Cisco IOS XR Virtual Firewall Command Reference, Release 3.7
VASI Commands on Cisco IOS XR Software



This chapter describes the VRF-Aware Service Infrastructure (VASI) commands on Cisco IOS XR software. VASI refers to the capability to use services, such as those that run on a multiservice blade (MSB), within different VPN routing and forwarding instances (VRFs).

interface vasi

To configure a VRF-Aware Service Infrastructure (VASI) interface and enter interface configuration mode, use the interface vasi command in global configuration mode. To delete a VASI configuration, use the no form of this command.

interface {vasileft | vasiright} number

Syntax Description

vasileft | vasiright

Specifies which VASI virtual interface to configure. You must configure both the vasileft and vasiright interfaces for a specific identifier before the interface can become active.

number

Identifier of the VASI interface. Enter an integer from 1 to 65535.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The two halves of the interface pair are configured separately. It is possible to configure just one half, but this is of no use because the interface does not come up unless both halves are configured. The VASI virtual interface pair is tied to a physical location on the MSB using the service-location preferred-active command. The service-location preferred-active command can be configured on either of the interface halves, but if it is configured on both, the locations given must match exactly. If the service-location preferred-active command is not configured, both halves of the pair remain down.

Task ID
Task ID
Operations

interface

read, write


Examples

The following example shows how to configure a VASI interface:

RP/0/0/CPU0:router(config)# interface VASILeft 1
RP/0/0/CPU0:router(config-if)# vrf red
RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.2.171 255.255.255.0
RP/0/0/CPU0:router(config-if)# service-location preferred-active 0/3/CPU0
RP/0/0/CPU0:router(config-if)# exit
RP/0/0/CPU0:router(config)# interface VASIRight 1
RP/0/0/CPU0:router(config-if)# vrf green
RP/0/0/CPU0:router(config-if)# ipv4 address 20.1.2.171 255.255.255.0

Related Commands

Command
Description

show interfaces vasi

Displays information about a VRF-Aware Service Infrastructure (VASI) interface.

service-location

Configures a physical interface on the multiservice blade (MSB) to be associated with a virtual firewall or virtual VASI interface.


service-location

To configure a physical interface on the multiservice blade (MSB) to be associated with a virtual firewall or virtual VASI interface, use the service-location command in the appropriate configuration mode. To unassociate the physical interface, use the no form of this command.

service-location preferred-active node-id [preferred-standby node-id] [auto-revert]

no service-location

Syntax Description

preferred-active node-id

Specifies the physical location of the MSB where the virtual firewall is located. The node-id argument is entered in the rack/slot/module notation.

preferred-standby node-id

(Optional) Specifies the physical location of the standby MSB where the virtual firewall is located. The node-id argument is entered in the rack/slot/module notation.

auto-revert

(Optional) Specifies that the virtual firewall aggressively reverts to the preferred active firewall when the active node comes back up after a switchover.

Note: Do not use auto-revert with more than 100 contexts in your configuration.


Defaults

No default behavior or values

Command Modes

Firewall configuration
VASI interface configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

To remove the service location from a configuration, you must first remove the default interface name. Removing the service location also removes the firewall configuration.

Use the service-location command to tie a VASI virtual interface pair to a physical location on the MSB. The service-location command can be configured on either of the interface halves, but if it is configured on both, the locations given must match exactly. If the service-location command is not configured, both halves of the pair remain down.
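
The pairing rules in this paragraph, and in the matching paragraph under interface vasi, can be checked against a saved configuration before it is applied. The following Python check is an added example, not Cisco code; the sample configuration is constructed, and the names parse_vasi and lint_vasi are hypothetical.

```python
import re

# Constructed sample configuration (not from the original page).
SAMPLE_CONFIG = """\
interface VASILeft 1
 service-location preferred-active 0/3/CPU0
interface VASIRight 1
 vrf green
interface VASILeft 2
 service-location preferred-active 0/3/CPU0
interface VASILeft 3
 service-location preferred-active 0/0/CPU0
interface VASIRight 3
 service-location preferred-active 0/1/CPU0
interface VASILeft 4
interface VASIRight 4
"""

IFACE_RE = re.compile(r"^interface\s+vasi(left|right)\s*(\d+)\s*$", re.I)
LOC_RE = re.compile(r"^\s+service-location\s+(preferred-active\s+\S.*?)\s*$", re.I)

def parse_vasi(config):
    """Return {pair number: {"left"/"right": service-location text or None}}."""
    pairs, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = pairs.setdefault(int(m.group(2)), {})
            side = m.group(1).lower()
            current[side] = None
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the interface block
        elif current is not None and (loc := LOC_RE.match(line)):
            # Collapse whitespace only: the locations must match exactly.
            current[side] = " ".join(loc.group(1).split())
    return pairs

def lint_vasi(config):
    """Return {pair number: [problems]} for pairs that would remain down."""
    findings = {}
    for num, halves in sorted(parse_vasi(config).items()):
        problems = [f"vasi{s} {num} not configured" for s in ("left", "right") if s not in halves]
        locations = {v for v in halves.values() if v}
        if not locations:
            problems.append("service-location not configured on either half")
        elif len(locations) > 1:
            problems.append("service-location differs between the two halves")
        if problems:
            findings[num] = problems
    return findings
```

With the constructed sample, pair 1 passes because one half carrying the location is sufficient, while pairs 2, 3 and 4 are each reported with a single problem.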

Task ID

Task ID
Operations

firewall

read, write


Examples

The following example shows how to create a firewall named "fw1" in Cisco IOS XR software and associate it with the physical location at 0/0/cpu0:

RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# firewall fw1
RP/0/0/CPU0:router(config-firewall)# service-location preferred-active 0/0/CPU0 preferred-standby 0/1/CPU0 auto-revert

The following example shows how to use the service-location command to enable a VASI interface:

RP/0/0/CPU0:router# configure 
RP/0/0/CPU0:router(config)# interface vasileft 1 
RP/0/0/CPU0:router(config-if)# vrf red 
RP/0/0/CPU0:router(config-if)# ipv4 address 10.1.2.171 255.255.255.0 
RP/0/0/CPU0:router(config-if)# service-location preferred-active 0/0/CPU0 preferred-standby 0/1/CPU0 auto-revert

Related Commands

Command
Description

default-interface-name

Configures the default interface that represents any unprotected interface in the router.

failure-action

Configures the action to take if a failure or misconfiguration occurs.

firewall

Configures a virtual firewall in Cisco IOS XR software.

firewall (interface)

Configures the firewall attachment.

interface vasi

Configures a VASI interface and enters interface configuration mode.


show interfaces vasi

To display information about a VRF-Aware Service Infrastructure (VASI) interface, use the show interfaces vasi command in EXEC mode.

show interfaces {vasileft | vasiright} number [accounting [rates] | brief | description | detail | summary] [location node-id]

Syntax Description

vasileft | vasiright

Specifies which VASI virtual interface to configure.

number

Identifier of the VASI interface. Enter an integer from 1 to 65535.

accounting

(Optional) Displays accounting information for all POS interfaces on the router, for a specific POS interface instance, or for all POS interfaces on a specific node.

rates

(Optional) Displays interface accounting rates for all POS interfaces on the router, for a specific POS interface instance, or for all POS interfaces on a specific node.

brief

(Optional) Displays brief output for all POS interfaces on the router, for a specific POS interface instance, or for all POS interfaces on a specific node.

description

Displays descriptive output for all POS interfaces on the router, for a specific POS interface instance, or for all POS interfaces on a specific node.

detail

(Optional) Displays detailed output for all POS interfaces on the router, for a specific POS interface instance, or for all POS interfaces on a specific node.

location node-id

(Optional) Displays detailed POS information for the designated node. The node-id argument is entered in the rack/slot/module notation.

summary

(Optional) Displays summarized POS interface information.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID
Task ID
Operations

interface

read, write


Examples

The following example shows sample output from the show interface vasileft command:

RP/0/0/CPU0:router# show interface vasileft 1

VASILeft1 is up, line protocol is up 
  Interface state transitions: 2
  Hardware is VASI Left interface(s)
  Internet address is 35.35.35.35/24
  MTU 9216 bytes, BW 10000000 Kbit
     reliability 255/255, txload 0/255, rxload 0/255
  Encapsulation vasi,  loopback not set,

The following example shows sample output from the show interface vasileft command with the brief keyword:

RP/0/5/CPU0:router# show interfaces vasileft 1 brief

               Intf          Intf         LineP            Encap    MTU       BW
               Name         State         State             Type (byte)   (Kbps)
--------------------------------------------------------------------------------
                VL1            up            up             vasi  9216  1000000

Table 1 describes the significant fields shown in the display.

Table 1 show interfaces vasi Field Descriptions 

Field
Description

Intf Name

Interface identifier, in the type*rack/slot/module/port notation.

Intf State

Indicates whether the interface is in the admin-up or admin-down state.

LineP State

Line protocol state.

Encap Type

Encapsulation type for the specified interface: VASI.

MTU (byte)

Maximum transmission unit (MTU) value configured for the specified interface, in bytes.

BW (Kbps)

Bandwidth of the interface, in kbps.


Related Commands

Command
Description

interface vasi

Configures a VRF-Aware Service Infrastructure (VASI) interface and enters interface configuration mode.


show services vasi status

To display the status of a VRF-Aware Service Infrastructure (VASI) interface pair, use the show services vasi status command in EXEC mode.

show services vasi status [vasileft number | vasiright number] [location node-id]

Syntax Description

vasileft | vasiright

(Optional) Specifies which VASI virtual interface to configure.

number

Identifier of the VASI interface. Enter an integer from 1 to 65535.

location node-id

(Optional) Displays detailed POS information for the designated node. The node-id argument is entered in the rack/slot/module notation.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID
Task ID
Operations

interface

read, write


Examples

The following example shows sample output from the show services vasi status command:

RP/0/0/CPU0:router# show services vasi status

Pair name  Active     Standby  LHS state    RHS state    Pair state          
---------- ---------- -------- ------------ ------------ ---------------
VASIPair1  0/1/CPU0   -        Up           Up           Up      
VASIPair2  -          -        Configured   Unconfigured Need VASIRight2     
VASIPair3  -          -        Configured   Configured   Need location 
VASIPair4  0/3/CPU0   -        Up           Admin Down   VASIRight4 Down 
VASIPair5  -          -        Configured   Configured   Card(s) not up 

Table 1 describes the significant fields shown in the display.

Table 2 show services vasi status Field Descriptions 

Field
Description

Pair Name

Name of the VASI interface pair.

Active

Physical location of the active MSB where the virtual firewall associated with the VASI interface pair is located.

Standby

Physical location of the standby MSB where the virtual firewall associated with the VASI interface pair is located.

LHS State

State of the vasileft interface. Possible values are as follows:

Up—interface is properly configured and running.

Configured—interface is configured.

Admin down—interface is configured, but administratively down. Check the configuration and use the no shutdown command in the VASI interface submode.

Unconfigured—interface is not configured.

RHS State

State of the vasiright interface. See LHS State above for possible values.

Pair State

State of the VASI interface pair. Possible values are as follows:

Up—the VASI interface pair is operational.

Need VASIRight2—the VASILeft interface is configured, but the VASIRight interface or location is not configured.

Need location—VASIPair3 has VASILeft and VASIRight interfaces configured, but not a location. Reapply the location configuration and watch for errors.

VASIRight4 Down—VASIPair4 has both the VASILeft and VASIRight configured, and a location configured, but VASIRight has been forced down. Check the configuration and use the no shutdown command in the VASIRight interface submode.

Card(s) not up—VASIPair5 is fully configured, but the MSB where the service should be running is not in the "IOS XR RUN" state. Check the output of the show platform command and wait until the MSB is reported to be in the "IOS XR RUN" state.
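
For monitoring, the status table can be parsed by column position rather than by splitting on whitespace, because values such as "Admin Down" and "Card(s) not up" contain spaces. The following Python parser is an added example, not Cisco code; it reads the sample output shown above, and the function names and the wording of the hints are hypothetical.

```python
import re

# Sample output from this page, trailing whitespace removed.
SAMPLE_OUTPUT = """\
Pair name  Active     Standby  LHS state    RHS state    Pair state
---------- ---------- -------- ------------ ------------ ---------------
VASIPair1  0/1/CPU0   -        Up           Up           Up
VASIPair2  -          -        Configured   Unconfigured Need VASIRight2
VASIPair3  -          -        Configured   Configured   Need location
VASIPair4  0/3/CPU0   -        Up           Admin Down   VASIRight4 Down
VASIPair5  -          -        Configured   Configured   Card(s) not up
"""

def parse_vasi_status(text):
    """Return one dict per pair, keyed by the column headings."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    # The dashed ruler under the header defines where each column starts and ends.
    idx = next(i for i, l in enumerate(lines) if set(l) <= {"-", " "})
    spans = [m.span() for m in re.finditer(r"-+", lines[idx])]
    names = [lines[idx - 1][s:e].strip() for s, e in spans]
    rows = []
    for line in lines[idx + 1:]:
        # The last column runs to the end of the line.
        cells = [line[s:(None if i == len(spans) - 1 else e)].strip()
                 for i, (s, e) in enumerate(spans)]
        rows.append(dict(zip(names, cells)))
    return rows

def pairs_needing_attention(text):
    """Map pair name to 'state: hint' for every pair whose Pair state is not Up."""
    out = {}
    for row in parse_vasi_status(text):
        state = row["Pair state"]
        if state == "Up":
            continue
        if state.startswith("Need VASI"):
            hint = "configure " + state.split()[1] + " or its location"
        elif state == "Need location":
            hint = "reapply service-location and watch for errors"
        elif state.endswith("Down"):
            hint = "no shutdown on " + state.split()[0]
        elif state == "Card(s) not up":
            hint = "check show platform until the MSB is in IOS XR RUN"
        else:
            hint = "state not listed in the field descriptions"
        out[row["Pair name"]] = f"{state}: {hint}"
    return out
```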