Who needs Quagga? The Cisco Linux Router

Standard

I make several posts talking about how you can use Linux shells on your Cisco device. But what about opposite? In this post we’ll have a look at the Embedded Service Router which is running a full Cisco router application on a Linux host. This is mostly meant for IoT solutions but it is also a great lab solution if you can get your hands on it.

There are no prerequisites for the  ESR though if your running a 64 bit of Linux (and you should be!) you will need to install 32bit libraries since its a 32 bit app.

First we need to create a /opt/cisco folder

[root@rhel01 ~]# mkdir /opt/cisco

Then we need to upload the file to that folder and then extract the TAR

[root@rhel01 ~]# cd /opt/cisco/
[root@rhel01 cisco]# ls
c5921i86-universalk9-tar.SPA.157-3.M
[root@rhel01 cisco]# tar -xvf c5921i86-universalk9-tar.SPA.157-3.M
c5921i86-universalk9-ms.157-3.M/FAQ_C5921.txt
c5921i86-universalk9-ms.157-3.M/README_C5921.txt
c5921i86-universalk9-ms.157-3.M/RELEASE_NOTES_C5921.txt
c5921i86-universalk9-ms.157-3.M/SWROPTIONS.example.txt
c5921i86-universalk9-ms.157-3.M/c5921-swr-init.sh
c5921i86-universalk9-ms.157-3.M/c5921i86-universalk9-ms.SPA
c5921i86-universalk9-ms.157-3.M/c5921i86-universalk9-ms.md5
c5921i86-universalk9-ms.157-3.M/libdyncs.so
c5921i86-universalk9-ms.157-3.M/swr-application.1
c5921i86-universalk9-ms.157-3.M/swr_reload
c5921i86-universalk9-ms.157-3.M/swr_reload.1
c5921i86-universalk9-ms.157-3.M/swroptions.1
c5921i86-universalk9-ms.157-3.M/swrvcon
c5921i86-universalk9-ms.157-3.M/swrvcon.1

Once that is done we need to rename the folder to be c5921, yes I could have done it with the TAR command but here we are.

[root@rhel01 cisco]# mv c5921i86-universalk9-ms.157-3.M/ c5921/

When we get into the SWROPTIONS we need to map the interfaces between Linux and Cisco, lets have a look at ifconfig to see what is on my RHEL8 box.

[root@rhel01 c5921]# ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.20.2.80 netmask 255.255.255.0 broadcast 10.20.2.255
inet6 fe80::6196:43cc:3955:715c prefixlen 64 scopeid 0x20<link>
inet6 2001:cc1e:9989:0:286b:7faf:b0f2:87ab prefixlen 64 scopeid 0x0<global>
inet6 2001:cc1e:9988:0:fc24:75e7:e6c1:aa66 prefixlen 64 scopeid 0x0<global>
inet6 2001:1234:bbaa:0:a6c9:ac04:2ba4:9d5b prefixlen 64 scopeid 0x0<global>
ether 00:50:56:8a:46:3b txqueuelen 1000 (Ethernet)
RX packets 18772387 bytes 4560184387 (4.2 GiB)
RX errors 0 dropped 103001 overruns 0 frame 0
TX packets 5685854 bytes 597519104 (569.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens193: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:50:56:8a:6d:e8 txqueuelen 1000 (Ethernet)
RX packets 81112 bytes 45212072 (43.1 MiB)
RX errors 0 dropped 27 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:50:56:8a:14:83 txqueuelen 1000 (Ethernet)
RX packets 120891 bytes 7254330 (6.9 MiB)
RX errors 0 dropped 947 overruns 0 frame 0
TX packets 10 bytes 1470 (1.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens256: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:50:56:8a:98:0f txqueuelen 1000 (Ethernet)
RX packets 148571 bytes 49934321 (47.6 MiB)
RX errors 0 dropped 28 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Next we can rename SWROPTIONS.example.txt to SWROPTIONS and then edit the file so the interfaces match what we see in ifconfig

#Use launchapp=c5921i86-universalk9_npe-ms.SSA for NPE image

soft-rommon=./
launchapp=c5921i86-universalk9-ms.SPA
ram=512
ethernet-slots=2
node-lock-type=machine

#This variable has to be set to true for kernel versions that has the patch(RHEL bug 1135347) and 
#to false for kernel versions that does not have the patch. 
#Not required for Centos Linux distributions except kernel version 2.6.36. 
#Mandatory for all other Liinux distributions
#For example for kernel 2.6.32-504.23.4 set flag as below

linux-vlan-stripped-from-pak=true


### FILE MAPPING SECTION ###

[filemap]
ios=flash0
linux=/opt/cisco/c5921/
access=rw


### INTERFACE MAPPING SECTION ###

# Map Linux eth0 to IOS e0/0, type raw
# Set promiscuous true
# Make speed/duplex interface configs available for e0/0 in IOS.
# Monitor and Pull Linux interface changes like speed/duplex/MTU/MAC 
# of eth0 to IOS e0/0.
# Push changes like speed/duplex/MAC of IOS e0/0 to Linux eth0.

[interface]
linux=ens192
ios=e0/0
type=raw
promiscuous=true
monitor-state=true
push-mon-int=true

# Map Linux eth1 to IOS e0/1, type raw
# Set promiscuous true
# Make speed/duplex interface configs NOT available for e0/1 in IOS 
# Monitor and Pull Linux interface changes like speed/duplex/MTU/MAC 
# of eth1 to IOS e0/1.
# Push MAC changes of IOS e0/1 to Linux eth1.
# Speed/Duplex of e0/1 could not be changed by IOS and hence not 
# pushed to Linux eth1.

[interface]
linux=ens193
ios=e0/1
type=raw
promiscuous=true
monitor-state=true
push-mon-int=false

# Map Linux eth2 to IOS e0/2, type raw
# Set promiscuous true
# Make speed/duplex interface configs available for e0/2 in IOS 
# DO NOT Monitor/Pull Linux interface changes like speed/duplex/MTU/MAC 
# of eth2 to IOS e0/2.
# DO NOT Push IOS e0/2 changes to Linux eth2.

[interface]
linux=ens224
ios=e0/2
type=raw
promiscuous=true
monitor-state=false
push-mon-int=true

[interface]
linux=ens256
ios=e0/3
type=raw
promiscuous=true
monitor-state=false
push-mon-int=true

[interface]
linux=tap0
ios=e1/0
type=tap
monitor-state=true

Once that is done we can start it up with c5921-swr-init.sh script

[root@rhel01 c5921]# ./c5921-swr-init.sh start
starting ./swr_reload...\n

[root@rhel01 c5921]# Loading Image:./c5921i86-universalk9-ms.SPA
./c5921i86-universalk9-ms.SPA running SWR the background, pid=23691, SWR=23692
Child process will exec swr image now....

Then we can access the virtual console with swrvcon and a number for the console session, I tend to use 100

[root@rhel01 c5921]# ./swrvcon 100

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, C5921 Software (C5921_I86-UNIVERSALK9-M), Version 15.7(3)M, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Thu 27-Jul-17 01:38 by prod_rel_team


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco C5921 (Intel-x86) processor with 370083K bytes of memory.
Processor board ID 100
8 Ethernet interfaces
512K bytes of NVRAM.

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!

Router>

From this point this is a regular IOS router that we can setup.

Router(config)#hostname ESR01
ESR01(config)#ip domain-name testlab.com
ESR01(config)#line con 0
ESR01(config-line)#logg synch
ESR01(config-line)#line vty 0 15
ESR01(config-line)#logg synch 
ESR01(config-line)#transport input ssh 
ESR01(config-line)#exit
ESR01(config)#username admin sec meowcatPass
ESR01(config)#aaa new
ESR01(config)#aaa authentication login default local
ESR01(config)#enable sec meowcatPass

We can give interfaces IPs, these are different from the IPs on the Linux interfaces.

ESR01(config)#int e0/0
ESR01(config-if)#ip add 10.20.2.141 255.255.255.0
ESR01(config-if)#no shut
ESR01(config-if)#exit
ESR01(config)#ip route 0.0.0.0 0.0.0.0 10.20.2.1

We can go ahead and setup some routing, everything in IOS is supported.

ESR01(config)#router ospf 1
ESR01(config-router)#network 0.0.0.0 0.0.0.0 area 0
*Sep 8 20:33:45.424: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.254.1 on Ethernet0/0 from LOADING to FULL, Loading Done
*Sep 8 20:33:45.424: %OSPF-5-ADJCHG: Process 1, Nbr 10.20.2.142 on Ethernet0/0 from LOADING to FULL, Loading Done

A great thing for Collab people is that unlike IOL, the ESR fully supports all phone features, we can do everything from CUCME to call routing to even SAF.

ESR01(config)#telephony-service 
ESR01(config-telephony)#max-dn 5
ESR01(config-telephony)#max-ephones 5
ESR01(config-telephony)#ip source-address 10.20.2.141
ESR01(config-telephony)#create cnf-file

*Sep 8 20:35:17.319: %EDSP-6-VEC_CHANGE: EDSP0's LES switching vector set to CEF switching
*Sep 8 20:35:17.320: %EDSP-6-VEC_CHANGE: EDSP0's LES switching vector set to CEF switching
*Sep 8 20:35:17.321: %EDSP-6-IPV6_ENABLED: IPv6 on interface EDSP0 added.
*Sep 8 20:35:17.330: %EDSP-6-IPV6_ENABLED: IPv6 on interface EDSP0.1 added.
*Sep 8 20:35:17.331: %EDSP-6-IPV6_ENABLED: IPv6 on interface EDSP0.2 added.
*Sep 8 20:35:17.331: %EDSP-6-IPV6_ENABLED: IPv6 on interface EDSP0.3 added.
*Sep 8 20:35:17.332: %EDSP-6-IPV6_ENABLED: IPv6 on interface EDSP0.4 added.
*Sep 8 20:35:17.332: %EDSP-6-IPV6_ENABLED: IPv6 on interface EDSP0.5 added.
*Sep 8 20:35:18.319: %LINEPROTO-5-UPDOWN: Line protocol on Interface EDSP0, changed state to up

The last thing we need to do is pick a license, otherwise it will stay at 8kbs.

ESR01(config)#license platform throughput level ?
c5921-x86-level0 5 Mbps throughput rate
c5921-x86-level1 10 Mbps throughput rate
c5921-x86-level2 25 Mbps throughput rate
c5921-x86-level3 50 Mbps throughput rate
c5921-x86-level4 100 Mbps throughput rate
c5921-x86-level5 200 Mbps throughput rate
c5921-x86-level6 500 Mbps throughput rate

ESR01(config)#license platform throughput level c5921-x86-level4
ESR01(config)#
*Sep 8 20:39:25.235: %SMART_LIC-5-EVAL_START: Entering evaluation period
ESR01(config)#
*Sep 8 20:39:25.235: %LICENSE_C5920-6-LICENSE_ACTIVATED: Installed license for feature c5921-x86-level4 now in use. Forwarding bandwidth limited to 100 Mbps

Right now we have a working Cisco router on linux! But you may be wondering how the Linux OS can route things through the router. We can use tap interfaces to get working.

If you recall the SWROPTIONS file we made, there was a tap interface defined for the e1/0 interface.

[interface]
linux=tap0
ios=e1/0
type=tap
monitor-state=true

So all we need to do is configure that interface on the ESR and then the tap interface on my RHEL8 box.  If we want more taps we can just change the type in the SWROPTIONS file to tap and add a new tap interface.

[root@rhel01 c5921]# ifconfig tap0 up
[root@rhel01 c5921]# ifconfig tap0 10.255.11.1/24

ESR01(config)#int e1/0
ESR01(config-if)#ip add 10.255.11.254 255.255.255.0
ESR01(config-if)#no shut

At this point we can now ping the ESR through the tap interface!

[root@rhel01 c5921]# ping 10.255.11.254 -c 5
PING 10.255.11.254 (10.255.11.254) 56(84) bytes of data.
64 bytes from 10.255.11.254: icmp_seq=1 ttl=255 time=0.745 ms
64 bytes from 10.255.11.254: icmp_seq=2 ttl=255 time=0.641 ms
64 bytes from 10.255.11.254: icmp_seq=3 ttl=255 time=0.724 ms
64 bytes from 10.255.11.254: icmp_seq=4 ttl=255 time=0.729 ms
64 bytes from 10.255.11.254: icmp_seq=5 ttl=255 time=0.572 ms

--- 10.255.11.254 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 95ms
rtt min/avg/max/mdev = 0.572/0.682/0.745/0.067 ms

Now we just need to add a static route that points to the ESR through the Tap interface, or we can get fancy and install FRR to do full routing with the ESR.  I’ll go with the static route this time.

[root@rhel01 ~]# ip route add 192.168.0.0/16 via 10.255.11.254
[root@rhel01 ~]# ping 192.168.255.111
PING 192.168.255.111 (192.168.255.111) 56(84) bytes of data.
64 bytes from 192.168.255.111: icmp_seq=1 ttl=255 time=0.698 ms
64 bytes from 192.168.255.111: icmp_seq=2 ttl=255 time=0.754 ms
64 bytes from 192.168.255.111: icmp_seq=3 ttl=255 time=0.727 ms

With all that in place we can go ahead and join our ESR to a DMVPN etc to give our Linux box full access to everything.

 

Advertisements

Leave a Reply