'CISCO' 카테고리의 글 목록

안녕하세요.

오늘은 [2025][C8200][#3] Reset Smart license 대해서 알아보겠습니다.

17.3.2 이상부터는 smart licensing using policy 사용합니다. 장비가 발주가 될때 이미 SV/VA가 등록이 되어서 장비가 전달 됩니다.

SV = KOREA
VA = JAPAN

근데 만약에 고객사에 요청으로 인하여 VA를 USA로 변경해야 한다면, cisco license team에 요청해서 라이센스를 VA =USA 변경 가능 합니다.

하지만 장비를 부팅하고 show license status 하면 아래처럼 표시 됩니다.

Router#show license status
Utility:
  Status: DISABLED

Smart Licensing Using Policy:
  Status: ENABLED

Account Information:
  Smart Account: KOREA
  Virtual Account: JAPAN

이 상태에서 CSSM에서 아래 환경에서 TOKEN를 발급해서 장비에 등록을 해도 정상적으로 동작하지 않습니다.

SA: KOREA

VA: USA

이상태에서 장비에 기존에 있는 SA/VA정보를 초기화 해야 합니다.

Router#license smart factory re
Router#license smart factory reset
%Warning: reload required after "license smart factory reset" command
Router#
Router#
Router#reload
WARNING:

장비가 부팅이 완료 되면 아래처럼 show license status 확인합니다

초기화 되었습니다.

Router#show license status
Utility:
  Status: DISABLED

Smart Licensing Using Policy:
  Status: ENABLED

Account Information:
  Smart Account: <none>
  Virtual Account: <none>

이상태에서 장비를 CSSM에 등록 하면 정상적으로 동작 합니다.

아래처럼 정상적으로 CSSM에 등록 되었습니다.

Router#license smart trust idtoken OGJjMmQwZDgtMWY3Zi00ZTdlLTk1YzctYjRjMzQ0Y all force

Router#
*Mar  4 04:56:30.279: %CRYPTO_ENGINE-5-KEY_DELETED: A key named SLA-KeyPair has been removed from key storage[OK]
*Mar  4 04:56:32.118: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine
*Mar  4 04:56:32.177: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM
*Mar  4 04:56:34.590: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file
*Mar  4 04:56:37.118: %SMART_LIC-6-TRUST_INSTALL_SUCCESS: A new licensing trust code was successfully installed on P:C8200-1N-4T,S:XXXXXX.
Router#
Router#
Router#
Router#

CSSM에서 Event Log를 보면 정상적으로 등록 되었습니다.

저작자표시

'CISCO > 라우팅' 카테고리의 다른 글

[2025][C8200][#2] Register License to CSSM - smart licensing using policy (0)	2025.02.13
[2025][C8200][#1] Router IOS XE upgrade (0)	2025.02.10
[ISR4221]-Performance License Install(PAK) (0)	2024.07.30
[ISR4221]-Cisco Router IOS Upgrade (2)	2024.07.29

안녕하세요.

오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.

토폴로지

DC에 9800WLC가 있습니다.

1. SSID: TEST01

2. TEST01 VLAN110

3. WLC안에서 DHCP기능을 실행 합니다.

Office에서 유저가 TEST01 - AP에 접속 합니다.

유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.

1. WLC VLAN110 설정

Configuration ->Tags & Profiles -> WLANs

2. Click Add버튼

3. 아래처럼 설정 합니다.

Profile Name: TEST01

Status: Enable

Broadcase SSID: Enable

6GHz: Disabled

Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.

테스트 용도이기 때문에 이렇게 설정합니다.

그리고 Save버튼을 클릭 합니다.

4. VLAN 설정

Configuration -> Layer2 -> VLAN

Add버튼을 클릭 합니다.

4. Policy 설정

아래처럼 설정합니다.

아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.

5. TAG설정 - POLICY

Name: TEST01-POLICY-TAG

WLAN: TEST01

PLOICY: TEST01_POLICY

6. TAG 설정 - SITE

Name: TEST_SITE_TAG

아래처럼 설정 합니다.

6. AP에 TAG 설정

7. 설정값을 적용하면 AP가 재부팅이 됩니다.

8. WLC에서 자체 DHCP기능 설정

10. Lookback interface 생성

11. WLAN에서 DHCP Relay Look IP로 설정

WLAN VLAN 110이 DHCP relay로 직접 WLC DHCP 기능으로 IP할당 가능.

10. WLC interface IP주소

WLC01#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1       unassigned      YES unset  up                    up
GigabitEthernet2       unassigned      YES unset  up                    up
GigabitEthernet3       192.168.10.182  YES NVRAM  up                    up
Loopback10             1.1.1.1         YES TFTP   up                    up
Port-channel1          unassigned      YES unset  up                    up
Vlan1                  unassigned      YES NVRAM  up                    up
Vlan100                192.168.100.182 YES NVRAM  up                    up
Vlan110                192.168.110.254 YES NVRAM  up                    up
Vlan120                192.168.120.254 YES NVRAM  up                    up
Vlan130                192.168.130.254 YES NVRAM  up                    up
WLC01#

10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.

11. WLC에서 DHCP Binding 확인

WLC01#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
192.168.110.11  0056.6c31.3130          Mar 01 2025 12:48 PM    Automatic  Selecting  Vlan110
WLC01#

지금까지 [C9800CL][#14]- DHCP - WLC Internal DHCP - option 5 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#13]- DHCP - WLAN DHCP Relay - option4 (0)	2025.03.01
[C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0)	2025.03.01
[C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0)	2025.03.01
[C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0)	2025.03.01
[C9800CL][#9]- WLAN Guest (0)	2024.12.26

안녕하세요.

오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.

토폴로지

DC에 9800WLC가 있습니다.

1. SSID: TEST01

2. TEST01 VLAN110

3. WLC WLAN에서 DHCP Reply를 설정 합니다.

4. WINDOWS 서버 IP주소 192.168.10.224

Office에서 유저가 TEST01 - AP에 접속 합니다.

유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.

1. WLC VLAN110 설정

Configuration ->Tags & Profiles -> WLANs

2. Click Add버튼

3. 아래처럼 설정 합니다.

Profile Name: TEST01

Status: Enable

Broadcase SSID: Enable

6GHz: Disabled

Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.

테스트 용도이기 때문에 이렇게 설정합니다.

그리고 Save버튼을 클릭 합니다.

4. VLAN 설정

Configuration -> Layer2 -> VLAN

Add버튼을 클릭 합니다.

4. Policy 설정

아래처럼 설정합니다.

아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.

5. TAG설정 - POLICY

Name: TEST01-POLICY-TAG

WLAN: TEST01

PLOICY: TEST01_POLICY

6. TAG 설정 - SITE

Name: TEST_SITE_TAG

아래처럼 설정 합니다.

6. AP에 TAG 설정

7. 설정값을 적용하면 AP가 재부팅이 됩니다.

8. WLC WLAN에서 DHCP Rely설정

9. 서버 IP주소 확인

윈도우서버에서 DHCP 서버 설정

10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.

11. 서에서 DHCP Binding 확인

지금까지 [C9800CL][#13]- DHCP - option4 - WLAN DHCP Relay 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#14]- DHCP - WLC Internal DHCP - option 5 (0)	2025.03.01
[C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0)	2025.03.01
[C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0)	2025.03.01
[C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0)	2025.03.01
[C9800CL][#9]- WLAN Guest (0)	2024.12.26

안녕하세요.

오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.

토폴로지

DC에 9800WLC가 있습니다.

1. SSID: TEST01

2. TEST01 VLAN110

3. DC 백본 스위치에서 INT VLAN110 - DHCP Rely설정

4. WINDOWS 서버 IP주소 192.168.10.224

Office에서 유저가 TEST01 - AP에 접속 합니다.

유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.

1. WLC VLAN110 설정

Configuration ->Tags & Profiles -> WLANs

2. Click Add버튼

3. 아래처럼 설정 합니다.

Profile Name: TEST01

Status: Enable

Broadcase SSID: Enable

6GHz: Disabled

Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.

테스트 용도이기 때문에 이렇게 설정합니다.

그리고 Save버튼을 클릭 합니다.

4. VLAN 설정

Configuration -> Layer2 -> VLAN

Add버튼을 클릭 합니다.

4. Policy 설정

아래처럼 설정합니다.

아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.

5. TAG설정 - POLICY

Name: TEST01-POLICY-TAG

WLAN: TEST01

PLOICY: TEST01_POLICY

6. TAG 설정 - SITE

Name: TEST_SITE_TAG

아래처럼 설정 합니다.

6. AP에 TAG 설정

7. 설정값을 적용하면 AP가 재부팅이 됩니다.

8. WLC VLAN110에 대해서 DHCP Rely설정

9. 서버 IP주소 확인

윈도우서버에서 DHCP 서버 설정

10. 백본 스위치에서 DHCP Relay 설정

interface Vlan110
ip address 192.168.110.1 255.255.255.0
ip helper-address 192.168.10.224

11. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.

11. 서에서 DHCP Binding 확인

지금까지 [C9800CL][#12]- DHCP - option3 - SW dhcp Relay 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#14]- DHCP - WLC Internal DHCP - option 5 (0)	2025.03.01
[C9800CL][#13]- DHCP - WLAN DHCP Relay - option4 (0)	2025.03.01
[C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0)	2025.03.01
[C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0)	2025.03.01
[C9800CL][#9]- WLAN Guest (0)	2024.12.26

안녕하세요.

오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.

토폴로지

DC에 9800WLC가 있습니다.

1. SSID: TEST01

2. TEST01 VLAN110

3. WLC SVI에서 DHCP Relay를 설정 합니다.

4. WINDOWS 서버 IP주소 192.168.10.224

Office에서 유저가 TEST01 - AP에 접속 합니다.

유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.

1. WLC VLAN110 설정

Configuration ->Tags & Profiles -> WLANs

2. Click Add버튼

3. 아래처럼 설정 합니다.

Profile Name: TEST01

Status: Enable

Broadcase SSID: Enable

6GHz: Disabled

Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.

테스트 용도이기 때문에 이렇게 설정합니다.

그리고 Save버튼을 클릭 합니다.

4. VLAN 설정

Configuration -> Layer2 -> VLAN

Add버튼을 클릭 합니다.

4. Policy 설정

아래처럼 설정합니다.

아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.

5. TAG설정 - POLICY

Name: TEST01-POLICY-TAG

WLAN: TEST01

PLOICY: TEST01_POLICY

6. TAG 설정 - SITE

Name: TEST_SITE_TAG

아래처럼 설정 합니다.

6. AP에 TAG 설정

7. 설정값을 적용하면 AP가 재부팅이 됩니다.

8. WLC VLAN110에 대해서 DHCP Rely설정

9. 서버 IP주소 확인

윈도우서버에서 DHCP 서버 설정

10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.

11. 서에서 DHCP Binding 확인

지금까지 [C9800CL][#11]- DHCP Relay (SVI) - Option2 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#13]- DHCP - WLAN DHCP Relay - option4 (0)	2025.03.01
[C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0)	2025.03.01
[C9800CL][#10]- DHCP Bridging - BackBone SW DHCP - Option1 (0)	2025.03.01
[C9800CL][#9]- WLAN Guest (0)	2024.12.26
[C9800CL][#8]- Data Interface Redundancy - Port Channel (0)	2024.12.25

안녕하세요.

오늘은 C9800 WLC DHCP에 대해서 알아보겠습니다.

토폴로지

DC에 9800WLC가 있습니다.

1. SSID: TEST01

2. TEST01 VLAN110

3. DC 백본 스위치에서 DHCP 기능을 활성화 합니다.

Office에서 유저가 TEST01 - AP에 접속 합니다.

유저 노트북에서 DC에 있는 백본 스위치에서 IP주소를 받습니다.

1. WLC VLAN110 설정

Configuration ->Tags & Profiles -> WLANs

2. Click Add버튼

3. 아래처럼 설정 합니다.

Profile Name: TEST01

Status: Enable

Broadcase SSID: Enable

6GHz: Disabled

Security -> Layter2 -> None를 설정해서 SSID 패스워드 없이 접속 가능 하게 합니다.

테스트 용도이기 때문에 이렇게 설정합니다.

그리고 Save버튼을 클릭 합니다.

4. VLAN 설정

Configuration -> Layer2 -> VLAN

Add버튼을 클릭 합니다.

4. Policy 설정

아래처럼 설정합니다.

아래처럼 VLAN를 설정하고 나머지를 디폴트 값으로 두고 SAVE버튼을 클릭 합니다.

5. TAG설정 - POLICY

Name: TEST01-POLICY-TAG

WLAN: TEST01

PLOICY: TEST01_POLICY

6. TAG 설정 - SITE

Name: TEST_SITE_TAG

아래처럼 설정 합니다.

6. AP에 TAG 설정

7. 설정값을 적용하면 AP가 재부팅이 됩니다.

8. DC SWITCH에서 DHCP 설정

DHCP
ip dhcp excluded-address 192.168.110.1 192.168.110.230
!
ip dhcp pool VL110
network 192.168.110.0 255.255.255.0
default-router 192.168.110.1
dns-server 8.8.8.8
!
VLAN 110
!
Int vlan 110
ip add 192.168.110.1 255.255.255.0
no shutdown

9. DHCP Binding 확인

SW01#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
SW01#

10. Client 에서 TEST01를 접속하고 IP주소를 확 합니다.

11. DC BackBone Swtich에서 DHCP Binding 확인

SW01#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
192.168.110.239 011e.e792.411c.f0       Mar 02 2025 06:56 AM    Automatic  Active     Vlan110
SW01#

SW01#ping 192.168.110.239
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.110.239, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/19/48 ms
SW01#

지금까지 [C9800CL][#10]- DHCP Bridging - Option1 - BackBone SW DHCP 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 무선' 카테고리의 다른 글

[C9800CL][#12]- DHCP Relay (SVI) on Switch - option3 (0)	2025.03.01
[C9800CL][#11]- DHCP Relay (SVI) on WLC - Option2 (0)	2025.03.01
[C9800CL][#9]- WLAN Guest (0)	2024.12.26
[C9800CL][#8]- Data Interface Redundancy - Port Channel (0)	2024.12.25
[C9800CL][#7]- AP authentication - AP MAC on WLC (0)	2024.12.25

안녕하세요.

오늘은 C8200라우터는 smart licensing using policy 모드를 사용 합니다.

IOS XE버전별로 License 동작하는 방식이 다릅니다.

IOS XE Release	Platform Requirements	CUBE Licensing
16.6.1 to 16.9.x	Smart Licensing mode is optional	RTU licensing only
16.10.x	Smart Licensing mode only	RTU licensing only
16.11.1a to 17.1.x	Smart Licensing mode only Continued registration is required to enable CUBE features	Smart Licensing only* Trunk license requests are set by manual configuration No license policing if out of compliance SIP processing disabled in the 'Eval-Expired' state
17.2.1r to 17.3.1a	Smart Licensing mode only Continued registration is required in order to enable CUBE features	Smart Licensing only* Trunk license requests are set dynamically by usage No license policing if out of compliance SIP processing disabled in the 'Eval-Expired' state
17.3.2 onwards	Smart Licensing with the use of Policy mode only License use must be reported within the account policy to enable CUBE features	Smart Licensing only* Trunk license use is measured periodically and reported as per the Smart Account policy In accordance with policy, license policing reports are not acknowledged (SIP processing is disabled otherwise)

Step Summary

conf t

license boot level network-essentials

interface GigabitEthernet 0/0/0

ip add [IP address] [subnet] or ip add dhcp

no shutdown

exit

ip name-server 8.8.8.8

ip domain lookup source-interface GigabitEthernet 0/0/0

ip http client source-interface GigabitEthernet 0/0/0

license smart transport smart

license smart url default

ip route 0.0.0.0 0.0.0.0 [nexthop] if dhcp no need ip route command

end

show run

show ip int brie

show ip route

확인 후 저장 그리고 재부팅

write memory

reload

1. show version를 통해서 IOS XE버전을 확인 합니다.

2. 기본 설정을 합니다.

conf t
license boot level network-essentials
interface GigabitEthernet 0/0/0
ip add dhcp
no shutdown
exit
ip name-server 8.8.8.8
ip domain lookup source-interface GigabitEthernet 0/0/0
ip http client source-interface GigabitEthernet 0/0/0
license smart transport smart
license smart url default

3. 인터페이스 상태 확인 라우팅 상태 확인

그리고 외부 통신 확인

Router#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   172.20.10.3     YES DHCP   up                    up
GigabitEthernet0/0/1   unassigned      YES unset  administratively down down
GigabitEthernet0/0/2   unassigned      YES unset  administratively down down
GigabitEthernet0/0/3   unassigned      YES unset  administratively down down

Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
       n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       H - NHRP, G - NHRP registered, g - NHRP registration summary
       o - ODR, P - periodic downloaded static route, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR
       & - replicated local route overrides by connected

Gateway of last resort is 172.20.10.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 172.20.10.1
      172.20.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.20.10.0/28 is directly connected, GigabitEthernet0/0/0
L        172.20.10.3/32 is directly connected, GigabitEthernet0/0/0
Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!

4. 저장후 재부팅

wr
reload

5. Cisco CSSM에서 Idtoken를 생성 합니다.

cisco CSSM에서 Idtoken를 복사합니다.

ODVkNDkyYmUtNzc4MS00OWZiLWEzMzMtZTY2YmZhYTQxNjA5LTE3NDEzMzc2%0AMDYzNzN8L0pjaVh0K09pT3J1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

license smart trust idtoken ODVkNDkyYmUtNzc4MS00OWZiLWEzMzMtZTY2YmZhYTQxNjA5LTE3NDEzMzc2%0AMDYzNzN8L0pjaVh0K09pT3J1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX all force　

Router#
*Feb 13 01:38:52.352: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair has been generated or imported by crypto-engine
*Feb 13 01:38:52.414: %PKI-6-CONFIGAUTOSAVE: Running configuration saved to NVRAM[OK]
*Feb 13 01:38:55.470: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file
*Feb 13 01:38:55.493: %CRYPTO_SL_TP_LEVELS-6-VAR_NEW_VALUE: Setting crypto bidir throughput to: 10000 kbps
*Feb 13 01:38:58.298: %SMART_LIC-6-TRUST_INSTALL_SUCCESS: A new licensing trust code was successfully installed on P:C8200L-1N-4T,XXXXXXXXXXX
Router#

정상적으로 등록 되면 위에처럼 표시 됩니다.

6. License를 확인 합니다.

아래처럼 SA/VA에 고객사 정보가 확인 되면 정상적으로 등록 된것입니다.

Router#show license summary
Account Information:
  Smart Account: 고객사 정보 확인 가능
  Virtual Account: XXXXX

License Usage:
  License                 Entitlement Tag               Count Status
  -----------------------------------------------------------------------------
  network-essentials_10M  (ESR_P_10M_E)                     1 IN USE
  Router US Export Lic... (DNA_HSEC)                        0 NOT IN USE

또는 아래 명령어도 주로 사용 됩니다.

Router#show license status
Utility:
  Status: DISABLED

Smart Licensing Using Policy:
  Status: ENABLED

Account Information:
  Smart Account: 고객사 정보
  Virtual Account: XXXXX

Data Privacy:
  Sending Hostname: yes
    Callhome hostname privacy: DISABLED
    Smart Licensing hostname privacy: DISABLED
  Version privacy: DISABLED

Transport:
  Type: Smart
  URL: https://smartreceiver.cisco.com/licservice/license
  Proxy:
    Not Configured
  VRF: <empty>

Policy:
  Policy in use: Merged from multiple sources.
  Reporting ACK required: yes (CISCO default)
  Unenforced/Non-Export Perpetual Attributes:
    First report requirement (days): 365 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Unenforced/Non-Export Subscription Attributes:
    First report requirement (days): 90 (CISCO default)
    Reporting frequency (days): 90 (CISCO default)
    Report on change (days): 90 (CISCO default)
  Enforced (Perpetual/Subscription) License Attributes:
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 0 (CISCO default)
  Export (Perpetual/Subscription) License Attributes:
    First report requirement (days): 0 (CISCO default)
    Reporting frequency (days): 0 (CISCO default)
    Report on change (days): 0 (CISCO default)

Miscellaneous:
  Custom Id: <empty>

Usage Reporting:
  Last ACK received: <none>
  Next ACK deadline: Feb 13 01:31:19 2026 UTC
  Reporting push interval: 0 (no reporting)
  Next ACK push check: Feb 13 02:09:10 2025 UTC
  Next report push: <none>
  Last report push: Feb 13 01:39:08 2025 UTC
  Last report file write: <none>

Trust Code Installed: Feb 13 01:38:58 2025 UTC

Router#

지금까지 [2025][C8200][#2] Register License to CSSM - smart licensing using policy 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 라우팅' 카테고리의 다른 글

[2025][C8200][#3] Reset Smart license (0)	2025.03.04
[2025][C8200][#1] Router IOS XE upgrade (0)	2025.02.10
[ISR4221]-Performance License Install(PAK) (0)	2024.07.30
[ISR4221]-Cisco Router IOS Upgrade (2)	2024.07.29

안녕하세요.

오늘은 C8200L Router IOS XE를 업그레이드를 해보겠습니다.

1. 현재 장비에서 show version를 통해서 version를 확인 합니다.

Router#show version
Cisco IOS XE Software, Version 17.06.06a
Cisco IOS Software [Bengaluru], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.6a, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.
Compiled Fri 20-Oct-23 18:26 by mcpre

2. cisco 홈페이지에서 현재 시점에서 8200 router ios xe 추천 버전을 확인 합니다.

3. 파일을 다운로드 받고 파일을 USB에 복사합니다.

4. MD5 Checksum를 확인 합니다. 추후에 파일을 라우터에 복사하고 MD5 Checksum를 이용해서 파일이 잘 복사 되었는지 확인합니다. 만약에 파일이 깨진 상태에서 Upgrdae 업그레이드 하면 Upgrade가 Failed하고 Rommon mode로 빠질수 있습니다. 꼭 업그레이드 또는 다운그레이드 전에 파일 복사 후 MD5 체크섬을 확인 합니다.

C8200 라우터 Firmware Install 방식은 2가지가 있습니다.

1. ios xe file를 파일로 복사하고 boot config를 통해서 부팅 시키는 방법

2. install mode로 펌웨어를 설치하는 방법

현재 라우터 install mode인지 레거시 모드인지 확인하는 방법

아래처럼 표시 되면 install mode입니다.

Router#show install summary
[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    17.06.06a.0.6

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Router#

또는 Bin 파일이 없고, Package 파일만 보이면 install mode입니다.

Router#dir flash:
Directory of bootflash:/

429089  drwx            57344  Feb 10 2025 05:32:00 +00:00  tracelogs
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
412897  drwx             4096  Feb 10 2025 05:19:23 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 05:18:46 +00:00  throughput_monitor_params
24292   -rw-           134899  Feb 10 2025 05:18:40 +00:00  memleak.tcl
24290   -rw-             1092  Feb 10 2025 05:18:09 +00:00  mode_event_log
89057   drwx             4096  Feb 10 2025 05:17:48 +00:00  .installer
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
226689  drwx             4096  Aug 26 2024 16:49:41 +00:00  .prst_sync
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
420993  drwx             4096  Aug 26 2024 16:31:49 +00:00  .rollback_timer
291458  -rw-             9338  Aug 26 2024 16:28:08 +00:00  packages.conf
291478  -rw-         43301928  Aug 26 2024 16:28:08 +00:00  c8000be-rpboot.17.06.06a.SPA.pkg
291477  -rw-        623141956  Aug 26 2024 16:27:18 +00:00  c8000be-mono-universalk9.17.06.06a.SPA.pkg
291476  -rw-           156728  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
291475  -rw-          2094136  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
291474  -rw-         14259252  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_async.17.06.06a.SPA.pkg
291473  -rw-         11093044  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
291472  -rw-          2475056  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
291471  -rw-         10253360  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_prince.17.06.06a.SPA.pkg
291470  -rw-          5571636  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
291469  -rw-          5334068  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
291468  -rw-         11523124  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
291467  -rw-          2966576  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
291466  -rw-         17646644  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
291465  -rw-          4793400  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
291464  -rw-         12870708  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_async.17.06.06a.SPA.pkg
291463  -rw-         11310132  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
291462  -rw-         18342964  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
291461  -rw-          1963060  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
291460  -rw-          6681656  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
291459  -rw-            54324  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
340033  drwx             4096  Aug 26 2024 16:19:03 +00:00  ss_disc
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

7361155072 bytes total (6161752064 bytes free)
Router#

그럼 Firmware Upgrade를 합니다.

1. USB를 C8200 Router에 연결 합니다.

아래처럼 로그가 발생하면 정상적으로 usb가 인식 되었습니다.

Router#
*Feb 10 05:34:02.622: %IOSD_INFRA-6-IFS_DEVICE_OIR: Device usb0 added

Router#dir usb0:/TC_8200
Directory of usb0:/TC_8200/

819 -rwx 859360566 Feb 10 2025 12:36:56 +00:00 c8000be-universalk9.17.09.05e.SPA.bin

2. 파일 복사하기

Router#copy usb0:/TC_8200/c8000be-universalk9.17.09.05e.SPA.bin flash:
Destination filename [c8000be-universalk9.17.09.05e.SPA.bin]?
Copy in progress...CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
859360566 bytes copied in 40.479 secs (21229787 bytes/sec)
Router#

파일 확인하기

아래 c8000be-universalk9.17.09.05e.SPA.bin 복사 되었습니다.

Router#dir flash:
Directory of bootflash:/

429089  drwx            57344  Feb 10 2025 06:07:00 +00:00  tracelogs
13      -rw-        859360566  Feb 10 2025 06:06:59 +00:00  c8000be-universalk9.17.09.05e.SPA.bin
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
412897  drwx             4096  Feb 10 2025 05:19:23 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 05:18:46 +00:00  throughput_monitor_params
24292   -rw-           134899  Feb 10 2025 05:18:40 +00:00  memleak.tcl
24290   -rw-             1092  Feb 10 2025 05:18:09 +00:00  mode_event_log
89057   drwx             4096  Feb 10 2025 05:17:48 +00:00  .installer
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
226689  drwx             4096  Aug 26 2024 16:49:41 +00:00  .prst_sync
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
420993  drwx             4096  Aug 26 2024 16:31:49 +00:00  .rollback_timer
291458  -rw-             9338  Aug 26 2024 16:28:08 +00:00  packages.conf
291478  -rw-         43301928  Aug 26 2024 16:28:08 +00:00  c8000be-rpboot.17.06.06a.SPA.pkg
291477  -rw-        623141956  Aug 26 2024 16:27:18 +00:00  c8000be-mono-universalk9.17.06.06a.SPA.pkg
291476  -rw-           156728  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
291475  -rw-          2094136  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
291474  -rw-         14259252  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_async.17.06.06a.SPA.pkg
291473  -rw-         11093044  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
291472  -rw-          2475056  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
291471  -rw-         10253360  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_prince.17.06.06a.SPA.pkg
291470  -rw-          5571636  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
291469  -rw-          5334068  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
291468  -rw-         11523124  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
291467  -rw-          2966576  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
291466  -rw-         17646644  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
291465  -rw-          4793400  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
291464  -rw-         12870708  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_async.17.06.06a.SPA.pkg
291463  -rw-         11310132  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
291462  -rw-         18342964  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
291461  -rw-          1963060  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
291460  -rw-          6681656  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
291459  -rw-            54324  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
340033  drwx             4096  Aug 26 2024 16:19:03 +00:00  ss_disc
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

7361155072 bytes total (5311582208 bytes free)
Router#

3. MD5 Checksum 확인

789f0f212ccd155b8aef19ce93c8476e

Router#verify /md5 flash:/c8000be-universalk9.17.09.05e.SPA.bin
.............................................................................................................................................................................................
.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................Done!
verify /md5 (bootflash:/c8000be-universalk9.17.09.05e.SPA.bin) = 789f0f212ccd155b8aef19ce93c8476e

Router#

파일이 잘 복사 되었습니다.

4. 이제 새로운 ios xe를 설치 합니다.

SUMMARY STEPS

enable
install add file location: filename
show install summary
install activate [auto-abort-timer <time>]
install abort
install commit
install rollback to committed
install remove {file filesystem: filename | inactive}
show install summary
exit

install add file flash:c8000be-universalk9.17.09.05e.SPA.bin activate commit

System configuration has been modified.
Press Yes(y) to save the configuration and proceed.
Press No(n) for proceeding without saving the configuration.
Press Quit(q) to exit, you may save configuration and re-enter the command. [y/n/q] y
Building configuration...
[OK]Modified configuration has been saved

*Feb 10 06:15:04.641: %SYS-6-PRIVCFG_ENCRYPT_SUCCESS: Successfully encrypted private config file
*Feb 10 06:15:05.160: %INSTALL-5-INSTALL_START_INFO: R0/0: install_engine: Started install one-shot bootflash:c8000be-universalk9.17.09.05e.SPA.bininstall_add_activate_commit: Adding PACKAGE
install_add_activate_commit: Checking whether new add is allowed ....

--- Starting Add ---
Performing Add on Active/Standby
  [1] Add package(s) on R0
  [1] Finished Add on R0
Checking status of Add on [R0]
Add: Passed on [R0]
Finished Add

Image added. Version: 17.09.05e.0.80
install_add_activate_commit: Activating PACKAGE

*Feb 10 06:19:52.040: %EVENTLIB-3-CPUHOG: C0/0: iomd: uipeer downlink listener: 1520ms, Traceback=1#150f3a63e6e344df147a5440723734c6  evlib:7F79718AB000+A1D6 c:7F793381E000+3B3B0 ld-linux-x86-64:7F7983E83000+A974 ld-linux-x86-64:7F7983E83000+B4C5 ld-linux-x86-64:7F7983E83000+10085 ld-linux-x86-64:7F7983E83000+16BCA bipc:7F7972F08000+A381 bipc:7F7972F08000+412F uipeer:7F79739AB000+1EF7C evlib:7F79718AB000+8E16 evlib:7F79718AB000+9B60Following packages shall be activated:
/bootflash/c8000be-rpboot.17.09.05e.SPA.pkg
/bootflash/c8000be-mono-universalk9.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_async.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_sm_10g.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_prince.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_ge.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_nim_async.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg
/bootflash/c8000be-firmware_dreamliner.17.09.05e.SPA.pkg

This operation may require a reload of the system. Do you want to proceed? [y/n] y
--- Starting Activate ---
Performing Activate on Active/Standby

재부팅이 완료 될때까지 기다립니다.

5. Version 확인

Router# show install summary
[ R0 ] Installed Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
            C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type  St   Filename/Version
--------------------------------------------------------------------------------
IMG   C    17.09.05e.0.80

--------------------------------------------------------------------------------
Auto abort timer: inactive
--------------------------------------------------------------------------------

Router#

6. 기존에 Package가 Flash:에 존재 합니다. 필요없는 파일은 삭제합니다.

Router#dir flash:
Directory of bootflash:/

89057   drwx             4096  Feb 10 2025 06:29:40 +00:00  .installer
412897  drwx             4096  Feb 10 2025 06:28:09 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 06:28:09 +00:00  throughput_monitor_params
24292   -rw-           137940  Feb 10 2025 06:28:05 +00:00  memleak.tcl
226689  drwx             4096  Feb 10 2025 06:27:59 +00:00  .prst_sync
24289   -rw-             1939  Feb 10 2025 06:27:50 +00:00  trustidrootx3_ca_062035.ca
24290   -rwx             1274  Feb 10 2025 06:27:45 +00:00  mode_event_log
429089  drwx            57344  Feb 10 2025 06:27:42 +00:00  tracelogs
64769   drwx             4096  Feb 10 2025 06:27:04 +00:00  SHARED-IOX
420993  drwx             4096  Feb 10 2025 06:25:25 +00:00  .rollback_timer
16      -rw-             9330  Feb 10 2025 06:24:28 +00:00  packages.conf
404802  -rw-             9330  Feb 10 2025 06:18:05 +00:00  c8000be-universalk9.17.09.05e.SPA.conf
226691  -rw-         38283450  Feb 10 2025 06:18:05 +00:00  c8000be-rpboot.17.09.05e.SPA.pkg
404821  -rw-        679469056  Feb 10 2025 06:17:20 +00:00  c8000be-mono-universalk9.17.09.05e.SPA.pkg
404820  -rw-           167936  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg
404819  -rw-          2138112  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg
404818  -rw-         14557184  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_async.17.09.05e.SPA.pkg
404817  -rw-         11366400  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg
404816  -rw-          2535424  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_10g.17.09.05e.SPA.pkg
404815  -rw-         10432512  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_prince.17.09.05e.SPA.pkg
404814  -rw-          5677056  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg
404813  -rw-          5431296  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg
404812  -rw-         11714560  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg
404811  -rw-          2994176  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_ge.17.09.05e.SPA.pkg
404810  -rw-         17960960  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg
404809  -rw-          4894720  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg
404808  -rw-         13139968  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_async.17.09.05e.SPA.pkg
404807  -rw-         11497472  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg
404806  -rw-         18649088  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg
404805  -rw-          2007040  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg
404804  -rw-          6799360  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg
404803  -rw-            65536  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dreamliner.17.09.05e.SPA.pkg
13      -rw-        859360566  Feb 10 2025 06:06:59 +00:00  c8000be-universalk9.17.09.05e.SPA.bin
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
291478  -rw-         43301928  Aug 26 2024 16:28:08 +00:00  c8000be-rpboot.17.06.06a.SPA.pkg
291477  -rw-        623141956  Aug 26 2024 16:27:18 +00:00  c8000be-mono-universalk9.17.06.06a.SPA.pkg
291476  -rw-           156728  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
291475  -rw-          2094136  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
291474  -rw-         14259252  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_async.17.06.06a.SPA.pkg
291473  -rw-         11093044  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
291472  -rw-          2475056  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
291471  -rw-         10253360  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_prince.17.06.06a.SPA.pkg
291470  -rw-          5571636  Aug 26 2024 16:27:07 +00:00  c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
291469  -rw-          5334068  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
291468  -rw-         11523124  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
291467  -rw-          2966576  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
291466  -rw-         17646644  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
291465  -rw-          4793400  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
291464  -rw-         12870708  Aug 26 2024 16:27:06 +00:00  c8000be-firmware_nim_async.17.06.06a.SPA.pkg
291463  -rw-         11310132  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
291462  -rw-         18342964  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
291461  -rw-          1963060  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
291460  -rw-          6681656  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
291459  -rw-            54324  Aug 26 2024 16:27:05 +00:00  c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

Router#install remove inactive
install_remove: START Mon Feb 10 06:34:40 UTC 2025
install_remove: Removing IMG
Cleaning up unnecessary package files
No path specified, will use booted path /bootflash/packages.conf

Cleaning /bootflash
  Scanning boot directory for packages ... done.
  Preparing packages list to delete ...
    [R0]: /bootflash/packages.conf File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dreamliner.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_async.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_ge.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_prince.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_10g.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_async.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-mono-universalk9.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-rpboot.17.09.05e.SPA.pkg File is in use, will not delete.
    [R0]: /bootflash/c8000be-universalk9.17.09.05e.SPA.conf File is in use, will not delete.

The following files will be deleted:
    [R0]: /bootflash/c8000be-firmware_dreamliner.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_async.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_ge.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_prince.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_10g.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_async.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-mono-universalk9.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-rpboot.17.06.06a.SPA.pkg
    [R0]: /bootflash/c8000be-universalk9.17.09.05e.SPA.bin

Do you want to remove the above files?
                                      *Feb 10 06:34:40.411: %INSTALL-5-INSTALL_START_INFO: R0/0: install_mgr: Started install remove [y/n]y

Deleting file /bootflash/c8000be-firmware_dreamliner.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_dsp_analogbri.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_dsp_sp2700.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_dsp_tilegx.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_ngwic_t1e1.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_async.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_bri_st_fw.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_cwan.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_ge.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_shdsl.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_ssd.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_nim_xdsl.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_prince.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_10g.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_1t3e3.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_async.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_dsp_sp2700.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-firmware_sm_nim_adpt.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-mono-universalk9.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-rpboot.17.06.06a.SPA.pkg ... done.
Deleting file /bootflash/c8000be-universalk9.17.09.05e.SPA.bin ... done.
SUCCESS: Files deleted.

--- Starting Post_Remove_Cleanup ---
Performing REMOVE_POSTCHECK on all members
Finished Post_Remove_Cleanup
SUCCESS: install_remove Mon Feb 10 06:35:12 UTC 2025

Router#
*Feb 10 06:35:12.911: %INSTALL-5-INSTALL_COMPLETED_INFO: R0/0: install_mgr: Completed install remove
Router#
Router#
Router#
Router#
Router#
Router#
Router#
Router#dir flash:
Directory of bootflash:/

89057   drwx             4096  Feb 10 2025 06:35:13 +00:00  .installer
412897  drwx             4096  Feb 10 2025 06:28:09 +00:00  license_evlog
24295   -rw-               30  Feb 10 2025 06:28:09 +00:00  throughput_monitor_params
24292   -rw-           137940  Feb 10 2025 06:28:05 +00:00  memleak.tcl
226689  drwx             4096  Feb 10 2025 06:27:59 +00:00  .prst_sync
24289   -rw-             1939  Feb 10 2025 06:27:50 +00:00  trustidrootx3_ca_062035.ca
24290   -rwx             1274  Feb 10 2025 06:27:45 +00:00  mode_event_log
429089  drwx            57344  Feb 10 2025 06:27:42 +00:00  tracelogs
64769   drwx             4096  Feb 10 2025 06:27:04 +00:00  SHARED-IOX
420993  drwx             4096  Feb 10 2025 06:25:25 +00:00  .rollback_timer
16      -rw-             9330  Feb 10 2025 06:24:28 +00:00  packages.conf
404802  -rw-             9330  Feb 10 2025 06:18:05 +00:00  c8000be-universalk9.17.09.05e.SPA.conf
226691  -rw-         38283450  Feb 10 2025 06:18:05 +00:00  c8000be-rpboot.17.09.05e.SPA.pkg
404821  -rw-        679469056  Feb 10 2025 06:17:20 +00:00  c8000be-mono-universalk9.17.09.05e.SPA.pkg
404820  -rw-           167936  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_nim_adpt.17.09.05e.SPA.pkg
404819  -rw-          2138112  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_dsp_sp2700.17.09.05e.SPA.pkg
404818  -rw-         14557184  Feb 10 2025 06:17:08 +00:00  c8000be-firmware_sm_async.17.09.05e.SPA.pkg
404817  -rw-         11366400  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_1t3e3.17.09.05e.SPA.pkg
404816  -rw-          2535424  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_sm_10g.17.09.05e.SPA.pkg
404815  -rw-         10432512  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_prince.17.09.05e.SPA.pkg
404814  -rw-          5677056  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_xdsl.17.09.05e.SPA.pkg
404813  -rw-          5431296  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_ssd.17.09.05e.SPA.pkg
404812  -rw-         11714560  Feb 10 2025 06:17:07 +00:00  c8000be-firmware_nim_shdsl.17.09.05e.SPA.pkg
404811  -rw-          2994176  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_ge.17.09.05e.SPA.pkg
404810  -rw-         17960960  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_cwan.17.09.05e.SPA.pkg
404809  -rw-          4894720  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_bri_st_fw.17.09.05e.SPA.pkg
404808  -rw-         13139968  Feb 10 2025 06:17:06 +00:00  c8000be-firmware_nim_async.17.09.05e.SPA.pkg
404807  -rw-         11497472  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_ngwic_t1e1.17.09.05e.SPA.pkg
404806  -rw-         18649088  Feb 10 2025 06:17:05 +00:00  c8000be-firmware_dsp_tilegx.17.09.05e.SPA.pkg
404805  -rw-          2007040  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_sp2700.17.09.05e.SPA.pkg
404804  -rw-          6799360  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dsp_analogbri.17.09.05e.SPA.pkg
404803  -rw-            65536  Feb 10 2025 06:17:04 +00:00  c8000be-firmware_dreamliner.17.09.05e.SPA.pkg
267169  drwx             4096  Feb 10 2025 05:19:36 +00:00  pnp-tech
11      -rw-              248  Feb 10 2025 05:19:29 +00:00  .iox_dir_list
12      drwx             4096  Feb 10 2025 04:29:43 +00:00  lost+found
275265  drwx             4096  Aug 26 2024 16:42:04 +00:00  .dbpersist
437185  drwx             4096  Aug 26 2024 16:33:30 +00:00  sysboot
186209  drwx             4096  Aug 26 2024 16:20:23 +00:00  iox_host_data_share
364321  drwx             4096  Aug 26 2024 16:20:17 +00:00  core
210497  drwx             4096  Aug 26 2024 16:20:02 +00:00  guest-share
170017  drwx             4096  Aug 26 2024 16:19:55 +00:00  onep
129537  drwx             4096  Aug 26 2024 16:19:54 +00:00  pnp-info
121441  drwx             4096  Aug 26 2024 16:19:23 +00:00  virtual-instance
24294   -rw-             1923  Aug 26 2024 16:19:18 +00:00  trustidrootx3_ca_092024.ca
24293   -rw-            20109  Aug 26 2024 16:19:18 +00:00  ios_core.p7b
24291   -rw-          5242880  Aug 26 2024 16:19:03 +00:00  ssd
307649  drwx             4096  Aug 26 2024 16:18:49 +00:00  .ssh

7361155072 bytes total (6116417536 bytes free)
Router#

show version

Router#               show version
Cisco IOS XE Software, Version 17.09.05e
Cisco IOS Software [Cupertino], c8000be Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.9.5e, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2024 by Cisco Systems, Inc.
Compiled Thu 12-Dec-24 19:05 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2024 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: 17.6(8.1r)

Router uptime is 9 minutes
Uptime for this control processor is 9 minutes
System returned to ROM by Reload Command
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Technology Package License Information:

-----------------------------------------------------------------
Technology     Type         Technology-package Technology-package
                            Current            Next Reboot
-----------------------------------------------------------------
Smart License  Perpetual    None               None
Smart License  Subscription None               None

The current crypto throughput level is 250000 kbps

Smart Licensing Status: Smart Licensing Using Policy

cisco C8200L-1N-4T (1RU) processor with 1653598K/6147K bytes of memory.
Processor board ID FGL2835L17V
Router operating mode: Autonomous
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7245823K bytes of flash memory at bootflash:.

Configuration register is 0x2102

Router#

다시 한번 재부팅해서 제대로 부팅되는지 확인합니다.

Router#reload
Proceed with reload? [confirm]

*Feb 10 06:37:38.872: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

정상적으로 부팅이 잘 됩니다.

지금까지 [2025][C8200] Router IOS XE upgrade 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > 라우팅' 카테고리의 다른 글

[2025][C8200][#3] Reset Smart license (0)	2025.03.04
[2025][C8200][#2] Register License to CSSM - smart licensing using policy (0)	2025.02.13
[ISR4221]-Performance License Install(PAK) (0)	2024.07.30
[ISR4221]-Cisco Router IOS Upgrade (2)	2024.07.29

안녕하세요.

오늘은 Cisco License Type에 대해서 알아보겠습니다.

Traditional - PAK

Smart License Mode -

Smart License use Policy Mode -

IOS 버전에 따라서 지원하는 모드가 다릅니다.

Smart Licensing Requirements by Release

The support for Smart Licensing started with Cisco IOS XE 16.10.1. In the Cisco IOS XE 17.3.2 and 17.4.1, support to a simplified method for Smart Licensing with the use of Policies mode only License was started.

IOS XE Release	Platform Requirements	CUBE Licensing
16.6.1 to 16.9.x	Smart Licensing mode is optional	RTU licensing only
16.10.x	Smart Licensing mode only	RTU licensing only
16.11.1a to 17.1.x	Smart Licensing mode only Continued registration is required to enable CUBE features	Smart Licensing only* Trunk license requests are set by manual configuration No license policing if out of compliance SIP processing disabled in the 'Eval-Expired' state
17.2.1r to 17.3.1a	Smart Licensing mode only Continued registration is required in order to enable CUBE features	Smart Licensing only* Trunk license requests are set dynamically by usage No license policing if out of compliance SIP processing disabled in the 'Eval-Expired' state
17.3.2 onwards	Smart Licensing with the use of Policy mode only License use must be reported within the account policy to enable CUBE features	Smart Licensing only* Trunk license use is measured periodically and reported as per the Smart Account policy In accordance with policy, license policing reports are not acknowledged (SIP processing is disabled otherwise)

Cisco 공식 홈페이지 정보 입니다.

https://www.cisco.com/c/en/us/support/docs/cx/common-licensing-issues/how-to/other/cx217847-configure-smart-licensing-on-ios-xe-plat.html

Configure Smart Licensing on Cisco IOS XE Platforms for CUBE

This document describes the concept and need behind the Cisco Smart Software Licensing for Cisco Unified Border Element (CUBE).

www.cisco.com

reference cisco site

https://www.cisco.com/c/en/us/td/docs/routers/sl_using_policy/b-sl-using-policy/info_about.html

Smart Licensing Using Policy for Cisco Enterprise Routing Platforms - Information About Smart Licensing Using Policy [Cisco IOS

Provides an overview of how one operates in the Smart Licensing Using Policy environment. Covers the list of products that this guide is applicable to. Covers the components that may be part of your implementation. Covers the key concepts that help you und

www.cisco.com

저작자표시

'CISCO > 스위칭' 카테고리의 다른 글

Cisco IOS recommendation (0)	2025.01.11
C9300 - Configure SSH2 (0)	2024.10.24
C9300-Stack Switch IOS Upgrade (1)	2024.10.24
Cat9300 Switch Stack Installation (1)	2024.10.24
Cat9300L Switch License Registration to cisco CSSM (0)	2024.10.02

안녕하세요.

현재 Firepower 제품군은 unified software image 지원 합니다.

FTD - Firepower Threat Defense - Next-genration Firewall 이미지를 사용 합니다.

만약에 FTD에 Cisco ASA code로 변환해서 사용을 하면 Next-Generation Firewall에서 제공하는 기능들을 사용 못합니다.

그리고 Cisco ASA code는 현재는 제공하지만 점차 제공하지 않을 예정이기 때문에 Cisco 에서도 FTD를 이미지를 권장합니다.

지금까지 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > FTD 방화벽' 카테고리의 다른 글

[FTD-#2]-FTD GUI 503 service unavailable issue troubleshoot (0)	2024.11.08
[FTD-#1]-FTD Basic Configuration (0)	2024.11.08

안녕하세요.

오늘은 cisco ASA에 Remote Access VPN User를 확인해보겠습니다.

show vpn-sessiondb anyconnect

ASAv# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : kevin                  Index        : 62470
Assigned IP  : 192.168.200.100        Public IP    : 192.168.10.102
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 58544                  Bytes Rx     : 54607
Group Policy : ANYCONNECT_POLICY      Tunnel Group : MY_TUNNEL
Login Time   : 12:24:54 UTC Sun Feb 2 2025
Duration     : 0h:12m:24s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0a0101fe0f406000679f6416
Security Grp : none
ASAv#

아래 명령어를 통해서 라이센스 남은 갯수도 확인 가능 합니다.

ASAv# show vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
                                     Status : Capacity : Installed :  Limit
                                  -----------------------------------------
AnyConnect Premium               :  ENABLED :      250 :         2 :   NONE
AnyConnect Essentials            : DISABLED :      250 :         0 :   NONE
Other VPN (Available by Default) :  ENABLED :      250 :       250 :   NONE
Shared License Server            : DISABLED
Shared License Participant       : DISABLED
AnyConnect for Mobile            : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone   : DISABLED
VPN-3DES-AES                     :  ENABLED
VPN-DES                          :  ENABLED
---------------------------------------------------------------------------

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
                          Local : Shared :   All  :   Peak :  Eff.  :
                         In Use : In Use : In Use : In Use :  Limit : Usage
                       ----------------------------------------------------
AnyConnect Premium     :      1 :      0 :      1 :      2 :      2 :   50%
  AnyConnect Client    :                 :      1 :      1          :   50%
    AnyConnect Mobile  :                 :      0 :      0          :    0%
  Clientless VPN       :                 :      0 :      1          :    0%
  Generic IKEv2 Client :                 :      0 :      0          :    0%
Other VPN              :                 :      0 :      0 :    250 :    0%
  Cisco VPN Client     :                 :      0 :      0          :    0%
  L2TP Clients
  Site-to-Site VPN     :                 :      0 :      0          :    0%
---------------------------------------------------------------------------

ASAv#

anyconnect Permium 라이센스가 2개 이고, 현재 PC에서 접속 해서 한개를 사용하고 있고, Usage에 50% 표시 되었습니다.

ASAv# show version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.22(1)

Compiled on Wed 10-May-17 15:38 PDT by builders
System image file is "boot:/asa981-smp-k8.bin"
Config file at boot was "startup-config"

ASAv up 6 hours 21 mins

Hardware:   ASAv, 2048 MB RAM, CPU Xeon E5 series 2394 MHz,
Model Id:   ASAv10
Internal ATA Compact Flash, 8192MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

0: Ext: Management0/0       : address is 50fd.e000.3500, irq 11
1: Ext: GigabitEthernet0/0  : address is 50fd.e000.3501, irq 11
2: Ext: GigabitEthernet0/1  : address is 50fd.e000.3502, irq 10
3: Ext: GigabitEthernet0/2  : address is 50fd.e000.3503, irq 10
4: Ext: GigabitEthernet0/3  : address is 50fd.e000.3504, irq 11
5: Ext: GigabitEthernet0/4  : address is 50fd.e000.3505, irq 11
6: Ext: GigabitEthernet0/5  : address is 50fd.e000.3506, irq 10
7: Ext: GigabitEthernet0/6  : address is 50fd.e000.3507, irq 10

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.

Licensed features for this platform:
Maximum VLANs                     : 50
Inside Hosts                      : Unlimited
Failover                          : Active/Standby
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 0
Carrier                           : Disabled
AnyConnect Premium Peers          : 2
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 250
Total VPN Peers                   : 250

지금까지 [ASA #06] - Remote Access VPN current user check 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #05] - Remote Access VPN License (0)	2025.02.02
[ASA #04] - Remote Access VPN (0)	2025.02.02
[ASA #03] - ASDM Install (0)	2025.02.02
[ASA #02] - TFTP Install (0)	2025.02.02
[ASA #01] - Basic Config (0)	2025.02.02

안녕하세요.

오늘은 cisco asa remote access VPN license를 확인하는 방법에 대해서 알아보겠습니다.

아래처럼 shwo version을 입력하면 아래처럼 기본적으로 2개까지 제공되며, 추가적으로 사용시 License를 구매해야 합니다.

AnyConnect Premium Peers : 2

ASAv# show version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.22(1)

Compiled on Wed 10-May-17 15:38 PDT by builders
System image file is "boot:/asa981-smp-k8.bin"
Config file at boot was "startup-config"

ASAv up 6 hours 4 mins

Hardware:   ASAv, 2048 MB RAM, CPU Xeon E5 series 2394 MHz,
Model Id:   ASAv10
Internal ATA Compact Flash, 8192MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

0: Ext: Management0/0       : address is 50fd.e000.3500, irq 11
1: Ext: GigabitEthernet0/0  : address is 50fd.e000.3501, irq 11
2: Ext: GigabitEthernet0/1  : address is 50fd.e000.3502, irq 10
3: Ext: GigabitEthernet0/2  : address is 50fd.e000.3503, irq 10
4: Ext: GigabitEthernet0/3  : address is 50fd.e000.3504, irq 11
5: Ext: GigabitEthernet0/4  : address is 50fd.e000.3505, irq 11
6: Ext: GigabitEthernet0/5  : address is 50fd.e000.3506, irq 10
7: Ext: GigabitEthernet0/6  : address is 50fd.e000.3507, irq 10

License mode: Smart Licensing
ASAv Platform License State: Unlicensed
No active entitlement: no feature tier and no throughput level configured
*Memory resource allocation is more than the permitted limit.

Licensed features for this platform:
Maximum VLANs                     : 50
Inside Hosts                      : Unlimited
Failover                          : Active/Standby
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
Security Contexts                 : 0
Carrier                           : Disabled
AnyConnect Premium Peers          : 2
AnyConnect Essentials             : Disabled
Other VPN Peers                   : 250
Total VPN Peers                   : 250
AnyConnect for Mobile             : Disabled
AnyConnect for Cisco VPN Phone    : Disabled
Advanced Endpoint Assessment      : Disabled
Shared License                    : Disabled
Total TLS Proxy Sessions          : 2
Botnet Traffic Filter             : Enabled
Cluster                           : Disabled

Serial Number: 9A2U9VPUTQH

Image type          : Release
Key version         : A

Configuration last modified by enable_15 at 12:15:07.479 UTC Sun Feb 2 2025
ASAv#

ASAv# show vpn-sessiondb license-summary

ASAv는 Anyconnect Capacity는 250개 까지 가능하고 License 기본제공 2개 까지만 가능 합니다.

아래 정보를 보시면 현재 라이센스 사용수, 최대치 사용수까지 확인 가능 합니다.

ASAv# show vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
                                     Status : Capacity : Installed :  Limit
                                  -----------------------------------------
AnyConnect Premium               :  ENABLED :      250 :         2 :   NONE
AnyConnect Essentials            : DISABLED :      250 :         0 :   NONE
Other VPN (Available by Default) :  ENABLED :      250 :       250 :   NONE
Shared License Server            : DISABLED
Shared License Participant       : DISABLED
AnyConnect for Mobile            : DISABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     : DISABLED(Requires Premium)
AnyConnect for Cisco VPN Phone   : DISABLED
VPN-3DES-AES                     :  ENABLED
VPN-DES                          :  ENABLED
---------------------------------------------------------------------------

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
                          Local : Shared :   All  :   Peak :  Eff.  :
                         In Use : In Use : In Use : In Use :  Limit : Usage
                       ----------------------------------------------------
AnyConnect Premium     :      0 :      0 :      0 :      2 :      2 :    0%
  AnyConnect Client    :                 :      0 :      1          :    0%
    AnyConnect Mobile  :                 :      0 :      0          :    0%
  Clientless VPN       :                 :      0 :      1          :    0%
  Generic IKEv2 Client :                 :      0 :      0          :    0%
Other VPN              :                 :      0 :      0 :    250 :    0%
  Cisco VPN Client     :                 :      0 :      0          :    0%
  L2TP Clients
  Site-to-Site VPN     :                 :      0 :      0          :    0%
---------------------------------------------------------------------------

ASAv#

ASAv# show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
AnyConnect Client            :      0 :         17 :           1 :        0
  SSL/TLS/DTLS               :      0 :         17 :           1 :        0
Clientless VPN               :      0 :          2 :           1
  Browser                    :      0 :          2 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      0             Total Cumulative :     19
Device Total VPN Capacity    :    250
Device Load                  :     0%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
Clientless                   :      0 :          2 :               1
AnyConnect-Parent            :      0 :         17 :               1
SSL-Tunnel                   :      0 :         17 :               1
DTLS-Tunnel                  :      0 :          5 :               1
---------------------------------------------------------------------------
Totals                       :      0 :         41
---------------------------------------------------------------------------

ASAv#

하드웨어적으로 최대 지원되는 Anyconnect 유저수

지금까지 [ASA #05] - Remote Access VPN License 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #06] - Remote Access VPN current user check (0)	2025.02.02
[ASA #04] - Remote Access VPN (0)	2025.02.02
[ASA #03] - ASDM Install (0)	2025.02.02
[ASA #02] - TFTP Install (0)	2025.02.02
[ASA #01] - Basic Config (0)	2025.02.02

안녕하세요.

오늘은 Cisco ASA Remote Acess VPN에 대해서 알아보겠습니다.

CLI 기준입니다.

1. Secure Client를 다운로드 받습니다. pkg 확장자입니다.

https://software.cisco.com/download/home/286330811/type/282364313/release/5.1.7.80

2. 다운로드 파일을 TFTP 폴더에 복사 합니다.

3. 이 파일을 cisco ASA에 업로드 합니다.

ASAv# copy tftp flash

Address or name of remote host []? 192.168.10.102

Source filename []? cisco-secure-client-win-5.1.7.80-webdeploy-k9.pkg

Destination filename [cisco-secure-client-win-5.1.7.80-webdeploy-k9.pkg]?

Accessing tftp://192.168.10.102/cisco-secure-client-win-5.1.7.80-webdeploy-k9.pkg...!!!

ASAv# dir flash:

Directory of disk0:/

7      -rwx  0            11:39:22 May 21 2017  use_ttyS0
11     drwx  4096         03:12:34 Feb 02 2025  smart-log
8      drwx  4096         03:10:50 Feb 02 2025  log
12     drwx  4096         03:12:40 Feb 02 2025  coredumpinfo
84     -rwx  204561552    07:24:47 Feb 02 2025  asdm-openjre-7221.bin
85     -rwx  154655608    08:11:13 Feb 02 2025  cisco-secure-client-win-5.1.7.80-webdeploy-k9.pkg

8571076608 bytes total (8190124032 bytes free)

ASAv#

4. Cisco Remote Access VPN 설정값입니다.

4-1 Secure Client를 통해서 User가 ASA VPN에 연결 되면 IP주소는 192.168.200.100~ 192.168.200.200 사이에 IP주소를 할당 받습니다.

4-2 SPLIT_TUNNEL 10.1.1.0/24 대역 통신 할때는 VPN에 접속 합니다.

4-3 SSL_USER 계정은 VPN용으로만 사용 가능 합니다.

아래 처럼 그냥 COPY and PASTE하면 cisco ASA Remote Access VPN이 동작 합니다.

webvpn
anyconnect image flash:/cisco-secure-client-win-5.1.7.80-webdeploy-k9.pkg
enable outside
anyconnect enable
http redirect OUTSIDE 80
ip local pool VPN_POOL 192.168.200.100-192.168.200.200 mask 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0

group-policy ANYCONNECT_POLICY internal
group-policy ANYCONNECT_POLICY attributes
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
dns-server value 8.8.8.8
webvpn
anyconnect keep-installer installed
anyconnect ask none default anyconnect
anyconnect dpd-interval client 30
exit

tunnel-group MY_TUNNEL type remote-access
tunnel-group MY_TUNNEL general-attributes
default-group-policy ANYCONNECT_POLICY
address-pool VPN_POOL
exit

tunnel-group MY_TUNNEL webvpn-attributes
group-alias SSL_USERS enable

webvpn
tunnel-group-list enable

username SSL_USER password XXXXXXX

username SSL_USER attributes
service-type remote-access

5. https://192.168.10.78 접속 합니다

ASAv# show nameif
Interface                Name                     Security
GigabitEthernet0/0       outside                    0
GigabitEthernet0/1       inside                   100
Management0/0            MGMT                       0
ASAv# show int
ASAv# show interface ip brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.10.78   YES manual up                    up
GigabitEthernet0/1         10.1.1.254      YES manual up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
GigabitEthernet0/6         unassigned      YES unset  administratively down down
Management0/0              192.168.100.250 YES manual up                    up
ASAv#

6. Download가 완료되면 설치 합니다. 설치 과정은 생략 하겠습니다.

7. 설치가 완료되면 Cisco Secure Client를 실행해서 접속 합니다.

Connect Anyway를 클릭 합니다.

만약에 아래처럼 실행 오류가 나면 아래처럼 추가적으로 설정이 필요합니다.

ASDM 에 접속해서 아래처럼 접속합니다.

Remote-Access VPN -> Network Client Access -> Secure Client Profile -> Add

아래처럼 LocalUserOnly -> AllowRemoteUser로 수정 합니다.

다시 접속을 시도 합니다.

정상적으로 접속 되었습니다.

Remote Access User가 VPN통해서 내부에 있는 자원에 통신 할려고 방화벽 정책이 필요 합니다.

G0/0 outside - ACL name - outsideacl

G0/1 inside - ACL name - insideacl

G0/2 DMZ - ACL name -dmzacl

ASAv# show interface ip  brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.10.78   YES manual up                    up
GigabitEthernet0/1         10.1.1.254      YES manual up                    up
GigabitEthernet0/2         10.10.10.254    YES manual up                    up
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
GigabitEthernet0/6         unassigned      YES unset  administratively down down
Management0/0              192.168.100.250 YES manual up                    up
ASAv#

SW 설정

interface GigabitEthernet0/1
no switchport
ip address 10.10.10.10 255.255.255.0
negotiation auto
ip route 0.0.0.0 0.0.0.0 10.10.10.254

방화벽 정책 설정

ASAv(config)# access-list outsideacl extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0
ASAv(config)# access-group outsideacl in interface outside

Secure Client 접속후 Ping 10.10.10.10 하면 아래처럼 성공 합니다.

ASAv# show access-list
access-list cached ACL log flows: total 1, denied 1 (deny-flow-max 4096)
alert-interval 300
access-list SPLIT_TUNNEL; 2 elements; name hash: 0x63aa8f22
access-list SPLIT_TUNNEL line 1 standard permit 10.1.1.0 255.255.255.0 (hitcnt=0) 0x96d75e6a
access-list SPLIT_TUNNEL line 2 standard permit 10.10.10.0 255.255.255.0 (hitcnt=0) 0x23138585
access-list outsideacl; 1 elements; name hash: 0x945119d1
access-list outsideacl line 1 extended permit ip 192.168.200.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=1) 0xb46d0730
ASAv#

만약에 Remote Access VPN USER들은 outbound access-list 없이 그냥 BYpass하고 싶으면 아래 명령어를 입력합니다.

ASA1(config)# sysopt connection permit-vpn

지금까지 [ASA #04] - Remote Access VPN 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #06] - Remote Access VPN current user check (0)	2025.02.02
[ASA #05] - Remote Access VPN License (0)	2025.02.02
[ASA #03] - ASDM Install (0)	2025.02.02
[ASA #02] - TFTP Install (0)	2025.02.02
[ASA #01] - Basic Config (0)	2025.02.02

안녕하세요.

오늘은 ASA에 ASDM file를 업로드 하고 PC에 ASDM 프로그램을 설치해보겠습니다.

1. 현재 asa에서 version를 확인 합니다.

ASAv# show version

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(1)

Compiled on Wed 10-May-17 15:38 PDT by builders
System image file is "boot:/asa981-smp-k8.bin"
Config file at boot was "startup-config"

ASAv up 53 mins 52 secs

Hardware: ASAv, 2048 MB RAM, CPU Xeon E5 series 2394 MHz,
Model Id: ASAv10
Internal ATA Compact Flash, 8192MB
Slot 1: ATA Compact Flash, 8192MB
BIOS Flash Firmware Hub @ 0x0, 0KB

9.8 버전을 사용중에 있습니다.

2. ASDM 사용하기 위해서는 ASA에 ASDM file이 Flash메모리에 저장되어야 합니다.

3. TFTP 설치 합니다. 이전 글에서 설치 하였습니다. 이번글에서는 설치 과정은 생략 합니다.

https://itblog-kr.tistory.com/185

[ASA #02] - TFTP Install

안녕하세요. ASDM를 설치 하기 위해서는 ASDM 파일에 cisco ASA flash 저장 되어져 있어야 합니다. TFTP통해서 asdm파일을 cisco asa에 업로드 해보겠습니다. 이번에는 TFTP 설치에 대해서 알아보겠습니

itblog-kr.tistory.com

4. C드라이브에 TFTP폴더를 만들고 ASDM 파일을 복사합니다.

5. TFTP를 실행합니다.

그리고 폴더 위치랑 IP주소를 수정 합니다.

6. 아래처럼 tftp서버 IP랑 asdm 파일 이름을 입력해서 asdm를 cisco asa 업로드 합니다.

ASAv# copy tftp: flash:

Address or name of remote host []? 192.168.10.102

Source filename []? asdm-openjre-7221.bin

Destination filename [asdm-openjre-7221.bin]?

Accessing tftp://192.168.10.102/asdm-openjre-7221.bin...!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Verifying file disk0:/asdm-openjre-7221.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm-openjre-7221.bin...

204561552 bytes copied in 628.840 secs (325734 bytes/sec)
ASAv#

7. dir flash:를 통해서 asdm 이미지 파일을 확인 합니다.

ASAv# dir flash:

Directory of disk0:/

7      -rwx  0            11:39:22 May 21 2017  use_ttyS0
11     drwx  4096         03:12:34 Feb 02 2025  smart-log
8      drwx  4096         03:10:50 Feb 02 2025  log
12     drwx  4096         03:12:40 Feb 02 2025  coredumpinfo
84     -rwx  204561552    07:24:47 Feb 02 2025  asdm-openjre-7221.bin

8. ASDM를 사용하기 위해서 아래처럼 설정 합니다.

ASAv# conf t
ASAv(config)# asdm image disk0:/asdm-openjre-7221.bin
ASAv(config)# http server enable
ASAv(config)# http 0.0.0.0 0.0.0.0 inside
ASAv(config)# username kevin password XXXXXXX privilege 15
ASAv(config)#

9. inside interface는 Gi0/1이고 IP주소는 10.1.1.254입니다.

ASAv# show int ip brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.10.78   YES manual up                    up
GigabitEthernet0/1         10.1.1.254      YES manual up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
GigabitEthernet0/6         unassigned      YES unset  administratively down down
Management0/0              192.168.100.250 YES manual up                    up
ASAv#

ASAv# show nameif
Interface                Name                     Security
GigabitEthernet0/0       outside                    0
GigabitEthernet0/1       inside                   100
Management0/0            MGMT                       0
ASAv#

아래처럼 접속을 시도 합니다. 그리고 Install ASDM Launcher를 클릭 합니다.

로그인을 합니다.

로그인이 성공하면 아래처럼 파일이 다운로드 됩니다.

10. 실행해서 설치 합니다. Next를 클릭 합니다.

11. Next를 클릭 합니다.

12. Install클릭 합니다.

설치가 진행 됩니다.

13. ASDM이 설치가 완료 되었습니다. 바탕화면에 ASDM 아이콘이 생성 되었습니다.

14. 실행 했을때 아래처럼 에러 메시지가 발생하면 추가적으로 수정이 필요합니다.

경로값이를 아래처럼 수정 합니다.

C:\Windows\System32\wscript.exe invisible.vbs run.bat

접속을 시도 합니다.

100% 완료 될때까지 기다립니다.

접속이 완료 되었습니다.

지금까지 [ASA #03] - ASDM Install 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #06] - Remote Access VPN current user check (0)	2025.02.02
[ASA #05] - Remote Access VPN License (0)	2025.02.02
[ASA #04] - Remote Access VPN (0)	2025.02.02
[ASA #02] - TFTP Install (0)	2025.02.02
[ASA #01] - Basic Config (0)	2025.02.02

안녕하세요.

ASDM를 설치 하기 위해서는 ASDM 파일에 cisco ASA flash 저장 되어져 있어야 합니다.

TFTP통해서 asdm파일을 cisco asa에 업로드 해보겠습니다.

이번에는 TFTP 설치에 대해서 알아보겠습니다.

가장 많이 쓰는 Free TFTP 프로그램은

아래 링크를 통해서 다운로드 받습니다.

https://pjo2.github.io/tftpd64/

TFTPD64 : an opensource IPv6 ready TFTP server/service for windows : TFTP server

Tftpd64 The industry standardTFTP server Tftpd64 is a free, lightweight, opensource IPv6 ready application which includes DHCP, TFTP, DNS, SNTP and Syslog servers as well as a TFTP client. The TFTP client and server are fully compatible with TFTP option su

pjo2.github.io

2. Download Page를 클릭 합니다.

3. TFTPD64-4.64-setup.exe 파일을 클릭 합니다.

4. 파일을 클릭 해서 실행 합니다.

5. I agree를 클릭 합니다.

6. Next버튼을 클릭 합니다.

7. Install 버튼을 클릭 합니다.

8. Close버튼을 클릭 합니다.

지금까지 [ASA #02] - TFTP Install 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #06] - Remote Access VPN current user check (0)	2025.02.02
[ASA #05] - Remote Access VPN License (0)	2025.02.02
[ASA #04] - Remote Access VPN (0)	2025.02.02
[ASA #03] - ASDM Install (0)	2025.02.02
[ASA #01] - Basic Config (0)	2025.02.02

안녕하세요.

이번에 고객사에서 사용중인 ASA Firewall를 FTD로 Migration를 해야하는데 CISCO ASA 방화벽을 너무 오랜간만에 다시 다루게 되어서 ASA Anyconnect - Remote Access VPN에 대해서 공부해 보겠습니다.

EVE-NG에서 아래처럼 구성도를 만들었습니다.

EVE-NG ASA 설치 과정은 아래 글을 확인 부탁드립니다.

https://itblog-kr.tistory.com/19#google_vignette

[2024][EVE-NG #9] ASAv 방화벽 설치하기

안녕하세요. 오늘은 [2024][EVE-NG #9] ASAv 방화벽 설치하기입니다. 1. 공식적인 사이트 링크는 아래와 같습니다. https://www.eve-ng.net/index.php/documentation/howtos/howto-add-cisco-asav/ Cisco ASAv -Versions this gui

itblog-kr.tistory.com

1. EVE-NG에서 토폴로지를 아래와 같이 만듭니다.

2. 기본설정을 합니다.

E0/0 - zone - outside - ip 192.168.10.77/24

E0/1 - zone - inside - ip 10.1.1.1/24

GW: 192.168.10.253

ciscoasa# conf t
ciscoasa# hostname asa
ASA#
ASA(config)# int e0
ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA(config-if)# ip add 192.168.10.77 255.255.255.0
ASA(config-if)# no sh
ASA(config)# int e1
ASA(config-if)# nameif inside
ASA(config-if)# ip add 10.1.1.254 255.255.255.0
ASA(config-if)# no sh
ASA(config-if)#

ASA(config)# route outside 0.0.0.0 0.0.0.0 192.168.10.253
ASA(config)#

Nameif 확인

ASAv# show nameif
Interface                Name                     Security
GigabitEthernet0/0       outside                    0
GigabitEthernet0/1       inside                   100
ASAv#

Interface 확인

ASAv# show interface ip brie
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.10.78   YES manual up                    up
GigabitEthernet0/1         10.1.1.254      YES manual up                    up
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
GigabitEthernet0/6         unassigned      YES unset  administratively down down
Management0/0              unassigned      YES unset  administratively down up
ASAv#

Default Gateway 확인

ASAv# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 192.168.10.253 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 192.168.10.253, outside
C        10.1.1.0 255.255.255.0 is directly connected, inside
L        10.1.1.254 255.255.255.255 is directly connected, inside
C        192.168.10.0 255.255.255.0 is directly connected, outside
L        192.168.10.78 255.255.255.255 is directly connected, outside

2. PC에서 Ping 192.168.10.77

지금 까지 [ASA #01] - Basic Config 대해서 알아보았습니다.

다음글은 ASDM를 설치해서 cisco ASA 접속해보겠습니다.

저작자표시

'CISCO > ASA 방화벽' 카테고리의 다른 글

[ASA #06] - Remote Access VPN current user check (0)	2025.02.02
[ASA #05] - Remote Access VPN License (0)	2025.02.02
[ASA #04] - Remote Access VPN (0)	2025.02.02
[ASA #03] - ASDM Install (0)	2025.02.02
[ASA #02] - TFTP Install (0)	2025.02.02

PALOALTO랑 2FA를 설정할때 제약 사항.

PALOALTO MGMT PORT또는 DATA PORT로 LDAP또는 RADIUS Packet를 전달 한다.

하지만 아래 사진 처럼 SOURCE INTERFACE를 한개만 설정 할수 있다.

아래 같은 상황을 설정해 봅니다.

내부에 서버가 있습니다.

ISP01 - 192.168.1.2 통해서 GP연결하는 유저는 Production server에 접속 함.

ISP01 - 192.168.1.3 통해서 GP연결하는 유저는 Test server에 접속 함.

PRODUCTION SERVER - 192.168.150.100 - Active Directory and Cisco DUO

TEST SERVER - 192.168.151.100 - Active Directory and Cisco DUO

Production GP USER - Portal Authentication - AD

1. GP User - 192.168.1.2 접속

2. PA E1/3 LDAP Traffic 전달

192.168.150.254 Source -> LDAP 192.168.150.100 same L2

3. LDAP Server 인증 체크

4. 인증 리턴 패킷을 다시 192.168.150.100 Source -> 192.168.150.254 Destination 전달

5. PAloalto는 다시 유저에게 전달해서 Portal authentication 완료 됩니다.

Cisco DUO authentication

1. RADIUS TRAFFIC 전달

Source 192.168.150.254 -> Destination 192.168.150.100

2. Cisco DUO Proxy -> Cisco DUO CLOUD 전달

Source 192.168.150.100이 API를 통해서 Cisco DUO전달

3. Cisco DUO CLOUD에 User에 포함된 모바일폰 정보를 확인후 Push Notification 전달

지금까지는 LDAP and Radius Source Interface IP가 192.168.150.254 <-> 192.168.150.100 LDAP and DUO서버랑 같은 L2 도메인 이라서 통신 되는데 문제가 없습니다.

***** 하지만 Test Server에 접속 할때는 상황이 다릅니다. ******

GP Portal IP - 192.168.1.3

LDAP02 and DUO02 - 192.168.151.100

PALOALTO Source LDAP and RADIUS IP - 192.168.150.254

1. GP User가 ISP01 192.168.1.3에 접속 합니다.

2. PA E1/3 192168.150.254를 Source해서 192.168.151.100으로 접속을 시도 합니다.

하지만 실제 E1/4 192.168.151.254 <-> 192.168.151.100 같은 L2이기때문에, 패킷이 E1/3이 아니라 E1/4 전달 됩니다.

리턴 패킷도 E1/3이 아니라 E1/4로 받아서 AD 인증 cisco DUO 인증 모두 실패 합니다.

라우팅을 변경 하면 해결 됩니다.

1. PALOALTO에서 192.168.151.100/32를 E1/3를 통해서 Internet PA - E1/2 192.168.168.150으로 전달 합니다

2. INTNET PA입장에서는 192.168.151.1 <-> 192.168.151.100 같은 L2도메인이기때문에,

INTERNET PA E1/3 192.168.151.1를 통해서 192.168.151.100 통신 합니다

3. 192.168.151.100 - AD02 DUO02는 Default Gateway가 192.168.151.1이고 AD02/DUO02는 패킷을 INTERNET PA로 전달 합니다.

4. INTERNET PA는 E1/3를 받아서 192.168.1.2 E1/2 전달합니다.

5. GP PALOALTO는 E1/3 192.168.1.254로 AD2/DUO2패킷을 전달 받습니다.

이렇게 하면 이 문제가 해결 됩니다.

GP PA1에서 단순히 Static Routing를 아래처럼 설정하면 됩니다.

192.168.151.0/24 - E1/4 연결 되었지만 아래처럼 192.168.151.100/32로 E1/3강제로 라우팅을 변경 가능합니다.

그 이유는 Longest Match Rule에 의해서 가능 합니다

Aysmetric 구조가 아니고 PA AD/DUO source interface로 패킷이 나가서 라우팅만 잘 되고 다시 그 인터페이스로 패킷을 전달 받으면 제대로 동작하는 것을 확인 하였습니다.

저작자표시

'CISCO > Cisco DUO' 카테고리의 다른 글

[Cisco DUO][#4]- synchronize active directory user to cisco duo cloud (0)	2024.11.16
[Cisco DUO][#2]- Windows Server Login or RDP 2FA - Bypass function (0)	2024.11.15
[Cisco DUO][#1]- Windows Server Login or RDP 2FA인증 (0)	2024.11.15

안녕하세요.

이번에는 windows 10 PC를 Active Directory에 Join하겠습니다.

토폴로지는 아래와 같습니다.

추후에 wire 802.1x를 설정하기 위해서는 PC가 Switch에 연결되어야 합니다.

PC는 아래 구름을 통해서 VMware ESXi안에 있는 Windows Server통신 가능 합니다.

PC

IP: 192.168.10.169

Netmask: 255.255.255.0

GW: 192.168.10.253

DNS: 192.168.10.193

DNS: 8.8.8.8

AD Server IP: 192.168.10.253

Domain: test.local

1. Windows Server에서 windows 10에서 IP주소를 설정 합니다.

2. ping test.local

3.

컴퓨터 이름을 수정합니다.

USERPC01

Domain: test.local

Active Directory 계정을 입력 합니다.

4. OK버튼을 클릭 합니다.

재부팅 합니다.

5. 윈도우 서버에서 User를 생성 합니다.

user01

AD user 계정으로 로그인중입니다.

지금까지 [2025][CISCO ISE#39] - Windows 10 PC Active Directory Join 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#38] - Admin login with Active Directory (0)	2025.01.14
[2025][CISCO ISE#37] - Admin Access - Settings Menu (0)	2025.01.14
[2025][CISCO ISE#36] - Admin Access - Administrators Menu (0)	2025.01.14
[2025][CISCO ISE#35] - Admin Access - Authorization Menu (0)	2025.01.14
[2025][CISCO ISE#34] - Admin Access - Authentication Menu (0)	2025.01.14

안녕하세요.

cisco ise 로그인 할때 Local Database를 이용해서 로그인 하였습니다 - Local User on cisco ise

이번에는 Active Directory에 User를 통해서 Cisco ISE 로그인 해보겠습니다.

Active Directory는 이전 강의에서 설명 하였습니다.

https://itblog-kr.tistory.com/133

[2025][CISCO ISE#7] - Active Directory install

안녕하세요. 이번에는 cisco ISE 실습을 위해서 Active Directory를 윈도우 서버에 설치해보겠습니다.Diagram 1. Add Roles and Features 클릭 합니다. 2. Next를 클릭 합니다. 3. next를 클릭 합니다. 4. Next를

itblog-kr.tistory.com

1. 윈도우서버에 접속해서 아래처럼 테스트를 위해서 그룹과 계정을 생성합니다.

AdminGroup - admin user

SupportGroup - support user

2. AD를 연동 합니다.

정상적으로 등록 되었습니다.

이번에는 Active Direcotry에 있는 Group를 cisco ise에 불러오겠습니다.

아래처럼 AdminGroup과 SupportGroup를 선택하고 OK버튼을 클릭 합니다.

3. Admin 로그인 할때 Local User가 아닌 Active Directory 선택합니다.

4. Group를 생성합니다.

AdminGroup

SupportGroup

위에 처럼 Admin Groups이 생성 되었습니다.

5. Authorization -> Permissions -> RBAC Policy 클릭합니다

Action 버튼을 클릭후 Insert New Policy를 선택합니다.

Rule Name: AdminGroup-Policy

Admin Groups: AdminGroup

Permissions: Super Admin Menu Access and Super Admin Data Acess

User가 AdminGroup에 속하면 권환을 Super Admin Menu랑 Super Admin Data를 부여하라는 뜻입니다.

Rule Name: SupportGroup-Policy

Admin Groups: SupportGroup

Permissions: HelpDesk Admin Menu and Read Only Admin Data

User가 SupportGroup에 속하면 권환을 Helpesk admin menu랑 Read Only Admin Data를 부여하라는 뜻입니다.

Save버튼을 클릭 합니다.

6 . 이제 테스트를 합니다. 다른 브라우저를 열고 cisco ISE GUI 접속 합니다.

로그인 가능하고 모든 메뉴를 볼수 있습니다.

이번에는 support user를 로그인 합니다.

Support유저는 제한된 메뉴만 볼수 있습니다. HelpDesk 유저이기 때문에

이번에는 테스트를 위해서 Admin 계정에서 AdminGroup를 제거 합니다.

그리고 다시 admin 계정으로 로그인 합니다

admin이 admingroup에 속하지 않기때문에, 로그인에 실패 하였습니다.

AD가 문제가 생겨서 로그인 못하면 옵션에서 Internal로 변경하고 기존에 있는 admin local user로 로그인 가능 합니다.

아래처럼 로그인 가능 합니다.

다음 테스트를 위해서 Admin 계정에 다시 AdminGroup를 추가 합니다.

지금까지 [2025][CISCO ISE#38] - Admin login with Active Directory 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#39] - Windows 10 PC Active Directory Join (0)	2025.01.14
[2025][CISCO ISE#37] - Admin Access - Settings Menu (0)	2025.01.14
[2025][CISCO ISE#36] - Admin Access - Administrators Menu (0)	2025.01.14
[2025][CISCO ISE#35] - Admin Access - Authorization Menu (0)	2025.01.14
[2025][CISCO ISE#34] - Admin Access - Authentication Menu (0)	2025.01.14

안녕하세요.

오늘은 Admin Access에서 Setting Menu에 대해서 알아보겠습니다.

1. Administration -> System -> Admin Access -> Settings -> Access

배너 설정도 가능 합니다.

GUI 동시 접속자수 설정 가능

CLI 동시 접속자수 설정 가능

IP access - 기본설정으로 모든 IP는 cisco ISE접속 가능

아래처럼 특정 IP만 cisco ise GUI/CLI 접속 가능 하게 설정 가능

MnT Access 도 IP Access랑 똑같습니다.

** Session Timeout **

Session이 Idel 일때 특정 시간이 되면 자동으로 Logout가능 하게 합니다.

현재 CISCO ISE접속한 유저들을 표시 합니다.

지금까지 [2025][CISCO ISE#37] - Admin Access - Settings Menu 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#39] - Windows 10 PC Active Directory Join (0)	2025.01.14
[2025][CISCO ISE#38] - Admin login with Active Directory (0)	2025.01.14
[2025][CISCO ISE#36] - Admin Access - Administrators Menu (0)	2025.01.14
[2025][CISCO ISE#35] - Admin Access - Authorization Menu (0)	2025.01.14
[2025][CISCO ISE#34] - Admin Access - Authentication Menu (0)	2025.01.14

안녕하세요.

오늘은 Admin Access에서 Administrators Menu에 대해서 알아보겠습니다.

1. Administration - System - Administrators - Admin Users

아래처럼 Administrators 계정을 관리 할 수 있습니다.

생성/삭제/수정 가능 합니다.

유저들은 groups에 포함 되어야 합니다. 유저가 group에 포함되는 순간 group관련 정책들이 적용 됩니다.

유저 생성

지금까지 [2025][CISCO ISE#36] - Admin Access - Administrators Menu 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#38] - Admin login with Active Directory (0)	2025.01.14
[2025][CISCO ISE#37] - Admin Access - Settings Menu (0)	2025.01.14
[2025][CISCO ISE#35] - Admin Access - Authorization Menu (0)	2025.01.14
[2025][CISCO ISE#34] - Admin Access - Authentication Menu (0)	2025.01.14
[2025][CISCO ISE#33] - Upgrade Version (0)	2025.01.13

안녕하세요

오늘은 Admin Access에서 Authorization에 대해서 알아보겠습니다.

Administation -> System -> Admin Access -> Authorzation

** Menu Access **

Navigational Visibility on ISE

어떤 메뉴를 유저(그룹)에 대해서 어떤 메뉴를 보여줄수 설정 가능 합니다.

EX) 아랯럼 특정 메뉴를 Show 또는 Hide로 설정 가능 합니다.

*** Data Access ***

Ability - Read/Access/Modify the identity data on cisco ise. Access관련 권환에 대해서 설정 가능 합니다.

Permmission can be configured only for Admin groups, iser identity group, Endpoint identity group and network device groups.

1. Full Access

2. Read Only Access

3. No Access

** RBAC Policy **

RBAC stands for Role-based access control. which a user belongs can be configured to use the desired menu and data access policies

지금까지 [2025][CISCO ISE#35] - Admin Access - Authorization Menu 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#37] - Admin Access - Settings Menu (0)	2025.01.14
[2025][CISCO ISE#36] - Admin Access - Administrators Menu (0)	2025.01.14
[2025][CISCO ISE#34] - Admin Access - Authentication Menu (0)	2025.01.14
[2025][CISCO ISE#33] - Upgrade Version (0)	2025.01.13
[2025][CISCO ISE#32] - Export/Import Certificate (0)	2025.01.13

안녕하세요.

오늘은 Admin Access 에 대해서 알아보겠습니다.

1. 아래처럼 Admin Access 를 확인 할 수 있습니다.

administration -> system -> Admin Access에서 아래처럼 Authentication에 대해서 알아보겠습니다.

1. Authentication

** Authentication Mehtod **

Password Based 또는 Certificate Based 선택 가능 합니다.

그리고 Identity Source에서

Internal - ISE local database 에서 인증

Active Directory - AD를 통해서 User인증 등을 선택 할 수 있습니다.

*** Password Policy ***

Password를 생성할때 조건 사항들을 선택 할수 있습니다.

Passowrd 총 길이는 10개 이상 이어야 하고 대문자 숫자 특수 문자는 몇개를 포함하여야 특정 문자는 선택 할수 없고 등등을 정의 할 수 있습니다.

*** Account Disable Policy ***

계정이 특정 기간 동안 로그인 하지 않으면 그 계정을 Disable하는 기능 입니다.

EX) 10 days 정의하면 사용자가 10일동안 로그인 하지 않으면 이 계정을 Disable 합니다.

*** Lock/Suspend Settings ***

로그인을 몇번 시도해서 틀렸을경우 몇분 동안 다시 로그인을 하지 못하게 정의 할 수 있습니다.

위에 기본 설정에서 보시면, 패스워드를 3번 틀리면 15분 동안 다시 로그인 할 수 없게 합니다.

이유는 해킹툴로 패스워드를 임의에 수로 계속 로그인 하게 시도 할 수 있습니다. 위에 기능을 설정하면 보안상 좋습니다.

지금까지 [2025][CISCO ISE#33] - Admin Access - Authentication Menu 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#36] - Admin Access - Administrators Menu (0)	2025.01.14
[2025][CISCO ISE#35] - Admin Access - Authorization Menu (0)	2025.01.14
[2025][CISCO ISE#33] - Upgrade Version (0)	2025.01.13
[2025][CISCO ISE#32] - Export/Import Certificate (0)	2025.01.13
[2025][CISCO ISE#31] - restore (0)	2025.01.13

안녕하세요.

이번에는 cisco ise version upgrade하는 방법에 대해서 알아보겠습니다.

1. 현재 사용중인 cisco ise version를 확인 합니다.

2. cisco homepage 접속해서 Upgrade 버전을 확인 합니다.

아래 사지너럼 3.3 ise upgradebundle를 다운로드 받습니다.

3. 그리고 FTP Repository에 다운로드한 파일을 업로드 합니다.

4. Configuration Backup, Operation Backup, Certificate Backup를 합니다.

이제 cisco ISE upgrade할 준비가 완료 되었습니다.

1. Administration -> System -> Upgrade

그리고 Split Upgrade 선택하고 Start Upgrade버튼을 클릭 합니다..

2. Upgrade 버튼을 클릭 합니다.

Proceed 버튼을 클릭 합니다.

3. 아래 Check박스 선택하고 Continue버튼을 클릭 합니다.

4. 아래처럼 선택하고 Download 버튼을 클릭 합니다.

5. FTP Repostory를 선택하고 Upgrade 파일을 선택하고 Confirm 버튼을 클릭 합니다.

6. 그러면 cisco ise upgrade파일을 FTP repostory폴더로 부터 다운로드 합니다.

7. 다운로드가 완료 되면 마지막으로 Upgrade버튼을 클릭 합니다.

지금까지 [2025][CISCO ISE#33] - Upgrade Version 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#35] - Admin Access - Authorization Menu (0)	2025.01.14
[2025][CISCO ISE#34] - Admin Access - Authentication Menu (0)	2025.01.14
[2025][CISCO ISE#32] - Export/Import Certificate (0)	2025.01.13
[2025][CISCO ISE#31] - restore (0)	2025.01.13
[2025][CISCO ISE#30] - schedule backup (0)	2025.01.13

안녕하세요.

오늘은 Cisco ISE certification export하는 방법에 대해서 알아보겠습니다.

Cisco ISE configuration backup 실행해도 Certificate은 Backup되지 않습니다.

수동으로 백업 해야합니다.

cisco ISE certificate은 다양하게 사용 됩니다. Web GUI, Web Portals, EAP, Pxgrid 등등.

그래서 꼭 Certificate를 백업 해야 합니다. 설정값을 백업하고 Certificate를 백업하지 않으면 Cisco ISE 장비가 망가져서 RMA 또는 새로운 Cisco ISE설치 했을때 난감한 상황을 맞이 할 수 있습니다.

1. Self Signed Certificate

2. 3rd party signed Certificate

Self Signed Certificate경우 - Import Public Key of certificate under trusted certificates

3rd Party Signed Certificate경우 - Import Root and all other intermediate certificates of the certificate

1. 아래 페이지에 접속 합니다.

administrator - system - certificates - sytem certificates

ISE01-TEST-CERT를 Check하고 Export버튼을 클릭 합니다.

아래처럼 설정 합니다.

아래처럼 파일이 다운로드 되었습니다.

압축된 폴더를 클릭 하면, 아래처럼 Public Key랑 Private Key가 있습니다.

2번째는 Trusted Certifiate 항목에 있는 인증서를 백업 합니다.

1. Trsuted Crtificates 클릭

2. 저번에 windows CA서버랑 인증서 발급 했던 SERVER-CA-ROOT를 체크 하고 백업합니다.

이렇게 Certificate 백업하면 됩니다.

인증서 Import는 cisco ISE에 있는 Import버튼을 눌러서 인증서를 Import하면 됩니다. 이 부분은 생략 하겠습니다.

이번에는 CLI모드에서 인증서를 백업 해보겠습니다.

ISE01/admin#application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[25]CleanUp ESR 5921 IOS Crash Info Files
[26]Recreate undotablespace
[27]Reset Upgrade Tables
[28]Recreate Temp tablespace
[29]Clear Sysaux tablespace
[30]Fetch SGA/PGA Memory usage
[31]Generate Self-Signed Admin Certificate
[32]View Certificates in NSSDB or CA_NSSDB
[0]Exit

7번 Export Internal CA store

7
Export Repository Name: FTP
Enter encryption-key for export:
15:33:28.552 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Initializing Inprocess PAP
15:33:29.628 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - In PAP Facade initialize ...
15:33:29.629 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Retrieving CEPM Location
15:33:29.639 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Loading [ oracle ] Database Queries
15:33:29.640 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - QueryStore config file [ oracle.xml ]
15:33:29.700 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Queries are loaded
15:33:29.700 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Loading Pre-hook Handlers.....
15:33:29.700 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Handler Definitions config file [ api_configuration.xml ]
15:33:29.720 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Pre-hook Handlers are loaded
15:33:29.721 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Handlers are loaded..
15:33:29.721 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Initializing Connection Pool
15:33:29.723 [main] INFO  cohttp://m.cisco.epm.db.DatabaseConnectionFactory - Pool is going to be initialized with poolName as Default Domain
15:33:29.727 [main] INFO  cohttp://m.cisco.epm.db.DatabaseConnectionFactory - The Implementation Class for Connection Pooling is............... cohttp://m.cisco.epm.db.ApacheConnectionPool
15:33:29.727 [main] INFO  cohttp://m.cisco.epm.db.ConnectionPool - Initing the ConnectionPool with Properties
15:33:29.736 [main] INFO  cohttp://m.cisco.epm.db.DBApacheContextFactory - In DBApacheContextFactory Class
15:33:29.760 [main] INFO  cohttp://m.cisco.epm.db.DBApacheContextFactory - Starting the abandoned pool reaper thread
15:33:29.762 [AbandonedTransactionReaper] INFO  cohttp://m.cisco.epm.db.AbandonedTransactionReaper - In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 0
15:33:29.780 [main] INFO  cohttp://m.cisco.epm.pap.api.services.persistance.dao.RepositoryDAO - In DAO listRepositoryDetails method
15:33:29.950 [main] INFO  cohttp://m.cisco.epm.db.DatabaseConnectionFactory - Factory contains this poolName Default Domain
15:33:29.950 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Initializing Handlers
15:33:31.207 [main] INFO  cohttp://m.cisco.epm.pap.api.services.persistance.dao.EntitlementServerDAO - Checking isEntitlementServer Exist for EntitlementServer Name:  'PDPServer '
15:33:31.222 [main] INFO  cohttp://m.cisco.epm.pap.api.services.persistance.dao.ApplicationDAO - Getting  ApplicationType with name 'Default'  under application group name 'Global'
15:33:31.400 [main] WARN  cohttp://m.cisco.epm.pap.PAPFacade - Node roleType=[PRIMARY,TranportType=[null]
15:33:31.419 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - Inside confirmAndDemoteIfNotPrimary
15:33:31.419 [main] INFO  cohttp://m.cisco.epm.pap.api.services.persistance.dao.DistributionDAO - In DAO getRepository method for HostConfig Type: PAP
15:33:31.430 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - Now checking against secondary pap ISE02
15:33:31.431 [main] INFO  cohttp://m.cisco.epm.util.NodeCheckHelper -  inside getHostConfigRemoteServer
Security Protocol list Start
15:33:31.532 [main] INFO  cohttp://m.cisco.epm.ssl.SSLManagerFactory - DEFAULT SSL Protocol at returnTLSv1.2
15:33:31.533 [main] INFO  cohttp://m.cisco.epm.ssl.SSLManagerFactory - DEFAULT SSL Protocols List at return[TLSv1.2]
15:33:33.637 [main] INFO  cohttp://m.cisco.cpm.nsf.api.PasswordValidator - Integritycheck Openssl digest output from verification with Swims release key: Verified OK
15:33:33.638 [main] INFO  cohttp://m.cisco.cpm.nsf.api.PasswordValidator - Integritycheck Output: Verified signature of integritycheck program with Swims release key

15:34:13.804 [main] INFO  cohttp://m.cisco.cpm.nsf.api.PasswordValidator - Integritycheck Output: Verified signature of integritycheck.sums file with Swims release key
15:34:13.805 [main] INFO  cohttp://m.cisco.cpm.nsf.api.PasswordValidator - Integritycheck PASSED
Inside Session facade init
15:34:13.844 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - inside isCloudDeployment function cloud URL http://169.254.169.254/latest/dynamic/instance-identity/document Requested method GET
15:34:13.844 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - URI for cloud API call ================ URL: http://169.254.169.254/latest/dynamic/instance-identity/document , Request Method: GET
15:34:13.858 [main] ERROR cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - ==========exception in getURLForHTTPConnection null
15:34:13.858 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - inside isCloudDeployment function cloud URL http://169.254.169.254/metadata/instance?api-version=2021-01-01 Requested method GET
15:34:13.858 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - URI for cloud API call ================ URL: http://169.254.169.254/metadata/instance?api-version=2021-01-01 , Request Method: GET
15:34:14.877 [main] ERROR cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - ==========exception in getURLForHTTPConnection null
15:34:14.877 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - inside isCloudDeployment function cloud URL http://169.254.169.254/opc/v1/instance/ Requested method GET
15:34:14.877 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - URI for cloud API call ================ URL: http://169.254.169.254/opc/v1/instance/ , Request Method: GET
15:34:15.901 [main] ERROR cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - ==========exception in getURLForHTTPConnection null
Old Memory Size : 16204356
15:34:15.919 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProperties - PlatformProperties whoami: root

15:34:16.129 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProperties - PlatformProperties{udiPid='ISE-VM-K9', udiVid='V01', udiSn='EFHGJBGCGFB', memorySizeKb=16204356, numberOfCpuCores=16, vmDiskSpace=}
15:34:16.133 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - inside mapVmToProfile function cloud check valuesfalsefalsefalse
15:34:16.589 [main] INFO  cohttp://m.cisco.epm.pdp.PDPFacade - loadSystemProperties
In the init method of PDPFacade
15:34:16.685 [main] INFO  cohttp://m.cisco.epm.pdp.PDPFacade - In the init method of PDPFacade
15:34:16.698 [main] INFO  cohttp://m.cisco.epm.db.DatabaseConnectionFactory - Factory contains this poolName Default Domain
15:34:16.698 [main] INFO  cohttp://m.cisco.epm.pdp.PDPFacade - Started checking of Authetication
15:34:16.778 [main] INFO  cohttp://m.cisco.epm.pdp.AppPoliciesStatus - updating   AppName  PAP Application Group:PAP Application   Status    0
15:34:16.779 [main] INFO  cohttp://m.cisco.epm.pdp.AppPoliciesStatus - updating   AppName  Prime group:Prime portal   Status    0
15:34:16.779 [main] INFO  cohttp://m.cisco.epm.pdp.AppPoliciesStatus - updating   AppName  NAC Group:NAC   Status    0
15:34:16.783 [main] INFO  cohttp://m.cisco.epm.pdp.PDPFacade - Started to load Pip's....
15:34:16.957 [main] INFO  cohttp://m.cisco.epm.pip.db.DataBasePIPMetaData - DataBasePIPMetaData
15:34:16.964 [main] INFO  cohttp://m.cisco.epm.db.DatabaseConnectionFactory - PoolName is  Global:Entitlement Repository
15:34:16.964 [main] INFO  cohttp://m.cisco.epm.db.DatabaseConnectionFactory - Pool is going to be initialized with poolName as Global:Entitlement Repository
15:34:16.965 [main] INFO  cohttp://m.cisco.epm.db.ConnectionPool - Initing the ConnectionPool with Properties
15:34:16.965 [main] INFO  cohttp://m.cisco.epm.db.DBApacheContextFactory - In DBApacheContextFactory Class
15:34:16.966 [main] INFO  cohttp://m.cisco.epm.db.DBApacheContextFactory - Starting the abandoned pool reaper thread
15:34:16.967 [AbandonedTransactionReaper] INFO  cohttp://m.cisco.epm.db.AbandonedTransactionReaper - In AbandonedTransactionReaper :  MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 0
15:34:16.973 [main] INFO  cohttp://m.cisco.epm.pip.PipMetaDataFactory - Initialization of PIP's and Attributes is done
15:34:18.914 [main] INFO  cohttp://m.cisco.epm.pdp.PDPFacade - Pip's are loaded and started
15:34:18.915 [main] INFO  cohttp://m.cisco.epm.pdp.PDPFacade - Lodaing data into in memory
15:34:18.933 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - Inside confirmAndDemoteIfNotPrimary
15:34:18.934 [main] INFO  cohttp://m.cisco.epm.pap.api.services.persistance.dao.DistributionDAO - In DAO getRepository method for HostConfig Type: PAP
15:34:18.942 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - Now checking against secondary pap ISE02
15:34:18.942 [main] INFO  cohttp://m.cisco.epm.util.NodeCheckHelper -  inside getHostConfigRemoteServer
15:34:18.943 [main] WARN  cohttp://m.cisco.epm.util.NodeCheckHelper - Unable to retrieve the host config from standby pap java.lang.NullPointerException
15:34:18.943 [main] WARN  cohttp://m.cisco.epm.util.NodeCheckHelper - returning null from getHostConfigRemoteServer
15:34:18.943 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - remotePrimaryConfig.getNodeRoleStatus() NULL
15:34:18.943 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - remoteClusterInfo.getDeploymentName NULL
15:34:18.943 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - Ended checkAndDemoteIfNotPrimary
15:34:18.943 [main] INFO  cohttp://m.cisco.epm.db.DatabaseConnectionFactory - Factory contains this poolName Default Domain
15:34:18.955 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - In loadInMemoryData method
15:34:19.001 [main] INFO  cohttp://m.cisco.epm.pdp.PDPFacade - All Queries are loaded..
15:34:19.009 [main] WARN  cohttp://m.cisco.epm.pdp.PDPFacade - In PDPFacade=[false],transportType=[null]
15:34:19.010 [main] INFO  cohttp://m.cisco.epm.pdp.PDPFacade - Replication type=[null]
Time taken for NSFAdminServiceFactory to load5203
15:34:19.576 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Loaded Global users,groups,roles done
15:34:19.895 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Loaded Application group users,groups,roles,contexts[PAP Application Group] Done
15:34:20.298 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Loaded Application  users,groups,roles,contexts[PAP Application Group:PAP Application] Done
15:34:20.426 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Loaded Application group users,groups,roles,contexts[Prime group] Done
15:34:20.560 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Loaded Application  users,groups,roles,contexts[Prime group:Prime portal] Done
15:34:20.682 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Loaded Application group users,groups,roles,contexts[NAC Group] Done
15:34:21.517 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Loaded Application  users,groups,roles,contexts[NAC Group:NAC] Done
15:34:21.518 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Creating resources and assosiated policyies  intiated...
15:34:35.547 [main] ERROR cohttp://m.cisco.epm.edf2.internal.SessionConfig - Class not a DefaultEDFSession cohttp://m.cisco.cpm.edf2.sga.SgaEDFManager
15:34:36.072 [main] INFO  cohttp://m.cisco.epm.ssl.SSLManagerFactory - SSLManagerFactory initialized in Non-FIPS mode
15:34:36.072 [main] INFO  cohttp://m.cisco.epm.ssl.SSLManagerFactory - SSLManagerFactory initialized with TLSv1 and with SHA1.
15:34:36.072 [main] INFO  cohttp://m.cisco.epm.ssl.SSLManagerFactory - SSLManagerFactory initialized with TLSv1 and without SHA1.
15:34:36.073 [main] INFO  cohttp://m.cisco.epm.ssl.SSLManagerFactory - SSLManagerFactory initialized without TLSv1 and with SHA1.
15:34:36.073 [main] INFO  cohttp://m.cisco.epm.ssl.SSLManagerFactory - SSLManagerFactory initialized without TLSv1 and without SHA1.
15:34:36.620 [main] INFO  cohttp://m.cisco.epm.util.NodeCheckHelper - this is the host config returned ISE02
15:34:36.620 [main] INFO  cohttp://m.cisco.epm.util.NodeCheckHelper - this is the Cluster Info returned 94d90c20-d161-11ef-8dfa-024597b71001
15:34:36.628 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - remotePrimaryConfig.getNodeRoleStatus() SECONDARY
15:34:36.628 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - remoteClusterInfo.getDeploymentName ISEDeployment-i3RiE
15:34:36.629 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - Ended checkAndDemoteIfNotPrimary
15:34:36.635 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - Policy Administration Point started successfully
15:34:36.635 [main] INFO  cohttp://m.cisco.epm.pap.PAPFacade - PAPFacade Initialization Complete
15:34:36.640 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - Inside confirmAndDemoteIfNotPrimary
15:34:36.642 [main] INFO  cohttp://m.cisco.epm.pap.api.services.persistance.dao.DistributionDAO - In DAO getRepository method for HostConfig Type: PAP
15:34:36.665 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - Now checking against secondary pap ISE02
15:34:36.665 [main] INFO  cohttp://m.cisco.epm.util.NodeCheckHelper -  inside getHostConfigRemoteServer
15:34:36.929 [main] INFO  cohttp://m.cisco.epm.util.NodeCheckHelper - this is the host config returned ISE02
15:34:36.930 [main] INFO  cohttp://m.cisco.epm.util.NodeCheckHelper - this is the Cluster Info returned 94d90c20-d161-11ef-8dfa-024597b71001
15:34:36.930 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - remotePrimaryConfig.getNodeRoleStatus() SECONDARY
15:34:36.931 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - remoteClusterInfo.getDeploymentName ISEDeployment-i3RiE
15:34:36.931 [main] INFO  cohttp://m.cisco.epm.util.NodeCheck - Ended checkAndDemoteIfNotPrimary
15:34:43.714 [main] ERROR cohttp://m.cisco.cpm.prrt.impl.PrRTNotificationHandler - Cannot parse environment variable TRUSTSEC_CONFIG_DELAY/TRUSTSEC_CONFIG_DELAY_SINGLE.Probably not an application server.
15:34:43.715 [main] INFO  cohttp://m.cisco.cpm.prrt.impl.PrRTNotificationHandler - Timer for trustsec changes will not be scheduled, since window period is 0.
15:34:43.757 [main] INFO  cohttp://m.cisco.cpm.trustsec.notification.TrustsecNotificationHandler - Registering TrustsecNotification handler for HostConfig notifications
15:34:43.758 [main] INFO  cohttp://m.cisco.cpm.trustsec.notification.TrustsecNotificationHandler - Registered TrustsecNotification handler...
15:34:43.758 [main] INFO  cohttp://m.cisco.cpm.trustsec.notification.TrustsecNotificationHandler - Inside isStandaloneNode
15:34:43.761 [main] INFO  cohttp://m.cisco.cpm.trustsec.notification.TrustsecNotificationHandler - localHostConfig name ISE01 nodeRoleStatus PRIMARY
15:34:43.798 [main] INFO  cohttp://m.cisco.cpm.es.api.EPLoginConfigInitializer - ESCredentialHandler Intializer Invoked
15:34:43.850 [main] INFO  cohttp://m.cisco.cpm.es.api.EPLoginConfigInitializer - End : EndpointLoginConfig init
15:34:43.924 [main] INFO  cohttp://m.cisco.cpm.posture.runtime.visibility.PostureEdfNotificationHandler - Posture: Registering EDF event for endpoint
15:34:43.926 [main] INFO  cohttp://m.cisco.cpm.posture.runtime.visibility.PostureEdfNotificationHandler - Posture: isSelfStandaloneOrPanNode: true
15:34:43.920 [PxGrid-RefreshLoop] INFO  cohttp://m.cisco.cpm.pxgrid.cert.ConfigChangeHandler - pxGrid config handler start
15:34:44.003 [main] INFO  cohttp://m.cisco.cpm.posture.runtime.visibility.PostureEdfNotificationHandler - Posture: Ignored Since PostureEdfNotificationHandler already registered
15:34:44.003 [main] INFO  cohttp://m.cisco.cpm.posture.runtime.visibility.PostureEdfNotificationHandler - Posture: Registered EDF event for endpoint
15:34:44.013 [main] INFO  cohttp://m.cisco.cpm.posture.runtime.visibility.VisibilityHandler - Posture VisibilityHandler localhost fqdn is ISE01.test.local, isSelfStandaloneOrPanNode: true
Old Memory Size : 16204356
15:34:44.275 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - inside mapVmToProfile function cloud check valuesfalsefalsefalse
15:34:44.278 [main] WARN  cohttp://m.cisco.profiler.api.event.ProbeEventHandler - Failed to get queue size limit from platform limits null
15:34:45.224 [main] INFO  cohttp://m.cisco.cpm.infrastructure.confd.RESTConfHandler - CallStatus value for get method : 200
Export in progress...Old Memory Size : 16204356
15:34:48.251 [main] INFO  cohttp://m.cisco.cpm.infrastructure.platform.impl.PlatformProfileServiceImpl - inside mapVmToProfile function cloud check valuesfalsefalsefalse
15:34:48.255 [main] INFO  com.cisco.profiler.persistence.LocalDb - Read  profiler.redis.maxactive from platform properties: null
15:34:48.255 [main] INFO  com.cisco.profiler.persistence.LocalDb - Value of max active redis connections: 35
15:34:48.329 [main] ERROR com.cisco.profiler.persistence.LocalDb - Failed to populate profiler partitions:null
java.lang.NullPointerException
        at cohttp://m.cisco.profiler.api.Util.isLSDEnabled(Util.java:4784)
        at com.cisco.profiler.persistence.JedisEpAsHashHandler.<init>(JedisEpAsHashHandler.java:139)
        at com.cisco.profiler.persistence.LocalDb.<clinit>(LocalDb.java:136)
        at cohttp://m.cisco.cpm.infrastructure.certmgmt.api.EpCertJedisHandler.<init>(EpCertJedisHandler.java:58)
        at cohttp://m.cisco.cpm.infrastructure.certmgmt.api.CertMgmtService.<clinit>(CertMgmtService.java:118)
        at cohttp://m.cisco.cpm.infrastructure.systemconfig.ImportCAStoreFromRepository.isCertInTrustStore(ImportCAStoreFromRepository.java:583)
        at cohttp://m.cisco.cpm.infrastructure.systemconfig.ExportCAStoreToRepository.exportCAStoreToRepo(ExportCAStoreToRepository.java:112)
        at cohttp://m.cisco.cpm.infrastructure.systemconfig.ExportCAStoreToRepository.main(ExportCAStoreToRepository.java:70)

15:34:48.330 [main] INFO  com.cisco.profiler.persistence.LocalDb - Local db registration EndpointCert, index 0
15:34:48.331 [main] INFO  com.cisco.profiler.persistence.LocalDb - About to persist the partitions to /opt/CSCOcpm/appsrv/apache-tomcat/config/redisPartitions.properties
15:34:48.332 [main] INFO  com.cisco.profiler.persistence.LocalDb - Updated properties : /opt/CSCOcpm/appsrv/apache-tomcat/config/redisPartitions.properties

15:34:50.825 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Creatiion of resources and assosiated policyies  done
15:34:52.588 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.db.oracle.PolicyCacheDAO - Size  of LogicalMap 103
15:34:52.589 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Time taken to load the blob data for dictinary bucket [246]
15:34:52.589 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Number of Users loaded into Memory[18]
15:34:52.590 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Number of Groupss loaded into Memory[344]
15:34:52.590 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Number of Roles loaded into Memory[56]
15:34:52.590 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Number of Resourcess loaded into Memory[11777]
15:34:52.590 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Number of Context's   :  [1]
15:34:52.590 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Total memory utilized[291]M.B
15:34:52.590 [DataLoaderInitializer-0] INFO  cohttp://m.cisco.epm.pdp.cache.DataLoader - Time taken to load below entities into memory[33659]m.s

15:34:54.270 [main] INFO  cohttp://m.cisco.cpm.infrastructure.confd.repository.impl.RepositoryServiceImpl - copyOut json {
  "sourceFile" : "/opt/ca_export/ise_ca_key_pairs_of_ISE01",
  "RepoName" : "FTP"
}
15:34:54.500 [main] INFO  cohttp://m.cisco.cpm.infrastructure.confd.RESTConfHandler - The Value of CallStatus for post method : 200
The following 5 CA key pairs were exported to repository 'FTP' at 'ise_ca_key_pairs_of_ISE01':
        Subject:CN=Certificate Services Root CA - ISE01
        Issuer:CN=Certificate Services Root CA - ISE01
        Serial#:0x413c9d5d-c09747fb-9c348f1d-7fd4cf7f

        Subject:CN=Certificate Services Node CA - ISE01
        Issuer:CN=Certificate Services Root CA - ISE01
        Serial#:0x5841ef07-45b14321-809f1f89-84880a6a

        Subject:CN=Certificate Services Endpoint Sub CA - ISE01
        Issuer:CN=Certificate Services Node CA - ISE01
        Serial#:0x182e0062-bca04359-808d8ced-5a4fbab8

        Subject:CN=Certificate Services Endpoint RA - ISE01
        Issuer:CN=Certificate Services Endpoint Sub CA - ISE01
        Serial#:0x4351ef77-1d74489e-aa438fe2-846bcfb8

        Subject:CN=Certificate Services OCSP Responder - ISE01
        Issuer:CN=Certificate Services Endpoint Sub CA - ISE01
        Serial#:0x15e01788-34114c7f-aff55275-a1cc761d

ISE CA keys export completed successfully

이렇게 인증서 백업이 완료 되었습니다.

FTP 서버에 폴더에서 확인 합니다.

CLI에서 [8]Import Internal CA Store 눌러서 복구도 가능 합니다.

이부분은 생략 하갰습니다.

지금까지 [2025][CISCO ISE#32] - Export/Import Certificate에 대해서 알아보았습니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#34] - Admin Access - Authentication Menu (0)	2025.01.14
[2025][CISCO ISE#33] - Upgrade Version (0)	2025.01.13
[2025][CISCO ISE#31] - restore (0)	2025.01.13
[2025][CISCO ISE#30] - schedule backup (0)	2025.01.13
[2025][CISCO ISE#29] - operation backup (0)	2025.01.13

안녕하세요.

오늘은 cisco ise configuration restore에 대해서 알아보겠습니다.

1. 아래처럼 접속 합니다.

Administration -> System -> Backup & Restore

FTP Repository를 선택하고 Configuration 메뉴를 선택합니다.

2. administration -> Identity management -> Users

백업을 실행하기 전에 Local User 하나를 생성합니다.

username: KDDITEST

그리고 맨 아래에 Submit버튼을 클릭 합니다.

그리고 복구 버튼을 클릭 합니다.

아래처럼 패스워드를 입력하고 Restore버튼을 클릭 합니다.

** Restore ADE-OS **

ADE-OS stands for Application Deployment Engine Operating System. This is the operating system on which ISE runs, which is based on Red Hat Enterprise Linux (RHEL). When restoring ADE-OS you would be restoring OS level configuration. This would include all of the operating system configuration data that is configured when setting up the ISE node. Things like hostname, IP addresses, NTP, enabling SSH, default gateway, and name servers.

Restoring the ADE-OS configuration would be used if you want an exact duplicate of the ISE server the backup was taken from. However, this can cause issues if these servers exist on the same network at the same time for obvious reasons. If you want to stand up a new ISE server with the same configuration but with a different IP and hostname, it is not recommended to restore the ADE-OS configuration.

자동으로 로그아웃되고 GUI에서 더 이상 복구 진행 상황을 확인이 불가능 합니다.

Putty로 cisco ise에 접속 합니다.

ISE01/admin#show restore status
%% Configuration restore status
%% ----------------------------
%      backup name: 20250113-BACKUP-CFG10-250113-1242.tar.gpg
%       repository: FTP
%       start date: Mon Jan 13 13:22:01 SGT 2025
%        scheduled: no
%   triggered from: Admin web UI
%             host: ISE01.test.local
%           status: Restore is in progress...
%       progress %: 30
% progress message: Extracting backup data

%% Operation restore status
%% ------------------------
%  No data found. Try 'show restore history' or ISE operation audit report
ISE01/admin#

위와 같이 CLI에서 확인 가능 합니다. 100%까지 기다립니다.

100% 완료 되면 아래처럼 표시 됩니다.

ISE01/admin#show restore status
%% Configuration restore status
%% ----------------------------
%      backup name: 20250113-BACKUP-CFG10-250113-1242.tar.gpg
%       repository: FTP
%       start date: Mon Jan 13 13:22:01 SGT 2025
%        scheduled: no
%   triggered from: Admin web UI
%             host: ISE01.test.local
%           status: restore 20250113-BACKUP-CFG10-250113-1242.tar.gpg from repository FTP: success

%% Operation restore status
%% ------------------------
%  No data found. Try 'show restore history' or ISE operation audit report
ISE01/admin#
ISE01/admin#

ISE01/admin#show restore history
Mon Jan 13 14:24:40 +08 2025: restore 20250113-BACKUP-CFG10-250113-1242.tar.gpg from repository FTP: success
ISE01/admin#

복구가 완료 되었습니다.

cisco ISE GUI접속해서 복구 하기전에 생성 했던 User가 사라졌는지 확인 합니다.

지금까지 [2025][CISCO ISE#31] - configuration restore 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#33] - Upgrade Version (0)	2025.01.13
[2025][CISCO ISE#32] - Export/Import Certificate (0)	2025.01.13
[2025][CISCO ISE#30] - schedule backup (0)	2025.01.13
[2025][CISCO ISE#29] - operation backup (0)	2025.01.13
[2025][CISCO ISE#28] - configuration backup (0)	2025.01.12

안녕하세요.

오늘은 cisco ise schedule backup에 대해서 알아보겠습니다.

1. 아래 경로에 접속 합니다.

Administrator -> system -> backup& Restore

아래처럼 configuration backup schedule 또는 operation backup schedule를 선택 할 수 있습니다.

2. 아래처럼 입력 합니다. 그리고 Save버튼을 클릭 합니다.

위에 처럼 입력하면 Save버튼을 클릭 했을때 Error메시지가 출력 됩니다.

Start Date는 무조건 현재 날짜보다 미래여야 합니다.

Operation date Backup도 위와 처럼 설정 가능 합니다.

지금까지 [2025][CISCO ISE#30] - schedule backup 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#32] - Export/Import Certificate (0)	2025.01.13
[2025][CISCO ISE#31] - restore (0)	2025.01.13
[2025][CISCO ISE#29] - operation backup (0)	2025.01.13
[2025][CISCO ISE#28] - configuration backup (0)	2025.01.12
[2025][CISCO ISE#27] - Backup and Restore (0)	2025.01.12

안녕하세요.

오늘은 cisco ise operation backup에 대해서 알아보겠습니다.

configuration backup - 설정관련 백업

operation backup - Data log 그리고 troubleshoot 관련 log를 백업 합니다.

1.cisco ise를 접속 합니다.

administration -> system -> Backup & Restore

2. 아래처럼 입력 합니다. 그리고 Backup버튼을 클릭 합니다.

Backup이 완료 될때까지 기다립니다.

cisco ISE CLI에서도 확인 가능 합니다.

operation backup status부분을 확인 합니다.

ISE01/admin#show backup status
%% Configuration backup status
%% ----------------------------
%      backup name: 20250113-BACKUP
%       repository: FTP
%       start date: Mon Jan 13 12:42:30 SGT 2025
%        scheduled: no
%   triggered from: Admin web UI
%             host: ISE01.test.local
%           status: backup 20250113-BACKUP-CFG10-250113-1242.tar.gpg to repository FTP: success

%% Operation backup status
%% ------------------------
%      backup name: 20250113-Operational-Backup
%       repository: FTP
%       start date: Mon Jan 13 13:02:08 SGT 2025
%        scheduled: no
%   triggered from: Admin web UI
%             host: ISE01.test.local
%           status: Backup is in progress...
%       progress %: 20
% progress message: starting dbbackup using expdp....
ISE01/admin#

완료 되면 아래처럼 표시 됩니다

ISE01/admin#show backup status
%% Configuration backup status
%% ----------------------------
%      backup name: 20250113-BACKUP
%       repository: FTP
%       start date: Mon Jan 13 12:42:30 SGT 2025
%        scheduled: no
%   triggered from: Admin web UI
%             host: ISE01.test.local
%           status: backup 20250113-BACKUP-CFG10-250113-1242.tar.gpg to repository FTP: success

%% Operation backup status
%% ------------------------
%      backup name: 20250113-Operational-Backup
%       repository: FTP
%       start date: Mon Jan 13 13:02:08 SGT 2025
%        scheduled: no
%   triggered from: Admin web UI
%             host: ISE01.test.local
%           status: backup 20250113-Operational-Backup-OPS10-250113-1302.tar.gpg to repository FTP: success
ISE01/admin#

GUI에서 확인 합니다.

FTP파일서버에서 아래처럼 확인 가능 합니다.

지금까지 [2025][CISCO ISE#29] - operation backup 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#31] - restore (0)	2025.01.13
[2025][CISCO ISE#30] - schedule backup (0)	2025.01.13
[2025][CISCO ISE#28] - configuration backup (0)	2025.01.12
[2025][CISCO ISE#27] - Backup and Restore (0)	2025.01.12
[2025][CISCO ISE#26] - Patch Update (0)	2025.01.07

안녕하세요.

오늘은 cisco ise configuration backup과 restore를 실습해보겠습니다.

configuration backup는 설정값에 대해서 백업 합니다.

operation backup - log랑 troubleshooting data를 백업 합니다.

1. cisco ise 접속 후 administration > system > backup and Restore를 클릭 합니다.

2. 아래처럼 입력 합니다.

Repository에서 FTP를 선택 합니다.

설정 방법은 이전글을 확인 합니다.

https://itblog-kr.tistory.com/152

[2025][CISCO ISE#25] - Repository

안녕하세요. 오늘은 cisco ise Repository에 대해서 알아보겠습니다. 1. ISE Repository는 GUI또는 CLI에서 설정 가능 합니다.2. Repository는 Backup또는 REstore 할때 사용 됩니다. 3. 또는 cisco ISE upgrade 또는 Patch

itblog-kr.tistory.com

Windows FTP구축 방법

https://itblog-kr.tistory.com/139

[2025][CISCO ISE#13] - File Server

안녕하세요. cisco ISE에 설정값등을 백업하고 복구 하기 위해서 windows server에 file 서버를 구축해 보겠습니다. 1. Add Roles and Features를 선택 합니다. 2. Next버튼을 클릭 합니다. 3. Next버튼을 클

itblog-kr.tistory.com

패스워드는 복구 할때 사용 합니다. 꼭 password를 기억하고 있어야 합니다.

Password를 모르면 복구가 불가능 합니다.

백업이 완료 될때까지 기다립니다.

Putty에서 cisco ise접속 합니다.

CLI에서도 아래처럼 확인 가능 합니다.

ISE01/admin#show backup status
%% Configuration backup status
%% ----------------------------
%      backup name: 20250113-BACKUP
%       repository: FTP
%       start date: Mon Jan 13 12:42:30 SGT 2025
%        scheduled: no
%   triggered from: Admin web UI
%             host: ISE01.test.local
%           status: Backup is in progress...
%       progress %: 20 --------- 현재 몇% 완료중인지 표시 됩니다.
% progress message: Backing up ISE Configuration Data

%% Operation backup status
%% ------------------------
%  No data found. Try 'show backup history' or ISE operation audit report
ISE01/admin#

완료 되면 아래처럼 표시 됩니다.
ISE01/admin#show backup status
%% Configuration backup status
%% ----------------------------
%      backup name: 20250113-BACKUP
%       repository: FTP
%       start date: Mon Jan 13 12:42:30 SGT 2025
%        scheduled: no
%   triggered from: Admin web UI
%             host: ISE01.test.local
%           status: backup 20250113-BACKUP-CFG10-250113-1242.tar.gpg to repository FTP: success

%% Operation backup status
%% ------------------------
%  No data found. Try 'show backup history' or ISE operation audit report
ISE01/admin#

Backup History도 확인 가능 합니다.

ISE01/admin#show backup history
Mon Jan 13 12:52:40 +08 2025: backup 20250113-BACKUP-CFG10-250113-1242.tar.gpg to repository FTP: success
ISE01/admin#

GUI에서 확인한 결과 입니다.

실제 FTP서버에서 폴더를 확인해 보면 아래처럼 백업 파일이 생성 되었습니다.

지금까지 [2025][CISCO ISE#28] - configuration backup 글을 읽어주셔서 감사합니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#30] - schedule backup (0)	2025.01.13
[2025][CISCO ISE#29] - operation backup (0)	2025.01.13
[2025][CISCO ISE#27] - Backup and Restore (0)	2025.01.12
[2025][CISCO ISE#26] - Patch Update (0)	2025.01.07
[2025][CISCO ISE#25] - Repository (0)	2025.01.07

안녕하세요.

오늘은 cisco ise backup and Restore에 대해서 알아보겠습니다.

1. Standard-alone ISE node에서 Backup 및 Restore 가능

2. If ISE is HA mode, only Primary node만 Backup 및 Restore 가능

3. Backup/Resotre은 CLI또는 GUI에서도 가능

4. Backup/Resotre은 Repository가 필요 합니다.

5. Schedule Backup 가능 - Daily, weekly or monthly

6. 만약에 Internal CA를 사용하면, CLI에서 Certificates과 Key등을 export해야 합니다.

7. ISE GUL에서 Baclup하면 CA (Certificate Authority)는 백업이 되지 않음

8. 복구 절차는 cisco ise deploment type에 따라 다를수 있음

9. Monitoring Backup은 백업 가능

10. 복구하면 cisco ISE는 자동으로 재시작 됩니다.

11. 2가지 백업 TYPE - Configuration backup, Operational Backup

*** Configuration Backup *** -- configuration data only. - backup related in configuration

*** Operational Backup ** - Monitoring and trhoubleshooting data. - backup related in log data and troubleshooting information

Administration - System - Backup & Restore

지금까지 [2025][CISCO ISE#27] - Backup and Restore 글을 읽어주셔서 감사합니다.

다음 글에서는 Configuration backup & Resotre를 실습해 보겠습니다.

저작자표시

'CISCO > CISCO ISE' 카테고리의 다른 글

[2025][CISCO ISE#29] - operation backup (0)	2025.01.13
[2025][CISCO ISE#28] - configuration backup (0)	2025.01.12
[2025][CISCO ISE#26] - Patch Update (0)	2025.01.07
[2025][CISCO ISE#25] - Repository (0)	2025.01.07
[2025][CISCO ISE#24] - High Availability (0)	2025.01.07

CISCO

'CISCO > 라우팅' 카테고리의 다른 글

'CISCO > 무선' 카테고리의 다른 글

'CISCO > 무선' 카테고리의 다른 글

'CISCO > 무선' 카테고리의 다른 글

'CISCO > 무선' 카테고리의 다른 글

'CISCO > 무선' 카테고리의 다른 글

'CISCO > 라우팅' 카테고리의 다른 글

SUMMARY STEPS

'CISCO > 라우팅' 카테고리의 다른 글

Smart Licensing Requirements by Release

'CISCO > 스위칭' 카테고리의 다른 글

'CISCO > FTD 방화벽' 카테고리의 다른 글

'CISCO > ASA 방화벽' 카테고리의 다른 글

'CISCO > ASA 방화벽' 카테고리의 다른 글

'CISCO > ASA 방화벽' 카테고리의 다른 글

'CISCO > ASA 방화벽' 카테고리의 다른 글

'CISCO > ASA 방화벽' 카테고리의 다른 글

'CISCO > ASA 방화벽' 카테고리의 다른 글

'CISCO > Cisco DUO' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

'CISCO > CISCO ISE' 카테고리의 다른 글

티스토리툴바