Saturday, March 27, 2021

Upgrading Code on Cisco ASR 1001-X Router

Hi guys, in this post we will see what needs to be done to upgrade the code on a Cisco ASR 1001-X router.

1. Check your current OS with the command "show version". From the output below you can see that the router is running code 03.13.05.S.

2. Go to the Cisco website, under Software Downloads, and select your router, in this case the ASR 1001-X. Then select the image marked with a star by Cisco; that is the image Cisco recommends.

Below is a screenshot for reference.


3. Go through the release notes to make sure there are no open caveats that match the features you have deployed. In the above screenshot you will see the reference link to the release notes for the download.


We also need to check the ROMMON code required for the IOS XE release we are planning to upgrade to.

Run the command "show platform" to check the firmware version.

As you can see from the output below, the firmware version is 15.4(2r)S.




For example, if we are planning to upgrade the ASR 1001-X router to IOS XE 17.3.2, we need to upgrade ROMMON to 17.3(1r), as shown in the screenshot below.





4. Once you have decided on the IOS XE image and the ROMMON code, check the free space in flash.

#dir flash:

From the output below you can see that 24715264 bytes are available.



5. Copy both images to flash:

copy tftp://serverip/image bootflash:

6. Verify the MD5 checksum of each image; it must match the value published on the Cisco download page.

# verify /md5 bootflash:image

The command computes and displays the hash, which should match the hash value displayed on the Cisco portal. Do not boot an image whose hash does not match.



7. First, if required, upgrade the ROMMON code.

# upgrade rom-monitor filename bootflash:<rommon-image>.pkg all

8. #write memory

9. #reload

10. Once the router comes up, run "show platform" to verify the firmware version.


Next we will proceed with the IOS XE code upgrade.

11. The image has already been copied to bootflash, so just change the boot variable:

#boot system flash:asr1001x-universalk9.17.03.02.SPA.bin

12. #wr mem

13. #sh bootvar to check the boot variable

14. #reload

15. Once the reload is complete, run "sh version" to check the new version.
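As an added example (not from the original post), a small Python pre-flight script that performs steps 1, 4 and 6 offline: it parses the running version from "show version", checks that the image fits in the free space reported by "dir bootflash:", and compares the image's MD5 against the value copied from the Cisco portal. The device outputs, the image bytes and the portal hash are all constructed here; the version and free-space figures mirror the ones quoted above.

```python
import hashlib
import hmac
import re

# Constructed sample device output (not captured from a real router); the
# values mirror the ones quoted in the post.
SHOW_VERSION = "Cisco IOS XE Software, Version 03.13.05.S - Extended Support Release"
DIR_BOOTFLASH = "7741440000 bytes total (24715264 bytes free)"
IMAGE = b"constructed stand-in for asr1001x-universalk9.17.03.02.SPA.bin"
# Hash as it would be copied from the download portal (derived from IMAGE here).
PORTAL_MD5 = hashlib.md5(IMAGE).hexdigest()

def running_version(show_version: str) -> str:
    """Extract the IOS XE version string from 'show version' output."""
    m = re.search(r"Version\s+(\S+)", show_version)
    return m.group(1) if m else ""

def free_bytes(dir_output: str) -> int:
    """Extract the free byte count from the summary line of 'dir bootflash:'."""
    m = re.search(r"\((\d+) bytes free\)", dir_output)
    return int(m.group(1)) if m else 0

def image_fits(dir_output: str, image_size: int, margin: int = 0) -> bool:
    """True when the image plus an optional safety margin fits in flash."""
    return free_bytes(dir_output) >= image_size + margin

def md5_matches(image: bytes, portal_md5: str) -> bool:
    """The comparison 'verify /md5' asks you to do by eye, done in code.
    Cisco's portal also lists SHA512; prefer that digest when available."""
    local = hashlib.md5(image).hexdigest()
    return hmac.compare_digest(local, portal_md5.strip().lower())

def preflight(dir_output: str, image: bytes, portal_md5: str) -> list:
    """Return the list of blockers; an empty list means safe to proceed."""
    problems = []
    if not image_fits(dir_output, len(image)):
        problems.append("insufficient free space in bootflash")
    if not md5_matches(image, portal_md5):
        problems.append("MD5 mismatch: do not boot this image")
    return problems

if __name__ == "__main__":
    print("running:", running_version(SHOW_VERSION))
    print("blockers:", preflight(DIR_BOOTFLASH, IMAGE, PORTAL_MD5) or "none")
```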

Tuesday, February 23, 2021

LAB 4 – Layer 2 Interface with Spanning Tree

In the diagram below we can see that this is a Layer 2 interface lab in which two switches each connect two ports to the firewall, so spanning tree comes into play.


Interfaces on Palo Alto

We can see that interfaces eth1/1 and eth1/2 are connected to SW1, and eth1/3 and eth1/4 are connected to SW3.

Below is a screenshot of the interface config.



VLAN config is shown below.



Layer 3 VLAN interface.




On the switches the interfaces are just configured as trunks.


Verification

Ping from PC1 and PC2.


Let's check the spanning tree status on SW3.


On SW3 we can see that ports eth0/0 and eth1/0 are the uplinks to the firewall.

Eth0/0 is in forwarding state and eth1/0 is blocking.

If we shut down interface eth0/0, eth1/0 will move to forwarding state.


Below is the VLAN status on the firewall.





Saturday, January 30, 2021

Lab 3 - Extending Connectivity to Internet (continued from LAB 2)

As we saw in the earlier lab (LAB 2), using the Palo Alto Layer 2 interface we were able to control traffic between subnets. Now we want to extend connectivity so that PC1, PC2 and PC3 can reach the ISP router.


Diagram


Interface Config 


L3 Vlan 


Zones 


Vlans



Virtual Routers



Configuration of the L2 switch is the same as in the earlier lab.

On PC1, PC2 and PC3 add a default route pointing to L2 VLAN 1 (192.168.0.1).


Verification

PC1#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms



PC1#ping 192.168.20.100 re
PC1#ping 192.168.20.100 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 192.168.20.100, timeout is 2 seconds:
...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 97 percent (97/100), round-trip min/avg/max = 1/1/9 ms





Friday, January 29, 2021

LAB 2 - Layer 2 Single IP Subnet with Multiple VLANs and Rewriting VLAN Tags


As we can see in the diagram below, we have used the same IP subnet spanning multiple VLANs. Using the Palo Alto L2 interface mode we can secure traffic between the VLANs.

Diagram


Interfaces config 


Zone Config.



Vlan Config.



Security Policy 

In the security policy below we can see that the ping application is allowed from VLAN 100 to VLAN 200 and VLAN 300.


L2 Switch Config

eth0/0 is the trunk interface.

eth0/1, eth0/2 and eth0/3 are access ports.


Verification


Ping from PC1 (192.168.10.100) to PC2 (192.168.20.100).

Ping from PC2 (192.168.20.100) to PC1 (192.168.10.100) fails.









Thursday, January 28, 2021

Lab 1 - Intervlan Routing in Palo Alto Firewall


In the Palo Alto firewall, using the Layer 3 interface type and creating sub-interfaces, we can do inter-VLAN routing.

As shown in the diagram below:

eth1/1 is the egress interface facing the internet

eth1/2 is the ingress interface facing the LAN



Configuration of Zone


Configuration of VR


Configuration of the interfaces looks like this:


L2 Switch configuration

On L2 Switch

interface Ethernet0/0
 ! encapsulation must be set before trunk mode on platforms that default to negotiate
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Ethernet0/1
 switchport mode access
 switchport access vlan 100

interface Ethernet0/2
 switchport mode access
 switchport access vlan 200

interface Ethernet0/3
 switchport mode access
 switchport access vlan 300


Configuration on PC1, PC2 and PC3

PC1
interface Ethernet0/0
 ip address 192.168.10.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1   ! L3 on PA eth1/2.100

PC2
interface Ethernet0/0
 ip address 192.168.20.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.20.1   ! L3 on PA eth1/2.200

PC3
interface Ethernet0/0
 ip address 192.168.30.100 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.30.1   ! L3 on PA eth1/3.200

Verification 

From PC1, ping 5.5.5.5 (the loopback on the ISP router).






Tuesday, January 19, 2021

GRE ( Generic Routing Encapsulation )

GRE is used to build a logical connection over an untrusted network.

Why we need to use GRE ? 

There may be infrastructure where the requirement cannot be met by the protocol in use: it lacks the routing information needed to route the packet, or it does not support multicast or broadcast. In such cases we can make use of GRE.

Packets carrying private IP addresses on the remote side can be routed across another site by using GRE, as it encapsulates the packet inside a new header; on reaching the other end the packet is decapsulated and routed accordingly.

With support for multicast traffic, the hello messages created by routing protocols reach the remote side through the GRE tunnel.

Use Case?

To establish remote connectivity between two sites over a public network, for example the Internet.

In that scenario GRE creates a logical tunnel between the two sites. During communication a packet destined to the remote network gets encapsulated in a new IP header; GRE adds 24 bytes of extra header.

In the above diagram GRE is set up between Firewall 1 and Firewall 2.

Packet Capture 

When R2 (host IP 192.168.3.2) tries to ping R4 (host IP 192.168.2.2):

There is a default route on R2 that sends the traffic to FW ETH2 (192.168.3.1).

The firewall does a route lookup for destination IP 192.168.2.2.

It finds a static route for network 192.168.2.0 pointing to Tunnel1.

The packet gets encapsulated by Tunnel1, as by default the interface type for a tunnel is GRE.

GRE adds a 24-byte header: a 20-byte IP header and 4 bytes of GRE.

As shown in the screenshot below, the ICMP request is carried in an IP header with SRC IP 192.168.3.2 and DST IP 192.168.2.2.

Once it reaches the tunnel interface, a 4-byte GRE header is added, followed by a 20-byte IP header with source IP 1.1.1.1 and DST IP 2.2.2.1.

The firewall then does another routing lookup to reach 2.2.2.2; the packet goes out the egress interface, and the reverse process happens at the other end.

 



Below is an image showing the GRE and IP headers adding 4 bytes and 20 bytes.
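To make the 20 + 4 byte overhead concrete, here is an added Python example (not part of the original post) that builds the inner ICMP echo request from the R2 to R4 ping described above, encapsulates it in a plain GRE header plus an outer IP header with the tunnel endpoints 1.1.1.1 and 2.2.2.1, and decapsulates it again while validating the outer headers, the same checks an analyst applies when reading the capture. The ICMP identifier, sequence number, payload and TTL are constructed values.

```python
import socket
import struct

GRE_PROTO = 47           # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]

def icmp_echo_request(ident: int = 1, seq: int = 1, data: bytes = b"x" * 8) -> bytes:
    """ICMP type 8 echo request; identifier, sequence and payload are constructed."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", ones_complement_sum(body)) + body[4:]

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What Tunnel1 does: prepend a 4-byte GRE header, then a 20-byte outer IP header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    return ipv4_header(tunnel_src, tunnel_dst, 4 + len(inner), GRE_PROTO) + gre + inner

def gre_decapsulate(packet: bytes) -> tuple:
    """Validate the outer headers and return (outer_src, outer_dst, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ones_complement_sum(outer) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000:  # C, K or S bit set: header is longer than the plain 4 bytes
        raise ValueError("optional GRE fields not handled by this example")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    return socket.inet_ntoa(outer[12:16]), socket.inet_ntoa(outer[16:20]), packet[ihl + 4:]

def build_example() -> tuple:
    """R2 (192.168.3.2) pings R4 (192.168.2.2) through the 1.1.1.1 -> 2.2.2.1 tunnel."""
    icmp = icmp_echo_request()
    inner = ipv4_header("192.168.3.2", "192.168.2.2", len(icmp), 1) + icmp
    return inner, gre_encapsulate(inner, "1.1.1.1", "2.2.2.1")
```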


