on 09-23-2016 02:10 AM
In order to check the configurations before a commit or a commit replace, one can see what is being added, removed or replaced in the configuration.
Below you will find an explanation of each of the three commands and when to use it.
show commit changes diff shows what will be added to or removed from the configuration if the commit is done.
The added parts are marked with a "+" and the removed parts with a "-".
RP/0/RSP0/CPU0:ASR9001-1(config)#sh commit changes diff
Fri Sep 23 08:03:07.485 UTC
Building configuration...
!! IOS XR Configuration 5.3.3
- interface Loopback1000
- description test
- ipv4 address 10.10.0.1 255.255.255.255
!
+ multicast-routing
+ address-family ipv4
+ interface Loopback0
+ enable
!
!
!
+ multicast-routing
!
end
show configuration shows the added or removed parts as configuration text (a removal appears as a "no" command).
RP/0/RSP0/CPU0:ASR9001-1(config)#sh configuration
Fri Sep 23 08:31:17.333 UTC
Building configuration...
!! IOS XR Configuration 5.3.3
no interface Loopback1000
multicast-routing
address-family ipv4
interface Loopback0
enable
!
!
!
multicast-routing
!
end
With show configuration changes diff, the added parts are marked with a "+" and the removed parts with a "-", while the changed configuration lines are marked with a "#".
RP/0/RSP0/CPU0:ASR9001-1(config)#sh configuration changes diff
Fri Sep 23 08:57:41.575 UTC
Building configuration...
!! IOS XR Configuration 5.3.3
# hostname ASR9001-1
# hostname new-hostname
- cdp
- vrf mgmt
- address-family ipv4 unicast
<omitted>
+ multicast-routing
+ address-family ipv4
+ interface Loopback0
+ enable
+ !
+ !
+ !
+ multicast-routing
+ !
- lldp
- netconf-yang agent
- ssh
- !
- ssh server v2
- ssh server vrf mgmt
Note that all three commands can be run only from global configuration mode, not from any sub-configuration mode. To get back to global configuration mode from a sub-mode, use the "root" command.
RP/0/RSP0/CPU0:ASR9001-1(config-if)#root ?
<cr> Exit to the global configuration mode
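A pre-commit review check built on the "+", "-" and "#" markers described above. This is an added example, not part of the original post or Cisco tooling: it parses captured "show configuration changes diff" output and flags removed or changed lines that touch security-relevant configuration. The sample text is constructed from the output shown above, and the WATCHLIST prefixes and the function names are assumptions to adapt to local policy.

```python
import re

# Constructed sample, modelled on the "show configuration changes diff" output above.
SAMPLE = """\
RP/0/RSP0/CPU0:ASR9001-1(config)#sh configuration changes diff
Fri Sep 23 08:57:41.575 UTC
Building configuration...
!! IOS XR Configuration 5.3.3
# hostname ASR9001-1
# hostname new-hostname
- cdp
+ multicast-routing
+  address-family ipv4
+ !
- ssh server v2
- ssh server vrf mgmt
end
"""

# Assumption: prefixes this reviewer treats as security-relevant; adjust per site.
WATCHLIST = ("ssh", "ipv4 access-list", "ipv6 access-list", "netconf-yang agent")
MARKERS = {"+": "added", "-": "removed", "#": "changed"}

def parse_diff(text):
    """Group diff lines by marker; skip prompt, timestamp, banner and bare '!' lines."""
    result = {"added": [], "removed": [], "changed": []}
    for raw in text.splitlines():
        # A diff line is a marker, whitespace, then the configuration text.
        m = re.match(r"^([+\-#])\s+(.*\S)\s*$", raw)
        if not m or m.group(2) == "!":
            continue
        result[MARKERS[m.group(1)]].append(m.group(2))
    return result

def risky_lines(parsed):
    """Return removed or changed lines that start with a watchlisted prefix."""
    return [(kind, line)
            for kind in ("removed", "changed")
            for line in parsed[kind]
            if line.startswith(WATCHLIST)]

if __name__ == "__main__":
    for kind, line in risky_lines(parse_diff(SAMPLE)):
        print(f"REVIEW BEFORE COMMIT: {kind}: {line}")
```

The check matches each line's own text only; it does not track which parent block a line belongs to.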
I personally don't like how Cisco reports changes to the config data stores.
Why have the #, and not just + and -? In this case:
!! IOS XR Configuration 5.3.3
- hostname ASR9001-1
+ hostname new-hostname
Also, why does a full config replace seem to re-apply access lists and route policies? When building automation around these, it makes things confusing.
For example, if I copy the running configuration to a backup.cfg file
RP/0/RP0/CPU0:edge01.lab01#
RP/0/RP0/CPU0:edge01.lab01#copy running-config backup.cfg
Tue Jun 25 20:08:16.710 UTC
Destination file name (control-c to abort): [/backup.cfg]?
The destination file already exists. Do you want to overwrite? [no]: yes
Building configuration.
327 lines built in 1 second
[OK]
RP/0/RP0/CPU0:edge01.lab01#conf
Tue Jun 25 20:08:22.379 UTC
loRP/0/RP0/CPU0:edge01.lab01(config)#load backup.cfg
Loading.
7816 bytes parsed in 1 sec (7777)bytes/sec
RP/0/RP0/CPU0:edge01.lab01(config)#
RP/0/RP0/CPU0:edge01.lab01(config)#show configuration changes diff
Tue Jun 25 20:08:42.215 UTC
Building configuration...
!! IOS XR Configuration version = 6.5.2
# ipv4 access-list INBOUND_INTERNET_V4
# 10 remark $Id:$
# 20 remark Denies all traffic to internal IPs except established tcp replies.
# 30 remark Also denies access to certain public allocations.
# 40 remark Ideal for some internal lab/testing types of subnets that are
# 50 remark not well trusted, but allowing internal users to access.
# 60 remark Apply to ingress interface (to filter traffic coming from lab)
# 70 remark accept-dhcp
# 80 remark Optional - allow forwarding of DHCP requests.
# 90 permit udp any any eq bootps
# 100 permit udp any any eq bootpc
# 110 remark accept-to-honestdns
# 120 remark Allow name resolution using honestdns.
# 130 permit udp any host 8.8.4.4 eq domain
# 140 permit udp any host 8.8.8.8 eq domain
# 150 remark accept-tcp-replies
# 160 remark Allow tcp replies to internal hosts.
# 170 permit tcp any 10.0.0.0 0.255.255.255 established
# 180 permit tcp any 172.16.0.0 0.15.255.255 established
# 190 permit tcp any 192.168.0.0 0.0.255.255 established
# 200 remark deny-to-internal
# 210 remark Deny access to rfc1918/internal.
# 220 deny ipv4 any 10.0.0.0 0.255.255.255
# 230 deny ipv4 any 172.16.0.0 0.15.255.255
# 240 deny ipv4 any 192.168.0.0 0.0.255.255
# 250 remark deny-to-specific_hosts
# 260 remark Deny access to specified public.
# 270 deny ipv4 any host 200.1.1.1
# 280 deny ipv4 any host 200.1.1.2
# 290 deny ipv4 any 200.1.1.4 0.0.0.1
# 300 remark permit-offices
# 310 remark Allow Remote Offices
# 320 permit ipv4 any 200.1.0.0 0.0.31.255
# 330 permit ipv4 any 200.2.1.0 0.0.0.255
# 340 permit ipv4 any 200.5.1.0 0.0.0.255
# 350 permit ipv4 any 201.1.1.0 0.0.0.255
# 360 remark permit-login-queue
# 370 remark Allow Login Queue Servers
# 380 permit tcp any 10.20.30.0 0.0.0.7 eq www
# 390 permit tcp any 10.20.30.0 0.0.0.7 eq 443
# 400 remark permit-chat-queue
# 410 remark Allow Chat Servers
# 420 permit tcp any 10.20.50.0 0.0.1.255 eq 4000
# 430 remark permit-apps-servers
# 440 remark Allow Apps Servers
# 450 permit udp any 100.10.10.0 0.0.0.255 range 5100 5400
# 460 permit udp any 10.20.30.0 0.0.1.255 range 5100 5400
# 470 remark default-deny
# 480 remark Deny what's left.
# 490 deny ipv4 any any
# !
+ interface MgmtEth0/RP0/CPU0/0
+ !
+ interface GigabitEthernet0/0/0/0
+ !
+ interface GigabitEthernet0/0/0/1
+ !
+ interface GigabitEthernet0/0/0/2
+ !
+ interface GigabitEthernet0/0/0/3
+ !
# !
# route-policy export_ibgp
# pass
# end-policy
# route-policy export_ibgp
# pass
# end-policy
# route-policy import_ibgp
# pass
# end-policy
# route-policy import_ibgp
# pass
# end-policy
# route-policy EXPORT_RR_V4
# pass
# end-policy
# route-policy EXPORT_RR_V4
# pass
# end-policy
# route-policy IMPORT_RR_V4
# pass
# end-policy
# route-policy IMPORT_RR_V4
# pass
# end-policy
# route-policy TEMP_DENY_ALL
# drop
# end-policy
# route-policy TEMP_DENY_ALL
# drop
# end-policy
# route-policy export_transit_a
# pass
# end-policy
# route-policy export_transit_a
# pass
# end-policy
# route-policy import_transit_a
# pass
# end-policy
# route-policy import_transit_a
# pass
# end-policy
# route-policy EXPORT_TRANSIT_V4
# pass
# end-policy
# route-policy EXPORT_TRANSIT_V4
# pass
# end-policy
# route-policy IMPORT_TRANSIT_V4
# pass
# end-policy
# route-policy IMPORT_TRANSIT_V4
# pass
# end-policy
# route-policy export_public_peering_ix_a
# pass
# end-policy
# route-policy export_public_peering_ix_a
# pass
# end-policy
# route-policy export_public_peering_ix_b
# pass
# end-policy
# route-policy export_public_peering_ix_b
# pass
# end-policy
# route-policy import_public_peering_ix_a
# pass
# end-policy
# route-policy import_public_peering_ix_a
# pass
# end-policy
# route-policy import_public_peering_ix_b
# pass
# end-policy
# route-policy import_public_peering_ix_b
# pass
# end-policy
end
In my opinion, this should return an empty string.
In the case where we run a show commit changes diff, I am personally not sure what the output means.
RP/0/RP0/CPU0:edge01.lab01(config)# show commit changes diff
Tue Jun 25 20:11:49.850 UTC
Building configuration...
!! IOS XR Configuration version = 6.5.2
ipv4 access-list INBOUND_INTERNET_V4
<- 10 remark $Id:$
<- 20 remark Denies all traffic to internal IPs except established tcp replies.
<- 30 remark Also denies access to certain public allocations.
<- 40 remark Ideal for some internal lab/testing types of subnets that are
<- 50 remark not well trusted, but allowing internal users to access.
<- 60 remark Apply to ingress interface (to filter traffic coming from lab)
<- 70 remark accept-dhcp
<- 80 remark Optional - allow forwarding of DHCP requests.
<- 90 permit udp any any eq bootps
<- 100 permit udp any any eq bootpc
<- 110 remark accept-to-honestdns
<- 120 remark Allow name resolution using honestdns.
<- 130 permit udp any host 8.8.4.4 eq domain
<- 140 permit udp any host 8.8.8.8 eq domain
<- 150 remark accept-tcp-replies
<- 160 remark Allow tcp replies to internal hosts.
<- 170 permit tcp any 10.0.0.0 0.255.255.255 established
<- 180 permit tcp any 172.16.0.0 0.15.255.255 established
<- 190 permit tcp any 192.168.0.0 0.0.255.255 established
<- 200 remark deny-to-internal
<- 210 remark Deny access to rfc1918/internal.
<- 220 deny ipv4 any 10.0.0.0 0.255.255.255
<- 230 deny ipv4 any 172.16.0.0 0.15.255.255
<- 240 deny ipv4 any 192.168.0.0 0.0.255.255
<- 250 remark deny-to-specific_hosts
<- 260 remark Deny access to specified public.
<- 270 deny ipv4 any host 200.1.1.1
<- 280 deny ipv4 any host 200.1.1.2
<- 290 deny ipv4 any 200.1.1.4 0.0.0.1
<- 300 remark permit-offices
<- 310 remark Allow Remote Offices
<- 320 permit ipv4 any 200.1.0.0 0.0.31.255
<- 330 permit ipv4 any 200.2.1.0 0.0.0.255
<- 340 permit ipv4 any 200.5.1.0 0.0.0.255
<- 350 permit ipv4 any 201.1.1.0 0.0.0.255
<- 360 remark permit-login-queue
<- 370 remark Allow Login Queue Servers
<- 380 permit tcp any 10.20.30.0 0.0.0.7 eq www
<- 390 permit tcp any 10.20.30.0 0.0.0.7 eq 443
<- 400 remark permit-chat-queue
<- 410 remark Allow Chat Servers
<- 420 permit tcp any 10.20.50.0 0.0.1.255 eq 4000
<- 430 remark permit-apps-servers
<- 440 remark Allow Apps Servers
<- 450 permit udp any 100.10.10.0 0.0.0.255 range 5100 5400
<- 460 permit udp any 10.20.30.0 0.0.1.255 range 5100 5400
<- 470 remark default-deny
<- 480 remark Deny what's left.
<- 490 deny ipv4 any any
!
end