ASR104-ASR1000系列路由器基本操作ppt课件

1、Page:1ASR1000系列培训-104ASR1000基本操作Page:2IOS-XE-Cisco针对下一代企业网基础设施的核心操作系统(IOS XE中间件结构及平台抽象层）IOS XE 平台抽象层IOS使得IOS可以运行在MIPS、ARM、Intel X86等多种控制平台上， 中间件结构使转发平面可以选择多种功能的芯片平台抽象层可以使得新平台的开发速度加快并保证全系列产品功能和行为一致操作一致性： 用户使用IOS-XE和传统的IOS平台没有区别， 用户接口完全一致ASR1000 IOS XE硬件转发使用QFPIOS XE 平台抽象层IOSCAT4500/3850 IOS XE硬件转发使用交

2、换芯片IOS XE 平台抽象层IOSISR4400系列 IOS XE硬件转发使用商用网络处理器IOS XE 平台抽象层IOSCSR1000V IOS XEIntel X86和虚拟化技术Page:3ASR1000初始化Page:4ASR1000基本操作1.配置主机名Router# configure terminal Router(config)# hostname RACK1-ASRRACK1-ASR(config)#2.启用CDP, 默认ASR1000是关闭CDP服务的RACK1-ASR(config)# cdp runRack1-ASR(config)# interface range g

3、i0/0/0 - 3Rack1-ASR(config-if-range)# cdp enableRack1-ASR(config-if-range)# interface gi0Rack1-ASR(config-if)# cdp enable3.检查硬件模块工作状态及ROMON/CPLD版本SHN4-15-ASR1K-WAN#show platform Chassis type: ASR1004 Slot Type State Insert time (ago) - - - - 0 ASR1000-SIP10 ok 18w6d 0/0 SPA-1X10GE-L-V2 ok 18w6d 0/1

4、SPA-2X1GE-V2 ok 18w6d R0 ASR1000-RP2 ok, active 18w6d F0 ASR1000-ESP40 ok, active 18w6d P0 ASR1004-PWR-AC ok 18w6d P1 ASR1004-PWR-AC ok 18w6d Slot CPLD Version Firmware Version - - - 0 07091401 15.2(1r)S R0 10021901 15.2(1r)S F0 1003190E 15.2(1r)S Page:5ASR1000管理接口配置1.配置管理接口ASR1000在路由控制引擎(RP)上的MGMT

5、Ethernet接口可以用作带外管理(Out-of-band mamagement)接口使用该接口默认属于Mgmt-intf的VRF, 并且不可以更改为其它VRF. 因此在配置该接口的路由等业务时,需要注意VRF相关的配置. Rack1-ASR(config)# interface gigabitEthernet 0Rack1-ASR(config-if)# ip address 81 Rack1-ASR(config-if)# no shutdownRack1-ASR(config-if)# ip route vrf Mgmt-intf 0.0.0

6、.0 2.验证管理接口连通性, 使用携带VRF Mgmt-intf的Ping验证网关Rack1-ASR# ping vrf Mgmt-intf Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:!Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms3.如果需要使用管理口处理FTP和TFTP文件拷贝, 则需要键入以下命令:

7、Rack1-ASR(config)# ip gigabitEthernet 0Rack1-ASR(config)# ip t gigabitEthernet 0Page:6ASR1000配置系统时钟1.配置时区ASR1002-X1(config)# clock timezone China 8 2.配置NTP时钟Rack1-ASR(config)# ntp authentication-key 1 md5 cisco123Rack1-ASR(config)# ntp trusted-key 1Rack1-ASR(config)# ntp server vrf Mgmt-intf 10.74.5

8、.1 key 1Rack1-ASR(config)# do show ntp association address ref clock st when poll reach delay offset disp* 50 3 14 64 1 0.000 2.000 189.45 * sys.peer, # selected, + candidate, - outlyer, x falseticker, configured 3.查看时钟Rack1-ASR(config)# do show clock07:07:51.806 china Wed Oct 17

9、 2012Page:7ASR1000升级ROMMON1.拷贝ROMMON文件到RP Bootflash或harddiskRack1-ASR#copy bootflash:Accessing *:*5/asr1000-rommon.152-1r.S.pkg.Loading asr1000-rommon.152-1r.S.pkg !OK - 1253680/4096 bytes2.升级ROMMONRack1-ASR#upgrade rom-monitor bootflash:asr1000-rommon.152-1r.S.pkg allChassis model ASR1001

10、has a single rom-monitor.Upgrade rom-monitorTarget copying rom-monitor image file is a FIPS ROMMON image65536+0 records in1114112+0 records outUpgrade flash partition MD5 signature is fe18056d332dced800d0632a0f629675ROMMON upgrade complete.To make the new ROMMON permanent, you must restart the RP.3.

11、重启机箱:Rack1-ASR# reload升级完成后使用show platform查看Firmware versionPage:8ASR1000 SPA卡FPD固件升级升级原因:由于SPA接口卡模块支持Cisco多个平台, 因此出厂时的固件版本不一定符合ASR1000的需求, 通常会产生如下日志, 此时我们需要将SPA的软件进行升级.*Sep 10 03:30:47.921: %SPA_OIR-3-SPA_POWERED_OFF: subslot 0/0: SPA 1xOC3 ATM SPA powered off after 5 failures within 1200 seconds*S

12、ep 10 03:30:47.921: %SPA_OIR-6-OFFLINECARD: SPA (SPA-1XOC3-ATM-V2) offline in subslot 0/0*Sep 10 03:30:47.913: %ATMSPA-3-HW_ERROR: SIP0/0: SPA-1XOC3-ATM-V20/0 Error 0 x1C53 SPI4 initialization failedRouter#sh platChassis type: ASR1006 Slot Type State Insert time (ago) - - - - 0 ASR1000-SIP40 ok 00:0

13、3:31 0/10/1 SPA-1XOC3-ATM-V2SPA-1XOC3-ATM-V2 out of serviceout of service 00:00:5500:00:55 R0 ASR1000-RP2 ok, active 00:03:31 F0 ASR1000-ESP40 ok, active 00:03:31 P0 ASR1006-PWR-AC ps, fail 00:03:15 P1 ASR1006-PWR-AC ok 00:03:15 检查SPA FPD版本Router# show hw-module subslot all fpd = = = = H/W Field Pro

14、grammable Current Min. RequiredSlot Card Type Ver. Device: ID-Name Version Version= = = = = =0/1 SPA-1XOC3-AT 1.80 ? ?.? ?.?= = = =Page:9ASR1000 SPA卡FPD固件升级-续手工升级SPA FPD:Router# upgrade hw-module subslot 0/1 fpd bundled % Cannot get FPD version information from SPA-1XOC3-ATM-V2 in subslot 0/1. If a

15、previous upgrade attempt on the target card was interrupted, then the corruption of FPD image might have prevented the card from coming online. If this is the case, then a recovery upgrade would be required to fix the failure. (Hit ENTER to proceed with recovery upgrade operation) confirm -敲回车敲回车 %

16、The following FPD will be upgraded for SPA-1XOC3-ATM-V2 (H/W ver = 1.80) in subslot 0/1: = = = = Field Programmable Current Upgrade Estimated Device: ID-Name Version Version Upgrade Time = = = = 1-I/O FPGA ?.? 2.2 00:07:00 = = = = % NOTES: - Use show upgrade fpd progress command to view the progress

17、 of the FPD upgrade. - Since the target card is currently in disabled state, it will be automatically reloaded after the upgrade operation for the changes to take effect. % Do you want to perform the recovery upgrade operation? no: yes -确认升级确认升级% Starting recovery upgrade operation in the background

18、 . (Use show upgrade fpd progress command to see upgrade progress) *Sep 9 22:44:10.604: %FPD_MGMT-6-UPGRADE_TIME: Estimated total FPD image upgrade time for SPA-1XOC3-ATM-V2 card in subslot 0/1 = 00:07:00.*Sep 9 22:44:10.873: %FPD_MGMT-6-UPGRADE_START: I/O FPGA (FPD ID=1) image upgrade in progress f

19、or SPA-1XOC3-ATM-V2 card in subslot 0/1. Updating to version 2.2. PLEASE DO NOT INTERRUPT DURING THE UPGRADE PROCESS (estimated upgrade completion time = 00:07:00) .查看SPA FPD升级过程Router# show upgrade fpd progress FPD Image Upgrade Progress Table:= = = Approx. Field Programmable Time ElapsedSlot Card

20、Type Device : ID-Name Needed Time State= = = = = = 0/1 SPA-1XOC3-ATM-V2 1-I/O FPGA 00:07:00 00:02:52 Updating.= = =Page:10配置ASR1000的安全登陆和授权SSH登陆和TACACS+授权Page:11ASR1000配置TACACS+授权-11.对CONSOLE口使用本地授权Rack1-ASR(config)# aaa new-modelRack1-ASR(config)# aaa authentication login CONSOLE local Rack1-ASR(co

21、nfig)# username cisco privilege 15 password cisco123 Rack1-ASR(config)# line console 0Rack1-ASR(config-line)# login authentication CONSOLE2.配置TACACS+服务注意由于管理接口使用Mgmt-intf VRF 因此需要按照如下方法进行配置:Rack1-ASR(config)# aaa group server tacacs+ ACSRack1-ASR(config-sg-tacacs+)# server-private 54 key ci

22、sco123 Rack1-ASR(config-sg-tacacs+)# ip vrf forwarding Mgmt-intfRack1-ASR(config-sg-tacacs+)# ip tacacs source-interface GigabitEthernet 0如果使用数据平面接口进行TACACS+通信则不需配置VRF相关的信息只需指定源接口(source-interface)即可3.配置AAA授权和认证服务Rack1-ASR(config)# aaa authentication login REMOTE group tacacs+ group ACSRack1-ASR(con

23、fig)# aaa authorization exec REMOTE tacacs+ group ACSRack1-ASR(config)# aaa authorization commands 15 REMOTE tacacs+ group ACSRack1-ASR(config)# aaa authorization config-commandsPage:12ASR1000配置TACACS+授权-21.添加ASR1000到Cisco Secure ACS中使用登陆ACS添加新的AAA客户端, 然后点击左侧按钮”Network Configuration”点击”ASR1K-TME”设备组

24、, 然后在ASR1K-TME AAA Clients下方点击”Add Entry”Page:13ASR1000配置TACACS+授权-3添加设备类型为TACACS+(Cisco IOS), 地址为ASR1000管理口地址, 密码为cisco123, 配置完成后点击”Submit+Apply”2.针对不同登陆用户权限进行命令授权点击左侧Shared Pro, 查看”Shell Command Authorized Sets”Page:14ASR1000配置TACACS+授权-4创建两个组,一个名为Admin, 另一个为NetOps, 其中Admin有所有的配置权限(unmatched comma

25、nds permit)NetOps仅有更改IP路由(ip route命令)的权限Page:15ASR1000配置TACACS+授权-53.添加命令行控制权限到用户组点击”Group Setup” , 配置了两个Group(Admin/NetOps).其中TACACS+ Setting中, 配置Shell(exec)和Privilege Level, 并且在Shell Command Authorization Set 中配置选用” Assign a Shell Command Authorization Set for any network device”Page:16ASR1000配置TA

26、CACS+授权-64.添加用户到用户组点击”User Setup” 输入用户名rackyyadmin/rackyyops 点击”Add/Edit” , 例如rack1admin, 密码为cisco123, 用户组选择为Admin或者NetOps5.配置登陆使用的VTY并激活SSH登陆配置域名和密钥启用SSH登陆, 注意密钥长度要大于1024才能使用SSHv2登陆Rack1-ASR(config)# ip domain-name Rack1-ASR(config)# crypto key generate rsa modulus 1024 % You already have RSA keys

27、defined named Rack1-ASR.% They will be replaced. % The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be non-exportable.OK (elapsed time was 0 seconds)配置VTY,并仅允许SSH登陆Rack1-ASR(config-line)# line vty 0 90Rack1-ASR(config-line)# authorization commands 15 REMOTERack1-ASR(config-

28、line)# authorization exec REMOTERack1-ASR(config-line)# login authentication REMOTERack1-ASR(config-line)# transport input sshPage:17软件授权(License 安装)仅ASR1001/ASR1002-X/CSR1000v需要使用Page:18软件版本授权ASR1001和ASR1002-X使用通用的操作系统文件(universalk9), 单个IOS XE软件包支持IP Base/ Advanced IP Service / Advanced Enterprise

29、Service等三种软件版本, 可以通过使用软件授权的方式进行版本切换ASR1002/ASR1004/ASR1006/ASR1013则是采用三种不同的IOS XE文件来实现不同版本的切换吞吐量授权ASR1001默认为2.5Gbps吞吐量, 可以通过软件授权升级到5GbpsASR1002-X默认为5Gbps吞吐量,可以通过软件授权升级到10Gbps/20Gbps/36Gbps特殊软件功能授权对于IPSec/防火墙/AVC等功能有单独的软件授权License, 这些授权仅在ASR1001和ASR1002-X上使用ASR1000系列路由器软件特性授权详解Page:19Page:20ASR1000软件

30、授权安装方式查看License需要的序列号:Router# show license udishow license udiSlotID PID SN UDI-*6 ASR1002-X JAE16370304 ASR1002-X:JAE16370304使用PID和SN申请License后, 将邮件获得的License文件拷贝到ASR1000中:ASR1002-X1# copy t bootflash:copy t bootflash:Destination JAE16370304_201211.lic? Accessing t.Loading ASR/JAE16370304_201211.li

31、c from 67 (via GigabitEthernet0): !OK - 3287 bytes3287 bytes copied in 0.029 secs (113345 bytes/sec)安装LicenseASR1002-X1# license install bootflash:JAE16370304_201211.lic license install bootflash:JAE16370304_201211.lic Installing licenses from bootflash:JAE16370304_201211.lic Installing.Fe

32、ature:internal_service.Successful:SupportedInstalling.Feature:adventerprise.Successful:SupportedInstalling.Feature:throughput_36g.Successful:Supported3/3 licenses were successfully installed 0/3 licenses were existing licenses0/3 licenses were failed to installPage:21ASR1000软件授权安装方式-2安装完成后重启:启动时的系统日

33、志:*Nov 15 18:36:50.019: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = asr1002x Next reboot level = adventerprise and License = adventerprise*Nov 15 18:37:02.188: %LINK-3-UPDOWN: Interface Lsmpi0, changed state to up*Nov 15 18:37:02.188: %LINK-3-UPDOWN: Interface EOBC0, changed state

34、to up*Nov 15 18:37:02.188: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up*Nov 15 18:37:02.188: %LINEPROTO-5-UPDOWN: Line protocol on Interface LI-Null0, changed state to up*Nov 15 18:37:02.188: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down*Nov 15

35、18:37:03.207: %LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up*Nov 15 18:36:52.876: %CMLIB-6-THROUGHPUT_VALUE: R0/0: cmand: Throughput license found, throughput set to 40000000 kbps检查LicenseASR1002-X1# show license feature show license feature Feature name Enforcement Evalu

36、ation Subscription Enabled RightToUse adventerprise yes yes no yes adventerprise yes yes no yes yes yes advipservices yes yes no no advipservices yes yes no no yes yes ipbase no no no no no avc no no no no no broadband no no no no no cube_video_b2btp no no no no no firewall no no no no no internal_s

37、ervice yes no no no no ipsec yes yes no no yes otv no no no no no sw_redundancy yes yes no no yes throughput_10g yes yes no no throughput_10g yes yes no no yes yes throughput_20g yes yes no no throughput_20g yes yes no no yes yes throughput_36g yes yes no yes throughput_36g yes yes no yes yes yes vp

38、ls no no no no no Page:22开启软件冗余仅ASR1001/ASR1002-X/ASR1004可以使用ASR1006/ASR1013使用硬件冗余IOS XE(Linux Kernel)IOSActiveIOSStandbyPage:23ASR1000软件冗余配置开启软件冗余前仅一个IOS引擎:ASR1002-X1#show platformASR1002-X1#show platformChassis type: ASR1002-X Slot Type State Insert time (ago) - - - - 0 ASR1002-X ok 00:15:48 0/0 6

39、XGE-BUILT-IN ok 00:15:07 0/1 SPA-1XOC3-ATM-V2 ok 00:15:07 R0 ASR1002-X ok, active 00:15:48 R0 ASR1002-X ok, active 00:15:48 F0 ASR1002-X ok, active 00:15:48 P0 ASR1002-PWR-AC ok 00:15:26 P1 ASR1002-PWR-AC ok 00:15:25 Slot CPLD Version Firmware Version - - - 0 12042303 15.2(4r)S R0 12042303 15.2(4r)S

40、 F0 12042303 15.2(4r)SASR1002-X1(config)#redundancyASR1002-X1(config)#redundancyASR1002-X1(config-red)#mode ssoASR1002-X1(config-red)#mode sso Feature Name:sw_redundancyActivation of the software command line interface will be evidence ofyour acceptance of this agreement.ACCEPT? (yes/no): yes*Nov 15

41、 18:53:46.171: %LICENSE-6-EULA_ACCEPTED: EULA for feature sw_redundancy 1.0 has been accepted. UDI=ASR1002-X:JAE16370304; StoreIndex=5:Built-In License Storage*Nov 15 18:53:46.566: %CMRP-6-DUAL_IOS_REBOOT_REQUIRED: R0/0: cmand: Configuration must be saved and the chassis must be rebooted for IOS red

42、undancy changes to take effect*Nov 15 18:53:46.568: % Redundancy mode change to SSOIOS XE(Linux Kernel)IOSActiveIOSStandbyPage:24ASR1000软件冗余配置-2重启后:ASR1002-X1#show platformASR1002-X1#show platformChassis type: ASR1002-X Slot Type State Insert time (ago) - - - - 0 ASR1002-X ok 00:01:02 0/0 6XGE-BUILT

43、-IN ok 00:00:21 0/1 SPA-1XOC3-ATM-V2 ok 00:00:21 R0 ASR1002-X ok R0 ASR1002-X ok 00:01:02 00:01:02 R0/0 ok, active R0/0 ok, active 00:01:02 00:01:02 R0/1 init, R0/1 init, standby never standby never F0 ASR1002-X ok, active 00:01:02 P0 ASR1002-PWR-AC ok 00:00:39 P1 ASR1002-PWR-AC ok 00:00:39 Slot CPL

44、D Version Firmware Version - - - 0 12042303 15.2(4r)S R0 12042303 15.2(4r)S F0 12042303 15.2(4r)S IOS XE(Linux Kernel)IOSActiveIOSStandbyPage:25ASR1000接口地址和路由协议配置Page:26ASR1000接口配置POS接口配置ASR1002-X1(config)# interface pos0/2/0ASR1002-X1(config-if)# pos framing sonetASR1002-X1(config-if)# keepalive 10

45、ASR1002-X1(config-if)# clock source internalASR1002-X1(config-if)# no pos scramble-atmASR1002-X1(config-if)# load-interval 30ASR1002-X1(config-if)# encapsulation pppASR1002-X1(config-if)# ip address ATM接口ASR1002-X1(config)# interface atm0/1/0ASR1002-X1(config-if)#atm clock inte

46、rnalASR1002-X1(config-if)#no shutdownASR1002-X1(config-if)#interface atm0/1/0.1 pointASR1002-X1(config-subif)#ip address ASR1002-X1(config-subif)#pvc 10/100ASR1002-X1(config-if-atm-vc)# vbr-nrt 30720 30720ASR1002-X1(config-if-atm-vc)# oam-pvc manageASR1002-X1(config-if-atm-vc)#

47、 oam retry 3 3 1 ASR1002-X1(config-if-atm-vc)# protocol ip broadcast ASR1002-X1(config-if-atm-vc)# encapsulation aal5snapE1接口配置ASR1002-X1(config)#card type e1 0 1ASR1002-X1(config)#controller E1 0/1/0ASR1002-X1(config-controller)#channel-group 0 timeslots 1-31ASR1002-X1(config-controller)#i

48、nterface serial 0/1/0:0ASR1002-X1(config-if)#encapsulation hdlcASR1002-X1(config-if)#ip address 以太网口ASR1002-X1(config)#interface Gi0/1/0.100ASR1002-X1(config-if)#encapsulation dot1q 100ASR1002-X1(config-if)#ip address Page:27ASR1000路由协议配置静态路由ip route 0.

49、0.0.0 RIProuter rip version 2 network network OSPF (启用BFD功能)interface GigabitEthernet0/1/2 ip address bfd interval 50 min_rx 50 multiplier 3 no bfd echo ip ospf bfd!router ospf 100 network 55 area 0 bfd all-interfaces BGPr

50、outer bgp 100 neighbor remote-as 100 neighbor update-source loopback 0!address-family ipv4 unicast network mask EIGRProuter eigrp 100 network redistribute static route-map agg-routes default-metric 1000 1 255 1 1500 distribute-list 20 out serial0/1/0:0!ip route null0!route-map agg-routes permit 10 match ip address 10 match interface serial 0/1/0:0!access-list 10 permit 55access-list 20 permit 55策