Cisco IOS XR Virtual Firewall Configuration Guide, Release 3.8
Managing the Virtual Firewall Software

Table Of Contents

Managing the Virtual Firewall Software

Contents

Prerequisites

Saving Configuration Files

Saving the Configuration File in Flash Memory

Saving Configuration Files to a Remote Server

Copying the Configuration File to the disk0: File System

Merging the Startup-Configuration File with the Running-Configuration File

Viewing Configuration Files

Clearing the Startup-Configuration File

Loading Configuration Files from a Remote Server

Using the File System on the VFW Application

Listing the Files in a Directory

Copying Files

Copying Files to Another Directory on the VFW Application

Copying a Packet Capture Buffer

Copying Files to a Remote Server

Copying Files from a Remote Server

Uncompressing Files in the disk0: File System

Untarring Files in the disk0: File System

Creating a New Directory

Deleting an Existing Directory

Moving Files

Deleting Files

Displaying File Contents

Saving Show Command Output to a File

Viewing and Copying Core Dumps

Copying Core Dumps

Clearing the Core Directory

Deleting a Core Dump File

Capturing and Copying Packet Information

Capturing Packet Information

Copying Capture Buffer Information

Viewing Packet Capture Information

Using the Configuration Checkpoint and Rollback Service

Creating a Configuration Checkpoint

Deleting a Configuration Checkpoint

Rolling Back a Running Configuration

Displaying Checkpoint Information

Reformatting Flash Memory

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance


Managing the Virtual Firewall Software


This module describes how to manage the software running on the VFW application.

Feature History for Software Management on the VFW Application

Release        Modification
Release 3.5.0  This feature was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0  No modification.
Release 3.7.0  No modification.
Release 3.8.0  No modification.


Contents

Prerequisites

Saving Configuration Files

Loading Configuration Files from a Remote Server

Using the File System on the VFW Application

Viewing and Copying Core Dumps

Capturing and Copying Packet Information

Using the Configuration Checkpoint and Rollback Service

Reformatting Flash Memory

Additional References

Prerequisites

You must attach from the route processor to the VFW application before you can perform the tasks described in this module. See the "Attaching to the VFW Application" section.

Saving Configuration Files

Upon startup, the VFW application loads the startup-configuration file stored in flash memory (nonvolatile memory) to the running configuration stored in RAM (volatile memory). When you partition your VFW application into multiple contexts, each context contains its own startup-configuration file.

Flash memory stores the startup-configuration files for each existing context. When the administrator creates a new context, the VFW application creates a new context directory in flash memory to store the context-specific startup-configuration files. When you copy a configuration file from the VFW application, you create a copy of the configuration information of the context from where you executed the command.

Use the show startup-config command in EXEC mode to display the contents of the startup-configuration file associated with the current context (see the "Viewing Configuration Files" section).

When you make configuration changes, the VFW application places those changes in a virtual running-configuration file called running-config, which is associated with the context you are working in. When you enter a CLI command, the change is made only to the running-configuration file in volatile memory. Before you log out or reboot the VFW application, copy the contents of the running-configuration file to the startup-configuration file (startup-config) to save configuration changes for the current context to flash memory. The VFW application uses the startup-configuration file on subsequent reboots.

This section includes the following topics:

Saving the Configuration File in Flash Memory

Saving Configuration Files to a Remote Server

Copying the Configuration File to the disk0: File System

Merging the Startup-Configuration File with the Running-Configuration File

Viewing Configuration Files

Clearing the Startup-Configuration File

Saving the Configuration File in Flash Memory

After you create or update the running-configuration file in RAM (volatile memory), save the contents to the startup-configuration file for the current context in flash memory (nonvolatile memory) on the VFW application. To copy the contents of the running-configuration file to the startup-configuration file, use the copy running-config startup-config command from EXEC mode.

You can also use the write memory command to copy the contents of the running-configuration file for the current context to the startup-configuration file. The write memory command is equivalent to the copy running-config startup-config command.

The optional write memory all keyword saves configurations for all existing contexts. This keyword is available only in the Admin context.

If you intend to use the write memory command to save the contents of the running-configuration file for the current context to the startup-configuration file, be sure to also specify this command in the Admin context. This step is important to save changes to the Admin context startup-configuration file; the Admin context startup-configuration file contains all configurations used to create each user context.

Saving Configuration Files to a Remote Server

To save the running-configuration file or startup-configuration file to a remote server using FTP, SFTP, or TFTP, use the copy running-config or copy startup-config command in EXEC mode. The copy serves as a backup file for the running-configuration file or startup-configuration file for the current context. Before installing or migrating to a new software version, back up the VFW application startup-configuration file to a remote server using FTP, SFTP, or TFTP. When you name the backup file, we recommend that you name it in such a way that you can easily tell the context source of the file (for example, running-config-ctx1, startup-config-ctx1).

Copying the Configuration File to the disk0: File System

After you create or update the running-configuration file or the startup-configuration file, you can copy the file to the disk0: file system in flash memory on the VFW application.

To save the contents of the running-configuration file to the disk0: file system, use the copy running-config disk0: command in EXEC mode.

To save the contents of the startup-configuration file to the disk0: file system, use the copy startup-config disk0: command in EXEC mode.

Merging the Startup-Configuration File with the Running-Configuration File

To merge the contents of the startup configuration file into the running configuration file, use the copy startup-config running-config command in EXEC mode. This command copies any additional configurations from the startup configuration file into the running configuration file. If any common commands exist in both files, the startup configuration overwrites the attributes in the running configuration file.

Viewing Configuration Files

To display the VFW application running-configuration file associated with the current context, use the show running-config command in EXEC mode. Configuration entries within each mode in the running-configuration file appear in chronological order, based on the order in which you configure the VFW application. The VFW application does not display default configurations in the VFW application running-configuration file.


Note The write terminal command can also be used to display the VFW application running-configuration file. The write terminal command is equivalent to the copy running-config command.


Use the following commands to view the content of the running-configuration and startup-configuration files:

To view the running-configuration file, use the show running-config command.

To view the startup-configuration file, use the show startup-config command.

For example, to view the entire contents of the running-configuration file on the VFW application, enter:

firewall/Admin# show running-config
Generating configuration....
logging enable
logging timestamp
logging history 6
logging buffered 6
logging monitor 4
logging device-id context-name
login timeout 0
line vty
  session-limit 20
hostname firewall
access-list all_in line 10 extended permit ip any any 
access-list all_in line 20 extended permit icmp any any 
access-list all_out line 10 extended permit ip any any 
access-list all_out line 20 extended permit icmp any any 
telnet maxsessions 10
class-map type management match-any MGMT_ALLOW_CLASS
  2 match protocol snmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol telnet any
policy-map type management first-match MGMT_ALLOW_POLICY
  class MGMT_ALLOW_CLASS
    permit
service-policy input MGMT_ALLOW_POLICY
interface outside
  access-group input all_in
  access-group output all_out
  no shutdown
ft interface ha
  ip address 10.1.2.2 255.255.255.0
  peer ip address 10.1.1.1 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 10
  heartbeat count 10
  ft-interface ha
ft group 1
  peer 1
  associate-context Admin
  inservice
context ctx1
context ctx2
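The guidance above is that changes live only in running-config until you copy them to startup-config. The following added example (not part of the Cisco documentation) shows one way to check for unsaved changes offline: it parses two configuration dumps in the indented format printed by show running-config and show startup-config and reports which commands differ, keyed by their full mode path so that identical sub-commands under different parents are kept apart. The running-config sample is an abridged copy of the output above; the startup-config sample is constructed for the comparison.

```python
"""Compare a VFW running-config dump with a saved startup-config dump.

Added example, not Cisco code. Both inputs are text in the form printed by
show running-config / show startup-config: top-level commands at column 0
and sub-mode commands indented beneath their parent command.
"""

# Abridged copy of the show running-config example on this page.
RUNNING_CONFIG = """\
Generating configuration....
logging enable
logging buffered 6
hostname firewall
access-list all_in line 10 extended permit ip any any
telnet maxsessions 10
class-map type management match-any MGMT_ALLOW_CLASS
  2 match protocol snmp any
  3 match protocol http any
interface outside
  access-group input all_in
  no shutdown
context ctx1
"""

# Constructed sample of an older startup-config: no "logging buffered",
# a different telnet session limit and one extra class-map entry.
STARTUP_CONFIG = """\
logging enable
hostname firewall
access-list all_in line 10 extended permit ip any any
telnet maxsessions 5
class-map type management match-any MGMT_ALLOW_CLASS
  2 match protocol snmp any
  3 match protocol http any
  4 match protocol https any
interface outside
  access-group input all_in
  no shutdown
context ctx1
"""


def parse_config(text):
    """Return the set of command paths (parent, ..., command) in a config dump.

    Blank lines and the "Generating configuration...." banner are skipped.
    Indentation decides nesting: a line indented deeper than the previous one
    is a sub-command of it.
    """
    paths = set()
    stack = []  # (indent, line) of the enclosing modes
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Generating configuration"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        paths.add(tuple(parent for _, parent in stack) + (line,))
        stack.append((indent, line))
    return paths


def config_diff(running, startup):
    """Return (unsaved, missing): paths only in running / only in startup."""
    r, s = parse_config(running), parse_config(startup)
    return sorted(r - s), sorted(s - r)


def has_unsaved_changes(running, startup):
    unsaved, missing = config_diff(running, startup)
    return bool(unsaved or missing)


if __name__ == "__main__":
    unsaved, missing = config_diff(RUNNING_CONFIG, STARTUP_CONFIG)
    print("in running-config but not in startup-config (unsaved):")
    for path in unsaved:
        print("  " + " / ".join(path))
    print("in startup-config but no longer in running-config:")
    for path in missing:
        print("  " + " / ".join(path))
```

Run it against the two dumps you pulled with show running-config and show startup-config before logging out; a non-empty result means a copy running-config startup-config (or write memory) is still needed for that context.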

Clearing the Startup-Configuration File

To clear the contents of the VFW application startup-configuration file of the current context in flash memory, use either the clear startup-config command or the write erase command in EXEC mode. Both commands reset the startup-configuration file to the default settings and take effect immediately. The running-configuration file is not affected. In addition, the clear startup-config and write erase commands do not clear the boot variables, such as config-register and boot system settings.

Before you clear the contents of the VFW application startup-configuration file, back up your startup-configuration file to a remote server (see the "Saving Configuration Files to a Remote Server" section). When you clear the startup-configuration file, you can perform one of the following processes to recover a copy of an existing configuration:

Use the copy running-config startup-config command to copy the contents of the existing running-configuration file to the startup-configuration file. See the "Saving the Configuration File in Flash Memory" section.

Upload a backup of a previously saved startup-configuration file from a remote server. See the "Loading Configuration Files from a Remote Server" section.

For example, to reset the VFW application startup-configuration file, enter:

firewall/Admin# clear startup-config

Loading Configuration Files from a Remote Server

You can configure the VFW application by loading configuration files previously backed up to a remote FTP, SFTP, or TFTP server. Before you begin loading a configuration file from a remote server, ensure that:

You know the location of the configuration file to be loaded from the remote server.

Permissions of the configuration file are set to world-read.

The VFW application has a route to the remote server. The VFW application and the remote server must be in the same subnetwork if you do not have a router or default gateway to route traffic between subnets. To check connectivity to the remote server, use the ping or traceroute command in EXEC mode.

When you copy the backup configuration file to the VFW application, you copy the configuration information to the context from where you initially executed the copy command. When you copy a configuration file to the VFW application, ensure that the configuration file is appropriate for use in the current context. For example, copy the backup configuration file startup-config-ctx1 to context 1.

To configure the VFW application using a running-configuration file or startup-configuration file downloaded from a remote server, use the copy command in EXEC mode.

For example, to copy a startup-configuration file from a remote FTP server to the VFW application, enter:

firewall/Admin# copy ftp://192.168.1.2/configs/startup-config-Adm_ctx startup-config

Using the File System on the VFW Application

Flash memory stores the operating system, startup-configuration files, software licenses, core dump files, system message log files, SSL certificates and keys, and other data on the VFW application. Flash memory comprises a number of individual file systems, or partitions, that include this data.

The file systems, or partitions, contained in the VFW application include:

disk0:—Contains all startup-configuration files, software licenses, system message log files, SSL certificates and keys, and user-generated data for all existing contexts on the VFW application.

image:—Contains a general file system that can only be viewed from the Admin context.

core:—Contains the core files generated after each time the VFW application becomes unresponsive.

volatile:—Contains the files residing in the temporary (volatile:) directory. The volatile: directory provides temporary storage; files in temporary storage are erased when the VFW application reboots.

The Admin context supports all four file systems in the VFW application. The user context supports only the disk0: and volatile: file systems.

When the administrator creates a new context, the VFW application creates a new context directory in flash memory to store context-specific data such as startup-configuration files.

The VFW application provides a number of useful commands to help you manage the software configuration and image, and files. This section provides a series of procedures to help you manage files on the VFW application. It includes the following procedures:

Listing the Files in a Directory

Copying Files

Uncompressing Files in the disk0: File System

Untarring Files in the disk0: File System

Creating a New Directory

Deleting an Existing Directory

Moving Files

Deleting Files

Displaying File Contents

Saving Show Command Output to a File

Listing the Files in a Directory

To display the directory contents of a specified file system, use the dir command in EXEC mode. This command displays a detailed list of directories and files contained within the specified file system on the VFW application, including names, sizes, and time created. You may optionally specify the name of a directory to list.

For example, to list the files in the disk0: file system, enter:

firewall/Admin# dir disk0:
1024  Jan 01 00:07:33 2000 cv/
           Usage for disk0: filesystem 
                    1074176 bytes total used
                  100455424 bytes free
                  101529600 bytes available

For example, to list the core dump files in flash memory, enter:

firewall/Admin# dir core:
254894  Jul 24 20:09:48 2007 0x901_vsh_log.989.tar.gz
254775  Jul 24 20:13:25 2007 0x901_vsh_log.1053.tar.gz
           Usage for core: filesystem 
                    1580032 bytes total used
                  201517056 bytes free
                  203097088 bytes available

Copying Files

This section covers the following procedures:

Copying Files to Another Directory on the VFW Application

Copying a Packet Capture Buffer

Copying Files to a Remote Server

Copying Files from a Remote Server

Copying Files to Another Directory on the VFW Application

To copy a file from one directory in the disk0: file system of flash memory to another directory in disk0:, use the copy disk0: command.


Note Use the dir disk0: command to view the files available in disk0:.


For example, to copy the file called SAMPLEFILE to the MYSTORAGE directory in the disk0: file system, enter:

firewall/Admin# copy disk0:samplefile disk0:MYSTORAGE/SAMPLEFILE

Copying a Packet Capture Buffer

To copy an existing packet capture buffer to the disk0: file system, use the copy capture command in EXEC mode.

For example, to copy a packet capture buffer to the disk0: file system, enter:

firewall/Admin# copy capture packet_capture_Jan_17_06 disk0:

Copying Files to a Remote Server

To copy a file from flash memory on the VFW application to a remote server using FTP, SFTP, or TFTP, use the copy command in EXEC mode. The copy serves as a backup file for such files as the capture buffer file, core dump, VFW application licenses in .tar format, running-configuration file, or startup-configuration file.

For example, to save a running-configuration file to a remote FTP server, enter:

firewall/Admin# copy running-config ftp://192.168.215.124/running-config_Adminctx
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password: password1
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
####

Note The bin (binary) file transfer mode is intended for transferring compiled files (executables). The ascii file transfer mode is intended for transferring text files, such as config files. The default selection of bin should be sufficient in all cases when copying files to a remote FTP server.


For example, to save a core dump file to a remote FTP server, enter:

firewall/Admin# copy core:0x401_vsh_log.8249.tar.gz ftp://192.168.1.2 

Copying Files from a Remote Server

To copy a file from a remote server to a location on the VFW application using FTP, SFTP, or TFTP, use the copy command in EXEC mode.

For example, to copy a startup-configuration file from a remote FTP server to the disk0: file system, enter:

firewall/Admin# copy ftp://192.168.1.2/ startup-config
Enter source filename[]? startup_config_Adminctx
File already exists, do you want to overwrite?[y/n]: [y] y
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).

Note The bin (binary) file transfer mode is intended for transferring compiled files (executables). The ascii file transfer mode is intended for transferring text files, such as config files. The default selection of bin should be sufficient in all cases when copying files to a remote FTP server.


Uncompressing Files in the disk0: File System

To uncompress (unzip) LZ77 coded files in the disk0: file system (for example, zipped probe script files), use the gunzip command in EXEC mode. This command is useful in uncompressing large files. The filename must end with a .gz extension for the file to be uncompressed using the gunzip command. The .gz extension indicates a file zipped by the gzip (GNU zip) compression utility.

For example, to unzip a compressed series of probe script files residing in the disk0: file system, enter:

firewall/Admin# gunzip disk0:PROBE_SCRIPTS.gz 

Untarring Files in the disk0: File System

A .tar file keeps related files together and facilitates the transfer of multiple files. A .tar file is a series of separate files, typically not compressed, added together into a single file by a UNIX TAR program. The resulting file is known as a tarball, which is similar to a zip file but without the compression. The files in a .tar file must be extracted before they can be used.

To untar a single file with a .tar extension in the disk0: file system, use the untar command in EXEC mode. Use this command to untar the sample scripts file. The filename must end with a .tar extension for you to use the untar command.

Creating a New Directory

To create a directory in the disk0: file system of flash memory, use the mkdir disk0: command in EXEC mode.

For example, to create a directory called TEST_DIRECTORY in the disk0: file system, enter:

firewall/Admin# mkdir disk0:TEST_DIRECTORY

Deleting an Existing Directory

To remove an existing directory from the disk0: file system of flash memory, use the rmdir disk0: command in EXEC mode. The directory must be empty to be deleted.


Note Use the delete command to remove a file from the VFW application file system (see the "Deleting Files" section).


For example, to delete a directory called TEST_DIRECTORY from the disk0: file system, enter:

firewall/Admin# rmdir disk0:TEST_DIRECTORY

Moving Files

To move a file between directories in the disk0: file system, use the move command in EXEC mode. If a file with the same name already exists in the destination directory, that file is overwritten by the moved file.


Note Use the dir disk0: command to view the files available in the disk0: file system.


For example, to move the file called SAMPLEFILE to the MYSTORAGE directory in the disk0: file system, enter:

firewall/Admin# move disk0:SAMPLEFILE disk0:MYSTORAGE/SAMPLEFILE

Deleting Files

To delete a file from a specific file system in the VFW application, use the delete command in EXEC mode. When you delete a file, the VFW application erases the file from the specified file system.


Note Use the rmdir command to remove a directory from the VFW application file system (see the "Deleting an Existing Directory" section).


For example, to delete a copy of the running-configuration file called my_running-config1 from the mystorage directory on the disk0: file system, enter:

firewall/Admin# delete disk0:mystorage/my_running-config1

Displaying File Contents

To display the contents of a specified file in a directory in flash memory or in nonvolatile memory, use the show file command.

For example, to display the contents of a file residing in the current directory, enter:

firewall/Admin# show file disk0:myfile md5sum
3d8e05790155150734eb8639ce98a331
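The md5sum keyword gives you a way to confirm that a configuration backup copied off the device (see the "Copying Files to a Remote Server" section) arrived intact. The following added example (not part of the Cisco documentation) extracts the digest from the show file output, computes the digest of the local copy and compares the two. The CLI output is the one shown above; the backup contents in the test are constructed. MD5 catches accidental corruption such as an FTP ascii-mode transfer rewriting line endings or a truncated copy; it is not a defence against a deliberately substituted file.

```python
"""Check a local configuration backup against the md5sum reported by the VFW.

Added example, not Cisco code. Workflow: copy the file off the device, run
"show file disk0:<name> md5sum" on the VFW application, paste that output
into parse_show_file_md5() and compare it with the digest of the local copy.
"""
import hashlib
import re

# Output copied from the show file example on this page.
SHOW_FILE_OUTPUT = """\
firewall/Admin# show file disk0:myfile md5sum
3d8e05790155150734eb8639ce98a331
"""

MD5_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest of a byte string."""
    return hashlib.md5(data).hexdigest()


def parse_show_file_md5(output: str) -> str:
    """Return the 32-hex-digit digest from show file ... md5sum output.

    The echoed command line is skipped so a file name that happens to look
    like a digest cannot be mistaken for the result.
    """
    for line in output.splitlines():
        if "show file" in line:
            continue
        m = MD5_RE.search(line)
        if m:
            return m.group(1).lower()
    raise ValueError("no md5sum found in CLI output")


def verify_backup_bytes(data: bytes, expected_md5: str) -> bool:
    """True when the local copy's digest equals the digest reported by the device."""
    return md5_hex(data) == expected_md5.strip().lower()


def verify_backup_file(path: str, cli_output: str) -> bool:
    """Compare a backup file on disk with the digest in pasted CLI output."""
    with open(path, "rb") as fh:
        return verify_backup_bytes(fh.read(), parse_show_file_md5(cli_output))


if __name__ == "__main__":
    import sys
    # Usage: python verify_backup.py <local backup file> < show_file_output.txt
    ok = verify_backup_file(sys.argv[1], sys.stdin.read())
    print("backup matches device digest" if ok else "DIGEST MISMATCH")
```

When the two digests disagree and the file was transferred with FTP in ascii mode, re-run the copy in bin mode before assuming the backup is damaged; the note on transfer modes in "Copying Files to a Remote Server" applies here too.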

Saving Show Command Output to a File

You can force all show screen output to be directed to a file by appending > filename to any command. For example, you can enter show interface > filename at the EXEC mode CLI prompt to redirect the interface configuration command output to a file created at the same directory level.

Viewing and Copying Core Dumps

A core dump occurs when the VFW application experiences a fatal error. The VFW application writes information about the fatal error to the core: file system in flash memory before a switchover or reboot occurs. The core: file system is the storage location for all core files generated during a fatal error. Three minutes after the VFW application reboots, the saved last core is restored from the core: file system back to its original RAM location. This restoration is a background process and is not visible to the user.

You can view the list of core files in the core: file system by using the dir core: command in EXEC mode.

The core: file system is available only from the Admin context.


Note Core dump information is for Cisco Technical Support use only. If the VFW application becomes unresponsive, you can view the dump information in the core through the show cores command. We recommend contacting Cisco Technical Support for assistance in interpreting the information in the core dump.


The time stamp on the restored last core file displays the time when the VFW application booted up, not when the last core was actually dumped. To obtain the exact time of the last core dump, check the corresponding log file with the same process identifier (PID).

This section includes the following topics:

Copying Core Dumps

Clearing the Core Directory

Deleting a Core Dump File

Copying Core Dumps

You can save a core dump from the VFW application to the disk0: file system or to a remote server. To save a core to a remote server, use the copy core: command in EXEC mode. The VFW application copies a single file based on the provided process identifier. The copy core: command is available only in the Admin context.

To display the list of available core files, use the dir core: command. Copy the complete filename (for example, 0x401_vsh_log.25256.tar.gz) into the copy core: command.

For example, to copy a core file from the VFW application to a remote FTP server, enter:

firewall/Admin# copy core:0x401_vsh_log.8249.tar.gz ftp://192.168.1.2 
Enter the destination filename[]? [0x401_vsh_log.8249.tar.gz]
Enter username[]? user1
Enter the file transfer mode[bin/ascii]: [bin]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).

Note The bin (binary) file transfer mode is intended for transferring compiled files (executables). The ascii file transfer mode is intended for transferring text files, such as configuration files. The default selection of bin should be sufficient in all cases when copying files to a remote FTP server.


Clearing the Core Directory

Use the clear cores command in EXEC mode of the Admin context to clear out all of the core dumps stored in the core: file system.

For example, to clear out all of the core dumps stored in the core: file system, enter:

firewall/Admin# clear cores

Deleting a Core Dump File

Use the delete core: command in EXEC mode of the Admin context to delete a core dump file from the core: file system in flash memory. Use the dir core: command to view the core dump files available in flash memory.

For example, to delete the file 0x401_VSH_LOG.25256.TAR.GZ from the core: file system, enter:

firewall/Admin# delete core:0x401_VSH_LOG.25256.TAR.GZ

Capturing and Copying Packet Information

Capturing packets is useful as an aid in troubleshooting connectivity problems with the VFW application or for monitoring suspicious activity. The VFW application can track packet information for network traffic that passes through the VFW application. The attributes of the packet are defined by an ACL. The VFW application buffers the captured packets, and you can copy the buffered contents to a file in flash memory on the VFW application or to a remote server. You can also display the captured packet information on your console or terminal.

This section contains the following topics:

Capturing Packet Information

Copying Capture Buffer Information

Viewing Packet Capture Information

Capturing Packet Information

To enable the packet capture function on the VFW application for packet sniffing and network fault isolation, use the capture command in EXEC mode. As part of the packet capture process, you specify whether to capture packets from all input interfaces or from an individual interface.


Note The packet capture function enables access-control lists (ACLs) to control what packets are captured by the VFW application on the input interface. If the ACLs are selecting an excessive amount of traffic for the packet capture operation, the VFW application sees a heavy load, which can cause a degradation in performance. We recommend that you avoid using the packet capture function when high network performance is critical.


The capture packet function works on an individual context basis. The VFW application traces only the packets that belong to the current context where you execute the capture command in EXEC mode. The context ID is passed along with the packet, which can be used to isolate packets that belong to a specific context. To trace the packets for a specific context, use the changeto command in EXEC mode to enter the specified context and execute the capture command.

The VFW application does not automatically save the packet capture to a file. To copy the capture buffer information as a file in flash memory or to a remote server, use the copy capture command (see the "Copying Capture Buffer Information" section).

For example, to enable packet capture on an interface, enter the following:

firewall/Admin# access-list acl1 line 10 extended permit ip any any
firewall/Admin# capture capture1 interface management ctx1 access-list acl1
firewall/Admin# capture capture1 start

To stop the packet capture function on the interface, enter the following:

firewall/Admin# capture capture1 stop

Copying Capture Buffer Information

To copy an existing packet capture buffer to the disk0: file system, use the copy capture command in EXEC mode.

For example, to copy a packet capture buffer to the disk0: file system as a file on disk0: called mycapture1, enter:

firewall/Admin# copy capture packet_capture_Jan_17_06 disk0:mycapture1

To clear the capture packet buffer, use the clear capture command in EXEC mode.

For example, to clear the capture buffer for the capture buffer packet_capture_Jan_17_06, enter:

firewall/Admin# clear capture packet_capture_Jan_17_06

Viewing Packet Capture Information

To display the captured packet information on your console or terminal, use the show capture command in EXEC mode.

For example, to display captured packet information for packet capture buffer capture1, enter:

firewall/Admin# show capture capture1
0001: msg_type: ACE_HIT ace_id: 41 action_flag: 11 
0002: msg_type: CON_SETUP con_id: 1090519041 out_con_id: 16777218
0003: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0 
0004: msg_type: PKT_RCV con_id: 1090519041 other_con_id: 0 
0005: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0 
0006: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0 
0007: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0 
0008: msg_type: PKT_RCV con_id: 1090519041 other_con_id: 0 
0009: msg_type: PKT_RCV con_id: 1090519041 other_con_id: 0 
0010: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0 
0011: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0 
0012: msg_type: PKT_RCV con_id: 1090519041 other_con_id: 0 
0013: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0 
0014: msg_type: PKT_RCV con_id: 16777218 other_con_id: 0 
0015: msg_type: PKT_RCV con_id: 1090519041 other_con_id: 0 

For example, to display packet capture status information, enter:

firewall/Admin# show capture capture1 status
Capture session : cap1 
Buffer size     : 64 K
Circular        : no 
Buffer usage    : 19.00%
Status          : stopped

For example, to display protocol information for a range of captured packets, enter:

firewall/Admin# show capture capture1 detail range 2-3
0002: msg_type: CON_SETUP 
con_id: 1090519041       out_con_id: 16777218
src_addr: 10.7.107.11      src_port: 30212 
dst_addr: 10.7.107.15      dst_port: 23 
l3_protocol: 0          l4_protocol: 0 
message_hex_dump: 
0x0000: 0000 0101 4100 0001 0100 0002 0000 0000  ....A...........
0x0010: 0a07 6b0b 0a07 6b0f 0619 0001 7604 0017  ..k...k.....v...
0x0020: 0000 0000 0002 0000 05b4 0000 0100 0002  ................
0x0030: 0000 0000 0010 0481 0208 0000 0000 0000  ................
0x0040: 0000 0000 1020 0010 0000 0000 19b2 fb3c  ...............<
0x0050: 000c 40ae 0000 0029 0000 0000 000c 40ae  ..@....)......@.
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0070: 0a07 6b0f 0a07 6b0b 0610 0001 0017 7604  ..k...k.......v.
0x0080: 0000 0000 0002 0000 05b4 0004 4100 0001  ............A...
0x0090: 0000 0000 0010 0480 0208 0000 0000 0000  ................
0x00a0: 0000 0000 1020 0010 0000 0000 19b2 fb3c  ...............<
0x00b0: 000c 40ae 0000 0029 0000 0000 000c 40ae  ..@....)......@.
0x00c0: 0000 0000 0000 0000 0000 0000            ............
0003: msg_type: PKT_RCV 
con_id: 16777218                other_con_id: 0 
message_hex_dump: 
0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06  ...N.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 002c b0de 0000 ff06 2005 0a07 6b0b  E..,..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb3b 0000 0000  ..k.v......;....
0x0040: 6002 1020 12d5 00                        `......

For example, to display captured packet information in tcpdump format, enter:

firewall/Admin# show capture capture1 detail
0001: msg_type: ACE_HIT 
ace_id: 41              action_flag: 0xb 
src_addr: 10.7.107.11      src_port: 30212 
dst_addr: 10.7.107.15      dst_port: 23 
l3_protocol: 0          l4_protocol: 6 
message_hex_dump: 
0x0000: 0000 0104 0000 0029 0000 0000 0a07 6b0b  .......)......k.
0x0010: 0a07 6b0f 0609 0001 7604 0017 0000 0000  ..k.....v.......
0x0020: 0000 0000 0000 0000 0000 0029 0b06 0000  ...........)....
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0040: 0000 0000 0000 0001                      ........
0002: msg_type: CON_SETUP 
con_id: 1090519041       out_con_id: 16777218
src_addr: 10.7.107.11      src_port: 30212 
dst_addr: 10.7.107.15      dst_port: 23 
l3_protocol: 0          l4_protocol: 0 
message_hex_dump: 
0x0000: 0000 0101 4100 0001 0100 0002 0000 0000  ....A...........
0x0010: 0a07 6b0b 0a07 6b0f 0619 0001 7604 0017  ..k...k.....v...
0x0020: 0000 0000 0002 0000 05b4 0000 0100 0002  ................
0x0030: 0000 0000 0010 0481 0208 0000 0000 0000  ................
0x0040: 0000 0000 1020 0010 0000 0000 19b2 fb3c  ...............<
0x0050: 000c 40ae 0000 0029 0000 0000 000c 40ae  ..@....)......@.
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0070: 0a07 6b0f 0a07 6b0b 0610 0001 0017 7604  ..k...k.......v.
0x0080: 0000 0000 0002 0000 05b4 0004 4100 0001  ............A...
0x0090: 0000 0000 0010 0480 0208 0000 0000 0000  ................
0x00a0: 0000 0000 1020 0010 0000 0000 19b2 fb3c  ...............<
0x00b0: 000c 40ae 0000 0029 0000 0000 000c 40ae  ..@....)......@.
0x00c0: 0000 0000 0000 0000 0000 0000            ............
0003: msg_type: PKT_RCV 
con_id: 16777218                other_con_id: 0 
message_hex_dump: 
0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06  ...N.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 002c b0de 0000 ff06 2005 0a07 6b0b  E..,..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb3b 0000 0000  ..k.v......;....
0x0040: 6002 1020 12d5 00                        `......
0004: msg_type: PKT_RCV 
con_id: 1090519041              other_con_id: 0 
message_hex_dump: 
0x0000: 0840 004e 0050 8034 0000 000a 0000 0000  .@.N.P.4........
0x0010: 0004 0011 5d6a f800 0005 9a3b 95d9 0800  ....]j.....;....
0x0020: 4500 002c 0000 4000 4006 50a4 0a07 6b0f  E..,..@.@.P...k.
0x0030: 0a07 6b0b 0017 7604 f31b 6f71 19b2 fb3c  ..k...v...oq...<
0x0040: 6012 16d0 a986 00                        `......
0005: msg_type: PKT_RCV 
con_id: 16777218                other_con_id: 0 
message_hex_dump: 
0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06  ...N.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 0028 b0df 0000 ff06 2008 0a07 6b0b  E..(..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb3c f31b 6f72  ..k.v......<..or
0x0040: 5010 1020 c7f3 00                        P......
0006: msg_type: PKT_RCV 
con_id: 16777218                other_con_id: 0 
message_hex_dump: 
0x0000: 8900 005a 0050 8034 0038 000a 0010 0a06  ...Z.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 003a b0e0 0000 ff06 1ff5 0a07 6b0b  E..:..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb3c f31b 6f72  ..k.v......<..or
0x0040: 5018 1020 9a8a 0000 fffd 03ff fb18 fffb  P...............
0x0050: 17ff fb                                  ...
0007: msg_type: PKT_RCV 
con_id: 16777218                other_con_id: 0 
message_hex_dump: 
0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06  ...N.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 0028 b0e1 0000 ff06 2006 0a07 6b0b  E..(..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb4e f31b 6f72  ..k.v......N..or
0x0040: 5010 1020 c7e1 00                        P......
0008: msg_type: PKT_RCV 
con_id: 1090519041              other_con_id: 0 
message_hex_dump: 
0x0000: 0840 004e 0050 8034 0000 000a 0000 0000  .@.N.P.4........
0x0010: 0004 0011 5d6a f800 0005 9a3b 95d9 0800  ....]j.....;....
0x0020: 4500 0028 7b6e 4000 4006 d539 0a07 6b0f  E..({n@.@..9..k.
0x0030: 0a07 6b0b 0017 7604 f31b 6f72 19b2 fb4e  ..k...v...or...N
0x0040: 5010 16d0 c131 00                        P....1.
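
As an added example (not part of this guide or of the VFW software), the Python script below parses the show capture detail output shown above and decodes the Ethernet, IPv4 and TCP headers carried in each PKT_RCV message into tcpdump-style summary lines, so an operator can follow the captured TCP handshake (SYN, SYN-ACK) without reading the hex by hand. It assumes the Ethernet frame starts 18 bytes into each PKT_RCV dump, as observed in the output above; the layout of the preceding VFW internal header is not documented here, and the embedded sample is an excerpt of messages 0003 and 0004 from that output.

```python
import re
import struct
# ETH_OFFSET is an assumption (frame starts 18 bytes into each PKT_RCV dump, as seen in the output above).
ETH_OFFSET = 18
TCP_FLAGS = [(0x02, "S"), (0x10, "."), (0x08, "P"), (0x01, "F"), (0x04, "R")]
# Excerpt of the "show capture capture1 detail" output above (messages 0003 and 0004).
SAMPLE = """\
0003: msg_type: PKT_RCV 
con_id: 16777218                other_con_id: 0 
message_hex_dump: 
0x0000: 8900 004e 0050 8034 0038 000a 0010 0a06  ...N.P.4.8......
0x0010: 0000 0005 9a3b 95d9 0011 5d6a f800 0800  .....;....]j....
0x0020: 45c0 002c b0de 0000 ff06 2005 0a07 6b0b  E..,..........k.
0x0030: 0a07 6b0f 7604 0017 19b2 fb3b 0000 0000  ..k.v......;....
0x0040: 6002 1020 12d5 00                        `......
0004: msg_type: PKT_RCV 
con_id: 1090519041              other_con_id: 0 
message_hex_dump: 
0x0000: 0840 004e 0050 8034 0000 000a 0000 0000  .@.N.P.4........
0x0010: 0004 0011 5d6a f800 0005 9a3b 95d9 0800  ....]j.....;....
0x0020: 4500 002c 0000 4000 4006 50a4 0a07 6b0f  E..,..@.@.P...k.
0x0030: 0a07 6b0b 0017 7604 f31b 6f71 19b2 fb3c  ..k...v...oq...<
0x0040: 6012 16d0 a986 00                        `......
"""

def parse_capture(text):
    """Split the output into messages: header fields plus the raw bytes of the hex dump."""
    messages = []
    for line in text.splitlines():
        m = re.match(r"(\d{4}): msg_type: (\w+)", line)
        if m:
            messages.append({"num": int(m.group(1)), "msg_type": m.group(2), "data": bytearray()})
        elif line.startswith("0x") and messages:
            hex_words = line.split(":", 1)[1].split("  ")[0]   # drop the ASCII column
            messages[-1]["data"] += bytes.fromhex("".join(hex_words.split()))
        elif messages:
            messages[-1].update(re.findall(r"(\w+): (\S+)", line))   # key: value pairs
    return messages

def decode_pkt(data):
    """Decode the IPv4/TCP headers of one PKT_RCV dump into a tcpdump-style line (None if not IPv4/TCP)."""
    frame = data[ETH_OFFSET:]
    if len(frame) < 34 or frame[12:14] != b"\x08\x00": return None   # no IPv4 frame where expected
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    if proto != 6 or len(ip) < ihl + 16: return None   # the dump is truncated after the TCP window field
    sport, dport, seq, ack, off_flags, win = struct.unpack(">HHIIHH", ip[ihl:ihl + 16])
    flags = "".join(n for bit, n in TCP_FLAGS if off_flags & bit) or "none"
    return f"{src}.{sport} > {dst}.{dport}: Flags [{flags}], seq {seq}, ack {ack}, win {win}"
```

Running decode_pkt over each PKT_RCV message from parse_capture(SAMPLE) yields the SYN from 10.7.107.11 and the SYN-ACK from 10.7.107.15 that the two dumps contain.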

Using the Configuration Checkpoint and Rollback Service

At some point, you may want to modify your running configuration. If you run into a problem with the modified configuration, you may need to reboot your VFW application. To prevent having to reboot your module after unsuccessfully modifying a running configuration, you can create a checkpoint (a snapshot in time) of a known stable running configuration before you begin to modify it. That way, if you encounter a problem with the modifications to the running configuration, you can roll back the configuration to the previous stable configuration checkpoint.

The VFW application supports checkpointing a configuration at the context level. The VFW application stores the checkpoint for each context in a hidden directory in flash memory. If you then modify the running configuration and enter the checkpoint rollback command, the VFW application reverts the running configuration to the checkpointed configuration.

This section describes how to checkpoint (make a snapshot of) a running configuration on your VFW application and how to use the rollback service to revert to the last known stable configuration. For details about using the checkpoint and rollback features, see the following sections:

Creating a Configuration Checkpoint

Deleting a Configuration Checkpoint

Rolling Back a Running Configuration

Displaying Checkpoint Information

Creating a Configuration Checkpoint

To create a configuration checkpoint, use the checkpoint create command in EXEC mode in the context for which you want to create a checkpoint. The VFW application supports a maximum of 10 checkpoints for each context.

Be sure that the current running configuration is stable and is the configuration you want to checkpoint. If you change your mind after creating the checkpoint, you can delete it. See the "Deleting a Configuration Checkpoint" section.

For example, enter:

firewall/Admin# checkpoint create MYCHECKPOINT
Generating configuration....
Created checkpoint 'MYCHECKPOINT'

If the checkpoint already exists, you are prompted to overwrite it as follows:

Checkpoint already exists
Do you want to overwrite it? (y/n)  [n] y
Generating configuration....
Created checkpoint 'MYCHECKPOINT'

The default is n. If you do not want to overwrite the existing checkpoint, press Enter. To overwrite the existing checkpoint, enter y.

Deleting a Configuration Checkpoint

To delete a configuration checkpoint, use the checkpoint delete command in EXEC mode. Before you use this command, be sure that you want to delete the checkpoint. When you enter this command, the VFW application removes the checkpoint from flash memory.

For example, enter:

firewall/Admin# checkpoint delete MYCHECKPOINT
Deleted checkpoint 'MYCHECKPOINT'

Rolling Back a Running Configuration

To roll back the current running configuration to the previously checkpointed running configuration for the current context, use the checkpoint rollback command in EXEC mode.

For example, enter:

firewall/Admin# checkpoint rollback MYCHECKPOINT
This operation will rollback the system's running configuration to the checkpoint's configuration.
Do you wish to proceed? (y/n)  [n] y
Rollback in progress, please wait...
Generating configuration....
Rollback succeeded
switch/Admin#

Displaying Checkpoint Information

To display checkpoint information, use the show checkpoint command in EXEC mode.

For example, to display the running configuration for a specific checkpoint, enter:

firewall/Admin# show checkpoint detail MYCHECKPOINT

Reformatting Flash Memory

Caution: We recommend that you use the format command to reformat the VFW application flash memory only under the guidance and supervision of Cisco Technical Support.

The VFW application uses the file allocation table (FAT16) as the base file system. The file system is used to allocate and organize storage space for various types of storage, such as startup-configuration files, SSL certificate storage, core files, image storage, and log files. To reformat flash memory on the VFW application, use the format command. The format command allows you to erase all data on the flash memory and reformat it with the FAT16 version of the file allocation table. All user-defined configuration information is erased. The MSB is rebooted after you use the format command.

Before you reformat flash memory, we recommend that you copy the following VFW application operation and configuration files or objects to a remote server:

VFW application software image

VFW application license

Startup-configuration file of each context

Running-configuration file of each context

Core dump files of each context

Packet capture buffers of each context

See the "Copying Files" section for details on using the copy command to save configuration files or objects such as the existing startup-configuration files, running-configuration files, licenses, core dump files, or packet capture buffers to a remote FTP, SFTP, or TFTP server.

For example, to erase all information in flash memory, enter:

firewall/Admin# format disk0:
Warning!! This will reboot the system after formatting disk0.
Do you wish to proceed anyway? (y/n)  [n] y 

After you reformat the flash memory, you need to import the startup-configuration and running-configuration files into the associated context using the copy command (see the "Loading Configuration Files from a Remote Server" section).

Additional References

The following sections provide references related to managing the firewall software.

Related Documents

Related Topic: Virtual firewall system and file management command syntax

Document Title: System and File Management Commands on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Command Reference


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

Link: http://www.cisco.com/techsupport