Monitoring Cisco ASR 1002 with IOS-XE in IPM 4.2
We are running LMS 3.2 with IPM 4.2 installed....and we are looking to do IPSLA monitoring on a couple of our Cisco ASR's with IOS-XE code installed.
I looked at the IPSLA feature mapping and it only talks about supported IOS code....do we need to upgrade our current IPM module to a current version?
Hi Konstantin,
Regarding "It is strange that these commands cleaned from sh run view.": this is normal for many default configuration commands.
Mine is a lab device so I cannot really comment on stability or provide you a recommendation based on that. However, I see that the download section from Cisco.com mentiones the following release as the recommended based on quality, stability and longevity:
asr1002x-universal.03.07.04a.S.152-4.S4a.SPA.bin
The best would be for you to check this with yor cisco Account Team or Advanced Services Team as normally they are the proper point of contacts for SW advisory.
Regards.
Similar Messages
-
What is the Max Nat Session supported on ASR 1002 with ASR1002-5G/K9
Hello,
I am going for ASR 1002 With ASR1002-5G/K9 ESP, Can any 1 help me to know how many NAT translation is possible.
As I got the Datasheet for ASR1000 it say’s 1M translation is Supported by ESP10 but it’s not giving any information regarding ESP5.
Thanks in advanceFirewall or NAT: 250,000 sessions and 50,000 sessions-per-sec setup rate
This is from the datasheet. Pls check.
Table 3. Cisco ASR 1000 Series 5-Gbps ESP Module Performance and Scaling
Regards
Durga Prasad - Datasoft Comnet
Pls rate helpful posts
Sent from Cisco Technical Support Android App -
ASR 1006 with IOS 3.13.1S, NetFlow commands not working
Hi,
We have Cisco ASR1006 router with IOS asr1000rp1-advipservicesk9.03.13.01.S.154-3.S1-ext.bin, we have recently upgrade IOS from asr1000rp1-advipservicesk9.02.03.02.122-33.XNC2.bin.
After upgrading the IOS ip flow ingress and ip flow egress command is not working.
Please suggest on configuring NetFlow commands on this.
Regards
MACAlso try this link, found if you follow the URL above, and I have made some notes about configuring inbound and outbound flow monitoring :-
http://docwiki.cisco.com/wiki/Migrating_from_Traditional_to_Flexible_NetFlow#Flexible_NetFlow_Migration_in_Practice
That article was referred in these release notes but don’t follow the link in the release notes, use the link above as it seems to have moved;
http://www.cisco.com/c/en/us/td/docs/routers/asr1000/release/notes/asr1k_rn_rel_notes/asr1k_feats_important_notes_313s.html#pgfId-3455900
The syntax I have used is almost the same, except that I don’t think you can quite have the 2 options they mention in the last line;
flow exporter FlowExporter1
destination 192.168.9.101
transport udp 9996
export-protocol netflow-v5
source FastEthernet 0/1
flow monitor FlowMonitor1
record netflow ipv4 original-input
exporter FlowExporter1
cache timeout active 1
cache timeout inactive 15
interface FastEthernet 0/1
ip flow monitor FlowMonitor1 [input|output] <<< with the netflow record above only input is ok
According to the command reference I looked at when you use the ipv4 ‘netflow’ flow record with ‘original-input’, it can only monitor inbound packets and vice-versa for ‘original-output’, therefore I think you need the pair of settings as we have done.
[see here http://www.cisco.com/c/en/us/td/docs/ios/fnetflow/configuration/guide/12_2sr/fnf_12_2_sr_book/get_start_cfg_fnflow.html#wp1059480 ]
flow monitor FlowMonitor1
record netflow ipv4 original-input
flow monitor FlowMonitor2
record netflow ipv4 original-output
interface FastEthernet 0/1
ip flow monitor FlowMonitor1 input
ip flow monitor FlowMonitor2 output
Rgds
Ian -
Does the router Cisco ASR 1002 support ESP module of 10GB?
if not what is the limit ?Hi hendrikus1982, the ASR 1002 can only support the 5GB built in ESP it does not support the module for 10GB. Can I ask what you are planning to do maybe i can provide you with an alternative. please feel free to email me directly at [email protected] hope this helps!
-
Hello All.
I started using asr 1002-x with IOS XE instead of 7201 as ISG + AAA + RADIUS.
I had a question on IOS XE 3.11, 3.10, 3.9.
Command "radius-server vsa send ..." is in a configuration, however it isn't applied and doesn't appear in running-config.
cod-r8(config)#radius-server vsa send?
accounting Send in accounting requests
authentication Send in access requests
cisco-nas-port Send cisco-nas-port VSA (2)
<cr>
cod-r8(config)#radius-server vsa send accounting
cod-r8(config)#radius-server vsa send authentication
cod-r8(config)#radius-server vsa send cisco-nas-port
cod-r8(config)#do sh run | include vsa
radius-server vsa send cisco-nas-port</cr>
It turns out that vsa is included by default or doesn't work at all?
Thanks.
KonstantinHi Konstantin,
Regarding "It is strange that these commands cleaned from sh run view.": this is normal for many default configuration commands.
Mine is a lab device so I cannot really comment on stability or provide you a recommendation based on that. However, I see that the download section from Cisco.com mentiones the following release as the recommended based on quality, stability and longevity:
asr1002x-universal.03.07.04a.S.152-4.S4a.SPA.bin
The best would be for you to check this with yor cisco Account Team or Advanced Services Team as normally they are the proper point of contacts for SW advisory.
Regards. -
Cisco ASR 1002- performance issue due to access list
Hi,
We are planning to implement inbound access-list to block subnets from particular country. Since the subnets are not contiguous, we have about 16000 lines of acl entries.
I want to know, would there be any performance or latency issues after applying 16k lines of acl?
Is there a good document where I can read more about ACL limitations and performance issues on ASR.
This is for ASR1002, running IOS-XE 15.3(1)S1.
ThanksDisclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Sorry, I don't know the answer to your questions, but I'm writing to mention a 7200 feature, that if supported on the ASR, might help in your situation. See http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#turbo -
ASR 1002 with SFP GE-T ( Interface not came UP )
Hi Team,
e are trying to connect an ASR1002 ( 4XGE-BUILT-IN ) with SFP GE-T to a C3750 Switch but the interface never came up in the ASR and also at Cisco 3750 end.
The interfaces are configured in both sides with no negotiation auto and with speed 1000 and duplex full.
sh int gi0/0/1
GigabitEthernet0/0/1 is down, line protocol is down
Hardware is 4XGE-BUILT-IN, address is 8843.e179.3301 (bia 8843.e179.3301)
Description: *** Connect to Cisco 3750 ***
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full Duplex, 1000Mbps, link type is force-up, media type is T
output flow-control is on, input flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
show hw-module subslot 0/0 transceiver 1 idprom
IDPROM for transceiver GigabitEthernet0/0/1:
Description = SFP optics (type 3)
Transceiver Type: = GE T (26)
Product Identifier (PID) = N/A
Vendor Revision = A
Serial Number (SN) = F15MB614
Vendor Name = CIS-COMPAT-F
Vendor OUI (IEEE company ID) = 00.0B.40 (2880)
CLEI code = N/A
Cisco part number = N/A
Device State = Enabled.
Date code (yy/mm/dd) = 09/08/26
Connector type = Unknown.
Encoding = 8B10B
NRZ
Nominal bitrate = GE (1300 Mbits/s)
Minimum bit rate as % of nominal bit rate = not specified
Maximum bit rate as % of nominal bit rate = not specified
Please help to get any solution.
Thanks in ADV,I have seen this before. Take a picture of the SFP. I want to see the front label which contains the serial number.
If I remembered correctly, ASR will only accept GLC-T with hardware version of "-03". -
Cisco ASR 9006 IOS XR 4.3.0 aaa authorization
Hi,
I've configured two Cisco ASR 9006 with IOS XR 4.3.0 with the aaa. I've a problem with the authorization statement.
I need to distiguish two groups.
Network Administrator (Full access, show, configuration etc etc)
Network Viewer (Users in this group can use only the show command)
I cannot find anything clear on the documentation. Can you help me?
Below the actual configuration (without authorization)
tacacs source-interface Loopback0 vrf default
tacacs-server host 10.10.10.1 port 49
tacacs-server key 7 XXXXXXXXXX
tacacs-server timeout 10
username emergency
group netadmin
password 7 XXXXXXXXXXXXXXX
aaa accounting exec default start-stop group ACS
aaa accounting system default start-stop group ACS
aaa group server tacacs+ ACS
server 10.10.10.1
aaa authentication login default group ACS local
I have configured two Shell Command Authorization Sets in my ACS. One for ReadOnly and one for Full Access.
The ReadOnly Group (called AccessoSolaLettura) is on the attacched png called asr_1.PNG
The Full Access Group (called AccessCompleto) is on the attached png called asr_2.PNG
I associated this Shell Authorization sets to two users group. (Network Administrator and Network Viewer).
The first one with Level 15 and the second one with Level 7. (Attached file ACS_1.png and ACS_2.png)
Can you tell me if the ACS configuration is right and which configuration is needed on the ASR?
The ACS Release is 4.2(0) Build 124.
Tnx
LeonardoHi Leonardo,
In XR we have the concept of tasks and taskgroup for determining what a user can do, and we recommend using this. For tasks we have the read/write/execute/debug permissions.
For instance to run 'show bgp summary' we need the read permission on the task BGP. Instead of assigning individual permissions per user we can create a taskgroup and the user can inherit everything from a taskgroup.
So for instance we can add read BGP, read OSPF, and read system to the taskgroup test. We can then have the user inherit the taskgroup test and get all the permissions that taskgroup has. We can inherit multiple tasks and taskgroups.
In addition we have some predefined task groups (for the full access user you will want the cisco-support and root-system taskgroups).
You can find some more information in the following posts
http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-3/security/configuration/guide/b_syssec_cg43xasr9k/b_syssec_cg43asr9k_chapter_010.html
https://supportforums.cisco.com/docs/DOC-15944
HTH,
Sam -
Hello all,
I have 1 Cisco ASR 1002 configured as a normal edge router connecting to ISP.
When i used ftp service from PC outside to servers inside, the FTP service ran normally in the morning but it is slower by afternoon and till the end of the working day, client PC couldn't work anymore
So, i restarted ASR 1002 and it did work well again
The next day, i replaced ASR 1002 with Cisco router 2801, configured the same extractly. And there's not problem anymore.
Then, I tried ASR 1002 and it's in trouble again. Now, i have to use 2801.....
I have checked log and see:
*Feb 19 14:10:58.143: %QFPOOR-4-LOWRSRC_PERCENT: F0: cpp_ha: QFP 0 DRAM resource low - 97 percent depleted
*Feb 19 14:36:22.271: %QFPOOR-4-LOWRSRC_PERCENT: F0: cpp_ha: QFP 0 DRAM resource low - 98 percent depleted
*Feb 19 15:02:16.368: %QFPOOR-4-LOWRSRC_PERCENT: F0: cpp_ha: QFP 0 IRAM resource low - 99 percent depleted
So i did use command:
show platform hardware qfp active infra exmem statistics user:
Type: Name: IRAM, QFP: 0
Allocations Bytes-Alloc Bytes-Total User-Name
1 115200 115712 CPP_FIA
1902 125440704 126597120 NAT
Type: Name: GLOBAL, QFP: 0
Allocations Bytes-Alloc Bytes-Total User-Name
7 14544 18432 P/I
7 270696 274432 CEF
1 512 1024 B2B HA
1 1138256 1138688 QM RM
1 16384 16384 Qm 16
1 524288 524288 TCAM
3 4210688 4210688 ING_EGR_UIDB
1 835584 835584 ING EGR INPUT CHUNK_Config_0
1 16384 16384 ING EGR INPUT CHUNK_Sm_Name_0
1 32768 32768 ING EGR INPUT CHUNK_Lg_Name_0
1 770048 770048 ING EGR OUTPUT CHUNK_Config_0
1 16384 16384 ING EGR OUTPUT CHUNK_Sm_Name_0
1 32768 32768 ING EGR OUTPUT CHUNK_Lg_Name_0
1 16384 16384 ING EGR OUTPUT CHUNK_Queue_0
1 16384 16384 ING-EGR_IfMap_0
4 25856 28672 GIC
1 1048576 1048576 PLU Mgr_CEF_0_0
1 1048576 1048576 PLU Mgr_CEF_0_3
1 1048576 1048576 PLU Mgr_CEF_0_7
1 1572864 1572864 PLU Mgr_CEF_0_8
1 1048576 1048576 PLU Mgr_PLU_GLOBAL_0_0
1 1048576 1048576 PLU Mgr_PLU_GLOBAL_0_1
1 786432 786432 PLU Mgr_PLU_GLOBAL_0_2
1 1048576 1048576 PLU Mgr_PLU_GLOBAL_0_3
1 1310720 1310720 PLU Mgr_PLU_GLOBAL_0_4
1 786432 786432 PLU Mgr_PLU_GLOBAL_0_5
1 917504 917504 PLU Mgr_PLU_GLOBAL_0_6
1 1048576 1048576 PLU Mgr_PLU_GLOBAL_0_7
1 1572864 1572864 PLU Mgr_PLU_GLOBAL_0_8
21 5223968 5235712 ALG
3 4400 7168 LI
1 64 1024 cpp_li_sbs_client
Type: Name: GLOBAL, QFP: 0
Allocations Bytes-Alloc Bytes-Total User-Name
5 34836 38912 SSLVPN
1 2048 2048 SMI
1 40 1024 cpp_smi_sbs_client
1 6528 7168 cpp_pbr_sbs_client
3 1540836 1543168 TD
787 64665040 65135616 NAT
3 24000 24576 TUNNEL
1 4384 5120 ERSPAN
1 112 1024 cpp_erspan_sbs_client
12 627008 630784 ESS
2 32 2048 ICMP
1 32000 32768 cpp_icmp_sb_chunk
1 524288 524288 QoS 1024
1 4096 4096 SPAMARMOT
1 32768 32768 ethernet
1 16384 16384 PALCI CLIENT
3 8064 9216 cpp_punt_sbs_client
1 320 1024 punt path chunk 0
1 32000 32768 punt subblock chunk
21 8064 21504 punt policer chunk
17 515984 529408 PKTLOG
1 512 1024 queue info chunk 0
1 16 1024 CPP IPHC
7 1286432 1288192 IPFRAG
1 16000 16384 cpp_ipfrag_sb_chunk
10 26048 34816 cpp_ipfrag_sbs_client
1 32000 32768 cpp_ipreass_sb_chunk
1 16000 16384 cpp_ipreass_cur_dgram_cnt_chunk
1 64000 64512 cpp_ipvfr_sb_chunk
1 64000 64512 cpp_ipv6reass_sb_chunk
1 6528 7168 sbs_cef
1 16000 16384 cpp_tunnel_subblock
Type: Name: GLOBAL, QFP: 0
Allocations Bytes-Alloc Bytes-Total User-Name
1 32000 32768 cpp_ipv4_tunnel_hash_elem
1 4096 4096 NAT SB
1 16384 16384 cpp_pbr_action_chunk
I found : NAT is the feature that hold most of the memory. What can i do nowOn the Cisco ASR 1000 Series Routers, IOS runs as one of many processes within the operating system. This is different than on traditional Cisco IOS, where all processes are run within Cisco IOS.
This architecture allows for software redundancy opportunities that are not available on other platforms that run Cisco IOS software. Specifically, a standby IOS process can be available on the same Route Processor as the active IOS process. This standby IOS process can be switched to in the event of an IOS failure, and can also be used to upgrade subpackage software in some scenarios as the standby IOS process in an ISSU upgrade.
Following Table shows Software Redundancy Overview:
Router
Support for Two IOS Processes on Same Route Processor
Support for a Second IOS Process on Standby Route Processor
Explanation
Cisco ASR 1001 Router1
Yes
N/A
The Cisco ASR 1001 Router only supports one RP, so dual IOS processes run on the lone RP.
Cisco ASR 1002 Router
Yes
N/A
The Cisco ASR 1002 Router only supports one RP, so dual IOS processes run on the lone RP.
Cisco ASR 1004 Router
Yes
N/A
The Cisco ASR 1004 Router only supports one RP, so dual IOS processes run on the lone RP.
Cisco ASR 1006 Router
No
Yes
The Cisco ASR 1006 Router supports a second Route Processor, so the second IOS process can only run on the standby Route Processor.
For more details check:
Software Redundancy on the Cisco ASR 1000 Series Routers
-Thanks
Vinod
**Encourage Contributors. RATE Them.** -
Hello,
Does anyone who uses NAT/PAT (nat overload) limit the max number of NAT translations that any one internal IP address can have? We have had issues where people do port scans and utilise a large majority of our NAT pool. We are doing NAT on a ASR 1002 with an ESP5. It can do up to 250,000 NAT translations total and 50,000 new a second.
Now I found out that the ASR in a pool will only use the last available IP to do PAT.. The rest of the IP addresses are used for 1-1 NAT.
Here is our NAT config
> ip nat translation tcp-timeout 1800
> ip nat translation udp-timeout 1800
> ip nat translation max-entries 250000
> ip nat pool Level3Pool some-ip-address some-ip-address netmask 255.255.255.248
> ip nat inside source list NAT pool Level3Pool overload
Any idea about:
ip nat settings mode cgn
ip nat settings mode cgn
ThanksFirewall or NAT: 250,000 sessions and 50,000 sessions-per-sec setup rate
This is from the datasheet. Pls check.
Table 3. Cisco ASR 1000 Series 5-Gbps ESP Module Performance and Scaling
Regards
Durga Prasad - Datasoft Comnet
Pls rate helpful posts
Sent from Cisco Technical Support Android App -
Hello,
we got a new cisco ASR 1002 ,does it require a license to work as BRAS??
ThnxYes, it does.
The feature licenses for ASR1K can be viewed at Table 2 on the URL http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c25-448292.html
You would need a license to enable broadband (FLASR1-BB-RTU) and another license with the appropriate number of sessions.
Cheers -
Hello
I have one Adtran Router on platform: NetVanta 4660 EoX L2/L3 Router having OS version R10.11.0.E. I want to replace this router with Cisco ASR 1002 router. There is EVC configured on Adtran router having the following configuration:
interface gigabit-eth 0/1
speed 1000 nonegotiate
no shutdown
interface gigabit-eth 0/1.2
ce-vlan-id 10
connect evc dolphin
ip address 1.1.1.1 255.255.255.252
no shutdown
interface gigabit-eth 0/1.3
ce-vlan-id 20
connect evc dolphin
ip address 2.2.2.1 255.255.255.252
shutdown
evc dolphin
s-tag 150
connect men-port gigabit-ethernet 0/1
no shutdown
Now we want to configure this type of configuration on ASR 1002. So can anybody help me to achieve this?
Regards
Mukesh Kumar
Network Engineer
Spooster IT ServicesHi
You could try with bridging. Something like this
Interface bvi 1
no ip address
interface gig0
bridge-gropup 1
interface gig1
bridge-group 1
/Mikael -
Dear Cisco Support,
Want to find out if the cisco ASR 1002 router can work without the esp module installed.
Thanks
Edwin K PhiriThanks for taking the time to rate our posts, Edwin. :)
-
ASR 1002 cisco IOS hashing code is not macthed with cisco CODE ???!!
Hi
im not sure if i tested correctly or not
Name of the ios on the router :
asr1000rp1-adventerprisek9.03.11.00.S.154-1.S-std.bin
i dd verify command to my ios of the router and here is the result :
verification testing on the router :
Embedded Hash SHA1 : 7F67671B4C91DA68E750B3EC83729E2B6311B376
Computed Hash SHA1 : 7F67671B4C91DA68E750B3EC83729E2B6311B376% Error: Software Authenticity commands not supported
Embedded hash verification successful.
from cisco.com the same IOS name ,
Cisco MD5 hashing checksum:
isco ASR 1000 Series RP1 ADVANCED ENTERPRISE SERVICES
Release: 3.11.0S
Release Date: 21/Nov/2013
File Name: asr1000rp1-adventerprisek9.03.11.00.S.154-1.S-std.bin
Min Memory: DRAM 4096 MB Flash 1024 MB
Size: 353.35 MB (370512468 bytes)
MD5 Checksum: 330d64f46404b925af81a33318d2e548
asr1000rp1-adventerprisek9.03.11.00.S.154-1.S-std.bin
as we see the two codes not matched ??!!!!
is that natural ?1. Copy the IOS into the appliance's bootflash directory.
2. Change the boot variable string.
3. Reboot. -
I have an ASR 1002 that I have placed the following config on:
monitor session 1 type local
source interface Gi0/0/2 , Gi0/3/0
destination interface Gi0/3/4
I am not receiving any traffic on the destination port, is this really supported on the ASR?Hello,
Please see below.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/configuration/xe-3s/asr1000/lanswitch-xe-3s-asr1000-book/lnsw-conf-erspan.html#GUID-152D9875-169B-461F-A34B-ABAABD0C1FF8
"The monitor session span-session-number type local command is not supported on Cisco ASR 1000 Series Routers."
===You may though configure ERSPAN to work as a local SPAN===
* Make sure that both the source session and destination session have the same erspan-id
* Use one locally configured IPv4 address to configure the "ip address" and "origin ip address" in source session and "ip address" in destination session
Example snip: Monitor interface Gig0/0/0 traffic, and then send out through interface Gig0/0/1..
monitor session 10 type erspan-source
source interface Gi0/0/0
destination
erspan-id 10
ip address 10.10.10.1
origin ip address 10.10.10.1
monitor session 20 type erspan-destination
destination interface Gi0/0/1
source
erspan-id 10
ip address 10.10.10.1
Maybe you are looking for
-
Hello - I'm about to purchase an Airport Express to connect to my home stereo receiver via audio-cable. Planning to be able to output the sound usually coming out of my iPad thru my big stereo system, from Apps such as YouTube, Pandora, TuneIn Radio,
-
<p>Is there a procedure to convert reports written in 8.5 to 11?</p><p>Please let me know</p><p>P.S. We are on SQL Server 2000 and all the reports are based on the stored procedures.</p><p>Alex</p>
-
Dear all, Could anyone help me to clarify the following point on DLSw redundancy? Is it true if DLSw redundancy (or recover) are transparent to user if the end stations lie on a token ring network ? On the other hand if the end stations lie on the et
-
Hi There, From my previous posts, you might know that I am quite regular in this forum. I have managed to solve the problems I encountered with your help. Now Im clueless about what is wrong with my code. Basically, I am writing a certain data (16 bi
-
Hi, I'm trying to get Flash, .flv, to work in Dreamweaver CS3. If I click on the Flash Icon on the toolbar I get the error mesage which is attached regarding .js being empty. If I use the Flash Icon and choose, Flash Video, I can import the file an