
Operating an ASR 1000

Jason Yang CCIE #10467, Technical Marketing Engineer


BRKARC-2019
Agenda

Platform Introduction
Zero Touch Deployment
What and How to Monitor System in Daily Operation
DoS Attack Detection and Mitigation Best Practices
Device Programmability (Demo)
IOS XE 16 Migration

Companion Session: BRKARC-2001: ASR 1000 System & Solution Architectures
Platform Introduction
ASR 1000 Building Blocks

Centralized Forwarding Architecture
Traffic flows through the active ESP; the standby ESP is synchronized with all the states.

Distributed Control Architecture
All major system components have a powerful control processor dedicated for control and management planes.

Route Processor (RP)
Handles the control plane
Manages the system

Embedded Service Processor (ESP)
Handles forwarding plane traffic

SPA Interface Processor (SIP)
Houses Shared Port Adapters (SPA)
Packet buffer

Ethernet Linecard (ELC)
Built-in GE/10GE ports
Packet buffer

Modular Interface Processor (MIP)
Houses Ethernet Port Adapters (EPA)
Packet buffer

[Block diagram: two RPs (CPU, interconnect) and two ESPs (FECP, QFP with PPE and BQS, Crypto Assist, interconnect) joined over the midplane through GE switches to the SIP/ELC/MIP cards (IOCP, AGG ASIC, interconnect).]
BRKARC-2019 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
ASR 1000 Software (IOS XE) Architecture

RP (Linux kernel; IOS active and standby)
IOS
Runs the control plane
Generates configurations
Maintains routing tables (RIB, FIB)
Platform Adaptation Layer (PAL)
Provides the abstraction layer between hardware & IOS
Chassis manager
Initialization of RP processes
Initialization of installed cards
Detects and manages OIR of cards
Manages system status, environments, power, EOBC
Forwarding manager
Manages ESP redundancy
Maintains copy of FIB and interface list
Communicates FIB status to active & standby ESP

ESP (Linux kernel)
Chassis manager
Forwarding manager
Communicates with the forwarding manager on the RP
Maintains copy of FIBs
Provides interface to QFP client & driver
QFP client / driver
Programs the QFP forwarding plane (QFP code, QFP DRAM)
Statistics collection & communication

SIP (Linux kernel)
Chassis manager
SPA driver
Driver software for SPA interface cards
Each driver is loaded independently
Failure or upgrade of a driver does not affect other SPAs in the chassis

Control messaging links the RP, ESP and SIP components.
ASR 1000 Series Chassis

                      ASR 1001-X      ASR 1002-X      ASR 1002-HX      ASR 1004        ASR 1006-X       ASR 1009-X       ASR 1013
RP Slots              Integrated      Integrated      Integrated       1               2                2                2
ESP Slots             Integrated      Integrated      Integrated       1               2                2 (super)        2 (super)
SIP/ELC Slots*        Integrated      Integrated      N/A              2               2                3                6
SPA                   1               3               N/A              8               8                12               24
MIP slots*            N/A             N/A             N/A              N/A             2                3                6
EPA                   N/A             N/A             1                N/A             4                6                12
NIM                   1               N/A             1                N/A             N/A              N/A              N/A
Built-in ports        6xGE+2x10GE     6xGE            8x10GE+8xGE      N/A             N/A              N/A              N/A
Redundancy            Software        Software        Software         Software        Hardware         Hardware         Hardware
Height (in)           1.75 (1RU)      3.5 (2RU)       3.5 (2RU)        7 (4RU)         10.5 (6RU)       15.7 (9RU)       22.7 (13RU)
Bandwidth             2.5 to 20 Gbps  5 to 36 Gbps    44 to 100 Gbps   10 to 40 Gbps   40 to 100 Gbps   40 to 200 Gbps   40 to 200 Gbps
Maximum Output Power  250W            470W            600W             765W            5500W            5500W            3200W

* Each slot can seat only one SIP, ELC or MIP

Zero Touch Deployment
AutoInstall
Enables the initial configuration of a remote router automatically.
Combined with a DHCP and TFTP server.
Facilitates the centralized management of router installation.
Supported on the Mgmt interface.

DHCP/TFTP server configuration (DHCP + option 150 points the remote sites at the TFTP server):

tftp-server bootflash:ASR1000-bootstrap
!
ip dhcp excluded-address 30.1.1.1
!
ip dhcp pool ZTP
 network 30.1.1.0 255.255.255.0
 bootfile ASR1000-bootstrap
 default-router 30.1.1.1
 option 150 ip 30.1.1.1

APIC-EM Network PnP

Simple
Zero-Touch provisioning of DC & Branch deployments
GUI based workflows
Robust discovery mechanisms for all deployment types

Secure
SUDI based device authentication
CA based server (APIC-EM) authentication
HTTPS for image & config downloads
Installer has no access to device configuration

Consistent
Support for end-to-end Enterprise platforms
Consistent workflows for all platforms
Integrated w/ PI3.x workflows

[Diagram: DHCP server, DNS server and APIC-EM; unplanned device workflow, where the admin selects the device.]

Secured PnP Deployment (16.4)

Components: ASR1k running the PnP Agent, DHCP server, DMZ, APIC PnP Server in the DC. The PnP Server uses a self-signed SSL certificate.

1. DHCP request from the PnP Agent; DHCP response with option 43 carrying the server IP.
2. PnP Agent initiates HTTP communication with the server and sends the device UDI (HTTP PnP work request with device serial number (UDI)).
3. PnP Server receives the UDI and sends the server SSL certificate over HTTP.
4. PnP Agent installs the local trust point for the server SSL certificate.
5. PnP Agent initiates HTTPS communication with the server and sends the device UDI (HTTPS PnP work request with device serial number (UDI)).
6. PnP Server receives the device UDI and sends the full configuration and Cisco IOS Software image over the HTTPS channel.

What and How to Monitor
- Management Interface & Features
Mgmt Interface
The ASR 1000 has an out-of-band Mgmt GE interface attached to the RP.
This interface sits in the default management VRF (Mgmt-intf), which cannot be removed or changed.
Many management features need to be configured with VRF options or with Gig0 as the source interface: tftp, ntp, snmp, syslog, tacacs/radius.

!!!! ntp
ntp server vrf Mgmt-intf 10.1.1.1
!!!! logging
logging host 10.1.1.1 vrf Mgmt-intf
!!!! domain name assignment
ip domain-name vrf Mgmt-intf cisco.com
!!!! DNS service
ip name-server vrf Mgmt-intf 5.20.1.2
!!!! tftp
ip tftp source-interface GigabitEthernet0
!!!! radius server
aaa group server radius foo
 ip vrf forwarding Mgmt-intf
!!!! tacacs+ server
aaa group server tacacs+ bar
 ip vrf forwarding Mgmt-intf
!!!! snmp
snmp-server source-interface traps gigabitEthernet 0
!!!! FTP service
ip ftp source-interface gigabitEthernet 0

Mgmt Interface contd
There are a few exceptions: Flexible NetFlow export and NAT/FW High Speed Logging (HSL).
These are exported directly by the QFP rather than through the Mgmt interface.
HSL: the ASR 1000 exports NetFlow v9-like records to an external collector for session creation/deletion events, with 5-tuples.
HSL-supported collectors: Lancope, Isarflow, ActionPacked, Plixer.

What and How to Monitor
- Facility & Environment
ASR 1000 PEM (Power Entry Module) = P/S + integrated FANs

P/S Failure:
The power supplies are redundant.
Failure of a P/S does not affect the FANs.

FAN Failure:
A single fan failure has no impact on the other fans in the PEM.
On multi-fan failure a critical alarm will be generated. The system will continue to run, and the behavior depends on where the fan failure occurred.

Automatic router shutdown occurs when:
a PEM is removed for more than 5 minutes;
the router internal temperature or P/S is over 100C, if facility-alarm critical exceed-action shutdown is enabled.

ASR1009-X / ASR1006-X Power Supply

ASR1000X-AC-1100W or ASR1000X-DC-950W power supply modules, up to 6 of them.
Power-on-demand
Load sharing
Redundancy (N+1): [no] platform power redundancy-mode nplus1

Router#show platform power
Chassis type: ASR1006-X

Slot      Type                State                 Allocation(W)
--------- ------------------- --------------------- -------------
1         ASR1000-SIP40       ok                    64
R0        ASR1000-RP2         ok, active            105
R1                            unknown               0
F0        ASR1000-ESP100      ok, active            350
P6        ASR1000X-FAN        ok                    125
P7        ASR1000X-FAN        ok                    125

Slot      Type                State                 Capacity (W) Load (W)
--------- ------------------- --------------------- ------------ ------------
P0        ASR1000X-AC-1100W   ok                    1100         132
P1        ASR1000X-AC-1100W   ok                    1100         144
P2        ASR1000X-AC-1100W   ok                    1100         144

Total load: 420 W, total capacity: 3300 W. Load / Capacity is 12%
Power capacity:               3300 W
Redundant allocation:         1100 W
PS/Fan allocation:            250 W
Hot swappable FRU allocation: 519 W
--------------------------------------------
Excessive Power in Reserve:   1431 W
Excessive / (Capacity - Redundant) is 65%
Power Redundancy Mode: nplus1
Power Allocation Status: Sufficient

Facility & Environment Monitoring
Facilities & environment can be monitored via:
1. SNMP: CISCO-ENTITY-FRU-CONTROL-MIB to monitor FRU status, CISCO-ENTITY-ALARM-MIB to monitor power supply and fan, CISCO-ENTITY-SENSOR-MIB to monitor sensors.
2. Show commands.

Configure the below CLIs to generate the traps:
snmp-server enable traps fru-ctrl
snmp-server enable traps alarms

Recommended traps to monitor:
cefcModuleStatusChange
cefcPowerStatusChange
cefcFRUInserted
cefcFRURemoved
entConfigChange
entSensorThresholdNotification

ASR1000# show facility-alarm status
System Totals  Critical: 1  Major: 1  Minor: 0

Source                      Severity  Description [Index]
------                      --------  -------------------
Cisco ASR1004 AC Power Sup  Critical  Power Supply Failure [0]
SPA subslot 0/1             MAJOR     Unknown state [0]

ASR1000# show environment all | inc R0
V1: VMA         R0   Normal   1201 mV
V1: VMB         R0   Normal   2495 mV
V1: VMC         R0   Normal   3295 mV
V1: VMD         R0   Normal   2495 mV
V1: VME         R0   Normal   1796 mV
V1: VMF         R0   Normal   1528 mV
Temp: Outlet    R0   Normal   28 Celsius
Temp: CPU AIR   R0   Normal   30 Celsius
Temp: Inlet     R0   Normal   21 Celsius
Temp: SCBY AIR  R0   Normal   41 Celsius
Temp: MCH DIE   R0   Normal   48 Celsius
Temp: MCH AIR   R0   Normal   36 Celsius
Temp: C2D C0    R0   Normal   32 Celsius
Temp: C2D C1    R0   Normal   32 Celsius

Facility & Environment Monitoring contd
Before using CISCO-ENTITY-SENSOR-MIB to monitor the environment, first use ENTITY-MIB to find the entPhysicalDescr ID, then search CISCO-ENTITY-SENSOR-MIB for the required data, such as polling the RP CPU temperature (ENTITY-MIB::entPhysicalDescr.8022 = STRING: Temp: CPU AIR).

[root@shmcp-lnx-1 ~]# snmpwalk -v 2c -c public 5.28.28.10 1.3.6.1.2.1.47.1.1.1.1.2 | more
ENTITY-MIB::entPhysicalDescr.1 = STRING: Cisco ASR1013 Chassis
ENTITY-MIB::entPhysicalDescr.2 = STRING: CC Slot
ENTITY-MIB::entPhysicalDescr.3 = STRING: CC Slot
ENTITY-MIB::entPhysicalDescr.4 = STRING: CC Slot
ENTITY-MIB::entPhysicalDescr.5 = STRING: CC Slot
ENTITY-MIB::entPhysicalDescr.6 = STRING: CC Slot
ENTITY-MIB::entPhysicalDescr.7 = STRING: CC Slot
ENTITY-MIB::entPhysicalDescr.8 = STRING: RP Slot
ENTITY-MIB::entPhysicalDescr.9 = STRING: RP Slot
ENTITY-MIB::entPhysicalDescr.10 = STRING: FP Slot
ENTITY-MIB::entPhysicalDescr.11 = STRING: FP Slot
ENTITY-MIB::entPhysicalDescr.12 = STRING: Power Supply Bay
ENTITY-MIB::entPhysicalDescr.13 = STRING: Cisco ASR1013 AC Power Supply
ENTITY-MIB::entPhysicalDescr.14 = STRING: PEM Iout
ENTITY-MIB::entPhysicalDescr.15 = STRING: PEM Vout
ENTITY-MIB::entPhysicalDescr.16 = STRING: PEM Vin
ENTITY-MIB::entPhysicalDescr.17 = STRING: Temp: PEM
ENTITY-MIB::entPhysicalDescr.18 = STRING: Temp: FC
ENTITY-MIB::entPhysicalDescr.23 = STRING: Power Supply
ENTITY-MIB::entPhysicalDescr.24 = STRING: Fan
ENTITY-MIB::entPhysicalDescr.25 = STRING: Fan
ENTITY-MIB::entPhysicalDescr.26 = STRING: Fan
ENTITY-MIB::entPhysicalDescr.32 = STRING: Power Supply Bay
ENTITY-MIB::entPhysicalDescr.8022 = STRING: Temp: CPU AIR

[root@shmcp-lnx-1 ~]# snmpwalk -v 2c -c public 5.28.28.10 1.3.6.1.4.1.9.9.91 | grep 8022
CISCO-ENTITY-SENSOR-MIB::entSensorValue.8022 = INTEGER: 30
CISCO-ENTITY-SENSOR-MIB::entSensorStatus.8022 = INTEGER: ok(1)

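The two-step lookup above (ENTITY-MIB description to entPhysicalIndex, then CISCO-ENTITY-SENSOR-MIB value and status for that index) is easy to script once the walks are captured. The following is an added example, not code from the session or from Cisco: it parses the text form of the two snmpwalk outputs, resolves every "Temp:" entity to its sensor reading and flags any sensor that is not in the ok state or is above an assumed 60 C operator limit. The walk excerpts are constructed from the rows shown on the slide; only the index 8022 values are the ones the slide reports.

```python
import re

# Constructed snmpwalk output, trimmed to a few of the rows shown above
# (the 8022 values are from the slide; the PEM sensor reading is illustrative).
ENTITY_WALK = """\
ENTITY-MIB::entPhysicalDescr.1 = STRING: Cisco ASR1013 Chassis
ENTITY-MIB::entPhysicalDescr.8 = STRING: RP Slot
ENTITY-MIB::entPhysicalDescr.17 = STRING: Temp: PEM
ENTITY-MIB::entPhysicalDescr.24 = STRING: Fan
ENTITY-MIB::entPhysicalDescr.8022 = STRING: Temp: CPU AIR
"""

SENSOR_WALK = """\
CISCO-ENTITY-SENSOR-MIB::entSensorValue.17 = INTEGER: 39
CISCO-ENTITY-SENSOR-MIB::entSensorStatus.17 = INTEGER: ok(1)
CISCO-ENTITY-SENSOR-MIB::entSensorValue.8022 = INTEGER: 30
CISCO-ENTITY-SENSOR-MIB::entSensorStatus.8022 = INTEGER: ok(1)
"""

# One snmpwalk line: <MIB>::<object>.<index> = <TYPE>: <value>
WALK_LINE = re.compile(r"^[\w-]+::(\w+)\.(\d+) = (?:STRING|INTEGER): (.*)$")


def parse_walk(text):
    """Turn snmpwalk text into {(object, index): value}; non-matching lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if m:
            obj, idx, value = m.groups()
            table[(obj, int(idx))] = value
    return table


def indexes_for(entity_table, descr_prefix):
    """Step 1: entPhysicalDescr -> entPhysicalIndex.  Returns {index: descr} for every
    entity whose description starts with descr_prefix (e.g. 'Temp:' for all sensors)."""
    return {idx: val for (obj, idx), val in entity_table.items()
            if obj == "entPhysicalDescr" and val.startswith(descr_prefix)}


def read_sensor(sensor_table, idx):
    """Step 2: value and status for one index from the CISCO-ENTITY-SENSOR-MIB walk.
    Returns (value, status_name); the status name is the text before '(', e.g. 'ok'."""
    value = int(sensor_table[("entSensorValue", idx)])
    status = sensor_table[("entSensorStatus", idx)].split("(")[0]
    return value, status


def temperature_report(entity_text=ENTITY_WALK, sensor_text=SENSOR_WALK, high=60):
    """Resolve every 'Temp:' entity to its sensor reading and flag anything that is not
    'ok' or is above `high` degrees (60 C is an assumed operator limit, not a Cisco value).
    Returns {descr: (index, value, status, alarmed)}."""
    entities = parse_walk(entity_text)
    sensors = parse_walk(sensor_text)
    report = {}
    for idx, descr in indexes_for(entities, "Temp:").items():
        value, status = read_sensor(sensors, idx)
        report[descr] = (idx, value, status, status != "ok" or value > high)
    return report


if __name__ == "__main__":
    for descr, (idx, value, status, alarmed) in temperature_report().items():
        print(f"{descr:<16} index={idx:<5} {value} C  {status}  {'ALARM' if alarmed else ''}")
```

Because entPhysicalIndex values are assigned by the device and can change after a reload or card OIR, the index resolution is repeated on every poll rather than hard-coded, which is the same reason the slide walks ENTITY-MIB first.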
What and How to Monitor
- System Resources used by Features

Feature <> ESP Resources Dependency

Features that consume ESP resources: QoS Marking/Police, NAT sessions, IPsec SA, NetFlow cache, FW hash tables, QoS queuing, VFR re-assembly, IPsec headers.

ESP resources they depend on (grouping as shown on the slide):
Memory for FECP: QFP client / driver, QoS class maps, FM FP ACL/ACE, route-map, statistics
Resource DRAM: class/policy maps (QoS, DPI, FW), IPsec Security Associations, NAT config objects, IPsec/IKE SA, NF config data, ZB-FW config objects
TCAM: ACL ACEs copy; class groups, classes, rules
Packet buffer: QoS queuing, NAT VFR re-assembly, IPsec headers
QFP complex: Packet Processor Engines (PPE1 ... PPE40), Dispatcher, BQS, Crypto

[ESP block diagram: FECP with memory and bootflash, connected to the RPs over GE (1Gbps), I2C, ESI and the Mgmt bus; Hypertransport (10Gbps) to the QFP complex; chassis interconnect to the RPs and SIPs.]

Key System Resources to Monitor - Summary

RP
IOS RP memory: show mem stat (watch at 75%)
RP CPU: show proc cpu sort (watch at 75%)
Forwarding Manager / RP control processor: show platform software status control-processor brief

ESP
Forwarding Manager, FECP CPU, QFP client / driver: show platform software status control-processor brief
TCAM: show platform hardware qfp active tcam resource-manager usage
ESP memory, resource DRAM, packet memory: show platform hardware qfp active infra exmem statistics (watch at 75%)
QFP datapath: show platform hardware qfp active datapath util summary
Crypto assist: show platform hardware crypto-device utilization

SIP

Each system resource monitoring is explained in detail in the following slides.


Mitigation Plan when running out of resources
Before upgrading the RP, memory or ESP, the customer can immediately take the following actions to reduce system resource utilization:

IOS/Control CPU and memory
1. Shut down routing peers:
   neighbor {ip-address} shutdown graceful <seconds>
2. Reduce prefixes received from a peer:
   neighbor {ip-address} maximum-prefix <number of prefixes>
3. Turn off software redundancy:
   redundancy \ mode none

QFP resources / DRAM
1. Reduce NAT max-entries:
   ip nat translation max-entries <number of entries>; nat64 translation max-entries <number of entries>
2. Reduce the FW session limit:
   parameter-map type inspect global \ session total <count>
3. Reduce the FNF cache limit:
   flow monitor M1 \ cache entries <number of entries>

Key System Resources to Monitor
- IOSd CPU & Memory Utilization

CPU load in the IOSd process:
show processes cpu

In IOSd, to investigate which process occupies the memory, use the traditional commands:
show memory
show memory allocating-process totals

Key System Resources to Monitor
- Control CPU & Memory Utilization (1)
For an overview of each module's CPU load on the ASR 1000, use the following command (a sample EEM script that triggers on the load is in the reference slide at the section end):

ASR1000# show platform software status control-processor brief
Load Average
 Slot  Status   1-Min  5-Min  15-Min
 RP0   Healthy  0.06   0.06   0.01
 RP1   Healthy  0.06   0.04   0.01
 ESP0  Healthy  0.01   0.00   0.00
 ESP1  Healthy  0.00   0.00   0.00
 SIP1  Healthy  0.04   0.03   0.01
 SIP2  Healthy  0.00   0.00   0.00

Load Average represents the process queue or process contention for CPU resources.
1. On a single core processor, an instantaneous load of 7 would mean that seven processes were ready to run, one of which is currently running.
2. On a dual core processor, a load of 7 would mean that seven processes were ready to run, two of which are currently running.
Key System Resources to Monitor
- Control CPU & Memory Utilization (2)
<continued from the last show command output; Status is Critical, Warning or Healthy, defined in the reference slide at the section end>

Memory (kB)
 Slot  Status    Total    Used (Pct)     Free (Pct)     Committed (Pct)
 RP0   Critical  3919788  3891940 (95%)  27848 (0%)     2005100 (98%)
 RP1   Healthy   3919788  1164924 (28%)  2754864 (66%)  1994212 (48%)
 ESP0  Healthy   2030288  520744 (24%)   1509544 (71%)  2816620 (84%)
 ESP1  Healthy   2030288  514972 (24%)   1515316 (72%)  2816356 (84%)
 SIP1  Healthy   484332   311868 (59%)   172464 (32%)   262472 (50%)
 SIP2  Healthy   484332   332252 (63%)   152080 (29%)   317648 (60%)

CPU Utilization
 Slot  CPU  User  System  Nice  Idle   IRQ   SIRQ  IOwait
 RP0   0    1.28  1.15    0.00  97.25  0.01  0.10  0.20
 RP1   0    0.94  1.23    0.00  97.48  0.00  0.02  0.30
 ESP0  0    0.56  0.66    0.00  98.76  0.00  0.00  0.00
 ESP1  0    0.52  0.64    0.00  98.82  0.00  0.00  0.00
 SIP1  0    0.47  0.45    0.00  99.04  0.00  0.01  0.00
 SIP2  0    0.58  0.53    0.00  98.85  0.00  0.01  0.00

Memory utilization is represented by the following:
Total: total physical memory.
Used: includes buffers and memory cached by the Linux kernel to allow very efficient memory access.
Free: available memory; becomes very accurate in XE 16.3.1, as it then includes reclaimable memory.
Committed: the sum of all malloc from user-space processes; processes can malloc more than they need.
Key System Resources to Monitor
- Control CPU & Memory Utilization (3)
CPU utilization is a two-second relative percentage average of the number of processes requesting CPU resources at a given time and is represented by the following fields:
CPU: the allocated processor
User: non-Linux-kernel processes
System: Linux kernel processes
Nice: low priority processes
Idle: percentage of time the CPU was inactive
IRQ: interrupts
SIRQ: system interrupts
IOwait: percentage of time the CPU was waiting for IO

To read real-time utilization:

ASR1000# show platform software process slot RP active monitor cycles 2 | inc Cpu|Mem
Cpu(s): 1.1%us, 1.0%sy, 0.0%ni, 97.9%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 16343244k total, 3988416k used, 12354828k free, 202964k buffers
Swap: 0k total, 0k used, 0k free, 1414668k cached
Cpu(s): 3.8%us, 0.3%sy, 0.0%ni, 95.8%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 16343244k total, 3988788k used, 12354456k free, 202964k buffers
Swap: 0k total, 0k used, 0k free, 1414796k cached

*the first set of values is invalid; only the 2nd cycle or higher reports valid CPU figures.
Key System Resources to Monitor
- Control CPU & Memory Utilization (4)
To check processes in each module, use the following command in a VTY session (enter m to sort by memory usage):

ASR1000# monitor platform software process fp active
Tasks: 80 total, 4 running, 76 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.0% us, 0.3% sy, 0.0% ni, 98.7% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 2030288k total, 525260k used, 1505028k free, 21228k buffers
Swap: 0k total, 0k used, 0k free, 192024k cached

 PID USER   PR NI  VIRT   RES   SHR S %CPU %MEM   TIME+ COMMAND
4750 root   20  0  645m   92m   31m S  0.7  4.6 26:36.97 cpp_cp_svr
5597 root   20  0  502m   45m   24m S  0.3  2.3  6:00.44 fman_fp_image
5737 root   20  0 16108  5732  4104 R  0.3  0.3 12:39.08 hman
7321 root   20  0  8876  2200  1712 R  0.3  0.1  0:00.03 in.telnetd
7392 binos  20  0  2496  1212   976 R  0.3  0.1  0:00.10 top
   1 root   20  0  2132   632   544 S  0.0  0.0  0:10.63 init

*the "monitor" command does not work on the console; it works on a vty by default.

*Don't screenshot the 1st output; let the cycle go through a few times.

Key System Resources to Monitor
- Control CPU & Memory Utilization (5)

CISCO-PROCESS-MIB is made to support the 64-bit architecture that runs on IOS XE.

CISCO-PROCESS-MIB is able to monitor CPUs on the RP, ESP and SIP. Only the active RP/ESP can be monitored, not the standby.

Here is an example:

1) Find out the index for the RP's cpmCPUTotal1min:
nms-1-76-> getmany -v2c 9.0.0.52 cpmCPUTotalPhysicalIndex
cpmCPUTotalPhysicalIndex.2 = 7031
7031 is the RP CPU physical index in ENTITY-MIB, so use 2 as the index for the RP's cpmCPUTotal1min.

2) The OID used to retrieve the instance for the RP's cpmCPUTotal1min:
nms-1-77-> getone -v2c 9.0.0.52 cpmCPUTotal1min.2
cpmCPUTotal1min.2 = 58
Please note that cpmCPUTotal1min.2 is the same as OID 1.3.6.1.4.1.9.9.109.1.1.1.1.4.2

Key System Resources to Monitor
- QFP & Resource DRAM Utilization (1)

To display the QFP utilization, use the following command:

ASR1000# show platform hardware qfp active datapath utilization summary
  CPP 0:                    5 secs       1 min       5 min      60 min
Input:  Total (pps)        1625349     1625340     1625345     1625345
               (bps)    1708810504  1708399184  1708085344  1708039368
Output: Total (pps)        1625333     1625338     1625344     1625344
               (bps)    1786828168  1786418448  1786105008  1786059008
Processing: Load (pct)           2           2           2           2

Annotations on the slide: a Processing Load of 97%+ indicates the QFP chip is reaching its performance limit; >=99% indicates the crypto chip is reaching its performance limit.

Key System Resources to Monitor
- QFP & Resource DRAM Utilization (2)

DRAM usage on the QFP can be found with the following command (%util = InUse / Total):

ASR1000# show platform hardware qfp active infrastructure exmem statistics
QFP exmem statistics
  Type: Name: DRAM, QFP: 0
    Total: 1073741824
    InUse: 124180480
    Free: 949561344
    Lowest free water mark: 949561344
  Type: Name: IRAM, QFP: 0
    Total: 134217728
    InUse: 8134656
    Free: 126083072
    Lowest free water mark: 126083072
  Type: Name: SRAM, QFP: 0
    Total: 32768
    InUse: 15088
    Free: 17680
    Lowest free water mark: 17680

Key System Resources to Monitor
- QFP & Resource DRAM Utilization (3)

CISCO-ENTITY-QFP-MIB to monitor QFP processing & memory utilization:

bash-2.05b$ getmany 9.76 ciscoEntityQfpMIB
ceqfpUtilInputTotalPktRate.9072.1 = 0x00018cd05
ceqfpUtilInputTotalPktRate.9072.2 = 0x00018ccfc
ceqfpUtilInputTotalPktRate.9072.3 = 0x00018cd01
ceqfpUtilInputTotalPktRate.9072.4 = 0x00018cd01
ceqfpUtilInputTotalBitRate.9072.1 = 0x065da6108
ceqfpUtilInputTotalBitRate.9072.2 = 0x065d41a50
ceqfpUtilInputTotalBitRate.9072.3 = 0x065cf5060
ceqfpUtilInputTotalBitRate.9072.4 = 0x065ce9cc8
ceqfpUtilOutputTotalPktRate.9072.1 = 0x00018ccf5
ceqfpUtilOutputTotalPktRate.9072.2 = 0x00018ccfa
ceqfpUtilOutputTotalPktRate.9072.3 = 0x00018cd00
ceqfpUtilOutputTotalPktRate.9072.4 = 0x00018cd00
ceqfpUtilOutputTotalBitRate.9072.1 = 0x06a80d588
ceqfpUtilOutputTotalBitRate.9072.2 = 0x06a7a9510
ceqfpUtilOutputTotalBitRate.9072.3 = 0x06a75ccb0
ceqfpUtilOutputTotalBitRate.9072.4 = 0x06a751900
ceqfpUtilProcessingLoad.9072.1 = 2
ceqfpUtilProcessingLoad.9072.2 = 2
ceqfpUtilProcessingLoad.9072.3 = 2
ceqfpUtilProcessingLoad.9072.4 = 2
ceqfpMemoryResTotal.9072.1 = 1073741824
ceqfpMemoryResInUse.9072.1 = 124180480
ceqfpMemoryResFree.9072.1 = 949561344
ceqfpMemoryResLowFreeWatermark.9072.1 = 949561344
ceqfpMemoryResRisingThreshold.9072.1 = 97
ceqfpMemoryResFallingThreshold.9072.1 = 93

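The exmem output on slide (2) gives the raw counters and the rule %util = InUse/Total, and the MIB walk on slide (3) shows that the QFP memory alarm is a rising/falling pair (97/93). The following is an added example, not code from the session or from Cisco, that parses the show output for every pool, computes the current and peak utilisation (the peak from the lowest-free watermark) and applies the same rising/falling hysteresis so a poller does not flap alarms when utilisation hovers near the limit. The sample text is a constructed copy of the slide's output; the inclusive comparisons in the alarm are an assumption.

```python
import re

# Constructed copy of the exmem output shown above (numbers from the slide).
SAMPLE_EXMEM = """\
QFP exmem statistics
  Type: Name: DRAM, QFP: 0
    Total: 1073741824
    InUse: 124180480
    Free: 949561344
    Lowest free water mark: 949561344
  Type: Name: IRAM, QFP: 0
    Total: 134217728
    InUse: 8134656
    Free: 126083072
    Lowest free water mark: 126083072
  Type: Name: SRAM, QFP: 0
    Total: 32768
    InUse: 15088
    Free: 17680
    Lowest free water mark: 17680
"""

POOL_HEADER = re.compile(r"^Type: Name: (\w+), QFP: (\d+)$")
FIELDS = {"Total": "total", "InUse": "inuse", "Free": "free",
          "Lowest free water mark": "low_free"}


def parse_exmem(text):
    """{pool name: {"total", "inuse", "free", "low_free"}} from the show output."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = POOL_HEADER.match(line)
        if m:
            current = pools.setdefault(m.group(1), {})
            continue
        if current is not None and ":" in line:
            key, value = line.split(":", 1)
            if key in FIELDS and value.strip().isdigit():
                current[FIELDS[key]] = int(value)
    return pools


def util_pct(pool):
    """%util = InUse / Total, as the slide defines it."""
    return 100.0 * pool["inuse"] / pool["total"]


def peak_util_pct(pool):
    """Highest utilisation seen since the counters were reset, derived from the
    lowest-free watermark; a high peak with a low current value means a past spike."""
    return 100.0 * (pool["total"] - pool["low_free"]) / pool["total"]


class HysteresisAlarm:
    """Rising/falling pair in the style of ceqfpMemoryResRisingThreshold (97) and
    ceqfpMemoryResFallingThreshold (93): raise once at >= rising, clear only when
    utilisation drops to <= falling.  Inclusive comparisons are an assumption."""

    def __init__(self, rising=97, falling=93):
        self.rising, self.falling, self.active = rising, falling, False

    def update(self, pct):
        """Returns "raise", "clear" or None for this sample."""
        if not self.active and pct >= self.rising:
            self.active = True
            return "raise"
        if self.active and pct <= self.falling:
            self.active = False
            return "clear"
        return None


def poll(text, alarms):
    """One polling cycle: parse the output, feed every pool's %util into its alarm
    (created on first sight) and return the events that fired, e.g. {"DRAM": "raise"}."""
    events = {}
    for name, pool in parse_exmem(text).items():
        event = alarms.setdefault(name, HysteresisAlarm()).update(util_pct(pool))
        if event:
            events[name] = event
    return events


if __name__ == "__main__":
    for name, pool in parse_exmem(SAMPLE_EXMEM).items():
        print(f"{name}: now {util_pct(pool):.1f}%  peak {peak_util_pct(pool):.1f}%")
```

The watermark comparison is worth keeping in a dashboard alongside the current value: NAT or firewall session bursts show up as a low watermark long after the current figure has recovered.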
Key System Resources to Monitor
- QFP & Resource DRAM Utilization (4)

Syslog when throughput exceeds the BW license (ASR1001-X, ASR1002-X)

Exceeding the 95% threshold (set with platform hardware throughput-monitor threshold):
*Sep 24 10:15:14.249: %BW_LICENSE-5-THROUGHPUT_THRESHOLD_LEVEL: F0: cpp_ha: Average throughput rate had exceeded 95 percent of licensed bandwidth 10000000000 bps 1 times, sample period 300 seconds, in last 24 hours

Exceeding the total licensed bandwidth:
Sep 24 10:42:28.450: %BW_LICENSE-4-THROUGHPUT_MAX_LEVEL: F0: cpp_ha: Average throughput rate had exceeded the total licensed bandwidth 10000000000 bps and dropped 1 times, sample period 300 seconds, in last 24 hours.

Upgrade the throughput via platform hardware throughput level <x> followed by a reload.

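The two %BW_LICENSE messages above are the signal that a fixed chassis is running into its throughput license, and the MAX_LEVEL variant is the one that means traffic was dropped rather than merely measured above a threshold. The following is an added example, not code from the session or from Cisco, that extracts both message formats from a syslog feed with regular expressions and summarizes per ESP slot the peak percentage reported and how many sample periods saw drops. The log excerpt is constructed: the two %BW_LICENSE lines are the ones from the slide, the %SYS-5-CONFIG_I line is filler to show unrelated lines being ignored.

```python
import re

# Constructed log excerpt: the two messages from the slide plus an unrelated line.
SAMPLE_LOG = """\
*Sep 24 10:15:14.249: %BW_LICENSE-5-THROUGHPUT_THRESHOLD_LEVEL: F0: cpp_ha: Average throughput rate had exceeded 95 percent of licensed bandwidth 10000000000 bps 1 times, sample period 300 seconds, in last 24 hours
*Sep 24 10:30:02.117: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Sep 24 10:42:28.450: %BW_LICENSE-4-THROUGHPUT_MAX_LEVEL: F0: cpp_ha: Average throughput rate had exceeded the total licensed bandwidth 10000000000 bps and dropped 1 times, sample period 300 seconds, in last 24 hours.
"""

THRESHOLD = re.compile(
    r"%BW_LICENSE-(?P<sev>\d)-THROUGHPUT_THRESHOLD_LEVEL: (?P<slot>\w+): .*?"
    r"exceeded (?P<pct>\d+) percent of licensed bandwidth (?P<bps>\d+) bps (?P<n>\d+) times, "
    r"sample period (?P<period>\d+) seconds")
MAXIMUM = re.compile(
    r"%BW_LICENSE-(?P<sev>\d)-THROUGHPUT_MAX_LEVEL: (?P<slot>\w+): .*?"
    r"exceeded the total licensed bandwidth (?P<bps>\d+) bps and dropped (?P<n>\d+) times, "
    r"sample period (?P<period>\d+) seconds")


def _common(m):
    """Fields shared by both message formats."""
    return {"severity": int(m["sev"]), "slot": m["slot"], "licensed_bps": int(m["bps"]),
            "count": int(m["n"]), "period_s": int(m["period"])}


def parse_bw_license(log):
    """Extract %BW_LICENSE events as dicts (kind, percent, dropped, severity, slot,
    licensed_bps, count, period_s).  A MAX_LEVEL event is recorded as 100 percent with
    dropped=True: the router discarded traffic, it did not just cross a threshold."""
    events = []
    for line in log.splitlines():
        if m := THRESHOLD.search(line):
            events.append({"kind": "threshold", "percent": int(m["pct"]),
                           "dropped": False, **_common(m)})
        elif m := MAXIMUM.search(line):
            events.append({"kind": "max", "percent": 100, "dropped": True, **_common(m)})
    return events


def license_pressure(events):
    """Per slot: highest percent reported, total sample periods with drops and the
    licensed rate in Gbps.  Any slot with drop_periods > 0 is already losing traffic
    and is a candidate for 'platform hardware throughput level' plus a reload."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["slot"], {"peak_percent": 0, "drop_periods": 0,
                                           "licensed_gbps": e["licensed_bps"] / 1e9})
        s["peak_percent"] = max(s["peak_percent"], e["percent"])
        if e["dropped"]:
            s["drop_periods"] += e["count"]
    return summary


if __name__ == "__main__":
    for slot, s in license_pressure(parse_bw_license(SAMPLE_LOG)).items():
        print(f"{slot}: peak {s['peak_percent']}% of {s['licensed_gbps']} Gbps, "
              f"{s['drop_periods']} period(s) with drops")
```

Run this against the syslog collector's feed rather than on the router, which keeps the detection independent of a box that may already be under load.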
Key System Resources to Monitor
- QFP & Resource DRAM Utilization (5)

CISCO-LICENSE-MGMT-MIB can be used to check which throughput license is in use (inUse):


bash-2.05b$ getmany -v2c 2.0.40.25 clmgmtLicenseFeatureName
clmgmtLicenseFeatureName.7000.2.1 = adventerprise
clmgmtLicenseFeatureName.7000.2.2 = advipservices
clmgmtLicenseFeatureName.7000.2.3 = fwnat_red
clmgmtLicenseFeatureName.7000.2.4 = ipsec
clmgmtLicenseFeatureName.7000.2.5 = lawful_intr
clmgmtLicenseFeatureName.7000.2.6 = sw_redundancy
clmgmtLicenseFeatureName.7000.2.7 = throughput_10g
clmgmtLicenseFeatureName.7000.2.8 = throughput_20g
clmgmtLicenseFeatureName.7000.2.9 = throughput_36g
bash-2.05b$ getmany -v2c 2.0.40.25 clmgmtLicenseStatus
clmgmtLicenseStatus.7000.2.1 = notInUse(2)
clmgmtLicenseStatus.7000.2.2 = notInUse(2)
clmgmtLicenseStatus.7000.2.3 = notInUse(2)
clmgmtLicenseStatus.7000.2.4 = notInUse(2)
clmgmtLicenseStatus.7000.2.5 = notInUse(2)
clmgmtLicenseStatus.7000.2.6 = notInUse(2)
clmgmtLicenseStatus.7000.2.7 = inUse(3)
clmgmtLicenseStatus.7000.2.8 = notInUse(2)
clmgmtLicenseStatus.7000.2.9 = notInUse(2)

Key System Resources to Monitor
- TCAM
QFP TCAM usage can be found in following command:
ASR1000# show platform hardware qfp active tcam resource-manager usage
QFP TCAM Usage Information

80 Bit Region Information


--------------------------
Name : Leaf Region #0
Number of cells per entry : 1
Current 80 bit entries used : 0
Current used cell entries : 0
Current free cell entries : 0

160 Bit Region Information


--------------------------
Name : Leaf Region #1
Number of cells per entry : 2
Current 160 bits entries used : 6
Current used cell entries : 12
Current free cell entries : 4084

320 Bit Region Information


--------------------------
Name : Leaf Region #2
Number of cells per entry : 4
Current 320 bits entries used : 0
Current used cell entries : 0
Current free cell entries : 0

Total TCAM Cell Usage Information


----------------------------------
Name : TCAM #0 on CPP #0
Total number of regions : 3
Total tcam used cell entries : 12
Total tcam free cell entries : 524276
Threshold status : below critical limit

Key System Resources to Monitor
- Crypto Chip Utilization (1)

show platform hardware crypto-device utilization (95%+ indicates the crypto chip is reaching its performance limit):

ASR1000# show platform hardware crypto-device utilization
Past crypto device utilization:
  1 min (percentage) : 0%
        (decrypt pkt): 220997
        (encrypt pkt): 173747
  5 min (percentage) : 0%
        (decrypt pkt): 115381
        (encrypt pkt): 897157
  15 min (percentage) : 0%
        (decrypt pkt): 3320368
        (encrypt pkt): 2614638

Key System Resources to Monitor
- Crypto Chip Utilization (2)

CISCO-ENTITY-PERFORMANCE-MIB is able to monitor Crypto Chip Util

bash-2.05b$ getmany 9.76 ciscoEntityPerformanceMIB


cepStatsMeasurement.9028.1.1 = Counter64: 0
cepStatsMeasurement.9028.1.5 = Counter64: 221029
cepStatsMeasurement.9028.1.6 = Counter64: 173838
cepStatsMeasurement.9028.2.1 = Counter64: 0
cepStatsMeasurement.9028.2.5 = Counter64: 1153432
cepStatsMeasurement.9028.2.6 = Counter64: 896529
cepStatsMeasurement.9028.3.1 = Counter64: 0
cepStatsMeasurement.9028.3.5 = Counter64: 3321126
cepStatsMeasurement.9028.3.6 = Counter64: 2614265

Control-Process Health Definition (1)
Load Average thresholds, Warning / Critical, per field:

Board       1-MIN     5-MIN     15-MIN
SIP10       5 / 8     5 / 8     5 / 8
SIP40       5 / 8     5 / 8     5 / 8
ESP5        5 / 8     5 / 8     5 / 8
ESP10       5 / 8     5 / 8     5 / 8
ESP20       5 / 8     5 / 8     5 / 8
ESP40       5 / 8     5 / 8     5 / 8
ESP100      5 / 8     5 / 8     5 / 8
ESP200      5 / 8     5 / 8     5 / 8
RP1         5 / 8     5 / 8     5 / 8
RP2         5 / 8     5 / 8     5 / 8
ASR1001-X   8 / 12    8 / 12    10 / 15
ASR1002-X   8 / 12    8 / 12    10 / 15

In the show platform software status control-processor brief output on slide 25, the Load Average Status can be Healthy, Warning or Critical; this table provides the Warning and Critical thresholds for each field.

Control-Process Health Definition (2)
Memory thresholds, Warning / Critical, per field:

Board       Committed     MemFree     MEMUSED
SIP10       95% / 100%    10% / 5%    90% / 95%
SIP40       95% / 100%    10% / 5%    90% / 95%
ESP5        90% / 95%     10% / 5%    90% / 95%
ESP10       90% / 95%     10% / 5%    90% / 95%
ESP20       90% / 95%     10% / 5%    90% / 95%
ESP40       90% / 95%     10% / 5%    90% / 95%
ESP100      90% / 95%     10% / 5%    90% / 95%
ESP200      90% / 95%     10% / 5%    90% / 95%
RP1         90% / 95%     10% / 5%    90% / 95%
RP2         90% / 95%     10% / 5%    90% / 95%
ASR1001-X   90% / 95%     10% / 5%    90% / 95%
ASR1002-X   90% / 95%     10% / 5%    90% / 95%

In the show platform software status control-processor brief output on slide 26, the Memory Status can be Healthy, Warning or Critical; this table provides the Warning and Critical thresholds for each field.

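The two Health Definition tables above explain how the Status column in the control-processor brief output (slides (1) and (2) of the Control CPU & Memory section) is derived. The following is an added example, not code from the session or from Cisco, that transcribes those thresholds, parses the Load Average and Memory sections of the brief output and recomputes each slot's status so that an external poller can reproduce the router's verdict or apply its own. It assumes a value equal to a limit trips it (the slide does not say), that the worst field decides the slot status, and it selects the threshold row by card type for a modular chassis or by model for the ASR1001-X/1002-X via a chassis argument; the sample output is a constructed copy of the slide's.

```python
import re

# Warning/Critical thresholds transcribed from the two Health Definition tables above.
# Load averages: (warn, crit) per field; SIP/ESP/RP cards share one row, the fixed
# chassis have their own.  Memory: Committed and MEMUSED are "higher is worse",
# MemFree is "lower is worse".
LOAD_THRESHOLDS = {
    "default":   {"1-MIN": (5, 8),  "5-MIN": (5, 8),  "15-MIN": (5, 8)},
    "ASR1001-X": {"1-MIN": (8, 12), "5-MIN": (8, 12), "15-MIN": (10, 15)},
    "ASR1002-X": {"1-MIN": (8, 12), "5-MIN": (8, 12), "15-MIN": (10, 15)},
}
MEM_THRESHOLDS = {
    "SIP":     {"Committed": (95, 100), "MemFree": (10, 5), "MEMUSED": (90, 95)},
    "default": {"Committed": (90, 95),  "MemFree": (10, 5), "MEMUSED": (90, 95)},
}
RANK = {"Healthy": 0, "Warning": 1, "Critical": 2}

# Constructed copy of the Load Average and Memory sections of the brief output.
SAMPLE_BRIEF = """\
Load Average
 Slot  Status  1-Min  5-Min 15-Min
  RP0  Healthy  0.06   0.06   0.01
  RP1  Healthy  0.06   0.04   0.01
 ESP0  Healthy  0.01   0.00   0.00
 ESP1  Healthy  0.00   0.00   0.00
 SIP1  Healthy  0.04   0.03   0.01
 SIP2  Healthy  0.00   0.00   0.00

Memory (kB)
 Slot  Status    Total     Used (Pct)     Free (Pct)  Committed (Pct)
  RP0  Critical  3919788  3891940 (95%)    27848 (0%)   2005100 (98%)
  RP1  Healthy   3919788  1164924 (28%)  2754864 (66%)  1994212 (48%)
 ESP0  Healthy   2030288   520744 (24%)  1509544 (71%)  2816620 (84%)
 ESP1  Healthy   2030288   514972 (24%)  1515316 (72%)  2816356 (84%)
 SIP1  Healthy    484332   311868 (59%)   172464 (32%)   262472 (50%)
 SIP2  Healthy    484332   332252 (63%)   152080 (29%)   317648 (60%)

CPU Utilization
"""

LOAD_ROW = re.compile(r"^(\w+)\s+(\w+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)$")
MEM_ROW = re.compile(r"^(\w+)\s+(\w+)\s+\d+\s+\d+\s+\((\d+)%\)\s+\d+\s+\((\d+)%\)\s+\d+\s+\((\d+)%\)$")


def grade(value, warn, crit, low_is_bad=False):
    """Healthy/Warning/Critical for one field.  The slide does not say whether the
    limits are inclusive; this code assumes a value equal to the limit trips it."""
    if low_is_bad:
        return "Critical" if value <= crit else "Warning" if value <= warn else "Healthy"
    return "Critical" if value >= crit else "Warning" if value >= warn else "Healthy"


def worst(statuses):
    return max(statuses, key=RANK.__getitem__)


def family(slot, chassis):
    """Pick the threshold row: the fixed chassis by model, otherwise by card type."""
    if chassis in LOAD_THRESHOLDS:
        return chassis
    return "SIP" if slot.upper().startswith("SIP") else "default"


def evaluate(output=SAMPLE_BRIEF, chassis="modular"):
    """Recompute each slot's Load and Memory status from the threshold tables and pair
    it with the status the router reported: {slot: {"load": (ours, reported), ...}}."""
    results, section = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Load Average"):
            section = "load"
        elif line.startswith("Memory"):
            section = "mem"
        elif line.startswith("CPU Utilization"):
            section = None
        elif section == "load" and (m := LOAD_ROW.match(line)):
            slot, reported = m.group(1), m.group(2)
            th = LOAD_THRESHOLDS.get(family(slot, chassis), LOAD_THRESHOLDS["default"])
            ours = worst(grade(float(m.group(i)), *th[f])
                         for i, f in ((3, "1-MIN"), (4, "5-MIN"), (5, "15-MIN")))
            results.setdefault(slot, {})["load"] = (ours, reported)
        elif section == "mem" and (m := MEM_ROW.match(line)):
            slot, reported = m.group(1), m.group(2)
            used, free, committed = (int(m.group(i)) for i in (3, 4, 5))
            th = MEM_THRESHOLDS.get(family(slot, chassis), MEM_THRESHOLDS["default"])
            ours = worst([grade(committed, *th["Committed"]),
                          grade(free, *th["MemFree"], low_is_bad=True),
                          grade(used, *th["MEMUSED"])])
            results.setdefault(slot, {})["memory"] = (ours, reported)
    return results


def unhealthy(results):
    """Slots whose recomputed load or memory status is not Healthy."""
    return sorted(s for s, r in results.items() if any(v[0] != "Healthy" for v in r.values()))
```

On the slide's data the recomputation agrees with the router on every slot, including RP0 being Critical on memory because Used is at the 95% limit and Committed is above it. Disagreements between the two columns are themselves worth alerting on, since they usually mean the threshold table has changed between releases.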
Triggered EEM Script to monitor system load
This is a sample EEM script that monitors the RP0 one-minute load.
A load of 5 triggers actions 1 through 5 (the polled OID is cpmCPULoadAvg1min, which reports hundredths of a load, so entry-val 500 corresponds to a load of 5.00).
Action 1 generates a log message when the script triggers.
Actions 2 through 5 run CLI commands, output them to the bootflash and append them to the cpuinfo file.

event manager applet capture_cpu_spike
 event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.24.2 get-type exact entry-op ge entry-val 500 exit-time 180 poll-interval 2
 action 1.0 syslog msg "Load is high. Check bootflash:cpuinfo for details."
 action 2.0 cli command "en"
 action 3.0 cli command "show clock | append bootflash:cpuinfo"
 action 4.0 cli command "show platform software status control-processor br | append bootflash:cpuinfo"
 action 5.0 cli command "show platform software process slot rp active monitor | append bootflash:cpuinfo"

DoS Attack Detection and Mitigation
Best Practices
DoS Introduction
A DoS attack is basically an attempt to make a resource unavailable to its intended users, by:
1. Consumption of computational resources, such as bandwidth or CPU cycles.
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP sessions.
4. Obstructing the communication between the intended users and the router.

Additional targets of DoS attacks:
1. Trigger errors in packet forwarding.
2. Trigger errors in the sequencing of instructions, to force instability or lock-up.
3. Buffer starvation and/or system thrashing.
4. Crash the operating system itself.

DoS Introduction contd
Example attack types:
1. ICMP
   SMURF
   PING flood
2. SYN flood
3. Teardrop
   Mangling packet structure/content
4. Nuke
   Rapid packet generation

DoS Detection (1)
Typical router symptoms:
1. CPUHOG messages
2. Buffer overflow messages
3. Packet memory out-of-resources messages

Example:
ASR1000#show logging
Syslog logging: enabled (0 messages dropped, 18 messages rate-limited, 58 flushes, 0 overruns, xml disabled, filtering disabled)
Apr 9 22:12:21.399 JST: %IOSXE-2-PLATFORM: F1: cpp_cp: QFP:00 Thread:077 TS:00022029349683022400 %HAL_PKTMEM-2-OUT_OF_RESOURCES:

Check buffer utilization:
ASR1000#show buffers
Public buffer pools:
Small buffers, 104 bytes (total 4000, permanent 4000, peak 6010 @ 3w4d):

DoS Detection (2)
Check CPU utilization:

ASR1000# show processes cpu extended
Global Statistics
-----------------
5 sec CPU util 72%/26% Timestamp 3w5d
Queue Statistics
----------------
Common Process Information
-------------------------------
 PID  Name               Prio  Style
-------------------------------
 443  PPPoE Discovery    M     New
 118  ATM Periodic       H     New
 172  Ethernet Timer C   H     New
 173  Ethernet Msec Ti   H     New
CPU Intensive processes
-----------------------------------------------------------------
 PID  Total  Exec   Quant    Burst  Burst size   Schedcall  Schedcall
      CPUms  Count  avg/max  Count  avg/max(ms)  Count      Per avg/max
-----------------------------------------------------------------
 443  2523   34016  0/9      16997  0/9          17008      0/10

Check process resources:

ASR1000# show processes 443
Process ID 443 [PPPoE Discovery Daemon], TTY 0
Memory usage [in bytes]
Holding: 822944, Maximum: 0, Allocated: 2941696, Freed: 1176616
Getbufs: 0, Retbufs: 0, Stack: 43288/48000
CPU usage
PC: 2D9A89F, Invoked: 63684786, Giveups: 31842392, uSec: 55
5Sec: 71.43%, 1Min: 78.51%, 5Min: 65.63%, Average: 0.00%
Age: 2273107279 msec, Runtime: 3564164 msec
State: Waiting for Event, Priority: Normal

BRKARC-2019 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
DoS Detection (3)
Check FP punt activity:
ASR1000# show platform software infrastructure packet
Statistics for Punt Path activities:

19858208 total packets processed
0 minimum packet received, 2048 maximum packet received
0 minimum packet process switched, 7 maximum packet process switched
0 msec minimum clock runtime, 30 msec maximum clock runtime
0 msec minimum cpu runtime, 2 msec maximum cpu runtime
6797817 puntpath invocation, 6797817 with message invocation

Check FP punt policer:
ASR1000# show platform software punt-policer
Per Punt-Cause Policer Configuration and Packet Counters
Punt                                Configured (pps)    Conform Packets        Dropped Packets
Cause  Description                  Normal    High      Normal     High        Normal   High
---------------------------------------------------------------------------------------------
2      IPv4 Options                 4000      3000      0          0           0        0
3      Layer2 control and legacy    40000     10000     1203060    2146805     0        0
4      PPP Control                  2000      1000      0          0           0        0
5      CLNS IS-IS Control           2000      1000      0          0           0        0
6      HDLC keepalives              2000      1000      0          0           0        0
7      ARP request or response      2000      1000      0          68540       0        0
8      Reverse ARP request or re... 2000      1000      0          0           0        0
9      Frame-relay LMI Control      2000      1000      0          0           0        0
10     Incomplete adjacency         2000      1000      0          5           0        0
11     For-us data                  40000     5000      803926     0           0        0
12     Mcast Directly Connected ... 2000      1000      0          0           0        0
13     Mcast IPv4 Options data p... 2000      1000      0          0           0        0
14     MPLS TTL expired             5120      2000      0          0           0        0
19     Mcast Internal Copy          2000      1000      0          0           0        0
20     Mcast IGMP Unroutable        2000      1000      0          0           0        0
24     Glean adjacency              2000      5000      0          35052       0        0
25     Mcast PIM signaling          2000      1000      0          0           0        0
27     ESS session control          10000     40000     0          30507493    0        288003062

FP - Punt Policer:
ASR1000# show platform hardware qfp active infrastructure punt statistics type global-drop
Global Drop Statistics

Number of global drop counters = 21
Counter ID  Drop Counter Name            Packets
-------------------------------------------------------------
016         PUNT_CAUSE_GLOBAL_POLICER    27117

DoS Detection (4)
Check FP per-cause punt:
ASR1000# show platform hardware qfp active infrastructure punt statistics type per-cause clear
Global Per Cause Statistics
Per Inject Cause Statistics
                                               Packets     Packets
Counter ID  Inject Cause Name                  Received    Transmitted
--------------------------------------------------------------------------------------
000         RESERVED                           0           0
001         L2 control/legacy                  0           0
002         QFP destination lookup             0           0
003         QFP IPv4/v6 nexthop lookup         0           0
004         QFP generated packet               0           0
005         QFP <->RP keepalive                2           0
006         QFP Fwall generated packet         0           0
007         QFP adjacency-id lookup            0           0
008         Mcast specific inject packet       0           0
009         QFP ICMP generated packet          0           0
010         QFP/RP->QFP ESS data packet        0           0
011         SBC DTMF                           0           0
012         ARP request or response            0           0
013         Ethernet OAM loopback packet       0           0
014         Ingress redirect packet            0           0
015         PPPoE discovery packet             48764       48741
016         PPPoE session packet               0           0

DoS Mitigation (1)
ASR1000 implements a global policer that rate-limits punted packets at 146484 pps / 2.5 Gbps. In addition, it implements a per-cause punt policer: based on the common feature punt cause, punted packets are classified into high and normal queues, and a policing threshold is set for each queue.

The per-cause policer can be seen via show platform software punt-policer.

Control-Plane Policing (CoPP) is a security feature designed to protect the control plane.

[Figure: punt path from the ESP (Global Policer, Per-punt Policer, CoPP, Inject Logic) to the RP (IOSd, Linux Kernel)]

The following classification criteria are supported in CoPP:
match access-group
match dscp
match ip dscp
match ip precedence
match precedence
match protocol arp
match protocol ipv6
match protocol pppoe
match protocol pppoe-discovery
match qos-group
match ipv6 acl hbh

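As an added example (not from the deck or from Cisco), a Python parser for the show platform software punt-policer table shown under DoS Detection (3), used the way the per-cause policer description above suggests: it flags the causes the punt policer is dropping and, because the counters are cumulative until cleared, turns two snapshots into a drop rate. The sample output is constructed in the slide's layout, with illustrative counter values.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the layout of "show platform software punt-policer" as
# shown on the slides (counter values are illustrative, not a real capture).
SAMPLE_OUTPUT = """\
Per Punt-Cause Policer Configuration and Packet Counters
Punt                              Configured (pps)  Conform Packets     Dropped Packets
Cause Description                 Normal   High     Normal    High      Normal  High
---------------------------------------------------------------------------------------------
2     IPv4 Options                4000     3000     0         0         0       0
7     ARP request or response     2000     1000     0         68540     0       0
11    For-us data                 40000    5000     803926    0         0       0
27    ESS session control         10000    40000    0         30507493  0       288003062
"""

class PuntRow(NamedTuple):
    cause: int
    description: str
    conf_normal: int     # configured pps, normal queue
    conf_high: int       # configured pps, high queue
    conform_normal: int
    conform_high: int
    drop_normal: int
    drop_high: int

# A data row: cause id, free-text description, then exactly six integer columns.
_ROW = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_punt_policer(text: str) -> List[PuntRow]:
    """Parse the per-cause table; header and separator lines never match _ROW."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            cause, desc, *counters = m.groups()
            rows.append(PuntRow(int(cause), desc.strip(), *map(int, counters)))
    return rows

def policed_causes(rows: List[PuntRow]) -> Dict[int, int]:
    """Causes whose policer has dropped packets, mapped to total drops (both queues)."""
    return {r.cause: r.drop_normal + r.drop_high
            for r in rows if r.drop_normal or r.drop_high}

def drop_rate_pps(before: List[PuntRow], after: List[PuntRow],
                  seconds: float) -> Dict[int, float]:
    """Drops per second per cause between two snapshots taken `seconds` apart.

    Counters are cumulative until cleared, so the delta (not the absolute value)
    tells you whether a punt cause is being policed right now.
    """
    prev = {r.cause: r.drop_normal + r.drop_high for r in before}
    rate = {}
    for r in after:
        delta = r.drop_normal + r.drop_high - prev.get(r.cause, 0)
        if delta > 0:
            rate[r.cause] = delta / seconds
    return rate

if __name__ == "__main__":
    rows = parse_punt_policer(SAMPLE_OUTPUT)
    for cause, drops in policed_causes(rows).items():
        desc = next(r.description for r in rows if r.cause == cause)
        print(f"cause {cause} ({desc}): {drops} packets dropped by punt policer")
```

Run it over the command output collected from the router at an interval; a rising drop rate for a cause is the per-cause counterpart of the PUNT_CAUSE_GLOBAL_POLICER counter shown in the global-drop output.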
DoS Mitigation (2)
Global Config:
no ip source-route
ip arp gratuitous none
no ip gratuitous-arps
no ip bootp server

Interface Config:
interface GigabitEthernet <num>
 description UNI facing interface
 no ip directed-broadcast
 ip verify unicast reverse-path
 ip access-group <SECURITY> in
 ip access-group <SECURITY> out

DoS Mitigation (3)
Control Plane Policing - Routing

class-map match-all Routing
 match access-group name Routing
!
ip access-list extended Routing
 remark traffic for routing protocol
 permit tcp any gt 1024 <router receive block> eq bgp
 permit tcp any eq bgp <router receive block> gt 1024 established
 permit tcp any gt 1024 <router receive block> eq 639
 permit tcp any eq 639 <router receive block> gt 1024 established
 permit tcp any <router receive block> eq 646
 permit udp any <router receive block> eq 646
 permit ospf any <router receive block>
 permit ospf any host 224.0.0.5
 permit ospf any host 224.0.0.6
 permit eigrp any <router receive block>
 permit eigrp any host 224.0.0.10
 permit udp any any eq pim-auto-rp
 ---etc--- for other routing protocol traffic...
!
policy-map CONTROL-PLANE-POLICY
 class Routing
  police rate 1000 pps burst 1000 packets
   conform-action transmit
   exceed-action transmit

Control-Plane Policing - Management

class-map match-all Management
 match access-group name Management
!
ip access-list extended Management
 remark NOC traffic for trusted management and monitoring
 permit tcp <NOC block> <router receive block> eq telnet
 permit tcp <NOC block> eq telnet <router receive block> established
 permit tcp <NOC block> <router receive block> eq 22
 permit tcp <NOC block> eq 22 <router receive block> established
 permit udp <NOC block> <router receive block> eq snmp
 permit tcp <NOC block> <router receive block> eq www
 permit udp <NOC block> <router receive block> eq 443
 permit tcp <NOC block> <router receive block> eq ftp
 permit tcp <NOC block> <router receive block> eq ftp-data
 permit udp <NOC block> <router receive block> eq syslog
 permit udp <DNS block> eq domain <router receive block>
 permit udp <NTP block> <router receive block> eq ntp
 ---etc--- for known good management traffic...
!
policy-map CONTROL-PLANE-POLICY
 class Management
  police rate 100 pps burst 100 packets
   conform-action transmit
   exceed-action drop

DoS Mitigation (4)
Control Plane Policing - Normal

class-map match-all Normal
 match access-group name Normal
!
ip access-list extended Normal
 remark Normal traffic
 permit icmp any <router receive block> echo
 permit icmp any <router receive block> echo-reply
 permit icmp any <router receive block> ttl-exceeded
 permit icmp any <router receive block> packet-too-big
 permit icmp any <router receive block> port-unreachable
 permit icmp any <router receive block> unreachable
 permit igmp any any
 ---etc--- for other known good traffic...
!
policy-map CONTROL-PLANE-POLICY
 class Normal
  police rate 1 pps burst 100 packets
   conform-action transmit
   exceed-action drop

Control-Plane Policing - Undesirable

class-map match-all Undesirable
 match access-group name Undesirable
!
ip access-list extended Undesirable
 remark deny Undesirable traffic
 permit icmp any any fragments
 permit udp any any fragments
 permit tcp any any fragments
 permit ip any any fragments
 permit udp any any eq 1434
 permit tcp any any eq 639 rst
 permit tcp any any eq bgp rst
 --- etc. all other known bad things here ...
!
policy-map CONTROL-PLANE-POLICY
 class Undesirable
  police rate 1 pps burst 1 packets
   conform-action drop
   exceed-action drop

DoS Mitigation (5)
Control Plane Policing - ARP

class-map match-all ARP
 match protocol arp
!
policy-map CONTROL-PLANE-POLICY
 class ARP
  police rate 1 pps burst 50 packets
   conform-action transmit
   exceed-action drop

Control-Plane Policing - Catch-All-IP

class-map match-all Catch-All-IP
 match access-group name Catch-All-IP
!
ip access-list extended Catch-All-IP
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ip any any
!
policy-map CONTROL-PLANE-POLICY
 class Catch-All-IP
  police rate 1 pps burst 100 packets
   conform-action transmit
   exceed-action drop

Control-Plane Policing - Class-default

! L2 keepalives, CDP, CLNS, and other non-IP packets
!
policy-map CONTROL-PLANE-POLICY
 class class-default
  police rate 100 pps burst 100 packets
   conform-action transmit
   exceed-action transmit
!
control-plane
 service-policy input CONTROL-PLANE-POLICY

DoS Mitigation (6)
Control-Plane Policing - IPv6 Control

class-map match-all IPv6-CONTROL
 match access-group name IPv6-CONTROL
!
ipv6 access-list IPv6-CONTROL
 remark Permit NDP RA Type packets
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-advertisement
 permit icmp any any router-solicitation
!
policy-map CONTROL-PLANE-POLICY
 class IPv6-CONTROL
  police rate 200 pps burst 1000 packets
   conform-action transmit
   exceed-action drop

Device Programmability (Demo)
Device Programmability
[Figure: programmability stack - gRPC (IOS-XR only), RESTconf and NETCONF on top of the Data Model layer (Configuration and Operational models, each either Standard or Device Specific), across IOS-XE, NX-OS and IOS-XR; Device Features such as SNMP, Interface, BGP, QoS and ACL]

XE16.3 Supported Models
COMMON MODELS:
IETF-Interfaces, IETF-OSPF v2/v3, IETF-QoS (shape, bandwidth and priority), Cisco-MPLS static, IETF-VRF Infra, IETF-IPv4/IPv6 RIB, Cisco-VxLAN, IETF-IPv4/IPv6 Static Routing, IETF-Policy

NATIVE MODELS:
BFD, MPLS Static, NHRP, LISP, G8032, EVPN, PfR, IPSec, MPLS-TE, VLAN, EIGRP, VTP, E-OAM, L2VPN, WAAS, Spanning Tree, VPLS, OTV, AVC-NBAR, AAA, ISIS, Inter-AS, AVC-ART, TACACS, ACL, Bridge Domain/EVC, ESON, SNMP, GRE, DMVPN, Snort, NTP, CFM, RPL, SourceFire, MSDP, Interfaces, OSPF, ZBFW, IGMP, BGP, VRF, FNF, PIM, Static Routing, Policy/QoS, RIB, SFC

PLATFORM:
ASR 1001-X, ASR1002-X, ASR1002-HX, RP2

Demo
1. Provision DMVPN Tunnels
2. Unprovision DMVPN Tunnels
3. Introduce an error in the provisioning to observe the transactional behavior and rollback

[Figure: demo topology - HUB (LB: 2.2.2.2, Tunnel200: 192.99.99.1); Spoke1 (LB: 1.1.1.1, Tunnel200: 192.99.99.3); Spoke2 (LB: 3.3.3.3, Tunnel200: 192.99.99.2)]

CLI Config converted to Yang Data Model
IOS XE Config:
interface Tunnel200
 description ** DMVPN Tunnel over MPLS **
 bandwidth 10000000
 ip address 192.99.99.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication NhrpAuth
 ip nhrp network-id 101
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/2
 tunnel mode gre multipoint
 tunnel key 101
 tunnel vrf IWAN-PRIMARY
 tunnel protection ipsec profile DMVPN-PROFILE1

Yang data model:
<?xml version="1.0" encoding="utf-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <edit-config>
    <target>
      <running/>
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <native xmlns="urn:ios">
        <interface>
          <Tunnel>
            <name>200</name>
            <description>** DMVPN Tunnel over MPLS **</description>
            <bandwidth>
              <kilobits>10000000</kilobits>
            </bandwidth>
            <ip>
              <address>
                <primary>
                  <address>192.99.99.1</address>
                  <mask>255.255.255.0</mask>
                </primary>
              </address>
              <nhrp>
                <authentication>NhrpAuth</authentication>
                <network-id>101</network-id>
                <holdtime>600</holdtime>
                <redirect/>
              </nhrp>
              <pim>
                <sparse-mode/>
                <nbma-mode/>
              </pim>
              <redirects>false</redirects>
              <tcp>
                <adjust-mss>1360</adjust-mss>
              </tcp>
              <mtu>1400</mtu>
            </ip>
            <tunnel>
              <source>GigabitEthernet0/0/2</source>
              <key>101</key>
              <mode>
                <gre>
                  <multipoint/>
                </gre>
              </mode>
              <protection>
                <ipsec>
                  <profile>DMVPN-PROFILE1</profile>
                </ipsec>
              </protection>
              <vrf>IWAN-PRIMARY</vrf>
            </tunnel>
          </Tunnel>
        </interface>
      </native>
    </config>
  </edit-config>
</rpc>
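The CLI-to-YANG mapping above, as an added example that is not part of the deck or of any Cisco tool: a small Python converter that turns a subset of the Tunnel200 commands into the edit-config payload shown on the slide (same NETCONF and native namespaces and the same message-id as the slide). Commands it does not map raise an error instead of being silently dropped, and it builds the XML only; sending it over NETCONF is left out.

```python
import xml.etree.ElementTree as ET

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NATIVE_NS = "urn:ios"   # namespace the slide uses for the IOS XE native model

# Constructed input: the Tunnel200 commands from the slide that this converter maps.
TUNNEL_CLI = """\
interface Tunnel200
 description ** DMVPN Tunnel over MPLS **
 bandwidth 10000000
 ip address 192.99.99.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication NhrpAuth
 ip nhrp network-id 101
 tunnel source GigabitEthernet0/0/2
 tunnel key 101
 tunnel vrf IWAN-PRIMARY
"""

def _leaf(parent, path, text=None):
    """Walk or create the elements named in 'a/b/c' under parent; set text on the leaf."""
    node = parent
    for tag in path.split("/"):
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    if text is not None:
        node.text = text
    return node

def cli_to_edit_config(cli: str) -> ET.Element:
    """Build the <rpc><edit-config> tree (target: running) for one Tunnel interface."""
    rpc = ET.Element("rpc", {"xmlns": NETCONF_NS, "message-id": "101"})
    edit = ET.SubElement(rpc, "edit-config")
    _leaf(edit, "target/running")
    config = ET.SubElement(edit, "config")
    tun = None
    for raw in cli.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface" and w[1].startswith("Tunnel"):
            native = ET.SubElement(config, "native", {"xmlns": NATIVE_NS})
            tun = _leaf(native, "interface/Tunnel")
            _leaf(tun, "name", w[1][len("Tunnel"):])   # "Tunnel200" -> <name>200</name>
        elif tun is None:
            raise ValueError("command outside an 'interface Tunnel' block: " + raw)
        elif w[0] == "description":
            _leaf(tun, "description", raw.strip()[len("description "):])
        elif w[0] == "bandwidth":
            _leaf(tun, "bandwidth/kilobits", w[1])
        elif w[:2] == ["ip", "address"]:
            _leaf(tun, "ip/address/primary/address", w[2])
            _leaf(tun, "ip/address/primary/mask", w[3])
        elif w[:2] == ["ip", "mtu"]:
            _leaf(tun, "ip/mtu", w[2])
        elif w[:2] == ["ip", "nhrp"] and len(w) == 4:   # authentication, network-id
            _leaf(tun, "ip/nhrp/" + w[2], w[3])
        elif w[0] == "tunnel" and w[1] in ("source", "key", "vrf"):
            _leaf(tun, "tunnel/" + w[1], w[2])
        else:
            raise ValueError("command not mapped by this converter: " + raw)
    return rpc
```

ET.tostring(cli_to_edit_config(TUNNEL_CLI), encoding="unicode") gives the serialized rpc; the slide's pim, redirects, nhrp redirect, tunnel mode and tunnel protection leaves are deliberately outside the mapped subset.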
IOS XE 16 Migration
IOS XE 16
[Figure: IOS XE 16 themes - Open & Extensible Platform (Model Driven APIs, App Hosting, Faster Innovation); Automate and Orchestrate (Patching, Device Management, Troubleshooting, Reduce OPEX); Consistent Customer Experience (Lower Cost); Physical and Virtual Infrastructure, Any Platform, Any ASIC]

Upgrade Impact on ASR 1000
1. Same IOS XE software infrastructure, feature, functionality, behavior and user experience (i.e. CLI, MIBs)
2. Few HW become unsupported
3. ISSU incompatible, require ROMmon upgrade and reload.

Release Numbering
16.2.1 Denali
  16      Major Release Number
  2       Feature Release Number
  1       Build Number
  Denali  Feature Release Name

What to expect - HW (1)
                             Supported                                  Unsupported
Platforms                    ASR1001-X, ASR1002-X, ASR1002-HX,          ASR1001, ASR1002
                             ASR1004, ASR1006, ASR1013,
                             ASR1006-X, ASR1009-X
Route Processors (RP)        ASR1000-RP2                                ASR1000-RP1
Forwarding Processors (ESP)  ASR1000-ESP20, ASR1000-ESP40,              ASR1000-ESP5, ASR1000-ESP10
                             ASR1000-ESP100, ASR1000-ESP200
Line cards                   ASR1000-SIP40, ASR1000-2T+20X1GE,          ASR1000-SIP10
                             ASR1000-6TGE, ASR1000-MIP100

What to expect - HW (2)
Ethernet Port Adapters (EPA)
  Supported: EPA-1X100GE, EPA-10X10GE, EPA-18X1GE
  Unsupported: N/A

Shared Port Adapters (SPA)
  Supported: SPA-8XCHT1/E1-V2, SPA-4XCT3/DS0-V2, SPA-2XCT3/DS0-V2, SPA-2XT3/E3-V2, SPA-4XT3/E3-V2, SPA-8XT3/E3, SPA-1CHSTM1/OC3V2, SPA-1XCHOC12/DS0, SPA-4XT-SERIAL,
  SPA-4X1FE-TX-V2, SPA-8X1FE-TX-V2, SPA-2X1GE-V2, SPA-5X1GE-V2, SPA-8X1GE-V2, SPA-10X1GE-V2, SPA-1X10GE-L-V2, SPA-1X10GE-WL-V2,
  SPA-2XOC3-POS-V2, SPA-4XOC3-POS-V2, SPA-8XOC3-POS, SPA-1XOC12-POS-V2, SPA-2XOC12-POS, SPA-4XOC12-POS, SPA-8XOC12-POS, SPA-1XOC48POS/RPR, SPA-2XOC48POS/RPR, SPA-4XOC48POS/RPR, SPA-OC192POS-XFP,
  SPA-1XOC3-ATM-V2, SPA-3XOC3-ATM-V2, SPA-1XOC12-ATM-V2,
  SPA-DSP,
  SPA-1CHOC3-CE-ATM, SPA-2CHT3-CE-ATM, SPA-24CHT1-CE-ATM
  Unsupported: SPA-8XCHT1/E1, SPA-4XCT3/DS0, SPA-2XCT3/DS0, SPA-2XT3/E3, SPA-4XT3/E3, SPA-1XCHSTM1/OC3, SPA-2XOC3-POS, SPA-4XOC3-POS, SPA-1XOC12-POS, SPA-2X1GE-SYNCE, SPA-WMA-K9

Network Interface Module (NIM)
  Supported: NIM-1MFT-T1/E1, NIM-2MFT-T1/E1, NIM-4MFT-T1/E1, NIM-8MFT-T1/E1, NIM-1CE1T1-PRI, NIM-2CE1T1-PRI, NIM-8CE1T1-PRI, NIM-SSD, SSD-SATA-200G, SSD-SATA-400G
  Unsupported: N/A

What to expect - Features
1. Nearly all features in XE3.17 are supported in 16.2, except MACSec and Storm Control, which will be supported in 16.3

What to expect - image type
                                    XE 3.x                               XE 16.x
ASR1001-X, ASR1002-X                Universal Image                      Universal Image (No Change)
  - All the licenses will continue to work as is
  - No config changes are needed besides the boot image
RP2 based platforms                 Reformation Image                    Universal Image + License boot level
  IP BASE W/O CRYPTO                asr1000rp2-ipbase.*                  asr1000rpx86-universalk9.* ipbase
  IP Base                           asr1000rp2-ipbasek9.*                asr1000rpx86-universalk9_npe.* ipbase
  ADVANCED ENTERPRISE SERVICES W/O LI  asr1000rp2-adventerprisek9_noli.*  asr1000rpx86-universalk9_noli.* adventerprise
  ADVANCED ENTERPRISE W/O CRYPTO    asr1000rp2-adventerprise.*           asr1000rpx86-universalk9_npe.* adventerprise
  ADVANCED ENTERPRISE SERVICES      asr1000rp2-adventerprisek9.*         asr1000rpx86-universalk9.* adventerprise
  ADVANCED IP SERVICES W/O LI       asr1000rp2-advipservicesk9_noli.*    asr1000rpx86-universalk9_noli.* advipservices
  ADVANCED IP SERVICES W/O CRYPTO   asr1000rp2-advipservices.*           asr1000rpx86-universalk9_npe.* advipservices
  ADVANCED IP SERVICES              asr1000rp2-advipservicesk9.*         asr1000rpx86-universalk9.* advipservices

There are no more non-k9 universal images starting with 16.2.

What to expect - migrate procedure to 16.3.1
1. ASR 1001-X, ASR 1002-X
   If the system is running ROMmon 15.5(3r)S1 or a later version: install the 16.3.1 image / reload
   If the system is running a ROMmon earlier than 15.5(3r)S1: upgrade to the latest ROMmon / reload / install the 16.3.1 image / reload
2. RP2
   Install the 16.3.1 universal image / reload

Get yourself ready for a maintenance window
1. Read the IOS XE 16.3.1 Migration Guide
2. Download latest ROMmon image to the router
3. Download IOS XE 16.3.1 universal image to the router
4. Backup your router configuration

Summary and Take Away
Operating an ASR 1000

To improve network reliability and operation simplicity:
1. Follow the proper system operation procedure
2. Know features and resources dependency
3. Proactively monitor key system resources
4. Adopt best practices and implement recommendations

Proactive Monitoring: FECP Mem, Crypto, QFP, IOS CPU, IOS Mem, RP Mem, RP CPU, TCAM, DRAM

Relevant Sessions at Cisco Live 2016
Breakout Sessions
BRKARC-2001 Cisco ASR1000 Series Routers: System & Solution Architectures
BRKARC-2031 QoS Config Migrations From Classic IOS to IOS XE
BRKCRS-3147 Advanced troubleshooting of the ASR1K and ISR 4451-X made easy

Complete Your Online Session Evaluation
Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions

Thank you