Nicolas Fevrier
Cisco Employee

Quick and dirty copy/paste of the different steps used for this installation on the VSM card.

First, keep in mind that the system does not operate in stand-alone mode: you need to pair it with a Peakflow SP (the NetFlow collector, attack detector and controller of the entire solution), and you need to use the proper licenses.

Before you install TMS-VSM software on the VSM blade, do the following:

0. Configure "allow TFTP" in the CoPP:

control-plane
 management-plane
  inband
   interface all
    allow TFTP

1. Insert the VSM blade in the ASR 9000 router backplane

2. Connect a serial console or laptop to the ASR 9000 router

3. Use telnet or ssh to log on to the CLI of the ASR 9000 router that has the VSM blade

4. Use the ASR 9000 CLI to perform the following tasks:

virtual-service enable 
commit

- Verify that virtual services are initialized with:

show virtual-service list

- Enter the following commands to uninstall any existing services on the VSM blade:

config
no virtual-service tmsX
commit
exit
virtual-service uninstall name tmsX

To install the TMS-VSM software on the VSM blade:

1. Log on to the CLI of the ASR 9000 router that has the VSM blade.

2. To copy the .ova file to the router:

copy tftp:/Peakflow-TMS-7.0-EKU0.ova disk0:

Use the correct path/filename for your build.

- At the prompt Address or name of remote host[]?, type the IP address for the remote host (for example, 10.8.22.116)

- At the prompt Destination filename, press enter.

3. To verify that the .ova file was copied:

dir disk0:

The file should appear at the end of the directory file list.

4. To find the node name for your VSM blade:

show inventory all | include "Virtualized Services Module"

The node name will be of the form 0/slot/CPU0.

Note: To verify the node name:

 show virtual-service list

5. To install the virtual service:

virtual-service install name tms3 package /disk0:/Peakflow-TMS-7.0-EKU0.ova node 0/n/CPU0

where:
n = the slot number for the VSM blade.

Allow approximately 10 to 12 minutes for installation to complete.

6. To verify that the virtual service is installed:

show virtual-service list

Note: If the installation is initializing, this show command does not show any data. If installation is in process, this command shows the message Installing. When installation is complete, you can rerun this show command to verify that the virtual service is listed as installed.

To map VNIC interfaces on the router to TMS interfaces on the VSM blade:

1. To map the interfaces, enter the following commands, replacing n with the slot number for the VSM blade:

virtual-service enable
virtual-service tmsn
vnic interface TenGigE0/n/1/0
vnic interface TenGigE0/n/1/1
vnic interface TenGigE0/n/1/2
vnic interface TenGigE0/n/1/3
vnic interface TenGigE0/n/1/4
vnic interface TenGigE0/n/1/5
vnic interface TenGigE0/n/1/6
vnic interface TenGigE0/n/1/7
vnic interface TenGigE0/n/1/8
vnic interface TenGigE0/n/1/9
vnic interface TenGigE0/n/1/10
vnic interface TenGigE0/n/1/11
commit
activate
commit

To verify that all interfaces are activated:

 show virtual-service list

2. Create the interface bundle for the mitigation interfaces, tmsx0-3 and tmsx7-10, and create the bundle subinterfaces


3. Set up the management interfaces, tmsx5-6


4. Set up the unused interfaces, tmsx4 and tmsx11

The final configuration looks like this:


vrf onRamp
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
vrf offRamp
address-family ipv4 unicast
!
address-family ipv6 unicast
!
!
snmp-server host 25.2.1.10 traps arbor
snmp-server community arbor
virtual-service enable
virtual-service TMS1
vnic interface TenGigE0/1/1/0
vnic interface TenGigE0/1/1/1
vnic interface TenGigE0/1/1/2
vnic interface TenGigE0/1/1/3
vnic interface TenGigE0/1/1/4
vnic interface TenGigE0/1/1/5
vnic interface TenGigE0/1/1/6
vnic interface TenGigE0/1/1/7
vnic interface TenGigE0/1/1/8
vnic interface TenGigE0/1/1/9
vnic interface TenGigE0/1/1/10
vnic interface TenGigE0/1/1/11
activate
!
control-plane
management-plane
inband
interface TenGigE0/2/0/6
allow TFTP
allow SNMP
allow SNMP peer
address ipv4 25.2.1.10
!
!
interface Bundle-Ether2
description bundle to-from vsm1
load-interval 30
!
interface Bundle-Ether2.100
description offramp subinterface
ipv4 address 13.37.13.37 255.255.255.252
bundle load-balancing hash src-ip
load-interval 30
encapsulation dot1q 100
!
interface Bundle-Ether2.101
description onramp subinterface
vrf onRamp
ipv4 address 13.37.13.41 255.255.255.252
load-interval 30
encapsulation dot1q 101
!
interface Loopback0
ipv4 address 4.4.4.4 255.255.255.255
!
interface MgmtEth0/RSP0/CPU0/0
ipv4 address 1.2.3.4 255.255.255.0
!
interface TenGigE0/1/1/0
bundle id 2 mode on
load-interval 30
!
interface TenGigE0/1/1/1
bundle id 2 mode on
load-interval 30
!
interface TenGigE0/1/1/2
bundle id 2 mode on
load-interval 30
!
interface TenGigE0/1/1/3
bundle id 2 mode on
load-interval 30
!
interface TenGigE0/1/1/4
load-interval 30
!
interface TenGigE0/1/1/5
description mgt0 on TMS1
ipv4 address 25.3.1.1 255.255.255.0
load-interval 30
!
interface TenGigE0/1/1/6
description mgt1 on TMS1
load-interval 30
!
interface TenGigE0/1/1/7
bundle id 2 mode on
load-interval 30
!
interface TenGigE0/1/1/8
bundle id 2 mode on
load-interval 30
!
interface TenGigE0/1/1/9
bundle id 2 mode on
load-interval 30
!
interface TenGigE0/1/1/10
bundle id 2 mode on
load-interval 30
!
interface TenGigE0/1/1/11
shutdown
!

The last step is to configure the BGP peers and BGP flowspec peers according to the diversion (offRamp/onRamp) strategy.
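
A consistency check for the port layout in steps 2 to 4 and the final configuration, as an added example that is not part of the original post or of any Cisco or Arbor tooling: it parses an indented IOS XR configuration and reports mitigation ports missing from the bundle, interface VRF references that match no defined VRF, and management-plane rules left on "interface all". The function names, the constructed sample configuration and the mapping of port N to TMS interface N are assumptions made for the example; VRF names are compared case-sensitively.

```python
# Added example (not from the post). Assumption: port N of TenGigE0/<slot>/1/N
# is TMS interface N, so ports 0-3 and 7-10 are the bundled mitigation ports.
MITIGATION = {0, 1, 2, 3, 7, 8, 9, 10}

def build_sample():
    """Constructed config, indented as the router prints it, with 3 mistakes."""
    cfg = ["vrf onRamp", " address-family ipv4 unicast",
           "virtual-service enable", "virtual-service TMS1"]
    cfg += [f" vnic interface TenGigE0/1/1/{n}" for n in range(12)] + [" activate"]
    cfg += ["control-plane", " management-plane", "  inband",
            "   interface all", "    allow TFTP"]          # mistake 1: not scoped
    cfg += ["interface Bundle-Ether2.101", " vrf onramp",  # mistake 2: wrong case
            " encapsulation dot1q 101"]
    for n in range(12):
        cfg.append(f"interface TenGigE0/1/1/{n}")
        if n in MITIGATION and n != 9:                     # mistake 3: port 9 left out
            cfg.append(" bundle id 2 mode on")
    return "\n".join(cfg)

def stanzas(cfg):
    """Map each top-level line to the stripped lines nested under it."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            cur = out.setdefault(line.strip(), [])
        elif cur is not None:
            cur.append(line.strip())
    return out

def audit(cfg):
    """Return findings for vnic layout, VRF references and MPP scope."""
    st, findings = stanzas(cfg), []
    vrfs = {h.split()[1] for h in st if h.startswith("vrf ")}  # case-sensitive
    for head, body in st.items():
        if head.startswith("virtual-service ") and body:
            ports = [l.split()[-1] for l in body if l.startswith("vnic interface ")]
            if len(ports) != 12:
                findings.append(f"{head}: {len(ports)} vnic interfaces, expected 12")
            for port in ports:
                idx = int(port.rsplit("/", 1)[1])
                bundled = any(l.startswith("bundle id ")
                              for l in st.get(f"interface {port}", []))
                if idx in MITIGATION and not bundled:
                    findings.append(f"{port}: mitigation port is not in the bundle")
                if idx not in MITIGATION and bundled:
                    findings.append(f"{port}: management/unused port is in a bundle")
        elif head.startswith("interface "):
            for l in body:
                if l.startswith("vrf ") and l.split()[1] not in vrfs:
                    findings.append(f"{head}: '{l}' is not a defined VRF")
        elif head == "control-plane":
            scope = None
            for l in body:
                if l.startswith("interface "):
                    scope = l.split()[1]
                elif l.startswith("allow ") and scope == "all":
                    findings.append(f"MPP: '{l}' applies to every inband interface")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(build_sample())))
```

Run it against the output of show running-config saved to a file; an empty result means the three checks passed, not that the configuration is otherwise correct.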

—————


virtual-service connect name TMS1 console node 0/1/CPU0

Sun Dec 7 17:31:13.867 UTC

Trying 192.0.131.3...

Connected to 192.0.131.3.

Escape sequence is '^^e'.

010: Using CD-ROM

018: No system configuration found

020: Configuring CD-ROM

Do you want to begin the install process?

This will remove all current data and configuration [n/y] y

Initializing filesystem "boot"..........................done.

Writing boot blocks....done.

Initializing filesystem "system"..........................done.

Initializing filesystem "data"..........................done.

Initializing swap partition......done.

system: clean, 11/512064 files, 53444/2048000 blocks

data: clean, 11/407360 files, 53327/3107840 blocks

boot: clean, 28/128016 files, 26963/510976 blocks

Installing software package "cdrom:arbos-6.1-ELDN-x86_64"

Extracting package...done.

Changes to ArbOS will take effect after the next reload.

Installing software package "cdrom:Peakflow-TMS-7.0-ELDN-vm"

Extracting package...done.

Collecting inventory information..done

Building databases.......................................................................done.

.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................*****..*************boot: …

system: clean, 24175/512064 files, 171499/2048000 blocks

data: clean, 419/407360 files, 61114/3107840 blocks

boot: clean, 64/128016 files, 129079/510976 blocks

005: Configuring swap devices

006: Configuring software packages

Collecting inventory information..done

007: Restoring system configuration

020: Configuring CD-ROM

021: Done rc.sysinit

ArbOS/6.1 (arbos)

arbos login: admin

Password:

Peakflow TMS v7.0

Copyright (c) 2000-2014 Arbor Networks, Inc. All Rights Reserved.

Welcome to ArbOS


———————————————————————————————————

Comments
mkhalil10
Spotlight

Dear Nicolas

Thanks for the great post

I was in a discussion with Cisco TAC regarding the same subject. According to them, I cannot use more than one service per VSM module.

I am already running the NAT44 service and am attaching virtual-interfaces to it.

When I asked them how many virtual-interfaces I need, they told me I need another module?

What do you think?

BR,

Mohammad

Nicolas Fevrier
Cisco Employee

Hi Mohammad,

The TAC engineer is right, we don't support multiple VMs over a single VSM.

If you need to run both the TMS app and the CGN app, you need two VSM cards in the chassis.

In the TMS case, of the 12 interfaces, 8 are gathered in a bundle for traffic and 2 are assigned to management (the last 2 are shut down).

BR,

N.

lemmocisco
Level 1

Hi,

I am having some trouble with the TMS VM...

This is the output I get from the activate command:

RP/0/RSP0/CPU0:BB-ASR9K(config)#virtual-service tms3
RP/0/RSP0/CPU0:BB-ASR9K(config-virt-service)#activate
RP/0/RSP0/CPU0:BB-ASR9K(config-virt-service)#comm
Mon Mar 13 17:03:20.343 MET
RP/0/RSP0/CPU0:2017 Mar 13 17:03:21.721 MET: service_mgr[413]: %OS-LIB_VMAN-3-START_FAILED : Virtual Service[tms3]::Start failed::Failed to start the virtual service::Resource Manager: vm_resource_allocate_best_effort :Failed to allocate socket resources   
RP/0/RSP0/CPU0:2017 Mar 13 17:03:22.945 MET: service_mgr[413]: %OS-SMGR-3-VM_ACTIVATE_FAIL : Service VM 'tms3' activation failed

Do you have any idea what could be the problem?

Thank you.

Aleksandar Vidakovic
Cisco Employee

Which IOS XR release are you running and which Arbor TMS version?

Regards,

/Aleksandar

lemmocisco
Level 1

Cisco IOS XR Software is Version 5.3.4 while TMS is Peakflow-TMS-7.5.1-FJBK.ova

Nitin Pabbi
Cisco Employee

TMS 7.5.1 is not compatible with 5.3.4 because we have introduced memory composition for VSM operations.

Kindly use TMS 8.1 with 5.3.4. TMS 8.1 was released in Dec '16 and has a better memory consumption model along with better performance capabilities.

Thanks

Nitin Pabbi

Jerry Ebanks
Level 1

Hi Nicolas:

This step below that is in bold:

Do you want to begin the install process?

This will remove all current data and configuration [n/y] y

Initializing filesystem "boot"..........................done.

Writing boot blocks....done.

Initializing filesystem "system"..........................done.

Initializing filesystem "data"..........................done.

Initializing swap partition......done.

Does that mean that it will reboot the entire router or just the VSM card? I am asking because I am placing a VSM card and the router is a live node that has live traffic, and this can affect service.

Your advice would be greatly appreciated.

Thank you.

smailmilak
Level 4

No way that the whole router will be rebooted because of one module.

We have a couple of ISM-100 and the installation process restarts only the module.

Jerry Ebanks
Level 1

Hi Smailmilak:

Thanks for the feedback. I can see that but just wanted to be sure. Is ISM-100 like VSM? Or have you done a VSM card installation?

lemmocisco
Level 1

Hi Jerry,

I have installed the TMS on a VSM-500 and the ASR does not reboot. Actually, regarding the point:

This will remove all current data and configuration [n/y] y

it means the Virtual Machine will be restarted, not even the VSM.

This is the whole log from the installation:

RP/0/RSP0/CPU0:BB-ASR9K#virtual-service connect name TMS console node 0/1/CPU0
Tue Mar 21 17:45:00.818 MET
Trying 192.0.129.3...
Connected to 192.0.129.3.
Escape sequence is '^^e'.

Do you want to begin the install process?
This will remove all current data and configuration [n/y] y

Initializing filesystem "boot"..........................done.
Writing boot blocks....done.
Initializing filesystem "system"..........................done.
Initializing filesystem "data"..........................done.
Initializing swap partition......done.
system: clean, 11/512064 files, 53444/2048000 blocks
data: clean, 11/407360 files, 53327/3107840 blocks
boot: clean, 28/128016 files, 26963/510976 blocks

Installing software package "cdrom:arbos-6.2-GLBL-x86_64"
Checking package integrity...done.
Checking package preconditions...done.
Extracting package...!done.
Changes to ArbOS will take effect after the next reload.
Installing software package "cdrom:Arbor-TMS-8.1.0-GLBL-x86_64"
Checking package integrity...done.
Checking package preconditions...done.
Extracting package...!done.
Collecting inventory information..done
Building databases.....................................................done.

System hostname? [arbos] TMS
160: Invalid hostname
System hostname? [arbos] ARBOR

IP address for interface mgt0: [none] 10.10.20.41
Netmask for interface mgt0: [255.255.255.0] 255.255.255.252
Media for interface mgt0: [none]
IP address for interface mgt1: [none]
Default route: [none] 10.10.20.42

bgp access from which network? [done]

http access from which network? [done] 10.10.0.0/24
http access from which network? [done]

https access from which network? [done] 10.10.0.0/24
https access from which network? [done]

openflow access from which network? [done] 10.10.0.0/24
openflow access from which network? [done]

ping access from which network? [done] 10.10.0.0/24
ping access from which network? [done]

snmp access from which network? [done] 10.10.0.0/24
snmp access from which network? [done]

ssh access from which network? [done] 10.10.0.0/24
ssh access from which network? [done]
Generating new SSH host key file.....done.

Current time and date: [031316082017.42] 032116532017.50
Tue Mar 21 16:53:50 GMT 2017
NTP server IP address: [done] 10.10.20.42
NTP server IP address: [done]


init: sysinit main process (4023) killed by TERM signal
Error opening /base/mnt/huge: No such file or directory
717: Cannot stop /base
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Syncing hardware clock to system time
Unmounting loopback filesystems
Unmounting remaining filesystems
Remounting remaining filesystems readonly
Please stand by while rebooting the system...
[ 1021.507463] reboot: Restarting system
Press any key to continue.
Press any key to continue.
Press any key to continue.
Press any key to continue.
Press any key to continue.

GNU GRUB version 0.97 (639K lower / 2882536K upper memory)

+-------------------------------------------------------------------------+
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
commands before booting, 'a' to modify the kernel arguments
.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................*****.*************Superblock last write time (Tue Mar 21 16:57:21 2017,
now = Mon Mar 13 16:12:04 2017) is in the future.
Fix? yes

boot: clean, 64/128016 files, 156038/510976 blocks
..******.*****002: Scanning for filesystems
003: Using system disk
004: Checking file system integrity
Superblock last write time (Tue Mar 21 16:57:28 2017,
now = Mon Mar 13 16:12:15 2017) is in the future.
Fix? yes

system: clean, 33702/512064 files, 210306/2048000 blocks
Superblock last write time (Tue Mar 21 16:57:21 2017,
now = Mon Mar 13 16:12:17 2017) is in the future.
Fix? yes

data: clean, 1098/407360 files, 64053/3107840 blocks
boot: clean, 64/128016 files, 156038/510976 blocks
005: Configuring swap devices
006: Configuring software packages
Collecting inventory information..done
007: Restoring system configuration
020: Configuring CD-ROM
021: Done rc.sysinit


Arbor TMS/8.1.0 (ARBOR)

ARBOR login: admin
Password:

Arbor TMS v8.1.0
Copyright (c) 2000-2016 Arbor Networks, Inc. All Rights Reserved.


Welcome to ArbOS

admin@ARBOR:/#

Jerry Ebanks
Level 1

Hi Lemmocisco:

Thanks. This is what I needed to know. I just wanted to be sure because the router (ASR9k) in which we are installing the VSM card is a production router and I didn't want to disrupt services.

Thank you for the feedback.

Jerry Ebanks
Level 1

Whenever I try to break the process for VSM I use Ctrl+E, but I notice sometimes it does not break it. What exactly is the break sequence? What does this mean: Escape sequence is '^^e'?

haitham.jneid
Level 1

Hi All,

I need to understand the solution regarding Arbor deployment on the VSM card in the ASR9000. How does the solution work? What happens exactly? Is there any document that describes the solution?

Thanks,

Haitham Jneid

Nitin Pabbi
Cisco Employee

Hey Haitham,

Peakflow TMS (Threat Management System) on VSM-500 (Cisco CGN card) is used for Arbor’s Peakflow TMS and ArbOS x86_64bit software running on a Cisco Virtualized Services Module (“VSM blade”) for Cisco’s ASR 9000 series routers. Each ASR 9000 chassis can support one Peakflow TMS-VSM.

This solution addresses the common concerns of ISPs, cloud providers and enterprise customers about DDoS (Distributed Denial of Service) attacks, which impact customers' operations and reduce network availability.

Peakflow TMS network SW provides an important traffic-scrubbing component of the Peakflow solution. The Peakflow TMS can be deployed inline to provide “always on” protection and also supports a mitigation architecture called “diversion/reinjection.” In this mode only the traffic stream carrying the DDoS attack is redirected to the Peakflow TMS through routing updates issued by the Peakflow solution. The Peakflow Threat Management System removes only the malicious traffic from that stream and forwards the legitimate traffic to its intended destination.

We have published a CCO doc explaining the details of this solution:

http://www.cisco.com/c/en/us/products/collateral/routers/asr-9000-series-aggregation-services-routers/solution-overview-c22-736143.html

At the bottom of this link you will find links for whitepaper and solution information.

Kindly go through these and share your feedback. Accordingly, we will add/modify the content for better understanding of this solution.

Thanks

Nitin Pabbi

haitham.jneid
Level 1

Hi Nitin,

Thanks for the great information you provided. It was very useful for me.

The design I am trying to work on is as follows:

- 1xASR9006

- 1xVSM Module

- Peakflow SP on Cisco UCS.

As per Cisco documentation the requirements will be as the below:

Hardware:

   Fixed and modular Ethernet line cards (second-generation and later)

   Route Switch Processor 440 (RSP440) or Route Switch Processor 880 (RSP880)

   Cisco ASR 9000 Series Route Processor 1 (RP1) or Route Processor 2 (RP2) for Cisco ASR 9912 and ASR 9922 systems

   Virtualized Services Module (VSM)

Software:

   Cisco IOS® XR Software Release 5.3.0 and later

   Arbor TMS Version 7.0.1 and later

I need resources about the following if possible:

- Installation/Configuration of VSM inside ASR9000

- Pair VSM TMS with Peakflow SP

- Netflow/BGP configuration on TMS,ASR and Peakflow SP

- TMS policies/rules configuration guide

- Install/activate licenses

Appreciate your valuable support.

Thanks,

Haitham Jneid
