either
fixed-interval-backoff, exponential-backoff, or random-exponential-backoff mode:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


196
Cisco Network Plug and Play Agent
Configuring Cisco Network Plug and Play HTTP Transport Profile

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Step 3 pnp profile profile-name Creates a PnP agent profile and enters the PnP profile
initialization mode.
Example:
• String of alphanumeric characters that specify a name
Device(config)# pnp profile test-profile-1 for the PnP agent profile. Profile names cannot be
duplicated.

Step 4 reconnect [pause-time [exponential-backoff-factor Specifies the time for the PnP agent initiator profile to wait
[random] ] ] before attempting to reconnect a session.
Example: • The pause-time value is the time to wait, in seconds,
before attempting to reconnect after a connection is
Device(config-pnp-init)# reconnect 100 2 random lost. The range is from 1 to 2000000. The default is
60.
• Exponential backoff factor value is the value that
triggers the reconnect attempt exponentially. The range
is from 2 to 9.

Step 5 end Exits the PnP profile initialization mode and returns to
privileged EXEC mode.
Example:

Device(config-pnp-init)# end

Configuring Cisco Network Plug and Play HTTP Transport Profile


Perform the following task to create a HTTP transport profile of the Cisoc Plug and Play agent manually on
a device.
Both IPv4 and IPv6 addresses can be used for PnP server IP configuration. Alternately, a hostname can also
be used in the configuration to connect to the PnP server.
Every profile can have one primary server and a backup server configuration. The Cisco PnP agent attempts
to initiate a connection with the primary server first and if it fails, it will try the backup server. If the backup
server fails, the Cisco PnP agent will attempt to connect to the primary server again. This will continue until
a connection is established with one of the servers.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


197
Cisco Network Plug and Play Agent
Configuring Cisco Network Plug and Play HTTP Transport Profile

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Step 3 pnp profile profile-name Creates a PnP agent profile and enters the PnP profile
initialization mode.
Example:
• String of alphanumeric characters that specify a name
Device(config)# pnp profile test-profile-1 for the PnP agent profile. Profile names cannot be
duplicated.

Step 4 transport http host host-name [port port-number ] [source Creates a HTTP transport configuration for the PnP agent
interface-type] profile based on the hostname of the server on which the
PnP agent is deployed.
Example:
• The value of the host specifies the host name, port,
Device(config-pnp-init)# transport http host and source of the server.
hostname-1 port 1 source gigabitEthernet 0/0/0
• The value of the port-number specifies the port that is
used.
• The value of the interface-type specifies the interface
on which the agent is connected to the server.

Step 5 transport http ipv4 ipv4-address [port port-number ] Creates a HTTP transport configuration for the PnP agent
[source interface-type] profile based on the IPv4 address of the server on which
the PnP agent is deployed.
Example:

Device(config-pnp-init)# transport http ipv4


10.0.1.0 port 221 source gigabitEthernet 0/0/0

Step 6 transport http ipv6 ipv6-address [port port-number ] Creates a HTTP transport configuration for the PnP agent
[source interface-type interface-number ] profile based on the IPv6 address of the server on which
the PnP agent is deployed.
Example:

Device(config-pnp-init)# transport http ipv6


2001:DB8:1::1 port 331 source gigabitEthernet 0/0/1

Step 7 end Exits the PnP profile initialization mode and returns to
privileged EXEC mode.
Example:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


198
Cisco Network Plug and Play Agent
Configuring Cisco Network Plug and Play HTTPS Transport Profile

Command or Action Purpose

Device(config-pnp-init)# end

Configuring Cisco Network Plug and Play HTTPS Transport Profile


Perform the following task to create a HTTP Secure (HTTPS) transport profile of the Cisco Network Plug
and Play agent manually on a device.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Step 3 pnp profile profile-name Creates a PnP agent profile and enters the PnP profile
initialization mode.
Example:
• String of alphanumeric characters that specify a name
Device(config)# pnp profile test-profile-1 for the PnP agent profile. Profile names cannot be
duplicated.

Step 4 transport https host host-name [port port-number ][source Creates a HTTPS transport configuration for the PnP agent
interface-type ][localcert trustpoint-name ][remotecert profile based on the hostname of the server on which the
trustpoint-name ] PnP agent is deployed.
Example: • The value of localcert specifies the trustpoint used for
client-side authentication during the transport layer
Device(config-pnp-init)# transport https host security (TLS) handshake.
example.com port 231 source gigabitEthernet 0/0/0
localcert abc remotecert xyz • The value of remotecert specifies the trustpoint used
for server certificate validation.

Note Configure the trustpoint-name using the crypto


pki trustpoint command.

Step 5 transport https ipv4 ipv4-address [port port-number Creates a HTTPS transport configuration for the PnP agent
][source interface-type ][localcert trustpoint-name profile based on the IPv4 address of the server on which
][remotecert trustpoint-name ] the PnP agent is deployed.
Example:

Device(config-pnp-init)# transport https ipv4

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


199
Cisco Network Plug and Play Agent
Configuring Backup Cisco Network Plug and Play Device

Command or Action Purpose


10.0.1.0 port 221 source gigabitEthernet 0/0/0
localcert abc remotecert xyz

Step 6 transport https ipv6 ipv6-address [port port-number Creates a HTTPS transport configuration for the PnP agent
][source interface-type interface-number ][localcert profile based on the IPv6 address of the server on which
trustpoint-name ][remotecert trustpoint-name ] the PnP agent is deployed.
Example:

Device(config-pnp-init)# transport https ipv6


2001:DB8:1::1 port 331 source gigabitEthernet 0/0/1
localcert abc remotecert xyz

Step 7 end Exits the PnP profile initialization mode and returns to
privileged EXEC mode.
Example:

Device(config-pnp-init)# end

Configuring Backup Cisco Network Plug and Play Device


Perform the following task to create a backup profile and to enable or disable Cisco Network Plug and Play
agent manually on a device:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Step 3 pnp profile profile-name Creates a PnP agent profile and enters the PnP profile
initialization mode.
Example:
• String of alphanumeric characters that specify a name
Device(config)# pnp profile test-profile-1 for the PnP agent profile. Profile names cannot be
duplicated.

Step 4 backup device {username username } {password {0 | 7} Configures the PnP agent backup profile on the device.
password}
• Establishes a username and password based
Example: authentication system.

Device(config-pnp-init)# backup device username


• username-User ID
sjohn password 0 Tan123

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


200
Cisco Network Plug and Play Agent
Configuring Backup Cisco Network Plug and Play Reconnect Factor

Command or Action Purpose


• password-Password that a user enters
• 0—Specifies that an unencrypted password or secret
(depending on the configuration) follows.
• 7—Specifies that a hidden password follows.

Step 5 end Exits the PnP profile initialization mode and returns to
privileged EXEC mode.
Example:

Device(config-pnp-init)# end

Configuring Backup Cisco Network Plug and Play Reconnect Factor


Perform the following task to configure backup reconnection of the Cisco Network Plug and Play (PnP) agent
to the server in either fixed-interval-backoff, exponential-backoff, or random-exponential-backoff manner :

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Step 3 pnp profile profile-name Creates a PnP agent profile and enters the PnP profile
initialization mode.
Example:
• String of alphanumeric characters that specify a name
Device(config)# pnp profile test-profile-1 for the PnP agent profile. Profile names cannot be
duplicated.

Step 4 backup reconnect [pause-time [exponential-backoff-factor Specifies the time for the PnP agent initiator profile to wait
[random] ] ] before attempting to reconnect a session.
Example: • The pause-time value is the time to wait, in seconds,
before attempting to reconnect after a connection is
Device(config-pnp-init)# backup reconnect 100 2 lost. The range is from 1 to 2000000. The default is
random 60.
• Exponential backoff factor value is the value that
triggers the reconnect attempt exponentially. The range
is from 2 to 9.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


201
Cisco Network Plug and Play Agent
Configuring Backup Cisco Network Plug and Play HTTP Transport Profile

Command or Action Purpose


Step 5 end Exits the PnP profile initialization mode and returns to
privileged EXEC mode.
Example:

Device(config-pnp-init)# end

Configuring Backup Cisco Network Plug and Play HTTP Transport Profile
Perform the following task to create a backup HTTP transport profile of the Cisco Network Plug and Play
agent manually on a device.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Step 3 pnp profile profile-name Creates a PnP agent profile and enters the PnP profile
initialization mode.
Example:
• String of alphanumeric characters that specify a name
Device(config)# pnp profile test-profile-1 for the PnP agent profile. Profile names cannot be
duplicated.

Step 4 backup transport http host host-name [port port-number Creates a backup HTTP transport configuration for the PnP
] [source interface-type] agent profile based on the hostname of the server on which
the PnP agent is deployed.
Example:
• The value of the host specifies the host name, port,
Device(config-pnp-init)# backup transport http host and source of the server.
hostname-1 port 1 source gigabitEthernet 0/0/0
• The value of the port-number specifies the port that is
used.
• The value of the interface-type specifies the interface
on which the agent is connected to the server.

Step 5 backup transport http ipv4 ipv4-address [port Creates a backup HTTP transport configuration for the PnP
port-number ] [source interface-type] agent profile based on the IPv4 address of the server on
which the PnP agent is deployed.
Example:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


202
Cisco Network Plug and Play Agent
Configuring Backup Cisco Network Plug and Play HTTPS Transport Profile

Command or Action Purpose

Device(config-pnp-init)# backup transport http ipv4


10.0.1.0 port 221 source gigabitEthernet 0/0/0

Step 6 backup transport http ipv6 ipv6-address [port Creates a backup HTTP transport configuration for the PnP
port-number ] [source interface-type interface-number ] agent profile based on the IPv6 address of the server on
which the PnP agent is deployed.
Example:

Device(config-pnp-init)# backup transport http ipv6


2001:DB8:1::1 port 331 source gigabitEthernet
0/0/1

Step 7 end Exits the PnP profile initialization mode and returns to
privileged EXEC mode.
Example:

Device(config-pnp-init)# end

Configuring Backup Cisco Network Plug and Play HTTPS Transport Profile
Perform the following task to create a backup HTTPS transport profile of the Cisco Network Plug and Play
agent manually on a device.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Step 3 pnp profile profile-name Creates a PnP agent profile and enters the PnP profile
initialization mode.
Example:
• String of alphanumeric characters that specify a name
Device(config)# pnp profile test-profile-1 for the PnP agent profile. Profile names cannot be
duplicated.

Step 4 backup transport https host host-name [port port-number Creates a HTTPS backup transport configuration for the
][source interface-type ][localcert trustpoint-name PnP agent profile based on the hostname of the server on
][remotecert trustpoint-name ] which the PnP agent is deployed.
Example: • The value of localcert specifies the trustpoint used for
client-side authentication during the transport layer
Device(config-pnp-init)# backup transport https security (TLS) handshake.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


203
Cisco Network Plug and Play Agent
Configuring Cisco Network Plug and Play Agent Tag

Command or Action Purpose


host example.com port 231 source gigabitEthernet • The value of remotecert specifies the trustpoint used
0/0/0 localcert abc remotecert xyz for server certificate validation.

Step 5 backup transport https ipv4 ipv4-address [port Creates a HTTPS backup transport configuration for the
port-number ][source interface-type ][localcert PnP agent profile based on the IPv4 address of the server
trustpoint-name ][remotecert trustpoint-name ] on which the PnP agent is deployed.
Example:

Device(config-pnp-init)# backup transport https


ipv4 10.0.1.0 port 221 source gigabitEthernet 0/0/0
localcert abc remotecert xyz

Step 6 backup transport https ipv6 ipv6-address [port Creates a HTTPS backup transport configuration for the
port-number ][source interface-type interface-number PnP agent profile based on the IPv6 address of the server
][localcert trustpoint-name ][remotecert trustpoint-name on which the PnP agent is deployed.
]
Example:

Device(config-pnp-init)# backup transport https


ipv6 2001:DB8:1::1 port 331 source gigabitEthernet
0/0/1 localcert abc remotecert xyz

Step 7 end Exits the PnP profile initialization mode and returns to
privileged EXEC mode.
Example:

Device(config-pnp-init)# end

Configuring Cisco Network Plug and Play Agent Tag


Perform the following task to create a Cisco Network Plug and Play agent tag information:

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: • Enter your password if prompted.

Device> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Device# configure terminal

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


204
Cisco Network Plug and Play Agent
Troubleshooting and Debugging

Command or Action Purpose


Step 3 pnp tag tag-name Use the pnp tag command to configure the tag for the
device. The neighboring Cisco devices will receive this tag
Example:
information through Cisco Discovery Protocol (CDP).
Device(config)# pnp tag xyz Note If there is an existing tag for the device, the tag
name can be only changed when the xml schema
is sent by the PnP server to change the tag name.
The tag name cannot be overwritten.

• String of alphanumeric characters that specify a name


for the PnP agent tag.

Step 4 end Exits the global configuration mode and returns to


privileged EXEC mode.
Example:

Device(config)# end

Troubleshooting and Debugging


To run the debugging on the Cisco Network Plug and Play ( server, start the server, configure the PnP profile
and PnP transport. For example, start the service interaction between PnP agent and PnP server.
You can capture the debugs by executing the debug pnp service command. When you report a problem,
collect all the pnp* files in the PnP agent flash” to the guide.

Note To collect Cisco Plug and Play server log, see the Cisco Application Policy Infrastructure Controller
Enterprise Module Deployment Guide.

To troubleshoot the device, server and Cisco PnP Agent, use the following commands:

Table 13: Troubleshooting the Device, Server, and Cisco PnP Agent

Command Description

dir nvram Use this command to ensure tht the device does not
have left over certificates.

ping vrf interface-name Use this command to ensure the the device can ping
the controller.
<controller_ip>

show auto install trace Use this command to view auto install trace log.

show boot Use the show boot command to display the current
value for the BOOTLDR variable.

show cdp neighbor Use this command to display all CDP neighbors.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


205
Cisco Network Plug and Play Agent
Glossary

Command Description

Show crypto pki trustpoint Use this command to view the PKI trustpoint.

Show crypto pki trustful Use this command to view the PKI trustful.

show ip interface brief Use this command to view a summary of the router
interfaces.

show ipv6 interface brief Use this command to display the IPv6 interfaces.

show run | inc pnp Uset this command to ensure that only one PnP profile
installed

show pnp trace Use this command to ensure that the device does not
have start-up configuration.

show pnp tech Use this command to view active connections for the
Cisco Plug and Play IOS Agent.

show vlan Use this command to view the VLAN information.

show ntp status Use this command to view the NTP status.

show version Use this command to ensure that the device is running
the latest CCO image

Glossary
PnP Agent: An embedded agent on the device to automate deployment process
PnP Helper Applications: Applications on smart phones and personal computers that facilitate deployment.
PnP helper applications are not specific to a customer or device and can be used in any deployment scenario.
May be needed in limited scenarios
PnP Protocol: Protocol between the PnP agent and PnP server. This is an open protocol allowing third-party
development of PnP servers
PnP Server: A central server that manages and distributes deployment information (images, configurations,
files, and licenses) for the devices being deployed. Cisco Network Plug and Play server provides a north bound
interface for management applications and communicates with the PnP agents on the devices using the PnP
protocol.

Additional References for Open Plug-n-Play Agent


Related Documents

Related Topic Document Title

Cisco IOS commands Cisco IOS Master Command List,


All Releases

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


206
Cisco Network Plug and Play Agent
Additional References for Open Plug-n-Play Agent

Related Topic Document Title

PnP commands: Complete command syntax, command mode, command Cisco IOS PnP Command
history, defaults, usage guidelines, and examples Reference

Cisco Network Plug and Play solution Solution Guide for Cisco Network
Plug and Play.

How to use the Cisco Network Plug and Play in the APIC-EM to Configuration Guide for Cisco
configure Cisco network devices. Network Plug and Play on Cisco
APIC-EM.

How to deploy the APIC-EM. Cisco Application Policy


Infrastructure Controller Enterprise
Module Deployment Guide.

Getting started with the APIC-EM. Cisco APIC-EM Quick Start Guide.

MIBs

MIB MIBs Link

• CISCO-BULK-FILE-MIB To locate and download MIBs for selected platforms, Cisco software
releases, and feature sets, use Cisco MIB Locator found at the
• CISCO-DATA-COLLECTION-MIB following URL:
• CISCO-PROCESS-MIB http://www.cisco.com/go/mibs
• Expression-MIB

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


207
Cisco Network Plug and Play Agent
Additional References for Open Plug-n-Play Agent

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


208
CHAPTER 21
Software Maintenance Upgrade (SMU)
This chapter contains the following sections:
• Software Maintenance Upgrade (SMU) Overview, on page 209
• SMU Work-flow and Basic Requirements, on page 210
• SMU Example, on page 210
• Installing a Patch Image, on page 211
• Uninstalling the Patch Image, on page 212

Software Maintenance Upgrade (SMU) Overview


The Software Maintenance Upgrade (SMU) is a package that can be installed on a system to provide a patch
fix or security resolution to a released image for a specific defect in order to respond to immediate issues. It
does not contain new features.
Some of the caveats of the SMU are:
• Provided on a per release, per component basis and is specific to the platform. SMU versions are
synchronized to the package major, minor, and maintenance versions they upgrade.
• SMUs are not an alternative to maintenance releases. All defects fixed by SMUs are then automatically
integrated into the upcoming maintenance releases.
• The Cisco IOS XE platform internally validates the SMU compatibility and does not allow you to install
non-compatible SMUs. This is based on rules/limitations for a SMU change-set.
• An SMU provides a significant benefit over classic IOS software as it allows you to address the network
issue quickly while reducing the time and scope of the testing required.
• SMU is a method to fix bugs in an existing release, and allows the application of a PSIRT fix in an
existing release
• SMU is NOT an upgrade path from release X to maintenance release X.1
• SMU is NOT an upgrade path from release X to release Y
The device only supports “Hot Patching”. This means:
• The running image is modified in-place or in-service
• This avoids downtime and interruption of service
• The updated code to fix the defect is written in a different location, and where the patch redirects the
program run

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


209
Software Maintenance Upgrade (SMU)
SMU Work-flow and Basic Requirements

SMU Work-flow and Basic Requirements


The work-flow for the patch requires that you complete the following sequence of operation in exec mode:
1. Addition of the SMU to the file system
2. Activation of the SMU onto the system
3. Committing the SMU change
4. Removal and Uninstallation of the SMU
The basic requirements for SMU are:
• The image where the defect was discovered
• The patch file that contains the fix for the defect must be formatted as
ir1101-image_name.release_version.CSCxxyyyyy.SPA.smu.bin

SMU Example
This section shows an example of a patch for the CDET CSCvk58743.
Command example:

Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface g0/0/0
Router(config-if)# ipv6 nd cache expire 770
Router(config-if)# end
Router#
*Sep 25 12:00:29.978: %SYS-5-CONFIG_I: Configured from console by console

As the following CDET states, the ND Cache expire timer did not appear in the command output of show
ipv6 neighbors g0/0/0

• CSCvk58743
Summary: Show ipv6 interface does not display "ND Cache expire timer"
Component: ipv6
Defective Image: ir1101-universalk9.16.11.01.SPA.bin
Patch Image: ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin
The following is what the required configuration output should look like:

Interface GigabitEthernet0/0/0
no switchport
no ip address
ipv6 address FE80::1 link-local
ipv6 address 2001::1/64
ipv6 nd na glean

ipv6 nd cache expire 770

end

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


210
Software Maintenance Upgrade (SMU)
Installing a Patch Image

In the above output, the blue text configures the length of time before an IPv6 neighbor discovery cache entry
expires. The range is from 1 to 65536 seconds.

Installing a Patch Image


Perform the following steps to install the patch image:

Step 1 Add the image.

Router# install add file flash:ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin


install_add: START Mon Dec 17 21:11:23 UTC 2018
install_add: Adding SMU
*Dec 17 21:11:26.241: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install add
flash:ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin--- Starting SMU Add operation ---
Performing SMU_ADD on Active/Standby
[R0] SMU_ADD package(s) on R0
[R0] Finished SMU_ADD on R0
Checking status of SMU_ADD on [R0]
SMU_ADD: Passed on [R0]
Finished SMU Add operation
SUCCESS: install_add Mon Dec 17 21:11:39 UTC 2018

Step 2 Activate the patch image.

Router# install activate file flash:ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin


install_activate: START Mon Dec 17 21:11:57 UTC 2018
System configuration has been modified.
Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q]y Building
configuration...
[OK]Modified configuration has been saved
*Dec 17 21:12:02.086: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config
fileinstall_activate: Activating SMU
*Dec 17 21:12:05.339: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install activate
flash:ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin
Executing pre scripts....
Executing pre scripts done.
--- Starting SMU Activate operation ---
Performing SMU_ACTIVATE on Active/Standby
[R0] SMU_ACTIVATE package(s) on R0
[R0] Finished SMU_ACTIVATE on R0
Checking status of SMU_ACTIVATE on [R0]
SMU_ACTIVATE: Passed on [R0]
Finished SMU Activate operation
SUCCESS: install_activate /flash1/ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin Mon Dec 17
21:12:26 UTC 2018
*Dec 17 21:12:25.463: %INSTALL-5-INSTALL_AUTO_ABORT_TIMER_PROGRESS: R0/0: rollback_timer: Install
auto abort timer will expire in 7200 seconds
*Dec 17 21:12:27.358: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed install
activate SMU flash:ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin

Step 3 Commit the installation.

Router# install commit


install_commit: START Mon Dec 17 21:13:28 UTC 2018
install_commit: Committing SMU

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


211
Software Maintenance Upgrade (SMU)
Uninstalling the Patch Image

*Dec 17 21:13:31.516: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install commit


Executing pre scripts....
Executing pre scripts done.
--- Starting SMU Commit operation ---
Performing SMU_COMMIT on Active/Standby
[R0] SMU_COMMIT package(s) on R0
[R0] Finished SMU_COMMIT on R0
Checking status of SMU_COMMIT on [R0]
SMU_COMMIT: Passed on [R0]
Finished SMU Commit operation

SUCCESS: install_commit /flash1/ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin Mon Dec 17 21:13:47


UTC 2018

Step 4 Show the status summary of the installation procedure.

Router# show install summary


[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,

C - Activated
& Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
SMU C /flash1/ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin
IMG C 16.11.1.0.4

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Uninstalling the Patch Image


There are two methods to remove or uninstall the patch image.
• Restoring the image to its original version by using the following command:
• install rollback to base
• Specific removal of a patch by using the following commands in sequence:
• install deactivate file flash:ir1101-image_name.release_version.CSCxxyyyyy.SPA.smu.bin
• install commit
• install remove file flash:ir1101-image_name.release_version.CSCxxyyyyy.SPA.smu.bin

Uninstalling the Patch Image Using Rollback


This section shows an example of using the rollback method.
Show what patches are installed:

Router# show install summary


[ R0 ] Installed Package(s) Information:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


212
Software Maintenance Upgrade (SMU)
Uninstalling the Patch Image Using Rollback

State (St): I - Inactive, U - Activated & Uncommitted,


C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
SMU C /flash1/ir1101-universalk9.16.12.02.CSCvq74407.SPA.smu.bin
IMG C 16.12.02.0.6

The following commands are available:

Router# install ?
abort Abort the current install operation
activate Activate an installed package
add Install a package file to the system
auto-abort-timer Install auto-abort-timer
commit Commit the changes to the loadpath
deactivate Deactivate an install package
label Add a label name to any installation point
prepare Prepare package for operation
remove Remove installed packages
rollback Rollback to a previous installation point
Router# install rollback to ?
base Rollback to the base image
committed Rollback to the last committed installation point
id Rollback to a specific install point id
label Rollback to a specific install point label

The install rollback to base command removes the entire patch and returns to the base image version with
the found defect.

Router# install rollback to base


install_rollback: START Fri Apr 24 22:58:25 UTC 2020

*Apr 24 22:58:28.375: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install


rollbackinstall_rollback: Rolling back SMU
Executing pre scripts....
Executing pre sripts done.

--- Starting SMU Rollback operation ---


Performing SMU_ROLLBACK on Active/Standby
[R0] SMU_ROLLBACK package(s) on R0
[R0] Finished SMU_ROLLBACK on R0
Checking status of SMU_ROLLBACK on [R0]
SMU_ROLLBACK: Passed on [R0]
Finished SMU Rollback operation

SUCCESS: install_rollback /flash1/ir1101-universalk9.16.12.02.CSCvq74407.SPA.smu.bin Fri


Apr 24 22:58:54 UTC 2020

*Apr 24 22:58:55.368: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed


install rollback

Show what patches are installed:

Router# show install summary


[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG C 16.12.02.0.6

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


213
Software Maintenance Upgrade (SMU)
Uninstalling the Patch Image Using Deactivate, Commit, and Remove

Note In the above command output, the patch has been removed and the device returns to the base image
version prior to the upgrade.

Uninstalling the Patch Image Using Deactivate, Commit, and Remove


In the following sequence, there are two patches installed on the device. Only one will be removed.
Show what patches are installed.

Router# show install summary


[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
SMU C /flash1/ir1101-universalk9.16.12.02.CSCvq74407.SPA.smu.bin
SMU C /flash1/ir1101-universalk9.16.12.02.CSCvt63576.SPA.smu.bin
IMG C 16.12.02.0.6

Step 1 Deactivate the patch.

Router# install deactivate file flash:ir1101-universalk9.16.12.02.CSCvt63576.SPA.smu.bin


install_deactivate: START Fri Apr 24 22:54:10 UTC 2020
install_deactivate: Deactivating SMU
Executing pre scripts....
Executing pre sripts done.

--- Starting SMU Deactivate operation ---


Performing SMU_DEACTIVATE on Active/Standby
[R0] SMU_DEACTIVATE package(s) on R0
[R0] Finished SMU_DEACTIVATE on R0
Checking status of SMU_DEACTIVATE on [R0]
SMU_DEACTIVATE: Passed on [R0]
Finished SMU Deactivate operation

SUCCESS: install_deactivate /flash1/ir1101-universalk9.16.12.02.CSCvt63576.SPA.smu.bin Fri Apr 24


22:54:49 UTC 2020

Show what patches are installed:

Router# show install summary


[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
SMU C /flash1/ir1101-universalk9.16.12.02.CSCvq74407.SPA.smu.bin
SMU D /flash1/ir1101-universalk9.16.12.02.CSCvt63576.SPA.smu.bin
IMG C 16.12.02.0.6

Step 2 Commit the action.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


214
Software Maintenance Upgrade (SMU)
Uninstalling the Patch Image Using Deactivate, Commit, and Remove

Router# install commit


install_commit: START Fri Apr 24 22:56:11 UTC 2020
install_commit: Committing SMU

*Apr 24 22:56:15.169: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install


commitExecuting pre scripts....
Executing pre sripts done.
--- Starting SMU Commit operation ---
Performing SMU_COMMIT on Active/Standby
[R0] SMU_COMMIT package(s) on R0
[R0] Finished SMU_COMMIT on R0
Checking status of SMU_COMMIT on [R0]
SMU_COMMIT: Passed on [R0]
Finished SMU Commit operation

SUCCESS: install_commit /flash1/ir1101-universalk9.16.12.02.CSCvt63576.SPA.smu.bin Fri Apr 24 22:56:32


UTC 2020

*Apr 24 22:56:33.342: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed install


commit SMU

Show what patches are installed:

Router# show install summary


[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
SMU C /flash1/ir1101-universalk9.16.12.02.CSCvq74407.SPA.smu.bin
SMU I /flash1/ir1101-universalk9.16.12.02.CSCvt63576.SPA.smu.bin
IMG C 16.12.02.0.6

Step 3 Remove the patch.

Router# install remove file flash:ir1101-universalk9.16.12.02.CSCvt63576.SPA.smu.bin


install_remove: START Fri Apr 24 22:57:17 UTC 2020

*Apr 24 22:57:20.775: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install remove


flash:ir1101-universalk9.16.12.02.CSCvt63576.SPA.smu.bininstall_remove: Removing SMU
Executing pre scripts....
Executing pre scripts done.

--- Starting SMU Remove operation ---


Performing SMU_REMOVE on Active/Standby
[R0] SMU_REMOVE package(s) on R0
[R0] Finished SMU_REMOVE on R0
Checking status of SMU_REMOVE on [R0]
SMU_REMOVE: Passed on [R0]
Finished SMU Remove operation

SUCCESS: install_remove /flash1/ir1101-universalk9.16.12.02.CSCvt63576.SPA.smu.bin Fri Apr 24 22:57:34


UTC 2020

*Apr 24 22:57:34.902: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed install


remove flash:ir1101-universalk9.16.12.02.CSCvt63576.SPA.smu.bin

Show what patches are installed:

Router# show install summary

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


215
Software Maintenance Upgrade (SMU)
Uninstalling the Patch Image Using Deactivate, Commit, and Remove

[ R0 ] Installed Package(s) Information:


State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
SMU C /flash1/ir1101-universalk9.16.12.02.CSCvq74407.SPA.smu.bin
IMG C 16.12.02.0.6

Note in the above command output the patch for CDET CSCvt63576 has been removed, while the patch for CDET
CSCvq74407 remains.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


216
CHAPTER 22
Smart Licensing Using Policy (SLP)
This chapter contains the following sections:
• SLP Overview, on page 217
• Customer Topologies, on page 219
• License Installation Procedure - Full Offline Access Topology, on page 220
• License Installation Procedure - CSLU has No Access to CSSM, on page 225
• Removing the Device from CSSM, on page 237

SLP Overview
Smart Licensing Using Policy (SLP), was previously referred to as Smart Licensing Enhanced (SLE), and is
the default mode starting with IOS-XE release 17.3.2. SLE replaced Smart Software Licensing. The IR1101
only supports SLP. Some of the feature differences are:
• An Authorization Code is required only for export control requirement
• No more EVAL licenses. Authorized status has changed to In Use or Not In Use with an Enforcement
Type class.
• Cisco Smart Licensing Utility (CSLU) is a new tool interfacing between the devices and Cisco Smart
Software Manager (CSSM) in specific customer topologies.
• Throughput is defaulted and capped at 250MB.

Important Examples used throughout the rest of this section show the ESR6300 Router. The IR1101 functions in
the same manner, with the exception of not supporting the higher throughput license.

License Enforcement Types


A given license belongs to one of three enforcement types. The enforcement type indicates if the license
requires authorization before use, or not.
• Unenforced or Not Enforced

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


217
Smart Licensing Using Policy (SLP)
SLP Architecture

The vast majority of licenses belong to this enforcement type. Unenforced licenses do not require authorization
before use in air-gapped networks, or registration, in connected networks. The terms of use for such licenses
are as per the end user license agreement (EULA).
• Enforced
Licenses that belong to this enforcement type require authorization before use. The required authorization is
in the form of an authorization code, which must be installed in the corresponding product instance.
An example of an enforced license is the Media Redundancy Protocol (MRP) Client license, which is available
on Industrial Ethernet Switches.
• Export-Controlled
Licenses that belong to this enforcement type are export-restricted by U.S. trade-control laws and these licenses
require authorization before use. The required authorization code must be installed in the corresponding
product instance for these licenses as well. Cisco may pre-install export-controlled licenses when ordered
with hardware purchase.
An example of an export-controlled license is the High Security (HSEC) license, which is available on certain
Cisco Routers.

SLP Architecture
This section explains the various components that can be part of your SLP implementation.

Product Instance
A product instance is a single instance of a Cisco product, identified by a Unique Device Identifier (UDI).
A product instance records and reports license usage (RUM reports), and provides alerts and system messages
about overdue reports, communication failures, etc. The RUM reports and usage data are also stored securely
in the product instance.
A Resource Utilization Measurement report (RUM report) is a license usage report, which fulfils reporting
requirements as specified by the policy. RUM reports are generated by the product instance and consumed
by CSSM. The product instance records license usage information and all license usage changes in an open
RUM report. At system-determined intervals, open RUM reports are closed and new RUM reports are opened
to continue recording license usage. A closed RUM report is ready to be sent to CSSM.
A RUM acknowledgement (RUM ACK or ACK) is a response from CSSM and provides information about
the status of a RUM report. Once the ACK for a report is available on the product instance, it indicates that
the corresponding RUM report is no longer required and can be deleted.
CSSM displays license usage information as per the last received RUM report.

Cisco Smart Software Manager (CSSM)


CSSM is a portal that enables you to manage all your Cisco software licenses from a centralized location.
CSSM helps you manage current requirements and review usage trends to plan for future license requirements.
You can access CSSM at https://software.cisco.com . Under the License tab, click the Smart Software Licensing
link.
In CSSM you can:
• Create, manage, or view virtual accounts.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


218
Smart Licensing Using Policy (SLP)
Cisco Smart Licensing Utility (CSLU)

• Create and manage Product Instance Registration Tokens.


• Transfer licenses between virtual accounts or view licenses.
• Transfer, remove, or view product instances.
• Run reports against your virtual accounts.
• Modify your email notification settings.
• View overall account information.
Prior to using CSSM, please view a short video about how to use the portal found here:
https://www.cisco.com/c/en/us/buy/smart-accounts/software-manager.html
Click on the View Video button.

Cisco Smart Licensing Utility (CSLU)


CSLU is a Windows-based reporting utility that provides aggregate licensing work-flows. It helps you
administer all your licenses and their associated product instances from your premises instead of having to
connect to CSSM.
This utility performs the following key functions:
• Provides the options relating to how work-flows are triggered. The work-flows can be triggered by CSLU
or by the product instance
• Collects usage reports from the product instance and upload these usage reports to the corresponding
smart account or virtual account – online, or offline, using files. Similarly, the RUM report ACK is
collected online, or offline, and provided back to the product instance.
• Sends authorization code requests to CSSM and receives authorization codes from CSSM.

CSLU can be part of your SLP topology in the following ways:


• Install the windows application, to use CSLU as a standalone tool and connect it to CSSM.
• Install the windows application, to use CSLU as a standalone tool and not connect it to CSSM. With this
option, the required usage information is downloaded to a file and then uploaded to CSSM. This is suited
to air-gapped networks.
• Embed it in a controller such as Cisco DNA Center.

Customer Topologies
IoT Routing platforms use two different topologies.
• Full Offline Access
• CSLU has No Access to CSSM
The following figure illustrates the Full Offline Access:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


219
Smart Licensing Using Policy (SLP)
License Installation Procedure - Full Offline Access Topology

In this topology, devices do not have connectivity to CSSM (software.cisco.com). The user must copy and
paste information between Cisco products and CSSM to manually check in and out licenses.
The following figure illustrates the CSLU having No Access to CSSM:

In this topology the devices are connected to the CSLU controller, but there is no connectivity between CSLU
and CSSM (Cisco Smart Software Manager – software.cisco.com).
Cisco devices will send usage information to a locally installed CSLU. The user must copy and paste information
between the CSLU and CSSM to manually check-in and check-out licenses.

License Installation Procedure - Full Offline Access Topology


This procedure requires a manual exchange of required information between the router and CSSM.
Refer to the following graphic for the flow of information:

1. Generate a License Usage Data file or AuthCode Request.


2. Export to CSSM.
3. Upload License Usage Data or AuthCode Request.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


220
Smart Licensing Using Policy (SLP)
Procedure to Register Product Instance in CSSM

4. Export ACK/AuthRequest file to Router.


5. Upload ACK file or AuthRequestAuthCode

Procedure to Register Product Instance in CSSM

Step 1 Generate a license usage file from the Router.


In exec mode, perform the following:
Example:

Router# license smart save usage all file flash:slp

Step 2 Export the license usage file (slp) to your host laptop/PC.
Step 3 Importing the license usage file to CSSM on Cloud. Click on the Usage Data Files tab.
Figure 61: Usage Data File

Step 4 The Upload Usage Data window appears. Click Browse, and navigate to where the file is.
Step 5 Click on Upload Data.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


221
Smart Licensing Using Policy (SLP)
Procedure to Register Product Instance in CSSM

Figure 62: Browse and Upload

Step 6 Select the Virtual Account.


Figure 63: Select Account

Step 7 From the pull-down, select your respective virtual account.


Figure 64: Select Your Account

Step 8 Click Ok.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


222
Smart Licensing Using Policy (SLP)
Importing the ACK file from CSSM to your Device

Step 9 Observe the Smart Software Licensing window. Initially, the Reporting Status state will be Pending. Wait until the
window reflects No Errors before continuing.
Figure 65: Reporting Status

Step 10 Click Download to download the ACK file.


Step 11 Check under the Product Instances tab to verify your device is listed.
Figure 66: Product Instances

Step 12 Import the ACK file from CSSM to your device using the command line interface.

Importing the ACK file from CSSM to your Device

Step 1 Copy the ACK file from CSSM to your host laptop or usbflash device. In exec mode on the device:
Example:

Router#license smart import <flash: | usbflash0:> ACK_slp


Import Data Successful
Router#
*Sep 1 21:12:58.576: %SIP-1-LICENSING: SIP service is Up. License report acknowledged.
*Sep 1 21:12:58.616: %SMART_LIC-6-POLICY_INSTALL_SUCCESS: A new licensing policy was successfully
installed

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


223
Smart Licensing Using Policy (SLP)
Removing the Device from CSSM

Step 2 Verify Product Instance has imported the data


Example:

Router# show license usage


License Authorization:
Status: Not Applicable
network-advantage_250M (ESR6300_P_250M_A):
Description: network-advantage_250M
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: network-advantage_250M
Feature Description: network-advantage_250M
Enforcement type: NOT ENFORCED

Step 3 Verify the license is in use.


Example:

Router# show license summary


License Usage:
License Entitlement tag Count Status
-------------------------------------------------------------------------------------
network-advantage_250M (ESR6300_P_250M_A) 1 IN USE

Router#
Router#show license all | beg Usage Reporting:
Usage Reporting:
Last ACK received: Sep 01 21:12:58 2020 UTC
Next ACK deadline: <none>
Reporting Interval: 0 (no reporting)
Next ACK push check: <none>
Next report push: <none>
Last report push: <none>
Last report file write: <none>
Trust Code Installed: Sep 01 00:28:48 2020 UTC

Removing the Device from CSSM

Step 1 Navigate back to the product instances tab. Locate your device.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


224
Smart Licensing Using Policy (SLP)
License Installation Procedure - CSLU has No Access to CSSM

Figure 67: Product Instances

Step 2 Click on Actions beside your device, and from those options click Remove.
The Confirm Remove Product Instance window appears.
Figure 68: Confirm Remove Product Instance

Step 3 Click Remove Product Instance.

License Installation Procedure - CSLU has No Access to CSSM


This procedure performs an online exchange of required information between the Router and CSLU.
Refer to the following graphic for the flow of information:

Step 1 In CSLU, identify the devices that require an AuthCode, and initiate the request. An AuthCode file is created.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


225
Smart Licensing Using Policy (SLP)
Procedure when devices are connected to the CSLU

Step 2 Export the AuthCode file to CSSM.


Step 3 Upload the AuthCode to CSSM SA/VA account.
Step 4 Export the AuthRequestAuthcode file to CSLU.
Step 5 Upload ACK file or AuthRequestAuthCode

Procedure when devices are connected to the CSLU


First, perform these steps on the router using the CLI to get a license UDI:

Router#show license summary


License Reservation is ENABLED License Usage:
License Entitlement tag Count Status
network-advantage_250M (ESR6300 _P_250M_A) 1 IN USE

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#platform hardware throughput level 2G
% 2G throughput level requires hseck9 license!

Router(config)#end
Router#sh license udi
UDI: PID:ESR-6300-CON-K9,SN:FOC23032UVB

Step 1 Open the Cisco Smart License Utility (CSLU).


Step 2 Navigate to the Product Instances tab, then click on the UDI.
Figure 69: Select UDI

Step 3 The Edit Single Product Instance window appears.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


226
Smart Licensing Using Policy (SLP)
Procedure when devices are connected to the CSLU

Figure 70: Edit Single Product Instance

Step 4 The Edit Multiple Devices window appears. Supply your account password and click Save.
Figure 71: Edit Multiple Devices

Step 5 In the Product Instances window, click on the Actions for Selected Devices Tab.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


227
Smart Licensing Using Policy (SLP)
Procedure when devices are connected to the CSLU

Figure 72: Actions for Selected Devices

Step 6 Select Authorization Code Request.


Step 7 The Authorization Request Information window appears. Read the contents and then click Accept.
Figure 73: Authorization Request Information

Step 8 The CSLU downloads a Authorization Request file to your laptop. Click Save.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


228
Smart Licensing Using Policy (SLP)
Exporting the AuthRequest File to CSSM

Figure 74: Authorization Request File

Exporting the AuthRequest File to CSSM


The next step is to take the Authorization Request file you just saved, and export it into Cisco Smart Software
Manager (CSSM).
Launch CSSM.
Click on the Inventory Tab, select your Virtual Account.

Step 1 Click on the Product Instances Tab.


Step 2 Click on Authorize License-Enforced Features.
Figure 75: Authorize License-Enforced Features

The Authorize License-Enforced Features window appears.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


229
Smart Licensing Using Policy (SLP)
Exporting the AuthRequest File to CSSM

Figure 76: Authorize License-Enforced Features

Step 3 Choose Multiple or Single devices from the pull-down.


Step 4 The window changes to an option to select a device file. Click on Choose File.

Step 5 A popup window opens to navigate to where you saved your Authorization Request file on your laptop.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


230
Smart Licensing Using Policy (SLP)
Exporting the AuthRequest File to CSSM

Figure 77: Open File Navigation Window

Step 6 Select your file, and then click Open.


Step 7 The authorization file loads, and the window changes to present your devices.
Figure 78: Present Devices

Step 8 When successful, click Next.


Step 9 The Select Licenses Tab opens.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


231
Smart Licensing Using Policy (SLP)
Exporting the AuthRequest File to CSSM

Figure 79: Select Licenses

Step 10 Under Quantity per Device, enter the number you wish.
Figure 80: Enter Number

Step 11 If CSSM cannot identify your device from the identifying information, you can select it manually.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


232
Smart Licensing Using Policy (SLP)
Exporting the AuthRequest File to CSSM

Figure 81: Select a Device Type

Step 12 Click Continue, and the window changes to Review and Confirm.
Figure 82: Review and Confirm

Step 13 Click on Reserve Licenses, and CSSM generates feature authorization codes.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


233
Smart Licensing Using Policy (SLP)
Uploading the Authorization Request Code file into CSLU

Figure 83: Feature Authorization Codes

Step 14 Click Download Authorization Codes, and a window opens to navigate to where you wish to save the codes.
Figure 84: Save Authorization Code

Step 15 Click Ok.

Uploading the Authorization Request Code file into CSLU

Step 1 Open the Cisco Smart License Utility (CSLU).


Step 2 Navigate to Product Instances, and then select Upload From Cisco.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


234
Smart Licensing Using Policy (SLP)
Uploading the Authorization Request Code file into CSLU

Figure 85: Upload From Cisco

Step 3 There are two options to load your file. Drag and Drop, or Browse to where you saved your file. This example shows
Browse.
Figure 86: Browse to File

Step 4 Select your authorization code file, and then click Open. The system uploads the authorization code file, then a successful
upload message appears.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


235
Smart Licensing Using Policy (SLP)
License Installation Process in the Router

Figure 87: Successful Upload

License Installation Process in the Router


Perform the following from the command line interface.

Router#show license summary


License Reservation is ENABLED
License Usage:
License Entitlement tag Count Status
network-advantage_250M (ESR6300_P_250M_E) 1 IN USE
hseck9 (ESR6300_HSEC) 1 IN USE

Router#show license usage


License Authorization:
Status: Not Applicable
network-advantage_250M (ESR6300_P_250M_A):
Description: network-advantage_250M
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: network-advantage_250M
Feature Description: network-advantage_250M
Enforcement type: NOT ENFORCED
hseck9 (ESR6300_HSEC_License):
Description: hseck9
Count: 1
Version: 1.0
Status: IN USE
Export status: RESTRICTED - ALLOWED
Feature Name: hseck9
Feature Description: hseck9
Enforcement type: EXPORT RESTRICTED

Router(config)#platform hardware throughput level 2G


% Please write mem and reload
% The config will take effect on next reboot
Router(config)#end

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


236
Smart Licensing Using Policy (SLP)
Removing the Device from CSSM

Router#
*Sep 30 18:05:55.654: %SYS-5-CONFIG_I: Configured from console by cisco on console
Router#show license summary
License Reservation is ENABLED License Usage:
License Entitlement tag Count Status
network-advantage_250M (ESR6300_P_250M_A) 1 IN USE
hseck9 (ESR6300_HSEC_License) 1 IN USE
network-advantage_2G (ESR6300_P_2G_A) 1 IN USE

Removing the Device from CSSM


Step 1 Navigate back to the product instances tab. Locate your device.
Figure 88: Product Instances

Step 2 Click on Actions beside your device, and from those options click Remove.
The Confirm Remove Product Instance window appears.
Figure 89: Confirm Remove Product Instance

Step 3 Click Remove Product Instance.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


237
Smart Licensing Using Policy (SLP)
Removing the Device from CSSM

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


238
CHAPTER 23
Configuring Ethernet Switch Ports
This chapter contains the following sections:
• Configuring VLANs, on page 239
• VLAN Trunking Protocol (VTP), on page 240
• Configuring IEEE 802.1X Port-Based Authentication, on page 240
• Configuring Spanning Tree Protocol, on page 241
• Configuring MAC Address Table Manipulation, on page 242
• Configuring Switch Port Analyzer, on page 243
• IGMP Snooping for IPv4, on page 244

Configuring VLANs
A VLAN is a switched network that is logically segmented by function or application, without regard to the
physical locations of the users. VLANs have the same attributes as physical LANs. However, you can group
end-stations even if they are not physically located on the same LAN segment. Any device port can belong
to a VLAN, unicast, broadcast, and multicast packets are forwarded and flooded only to end-stations in the
VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to
the VLAN must be forwarded through a router or a device supporting fallback bridging. In a device stack,
VLANs can be formed with ports across the stack. Because a VLAN is considered a separate logical network,
it contains its own bridge Management Information Base (MIB) information and can support its own
implementation of spanning tree.
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet
belong to the same VLAN. Interface VLAN membership on the device is assigned manually on an
interface-by-interface basis. When you assign device interfaces to VLANs by using this method, it is known
as interface-based, or static, VLAN membership.
The device can route traffic between VLANs by using device virtual interfaces (SVIs). An SVI must be
explicitly configured and assigned an IP address to route traffic between VLANs.
Access Ports
An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN
port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port
is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet IEEE 802.1Q
tagged), the packet is dropped, and the source address is not learned.
Trunk Ports

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


239
Configuring Ethernet Switch Ports
VLAN Trunking Protocol (VTP)

A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN
database. These trunk port types are supported:
• An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An IEEE 802.1Q trunk
port is assigned a default port VLAN ID (PVID), and all untagged traffic travels on the port default
PVID. All untagged traffic and tagged traffic with a NULL VLAN ID are assumed to belong to the port
default PVID. A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged. All
other traffic is sent with a VLAN tag.

Although by default, a trunk port is a member of every VLAN known to the VTP, you can limit VLAN
membership by configuring an allowed list of VLANs for each trunk port. The list of allowed VLANs does
not affect any other port but the associated trunk port. By default, all possible VLANs (VLAN ID 1 to 4094)
are in the allowed list. A trunk port can become a member of a VLAN only if VTP knows of the VLAN and
if the VLAN is in the enabled state. If VTP learns of a new, enabled VLAN and the VLAN is in the allowed
list for a trunk port, the trunk port automatically becomes a member of that VLAN and traffic is forwarded
to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed
list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded
to or from the port.
For more information on VLANs, see VLAN Configuration Guide, Cisco IOS XE Gibraltar 16.10.x.

VLAN Trunking Protocol (VTP)


VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the
addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and
configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect
VLAN-type specifications, and security violations.
Before you create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make
configuration changes centrally on one or more switches and have those changes automatically communicated
to all the other switches in the network. Without VTP, you cannot send information about VLANs to other
switches.VTP is designed to work in an environment where updates are made on a single switch and are sent
through VTP to other switches in the domain. It does not work well in a situation where multiple updates to
the VLAN database occur simultaneously on switches in the same domain, which would result in an
inconsistency in the VLAN database.
Further information about configuring VTP can be found here:http://www.cisco.com/c/en/us/td/docs/routers/
access/interfaces/software/feature/guide/geshwic_cfg.html#wp1046901

Configuring IEEE 802.1X Port-Based Authentication


IEEE 802.1X port-based authentication is configured on a device to prevent unauthorized devices (supplicants)
from gaining access to the network. The device can combine the function of a router, switch, and access point,
depending on the fixed configuration or installed modules. The switch functions are provided by either built-in
switch ports or a plug-in module with switch ports. This feature supports both access ports and trunk ports.
For more informaton on 802.1X port-based authentication, see the Configuring IEEE 802.1X Port-Based
Authentication Guide.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


240
Configuring Ethernet Switch Ports
Configuring Spanning Tree Protocol

Configuring Spanning Tree Protocol


Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy while
preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path
can exist between any two stations. Multiple active paths among end stations cause loops in the network. If
a loop exists in the network, end stations might receive duplicate messages. Switches might also learn
end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network.
Spanning-tree operation is transparent to end stations, which cannot detect whether they are connected to a
single LAN segment or a switched LAN of multiple segments.
The STP uses a spanning-tree algorithm to select one switch of a redundantly connected network as the root
of the spanning tree. The algorithm calculates the best loop-free path through a switched Layer 2 network by
assigning a role to each port based on the role of the port in the active topology:
• Root—A forwarding port elected for the spanning-tree topology
• Designated—A forwarding port elected for every switched LAN segment
• Alternate—A blocked port providing an alternate path to the root bridge in the spanning tree
• Backup—A blocked port in a loopback configuration

The switch that has all of its ports as the designated role or as the backup role is the root switch. The switch
that has at least one of its ports in the designated role is called the designated switch.Spanning tree forces
redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a
redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the
standby path. Switches send and receive spanning-tree frames, called bridge protocol data units (BPDUs), at
regular intervals. The switches do not forward these frames but use them to construct a loop-free path. BPDUs
contain information about the sending switch and its ports, including switch and MAC addresses, switch
priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port
for the switched network and the root port and designated port for each switched segment.
When two ports on a switch are part of a loop, the spanning-tree port priority and path cost settings control
which port is put in the forwarding state and which is put in the blocking state. The spanning-tree port priority
value represents the location of a port in the network topology and how well it is located to pass traffic. The
path cost value represents the media speed.
For detailed configuration information on STP see the following link:
http://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/NIM/software/configuration/guide/4_
8PortGENIM.html#pgfId-1079138
Example: Spanning Tree Protocol Configuration
The following example shows configuring spanning-tree port priority of a Gigabit Ethernet interface.
If a loop occurs, spanning tree uses the port priority when selecting an interface to put in the forwarding
state.
Router# configure terminal
Router(config)# interface FastEthernet 0/0/1
Router(config-if)# spanning-tree vlan 1 port-priority 64
Router(config-if)# end

The following example shows how to change the spanning-tree port cost of a Gigabit Ethernet
interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding
state.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


241
Configuring Ethernet Switch Ports
Configuring MAC Address Table Manipulation

Router#configure terminal
Router(config)# interface FastEthernet 0/0/1
Router(config-if)# spanning-tree cost 18
Router(config-if)# end

The following example shows configuring the bridge priority of VLAN 10 to 33792:
Router# configure terminal
Router(config)# spanning-tree vlan 10 priority 33792
Router(config)# end

The following example shows configuring the hello time for VLAN 10 being configured to 7 seconds.
The hello time is the interval between the generation of configuration messages by the root switch.
Router# configure terminal
Router(config)# spanning-tree vlan 10 hello-time 7
Router(config)# end

The following example shows configuring forward delay time. The forward delay is the number of
seconds an interface waits before changing from its spanning-tree learning and listening states to the
forwarding state.
Router# configure terminal
Router(config)# spanning-tree vlan 10 forward-time 21
Router(config)# end

The following example shows configuring maximum age interval for the spanning tree. The
maximum-aging time is the number of seconds a switch waits without receiving spanning-tree
configuration messages before attempting a reconfiguration.
Router# configure terminal
Router(config)# spanning-tree vlan 20 max-age 36
Router(config)# end

The following example shows the switch being configured as the root bridge for VLAN 10, with a
network diameter of 4.
Router# configure terminal
Router(config)# spanning-tree vlan 10 root primary diameter 4
Router(config)# exit

Configuring MAC Address Table Manipulation


The MAC address table contains address information that the switch uses to forward traffic between ports.
All MAC addresses in the address table are associated with one or more ports. The address table includes
these types of addresses:
• Dynamic address: a source MAC address that the switch learns and then drops when it is not in use. You
can use the aging time setting to define how long the switch retains unseen addresses in the table.
• Static address: a manually entered unicast address that does not age and that is not lost when the switch
resets.

The address table lists the destination MAC address, the associated VLAN ID, and port associated with the
address and the type (static or dynamic).
See the “Example: MAC Address Table Manipulation” for sample configurations for enabling secure MAC
address, creating a statc entry, set the maximum number of secure MAC addresses and set the aging time.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


242
Configuring Ethernet Switch Ports
Configuring Switch Port Analyzer

For detailed configuration information on MAC address table manipulation see the following link:
http://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/software/feature/guide/geshwic_
cfg.html#wp1048223
Example: MAC Address Table Manipulation
The following example shows creating a static entry in the MAC address table.
Router# configure terminal
Router(config)# mac address-table static 0002.0003.0004 interface FastEthernet 0/0/1 vlan
3
Router(config)# end

The following example shows setting the aging timer.


Router# configure terminal
Router(config)# mac address-table aging-time 300
Router(config)# end

Configuring Switch Port Analyzer


The Cisco IR1101 supports local SPAN only, and up to one SPAN session. You can analyze network traffic
passing through ports by using SPAN to send a copy of the traffic to another port on the switch or on another
switch that has been connected to a network analyzer or other monitoring or security device. SPAN copies
(or mirrors) traffic received or sent (or both) on source ports to a destination port for analysis. SPAN does
not affect the switching of network traffic on the source ports. You must dedicate the destination port for
SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not receive
or forward traffic.
Only traffic that enters or leaves source ports or traffic that enters or leaves source can be monitored by using
SPAN; traffic routed to a source cannot be monitored. For example, if incoming traffic is being monitored,
traffic that gets routed from another source cannot be monitored; however, traffic that is received on the source
and routed to another can be monitored.
For detailed information on how to configure a switched port analyzer (SPAN) session, see the following web
link:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_2_se/configuration/
guide/scg3750/swspan.html
Example: SPAN Configuration
The following example shows how to configure a SPAN session to monitor bidirectional traffic from
a Gigabit Ethernet source interface:
Router# configure terminal
Router(config)# monitor session 1 source FastEthernet 0/0/1
Router(config)# end

The following example shows how to configure a gigabit ethernet interface as the destination for a
SPAN session:
Router# configure terminal
Router(config)# monitor session 1 destination FastEthernet 0/0/1
Router(config)# end

The following example shows how to remove gigabit ethernet as a SPAN source for SPAN session
1:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


243
Configuring Ethernet Switch Ports
IGMP Snooping for IPv4

Router# configure terminal


Router(config)# no monitor session 1 source FastEthernet 0/0/1
Router(config)# end

IGMP Snooping for IPv4


IGMP snooping allows switches to examine IGMP packets and make forwarding decisions based on their
content. You can configure the switch to use IGMP snooping in subnets that receive IGMP queries from either
IGMP or the IGMP snooping querier. IGMP snooping constrains IPv4 multicast traffic at Layer 2 by configuring
Layer 2 LAN ports dynamically to forward IPv4 multicast traffic only to those ports that want to receive it.
Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically
configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with
IP multicast devices. As the name implies, IGMP snooping requires the LAN switch to snoop on the IGMP
transmissions between the host and the router and to keep track of multicast groups and member ports. When
the switch receives an IGMP report from a host for a particular multicast group, the switch adds the host port
number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes
the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership
reports from the multicast clients. For more information on this feature, see
https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/snooigmp.html.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


244
CHAPTER 24
Cellular Pluggable Interface Module
Configuration Guide
The Cisco 4G LTE-Advanced Configuration chapter has been replaced by a new standalone guide called
Cellular Pluggable Interface Module Configuration Guide. This guide contains updated information on all
aspects of using the Cisco Cellular PIM.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


245
Cellular Pluggable Interface Module Configuration Guide

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


246
CHAPTER 25
Information About SCADA
This chapter contains the following sections:
• SCADA Overview, on page 247
• Role of the IR1101, on page 248
• Key Terms, on page 248
• Protocol Translation Application, on page 248
• Prerequisites, on page 249
• Guidelines and Limitations, on page 250
• Default Settings, on page 250
• Configuring Protocol Translation, on page 250
• Configuring the T101 Protocol Stack, on page 251
• Configuring the T104 Protocol Stack, on page 254
• Configuration Example, on page 257
• Yang Data Model Support for Scada, on page 258
• Configuring the DNP3 Protocol Stacks, on page 261
• Starting and Stopping the Protocol Translation Engine, on page 264
• Verifying Configuration, on page 265
• Debug Commands, on page 265

SCADA Overview
SCADA refers to a control and management system employed in industries such as water management, electric
power, and manufacturing. A SCADA system collects data from various types of equipment within the system
and forwards that information back to a Control Center for analysis. Generally, individuals located at the
Control Center monitor the activity on the SCADA system and intervene when necessary.
The Remote Terminal Unit (RTU) acts as the primary control system within a SCADA system. RTUs are
configured to control specific functions within the SCADA system, which can be modified as necessary
through a user interface.
On the IR1101, line is 0/2/0 same as the Async interface.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


247
Information About SCADA
Role of the IR1101

Role of the IR1101


In the network, the Control Center always serves as the master in the network when communicating with the
IR1101. The IR1101 serves as a proxy master station for the Control Center when it communicates with the
RTU.
The IR1101 provides protocol translation to serve as a SCADA gateway to do the following:
• Receive data from RTUs and relay configuration commands from the Control Center to RTUs.
• Receive configuration commands from the Control Center and relay RTU data to the Control Center
• Terminate incoming requests from the Control Center, when an RTU is offline.
The IR1101 performs Protocol Translation for the following protocols:
• IEC 60870 T101 to/from IEC 60870 T104.
• DNP3 serial to DNP3 IP

Key Terms
The following terms are relevant when you configure the T101 and T104 protocol stacks on the IR1101:
• Channel–A channel is configured on each IR1101 serial port interface to provide a connection to a single
RTU for each IP connection to a remote Control Center. Each connection transports a single T101 (RTU)
or T104 (Control Center) protocol stack.
• Link Address–Refers to the device or station address.
• Link Mode (Balanced and Unbalanced)–Refers to the modes of data transfer.
• An Unbalanced setting refers to a data transfer initiated from the master.
• A Balanced setting can refer to either a master or slave initiated data transfer.
• Sector–Refers to a single RTU within a remote site.
• Sessions–Represents a single connection to a remote site.
The following terms are relevant when you configure the DNP3 protocol stacks on the on the IR1101:
• Channel–A channel is configured on the IR1101 serial port interface to provide a connection to a single
RTU for each IP connection to a remote Control Center. Each connection transports a single DNP3 serial
(RTU) or DNP3 IP (Control Center) protocol stack.
• Link Address–Refers to the device or station address.
• Sessions–Represents a single connection to a remote site.

Protocol Translation Application


In Figure 90: Routers Within a SCADA System, on page 249 the IR1101 (installed within a secondary substation
of the Utility Network) employs Protocol Translation to provide secure, end-to-end connectivity between
Control Centers and RTUs within a SCADA System.
The IR1101 connects to the RTU (slave) through a RS232 connection. To protect the traffic when forwarded
over public infrastructures (for example, cellular), the IR1101 forwards SCADA data from the RTU to the
Control Center in the SCADA system through an IPSec tunnel (FlexVPN site-to-site or hub and spoke). The

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


248
Information About SCADA
Prerequisites

IPSec tunnel protects all traffic between the IR1101 and the Head-end aggregation router. SCADA traffic can
be inspected through an IPS device positioned in the path of the SCADA traffic before it is forwarded to the
proper Control Center.
Figure 90: Routers Within a SCADA System

Prerequisites
RTUs must be configured and operating in the network.
For each RTU that connects to the IR1101, you will need the following information for T101/T104:
• Channel information
• Channel name
• Connection type: serial
• Link transmission procedure setting: unbalanced or balanced
• Address field of the link (number expressed in octets)
• Session information
• Session name
• Size of common address of Application Service Data Unit (ASDU) (number expressed in octets)
• Cause of transmission (COT) size (number expressed in octets)
• Information object address (IOA) size (number expressed in octets)
• Sector information
• Sector name
• ASDU address, (number expressed in octets)

For each RTU that connects to the IR1101, you will need the following information for DNP3:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


249
Information About SCADA
Guidelines and Limitations

• Channel information
• Channel name
• Connection type: serial
• Link address

• Session information
• Session name

Guidelines and Limitations


Each channel supports only one session.
Each sessions supports only one sector.

Default Settings
T101/T104 Parameters Default

Role for T101 Master

Role for T104 Slave

DNP3 Parameters Default

Unsolicited Response (DNP3-serial) Not


Enabled

Send Unsolicited Message (DNP3-IP) Enabled

Configuring Protocol Translation


This section includes the following topics:

Note Before making any configuration changes to a IR1101 operating with Protocol Translation, please review
the section on Starting and Stopping the Protocol Translation Engine, on page 264.

Enabling the IR1101 Serial Port and SCADA Encapsulation


Before you can enable and configure Protocol Translation on the IR1101, you must first enable the serial port
on the IR1101 and enable SCADA encapsulation on that port.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


250
Information About SCADA
EXAMPLE

Before you begin


Determine availability of serial port on the IR1101.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters the global configuration mode.

Step 2 interface async slot/port/interface Enters the interface command mode for the async
slot/port/interface.
slot –value of 0
port –value of 2
interface –value of 0

Step 3 no shutdown Brings up the port, administratively.

Step 4 encapsulation scada Enables encapsulation on the serial port for protocol
translation and other SCADA protocols.

EXAMPLE
This example shows how to enable serial port 0/2/0 and how to enable encapsulation on that interface to
support SCADA protocols.

router# configure terminal


router(config)# interface async 0/2/0
router (config-if)# no shutdown
router (config-if)# encapsulation scada

Configuring T101 and T104 Protocol Stacks


You can configure T101 and T104 protocol stacks, which allow end-to-end communication between Control
Centers (T104) and RTUs (T101) within a SCADA system.
• Configuring the T101 Protocol Stack, on page 251
• Configuring the T104 Protocol Stack, on page 254
• Starting and Stopping the Protocol Translation Engine, on page 264

Prerequisites
Ensure that you have gathered all the required configuration information.
Enable the serial port and SCADA encapsulation.

Configuring the T101 Protocol Stack


Configure the channel, session, and sector parameters for the T101 protocol stack.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


251
Information About SCADA
Configuring the T101 Protocol Stack

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.

Step 2 scada-gw protocol t101 Enters the configuration mode for the T101 protocol.

Step 3 channel channel_name Enters the channel configuration mode for the T101
protocol.
channel_name –Identifies the channel on which the serial
port of the IR1101 communicates to the RTU.
Note When the entered channel name does not
already exist, the router creates a new channel.
Entering the no form of this command deletes an existing
channel. However, all sessions must be deleted before you
can delete a channel.

Step 4 role master Assigns the master role to the T101 protocol channel
(default).

Step 5 link-mode {balanced | unbalanced} Configures the link-mode as either balanced or unbalanced.
unbalanced–Refers to a data transfer initiated from the
master.
balanced–Refers to either a master or slave data transfer.

Step 6 link-addr-size {none | one | two} Defines the link address size in octets.

Step 7 bind-to-interface async slot/port/interface Defines the IR1101 serial interface on which the system
sends its T101 protocol traffic.
slot –Value of 0
port –Value of 2
interface –Value of 0

Step 8 exit Ends configuration of the channel and exits the channel
configuration mode. Saves all settings.

Step 9 session session_name Enters the session configuration mode and assigns a name
to the session.

Step 10 attach-to-channel channel_name Attaches the session to the channel.


Enter the same channel name that you entered in Step 3 .
channel_name –Identifies the channel.

Step 11 common-addr-size {one | two | three} Defines the common address size in octets.

Step 12 cot size {one | two | three} Defines the cause of transmission such as spontaneous or
cyclic data schemes in octets.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


252
Information About SCADA
EXAMPLE

Command or Action Purpose


Step 13 info-obj-addr-size {one | two | three} Defines the information object element address size in
octets.

Step 14 link-addr-size {one | two | three} Defines the link address size in octets.

Step 15 link-addr link_address Refers to the link address of the RTU.


Note The link address entered here must match the
value set on the RTU to which the serial port
connects.
link_address –Range of 0-65535.

Step 16 exit Exits the session configuration mode.

Step 17 sector sector_name Enters the sector configuration mode and assigns a name
to the sector for the RTU.
sector_name –Identifies the sector.

Step 18 attach-to-session session_name Attaches the RTU sector to the session.


Enter the same session name that you entered in Step 9 .
session_name- Identifies the session.

Step 19 asdu-addr asdu_address Refers to the ASDU structure address of the RTU.

Step 20 exit Exits the sector configuration mode.

Step 21 exit Exits the protocol configuration mode.

EXAMPLE
This example shows how to configure the parameters for the T101 protocol stack for RTU_10 .

router# configure terminal


router(config)# scada-gw protocol t101
router(config-t101)# channel rtu_channel
router(config-t101-channel)# role master
router(config-t101-channel)# link-mode unbalanced
router(config-t101-channel)# link-addr-size
one
router(config-t101-channel)# bind-to-interface async 0/2/0
router(config-t101-channel)# exit
router(config-t101)# session rtu_session
router(config-t101-session)# attach-to-channel rtu_channel
router(config-t101-session)# common-addr-size two
router(config-t101-session)# cot-size one
router(config-t101-session)# info-obj-addr-size two
router(config-t101-session)# link-addr 3
router(config-t101-session)# exit
router(config-t101)# sector rtu_sector
router(config-t101-sector)# attach-to-session rtu_session
router(config-t101-sector)# asdu-addr 3
router(config-t101-sector)# exit

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


253
Information About SCADA
Configuring the T104 Protocol Stack

router(config-t101)# exit
router(config)#

Configuring the T104 Protocol Stack


Follow the steps below for each Control Center that you want to connect to over a T104 protocol.

Before you begin


Ensure that you have gathered all the required configuration information. (See Prerequisites, on page 249)
Enable the serial port and SCADA encapsulation. (See Enabling the IR1101 Serial Port and SCADA
Encapsulation, on page 250)

Procedure

Command or Action Purpose


Step 1 configure terminal Enters configuration mode.

Step 2 scada-gw protocol t104 Enters the configuration mode for the T104 protocol.

Step 3 channel channel_name Enters the channel configuration mode for the T104
protocol.
channel_name –Identifies the channel on which the router
communicates with the Control Center.
Note When the entered channel name does not
already exist, the router creates a new channel.
Entering the no form of this command deletes an existing
channel. However, all sessions must be deleted before you
can delete a channel.

Step 4 k-value value Sets the maximum number of outstanding Application


Protocol Data Units (APDUs) for the channel.
Note An APDU incorporates the ASDU and a control
header.
value –Range of values from 1 to 32767. Default value is
12 APDUs.

Step 5 w-value value Sets the maximum number of APDUs for the channel.
value –Range of values from 1 to 32767. Default value is
8 APDUs.

Step 6 t0-timeout value Defines the t0-timeout value for connection establishment
of the T104 channel.

Step 7 t1-timeout value Defines the t1-timeout value for send or test APDUs on
the T104 channel.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


254
Information About SCADA
Configuring the T104 Protocol Stack

Command or Action Purpose


Step 8 t2-timeout value Defines the t2-timeout value for acknowledgements when
the router receives no data message.
Note The t2 value must always be set to a lower value
than the t1 value on the T104 channel.

Step 9 t3-timeout value Defines the t3-timeout value for sending s-frames in case
of a long idle state on the T104 channel.
Note The t3 value must always be set to a higher
value than the t1 value on the T104 channel.

Step 10 tcp-connection {0|1} local-port {port_number | default} In a configuration where there are redundant Control
remote-ip {A.B.C.D | A.B.C.D/LEN | any} [vrf WORD] Centers, sets the connection value for the secondary
Control Center as defined on the primary Control Center.
port-number –value between 2000 and 65535.
default–value of 2404.
A.B.C.D –single host.
A.B.C.D/nn –subnet A.B.C.D/LEN.
any–any remote hosts 0.0.0.0/0.
WORD–VRF name.

Step 11 exit Exits the channel configuration mode.

Step 12 session session_name Enters the session configuration mode and assigns a name
to the session.
session_name –Use the same name that you assigned to
the channel in Step 3 .

Step 13 attach-to-channel channel_name Defines the name of the channel that transports the session
traffic.

Step 14 cot size {one | two | three} Defines the cause of transmission (cot), such as
spontaneous or cyclic data schemes in octets.

Step 15 exit Exits the session configuration mode.

Step 16 sector sector_name Enters the sector configuration mode and assigns a name
to the sector for the Control Center.

Step 17 attach-to-session session_name Attaches the Control Center sector to the channel.
session_name –Use the same name that you assigned to
the channel in Step 3 .

Step 18 asdu-addr asdu_address Refers to the ASDU structure address. Value entered here
must match the ASDU value on the RTU.
asdu_address –asdu_address –Value of 1 or 2.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


255
Information About SCADA
EXAMPLE

Command or Action Purpose


Step 19 map-to-sector sector_name Maps the Control Center (T104) sector to the RTU (T101)
sector.

Step 20 Return to Step 1 . Repeat all steps in this section for each Control Center
active in the network.

EXAMPLE
This example shows how to configure the parameters for the T104 protocol stack on Control Center 1 and
Control Center 2, both of which are configured as masters , and how to map the T104 sector to the T101
sector.
To configure Control Center 1 (cc_master1 ), enter the following commands.

router# configure terminal


router(config)# scada-gw protocol t104
router(config-t104)# channel cc_master1
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection 0 local-port 2050 remote-ip 209.165.200.225
router(config-t104-channel)# tcp-connection 1 local-port 2051 remote-ip 209.165.201.25
router(config-t104-channel)# exit
router(config-t104)# session
cc_master1
router(config-t104-session)# attach-to-channel cc_master1
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master1-sector
router(config-t104-sector)# attach-to-session cc_master1
router(config-t104-sector)# asdu-adr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104)# exit
router(config)#

To configure Control Center 2 (cc_master2 ), enter the following commands.

router(config)# scada-gw protocol t104


router(config-t104)# channel cc_master2
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection 0 local-port 2060 remote-ip 209.165.201.237
router(config-t104-channel)# tcp-connection 1 local-port 2061 remote-ip 209.165.200.27
router(config-t104-channel)# exit
router(config-t104)# session
cc_master2
router(config-t104-session)# attach-to-channel cc_master2
router(config-t104-session)# cot-size two
router(config-t104-session)# exit

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


256
Information About SCADA
Configuration Example

router(config-t104)# sector cc_master2-sector


router(config-t104-sector)# attach-to-session cc_master2
router(config-t104-sector)# asdu-adr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104-sector)# exit
router(config-t104)# exit
router(config)#

Configuration Example
The following example shows how to configure the serial port interface for T101 connection, configure T101
and T104 protocol stacks, and starts the Protocol Translation Engine on the IR1101.

router# configure terminal


router(config)# interface async 0/2/0
router (config-if)# no shutdown
router (config-if)# encapsulation scada
router (config-if)# exit
router(config)# scada-gw protocol t101
router(config-t101)# channel rtu_channel
router(config-t101-channel)# role master
router(config-t101-channel)# link-mode unbalanced
router(config-t101-channel)# link-addr-size
one
router(config-t101-channel)# bind-to-interface async 0/2/0
router(config-t101-channel)# exit
router(config-t101)# session rtu_session
router(config-t101-session)# attach-to-channel rtu_channel
router(config-t101-session)# common-addr-size two
router(config-t101-session)# cot-size one
router(config-t101-session)# info-obj-addr-size two
router(config-t101-session)# link-addr 3
router(config-t101-session)# exit
router(config-t101)# sector rtu_sector
router(config-t101-sector)# attach-to-session rtu_session
router(config-t101-sector)# asdu-addr 3
router(config-t101-sector)# exit
router(config-t101)# exit
router(config)# scada-gw protocol t104
router(config-t104)# channel cc_master1
router(config-t104-channel)# k-value 12
router(config-t104-channel)# w-value 8
router(config-t104-channel)# t0-timeout 30
router(config-t104-channel)# t1-timeout 15
router(config-t104-channel)# t2-timeout 10
router(config-t104-channel)# t3-timeout 30
router(config-t104-channel)# tcp-connection 0 local-port 2050 remote-ip any
router(config-t104-channel)# tcp-connection 1 local-port 2051 remote-ip any
router(config-t104-channel)# exit
router(config-t104)# session
cc_master1
router(config-t104-session)# attach-to-channel cc_master1
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master1-sector
router(config-t104-sector)# attach-to-session cc_master1
router(config-t104-sector)# asdu-adr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104)# exit

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


257
Information About SCADA
Yang Data Model Support for Scada

router(config-t104)# session
cc_master2
router(config-t104-session)# attach-to-channel cc_master2
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master2-sector
router(config-t104-sector)# attach-to-session cc_master2
router(config-t104-sector)# asdu-adr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104-sector)# exit
router(config-t104)# exit
router(config)# scada-gw enable

This example configures end-to-end communication between Control Centers and RTUs within a SCADA
system using the DNP3 protocol stacks and starts the Protocol Translation Engine on the IR1101:

router# configure terminal


router(config)# interface async 0/2/0
router (config-if)# no shutdown
router (config-if)# encapsulation scada
router (config-if)# exit
router(config)# scada-gw protocol dnp3-serial
router(config-dnp3s)# channel rtu_channel
router(config-dnp3s-channel)# bind-to-interface async 0/2/0
router(config-dnp3s-channel)# link-addr source 3
router(config-dnp3s-channel)# unsolicited-response enable
router(config-dnp3s-channel)# exit
router(config-dnp3s)# session rtu_session
router(config-dnp3s-session)# attach-to-channel rtu_channel
router(config-dnp3s-session)# link-addr dest 3
router(config-dnp3s-session)# exit
router(config-dnp3s)# exit
router(config)# scada-gw protocol dnp3-ip
router(config-dnp3n)# channel cc_channel
router(config-dnp3n-channel)# link-addr dest 3
router(config-dnp3n-channel)# tcp-connection local-port default remote-ip any
router(config-dnp3n-channel)# exit
router(config-dnp3n)# session cc_session
router(config-dnp3n-session)# attach-to-channel cc_channel
router(config-dnp3n-session)# link-addr source 3
router(config-dnp3n-session)# map-to-session rtu_session
router(config-dnp3n)# exit
router(config)# exit
router(config)# scada-gw enable

Note IOA addresses obtained from T101 side are sent to T104 side without any modification by the SCADA
Gateway

Yang Data Model Support for Scada


The Cisco IOS XE 17.1.1 introduces support for the Cisco IOS XE YANG model for the Scada System.
Previous releases already provided Yang models in other areas.
https://github.com/YangModels/yang/tree/master/vendor/cisco/xe/17111 .

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


258
Information About SCADA
Scada Yang Models

Scada Yang Models


There are two feature modules available for Scada that belong to the main Cisco-IOS-XE-native model:
• Cisco-IOS-XE-scada-gw.yang
This module contains a collection of YANG definitions for Scada Gateway Configuration commands.
• Cisco-IOS-XE-scada-gw-oper.yang
This module contains a collection of YANG definitions for Scada Gateway operational data.
There are 8 dependent modules (also belonging to the main Cisco-IOS-XE-native model), that should be
imported for the Scada models to work. The following section shows the Scada Yang Models list, configuration
CLI commands, and the dependent modules that each feature module covers.

Cisco-IOS-XE-scada-gw
This module has the following corresponding Cli commands:

(config)# scada-gw protocol t101


(config-t101)# channel <
channel-name>
(config-t101)# bind-to-interface
<interface-name>
(config-t101)# link-mode
<link-mode>
(config-t101)# link-addr-size
<size>
(config-t101)# day-of-week <enable>
(config-t101)# session
<session_name>
(config-t101)# attach-to-channel
<channel-name>
(config-t101)# cot-size
<size>
(config-t101)# common-addr-size
<size>
(config-t101)# info-obj-addr-size
<size>
(config-t101)# link-addr
<addr>
(config-t101)# request
(config-t101)# sector <sector_name
>
(config-t101)# attach-to-session <
session-name>
(config-t101)# asdu-addr
<addr>
(config-t101)# request
(config)# scada-gw protocol t104
(config-t104)# channel <channel-name>
(config-t104)# tcp connection

(config-t104)# to-timeout
<value>
(config-t104)# t1-timeout
<value>

(config-t104)# t2-timeout
<value>

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


259
Information About SCADA
Cisco-IOS-XE-scada-gw-oper

(config-t104)# t3-timeout
<value>

(config-t104)# k-value
<value>

(config-t104)# w-value
<value>

(config-t101)# day-of-week
<enable>
(config-t101)# send-ei <
enable>
(config-t104)# session
<session_name>
(config-t104)# attach-to-channel
<channel_name>
(config-t104)# sector
<sector_name>
(config-t104)# attach-to-session
<session-name>
config-t104)# map-to-sector
<sector-name>
(config) scada-gw enable

The Cisco-IOS-XE-scada-gw module has the following dependent modules:


• Cisco-IOS-XE-native
• Cisco-IOS-XE-features
• ietf-inet-types
• Cisco-IOS-XE-interfaces
• Cisco-IOS-XE-ip
• Cisco-IOS-XE-vlan
• ietf-yang-types @ (any revision)
• cisco-semver

Cisco-IOS-XE-scada-gw-oper
This module has the following corresponding Cli commands:

# show scada statistics


# show scada tcp

The Cisco-IOS-XE-scada-gw-oper module has the following dependent modules:


• Cisco-IOS-XE-native
• Cisco-IOS-XE-features
• ietf-inet-types
• Cisco-IOS-XE-interfaces
• Cisco-IOS-XE-ip
• Cisco-IOS-XE-vlan
• ietf-yang-types @ (any revision)
• cisco-semver

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


260
Information About SCADA
Configuring the DNP3 Protocol Stacks

Configuring the DNP3 Protocol Stacks


You can configure the DNP3 serial and DNP3 IP protocol stacks, which allow end-to-end communication
between Control Centers and RTUs within a SCADA system.

Configuring DNP3 Serial


Configure the channel and session parameters for the DNP serial communication with an RTU.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.

Step 2 scada-gw protocol dnp3-serial Enters configuration mode for the DNP3 serial protocol.

Step 3 channel channel_name Enters channel configuration mode for the DNP3 serial
protocol.
channel_name –Identifies the channel on which the router
serial port communicates to the RTU.
Note: When the entered channel name does not already
exist, the router creates a new channel
Entering the no form of this command deletes an existing
channel. However, all sessions must be deleted before you
can delete a channel.

Step 4 bind-to-interface async0/2/0 Defines the router async interface on which the system
sends its DNP3 protocol traffic.

Step 5 link-addr source source_address Refers to the link address of the master.
source_address –Range of values from 1 to 65535.

Step 6 unsolicited-response enable (Optional) Allows unsolicited responses.


Entering the no form of this command disables unsolicited
responses.
The default is disabled.

Step 7 exit Ends configuration of the channel and exits channel


configuration mode. Saves all settings.

Step 8 session session_name Enters session configuration mode and assigns a name to
the session.
Note: When the entered session name does not already
exist, the router creates a new session.
Entering the no form of this command deletes an existing
session.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


261
Information About SCADA
EXAMPLE

Command or Action Purpose


Step 9 attach-to-channel channel_name Attaches the session to the channel.
Note: Enter the same channel name that you entered in
Step 3 above
channel_name –Identifies the channel.

Step 10 link-addr dest destination_address Refers to the link address of the slave.
destination_address –Range of values from 1 to 65535.

Step 11 exit Exits session configuration mode.

Step 12 exit Exits protocol configuration mode.

EXAMPLE
This example shows how to configure the parameters for the DPN3-serial protocol stack:

router# configure terminal


router(config)# scada-gw protocol dnp3-serial
router(config-dnp3s)# channel rtu_channel
router(config-dnp3s-channel)# bind-to-interface async 0/2/0
router(config-dnp3s-channel)# link-addr source 3
router(config-dnp3s-channel)# unsolicited-response enable
router(config-dnp3s-channel)# exit
router(config-dnp3s)# session rtu_session
router(config-dnp3s-session)# attach-to-channel rtu_channel
router(config-dnp3s-session)# link-addr dest 3
router(config-dnp3s-session)# exit
router(config-dnp3s)# exit
router(config)#

Configuring DNP3 IP
Follow the steps below for the Control Center that you want to connect to over DNP3 IP. For redundancy,
you can create multiple connections that share the same session configuration under the same session.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters configuration mode.

Step 2 scada-gw protocol dnp3-ip Enters configuration mode for the DNP-IP protocol.

Step 3 channel channel_name Enters channel configuration mode for the DNP-IP
protocol.
channel_name –Identifies the channel on which the router
communicates with the Control Center.
Note: When the entered channel name does not already
exist, the router creates a new channel.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


262
Information About SCADA
Configuring DNP3 IP

Command or Action Purpose


Entering the no form of this command deletes an existing
channel. However, all sessions must be deleted before you
can delete a channel.

Step 4 link-addr dest destination_address Refers to the link address of the master.
destination_address –Range of values from 1 to 65535.

Step 5 send-unsolicited-msg enable (Optional) Allow unsolicited messages.


The default is enabled.

Step 6 tcp-connection local-port [default | local_port ] Configures the local port number and remote IP address
remote-ip [any | remote_ip | remote_subnet ] for the TCP connection:
• default–20000.
• local_port –Range of values from 2000 to 65535.
• any–Any remote hosts 0.0.0.0/0
• remote_ip –Single host: A.B.C.D
• remote_subnet –Subnet: A.B.C.D/LEN
If remote_subnet is specified, when two channels have the
same local ports, the remote subnets cannot overlap each
other.
Note: Every <local-port, remote-ip> must be unique per
channel. If remote_subnet is specified, when two channels
have the same local ports, the remote subnets cannot
overlap each other.

Step 7 exit Exits channel configuration mode.

Step 8 session session_name Enters session configuration mode and assigns a name to
the session.
Note: When the entered session name does not already
exist, the router creates a new session.
Entering the no form of this command deletes an existing
session.

Step 9 attach-to-channel channel_name Attaches the session to the channel.


Enter the same channel name that you entered in Step 3 .
channel_name –Identifies the channel.

Step 10 link-addr source source_address Refers to the link address of the slave.
source_address –Value of 1-65535.

Step 11 map-to-session session_name Maps the dnp3-ip session to an existing dnp3-serial session.
Note: One dnp3-ip session can be mapped to only one
dnp3-serial session.

Step 12 exit Exits session configuration mode.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


263
Information About SCADA
EXAMPLE

Command or Action Purpose


Step 13 exit Exits protocol configuration mode.

EXAMPLE
This example shows how to configure the DNP3 IP parameters:

router# configure terminal


router(config)# scada-gw protocol dnp3-ip
router(config-dnp3n)# channel cc_channel
router(config-dnp3n-channel)# link-addr dest 3
router(config-dnp3n-channel)# tcp-connection local-port default remote-ip any
router(config-dnp3n-channel)# exit
router(config-dnp3n)# session cc_session
router(config-dnp3n-session)# attach-to-channel cc_channel
router(config-dnp3n-session)# link-addr source 4
router(config-dnp3n-session)# map-to-session rtu_session
router(config-dnp3n)# exit
router(config)# exit

Starting and Stopping the Protocol Translation Engine


You must start the Protocol Translation Engine to use Protocol Translation on the IR1101.
Starting–After enabling SCADA encapsulation on the IR1101 serial port and configuring the T101 and T104
protocols on the IR1101, you can start the Protocol Translation Engine.
Stopping–Before you can make any configuration changes to Protocol Translation on the IR1101 with an
active Protocol Translation Engine, you must stop the engine.

Before you begin


Before starting the Protocol Translation Engine on the router for the first time, make sure you complete the
following items:
Enabling the IR1101 Serial Port and SCADA Encapsulation, on page 250
Configuring T101 and T104 Protocol Stacks, on page 251

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.

Step 2 [no] scada-gw enable Starts (scada-gw enable) or stops (no scada-gw enable)
the Protocol Translation Engine on the IR1101.

EXAMPLE
To start the protocol translation engine on the router, enter the following commands:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


264
Information About SCADA
Verifying Configuration

router# configure terminal


router(config)# scada-gw enable

To stop the protocol translation engine on the router, enter the following commands:

router# configure terminal


router(config)# no
scada-gw enable

Verifying Configuration
Command Purpose

show Shows the configuration of the router including active features and their settings.
running-config

show scada database Displays details on the SCADA database.

show scada statistics Shows statistics for the SCADA gateway, including the number of messages sent and
received, timeouts, and errors.

show scada tcp Displays TCP connections associated with the SCADA gateway.

This example shows the output from the show scada tcp and show scada statistics commands:

router# show scada tcp


DNP3 network channel [test]: 4 max simultaneous connections
conn: local-ip: 3.3.3.21 local-port 20000 remote-ip 3.3.3.15 data-socket
1
Total:
1 current client connections
0 total closed connections
router# show scada statistics
DNP3 network Channel [test]:
5 messages sent, 2 messages received
0 timeouts, 0 aborts, 0 rejections
2 protocol errors, 2 link errors, 0 address errors
DNP3 serial Channel [test]:
152 messages sent, 152 messages received
1 timeouts, 0 aborts, 0 rejections
0 protocol errors, 0 link errors, 0 address errors

Debug Commands
This section lists some debug commands that are helpful when troubleshooting.

Table 14: SCADA Function Level Debug Commands

Command Purpose

debug scada function config Configuration trace

debug scada function control Control trace

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


265
Information About SCADA
Debug Commands

Command Purpose

debug scada function file File trace

debug scada function freeze Freeze trace

debug scada function physical Physical trace

debug scada function poll Poll trace

debug scada function stack Stack trace

debug scada function umode Umode trace

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


266
CHAPTER 26
Raw Socket Transport
This chapter contains the following sections:
• Raw Socket Transport, on page 267
• Information About Raw Socket Transport, on page 267
• Prerequisites, on page 269
• Guidelines and Limitations, on page 270
• Default Settings, on page 270
• Configuring Raw Socket Transport, on page 270
• Verifying Configuration, on page 276
• Configuration Example, on page 276

Raw Socket Transport


Raw Socket Transport transports streams of characters from one serial interface to another over an IP network
for utility applications.
This document describes Raw Socket Transport for the IR1101 and provides a reference section describing
the Raw Socket Transport commands.
This document includes the following sections:

Information About Raw Socket Transport


Raw Socket is a method for transporting serial data through an IP network. The feature can be used to transport
Supervisory Control and Data Acquisition (SCADA) data from Remote Terminal Units (RTUs). This method
is an alternative to the Block Serial Tunnel (BSTUN) protocol.
Raw Socket Transport supports TCP or UDP as the transport protocol. An interface can be configured to use
either protocol but not both at the same time. TCP transport is suitable for applications such as control
applications that require acknowledged and sequenced delivery of data. For latency-sensitive applications
such as line SEL relays, UDP transport provides faster transport of serial data than TCP.
Raw Socket Transport supports the following for the asynchronous serial interface:
• TCP as the transport protocol, with built-in auto TCP connection retry mechanism.
• Up to 32 TCP sessions.
• Interface configuration as a server, client, or a combination of both.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


267
Raw Socket Transport
TCP Transport

• One server interface, but multiple clients.


• VRF-awareness, which enables the router to send Raw Socket Transport traffic to a server host connected
through a Virtual Private Network (VPN) Virtual Routing and Forwarding (VRF) interface.
This section includes the following topics:

TCP Transport
TCP Raw Socket transport uses a client-server model. At most one server and multiple clients can be configured
on a single asynchronous serial line. In client mode, the IR1101 can initiate up to 32 TCP sessions to Raw
Socket servers, which can be other IR1101 routers or third-party devices.
Figure 1 shows a sample Raw Socket TCP configuration. In this example, serial data is transferred between
RTUs and a utility management system across an IP network that includes several IR1101 routers. One IR1101
router (Router 1) acts as a Raw Socket server, listening for TCP connection requests from the other IR1101
routers (Router 2 and Router 3), which are configured as Raw Socket clients.
A Raw Socket client receives streams of serial data from the RTUs and accumulates this data in its buffer,
then places the data into packets, based on user-specified packetization criteria. The Raw Socket client initiates
a TCP connection with the Raw Socket server and sends the packetized data across the IP network to the Raw
Socket server, which retrieves the serial data from the packets and sends it to the serial interface, and on to
the utility management system.

Note When you configure the serial link interface on the router as a server, the interface’s peer is the serial
link interface on the client router and vice versa.

UDP Transport
UDP transport uses a peer-to-peer model. Multiple UDP connections can be configured on an asynchronous
serial line.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


268
Raw Socket Transport
Serial Data Processing

Figure 2 shows a sample Raw Socket UDP configuration. In this example, serial data is transferred between
RTUs and a utility management system across an IP network that includes two routers (Router 1 which is an
IR1101 and Router 2 which is an IR807) that are configured as Raw Socket UDP peers.
In this example, the Raw Socket UDP peer receives streams of serial data from the RTUs and accumulates
this data in its buffer, then places the data into packets, based on user-specified packetization criteria. The
Raw Socket UDP peer sends the packetized data across the IP network to the Raw Socket peer at the other
end, which retrieves the serial data from the packets and sends it to the serial interface, and on to the utility
management system.

Serial Data Processing


When the default serial protocol, Asynchronous Communication Protocol, is used, the streams of serial data
received by a Raw Socket peer can be packetized based on the following criteria:
• Packet length–You can specify a packet length that triggers the IR1101 to transmit the serial data to the
peer. Once the IR1101 collects this much data in its buffer, it packetizes the accumulated data and forwards
it to the Raw Socket peer.
• Packet-timer value–The packet timer specifies the amount of time the IR1101 waits to receive the next
character in a stream. If a character is not received by the time the packet timer expires, the data the
IR1101 has accumulated in its buffer is packetized and forwarded to the Raw Socket peer.
• Special character–You can specify a character that will trigger the IR1101 to packetize the data
accumulated in its buffer and send it to the Raw Socket peer. When the special character (for example,
a CR/LF) is received, the IR1101 packetizes the accumulated data and sends it to the Raw Socket peer.
See the “Configuring Common Raw Socket Line Options” procedure on page 6 for information about
configuring the processing options.

VRF-Aware Raw Socket


The VRF-aware Raw Socket Transport feature enables you to isolate Raw Socket traffic using a VRF for
efficient management and control of serial data. After configuring a VRF, you can associate the serial interface
configured for Raw Socket Transport with the VRF. See the Raw Socket VRF, on page 278 for a configuration
example.

Prerequisites
Determine how you want Raw Socket traffic transported in your network, including the network devices and
interfaces to use, how the router packetizes the serial data, and whether to use VRF.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


269
Raw Socket Transport
Guidelines and Limitations

Guidelines and Limitations


Typically, UDP traffic is blocked by firewalls in the network. If the network has such firewalls, make sure to
configure pinholes to allow the raw socket UDP traffic.

Default Settings
Feature Default Setting

Raw Socket Transport Disabled.

Packet length No packet length is configured.

Serial Protocol Asynchronous Communication Protocol

Packet timeout 15 ms.

Special character No special character is configured.

Raw Socket mode Best-effort mode is off, not supported on the IR1101.

TCP idle timeout 5 minutes.

Configuring Raw Socket Transport


This section includes the following topics:

Enabling Raw Socket Transport on the Serial Interface


To enable Raw Socket Transport on the IR1101 router, you must first enable an asynchronous serial port and
enable Raw Socket TCP or UDP encapsulation for that port.

Before you begin


Determine availability of the serial port on the IR1101.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.

Step 2 interface async0/slot /port Enters the interface command mode for the async slot/port.

Step 3 no ip address Disables IP processing on the interface.

Step 4 Do one of the following: Enables Raw Socket TCP encapsulation or UDP
encapsulation for the serial port.
• encapsulation raw-tcp

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


270
Raw Socket Transport
EXAMPLE

Command or Action Purpose



• encapsulation raw-udp

EXAMPLE
This example shows how to enable serial port 0/2/0 and how to enable Raw Socket TCP encapsulation on
that port.

router# configure terminal


router(config)# interface async0/2/0
router(config-if)# no ip address
router(config-if)# encapsulation raw-tcp
router(config-if)# exit

Configuring Common Raw Socket Line Options


You can configure options common to all connections on a line. The common options apply to both TCP and
UDP.

Before you begin


Enable Raw Socket Transport as described in Enabling Raw Socket Transport on the Serial Interface, on page
270.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters global configuration mode.

Step 2 line 0/slot /port Enters line command mode for the serial slot/port.

Step 3 raw-socket packet-length length Specifies the packet size that triggers the IR1101 to transmit
the data to the peer. When the IR1101 accumulates this
much data in its buffer, it packetizes the data and forwards
it to the Raw Socket peer.
length— 2 to 1400 bytes.
By default, the packet-length trigger is disabled.

Step 4 raw-socket packet-timer timeout Specifies the maximum time in milliseconds the IR1101
waits to receive the next character in a stream. If a character
is not received by the time the packet-timer expires, the
accumulated data is packetized and forwarded to the Raw
Socket peer.
timeout —3 to 1000 ms.
The default is 15 ms.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


271
Raw Socket Transport
EXAMPLE

Command or Action Purpose


Step 5 raw-socket spec-char ascii_char Specifies a character that will trigger the IR1101 to
packetize the data accumulated in its buffer and send it to
the Raw Socket peer.
ascii_char— 0 to 255.
By default, the special character trigger is disabled.

What to do next
Use the no form of these commands to return to the default values.

EXAMPLE
router# configure terminal
router(config)# line 0/2/0
router(config-line)# raw-socket packet-length 32
router(config-line)# raw-socket packet-timer 500
router(config-line)# raw-socket special-char 3

Configuring Raw Socket TCP


After enabling Raw Socket TCP encapsulation, you configure the TCP server and/or clients.

Configuring the Raw Socket TCP Server

Before you begin


Enable a serial port and Raw Socket TCP encapsulation for that port, as described in Enabling Raw Socket
Transport on the Serial Interface, on page 270.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters configuration mode.

Step 2 line 0/slot /port Enters line command mode for the serial slot/port.

Step 3 raw-socket tcp server port [ip_address ] Starts the Raw Socket Transport TCP server for an
asynchronous line interface. In Raw Socket server mode,
the IR1101 listens for incoming connection requests from
Raw Socket clients.
port –Port number the server listens on.
ip_address –(Optional) Local IP address on which the server
listens for connection requests.

Step 4 raw-socket tcp idle-timeout session_timeout Sets the Raw Socket Transport TCP session timeout for the
asynchronous line interface. If no data is transferred between
the client and server over this interval, then the TCP session

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


272
Raw Socket Transport
EXAMPLE

Command or Action Purpose


closes. The client then automatically attempts to reestablish
the TCP session with the server.
This timeout setting applies to all Raw Socket Transport
TCP sessions under this particular line.
session_timeout –Currently configured session idle timeout
in minutes. The default is 5 minutes.

What to do next
To remove a Raw Socket TCP server, use the no raw-socket tcp server command.

EXAMPLE
This example shows how to configure a Raw Socket TCP server for an asynchronous serial line. The TCP
server listens for TCP client connection requests on local port 4000 and local IP address 10.0.0.1. If no data
is exchanged between the Raw Socket TCP server and one of the TCP clients for 10 minutes, then the TCP
session closes, and the Raw Socket client attempts to reestablish the session with the Raw Socket server.

router# configure terminal

router(config)# line 0/2/0


router(config-line)# raw-socket tcp server 4000 10.0.0.1
router(config-line)# raw-socket tcp idle-timeout 10
router(config-line)# exit
router(config)#

Configuring the Raw Socket TCP Client

Before you begin


Enable a serial port and Raw Socket TCP encapsulation for that port, as described in Enabling Raw Socket
Transport on the Serial Interface, on page 270.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters configuration mode.

Step 2 line 0/slot /port Enters line command mode for the serial slot/port.

Step 3 raw-socket tcp client dest_ip_address dest_port Specifies settings for Raw Socket Transport TCP client
[local_ip_address ] [local_port ] sessions.
dest_ip_address –Destination IP address of the remote Raw
Socket server.
dest_port –Destination port number to use for the TCP
connection to the remote server.
local_ip_address –(Optional) Local IP address that the
client can also bind to.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


273
Raw Socket Transport
EXAMPLE

Command or Action Purpose


local_port –(Optional) Local port number that the client
can also bind to.

Step 4 raw-socket tcp idle-timeout session_timeout Sets the Raw Socket Transport TCP session timeout for the
asynchronous line interface. If no data is transferred between
the client and server over this interval, then the TCP session
is closed. The client then automatically attempts to
reestablish the TCP session with the server.
This timeout setting applies to all Raw Socket Transport
TCP sessions under this particular line.
session_timeout –Currently configured session idle timeout
in minutes. The default is 5 minutes.

Step 5 raw-socket tcp keepalive interval Sets the Raw Socket Transport TCP session keepalive
interval for the asynchronous line interface. The router sends
keepalive messages based on the configured interval. You
may need to configure this interval, for example, when
sending raw TCP traffic over a cellular interface.
interval –Currently configured keepalive interval in seconds.
Range is 1-864000 seconds. The default is 1 second.

What to do next
To remove a Raw Socket TCP client, use the no raw-socket tcp client command.

EXAMPLE
This example shows how to configure a Raw Socket TCP client for an asynchronous serial line. The IR1101
(router), serving as a Raw Socket client, initiates TCP sessions with a Raw Socket server and forwards
packetized serial data to it. The router collects streams of serial data in its buffer; when it accumulates 827
bytes in its buffer, the router packetizes the data and forwards it to the Raw Socket server. If the router and
the Raw Socket server do not exchange any data for 10 minutes, then the TCP session with the Raw Socket
server closes, and the router attempts to reestablish the session with the Raw Socket server.

router# configure terminal

router(config)# line 0/2/0


router(config-line)# raw-socket tcp client 10.0.0.1 4000
router(config-line)# raw-socket packet-length 827
router(config-line)# raw-socket tcp idle-timeout 10
router(config-line)# exit
router(config)#

Configuring a Raw Socket UDP Peer-to-Peer Connection


After enabling Raw Socket UDP encapsulation and the common line options, you configure the Raw Socket
UDP peer-to-peer connection. The local port on one end of the connection should be the destination port on
the other end.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


274
Raw Socket Transport
EXAMPLE

Before you begin


Enable a serial port and Raw Socket UDP encapsulation for that port, as described in Enabling Raw Socket
Transport on the Serial Interface, on page 270.

Procedure

Command or Action Purpose


Step 1 configure terminal Enters configuration mode.

Step 2 line 0/slot /port Enters line command mode for the serial slot/port.

Step 3 raw-socket udp connection dest_ip_address dest_port Specifies settings for Raw Socket Transport UDP
local_port [local_ip_address ] connections.
dest_ip_address –Destination IP address to use for the UDP
connection.
dest_port –Destination port number to use for the UDP
connection.
local_port –Local port number for the UDP connection.
local_ip_address –(Optional) Local IP address for the UDP
connection.

What to do next
To remove a Raw Socket UDP connection, use the no raw-socket udp connection command.

EXAMPLE
This example shows how to configure a Raw Socket UDP connection between router A (local IP address
192.168.0.8) and router B (local IP address 192.168.0.2).

Router A

router# configure terminal


router(config)# line 0/2/0
router(config-line)# raw-socket udp connection 192.168.0.2 5000 7000
router(config-line)# exit
router(config)#

Router B

router# configure terminal


router(config)# line 0/2/0
router(config-line)# raw-socket udp connection 192.168.0.8 7000 5000
router(config-line)# exit
router(config)#

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


275
Raw Socket Transport
Verifying Configuration

Verifying Configuration
Command Purpose

show running-config Shows the configuration of the IR1101, including those features that are
active and their settings.

show raw-socket tcp detail Displays information about Raw Socket Transport TCP activity.

show raw-socket tcp sessions Displays information about Raw Socket Transport TCP sessions.

show raw-socket tcp statistics Displays Raw Socket Transport TCP statistics for each asynchronous serial
line.

show raw-socket udp detail Displays information about Raw Socket Transport UDP activity.

show raw-socket udp sessions Displays information about Raw Socket Transport UDP sessions.

show raw-socket udp statistics Displays Raw Socket Transport UDP statistics for each asynchronous serial
line.

clear raw-socket statistics Clears Raw Socket Transport statistics for a specific TTY interface or for
all asynchronous serial lines.

Configuration Example
The following sections include Raw Socket Transport configuration examples:

Raw Socket TCP


The following example shows a Raw Socket Transport configuration in which an IR1101 router (Router 1)
acts as the server, and another IR809 (Router 2) acts as the client.

The following table displays the configuration of the server and client IR1101s highlighted in Figure 3 :

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


276
Raw Socket Transport
Raw Socket UDP

IR1101 Server Configuration IR807 Client Configuration

... ...
interface async0/2/0 interface async0
no ip address no ip address
encapsulation raw-tcp encapsulation raw-tcp
! !
... interface async1
line 0/2/0 no ip address
raw-socket tcp server 5000 10.0.0.1 encapsulation raw-tcp
!
raw-socket packet-timer 3 ...
raw-socket tcp idle-timeout 5 line 1
... raw-socket tcp client 10.0.0.1 5000 10.0.0.2 9000

raw-socket packet-length 32
raw-socket tcp idle-timeout 5
line 2
raw-socket tcp client 10.0.0.1 5000 10.0.0.2 9001

raw-socket packet-length 32
raw-socket tcp idle-timeout 5

Raw Socket UDP


This example shows the configuration for a Raw Socket UDP connection between two IR1101 routers:

From Router1

interface GigabitEthernet0/1
ip address 192.168.0.8 255.255.255.0
duplex auto
speed auto
interface async0/2/0
no ip address
encapsulation raw-udp
line 0/2/0
raw-socket udp connection 192.168.0.2 2 2

From Router2

interface GigabitEthernet0/1
ip address 192.168.0.2 255.255.255.0
load-interval 60
duplex auto
speed auto
no keepalive
interface async0/2/0
no ip address
encapsulation raw-udp
line 0/2/0
raw-socket udp connection 192.168.0.8 2 2

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


277
Raw Socket Transport
Raw Socket VRF

Raw Socket VRF


The following example shows a Raw Socket VRF configuration in which two routers, configured for Raw
Socket Transport, connect through a VRF. Router1 is an IR1101, serves as the Raw Socket TCP server, and
Router2 is an IR807 serves as the Raw Socket TCP client.

Following are the configurations of Router1 and Router2 as shown in Figure 4 :

Router1 Configuration
Defining VRF on the router:

vrf definition router1


rd 100:1
route-target export 100:3
route-target import 100:3
!
address-family ipv4
exit-address-family

Applying VRF configuration on the interface:

interface GigabitEthernet0/0
vrf forwarding router1
ip address 100.100.100.2 255.255.255.0
duplex auto
speed auto

Applying raw-tcp on the serial interface:

interface async0/2/0
vrf forwarding router1
no ip address
encapsulation raw-tcp

Applying raw-tcp on the line:

line 0/2/0
raw-socket tcp server 5000 4.4.4.4

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


278
Raw Socket Transport
Raw Socket VRF

Router2 Configuration
Defining VRF on the router:

vrf definition router1


rd 100:1
route-target export 100:3
route-target import 100:3
!
address-family ipv4
exit-address-family

Applying VRF configuration on the interface:

interface GigabitEthernet0/0
vrf forwarding router1
ip address 100.100.100.1 255.255.255.0
duplex auto
speed auto

Applying raw-tcp on the serial interface:

interface async0
vrf forwarding router1
no ip address
encapsulation raw-tcp

Applying raw-tcp on line:

line 1
raw-socket tcp client 4.4.4.4 5000

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


279
Raw Socket Transport
Raw Socket VRF

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


280
CHAPTER 27
IRM-1101 Expansion Module
This section contains the following topics:
• IRM-1100 Expansion Module Overview, on page 281
• mSATA Overview, on page 283
• Digital IO, on page 285
• New Cellular Pluggable Modules, on page 288
• SFP Support, on page 289

IRM-1100 Expansion Module Overview


The IR1101 Router has an Expansion Module that adds key capabilities such as dual LTE Pluggables, mSATA
SSD FRU, SFP, and Digital GPIO connections.
The Expansion Module comes in two types:
• IRM-1100-SPMI
• IRM-1100-SP

Warning It is important to note that just like the Base IR1101, Online Insertion and Removal (OIR) is not supported
on The Expansion Module. If the 4G module (or mSATA) is inserted or pulled out while the device is
powered up, it may damage the module.

The following figure shows the front panel of the IRM-1100-SPMI and highlights some of its capabilities:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


281
IRM-1101 Expansion Module
IRM-1100 Expansion Module Overview

Figure 91: IRM-1100-SPMI Expansion Module Details

Item Description

1 4 GPIO + 1 Return (Digital I/O)


Note Functionality is available on Cisco IOS-XE release 16.12.1 and above.

2 SFP Connector

3 Pluggable Module

4 mSATA SSD Slot

5 Digital I/O LEDs

The supported hardware interfaces and their naming conventions are in the following table:

Hardware Interface Naming Convention

Gigabit Ethernet SFP port on Expansion Module gigabitethernet 0/0/5

Cellular Interface on Expansion Module cellular 0/3/0 and 0/3/1

GPIO on Expansion Module alarm contact 1-4

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


282
IRM-1101 Expansion Module
mSATA Overview

mSATA Overview
IOx/Guest-OS legacy systems on which end users can host applications, typically came with a disk storage
of 4GB to store user data. Functionality has been added allowing for a Cisco supported Pluggable mSATA
SSD PID to add 50 GB of available storage. Support for a 100 GB mSATA SSD has the following limitations:
• There is no support for theshow inventory command.
• Supports 55GB (IOx allocation for applications and packages alike), 32B (IOS allocation for storage can
be viewed in ‘dir msata’ on IOS).

Warning It is important to note that Online Insertion and Removal (OIR) is not supported. If the mSATA SSD
is inserted or pulled out while the device is powered up, it may damage the module.

Note As with any IoT platform, for IOx, use the Fog Director, Local Manager, or app-hosting CLI's to install
applications and access the new mSATA disk storage provided.

50 GB mSATA Partitioning
IOS-XE divides the mSATA SSD into 2 partitions. One for IOS-XE and the other for IOx. The percentage
of usage is:
• IOS: 33.33 %
• IOx: 66.66 %

Using these percentages, the space allocation breaks down as follows:


50GB mSATA:
• IOS: 16.51 GB
• IOx: 31.43 GB

Using the mSATA SSD


Functionality-wise, there are no configuration and troubleshooting differences to the end-user in IOS or IOx,
with or without mSATA. The system simply recognizes the additional storage. There are some CLI commands
that will show information that pertains to the mSATA storage. Examples are show inventory, and show
platform msata.
Router#show inventory
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
INFO: Please use "show license UDI" to get serial number for licensing.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Router#show platform hardware msata lifetime


SSD Lifetime Remaining: 99% -> 99% of the net disk read/write lifetime is remaining

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


283
IRM-1101 Expansion Module
Displaying the Wear Leveling Data for the mSATA SSD

Router#show platform hardware msata status


SSD is present
Router#show platform hardware msata
SSD Lifetime remaining(%): 99

Display the mSATA Partitioning:


Display mSATA partition 1 in IOS-XE:
Router#dir msata:
Directory of msata:/
11 drwx 16384 Jun 4 2019 17:59:45 +00:00 lost+found
33820622848 bytes total (32052379648 bytes free)

Copy contents to and from mSATA partition:


Router#copy bootflash: msata:
Source filename []? ir1101-uefi-rommon.SSA
Destination filename [ir1101-uefi-rommon.SSA]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
2097152 bytes copied in 0.164 secs (12787512 bytes/sec)

Display disk space allocated by mSATA to IOx:


Router#show app-hosting resource
CPU:
Quota: 1000(Units)
Available: 1000(Units)
Memory:
Quota: 862(MB)
Available: 862(MB)
Storage space:
Total: 58313(MB)
Available: 58313(MB)

Displaying the Wear Leveling Data for the mSATA SSD


IOx Local Manager/ Fog Director can now display the wear leveling data for the mSATA SSD on the IR1101.
In the IOx Local Manager, it is observed by selecting System > Storage.
From the IOS command line, you can monitor the lifetime using the show platform hardware msata
command.

Router#show platform hardware msata lifetime


SSD Lifetime remaining(%): 98

After a router reload, it will take a few minutes (approximately 5) before this data will be populated again.
When the SSD lifetime reduces to 15% and 5% of the lifetime limit, errors start getting reported in syslog.
For example:

*Jan 30 19:03:00.257: %IOX-4-IOX_SSD_LIFETIME_WARN: SSD Lifetime remaining in module:15


*Jan 30 19:02:30.157: %IOX-2-IOX_SSD_LIFETIME_CRITICAL: SSD Lifetime remaining in module:5

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


284
IRM-1101 Expansion Module
MIB support for mSATA Wear Ratio and Usage

MIB support for mSATA Wear Ratio and Usage


mSATA functionality was added to the router to add extra storage for IOx apps.. The following table shows
the router with the OID:

Table 15: mSATA OIDs

SKU OID

IR1100-SSD-100G 1.3.6.1.4.1.9.12.3.1.9.96.176

As part of this enhancement, SNMP support has been added for the following mSATA parameters on the
router:
• lifetime remaining (wear leveling)
• memory usage for the mSATA SSD
The show platform hardware msata command gives information about this MIB.
Related documentation:
https://www.cisco.com/c/en/us/support/cloud-systems-management/iox/tsd-products-support-series-home.html
https://developer.cisco.com/docs/iox/

Example: Actual OID and output of SNMP get/walk on OID


<OID> = STRING: "Lifetime Remaining: 99%, Usage: 30%"

Feature Details
The following conditions must be met before performing SNMP requests on the Router:
• An active mSATA module must be configured in the router.
• The Integrator must have incorporated the supported pluggable mSATA into their design.
• Verify this using the show platform hardware msata CLI.

Feature Assumptions
• After a router reload it will take approximately 5 minutes before mSATA data will be populated again.
Only SNMP get is allowed on the OID and is marked as read-only. Setting its value will not be allowed.
• Configurations to enable SNMP on the router are necessary for fetching MIB value.

Digital IO
The IR1101 has two different Expansion Modules, the IRM-1100-SP and IRM-1100-SPMI. The
IRM-1100-SPMI comes with a Digital I/O connector which has 4 GPIO connections plus 1 Return connection.
Both Dry and Wet contacts up to 60Volts.
• Dry contact is isolated from a voltage source (or “No Volt”), with an embedded relay function (NPN
transistor), usually used to indicate an event. For example: open/close, alarm.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


285
IRM-1101 Expansion Module
Configuration Commands

• Wet contact is a contact with external power (+3.3V to +60V, max 150mA of current allowed at high
voltage) applied, usually used to energize something. For example: solenoid, light.
Digital IO is similar to the ALARM IN and ALARM OUT supported on the IR800 series routers. The
differences are that on the IR800 series, ALARM IN is a dedicated input, the ALARM OUT is a dedicated
output. With Digital IO, it can be input or output. ALARM OUT includes a relay to provide the Normally
Open (NO) or Normally Close (NC) terminals. Digital IO does not include a relay.
There are no traps for alarms on the GPIO.
More information on the Digital IO hardware capabilities can be found in the Cisco Catalyst IR1101 Rugged
Series Router Hardware Installation Guide .

Configuration Commands
You can set the alarm severity to critical, major, minor, or none. The severity is included in the alarm message
when the alarm is triggered.
To configure and show alarms on the IR1101, use the Command Line Interface (CLI).

Command Purpose

configure terminal Enters global configuration mode.

alarm contact Enables the alarm contact number. o The contact-number value is from
contact-numberenable 0 to 4. <0-4> Alarm contact number (0: Alarm port, 1-4: Digital I/O).
Alarm contact 0 is located in the base unit (pins 3 and 4) and always in
Output Mode. Additional configurations for Alarm 0 include severity ,
threshold and trigger .
Alarm contact 1-4 (pins 1-4) are located in the IRM-1100 Expansion
Module and can be in Input or Output Mode. Pin 5 is for ground.
Additional configurations for Alarms 1-4 include application , output ,
severity , threshold and trigger .

alarm contact {contact-number • Enter a contact number (0-4) that you are configuring.
{application {dry | wet} | • The description string is up to 80 alphanumeric characters in length
description | enable | {output {1 and is included in any generated system messages.
for High | 0 for Low} | severity • For application, select dry (default) or wet. Only applicable for
{critical | major | minor | none} | Digital I/O ports 1-4.
threshold {1600-2700} | trigger • enable is for enabling the alarm port. A no alarm contact
{closed | open}} contact-number x will disable the alarm port.
• The output is either 1 for High or 0 for Low. Only application for
Digital I/O ports 1-4.
• For severity, enter critical , major , minor or none . If you do not
configure a severity, the default is minor.
• For threshold, select a value between 1600-2700. The default value
is 1600 mv.
• For trigger, enter open or closed . If you do not configure a trigger,
the alarm is triggered when the circuit is closed.

end Returns to privileged EXEC mode.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


286
IRM-1101 Expansion Module
Configuration Examples

Command Purpose

show alarm Shows the configured alarm contacts.

copy running-config (Optional) Saves your entries in the configuration file.


startup-config

Verify alarm contacts using the CLI:


Router(config)#alarm contact ?
<0-4> Alarm contact number (0: Alarm port, 1-4: Digital I/O)

Configuration Examples
Configure an alarm.

ir1101#conf term
Enter configuration commands, one per line. End with CNTL/Z.
ir1101(config)#alarm contact 1 description

Your Descriptive Text Here


ir1101(config)#alarm contact 1 severity critical

ir1101(config)#alarm contact 1 trigger closed

ir1101#

To show the alarm status:

ir1101#show alarm
Alarm contact 0:
Enabled: Yes
Status: Not Asserted
Application: Dry
Description: test
Severity: Critical
Trigger: Open
Threshold: 2000

Example of an alarm being generated:

ir1101# !
*Nov 27 14:54:52.573: %IR1101_ALARM_CONTACT-0-EXTERNAL_ALARM_CONTACT_ASSERT: External alarm
asserted, Severity: Critical

To show the alarm status during an event:

ir1101#show alarm
ALARM CONTACT
Enabled: Yes
Status: Asserted
Application: Dry
Description: test
Severity: Critical
Trigger: Open

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


287
IRM-1101 Expansion Module
New Cellular Pluggable Modules

Threshold: 2000
Digital I/O 1:
Enabled: No
Status: Not Asserted
Application: Dry
Description: External digital I/O port 1
Severity: Minor
Trigger: Closed
Threshold: 1600
Digital I/O 2:
Enabled: No
Status: Not Asserted
Application: Dry
Description: External digital I/O port 2
Severity: Minor
Trigger: Closed
Threshold: 1600
Digital I/O 3:
Enabled: No
Status: Not Asserted
Application: Dry
Description: External digital I/O port 3
Severity: Minor
Trigger: Closed
Threshold: 1600
Digital I/O 4:
Enabled: Yes
Status: Not Asserted
Description: External digital I/O port 4
Mode: Output
Router#

Example of an alarm being cleared:

ir1101# !
*Nov 27 14:55:02.573: %IR1101_ALARM_CONTACT-0-EXTERNAL_ALARM_CONTACT_CLEAR: External alarm
cleared
ir1101#

New Cellular Pluggable Modules


Release 16.12.1 supports new pluggable modules/modems. The IR1101 with an Expansion Module supports
DUAL LTE (Active/Active), DUAL SIM and DUAL Radio.
• Dual LTE (active/active or active/backup) is supported on the IR1101 equipped with an expansion module
and two LTE pluggable interfaces. One on the base unit, the other on the expansion module.
• With DUAL SIM, the two SIMs operate in active/backup mode on the single LTE pluggable module.
With DUAL Radio the two LTE pluggable modules operate in active/active mode with each of the two
SIMs assigned to a specific cellular radio on the DUAL Radio.
See the following table for details on the new SKUs.

SKU ID Modem Description Technology Supported


Used

P-LTE-VZ WP7601-G U.S. (Verizon) Single LTE CAT4: B4, B13


Micro SIM

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


288
IRM-1101 Expansion Module
SFP Support

SKU ID Modem Description Technology Supported


Used

P-LTE-US WP7603-G North America (AT&T) LTE CAT4:B2,B4,B5,B12HSPA+,UMTS: B2,B4,B5


Dual Micro SIM
P-LTE-GB WP7607-G Europe Dual Micro SIM LTE CAT4: B3, B5, B8, B20, B28
HSPA+: B1, B5, B8
EDGE: 900/1800

P-LTEA-LA EM7430 APAC LTE Bands: B1, B3, B5, B7, B8, B18, B19, B21, B28,
B38, B39, B40, B41.
Non-LTE Bands:
B87 - WCDMA (Europe, Japan, and China) 2100 band
B91 - WCDMA US 850 band
B92 - WCDMA Japan 800 band
B114 - WCDMA Europe and Japan 900 band
B115 - WCDMA Japan 1700 band
B125 - WCDMA Japan 850 band

P-LTEA-EA EM7455 USA, Canada, Europe, LTE bands: Bands B2, B4, B5, B13
Latin America
Non-LTE bands:
B87 - WCDMA (Europe, Japan, and China) 2100 band
B88 - WCDMA US PCS 1900 band
B89 - WCDMA (Europe and China) DCS 1800 band
B90 - WCDMA US 1700 band
B91 - WCDMA US 850 band
B114 - WCDMA Europe and Japan 900 band

SFP Support
The SFP interface on the Expansion Module operates differently than on the Base unit. The SFP interface on
the IR1101 base module is part of the combo port (SFP/RJ45) for GigabitEthernet0/0/0. It may be configured
as Layer-3 (default) or Layer-2 interface.
The SFP interface on the Expansion Module is only an SFP interface. It is named GigabitEthernet0/0/5, and
is a Layer-2 interface. For Layer-3 feature set, it must be assigned to a VLAN interface.
Details about the SFP Interface can be displayed using the show interfaces transceiver detail CLI, for
example:
Router#show interfaces transceiver detail
IDPROM for transceiver Gigabitethernet0/0/0:
Description = SFP or SFP+ optics (type 3)

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


289
IRM-1101 Expansion Module
SFP Support

Transceiver Type: = GE T (26)


Product Identifier (PID) = ABCU-5710RZ-CS4
Vendor Revision =
Serial Number (SN) = AGM151124J4
Vendor Name = CISCO-AVAGO
Vendor OUI (IEEE company ID) = 00.17.6A (5994)
CLEI code =
Cisco part number =
Device State = Enabled.
Date code (yy/mm/dd) = 11/03/21
Connector type = Unknown.
Encoding = 8B10B (1)
Nominal bitrate = GE (1300 Mbits/s)
Minimum bit rate as % of nominal bit rate = not specified
Maximum bit rate as % of nominal bit rate = not specified

Socket Verification

SFP IDPROM Page 0xA0:


000: 03 04 00 08 00 00 00 00 00 00
010: 00 01 0D 00 00 00 00 00 64 00
020: 43 49 53 43 4F 2D 41 56 41 47
030: 4F 20 20 20 20 20 01 00 17 6A
040: 41 42 43 55 2D 35 37 31 30 52
050: 5A 2D 43 53 34 20 20 20 20 20
060: 41 0C C1 15 00 10 00 00 41 47
070: 4D 31 35 31 31 32 34 4A 34 20
080: 20 20 20 20 31 31 30 33 32 31
090: 20 20 00 00 00 99 00 00 06 17
100: C5 44 22 B7 DE 02 63 0F 59 73
110: 64 EC A5 37 19 00 00 00 00 00
120: 00 00 00 00 0F 2C 6D 22 FF FF
130: FF FF FF FF FF FF FF FF FF FF
140: FF FF FF FF FF FF FF FF FF FF
150: FF FF FF FF FF FF FF FF FF FF
160: FF FF FF FF FF FF FF FF FF FF
170: FF FF FF FF FF FF FF FF FF FF
180: FF FF FF FF FF FF FF FF FF FF
190: FF FF FF FF FF FF FF FF FF FF
200: FF FF FF FF FF FF FF FF FF FF
210: FF FF FF FF FF FF FF FF FF FF
220: FF FF FF FF

SFP IDPROM Page 0xA2:


000: 00 00 00 00 00 00 00 00 00 00
010: 00 00 00 00 00 00 00 00 00 00
020: 00 00 00 00 00 00 00 00 00 00
030: 00 00 00 00 00 00 00 00 00 00
040: 00 00 00 00 00 00 00 00 00 00
050: 00 00 00 00 00 00 00 00 00 00
060: 00 00 00 00 00 00 00 00 00 00
070: 00 00 00 00 00 00 00 00 00 00
080: 00 00 00 00 00 00 00 00 00 00
090: 00 00 00 00 00 00 00 00 00 00
100: 00 00 00 00 00 00 00 00 00 00
110: 00 00 00 00 00 00 00 00 00 00
120: 00 00 00 00 00 00 00 00 00 00
130: 00 00 00 00 00 00 00 00 00 00
140: 00 00 00 00 00 00 00 00 00 00
150: 00 00 00 00 00 00 00 00 00 00
160: 00 00 00 00 00 00 00 00 00 00
170: 00 00 00 00 00 00 00 00 00 00
180: 00 00 00 00 00 00 00 00 00 00
190: 00 00 00 00 00 00 00 00 00 00

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


290
IRM-1101 Expansion Module
SFP Support

200: 00 00 00 00 00 00 00 00 00 00
210: 00 00 00 00 00 00 00 00 00 00
220: 00 00 00 00 00 00 00 00 00 00
230: 00 00 00 00 00 00 00 00 00 00
240: 00 00 00 00 00 00 00 00 00 00
250: 00 00 00 00 00 00
Link reach for 9u fiber (km) = SX(550/270m) (0)
1xFC-MM(500/300m) (0)
2xFC-MM(300/150m) (0)
ESCON-MM(2km) (0)
Link reach for 9u fiber (m) = SX(550/270m) (0)
1xFC-MM(500/300m) (0)
2xFC-MM(300/150m) (0)
ESCON-MM(2km) (0)
Link reach for 50u fiber (m) = SR(2km) (0)
IR-1(15km) (0)
IR-2(40km) (0)
LR-1(40km) (0)
LR-2(80km) (0)
LR-3(80km) (0)
DX(40KM) (0)
HX(40km) (0)
ZX(80km) (0)
VX(100km) (0)
1xFC, 2xFC-SM(10km) (0)
ESCON-SM(20km) (0)
Link reach for 62.5u fiber (m) = SR(2km) (0)
IR-1(15km) (0)
IR-2(40km) (0)
LR-1(40km) (0)
LR-2(80km) (0)
LR-3(80km) (0)
DX(40KM) (0)
HX(40km) (0)
ZX(80km) (0)
VX(100km) (0)
1xFC, 2xFC-SM(10km) (0)
ESCON-SM(20km) (0)
Nominal laser wavelength = 16652 nm.
DWDM wavelength fraction = 16652.193 nm.
Supported options = Tx disable

Assigning L3 SVI with IP address to Extended Module GE 0/0/5 SFP interface:


IR1101#config t
IR1101(config)#interface g0/0/5
IR1101(config-if)#switchport access vlan 2
IR1101(config-if)#no shut
IR1101(config-if)#interface vlan2
IR1101(config-if)#ip address 192.168.1.2 255.255.255.0
IR1101(config-if)#no shut

You can find all of the supported SFP Interfaces in the Cisco Catalyst IR1101 Rugged Series Router Hardware
Installation Guide

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


291
IRM-1101 Expansion Module
SFP Support

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


292
CHAPTER 28
IRM-1100-4A2T Expansion Module
This chapter contains the following sections:
• IRM-1100-4A2T Overview, on page 293
• Guidelines and Limitations, on page 295
• Deployment Scenarios, on page 296
• Inventory Details based on Deployment, on page 299
• Gigabit Ethernet Switch Ports, on page 300
• LEDs, on page 300
• Async Ports, on page 302
• GPIO Configuration Pins, on page 304
• Configuration Examples for Additional Async Interfaces, on page 306
• Scada Protocol Translations, on page 307
• Serial Relay, on page 309
• Using the WebUI to Configure Async Ports, on page 310

IRM-1100-4A2T Overview
The IRM-1100-4A2T is an expansion module that can be attached to the IR1101. It offers an additional four
asynchronous serial ports and two Ethernet interfaces to the IR1101. The following graphic shows the
IRM-1100-4A2T.

The IRM-1100-4A2T Ethernet interfaces are Layer 2 RJ45 10/100/1000 Mbps ports.
The IRM-1100-4A2T serial ports are RJ45 combo ports (RS232/RS485/RS422).
The IR1101 has two sides that expansion modules mount to. The top is called the Expansion side, and the
bottom is called the Compute side. If the additional module is connected to the top, then it is referenced as

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


293
IRM-1100-4A2T Expansion Module
IRM-1100-4A2T Overview

the Expansion Module (EM) side. If the additional module is connected on the bottom, then it is referenced
as the Compute Module (CM) side. Functionality differs depending on which side the expansion module is
attached to, and how many and type of expansion modules are in use.

Note Additional information can be found in the Cisco Catalyst IR1101 Rugged Series Router Software
Configuration Guide

The IRM-1100-4A2T can be managed from the following tools:


• Cisco DNA Center
• WebUI

Router Switch Path


The switch path that is detected on the platform, is based on the type of additional module connected on the
Expansion module (EM) side. Refer to the following table:

Additional Module Switch Path

No Module Connected IR1101-ES-5

IRM-1100-SPMI IR1101-ES-6S

IRM-IR1100-4A2T IR1101-ES-7G

Note When an IRM-IR1100-4A2T is connected on both sides of the IR1101-K9, there is a maximum of nine
Async interfaces which can be enumerated. The switch path for the IR1101-K9 will be IR1101-ES-7G.

Serial Port Pinouts and Characteristics


The serial ports are intended as a DCE port, capable of both RS232 and RS485. RS485 can support full or
half duplex.
The RJ45 pinouts are shown in the following figure and table:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


294
IRM-1100-4A2T Expansion Module
Guidelines and Limitations

Figure 92: Pinouts

Table 16: Serial Port Characteristics

RS232 RS485 Full Duplex RS485 Half Duplex


Pin # Signal Description Abbr. S0 (DTE) S1 (DCE) Signal DIR Signal DIR

1 DCE ready. DSR/RI Input Output TX- Output TXR


/ X+ <->
Used as DSR in Cisco IOS.

2 Received Line Signal Detector DCD Input Output TX+ Output TX/RX- <->

3 DTE Ready DTR Output Input RX- Input — —

4 Signal Ground COM — — COM — COM —

5 Received Data RxD Input Output — — — —

6 Transmitted Data TxD Output Input RX+ Input — —

7 Clear To Send CTS Input Output — — — —

8 Request To Send RTS Output Input — — — —

Guidelines and Limitations


The IRM-1100-4A2T has the following guidelines and limitations:
• Available with IOS-XE release 17.7.1
• Supports four deployment scenarios
• No support for OIR
• Ethernet ports are L2 switchport only
• Switchports will not work if anything is connected to the Compute module (bottom) side

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


295
IRM-1100-4A2T Expansion Module
Deployment Scenarios

Both the IRM-1100-SPMI Expansion Module and the IRM-1100-4A2T Expansion Module have the following
guidelines and limitations:
• The CAT18 LTE module is not supported on the Compute module (bottom) side
• MSATA and GPIO pins are not supported when attached to the Compute Module side.
• The IR1101 can only support a maximum of two LTE interfaces. This means connecting an Expansion
Module with LTE interfaces on both the EM and CM side is not supported. If connected, only the EM
side will be active.

Deployment Scenarios
The IRM-1100-4A2T supports four different deployment scenarios. This section discusses the differences in
functionality between the four.
Interface numbering are enumerated based on the deployment of the IRM-1100-4A2T module.

Scenario One
In this scenario, the IRM-1100-4A2T is mounted on the Expansion side, or the top. See the following figure:

In this configuration, you get full functionality out of the Serial and Ethernet ports.
There is support for 4 additional Async interfaces, and 2 Gigabit ethernet interfaces.
Interface numbering in this scenario is as follows:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


296
IRM-1100-4A2T Expansion Module
Scenario Two

• async 0/3/0 (corresponding line is: line 0/3/0) [Serial]


• async 0/3/1 (corresponding line is: line 0/3/1) [Serial]
• async 0/3/2 (corresponding line is: line 0/3/2) [Serial]
• async 0/3/3 (corresponding line is: line 0/3/3) [Serial]
• gigabitetherenet 0/0/5 [Layer 2]
• gigabitetherenet 0/0/6 [Layer 2]

Scenario Two
In this scenario, the IRM-1100-4A2T is mounted on the Compute side, or the bottom. In addition, the solution
also has the IRM-1100-SPMI expansion module mounted on the Expansion side, or the top. See the following
figure:

In this configuration, the ethernet ports on the IRM-1100-4A2T will not function. The serial ports have full
functionality.
There is support for 4 Async interfaces and no support for additional layer 2 interfaces.
Interface numbering in this scenario is as follows:
• async 0/4/0 (corresponding line is: line 0/4/0) [Serial]
• async 0/4/1 (corresponding line is: line 0/4/1) [Serial]
• async 0/4/2 (corresponding line is: line 0/4/2) [Serial]

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


297
IRM-1100-4A2T Expansion Module
Scenario Three

• async 0/4/3 (corresponding line is: line 0/4/3) [Serial]

Scenario Three
In this scenario, the IRM-1100-4A2T is mounted on the Expansion side, or the top. In addition, the configuration
also has the IRM-1100-SPMI expansion module mounted on the Compute side, or the bottom. See the following
figure:

In this configuration, the IRM-1100-4A2T is mounted on the Expansion side, or top, and has full functionality.
The SFP port on the IRM-1100-SPMI mounted on the Compute side, or bottom, will not function.
Interface numbering in this scenario is as follows:
• Async 0/3/0 – 0/3/3 [Connected on EM side]
• Async 0/4/0 – 0/4/3 [Connected on CM side]
• Gi0/0/5 and Gi0/0/6 [Layer 2 interfaces from EM side]
• LTE interface on CM side, cellular 0/4/0 and cellular 0/4/1

Scenario Four
In this scenario, there are two IRM-1100-4A2T expansion modules mounted on both the Expansion side and
the Compute side. See the following figure:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


298
IRM-1100-4A2T Expansion Module
Inventory Details based on Deployment

In this configuration, the IRM-1100-4A2T mounted on the Expansion side, or top, has full functionality. The
Ethernet ports on the IRM-1100-4A2T mounted on the Compute side, or bottom, will not function.
There is support for 8 more Async interfaces, and 2 Gigabit ethernet interfaces.
Interface numbering in this scenario is as follows:
• Async 0/3/0 – 0/3/3 [Connected on EM side]
• Async 0/4/0 – 0/4/3 [Connected on CM side]
• Gi0/0/5 and Gi0/0/6 [Layer 2 interfaces from EM side]

Inventory Details based on Deployment


The output to the show inventory command will show different details based upon which side of the IR1101
base unit it is attached to.
Router#sh inv
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
INFO: Please use "show license UDI" to get serial number for licensing.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

NAME: "Chassis", DESCR: "IR1101 Base Chassis"


PID: IR1101-K9 , VID: V03 , SN: FCW2452P561

NAME: "Module 0 - Mother Board", DESCR: "Cisco IR1101 motherboard"


PID: IR1101-K9 , VID: V03 , SN: FOC245126XR

NAME: "module subslot 0/0", DESCR: "IR1101-ES-7G"

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


299
IRM-1100-4A2T Expansion Module
Gigabit Ethernet Switch Ports

PID: IR1101-ES-7G , VID: V01 , SN:

NAME: "module subslot 0/4", DESCR: "P-LTE-MNA Module"


PID: P-LTE-MNA , VID: V01 , SN: FOC24230U79

NAME: "Modem on Cellular0/4/0", DESCR: "Sierra Wireless WP7610"


PID: WP7610 , VID: 10000, SN: 356307100162618

NAME: "Module 2 - Compute Module", DESCR: "IR1100 expansion module with Pluggable slot,
SFP, mSATA SSD slot and Digital GPIO"
PID: IRM-1100-SPMI , VID: V02 , SN: FCW2502PAP0

NAME: "Module 3 - Expansion Module", DESCR: "IR1100 expansion module with 4 Async ports and
2 copper ports"
PID: IRM-1100-4A2T , VID: V00 , SN: FOC25150ZRJ
Router# sh ip int bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES NVRAM administratively down down
FastEthernet0/0/1 unassigned YES unset administratively down down
FastEthernet0/0/2 unassigned YES unset administratively down down
FastEthernet0/0/3 unassigned YES unset administratively down down
FastEthernet0/0/4 unassigned YES unset down down
GigabitEthernet0/0/5 unassigned YES unset administratively down down
GigabitEthernet0/0/6 unassigned YES unset down down
Cellular0/1/0 unassigned YES NVRAM administratively down down
Cellular0/1/1 unassigned YES NVRAM administratively down down
Async0/2/0 unassigned YES unset up up
Async0/3/0 unassigned YES unset up ip
Async0/4/0 unassigned YES unset administratively down down
Async0/3/1 unassigned YES unset administratively down down
Async0/4/1 unassigned YES unset administratively down down
Async0/3/2 unassigned YES unset administratively down down
Async0/4/2 unassigned YES unset administratively down down
Async0/3/3 unassigned YES unset administratively down down
Async0/4/3 unassigned YES unset administratively down down
Vlan1 unassigned YES unset up down

Gigabit Ethernet Switch Ports


The Ethernet ports are Layer 2 RJ45 10/100/1000 Mbps ports.
The base router (IR1101) GE port is named gigabitethernet 0/0/0. When the IRM-1100-4A2T is mounted on
the Expansion side, or top, two additional ports are available:
• gigabitethernet 0/0/5
• gigabitethernet 0/0/6

LEDs
There are two LEDs on the front associated with the two Ethernet ports (5 and 6). See the following figure:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


300
IRM-1100-4A2T Expansion Module
LEDs

Figure 93: Ethernet Port LEDs

See the following table for the LED functionality:

Color/State Description

Green Port link, no activity

Flashing Link healthy with activity


Green

Off No link

LED status is also available through the command line:


Router# show led

SYSTEM LED : Green

Custom LED : Off

VPN LED : Off

ALARM LED : Off

GigabitEthernet0/0/0 LED : On
FastEthernet0/0/1 LED : On
FastEthernet0/0/2 LED : Off
FastEthernet0/0/3 LED : Off
FastEthernet0/0/4 LED : Off
GigabitEthernet0/0/5 LED : On
GigabitEthernet0/0/6 LED : Off

*Cellular 0/1*
LTE module Enable LED : Green
LTE module SIM 0 LED : Off
LTE module SIM 1 LED : Off
LTE module GPS LED : Off
LTE module RSSI 0 LED : Off
LTE module RSSI 1 LED : Off
LTE module RSSI 2 LED : Off
LTE module RSSI 3 LED : Off

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


301
IRM-1100-4A2T Expansion Module
Async Ports

Async Ports
IOS-XE release 17.7.1 software provides support for an additional module (IRM-1100-4A2T) that has 4 Async
ports and 2 gigabit ethernet interfaces. The software enumerates the interface numbers depending on which
side of the Base IR1101 the expansion module is attached to.
The base router (IR1101) async port is async 0/2/0, with the out of bound management port being async 0/2/1.
When the IRM-1100-4A2T is mounted on the Expansion side, or top, the async ports are numbered as:
• async 0/3/0 (corresponding line is: line 0/3/0)
• async 0/3/1 (corresponding line is: line 0/3/1)
• async 0/3/2 (corresponding line is: line 0/3/2)
• async 0/3/3 (corresponding line is: line 0/3/3)

When the IRM-1100-4A2T is mounted on the Compute side, or bottom, the async ports are numbered as:
• async 0/4/0 (corresponding line is: line 0/4/0)
• async 0/4/1 (corresponding line is: line 0/4/1)
• async 0/4/2 (corresponding line is: line 0/4/2)
• async 0/4/3 (corresponding line is: line 0/4/3)

The async ports on the IRM-1100-4A2T support:


• media-type RS232 (DCE) and RS485 (RS422 and RS485 share the same configuration)
• full-duplex/half-duplex

Serial RJ45 Pin-Outs


All Serial ports can be in three operational modes:
• RS232
• RS485 Full Duplex
• RS485 Half Duplex

All ports follow the RS232 signal standard, with a max baud rate of 115Kbps supported. The following table
shows pinouts for the four ports:

Pin Description Mode Direction


Number

1 Data Set Ready DCE OUT

2 DCD/Ring DCE OUT

3 Data Terminal Ready DCE IN

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


302
IRM-1100-4A2T Expansion Module
DCE Interface Configuration Steps

Pin Description Mode Direction


Number

4 Signal Ground — —

5 Receive Data DCE OUT

6 Transmit Data DCE IN

7 Clear to Send DCE OUT

8 Request to Send DCE IN

DCE Interface Configuration Steps


The default interface configuration for all ports on the serial expansion module is RS232. If the interface is
configured for media-type RS485, the default configuration is in full-duplex mode.
• The configuration of GI0/0/5 and Gi0/0/6 are similar to the L2 ports in the IR1101 base unit.
• The async ports support both RS232 and RS485/full/half-duplex. Additionally, "media-type", "full-duplex",
and "half-duplex" are supported on the expansion module, compared to the async 0/2/0 in the IR1101
base unit.

Default Configuration
The default configuration for all ports of the serial expansion module is RS232.
Router#sh run int Async0/3/0
Building configuration...

Current configuration : 92 bytes

interface Async0/3/0
no ip address
encapsulation scada
shutdown
media-type rs232

Configuration Example for Media-Type RS232


The CLI media-type ? shows rs232 and rs485 available.
Router(config)#int Async0/3/3
Router(config-if)#media
Router(config-if)#media-type ?
rs232 Set RS232 media type
rs485 Set RS485 media type

Configure the media-type for RS232.


Router(config-if)#media-type rs232
Router(config-if)#no shut
Router(config-if)#end

Router#sh run int Async0/3/3


Building configuration...
!

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


303
IRM-1100-4A2T Expansion Module
GPIO Configuration Pins

Current configuration : 82 bytes


!
interface Async0/3/3
no ip address
encapsulation scada
media-type rs232
end

Configuration Example for Media-Type RS485


Configure the media-type for RS485.
Router#conf t
Enter configuration commands, one per line.
Router(config)#int Asyn0/3/0
Router(config-if)#media
Router(config-if)#media-type rs485
Router(config-if)#end

Router# sh run int Async0/3/0

Building configuration...

Current configuration : 105 bytes


!
interface Async0/3/0
no ip address
encapsulation scada
shutdown
media-type rs485
full-duplex
end

Configuration Example for Media-Type RS485 (half-duplex)


Configure the media-type for RS485 running half duplex.
Router(config)#int Async0/4/2
Router(config-if)#media
Router(config-if)#media-type rs485
Router(config-if)#half-duplex
Router(config-if)#end

Router#sh run int Async0/4/2


Building configuration...

Current configuration : 105 bytes


!
interface Async0/4/2
no ip address
encapsulation scada
shutdown
media-type rs485
half-duplex

GPIO Configuration Pins


The IRM-1100-4A2T has four Async ports that send signals to hardware using GPIO pins, through which
media-type and duplex settings are configured. The following are examples of standard signals if GPIO pin
is set to ‘6’ configured as RS232, ‘4’ configured as RS485 full-duplex and ‘C’ configured as RS485 half-duplex.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


304
IRM-1100-4A2T Expansion Module
GPIO Configuration Pins

Router#sh controllers Async0/3/0


Line: 0/3/0(74) Interface:Async0/3/0
State=6 encapsulation=95 speed=9600 maxmtu=1500
Duplex=0 ACCM_TX=0xFFFFFFFF ACCM_RX=0xFFFFFFFF
Max_idle=10 frame_size=100
Buffered bytes=0 tty capabilities=0x8 tty statbits=0x40 databits=8
TX packet cnt:0 Scattered: 0 Particle cnt:0 Request cnt:0
PPP in total:0
PPP Rx head:0x0 tail:0x0
GPIO read: 6666

Note Based on the above output, all the Async ports 0/3/0 to 0/3/3 are configured with default media-type
RS232.

Router#sh controllers Async0/4/2


Line: 0/4/2(100) Interface:Async0/4/2
State=6 encapsulation=95 speed=9600 maxmtu=1500
Duplex=0 ACCM_TX=0xFFFFFFFF ACCM_RX=0xFFFFFFFF
Max_idle=10 frame_size=100
Buffered bytes=0 tty capabilities=0x8 tty statbits=0x40 databits=8
TX packet cnt:0 Scattered: 0 Particle cnt:0 Request cnt:0
PPP in total:0
PPP Rx head:0x0 tail:0x0
GPIO read: 6C66

Note Based on the above output, Async port 0/4/2 is configured with RS485 Half-duplex, and remaining ports
Async0/4/0,0/4/1 and 0/4/3 are configured with default media-type RS232.

Router# sh controllers Async0/3/3


Line: 0/3/3(77) Interface:Async0/3/3
State=4 encapsulation=97 speed=9600 maxmtu=1500
Duplex=0 ACCM_TX=0xFFFFFFFF ACCM_RX=0xFFFFFFFF
Max_idle=10 frame_size=100
Buffered bytes=0 tty capabilities=0x8 tty statbits=0x440 databits=8
TX packet cnt:0 Scattered: 0 Particle cnt:0 Request cnt:0
PPP in total:0
PPP Rx head:0x0 tail:0x0
GPIO read: 4666

Note Based on the above output, Async port 0/3/3 is configured with RS485 Full-duplex, and the remaining
ports Asyn0/3/0, Async0/3/1 and Async0/3/2 are configured with default media-type RS232.

Debug Commands
There is a debug command available for troubleshooting the GPIO configuration:
Router# debug condition interface <ASYNC_INTERFACE_SLOT> event

Note This command is not supported for the Async 0/2/0 interface.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


305
IRM-1100-4A2T Expansion Module
Configuration Examples for Additional Async Interfaces

Configuration Examples for Additional Async Interfaces


Further information can be found in the Raw Socket Transport chapter of the IR1101 Rugged Series Router
Software Configuration Guide

Raw-TCP Multi-hop (daisy chain)


For raw-tcp, the user needs to configure encapsulation raw-tcp under the Async interface, and needs to
configure associated line interface either as server or client. Maximum number of sessions per server is 32.
Figure 94: Raw-TCP Multi-hop Example

The following is an example configuration for two routers as shown above.

IR1101 Other Router


Note Can be any IOS-XE router or IOS router,
that supports at least 2 serial interfaces.
int Async0/2/0 int Async 0/2/0
encapsulation raw-tcp encapsulation raw-tcp
no shut no shut
int Async 0/3/1 int Async 0/2/1
encapsulation raw-tcp encapsulation raw-tcp
media-type rs485 no shut
full-duplex
no shut line 0/2/0
raw-socket tcp server 6000
line 0/2/0 line 0/2/1
raw-socket tcp client 10.0.0.2 6000 10.0.0.1 raw-socket tcp server 5000
6001
line 0/3/1
raw-socket tcp client 10.0.0.2 5000 10.0.0.1
5001

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


306
IRM-1100-4A2T Expansion Module
Scada Protocol Translations

Raw-UDP Multi-hop (daisy chain)


Figure 95: Raw-UDP Multi-hop Example

The following is an example configuration for two routers as shown above.

IR1101 Other Router


Note Can be any IOS-XE router or IOS router,
that supports at least 2 serial interfaces.
int Async0/2/0 int Async 0/2/0
encapsulation raw-udp encapsulation raw-udp
no shut no shut
int Async 0/3/1 int Async 0/2/1
encapsulation raw-udp encapsulation raw-udp
media-type rs485 no shut
half-duplex
no shut line 0/2/0
raw-socket udp connection 10.0.0.1 6000 6001
line 0/2/0 10.0.0.2
raw-socket udp connection 10.0.0.2 6001 6000 line 0/2/1
10.0.0.1 raw-socket udp connection 10.0.0.1 5000 5001
line 0/3/1 10.0.0.2
raw-socket udp connection 10.0.0.2 5001 5000
10.0.0.1

Scada Protocol Translations


Further information can be found in the Information About SCADA chapter of the IR1101 Rugged Series
Router Software Configuration Guide

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


307
IRM-1100-4A2T Expansion Module
Scada Protocol Translations

T101/T104
Figure 96: T101/T104 Configuration Example

The following is an example configuration for the figure shown above.

Table 17: T101/T104 Configuration Example

int Async0/2/0 scada-gw protocol t101 Scada-gw protocol t104


encapsulation scada channel rt-chan-1 channel mt-chan-1
no shut link-mode balanced t3-timeout 20
bind-to-interface Async0/2/0 tcp-connection 0 local-port
session rt-sess-1 5000 remote-ip any
attach-to-channel rt-chan-1 session mt-sess-1
common-addr-size one attach-to-channel mt-chan-1
cot-size two sector mt-sec-1
info-obj-addr-size three attach-to-session mt-sess-1
link-addr 31 asdu-addr 120
sector rt-sec-1 map-to-sector rt-sec-1
attach-to-session rt-sess-1
asdu-addr 100

int Async0/3/0 channel rt-chan-2 channel mt-chan-2


encapsulation scada link-mode balanced t3-timeout 20
media-type rs485 bind-to-interface Async0/3/0 tcp-connection 0 local-port
half-duplex session rt-sess-2 6000 remote-ip any
no shut attach-to-channel rt-chan-2 session mt-sess-2
common-addr-size one attach-to-channel mt-chan-2
cot-size two sector mt-sec-2
info-obj-addr-size three attach-to-session mt-sess-2
link-addr 32 asdu-addr 121
sector rt-sec-2 map-to-sector rt-sec-2
attach-to-session rt-sess-2 scada-gw enable
asdu-addr 101

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


308
IRM-1100-4A2T Expansion Module
Serial Relay

DNP3 IP/Serial
Figure 97: DNP3 IP/Serial Configuration Example

The following is an example configuration for the figure shown above.

Table 18: DNP3 IP/Serial Configuration Example

int Async0/2/0 scada-gw protocol dnp3-serial scada-gw protocol dnp3-ip


encapsulation scada channel dnp3_serial_channel_1 channel dnp3_ip_channel_1
no shut link-addr source 5 link-addr dest 3
request-timeout 60 send-unsolicited-msg enable
link-timeout 6 tcp-connection local-port 5000
unsolicited-response enable remote-ip any
bind-to-interface Async0/2/0 session dnp3_ip_session_1
no protocol test-link attach-to-channel
session dnp3_serial_session_1 dnp3_ip_channel_1
attach-to-channel link-addr source 7
dnp3_serial_channel_1 map-to-session
link-addr dest 1 dnp3_serial_session_1

int Async0/3/0 channel dnp3_serial_channel_2 channel dnp3_ip_channel_2


encapsulation scada link-addr source 6 link-addr dest 5
media-type rs485 request-timeout 60 send-unsolicited-msg enable
half-duplex link-timeout 6 tcp-connection local-port 6000
no shut unsolicited-response enable remote-ip any
bind-to-interface Async0/3/0 session dnp3_ip_session_2
no protocol test-link attach-to-channel
session dnp3_serial_session_2 dnp3_ip_channel_2
attach-to-channel link-addr source 8
dnp3_serial_channel_2 map-to-session
link-addr dest 2 dnp3_serial_session_2
scada-gw protocol ignore
direction
scada-gw enable

Serial Relay
Serial relay can be supported on all of the Async ports of IRM-1100-4A2T. You can map in any order. Mapping
of Async interfaces with “encapsulation relay-line” configured on interface. For Example:
• relay line 0/0/0 0/2/0
• relay line 0/0/1 0/3/2

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


309
IRM-1100-4A2T Expansion Module
Using the WebUI to Configure Async Ports

• relay line 0/0/2 0/3/0


• relay line 0/0/3 0/3/1
• relay line 0/0/4 0/4/0

Refer to the Serial Relay Service chapter in the IR1101 Configuration Guide for additional detail.

Using the WebUI to Configure Async Ports


Use the following steps to configure Async ports through the WebUI.

Before you begin


Cisco IOS XE release supports WebUI support (Day-1) as basic template for configuration and validation for
Async interfaces.
Ports can be monitored by navigating to Monitoring > General > Ports:
Figure 98: Monitor Ports

Step 1 Navigate to Configuration > Interface > Serial.


Figure 99: Serial Ports

Step 2 Double click on the interface you want to edit. The Edit Interface <Interface Number> window appears.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


310
IRM-1100-4A2T Expansion Module
Using the WebUI to Configure Async Ports

Figure 100: Edit Interface

The Async0/2/0 interface on the base IR1101 supports media-type RS232 by default. You cannot change any media-type
associated with this interface.

Step 3 Click on the Encapsulation tab of the Edit Interface window.


Figure 101: Edit Interface (Encapsulation)

If needed, you can change the encapsulation for the Async0/2/0 interface, and the associated line interface. Select any
value from the drop down list that is supported for the Async interface on the IR1101.

Step 4 Perform the same steps to navigate to the Edit Interface window to configure the Async ports on the IRM-1100-4A2T.
For example, edit the Async0/3/3 interface:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


311
IRM-1100-4A2T Expansion Module
Using the WebUI to Configure Async Ports

Figure 102: Edit Interface Async0/3/3

The ports on the IRM-1100-4A2T can have the media type changed from the drop down box. If RS485 is selected, you
can select either full or half duplex.
Figure 103: Edit Interface Async0/3/3 (Encapsulation Tab)

Step 5 When satisfied with your selections, click on Update & Apply to Device.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


312
CHAPTER 29
System Messages
This chapter contains the following sections:
• Information About Process Management, on page 313
• How to Find Error Message Details, on page 313

Information About Process Management


You can access system messages by logging in to the console through Telnet protocol and monitoring your
system components remotely from any workstation that supports the Telnet protocol.
Starting and monitoring software is referred to as process management. The process management infrastructure
for a router is platform independent, and error messages are consistent across platforms running on Cisco IOS
XE. You do not have to be directly involved in process management, but we recommend that you read the
system messages that refer to process failures and other issues.

How to Find Error Message Details


To show further details about a process management or a syslog error message, enter the error message into
the Error Message Decoder tool at: https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi.
For example, enter the message %PMAN-0-PROCESS_NOTIFICATION into the tool to view an explanation of the
error message and the recommended action to be taken.
The following are examples of the description and the recommended action displayed by the Error Message
Decoder tool for some of the error messages.
Error Message: %PMAN-0-PROCESS_NOTIFICATION : The process lifecycle notification component
failed because [chars]

Explanation Recommended Action

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


313
System Messages
How to Find Error Message Details

The process lifecycle notification component failed, Note the time of the message and investigate the
preventing proper detection of a process start and stop. kernel error message logs to learn more about the
This problem is likely the result of a software defect problem and see if it is correctable. If the problem
in the software subpackage. cannot be corrected or the logs are not helpful, copy
the error message exactly as it appears on the console
along with the output of the show tech-support
command and provide the gathered information to a
Cisco technical support representative.

Error Message: %PMAN-0-PROCFAILCRIT A critical process [chars] has failed (rc [dec])

Explanation Recommended Action

A process important to the functioning of the router Note the time of the message and investigate the error
has failed. message logs to learn more about the problem. If the
problem persists, copy the message exactly as it
appears on the console or in the system log. Research
and attempt to resolve the issue using the tools and
utilities provided at: http://www.cisco.com/tac. With
some messages, these tools and utilities will supply
clarifying information. Search for resolved software
issues using the Bug Search Tool at:
http://www.cisco.com/cisco/psn/bssprt/bss. If you still
require assistance, open a case with the Technical
Assistance Center at:
http://tools.cisco.com/ServiceRequestTool/create/, or
contact your Cisco technical support representative
and provide the representative with the information
you have gathered. Attach the following information
to your case in nonzipped, plain-text (.txt) format: the
output of the show logging and show tech-support
commands and your pertinent troubleshooting logs.

Error Message: %PMAN-3-PROCFAILOPT An optional process [chars] has failed (rc [dec])

Explanation Recommended Action

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


314
System Messages
How to Find Error Message Details

A process that does not affect the forwarding of traffic Note the time of the message and investigate the
has failed. kernel error message logs to learn more about the
problem. Although traffic will still be forwarded after
receiving this message, certain functions on the router
may be disabled because of this message and the error
should be investigated. If the logs are not helpful or
indicate a problem you cannot correct, copy the
message exactly as it appears on the console or in the
system log. Research and attempt to resolve the issue
using the tools and utilities provided at
http://www.cisco.com/tac. With some messages, these
tools and utilities will supply clarifying information.
Search for resolved software issues using the Bug
Search Tool at:
http://www.cisco.com/cisco/psn/bssprt/bss. If you still
require assistance, open a case with the Technical
Assistance Center at:
http://tools.cisco.com/ServiceRequestTool/create/, or
contact your Cisco technical support representative
and provide the representative with the information
you have gathered. Attach the following information
to your case in nonzipped, plain-text (.txt) format: the
output of the show logging and show tech-support
commands and your pertinent troubleshooting logs.

Error Message: %PMAN-3-PROCFAIL The process [chars] has failed (rc [dec])

Explanation Recommended Action

The process has failed as the result of an error. This message will appear with other messages related
to the process. Check the other messages to determine
the reason for the failures and see if corrective action
can be taken. If the problem persists, copy the message
exactly as it appears on the console or in the system
log. Research and attempt to resolve the issue using
the tools and utilities provided at:
http://www.cisco.com/tac. With some messages, these
tools and utilities will supply clarifying information.
Search for resolved software issues using the Bug
Search Tool at:
http://www.cisco.com/cisco/psn/bssprt/bss. If you still
require assistance, open a case with the Technical
Assistance Center at:
http://tools.cisco.com/ServiceRequestTool/create/, or
contact your Cisco technical support representative
and provide the representative with the information
you have gathered. Attach the following information
to your case in nonzipped, plain-text (.txt) format: the
output of the show logging and show tech-support
commands and your pertinent troubleshooting logs.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


315
System Messages
How to Find Error Message Details

Error Message: %PMAN-3-PROCFAIL_IGNORE [chars] process exits and failures are being ignored
due to debug settings. Normal router functionality will be affected. Critical router
functions like RP switchover, router reload, FRU resets, etc. may not function properly.

Explanation Recommended Action

A process failure is being ignored due to the If this behavior is desired and the debug settings are
user-configured debug settings. set according to a user's preference, no action is
needed. If the appearance of this message is viewed
as a problem, change the debug settings. The router
is not expected to behave normally with this debug
setting. Functionalities such as SSO switchover, router
reloads, FRU resets, and so on will be affected. This
setting should only be used in a debug scenario. It is
not normal to run the router with this setting.

Error Message: %PMAN-3-PROCHOLDDOWN The process [chars] has been helddown (rc [dec])

Explanation Recommended Action

The process was restarted too many times with This message will appear with other messages related
repeated failures and has been placed in the hold-down to the process. Check the other messages to determine
state. the reason for the failures and see if corrective action
can be taken. If the problem persists, copy the message
exactly as it appears on the console or in the system
log. Research and attempt to resolve the issue using
the tools and utilities provided at:
http://www.cisco.com/tac. With some messages, these
tools and utilities will supply clarifying information.
Search for resolved software issues using the Bug
Search Tool at:
http://www.cisco.com/cisco/psn/bssprt/bss. If you still
require assistance, open a case with the Technical
Assistance Center at:
http://tools.cisco.com/ServiceRequestTool/create/, or
contact your Cisco technical support representative
and provide the representative with the information
you have gathered. Attach the following information
to your case in nonzipped, plain-text (.txt) format: the
output of the show logging and show tech-support
commands and your pertinent troubleshooting logs.

Error Message: %PMAN-3-RELOAD_RP_SB_NOT_READY : Reloading: [chars]

Explanation Recommended Action

The route processor is being reloaded because there Ensure that the reload is not due to an error condition.
is no ready standby instance.

Error Message: %PMAN-3-RELOAD_RP : Reloading: [chars]

Explanation Recommended Action

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


316
System Messages
How to Find Error Message Details

The RP is being reloaded. Ensure that the reload is not due to an error condition.
If it is due to an error condition, collect information
requested by the other log messages.

Error Message: %PMAN-3-RELOAD_SYSTEM : Reloading: [chars]

Explanation Recommended Action

The system is being reloaded. Ensure that the reload is not due to an error condition.
If it is due to an error condition, collect information
requested by the other log messages.

Error Message: %PMAN-3-PROC_BAD_EXECUTABLE : Bad executable or permission problem with


process [chars]

Explanation Recommended Action

The executable file used for the process is bad or has Ensure that the named executable is replaced with the
permission problem. correct executable.

Error Message: %PMAN-3-PROC_BAD_COMMAND:Non-existent executable or bad library used for


process <process name>

Explanation Recommended Action

The executable file used for the process is missing, Ensure that the named executable is present and the
or a dependent library is bad. dependent libraries are good.

Error Message: %PMAN-3-PROC_EMPTY_EXEC_FILE : Empty executable used for process [chars]

Explanation Recommended Action

The executable file used for the process is empty. Ensure that the named executable is non-zero in size.

Error Message: %PMAN-5-EXITACTION : Process manager is exiting: [chars]

Explanation Recommended Action

The process manager is exiting. Ensure that the process manager is not exiting due to
an error condition. If it is due to an error condition,
collect information requested by the other log
messages.

Error Message: %PMAN-6-PROCSHUT : The process [chars] has shutdown

Explanation Recommended Action

The process has gracefully shut down. No user action is necessary. This message is provided
for informational purposes only.

Error Message: %PMAN-6-PROCSTART : The process [chars] has started

Explanation Recommended Action

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


317
System Messages
How to Find Error Message Details

The process has launched and is operating properly. No user action is necessary. This message is provided
for informational purposes only.

Error Message: %PMAN-6-PROCSTATELESS : The process [chars] is restarting stateless

Explanation Recommended Action

The process has requested a stateless restart. No user action is necessary. This message is provided
for informational purposes only.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


318
CHAPTER 30
Environmental Monitoring
• Environmental Monitoring, on page 319
• Environmental Monitoring and Reporting Functions, on page 319
• Environmental Monitoring Functions, on page 320
• Environmental Reporting Functions, on page 321
• Additional References, on page 327
• Technical Assistance, on page 327

Environmental Monitoring
The router provides a robust environment-monitoring system with several sensors that monitor the system
temperatures. The following are some of the key functions of the environmental monitoring system:
• Monitoring temperature of CPUs and Motherboard
• Recording abnormal events and generating notifications
• Monitoring Simple Network Management Protocol (SNMP) traps
• Generating and collecting Onboard Failure Logging (OBFL) data
• Sending call home event notifications
• Logging system error messages
• Displaying present settings and status

Environmental Monitoring and Reporting Functions


Monitoring and reporting functions allow you to maintain normal system operation by identifying and resolving
adverse conditions prior to loss of operation.
• Environmental Monitoring Functions, on page 320
• Environmental Reporting Functions, on page 321

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


319
Environmental Monitoring
Environmental Monitoring Functions

Environmental Monitoring Functions


Environmental monitoring functions use sensors to monitor the temperature of the cooling air as it moves
through the chassis.
The router is expected to meet the following environmental operating conditions
• Non-operating Temperature: -40°F to 158°F (-40°C to 70°C)
• Non-operating Humidity: 5 to 95% relative humidity (non-condensing)
• Operating Temperature:
-40° to 140°F (-40° to 60°C) in a sealed NEMA cabinet with no airflow
-40° to 158°F (-40° to 70°C) in a vented cabinet with 40 lfm of air
-40° to 167°F (-40° to 75°C) in a forced air enclosure with 200 lfm of air
• Operating Humidity: 10% to 95% relative humidity (non-condensing)
• Operating Altitude: -500 to 5,000 feet. Derate max operating temperature 1.5°C per 1000 feet.

The following table displays the levels of status conditions used by the environmental monitoring system.

Table 19: Levels of Status Conditions Used by the Environmental Monitoring System

Status Level Description

Normal All monitored parameters are within normal tolerance.

Warning The system has exceeded a specified threshold. The system continues to
operate, but operator action is recommended to bring the system back to a
normal state.

Critical An out-of-tolerance temperature or voltage condition exists. Although the


system continues to operate, it is approaching shutdown. Immediate operator
action is required.

The environmental monitoring system sends system messages to the console, for example, when the conditions
described here are met:

Temperature and Voltage Exceed Max/Min Thresholds


The following example shows the warning messages indicating the maximum and minimum thresholds of
the temperature or voltage:
Warnings :
--------
For all the temperature sensors (name starting with “Temp:”) above,
the critical warning threshold is 100C (100C and higher)
the warning threshold is 80C (range from 80C to 99C)
the low warning threshold is 1C (range from -inf to 1C).

For all voltage sensors (names starting with "V:"),


the high warning threshold starts at that voltage +10%. (voltage + 10% is warning)
the low warning threshold starts at the voltage -10%. (voltage - 10% is warning)

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


320
Environmental Monitoring
Environmental Reporting Functions

Environmental Reporting Functions


You can retrieve and display environmental status reports using the following commands:
• show diag all eeprom
• show environment
• show environment all
• show inventory
• show platform
• show platform diag
• show platform software status control-processor
• show diag slot R0 eeprom detail
• show version
• show power

These commands show the current values of parameters such as temperature and voltage.
The environmental monitoring system updates the values of these parameters every 60 seconds. Brief examples
of these commands are shown below:

show diag all eeprom: Example


Router# show diag all eepromMIDPLANE EEPROM data:

Product Identifier (PID) : IR1101-K9


Version Identifier (VID) : V00
PCB Serial Number : FOC21482ZQF
PCB Serial Number : FOC214822CK
PCB Serial Number : FOC21482SY7
Top Assy. Part Number : 68-6479-01
Top Assy. Revision : 13
Hardware Revision : 0.2
Asset ID :
CLEI Code : UNASSIGNED
Power/Fan Module P0 EEPROM data is not initialized

Power/Fan Module P1 EEPROM data is not initialized

Slot R0 EEPROM data:

Product Identifier (PID) : IR1101-K9


Version Identifier (VID) : V00
PCB Serial Number : FOC21482ZQF
PCB Serial Number : FOC214822CK
PCB Serial Number : FOC21482SY7
Top Assy. Part Number : 68-6479-01
Top Assy. Revision : 13
Hardware Revision : 0.2
CLEI Code : UNASSIGNED
Slot F0 EEPROM data:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


321
Environmental Monitoring
Environmental Reporting Functions

Product Identifier (PID) : IR1101-K9


Version Identifier (VID) : V00
PCB Serial Number : FOC21482ZQF
PCB Serial Number : FOC214822CK
PCB Serial Number : FOC21482SY7
Top Assy. Part Number : 68-6479-01
Top Assy. Revision : 13
Hardware Revision : 0.2
CLEI Code : UNASSIGNED
Slot 0 EEPROM data:

Product Identifier (PID) : IR1101-K9


Version Identifier (VID) : V00
PCB Serial Number : FOC21482ZQF
PCB Serial Number : FOC214822CK
PCB Serial Number : FOC21482SY7
Top Assy. Part Number : 68-6479-01
Top Assy. Revision : 13
Hardware Revision : 0.2
CLEI Code : UNASSIGNED
SPA EEPROM data for subslot 0/0:

Product Identifier (PID) : IR1101-ES-5


Version Identifier (VID) : V01
PCB Serial Number :
Top Assy. Part Number : 68-2236-01
Top Assy. Revision : A0
Hardware Revision : 2.2
CLEI Code : CNUIAHSAAA
SPA EEPROM data for subslot 0/1 is not available

SPA EEPROM data for subslot 0/2 is not available

SPA EEPROM data for subslot 0/3 is not available

SPA EEPROM data for subslot 0/4 is not available

SPA EEPROM data for subslot 0/5 is not available

Router#

show environment: Example


Router# show environment
Number of Critical alarms: 0
Number of Major alarms: 0
Number of Minor alarms: 0

Slot Sensor Current State Reading Threshold(Minor,Major,Critical,Shutdown)


---------- -------------- --------------- ------------ ---------------------------------------
R0 Temp: LM75BXXX Normal 43 Celsius (75 ,80 ,90 ,na )(Celsius)

Router#

show environment all: Example


Router# show environment all
Sensor List: Environmental Monitoring

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


322
Environmental Monitoring
Environmental Reporting Functions

Sensor Location State Reading


Temp: LM75BXXX R0 Normal 48 Celsius

show inventory: Example


Router# show inventory
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
INFO: Please use "show license UDI" to get serial number for licensing.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
NAME: "Chassis", DESCR: "IR1101 Base Chassis"
PID: IR1101-K9 , VID: V00 , SN: FCW2132TH0Z

NAME: "Module 0 - Mother Board", DESCR: "Cisco IR1101 motherboard"


PID: IR1101-K9 , VID: , SN:

NAME: "module subslot 0/0", DESCR: "IR1101-ES-5"


PID: IR1101-ES-5 , VID: V01 , SN:

NAME: "subslot 0/0 transceiver 0", DESCR: "GE SX"


PID: GLC-SX-MM-RGD , VID: V01 , SN: FNS16370HL4

NAME: "module subslot 0/1", DESCR: "P-LTE-US Module"


PID: P-LTE-US , VID: V01 , SN: FOC21333R92

NAME: "Modem 0 on Cellular0/1/0", DESCR: "Sierra Wireless WP7603"


PID: WP7603 , VID: 10000, SN: 359528080000794

show platform: Example


Router# show platform
Chassis type: IR1101-K9

Slot Type State Insert time (ago)


--------- ------------------- --------------------- -----------------
0 IR1101-K9 ok 01:52:41
0/0 IR1101-ES-5 ok 01:51:35
R0 IR1101-K9 ok, active 01:52:41
F0 IR1101-K9 init, active 01:52:41
Router#

show platform diag: Example


Router# show platform diag
Chassis type: IR1101-K9

Slot: 0, IR1101-K9
Running state : ok
Internal state : online
Internal operational state : ok
Physical insert detect time : 00:00:25 (5d02h ago)
Software declared up time : 00:01:07 (5d02h ago)
CPLD version :
Firmware version : 1.3

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


323
Environmental Monitoring
Environmental Reporting Functions

Sub-slot: 0/0, IR1101-ES-5


Operational status : ok
Internal state : inserted
Physical insert detect time : 00:02:21 (5d02h ago)
Logical insert detect time : 00:02:21 (5d02h ago)

Sub-slot: 0/1, P-LTE-US


Operational status : ok
Internal state : inserted
Physical insert detect time : 00:02:21 (5d02h ago)
Logical insert detect time : 00:02:21 (5d02h ago)

Slot: R0, IR1101-K9


Running state : ok, active
Internal state : online
Internal operational state : ok
Physical insert detect time : 00:00:25 (5d02h ago)
Software declared up time : 00:00:25 (5d02h ago)
CPLD version : 00000000
Firmware version : 1.2

Slot: F0, IR1101-K9


Running state : init, active
Internal state : online
Internal operational state : ok
Physical insert detect time : 00:00:25 (5d02h ago)
Software declared up time : 00:01:10 (5d02h ago)
Hardware ready signal time : 00:00:00 (never ago)
Packet ready signal time : 00:00:00 (never ago)
CPLD version : 00000000
Firmware version : 1.2

Router#

show platform software status control-processor: Example


Router# show platform software status control-processor
RP0: online, statistics updated 9 seconds ago
Load Average: healthy
1-Min: 0.32, status: healthy, under 5.00
5-Min: 0.33, status: healthy, under 5.00
15-Min: 0.35, status: healthy, under 5.00
Memory (kb): healthy
Total: 3959840
Used: 2894588 (73%), status: healthy
Free: 1065252 (27%)
Committed: 2435656 (62%), under 90%
Per-core Statistics
CPU0: CPU Utilization (percentage of time spent)
User: 0.50, System: 0.91, Nice: 0.00, Idle: 98.07
IRQ: 0.40, SIRQ: 0.10, IOwait: 0.00
CPU1: CPU Utilization (percentage of time spent)
User: 0.81, System: 0.30, Nice: 0.00, Idle: 98.48
IRQ: 0.20, SIRQ: 0.20, IOwait: 0.00
CPU2: CPU Utilization (percentage of time spent)
User: 0.81, System: 2.65, Nice: 0.00, Idle: 95.41
IRQ: 1.12, SIRQ: 0.00, IOwait: 0.00
CPU3: CPU Utilization (percentage of time spent)
User: 7.66, System: 17.05, Nice: 0.00, Idle: 70.58
IRQ: 4.59, SIRQ: 0.10, IOwait: 0.00

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


324
Environmental Monitoring
Environmental Reporting Functions

Router#

show diag slot RO eeprom detail: Example


Router# show diag slot R0 eeprom detail
Slot R0 EEPROM data:

EEPROM version : 4
Compatible Type : 0xFF
Controller Type : 3457
Hardware Revision : 0.2
PCB Part Number : 73-18820-03
Board Revision : 02
Deviation Number : 0
Fab Version : 02
PCB Serial Number : FOC22106KKH
Top Assy. Part Number : 68-6479-03
Top Assy. Revision : 04
Chassis Serial Number : FCW2213TH07
Deviation Number : 0
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product Identifier (PID) : IR1101-K9
Version Identifier (VID) : V00
CLEI Code : UNASSIGNED
Manufacturing Test Data : 00 00 00 00 00 00 00 00
Field Diagnostics Data : 00 00 00 00 00 00 00 00
Chassis MAC Address : 682c.7b4d.7880
MAC Address block size : 128
Asset ID :
Asset Alias :
PCB Part Number : 73-18821-03
Board Revision : 03
Deviation Number : 0
Fab Version : 02
PCB Serial Number : FOC22106KHD
PCB Part Number : 73-19117-02
Board Revision : 02
Deviation Number : 0
Fab Version : 01
PCB Serial Number : FOC22106KJ9
Asset ID :
Router#

show version: Example


Router# show version
Cisco IOS XE Software, Version 16.10.01
Cisco IOS Software [Gibraltar], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9-M), Version
16.10.1prd7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Wed 31-Oct-18 23:27 by mcpre

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


325
Environmental Monitoring
Environmental Reporting Functions

Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.


All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

Router uptime is 1 hour, 53 minutes


Uptime for this control processor is 1 hour, 54 minutes
System returned to ROM by reload
System image file is "usb0:ir1101-universalk9.16.10.01prd7.SPA.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United


States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to


[email protected].

Technology Package License Information:

------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
network-advantage Smart License network-advantage

Smart Licensing Status: UNREGISTERED/EVAL EXPIRED

cisco IR1101-K9 (ARM64) processor (revision 1.2 GHz) with 711867K/6147K bytes of memory.
Processor board ID FCW2150TH0F
1 Virtual Ethernet interface
4 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Serial interface
1 terminal line
32768K bytes of non-volatile configuration memory.
4038072K bytes of physical memory.
3110864K bytes of Bootflash at bootflash:.
0K bytes of WebUI ODM Files at webui:.
30670832K bytes of USB Flash at usbflash0:.

Configuration register is 0x0 (will be 0x2102 at next reload)

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


326
Environmental Monitoring
Additional References

Router#

show power: Example


Router# show power
Main PSU :
Total Power Consumed: 8.16 Watts
Router#

Additional References
The following sections provide references related to the power efficiency management feature.

MIBs

MIBs MIBs Link

CISCO-ENTITY-FRU-CONTROL-MIB To locate and download MIBs for selected platforms, Cisco IOS
releases, and feature sets, use the Cisco MIB Locator at:
http://www.cisco.com/go/mibs.

Technical Assistance
Description Link

The Cisco Support website provides extensive online http://www.cisco.com/cisco/web/support/index.html


resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


327
Environmental Monitoring
Technical Assistance

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


328
CHAPTER 31
IOx Application Hosting
This chapter contains the following sections:
• Application Hosting, on page 329
• Information About Application Hosting, on page 329
• Application Hosting on the IR1101 Router, on page 330
• How to Configure Application Hosting, on page 334
• Installing and Uninstalling Apps, on page 338
• Overriding the App Resource Configuration, on page 339
• Verifying the Application Hosting Configuration, on page 340
• Configuration Examples for Application Hosting, on page 341

Application Hosting
A hosted application is a software as a service solution, and it can be run remotely using commands. Application
hosting gives administrators a platform for leveraging their own tools and utilities.
This module describes the Application Hosting feature and how to enable it.

Information About Application Hosting


Need for Application Hosting
The move to virtual environments has given rise to the need to build applications that are reusable, portable,
and scalable. Application hosting gives administrators a platform for leveraging their own tools and utilities.
An application, hosted on a network device, can serve a variety of purposes. This ranges from automation,
configuration management monitoring, and integration with existing tool chains.
Cisco devices support third-party off-the-shelf applications built using Linux tool chains. Users can run custom
applications cross-compiled with the software development kit that Cisco provides.

IOx Overview
IOx is a Cisco-developed end-to-end application framework that provides application hosting capabilities for
different application types on Cisco network platforms.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


329
IOx Application Hosting
Cisco Application Hosting Overview

IOx architecture for the IR1101 is different compared to other Cisco platforms that use the hypervisor approach.
In other platforms, IOx runs as a virtual machine. IOx is running as a process on the IR1101.

Cisco Application Hosting Overview


The IR1101 enables the user to deploy the application using the app-hosting CLIs. These app-hosting CLIs
are not avaiable on the other older platforms. There are additional ways to deploy the applications using the
Local Manager and Fog Director.
Application hosting provides the following services:
• Launches designated applications in containers.
• Checks available resources (memory, CPU, and storage), and allocates and manages them.
• Provides support for console logging.
• Provides access to services via REST APIs.
• Provides a CLI endpoint.
• Provides an application hosting infrastructure referred to as Cisco Application Framework (CAF).
• Helps in the setup of platform-specific networking (packet-path) via VirtualPortGroup and management
interfaces
The container is referred to as the virtualization environment provided to run the guest application on the host
operating system. The Cisco IOS-XE virtualization services provide manageability and networking models
for running guest applications. The virtualization infrastructure allows the administrator to define a logical
interface that specifies the connectivity between the host and the guest. IOx maps the logical interface into
the Virtual Network Interface Card (vNIC) that the guest application uses.
Applications to be deployed in the containers are packaged as TAR files. The configuration that is specific
to these applications is also packaged as part of the TAR file.
The management interface on the device connects the application hosting network to the IOS management
interface. The Layer 3 interface of the application receives the Layer 2 bridged traffic from the IOS management
interface. The management interface connects through the management bridge to the container/application
interface. The IP address of the application must be on the same subnet as the management interface IP address.

IOXMAN
IOXMAN is a process that establishes a tracing infrastructure to provide logging or tracing services for guest
applications, except Libvirt, that emulates serial devices. IOXMAN is based on the lifecycle of the guest
application to enable and disable the tracing service, to send logging data to IOS syslog, to save tracing data
to IOx tracelog, and to maintain IOx tracelog for each guest application.

Application Hosting on the IR1101 Router


This section describes the application-hosting characteristics specific to the IR1101 Industrial Router.

Note The IR1101 CPU is not based on x86 architecture like other Routers. Therefore, this requires the
application to comply with the ARM 64-bits architecture.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


330
IOx Application Hosting
Application Hosting on the IR1101 Router

Application hosting can be achieved using the app-hosting cli's as well using the Local Manager and Fog
Director.

IOx URL Access Methods


The IOx URL can be accessed in two different ways.
1. Using the direct URL to the IOx login.
2. Navigate to the IOx login through the Web User Interface (WebUI)

The syntax for the first method is https://IR1101-IP-ADDRESS/iox/login


The syntax for the second method is https://IR1101-IP-ADDRESS and then navigate to IOx as shown in the
following:
Figure 104: Local Manager

1. From the WebUI, click on Configuration > Services > IOx


2. Login using the username and password configured.
3. Follow the steps for the application life-cycle in the Cisco IOx Local Manager Reference Guide.

IOX URL User Restriction


The second method will make the configuration of the entire router available to IOx users. In some
organizations, the IOx users are different from those that manage and administer the router. In this case, there
is a need for restricting the access of the IOx users to ONLY the IOx Local Manager WebUI and not the entire
WebUI of the router.
Currently, IOx users are configured as privilege 15 users. To restrict the IOx users to ONLY the Local Manager,
the following commands can be used:
Router(conf)# no ip http server
Router(conf)# ip http secure-server
Router(conf)# ip http session-module-list list2 OPENRESTY_PKI,NG_WEBUI
Router(conf)# ip http secure-active-session-modules list2

The command no ip http server will turn off the web server without https. The next command ip http
secure-server is to turn on the https mode.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


331
IOx Application Hosting
VirtualPortGroup

If you include only OPENRESTY_PKI AND NG_WEBUI, then you will be enabling ONLY the IOX local
manager modules, and hence ALL users can ONLY access the IOX local manager if they have privilege 15,
https://IR1101-IP-ADDRESS/iox/login.
And for ALL user, the WebUI access , https://IR1101-IP-ADDRESS will be disabled.

Note This method will disable the main web page https://IR1101-IP-ADDRESS for all users and will enable
only https://IR1101-IP-ADDRESS/iox/login for all users. Use this method if you do not use the IR1101
main router WebUI for general administration and configuration.

VirtualPortGroup
The VirtualPortGroup is a software construct on Cisco IOS that maps to a Linux bridge IP address. As such,
the VirtualPortGroup represents the switch virtual interface (SVI) of the Linux container. Each bridge can
contain multiple interfaces; each mapping to a different container. Each container can also have multiple
interfaces.
VirtualPortGroup interfaces are configured by using the interface virtualportgroup command. Once these
interfaces are created, IP address and other resources are allocated.
The VirtualPortGroup interface connects the application hosting network to the IOS routing domain. The
Layer 3 interface of the application receives routed traffic from IOS. The VirtualPortGroup interface connects
through the SVC Bridge to the container/application interface.
The following graphic helps to understand the relationship between the VirtualPortGroup and other interfaces,
as it is different than the IR8x9 routers.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


332
IOx Application Hosting
vNIC

Figure 105: Virtual Port Group Mapping

vNIC
For the container life cycle management, the Layer 3 routing model that supports one container per internal
logical interface is used. This means that a virtual Ethernet pair is created for each application; and one interface
of this pair, called vNIC is part of the application container. The other interface, called vpgX is part of the
host system.
NIC is the standard Ethernet interface inside the container that connects to the platform dataplane for the
sending and receiving of packets. IOx is responsible for the gateway (VirtualPortGroup interface), IP address,
and unique MAC address assignment for each vNIC in the container.
The vNIC inside the container/application are considered as standard Ethernet interfaces.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


333
IOx Application Hosting
How to Configure Application Hosting

How to Configure Application Hosting


Enabling IOx
Perform this task to enable access to the IOx Local Manager. The IOx Local Manager provides a web-based
user interface that you can use to manage, administer, monitor, and troubleshoot apps on the host system, and
to perform a variety of related activities.

Note In the steps that follow, IP HTTP commands do not enable IOX, but allow the user to access the WebUI
to connect the IOX Local Manager.

DETAILED STEPS

Steps Command Purpose

1. enable Enables
privileged
Example:
EXEC
mode.
Device>enable
Enter your
password if
prompted.

2. configure terminal Enters


global
Example:
configuration
mode.
Device#configure terminal

3. iox Enables
IOx
Example:

Device(config)#iox

4. ip http server Enables the


HTTP
Example:
server on
your IP or
Device(config)#ip http server
IPv6
system.

5. ip http secure-server Enables a


secure
Example:
HTTP
(HTTPS)
Device(config)#ip http secure-server
server.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


334
IOx Application Hosting
Configuring a VirtualPortGroup to a Layer 3 Data Port

Steps Command Purpose

6. username name privilege level password {0 | 7 | user-password }encrypted-password Establishes


a
Example:
username-based
authentication
Device(config)#username cisco privilege 15 password 0 cisco
system and
privilege
level for the
user.
The
username
privilege
level must
be
configured
as 15.

7. end Exits
interface
Example:
configuration
mode and
Device(config-if)#end
returns to
privileged
EXEC
mode.

Configuring a VirtualPortGroup to a Layer 3 Data Port


Multiple Layer 3 data ports can be routed to one or more VirtualPortGroups or containers. VirutalPortGroups
and Layer 3 data ports must be on different subnets.
Enable the ip routing command to allow external routing on the Layer 3 data-port.

DETAILED STEPS

Step Command Purpose

1. enable Enables privileged EXEC mode.


Example: Enter your password if prompted.

Device>enable

2. configure terminal Enters global configuration mode.


Example:

Device#configure terminal

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


335
IOx Application Hosting
Configuring a VirtualPortGroup to a Layer 3 Data Port

Step Command Purpose

3. ip routing Enables IP routing.


Example: The ip routing command must be
enabled to allow external routing
Device(config)#ip routing on Layer 3 data ports.

4. interface type number Configures an interface and enters


interface configuration mode
Example:

Device(config)#interface
gigabitethernet 0/0/0

5. no switchport Places the interface in Layer 3


mode, and makes it operate more
Example:
like a router interface rather than a
switch port.
Device(config-if)#no
switchport

6. ip address ip-address mask Configures an IP address for the


interface.
Example:

Device(config-if)#ip address
10.1.1.1 255.255.255.0

7. exit Exits interface configuration mode


and returns to global configuration
Example:
mode.
Device(config-if)#exit

8. interface type number Configures an interface and enters


interface configuration mode.
Example:

Device(config)#interface
virtualportgroup 0

9. ip address ip-address mask Configures an IP address for the


interface.
Example:

Device(config-if)#ip address
192.168.0.1 255.255.255.0

10. end Exits interface configuration mode


and returns to privileged EXEC
Example:
mode.
Device(config-if)#end

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


336
IOx Application Hosting
Configuring a VirtualPortGroup to a Layer 3 Data Port

Step Command Purpose

11. configure terminal Enters global configuration mode.


Enter configuration commands, one
per line. End with CNTL/Z.
Example:

Device#configure terminal

12. app-hosting appid app1 Configures the application and


enters the application configuration
Example:
mode.
Device(config)#app-hosting
appid app1

13. app-vnic gateway0 Configures the application interface


virtualportgroup 0 and the gateway of the application.
guest-interface 0
Example:

Device(config-app-hosting)#app-vnic
gateway0 virtualportgroup 0
guest-interface 0

14. guest-ipaddress 192.168.0.2 Configures the application Ethernet


netmask 255.255.255.0 interface ip address.
Example:

Device(config-app-hosting-gateway0)#guest-ipaddress
192.168.0.2 netmask
255.255.255.0

15. app-default-gateway 192.168.0.1 Configures the default gateway for


guest-interface 0 the application.
Example:

Device(config-app-hosting-gateway0)#app-default-gateway
192.168.0.1 guest-interface
0

16. end Exits global configuration mode


and returns to privileged EXEC
Example:
configuration mode.
Device#end

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


337
IOx Application Hosting
Installing and Uninstalling Apps

Installing and Uninstalling Apps


DETAILED STEPS

Step Command Purpose

1. enable Enables privileged EXEC mode.


Example: Enter your password if prompted.

Device>enable

2. app-hosting install appid Installs an app from the specified


application-name package location.
package-path
The app can be installed from any
Example: local storage location such as, flash,
bootflash, and usbflash0.
Device#app-hosting install
appid lxc_app package
flash:my_iox_app.tar

3. app-hosting activate appid Activates the application.


application-name
This command validates all
Example: application resource requests, and
if all resources are available the
Device#app-hosting activate application is activated; if not, the
appid app1 activation fails.

4. app-hosting start appid Starts the application.


application-name
Application start-up scripts are
Example: activated.

Device#app-hosting start appid


app1

5. app-hosting stop appid Stops the application.


application-name
Example:

Device#app-hosting stop appid


app1

6. app-hosting deactivate appid Deactivates all resources allocated


application-name for the application.
Example:

Device#app-hosting deactivate
appid app1

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


338
IOx Application Hosting
Overriding the App Resource Configuration

Step Command Purpose

7. app-hosting uninstall appid Uninstalls the application.


application-name
Uninstalls all packaging and images
Example: stored.
All changes and updates to the
Device#app-hosting uninstall
application are also removed.
appid app1

Overriding the App Resource Configuration


Resource changes will take effect only after the app-hosting activate command is configured.

DETAILED STEPS

Step Command Purpose

1. enable Enables privileged EXEC mode.


Example: Enter your password if prompted.

Device>enable

2. configure terminal Enters global configuration mode.


Example:

Device#configure terminal

3. app-hosting appid name Enables application hosting and


enters application hosting
Example:
configuration mode.
Device(config)#app-hosting
appid app1

4. app-resource profile name Configures the custom application


resource profile, and enters custom
Example:
application resource profile
configuration mode.
Device(config-app-hosting)#app-resource
profile custom Only the custom profile name is
supported.

5. cpu unit Changes the default CPU allocation


for the application.
Example:
Resource values are
Device(config-app-resource-profile-custom)# application-specific, and any
cpu 800 adjustment to these values must
ensure that the application can run
reliably with the changes.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


339
IOx Application Hosting
Verifying the Application Hosting Configuration

Step Command Purpose

6. memory memory Changes the default memory


allocation.
Example:

Device(config-app-resource-profile-custom)#
memory 512

7. vcpu number Changes the virtual CPU (vCPU)


allocation for the application.
Example:

Device(config-app-resource-profile-custom)#
vcpu 2

8. end Exits custom application resource


profile configuration mode and
Example:
returns to privileged EXEC mode.
Device(config-app-resource-profile-custom)#
end

Verifying the Application Hosting Configuration


DETAILED STEPS
1. enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:

Device>enable

2. show iox-service
Displays the status of all IOx services
Example:

Device# show iox-service


IOx Infrastructure Summary:
–––––––––––––––––––––––––––––––––––-
IOx service (CAF) 1.8.0.2 : Running
IOx service (HA) : Not Supported
IOx service (IOxman) : Running
Libvirtd 1.3.4 : Running
Device#

3. show app-hosting detail


Displays detailed information about the application.
Example:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


340
IOx Application Hosting
Configuration Examples for Application Hosting

Device#show app-hosting detail


App id : app1
Owner : iox
State : RUNNING
Application
Type : lxc
Name : nt08-stress
Version : 0.1
Description : Stress Testing Application
Path : usbflash0: my_iox_app.tar
Activated profile name : custom
Resource reservation
Memory : 64 MB
Disk : 2 MB
CPU : 500 units
Attached devices
Type Name Alias
---------------------------------------------
serial/shell iox_console_shell serial0
serial/aux iox_console_aux serial1
serial/syslog iox_syslog serial2
serial/trace iox_trace serial3

Network interfaces
---------------------------------------
eth0:
MAC address : 52:54:dd:fa:25:ee

4. show app-hosting list


Displays the list of applications and their status.
Example:

Device#show app-hosting list


App id State
------------------------------------------------------
app1 RUNNING

Configuration Examples for Application Hosting


See the following examples:

Example: Enabling IOx


Device> enable
Device# configure terminal
Device(config)# iox
Device(config)# ip http server
Device(config)# ip http secure-server
Device(config)# username cisco privilege 15 password 0 cisco
Device(config)# end

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


341
IOx Application Hosting
Example: Configuring a VirtualPortGroup to a Layer 3 Data Port

Example: Configuring a VirtualPortGroup to a Layer 3 Data Port


Device> enable
Device# configure terminal
Device(config)# ip routing
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# no switchport
Device(config-if)# ip address 10.1.1.1 255.255.255.0
Device(config-if)# exit
Device(config)# interface virtualportgroup 0
Device(config-if)# ip address 192.168.0.1 255.255.255.0
Device(config-if)# end

Example: Installing and Uninstalling Apps


Device> enable
Device# app-hosting install appid app1 package flash:my_iox_app.tar
Device# app-hosting activate appid app1
Device# app-hosting start appid app1
Device# app-hosting stop appid app1
Device# app-hosting deactivate appid app1
Device# app-hosting uninstall appid app1

Example: Overriding the App Resource Configuration


Device# configure terminal
Device(config)# app-hosting appid app1
Device(config-app-hosting)# app-resource profile custom
Device(config-app-resource-profile-custom)# cpu 800
Device(config-app-resource-profile-custom)# memory 512
Device(config-app-resource-profile-custom)# vcpu 2
Device(config-app-resource-profile-custom)# end

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


342
CHAPTER 32
Serial Relay Service
This chapter contains the following sections:
• Serial Relay Service, on page 343
• Data Paths, on page 343
• Configuration Commands, on page 345

Serial Relay Service


Serial Relay service on the IR1101 enables IOx apps to communicate with the Async Serial port (/dev/ttyS1
under IOS-XE). The configuration of Serial Relay service is similar to that of the IR800.

Data Paths
On the IR1101, IOS-XE has complete control over the data path and control path of the Async Serial port.
This aspect is essential to other encapsulations supported on the Aysnc port such as PPP, raw-socket, SCADA,
etc. The IOx app is never allowed to exercise full control over the device. All data and configurations are
passed through IOS-XE before going to the device. Instead of exposing the actual Serial port to IOx apps, the
Serial relay service creates a software emulated serial tty device enumerated as /dev/ttyTun0 (shown below).
The pair of devices /dev/ttyTun0 and /dev/ttyTun1 represent a data tunnel whose primary function is to act
as a pass-through gateway during any data transfer. /dev/ttyTun1 is open by IOS-XE and all the ingress/egress
data from IOS to the app uses this device during data transfer. Line 0/0/0 is used to communicated with
/dev/ttyTun1. Serial relay service should be configured beforehand to allow the connection between two lines.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


343
Serial Relay Service
Data Paths

Figure 106: Data Paths

Data Path:
1. When the IOx app sends a character to /dev/ttyTun0, the tunnel driver automatically pushes the data to
/dev/ttyTun1.
2. IOS reads the data which it then passes to the Serial relay service.
3. The Serial relay service retrieves information about the other end of the relay service (Line 0/2/0 in this
case) and forwards the data to the Line's buffer.
4. The line driver actively pushes the data into the actual serial device (/dev/ttyS1) based on buffer availability.
5. The reverse path functions the same with the roles of /dev/ttyS1 and /dev/tun0 reversed.

Control Path:
1. When the IOx app performs TCGETS ioctl call on /dev/ttyTun0, the tunnel driver uses /dev/cttyTun to
send request to the CTTY handler service running in IOS.
2. CTTY handler service and the kernel driver use a client-server architecture to communicate configuration
objects.
3. Upon receiving the request about TCGETS from /dev/cttyTun, the CTTY handler examines the request
and requests Line driver to populate the required data into control data structures.
4. Upon receiving the control data structures, CTTY handler sends out a response to /dev/cttyTun which
eventually goes back to /dev/ttyTun0.
5. /dev/ttyTun0 passes the control data to IOx app as requested.
6. Similar path can be extrapolated for TCSETS where the CTTY handler requests the Line driver to update
the settings of the underneath /dev/ttyS1 driver.
7. Line driver of Line 0/2/0 and driver config on /dev/ttyTun0 are always in sync with each other. Any
configuration changes such as baud rate modification is transparently propagated to the Line driver without
any additional configuration overhead. This emulates the propagation feature of Serial relay on the IR800
series where the virtual serial port can configure the parameters of the real serial port.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


344
Serial Relay Service
Configuration Commands

Configuration Commands
IR1101#configure terminal
IR1101(config)#interface async 0/2/0
IR1101(config-if)#encapsulation relay-line
IR1101(config-if)#exit
IR1101(config)#relay line 0/2/0 0/0/0
IR1101(config)#exit
IR1101#

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


345
Serial Relay Service
Configuration Commands

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


346
CHAPTER 33
Cisco SD-WAN Support
This chapter contains the following sections:
• Cisco SD-WAN Overview, on page 347
• Related Documentation, on page 348

Cisco SD-WAN Overview


Cisco SD-WAN is a cloud-first architecture that separates data and control planes, managed through the Cisco
vManage console. You can quickly establish an SD-WAN overlay fabric to connect data centers, branches,
campuses, and co-location facilities to improve network speed, security, and efficiency.
Cisco SDWAN adopts a cloud based solution, it consists of vOrchestrator, vManage, vSmart and vEdge.
• vOrchestrator is responsible for launching all controllers VMs in the cloud.
• vManage is the management plane for the overall SDWAN solution. It uses netconf/YANG to talk to
vEdge devices.
• vSmart is the control plane for the overall SDWAN solution. It talks to the vEdge device, acts as the
route reflector, key reflector, and policy engine.
• vEdge is the data plane of the overall SDWAN solution. The IR1101 platform talks to vSmart, vManage,
as part of the SDWAN network.

The follow diagram shows the high level architecture of SDWAN:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


347
Cisco SD-WAN Support
Related Documentation

While Cisco SD-WAN is a cloud-first architecture, some of the components can be deployed on-premisis.
Refer to the Cisco SD-WAN landing page for further information on the capabilities of SD-WAN.
Starting with IOS XE release 17.3.2, the IOS XE image can be configured as controller mode to run SD-WAN.
A single universalk9 image is used to deploy Cisco IOS XE SD-WAN and Cisco IOS XE functionality. This
universalk9 image supports two modes - Autonomous mode (for Cisco IOS XE features) and Controller mode
(for Cisco SD-WAN features).
Access the Cisco IOS XE and Cisco IOS XE SD-WAN functionality through Autonomous and Controller
execution modes, respectively. The Autonomous mode is the default mode for the router and includes the
Cisco IOS XE functionality. To access Cisco IOS XE SD-WAN functionality, switch to the Controller mode.
You can use the existing Plug and Play Workflow to determine the mode of the device.

Note The PnP process works on either Gi0/0/0 or Cellular.

See the Cisco SD-WAN Getting Started Guide for further information.

Related Documentation
Cisco SDWAN documentation is available from the following sources:
https://www.cisco.com/c/en/us/support/routers/sd-wan/tsd-products-support-series-home.html
https://sdwan-docs.cisco.com/Product_Documentation/Software_Features
All of the technical documentation for Cisco SD-WAN can be found here:
https://www.cisco.com/c/en/us/support/routers/sd-wan/tsd-products-support-series-home.html

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


348
CHAPTER 34
ROM Monitor Overview
This chapter contains the following sections:
• ROM Monitor Overview, on page 349
• Access ROM Monitor Mode, on page 350
• Displaying the Configuration Register Setting, on page 352
• Environment Variable Settings, on page 353
• Exiting ROM Monitor Mode, on page 354

ROM Monitor Overview


The ROM Monitor is a bootstrap program that initializes the hardware and boots the Cisco IOS XE software
when you power on or reload a router. When you connect a terminal to the router that is in ROM Monitor
mode, the ROM Monitor (rommon 1>) prompt is displayed.
During normal operation, users do not use ROM Monitor mode. ROM Monitor mode is used only in special
circumstances, such as reinstalling the entire software set, resetting the router password, or specifying a
configuration file to use at startup.
The ROM Monitor software is known by many names. It is sometimes called ROMMON because of the CLI
prompt in ROM Monitor mode. The ROM Monitor software is also called the boot software , boot image ,
or boot helper . Although it is distributed with routers that use the Cisco IOS XE software, ROM Monitor is
a separate program from the Cisco IOS XE software. During normal startup, the ROM Monitor initializes the
router, and then control passes to the Cisco IOS XE software. After the Cisco IOS XE software takes over,
the ROM Monitor is no longer in use.

Environmental Variables and the Configuration Register


Two primary connections exist between ROM Monitor and the Cisco IOS XE software: the ROM Monitor
environment variables and the configuration register.
The ROM Monitor environment variables define the location of the Cisco IOS XE software and describe how
to load it. After the ROM Monitor has initialized the router, it uses the environment variables to locate and
load the Cisco IOS XE software.
The configuration register is a software setting that controls how a router starts up. One of the primary uses
of the configuration register is to control whether the router starts in ROM Monitor mode or Administration
EXEC mode. The configuration register is set in either ROM Monitor mode or Administration EXEC mode
as needed. Typically, you set the configuration register using the Cisco IOS XE software prompt when you

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


349
ROM Monitor Overview
Access ROM Monitor Mode

need to use ROM Monitor mode. When the maintenance in ROM Monitor mode is complete, you change the
configuration register so the router reboots with the Cisco IOS XE software.

Accessing ROM Monitor Mode with a Terminal Connection


When the router is in ROM Monitor mode, you can access the ROM Monitor software only from a terminal
connected directly to the console port of the card. Because the Cisco IOS XE software (EXEC mode) is not
operating, nonmanagement interfaces are not accessible. Basically, all Cisco IOS XE software resources are
unavailable. The hardware is available, but no configuration exists to make use of the hardware.

Network Management Access and ROM Monitor Mode


It is important to remember that ROM Monitor mode is a router mode, not a mode within the Cisco IOS XE
software. It is best to remember that ROM Monitor software and the Cisco IOS XE software are two separate
programs that run on the same router. At any given time, the router runs only one of these programs, .
One area that can be confusing when using ROM Monitor and the Cisco IOS XE software is the area that
defines the IP configuration for the Management Ethernet interface. Most users are comfortable with configuring
the Management Ethernet interface in the Cisco IOS XE software. When the router is in ROM Monitor mode,
however, the router does not run the Cisco IOS XE software, so that Management Ethernet interface
configuration is not available.
When you want to access other devices, such as a TFTP server, while in ROM Monitor mode on the router,
you must configure the ROM Monitor variables with IP access information.

Note TFTP access variables are currently not supported on the IR1101 platform.

Access ROM Monitor Mode


The following sections describe how to enter the ROMMON mode, and contains the following sections:

Checking the Current ROMMON Version


To display the version of ROMmon running on a router, use the show rom-monitor command . To show all
variables that are set in ROMmon, use show romvar.

Router#show rom-monitor r0
System Bootstrap, Version 1.2, RELEASE SOFTWARE
Copyright (c) 1994-2018 by cisco Systems, Inc.

Router# show romvar


ROMMON variables:
PS1 = rommon ! >
MCP_STARTUP_TRACEFLAGS = 00000000:00000000
LICENSE_SUITE =
RET_2_RTS =
Diagnostic = 1
THRPUT =
USER_BOOT_PARAM = DEBUG_CONF=/bootflash/debug.conf
EULA_ACCEPTED = TRUE
BOOT_WDOG = DISABLE

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


350
ROM Monitor Overview
Commonly Used ROM Monitor Commands

LICENSE_BOOT_LEVEL =
BOOT = bootflash:ir1101_crashkernel.bin,1;
CRASHINFO = bootflash:crashinfo_RP_00_00_20180619-204307-UTC
RET_2_RCALTS =
BSI = 0
RANDOM_NUM = 1662155698

Router# reload

If your configuration register was set to hex value 0x0 or 0x1820, reload operation will bring you to the
ROMmon mode command prompt (rommon 1>). Invoking the set command at the prompt (rommon 1> set)
will display the same information as "show romvar" above in IOS/XE exec mode.

rommon 1 > set


PS1=rommon ! >
MCP_STARTUP_TRACEFLAGS = 00000000:00000000
LICENSE_SUITE =
RET_2_RTS =
Diagnostic = 1
THRPUT =
USER_BOOT_PARAM = DEBUG_CONF=/bootflash/debug.conf
EULA_ACCEPTED = TRUE
BOOT_WDOG = DISABLE
LICENSE_BOOT_LEVEL =
BOOT = bootflash:ir1101_crashkernel.bin,1;
CRASHINFO = bootflash:crashinfo_RP_00_00_20180619-204307-UTC
RET_2_RCALTS =
BSI = 0
RANDOM_NUM = 1662155698

Commonly Used ROM Monitor Commands


The following table summarizes the commands commonly used in ROM Monitor. For specific instructions
on using these commands, refer to the relevant procedure in this document.

Table 20: Commonly Used ROM Monitor Commands

ROMMON Command Description

boot image Manually boots a Cisco IOS XE software image.

boot image –o config-file-path Manually boots the Cisco IOS XE software with a temporary alternative
administration configuration file.

confreg Changes the config-register setting.

dev Displays the available local storage devices.

dir Displays the files on a storage device.

reset Resets the node.

set Displays the currently set ROM Monitor environmental settings.

sync Saves the new ROM Monitor environmental settings.

unset Removes an environmental variable setting.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


351
ROM Monitor Overview
Examples

Examples
The following example shows what appears when you enter the ? command on a router:

rommon 1 > ?
alias set and display aliases command
boot boot up an external process
confreg configuration register utility
dev list the device table
dir list files in file system
help monitor builtin command help
history monitor command history
meminfo main memory information
repeat repeat a monitor command
reset system reset
set display the monitor variables
showmon display currently selected ROM monitor
sync write monitor environment to NVRAM
token display board's unique token identifier
unalias unset an alias
unset unset a monitor variable

Changing the ROM Monitor Prompt


You can change the prompt in ROM Monitor mode by using the PS1= command as shown in the following
example:

rommon 8 > PS1="IR1101 rommon ! > "


IR1101 rommon 9 >

Changing the prompt is useful if you are working with multiple routers in ROM Monitor at the same time.
This example specifies that the prompt should be “IR1101 rommon ”, followed by the line number, and then
followed by “ > “ by the line number.

Displaying the Configuration Register Setting


To display the current configuration register setting, enter the confreg command without parameters as follows:

rommon > confreg


Configuration Summary
(Virtual Configuration Register: )
enabled are:
[ 0 ] break/abort has effect
[ 1 ] console baud: 9600
boot:...... the ROM Monitor
do you wish to change the configuration? y/n [n]:

The configuration register setting is labeled Virtual Configuration Register . Enter the no command to avoid
changing the configuration register setting.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


352
ROM Monitor Overview
Environment Variable Settings

Environment Variable Settings


The ROM Monitor environment variables define the attributes of the ROM Monitor. Environmental variables
are entered like commands and are always followed by the equal sign (=). Environment variable settings are
entered in capital letters, followed by a definition. For example:

IP_ADDRESS=10.0.0.2

Under normal operating conditions, you do not need to modify these variables. They are cleared or set only
when you need to make changes to the way ROM Monitor operates.
This section includes the following topics:

Frequently Used Environmental Variables


The following table shows the main ROM Monitor environmental variables. For instructions on how to use
these variables, see the relevant instructions in this document. The IR1101 boot loader does not support
netboot, so any setting like environment variables IP_ADDRESS, IP_SUBNET_MASK,
DEFAULT_GATEWAY, TFTP_SERVER, TFTP_FILE are not used.

Table 21: Frequently Used ROM Monitor Environmental Variables

Environmental variable Description

BOOT=path/file Identifies the boot software for a node. This variable is usually set automatically
when the router boots.

Displaying Environment Variable Settings


To display the current environment variable settings, enter the set command :

rommon 1 > showmon


System Bootstrap, Version 1.3(REL), RELEASE SOFTWARE
Copyright (c) 1994-2018 by cisco Systems, Inc.

IR1101-K9 platform with 4188160 Kbytes of main memory

MCU Version - Bootloader: 4, App: 4


MCU is in application mode.

Entering Environment Variable Settings


Environment variable settings are entered in capital letters, followed by a definition. The following example
shows the environmental variables that can be configured in ROMmon mode.:

rommon 1 > confreg 0x0


rommon 1> BOOT_WDOG = DISABLE
rommon 1> BOOT = IR1101-K9_image_name

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


353
ROM Monitor Overview
Saving Environment Variable Settings

Saving Environment Variable Settings


To save the current environment variable settings, enter the sync command:

rommon > sync

Note Environmental values that are not saved with the sync command are discarded whenever the system is
reset or booted.

Exiting ROM Monitor Mode


To exit ROM Monitor mode, you must change the configuration register and reset the router.

Procedure

Command or Action Purpose


Step 1 confreg Initiates the configuration register configuration prompts.
Example:

rommon 1> confreg

Step 2 Respond to each prompt as instructed. See the example that follows this procedure for more
information.

Step 3 reset Resets and initializes the router.


Example:

rommon 2> reset

Configuration Example
rommon 3 > confreg
Configuration Summary
(Virtual Configuration Register: 0x0)
enabled are:
[ 0 ] break/abort has effect
[ 1 ] console baud: 9600
boot: ...... the ROM Monitor
do you wish to change the configuration? y/n [n]: y
enable "diagnostic mode"? y/n [n]:
enable "use net in IP bcast address"? y/n [n]:
enable "load rom after netboot fails"? y/n [n]:
enable "use all zero broadcast"? y/n [n]:
disable "break/abort has effect"? y/n [n]:
enable "ignore system config info"? y/n [n]:
change console baud rate? y/n [n]:
change the boot characteristics? y/n [n]:
Configuration Summary

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


354
ROM Monitor Overview
Upgrading the ROMmon for a Router

(Virtual Configuration Register: 0x0)


enabled are:
[ 0 ] break/abort has effect
[ 1 ] console baud: 9600
boot: ...... the ROM Monitor
do you wish to change the configuration? y/n [n]:

Upgrading the ROMmon for a Router


ROMmon upgrade on the IR1101-K9 router is automatically done when the image is booted. The latest version
of the ROMmon is bundled with the IOSXE image. An algorithm detects if the current running version is
older than the bundled version, if so, it is automatically upgraded. If the current running version is equal to
the bundled version no upgrade is executed. For every successful upgrade, the router is automatically rebooted
in order for the new version to get loaded and executed.:

Procedure

Command or Action Purpose


Step 1 (Optional) Run the show rom-monitor slot command on
the router to see the current release numbers of ROMmon
on the hardware. See the Checking the Current ROMMON
Version, on page 350 for information about interpreting the
output of the command that you run.
Step 2 If autoboot has not been enabled by using the
config-register 0x2102 command, run the boot
filesystem:/file-location command at the ROMmon prompt
to boot the Cisco IOS XE image, where
filesystem:/file-location is the path to the consolidated
package file. The ROMmon upgrade is not permanent for
any piece of hardware until the Cisco IOS XE image is
booted.
Step 3 Run the enable command at the user prompt to enter the
privileged EXEC mode after the boot is complete.
Step 4 Run the show rom-monitor slot command to verify whether
the ROMmon has been upgraded.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


355
ROM Monitor Overview
Upgrading the ROMmon for a Router

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


356
CHAPTER 35
WAN Monitoring
This chapter contains the following sections:
• Information About WANMon, on page 357
• Prerequisites , on page 358
• Guidelines and Limitations, on page 358
• Configuring WANMon, on page 358
• Verifying WANMon Configuration, on page 360
• Configuration Examples, on page 361

Information About WANMon


WANMon is a flexible solution to address the WAN link recovery requirements for the following products
and interfaces:
• Physical networks: 4G LTE and Ethernet (WAN port)
• Virtual links: Non-crypto map based IPSec tunnels (either legacy or FlexVPN); that is, any IPSec tunnel
you configure as an interface.

You enable WANMon to monitor your WAN links and initiate link recovery actions on receipt of link failure
triggers.

Built-in Recovery Actions


The following are the three levels of built-in recovery processes specific to the link type:

Link Recovery Actions


Type
Level 0 (Immediate) Level 1 (Active) Level 2
(Last-Resort)
4G LTE Clear interface, and then shut/no-shut Module reload System reload

Ethernet Clear interface, and then shut/no-shut No action System reload


taken

Tunnel Shut/no-shut No action System reload


taken

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


357
WAN Monitoring
Prerequisites

Each level has two time-based thresholds based on which built-in recovery actions are taken. The following
are the default settings for each level:
• threshold is the wait time in minutes after receipt of a link failure trigger to initiate the recovery action
as set in the specified level.
• mintime is the frequency to perform the recovery action if the link remains down.

The built-in values are:

Level threshold mintime Description

Level 10 min 10 min Triggers Level 0 actions 10 minutes after the link went down. Repeat no more
0 than every 10 minutes.

Level 60 min 60 min Triggers Level 1 actions 10 minutes after the link went down. Repeat no more
1 than every 60 minutes.

Level 480 min 60 min Triggers Level 2 actions 480 minutes after the link went down. Repeat no more
2 than every 60 minutes.

Note If threshold values are specified as 0, no recovery actions are taken for that level. You can use this to
avoid system reload (the built-in Level 2 recovery action) on receipt of a link failure trigger where other
WAN links may be operational.

Prerequisites
Ensure that the WANMon module is available. The WANMon module is included in the IOS-XE image as
the tm_wanmon.tcl policy file.

Guidelines and Limitations


• WANMon automatically performs IP address checking (no user configuration) as required for cellular
interfaces.
• For all other interfaces, WANMon never performs IP address checking.
• WANMon indirectly triggers user-specified actions by generating an application event that link resetter
applets monitor.
• If your network is live, ensure that you understand the potential impact of any command.

Configuring WANMon
You can enable WANMon on the router and assign WAMMon support to specific interfaces. Optionally, you
can override the built-in recovery actions, define custom recovery links, and define an event manager

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


358
WAN Monitoring
Configuring WANMon

environment policy to set the track object value and disable IP address checking. WANMon is disabled by
default.

Procedure

Command or Action Purpose


Step 1 event manager policy tm_wanmon.tcl authorization Enables the WANMon link recovery module.
bypass
Use authorization bypass to avoid authorization for CLIs
invoked by this policy.

Step 2 event manager environment wanmon_if_list <instance> Configures WANMon for the interfaces in your WAN, and
{interface name {ipsla <instance>}} indicates that this is an interface configuration command.
Note Any environment variable with the prefix
wanmon_if_list constitutes an interface
configuration.
Multiple interfaces are allowed by specifying an instance.
Be sure to specify the full interface name (for example,
cellular0/1/0 or cellular0/3/0).
You can set the IP SLA icmp-echo trigger, if desired.
Multiple IP SLA triggers are allowed by specifing an
instance.
Note WANMon only looks at the status of the SLA
ID. Even though icmp-echo is most common, if
needed any other type of SLA probe (for
example, udp-echo) can be used instead.

Step 3 event manager environment wanmon_if_listx {interface (Optional) Overrides the built-in thresholds.
name {recovery Level0 {Level1 } Level2}}
Step 4 publish-event sub-system 798 type 2000 arg1 <interface (Optional) Configures custom recovery actions using link
name> arg2 <level > resetter applets.
<interface > is the full interface name (for example,
cellular0/1/0 or cellular0/3/0).
<level > is 0, 1, or 2 to match the desired link recovery
action.

Step 5 {stub <track-stub-id > } (Optional) Allows an event manager environment policy
to set the track object value. WANMon can set a
track-stub-object value to reflect the link state so that an
external applet can track the stub object.

Step 6 event manager environment wanmon_if_listx {<interface (Optional) Disables IP address checking.
name > {checkip <instance >}}

What to do next
EXAMPLES

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


359
WAN Monitoring
Verifying WANMon Configuration

event manager policy tm_wanmon.tcl authorization bypass

The following examples are Event Manager commands to configure cellular and Ethernet interfaces:

event manager environment wanmon_if_list1 {cellular0/1/0 {ipsla 1}}


event manager environment wanmon_if_list2 {GigabitEthernet0/0/0 {ipsla 2}}

This example sets custom recovery thresholds:

event manager environment wanmon_if_list {cellular0/1/0 {recovery 20 {90 75} 600}

where:
• The Level 0 threshold is set to 20 minutes after the link failure trigger. Level 0 recovery actions are
performed for the cellular interface. Repeats indefinitely, no more than every 10 minutes (default).
• Level 1 threshold is set to 90 minutes. Level 1 recovery actions are performed for the cellular interface.
Repeats no more frequently than every 75 minutes.
• The Level 2 threshold is set to 600 minutes (10 hours).

The following sets the track-stub-object value to 21:

conf t
track 21 stub-object
event manager environment wanmon_if_list {cellular0/1/0 {ipsla 1} {stub 21}

Verifying WANMon Configuration


Use the following steps to verify your WANMon configuraion.

Procedure

Command or Action Purpose


Step 1 show event manager policy registered Displays the WAN monitoring policy.

Step 2 show event manager environment Displays the interface environment variables set during
interface configuration.

What to do next
EXAMPLE

show event manager policy registered


1 script system multiple Off Thu Jan 16 18:44:29 2014 tm_wanmon.tcl
show event manager environment
1 wanmon_if_list {cell0/1/0 {ipsla 1}}

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


360
WAN Monitoring
Configuration Examples

Configuration Examples
The following examples are provided:

WANMon Cellular Interface Configuration Example


track 1 ip sla 1
ip sla 1
icmp-echo 172.27.166.250
timeout 6000
frequency 300
ip sla schedule 1 life forever start-time now
event manager environment wanmon_if_list {cellular0/1/0 {ipsla 1}}
event manager policy tm_wanmon.tcl authorization bypass

Multiple WAN Link Monitoring Example


track 1 ip sla 1
track 21 stub-object
ip sla 1
icmp-echo 172.27.166.250
timeout 6000
frequency 300
ip sla schedule 1 life forever start-time now
track 2 ip sla 2
track 22 stub-object
ip sla 2
icmp-echo 10.27.16.25
timeout 6000
frequency 300
ip sla schedule 2 life forever start-time now
event manager environment wanmon_if_list1 {cellular0/1/0 {ipsla 1} {stub 21}}
event manager policy tm_wanmon.tcl authorization bypass

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


361
WAN Monitoring
Multiple WAN Link Monitoring Example

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


362
CHAPTER 36
Configuring Digital Subscriber Line (DSL)
This chapter contains the following sections:
• Overview, on page 363
• DSL Feature Specifications, on page 365
• Installing the DSL SFP, on page 366
• LED Indications on the SFP, on page 369
• DSL SFP Firmware Upgrade, on page 370
• ADSL2/2+, on page 371
• ADSL2/2+ Overview, on page 371
• Configuring ADSL2/2+, on page 372
• VDSL2, on page 381
• VDSL2 Overview, on page 381
• Configuring VDSL2, on page 382
• Troubleshooting and L1 Training Logs, on page 384
• Troubleshooting, on page 384
• L1 Training Logs, on page 394

Overview
The router adds DSL capability by using a Small Form-factor Pluggable (SFP) network interface module.
The DSL solution supports the following Annex:
ADSL2 (A), ADSL2+(A,J, where J only supported by the 17.5.1 release). VDSL2 supports Annex A,B. All
in compliance with TR100, TR105, TR114, TR115.
IOS-XE release 17.5.1 adds in support for Annex-J configuration in the controller interface.

Note ADSL2+ J is supported, ADSL2 J is not yet supported in 17.5.1.

To enable Annex-J, perform the following:


router#config term
router(conf)#controller vdsl 0/0/0
router(conf-if)#capability annex-j
router#(conf-if)#exit
router#

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


363
Configuring Digital Subscriber Line (DSL)
Overview

To remove Annex-J, perform the following:


router#config term
router(conf)#controller vdsl 0/0/0
router(conf-if)#no capability annex-j
router#(conf-if)#exit
router#

17.5.1 adds in a new command rx-padding. This command is used for packets with an MTU less than 64
bytes.

Note If frames less than 64mtu are expected downstream from the service provider, the Vlan configuration
must be vlan 96. If frames less than 64mtu are expected downstream from the service provider, only a
Single VLAN is supported in a single-PVC, i.e.Vlan96. In future releases, there is plan to extend the
range of vlan support to range from Vlan44 to 1024, single-vlan in single-pvc option.

The command example is as follows:


router#config term
router#controller vdsl 0/0/0
router(conf-if)#rx-padding
router(conf-if)#end
router#write mem

Feature Caveats
This section provides a list of what features are supported and unsupported.
• The DSL SFP operates only when inserted in the IR1101 base unit. It is NOT supported in the IRM-1100
expansion unit. The IR1101 can support only a single DSL SFP on GI0/0/0
• VDSL2 only supports profiles 8a through 17a, 30a is not supported.
• The SFP currently does not have Yang support. This will be provided in a future release.
• Supports Radius and AAA when authenticating and configuring DSL users.
• The DSL interface requires a minimum configuration dependent of the DSL services, therefore Plug and
Play (PnP) features are not available on the DSL interface.
• Zero-Touch-Deployment (ZTD) is only supported through IIoT Field Network Director. From FND, use
cgna wsma based ZTD only, PnP based ZTD is not supported over the DSL interface. For ZTD, stage
with basic minimum configuration and parameters depending on the service provider requirements.
The IR1101 must be on IOS-XE 17.4.1 or above for DSL support.
• The show controller vdsl 0/0/0 command is used to display all DSL [VDSL2/ADSL2/ADSL2+] controller
information, similar to the c111x platforms. Although the controller command is vdsl, is actually means
dsl and is used for adsl and vdsl alike.
• For ADSL2/2+ configurations, there is no ATM interface as with c111x platforms. All configurations
are on the DSL SFP WAN g0/0/0 interface, its sub-interface options, and controller vdsl0/0/0 itself. ATM
packets are handled by the DSL SFP and re-assembled as Ethernet packets. Annex A, L is supported.
• Using the WebUI, interface g0/0/0 can be configured/monitored as normal. No specific options to
monitor/configuration option for Controller vdsl 0/0/0 on release 17.4.1.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


364
Configuring Digital Subscriber Line (DSL)
DSL Feature Specifications

• VDSL2 and ADSL2+ various MIBS support only trickle in 17.5.1 and beyond releases. MIB information
is available later in this section.
• For ADSL2/2+ ATM configuration, if your scenario expects frames <64 byte MTU downstream from
Service Provider, please ensure following steps:
1. rx-padding cli is enabled
2. Vlan96 value is used in interface configuration
3. There is no multi-VLAN support in single-PVC in this specific scenario

DSL Feature Specifications


Table 22: DSL Feature Specifications

Multimode DSL (VDSL2 and • Provided through a DSL SFP


ADSL2/2+)
• SFP has a single RJ-45 interface
• Support for double-ended line testing (DELT) diagnostics mode
(VDSL2 Only)

Table 23: VDSL2 Feature Specifications

VDSL2 • VDSL2 993.2 Annex A and Annex B


• 997 and 998 band plans
• G.994.1 ITU G.hs
• VDSL2 profiles: 8a, 8b, 8c, 8d, 12a, 12b, and 17a
• Vectoring
• U0 band support (25 to 276 kHz)
• Ethernet packet transfer mode (PTM) based only on IEEE 802.3ah 64/65 octet
encapsulation
• Dying gasp

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


365
Configuring Digital Subscriber Line (DSL)
Installing the DSL SFP

Table 24: ADSL2/2+ Feature Specifications

ADSL2/2+ • Annex A and L for ADSL2


• Annex A for ADSL2+
• Annex J for ADSL2+ (available in 17.5.1)
• G.994.1 ITU G.hs
• Reach-extended ADSL2 (G.922.3) Annex L for increased performance on loop lengths
greater than 16,000 feet from central office
• T1.413 ANSI ADSL2/2+ DMT issue 2 compliance
• DSL Forum TR-067, and TR-100 conformity
• Impulse noise protection (INP) and extended INP
• Downstream power backoff (DPBO)
• Dying gasp

Dying gasp is when the the router is using some residual power on capacity to send outage messages to the
DSLAM. You can verify your router is ready to send out dying gasp messages by using the show controller
vdsl 0/0/0 local command:
Router#show controllers vdsl 0/0/0 local
SFP Vendor PID: SFPV5311TR
SFP Vendor SN: V021932028C
Firmware embedded in IOS-XE: 1_62_8463
Running Firmware Version: 1_62_8455
Management Link: up
DSL Status: showtime
Dumping internal info: idle
Dying Gasp: armed
Dumping DELT info: idle

Note If Dying Gasp is disabled, the output will show Dying gasp: disarmed.

There is no configuration for Dying Gasp. The Software takes care internally for the implementation. Once
an SFP shut/no shut has been triggered, 1-2 notifications are sent within 50ns.

Installing the DSL SFP


Instructions for inserting the DSL SFP are found in your products Hardware Installation Guide.

Warning It is critical that the installer read these instructions and be familiar with the correct method of inserting
and removing the SFP. Failure to do so may result in damage to the SFP.

The minimum IOS-XE release for DSL SFP support is 17.4.1 on the IR1101.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


366
Configuring Digital Subscriber Line (DSL)
Installing the DSL SFP

Basic Configuration
Once the SFP is installed, it requires a basic configuration to bring it up. Follow these steps:
configure t
Router(conf)#interface g0/0/0
Router(conf-if)#media-type sfp
Router(conf-if)#no shut
Router(conf-if)#exit

At this point, SFP insertion SYSLOG messages will appear.

SFP Verification
After safely installing the SFP, you can check its status with the show inventory command:
Router#show inventory

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
INFO: Please use "show license UDI" to get serial number for licensing.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

NAME: "Chassis", DESCR: "IR1101 Base Chassis"


PID: IR1101-K9 , VID: V03 , SN: FCW23500H5X

NAME: "Module 0 - Mother Board", DESCR: "Cisco IR1101 motherboard"


PID: IR1101-K9 , VID: V03 , SN: FOC23473SRK

NAME: "module subslot 0/0", DESCR: "IR1101-ES-5"


PID: IR1101-ES-5 , VID: V01 , SN:

NAME: "subslot 0/0 transceiver 0", DESCR: "GE T"


PID: SFP-VADSL2+-I , VID: V01 , SN: MET2023000A
Ignore the description, it will always reflect GE T for all IR1101 SFPs
PID and S/N are what matter

In the below output, ignore the Description and bitrate. The PID/Serial number information are true to the
SFP.
Router#show interfaces transceiver detail
IDPROM for transceiver Gigabitethernet0/0/0:
Description = SFP or SFP+ optics (type 3)
Transceiver Type: = GE T (26)
Product Identifier (PID) = SFP-VADSL2+-I
Vendor Revision = V5.1
Serial Number (SN) = MET2023000A
Vendor Name = CISCO-METANOIA
Vendor OUI (IEEE company ID) = 00.00.00 (0)
CLEI code =
Cisco part number = 74-124941
Device State = Enabled.
Date code (yy/mm/dd) = 20/23/
Connector type = .
Encoding = 8B10B (1)
Nominal bitrate = GE (1300 Mbits/s)
Minimum bit rate as % of nominal bit rate = not specified
Maximum bit rate as % of nominal bit rate = not specified

Socket Verification

SFP IDPROM Page 0xA0:


000: 03 04 22 08 00 00 00 00 00 00
010: 00 01 0D 00 00 00 00 00 FF 00

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


367
Configuring Digital Subscriber Line (DSL)
Installing the DSL SFP

020: 43 49 53 43 4F 2D 4D 45 54 41
030: 4E 4F 49 41 20 20 00 00 00 00
040: 53 46 50 56 35 33 31 31 54 52
050: 35 31 43 53 20 20 56 35 2E 31
060: 00 00 00 3F 08 00 00 00 4D 45
070: 54 32 30 32 33 30 30 30 41 20
080: 20 20 20 20 32 30 32 33 20 20
090: 20 20 00 00 00 6D 63 00 30 60
100: FE 53 E4 C1 54 F1 F1 C1 FA 1A
110: 98 EC 6B E0 7F 00 00 00 00 00
120: 00 00 00 00 8C D0 5C F7 00 00
130: 00 00 00 00 00 00 00 00 37 34
140: 2D 31 32 34 39 34 31 20 56 30
150: 31 20 CF EC 55 00 00 00 00 D4
160: 00 00 00 00 00 00 00 00 00 00
170: 00 00 00 00 00 00 00 00 00 00
180: 00 00 00 00 00 00 00 00 00 00
190: 00 00 53 46 50 2D 56 41 44 53
200: 4C 32 2B 2D 49 20 20 20 20 20
210: 20 20 00 00 17 00 00 00 00 00
220: 00 00 00 5A

SFP IDPROM Page 0xA2:


000: 00 00 00 00 00 00 00 00 00 00
010: 00 00 00 00 00 00 00 00 00 00
020: 00 00 00 00 00 00 00 00 00 00
030: 00 00 00 00 00 00 00 00 00 00
040: 00 00 00 00 00 00 00 00 00 00
050: 00 00 00 00 00 00 00 00 00 00
060: 00 00 00 00 00 00 00 00 00 00
070: 00 00 00 00 00 00 00 00 00 00
080: 00 00 00 00 00 00 00 00 00 00
090: 00 00 00 00 00 00 00 00 00 00
100: 00 00 00 00 00 00 00 00 00 00
110: 00 00 00 00 00 00 00 00 00 00
120: 00 00 00 00 00 00 00 00 00 00
130: 00 00 00 00 00 00 00 00 00 00
140: 00 00 00 00 00 00 00 00 00 00
150: 00 00 00 00 00 00 00 00 00 00
160: 00 00 00 00 00 00 00 00 00 00
170: 00 00 00 00 00 00 00 00 00 00
180: 00 00 00 00 00 00 00 00 00 00
190: 00 00 00 00 00 00 00 00 00 00
200: 00 00 00 00 00 00 00 00 00 00
210: 00 00 00 00 00 00 00 00 00 00
220: 00 00 00 00 00 00 00 00 00 00
230: 00 00 00 00 00 00 00 00 00 00
240: 00 00 00 00 00 00 00 00 00 00
250: 00 00 00 00 00 00
Link reach for 9u fiber (km) = SX(550/270m) (0)
1xFC-MM(500/300m) (0)
2xFC-MM(300/150m) (0)
ESCON-MM(2km) (0)
Link reach for 9u fiber (m) = SX(550/270m) (0)
1xFC-MM(500/300m) (0)
2xFC-MM(300/150m) (0)
ESCON-MM(2km) (0)
Link reach for 50u fiber (m) = SR(2km) (0)
IR-1(15km) (0)
IR-2(40km) (0)
LR-1(40km) (0)
LR-2(80km) (0)
LR-3(80km) (0)
DX(40KM) (0)

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


368
Configuring Digital Subscriber Line (DSL)
LED Indications on the SFP

HX(40km) (0)
ZX(80km) (0)
VX(100km) (0)
1xFC, 2xFC-SM(10km) (0)
ESCON-SM(20km) (0)
Link reach for 62.5u fiber (m) = SR(2km) (0)
IR-1(15km) (0)
IR-2(40km) (0)
LR-1(40km) (0)
LR-2(80km) (0)
LR-3(80km) (0)
DX(40KM) (0)
HX(40km) (0)
ZX(80km) (0)
VX(100km) (0)
1xFC, 2xFC-SM(10km) (0)
ESCON-SM(20km) (0)
Nominal laser wavelength = 0 nm.
DWDM wavelength fraction = 0.0 nm.

No transceiver present

LED Indications on the SFP


The DSL SFP has two LED indictors built into it. This LED operates independent of any LED that is on the
panel of the Router.

Note There is no show platform led support for the SFP LED. Use the show controller vdsl 0/0/0 local
command for DSL link status.

LED Indications
The following table describes the SFP LED indications:

Indicator LED LED Color State Description

LED 1 Orange On CPE side (expected to be


ON when used on an IR
router)

LED 1 Orange Off Central office side (not


supported

xDSL Status LED Green Slow Flash Idle

xDSL Status LED Green Fast Flash Training

xDSL Status LED Green Steady Showtime

xDSL Status LED Green Extremely Rapid Flash Packet Transmit

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


369
Configuring Digital Subscriber Line (DSL)
DSL SFP Firmware Upgrade

SFP LED Workflow


The following table describes the SFP LED indications during a bootup:

Before SFP is inserted Off

During SFP bootup Slow Green Flash

After auto-negotiation has completed Solid Green

SFP shut triggered from the CLI Off

SFP no shut triggered from the CLI Flashing, then Solid Green

SFP Traffic Flashing Green

Auto-Negotiation
You can tell the status of auto-negotiation based on the LED on the SFP. On shut/no shut or during
auto-negotiation, the following sequence should be observed:

Slow Flashing Green Idle

Fast Flashing Green Training

Solid Green Handshake success, Showtime

If the SFP LED is toggling between slow flashing green and fast flashing green, it usually means it is in
auto-negotiation mode. If this continues for a long time, the DSLAM and Router DSL SFP parameters need
to be rechecked. The following chapters cover more details on Router xDSL configuration.

DSL SFP Firmware Upgrade


The DSL SFP has firmware loaded on it. You should check the version loaded on the SFP and compare it to
what is available in the router image. The customer should make their decision to upgrade according to their
own agreement with their ISP.
The SFP must have a minimum configuration in order to upgrade it:
configure t
Router(conf)#interface g0/0/0
Router(conf-if)#media-type sfp
Router(conf-if)#no shut
Router(conf-if)#exit

Check your firmware levels by executing show controller vdsl 0/0/0 local command.
Router#show controllers vdsl 0/0/0 local
SFP Vendor PID: SFPV5311TR
SFP Vendor SN: V021932028C
Firmware embedded in IOS-XE: 1_62_8463
Running Firmware Version: 1_62_8455
Management Link: up
DSL Status: showtime
Dumping internal info: idle
Dying Gasp: armed
Dumping DELT info: idle

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


370
Configuring Digital Subscriber Line (DSL)
ADSL2/2+

Use the following command to upgrade the SFP:


Router#upgrade hw-module subslot 0/0 sfp 0
Upgrade SFP firmware on interface GigabitEthernet0/0/0 from 1_62_8455 to 1_62_8463
Connection will be disrupted, Continue(Y/N)?y
Start ebm upgrade!!
........................................................
........................................................
..................
firmware update success!!

The command loads the new firmware, and then performs a shut/no shut on the interface to reset the SFP.

Note In 17.5.1 and beyond, the capability exists to upgrade standalone SFP Firmware, in addition to the SFP
Firmware bundled with IOS image. For example:

Router#upgrade hw-module subslot 0/0 sfp 0 {flash|usbflash0|msata}:sfp_fw_image

MTU Limitation
As per the SFP Data sheet specification, the following are MTU limitations:
• For VDSL, the MTU range on the DSL SFP interface is between 64 - 1800 Bytes
• For ADSL2/2+, the MTU range on the DSL SFP interface is between 64 - 1700 Bytes

ADSL2/2+

ADSL2/2+ Overview
This section provides an overview for ADSL2/2+

Important The Router SFP based DSL support differs in configuration and troubleshooting in comparison to other
ISR DSL platforms. There is no ATM interface, ethernet to ATM packet translation is handled internally
via Adaption Layer5 (AAL5). All configurations are on the controller vdsl 0/0/0 and g0/0/0
interface/sub-interface. UBR is recommended over AAL5.

All details are listed in the chapters that follow.


ADSL2/2+ works in auto mode (configuration on DSLAM auto-negotiation automatically with the DSL
controller). Annex A is supported on ADSL2+. Annex A and reach-extended Annex L mode-1 is supported
on ADSL2. This is in compliance with TR-100/TR-105
• For Auto-negotiation handshake procedure, the SFP is compliant with ITU-T G.994.1 DSL TRx and for
Physical Layer Management compliant with ITU-T G.997.1 for DSL TRx.
• The DSL SFP complies with ITU-T G.99x standard with supporting AVD2 CPE mode only.
• Supports LLC/SNAP and VCMux ethernet bridged encapsulation option.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


371
Configuring Digital Subscriber Line (DSL)
Configuring ADSL2/2+

• All PPPoX encapsulation is configured via PPPoE only. Internally, packet translation is handled via
ATM. There is no PPPoA configuration like there is with the c111x ISR.
• ADSL-PVC is configurable in the Controller VDSL 0/0/0: Each SFP supports 8 PVCs.
• Each PVC supports mapping to/from 802.1q Vlan tagging.
• VPI range is 0-255, VCI range is 32-65535.

The 'mode' reflected in show controller vdsl 0/0/0 will always be PTM (Packet transfer mode). Internally
packet translation to ATM is handled (AAL5).

Configuring ADSL2/2+
The Router supports Asymmetric Digital Subscriber Line (ADSL) 2/2+ .

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example:
router> enable

Step 2 configure terminal Enters global configuration mode.


Example:
router# configure terminal

Step 3 controller vdsl <port> Enters configuration mode for the ADSL2/2+ controller.
Example:
router(config)# controller vdsl 0/0/0

Step 4 adsl-pvc <vpi/vci> Configures the PVC's VPI and VCI parameters. Refer to
ADSL2/2+ PVC Sub Mode, on page 374 for detailed
Example:
sub-commands.
router(config-controller)#adsl-pvc 0/35

Step 5 bridge-dot1q <1-4094> Configures the PVC's bridge-dot1q parameter.


Example:
router(config-controller-adsl-pvc)#bridge-dot1q 2

Step 6 encapsulation llcsnap|vcmux Disabled by default. Can be either llcsnap or vcmux. This
example shows the PVC encapsulation as LLCSNAP.
Example:
router(config-controller-adsl-pvc)#encapsulation
llcsnap

Step 7 exit Enables new configuration to take effect.


Example:
router(config-controller-adsl-pvc)# exit

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


372
Configuring Digital Subscriber Line (DSL)
ADSL2/2+ Controller Configuration Commands

Command or Action Purpose


Step 8 end Exits the configuration mode.
Example:
router(config-controller)# end

ADSL2/2+ Controller Configuration Commands


This section describes some of the CLI commands specific to controller configuration.

Brief Format Command Default Description Differences From


Other IOS-XE ISRs

adsl-pvc adsl-pvc [name] None ADSL2/2+ PVC VPI: 0-31


{<vpi>/<vci>} Submode
VCI: 1-1023
adsl-pvc 0/35 VPI/VCI value
0-255
adsl-pvc PVC1
0/35 VCI Value
32-65535
For additional
details on the
ADSL2/2+
submode, refer to
ADSL2/2+ PVC
Sub Mode, on page
374

bitswap Default is Enabled Bitswap

carrier-set carrier-set [a43 a43 a43c b43 DSL SFP Carrier Set c111x defines these
a43c b43] tones under the
modem vdsl option.
For example, v43
has to be disabled
via cli. In the
Router, tone v43 is
disabled by default.

default Set a command to its


defaults

description Controller specific


description

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


373
Configuring Digital Subscriber Line (DSL)
ADSL2/2+ PVC Sub Mode

Brief Format Command Default Description Differences From


Other IOS-XE ISRs

exit Exit from controller


configuration mode.
This is mandatory in
order to make the
configuration take
effect.

help Description of the


interactive help
system

mac-address mac-address The default is the DSL SFP MAC


<MAC address> MAC is Address. There is no
preconfigured. need to configure
anything to get the
controller working.

modem vdsl Not applicable to the Applicable only in


Router. Inherited the c111x.
from the c111x.

mpls Not applicable to the Applicable only in


Router. Inherited the c111x.
from the c111x.

no Negate a command
or set its defaults

shutdown Shutdown vdsl


controller

sra Default is Enabled Seamless Rate


Adaption

ADSL2/2+ PVC Sub Mode


The following table lists related commands.

Brief Format Default Description Differences From


Other IOS-XE ISRs

adsl-pvc adsl-pvc vpi/vci None A maximum of 8 VPI/VCI value 0-31


PVCs can be
VCI value 1-1023
supported on a DSL
interface.
vci range 32 - 65535
vpi range 0-255

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


374
Configuring Digital Subscriber Line (DSL)
ADSL2/2+ PVC Sub Mode

Brief Format Default Description Differences From


Other IOS-XE ISRs

bridge-dot1q bridge-dot1q None 802.1Q VLAN ID to


<1-4094> PVC mapping

cbr cbr <peak cell No Configure Constant 48-1408 in Kbps.


rate> Bit Rate (CBR)
Service
cbr pcr range is 0 to
5500 UBR is
recommended over
AAL5.

default-pvc default-pvc First PVC Created Set PVC as default


PVC
The default-pvc
command under
adsl-pvc is an option
available with the
DSL SFP. It selects
which PVC the DSL
SFP will treat as the
default when there
are 2 or more active
PVCs.

encapsulation encapsulation None Configure


<llcsnap|vcmux> ADSL2/2+ PVC
Encapsulation

exit Exit adsl-pvc sub


commands

ubr ubr <peak cell Yes Configure 48-1408 in Kbps.


rate> Unspecified Bit Rate
(UBR) Service
ubr peak cell rate
range is 0 to 5500

vbr-nrt vbr-nrt <peak cell No Configure Non 48-1408 in Kbps.


rate> <sustainable Real-time Variable
cell rate> Bit Rate Service
pcr range is 0 to UBR is
5500 recommended over
AAL5.
scr range is 0 to
5500

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


375
Configuring Digital Subscriber Line (DSL)
ADSL2/2+ PVC Sub Mode

Brief Format Default Description Differences From


Other IOS-XE ISRs

vbr-rt vbr-rt <peak cell No Configure Real-time 48-1408 in Kbps.


rate> <sustainable Variable Bit Rate
cell rate> Service
pcr range is 0 to UBR is
5500 recommended over
AAL5.
scr range is 0 to
5500

vlanid-rx vlanid-rx <1-4094> Depends on Configure the DSL Only on IoT Routers
bridge-dot1q SFP to set the
VLAN ID of the
Ethernet packet
received by the DSL
SFP to be sent to the
router.
Used in conjunction
with the DSL SFP
VLAN operation
vlanop-rx to either
remove or replace
the VLAN ID from
the Ethernet packet.

vlanid-tx vlanid-tx <1-4094> Depends on Configure the DSL Only on IoT Routers
bridge-dot1q SFP to set VLAN ID
of the Ethernet
packet for
transmission to the
network.
Used in conjunction
with the DSL SFP
VLAN operation
vlanop-tx to either
remove or replace
the VLAN ID from
the Ethernet packet
before transmitting
the packet to the
network.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


376
Configuring Digital Subscriber Line (DSL)
ADSL2+ Example

Brief Format Default Description Differences From


Other IOS-XE ISRs

vlanop-rx vlanop-rx Remove Configure the Only on IoT Routers


<pass-through| VLAN ID operation
remove|replace> of the DSL SFP to
the Ethernet packet
received by the DSL
SFP to be sent to the
router.
Remove or replace
VLAN operations
are used in
conjunction with the
vlanid-rx.
Pass-through option
preserves the
existing VLAN ID
of the Ethernet
packet.
vlanop-tx vlanop-tx Replace Configure the Only on IoT Routers
<pass-through| VLAN ID operation
remove|replace> of the DSL SFP to
the Ethernet packet
for transmission to
the network.
Remove or replace
VLAN operation are
used in conjunction
with the vlanid-tx.
Pass-through option
preserves the
existing VLAN ID
of the Ethernet
packet.

ADSL2+ Example
The following example is from an ADSL2+ configuration:

Note For an explanation of some of the key output messages, see Controller Status Messages, on page 393.

Router#show controller vdsl 0/0/0


Controller VDSL 0/0/0 is UP

Daemon Status: UP

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


377
Configuring Digital Subscriber Line (DSL)
ADSL2+ Example

XTU-R (DS) XTU-C (US)


Chip Vendor ID: 'META' 'BDCM'.
Chip Vendor Specific: 0x0000 0x0762
Chip Vendor Country: 0xB500 0xB500
Modem Vendor ID: 'META' ' '
Modem Vendor Specific: 0x0000 0x0000
Modem Vendor Country: 0xB500 0x0000
Serial Number Near: MET2023000A V5311TR 1_62_8463
Serial Number Far:
Modem Version Near: 1_62_8463 MT5311.
Modem Version Far: <value>

Modem Status: TC Sync (Showtime!)


DSL Config Mode: AUTO
Trained Mode: G.992.3 (ADSL2) Annex A

TC Mode: PTM
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running

Failed full inits: 0


Short inits: 0
Failed short inits: 0

Modem FW Version:
Modem PHY Version:
Modem PHY Source: System

Line 0:

XTU-R (DS) XTU-C (US)


Trellis: ON ON
SRA: enabled enabled.
SRA count: 0 0.
Bit swap: enabled enabled.
Bit swap count: 0 0
Line Attenuation: 2.4 dB dB
Signal Attenuation: 5.0 dB 0.0 dB
Noise Margin: 8.2 dB 6.5 dB
Attainable Rate: 12491 kbits/s 1153 kbits/s
Actual Power: 0.0 dBm 10.2 dBm
Total FECC: 0 0
Total ES: 0 399
Total SES: 0 188
Total LOSS: 0 177
Total UAS: 103 6325
Total LPRS: 0 0
Total LOFS: 0 0
Total LOLS: 0 0

DS Channel1 DS Channel0 US Channel1 US Channel0


Speed (kbps): NA 12491 NA 1093
SRA Previous Speed: NA 0 NA 0
Previous Speed: NA 12583 NA 1097
Reed-Solomon EC: NA 0 NA 0
CRC Errors: NA 209 NA 0
Header Errors: NA 0 NA 0
Interleave (ms): NA 1.00 NA 1.00
Actual INP: NA 0.00 NA 0.00

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


378
Configuring Digital Subscriber Line (DSL)
ADSL2 Annex A Example

ADSL2 Annex A Example


The following example is from an ADSL2 Annex A configuration:

Note For an explanation of some of the key output messages, see Controller Status Messages, on page 393.

show controller vdsl 0/0/0


Controller VDSL 0/0/0 is UP
Daemon Status: UP
XTU-R (DS) XTU-C (US)

Chip Vendor ID: 'META' 'BDCM'


Chip Vendor Specific: 0x0000 0x0762
Chip Vendor Country: 0xB500 0xB500
Modem Vendor ID: 'META' ' '
Modem Vendor Specific: 0x0000 0x0000
Modem Vendor Country: 0xB500 0x0000
Serial Number Near: MET2023000A V5311TR 1_62_8463
Serial Number Far:

Modem Version Near: 1_62_8463 MT5311


Modem Version Far:
Modem Status: TC Sync (Showtime!)
DSL Config Mode: AUTO
Trained Mode: G.992.5 (ADSL2+) Annex A
TC Mode: PTM
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running

Failed full inits: 0


Short inits: 0
Failed short inits: 0

Modem FW Version:
Modem PHY Version:
Modem PHY Source: System

Line 0:
XTU-R (DS) XTU-C (US)

Trellis: ON ON
SRA: enabled enabled
SRA count: 0 0
Bit swap: enabled enabled
Bit swap count: 0 0
Line Attenuation: 1.4 dB dB
Signal Attenuation: 2.4 dB 0.0 dB
Noise Margin: 9.5 dB 6.3 dB
Attainable Rate: 23550 kbits/s 1105 kbits/s
Actual Power: 0.0 dBm 12.2 dBm
Total FECC: 1 0
Total ES: 1 396
Total SES: 0 317
Total LOSS: 0 287
Total UAS: 57 3344
Total LPRS: 0 0
Total LOFS: 0 0
Total LOLS: 0 0
DS Channel1 DS Channel0 US Channel1 US Channel0

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


379
Configuring Digital Subscriber Line (DSL)
ADSL2 Annex L Example

Speed (kbps): NA 23550 NA 1105


SRA Previous Speed: NA 0 NA 0
Previous Speed: NA 23580 NA 1109
Reed-Solomon EC: NA 0 NA 0
CRC Errors: NA 95 NA 4
Header Errors: NA 0 NA 0
Interleave (ms): NA 1.00 NA 1.00
Actual INP: NA 0.00 NA 0.00
Training Log : Stopped
Training Log Filename : flash:vdsllog.bin

ADSL2 Annex L Example


The following example is from an ADSL2 Annex L configuration:

Note For an explanation of some of the key output messages, see Controller Status Messages, on page 393.

show controller vdsl 0/0/0


Controller VDSL 0/0/0 is UP
Daemon Status: UP
XTU-R (DS) XTU-C (US)

Chip Vendor ID: 'META' 'BDCM'


Chip Vendor Specific: 0x0000 0x0762
Chip Vendor Country: 0xB500 0xB500
Modem Vendor ID: 'META' ' '
Modem Vendor Specific: 0x0000 0x0000
Modem Vendor Country: 0xB500 0x0000
Serial Number Near: V0219320270 V5311TR 1_62_8463
Serial Number Far:

Modem Version Near: 1_62_8463 MT5311


Modem Version Far:
Modem Status: TC Sync (Showtime!)
DSL Config Mode: AUTO
Trained Mode: G.992.3 (ADSL2) Annex L
TC Mode: PTM
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running
Failed full inits: 0
Short inits: 0
Failed short inits: 0
Modem FW Version:
Modem PHY Version:
Modem PHY Source: System
Line 0:
XTU-R (DS) XTU-C (US)

Trellis: ON ON
SRA: enabled enabled
SRA count: 0 0
Bit swap: enabled enabled
Bit swap count: 0 0
Line Attenuation: 2.5 dB dB
Signal Attenuation: 5.7 dB 0.0 dB
Noise Margin: 7.0 dB 6.2 dB
Attainable Rate: 10164 kbits/s 288 kbits/s

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


380
Configuring Digital Subscriber Line (DSL)
VDSL2

Actual Power: 0.0 dBm 8.4 dBm


Total FECC: 0 0
Total ES: 6 0
Total SES: 6 0
Total LOSS: 6 0
Total UAS: 54 31
Total LPRS: 0 0
Total LOFS: 6 0
Total LOLS: 0 0
DS Channel1 DS Channel0 US Channel1 US Channel0

Speed (kbps): NA 10164 NA 243


SRA Previous Speed: NA 0 NA 0
Previous Speed: NA 12495 NA 1089
Reed-Solomon EC: NA 0 NA 0
CRC Errors: NA 0 NA 0
Header Errors: NA 0 NA 0
Interleave (ms): NA 1.00 NA 1.00
Actual INP: NA 0.00 NA 0.00
Training Log : Stopped
Training Log Filename : flash:vdsllog.bin

VDSL2

VDSL2 Overview
This section provides an overview for VDSL2,
The Router DSL SFP-VADSL2+-I provides VDSL2 Annex A, B support in conformance to ITU-T standards
G.993.2 (VDSL2). This xDSL SFP is also in compliance with TR-114 (VDSL2 Annex A and B performance)
and TR-115 (VDSL2 Feature validation tests by University of New Hampshire). The SFP complies with
ITU-T G.99x standard with supporting AVD2 CPEmode only.
• Configurable Band Plan, conforms to North America Annex A (G.998) and Europe Annex B (G.997,
998) Band Plans subject to the 3072/4096 and 8-band/4-passband constraints.
• Supports all VDSL2 profiles (8a/b/c/d, 12a/b, 17a, 30a).
• Supports EU type Upstream Band 0 (US0).
• Complies with ITU-T G.994.1 Handshake Procedure for DSL TRx.
• Complies with ITU-T G.997.1 Physical Layer Management for DSL TRx
• Complies with ITU-T G.993.5 Self-FEXT Cancellation (Vectoring) for CPE mode
• Supports Robust Overhead Channel (ROC)
• Supports Online Reconfiguration (OLR) including Seamless Rate Adaptation (SRA) with D/L change
and Bit Swapping
• Supports Upstream /Downstream Power Back Off (UPBO/DPBO)
• Supports DELT
• Supported maximum MTU size on VDSL2 is 1800 Bytes
• Standard compliance VDSL2 mode is PTM (Packet transfer mode)

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


381
Configuring Digital Subscriber Line (DSL)
Configuring VDSL2

• Supports VDSL2 Vectoring

For configuration and display commands, see the detailed sections below. The show controller vdsl 0/0/0 is
the fundamental command for validation.

Configuring VDSL2
The Router supports Very-high-bit-rate Digital Subscriber Line (VDSL2).

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example:
router> enable

Step 2 configure terminal Enters global configuration mode.


Example:
router# configure terminal

Step 3 controller vdsl 0/0/0 Enters configuration mode for the VDSL2 controller.
Example:
router(config-controller)# controller vdsl 0/0/0

Step 4 carrier-set a43 a43c b43 Configures the carrier set. Multiple choice. Default is a43
a43c b43. v43 is disabled by default.
Example:
router(config-controller)# carrier-set a43|a43c|b43

Step 5 end Exits controller configuration mode.


Example:
router(config-controller)# end

VDSL2 Controller Configuration Commands


This section describes some of the CLI commands specific to controller configuration.

Brief Format Command Default Description

bitswap Default is Enabled Bitswap

capability capability [annex-j] None Set the DSL SFP


Capability

carrier-set carrier-set [a43 b43 a43 b43 a43c DSL SFP Carrier Set
a43c]

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


382
Configuring Digital Subscriber Line (DSL)
VDSL Example

Brief Format Command Default Description

default Set a command to its


defaults

description Controller specific


description

exit Exit from controller


configuration mode

help Description of the


interactive help system

mac-address mac-address <MAC The default is the MAC is DSL SFP MAC Address.
address> preconfigured. There is no need to
configure anything to get
the controller working.

modem vdsl N/A Modem Configuration

mpls Not applicable to the IoT


Router. Inherited from the
c111x.

no Negate a command or set


its defaults

shutdown Shutdown vdsl controller

sra Default is Enabled Seamless Rate Adaption

VDSL Example
The following example is from a VDSL configuration:
show controllers vdsl 0/0/0
Controller VDSL 0/0/0 is UP
Daemon Status: UP
XTU-R (DS) XTU-C (US)

Chip Vendor ID: 'META' 'IKNS'


Chip Vendor Specific: 0x0000 0x0101
Chip Vendor Country: 0xB500 0xB500
Modem Vendor ID: 'META' ' '
Modem Vendor Specific: 0x0000 0x2AB0
Modem Vendor Country: 0xB500 0x37A0
Serial Number Near: E80462D1B001 SFP-V5311-T-R 8431
Serial Number Far: ^A5u
Modem Version Near: 1_62_8431 MT5311
Modem Version Far: 6.7.0.15IK005010

Modem Status: TC Sync (Showtime!)


DSL Config Mode: AUTO
Trained Mode: G.993.2 (VDSL2) Profile 17a

TC Mode: PTM

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


383
Configuring Digital Subscriber Line (DSL)
Troubleshooting and L1 Training Logs

Selftest Result: 0x00


DELT configuration: disabled
DELT state: not running

Failed full inits: 0


Short inits: 0
Failed short inits: 0

Modem FW Version:
Modem PHY Version:
Modem PHY Source: System

Line 0:
XTU-R (DS) XTU-C (US)

Trellis: ON ON
SRA: enabled enabled
SRA count: 0 0
Bit swap: enabled enabled
Bit swap count: 0 0
Line Attenuation: 2.7 dB dB
Signal Attenuation: 3.9 dB dB
Noise Margin: 7.2 dB 24.8 dB
Attainable Rate: 113289 kbits/s 86904 kbits/s
Actual Power: 9.3 dBm 8.1 dBm
Per Band Status: D1 D2 D3 U0 U1 U2 U3
Line Attenuation(dB): 0.0 1.5 2.5 N/A 0.2 0.2 0.6
Signal Attenuation(dB): 0.0 2.0 4.0 N/A 0.0 0.0 0.0
Noise Margin(dB): 0.0 7.2 7.2 0.0 24.7 24.8 24.8
Total FECC: 0 2203
Total ES: 1 2280
Total SES: 0 2199
Total LOSS: 0 2199
Total UAS: 81 2199
Total LPRS: 0 0
Total LOFS: 0 0
Total LOLS: 0 0
DS Channel1 DS Channel0 US Channel1 US Channel0

Speed (kbps): NA 103985 NA 50219


SRA Previous Speed: NA 0 NA 0
Previous Speed: NA 103985 NA 50219
Reed-Solomon EC: NA 0 NA 0
CRC Errors: NA 117 NA 1
Header Errors: NA 0 NA 0
Interleave (ms): NA 0.00 NA 0.02
Actual INP: NA 0.00 NA 0.00
Training Log : Stopped
Training Log Filename : flash:vdsllog.bin

For an explanation of some of the key output messages, see Controller Status Messages, on page 393.

Troubleshooting and L1 Training Logs

Troubleshooting
This section provides information for troubleshooting and debugging if the DSL control and/or datapath is
not up.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


384
Configuring Digital Subscriber Line (DSL)
Troubleshooting

Problem: If WAN interface g0/0/0 is DOWN:


Solution: Try the following:
• Check L1 cabling, networking, and with different SFP
• Capture output for show int g0/0/0, show run all, and show version
• Check if g0/0/0 has media-type sfp configuration set and the interface is unshut.
• Try another SFP to see if that is detected.
• Check SFP's LED status. Refer to LED Indications on the SFP, on page 369

Problem: If controller state is DOWN:


For example:
Router#show controllers vdsl 0/0/0
Controller VDSL 0/0/0 is DOWN

Solution: Try the following:


• Check L1 cabling.
• Try inserting RJ11 cable into an RJ11 male to RJ45 female connector to see if it helps align.
• Ensure Running FW is the same as System FW. If not, upgrade the SFP FW. Refer to DSL SFP Firmware
Upgrade, on page 370.
• Gather output for all L1 Training logs. Ensure L1 debug logs in folder are sent to Cisco TAC, as well as
the output of service internal command test vdsl option 0x0 6, and the output from show controller
0/0/0 local. Refer to L1 Training Logs, on page 394.
• Possible workaround: After gathering the above logs, try to reboot the router to see if it recovers. If it
still does not work, try to hot remove/insert the SFP again.

Problem: If the controller is UP, but show controller vdsl 0/0/0 shows the DSL Link Idle.
Solution: Try the following:
• Ensure show controller vdsl 0/0/0 local shows Running FW = System FW. If not, upgrade FW and
shut/no shut g0/0/0. Refer to DSL SFP Firmware Upgrade, on page 370
• Ensure carrier-set match (in controller vdsl 0/0/0) configuration with DSLAM
• Restart DSLAM interface if any config changes have been made
• Fine-tune the Power Spectrum Density, Freq Bandplan, profile, operating mode, vlan, etc... on the DSLAM
end. On the Router DSL controller end, auto mode is the default and no configuration is required except
possibly carrier-set. For example: If DSLAM only supports POTS, recommended to set carrier-set to
a43. By default, Cisco allows a43, a43c, b43.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


385
Configuring Digital Subscriber Line (DSL)
Troubleshooting

• Ensure the DSLAM profile ONLY includes supported Profiles, bands, etc as per VDSL2/ADSL2/2+
Refer to the tables in DSL Feature Specifications, on page 365.
• When using the service internal command test vdsl rawcli "basic show summary 1" consecutively,
do you see the status move from Idle/Handshake/Training back to Idle, or stuck in Idle? If former case,
recheck DSLAM profile configs. If latter, share L1 debug logs.
• If the DSLAM has the same configuration that used to work, and then after an image upgrade, or new
SFP change the controller is UP but no negotiation , then please provide following to Cisco:
• SFP LED status
• Capture show version, show running-config, show run all | sec controller, show interface
gigabitethernet 0/0/0, and show controller vdsl 0/0/0 local.

• Possible workaround: After providing logs to Cisco, attempt to write erase and reload the router. Also,
shut/no shut the DSLAM interface tied to this device, and unplug/plug SFP and cables again.

Problem: If the controller is Up, but the daemon is Down.


Solution: Try the following:
• Enable debug vdsl for debug, share with Cisco TAC
• Provide last known working configs and software version
• Possible workaround: After providing logs to Cisco, attempt to write erase and reload the router. Also,
shut/no shut the DSLAM interface tied to this device, and unplug/plug SFP and cables again.
• Check if the appropriate datak9, securityk9, and network-advantage licenses are enabled on both Peer
and Client.

Problem: If Controller is up, profile with DSLAM up in show controller vdsl 0/0/0, but Dialer did not acquire
IP
Solution: Try the following:
• Check routes
• Check the output of debug dialer to see if it offers any information. If dialer idle time is resetting too
soon, modify dialer idle-timeout (default is 120s , which ideally should be enough).
• Ensure there are SW Licenses (datak9, securityk9, and network-advantage) on both PPPoE server
and the PPPoE Client/CPE.
• The following is a basic Dialer configuration that works:
interface Dialer1
ip address negotiated
no ip redirects
encapsulation ppp
dialer pool 1
dialer-group 1

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


386
Configuring Digital Subscriber Line (DSL)
Troubleshooting

no cdp enable
ppp authentication chap callin
ppp chap hostname WORD
ppp chap password 0 WORD
ppp ipcp route default
!
ip route 0.0.0.0 0.0.0.0 Dialer1 (or any route that works in user environment)

• Ensure PPPoE Server authentication credentials match PPPoE client


• If using DHCP, ensure the Server has enough addresses to lease out
• Enable debug ppp session and debug ip dhcp server packet detail on the headend/Peer router to debug
if we receive any packets. Enable debug ppp session on router.
• If the above steps did not resolve the issue, provide all of the above debug information to Cisco TAC,
along with the following:
• Output of show version, show running, show run all | sec controller, show controller vdsl 0/0/0
and show controller vdsl 0/0/0 local.
• Output of service internal commands test vdsl rawcli "basic show summary 1", basic show
summary 1, and test vdsl option 0x0 6.
• Configuration of the DSLAM.
• L1 training logs. Refer to L1 Training Logs, on page 394.

• Possible workaround: After gathering the above logs in sequence for Cisco, you can try to write erase
and reload Peer and Router. Specifically removing the Dialer interface with PPP configurations and
reapplying. As a last resort, try to shut/no shut DSLAM interface attached to this Router DSL SFP
interface. Additionally, to isolate behavior, validate this SFP on another Router if available. If it works,
then validate multiple SFPs on same Router (to narrow down if it is an SFP or Router issue).

Problem: If controller is Up, Dialer is Up, but Dialer did not acquire IP, Authentication works only with PAP
and does not work with CHAP.
Solution: Suppose there is a scenario where:
show controller vdsl 0/0/0 shows showtime
show pppoe session shows PPP session established.
Then we see Virtual Access bound with Dialer successfully, but still Dialer didn't acquire an IP with PAP
config in dialer all as well, but CHAP would not work On PPPoE Server end, it showed CHAP authentication
passed and device ack too, but still IP not acquiring on PPPoE Client/device end.
debug ppp packet showed everything was okay, but still IP not acquiring. In such cases, enable following to
monitor: debug ppp authentication enabled, we may notice that after successful chap handshake, there was
another attempt by our device/client to validate based on local hostname set on Router CLI required to disable,
if there is default local hostname set for chap in Router client (or any IOS router):
config t
service internal
Int Dialer1
no ppp chap ignoreus

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


387
Configuring Digital Subscriber Line (DSL)
Troubleshooting

no shut
exit

For further information see the Understanding and Configuring PPP CHAP Authentication
link:https://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/
25647-understanding-ppp-chap.html

Problem If controller is up, Dialer acquired an IP, but cannot self-ping Dialer or ping PPPoE Server
Solution: Try the following:
• Ensure the appropriate SW licenses (datak9, securityk9, and network-advantage) are enabled on both
the PPPoe Server and Client
• Verify if icmp is enabled on PPPoE client session (enable via access list)
• Ensure pap/chap authentication match is seen in debug pppoe session.
• show pppoe session should reflect session (virtual-access binding with Dialer)
• For PPPoE session debugging, this section is common to all IOS platforms: https://www.cisco.com/c/
en/us/td/docs/routers/ir910/software/release/1_0/configuration/guide/ir910scg/swpppoe.pdf
• Apply Static IP on g0/0/0 DSL interface and check if you can ping the DSLAM and Peer (to isolate DSL
SFP issues)
• The following is a Basic PPPoE Server and PPPoE client configuration that works, presuming PPPoE
Server is a Cisco IOS device as well:
PPPoE Server
ip dhcp excluded-address 41.41.41.1 41.41.41.9
!
ip dhcp pool 41-41-41-pool
network 41.41.41.0 255.255.255.0
default-router 41.41.41.1
lease 2
!
username dslpeer password 0 dslpeerpass
!!
bba-group pppoe global
virtual-template 1
!
interface GigabitEthernet0/0/0
no ip address
media-type sfp
!
interface GigabitEthernet0/0/0.1
encapsulation dot1Q 1 native
ip address 41.41.41.1 255.255.255.0
pppoe enable group global
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0/0.1
peer default ip address dhcp-pool 41-41-41-pool
ppp authentication pap chap
!
>>>>>> Add routes as relevant, next hop being the IP that Router Dialer acquires
!
ip route 10.0.0.0 255.255.255.0 41.41.41.3 >> dialer ip, change as necessary

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


388
Configuring Digital Subscriber Line (DSL)
Troubleshooting

PPPoE Client:
controller VDSL 0/0/0
Carrier-set a43 >>> Can set to whichever [a43, b43, a43c, v43 depending on DSLAM support]
interface GigabitEthernet0/0/0
no ip address
media-type sfp
!
interface GigabitEthernet0/0/0.1
encapsulation dot1Q 1 native
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
no ip redirects
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname dslpeer
ppp chap password 0 dslpeerpass
ppp ipcp route default
!
ip route 0.0.0.0 0.0.0.0 Dialer1

Problem: If DSL traffic has been going through for a while, however bandwidth drops in time:
Solution: Try the following:
• Ensure DSLAM profile PSD, Freq band plan configurations are fine-tuned (in such cases, ideally unrelated
to Router DSL SFP).
• Ensure ip arp timeout is increased in the Cisco Router DSL interface, Dialer interface - this may specially
help in bursty traffic or during congestion.

Note The following commands may be helpful for troubleshooting:

Interface Status:
Router#show ip interface brief
Use this command to validate if Dialer acquired an IP address

Inventory Status:
Router#show inventory

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
INFO: Please use "show license UDI" to get serial number for licensing.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

NAME: "Chassis", DESCR: "IR1101 Base Chassis"


PID: IR1101-K9 , VID: V03 , SN: FCW23500H5X

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


389
Configuring Digital Subscriber Line (DSL)
Frequently Asked Questions

NAME: "Module 0 - Mother Board", DESCR: "Cisco IR1101 motherboard"


PID: IR1101-K9 , VID: V03 , SN: FOC23473SRK

NAME: "module subslot 0/0", DESCR: "IR1101-ES-5"


PID: IR1101-ES-5 , VID: V01 , SN:

NAME: "subslot 0/0 transceiver 0", DESCR: "GE T"


PID: SFP-VADSL2+-I , VID: V01 , SN: MET2023000A
Ignore the description, it will always reflect GE T for all ISR Router SFPs
PID and S/N are what matter

Commands to display the running software details:


Router#show running-config all
Router#dir flash:
Router#dir nvram:
Router#show version

There are some debugging commands that will also reflect the status of auto-negotiation:
Router#configure terminal
Router#service internal
Router#exit
The following test command will reflect auto-negotiation status:
Router#test vdsl rawcli "basic show summary 1"
Link time Rate US/DS Mode Status Annex TxPkts/RxPkts
4 1097/12491 ADSL2 Showtime AnnexA 0/0

Frequently Asked Questions


This section provides answers to some common questions.
Question: How can I set VDSL2 or ADSL2/2+ to a specific Annex and profile in Controller?
Answer: The Router DSL SFP operates in auto mode only. There are no options to configure on the SFP
controller end. You can only make changes on the DSLAM side.

Question: There is no Controller ADSL option to configure.


Answer: Controller vdsl 0/0/0 is common nomenclature across Cisco IOS-XE products. The same cli is valid
for ALL DSL protocols - VDSL2, ADSL2, ADSL2+.

Question: There is no ATM interface to configure.


Answer: There is no ATM interface for user configuration. On all configuration options on controller vdsl
0/0/0 and DSL SFP WAN interface g0/0/0 and its sub-interface options, ATM packets are handled by the
DSL SFP and re-assembled as Ethernet packets. Annex A, L is supported.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


390
Configuring Digital Subscriber Line (DSL)
Frequently Asked Questions

Question: The training log in show controller vdsl 0/0/0 is not working. There is no option to start/stop.
Answer: This option is only specific to the c111x platform and not the Router DSL SFP. For Router platform
L1 debugging, refer to: L1 Training Logs, on page 394

Question: Where can I download DSL SFP Firmware?


Answer:
In 17.5.1 and beyond, standalone FW is available to upgrade via Flash:, mSATA and usbflash0: in IOS To
upgrade DSL Firmware, refer to: DSL SFP Firmware Upgrade, on page 370

Question: ADSL2 Annex L is not working.


Answer: Ensure the DSLAM profile configuration has the right bit rate allowed. Since the Router DSL SFP
is auto-mode, it will negotiate with the profile with the highest bit rate (so this is predominantly determined
by DSLAM config fine-tuning).

Question: Annex-L Mode1 is supported, but not Mode2.


Answer: Ensure that unsupported modes/profiles/bands in DSLAM configuration are disabled. Refer to DSL
Feature Specifications, on page 365 for supported specifications.

Question: In ADSL2/2+ if burst size (peak cell rate and sustainable cell rate ) are configured to the maximum
5500, dialer keeps flapping.
Answer: If Dialer is flapping, could be receiving Peer upstream and was unable to handle high rate of
downstream traffic. Either disable ip keepalive in dialer configuration, or increase default keepalive to
the maximum.

Question: How many PVCs are allowed?


Answer: 8

Question: Controller configurations are not taking effect.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


391
Configuring Digital Subscriber Line (DSL)
Frequently Asked Questions

Answer: Ensure you exit out of controller configuration mode for the configuration to take effect. As a
workaround, shut/no shut the controller interface. Ideally this should reflected the moment you 'exit' out of
controller config mode. Check the DSLAM for matching profile criteria, unsupported bands/profiles should
be removed as they may delay the Handshake.

Question: In ADSL2/2+ controller configuration, Maximum Burst Size configuration is not taking affect.
Answer: When configuring either nrt-VBR or rt-VBR, only the configuration of Peak Cell Rate (PCR) and
Sustainable Cell Rate (SCR) are supported. The optional Maximum Burst Size (MBS) is not supported.

Question: System hangs during L1 Debug Logs capture, taking very long. show commands are not working.
Answer: When debug vdsl controller 0/0/0 dump internal folder_name is executed, it drains most of the
system resources. A warning syslog to that effect is displayed as well. This takes approximately 10 minutes
to complete depending on state of controller. Multiple times during the process the controller is shut/no shut,
during this activity do NOT intervene. Once complete, you should observe 'DONE' in syslog and prompted
to shut/no shut g0/0/0.

Question: Are there any new SNMP MIBS added?


Answer: Release 17.5.1 introduced the following ADSL2+ MIBS:
• 1.3.6.1.2.1.10.94.1.1.4.1.2 ADSL-LINE MIB:adslAtucChanCurrTxRate
• 1.3.6.1.2.1.10.94.1.1.5.1.2 ADSL-LINE MIB:adslAturChanCurrTxRate
• 1.3.6.1.2.1.10.94.1.1.2.1.8 ADSL-LINE MIB:adslAtucCurrAttainableRate
• 1.3.6.1.2.1.10.94.1.1.3.1.8 ADSL-LINE MIB:adslAturCurrAttainableRate

Question: SFP is stuck in the Router.


Answer: This can occur on older models of the IR1101. There was a faceplate rework.
Follow these steps to ensure the SFP Latch is handled cautiously (as with all SFPs). When doing a hot removal
of SFP:
• Remove the latch (hear the click) and tilt to ~ 45deg - 90deg, without pressuring it or forcing it to snap.
• Remove the cable.
• Remove the SFP

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


392
Configuring Digital Subscriber Line (DSL)
Controller Status Messages

Caution When inserting the SFP, make sure you hear it lock in. Insert the cable and then close the latch. You
should hear the click again. If you force the latch and it breaks, the SFP will be stuck in the Router.
Workaround is to remove the faceplate and remove the SFP.

Controller Status Messages


This section explains some of the key output messages from the show controller vdsl 0/0/0
command.
Refer to the following table:

Output message Description

Controller VDSL 0/0/0 is UP State of the controller

Daemon Status: UP State of internal IOS DSL Daemon

Chip Vendor ID: 'META' 'BDCM'. SFP Metanoia Chip information

Chip Vendor Specific: 0x0000 0x0762 SFP Metanoia Chip Information burnt in EEPROM
programming

Chip Vendor Country: 0xB500 0xB500 SFP Metanoia Chip information

Modem Vendor ID: 'META' SFP Metanoia Chip information

Modem Vendor Specific: 0x0000 0x0000 SFP Metanoia Chip information

Modem Vendor Country: 0xB500 0x0000 SFP Metanoia Chip information

Serial Number Near: MET2023000A V5311TR SFP Metanoia Chip information


1_62_8463

Serial Number Far: SFP Metanoia Chip information, ignore if empty,


Serial Number Near is the value required

Modem Version Near: 1_62_8463 MT5311. Modem Firmware information

Modem Version Far: <value> Ignore if empty, the above Near version is what is
important

Modem Status: TC Sync (Showtime!) Shows L1 SFP auto-negotiation status.


When SFP is shut/no shut, you see following
auto-negotiation sequence:
Idle , Handshake, Training, Showtime! Showtime
implies auto-neg complete

DSL Config Mode: AUTO Always in AUTO mode, no specific CLI to configure
for ADSL2/2+, VDSL2

Trained Mode: G.992.3 (ADSL2) Annex A Specifies ITU and Annex type

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


393
Configuring Digital Subscriber Line (DSL)
L1 Training Logs

Output message Description

TC Mode: PTM Always in Packet Transfer Mode, even for ADSL2/+.


The SFP is already translating ATM to Ethernet
frames.

SRA: enabled enabled. Default is enabled

Bit swap: enabled enabled. Default is enabled

L1 Training Logs
To configure the device perform the following:
Router#configure terminal
Router#service internal
Router#logging console
Router#exit

To configure debug, perform the following:


Router#debug vdsl sfp debug | error | event | info | packet For SFP level debuging
Router#debug vdsl controller 0/0/0 dump internal {dir} For L1 debugging

When the L1 debug dump starts you should see the following:
%VDSL_SFP_MGR-5-DUMP_START: Dump internal info started on interface GigabitEthernet0/0/0

Important At this point, the device is unusable. Wait approximately 10 minutes until it completes.

At that point you should see the following:


%VDSL_SFP_MGR-4-DUMP_DONE: Dump internal info done, please shut/no shut on interface
GigabitEthernet0/0/0 to recover

To recover the device into normal operational mode, preform the following:
Router#configure terminal
Router#interface g0/0/0
Router#shut
Router#no shut
Router#exit

Provide directory logs saved in bootflash: to Cisco.

Note Cisco recommends that each time you start a new log or debug, save it to a new directory rather than
append to the existing information.

To enable Metanoia SFP debug commands, perform the following:


Router#configure terminal
Router#service internal
Router#exit
Router#test vdsl rawcli “basic show summary 1” This command shows the L1 auto-negotiation

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


394
Configuring Digital Subscriber Line (DSL)
L1 Training Logs

status
Link time Rate US/DS Mode Status Annex TxPkts/RxPkts
773 1089/23628 ADSL2+ Showtime AnnexA 470/338

Router#test vdsl option 6 0x0 If functional, State = 2 should display. This command shows
basic L1 bringup of DSL SFP and it's states. Provide to Cisco for L1 troubleshooting.
Debug flags: 0x8000
Seq 0: slot=0 slot_port=0 bay=0 port=0 Name:MetaMgr0_0_0
MetanoiaPort=0 SFP type: 1 State: 2 cnt=855
MAC:00:00:00:00:00:00 Choice:0
hw interface:GigabitEthernet0/0/0 sw interface:GigabitEthernet0/0/0
Firmware file: /etc/SFP_V5311-T-R_CSP.b, size=491520, version=1_62_8463
SFP version: 1_62_8463
Notification Seq: 0x1 cnt: 0xB3 Stat Cycle:255
VDSL State: 5
EBM Tx: 21039 Rx: 21031
EBM Wait Timeout: 8 Rx Loss: 0
G994 vid CO: BDCM CPE: META
Serial No CO: CPE: MET2023000A V5311TR 1_62_8463
Version CO: CPE: 1_62_8463 MT5311
Capability CO: 000000000001000000 CPE: 000000000001000000
Line Attn: UP: 65535 DOWN: 13

Tips for resetting the SFP:


• Ideally g0/0/0 shut/no shut will work in most cases (for example: after firmware upgrade, hot OIR, etc).

For hard reload of SFP, perform the following:


Router#hw-module subslot 0/0 reload

This option will force the entire subslot to reload, including the software module. So if connectivity is via
telnet/ssh you might lose access for 1-2 minutes, and then all messages/syslogs buffered will print out.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


395
Configuring Digital Subscriber Line (DSL)
L1 Training Logs

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


396
CHAPTER 37
Out Of Band Management (OOB)
This chapter contains the following sections:
• Out Of Band Management (OOB), on page 397
• OOB Topology, on page 397
• Feature Caveats, on page 398
• OOB Configuration, on page 398

Out Of Band Management (OOB)


OOB offers a method for connecting two routers together with a USB cable for extra redundancy in case of
4G failure. This allows you to retain out-of-band connectivity by connecting the USB port for Router A to
the USB console of Router B, as well as the ability to access Router B console port from Router A.
This feature will need to be implemented with IOS CLI. The user should be able to do a reverse telnet via tty
line (/dev/ttyUSB) to another router's USB console.

OOB Topology
The following graphic illustrates the physical connection between two IR1101 routers:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


397
Out Of Band Management (OOB)
Feature Caveats

Figure 107: Topology

The blue line above is a USB 2.0 Type A to USB 2.0 mini USB Type B cable. Refer to this topology for the
following configuration.

Feature Caveats
Prior to configuring each router, ensure that both routers have a basic serial configuration:
line con 0
stopbits 1
speed 9600

Note Depending on how old the IR1101 is, the default baud rate is 9600 or 115200.

• Plug and Play is not supported. Cable must be installed prior to configuration.
• OOB only works for async0/2/1, which is the USB port. Async0/2/0 is the serial interface on the IR1101
• To exit from the feature, press “Ctrl-Shift-6”, then “x”, then “disconnect”.

OOB Configuration
Refer to the previous figure for examples of Router A and Router B. To access Router B console from Router
A:
Power on Router A and configure the following:
interface Async0/2/1
ip address 20.0.0.1 255.0.0.0
encapsulation relay-line
!
line 0/2/1
transport input all
transport output all

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


398
Out Of Band Management (OOB)
OOB Configuration

Make sure that the speed of line 51 is the same speed as the console on Router B:
IR1101-A#show line

Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 0 CTY - - - - - 4 0 0/0 -
0/0/0 2 TTY 0/0 - - - - - 0 0 0/0 -
0/2/0 50 TTY 9600/9600 - - - - - 4 0 0/0 -
0/2/1 51 TTY 9600/9600 - - - - - 4 0 0/0 -
74 74 VTY - - - - - 3 0 0/0 -
75 75 VTY - - - - - 1 0 0/0 -
76 76 VTY - - - - - 0 0 0/0 -
77 77 VTY - - - - - 0 0 0/0 -
78 78 VTY - - - - - 0 0 0/0 -
79 79 VTY - - - - - 0 0 0/0 -
80 80 VTY - - - - - 0 0 0/0 -
81 81 VTY - - - - - 0 0 0/0 -
82 82 VTY - - - - - 0 0 0/0 -
83 83 VTY - - - - - 0 0 0/0 -
84 84 VTY - - - - - 0 0 0/0 -
85 85 VTY - - - - - 0 0 0/0 -
86 86 VTY - - - - - 0 0 0/0 -
87 87 VTY - - - - - 0 0 0/0 -
88 88 VTY - - - - - 0 0 0/0 -

Line(s) not in async mode -or- with no hardware support:


1, 3-49, 52-73, 89-735

Configure line 0/2/1 on Router A:


IR1101-A#configure term
Enter configuration commands, one per line. End with CNTL/Z.
IR1101-A(config)#line 0/2/1
IR1101-A(config-line)#speed 9600
IR1101-A(config-line)#

Telnet to Router B via Router A IP, port 2051:


IR1101-A#telnet 20.0.0.1 2051
Trying 20.0.0.1, 2051 ... Open

IR1101-B#

IR1101-B# <== to exit, press “Ctrl-Shift-6”, then “x”, then “disconnect”

IR1101-A#disconnect
Closing connection to 20.0.0.1 [confirm]

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


399
Out Of Band Management (OOB)
OOB Configuration

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


400
CHAPTER 38
Process Health Monitoring
This chapter describes how to manage and monitor the health of various components of your router. It contains
the following sections:
• Monitoring Control Plane Resources, on page 401
• Monitoring Hardware Using Alarms, on page 407

Monitoring Control Plane Resources


The following sections explain the details of memory and CPU monitoring from the perspective of the Cisco
IOS process and the overall control plane:
• Avoiding Problems Through Regular Monitoring, on page 401
• Cisco IOS Process Resources, on page 401
• Overall Control Plane Resources, on page 405

Avoiding Problems Through Regular Monitoring


Processes should provide monitoring and notification of their status/health to ensure correct operation. When
a process fails, a syslog error message is displayed and either the process is restarted or the router is rebooted.
A syslog error message is displayed when a monitor detects that a process is stuck or has crashed. If the
process can be restarted, it is restarted; else, the router is restarted.
Monitoring system resources enables you to detect potential problems before they occur, thus avoiding outages.
It also establishes a baseline for a normal system load. You can use this information as a basis for comparison,
when you upgrade hardware or software to see if the upgrade has affected resource usage.

Cisco IOS Process Resources


You can view CPU utilization statistics on active processes and see the amount of memory being used in these
processes using the show memory command and the show process cpu command. These commands provide
a representation of memory and CPU utilization from the perspective of only the Cisco IOS process; they do
not include information for resources on the entire platform. When the show memory command is used in a
system with 4 GB RAM running a single Cisco IOS process, the following memory usage is displayed:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


401
Process Health Monitoring
Cisco IOS Process Resources

Router# show memory


Tracekey : 1#33e0077971693714bd2b0bc347d77489
Address Bytes Prev Next Ref PrevF NextF what Alloc PC

Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)


Processor 7F68ECD010 728952276 281540188 447412088 445683380 234766720
lsmpi_io 7F6852A1A8 6295128 6294304 824 824 412
Dynamic heap limit(MB) 200 Use(MB) 0

Processor memory

Address Bytes Prev Next Ref PrevF NextF what Alloc PC


7F68ECD010 0000000568 00000000 7F68ECD2A0 001 -------- -------- *Init* :400000+60E37C4
7F68ECD2A0 0000032776 7F68ECD010 7F68ED5300 001 -------- -------- Managed Chunk Q
:400000+60D12A8
7F68ED5300 0000000056 7F68ECD2A0 7F68ED5390 001 -------- -------- *Init* :400000+3B0C610
7F68ED5390 0000012808 7F68ED5300 7F68ED85F0 001 -------- -------- *Init* :400000+B8A5D64
Address Bytes Prev Next Ref PrevF NextF what Alloc PC
7F68ED85F0 0000032776 7F68ED5390 7F68EE0650 001 -------- -------- List Elements
:400000+60A4A9C
7F68EE0650 0000032776 7F68ED85F0 7F68EE86B0 001 -------- -------- List Headers :400000+60A4AD8
7F68EE86B0 0000032776 7F68EE0650 7F68EF0710 001 -------- -------- IOSXE Process S
:400000+11924CC
7F68EF0710 0000032776 7F68EE86B0 7F68EF8770 001 -------- -------- IOSXE Queue Pro
:400000+1192510
7F68EF8770 0000065544 7F68EF0710 7F68F087D0 001 -------- -------- IOSXE Queue Bal
:400000+1192554
7F68F087D0 0000000328 7F68EF8770 7F68F08970 001 -------- -------- *Init* :400000+B89E1D8
7F68F08970 0000000328 7F68F087D0 7F68F08B10 001 -------- -------- *Init* :400000+B89E1D8
7F68F08B10 0000000328 7F68F08970 7F68F08CB0 001 -------- -------- *Init* :400000+B89E1D8
7F68F08CB0 0000000360 7F68F08B10 7F68F08E70 001 -------- -------- Process Events
:400000+60F9CD4
7F68F08E70 0000000056 7F68F08CB0 7F68F08F00 001 -------- -------- SDB String :400000+605981C
7F68F08F00 0000000080 7F68F08E70 7F68F08FA8 001 -------- -------- Init :400000+60599E4
Address Bytes Prev Next Ref PrevF NextF what Alloc PC
7F68F08FA8 0000036872 7F68F08F00 7F68F12008 001 -------- -------- *Init* :400000+11891E8
7F68F12008 0000010008 7F68F08FA8 7F68F14778 001 -------- -------- Platform VM Pag
:400000+11AD244
7F68F14778 0000002008 7F68F12008 7F68F14FA8 001 -------- -------- *Init*
iosd_crb_ir1101_unix:7F8EB59000+5CC1C
7F68F14FA8 0000200712 7F68F14778 7F68F46008 001 -------- -------- Interrupt Stack
:400000+11891E8
7F68F46008 0000003008 7F68F14FA8 7F68F46C20 001 -------- -------- Watched Semapho
:400000+60FE448
7F68F46C20 0000000328 7F68F46008 7F68F46DC0 001 -------- -------- *Init* :400000+B89E1D8
7F68F46DC0 0000000096 7F68F46C20 7F68F46E78 001 -------- -------- Init :400000+60599E4
7F68F46E78 0000000216 7F68F46DC0 7F68F46FA8 001 -------- -------- *Init* :400000+60ED228
7F68F46FA8 0000036872 7F68F46E78 7F68F50008 001 -------- -------- *Init* :400000+11891E8
7F68F50008 0000000896 7F68F46FA8 7F68F503E0 001 -------- -------- Watched Message
:400000+60FE4A8
7F68F503E0 0000002008 7F68F50008 7F68F50C10 001 -------- -------- Watcher Message
:400000+60FE4D8
Address Bytes Prev Next Ref PrevF NextF what Alloc PC
7F68F50C10 0000000360 7F68F503E0 7F68F50DD0 001 -------- -------- Process Events
:400000+60F9CD4
7F68F50DD0 0000000184 7F68F50C10 7F68F50EE0 001 -------- -------- *Init* :400000+60ED918
7F68F50EE0 0000000112 7F68F50DD0 7F68F50FA8 001 -------- -------- *Init* :400000+60B57CC
7F68F50FA8 0000036872 7F68F50EE0 7F68F5A008 001 -------- -------- *Init* :400000+11891E8
7F68F5A008 0000002336 7F68F50FA8 7F68F5A980 001 -------- -------- Process Array
:400000+6102A4C
7F68F5A980 0000000184 7F68F5A008 7F68F5AA90 001 -------- -------- *Init* :400000+60ED918

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


402
Process Health Monitoring
Cisco IOS Process Resources

7F68F5AA90 0000000184 7F68F5A980 7F68F5ABA0 001 -------- -------- *Init* :400000+60ED918


7F68F5ABA0 0000000184 7F68F5AA90 7F68F5ACB0 001 -------- -------- *Init* :400000+60ED918
7F68F5ACB0 0000000184 7F68F5ABA0 7F68F5ADC0 001 -------- -------- *Init* :400000+60ED918
7F68F5ADC0 0000000184 7F68F5ACB0 7F68F5AED0 001 -------- -------- *Init* :400000+60ED918

The show process cpu command displays Cisco IOS CPU utilization average:
Router# show process cpu
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 0 17 0 0.00% 0.00% 0.00% 0 Chunk Manager
2 552 1205 458 0.00% 0.00% 0.00% 0 Load Meter
3 0 1 0 0.00% 0.00% 0.00% 0 PKI Trustpool
4 0 1 0 0.00% 0.00% 0.00% 0 Retransmission o
5 0 1 0 0.00% 0.00% 0.00% 0 IPC ISSU Dispatc
6 36 13 2769 0.00% 0.00% 0.00% 0 RF Slave Main Th
7 0 1 0 0.00% 0.00% 0.00% 0 EDDRI_MAIN
8 0 1 0 0.00% 0.00% 0.00% 0 RO Notify Timers
9 4052 920 4404 0.23% 0.09% 0.06% 0 Check heaps
10 12 101 118 0.00% 0.00% 0.00% 0 Pool Manager
11 0 1 0 0.00% 0.00% 0.00% 0 DiscardQ Backgro
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
12 0 2 0 0.00% 0.00% 0.00% 0 Timers
13 0 163 0 0.00% 0.00% 0.00% 0 WATCH_AFS
14 0 2 0 0.00% 0.00% 0.00% 0 ATM AutoVC Perio
15 0 2 0 0.00% 0.00% 0.00% 0 ATM VC Auto Crea
16 76 3024 25 0.00% 0.00% 0.00% 0 IOSXE heartbeat
17 0 13 0 0.00% 0.00% 0.00% 0 DB Lock Manager
18 0 1 0 0.00% 0.00% 0.00% 0 DB Notification
19 0 1 0 0.00% 0.00% 0.00% 0 IPC Apps Task
20 0 1 0 0.00% 0.00% 0.00% 0 ifIndex Receive
21 36 1210 29 0.00% 0.00% 0.00% 0 IPC Event Notifi
22 72 5904 12 0.00% 0.00% 0.00% 0 IPC Mcast Pendin
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
23 0 1 0 0.00% 0.00% 0.00% 0 Platform appsess
24 0 101 0 0.00% 0.00% 0.00% 0 IPC Dynamic Cach
25 16 1210 13 0.00% 0.00% 0.00% 0 IPC Service NonC
26 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone Manager
27 64 5904 10 0.00% 0.00% 0.00% 0 IPC Periodic Tim
28 76 5904 12 0.00% 0.00% 0.00% 0 IPC Deferred Por
29 0 1 0 0.00% 0.00% 0.00% 0 IPC Process leve
30 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat Manager
31 8 346 23 0.00% 0.00% 0.00% 0 IPC Check Queue
32 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat RX Cont
33 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat TX Cont
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
34 48 606 79 0.00% 0.00% 0.00% 0 IPC Keep Alive M
35 28 1210 23 0.00% 0.00% 0.00% 0 IPC Loadometer
36 0 1 0 0.00% 0.00% 0.00% 0 IPC Session Deta
37 0 1 0 0.00% 0.00% 0.00% 0 SENSOR-MGR event
38 4 606 6 0.00% 0.00% 0.00% 0 Compute SRP rate
39 0 1 0 0.00% 0.00% 0.00% 0 MEMLEAK PROCESS
40 0 1 0 0.00% 0.00% 0.00% 0 ARP Input
41 112 6331 17 0.00% 0.00% 0.00% 0 ARP Background
42 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
43 0 1 0 0.00% 0.00% 0.00% 0 ATM ASYNC PROC
44 0 1 0 0.00% 0.00% 0.00% 0 CEF MIB API
--More--
...
show process cpu platform sorted

CPU utilization for five seconds: 11%, one minute: 12%, five minutes: 12%

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


403
Process Health Monitoring
Cisco IOS Process Resources

Core 0: CPU utilization for five seconds: 1%, one minute: 3%, five minutes: 3%
Core 1: CPU utilization for five seconds: 1%, one minute: 3%, five minutes: 3%
Core 2: CPU utilization for five seconds: 1%, one minute: 1%, five minutes: 1%
Core 3: CPU utilization for five seconds: 42%, one minute: 42%, five minutes: 42%
Pid PPid 5Sec 1Min 5Min Status Size Name
--------------------------------------------------------------------------------
18246 17700 34% 34% 34% S 272500 qfp-ucode-sparr
18297 16477 1% 1% 1% S 165768 fman_fp_image
9992 9121 1% 1% 1% S 743608 linux_iosd-imag
27122 26048 0% 0% 0% S 8460 nginx
26048 25864 0% 0% 0% S 19252 nginx
25928 1 0% 0% 0% S 2960 rotee
25864 1 0% 0% 0% S 3532 pman.sh
24212 2 0% 0% 0% S 0 kworker/u8:0
19648 8282 0% 0% 0% S 220 sleep
19635 10903 0% 0% 0% S 212 sleep
18121 17675 0% 0% 0% S 10968 ngiolite
17979 1 0% 0% 0% S 1660 rotee
17863 2 0% 0% 0% S 0 kworker/1:0
17859 1 0% 0% 0% S 2836 rotee
17737 17095 0% 0% 0% S 56828 iomd
17700 13380 0% 0% 0% S 3556 pman.sh
17675 12798 0% 0% 0% S 3524 pman.sh
17518 16854 0% 0% 0% S 15024 hman
17312 1 0% 0% 0% S 2828 rotee
17095 12798 0% 0% 0% S 3568 pman.sh
17085 1 0% 0% 0% S 2876 rotee
16942 2 0% 0% 0% S 0 kworker/0:1
16892 14768 0% 0% 0% S 108952 cpp_cp_svr
16854 13380 0% 0% 0% S 3568 pman.sh
16716 1 0% 0% 0% S 2996 rotee
16664 15963 0% 0% 0% S 51096 cpp_sp_svr
16477 13380 0% 0% 0% S 3540 pman.sh
16326 15536 0% 0% 0% S 39852 cpp_ha_top_leve
16270 1 0% 0% 0% S 2972 rotee
15963 13380 0% 0% 0% S 3528 pman.sh
15779 15163 0% 0% 0% S 55208 cpp_driver
15730 1 0% 0% 0% S 1640 rotee
15536 13380 0% 0% 0% S 3528 pman.sh
15412 1 0% 0% 0% S 1716 rotee
15274 14681 0% 0% 0% S 15004 hman
15163 13380 0% 0% 0% S 3624 pman.sh
15083 14361 0% 0% 0% S 26792 cman_fp
15057 1 0% 0% 0% S 1660 rotee
14891 1 0% 0% 0% S 2868 rotee
14768 13380 0% 0% 0% S 3568 pman.sh
14722 14127 0% 0% 0% S 27536 cmcc
14717 14108 0% 0% 0% S 15220 btman
14681 12798 0% 0% 0% S 3572 pman.sh
14627 1 0% 0% 0% S 2996 rotee
14361 13380 0% 0% 0% S 3596 pman.sh
14338 1 0% 0% 0% S 2984 rotee
14314 1 0% 0% 0% S 2824 rotee
14155 13577 0% 0% 0% S 15128 btman
14127 12798 0% 0% 0% S 3612 pman.sh
14108 13380 0% 0% 0% S 3572 pman.sh
13813 13380 0% 0% 0% S 252 inotifywait
--More--

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


404
Process Health Monitoring
Overall Control Plane Resources

Overall Control Plane Resources


Control plane memory and CPU utilization on each control processor allows you to keep a tab on the overall
control plane resources. You can use the show platform software status control-processor brief command
(summary view) or the show platform software status control-processor command (detailed view) to view
control plane memory and CPU utilization information.
All control processors should show status, Healthy. Other possible status values are Warning and Critical.
Warning indicates that the router is operational, but that the operating level should be reviewed. Critical
implies that the router is nearing failure.
If you see a Warning or Critical status, take the following actions:
• Reduce the static and dynamic loads on the system by reducing the number of elements in the configuration
or by limiting the capacity for dynamic services.
• Reduce the number of routes and adjacencies, limit the number of ACLs and other rules, reduce the
number of VLANs, and so on.

The following sections describe the fields in the show platform software status control-processor command
output.

Load Average
Load average represents the process queue or process contention for CPU resources. For example, on a
single-core processor, an instantaneous load of 7 would mean that seven processes are ready to run, one of
which is currently running. On a dual-core processor, a load of 7 would mean that seven processes are ready
to run, two of which are currently running.

Memory Utilization
Memory utilization is represented by the following fields:
• Total—Total system memory
• Used—Consumed memory
• Free—Available memory
• Committed—Virtual memory committed to processes

CPU Utilization
CPU utilization is an indication of the percentage of time the CPU is busy, and is represented by the following
fields:
• CPU—Allocated processor
• User—Non-Linux kernel processes
• System—Linux kernel process
• Nice—Low-priority processes
• Idle—Percentage of time the CPU was inactive
• IRQ—Interrupts

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


405
Process Health Monitoring
Overall Control Plane Resources

• SIRQ—System Interrupts
• IOwait—Percentage of time CPU was waiting for I/O

Example: show platform software status control-processor Command


The following are some examples of using the show platform software status control-processor
command:
Router# show platform software status control-processorRP0: online, statistics updated 4
seconds ago
Load Average: healthy
1-Min: 0.29, status: healthy, under 5.00
5-Min: 0.51, status: healthy, under 5.00
15-Min: 0.54, status: healthy, under 5.00
Memory (kb): healthy
Total: 4038072
Used: 2872136 (71%), status: healthy
Free: 1165936 (29%)
Committed: 2347228 (58%), under 90%
Per-core Statistics
CPU0: CPU Utilization (percentage of time spent)
User: 1.00, System: 0.70, Nice: 0.00, Idle: 97.88
IRQ: 0.30, SIRQ: 0.10, IOwait: 0.00
CPU1: CPU Utilization (percentage of time spent)
User: 0.70, System: 0.30, Nice: 0.00, Idle: 98.48
IRQ: 0.30, SIRQ: 0.20, IOwait: 0.00
CPU2: CPU Utilization (percentage of time spent)
User: 0.20, System: 1.11, Nice: 0.00, Idle: 98.27
IRQ: 0.40, SIRQ: 0.00, IOwait: 0.00
CPU3: CPU Utilization (percentage of time spent)
User: 8.23, System: 24.37, Nice: 0.00, Idle: 58.00
IRQ: 9.26, SIRQ: 0.11, IOwait: 0.00

Router# show platform software status control-processor briefLoad Average


Slot Status 1-Min 5-Min 15-Min
RP0 Healthy 0.28 0.46 0.52

Memory (kB)
Slot Status Total Used (Pct) Free (Pct) Committed (Pct)
RP0 Healthy 4038072 2872672 (71%) 1165400 (29%) 2349820 (58%)

CPU Utilization
Slot CPU User System Nice Idle IRQ SIRQ IOwait
RP0 0 0.70 0.20 0.00 98.58 0.30 0.20 0.00
1 1.10 0.90 0.00 97.59 0.30 0.10 0.00
2 0.40 1.31 0.00 97.87 0.40 0.00 0.00
3 8.00 26.55 0.00 56.33 8.99 0.11 0.00

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


406
Process Health Monitoring
Monitoring Hardware Using Alarms

Monitoring Hardware Using Alarms


Router Design and Monitoring Hardware
The router sends alarm notifications when problems are detected, allowing you to monitor the network remotely.
You do not need to use show commands to poll devices on a routine basis; however, you can perform onsite
monitoring if you choose.

BootFlash Disk Monitoring


The bootflash disk must have enough free space to store two core dumps. This condition is monitored, and if
the bootflash disk is too small to store two core dumps, a syslog alarm is generated, as shown in the following
example:
Oct 6 14:10:56.292: %FLASH_CHECK-3-DISK_QUOTA: R0/0: flash_check: Flash disk quota exceeded

[free space is 1429020 kB] - Please clean up files on bootflash.

Approaches for Monitoring Hardware Alarms


Viewing the Console or Syslog for Alarm Messages
The network administrator can monitor alarm messages by reviewing alarm messages sent to the system
console or to a system message log (syslog).

Enabling the logging alarm Command


The logging alarm command must be enabled for the system to send alarm messages to a logging device,
such as the console or a syslog. This command is not enabled by default.
You can specify the severity level of the alarms to be logged. All the alarms at and above the specified threshold
generate alarm messages. For example, the following command sends only critical alarm messages to logging
devices:
Router(config)# logging alarm critical

If alarm severity is not specified, alarm messages for all severity levels are sent to logging devices.

Network Management System Alerts a Network Administrator when an Alarm is Reported Through
SNMP
The SNMP is an application-layer protocol that provides a standardized framework and a common language
used for monitoring and managing devices in a network.
SNMP provides notification of faults, alarms, and conditions that might affect services. It allows a network
administrator to access router information through a network management system (NMS) instead of reviewing
logs, polling devices, or reviewing log reports.
To use SNMP to get alarm notification, use the following MIBs:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


407
Process Health Monitoring
Network Management System Alerts a Network Administrator when an Alarm is Reported Through SNMP

• ENTITY-MIB, RFC4133 (required for the CISCO-ENTITY-ALARM-MIB, ENTITY-STATE-MIB and


CISCO-ENTITY-SENSOR-MIB to work)
• CISCO-ENTITY-ALARM-MIB
• ENTITY-STATE-MIB
• CISCO-ENTITY-SENSOR-MIB (for transceiver environmental alarm information, which is not provided
through the CISCO-ENTITY-ALARM-MIB)

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


408
CHAPTER 39
Troubleshooting
This section describes the troubleshooting scenarios.
Before troubleshooting a software problem, you must connect a PC to the router via the console port. With a
connected PC, you can view status messages from the router and enter commands to troubleshoot a problem.
You can also remotely access the interface by using Telnet. The Telnet option assumes that the interface is
up and running.
• Understanding Diagnostic Mode, on page 409
• Before Contacting Cisco or Your Reseller, on page 410
• show interfaces Troubleshooting Command, on page 410
• Software Upgrade Methods, on page 410
• Change the Configuration Register, on page 411
• Recovering a Lost Password, on page 414

Understanding Diagnostic Mode


The router boots up or accesses diagnostic mode in the following scenarios:
• The IOS process or processes fail, in some scenarios. In other scenarios, the system resets when the IOS
process or processes fail.
• A user-configured access policy was configured using the transport-map command that directs the user
into the diagnostic mode.
• A send break signal (Ctrl-C or Ctrl-Shift-6) was entered while accessing the router, and the router was
configured to enter diagnostic mode when a break signal was sent.

In the diagnostic mode, a subset of the commands that are available in user EXEC mode are made available
to the users. Among other things, these commands can be used to:
• Inspect various states on the router, including the IOS state.
• Replace or roll back the configuration.
• Provide methods of restarting the IOS or other processes.
• Reboot hardware, such as the entire router, a module, or possibly other hardware components.
• Transfer files into or off of the router using remote access methods such as FTP, TFTP, and SCP.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


409
Troubleshooting
Before Contacting Cisco or Your Reseller

The diagnostic mode provides a more comprehensive user interface for troubleshooting than previous routers,
which relied on limited access methods during failures, such as ROMMON, to diagnose and troubleshoot
Cisco IOS problems. The diagnostic mode commands can work when the Cisco IOS process is not working
properly. These commands are also available in privileged EXEC mode on the router when the router is
working normally.

Before Contacting Cisco or Your Reseller


If you cannot locate the source of a problem, contact your local reseller for advice. Before you call, you should
have the following information ready:
• Chassis type and serial number
• Maintenance agreement or warranty information
• Type of software and version number
• Date you received the hardware
• Brief description of the problem
• Brief description of the steps you have taken to isolate the problem

show interfaces Troubleshooting Command


Use the show interfaces command to display the status of all physical ports and logical interfaces on the
router. #unique_500 unique_500_Connect_42_tab_1055127describes messages in the command output.
The IR1101 supports the following interfaces:
GigabitEthernet 0/0/0
Cellular 0/1/0
FastEthernet 0/0/1 to 0/0/4
Async 0/2/0

Software Upgrade Methods


Several methods are available for upgrading software on the Cisco IR1101 Routers, including:
• Copy the new software image to flash memory over LAN or WAN when the existing Cisco IOS software
image is in use.
• Copy the new software image to flash memory over the LAN while the boot image (ROM monitor) is
operating.
• Copy the new software image over the console port while in ROM monitor mode.
• From ROM monitor mode, boot the router from a software image that is loaded on a TFTP server. To
use this method, the TFTP server must be on the same LAN as the router.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


410
Troubleshooting
Change the Configuration Register

Change the Configuration Register


To change a configuration register, follow these steps:

Step 1 Connect a PC to the CONSOLE port on the router.


Step 2 At the privileged EXEC prompt (router_name #), enter the show version command to display the existing configuration
register value (shown in bold at the bottom of this output example):
Example:

Router# show version


Cisco IOS XE Software, Version 16.10.01
Cisco IOS Software [Gibraltar], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9-M), Version 16.10.1,
RELEASE
SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Fri 09-Nov-18 18:08 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2018 by cisco Systems, Inc.


All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

Router uptime is 14 hours, 36 minutes


Uptime for this control processor is 14 hours, 37 minutes
System returned to ROM by reload
System restarted at 08:47:04 GMT Mon Nov 12 2018
System image file is "bootflash:ir1101-universalk9.16.10.01.SPA.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United


States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to


[email protected].

Technology Package License Information:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


411
Troubleshooting
Configuring the Configuration Register for Autoboot

------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
network-essentials Smart License network-essentials

Smart Licensing Status: UNREGISTERED/EVAL MODE

cisco IR1101-K9 (ARM64) processor (revision 1.2 GHz) with 711861K/6147K bytes of memory.
Processor board ID FCW222700MY
3 Virtual Ethernet interfaces
4 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Serial interface
1 terminal line
2 Cellular interfaces
32768K bytes of non-volatile configuration memory.
4038072K bytes of physical memory.
3110864K bytes of Bootflash at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x1821

Router#

Step 3 Record the setting of the configuration register.


Step 4 To enable the break setting (indicated by the value of bit 8 in the configuration register), enter the config-register 0x01
command from privileged EXEC mode.
• Break enabled—Bit 8 is set to 0.
• Break disabled (default setting)—Bit 8 is set to 1.

Configuring the Configuration Register for Autoboot

Note Altering the configuration register is only for advanced troubleshooting and should only be done with
guidance from Cisco support.

The configuration register can be used to change router behavior. This includes controlling how the router
boots. Set the configuration register to 0x0 to boot into ROM, by using one of the following commands:
• In Cisco IOS configuration mode, use the config-reg 0x0 command.
• From the ROMMON prompt, use the confreg 0x0 command.

Note Setting the configuration register to 0x2102 will set the router to autoboot the Cisco IOS XE software.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


412
Troubleshooting
Reset the Router

Reset the Router


To reset the router, follow these steps:

Procedure

Command or Action Purpose


Step 1 If break is disabled, turn the router off (O), wait 5 seconds, Note Some terminal keyboards have a key labeled
and turn it on (|) again. Within 60 seconds, press the Break Break . If your keyboard does not have a Break
key. The terminal displays the ROM monitor prompt. key, see the documentation that came with the
terminal for instructions on how to send a break.

Step 2 Press break. The terminal displays the following prompt:


Example:

rommon 2>

Step 3 Enter confreg 0x142 to reset the configuration register:


Example:

rommon 2> confreg 0x142

Step 4 Initialize the router by entering the reset command: The router cycles its power, and the configuration register
is set to 0x142. The router uses the boot ROM system
Example:
image, indicated by the system configuration dialog:
rommon 2> reset

Example:

--- System Configuration Dialog ---

Step 5 Enter no in response to the prompts until the following


message is displayed:
Example:

Press RETURN to get started!

Step 6 Press Return. The following prompt appears:


Example:

Router>

Step 7 Enter the enable command to enter enable mode. The prompt changes to the privileged EXEC prompt:
Configuration changes can be made only in enable mode:
Example:

Router> enable

Example:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


413
Troubleshooting
Recovering a Lost Password

Command or Action Purpose

Router#

Step 8 Enter the show startup-config command to display an


enable password in the configuration file:
Example:

Router# show startup-config

What to do next
If you are recovering an enable password, do not perform the steps in the Reset the Password and Save Your
Changes section. Instead, complete the password recovery process by performing the steps in the Reset the
Configuration Register Value section.
If you are recovering an enable secret password, it is not displayed in the show startup-config command
output. Complete the password recovery process by performing the steps in the Reset the Password and Save
Your Changes section.

Recovering a Lost Password


To recover a lost enable or lost enable-secret password, refer to the following sections:
1. Change the Configuration Register
2. Reset the Router
3. Reset the Password and Save your Changes (for lost enable secret passwords only)
4. Reset the Configuration Register Value.
5. If you have performed a write erase, or used the reset button, you will need to add the license.
IR1101#config term
IR1101#license smart reservation

Note Recovering a lost password is only possible when you are connected to the router through the console
port. These procedures cannot be performed through a Telnet session.

Tip See the “Hot Tips” section on Cisco.com for additional information on replacing enable secret passwords.

Reset the Password and Save Your Changes


To reset your password and save the changes, follow these steps:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


414
Troubleshooting
Password Recovery Disable

Procedure

Command or Action Purpose


Step 1 Enter the configure terminal command to enter global
configuration mode:
Example:

Router# configure terminal

Step 2 Enter the enable secret command to reset the enable secret
password in the router:
Example:

Router(config)# enable secret


password

Step 3 Enter exit to exit global configuration mode:


Example:

Router(config)# exit

Step 4 Save your configuration changes:


Example:

Router# copy running-config startup-config

Password Recovery Disable


The No Service Password-Recovery is a Cisco IOS Platform independent feature/CLI which is available in
Cisco IOS-XE devices. When the No Service Password-Recovery security feature is enabled, it prevents
anyone with console access from using a break sequence (Control+C) during bootup to enter into rommon.

Note Ensure a valid Cisco IOS image is present in flash before enabling this feature. Failure to do so will
result in the router going into a into boot loop. Hard power reset button is disabled if system has no
service password recovery.

The following events will cause the router to go into rommon mode as standard IOS-XE behavior:
• config-reg setting is manual boot
• User opts to reset to factory default option

For more information and configuration steps, refer to the following:https://www.cisco.com/c/en/us/td/docs/


ios-xml/ios/sec_usr_cfg/configuration/15-sy/sec-usr-cfg-15-sy-book/sec-no-svc-pw-recvry.html

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


415
Troubleshooting
Reset the Configuration Register Value

Config register change issue with service password recovery update


When service password recovery is disabled, then the config register cannot be changed and will be stuck at
0x01. This issue was found on the IR1101 Router. For additional information see the tech note Understand
Configuration Register Usage on all Routers.

Reset the Configuration Register Value


To reset the configuration register value after you have recovered or reconfigured a password, follow these
steps:

Procedure

Command or Action Purpose


Step 1 Enter the configure terminal command to enter global
configuration mode:
Example:

Router# configure terminal

Step 2 Enter the configure register command and the original


configuration register value that you recorded.
Example:

Router(config)# config-reg
value

Step 3 Enter exit to exit configuration mode: Note To return to the configuration being used before
you recovered the lost enable password, do not
Example:
save the configuration changes before rebooting
the router.
Router(config)# exit

Step 4 Reboot the router, and enter the recovered password.

Configuring a Console Port Transport Map


This task describes how to configure a transport map for a console port interface on the router.

Procedure

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
Example: Enter your password if prompted.

Router> enable

Step 2 configure terminal Enters global configuration mode.


Example:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


416
Troubleshooting
Configuring a Console Port Transport Map

Command or Action Purpose

Router# configure terminal

Step 3 transport-map type console transport-map-name Creates and names a transport map for handling console
connections, and enters transport map configuration mode.
Example:

Router(config)# transport-map type console


consolehandler

Step 4 connection wait [allow [interruptible] | none Specifies how a console connection will be handled using
[disconnect]] this transport map.
Example: • allow interruptible—The console connection waits
for a Cisco IOS VTY line to become available, and
Router(config-tmap)# connection wait none also allows users to enter diagnostic mode by
interrupting a console connection that is waiting for a
Cisco IOS VTY line to become available. This is the
default setting.
Note Users can interrupt a waiting connection by
entering Ctrl-C or Ctrl-Shift-6.
• none—The console connection immediately enters
diagnostic mode.

Step 5 (Optional) banner [diagnostic | wait] banner-message (Optional) Creates a banner message that will be seen by
users entering diagnostic mode or waiting for the Cisco IOS
Example:
VTY line because of the console transport map
configuration.
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'. • diagnostic—Creates a banner message seen by users
--Welcome to Diagnostic Mode--
directed to diagnostic mode because of the console
X
Router(config-tmap)# transport map configuration.
Note Users can interrupt a waiting connection by
entering Ctrl-C or Ctrl-Shift-6.
• wait—Creates a banner message seen by users waiting
for Cisco IOS VTY to become available.
• banner-message—Banner message, which begins and
ends with the same delimiting character.

Step 6 exit Exits transport map configuration mode to re-enter global


configuration mode.
Example:

Router(config-tmap)# exit

Step 7 transport type console console-line-number input Applies the settings defined in the transport map to the
transport-map-name console interface.
Example:

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


417
Troubleshooting
Viewing Console Port, SSH, and Telnet Handling Configurations

Command or Action Purpose


The transport-map-name for this command must match the
Router(config)# transport type console 0 input
transport-map-name defined in the transport-map type
consolehandler
console command.

Examples
The following example shows how to create a transport map to set console port access policies and
attach to console port 0:
Router(config)# transport-map type console consolehandler
Router(config-tmap)# connection wait allow interruptible
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'.
--Welcome to diagnostic mode--
X
Router(config-tmap)# banner wait X
Enter TEXT message. End with the character 'X'.
Waiting for IOS vty line
X
Router(config-tmap)# exit
Router(config)# transport type console 0 input consolehandler

Viewing Console Port, SSH, and Telnet Handling Configurations


Use the following commands to view console port, SSH, and Telnet handling configurations:
• show transport-map
• show platform software configuration access policy

Use the show transport-map command to view transport map configurations.


show transport-map [all | name transport-map-name | type [console ]]
This command can be used either in user EXEC mode or privileged EXEC mode.

Example
The following example shows transport maps that are configured on the router: console port (consolehandler):
Router# show transport-map all
Transport Map:
Name: consolehandler Type: Console Transport

Connection:
Wait option: Wait Allow Interruptable Wait banner:

Waiting for the IOS CLI bshell banner:


Welcome to Diagnostic Mode

Router# show transport-map type console


Transport Map:
Name: consolehandler

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


418
Troubleshooting
Using the factory reset Commands

REVIEW DRAFT - CISCO CONFIDENTIAL

Type: Console Transport

Connection:
Wait option: Wait Allow Interruptable Wait banner:

Waiting for the IOS CLI Bshell banner:


Welcome to Diagnostic Mode

Router# show transport-map type persistent ssh


Transport Map:
Name: consolehandler Type: Console Transport

Connection:
Wait option: Wait Allow Interruptable Wait banner:

Waiting for the IOS CLI Bshell banner:


Welcome to Diagnostic Mode

Use the show platform software configuration access policy command to view the current configurations
for handling the incoming console port, SSH, and Telnet connections. The output of this command provides
the current wait policy for each type of connection (Telnet, SSH, and console), as well as information on the
currently configured banners.
Unlike the show transport-map command, the show platform software configuration access policy
command is available in diagnostic mode so that it can be entered in scenarios where you need transport map
configuration information, but cannot access the Cisco IOS CLI.

Example
The following example shows the show platform software configuration access policy command.
Router# show platform software configuration access policy
The current access-policies

Method : telnet
Rule : wait with interrupt Shell banner:
Welcome to Diagnostic Mode

Wait banner :
Waiting for IOS Process

Method : ssh Rule : wait Shell banner: Wait banner :

Method : console
Rule : wait with interrupt Shell banner:
Wait banner :

Using the factory reset Commands


The factory reset commands are used to remove all the customer specific data on a router/switch that has
been added. The data can be configuration, log files, boot variables, core files, and so on.

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


419
Troubleshooting
Using the factory reset Commands

The factory-reset all command erases the bootflash, nvram, rommon variables, licenses, and logs.

Router#factory-reset all
The factory reset operation is irreversible for all operations. Are you sure? [confirm]
*Enter*

*May 12 09:55:45.831: %SYS-5-RELOAD: Reload requested by Exec. Reload Reason: Factory Reset.

***Return to ROMMON Prompt

Cisco Catalyst IR1101 Rugged Series Router Software Configuration Guide


420

You might also like