IR1101 Configuration Guide
First Published: 2018-05-18
Last Modified: 2022-12-19
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2018–2022 Cisco Systems, Inc. All rights reserved.
Full Cisco Trademarks with Software License
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL
ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND
RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED
WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL
RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT
ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND
ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE
FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the
University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating
system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE
OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE
ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING,
WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL,
CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST
PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE
THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual
addresses and phone numbers. Any examples, command display output, network topology diagrams, and
other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses
or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current
online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at
www.cisco.com/go/offices.
The documentation set for this product strives to use bias-free language. For purposes of this documentation
set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial
identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be
present in the documentation due to language that is hardcoded in the user interfaces of the product software,
language used based on standards documentation, or language that is used by a referenced third-party product.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and
other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/
legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use
of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Note The documentation set for this product strives to use bias-free language. For purposes of this
documentation set, bias-free is defined as language that does not imply discrimination based on age,
disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and
intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in
the user interfaces of the product software, language used based on RFP documentation, or language
that is used by a referenced third-party product.
The IR1101 also has two Expansion Modules that add key capabilities such as dual LTE Pluggables, mSATA
SSD FRU, SFP, additional Ethernet and async ports, and Digital GPIO connections.
The IR1101 is the first IoT platform to run the Cisco IOS-XE operating system. IOS-XE is a Linux-based OS
that comes with many enhancements and more features compared to the classic IOS version.
This section of the guide also includes:
Item  Description
9     Reset Button
• IRM-1100-SPMI
• IRM-1100-SP
The following figure shows the front panel of the IRM-1100-SPMI and highlights some of its capabilities:
Figure 2: IR-1100-SPMI Expansion Module Details
Item  Description
2     SFP Connector
3     Pluggable Module
The IR-1100-SP Expansion Module is the same as the IR-1100-SPMI module, without the Digital I/O and
mSATA components.
More information can be found in IRM-1101 Expansion Module, on page 281.
Complete details on the IR1101 can be found in the product data sheet.
The IRM-1100-4A2T Ethernet interfaces are Layer 2 RJ45 10/100/1000 Mbps ports.
The IRM-1100-4A2T serial ports are RJ45 combo ports (RS232/RS485/RS422).
The IR1101 has two sides that expansion modules mount to. The top is called the Expansion side, and the
bottom is called the Compute side. If the additional module is connected to the top, then it is referenced as
the Expansion Module (EM) side. If the additional module is connected on the bottom, then it is referenced
as the Compute Module (CM) side. Functionality differs depending on which side the expansion module is
attached to, how many expansion modules are in use, and of which type they are.
The IRM-1100-4A2T can be managed from the following tools:
• Cisco DNA Center
• WebUI
Would you like to enter the initial configuration dialog? [yes/no]: yes
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Any interface listed with OK? value "NO" does not have a valid configuration
Note Names and IP addresses in this next section are shown as examples.
hostname <your-hostname>
enable secret 9 $9$Z6fl74fvoEdMgU$XZYs8l4phbqpXsb48l9bzCng3u4Bc2kh1STsoLoHNes
enable password <your-enable-password>
line vty 0 4
password <your-password>
username <your-username> privilege 15 password <your-password>
no snmp-server
!
!
interface GigabitEthernet0/0/0
shutdown
no ip address
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface FastEthernet0/0/4
!
interface Vlan1
no shutdown
ip address 192.168.1.1 255.255.255.0
no mop enabled
ip dhcp pool wDHCPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
end
[OK]
Use the enabled mode 'configure' command to modify this configuration.
The device now has a basic configuration that you can build upon.
Step 2 (Go to Step 3 if the enable password has not been configured.) At the password prompt, enter your system password:
Password: enablepass
When your password is accepted, the privileged EXEC mode prompt is displayed.
Router#
You now have access to the CLI in privileged EXEC mode and you can enter the necessary commands to complete your
desired tasks.
For more information about AAA services, see the Cisco IOS XE Security Configuration Guide: Secure
Connectivity and the Cisco IOS Security Command Reference documents. For more information about the
login line-configuration command, see the Cisco IOS Terminal Services Command Reference document.
In addition, before you make a Telnet connection to the router, you must have a valid hostname for the router
or have an IP address configured on the router. For more information about the requirements for connecting
to the router using Telnet, information about customizing your Telnet services, and using Telnet key sequences,
see the Cisco IOS Configuration Fundamentals Configuration Guide.
Step 1 From your terminal or PC, enter one of the following commands:
• connect host [port] [keyword]
• telnet host [port] [keyword]
Here, host is the router hostname or IP address, port is a decimal port number (23 is the default), and keyword is a
supported keyword. For more information about these commands, see the Cisco IOS Terminal Services Command
Reference document.
Note If you are using an access server, specify a valid port number, such as telnet 172.20.52.40 2004, in addition to
the hostname or IP address.
The following example shows how to use the telnet command to connect to a router named router:
unix_host% telnet router
Trying 172.20.52.40...
Connected to 172.20.52.40.
Escape character is '^]'.
unix_host% connect
Step 5 When the enable password is accepted, the privileged EXEC mode prompt is displayed:
Router#
Step 6 You now have access to the CLI in privileged EXEC mode and you can enter the necessary commands to complete your
desired tasks.
Step 7 To exit the Telnet session, use the exit or logout command.
Router# logout
The value of minutes sets the amount of time that the CLI waits before timing out. Setting the CLI session timeout
increases the security of a CLI session. Specify a value of 0 for minutes to disable session timeout.
Step 2 Enter the line upon which you want to be able to use the lock command.
Router(config)# line console 0
mode, you can enter interface configuration mode and a variety of other modes, such as protocol-specific
modes.
ROM monitor mode is a separate mode used when the Cisco IOS XE software cannot load properly. If a valid
software image is not found when the software boots or if the configuration file is corrupted at startup, the
software might enter ROM monitor mode.
The following table describes how to access and exit various common command modes of the Cisco IOS XE
software. It also shows examples of the prompts displayed for each mode.
Mode: Privileged EXEC
Access method: From user EXEC mode, use the enable command.
Prompt: Router#
Exit method: To return to user EXEC mode, use the disable command.
Keyboard Shortcuts
Commands are not case sensitive. You can abbreviate commands and parameters if the abbreviations contain
enough letters to be different from any other currently available commands or parameters.
The following table lists the keyboard shortcuts for entering and editing commands.
Command                              Purpose
Ctrl-B or the Left Arrow key [1]     Move the cursor back one character.
Ctrl-F or the Right Arrow key [1]    Move the cursor forward one character.
Ctrl-P or the Up Arrow key [1]       Recalls commands in the history buffer, beginning with the most recent
                                     command. Repeat the key sequence to recall successively older commands.
Ctrl-N or the Down Arrow key [1]     Returns to more recent commands in the history buffer after recalling
                                     commands with Ctrl-P or the Up Arrow key.
Router# show history                 While in EXEC mode, lists the last few commands you entered.
[1] The arrow keys function only on ANSI-compatible terminals such as VT100s.
It may take a few minutes to save the configuration. After the configuration has been saved, the following
output is displayed:
[OK]
Router#
show command | {append | begin | exclude | include | redirect | section | tee} regular-expression
The output matches certain lines of information in the configuration file.
Example
In this example, a modifier of the show interface command (include protocol) is used to provide only the
output lines in which the expression protocol is displayed:
Router# show interface | include protocol
GigabitEthernet0/0/0 is administratively down, line protocol is down (disabled)
0 unknown protocol drops
FastEthernet0/0/1 is down, line protocol is down (notconnect)
0 unknown protocol drops
FastEthernet0/0/2 is down, line protocol is down (notconnect)
0 unknown protocol drops
FastEthernet0/0/3 is down, line protocol is down (notconnect)
0 unknown protocol drops
FastEthernet0/0/4 is down, line protocol is down (notconnect)
0 unknown protocol drops
GigabitEthernet0/0/5 is up, line protocol is up (connected)
0 unknown protocol drops
Cellular0/1/0 is up, line protocol is up
0 unknown protocol drops
Cellular0/1/1 is administratively down, line protocol is down
0 unknown protocol drops
Cellular0/3/0 is up, line protocol is up
0 unknown protocol drops
Cellular0/3/1 is administratively down, line protocol is down
0 unknown protocol drops
Async0/2/0 is up, line protocol is down
0 unknown protocol drops
Vlan1 is up, line protocol is up , Autostate Enabled
0 unknown protocol drops
Vlan172 is up, line protocol is down , Autostate Enabled
0 unknown protocol drops
Vlan175 is down, line protocol is down , Autostate Enabled
0 unknown protocol drops
IR1101#
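The output modifiers listed above (include, exclude, begin, section) are regular-expression filters applied line by line to what the show command would otherwise print. The following Python script is an added example, not part of the Cisco guide, that reproduces those four filters over a constructed sample modelled on the show interface output above, so the semantics of each modifier can be checked offline. The section modifier is implemented as "a non-indented line plus the indented lines under it", kept when the non-indented line matches; that is a simplification of the IOS rules, which is an assumption of this example.

```python
import re

# Constructed sample modelled on the "show interface | include protocol" output
# in this guide; it is not a capture from a live IR1101.
SAMPLE_SHOW_INTERFACE = """\
GigabitEthernet0/0/0 is administratively down, line protocol is down (disabled)
  0 unknown protocol drops
FastEthernet0/0/1 is down, line protocol is down (notconnect)
  0 unknown protocol drops
Cellular0/1/0 is up, line protocol is up
  0 unknown protocol drops
Vlan1 is up, line protocol is up , Autostate Enabled
  0 unknown protocol drops
"""


def apply_output_filter(output: str, modifier: str, pattern: str) -> list[str]:
    """Apply one IOS-style output modifier (include, exclude, begin, section)
    to `output` and return the surviving lines.

    Matching is a regular-expression search, as with the IOS filters. The
    `section` modifier here treats a non-indented line plus the indented
    lines under it as one section and keeps the section when its
    non-indented line matches (a simplification of the IOS behaviour).
    """
    regex = re.compile(pattern)
    lines = output.splitlines()
    if modifier == "include":
        return [ln for ln in lines if regex.search(ln)]
    if modifier == "exclude":
        return [ln for ln in lines if not regex.search(ln)]
    if modifier == "begin":
        # Everything from the first matching line to the end of the output.
        for idx, ln in enumerate(lines):
            if regex.search(ln):
                return lines[idx:]
        return []
    if modifier == "section":
        kept, in_section = [], False
        for ln in lines:
            if not ln[:1].isspace():          # a non-indented line starts a section
                in_section = bool(regex.search(ln))
            if in_section:
                kept.append(ln)
        return kept
    raise ValueError(f"unsupported modifier: {modifier}")


def run_piped_command(output: str, command: str) -> list[str]:
    """Parse 'show ... | <modifier> <regex>' and apply the modifier to
    `output`, which stands in for what the unfiltered command would print."""
    base, _, filt = command.partition("|")
    modifier, _, pattern = filt.strip().partition(" ")
    if not base.strip().startswith("show") or not pattern:
        raise ValueError("expected: show <command> | <modifier> <regex>")
    return apply_output_filter(output, modifier.strip(), pattern.strip())


if __name__ == "__main__":
    for ln in run_piped_command(SAMPLE_SHOW_INTERFACE, "show interface | include protocol"):
        print(ln)
```

Because every modifier is a regular-expression search rather than a literal match, a pattern such as `^Cellular` anchors to the start of the line and avoids matching interface names that merely contain the text elsewhere.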
Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help that is specific to a command mode, a command, a keyword, or an argument, use one of the
following commands.
Command Purpose
itself indicates that no more arguments or keywords are available, and that you must press Enter to complete
the command.
The following table shows examples of using the question mark (?) to assist you in entering commands.
Command:
  Router> enable
  Password: <password>
  Router#
Comment: Enter the enable command and password to access privileged EXEC commands. You are in privileged
EXEC mode when the prompt changes to a "#" from the ">", for example, Router> to Router#.

Command:
  Router# configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  Router(config)#
Comment: Enter the configure terminal privileged EXEC command to enter global configuration mode. You
are in global configuration mode when the prompt changes to Router(config)#.

Command:
  Router(config)# interface GigabitEthernet ?
    <0-0> GigabitEthernet interface number
  Router(config)# interface GigabitEthernet 0/?
    <0-5> Port Adapter number
  Router(config)# interface GigabitEthernet 0/0/?
    <0-63> GigabitEthernet interface number
  Router(config)# interface GigabitEthernet 0/0/0?
    . <0-71>
  Router(config-if)#
Comment: Enter interface configuration mode by specifying the interface that you want to configure, using
the interface GigabitEthernet global configuration command. Enter ? to display what you must enter next on
the command line. When the <cr> symbol is displayed, you can press Enter to complete the command. You are
in interface configuration mode when the prompt changes to Router(config-if)#.

Command:
  Router(config-if)# ?
  Interface configuration commands:
    .
    .
    .
    ip         Interface Internet Protocol config commands
    keepalive  Enable keepalive
    lan-name   LAN Name command
    llc2       LLC2 Interface Subcommands
Comment: Enter ? to display a list of all the interface configuration commands available for the interface.
This example shows only some of the available interface configuration commands.

Command:
  Router(config-if)# ip ?
  Interface IP configuration subcommands:
    access-group    Specify access control for packets
    accounting      Enable IP accounting on this interface
    address         Set the IP address of an interface
    authentication  authentication subcommands
Comment: Enter the command that you want to configure for the interface. This example uses the ip command.
Enter ? to display what you must enter next on the command line. This example shows only some of the
available interface IP configuration commands.

Command:
  Router(config-if)# ip address ?
    A.B.C.D     IP address
    negotiated  IP Address negotiated over PPP
  Router(config-if)# ip address
Comment: Enter the command that you want to configure for the interface. This example uses the ip address
command. Enter ? to display what you must enter next on the command line. In this example, you must enter
an IP address or the negotiated keyword. A carriage return (<cr>) is not displayed. Therefore, you must
enter additional keywords or arguments to complete the command.

Command:
  Router(config-if)# ip address 172.16.0.1 ?
    A.B.C.D  IP subnet mask
  Router(config-if)# ip address 172.16.0.1
Comment: Enter the keyword or argument that you want to use. This example uses the 172.16.0.1 IP address.
Enter ? to display what you must enter next on the command line. In this example, you must enter an IP
subnet mask. <cr> is not displayed. Therefore, you must enter additional keywords or arguments to complete
the command.

Command:
  Router(config-if)# ip address 172.16.0.1 255.255.255.0 ?
    secondary  Make this IP address a secondary address
    <cr>
  Router(config-if)# ip address 172.16.0.1 255.255.255.0
Comment: Enter the IP subnet mask. This example uses the 255.255.255.0 IP subnet mask. Enter ? to display
what you must enter next on the command line. In this example, you can enter the secondary keyword, or you
can press Enter. <cr> is displayed. Press Enter to complete the command, or enter another keyword.

Command:
  Router(config-if)# ip address 172.16.0.1 255.255.255.0
  Router(config-if)#
Comment: Press Enter to complete the command.
Release notes are intended to be release-specific for the most current release, and the information provided
in these documents may not be cumulative in providing information about features that first appeared in
previous releases. For cumulative feature information, refer to the Cisco Feature Navigator at:
http://www.cisco.com/go/cfn/.
USB:    usbflash0:
mSATA:  msata
Interface names for the different expansion modules are found in the following chapters:
• IRM-1100-4A2T Expansion Module, on page 293
Basic Configuration
The basic configuration is a result of the entries you made during the initial configuration dialog. This means
the router has at least one interface set with an IP address to be reachable, either through WebUI or to allow
the PnP process to work. Use the show running-config command to view the initial configuration, as shown
in the following example:
Router# show running-config
Building configuration...
revocation-check none
rsakeypair TP-self-signed-756885843
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
crypto pki certificate chain TP-self-signed-756885843
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37353638 38353834 33301E17 0D313930 35333130 30303530
385A170D 33303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3735 36383835
38343330 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 82010A02
82010100 D2F61742 3B651909 95856431 9BC2CCB7 D4B04861 DD6E0924 4C3E6A51
8BF2ABD9 5C3A597D 2EE0112C ECA615AA D0297F9E 071B6B5D 9B831332 021E61F4
2352EEC9 EE70742E 46EFBAFC A03744D8 A22E4DA3 AAF919CC 0A7929A7 3BDB3B17
C04DA5B9 028DD3EC 992493A6 EA864ED6 354CB3F4 094D3EBF 5307CAA3 192B5759
E458712D 841A43CD 709D4D9E 72A9DE3E F935A688 59B6F278 65B59EE0 6B72469E
7B97582A 64E511A6 D81735FF 117CE399 4C2A2973 F5FD407D BCEB62A6 FD7C6B08
882E0749 ACE5BD44 32634790 3607ADEA 9F319343 4CA76B0D B1DE6A1C AD144548
E38119E2 8B34F7AC 090C0450 03166B42 8C7C9EA7 5132687F E1F7BF6E B065CD4E
889F02BB 02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F
0603551D 23041830 16801405 77954127 36509205 7025CF4E 84B5D4A2 A3D53730
1D060355 1D0E0416 04140577 95412736 50920570 25CF4E84 B5D4A2A3 D537300D
06092A86 4886F70D 01010505 00038201 01004147 49C6A0A9 56F5BD4D 4892AEE0
22955E06 AF192FA6 868D5556 959ACF05 398F3907 DFE3148B 0E2CFC12 20BEEA05
DC23E8D7 A47DB4AE D6CB6665 BCAE7F39 24D010F0 DB8F0E70 5E7C3F73 25AB1783
1346D540 47BB7E89 2BB1BE4D 16990318 A4612CC5 C7CC9376 7DF1A1F4 C09C0051
4D950D99 3CC0C65B 0A98859A 3B81E324 BAB34EDF 64CA8C38 184DC796 47DDD9DD
F71F8D5E D3B7A962 3D0FDE44 012AC034 D0E7F75A DB1BF12A CF23E2F5 6A4FDA14
A588DCDA 8272CE33 36ABC57A BFF52980 5FFC7C34 4D4307BB AC0C0F18 AA783B9D
27C61E89 0EC1C6AA 6AB3F73B EF8450FD 782DFC63 038F6A27 456CA32B D3FEDB97
C8064523 EBB93FF5 8B98B546 44F853E9 0E04
quit
!
license udi pid IR1101-K9 sn FCW222700KS
!
interface Cellular0/3/1
no ip address
shutdown
!
interface Vlan1
ip address 192.168.10.15 255.255.255.0
!
interface Vlan172
ip address 172.27.167.121 255.255.255.128
!
interface Vlan175
ip address 175.1.1.1 255.255.255.0
!
interface Async0/2/0
no ip address
encapsulation scada
!
ip default-gateway 172.27.167.1
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.27.167.1
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
ip route 0.0.0.0 0.0.0.0 Cellular0/3/0 253
ip route 8.8.4.0 255.255.255.0 Cellular0/3/0
ip route 171.70.0.0 255.255.0.0 172.27.167.1
ip route 192.1.1.0 255.255.255.0 Cellular0/1/0
ip route 192.168.193.0 255.255.255.0 192.168.10.1
!
!
ip access-list standard 1
10 permit any
dialer watch-list 1 ip 5.6.7.8 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer watch-list 2 ip 5.6.7.8 255.255.255.255
dialer watch-list 2 delay route-check initial 60
dialer watch-list 2 delay connect 1
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 route ::/0 Cellular0/1/0
!
!
snmp-server community public RO
snmp-server community private RW
snmp-server host 171.70.127.43 version 2c public
snmp-server host 172.27.167.220 version 2c public
snmp-server manager
!
control-plane
!
line con 0
exec-timeout 0 0
stopbits 1
speed 115200
line 0/0/0
line 0/2/0
line vty 0 4
exec-timeout 0 0
password cisco
login
IR1101#
Procedure
Step 3  enable password password
        Specifies a password to prevent unauthorized access to the router.
        Example:
        Router(config)# enable password cr1ny5ho
        Note: In this form of the command, password is not encrypted. To encrypt the password use enable
        secret password as noted in the previously mentioned Device Hardening Guide.
To manually define the Gigabit Ethernet interface, follow these steps, beginning from global configuration
mode.
Procedure
Step 2  ip address ip-address mask
        Sets the IP address and subnet mask for the specified interface. Use this step if you are
        configuring an IPv4 address.
        Example:
        Router(config-if)# ip address 192.168.12.2 255.255.255.0
Step 3  ipv6 address ipv6-address/prefix
        Sets the IPv6 address and prefix for the specified interface. Use this step instead of Step 2 if
        you are configuring an IPv6 address. IPv6 unicast-routing needs to be set up as well; see further
        information in the IPv6 Addressing and Basic Connectivity Configuration Guide located here:
        https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-16-10/ip6b-xe-16-10-book/read-me-first.html
        Example:
        Router(config-if)# ipv6 address 2001:db8::ffff:1/128
Step 5  no shutdown
        Enables the interface and changes its state from administratively down to administratively up.
        Example:
        Router(config-if)# no shutdown
Step 6  exit
        Exits the configuration mode of the interface and returns to global configuration mode.
        Example:
        Router(config-if)# exit
Router(config)#interface g0/0/0 ?
<1-4294967295> GigabitEthernet interface number
Router(config-subif)#encapsulation ?
dot1Q IEEE 802.1Q Virtual LAN
Procedure
Step 2  (Option 1) ip address ip-address mask
        Sets the IP address and subnet mask on the loopback interface. (If you are configuring an IPv6
        address, use the ipv6 address ipv6-address/prefix command described below.)
        Example:
        Router(config-if)# ip address 10.108.1.1 255.255.255.0
Step 3  (Option 2) ipv6 address ipv6-address/prefix
        Sets the IPv6 address and prefix on the loopback interface.
        Example:
Step 4  exit
        Exits configuration mode for the loopback interface and returns to global configuration mode.
        Example:
        Router(config-if)# exit
Example
Verifying Loopback Interface Configuration
Enter the show interface loopback command. You should see an output similar to the following
example:
Alternatively, use the ping command to verify the loopback interface, as shown in the following
example:
Note Transport input must be set as explained in the previous Telnet and SSH sections of the guide.
Procedure
Step 2  password password
        Specifies a unique password for the console terminal line.
        Example:
        Router(config-line)# login
Step 4  exec-timeout minutes [seconds]
        Sets the interval during which the EXEC command interpreter waits until user input is detected.
        The default is 10 minutes. Optionally, adds seconds to the interval value. The example provided
        here shows a timeout of 5 minutes and 30 seconds. Entering a timeout of 0 0 specifies never to
        time out.
        Example:
        Router(config-line)# exec-timeout 5 30
        Router(config-line)#
        Router(config-line)# exit
Step 6  line [aux | console | tty | vty] line-number
        Specifies a virtual terminal for remote console access.
        Example:
Step 7  password password
        Specifies a unique password for the virtual terminal line.
        Example:
        Router(config-line)# login
        Router(config-line)# end
Example
The following configuration shows the command-line access commands. Note that transport input
none is the default, but if SSH is enabled this must be set to ssh.
You do not have to input the commands marked default. These commands appear automatically in
the configuration file that is generated when you use the show running-config command.
!
line console 0
exec-timeout 10 0
password 4youreyesonly
login
transport input none (default)
stopbits 1 (default)
line vty 0 4
password secret
login
!
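Several points in this guide flag settings that weaken CLI access: exec-timeout 0 0 disables the session timeout, enable password stores an unencrypted value where enable secret should be used, transport input should be set to ssh when SSH is enabled, and the show running-config sample earlier carries snmp-server community public/private and a vty password of cisco. The following Python script is an added example, not part of the Cisco guide, that audits a running-config text for exactly those settings. The configuration sample inside it is constructed for the example and modelled on the excerpt in this guide; the set of checks and the wording of each finding are this example's own choices.

```python
import re

# Constructed sample, modelled on the show running-config excerpt in this guide
# (not a capture from a real device).
SAMPLE_RUNNING_CONFIG = """\
hostname IR1101
enable password cr1ny5ho
ip http server
ip http secure-server
snmp-server community public RO
snmp-server community private RW
line con 0
 exec-timeout 0 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 transport input telnet ssh
"""

DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
WELL_KNOWN_LINE_PASSWORDS = {"cisco", "secret", "password", "admin"}


def check_line_block(header, entries):
    """Checks for one 'line ...' block; entries are (line_no, text) pairs."""
    out = []
    seen_transport = False
    for n, text in entries:
        if text == "exec-timeout 0 0":
            out.append((n, text, f"{header}: exec-timeout 0 0 disables the idle timeout"))
        m = re.fullmatch(r"password (?:([07]) )?(\S+)", text)
        if m:
            kind = "reversible type 7" if m.group(1) == "7" else "cleartext"
            issue = f"{header}: {kind} line password; prefer login local with username ... secret"
            if m.group(2).lower() in WELL_KNOWN_LINE_PASSWORDS:
                issue += " (well-known value)"
            out.append((n, text, issue))
        if text.startswith("transport input"):
            seen_transport = True
            if text != "transport input ssh":
                out.append((n, text, f"{header}: transport input should be restricted to ssh"))
    if header.startswith("line vty") and not seen_transport:
        out.append((entries[0][0] if entries else 0, header, f"{header}: no transport input ssh configured"))
    return out


def audit_running_config(config):
    """Return (line_no, text, issue) for each weak setting found in an IOS XE config."""
    findings = []
    header, entries = None, []          # the open 'line ...' block, if any
    for n, raw in enumerate(config.splitlines(), 1):
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if raw[0].isspace() and header is not None:
            entries.append((n, text))   # indented entry belongs to the open block
            continue
        if header is not None:          # any top-level line closes the open block
            findings.extend(check_line_block(header, entries))
            header, entries = None, []
        if text.startswith("line "):
            header = text
        elif text.startswith("enable password "):
            findings.append((n, text, "enable password stores a recoverable value; use enable secret"))
        elif text == "ip http server":
            findings.append((n, text, "cleartext HTTP management enabled; keep only ip http secure-server"))
        else:
            m = re.match(r"snmp-server community (\S+) (RO|RW)\b", text)
            if m:
                problems = []
                if m.group(1).lower() in DEFAULT_SNMP_COMMUNITIES:
                    problems.append("default community name")
                if m.group(2) == "RW":
                    problems.append("write access")
                if problems:
                    findings.append((n, text, "snmp-server community: " + ", ".join(problems)))
    if header is not None:
        findings.extend(check_line_block(header, entries))
    return findings


if __name__ == "__main__":
    for n, text, issue in audit_running_config(SAMPLE_RUNNING_CONFIG):
        print(f"line {n:>3}: {text!r}: {issue}")
```

Run it against the text captured from show running-config; a clean configuration returns an empty list. Line passwords cannot use secret in IOS, so the suggested fix for a cleartext or type-7 line password is login local with a username ... secret entry, which stores a one-way hash.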
Procedure
Step 2  (Option 2) ipv6 route prefix/mask {ipv6-address | interface-type interface-number [ipv6-address]}
        Specifies a static route for the IP packets. See additional information for IPv6 here:
        https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-16-10/ip6b-xe-16-10-book/read-me-first.html
        Example:
        Router(config)# ipv6 route 2001:db8:2::/64 2001:db8:3::0
Step 3  end
        Exits global configuration mode and enters privileged EXEC mode.
        Example:
        Router(config)# end
In the following configuration example, the static route sends out all IP packets with a destination
IP address of 192.168.1.0 and a subnet mask of 255.255.255.0 on the Gigabit Ethernet interface to
another device with an IP address of 10.10.10.2. Specifically, the packets are sent to the configured
PVC.
You do not have to enter the command marked default. This command appears automatically in the
configuration file generated when you use the show running-config command.
!
ip classless (default)
ip route 2001:db8:2::/64 2001:db8:3::0
Verifying Configuration
To verify that you have configured static routing correctly, enter the show ip route command (or
show ipv6 route command) and look for static routes marked with the letter S.
When you use an IPv4 address, you should see verification output similar to the following:
When you use an IPv6 address, you should see verification output similar to the following:
C 2001:DB8:3::/64 [0/0]
via GigabitEthernet0/0/2, directly connected
S 2001:DB8:2::/64 [1/0]
via 2001:DB8:3::1
Procedure
Router(config-router)# version 2
Router(config-router)# end
Example
Verifying Configuration
To verify that you have configured RIP correctly, enter the show ip route command and look for
RIP routes marked with the letter R. You should see an output similar to the one shown in the
following example:
Router# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Note Async serial cabling is documented in the IR1101 HW installation guide located here:
https://www.cisco.com/c/en/us/td/docs/routers/access/1101/hardware/installation/guide/1101hwinst.html
• Raw-TCP
• Raw-UDP
• SCADA
• Encapsulation Relay
Encapsulation methods are set according to the type of protocol or application you configure in the Cisco IOS
software.
The remaining encapsulation methods are defined in their respective books and chapters describing the
protocols or applications.
Note A Day 0 configuration is defined as a device that is fresh out of the box with no startup-configuration.
After the initial Day 0 configuration, the WebUI can be used for day to day configuration.
Effective with IOS-XE Release 17.3.1, the Day 0 Web User Interface (WebUI) will be supported on the
IR1101. Day 0 WebUI is supported only on LAN ports. These are FastEthernet ports 0/0/1 – 0/0/4 on the
IR1101. Connect a PC to one of the LAN ports of the IR1101 and boot the router on Day 0. The PC should
be configured with a static IP address of 192.168.1.2/255.255.255.0.
Once the router boots up in Day 0, the PC can connect to the 192.168.1.x network and can access WebUI
using the IP address of 192.168.1.1 with any browser. After the configuration is applied through the WebUI,
the router will display the message "Day 0 config done. Stopping autoinstall".
Note Advanced Mode is needed in order to set up Cellular WAN, including public or private APN. This
should be provided by your SIM's service provider.
Note The pluggable interface is not hot swappable. If you wish to change a SIM, power off the router.
PnP will now be able to run with private APN to connect to IOS OD, vManage, or DNA-C.
Configuration Notes
The following are important notes when using the WebUI:
• The WebUI is not supported on the 1G port because this interface is dedicated to PnP. It is only supported
on the 100M ports 1-4. See the figure below:
• Plug and Play (PnP) cannot be used if the router is configured through the Day 0 WebUI, because PnP
is aborted once the configuration is applied through the Day 0 WebUI.
• Starting from release 17.1.2, an explicit write memory is not needed once the configuration is applied
through the WebUI.
• Display resolution—We recommend that you set the screen resolution to 1280 x 800 or higher.
Step 1 Open your browser and enter 192.168.1.1 in the address bar. The Login Screen appears. Enter the Username webui and
the Password cisco. Then click Log In.
Figure 3: Login Screen
Step 2 The Welcome Screen appears. Select Advanced Mode or Basic Mode. Basic Mode allows for configuring Basic settings,
LAN, and a Primary WAN. Advanced Mode allows you to configure an additional Backup WAN, AVC, as well as
additional settings. For the purposes of this section, Basic Mode is used. Select Basic Mode.
Figure 4: Welcome Screen
Step 3 Click Go To Account Creation Page. The Create New Account Screen appears. Create a new Login Name and
Password to access the WebUI.
Step 4 Click CREATE & LAUNCH WIZARD. The Basic Settings Screen appears. Provide a Router Name (hostname),
Domain Name, Time Zone and Date & Time Mode.
Figure 6: BASIC SETTINGS Screen
Step 5 Click LAN SETTINGS. The LAN Configuration Screen appears. Enter the webui_dhcp Pool Name, VLAN interface
IP address, and select the interface that is connected to your laptop from the list of available interfaces.
Step 6 Click PRIMARY WAN SETTINGS. The PRIMARY WAN SETTINGS Screen appears. Configure the WAN interface
by selecting the WAN Type and Interface from the available options. Next enter your DNS IP address information and
select Enable/Disable NAT.
Figure 8: Primary WAN Interface Screen
Step 7 Click Day 0 Config Summary. The Review Summary Screen appears. Verify your entries before applying the
configuration.
Step 8 (Optional) You can click on CLI Preview to see the Configuration that is being applied to the router. Close the CLI
Preview and if you are ready, Click Submit.
Figure 10: CLI Preview Screen
Step 9 After clicking on Submit, a dialog box appears informing you that the configuration has been applied successfully.
The new WebUI IP address is also presented.
Step 10 If you have web connectivity, the device will try to connect. It is recommended that you close the browser session and
move to the newly configured WebUI IP address.
Figure 12: Test VLAN Connection Screen
Note Advanced Mode is needed in order to set up Cellular WAN, including public or private APN.
Step 1 Open your browser and enter 192.168.1.1 in the address bar. The Login Screen appears. Enter the Username webui and
the Password cisco. Then click Log In.
Figure 13: Login Screen
Step 2 The WELCOME screen appears. Select Advanced Mode or Basic Mode. Basic Mode allows for configuring Basic
settings, LAN, and a Primary WAN. Advanced Mode allows you to configure an additional Backup WAN, AVC, as well
as additional settings. For the purposes of this section, Advanced Mode is used.
Figure 14: WELCOME Screen
Step 3 Select Advanced Mode, then click Go To Account Creation Page. The Create New Account screen appears. Create a
new Login Name and Password to access the WebUI.
Step 4 Click CREATE & LAUNCH WIZARD. The LAN Configuration screen appears. Provide a Pool Name, Network IP
Address, Subnet, Access VLAN, and Device IP Address. A list of available interfaces is shown to select from. Only
FastEthernet interfaces may be used.
Figure 16: LAN Configuration Screen
Step 5 Click PRIMARY WAN SETTINGS. The WAN Configuration screen appears. Select the WAN Type and Interface
from the pull-downs. Provide an APN (Access Point Name) from your LTE Service Provider, and then select the DNS
and IP Address settings for your network.
Step 6 Click BACKUP WAN SETTINGS. The BACKUP WAN Configuration screen appears. Select the button to Enable or
Disable a backup WAN.
Figure 18: BACKUP WAN Configuration
Step 7 Click Day 0 Config Summary. The SUMMARY screen appears. Verify your entries before applying the configuration.
Figure 19: Summary Screen
Step 8 (Optional) You can click on CLI Preview to see the Configuration that is being applied to the router. Close the CLI
Preview, and if you are ready, click Submit.
Note A CLI Preview example is found at the end of this section.
Step 9 After clicking on Submit, a dialog box appears informing you that the configuration has been applied successfully.
The new WebUI IP address is also presented.
Figure 20: Submit Dialog Box
Example
The following is an example of a CLI Preview:
ip domain name cisco.com
clock timezone GMT -6 00
ntp server pool.ntp.org
hostname "IR1101"
interface vlan 1
ip address 10.1.1.1 255.255.255.0
no shutdown
vlan 1
interface FastEthernet0/0/1
switchport access vlan 1
switchport trunk native vlan 1
switchport mode access
no shutdown
interface FastEthernet0/0/2
switchport access vlan 1
switchport trunk native vlan 1
switchport mode access
no shutdown
interface FastEthernet0/0/3
switchport access vlan 1
switchport trunk native vlan 1
switchport mode access
no shutdown
interface FastEthernet0/0/4
switchport access vlan 1
ip dns server
ip dns view default
default dns forwarder
default dns forwarding
default domain lookup
default domain name-server
interface Cellular0/1/0
description primary_wan
ip address negotiated
dialer in-band
dialer-group 1
pulse-time 1
shutdown
no shutdown
ip nat outside
exit
dialer-list 1 protocol ip permit
WebUI Dashboard
After completing the Day 0 setup, the WebUI can now be used for day to day administration. The WebUI
opens up to an easy to use dashboard.
Note WebUI feature support may vary based on the license and platform type of your device.
Note The SSH client functionality is available only when the SSH server is enabled.
User authentication is performed as it is for a Telnet session to the device. SSH also supports the following
user authentication methods:
• TACACS+
• RADIUS
• Local authentication and authorization
Related Tasks
Setting Up the IR1101 to Run SSH, on page 55
Procedure
Step 2 hostname hostname
Configures a hostname and IP domain name for your device.
Note Follow this procedure only if you are configuring the device as an SSH server.
Example:
IR1101(config)# hostname your_hostname
Step 4 crypto key generate rsa
Enables the SSH server for local and remote authentication on the device and generates an RSA key pair.
Generating an RSA key pair for the device automatically enables SSH.
We recommend a minimum modulus size of 1024 bits. When you generate RSA keys, you are prompted to enter
a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use.
Note Follow this procedure only if you are configuring the device as an SSH server.
Example:
IR1101(config)# crypto key generate rsa
IR1101(config)# end
Note This procedure is only required if you are configuring the device as an SSH server.
Procedure
Step 2 ip ssh version [2]
(Optional) Configures the device to run SSH Version 2. If you do not enter this command or do not specify a
keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client
supports SSHv1 and SSHv2, the SSH server selects SSHv2.
Example:
IR1101(config)# ip ssh version 2
Step 4 Use one or both of the following:
• line vty line_number [ending_line_number]
• transport input ssh
(Optional) Configures the virtual terminal line settings.
• Enters line configuration mode to configure the virtual terminal line settings. For the line_number and
ending_line_number arguments, the range is from 0 to 15.
• Specifies that the device prevents non-SSH Telnet connections, limiting the device to only SSH connections.
Example:
IR1101(config)# line vty 1 10
or
IR1101(config-line)# transport input ssh
IR1101(config-line)# end
Table 6: Commands for Displaying the SSH Server Configuration and Status
Command: show ip ssh
Purpose: Shows the version and configuration information for the SSH server.
Command: show ssh
Purpose: Shows the status of the SSH server.
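As an added example that is not part of the Cisco guide, the following Python script audits a running-config excerpt for the two settings the procedure above establishes: ip ssh version 2, and transport input ssh on every vty line. The sample configuration is constructed for the example.

```python
import re

# Constructed sample running-config excerpt (not from the guide). The second
# vty block deliberately still permits Telnet so the audit has something to flag.
SAMPLE_CONFIG = """\
hostname IR1101
ip domain name example.com
ip ssh version 2
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
"""


def parse_vty_lines(config_text):
    """Return (first, last, body_lines) for each 'line vty' block in the config."""
    blocks = []
    current = None
    for raw in config_text.splitlines():
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = (first, last, [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            # indented lines belong to the block opened above
            current[2].append(raw.strip())
        else:
            # any unindented line ('!', another section) ends the vty block
            current = None
    return blocks


def audit_ssh(config_text):
    """Return a list of findings; an empty list means the config matches the procedure."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config_text, re.MULTILINE):
        findings.append("ip ssh version 2 is not set; the server negotiates "
                        "whatever version the client offers")
    for first, last, body in parse_vty_lines(config_text):
        transports = [line for line in body if line.startswith("transport input")]
        if not transports:
            findings.append(f"line vty {first} {last}: no 'transport input' statement")
            continue
        for t in transports:
            protocols = t.split()[2:]
            if protocols != ["ssh"]:
                findings.append(f"line vty {first} {last}: transport input allows "
                                f"{' '.join(protocols)}, expected only ssh")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```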
Note To secure the router for HTTP access by using AAA methods, you must configure the router with the
ip http authentication aaa global configuration command. Configuring AAA authentication alone does not
secure the router for HTTP access by using AAA methods.
Procedure
Step 3 aaa authentication login default local
Sets the login authentication to use the local username database. The default keyword applies the local user
database authentication to all ports.
Example:
IR1101(config)# aaa authentication login default local
Step 4 aaa authorization exec local
Configures user AAA authorization, checks the local database, and allows the user to run an EXEC shell.
Example:
Step 5 aaa authorization network local
Configures user AAA authorization for all network-related service requests.
Example:
IR1101(config-line)# end
Procedure
Device> enable
Step 4 aaa authentication login {default | list-name} method1 [method2...]
Enables the AAA access control system.
Example:
Step 5 username name [privilege level] password encryption-type encrypted-password
Establishes a username-based authentication system.
Note You may omit this step if a network-based authentication mechanism, such as TACACS+ or RADIUS,
has been configured.
Example:
Device(config)# username superuser privilege 2 password 0 superpassword
Device(config)# exit
Example
IR1101# copy scp <somefile> your_username@remotehost:/<some/remote/directory>
Additional References
The following sections provide references related to the SSH feature.
Configuring Identity Control policies and Identity Service templates for Session Aware networking:
Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE:
https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-xe-3se-3850-book.pdf
Configuring RADIUS, TACACS+, Secure Shell, 802.1X and AAA:
Secure Shell Configuration Guide, Cisco IOS XE Gibraltar 16.11.x:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/16-11/configuration_guide/sec/b_1611_sec_9500_cg/configuring_secure_shell__ssh_.html
Note This feature is available with IOS XE release 17.6.1. Further information can be found in NTP Clock
Sync with GPS in the Cellular Pluggable Interface Module Configuration Guide.
The GPS time acts as a stratum 0 source, and the Cisco IOS NTP server acts as a stratum 1 device, which in
turn provides clock information to its NTP clients (stratum 2 and 3).
Step 3 To verify the configuration, use the show commands in the following example:
Example:
Router#
Sep 24 19:58:43.046 GMT: %PKI-6-AUTHORITATIVE_CLOCK: The system clock has been set.
Router#show ntp status
Clock is synchronized, stratum 1, reference is .GPS.
nominal freq is 250.0000 Hz, actual freq is 249.9970 Hz, precision is 2**10
ntp uptime is 94000 (1/100 of seconds), resolution is 4016
reference time is E31778F3.0B851ED8 (19:58:43.045 GMT Thu Sep 24 2020)
clock offset is 11.0000 msec, root delay is 0.00 msec
Step 4 Use the debug ntp refclock command to troubleshoot the configuration:
Example:
Router#debug ntp ?
adjust NTP clock adjustments
all NTP all debugging on
core NTP core messages
events NTP events
packet NTP packet debugging
refclock NTP refclock messages
Router#debug ntp re
Router#debug ntp refclock
*Sep 24 19:58:43.045 GMT: GPS: Poll Requested
*Sep 24 19:58:43.045 GMT: GPS (19:58:43.056 GMT Thu Sep 24 2020)
*Sep 24 19:58:43.045 GMT: Valid time rcvd from GPS: 2020/09/24 19:58:43.056 (frac = 0x0E560440)
*Sep 24 19:58:43.045 GMT: RTS poll timestamp (local clock) was 0xE31778F3.0B851ED8
*Sep 24 19:58:43.045 GMT: GPS timestamp is 0xE31778F3.0E560440
*Sep 24 19:58:43.045 GMT: NTP Core(NOTICE): ntpd PPM
*Sep 24 19:58:43.046 GMT: NTP Core(NOTICE): trans state : 5
*Sep 24 19:58:43.046 GMT: NTP Core(NOTICE): Clock is synchronized.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#app-hosting appid app3
Router(config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.0.7 netmask 255.255.255.0
Router(config-app-hosting-gateway0)#app-default-gateway 192.168.0.1 guest-interface 0
Router(config-app-hosting)#app-resource docker
Router(config-app-hosting-docker)#run-opts 1 "--entrypoint '/bin/sleep 10000'"
Router(config-app-hosting-docker)#end
Router#
# encapsulation raw-tcp
# encapsulation raw-udp
# raw-socket packet-length <length>
# raw-socket packet-timer <timer>
# raw-socket special-char <value>
# raw-socket tcp server <port> <ip>
# raw-socket tcp idle-timeout <value>
# raw-socket tcp client <dest-ip> <dest-port>
# raw-socket tcp idle-timeout <timeout>
• Cisco-IOS-XE-rawsocket-oper.yang
This module contains a collection of YANG definitions for Raw Socket Transport operational data.
This module has the following corresponding Cli commands:
Enabling the attach-to-iox command will provide complete control of all Digital IO ports to IOx. The ports
will be exposed as four character devices /dev/dio-[1-4] to IOX applications. You can use read/write functions
to get/set values of the Digital IO ports.
If you wish to update the mode, you can write the mode value to the character device file. This is accomplished
by IOCTL calls to read/write the state, change mode, and read the true analog voltage of the port. Following
this method, you can attach analog sensors to the IR1101. All ports are initially set to Input mode with voltage
pulled up to 3.3v.
The following are examples of IOCTL calls:
Read Digital IO Port:
cat /dev/dio-1
Change mode:
import fcntl

# ioctl request codes for the /dev/dio-[1-4] character devices
DIO_GET_STATE = 0x1001
DIO_SET_STATE = 0x1002
DIO_GET_MODE = 0x1003
DIO_SET_MODE_OUTPUT = 0x1004
DIO_SET_MODE_INPUT = 0x1005
DIO_GET_THRESHOLD = 0x1006
DIO_SET_THRESHOLD = 0x1007
DIO_GET_VOLTAGE = 0x1009

# Open the port's character device for reading and writing. Python's open()
# has no "rw" mode; "r+b" with buffering=0 gives unbuffered read/write access.
with open("/dev/dio-1", "r+b", buffering=0) as dio:
    # switch the port from its initial Input mode to Output mode
    fcntl.ioctl(dio, DIO_SET_MODE_OUTPUT, 0)
Security Violations
It is a security violation when one of these situations occurs:
• The maximum number of secure MAC addresses have been added to the address table, and a station
whose MAC address is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface in the same
VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a violation
occurs:
• protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number of maximum allowable
addresses. You are not notified that a security violation has occurred.
Note: If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses
and are removed from the running configuration.
• restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port,
packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number of maximum allowable
addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a
syslog message is logged, and the violation counter increments.
• shutdown—a port security violation causes the interface to become error-disabled and to shut down
immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring
it out of this state by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by entering the shutdown and no shutdown interface
configuration commands. This is the default mode.
• shutdown vlan—Use to set the security violation mode per-VLAN. In this mode, the VLAN is error
disabled instead of the entire port when a violation occurs.
Router(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr> <cr>
Router(config-if)#switchport port-security mac-address sticky
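An added example, not from the Cisco guide: in the restrict and shutdown violation modes the violation is reported through syslog, and the Python code below summarizes such messages per interface and lists the interfaces that need err-disable recovery. The syslog lines are constructed, and the exact message wording (%PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE) is assumed from the standard IOS format.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the guide). Two violations on
# Fa0/0/2 (restrict mode: dropped and logged) and one on Fa0/0/3 followed by
# the err-disable event that the default shutdown mode produces.
SAMPLE_SYSLOG = """\
*Mar  1 10:02:11.101: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/0/2.
*Mar  1 10:02:12.333: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4466 on port FastEthernet0/0/2.
*Mar  1 10:05:40.020: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/0/3.
*Mar  1 10:05:40.021: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/0/3, putting Fa0/0/3 in err-disable state
*Mar  1 10:06:00.000: %LINK-3-UPDOWN: Interface FastEthernet0/0/3, changed state to down
"""

# Assumed message formats (standard IOS wording, not quoted in the guide).
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address ([0-9a-fA-F.]+) on port (\S+)")
ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")

# Short interface names as they appear in err-disable messages; the guide
# itself uses "Fa" for FastEthernet and "Gi" for GigabitEthernet.
SHORT_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}


def normalize_ifname(name):
    """Expand 'Fa0/0/3' to 'FastEthernet0/0/3'; full names are returned unchanged."""
    m = re.match(r"^([A-Za-z]+)(\d.*)$", name)
    if m and m.group(1) in SHORT_NAMES:
        return SHORT_NAMES[m.group(1)] + m.group(2)
    return name


def summarize_violations(syslog_text):
    """Per-interface summary: violation count, offending MACs, err-disabled flag."""
    summary = defaultdict(lambda: {"violations": 0, "macs": [], "err_disabled": False})
    for line in syslog_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            mac = m.group(1).lower()
            port = normalize_ifname(m.group(2).rstrip("."))
            entry = summary[port]
            entry["violations"] += 1
            if mac not in entry["macs"]:
                entry["macs"].append(mac)
            continue
        m = ERR_DISABLE_RE.search(line)
        if m:
            summary[normalize_ifname(m.group(1))]["err_disabled"] = True
    return dict(summary)


def needs_recovery(summary):
    """Interfaces now err-disabled, i.e. waiting for errdisable recovery or a
    manual shutdown / no shutdown as described for the shutdown mode."""
    return sorted(port for port, entry in summary.items() if entry["err_disabled"])


if __name__ == "__main__":
    result = summarize_violations(SAMPLE_SYSLOG)
    for port, entry in sorted(result.items()):
        print(port, entry)
    print("needs recovery:", needs_recovery(result))
```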
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Router(config)#app-hosting signed-verification
Router(config)#
Router(config)#exit
After enabling the signed verification, follow the instructions in the Installing and Uninstalling Apps section
under IOx Application Hosting in order to install the application.
Show Commands
• show run
• show alarm
• show led
Configuration Commands
• alarm contact attach-to-iox
• no alarm contact attach-to-iox
• alarm contact <1-4> enable
• no alarm contact <1-4> enable
• alarm contact <1-4> application <wet | dry>
• no alarm contact <1-4> application
• alarm contact <1-4> description <alarm description>
• no alarm contact <1-4> description
• alarm contact <1-4> severity <critical | major | minor | none>
Command Examples
The following is a sample output of the show software platform software audit summary command:
The following is a sample output of the show software platform software audit all command:
In previous documentation, Cisco recommended using the enable secret command instead of the enable
password command because it offers an improved encryption algorithm.
Starting with 17.3.1, the initial dialog has been changed to force setting a new enable password, and to use
the enable secret command instead. The following is an example of what happens if you answer no to the
initial configuration dialog:
.
.
router-1>en
Password:
router-1#sh run | sec enable
enable secret 9 $9$emUzIshVXwlUaE$nTzhgi9STdZKzQc4VJ0kEaCqafjUNdCD7ZUf37SY9qg
When the enable secret is prompted for during the first login and the admin enters a password, the entered
password is always masked. If the admin enters a weak password, they are prompted again to enter a
strong password (the standard mix of upper- and lower-case characters, special characters, numbers, and so on).
The prompting continues until the admin enters a strong password. The admin is then prompted to enter the
strong secret twice, to confirm that it is the secret they want to configure.
Select Cisco Cyber Vision Sensor IOx Application 3.1.1 for IE3400 and IR1101.
Step 2 Install CVC version 3.1.1 on Virtual Machine or on any Hypervisor. The following location is the download link for
different versions of CVC:
https://software.cisco.com/download/home/286325414/type
Release Notes for Cisco Cyber Vision Release 3.1.1:
https://www.cisco.com/c/dam/en/us/td/docs/security/cyber_vision/Cisco-Cyber-Vision_Release-Note-3-1-1.pdf
Step 3 The CVC sensor requires two VirtualPortGroup interfaces on the platform: one is used for IOx traffic, and
the other for mirrored traffic, which is forwarded from the physical, SVI or Tunnel interface that is the ERSPAN
source. Refer to the following illustration:
Figure 22: CVC over L3 interface
Step 4 The CVC Sensor deployment can be installed from either the LMGUI or CLI.
interface virtualportgroup 0
ip address 169.254.1.1 255.255.255.252
interface virtualportgroup 1
ip nat inside
ip address 169.254.0.1 255.255.255.252
interface gi0/0/0
ip address 101.0.0.151 255.255.255.0
ip nat outside
no shut
ERSPAN Configuration:
CLI Installation
To install the app through the CLI, copy the CVC sensor to bootflash, USB or mSATA. Then install the app
using the app-hosting CLI, and provide the docker options before activating the app. For example:
Router(config)#iox
Router# app-hosting install app-id <app-id> package {bootflash:/|usbflash0:|msata:}
app-hosting appid <app-id>
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 169.254.1.2 netmask 255.255.255.252
app-vnic gateway1 virtualportgroup 1 guest-interface 1
guest-ipaddress 169.254.0.2 netmask 255.255.255.252
app-default-gateway 169.254.0.1 guest-interface 1
app-resource docker
run-opts 1 "--rm --tmpfs /tmp:rw,size=128m"
Router# app-hosting {activate|start|stop|deactivate|uninstall} app-id <app-id>
LMGUI Installation
Configure the following to reach the LMGUI:
iox
ip http server
ip http secure-server
ip http authentication local
username cisco privilege 15 password cisco
Login URL: http://<Mgmt_IP>/iox/login
Additional details can be found in Installing CVC Sensor using LM GUI, on page 88
Step 1 Register the IOS-XE Router details on CVC by logging in and navigating to:
Admin > Sensors > Install Sensor Manually
Then click on Cisco IOx Application. Refer to the following:
Step 2 Provide the serial number of the Router. It should be an exact match from the output of show inventory, and then click
on Create Sensor. Refer to the following:
Step 3 Generate the Provisioning file from CVC by clicking on Get Provisioning File. Refer to the following:
Figure 25: Generate Provisioning File
Step 4 Download the provisioning file to a local directory. The file comes as a zip file with a file name like the following:
Example:
sbs-sensor-config-<S/N of Router>.zip
Step 5 Import the Provisioning file to Router through the LM GUI. From the LM GUI Applications, navigate to:
Applications > CVC App (Application Name) > Manage > App-DataDir
Refer to the following:
Step 6 Click Upload. The Upload Configuration window appears. Upload the downloaded provisioned file from CVC with the
same name. Refer to the following:
Figure 27: Upload Configuration
Step 7 Verify the Authentication on CVC. Validate if the installed sensor Status changed to Connected or Waiting for Data.
Refer to the following:
Step 1 Sync the date and time between CVC and the Router. To capture live traffic, the clocks of the Router and CVC
must be exactly synchronized.
Step 2 Simulate IOx traffic or play captured PCAP files. The CVC Sensor installed on the Router is a docker app. To log in to
the console of the App, run the following command:
Example:
app-hosting connect app-id <app-name> session
Step 3 Upload the PCAP Files to the App from LM-GUI. Navigate to:
Applications > CVC App (Application Name) > Manage >App-Dir
The following commands show how to play the PCAP file:
Example:
sh-5.0#
*Jul 14 08:45:05.603: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(15! in/busybox.nosuid"
dev="overlay" ino=72930 scontext=system_u:system_r: polaris_bexecute_*
sh-5.0# flowctl read-capture-file /iox_data/appdata/tl04
OK
sh-5.0#
Step 4 Monitor the traffic on CVC. Navigate to Explore > Essential Data > Activity List
Refer to the following:
Figure 29: Activity List
Step 2 Install the sensor virtual application. Once you are logged in, the following menu will appear:
Step 3 Click on Add New. Navigate to the app file, for example, CiscoCyberVision-IOx-aarch64-xxx.tar. Add the name of the
app, for example, CCVSensor.
Configure the sensor virtual application. Refer to the following:
Step 4 Click on Activate to launch the configuration of the sensor application. Click on the CCVSensor Tab, and click on
Resources. Refer to the following:
Step 5 Navigate to Advanced Settings. In advanced options, configure the tmpfs by adding the following in the text area beside
Docker Options:
--tmpfs /tmp:rw,size=128m
Step 6 Bind interfaces in the container to an interface on the host in the Network Configuration section.
What to do next
Move to the next sections Binding eth0 and Binding eth1.
Binding eth0
To configure eth0:
Binding eth1
To configure the eth1 interface:
Step 2 The progress window appears. This may take several seconds to finish.
Figure 43: Activation Progress
Step 3 Click on Applications to display the app status. Refer to the following:
Step 2 The progress window appears. This may take several seconds to finish.
Figure 46: Progress Window
Step 3 After some time, the app status will change to running.
router#config term
router(conf)#controller vdsl 0/0/0
router(conf-if)#capability annex-j
router(conf-if)#exit
router#
To remove Annex-J:
router#config term
router(conf)#controller vdsl 0/0/0
router(conf-if)#no capability annex-j
router(conf-if)#exit
router#
17.5.1 adds a new command, rx-padding. This command is used for packets with an MTU of less than 64
bytes.
Important If frames of less than 64 bytes are expected downstream from the service provider, the VLAN configuration
must be vlan 96.
router#config term
router(conf)#controller vdsl 0/0/0
router(conf-if)#rx-padding
router(conf-if)#end
VXLAN
VXLAN is a MAC in IP/UDP (MAC-in-UDP) encapsulation technique with a 24-bit segment identifier in
the form of a VXLAN ID. The larger VXLAN ID allows LAN segments to scale to 16 million in a cloud
network. In addition, the IP/UDP encapsulation allows each LAN segment to be extended across existing
Layer 3 networks, making use of Layer 3 Equal-Cost Multi-Path (ECMP).
The configuration for the two devices is shown below (Router-1 first, then Router-2):
Router-1
bridge-domain 1
 member vni 6001
 member Vlan100 service-instance 1
!
interface Loopback1
 ip address 200.200.200.200 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip address 192.168.1.2 255.255.255.0
 media-type rj45
!
interface FastEthernet0/0/1
 switchport access vlan 100
!
interface Vlan100
 no ip address
 service instance 1 ethernet
  encapsulation dot1q 100 //untag
!
interface nve1
 no ip address
 source-interface Loopback1
 member vni 6001
  ingress-replication 100.100.100.100
!
ip forward-protocol nd
ip pim rp-address 200.200.200.200
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.3
!
Router-2
bridge-domain 1
 member vni 6001
 member Vlan100 service-instance 1
!
interface Loopback1
 ip address 100.100.100.100 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip address 192.168.1.3 255.255.255.0
 media-type rj45
!
interface FastEthernet0/0/1
 switchport access vlan 100
!
interface Vlan100
 no ip address
 service instance 1 ethernet
  encapsulation dot1q 100 //untag
!
interface nve1
 no ip address
 source-interface Loopback1
 member vni 6001
  ingress-replication 200.200.200.200
!
ip forward-protocol nd
ip pim rp-address 100.100.100.100
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
Configuration Steps
Step 2 controller Cellular <slot>
Enters the interface command mode for the cellular module controller slot.
Step 3 lte dyinggasp detach enable
Enables the dying-gasp feature with the send detach request.
Step 4 lte dyinggasp sms send <phone number> <SMS message>
Configures the phone number to receive the SMS text message and the content of the text message to be sent
by the modem when the platform or module is powered down.
Configuration Example
The following example shows how to enable the dying-gasp feature on the cellular module in slot 0/1/0, specify
the phone number to receive the SMS, and the specific SMS text message to be sent by the modem upon power failure.
The system code checks for the presence of the tunnel, and if it is not present, data cannot be sent to IOx.
To support this feature there will be two new tunnels created for two cellular modems on the IR1101 and
IR1800. Two tunnels are created by default and whichever modem has the GPS/NMEA enabled, the NMEA
stream will be sent over the corresponding tunnel as follows:
Modem0:
[Linux] /dev/ttyTun5 and /dev/ttyTun6 [IOx]. Soft link to /dev/ttyTun5 will be created named
/dev/ttyTunNMEA0, soft link to /dev/ttyTun6 will be created named /dev/ttyNMEA0 which can be accessed
from IOx.
Modem1:
[Linux] /dev/ttyTun7 and /dev/ttyTun8 [IOx]. Soft link to /dev/ttyTun7 will be created named
/dev/ttyTunNMEA1, soft link to /dev/ttyTun8 will be created named /dev/ttyNMEA1 which can be accessed
from IOx.
The following command shows the state of the GPS:
<device-inventory>
<hw-type>hw-type-ssd</hw-type>
<hw-dev-index>5</hw-dev-index>
<version>V00</version>
<part-number>IR-SSD-MSATA-100G</part-number>
<serial-number>FOC21520XFV</serial-number>
<hw-description>mSATA Module</hw-description>
<dev-name>Expansion module 2 - mSATA Module</dev-name>
<field-replaceable>true</field-replaceable>
<hw-class>hw-class-virtual</hw-class>
<lifetime>99</lifetime>
</device-inventory>
Note Day 0 guestshell provisioning will not work with this approach.
By default, Guest Shell allows applications to access the management network via the management interface.
For platforms like the IR1101, which don't have a dedicated management port, a VirtualPortGroup can be
associated with Guest Shell in the IOS configuration.
Sample guestshell configuration can be found on this page:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1612/b_1612_programmability_cg/guest_shell.html#id_45931
To install guestshell on the device, copy the tar file to the router and run the following command:
Once guestshell has been deployed successfully, standard guestshell commands such as guestshell enable,
guestshell run bash, and guestshell run python3 should work.
The following resource talks about running python scripts using guestshell:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1612/b_1612_programmability_cg/cli_python_module.html
The output should contain one or more lines with the Product Name “Cisco Services Containers”. If the device
doesn’t have container keys programmed on it, then you won’t be able to install guest shell.
You will see an error like the following:
*Aug 26 15:47:21.484: %IOSXE-3-PLATFORM: R0/0: IOx: App signature verification failed with
non-zero exit code
*Aug 26 15:47:21.588: %IM-6-INSTALL_MSG: R0/0: ioxman: app-hosting: Install failed: App
package signature (package.sign)
verification failed for package manifest file package.mf. Re-sign the application and then
deploy again.
There is no software based mechanism to install container keys on the device. The keys have to be programmed
at the manufacturing facility. IR1100 devices shipped after January 1, 2020, should have the container keys
programmed.
The guest shell tar file is published along with the IOS-XE image for a given release. More information can
be found here: https://developer.cisco.com/docs/iox/#!iox-resource-downloads/downloads
#show power
Main PSU :
Total Power Consumed: 8.77 Watts
Configured Mode : N/A
Current runtime state same : N/A
PowerSupplySource : External PS
Router#config term
Router(config)# snmp-server community public RW
Router(config)# end
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<controller>
<VDSL xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-controller">
<name>0/0/0</name>
<adsl-pvc xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-adsl">
<vpi-vci>255/65535</vpi-vci>
<bridge-dot1q>21</bridge-dot1q>
<encapsulation>vcmux</encapsulation>
</adsl-pvc>
</VDSL>
</controller>
</native>
</nc:config></nc:edit-config></nc:rpc>
Note The Controller configurations can be retrieved using get and get-config operations with the
Cisco-IOS-XE-native yang model.
DNP3 Enhancement
In some cases, older RTUs were previously used in peer-to-peer mode. These RTUs dynamically swapped
the roles of DNP3 Serial subordinate and primary by setting the DIR=1 bit in the message header. The ASE
SCADA stack used in Cisco routers is always configured as the DNP3 Serial primary, so all packets received
from DNP3 Serial with DIR=1 were ignored, causing many messages from the RTU to be discarded. To handle
these scenarios, a new SCADA configuration CLI has been added:
scada-gw protocol ignore direction
Enabling this CLI allows the router to accept incoming packets from the RTU even when DIR=1. The new
CLI is also added to the Cisco-IOS-XE-scada-gw.yang config model.
The following is an example usage:
Configuration
Configuration example with scada-gw protocol ignore direction on T101/T104
attach-to-channel mt-chan
sector mt-sec
attach-to-session mt-sess
asdu-addr 101
map-to-sector rt-sec
scada-gw protocol ignore direction
scada-gw enable
conf t
ip dhcp excluded-address 192.0.2.1 192.0.2.80
ip dhcp excluded-address 192.0.2.100 192.0.2.255
ip dhcp use subscriber-id client-id
end
conf t
ip dhcp pool 16
network 192.0.2.0 255.255.255.0
address 192.0.2.90 client-id Fa0/0/1 ascii
end
Note The client-id has to be the short-name of the interface. Use "Fa" for FastEthernet interface. Use "Gi"
for GigabitEthernet interface.
The following command can also be used to gather the MIB values from another SNMP client (for example,
a Linux device):
Digital IO Enhancement
Support has been added to allow some digital I/O ports to be managed by IOSd, and some other digital IO
ports to be managed by IOx container apps. An updated CLI has been added and the YANG model for Digital
IO Enhancement has been updated.
The 17.5.1 version of the CLI is:
Note With release 17.5.1, alarm contact attach-to-iox gave IOx control of ALL digital IO ports (1 through 4).
Router(config)#alarm contact 1 ?
  application         Set the alarm application
  attach-port-to-iox  Enable selected Digital IO Ports access from IOX
  description         Set alarm description
  enable              Enable the alarm/digital IO port
  output              Set mode as output
  severity            Set the severity level reported
  threshold           Set the digital IO threshold
  trigger             Set the alarm trigger
Router#show alarm
Alarm contact 0:
Not enabled.
Digital I/O 1:
Attached to IOX.
Digital I/O 2:
Not enabled.
Digital I/O 3:
Not enabled.
Digital I/O 4:
Not enabled.
In the updated CLI, <1-4> are the number of digital I/O ports to assign to IOx for container apps.
Note With release 17.6.1, each digital IO port can be assigned to IOX individually.
Support 1G SFPs
Release 17.7.1 will add support for the following SFPs:
GLC-T-RGD
CWDM-SFP-1470=
CWDM-SFP-1610=
CWDM-SFP-1530=
DWDM-SFP-3033=
DWDM-SFP-3112=
GLC-BX-D-I=
GLC-BX-U-I=
GLC-TE
GPS and cellular log files are created separately with file names using the timestamp at the time of the creation.
These files are created as follows:
• If the existing file has reached 10Mb, a new file will be created.
• A new file will be created if the feature (GPS, or cellular) is completely disabled, and then re-enabled.
The version with the letter (17.7.1c) is considered the most recent one.
When comparing two version numbers such as the following:
• 17.7.3a
• 17.7.3f
The comparison takes the alphabetical order of the letter into account. In the case above, 17.7.3f is
considered the most recent one.
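The ordering rule above can be implemented in a few lines. The following is an added example, not code from the Cisco guide: it parses release strings of the shape major.minor.maintenance with an optional trailing rebuild letter, compares the numeric fields as integers (so 17.7.10 sorts after 17.7.9, which a plain string comparison would get wrong) and treats a lettered release as newer than the same release without a letter. The version strings used are the ones the guide mentions plus constructed ones.

```python
"""Order Cisco IOS XE release strings the way the guide describes.

Added example; it is not code from the Cisco guide. Rule implemented:
a release with a trailing letter (17.7.1c) is newer than the same release
without one (17.7.1), and two lettered releases (17.7.3a, 17.7.3f) are
ordered alphabetically by the letter. Numeric fields compare as integers.
"""
import re
from typing import Iterable, Tuple

# major.minor.maintenance with an optional single lower-case rebuild letter
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(version: str) -> Tuple[int, int, int, str]:
    """Split '17.7.3f' into (17, 7, 3, 'f'); raise ValueError for other shapes."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised IOS XE release string: {version!r}")
    major, minor, maint, letter = m.groups()
    return int(major), int(minor), int(maint), letter


def compare_versions(a: str, b: str) -> int:
    """Return -1 if a is older than b, 0 if they are equal, 1 if a is newer."""
    pa, pb = parse_version(a), parse_version(b)
    # Tuple comparison checks the integers first; the empty letter '' sorts
    # before 'a'..'z', which is exactly the "letter wins" rule.
    return (pa > pb) - (pa < pb)


def newest(versions: Iterable[str]) -> str:
    """Pick the most recent release string from an iterable of them."""
    return max(versions, key=parse_version)


if __name__ == "__main__":
    print(newest(["17.7.1", "17.7.1c"]))   # 17.7.1c
    print(newest(["17.7.3a", "17.7.3f"]))  # 17.7.3f
```

Because the key is a tuple of integers plus the letter, the same function orders a whole list of releases correctly, which is useful when an upgrade script has to pick the newest image in a directory.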
Note This only applies to the cellular based GPS. This does not apply to the GPS/GNSS module in IR1800
(DR module), IR8140 (native GPS) and IR8340 (Timing module).
Use the following command to check cellular GPS status:
IR1101-4001#sh cellular 0/3/0 gps
Router# show cellular <slot> gps
auto-reset  Enable reset modem automatically after configuring GPS enable or mode
Note SMU installation was supported in both bundle boot and install mode. From Cisco IOS XE Release
17.9.x, SMU installation will be stopped if the router is booted up in bundle mode. If the router is booted
up in install mode, SMU installation will keep working as it is in previous releases.
Bundle mode: This mode provides a consolidated boot process, using a local (hard disk, flash) or remote
(TFTP) .bin image.
Install mode: This mode uses the local (bootflash) packages.conf file for the boot process.
Bundle mode: This mode uses a single .bin file.
Install mode: The .bin file is replaced with expanded .pkg files in this mode.
CLI (bundle mode): Router(config)#boot system bootflash:<filename>
CLI (install mode): #install add file bootflash: [activate commit]
Bundle mode: To upgrade in this mode, point the boot system to the new image.
Install mode: To upgrade in this mode, use the install commands.
Image Auto-Upgrade (bundle mode): When a new Field-Replaceable Unit (FRU) is inserted in a modular
chassis, manual intervention is required to get the new FRU running with the same version as the active
FRUs.
Image Auto-Upgrade (install mode): When a new FRU is inserted in a modular chassis, the joining FRU is
auto-upgraded to the image version in sync with the active FRUs.
Rollback (bundle mode): Rollback to the previous image with multiple Software Maintenance Updates (SMUs)
may require multiple reloads.
Rollback (install mode): Enables rollback to an earlier version of Cisco IOS XE software, including multiple
patches in a single reload.
Note This section only describes new functionality and is not a complete overview of the WebUI.
From the Profiles tab, you can Add, Delete, or Edit the APN. Once the profile is modified, click on Update
& Apply to Device at the bottom of the window.
Click on the Primary SIM Slot pull-down and select slot 1. Click on Update & Apply to Device on the bottom
of the window.
Note Since MACsec is done in software, performance is not line rate on L2 interfaces.
For an egress packet, the SVI only knows that the packet needs to go out on a VLAN, without any information
about a specific interface. It is up to the switch chip to decide which port the packet leaves on. All packets
without a MACsec tag come in as usual. Outgoing L2 packets also egress without encryption or modification.
Both the NE and NA licenses support GCM-AES-128. This feature is not available when running the NPE image.
The MACsec protocol is defined in IEEE 802.1AE.
Feature Limitations
• MACsec is not supported in controller mode in this release.
• There must be a unique vlan id for a MACsec interface.
• Only gcm-aes-128 is supported in this initial release.
• Both explicit and non-explicit SCI are supported on ingress side. The IR1101 sends out only explicit SCI
packets as it is not an end system.
• The IR1101 does not support confidentiality offset.
• Integrity only is not supported in this first release.
• For gcm-aes-128, up to 32 bytes are added to an encrypted packet compared to a plain packet, so the
MTU setting should be increased by 32 for it to work properly.
• The MACsec key is managed by the MKA module. On this device, a static key is required for MKA to
negotiate the MACsec key.
• There is no MIB support.
Related Documentation
Further information can be found at the following:
• MACsec and the MACsec Key Agreement (MKA) Protocol
• MACSEC and MKA Configuration Guide, Cisco IOS XE 17
Show Commands
Show cpp_cp internal info:
show platform hardware cpp active feature soft-macsec server tx [dp] [item]
show platform hardware cpp active feature soft-macsec server rx [dp] [item]
show platform hardware cpp active feature soft-macsec server control [dp] [item]
Clear Statistics
Clear macsec statis int fa 0/0/2
Test Command
Print 10 MKA packets for debugging:
test platform software smacsec mka-ingress
To benefit from the HSEC license, a new bandwidth will be available. The new bandwidth is called uncapped,
and it is available with the following CLI from configuration mode:
IR1101(config)# platform hardware throughput level ?
250M throughput in bps
uncapped throughput in bps
IR1101(config)# platform hardware throughput level uncapped
After performing the above commands, write mem and reload the router. The configuration will take effect
when the router comes back up.
License Types
With this new feature, the IR1101 will support the following bandwidth/license types:
• Network-essentials 250 Mbps
• Network-advantage 250 Mbps
• Network-essentials uncapped
• Network-advantage uncapped
• HSEC
Ordering
The following is an example from the IR1101-K9. The license will be available on the IR1101-A-K9 as well.
In the following example, select the SL-1101-NE/UNCP-K9 (Network Essentials Uncapped License):
The L-1101-HSEC-K9 license is included automatically when you select the uncapped license, as shown in the
following:
When the enable secure data wipe is executed, the following will get wiped out:
• IR1101, IR1800, IR8140: NVRAM, rommon variables, bootflash, and msata
• ESR6300: NVRAM, rommon variables, bootflash
The router will be at the rommon prompt with default factory settings (baud rate 9600) after the command is
executed. The bootflash is not formatted until the router boots an IOS image through usbflash or a TFTP
download, where the platform supports it.
Important This operation may take hours. Please do not power cycle.
To check the log after the command is executed, and booting up IOS XE, perform the following:
Router#show platform software factory-reset secure log
Factory reset log:
#CISCO DATA SANITIZATION REPORT:# IR1800
Purge ACT2 chip at 12-08-2022, 15:17:28
ACT2 chip Purge done at 12-08-2022, 15:17:29
mtd and backup flash wipe start at 12-08-2022, 15:17:29
mtd and backup flash wipe done at 12-08-2022, 15:17:29.
CLI Changes
On IOS-XE platforms starting from 17.10.1a, there is a CLI correction and an additional CLI was added as
part of raw-socket.
The correction is for the raw-socket idle timeout command. There is now an option to configure the timeout
based on minutes and seconds, whereas the previous configuration used only minutes.
Router(config-line)# raw-socket tcp idle-timeout [0-1440] [<0-59> | cr]
The additional CLI is for clearing the raw-socket TCP clients. The command syntax is clear raw-socket line
[1-145|tty|x/y/z] for example:
Router# clear raw-socket line 0/2/0
Note When initiating clear raw-socket line, raw-socket sessions listed by the show raw-socket tcp sessions
command are cleared for raw-socket clients. Connections are re-established after a TCP handshake, which
can be triggered by performing a shut/no shut on the TCP connection interface.
• nvram: (NVRAM)
• bootflash: (Internal Flash memory)
• usbflash0: (external USB media)
Note Although the show version output always shows the software image running on the device, the model
name shown at the end of this display is the factory configuration and does not change if you upgrade
the software license.
You can also use the dir filesystem: privileged EXEC command to see the directory names of other software
images that you might have stored in flash memory.
Note In order to use secure copy (scp), you must first set up an SSH configuration. See Configuring Secure
Shell.
Password: <your-password>
Sending file modes: C0644 208904396 IR1800-universalk9.17.08.01.SPA.bin
...........
[OK - 208904396 bytes]
208904396 bytes copied in 330.453 secs (632176 bytes/sec)
Copy the running configuration and save it. Then when reloading the router, it restarts with the saved
configuration.
Router# copy running-config startup-config
Destination filename [startup-config]? <enter>
Building configuration...
[OK]
Router# reload
Proceed with reload? [confirm] <enter>
Dec 04 17:42:54.445 R0/0: %PMAN-5-EXITACTION: Process manager is exiting: process exit with
reload
Select Software Management under the Administration tab. Browse to the location of the new IOS XE
image file on your PC.
Select Administration > Management > Backup & Restore. Copy the image file from the laptop to your
router. This example uses HTTP as transport.
Save the configuration by clicking on the floppy drive icon at the top of the WebUI.
The install add command copies the software package from a local or remote location to the platform. The
command extracts individual components of the .package file into subpackages and packages.conf files. It
also validates the file to ensure that the image file is specific to the platform on which it is being installed.
The location of the software package can be in several places, as shown in the output of the following command:
IR1831#install add file ?
bootflash: Package name
crashinfo: Package name
flash: Package name
ftp: Package name
http: Package name
https: Package name
pram: Package name
rcp: Package name
scp: Package name
sftp: Package name
tftp: Package name
webui: Package name
The install activate command performs the required validations and provisions the packages previously added
using the install add command. It also triggers a system reload.
The install commit command confirms the packages previously activated using the install activate command,
and makes the updates persistent over reloads.
Note Installing an update replaces any previously installed software image. At any time, only one image can
be installed in a device.
install add
Syntax: install add file location:filename.bin
Copies the contents of the image, package, and SMUs to the software repository. File location may be local
or remote. This command does the following:
• Validates the file: checksum, platform compatibility checks, and so on.
• Extracts individual components of the package into subpackages and packages.conf.
• Copies the image into the local inventory and makes it available for the next steps.
(install activate) auto abort-timer
Syntax: install activate auto-abort timer <30-1200>
The auto-abort timer starts automatically, with a default value of 120 minutes. If the install commit command
is not executed within the time provided, the activation process is terminated, and the system returns to the
last-committed state.
• You can change the time value while executing the install activate command.
• The install commit command stops the timer, and continues the installation process.
• The install activate auto-abort timer stop command stops the timer without committing the package.
• Use this command with the prompt-level none keyword to automatically ignore any confirmation prompts.
• This command is valid only in the three-step install variant.
install remove
Syntax: install remove {file <filename> | inactive}
Deletes inactive packages from the platform repository. Use this command to free up space.
• file: Removes specified files.
• inactive: Removes all the inactive files.
install rollback to
Syntax: install rollback to {base | label | committed | id}
Rolls back the software set to a saved installation point or to the last-committed installation point. The
following are the characteristics of this command:
• Requires reload.
• Is applicable only when the package is in committed state.
• Use this command with the prompt-level none keyword to automatically ignore any confirmation prompts.
install deactivate
Syntax: install deactivate file <filename>
Removes a package from the platform repository. This command is supported only for SMUs.
• Use this command with the prompt-level none keyword to automatically ignore any confirmation prompts.
show install log
Syntax: show install log
Provides the history and details of all install operations that have been performed since the platform was
booted.
show install package
Syntax: show install package <filename>
Provides details about the .pkg/.bin file that is specified.
show install summary
Syntax: show install summary
Provides an overview of the image versions and their corresponding install states.
show install active
Syntax: show install active
Provides information about the active packages.
show install inactive
Syntax: show install inactive
Provides information about the inactive packages.
show install committed
Syntax: show install committed
Provides information about the committed packages.
show install rollback
Syntax: show install rollback {point-id | label}
Displays the package associated with a saved installation point.
show version
Syntax: show version [rp-slot] [installed [user-interface] | provisioned | running]
Displays information about the current package, along with hardware and platform information.
If the platform is working in bundle mode, the one-step install procedure must be used to initially convert the
platform from bundle mode to install mode. Subsequent installs and upgrades on the platform can be done
with either one-step or three-step variants.
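The install states (I, U, C, D) and the auto-abort timer described above are what an operator has to read off show install summary after an activation: a package left in state U reloads back to the committed image when the timer expires. The following added example, which is not code from the Cisco guide, parses that output and returns a verdict. The two sample outputs are constructed to match the layout the guide shows; the guide only prints "Auto abort timer: inactive", so the wording used for a running timer is an assumption and the parser treats any timer line that does not say "inactive" as active.

```python
"""Parse 'show install summary' output and decide whether 'install commit' is owed.

Added example; not code from the Cisco guide. The sample outputs are
constructed to match the layout shown in the guide (state legend, a
Type/St/Filename table and an 'Auto abort timer:' line). The wording of a
running timer line is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Package states as printed in the legend of the show install commands
STATES = {
    "I": "Inactive",
    "U": "Activated & Uncommitted",
    "C": "Activated & Committed",
    "D": "Deactivated & Uncommitted",
}

# A table row: package type (e.g. IMG), state letter, filename or version
_ROW_RE = re.compile(r"^([A-Z]+)\s+([IUCD])\s+(\S+)$")


@dataclass
class InstallSummary:
    packages: List[Tuple[str, str, str]] = field(default_factory=list)
    auto_abort_active: bool = False


def parse_show_install_summary(text: str) -> InstallSummary:
    """Extract package rows and the auto-abort timer state from CLI output."""
    summary = InstallSummary()
    for raw in text.splitlines():
        line = raw.strip()
        row = _ROW_RE.match(line)
        if row:
            summary.packages.append((row.group(1), row.group(2), row.group(3)))
        elif line.lower().startswith("auto abort timer:"):
            # Assumption: anything other than "inactive" means the timer is running
            summary.auto_abort_active = "inactive" not in line.lower()
    return summary


def needs_commit(summary: InstallSummary) -> bool:
    """True when any package is activated but not yet committed (state U)."""
    return any(state == "U" for _, state, _ in summary.packages)


def assess(text: str) -> str:
    """One-line verdict an operator can act on after 'install activate'."""
    summary = parse_show_install_summary(text)
    if needs_commit(summary):
        if summary.auto_abort_active:
            return "ACTION: run 'install commit' before the auto-abort timer reloads the router"
        return "ACTION: run 'install commit' to make the activation persistent"
    if any(state == "C" for _, state, _ in summary.packages):
        return "OK: the active image is committed"
    return "UNKNOWN: no package rows found in the output"


# Constructed sample: state after 'install commit'
COMMITTED_SAMPLE = """\
[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    17.09.01.0.157857
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
"""

# Constructed sample: state after 'install activate' but before 'install commit'
# (the timer line wording is an assumption, see the module docstring)
UNCOMMITTED_SAMPLE = """\
[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   U    17.09.01.0.1193
--------------------------------------------------------------------------------
Auto abort timer: active, 118 minutes remaining
--------------------------------------------------------------------------------
"""

if __name__ == "__main__":
    print(assess(COMMITTED_SAMPLE))
    print(assess(UNCOMMITTED_SAMPLE))
```

Feeding the parser the real command output collected over SSH turns the three-step workflow's main failure mode (forgetting install commit and getting an unexpected reload two hours later) into a check that can run from a change-management script.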
You can see how your device is set up to boot by using the show romvar and show bootvar commands.
Router#show romvar
ROMMON variables:
PS1 = rommon ! >
CM = IR1100
DEVICE_MANAGED_MODE = autonomous
LICENSE_SUITE =
RET_2_RTS =
THRPUT = 250
BOOT = flash:packages.conf,12;
LICENSE_BOOT_LEVEL = network-advantage,all:IR1101;
BSI = 0
RET_2_RCALTS =
RANDOM_NUM = 212626522
Router#
Router#show bootvar
BOOT variable = flash:packages.conf,12;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102
Router#
Note • All the CLI actions (for example, add, activate, and so on) are executed.
• The configuration save prompt will appear if an unsaved configuration is detected.
• The reload prompt will appear after the second step in this workflow. Use the prompt-level none
keyword to automatically ignore the confirmation prompts.
• If the prompt-level is set to None, and there is an unsaved configuration, the install fails. You must
save the configuration before reissuing the command.
Use the one-step install procedure described below to convert a platform running in bundle boot mode to
install mode. After the command is executed, the platform reboots in install boot mode.
Later, the one-step install procedure can also be used to upgrade the platform.
This procedure uses the install add file activate commit command in privileged EXEC mode to install a
software package, and to upgrade the platform to a new version.
Procedure
Step 2: install add file location: filename [activate commit]
Example:
Device#install add file bootflash:<router_image>.SSA.bin activate commit
Copies the software install package from a local or remote location (through FTP, HTTP, HTTPS, or TFTP) to
the platform and extracts the individual components of the .package file into subpackages and packages.conf
files. It also performs a validation and compatibility check for the platform and image versions, activates the
package, and commits the package to make it persistent across reloads. The platform reloads after this
command is run.
Step 3: exit
Example:
Device#exit
Exits privileged EXEC mode and returns to user EXEC mode.
Three-Step Installation
Note • All the CLI actions (for example, add, activate, and so on) are executed.
• The configuration save prompt will appear if an unsaved configuration is detected.
• The reload prompt will appear after the install activate step in this workflow. Use the prompt-level
none keyword to automatically ignore the confirmation prompts.
The three-step installation procedure can be used only after the platform is in install mode. This option provides
more flexibility and control to the customer during installation.
This procedure uses individual install add, install activate, and install commit commands for installing a
software package, and to upgrade the platform to a new version.
Procedure
Step 2: install add file location: filename
Example:
Copies the software install package from a remote location (through FTP, HTTP, HTTPS, or TFTP) to the
platform, and extracts the individual components of the .package file into subpackages and packages.conf
files.
Step 3: show install summary
Example:
Device#show install summary
(Optional) Provides an overview of the image versions and their corresponding install state.
Step 4: install activate auto-abort-timer <time>
Example:
Device# install activate auto-abort-timer 120
Activates the previously added package and reloads the platform.
• When doing a full software install, do not provide a package filename.
• In the three-step variant, auto-abort-timer starts automatically with the install activate command; the
default for the timer is 120 minutes. If the install commit command is not run before the timer expires,
the install process is automatically terminated. The platform reloads and boots up with the last committed
version.
Step 5: install abort
Example:
Device#install abort
(Optional) Terminates the software install activation and returns the platform to the last committed version.
• Use this command only when the image is in activated state, and not when the image is in committed state.
Step 6: install commit
Example:
Device#install commit
Commits the new package installation and makes the changes persistent over reloads.
Step 7: install rollback to committed
Example:
Device#install rollback to committed
(Optional) Rolls back the platform to the last committed state.
Step 8: install remove {file filesystem: filename | inactive}
Example:
Device#install remove inactive
(Optional) Deletes software installation files.
• file: Deletes a specific file.
• inactive: Deletes all the unused and inactive installation files.
Step 9: show install summary
Example:
Device#show install summary
(Optional) Displays information about the current state of the system. The output of this command varies
according to the install commands run prior to this command.
Step 10: exit
Example:
Device#exit
Exits privileged EXEC mode and returns to user EXEC mode.
Note The install rollback command succeeds only if you have not removed the previous file using the install
remove inactive command.
Alternatively, you can downgrade by installing the older image using the install commands.
Configuration Examples
This section shows examples of using install commands.
This operation may require a reload of the system. Do you want to proceed? [y/n]y
........
Loading: bootflash:packages.conf
#
#####################################################################################
#####################################################################################
#################################
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG C 17.09.01.0.157857
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
Install Add
Router# install add file flash:ir1101-universalk9.17.09.01prd1.SPA.bin
install_add: START Tue May 31 01:35:40 UTC 2022
install_add: Adding IMG
--- Starting initial file syncing ---
Copying flash:ir1101-universalk9.17.09.01prd1.SPA.bin from R0 to R0
Info: Finished copying to the selected
Finished initial file syncing
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
Install Activate
Router#install activate
install_activate: START Tue May 31 01:37:14 UTC 2022
install_activate: Activating IMG
Following packages shall be activated:
/flash/ir1101-mono-universalk9_iot.17.09.01prd1.SPA.pkg
/flash/ir1101-rpboot.17.09.01prd1.SPA.pkg
This operation may require a reload of the system. Do you want to proceed? [y/n]y
........
Loading: bootflash:packages.conf
#
#########################################################################
#########################################################################
#######################
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
Install Commit
Router#install commit
install_commit: START Tue May 31 01:47:56 UTC 2022
--- Starting Commit ---
Performing Commit on all members
[1] Commit packages(s) on R0
[1] Finished Commit packages(s) on R0
Checking status of Commit on [R0]
Commit: Passed on [R0]
Finished Commit operation
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
Package: ir1101-mono-universalk9_iot.17.09.01prd1.SPA.pkg
Size: 673776700
Timestamp:
PackageName: mono-universalk9_iot
Build: 17.09.01prd1
CardTypes:
You can determine which package is active using the show install active command.
Router#show install active
[ R0 ] Active Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG C 17.09.01.0.1193
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
Router#show install uncommitted
[ R0 ] Uncommitted Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
No Uncommitted Packages
Note This command is used to clean up the boot directory of unused installation files. This will not remove
the bootable image.
Cleaning /flash
Scanning boot directory for packages ... done.
Preparing packages list to delete ...
[R0]: /flash/packages.conf File is in use, will not delete.
[R0]: /flash/ir1101-mono-universalk9_iot.17.09.01prd1.SPA.pkg File is in use, will not
delete.
[R0]: /flash/ir1101-universalk9.17.09.01prd1.SPA.conf File is in use, will not delete.
[R0]: /flash/ir1101-rpboot.17.09.01prd1.SPA.pkg File is in use, will not delete.
[R0]: /flash/ir1101-universalk9.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.conf
[R0]: /flash/ir1101-rpboot.BLD_POLARIS_DEV_LATEST_20220421_143208.SSA.pkg
Solution: Use the following show commands to view installation summary, logs, and software versions.
It is better to upgrade software in a planned period of maintenance when an interruption in service is acceptable.
The router needs to be rebooted for a software upgrade to take effect.
Licensing
This section contains the following:
You can enable licensed features and store license files in the bootflash of your router. Licenses pertain to
consolidated packages, technology packages, or individual features.
The IR1101 uses Smart Licensing, which is discussed in detail in the next chapter.
The IR1101 does not support Right to Use licenses, and supports only Specific License Reservation
(SLR).
Consolidated Packages
To obtain software images for the router, go to: https://software.cisco.com/download/home/286319772/type/282046477/release/Gibraltar-16.11.1
Note All of the IOS-XE feature set may not apply to the IR1101. Some features may not have been implemented
yet, or are not appropriate for this platform.
An image-based license is used to help bring up all the subsystems that correspond to a license. This license
is enforced only at boot time.
One of the following image-based licenses can be pre-installed on the IR1101 router:
• Network-Essentials
• Network-Advantage
Note Details of the Network-Essentials and Network-Advantage contents can be found in the product data
sheet located here:
https://www.cisco.com/c/en/us/products/collateral/routers/1101-industrial-integrated-services-router/datasheet-c78-741709.html
Network-Essentials
The Network-Essentials technology package includes the baseline features. It also supports security features.
The Network-Essentials_npe technology package (npe = No Payload Encryption) includes all the features
in the Network-Essentials technology package without the payload encryption functionality. This is to fulfill
export restriction requirements. The Network-Essentials_npe is available only in the Network-Essentials_npe
image. The difference in features between the Network-Essentials package and the Network-Essentials_npe
package is therefore the set of payload encryption features such as IPsec and Secure VPN.
Network-Advantage
The Network-Advantage technology package includes all crypto features.
The Network-Advantage_npe package (npe = No Payload Encryption) includes all the features in the
Network-Advantage technology package without the payload-encryption functionality. This is to fulfill
export restriction requirements. The Network-Advantage_npe package is available only in the
Network-Advantage_npe image. The difference in features between the Network-Advantage package and
the Network-Advantage_npe package is therefore the set of payload-encryption-enabling features such as
IPsec and Secure VPN.
Related Documentation
For further information on software licenses, see the Smart Licensing chapter.
Note When the device boots up for first time and if the device requires an upgrade, the entire boot process
may take several minutes. This process will be longer than a normal boot due to the ROMMON upgrade.
Router#reload /verify
[OK]
*Nov 7 00:08:48.101: %SYS-2-PRIVCFG_ENCRYPT: Successfully encrypted private config file
Verifying file integrity of bootflash:/ir1101-universalk9.16.10.01.SPA.bin...........
....................................
ROMMON Images
A ROMMON image is a software package used by ROM Monitor (ROMMON) software on a router. The
software package is separate from the consolidated package normally used to boot the router.
An independent ROMMON image (software package) may occasionally be released and the router can be
upgraded with the new ROMMON software. For detailed instructions, see the documentation that accompanies
the ROMMON image.
Note A new version of the ROMMON image is not necessarily released at the same time as a consolidated
package for a router.
File Systems
The following table provides a list of file systems that can be seen on the Cisco IR1101 router.
nvram: Router NVRAM. You can copy the startup configuration to NVRAM or from NVRAM.
system: System memory file system, which includes the running configuration.
usbflash0: The Universal Serial Bus (USB) flash drive file system.
Note The USB flash drive file system is visible only if a USB drive is installed in the USB port.
Use the ? help option if you find a file system that is not listed in the table above.
After this message is seen, the USB flash drive is accessible. Users can access the USB contents using the
dir usbflash0: command:
Device#dir usbflash0:
Directory of usbflash0:/
5 drwx 512 Aug 23 2019 10:42:18 -07:00 System Volume Information
6 -rwx 35 Aug 27 2019 17:40:38 -07:00 test.txt
206472192 bytes total (206470144 bytes free)
Device#
Contents can be copied to and from the USB flash drive using the copy command. Once the copy is complete,
a log message showing number of bytes copied is displayed.
While hot plug/unplug of a USB flash drive is supported, the functionality comes with security vulnerabilities.
To prevent users from copying sensitive information to the USB flash drive, USB enable/disable functionality
has been added.
By default, the USB flash drive is enabled. If a user wishes to disable USB, they can do so using the disable
command:
Device(config)#end
Once the USB flash drive has been disabled, the file system is not shown on the Device and syslog messages
will not be displayed when the USB is inserted. Users will not be able to access the contents of the USB.
For example:
Device#dir usbflash0:
dir usbflash0:
^
% Invalid input detected at '^' marker.
Device#
Device#config terminal
The USB port could be considered a potential security risk. If you wish to disable the USB port, use these
steps:
configure terminal
platform usb disable
exit
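Two settings shown in this guide are worth checking in a saved running-config before a router is deployed: the SNMP community example earlier (snmp-server community public RW) and the platform usb disable step above. The following is an added example, not code from the Cisco guide; it is a small configuration auditor that reports an SNMP community granting RW access, any community with no access-list restricting it, a well-known community name, and the absence of platform usb disable. Both configuration texts it runs against are constructed, and community lines using the ipv6 keyword are outside what it parses.

```python
"""Audit an IOS XE running-config for two of the settings shown in this guide.

Added example; not code from the Cisco guide. The configuration texts are
constructed. Checks:
  * snmp-server community: RW grants SNMP write access to the router; a
    community without a trailing access-list is reachable from any source;
    'public' and 'private' are well-known names.
  * platform usb disable: the guide calls the USB port a potential security
    risk, so its absence from the config is reported.
"""
import re
from typing import List

# snmp-server community <string> [view <name>] [RO | RW] [<access-list>]
_SNMP_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)
_WELL_KNOWN = {"public", "private"}


def audit_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    usb_disabled = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower() == "platform usb disable":
            usb_disabled = True
            continue
        m = _SNMP_RE.match(line)
        if not m:
            continue
        # IOS defaults a community to RO when no mode keyword is given
        name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        if mode == "RW":
            findings.append(f"SNMP community '{name}' grants read-write access")
        if acl is None:
            findings.append(f"SNMP community '{name}' is not restricted by an access-list")
        if name.lower() in _WELL_KNOWN:
            findings.append(f"SNMP community '{name}' uses a well-known default name")
    if not usb_disabled:
        findings.append("USB flash port is enabled (no 'platform usb disable')")
    return findings


# Constructed sample: the weak settings as they appear in this guide's examples
WEAK_CONFIG = """\
hostname Router
!
snmp-server community public RW
snmp-server community monitor RO 10
!
line 0/2/0
 raw-socket tcp idle-timeout 30
!
end
"""

# Constructed sample: USB port disabled, one read-only community behind ACL 10
HARDENED_CONFIG = """\
hostname Router
!
platform usb disable
!
snmp-server community monitor RO 10
!
end
"""

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_config(HARDENED_CONFIG))
```

Run against the text of show running-config, the same function fits into a pre-deployment check; the hardened sample shows the shape of the configuration that produces no findings.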
crashinfo files: Crashinfo files may appear in the bootflash: file system. These files provide descriptive
information of a crash and may be useful for tuning or troubleshooting purposes. However, the files are not
part of router operations, and can be erased without impacting the functioning of the router.
managed directory: This directory is created on bootup if a system check is performed. Its appearance is
completely normal and does not indicate any issues with the router.
• Crashinfo files and files in the core and tracelogs directory can be deleted.
Flash Storage
Subpackages are installed to local media storage, such as flash. For flash storage, use the dir bootflash:
command to list the file names.
LED Indicators
For information on LEDs on the router, see "LED Indicators" in the "Product Overview" section of the Cisco
Catalyst IR1101 Rugged Series Router Hardware Installation Guide
To monitor the LED status of the system, the alarm and interface ports, the show LED command line is
supported in IOS mode.
Router# show LED
SYSTEM LED : Green
Related Documentation
For further information on software licenses, see the Smart Licensing Chapter.
For further information on obtaining and installing feature licenses, see Configuring the Cisco IOS Software
Activation Feature.
Note • The terms Cisco Network Plug and Play, PnP are interchangeably used in this guide and all mean
the same.
• The terms PnP agent, agent, and deployment agent are interchangeably used in this guide and all
mean the same.
• The terms PnP server, server, and deployment server are interchangeably used in this guide and all
mean the same.
Simplified deployment reduces the cost and complexity and increases the speed and security of deployments.
Cisco Network Plug and Play (PnP) agent is a software application that is running on a Cisco IOS or IOS-XE
device. The PnP agent together with the PnP deployment server provides effortless deployment services.
When a device is powered on for the first time with no startup configuration and no user input on the device's
console, the PnP agent process wakes up and attempts to discover the address of the PnP server. The PnP
agent uses methods such as DHCP, Domain Name System (DNS), and others to acquire the IP address
of the PnP server. When the PnP agent successfully acquires the IP address, it initiates a long-lived, bidirectional
layer 3 connection with the server and waits for a message from the server. The PnP server application sends
messages to the agent requesting information and services to be performed on the device.
The PnP agent converges existing solutions into a unified agent and adds functionality to enhance the current
solutions. The main objectives of PnP agent are:
• Provide consistent day 1 deployment solution for all the deployment scenarios.
• Add new features to improve existing solutions.
• Provide day 2 management framework mainly in the context of configuration and image upgrades.
4. Device information
5. File transfer
6. Image install
7. License install
8. PnP tagging
9. Script execution
10. Topology information
Note The PnP server provides an optional checksum tag to be used in the image installation and config upgrade
service requests by the PnP agent. When the checksum is provided in the request, the image install
process compares the checksum against the checksum of the currently running image.
If the checksums are the same, the image being installed or upgraded is the same as the image currently running
on the device, and the image install process performs no further operation.
If the checksums are not the same, the new image is copied to the local file system, its checksum is
calculated and compared against the checksum provided in the request, and, if they match, the process
continues to install the new image or upgrade the device to it. If the checksums of the downloaded image and the
request still differ, the process exits with an error and the image is not installed.
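The comparison order in the note, written out as an added example (this is not code from the page or from the Cisco PnP agent). The hash algorithm is an assumption, since the page does not name it; sha256 is used here. The Fetcher type stands in for the file-transfer step, and the sample images are constructed byte strings.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// InstallAction is the outcome of an image-install request that carries a checksum tag.
type InstallAction int

const (
	ActionNone    InstallAction = iota // tag matches the running image: nothing to do
	ActionInstall                      // downloaded image matches the tag: proceed
	ActionError                        // downloaded image does not match the tag: abort
)

func (a InstallAction) String() string { return [...]string{"none", "install", "error"}[a] }

// Fetcher stands in for the file-transfer step (an assumption of this example, not a PnP API).
type Fetcher func(name string) ([]byte, error)

// sha256Hex is the checksum used here; the page does not name the algorithm.
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// decideImageInstall follows the order given in the note:
//  1. compare the tag with the running image's checksum; equal means no-op;
//  2. otherwise copy the new image locally, recompute, and compare again;
//  3. a mismatch on the downloaded file is an error, never an install.
// An empty tag means the server sent none, so no check is possible.
func decideImageInstall(tag string, running []byte, newName string, fetch Fetcher) (InstallAction, error) {
	if tag == "" {
		return ActionInstall, nil
	}
	if sha256Hex(running) == tag {
		return ActionNone, nil
	}
	img, err := fetch(newName)
	if err != nil {
		return ActionError, fmt.Errorf("copy %s: %w", newName, err)
	}
	if got := sha256Hex(img); got != tag {
		return ActionError, fmt.Errorf("%s: checksum %s does not match requested %s", newName, got, tag)
	}
	return ActionInstall, nil
}

func main() {
	// Constructed sample images; a real agent would hash the files on bootflash:.
	running := []byte("constructed running image v1")
	newImg := []byte("constructed new image v2")
	fetch := func(string) ([]byte, error) { return newImg, nil }

	for _, tag := range []string{sha256Hex(running), sha256Hex(newImg), sha256Hex([]byte("tampered")), ""} {
		action, err := decideImageInstall(tag, running, "ir1101-v2.bin", fetch)
		fmt.Printf("tag=%.8s action=%s err=%v\n", tag, action, err)
	}
}
```

The point the example makes is that the second comparison is against the file actually written to flash, so a transfer that was corrupted or substituted in transit is rejected even when the server-side tag was correct.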
Backoff
A Cisco IOS device that supports the PnP protocol (which uses HTTP transport) requires the PnP agent to send
work requests to the PnP server continuously. When the PnP server has no scheduled or outstanding
PnP service for the PnP agent to execute, these continuous no-operation work requests exhaust both network
bandwidth and device resources. The PnP backoff service allows the PnP server to tell the PnP agent to
rest for a specified time and call back later.
CLI Execution
Cisco IOS supports two modes of command execution—EXEC mode and global configuration mode. Most
of the EXEC commands are one-time commands, such as show commands, which show the current
configuration status, and clear commands, which clear counters or interfaces. The EXEC commands are not
saved when a device reboots. Configuration modes allow the user to make changes to the running configuration.
If you save the configuration, these commands persist when the device reboots.
Note For show command request and response details and for all PnP configuration commands, see Cisco
Network Plug and Play Agent Command Reference.
Configuration Upgrade
There are two types of configuration upgrade on a Cisco device: copying a new configuration file to the startup
configuration and copying a new configuration file to the running configuration.
Copying a new configuration file to the startup configuration: The new configuration file is copied from the
file server to the device with the copy command, and a file check is performed to verify the validity of the file.
If the file is valid, it is copied to the startup configuration. The previous configuration file is backed up
if enough disk space is available. The new configuration takes effect when the device reloads.
Copying a new configuration file to the running configuration: The new configuration file is copied from the
file server to the device with the copy command or the configure replace command. Configuration file replace
and rollback may leave the system in an unstable state if the rollback does not complete cleanly, so a configuration
upgrade by copying the file is preferred.
Device Information
The PnP agent provides capability to extract device inventory and other important information to the PnP
server on request. The following five types of device-profile requests are supported:
1. all—returns complete inventory information, which includes unique device identifier (UDI), image,
hardware and file system inventory data.
2. filesystem— returns file system inventory information, which includes file system name and type, local
size in bytes, free size in bytes, read flag, and write flag.
3. hardware— returns hardware inventory information, which includes hostname, vendor string, platform
name, processor type, hardware revision, main memory size, I/O memory size, board ID, board rework
ID, processor revision, midplane revision, and location.
4. image—returns image inventory information, which includes version string, image name, boot variable,
return to rommon reason, bootloader variable, configuration register, configuration register on next boot,
and configuration variable.
5. UDI— returns device UDI.
File Transfer
The PnP file server hosts files that can be copied over by the deploying devices in the network. The file server
can be a dedicated server hosting files or a part of the device hosting the PnP server. The PnP agent uses
standard file transfer protocols to copy files from the remote file server to the device. If the device is running
a crypto image then secured file transfer protocols such as SFTP, SCP, HTTPS are supported. For devices
running non-crypto images, the PnP agent supports unsecured copy protocols such as FTP, TFTP, HTTP.
Image Install
Image installation service enables a PnP-enabled device to perform image upgrade on receiving a request
from the PnP server.
Standalone Devices
When the PnP agent on a standalone device receives a request from the PnP server, the agent parses the XML
payload and identifies the request as an Image Upgrade request. The agent then creates an ImageInstall process,
which identifies the request as a standalone image install request. The PnP agent populates the data structure
defined by the ImageInstall service and passes it to the ImageInstall service.
The Image Install service then performs the following operations to successfully load the device with the new
image:
1. Copies the image from the file server to a local disk (the file server information is provided by the PnP
server in the request).
2. Configures the device to load the new image on next reload by executing the boot system command.
3. Reloads the device and sends a message to the PnP server.
PnP Tagging
Cisco IOS provides capability to assign tags to the devices for better grouping and tracking of all Cisco devices.
The PnP agent provides XML service for configuring the tag information on the device and for propagating
the tag information within the network using Cisco Discovery Protocol (CDP). The purpose of this service is
for the PnP agents to get to know their tag information and to pass on this information to the PnP server upon
request.
Topology Information
By default, every Cisco device on the network runs Cisco Discovery Protocol (CDP). Through CDP, devices
in the network discover their immediate neighbors and populate their databases with the attributes learnt or
derived through the protocol. This neighbor information is stored in the database and is available on demand
by the device to the PnP server. Typical neighbor information comprises the neighboring device ID, software
version, hardware platform, interface IP address, and the port on which CDP messages are sent or received.
Step 1 Use the install add <filename> command to unpack the package software file and copy it to the boot device (bootflash:
on this platform). If the file is on a remote source, use the tftp/ftp option to copy the file to the device.
After the file is copied to the device, information within the package is used to verify compatibility with the target cards
and with the other active software. Actual activation is performed only after the package compatibility and application
program interface (API) compatibility checks are passed.
Step 2 To activate a package, use the install activate <filename> command. The activate operation will run the compatibility
checks and install the software maintenance upgrade package. If it is a reload software maintenance upgrade, it will
automatically initiate a reload.
Step 3 Use the install commit command to commit the changes
Step 4 To deactivate the package, use the install deactivate <filename> command.
Step 5 If you find that you prefer a previous package set over the currently active package set, you can use the install rollback
to committed command to make a previously active package set active again
Step 6 To remove the installed version, use the install remove <filename> command.
This example shows how to install and remove the software maintenance upgrade package on a device.
install add <filename>
install activate <filename>
install commit
The PnP server also communicates with proxy servers like deployment applications on smart phones and PCs,
or other PnP agents acting as Neighbor Assisted Provisioning Protocol (NAPP) servers, and other types of
proxy deployment servers like VPN gateways.
The PnP server can redirect the agent to another deployment server. A common example of redirection is a
PnP server redirecting a device to communicate with it directly after sending the bootstrap configuration
through a NAPP server. A PnP server can be hosted by an enterprise, or the device can use the cloud based
deployment service provided by Cisco. In the latter case, a device discovers and communicates with Cisco's cloud
based deployment service for initial deployment. After that, it can be redirected to the customer's deployment
server.
In addition to communicating with the devices, the server interfaces with a variety of external systems like
Authentication, Authorizing, and Accounting ( AAA) systems, provisioning systems, and other management
applications.
Assumptions:
• New devices can reach DHCP server
• Customer is willing to configure DHCP server for network devices
Before inserting the option 43, the snooping agent verifies if the DHCP message is from a Cisco device in
the network. The remaining DHCP discovery process is same as described in the previous section.
Figure 53: DHCP Snooping by PnP Server
Assumptions:
• New devices can reach DHCP server
• New devices can reach DNS server
• Customer is not willing to configure DHCP server for network devices
• Upstream switch (SW) is configured to snoop DHCP and insert PnP server IP
Assumptions:
• New devices can reach DHCP server
• Customer deployed PnP server in the network with the name “pnpserver”
Cisco Network Plug and Play Proxy Server for Layer 3 and Layer 2 Devices
This device listens to a specific port for any incoming PnP messages. The Cisco device which is trying to
come up as a PnP device sends a UDP broadcast message to its network every 30 min for ten times. Hence,
if the device does not receive a response, the broadcasts stop after 300 min.
When the device hosting the proxy server process receives the incoming broadcasts, it verifies the version
field in the request and forwards the request to the PnP server if version validation is successful. The proxy
server process also caches the unique device identifier (UDI) of the requesting client coming in via incoming
datagram before forwarding the request to PnP server.
Upon receiving the configlet datagram from PnP server, the proxy server validates UDI in the incoming
datagram with the entries in the UDI cache. If validation is successful, proxy server process broadcasts the
datagram to a specific port number reserved for the proxy client processes to receive datagrams.
Upon receiving the datagrams, devices running proxy client processes parse the incoming datagram for the
target UDI. If the target UDI in the datagram matches the UDI of the device, the proxy client process proceeds
with framing, error control, and applying the configlet.
If the target UDI in the datagram does not match the UDI of the device, the packet is dropped.
Once discovery is complete, the deployment agent starts an unsecured XML stream with the deployment
server over Ethernet. This protocol reserves an Ethertype (0xXX TBD) for this purpose. The deployment
agent and the server then negotiate to use Extensible Authentication Protocol–Transport Layer Security
(EAP-TLS) to protect the communication and complete the EAP-TLS session establishment. The deployment
server then authenticates the device with the HTTP secure (HTTPS) certificate or some other supported
mechanism.
The deployment server presents its certificate to the deployment agent so that the agent can authenticate the
server. Irrespective of whether the agent is able to verify the server certificate, the agent engages the deployment
server in a post-TLS authorization exchange. In this exchange the agent requests the server to present its server
authorization token. In response to this request the server presents the authorization token it had obtained
from Cisco. The agent verifies the signature on the authorization token. If the authorization token is specific
to a Unique Device Identifier (UDI), the agent also ensures its UDI is listed in the authorization-token. At the
end of this step, a secure communication channel is established between the deployment agent and the server.
This secure communication channel is leveraged by the server to send deployment information to the agent.
The field ‘T’ in the PnP string provides an option for the network administrator to specify the location of the
certificate bundle, which can be hosted on a local or remote file server.
If the certificate bundle is available at the specified location, then the agent:
1. Downloads the bundle from the file server to the device.
2. Checks the signature of the downloaded bundle to ensure it has a genuine Cisco signature.
3. Installs the certificates on the device.
If the ‘T’ option is not specified and the transport mechanism is specified in the option 43 string as HTTPs,
the PnP agent looks for the Cisco signed certificate bundle in the default folder of the same server
http://10.30.30.10:443/certificates/default/cert.p7b .
If the certificates are available at the default location then the agent performs the steps mentioned above to
install the certificates.
After the certificates are installed and the server discovery is complete, the agent initiates the HTTPs connection
with the server without any additional configuration. During the HTTPs handshake, the device uses the
certificates installed from the bundle to validate the server certificate.
The following figure shows the end-to-end secured PnP workflow using the CA bundle-based certificate.
Figure 59: Secured PnP Deployment with Trustpool
This flow works only if the server is using a certificate signed by one of the known signing authorities that is
available in the bundle. If the server uses a certificate that is not a part of the bundle then the HTTPs handshake
will fail. When you specify the option 43 string with HTTPs as a transport option and if the bundle download
fails, the agent will not fall back to any of the unsecured communication protocol even if the server is reachable.
If the transport option is specified as HTTP with a parameter 'T' pointing to a valid certificate bundle location,
the agent overrides the transport option HTTP and changes it to HTTPs for secured communication. Generally,
the agent will choose the most secured communication from the available options.
The path specified in the DHCP option 43 to locate the certificate bundle file can be an absolute URL or a
relative URL. If you specify a relative URL, the agent forms a full URL with the server IP address or hostname
as specified in the option 43 string and uses HTTP as the file transfer protocol.
Also, to install the certificates, the agent expects the device to have a correct system clock, because certificate
validity periods cannot be checked otherwise. The DHCP server is configured ahead of time, so it cannot hand out the
current time. In such a scenario, an IP address or a URL can be specified as an alternative parameter in option 43 with
the prefix 'Z', which points the device to an NTP server. The agent synchronizes the clock on the device with the NTP
server and then installs the certificates.
DNS-based Discovery
In DNS-based discovery, the device receives the domain name of the customer network from a DHCP server. The domain
name is used to create a PnP-specific, fully qualified domain name (FQDN) such as pnpserver.<domain_name>,
which the customer network resolves to a valid PnP server IP address. Because there is no mechanism in this
method to specify the certificate location, the agent locates the certificate bundle at predefined URLs so that it
can initiate the HTTPS connection without manual intervention.
During the system boot up, the device acquires IP network information from a DHCP server along with the
domain name. With the customer specific domain name, the Cisco PnP agent creates the following URL
pnpserver.<domain_name> and looks for the Cisco signed certificate bundle in a default folder of the server
<domain_name>/ca/trustpool/cabundle.p7b.
If the certificate bundle is available at the specified location, then the agent:
1. Downloads the bundle from the file server to the device.
2. Checks the signature of the downloaded bundle to ensure it has genuine Cisco signature.
3. Installs the certificates on the device.
If the certificate bundle is not available at the specified location, the PnP agent uses a predefined
URL, pnpcertserver.<domain_name>, and looks for the Cisco signed certificate bundle in the default folder
of that server, <domain_name>/ca/trustpool/cabundle.p7b.
If the certificates are available at the specified location, then the agent performs the steps specified above to
install the certificates.
After the certificates are installed and the server discovery is complete, the agent initiates the HTTPs connection
with the server at the URL, pnpserver.<domain_name > without any additional configuration. During the
HTTPs handshake, the device uses the certificates that are installed from the bundle to validate the server
certificate.
Also, to install the certificates, the agent expects the device to have a correct system clock. Because the DHCP
server is configured ahead of time, it cannot hand out the current time. In such a scenario, the agent uses a
predefined URL, pnpntpserver.<domain_name>, which needs to be mapped to an NTP server, synchronizes the clock on
the device, and then installs the certificates.
However, if the certificate bundle is not present at either URL, the Cisco PnP agent falls back and establishes an
HTTP connection to the server using the created FQDN pnpserver.<domain_name>. With this workflow, the
agent expects the server to use the certificate-install service to install self-signed certificates first and then
start the provisioning steps. Because that initial HTTP exchange is not authenticated, the certificate installed
over it is only as trustworthy as the network path to pnpserver.<domain_name>.
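The decision logic of both discovery methods, DHCP option 43 (fields 'T' and 'Z', the HTTP to HTTPS upgrade, relative bundle URLs, no fallback once HTTPS is requested) and DNS-based discovery (pnpserver, pnpcertserver, pnpntpserver and the HTTP fallback), as an added example; it is not code from the page or from the PnP agent. Assumptions: the option 43 field letters other than T and Z (K4/K5 for transport, I for the server address, J for the port) follow the usual Cisco layout but are not on this page; the bundleAt callback stands in for the HTTP probe; the host paired with /ca/trustpool/cabundle.p7b is taken to be the FQDN being tried; the sample strings and addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Plan is what the agent does next: bundle location, transport to the server, NTP
// server to sync before installing certificates, and whether a fallback to plain
// HTTP is permitted when the bundle cannot be fetched.
type Plan struct {
	Transport  string
	ServerURL  string
	BundleURL  string
	NTPServer  string
	FallbackOK bool
}

// parseOption43 splits the semicolon-separated string into single-letter fields.
// Assumed letters: K4 = HTTP, K5 = HTTPS, I = server address, J = port,
// T = bundle URL, Z = NTP server (only T and Z are documented on the page).
func parseOption43(s string) (map[byte]string, error) {
	fields := map[byte]string{}
	for _, f := range strings.Split(s, ";") {
		if f != "" {
			fields[f[0]] = f[1:]
		}
	}
	if fields['I'] == "" {
		return nil, errors.New("option 43: no server address (I field)")
	}
	return fields, nil
}

// planFromOption43 applies the rules from the DHCP-based discovery text.
func planFromOption43(s string) (Plan, error) {
	f, err := parseOption43(s)
	if err != nil {
		return Plan{}, err
	}
	host, port, transport := f['I'], f['J'], "http"
	if f['K'] == "5" {
		transport = "https"
	}
	p := Plan{NTPServer: f['Z']}
	if t, ok := f['T']; ok {
		transport = "https" // a T field upgrades HTTP to HTTPS
		if strings.Contains(t, "://") {
			p.BundleURL = t // absolute URL is used as given
		} else {
			// relative URL: joined to the option 43 host and fetched over HTTP
			p.BundleURL = "http://" + host + "/" + strings.TrimPrefix(t, "/")
		}
	}
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[transport]
	}
	if p.BundleURL == "" && transport == "https" {
		// no T: default folder of the same server, in the URL form the page shows
		p.BundleURL = "http://" + host + ":" + port + "/certificates/default/cert.p7b"
	}
	p.Transport = transport
	p.ServerURL = fmt.Sprintf("%s://%s:%s", transport, host, port)
	p.FallbackOK = transport == "http" // HTTPS never falls back to an unsecured protocol
	return p, nil
}

// planFromDNS probes pnpserver.<domain> then pnpcertserver.<domain> for the bundle;
// if neither has it, the agent falls back to plain HTTP to pnpserver.<domain>.
func planFromDNS(domain string, bundleAt func(url string) bool) Plan {
	p := Plan{
		Transport:  "http",
		ServerURL:  "http://pnpserver." + domain,
		NTPServer:  "pnpntpserver." + domain,
		FallbackOK: true,
	}
	for _, h := range []string{"pnpserver." + domain, "pnpcertserver." + domain} {
		if u := "http://" + h + "/ca/trustpool/cabundle.p7b"; bundleAt(u) {
			p.BundleURL, p.Transport, p.FallbackOK = u, "https", false
			p.ServerURL = "https://pnpserver." + domain
			break
		}
	}
	return p
}

func main() {
	// Constructed inputs: the addresses are placeholders, not real servers.
	for _, s := range []string{"5A1N;B2;K5;I10.30.30.10;J443", "5A1N;B2;K4;I10.30.30.10;J80;Tca/bundle.p7b;Z10.30.30.20"} {
		p, err := planFromOption43(s)
		fmt.Printf("%s\n  %+v err=%v\n", s, p, err)
	}
	fmt.Printf("%+v\n", planFromDNS("example.com", func(string) bool { return false }))
}
```

The FallbackOK flag is the property worth checking in a deployment: a plan that ends with Transport "http" and FallbackOK true is the unauthenticated path described in the DNS section, and it should only ever be reached on a network you trust end to end.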
Step 1 Configure the DNS server with an IPv6 option. To enable the Cisco Network PnP DNS discovery, configure the DNS
server as shown in this example:
ip host pnpntpserver.domain.com 2001::1
ip host pnptrustpool.domain.com 2001::2
ip host pnpserver.domain.com 2001::3
Step 2 The DHCPv6 server is discovered through the DHCP bootstrap process. The following example shows the IPv6
configuration needed on the DHCP server:
ipv6 unicast-routing
ipv6 cef
The device sends DHCPv6 packets to the server over an IPv6 network. After receiving the DHCPv6 packets, the DNS
server information and the domain name are returned to the device as Option 23 and Option 24 respectively.
Step 3 Configure the NTP server. The following example shows how to configure the NTP server:
ntp master 1
Note Similarly, the device NTP configuration should use the NTPv4 option.
Step 4 Host the trustpool server on an IPv6 network. Trustpool is supported only on DHCP Options T and Z. If the Option T is
configured, specify the URL of the trustpool CA bundle. If the Option Z is configured, specify the NTP server IP address.
Note When the Cisco Network PnP agent attempts to download the trustpool bundle over HTTP by using an IPv6
option, the trustpool server should support HTTP over an IPv6 network. Also, the clock must be synchronized
before configuring the trustpool.
Note Some of the Cisco PnP devices may have root certificate embedded in the devices. These devices will
communicate with the CCO server using HTTPS from the beginning. If the device does not have the
embedded certificate then the legacy behavior is initiated.
When the device boots up without any start-up configuration or authentication certificates, and if the DHCP
and DNS discovery fails, the device tries to contact the Cisco Cloud server at devicehelper.cisco.com.
If devicehelper.cisco.com is reachable, the Cisco Network PnP agent downloads the trustpool bundle and
establishes a secure HTTP connection with the Cisco Cloud Redirection service. When the device tries
Cisco cloud discovery for the first time, the Cisco Network PnP agent downloads the trustpool from
devicehelper.cisco.com/ca/trustpool and saves it to the local flash memory. This location is shared with the
Public Key Infrastructure for trustpool installation. If Cisco cloud discovery fails, the trustpool bundle is
retained in flash memory, and on the next attempt Cisco Network PnP checks for a copy of the trustpool bundle in the
local device flash memory. If no copy is available in the local flash memory, it retries the download of the trustpool
bundle from devicehelper.cisco.com/ca/trustpool.
The Cisco Network PnP agent sends an HTTPS hello message to the Cisco cloud. The Cisco Network PnP redirection
service running on the Cisco cloud server replies to the request. A Cisco cloud server PnP profile is created
on the device as shown in this example.
pnp profile pnp_cco_profile
transport https host devicehelper.cisco.com port 443
After the Cisco cloud profile is created, the device sends a work-information message with its unique device
identifier information to the Cisco cloud server. Cisco Cloud Redirection service sends a redirection non-backoff
PnP request with the Cisco Network PnP server information. It can be an IPv4 address, IPv6 address, or a
hostname. When the redirection is successful, the following redirection profile is configured on the device.
pnp profile pnp_redirection_profile
transport https ipv4 172.19.153.133 port 443
If the non-backoff PnP request is not received within default wait time, Cisco Network PnP discovery process
continues with the next discovery mechanism.
Note To use the 4G interface for Cisco Network PnP discovery, the 4G NIMs must have an activated
SIM card installed.
Cisco Network PnP cloud discovery over 4G interfaces works because all 4G interfaces are activated during
device bootup by default. In the absence of a startup configuration, the device brings up the 4G
interface by default and attempts Cisco PnP over the cloud. After the device is redirected, the device connects to
the Cisco Network PnP server and downloads the appropriate image and configuration.
Note The DNS server is available as part of the 4G network and the cloud portal should be programmed to
redirect the calling device to an appropriate Cisco Network PnP server for provisioning the device.
Currently, Cisco Network PnP support over 4G interface uses only the IPv4 network.
Ensure that the configuration pushed through the Cisco Network PnP server contains a route to Cisco Network
PnP server over the 4G interface. This can be a default route and should retain the Cisco Network PnP agent
and server communication to continue to work over the 4G interface, after the provisioning is completed.
before initiating an HTTPs connection. The certificate-install service also provides an option to install the
client SSL certificate and instruct the device to use the same SSL certificate during the next device authentication
process.
Along with the above change in the capability service, the agent adds an additional field under the hardware-info
section of the device-info response to indicate whether a SUDI certificate is built into the device.
After the agent initiates an HTTPS connection with the server and sends a work request, the server can
use the device authentication service for a challenge request-response. The device authentication
service requires a minimum of one field, a string generated by the server. Optionally, the server can send a
list of encryption and hashing methods that it supports. The agent checks whether it has the capability to
use any of the listed encryption methods specified by the server, uses one of them, and sends a
notification to the server. If the agent cannot use any of the methods specified by the
server, the agent responds with an error message.
When the server sends a device authentication service request to the agent, the agent does the following:
1. Uses one of the specified encryption and hashing methods.
2. If the agent does not have capability to use one of the specified encryption and hashing methods, the agent
responds with an error message.
3. Encrypts the challenge string provided by the server using the private key using the PKI APIs.
4. Sends a response back with the following:
a. Cipher text
b. Methods used to cipher
c. Certificate (SUDI or client installed certificate)
After the server receives the above response from the device, the server does the following:
1. Verifies the SUDI or the client certificate against the Cisco or customer CA.
2. Decrypts the cipher string using the public key in the SUDI or client certificate.
3. Verifies that the deciphered string matches the original challenge.
4. Generates a session key (string) and sends it back to the device as an acknowledgment.
After the agent receives the final acknowledgment from the server with the session key, it associates the
corresponding profile with the provided session key and sends the key to the server as an attribute in the root PnP
section of all subsequent messages that the agent sends.
The server validates the session key before acting on any message from the device. Optionally, the server
maintains a timer for the session keys and marks a key invalid when the timer expires. If the agent sends
a message with an expired session key, the server repeats the device authentication process and generates a
new session key before communicating with that device again. If the device sends a request without any session key,
the server likewise performs the device authentication process and generates a new session key before communicating
with that device.
The following figure displays the message sequence between the agent and the server to accomplish the device
authentication using the SUDI certificate.
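The challenge-response and session-key handling described above, as an added example that is not code from the page or from the PnP agent or server. Assumptions: a constructed RSA key stands in for the SUDI private key and its public key for the certificate, so the chain check against the Cisco CA (the server's step 1) is omitted; "encrypt with the private key, decrypt with the public key and compare" is implemented as a PKCS#1 v1.5 signature over the SHA-256 digest of the challenge, which is the standard way to do what the text describes; the method name "RSA-SHA256" is a placeholder for whatever identifiers the real service uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

const method = "RSA-SHA256" // the one encryption/hashing method this device supports (assumed name)

// Device holds the private key; a constructed RSA key stands in for the SUDI.
type Device struct{ key *rsa.PrivateKey }

func NewDevice() (*Device, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Device{key: k}, nil
}

// Response: cipher text, the method used, and (standing in for the SUDI or client
// certificate) the public key the server verifies against.
type Response struct {
	Signature []byte
	Method    string
	PubKey    *rsa.PublicKey
}

// Answer uses a method the device supports, or errors as the text describes.
func (d *Device) Answer(challenge []byte, methods []string) (Response, error) {
	for _, m := range methods {
		if m == method {
			h := sha256.Sum256(challenge)
			sig, err := rsa.SignPKCS1v15(rand.Reader, d.key, crypto.SHA256, h[:])
			if err != nil {
				return Response{}, err
			}
			return Response{Signature: sig, Method: m, PubKey: &d.key.PublicKey}, nil
		}
	}
	return Response{}, errors.New("none of the offered methods is supported")
}

// Server issues challenges and session keys and expires the keys on a timer.
type Server struct {
	sessions map[string]time.Time // session key -> expiry
	ttl      time.Duration
	now      func() time.Time // injectable clock
}

func NewServer(ttl time.Duration) *Server {
	return &Server{sessions: map[string]time.Time{}, ttl: ttl, now: time.Now}
}

// Challenge is the server-generated string; 32 random bytes so it cannot be replayed.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks the response against the challenge it was issued for and, on success,
// returns a fresh session key: the acknowledgment in the text.
func (s *Server) Verify(challenge []byte, r Response) (string, error) {
	if r.Method != method {
		return "", fmt.Errorf("unexpected method %q", r.Method)
	}
	h := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(r.PubKey, crypto.SHA256, h[:], r.Signature); err != nil {
		return "", fmt.Errorf("challenge verification failed: %w", err)
	}
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		return "", err
	}
	key := hex.EncodeToString(k)
	s.sessions[key] = s.now().Add(s.ttl)
	return key, nil
}

// Accept validates the session key carried by a later message. An unknown or
// expired key is rejected, which is where the server re-runs authentication.
func (s *Server) Accept(sessionKey string) bool {
	exp, ok := s.sessions[sessionKey]
	if !ok {
		return false
	}
	if s.now().After(exp) {
		delete(s.sessions, sessionKey)
		return false
	}
	return true
}

func main() {
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv := NewServer(5 * time.Minute)
	ch := srv.Challenge()
	resp, err := dev.Answer(ch, []string{"RSA-SHA256", "RSA-SHA1"})
	if err != nil {
		panic(err)
	}
	key, err := srv.Verify(ch, resp)
	fmt.Println("session key:", key, "err:", err, "accepted:", srv.Accept(key))
}
```

Two properties matter here and are easy to lose in an implementation: the server must verify against the challenge it issued (a response captured from an earlier exchange fails against a new challenge), and the session key must be bound to an expiry so a leaked key stops working without operator action.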
Procedure
Step 1 enable
Enters privileged EXEC mode.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 pnp profile profile-name
Creates a PnP agent profile and enters the PnP profile initialization mode.
• profile-name: string of alphanumeric characters that specifies a name for the PnP agent profile. Profile names cannot be duplicated.
Example:
Device(config)# pnp profile test-profile-1
Step 4 end
Exits the PnP profile initialization mode and returns to privileged EXEC mode.
Example:
Device(config-pnp-init)# end
Procedure
Step 1 enable
Enters privileged EXEC mode.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 pnp profile profile-name
Creates a PnP agent profile and enters the PnP profile initialization mode.
• profile-name: string of alphanumeric characters that specifies a name for the PnP agent profile. Profile names cannot be duplicated.
Example:
Device(config)# pnp profile test-profile-1
Step 4 device {username username} {password {0 | 7} password}
Configures the PnP agent on the device.
• Establishes a username and password based authentication system.
• 0 means the password that follows is entered in clear text; 7 means it is entered in the type 7 encoded form as it appears in a saved configuration. Type 7 is a reversible obfuscation, not encryption, so it does not protect the password from anyone who can read the configuration.
Step 5 end
Exits the PnP profile initialization mode and returns to privileged EXEC mode.
Example:
Device(config-pnp-init)# end
Procedure
Step 1 enable
Enters privileged EXEC mode.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 pnp profile profile-name
Creates a PnP agent profile and enters the PnP profile initialization mode.
• profile-name: string of alphanumeric characters that specifies a name for the PnP agent profile. Profile names cannot be duplicated.
Example:
Device(config)# pnp profile test-profile-1
Step 4 reconnect [pause-time [exponential-backoff-factor [random]]]
Specifies the time for the PnP agent initiator profile to wait before attempting to reconnect a session.
• pause-time: the time to wait, in seconds, before attempting to reconnect after a connection is lost. The range is from 1 to 2000000. The default is 60.
• exponential-backoff-factor: the factor by which the wait grows on each successive reconnect attempt. The range is from 2 to 9.
• random: adds jitter to the computed wait.
Example:
Device(config-pnp-init)# reconnect 100 2 random
Step 5 end
Exits the PnP profile initialization mode and returns to privileged EXEC mode.
Example:
Device(config-pnp-init)# end
Procedure
Step 1 enable
Enters privileged EXEC mode.
Example:
Device> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Device# configure terminal
Step 3 pnp profile profile-name
Creates a PnP agent profile and enters the PnP profile initialization mode.
• profile-name: string of alphanumeric characters that specifies a name for the PnP agent profile. Profile names cannot be duplicated.
Example:
Device(config)# pnp profile test-profile-1
Step 4 transport http host host-name [port port-number] [source interface-type]
Creates an HTTP transport configuration for the PnP agent profile based on the hostname of the server on which the PnP server is deployed.
• host-name: the host name of the server.
• port-number: the port that is used.
• interface-type: the interface on which the agent is connected to the server.
Example:
Device(config-pnp-init)# transport http host hostname-1 port 1 source gigabitEthernet 0/0/0
Step 5 transport http ipv4 ipv4-address [port port-number] [source interface-type]
Creates an HTTP transport configuration for the PnP agent profile based on the IPv4 address of the server on which the PnP server is deployed.
Step 6 transport http ipv6 ipv6-address [port port-number] [source interface-type interface-number]
Creates an HTTP transport configuration for the PnP agent profile based on the IPv6 address of the server on which the PnP server is deployed.
Step 7 end
Exits the PnP profile initialization mode and returns to privileged EXEC mode.
Example:
Device(config-pnp-init)# end
Procedure
Step 1 enable
  Example:
  Device> enable
Step 3 pnp profile profile-name
  Creates a PnP agent profile and enters the PnP profile initialization mode.
  • A string of alphanumeric characters that specifies a name for the PnP agent profile. Profile names cannot be duplicated.
  Example:
  Device(config)# pnp profile test-profile-1
Step 4 transport https host host-name [port port-number] [source interface-type] [localcert trustpoint-name] [remotecert trustpoint-name]
  Creates an HTTPS transport configuration for the PnP agent profile based on the host name of the server on which the PnP agent is deployed.
  • The localcert value specifies the trustpoint used for client-side authentication during the Transport Layer Security (TLS) handshake.
  • The remotecert value specifies the trustpoint used for server certificate validation.
  Example:
  Device(config-pnp-init)# transport https host example.com port 231 source gigabitEthernet 0/0/0 localcert abc remotecert xyz
Step 5 transport https ipv4 ipv4-address [port port-number] [source interface-type] [localcert trustpoint-name] [remotecert trustpoint-name]
  Creates an HTTPS transport configuration for the PnP agent profile based on the IPv4 address of the server on which the PnP agent is deployed.
Step 6 transport https ipv6 ipv6-address [port port-number] [source interface-type interface-number] [localcert trustpoint-name] [remotecert trustpoint-name]
  Creates an HTTPS transport configuration for the PnP agent profile based on the IPv6 address of the server on which the PnP agent is deployed.
Step 7 end
  Exits the PnP profile initialization mode and returns to privileged EXEC mode.
  Example:
  Device(config-pnp-init)# end
Procedure
Step 1 enable
  Example:
  Device> enable
Step 3 pnp profile profile-name
  Creates a PnP agent profile and enters the PnP profile initialization mode.
  • A string of alphanumeric characters that specifies a name for the PnP agent profile. Profile names cannot be duplicated.
  Example:
  Device(config)# pnp profile test-profile-1
Step 4 backup device {username username} {password {0 | 7} password}
  Configures the PnP agent backup profile on the device.
  • Establishes a username-and-password-based authentication system.
Step 5 end
  Exits the PnP profile initialization mode and returns to privileged EXEC mode.
  Example:
  Device(config-pnp-init)# end
Procedure
Step 1 enable
  Example:
  Device> enable
Step 3 pnp profile profile-name
  Creates a PnP agent profile and enters the PnP profile initialization mode.
  • A string of alphanumeric characters that specifies a name for the PnP agent profile. Profile names cannot be duplicated.
  Example:
  Device(config)# pnp profile test-profile-1
Step 4 backup reconnect [pause-time [exponential-backoff-factor [random]]]
  Specifies the time for the PnP agent initiator profile to wait before attempting to reconnect a session.
  • The pause-time value is the time to wait, in seconds, before attempting to reconnect after a connection is lost. The range is from 1 to 2000000. The default is 60.
  • The exponential-backoff-factor value is the multiplier that grows the reconnect wait time exponentially on each successive attempt. The range is from 2 to 9.
  Example:
  Device(config-pnp-init)# backup reconnect 100 2 random
Step 5 end
  Exits the PnP profile initialization mode and returns to privileged EXEC mode.
  Example:
  Device(config-pnp-init)# end
Configuring Backup Cisco Network Plug and Play HTTP Transport Profile
Perform the following task to create a backup HTTP transport profile of the Cisco Network Plug and Play agent manually on a device.
Procedure
Step 1 enable
  Example:
  Device> enable
Step 3 pnp profile profile-name
  Creates a PnP agent profile and enters the PnP profile initialization mode.
  • A string of alphanumeric characters that specifies a name for the PnP agent profile. Profile names cannot be duplicated.
  Example:
  Device(config)# pnp profile test-profile-1
Step 4 backup transport http host host-name [port port-number] [source interface-type]
  Creates a backup HTTP transport configuration for the PnP agent profile based on the host name of the server on which the PnP agent is deployed.
  • The host-name value specifies the host name of the server.
  • The port-number value specifies the port that is used.
  • The interface-type value specifies the interface on which the agent is connected to the server.
  Example:
  Device(config-pnp-init)# backup transport http host hostname-1 port 1 source gigabitEthernet 0/0/0
Step 5 backup transport http ipv4 ipv4-address [port port-number] [source interface-type]
  Creates a backup HTTP transport configuration for the PnP agent profile based on the IPv4 address of the server on which the PnP agent is deployed.
Step 6 backup transport http ipv6 ipv6-address [port port-number] [source interface-type interface-number]
  Creates a backup HTTP transport configuration for the PnP agent profile based on the IPv6 address of the server on which the PnP agent is deployed.
Step 7 end
  Exits the PnP profile initialization mode and returns to privileged EXEC mode.
  Example:
  Device(config-pnp-init)# end
Configuring Backup Cisco Network Plug and Play HTTPS Transport Profile
Perform the following task to create a backup HTTPS transport profile of the Cisco Network Plug and Play agent manually on a device.
Procedure
Step 1 enable
  Example:
  Device> enable
Step 3 pnp profile profile-name
  Creates a PnP agent profile and enters the PnP profile initialization mode.
  • A string of alphanumeric characters that specifies a name for the PnP agent profile. Profile names cannot be duplicated.
  Example:
  Device(config)# pnp profile test-profile-1
Step 4 backup transport https host host-name [port port-number] [source interface-type] [localcert trustpoint-name] [remotecert trustpoint-name]
  Creates an HTTPS backup transport configuration for the PnP agent profile based on the host name of the server on which the PnP agent is deployed.
  • The localcert value specifies the trustpoint used for client-side authentication during the Transport Layer Security (TLS) handshake.
  • The remotecert value specifies the trustpoint used for server certificate validation.
  Example:
  Device(config-pnp-init)# backup transport https
Step 5 backup transport https ipv4 ipv4-address [port port-number] [source interface-type] [localcert trustpoint-name] [remotecert trustpoint-name]
  Creates an HTTPS backup transport configuration for the PnP agent profile based on the IPv4 address of the server on which the PnP agent is deployed.
Step 6 backup transport https ipv6 ipv6-address [port port-number] [source interface-type interface-number] [localcert trustpoint-name] [remotecert trustpoint-name]
  Creates an HTTPS backup transport configuration for the PnP agent profile based on the IPv6 address of the server on which the PnP agent is deployed.
Step 7 end
  Exits the PnP profile initialization mode and returns to privileged EXEC mode.
  Example:
  Device(config-pnp-init)# end
Procedure
Device> enable
Device(config)# end
Note To collect the Cisco Plug and Play server log, see the Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide.
To troubleshoot the device, server, and Cisco PnP Agent, use the following commands:
Table 13: Troubleshooting the Device, Server, and Cisco PnP Agent
dir nvram
  Use this command to ensure that the device does not have leftover certificates.
ping vrf interface-name <controller_ip>
  Use this command to ensure that the device can ping the controller.
show auto install trace
  Use this command to view the auto install trace log.
show boot
  Use this command to display the current value of the BOOTLDR variable.
show cdp neighbor
  Use this command to display all CDP neighbors.
show crypto pki trustpoint
  Use this command to view the PKI trustpoint.
show crypto pki trustpool
  Use this command to view the PKI trustpool.
show ip interface brief
  Use this command to view a summary of the router interfaces.
show ipv6 interface brief
  Use this command to display the IPv6 interfaces.
show run | inc pnp
  Use this command to ensure that only one PnP profile is installed.
show pnp trace
  Use this command to ensure that the device does not have a startup configuration.
show pnp tech
  Use this command to view active connections for the Cisco Plug and Play IOS Agent.
show ntp status
  Use this command to view the NTP status.
show version
  Use this command to ensure that the device is running the latest CCO image.
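The transport steps above let the agent reach its PnP server over plain HTTP, or over HTTPS with an optional localcert trustpoint (client authentication) and remotecert trustpoint (server certificate validation), and Table 13 recommends confirming with show run | inc pnp that only one profile is installed. The following Python script is an added example, not code from the Cisco guide: it parses a constructed running-config excerpt (assumed to be the profile section of a saved running-config export, not a real capture) and reports profiles that use cleartext HTTP, HTTPS transports without a remotecert (the server is then never authenticated) or without a localcert, and the presence of more than one profile. The class and function names are this example's own.

```python
"""Audit Cisco Plug and Play (PnP) agent profiles found in running-config text."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed running-config excerpt for this example (not captured from a real device).
SAMPLE_CONFIG = """\
pnp profile test-profile-1
 transport https host example.com port 231 source gigabitEthernet 0/0/0 localcert abc remotecert xyz
 backup transport https ipv4 192.0.2.10 port 443 localcert abc remotecert xyz
 reconnect 100 2 random
 backup reconnect 100 2 random
pnp profile legacy-profile
 transport http host hostname-1 port 1 source gigabitEthernet 0/0/0
 backup transport https host backup.example.com localcert abc
"""

@dataclass
class Transport:
    role: str                         # "primary" or "backup"
    scheme: str                       # "http" or "https"
    target: str                       # host name or IP address of the PnP server
    localcert: Optional[str] = None   # trustpoint for client-side TLS authentication
    remotecert: Optional[str] = None  # trustpoint for server certificate validation

@dataclass
class Profile:
    name: str
    transports: list = field(default_factory=list)

PROFILE_RE = re.compile(r"^pnp profile (\S+)$")
TRANSPORT_RE = re.compile(
    r"^(?P<backup>backup\s+)?transport\s+(?P<scheme>https?)\s+"
    r"(?:host|ipv4|ipv6)\s+(?P<target>\S+)(?P<rest>.*)$"
)

def parse_profiles(config_text):
    """Return the PnP profiles in the config text, each with its transport lines parsed."""
    profiles, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            current = Profile(name=m.group(1))
            profiles.append(current)
            continue
        if current is None:
            continue                     # lines outside any pnp profile block are ignored
        m = TRANSPORT_RE.match(line)
        if not m:
            continue                     # reconnect / backup device lines are not audited here
        tokens = m.group("rest").split()
        certs = {}
        for key in ("localcert", "remotecert"):
            if key in tokens and tokens.index(key) + 1 < len(tokens):
                certs[key] = tokens[tokens.index(key) + 1]
        current.transports.append(Transport(
            role="backup" if m.group("backup") else "primary",
            scheme=m.group("scheme"), target=m.group("target"),
            localcert=certs.get("localcert"), remotecert=certs.get("remotecert")))
    return profiles

def audit_profiles(profiles):
    """Return (profile_name, severity, message) findings; '*' names a device-wide finding."""
    findings = []
    if len(profiles) > 1:
        findings.append(("*", "high",
                         f"{len(profiles)} PnP profiles present; only one should be installed"))
    for p in profiles:
        for t in p.transports:
            where = f"{t.role} transport to {t.target}"
            if t.scheme == "http":
                findings.append((p.name, "high",
                                 f"{where} uses cleartext HTTP; use HTTPS with a remotecert trustpoint"))
                continue
            if t.remotecert is None:
                findings.append((p.name, "high",
                                 f"{where} has no remotecert, so the server certificate is not validated"))
            if t.localcert is None:
                findings.append((p.name, "medium",
                                 f"{where} has no localcert, so the agent does not authenticate to the server"))
    return findings

if __name__ == "__main__":
    for name, severity, message in audit_profiles(parse_profiles(SAMPLE_CONFIG)):
        print(f"[{severity}] {name}: {message}")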
Glossary
PnP Agent: An embedded agent on the device to automate deployment process
PnP Helper Applications: Applications on smart phones and personal computers that facilitate deployment.
PnP helper applications are not specific to a customer or device and can be used in any deployment scenario.
May be needed in limited scenarios
PnP Protocol: Protocol between the PnP agent and PnP server. This is an open protocol allowing third-party
development of PnP servers
PnP Server: A central server that manages and distributes deployment information (images, configurations,
files, and licenses) for the devices being deployed. Cisco Network Plug and Play server provides a north bound
interface for management applications and communicates with the PnP agents on the devices using the PnP
protocol.
PnP commands: Complete command syntax, command mode, command Cisco IOS PnP Command
history, defaults, usage guidelines, and examples Reference
Cisco Network Plug and Play solution Solution Guide for Cisco Network
Plug and Play.
How to use the Cisco Network Plug and Play in the APIC-EM to Configuration Guide for Cisco
configure Cisco network devices. Network Plug and Play on Cisco
APIC-EM.
Getting started with the APIC-EM. Cisco APIC-EM Quick Start Guide.
MIBs
• CISCO-BULK-FILE-MIB To locate and download MIBs for selected platforms, Cisco software
releases, and feature sets, use Cisco MIB Locator found at the
• CISCO-DATA-COLLECTION-MIB following URL:
• CISCO-PROCESS-MIB http://www.cisco.com/go/mibs
• Expression-MIB
SMU Example
This section shows an example of a patch for the CDET CSCvk58743.
Command example:
Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface g0/0/0
Router(config-if)# ipv6 nd cache expire 770
Router(config-if)# end
Router#
*Sep 25 12:00:29.978: %SYS-5-CONFIG_I: Configured from console by console
As the following CDET states, the ND Cache expire timer did not appear in the command output of show
ipv6 neighbors g0/0/0
• CSCvk58743
Summary: Show ipv6 interface does not display "ND Cache expire timer"
Component: ipv6
Defective Image: ir1101-universalk9.16.11.01.SPA.bin
Patch Image: ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin
The following is what the required configuration output should look like:
Interface GigabitEthernet0/0/0
no switchport
no ip address
ipv6 address FE80::1 link-local
ipv6 address 2001::1/64
ipv6 nd na glean
end
In the above output, the blue text configures the length of time before an IPv6 neighbor discovery cache entry
expires. The range is from 1 to 65536 seconds.
C - Activated
& Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
SMU C /flash1/ir1101-universalk9.16.11.01.CSCvk58743.SPA.smu.bin
IMG C 16.11.1.0.4
--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------
Router# install ?
abort Abort the current install operation
activate Activate an installed package
add Install a package file to the system
auto-abort-timer Install auto-abort-timer
commit Commit the changes to the loadpath
deactivate Deactivate an install package
label Add a label name to any installation point
prepare Prepare package for operation
remove Remove installed packages
rollback Rollback to a previous installation point
Router# install rollback to ?
base Rollback to the base image
committed Rollback to the last committed installation point
id Rollback to a specific install point id
label Rollback to a specific install point label
The install rollback to base command removes the entire patch and returns to the base image version with
the found defect.
Note In the above command output, the patch has been removed and the device returns to the base image
version prior to the upgrade.
Note in the above command output the patch for CDET CSCvt63576 has been removed, while the patch for CDET
CSCvq74407 remains.
SLP Overview
Smart Licensing Using Policy (SLP), was previously referred to as Smart Licensing Enhanced (SLE), and is
the default mode starting with IOS-XE release 17.3.2. SLE replaced Smart Software Licensing. The IR1101
only supports SLP. Some of the feature differences are:
• An Authorization Code is required only for export control requirement
• No more EVAL licenses. Authorized status has changed to In Use or Not In Use with an Enforcement
Type class.
• Cisco Smart Licensing Utility (CSLU) is a new tool interfacing between the devices and Cisco Smart
Software Manager (CSSM) in specific customer topologies.
• Throughput is defaulted and capped at 250MB.
Important Examples used throughout the rest of this section show the ESR6300 Router. The IR1101 functions in
the same manner, with the exception of not supporting the higher throughput license.
The vast majority of licenses belong to this enforcement type. Unenforced licenses do not require authorization
before use in air-gapped networks, or registration, in connected networks. The terms of use for such licenses
are as per the end user license agreement (EULA).
• Enforced
Licenses that belong to this enforcement type require authorization before use. The required authorization is
in the form of an authorization code, which must be installed in the corresponding product instance.
An example of an enforced license is the Media Redundancy Protocol (MRP) Client license, which is available
on Industrial Ethernet Switches.
• Export-Controlled
Licenses that belong to this enforcement type are export-restricted by U.S. trade-control laws and these licenses
require authorization before use. The required authorization code must be installed in the corresponding
product instance for these licenses as well. Cisco may pre-install export-controlled licenses when ordered
with hardware purchase.
An example of an export-controlled license is the High Security (HSEC) license, which is available on certain
Cisco Routers.
SLP Architecture
This section explains the various components that can be part of your SLP implementation.
Product Instance
A product instance is a single instance of a Cisco product, identified by a Unique Device Identifier (UDI).
A product instance records and reports license usage (RUM reports), and provides alerts and system messages
about overdue reports, communication failures, etc. The RUM reports and usage data are also stored securely
in the product instance.
A Resource Utilization Measurement report (RUM report) is a license usage report, which fulfils reporting
requirements as specified by the policy. RUM reports are generated by the product instance and consumed
by CSSM. The product instance records license usage information and all license usage changes in an open
RUM report. At system-determined intervals, open RUM reports are closed and new RUM reports are opened
to continue recording license usage. A closed RUM report is ready to be sent to CSSM.
A RUM acknowledgement (RUM ACK or ACK) is a response from CSSM and provides information about
the status of a RUM report. Once the ACK for a report is available on the product instance, it indicates that
the corresponding RUM report is no longer required and can be deleted.
CSSM displays license usage information as per the last received RUM report.
Customer Topologies
IoT Routing platforms use two different topologies.
• Full Offline Access
• CSLU has No Access to CSSM
The following figure illustrates the Full Offline Access:
In this topology, devices do not have connectivity to CSSM (software.cisco.com). The user must copy and
paste information between Cisco products and CSSM to manually check in and out licenses.
The following figure illustrates the CSLU having No Access to CSSM:
In this topology the devices are connected to the CSLU controller, but there is no connectivity between CSLU
and CSSM (Cisco Smart Software Manager – software.cisco.com).
Cisco devices will send usage information to a locally installed CSLU. The user must copy and paste information
between the CSLU and CSSM to manually check-in and check-out licenses.
Step 2 Export the license usage file (slp) to your host laptop/PC.
Step 3 Importing the license usage file to CSSM on Cloud. Click on the Usage Data Files tab.
Figure 61: Usage Data File
Step 4 The Upload Usage Data window appears. Click Browse, and navigate to where the file is.
Step 5 Click on Upload Data.
Step 9 Observe the Smart Software Licensing window. Initially, the Reporting Status state will be Pending. Wait until the
window reflects No Errors before continuing.
Figure 65: Reporting Status
Step 12 Import the ACK file from CSSM to your device using the command line interface.
Step 1 Copy the ACK file from CSSM to your host laptop or usbflash device. In exec mode on the device:
Example:
Router#
Router#show license all | beg Usage Reporting:
Usage Reporting:
Last ACK received: Sep 01 21:12:58 2020 UTC
Next ACK deadline: <none>
Reporting Interval: 0 (no reporting)
Next ACK push check: <none>
Next report push: <none>
Last report push: <none>
Last report file write: <none>
Trust Code Installed: Sep 01 00:28:48 2020 UTC
Step 1 Navigate back to the product instances tab. Locate your device.
Step 2 Click on Actions beside your device, and from those options click Remove.
The Confirm Remove Product Instance window appears.
Figure 68: Confirm Remove Product Instance
Step 1 In CSLU, identify the devices that require an AuthCode, and initiate the request. An AuthCode file is created.
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#platform hardware throughput level 2G
% 2G throughput level requires hseck9 license!
Router(config)#end
Router#sh license udi
UDI: PID:ESR-6300-CON-K9,SN:FOC23032UVB
Step 4 The Edit Multiple Devices window appears. Supply your account password and click Save.
Figure 71: Edit Multiple Devices
Step 5 In the Product Instances window, click on the Actions for Selected Devices Tab.
Step 8 The CSLU downloads a Authorization Request file to your laptop. Click Save.
Step 5 A popup window opens to navigate to where you saved your Authorization Request file on your laptop.
Step 10 Under Quantity per Device, enter the number you wish.
Figure 80: Enter Number
Step 11 If CSSM cannot identify your device from the identifying information, you can select it manually.
Step 12 Click Continue, and the window changes to Review and Confirm.
Figure 82: Review and Confirm
Step 13 Click on Reserve Licenses, and CSSM generates feature authorization codes.
Step 14 Click Download Authorization Codes, and a window opens to navigate to where you wish to save the codes.
Figure 84: Save Authorization Code
Step 3 There are two options to load your file. Drag and Drop, or Browse to where you saved your file. This example shows
Browse.
Figure 86: Browse to File
Step 4 Select your authorization code file, and then click Open. The system uploads the authorization code file, then a successful
upload message appears.
Router#
*Sep 30 18:05:55.654: %SYS-5-CONFIG_I: Configured from console by cisco on console
Router#show license summary
License Reservation is ENABLED License Usage:
License Entitlement tag Count Status
network-advantage_250M (ESR6300_P_250M_A) 1 IN USE
hseck9 (ESR6300_HSEC_License) 1 IN USE
network-advantage_2G (ESR6300_P_2G_A) 1 IN USE
Step 2 Click on Actions beside your device, and from those options click Remove.
The Confirm Remove Product Instance window appears.
Figure 89: Confirm Remove Product Instance
Configuring VLANs
A VLAN is a switched network that is logically segmented by function or application, without regard to the
physical locations of the users. VLANs have the same attributes as physical LANs. However, you can group
end-stations even if they are not physically located on the same LAN segment. Any device port can belong
to a VLAN, unicast, broadcast, and multicast packets are forwarded and flooded only to end-stations in the
VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to
the VLAN must be forwarded through a router or a device supporting fallback bridging. In a device stack,
VLANs can be formed with ports across the stack. Because a VLAN is considered a separate logical network,
it contains its own bridge Management Information Base (MIB) information and can support its own
implementation of spanning tree.
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet
belong to the same VLAN. Interface VLAN membership on the device is assigned manually on an
interface-by-interface basis. When you assign device interfaces to VLANs by using this method, it is known
as interface-based, or static, VLAN membership.
The device can route traffic between VLANs by using device virtual interfaces (SVIs). An SVI must be
explicitly configured and assigned an IP address to route traffic between VLANs.
Access Ports
An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN
port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port
is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet IEEE 802.1Q
tagged), the packet is dropped, and the source address is not learned.
Trunk Ports
A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN
database. These trunk port types are supported:
• An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An IEEE 802.1Q trunk
port is assigned a default port VLAN ID (PVID), and all untagged traffic travels on the port default
PVID. All untagged traffic and tagged traffic with a NULL VLAN ID are assumed to belong to the port
default PVID. A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged. All
other traffic is sent with a VLAN tag.
Although by default, a trunk port is a member of every VLAN known to the VTP, you can limit VLAN
membership by configuring an allowed list of VLANs for each trunk port. The list of allowed VLANs does
not affect any other port but the associated trunk port. By default, all possible VLANs (VLAN ID 1 to 4094)
are in the allowed list. A trunk port can become a member of a VLAN only if VTP knows of the VLAN and
if the VLAN is in the enabled state. If VTP learns of a new, enabled VLAN and the VLAN is in the allowed
list for a trunk port, the trunk port automatically becomes a member of that VLAN and traffic is forwarded
to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed
list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded
to or from the port.
For more information on VLANs, see VLAN Configuration Guide, Cisco IOS XE Gibraltar 16.10.x.
The switch that has all of its ports as the designated role or as the backup role is the root switch. The switch
that has at least one of its ports in the designated role is called the designated switch.Spanning tree forces
redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a
redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the
standby path. Switches send and receive spanning-tree frames, called bridge protocol data units (BPDUs), at
regular intervals. The switches do not forward these frames but use them to construct a loop-free path. BPDUs
contain information about the sending switch and its ports, including switch and MAC addresses, switch
priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port
for the switched network and the root port and designated port for each switched segment.
When two ports on a switch are part of a loop, the spanning-tree port priority and path cost settings control
which port is put in the forwarding state and which is put in the blocking state. The spanning-tree port priority
value represents the location of a port in the network topology and how well it is located to pass traffic. The
path cost value represents the media speed.
For detailed configuration information on STP see the following link:
http://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/NIM/software/configuration/guide/4_
8PortGENIM.html#pgfId-1079138
Example: Spanning Tree Protocol Configuration
The following example shows configuring spanning-tree port priority of a Gigabit Ethernet interface.
If a loop occurs, spanning tree uses the port priority when selecting an interface to put in the forwarding
state.
Router# configure terminal
Router(config)# interface FastEthernet 0/0/1
Router(config-if)# spanning-tree vlan 1 port-priority 64
Router(config-if)# end
The following example shows how to change the spanning-tree port cost of a Gigabit Ethernet
interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding
state.
Router#configure terminal
Router(config)# interface FastEthernet 0/0/1
Router(config-if)# spanning-tree cost 18
Router(config-if)# end
The following example shows configuring the bridge priority of VLAN 10 to 33792:
Router# configure terminal
Router(config)# spanning-tree vlan 10 priority 33792
Router(config)# end
The following example shows configuring the hello time for VLAN 10 being configured to 7 seconds.
The hello time is the interval between the generation of configuration messages by the root switch.
Router# configure terminal
Router(config)# spanning-tree vlan 10 hello-time 7
Router(config)# end
The following example shows configuring forward delay time. The forward delay is the number of
seconds an interface waits before changing from its spanning-tree learning and listening states to the
forwarding state.
Router# configure terminal
Router(config)# spanning-tree vlan 10 forward-time 21
Router(config)# end
The following example shows configuring maximum age interval for the spanning tree. The
maximum-aging time is the number of seconds a switch waits without receiving spanning-tree
configuration messages before attempting a reconfiguration.
Router# configure terminal
Router(config)# spanning-tree vlan 20 max-age 36
Router(config)# end
The following example shows the switch being configured as the root bridge for VLAN 10, with a
network diameter of 4.
Router# configure terminal
Router(config)# spanning-tree vlan 10 root primary diameter 4
Router(config)# exit
The address table lists the destination MAC address, the associated VLAN ID, and port associated with the
address and the type (static or dynamic).
See the “Example: MAC Address Table Manipulation” for sample configurations for enabling secure MAC
address, creating a statc entry, set the maximum number of secure MAC addresses and set the aging time.
For detailed configuration information on MAC address table manipulation see the following link:
http://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/software/feature/guide/geshwic_
cfg.html#wp1048223
Example: MAC Address Table Manipulation
The following example shows creating a static entry in the MAC address table.
Router# configure terminal
Router(config)# mac address-table static 0002.0003.0004 interface FastEthernet 0/0/1 vlan
3
Router(config)# end
The following example shows how to configure a gigabit ethernet interface as the destination for a
SPAN session:
Router# configure terminal
Router(config)# monitor session 1 destination FastEthernet 0/0/1
Router(config)# end
The following example shows how to remove gigabit ethernet as a SPAN source for SPAN session
1:
SCADA Overview
SCADA refers to a control and management system employed in industries such as water management, electric
power, and manufacturing. A SCADA system collects data from various types of equipment within the system
and forwards that information back to a Control Center for analysis. Generally, individuals located at the
Control Center monitor the activity on the SCADA system and intervene when necessary.
The Remote Terminal Unit (RTU) acts as the primary control system within a SCADA system. RTUs are
configured to control specific functions within the SCADA system, which can be modified as necessary
through a user interface.
On the IR1101, line is 0/2/0 same as the Async interface.
Key Terms
The following terms are relevant when you configure the T101 and T104 protocol stacks on the IR1101:
• Channel–A channel is configured on each IR1101 serial port interface to provide a connection to a single
RTU for each IP connection to a remote Control Center. Each connection transports a single T101 (RTU)
or T104 (Control Center) protocol stack.
• Link Address–Refers to the device or station address.
• Link Mode (Balanced and Unbalanced)–Refers to the modes of data transfer.
• An Unbalanced setting refers to a data transfer initiated from the master.
• A Balanced setting can refer to either a master or slave initiated data transfer.
• Sector–Refers to a single RTU within a remote site.
• Sessions–Represents a single connection to a remote site.
The following terms are relevant when you configure the DNP3 protocol stacks on the on the IR1101:
• Channel–A channel is configured on the IR1101 serial port interface to provide a connection to a single
RTU for each IP connection to a remote Control Center. Each connection transports a single DNP3 serial
(RTU) or DNP3 IP (Control Center) protocol stack.
• Link Address–Refers to the device or station address.
• Sessions–Represents a single connection to a remote site.
IPSec tunnel protects all traffic between the IR1101 and the Head-end aggregation router. SCADA traffic can
be inspected through an IPS device positioned in the path of the SCADA traffic before it is forwarded to the
proper Control Center.
Figure 90: Routers Within a SCADA System
Prerequisites
RTUs must be configured and operating in the network.
For each RTU that connects to the IR1101, you will need the following information for T101/T104:
• Channel information
• Channel name
• Connection type: serial
• Link transmission procedure setting: unbalanced or balanced
• Address field of the link (number expressed in octets)
• Session information
• Session name
• Size of common address of Application Service Data Unit (ASDU) (number expressed in octets)
• Cause of transmission (COT) size (number expressed in octets)
• Information object address (IOA) size (number expressed in octets)
• Sector information
• Sector name
• ASDU address, (number expressed in octets)
For each RTU that connects to the IR1101, you will need the following information for DNP3:
• Channel information
• Channel name
• Connection type: serial
• Link address
• Session information
• Session name
Default Settings
T101/T104 Parameters Default
Note Before making any configuration changes to a IR1101 operating with Protocol Translation, please review
the section on Starting and Stopping the Protocol Translation Engine, on page 264.
Procedure
Step 2 interface async slot/port/interface Enters the interface command mode for the async
slot/port/interface.
slot –value of 0
port –value of 2
interface –value of 0
Step 4 encapsulation scada Enables encapsulation on the serial port for protocol
translation and other SCADA protocols.
EXAMPLE
This example shows how to enable serial port 0/2/0 and how to enable encapsulation on that interface to
support SCADA protocols.
Prerequisites
Ensure that you have gathered all the required configuration information.
Enable the serial port and SCADA encapsulation.
Procedure
Step 2 scada-gw protocol t101 Enters the configuration mode for the T101 protocol.
Step 3 channel channel_name Enters the channel configuration mode for the T101
protocol.
channel_name –Identifies the channel on which the serial
port of the IR1101 communicates to the RTU.
Note When the entered channel name does not
already exist, the router creates a new channel.
Entering the no form of this command deletes an existing
channel. However, all sessions must be deleted before you
can delete a channel.
Step 4 role master Assigns the master role to the T101 protocol channel
(default).
Step 5 link-mode {balanced | unbalanced} Configures the link-mode as either balanced or unbalanced.
unbalanced–Refers to a data transfer initiated from the
master.
balanced–Refers to either a master or slave data transfer.
Step 6 link-addr-size {none | one | two} Defines the link address size in octets.
Step 7 bind-to-interface async slot/port/interface Defines the IR1101 serial interface on which the system
sends its T101 protocol traffic.
slot –Value of 0
port –Value of 2
interface –Value of 0
Step 8 exit Ends configuration of the channel and exits the channel
configuration mode. Saves all settings.
Step 9 session session_name Enters the session configuration mode and assigns a name
to the session.
Step 11 common-addr-size {one | two | three} Defines the common address size in octets.
Step 12 cot size {one | two | three} Defines the cause of transmission such as spontaneous or
cyclic data schemes in octets.
Step 14 link-addr-size {one | two | three} Defines the link address size in octets.
Step 17 sector sector_name Enters the sector configuration mode and assigns a name
to the sector for the RTU.
sector_name –Identifies the sector.
Step 19 asdu-addr asdu_address Refers to the ASDU structure address of the RTU.
EXAMPLE
This example shows how to configure the parameters for the T101 protocol stack for RTU_10 .
router(config-t101)# exit
router(config)#
Procedure
Step 2 scada-gw protocol t104 Enters the configuration mode for the T104 protocol.
Step 3 channel channel_name Enters the channel configuration mode for the T104
protocol.
channel_name –Identifies the channel on which the router
communicates with the Control Center.
Note When the entered channel name does not
already exist, the router creates a new channel.
Entering the no form of this command deletes an existing
channel. However, all sessions must be deleted before you
can delete a channel.
Step 5 w-value value Sets the maximum number of APDUs for the channel.
value –Range of values from 1 to 32767. Default value is
8 APDUs.
Step 6 t0-timeout value Defines the t0-timeout value for connection establishment
of the T104 channel.
Step 7 t1-timeout value Defines the t1-timeout value for send or test APDUs on
the T104 channel.
Step 9 t3-timeout value Defines the t3-timeout value for sending s-frames in case
of a long idle state on the T104 channel.
Note The t3 value must always be set to a higher
value than the t1 value on the T104 channel.
Step 10 tcp-connection {0|1} local-port {port_number | default} In a configuration where there are redundant Control
remote-ip {A.B.C.D | A.B.C.D/LEN | any} [vrf WORD] Centers, sets the connection value for the secondary
Control Center as defined on the primary Control Center.
port-number –value between 2000 and 65535.
default–value of 2404.
A.B.C.D –single host.
A.B.C.D/nn –subnet A.B.C.D/LEN.
any–any remote hosts 0.0.0.0/0.
WORD–VRF name.
Step 12 session session_name Enters the session configuration mode and assigns a name
to the session.
session_name –Use the same name that you assigned to
the channel in Step 3.
Step 13 attach-to-channel channel_name Defines the name of the channel that transports the session
traffic.
Step 14 cot size {one | two | three} Defines the cause of transmission (cot), such as
spontaneous or cyclic data schemes in octets.
Step 16 sector sector_name Enters the sector configuration mode and assigns a name
to the sector for the Control Center.
Step 17 attach-to-session session_name Attaches the Control Center sector to the channel.
session_name –Use the same name that you assigned to
the channel in Step 3.
Step 18 asdu-addr asdu_address Refers to the ASDU structure address. Value entered here
must match the ASDU value on the RTU.
asdu_address –Value of 1 or 2.
Step 20 Return to Step 1. Repeat all steps in this section for each Control Center
active in the network.
EXAMPLE
This example shows how to configure the parameters for the T104 protocol stack on Control Center 1 and
Control Center 2, both of which are configured as masters, and how to map the T104 sector to the T101
sector.
To configure Control Center 1 (cc_master1 ), enter the following commands.
Configuration Example
The following example shows how to configure the serial port interface for T101 connection, configure T101
and T104 protocol stacks, and starts the Protocol Translation Engine on the IR1101.
router(config-t104)# session cc_master2
router(config-t104-session)# attach-to-channel cc_master2
router(config-t104-session)# cot-size two
router(config-t104-session)# exit
router(config-t104)# sector cc_master2-sector
router(config-t104-sector)# attach-to-session cc_master2
router(config-t104-sector)# asdu-adr 3
router(config-t104-sector)# map-to-sector rtu_sector
router(config-t104-sector)# exit
router(config-t104)# exit
router(config)# scada-gw enable
This example configures end-to-end communication between Control Centers and RTUs within a SCADA
system using the DNP3 protocol stacks and starts the Protocol Translation Engine on the IR1101:
Note IOA addresses obtained from the T101 side are sent to the T104 side without any modification by the SCADA
Gateway.
Cisco-IOS-XE-scada-gw
This module has the following corresponding CLI commands:
(config-t104)# t0-timeout <value>
(config-t104)# t1-timeout <value>
(config-t104)# t2-timeout <value>
(config-t104)# t3-timeout <value>
(config-t104)# k-value <value>
(config-t104)# w-value <value>
(config-t101)# day-of-week <enable>
(config-t101)# send-ei <enable>
(config-t104)# session <session_name>
(config-t104)# attach-to-channel <channel_name>
(config-t104)# sector <sector_name>
(config-t104)# attach-to-session <session-name>
(config-t104)# map-to-sector <sector-name>
(config)# scada-gw enable
Cisco-IOS-XE-scada-gw-oper
This module has the following corresponding CLI commands:
Procedure
Step 2 scada-gw protocol dnp3-serial Enters configuration mode for the DNP3 serial protocol.
Step 3 channel channel_name Enters channel configuration mode for the DNP3 serial
protocol.
channel_name –Identifies the channel on which the router
serial port communicates to the RTU.
Note: When the entered channel name does not already
exist, the router creates a new channel.
Entering the no form of this command deletes an existing
channel. However, all sessions must be deleted before you
can delete a channel.
Step 4 bind-to-interface async0/2/0 Defines the router async interface on which the system
sends its DNP3 protocol traffic.
Step 5 link-addr source source_address Refers to the link address of the master.
source_address –Range of values from 1 to 65535.
Step 8 session session_name Enters session configuration mode and assigns a name to
the session.
Note: When the entered session name does not already
exist, the router creates a new session.
Entering the no form of this command deletes an existing
session.
Step 10 link-addr dest destination_address Refers to the link address of the slave.
destination_address –Range of values from 1 to 65535.
EXAMPLE
This example shows how to configure the parameters for the DNP3-serial protocol stack:
Configuring DNP3 IP
Follow the steps below for the Control Center that you want to connect to over DNP3 IP. For redundancy,
you can create multiple connections that share the same session configuration under the same session.
Procedure
Step 2 scada-gw protocol dnp3-ip Enters configuration mode for the DNP3 IP protocol.
Step 3 channel channel_name Enters channel configuration mode for the DNP3 IP
protocol.
channel_name –Identifies the channel on which the router
communicates with the Control Center.
Note: When the entered channel name does not already
exist, the router creates a new channel.
Step 4 link-addr dest destination_address Refers to the link address of the master.
destination_address –Range of values from 1 to 65535.
Step 6 tcp-connection local-port [default | local_port] Configures the local port number and remote IP address
remote-ip [any | remote_ip | remote_subnet] for the TCP connection:
• default–20000.
• local_port –Range of values from 2000 to 65535.
• any–Any remote hosts 0.0.0.0/0.
• remote_ip –Single host: A.B.C.D
• remote_subnet –Subnet: A.B.C.D/LEN
Note: Every <local-port, remote-ip> pair must be unique per
channel. If remote_subnet is specified and two channels use
the same local port, their remote subnets cannot overlap.
Step 8 session session_name Enters session configuration mode and assigns a name to
the session.
Note: When the entered session name does not already
exist, the router creates a new session.
Entering the no form of this command deletes an existing
session.
Step 10 link-addr source source_address Refers to the link address of the slave.
source_address –Value of 1-65535.
Step 11 map-to-session session_name Maps the dnp3-ip session to an existing dnp3-serial session.
Note: One dnp3-ip session can be mapped to only one
dnp3-serial session.
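The uniqueness and non-overlap rules for tcp-connection entries (Step 10 of the T104 procedure and Step 6 above) are worth checking before a configuration is pushed to the router. The following Python validator is an added illustration, not Cisco code: it resolves `default` to the port each protocol uses (2404 for T104, 20000 for DNP3 IP), expands `any` and bare hosts to networks, and reports colliding pairs; the channel names and addresses in `demo()` are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

# Default local ports from the step tables: T104 uses 2404, DNP3 IP uses 20000.
DEFAULT_LOCAL_PORT = {"t104": 2404, "dnp3-ip": 20000}


@dataclass(frozen=True)
class TcpConnection:
    channel: str                  # channel_name the tcp-connection belongs to
    local_port: Union[int, str]   # 2000-65535, or "default"
    remote_ip: str                # "any", a host A.B.C.D, or a subnet A.B.C.D/LEN


def resolve_local_port(conn: TcpConnection, protocol: str) -> int:
    """Map "default" to the protocol's port and enforce the 2000-65535 range."""
    if conn.local_port == "default":
        return DEFAULT_LOCAL_PORT[protocol]
    port = int(conn.local_port)
    if not 2000 <= port <= 65535:
        raise ValueError(f"{conn.channel}: local-port {port} is outside 2000-65535")
    return port


def remote_network(conn: TcpConnection) -> ipaddress.IPv4Network:
    """"any" means every remote host (0.0.0.0/0); a bare host becomes a /32."""
    if conn.remote_ip == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(conn.remote_ip, strict=False)


def check_tcp_connections(conns: List[TcpConnection], protocol: str) -> List[str]:
    """Return the rule violations found (an empty list means the set is consistent)."""
    problems: List[str] = []
    resolved = []
    seen = set()
    for c in conns:
        port = resolve_local_port(c, protocol)
        net = remote_network(c)
        # Rule 1: every <local-port, remote-ip> pair must be unique.
        if (port, net) in seen:
            problems.append(f"{c.channel}: <{port}, {net}> is already used")
        seen.add((port, net))
        resolved.append((c, port, net))
    # Rule 2: two different channels on the same local port must not have
    # overlapping remote subnets (redundant connections of one channel are fine).
    for i, (a, port_a, net_a) in enumerate(resolved):
        for b, port_b, net_b in resolved[i + 1:]:
            if (a.channel != b.channel and port_a == port_b
                    and net_a != net_b and net_a.overlaps(net_b)):
                problems.append(
                    f"{a.channel} and {b.channel}: remote subnets {net_a} and "
                    f"{net_b} overlap on local-port {port_a}")
    return problems


def demo():
    # Constructed sample: two T104 Control Center channels on the default port 2404.
    valid = [
        TcpConnection("cc_master1", "default", "10.0.1.0/24"),
        TcpConnection("cc_master2", "default", "10.0.2.0/24"),
    ]
    # A third channel on the same port whose remote host lies inside cc_master1's subnet.
    invalid = valid + [TcpConnection("cc_master3", 2404, "10.0.1.5")]
    return check_tcp_connections(valid, "t104"), check_tcp_connections(invalid, "t104")
```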
EXAMPLE
This example shows how to configure the DNP3 IP parameters:
Procedure
Step 2 [no] scada-gw enable Starts (scada-gw enable) or stops (no scada-gw enable)
the Protocol Translation Engine on the IR1101.
EXAMPLE
To start the protocol translation engine on the router, enter the following commands:
To stop the protocol translation engine on the router, enter the following commands:
Verifying Configuration
Command Purpose
show running-config Shows the configuration of the router including active features and their settings.
show scada statistics Shows statistics for the SCADA gateway, including the number of messages sent and
received, timeouts, and errors.
show scada tcp Displays TCP connections associated with the SCADA gateway.
This example shows the output from the show scada tcp and show scada statistics commands:
Debug Commands
This section lists some debug commands that are helpful when troubleshooting.
Command Purpose
TCP Transport
TCP Raw Socket transport uses a client-server model. At most one server and multiple clients can be configured
on a single asynchronous serial line. In client mode, the IR1101 can initiate up to 32 TCP sessions to Raw
Socket servers, which can be other IR1101 routers or third-party devices.
Figure 1 shows a sample Raw Socket TCP configuration. In this example, serial data is transferred between
RTUs and a utility management system across an IP network that includes several IR1101 routers. One IR1101
router (Router 1) acts as a Raw Socket server, listening for TCP connection requests from the other IR1101
routers (Router 2 and Router 3), which are configured as Raw Socket clients.
A Raw Socket client receives streams of serial data from the RTUs and accumulates this data in its buffer,
then places the data into packets, based on user-specified packetization criteria. The Raw Socket client initiates
a TCP connection with the Raw Socket server and sends the packetized data across the IP network to the Raw
Socket server, which retrieves the serial data from the packets and sends it to the serial interface, and on to
the utility management system.
Note When you configure the serial link interface on the router as a server, the interface’s peer is the serial
link interface on the client router and vice versa.
UDP Transport
UDP transport uses a peer-to-peer model. Multiple UDP connections can be configured on an asynchronous
serial line.
Figure 2 shows a sample Raw Socket UDP configuration. In this example, serial data is transferred between
RTUs and a utility management system across an IP network that includes two routers (Router 1 which is an
IR1101 and Router 2 which is an IR807) that are configured as Raw Socket UDP peers.
In this example, the Raw Socket UDP peer receives streams of serial data from the RTUs and accumulates
this data in its buffer, then places the data into packets, based on user-specified packetization criteria. The
Raw Socket UDP peer sends the packetized data across the IP network to the Raw Socket peer at the other
end, which retrieves the serial data from the packets and sends it to the serial interface, and on to the utility
management system.
Prerequisites
Determine how you want Raw Socket traffic transported in your network, including the network devices and
interfaces to use, how the router packetizes the serial data, and whether to use VRF.
Default Settings
Feature Default Setting
Raw Socket mode Best-effort mode is off, not supported on the IR1101.
Procedure
Step 2 interface async0/slot/port Enters the interface command mode for the async slot/port.
Step 4 Do one of the following: Enables Raw Socket TCP encapsulation or UDP
encapsulation for the serial port.
• encapsulation raw-tcp
• encapsulation raw-udp
EXAMPLE
This example shows how to enable serial port 0/2/0 and how to enable Raw Socket TCP encapsulation on
that port.
Procedure
Step 2 line 0/slot/port Enters line command mode for the serial slot/port.
Step 3 raw-socket packet-length length Specifies the packet size that triggers the IR1101 to transmit
the data to the peer. When the IR1101 accumulates this
much data in its buffer, it packetizes the data and forwards
it to the Raw Socket peer.
length— 2 to 1400 bytes.
By default, the packet-length trigger is disabled.
Step 4 raw-socket packet-timer timeout Specifies the maximum time in milliseconds the IR1101
waits to receive the next character in a stream. If a character
is not received by the time the packet-timer expires, the
accumulated data is packetized and forwarded to the Raw
Socket peer.
timeout —3 to 1000 ms.
The default is 15 ms.
What to do next
Use the no form of these commands to return to the default values.
EXAMPLE
router# configure terminal
router(config)# line 0/2/0
router(config-line)# raw-socket packet-length 32
router(config-line)# raw-socket packet-timer 500
router(config-line)# raw-socket special-char 3
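The packetization behaviour configured above can be hard to reason about when packet-length, packet-timer and special-char interact. The following Python model is an added illustration, not Cisco code: it implements the packet-length and packet-timer triggers as the step table describes them, treats special-char as a byte value that also flushes the buffer (an assumption, since the page shows the command without describing it), and replays a constructed serial stream against the settings from the example (32 bytes, 500 ms, character 3).

```python
from typing import List, Optional, Tuple

Packet = Tuple[str, bytes]   # (trigger that fired, payload)


class RawSocketPacketizer:
    """Accumulates serial bytes and emits packets on the configured triggers."""

    def __init__(self, packet_length: Optional[int] = None,
                 packet_timer_ms: int = 15, special_char: Optional[int] = None):
        # packet-length: 2-1400 bytes, disabled by default; packet-timer: 3-1000 ms, default 15.
        if packet_length is not None and not 2 <= packet_length <= 1400:
            raise ValueError("packet-length must be 2-1400 bytes")
        if not 3 <= packet_timer_ms <= 1000:
            raise ValueError("packet-timer must be 3-1000 ms")
        self.packet_length = packet_length
        self.packet_timer_ms = packet_timer_ms
        self.special_char = special_char   # assumed semantics: this byte value flushes the buffer
        self._buf = bytearray()
        self._last_ms: Optional[float] = None
        self.packets: List[Packet] = []

    def _flush(self, trigger: str) -> None:
        if self._buf:
            self.packets.append((trigger, bytes(self._buf)))
            self._buf.clear()

    def _timer_expired(self, now_ms: float) -> bool:
        return self._last_ms is not None and now_ms - self._last_ms > self.packet_timer_ms

    def feed(self, now_ms: float, byte: int) -> None:
        """Deliver one received character with its arrival time."""
        # A gap longer than packet-timer since the previous character means the
        # timer already fired: whatever was buffered went out as its own packet.
        if self._timer_expired(now_ms):
            self._flush("timer")
        self._buf.append(byte)
        self._last_ms = now_ms
        if self.special_char is not None and byte == self.special_char:
            self._flush("special-char")
        elif self.packet_length is not None and len(self._buf) >= self.packet_length:
            self._flush("length")

    def idle(self, now_ms: float) -> None:
        """Advance the clock with no new character; flushes if the timer has expired."""
        if self._timer_expired(now_ms):
            self._flush("timer")


def run_stream(p: RawSocketPacketizer,
               bursts: List[Tuple[int, bytes]]) -> List[Tuple[str, int]]:
    """Feed bursts of (start_ms, data), bytes 1 ms apart, then let the line go idle.

    Returns (trigger, packet size) for each packet produced.
    """
    end_ms = 0
    for start_ms, data in bursts:
        for i, b in enumerate(data):
            p.feed(start_ms + i, b)
        end_ms = start_ms + len(data)
    p.idle(end_ms + 2 * p.packet_timer_ms)
    return [(trigger, len(payload)) for trigger, payload in p.packets]


def demo() -> List[Tuple[str, int]]:
    # Same settings as the line configuration example above: packet-length 32,
    # packet-timer 500 ms, special-char 3 (ASCII ETX). The bursts are constructed.
    p = RawSocketPacketizer(packet_length=32, packet_timer_ms=500, special_char=3)
    bursts = [(0, b"A" * 40), (700, b"HELLO\x03"), (720, b"BYE")]
    return run_stream(p, bursts)
```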
Procedure
Step 2 line 0/slot/port Enters line command mode for the serial slot/port.
Step 3 raw-socket tcp server port [ip_address ] Starts the Raw Socket Transport TCP server for an
asynchronous line interface. In Raw Socket server mode,
the IR1101 listens for incoming connection requests from
Raw Socket clients.
port –Port number the server listens on.
ip_address –(Optional) Local IP address on which the server
listens for connection requests.
Step 4 raw-socket tcp idle-timeout session_timeout Sets the Raw Socket Transport TCP session timeout for the
asynchronous line interface. If no data is transferred between
the client and server over this interval, then the TCP session
is closed.
What to do next
To remove a Raw Socket TCP server, use the no raw-socket tcp server command.
EXAMPLE
This example shows how to configure a Raw Socket TCP server for an asynchronous serial line. The TCP
server listens for TCP client connection requests on local port 4000 and local IP address 10.0.0.1. If no data
is exchanged between the Raw Socket TCP server and one of the TCP clients for 10 minutes, then the TCP
session closes, and the Raw Socket client attempts to reestablish the session with the Raw Socket server.
Procedure
Step 2 line 0/slot/port Enters line command mode for the serial slot/port.
Step 3 raw-socket tcp client dest_ip_address dest_port Specifies settings for Raw Socket Transport TCP client
[local_ip_address ] [local_port ] sessions.
dest_ip_address –Destination IP address of the remote Raw
Socket server.
dest_port –Destination port number to use for the TCP
connection to the remote server.
local_ip_address –(Optional) Local IP address that the
client can also bind to.
Step 4 raw-socket tcp idle-timeout session_timeout Sets the Raw Socket Transport TCP session timeout for the
asynchronous line interface. If no data is transferred between
the client and server over this interval, then the TCP session
is closed. The client then automatically attempts to
reestablish the TCP session with the server.
This timeout setting applies to all Raw Socket Transport
TCP sessions under this particular line.
session_timeout –Currently configured session idle timeout
in minutes. The default is 5 minutes.
Step 5 raw-socket tcp keepalive interval Sets the Raw Socket Transport TCP session keepalive
interval for the asynchronous line interface. The router sends
keepalive messages based on the configured interval. You
may need to configure this interval, for example, when
sending raw TCP traffic over a cellular interface.
interval –Currently configured keepalive interval in seconds.
Range is 1-864000 seconds. The default is 1 second.
What to do next
To remove a Raw Socket TCP client, use the no raw-socket tcp client command.
EXAMPLE
This example shows how to configure a Raw Socket TCP client for an asynchronous serial line. The IR1101
(router), serving as a Raw Socket client, initiates TCP sessions with a Raw Socket server and forwards
packetized serial data to it. The router collects streams of serial data in its buffer; when it accumulates 827
bytes in its buffer, the router packetizes the data and forwards it to the Raw Socket server. If the router and
the Raw Socket server do not exchange any data for 10 minutes, then the TCP session with the Raw Socket
server closes, and the router attempts to reestablish the session with the Raw Socket server.
Procedure
Step 2 line 0/slot/port Enters line command mode for the serial slot/port.
Step 3 raw-socket udp connection dest_ip_address dest_port Specifies settings for Raw Socket Transport UDP
local_port [local_ip_address ] connections.
dest_ip_address –Destination IP address to use for the UDP
connection.
dest_port –Destination port number to use for the UDP
connection.
local_port –Local port number for the UDP connection.
local_ip_address –(Optional) Local IP address for the UDP
connection.
What to do next
To remove a Raw Socket UDP connection, use the no raw-socket udp connection command.
EXAMPLE
This example shows how to configure a Raw Socket UDP connection between router A (local IP address
192.168.0.8) and router B (local IP address 192.168.0.2).
Router A
Router B
Verifying Configuration
Command Purpose
show running-config Shows the configuration of the IR1101, including those features that are
active and their settings.
show raw-socket tcp detail Displays information about Raw Socket Transport TCP activity.
show raw-socket tcp sessions Displays information about Raw Socket Transport TCP sessions.
show raw-socket tcp statistics Displays Raw Socket Transport TCP statistics for each asynchronous serial
line.
show raw-socket udp detail Displays information about Raw Socket Transport UDP activity.
show raw-socket udp sessions Displays information about Raw Socket Transport UDP sessions.
show raw-socket udp statistics Displays Raw Socket Transport UDP statistics for each asynchronous serial
line.
clear raw-socket statistics Clears Raw Socket Transport statistics for a specific TTY interface or for
all asynchronous serial lines.
Configuration Example
The following sections include Raw Socket Transport configuration examples:
The following table displays the configuration of the server and client IR1101s highlighted in Figure 3:
Raw Socket server IR1101
...
interface async0/2/0
no ip address
encapsulation raw-tcp
!
...
line 0/2/0
raw-socket tcp server 5000 10.0.0.1
raw-socket packet-timer 3
raw-socket tcp idle-timeout 5
...
Raw Socket client IR1101
...
interface async0
no ip address
encapsulation raw-tcp
!
interface async1
no ip address
encapsulation raw-tcp
!
...
line 1
raw-socket tcp client 10.0.0.1 5000 10.0.0.2 9000
raw-socket packet-length 32
raw-socket tcp idle-timeout 5
line 2
raw-socket tcp client 10.0.0.1 5000 10.0.0.2 9001
raw-socket packet-length 32
raw-socket tcp idle-timeout 5
From Router1
interface GigabitEthernet0/1
ip address 192.168.0.8 255.255.255.0
duplex auto
speed auto
interface async0/2/0
no ip address
encapsulation raw-udp
line 0/2/0
raw-socket udp connection 192.168.0.2 2 2
From Router2
interface GigabitEthernet0/1
ip address 192.168.0.2 255.255.255.0
load-interval 60
duplex auto
speed auto
no keepalive
interface async0/2/0
no ip address
encapsulation raw-udp
line 0/2/0
raw-socket udp connection 192.168.0.8 2 2
Router1 Configuration
Defining VRF on the router:
interface GigabitEthernet0/0
vrf forwarding router1
ip address 100.100.100.2 255.255.255.0
duplex auto
speed auto
interface async0/2/0
vrf forwarding router1
no ip address
encapsulation raw-tcp
line 0/2/0
raw-socket tcp server 5000 4.4.4.4
Router2 Configuration
Defining VRF on the router:
interface GigabitEthernet0/0
vrf forwarding router1
ip address 100.100.100.1 255.255.255.0
duplex auto
speed auto
interface async0
vrf forwarding router1
no ip address
encapsulation raw-tcp
line 1
raw-socket tcp client 4.4.4.4 5000
Warning It is important to note that, just like the base IR1101, Online Insertion and Removal (OIR) is not supported
on the Expansion Module. If the 4G module (or mSATA) is inserted or pulled out while the device is
powered up, it may damage the module.
The following figure shows the front panel of the IRM-1100-SPMI and highlights some of its capabilities:
Item Description
2 SFP Connector
3 Pluggable Module
The supported hardware interfaces and their naming conventions are in the following table:
mSATA Overview
IOx/Guest-OS legacy systems on which end users can host applications, typically came with a disk storage
of 4GB to store user data. Functionality has been added allowing for a Cisco supported Pluggable mSATA
SSD PID to add 50 GB of available storage. Support for a 100 GB mSATA SSD has the following limitations:
• There is no support for the show inventory command.
• Supports 55GB (IOx allocation for applications and packages alike), 32B (IOS allocation for storage can
be viewed in ‘dir msata’ on IOS).
Warning It is important to note that Online Insertion and Removal (OIR) is not supported. If the mSATA SSD
is inserted or pulled out while the device is powered up, it may damage the module.
Note As with any IoT platform, for IOx, use the Fog Director, Local Manager, or app-hosting CLIs to install
applications and access the new mSATA disk storage provided.
50 GB mSATA Partitioning
IOS-XE divides the mSATA SSD into 2 partitions. One for IOS-XE and the other for IOx. The percentage
of usage is:
• IOS: 33.33 %
• IOx: 66.66 %
After a router reload, it will take a few minutes (approximately 5) before this data will be populated again.
When the SSD lifetime reduces to 15% and 5% of the lifetime limit, errors start getting reported in syslog.
For example:
SKU OID
IR1100-SSD-100G 1.3.6.1.4.1.9.12.3.1.9.96.176
As part of this enhancement, SNMP support has been added for the following mSATA parameters on the
router:
• lifetime remaining (wear leveling)
• memory usage for the mSATA SSD
The show platform hardware msata command gives information about this MIB.
Related documentation:
https://www.cisco.com/c/en/us/support/cloud-systems-management/iox/tsd-products-support-series-home.html
https://developer.cisco.com/docs/iox/
Feature Details
The following conditions must be met before performing SNMP requests on the Router:
• An active mSATA module must be configured in the router.
• The Integrator must have incorporated the supported pluggable mSATA into their design.
• Verify this using the show platform hardware msata CLI.
Feature Assumptions
• After a router reload, it will take approximately 5 minutes before mSATA data will be populated again.
• Only SNMP get is allowed on the OID, which is marked as read-only. Setting its value is not allowed.
• Configurations to enable SNMP on the router are necessary for fetching the MIB value.
Digital IO
The IR1101 has two different Expansion Modules, the IRM-1100-SP and IRM-1100-SPMI. The
IRM-1100-SPMI comes with a Digital I/O connector that has 4 GPIO connections plus 1 Return connection.
It supports both dry and wet contacts up to 60 volts.
• Dry contact is isolated from a voltage source (or “No Volt”), with an embedded relay function (NPN
transistor), usually used to indicate an event. For example: open/close, alarm.
• Wet contact is a contact with external power (+3.3V to +60V, max 150mA of current allowed at high
voltage) applied, usually used to energize something. For example: solenoid, light.
Digital IO is similar to the ALARM IN and ALARM OUT supported on the IR800 series routers. The
difference is that on the IR800 series, ALARM IN is a dedicated input and ALARM OUT is a dedicated
output, whereas a Digital IO pin can be either input or output. ALARM OUT includes a relay to provide the Normally
Open (NO) or Normally Closed (NC) terminals. Digital IO does not include a relay.
There are no traps for alarms on the GPIO.
More information on the Digital IO hardware capabilities can be found in the Cisco Catalyst IR1101 Rugged
Series Router Hardware Installation Guide.
Configuration Commands
You can set the alarm severity to critical, major, minor, or none. The severity is included in the alarm message
when the alarm is triggered.
To configure and show alarms on the IR1101, use the Command Line Interface (CLI).
Command Purpose
alarm contact contact-number enable Enables the alarm contact number. The contact-number value is from
0 to 4. <0-4> Alarm contact number (0: Alarm port, 1-4: Digital I/O).
Alarm contact 0 is located in the base unit (pins 3 and 4) and is always in
Output Mode. Additional configurations for Alarm 0 include severity,
threshold and trigger.
Alarm contacts 1-4 (pins 1-4) are located in the IRM-1100 Expansion
Module and can be in Input or Output Mode. Pin 5 is for ground.
Additional configurations for Alarms 1-4 include application, output,
severity, threshold and trigger.
alarm contact contact-number {application {dry | wet} | description | enable | output {1 for High | 0 for Low} | severity {critical | major | minor | none} | threshold {1600-2700} | trigger {closed | open}}
• Enter a contact number (0-4) that you are configuring.
• The description string is up to 80 alphanumeric characters in length
and is included in any generated system messages.
• For application, select dry (default) or wet. Only applicable for
Digital I/O ports 1-4.
• enable enables the alarm port. no alarm contact contact-number
disables the alarm port.
• The output is either 1 for High or 0 for Low. Only applicable for
Digital I/O ports 1-4.
• For severity, enter critical, major, minor or none. If you do not
configure a severity, the default is minor.
• For threshold, select a value between 1600-2700. The default value
is 1600 mV.
• For trigger, enter open or closed. If you do not configure a trigger,
the alarm is triggered when the circuit is closed.
Configuration Examples
Configure an alarm.
ir1101#conf term
Enter configuration commands, one per line. End with CNTL/Z.
ir1101(config)#alarm contact 1 description
ir1101#
ir1101#show alarm
Alarm contact 0:
Enabled: Yes
Status: Not Asserted
Application: Dry
Description: test
Severity: Critical
Trigger: Open
Threshold: 2000
ir1101# !
*Nov 27 14:54:52.573: %IR1101_ALARM_CONTACT-0-EXTERNAL_ALARM_CONTACT_ASSERT: External alarm
asserted, Severity: Critical
ir1101#show alarm
ALARM CONTACT
Enabled: Yes
Status: Asserted
Application: Dry
Description: test
Severity: Critical
Trigger: Open
Threshold: 2000
Digital I/O 1:
Enabled: No
Status: Not Asserted
Application: Dry
Description: External digital I/O port 1
Severity: Minor
Trigger: Closed
Threshold: 1600
Digital I/O 2:
Enabled: No
Status: Not Asserted
Application: Dry
Description: External digital I/O port 2
Severity: Minor
Trigger: Closed
Threshold: 1600
Digital I/O 3:
Enabled: No
Status: Not Asserted
Application: Dry
Description: External digital I/O port 3
Severity: Minor
Trigger: Closed
Threshold: 1600
Digital I/O 4:
Enabled: Yes
Status: Not Asserted
Description: External digital I/O port 4
Mode: Output
Router#
ir1101# !
*Nov 27 14:55:02.573: %IR1101_ALARM_CONTACT-0-EXTERNAL_ALARM_CONTACT_CLEAR: External alarm
cleared
ir1101#
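Because there are no traps for GPIO alarms, the syslog messages shown above are the signal a monitoring system has to work with. The following Python parser is an added illustration, not Cisco code: it extracts the ASSERT and CLEAR events from lines in the format shown, keeps the current contact state, and counts a CLEAR with no matching ASSERT; the sample log lines are constructed from the messages above (the `%SYS-5-CONFIG_I` line is an unrelated filler message).

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Patterns built from the console messages shown above. The timestamp prefix is the
# IOS service-timestamps format ("*Nov 27 14:54:52.573:").
TIMESTAMP_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?)")
ALARM_RE = re.compile(
    r"%IR1101_ALARM_CONTACT-\d-EXTERNAL_ALARM_CONTACT_(?P<event>ASSERT|CLEAR): "
    r"External alarm (?:asserted|cleared)(?:, Severity: (?P<severity>\w+))?"
)

ParsedAlarm = Tuple[Optional[str], str, Optional[str]]   # (timestamp, event, severity)


@dataclass
class ContactState:
    asserted: bool = False
    severity: Optional[str] = None
    since: Optional[str] = None          # timestamp of the open ASSERT, if any
    assert_count: int = 0
    clear_count: int = 0
    unmatched_clears: int = 0            # CLEAR seen while nothing was asserted


def parse_alarm_line(line: str) -> Optional[ParsedAlarm]:
    """Return (timestamp, ASSERT|CLEAR, severity) for an alarm contact message, else None."""
    m = ALARM_RE.search(line)
    if m is None:
        return None
    ts = TIMESTAMP_RE.match(line.strip())
    return (ts.group("ts") if ts else None, m.group("event"), m.group("severity"))


def alarm_state(lines: Iterable[str]) -> ContactState:
    """Replay syslog lines in order and return the resulting contact state."""
    state = ContactState()
    for line in lines:
        parsed = parse_alarm_line(line)
        if parsed is None:
            continue                      # not an alarm contact message
        ts, event, severity = parsed
        if event == "ASSERT":
            state.asserted, state.severity, state.since = True, severity, ts
            state.assert_count += 1
        else:
            if not state.asserted:
                state.unmatched_clears += 1   # a CLEAR with no open ASSERT is worth a look
            state.asserted, state.severity, state.since = False, None, None
            state.clear_count += 1
    return state


# Constructed sample: the two alarm messages shown above, each on one line, with an
# unrelated IOS message between them.
SAMPLE_LOG = [
    "*Nov 27 14:54:52.573: %IR1101_ALARM_CONTACT-0-EXTERNAL_ALARM_CONTACT_ASSERT: "
    "External alarm asserted, Severity: Critical",
    "*Nov 27 14:54:55.100: %SYS-5-CONFIG_I: Configured from console by console",
    "*Nov 27 14:55:02.573: %IR1101_ALARM_CONTACT-0-EXTERNAL_ALARM_CONTACT_CLEAR: "
    "External alarm cleared",
]
```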
P-LTEA-LA (EM7430), APAC
LTE Bands: B1, B3, B5, B7, B8, B18, B19, B21, B28, B38, B39, B40, B41.
Non-LTE Bands:
B87 - WCDMA (Europe, Japan, and China) 2100 band
B91 - WCDMA US 850 band
B92 - WCDMA Japan 800 band
B114 - WCDMA Europe and Japan 900 band
B115 - WCDMA Japan 1700 band
B125 - WCDMA Japan 850 band
P-LTEA-EA (EM7455), USA, Canada, Europe, Latin America
LTE Bands: B2, B4, B5, B13
Non-LTE Bands:
B87 - WCDMA (Europe, Japan, and China) 2100 band
B88 - WCDMA US PCS 1900 band
B89 - WCDMA (Europe and China) DCS 1800 band
B90 - WCDMA US 1700 band
B91 - WCDMA US 850 band
B114 - WCDMA Europe and Japan 900 band
SFP Support
The SFP interface on the Expansion Module operates differently than on the Base unit. The SFP interface on
the IR1101 base module is part of the combo port (SFP/RJ45) for GigabitEthernet0/0/0. It may be configured
as Layer-3 (default) or Layer-2 interface.
The SFP interface on the Expansion Module is only an SFP interface. It is named GigabitEthernet0/0/5, and
is a Layer-2 interface. For Layer-3 feature set, it must be assigned to a VLAN interface.
Details about the SFP Interface can be displayed using the show interfaces transceiver detail CLI, for
example:
Router#show interfaces transceiver detail
IDPROM for transceiver Gigabitethernet0/0/0:
Description = SFP or SFP+ optics (type 3)
Socket Verification
200: 00 00 00 00 00 00 00 00 00 00
210: 00 00 00 00 00 00 00 00 00 00
220: 00 00 00 00 00 00 00 00 00 00
230: 00 00 00 00 00 00 00 00 00 00
240: 00 00 00 00 00 00 00 00 00 00
250: 00 00 00 00 00 00
Link reach for 9u fiber (km) = SX(550/270m) (0)
1xFC-MM(500/300m) (0)
2xFC-MM(300/150m) (0)
ESCON-MM(2km) (0)
Link reach for 9u fiber (m) = SX(550/270m) (0)
1xFC-MM(500/300m) (0)
2xFC-MM(300/150m) (0)
ESCON-MM(2km) (0)
Link reach for 50u fiber (m) = SR(2km) (0)
IR-1(15km) (0)
IR-2(40km) (0)
LR-1(40km) (0)
LR-2(80km) (0)
LR-3(80km) (0)
DX(40KM) (0)
HX(40km) (0)
ZX(80km) (0)
VX(100km) (0)
1xFC, 2xFC-SM(10km) (0)
ESCON-SM(20km) (0)
Link reach for 62.5u fiber (m) = SR(2km) (0)
IR-1(15km) (0)
IR-2(40km) (0)
LR-1(40km) (0)
LR-2(80km) (0)
LR-3(80km) (0)
DX(40KM) (0)
HX(40km) (0)
ZX(80km) (0)
VX(100km) (0)
1xFC, 2xFC-SM(10km) (0)
ESCON-SM(20km) (0)
Nominal laser wavelength = 16652 nm.
DWDM wavelength fraction = 16652.193 nm.
Supported options = Tx disable
You can find all of the supported SFP Interfaces in the Cisco Catalyst IR1101 Rugged Series Router Hardware
Installation Guide.
IRM-1100-4A2T Overview
The IRM-1100-4A2T is an expansion module that can be attached to the IR1101. It offers an additional four
asynchronous serial ports and two Ethernet interfaces to the IR1101. The following graphic shows the
IRM-1100-4A2T.
The IRM-1100-4A2T Ethernet interfaces are Layer 2 RJ45 10/100/1000 Mbps ports.
The IRM-1100-4A2T serial ports are RJ45 combo ports (RS232/RS485/RS422).
The IR1101 has two sides that expansion modules mount to. The top is called the Expansion side, and the
bottom is called the Compute side. If the additional module is connected to the top, then it is referenced as
the Expansion Module (EM) side. If the additional module is connected on the bottom, then it is referenced
as the Compute Module (CM) side. Functionality differs depending on which side the expansion module is
attached to, and how many and type of expansion modules are in use.
Note Additional information can be found in the Cisco Catalyst IR1101 Rugged Series Router Software
Configuration Guide.
Expansion module     Switch path
IRM-1100-SPMI        IR1101-ES-6S
IRM-IR1100-4A2T      IR1101-ES-7G
Note When an IRM-IR1100-4A2T is connected on both sides of the IR1101-K9, there is a maximum of nine
Async interfaces which can be enumerated. The switch path for the IR1101-K9 will be IR1101-ES-7G.
Pinout table fragment (pin 2): RS232 signal Received Line Signal Detector (DCD), input; RS485 full-duplex TX+, output; RS485 half-duplex TX/RX-, bidirectional (<->).
Both the IRM-1100-SPMI Expansion Module and the IRM-1100-4A2T Expansion Module have the following
guidelines and limitations:
• The CAT18 LTE module is not supported on the Compute Module (bottom) side.
• MSATA and GPIO pins are not supported when attached to the Compute Module side.
• The IR1101 can only support a maximum of two LTE interfaces. This means connecting an Expansion
Module with LTE interfaces on both the EM and CM side is not supported. If connected, only the EM
side will be active.
Deployment Scenarios
The IRM-1100-4A2T supports four different deployment scenarios. This section discusses the differences in
functionality between the four.
Interface numbers are enumerated based on how the IRM-1100-4A2T module is deployed.
Scenario One
In this scenario, the IRM-1100-4A2T is mounted on the Expansion side, or the top. See the following figure:
In this configuration, you get full functionality out of the Serial and Ethernet ports.
There is support for 4 additional Async interfaces, and 2 Gigabit ethernet interfaces.
Interface numbering in this scenario is as follows:
• Async 0/3/0 – 0/3/3 [Connected on EM side]
• Gi0/0/5 and Gi0/0/6 [Layer 2 interfaces from EM side]
Scenario Two
In this scenario, the IRM-1100-4A2T is mounted on the Compute side, or the bottom. In addition, the solution
also has the IRM-1100-SPMI expansion module mounted on the Expansion side, or the top. See the following
figure:
In this configuration, the ethernet ports on the IRM-1100-4A2T will not function. The serial ports have full
functionality.
There is support for 4 Async interfaces and no support for additional layer 2 interfaces.
Interface numbering in this scenario is as follows:
• async 0/4/0 (corresponding line is: line 0/4/0) [Serial]
• async 0/4/1 (corresponding line is: line 0/4/1) [Serial]
• async 0/4/2 (corresponding line is: line 0/4/2) [Serial]
• async 0/4/3 (corresponding line is: line 0/4/3) [Serial]
Scenario Three
In this scenario, the IRM-1100-4A2T is mounted on the Expansion side, or the top. In addition, the configuration
also has the IRM-1100-SPMI expansion module mounted on the Compute side, or the bottom. See the following
figure:
In this configuration, the IRM-1100-4A2T is mounted on the Expansion side, or top, and has full functionality.
The SFP port on the IRM-1100-SPMI mounted on the Compute side, or bottom, will not function.
Interface numbering in this scenario is as follows:
• Async 0/3/0 – 0/3/3 [Connected on EM side]
• Async 0/4/0 – 0/4/3 [Connected on CM side]
• Gi0/0/5 and Gi0/0/6 [Layer 2 interfaces from EM side]
• LTE interface on CM side, cellular 0/4/0 and cellular 0/4/1
Scenario Four
In this scenario, there are two IRM-1100-4A2T expansion modules mounted on both the Expansion side and
the Compute side. See the following figure:
In this configuration, the IRM-1100-4A2T mounted on the Expansion side, or top, has full functionality. The
Ethernet ports on the IRM-1100-4A2T mounted on the Compute side, or bottom, will not function.
There is support for 8 more Async interfaces, and 2 Gigabit ethernet interfaces.
Interface numbering in this scenario is as follows:
• Async 0/3/0 – 0/3/3 [Connected on EM side]
• Async 0/4/0 – 0/4/3 [Connected on CM side]
• Gi0/0/5 and Gi0/0/6 [Layer 2 interfaces from EM side]
NAME: "Module 2 - Compute Module", DESCR: "IR1100 expansion module with Pluggable slot,
SFP, mSATA SSD slot and Digital GPIO"
PID: IRM-1100-SPMI , VID: V02 , SN: FCW2502PAP0
NAME: "Module 3 - Expansion Module", DESCR: "IR1100 expansion module with 4 Async ports and
2 copper ports"
PID: IRM-1100-4A2T , VID: V00 , SN: FOC25150ZRJ
Router# sh ip int bri
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES NVRAM administratively down down
FastEthernet0/0/1 unassigned YES unset administratively down down
FastEthernet0/0/2 unassigned YES unset administratively down down
FastEthernet0/0/3 unassigned YES unset administratively down down
FastEthernet0/0/4 unassigned YES unset down down
GigabitEthernet0/0/5 unassigned YES unset administratively down down
GigabitEthernet0/0/6 unassigned YES unset down down
Cellular0/1/0 unassigned YES NVRAM administratively down down
Cellular0/1/1 unassigned YES NVRAM administratively down down
Async0/2/0 unassigned YES unset up up
Async0/3/0 unassigned YES unset up ip
Async0/4/0 unassigned YES unset administratively down down
Async0/3/1 unassigned YES unset administratively down down
Async0/4/1 unassigned YES unset administratively down down
Async0/3/2 unassigned YES unset administratively down down
Async0/4/2 unassigned YES unset administratively down down
Async0/3/3 unassigned YES unset administratively down down
Async0/4/3 unassigned YES unset administratively down down
Vlan1 unassigned YES unset up down
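To turn the numbering rules above into a repeatable check, here is an added Python example (my own code, not from the Cisco guide) that parses show ip interface brief output, maps each Async and Ethernet interface to the module position the guide assigns to that slot (0/3/x on the Expansion side, 0/4/x on the Compute side, Gi0/0/5 and Gi0/0/6 for the IRM-1100-4A2T Layer 2 ports), and lists which serial ports are actually up. The sample output is constructed for the example with made-up statuses; run it on real output to confirm that only the serial ports you intend to expose are enabled.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "show ip interface brief" layout shown on the page.
# Interface names follow the page's numbering; statuses are made up for the example.
SAMPLE_SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   unassigned      YES NVRAM  administratively down down
FastEthernet0/0/1      unassigned      YES unset  administratively down down
GigabitEthernet0/0/5   unassigned      YES unset  administratively down down
GigabitEthernet0/0/6   unassigned      YES unset  down                  down
Cellular0/1/0          unassigned      YES NVRAM  administratively down down
Async0/2/0             unassigned      YES unset  up                    up
Async0/3/0             unassigned      YES unset  up                    up
Async0/4/0             unassigned      YES unset  administratively down down
Async0/3/1             unassigned      YES unset  administratively down down
Async0/4/3             unassigned      YES unset  up                    up
Vlan1                  unassigned      YES unset  up                    down
"""

# One row of the table; "administratively down" must be tried before "down".
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>\S+)\s*$"
)


@dataclass
class Port:
    name: str
    kind: str       # 'async', 'ethernet', 'cellular' or 'other'
    slot: str       # e.g. '0/3'
    location: str   # physical position the guide's numbering assigns to this slot
    status: str
    protocol: str


def locate(name):
    """Map an interface name to the module position described in the guide."""
    m = re.match(r"^(?P<type>[A-Za-z]+)(?P<a>\d+)/(?P<b>\d+)/(?P<c>\d+)$", name)
    if not m:
        return "other", "", "n/a"
    itype, c = m.group("type"), m.group("c")
    slot = f"{m.group('a')}/{m.group('b')}"
    if itype == "Async":
        if slot == "0/2" and c == "0":
            return "async", slot, "base IR1101 async port"
        if slot == "0/2" and c == "1":
            return "async", slot, "base IR1101 out-of-band management port"
        if slot == "0/3":
            return "async", slot, "IRM-1100-4A2T on Expansion (top) side"
        if slot == "0/4":
            return "async", slot, "IRM-1100-4A2T on Compute (bottom) side"
        return "async", slot, "unknown slot"
    if itype.endswith("Ethernet"):
        if slot == "0/0" and c in ("5", "6"):
            return "ethernet", slot, "IRM-1100-4A2T Layer 2 port on Expansion side"
        return "ethernet", slot, "base IR1101"
    if itype == "Cellular":
        return "cellular", slot, "LTE module"
    return "other", slot, "n/a"


def parse_show_ip_int_brief(text):
    """Parse table rows into Port records; the header and anything unparsable is skipped."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, slot, where = locate(m.group("name"))
        ports.append(Port(m.group("name"), kind, slot, where,
                          m.group("status"), m.group("proto")))
    return ports


def active_serial_ports(ports):
    """Async ports whose line status is up: the serial ports that are actually live."""
    return [p.name for p in ports if p.kind == "async" and p.status == "up"]


def expansion_summary(ports):
    """Async ports seen per slot, to compare with what show inventory says is fitted."""
    summary = {}
    for p in ports:
        if p.kind == "async":
            summary[p.slot] = summary.get(p.slot, 0) + 1
    return summary


if __name__ == "__main__":
    found = parse_show_ip_int_brief(SAMPLE_SHOW_IP_INT_BRIEF)
    for p in found:
        print(f"{p.name:22} {p.status:22} {p.location}")
    print("live serial ports:", active_serial_ports(found))
    print("async ports per slot:", expansion_summary(found))
```

A slot count that disagrees with the show inventory output is worth a second look: it usually means a module is fitted on a side where part of its functionality is disabled, as the scenarios above describe.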
LEDs
There are two LEDs on the front associated with the two Ethernet ports (5 and 6). See the following figure:
Color/State Description
Off No link
GigabitEthernet0/0/0 LED : On
FastEthernet0/0/1 LED : On
FastEthernet0/0/2 LED : Off
FastEthernet0/0/3 LED : Off
FastEthernet0/0/4 LED : Off
GigabitEthernet0/0/5 LED : On
GigabitEthernet0/0/6 LED : Off
*Cellular 0/1*
LTE module Enable LED : Green
LTE module SIM 0 LED : Off
LTE module SIM 1 LED : Off
LTE module GPS LED : Off
LTE module RSSI 0 LED : Off
LTE module RSSI 1 LED : Off
LTE module RSSI 2 LED : Off
LTE module RSSI 3 LED : Off
Async Ports
IOS-XE release 17.7.1 software provides support for an additional module (IRM-1100-4A2T) that has 4 Async
ports and 2 gigabit ethernet interfaces. The software enumerates the interface numbers depending on which
side of the Base IR1101 the expansion module is attached to.
The base router (IR1101) async port is async 0/2/0, with the out-of-band management port being async 0/2/1.
When the IRM-1100-4A2T is mounted on the Expansion side, or top, the async ports are numbered as:
• async 0/3/0 (corresponding line is: line 0/3/0)
• async 0/3/1 (corresponding line is: line 0/3/1)
• async 0/3/2 (corresponding line is: line 0/3/2)
• async 0/3/3 (corresponding line is: line 0/3/3)
When the IRM-1100-4A2T is mounted on the Compute side, or bottom, the async ports are numbered as:
• async 0/4/0 (corresponding line is: line 0/4/0)
• async 0/4/1 (corresponding line is: line 0/4/1)
• async 0/4/2 (corresponding line is: line 0/4/2)
• async 0/4/3 (corresponding line is: line 0/4/3)
All ports follow the RS232 signal standard, with a max baud rate of 115Kbps supported. The following table
shows pinouts for the four ports:
Pinout table fragment (pin 4): Signal Ground (no RS485 full-duplex or half-duplex assignment).
Default Configuration
The default configuration for all ports of the serial expansion module is RS232.
Router#sh run int Async0/3/0
Building configuration...
interface Async0/3/0
no ip address
encapsulation scada
shutdown
media-type rs232
Building configuration...
Note Based on the above output, all the Async ports 0/3/0 to 0/3/3 are configured with default media-type
RS232.
Note Based on the above output, Async port 0/4/2 is configured with RS485 Half-duplex, and remaining ports
Async0/4/0,0/4/1 and 0/4/3 are configured with default media-type RS232.
Note Based on the above output, Async port 0/3/3 is configured with RS485 Full-duplex, and the remaining
ports Asyn0/3/0, Async0/3/1 and Async0/3/2 are configured with default media-type RS232.
Debug Commands
There is a debug command available for troubleshooting the GPIO configuration:
Router# debug condition interface <ASYNC_INTERFACE_SLOT> event
Note This command is not supported for the Async 0/2/0 interface.
T101/T104
Figure 96: T101/T104 Configuration Example
DNP3 IP/Serial
Figure 97: DNP3 IP/Serial Configuration Example
Serial Relay
Serial relay is supported on all of the Async ports of the IRM-1100-4A2T, and lines can be mapped in any order.
Each Async interface that is mapped must have "encapsulation relay-line" configured on the interface. For example:
• relay line 0/0/0 0/2/0
• relay line 0/0/1 0/3/2
Refer to the Serial Relay Service chapter in the IR1101 Configuration Guide for additional detail.
Step 2 Double click on the interface you want to edit. The Edit Interface <Interface Number> window appears.
The Async0/2/0 interface on the base IR1101 supports media-type RS232 by default. You cannot change any media-type
associated with this interface.
If needed, you can change the encapsulation for the Async0/2/0 interface and the associated line interface. Select any
value from the drop-down list that is supported for the Async interface on the IR1101.
Step 4 Perform the same steps to navigate to the Edit Interface window to configure the Async ports on the IRM-1100-4A2T.
For example, edit the Async0/3/3 interface:
The ports on the IRM-1100-4A2T can have the media type changed from the drop-down box. If RS485 is selected, you
can select either full or half duplex.
Figure 103: Edit Interface Async0/3/3 (Encapsulation Tab)
Step 5 When satisfied with your selections, click on Update & Apply to Device.
Explanation: The process lifecycle notification component failed, preventing proper detection of a process start and stop. This problem is likely the result of a software defect in the software subpackage.
Recommended Action: Note the time of the message and investigate the kernel error message logs to learn more about the problem and see if it is correctable. If the problem cannot be corrected or the logs are not helpful, copy the error message exactly as it appears on the console along with the output of the show tech-support command and provide the gathered information to a Cisco technical support representative.

Error Message: %PMAN-0-PROCFAILCRIT A critical process [chars] has failed (rc [dec])
Explanation: A process important to the functioning of the router has failed.
Recommended Action: Note the time of the message and investigate the error message logs to learn more about the problem. If the problem persists, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at: http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Search Tool at: http://www.cisco.com/cisco/psn/bssprt/bss. If you still require assistance, open a case with the Technical Assistance Center at: http://tools.cisco.com/ServiceRequestTool/create/, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.

Error Message: %PMAN-3-PROCFAILOPT An optional process [chars] has failed (rc [dec])
Explanation: A process that does not affect the forwarding of traffic has failed.
Recommended Action: Note the time of the message and investigate the kernel error message logs to learn more about the problem. Although traffic will still be forwarded after receiving this message, certain functions on the router may be disabled because of this message and the error should be investigated. If the logs are not helpful or indicate a problem you cannot correct, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Search Tool at: http://www.cisco.com/cisco/psn/bssprt/bss. If you still require assistance, open a case with the Technical Assistance Center at: http://tools.cisco.com/ServiceRequestTool/create/, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.

Error Message: %PMAN-3-PROCFAIL The process [chars] has failed (rc [dec])
Explanation: The process has failed as the result of an error.
Recommended Action: This message will appear with other messages related to the process. Check the other messages to determine the reason for the failures and see if corrective action can be taken. If the problem persists, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at: http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Search Tool at: http://www.cisco.com/cisco/psn/bssprt/bss. If you still require assistance, open a case with the Technical Assistance Center at: http://tools.cisco.com/ServiceRequestTool/create/, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.

Error Message: %PMAN-3-PROCFAIL_IGNORE [chars] process exits and failures are being ignored due to debug settings. Normal router functionality will be affected. Critical router functions like RP switchover, router reload, FRU resets, etc. may not function properly.
Explanation: A process failure is being ignored due to the user-configured debug settings.
Recommended Action: If this behavior is desired and the debug settings are set according to a user's preference, no action is needed. If the appearance of this message is viewed as a problem, change the debug settings. The router is not expected to behave normally with this debug setting. Functionalities such as SSO switchover, router reloads, FRU resets, and so on will be affected. This setting should only be used in a debug scenario. It is not normal to run the router with this setting.

Error Message: %PMAN-3-PROCHOLDDOWN The process [chars] has been helddown (rc [dec])
Explanation: The process was restarted too many times with repeated failures and has been placed in the hold-down state.
Recommended Action: This message will appear with other messages related to the process. Check the other messages to determine the reason for the failures and see if corrective action can be taken. If the problem persists, copy the message exactly as it appears on the console or in the system log. Research and attempt to resolve the issue using the tools and utilities provided at: http://www.cisco.com/tac. With some messages, these tools and utilities will supply clarifying information. Search for resolved software issues using the Bug Search Tool at: http://www.cisco.com/cisco/psn/bssprt/bss. If you still require assistance, open a case with the Technical Assistance Center at: http://tools.cisco.com/ServiceRequestTool/create/, or contact your Cisco technical support representative and provide the representative with the information you have gathered. Attach the following information to your case in nonzipped, plain-text (.txt) format: the output of the show logging and show tech-support commands and your pertinent troubleshooting logs.

Explanation: The route processor is being reloaded because there is no ready standby instance.
Recommended Action: Ensure that the reload is not due to an error condition.

Explanation: The RP is being reloaded.
Recommended Action: Ensure that the reload is not due to an error condition. If it is due to an error condition, collect information requested by the other log messages.

Explanation: The system is being reloaded.
Recommended Action: Ensure that the reload is not due to an error condition. If it is due to an error condition, collect information requested by the other log messages.

Explanation: The executable file used for the process is bad or has a permission problem.
Recommended Action: Ensure that the named executable is replaced with the correct executable.

Explanation: The executable file used for the process is missing, or a dependent library is bad.
Recommended Action: Ensure that the named executable is present and the dependent libraries are good.

Explanation: The executable file used for the process is empty.
Recommended Action: Ensure that the named executable is non-zero in size.

Explanation: The process manager is exiting.
Recommended Action: Ensure that the process manager is not exiting due to an error condition. If it is due to an error condition, collect information requested by the other log messages.

Explanation: The process has gracefully shut down.
Recommended Action: No user action is necessary. This message is provided for informational purposes only.

Explanation: The process has launched and is operating properly.
Recommended Action: No user action is necessary. This message is provided for informational purposes only.

Explanation: The process has requested a stateless restart.
Recommended Action: No user action is necessary. This message is provided for informational purposes only.
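The PMAN messages above are what a log pipeline sees when a platform process dies, is held down, or has its failures masked by debug settings. As an added example (my own code, not from the Cisco guide), the following Python parses %PMAN-severity-mnemonic lines, pulls out the process name and return code, attaches the recommended-action class from the table, and summarises what an operator should react to. The syslog lines are constructed for the example: timestamps, process names and rc values are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines in the %PMAN-<severity>-<mnemonic> form documented
# above. Timestamps, process names and rc values are invented for the example.
SAMPLE_SYSLOG = """\
*Jun 19 20:43:07.123: %PMAN-3-PROCFAIL: The process cpp_cp_svr has failed (rc 139)
*Jun 19 20:43:09.001: %PMAN-3-PROCHOLDDOWN: The process cpp_cp_svr has been helddown (rc 139)
*Jun 19 20:45:00.500: %PMAN-3-PROCFAIL_IGNORE: cpp_cp_svr process exits and failures are being ignored due to debug settings.
*Jun 19 20:46:12.000: %PMAN-0-PROCFAILCRIT: A critical process linux_iosd-image has failed (rc 11)
*Jun 19 20:47:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

PMAN_RE = re.compile(r"%PMAN-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$")
# Two phrasings appear in the table: "... process <name> has ..." and "<name> process exits ..."
PROC_RE = re.compile(r"process (?P<name>\S+) has|^(?P<name2>\S+) process exits")
RC_RE = re.compile(r"\(rc (?P<rc>\d+)\)")

# Action classes condensed from the Recommended Action column above.
ACTIONS = {
    "PROCFAILCRIT": "critical process failed: collect show logging and show tech-support, escalate",
    "PROCFAILOPT": "optional process failed: traffic still forwards, some functions may be off; check logs",
    "PROCFAIL": "process failed: correlate with the adjacent messages for the cause",
    "PROCHOLDDOWN": "process restarted too often and is held down: treat that process as down",
    "PROCFAIL_IGNORE": "failures masked by debug settings: not a normal operating state, confirm it is intended",
}


@dataclass
class PmanEvent:
    severity: int
    mnemonic: str
    process: str
    rc: Optional[int]
    action: str


def parse_pman(line):
    """Return a PmanEvent for a %PMAN line, or None for any other syslog line."""
    m = PMAN_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    pm = PROC_RE.search(text)
    process = (pm.group("name") or pm.group("name2")) if pm else "?"
    rm = RC_RE.search(text)
    rc = int(rm.group("rc")) if rm else None
    mnemonic = m.group("mnemonic")
    action = ACTIONS.get(mnemonic, "mnemonic not in the table above; consult the message reference")
    return PmanEvent(int(m.group("sev")), mnemonic, process, rc, action)


def triage(log_text):
    """Summarise which processes failed, which are held down, and whether failures are masked."""
    events = [e for e in map(parse_pman, log_text.splitlines()) if e is not None]
    return {
        "events": len(events),
        "held_down": sorted({e.process for e in events if e.mnemonic == "PROCHOLDDOWN"}),
        "critical": sorted({e.process for e in events if e.severity == 0}),
        "failures_masked_by_debug": any(e.mnemonic == "PROCFAIL_IGNORE" for e in events),
    }


if __name__ == "__main__":
    for raw in SAMPLE_SYSLOG.splitlines():
        ev = parse_pman(raw)
        if ev:
            print(f"sev {ev.severity} {ev.mnemonic:16} {ev.process:18} rc={ev.rc} -> {ev.action}")
    print(triage(SAMPLE_SYSLOG))
```

The PROCFAIL_IGNORE case is the one to alert on unconditionally: the table says the router is not expected to behave normally in that state, so its appearance outside a planned debug session should be treated as an unexpected configuration change.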
Environmental Monitoring
The router provides a robust environment-monitoring system with several sensors that monitor the system
temperatures. The following are some of the key functions of the environmental monitoring system:
• Monitoring temperature of CPUs and Motherboard
• Recording abnormal events and generating notifications
• Monitoring Simple Network Management Protocol (SNMP) traps
• Generating and collecting Onboard Failure Logging (OBFL) data
• Sending call home event notifications
• Logging system error messages
• Displaying present settings and status
The following table displays the levels of status conditions used by the environmental monitoring system.
Table 19: Levels of Status Conditions Used by the Environmental Monitoring System
Warning: The system has exceeded a specified threshold. The system continues to operate, but operator action is recommended to bring the system back to a normal state.
The environmental monitoring system sends system messages to the console, for example, when the conditions
described here are met:
These commands show the current values of parameters such as temperature and voltage.
The environmental monitoring system updates the values of these parameters every 60 seconds. Brief examples
of these commands are shown below:
Router#
Router#
Slot: 0, IR1101-K9
Running state : ok
Internal state : online
Internal operational state : ok
Physical insert detect time : 00:00:25 (5d02h ago)
Software declared up time : 00:01:07 (5d02h ago)
CPLD version :
Firmware version : 1.3
Router#
Router#
EEPROM version : 4
Compatible Type : 0xFF
Controller Type : 3457
Hardware Revision : 0.2
PCB Part Number : 73-18820-03
Board Revision : 02
Deviation Number : 0
Fab Version : 02
PCB Serial Number : FOC22106KKH
Top Assy. Part Number : 68-6479-03
Top Assy. Revision : 04
Chassis Serial Number : FCW2213TH07
Deviation Number : 0
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product Identifier (PID) : IR1101-K9
Version Identifier (VID) : V00
CLEI Code : UNASSIGNED
Manufacturing Test Data : 00 00 00 00 00 00 00 00
Field Diagnostics Data : 00 00 00 00 00 00 00 00
Chassis MAC Address : 682c.7b4d.7880
MAC Address block size : 128
Asset ID :
Asset Alias :
PCB Part Number : 73-18821-03
Board Revision : 03
Deviation Number : 0
Fab Version : 02
PCB Serial Number : FOC22106KHD
PCB Part Number : 73-19117-02
Board Revision : 02
Deviation Number : 0
Fab Version : 01
PCB Serial Number : FOC22106KJ9
Asset ID :
Router#
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
network-advantage Smart License network-advantage
cisco IR1101-K9 (ARM64) processor (revision 1.2 GHz) with 711867K/6147K bytes of memory.
Processor board ID FCW2150TH0F
1 Virtual Ethernet interface
4 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Serial interface
1 terminal line
32768K bytes of non-volatile configuration memory.
4038072K bytes of physical memory.
3110864K bytes of Bootflash at bootflash:.
0K bytes of WebUI ODM Files at webui:.
30670832K bytes of USB Flash at usbflash0:.
Router#
Additional References
The following sections provide references related to the power efficiency management feature.
MIBs
MIB: CISCO-ENTITY-FRU-CONTROL-MIB
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use the Cisco MIB Locator at: http://www.cisco.com/go/mibs.
Technical Assistance
Description Link
Application Hosting
A hosted application is a software as a service solution, and it can be run remotely using commands. Application
hosting gives administrators a platform for leveraging their own tools and utilities.
This module describes the Application Hosting feature and how to enable it.
IOx Overview
IOx is a Cisco-developed end-to-end application framework that provides application hosting capabilities for
different application types on Cisco network platforms.
IOx architecture for the IR1101 is different compared to other Cisco platforms that use the hypervisor approach.
In other platforms, IOx runs as a virtual machine. IOx is running as a process on the IR1101.
IOXMAN
IOXMAN is a process that establishes a tracing infrastructure to provide logging or tracing services for guest
applications (except Libvirt, which emulates serial devices). IOXMAN follows the lifecycle of the guest
application to enable and disable the tracing service, send logging data to IOS syslog, save tracing data
to the IOx tracelog, and maintain the IOx tracelog for each guest application.
Note The IR1101 CPU is not based on the x86 architecture like other routers. Therefore, the
application must comply with the ARM 64-bit architecture.
Application hosting can be achieved using the app-hosting CLI commands, as well as through the Local Manager and Fog
Director.
The command no ip http server turns off the plaintext HTTP web server. The next command, ip http
secure-server, turns on HTTPS mode.
If you include only OPENRESTY_PKI and NG_WEBUI, then only the IOx Local Manager modules are enabled;
all users can then access only the IOx Local Manager, at https://IR1101-IP-ADDRESS/iox/login, and only if they
have privilege 15.
For all users, WebUI access at https://IR1101-IP-ADDRESS is disabled.
Note This method disables the main web page https://IR1101-IP-ADDRESS for all users and enables
only https://IR1101-IP-ADDRESS/iox/login for all users. Use this method if you do not use the IR1101
main router WebUI for general administration and configuration.
VirtualPortGroup
The VirtualPortGroup is a software construct on Cisco IOS that maps to a Linux bridge IP address. As such,
the VirtualPortGroup represents the switch virtual interface (SVI) of the Linux container. Each bridge can
contain multiple interfaces; each mapping to a different container. Each container can also have multiple
interfaces.
VirtualPortGroup interfaces are configured by using the interface virtualportgroup command. Once these
interfaces are created, IP address and other resources are allocated.
The VirtualPortGroup interface connects the application hosting network to the IOS routing domain. The
Layer 3 interface of the application receives routed traffic from IOS. The VirtualPortGroup interface connects
through the SVC Bridge to the container/application interface.
The following graphic helps to understand the relationship between the VirtualPortGroup and other interfaces,
as it is different from the IR8x9 routers.
vNIC
For container life cycle management, the Layer 3 routing model that supports one container per internal
logical interface is used. This means that a virtual Ethernet pair is created for each application; one interface
of this pair, called the vNIC, is part of the application container, and the other interface, called vpgX, is part of
the host system.
The vNIC is the standard Ethernet interface inside the container that connects to the platform dataplane for
sending and receiving packets. IOx is responsible for the gateway (VirtualPortGroup interface), IP address,
and unique MAC address assignment for each vNIC in the container.
The vNICs inside the container/application are treated as standard Ethernet interfaces.
Note In the steps that follow, IP HTTP commands do not enable IOX, but allow the user to access the WebUI
to connect the IOX Local Manager.
DETAILED STEPS
1. enable
Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device>enable
3. iox
Enables IOx.
Example:
Device(config)#iox
7. end
Exits interface configuration mode and returns to privileged EXEC mode.
Example:
Device(config-if)#end
DETAILED STEPS
Device>enable
Device#configure terminal
Device(config)#interface gigabitethernet 0/0/0
Device(config-if)#ip address 10.1.1.1 255.255.255.0
Device(config)#interface virtualportgroup 0
Device(config-if)#ip address 192.168.0.1 255.255.255.0
Device#configure terminal
Device(config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0
Device(config-app-hosting-gateway0)#guest-ipaddress 192.168.0.2 netmask 255.255.255.0
Device(config-app-hosting-gateway0)#app-default-gateway 192.168.0.1 guest-interface 0
Device>enable
Device#app-hosting deactivate appid app1
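The HTTP/HTTPS paragraph earlier and the VirtualPortGroup and app-vnic steps above are the two places where a slip leaves either the management plane or the container network in a state the guide warns against. As an added example (my own code, not Cisco's), the following Python audits a running-config excerpt for both: the web server must be HTTPS-only when IOx is enabled, and each app-vnic's guest address and default gateway must fall inside the VirtualPortGroup subnet it is attached to. The sample configuration is constructed from the commands shown above, with ip http server deliberately left on so the audit has something to flag; the finding texts are my own wording.

```python
import ipaddress
import re

# Constructed running-config excerpt assembled from the commands in the steps above.
# "ip http server" is deliberately left enabled so the audit has something to report.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
iox
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0
interface VirtualPortGroup0
 ip address 192.168.0.1 255.255.255.0
app-hosting appid app1
 app-vnic gateway0 virtualportgroup 0 guest-interface 0
  guest-ipaddress 192.168.0.2 netmask 255.255.255.0
 app-default-gateway 192.168.0.1 guest-interface 0
"""

# The same excerpt with the plaintext web server turned off, as the guide instructs.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("ip http server\n", "no ip http server\n", 1)


def parse_config(text):
    """Collect only the statements this audit reasons about; everything else is ignored."""
    cfg = {"http_server": False, "http_secure_server": False, "iox": False,
           "vpg": {}, "apps": {}}
    ctx = None        # ("vpg", number) or ("app", appid) while inside that block
    cur_vnic = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):          # top-level statement ends any block
            ctx, cur_vnic = None, None
            if line == "ip http server":
                cfg["http_server"] = True
            elif line == "no ip http server":
                cfg["http_server"] = False
            elif line == "ip http secure-server":
                cfg["http_secure_server"] = True
            elif line == "iox":
                cfg["iox"] = True
            elif (m := re.match(r"interface VirtualPortGroup(\d+)$", line)):
                ctx = ("vpg", int(m.group(1)))
            elif (m := re.match(r"app-hosting appid (\S+)$", line)):
                ctx = ("app", m.group(1))
                cfg["apps"].setdefault(m.group(1), {"vnics": {}, "gateway": None})
            continue
        s = line.strip()
        if ctx is None:
            continue
        if ctx[0] == "vpg":
            if (m := re.match(r"ip address (\S+) (\S+)$", s)):
                cfg["vpg"][ctx[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        else:
            app = cfg["apps"][ctx[1]]
            if (m := re.match(r"app-vnic (\S+) virtualportgroup (\d+) guest-interface (\d+)$", s)):
                cur_vnic = m.group(1)
                app["vnics"][cur_vnic] = {"vpg": int(m.group(2)), "ip": None}
            elif (m := re.match(r"guest-ipaddress (\S+) netmask (\S+)$", s)) and cur_vnic:
                app["vnics"][cur_vnic]["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif (m := re.match(r"app-default-gateway (\S+) guest-interface (\d+)$", s)):
                app["gateway"] = ipaddress.ip_address(m.group(1))
    return cfg


def audit(cfg):
    """Return findings; an empty list means the checked settings match the guide's intent."""
    findings = []
    if cfg["http_server"]:
        findings.append("plaintext 'ip http server' is enabled; use 'no ip http server'")
    if cfg["iox"] and not cfg["http_secure_server"]:
        findings.append("iox enabled without 'ip http secure-server'; Local Manager needs HTTPS")
    vpg_addrs = {i.ip for i in cfg["vpg"].values()}
    for name, app in cfg["apps"].items():
        for vnic, v in app["vnics"].items():
            vpg = cfg["vpg"].get(v["vpg"])
            if vpg is None:
                findings.append(f"{name}/{vnic}: VirtualPortGroup{v['vpg']} has no IP address")
            elif v["ip"] is not None and v["ip"].ip not in vpg.network:
                findings.append(f"{name}/{vnic}: guest {v['ip'].ip} is outside {vpg.network}")
        if app["gateway"] is not None and app["gateway"] not in vpg_addrs:
            findings.append(f"{name}: app-default-gateway {app['gateway']} is not a VirtualPortGroup address")
    return findings


if __name__ == "__main__":
    print("as shown:", audit(parse_config(SAMPLE_CONFIG)))
    print("hardened:", audit(parse_config(HARDENED_CONFIG)))
```

The parser deliberately keys on exact command strings rather than prefixes so that ip http secure-server cannot be mistaken for ip http server; a looser match would report the hardened configuration as still exposing HTTP.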
DETAILED STEPS
Device>enable
Device#configure terminal
Device(config-app-resource-profile-custom)#memory 512
Device(config-app-resource-profile-custom)#vcpu 2
Device>enable
2. show iox-service
Displays the status of all IOx services.
Example:
Network interfaces
---------------------------------------
eth0:
MAC address : 52:54:dd:fa:25:ee
Data Paths
On the IR1101, IOS-XE has complete control over the data path and control path of the Async serial port.
This is essential to the other encapsulations supported on the Async port, such as PPP, raw-socket and SCADA.
The IOx app is never allowed to exercise full control over the device; all data and configuration are
passed through IOS-XE before reaching the device. Instead of exposing the actual serial port to IOx apps, the
Serial relay service creates a software-emulated serial tty device enumerated as /dev/ttyTun0 (shown below).
The pair of devices /dev/ttyTun0 and /dev/ttyTun1 represents a data tunnel whose primary function is to act
as a pass-through gateway during any data transfer. /dev/ttyTun1 is opened by IOS-XE, and all ingress/egress
data between IOS and the app uses this device during data transfer. Line 0/0/0 is used to communicate with
/dev/ttyTun1. The Serial relay service must be configured beforehand to allow the connection between the two lines.
Data Path:
1. When the IOx app sends a character to /dev/ttyTun0, the tunnel driver automatically pushes the data to
/dev/ttyTun1.
2. IOS reads the data which it then passes to the Serial relay service.
3. The Serial relay service retrieves information about the other end of the relay service (Line 0/2/0 in this
case) and forwards the data to the Line's buffer.
4. The line driver actively pushes the data into the actual serial device (/dev/ttyS1) based on buffer availability.
5. The reverse path functions the same way, with the roles of /dev/ttyS1 and /dev/ttyTun0 reversed.
Control Path:
1. When the IOx app performs TCGETS ioctl call on /dev/ttyTun0, the tunnel driver uses /dev/cttyTun to
send request to the CTTY handler service running in IOS.
2. CTTY handler service and the kernel driver use a client-server architecture to communicate configuration
objects.
3. Upon receiving the request about TCGETS from /dev/cttyTun, the CTTY handler examines the request
and requests Line driver to populate the required data into control data structures.
4. Upon receiving the control data structures, CTTY handler sends out a response to /dev/cttyTun which
eventually goes back to /dev/ttyTun0.
5. /dev/ttyTun0 passes the control data to IOx app as requested.
6. A similar path applies for TCSETS, where the CTTY handler requests the Line driver to update
the settings of the underlying /dev/ttyS1 driver.
7. The Line driver of Line 0/2/0 and the driver configuration on /dev/ttyTun0 are always in sync with each other. Any
configuration change, such as a baud rate modification, is transparently propagated to the Line driver without
any additional configuration overhead. This emulates the propagation feature of Serial relay on the IR800
series, where the virtual serial port can configure the parameters of the real serial port.
Configuration Commands
IR1101#configure terminal
IR1101(config)#interface async 0/2/0
IR1101(config-if)#encapsulation relay-line
IR1101(config-if)#exit
IR1101(config)#relay line 0/2/0 0/0/0
IR1101(config)#exit
IR1101#
While Cisco SD-WAN is a cloud-first architecture, some of the components can be deployed on-premises.
Refer to the Cisco SD-WAN landing page for further information on the capabilities of SD-WAN.
Starting with IOS XE release 17.3.2, the IOS XE image can be configured as controller mode to run SD-WAN.
A single universalk9 image is used to deploy Cisco IOS XE SD-WAN and Cisco IOS XE functionality. This
universalk9 image supports two modes - Autonomous mode (for Cisco IOS XE features) and Controller mode
(for Cisco SD-WAN features).
Access the Cisco IOS XE and Cisco IOS XE SD-WAN functionality through Autonomous and Controller
execution modes, respectively. The Autonomous mode is the default mode for the router and includes the
Cisco IOS XE functionality. To access Cisco IOS XE SD-WAN functionality, switch to the Controller mode.
You can use the existing Plug and Play Workflow to determine the mode of the device.
See the Cisco SD-WAN Getting Started Guide for further information.
Related Documentation
Cisco SDWAN documentation is available from the following sources:
https://www.cisco.com/c/en/us/support/routers/sd-wan/tsd-products-support-series-home.html
https://sdwan-docs.cisco.com/Product_Documentation/Software_Features
All of the technical documentation for Cisco SD-WAN can be found here:
https://www.cisco.com/c/en/us/support/routers/sd-wan/tsd-products-support-series-home.html
need to use ROM Monitor mode. When the maintenance in ROM Monitor mode is complete, you change the
configuration register so the router reboots with the Cisco IOS XE software.
Note TFTP access variables are currently not supported on the IR1101 platform.
Router#show rom-monitor r0
System Bootstrap, Version 1.2, RELEASE SOFTWARE
Copyright (c) 1994-2018 by cisco Systems, Inc.
LICENSE_BOOT_LEVEL =
BOOT = bootflash:ir1101_crashkernel.bin,1;
CRASHINFO = bootflash:crashinfo_RP_00_00_20180619-204307-UTC
RET_2_RCALTS =
BSI = 0
RANDOM_NUM = 1662155698
Router# reload
If your configuration register is set to hex value 0x0 or 0x1820, the reload operation brings you to the
ROMmon command prompt (rommon 1>). Invoking the set command at the prompt (rommon 1> set)
displays the same information as "show romvar" above in IOS XE exec mode.
boot image -o config-file-path: Manually boots the Cisco IOS XE software with a temporary alternative administration configuration file.
Examples
The following example shows what appears when you enter the ? command on a router:
rommon 1 > ?
alias set and display aliases command
boot boot up an external process
confreg configuration register utility
dev list the device table
dir list files in file system
help monitor builtin command help
history monitor command history
meminfo main memory information
repeat repeat a monitor command
reset system reset
set display the monitor variables
showmon display currently selected ROM monitor
sync write monitor environment to NVRAM
token display board's unique token identifier
unalias unset an alias
unset unset a monitor variable
Changing the prompt is useful if you are working with multiple routers in ROM Monitor at the same time.
This example specifies that the prompt should be “IR1101 rommon ”, followed by the line number and then
by “ > ”.
The configuration register setting is labeled Virtual Configuration Register. Enter the no command to avoid
changing the configuration register setting.
IP_ADDRESS=10.0.0.2
Under normal operating conditions, you do not need to modify these variables. They are cleared or set only
when you need to make changes to the way ROM Monitor operates.
BOOT=path/file: Identifies the boot software for a node. This variable is usually set automatically
when the router boots.
Note Environmental values that are not saved with the sync command are discarded whenever the system is
reset or booted.
Procedure
Step 2 Respond to each prompt as instructed. See the example that follows this procedure for more
information.
Configuration Example
rommon 3 > confreg
Configuration Summary
(Virtual Configuration Register: 0x0)
enabled are:
[ 0 ] break/abort has effect
[ 1 ] console baud: 9600
boot: ...... the ROM Monitor
do you wish to change the configuration? y/n [n]: y
enable "diagnostic mode"? y/n [n]:
enable "use net in IP bcast address"? y/n [n]:
enable "load rom after netboot fails"? y/n [n]:
enable "use all zero broadcast"? y/n [n]:
disable "break/abort has effect"? y/n [n]:
enable "ignore system config info"? y/n [n]:
change console baud rate? y/n [n]:
change the boot characteristics? y/n [n]:
Configuration Summary
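The confreg utility above prints the register as a hex value and then walks through its fields one prompt at a time. The following is an added example, not Cisco code, that decodes such a value offline and produces the findings an operator auditing a deployed router would want (config bypass set, Break able to stop the boot, boot field pointing at ROM monitor). Only the classic IOS register fields with well-established bit positions are named; the console-speed bits and anything else are reported raw as undecoded bits. CONFREG_SUMMARY is the summary text from this guide, embedded as sample input.

```python
"""Decode and audit a Cisco configuration register value.

Added example, not Cisco's code: it names only the classic IOS
configuration register fields whose bit positions are well established
and reports every other set bit raw (the console-speed bits, for instance,
are platform dependent and are left undecoded here).
"""
import re

BOOT_FIELD_MASK = 0x000F    # bits 0-3: boot field (0 = stay in ROM monitor)
IGNORE_CONFIG = 0x0040      # bit 6: ignore the startup configuration in NVRAM
BREAK_DISABLED = 0x0100     # bit 8: console Break cannot interrupt the boot
ROM_AFTER_NETBOOT = 0x2000  # bit 13: boot the ROM image if a network boot fails
DECODED_BITS = BOOT_FIELD_MASK | IGNORE_CONFIG | BREAK_DISABLED | ROM_AFTER_NETBOOT

# Sample input: the confreg summary printed in this guide.
CONFREG_SUMMARY = """\
Configuration Summary
(Virtual Configuration Register: 0x0)
enabled are:
[ 0 ] break/abort has effect
[ 1 ] console baud: 9600
boot: ...... the ROM Monitor
"""


def parse_confreg_summary(text):
    """Pull the register value out of the 'confreg' summary text."""
    m = re.search(r"Virtual Configuration Register:\s*(0x[0-9A-Fa-f]+)", text)
    if not m:
        raise ValueError("no Virtual Configuration Register line found")
    return int(m.group(1), 16)


def decode_confreg(value):
    """Split a 16-bit configuration register into named fields."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & BOOT_FIELD_MASK
    return {
        "value": value,
        "boot_field": boot_field,
        "boots_to_rommon": boot_field == 0,
        "ignore_startup_config": bool(value & IGNORE_CONFIG),
        "break_has_effect": not (value & BREAK_DISABLED),
        "rom_after_netboot_fails": bool(value & ROM_AFTER_NETBOOT),
        "undecoded_bits": value & ~DECODED_BITS & 0xFFFF,
    }


def audit_confreg(value, expect_rommon=False):
    """Findings worth reviewing for a register read from a deployed router."""
    d = decode_confreg(value)
    findings = []
    if d["ignore_startup_config"]:
        findings.append("bit 0x40 set: startup configuration is ignored at boot")
    if d["break_has_effect"]:
        findings.append("bit 0x100 clear: console Break can stop the boot in ROM monitor")
    if d["boots_to_rommon"] and not expect_rommon:
        findings.append("boot field is 0: the next reload stops in ROM monitor")
    return findings


if __name__ == "__main__":
    reg = parse_confreg_summary(CONFREG_SUMMARY)
    print(hex(reg), decode_confreg(reg))
    for finding in audit_confreg(reg):
        print("finding:", finding)
```

Run against the guide's own summary (0x0) the audit reports that Break has effect and that the next reload stops in ROM monitor, which is exactly what the maintenance procedure above relies on; the same check on a production router should come back empty.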
Procedure
You enable WANMon to monitor your WAN links and initiate link recovery actions on receipt of link failure
triggers.
Each level has two time-based thresholds based on which built-in recovery actions are taken. The following
are the default settings for each level:
• threshold is the wait time in minutes after receipt of a link failure trigger to initiate the recovery action
as set in the specified level.
• mintime is the frequency to perform the recovery action if the link remains down.
Level 0: threshold 10 min, mintime 10 min. Triggers Level 0 actions 10 minutes after the link went down. Repeat no more
than every 10 minutes.
Level 1: threshold 60 min, mintime 60 min. Triggers Level 1 actions 10 minutes after the link went down. Repeat no more
than every 60 minutes.
Level 2: threshold 480 min, mintime 60 min. Triggers Level 2 actions 480 minutes after the link went down. Repeat no more
than every 60 minutes.
Note If threshold values are specified as 0, no recovery actions are taken for that level. You can use this to
avoid system reload (the built-in Level 2 recovery action) on receipt of a link failure trigger where other
WAN links may be operational.
Prerequisites
Ensure that the WANMon module is available. The WANMon module is included in the IOS-XE image as
the tm_wanmon.tcl policy file.
Configuring WANMon
You can enable WANMon on the router and assign WANMon support to specific interfaces. Optionally, you
can override the built-in recovery actions, define custom recovery links, define an event manager
environment policy to set the track object value, and disable IP address checking. WANMon is disabled by
default.
Procedure
Step 2 event manager environment wanmon_if_list <instance> {interface name {ipsla <instance>}}
Configures WANMon for the interfaces in your WAN, and indicates that this is an interface configuration
command.
Note Any environment variable with the prefix wanmon_if_list constitutes an interface configuration.
Multiple interfaces are allowed by specifying an instance. Be sure to specify the full interface name (for
example, cellular0/1/0 or cellular0/3/0). You can set the IP SLA icmp-echo trigger, if desired. Multiple IP
SLA triggers are allowed by specifying an instance.
Note WANMon only looks at the status of the SLA ID. Even though icmp-echo is most common, any other
type of SLA probe (for example, udp-echo) can be used instead if needed.
Step 3 event manager environment wanmon_if_listx {interface name {recovery Level0 {Level1 } Level2}}
(Optional) Overrides the built-in thresholds.
Step 4 publish-event sub-system 798 type 2000 arg1 <interface name> arg2 <level>
(Optional) Configures custom recovery actions using link resetter applets.
<interface name> is the full interface name (for example, cellular0/1/0 or cellular0/3/0).
<level> is 0, 1, or 2 to match the desired link recovery action.
Step 5 {stub <track-stub-id>}
(Optional) Allows an event manager environment policy to set the track object value. WANMon can set a
track-stub-object value to reflect the link state so that an external applet can track the stub object.
Step 6 event manager environment wanmon_if_listx {<interface name> {checkip <instance>}}
(Optional) Disables IP address checking.
What to do next
EXAMPLES
The following examples are Event Manager commands to configure cellular and Ethernet interfaces:
where:
• The Level 0 threshold is set to 20 minutes after the link failure trigger. Level 0 recovery actions are
performed for the cellular interface. Repeats indefinitely, no more than every 10 minutes (default).
• Level 1 threshold is set to 90 minutes. Level 1 recovery actions are performed for the cellular interface.
Repeats no more frequently than every 75 minutes.
• The Level 2 threshold is set to 600 minutes (10 hours).
conf t
track 21 stub-object
event manager environment wanmon_if_list {cellular0/1/0 {ipsla 1} {stub 21}}
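The threshold/mintime rules described above (wait threshold minutes after the link-failure trigger, then repeat the level's action no more often than every mintime minutes, with threshold 0 disabling the level and the built-in Level 2 action being a system reload) are easy to get wrong when planning an outage budget. The following is an added example, not Cisco's tm_wanmon.tcl policy, that models those rules as a minute-by-minute simulation so you can see exactly when each level fires for the defaults and for the custom thresholds in the configuration example above. CUSTOM_LEVELS takes Level 0 = 20/10, Level 1 = 90/75 and Level 2 = 600 from those bullets; the Level 2 mintime is not stated there, so the default of 60 is assumed.

```python
"""Model of WANMon threshold/mintime scheduling.

Added example, not Cisco's tm_wanmon.tcl policy. It reproduces the timing
rules the guide states: threshold = minutes after the link-failure trigger
before a level's recovery action runs; mintime = minimum minutes between
repeats of that action; threshold 0 disables the level; the built-in
Level 2 action is a system reload, modelled here as ending the outage.
"""

# (threshold_min, mintime_min) per level: the defaults from the guide.
DEFAULT_LEVELS = {0: (10, 10), 1: (60, 60), 2: (480, 60)}

# From the guide's configuration example bullets. The Level 2 mintime is
# not given there, so the default of 60 minutes is assumed.
CUSTOM_LEVELS = {0: (20, 10), 1: (90, 75), 2: (600, 60)}

RELOAD_LEVEL = 2  # built-in Level 2 recovery action is a system reload


def validate_levels(levels):
    """Reject level tables the guide's semantics cannot express."""
    for level, (threshold, mintime) in levels.items():
        if level not in (0, 1, 2):
            raise ValueError(f"unknown level {level}")
        if threshold < 0 or mintime <= 0:
            raise ValueError(f"bad threshold/mintime for level {level}")


def due_levels(levels, minutes_down, last_fired):
    """Levels whose action is due at 'minutes_down' minutes into the outage."""
    due = []
    for level in sorted(levels):
        threshold, mintime = levels[level]
        if threshold == 0 or minutes_down < threshold:
            continue                      # disabled, or threshold not yet reached
        last = last_fired.get(level)
        if last is None or minutes_down - last >= mintime:
            due.append(level)
    return due


def simulate_outage(levels, outage_minutes):
    """Return [(minute, level), ...] in firing order; stops when Level 2 reloads."""
    validate_levels(levels)
    last_fired = {}
    actions = []
    for minute in range(1, outage_minutes + 1):
        for level in due_levels(levels, minute, last_fired):
            actions.append((minute, level))
            last_fired[level] = minute
            if level == RELOAD_LEVEL:
                return actions            # router reloads; the outage timer restarts
    return actions


def summarize(actions):
    """Count of actions per level."""
    counts = {}
    for _, level in actions:
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for name, table in (("default", DEFAULT_LEVELS), ("custom", CUSTOM_LEVELS)):
        acts = simulate_outage(table, 600)
        print(name, summarize(acts), "last action:", acts[-1])
```

With the defaults a link that stays down for 600 minutes produces 48 Level 0 actions and 8 Level 1 actions before the reload at minute 480; setting the Level 2 threshold to 0, as the note above suggests when other WAN links may still be up, removes the reload and the simulation runs to the end of the outage.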
Procedure
Step 2 show event manager environment: Displays the interface environment variables set during
interface configuration.
What to do next
EXAMPLE
Configuration Examples
Overview
The router adds DSL capability by using a Small Form-factor Pluggable (SFP) network interface module.
The DSL solution supports the following Annexes:
ADSL2 (Annex A) and ADSL2+ (Annex A and J, where J is only supported by the 17.5.1 release). VDSL2 supports Annex A and B.
All are in compliance with TR100, TR105, TR114, TR115.
IOS-XE release 17.5.1 adds support for Annex-J configuration in the controller interface.
17.5.1 adds a new command, rx-padding. This command is used for packets with an MTU of less than 64
bytes.
Note If frames of less than 64 bytes MTU are expected downstream from the service provider, the VLAN configuration
must be vlan 96. In that case only a single VLAN is supported in a single PVC, i.e. Vlan96. In future releases,
there is a plan to extend the VLAN support range to Vlan44 through 1024, single-VLAN in single-PVC option.
Feature Caveats
This section provides a list of what features are supported and unsupported.
• The DSL SFP operates only when inserted in the IR1101 base unit. It is NOT supported in the IRM-1100
expansion unit. The IR1101 can support only a single DSL SFP, on Gi0/0/0.
• VDSL2 only supports profiles 8a through 17a; 30a is not supported.
• The SFP currently does not have YANG support. This will be provided in a future release.
• Supports RADIUS and AAA when authenticating and configuring DSL users.
• The DSL interface requires a minimum configuration dependent on the DSL service, therefore Plug and
Play (PnP) features are not available on the DSL interface.
• Zero-Touch-Deployment (ZTD) is only supported through IIoT Field Network Director. From FND, use
cgna wsma based ZTD only; PnP based ZTD is not supported over the DSL interface. For ZTD, stage
with basic minimum configuration and parameters depending on the service provider requirements.
The IR1101 must be on IOS-XE 17.4.1 or above for DSL support.
• The show controller vdsl 0/0/0 command is used to display all DSL [VDSL2/ADSL2/ADSL2+] controller
information, similar to the c111x platforms. Although the controller command is vdsl, it actually means
dsl and is used for adsl and vdsl alike.
• For ADSL2/2+ configurations, there is no ATM interface as with c111x platforms. All configuration
is on the DSL SFP WAN g0/0/0 interface, its sub-interface options, and controller vdsl0/0/0 itself. ATM
packets are handled by the DSL SFP and re-assembled as Ethernet packets. Annex A and L are supported.
• Using the WebUI, interface g0/0/0 can be configured/monitored as normal. There is no specific option to
monitor or configure Controller vdsl 0/0/0 in release 17.4.1.
• The various VDSL2 and ADSL2+ MIBs are supported only gradually, in 17.5.1 and later releases. MIB information
is available later in this section.
• For ADSL2/2+ ATM configuration, if your scenario expects frames of less than 64 bytes MTU downstream from the
Service Provider, ensure the following:
1. The rx-padding CLI is enabled.
2. The Vlan96 value is used in the interface configuration.
3. There is no multi-VLAN support in a single PVC in this specific scenario.
Dying gasp is when the router uses some residual power capacity to send outage messages to the
DSLAM. You can verify that your router is ready to send out dying gasp messages by using the show controller
vdsl 0/0/0 local command:
Router#show controllers vdsl 0/0/0 local
SFP Vendor PID: SFPV5311TR
SFP Vendor SN: V021932028C
Firmware embedded in IOS-XE: 1_62_8463
Running Firmware Version: 1_62_8455
Management Link: up
DSL Status: showtime
Dumping internal info: idle
Dying Gasp: armed
Dumping DELT info: idle
Note If Dying Gasp is disabled, the output will show Dying gasp: disarmed.
There is no configuration for Dying Gasp; the software handles the implementation internally. Once
an SFP shut/no shut has been triggered, 1-2 notifications are sent within 50ns.
Warning It is critical that the installer read these instructions and be familiar with the correct method of inserting
and removing the SFP. Failure to do so may result in damage to the SFP.
The minimum IOS-XE release for DSL SFP support is 17.4.1 on the IR1101.
Basic Configuration
Once the SFP is installed, it requires a basic configuration to bring it up. Follow these steps:
Router#configure t
Router(config)#interface g0/0/0
Router(config-if)#media-type sfp
Router(config-if)#no shut
Router(config-if)#exit
SFP Verification
After safely installing the SFP, you can check its status with the show inventory command:
Router#show inventory
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
INFO: Please use "show license UDI" to get serial number for licensing.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In the output below, ignore the Description and bitrate. The PID and Serial number information is accurate for the
SFP.
Router#show interfaces transceiver detail
IDPROM for transceiver Gigabitethernet0/0/0:
Description = SFP or SFP+ optics (type 3)
Transceiver Type: = GE T (26)
Product Identifier (PID) = SFP-VADSL2+-I
Vendor Revision = V5.1
Serial Number (SN) = MET2023000A
Vendor Name = CISCO-METANOIA
Vendor OUI (IEEE company ID) = 00.00.00 (0)
CLEI code =
Cisco part number = 74-124941
Device State = Enabled.
Date code (yy/mm/dd) = 20/23/
Connector type = .
Encoding = 8B10B (1)
Nominal bitrate = GE (1300 Mbits/s)
Minimum bit rate as % of nominal bit rate = not specified
Maximum bit rate as % of nominal bit rate = not specified
Socket Verification
020: 43 49 53 43 4F 2D 4D 45 54 41
030: 4E 4F 49 41 20 20 00 00 00 00
040: 53 46 50 56 35 33 31 31 54 52
050: 35 31 43 53 20 20 56 35 2E 31
060: 00 00 00 3F 08 00 00 00 4D 45
070: 54 32 30 32 33 30 30 30 41 20
080: 20 20 20 20 32 30 32 33 20 20
090: 20 20 00 00 00 6D 63 00 30 60
100: FE 53 E4 C1 54 F1 F1 C1 FA 1A
110: 98 EC 6B E0 7F 00 00 00 00 00
120: 00 00 00 00 8C D0 5C F7 00 00
130: 00 00 00 00 00 00 00 00 37 34
140: 2D 31 32 34 39 34 31 20 56 30
150: 31 20 CF EC 55 00 00 00 00 D4
160: 00 00 00 00 00 00 00 00 00 00
170: 00 00 00 00 00 00 00 00 00 00
180: 00 00 00 00 00 00 00 00 00 00
190: 00 00 53 46 50 2D 56 41 44 53
200: 4C 32 2B 2D 49 20 20 20 20 20
210: 20 20 00 00 17 00 00 00 00 00
220: 00 00 00 5A
HX(40km) (0)
ZX(80km) (0)
VX(100km) (0)
1xFC, 2xFC-SM(10km) (0)
ESCON-SM(20km) (0)
Link reach for 62.5u fiber (m) = SR(2km) (0)
IR-1(15km) (0)
IR-2(40km) (0)
LR-1(40km) (0)
LR-2(80km) (0)
LR-3(80km) (0)
DX(40KM) (0)
HX(40km) (0)
ZX(80km) (0)
VX(100km) (0)
1xFC, 2xFC-SM(10km) (0)
ESCON-SM(20km) (0)
Nominal laser wavelength = 0 nm.
DWDM wavelength fraction = 0.0 nm.
No transceiver present
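The Socket Verification dump above is the module's ID EEPROM (SFF-8472 address A0h) printed ten bytes per row with decimal offsets, and the vendor name, part number, revision, serial number and date code that show interfaces transceiver detail reports are all read from fixed offsets in it. The following is an added example, not a Cisco tool, that parses that dump, extracts those fields by their SFF-8472 offsets and verifies the CC_EXT checksum (byte 95, the low byte of the sum of bytes 64 to 94), which is the check that tells you whether the identity fields you are about to trust were read intact. The dump is the guide's own; it starts at offset 20, so CC_BASE (bytes 0 to 62) cannot be verified from it and is reported as None. The string at offset 192 lies outside the standard fields and is extracted only because it is visible in the guide's dump.

```python
"""Decode an SFP ID EEPROM (SFF-8472 address A0h) from a Cisco
'show interfaces transceiver detail' hex dump and verify its checksums.

Added example, not a Cisco tool. Field offsets are the SFF-8472 base ID
map (decimal byte offsets). The dump is copied from the guide's Socket
Verification output; it starts at offset 20, so CC_BASE cannot be checked
and is reported as None, while CC_EXT (bytes 64-94, checksum at 95) can be.
"""
import re

DUMP = """\
020: 43 49 53 43 4F 2D 4D 45 54 41
030: 4E 4F 49 41 20 20 00 00 00 00
040: 53 46 50 56 35 33 31 31 54 52
050: 35 31 43 53 20 20 56 35 2E 31
060: 00 00 00 3F 08 00 00 00 4D 45
070: 54 32 30 32 33 30 30 30 41 20
080: 20 20 20 20 32 30 32 33 20 20
090: 20 20 00 00 00 6D 63 00 30 60
100: FE 53 E4 C1 54 F1 F1 C1 FA 1A
110: 98 EC 6B E0 7F 00 00 00 00 00
120: 00 00 00 00 8C D0 5C F7 00 00
130: 00 00 00 00 00 00 00 00 37 34
140: 2D 31 32 34 39 34 31 20 56 30
150: 31 20 CF EC 55 00 00 00 00 D4
160: 00 00 00 00 00 00 00 00 00 00
170: 00 00 00 00 00 00 00 00 00 00
180: 00 00 00 00 00 00 00 00 00 00
190: 00 00 53 46 50 2D 56 41 44 53
200: 4C 32 2B 2D 49 20 20 20 20 20
210: 20 20 00 00 17 00 00 00 00 00
220: 00 00 00 5A
"""

ROW_RE = re.compile(r"^\s*(\d+):((?:\s+[0-9A-Fa-f]{2})+)\s*$")


def parse_dump(text):
    """Map decimal byte offset -> value for every row of the dump."""
    eeprom = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 10)          # row label is a decimal offset
        for i, tok in enumerate(m.group(2).split()):
            eeprom[base + i] = int(tok, 16)
    return eeprom


def ascii_field(eeprom, start, length):
    """ASCII field with trailing spaces/NULs removed; absent bytes read as 0."""
    raw = bytes(eeprom.get(i, 0) for i in range(start, start + length))
    return raw.rstrip(b"\x00 ").decode("ascii", "replace")


def checksum_ok(eeprom, first, last, cc_offset):
    """SFF-8472 CC_BASE/CC_EXT: low byte of the sum over first..last inclusive."""
    span = range(first, last + 1)
    if cc_offset not in eeprom or any(i not in eeprom for i in span):
        return None                          # not enough of the page to verify
    return (sum(eeprom[i] for i in span) & 0xFF) == eeprom[cc_offset]


def decode_sff8472(eeprom):
    """Base ID fields by their SFF-8472 offsets, plus the checksum results."""
    return {
        "vendor_name": ascii_field(eeprom, 20, 16),
        "vendor_oui": "%02X:%02X:%02X" % tuple(eeprom.get(i, 0) for i in (37, 38, 39)),
        "vendor_pn": ascii_field(eeprom, 40, 16),
        "vendor_rev": ascii_field(eeprom, 56, 4),
        "vendor_sn": ascii_field(eeprom, 68, 16),
        "date_code": ascii_field(eeprom, 84, 8),
        "diag_monitoring_type": eeprom.get(92),
        "cc_base_ok": checksum_ok(eeprom, 0, 62, 63),
        "cc_ext_ok": checksum_ok(eeprom, 64, 94, 95),
        # Not an SFF-8472 field: a string observed at offset 192 in this dump.
        "observed_pid": ascii_field(eeprom, 192, 16),
    }


def identity_findings(decoded):
    """Checks to apply before trusting the module's identity fields."""
    findings = []
    if decoded["cc_base_ok"] is False:
        findings.append("CC_BASE checksum mismatch: base ID fields are corrupt or altered")
    if decoded["cc_ext_ok"] is False:
        findings.append("CC_EXT checksum mismatch: extended ID fields are corrupt or altered")
    if decoded["vendor_oui"] == "00:00:00":
        findings.append("vendor OUI is unset; rely on PN/SN and show inventory, not the OUI")
    return findings


if __name__ == "__main__":
    decoded = decode_sff8472(parse_dump(DUMP))
    for key, value in decoded.items():
        print(f"{key:>22}: {value}")
    print(identity_findings(decoded))
```

For the guide's dump the decoder recovers CISCO-METANOIA, part number SFPV5311TR51CS, revision V5.1, serial MET2023000A and date code 2023, matching the show interfaces transceiver detail output above, and CC_EXT verifies. The zero OUI the guide's output also shows is flagged, since it means the vendor identity has to be taken from the PN/SN and inventory rather than the OUI.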
Note There is no show platform led support for the SFP LED. Use the show controller vdsl 0/0/0 local
command for DSL link status.
LED Indications
The following table describes the SFP LED indications:
SFP no shut triggered from the CLI: Flashing, then Solid Green
Auto-Negotiation
You can tell the status of auto-negotiation based on the LED on the SFP. On shut/no shut or during
auto-negotiation, the following sequence should be observed:
If the SFP LED is toggling between slow flashing green and fast flashing green, it usually means it is in
auto-negotiation mode. If this continues for a long time, the DSLAM and Router DSL SFP parameters need
to be rechecked. The following chapters cover more details on Router xDSL configuration.
Check your firmware levels by executing the show controller vdsl 0/0/0 local command.
Router#show controllers vdsl 0/0/0 local
SFP Vendor PID: SFPV5311TR
SFP Vendor SN: V021932028C
Firmware embedded in IOS-XE: 1_62_8463
Running Firmware Version: 1_62_8455
Management Link: up
DSL Status: showtime
Dumping internal info: idle
Dying Gasp: armed
Dumping DELT info: idle
The command loads the new firmware, and then performs a shut/no shut on the interface to reset the SFP.
Note In 17.5.1 and beyond, the capability exists to upgrade standalone SFP Firmware, in addition to the SFP
Firmware bundled with IOS image. For example:
MTU Limitation
As per the SFP Data sheet specification, the following are MTU limitations:
• For VDSL, the MTU range on the DSL SFP interface is between 64 - 1800 Bytes
• For ADSL2/2+, the MTU range on the DSL SFP interface is between 64 - 1700 Bytes
ADSL2/2+
ADSL2/2+ Overview
This section provides an overview for ADSL2/2+.
Important The Router SFP-based DSL support differs in configuration and troubleshooting from other
ISR DSL platforms. There is no ATM interface; Ethernet-to-ATM packet translation is handled internally
via ATM Adaptation Layer 5 (AAL5). All configuration is on the controller vdsl 0/0/0 and the g0/0/0
interface/sub-interface. UBR is recommended over AAL5.
• All PPPoX encapsulation is configured via PPPoE only. Internally, packet translation is handled via
ATM. There is no PPPoA configuration like there is with the c111x ISR.
• ADSL-PVC is configurable in the Controller VDSL 0/0/0: Each SFP supports 8 PVCs.
• Each PVC supports mapping to/from 802.1q Vlan tagging.
• VPI range is 0-255, VCI range is 32-65535.
The 'mode' reflected in show controller vdsl 0/0/0 will always be PTM (Packet transfer mode). Internally
packet translation to ATM is handled (AAL5).
Configuring ADSL2/2+
The Router supports Asymmetric Digital Subscriber Line (ADSL) 2/2+ .
Procedure
Step 3 controller vdsl <port>: Enters configuration mode for the ADSL2/2+ controller.
Example:
router(config)# controller vdsl 0/0/0
Step 4 adsl-pvc <vpi/vci>: Configures the PVC's VPI and VCI parameters. Refer to
ADSL2/2+ PVC Sub Mode, on page 374 for detailed sub-commands.
Example:
router(config-controller)#adsl-pvc 0/35
Step 6 encapsulation llcsnap|vcmux: Disabled by default. Can be either llcsnap or vcmux. This
example shows the PVC encapsulation as LLCSNAP.
Example:
router(config-controller-adsl-pvc)#encapsulation llcsnap
carrier-set
Syntax: carrier-set [a43 a43c b43]
Default: a43 a43c b43
Description: DSL SFP Carrier Set
Platform notes: c111x defines these tones under the modem vdsl option. For example, v43 has to be disabled
via CLI. In the Router, tone v43 is disabled by default.
no
Description: Negate a command or set its defaults
vlanid-rx
Syntax: vlanid-rx <1-4094>
Default: Depends on bridge-dot1q
Description: Configure the DSL SFP to set the VLAN ID of the Ethernet packet received by the DSL SFP to be
sent to the router. Used in conjunction with the DSL SFP VLAN operation vlanop-rx to either remove or
replace the VLAN ID from the Ethernet packet.
Platform notes: Only on IoT Routers
vlanid-tx
Syntax: vlanid-tx <1-4094>
Default: Depends on bridge-dot1q
Description: Configure the DSL SFP to set the VLAN ID of the Ethernet packet for transmission to the
network. Used in conjunction with the DSL SFP VLAN operation vlanop-tx to either remove or replace the
VLAN ID from the Ethernet packet before transmitting the packet to the network.
Platform notes: Only on IoT Routers
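The vlanid-rx/vlanid-tx entries above, the rx-padding note in the overview (frames of less than 64 bytes on the downstream side) and the MTU Limitation section (64 to 1800 bytes for VDSL2, 64 to 1700 bytes for ADSL2/2+) describe three operations on the Ethernet frames crossing the DSL SFP. The following is an added example, not the SFP firmware or Cisco code, that applies the same operations to plain 802.1Q frames so the effect of each setting can be inspected byte by byte: remove or replace the VLAN ID (keeping the priority bits), pad short received frames up to 64 bytes, and reject anything outside the mode's MTU range. It assumes that the guide's lower limit applies to the frame length and its upper limit to the payload after the Ethernet header; the sample addresses and payloads are constructed.

```python
"""Model of the DSL SFP VLAN operations, rx-padding and MTU limits.

Added example, not the SFP firmware or Cisco code. It applies the behaviour
the guide describes (vlanop-rx / vlanop-tx remove or replace the 802.1Q
VLAN ID using vlanid-rx / vlanid-tx, rx-padding pads frames shorter than
64 bytes, and the per-mode MTU ranges) to plain Ethernet frames.
Assumption: the lower limit applies to the frame length and the upper
limit to the payload carried after the Ethernet header.
"""
import struct

TPID_8021Q = 0x8100
MIN_FRAME_BYTES = 64                                     # rx-padding target
MTU_LIMITS = {"vdsl2": (64, 1800), "adsl2": (64, 1700)}  # from the guide


def build_frame(dst, src, payload, vid=None, pcp=0, ethertype=0x0800):
    """Construct an Ethernet frame, 802.1Q-tagged when vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Header fields of a frame; vid and tci are None when untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tci": None, "vid": None,
                "ethertype": ethertype, "payload": frame[14:]}
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tci": tci, "vid": tci & 0x0FFF,
            "ethertype": inner, "payload": frame[18:]}


def apply_vlan_op(frame, vlanop, vlanid):
    """'remove' strips the 802.1Q tag; 'replace' rewrites only the 12-bit VID."""
    f = parse_frame(frame)
    if f["vid"] is None:
        return frame                  # untagged: nothing to remove or replace
    if vlanop == "remove":
        return f["dst"] + f["src"] + frame[16:]       # drop TPID+TCI, keep inner type
    if vlanop == "replace":
        if not 1 <= vlanid <= 4094:
            raise ValueError("vlanid must be 1-4094")
        tci = (f["tci"] & 0xF000) | vlanid            # keep PCP and DEI bits
        return f["dst"] + f["src"] + struct.pack("!HH", TPID_8021Q, tci) + frame[16:]
    raise ValueError("vlanop must be 'remove' or 'replace'")


def check_mtu(frame, mode):
    """Enforce the guide's MTU range for the line mode (see the assumption above)."""
    lo, hi = MTU_LIMITS[mode]
    if len(frame) < lo:
        raise ValueError(f"frame of {len(frame)} bytes is below the {lo}-byte minimum")
    payload_len = len(parse_frame(frame)["payload"])
    if payload_len > hi:
        raise ValueError(f"payload of {payload_len} bytes exceeds the {mode} MTU of {hi}")


def receive(frame, vlanop, vlanid, rx_padding, mode):
    """SFP -> router path: VLAN operation, then padding, then the MTU check."""
    out = apply_vlan_op(frame, vlanop, vlanid)
    if rx_padding and len(out) < MIN_FRAME_BYTES:
        out += b"\x00" * (MIN_FRAME_BYTES - len(out))
    check_mtu(out, mode)
    return out


def transmit(frame, vlanop, vlanid, mode):
    """Router -> network path: VLAN operation, then the MTU check (no padding)."""
    out = apply_vlan_op(frame, vlanop, vlanid)
    check_mtu(out, mode)
    return out


if __name__ == "__main__":
    # Constructed sample: a 38-byte tagged frame such as the downstream
    # "less than 64 bytes" case the guide's rx-padding note describes.
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    short = build_frame(dst, src, b"\x01" * 20, vid=100, pcp=5)
    out = receive(short, "replace", 96, True, "adsl2")
    print(len(short), "->", len(out), "bytes, vid", parse_frame(out)["vid"])
```

Running it with rx_padding disabled on the same 38-byte frame raises the minimum-length error, which is the symptom the guide's rx-padding note addresses by requiring the command and the Vlan96 configuration together.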
ADSL2+ Example
The following example is from an ADSL2+ configuration:
Note For an explanation of some of the key output messages, see Controller Status Messages, on page 393.
Daemon Status: UP
TC Mode: PTM
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running
Modem FW Version:
Modem PHY Version:
Modem PHY Source: System
Line 0:
XTU-R (DS) XTU-C (US)
Trellis: ON ON
SRA: enabled enabled
SRA count: 0 0
Bit swap: enabled enabled
Bit swap count: 0 0
Line Attenuation: 1.4 dB dB
Signal Attenuation: 2.4 dB 0.0 dB
Noise Margin: 9.5 dB 6.3 dB
Attainable Rate: 23550 kbits/s 1105 kbits/s
Actual Power: 0.0 dBm 12.2 dBm
Total FECC: 1 0
Total ES: 1 396
Total SES: 0 317
Total LOSS: 0 287
Total UAS: 57 3344
Total LPRS: 0 0
Total LOFS: 0 0
Total LOLS: 0 0
DS Channel1 DS Channel0 US Channel1 US Channel0
Trellis: ON ON
SRA: enabled enabled
SRA count: 0 0
Bit swap: enabled enabled
Bit swap count: 0 0
Line Attenuation: 2.5 dB dB
Signal Attenuation: 5.7 dB 0.0 dB
Noise Margin: 7.0 dB 6.2 dB
Attainable Rate: 10164 kbits/s 288 kbits/s
VDSL2
VDSL2 Overview
This section provides an overview for VDSL2.
The Router DSL SFP-VADSL2+-I provides VDSL2 Annex A and B support in conformance with the ITU-T standard
G.993.2 (VDSL2). This xDSL SFP is also in compliance with TR-114 (VDSL2 Annex A and B performance)
and TR-115 (VDSL2 feature validation tests by the University of New Hampshire). The SFP complies with the
ITU-T G.99x standards, supporting AVD2 CPE mode only.
• Configurable Band Plan, conforms to North America Annex A (G.998) and Europe Annex B (G.997,
998) Band Plans subject to the 3072/4096 and 8-band/4-passband constraints.
• Supports all VDSL2 profiles (8a/b/c/d, 12a/b, 17a, 30a).
• Supports EU type Upstream Band 0 (US0).
• Complies with ITU-T G.994.1 Handshake Procedure for DSL TRx.
• Complies with ITU-T G.997.1 Physical Layer Management for DSL TRx
• Complies with ITU-T G.993.5 Self-FEXT Cancellation (Vectoring) for CPE mode
• Supports Robust Overhead Channel (ROC)
• Supports Online Reconfiguration (OLR) including Seamless Rate Adaptation (SRA) with D/L change
and Bit Swapping
• Supports Upstream /Downstream Power Back Off (UPBO/DPBO)
• Supports DELT
• Supported maximum MTU size on VDSL2 is 1800 Bytes
• Standard compliance VDSL2 mode is PTM (Packet transfer mode)
For configuration and display commands, see the detailed sections below. The show controller vdsl 0/0/0 is
the fundamental command for validation.
Configuring VDSL2
The Router supports Very-high-bit-rate Digital Subscriber Line (VDSL2).
Procedure
Step 3 controller vdsl 0/0/0: Enters configuration mode for the VDSL2 controller.
Example:
router(config)# controller vdsl 0/0/0
Step 4 carrier-set a43 a43c b43: Configures the carrier set. Multiple choice. Default is a43
a43c b43. v43 is disabled by default.
Example:
router(config-controller)# carrier-set a43|a43c|b43
carrier-set
Syntax: carrier-set [a43 b43 a43c]
Default: a43 b43 a43c
Description: DSL SFP Carrier Set
mac-address
Syntax: mac-address <MAC address>
Default: The MAC address is preconfigured. There is no need to configure anything to get the controller working.
Description: DSL SFP MAC Address
VDSL Example
The following example is from a VDSL configuration:
show controllers vdsl 0/0/0
Controller VDSL 0/0/0 is UP
Daemon Status: UP
XTU-R (DS) XTU-C (US)
TC Mode: PTM
Modem FW Version:
Modem PHY Version:
Modem PHY Source: System
Line 0:
XTU-R (DS) XTU-C (US)
Trellis: ON ON
SRA: enabled enabled
SRA count: 0 0
Bit swap: enabled enabled
Bit swap count: 0 0
Line Attenuation: 2.7 dB dB
Signal Attenuation: 3.9 dB dB
Noise Margin: 7.2 dB 24.8 dB
Attainable Rate: 113289 kbits/s 86904 kbits/s
Actual Power: 9.3 dBm 8.1 dBm
Per Band Status: D1 D2 D3 U0 U1 U2 U3
Line Attenuation(dB): 0.0 1.5 2.5 N/A 0.2 0.2 0.6
Signal Attenuation(dB): 0.0 2.0 4.0 N/A 0.0 0.0 0.0
Noise Margin(dB): 0.0 7.2 7.2 0.0 24.7 24.8 24.8
Total FECC: 0 2203
Total ES: 1 2280
Total SES: 0 2199
Total LOSS: 0 2199
Total UAS: 81 2199
Total LPRS: 0 0
Total LOFS: 0 0
Total LOLS: 0 0
DS Channel1 DS Channel0 US Channel1 US Channel0
For an explanation of some of the key output messages, see Controller Status Messages, on page 393.
Troubleshooting
This section provides information for troubleshooting and debugging if the DSL control and/or datapath is
not up.
Problem: If the controller is UP, but show controller vdsl 0/0/0 shows the DSL Link Idle.
Solution: Try the following:
• Ensure show controller vdsl 0/0/0 local shows Running FW = System FW. If not, upgrade FW and
shut/no shut g0/0/0. Refer to DSL SFP Firmware Upgrade, on page 370
• Ensure carrier-set match (in controller vdsl 0/0/0) configuration with DSLAM
• Restart DSLAM interface if any config changes have been made
• Fine-tune the Power Spectrum Density, Freq Bandplan, profile, operating mode, vlan, etc... on the DSLAM
end. On the Router DSL controller end, auto mode is the default and no configuration is required except
possibly carrier-set. For example: If DSLAM only supports POTS, recommended to set carrier-set to
a43. By default, Cisco allows a43, a43c, b43.
• Ensure the DSLAM profile ONLY includes supported Profiles, bands, etc as per VDSL2/ADSL2/2+
Refer to the tables in DSL Feature Specifications, on page 365.
• When using the service internal command test vdsl rawcli "basic show summary 1" consecutively,
do you see the status move from Idle/Handshake/Training back to Idle, or stuck in Idle? If former case,
recheck DSLAM profile configs. If latter, share L1 debug logs.
• If the DSLAM has the same configuration that used to work, and then after an image upgrade or a new
SFP change the controller is UP but there is no negotiation, please provide the following to Cisco:
• SFP LED status
• Capture show version, show running-config, show run all | sec controller, show interface
gigabitethernet 0/0/0, and show controller vdsl 0/0/0 local.
• Possible workaround: After providing logs to Cisco, attempt to write erase and reload the router. Also,
shut/no shut the DSLAM interface tied to this device, and unplug/plug SFP and cables again.
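The first two checks in the list above (Running FW equal to the system FW in show controller vdsl 0/0/0 local, and the link reaching showtime) are the ones worth automating when many routers are in the field, and the Dying Gasp section earlier asks for a third (Dying Gasp: armed). The following is an added example, not Cisco code, that parses the local output and the two-column XTU-R (DS) / XTU-C (US) line statistics from show controllers vdsl 0/0/0 and returns findings. The two sample outputs are copied from this guide; note that the guide's own local output has running firmware 1_62_8455 against embedded 1_62_8463, so the example flags exactly the firmware mismatch the list tells you to fix with an upgrade and shut/no shut. MIN_NOISE_MARGIN_DB is an assumed operator threshold, not a value from the guide.

```python
"""Health check over 'show controllers vdsl 0/0/0 local' and the line
statistics of 'show controllers vdsl 0/0/0'.

Added example, not Cisco code. It automates the checks the guide's
troubleshooting list asks for (running firmware equal to the firmware
embedded in IOS-XE, DSL status showtime, Dying Gasp armed) and parses the
two-column XTU-R (DS) / XTU-C (US) statistics. MIN_NOISE_MARGIN_DB is an
assumed operator threshold, not a value from the guide.
"""
import re

# Sample outputs copied from the guide.
LOCAL_OUTPUT = """\
Router#show controllers vdsl 0/0/0 local
SFP Vendor PID: SFPV5311TR
SFP Vendor SN: V021932028C
Firmware embedded in IOS-XE: 1_62_8463
Running Firmware Version: 1_62_8455
Management Link: up
DSL Status: showtime
Dumping internal info: idle
Dying Gasp: armed
Dumping DELT info: idle
"""

LINE_OUTPUT = """\
Line 0:
                         XTU-R (DS)       XTU-C (US)
Trellis:                 ON               ON
SRA:                     enabled          enabled
Line Attenuation:        1.4 dB           dB
Signal Attenuation:      2.4 dB           0.0 dB
Noise Margin:            9.5 dB           6.3 dB
Attainable Rate:         23550 kbits/s    1105 kbits/s
Actual Power:            0.0 dBm          12.2 dBm
Total FECC:              1                0
Total ES:                1                396
Total SES:               0                317
Total LOSS:              0                287
Total UAS:               57               3344
"""

MIN_NOISE_MARGIN_DB = 6.0   # assumed operator threshold, not from the guide
NUM_RE = re.compile(r"^-?\d+(\.\d+)?$")


def parse_keyvals(text):
    """'Key: value' lines of the 'local' output as a dict."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def parse_line_stats(text):
    """{name: (downstream, upstream)} for numeric rows; a missing column is None."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        nums = [float(t) if "." in t else int(t) for t in rest.split() if NUM_RE.match(t)]
        if not nums:
            continue                      # header, ON/enabled rows, 'Line 0:'
        stats[name.strip()] = (nums[0], nums[1] if len(nums) > 1 else None)
    return stats


def check_health(local_text, line_text):
    """Return the parsed data plus a list of findings."""
    local = parse_keyvals(local_text)
    stats = parse_line_stats(line_text)
    findings = []
    embedded = local.get("Firmware embedded in IOS-XE")
    running = local.get("Running Firmware Version")
    if embedded and running and embedded != running:
        findings.append(f"firmware mismatch: running {running}, image carries {embedded}; "
                        "upgrade the SFP firmware and shut/no shut g0/0/0")
    if local.get("DSL Status") != "showtime":
        findings.append(f"DSL Status is {local.get('DSL Status')!r}, not showtime")
    if local.get("Dying Gasp") != "armed":
        findings.append(f"Dying Gasp is {local.get('Dying Gasp')!r}, not armed")
    margin = stats.get("Noise Margin")
    if margin:
        for direction, value in zip(("DS", "US"), margin):
            if value is not None and value < MIN_NOISE_MARGIN_DB:
                findings.append(f"{direction} noise margin {value} dB below {MIN_NOISE_MARGIN_DB} dB")
    return {"local": local, "stats": stats, "findings": findings}


if __name__ == "__main__":
    result = check_health(LOCAL_OUTPUT, LINE_OUTPUT)
    for name, (ds, us) in result["stats"].items():
        print(f"{name:>20}: DS={ds} US={us}")
    for finding in result["findings"]:
        print("finding:", finding)
```

The error counters (ES, SES, UAS and so on) are returned in stats rather than judged, since a single snapshot says nothing about their rate; comparing two runs a few minutes apart is what shows whether the line is still accumulating errored seconds.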
Problem: If Controller is up, profile with DSLAM up in show controller vdsl 0/0/0, but Dialer did not acquire
IP
Solution: Try the following:
• Check routes
• Check the output of debug dialer to see if it offers any information. If dialer idle time is resetting too
soon, modify dialer idle-timeout (default is 120s , which ideally should be enough).
• Ensure there are SW Licenses (datak9, securityk9, and network-advantage) on both PPPoE server
and the PPPoE Client/CPE.
• The following is a basic Dialer configuration that works:
interface Dialer1
ip address negotiated
no ip redirects
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname WORD
ppp chap password 0 WORD
ppp ipcp route default
!
ip route 0.0.0.0 0.0.0.0 Dialer1 (or any route that works in user environment)
• Possible workaround: After gathering the above logs in sequence for Cisco, you can try to write erase
and reload Peer and Router. Specifically removing the Dialer interface with PPP configurations and
reapplying. As a last resort, try to shut/no shut DSLAM interface attached to this Router DSL SFP
interface. Additionally, to isolate behavior, validate this SFP on another Router if available. If it works,
then validate multiple SFPs on same Router (to narrow down if it is an SFP or Router issue).
Problem: If the controller is up and the Dialer is up, but the Dialer did not acquire an IP, and authentication works only with PAP
and does not work with CHAP.
Solution: Suppose there is a scenario where:
show controller vdsl 0/0/0 shows showtime
show pppoe session shows the PPP session established.
The Virtual-Access interface is then bound to the Dialer successfully, but the Dialer still did not acquire an IP. With a PAP
configuration in the Dialer it worked, but CHAP would not. On the PPPoE Server end, it showed CHAP authentication
passed and the device acknowledged it too, but the IP was still not acquired on the PPPoE Client/device end.
debug ppp packet showed everything was okay, but the IP was still not acquired. In such cases, enable debug ppp
authentication to monitor: you may notice that after the successful CHAP handshake there is another attempt by our
device/client to validate based on the local hostname set on the Router CLI. This needs to be disabled if there is a
default local hostname set for CHAP in the Router client (or any IOS router):
config t
service internal
interface Dialer1
no ppp chap ignoreus
no shut
exit
For further information see Understanding and Configuring PPP CHAP Authentication:
https://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html
Problem: If the controller is up and the Dialer acquired an IP, but you cannot self-ping the Dialer or ping the PPPoE Server
Solution: Try the following:
• Ensure the appropriate SW licenses (datak9, securityk9, and network-advantage) are enabled on both
the PPPoe Server and Client
• Verify if icmp is enabled on PPPoE client session (enable via access list)
• Ensure pap/chap authentication match is seen in debug pppoe session.
• show pppoe session should reflect session (virtual-access binding with Dialer)
• For PPPoE session debugging, this section is common to all IOS platforms: https://www.cisco.com/c/en/us/td/docs/routers/ir910/software/release/1_0/configuration/guide/ir910scg/swpppoe.pdf
• Apply Static IP on g0/0/0 DSL interface and check if you can ping the DSLAM and Peer (to isolate DSL
SFP issues)
• The following is a Basic PPPoE Server and PPPoE client configuration that works, presuming PPPoE
Server is a Cisco IOS device as well:
PPPoE Server
ip dhcp excluded-address 41.41.41.1 41.41.41.9
!
ip dhcp pool 41-41-41-pool
network 41.41.41.0 255.255.255.0
default-router 41.41.41.1
lease 2
!
username dslpeer password 0 dslpeerpass
!
bba-group pppoe global
virtual-template 1
!
interface GigabitEthernet0/0/0
no ip address
media-type sfp
!
interface GigabitEthernet0/0/0.1
encapsulation dot1Q 1 native
ip address 41.41.41.1 255.255.255.0
pppoe enable group global
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0/0.1
peer default ip address dhcp-pool 41-41-41-pool
ppp authentication pap chap
!
>>>>>> Add routes as relevant, next hop being the IP that Router Dialer acquires
!
ip route 10.0.0.0 255.255.255.0 41.41.41.3 >> dialer ip, change as necessary
PPPoE Client:
controller VDSL 0/0/0
Carrier-set a43 >>> Can set to whichever [a43, b43, a43c, v43 depending on DSLAM support]
interface GigabitEthernet0/0/0
no ip address
media-type sfp
!
interface GigabitEthernet0/0/0.1
encapsulation dot1Q 1 native
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer1
ip address negotiated
no ip redirects
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname dslpeer
ppp chap password 0 dslpeerpass
ppp ipcp route default
!
ip route 0.0.0.0 0.0.0.0 Dialer1
Problem: If DSL traffic has been going through for a while, however bandwidth drops in time:
Solution: Try the following:
• Ensure DSLAM profile PSD, Freq band plan configurations are fine-tuned (in such cases, ideally unrelated
to Router DSL SFP).
• Ensure ip arp timeout is increased in the Cisco Router DSL interface, Dialer interface - this may specially
help in bursty traffic or during congestion.
Interface Status:
Router#show ip interface brief
Use this command to validate if Dialer acquired an IP address
Inventory Status:
Router#show inventory
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
INFO: Please use "show license UDI" to get serial number for licensing.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
There are some debugging commands that will also reflect the status of auto-negotiation:
Router#configure terminal
Router(config)#service internal
Router(config)#exit
The following test command will reflect auto-negotiation status:
Router#test vdsl rawcli "basic show summary 1"
Link time Rate US/DS Mode Status Annex TxPkts/RxPkts
4 1097/12491 ADSL2 Showtime AnnexA 0/0
Question: The training log in show controller vdsl 0/0/0 is not working. There is no option to start/stop.
Answer: This option is only specific to the c111x platform and not the Router DSL SFP. For Router platform
L1 debugging, refer to: L1 Training Logs, on page 394
Question: In ADSL2/2+ if burst size (peak cell rate and sustainable cell rate ) are configured to the maximum
5500, dialer keeps flapping.
Answer: If Dialer is flapping, could be receiving Peer upstream and was unable to handle high rate of
downstream traffic. Either disable ip keepalive in dialer configuration, or increase default keepalive to
the maximum.
Answer: Ensure you exit out of controller configuration mode for the configuration to take effect. As a
workaround, shut/no shut the controller interface. Ideally this should be reflected the moment you 'exit' out of
controller config mode. Check the DSLAM for matching profile criteria; unsupported bands/profiles should
be removed as they may delay the Handshake.
Question: In ADSL2/2+ controller configuration, the Maximum Burst Size configuration is not taking effect.
Answer: When configuring either nrt-VBR or rt-VBR, only the configuration of Peak Cell Rate (PCR) and
Sustainable Cell Rate (SCR) is supported. The optional Maximum Burst Size (MBS) is not supported.
Question: System hangs during L1 Debug Logs capture, taking very long. show commands are not working.
Answer: When debug vdsl controller 0/0/0 dump internal folder_name is executed, it drains most of the
system resources. A warning syslog to that effect is displayed as well. This takes approximately 10 minutes
to complete depending on state of controller. Multiple times during the process the controller is shut/no shut,
during this activity do NOT intervene. Once complete, you should observe 'DONE' in syslog and prompted
to shut/no shut g0/0/0.
Caution When inserting the SFP, make sure you hear it lock in. Insert the cable and then close the latch. You
should hear the click again. If you force the latch and it breaks, the SFP will be stuck in the Router.
Workaround is to remove the faceplate and remove the SFP.
Chip Vendor Specific: 0x0000 0x0762
Meaning: SFP Metanoia Chip Information burnt in EEPROM programming
Modem Version Far: <value>
Meaning: Ignore if empty; the Near version above is what is important
DSL Config Mode: AUTO
Meaning: Always in AUTO mode; there is no specific CLI to configure for ADSL2/2+ or VDSL2
Trained Mode: G.992.3 (ADSL2) Annex A
Meaning: Specifies ITU and Annex type
L1 Training Logs
To configure the device perform the following:
Router#configure terminal
Router(config)#service internal
Router(config)#logging console
Router(config)#exit
When the L1 debug dump starts you should see the following:
%VDSL_SFP_MGR-5-DUMP_START: Dump internal info started on interface GigabitEthernet0/0/0
Important At this point, the device is unusable. Wait approximately 10 minutes until it completes.
To recover the device into normal operational mode, perform the following:
Router#configure terminal
Router(config)#interface g0/0/0
Router(config-if)#shut
Router(config-if)#no shut
Router(config-if)#exit
Note Cisco recommends that each time you start a new log or debug, save it to a new directory rather than
append to the existing information.
status
Link time Rate US/DS Mode Status Annex TxPkts/RxPkts
773 1089/23628 ADSL2+ Showtime AnnexA 470/338
Router#test vdsl option 6 0x0: If functional, State = 2 should display. This command shows the
basic L1 bringup of the DSL SFP and its states. Provide it to Cisco for L1 troubleshooting.
Debug flags: 0x8000
Seq 0: slot=0 slot_port=0 bay=0 port=0 Name:MetaMgr0_0_0
MetanoiaPort=0 SFP type: 1 State: 2 cnt=855
MAC:00:00:00:00:00:00 Choice:0
hw interface:GigabitEthernet0/0/0 sw interface:GigabitEthernet0/0/0
Firmware file: /etc/SFP_V5311-T-R_CSP.b, size=491520, version=1_62_8463
SFP version: 1_62_8463
Notification Seq: 0x1 cnt: 0xB3 Stat Cycle:255
VDSL State: 5
EBM Tx: 21039 Rx: 21031
EBM Wait Timeout: 8 Rx Loss: 0
G994 vid CO: BDCM CPE: META
Serial No CO: CPE: MET2023000A V5311TR 1_62_8463
Version CO: CPE: 1_62_8463 MT5311
Capability CO: 000000000001000000 CPE: 000000000001000000
Line Attn: UP: 65535 DOWN: 13
This option forces the entire subslot to reload, including the software module, so if connectivity is via
telnet/ssh you might lose access for 1-2 minutes; afterwards, all buffered messages/syslogs print out.
OOB Topology
The following graphic illustrates the physical connection between two IR1101 routers:
The blue line above is a USB 2.0 Type A to USB 2.0 mini USB Type B cable. Refer to this topology for the
following configuration.
Feature Caveats
Prior to configuring each router, ensure that both routers have a basic serial configuration:
line con 0
stopbits 1
speed 9600
Note Depending on how old the IR1101 is, the default baud rate is 9600 or 115200.
• Plug and Play is not supported. Cable must be installed prior to configuration.
• OOB only works for async0/2/1, which is the USB port. Async0/2/0 is the serial interface on the IR1101.
• To exit from the feature, press “Ctrl-Shift-6”, then “x”, then “disconnect”.
OOB Configuration
Refer to the previous figure for examples of Router A and Router B. To access Router B console from Router
A:
Power on Router A and configure the following:
interface Async0/2/1
ip address 20.0.0.1 255.0.0.0
encapsulation relay-line
!
line 0/2/1
transport input all
transport output all
Make sure that the speed of line 51 (tty 0/2/1) is the same as the console speed on Router B:
IR1101-A#show line
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 0 CTY - - - - - 4 0 0/0 -
0/0/0 2 TTY 0/0 - - - - - 0 0 0/0 -
0/2/0 50 TTY 9600/9600 - - - - - 4 0 0/0 -
0/2/1 51 TTY 9600/9600 - - - - - 4 0 0/0 -
74 74 VTY - - - - - 3 0 0/0 -
75 75 VTY - - - - - 1 0 0/0 -
76 76 VTY - - - - - 0 0 0/0 -
77 77 VTY - - - - - 0 0 0/0 -
78 78 VTY - - - - - 0 0 0/0 -
79 79 VTY - - - - - 0 0 0/0 -
80 80 VTY - - - - - 0 0 0/0 -
81 81 VTY - - - - - 0 0 0/0 -
82 82 VTY - - - - - 0 0 0/0 -
83 83 VTY - - - - - 0 0 0/0 -
84 84 VTY - - - - - 0 0 0/0 -
85 85 VTY - - - - - 0 0 0/0 -
86 86 VTY - - - - - 0 0 0/0 -
87 87 VTY - - - - - 0 0 0/0 -
88 88 VTY - - - - - 0 0 0/0 -
IR1101-B#
IR1101-A#disconnect
Closing connection to 20.0.0.1 [confirm]
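The speed check above is easy to get wrong when the two routers default to different console rates. As an added example (not part of the Cisco guide), the following Python parses `show line` output and verifies that the relay tty runs at the speed the peer console expects. The sample output is a constructed excerpt of the table above; the tty name 0/2/1 and the line number 51 are taken from it.

```python
import re

# Constructed excerpt of `show line` output (same columns as the IR1101 table above).
SHOW_LINE_SAMPLE = """\
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns  Int
*    0    0 CTY              -    -      -    -    -     4      0     0/0      -
 0/0/0    2 TTY              -    -      -    -    -     0      0     0/0      -
 0/2/0   50 TTY   9600/9600  -    -      -    -    -     4      0     0/0      -
 0/2/1   51 TTY   9600/9600  -    -      -    -    -     4      0     0/0      -
    74   74 VTY              -    -      -    -    -     3      0     0/0      -
"""

# One data row: optional '*' (line in use), tty name, line number, line type,
# then an optional Tx/Rx speed pair. The remaining columns are not needed here.
ROW_RE = re.compile(
    r"^\*?\s*(?P<tty>\S+)\s+(?P<line>\d+)\s+(?P<typ>CTY|TTY|VTY|AUX)"
    r"(?:\s+(?P<tx>\d+)/(?P<rx>\d+))?"
)


def parse_show_line(text):
    """Map line number -> {tty, typ, tx, rx}; tx/rx are None when the row shows no speed."""
    lines = {}
    for raw in text.splitlines():
        m = ROW_RE.match(raw)
        if not m:
            continue  # header, blank line, or a row shape we do not recognise
        lines[int(m["line"])] = {
            "tty": m["tty"],
            "typ": m["typ"],
            "tx": int(m["tx"]) if m["tx"] else None,
            "rx": int(m["rx"]) if m["rx"] else None,
        }
    return lines


def line_for_tty(lines, tty):
    """Return (line_number, info) for a tty name such as '0/2/1'."""
    for number, info in lines.items():
        if info["tty"] == tty:
            return number, info
    raise KeyError(f"no line found for tty {tty}")


def relay_speed_matches(text, tty="0/2/1", peer_console_speed=9600):
    """True when the relay tty's Tx and Rx speeds both equal the peer's console speed.

    The guide notes that older IR1101s default to 9600 and newer ones to 115200,
    so the expected value must come from the peer's `line con 0` speed, not be assumed.
    """
    _, info = line_for_tty(parse_show_line(text), tty)
    return info["tx"] == peer_console_speed and info["rx"] == peer_console_speed
```

Run it against the live output of `show line` on Router A and pass the speed configured under `line con 0` on Router B; a mismatch produces garbage on the relayed console rather than an error, so checking before connecting saves a trip to the site.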
Processor memory
The show process cpu command displays Cisco IOS CPU utilization average:
Router# show process cpu
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 0 17 0 0.00% 0.00% 0.00% 0 Chunk Manager
2 552 1205 458 0.00% 0.00% 0.00% 0 Load Meter
3 0 1 0 0.00% 0.00% 0.00% 0 PKI Trustpool
4 0 1 0 0.00% 0.00% 0.00% 0 Retransmission o
5 0 1 0 0.00% 0.00% 0.00% 0 IPC ISSU Dispatc
6 36 13 2769 0.00% 0.00% 0.00% 0 RF Slave Main Th
7 0 1 0 0.00% 0.00% 0.00% 0 EDDRI_MAIN
8 0 1 0 0.00% 0.00% 0.00% 0 RO Notify Timers
9 4052 920 4404 0.23% 0.09% 0.06% 0 Check heaps
10 12 101 118 0.00% 0.00% 0.00% 0 Pool Manager
11 0 1 0 0.00% 0.00% 0.00% 0 DiscardQ Backgro
12 0 2 0 0.00% 0.00% 0.00% 0 Timers
13 0 163 0 0.00% 0.00% 0.00% 0 WATCH_AFS
14 0 2 0 0.00% 0.00% 0.00% 0 ATM AutoVC Perio
15 0 2 0 0.00% 0.00% 0.00% 0 ATM VC Auto Crea
16 76 3024 25 0.00% 0.00% 0.00% 0 IOSXE heartbeat
17 0 13 0 0.00% 0.00% 0.00% 0 DB Lock Manager
18 0 1 0 0.00% 0.00% 0.00% 0 DB Notification
19 0 1 0 0.00% 0.00% 0.00% 0 IPC Apps Task
20 0 1 0 0.00% 0.00% 0.00% 0 ifIndex Receive
21 36 1210 29 0.00% 0.00% 0.00% 0 IPC Event Notifi
22 72 5904 12 0.00% 0.00% 0.00% 0 IPC Mcast Pendin
23 0 1 0 0.00% 0.00% 0.00% 0 Platform appsess
24 0 101 0 0.00% 0.00% 0.00% 0 IPC Dynamic Cach
25 16 1210 13 0.00% 0.00% 0.00% 0 IPC Service NonC
26 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone Manager
27 64 5904 10 0.00% 0.00% 0.00% 0 IPC Periodic Tim
28 76 5904 12 0.00% 0.00% 0.00% 0 IPC Deferred Por
29 0 1 0 0.00% 0.00% 0.00% 0 IPC Process leve
30 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat Manager
31 8 346 23 0.00% 0.00% 0.00% 0 IPC Check Queue
32 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat RX Cont
33 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat TX Cont
34 48 606 79 0.00% 0.00% 0.00% 0 IPC Keep Alive M
35 28 1210 23 0.00% 0.00% 0.00% 0 IPC Loadometer
36 0 1 0 0.00% 0.00% 0.00% 0 IPC Session Deta
37 0 1 0 0.00% 0.00% 0.00% 0 SENSOR-MGR event
38 4 606 6 0.00% 0.00% 0.00% 0 Compute SRP rate
39 0 1 0 0.00% 0.00% 0.00% 0 MEMLEAK PROCESS
40 0 1 0 0.00% 0.00% 0.00% 0 ARP Input
41 112 6331 17 0.00% 0.00% 0.00% 0 ARP Background
42 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
43 0 1 0 0.00% 0.00% 0.00% 0 ATM ASYNC PROC
44 0 1 0 0.00% 0.00% 0.00% 0 CEF MIB API
--More--
...
show process cpu platform sorted
CPU utilization for five seconds: 11%, one minute: 12%, five minutes: 12%
Core 0: CPU utilization for five seconds: 1%, one minute: 3%, five minutes: 3%
Core 1: CPU utilization for five seconds: 1%, one minute: 3%, five minutes: 3%
Core 2: CPU utilization for five seconds: 1%, one minute: 1%, five minutes: 1%
Core 3: CPU utilization for five seconds: 42%, one minute: 42%, five minutes: 42%
Pid PPid 5Sec 1Min 5Min Status Size Name
--------------------------------------------------------------------------------
18246 17700 34% 34% 34% S 272500 qfp-ucode-sparr
18297 16477 1% 1% 1% S 165768 fman_fp_image
9992 9121 1% 1% 1% S 743608 linux_iosd-imag
27122 26048 0% 0% 0% S 8460 nginx
26048 25864 0% 0% 0% S 19252 nginx
25928 1 0% 0% 0% S 2960 rotee
25864 1 0% 0% 0% S 3532 pman.sh
24212 2 0% 0% 0% S 0 kworker/u8:0
19648 8282 0% 0% 0% S 220 sleep
19635 10903 0% 0% 0% S 212 sleep
18121 17675 0% 0% 0% S 10968 ngiolite
17979 1 0% 0% 0% S 1660 rotee
17863 2 0% 0% 0% S 0 kworker/1:0
17859 1 0% 0% 0% S 2836 rotee
17737 17095 0% 0% 0% S 56828 iomd
17700 13380 0% 0% 0% S 3556 pman.sh
17675 12798 0% 0% 0% S 3524 pman.sh
17518 16854 0% 0% 0% S 15024 hman
17312 1 0% 0% 0% S 2828 rotee
17095 12798 0% 0% 0% S 3568 pman.sh
17085 1 0% 0% 0% S 2876 rotee
16942 2 0% 0% 0% S 0 kworker/0:1
16892 14768 0% 0% 0% S 108952 cpp_cp_svr
16854 13380 0% 0% 0% S 3568 pman.sh
16716 1 0% 0% 0% S 2996 rotee
16664 15963 0% 0% 0% S 51096 cpp_sp_svr
16477 13380 0% 0% 0% S 3540 pman.sh
16326 15536 0% 0% 0% S 39852 cpp_ha_top_leve
16270 1 0% 0% 0% S 2972 rotee
15963 13380 0% 0% 0% S 3528 pman.sh
15779 15163 0% 0% 0% S 55208 cpp_driver
15730 1 0% 0% 0% S 1640 rotee
15536 13380 0% 0% 0% S 3528 pman.sh
15412 1 0% 0% 0% S 1716 rotee
15274 14681 0% 0% 0% S 15004 hman
15163 13380 0% 0% 0% S 3624 pman.sh
15083 14361 0% 0% 0% S 26792 cman_fp
15057 1 0% 0% 0% S 1660 rotee
14891 1 0% 0% 0% S 2868 rotee
14768 13380 0% 0% 0% S 3568 pman.sh
14722 14127 0% 0% 0% S 27536 cmcc
14717 14108 0% 0% 0% S 15220 btman
14681 12798 0% 0% 0% S 3572 pman.sh
14627 1 0% 0% 0% S 2996 rotee
14361 13380 0% 0% 0% S 3596 pman.sh
14338 1 0% 0% 0% S 2984 rotee
14314 1 0% 0% 0% S 2824 rotee
14155 13577 0% 0% 0% S 15128 btman
14127 12798 0% 0% 0% S 3612 pman.sh
14108 13380 0% 0% 0% S 3572 pman.sh
13813 13380 0% 0% 0% S 252 inotifywait
--More--
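The per-core and per-process view above is the one worth baselining: a process that is not normally present, or a core that is suddenly busy, is visible here but not in the IOSd-only `show process cpu`. The following Python is an added example, not from the Cisco guide; it parses `show process cpu platform sorted`, reports cores above a threshold and the top consumers, and lists process names missing from a baseline. The baseline set and the sample text (an abridged copy of the output above plus one synthetic row named `unknown_svc`, constructed only to exercise the baseline check) are assumptions for the demonstration.

```python
import re

# Constructed sample: an abridged copy of the `show process cpu platform sorted`
# output above, plus one synthetic row (unknown_svc) to exercise the baseline check.
SAMPLE = """\
CPU utilization for five seconds: 11%, one minute: 12%, five minutes: 12%
Core 0: CPU utilization for five seconds: 1%, one minute: 3%, five minutes: 3%
Core 1: CPU utilization for five seconds: 1%, one minute: 3%, five minutes: 3%
Core 2: CPU utilization for five seconds: 1%, one minute: 1%, five minutes: 1%
Core 3: CPU utilization for five seconds: 42%, one minute: 42%, five minutes: 42%
   Pid    PPid    5Sec    1Min    5Min  Status  Size  Name
--------------------------------------------------------------------------------
 18246   17700     34%     34%     34%  S     272500  qfp-ucode-sparr
 18297   16477      1%      1%      1%  S     165768  fman_fp_image
  9992    9121      1%      1%      1%  S     743608  linux_iosd-imag
 27122   26048      0%      0%      0%  S       8460  nginx
 25864       1      0%      0%      0%  S       3532  pman.sh
 24212       2      0%      0%      0%  S          0  kworker/u8:0
 31337       1      0%      0%      0%  S       1024  unknown_svc
"""

# Process names seen in the guide's output; a real baseline is captured from the
# device itself after a known-good install (this set is constructed for the demo).
BASELINE = {
    "qfp-ucode-sparr", "fman_fp_image", "linux_iosd-imag", "nginx", "rotee",
    "pman.sh", "kworker", "sleep", "ngiolite", "iomd", "hman", "cpp_cp_svr",
    "cpp_sp_svr", "cpp_ha_top_leve", "cpp_driver", "cman_fp", "cmcc", "btman",
    "inotifywait",
}

CORE_RE = re.compile(
    r"^Core (\d+): CPU utilization for five seconds: (\d+)%, "
    r"one minute: (\d+)%, five minutes: (\d+)%"
)
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)%\s+(\d+)%\s+(\d+)%\s+(\S+)\s+(\d+)\s+(\S+)\s*$"
)


def parse_platform_cpu(text):
    """Return (cores, procs): cores maps core id -> (5s, 1m, 5m) percent;
    procs is a list of dicts with pid, ppid, pct5s, pct1m, pct5m, status, size, name."""
    cores, procs = {}, []
    for line in text.splitlines():
        m = CORE_RE.match(line)
        if m:
            cores[int(m[1])] = (int(m[2]), int(m[3]), int(m[4]))
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append({
                "pid": int(m[1]), "ppid": int(m[2]),
                "pct5s": int(m[3]), "pct1m": int(m[4]), "pct5m": int(m[5]),
                "status": m[6], "size": int(m[7]), "name": m[8],
            })
    return cores, procs


def hot_cores(cores, threshold):
    """Core ids whose five-minute average is at or above threshold percent."""
    return sorted(c for c, (_, _, avg5m) in cores.items() if avg5m >= threshold)


def top_processes(procs, n=3):
    """The n processes with the highest five-minute CPU share."""
    return sorted(procs, key=lambda p: p["pct5m"], reverse=True)[:n]


def unexpected_processes(procs, baseline):
    """Names not in the baseline. Kernel worker threads are compared by their
    'kworker' prefix because the /u8:0 style suffix varies between boots."""
    names = {p["name"].split("/")[0] for p in procs}
    return sorted(names - baseline)
```

Note that the guide's own output shows core 3 at 42% with qfp-ucode-sparr as the consumer on an otherwise idle router, so an absolute threshold flags a healthy device; derive the threshold from the device's own steady state and treat the baseline comparison as the primary signal.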
The following sections describe the fields in the show platform software status control-processor command
output.
Load Average
Load average represents the process queue or process contention for CPU resources. For example, on a
single-core processor, an instantaneous load of 7 would mean that seven processes are ready to run, one of
which is currently running. On a dual-core processor, a load of 7 would mean that seven processes are ready
to run, two of which are currently running.
Memory Utilization
Memory utilization is represented by the following fields:
• Total—Total system memory
• Used—Consumed memory
• Free—Available memory
• Committed—Virtual memory committed to processes
CPU Utilization
CPU utilization is an indication of the percentage of time the CPU is busy, and is represented by the following
fields:
• CPU—Allocated processor
• User—Non-Linux kernel processes
• System—Linux kernel processes
• Nice—Low-priority processes
• Idle—Percentage of time the CPU was inactive
• IRQ—Interrupts
• SIRQ—Software (deferred) interrupts
• IOwait—Percentage of time CPU was waiting for I/O
Memory (kB)
Slot Status Total Used (Pct) Free (Pct) Committed (Pct)
RP0 Healthy 4038072 2872672 (71%) 1165400 (29%) 2349820 (58%)
CPU Utilization
Slot CPU User System Nice Idle IRQ SIRQ IOwait
RP0 0 0.70 0.20 0.00 98.58 0.30 0.20 0.00
1 1.10 0.90 0.00 97.59 0.30 0.10 0.00
2 0.40 1.31 0.00 97.87 0.40 0.00 0.00
3 8.00 26.55 0.00 56.33 8.99 0.11 0.00
If alarm severity is not specified, alarm messages for all severity levels are sent to logging devices.
Network Management System Alerts a Network Administrator when an Alarm is Reported Through
SNMP
SNMP is an application-layer protocol that provides a standardized framework and a common language
used for monitoring and managing devices in a network.
SNMP provides notification of faults, alarms, and conditions that might affect services. It allows a network
administrator to access router information through a network management system (NMS) instead of reviewing
logs, polling devices, or reviewing log reports.
To use SNMP to get alarm notification, use the following MIBs:
In the diagnostic mode, a subset of the commands that are available in user EXEC mode are made available
to the users. Among other things, these commands can be used to:
• Inspect various states on the router, including the IOS state.
• Replace or roll back the configuration.
• Provide methods of restarting the IOS or other processes.
• Reboot hardware, such as the entire router, a module, or possibly other hardware components.
• Transfer files into or off of the router using remote access methods such as FTP, TFTP, and SCP.
The diagnostic mode provides a more comprehensive user interface for troubleshooting than previous routers,
which relied on limited access methods during failures, such as ROMMON, to diagnose and troubleshoot
Cisco IOS problems. The diagnostic mode commands can work when the Cisco IOS process is not working
properly. These commands are also available in privileged EXEC mode on the router when the router is
working normally.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
------------------------------------------------------------------------------
Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------------
network-essentials Smart License network-essentials
cisco IR1101-K9 (ARM64) processor (revision 1.2 GHz) with 711861K/6147K bytes of memory.
Processor board ID FCW222700MY
3 Virtual Ethernet interfaces
4 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Serial interface
1 terminal line
2 Cellular interfaces
32768K bytes of non-volatile configuration memory.
4038072K bytes of physical memory.
3110864K bytes of Bootflash at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Router#
Note Altering the configuration register is only for advanced troubleshooting and should only be done with
guidance from Cisco support.
The configuration register can be used to change router behavior. This includes controlling how the router
boots. Set the configuration register to 0x0 to boot into ROM, by using one of the following commands:
• In Cisco IOS configuration mode, use the config-reg 0x0 command.
• From the ROMMON prompt, use the confreg 0x0 command.
Note Setting the configuration register to 0x2102 will set the router to autoboot the Cisco IOS XE software.
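Three register values appear in this chapter: 0x0 (stay in ROMMON), 0x142 (used during password recovery) and 0x2102 (normal autoboot). As an added example, not from the Cisco guide, the following Python decodes a register value into the bits that matter for boot and recovery, using the classic IOS configuration register layout (boot field in bits 0-3, 0x0040 ignore NVRAM, 0x0100 Break disabled, 0x2000 ROM fallback, 0x8000 diagnostics). The bit names, the helper functions and the constructed `show version` line are assumptions made for the demonstration.

```python
import re

# Classic IOS configuration register bit layout (boot field in bits 0-3 plus the
# option bits used by the recovery procedure). Other bits are not modelled here.
BOOT_FIELD_MASK = 0x000F
IGNORE_NVRAM = 0x0040              # bit 6: boot without applying startup-config
BREAK_DISABLED = 0x0100            # bit 8: Break on the console is ignored during boot
BOOT_ROM_ON_NETBOOT_FAIL = 0x2000  # bit 13: fall back to ROM software if network boot fails
DIAG_IGNORE_NVRAM = 0x8000         # bit 15: diagnostic mode, also ignores NVRAM

# Tail of `show version` as IOS prints it; the "(will be ...)" part appears only
# when the running value differs from the value that applies at the next reload.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def boot_field(confreg):
    return confreg & BOOT_FIELD_MASK


def describe_boot_field(field):
    if field == 0x0:
        return "stay in ROMMON (manual boot)"
    if field == 0x1:
        return "boot the first image in flash (ROM boot helper on older platforms)"
    return "boot per the boot system commands in startup-config"


def decode_confreg(confreg):
    """Break a register value into the flags that matter for boot and recovery."""
    field = boot_field(confreg)
    return {
        "boot_field": field,
        "boot": describe_boot_field(field),
        "autoboot": field != 0,
        "ignore_nvram": bool(confreg & (IGNORE_NVRAM | DIAG_IGNORE_NVRAM)),
        "break_disabled": bool(confreg & BREAK_DISABLED),
        "rom_fallback": bool(confreg & BOOT_ROM_ON_NETBOOT_FAIL),
    }


def bypasses_startup_config(confreg):
    """True when the device boots without loading startup-config. This is what
    0x142 does during password recovery and what should never persist on a
    deployed router, because every password, ACL and AAA setting in NVRAM is skipped."""
    return decode_confreg(confreg)["ignore_nvram"]


def production_ready(confreg):
    """0x2102-style value: autoboot, startup-config applied, Break disabled."""
    d = decode_confreg(confreg)
    return d["autoboot"] and not d["ignore_nvram"] and d["break_disabled"]


def confreg_from_show_version(text):
    """Return (current, next_reload) parsed from show version, or None if absent."""
    m = CONFREG_RE.search(text)
    if not m:
        return None
    current = int(m[1], 16)
    nxt = int(m[2], 16) if m[2] else current
    return current, nxt


# Constructed show version tail, as it would read right after a recovery session.
SHOW_VERSION_TAIL = "Configuration register is 0x142 (will be 0x2102 at next reload)"
```

The useful audit is `production_ready(next_reload)` across the fleet: a router left at 0x142 after a recovery session comes up with no passwords and no ACLs on its next reload, and the `show version` line is the only place that difference shows before the reboot.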
Procedure
rommon 2>
Step 4 Initialize the router by entering the reset command. The router cycles its power, and the configuration
register is set to 0x142. The router uses the boot ROM system image, indicated by the system configuration
dialog:
Example:
rommon 2> reset
Example:
Router>
Step 7 Enter the enable command to enter enable mode. The prompt changes to the privileged EXEC prompt.
Configuration changes can be made only in enable mode:
Example:
Router> enable
Router#
What to do next
If you are recovering an enable password, do not perform the steps in the Reset the Password and Save Your
Changes section. Instead, complete the password recovery process by performing the steps in the Reset the
Configuration Register Value section.
If you are recovering an enable secret password, it is not displayed in the show startup-config command
output. Complete the password recovery process by performing the steps in the Reset the Password and Save
Your Changes section.
Note Recovering a lost password is only possible when you are connected to the router through the console
port. These procedures cannot be performed through a Telnet session.
Tip See the “Hot Tips” section on Cisco.com for additional information on replacing enable secret passwords.
Procedure
Step 2 Enter the enable secret command to reset the enable secret
password in the router:
Example:
Router(config)# exit
Note Ensure that a valid Cisco IOS image is present in flash before enabling this feature. Failure to do so will
result in the router entering a boot loop. The hard power reset button is disabled if the system is configured
with no service password-recovery.
The following events will cause the router to go into rommon mode as standard IOS-XE behavior:
• config-reg setting is manual boot
• User opts to reset to factory default option
Procedure
Router(config)# config-reg value
Step 3 Enter exit to exit configuration mode:
Note To return to the configuration being used before you recovered the lost enable password, do not
save the configuration changes before rebooting the router.
Example:
Router(config)# exit
Procedure
Router> enable
Step 3 transport-map type console transport-map-name
Creates and names a transport map for handling console connections, and enters transport map
configuration mode.
Example:
Step 4 connection wait [allow [interruptible] | none [disconnect]]
Specifies how a console connection will be handled using this transport map.
• allow interruptible—The console connection waits for a Cisco IOS VTY line to become available, and
also allows users to enter diagnostic mode by interrupting a console connection that is waiting for a
Cisco IOS VTY line to become available. This is the default setting.
Note Users can interrupt a waiting connection by entering Ctrl-C or Ctrl-Shift-6.
• none—The console connection immediately enters diagnostic mode.
Example:
Router(config-tmap)# connection wait none
Step 5 (Optional) banner [diagnostic | wait] banner-message
(Optional) Creates a banner message that will be seen by users entering diagnostic mode or waiting for the
Cisco IOS VTY line because of the console transport map configuration.
• diagnostic—Creates a banner message seen by users directed to diagnostic mode because of the console
transport map configuration.
Note Users can interrupt a waiting connection by entering Ctrl-C or Ctrl-Shift-6.
• wait—Creates a banner message seen by users waiting for Cisco IOS VTY to become available.
• banner-message—Banner message, which begins and ends with the same delimiting character.
Example:
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'.
--Welcome to Diagnostic Mode--
X
Router(config-tmap)#
Router(config-tmap)# exit
Step 7 transport type console console-line-number input transport-map-name
Applies the settings defined in the transport map to the console interface.
Example:
Examples
The following example shows how to create a transport map to set console port access policies and
attach to console port 0:
Router(config)# transport-map type console consolehandler
Router(config-tmap)# connection wait allow interruptible
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'.
--Welcome to diagnostic mode--
X
Router(config-tmap)# banner wait X
Enter TEXT message. End with the character 'X'.
Waiting for IOS vty line
X
Router(config-tmap)# exit
Router(config)# transport type console 0 input consolehandler
Example
The following example shows transport maps that are configured on the router: console port (consolehandler):
Router# show transport-map all
Transport Map:
Name: consolehandler Type: Console Transport
Connection:
Wait option: Wait Allow Interruptable Wait banner:
Use the show platform software configuration access policy command to view the current configurations
for handling the incoming console port, SSH, and Telnet connections. The output of this command provides
the current wait policy for each type of connection (Telnet, SSH, and console), as well as information on the
currently configured banners.
Unlike the show transport-map command, the show platform software configuration access policy
command is available in diagnostic mode so that it can be entered in scenarios where you need transport map
configuration information, but cannot access the Cisco IOS CLI.
Example
The following example shows the show platform software configuration access policy command.
Router# show platform software configuration access policy
The current access-policies
Method : telnet
Rule : wait with interrupt Shell banner:
Welcome to Diagnostic Mode
Wait banner :
Waiting for IOS Process
Method : console
Rule : wait with interrupt Shell banner:
Wait banner :
The factory-reset all command erases the bootflash, nvram, rommon variables, licenses, and logs.
Router#factory-reset all
The factory reset operation is irreversible for all operations. Are you sure? [confirm]
*Enter*
*May 12 09:55:45.831: %SYS-5-RELOAD: Reload requested by Exec. Reload Reason: Factory Reset.