ASR104-ASR1000系列路由器基本操作PPT学习课件

1、ASR1000系列培训-104 ASR1000基本操作,Page:1,Page:2,IOS-XE-Cisco针对下一代企业网基础设施的核心操作系统(IOS XE中间件结构及平台抽象层）,IOS XE 平台抽象层,IOS,使得IOS可以运行在MIPS、ARM、Intel X86等多种控制平台上， 中间件结构使转发平面可以选择多种功能的芯片 平台抽象层可以使得新平台的开发速度加快并保证全系列产品功能和行为一致 操作一致性： 用户使用IOS-XE和传统的IOS平台没有区别， 用户接口完全一致,ASR1000 IOS XE 硬件转发使用QFP,IOS XE 平台抽象层,IOS,CAT4500/3850

2、 IOS XE 硬件转发使用交换芯片,IOS XE 平台抽象层,IOS,ISR4400系列 IOS XE 硬件转发使用商用网络处理器,IOS XE 平台抽象层,IOS,CSR1000V IOS XE Intel X86和虚拟化技术,ASR1000初始化,Page:3,Page:4,ASR1000基本操作,1.配置主机名 Router# configure terminal Router(config)# hostname RACK1-ASR RACK1-ASR(config)# 2.启用CDP, 默认ASR1000是关闭CDP服务的 RACK1-ASR(config)# cdp run Rac

3、k1-ASR(config)# interface range gi0/0/0 - 3 Rack1-ASR(config-if-range)# cdp enable Rack1-ASR(config-if-range)# interface gi0 Rack1-ASR(config-if)# cdp enable 3.检查硬件模块工作状态及ROMON/CPLD版本 SHN4-15-ASR1K-WAN#show platform Chassis type: ASR1004 Slot Type State Insert time (ago) - - - - 0 ASR1000-SIP10 ok 1

4、8w6d 0/0 SPA-1X10GE-L-V2 ok 18w6d 0/1 SPA-2X1GE-V2 ok 18w6d R0 ASR1000-RP2 ok, active 18w6d F0 ASR1000-ESP40 ok, active 18w6d P0 ASR1004-PWR-AC ok 18w6d P1 ASR1004-PWR-AC ok 18w6d Slot CPLD Version Firmware Version - - - 0 07091401 15.2(1r)S R0 10021901 15.2(1r)S F0 1003190E 15.2(1r)S,Page:5,ASR1000

5、管理接口配置,1.配置管理接口 ASR1000在路由控制引擎(RP)上的MGMT Ethernet接口可以用作带外管理(Out-of-band mamagement)接口使用 该接口默认属于Mgmt-intf的VRF, 并且不可以更改为其它VRF. 因此在配置该接口的路由等业务时,需要注意VRF相关的配置. Rack1-ASR(config)# interface gigabitEthernet 0 Rack1-ASR(config-if)# ip address 81 Rack1-ASR(config-if)# no shutdown Rack1

6、-ASR(config-if)# ip route vrf Mgmt-intf 2.验证管理接口连通性, 使用携带VRF Mgmt-intf的Ping验证网关 Rack1-ASR# ping vrf Mgmt-intf Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds: ! Success rate is 100 percent (5/5), round-trip min/avg/

7、max = 1/1/1 ms 3.如果需要使用管理口处理FTP和TFTP文件拷贝, 则需要键入以下命令: Rack1-ASR(config)# ip ftp source-interface gigabitEthernet 0 Rack1-ASR(config)# ip tftp source-interface gigabitEthernet 0,Page:6,ASR1000配置系统时钟,1.配置时区 ASR1002-X1(config)# clock timezone China 8 2.配置NTP时钟 Rack1-ASR(config)# ntp authentication-key 1

8、 md5 cisco123 Rack1-ASR(config)# ntp trusted-key 1 Rack1-ASR(config)# ntp server vrf Mgmt-intf key 1 Rack1-ASR(config)# do show ntp association address ref clock st when poll reach delay offset disp * 50 3 14 64 1 0.000 2.000 189.45 * sys.peer, # selected, + candidate,

9、- outlyer, x falseticker, configured 3.查看时钟 Rack1-ASR(config)# do show clock 07:07:51.806 china Wed Oct 17 2012,Page:7,ASR1000升级ROMMON,1.拷贝ROMMON文件到RP Bootflash或harddisk Rack1-ASR#copy ftp:/asr:asr5/asr1000-rommon.152-1r.S.pkg bootflash: Accessing ftp:/*:*5/asr1000-rommon.152-1r.S.

10、pkg. Loading asr1000-rommon.152-1r.S.pkg ! OK - 1253680/4096 bytes 2.升级ROMMON Rack1-ASR#upgrade rom-monitor filename bootflash:asr1000-rommon.152-1r.S.pkg all Chassis model ASR1001 has a single rom-monitor. Upgrade rom-monitor Target copying rom-monitor image file File /tmp/rommon_upgrade/latest.bin

11、 is a FIPS ROMMON image 65536+0 records in 1114112+0 records out Upgrade flash partition MD5 signature is fe18056d332dced800d0632a0f629675 ROMMON upgrade complete. To make the new ROMMON permanent, you must restart the RP. 3.重启机箱: Rack1-ASR# reload 升级完成后使用show platform查看Firmware version,Page:8,ASR10

12、00 SPA卡FPD固件升级,升级原因: 由于SPA接口卡模块支持Cisco多个平台, 因此出厂时的固件版本不一定符合ASR1000的需求, 通常会产生如下日志, 此时我们需要将SPA的软件进行升级. *Sep 10 03:30:47.921: %SPA_OIR-3-SPA_POWERED_OFF: subslot 0/0: SPA 1xOC3 ATM SPA powered off after 5 failures within 1200 seconds *Sep 10 03:30:47.921: %SPA_OIR-6-OFFLINECARD: SPA (SPA-1XOC3-ATM-V2)

13、offline in subslot 0/0 *Sep 10 03:30:47.913: %ATMSPA-3-HW_ERROR: SIP0/0: SPA-1XOC3-ATM-V20/0 Error 0 x1C53 SPI4 initialization failed Router#sh plat Chassis type: ASR1006 Slot Type State Insert time (ago) - - - - 0 ASR1000-SIP40 ok 00:03:31 0/1 SPA-1XOC3-ATM-V2 out of service 00:00:55 R0 ASR1000-RP2

14、 ok, active 00:03:31 F0 ASR1000-ESP40 ok, active 00:03:31 P0 ASR1006-PWR-AC ps, fail 00:03:15 P1 ASR1006-PWR-AC ok 00:03:15 检查SPA FPD版本 Router# show hw-module subslot all fpd = = = = H/W Field Programmable Current Min. Required Slot Card Type Ver. Device: ID-Name Version Version = = = = = = 0/1 SPA-

15、1XOC3-AT 1.80 ? ?.? ?.? = = = =,Page:9,ASR1000 SPA卡FPD固件升级-续,手工升级SPA FPD: Router# upgrade hw-module subslot 0/1 fpd bundled % Cannot get FPD version information from SPA-1XOC3-ATM-V2 in subslot 0/1. If a previous upgrade attempt on the target card was interrupted, then the corruption of FPD image mi

16、ght have prevented the card from coming online. If this is the case, then a recovery upgrade would be required to fix the failure. (Hit ENTER to proceed with recovery upgrade operation) confirm -敲回车 % The following FPD will be upgraded for SPA-1XOC3-ATM-V2 (H/W ver = 1.80) in subslot 0/1: = = = = Fi

17、eld Programmable Current Upgrade Estimated Device: ID-Name Version Version Upgrade Time = = = = 1-I/O FPGA ?.? 2.2 00:07:00 = = = = % NOTES: - Use show upgrade fpd progress command to view the progress of the FPD upgrade. - Since the target card is currently in disabled state, it will be automatical

18、ly reloaded after the upgrade operation for the changes to take effect. % Do you want to perform the recovery upgrade operation? no: yes -确认升级 % Starting recovery upgrade operation in the background . (Use show upgrade fpd progress command to see upgrade progress) *Sep 9 22:44:10.604: %FPD_MGMT-6-UP

19、GRADE_TIME: Estimated total FPD image upgrade time for SPA-1XOC3-ATM-V2 card in subslot 0/1 = 00:07:00. *Sep 9 22:44:10.873: %FPD_MGMT-6-UPGRADE_START: I/O FPGA (FPD ID=1) image upgrade in progress for SPA-1XOC3-ATM-V2 card in subslot 0/1. Updating to version 2.2. PLEASE DO NOT INTERRUPT DURING THE

20、UPGRADE PROCESS (estimated upgrade completion time = 00:07:00) . 查看SPA FPD升级过程 Router# show upgrade fpd progress FPD Image Upgrade Progress Table: = = = Approx. Field Programmable Time Elapsed Slot Card Type Device : ID-Name Needed Time State = = = = = = 0/1 SPA-1XOC3-ATM-V2 1-I/O FPGA 00:07:00 00:0

21、2:52 Updating. = = =,配置ASR1000的安全登陆和授权 SSH登陆和TACACS+授权,Page:10,Page:11,ASR1000配置TACACS+授权-1,1.对CONSOLE口使用本地授权 Rack1-ASR(config)# aaa new-model Rack1-ASR(config)# aaa authentication login CONSOLE local Rack1-ASR(config)# username cisco privilege 15 password cisco123 Rack1-ASR(config)# line console 0

22、Rack1-ASR(config-line)# login authentication CONSOLE 2.配置TACACS+服务 注意由于管理接口使用Mgmt-intf VRF 因此需要按照如下方法进行配置: Rack1-ASR(config)# aaa group server tacacs+ ACS Rack1-ASR(config-sg-tacacs+)# server-private 54 key cisco123 Rack1-ASR(config-sg-tacacs+)# ip vrf forwarding Mgmt-intf Rack1-ASR(config-

23、sg-tacacs+)# ip tacacs source-interface GigabitEthernet 0 如果使用数据平面接口进行TACACS+通信则不需配置VRF相关的信息只需指定源接口(source-interface)即可 3.配置AAA授权和认证服务 Rack1-ASR(config)# aaa authentication login REMOTE group tacacs+ group ACS Rack1-ASR(config)# aaa authorization exec REMOTE tacacs+ group ACS Rack1-ASR(config)# aaa

24、authorization commands 15 REMOTE tacacs+ group ACS Rack1-ASR(config)# aaa authorization config-commands,Page:12,ASR1000配置TACACS+授权-2,1.添加ASR1000到Cisco Secure ACS中 使用54:2002登陆ACS添加新的AAA客户端, 然后点击左侧按钮”Network Configuration”,点击”ASR1K-TME”设备组, 然后在ASR1K-TME AAA Clients下方点击”Add Entry”,Page:1

25、3,ASR1000配置TACACS+授权-3,添加设备类型为TACACS+(Cisco IOS), 地址为ASR1000管理口地址, 密码为cisco123, 配置完成后点击”Submit+Apply”,2.针对不同登陆用户权限进行命令授权 点击左侧Shared Profile Components, 查看”Shell Command Authorized Sets”,Page:14,ASR1000配置TACACS+授权-4,创建两个组,一个名为Admin, 另一个为NetOps, 其中Admin有所有的配置权限(unmatched commands permit),NetOps仅有更改IP路

26、由(ip route命令)的权限,Page:15,ASR1000配置TACACS+授权-5,3.添加命令行控制权限到用户组,点击”Group Setup” , 配置了两个Group(Admin/NetOps).其中TACACS+ Setting中, 配置Shell(exec)和Privilege Level, 并且在Shell Command Authorization Set 中配置选用” Assign a Shell Command Authorization Set for any network device”,Page:16,ASR1000配置TACACS+授权-6,4.添加用户到用

27、户组,点击”User Setup” 输入用户名rackyyadmin/rackyyops 点击”Add/Edit” , 例如rack1admin, 密码为cisco123, 用户组选择为Admin或者NetOps,5.配置登陆使用的VTY并激活SSH登陆,配置域名和密钥启用SSH登陆, 注意密钥长度要大于1024才能使用SSHv2登陆 Rack1-ASR(config)# ip domain-name Rack1-ASR(config)# crypto key generate rsa modulus 1024 % You already have RSA keys defined named

28、 Rack1-ASR. % They will be replaced. % The key modulus size is 1024 bits % Generating 1024 bit RSA keys, keys will be non-exportable. OK (elapsed time was 0 seconds) 配置VTY,并仅允许SSH登陆 Rack1-ASR(config-line)# line vty 0 90 Rack1-ASR(config-line)# authorization commands 15 REMOTE Rack1-ASR(config-line)#

29、 authorization exec REMOTE Rack1-ASR(config-line)# login authentication REMOTE Rack1-ASR(config-line)# transport input ssh,软件授权(License 安装) 仅ASR1001/ASR1002-X/CSR1000v需要使用,Page:17,软件版本授权 ASR1001和ASR1002-X使用通用的操作系统文件(universalk9), 单个IOS XE软件包支持IP Base/ Advanced IP Service / Advanced Enterprise Servic

30、e等三种软件版本, 可以通过使用软件授权的方式进行版本切换 ASR1002/ASR1004/ASR1006/ASR1013则是采用三种不同的IOS XE文件来实现不同版本的切换 吞吐量授权 ASR1001默认为2.5Gbps吞吐量, 可以通过软件授权升级到5Gbps ASR1002-X默认为5Gbps吞吐量,可以通过软件授权升级到10Gbps/20Gbps/36Gbps 特殊软件功能授权 对于IPSec/防火墙/AVC等功能有单独的软件授权License, 这些授权仅在ASR1001和ASR1002-X上使用,ASR1000系列路由器软件特性授权详解,Page:18,Page:19,Page:

31、20,ASR1000软件授权安装方式,查看License需要的序列号: Router# show license udi SlotID PID SN UDI - *6 ASR1002-X JAE16370304 ASR1002-X:JAE16370304 使用PID和SN申请License后, 将邮件获得的License文件拷贝到ASR1000中: ASR1002-X1# copy t67/ASR/JAE16370304_20121115072219026.lic bootflash: Destination filename JAE16370304_201211

32lic? Accessing t67/ASR/JAE16370304_20121115072219026.lic. Loading ASR/JAE16370304_20121115072219026.lic from 67 (via GigabitEthernet0): ! OK - 3287 bytes 3287 bytes copied in 0.029 secs (113345 bytes/sec) 安装License ASR1002-X1# license install bootflash:JAE1637030

33、4_20121115072219026.lic Installing licenses from bootflash:JAE16370304_20121115072219026.lic Installing.Feature:internal_service.Successful:Supported Installing.Feature:adventerprise.Successful:Supported Installing.Feature:throughput_36g.Successful:Supported 3/3 licenses were successfully installed

34、0/3 licenses were existing licenses 0/3 licenses were failed to install,Page:21,ASR1000软件授权安装方式-2,安装完成后重启: 启动时的系统日志: *Nov 15 18:36:50.019: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = asr1002x Next reboot level = adventerprise and License = adventerprise *Nov 15 18:37:02.188: %LINK-

35、3-UPDOWN: Interface Lsmpi0, changed state to up *Nov 15 18:37:02.188: %LINK-3-UPDOWN: Interface EOBC0, changed state to up *Nov 15 18:37:02.188: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up *Nov 15 18:37:02.188: %LINEPROTO-5-UPDOWN: Line protocol on Interface LI-Nu

36、ll0, changed state to up *Nov 15 18:37:02.188: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down *Nov 15 18:37:03.207: %LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up *Nov 15 18:36:52.876: %CMLIB-6-THROUGHPUT_VALUE: R0/0: cmand: Throughput license found, th

37、roughput set to 40000000 kbps 检查License ASR1002-X1# show license feature Feature name Enforcement Evaluation Subscription Enabled RightToUse adventerprise yes yes no yes yes advipservices yes yes no no yes ipbase no no no no no avc no no no no no broadband no no no no no cube_video_b2btp no no no no

38、 no firewall no no no no no internal_service yes no no no no ipsec yes yes no no yes otv no no no no no sw_redundancy yes yes no no yes throughput_10g yes yes no no yes throughput_20g yes yes no no yes throughput_36g yes yes no yes yes vpls no no no no no,开启软件冗余 仅ASR1001/ASR1002-X/ASR1004可以使用 ASR100

39、6/ASR1013使用硬件冗余,IOS XE(Linux Kernel),IOS Active,IOS Standby,Page:22,Page:23,ASR1000软件冗余配置,开启软件冗余前仅一个IOS引擎: ASR1002-X1#show platform Chassis type: ASR1002-X Slot Type State Insert time (ago) - - - - 0 ASR1002-X ok 00:15:48 0/0 6XGE-BUILT-IN ok 00:15:07 0/1 SPA-1XOC3-ATM-V2 ok 00:15:07 R0 ASR1002-X ok

40、, active 00:15:48 F0 ASR1002-X ok, active 00:15:48 P0 ASR1002-PWR-AC ok 00:15:26 P1 ASR1002-PWR-AC ok 00:15:25 Slot CPLD Version Firmware Version - - - 0 12042303 15.2(4r)S R0 12042303 15.2(4r)S F0 12042303 15.2(4r)S ASR1002-X1(config)#redundancy ASR1002-X1(config-red)#mode sso Feature Name:sw_redun

41、dancy Activation of the software command line interface will be evidence of your acceptance of this agreement. ACCEPT? (yes/no): yes *Nov 15 18:53:46.171: %LICENSE-6-EULA_ACCEPTED: EULA for feature sw_redundancy 1.0 has been accepted. UDI=ASR1002-X:JAE16370304; StoreIndex=5:Built-In License Storage

42、*Nov 15 18:53:46.566: %CMRP-6-DUAL_IOS_REBOOT_REQUIRED: R0/0: cmand: Configuration must be saved and the chassis must be rebooted for IOS redundancy changes to take effect *Nov 15 18:53:46.568: % Redundancy mode change to SSO,IOS XE(Linux Kernel),IOS Active,IOS Standby,Page:24,ASR1000软件冗余配置-2,重启后: A

43、SR1002-X1#show platform Chassis type: ASR1002-X Slot Type State Insert time (ago) - - - - 0 ASR1002-X ok 00:01:02 0/0 6XGE-BUILT-IN ok 00:00:21 0/1 SPA-1XOC3-ATM-V2 ok 00:00:21 R0 ASR1002-X ok 00:01:02 R0/0 ok, active 00:01:02 R0/1 init, standby never F0 ASR1002-X ok, active 00:01:02 P0 ASR1002-PWR-

44、AC ok 00:00:39 P1 ASR1002-PWR-AC ok 00:00:39 Slot CPLD Version Firmware Version - - - 0 12042303 15.2(4r)S R0 12042303 15.2(4r)S F0 12042303 15.2(4r)S,IOS XE(Linux Kernel),IOS Active,IOS Standby,ASR1000接口地址和路由协议配置,Page:25,Page:26,ASR1000接口配置,POS接口配置 ASR1002-X1(config)# interface pos0/2/0 ASR1002-X1(

45、config-if)# pos framing sonet ASR1002-X1(config-if)# keepalive 10 ASR1002-X1(config-if)# clock source internal ASR1002-X1(config-if)# no pos scramble-atm ASR1002-X1(config-if)# load-interval 30 ASR1002-X1(config-if)# encapsulation ppp ASR1002-X1(config-if)# ip address ATM接口 AS

46、R1002-X1(config)# interface atm0/1/0 ASR1002-X1(config-if)#atm clock internal ASR1002-X1(config-if)#no shutdown ASR1002-X1(config-if)#interface atm0/1/0.1 point ASR1002-X1(config-subif)#ip address ASR1002-X1(config-subif)#pvc 10/100 ASR1002-X1(config-if-atm-vc)# vbr-nrt 30720

47、30720 ASR1002-X1(config-if-atm-vc)# oam-pvc manage ASR1002-X1(config-if-atm-vc)# oam retry 3 3 1 ASR1002-X1(config-if-atm-vc)# protocol ip broadcast ASR1002-X1(config-if-atm-vc)# encapsulation aal5snap,E1接口配置 ASR1002-X1(config)#card type e1 0 1 ASR1002-X1(config)#controller E1 0/1/0 ASR1002

48、-X1(config-controller)#channel-group 0 timeslots 1-31 ASR1002-X1(config-controller)#interface serial 0/1/0:0 ASR1002-X1(config-if)#encapsulation hdlc ASR1002-X1(config-if)#ip address 以太网口 ASR1002-X1(config)#interface Gi0/1/0.100 ASR1002-X1(config-if)#encapsulation dot1q 100 AS

49、R1002-X1(config-if)#ip address ,Page:27,ASR1000路由协议配置,静态路由 ip route RIP router rip version 2 network network OSPF (启用BFD功能) interface GigabitEthernet0/1/2 ip address bfd interval 50 min_rx 50 multiplier

50、3 no bfd echo ip ospf bfd ! router ospf 100 network 55 area 0 bfd all-interfaces BGP router bgp 100 neighbor remote-as 100 neighbor update-source loopback 0 ! address-family ipv4 unicast network mask ,EIGRP router eigrp 100 network redist

51、ribute static route-map agg-routes default-metric 1000 1 255 1 1500 distribute-list 20 out serial0/1/0:0 ! ip route null0 ! route-map agg-routes permit 10 match ip address 10 match interface serial 0/1/0:0 ! access-list 10 permit 55 access-list 20 permit 55 策略路由（PBR） interface gi0/0/0