Mailing List Archive

FXOS on FirePower 4140
I'm using fxlogin and fxos.pm from the development branch against a FirePower
4140 running 2.4(1.122). The default command table from rancid.types.base
isn't working.

After logging in to the 4110, I have access to:

fw# show
chassis cli clock
cloud-connector configuration eth-uplink
event fabric-interconnect fault
identity license ntp-overall-status
org post registry-repository
security sel server
service-profile system timezone
ucspe-tech-support version


If I do a 'connect fxos' I can get running-config and other information:

fw(fxos)# show
aaa incompatibility role
access-lists ingress-vlan-groups routing
accounting ingress-vp-groups routing-context
banner install rscn
boot interface running-config
callhome inventory san-port-channel
cdp ip scsi-target
cfs ipmc-groups snm_batch_status
class-map ipv6 snmp
cli klm sprom
clock l2-class-id ssh
cluster-state l2-table startup-config
configuration lacp svs
copyright ldap-server switchname
debug line system
device-alias lldp tacacs-server
diagnostic loadbalancing tech-support
ecmp-groups locator-led telnet
environment logging terminal
fc2 mac topology
fc2d module track
fcalias monitor trunk
fcdomain msp udld
fcdroplatency nsm user-account
fcflow ntp users
fcid-allocation phy-bypass vdc
fcns platform version
fcroute policy-map vifs
fcs port vlan
fctimer port-channel vms
fdmi port-profile vmware
flogi port-security vrf
fp queuing vsan
fspf radius-server wwn
hardware redundancy xml
hostname resource zone
hosts rlir zoneset
in-order-guarantee rmon



Does the fxos module assume a FirePower running FTD? I also have access to an
FP 2110 running FTD and fxos works fine there.

I don't have enough experience with the FirePower platform and fxos to know if
the current fxos module depends on running FTD, or if there are other
differences in fxos on the 2110 with FTD and the 4140 that are causing the fxos
module to fail.

Any pointers or suggestions?



-Chris

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: FXOS on FirePower 4140 [ In reply to ]
On 2/8/19 14:02 , Chris Stromsoe wrote:
> I'm using fxlogin and fxos.pm from the development branch against a
> FirePower 4140 running 2.4(1.122). The default command table from
> rancid.types.base isn't working.
>
> After logging in to the 4110, I have access to:
>
> fw# show
> chassis cli clock
...

> If I do a 'connect fxos' I can get running-config and other information:
>
> fw(fxos)# show
> aaa incompatibility role
> access-lists ingress-vlan-groups routing
...
> Does the fxos module assume a FirePower running FTD? I also have access to
> an FP 2110 running FTD and fxos works fine there.
>
> I don't have enough experience with the FirePower platform and fxos to know
> if the current fxos module depends on running FTD, or if there are other
> differences in fxos on the 2110 with FTD and the 4140 that are causing the
> fxos module to fail.
>
> Any pointers or suggestions?

The current fxos module assumes FTD on a 2100 platform (and I'm currently
testing support for ASA on 2100). My understanding is that the 4100 and
9300 have a bit of a different architecture from the 2100, but I've not
touched those to be able to say how exactly they differ.

It looks like the initial login layer on the 4100 must be different. Is
there any other "connect" option from either the initial login layer or the
fxos layer, where the actual firewall functions are exposed?

On a 2100 the first layer you connect to is the FTD application (similar to
legacy ASA platform), with a simple ">" prompt and a config syntax like:
> show running-config
: Serial Number: J..........
: Hardware: FPR-2130, 14854 MB RAM, CPU MIPS 1200 MHz, 1 CPU (12 cores)
:
NGFW Version 6.2.3.4
!
hostname firepower
...
!
interface Ethernet1/1
nameif border1
...

After that in the fxos layer, the config is more like the UCS FI:
> connect fxos
Cisco Firepower Extensible Operating System (FX-OS) Software
xxx-fw01# sho configuration
scope org
enter bios-policy SRIOV
set acpi10-support-config acpi10-support platform-default
...


and there's a much more limited command list available:
xxx-fw01# show
chassis cli clock
configuration eth-uplink event
fabric-interconnect fault identity
ntp-overall-status registry-repository security
sel server system
tech-support timezone version

Re: FXOS on FirePower 4140 [ In reply to ]
On Fri, 8 Feb 2019, Erik Muller wrote:

> The current fxos module assumes FTD on a 2100 platform (and I'm
> currently testing support for ASA on 2100). My understanding is that
> the 4100 and 9300 have a bit of a different architecture from the 2100,
> but I've not touched those to be able to say how exactly they differ.
>
> It looks like the initial login layer on the 4100 must be different.
> Is there any other "connect" option from either the initial login layer
> or the fxos layer, where the actual firewall functions are exposed?

It looks like logging in to the 4100 drops you straight into fxos.

Options for connect are

fw# connect
adapter Mezzanine Adapter
cimc Cisco Integrated Management Controller
fxos Connect to FXOS CLI
local-mgmt Connect to Local Management CLI
module Security Module Console


The connect command is not available after running "connect fxos". You
have to "exit" to return to the initial layer.



> On a 2100 the first layer you connect to is the FTD application (similar to
> legacy ASA platform), with a simple ">" prompt and a config syntax like:
>> show running-config
> : Serial Number: J..........
> : Hardware: FPR-2130, 14854 MB RAM, CPU MIPS 1200 MHz, 1 CPU (12 cores)
> :
> NGFW Version 6.2.3.4
> !
> hostname firepower
> ...
> !
> interface Ethernet1/1
> nameif border1
> ...
>
> After that in the fxos layer, the config is more like the UCS FI:
> > connect fxos
> Cisco Firepower Extensible Operating System (FX-OS) Software
> xxx-fw01# sho configuration
> scope org
> enter bios-policy SRIOV
> set acpi10-support-config acpi10-support platform-default
> ...


The login layers on the 4100 seem to be reversed when compared to the
2100 with FTD.

The initial login layer on the 4100 resembles the 2100 after having run
"connect fxos", and has a limited command list.

Running "connect fxos" on the 4100 resembles the initial login layer on
the 2100, and has an extensive command list.

I've copied all of the fxos definitions in rancid.types.base to fxos-ftd
and updated router.db for my 2100/FTD devices. I removed the fxos entries
that don't run on the 4100 and re-ordered the commands. I have a working
configuration for the 4140, though none of the output from "show
running-config" is getting picked up. Maybe using WriteTermFTD isn't
right for that.

fxos;command;fxos::RunCommand;term len 0
fxos;command;fxos::RunCommand;connect fxos; prompt changes
fxos;command;fxos::ShowInventory;show inventory
fxos;command;fxos::WriteTermFTD;show running-config
fxos;command;fxos::RunCommand;exit; prompt changes
fxos;command;fxos::ShowFirmware;show system firmware detail
fxos;command;fxos::ShowChassis;show chassis detail
fxos;command;fxos::ShowChassis;show chassis inventory detail
fxos;command;fxos::ShowChassis;show chassis environment expand detail
fxos;command;fxos::WriteTerm;show configuration




-Chris
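The layer ordering described in this thread (FTD first on a 2100, the chassis layer first on a 4100, and "connect" unavailable inside the fxos layer) as an added Python example that is not part of the thread or of rancid: it walks the posted 4140 command table through each platform's layers so you can see which layer each command lands in before wiring it into rancid.types.base. The platform keys, layer names, and "exit" always returning to the initial layer are assumptions made for illustration.

```python
# Added example, not rancid's own code: models the CLI layer transitions this
# thread describes and walks a rancid.types.base-style command table through
# them, reporting which layer each command would run in on each platform.
# Layer names and "exit returns to the initial layer" are illustrative assumptions.

INITIAL_LAYER = {"2100-ftd": "ftd", "4100": "chassis"}

# Command table constructed from the 4140 configuration posted in this thread.
SAMPLE_TABLE = """
fxos;command;fxos::RunCommand;term len 0
fxos;command;fxos::RunCommand;connect fxos; prompt changes
fxos;command;fxos::ShowInventory;show inventory
fxos;command;fxos::WriteTermFTD;show running-config
fxos;command;fxos::RunCommand;exit; prompt changes
fxos;command;fxos::ShowFirmware;show system firmware detail
fxos;command;fxos::WriteTerm;show configuration
""".strip().splitlines()

def parse_types_line(line):
    """Split 'type;command;function;command string[; note]' into its fields."""
    fields = line.strip().split(";")
    if len(fields) < 4 or fields[1] != "command":
        return None
    return {"type": fields[0], "func": fields[2], "cmd": fields[3].strip(),
            "note": ";".join(fields[4:]).strip()}

def walk_command_table(lines, platform):
    """Return [(command, function, layer)] for each command as it would run."""
    layer = INITIAL_LAYER[platform]
    plan = []
    for line in lines:
        entry = parse_types_line(line)
        if entry is None:
            continue
        cmd = entry["cmd"]
        if cmd.startswith("connect ") and layer == "fxos":
            # The thread notes 'connect' is not available inside the fxos layer.
            raise ValueError(f"{cmd!r} issued inside fxos layer; 'exit' first")
        plan.append((cmd, entry["func"], layer))
        if cmd == "connect fxos":
            layer = "fxos"
        elif cmd == "exit":
            layer = INITIAL_LAYER[platform]
    return plan

def layer_of(plan, cmd):
    """Layer in which CMD runs, or None if it is absent from the plan."""
    return next((layer for c, _, layer in plan if c == cmd), None)

# walk_command_table(SAMPLE_TABLE, "4100")[3] -> ('show running-config', 'fxos::WriteTermFTD', 'fxos')
```

Running the same table against both platform keys shows that "show running-config" lands in the fxos layer either way, which on a 2100 is the opposite of where the FTD application is exposed.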

Re: FXOS on FirePower 4140 [ In reply to ]
We have a FirePower 2110 and it is architected differently than the 4100s. This Cisco blog post explains it well: https://blogs.cisco.com/perspectives/firepower-2100-the-architectural-need-to-know. We are using the ASA mode on the 2110. For SSH purposes, the IPs are different between FX-OS CLI and ASA CLI, so you do not have to use the "connect asa" CLI commands. I don't know what the best method is, separate or not. On the 2110, the FX-OS configuration is primarily setting up the ethernet interfaces (enable/disable, LACP). Also, there is no "connect fxos" that I really saw, though we are also still just deploying this platform.

--Chris


Chris Gauthier Senior Network Engineer | Comscore
t +1 (503) 331-2704 |
cgauthier@comscore.com
comscore.com
This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender.
-----Original Message-----
From: Rancid-discuss <rancid-discuss-bounces@shrubbery.net> on behalf of Chris Stromsoe <cbs@noc.ucla.edu>
Date: Friday, February 8, 2019 at 1:35 PM
To: Erik Muller <erikm@buh.org>
Cc: rancid list <rancid-discuss@shrubbery.net>
Subject: Re: [rancid] FXOS on FirePower 4140
