Cisco Router – Configuring NTP Client and Server

Doc: Great Scott! Jennifer could conceivably encounter her future self! The consequences of that could be disastrous!
Marty: Doc, what do you mean?
Doc: I foresee two possibilities. One, coming face to face with herself 30 years older would put her into shock and she’d simply pass out. Or two, the encounter could create a time paradox, the results of which could cause a chain reaction that would unravel the very fabric of the space time continuum, and destroy the entire universe! Granted, that’s a worst-case scenario. The destruction might in fact be very localized, limited to merely our own galaxy.
Marty: Well, that’s a relief.

– Back to the Future Part II
– Robert Zemeckis and Bob Gale

NTP Server and NTP client

Configuring a Cisco router as an NTP Client

To view the system time on a router, use the show clock detail command:

Marty>
Marty>en
Marty#show clock detail
*00:00:50.151 UTC Mon Mar 1 1993
No time source

The asterisk in front of the time indicates that the time value is not authoritative. A time of March 1 1993 is the default time value when you turn on a router that has neither NTP configured, nor a manually-configured time.

So let’s set up Marty as an NTP client with the ntp server command:

Marty#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Marty(config)#ntp server 8.8.8.1

To view the NTP associations, use show ntp associations command:

Marty#show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
 ~8.8.8.1          0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

A ref clock of 0.0.0.0 and a reach value of 0 usually mean the NTP server is not responding to our client. (reach is an octal shift register of the last eight polls: 0 means none of them was answered, 377 means all eight were.) We have not set up an NTP server yet, so that is probably why the client is getting no response.

To view more details about the NTP associations, use the show ntp associations detail command:

Marty#show ntp associations detail
8.8.8.1 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
xmt time AF3BD180.285DEA34 (00:04:16.157 UTC Mon Mar 1 1993)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Yep, “insane” and “invalid” and a ref time of 1900 means our NTP server has not responded. The clock on the NTP client has not changed, even though it now says that its time source is NTP. And there is an asterisk before the time value, indicating that the time is not authoritative:

Marty#show clock detail
*00:02:16.051 UTC Mon Mar 1 1993
Time source is NTP

Now let’s switch over to the NTP server and set it up.

Configuring a Cisco router as an NTP Server

On the router that is going to be our NTP master, the output from show clock detail shows that it is using a user-configured time:

DocBrown#show clock detail
22:08:45.951 PST Thu Nov 12 2015
Time source is user configuration

To make it an NTP master server, use the ntp master command. With no stratum argument, IOS advertises stratum 8, and the ref ID 127.127.7.1 that shows up in the client output further down is the name IOS gives its own internal clock. Be clear about what that means: DocBrown now hands out whatever its free-running clock says as if it were authoritative, and nothing in this setup authenticates the exchange. On a production network, point the master at a real upstream source and turn on NTP authentication (ntp authenticate, ntp authentication-key, ntp trusted-key, and the key keyword on the client's ntp server line) before anyone relies on the time for log correlation.

DocBrown(config)#ntp master

Verifying the connection from the NTP Client

Now let’s go back to our NTP client and see if it has picked up the time from the NTP master:

Marty#show clock
*00:03:52.959 UTC Mon Mar 1 1993
Marty#show ntp asso d
8.8.8.1 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
rcv time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
xmt time AF3BD180.285DEA34 (00:04:16.157 UTC Mon Mar 1 1993)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

No joy. The NTP client is still stuck in 1993. Maybe the NTP server is unreachable?

Marty#ping 8.8.8.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Marty#sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  88.88.88.2      YES NVRAM  up                    up
Serial0                    unassigned      YES NVRAM  administratively down down

The NTP server does not respond to my ping. Oh for fecks sake, I have configured the NTP client with the wrong IP address for the NTP server. Of course it cannot get a time if it is trying to contact the wrong IP address. So let’s change the NTP client to use the correct IP address:

Marty#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Marty(config)#no ntp server 8.8.8.1
Marty(config)#ntp server 88.88.88.1
Marty(config)#exit
Marty#ping 88.88.88.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 88.88.88.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/12/28 ms

Now the NTP client is configured with the correct IP address for the NTP server. So let’s check its clock:

Marty#show clock detail
06:13:06.605 UTC Fri Nov 13 2015
Time source is NTP

Yep, Marty has picked up the time from Doc Brown. And there is no longer an asterisk in front of the time value, meaning that the time on Marty is now authoritative.

Marty#sh ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~88.88.88.1       127.127.7.1       8     4    64  377     7.0   12.34     0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
Marty#sh ntp associations detail
88.88.88.1 configured, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time D9EFFDD5.E89DD4AA (06:12:37.908 UTC Fri Nov 13 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 3.571
delay 6.97 msec, offset 12.3388 msec, dispersion 0.06
precision 2**18, version 3
org time D9EFFDFA.3E4C8002 (06:13:14.243 UTC Fri Nov 13 2015)
rcv time D9EFFDFA.3C089F3E (06:13:14.234 UTC Fri Nov 13 2015)
xmt time D9EFFDFA.3A316B5A (06:13:14.227 UTC Fri Nov 13 2015)
filtdelay =     7.03    6.97    6.97    6.96    7.03    6.99    7.00    7.03
filtoffset =   12.37   12.34   12.37   12.36   12.39   12.39   12.40   12.41
filterror =     0.02    0.03    0.05    0.06    0.08    0.09    0.11    0.12
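
The two outputs above (the unreachable 8.8.8.1 and the working 88.88.88.1) make a useful test set for a checker. This is an added example in Python, not code from the original post: it decodes the hex NTP timestamps IOS prints (AF3BD180.285DEA34 really is 00:04:16 on 1 Mar 1993, and the 1900 times are the NTP epoch), parses show ntp associations detail into one record per server, and says whether a server is usable, flagging stratum 16, insane/invalid/unsynced, reach 0 and an epoch reference time. It also warns when a server's ref ID is 127.127.x.x, the internal clock a router running ntp master with no upstream hands out. The sample output is a trimmed copy of the two outputs in this post.

```python
import re
from datetime import datetime, timedelta

# NTP timestamps count seconds from 1 Jan 1900 (era 0). An association that has
# never heard from its server therefore shows a reference time of 1900.
NTP_EPOCH = datetime(1900, 1, 1)

# First line of each association block, e.g. "8.8.8.1 configured, insane, invalid, unsynced, stratum 16"
HEADER_RE = re.compile(r"^(?P<addr>\S+) (?P<flags>.+), stratum (?P<stratum>\d+)\s*$")
REF_RE = re.compile(r"^ref ID (?P<refid>\S+), time (?P<ts>[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})")
REACH_RE = re.compile(r"\breach (?P<reach>[0-7]+)\b")


def ntp_timestamp_to_datetime(ts: str) -> datetime:
    """Decode a 64-bit NTP timestamp written as SSSSSSSS.FFFFFFFF (hex) to a naive UTC datetime.
    High 32 bits: seconds since 1900. Low 32 bits: binary fraction of a second."""
    secs_hex, frac_hex = ts.split(".")
    micros = round(int(frac_hex, 16) * 1_000_000 / 2**32)
    return NTP_EPOCH + timedelta(seconds=int(secs_hex, 16), microseconds=micros)


def parse_ntp_associations_detail(text: str) -> list:
    """Split 'show ntp associations detail' output into one dict per configured server."""
    assocs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"address": m.group("addr"),
                   "flags": [f.strip() for f in m.group("flags").split(",")],
                   "stratum": int(m.group("stratum")),
                   "refid": None, "ref_time": None, "reach": 0}
            assocs.append(cur)
            continue
        if cur is None:
            continue
        m = REF_RE.match(line)
        if m:
            cur["refid"] = m.group("refid")
            cur["ref_time"] = ntp_timestamp_to_datetime(m.group("ts"))
            continue
        m = REACH_RE.search(line)
        if m:
            # reach is an octal shift register of the last eight polls: 377 = all eight answered
            cur["reach"] = int(m.group("reach"), 8)
    return assocs


def assess(assoc: dict) -> dict:
    """Say whether the association is a usable time source and, if not, why."""
    problems, warnings = [], []
    if assoc["stratum"] >= 16:
        problems.append("stratum 16: the peer is unsynchronised or has never answered")
    for flag in ("insane", "invalid", "unsynced"):
        if flag in assoc["flags"]:
            problems.append(f"peer is flagged {flag}")
    if assoc["reach"] == 0:
        problems.append("reach 0: no reply to any of the last eight polls (wrong address, filtering or server down)")
    if assoc["ref_time"] == NTP_EPOCH:
        problems.append("reference time is the NTP epoch (1900): the peer has no reference clock")
    # 127.127.x.x is how IOS names its own internal clock ('ntp master' with no upstream):
    # every client will agree on the time, but that time is traceable to nothing.
    if assoc["refid"] and assoc["refid"].startswith("127.127."):
        warnings.append(f"{assoc['address']} serves its local clock ({assoc['refid']}), not a traceable source")
    return {"ok": not problems, "problems": problems, "warnings": warnings}


# Constructed sample: the two 'show ntp associations detail' outputs from this post, trimmed.
SAMPLE_OUTPUT = """\
8.8.8.1 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
88.88.88.1 configured, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time D9EFFDD5.E89DD4AA (06:12:37.908 UTC Fri Nov 13 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 377, sync dist 3.571
delay 6.97 msec, offset 12.3388 msec, dispersion 0.06
"""

if __name__ == "__main__":
    for a in parse_ntp_associations_detail(SAMPLE_OUTPUT):
        verdict = assess(a)
        print(a["address"], "stratum", a["stratum"], "ref", a["ref_time"], "OK" if verdict["ok"] else "BAD")
        for msg in verdict["problems"] + verdict["warnings"]:
            print("   ", msg)
```

Run it against a saved copy of your own show ntp associations detail output; a server that is "ok" but carries the local-clock warning is exactly the DocBrown situation, consistent across the network but not traceable to anything.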

One more thing. Marty is displaying time in UTC, whereas DocBrown is configured for PST. That is fine if the two routers really are in different timezones, but log analysis is easier if every device on the network uses the same timezone (many shops standardise on UTC for exactly this reason; whichever zone you pick, pick one). During or after an incident you are building a picture of what is happening, or has happened, on the network from the logs of different machines, and the this-happened-then-that-happened correlation is far easier when you do not have to mentally adjust the timestamps on each device.

So, let’s move Marty to PST as well.

Marty(config)#clock timezone PST -8 
Marty(config)#exit
Marty#show clock detail
22:27:48.883 PST Thu Nov 12 2015
Time source is NTP

Additional Information:

clock set command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

clock timezone command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

show clock command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

Cisco Router – Configuring Time Manually

Marty: You’re not gonna believe this. We have to go back to 1955
Doc: I don’t believe it!
Marty: That’s right, Doc. November 12th, 1955.
Doc: Unbelievable that Old Biff could’ve chosen that particular date. It could mean that that point in time inherently contains some sort of cosmic significance, almost as if it were the temporal junction point of the entire space-time continuum. On the other hand, it could just be an amazing coincidence.

– Back to the Future Part II
– Robert Zemeckis and Bob Gale

To view the system time on a router, use the show clock command:

DocBrown>en
Password:
DocBrown#show clock
*04:53:21.590 UTC Wed Mar 1 1993

The asterisk in front of the time indicates that the time value is not authoritative. A time of March 1 1993 is the default time value when you turn on a router that has neither NTP configured, nor a manually-configured time.

A show clock detail confirms that no time source has been configured:

DocBrown>en
Password:
DocBrown#show clock detail
*04:55:06.999 UTC Wed Mar 1 1993
No time source

To set the system time manually, use clock timezone (to set the timezone) and clock set (to set the time). Configure the timezone before you configure the time, because any change from the default UTC timezone also shifts the displayed system time, and you would have to set the time again. So, save a step and do the timezone first:

DocBrown#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
DocBrown(config)#clock timezone PST -8
DocBrown(config)#exit

DocBrown#clock set 22:04:00 12 November 1955
                                        ^
% Invalid input detected at '^' marker.

DocBrown#clock set 22:04:00 12 November ?
    Year

DocBrown#clock set 22:04:00 12 November 2015

Doc Brown cannot go back to 1955 because the acceptable range of values for the year is 1993 to 2035. So, let’s send him to 2015 instead.

To verify, use the show clock command:

DocBrown#show clock
22:04:05.311 PST Thu Nov 12 2015

The asterisk in front of the time is gone now, indicating that the time value is authoritative.

Now show clock detail shows that it is a user-configured time:

DocBrown#sh clock detail
22:48:59.047 PST Thu Nov 12 2015
Time source is user configuration

Additional Information:

clock set command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

clock timezone command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

show clock command in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2

Cisco ASA – 802.1q VLAN Tagging

The Cisco ASA supports 802.1q tagging, which inserts a 4-byte tag into the original Ethernet frame, between the source MAC address and the EtherType. The 802.1q tag contains 4 fields:

  1. TPID (Tag Protocol Identifier): 16-bit field. A value of 0x8100 identifies the frame as an IEEE 802.1q-tagged frame.
  2. Priority (PCP): 3-bit field describing the frame priority level. Value can range from 0 to 7.
  3. CFI (Canonical Format Indicator): 1-bit field. If the value is 1, the MAC address is in noncanonical format; if the value is 0, the MAC address is in canonical format. (802.1Q-2011 renamed this bit DEI, Drop Eligible Indicator.)
  4. VID (VLAN Identifier): 12-bit field identifying the VLAN to which the frame belongs. The field can hold 0 to 4095, but 0 (a priority-tagged frame with no VLAN) and 4095 are reserved, so usable VLAN IDs are 1 to 4094.
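
The tag layout above, as an added example (not code from the original post): a small Python builder and parser for 802.1q frames. It constructs the ARP request that GigabitEthernet0/1.10 would send when pinging 10.30.10.10 (a constructed packet, not the Wireshark capture), tags it with VLAN 10, then parses it back. The parser walks the whole tag stack rather than a single tag, which is what you need to notice double-tagged frames when checking for VLAN hopping, and it also accepts the 0x88A8 service TPID, which the post does not discuss. The parent-interface MAC used for the untagged frame is made up.

```python
import struct

TPID_8021Q = 0x8100   # customer VLAN tag, the TPID shown on the page
TPID_8021AD = 0x88A8  # service (QinQ outer) tag; added here, not discussed on the page
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}


def mac_to_bytes(mac: str) -> bytes:
    """Accept 10:10:10:10:10:10, 10-10-10-10-10-10 or Cisco-style 1010.1010.1010."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac}")
    return raw


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, tags=()) -> bytes:
    """Build an Ethernet frame; tags is a sequence of (tpid, pcp, cfi, vid), outermost first."""
    frame = mac_to_bytes(dst) + mac_to_bytes(src)
    for tpid, pcp, cfi, vid in tags:
        if tpid not in TAG_TPIDS or not 0 <= pcp <= 7 or cfi not in (0, 1) or not 0 <= vid <= 4095:
            raise ValueError(f"tag field out of range: {(tpid, pcp, cfi, vid)}")
        tci = (pcp << 13) | (cfi << 12) | vid          # 3 + 1 + 12 bits = 16-bit TCI
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack after the MAC addresses until a non-TPID EtherType is found."""
    if len(frame) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    tags, offset = [], 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: EtherType missing")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": mac_to_str(frame[:6]), "src": mac_to_str(frame[6:12]),
            "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:]}


def describe_vid(vid: int) -> str:
    """VID 0 and 4095 are reserved; only 1 to 4094 name a VLAN."""
    if vid == 0:
        return "priority-tagged, no VLAN"
    if vid == 4095:
        return "reserved"
    return f"VLAN {vid}"


# Constructed sample: the ARP request Gi0/1.10 would send for 10.30.10.10 (not a real capture).
ARP_REQUEST = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
               + mac_to_bytes("1010.1010.1010") + bytes([10, 30, 10, 1])
               + bytes(6) + bytes([10, 30, 10, 10]))
# Untagged, as from the parent interface; its MAC (0000.0c12.3456) is hypothetical.
UNTAGGED = build_frame("ffff.ffff.ffff", "0000.0c12.3456", 0x0806, ARP_REQUEST)
TAGGED_10 = build_frame("ffff.ffff.ffff", "1010.1010.1010", 0x0806, ARP_REQUEST,
                        tags=[(TPID_8021Q, 0, 0, 10)])
DOUBLE_TAGGED = build_frame("ffff.ffff.ffff", "2020.2020.2020", 0x0806, ARP_REQUEST,
                            tags=[(TPID_8021Q, 0, 0, 10), (TPID_8021Q, 0, 0, 20)])

if __name__ == "__main__":
    for frame in (UNTAGGED, TAGGED_10, DOUBLE_TAGGED):
        p = parse_frame(frame)
        print(p["src"], "->", p["dst"], [describe_vid(t["vid"]) for t in p["tags"]], hex(p["ethertype"]))
```

The bytes at offset 12 of TAGGED_10 are 81 00 00 0a, which is what Wireshark decodes as the 802.1q header for VLAN 10 in the capture below.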

802.1q Tag Inserted into an Ethernet Frame

Configuration Example

On my Cisco ASA 5520, I’ve set up the GigabitEthernet0/1 interface with a generic setup (name and IP address). I’ve created two subinterfaces off GigabitEthernet0/1: GigabitEthernet0/1.10 which belongs to VLAN 10, and GigabitEthernet0/1.20 which belongs to VLAN 20. I’ve given the subinterfaces new MAC addresses with the mac-address command. The show run interface coughs up this information:

ciscoasa# sh ru int
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.30.1.1 255.255.255.0
!
interface GigabitEthernet0/1.10
 mac-address 1010.1010.1010
 vlan 10
 nameif SubnetTen
 security-level 100
 ip address 10.30.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 mac-address 2020.2020.2020
 vlan 20
 nameif SubnetTwenty
 security-level 0
 ip address 10.30.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

I have a packet sniffer (Wireshark) snuffling up the packets coming out of the GigabitEthernet0/1 interface. It will also capture packets originating from the two subinterfaces.

So now let’s generate packets and see what the 802.1q tag looks like. First, let’s generate an untagged packet from the ASA. When I tell the ASA to ping 10.30.1.10, the ASA first does an ARP for the destination.

ciscoasa# ping 10.30.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.1.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

And Wireshark picks up Ethernet frames like the one below, which are untagged since they originate from the GigabitEthernet0/1 interface (which has an IP address of 10.30.1.1 and is therefore the interface used to reach the 10.30.1.0 network):

Untagged Ethernet Frame Captured in Wireshark

When I tell the ASA to ping 10.30.10.10, the ASA uses the GigabitEthernet0/1.10 interface to ARP for the destination.

ciscoasa# ping 10.30.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.10.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Now Wireshark picks up Ethernet frames like the one below, which originate from MAC address 10:10:10:10:10:10 and are tagged with VLAN 10:

Ethernet Frame Tagged with VLAN 10 Captured in Wireshark

And when I tell the ASA to ping 10.30.20.10:

ciscoasa# ping 10.30.20.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.20.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

We get frames originating from MAC address 20:20:20:20:20:20 that are tagged with VLAN 20:

Ethernet Frame Tagged with VLAN 20 Captured in Wireshark

Additional Information:

nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.

security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

mac-address command in the Cisco ASA 8.4 and 8.5 Command Reference.

show run interface command in the Cisco ASA 8.4 and 8.5 Command Reference.

vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.

Cisco ASA 5520 – Creating Subinterfaces

5:05 p.m. at the courier’s office.

Me and the cabling guys arrive to do the network cutover. We knock on the funny little door where customers pick up their packages. It is a Dutch door, split horizontally at waist-level like a stable door. During business hours, they swing open the upper half of the door, and the whole affair serves as a reception counter for the steady trickle of customers that amble by to collect their packages. At waist-height, just where top and bottom half meet, there is a narrow ledge where you can perch a package, or sign a clipboard. You only ever open the bottom half of the door if you need to walk through it.

But at 5:05 p.m., everyone in the office has buggered off, and it does not matter which half of the door we jiggle. We’re locked out. Our customer (the IT manager for the courier’s office) is running late. Fabulous. Do we wait here, or go find a pub?

The youngest of our cabling guys eyes the open transom above the door speculatively. He hops up on the narrow ledge and hands himself through the open transom with a fluid motion, feet-first. He lands with a soft thud on the other side of the door, and unlocks it from the inside for us, with a flash of gold teeth. I’ve seen David Belle do this move before on TV. The French King of Parkour.

We clap the grinning cabling guy on the shoulder and shuffle through the entryway; a single door frame that actually contains 3 doors.

Why Use Subinterfaces?

On the Cisco ASA 5510 and higher models, you can configure subinterfaces on any physical, redundant or EtherChannel interface. So, a single interface can be divided into multiple logical interfaces, each tagged with a different VLAN ID. An interface (physical, redundant, EtherChannel) with one or more VLAN subinterfaces is automatically configured as an 802.1q trunk.

By using VLANs and subinterfaces, you have the ability to separate traffic that is sharing the same physical interface. Thus, you do not need to add additional physical interfaces.

The number of VLANs per physical interface is limited by licensing. (See licensing requirements for each model here.)

Configuration Example

On my Cisco ASA 5520, I’ve enabled the GigabitEthernet0/1 interface with the no shutdown command, but I have not configured anything else. The show run interface coughs up this information:

ciscoasa(config-if)# sh ru int         
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0 
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only

I’m going to add a subinterface for the 10.30.10.0/24 network on the GigabitEthernet 0/1 interface, and give it a name and IP address:

ciscoasa# con t
ciscoasa(config)# int g 0/1.10
ciscoasa(config-subif)# vlan 10
ciscoasa(config-subif)# nameif SubnetTen
INFO: Security level for "SubnetTen" set to 0 by default.
ciscoasa(config-subif)# ip address 10.30.10.1 255.255.255.0

And I’m adding another subinterface for the 10.30.20.0/24 network:

ciscoasa(config-subif)# int g 0/1.20
ciscoasa(config-subif)# vlan 20
ciscoasa(config-subif)# nameif SubnetTwenty
INFO: Security level for "SubnetTwenty" set to 0 by default.
ciscoasa(config-subif)# ip address 10.30.20.1 255.255.255.0

Now a show run interface command shows that two subinterfaces have been created on the GigabitEthernet 0/1 interface:

ciscoasa(config-subif)# sh ru int
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0 
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif SubnetTen
 security-level 0
 ip address 10.30.10.1 255.255.255.0 
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif SubnetTwenty
 security-level 0
 ip address 10.30.20.1 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif    
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only

Additional Information:

nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.

security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

show run interface command in the Cisco ASA 8.4 and 8.5 Command Reference.

vlan command in the Cisco ASA 8.4 and 8.5 Command Reference.

Cisco ASA 5520 – Basic Interface Configuration

The Cisco ASA 5520 is one of the mid-range ASAs. 4 Gigabit Ethernet ports. Max 450 Mbps throughput under ideal conditions. Good for mid-sized offices. Has an expansion slot where you can install an add-on card that does content filtering (e.g. email and web) or intrusion prevention. Or you can install an expansion card that gives your ASA more physical ports.

The lowest-end ASA is the 5505 model, which is more like a switch with VLANs (see 5505 interface config here). But on the 5510 models and up, interface config is akin to that of a router.

Factory Default Settings on the ASA 5520

Out of the box, or with the configure factory-default command, the ASA 5520 is configured thusly:

Interface            Name         Security Level     IP Address       State
GigabitEthernet0/0   no nameif    no security-level  no ip address    shutdown
GigabitEthernet0/1   no nameif    no security-level  no ip address    shutdown
GigabitEthernet0/2   no nameif    no security-level  no ip address    shutdown
GigabitEthernet0/3   no nameif    no security-level  no ip address    shutdown
Management0/0        management   100                192.168.1.1      management-only

Configuration Example

On a Cisco ASA 5520 with a factory default config, a show run interface coughs up this information:

interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

With nothing configured on the interfaces, the routing table on a factory default ASA shows only the 127.0.0.0/16 loopback network on the internal control-plane (cplane) interface:

ciscoasa(config-if)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    127.0.0.0 255.255.0.0 is directly connected, cplane

To make an interface operational, it needs a name, an IP address, a security level and it needs to be administratively brought up with the no shutdown command.

So let’s give the GigabitEthernet0/0 interface a name and an IP address.

ciscoasa# con t
ciscoasa(config)# interface gigabitEthernet 0/0
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 5.5.5.1

When an interface is named “outside”, the ASA automatically assigns the interface a security level of 0. If an interface is named “inside”, it is automatically given a security level of 100.
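
An added example, not code from the original posts: a Python audit of show run interface output that applies the naming rule above together with the security-level defaults seen when the two subinterfaces were created earlier on this page (SubnetTen and SubnetTwenty both came up at 0, the same level as outside, with nothing more than an INFO line to say so). It parses each interface block, then flags named interfaces sitting at security level 0 under a name other than outside, named interfaces that are shut down or have no address, subinterfaces without a VLAN, and groups of interfaces sharing a level, since the ASA drops traffic between same-level interfaces until same-security-traffic permit inter-interface is configured. The sample is a copy of the subinterface post's show run interface output with the two shut-down ports left out.

```python
import re

INTERFACE_RE = re.compile(r"^interface (\S+)$")


def parse_show_run_interface(text: str) -> list:
    """Turn ASA 'show run interface' output into one dict per interface."""
    interfaces, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = INTERFACE_RE.match(line)
        if m:
            name = m.group(1)
            cur = {"name": name, "parent": name.split(".")[0] if "." in name else None,
                   "nameif": None, "security_level": None, "ip": None, "vlan": None,
                   "shutdown": False, "management_only": False}
            interfaces.append(cur)
            continue
        if cur is None:
            continue
        words = line.split()
        if words[0] == "shutdown":
            cur["shutdown"] = True
        elif words[0] == "nameif":
            cur["nameif"] = words[1]
        elif words[0] == "security-level":
            cur["security_level"] = int(words[1])
        elif words[0] == "vlan":
            cur["vlan"] = int(words[1])
        elif words[0] == "management-only":
            cur["management_only"] = True
        elif words[:2] == ["ip", "address"]:
            if words[2] == "dhcp":                       # 'ip address dhcp [setroute]'
                cur["ip"] = ("dhcp", None)
            else:                                        # 'ip address A.B.C.D MASK [standby ...]'
                cur["ip"] = (words[2], words[3] if len(words) > 3 else None)
        # 'no nameif', 'no security-level' and 'no ip address' just leave the defaults above
    return interfaces


def audit(interfaces: list) -> list:
    """Flag interface settings worth a second look before the box goes into production."""
    findings = []
    named = [i for i in interfaces if i["nameif"]]
    for i in named:
        label = f"{i['name']} ({i['nameif']})"
        if i["security_level"] == 0 and i["nameif"] != "outside":
            findings.append(f"{label}: security-level 0, the same trust level as outside; "
                            "if this is the nameif default rather than a choice, set it explicitly")
        if i["shutdown"]:
            findings.append(f"{label}: named but administratively down")
        if i["ip"] is None:
            findings.append(f"{label}: named interface without an IP address")
        if i["parent"] and i["vlan"] is None:
            findings.append(f"{label}: subinterface without a vlan ID")
    by_level = {}
    for i in named:
        if i["security_level"] is not None:
            by_level.setdefault(i["security_level"], []).append(i["nameif"])
    for level, names in sorted(by_level.items()):
        if len(names) > 1:
            findings.append(f"security-level {level} is shared by {', '.join(names)}: the ASA drops traffic "
                            "between them unless 'same-security-traffic permit inter-interface' is configured")
    return findings


# Constructed sample: the subinterface post's 'show run interface' output, minus the shut-down ports.
SAMPLE_SHOW_RUN = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif SubnetTen
 security-level 0
 ip address 10.30.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif SubnetTwenty
 security-level 0
 ip address 10.30.20.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
"""

if __name__ == "__main__":
    for finding in audit(parse_show_run_interface(SAMPLE_SHOW_RUN)):
        print("-", finding)
```

Paste the output of show run interface from your own ASA into SAMPLE_SHOW_RUN to run it against a real config; the parent GigabitEthernet0/1 with no nameif is correctly ignored, since an unnamed interface passes no traffic.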

To view the config on all interfaces, use the show run interface command. To view just one interface, use the show run interface command and specify the interface:

ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.0.0.0

Because I did not specify a subnet mask when I configured the IP address, the interface was automatically assigned a classful subnet mask. I can specify the subnet mask in the ip address command.

ciscoasa(config-if)# ip address 5.5.5.1 255.255.255.0
ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0

When I am ready to bring the interface up, I use the no shutdown command.

ciscoasa(config-if)# no shut
ciscoasa(config-if)# sh ru int g 0/0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0

The show run ip address command shows all interfaces that have IP addresses.

ciscoasa(config-if)# sh ru ip
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 5.5.5.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0

The show ip address command also displays all IP addresses, along with the method used to configure the IP address. (“System IP Addresses” refer to the primary IP addresses used for failover. “Current IP Addresses” are the currently-used IP addresses on the interface(s). So, in an active/standby ASA pair, the active ASA would have the same “System” and “Current” IP addresses. The standby ASA would have different “System” and “Current” IP addresses.)

ciscoasa(config-if)# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   manual
Management0/0            management             192.168.1.1     255.255.255.0   manual

After a write memory and a reload, when you do show ip address, the “Method” on these manually-configured interfaces changes to CONFIG, signifying that they were loaded from the startup config:

ciscoasa# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG

Now a show route command displays the directly-connected route to the 5.5.5.0 subnet.

ciscoasa(config-if)# sh ro

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    5.5.5.0 255.255.255.0 is directly connected, outside
C    127.0.0.0 255.255.0.0 is directly connected, cplane

From the show run interface command, we can see that there is nothing configured on the g 0/1 interface. Let’s set it as a DHCP client and bring it up.

ciscoasa(config-if)# sh ru int g 0/1
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# ip add dhcp
ciscoasa(config-if)# no shut

The show run interface command will show that g 0/1 is a DHCP client, but it will not display the dynamically-assigned IP address on the interface. To view the DHCP IP address, use the show ip address command.

ciscoasa(config-if)# sh ip add
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet0/0       outside                5.5.5.1         255.255.255.0   CONFIG
GigabitEthernet0/1       inside                 10.30.1.101     255.255.255.0   DHCP
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG

Note that the “Method” for g 0/1 is “DHCP”.

You can also display all IP addresses on all interfaces with the show interface ip brief command.

ciscoasa(config-if)# sh int ip b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         5.5.5.1         YES CONFIG up                    up
GigabitEthernet0/1         10.30.1.101     YES DHCP   up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Internal-Control0/0        127.0.1.1       YES unset  up                    up
Internal-Data0/0           unassigned      YES unset  up                    up
Management0/0              192.168.1.1     YES CONFIG down                  down
Virtual254                 unassigned      YES unset  up                    up

Additional Information:

configure factory-default command in the Cisco ASA 8.4 and 8.5 Command Reference.

nameif command in the Cisco ASA 8.4 and 8.5 Command Reference.

security-level command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

ip address dhcp command in the Cisco ASA 8.4 and 8.5 Command Reference.

management-only command in the Cisco ASA 8.4 and 8.5 Command Reference.

shutdown command in the Cisco ASA 8.4 and 8.5 Command Reference.

reload command in the Cisco ASA 8.4 and 8.5 Command Reference.

write memory command in the Cisco ASA 8.4 and 8.5 Command Reference.

show run interface command in the Cisco ASA 8.4 and 8.5 Command Reference.

show run ip address command in the Cisco ASA 8.4 and 8.5 Command Reference.

show interface ip brief command in the Cisco ASA 8.4 and 8.5 Command Reference.

show route command in the Cisco ASA 8.4 and 8.5 Command Reference.