[rancid] FXOS on FirePower 4140

Gauthier, Chris cgauthier at comscore.com
Mon Feb 11 15:14:28 UTC 2019 

We have a FirePower 2110 and it is architected differently than the 4100's.  This Cisco blog post explains it well: https://blogs.cisco.com/perspectives/firepower-2100-the-architectural-need-to-know.  We are using the ASA mode on the 2110.  For SSH purposes, the IPs are different between FX-OS CLI and ASA CLI, so you do not have to use the "connect asa" CLI commands.  I don't know what the best method is, separate or not.  On the 2110, the FX-OS configuration is primarily setting up the ethernet interfaces (enable/disable, LACP).  Also, there is no "connect fxos" that I really saw, though we are also still just deploying this platform.

--Chris



Chris Gauthier Senior Network Engineer | Comscore
t +1 (503) 331-2704 | 
cgauthier at comscore.com
comscore.com
​​​This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system and notify sender.
-----Original Message-----
From: Rancid-discuss <rancid-discuss-bounces at shrubbery.net> on behalf of Chris Stromsoe <cbs at noc.ucla.edu>
Date: Friday, February 8, 2019 at 1:35 PM
To: Erik Muller <erikm at buh.org>
Cc: rancid list <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] FXOS on FirePower 4140

On Fri, 8 Feb 2019, Erik Muller wrote:

> The current fxos module assumes FTD on a 2100 platform (and I'm 
> currently testing support for ASA on 2100).  My understanding is that 
> the 4100 and 9300 have a bit of a different architecture from the 2100, 
> but I've not touched those to be able to say how exactly they differ.
>
> It looks like the initial login layer on the 4100 must be different. 
> Is there any other "connect" option from either the initial login layer 
> or the fxos layer, where the actual firewall functions are exposed?

It looks like logging in to the 4100 drops you straight into fxos.

Options for connect are

fw# connect
   adapter     Mezzanine Adapter
   cimc        Cisco Integrated Management Controller
   fxos        Connect to FXOS CLI
   local-mgmt  Connect to Local Management CLI
   module      Security Module Console


The connect command is not available after running "connect fxos".  You 
have to "exit" to return to the initial layer.



> On a 2100 the first layer you connect to is the FTD application (similar to 
> legacy ASA platform), with a simple ">" prompt and a config syntax like:
>> show running-config
> : Serial Number: J..........
> : Hardware:   FPR-2130, 14854 MB RAM, CPU MIPS 1200 MHz, 1 CPU (12 cores)
> :
> NGFW Version 6.2.3.4
> !
> hostname firepower
> ...
> !
> interface Ethernet1/1
> nameif border1
> ...
>
> After that in the fxos layer, the config is more like the the UCS FI:
> > connect fxos
> Cisco Firepower Extensible Operating System (FX-OS) Software
> xxx-fw01# sho configuration
> scope org
>     enter bios-policy SRIOV
>         set acpi10-support-config acpi10-support platform-default
> ...


The login layers on the 4100 seems to be reversed when compared to the 
2100 with ftd.

The initial login layer on the 4100 resembles the 2100 after having run 
"connect fxos", and has a limited command list.

Running "connect fxos" on the 4100 resembles the initial login layer on 
the 2100, and has an extensive command list.

I've copied all of the fxos definitions in rancid.types.base to fxos-ftd 
and updated router.db for my 2100/FTD devices.  I removed the fxos entries 
that don't run on the 4100 and re-ordered the commands.  I have a working 
configuration for the 4140, though none of the output from "show 
running-config" is getting picked up.  Maybe using WriteTermFTD isn't 
right for that.

fxos;command;fxos::RunCommand;term len 0
fxos;command;fxos::RunCommand;connect fxos; prompt changes
fxos;command;fxos::ShowInventory;show inventory
fxos;command;fxos::WriteTermFTD;show running-config
fxos;command;fxos::RunCommand;exit; prompt changes
fxos;command;fxos::ShowFirmware;show system firmware detail
fxos;command;fxos::ShowChassis;show chassis detail
fxos;command;fxos::ShowChassis;show chassis inventory detail
fxos;command;fxos::ShowChassis;show chassis environment expand detail
fxos;command;fxos::WriteTerm;show configuration




-Chris

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.shrubbery.net%2fmailman%2flistinfo%2francid-discuss&c=E,1,Agg4564IheFG90UwbAiAvZo1BLU69Z103Kv4VMySZ9xUTsjcwcvBBjtDdFnki_6XviMgM65aIammA_v80clw10SrZ9ffw-PSCud_gVcZhZE,&typo=1

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20190211/89083ef1/attachment.html>

More information about the Rancid-discuss mailing list