Cisco Catalyst 8300 and Catalyst 8200 Series Edge Platforms Software Configuration Guide

Cisco Catalyst 8300 and Catalyst 8200 Series Edge Platforms Software
Configuration Guide
Last Modified: 2021-12-15
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2022 Cisco Systems, Inc. All rights reserved.
CONTENTS
PREFACE Preface xv
Objectives xv
Important Information on Features and Commands xv
Related Documentation xv
Document Conventions xvi
Obtaining Documentation and Submitting a Service Request xvii
CHAPTER 1 Overview 1
Introduction 1
Switch Between Controller and Autonomous Modes Using Cisco CLI 2
Switch Between Controller and Autonomous Modes using Bootstrap Configuration Files 2
Supported Modules and Features-on Cisco 8300 and 8200 Series Edge Platforms 3
CHAPTER 2 Basic Platform Configuration 5
Default Configuration 5
Configuring Global Parameters 9
Configuring Gigabit Ethernet Interfaces 10
Configuring a Loopback Interface 11
Configuring Module Interfaces 12
Dynamic Allocation of Cores 12
Enabling Cisco Discovery Protocol 14
Configuring Command-Line Access 14
Configuring Static Routes 16
Configuring Dynamic Routes 18
Configuring Routing Information Protocol 18
Configuring Enhanced Interior Gateway Routing Protocol 22
Cisco Catalyst 8300 and Catalyst 8200 Series Edge Platforms Software Configuration Guide
iii
Contents
CHAPTER 3 Using Cisco IOS XE Software 25
Using Cisco IOS XE Software 25

25
Accessing the CLI Using a Directly-Connected Console 25

Connecting to the Console Port 26
Using the Console Interface 26
Using SSH to Access Console 26
Accessing the CLI from a Remote Console Using Telnet 27
Preparing to Connect to the Device Console Using Telnet 27
Using Telnet to Access a Console Interface 28
Accessing the CLI from a USB Serial Console Port 29
Using Keyboard Shortcuts 29
Using the History Buffer to Recall Commands 29
Understanding Command Modes 30
Understanding Diagnostic Mode 31
Getting Help 32
Using the no and default Forms of Commands 35
Saving Configuration Changes 35
Managing Configuration Files 36
Filtering Output from the show and more Commands 36
Powering Off a Device 36
Finding Support Information for Platforms and Cisco Software Images 37
Using Cisco Feature Navigator 37
Using Software Advisor 37
Using Software Release Notes 37
CLI Session Management 37

Information About CLI Session Management 38
Changing the CLI Session Timeout 38
Locking a CLI Session 38
CHAPTER 4 Licenses and Licensing Models 39
Feature Information for Available Licenses and Licensing Models 39

Available Licenses 41
iv
Contents
Cisco DNA License 41

Guidelines for Using a Cisco DNA License 42
Ordering Considerations for a Cisco DNA License 43
High Security License 43
Guidelines for Using an HSECK9 License 44

Ordering Considerations for an HSECK9 License 44
Cisco CUBE License 44
Cisco Unified CME License 44
Cisco Unified SRST License 45
Throughput 45
Throughput as a Numeric Value 46
Throughput and System Hardware Throttling Specifications in the Autonomous Mode 47

Throughput and System Hardware Throttling Specifications in the SD-WAN Controller Mode 49
Throughput as a Tier 50
Numeric vs. Tier-Based Throughput Configuration 52
How to Configure Available Licenses and Throughput 54
Configuring a Boot Level License 54

Installing SLAC for an HSECK9 License 57
Configuring a Numeric Throughput 58
Configuring a Tier-Based Throughput 61
Converting From a Numeric Throughput Value to a Tier 65
Upgrading from a Release Supporting Numeric Throughput to a Release Supporting Tiers 68
Downgrading from a Release Supporting Tiers to a Release Supporting Only Numeric Throughput 68
Available Licensing Models 69
CHAPTER 5 Change of Authorization 71
Feature Information for Change of Authorization 71

Information About Change of Authorization 72
Change of Authorization-Reauthentication Procedure 72
Change of Authorization 74
Restrictions for Change of Authorization 74
How to Configure Change of Authorization 75
Essential dot1x | SANet Configuration 75
Configure Change of Authorization 75
v
Contents
Configuration Examples for Change of Authorization 76

Example: Check if the RADIUS Server is Active 76
Example: Device Tracking Policy 76
CHAPTER 6 Managing the Device Using Web User Interface 79
Setting Up Factory Default Device Using Web UI 79
Using Basic or Advanced Mode Setup Wizard 80

Configure LAN Settings 80
Configure Primary WAN Settings 81
Configure Secondary WAN Settings 82
Configure Security Settings 82
Using Web User Interface for Day One Setup 83
Monitor and Troubleshoot Device Plug and Play (PnP) Onboarding using WebUI 84
CHAPTER 7 Console Port, Telnet, and SSH Handling 87
Notes and Restrictions for Console Port, Telnet, and SSH 87

Console Port Overview 87
Console Port Handling Overview 88
Telnet and SSH Overview 88
Configuring a Console Port Transport Map 88
Configuring Persistent SSH 90
Viewing Console Port, SSH, and Telnet Handling Configurations 93
CHAPTER 8 Installing the Software 99
Overview 99
ROMMON Images 100
Provisioning Files 100
File Systems 100
Autogenerated File Directories and Files 101
Flash Storage 102
Configuring the Configuration Register for Autoboot 102
How to Install and Upgrade the Software 103
Managing and Configuring a Device to Run Using a Consolidated Package 103
Managing and Configuring a Consolidated Package Using Copy and Boot Commands 103
vi
Contents
Configuring a Device to Boot the Consolidated Package via TFTP Using the Boot Command:
Example 105
Installing the Software Using install Commands 108
Restrictions for Installing the Software Using install Commands 108
Information About Installing the Software Using install Commands 108
Install Mode Process Flow 109
Booting the Platform in Install Mode 114
One-Step Installation or Converting from Bundle Mode to Install Mode 115
Three-Step Installation 116
Upgrading in Install Mode 117
Downgrading in Install Mode 118
Terminating a Software Installation 118
Configuration Examples for Installing the Software Using install Commands 118
Troubleshooting Software Installation Using install Commands 130
Managing and Configuring a Device to Run Using Individual Packages 131
Installing Subpackages from a Consolidated Package 131
Installing Subpackages from a Consolidated Package on a Flash Drive 137
Upgrading the Firmware on NIMs 138
Installing a Firmware Subpackage 147
Configuring No Service Password-Recovery 153
How to Enable No Service Password-Recovery 153
CHAPTER 9 Slot and Subslot Configuration 159
Configuring the Interfaces 159

Configuring Gigabit Ethernet Interfaces 159
Configuring the Interfaces: Example 161
Viewing a List of All Interfaces: Example 161
Viewing Information About an Interface: Example 162
CHAPTER 10 Cisco Thousand Eyes Enterprise Agent Application Hosting 163
Cisco ThousandEyes Enterprise Agent Application Hosting 163

Feature Information for Cisco ThousandEyes Enterprise Agent Application Hosting 164
Supported Platforms and System Requirements 164
Workflow to Install and Run the Cisco ThousandEyes Application 165
vii
Contents
Workflow to Host the Cisco ThousandEyes Application 166
Downloading and Copying the Image to the Device 167

Connecting the Cisco ThousandEyes Agent with the Controller 169
Modifying the Agent Parameters 169
Uninstalling the Application 169
Troubleshooting the Cisco ThousandEyes Application 170
CHAPTER 11 Process Health Monitoring 171

Monitoring Control Plane Resources 171
Avoiding Problems Through Regular Monitoring 171
Cisco IOS Process Resources 172
Overall Control Plane Resources 173
Monitoring Hardware Using Alarms 175
Device Design and Monitoring Hardware 175
BootFlash Disk Monitoring 176
Approaches for Monitoring Hardware Alarms 176
Onsite Network Administrator Responds to Audible or Visual Alarms 176
Viewing the Console or Syslog for Alarm Messages 177
Network Management System Alerts a Network Administrator when an Alarm is Reported Through
SNMP 179
CHAPTER 12 System Messages 181
Information About Process Management 181

How to Find Error Message Details 181
CHAPTER 13 Trace Management 187

Tracing Overview 187
How Tracing Works 187
Tracing Levels 188
Viewing a Tracing Level 189
Setting a Tracing Level 191
Viewing the Content of the Trace Buffer 191
CHAPTER 14 Environmental Monitoring and PoE Management 193
viii
Contents
Environmental Monitoring 193

Environmental Monitoring and Reporting Functions 193
Environmental Monitoring Functions 194
Environmental Reporting Functions 196
Configuring Power Supply Mode 207
Configuring the Edge Platforms Power Supply Mode 208
Configuring the External PoE Service Module Power Supply Mode 208
Examples for Configuring Power Supply Mode 208
Available PoE Power 210
CHAPTER 15 Configuring High Availability 213
About Cisco High Availability 213

Interchassis High Availability 213
IPsec Failover 214
Bidirectional Forwarding Detection 214
Bidirectional Forwarding Detection Offload 215
Configuring Cisco High Availability 215
Configuring Interchassis High Availability 215
Configuring Bidirectional Forwarding 216
Configuring BFD Offload 216
Verifying Interchassis High Availability 216
Verifying BFD Offload 223
CHAPTER 16 Configuring Secure Storage 227
Enabling Secure Storage 227
Disabling Secure Storage 228
Verifying the Status of Encryption 229

Verifying the Platform Identity 229
CHAPTER 17 Configuring Call Home 231
Finding Feature Information 231

Prerequisites for Call Home 231
Information About Call Home 232
Benefits of Using Call Home 232
ix
Contents
Obtaining Smart Call Home Services 233

Anonymous Reporting 233
How to Configure Call Home 234
Configuring Smart Call Home (Single Command) 234
Configuring and Enabling Smart Call Home 235
Enabling and Disabling Call Home 236
Configuring Contact Information 236
Configuring Destination Profiles 238
Creating a New Destination Profile 239
Copying a Destination Profile 240
Setting Profiles to Anonymous Mode 241
Subscribing to Alert Groups 241
Periodic Notification 244
Message Severity Threshold 245
Configuring a Snapshot Command List 245
Configuring General E-Mail Options 246
Specifying Rate Limit for Sending Call Home Messages 248
Specifying HTTP Proxy Server 249
Enabling AAA Authorization to Run IOS Commands for Call Home Messages 250
Configuring Syslog Throttling 250
Configuring Call Home Data Privacy 251
Sending Call Home Communications Manually 252
Sending a Call Home Test Message Manually 252
Sending Call Home Alert Group Messages Manually 252
Submitting Call Home Analysis and Report Requests 253
Manually Sending Command Output Message for One Command or a Command List 255
Configuring Diagnostic Signatures 256
Information About Diagnostic Signatures 257
Diagnostic Signatures Overview 257
Prerequisites for Diagnostic Signatures 258
Downloading Diagnostic Signatures 258
Diagnostic Signature Workflow 258
Diagnostic Signature Events and Actions 259
Diagnostic Signature Event Detection 259
x
Contents
Diagnostic Signature Actions 259
Diagnostic Signature Variables 260

How to Configure Diagnostic Signatures 260
Configuring the Call Home Service for Diagnostic Signatures 260
Configuring Diagnostic Signatures 262
Displaying Call Home Configuration Information 264
Default Call Home Settings 270
Alert Group Trigger Events and Commands 270
Message Contents 277
CHAPTER 18 Managing Cisco Enhanced Services and Network Interface Modules 283
Information About Cisco Service Modules and Network Interface Modules 283
Modules Supported 284
Network Interface Modules and Enhanced Service Modules 284
Implementing SMs and NIMs on Your Platforms 284
Downloading the Module Firmware 284
Installing SMs and NIMs 284
Accessing Your Module Through a Console Connection or Telnet 284
Online Insertion and Removal 285
Preparing for Online Removal of a Module 285
Deactivating a Module 286
Deactivating Modules and Interfaces in Different Command Modes 287
Deactivating and Reactivating an SSD/HDD Carrier Card NIM 288
Reactivating a Module 289
Verifying the Deactivation and Activation of a Module 289
Managing Modules and Interfaces 292
Managing Module Interfaces 292
Configuration Examples 292
CHAPTER 19 Cellular IPv6 Address 295
Cellular IPv6 Address 295

IPv6 Unicast Routing 295
Link-Lock Address 296
Global Address 296
xi
Contents
Configuring Cellular IPv6 Address 296
CHAPTER 20 Radio Aware Routing 299
Benefits of Radio Aware Routing 299

Restrictions and Limitations 300
License Requirements 300
System Components 300
QoS Provisioning on PPPoE Extension Session 301
Example: Configuring the RAR Feature in Bypass Mode 301
Example: Configuring the RAR Feature in Aggregate Mode 303
Verifying RAR Session Details 304
Troubleshooting Radio Aware Routing 310
CHAPTER 21 Configuring Voice Functionality 311
Call Waiting 311

Call Transfers 311
Feature Group D Configuration 311
Media and Signaling Authentication and Encryption 313
Multicast Music-on-Hold 313
TLS 1.2 support on SCCP Gateways 314
CHAPTER 22 Dying Gasp Through SNMP, Syslog and Ethernet OAM 319
Prerequisites for Dying Gasp Support 319

Restrictions for Dying Gasp Support 319
Information About Dying Gasp Through SNMP, Syslog and Ethernet OAM 320
Dying Gasp 320
How to Configure Dying Gasp Through SNMP, Syslog and Ethernet OAM 320
Dying Gasp Trap Support for Different SNMP Server Host/Port Configurations 320
Environmental Settings on the Network Management Server 320
Message Displayed on the Peer Router on Receiving Dying Gasp Notification 321
Displaying SNMP Configuration for Receiving Dying Gasp Notification 321
Configuration Examples for Dying Gasp Through SNMP, Syslog and Ethernet OAM 321
Example: Configuring SNMP Community Strings on a Router 321
Example: Configuring SNMP-Server Host Details on the Router Console 322
xii
Contents
CHAPTER 23 Troubleshooting 323
Troubleshooting 323
System Report 323
APPENDIX A Unsupported Commands 325
xiii
Contents
xiv
Preface
This section briefly describes the objectives of this document and provides links to additional information on
related products and services:
• Objectives, on page xv
• Important Information on Features and Commands, on page xv
• Related Documentation, on page xv
• Document Conventions, on page xvi
• Obtaining Documentation and Submitting a Service Request, on page xvii
Objectives
This guide provides an overview of the Cisco Catalyst 8300 and 8200 Series Edge Platforms and explains
how to configure the various features on these routers.
Important Information on Features and Commands

For more information about Cisco IOS XE software, including features available on the router (described in
configuration guides), see the Cisco IOS XE 17 Software Documentation set.
To verify support for specific features, use Cisco Feature Navigator. For more information about this, see
Using Cisco Feature Navigator, on page 37.
To find reference information for a specific Cisco IOS XE command, see the Cisco IOS Master Command
List, All Releases.
Related Documentation
• Hardware Installation Guide for the Cisco C8000 Series Router
• Release Notes for the Cisco C8000 Series Routers
xv
Preface
Document Conventions
Commands
Cisco IOS XE commands are identical in look, feel, and usage to Cisco IOS commands on most platforms.
To find reference information for a specific Cisco IOS XE command, see the Cisco IOS Master Command
List, All Releases document.
Features
The router runs Cisco IOS XE software which is used on multiple platforms. To verify support for specific
features, use the Cisco Feature Navigator tool. For more information, see Using Cisco Feature Navigator, on
page 37.
Document Conventions
This documentation uses the following conventions:
Convention Description
^ or Ctrl The ^ and Ctrl symbols represent the Control key.

For example, the key combination ^D or Ctrl-D
means hold down the Control key while you press
the D key. Keys are indicated in capital letters but are
not case sensitive.
string A string is a nonquoted set of characters shown in

italics. For example, when setting an SNMP
community string to public, do not use quotation
marks around the string or the string will include the
quotation marks.
Command syntax descriptions use the following conventions:
bold Bold text indicates commands and keywords that you

enter exactly as shown.
italics Italic text indicates arguments for which you supply

values.
[x] Square brackets enclose an optional element (keyword

or argument).
| A vertical line indicates a choice within an optional

or required set of keywords or arguments.
[x | y] Square brackets enclosing keywords or arguments

separated by a vertical line indicate an optional choice.
{x | y} Braces enclosing keywords or arguments separated

by a vertical line indicate a required choice.
xvi
Preface
Obtaining Documentation and Submitting a Service Request
Nested sets of square brackets or braces indicate optional or required choices within optional or required
elements. For example:
[x {y | z}] Braces and a vertical line within square brackets

indicate a required choice within an optional element.
Examples use the following conventions:
screen Examples of information displayed on the screen are

set in Courier font.
bold screen Examples of text that you must enter are set in Courier
bold font.
<> Angle brackets enclose text that is not printed to the

screen, such as passwords.
! An exclamation point at the beginning of a line

indicates a comment line. (Exclamation points are
also displayed by the Cisco IOS XE software for
certain processes.)
[] Square brackets enclose default responses to system

prompts.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or
loss of data.
Note Means reader take note. Notes contain helpful suggestions or references to materials that may not be contained
in this manual.
Obtaining Documentation and Submitting a Service Request

• To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
• To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
• To submit a service request, visit Cisco Support.
• To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit
Cisco Marketplace.
• To obtain general networking, training, and certification titles, visit Cisco Press.
xvii
Preface
Preface
• To find warranty information for a specific product or product family, access Cisco Warranty Finder.
xviii
CHAPTER 1
Overview
This chapter includes information about Cisco Catalyst 8300 and 8200 Series Edge Platforms and describes
the autonomous mode and controller mode. It contains the following sections:
• Introduction, on page 1
• Supported Modules and Features-on Cisco 8300 and 8200 Series Edge Platforms, on page 3
Introduction
The Cisco Catalyst 8300 and 8200 Series Edge Platforms are best-of-breed, 5G-ready, cloud edge platforms
designed for accelerated services, multi-layer security, cloud-native agility, and edge intelligence to accelerate
your journey to cloud.
Cisco Catalyst 8300 and 8200 Series Edge Platforms with Cisco IOS XE SD-WAN Software deliver Cisco’s
secure, cloud-scale SD-WAN solution for the branch. The Cisco Catalyst 8300 and 8200 Series Edge Platforms
is built for high performance and integrated SD-WAN Services along with flexibility to deliver security and
networking services together from the cloud or on premises. It provides higher WAN port density and a
redundant power supply capability. The Cisco Catalyst 8300 and 8200 Series Edge Platforms have a wide
variety of interface options to choose from—ranging from lower and higher module density with backward
compatibility to a variety of existing WAN, LAN, LTE, voice, and compute modules. Powered by Cisco IOS
XE, fully programmable software architecture, and API support, these platforms can facilitate automation at
scale to achieve zero-touch IT capability while migrating workloads to the cloud. The Cisco Catalyst 8300
and 8200 Series Edge Platforms also come with Trustworthy Solutions 2.0 infrastructure that secures the
platforms against threats and vulnerabilities with integrity verification and remediation of threats.
The Cisco Catalyst 8300 and 8200 Series Edge Platforms are well suited for medium-sized and large enterprise
branch offices for high WAN IPsec performance with integrated SD-WAN services.
Cisco Catalyst 8300 and 8200 Series Edge Platforms target these use-cases:
• Enterprise Branch office, Managed Service Provide CPE, Internet Gateway for DIA, SASE cloud platform
with SD-WAN
• Next-generation of Software Defined (SD) Branch routing platforms
This document is a summary of software functionality that is specific to the Cisco Catalyst 8300 and 8200
Series Edge Platforms. You can access the Cisco IOS XE and Cisco IOS XE SD-WAN functionality through
Autonomous and Controller execution modes, respectively. The Autonomous mode is the default mode for
the device and includes the Cisco IOS XE functionality. To access Cisco IOS XE SD-WAN functionality
1
Overview
Switch Between Controller and Autonomous Modes Using Cisco CLI
switch to the Controller mode. You can use the existing Plug and Play workflow to determine the mode of
the device.
You can use the universalk9 image to deploy both Cisco IOS XE SD-WAN and Cisco IOS XE on Cisco IOS
XE platforms. The Cisco IOS XE Amsterdam 17.3 helps in seamless upgrades of both the SD-WAN and
non-SDWAN features and deployments.
Switch Between Controller and Autonomous Modes Using Cisco CLI

Use the controller-mode command in Privileged EXEC mode to switch between controller and autonomous
modes.
The controller-mode disable command switches the device to autonomous mode.
Device# controller-mode disable
The controller-mode enable command switches the device to controller mode.

Device# controller-mode enable
Note When the device mode is switched from autonomous to controller, the startup configuration and the information
in NVRAM (certificates), are erased. This action is same as the write erase.
When the device mode is switched from controller to autonomous, all Yang-based configuration is preserved
and can be reused if you switch back to controller mode. If you want to switch the mode from controller to
autonomous, ensue that the configuration on the device is set to auto-boot.
Switch Between Controller and Autonomous Modes using Bootstrap

Configuration Files
On a device that already runs a Cisco IOS XE non SD-WAN image, after installing Cisco IOS XE Release
17.3.2 or later image, the device boots up in autonomous mode.
On a device that already runs a Cisco IOS XE SD-WAN image, after installing Cisco IOS XE Release17.3.1r
or later image, the device boots up in controller mode.
To switch modes, use the controller-mode enable command to switch from autonomous to controller mode
and controller-mode disable command to switch from controller mode to autonomous mode. After the device
boots up, the configuration present in the configuration file is applied.
After the device boots up in controller mode, the configuration present in the configuration file is applied.
For more information on how to use a single universalk9 image to deploy Cisco IOS XE SD-WAN and Cisco
IOS XE functionality on all the supported devices, see the Install and Deploy Cisco IOS XE and Cisco IOS
XE SD-WAN Functionality on Edge Platforms guide.
The following are the Cisco Catalyst 8300 and 8200 Series Edge Platforms models:
• C8300-2N2S-4T2X
• C8300-2N2S-6T
• C8300-1N1S-4T2X
2
Overview
Supported Modules and Features-on Cisco 8300 and 8200 Series Edge Platforms
• C8300-1N1S-6T
• C8200-1N-4T
• C8200L-1N-4T
Supported Modules and Features-on Cisco 8300 and 8200 Series

Edge Platforms
The following table provides the supported modules and features on Cisco Catalyst 8300 and 8200 Series
Edge Platforms.
Table 1: Supported Modules and Features on Cisco 8300 and 8200 Series Edge Platforms
Features Cisco 8300 Cisco 8200 Cisco 8200L
Service Plane Yes No No

Applications (UTD,
AppQoE, and TcpOpt)
CPU Core 8 Core 8 Core 4 Core

C8300-2N2S-4T2X
supports 12 Core
CPU Memory 8G 8G 4G
Backplane Support 10 G 10 G 1G
3
Overview
Supported Modules and Features-on Cisco 8300 and 8200 Series Edge Platforms
4
CHAPTER 2
Basic Platform Configuration
This section includes information about some basic platform configuration in Autonomous mode, and contains
the following sections:
• Default Configuration, on page 5
• Configuring Global Parameters, on page 9
• Configuring Gigabit Ethernet Interfaces, on page 10
• Configuring a Loopback Interface, on page 11
• Configuring Module Interfaces, on page 12
• Dynamic Allocation of Cores, on page 12
• Enabling Cisco Discovery Protocol, on page 14
• Configuring Command-Line Access, on page 14
• Configuring Static Routes, on page 16
• Configuring Dynamic Routes, on page 18
Default Configuration
When you boot up the device in autonomous mode, the device looks for a default file name-the PID of the
device. For example, the Cisco Catalyst 8000 Series Edge Platforms look for a file named c8000.cfg. The
device looks for this file before finding the standard files-router-confg or the ciscortr.cfg.
The device looks for the c8000.cfg file in the bootflash. If the file is not found in the bootflash, the device
then looks for the standard files-router-confg and ciscortr.cfg. If none of the files are found, the device then
checks for any inserted USB that may have stored these files in the same particular order.
Note If there is a configuration file with the PID as its name in an inserted USB, but one of the standard files are
in bootflash, the system finds the standard file for use.
Use the show running-config command to view the initial configuration, as shown in the following example:
Router# show running-config
Building configuration...
Current configuration : 6504 bytes

!
! Last configuration change at 05:04:58 UTC Mon Jul 6 2020
!
5
version 17.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 1G
!
hostname Router
!
boot-start-marker
boot system bootflash:c8000be-universalk9.17.03.01prd8.SPA.bin
boot-end-marker
!
!
!
no aaa new-model
!
!
!
login on-success log
!
!
subscriber templating
!
!
multilink bundle-name authenticated
no device-tracking logging theft
!
!
!
crypto pki trustpoint TP-self-signed-2347094934
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2347094934
revocation-check none
rsakeypair TP-self-signed-2347094934
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2347094934
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333437 30393439 3334301E 170D3230 30353238 32333331
30325A17 0D333030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33343730
39343933 34308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
8B2FA1A7 29F5E8BD 57EB2459 CBBA7D64 4471BD34 0EC80AF2 0B693D0C 8DC3F771

5D377065 57F16FD6 1B7AE4D3 3C5824B5 46FCDA97 4A5CA003 8B0BF2C9 E04A84E5
E34E5EC6 AF94ACF3 DE5F9295 AA1C474F 30902D92 77F67A29 E4934212 DB9B253F
1EC8F61F FD32D662 2F062666 13B8DC71 031F2119 551A487F 77E3BD46 3E5E7BBD
9669BD8E FC4AEE6E EAD00DA5 DD56E370 716EC5CC 67DA7F35 6F4B3428 AD6EF6BD
92868FAD 84871242 08C4FBED D5DB5249 336EB488 0D9A0B02 8BEE4BF9 5D03C416
266E0F49 81030203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
301F0603 551D2304 18301680 14AE8751 EF7BF338 F7AB9FD8 E3EB151C F9E68DFA
6
8A301D06 03551D0E 04160414 AE8751EF 7BF338F7 AB9FD8E3 EB151CF9 E68DFA8A

300D0609 2A864886 F70D0101 05050003 82010100 925E6454 796E21F8 6401B0D1
F2E09800 0B41752A B72F240E 21466633 1A2DAF8B 6F1C81B5 CE069EE0 F88888E4
F6BAB34D 8328C2C7 781C4A6C FBB3DBCE 6F5C7100 388A6ADD 97D0E0CB 9407A5A3
FF51FBD7 816E3D74 41769DAD C861B83B 68C58783 0A369849 32C27426 04513E09
E3393274 201F3C44 D3EA63B2 EAB62240 B57200FE 3E3018C6 8013136A D9A51431
DAB97350 17CEBF1F 2CFC553A 2C95A041 8426DABC AEFC27F7 B4A9F3F3 8C58C682
2BDD7B4C 77F419A7 3F0B775B 8110B16F A67FEFE1 41EF7FE1 C9F0268B 943A9C62
E367846A D2208BEF FE2562B3 FE96D8A9 2D2D4FB0 74C40850 914A0BDD 2B7C2C6E
23F9BEB8 52A23129 4265A869 C2FA2BA5 039F4933
quit
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
!
!
license feature hseck9
license udi pid C8300-1N1S-6T sn FDO2320A0CF
diagnostic bootup level minimal

!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii FDO2320A0CF
ip address dhcp
7
negotiation auto
!
no ip address
negotiation auto
!
no ip address
negotiation auto
!
no ip address
negotiation auto
!
no ip address
negotiation auto
!
no ip address
negotiation auto
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
dspfarm profile 7 conference security
shutdown
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as [email protected]
! the email address configured in Cisco Smart License Portal will be used as contact email
address to send SCH notifications.
contact-email-addr [email protected]
profile "CiscoTAC-1"
active
destination transport-method http
8
Configuring Global Parameters
!
!
end
Configuring Global Parameters

To configure the global parameters for your device, follow these steps.
SUMMARY STEPS
1. configure terminal
2. hostname name
3. enable secret password
4. no ip domain-lookup
DETAILED STEPS
Command or Action Purpose

Step 1 configure terminal Enters global configuration mode when using the console
port.
Example:
Use the following to connect to the device with a remote
Router> enable terminal:
Router# configure terminal
Router(config)# telnet router-name or address
Login: login-id
Password: *********
Router> enable
Step 2 hostname name Specifies the name for the device.

Example:
Router(config)# hostname Router
Step 3 enable secret password Specifies an encrypted password to prevent unauthorized

access to the device.
Example:
Router(config)# enable secret cr1ny5ho
Step 4 no ip domain-lookup Disables the device from translating unfamiliar words

(typos) into IP addresses.
Example:
For complete information on global parameter commands,
Router(config)# no ip domain-lookup see the Cisco IOS Release Configuration Guide
documentation set.
9
Configuring Gigabit Ethernet Interfaces

To manually define onboard Gigabit Ethernet interfaces, follow these steps, beginning from global configuration
mode.
SUMMARY STEPS
1. interface gigabitethernet slot/bay/port
2. ip address ip-address mask
3. ipv6 address ipv6-address/prefix
4. no shutdown
5. exit
DETAILED STEPS

Step 1 interface gigabitethernet slot/bay/port Enters the configuration mode for a Gigabit Ethernet
interface on the device.
Example:
Router(config)# interface gigabitethernet 0/0/1
Step 2 ip address ip-address mask Sets the IP address and subnet mask for the specified
Gigabit Ethernet interface. Use this Step if you are
Example:
configuring an IPv4 address.
Router(config-if)# ip address 192.0.2.2
255.255.255.0
Step 3 ipv6 address ipv6-address/prefix Sets the IPv6 address and prefix for the specified Gigabit
Ethernet interface. Use this step instead of Step 2, if you
Example:
are configuring an IPv6 address.
Router(config-if)# ipv6 address
2001.db8::ffff:1/128
Step 4 no shutdown Enables the Gigabit Ethernet interface and changes its state
from administratively down to administratively up.
Example:
Router(config-if)# no shutdown
Step 5 exit Exits configuration mode for the Gigabit Ethernet interface
and returns to privileged EXEC mode.
Example:
Router(config-if)# exit
10
Configuring a Loopback Interface
Configuring a Loopback Interface

Before you begin
The loopback interface acts as a placeholder for the static IP address and provides default routing information.
To configure a loopback interface, follow these steps.
SUMMARY STEPS
1. interface type number
2. (Option 1) ip address ip-address mask
3. (Option 2) ipv6 address ipv6-address/prefix
4. exit
DETAILED STEPS

Step 1 interface type number Enters configuration mode on the loopback interface.
Example:
Router(config)# interface Loopback 0
Step 2 (Option 1) ip address ip-address mask Sets the IP address and subnet mask on the loopback
interface. (If you are configuring an IPv6 address, use the
Example:
ipv6 address ipv6-address/prefix command described
below.
255.255.255.0
Step 3 (Option 2) ipv6 address ipv6-address/prefix Sets the IPv6 address and prefix on the loopback interface.
Example:
Router(config-if)# 2001:db8::ffff:1/128
Step 4 exit Exits configuration mode for the loopback interface and
returns to global configuration mode.
Example:
Router(config-if)# exit
Example
Verifying Loopback Interface Configuration

This configuration example shows the loopback interface configured on the Gigabit Ethernet interface
with an IP address of 203.0.113.1/32, which acts as a static IP address. The loopback interface points
back to virtual-template1, which has a negotiated IP address.
11
Configuring Module Interfaces
!
interface loopback 0
ip address 203.0.113.1 255.255.255.255 (static IP address)
ip nat outside
!
interface Virtual-Template1
ip unnumbered loopback0
no ip directed-broadcast
ip nat outside
Enter the show interface loopback command. You should see an output similar to the following
example:
Router# show interface loopback 0

Loopback0 is up, line protocol is up
Hardware is Loopback
Internet address is 203.0.113.1/32
MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation LOOPBACK, loopback not set
Keepalive set (10 sec)
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Alternatively, use the ping command to verify the loopback interface, as shown in the following
example:
Router# ping 203.0.113.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.0.113.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Configuring Module Interfaces

For detailed information about configuring service modules, see "Service Modules" in the "Service Module
Management" section of the Cisco Service Module Configuration Guide.
Dynamic Allocation of Cores

Dynamic core allocations on the Catalyst 8000 Series Edge platforms provide flexibility for users to leverage
the CPU cores for different services and/or CEF/IPSec performances. The Catalyst 8000 Series Edge platforms
are equipped with a minimum of 8 CPU cores and have the flexibility to allocate cores into the service plane
12
Dynamic Allocation of Cores
from the data plane. The core allocation is based on the customer configuration of the different services
available on these platforms.
From Cisco IOS XE Release 17.4 onwards, you can use the platform resource { service-plane-heavy |
data-plane-heavy } command to adjust the cores across service plane and data plane. However, you have to
reboot the device for the configured profile to take effect.
Router(config)# platform resource { service-plane-heavy | data-plane-heavy }
From Cisco IOS XE Release 17.5.1 onwards, Catalyst 8000 Series Edge Platforms supports changing the core
allocation dynamically. You do not have to reboot the devices to have the new allocation to take effect.
Following are the list of Catalyst 8000 Series Edge platforms that support changing the core allocations
dynamically:
• C8300-2N1S-6T
• C8300-2N1S-4T2X
• C8300-2N2S-6T
• C8300-2N2S-4T2X
• C8200-1N-4T
Note By default, when a device boots up, the mode is service-plane-heavy.
The following show command output shows the CPU cores allocaiton for the data plane :
Router# show platform software cpu alloc
CPU alloc information:

Control plane cpu alloc: 0
Data plane cpu alloc: 1-7
Service plane cpu alloc: 0
Template used: CLI-data_plane_heavy
Note In the above example, the maximum data plane core allocation is 7.
The following show command output shows the CPU cores allocaiton for the service plane:
Router# show platform software cpu alloc
CPU alloc information:

Control plane cpu alloc: 0
Data plane cpu alloc: 4-7
Service plane cpu alloc: 1-3
Template used: CLI-service_plane_heavy
The following show command output shows the PPE status:

Router# show platform hardware qfp active datapath infrastructure sw-cio
Credits Usage:
ID Port Wght Global WRKR0 WRKR1 Total

1 rcl0 1: 474 0 38 512
13
Enabling Cisco Discovery Protocol
1 rcl0 128: 480 0 32 512

2 ipc 1: 508 0 3 511
3 vxe_punti 1: 474 0 38 512
4 fpe0 1: 976 0 48 1024
5 fpe1 1: 976 0 48 1024
6 fpe2 1: 976 0 48 1024
7 fpe3 1: 976 0 48 1024
Core Utilization over preceding 5475356.7738 seconds

----------------------------------------------------
ID: 0 1
% PP: 0.63 0.00
% RX: 0.00 1.54
% TM: 0.00 1.63
% COFF: 0.00 0.69
% IDLE: 99.37 96.15
Enabling Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) is enabled by default on the router.
For more information on using CDP, see Cisco Discovery Protocol Configuration Guide.
Configuring Command-Line Access

To configure parameters to control access to the device, follow these steps.
SUMMARY STEPS
1. line [| console | tty | vty] line-number
2. password password
3. login
4. exec-timeout minutes [seconds]
5. exit
6. line [| console | tty | vty] line-number
7. password password
8. login
9. end
DETAILED STEPS

Step 1 line [| console | tty | vty] line-number Enters line configuration mode, and specifies the type of
line.
Example:
The example provided here specifies a console terminal for
Router(config)# line console 0 access.
Step 2 password password Specifies a unique password for the console terminal line.
Example:
14
Configuring Command-Line Access
Router(config-line)# password 5dr4Hepw3
Step 3 login Enables password checking at terminal session login.

Example:
Router(config-line)# login
Step 4 exec-timeout minutes [seconds] Sets the interval during which the EXEC command
interpreter waits until user input is detected. The default is
Example:
10 minutes. Optionally, adds seconds to the interval value.
Router(config-line)# exec-timeout 5 30 The example provided here shows a timeout of 5 minutes
Router(config-line)# and 30 seconds. Entering a timeout of 0 0 specifies never
to time out.
Step 5 exit Exits line configuration mode to re-enter global

configuration mode.
Example:
Router(config-line)# exit
Step 6 line [| console | tty | vty] line-number Specifies a virtual terminal for remote console access.
Example:
Router(config)# line vty 0 4

Router(config-line)#
Step 7 password password Specifies a unique password for the virtual terminal line.
Example:
Router(config-line)# password aldf2ad1
Step 8 login Enables password checking at the virtual terminal session

login.
Example:
Router(config-line)# login
Step 9 end Exits line configuration mode, and returns to privileged

EXEC mode.
Example:
Router(config-line)# end
Example
The following configuration shows the command-line access commands.
You do not have to input the commands marked default. These commands appear automatically in
the configuration file that is generated when you use the show running-config command.
15
Configuring Static Routes
!
line console 0
exec-timeout 10 0
password 4youreyesonly
login
transport input none (default)
stopbits 1 (default)
line vty 0 4
password secret
login
!

Static routes provide fixed routing paths through the network. They are manually configured on the device.
If the network topology changes, the static route must be updated with a new route. Static routes are private
routes unless they are redistributed by a routing protocol.
To configure static routes, follow these steps.
SUMMARY STEPS
1. (Option 1) ip route prefix mask {ip-address | interface-type interface-number [ip-address]}
2. (Option 2) ipv6 route prefix/mask {ipv6-address | interface-type interface-number [ipv6-address]}
3. end
DETAILED STEPS

Step 1 (Option 1) ip route prefix mask {ip-address | Specifies a static route for the IP packets. (If you are
interface-type interface-number [ip-address]} configuring an IPv6 address, use the ipv6 route command
described below.)
Example:
Router(config)# ip route 192.0.2.8 255.255.0.0

10.10.10.2
Step 2 (Option 2) ipv6 route prefix/mask {ipv6-address | Specifies a static route for the IP packets.
interface-type interface-number [ipv6-address]}
Example:
Router(config)# ipv6 route 2001:db8:2::/64

2001:DB8:3000:1
16

Step 3 end Exits global configuration mode and enters privileged EXEC
mode.
Example:
Router(config)# end
Verifying Configuration
In the following configuration example, the static route sends out all IP packets with a destination
IP address of 192.0.2.8 and a subnet mask of 255.255.255.0 on the Gigabit Ethernet interface to
another device with an IP address of 10.10.10.2. Specifically, the packets are sent to the configured
interface.
You do not have to enter the command marked default. This command appears automatically in the
configuration file generated when you use the running-config command.
!
ip classless (default)
ip route 192.0.2.8 255.255.255.0 10.10.10.2
To verify that you have configured static routing correctly, enter the show ip route command (or
show ipv6 route command) and look for static routes marked with the letter S.
When you use an IPv4 address, you should see verification output similar to the following:
Router# show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 10.0.10.1 to network 192.0.2.6
S* 192.0.2.6/0 [254/0] via 10.0.10.1

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.10.0/24 is directly connected, GigabitEthernet0/0/0
L 10.0.10.13/32 is directly connected, GigabitEthernet0/0/0
C 10.108.1.0/24 is directly connected, Loopback0
L 10.108.1.1/32 is directly connected, Loopback0
When you use an IPv6 address, you should see verification output similar to the following:
Router# show ipv6 route

IPv6 Routing Table - default - 5 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, H - NHRP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE -
Destination
17
Configuring Dynamic Routes
NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1

OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
ls - LISP site, ld - LISP dyn-EID, a - Application
C 2001:DB8:3::/64 [0/0]
via GigabitEthernet0/0/2, directly connected
S 2001:DB8:2::/64 [1/0]
via 2001:DB8:3::1
Configuring Dynamic Routes

In dynamic routing, the network protocol adjusts the path automatically, based on network traffic or topology.
Changes in dynamic routes are shared with other devices in the network.
A device can use IP routing protocols, such as Routing Information Protocol (RIP) or Enhanced Interior
Gateway Routing Protocol (EIGRP), to learn about routes dynamically.
• Configuring Routing Information Protocol, on page 18
• Configuring Enhanced Interior Gateway Routing Protocol, on page 22
Configuring Routing Information Protocol

To configure the RIP on a router, follow these steps.
SUMMARY STEPS
1. router rip
2. version {1 | 2}
3. network ip-address
4. no auto-summary
5. end
DETAILED STEPS

Step 1 router rip Enters router configuration mode, and enables RIP on the
router.
Example:
Router(config)# router rip
Step 2 version {1 | 2} Specifies use of RIP version 1 or 2.

Example:
Router(config-router)# version 2
18

Step 3 network ip-address Specifies a list of networks on which RIP is to be applied,
using the address of the network of each directly connected
Example:
network.
Router(config-router)# network 192.0.2.8
Router(config-router)# network 10.10.7.1
Step 4 no auto-summary Disables automatic summarization of subnet routes into

network-level routes. This allows subprefix routing
Example:
information to pass across classful network boundaries.
Router(config-router)# no auto-summary
Step 5 end Exits router configuration mode, and enters privileged

EXEC mode.
Example:
Router(config-router)# end
Example
Verifying Configuration
To see this configuration, use the show running-config command from privileged EXEC mode.
!

!
! Last configuration change at 05:04:58 UTC Mon Jul 6 2020
!
version 17.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 1G
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
login on-success log
!
subscriber templating
!
19
!
multilink bundle-name authenticated
no device-tracking logging theft
!
crypto pki trustpoint TP-self-signed-2347094934
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2347094934
revocation-check none
rsakeypair TP-self-signed-2347094934
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain SLA-TrustPoint

certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
!
!
license feature hseck9
license udi pid C8300-1N1S-6T sn FDO2320A0CF

!
spanning-tree extend system-id
!
!
redundancy
mode none
!
ip dhcp client client-id ascii FDO2320A0CF
20
ip address dhcp
negotiation auto
!
no ip address
negotiation auto
!
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
shutdown
!
line con 0
exec-timeout 0 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as [email protected]
! the email address configured in Cisco Smart License Portal will be used as contact email
address to send SCH notifications.
contact-email-addr [email protected]
profile "CiscoTAC-1"
active
destination transport-method http
!
!
end
To verify that you have configured RIP correctly, enter the show ip route command and look for
RIP routes marked with the letter R. You should see an output similar to the one shown in the
following example:
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
21
Configuring Enhanced Interior Gateway Routing Protocol
E1 - OSPF external type 1, E2 - OSPF external type 2

o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets

C 10.108.1.0 is directly connected, Loopback0
R 192.0.2.3/8 [120/1] via 192.0.2.2, 00:00:02, Ethernet0/0/0

To configure Enhanced Interior Gateway Routing Protocol (EIGRP), follow these steps.
SUMMARY STEPS
1. router eigrp as-number
2. network ip-address
3. end
DETAILED STEPS

Step 1 router eigrp as-number Enters router configuration mode, and enables EIGRP on
the router. The autonomous-system number identifies the
Example:
route to other EIGRP routers and is used to tag the EIGRP
information.
Router(config)# router eigrp 109
Step 2 network ip-address Specifies a list of networks on which EIGRP is to be

applied, using the IP address of the network of directly
Example:
connected networks.
Router(config)# network 192.0.2.8
Router(config)# network 10.10.12.15
Step 3 end Exits router configuration mode, and enters privileged

EXEC mode.
Example:
Router(config-router)# end
Verifying the Configuration

The following configuration example shows the EIGRP routing protocol enabled in IP networks
192.0.2.8 and 10.10.12.15. The EIGRP autonomous system number is 109. To see this configuration,
use the show running-config command.
.
.
.
!
22
router eigrp 109

network 192.0.2.8
network 10.10.12.15
!
.
.
.
To verify that you have configured IP EIGRP correctly, enter the show ip route command, and look
for EIGRP routes marked by the letter D. You should see verification output similar to the following:
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
o - ODR, P - periodic downloaded static route

C 10.108.1.0 is directly connected, Loopback0
D 192.0.2.3/8 [90/409600] via 192.0.2.2, 00:00:02, Ethernet0/0
23
24
CHAPTER 3
Using Cisco IOS XE Software
This chapter describes the basics of using the Cisco IOS XE software in autonomous mode and includes the
following section:
• Using Cisco IOS XE Software, on page 25

Before you begin
Use the console (CON) port to access the command-line interface (CLI) directly or when using Telnet.
The following sections describe the main methods of accessing the device:
Procedure

Step 1 Accessing the CLI Using a Directly-Connected Console,
on page 25
Step 2 Using SSH to Access Console, on page 26
Step 3 Accessing the CLI from a Remote Console Using Telnet,
on page 27
Step 4 Accessing the CLI from a USB Serial Console Port, on page
29
Accessing the CLI Using a Directly-Connected Console

The CON port is an EIA/TIA-232 asynchronous, serial connection with no-flow control and an RJ-45 connector.
The CON port is located on the front panel of the chassis.
The following sections describe the procedure to access the control interface:
• Connecting to the Console Port, on page 26
• Using the Console Interface, on page 26
25
Connecting to the Console Port
Connecting to the Console Port
Step 1 Configure your terminal emulation software with the following settings:
• 9600 bits per second (bps)
• 8 data bits
• No parity
• No flow control
Step 2 Connect to the CON port using the RJ-45-to-RJ-45 cable and the RJ-45-to-DB-25 DTE adapter or the RJ-45-to-DB-9
DTE adapter (labeled Terminal).
Using the Console Interface
Step 1 Enter the following command:

Router> enable
Step 2 (Go to Step 3 if the enable password has not been configured.) At the password prompt, enter your system password:
Password: enablepass
When your password is accepted, the privileged EXEC mode prompt is displayed.
Router#
You now have access to the CLI in privileged EXEC mode and you can enter the necessary commands to complete your
desired tasks.
Step 3 If you enter the setup command, see “Using Cisco Setup Command Facility” in the “Initial Configuration” section of
the Hardware Installation Guide for Cisco Catalyst 8300 Series Edge Platform.
Step 4 To exit the console session, enter the quit command:
Router# quit
Using SSH to Access Console

Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. To
enable SSH support on the device:
Step 1 Configure the hostname:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Here, host name is the device hostname or IP address.
Step 2 Configure the DNS domain of the device:
26
Accessing the CLI from a Remote Console Using Telnet
Router(config)# ip domain name cisco.com
Step 3 Generate an SSH key to be used with SSH:

Router(config)# crypto key generate rsa
The name for the keys will be: Router.xxx.cisco.com Choose the size of the key modulus in the range
of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few
minutes.
How many bits in the modulus [512]: 1024 % Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
Router(config)#
Step 4 By default, the vtys? transport is Telnet. In this case, Telnet is disabled and only SSH is supported:
Router(config)#line vty 0 4
xxx_lab(config-line)#transport input ssh
Step 5 Create a username for SSH authentication and enable login authentication:
Router(config)# username jsmith privilege 15 secret 0 p@ss3456
Router(config)#line vty 0 4
Router(config-line)# login local
Step 6 Verify remote connection to the device using SSH.
Accessing the CLI from a Remote Console Using Telnet

The following topics describe the procedure to access the CLI from a remote console using Telnet:
• Preparing to Connect to the Device Console Using Telnet, on page 27
• Using Telnet to Access a Console Interface, on page 28
Preparing to Connect to the Device Console Using Telnet

To access the device remotely using Telnet from a TCP/IP network, configure the device to support virtual
terminal lines using the line vty global configuration command. Configure the virtual terminal lines to require
users to log in and specify a password.
See the Cisco IOS Terminal Services Command Reference document for more information about the line vty
global configuration command.
To add a line password to the vty, specify a password with the password command when you configure the
login command.
If you are using authentication, authorization, and accounting (AAA), configure the login authentication
command. To prevent disabling login on a line for AAA authentication when you configure a list with the
login authentication command, you must also configure that list using the aaa authentication login global
configuration command.
For more information about AAA services, see the Cisco IOS XE Security Configuration Guide: Secure
Connectivity and the Cisco IOS Security Command Reference documents. For more information about the
login line-configuration command, see the Cisco IOS Terminal Services Command Reference document.
27
Using Telnet to Access a Console Interface
In addition, before you make a Telnet connection to the device, you must have a valid hostname for the device
or have an IP address configured on the device. For more information about the requirements for connecting
to the device using Telnet, information about customizing your Telnet services, and using Telnet key sequences,
see the Cisco IOS Configuration Fundamentals Configuration Guide.
Using Telnet to Access a Console Interface
Step 1 From your terminal or PC, enter one of the following commands:
• connect host [port] [keyword]
• telnet host [port] [keyword]
Here, host is the device hostname or IP address, port is a decimal port number (23 is the default), and keyword is a
supported keyword. For more information about these commands, see the Cisco IOS Terminal Services Command
Reference document.
Note If you are using an access server, specify a valid port number, such as telnet 198.51.100.2 2004, in addition to
the hostname or IP address.
The following example shows how to use the telnet command to connect to a device named router:
unix_host% telnet router
Trying 198.51.100.2...
Connected to 198.51.100.2.
Escape character is '^]'.
unix_host% connect
Step 2 Enter your login password:

User Access Verification
Password: mypassword
Note If no password has been configured, press Return.
Step 3 From user EXEC mode, enter the enable command:

Router> enable
Step 4 At the password prompt, enter your system password:

Password: enablepass
Step 5 When the enable password is accepted, the privileged EXEC mode prompt is displayed:
Router#
Step 6 You now have access to the CLI in privileged EXEC mode and you can enter the necessary commands to complete your
desired tasks.
Step 7 To exit the Telnet session, use the exit or logout command.
Router# logout
28
Accessing the CLI from a USB Serial Console Port
Accessing the CLI from a USB Serial Console Port

The router provides an additional mechanism for configuring the system: a type B miniport USB serial console
that supports remote administration of the router using a type B USB-compliant cable. See the “Connecting
to a Console Terminal or Modem” section in the following documents:
• Hardware Installation Guide for Cisco Catalyst 8300 Series Edge Platform
• Hardware Installation Guide for Cisco Catalyst 8200 Series Edge Platforms
Using Keyboard Shortcuts

Commands are not case sensitive. You can abbreviate commands and parameters if the abbreviations contain
enough letters to be different from any other currently available commands or parameters.
The following table lists the keyboard shortcuts for entering and editing commands.
Table 2: Keyboard Shortcuts
Key Name Purpose
Ctrl-B or the Left Arrow key1 Move the cursor back one character.
Ctrl-F or the Right Arrow key1 Move the cursor forward one character.
Ctrl-A Move the cursor to the beginning of the command

line.
Ctrl-E Move the cursor to the end of the command line.
Esc B Move the cursor back one word.
Esc F Move the cursor forward one word.
Using the History Buffer to Recall Commands

The history buffer stores the last 20 commands you entered. History substitution allows you to access these
commands without retyping them, by using special abbreviated commands.
The following table lists the history substitution commands.
Table 3: History Substitution Commands
Command Purpose
Ctrl-P or the Up Arrow key1 Recalls commands in the history buffer, beginning
with the most recent command. Repeat the key
sequence to recall successively older commands.
Ctrl-N or the Down Arrow key1 Returns to more recent commands in the history buffer
after recalling commands with Ctrl-P or the Up
Arrow key.
29
Understanding Command Modes
Command Purpose
Router# show history While in EXEC mode, lists the last few commands
you entered.
1
The arrow keys function only on ANSI-compatible terminals such as VT100s.
Understanding Command Modes

The command modes available in Cisco IOS XE are the same as those available in traditional Cisco IOS. This
is supported only on the autonomous mode. Use the CLI to access Cisco IOS XE software. Because the CLI
is divided into many different modes, the commands available to you at any given time depend on the mode
that you are currently in. Entering a question mark (?) at the CLI prompt allows you to obtain a list of commands
available for each command mode.
When you log in to the CLI, you are in user EXEC mode. User EXEC mode contains only a limited subset
of commands. To have access to all commands, you must enter privileged EXEC mode, normally by using a
password. From privileged EXEC mode, you can issue any EXEC command—user or privileged mode—or
you can enter global configuration mode. Most EXEC commands are one-time commands. For example, show
commands show important status information, and clear commands clear counters or interfaces. The EXEC
commands are not saved when the software reboots.
Configuration modes allow you to make changes to the running configuration. If you later save the running
configuration to the startup configuration, these changed commands are stored when the software is rebooted.
To enter specific configuration modes, you must start at global configuration mode. From global configuration
mode, you can enter interface configuration mode and a variety of other modes, such as protocol-specific
modes.
ROM monitor mode is a separate mode used when the Cisco IOS XE software cannot load properly. If a valid
software image is not found when the software boots or if the configuration file is corrupted at startup, the
software might enter ROM monitor mode.
The following table describes how to access and exit various common command modes of the Cisco IOS XE
software. It also shows examples of the prompts displayed for each mode.
Table 4: Accessing and Exiting Command Modes
Command Mode Access Method Prompt Exit Method
User EXEC Log in. Router> Use the logout command.
Privileged EXEC From user EXEC mode, Router# To return to user EXEC
use the enable command. mode, use the disable
command.
Global configuration From privileged EXEC Router(config)# To return to privileged

mode, use the configure EXEC mode from global
terminal command. configuration mode, use
the exit or end command.
30
Understanding Diagnostic Mode
Command Mode Access Method Prompt Exit Method
Interface configuration From global configuration Router(config-if)# To return to global

mode, specify an interface configuration mode, use
using an interface the exit command.
command.
To return to privileged
EXEC mode, use the end
command.
Diagnostic The device boots up or Router(diag)# If failure of the Cisco IOS

accesses diagnostic mode process is the reason for
in the following scenarios: entering diagnostic mode,
the Cisco IOS problem
• In some cases,
must be resolved and the
diagnostic mode will
device rebooted to get out
be reached when the
of diagnostic mode.
Cisco IOS process or
processes fail. In If the device is in
most scenarios, diagnostic mode because
however, the device of a transport-map
will reload. configuration, access the
device through another
• A user-configured port or by using a method
access policy is that is configured to
configured using the connect to the Cisco IOS
transport-map CLI.
command that directs
a user into diagnostic
mode.
• A break signal
(Ctrl-C,
Ctrl-Shift-6, or the
send break
command) is entered
and the device is
configured to go to
diagnostic mode
when the break
signal is received.
ROM monitor From privileged EXEC rommon#> To exit ROM monitor

mode, use the reload mode, manually boot a
EXEC command. Press valid image or perform a
the Break key during the reset with autoboot set so
first 60 seconds while the that a valid image is
system is booting. loaded.
Understanding Diagnostic Mode

The device boots up or accesses diagnostic mode in the following scenarios:
31
Getting Help
• The IOS process or processes fail, in some scenarios. In other scenarios, the system resets when the IOS
process or processes fail.
• A user-configured access policy was configured using the transport-map command that directs the user
into the diagnostic mode.
• A send break signal (Ctrl-C or Ctrl-Shift-6) was entered while accessing the device, and the device was
configured to enter diagnostic mode when a break signal was sent.
In the diagnostic mode, a subset of the commands that are available in user EXEC mode are made available
to the users. Among other things, these commands can be used to:
• Inspect various states on the device, including the IOS state.
• Replace or roll back the configuration.
• Provide methods of restarting the IOS or other processes.
• Reboot hardware, such as the entire device, a module, or possibly other hardware components.
• Transfer files into or off of the device using remote access methods such as FTP, TFTP, and SCP.
The diagnostic mode provides a more comprehensive user interface for troubleshooting than previous devices,
which relied on limited access methods during failures, such as ROMMON, to diagnose and troubleshoot
Cisco IOS problems. The diagnostic mode commands can work when the Cisco IOS process is not working
properly. These commands are also available in privileged EXEC mode on the device when the device is
working normally.
Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help that is specific to a command mode, a command, a keyword, or an argument, use one of the
following commands.
Command Purpose
help Provides a brief description of the help system in any

command mode.
abbreviated-command-entry? Provides a list of commands that begin with a

particular character string.
Note There is no space between the command
and the question mark.
abbreviated-command-entry<Tab> Completes a partial command name.
? Lists all the commands that are available for a

particular command mode.
32
Finding Command Options: Example
Command Purpose
command ? Lists the keywords or arguments that you must enter

next on the command line.
Note There is a space between the command and
the question mark.

This section provides information about how to display the syntax for a command. The syntax can consist of
optional or required keywords and arguments. To display keywords and arguments for a command, enter a
question mark (?) at the configuration prompt or after entering a part of a command followed by a space. The
Cisco IOS XE software displays a list and brief descriptions of the available keywords and arguments. For
example, if you are in global configuration mode and want to see all the keywords and arguments for the arap
command, you should type arap ?.
The <cr> symbol in command help output stands for carriage return. On older keyboards, the carriage return
key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The <cr> symbol
at the end of command help output indicates that you have the option to press Enter to complete the command
and that the arguments and keywords in the list preceding the <cr> symbol are optional. The <cr> symbol by
itself indicates that no more arguments or keywords are available, and that you must press Enter to complete
the command.
The following table shows examples of using the question mark (?) to assist you in entering commands.
Table 5: Finding Command Options
Command Comment
Router> enable Enter the enable command and password to access
Password: <password>
privileged EXEC commands. You are in privileged
Router#
EXEC mode when the prompt changes to a “ # ”
from the “ > ”, for example, Router> to Router#
Router# configure terminal Enter the configure terminal privileged EXEC
Enter configuration commands, one per line.
command to enter global configuration mode. You
End with CNTL/Z.
Router(config)# are in global configuration mode when the prompt
changes to Router (config)#
Router(config)# interface GigabitEthernet ? Enter interface configuration mode by specifying
<0-1> GigabitEthernet interface number the interface that you want to configure, using the
Router(config)# interface GigabitEthernet 0/? interface GigabitEthernet global configuration
<0-5> Port Adapter number command.
Router (config)# interface GigabitEthernet 0/0/? Enter ? to display what you must enter next on the
command line.
<0-63> GigabitEthernet interface number
When the <cr> symbol is displayed, you can press
Router (config)# interface GigabitEthernet0/0/1? Enter to complete the command.
. <0-5>
Router(config-if)# You are in interface configuration mode when the
prompt changes to Router(config-if)#
33
Command Comment
Router(config-if)# ? Enter ? to display a list of all the interface
Interface configuration commands:
configuration commands available for the interface.
.
. This example shows only some of the available
. interface configuration commands.
ip Interface Internet Protocol
config commands
keepalive Enable keepalive
lan-name LAN Name command
llc2 LLC2 Interface Subcommands
logging Configure logging for interface
mls mls router sub/interface commands
mpoa MPOA interface configuration
commands
mtu Set the interface MTU
no Negate a command or set its
defaults
ntp Configure NTP
.
.
.
Router(config-if)#
Router(config-if)# ip ? Enter the command that you want to configure for

Interface IP configuration subcommands: the interface. This example uses the ip command.
access-group Specify access control for
packets Enter ? to display what you must enter next on the
accounting Enable IP accounting on this
interface
command line. This example shows only some of
address Set the IP address of an the available interface IP configuration commands.
interface
authentication authentication subcommands
cgmp Enable/disable CGMP
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello
interval
hold-time Configures IP-EIGRP hold time
.
.
.
Router(config-if)# ip
Router(config-if)# ip address ? Enter the command that you want to configure for
A.B.C.D IP address the interface. This example uses the ip address
negotiated IP Address negotiated over
PPP command.
Router(config-if)# ip address
Enter ? to display what you must enter next on the
command line. In this example, you must enter an
IP address or the negotiated keyword.
A carriage return (<cr>) is not displayed. Therefore,
you must enter additional keywords or arguments
to complete the command.
34
Using the no and default Forms of Commands
Command Comment
Router(config-if)# ip address 198.51.100.5 ? Enter the keyword or argument that you want to
A.B.C.D IP subnet mask use. This example uses the 198.51.100.5 IP address.
Enter ? to display what you must enter next on the
command line. In this example, you must enter an
IP subnet mask.
<cr> is not displayed. Therefore, you must enter
additional keywords or arguments to complete the
command.
Router(config-if)# ip address 198.51.100.5 Enter the IP subnet mask. This example uses the
255.255.255.0 ? 255.255.255.0 IP subnet mask.
secondary Make this IP address a
secondary address Enter ? to display what you must enter next on the
<cr>
command line. In this example, you can enter the
255.255.255.0 secondary keyword, or you can press Enter.
<cr> is displayed. Press Enter to complete the
command, or enter another keyword.
Router(config-if)# ip address 198.51.100.5 Press Enter to complete the command.
255.255.255.0
Router(config-if)#
Using the no and default Forms of Commands

Almost every configuration command has a no form. In general, use the no form to disable a function. Use
the command without the no keyword to re-enable a disabled function or to enable a function that is disabled
by default. For example, IP routing is enabled by default. To disable IP routing, use the no ip routing command;
to re-enable IP routing, use the ip routing command. The Cisco IOS software command reference publications
provide the complete syntax for the configuration commands and describe what the no form of a command
does.
Many CLI commands also have a default form. By issuing the <command> default command-name, you
can configure the command to its default setting. The Cisco IOS software command reference publications
describe the function from a default form of the command when the default form performs a different function
than the plain and no forms of the command. To see what default commands are available on your system,
enter default ? in the appropriate command mode.
Saving Configuration Changes

Use the copy running-config startup-config command to save your configuration changes to the startup
configuration so that the changes will not be lost if the software reloads or a power outage occurs. For example:
Router# copy running-config startup-config
It may take a few minutes to save the configuration. After the configuration has been saved, the following
output is displayed:
[OK]
Router#
35
Managing Configuration Files
This task saves the configuration to the NVRAM.
Managing Configuration Files

The startup configuration file is stored in the nvram: file system and the running configuration files are stored
in the system: file system. This configuration file storage setup is also used on several other Cisco router
platforms.
As a matter of routine maintenance on any Cisco router, users should back up the startup configuration file
by copying the startup configuration file from NVRAM to one of the router’s other file systems and,
additionally, to a network server. Backing up the startup configuration file provides an easy method of
recovering the startup configuration file if the startup configuration file in NVRAM becomes unusable for
any reason.
The copy command can be used to back up startup configuration files.
For more detailed information on managing configuration files, see the “Managing Configuration Files”
section in the Cisco IOS XE Configuration Fundamentals Configuration Guide.
Filtering Output from the show and more Commands

You can search and filter the output of show and more commands. This functionality is useful if you need to
sort through large amounts of output or if you want to exclude output that you need not see.
To use this functionality, enter a show or more command followed by the “pipe” character ( | ); one of the
keywords begin, include, or exclude; and a regular expression on which you want to search or filter (the
expression is case sensitive):
show command | {append | begin | exclude | include | redirect | section | tee} regular-expression
The output matches certain lines of information in the configuration file.
Example
In this example, a modifier of the show interface command (include protocol) is used to provide only the
output lines in which the expression protocol is displayed:
Router# show interface | include protocol
GigabitEthernet0/0/0 is administratively down, line protocol is down
0 unknown protocol drops
GigabitEthernet0 is up, line protocol is up
Loopback0 is up, line protocol is up
Powering Off a Device

The device can be safely turned off at any time by moving the device’s power supply switch to the Off position.
However, any changes to the running config since the last WRITE of the config to the NVRAM is lost.
36
Finding Support Information for Platforms and Cisco Software Images
Ensure that any configuration needed after startup is saved before powering off the device. The copy
running-config startup-config command saves the configuration in NVRAM and after the device is powered
up, the device initializes with the saved configuration.
Finding Support Information for Platforms and Cisco Software Images

The Cisco IOS XE software is packaged in feature sets consisting of software images that support specific
platforms. The group of feature sets that are available for a specific platform depends on which Cisco software
images are included in a release. To identify the set of software images available in a specific release or to
find out if a feature is available in a given Cisco IOS XE software image, you can use Cisco Feature Navigator
or see the Release Notes for Cisco IOS XE.
Using Cisco Feature Navigator

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco
Feature Navigator is a tool that enables you to determine which Cisco IOS XE software images support a
specific software release, feature set, or platform. To use the navigator tool, an account on Cisco.com is not
required.
Using Software Advisor

Cisco maintains the Software Advisor tool. See Tools and Resources. Use the Software Advisor tool to see
if a feature is supported in a Cisco IOS XE release, to locate the software document for that feature, or to
check the minimum software requirements of Cisco IOS XE software with the hardware installed on your
device. You must be a registered user on Cisco.com to access this tool.
Using Software Release Notes

See the Release Notes document for Cisco Catalyst 8000 Series Edge Platforms for information about the
following:
• Memory recommendations
• Open and resolved severity 1 and 2 caveats
Release notes are intended to be release-specific for the most current release, and the information provided
in these documents may not be cumulative in providing information about features that first appeared in
previous releases. For cumulative feature information, refer to the Cisco Feature Navigator at:
http://www.cisco.com/go/cfn/.
CLI Session Management

An inactivity timeout is configurable and can be enforced. Session locking provides protection from two users
overwriting changes that the other has made. To prevent an internal process from using all the available
capacity, some spare capacity is reserved for CLI session access. For example, this allows a user to remotely
access a router.
• Changing the CLI Session Timeout, on page 38
• Locking a CLI Session, on page 38
37
Information About CLI Session Management
Information About CLI Session Management

An inactivity timeout is configurable and can be enforced. Session locking provides protection from two users
overwriting changes that each other has made. To prevent an internal process from using all the available
capacity, some spare capacity is reserved for CLI session access. For example, this allows a user to remotely
access the router.
Changing the CLI Session Timeout
Step 1 configure terminal
Enters global configuration mode
Step 2 line console 0

Step 3 session-timeout minutes
The value of minutes sets the amount of time that the CLI waits before timing out. Setting the CLI session timeout
increases the security of a CLI session. Specify a value of 0 for minutes to disable session timeout.
Step 4 show line console 0

Verifies the value to which the session timeout has been set, which is shown as the value for " Idle Session ".
Locking a CLI Session
Before you begin

To configure a temporary password on a CLI session, use the lock command in EXEC mode. Before you can
use the lock command, you need to configure the line using the lockable command. In this example the line
is configured as lockable, and then the lock command is used and a temporary password is assigned.
Step 1 Router# configure terminal
Enters global configuration mode.
Step 2 Enter the line upon which you want to be able to use the lock command.
Router(config)# line console 0
Step 3 Router(config)# lockable
Enables the line to be locked.
Step 4 Router(config)# exit

Step 5 Router# lock
The system prompts you for a password, which you must enter twice.
Password: <password>
Again: <password>
Locked
38
CHAPTER 4
Licenses and Licensing Models
This chapter provides information about the licenses that are available on Cisco Catalyst 8000 Edge Platforms
Family, supported throughput options, and how to configure the available licenses and throughput. It also
outlines the licensing models available on Cisco Catalyst 8000 Edge Platforms Family.
Note The information in this chapter applies predominantly to a device operating in the autonomous mode. References
to the controller mode are included in certain sections for the sake of comparison and completeness. Where
the information applies to controller mode, this has been called-out categorically.
For a more detailed overview on Cisco Licensing, go to https://cisco.com/go/licensingguide.

This chapter includes the following major sections:
• Feature Information for Available Licenses and Licensing Models, on page 39
• Available Licenses , on page 41
• Throughput , on page 45
• How to Configure Available Licenses and Throughput , on page 54
• Available Licensing Models, on page 69
Feature Information for Available Licenses and Licensing

Models
The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
39
Feature Information for Available Licenses and Licensing Models
Table 6: Feature Information for Available Licenses and Licensing Models
Feature Name Releases Feature Information
Aggregate Throughput Cisco IOS XE Cupertino On the physical platforms of Cisco Catalyst 8000
Throttling 17.8.1a Edge Platforms Family, for throughput levels greater
than 250 Mbps and Tier 2 and higher tiers, when you
configure the bidirectional throughput value on the
device, aggregate throughput throttling is effective.
This means that traffic is throttled in an aggregate
manner irrespective of the distribution of the traffic
in the upstream and downstream direction.
The bidirectional throughput is represented in the
license PID (For example, DNA-C-500M-E-3Y and
DNA-C-T2-E-3Y). The aggregate throughput is
double the bidirectional throughput.
See Throughput as a Numeric Value , on page 46 and
Throughput as a Tier, on page 50.
Tier-Based Licenses Cisco IOS XE Cupertino Support for tier-based throughput configuration was
17.7.1a introduced in addition to existing bandwidth-based
(numeric) throughput configuration.
Starting with the lowest throughput level, the available
tiers are Tier 0 (T0), Tier 1 (T1), Tier 2 (T2), and
Tier3 (T3). Each tier represents a throughput level.
If the license PID for a product is tier-based, the
license is displayed with the tier value in the CSSM
Web UI.
For a product with a tier-based license, you can
configure a tier-based throughput value, and you can
also convert to a tier-based throughput value.
Cisco Digital Network Cisco IOS XE Amsterdam Support for Cisco DNA licenses was introduced on
Architecture (DNA) 17.3.2 Cisco Catalyst 8000 Edge Platforms Family.
licenses
Cisco DNA Licenses are categorised into
network-stack licenses and a DNA-stack add-on
licenses.
High Security License Cisco IOS XE Amsterdam Support for the HSECK9 license was introduced on
(HSECK9) 17.3.2 Cisco Catalyst 8000 Edge Platforms Family.
40
Available Licenses
Cisco Unified Border Cisco IOS XE Amsterdam Support for Cisco UBE, Cisco Unified CME, Cisco
Element license (Cisco 17.3.2 Unified SRST licenses was introduced on Cisco
UBE license) Catalyst 8000 Edge Platforms Family
Cisco Unified
Communications Manager
Express license (Cisco
Unified CME license)
Cisco Unified Survivable
Remote Site Telephony
license (Cisco Unified
SRST license)
Available Licenses
This section lists all the licenses that are available on Cisco Catalyst 8000 Edge Platforms Family, usage
guidelines, and ordering considerations.
Cisco DNA License

A Cisco Digital Network Architecture (DNA) software license combines several feature-specific licenses.
Note A Cisco DNA license includes all feature licenses except the following: High Security (HSECK9), Cisco
Unified Border Element (Cisco UBE), Cisco Unified Communications Manager Express (Cisco Unified
CME), and Cisco Unified Survivable Remote Site Telephony (Cisco Unified SRST). See Ordering
Considerations for a Cisco DNA License, on page 43.
Cisco DNA licenses are categorized into network-stack licenses and DNA-stack add-on licenses.
Cisco DNA Licenses Available on Catalyst 8000V Edge Software, Catalyst 8200, and 8300 Series Edge
Platforms:
Network-stack licenses:
• Network Essentials
• Network Advantage: includes features available with Network Essentials, and more.
• Network Premier: includes features available Network Essentials, Network Advantage, and more.
DNA-stack add-on licenses:

• Cisco DNA Essentials: add-on license available only with Network Essentials.
• Cisco DNA Advantage: add-on license available only with Network Advantage. Includes features available
with DNA Essentials and more.
41
Guidelines for Using a Cisco DNA License
• Cisco DNA Premier: add-on license available only with Network Premier. Includes features available
with DNA Essentials, DNA Advantage and more.
Cisco DNA Licenses Available on Catalyst 8500 Series Edge Platforms:

Network-stack licenses:
• Network Advantage
• Network Premier: includes features available Network Advantage, and more.
DNA-stack add-on licenses:

• Cisco DNA Advantage
• Cisco DNA Premier: add-on license available only with Network Premier. Includes features available
with DNA Advantage and more.
Guidelines for Using a Cisco DNA License

• Guidelines that apply to all platforms in the Cisco Catalyst 8000 Edge Platforms Family:
• A network-stack license is a perpetual or permanent license and has no expiration date.
• A DNA-stack add-on license is a subscription or term license and is valid only until a certain date.
A 3-year and 5-year option is available for all DNA-stack add-on licenses. A 7-year subscription
option is available for certain DNA-stack add-on licenses.
• If you order a Cisco DNA license when purchasing new hardware, the license is not preconfigured
on the device. You must configure the boot level license and then the throughput, on the device.
• If you configure tier-based throughput, which is supported from Cisco IOS XE Cupertino 17.7.1a,
Tier 3 (T3) is not supported with the Network Essentials and DNA Essentials licenses.
This means, to configure T3 (throughput greater than or equal to 2.5 G), you must configure Network
Advantage/ DNA Advantage, or Network Premier/DNA Premier as the boot level license.
This also means that if you have configured T3 as the throughput, you cannot change the boot level
license to Network Essentials and DNA Essentials.
• Guidelines that apply only to Catalyst 8000V Edge Software:

On Catalyst 8000V Edge Software, when you configure a network-stack license, you must also configure
the corresponding DNA-stack add-on license.
• Guidelines that apply only to Catalyst 8200, 8300, 8500 Series Edge Platforms:
• The DNA-stack add-on license that is available with each network-stack license is optional. You
can configure a network-stack license without a DNA-stack add-on license, but you cannot configure
DNA-stack add-on license without the corresponding network-stack license.
• If you use a DNA-stack add-on license, renew the license before term expiry to continue using it,
or deactivate the DNA-stack add-on license and then reload the device to continue operating with
the network-stack license capabilities.
42
Ordering Considerations for a Cisco DNA License
Ordering Considerations for a Cisco DNA License

A Cisco DNA license subsumes all performance, boost, and technology package licenses (securityk9, uck9,
and appxk9). This means that when you order a Cisco DNA network-stack license, or a Cisco DNA-stack
add-on license, if a performance, boost, and technology package license is required or applicable, it is
automatically added to the order.
The license Product ID (PID) you purchase can only be a DNA-stack add-on license PID.
The license PID also indicates the throughput you are entitled to. The throughput may be represented by a
numeric value or a tier. For example:
• DNA-C-10M-E-3Y, is a license PID where the throughput is represented by a numeric value. The 10M
means that you are entitled to 10 Mbps bidirectional throughput.
For more information about a numeric throughput value and related concepts, see sections Throughput
, on page 45 and Throughput as a Numeric Value , on page 46.
• DNA-C-T0-E-3Y, is a license PID where the throughput is represented by a tier value. The T0 means
that you are entitled to up to 15 Mbps bidirectional throughput.
For more information about a tier-based throughput value and related concepts, see sections Throughput
, on page 45 and Throughput as a Tier, on page 50.
If the throughput you order is greater than 250 Mbps, or Tier 2 or a higher tier, an HSECK9 license is also
required. See High Security License , on page 43.
High Security License

The High Security (HSECK9) license is an export-controlled license. It authorizes the use of full cryptographic
functionality and throughput greater than 250 Mbps or Tier 2 and higher tiers.
Note The term "throughput" refers to encrypted throughput on physical platforms. On virtual platforms, it refers
to encrypted and unencrypted throughput - combined.
On all devices in the Cisco Catalyst 8000 Edge Platforms Family, the HSECK9 license as displayed as: Router
US Export Lic. for DNA (DNA_HSEC). For example:
Device# show license authorization
Overall status:
Active: PID:C8300-1N1S-4T2X,SN:FDO2250A0J5
Status: SMART AUTHORIZATION INSTALLED on Dec 03 08:24:35 2021 UTC
Last Confirmation code: 418b11b3
Authorizations:
Router US Export Lic. for DNA (DNA_HSEC):
Description: U.S. Export Restriction Compliance license for DNA based Routers
Total available count: 1
Enforcement type: EXPORT RESTRICTED
Term information:
Authorization type: SMART AUTHORIZATION INSTALLED
License type: PERPETUAL
Term Count: 1
43
Guidelines for Using an HSECK9 License
Purchased Licenses:
No Purchase Information Available
Guidelines for Using an HSECK9 License

An export-controlled license is restricted by U.S. export control laws and requires authorization before use.
This authorization is in the form of a Smart Licensing Authorization Code (SLAC) and must be installed on
the device before full cryptographic functionality is available and throughput restrictions can be lifted. A
SLAC is required for each HSECK9 license you want to use. Details are provided in the configuration section
of this chapter.
Ordering Considerations for an HSECK9 License

If you order your DNA license(s) in the same configuration as Catalyst 8000 hardware platforms, the option
to order an HSECK9 license is available or is selected, if applicable.
If you order your DNA license(s) in a separate configuration as your Catalyst 8000 hardware platforms, you
must order the HSECK9 license in the configuration for the Catalyst 8000 hardware platforms, if required.
If you plan to use an HSECK9 license with new hardware that you are ordering, provide your Smart Account
and Virtual Account information with the hardware order. This enables Cisco to factory-install SLAC for the
HSECK9 license on the hardware. You must still configure throughput on the device before you start using
it.
Note If the HSECK9 license is ordered separately (not with the hardware order), SLAC cannot be factory-installed.
Cisco CUBE License

A Cisco Unified Border Element License (Cisco UBE license) does not require any boot level configuration
before you enable it. After purchase, you can refer to the configuration guide to configure the available Cisco
UBE features.
For information about the features available with a Cisco UBE license, see the Cisco Unified Border Element
Configuration Guide for the required release at: https://www.cisco.com/c/en/us/support/unified-communications/
unified-border-element/products-installation-and-configuration-guides-list.html.
For information about supported platforms and about purchasing a Cisco UBE license, see the datasheet at:
https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/data-sheet-c78-729692.html.
You must order a Cisco UBE license separately if required. It is not automatically included with any other
license.
For information about how to report usage of a Cisco UBE license, see Smart Licensing Using Policy for
Cisco Enterprise Routing Platforms. In the context of this licensing model, a Cisco UBE license is an unenforced
license.
Cisco Unified CME License

A Cisco Unified Communications Manager Express License (Cisco Unified CME license) does not require
any boot level configuration before you enable it. After purchase, you can refer to the configuration guide to
configure the available Cisco UBE features.
44
Cisco Unified SRST License
For information about the features available with a Cisco Unified CME license, see the Cisco Unified
Communications Manager Express System Administrator Guide.
For information about supported platforms and about purchasing a Cisco Unified CME license, see the
datasheet at:
https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-communications-manager-express/datasheet-c78-744069.html.
You must order a Cisco Unified CME license separately if required. It is not automatically included with any
other license.
For information about how to report usage of a Cisco Unified CME license, see Smart Licensing Using Policy
for Cisco Enterprise Routing Platforms. In the context of this licensing model, a Cisco UBE license is an
unenforced license.
Cisco Unified SRST License

A Cisco Unified Survivable Remote Site Telephony License (Cisco Unified SRST license) does not require
any boot level configuration before you enable it. After purchase, you can refer to the configuration guide to
configure the available Unified SRST features.
For information about the features available with a Cisco Unified SRST license, see the Cisco Unified SCCP
and SIP SRST System Administrator Guide (All Versions).
For information about supported platforms and about purchasing a Cisco Unified SRST license, see the
datasheet at:
https://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-communications-manager-express/datasheet-c78-744069.html.
You must order a Cisco Unified SRST license separately if required. It is not automatically included with any
other license.
For information about how to report usage of a Unified SRST license, see Smart Licensing Using Policy for
Cisco Enterprise Routing Platforms. In the context of this licensing model, a Unified SRST license is an
unenforced license.
Throughput
The throughput tells you how much data is allowed to be transferred on the device. You can configure this
value in the autonomous mode. If you don’t explicitly configure a throughput, the default throughput is
effective.
Encrypted and Unencrypted Throughput

Encrypted throughput, also known as crypto throughput, is throughput that is protected by a cryptographic
algorithm.
Unencrypted throughput on the other hand, is in plain text. Unencrypted throughput is also referred to as Cisco
Express Forwarding (CEF) traffic.
Throttled and Unthrottled Throughput

Throttled throughput refers to the enforcement of a restriction on the throughput.
Unthrottled throughput means no limit is enforced, and the device throughput is at the maximum capability
of the device.
45
Throughput as a Numeric Value
Important For physical platforms (Catalyst 8200, 8300, and 8500 Series Edge Platforms), all references to “throughput”
in this document refer to crypto throughput. Further, on physical platforms unencrypted throughput is unthrottled
by default.
For virtual platforms (Catalyst 8000V Edge Software), all references to “throughput” in this document refer
to crypto throughput and unencrypted throughput - combined.
Throughput Value
The throughput you are entitled to, is represented in the License product ID (PID) when you order a Cisco
DNA license.
• An example of a license PID with a numeric throughput value: DNA-C-10M-E-3Y
• An example of a license PID with a tier-based throughput value: DNA-C-T0-E-3Y
Depending on the software version running on the device and the license PID you have purchased, refer to
the corresponding section below for further details.
Throughput as a Numeric Value

The numeric throughput value in the license PID is bi-directional - it is the maximum throughput that is
allowed in each direction (upstream and downstream). The aggregate throughput is the sum of the throughput
in both directions and therefore double the bi-directional throughput.
For example, if you order license PID DNA-C-10M-E-3Y, 10 Mbps is the bi-directional throughput, and the
throughput value you configure on the device. When you configure this value, a maximum of 10 Mbps
upstream and 10 Mbps downstream throughput is supported. The aggregate throughput available is 20 Mbps.
Starting with Cisco IOS XE Cupertino 17.8.1a, for throughput levels greater than 250 Mbps, when you
configure the bidirectional throughput value on the device, aggregate throughput throttling is effective. This
means that traffic is throttled in an aggregate manner irrespective of the distribution of the traffic in the
upstream and downstream direction. This is supported only on physical platforms.
• Example: Throttling when throughput is greater than 250 Mbps
You order license PID DNA-C-500M-A-3Y. 500 Mbps is the bi-directional throughput and 1Gbps is
the aggregate throughput. The release-wise configuration and behaviour is as follows:
• Until Cisco IOS XE Cupertino 17.7.x, on physical and virtual plaforms: You configure a throughput
of 500 Mbps on the device, and a maximum of 500 Mbps upstream and 500 Mbps downstream
throughput is supported.
• From Cisco IOS XE Cupertino 17.8.1a:
On physical platforms, you configure a throughput of 500 Mbps on the device. A maximum of 1
Gbps upstream traffic and 0 Mbps downstream traffic, or 100 Mbps upstream traffic and 900 Mbps
downstream traffic or any other ratio within the aggregate 1 Gbps limit, is supported.
On virtual platforms, you configure a throughput of 500 Mbps on the device. A maximum of 500
Mbps upstream and 500 Mbps downstream throughput is supported.
• Example: Throttling when throughput is equal to or lesser than 250 Mbps
46
Throughput and System Hardware Throttling Specifications in the Autonomous Mode
You order license PID DNA-C-250M-A-3Y. 250 Mbps is the bi-directional throughput, 500 Mbps is
the aggregate throughput. The release-wise configuration and behaviour is as follows:
For all releases, on physical and virtual plaforms, you configure a throughput of 250 Mbps on the device.
A maximum of 250 Mbps upstream and 250 Mbps downstream throughput is available.
Note On C8200-1N-4T-L, if you configure a numeric value of 250 Mbps,

a maximum of 250 Mbps is available in each direction. But if you
configure a tier-based value (T2), 500 Mbps is available for use in
any upstream and downstream ratio.
The recommended way to arrive at the required throughput for your network is to first calculate the aggregate
throughput (upstream and downstream) and divide that by 2 to arrive at the bidirectional throughput value.
Finally, select the license PID that is equal to or greater than the bidirectional throughput.
The tables below provide throughput specifications for all devices in the Cisco Catalyst 8000 Edge Platforms
Family:
Note Separate tables are provided for throughput specifications in the autonomous mode and SD-WAN controller
mode.

• Supported throughput: The throughput values you can configure on the device. These are the only
throughput values you can configure on the specified device.
• Hardware throttled throughput: The throttling limit imposed by the system’s hardware, for a supported
throughput level. This column in the tables below tell you if hardware is throttled for each supported
throughput level and what that hardware throttled level is. Where the value is listed as unthrottled, it
means that throughput is not throttled even if you configure a limit.
• Require HSECK9?: Indicates if a supported throughput level requires an HSECK9 license (anything
lesser than or equal to 250 Mbps does not require HSECK9).
• Throughput Type: All throughput values in the tables are bi-directional - this is also mentioned in the
table for clarity. This column also confirms if the throughput values are encrypted or unencrypted -
encrypted on physical platforms; encrypted and unencrypted on virtual platforms.
47
PID Supported Hardware Supported Require Throughput

Throughput Throttled Release HSECK9? Type
Throughput
C8300-1N1S-4T2X 10M, 15M, 25M, 250M >= 17.4.1 No Bi-directional;

50M, 100M, 250M encrypted
(default 10M)
500M 500M >= 17.4.1 Yes
1G 1G >= 17.4.1 Yes
2.5G unthrottled >= 17.4.1 Yes
C8300-2N2S-6T 10M, 15M, 25M, 250M >= 17.4.1 No Bi-directional;

(default 10M)
500M 500M >= 17.4.1 Yes
1G 1G >= 17.4.1 Yes
C8300-1N1S-6T 10M, 15M, 25M, 250M >= 17.4.1 No Bi-directional;

(default 10M)
500M 500M >= 17.4.1 Yes
1G 1G >= 17.4.1 Yes
C8300-2N2S-4T2X 10M, 15M, 25M, 250M >= 17.4.1 No Bi-directional;

(default 10M)
500M 500M >= 17.4.1 Yes
1G 1G >= 17.4.1 Yes
2.5G unthrottled >= 17.4.1 Yes
C8200-1N-4T 10M, 15M, 25M, 250M >= 17.4.1 No Bi-directional;

(default 10M)
500M 500M >= 17.4.1 Yes
C8200-1N-4T-L 10M, 15M, 25M, 250M >= 17.5.1 No Bi-directional;

(default 10M)
C8500-12X4QC 2.5G 2.5G >= 17.4.1 Yes Bi-directional;

encrypted
(default 2.5G) 5G 5G >= 17.4.1 Yes
10G unthrottled >= 17.4.1 Yes
48
Throughput and System Hardware Throttling Specifications in the SD-WAN Controller Mode
PID Supported Hardware Supported Require Throughput

Throughput Throttled Release HSECK9? Type
Throughput
C8500-12X 2.5G 2.5G >= 17.4.1 Yes Bi-directional;

encrypted
(default 2.5G) 5G 5G >= 17.4.1 Yes
C8500L-8S4X 1G 1G >= 17.5.1 Yes Bi-directional;

encrypted
(default 1G) 2.5G 2.5G >= 17.5.1 Yes
5G 5G >= 17.5.1 Yes
C8000v 10M 10M >= 17.4.1 No Bi-directional;

encrypted
(default 10M) 25M 25M >= 17.4.1 No and
unencrypted
50M 50M >= 17.4.1 No throughput
100M 100M >= 17.4.1 No
250M 250M >= 17.4.1 No
500M 500M >= 17.4.1 Yes
1G 1G >= 17.4.1 Yes
2.5G 2.5G >= 17.4.1 Yes
5G 5G >= 17.4.1 Yes
10G 10G >= 17.4.1 Yes
Throughput and System Hardware Throttling Specifications in the SD-WAN Controller Mode
PID Throughput Throughput With Supported Throughput Type
Without HSECK9 HSECK9 Release
C8300-1N1S-4T2X 250M unthrottled >=17.4.1 Bi-directional; encrypted
(default 250M)
C8300-2N2S-6T 250M 1G >=17.4.1 Bi-directional; encrypted

(default 250M)
C8300-1N1S-6T 250M 1G >=17.4.1 Bi-directional; encrypted

(default 250M)
49
Throughput as a Tier
PID Throughput Throughput With Supported Throughput Type

Without HSECK9 HSECK9 Release
C8300-2N2S-4T2X 250M unthrottled >=17.4.1 Bi-directional; encrypted
(default 250M)
C8200-1N-4T 250M 500M >=17.4.1 Bi-directional; encrypted

(default 250M)
C8200-1N-4T-L 250M 250M >=17.5.1 Bi-directional; encrypted

(default 250M)
C8500-12X4QC unthrottled Unthrottled >=17.4.1 Bi-directional; encrypted

(default
unthrottled)
C8500-12X unthrottled unthrottled >=17.4.1 Bi-directional; encrypted

(default
unthrottled)
C8500L-8S4X unthrottled unthrottled >=17.5.1 Bi-directional; encrypted

(default
unthrottled)
C8000v 250M unthrottled >=17.4.1 Bi-directional; encrypted and

unencrypted throughput
(default 250M)
Tier-based throughput configuration is supported starting with Cisco IOS XE Cupertino 17.7.1a.
A tier represents a throughput level. Starting with the lowest throughput level, the available tiers are Tier 0
(T0), Tier 1 (T1), Tier 2 (T2), and Tier 3 (T3). T2 and higher tiers require an HSECK9 license.
All tiers are not available with all Cisco DNA licenses. For example, T3 is not available with the Network
Essentials and DNA-Essentials licenses. This also means that if you have T3 as the configured throughput,
you cannot change the boot level license to Network Essentials and DNA Essentials.
The tier-based throughput value in a license PID is bi-directional - it is the maximum throughput that is allowed
in each direction (upstream and downstream). The aggregate throughput is a sum of the throughput in both
directions and therefore double the bi-directional throughput. For example, if you order license PID
DNA-C-T0-A-3Y, T0 is the bi-directional throughput, and the throughput value you configure on the device.
When you configure this value, T0 upstream and T0 downstream, is supported. T0 tier supports upto 15 Mbps
throughput. Therefore the aggregate throughput is 30 Mbps.
50
Note Different platforms support different maximum throughput levels, therefore each tier means a different value
for different platforms. For example, T2 means 1G throughput for C8300-2N2S-4T2, 500M for C8200-1N-4T,
and 250M for C8200-1N-4T-L. See table Tier and Numeric Throughput Mapping for information about how
numeric throughput values are mapped to tiers.
Starting with Cisco IOS XE Cupertino 17.8.1a, when you configure T2 or a highter tier, aggregate throughput
throttling is effective. This means that traffic is throttled in an aggregate manner irrespective of the distribution
of the traffic in the upstream and downstream direction. This is supported only on physical platforms.
• Example: Throttling when throughput is T2 or a higher tier
You order license PID DNA-C-T2-A-3Y. With T2, the bi-directional throughput can be upto 1 Gbps
and the aggregate throughput can be upto 2 Gbps. The release-wise configuration and behaviour is as
follows:
• Until Cisco IOS XE Cupertino 17.7.x, on physical and virtual plaforms: You configure T2 on the
device, and depending on the device a maximum of up to 1 Gbps upstream and up to 1 Gbps
downstream throughput is supported.
• From Cisco IOS XE Cupertino 17.8.1a:
On physical platforms, you configure T2, and depending on the device, up to 2 Gbps of aggregate
throughput is available for use in any upstream and downstream ratio.
Note On C8200-1N-4T-L, if you configure T2, 500 Mbps is available

for use in any upstream and downstream ratio. But if you
configure a numeric value of 250M, a maximum of 250 Mbps
is available in each direction.
On virtual platforms, you configure a throughput of T2 on the device. A maximum of 1 Gbps

upstream and 1 Gbps downstream throughput is available.
• Example: Throttling when throughput is is T0 or T1

You order license PID DNA-C-T1-A-3Y. With T1, 100 Mbps is the bi-directional throughput, 200 Mbps
is the aggregate throughput. The release-wise configuration and behaviour is as follows:
For all releases, on physical and virtual plaforms, you configure a throughput of T1 on the device. A
maximum of 100 Mbps upstream and 100 Mbps downstream throughput is available.
Tier and Numeric Throughput Mapping

: Network Premium and DNA Premium
: Network Advantage and DNA Advantage
: Network Essentials and DNA Essentials
PID T0 T1 T2* T3*
*HSECK9 License Required
51
Numeric vs. Tier-Based Throughput Configuration
PID T0 T1 T2* T3*
10M 15M 25M 50M 100M 250M 500M 1G 2.5G 5G 10G
C8300-1N1S-6T
C8300-2N2S-6T
C8300-1N1S-4T2X
C8300-2N2S-4T2X
C8200-1N-4T
C8200-1N-4T-L
C8500-12X
C8500-12X4QC
C8500L-8S4X
C8000v

With the introduction of tier-based throughput configuration in Cisco IOS XE Cupertino 17.7.1a, when you
configure throughput on the device, both numeric and tier-based options are available. This section provides
information about when to configure a numeric throughput value and when to configure tier-based throughput.
Cisco Smart Software Manager (CSSM) is a portal that enables you to manage all your Cisco software licenses.
All the license PIDs you purchase are listed in the CSSM Web UI at: https://software.cisco.com → Manage
licenses. Log in to the portal and in the corresponding Smart Account and Virtual Account, navigate to
Inventory > Licences, to display the numeric and tier-based licenses in the account. Figure Figure 1: Numeric
and Tier Values Displayed in the CSSM Web UI, on page 53 shows you how to distinguish between the two.
• If you purchase a numeric license PID, the license is displayed with the numeric throughput value and
tier-based value in the CSSM Web UI. For such a license, we recommend that you configure only a
numeric throughput value.
See Configuring a Numeric Throughput, on page 58.
• If you purchase a tier-based license PID, the license is displayed with only the tier value in the CSSM
Web UI. For such a license, you can either configure a tier-based throughput value to match the display
in the CSSM Web UI, or you can configure a numeric throughput value.
See Configuring a Tier-Based Throughput, on page 61 or Configuring a Numeric Throughput, on page
58.
Note There is no functional impact if you have tier-based license PID in

CSSM and you configure a numeric throughput value on the device.
52
Figure 1: Numeric and Tier Values Displayed in the CSSM Web UI
The following scenarios further clarify when you can convert from numeric to tier-based throughput
configuration, or from tier-based throughput configuration to numeric, when conversion is required, and when
it is optional:
• You have configured a numeric throughput value on the device and the license PID is a numeric license:
You must not convert to tier-based throughput value.
53
How to Configure Available Licenses and Throughput
• You have configured a numeric throughput value on the device and the license PID is a tier-based license:
You can convert the throughput configuration to tier-based value - but this is optional. There is no
functional impact if you do not convert to a tier-based throughput value.
If you want to convert to a tier-based value, see Converting From a Numeric Throughput Value to a Tier,
on page 65
• You are upgrading to a release where tier-based throughput values are supported and the license PID is
tier-based: You can convert the throughput to tier-based value after upgrade - but this is optional. There
is no functional impact if you do not convert to a tier-based throughput value.
See Upgrading from a Release Supporting Numeric Throughput to a Release Supporting Tiers, on page
68.
• You are upgrading to a release where tier-based throughput values are supported, and your license PID
is numeric: You must not convert to a tier-based throughput value.
• You are downgrading to a release where only numeric throughput values are supported and your license
PID and throughput configuration are tier-based: You must change configuration to a numeric throughput
value, before you downgrade.
See Downgrading from a Release Supporting Tiers to a Release Supporting Only Numeric Throughput,
on page 68.
How to Configure Available Licenses and Throughput

This section provides information about the tasks you must complete, for the licenses available on the Cisco
Catalyst 8000 Edge Platforms Family - before you can start using them.
For a Cisco DNA license: Configure a Boot Level License → Configure Numeric or Tier-Based
Throughput → Implement a Smart Licensing Using Policy Topology → Report License Usage (If
Applicable).
For an HSECK9 license: Configure a Boot Level License → Implement a Smart Licensing Using Policy
Topology → Install SLAC1 → Enable HSECK9 on applicable platforms2→ Configure Numeric or
Tier-Based Throughput → Report License Usage (If Applicable).
For a Cisco UBE, or Cisco Unified CME, or Cisco Unified SRST license: Implement a Smart Licensing
Using Policy Topology → Report License Usage (If Applicable).
Configuring a Boot Level License

If you have purchased a Cisco DNA license for a new device, or if you have an existing device and you want
to change (upgrade or downgrade, add or remove) the currently configured license on your device, complete
the following task.
This sets a boot level license and requires a reload before the configured changes are effective.
1
If a SLAC has been factory-installed by Cisco manufactory (in case of new hardware), skip this step
2
Enter the license feature hseck9 command in global configuration mode for Catalyst 8200, and 8300 Series Edge Platforms only.
54
SUMMARY STEPS
1. show version
3. Depending on whether the device is a physical or virtual one, configure the applicable command:
• For physical platforms: [no] license boot level {network-advantage [addon dna-advantage] |
network-essentials [addon dna-essentials] | network-premier [addon dna-premier] }
• For virtual platforms: [no] license boot level {network-advantage {addon dna-advantage} |
network-essentials {addon dna-essentials} | network-premier {addon dna-premier} }
4. exit
5. copy running-config startup-config
6. reload
7. show version
8. show license summary
9. Complete usage reporting - if required
DETAILED STEPS

Step 1 show version Displays the currently set boot level license.
Example: In the accompanying example, Network Advantage and
Device# show version DNA Advantage licences are configured on the device.
<output truncated>
Technology Package License Information:
-----------------------------------------------------------------
Technology Type Technology-package
Technology-package
Current Next
Reboot
-----------------------------------------------------------------
Smart License Perpetual network-advantage
network-advantage
Smart License Subscription dna-advantage
dna-advantage
<output truncated>
Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal
Step 3 Depending on whether the device is a physical or virtual Sets a boot level license.
one, configure the applicable command:
On all platforms, first configure a network-stack license.
• For physical platforms: [no] license boot level Only after this can you configure the corresponding add-on
{network-advantage [addon dna-advantage] | license.
network-essentials [addon dna-essentials] |
In the command syntax note how the configuration of a
network-premier [addon dna-premier] }
DNA-stack add-on license is optional on physical platforms,
• For virtual platforms: [no] license boot level but mandatory on virtual platforms.
{network-advantage {addon dna-advantage} |
55

network-essentials {addon dna-essentials} | The accompanying example, shows configuration on a
network-premier {addon dna-premier} } C8300-1N1S-4T2X router, which is a physical platform.
The network-stack license, Network Premier and the
Example:
corresponding add-on license, DNA-Premier are configured.
Device(config)# license boot level network-premier
addon dna-premier
% use 'write' command to make license boot config
take effect on next boot
Step 4 exit Exits global configuration mode and returns to privileged

EXEC mode.
Example:
Device# exit
Step 5 copy running-config startup-config Saves your entries in the configuration file.
Example:
Device# copy running-config startup-config
Destination filename [startup-config]?
[OK]
<output truncated>
Step 6 reload Reloads the device. License levels configured in Step 3 are
effective and displayed only after this reload.
Example:
Device# reload
Proceed with reload? [confirm]
*Dec 8 01:04:12.287: %SYS-5-RELOAD: Reload

requested by console.
Reload Reason: Reload Command.
<output truncated>
Step 7 show version Displays the currently set boot level license.
Example: In the accompanying example, the output confirms that
Device# show version Network Premier and DNA-Premier licenses are configured.
<output truncated>
-----------------------------------------------------------------
Technology Type Technology-package
Technology-package
Current Next
Reboot
-----------------------------------------------------------------
Smart License Perpetual network-premier
network-premier
Smart License Subscription dna-premier
dna-premier
<output truncated>
Step 8 show license summary Displays a summary of license usage, which includes
information about licenses being used, the count, and status.
Example:
Device# show license summary
Account Information:
56
Installing SLAC for an HSECK9 License

Smart Account: Eg-SA As of Dec 08 08:10:33 2021
UTC
Virtual Account: Eg-VA
License Usage:
License Entitlement Tag
Count Status
-----------------------------------------------------------------------------
network-premier_T2 (NWSTACK_T2_P)
1 IN USE
dna-premier_T2 (DSTACK_T2_P)
1 IN USE
Step 9 Complete usage reporting - if required After you configure a license level, you may have to send
a RUM report (Resource Utilization Measurement Report)
to CSSM to report license usage information. To know if
reporting is required, you can wait for a system message or
refer to the policy using show commands.
• The system message, which indicates that reporting is
required:
%SMART_LIC-6-REPORTING_REQUIRED: A
Usage report acknowledgement will be required in
[dec] days. [dec] is the amount of time (in days) left
to meet reporting requirements.
• If using show commands, refer to the output of the
show license status privileged EXEC command and
check the Next ACK deadline field. This means a
RUM report must be sent and the acknolwedgement
(ACK) from CSSM must be installed by this date.
How you send the RUM report, depends on the topology

you have implemented in the Smart Licensing Using Policy
environment. For more information, see How to Configure
Smart Licensing Using Policy: Workflows by Topology.
Installing SLAC for an HSECK9 License

A Smart Licensing Authorization Code (SLAC) is generated in and obtained from Cisco Smart Software
Manager (CSSM) portal.
There are multiple ways in which a product may be connected to the CSSM, in order to obtain a SLAC. Each
way of connecting to CSSM is called a topology. You must implement one of the supported topologies so
you can then install SLAC in the corresponding method.
For information about all the methods, see the Supported Topologies section of the Smart Licensing Using
Policy for Cisco Enterprise Routing Platforms document.
Required Tasks After Installing SLAC

Complete the following required tasks after installing SLAC - only if applicable to the platform:
57
Configuring a Numeric Throughput
Platform Required Tasks After Installing SLAC
For Catalyst 8200 and 8300 Series Enter the license feature hseck9 command in global configuration
Edge Platforms mode. This enables the HSECK9 license on these platforms.
For the C8500L models of the Reload the device after installing SLAC.
Catalyst 8500 Series Edge
Platforms

This task shows you how to change the numeric throughput level on physical and virtual platforms. If you do
not configure a throughput level, the platform's default throughput level is effective.
Configuration of a throughput level requires a reload on physical platforms (Catalyst 8200, 8300, and 8500
Series Edge Platforms). A reload is not required for virtual platforms (Catalyst 8000V Edge Software).
Before you begin

• Read the Throughput as a Numeric Value , on page 46 and Numeric vs. Tier-Based Throughput
Configuration, on page 52 sections.
• Ensure that a boot level license is already configured on the device. See Configuring a Boot Level License,
on page 54. In the output of the show version privileged EXEC command ensure that a license is
mentioned in the License Level field.
• If you are configuring throughput greater than 250 Mbps, ensure that you have already installed a Smart
Licensing Authorization Code (SLAC) according to the method that applies to your topology in the Smart
Licensing Using Policy environment. See Installing SLAC for an HSECK9 License, on page 57.
• Note the throughput you are entitled to. This is indicated in the Cisco DNA license PID you purchase.
SUMMARY STEPS
1. Depending on whether the device is a physical or virtual one, enter the applicable command:
• For physical platforms: show platform hardware throughput crypto
• For virtual platforms: show platform hardware throughput level
• For physical platforms: platform hardware throughput crypto {100M | 10M | 15M | 1G | 2.5G |
250M | 25M | 500M | 50M}
• For virtual platforms: platform hardware throughput level MB {100 | 1000 | 10000 | 15 | 25 | 250
| 2500 | 50 | 500 | 5000}
4. exit
6. reload
58
DETAILED STEPS

Step 1 Depending on whether the device is a physical or virtual Displays the currently running throughput on the device.
one, enter the applicable command:
In the accompanying examples,
• For physical platforms: show platform hardware
• The show platform hardware throughput crypto
throughput crypto
sample output is of a physical platform (a
• For virtual platforms: show platform hardware C8300-2N2S-4T2X). Here the throughput level is
throughput level throttled at 250M.
Example:
• The show platform hardware throughput level
Device# show platform hardware throughput crypto sample output is of a virtual platform (a C8000V).
Current configured crypto throughput level: 250M
Level is saved, reboot is not required
Current enforced crypto throughput level: 250M
Crypto Throughput is throttled at 250M
Default Crypto throughput level: 10M
Current boot level is network-advantage
OR
Device# show platform hardware throughput level

The current throughput level is 1000000 kb/s

Example:
Step 3 Depending on whether the device is a physical or virtual Configures the throughput level. The displayed throughput
one, configure the applicable command: options depend on the device.
• For physical platforms: platform hardware The following apply to both physical and virtual platforms:
throughput crypto {100M | 10M | 15M | 1G | 2.5G
• At a minimum, you must have configured a
| 250M | 25M | 500M | 50M}
network-stack license already. Otherwise the command
• For virtual platforms: platform hardware throughput is not recognized as a valid one on the command line
level MB {100 | 1000 | 10000 | 15 | 25 | 250 | 2500 | interface.
50 | 500 | 5000}
• If you are configuring throughput greater than 250
Example:
Mbps, you must have already installed SLAC. Options
Device(config)# platform hardware throughput crypto greater than 250 Mbps are displayed only if SLAC is
?
100M 100 mbps bidirectional thput
installed.
10M 10 mbps bidirectional thput In the accompanying examples,

15M 15 mbps bidirectional thput • 1 Gbps is configured on the physical platform.
Aggregate throughput throttling (Cisco IOS XE
1G 2 gbps aggregate thput
Cupertino 17.8.1a and later) is effective. After reboot,
2.5G 5 gbps aggregate thput irrespective of the distribution of traffic in the upstream
and downstream direction, an aggregate throughput
250M 250 mbps bidirectional thput limit of 2 Gbps is effective.
59

• 5000 Mbps is configured on the virtual platform. A
maximum of 5000 Mbps upstream and 5000 Mbps
500M 1gbps aggregate thput downstream throughput is supported.
Device(config)# platform hardware throughput crypto

1G
% These values don't take effect until the next
reboot.
Please save the configuration.
OR
Device(config)# platform hardware throughput level

MB 5000
%Throughput has been set to 5000 Mbps.

EXEC mode.
Example:
Device# exit
Example:
Step 6 reload Reloads the device.

Example: Note Perform this step only if the device you are
Device# reload configuring throughput on is a physical platform
(Catalyst 8200, 8300, and 8500 Series Edge
Platforms).
Skip this step if you are configuring throughput
on a virtual platform (Catalyst 8000V Edge
Software).
Note On physical platforms, you can also enter the
• For physical platforms: show platform hardware show platform hardware qfp active feature
throughput crypto ipsec state privileged EXEC command to display
• For virtual platforms: show platform hardware the configured throughput level.
throughput level
Example:
Device# show platform hardware throughput crypto
Current configured crypto throughput level: 1G
Current enforced crypto throughput level: 1G
Crypto Throughput is throttled at 2G(Aggregate)
60
Configuring a Tier-Based Throughput

OR


This task shows you how to configure a tier-based throughput level on physical and virtual platforms. If you
do not configure a throughput level, the platform's default throughput level is effective.
Tier-based throughput levels are supported starting with Cisco IOS XE Cupertino 17.7.1a only.
Configuration of a throughput level requires a reload on physical platforms (Catalyst 8200, 8300, and 8500
Series Edge Platforms). A reload is not required for virtual platforms (Catalyst 8000V Edge Software).
Before you begin

• Read the Throughput as a Tier, on page 50 and Numeric vs. Tier-Based Throughput Configuration, on
page 52 sections.
• Ensure that a boot level license is already configured on the device. See Configuring a Boot Level License,
on page 54. In the output of the show version privileged EXEC command, ensure that the license is
mentioned.
• If you want to configure Tier 3 (T3) ensure that the boot level license is Network Advantage/ DNA
Advantage, or Network Premier/DNA Premier. T3 is not supported with Network Essentials and DNA
Essentials.
• If you are configuring Tier 2 (T2) or a higher tier, ensure that you have already installed a Smart Licensing
Authorization Code (SLAC) according to the method that applies to your topology in the Smart Licensing
Using Policy environment. See Installing SLAC for an HSECK9 License, on page 57.
• On physical platforms, T2 or higher tiers are not displayed if SLAC is not installed.
• On virtual platforms, all tier options are displayed even if SLAC is not installed. But SLAC is
required if you want to configure T2 or a higher tier.
• Note the throughput you are entitled to. This is indicated in the Cisco DNA license PID you purchase.
SUMMARY STEPS
2. show license authorization
• For physical platforms: platform hardware throughput crypto {T0 | T1 | T2 | T3}
• For virtual platforms: platform hardware throughput level MB {T0 | T1 | T2 | T3 }
61
5. exit
7. reload
DETAILED STEPS

In the accompanying examples:
• The show platform hardware throughput crypto
throughput crypto
sample output is of a physical platform (a
• For virtual platforms: show platform hardware C8300-2N2S-4T2X). Here throughput is currently
throughput level throttled at 250 Mbps.
Example:
• The show platform hardware throughput level
Device# show platform hardware throughput crypto sample output is of a virtual platform (a C8000V).
show platform hardware throughput crypto
Here the current throughput level is 10 Mbps.
Current boot level is network-premier
OR

Step 2 show license authorization (Optional) Displays SLAC information on the product
instance.
Example:
Device# show license authorization In the accompanying example:
Overall status:
Active: PID:C8300-2N2S-4T2X,SN:FDO2250A0J5 • SLAC is installed on the physical platform. This is so
Status: SMART AUTHORIZATION INSTALLED on Mar we can configure T2 in the subsequent steps.
02 05:05:19 2022 UTC
Last Confirmation code: 418b11b3 • SLAC is not available on the virtual platform. Note
how this affects throughput configuration in the
Authorizations: subsequent steps.
Router US Export Lic. for DNA (DNA_HSEC):
Description: U.S. Export Restriction Compliance
license for
DNA based Routers
Total available count: 1
Enforcement type: EXPORT RESTRICTED
Term information:
Authorization type: SMART AUTHORIZATION
INSTALLED
License type: PERPETUAL
Term Count: 1
62
Purchased Licenses:
No Purchase Information Available
OR
Device# show license authorization

Overall status:
Active: PID:C8000V,SN:9I8GRCH8CMN
Status: NOT INSTALLED

Example:
Step 4 Depending on whether the device is a physical or virtual Configures a tier-based throughput. The throughput options
one, configure the applicable command: that are displayed, depend on the device.
• For physical platforms: platform hardware Note Only tiers are mentioned in command, for the
throughput crypto {T0 | T1 | T2 | T3} sake of clarity. When you enter the command on
• For virtual platforms: platform hardware throughput the CLI, numeric and tier values are displayed -
level MB {T0 | T1 | T2 | T3 } as shown in the accompanying examples.
Example: The following apply to both physical and virtual platforms:
? • You have configured a boot level license already.
100M 100 mbps bidirectional thput Otherwise the command for throughput configuration
is not recognized as a valid one on the command line
interface.
• If you are configuring T2 or a higher tier, you have
1G 2 gbps aggregate thput installed SLAC.
2.5G 5 gbps aggregate thput Note On a physical platform, you will not be able
to configure T2 or a higher tier if SLAC is
250M 250 mbps bidirectional thput not installed.
25M 25 mbps bidirectional thput On a virtual platform, if you configure T2
or a higher tier without SLAC, the product
500M 1gbps aggregate thput
instance automatically tries to reach CSSM
50M 50 mbps bidirectional thput to request and install SLAC. If it is
successful, throughput is set to the
T0 T0(up to 15 mbps) bidirectional thput configured tier. If it is not successful, the
T1 T1(up to 100 mbps) bidirectional thput
system sets the throughput to 250 Mbps. If
and when SLAC is installed, the throughput
T2 T2(up to 2 gbps) aggregate thput is automatically set to the last configured
value.
T3 T3(up to 5 gbps) aggregate thput

T2
% These values don't take effect until the next • On the physical platform (platform hardware
reboot.
throughput crypto), tiers T2 and higher tiers are
*Mar 02 05:06:19.042: displayed, because SLAC is installed. If SLAC were
63

%CRYPTO_SL_TP_LEVELS-6-SAVE_CONFIG_AND_RELOAD: not available, T1 would have been the highest tier
New throughput level not applied until reload;
displayed.
please save config
Further, aggregate throughput throttling (Cisco IOS
OR
XE Cupertino 17.8.1a and later) is effective. After
MB ? reboot, irrespective of the distribution of traffic in the
100 Mbps upstream and downstream direction, an aggregate
1000 Mbps throughput limit of 2 Gbps is supported.
10000 Mbps
15 Mbps • On the virtual platform (platform hardware
25 Mbps
250 Mbps
throughput level MB), all tiers are displayed. After
2500 Mbps T2 is configured, the system message alerts you to the
50 Mbps fact that the configuration is not set, because SLAC is
500 Mbps not installed.
5000 Mbps
T0 Tier0(up to 15M throughput)
T1 Tier1(up to 100M throughput)
T2 Tier2(up to 1G throughput)
T3 Tier3(up to 10G throughput)
T4 Tier4(unthrottled)

MB T2
%Requested throughput will be set once HSEC
authorization
code is installed

EXEC mode.
Example:
Device# exit
Example:
[OK]

Example: Note A reload is required only for physical platforms.
Device# reload
*Mar 02 05:07:00.979: %SYS-5-RELOAD: Reload
Reload Reason: Reload Command.
• On the physical platform, the tier value is set to T2.
throughput crypto
64
Converting From a Numeric Throughput Value to a Tier

• For virtual platforms: show platform hardware Note On physical platforms, you can also enter
throughput level the show platform hardware qfp active
feature ipsec state privileged EXEC
Example:
command to display the configured
Device# show platform hardware throughput crypto throughput level.
Current configured crypto throughput level: T2
Current enforced crypto throughput level: 1G • On the virtual platform, throughput is set to 250 Mbps.
Crypto Throughput is throttled at 2G(Aggregate) If and when SLAC is installed, the throughput will be
automatically set to the last configured value, which
is T2.
OR


This task shows you how to convert a numeric throughput value to a tier-based throughput value. To know
how numeric throughput values are mapped to tier values refer to the table here: Tier and Numeric Throughput
Mapping.
Converting the throughput level requires a reload on physical platforms (Catalyst 8200, 8300, and 8500 Series
Edge Platforms). A reload is not required for virtual platforms (Catalyst 8000V Edge Software).
Before you begin

• Read the Numeric vs. Tier-Based Throughput Configuration, on page 52 section.
• If you are converting numeric throughput that is equal or greater than 250 Mbps, ensure that a SLAC is
installed on the device. See Installing SLAC for an HSECK9 License, on page 57.
• The software version running on the product instance is Cisco IOS XE Cupertino 17.7.1a or a later
release.
SUMMARY STEPS
• For physical platforms: license throughput crypto auto-convert
• For virtual platforms: license throughput level auto-convert
4. reload
65
6. Verify that conversion is complete.

• For physical platforms: license throughput crypto auto-convert
• For virtual platforms: license throughput level auto-convert
DETAILED STEPS

throughput crypto
• For virtual platforms: show platform hardware
throughput level
Example:
OR

Step 2 Depending on whether the device is a physical or virtual Converts the numeric throughput to a tier-based throughput
one, enter the applicable command: value. The converted tier value is displayed on the CLI.
• For physical platforms: license throughput crypto
auto-convert
• For virtual platforms: license throughput level
auto-convert
Example:
Device# license throughput crypto auto-convert
Crypto throughput auto-convert from level 500M to
T2
% These values don't take effect until the next

reboot.
*Dec 8 03:21:01.401:
%CRYPTO_SL_TP_LEVELS-6-SAVE_CONFIG_AND_RELOAD:
New throughput level
not applied until reload; please save config
OR
Device# license throughput level auto-convert

%Throughput tier set to T1 (100 Mbps)
% Tier conversion is successful.
Please write memory to save the tier config
66

Example: Note Even though the command you use to convert
Device# copy running-config startup-config from numeric to tier-based throughput is a
Destination filename [startup-config]? privileged EXEC command, it changes running
Building configuration... configuration from a numeric value to a
[OK]
tier-based value. You must therefore save
configuration for the next reload to be displayed
with a tier value.

Example: Note A reload is required only on physical platforms.
Device# reload
*Dec 8 03:24:09.534: %SYS-5-RELOAD: Reload
Reload Reason:
Reload Command
throughput crypto
• For virtual platforms: show platform hardware
throughput level
Example:
Current configured crypto throughput level: T2
Current enforced crypto throughput level: 1G
Crypto Throughput is throttled at 1G
OR

Step 6 Verify that conversion is complete. Tip To cross-check that conversion is complete, you
can also enter the conversion command again.
• For physical platforms: license throughput crypto
If the numeric throughput value has already been
auto-convert
converted, the system displays a message
• For virtual platforms: license throughput level confirming this.
auto-convert
Example:
Device# license throughput crypto auto-convert
Crypto throughput is already tier based, no need
to convert.
OR
67
Upgrading from a Release Supporting Numeric Throughput to a Release Supporting Tiers
Device# license throughput level auto-convert

% Tier conversion not possible since the device is
already
in tier licensing
Upgrading from a Release Supporting Numeric Throughput to a Release

Supporting Tiers
If you are upgrading to Cisco IOS XE Cupertino 17.7.1 or later release and the license PID is a tier-based
one, you can convert throughput configuration to a tier-based value, or you can retain the numeric throughput
configuration.
Note There is no functional impact if you have tier-based license PID in CSSM and a numeric throughput value is
configured on the device.
If you want to convert to a tier-based value note the required action depending on the throughput level that
is configured:
Throughput Configuration Action Before Upgrade Action After Upgrade to 17.7.1 or Later
Before Upgrade
Lesser than 250 Mbps No action required. Converting From a Numeric Throughput
Value to a Tier, on page 65
Equal to 250 Mbps Obtain an HSECK9 license and install Converting From a Numeric Throughput
SLAC if you want to convert to T2. Value to a Tier, on page 65
Greater than 250 Mbps No action required. Converting From a Numeric Throughput
Value to a Tier, on page 65
Downgrading from a Release Supporting Tiers to a Release Supporting Only

Numeric Throughput
If you are downgrading to a release where only numeric throughput configuration is supported, you must
convert tier-based throughput configuration to a numeric throughput value before downgrade. This is applicable
even if the license PID is a tier-based license PID.
Caution If a tier-based throughput value was configured before downgrade and you downgrade without changing to
a numeric value, tier configuration is not recognized by a pre-17.7.1 image and configuration fails. Further,
throughput may not be restored to the pre-downgrade level and you have to configure a numeric throughput
level after downgrade.
68
Available Licensing Models
Throughput Configuration Action Before Downgrade Action After Downgrade to a pre-17.7.1

Before Downgrade Version
Numeric No action required. No action required.
Tier Configuring a Numeric Throughput, on No action required.

page 58

The licensing model defines how you account for or report the licenses that you use, to Cisco. The following
licensing models are available on the Cisco Catalyst 8000 Edge Platforms Family:
Smart Licensing Using Policy

With this licensing model, you purchase the licenses you want to use, configure them on the device, and then
report license usage – as required. You do not have to complete any licensing-specific operations, such as
registering or generating keys before you start using the software and the licenses that are tied to it - unless
you are using export-controlled and enforced licenses.
This licensing model is supported on all products in the Cisco Catalyst 8000 Edge Platforms Family.
For more information, see Smart Licensing Using Policy for Cisco Enterprise Routing Platforms.
Pay As You Go (PAYG) Licensing
Note This licensing model is available only on Catalyst 8000V Edge Software.
Cisco Catalyst 8000V supports the PAYG licensing model with Amazon Web Services (AWS) and Microsoft
Azure Marketplace - in both the autonomous mode and the controller mode. The Cisco Catalyst 8000V
hourly-billed Amazon Machine Image (AMI) or the Pay As You Go licensing model allows you to consume
an instance for a defined period of time.
• In the autonomous mode, you can directly launch an instance from the AWS or Azure Marketplace and
start using it. The licenses are embedded in the image and the selected license package and configured
throughput level are effective when you launch the instance
• In the controller mode, which is supported from Cisco IOS-XE Bengaluru 17.5.1, you must first onboard
the device into Cisco SD-WAN as per Onboard Cisco Catalyst 8000V Edge Software Hosted by a Cloud
Service, Using PAYG Licensing. After this, when you launch the instance from AWS, the device comes-up
with the license already installed for unlimited throughput.
Managed Service Licensing Agreement

Managed Service Licensing Agreement (MSLA) is a consumption-based software licensing model designed
for Cisco’s Managed Service Provider business. It is available with Cisco SD-WAN controller mode.
69
Note This licensing model is supported on all products in the Cisco Catalyst 8000 Edge Platforms Family in the
Cisco SD-WAN controller mode.
For more information, see:

Managed Service Licensing Agreement (MSLA) for Cisco SD-WAN At-a-Glance
Cisco SD-WAN Getting Started Guide → Manage Licenses for Smart Licensing Using Policy.
Cisco vManage How-Tos for Cisco IOS XE SD-WAN Devices → Manage Licenses for Smart Licensing
Using Policy.
70
CHAPTER 5
Change of Authorization
Change of Authorization (CoA) provides a mechanism to change the attributes of an authentication,
authorization, and accounting (AAA) session after it is authenticated.
Identity-Based Networking Services supports change of authorization (CoA) commands for session query,
reauthentication, and termination, port bounce and port shutdown, and service template activation and
deactivation.
• Feature Information for Change of Authorization, on page 71
• Information About Change of Authorization, on page 72
• Restrictions for Change of Authorization, on page 74
• How to Configure Change of Authorization, on page 75
• Configuration Examples for Change of Authorization, on page 76
Feature Information for Change of Authorization

Table 7: Feature Information for Change of Authorization
Change of Cisco IOS XE The Change of Authorization

Authorization Amsterdam 17.4.1
The following commands were introduced by this feature:
show aaa servers, show aaa group radius, show
device-tracking policies, show device-tracking database
show access-session interface interface-name
Change of Cisco IOS XE The Change of Authorization

Authorization Amsterdam 17.3.1a
The following commands were introduced by this feature:
show ip access-lists, show ip access-list interface , debug
epm plugin acl event, debug epm plugin acl errors
71
Information About Change of Authorization
Information About Change of Authorization

Change of Authorization-Reauthentication Procedure
Change of Authorization (CoA) provides a mechanism to change the attributes of an authentication,
authorization, and accounting (AAA) session after it is authenticated. The main steps in this procedure are:
• Authentication
• Posture Assessment
• CoA Re-Authentication
• Network Access Authorization
When a policy changes for a user or user group in AAA, administrators can send RADIUS CoA packets from
the AAA server, such as a Cisco Identity Secure Engine (ISE) to reinitialize authentication and apply the new
policy. This section provides an overview of the RADIUS interface including available primitives and how
they are used during a CoA.
The RADIUS CoA provides a mechanism to change the attributes of an AAA session after it is authenticated.
When policy changed on user or user group in RADIUS server, administrators can initiate RADIUS CoA
process from RADIUS server to re-authenticate or re-authorize new policy
72
Change of Authorization-Reauthentication Procedure
By default, the RADIUS interface is enabled on the device. However, some basic configuration is required
for the following attributes:
• Security and Password
• Accounting
After posture assessment is succeessful, full network access is pushed down to the device for specific client
through CoA re-authentication command based on its compliance state derived from last assessment. It is
optional to enforce downloadable ACLs with Permit-ALL or limited access to certain resources to corresponding
clients. Per-session CoA requests are supported for session identification, session termination, host
reauthentication, port shutdown, and port bounce. This model comprises one request (CoA-Request) and two
possible response codes:
• CoA acknowledgement (ACK) [CoA-ACK]
• CoA nonacknowledgement (NAK) [CoA-NAK]
73
Change of Authorization (CoA) is a critical part of a solution to initiate re-authenticate or re-authorization to
an endpoint’s network access based on its posture assessment result. This feature is integrated with Cisco
AnyConnect, version 4.8 and Cisco ISE, version 2.6.
The network topology below shows a typical Cisco 1000 Series Integrated Services Router as a branch router
in a network for secure access with ISE and other network services deployed in Campus or Data Center.
Figure 2: Cisco ISR1000 in a Network for Secure Access with ISE and other Network Services
CoA is critical part of the solution to initiate re-authenticate or re-authorization to endpoint’s network access
based on its posture assessment result. Downloadable ACL is the Target/Purpose of the entire solution. The
per-client basis customized security policies are achieved by it.
Restrictions for Change of Authorization

• Only 8 ports SKUs have TCAM to support DACL and Redirect ACL
• xACL can only match exact value(>,<,>=,<= are not supported)
• Switch ASIC TCAM has only 255 entries (IPv4 ACL entries) in total
• No IPv4 option header support, no IP fragment support in ACL packet inspection
• IPv6 is not supported in this feature
• Port ACL is not supported in this feature
• SISF: Only support none-secure device-tracking (tracking policy with security level ‘glean’)
• Multi-auth vlan is not supported on Cisco 1000 Series Integrated Services Routers
74
How to Configure Change of Authorization
• Tracking is not getting replaced by ‘enable tracking‘

• VLAN change does not happen consistently with multiple iterations on client interfaces
How to Configure Change of Authorization

Essential dot1x | SANet Configuration
aaa new-model
aaa authentication dot1x default group coa-ise
aaa authorization network default group coa-ise
dot1x system-auth-control
aaa group server radius coa-ise
server name coa
radius server coa
address ipv4 10.10.1.10 auth-port 1812 acct-port 1813
key cisco123
policy-map type control subscriber simple_coa
event session-started match-all
10 class always do-until-failure
10 authenticate using dot1x
interface gigabitethernet0/0/1
switchport access vlan 22
switchport mode access
access-session closed
access-session port-control auto
dot1x pae authenticator
service-policy type control subscriber simple_coa
Configure Change of Authorization

aaa server radius dynamic-author
client
server-key ******
auth-type any
ignore server-key
ip access-list extended redirect_acl
20 deny udp any eq bootps any
25 deny udp any eq domain any
30 deny udp any any eq bootpc
40 deny udp any eq bootpc any
50 deny ip any host %{ise.ip}
60 permit tcp any any eq www
70 permit tcp any any eq 443
device-tracking tracking
device-tracking policy tracking_test
security-level glean
no protocol ndp
no protocol dhcp6
tracking enable
interface 0/0/1
device-tracking attach-policy tracking_test
75
Configuration Examples for Change of Authorization
Configuration Examples for Change of Authorization

Example: Check if the RADIUS Server is Active
Device# show aaa servers
RADIUS: id 1, priority 1, host 10.75.28.231, auth-port 1812, acct-port 1813, hostname host
State: current UP, duration 188755s, previous duration 0s
Dead: total time 0s, count 0
Platform State from SMD: current UP, duration 188755s, previous duration 0s
Example: Device Tracking Policy

Device# show aaa group radius coa3 **** port 1813 new-code
User successfully authenticated
USER ATTRIBUTES
username 0 "coa3"
To check if the parameters are enabled:

Device# show device-tracking policies
Target Type Policy Feature Target range
Gi0/1/1 PORT tracking_test Device-tracking vlan all
To check the SISF table:

Device# show device-tracking database
Binding Table has 1 entries, 1 dynamic (limit 100000)
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Address Link Address Interface vlan prlvl age state Time
left
ARP 10.11.22.20 0050.5683.3f97 Gi0/1/4 22 0005 11s REACHABLE
295 s
To check if the access-session is authenticated and autorized:

Device# show access-session interface gigabitEthernet 0/1/7 detail
Interface: GigabitEthernet0/1/7
IIF-ID: 0x0DB9315A
MAC Address: b496.913d.4f9b
IPv6 Address: Unknown
IPv4 Address: 10.10.22.27
User-Name: coa2
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 611C4B0A00000053F483D7B0
76
Acct Session ID: Unknown

Handle: 0x21000049
Current Policy: POLICY_COA
Server Policies: Filter-ID: Filter_ID_COA2
Method status list: Method State
dot1x Authc Success
77
78
CHAPTER 6
Managing the Device Using Web User Interface
The Web User Interface (Web UI) is an embedded GUI-based device-management tool that provides the
ability to provision the device, to simplify device deployment and manageability, and to enhance the user
experience. It comes with the default image, so there is no need to enable anything or install any license on
the device. You can use WebUI to build configurations, and to monitor and troubleshoot the device without
having CLI expertise. This chapter includes the these sections:
• Setting Up Factory Default Device Using Web UI , on page 79
• Using Web User Interface for Day One Setup, on page 83
• Monitor and Troubleshoot Device Plug and Play (PnP) Onboarding using WebUI , on page 84
Setting Up Factory Default Device Using Web UI

Quick Setup Wizard allows you perform the basic router configuration. To configure the router:
Note Before you access the Web UI, you need to have the basic configuration on the device.
Step 1 Connect the RJ-45 end of a serial cable to the RJ-45 console port on the router.
Step 2 After the device initial configuration wizard appears, enter No to get into the device prompt when the following system
message appears on the router.
Would you like to enter the initial configuration dialog? [yes/no]: no
Step 3 From the configuration mode, enter the following configuration parameters.
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
username admin privilege 15 password 0 default

!
interface gig 0/0/1
ip address 192.168.1.1 255.255.255.0
!
Step 4 Connect the PC to the router using an Ethernet cable to the gig 0/0/1 interface.
79
Using Basic or Advanced Mode Setup Wizard
Step 5 Set up your PC as a DHCP client to obtain the IP address of the router automatically.
Step 6 Launch the browser and enter the device IP address in your browser’s address line. For a secure connection, type
https://192.168.1.1/#/dayZeroRouting. For a less secure connection, enter http://192.168.1.1/#/dayZeroRouting.
Step 7 Enter the default username (admin) and the password as default.
Using Basic or Advanced Mode Setup Wizard

To configure the router using the basic or advanced mode setup:
Step 1 Choose the Basic Mode or Advanced Mode and click Go To Account Creation Page.
Step 2 Enter the username and password. Reenter the password to confirm.
Step 3 Click Create and Launch Wizard.
Step 4 Enter the device name and domain name.
Step 5 Select the appropriate time zone from the Time Zone drop-down list.
Step 6 Select the appropriate date and time mode from the Date and Time drop-down list.
Step 7 Click LAN Settings.
Configure LAN Settings
Step 1 Choose the Web DHCP Pool/DHCP Pool name or the Create and Associate Access VLAN option.
a) If you choose the Web DHCP Pool, specify the following:
Pool Name—Enter the DHCP Pool Name.
Network—Enter network address and the subnet mask.
b) If you choose the Create and Associate Access VLAN option, specify the following:
Access VLAN—Enter the Access VLAN identification number. The range is from 1 to 4094.
80
Configure Primary WAN Settings
Network—Enter the IP address of the VLAN.

Management Interfaces—Select the interface and move to the selected list box using the right and left arrows. You
can also double click or drag and drop to move the interface to the selected list box.
Step 2 Click Primary WAN Settings.
Configure Primary WAN Settings
Step 1 Select the primary WAN type. You con configure Serial, 3G/4G, Ethernet, or Broadband (xDSL) as primary WAN
depending on the WAN types supported by the router.
Step 2 Select the interface from the drop-down list.
Step 3 Check the Get DNS Server info directly from ISP check box to get the DNS server information directly from the service
provider. You can also manually enter the Primary DNS and Secondary DNS.
Step 4 Check the Get IP automatically from ISP check box to get the IP address information directly from the service provider.
You can also manually enter the IP address and subnet mask.
Step 5 Check the Enable NAT check box to enable NAT. It is recommended to enable NAT.
Step 6 Check the Enable PPPOE check box to enable PPPoE. If you have enabled PPPoE, select the required authentication
mode. The options are: PAP and CHAP.
Step 7 Enter the user name and password provided by the service provider.
Step 8 Click Security / APP Visibility WAN Settings.
81
Configure Secondary WAN Settings
Configure Secondary WAN Settings

For advanced configuration, you should configure the secondary WAN connection.
Step 1 Select the secondary WAN type. You con configure Serial, 3G/4G, Ethernet, or Broadband (xDSL) as a secondary WAN
depending on the WAN types supported by the router.
Step 2 Select the interface from the drop-down list.
Step 3 Check the Get DNS Server info directly from ISP check box to get the DNS server information directly from the service
provider. You can also manually enter the Primary DNS and Secondary DNS.
Step 4 Check the Get IP automatically from ISP check box to get the IP address information directly from the service provider.
You can also manually enter the IP address and subnet mask.
Step 5 Check the Enable NAT check box to enable NAT. It is recommended to enable NAT.
Step 6 Check the Enable PPPOE check box to enable PPPoE. If you have enabled PPPoE, select the required authentication
mode. The options are PAP and CHAP .
Step 7 Enter the user name and password provided by the service provider.
Step 8 Click Security / APP Visibility WAN Settings.
Configure Security Settings
Step 1 Check the Enable Cisco Recommended Security Settings check box to ensure that all passwords are not shown in plain
text. The passwords are encrypted.
Step 2 Click Day 0 Config Summary.
Step 3 To preview the configuration, click CLI Preview to preview the configuration.
Step 4 Click Finish to complete the Day Zero setup.
82
Using Web User Interface for Day One Setup
Using Web User Interface for Day One Setup

To configure the Web user interface:
Step 1 Configure the HTTP server. By default, the HTTP server configuration should be present on the device. Ensure the
configuration by checking if the ip http server and ip http secure-server commands are present in the running
configuration.
Device #configure terminal
Device (config)#ip http server
Device (config)#ip http secure-server
Step 2 Set up the authentication options to log into Web UI. You can use one of these methods to authenticate:
a) You can authenicate using local database. To use a local database for Web UI authentication, ensure to have the ip
http authentication local command in the running configuration. This command is preconfigured on the device. If
the command is not present, configure the device as shown in this example:
Device (config)#ip http authentication local
Note You need a user with privilege 15 to access the configuration screens on Web UI. If the privilege is less
than 15, you can access only the Dashboard and Monitoring screens on Web UI.
To create a user account, use the username <username> privilege <privilege> password 0 <passwordtext>
Device (config)# username <username> privilege <privilege> password 0 <passwordtext>
b) Authenticate using AAA options. To use AAA authentication for Web UI, ensure to configure ‘ip http authentication
aaa’ on the device. Also, ensure that the required AAA server configuration is present on the device.
Device (config)#ip http authentication local
83
Monitor and Troubleshoot Device Plug and Play (PnP) Onboarding using WebUI
Step 3 Launch the browser. In the address bar, type the IP address of the device. For a secure connection, type https://ip-address.
Step 4 Enter the default username (cisco) and password provided with the device
Step 5 Click Log In.
Monitor and Troubleshoot Device Plug and Play (PnP)

Onboarding using WebUI
Table 8: Feature History
Feature Name Release Information Description
Monitor and Troubleshoot Device Cisco IOS XE Release 17.5.1a You can now monitor and
PnP Onboarding using WebUI troubleshoot your Day-0 device
onboarding using WebUI through
PnP onboarding. If the automated
PnP onboarding fails, you can
manually onboard your device.
A device can be automatically onboarded to Cisco vManage through either Zero Touch Provisioning (ZTP)
or the Plug and Play (PnP) process. This section describes the procedure to monitor and troubleshoot device
onboarding through the PnP method. This feature on WebUI enables you to monitor and troubleshoot the PnP
onboarding process, and also see its real-time status. If this onboarding is stuck or fails, you can terminate
the process and onboard your device manually.
Prerequisites
• Your device (a computer that can run a web browser) running the WebUI and the device you are
onboarding must be connected through an L2 switch port (NIM) on the device.
• The DHCP client-identifier on your device must be set to string “webui”.
• Your device must support Cisco SD-WAN Day-0 device onboarding on WebUI.
Troubleshoot Device PnP Onboarding

To troubleshoot device onboarding through PnP in controller mode:
1. Enter the controller mode in WebUI:
• Switching from autonomous mode to controller mode:
Usually, when you boot your device for the first time it is in autonomous mode. Go to the URL
https://192.168.1.1/webui/ and log in using the default credentials— webui/cisco. If your device
supports Cisco SD-WAN Day-0 device onboarding on WebUI, you can switch to the controller
mode by selecting Controller Mode. A dialogue box appears, asking if you want to continue.
Click Yes. Your device reloads to switch to controller mode.
• Booting your device in controller mode:
If your device is already in the controller mode, you do not have to make any changes to the mode.
Go to the URL https://192.168.1.1 or https://192.168.1.1/webui. If your device supports Cisco
84
SD-WAN Day-0 device onboarding on WebUI, the URL is redirected to

https://192.168.1.1/ciscosdwan/ and you can log in using the default credentials for Cisco IOS XE
SD-WAN devices - admin/admin.
Note If the device does not have start-up configuration at the time of PnP onboarding, the WebUI is
enabled by default on supported devices.
2. On the Welcome to Cisco SDWAN Onboarding Wizard page, click Reset Default Password.
Note The default password of your Day-0 device is weak. Therefore, for a secure log in, you must reset
the password when you first log in to the device on WebUI. The WebUI configuration is
automatically deleted after the device is onboarded successfully. In rare cases where the template
configuration for your device on Cisco vManage has the WebUI configuration, it is not deleted
even after a successful device onboarding.
3. You are redirected to the Device hardware and software details page. Enter your password and click
Submit.
4. The next page displays the onboarding progress and lists statuses of different components of the PnP
Connect Portal and Cisco SD-WAN controllers. If the PnP IPv4 component fails, it indicates that the
device PnP onboarding has failed.
To view and download logs for the onboarding process, click the information icon on the right hand
side of the SDWAN Onboarding Progress bar.
5. If the automated PnP onboarding fails, click Terminate Automated Onboarding. This allows you to
onboard your device manually.
6. A dialogue box appears. To continue with the termination, click Yes. It might take a few minutes for
the termination to complete.
7. On the Bootstrap Configuration page click Select File and choose the bootstrap file for your device.
This file can be either a generic bootstrap file (common platform-specific file) or a full configuration
bootstrap file that you can download from Cisco vManage. This file must contain details such as the
vBond number, UUID, WAN interface, root CA and configuration.
8. Click Upload.
9. After your file is successfully uploaded, click Submit.
10. You can see the SDWAN Onboarding Progress page again with statuses of the Cisco SD-WAN
controllers. To open the Controller Connection History table click the information icon on the right
hand side of the SDWAN Control Connections bar. In this table you can see the state of your onboarded
device. After the onboarding is complete, the state of your device changes to connect.
85
86
CHAPTER 7
Console Port, Telnet, and SSH Handling
This chapter includes the following sections:
• Notes and Restrictions for Console Port, Telnet, and SSH, on page 87
• Console Port Overview, on page 87
• Console Port Handling Overview, on page 88
• Telnet and SSH Overview, on page 88
• Configuring a Console Port Transport Map, on page 88
• Configuring Persistent SSH, on page 90
• Viewing Console Port, SSH, and Telnet Handling Configurations, on page 93
Notes and Restrictions for Console Port, Telnet, and SSH

• Telnet and Secure Shell (SSH) settings configured in the transport map override any other Telnet or SSH
settings when the transport map is applied to the Ethernet management interface.
• Only local usernames and passwords can be used to authenticate users entering a Ethernet management
interface. AAA authentication is not available for users accessing the device through a Ethernet
management interface using persistent Telnet or persistent SSH.
• Applying a transport map to a Ethernet management interface with active Telnet or SSH sessions can
disconnect the active sessions. Removing a transport map from an interface, however, does not disconnect
any active Telnet or SSH session.
• Configuring the diagnostic and wait banners is optional, but recommended. The banners are especially
useful as indicators to users about the status of their Telnet or SSH attempts.
Console Port Overview

The console port on the device is an EIA/TIA-232 asynchronous, serial connection with no flow control and
an RJ-45 connector. The console port is used to access the device and is located on the front panel of the
Route Processor.
For information on accessing the device using the console port, see Using Cisco IOS XE Software, on page
25.
87
Console Port Handling Overview
Console Port Handling Overview

If you are using the console port to access the router, you are automatically directed to the Cisco IOS
command-line interface (CLI).
If you are trying to access the router through the console port and send a break signal (by entering Ctrl-C or
Ctrl-Shift-6, or by entering the send break command at the Telnet prompt) before connecting to the CLI,
you are directed to a diagnostic mode if the non-RPIOS subpackages are accessible. These settings can be
changed by configuring a transport map for the console port and applying that transport map to the console
interface.
Telnet and SSH Overview

Telnet and SSH on the device can be configured and handled like Telnet and SSH on other Cisco platforms.
For information on traditional Telnet, see the line command in the Cisco IOS Terminal Services Command
Reference, Release 12.2 document. For more information on AAA authentiction methods, see the line command
in the Authentication Commands chapter.
For information on configuring traditional SSH, see the “Configuring Secure Shell” chapter in the Cisco IOS
Terminal Services Command Reference, Release 12.2 document.
On the device, persistent Telnet and persistent SSH allow network administrators to more clearly define the
treatment of incoming traffic when users access the device through the management ethernet port using Telnet
or SSH. Notably, persistent Telnet and persistent SSH provide more robust network access by allowing the
device to be configured to be accessible through the Ethernet management port using Telnet or SSH even
when the Cisco IOS process has failed.
Configuring a Console Port Transport Map

This task describes how to configure a transport map for a console port interface on the device.
SUMMARY STEPS
1. enable
3. transport-map type console transport-map-name
4. connection wait [allow [interruptible] | none [disconnect]]
5. (Optional) banner [diagnostic | wait] banner-message
6. exit
7. transport type console console-line-number input transport-map-name
DETAILED STEPS

Step 1 enable Enables privileged EXEC mode.
Example: Enter your password if prompted.
88
Configuring a Console Port Transport Map
Router> enable

Example:
Step 3 transport-map type console transport-map-name Creates and names a transport map for handling console
connections, and enters transport map configuration mode.
Example:
Router(config)# transport-map type console

consolehandler
Step 4 connection wait [allow [interruptible] | none Specifies how a console connection will be handled using
[disconnect]] this transport map.
Example: • allow interruptible—The console connection waits
for a Cisco IOS VTY line to become available, and
Router(config-tmap)# connection wait none also allows users to enter diagnostic mode by
interrupting a console connection that is waiting for a
Cisco IOS VTY line to become available. This is the
default setting.
Note Users can interrupt a waiting connection by
entering Ctrl-C or Ctrl-Shift-6.
• none—The console connection immediately enters
diagnostic mode.
Step 5 (Optional) banner [diagnostic | wait] banner-message (Optional) Creates a banner message that will be seen by
users entering diagnostic mode or waiting for the Cisco IOS
Example:
VTY line because of the console transport map
configuration.
Router(config-tmap)# banner diagnostic X
Enter TEXT message. End with the character 'X'. • diagnostic—Creates a banner message seen by users
--Welcome to Diagnostic Mode--
directed to diagnostic mode because of the console
X
Router(config-tmap)# transport map configuration.
Note Users can interrupt a waiting connection by
entering Ctrl-C or Ctrl-Shift-6.
• wait—Creates a banner message seen by users waiting
for Cisco IOS VTY to become available.
• banner-message—Banner message, which begins and
ends with the same delimiting character.
Step 6 exit Exits transport map configuration mode to re-enter global

configuration mode.
Example:
Router(config-tmap)# exit
89
Configuring Persistent SSH

Step 7 transport type console console-line-number input Applies the settings defined in the transport map to the
transport-map-name console interface.
Example: The transport-map-name for this command must match the
transport-map-name defined in the transport-map type
Router(config)# transport type console 0 input console command.
consolehandler
Examples
The following example shows how to create a transport map to set console port access policies and
attach to console port 0:
Router(config)# transport-map type console consolehandler
Router(config-tmap)# connection wait allow interruptible
Enter TEXT message. End with the character 'X'.
--Welcome to diagnostic mode--
X
Router(config-tmap)# banner wait X
Waiting for IOS vty line
X
Router(config)# transport type console 0 input consolehandler

This task describes how to configure persistent SSH on the device.
SUMMARY STEPS
1. enable
3. transport-map type persistent ssh transport-map-name
4. connection wait [allow [interruptible] | none [disconnect]]
5. rsa keypair-name rsa-keypair-name
6. (Optional) authentication-retries number-of-retries
7. (Optional) banner [diagnostic | wait] banner-message
8. (Optional) time-out timeout-interval
9. transport interface gigabitethernet 0
10. exit
11. transport type persistent ssh input transport-map-name
DETAILED STEPS

90

Router> enable

Example:
Step 3 transport-map type persistent ssh Creates and names a transport map for handling persistent
transport-map-name SSH connections, and enters transport map configuration
mode.
Example:
Router(config)# transport-map type persistent

telnet telnethandler
Step 4 connection wait [allow [interruptible] | none Specifies how a persistent SSH connection will be handled
[disconnect]] using this transport map:
Example: • allow—The SSH connection waits for a Cisco IOS
VTY line to become available, and exits the device
Router(config-tmap)# connection wait interruptible if interrupted.
• allow interruptible—The SSH connection waits for
the VTY line to become available, and also allows a
user to enter diagnostic mode by interrupting an SSH
connection waiting for the VTY line to become
available. This is the default setting.
Note Users can interrupt a waiting connection
by entering Ctrl-C or Ctrl-Shift-6.
• none—The SSH connection immediately enters
diagnostic mode.
• none disconnect—The SSH connection does not wait
for the VTY line and does not enter diagnostic mode.
Therefore, all SSH connections are rejected if no VTY
line is immediately available.
Step 5 rsa keypair-name rsa-keypair-name Names the RSA keypair to be used for persistent SSH
connections.
Example:
For persistent SSH connections, the RSA keypair name
Router(config)# rsa keypair-name sshkeys must be defined using this command in transport map
configuration mode. The RSA keypair definitions defined
elsewhere on the device, such as through the use of the ip
ssh rsa keypair-name command, do not apply to persistent
SSH connections.
No rsa-keypair-name is defined by default.
91

Step 6 (Optional) authentication-retries number-of-retries (Optional) Specifies the number of authentication retries
before dropping the connection.
Example:
The default number-of-retries is 3.
Router(config-tmap)# authentication-retries 4
Step 7 (Optional) banner [diagnostic | wait] (Optional) Creates a banner message that will be seen by
banner-message users entering diagnostic mode or waiting for the VTY
line because of the persistent SSH configuration.
Example:
• diagnostic—Creates a banner message seen by users
Router(config-tmap)# banner diagnostic X directed to diagnostic mode because of the persistent
Enter TEXT message. End with the character 'X'. SSH configuration.
--Welcome to Diagnostic Mode--
X • wait—Creates a banner message seen by users
Router(config-tmap)#
waiting for the VTY line to become available.
• banner-message—The banner message, which begins
and ends with the same delimiting character.
Step 8 (Optional) time-out timeout-interval (Optional) Specifies the SSH time-out interval, in seconds.
Example: The default timeout-interval is 120 seconds.
Router(config-tmap)# time-out 30
Step 9 transport interface gigabitethernet 0 Applies the transport map settings to the Ethernet
management interface (interface gigabitethernet 0).
Example:
Persistent SSH can be applied only to the Ethernet
Router(config-tmap)# transport interface management interface on the router.
gigabitethernet 0/0/0
Step 10 exit Exits transport map configuration mode to re-enter global

configuration mode.
Example:
Step 11 transport type persistent ssh input Applies the settings defined in the transport map to the
transport-map-name Ethernet management interface.
Example: The transport-map-name for this command must match
the transport-map-name defined in the transport-map
Router(config)# transport type persistent ssh type persistent ssh command.
input sshhandler
Examples
The following example shows a transport map that will make all SSH connections wait for the VTY
line to become active before connecting to the router being configured and applied to the Ethernet
management interface (interface gigabitethernet 0/0/0). The RSA keypair is named sshkeys.
This example only uses the commands required to configure persistent SSH.
92
Viewing Console Port, SSH, and Telnet Handling Configurations
Router(config)# transport-map type persistent ssh sshhandler

Router(config-tmap)# connection wait allow
Router(config-tmap)# rsa keypair-name sshkeys
Router(config-tmap)# transport interface gigabitethernet 0/0/0
X
--Waiting for IOS IOS Process--
X
Router(config)# transport type persistent telnet input telnethandler
In the following example, a transport map is configured and will apply the following settings to users
attempting to access the Ethernet management port via SSH:
• SSH users will wait for the VTY line to become active, but will enter diagnostic mode if the
attempt to access the Cisco IOS software through the VTY line is interrupted.
• The RSA keypair name is sshkeys.
• The connection allows one authentication retry.
• The banner --Welcome to Diagnostic Mode-- will appear if diagnostic mode is entered as
a result of SSH handling through this transport map.
• The banner --Waiting for vty line-- will appear if the connection is waiting for the VTY
line to become active.
• The transport map is then applied to the interface when the transport type persistent ssh input
command is entered to enable persistent SSH:

Router(config-tmap)# authentication-retries 1
X
--Waiting for vty line--
X
Router(config-tmap)# time-out 30
Router(config)# transport type persistent ssh input sshhandler

Use the following commands to view console port, SSH, and Telnet handling configurations:
• show transport-map
• show platform software configuration access policy
93
Use the show transport-map command to view transport map configurations.

show transport-map [all | name transport-map-name | type [console | persistent [ssh | telnet]]]
This command can be used either in user EXEC mode or privileged EXEC mode.
Example
The following example shows transport maps that are configured on the device: a console port
(consolehandler), persistent SSH (sshhandler), and persistent Telnet transport (telnethandler):
Router# show transport-map all
Transport Map:
Name: consolehandler
Type: Console Transport
Connection:
Wait option: Wait Allow Interruptable
Wait banner:
Waiting for the IOS CLI
bshell banner:
Welcome to Diagnostic Mode
Transport Map:
Name: sshhandler
Type: Persistent SSH Transport
Interface:
GigabitEthernet0/0/0
Connection:
Wait banner:
Waiting for IOS prompt
Bshell banner:
Router# show transport-map type console

Transport Map:
Connection:
Wait banner:
Bshell banner:
Router# show transport-map type persistent ssh

Transport Map:
94
Name: sshhandler
Type: Persistent SSH Transport
Interface:
GigabitEthernet0
Connection:
Wait banner:
Waiting for IOS prompt
Bshell banner:
SSH:
Timeout: 120
Authentication retries: 5
RSA keypair: sshkeys
Router# show transport-map name consolehandler

Transport Map:
Connection:
Wait banner:
Bshell banner:
Use the show platform software configuration access policy command to view the current configurations
for handling the incoming console port, SSH, and Telnet connections. The output of this command provides
the current wait policy for each type of connection (Telnet, SSH, and console), as well as information on the
currently configured banners.
Unlike the show transport-map command, the show platform software configuration access policy
command is available in diagnostic mode so that it can be entered in scenarios where you need transport map
configuration information, but cannot access the Cisco IOS CLI.
Example
Router# show platform software configuration access policy
The current access-policies
Method : telnet
Rule : wait
Shell banner:
Wait banner :
Method : ssh
95
Rule : wait
Shell banner:
Wait banner :
Method : console
Rule : wait with interrupt
Shell banner:
Wait banner :
Example
The following example shows the show platform software configuration access policy command
being issued both before and after a new transport map for SSH are configured. During the
configuration, the connection policy and banners are set for a persistent SSH transport map, and the
transport map for SSH is enabled.
Method : telnet
Shell banner:
Wait banner :
Waiting for IOS Process
Method : ssh
Rule : wait
Shell banner:
Wait banner :
Method : console
Shell banner:
Wait banner :

Welcome to Diag Mode
X
Waiting for IOS
X
Router(config-tmap)# transport interface gigabitethernet 1
Router(config)# transport type persistent ssh input sshhandler
Router(config)# exit

Method : telnet
96
Shell banner:
Wait banner :
Waiting for IOS process
Method : ssh
Shell banner:
Welcome to Diag Mode
Wait banner :
Waiting for IOS
Method : console
Shell banner:
Wait banner :
97
98
CHAPTER 8
Installing the Software
• Overview, on page 99
• ROMMON Images, on page 100
• Provisioning Files, on page 100
• File Systems, on page 100
• Autogenerated File Directories and Files, on page 101
• Flash Storage, on page 102
• Configuring the Configuration Register for Autoboot, on page 102
• How to Install and Upgrade the Software, on page 103
• Installing the Software Using install Commands, on page 108
• Managing and Configuring a Device to Run Using Individual Packages, on page 131
• Upgrading the Firmware on NIMs, on page 138
• Installing a Firmware Subpackage, on page 147
• Configuring No Service Password-Recovery, on page 153
Overview
Installing software on the router involves installing a consolidated package (bootable image). This consists
of a bundle of subpackages (modular software units), with each subpackage controlling a different set of
functions.
These are the two main methods to install the software:
• Managing and Configuring a Device to Run Using a Consolidated Package, on page 103—This method
allows for individual upgrade of subpackages and generally has reduced boot times compared to the
method below. Use this method if you want to individually upgrade a module's software.
• Managing and Configuring a Device to Run Using Individual Packages, on page 131—This a simple
method that is similar to a typical Cisco router image installation and management that is supported
across Cisco routers.
It is better to upgrade software in a planned period of maintenance when an interruption in service is acceptable.
The router needs to be rebooted for a software upgrade to take effect.
99
ROMMON Images
ROMMON Images
A ROMMON image is a software package used by ROM Monitor (ROMMON) software on a router. The
software package is separate from the consolidated package normally used to boot the router. For more
information on ROMMON, see Hardware Installation Guide for the Cisco Catalyst 8000 Series Edge Platforms..
An independent ROMMON image (software package) may occasionally be released and the router can be
upgraded with the new ROMMON software. For detailed instructions, see the documentation that accompanies
the ROMMON image.
Note A new version of the ROMMON image is not necessarily released at the same time as a consolidated package
for a router.
Provisioning Files
This section provides background information about the files and processes used in Managing and Configuring
a Device to Run Using Individual Packages, on page 131.
The consolidated package on a device consists of a collection of subpackages and a provisioning file titled
packages.conf. To run the software, the usual method used is to boot the consolidated package, which is
copied into memory, expanded, mounted, and run within memory. The provisioning file's name can be renamed
but subpackage file's names cannot be renamed. The provisioning file and subpackage files must be kept in
the same directory. The provisioning file does not work properly if any individual subpackage file is contained
within a different directory.
Note An exception to this is that if a new or upgraded module firmware package is subsequently installed, it need
not be in the same directory as the provisioning file.
Configuring a device to boot, using the provisioning file packages.conf, is beneficial because no changes have
to be made to the boot statement after the Cisco IOS XE software is upgraded.
File Systems
The following table provides a list of file systems that can be seen on the Cisco Catalyst 8000 Series Edge
Platform.
Table 9: Device File Systems
File System Description
bootflash: Boot flash memory file system.
flash: Alias to the boot flash memory file system above.
100
Autogenerated File Directories and Files
File System Description
harddisk: Hard disk file system (NVME-M2-600G or USB-M2-16G or USB-M2-32G with the
CLI command harddisk).
cns: Cisco Networking Services file directory.
nvram: Device NVRAM. You can copy the startup configuration to NVRAM or from
NVRAM.
obfl: File system for Onboard Failure Logging (OBFL) files.
system: System memory file system, which includes the running configuration.
tar: Archive file system.
tmpsys: Temporary system files file system.
usb0: USB 3.0 Type- The Universal Serial Bus (USB) flash drive file systems.
A
Note The USB flash drive file system is visible only if a USB drive is installed
usb1: USB 3.0 in usb0: or usb1: ports.
Type-B
Use the ? help option, or use the copy command in command reference guides, if you find a file system that
is not listed in the table above.
Autogenerated File Directories and Files

This section discusses the autogenerated files and directories that can be created, and how the files in these
directories can be managed.
Table 10: Autogenerated Files
File or Directory Description
crashinfo files Crashinfo files may appear in the bootflash: file system.
These files provide descriptive information of a crash and may be useful for
tuning or troubleshooting purposes. However, the files are not part of device
operations, and can be erased without impacting the functioning of the device.
core directory The storage area for .core files.

If this directory is erased, it will automatically regenerate itself at bootup.
The .core files in this directory can be erased without impacting any device
functionality, but the directory itself should not be erased.
lost+found directory This directory is created on bootup if a system check is performed. Its
appearance is completely normal and does not indicate any issues with the
device.
101
Flash Storage
File or Directory Description
tracelogs directory The storage area for trace files.

Trace files are useful for troubleshooting. If the Cisco IOS process fails, for
instance, users or troubleshooting personnel can access trace files using
diagnostic mode to gather information related to the Cisco IOS failure.
Trace files, however, are not a part of device operations, and can be erased
without impacting the device's performance.
Important Notes About Autogenerated Directories

Important information about autogenerated directories include:
• Autogenerated files on the bootflash: directory should not be deleted, renamed, moved, or altered in any
way unless directed by Cisco customer support.
Note Altering autogenerating files on the bootflash: may have unpredictable

consequences for system performance.
• Crashinfo, core, and trace files can be deleted.
Flash Storage
Subpackages are installed to local media storage, such as flash. For flash storage, use the dir bootflash:
command to list the file names.
Note Flash storage is required for successful operation of a device.
Configuring the Configuration Register for Autoboot

The configuration register can be used to change behavior. This includes controlling how the device boots.
Set the configuration register to 0x0 to boot into ROM, by using one of the following commands:
• In Cisco IOS configuration mode, use the config-reg 0x0 command.
• From the ROMMON prompt, use the confreg 0x0 command.
For more information about the configuration register, see Use of the Configuration Register on All Cisco
Routers.
Note Setting the configuration register to 0x2102 will set the device to autoboot the Cisco IOS XE software.
102
How to Install and Upgrade the Software
Note The console baud rate is set to 9600 after changing the confreg to 0x2102 or 0x0. If you cannot establish a
console session after setting confreg, or garbage output appears, change the setting on your terminal emulation
software to 9600.
How to Install and Upgrade the Software

To install or upgrade the software, use one of the following methods to use the software from a consolidated
package or an individual package. Also see the overview section.
• Managing and Configuring a Device to Run Using a Consolidated Package, on page 103
• Managing and Configuring a Device to Run Using Individual Packages, on page 131
Managing and Configuring a Device to Run Using a Consolidated Package
Note Do not use these procedures if you also need to install any optional subpackages or plan to upgrade individual
subpackages. See Managing and Configuring a Device to Run Using Individual Packages, on page 131.
• Managing and Configuring a Consolidated Package Using Copy and Boot Commands, on page 103
• Configuring a Device to Boot the Consolidated Package via TFTP Using the Boot Command: Example,
on page 105
Managing and Configuring a Consolidated Package Using Copy and Boot Commands
To upgrade a consolidated package, copy the consolidated package to the bootflash: directory on the router
using the copy command. After making this copy of the consolidated package, configure the router to boot
using the consolidated package file.
The following example shows the consolidated package file being copied to the bootflash: file system via
TFTP. The config register is then set to boot using boot system commands, and the boot system commands
instruct the router to boot using the consolidated package stored in the bootflash: file system. The new
configuration is then saved using the copy running-config startup-config command, and the system is then
reloaded to complete the process.
Router# dir bootflash:
Directory of bootflash:/
81921 drwx 237568 Jul 8 2020 11:17:27 -07:00 tracelogs

98305 drwx 4096 Jun 24 2020 17:26:48 -07:00 license_evlog
237569 drwx 4096 Jun 24 2020 17:26:48 -07:00 core
131073 drwx 4096 Jun 24 2020 17:26:45 -07:00 onep
16 -rw- 30 Jun 24 2020 17:26:38 -07:00 throughput_monitor_params
13 -rw- 134458 Jun 24 2020 17:26:37 -07:00 memleak.tcl
401409 drwx 4096 Jun 24 2020 17:26:23 -07:00 .dbpersist
15 -rwx 1314 Jun 24 2020 17:26:21 -07:00 trustidrootx3_ca.ca
14 -rw- 20109 Jun 24 2020 17:26:21 -07:00 ios_core.p7b
73729 drwx 4096 Jun 24 2020 17:26:19 -07:00 gs_script
103
Managing and Configuring a Consolidated Package Using Copy and Boot Commands
12 -rw- 182 Jun 24 2020 17:26:19 -07:00 mode_event_log

221185 drwx 4096 Jun 24 2020 17:26:13 -07:00 .prst_sync
212993 drwx 4096 Jun 24 2020 17:25:59 -07:00 .ssh
368641 drwx 4096 Jun 24 2020 17:25:55 -07:00 .rollback_timer
376833 drwx 4096 Jun 24 2020 17:25:55 -07:00 .installer
458753 drwx 4096 Jun 24 2020 17:25:47 -07:00 sysboot
11 -rw- 696368193 Jun 24 2020 17:15:13 -07:00
Router# copy tftp: bootflash:Address or name of remote host []? 203.0.113.2

Source filename []? /auto/tftp-ngio/test/c8000be-universalk9.17.03.01prd14.SPA.bin
Destination filename [c8000be-universalk9.17.03.01prd14.SPA.bin]?
Accessing tftp://203.0.113.2//auto/tftp-ngio/test/c8000be-universalk9.17.03.01prd14.SPA.bin...
%Error opening
tftp://203.0.113.2//auto/tftp-ngio/test/c8000be-universalk9.17.03.01prd14.SPA.bin (Timed
out)
C8300-Router#
C8300-Router#copy tftp bootflash
Address or name of remote host [203.0.113.2]? 203.0.113.2
Source filename [/auto/tftp-ngio/test/c8000be-universalk9.17.03.01prd14.SPA.bin]?
Destination filename [c8000be-universalk9.17.03.01prd14.SPA.bin]?
Accessing tftp://203.0.113.2//auto/tftp-ngio/test/c8000be-universalk9.17.03.01prd14.SPA.bin...
Loading /auto/tftp-ngio/test/c8000be-universalk9.17.03.01prd14.SPA.bin from 203.0.113.2
(via GigabitEthernet0/0/0):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!
[OK - 696368193 bytes]
696368193 bytes copied in 478.600 secs (1455011 bytes/sec)


11 -rw- 696368193 Jul 8 2020 11:34:28 -07:00
c8000be-universalk9.17.03.01prd14.SPA.bin
458753 drwx 4096 Jun 24 2020 17:25:47 -07:00 sysboot
7693897728 bytes total (5950341120 bytes free)

Router(config)# boot system flash bootflash:c8000be-universalk9.17.03.01prd14.SPA.bin
Router(config)# config-reg 0x2102
Router# show run | include boot
boot-start-marker
boot system flash bootflash:c8000be-universalk9.17.03.01prd14.SPA.bin
boot-end-marker
Router# copy run start
104
Configuring a Device to Boot the Consolidated Package via TFTP Using the Boot Command: Example
[OK]
Router# reload
Configuring a Device to Boot the Consolidated Package via TFTP Using the
Boot Command: Example
Router#configure terminal
Router(config)#boot system
tftp://10.81.116.4/auto/cebu-tftpboot/test/release/rommon/bin/test-17-3-2r
Router(config)#config-register 0x2102
Router(config)#exit
Router#
*Jul 7 01:43:52.098: %SYS-5-CONFIG_I: Configured from console by console
Router#show run | include boot
boot-start-marker
boot system tftp://10.81.116.4/auto/mcebu-tftpboot/test/release/rommon/bin/test-17-3-1r
boot-end-marker
license boot level network-essentials
Router#copy running-config startup-config
[OK]
Router#reload
*Jul 7 01:55:28.639: %SYS-5-RELOAD:

Reload requested by console. Reload Reason: Reload Command.Jul 7 01:55:36.715:
%PMAN-5-EXITACvp: Process manager is exiting: process exit with reload chassis code
Initializing Hardware ...
Checking for PCIe device presence...done

System integrity status: 0x610
Rom image verified correctly
System Bootstrap, Version 1RU-20191104, DEVELOPMENT SOFTWARE

Copyright (c) 1994-2019 by cisco Systems, Inc.
Current image running: Boot ROM1
Last reset cause: LocalSoft

C8300-1N1S-6T platform with 8388608 Kbytes of main memory
........
Located c8000be-universalk9.17.03.01prd14.SPA.bin
#############################################################################################################################################################################################
#############################################################################################################################################################################################
#############################################################################################################################################################################################
#############################################################################################################################################################################################
#############################################################################################################################################################################################
#############################################################################################################################################################################################
Package header rev 3 structure detected

IsoSize = 655712256
105
Calculating SHA-1 hash...Validate package: SHA-1 hash:

calculated DF67D179:DAB875C9:D61FB9E7:2E25B30B:48E86BFC
expected DF67D179:DAB875C9:D61FB9E7:2E25B30B:48E86BFC
RSA Signed RELEASE Image Signature Verification Successful.
Image validated

Image validated
Jul 7 01:58:19.327: %BOOT-5-OPMODE_LOG: R0/0: binos: System booted in AUTONOMOUS mode
Restricted Rights Legend
Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.

San Jose, California 95134-1706
Cisco IOS Software [Amsterdam], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version

17.3.1prd8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Tue 19-May-20 12:00 by mcpre
This software version supports only Smart Licensing as the software licensing mechanism.
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR

LICENSE KEY PROVIDED FOR ANY CISCO SOFTWARE PRODUCT, PRODUCT FEATURE,
AND/OR SUBSEQUENTLY PROVIDED SOFTWARE FEATURES (COLLECTIVELY, THE
"SOFTWARE"), AND/OR USING SUCH SOFTWARE CONSTITUTES YOUR FULL
ACCEPTANCE OF THE FOLLOWING TERMS. YOU MUST NOT PROCEED FURTHER IF YOU
ARE NOT WILLING TO BE BOUND BY ALL THE TERMS SET FORTH HEREIN.
Your use of the Software is subject to the Cisco End User License Agreement
(EULA) and any relevant supplemental terms (SEULA) found at
http://www.cisco.com/c/en/us/about/legal/cloud-and-software/software-terms.html.
You hereby acknowledge and agree that certain Software and/or features are
licensed for a particular term, that the license to such Software and/or
features is valid only for the applicable term and that such Software and/or
features may be shut down or otherwise terminated by Cisco after expiration
of the applicable license term (e.g., 90-day trial period). Cisco reserves
the right to terminate any such Software feature electronically or by any
other means available. While Cisco may provide alerts, it is your sole
responsibility to monitor your usage of any such term Software feature to
ensure that your systems and networks are prepared for a shutdown of the
Software feature.
All TCP AO KDF Tests Pass

cisco C8300-1N1S-6T (1RU) processor with 3763047K/6147K bytes of memory.
Processor board ID FDO2320A0CF
Router operating mode: Autonomous
6 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
106
8388608K bytes of physical memory.

7090175K bytes of flash memory at bootflash:.
28884992K bytes of M.2 USB at harddisk:.
Dspfarm profile 7 :: No resource, check voice card or dspfarm service is not configured
Press RETURN to get started!
Router>show version
Cisco IOS XE Software, Version 17.03.01prd8
Cisco IOS-XE software, Copyright (c) 2005-2020 by cisco Systems, Inc.

All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.
ROM: (c)
This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to

[email protected].
-----------------------------------------------------------------
Technology Type Technology-package Technology-package
Current Next Reboot
-----------------------------------------------------------------
Smart License Perpetual network-essentials network-essentials
Smart License Subscription None None
The current crypto throughput level is 1000000 kbps

107
Installing the Software Using install Commands

Configuration register is 0x2102
Installing the Software Using install Commands

From Cisco IOS XE Cupertino 17.7.1a, Cisco Catalyst 8000 Edge platforms are shipped in install mode by
default. Users can boot the platform, and upgrade or downgrade to Cisco IOS XE software versions using a
set of install commands.
Restrictions for Installing the Software Using install Commands

• ISSU is not covered in this feature.
• Install mode requires a reboot of the system.
Information About Installing the Software Using install Commands

From Cisco IOS XE Cupertino 17.7.1a release, for routers shipped in install mode, a set of install commands
can be used for starting, upgrading and downgrading of platforms in install mode. This update is applicable
to the Cisco Catalyst 8000 Edge platforms.
The following table describes the differences between Bundle mode and Install mode:
Table 11: Bundle Mode vs Install Mode
Bundle Mode Install Mode
This mode provides a consolidated boot process, using This mode uses the local (bootflash) packages.conf
local (hard disk, flash) or remote (TFTP) .bin image. file for the boot process.
This mode uses a single .bin file. .bin file is replaced with expanded .pkg files in this
mode.
CLI: CLI:
#boot system file <filename> #install add file bootflash: [activate commit]
To upgrade in this mode, point the boot system to the To upgrade in this mode, use the install commands.
new image.
Image Auto-Upgrade: When a new Field-Replaceable Image Auto-Upgrade: When a new FRU is inserted
Unit (FRU) is inserted in a modular chassis, manual in a modular chassis, the joining FRU is
intervention is required to get the new FRU running auto-upgraded to the image version in sync with the
with the same version as the active FRUs. active FRUs.
Rollback: Rollback to the previous image with Rollback: Enables rollback to an earlier version of
multiple Software Maintenance Updates (SMUs) may Cisco IOS XE software, including multiple patches
require multiple reloads. in single reload.
108
Install Mode Process Flow

The install mode process flow comprises three commands to perform installation and upgrade of software on
platforms–install add, install activate, and install commit.
The following flow chart explains the install process with install commands:
The install add command copies the software package from a local or remote location to the platform. The
location can be FTP, HTTP, HTTPs, or TFTP. The command extracts individual components of the .package
file into subpackages and packages.conf files. It also validates the file to ensure that the image file is specific
to the platform on which it is being installed.
The install activate command performs the required validations and provisions the packages previously added
using the install add command. It also triggers a system reload.
The install commit command confirms the packages previously activated using the install activate command,
and makes the updates persistent over reloads.
Note Installing an update replaces any previously installed software image. At any time, only one image can be
installed in a device.
The following set of install commands is available:
109
Table 12: List of install Commands
Command Syntax Purpose
install add install add file Copies the contents of the image,
location:filename.bin package, and SMUs to the software
repository. File location may be
local or remote. This command
does the following:
• Validates the file–checksum,
platform compatibility checks,
and so on.
• Extracts individual
components of the package
into subpackages and
packages.conf
• Copies the image into the local
inventory and makes it
available for the next steps.
install activate install activate Activates the package added using

the install add command.
• Use the show install
summary command to see
which image is inactive. This
image will get activated.
• System reloads on executing
this command. Confirm if you
want to proceed with the
activation. Use this command
with the prompt-level none
keyword to automatically
ignore any confirmation
prompts.
110
(install activate) auto abort-timer install activate auto-abort timer The auto-abort timer starts
<30-1200> automatically, with a default value
of 120 minutes. If the install
commit command is not executed
within the time provided, the
activation process is terminated,
and the system returns to the
last-committed state.
• You can change the time value
while executing the install
activate command.
• The install commit command
stops the timer, and continues
the installation process.
• The install activate
auto-abort timer stop
command stops the timer
without committing the
package.
• Use this command with the
prompt-level none keyword
to automatically ignore any
confirmation prompts.
• This command is valid only in
the three-step install variant.
install commit install commit Commits the package activated

using the install activate
command, and makes it persistent
over reloads.
• Use the show install
summary command to see
which image is uncommitted.
This image will get
committed.
111
install abort install abort Terminates the installation and

returns the system to the
last-committed state.
• This command is applicable
only when the package is in
activated status (uncommitted
state).
• If you have already committed
the image using the install
commit command, use the
install rollback to command
to return to the preferred
version.
install remove install remove {file <filename> | Deletes inactive packages from the
inactive} platform repository. Use this
command to free up space.
• file: Removes specified files.
• inactive: Removes all the
inactive files.
install rollback to install rollback to {base | label | Rolls back the software set to a
committed | id} saved installation point or to the
last-committed installation point.
The following are the
characteristics of this command:
• Requires reload.
• Is applicable only when the
package is in committed state.
Note If you are performing

install rollback to a
previous image, the
previous image must be
installed in install mode.
Only SMU rollback is
possible in bundle
mode.
112
install deactivate install deactivate file <filename> Removes a package from the
platform repository. This command
is supported only for SMUs.
The following show commands are also available:
Table 13: List of show Commands
show install log show install log Provides the history and details of
all install operations that have been
performed since the platform was
booted.
show install package show install package <filename> Provides details about the .pkg/.bin
file that is specified.
show install summary show install summary Provides an overview of the image
versions and their corresponding
install states for all the FRUs.
• The table that is displayed will
state for which FRUs this
information is applicable.
• If all the FRUs are in sync in
terms of the images present
and their state, only one table
is displayed.
• If, however, there is a
difference in the image or state
information among the FRUs,
each FRU that differs from the
rest of the stack is listed in a
separate table.
show install active show install active Provides information about the
active packages for all the FRUs.
If there is a difference in the
information among the FRUs, each
FRU that differs from the rest of
the stack is listed in a separate
table.
113
Booting the Platform in Install Mode
show install inactive show install inactive Provides information about the
inactive packages, if any, for all the
FRUs.
table.
show install committed show install committed Provides information about the
committed packages for all the
FRUs.
table.
show install uncommitted show install uncommitted Provides information about

uncommitted packages, if any, for
all the FRUs.
table.
show install rollback show install rollback {point-id | Displays the package associated
label} with a saved installation point.
show version show version [rp-slot] [installed Displays information about the
[user-interface] | provisioned | current package, along with
running] hardware and platform information.
From Cisco IOS XE 17.7.1a, these commands replace the old install workflow as the default mode on supported
platforms. The installation workflow for Cisco IOS XE 17.6.x release or earlier, described in section Overview,
on page 99, is supported for Cisco IOS XE 17.7.x, and is the default for Cisco Catalyst 8000 Edge platforms
with Cisco IOS XE 17.6.x or earlier.
Booting the Platform in Install Mode

You can install, activate, and commit a software package using a single command (one-step install) or multiple
separate commands (three-step install).
If the platform is working in bundle mode, the one-step install procedure must be used to initially convert the
platform from bundle mode to install mode. Subsequent installs and upgrades on the platform can be done
with either one-step or three-step variants.
114
One-Step Installation or Converting from Bundle Mode to Install Mode
One-Step Installation or Converting from Bundle Mode to Install Mode
Note • All the CLI actions (for example, add, activate, and so on) are executed on all the available FRUs.
• The configuration save prompt will appear if an unsaved configuration is detected.
• The reload prompt will appear after the second step in this workflow. Use the prompt-level none keyword
to automatically ignore the confirmation prompts.
• If the prompt-level is set to None, and there is an unsaved configuration, the install fails. You must save
the configuration before reissuing the command.
Use the one-step install procedure described below to convert a platform running in bundle boot mode to
install mode. After the command is executed, the platform reboots in install boot mode.
Later, the one-step install procedure can also be used to upgrade the platform.
This procedure uses the install add file activate commit command in privileged EXEC mode to install a
software package, and to upgrade the platform to a new version.
SUMMARY STEPS
1. enable
2. install add file location: filename [activate commit]
3. exit
DETAILED STEPS

Step 1 enable Enables privileged EXEC mode. Enter your password, if
prompted.
Example:
Device>enable
Step 2 install add file location: filename [activate commit] Copies the software install package from a local or remote
location (through FTP, HTTP, HTTPs, or TFTP) to the
Example:
platform and extracts the individual components of the
Device#install add file .package file into subpackages and packages.conf files. It
bootflash:c8000be-universalk9.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.bin
activate commit also performs a validation and compatibility check for the
platform and image versions, activates the package, and
commits the package to make it persistent across reloads.
The platform reloads after this command is run.
Step 3 exit Exits privileged EXEC mode and returns to user EXEC
mode.
Example:
Device#exit
115
Three-Step Installation
Three-Step Installation
Note • All the CLI actions (for example, add, activate, and so on) are executed on all the available FRUs.
• The configuration save prompt will appear if an unsaved configuration is detected.
• The reload prompt will appear after the install activate step in this workflow. Use the prompt-level none
keyword to automatically ignore the confirmation prompts.
The three-step installation procedure can be used only after the platform is in install mode. This option provides
more flexibility and control to the customer during installation.
This procedure uses individual install add, install activate, and install commit commands for installing a
software package, and to upgrade the platform to a new version.
SUMMARY STEPS
1. enable
2. install add file location: filename
3. show install summary
4. install activate [auto-abort-timer <time>]
5. install abort
6. install commit
7. install rollback to committed
8. install remove {file filesystem: filename | inactive}
9. show install summary
10. exit
DETAILED STEPS

Step 1 enable Enables privileged EXEC mode. Enter your password, if
prompted.
Example:
Device>enable
Step 2 install add file location: filename Copies the software install package from a remote location
(through FTP, HTTP, HTTPs, or TFTP) to the platform,
Example:
and extracts the individual components of the .package
Device#install add file file into subpackages and packages.conf files.
Step 3 show install summary (Optional) Provides an overview of the image versions
and their corresponding install state for all the FRUs.
Example:
Device#show install summary
116
Upgrading in Install Mode

Step 4 install activate [auto-abort-timer <time>] Activates the previously added package and reloads the
platform.
Example:
Device# install activate auto-abort-timer 120 • When doing a full software install, do not provide a
package filename.
• In the three-step variant, auto-abort-timer starts
automatically with the install activate command; the
default for the timer is 120 minutes. If the install
commit command is not run before the timer expires,
the install process is automatically terminated. The
platform reloads and boots up with the last committed
version.
Step 5 install abort (Optional) Terminates the software install activation and
returns the platform to the last committed version.
Example:
Device#install abort • Use this command only when the image is in activated
state, and not when the image is in committed state.
Step 6 install commit Commits the new package installation and makes the
changes persistent over reloads.
Example:
Device#install commit
Step 7 install rollback to committed (Optional) Rolls back the platform to the last committed
state.
Example:
Device#install rollback to committed
Step 8 install remove {file filesystem: filename | inactive} (Optional) Deletes software installation files.
Example: • file: Deletes a specific file
Device#install remove inactive
• inactive: Deletes all the unused and inactive
installation files.
Step 9 show install summary (Optional) Displays information about the current state of
the system. The output of this command varies according
Example:
to the install commands run prior to this command.
Device#show install summary
Step 10 exit Exits privileged EXEC mode and returns to user EXEC
mode.
Example:
Device#exit
Upgrading in Install Mode

Use either the one-step installation or the three-step installation to upgrade the platform in install mode.
117
Downgrading in Install Mode
Downgrading in Install Mode

Use the install rollback command to downgrade the platform to a previous version by pointing it to the
appropriate image, provided the image you are downgrading to was installed in install mode.
The install rollback command reloads the platform and boots it with the previous image.
Note The install rollback command succeeds only if you have not removed the previous file using the install
remove inactive command.
Alternatively, you can downgrade by installing the older image using the install commands.
Terminating a Software Installation

You can terminate the activation of a software package in the following ways:
• When the platform reloads after activating a new image, the auto-abort-timer is triggered (in the three-step
install variant). If the timer expires before issuing the install commit command, the installation process
is terminated, and the platform reloads and boots with the last committed version of the software image.
Alternatively, use the install auto-abort-timer stop command to stop this timer, without using the install
commit command. The new image remains uncommitted in this process.
• Using the install abort command returns the platform to the version that was running before installing
the new software. Use this command before issuing the install commit command.
Configuration Examples for Installing the Software Using install Commands

The following is an example of the one-step installation or converting from bundle mode to install
mode:
Router# install add file
activate commit
install_add_activate_commit: START Thu Oct 28 21:57:21 UTC 2021
System configuration has been modified.

Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q]y
[OK]Modified configuration has been saved
*Oct 28 21:57:39.818: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config

file
*Oct 28 21:57:39.925: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install
one-shot
bootflash:c8000be-universalk9.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.bininstall_add_activate_commit:
Adding PACKAGE
install_add_activate_commit: Checking whether new add is allowed ....
--- Starting Add ---

Performing Add on Active/Standby
118
[1] Add package(s) on R0

[1] Finished Add on R0
Checking status of Add on [R0]
Add: Passed on [R0]
Finished Add
Image added. Version: 17.07.01.0.1515

install_add_activate_commit: Activating PACKAGE
Following packages shall be activated:
/bootflash/c8000be-rpboot.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-mono-universalk9.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_sm_nim_adpt.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_sm_dsp_sp2700.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_sm_async.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_sm_1t3e3.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_sm_10g.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_prince.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_nim_xdsl.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_nim_ssd.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_nim_shdsl.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_nim_ge.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_nim_cwan.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_nim_bri_st_fw.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_nim_async.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_ngwic_t1e1.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_dsp_tilegx.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_dsp_sp2700.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_dsp_analogbri.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
/bootflash/c8000be-firmware_dreamliner.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
This operation may require a reload of the system. Do you want to proceed? [y/n]y
--- Starting Activate ---
Performing Activate on Active/Standby
*Oct 28 22:05:49.484: %INSTALL-5-INSTALL_AUTO_ABORT_TIMER_PROGRESS: R0/0: rollback_timer:

Install auto abort timer will expire in 7200 seconds [1] Activate package(s) on R0
[1] Finished Activate on R0
Checking status of Activate on [R0]
Activate: Passed on [R0]
Finished Activate
--- Starting Commit ---

Performing Commit on Active/Standby
[1] Commit package(s) on R0
[1] Finished Commit on R0
Checking status of Commit on [R0]
Commit: Passed on [R0]
Finished Commit
[OK]
*Oct 28 22:06:55.375: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config
fileSend model notification for install_add_activate_commit before reload
Install will reload the system now!
SUCCESS: install_add_activate_commit Thu Oct 28 22:07:22 UTC 2021
Router#
*Oct 28 22:07:22.661: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed
install one-shot PACKAGE
bootflash:c8000be-universalk9.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.binOct
28 22:07:26.864: %PMAN-5-EXITACTION: R0/0: pvp: Process manager is exiting: reload action
requested
119
The following is an example of the three-step installation:

Router# install add file
install_add: START Thu Oct 28 22:36:43 UTC 2021

add
bootflash:c8000be-universalk9.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.bininstall_add:
Adding PACKAGE
install_add: Checking whether new add is allowed ....

Add: Passed on [R0]
Finished Add
Image added. Version: 17.07.01.0.1601

SUCCESS: install_add Thu Oct 28 22:40:25 UTC 2021
Router#
install add PACKAGE
Router# show install log

[0|install_op_boot]: START Thu Oct 28 22:09:29 Universal 2021
[0|install_op_boot(INFO, )]: Mount IMG INI state base image
[0|install_op_boot]: END SUCCESS Thu Oct 28 22:09:30 Universal 2021
[0|install_op_boot(INFO, )]: cleanup_trap remote_invocation 0 operation install_op_boot
.. 0 .. 0
[1|display_install_log]: START Thu Oct 28 22:12:11 UTC 2021
[2|install_add]: START Thu Oct 28 22:36:43 UTC 2021
[2|install_add(INFO, )]: Set INSTALL_TYPE to PACKAGE
[2|install_add(CONSOLE, )]: Adding PACKAGE
[2|install_add(CONSOLE, )]: Checking whether new add is allowed ....
[2|install_add(INFO, )]: check_add_op_allowed: Install type PACKAGE
[remote|install_add]: START Thu Oct 28 22:37:12 UTC 2021
[remote|install_add]: END SUCCESS Thu Oct 28 22:40:10 UTC 2021
[remote|install_add(INFO, )]: cleanup_trap remote_invocation 1 operation install_add .. 0
.. 0
[2|install_add(INFO, )]: Remote output from R0
[2|install_add(INFO, )]: install_add: START Thu Oct 28 22:37:12 UTC 2021
Expanding image file:
Verifying parameters
Expanding superpackage
... parameters verified
Validating package type
... package type validated
Copying package files
c8000be-firmware_dreamliner.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
120
c8000be-firmware_dsp_analogbri.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_dsp_sp2700.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_dsp_tilegx.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_ngwic_t1e1.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_nim_async.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_nim_bri_st_fw.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_nim_cwan.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_nim_ge.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_nim_shdsl.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_nim_ssd.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_nim_xdsl.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_prince.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_sm_10g.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_sm_1t3e3.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_sm_async.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_sm_dsp_sp2700.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-firmware_sm_nim_adpt.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-mono-universalk9.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
c8000be-rpboot.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
WARNING: A different version of provisioning file packages.conf already exists in bootflash:
WARNING: The provisioning file from the expanded bundle will be saved as
WARNING: bootflash:c8000be-universalk9.BLD_V177_THROTTLE_LATEST_20211027_0.conf
... package files copied
SUCCESS: Finished expanding all-in-one software package.
Image file expanded
SUCCESS: install_add Thu Oct 28 22:40:10 UTC 2021
[2|install_add]: END SUCCESS Thu Oct 28 22:40:25 UTC 2021
[2|install_add(INFO, )]: cleanup_trap remote_invocation 0 operation install_add .. 0 .. 0
[3|COMP_CHECK]: START Thu Oct 28 22:40:26 UTC 2021
[3|COMP_CHECK]: END FAILED exit(1) Thu Oct 28 22:40:27 UTC 2021
[3|COMP_CHECK(INFO, )]: cleanup_trap remote_invocation 0 operation COMP_CHECK .. 1 .. 1
[4|install_activate]: START Thu Oct 28 22:42:53 UTC 2021
[4|install_activate(INFO, require user prompt)]: install_cli
[4|install_activate(CONSOLE, )]: Activating PACKAGE
[4|install_activate(INFO, )]: Acquiring transaction lock...
[4|install_activate(INFO, )]: global_trans_lock:
/bootflash/.installer/install_global_trans_lock
[4|install_activate(INFO, )]: tmp_global_trans_lock: /tmp/tmp_install_global_trans_lock
[4|install_activate(INFO, )]: tmp lock does not exist: /tmp/tmp_install_global_trans_lock
[4|install_activate(INFO, )]: tmp_global_trans_lock: /tmp/tmp_install_global_trans_lock
[4|install_activate(INFO, )]: local_trans_lock: /bootflash/.installer/install_local_trans_lock
[4|install_activate(INFO, )]: validate_lock: lock_duration is 7200
[4|install_activate(INFO, )]: install type stored in lock PACKAGE, install type PACKAGE,
install operation install_activate
[4|install_activate(INFO, )]: lock duration: 7200
[4|install_activate(INFO, )]: extend trans lock done.
[4|install_activate(INFO, require user prompt)]: install_cli
121
[4|install_activate( FATAL)]: Cannot proceed activate because of user input

[4|install_activate(INFO, )]: cleanup_trap remote_invocation 0 operation install_activate
.. 6 .. 0
[5|install_add]: START Thu Oct 28 22:45:48 UTC 2021
[5|install_add(INFO, )]: Set INSTALL_TYPE to PACKAGE
[5|install_add(CONSOLE, )]: Adding PACKAGE
[5|install_add(CONSOLE, )]: Checking whether new add is allowed ....
[5|install_add(INFO, )]: check_add_op_allowed: Install type PACKAGE
[5|install_add( FATAL)]: Super package already added. Add operation not allowed. install
remove inactive can be used to discard added packages
Router# install activate

install_activate: START Thu Oct 28 23:57:57 UTC 2021
install_activate: Activating PACKAGE

activateFollowing packages shall be activated:
/bootflash/c8000be-rpboot.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-mono-universalk9.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_sm_nim_adpt.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_sm_dsp_sp2700.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_sm_async.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_sm_1t3e3.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_sm_10g.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_prince.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_nim_xdsl.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_nim_ssd.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_nim_shdsl.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_nim_ge.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_nim_cwan.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_nim_bri_st_fw.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_nim_async.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_ngwic_t1e1.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_dsp_tilegx.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_dsp_sp2700.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_dsp_analogbri.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
/bootflash/c8000be-firmware_dreamliner.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
*Oct 29 00:04:19.400: %INSTALL-5-INSTALL_AUTO_ABORT_TIMER_PROGRESS: R0/0: rollback_timer:

Install auto abort timer will expire in 7200 seconds [1] Activate package(s) on R0
--- Starting list of software package changes ---
Old files list:
Modified
Modified
Modified
Modified
Modified
Modified
Modified
Modified
122
Modified
Modified
Modified
Modified
Modified
Modified
Modified
Modified
Modified
Modified
Modified
Modified c8000be-rpboot.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.pkg
New files list:
Added
Added
Added
Added
Added
Added
Added
Added
Added
Added
Added
Added
Added
Added
Added
Added
Added
Added
123
Added
Added c8000be-rpboot.BLD_V177_THROTTLE_LATEST_20211027_030841_V17_7_0_120.SSA.pkg
Finished list of software package changes
Finished Activate
Send model notification for install_activate before reload

SUCCESS: install_activate Fri Oct 29 00:05:09 UTC 2021
Router#
install activate PACKAGEOct 29 00:05:14.494: %PMAN-5-EXITACTION: R0/0: pvp: Process manager
is exiting: reload action requested

System Bootstrap, Version 17.3(4.1r), RELEASE SOFTWARE

Current image running : Boot ROM1

Last reset cause : LocalSoft
Router# install commit

install_commit: START Fri Oct 29 00:13:58 UTC 2021
install_commit: Committing PACKAGE


commit [1] Commit package(s) on R0
Finished Commit
SUCCESS: install_commit Fri Oct 29 00:14:03 UTC 2021
Router#
install commit PACKAGE
The following is an example of downgrading in install mode:

ROUTER# install activate file bootflash:c8000be-universalk9.17.06.01a.SPA.bin activate
commit
install_add_activate_commit: START Fri Dec 10 18:07:17 GMT 2021
124
*Dec 10 18:07:18.405 GMT: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started

install one-shot bootflash:c8000be-universalk9.17.06.01a.SPA.bininstall_add_activate_commit:
Adding PACKAGE
install_add_activate_commit: Checking whether new add is allowed ....

Add: Passed on [R0]
Finished Add
Image added. Version: 17.06.01a.0.298

install_add_activate_commit: Activating PACKAGE
Following packages shall be activated:
/bootflash/c8000be-rpboot.17.06.01a.SPA.pkg
/bootflash/c8000be-mono-universalk9.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_sm_nim_adpt.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_sm_dsp_sp2700.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_sm_async.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_sm_1t3e3.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_sm_10g.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_prince.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_nim_xdsl.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_nim_ssd.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_nim_shdsl.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_nim_ge.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_nim_cwan.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_nim_bri_st_fw.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_nim_async.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_ngwic_t1e1.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_dsp_tilegx.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_dsp_sp2700.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_dsp_analogbri.17.06.01a.SPA.pkg
/bootflash/c8000be-firmware_dreamliner.17.06.01a.SPA.pkg
[1] Activate package(s) on R0
Finished Activate

[1] Commit package(s) on R0

Finished Commit
[OK]
*Dec 10 18:14:57.782 GMT: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private
config fileSend model notification for install_add_activate_commit before reload
/usr/binos/conf/install_util.sh: line 164: /bootflash/.prst_sync/reload_info: No such file
or directory
/usr/binos/conf/install_util.sh: line 168: /bootflash/.prst_sync/reload_info: No such file
or directory
cat: /bootflash/.prst_sync/reload_info: No such file or directory
125

SUCCESS: install_add_activate_commit Fri Dec 10 18:15:23 GMT 2021
ROUTER#
*Dec 10 18:15:23.955 GMT: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_engine: Completed
install one-shot PACKAGE bootflash:c8000be-universalk9.17.06.01a.SPA.binDec 10 18:15:27.708:
%PMAN-5-EXITACTION: R0/0: pvp: Process manager is exiting: reload action requested

System Bootstrap, Version 17.3(5r), RELEASE SOFTWARE


ROUTER platform with 8388608 Kbytes of main memory
ROUTER#
ROUTER# show version
Cisco IOS XE Software, Version 17.06.01a
Cisco IOS Software [Bengaluru], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version
17.6.1a, RELEASE SOFTWARE (fc2)
Compiled Sat 21-Aug-21 03:27 by mcpre

software.
ROM: 17.3(5r)
ROUTER uptime is 0 minutes

Uptime for this control processor is 2 minutes
System returned to ROM by LocalSoft
System image file is "bootflash:packages.conf"
Last reload reason: LocalSoft

126

[email protected].
-----------------------------------------------------------------
Current Next Reboot
-----------------------------------------------------------------
Smart License Perpetual None None
Smart Licensing Status: Registration Not Applicable/Not Applicable
cisco ROUTER (1RU) processor with 3747220K/6147K bytes of memory.

Processor board ID FDO2521M27S
2 2.5 Gigabit Ethernet interfaces
2 Cellular interfaces
1875361792K bytes of NVMe SSD at harddisk:.
16789568K bytes of USB flash at usb0:.
The following is an example of terminating a software installation:

Router# install abort
install_abort: START Fri Oct 29 02:42:51 UTC 2021
This install abort would require a reload. Do you want to proceed? [y/n]
*Oct 29 02:42:52.789:
%INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install aborty
--- Starting Abort ---
Performing Abort on Active/Standby
[1] Abort package(s) on R0

[1] Finished Abort on R0
Checking status of Abort on [R0]
Abort: Passed on [R0]
Finished Abort
Send model notification for install_abort before reload

SUCCESS: install_abort Fri Oct 29 02:44:47 UTC 2021
Router#
install abort PACKAGEOct 29 02:44:51.577: %PMAN-5-EXITACTION: R0/0: pvp: Process manager
is exiting: reload action requested
127
System Bootstrap, Version 17.3(4.1r), RELEASE SOFTWARE

Current image running : Boot ROM1

Last reset cause : LocalSoft
The following are sample outputs for show commands:

show install log
Device# show install log
[0|install_op_boot]: START Thu Oct 28 22:09:29 Universal 2021
[0|install_op_boot(INFO, )]: Mount IMG INI state base image
[0|install_op_boot]: END SUCCESS Thu Oct 28 22:09:30 Universal 2021
show install summary

Device# show install summary
[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------
IMG C 17.07.01.0.1515
--------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------
show install package filesystem: filename

Device# show install package
Package: c8000be-universalk9.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.bin
Size: 831447859
Timestamp: 2021-10-23 17:08:14 UTC
Canonical path:
/bootflash/c8000be-universalk9.BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117.SSA.bin
Raw disk-file SHA1sum:

5c4e7617a6c71ffbcc73dcd034ab58bf76605e3f
Header size: 1192 bytes
Package type: 30000
Package flags: 0
Header version: 3
Internal package information:

Name: rp_super
BuildTime: 2021-10-21_13.00
ReleaseDate: 2021-10-21_03.11
BootArchitecture: i686
RouteProcessor: radium
128
Platform: C8000BE
User: mcpre
PackageName: universalk9
Build: BLD_V177_THROTTLE_LATEST_20211021_031123_V17_7_0_117
CardTypes:
Package is bootable from media and tftp.

Package contents:
Package:
Size: 2966620
Timestamp: 2021-10-21 20:10:44 UTC

501d59d5f152ca00084a0da8217bf6f6b95dddb1
Package type: 40000
Package flags: 0
Header version: 3

Name: firmware_nim_ge
BuildTime: 2021-10-21_13.00
ReleaseDate: 2021-10-21_03.11
BootArchitecture: none
Platform: C8000BE
User: mcpre
PackageName: firmware_nim_ge
CardTypes:
Package is not bootable.

Package:
Size: 10204252
Timestamp: 2021-10-21 20:10:43 UTC

a57bed4ddecfd08af3b456f69d11aaeb962865ea
Package type: 40000
Package flags: 0
Header version: 3

Name: firmware_prince
BuildTime: 2021-10-21_13.00
ReleaseDate: 2021-10-21_03.11
BootArchitecture: none
Platform: C8000BE
User: mcpre
PackageName: firmware_prince
CardTypes:
Package is not bootable.
show install active

Device# show install active
[ R0 ] Active Package(s) Information:
129
Troubleshooting Software Installation Using install Commands

--------------------------------------------------------------------
--------------------------------------------------------------------
IMG C 17.07.01.0.1515
--------------------------------------------------------------------
--------------------------------------------------------------------
show install inactive

Device# show install inactive
[ R0 ] Inactive Package(s) Information:
--------------------------------------------------------------------
--------------------------------------------------------------------
No Inactive Packages
show install committed

Device# show install committed
[ R0 ] Committed Package(s) Information:
--------------------------------------------------------------------
--------------------------------------------------------------------
IMG C 17.07.01.0.1515
--------------------------------------------------------------------
--------------------------------------------------------------------
show install uncommitted

Device# show install uncommitted
[ R0 ] Uncommitted Package(s) Information:
--------------------------------------------------------------------
--------------------------------------------------------------------
No Uncommitted Packages
Troubleshooting Software Installation Using install Commands

Problem Troubleshooting the software installation
Solution Use the following show commands to view installation summary, logs, and software versions.
• show install summary

• show install log
• show version
• show version running
Problem Other installation issues
130
Managing and Configuring a Device to Run Using Individual Packages
Solution Use the following commands to resolve installation issue:
• dir <install directory>

• more location:packages.conf
• show tech-support install: this command automatically runs the show commands that display information
specific to installation.
• request platform software trace archive target bootflash <location>: this command archives all the
trace logs relevant to all the processes running on the system since the last reload, and saves this
information in the specified location.
Managing and Configuring a Device to Run Using Individual

Packages
To choose between running individual packages or a consolidated package, see Overview section.
The following topics are included in this section:
• Installing Subpackages from a Consolidated Package, on page 131
• Installing a Firmware Subpackage, on page 147
• Installing Subpackages from a Consolidated Package on a Flash Drive, on page 137
Installing Subpackages from a Consolidated Package

Perform the following procedure to obtain the consolidated package from a TFTP server.
Another variation of this procedure obtains the consolidated package from a USB flash drive. This is described
in Installing Subpackages from a Consolidated Package on a Flash Drive.
Before you begin

Copy the consolidated package to the TFTP server.
SUMMARY STEPS
1. show version
2. dir bootflash:
3. show platform
4. mkdir bootflash: URL-to-directory-name
5. request platform software package expand file URL-to-consolidated-package to
URL-to-directory-name
6. reload
7. boot URL-to-directory-name/packages.conf
8. show version installed
131
DETAILED STEPS

Step 1 show version Shows the version of software running on the router. This
can later be compared with the version of software to be
Example:
installed.
Router# show version
Cisco IOS Software, IOS-XE Software
Step 1
(X86_64_LINUX_IOSD-UNIVERSALK9-M), Experimental
Version 15.3(20120627:221639) [build_151722 111]
Compiled Thu 28-Jun-12 15:17 by mcpre
.
.
.
Step 2 dir bootflash: Displays the previous version of software and that a package
is present.
Example:
Step 3 show platform Displays the inventory.

Example:
Router# show platform
Chassis type: c8000be/K9
Step 4 mkdir bootflash: URL-to-directory-name Creates a directory to save the expanded software image.
Example: You can use the same name as the image to name the
Router# mkdir bootflash:mydir directory.
Step 5 request platform software package expand file Expands the software image from the TFTP server
URL-to-consolidated-package to URL-to-directory-name (URL-to-consolidated-package) into the directory used to
save the image (URL-to-directory-name), which was created
Example:
in Step 4.
Router# request platform software package expand
file
bootflash:c8000be-universalk9-NIM.bin to
bootflash:mydir
Step 6 reload Enables ROMMON mode, which allows the software in

the consolidated file to be activated.
Example:
Router# reload
rommon >
Step 7 boot URL-to-directory-name/packages.conf Boots the consolidated package, by specifying the path and
name of the provisioning file: packages.conf.
Example:
rommon 1 > boot bootflash:mydir/packages.conf
Step 8 show version installed Displays the version of the newly installed software.
Example:
132

Router# show version installed
Package: Provisioning File, version: n/a, status:
active
Examples
The initial part of the example shows the consolidated package,
c8000be-universalk9.17.03.01prd14.SPA.bin , being copied to the TFTP server. This is a prerequisite
step. The remaining part of the example shows the consolidated file, packages.conf, being booted.
Router# copy tftp:c8000be-universalk9.17.03.01prd14.SPA.bin bootflash:
ddress or name of remote host []? 203.0.113.6
Destination filename [c8000be-universalk9.17.03.01prd14.SPA.bin]
Accessing tftp://203.0.113.6/c8000be/ic8000be-universalk9.17.03.01prd8.SPA.bin...
Loading c8000be/c8000be-universalk9.17.03.01prd14.SPA.bin from 192.0.2.4 (via
GigabitEthernet0): !!!!!!!!
[OK - 410506248 bytes]

Compiled Tue 16-Jun-20 23:44 by mcpre

software.
ROM: 17.3(1r)
C8300-Router uptime is 15 minutes

System returned to ROM by Reload Command
System image file is "bootflash:c8000be-universalk9.17.03.01prd14.SPA.bin"
Last reload reason: Reload Command

133

[email protected].
-----------------------------------------------------------------
Current Next Reboot
-----------------------------------------------------------------
Smart License Perpetual None None
Smart Licensing Status: UNREGISTERED/No Licenses in Use
cisco C8300-1N1S-4T2X (1RU) processor with 3763577K/6147K bytes of memory.

Processor board ID FDO2401A038
1 Virtual Ethernet interface
4 2.5 Gigabit Ethernet interfaces
5 Ten Gigabit Ethernet interfaces
7819328K bytes of USB flash at usb0:.


360449 drwx 4096 Jul 8 2020 11:51:37 -07:00 license_evlog
212993 drwx 4096 Jul 8 2020 11:51:37 -07:00 core
262145 drwx 4096 Jul 8 2020 11:51:35 -07:00 onep
16 -rw- 30 Jul 8 2020 11:51:27 -07:00 throughput_monitor_params
13 -rw- 134458 Jul 8 2020 11:51:27 -07:00 memleak.tcl
311297 drwx 4096 Jul 8 2020 11:51:12 -07:00 .dbpersist
15 -rwx 1314 Jul 8 2020 11:51:10 -07:00 trustidrootx3_ca.ca
14 -rw- 20109 Jul 8 2020 11:51:10 -07:00 ios_core.p7b
327681 drwx 4096 Jul 8 2020 11:51:08 -07:00 gs_script
12 -rw- 182 Jul 8 2020 11:51:08 -07:00 mode_event_log
237569 drwx 4096 Jul 8 2020 11:51:02 -07:00 .prst_sync
114689 drwx 4096 Jul 8 2020 11:50:48 -07:00 .ssh
368641 drwx 4096 Jul 8 2020 11:50:44 -07:00 .rollback_timer
401409 drwx 4096 Jul 8 2020 11:50:44 -07:00 .installer
458753 drwx 4096 Jul 8 2020 11:50:36 -07:00 sysboot
11 -rw- 696368193 Jul 8 2020 11:34:28 -07:00
c8000be-universalk9.17.03.01prd14.SPA.bin

Chassis type: C8300-1N1S-4T2X
134
Slot Type State Insert time (ago)

--------- ------------------- --------------------- -----------------
0 C8300-1N1S-4T2X ok 00:18:53
0/0 4x1G-2xSFP+ ok 00:18:03
0/1 C-NIM-1X ok 00:18:03
1 C8300-1N1S-4T2X ok 00:18:53
1/0 C-SM-X-16G4M2X ok 00:18:03
R0 C8300-1N1S-4T2X ok, active 00:18:53
F0 C8300-1N1S-4T2X ok, active 00:18:53
P0 PWR-CC1-250WAC ok 00:18:30
P1 Unknown empty never
P2 C8300-FAN-1R ok 00:18:30
Slot CPLD Version Firmware Version

--------- ------------------- ---------------------------------------
0 20011540 17.3(1r)
1 20011540 17.3(1r)
R0 20011540 17.3(1r)
F0 20011540 17.3(1r)
Router# mkdir bootflash:c8000be-universalk9.17.03.01.dir1

Create directory filename [c8000be-universalk9.17.03.01.dir1]?
Created dir bootflash:/c8000be-universalk9.17.03.01.dir1
Router# request platform software package expand file
bootflash:c8000be-universalk9.17.03.01.NIM.bin
to bootflash:c8000be-universalk9.17.03.01.dir1
Router# reload
*Jul 13 19:39:06.354: %SYS-5-RELOAD: Reload requested by console.Reload Reason: Reload

Command.
rommon 1 > boot bootflash:c8000be-universalk9.17.03.01.dir1/packages.conf
File size is 0x00002836

Located c8000be-universalk9.17.03.01.dir1/packages.conf
Image size 10294 inode num 324484, bks cnt 3 blk size 8*512
#
File is comprised of 1 fragments (33%)
is_valid_sha1hash: SHA-1 hash:

calculated 62f6235a:fc98eb3a:85ce183e:834f1cb3:8a1f71d1
expected 62f6235a:fc98eb3a:85ce183e:834f1cb3:8a1f71d1
File size is 0x04b3dc00
Located
c8000be-universalk9.17.03.01.dir1/c8000be-mono-universalk9.17.03.01-build_164422SSA.pkg
##############################################################################################
.....

Package: Provisioning File, version: n/a, status: active
Role: provisioning file
File: bootflash:sysboot/packages.conf, on: RP0
Built: n/a, by: n/a
135
File SHA1 checksum: d86dda7aeb6f8bade683712734932e5dd4c2587b
Package: mono-universalk9, version: 17.03.01prd14, status: active

Role: rp_base
File: bootflash:sysboot/c8000be-mono-universalk9.17.03.01prd14.SPA.pkg, on: RP0
Built: 2020-06-17_00.17, by: mcpre
File SHA1 checksum: 5621bed407a53fcbefe5e3dc567c073e0728d541
Package: rpboot, version: 17.03.01prd14, status: active

Role: rp_boot
File: bootflash:sysboot/c8000be-rpboot.17.03.01prd14.SPA.pkg, on: RP0
Built: 2020-06-17_00.17, by: mcpre
File SHA1 checksum: n/a
Package: firmware_dreamliner, version: 17.03.01prd14, status: active

Role: firmware_dreamliner
File: bootflash:sysboot/c8000be-firmware_dreamliner.17.03.01prd14.SPA.pkg, on: RP0/0
Built: 2020-06-17_00.17, by: mcpre
File SHA1 checksum: 1ce360c1e100f86a37fd707461ea2495f8a50abd
Package: firmware_dsp_analogbri, version: 17.03.01prd14, status: active

Role: firmware_dsp_analogbri
File: bootflash:sysboot/c8000be-firmware_dsp_analogbri.17.03.01prd14.SPA.pkg, on: RP0/0
Built: 2020-06-17_00.17, by: mcpre
File SHA1 checksum: 33e13705ab791cb466ed2f4e787e978d40af27da
Package: firmware_dsp_sp2700, version: 17.03.01prd14, status: active

Role: firmware_dsp_sp2700
File: bootflash:sysboot/c8000be-firmware_dsp_sp2700.17.03.01prd14.SPA.pkg, on: RP0/0
Built: 2020-06-17_00.17, by: mcpre
File SHA1 checksum: cdefc7b39e8383be190fca59c9a01286dc2a2842
Package: mono-universalk9, version: 17.03.01prd14, status: n/a

Role: rp_security
File: bootflash:sysboot/c8000be-mono-universalk9.17.03.01prd14.SPA.pkg, on: RP1/1
Built: 2020-06-17_00.17, by: mcpre
Package: mono-universalk9, version: 17.03.01prd14, status: n/a

Role: rp_webui
File: bootflash:sysboot/c8000be-mono-universalk9.17.03.01prd14.SPA.pkg, on: RP1/1
Built: 2020-06-17_00.17, by: mcpre

Role: fp
File: bootflash:sysboot/c8000be-mono-universalk9.17.03.01prd14.SPA.pkg, on: ESP0
Built: 2020-06-17_00.17, by: mcpre
Package: fp, version: unknown, status: n/a

Role: fp
File: unknown, on: ESP1
Built: unknown, by: unknown
File SHA1 checksum: unknown

Role: cc_spa
File: bootflash:sysboot/c8000be-mono-universalk9.17.03.01prd14.SPA.pkg, on: SIP0
Built: 2020-06-17_00.17, by: mcpre

Role: cc
136
Installing Subpackages from a Consolidated Package on a Flash Drive
File: bootflash:sysboot/c8000be-mono-universalk9.17.03.01prd14.SPA.pkg, on: SIP0/0

Built: 2020-06-17_00.17, by: mcpre

Role: cc
File: bootflash:sysboot/c8000be-mono-universalk9.17.03.01prd14.SPA.pkg, on: SIP0/1
Built: 2020-06-17_00.17, by: mcpre
Package: cc, version: unknown, status: n/a

Role: cc
File: unknown, on: SIP0/2

Role: cc

Role: cc

Role: cc

Role: cc_spa
File: bootflash:sysboot/c8000be-mono-universalk9.17.03.01prd14.SPA.pkg, on: SIP1
Built: 2020-06-17_00.17, by: mcpre
Installing Subpackages from a Consolidated Package on a Flash Drive

The steps for installing subpackages from a consolidated package on a USB flash drive are similar to those
described in Installing Subpackages from a Consolidated Pacakage section .
Step 1 show version

Step 2 dir usbn:
Step 3 show platform
Step 4 mkdir bootflash:URL-to-directory-name
Step 5 request platform software package expand fileusbn: package-name to URL-to-directory-name
Step 6 reload
Step 7 boot URL-to-directory-name/packages.conf
Step 8 show version installed
137
Upgrading the Firmware on NIMs

To upgrade the firmware on a Network Interface Module (NIM), perform these steps:
Before you begin

When you boot the device in packages.conf mode with the Cisco IOS XE image (super package) during the
installation period, you can upgrade or downgrade the firmware without reloading the device. You need to
follow the steps described in Installing a Firmware Subpackage section before proceeding with the firmware
upgrade.
If you do not boot the device in packages.conf mode with the Cisco IOS XE image, you need to follow the
below prerequisites before proceeding with the firmware upgrade:
• Copy the firmware subpackage (NIM firmware) into bootflash:/mydir.
• Send a request to the platform software package expand file boot flash:/mydir/<IOS-XE image> to
expand the super package.
• Reload the hardware module subslot to boot the module with the new firmware.
• Verify that the module is booted up with the new firmware using the show platform software subslot
x/y module firmware command.
SUMMARY STEPS
1. copy Cisco IOS XE image into bootflash: mydir.
2. request platform software package expand file bootflash:/mydir /<IOS-XE image to expand
super package.
3. reload.
4. boot bootflash:mydir/ /packages.conf.
5. copy NIM firmware subpackage to the folder bootflash:mydir/.
6. request platform software package install rp 0 file bootflash:/mydir/<firmware subpackage>.
7. hw-module subslot x/y reload to boot the module with the new firmware.
8. show platform software subslot 0/2 module firmware to verify that the module is booted up with
the new firmware.
DETAILED STEPS

Step 1 copy Cisco IOS XE image into bootflash: mydir. Creates a directory to save the expanded software image.
Step 2 request platform software package expand file Expands the platform software package to super package.
bootflash:/mydir /<IOS-XE image to expand super
package.
Example:
138

Router# request platform software package expand
file
bootflash:/mydir/c8000be-universalk9.03.14.00.S.155-1.S-std.SPA.bin
Step 3 reload. Enables ROMMON mode, which allows the software in

the super package file to be activated.
Example:
Router# reload
rommon >
Step 4 boot bootflash:mydir/ /packages.conf. Boots the super package by specifying the path and name
of the provisioning file: packages.conf.
Example:
Step 5 copy NIM firmware subpackage to the folder Copies the NIM firmware subpackage into bootflash:mydir.
bootflash:mydir/.
Example:
Router#copy
bootflash:c8000be-firmware_nim_xdsl.2020-07-01_11.05_39n.SSA.pkg
bootflash:mydir/
Step 6 request platform software package install rp 0 file Installs the software package.
bootflash:/mydir/<firmware subpackage>.
Example:
Router#equest platform software package install rp
0 file
bootflash:mydir/c8000be-firmware_nim_xdsl.2020-07-01_11.05_39n.SSA.pkg
Step 7 hw-module subslot x/y reload to boot the module with Reloads the hardware module subslot and boots the module
the new firmware. with the new firmware.
Example:
Router#hw-module subslot 0/2 reload
Step 8 show platform software subslot 0/2 module firmware Displays the version of the newly installed firmware.
to verify that the module is booted up with the new
firmware.
Example:
Router# show platform software subslot 0/2 module
firmware
Pe
Examples
The following example shows how to perform firmware upgrade in a device module:
Routermkdir bootflash:mydir
Create directory filename [mydir]?
Created dir bootflash:/mydir
Router#c
139
Router#copy bootflash:c8000be-universalk9.17.03.01prd14.S-std.SPA.bin bootflash:mydir/

Destination filename [mydir/c8000be-universalk9.17.03.01prd14.S-std.SPA.bin]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCC
Router#
Router#
Router#dir bootflash:mydir
Directory of bootflash:/mydir/
632738 -rw- 425288648 Dec 12 2014 09:16:42 +00:00

c8000be-universalk9.17.03.01prd14.S-std.SPA.bin

Router#
Router#request platform software package

expand file bootflash:/mydir/c8000be-universalk9.17.03.01prd14.S-std.SPA.bin.S-std.SPA.bin
Router#reload
*Jul 8 11:48:30.917 PDT: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload
Command.
*Jul 8 11:48:32.768 PDT: %IOSXE_INFRA-3-RELOAD_INFO_SAVE_FAIL: Unable to save reload
information: 23: Invalid argument.
Jul 8 11:48:38.652: %PMAN-TACTION: R0/0: pvp: Process manager is exiting: process exit
with reload chassis code



C8300-1N1S-4T2X platform with 8388608 Kbytes of main memory
rommon 1 boot bootflash:mydir/packages.conf
File size is 0x000028f1

Located mydir/packages.conf
Image size
10481 inode num 632741, bks cnt 3 blk size 8*512
140
#
File size is 0x150ae3cc
Located mydir/c8000be-universalk9.17.03.01prd14.S-std.SPA.pkg
###################################################################
######################################################################
Boot image size = 353035212 (0x150ae3cc) bytes
Package header rev 1 structure detected

Calculating SHA-1 hash...done
validate_package: SHA-1 hash:
calculated 8e966678:8afb08f4:8a88bb8f:fe591121:8bddf4b3
expected 8e966678:8afb08f4:8a88bb8f:fe591121:8bddf4b3

Package Load Test Latency : 3799 msec
Image validated
Dec 12 09:28:50.338 R0/0: %FLASH_CHECK-3-DISK_QUOTA: Flash disk quota exceeded
[free space is 61864 kB] - Please clean up files on bootflash.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.

San Jose, California 95134-1706

Compiled Tue 16-Jun-20 23:44 by mcpre

software.

141

[email protected].
cisco c8000be1-X/K9 (2RU) processor with 1681388K/6147K bytes of memory.

Processor board ID FTX1736AJUT
2 Ethernet interfaces
2 ATM interfaces
*Dec 12 09:28:58.922:
%IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL:
Module name = esg Next reboot level = appxk9 and License = appxk9
*Dec 12 09:28:58.943:
%IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL:
Module name = esg Next reboot level = ipbasek9 and License = ipbasek9
*Dec 12 09:28:58.981:
%Cat_THROUGHPUT-6-LEVEL: Throughput level has been set to 1000000 kbps
*Dec 12 09:29:13.302: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
*Dec 12 09:29:14.142: %LINK-3-UPDOWN: Interface Lsmpi0, changed state to up
*Dec 12 09:29:14.142: %LINK-3-UPDOWN: Interface EOBC0, changed state to up
*Dec 12 09:29:14.142: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
*Dec 12 09:29:14.142: %LINK-3-UPDOWN: Interface LIIN0, changed state to up
*Dec 12 09:28:51.438: %CMRP-3-PFU_MISSING:cmand: The platform does not detect a power
supply in slot 1
*Dec 12 09:29:01.256: %CMLIB-6-THROUGHPUT_VALUE:cmand: Throughput license found, throughput
set to 1000000 kbps
*Dec 12 09:29:03.223: %CPPHA-7-START:cpp_ha: CPP 0 preparing ucode
*Dec 12 09:29:03.238: %CPPHA-7-START:cpp_ha: CPP 0 startup init
*Dec 12 09:29:11.335: %CPPHA-7-START:cpp_ha: CPP 0 running init
*Dec 12 09:29:11.645: %CPPHA-7-READY:cpp_ha: CPP 0 loading and initialization complete
*Dec 12 09:29:11.711: %IOSXE-6-PLATFORM:cpp_cp:
Process CPP_PFILTER_EA_EVENT__API_CALL__REGISTER
*Dec 12 09:29:16.280:
%IOSXE_MGMTVRF-6-CREATE_SUCCESS_INFO:
Management vrf Mgmt-intf created with ID 1, ipv4 table-id 0x1, ipv6 table-id 0x1E000001
*Dec 12 09:29:16.330:
%LINEPROTO-5-UPDOWN: Line protocol on Interface Lsmpi0, changed state to up
*Dec 12 09:29:16.330:
%LINEPROTO-5-UPDOWN: Line protocol on Interface EOBC0, changed state to up
*Dec 12 09:29:16.330:
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Dec 12 09:29:16.330:
%LINEPROTO-5-UPDOWN: Line protocol on Interface LIIN0, changed state to up
*Dec 12 09:29:17.521: %SYS-5-LOG_CONFIG_CHANGE: Buffer logging disabled
*Dec 12 09:29:18.867: %SYS-5-CONFIG_I: Configured from memory by console
*Dec 12 09:29:18.870:
%IOSXE_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
*Dec 12 09:29:18.870:
*Dec 12 09:29:18.871:
*Dec 12 09:29:18.873:
%SPA_OIR-6-OFFLINECARD: SPA (c8000be-X-4x1GE) offline in subslot 0/0
*Dec 12 09:29:18.874: %SPA_OIR-6-OFFLINECARD: SPA (NIM-VA-B) offline in subslot 0/1
*Dec 12 09:29:18.874: %SPA_OIR-6-OFFLINECARD: SPA (NIM-VAB-A) offline in subslot 0/2
*Dec 12 09:29:18.876: %IOSXE_OIR-6-INSCARD: Card (fp) inserted in slot F0
142
*Dec 12 09:29:18.876: %IOSXE_OIR-6-ONLINECARD: Card (fp) online in slot F0

*Dec 12 09:29:18.882: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/0
*Dec 12 09:29:18.935: %SYS-5-RESTART: System restarted --
Cisco IOS Software, c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(1)S,
RELEASE SOFTWARE (fc5)
Compiled Thu 20-Nov-14 18:28 by mcpre
*Dec 12 09:29:18.895: %SPA-3-ENVMON_NOT_MONITORED:iomd: Environmental monitoring
is not enabled for c8000be-X-4x1GE[0/0]
*Dec 12 09:29:19.878: %LINK-5-CHANGED: Interface GigabitEthernet0,
changed state to administratively down

*Dec 12 09:29:22.419: %SPA_OIR-6-ONLINECARD: SPA (c8000be-X-4x1GE) online in subslot 0/0
*Dec 12 09:29:22.610: %SYS-6-BOOTTIME: Time taken to reboot after reload = 194 seconds
*Dec 12 09:29:24.354: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0,
changed state to down
changed state to up
changed state to up
changed state to up
*Dec 12 09:29:31.919: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/0/0, changed state to up
*Dec 12 09:29:31.930: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet0/0/2, changed state to up
*Dec 12 09:29:31.936: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet0/0/3, changed state to up
*Dec 12 09:29:34.147: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Dec 12 09:30:29.152: %SPA_OIR-6-ONLINECARD: SPA (NIM-VA-B) online in subslot 0/1
*Dec 12 09:30:29.470: %SPA_OIR-6-ONLINECARD: SPA (NIM-VAB-A) online in subslot 0/2
*Dec 12 09:30:31.152: %LINK-3-UPDOWN: Interface Ethernet0/1/0, changed state to down
*Dec 12 09:30:31.152: %LINK-3-UPDOWN: Interface ATM0/1/0, changed state to down
*Dec 12 09:31:03.074: %CONTROLLER-5-UPDOWN: Controller VDSL 0/2/0, changed state to up
*Dec 12 09:31:05.075: %LINK-3-UPDOWN: Interface Ethernet0/2/0, changed state to up
*Dec 12 09:31:06.076: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2/0,
changed state to up
*Dec 12 09:31:12.559: %CONTROLLER-5-UPDOWN: Controller VDSL 0/1/0, changed state to up
*Dec 12 09:31:20.188: %LINK-3-UPDOWN: Interface ATM0/1/0, changed state to up
*Dec 12 09:31:21.188: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0/1/0,
changed state to up
Router>
Router>en
Password:
Router#
Router#show controller vdsl 0/2/0
Controller VDSL 0/2/0 is UP
Daemon Status: UP
XTU-R (DS) XTU-C (US)

Chip Vendor ID: 'BDCM' 'BDCM'
Chip Vendor Specific: 0x0000 0xA41B
Chip Vendor Country: 0xB500 0xB500
Modem Vendor ID: 'CSCO' ' '
143
Modem Vendor Specific: 0x4602 0x0000

Modem Vendor Country: 0xB500 0x0000
Serial Number Far:
Modem Version Near: 15.5(1)S
Modem Version Far: 0xa41b
Modem Status(L1): TC Sync (Showtime!)

DSL Config Mode: VDSL2
Trained Mode(L1): G.993.2 (VDSL2) Profile 30a
TC Mode: PTM
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running
Failed full inits: 0

Short inits: 0
Failed short inits: 0
Modem FW Version: 4.14L.04

Modem PHY Version: A2pv6F039h.d24o_rc1
Line 1:
XTU-R (DS) XTU-C (US)

Trellis: ON ON
SRA: disabled disabled
SRA count: 0 0
Bit swap: enabled enabled
Bit swap count: 9 0
Profile 30a: enabled
Line Attenuation: 3.5 dB 0.0 dB
Signal Attenuation: 0.0 dB 0.0 dB
Noise Margin: 30.9 dB 12.4 dB
Attainable Rate: 200000 kbits/s 121186 kbits/s
Actual Power: 13.3 dBm 7.2 dBm
Per Band Status: D1 D2 D3 U0 U1 U2 U3
Line Attenuation(dB): 0.9 1.5 5.5 N/A 0.1 0.9 3.8
Signal Attenuation(dB): 0.8 1.5 5.5 N/A 0.0 0.2 3.2
Noise Margin(dB): 31.1 31.0 30.9 N/A 12.3 12.4 12.5
Total FECC: 0 0
Total ES: 0 0
Total SES: 0 0
Total LOSS: 0 0
Total UAS: 51 51
Total LPRS: 0 0
Total LOFS: 0 0
Total LOLS: 0 0
DS Channel1 DS Channel0 US Channel1 US Channel0

Speed (kbps): NA 100014 NA 100014
SRA Previous Speed: NA 0 NA 0
Previous Speed: NA 0 NA 0
Reed-Solomon EC: NA 0 NA 0
CRC Errors: NA 0 NA 0
Header Errors: NA 0 NA 0
Interleave (ms): NA 9.00 NA 0.00
Actual INP: NA 4.00 NA 0.00
Training Log : Stopped

Training Log Filename : flash:vdsllog.bin
Router#
144
Router#
Router#copy bootflash:c8000be-firmware_nim_xdsl.2014-11-17_11.05_39n.SSA.pkg
bootflash:mydir/
Destination filename [mydir/c8000be-firmware_nim_xdsl.2014-11-17_11.05_39n.SSA.pkg]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Router#
Router#request platform software package install rp 0 file

bootflash:mydir/c8000be-firmware_nim_xdsl.2014-11-17_11.05_39n.SSA.pkg
--- Starting local lock acquisition on R0 ---
Finished local lock acquisition on R0
--- Starting file path checking ---

Finished file path checking
--- Starting image file verification ---

Checking image file names
Locating image files and validating name syntax
Found c8000be-firmware_nim_xdsl.2014-11-17_11.05_39n.SSA.pkg
Verifying image file locations
Inspecting image file types
Processing image file constraints
Creating candidate provisioning file
Finished image file verification
--- Starting candidate package set construction ---

Verifying existing software set
Processing candidate provisioning file
Constructing working set for candidate package set
Constructing working set for running package set
Checking command output
Constructing merge of running and candidate packages
Checking if resulting candidate package set would be complete
Finished candidate package set construction
--- Starting ISSU compatiblity verficiation ---

Verifying image type compatibility
Checking IPC compatibility with running software
Checking candidate package set infrastructure compatibility
Checking infrastructure compatibility with running software
Checking package specific compatibility
Finished ISSU compatiblity verficiation
--- Starting impact testing ---

Checking operational impact of change
Finished impact testing
--- Starting list of software package changes ---

Old files list:
Removed c8000be-firmware_nim_xdsl.03.14.00.S.155-1.S-std.SPA.pkg
New files list:
Added c8000be-firmware_nim_xdsl.2014-11-17_11.05_39n.SSA.pkg
Finished list of software package changes
--- Starting commit of software changes ---

Updating provisioning rollback files
Creating pending provisioning file
Committing provisioning file
Finished commit of software changes
--- Starting analysis of software changes ---
145
Finished analysis of software changes
--- Starting update running software ---

Blocking peer synchronization of operating information
Creating the command set placeholder directory
Finding latest command set
Finding latest command shortlist lookup file
Finding latest command shortlist file
Assembling CLI output libraries
Assembling CLI input libraries
Skipping soft links for firmware upgrade
Skipping soft links for firmware upgrade
Assembling Dynamic configuration files
Applying interim IPC and database definitions
rsync: getaddrinfo: cc2-0 873: Name or service not known rsync error:
error in socket IO (code 10) at /auto/mcpbuilds19/
release/03.14.00.S/BLD-V03_14_00_S_FC5/contrib/rsync/clientserver.c(104) [sender=2.6.9]
error in socket IO (code 10) at /auto/mcpbuilds19
/release/03.14.00.S/BLD-V03_14_00_S_FC5/contrib/rsync/clientserver.c(104) [sender=2.6.9]
Replacing running software
Replacing CLI software
Restarting software
Applying final IPC and database definitions
Generating software version information
Notifying running software of updates
Unblocking peer synchronization of operating information
Unmounting old packages
Cleaning temporary installation files
Finished update running software
SUCCESS: Finished installing software.

Router#
Router#show platform software subslot 0/2 module firmware
Avg Load info
-------------------------------------------
1.83 1.78 1.44 3/45 607
Kernel distribution info

-------------------------------------------
Linux version 3.4.11-rt19 (sapanwar@blr-atg-001) (gcc version 4.6.2
(Buildroot 2011.11) ) #3 SMP PREEMPT Fri Nov 7 09:26:19 IST 2014
Module firmware versions

-------------------------------------------
Modem Fw Version: 4.14L.04
Modem Phy Version: A2pv6F039h.d24o_rc1
Boot Loader: Secondry

-------------------------------------------
Version: 1.1
Modem Up time
-------------------------------------------
0D 0H 25M 38S
Router#
146
Installing a Firmware Subpackage
Router#hw-module subslot 0/2 reload

Proceed with reload of module? [confirm]
Router#
*Dec 12 09:55:59.645: %IOSXE_OIR-6-SOFT_RELOADSPA: SPA(NIM-VAB-A)
reloaded on subslot 0/2
*Dec 12 09:55:59.647: %CONTROLLER-5-UPDOWN: Controller VDSL 0/2/0, changed state to down
*Dec 12 09:57:22.514: new extended attributes received from iomd(slot 0 bay 2 board 0)
*Dec 12 09:57:22.514: %IOSXE_OIR-6-SOFT_RELOADSPA: SPA(NIM-VAB-A)
reloaded on subslot 0/2
Router#
Router#
*Dec 12 09:58:35.471: %SPA_OIR-6-ONLINECARD: SPA (NIM-VAB-A) online in subslot 0/2
Router#
Router#show platform software subslot 0/2 module firmware

Avg Load info
-------------------------------------------
0.84 0.23 0.08 1/45 598
Kernel distribution info

-------------------------------------------
Linux version 3.4.11-rt19 (sapanwar@blr-atg-001) (gcc version 4.6.2 (Buildroot 2011.11) )
#6 SMP PREEMPT Mon Nov 17 10:51:41 IST 2014
Module firmware versions

-------------------------------------------
Modem Fw Version: 4.14L.04
Modem Phy Version: A2pv6F039n.d24o_rc1
Boot Loader: Secondry

-------------------------------------------
Version: 1.1
Modem Up time
-------------------------------------------
0D 0H 0M 42S
Router#

Before you begin
Obtain a consolidated package that contains your required firmware package and expand the package. (See
Managing and Configuring a Device to Run Using Individual Packages, on page 131.) Make a note of the
location and name of the firmware package and use this information in the steps below for
URL-to-package-name.
You can install a firmware subpackage if the device has been configured using, for example, Managing and
Configuring a Device to Run Using Individual Packages, on page 131.
Firmware subpackages are not released individually. You can select a firmware package from within a
consolidated package after expanding the consolidated package. The firmware package can then be installed
as shown in the procedure below.
147
Note Read the Release Notes document pertaining to the consolidated package to verify that the firmware within
the consolidated package is compatible with the version of Cisco IOS XE software that is currently installed
on a device.
SUMMARY STEPS
1. show version
2. dir bootflash:
3. show platform
4. mkdir bootflash: URL-to-directory-name
5. request platform software package expand file URL-to-consolidated-package to
URL-to-directory-name
6. reload
7. boot URL-to-directory-name /packages.conf
8. show version installed
DETAILED STEPS

Step 1 show version Shows the version of software running on the device. This
can later be compared with the version of software to be
Example:
installed.
Cisco IOS Software, IOS-XE Software
(X86_64_LINUX_IOSD-UNIVERSALK9-M), Experimental
Version 15.3(20120627:221639) [build_151722 111]
.
.
.
Step 2 dir bootflash: Displays the previous version of software and that a package
is present.
Example:
Step 3 show platform Checks the inventory.

Example: Also see the example in Installing Subpackages from a
Router# show platform Consolidated Package section.
Step 4 mkdir bootflash: URL-to-directory-name Creates a directory to save the expanded software image.
Step 5 request platform software package expand file Expands the software image from the TFTP server
URL-to-consolidated-package to URL-to-directory-name (URL-to-consolidated-package) into the directory used to
148

Example: save the image (URL-to-directory-name), which was created
Router# request platform software package expand in the Step 4.
file
bootflash:c8000be-universalk9-NIM.bin to
bootflash:mydir
Step 6 reload Enables ROMMON mode, which allows the software in

the consolidated file to be activated.
Example:
Router# reload
rommon >
Step 7 boot URL-to-directory-name /packages.conf Boots the consolidated package by specifying the path and
name of the provisioning file: packages.conf.
Example:
Step 8 show version installed Displays the version of the newly installed software.
Example:
Package: Provisioning File, version: n/a, status:
active
Examples
The initial part of the following example shows the consolidated package,
c8000be-universalk9.164422SSA.bin, being copied to the TFTP server. This is a prerequisite step.
The remaining part of the example shows the consolidated file, packages.conf, being booted.
Router# tftp:c8000be/c8000be-universalk9.164422SSA.bin bootflash:
Address or name of remote host []? 192.0.2.1
Destination filename [c8000be-universalk9.164422SSA.bin]?
Accessing tftp://192.0.2.1/c8000be/c8000be-universalk9.164422SSA.bin...
Loading c8000be/c8000be-universalk9.164422SSA.bin from 192.0.2.1 (via GigabitEthernet0):
!!!!!!!!
[OK - 410506248 bytes]

Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Experimental Version
15.3(20120627:221639) [build_151722 111]

IOS XE Version: 2012-06-28_15.31_mcpre

149

software.
ROM: IOS-XE ROMMON
Router uptime is 0 minutes

System returned to ROM by reload
System image file is "tftp:c8000be/c8000be.bin"


[email protected].
License Level: adventerprise

License Type: EvalRightToUse
Next reload license Level: adventerprise
cisco c8000be/K9 (2RU) processor with 1136676K/6147K bytes of memory.
Processor board ID FGL161611AB
7393215K bytes of Compact flash at bootflash:.

11 drwx 16384 May 3 2012 19:58:37 +00:00 lost+found

178465 drwx 4096 Jun 6 2012 15:20:20 +00:00 core
584065 drwx 4096 Jul 13 2012 19:19:00 +00:00 .prst_sync
405601 drwx 4096 May 3 2012 19:59:30 +00:00 .rollback_timer
113569 drwx 40960 Jul 13 2012 19:19:32 +00:00 tracelogs
64897 drwx 4096 May 3 2012 19:59:42 +00:00 .installer
13 -rw- 1305 May 7 2012 17:43:42 +00:00 startup-config
14 -rw- 1305 May 7 2012 17:43:55 +00:00 running-config
15 -r-- 1541 Jun 4 2012 18:32:41 +00:00 debug.conf
16 -rw- 1252 May 22 2012 19:58:39 +00:00 running-config-20120522
519169 drwx 4096 Jun 4 2012 15:29:01 +00:00 vman_fdb


--------- ------------------- --------------------- -----------------
0 c8000be/K9 ok 15:57:33
150
0/0 c8000be-6X1GE ok 15:55:24

1 Ic8000be/K9 ok 15:57:33
1/0 SM-1T3/E3 ok 15:55:24
2 c8000be/K9 ok 15:57:33
2/0 SM-1T3/E3 ok 15:55:24
R0 c8000be/K9 ok, active 15:57:33
F0 c8000be-FP ok, active 15:57:33
P0 Unknown ps, fail never
P1 XXX-XXXX-XX ok 15:56:58
P2 ACS-4450-FANASSY ok 15:56:58

--------- ------------------- ---------------------------------------
0 12090323 15.3(01r)S [ciscouser-c8000beRO...
R0 12090323 15.3(01r)S [ciscouser-c8000beRO...
F0 12090323 15.3(01r)S [ciscouser-c8000beRO...
Router# mkdir bootflash:c8000be-universalk9.dir1

Create directory filename [c8000be-universalk9.dir1]?
Created dir bootflash:/c8000be-universalk9.dir1
Router# request platform software package expand file bootflash:c8000be-universalk9.NIM.bin
to
bootflash:c8000be-universalk9.dir1
Router# reload
*Jul 13 19:39:06.354: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload

Command.
rommon 1 > boot bootflash:c8000be-universalk9.dir1/packages.conf
File size is 0x00002836

Located c8000be-universalk9.dir1/packages.conf
#
is_valid_sha1hash: SHA-1 hash:

calculated 62f6235a:fc98eb3a:85ce183e:834f1cb3:8a1f71d1
expected 62f6235a:fc98eb3a:85ce183e:834f1cb3:8a1f71d1
File size is 0x04b3dc00
Located c8000be-universalk9.dir1/c8000be-mono-universalk9-build_164422SSA.pkg
##############################################################################################
.....

Package: Provisioning File, version: n/a, status: active
File: bootflash:c8000be-universalk9.dir1/packages.conf, on: RP0
Built: n/a, by: n/a
File SHA1 checksum: ad09affd3f8820f4844f27acc1add502e0b8f459
Package: rpbase, version: 2012-07-10_16.22_mcpre, status: active

File: bootflash:c8000be-universalk9.dir1/c8000be-mono-universalk9-build_164422SSA.pkg, on:
151
RP0
Built: 2012-07-10_16.22, by: mcpre
File SHA1 checksum: 5e95c9cbc4eaf5a4a5a1ac846ee2d0f41d1a026b
Package: firmware_attributes, version: 2012-07-10_16.22_mcpre, status: active

File: bootflash:c8000be-universalk9.dir1/c8000be-firmware_attributes_164422SSA.pkg, on:
RP0/0
Built: 2012-07-10_16.22, by: mcpre
File SHA1 checksum: 71614f2d9cbe7f96d3c6e99b67d514bd108c6c99
Package: firmware_dsp_sp2700, version: 2012-07-10_16.22_mcpre, status: active

File: bootflash:c8000be-universalk9.dir1/c8000be-firmware_dsp_164422SSA.pkg, on: RP0/0
Built: 2012-07-10_16.22, by: mcpre
File SHA1 checksum: 8334565edf7843fe246783b1d5c6ed933d96d79e
Package: firmware_fpge, version: 2012-07-10_16.22_mcpre, status: active
File: bootflash:c8000be-universalk9.dir1/c8000be-firmware_fpge_164422SSA.pkg, on: RP0/0
Built: 2012-07-10_16.22, by: mcpre
File SHA1 checksum: eb72900ab32c1c50652888ff486cf370ac901dd7
Package: firmware_sm_1t3e3, version: 2012-07-10_16.22_mcpre, status: active

File: bootflash:c8000be-universalk9.dir1/c8000be-firmware_sm_1t3e3_164422SSA.pkg, on: RP0/0
Built: 2012-07-10_16.22, by: mcpre
File SHA1 checksum: 803005f15d8ea71ab088647e2766727ac2269871
Package: rpcontrol, version: 2012-07-10_16.22_mcpre, status: active

File: bootflash:c8000be-universalk9.dir1/c8000be-mono-universalk9_164422SSA.pkg, on: RP0/0
Built: 2012-07-10_16.22, by: mcpre
File SHA1 checksum: 980fd58fe581e9346c44417b451d1c09ebb640c2
Package: rpios-universalk9, version: dir1, status: active

Built: 2012-07-10_16.23, by: mcpre
File SHA1 checksum: 27084f7e30a1d69d45a33e05d1b00345040799fb
Package: rpaccess, version: 2012-07-10_16.22_mcpre, status: active
Built: 2012-07-10_16.22, by: mcpre
File SHA1 checksum: 0119802deda2da91c38473c47a998fb3ed423448
Package: rpcontrol, version: 2012-07-10_16.22_mcpre, status: n/a

File: bootflash:c8000be-universalk9.dir1/c8000be-rpcontrol-BLD-BLD_MCP_DEV_LATEST_20120710_
164422SSA.pkg, on: RP0/1
Built: 2012-07-10_16.22, by: mcpre
File SHA1 checksum: 980fd58fe581e9346c44417b451d1c09ebb640c2
Package: rpios-universalk9, version: 2012-07-10_16.23_mcpre, status: n/a

File: bootflash:c8000be-universalk9.dir1/c8000be-rpios-universalk9-BLD-BLD_MCP_DEV_LATEST_
20120710_164422SSA.pkg, on: RP0/1
Built: 2012-07-10_16.23, by: mcpre
File SHA1 checksum: 27084f7e30a1d69d45a33e05d1b00345040799fb
Package: rpaccess, version: 2012-07-10_16.22_mcpre, status: n/a

File: bootflash:c8000be-universalk9.dir1/c8000be-rpaccess-BLD-BLD_MCP_DEV_LATEST_20120710_
164422SSA.pkg, on: RP0/1
Built: 2012-07-10_16.22, by: mcpre
File SHA1 checksum: 0119802deda2da91c38473c47a998fb3ed423448
Package: rpbase, version: 2012-07-10_16.22_mcpre, status: n/a

File: bootflash:c8000be-universalk9.dir1/c8000be-rpbase-BLD-BLD_MCP_DEV_LATEST_20120710_
164422SSA.pkg, on: RP1
Built: 2012-07-10_16.22, by: mcpre
File SHA1 checksum: 5e95c9cbc4eaf5a4a5a1ac846ee2d0f41d1a026b
Package: firmware_fpge, version: 2012-07-10_16.22_mcpre, status: n/a
152
Configuring No Service Password-Recovery
Configuring No Service Password-Recovery

The Cisco IOS password recovery procedure allows you to to gain access, using the console, to the ROMMON
mode by using the Break key during system startup and reload. When the device software is loaded from
ROMMON mode, the configuration is updated with the new password. The password recovery procedure
makes anyone with console access have the ability to access the device and its network.
The No Service Password-Recovery feature is designed to prevent the service password-recovery procedure
from being used to gain access to the device and network.
Configuration Registers and System Boot Configuration

The lowest four bits of the configuration register (bits 3, 2, 1, and 0) form the boot field. The boot field
determines if the device boots manually from ROM or automatically from flash or the network. For example,
when the configuration register boot field value is set to any value from 0x2 to 0xF, the device uses the register
boot field value to form a default boot filename for autobooting from a network server.
Bit 8, when set to 1, ignores the startup configuration. Bit 6, when set to 1, enables break key detection. You
must set the configuration register to autoboot to enable this feature. Any other configuration register setting
will prevent the feature from being enabled.
Note By default, the no confirm prompt and messages are not displayed after reloads.
How to Enable No Service Password-Recovery

You can enable the No Service Password-Recovery in the following two ways:
• Using the no service password-recovery command. This option allows password recovery once it is
enabled.
• Using the no service password-recovery strict command. This option does not allow for device recovery
once it is enabled.
Note As a precaution, a valid Cisco IOS image should reside in the bootflash: before this feature is enabled.
If you plan to enter the no service password-recovery command, Cisco recommends that you save a copy of
the system configuration file in a location away from the device.
Befor you beging, ensure that this feature is disabled before making any change to the device regardless of
the significance of the change—such as a configuration, module, software version, or ROMMON version
change.
The configuration register boot bit must be enabled to load the startup configuration by setting bit-8 to 0, to
ignore the break key in Cisco IOS XE by setting bit-6 to 0, and to auto boot a Cisco IOS XE image by setting
the lowest four bits 3-0, to any value from 0x2 to 0xF. Changes to the configuration register are not saved
after the No Service Password-Recovery feature is enabled.
153
Note If Bit-8 is set to 1, the startup configuration is ignored. If Bit-6 is set to 1, break key detection is enabled in
Cisco IOS XE. If both Bit-6 and Bit-8 are set to 0, the No Service Password-Recovery feature is enabled.
This example shows how to enable the No Service Password-Recovery feature:

Router> enable
Router(config)# config-register 0x2012
Router(config)# no service password-recovery
Recovering a Device with the No Service Password-Recovery Feature Enabled

To recover a device after the no service password-recovery feature is enabled using the no service
password-recovery command, look out for the following message that appears during the boot: “PASSWORD
RECOVERY FUNCTIONALITY IS DISABLED.” As soon as “.. ” appears, press the Break key. You are
then prompted to confirm the Break key action:
• If you confirm the action, the startup configuration is erased and the device boots with the factory default
configuration with the No Service Password-Recovery enabled.
• If you do not confirm the Break key action, the device boots normally with the No Service
Password-Recovery feature enabled.
Note You cannot recover a device if the No Service Password-Recovery feature was enabled using the no service
password-recovery strict command.
This example shows a Break key action being entered during boot up, followed by confirmation of the break
key action. The startup configuration is erased and the device then boots with the factory default configuration
with the No Service Password-Recovery feature enabled.



PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
..
telnet> send brk
154
..
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to the factory default

configuration and proceed [y/n] ? y
Router clearing configuration. Please wait for ROMMON prompt...
File size is 0x17938a80
Located c8000be-universalk9.BLD_V153_3_S_XE310_THROTTLE_LATEST_20130623_234109.SSA.bin
This example shows a Break key action being entered during boot up, followed by the non-confirmation of
the break key action. The device then boots normally with the No Service Password-Recovery feature enabled.



..
telnet> send brk
...
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to the factory default

configuration and proceed [y/n] ? n
Router continuing with existing configuration...
File size is 0x17938a80
Located c8000be-universalk9.BLD_V153_3_S_XE310_THROTTLE_LATEST_20130623_234109.SSA.bin
######################################################################## …
Configuration Examples for No Service Password-Recovery

The following example shows how to obtain the configuration register setting (which is set to autoboot),
disable password recovery capability, and then verify that the configuration persists through a system reload:
Cisco Internetwork Operating System Software
155
IOS (tm) 5300 Software (C7200-P-M), Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Compiled Wed 05-Mar-04 10:16 by xxx
Image text-base: 0x60008954, data-base: 0x61964000
ROM: System Bootstrap, Version 12.3(8)YA, RELEASE SOFTWARE (fc1)
...
125440K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Router(config)# no service password-recovery
WARNING:
Executing this command will disable the password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes]: yes
...
Router#
Router# reload
Proceed with reload? [confirm] yes
00:01:54: %SYS-5-RELOAD: Reload requested
System Bootstrap, Version 12.3...
C7400 platform with 262144 Kbytes of main memory
...
The following example shows how to disable password recovery capability using the no service
password-recovery strict command:
Router(config)# no service password-recovery strict
WARNING:
Do not execute this command without another plan for password recovery.
156
Are you sure you want to continue? [yes]: yes
..
157
158
CHAPTER 9
Slot and Subslot Configuration
This chapter contains information on slots and subslots. Slots specify the chassis slot number in your device
and subslots specify the slot where the service modules are installed.
For further information on the slots and subslots, see the “About Slots and Interfaces” sections:
The following section is included in this chapter:

• Configuring the Interfaces, on page 159
Configuring the Interfaces

The following sections describe how to configure Gigabit interfaces and also provide examples of configuring
the router interfaces:
• Configuring Gigabit Ethernet Interfaces, on page 159
• Configuring the Interfaces: Example, on page 161
• Viewing a List of All Interfaces: Example, on page 161
• Viewing Information About an Interface: Example, on page 162

SUMMARY STEPS
1. enable
3. interface GigabitEthernet slot/subslot/port
4. ip address ip-address mask [secondary] dhcp pool
5. negotiation auto
6. end
159
DETAILED STEPS

Router> enable

Example:
Step 3 interface GigabitEthernet slot/subslot/port Configures a GigabitEthernet interface.

Example: • GigabitEthernet—Type of interface.
Router(config)# interface GigabitEthernet 0/0/1

• slot—Chassis slot number.
• /subslot—Secondary slot number. The slash (/) is
required.
• /port—Port or interface number. The slash (/) is
required.
Step 4 ip address ip-address mask [secondary] dhcp pool Assigns an IP address to the GigabitEthernet
Example: • ip address ip-address—IP address for the interface.

• mask—Mask for the associated IP subnet.
255.255.255.0 dhcp pool
• secondary (optional)—Specifies that the configured
address is a secondary IP address. If this keyword is
omitted, the configured address is the primary IP
address.
• dhcp—IP address negotiated via DHCP.
• pool—IP address autoconfigured from a local DHCP
pool.
Step 5 negotiation auto Selects the negotiation mode.

Example: • auto—Performs link autonegotiation.
Router(config-if)# negotiation auto
Step 6 end Ends the current configuration session and returns to

privileged EXEC mode.
Example:
Router(config-if)# end
160
Configuring the Interfaces: Example
Configuring the Interfaces: Example

The following example shows the interface gigabitEthernet command being used to add the interface and
set the IP address. 0/0/0 is the slot/subslot/port. The ports are numbered 0 to 5.
Router# show running-config interface gigabitEthernet 0/0/0
!
interface gigabitEthernet0/0/0
no ip address
negotiation auto
end

Router(config)# interface gigabitEthernet 0/0/0
Viewing a List of All Interfaces: Example

In this example, the show platform software interface summary, show interfaces summary, and show
platform software status control-process brief commands are used to display all the interfaces:
Router# show platform software interface summary
Interface IHQ IQD OHQ OQD RXBS RXPS TXBS TXPS TRTL
-----------------------------------------------------------------------------
* GigabitEthernet0/0/0 0 0 0 0 0 0 0 0 0
* Te0/0/4 0 0 0 0 0 0 0 0 0
* Te0/0/5 0 0 0 0 0 0 0 0 0
Router# show interfaces summary

*: interface is up
IHQ: pkts in input hold queue IQD: pkts dropped from input queue
OHQ: pkts in output hold queue OQD: pkts dropped from output queue
RXBS: rx rate (bits/sec) RXPS: rx rate (pkts/sec)
TXBS: tx rate (bits/sec) TXPS: tx rate (pkts/sec)
TRTL: throttle count
Interface IHQ IQD OHQ OQD RXBS RXPS TXBS TXPS TRTL
------------------------------------------------------------------------------------------
* Te0/0/4 0 0 0 0 0 0 0 0 0
* Te0/0/5 0 0 0 0 0 0 0 0 0
Router#show platform software status control-process brief
Load Average
Slot Status 1-Min 5-Min 15-Min
RP0 Healthy 0.83 0.91 0.91
Memory (kB)
Slot Status Total Used (Pct) Free (Pct) Committed (Pct)
RP0 Healthy 7768456 2654936 (34%) 5113520 (66%) 3115212 (40%)
CPU Utilization
161
Viewing Information About an Interface: Example
Slot CPU User System Nice Idle IRQ SIRQ IOwait

RP0 0 2.70 1.70 0.00 95.59 0.00 0.00 0.00
1 0.00 0.00 0.00 100.00 0.00 0.00 0.00
2 0.00 0.00 0.00 100.00 0.00 0.00 0.00
3 0.00 0.00 0.00 100.00 0.00 0.00 0.00
4 2.40 1.40 0.00 96.19 0.00 0.00 0.00
5 0.80 1.60 0.00 97.59 0.00 0.00 0.00
6 12.40 12.30 0.00 75.30 0.00 0.00 0.00
7 11.20 12.40 0.00 76.40 0.00 0.00 0.00
8 2.80 1.80 0.00 95.40 0.00 0.00 0.00
9 0.00 0.00 0.00 100.00 0.00 0.00 0.00
10 0.00 0.00 0.00 100.00 0.00 0.00 0.00
11 0.00 0.00 0.00 100.00 0.00 0.00 0.00
Viewing Information About an Interface: Example

The following example shows how to display a brief summary of an interface's IP information and status,
including the virtual interface bundle information, by using the show ip interface brief command:
Router# show ip interface brief
GigabitEthernet0/0/0 10.10.3.1 YES NVRAM up up
GigabitEthernet0/0/1 192.0.5.2 YES NVRAM up up
GigabitEthernet0/0/2 192.0.2.5 YES NVRAM down down
GigabitEthernet0/0/3 unassigned YES NVRAM down down
Te0/0/4 unassigned YES NVRAM down down
Te0/0/5 10.20.4.8 YES NVRAM down down
Te0/1/0 unassigned YES NVRAM down down
162
CHAPTER 10
Cisco Thousand Eyes Enterprise Agent
Application Hosting
This chapter provides information on Cisco Thousand Eyes Enterprise Agent Application Hosting. The
following sections are included in this chapter:
• Cisco ThousandEyes Enterprise Agent Application Hosting, on page 163
• Supported Platforms and System Requirements, on page 164
• Workflow to Install and Run the Cisco ThousandEyes Application, on page 165
• Modifying the Agent Parameters, on page 169
• Uninstalling the Application, on page 169
• Troubleshooting the Cisco ThousandEyes Application, on page 170
Cisco ThousandEyes Enterprise Agent Application Hosting

Cisco ThousandEyes is a network intelligence platform that allows you to use its agents to run a variety of
tests from its agents to monitor the network and application performance. This application enables you to
view end-to-end paths across networks and services that impact your business. Cisco ThousandEyes application
actively monitors the network traffic paths across internal, external, and internet networks in real time, and
helps to analyse the network performance. Also, Cisco ThousandEyes application provides
application-availability insights that are enriched with routing and device data for a multidimensional view
of digital experience.
From Cisco IOS XE Release 17.6.1, you can use application-hosting capabilities to deploy the Cisco
ThousandEyes Enterprise Agent as a container application on Cisco Catalyst 8300 and Catalyst 8200 Series
Edge Platforms. This agent application runs as a docker image using Cisco IOx docker-type option. For more
information on how to configure Cisco ThousandEyes in controller mode, see Cisco SD-WAN Systems and
Interfaces Configuration Guide.
163
Cisco Thousand Eyes Enterprise Agent Application Hosting
Feature Information for Cisco ThousandEyes Enterprise Agent Application Hosting
Figure 3: Network View through ThousandEyes Application
Feature Information for Cisco ThousandEyes Enterprise Agent Application

Hosting
Table 14: Feature Information for ThousandEyes Enterprise Agent Application Hosting
Cisco ThousandEyes Cisco IOS XE The Cisco ThousandEyes Enterprise Agent Application
Enterprise Agent Application 17.7.1a introduces the functionality to inherit the Domain Name
Hosting Server (DNS) information from the device. With this
enhancement, the DNS field in the vManage ThousandEyes
feature template is an optional parameter.
Cisco ThousandEyes Cisco IOS XE With the integration of ThousandEyes Agent Application
Enterprise Agent Application 17.6.1 running on routing platforms using the app-hosting
Hosting capabilities as container, you can have visibility into
application experience with deep insights into the Internet,
cloud providers, and enterprise networks.
Supported Platforms and System Requirements

The following table lists the supported platforms and system requirements.
164
Workflow to Install and Run the Cisco ThousandEyes Application
Table 15: Supported Platforms and System Requirements
Platforms Bootflash FRU Storage DRAM
Catalyst 8300 Series Edge Platforms

C8300-1N1S-6T 8 GB 16 GB M.2 USB (Default) 8 GB
C8300-1N1S-4T2X 8 GB 16 GB M.2 USB (Default) 8 GB
C8300-2N2S-6T 8 GB 16 GB M.2 USB (Default) 8 GB
C8300-2N2S-4T2X 8 GB 16 GB M.2 USB (Default) 8 GB
Catalyst 8200 Series Edge Platforms
C8200-1N-4T 8 GB 16 GB M.2 USB (Default) 8 GB
C8200L-1N-4T 8 GB 16 GB M.2 USB 8 GB

(Recommended)
Note The minimum DRAM and storage requirement for running Cisco ThousandEyes Enterprise Agent is 8 GB.
If the device does not have enough memory or storage, we recommend that you upgrade DRAM or add an
external storage such as M.2 USB. When the available resources are not sufficient to run other applications,
Cisco IOx generates an error message.
Workflow to Install and Run the Cisco ThousandEyes

Application
To install and run the Cisco ThousandEyes image on a device, perform these steps:
Step 1 Create a new account on the Cisco ThousandEyes portal.

Step 2 Download the Cisco ThousandEyes application package from the software downloads page and ensure that you use the
agent version 4.0.2.
Step 3 Copy the image on the device.
Step 4 Install and launch the image.
Step 5 Connect the agent to the controller.
Note When you order platforms that support Cisco ThousandEyes application with Cisco IOS XE 17.6.1 software,
the Cisco ThousandEyes application package is available in the bootflash of the device.
165
Workflow to Host the Cisco ThousandEyes Application
Workflow to Host the Cisco ThousandEyes Application

To install and launch the application, perform these steps:
Before you begin

Create a new account on the Cisco ThousandEyes portal and generate the token. The Cisco ThousandEyes
agent application uses this token to authenticate and check into the correct Cisco ThousandEyes account. If
you see a message stating that your token is invalid and you want to troubleshoot the issue, see Troubleshooting
the Cisco ThousandEyes Application, on page 170.
Note If you configure the correct token and Domain Name Server (DNS) information, the device is discovered
automatically.
Step 1 Enable Cisco IOx application environment on the device.

• Use the following commands for non-SD-WAN (autonomous mode) images:
config terminal
iox
end
write
• Use the following commands for SD-WAN (controller mode) images:
config-transaction
iox
commit
Step 2 If the IOx command is accepted, wait for a few seconds and check whether the IOx process is up and running by using
the show iox command. The output must display that the show IOxman process is running.
Device #show iox
IOx Infrastructure Summary:

---------------------------
IOx service (CAF) 192.0.2.8 : Running
IOx service (HA) : Not Supported
IOx service (IOxman) : Running
IOx service (Sec storage) : Not Supported
Libvirtd 1.3.4 : Running
Step 3 Ensure that the ThousandEyes application LXC tarball is available in the device's bootflash:.
Step 4 Create a virtual port group interface to enable the traffic path to the Cisco ThousandEyes application:
interface VirtualPortGroup 0
ip address 192.0.2.22 255.255.255.0
exit
Step 5 Configure the app-hosting application with the generated token:

app-hosting appid te
app-vnic gateway1 virtualportgroup 0 guest-interface 0
166
Downloading and Copying the Image to the Device
guest-ipaddress 192.0.2.22 netmask 255.255.255.0

app-default-gateway 192.0.2.22 guest-interface 0
app-resource docker
prepend-pkg-opts Required to get the default run-time options from package.yaml
run-opts 1 "--hostname thousandeyes"
run-opts 2 "-e TEAGENT_ACCOUNT_TOKEN=<ThousandEyes token>"
run-opts 3 "-e TEAGENT_PROXY_TYPE=STATIC -e TEAGENT_PROXY_LOCATION=proxy.something.other:80"
name-server0 192.0.2.10 ISP’s DNS server
end
app-resource docker
prepend-pkg-opts
run-opts 2 “--hostname
Note You can use the proxy configuration only if the Cisco ThousandEyes agent does not have an internet access
without a proxy. Also, the hostname is optional. If you do not provide the hostname during the installation, the
device hostname is used as the Cisco ThousandEyes agent hostname. The device hostname is displayed on the
Cisco ThousandEyes portal. The DNS name server information is optional. If the Cisco ThousandEyes agent
uses a private IP address, ensure that you establish a connection to the device through NAT.
Step 6 Configure the start command to run the application automatically when the application is installed on the device using
the install command:
start
Step 7 Install the ThousandEyes application:
app-hosting install appid <appid> package [bootflash: | harddisk: | https:]
Select a location to install the ThousandEyes application from these options:

Device# app-hosting install appid te package ?
bootflash: Package path ISR4K case if image is locally available in bootflash:
harddisk: Package path Cat8K case if image is locally available in M.2 USB
https: Package path Download over the internet if image is not locally present in
router. URL to ThousandEyes site hosting agent image to be provided here
Step 8 Check if the application is up and running:
Device#show app-hosting list

App id State
---------------------------------------------------------
te RUNNING
Note If any of these steps fail, use the show logging command and check the IOx error message. If the error message
is about insufficient disk space, clean the storage media (bootflash or hard disk) to free up the space. Use the
show app-hosting resource command to check the CPU and disk memory.

To download and copy the image to bootflash, perform these steps:
167
Step 1 Check if the Cisco ThousandEyes image is precopied to bootflash:/<directory name>.

Step 2 If the image is not available in the device directory, perform these steps:
a) If the device has a direct access to internet, use the https:. option in the application install command. This option
downloads the image from the Cisco ThousandEyes software downloads page into bootflash:/apps and installs the
application.
Device# app-hosting install appid <appid string> package [bootflash: | flash | http | https://
| ftp | ] URL to image location hosted on ThousandEyes portal
Device# app-hosting install appid te1000 package

https://downloads.thousandeyes.com/enterprise-agent/thousandeyes-enterprise-agent-4.0.2.cisco.tar
Installing package
'https://downloads.thousandeyes.com/enterprise-agent/thousandeyes-enterprise-agent-4.0.2.cisco.tar'
for 'te1000'.
Use 'show app-hosting list' for progress.

*Jun 29 23:43:29.244: %IOSXE-6-PLATFORM: R0/0: IOx: App verification successful
*Jun 29 23:45:00.449: %IM-6-INSTALL_MSG: R0/0: ioxman: app-hosting: Install succeeded: te1000
installed successfully Current state is DEPLOYED
*Jun 29 23:45:01.801: %IOSXE-6-PLATFORM: R0/0: IOx: App verification successful
*Jun 29 23:45:51.054: %IM-6-START_MSG: R0/0: ioxman: app-hosting: Start succeeded: te1000 started
successfully Current state is RUNNING
Device#show app-hosting detail appid te1000 ( Details of Application)

App id : te1000
Owner : iox
State : RUNNING
Application
Type : docker
Name : ThousandEyes Enterprise Agent
Version : 4.0
Author : ThousandEyes <[email protected]>
Path : bootflash:thousandeyes-enterprise-agent-4.0-22.cisco.tar
Resource reservation
Memory : 500 MB
Disk : 1 MB
CPU : 1500 units
CPU-percent : 70 %
b) If the device has a proxy server, copy the image manually to bootflash:/apps.
c) Download the Cisco ThousandEyes application package from the software downloads page and ensure that you use
the agent version 4.0.2.
d) Create an application directory in the bootflash: to copy the image:
Device# mkdir bootflash:apps
Create directory filename [apps]?
Created dir bootflash:/apps
e) Copy the Cisco ThousandEyes image to the bootflash:apps directory.

f) Validate the image using the verify command:
verify /md5 bootflash:apps/<file name>
168
Connecting the Cisco ThousandEyes Agent with the Controller
Connecting the Cisco ThousandEyes Agent with the Controller

Before you begin
Ensure that you have an Internet connection before you connect the agent with the controller.
After the Cisco ThousandEyes application is up and running, the agent (ThousandEyes-agent ) process connects to the
controller that is running on the cloud environment.
Note If you have issues related to connectivity, the application logs the relevant error messages in the
application-specific logs (/var/logs).
Modifying the Agent Parameters

To modify the agent parameters, perform these actions:
Step 1 Stop the application using the app-hosting stop appid appid command.
Step 2 Deactivate the application using the app-hosting deactivate appid appid command.
Step 3 Make the required changes to the app-hosting configuration.
Step 4 Activate the application using the app-hosting activate appid appid command.
Step 5 Start the application using the app-hosting start appid appid command.
Uninstalling the Application

To uninstall the application, perform these steps:
Step 1 Stop the application using the app-hosting stop appid te command.
Step 2 Check if the application is in active state using the show app-hosting list command.
Step 3 Deactivate the application using the app-hosting deactivate appid te command.
Step 4 Ensure that the application is not in active state. Use the show app-hosting list command to check status of the application.
Step 5 Uninstall the application using the app-hosting uninstall appid te command.
Step 6 After the uninstallation process is complete, use the show app-hosting list command to check if the application is
uninstalled successfully.
169
Troubleshooting the Cisco ThousandEyes Application
Troubleshooting the Cisco ThousandEyes Application

To troubleshoot the Cisco ThousandEyes application, perform these steps:
1. Connect to Cisco ThousandEyes agent application using the app-hosting connect appid appid session
/bin/bash command.
2. Verify the configuration applied to the application /etc/te-agent.cfg.
3. View the logs in /var/log/agent/te-agent.log. You can use these logs to troubleshoot the configuration.
Checking the ThousandEyes Application Status

When the Cisco ThousandEyes application is in running state, it is registered on the ThousandEyes portal. If
the application does not show up in a few minutes after the agent is in running state, check using the
app-hosting connect appid thousandeyes_enterprise_agent session command.
Device#app-hosting connect appid thousandeyes_enterprise_agent session
Device# cat /var/log/agent/te-agent.log
2021-02-04 08:59:29.642 DEBUG [e4736a40] [te.agent.AptPackageInterface] {} Initialized APT
package interface
2021-02-04 08:59:29.642 INFO [e4736a40] [te.agent.main] {} Agent version 1.103.0 starting.
Max core size is 0 and max open files is 1024
2021-02-04 08:59:29.642 DEBUG [e4736a40] [te.agent.db] {} Vacuuming database
2021-02-04 08:59:29.643 INFO [e4736a40] [te.agent.db] {} Found version 0, expected version
50
2021-02-04 08:59:29.672 INFO [e4708700] [te.probe.ServerTaskExecutor] {} ProbeTaskExecutor
started with 2 threads.
2021-02-04 08:59:29.673 INFO [e2f05700] [te.probe.ProbeTaskExecutor.bandwidth] {}
ProbeTaskExecutor started with 1 threads.
2021-02-04 08:59:29.673 INFO [e2704700] [te.probe.ProbeTaskExecutor.realtime] {}
2021-02-04 08:59:29.673 INFO [e1f03700] [te.probe.ProbeTaskExecutor.throughput] {}
2021-02-04 08:59:29.674 DEBUG [e4736a40] [te.agent.DnssecTaskProceessor] {} Agent is not
running bind
2021-02-04 08:59:29.674 DEBUG [e4736a40] [te.snmp.RequestDispatcher] {} Initialised SNMP++
session
session
session
2021-02-04 08:59:29.674 INFO [e4736a40] [te.agent.main] {} Agent starting up
2021-02-04 08:59:29.675 INFO [e4736a40] [te.agent.main] {} No agent id found, attempting
to obtain one
2021-02-04 08:59:29.675 INFO [e4736a40] [te.agent.ClusterMasterAdapter] {} Attempting to
get agent id from sc1.thousandeyes.com
2021-02-04 08:59:29.679 ERROR [e4736a40] [te.agent.main] {} Error calling create_agent:
Curl error - Couldn't resolve host name
2021-02-04 08:59:29.680 INFO [e4736a40] [te.agent.main] {} Sleeping for 30 seconds
Note :
Note Check the DNS server connection. If the Cisco ThousandEyes agent is assigned to a private IP address, check
the NAT configuration.
170
CHAPTER 11
Process Health Monitoring
This chapter describes how to manage and monitor the health of various components of your device. It contains
the following sections:
• Monitoring Control Plane Resources, on page 171
• Monitoring Hardware Using Alarms, on page 175
Monitoring Control Plane Resources

The following sections explain the of memory and CPU monitoring from the perspective of the Cisco IOS
process and the overall control plane:
• Avoiding Problems Through Regular Monitoring, on page 171
• Cisco IOS Process Resources, on page 172
• Overall Control Plane Resources, on page 173
Avoiding Problems Through Regular Monitoring

Processes should provide monitoring and notification of their status/health to ensure correct operation. When
a process fails, a syslog error message is displayed and either the process is restarted or the device is rebooted.
A syslog error message is displayed when a monitor detects that a process is stuck or has crashed. If the
process can be restarted, it is restarted; else, the device is restarted.
Monitoring system resources enables you to detect potential problems before they occur, thus avoiding outages.
The following are the advantages of regular monitoring:
• Lack of memory on line cards that are in operation for a few years can lead to major outages. Monitoring
memory usage helps to identify memory issues in the line cards and enables you to prevent an outage.
• Regular monitoring establishes a baseline for a normal system load. You can use this information as a
basis for comparison when you upgrade hardware or software—to see if the upgrade has affected resource
usage.
171
Cisco IOS Process Resources
Cisco IOS Process Resources

You can view CPU utilization statistics on active processes and see the amount of memory being used in these
processes using the show memory command and the show process cpu command. These commands provide
a representation of memory and CPU utilization from the perspective of only the Cisco IOS process; they do
not include information for resources on the entire platform. For example, when the show memory command
is used in a system with 8 GB RAM running a single Cisco IOS process, the following memory usage is
displayed:
Router# show memory
Tracekey : 1#08d3ff66f05826cb63fb2b7325fcbed0
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)

Processor 7FB733EC4048 3853903068 193512428 3660390640 707918492 3145727908
reserve P 7FB733EC40A0 102404 92 102312 102312 102312
lsmpi_io 7FB7320C11A8 6295128 6294304 824 824 412
Dynamic heap limit(MB) 3000 Use(MB) 0
The show process cpu command displays Cisco IOS CPU utilization average:
Router# show process cpu
CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 1%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
1 1 14 71 0.00% 0.00% 0.00% 0 Chunk Manager
2 127 872 145 0.00% 0.00% 0.00% 0 Load Meter
3 0 1 0 0.00% 0.00% 0.00% 0 Policy bind Proc
4 0 1 0 0.00% 0.00% 0.00% 0 Retransmission o
5 0 1 0 0.00% 0.00% 0.00% 0 IPC ISSU Dispatc
6 11 13 846 0.00% 0.00% 0.00% 0 RF Slave Main Th
7 0 1 0 0.00% 0.00% 0.00% 0 EDDRI_MAIN
8 0 1 0 0.00% 0.00% 0.00% 0 RO Notify Timers
9 1092 597 1829 0.00% 0.01% 0.00% 0 Check heaps
10 8 73 109 0.00% 0.00% 0.00% 0 Pool Manager
11 0 1 0 0.00% 0.00% 0.00% 0 DiscardQ Backgro
12 0 2 0 0.00% 0.00% 0.00% 0 Timers
13 0 32 0 0.00% 0.00% 0.00% 0 WATCH_AFS
14 0 1 0 0.00% 0.00% 0.00% 0 MEMLEAK PROCESS
15 1227 40758 30 0.00% 0.02% 0.00% 0 ARP Input
16 41 4568 8 0.00% 0.00% 0.00% 0 ARP Background
17 0 2 0 0.00% 0.00% 0.00% 0 ATM Idle Timer
18 0 1 0 0.00% 0.00% 0.00% 0 ATM ASYNC PROC
19 0 1 0 0.00% 0.00% 0.00% 0 CEF MIB API
20 0 1 0 0.00% 0.00% 0.00% 0 AAA_SERVER_DEADT
21 0 1 0 0.00% 0.00% 0.00% 0 Policy Manager
22 0 2 0 0.00% 0.00% 0.00% 0 DDR Timers
23 60 23 2608 0.00% 0.00% 0.00% 0 Entity MIB API
24 43 45 955 0.00% 0.00% 0.00% 0 PrstVbl
25 0 2 0 0.00% 0.00% 0.00% 0 Serial Backgroun
26 0 1 0 0.00% 0.00% 0.00% 0 RMI RM Notify Wa
27 0 2 0 0.00% 0.00% 0.00% 0 ATM AutoVC Perio
28 0 2 0 0.00% 0.00% 0.00% 0 ATM VC Auto Crea
29 30 2181 13 0.00% 0.00% 0.00% 0 IOSXE heartbeat
30 1 9 111 0.00% 0.00% 0.00% 0 Btrace time base
31 5 182 27 0.00% 0.00% 0.00% 0 DB Lock Manager
32 16 4356 3 0.00% 0.00% 0.00% 0 GraphIt
33 0 1 0 0.00% 0.00% 0.00% 0 DB Notification
34 0 1 0 0.00% 0.00% 0.00% 0 IPC Apps Task
35 0 1 0 0.00% 0.00% 0.00% 0 ifIndex Receive
36 4 873 4 0.00% 0.00% 0.00% 0 IPC Event Notifi
37 49 4259 11 0.00% 0.00% 0.00% 0 IPC Mcast Pendin
38 0 1 0 0.00% 0.00% 0.00% 0 Platform appsess
39 2 73 27 0.00% 0.00% 0.00% 0 IPC Dynamic Cach
40 5 873 5 0.00% 0.00% 0.00% 0 IPC Service NonC
172
Overall Control Plane Resources
41 0 1 0 0.00% 0.00% 0.00% 0 IPC Zone Manager

42 38 4259 8 0.00% 0.00% 0.00% 0 IPC Periodic Tim
43 18 4259 4 0.00% 0.00% 0.00% 0 IPC Deferred Por
44 0 1 0 0.00% 0.00% 0.00% 0 IPC Process leve
45 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat Manager
46 3 250 12 0.00% 0.00% 0.00% 0 IPC Check Queue
47 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat RX Cont
48 0 1 0 0.00% 0.00% 0.00% 0 IPC Seat TX Cont
49 22 437 50 0.00% 0.00% 0.00% 0 IPC Keep Alive M
50 25 873 28 0.00% 0.00% 0.00% 0 IPC Loadometer
51 0 1 0 0.00% 0.00% 0.00% 0 IPC Session Deta
52 0 1 0 0.00% 0.00% 0.00% 0 SENSOR-MGR event
53 2 437 4 0.00% 0.00% 0.00% 0 Compute SRP rate

Control plane memory and CPU utilization on each control processor allows you to keep a tab on the overall
control plane resources. You can use the show platform resources command to monitor the overall system
health and resource usage for the IOS XE platforms. Also, you can use the show platform software status
control-processor brief command (summary view) or the show platform software status control-processor
command (detailed view) to view control plane memory and CPU utilization information.
All control processors should show status, Healthy. Other possible status values are Warning and Critical.
Warning indicates that the device is operational, but that the operating level should be reviewed. Critical
implies that the device is nearing failure.
If you see a Warning or Critical status, take the following actions:
• Reduce the static and dynamic loads on the system by reducing the number of elements in the configuration
or by limiting the capacity for dynamic services.
• Reduce the number of routes and adjacencies, limit the number of ACLs and other rules, reduce the
number of VLANs, and so on.
The following sections describe the fields in the show platform software status control-processor command
output.
Load Average
Load average represents the process queue or process contention for CPU resources. For example, on a
single-core processor, an instantaneous load of 7 would mean that seven processes are ready to run, one of
which is currently running. On a dual-core processor, a load of 7 would mean that seven processes are ready
to run, two of which are currently running.
Memory Utilization
Memory utilization is represented by the following fields:
• Total—Total line card memory
• Used—Consumed memory
• Free—Available memory
• Committed—Virtual memory committed to processes
173
CPU Utilization
CPU utilization is an indication of the percentage of time the CPU is busy, and is represented by the following
fields:
• CPU—Allocated processor
• User—Non-Linux kernel processes
• System—Linux kernel process
• Nice—Low-priority processes
• Idle—Percentage of time the CPU was inactive
• IRQ—Interrupts
• SIRQ—System Interrupts
• IOwait—Percentage of time CPU was waiting for I/O
Example: show platform software status control-processor Command

The following are some examples of using the show platform software status control-processor
command:
Router# show platform software status control-processor
RP0: online, statistics updated 3 seconds ago
Load Average: healthy
1-Min: 1.35, status: healthy, under 9.30
Memory (kb): healthy
Total: 7768456
Used: 2572568 (33%), status: healthy
Free: 5195888 (67%)
Committed: 3112968 (40%), under 90%
Per-core Statistics
CPU0: CPU Utilization (percentage of time spent)
User: 3.00, System: 2.40, Nice: 0.00, Idle: 94.60
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
User: 0.00, System: 0.00, Nice: 0.00, Idle:100.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
174
Monitoring Hardware Using Alarms
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00

IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
Router# show platform software status control-processor brief

Load Average
Slot Status 1-Min 5-Min 15-Min
RP0 Healthy 1.14 1.07 1.02
Memory (kB)
Slot Status Total Used (Pct) Free (Pct) Committed (Pct)
RP0 Healthy 7768456 2573416 (33%) 5195040 (67%) 3115096 (40%)
CPU Utilization
Slot CPU User System Nice Idle IRQ SIRQ IOwait
RP0 0 2.80 1.80 0.00 95.39 0.00 0.00 0.00
1 0.00 0.00 0.00 100.00 0.00 0.00 0.00
2 0.00 0.00 0.00 100.00 0.00 0.00 0.00
3 0.00 0.00 0.00 100.00 0.00 0.00 0.00
4 6.80 1.80 0.00 91.39 0.00 0.00 0.00
5 3.20 1.60 0.00 95.19 0.00 0.00 0.00
6 16.30 12.60 0.00 71.10 0.00 0.00 0.00
7 12.40 13.70 0.00 73.90 0.00 0.00 0.00
8 2.40 2.40 0.00 95.19 0.00 0.00 0.00
9 0.00 0.00 0.00 100.00 0.00 0.00 0.00
10 0.00 0.00 0.00 100.00 0.00 0.00 0.00
11 0.00 0.00 0.00 100.00 0.00 0.00 0.00
Monitoring Hardware Using Alarms

• Device Design and Monitoring Hardware, on page 175
• BootFlash Disk Monitoring, on page 176
• Approaches for Monitoring Hardware Alarms, on page 176
Device Design and Monitoring Hardware

The router sends alarm notifications when problems are detected, allowing you to monitor the network remotely.
You do not need to use show commands to poll devices on a routine basis; however, you can perform onsite
monitoring if you choose.
175
BootFlash Disk Monitoring
BootFlash Disk Monitoring

The bootflash disk must have enough free space to store two core dumps. This condition is monitored, and if
the bootflash disk is too small to store two core dumps, a syslog alarm is generated, as shown in the following
example:
Aug 22 13:40:41.038 R0/0: %FLASH_CHECK-3-DISK_QUOTA: Flash disk quota exceeded
[free space is 7084440 kB] - Please clean up files on bootflash.
The size of the bootflash disk must be at least of the same size as that of the physical memory installed on the
device. If this condition is not met, a syslog alarm is generated as shown in the following example:
%IOSXEBOOT-2-FLASH_SIZE_CHECK: (rp/0): Flash capacity (8 GB) is insufficient for fault
analysis based on
installed memory of RP (16 GB)
%IOSXEBOOT-2-FLASH_SIZE_CHECK: (rp/0): Please increase the size of installed flash to at
least 16 GB (same as
physical memory size)
Approaches for Monitoring Hardware Alarms

• Onsite Network Administrator Responds to Audible or Visual Alarms, on page 176
• Viewing the Console or Syslog for Alarm Messages, on page 177
• Network Management System Alerts a Network Administrator when an Alarm is Reported Through
SNMP, on page 179
Onsite Network Administrator Responds to Audible or Visual Alarms

• About Audible and Visual Alarms, on page 176
• Clearing an Audible Alarm, on page 176
• Clearing a Visual Alarm, on page 177
About Audible and Visual Alarms

An external element can be connected to a power supply using the DB-25 alarm connector on the power
supply. The external element is a DC light bulb for a visual alarm and a bell for an audible alarm.
If an alarm illuminates the CRIT, MIN, or MAJ LED on the faceplate of the device, and a visual or audible
alarm is wired, the alarm also activates an alarm relay in the power supply DB-25 connector, and either the
bell rings or the light bulb flashes.
Clearing an Audible Alarm

To clear an audible alarm, perform one of the following tasks:
• Press the Audible Cut Off button on the faceplate.
• Enter the clear facility-alarm command.
176
Clearing a Visual Alarm
Clearing a Visual Alarm

To clear a visual alarm, you must resolve the alarm condition. The clear facility-alarm command does not
clear an alarm LED on the faceplate or turn off the DC light bulb. For example, if a critical alarm LED is
illuminated because an active module was removed without a graceful deactivation, the only way to resolve
that alarm is to replace the module.
Viewing the Console or Syslog for Alarm Messages

The network administrator can monitor alarm messages by reviewing alarm messages sent to the system
console or to a system message log (syslog).
• Enabling the logging alarm Command, on page 177
• Examples of Alarm Messages, on page 177
• Reviewing and Analyzing Alarm Messages, on page 179
Enabling the logging alarm Command

The logging alarm command must be enabled for the system to send alarm messages to a logging device,
such as the console or a syslog. This command is not enabled by default.
You can specify the severity level of the alarms to be logged. All the alarms at and above the specified threshold
generate alarm messages. For example, the following command sends only critical alarm messages to logging
devices:
Router(config)# logging alarm critical
If alarm severity is not specified, alarm messages for all severity levels are sent to logging devices.
Examples of Alarm Messages

The following are examples of alarm messages that are sent to the console when a module is removed before
performing a graceful deactivation. The alarm is cleared when the module is reinserted.
Module Removed
*Aug 22 13:27:33.774: %C-SM-X-16G4M2X: Module removed from subslot 1/1, interfaces disabled
*Aug 22 13:27:33.775: %SPA_OIR-6-OFFLINECARD: Module (SPA-4XT-SERIAL) offline in subslot
1/1
Module Reinserted
*Aug 22 13:32:29.447: %CC-SM-X-16G4M2X: Module inserted in subslot 1/1
*Aug 22 13:32:34.916: %SPA_OIR-6-ONLINECARD: Module (SPA-4XT-SERIAL) online in subslot 1/1
*Aug 22 13:32:35.523: %LINK-3-UPDOWN: SIP1/1: Interface EOBC1/1, changed state to up
Alarms
To view alarms, use the show facility-alarm status command. The following example shows a critical alarm
for the power supply:
Router# show facility-alarm status
System Totals Critical: 1 Major: 0 Minor: 0
Source Time Severity Description [Index]

------ ------ -------- -------------------
177
Examples of Alarm Messages
Power Supply Bay 1 Jul 08 2020 11:51:34 CRITICAL Power Supply/FAN Module
Missing [0]
POE Bay 0 Jul 08 2020 11:51:34 INFO Power Over Ethernet Module
Missing [0]
POE Bay 1 Jul 08 2020 11:51:34 INFO Power Over Ethernet Module
Missing [0]
xcvr container 0/0/4 Jul 08 2020 11:51:47 INFO Transceiver Missing - Link
Down [1]
TenGigabitEthernet0/1/0 Jul 08 2020 11:52:24 INFO Physical Port Administrative

State Down [2]
GigabitEthernet1/0/0 Jul 08 2020 11:56:35 INFO Physical Port Administrative

State Down [2]

State Down [2]

State Down [2]

State Down [2]

State Down [2]

State Down [2]

State Down [2]

State Down [2]
TwoGigabitEthernet1/0/17 Jul 08 2020 11:56:35 INFO Physical Port Administrative

State Down [2]

State Down [2]

State Down [2]
To view critical alarms, use the show facility-alarm status critical command, as shown in the following
example:
Router# show facility-alarm status critical

------ ------ -------- -------------------
Power Supply Bay 1 Jul 08 2020 11:51:34 CRITICAL Power Supply/FAN Module
Missing [0]
To view the operational state of the major hardware components on the device, use the show platform diag
command.
178
Reviewing and Analyzing Alarm Messages
Router# show platform diag

Chassis type: C8300-1N1S-4T2X
Slot: 0, C8300-1N1S-4T2X
Running state : ok
Internal state : online
Internal operational state : ok
Physical insert detect time : 00:00:24 (01:29:20 ago)
Software declared up time : 00:01:01 (01:28:44 ago)
CPLD version : 20011540
Firmware version : 17.3(1r)
Sub-slot: 0/0, 4x1G-2xSFP+

Operational status : ok
Internal state : inserted
Logical insert detect time : 00:01:14 (01:28:30 ago)
Sub-slot: 0/1, C-NIM-1X

Slot: 1, C8300-1N1S-4T2X
Running state : ok
Software declared up time : 00:01:02 (01:28:43 ago)
Firmware version : 17.3(1r)
Sub-slot: 1/0, C-SM-X-16G4M2X

Slot: R0, C8300-1N1S-4T2X

Running state : ok, active
Reviewing and Analyzing Alarm Messages

To facilitate the review of alarm messages, you can write scripts to analyze alarm messages sent to the console
or syslog. Scripts can provide reports on events such as alarms, security alerts, and interface status.
Syslog messages can also be accessed through Simple Network Management Protocol (SNMP) using the
history table defined in the CISCO-SYSLOG-MIB.
Network Management System Alerts a Network Administrator when an Alarm is Reported Through
SNMP
The SNMP is an application-layer protocol that provides a standardized framework and a common language
used for monitoring and managing devices in a network. Of all the approaches to monitor alarms, SNMP is
the best approach to monitor more than one device in an enterprise and service provider setup.
SNMP provides notification of faults, alarms, and conditions that might affect services. It allows a network
administrator to access device information through a network management system (NMS) instead of reviewing
logs, polling devices, or reviewing log reports.
179
Network Management System Alerts a Network Administrator when an Alarm is Reported Through SNMP
To use SNMP to get alarm notification, use the following MIBs:

• ENTITY-MIB, RFC 4133 (required for the CISCO-ENTITY-ALARM-MIB and
CISCO-ENTITY-SENSOR-MIB to work)
• CISCO-ENTITY-ALARM-MIB
• CISCO-ENTITY-SENSOR-MIB (for transceiver environmental alarm information, which is not provided
through the CISCO-ENTITY-ALARM-MIB)
180
CHAPTER 12
System Messages
System messages are saved in a log file or directed to other devices from the software running on a router.
These messages are also known as syslog messages. System messages provide you with logging information
for monitoring and troubleshooting purposes.
The following sections are included in this chapter:
• Information About Process Management, on page 181
• How to Find Error Message Details, on page 181
Information About Process Management

You can access system messages by logging in to the console through Telnet protocol and monitoring your
system components remotely from any workstation that supports the Telnet protocol.
Starting and monitoring software is referred to as process management. The process management infrastructure
for a router is platform independent, and error messages are consistent across platforms running on Cisco IOS
XE. You do not have to be directly involved in process management, but we recommend that you read the
system messages that refer to process failures and other issues.
How to Find Error Message Details

To see further details about a process management or a syslog error message, see the System Error Messages
Guide For Access and Edge Routers Guide.
The following are examples of the description and the recommended action displayed by the error messages.
Error Message: %PMAN-0-PROCESS_NOTIFICATION : The process lifecycle notification component
failed because [chars]
Explanation Recommended Action
181
System Messages
The process lifecycle notification component failed, Note the time of the message and investigate the
preventing proper detection of a process start and stop. kernel error message logs to learn more about the
This problem is likely the result of a software defect problem and see if it is correctable. If the problem
in the software subpackage. cannot be corrected or the logs are not helpful, copy
the error message exactly as it appears on the console
along with the output of the show tech-support
command and provide the gathered information to a
Cisco technical support representative.
Error Message: %PMAN-0-PROCFAILCRIT A critical process [chars] has failed (rc [dec])
A process important to the functioning of the router Note the time of the message and investigate the error
has failed. message logs to learn more about the problem. If the
problem persists, copy the message exactly as it
appears on the console or in the system log. Research
and attempt to resolve the issue using the tools and
utilities provided at: http://www.cisco.com/tac. With
some messages, these tools and utilities will supply
clarifying information. Search for resolved software
issues using the Bug Search Tool at:
http://www.cisco.com/cisco/psn/bssprt/bss. If you still
require assistance, open a case with the Technical
Assistance Center at:
http://tools.cisco.com/ServiceRequestTool/create/, or
contact your Cisco technical support representative
and provide the representative with the information
you have gathered. Attach the following information
to your case in nonzipped, plain-text (.txt) format: the
output of the show logging and show tech-support
commands and your pertinent troubleshooting logs.
Error Message: %PMAN-3-PROCFAILOPT An optional process [chars] has failed (rc [dec])
182
System Messages
A process that does not affect the forwarding of traffic Note the time of the message and investigate the
has failed. kernel error message logs to learn more about the
problem. Although traffic will still be forwarded after
receiving this message, certain functions on the router
may be disabled because of this message and the error
should be investigated. If the logs are not helpful or
indicate a problem you cannot correct, copy the
message exactly as it appears on the console or in the
system log. Research and attempt to resolve the issue
using the tools and utilities provided at
http://www.cisco.com/tac. With some messages, these
tools and utilities will supply clarifying information.
Search for resolved software issues using the Bug
Search Tool at:
Error Message: %PMAN-3-PROCFAIL The process [chars] has failed (rc [dec])
The process has failed as the result of an error. This message will appear with other messages related
to the process. Check the other messages to determine
the reason for the failures and see if corrective action
can be taken. If the problem persists, copy the message
exactly as it appears on the console or in the system
log. Research and attempt to resolve the issue using
the tools and utilities provided at:
Search Tool at:
183
System Messages
Error Message: %PMAN-3-PROCFAIL_IGNORE [chars] process exits and failures are being ignored
due to debug settings. Normal router functionality will be affected. Critical router
functions like RP switchover, router reload, FRU resets, etc. may not function properly.
A process failure is being ignored due to the If this behavior is desired and the debug settings are
user-configured debug settings. set according to a user's preference, no action is
needed. If the appearance of this message is viewed
as a problem, change the debug settings. The router
is not expected to behave normally with this debug
setting. Functionalities such as SSO switchover, router
reloads, FRU resets, and so on will be affected. This
setting should only be used in a debug scenario. It is
not normal to run the router with this setting.
Error Message: %PMAN-3-PROCHOLDDOWN The process [chars] has been helddown (rc [dec])
The process was restarted too many times with This message will appear with other messages related
repeated failures and has been placed in the hold-down to the process. Check the other messages to determine
state. the reason for the failures and see if corrective action
can be taken. If the problem persists, copy the message
exactly as it appears on the console or in the system
log. Research and attempt to resolve the issue using
the tools and utilities provided at:
Search Tool at:
Error Message: %PMAN-3-RELOAD_RP_SB_NOT_READY : Reloading: [chars]
The route processor is being reloaded because there Ensure that the reload is not due to an error condition.
is no ready standby instance.
Error Message: %PMAN-3-RELOAD_RP : Reloading: [chars]
184
System Messages
The RP is being reloaded. Ensure that the reload is not due to an error condition.
If it is due to an error condition, collect information
requested by the other log messages.
Error Message: %PMAN-3-RELOAD_SYSTEM : Reloading: [chars]
The system is being reloaded. Ensure that the reload is not due to an error condition.
If it is due to an error condition, collect information
requested by the other log messages.
Error Message: %PMAN-3-PROC_BAD_EXECUTABLE : Bad executable or permission problem with

process [chars]
The executable file used for the process is bad or has Ensure that the named executable is replaced with the
permission problem. correct executable.
Error Message: %PMAN-3-PROC_BAD_COMMAND:Non-existent executable or bad library used for

process <process name>
The executable file used for the process is missing, Ensure that the named executable is present and the
or a dependent library is bad. dependent libraries are good.
Error Message: %PMAN-3-PROC_EMPTY_EXEC_FILE : Empty executable used for process [chars]
The executable file used for the process is empty. Ensure that the named executable is non-zero in size.
Error Message: %PMAN-5-EXITACTION : Process manager is exiting: [chars]
The process manager is exiting. Ensure that the process manager is not exiting due to
an error condition. If it is due to an error condition,
collect information requested by the other log
messages.
Error Message: %PMAN-6-PROCSHUT : The process [chars] has shutdown
The process has gracefully shut down. No user action is necessary. This message is provided
for informational purposes only.
Error Message: %PMAN-6-PROCSTART : The process [chars] has started
185
System Messages
The process has launched and is operating properly. No user action is necessary. This message is provided
Error Message: %PMAN-6-PROCSTATELESS : The process [chars] is restarting stateless
The process has requested a stateless restart. No user action is necessary. This message is provided
186
CHAPTER 13
Trace Management
• Tracing Overview, on page 187
• How Tracing Works, on page 187
• Tracing Levels, on page 188
• Viewing a Tracing Level, on page 189
• Setting a Tracing Level, on page 191
• Viewing the Content of the Trace Buffer, on page 191
Tracing Overview
Tracing is a function that logs internal events. Trace files containing trace messages are automatically created
and saved to the tracelogs directory on the hard disk: file system on the router, which stores tracing files in
bootflash.
The contents of trace files are useful for the following purposes:
• Troubleshooting—Helps to locate and solve an issue with a router. The trace files can be accessed in
diagnostic mode even if other system issues are occurring simultaneously.
• Debugging—Helps to obtain a detailed view of system actions and operations.
How Tracing Works

Tracing logs the contents of internal events on a router. Trace files containing all the trace output pertaining
to a module are periodically created and updated and stored in the tracelog directory. Trace files can be erased
from this directory to recover space on the file system without impacting system performance. The files can
be copied to other destinations using file transfer functions (such as FTP and TFTP) and opened using a plain
text editor.
Note Tracing cannot be disabled on a router.
Use the following commands to view trace information and set tracing levels:
187
Trace Management
Tracing Levels
• show logging process module—Shows the most recent trace information for a specific module. This
command can be used in privileged EXEC and diagnostic modes. When used in diagnostic mode, this
command can gather trace log information during a Cisco IOS XE failure.
• set platform software trace—Sets a tracing level that determines the types of messages that are stored
in the output. For more information on tracing levels, see Tracing Levels, on page 188.
Tracing Levels
Tracing levels determine how much information should be stored about a module in the trace buffer or file.
The following table shows all the tracing levels that are available and provides descriptions of what types of
messages are displayed with each tracing level.
Table 16: Tracing Levels and Descriptions
Tracing Level Level Number Description
Emergency 0 The message is regarding an issue

that makes the system unusable.
Alert 1 The message is regarding an action

that must be taken immediately.
Critical 2 The message is regarding a critical

condition. This is the default setting
for every module on the router.
Error 3 The message is regarding a system

error.
Warning 4 The message is regarding a system

warning.
Notice 5 The message is regarding a

significant issue, but the router is
still working normally.
Informational 6 The message is useful for

informational purposes only.
Debug 7 The message provides debug-level

output.
Verbose 8 All possible tracing messages are

sent.
188
Trace Management
Viewing a Tracing Level
Tracing Level Level Number Description
Noise — All possible trace messages

pertaining to a module are logged.
The noise level is always equal to
the highest possible tracing level.
Even if a future enhancement to
tracing introduces a higher tracing
level than verbose level, the noise
level will become equal to the level
of the newly introduced tracing
level.
If a tracing level is set, messages are collected from both lower tracing levels and from its own level.
For example, setting the tracing level to 3 (error) means that the trace file will contain output messages for
levels: 0 (emergencies), 1 (alerts), 2 (critical), and 3 (error).
If you set the trace level to 4 (warning), it results in output messages for levels: 0 (emergencies), 1 (alerts), 2
(critical), 3 (error), and 4 (warning).
The default tracing level for every module on the router is 5 (notice).
A tracing level is not set in a configuration mode, which results in tracing-level settings being returned to
default values after the router reloads.
Caution Setting the tracing level of a module to debug level or higher can have a negative impact on the performance.
Caution Setting high tracing levels on a large number of modules can severely degrade performance. If a high tracing
level is required in a specific context, it is almost always preferable to set the tracing level of a single module
to a higher level rather than setting multiple modules to high levels.

By default, all the modules on a router are set to 5 (notice). This setting is maintained unless changed by a
user.
To see the tracing level for a module on a router, enter the show logging process command in privileged
EXEC mode or diagnostic mode.
The following example shows how the show logging process command is used to view the tracing levels of
the forwarding manager processes on an active RP:
Router# showlogging process forwarding-manager rp active
Module Name Trace Level
-----------------------------------------------
acl Notice
binos Notice
binos/brand Notice
bipc Notice
189
Trace Management
bsignal Notice
btrace Notice
cce Notice
cdllib Notice
cef Notice
chasfs Notice
chasutil Notice
erspan Notice
ess Notice
ether-channel Notice
evlib Notice
evutil Notice
file_alloc Notice
fman_rp Notice
fpm Notice
fw Notice
icmp Notice
interfaces Notice
iosd Notice
ipc Notice
ipclog Notice
iphc Notice
IPsec Notice
mgmte-acl Notice
mlp Notice
mqipc Notice
nat Notice
nbar Notice
netflow Notice
om Notice
peer Notice
qos Notice
route-map Notice
sbc Notice
services Notice
sw_wdog Notice
tdl_acl_config_type Notice
tdl_acl_db_type Notice
tdl_cdlcore_message Notice
tdl_cef_config_common_type Notice
tdl_cef_config_type Notice
tdl_dpidb_config_type Notice
tdl_fman_rp_comm_type Notice
tdl_fman_rp_message Notice
tdl_fw_config_type Notice
tdl_hapi_tdl_type Notice
tdl_icmp_type Notice
tdl_ip_options_type Notice
tdl_ipc_ack_type Notice
tdl_IPsec_db_type Notice
tdl_mcp_comm_type Notice
tdl_mlp_config_type Notice
tdl_mlp_db_type Notice
tdl_om_type Notice
tdl_ui_message Notice
tdl_ui_type Notice
tdl_urpf_config_type Notice
tdllib Notice
trans_avl Notice
uihandler Notice
uipeer Notice
uistatus Notice
urpf Notice
vista Notice
190
Trace Management
Setting a Tracing Level
wccp Notice
Setting a Tracing Level

To set a tracing level for a module on a router, or for all the modules within a process on a router, enter the
set platform software trace command in the privileged EXEC mode or diagnostic mode.
The following example shows the tracing level for the ACL module in the Forwarding Manager of the ESP
processor in slot 0 set to info:
set platform software trace forwarding-manager F0 acl info
Viewing the Content of the Trace Buffer

To view the trace messages in the trace buffer or file, enter the show logging process command in privileged
EXEC or diagnostic mode. In the following example, the trace messages for the Host Manager process in
Route Processor slot 0 are viewed using the show logging process command:
Router# show logging process host-manager R0
08/23 12:09:14.408 [uipeer]: (info): Looking for a ui_req msg
08/23 12:09:14.408 [uipeer]: (info): Start of request handling for con 0x100a61c8
08/23 12:09:14.399 [uipeer]: (info): Accepted connection for 14 as 0x100a61c8
08/23 12:09:14.399 [uipeer]: (info): Received new connection 0x100a61c8 on descriptor 14
08/23 12:09:14.398 [uipeer]: (info): Accepting command connection on listen fd 7
08/23 11:53:57.440 [uipeer]: (info): Going to send a status update to the shell manager in
slot 0
08/23 11:53:47.417 [uipeer]: (info): Going to send a status update to the shell manager in
slot 0
191
Trace Management
Viewing the Content of the Trace Buffer
192
CHAPTER 14
Environmental Monitoring and PoE Management
The Cisco Catalyst 8300 Series Edge Platform have hardware and software features that periodically monitor
the router's environment. This chapter provides information on the environmental monitoring features on your
router that allow you to monitor critical events and generate statistical reports on the status of various router
components. This chapter includes the following sections:
• Environmental Monitoring, on page 193
• Environmental Monitoring and Reporting Functions, on page 193
• Configuring Power Supply Mode, on page 207
Environmental Monitoring
The router provides a robust environment-monitoring system with several sensors that monitor the system
temperatures. Microprocessors generate interrupts to the HOST CPU for critical events and generate a periodic
status and statistics report. The following are some of the key functions of the environmental monitoring
system:
• Monitoring temperature of CPUs, motherboard, and midplane
• Monitoring fan speed
• Recording abnormal events and generating notifications
• Monitoring Simple Network Management Protocol (SNMP) traps
• Generating and collecting Onboard Failure Logging (OBFL) data
• Sending call home event notifications
• Logging system error messages
• Displaying present settings and status
Environmental Monitoring and Reporting Functions

Monitoring and reporting functions allow you to maintain normal system operation by identifying and resolving
adverse conditions prior to loss of operation.
• Environmental Monitoring Functions, on page 194
193
Environmental Monitoring Functions
• Environmental Reporting Functions, on page 196

Environmental monitoring functions use sensors to monitor the temperature of the cooling air as it moves
through the chassis.
The local power supplies provide the ability to monitor:
• Input and output current
• Output voltage
• Input and output power
• Temperature
• Fan speed
The device is expected to meet the following environmental operating conditions:

• Operating Temperature Nominal—32°F to 104°F (0°C to 40°C)
• Operating Humidity Nominal—10% to 85% RH noncondensing
• Operating Humidity Short Term—10% to 85% RH noncondensing
• Operating Altitude—Sea level 0 ft to 10,000 ft (0 to 3000 m)
• AC Input Range—85 to 264 VAC
In addition, each power supply monitors its internal temperature and voltage. A power supply is either within
tolerance (normal) or out of tolerance (critical). If an internal power supply's temperature or voltage reaches
a critical level, the power supply shuts down without any interaction with the system processor.
The following table displays the levels of status conditions used by the environmental monitoring system.
Table 17: Levels of Status Conditions Used by the Environmental Monitoring System
Status Level Description
Normal All monitored parameters are within normal tolerance.
Warning The system has exceeded a specified threshold. The system continues to
operate, but operator action is recommended to bring the system back to a
normal state.
Critical An out-of-tolerance temperature or voltage condition exists. Although the

system continues to operate, it is approaching shutdown. Immediate operator
action is required.
The environmental monitoring system sends system messages to the console, for example, when the conditions
described here are met:
194
Fan Failure
When the system power is on, all the fans should be operational. Although the system continues to operate if
a fan fails, the system displays the following message:
%IOSXE_PEM-3-FANFAIL: The fan in slot 2/0 is encountering a failure condition
Sensors Out of Range

When sensors are out of range, the system displays the following message:
%ENVIRONMENTAL-1-ALERT: V: 1.0v PCH, Location: R0, State: Warning, Reading: 1102 mV
%ENVIRONMENTAL-1-ALERT: V: PEM Out, Location: P1, State: Warning, Reading: 0 mV
%ENVIRONMENTAL-1-ALERT: Temp: Temp 3, Location R0, State : Warning, Reading : 90C
Fan Tray (Slot P2) Removed

When the fan tray for slot P2 is removed, the system displays the following message:
%IOSXE_PEM-6-REMPEM_FM: PEM/FM slot P2 removed
Fan Tray (Slot P2) Reinserted

When the fan tray for slot P2 is reinserted, the system displays the following message:
%IOSXE_PEM-6-INSPEM_FM: PEM/FM slot P2 inserted
Fan Tray (Slot 2) is Working Properly

When the fan tray for slot 2 is functioning properly, the system displays the following message:
%IOSXE_PEM-6-PEMOK: The PEM in slot P2 is functioning properly
Fan 0 in Slot 2 (Fan Tray) is Not Working

When Fan 0 in the fan tray of slot 2 is not functioning properly, the system displays the following message:
%IOSXE_PEM-3-FANFAIL: The fan in slot 2/0 is encountering a failure condition
Fan 0 in Slot 2 (Fan Tray) is Working Properly

When Fan 0 in the fan tray of slot 2 is functioning properly, the system displays the following message:
%IOSXE_PEM-6-FANOK: The fan in slot 2/0 is functioning properly
Main Power Supply in Slot 1 is Powered Off

When the main power supply in slot 1 is powered off, the system displays the following message:
%IOSXE_PEM-3-PEMFAIL: The PEM in slot 1 is switched off or encountering a
failure condition.
Main Power Supply is Inserted in Slot 1

When the main power supply is inserted in slot 1, the system displays the following messages:
%IOSXE_PEM-6-INSPEM_FM: PEM/FM slot P1 inserted
%IOSXE_PEM-6-PEMOK: The PEM in slot 1 is functioning properly
195
Environmental Reporting Functions
Temperature and Voltage Exceed Max/Min Thresholds

The following example shows the warning messages indicating the maximum and minimum thresholds of
the temperature or voltage:
Warnings :
--------
For all the temperature sensors (name starting with “Temp:”) above,
the critical warning threshold is 100C (100C and higher)
the warning threshold is 80C (range from 80C to 99C)
the low warning threshold is 1C (range from -inf to 1C).
For all voltage sensors (names starting with "V:"),

the high warning threshold starts at that voltage +10%. (voltage + 10% is warning)
the low warning threshold starts at the voltage -10%. (voltage - 10% is warning)

You can retrieve and display environmental status reports using the following commands:
• debug environment
• debug platform software cman env monitor polling
• debug ilpower
• debug power [inline | main]
• show diag all eeprom
• show diag slot R0 eeprom detail
• show environment
• show environment all
• show inventory
• show platform all
• show platform diag
• show platform software status control-processor
• show version
• show power
• show power inline
These commands show the current values of parameters such as temperature and voltage.
The environmental monitoring system updates the values of these parameters every 60 seconds. Brief examples
of these commands are shown below:
debug environment: Example

Router# debug environment location P0
Environmental sensor Temp: Temp 1 P0 debugging is on
196

Environmental sensor V: PEM Out P0 debugging is on
Environmental sensor I: PEM In P0 debugging is on
Environmental sensor I: PEM Out P0 debugging is on
Environmental sensor W: In pwr P0 debugging is on
Environmental sensor W: Out pwr P0 debugging is on
Environmental sensor RPM: fan0 P0 debugging is on
*Jul 8 21:49:23.292 PDT: Sensor: Temp: Temp 1 P0, In queue 1

*Jul 8 21:49:23.292 PDT: State=Normal Reading=35
*Jul 8 21:49:23.292 PDT: Rotation count=0 Poll period=20000
*Jul 8 21:49:23.292 PDT: Sensor: Temp: Temp 1 P0 State=Normal Reading=35
*Jul 8 21:49:23.292 PDT: Inserting into queue 1 on spoke 189.
*Jul 8 21:49:23.292 PDT: Rotation count=20 Displacement=0
*Jul 8 21:49:23.292 PDT: Sensor: V: PEM In P0, In queue 1
*Jul 8 21:49:23.293 PDT: Sensor: V: PEM In P0 State=Normal Reading=118501
*Jul 8 21:49:23.293 PDT: Sensor: V: PEM Out P0, In queue 1
*Jul 8 21:49:23.293 PDT: Sensor: V: PEM Out P0 State=Normal Reading=12000
*Jul 8 21:49:23.293 PDT: Sensor: I: PEM In P0, In queue 1
*Jul 8 21:49:23.293 PDT: Sensor: I: PEM In P0 State=Normal Reading=828
*Jul 8 21:49:23.293 PDT: Sensor: I: PEM Out P0, In queue 1
*Jul 8 21:49:23.293 PDT: Sensor: I: PEM Out P0 State=Normal Reading=7100
*Jul 8 21:49:23.293 PDT: Sensor: P: In pwr P0, In queue 1
*Jul 8 21:49:23.293 PDT: Sensor: P: In pwr P0 State=Normal Reading=98
*Jul 8 21:49:23.293 PDT: Sensor: P: Out pwr P0, In queue 1
*Jul 8 21:49:23.293 PDT: Sensor: P: Out pwr P0 State=Normal Reading=89
*Jul 8 21:49:23.293 PDT: Sensor: RPM: fan0 P0, In queue 1
197

*Jul 8 21:49:23.293 PDT: Sensor: RPM: fan0 P0 State=Normal Reading=5824
debug platform software cman env monitor polling: Example

Router# debug platform software cman env monitor polling
platform software cman env monitor polling debugging is on
Router#
*Jul 8 21:56:23.351 PDT: IOS-RP-ENVMON: sensor READ callback Temp: Temp 1, P0, 35
*Jul 8 21:56:23.351 PDT: Sensor: V: PEM In P0, In queue 1
*Jul 8 21:56:23.351 PDT: IOS-RP-ENVMON: sensor READ callback V: PEM In, P0, 118501
*Jul 8 21:56:23.351 PDT: Sensor: V: PEM In P0 State=Normal Reading=118501
*Jul 8 21:56:23.351 PDT: Sensor: V: PEM Out P0, In queue 1
*Jul 8 21:56:23.351 PDT: IOS-RP-ENVMON: sensor READ callback V: PEM Out, P0, 12000
198
*Jul 8 21:56:23.351 PDT: Sensor: V: PEM Out P0 State=Normal Reading=12000

*Jul 8 21:56:23.351 PDT: Sensor: I: PEM In P0, In queue 1
*Jul 8 21:56:23.351 PDT: IOS-RP-ENVMON: sensor READ callback I: PEM In, P0, 828
*Jul 8 21:56:23.351 PDT: Sensor: I: PEM In P0 State=Normal Reading=828
*Jul 8 21:56:23.351 PDT: Sensor: I: PEM Out P0, In queue 1
*Jul 8 21:56:23.351 PDT: IOS-RP-ENVMON: sensor READ callback I: PEM Out, P0, 7100
*Jul 8 21:56:23.352 PDT: Sensor: I: PEM Out P0 State=Normal Reading=7100
*Jul 8 21:56:23.352 PDT: Sensor: P: In pwr P0, In queue 1
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback P: In pwr, P0, 98
*Jul 8 21:56:23.352 PDT: Sensor: P: In pwr P0 State=Normal Reading=98
*Jul 8 21:56:23.352 PDT: Sensor: P: Out pwr P0, In queue 1
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback P: Out pwr, P0, 88
*Jul 8 21:56:23.352 PDT: Sensor: P: Out pwr P0 State=Normal Reading=88
*Jul 8 21:56:23.352 PDT: Sensor: RPM: fan0 P0, In queue 1
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback RPM: fan0, P0, 5888
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback P: pwr, P2, 8
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback Temp: Inlet 1, R0, 29
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback Temp: Inlet 2, R0, 30
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback Temp: Outlet 1, R0, 35
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback Temp: Outlet 2, R0, 36
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback Temp: CP-CPU, R0, 42
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback V: 12v, R0, 12127
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback V: 5v, R0, 5022
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback V: 3.3v, R0, 3308
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback V: 1.2v_CPU, R0, 1201
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback V: 1.05v_CPU, R0, 1052
*Jul 8 21:56:23.352 PDT: IOS-RP-ENVMON: sensor READ callback P: pwr, R0, 86
*Jul 8 21:56:25.352 PDT: IOS-RP-ENVMON: sensor READ callback P: pwr: Pwr, 0/1, 5
*Jul 8 21:56:32.354 PDT: IOS-RP-ENVMON: sensor READ callback P: pwr: Pwr, 1/0, 27
199
debug ilpower: Example

Router# debug ilpower ?
cdp ILPOWER CDP messages
controller ILPOWER controller
event ILPOWER event
ha ILPOWER High-Availability
port ILPOWER port management
powerman ILPOWER powerman
registries ILPOWER registries
scp ILPOWER SCP messages
upoe ILPOWER upoe
debug power [inline|main]: Example

In this example, there is one 1000W power supply and one 450W power supply. Inline and main
power output is shown.
Router# debug power ?
inline ILPM inline power related
main Main power related
<cr> <cr>
Router# debug power
POWER all debug debugging is on
Router# show debugging | include POWER

POWER:
POWER main debugging is on
POWER inline debugging is on
Router#
..
*Jul 8 21:56:23.351: %ENVIRONMENTAL-6-NOTICE: V: PEM Out, Location: P1, State: Warning,

Reading: 0 mV
*Jul 8 21:56:23.351: %IOSXE_PEM-6-PEMOK: The PEM in slot P1 is functioning properly
*Jul 8 21:56:23.351: %PLATFORM_POWER-6-MODEMATCH: Main power is in Boost mode
*Jul 8 21:56:23.351: Power M: Received Msg for 12V/Main, total power 1450, Run same as cfg
Yes
*Jul 8 21:56:23.351: Power M: Received Msg for POE/ILPM, total power 500, Run same as cfg
No
*Jul 8 21:56:23.351: Power I: Updating pool power is 500 watts
*Jul 8 21:56:23.351: Power I: Intimating modules of total power 500 watts
*Jul 8 21:56:23.351: Power M: Received Msg for 12V/Main, total power 1450, Run same as cfg
Yes
*Jul 8 21:56:23.351: Power M: Received Msg for POE/ILPM, total power 500, Run same as cfg
No
*Jul 8 21:56:23.351: Power I: Updating pool power is 500 watts
*Jul 8 21:56:23.351: Power I: Intimating modules of total power 500 watts
Router#
show diag all eeprom: Example

Router# show diag all eeprom
MIDPLANE EEPROM data:
Product Identifier (PID) : C8300-1N1S-6T

Version Identifier (VID) : V00
PCB Serial Number : FDO231403QE
Hardware Revision : 1.0
200
CLEI Code : TBDTBDTBDT

Power/Fan Module P0 EEPROM data:
Product Identifier (PID) : PWR-4430-AC

PCB Serial Number : LIT23032XFS
CLEI Code : IPUPAMFAAB
Power/Fan Module P1 EEPROM data is not initialized
External PoE Module POE0 EEPROM data is not initialized
External PoE Module POE1 EEPROM data is not initialized
Internal PoE is not present
Slot R0 EEPROM data:

Slot F0 EEPROM data:

Slot 0 EEPROM data:

Slot 1 EEPROM data:

SPA EEPROM data for subslot 0/0:
Product Identifier (PID) : 4x1G-2xSFP

PCB Serial Number :
Top Assy. Part Number : 68-2236-01
Top Assy. Revision : A0
CLEI Code : CNUIAHSAAA
SPA EEPROM data for subslot 0/1 is not available
201
show environment: Example

In this example, note the output for the slots POE0 and POE1.
Router# show environment
Number of Critical alarms: 0
Number of Major alarms: 0
Number of Minor alarms: 0
Slot Sensor Current State Reading

Threshold(Minor,Major,Critical,Shutdown)
---------- -------------- --------------- ------------
---------------------------------------
P0 Temp: Temp 1 Normal 34 Celsius (na ,na ,na ,na )(Celsius)
P0 V: PEM In Normal 119001mV na
P0 V: PEM Out Normal 12100mV na
P0 I: PEM In Normal 820 mA na
P0 I: PEM Out Normal 7200 mA na
P0 P: In pwr Normal 97 Watts na
P0 P: Out pwr Normal 88 Watts na
P0 RPM: fan0 Normal 5760 RPM na
P2 RPM: fan0 Normal 12600RPM na
P2 P: pwr Normal 8 Watts na
R0 Temp: Inlet 1 Normal 29 Celsius (na ,na ,48 ,na )(Celsius)
R0 Temp: Inlet 2 Normal 30 Celsius (na ,na ,na ,na )(Celsius)
R0 Temp: Outlet 1 Normal 34 Celsius (na ,na ,81 ,na )(Celsius)
R0 Temp: Outlet 2 Normal 35 Celsius (na ,na ,81 ,na )(Celsius)
R0 Temp: CP-CPU Normal 42 Celsius (na ,na ,97 ,na )(Celsius)
R0 V: 12v Normal 12119mV na
R0 V: 5v Normal 5022 mV na
R0 V: 3.3v Normal 3308 mV na
R0 V: 1.2v_CPU Normal 1201 mV na
R0 V: 1.05v_CPU Normal 1054 mV na
R0 P: pwr Normal 85 Watts na
0/1 P: pwr: Pwr Normal 5 Watts na
1/0 P: pwr: Pwr Normal 28 Watts na
202
show environment all: Example

Router# show environment all
Sensor List: Environmental Monitoring
Sensor Location State Reading
Temp: Temp 1 P0 Normal 36 Celsius
V: PEM In P0 Normal 206502 mV
V: PEM Out P0 Normal 12000 mV
I: PEM In P0 Normal 281 mA
I: PEM Out P0 Normal 3500 mA
P: In pwr P0 Normal 53 Watts
P: Out pwr P0 Normal 43 Watts
RPM: fan0 P0 Normal 3712 RPM
P: pwr P2 Normal 3 Watts
Temp: Inlet 1 R0 Normal 19 Celsius
Temp: Inlet 2 R0 Normal 21 Celsius
Temp: Outlet 1 R0 Normal 25 Celsius
Temp: Outlet 2 R0 Normal 23 Celsius
Temp: CP-CPU R0 Normal 29 Celsius
V: 12v R0 Normal 11984 mV
V: 5v R0 Normal 5018 mV
V: 3.3v R0 Normal 3311 mV
V: 1.2v_CPU R0 Normal 1200 mV
V: 1.05v_CPU R0 Normal 1051 mV
P: pwr R0 Normal 45 Watts
show inventory: Example

Router# show inventory
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
INFO: Please use "show license UDI" to get serial number for licensing.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
NAME: "Chassis", DESCR: "Cisco C8300-1N1S-6T Chassis"

PID: C8300-1N1S-6T , VID: V00 , SN: FDO2320A0C
NAME: "Fan Tray", DESCR: "Cisco C8300 1RU Fan Assembly"

PID: C8300-FAN-1R , VID: , SN:
NAME: "module 0", DESCR: "Cisco C8300-1N1S-6T Built-In NIM controller"

PID: C8300-1N1S-6T , VID: , SN:
NAME: "NIM subslot 0/0", DESCR: "Front Panel 6 ports Gigabitethernet Module"
PID: 4x1G-2xSFP , VID: V01 , SN:
NAME: "module 1", DESCR: "Cisco C8300-1N1S-6T Built-In SM controller"
203
PID: C8300-1N1S-6T , VID: , SN:
NAME: "module R0", DESCR: "Cisco C8300-1N1S-6T Route Processor"

PID: C8300-1N1S-6T , VID: V00 , SN: FDO231403QE
NAME: "module F0", DESCR: "Cisco C8300-1N1S-6T Forwarding Processor"

PID: C8300-1N1S-6T , VID: , SN:
show platform: Example

Chassis type: C8300-1N1S-6T

--------- ------------------- --------------------- -----------------
0 C8300-1N1S-6T ok 2d03h
0/0 4x1G-2xSFP ok 2d03h
1 C8300-1N1S-6T ok 2d03h
R0 C8300-1N1S-6T ok, active 2d03h
F0 C8300-1N1S-6T ok, active 2d03h
P0 PWR-4430-AC ok 2d03h
P1 Unknown empty never
P2 C8300-FAN-1R ok 2d03h

--------- ------------------- ---------------------------------------
0 19121329 1RU-20191104
1 19121329 1RU-20191104
R0 19121329 1RU-20191104
F0 19121329 1RU-20191104
show platform diag: Example

Router# show platform diag
Chassis type: C8300-1N1S-6T
Slot: 0, C8300-1N1S-6T
Running state : ok
Physical insert detect time : 00:00:29 (2d03h ago)
Software declared up time : 00:01:05 (2d03h ago)
Firmware version : 1RU-20191104
Sub-slot: 0/0, 4x1G-2xSFP

Logical insert detect time : 00:01:27 (2d03h ago)
Slot: 1, C8300-1N1S-6T
Running state : ok
204
Slot: R0, C8300-1N1S-6T

Slot: F0, C8300-1N1S-6T

Hardware ready signal time : 00:00:58 (2d03h ago)
Packet ready signal time : 00:01:05 (2d03h ago)
Slot: P0, PWR-4430-AC

State : ok
Slot: P1, Unknown

State : empty
Physical insert detect time : 00:00:00 (never ago)
Slot: P2, C8300-FAN-1R

State : ok
Slot: POE0, Unknown

State : empty
Slot: POE1, Unknown

State : empty
Slot: GE-POE, Unknown

State : NA
show platform software status control-processor: Example

Router# show platform software status control-processor
Load Average: healthy
Memory (kb): healthy
Total: 3884836
Used: 1976928 (51%), status: healthy
Free: 1907908 (49%)
Committed: 3165956 (81%), under 90%
Per-core Statistics
205

IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.10, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
IRQ: 0.00, SIRQ: 0.00, IOwait: 0.00
show diag slot RO eeprom detail: Example

Router# show diag slot R0 eeprom detail
Slot R0 EEPROM data:
EEPROM version : 4
Compatible Type : 0xFF
PCB Serial Number : FDO23470DHV
Controller Type : 4268
PCB Part Number : 73-19423-07
Board Revision : A0
Top Assy. Part Number : 800-105842-02
Deviation Number : 551831
Fab Version : 07
Product Identifier (PID) : C8300-1N1S-4T2X
CLEI Code : CMM6J00ARA
Processor type : D0
Chassis Serial Number : FDO2401A038
Chassis MAC Address : c4b2.399e.b6c0
MAC Address block size : 144
Manufacturing Test Data : 00 00 00 00 00 00 00 00
Asset ID :
show version: Example


17.3.1prd8, RELEASE SOFTWARE
(fc1)

software.
206
Configuring Power Supply Mode
ROM: (c)
Router uptime is 2 days, 3 hours, 26 minutes

Uptime for this control processor is 2 days, 3 hours, 27 minutes
System returned to ROM by Reload Command
System image file is "bootflash:c8000be-universalk9.17.03.01prd8.SPA.bin"


[email protected].
-----------------------------------------------------------------
Current Next Reboot
-----------------------------------------------------------------
Smart License Perpetual network-essentials network-essentials
Smart Licensing Status: UNREGISTERED/EVAL MODE

Configuring Power Supply Mode

You can configure the power supplies of both the device and a connected Power over Ethernet (PoE) module.
• Configuring the Edge Platforms Power Supply Mode, on page 208
• Configuring the External PoE Service Module Power Supply Mode, on page 208
207
Configuring the Edge Platforms Power Supply Mode
• Examples for Configuring Power Supply Mode, on page 208

• Available PoE Power, on page 210
For more information on the Power Supply Mode, See the Overview of the Power Options section.
• Hardware Installation Guide for Cisco Catalyst 8300 Series Edge Platform
Configuring the Edge Platforms Power Supply Mode

Configure the main power supply on the Edge Platforms using the power main redundant command:
• power main redundant—Sets the main power supply in redundant mode.
• no power main redundant—Sets the main power supply in boost mode.
The boost mode is supported only on C8300-2N2S-4T2X and C8300-2N2S-6T platforms.
Note The default mode for the device power supply is redundant mode.
Configuring the External PoE Service Module Power Supply Mode

Configure the power supply of an external PoE service module using the power inline redundant command:
• power inline redundant—Sets the external PoE service module power supply in redundant mode.
• no power inline redundant—Sets the external PoE service module power supply in boost mode. The
boost mode is supported only on C8300-2N2S-4T2X and C8300-2N2S-6T platforms.
Note The default mode for the external PoE service module power supply is redundant mode.
The show power command shows whether boost or redundant mode is configured and whether this mode is
currently running on the system.
Examples for Configuring Power Supply Mode
Example—Configured Mode of Boost for Main PSU and PoE Module

The Boost mode is supported only on C8300-2N2S-4T2X and C8300-2N2S-6T platforms. In this
example, the show power command shows the configured mode as Boost, which is also the current
runtime state. The Main PSU shows information about the main power supply. The POE Module shows
information about the inline/PoE power. In this example, the current run-time state for the main
power supply is the same as the configured state (Boost mode).
Router# show power
Main PSU :
208
Examples for Configuring Power Supply Mode
Configured Mode : Boost

Current runtime state same : Yes
Total power available : 2000 Watts
POE Module :
Router#
Example—Configured Mode of Boost for Main PSU and PoE Module

In this example, the show power command shows the power supplies that are present in the device.
The Main PSU and POE Module are configured to the Boost mode, which differs from the current
runtime state. The current runtime state is the Redundant mode. A likely explanation for this is that
there is only one main power supply present in the router. See mode example 4 in the table titled
"Modes of Operation" in Available PoE Power, on page 210.
You can enter the show platform command to show the power supplies that are present in the device.
Router# show power
Main PSU :
Current runtime state same : No
POE Module :
Router#
Example—Configured Mode of Redundant for Main PSU and PoE Module

In this example, the show power command shows the configured mode is Redundant for both the
main and inline power. The system has one 450 W and one 100 W power supply.
Router# show powerMain PSU :
Configured Mode : Redundant
POE Module :
Router#
Example—Configured Mode of Boost for Main Power

In this example, the main power is configured to be in boost mode by using the no form of the power
main redundant command. This sets the main power to boost mode with 1450 W and inline power
to redundant mode with 500 W.
Router(config)# no power main redundant
Router(config)#
*Jan 31 03:35:22.284: %PLATFORM_POWER-6-MODEMATCH: Inline power is in Redundant mode
209
Available PoE Power
Router(config)#
Router#
*Jan 31 03:36:13.111: %SYS-5-CONFIG_I: Configured from console by console
Router# show power
Main PSU :
POE Module :
Router#
Example—Configured Mode of Boost for PoE Power

In this example, an attempt is made to configure the inline power in boost mode by using the no form
of the power inline redundant command. The inline power mode is not changed to boost mode
because that would require a total power available in redundant mode of 1000 W. The inline power
mode is redundant and is shown by the following values for the PoE Module:
• Configured Mode : Boost
• Current runtime state same : No

Router(config)# no power inline redundant
Router(config)#
*Jan 31 03:42:40.947: %PLATFORM_POWER-6-MODEMISMATCH: Inline power not in Boost mode
Router(config)#
Router#
*Jan 31 03:36:13.111: %SYS-5-CONFIG_I: Configured from console by console
Router# show power
Main PSU :
POE Module :
Router#
Available PoE Power

For the PoE feature to be available on the external PoE module, the total power from the power supplies must
be 500 W or higher.
Note To ensure the PoE feature is functional on the external PoE module, verify the availability of PoE power on
your router using the show platform and show power commands.
210
Available PoE Power
To determine there is enough PoE power for use by an external PoE service module, use the show platform
and show power commands to calculate the available PoE power based on the wattage values of the main
power supplies and PoE inverters.
Take the values of your main P0 and P1 power supplies to give the Total Power (for main power supplies.)
Then take the values of your PoE1 and PoE2 power inverters to calculate the Total PoE Power.
The following table shows example modes of operation, which may be similar to your configuration.
The Total PoE Power value, in the final column of the table needs to be 500 W or higher for the PoE feature
to be functional on a connected PoE service module.
Note Add power inverters to the router before inserting an external PoE module. Otherwise, even if the Total PoE
Power is sufficient, the PoE power will not be used by the external PoE module and the module will need to
be re-booted for the PoE feature to be functional.
Configuring a power mode of boost or redundant on the main power supplies, or PoE inverters, may affect
the value for Total PoE Power.
The following table shows all power values in Watts. The wattage ratings of the main power supplies are
shown in columns Main P0 and Main P1. The wattage ratings of the PoE inverters are shown in columns
PoE0 and PoE1.
Table 18: Modes of Operation
Mode Main P0 Main P1 Config Total PoE0 PoE1 Config Total PoE
Example Mode Power Mode Power
(Main)
1 450 None Redundant 450 None 500 Redundant 0 (None)

or Boost or Boost
2 450 450 Boost 900 None 500 Redundant 0 (None)

or Boost
3 450 450 Redundant 450 500 None Redundant 0 (None)

or Boost
4 1000 None Redundant 1000 500 None Redundant 500

or Boost or Boost
5 1000 450 Redundant 450 500 500 Redundant 0 (None)

or Boost
6 1000 450 Boost 1450 500 500 Boost 500
7 1000 1000 Redundant 1000 500 500 Boost 500
8 1000 1000 Boost 2000 500 500 Boost 1000
211
Available PoE Power
Note In the table above, for 500 W or higher Total PoE Power to be available, the "Total Power" (of the main power
supplies) must be 1000 W or higher.
For 1000 W Total PoE Power (see Mode Example 8 above), there must be two 1000 W main power supplies
(in Boost mode) and two PoE inverters (also in Boost mode).
Caution Care should be taken while removing the power supplies and power inverters (especially in Boost mode of
operation). If the total power consumption is higher than can be supported by one power supply alone and in
this condition a power supply is removed, the hardware can be damaged. This may then result in the system
being unstable or unusable.
Similarly, in the case where there is only one PoE inverter providing PoE power to a service module, and in
this condition the PoE inverter is removed, the hardware may be damaged, and may result in the system being
unstable or unusable.
212
CHAPTER 15
Configuring High Availability
The Cisco High Availability (HA) technology enable network-wide protection by providing quick recovery
from disruptions that may occur in any part of a network. A network's hardware and software work together
with Cisco High Availability technology, which besides enabling quick recovery from disruptions, ensures
fault transparency to users and network applications.
The following sections describe how to configure Cisco High Availability features on your device:
• About Cisco High Availability, on page 213
• Interchassis High Availability, on page 213
• Bidirectional Forwarding Detection, on page 214
• Configuring Cisco High Availability, on page 215
About Cisco High Availability

The unique hardware and software architecture of your router is designed to maximize router uptime during
any network event, and thereby provide maximum uptime and resilience within any network scenario.
This section covers some aspects of Cisco High Availability that may be used on the Cisco Catalyst 8300
Series Edge Platform:
• Interchassis High Availability, on page 213
• Bidirectional Forwarding Detection, on page 214
Interchassis High Availability

The Interchassis High Availability feature is also known as the box-to-box redundancy feature. Interchassis
High Availability enables the configuration of pairs of devices to act as backup for each other. This feature
can be configured to determine the active device based on several failover conditions. When a failover occurs,
the standby device seamlessly takes over and starts processing call signaling and performing media forwarding
tasks.
Groups of redundant interfaces are known as redundancy groups. The following figure depicts the active-standby
device scenario. It shows how the redundancy group is configured for a pair of devices that have a single
outgoing interface.
213
IPsec Failover
Figure 4: Redundancy Group Configuration
The device are joined by a configurable control link and data synchronization link. The control link is used
to communicate the status of the devices. The data synchronization link is used to transfer stateful information
to synchronize the stateful database for the calls and media flows. Each pair of redundant interfaces are
configured with the same unique ID number, also known as the RII. For information on configuring Interchassis
HA on your device, see Configuring Interchassis High Availability, on page 215.
IPsec Failover
The IPsec Failover feature increases the total uptime (or availability) of your IPsec network. Traditionally,
the increased availability of your IPsec network is accomplished by employing a redundant (standby) device
in addition to the original (active) device. When the active device becomes unavailable for a reason, the
standby device takes over the processing of IKE and IPsec. IPsec failover falls into two categories: stateless
failover and stateful failover.
On the device, only the stateless form of IPsec failover is supported. This stateless failover uses protocols
such as the Hot Standby Router Protocol (HSRP) to provide primary to secondary cutover and also allows
the active and standby VPN gateways to share a common virtual IP address.
Bidirectional Forwarding Detection

Bidirectional Forwarding Detection (BFD) is a detection protocol designed to provide fast-forwarding
path-failure detection times for all media types, encapsulations, topologies, and routing protocols. In addition
to fast-forwarding path-failure detection, BFD provides a consistent failure detection method for network
administrators. Because a network administrator can use BFD to detect forwarding path failures at a uniform
rate rather than variable rates for different routing protocol hello mechanisms, network profiling and planning
is easier, and reconvergence time is consistent and predictable.
For more information on BFD, see the “Bidirectional Forwarding Detection” section in the IP Routing: BFD
Configuration Guide .
214
Bidirectional Forwarding Detection Offload
Bidirectional Forwarding Detection Offload

The Bidirectional Forwarding Detection Offload feature allows the offload of BFD session management to
the forwarding engine for improved failure detection times. BFD offload reduces the overall network
convergence time by sending rapid failure detection packets (messages) to the routing protocols for recalculating
the routing table. See Configuring BFD Offload, on page 216.
Configuring Cisco High Availability

• Configuring Interchassis High Availability, on page 215
• Configuring Bidirectional Forwarding, on page 216
• Verifying Interchassis High Availability, on page 216
• Verifying BFD Offload, on page 223
Configuring Interchassis High Availability

Prerequisites
• The active device and the standby device must run on the identical version of the Cisco IOS XE software.
• The active device and the standby device must be connected through an L2 connection for the control
path.
• Either the Network Time Protocol (NTP) must be configured or the clock must be set identical on both
devices to allow timestamps and call timers to match.
• Virtual Routing and Forwarding (VRF) must be defined in the same order on both active and standby
devices for an accurate synchronization of data.
• The latency times must be minimal on all control and data links to prevent timeouts.
• Physically redundant links, such as Gigabit EtherChannel, must be used for the control and data paths.
Restrictions
• The failover time for a box-to-box application is higher for a non-box-to-box application.
• LAN and MESH scenarios are not supported.
• VRFs are not supported and cannot be configured under ZBFW High Availability data and control
interfaces.
• The maximum number of virtual MACs supported by the Front Panel Gigabit Ethernet (FPGE) interfaces
depends on the platform. For information about the FPGE interfaces, see the Hardware Installation Guide
for Cisco Catalyst 8300 Edge Platform.
• When the configuration is replicated to the standby device, it is not committed to the startup configuration;
it is in the running configuration. A user must run the write memory command to commit the changes
that have been synchronized from the active device, on the standby device.
215
Configuring Bidirectional Forwarding
How to Configure Interchassis High Availability

For more information on configuring Interchassis High Availability on the device, see the IP Addressing:
NAT Configuration Guide, Cisco IOS XE Release 3S.
Configuring Bidirectional Forwarding

For information on configuring BFD on your device, see the IP Routing BFD Configuration Guide.
For BFD commands, see the Cisco IOS IP Routing: Protocol-Independent Command Reference document.
Configuring BFD Offload
Restrictions
• Only BFD version 1 is supported.
• When configured, only offloaded BFD sessions are supported;, BFD session on RP are not supported.
• Only Asynchronous mode or no echo mode of BFD is supported.
• 511 asynchronous BFD sessions are supported.
• BFD hardware offload is supported for IPv4 sessions with non-echo mode only.
• BFD offload is supported only on port-channel interfaces.
• BFD offload is supported only for the Ethernet interface.
• BFD offload is not supported for IPv6 BFD sessions.
• BFD offload is not supported for BFD with TE/FRR.
How to Configure BFD Offload

BFD offload functionality is enabled by default. You can configure BFD hardware offload on the route
processor. For more information, see Configuring BFD and the IP Routing BFD Configuration Guide.
Verifying Interchassis High Availability

Use the following show commands to verify the Interchassis High Availability.
Note Prerequisites and links to additional documentation configuring Interchassis High Availability are listed in
Configuring Interchassis High Availability, on page 215.
• show redundancy application group [group-id | all]

• show redundancy application transport {client | group [group-id]}
• show redundancy application control-interface group [group-id]
• show redundancy application faults group [group-id]
216
• show redundancy application protocol {protocol-id | group [group-id]}

• show redundancy application if-mgr group [group-id]
• show redundancy application data-interface group [group-id]
The following example shows the redundancy application groups configured on the device:
Router# show redundancy application group
Group ID Group Name State
-------- ---------- -----
1 Generic-Redundancy-1 STANDBY
2 Generic-Redundancy2 ACTIVE
The following example shows the details of redundancy application group 1:

Router# show redundancy application group 1
Group ID:1
Group Name:Generic-Redundancy-1
Administrative State: No Shutdown

Aggregate operational state : Up
My Role: STANDBY
Peer Role: ACTIVE
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes
RF Domain: btob-one
RF state: STANDBY HOT
Peer RF state: ACTIVE
The following example shows the details of redundancy application group 2:

Router# show redundancy application group 2
Group ID:2
Group Name:Generic-Redundancy2
Administrative State: No Shutdown

Aggregate operational state : Up
My Role: ACTIVE
Peer Role: STANDBY
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes
RF Domain: btob-two
RF state: ACTIVE
Peer RF state: STANDBY HOT
The following example shows details of the redundancy application transport client:
Router# show redundancy application transport client
Client Conn# Priority Interface L3 L4
( 0)RF 0 1 CTRL IPV4 SCTP
( 1)MCP_HA 1 1 DATA IPV4 UDP_REL
( 4)AR 0 1 ASYM IPV4 UDP
( 5)CF 0 1 DATA IPV4 SCTP
The following example shows configuration details for the redundancy application transport group:
Router# show redundancy application transport group
Transport Information for RG (1)
217
Client = RF
TI conn_id my_ip my_port peer_ip peer_por intf L3 L4
0 0 192.0.2.8 59000 192.0.2.4 59000 CTRL IPV4 SCTP
Client = MCP_HA
1 1 10.10.2.10 53000 10.10.6.9 53000 DATA IPV4 UDP_REL
Client = AR
2 0 192.0.2.3 0 192.0.2.3 0 NONE_IN NONE_L3 NONE_L4
Client = CF
3 0 10.10.2.10 59001 10.10.6.9 59001 DATA IPV4 SCTP
Client = RF
8 0 192.0.2.8 59004 192.0.2.2 59004 CTRL IPV4 SCTP
Client = MCP_HA
9 1 10.10.2.10 53002 10.10.6.9 53002 DATA IPV4 UDP_REL
Client = AR
Client = CF
11 0 10.10.2.10 59005 10.10.6.9 59005 DATA IPV4 SCTP
The following example shows the configuration details of redundancy application transport group 1:
Router# show redundancy application transport group 1
Client = RF
0 0 192.0.2.8 59000 192.0.2.4 59000 CTRL IPV4 SCTP
Client = MCP_HA
1 1 10.10.2.10 53000 10.10.2.10 53000 DATA IPV4 UDP_REL
Client = AR
Client = CF
3 0 10.10.2.10 59001 10.10.2.10 59001 DATA IPV4 SCTP
The following example shows configuration details of redundancy application transport group 2:
Router# show redundancy application transport group 2
Client = RF
8 0 192.0.2.8 59004 192.0.2.4 59004 CTRL IPV4 SCTP
Client = MCP_HA
9 1 10.10.2.10 53002 10.10.2.10 53002 DATA IPV4 UDP_REL
Client = AR
Client = CF
11 0 10.10.2.10 59005 10.10.2.10 59005 DATA IPV4 SCTP
The following example shows configuration details of the redundancy application control-interface group:
Router# show redundancy application control-interface group
The control interface for rg[1] is GigabitEthernet0/0/0
Interface is Control interface associated with the following protocols: 2 1
BFD Enabled
218
Interface Neighbors:
Peer: 192.0.2.4 Active RGs: 1 Standby RGs: 2 BFD handle: 0

BFD Enabled
The following example shows configuration details of the redundancy application control-interface group 1:
Router# show redundancy application control-interface group 1
BFD Enabled
The following example shows configuration details of the redundancy application control-interface group 2:
Router# show redundancy application control-interface group 2
BFD Enabled
The following example shows configuration details of the redundancy application faults group:
Router# show redundancy application faults group
Faults states Group 1 info:
Runtime priority: [50]
RG Faults RG State: Up.
Total # of switchovers due to faults: 0
Total # of down/up state changes due to faults: 2
The following example shows configuration details specific to redundancy application faults group 1:
Router# show redundancy application faults group 1
The following example shows configuration details specific to redundancy application faults group 2:
Router# show redundancy application faults group 2
The following example shows configuration details for the redundancy application protocol group:
Router# show redundancy application protocol group
RG Protocol RG 1
------------------
Role: Standby
Negotiation: Enabled
219
Priority: 50
Protocol state: Standby-hot
Ctrl Intf(s) state: Up
Active Peer: address 192.0.4.2, priority 150, intf Gi0/0/0
Standby Peer: Local
Log counters:
role change to active: 0
role change to standby: 1
disable events: rg down state 1, rg shut 0
ctrl intf events: up 2, down 1, admin_down 1
reload events: local request 0, peer request 0
RG Media Context for RG 1

--------------------------
Ctx State: Standby
Protocol ID: 1
Media type: Default
Control Interface: GigabitEthernet0/0/0
Current Hello timer: 3000
Configured Hello timer: 3000, Hold timer: 10000
Peer Hello timer: 3000, Peer Hold timer: 10000
Stats:
Pkts 117, Bytes 7254, HA Seq 0, Seq Number 117, Pkt Loss 0
Authentication not configured
Authentication Failure: 0
Reload Peer: TX 0, RX 0
Resign: TX 0, RX 0
Active Peer: Present. Hold Timer: 10000
RG Protocol RG 2
------------------
Role: Active
Priority: 135
Protocol state: Active
Active Peer: Local
Standby Peer: address 192.0.4.2, priority 130, intf Gi0/0/0
Log counters:

--------------------------
Ctx State: Active
Protocol ID: 2
Media type: Default
Stats:
Resign: TX 0, RX 1
220
Standby Peer: Present. Hold Timer: 10000

The following example shows configuration details for the redundancy application protocol group 1:
Router# show redundancy application protocol group 1
RG Protocol RG 1
------------------
Role: Standby
Priority: 50
Protocol state: Standby-hot
Active Peer: address 192.0.4.2, priority 150, intf Gi0/0/0
Standby Peer: Local
Log counters:

--------------------------
Ctx State: Standby
Protocol ID: 1
Media type: Default
Stats:
Resign: TX 0, RX 0
Active Peer: Present. Hold Timer: 10000
The following example shows configuration details for the redundancy application protocol group 2:
Router# show redundancy application protocol group 2
RG Protocol RG 2
------------------
Role: Active
Priority: 135
Protocol state: Active
Active Peer: Local
Standby Peer: address 192.0.4.2, priority 130, intf Gi0/0/0
Log counters:

--------------------------
Ctx State: Active
Protocol ID: 2
Media type: Default
221

Stats:
Resign: TX 0, RX 1
Standby Peer: Present. Hold Timer: 10000
The following example shows configuration details for the redundancy application protocol 1:
Router# show redundancy application protocol 1
Protocol id: 1, name: rg-protocol-1
BFD: ENABLE
Hello timer in msecs: 3000
Hold timer in msecs: 10000
OVLD-1#show redundancy application protocol 2
Protocol id: 2, name: rg-protocol-2
BFD: ENABLE
Hello timer in msecs: 3000
Hold timer in msecs: 10000
The following example shows configuration details for redundancy application interface manager group:
Router# show redundancy application if-mgr group
RG ID: 1
==========
interface GigabitEthernet0/0/3.152
---------------------------------------
VMAC 0007.b421.4e21
VIP 203.0.113.1
Shut shut
Decrement 10
---------------------------------------
VMAC 0007.b421.5209
VIP 203.0.113.4
Shut shut
Decrement 10
RG ID: 2
==========
---------------------------------------
VMAC 0007.b422.14d6
VIP 203.0.113.6
Shut no shut
Decrement 10
---------------------------------------
VMAC 0007.b422.0d06
VIP 203.0.113.9
Shut no shut
Decrement 10
The following examples shows configuration details for redundancy application interface manager group 1
and group 2:
222
Verifying BFD Offload
Router# show redundancy application if-mgr group 1
RG ID: 1
==========
---------------------------------------
VMAC 0007.b421.4e21
VIP 203.0.113.3
Shut shut
Decrement 10
---------------------------------------
VMAC 0007.b421.5209
VIP 203.0.113.2
Shut shut
Decrement 10
Router# show redundancy application if-mgr group 2

RG ID: 2
==========
---------------------------------------
VMAC 0007.b422.14d6
VIP 203.0.113.5
Shut no shut
Decrement 10
---------------------------------------
VMAC 0007.b422.0d06
VIP 203.0.113.7
Shut no shut
Decrement 10
The following example shows configuration details for redundancy application data-interface group:
Router# show redundancy application data-interface group
The data interface for rg[1] is GigabitEthernet0/0/1
The following examples show configuration details specific to redundancy application data-interface group
1 and group 2:
Router# show redundancy application data-interface group 1
Router # show redundancy application data-interface group 2


Use the following commands to verify and monitor BFD offload feature on your device.
Note Configuration of BFD Offload is described in Configuring Bidirectional Forwarding, on page 216.
• show bfd neighbors [details]
223
• debug bfd [packet | event]

• debug bfd event
The show bfd neighbors command displays the BFD adjacency database:
Router# show bfd neighbor
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
192.0.2.1 362/1277 Up Up Gi0/0/1.2
192.0.2.5 445/1278 Up Up Gi0/0/1.3
192.0.2.3 1093/961 Up Up Gi0/0/1.4
192.0.2.2 1244/946 Up Up Gi0/0/1.5
192.0.2.6 1094/937 Up Up Gi0/0/1.6
192.0.2.7 1097/1260 Up Up Gi0/0/1.7
192.0.2.4 1098/929 Up Up Gi0/0/1.8
192.0.2.9 1111/928 Up Up Gi0/0/1.9
192.0.2.8 1100/1254 Up Up Gi0/0/1.10
The debug bfd neighbor detail command displays the debugging information related to BFD packets:
Router# show bfd neighbor detail
IPv4 Sessions
NeighAddr LD/RD RH/RS State Int
192.0.2.1 362/1277 Up Up Gi0/0/1.2
Session state is UP and not using echo function.
Session Host: Hardware
OurAddr: 192.0.2.2
Handle: 33
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 50000, MinRxInt: 50000, Multiplier: 3
Received MinRxInt: 50000, Received Multiplier: 3
Holddown (hits): 0(0), Hello (hits): 50(0)
Rx Count: 3465, Rx Interval (ms) min/max/avg: 42/51/46
Tx Count: 3466, Tx Interval (ms) min/max/avg: 39/52/46
Elapsed time watermarks: 0 0 (last: 0)
Registered protocols: CEF EIGRP
Uptime: 00:02:50
Last packet: Version: 1 - Diagnostic: 0
State bit: Up - Demand bit: 0
Poll bit: 0 - Final bit: 0
C bit: 1
Multiplier: 3 - Length: 24
My Discr.: 1277 - Your Discr.: 362
Min tx interval: 50000 - Min rx interval: 50000
Min Echo interval: 0
The show bfd summary command displays the BFD summary:

Router# show bfd summary
Session Up Down
Total 400 400 0
The show bfd drops command displays the number of packets dropped in BFD:
Router# show bfd drops
BFD Drop Statistics
IPV4 IPV6 IPV4-M IPV6-M MPLS_PW MPLS_TP_LSP
Invalid TTL 0 0 0 0 0 0
BFD Not Configured 0 0 0 0 0 0
No BFD Adjacency 33 0 0 0 0 0
224
Invalid Header Bits 0 0 0 0 0 0

Invalid Discriminator 1 0 0 0 0 0
Session AdminDown 94 0 0 0 0 0
Authen invalid BFD ver 0 0 0 0 0 0
Authen invalid len 0 0 0 0 0 0
Authen invalid seq 0 0 0 0 0 0
Authen failed 0 0 0 0 0 0
The debug bfd packet command displays debugging information about BFD control packets.
Router# debug bfd packet
*Nov 12 23:08:27.982: BFD-DEBUG Packet: Rx IP:192.0.2.1 ld/rd:1941/0 diag:0(No Diagnostic)
Down C cnt:4 ttl:254 (0)
*Nov 12 23:08:27.982: BFD-DEBUG Packet: Tx IP:192.0.2.1 ld/rd:983/1941 diag:3(Neighbor
Signaled Session Down) Init C cnt:44 (0)
Up PC cnt:4 ttl:254 (0)
*Nov 12 23:08:28.007: BFD-DEBUG Packet: Tx IP:192.0.2.1 ld/rd:983/1941 diag:0(No Diagnostic)
Up F C cnt:0 (0)
Up FC cnt:0 ttl:254 (0)
Up C cnt:0 (0)
Down C cnt:3 ttl:254 (0)
*Nov 12 23:08:28.311: BFD-DEBUG Packet: Tx IP:192.0.2.3 ld/rd:993/1907 diag:3(Neighbor
Signaled Session Down) Init C cnt:43 (0)
Up C cnt:0 ttl:254 (0)
Up PC cnt:3 ttl:254 (0)
Up F C cnt:0 (0)
Up FC cnt:0 ttl:254 (0)
Up C cnt:0 (0)
The debug bfd event displays debugging information about BFD state transitions:
Router# deb bfd event
*Nov 12 23:11:29.503: BFD-DEBUG Event: notify client(EIGRP) IP:192.0.2.6, ld:1401, handle:77,

event:DOWN adminDown, (0)
*Nov 12 23:11:29.503: BFD-DEBUG Event: notify client(CEF) IP:192.0.2.6, ld:1401, handle:77,
225

*Nov 12 23:11:30.639: BFD-HW-API: Handle 1404: Timers: Tx timer 1000000 Detect timer 0
*Nov 12 23:11:30.639: BFD-HW-API: Handle 1404: Flags: Poll 0 Final 0
*Nov 12 23:11:30.639: BFD-HW-API: Handle 1404: Buffer: 0x23480318 0x0000057C 0x00000000
0x000F4240 0x000F4240 0x00000000 size 24
*Nov 12 23:11:30.641: BFD-HW-API: Handle 1405: Timers: Tx timer 1000000 Detect timer 0
*Nov 12 23:11:30.641: BFD-HW-API: Handle 1405: Flags: Poll 0 Final 0
*Nov 12 23:11:30.641: BFD-HW-API: Handle 1405: Buffer: 0x23480318 0x0000057D 0x00000000
0x000F4240 0x000F4240 0x00000000 size 24
*Nov 12 23:11:30.649: BFD-DEBUG Packet: Rx IP:192.0.2.6 ld/rd:1601/1404
diag:7(Administratively Down) AdminDown C cnt:0 ttl:254 (0)
*Nov 12 23:11:30.650: BFD-DEBUG Event: V1 FSM ld:1404 handle:207 event:RX ADMINDOWN state:UP
(0)
*Nov 12 23:11:30.650: BFD-DEBUG Event: resetting timestamps ld:1404 handle:207 (0)
*Nov 12 23:11:30.650: BFD-DEBUG Packet: Tx IP:192.0.2.1 ld/rd:1404/0 diag:3(Neighbor Signaled
Session Down) Down C cnt:0 (0)
*Nov 12 23:11:30.650: BFD-DEBUG Packet: Rx IP:192.0.2.1 ld/rd:1620/1405
diag:7(Administratively Down) AdminDown C cnt:0 ttl:254 (0)
*Nov 12 23:11:30.650: BFD-DEBUG Event: V1 FSM ld:1405 handle:209 event:RX ADMINDOWN state:UP
(0)
*Nov 12 23:11:30.650: BFD-DEBUG Event: resetting timestamps ld:1405 handle:209 (0)
*Nov 12 23:11:30.650: BFD-DEBUG Packet: Tx IP:192.0.2.7 ld/rd:1405/0 diag:3(Neighbor Signaled
Session Down) Down C cnt:0 (0)
*Nov 12 23:11:31.035: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 192.0.2.8
226
CHAPTER 16
Configuring Secure Storage
Secure Storage feature allows you to secure critical configuration information by encrypting it. It encrypts
VPN, IPSec, and other asymmetric key-pairs, pre-shared secrets, the type 6 password encryption key and
certain credentials. An instance-unique encryption key is stored in the hardware trust anchor to prevent it from
being compromised.
By default, this feature is enabled on platforms that come with a hardware trust anchor. This feature is not
supported on platforms that do not have hardware trust anchor.
• Enabling Secure Storage , on page 227
• Disabling Secure Storage , on page 228
• Verifying the Status of Encryption, on page 229
• Verifying the Platform Identity, on page 229
Enabling Secure Storage

Before you begin
By default, this feature is enabled on a platform. Use this procedure on a platform where it is disabled.
SUMMARY STEPS
1. Config terminal
2. service private-config-encryption
3. do write memory
DETAILED STEPS

Step 1 Config terminal Enters the configuration mode.
Example:
router#config terminal
Step 2 service private-config-encryption Enables the Secure Storage feature on your platform.
Example:
227
Disabling Secure Storage

router(config)# service private-config-encryption
Step 3 do write memory Encrypts the private-config file and saves the file in an
encrypted format.
Example:
router(config)# do write memory
Example
The following example shows how to enable Secure Storage:
router(config)# service private-config-encryption
Disabling Secure Storage

Before you begin
To disable Secure Storage feature on a platform, perform this task:
SUMMARY STEPS
1. Config terminal
2. no service private-config-encryption
3. do write memory
DETAILED STEPS

Step 1 Config terminal Enters the configuration mode.
Example:
Step 2 no service private-config-encryption Disables the Secure Storage feature on your platform.
Example:
router(config)# no service
private-config-encryption
Step 3 do write memory Decrypts the private-config file and saves the file in plane
format.
Example:
228
Verifying the Status of Encryption
Example
The following example shows how to disable Secure Storage:
router(config)# no service private-config-encryption
Verifying the Status of Encryption

Use the show parser encrypt file status command to verify the status of encryption. The following command
output indicates that the feature is available but the file is not encrypted. The file is in ‘plain text’ format.
router#show parser encrypt file status
Feature: Enabled
File Format: Plain Text
Encryption Version: Ver1
The following command output indicates that the feature is enabled and the file is encrypted. The file is in
‘cipher text’ format.
router#show parser encrypt file status
Feature: Enabled
File Format: Cipher Text
Encryption Version: Ver1
Verifying the Platform Identity

Use the show platform sudi certificate command to display the SUDI certificate in standard PEM format.
The command output helps you verify the platform identity.
In the command output, the first certificate is the Cisco Root CA 2048 and the second is the Cisco subordinate
CA (ACT2 SUDI CA). The third is the SUDI certificate.
router#show platform sudi certificate sign nonce 123
-----BEGIN CERTIFICATE-----
MIIDQzCCAiugAwIBAgIQX/h7KCtU3I1CoxW1aMmt/zANBgkqhkiG9w0BAQUFADA1
MRYwFAYDVQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENB
IDIwNDgwHhcNMDQwNTE0MjAxNzEyWhcNMjkwNTE0MjAyNTQyWjA1MRYwFAYDVQQK
Ew1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgwggEg
MA0GCSqGSIb3DQEBAQUAA4IBDQAwggEIAoIBAQCwmrmrp68Kd6ficba0ZmKUeIhH
xmJVhEAyv8CrLqUccda8bnuoqrpu0hWISEWdovyD0My5jOAmaHBKeN8hF570YQXJ
FcjPFto1YYmUQ6iEqDGYeJu5Tm8sUxJszR2tKyS7McQr/4NEb7Y9JHcJ6r8qqB9q
VvYgDxFUl4F1pyXOWWqCZe+36ufijXWLbvLdT6ZeYpzPEApk0E5tzivMW/VgpSdH
jWn0f84bcN5wGyDWbs2mAag8EtKpP6BrXruOIIt6keO1aO6g58QBdKhTCytKmg9l
Eg6CTY5j/e/rmxrbU6YTYK/CfdfHbBcl1HP7R2RQgYCUTOG/rksc35LtLgXfAgED
o1EwTzALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJ/PI
FR5umgIJFq0roIlgX9p7L6owEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEF
BQADggEBAJ2dhISjQal8dwy3U8pORFBi71R803UXHOjgxkhLtv5MOhmBVrBW7hmW
Yqpao2TB9k5UM8Z3/sUcuuVdJcr18JOagxEu5sv4dEX+5wW4q+ffy0vhN4TauYuX
cB7w4ovXsNgOnbFp1iqRe6lJT37mjpXYgyc81WhJDtSd9i7rp77rMKSsH0T8lasz
Bvt9YAretIpjsJyp8qS5UwGH0GikJ3+r/+n6yUA4iGe0OcaEb1fJU9u6ju7AQ7L4
CYNu/2bPPu8Xs1gYJQk0XuPL1hS27PKSb3TkL4Eq1ZKR4OCXPDJoBYVL0fdX4lId
kxpUnwVwwEpxYB5DC2Ae/qPOgRnhCzU=
-----END CERTIFICATE-----
229
Verifying the Platform Identity
MIIEPDCCAySgAwIBAgIKYQlufQAAAAAADDANBgkqhkiG9w0BAQUFADA1MRYwFAYD
VQQKEw1DaXNjbyBTeXN0ZW1zMRswGQYDVQQDExJDaXNjbyBSb290IENBIDIwNDgw
HhcNMTEwNjMwMTc1NjU3WhcNMjkwNTE0MjAyNTQyWjAnMQ4wDAYDVQQKEwVDaXNj
bzEVMBMGA1UEAxMMQUNUMiBTVURJIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA0m5l3THIxA9tN/hS5qR/6UZRpdd+9aE2JbFkNjht6gfHKd477AkS
5XAtUs5oxDYVt/zEbslZq3+LR6qrqKKQVu6JYvH05UYLBqCj38s76NLk53905Wzp
9pRcmRCPuX+a6tHF/qRuOiJ44mdeDYZo3qPCpxzprWJDPclM4iYKHumMQMqmgmg+
xghHIooWS80BOcdiynEbeP5rZ7qRuewKMpl1TiI3WdBNjZjnpfjg66F+P4SaDkGb
BXdGj13oVeF+EyFWLrFjj97fL2+8oauV43Qrvnf3d/GfqXj7ew+z/sXlXtEOjSXJ
URsyMEj53Rdd9tJwHky8neapszS+r+kdVQIDAQABo4IBWjCCAVYwCwYDVR0PBAQD
AgHGMB0GA1UdDgQWBBRI2PHxwnDVW7t8cwmTr7i4MAP4fzAfBgNVHSMEGDAWgBQn
88gVHm6aAgkWrSugiWBf2nsvqjBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vd3d3
LmNpc2NvLmNvbS9zZWN1cml0eS9wa2kvY3JsL2NyY2EyMDQ4LmNybDBQBggrBgEF
BQcBAQREMEIwQAYIKwYBBQUHMAKGNGh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3Vy
aXR5L3BraS9jZXJ0cy9jcmNhMjA0OC5jZXIwXAYDVR0gBFUwUzBRBgorBgEEAQkV
AQwAMEMwQQYIKwYBBQUHAgEWNWh0dHA6Ly93d3cuY2lzY28uY29tL3NlY3VyaXR5
L3BraS9wb2xpY2llcy9pbmRleC5odG1sMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJ
KoZIhvcNAQEFBQADggEBAGh1qclr9tx4hzWgDERm371yeuEmqcIfi9b9+GbMSJbi
ZHc/CcCl0lJu0a9zTXA9w47H9/t6leduGxb4WeLxcwCiUgvFtCa51Iklt8nNbcKY
/4dw1ex+7amATUQO4QggIE67wVIPu6bgAE3Ja/nRS3xKYSnj8H5TehimBSv6TECi
i5jUhOWryAK4dVo8hCjkjEkzu3ufBTJapnv89g9OE+H3VKM4L+/KdkUO+52djFKn
hyl47d7cZR4DY4LIuFM2P1As8YyjzoNpK/urSRI14WdIlplR1nH7KNDl5618yfVP
0IFJZBGrooCRBjOSwFv8cpWCbmWdPaCQT2nwIjTfY8c=
-----END CERTIFICATE-----
MIIDhzCCAm+gAwIBAgIEAJT3DDANBgkqhkiG9w0BAQsFADAnMQ4wDAYDVQQKEwVD
aXNjbzEVMBMGA1UEAxMMQUNUMiBTVURJIENBMB4XDTE1MTExNDA5MzMzN1oXDTI1
MTExNDA5MzMzN1owczEsMCoGA1UEBRMjUElEOldTLUMzNjUwLTEyWDQ4VVEgU046
RkRPMTk0NkJHMDUxDjAMBgNVBAoTBUNpc2NvMRgwFgYDVQQLEw9BQ1QtMiBMaXRl
IFNVREkxGTAXBgNVBAMTEFdTLUMzNjUwLTEyWDQ4VVEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC6SARWyImWrRV/x7XQogAE+02WmzKki+4arMVBvl9o
GgvJfkoJDdaHOROSUkEE3qXtd8N3lfKy3TZ+jtHD85m2aGz6+IRx/e/lLsQzi6dl
WIB+N94pgecFBONPR9wJriox1IGD3B43b0hMLkmro4R5Zrs8XFkDo9k1tBU7F2O7
GEzb/WkO5NLexznef2Niglx9fCDL0HC27BbsR5+03p8jhG0+mvrp8M9du1HKiGin
ZIV4XgTMp1/k/TVaIepEGZuWM3hxdUZjkNGG1c1m+oB8vLX3UlSL76sDBBoiaprD
rjXBgBIozyFW8tTjh50jMDG84hKD5s31ifOe4KpqEcnVAgMBAAGjbzBtMA4GA1Ud
DwEB/wQEAwIF4DAMBgNVHRMBAf8EAjAAME0GA1UdEQRGMESgQgYJKwYBBAEJFQID
oDUTM0NoaXBJRD1VWUpOTlZJMENBUkhVM1Z1SUVSbFl5QXlPQ0F4TXpvek5Ub3lN
U0EwS0NnPTANBgkqhkiG9w0BAQsFAAOCAQEADjtM8vdlf+p1WKSKX1C1qQ4aEnD5
p8T5e4iTer7Y1fbCrHIEEm3mnip+568j299z0H8V7PDp1ljuLHyMFTC+945F9RfA
eAuVWVb5A9dnGL8MssBJe2lVSnZwrWkT1EIdxLYrTiPAQHtll6CN77S4u/f71oYE
tzPE5AGfyGw7ro1MEPVGffaQmYUDAwKFNBH1uI7c2S1qlwk4WWZ6xxci+lhaQnIG
pWzapaiAYL1XrcBz4KwFc1ZZpQT6hHw24jzYaYimvCo+/kSKuA9xNdtSu18ycox0
zKnXQ17s6aChMMt7Y8Nh4iz9BDejoOF6/b3sM0wRi+2/4j+6/GhcMRs0Og==
-----END CERTIFICTAE
Signature version: 1
Signature:
405C70D802B73947EDBF8D0D2C8180F10D4B3EF9694514219C579D2ED52F7D583E0F40813FC4E9F549B2EB1C21725F7C
B1C79F98271E47E780E703E67472380FB52D4963E1D1FB9787B38E28B8E696570A180B7A2F131B1F174EA79F5DB4765DF67386126D8
9E07EDF6C26E0A81272EA1437D03F2692937082756AE1F1BFAFBFACD6BE9CF9C84C961FACE9FA0FE64D85AE4FA086969D0702C536ABD
B8FBFDC47C14C17D02FEBF4F7F5B24D2932FA876F56B4C07816270A0B4195C53D975C85AEAE3A74F2DBF293F52423ECB7B853967080A
9C57DA3E4B08B2B2CA623B2CBAF7080A0AEB09B2E5B756970A3A27E0F1D17C8A243
230
CHAPTER 17
Configuring Call Home
The Call Home feature provides e-mail-based and web-based notification of critical system events. A versatile
range of message formats are available for optimal compatibility with pager services, standard e-mail, or
XML-based automated parsing applications. Common uses of this feature may include direct paging of a
network support engineer, e-mail notification to a Network Operations Center, XML delivery to a support
website, and use of Cisco Smart Call Home services for direct case generation with the Cisco Systems Technical
Assistance Center (TAC).
• Finding Feature Information, on page 231
• Prerequisites for Call Home, on page 231
• Information About Call Home, on page 232
• How to Configure Call Home, on page 234
• Configuring Diagnostic Signatures, on page 256
• Displaying Call Home Configuration Information, on page 264
• Default Call Home Settings, on page 270
• Alert Group Trigger Events and Commands, on page 270
• Message Contents, on page 277
Finding Feature Information

Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use the Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS
software image support. To access Cisco Feature Navigator, see http://tools.cisco.com/ITDIT/CFN/. A Cisco
account is not required to access the Cisco Feature Navigator.
Prerequisites for Call Home

The following are the prerequisites before you configure Call Home:
• Contact e-mail address (required for full registration with Smart Call Home, optional if Call Home is
enabled in anonymous mode), phone number (optional), and street address information (optional) should
be configured so that the receiver can determine the origin of messages received.
231
Information About Call Home
• At least one destination profile (predefined or user-defined) must be configured. The destination profile
you use depends on whether the receiving entity is a pager, an e-mail address, or an automated service
such as Cisco Smart Call Home.
If the destination profile uses e-mail message delivery, you must specify a Simple Mail Transfer Protocol
(SMTP) server.
• The router must have IP connectivity to an e-mail server or the destination HTTP server.
• If Cisco Smart Call Home is used, an active service contract covering the device is required to provide
full Cisco Smart Call Home service.
Information About Call Home

The Call Home feature can deliver alert messages containing information on configuration, environmental
conditions, inventory, syslog, snapshot, and crash events. It provides these alert messages as either e-mail-based
or web-based messages. Multiple message formats are available, allowing for compatibility with pager services,
standard e-mail, or XML-based automated parsing applications. This feature can deliver alerts to multiple
recipients, referred to as Call Home destination profiles, each with configurable message formats and content
categories. A predefined destination profile is provided for sending alerts to the Cisco TAC
([email protected]). You can also define your own destination profiles.
Flexible message delivery and format options make it easy to integrate specific support requirements.
This section contains the following subsections:
• Benefits of Using Call Home
• Obtaining Smart Call Home Services
Benefits of Using Call Home

The Call Home feature offers the following benefits:
• Multiple message-format options, which include:
• Short Text—Suitable for pagers or printed reports.
• Plain Text—Full formatted message information suitable for human reading.
• XML—Machine-readable format using XML and Adaptive Markup Language (AML) document
type definitions (DTDs). The XML format enables communication with the Cisco TAC.
• Multiple concurrent message destinations.

• Multiple message categories including configuration, environmental conditions, inventory, syslog,
snapshot, and crash events.
• Filtering of messages by severity and pattern matching.
• Scheduling of periodic message sending.
232
Obtaining Smart Call Home Services
Obtaining Smart Call Home Services

If you have a service contract directly with Cisco, you can register for the Smart Call Home service. Smart
Call Home analyzes Smart Call Home messages and provides background information and recommendations.
For known issues, particularly online diagnostics failures, Automatic Service Requests are generated with the
Cisco TAC.
Smart Call Home offers the following features:
• Continuous device health monitoring and real-time diagnostic alerts.
• Analysis of Smart Call Home messages and, if needed, Automatic Service Request generation routed to
the correct TAC team, including detailed diagnostic information to speed problem resolution.
• Secure message transport directly from your device or through an HTTP proxy server or a downloadable
Transport Gateway (TG). You can use a TG aggregation point to support multiple devices or in cases
where security dictates that your devices may not be connected directly to the Internet.
• Web-based access to Smart Call Home messages and recommendations, inventory, and configuration
information for all Smart Call Home devices provides access to associated field notices, security advisories,
and end-of-life information.
You need the following items to register for Smart Call Home:
• SMARTnet contract number for your router
• Your e-mail address
• Your Cisco.com username
For more information about Smart Call Home, see https://supportforums.cisco.com/community/4816/

smart-call-home.
Anonymous Reporting
Smart Call Home is a service capability included with many Cisco service contracts and is designed to assist
customers resolve problems more quickly. In addition, the information gained from crash messages helps
Cisco understand equipment and issues occurring in the field. If you decide not to use Smart Call Home, you
can still enable Anonymous Reporting to allow Cisco to securely receive minimal error and health information
from the device. If you enable Anonymous Reporting, your customer identity will remain anonymous, and
no identifying information will be sent.
Note When you enable Anonymous Reporting, you acknowledge your consent to transfer the specified data to
Cisco or to vendors operating on behalf of Cisco (including countries outside the United States). Cisco
maintains the privacy of all customers. For information about how Cisco treats personal information, see the
Cisco Privacy Statement at http://www.cisco.com/web/siteassets/legal/privacy.html.
When Call Home is configured in an anonymous way, only crash, inventory, and test messages are sent to
Cisco. No customer identifying information is sent.
For more information about what is sent in these messages, see Alert Group Trigger Events and Commands,
on page 270.
233
How to Configure Call Home
How to Configure Call Home

The following sections show how to configure Call Home using a single command:
• Configuring Smart Call Home (Single Command), on page 234
• Configuring and Enabling Smart Call Home, on page 235
The following sections show detailed or optional configurations:

• Enabling and Disabling Call Home, on page 236
• Configuring Contact Information, on page 236
• Configuring Destination Profiles, on page 238
• Subscribing to Alert Groups, on page 241
• Configuring General E-Mail Options, on page 246
• Specifying Rate Limit for Sending Call Home Messages, on page 248
• Specifying HTTP Proxy Server, on page 249
• Enabling AAA Authorization to Run IOS Commands for Call Home Messages, on page 250
• Configuring Syslog Throttling, on page 250
• Configuring Call Home Data Privacy, on page 251
• Sending Call Home Communications Manually, on page 252
Configuring Smart Call Home (Single Command)

To enable all Call Home basic configurations using a single command, perform the following steps:
SUMMARY STEPS
2. call-home reporting {anonymous | contact-email-addr email-address} [http-proxy {ipv4-address
| ipv6-address | name} port port-number]
DETAILED STEPS

Step 1 configure terminal Enters configuration mode.
Example:
Step 2 call-home reporting {anonymous | contact-email-addr Enables the basic configurations for Call Home using a
email-address} [http-proxy {ipv4-address | single command.
ipv6-address | name} port port-number]
234
Configuring and Enabling Smart Call Home

Example: • anonymous—Enables Call-Home TAC profile to send
Router(config)# call-home reporting only crash, inventory, and test messages and send the
contact-email-addr [email protected] messages anonymously.
• contact-email-addr—Enables Smart Call Home
service full reporting capability and sends a full
inventory message from Call-Home TAC profile to
Smart Call Home server to start full registration
process.
• http-proxy {ipv4-address | ipv6-address |
name}—Configures an ipv4 or ipv6 address or server
name. Maximum length is 64 characters.
• port port-number—Port number.
Range is 1 to 65535.
Note The HTTP proxy option allows you to make use

of your own proxy server to buffer and secure
Internet connections from your devices.
Note After successfully enabling Call Home either in

anonymous or full registration mode using the
call-home reporting command, an inventory
message is sent out. If Call Home is enabled in
full registration mode, a Full Inventory message
for full registration mode is sent out. If Call
Home is enabled in anonymous mode, an
anonymous inventory message is sent out. For
more information about what is sent in these
messages, see Alert Group Trigger Events and
Commands, on page 270.
Configuring and Enabling Smart Call Home

For application and configuration information about the Cisco Smart Call Home service, see the “Getting
Started” section of the Smart Call Home User Guide at https://supportforums.cisco.com/community/4816/
smart-call-home. This document includes configuration examples for sending Smart Call Home messages
directly from your device or through a transport gateway (TG) aggregation point.
Note For security reasons, we recommend that you use the HTTPS transport options, due to the additional payload
encryption that HTTPS offers. The Transport Gateway software is downloadable from Cisco.com and is
available if you require an aggregation point or a proxy for connection to the Internet.
235
Enabling and Disabling Call Home
Enabling and Disabling Call Home

To enable or disable the Call Home feature, perform the following steps:
SUMMARY STEPS
2. service call-home
3. no service call-home
DETAILED STEPS

Example:
Step 2 service call-home Enables the Call Home feature.

Example:
Router(config)# service call-home
Step 3 no service call-home Disables the Call Home feature.

Example:
Router(config)# no service call-home
Configuring Contact Information

Each router must include a contact e-mail address (except if Call Home is enabled in anonymous mode). You
can optionally include a phone number, street address, contract ID, customer ID, and site ID.
To assign the contact information, perform the following steps:
SUMMARY STEPS
2. call-home
3. contact-email-addr email-address
4. phone-number +phone-number
5. street-address street-address
6. customer-id text
7. site-id text
8. contract-id text
236
Configuring Contact Information
DETAILED STEPS

Example:
Step 2 call-home Enters the Call Home configuration submode.

Example:
Router(config)# call-home
Step 3 contact-email-addr email-address Designates your e-mail address. Enter up to 200 characters
in e-mail address format with no spaces.
Example:
Router(cfg-call-home)# contact-email-addr
[email protected]
Step 4 phone-number +phone-number (Optional) Assigns your phone number.

Example: Note The number must begin with a plus (+) prefix
Router(cfg-call-home)# phone-number +1-800-555-4567 and may contain only dashes (-) and numbers.
Enter up to 17 characters. If you include spaces,
you must enclose your entry in quotes (“”).
Step 5 street-address street-address (Optional) Assigns your street address where RMA
equipment can be shipped. Enter up to 200 characters. If
Example:
you include spaces, you must enclose your entry in quotes
Router(cfg-call-home)# street-address “1234 Picaboo (“”).
Street, Any city, Any state, 12345“
Step 6 customer-id text (Optional) Identifies customer ID. Enter up to 64 characters.

If you include spaces, you must enclose your entry in quotes
Example:
(“”).
Router(cfg-call-home)# customer-id Customer1234
Step 7 site-id text (Optional) Identifies customer site ID. Enter up to 200
characters. If you include spaces, you must enclose your
Example:
entry in quotes (“”).
Router(cfg-call-home)# site-id Site1ManhattanNY
Step 8 contract-id text (Optional) Identifies your contract ID for the router. Enter
up to 64 characters. If you include spaces, you must enclose
Example:
your entry in quotes (“”).
Router(cfg-call-home)# contract-id Company1234
Example
The following example shows how to configure contact information:
Router(cfg-call-home)# contact-email-addr [email protected]
237
Configuring Destination Profiles
Router(cfg-call-home)# phone-number +1-800-555-4567

Router(cfg-call-home)# street-address “1234 Picaboo Street, Any city, Any state, 12345”
Router(cfg-call-home)# customer-id Customer1234
Router(cfg-call-home)# site-id Site1ManhattanNY
Router(cfg-call-home)# contract-id Company1234
Router(cfg-call-home)# exit
Configuring Destination Profiles

A destination profile contains the required delivery information for an alert notification. At least one destination
profile is required. You can configure multiple destination profiles of one or more types.
You can create and define a new destination profile or copy and use the predefined destination profile. If you
define a new destination profile, you must assign a profile name.
Note If you use the Cisco Smart Call Home service, the destination profile must use the XML message format.
You can configure the following attributes for a destination profile:

• Profile name—String that uniquely identifies each user-defined destination profile. The profile name is
limited to 31 characters and is not case-sensitive.
Note You cannot use all as a profile name.
• Transport method—Transport mechanism, either e-mail or HTTP (including HTTPS), for delivery of
alerts.
• For user-defined destination profiles, e-mail is the default, and you can enable either or both transport
mechanisms. If you disable both methods, e-mail is enabled.
• For the predefined Cisco TAC profile, you can enable either transport mechanism, but not both.
• Destination address—The actual address related to the transport method to which the alert should be
sent.
• Message formatting—The message format used for sending the alert. The format options for a user-defined
destination profile are long-text, short-text, or XML. The default is XML. For the predefined Cisco TAC
profile, only XML is allowed.
• Message size—The maximum destination message size. The valid range is 50 to 3,145,728 Bytes. The
default is 3,145,728 Bytes.
Anonymous reporting—You can choose for your customer identity to remain anonymous, and no
identifying information is sent.
• Subscribing to interesting alert-groups—You can choose to subscribe to alert-groups highlighting your
interests.

• Creating a New Destination Profile, on page 239
238
Creating a New Destination Profile
• Copying a Destination Profile, on page 240

• Setting Profiles to Anonymous Mode, on page 241
Creating a New Destination Profile

To create and configure a new destination profile, perform the following steps:
SUMMARY STEPS
2. call-home
3. profile name
4. [no] destination transport-method {email | http}
5. destination address {email email-address | http url}
6. destination preferred-msg-format {long-text | short-text | xml}
7. destination message-size-limit bytes
8. active
9. end
10. show call-home profile {name | all}
DETAILED STEPS

Example:

Example:
Step 3 profile name Enters the Call Home destination profile configuration
submode for the specified destination profile. If the
Example:
specified destination profile does not exist, it is created.
Router(config-call-home)# profile profile1
Step 4 [no] destination transport-method {email | http} (Optional) Enables the message transport method. The no
option disables the method.
Example:
Router(cfg-call-home-profile)# destination
transport-method email
Step 5 destination address {email email-address | http Configures the destination e-mail address or URL to which
url} Call Home messages are sent.
Example: Note When entering a destination URL, include either
Router(cfg-call-home-profile)# destination address http:// or https://, depending on whether the
email [email protected] server is a secure server.
239
Copying a Destination Profile

Step 6 destination preferred-msg-format {long-text | (Optional) Configures a preferred message format. The
short-text | xml} default is XML.
Example:
preferred-msg-format xml
Step 7 destination message-size-limit bytes (Optional) Configures a maximum destination message

size for the destination profile.
Example:
message-size-limit 3145728
Step 8 active Enables the destination profile. By default, the profile is

enabled when it is created.
Example:
Router(cfg-call-home-profile)# active
Step 9 end Returns to privileged EXEC mode.

Example:
Router(cfg-call-home-profile)# end
Step 10 show call-home profile {name | all} Displays the destination profile configuration for the
specified profile or all configured profiles.
Example:
Router# show call-home profile profile1
Copying a Destination Profile

To create a new destination profile by copying an existing profile, perform the following steps:
SUMMARY STEPS
2. call-home
3. copy profile source-profile target-profile
DETAILED STEPS

Example:

Example:
240
Setting Profiles to Anonymous Mode

Step 3 copy profile source-profile target-profile Creates a new destination profile with the same
configuration settings as the existing destination profile.
Example:
Router(cfg-call-home)# copy profile profile1
profile2
Setting Profiles to Anonymous Mode

To set an anonymous profile, perform the following steps:
SUMMARY STEPS
2. call-home
3. profile name
4. anonymous-reporting-only
DETAILED STEPS

Example:

Example:
Step 3 profile name Enables the profile configuration mode.

Example:
Router(cfg-call-home) profile Profile-1
Step 4 anonymous-reporting-only Sets the profile to anonymous mode.

Example: Note By default, Call Home sends a full report of all
Router(cfg-call-home-profile)# types of events subscribed in the profile. When
anonymous-reporting-only anonymous-reporting-only is set, only crash,
inventory, and test messages will be sent.
Subscribing to Alert Groups

An alert group is a predefined subset of Call Home alerts supported in all routers. Different types of Call
Home alerts are grouped into different alert groups depending on their type. The following alert groups are
available:
• Crash
241
• Configuration
• Environment
• Inventory
• Snapshot
• Syslog

• Periodic Notification, on page 244
• Message Severity Threshold, on page 245
• Configuring a Snapshot Command List, on page 245
The triggering events for each alert group are listed in Alert Group Trigger Events and Commands, on page
270, and the contents of the alert group messages are listed in Message Contents, on page 277.
You can select one or more alert groups to be received by a destination profile.
Note A Call Home alert is only sent to destination profiles that have subscribed to the alert group containing that
Call Home alert. In addition, the alert group must be enabled.
To subscribe a destination profile to one or more alert groups, perform the following steps:
SUMMARY STEPS
2. call-home
3. alert-group {all | configuration | environment | inventory | syslog | crash | snapshot}
4. profile name
5. subscribe-to-alert-group all
6. subscribe-to-alert-group configuration [periodic {daily hh:mm | monthly date hh:mm |
weekly day hh:mm}]
7. subscribe-to-alert-group environment [severity {catastrophic | disaster | fatal | critical |
major | minor | warning | notification | normal | debugging}]
8. subscribe-to-alert-group inventory [periodic {daily hh:mm | monthly date hh:mm | weekly
day hh:mm}]
9. subscribe-to-alert-group syslog [severity {catastrophic | disaster | fatal | critical | major
| minor | warning | notification | normal | debugging}]
10. subscribe-to-alert-group crash
11. subscribe-to-alert-group snapshot periodic {daily hh:mm | hourly mm | interval mm |
monthly date hh:mm | weekly day hh:mm}
12. exit
242
DETAILED STEPS

Example:
Step 2 call-home Enters Call Home configuration submode.

Example:
Step 3 alert-group {all | configuration | environment | Enables the specified alert group. Use the keyword all to
inventory | syslog | crash | snapshot} enable all alert groups. By default, all alert groups are
enabled.
Example:
Router(cfg-call-home)# alert-group all
Step 4 profile name Enters the Call Home destination profile configuration
submode for the specified destination profile.
Example:
Router(cfg-call-home)# profile profile1
Step 5 subscribe-to-alert-group all Subscribes to all available alert groups using the lowest
severity.
Example:
Router(cfg-call-home-profile)# You can subscribe to alert groups individually by specific
subscribe-to-alert-group all type, as described in Step 6 through Step 11.
Note This command subscribes to the syslog debug
default severity. This causes a large number of
syslog messages to generate. You should
subscribe to alert groups individually, using
appropriate severity levels and patterns when
possible.
Step 6 subscribe-to-alert-group configuration [periodic Subscribes this destination profile to the Configuration
{daily hh:mm | monthly date hh:mm | weekly day alert group. The Configuration alert group can be
hh:mm}] configured for periodic notification, as described in
Periodic Notification, on page 244.
Example:
Router(cfg-call-home-profile)#
subscribe-to-alert-group configuration
periodic daily 12:00
Step 7 subscribe-to-alert-group environment [severity Subscribes this destination profile to the Environment alert
{catastrophic | disaster | fatal | critical | major group. The Environment alert group can be configured to
| minor | warning | notification | normal | filter messages based on severity, as described in Message
debugging}] Severity Threshold, on page 245.
Example:
subscribe-to-alert-group environment severity
major
243
Periodic Notification

Step 8 subscribe-to-alert-group inventory [periodic {daily Subscribes this destination profile to the Inventory alert
hh:mm | monthly date hh:mm | weekly day group. The Inventory alert group can be configured for
hh:mm}] periodic notification, as described in Periodic Notification,
on page 244.
Example:
subscribe-to-alert-group inventory periodic
monthly 1 12:00
Step 9 subscribe-to-alert-group syslog [severity Subscribes this destination profile to the Syslog alert group.
{catastrophic | disaster | fatal | critical | major The Syslog alert group can be configured to filter messages
| minor | warning | notification | normal | based on severity, as described in Message Severity
debugging}] Threshold, on page 245.
Example: You can specify a text pattern to be matched within each
Router(cfg-call-home-profile)# syslog message. If you configure a pattern, a Syslog alert
subscribe-to-alert-group environment severity group message is sent only if it contains the specified
major pattern and meets the severity threshold. If the pattern
contains spaces, you must enclose it in quotes (“”). You
can specify up to five patterns for each destination profile.
Step 10 subscribe-to-alert-group crash Subscribes to the Crash alert group in user profile. By
default, TAC profile subscribes to the Crash alert group
Example:
and cannot be unsubscribed.
Router(cfg-call-home-profile)# [no | default]
subscribe-to-alert-group crash
Step 11 subscribe-to-alert-group snapshot periodic {daily Subscribes this destination profile to the Snapshot alert
hh:mm | hourly mm | interval mm | monthly date group. The Snapshot alert group can be configured for
hh:mm | weekly day hh:mm} periodic notification, as described in Periodic Notification,
on page 244.
Example:
Router(cfg-call-home-profile)# By default, the Snapshot alert group has no command to
subscribe-to-alert-group snapshot periodic daily run. You can add commands into the alert group, as
12:00 described in Configuring a Snapshot Command List, on
page 245. In doing so, the output of the commands added
in the Snapshot alert group will be included in the snapshot
message.
Step 12 exit Exits the Call Home destination profile configuration

submode.
Example:
Router(cfg-call-home-profile)# exit
Periodic Notification
When you subscribe a destination profile to the Configuration, Inventory, or Snapshot alert group, you can
choose to receive the alert group messages asynchronously or periodically at a specified time. The sending
period can be one of the following:
• Daily—Specifies the time of day to send, using an hour:minute format hh:mm, with a 24-hour clock (for
example, 14:30).
244
Message Severity Threshold
• Weekly—Specifies the day of the week and time of day in the format day hh:mm, where the day of the
week is spelled out (for example, Monday).
• Monthly—Specifies the numeric date, from 1 to 31, and the time of day, in the format date hh:mm.
• Interval—Specifies the interval at which the periodic message is sent, from 1 to 60 minutes.
• Hourly—Specifies the minute of the hour at which the periodic message is sent, from 0 to 59 minutes.
Note Hourly and by interval periodic notifications are available for the Snapshot alert group only.
Message Severity Threshold

When you subscribe a destination profile to the Environment or Syslog alert group, you can set a threshold
for the sending of alert group messages based on the level of severity of the message. Any message with a
value lower than the destination profile specified threshold is not sent to the destination.
The severity threshold is configured using the keywords listed in the following table. The severity threshold
ranges from catastrophic (level 9, highest level of urgency) to debugging (level 0, lowest level of urgency).
If no severity threshold is configured for the Syslog or Environment alert groups, the default is debugging
(level 0). The Configuration and Inventory alert groups do not allow severity configuration; severity is always
set as normal.
Note Call Home severity levels are not the same as system message logging severity levels.
Table 19: Severity and Syslog Level Mapping
Level Keyword Syslog Level Description

9 catastrophic — Network-wide catastrophic failure.
8 disaster — Significant network impact.
7 fatal Emergency (0) System is unusable.
6 critical Alert (1) Critical conditions, immediate attention needed.
5 major Critical (2) Major conditions.
4 minor Error (3) Minor conditions.
3 warning Warning (4) Warning conditions.
2 notification Notice (5) Basic notification and informational messages. Possibly
independently insignificant.
1 normal Information (6) Normal event signifying return to normal state.
0 debugging Debug (7) Debugging messages.
Configuring a Snapshot Command List

To configure a snapshot command list, perform the following steps:
245
Configuring General E-Mail Options
SUMMARY STEPS
2. call-home
3. [no | default] alert-group-config snapshot
4. [no | default] add-command command string
5. exit
DETAILED STEPS

Example:

Example:
Step 3 [no | default] alert-group-config snapshot Enters snapshot configuration mode.

Example: The no or default command will remove all snapshot
Router(cfg-call-home)# alert-group-config snapshot command.
Step 4 [no | default] add-command command string Adds the command to the Snapshot alert group. The no or
default command removes the corresponding command.
Example:
Router(cfg-call-home-snapshot)# add-command “show • command string—IOS command. Maximum length is
version” 128.
Step 5 exit Exits and saves the configuration.

Example:
Router(cfg-call-home-snapshot)# exit

To use the e-mail message transport, you must configure at least one Simple Mail Transfer Protocol (SMTP)
e-mail server address. You can configure the from and reply-to e-mail addresses, and you can specify up to
four backup e-mail servers.
Note the following guidelines when configuring general e-mail options:
• Backup e-mail servers can be defined by repeating the mail-server command using different priority
numbers.
• The mail-server priority number parameter can be configured from 1 to 100. The server with the highest
priority (lowest priority number) is tried first.
To configure general e-mail options, perform the following steps:
246
SUMMARY STEPS
2. call-home
3. mail-server [{ipv4-address | ipv6-address} | name] priority number
4. sender from email-address
5. sender reply-to email-address
6. source-interface interface-name
7. vrf vrf-name
DETAILED STEPS

Example:

Example:
Step 3 mail-server [{ipv4-address | ipv6-address} | name] Assigns an e-mail server address and its relative priority
priority number among configured e-mail servers.
Example: Provide either of these:
Router(cfg-call-home)# mail-server stmp.example.com • The e-mail server’s IP address.
priority 1
• The e-mail server’s fully qualified domain name
(FQDN) of 64 characters or less.
Assign a priority number between 1 (highest priority) and

100 (lowest priority).
Step 4 sender from email-address (Optional) Assigns the e-mail address that appears in the
from field in Call Home e-mail messages. If no address is
Example:
specified, the contact e-mail address is used.
Router(cfg-call-home)# sender from
[email protected]
Step 5 sender reply-to email-address (Optional) Assigns the e-mail address that appears in the
reply-to field in Call Home e-mail messages.
Example:
Router(cfg-call-home)# sender reply-to
[email protected]
Step 6 source-interface interface-name Assigns the source interface name to send call-home
messages.
Example:
Router(cfg-call-home)# source-interface loopback1 • interface-name—Source interface name. Maximum
length is 64.
247
Specifying Rate Limit for Sending Call Home Messages

Note For HTTP messages, use the ip http client
source-interface interface-name command
in global configuration mode to configure
the source interface name. This allows all
HTTP clients on the device to use the same
source interface.
Step 7 vrf vrf-name (Optional) Specifies the VRF instance to send call-home
e-mail messages. If no vrf is specified, the global routing
Example:
table is used.
Router(cfg-call-home)# vrf vpn1
Note For HTTP messages, if the source interface is
associated with a VRF, use the ip http client
source-interface interface-name command in
global configuration mode to specify the VRF
instance that will be used for all HTTP clients
on the device.
Example
The following example shows the configuration of general e-mail parameters, including a primary
and secondary e-mail server:
Router(cfg-call-home)# mail-server smtp.example.com priority 1
Router(cfg-call-home)# mail-server 192.0.2.1 priority 2
Router(cfg-call-home)# sender from [email protected]
Router(cfg-call-home)# sender reply-to [email protected]
Router(cfg-call-home)# source-interface loopback1
Router(cfg-call-home)# vrf vpn1
Router(cfg-call-home)# exit
Router(config)#
Specifying Rate Limit for Sending Call Home Messages

To specify the rate limit for sending Call Home messages, perform the following steps:
SUMMARY STEPS
2. call-home
3. rate-limit number
248
Specifying HTTP Proxy Server
DETAILED STEPS

Example:

Example:
Step 3 rate-limit number Specifies a limit on the number of messages sent per minute.
Example: • number—Range is 1 to 60. The default is 20.
Router(cfg-call-home)# rate-limit 40
Specifying HTTP Proxy Server

To specify an HTTP proxy server for sending Call Home HTTP(S) messages to a destination, perform the
following steps:
SUMMARY STEPS
2. call-home
3. http-proxy {ipv4-address | ipv6-address | name} port port-number
DETAILED STEPS

Example:

Example:
Step 3 http-proxy {ipv4-address | ipv6-address | name} port Specifies the proxy server for the HTTP request.
port-number
Example:
Router(cfg-call-home)# http-proxy 192.0.2.1 port
1
249
Enabling AAA Authorization to Run IOS Commands for Call Home Messages
Enabling AAA Authorization to Run IOS Commands for Call Home Messages
following steps:
SUMMARY STEPS
2. call-home
3. aaa-authorization
4. aaa-authorization [username username]
DETAILED STEPS

Example:

Example:
Step 3 aaa-authorization Enables AAA authorization.

Example: Note By default, AAA authorization is disabled for
Router(cfg-call-home)# aaa-authorization Call Home.
Step 4 aaa-authorization [username username] Specifies the username for authorization.

Example: • username username—Default username is callhome.
Router(cfg-call-home)# aaa-authorization username Maximum length is 64.
user
Configuring Syslog Throttling

following steps:
SUMMARY STEPS
2. call-home
3. [no] syslog-throttling
250
Configuring Call Home Data Privacy
DETAILED STEPS

Example:

Example:
Step 3 [no] syslog-throttling Enables or disables call-home syslog message throttling

and avoids sending repetitive call-home syslog messages.
Example:
Router(cfg-call-home)# syslog-throttling Note By default, syslog message throttling is enabled.
Configuring Call Home Data Privacy

The data-privacy command scrubs data, such as IP addresses, from running configuration files to protect the
privacy of customers. Enabling the data-privacy command can affect CPU utilization when scrubbing a large
amount of data. Currently, the show command output is not being scrubbed except for configuration messages
in the outputs for the show running-config all and theshow startup-config data commands.
SUMMARY STEPS
2. call-home
3. data-privacy {level {normal | high} | hostname}
DETAILED STEPS

Example:

Example:
Step 3 data-privacy {level {normal | high} | hostname} Scrubs data from running configuration file to protect the
privacy of the user. The default data-privacy level is normal.
Example:
Router(cfg-call-home)# data-privacy level high Note Enabling the data-privacy command can affect
CPU utilization when scrubbing a large amount
of data.
• normal—Scrubs all normal-level commands.
251
Sending Call Home Communications Manually

• high—Scrubs all normal-level commands plus the IP
domain name and IP address commands.
• hostname—Scrubs all high-level commands plus the
hostname command.
Note Scrubbing the hostname from configuration

messages can cause Smart Call Home processing
failure on some platforms.
Sending Call Home Communications Manually

You can manually send several types of Call Home communications. To send Call Home communications,
perform the tasks in this section. This section contains the following subsections:
• Sending a Call Home Test Message Manually, on page 252
• Sending Call Home Alert Group Messages Manually, on page 252
• Submitting Call Home Analysis and Report Requests, on page 253
• Manually Sending Command Output Message for One Command or a Command List, on page 255
Sending a Call Home Test Message Manually

You can use the call-home test command to send a user-defined Call Home test message.
To manually send a Call Home test message, perform the following step:
SUMMARY STEPS
1. call-home test [“test-message”] profile name
DETAILED STEPS

Step 1 call-home test [“test-message”] profile name Sends a test message to the specified destination profile.
The user-defined test message text is optional but must be
Example:
enclosed in quotes (“”) if it contains spaces. If no
Router# call-home test profile profile1 user-defined message is configured, a default message is
sent.
Sending Call Home Alert Group Messages Manually

You can use the call-home send command to manually send a specific alert group message.
Note the following guidelines when manually sending a Call Home alert group message:
• Only the crash, snapshot, configuration, and inventory alert groups can be sent manually.
252
Submitting Call Home Analysis and Report Requests
• When you manually trigger a crash, snapshot, configuration, or inventory alert group message and you
specify a destination profile name, a message is sent to the destination profile regardless of the profile’s
active status, subscription status, or severity setting.
• When you manually trigger a crash, snapshot, configuration, or inventory alert group message and do
not specify a destination profile name, a message is sent to all active profiles that have either a normal
or periodic subscription to the specified alert group.
To manually trigger Call Home alert group messages, perform the following steps:
SUMMARY STEPS
1. call-home send alert-group snapshot [profile name]
2. call-home send alert-group crash [profile name]
3. call-home send alert-group configuration [profile name]
4. call-home send alert-group inventory [profile name]
DETAILED STEPS

Step 1 call-home send alert-group snapshot [profile name] Sends a snapshot alert group message to one destination
profile if specified, or to all subscribed destination profiles.
Example:
Router# call-home send alert-group snapshot profile
profile1
Step 2 call-home send alert-group crash [profile name] Sends a crash alert group message to one destination profile
if specified, or to all subscribed destination profiles.
Example:
Router# call-home send alert-group crash profile
profile1
Step 3 call-home send alert-group configuration [profile Sends a configuration alert group message to one destination
name] profile if specified, or to all subscribed destination profiles.
Example:
Router# call-home send alert-group configuration
profile profile1
Step 4 call-home send alert-group inventory [profile name] Sends an inventory alert group message to one destination
profile if specified, or to all subscribed destination profiles.
Example:
Router# call-home send alert-group inventory
profile profile1

You can use the call-home request command to submit information about your system to Cisco to receive
helpful analysis and report information specific to your system. You can request a variety of reports, including
security alerts, known bugs, best practices, and command references.
Note the following guidelines when manually sending Call Home analysis and report requests:
253
• If a profile name is specified, the request is sent to the profile. If no profile is specified, the request is
sent to the Cisco TAC profile. The recipient profile does not need to be enabled for the call-home request.
The profile should specify the e-mail address where the transport gateway is configured so that the request
message can be forwarded to the Cisco TAC and the user can receive the reply from the Smart Call Home
service.
• The ccoid user-id is the registered identifier of the Smart Call Home user. If the user-id is specified, the
response is sent to the e-mail address of the registered user. If no user-id is specified, the response is sent
to the contact e-mail address of the device.
• Based on the keyword specifying the type of report requested, the following information is returned:
• config-sanity—Information on best practices as related to the current running configuration.
• bugs-list—Known bugs in the running version and in the currently applied features.
• command-reference—Reference links to all commands in the running configuration.
• product-advisory—Product Security Incident Response Team (PSIRT) notices, End of Life (EOL)
or End of Sales (EOS) notices, or field notices (FN) that may affect the devices in your network.
To submit a request for analysis and report information from the Cisco Output Interpreter tool, perform the
following steps:
SUMMARY STEPS
1. call-home request output-analysis “show-command” [profile name] [ccoid user-id]
2. call-home request {config-sanity | bugs-list | command-reference | product-advisory} [profile
name] [ccoid user-id]
DETAILED STEPS

Step 1 call-home request output-analysis “show-command” Sends the output of the specified show command for
[profile name] [ccoid user-id] analysis. The show command must be contained in quotes
(“”).
Example:
Router# call-home request output-analysis “show
diag” profile TG
Step 2 call-home request {config-sanity | bugs-list | Sends the output of a predetermined set of commands such
command-reference | product-advisory} [profile as the show running-config all, show version or show
name] [ccoid user-id] module commands, for analysis. In addition, the call home
request product-advisory sub-command includes all
Example:
inventory alert group commands. The keyword specified
Router# call-home request config-sanity profile TG after request specifies the type of report requested.
Example
The following example shows a request for analysis of a user-specified show command:
Router# call-home request output-analysis "show diag" profile TG
254
Manually Sending Command Output Message for One Command or a Command List
Manually Sending Command Output Message for One Command or a Command List
You can use the call-home send command to execute an IOS command or a list of IOS commands and send
the command output through HTTP or e-mail protocol.
Note the following guidelines when sending the output of a command:
• The specified IOS command or list of IOS commands can be any run command, including commands
for all modules. The command must be contained in quotes (“”).
• If the e-mail option is selected using the “email” keyword and an e-mail address is specified, the command
output is sent to that address. If neither the e-mail nor the HTTP option is specified, the output is sent in
long-text format with the specified service request number to the Cisco TAC ([email protected]).
• If neither the “email” nor the “http” keyword is specified, the service request number is required for both
long-text and XML message formats and is provided in the subject line of the e-mail.
• If the HTTP option is specified, the CiscoTac-1 profile destination HTTP or HTTPS URL is used as the
destination. The destination e-mail address can be specified so that Smart Call Home can forward the
message to the e-mail address. The user must specify either the destination e-mail address or an SR
number but they can also specify both.
To execute a command and send the command output, perform the following step:
SUMMARY STEPS
1. call-home send {cli command | cli list} [email email msg-format {long-text | xml} | http
{destination-email-address email}] [tac-service-request SR#]
DETAILED STEPS

Step 1 call-home send {cli command | cli list} [email email Executes the CLI or CLI list and sends output via e-mail or
msg-format {long-text | xml} | http HTTP.
{destination-email-address email}] [tac-service-request
• {cli command | cli list}—Specifies the IOS command
SR#]
or list of IOS commands (separated by ‘;’). It can be
Example: any run command, including commands for all
Router# call-home send “show version;show modules. The commands must be contained in quotes
running-config;show inventory” email (“”).
[email protected] msg-format xml
• email email msg-format {long-text | xml}—If the
email option is selected, the command output will be
sent to the specified e-mail address in long-text or
XML format with the service request number in the
subject. The e-mail address, the service request
number, or both must be specified. The service request
number is required if the e-mail address is not specified
(default is [email protected] for long-text format and
[email protected] for XML format).
• http {destination-email-address email}—If the http
option is selected, the command output will be sent to
255
Configuring Diagnostic Signatures

Smart Call Home backend server (URL specified in
TAC profile) in XML format.
destination-email-address email can be specified so
that the backend server can forward the message to
the e-mail address. The e-mail address, the service
request number, or both must be specified.
• tac-service-request SR#—Specifies the service request
number. The service request number is required if the
e-mail address is not specified.
Example
The following example shows how to send the output of a command to a user-specified e-mail
address:
Router# call-home send “show diag” email [email protected]
The following example shows the command output sent in long-text format to [email protected],
with the SR number specified:
Router# call-home send “show version; show run” tac-service-request 123456
The following example shows the command output sent in XML message format to
[email protected]:
Router# call-home send “show version; show run” email [email protected] msg-format xml
The following example shows the command output sent in XML message format to the Cisco TAC
backend server, with the SR number specified:
Router# call-home send “show version; show run” http tac-service-request 123456
The following example shows the command output sent to the Cisco TAC backend server through
the HTTP protocol and forwarded to a user-specified email address:
Router# call-home send “show version; show run” http destination-email-address
[email protected]

The Diagnostic Signatures feature downloads digitally signed signatures to devices. Diagnostic Signatures
(DS) files are formatted files that collate knowledge of diagnostic events and provide methods to troubleshoot
them without a need to upgrade the Cisco software. The aim of DS is to deliver flexible intelligence that can
detect and collect troubleshooting information that can be used to resolve known problems in customers
networks.
256
Information About Diagnostic Signatures
Information About Diagnostic Signatures

• Diagnostic Signatures Overview, on page 257
• Prerequisites for Diagnostic Signatures, on page 258
• Downloading Diagnostic Signatures, on page 258
• Diagnostic Signature Workflow, on page 258
• Diagnostic Signature Events and Actions, on page 259
• Diagnostic Signature Event Detection, on page 259
• Diagnostic Signature Actions , on page 259
• Diagnostic Signature Variables, on page 260
Diagnostic Signatures Overview

Diagnostic signatures (DS) for the Call Home system provides a flexible framework that allows the defining
of new events and corresponding CLIs that can analyze these events without upgrading the Cisco software.
DSs provide the ability to define more types of events and trigger types than the standard Call Home feature
supports. The DS subsystem downloads and processes files on a device as well as handles callbacks for
diagnostic signature events.
The Diagnostic Signature feature downloads digitally signed signatures that are in the form of files to devices.
DS files are formatted files that collate the knowledge of diagnostic events and provide methods to troubleshoot
these events.
DS files contain XML data to specify the event description, and these files include CLI commands or scripts
to perform required actions. These files are digitally signed by Cisco or a third party to certify their integrity,
reliability, and security.
The structure of a DS file can be one of the following formats:
• Metadata-based simple signature that specifies the event type and contains other information that can be
used to match the event and perform actions such as collecting information by using the CLI. The signature
can also change configurations on the device as a workaround for certain bugs.
• Embedded Event Manager (EEM) Tool Command Language (Tcl) script-based signature that specifies
new events in the event register line and additional action in the Tcl script.
• Combination of both the formats above.
The following basic information is contained in a DS file:

• ID (unique number)—Unique key that represents a DS file that can be used to search a DS.
• Name (ShortDescription)—Unique description of the DS file that can be used in lists for selection.
• Description—Long description about the signature.
• Revision—Version number, which increments when the DS content is updated.
• Event & Action—Defines the event to be detected and the action to be performed after the event happens.
257
Prerequisites for Diagnostic Signatures
Prerequisites for Diagnostic Signatures

Before you download and configure diagnostic signatures (DSs) on a device, you must ensure that the following
conditions are met:
• You must assign one or more DSs to the device. For more information on how to assign DSs to devices,
see Downloading Diagnostic Signatures, on page 258.
• HTTP/Secure HTTP (HTTPS) transport is required for downloading DS files. You must install the
certification authority (CA) certificate to enable the authentication of the destination HTTPS server.
Note If you configure the trustpool feature, the CA certificate is not required.
Downloading Diagnostic Signatures

To download the diagnostic signature (DS) file, you require the secure HTTP (HTTPS) protocol. If you have
already configured an email transport method to download files on your device, you must change your assigned
profile transport method to HTTPS to download and use DS.
Cisco software uses a PKI Trustpool Management feature, which is enabled by default on devices, to create
a scheme to provision, store, and manage a pool of certificates from known certification authorities (CAs).
The trustpool feature installs the CA certificate automatically. The CA certificate is required for the
authentication of the destination HTTPS servers.
There are two types of DS update requests to download DS files: regular and forced-download. Regular
download requests DS files that were recently updated. You can trigger a regular download request either by
using a periodic configuration or by initiating an on-demand CLI. The regular download update happens only
when the version of the requested DS is different from the version of the DS on the device. Periodic download
is only started after there is any DS assigned to the device from DS web portal. After the assignment happens,
the response to the periodic inventory message from the same device will include a field to notify device to
start its periodic DS download/update. In a DS update request message, the status and revision number of the
DS is included such that only a DS with the latest revision number is downloaded.
Forced-download downloads a specific DS or a set of DSes. You can trigger the forced-download update
request only by initiating an on-demand CLI. In a force-download update request, the latest version of the DS
file is downloaded irrespective of the current DS file version on the device.
The DS file is digitally signed, and signature verification is performed on every downloaded DS file to make
sure it is from a trusted source.
Diagnostic Signature Workflow

The diagnostic signature feature is enabled by default in Cisco software. The following is the workflow for
using diagnostic signatures:
• Find the DS(es) you want to download and assign them to the device. This step is mandatory for regular
periodic download, but not required for forced download.
• The device downloads all assigned DS(es) or a specific DS by regular periodic download or by on-demand
forced download.
258
Diagnostic Signature Events and Actions
• The device verifies the digital signature of every single DS. If verification passes, the device stores the
DS file into a non-removable disk, such as bootflash or hard disk, so that DS files can be read after the
device is reloaded. On the router, the DS file is stored in the bootflash:/call home directory.
• The device continues sending periodic regular DS download requests to get the latest revision of DS and
replace the older one in device.
• The device monitors the event and executes the actions defined in the DS when the event happens.
Diagnostic Signature Events and Actions

The events and actions sections are the key areas used in diagnostic signatures. The event section defines all
event attributes that are used for event detection. The action section lists all actions which should be performed
after the event happens, such as collecting show command outputs and sending them to Smart Call Home to
parse.
Diagnostic Signature Event Detection

Event detection in a DS is defined in two ways: single event detection and multiple event detection.
Single Event Detection

In single event detection, only one event detector is defined within a DS. The event specification format is
one of the following two types:
• DS event specification type: syslog, periodic, configuration, Online Insertion Removal (OIR) immediate,
and call home are the supported event types, where “immediate” indicates that this type of DS does not
detect any events, its actions are performed once it is downloaded, and the call-home type modifies the
current CLI commands defined for existing alert-group.
• The Embedded Event Manager (EEM) specification type: supports any new EEM event detector without
having to modify the Cisco software.
Other than using EEM to detect events, a DS is triggered when a Tool Command Language (Tcl) script
is used to specify event detection types.
Multiple Event Detection

Multiple event detection involves defining two or more event detectors, two ore more corresponding tracked
object states, and a time period for the events to occur. The specification format for multiple event detection
can include complex event correlation for tracked event detectors. For example, three event detectors (syslog,
OIR, and IPSLA) are defined during the creation of a DS file. The correlation that is specified for these event
detectors is that the DS will execute its action if both syslog and OIR events are triggered simultaneously, or
if IPSLA is triggered alone.
Diagnostic Signature Actions

The diagnostic signature (DS) file consists of various actions that must be initiated when an event occurs. The
action type indicates the kind of action that will be initiated in response to a certain event.
Variables are elements within a DS that are used to customize the files.
DS actions are categorized into the following four types:
• call-home
259
Diagnostic Signature Variables
• command
• emailto
• script
DS action types call-home and emailto collect event data and send a message to call-home servers or to the
defined email addresses. The message uses “diagnostic-signature” as its message type and DS ID as the
message sub-type.
The commands defined for the DS action type initiate CLI commands that can change configuration of the
device, collect show command outputs, or run any EXEC command on the device. The DS action type script
executes Tcl scripts.
Diagnostic Signature Variables

Variables are referenced within a DS and are used to customize the DS file. All DS variable names have the
prefix ds_ to separate them from other variables. The following are the supported DS variable types:
• System variable: variables assigned automatically by the device without any configuration changes. The
Diagnostic Signatures feature supports two system variables: ds_hostname and ds_signature_id.
• Environment variable: values assigned manually by using the environment variable-name variable-value
command in call-home diagnostic-signature configuration mode. Use the show call-home
diagnostic-signature command to display the name and value of all DS environment variables. If the
DS file contains unresolved environment variables, this DS will stay in pending status until the variable
gets resolved.
• Prompt variable: values assigned manually by using the call-home diagnostic-signature install ds-id
command in privileged EXEC mode. If you do not set this value, the status of the DS indicates pending.
• Regular expression variable: values assigned from a regular expression pattern match with predefined
CLI command outputs. The value is assigned during the DS run.
• Syslog event variable: values assigned during a syslog event detection in the DS file. This variable is
valid only for syslog event detection.
How to Configure Diagnostic Signatures

• Configuring the Call Home Service for Diagnostic Signatures, on page 260
• Configuring Diagnostic Signatures, on page 262
Configuring the Call Home Service for Diagnostic Signatures

Configure the Call Home Service feature to set attributes such as the contact email address where notifications
related with diagnostic signatures (DS) are sent and destination HTTP/secure HTTP (HTTPS) URL to download
the DS files from.
You can also create a new user profile, configure correct attributes and assign it as the DS profile. For periodic
downloads, the request is sent out just following full inventory message. By changing the inventory periodic
configuration, the DS periodic download also gets rescheduled.
260
Configuring the Call Home Service for Diagnostic Signatures
Note The predefined CiscoTAC-1 profile is enabled as a DS profile by default and we recommend that you use it.
If used, you only need to change the destination transport-method to the http setting.
SUMMARY STEPS
2. service call-home
3. call-home
4. contact-email-addr email-address
5. mail-server {ipv4-addr | name} priority number
6. profile profile-name
7. destination transport-method {email | http}
8. destination address {email address | http url}
9. subscribe-to-alert-group inventory [periodic {daily hh:mm | monthly day hh:mm | weekly
day hh:mm}]
10. exit
DETAILED STEPS

Example:
Step 2 service call-home Enables Call Home service on a device.

Example:
Step 3 call-home Enters call-home configuration mode for the configuration

of Call Home settings.
Example:
Step 4 contact-email-addr email-address (Optional) Assigns an email address to be used for Call
Home customer contact.
Example:
Router(cfg-call-home)# contact-email-addr
[email protected]
Step 5 mail-server {ipv4-addr | name} priority number (Optional) Configures a Simple Mail Transfer Protocol
(SMTP) email server address for Call Home. This
Example:
command is only used when sending email is part of the
Router(cfg-call-home)# mail-server 10.1.1.1 actions defined in any DS.
priority 4
Step 6 profile profile-name Configures a destination profile for Call Home and enters
call-home profile configuration mode.
Example:
261

Router(cfg-call-home)# profile user1
Step 7 destination transport-method {email | http} Specifies a transport method for a destination profile in
the Call Home.
Example:
Router(cfg-call-home-profile)# destination Note To configure diagnostic signatures, you must
transport-method http use the http option.
Step 8 destination address {email address | http url} Configures the address type and location to which
call-home messages are sent.
Example:
Router(cfg-call-home-profile)# destination address Note To configure diagnostic signatures, you must
http use the http option.
https://tools.cisco.com/its/service/oddce/services/DDCEService
Step 9 subscribe-to-alert-group inventory [periodic {daily Configures a destination profile to send messages for the
hh:mm | monthly day hh:mm | weekly day hh:mm}] Inventory alert group for Call Home.
Example: • This command is used only for the periodic
Router(cfg-call-home-profile)# downloading of DS files.
subscribe-to-alert-group inventory periodic daily
14:30
Step 10 exit Exits call-home profile configuration mode and returns to

call-home configuration mode.
Example:
What to do next
Set the profile configured in the previous procedure as the DS profile and configure other DS parameters.
Before you begin

Configure the Call Home feature to set attributes for the Call Home profile. You can either use the default
CiscoTAC-1 profile or use the newly-created user profile.
SUMMARY STEPS
1. call-home
2. diagnostic-signature
3. profile ds-profile-name
4. environment ds_env-var-name ds-env-var-value
5. end
6. call-home diagnostic-signature [{deinstall | download} {ds-id | all} | install ds-id]
7. show call-home diagnostic-signature [ds-id {actions | events | prerequisite | prompt |
variables | failure | statistics | download}]
262
DETAILED STEPS

Step 1 call-home Enters call-home configuration mode for the configuration
of Call Home settings.
Example:
Step 2 diagnostic-signature Enters call-home diagnostic signature mode.

Example:
Router(cfg-call-home)# diagnostic-signature
Step 3 profile ds-profile-name Specifies the destination profile on a device that DS uses.
Example:
Router(cfg-call-home-diag-sign)# profile user1
Step 4 environment ds_env-var-name ds-env-var-value Sets the environment variable value for DS on a device.
Example:
Router(cfg-call-home-diag-sign)# environment
ds_env1 envarval
Step 5 end Exits call-home diagnostic signature mode and returns to

privileged EXEC mode.
Example:
Router(cfg-call-home-diag-sign)# end
Step 6 call-home diagnostic-signature [{deinstall | Downloads, installs, and uninstalls diagnostic signature
download} {ds-id | all} | install ds-id] files on a device.
Example:
Router# call-home diagnostic-signature download
6030
Step 7 show call-home diagnostic-signature [ds-id {actions Displays the call-home diagnostic signature information.
| events | prerequisite | prompt | variables | failure
| statistics | download}]
Example:
Router# show call-home diagnostic-signature actions
Configuration Examples for Diagnostic Signatures

The following example shows how to enable the periodic downloading request for diagnostic signature
(DS) files. This configuration will send download requests to the service call-home server daily at
2:30 p.m. to check for updated DS files. The transport method is set to HTTP.
Router> enable
Router(cfg-call-home)# contact-email-addr [email protected]
Router(cfg-call-home)# mail-server 10.1.1.1 priority 4
Router(cfg-call-home)# profile user-1
263
Displaying Call Home Configuration Information
Router(cfg-call-home-profile)# destination transport-method http

Router(cfg-call-home-profile)# destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
Router(cfg-call-home-profile)# subscribe-to-alert-group inventory periodic daily 14:30
Router(cfg-call-home)# diagnostic-signature
Router(cfg-call-home-diag-sign)# profile user1
Router(cfg-call-home-diag-sign)# environment ds_env1 envarval
Router(cfg-call-home-diag-sign)# end
The following is sample output from the show call-home diagnostic-signature command for the
configuration displayed above:
outer# show call-home diagnostic-signature
Current diagnostic-signature settings:

Diagnostic-signature: enabled
Profile: user1 (status: ACTIVE)
Environment variable:
ds_env1: abc
Downloaded DSes:
DS ID DS Name Revision Status Last Update (GMT+00:00)
-------- ------------------------------- -------- ---------- -------------------
6015 CronInterval 1.0 registered 2013-01-16 04:49:52
6030 ActCH 1.0 registered 2013-01-16 06:10:22
6032 MultiEvents 1.0 registered 2013-01-16 06:10:37
6033 PureTCL 1.0 registered 2013-01-16 06:11:48

You can use variations of the show call-home command to display Call Home configuration information.
To display the configured Call Home information, perform the following:
SUMMARY STEPS
1. show call-home
2. show call-home detail
3. show call-home alert-group
4. show call-home mail-server status
5. show call-home profile {all | name}
6. show call-home statistics [detail | profile profile_name]
DETAILED STEPS

Step 1 show call-home Displays the Call Home configuration in summary.
Example:
Router# show call-home
Step 2 show call-home detail Displays the Call Home configuration in detail.
Example:
264

Router# show call-home detail
Step 3 show call-home alert-group Displays the available alert groups and their status.
Example:
Router# show call-home alert-group
Step 4 show call-home mail-server status Checks and displays the availability of the configured e-mail
server(s).
Example:
Router# show call-home mail-server status
Step 5 show call-home profile {all | name} Displays the configuration of the specified destination
profile. Use the all keyword to display the configuration of
Example:
all destination profiles.
Router# show call-home profile all
Step 6 show call-home statistics [detail | profile Displays the statistics of Call Home events.
profile_name]
Example:
Router# show call-home statistics
Examples
Call Home Information in Summary
Call Home Information in Detail
Available Call Home Alert Groups
E-Mail Server Status Information
Information for All Destination Profiles
Information for a User-Defined Destination Profile
Call Home Statistics

The following examples show the sample output when using different options of the show call-home
command.
Router# show call-home
Current call home settings:
call home feature : enable
call home message's from address: [email protected]
call home message's reply-to address: [email protected]
vrf for call-home messages: Not yet set up
contact person's email address: [email protected]
265
contact person's phone number: +1-408-555-1234

street address: 1234 Picaboo Street, Any city, Any state, 12345
customer ID: ExampleCorp
contract ID: X123456789
site ID: SantaClara
source ip address: Not yet set up

source interface: GigabitEthernet0/0
Mail-server[1]: Address: 192.0.2.1 Priority: 1
http proxy: 192.0.2.2:80
aaa-authorization: disable
aaa-authorization username: callhome (default)
data-privacy: normal
syslog throttling: enable
Rate-limit: 20 message(s) per minute
Snapshot command[0]: show version

Snapshot command[1]: show clock
Available alert groups:

Keyword State Description
------------------------ ------- -------------------------------
configuration Enable configuration info
crash Enable crash and traceback info
environment Enable environmental info
inventory Enable inventory info
snapshot Enable snapshot info
syslog Enable syslog info
Profiles:
Profile Name: campus-noc
Profile Name: CiscoTAC-1
Router#
Router# show call-home detail
Current call home settings:
call home feature : enable
call home message's from address: [email protected]
call home message's reply-to address: [email protected]
vrf for call-home messages: Not yet set up
contact person's email address: [email protected]
contact person's phone number: +1-408-555-1234

street address: 1234 Picaboo Street, Any city, Any state, 12345
customer ID: ExampleCorp
contract ID: X123456789
site ID: SantaClara
source ip address: Not yet set up

source interface: GigabitEthernet0/0
http proxy: 192.0.2.2:80
aaa-authorization: disable
aaa-authorization username: callhome (default)
data-privacy: normal
syslog throttling: enable
Rate-limit: 20 message(s) per minute
266
Snapshot command[0]: show version

Snapshot command[1]: show clock

------------------------ ------- -------------------------------
Profiles:

Profile status: ACTIVE
Preferred Message Format: xml
Message Size Limit: 3145728 Bytes
Transport Method: email
Email address(es): [email protected]
HTTP address(es): Not yet set up
Alert-group Severity
------------------------ ------------
configuration normal
crash normal
environment debug
inventory normal
Syslog-Pattern Severity
------------------------ ------------
.*CALL_LOOP.* debug

Profile status: INACTIVE
Profile mode: Full Reporting
HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
Periodic configuration info message is scheduled every 14 day of the month at 11:12
Periodic inventory info message is scheduled every 14 day of the month at 10:57
------------------------ ------------
crash normal
environment minor
------------------------ ------------
.*CALL_LOOP.* debug
Router#
Router# show call-home alert-group
------------------------ ------- -------------------------------
267

Router#
Router# show call-home mail-server status
Please wait. Checking for mail server status ...
Mail-server[1]: Address: 192.0.2.1 Priority: 1 [Not Available]

Mail-server[2]: Address: 209.165.202.254 Priority: 2 [Available]
Router#
Router# show call-home profile all

------------------------ ------------
crash normal
environment debug
inventory normal
------------------------ ------------
.*CALL_LOOP.* debug

Profile status: INACTIVE
Profile mode: Full Reporting
HTTP address(es): https://tools.cisco.com/its/service/oddce/services/DDCEService
Periodic configuration info message is scheduled every 14 day of the month at 11:12
Periodic inventory info message is scheduled every 14 day of the month at 10:57
------------------------ ------------
crash normal
environment minor
------------------------ ------------
.*CALL_LOOP.* debug
Router#
Router# show call-home profile campus-noc
268
------------------------ ------------
crash normal
environment debug
inventory normal
------------------------ ------------
.*CALL_LOOP.* debug
Router#
Router# show call-home statistics
Message Types Total Email HTTP
------------- -------------------- -------------------- ------------------
Total Success 3 3 0
Config 3 3 0
Crash 0 0 0
Environment 0 0 0
Inventory 0 0 0
Snapshot 0 0 0
SysLog 0 0 0
Test 0 0 0
Request 0 0 0
Send-CLI 0 0 0
Total In-Queue 0 0 0
Config 0 0 0
Crash 0 0 0
Environment 0 0 0
Inventory 0 0 0
Snapshot 0 0 0
SysLog 0 0 0
Test 0 0 0
Request 0 0 0
Send-CLI 0 0 0
Total Failed 0 0 0
Config 0 0 0
Crash 0 0 0
Environment 0 0 0
Inventory 0 0 0
Snapshot 0 0 0
SysLog 0 0 0
Test 0 0 0
Request 0 0 0
Send-CLI 0 0 0
Total Ratelimit
-dropped 0 0 0
Config 0 0 0
Crash 0 0 0
Environment 0 0 0
Inventory 0 0 0
Snapshot 0 0 0
SysLog 0 0 0
Test 0 0 0
Request 0 0 0
Send-CLI 0 0 0
Last call-home message sent time: 2011-09-26 23:26:50 GMT-08:00

Router#
269
Default Call Home Settings
Default Call Home Settings

The following table lists the default Call Home settings.
Table 20: Default Call Home Settings
Parameters Default
Call Home feature status Disabled
User-defined profile status Active
Predefined Cisco TAC profile status Inactive
Transport method E-mail
Message format type XML
Destination message size for a message sent in long 3,145,728
text, short text, or XML format
Alert group status Enabled
Call Home message severity threshold Debug
Message rate limit for messages per minute 20
AAA Authorization Disabled
Call Home syslog message throttling Enabled
Data privacy level Normal
Alert Group Trigger Events and Commands

Call Home trigger events are grouped into alert groups, with each alert group assigned commands to execute
when an event occurs. The command output is included in the transmitted message. The following table lists
the trigger events included in each alert group, including the severity level of each event and the executed
commands for the alert group.
270
Table 21: Call Home Alert Groups, Events, and Actions
Alert Group Call Home Trigger Syslog Event Severity Description and
Event Commands
Executed
Crash SYSTEM_ CRASH – – Events related to
software crash.
The following
commands are
executed:
show version
show logging
show region
show inventory
show stack
crashinfo file (this
command shows the
contents of the
crashinfo file)
– TRACEBACK – – Detects software

traceback events.
The following
commands are
executed:
show version
show logging
show region
show stack
271
Event Commands
Executed
Configuration – – – User-generated
request for
configuration or
configuration
change event.
The following
commands are
executed:
show platform
show inventory
show
running-config all
show
startup-config
show version
Environmental – – – Events related to

power, fan, and
environment sensing
elements such as
temperature alarms.
The following
commands are
executed:
show environment
show inventory
show platform
show logging
– – SHUT 0 Environmental
Monitor initiated
shutdown.
– – ENVCRIT 2 Temperature or
voltage
measurement
exceeded critical
threshold.
– – BLOWER 3 Required number of

fan trays is not
present.
272
Event Commands
Executed
– – ENVWARN 4 Temperature or
voltage
measurement
exceeded warning
threshold.
– – RPSFAIL 4 Power supply may

have a failed
channel.
– ENVM PSCHANGE 6 Power supply name

change.
– – PSLEV 6 Power supply state

change.
– – PSOK 6 Power supply now

appears to be
working correctly.
273
Event Commands
Executed
Inventory – – –
274
Event Commands
Executed
Inventory status
should be provided
whenever a unit is
cold-booted or when
FRUs are inserted or
removed. This is
considered a
noncritical event,
and the information
is used for status and
entitlement.
Commands executed
for all Inventory
messages sent in
anonymous mode
and for Delta
Inventory message
sent in full
registration mode:
show diag all
eeprom detail
show version
show inventory oid
show platform
Commands executed
for Full Inventory
message sent in full
registration mode:
show platform
show diag all
eeprom detail
show version
show inventory oid
show bootflash: all
show
data-corruption
show interfaces
show file systems
show memory
statistics
275
Event Commands
Executed
show process
memory
show process cpu
show process cpu
history
show license udi
show license detail
show buffers
– HARDWARE_ REMCARD 6 Card removed from

REMOVAL slot %d, interfaces
disabled.
– HARDWARE_ INSCARD 6 Card inserted in slot

INSERTION %d, interfaces
administratively shut
down.
Syslog – – – Event logged to

syslog.
The following
commands are
executed:
show inventory
show logging
– SYSLOG LOG_EMERG 0 System is unusable.
– SYSLOG LOG_ALERT 1 Action must be

taken immediately.
– SYSLOG LOG_CRIT 2 Critical conditions.
– SYSLOG LOG_ERR 3 Error conditions.
– SYSLOG LOG_WARNING 4 Warning conditions.
– SYSLOG LOG_NOTICE 5 Normal but

signification
condition.
– SYSLOG LOG_INFO 6 Informational.
– SYSLOG LOG_DEBUG 7 Debug-level

messages.
276
Message Contents
Event Commands
Executed
Test – TEST – User-generated test
message.
The following
commands are
executed:
show platform
show inventory
show version
Message Contents
This section consists of tables which list the content formats of alert group messages.
The following table lists the content fields of a short text message.
Table 22: Format for a Short Text Message
Data Item Description

Device identification Configured device name
Date/time stamp Time stamp of the triggering event
Error isolation message Plain English description of triggering event
Alarm urgency level Error level such as that applied to a system message
The following table shows the content fields that are common to all long text and XML messages. The fields
specific to a particular alert group message are inserted at a point between the common fields. The insertion
point is identified in the table.
Table 23: Common Fields for All Long Text and XML Messages
Data Item (Plain Text and XML) Description (Plain Text and XML) Call-Home Message Tag (XML
Only)
Time stamp Date and time stamp of event in CallHome/EventTime

ISO time notation: YYYY-MM-DD
HH:MM:SS GMT+HH:MM.
Message name Name of message. Specific event For short text message only
names are listed in the Alert Group
Trigger Events and Commands, on
page 270.
Message type Specifically “Call Home”. CallHome/Event/Type
277
Message Contents
Only)
Message subtype Specific type of message: full, CallHome/Event/SubType

delta, test
Message group Specifically “reactive”. Optional For long-text message only
because default is “reactive”.
Severity level Severity level of message (see Body/Block/Severity
Message Severity Threshold, on
page 245).
Source ID Product type for routing through For long-text message only
the workflow engine. This is
typically the product family name.
Device ID Unique device identifier (UDI) for CallHome/CustomerData/
end device generating message. ContractData/DeviceId
This field should be empty if the
message is nonspecific to a fabric
switch. The format is
type@Sid@serial.
• type is the product model
number from backplane
IDPROM.
• @ is a separator character.
• Sid is C, identifying the serial
ID as a chassis serial number.
• serial is the number identified
by the Sid field.
Example:
CISCO3845@C@12345678
Customer ID Optional user-configurable field CallHome/CustomerData/

used for contract information or ContractData/CustomerId
other ID by any support service.
Contract ID Optional user-configurable field CallHome/CustomerData/
used for contract information or ContractData/CustomerId
other ID by any support service.
Site ID Optional user-configurable field CallHome/CustomerData/
used for Cisco-supplied site ID or ContractData/CustomerId
other data meaningful to alternate
support service.
278
Message Contents
Only)
Server ID If the message is generated from For long text message only.
the fabric switch, this is the unique
device identifier (UDI) of the
switch.
• type is the product model
number from backplane
IDPROM.
• @ is a separator character.
• Sid is C, identifying the serial
ID as a chassis serial number.
• serial is the number identified
by the Sid field.
Example:
CISCO3845@C@12345678
Message description Short text describing the error. CallHome/MessageDescription
Device name Node that experienced the event. CallHome/CustomerData/

This is the host name of the device. SystemInfo/NameName
Contact name Name of person to contact for CallHome/CustomerData/

issues associated with the node SystemInfo/Contact
experiencing the event.
Contact e-mail E-mail address of person identified CallHome/CustomerData/
as contact for this unit. SystemInfo/ContactEmail
Contact phone number Phone number of the person CallHome/CustomerData/

identified as the contact for this SystemInfo/ContactPhoneNumber
unit.
Street address Optional field containing street CallHome/CustomerData/
address for RMA part shipments SystemInfo/StreetAddress
associated with this unit.
Model name Model name of the router. This is CallHome/Device/Cisco_Chassis/Model
the “specific model as part of a
product family name.
Serial number Chassis serial number of the unit. CallHome/Device/Cisco_Chassis/
SerialNumber
Chassis part number Top assembly number of the CallHome/Device/

chassis. Cisco_Chassis/AdditionalInformation/
AD@name=“PartNumber”
279
Message Contents
Only)
System object ID System Object ID that uniquely CallHome/Device/

identifies the system. Cisco_Chassis/AdditionalInformation/
AD@name=“sysObjectID”
System description System description for the managed CallHome/Device/

element. Cisco_Chassis/AdditionalInformation/
AD@name=“sysDescr”
The following table shows the inserted fields specific to a particular alert group message.
Note The following fields may be repeated if multiple commands are executed for this alert group.
Table 24: Inserted Fields Specific to a Particular Alert Group Message
Command output name Exact name of the issued command. /aml/Attachments/Attachment/Name

Attachment type Attachment type. Usually “inline”. /aml/Attachments/Attachment@type
MIME type Normally “text” or “plain” or /aml/Attachments/Attachment/
encoding type. Data@encoding
Command output text Output of command automatically /mml/attachments/attachment/atdata
executed (see Alert Group Trigger
Events and Commands, on page
270).
The following table shows the inserted content fields for reactive messages (system failures that require a
TAC case) and proactive messages (issues that might result in degraded system performance).
Table 25: Inserted Fields for a Reactive or Proactive Event Message
Only)
Chassis hardware version Hardware version of chassis CallHome/Device/Cisco_Chassis/
HardwareVersion
Supervisor module software version Top-level software version CallHome/Device/Cisco_Chassis/
AdditionalInformation/AD@name=
“SoftwareVersion”
Affected FRU name Name of the affected FRU CallHome/Device/Cisco_Chassis/
generating the event message Cisco_Card/Model
Affected FRU serial number Serial number of affected FRU CallHome/Device/Cisco_Chassis/
Cisco_Card/SerialNumber
Affected FRU part number Part number of affected FRU CallHome/Device/Cisco_Chassis/
Cisco_Card/PartNumber
280
Message Contents
Only)
FRU slot Slot number of FRU generating the CallHome/Device/Cisco_Chassis/
event message Cisco_Card/LocationWithinContainer
FRU hardware version Hardware version of affected FRU CallHome/Device/Cisco_Chassis/
Cisco_Card/HardwareVersion
FRU software version Software version(s) running on CallHome/Device/Cisco_Chassis/
affected FRU Cisco_Card/SoftwareIdentity/
VersionString
The following table shows the inserted content fields for an inventory message.
Table 26: Inserted Fields for an Inventory Event Message
Data Item (Plain Text and XML) Description (Plain Text and XML) Call-Home Message Tag (XML Only)
Chassis hardware version Hardware version of chassis CallHome/Device/Cisco_Chassis/
HardwareVersion
Supervisor module software Top-level software version CallHome/Device/Cisco_Chassis/
version AdditionalInformation/AD@name=
“SoftwareVersion”
FRU name Name of the affected FRU CallHome/Device/Cisco_Chassis/
generating the event message Cisco_Card/Model
FRU s/n Serial number of FRU CallHome/Device/Cisco_Chassis/
Cisco_Card/SerialNumber
FRU part number Part number of FRU CallHome/Device/Cisco_Chassis/
Cisco_Card/PartNumber
FRU slot Slot number of FRU CallHome/Device/Cisco_Chassis/
Cisco_Card/LocationWithinContainer
FRU hardware version Hardware version of FRU CallHome/Device/Cisco_Chassis/
CiscoCard/HardwareVersion
FRU software version Software version(s) running on CallHome/Device/Cisco_Chassis
FRU /Cisco_Card/SoftwareIdentity/
VersionString
281
Message Contents
282
CHAPTER 18
Managing Cisco Enhanced Services and Network
Interface Modules
The router supports Cisco Enhanced Services Modules (SMs) and Cisco Network Interface Modules (NIMs).
The modules are inserted into the router using an adapter, or carrier card, into various slots. For more
information, see the following documents:
• Hardware Installation Guide for the Cisco Catalyst 8300 Series Edge Platform.

• Information About Cisco Service Modules and Network Interface Modules, on page 283
• Modules Supported, on page 284
• Network Interface Modules and Enhanced Service Modules, on page 284
• Implementing SMs and NIMs on Your Platforms, on page 284
• Managing Modules and Interfaces, on page 292
• Configuration Examples, on page 292
Information About Cisco Service Modules and Network

Interface Modules
The router configures, manages, and controls the supported Cisco Service Modules (SMs), Network Interface
Modules (NIMs) and PIM (Pluggable Interface Modules) using the module management facility built in its
architecture. This new centralized module management facility provides a common way to control and monitor
all the modules in the system regardless of their type and application. All Cisco Enhanced Service and Network
Interface Modules supported on your router use standard IP protocols to interact with the host router. Cisco
IOS software uses alien data path integration to switch between the modules.
• Modules Supported, on page 284
• Network Interface Modules and Enhanced Service Modules, on page 284
283
Managing Cisco Enhanced Services and Network Interface Modules
Modules Supported
Modules Supported
For information about the interfaces and modules supported by the Cisco Catalyst 8000 Edge Platform, see
Hardware Installation Guide for Cisco Catalyst 8000 Series Edge Platform.
Network Interface Modules and Enhanced Service Modules

For more information on the supported Network Interface Modules and Service Modules, refer to the Cisco
Catalyst 8300 Series Edge Platforms datasheet.
Implementing SMs and NIMs on Your Platforms

• Downloading the Module Firmware, on page 284
• Installing SMs and NIMs, on page 284
• Accessing Your Module Through a Console Connection or Telnet, on page 284
• Online Insertion and Removal, on page 285
Downloading the Module Firmware

Module firmware must be loaded to the router to be able to use a service module. For more information, see
Installing a Firmware Subpackage, on page 147.
The modules connect to the RP via the internal eth0 interface to download the firmware. Initially, the module
gets an IP address for itself via BOOTP. The BOOTP also provides the address of the TFTP server used to
download the image. After the image is loaded and the module is booted, the module provides an IP address
for the running image via DHCP.
Installing SMs and NIMs

For more information, see "Installing and Removing NIMs and SMs" in the Hardware Installation Guide for
Cisco Catalyst 8300 Edge Platform and Hardware Installation Guide for Cisco Catalyst 8200 Series Edge
Platforms.
Note Service modules are not supported on Cisco Catalyst 8200 Series Edge Platforms.
Accessing Your Module Through a Console Connection or Telnet

Before you can access the modules, you must connect to the host router through the router console or through
Telnet. After you are connected to the router, you must configure an IP address on the Gigabit Ethernet
interface connected to your module. Open a session to your module using the hw-module session command
in privileged EXEC mode on the router.
284
Online Insertion and Removal
To establish a connection to the module, connect to the router console using Telnet or Secure Shell (SSH)
and open a session to the switch using the hw-module session slot/subslot command in privileged EXEC
mode on the router.
Use the following configuration examples to establish a connection:
• The following example shows how to open a session from the router using the hw-module session
command:
Router# hw-module session slot/card
Router# hw-module session 0/1 endpoint 0
Establishing session connect to subslot 0/1
• The following example shows how to exit a session from the router, by pressing Ctrl-A followed by
Ctrl-Q on your keyboard:
type ^a^q
picocom v1.4
port is : /dev/ttyDASH2
flowcontrol : none
baudrate is : 9600
parity is : none
databits are : 8
escape is : C-a
noinit is : no
noreset is : no
nolock is : yes
send_cmd is : ascii_xfr -s -v -l10
receive_cmd is : rz -vv
Online Insertion and Removal

The router supports online insertion and removal (OIR) of Cisco Enhanced Services Modules and Cisco
Network Interface Modules. You can perform the following tasks using the OIR function:
• Preparing for Online Removal of a Module, on page 285
• Deactivating a Module, on page 286
• Deactivating Modules and Interfaces in Different Command Modes, on page 287
• Deactivating and Reactivating an SSD/HDD Carrier Card NIM, on page 288
• Reactivating a Module, on page 289
• Verifying the Deactivation and Activation of a Module, on page 289
Preparing for Online Removal of a Module

The router supports the OIR of a module, independent of removing another module installed in your router.
This means that an active module can remain installed in your router, while you remove another module from
one of the subslots. If you are not planning to immediately replace a module, ensure that you install a blank
filler plate in the subslot.
285
Deactivating a Module
Deactivating a Module
A module can be removed from the router without first being deactivated. However, we recommend that you
perform a graceful deactivation (or graceful power down) of the module before removing it. To perform a
graceful deactivation, use the hw-module subslot slot/subslot stop command in EXEC mode.
Note When you are preparing for an OIR of a module, it is not necessary to independently shut down each of the
interfaces before deactivating the module. The hw-module subslot slot/subslot stop command in EXEC mode
automatically stops traffic on the interfaces and deactivates them along with the module in preparation for
OIR. Similarly, you do not have to independently restart any of the interfaces on a module after OIR.
The following example shows how to use the show facility-alarm status command to verify if any critical
alarm is generated when a module is removed from the system:
Router# show facility-alarm status

------ ------ -------- -------------------
Power Supply Bay 1 Sep 28 2020 10:02:34 CRITICAL Power Supply/FAN Module
Missing [0]
POE Bay 0 Sep 28 2020 10:02:34 INFO Power Over Ethernet Module
Missing [0]
POE Bay 1 Sep 28 2020 10:02:34 INFO Power Over Ethernet Module
Missing [0]
GigabitEthernet0/0/2 Sep 28 2020 10:02:46 INFO Physical Port Administrative
State Down [2]
GigabitEthernet0/0/3 Sep 28 2020 10:02:46 INFO Physical Port Administrative
State Down [2
xcvr container 0/0/4 Sep 28 2020 10:02:46 INFO Transceiver Missing - Link
Down [1]
TenGigabitEthernet0/0/5 Sep 28 2020 10:02:54 CRITICAL Physical Port Link Down [1]
TenGigabitEthernet0/1/0 Sep 28 2020 10:03:26 INFO Physical Port Administrative
State Down [2]
GigabitEthernet1/0/0 Sep 28 2020 10:07:35 CRITICAL Physical Port Link Down [1]
TwoGigabitEthernet1/0/16 Sep 28 2020 10:07:35 INFO Physical Port Administrative
State Down [2]
State Down [2]
State Down [2]
State Down [2]
Down [1]
Down [1]1]
Note A critical alarm (Active Card Removed OIR Alarm) is generated even if a module is removed after performing
graceful deactivation.
286
Deactivating Modules and Interfaces in Different Command Modes
Deactivating Modules and Interfaces in Different Command Modes

You can deactivate a module and its interfaces using the hw-module subslot command in one of the following
modes:
• If you choose to deactivate your module and its interfaces by executing the hw-module subslot slot/subslot
shutdown unpowered command in global configuration mode, you are able to change the configuration
in such a way that no matter how many times the router is rebooted, the module does not boot. This
command is useful when you need to shut down a module located in a remote location and ensure that
it does not boot automatically when the router is rebooted.
• If you choose to use the hw-module subslot slot/subslot stop command in EXEC mode, you cause the
module to gracefully shut down. The module is rebooted when the hw-module subslot slot/subslot start
command is executed.
To deactivate a module and all of its interfaces before removing the module, use one of the following commands
in global configuration mode.
Procedure

Step 1 hw-module subslot slot/subslot shutdown unpowered Deactivates the module located in the specified slot and
subslot of the router, where:
Example:
Router# hw-module subslot 0/2 shutdown unpowered • slot—Specifies the chassis slot number where the
module is installed.
• subslot—Specifies the subslot number of the chassis
where the module is installed.
• shutdown—Shuts down the specified module.
• unpowered—Removes all interfaces on the module
from the running configuration and the module is
powered off.
Step 2 hw-module subslot slot/subslot [reload | stop | start] Deactivates the module in the specified slot and subslot,
where:
Example:
Router# hw-module subslot 0/2 stop • slot—Specifies the chassis slot number where the
module is installed.
• subslot—Specifies the subslot number of the chassis
where the module is installed.
• reload—Stops and restarts the specified module.
• stop—Removes all interfaces from the module and
the module is powered off.
• start—Powers on the module similar to a physically
inserted module in the specified slot. The module
firmware reboots and the entire module initialization
sequence is executed in the IOSd and Input/Output
Module daemon (IOMd) processes.
287
Deactivating and Reactivating an SSD/HDD Carrier Card NIM
Deactivating and Reactivating an SSD/HDD Carrier Card NIM

The following restrictions apply:
• Deactivating or reactivating an SSD/HDD Carrier Card NIM without an SSD or HDD disk is not supported.
• Only a single (SSD or HDD) Carrier Card NIM can be plugged into a bay. If you plug an additional
(SSD or HDD) Carrier Card NIM into another bay, the module powers down and kernel, log, or error
messages are displayed on the Cisco IOS console. In rare cases, the file system may get corrupted on the
additional drive.
Caution Deactivation of an SSD/HDD Carrier Card NIM may cause loss of data.
To deactivate an SSD/HDD Carrier Card NIM, perform the following steps:
Procedure

Step 1 virtual-service name Identifies the kWAAS service (by name), supported on your
router, in preparation for the router to be shut down by the
Example:
no activate command. We recommend that you use this
Router(config)# virtual-service my-kwaas-instance command before reseating or replacing an SSD or HDD.
Step 2 no activate Shuts down the kWAAS instance on your router. kWAAS
services remain installed. The service will have to be
Example:
reactivated after the HDD/SSD NIM (module) is restarted.
Router(config-virt-serv)# no activate
Step 3 hw-module subslot slot/subslot [reload | stop | start] Deactivates or reactivates the module in the specified slot
and subslot.
Example:
Router# hw-module subslot 0/2 stop • slot—The chassis slot number where the module is
Proceed with stop of module? [confirm] installed.
Router#
*Mar 6 15:13:23.997: %SPA_OIR-6-OFFLINECARD: SPA • subslot—The subslot number of the chassis where the
(NIM-SSD) offline in subslot 0/2 module is installed.
...
• reload—Deactivates and reactivates (stops and
restarts) the specified module.
• stop—Removes all interfaces from the module and
the module is powered off.
• start—Powers on the module similar to a physically
inserted module in the specified slot. The module
firmware reboots and the entire module initialization
sequence is executed in the IOSd and IOMd processes.
Step 4 Wait for the EN (Enable) LED to turn off, and then remove
the SSD/HDD Carrier Card NIM.
288
Reactivating a Module
Reactivating a Module
If, after deactivating a module using the hw-module subslot slot/subslot stop command, you want to reactivate
it without performing an OIR, use one of the following commands (in privileged EXEC mode):
• hw-module subslot slot/subslot start
• hw-module subslot slot/subslot reload
Verifying the Deactivation and Activation of a Module

When you deactivate a module, the corresponding interfaces are also deactivated. This means that these
interfaces will no longer appear in the output of the show interface command.
1. To verify the deactivation of a module, enter the show hw-module subslot all oir command in privileged
EXEC configuration mode.
Observe the "Operational Status" field associated with the module that you want to verify. In the following
example, the module located in subslot 1 of the router is administratively down.
Router# show hw-module subslot all oir
Module Model Operational Status

----------------------- -------------------- ------------------------
subslot 0/0 4x1G-2xSFP+ ok
subslot 0/1 C-NIM-1X ok
subslot 1/0 SM-X-16G4M2X ok
RadiumPP#
2. To verify activation and proper operation of a module, enter the show hw-module subslot all oir command
and observe "ok" in the Operational Status field as shown in the following example:
Router# show hw-module subslot all oir
Module Model Operational Status

----------------------- -------------------- ------------------------
subslot 0/0 4x1G-2xSFP+ ok
subslot 0/1 C-NIM-1X ok
subslot 1/0 SM-X-16G4M2X ok
RadiumPP#
Router# show platform hardware backplaneswitch-manager R0 status
slot bay port enable link status speed(Mbps) duplex autoneg pause_tx
pause_rx mtu
------------------------------------------------------------------------------------------------------------
0 0 CP True Up 1000 Full ENABLED ENABLED
ENABLED 10240
1 0 GE1 True Up 1000 Full DISABLED ENABLED
ENABLED 10240
ENABLED 10240
ENABLED 10240
ENABLED 10240
0 1 GE1 True Down 1000 Full DISABLED ENABLED
ENABLED 10240
ENABLED 10240
ENABLED 10240
289

ENABLED 10240
ENABLED 10240
ENABLED 10240
ENABLED 10240
ENABLED 10240
0 0 FFP True Up 10000 Full ENABLED DISABLED
DISABLED 10240
slot bay port mac vid modid flags - Layer 2
------------------------------------------------------------------------------
0 0 FFP 2c54.2dd2.661b 2351 1 0x20
0 0 FFP 2c54.2dd2.661b 2352 1 0x20
0 0 CP 2c54.2dd2.661e 2351 0 0xC60
0 0 CP 2c54.2dd2.661e 2352 0 0x20
1 0 GE0 58bf.ea3a.00f6 2350 0 0x460
0 0 FFP 2c54.2dd2.661b 2350 1 0x20
1 0 GE0 58bf.ea3a.00f6 2352 0 0x20
0 0 CP 2c54.2dd2.661e 2350 0 0x20
1 0 GE0 58bf.ea3a.00f6 2351 0 0xC60
Port block masks: rows=from port, columns=to port, u=unknown unicast, m=unknown multicast,
b=broadcast, A=all
CP FFP 1/0/1 1/0/0 2/0/1 2/0/0 0/1/1 0/1/0 0/2/1 0/2/0 0/3/1
0/3/0 0/4/1 0/4/0 drops
-------------------------------------------------------------------------------------------------------------
CP - A um um um um um um um um um
um um um 1
FFP A - - - - - - - - - -
- - - 0
1/0/1 um umb - umb umb umb umb umb umb umb umb
umb umb umb 0
1/0/0 um umb umb - umb umb umb umb umb umb umb
umb umb umb 6
2/0/1 um umb umb umb - umb umb umb umb umb umb
umb umb umb 0
2/0/0 um umb umb umb umb - umb umb umb umb umb
umb umb umb 6
0/1/1 um umb umb umb umb umb - umb umb umb umb
umb umb umb 0
0/1/0 um umb umb umb umb umb umb - umb umb umb
umb umb umb 0
0/2/1 um umb umb umb umb umb umb umb - umb umb
umb umb umb 0
0/2/0 um umb umb umb umb umb umb umb umb - umb
umb umb umb 0
0/3/1 um umb umb umb umb umb umb umb umb umb -
umb umb umb 0
0/3/0 um umb umb umb umb umb umb umb umb umb umb
- umb umb 0
umb - umb 0
umb umb - 0
Port VLAN membership: [untagged vlan] U=untagged T=tagged <VLAN range begin>-<VLAN range
end>
CP [2352] U:0001-0001 T:0002-2351 U:2352-2352 T:2353-4095

FFP [2352] T:0001-4095
1/0/1 [2352] T:0002-2351 U:2352-2352 T:2353-4095
290
1/0/0 [2352] T:0002-2351 U:2352-2352 T:2353-4095

2/0/1 [2352] T:0002-2351 U:2352-2352 T:2353-4095
2/0/0 [2352] T:0002-2351 U:2352-2352 T:2353-4095
0/1/1 [2352] T:0002-2351 U:2352-2352 T:2353-4095
0/1/0 [2352] T:0002-2351 U:2352-2352 T:2353-4095
0/2/1 [2352] T:0002-2351 U:2352-2352 T:2353-4095
0/2/0 [2352] T:0002-2351 U:2352-2352 T:2353-4095
0/3/1 [2352] T:0002-2351 U:2352-2352 T:2353-4095
0/3/0 [2352] T:0002-2351 U:2352-2352 T:2353-4095
0/4/1 [2352] T:0002-2351 U:2352-2352 T:2353-4095
0/4/0 [2352] T:0002-2351 U:2352-2352 T:2353-4095
show platform hardware backplaneswitch-manager rp active ffp statistics: Example

Router# show platform hardware backplaneswitch-manager rp active ffp statistics
Broadcom 10G port(e.g: FFP) status:
Rx pkts Rx Bytes Tx Pkts Tx Bytes
-----------------------------------------------------------------------------------------
All 0 0 0 0
=64 0 0
65~127 0 0
128~255 0 0
256~511 0 0
512~1023 0 0
1024~1518 0 0
1519~2047 0 0
2048~4095 0 0
4096~9216 0 0
9217~16383 0 0
Max 0 0
Good 0 0
CoS 0 0 0
CoS 1 0 0
CoS 2 0 0
CoS 3 0 0
CoS 4 0 0
CoS 5 0 0
CoS 6 0 0
CoS 7 0 0
Unicast 0 0
Multicast 0 0
Broadcast 0 0
Control 0
Errored
FCS 0 0
Undersize 0
Ether len 0
Fragment 0 0
Jabber 0
MTU ck, good 0
MTU ck, bad 0
Tx underflow 0
err symbol 0
frame err 0
junk 0
Drops
CoS 0 0 0
CoS 1 0 0
CoS 2 0 0
CoS 3 0 0
CoS 4 0 0
CoS 5 0 0
291
Managing Modules and Interfaces
CoS 6 0 0
CoS 7 0 0
STP 0
backpress 0
congest 0 0
purge/cell 0
no destination 0
Pause PFC 0 0
CoS 0 0
CoS 1 0
CoS 2 0
CoS 3 0
CoS 4 0
CoS 5 0
CoS 6 0
CoS 7 0
Managing Modules and Interfaces

The router supports various modules. For a list of supported modules, see Modules Supported, on page 284.
The module management process involves bringing up the modules so that their resources can be utilized.
This process consists of tasks such as module detection, authentication, configuration by clients, status
reporting, and recovery.
For a list of small-form-factor pluggable (SFP) modules supported on your router, see the "Installing and
Upgrading Internal Modules and FRUs" section in the Hardware Installation Guide for Cisco Catalyst 8300
Edge Platform.
The following sections provide additional information on managing the modules and interfaces:
• Managing Module Interfaces, on page 292
Managing Module Interfaces

After a module is in service, you can control and monitor its module interface. Interface management includes
configuring clients with shut or no shut commands and reporting on the state of the interface and the
interface-level statistics.
Configuration Examples
This section provides examples of deactivating and activating modules.
Deactivating a Module Configuration: Example

You can deactivate a module to perform OIR of that module. The following example shows how to deactivate
a module (and its interfaces) and remove power to the module. In this example, the module is installed in
subslot 0 of the router.
Router(config)# hw-module slot 1 subslot 1/0 shutdown unpowered
292
Activating a Module Configuration: Example

You can activate a module if you have previously deactivated it. If you have not deactivated a module and its
interfaces during OIR, then the module is automatically reactivated upon reactivation of the router.
The following example shows how to activate a module. In this example, the module is installed in subslot
0, located in slot 1 of the router:
Router(config)# hw-module slot 1 subslot 1/0 start
293
294
CHAPTER 19
Cellular IPv6 Address
This chapter provides an overview of the IPv6 addresses and describes how to configure Cellular IPv6 address
on Cisco Catalyst 8000 Series Edge Platform.
This chapter includes this section:
• Cellular IPv6 Address, on page 295

IPv6 addresses are represented as a series of 16-bit hexadecimal fields separated by colons (:) in the format:
x:x:x:x:x:x:x:x. Following are two examples of IPv6 addresses:
• 2001:CDBA:0000:0000:0000:0000:3257:9652
• 2001:CDBA::3257:9652 (zeros can be omitted)
IPv6 addresses commonly contain successive hexadecimal fields of zeros. Two colons (::) may be used to
compress successive hexadecimal fields of zeros at the beginning, middle, or end of an IPv6 address (the
colons represent successive hexadecimal fields of zeros). The table below lists compressed IPv6 address
formats.
An IPv6 address prefix, in the format ipv6-prefix/prefix-length, can be used to represent bit-wise contiguous
blocks of the entire address space. The ipv6-prefix must be in the form documented in RFC 2373 where the
address is specified in hexadecimal using 16-bit values between colons. The prefix length is a decimal value
that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network
portion of the address). For example, 2001:cdba::3257:9652 /64 is a valid IPv6 prefix.
IPv6 Unicast Routing

An IPv6 unicast address is an identifier for a single interface, on a single node. A packet that is sent to a unicast
address is delivered to the interface identified by that address.
Cisco Catalyst 8300 Edge Platform support the following address types:
• Link-Lock Address , on page 296
• Global Address, on page 296
295
Link-Lock Address
Link-Lock Address
A link-local address is an IPv6 unicast address that can be automatically configured on any interface using
the link-local prefix FE80::/10 (1111 1110 10) and the interface identifier in the modified EUI-64 format. An
link-local address is automatically configured on the cellular interface when an IPv6 address is enabled.
After the data call is established, the link-local address on the celluar interface is updated with the host generated
link-local address that consists of the link-local prefix FF80::/10 (1111 1110 10) and the auto-generated
interface identifier from the USB hardware address.
Global Address
A global IPv6 unicast address is defined by a global routing prefix, a subnet ID, and an interface ID. The
routing prefix is obtained from the PGW. The Interface Identifier is automatically generated from the USB
hardware address using the interface identifier in the modified EUI-64 format. The USB hardware address
changes after the router reloads.
Configuring Cellular IPv6 Address

To configure the cellular IPv6 address, perform these steps:
SUMMARY STEPS
2. ipv6 unicast-routing
3. interface Cellular {type|number}
4. ip address negotiated
5. load-intervalseonds
6. dialer in-band
7. dialer idle-timeout seonds
8. dialer-groupgroup-number
9. no peer default ip address
10. ipv6 address autoconfig or ipv6 enable
11. dialer-listdialer-groupprotocolprotocol-name {permit |deny|list |access-list-number
| access-group }
12. ipv6 route ipv6-prefix/prefix-length 128
13. End
DETAILED STEPS

Example:
Step 2 ipv6 unicast-routing Enables forwarding of IPv6 unicast data packets.

Example:
Router(config)# ipv6 unicast-routing
296

Step 3 interface Cellular {type|number} Specifies the cellular interface.
Example:
Router(config)# interface cellular 0/1/0
Step 4 ip address negotiated Specifies that the IP address for a particular interface is
dynamically obtained.
Example:
Router(config-if)# ip address negotiated
Step 5 load-intervalseonds Specifies the length of time for which data is used to
compute load statistics.
Example:
Router(config-if)# load-interval 30
Step 6 dialer in-band Enables DDR and configures the specified serial interface
to use in-band dialing.
Example:
Router(config-if)# dialer in-band
Step 7 dialer idle-timeout seonds Specifies the dialer idle timeout period.
Example:
Router(config-if)# dialer idle-timeout 0
Step 8 dialer-groupgroup-number Specifies the number of the dialer access group to which
the specific interface belongs.
Example:
Router(config-if)# dialer-group 1
Step 9 no peer default ip address Removes the default address from your configuration.
Example:
Router(config-if)# no peer default ip address
Step 10 ipv6 address autoconfig or ipv6 enable Enables automatic configuration of IPv6 addresses using
stateless autoconfiguration on an interface and enables
Example:
IPv6 processing on the interface.
Router(config-if)# ipv6 address autoconfig
or
Router(config-if)# ipv6 enable
Step 11 dialer-listdialer-groupprotocolprotocol-name {permit Defines a dial-on-demand routing (DDR) dialer list for
|deny|list |access-list-number | dialing by protocol or by a combination of a protocol and
access-group } a previously defined access list.
Example:
Router(config)# dialer-list 1 protocol ipv6 permit
Step 12 ipv6 route ipv6-prefix/prefix-length 128

Example:
Router(config)#ipv6 route 2001:1234:1234::3/128
Cellular0/1/0
297

Step 13 End Exits to global configuration mode.
Example:
Router(config-if)#end
Examples
The following example shows the Cellular IPv6 configuration for NIM-LTEA-EA and NIM-LTEA-LA
modules.
Router(config)# interface Cellular0/1/0

ip address negotiated
load-interval 30
dialer in-band
dialer idle-timeout 0
lte dialer-group 1
no peer default ip address
ipv6 address autoconfig
!
interface Cellular0/1/1
load-interval 30
dialer in-band
dialer-group 1
ipv6 address autoconfig
The following example shows the Cellular IPv6 configuration for P-LTEAP18-GL, P-LTEA-XX,
and P-LTE-XX modules.
Router(config)# interface Cellular0/2/0

load-interval 30
dialer in-band
lte dialer-group 1
ipv6 enable
!
interface Cellular0/2/1
load-interval 30
dialer in-band
dialer-group 1
ipv6 enable
298
CHAPTER 20
Radio Aware Routing
Radio-Aware Routing (RAR) is a mechanism that uses radios to interact with the routing protocol OSPFv3
to signal the appearance, disappearance, and link conditions of one-hop routing neighbors.
In a large mobile networks, connections to the routing neighbors are often interrupted due to distance and
radio obstructions. When these signals do not reach the routing protocols, protocol timers are used to update
the status of a neighbor. Routing protocols have lengthy timer, which is not recommended in mobile networks.
• Benefits of Radio Aware Routing, on page 299
• Restrictions and Limitations, on page 300
• License Requirements, on page 300
• System Components, on page 300
• QoS Provisioning on PPPoE Extension Session, on page 301
• Example: Configuring the RAR Feature in Bypass Mode, on page 301
• Example: Configuring the RAR Feature in Aggregate Mode, on page 303
• Verifying RAR Session Details, on page 304
• Troubleshooting Radio Aware Routing, on page 310
Benefits of Radio Aware Routing

The Radio Aware Routing feature offers the following benefits:
• Provides faster network convergence through immediate recognition of changes.
• Enables routing for failing or fading radio links.
• Allows easy routing between line-of-sight and non-line-of-sight paths.
• Provides faster convergence and optimal route selection so that delay-sensitive traffic, such as voice and
video, is not disrupted
• Provides efficient radio resources and bandwidth usage.
• Reduces impact on the radio links by performing congestion control in the router.
• Allows route selection based on radio power conservation.
• Enables decoupling of the routing and radio functionalities.
• Provides simple Ethernet connection to RFC 5578, R2CP, and DLEP compliant radios.
299
Radio Aware Routing
Restrictions and Limitations
Restrictions and Limitations

The Radio Aware Routing feature has the following restrictions and limitations:
• The DLEP and R2CP protocols are not supported on Cisco Catalyst 8300 Edge Platform.
• Multicast traffic is not supported in aggregate mode.
• Cisco High Availability (HA) technology is not supported.
License Requirements
This feature is made available with the AppX license.
System Components
The Radio Aware Routing (RAR) feature is implemented using the MANET (Mobile adhoc network)
infrastructure comprising of different components such as PPPoE, Virtual multipoint interface (VMI), QoS,
routing protocol interface and RAR protocols.
Point-to-Point Protocol over Ethernet PPPoE or PPPoE

PPPoE is a well-defined communication mechanism between the client and the server. In the RAR
implementation, radio takes the role of the PPPoE client and router takes the role of the PPPoE server. This
allows a loose coupling of radio and router, while providing a well-defined and predictable communication
mechanism.
As PPPoE is a session or a connection oriented protocol, it extends the point-to-point radio frequency (RF)
link from an external radio to an IOS router.
PPPoE Extensions
PPPoE extensions are used when the router communicates with the radio. In the Cisco IOS implementation
of PPPoE, each individual session is represented by virtual access interface (connectivity to a radio neighbor)
on which, QoS can be applied with these PPPoE extensions.
RFC5578 provides extensions to PPPoE to support credit-based flow control and session-based real time link
metrics, which are very useful for connections with variable bandwidth and limited buffering capabilities
(such as radio links).
Virtual Multipoint Interface (VMI)

Though PPPoE Extensions provides the most of the setup to communicate between a router and a radio, VMI
addresses the need to manage and translate events that higher layers (example, routing protocols) consume.
In addition, VMI operates in the Bypass mode.
In Bypass mode, every Virtual Access Interface (VAI) representing a radio neighbor is exposed to routing
protocols OSPFv3 and EIGRP, so that, the routing protocol directly communicates with the respective VAI
for both unicast and multicast routing protocol traffic.
300
Radio Aware Routing
QoS Provisioning on PPPoE Extension Session
In Aggregae mode, VMI is exposed to the routing protocols (OSPF) so that the routing protocols can leverage
VMI for their optimum efficiency. When the network neighbors are viewed as a collection of networks on a
point-to-multipoint link with broadcast and multicast capability at VMI, VMI helps in aggregating the multiple
virtual access interfaces created from PPPoE. VMI presents a single multi access layer 2 broadcast capable
interface. The VMI layer handles re-directs unicast routing protocol traffic to the appropriate P2P link
(Virtual-Access interface), and replicats any Multicast/Broadcast traffic that needs to flow. Since the routing
protocol communicates to a single interface, the size of the topology database is reduced, without impacting
the integrity of the network.
QoS Provisioning on PPPoE Extension Session

The following example describes QoS provisioning on PPPoE extension session:
policy-map rar_policer
class class-default
police 10000 2000 1000 conform-action transmit exceed-action drop violate-action drop
policy-map rar_shaper
class class-default
shape average percent 1
ip address 192.0.2.7 255.255.255.0
no keepalive
service-policy input rar_policer
end
Example: Configuring the RAR Feature in Bypass Mode

The following example is an end-to-end configuration of RAR in the bypass mode:
Note Before you being the RAR configuration, you must first configure the subscriber authorization
enable command to bring up the RAR session. Without enbaling authorization, the Point-to-Point
protocol does not recognize this as a RAR session and may not tag manet_radio in presentation of
a PPPoE Active Discovery Initiate (PADI). By default, bypass mode does not appears in the
configuration. It appears only if the mode is configured as bypass.
Configure a Service for RAR

policy-map type service rar-lab
pppoe service manet_radio //note: Enter the pppoe service policy name as manet_radio
!
Configure Broadband
bba-group pppoe VMI2
virtual-template 2
service profile rar-lab
!
301
Radio Aware Routing
Example: Configuring the RAR Feature in Bypass Mode
description Connected to Client1

negotiation auto
pppoe enable group VMI2
!

!
Configuration in Bypass Mode

• IP Address Configured under Virtual-Template Explicitly
ip address 192.0.2.7 255.255.255.0
no ip redirects
peer default ip address pool PPPoEpool2
ipv6 enable
ospfv3 1 network manet
ospfv3 1 ipv4 area 0
no keepalive
service-policy input rar_policer Or/And
service-policy output rar_shaper
• VMI Unnumbered Configured under Virtual Template
ip unnumbered vmi2
no ip redirects
peer default ip address pool PPPoEpool2
ipv6 enable
ospfv3 1 network manet
no keepalive
Configure the Virtual Multipoint Interface in Bypass Mode
interface vmi2 //configure the virtual multi interface

ip address 192.0.2.5 255.255.255.0
physical-interface GigabitEthernet0/0/0
mode bypass
interface vmi3//configure the virtual multi interface
ip address 192.0.2.6 255.255.255.0
mode bypass
Configure OSPF Routing

router ospfv3 1
router-id 192.0.2.1
302
Radio Aware Routing
Example: Configuring the RAR Feature in Aggregate Mode
!
address-family ipv4 unicast
redistribute connected metric 1 metric-type 1
log-adjacency-changes
exit-address-family
!
redistribute connected metric-type 1
exit-address-family
!
ip local pool PPPoEpool2 192.0.2.8 192.0.2.4
Example: Configuring the RAR Feature in Aggregate Mode

The following example is an end-to-end configuration of RAR in the aggregate mode:
Note Before you being the RAR configuration, you must first configure the subscriber authorization
enable command to bring up the RAR session. Without enabling authorization, the Point-to-Point
protocol does not recognize this as a RAR session and may not tag manet_radio in PADI.

!
Configure Broadband
bba-group pppoe VMI2
virtual-template 2
service profile rar-lab
!
description Connected to Client1
negotiation auto
pppoe enable group VMI2

!
Configuration in Aggregate Mode
ip unnumbered vmi2
no ip redirects
303
Radio Aware Routing
Verifying RAR Session Details

ipv6 enable
no keepalive
Configure the Virtual Multipoint Interface in Aggregate Mode
interface vmi2 //configure the virtual multi interface

ip address 192.0.2.8 255.255.255.0
mode aggregate
interface vmi3//configure the virtual multi interface
ip address 192.0.2.4 255.255.255.0
no ip redirects
no ip split-horizon eigrp 1
mode aggregate
Configure OSPF Routing

router ospfv3 1
router-id 192.0.2.1
!
redistribute connected metric 1 metric-type 1
exit-address-family
!
redistribute connected metric-type 1
exit-address-family
!

To retrieve RAR session details, use the following show commands:
Router#show pppoe session packets all
Total PPPoE sessions 2
session id: 9
local MAC address: 006b.f10e.a5e0, remote MAC address: 0050.56bc.424a
virtual access interface: Vi2.1, outgoing interface: Gi0/0/0
1646 packets sent, 2439363 received
176216 bytes sent, 117250290 received
PPPoE Flow Control Stats

Local Credits: 65535 Peer Credits: 65535 Local Scaling Value 64 bytes
Credit Grant Threshold: 28000 Max Credits per grant: 65535
Credit Starved Packets: 0
PADG xmit Seq Num: 32928 PADG Timer index: 0
PADG last rcvd Seq Num: 17313
304
Radio Aware Routing
PADG last nonzero Seq Num: 17306

PADG last nonzero rcvd amount: 2
PADG Timers: (ms) [0]-1000 [1]-2000 [2]-3000 [3]-4000 [4]-5000
PADG xmit: 33308 rcvd: 17313
PADC xmit: 17313 rcvd: 19709
In-band credit pkt xmit: 7 rcvd: 2434422
Last credit packet snapshot
PADG xmit: seq_num = 32928, fcn = 0, bcn = 65535
PADC rcvd: seq_num = 32928, fcn = 65535, bcn = 65535
PADG rcvd: seq_num = 17313, fcn = 0, bcn = 65535
PADC xmit: seq_num = 17313, fcn = 65535, bcn = 65535
In-band credit pkt xmit: fcn = 61, bcn = 65533
In-band credit pkt rcvd: fcn = 0, bcn = 65534
==== PADQ Statistics ====
PADQ xmit: 0 rcvd: 0
session id: 10
local MAC address: 006b.f10e.a5e1, remote MAC address: 0050.56bc.7dcb
virtual access interface: Vi2.2, outgoing interface: Gi0/0/1
1389302 packets sent, 1852 received
77869522 bytes sent, 142156 received

PADG Timers: (ms) [0]-1000 [1]-2000 [2]-3000 [3]-4000 [4]-5000
Router#show pppoe session packets

Total PPPoE sessions 2
SID Pkts-In Pkts-Out Bytes-In Bytes-Out

9 2439391 1651 117252098 176714
10 1858 1389306 142580 77869914
Router#show vmi counters

Interface vmi2: - Last Clear Time =
Input Counts:
Process Enqueue = 0 (VMI)
Fastswitch = 0
VMI Punt Drop:
Queue Full = 0
Output Counts:
305
Radio Aware Routing
Transmit:
VMI Process DQ = 4280
Fastswitch VA = 0
Fastswitch VMI = 0
Drops:
Total = 0
QOS Error = 0
VMI State Error = 0
Mcast NBR Error = 0
Ucast NBR Error = 0
Input Counts:
Fastswitch = 0
VMI Punt Drop:
Queue Full = 0
Output Counts:
Transmit:
VMI Process DQ = 2956
Fastswitch VA = 0
Fastswitch VMI = 0
Drops:
Total = 0
QOS Error = 0
VMI State Error = 0
Mcast NBR Error = 0
Ucast NBR Error = 0
Input Counts:
Fastswitch = 0
VMI Punt Drop:
Queue Full = 0
Output Counts:
Transmit:
VMI Process DQ = 0
Fastswitch VA = 0
Fastswitch VMI = 0
Drops:
Total = 0
QOS Error = 0
VMI State Error = 0
Mcast NBR Error = 0
Ucast NBR Error = 0
Router#
Router#show vmi neighbor details

1 vmi2 Neighbors
1 vmi3 Neighbors
0 vmi4 Neighbors
2 Total Neighbors
vmi2 IPV6 Address=FE80::21E:E6FF:FE43:F500

IPV6 Global Addr=::
IPV4 Address=192.0.2.6, Uptime=05:15:01
Output pkts=89, Input pkts=0
No Session Metrics have been received for this neighbor.
Transport PPPoE, Session ID=9
INTERFACE STATS:
306
Radio Aware Routing
VMI Interface=vmi2,
Input qcount=0, drops=0, Output qcount=0, drops=0
V-Access intf=Virtual-Access2.1,
Physical intf=GigabitEthernet0/0/0,

PADG Timers: (ms) [0]-1000 [1]-2000 [2]-3000 [3]-4000 [4]-5000
vmi3 IPV6 Address=FE80::21E:7AFF:FE68:6100

IPV6 Global Addr=::
METRIC DATA: Total rcvd=1, Avg arrival rate (ms)=0
CURRENT: MDR=128000 bps, CDR=128000 bps
Lat=0 ms, Res=100, RLQ=100, load=0
MDR Max=128000 bps, Min=128000 bps, Avg=128000 bps
CDR Max=128000 bps, Min=128000 bps, Avg=128000 bps
Latency Max=0, Min=0, Avg=0 (ms)
Resource Max=100%, Min=100%, Avg=100%
RLQ Max=100, Min=100, Avg=100
Load Max=0%, Min=0%, Avg=0%
INTERFACE STATS:
VMI Interface=vmi3,

PADG Timers: (ms) [0]-1000 [1]-2000 [2]-3000 [3]-4000 [4]-5000
307
Radio Aware Routing

Router#show vmi neighbor details vmi 2

1 vmi2 Neighbors
vmi2 IPV6 Address=FE80::21E:E6FF:FE43:F500

IPV6 Global Addr=::
No Session Metrics have been received for this neighbor.
INTERFACE STATS:
VMI Interface=vmi2,

PADG Timers: (ms) [0]-1000 [1]-2000 [2]-3000 [3]-4000 [4]-5000
Router#show platform hardware qfp active feature ess session

Current number sessions: 2
Current number TC flow: 0
Feature Type: A=Accounting D=Policing(DRL) F=FFR M=DSCP Marking L=L4redirect P=Portbundle
T=TC
Session Type Segment1 SegType1 Segment2 SegType2 Feature Other

----------------------------------------------------------------------------------------
21 PPP 0x0000001500001022 PPPOE 0x0000001500002023 LTERM -------
24 PPP 0x0000001800003026 PPPOE 0x0000001800004027 LTERM -------
308
Radio Aware Routing
Router#show platform software subscriber pppoe_fctl evsi 21

PADG Timers: (ms) [0]-1000 [1]-2000 [2]-3000 [3]-4000 [4]-5000
BQS buffer statistics

Current packets in BQS buffer: 0
Total en-queue packets: 0 de-queue packets: 0
Total dropped packets: 0
Internal flags: 0x0
Router#show platform hardware qfp active feature ess session id 21

Session ID: 21
EVSI type: PPP

SIP Segment ID: 0x1500001022
SIP Segment type: PPPOE
FSP Segment ID: 0x1500002023
FSP Segment type: LTERM
QFP if handle: 16
QFP interface name: EVSI21
SIP TX Seq num: 0
SIP RX Seq num: 0
FSP TX Seq num: 0
FSP RX Seq num: 0
Condition Debug: 0x00000000
session
Router#show ospfv3 neighbor
OSPFv3 1 address-family ipv4 (router-id 192.0.2.3)
Neighbor ID Pri State Dead Time Interface ID Interface

192.0.2.1 0 FULL/ - 00:01:32 19 Virtual-Access2.1
OSPFv3 1 address-family ipv6 (router-id 192.0.2.3)
Neighbor ID Pri State Dead Time Interface ID Interface

192.0.2.1 0 FULL/ - 00:01:52 19 Virtual-Access2.1
Router#
309
Radio Aware Routing
Troubleshooting Radio Aware Routing
Router#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
192.0.2.8/8 is variably subnetted, 3 subnets, 2 masks

C 192.0.2.5/24 is directly connected, Virtual-Access2.1
O 192.0.2.6/32 [110/1] via 192.0.2.22, 00:00:03, Virtual-Access2.1
L 192.0.2.7/32 is directly connected, Virtual-Access2.1
C 192.0.2.20 is directly connected, Virtual-Access2.1
Troubleshooting Radio Aware Routing

To troubleshoot the RAR, use the following debug commands:
• debug pppoe errors
• debug pppoe events
• debug ppp error
• debug vmi error
• debug vmi neighbor
• debug vmi packet
• debug vmi pppoe
• debug vmi registries
• debug vmi multicast
• debug vtemplate cloning
• debug vtemplate event
• debug vtemplate error
• debug plat hard qfp ac feature subscriber datapath pppoe detail
310
CHAPTER 21
Configuring Voice Functionality
This chapter provides information about configuring the voice functionality in the Cisco Catalyst 8000 Edge
Platforms.
This chapter includes these sections:
• Call Waiting, on page 311
• Feature Group D Configuration, on page 311
• Media and Signaling Authentication and Encryption, on page 313
• Multicast Music-on-Hold, on page 313
• TLS 1.2 support on SCCP Gateways, on page 314
Call Waiting
With the Call Waiting feature, you can receive a second call while you are on the phone attending to another
call. When you receive a second call, you hear a call-waiting tone (a tone with a 300 ms duration). Caller ID
appears on phones that support caller ID. You can use hookflash to answer a waiting call and place the
previously active call on hold. By using hookflash, you can toggle between the active and a call that is on
hold. If the Call Waiting feature is disabled, and you hang up the current call, the second call will hear a busy
tone. For more information on Call Waiting, see the https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/
sip/configuration/15-mt/sip-config-15-mt-book/voi-sip-hookflash.html
Call Transfers
Call transfers are when active calls are put on hold while a second call is established between two users. After
you establish the second call and terminate the active call, the call on hold will hear a ringback. The Call
Transfer feature supports all three types of call transfers—blind, semi-attended, and attended.
Feature Group D Configuration

To configure the Feature Group D signaling, perform these steps:
311
Feature Group D Configuration
Before you begin

Feature Group D service is a trunk side connection that enables telephone customers to choose their long
distance network and use the same number of digits irrespective of carrier they use. Routers interface with
interexchange carriers using Feature Group D to support voice traffic in the carrier environment.
Before you attempt this configuration, ensure that you meet these prerequisites:
• The platform must be using Digital T1/E1 Packet Voice Trunk Network Modules.
• The Digital T1/E1 Packet Voice Trunk Network Module can have one or two slots for voice/WAN
Interface Network Modules (NIMs); NIM supports one to eight ports. Only the dual-mode (voice/WAN)
multiple trunk cards are supported in the digital E1 packet voice trunk network module, not older VICs.
• Drop-and-Insert capability is supported only between two ports on the same multiple card.
SUMMARY STEPS
1. configure terminal {ip-address | interface-type interface-number [ip-address]}
2. voice-card slot/subslot
3. controller T1/E1 slot/subslot/port
4. framing {sf | esf }
5. linecode {b8zs | ami}
6. ds0-group ds0-group-notimeslots timeslot-list type{e&m-fgd | fgd-eana}
7. no shutdown
8. exit
DETAILED STEPS

Step 1 configure terminal {ip-address | interface-type Enters global configuration mode.
interface-number [ip-address]}
Example:
Router(config)# configure terminal
Step 2 voice-card slot/subslot Enters voice card interface configuration mode and specify
the slot location by using a value from 0 to 5, depending
Example:
upon your router.
Router(config)# voice-card slot/subslot
Step 3 controller T1/E1 slot/subslot/port Enters controller configuration mode for the T1 controller
at the specified slot/port location. Valid values for slot and
Example:
port are 0 and 1.
Router(config)# controller T1 slot/subslot/port
Step 4 framing {sf | esf } Sets the framing according to your service provider's
instructions. Choose Extended Superframe (ESF) format
Example:
or Superframe (SF) format.
Router(config)# framing {sf | esf}
312
Media and Signaling Authentication and Encryption

Step 5 linecode {b8zs | ami} Sets the line encoding according to your service provider's
instructions. Bipolar-8 zero substitution (B8ZS) encodes a
sequence of eight zeros in a unique binary sequence to detect
line coding violations. Alternate mark inversion (AMI)
represents zeros using a 01 during each bit cell, and ones
are represented by 11 or 00, alternately, during each bit cell.
AMI requires that the sending device maintain ones density.
Ones density is not maintained independent of the data
stream.
Step 6 ds0-group ds0-group-notimeslots timeslot-list Defines the T1 channels for use by compressed voice calls
type{e&m-fgd | fgd-eana} as well as the signaling method the router uses to connect
to the PBX or CO. ds0-group-no is a value from 0 to 23
that identifies the DS0 group. Note The ds0-group command
automatically creates a logical voice port that is numbered
as follows: slot/port:ds0-group-no. Although only one voice
port is created, applicable calls are routed to any channel
in the group. timeslot-list is a single number, numbers
separated by commas, or a pair of numbers separated by a
hyphen to indicate a range of timeslots. For T1, allowable
values are from 1 to 24. To map individual DS0 timeslots,
define additional groups. The system maps additional voice
ports for each defined group. The signaling method selection
for type depends on the connection that you are making.
The e&m-fgd setting allows E&M interface connections
for PBX trunk lines (tie lines) and telephone equipment to
use feature group D switched-access service. The fgd-eana
setting supports the exchange access North American
(EANA) signaling.
Step 7 no shutdown Activates the controller.
Step 8 exit Exits controller configuration mode. Skip the next step if
you are not setting up Drop and Insert .
Media and Signaling Authentication and Encryption

The Media and Signaling Authentication and Encryption Feature for Cisco IOS MGCP Gateways feature
implements voice security features that include signaling authentication along with media and signaling
encryption on MGCP gateways. For more information on Media and Signaling Authentication and Encryption
Feature, see the http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/mgcp/configuration/15-mt/
vm-15-mt-book/vm-gw-med-sig.html
Multicast Music-on-Hold
The Music-on-Hold (MOH) feature enables you to subscribe to a music streaming service when you are using
a Cisco IOS MGCP voice gateway. Music streams from an MOH server to the voice interfaces of on-net and
313
TLS 1.2 support on SCCP Gateways
off-net callers that have been placed on hold. Cisco Communications Manager supports the capability to place
callers on hold with music supplied from a streaming multicast MOH server.
By means of a preconfigured multicast address on the Cisco Unified Communications Manager or gateway,
the gateway can "listen" for Real-Time Transport Protocol (RTP) packets that are broadcast from a default
router in the network and can relay the packets to designated voice interfaces in the network. You can initiate
the call on hold. However, you cannot initiate music on hold on a MGCP controlled analog phone. Whenever
a called party places a calling party on hold, Cisco Communications Manager requests the MOH server to
stream RTP packets to the "on-hold" interface through the preconfigured multicast address. In this way, RTP
packets are relayed to appropriately configured voice interfaces that have been placed on hold. When you
configure a multicast address on a gateway, the gateway sends an Internet Gateway Management Protocol
(IGMP) "join" message to the default router, indicating to the default router that the gateway is ready to receive
RTP multicast packets.
Multiple MOH servers can be present in the same network, but each server must have a different Class D IP
address, and the address must be configured in Cisco Communications Manager and the MGCP voice gateways.
For more information on configuring MOH, see the http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/
cminterop/configuration/15-0m/vc-15-0m-book/
vc-ucm-mgcp-gw.html#GUID-A3461142-2F05-4420-AEE6-032FCA3B7952

The TLS 1.2 support on SCCP Gateways feature details the configuration of TLS 1.2 on SCCP protocol for
digital signal processor (DSP) farm including Unicast conference bridge
(CFB), Media Termination Point (MTP), and SCCP telephony control (STC) application (STCAPP).
DSP on gateways can be used as media resources for transrating or transcoding. Each media resource uses
Secure Skinny Client Control Protocol (SCCP) to communicate with Cisco Unified Communications Manager.
Currently SSL 3.1, which is equivalent to TLS1.0, is used for sending secure signals. This feature enhances
the support to TLS 1.2. From Cisco IOS XE Cupertino 17.7.1a, TLS 1.2 is enhanced to support the
Next-Generation Encryption (NGE) cipher suites.
Note Cisco Unified Communications Manager (CUCM) Version 14SU2 has been enhanced to support Secured
SCCP gateways with the Subject Name field (CN Name) with or without colons, for example, AA:22:BB:44:55
or AA22BB4455.
CUCM checks the CN field of the incoming certificate from the SCCP Gateway and verifies it against the
DeviceName configured in CUCM for this gateway. DeviceName contains MAC address of the gateway.
CUCM converts the MAC address in the DeviceName to MAC address with colons (for example:
AA:22:BB:44:55) and validates with the CN name in the Gateway's certificate. Therefore, CUCM mandates
Gateway to use MAC address with colons for the CN field in the certificate, that is, subject name.
Due to new guidelines from Defense Information Systems Agency (DISA), it is a requirement not to use
colons for the subject name field CN. For example, AA22BB4455.
SCCP TLS connection

CiscoSSL is based on OpenSSL. SCCP uses CiscoSSL to secure the communication signals.
314
If a resource is configured in the secure mode, the SCCP application initiates a process to complete Transport
Layer Security (TLS) handshaking. During the handshake, the server sends information to CiscoSSL about
the TLS version and cipher suites supported. Previously, only SSL3.1 was supported for SCCP secure signalling.
SSL3.1 is equivalent to TLS 1.0. The TLS 1.2 Support feature introduces TLS1.2 support to SCCP secure
signalling.
After TLS handshaking is complete, SCCP is notified and SCCP kills the process.
If the handshaking is completed successfully, a REGISTER message is sent to Cisco Unified Communications
Manager through the secure tunnel. If handshaking fails and a retry is needed, a new process is initiated.
Note For SCCP-based signalling, only TLS_RSA_WITH_AES_128_CBC_SHA cipher suite is supported.
Cipher Suites
For SCCP-based signaling, TLS_RSA_WITH_AES_128_CBC_SHA cipher suite is supported.
From Cisco IOS XE Cupertino 17.7.1a, the following NGE cipher suites are also supported:
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES256-GCM-SHA384
These cipher suites enable secure voice signaling for both the STCAPP analog phone and the SCCP DSPFarm
conferencing service. The cipher suite selection is negotiated between gateway and CUCM.
The following prerequisites are applicable for using NGE cipher suites:
• Configure TLS 1.2. For more information, see Configuring TLS Version for STC application, on page
315.
• Use CUCM Release 14.1 SU1 or later, and Voice Gateways or platforms that support TLS 1.2.
• From the CUCM Web UI, navigate to Cipher Management and set the CIPHER switch as NGE. For
more information, see Cipher Management.
For more information about verifying cipher suites, see Verifying TLS Version and Cipher Suites, on page
316.
For the SRTP-encrypted media, you can use higher-grade cipher suites - AEAD-AES-128-GCM or
AEAD-AES-256-GCM. The selection of these cipher suites is automatically negotiated between GW and
CUCM for both secure analog voice and hardware conference bridge voice media. Authenticated Encryption
with Associated Data (AEAD) ciphers simultaneously provide confidentiality, integrity, and authenticity,
without built-in SHA algorithms to validate message integrity.
Supported Platforms
The TLS 1.2 support on the SCCP Gateways feature is supported on the following platforms:
• Cisco Catalyst 8200 and 8300 Series Edge Platforms
Configuring TLS Version for STC application

Perform the following task to configure a TLS version for the STC application:
315
enable
configure terminal
stcapp security tls-version v1.2
exit
Note The stcapp security tls command sets the TLS version to v.1.0, v1.1, or v1.2 only. If not configured explicitly,
TLS v1.0 is selected by default.
Configuring TLS Version in Secure Mode for DSP Farm Profile

Perform the following task to configure the TLS version in secure mode for DSP farm profile:
enable
configure terminal
tls-version v1.2
exit
Note Note: The tls command can be configured only in security mode.
Verifying TLS Version and Cipher Suites

Perform the following task to verify the TLS version and cipher suite:
# show dspfarm profile 100
Dspfarm Profile Configuration
Profile ID = 100, Service = CONFERENCING, Resource ID = 2

Profile Service Mode : secure
Trustpoint : Overlord_DSPFarm_GW
TLS Version : v1.2
TLS Cipher : ECDHE-RSA-AES256-GCM-SHA384
Profile Admin State : UP
Profile Operation State : ACTIVE
Application : SCCP Status : ASSOCIATED
Resource Provider : FLEX_DSPRM Status : UP
Total Number of Resources Configured : 10
Total Number of Resources Available : 10
Total Number of Resources Out of Service : 0
Total Number of Resources Active : 0
Maximum conference participants : 8
Codec Configuration: num_of_codecs:6
Codec : g711ulaw, Maximum Packetization Period : 30 , Transcoder: Not Required
Codec : g711alaw, Maximum Packetization Period : 30 , Transcoder: Not Required
Codec : g729ar8, Maximum Packetization Period : 60 , Transcoder: Not Required
Codec : g729abr8, Maximum Packetization Period : 60 , Transcoder: Not Required
Codec : g729r8, Maximum Packetization Period : 60 , Transcoder: Not Required
Codec : g729br8, Maximum Packetization Period : 60 , Transcoder: Not Required
Verifying STCAPP Application TLS Version

Perform the following tasks to verify TLS version of the STCAPP application:
Device# show call application voice stcapp
App Status: Active
CCM Status: UP
316
CCM Group: 120

Registration Mode: CCM
Total Devices: 0
Total Calls in Progress: 0
Total Call Legs in Use: 0
ROH Timeout: 45
TLS Version: v1.2
# show stcapp dev voice 0/1/0

Port Identifier: 0/1/0
Device Type: ALG
Device Id: 585
Device Name: ANB3176C85F0080
Device Security Mode : Encrypted
TLS version : TLS version 1.2
TLS cipher : ECDHE-RSA-AES256-GCM-SHA384
Modem Capability: None
Device State: IS
Diagnostic: None
Directory Number: 80010
Dial Peer(s): 100
Dialtone after remote onhook feature: activated
Busytone after remote onhook feature: not activated
Last Event: STCAPP_CC_EV_CALL_MODIFY_DONE
Line State: ACTIVE
Line Mode: CALL_CONF
Hook State: OFFHOOK
mwi: DISABLE
vmwi: OFF
mwi config: Both
Privacy: Not configured
HG Status: Unknown
PLAR: DISABLE
Callback State: DISABLED
CWT Repetition Interval: 0 second(s) (no repetition)
Number of CCBs: 1
Global call info:
Total CCB count = 3
Total call leg count = 6
Call State for Connection 2 (ACTIVE): TsConnected

Connected Call Info:
Call Reference: 33535871
Call ID (DSP): 187
Local IP Addr: 198.51.100.2
Local IP Port: 8234
Remote IP Addr: 198.51.100.20
Remote IP Port: 8154
Calling Number: 80010
Called Number:
Codec: g711ulaw
SRTP: on
RX Cipher: AEAD_AES_256_GCM
TX Cipher: AEAD_AES_256_GCM
Perform the following task to verify the sRTP cipher suite for the DSPfarm connection.
# show sccp connection detail
bridge-info(bid, cid) - Normal bridge information(Bridge id, Calleg id)

mmbridge-info(bid, cid) - Mixed mode bridge information(Bridge id, Calleg id)
sess_id conn_id call-id codec pkt-period dtmf_method type

bridge-info(bid, cid) mmbridge-info(bid, cid) srtp_cryptosuite dscp
317
call_ref spid conn_id_tx
16778224 - 125 N/A N/A rfc2833_pthru confmsp All RTPSPI

Callegs All MM-MSP Callegs N/A N/A
- - -
16778224 16777232 126 g711u 20 rfc2833_pthru s- rtpspi (101,125)

N/A AEAD_AES_256_GCM 184
30751576 16777219 -
16778224 16777231 124 g711u 20 rfc2833_pthru s- rtpspi (100,125)

N/A AEAD_AES_256_GCM 184
30751576 16777219 -
Total number of active session(s) 1, connection(s) 2, and callegs 3
Verifying Call Information

To display call information for TDM and IVR calls stored in the Forwarding Plane Interface (FPI), use the
showvoipfpi calls command. You can select a call ID and verify the cipher suite using the show voip fpi
calls confID call_id_number command. In this example, cipher suite 6 is AES_256_GCM.
#show voip fpi calls
Number of Calls : 2
---------- ---------- ---------- ----------- --------------- ---------------
confID correlator AcallID BcallID state event
---------- ---------- ---------- ----------- --------------- ---------------
1 1 87 88 ALLOCATED DETAIL_STAT_RSP
21 21 89 90 ALLOCATED DETAIL_STAT_RSP
#show voip fpi calls confID 1

---------------------------------------------------------------------------
VoIP-FPI call entry details:
---------------------------------------------------------------------------
Call Type : TDM_IP confID : 1
correlator : 1 call_state : ALLOCATED
last_event : DETAIL_STAT_RSP alloc_start_time : 1796860810
modify_start_time: 0 delete_start_time: 0
Media Type(SideA): SRTP cipher suite : 6
---------------------------------------------------------------------------
FPI State Machine Stats:
------------------------
create_req_call_entry_inserted : 1
………
Table 27: Feature Information for TLS 1.2 support on SCCP Gateways
Support for NGE Cipher Suites Cisco IOS XE Cupertino 17.7.1a This feature supports NGE cipher
suites for secure voice signaling
and secure media. These cipher
suites are applicable for both the
STCAPP analog phone and the
SCCP DSPFarm conferencing
service.
318
CHAPTER 22
Dying Gasp Through SNMP, Syslog and Ethernet
OAM
A dying gasp is a message (or signal) sent by a Customer Premises Equipment (CPE) to equipment managed
by an Internet Service Provider to indicate that the CPE has lost power. The message is sent when one of the
following occurs:
• System reload
• Interface shutdown
• Power failure—supported on specific platforms
This type of condition is vendor specific. An Ethernet Operations, Administration, and Maintenance (OAM)
notification about the condition may be sent immediately.
• Prerequisites for Dying Gasp Support, on page 319
• Restrictions for Dying Gasp Support, on page 319
• Information About Dying Gasp Through SNMP, Syslog and Ethernet OAM, on page 320
• How to Configure Dying Gasp Through SNMP, Syslog and Ethernet OAM, on page 320
• Configuration Examples for Dying Gasp Through SNMP, Syslog and Ethernet OAM, on page 321
Prerequisites for Dying Gasp Support

You must enable Ethernet OAM before configuring Simple Network Management Protocol (SNMP) for dying
gasp feature. For more information, see Enabling Ethernet OAM on an Interface.
Restrictions for Dying Gasp Support

• The dying gasp feature is not supported if you remove the power supply unit (PSU) from the system.
• SNMP trap is sent only on power failure or removal of power supply cable on selected platforms.
• The dying gasp support feature cannot be configured using CLI. To configure hosts using SNMP, refer
to the SNMP host configuration examples below.
319
Dying Gasp Through SNMP, Syslog and Ethernet OAM
Information About Dying Gasp Through SNMP, Syslog and Ethernet OAM
Information About Dying Gasp Through SNMP, Syslog and

Ethernet OAM
Dying Gasp
One of the OAM features as defined by IEEE 802.3ah is Remote Failure Indication, which helps in detecting
faults in Ethernet connectivity that are caused by slowly deteriorating quality. Ethernet OAM provides a
mechanism for an OAM entity to convey these failure conditions to its peer via specific flags in the OAM
PDU. One of the failure condition method to communicate is Dying Gasp, which indicates that an unrecoverable
condition has occurred; for example, when an interface is shut down. This type of condition is vendor specific.
A notification about the condition may be sent immediately and continuously.
How to Configure Dying Gasp Through SNMP, Syslog and

Ethernet OAM
Dying Gasp Trap Support for Different SNMP Server Host/Port Configurations
Note You can configure up to five different SNMP server host/port configurations.
Environmental Settings on the Network Management Server
setenv SR_TRAP_TEST_PORT UDP port

setenv SR_UTIL_COMMUNITY public
setenv SR_UTIL_SNMP_VERSION v2c
setenv SR_MGR_CONF_DIR Path to the executable snmpinfo.DAT file
The following example shows SNMP trap configuration on the host:

Router(config)#
Router(config)# snmp-server host 192.0.2.12 vrf Mgmt-intf version 2c public udp-port 6264
Router(config)#
Router(config)# ^Z
Router#
After performing a power cycle, the following output is displayed on the router console:
320
Message Displayed on the Peer Router on Receiving Dying Gasp Notification
Router#
ystem Bootstrap, Version 17.3(1.2r), RELEASE SOFTWARE
rommon 1 >
=======================================
Dying Gasp Trap Received for the Power failure event:
-----------------------------------------------------
Trap on the Host
++++++++++++++
snmp-server host = 192.0.2.12 (nms1-lnx) and SR_TRAP_TEST_PORT=6264

/auto/sw/packages/snmpr/192.0.2.9/bin> /auto/sw/packages/snmpr/192.0.2.9/bin/traprcv
Waiting for traps.
Received SNMPv2c Trap:
Community: public
From: 192.0.2.34
snmpTrapOID.0 = ciscoMgmt.305.1.3.5.0.2
ciscoMgmt.305.1.3.6 = Dying Gasp - Shutdown due to power loss
Message Displayed on the Peer Router on Receiving Dying Gasp Notification

001689: *May 30 14:16:47.746 IST: %ETHERNET_OAM-6-RFI: The client on interface Gi0/0/0 has
received a remote failure indication from its remote peer(failure reason = remote client
power failure action = )
Displaying SNMP Configuration for Receiving Dying Gasp Notification

Use the show running-config command to display the SNMP configuration for receiving dying gasp notification:
Router# show running-config | i snmp

snmp-server community public RW
snmp-server host 192.0.2.20 vrf Mgmt-intf version 2c public udp-port 6264
Router#
Configuration Examples for Dying Gasp Through SNMP, Syslog

and Ethernet OAM
Example: Configuring SNMP Community Strings on a Router
Setting up the community access string to permit access to the SNMP:
321
Example: Configuring SNMP-Server Host Details on the Router Console
Router> enable
Router(config)# snmp-server community public RW
For more information on command syntax and examples, refer to the Cisco IOS Network Management
Command Reference.
Example: Configuring SNMP-Server Host Details on the Router Console

Specifying the recipient of a SNMP notification operation:
Router> enable
Router(config)# snmp-server host X.X.X.XXX vrf mgmt-intf version 2c public udp-port 9800
For more information on command syntax and examples, refer to the Cisco IOS Network Management
Command Reference.
322
CHAPTER 23
Troubleshooting
• Troubleshooting, on page 323
Troubleshooting
System Report
System reports or crashinfo files save information that helps Cisco technical support representatives to debug
problems that caused the Cisco IOS image to crash. It is necessary to collect critical crash information quickly
and reliably and bundle it in a way that it can be identified with a specific crash occurrence. System reports
are generated and saved into the ‘/core’ directory, either on harddisk: or flash: filesystem. The system does
not generate reports in case of a reload.
In case of a system crash, the following details are collected:
1. Full process core
• IOSd core file and IOS crashinfo file if there was an IOSd process crash
2. Tracelogs
3. System process information
4. Bootup logs
5. Certain types of /proc information
This report is generated before the router goes down to rommon/bootloader. The information is stored in
separate files which are then archived and compressed into the tar.gz bundle. This makes it convenient to get
a crash snapshot in one place, and can be then moved off the box for analysis.
Device hostname, the ID of the module that generated the system report and its creation timestamp are
embedded in the file name:
<hostname>_<moduleID>-system-report_<timestamp>.tar.gz
Example:
323
Troubleshooting
System Report
Router1_RP_0-system-report_20210204-163559-UTC
A device with hostname Router1 experienced an unexpected reload of RP0 module and the system-report
was generated on 4th February 2021 at 4:39:59 PM UTC.
├── bootflash/
│ └── pd_info/
│ ├── dmesg_output-20210204-163538-UTC.log
│ ├── filesystems-20210204-163538-UTC.log
│ ├── memaudit-20210204-163538-UTC.log
│ ├── proc_cpuinfo-20210204-163538-UTC.log
│ ├── proc_diskstats-20210204-163538-UTC.log
│ ├── proc_interrupts-20210204-163538-UTC.log
│ ├── proc_oom_stats-20210204-163538-UTC.log
│ ├── proc_softirqs-20210204-163538-UTC.log
│ ├── system_report_trigger.log
│ └── top_output-20210204-163538-UTC.log
├── harddisk/
│ ├── core/
│ │ └── Router1_RP_0_hman_17716_20210212-123836-UTC.core.gz
│ └── tracelogs/
├── tmp/
│ ├── fp/
│ │ └── trace/
│ ├── maroon_stats/
│ ├── rp/
│ │ └── trace/
│ └── Router1_RP_0-bootuplog-20210204-163559-UTC.log
└── var/
└── log/
└── audit/
└── audit.log
324
APPENDIX A
Unsupported Commands
The C8000 Series routers contain a series of commands with the logging or platform keywords that either
produce no output or produce output that is not useful for customer purposes. Such commands that are not
useful for customer purposes are considered as unsupported commands. You will not find any further Cisco
documentation for the unsupported commands.
The following is a list of unsupported commands for the C8000 Series routers:
• backplaneswitchport
• clear logging onboard slot f0 dram
• clear logging onboard slot f0 voltage
• clear logging onboard slot f0 temperature
• show logging onboard slot f0 dram
• show logging onboard slot f0 serdes
• show logging onboard slot f0 status
• show logging onboard slot f0 temperature
• show logging onboard slot f0 uptime
• show logging onboard slot f0 uptime latest
• show logging onboard slot f0 voltage
• show logging onboard slot 0 dram
• show logging onboard slot 0 serdes
• show logging onboard slot 0 status
• show logging onboard slot 0 temperature
• show logging onboard slot 0 uptime
• show logging onboard slot 0 uptime latest
• show logging onboard slot 0 voltage
• show platform software adjacency r0 special
325
• show platform software adjacency rp active special

• show platform hardware backplaneswitch-manager RP active summary
• show platform hardware backplaneswitch-manager RP active subslot GEO statistics
• show platform software backplaneswitch-manager RP [active [detail]]
• show platform hardware backplaneswitch-manager [R0 [status] | RP]
• show platform hardware backplaneswitch-manager RPactive CP statistics
• platform hardware backplaneswitch-manager rp active subslot GEO statistics
• show platform software ethernet rp active l2cp
• show platform software ethernet rp active l2cp interface GigabitEthernet0
• show platform software ethernet rp active loopback
• show platform software ethernet rp active vfi
• show platform software ethernet r0 vfi
• show platform software ethernet r0 vfi id 0
• show platform software ethernet r0 vfi name GigabitEthernet0
• show platform software ethernet r0 l2cp
• show platform software ethernet r0 l2cp interface GigabitEthernet0
• show platform software ethernet r0 bridge-domain statistics
• show platform software flow r0 exporter name GigabitEthernet0
• show platform software flow r0 exporter statistics
• show platform software flow r0 global
• show platform software flow r0 flow-def
• show platform software flow r0 interface
• show platform software flow r0 ios
• show platform software flow r0 monitor
• show platform software flow r0 sampler
• show platform hardware qfp active classification feature-manager label GigabitEthernet 0 0
• show platform software interface f0 del-track
• show platform software interface fp active del-track
• show platform software rg r0 services
• show platform software rg r0 services rg-id 0
• show platform software rg r0 services rg-id 0 verbose
• show platform software rg r0 services verbose
326
• show platform software rg r0 statistics

• show platform software rg rp active services
• show platform software rg rp active services rg-id 0
• show platform software rg rp active services rg-id 0 verbose
• show platform software rg rp active statistics
• show platform hardware slot 0 dram statistics
• show platform hardware slot f0 dram statistics
• show platform hardware slot 0 eobc interface primary rmon
• show platform hardware slot 0 eobc interface primary status
• show platform hardware slot 0 eobc interface standby rmon
• show platform hardware slot 0 eobc interface standby status
• show platform hardware slot f0 eobc interface primary rmon
• show platform hardware slot f0 eobc interface primary status
• show platform hardware slot f0 eobc interface standby rmon
• show platform hardware slot f0 eobc interface standby status
• show platform hardware slot f0 sensor consumer
• show platform hardware slot f0 sensor producer
327
328

Cisco Catalyst 8300 and Catalyst 8200 Series Edge Platforms Software Configuration Guide

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

Cisco Catalyst 8300 and Catalyst 8200 Series Edge Platforms Software Configuration Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisco Catalyst 8300 and Catalyst 8200 Series Edge Platforms Software Configuration Guide

Uploaded by

Copyright:

Available Formats

Cisco Catalyst 8300 and Catalyst 8200 Series Edge Platforms Software

CHAPTER 2 Basic Platform Configuration 5

CHAPTER 3 Using Cisco IOS XE Software 25

Using Cisco IOS XE Software 25

Accessing the CLI Using a Directly-Connected Console 25

Using Software Release Notes 37

CLI Session Management 37

CHAPTER 4 Licenses and Licensing Models 39

Feature Information for Available Licenses and Licensing Models 39

Cisco DNA License 41

Guidelines for Using an HSECK9 License 44

Throughput as a Numeric Value 46

Throughput and System Hardware Throttling Specifications in the Autonomous Mode 47

Configuring a Boot Level License 54

CHAPTER 5 Change of Authorization 71

Feature Information for Change of Authorization 71

Configuration Examples for Change of Authorization 76

CHAPTER 6 Managing the Device Using Web User Interface 79

Setting Up Factory Default Device Using Web UI 79

Using Basic or Advanced Mode Setup Wizard 80

CHAPTER 7 Console Port, Telnet, and SSH Handling 87

Notes and Restrictions for Console Port, Telnet, and SSH 87

CHAPTER 8 Installing the Software 99

CHAPTER 9 Slot and Subslot Configuration 159

Configuring the Interfaces 159

CHAPTER 10 Cisco Thousand Eyes Enterprise Agent Application Hosting 163

Cisco ThousandEyes Enterprise Agent Application Hosting 163

Workflow to Host the Cisco ThousandEyes Application 166

Downloading and Copying the Image to the Device 167

CHAPTER 11 Process Health Monitoring 171

CHAPTER 12 System Messages 181

Information About Process Management 181

CHAPTER 13 Trace Management 187

CHAPTER 14 Environmental Monitoring and PoE Management 193

Environmental Monitoring 193

CHAPTER 15 Configuring High Availability 213

About Cisco High Availability 213

CHAPTER 16 Configuring Secure Storage 227

Enabling Secure Storage 227

Disabling Secure Storage 228

Verifying the Status of Encryption 229

CHAPTER 17 Configuring Call Home 231

Finding Feature Information 231

Obtaining Smart Call Home Services 233

Diagnostic Signature Actions 259

Diagnostic Signature Variables 260

CHAPTER 19 Cellular IPv6 Address 295

Cellular IPv6 Address 295

Global Address 296

Configuring Cellular IPv6 Address 296

CHAPTER 20 Radio Aware Routing 299

Benefits of Radio Aware Routing 299

CHAPTER 21 Configuring Voice Functionality 311

Call Waiting 311

Prerequisites for Dying Gasp Support 319

CHAPTER 23 Troubleshooting 323

APPENDIX A Unsupported Commands 325