Cisco ASR1K - 100M link issue. [SOLVED]

I was labbing today and hit one strange issue - a link between Cisco ASR1001-X (GLC-T transceiver) and Catalyst 3750 switch (100Mbps ports) was up at both sides, but CDP didn’t work, I didn’t see MAC addresses learned on the switch side. To fix an issue I had to disable auto-negotiation and hardcode 100M speed on ASR side.

interface GigabitEthernet0/0/0
 no negotiation auto
 speed 100

Even more, on Catalyst side I had to hardcode “duplex full” to get rid of duplex mismatch issue. Looks like it’s an issue with ASR or a transceivers. Anyways, it’s strange and annoying to see the link UP on both ends, but without actual connectivity:

Good luck!

Cisco 10G SPA - Difference between WAN and LAN modes.

As you know, Cisco 10G SPA (Shared Port Adapter) modules could have two modes - WAN and LAN.

There’re actually two different modules:

• SPA-1X10GE-L-V2 (supports LAN mode only)
• SPA-1X10GE-WL-V2 (supports WAN and LAN modes)

CiscoASR#show inventory

NAME: "SPA subslot 1/2", DESCR: "1-port 10 Gigabit Ethernet Shared Port Adapter XFP based"
PID: SPA-1X10GE-L-V2   , VID: V02, SN: JAE1325CKI7

NAME: "SPA subslot 1/3", DESCR: "1-port 10 Gigabit Ethernet Shared Port Adapter XFP based"
PID: SPA-1X10GE-WL-V2  , VID: V01, SN: JAE14063H6T

By default, WAN-capable modules are in WAN mode. If you have two SPA-1X10GE-WL-V2 modules and trying to make a link between each other it will be no problem, but when you connect SPA-1X10GE-WL-V2 to any other regular 10G ethernet port (to your uplink provider or to any other 10G ethernet router/switch, etc) the link will not come up.

Unfortunately, “show interface” output doesn’t tell you anything other than the link is down and hardware is SPA-1X10GE-WL-V2. What you can do is to check incoming optical signal level to make sure it’s not an issue with remote side or transceiver:

CiscoASR#show hw-module subslot 1/1 transceiver 0 status
The Transceiver in slot 1 subslot 1 port 0 is enabled.
  Module temperature                        = 27.238 C
  Transceiver Tx bias current               = 6800 uAmps
  Transceiver Tx power                      = -2.1 dBm
  Transceiver Rx optical power              = -2.5 dBm

You can also check optical signal level on peering device. In my case it was Cisco Nexus:

N5K-1# show int eth1/9 transceiver details
    transceiver is present
    type is 10Gbase-SR
    name is CISCO-FINISAR
    part number is FTLX8571D3BCL-C2
    revision is A
    serial number is FNS15531MJA
    nominal bitrate is 10300 MBit/sec
    Link length supported for 50/125um OM2 fiber is 82 m
    Link length supported for 50/125um OM3 fiber is 300 m
    Link length supported for 62.5/125um fiber is 26 m
    cisco id is --
    cisco extended id number is 4

           SFP Detail Diagnostics Information (internal calibration)
                Current              Alarms                  Warnings
                Measurement     High        Low         High          Low
  Temperature   37.64 C        75.00 C     -5.00 C     70.00 C        0.00 C
  Voltage        3.28 V         3.63 V      2.97 V      3.46 V        3.13 V
  Current        7.99 mA       11.80 mA     4.00 mA    10.80 mA       5.00 mA
  Tx Power       -2.29 dBm       1.69 dBm  -11.30 dBm   -1.30 dBm     -7.30 dBm
  Rx Power       -3.01 dBm       1.99 dBm  -13.97 dBm   -1.00 dBm     -9.91 dBm
  Note: ++  high-alarm; +  high-warning; --  low-alarm; -  low-warning


The next step is to check current mode:

CiscoASR#show controllers wanphy 1/1/0
Mode of Operation: WAN Mode
  LOF = 2             LOS    = 1                            BIP(B1) = 19
  AIS = 2             RDI    = 0          FEBE = 0          BIP(B2) = 3842
  AIS = 2             RDI    = 0          FEBE = 4          BIP(B3) = 4
  LOP = 0             NEWPTR = 0          PSE  = 0          NSE     = 0
  SER    = 2          FELCDP = 1          FEAISP = 1
  WLOS   = 1          PLCD   = 0
  LFEBIP = 569        PBEC   = 4         

Active Alarms[All defects]: SWLOF LAIS PAIS SER
Active Alarms[Highest Alarms]: SWLOF
Alarm reporting enabled for: SF SWLOF B1-TCA B2-TCA PLOP WLOS 

  Rx(K1/K2): 00/00  Tx(K1/K2): 00/00
  S1S0 = 00, C2 = 0x1A
  Remote J1 Byte : 

BER thresholds:  SD = 10e-6  SF = 10e-3
TCA thresholds:  B1 = 10e-6  B2 = 10e-6  B3 = 10e-6


To switch to LAN mode:

CiscoASR#conf t
CiscoASR(config)#hw-module subslot 1/1 enable lan

3378009: Jan 15 2019 19:02:33.081 PST: %IOSXE_OIR-6-SYNCSPA: SPA (SPA-1X10GE-WL-V2) reloading to come up in LAN mode
3378010: Jan 15 2019 19:02:33.287 PST: %IOSXE_OIR-6-SOFT_RELOADSPA: SPA(SPA-1X10GE-WL-V2) reloaded on subslot 1/1
3378011: Jan 15 2019 19:02:33.291 PST: %SPA_OIR-6-OFFLINECARD: SPA (SPA-1X10GE-WL-V2) offline in subslot 1/1
3378012: Jan 15 2019 19:02:41.898 PST: %SPA_OIR-6-ONLINECARD: SPA (SPA-1X10GE-WL-V2) online in subslot 1/1
3378013: Jan 15 2019 19:02:41.939 PST: %IOSXE_SPA-6-UPDOWN: Interface TenGigabitEthernet1/1/0, link down due to remote fault
3378014: Jan 15 2019 19:02:43.713 PST: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/0, changed state to down
3378015: Jan 15 2019 19:02:44.703 PST: %IOSXE_SPA-6-UPDOWN: Interface TenGigabitEthernet1/1/0, link down due to remote fault
3378016: Jan 15 2019 19:02:43.936 PST: %LINK-3-UPDOWN: SIP1/1: Interface TenGigabitEthernet1/1/0, changed state to down
3378017: Jan 15 2019 19:02:47.543 PST: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/0, changed state to up
3378018: Jan 15 2019 19:02:46.700 PST: %LINK-3-UPDOWN: SIP1/1: Interface TenGigabitEthernet1/1/0, changed state to up
3378019: Jan 15 2019 19:02:48.544 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1/0, changed state to up

Here is how it looks like in LAN mode:

CiscoASR#show controllers wanphy 1/1/0
Mode of Operation: LAN Mode


More information about WAN-PHY and LAN-PHY can be found in Datasheet for Cisco 1-Port 10 Gigabit Ethernet LAN/WAN-PHY Shared Port Adapter and Cisco ASR 1000 Series Aggregation Services Routers SIP and SPA Software Configuration Guide:

Overview of LAN/WAN-PHY Controllers

LAN/WAN-PHY support in Cisco IOS XE Software Release 3.3.0S and later is based on the IEEE 802.3ae standard. WAN-PHY controllers can only be used as Path Terminating Equipment (PTE). When deploying Ethernet WAN interfaces as endpoints or as PTE between routers, the other endpoint must be an Ethernet WAN interface. WAN-PHY does not interoperate nor terminate on a Packet over Sonet (PoS) or an Ethernet over Sonet (EoS) port.

The purpose of WAN-PHY is to render a 10-Gigabit Ethernet compatible with the SONET STS-192c format and data rate, as defined by ANSI, as well as the SDH VC-4-64c container specified by ITU. To achieve this compatibility, a WAN Interface Sublayer (WIS) is inserted between the 10-Gigabit Ethernet Physical Coding Sublayer (PCS) and the serial Physical Medium Attachment sublayer/Physical Medium Dependent sublayer (PMA/PMD). When the controller is in WAN-PHY mode, the WIS sublayer transports 10-Gigabit Ethernet frames in an OC-192c SONET payload that can interoperate with SONET section or line-level repeaters. This effectively bridges the asynchronous world of Ethernet data with synchronous SONET/SDH transport, allowing the 10-Gigabit Ethernet to be transparently carried over current DWDM networks without having to directly map the Ethernet frames into SONET/SDH.

Following is a list of the WIS characteristics and the functions it performs:

• The WIS allows WAN-PHY equipment to generate an Ethernet data stream to be mapped to an OC-192c or VC-4-64c concatenated payload at the PHY level without any MAC or higher layer processing.
• A 10GBASE-W interface cannot interoperate directly with SONET or SDH equipment because WAN-PHY is not fully compliant with SONET or SDH optical and electrical specifications. In practice, SONET or SDH and 10GBASE-W interfaces can interoperate.
• From a MAC perspective, WAN-PHY does not appear any different from LAN-PHY (no WIS) with the exception of the sustained data rate. In the case of LAN-PHY, the maximum data rate is 10.3125 Gbps, while at WAN-PHY, it is 9.95328 Gbps (as required by SONET or SDH).
• The WIS implements a subset of the SONET functions, including creating the section, line, path overhead headers, calculating the Bit Interleaved Parity (BIP) bytes for error monitoring and managing a variety of alarms and defect indications.

Good luck!

Cisco IOS - BGP - set as-path prepend last-as [EXPLAINED]

This post is for those engineers who want to elaborate more universal configuration to do BGP AS_PATH prepending by using “set as-path prepend last-as” parameters. You should know that “set as-path prepend last-as” skips your own BGP AS and works only on transit AS. If you’d like to add your own BGP AS to AS_PATH you have to specify AS number:

route-map RM-PREPEND
 set as-path prepend 123 123 123

router bgp 123
 neighbor x.x.x.x route-map RM-PREPEND out

Good luck!

How to activate Evaluation License on Cisco ISR G2. [TESTED]

For those who use real hardware for CCIE Collaboration or Security Lab preparation…


Understating Cisco IOS v15 Licenses.
Understanding CME-SRST License Activation.

Example - Enabling Security feature

conf t
 license boot module c2900 technology-package securityk9
wri mem

Checking results:

Router#show version | b License
License Info:

License UDI:

Device#   PID                   SN
*0        CISCO2911/K9          FGL111111A1

Technology Package License Information for Module:'c2900'

Technology    Technology-package           Technology-package
              Current       Type           Next reboot
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    EvalRightToUse securityk9
uc            None          None           None
data          datak9        Permanent      datak9

Configuration register is 0x2102

Router#show license
Index 2 Feature: securityk9
        Period left: 8  weeks 4  days
        Period Used: 0  minute  0  second
        License Type: EvalRightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
Router(config)#crypto ?
  call          Configure Crypto Call Admission Control
  ctcp          Configure cTCP encapsulation
  dynamic-map   Specify a dynamic crypto map template
  engine        Enter a crypto engine configurable menu
  gdoi          Configure GDOI policy
  identity      Enter a crypto identity list
  ikev2         Configure IKEv2 Options
  ipsec         Configure IPSEC policy
  isakmp        Configure ISAKMP policy
  key           Long term key operations
  keyring       Key ring commands
  logging       logging messages
  map           Enter a crypto map
  mib           Configure Crypto-related MIB Parameters
  pki           Public Key components
  provisioning  Secure Device Provisioning
  wui           Crypto HTTP configuration interfaces
  xauth         X-Auth parameters


IOS-XE and MD5 file verification. [TESTED]

I was needed to download core dump file (.core.gz) from ASR1001. For some reason, FTP didn’t work, I didn’t attempts from VRF-aware management interface, so I had to have TFTP is in use. To verify the file before and after I used the following commands:

ASR1001#verify /md5 flash:/core/ASR1001_RP_0_fman_fp_image_7420_1231952006.core.gz
verify /md5 (bootflash:/core/ASR1001_RP_0_fman_fp_image_7420_1231952006.core.gz) = 4fa581dd2df1476eef9624bfcf88cd46


To copy this file:

ASR1001#copy flash:/core/ASR1001_RP_0_fman_fp_image_7420_1231952006.core.gz tftp://
Address or name of remote host []?
Destination filename [ASR1001_RP_0_fman_fp_image_7420_1231952006.core.gz]?
6614390 bytes copied in 7.711 secs (857786 bytes/sec)

To verify MD5 after copying using embedded in Windows 7 command:

c:\Temp>CertUtil -hashfile C:\TFTP\ASR1001_RP_0_fman_fp_image_7420_1231952006.core.gz MD5
MD5 hash of file C:\TEMP\ASR1001_RP_0_fman_fp_image_7420_1231952006.core.gz:
4f a5 81 dd 2d f1 47 6e ef 96 24 bf cf 88 cd 46
CertUtil: -hashfile command completed successfully.


Admin area