This document describes the IOSConvert program. It is one of the front-ends of the Netopeer router configuration system. Netopeer is a part of Liberouter project . Purpose of the Netopeer system is to create a software system for platform-independent configuration of routers and entire networks. Therefore, for backward compatibility with currently used routers, conversion tool from platform dependent to platform independent configuration is needed.
The Cisco IOS frontend is designed to perform batch conversion from the IOS configuration format into platform independent XML format, according to Netopeer DTD (see , samples in CVS). It parses IOS file (Cisco router configuration) and creates XML DOM tree containing same configuration information. The DOM tree is then written into file. All supported Cisco commands are converted into XML elements or attributes
The main task of this converter is to transform existing Cisco configuration files into Netopeer compatible configurations in order to use them on other platform or to process them in other front-end. The program runs in batch mode, eg. input IOS file is converted into output XML file, no command line interface is provided. The resulting XML file can be put into repository, loaded into other application (XML parser) an so on.
IOSConvert program is written in C/C++ language under common Liberouter license.
Packages:
Compiler: GNU C (gcc/g++)
The
The
Switches:
no switch prints only line number info
This section describes each supported IOS command and their Netopeer XML equivalents. It provides the reference for the "status-quo" of the IOS supported commands. Unlisted commands found in IOS configuration file are put into <platform-special> element (see below).
Comment, everything on the line is ignored. It can be also finishing character for previous section, if it is only character on the line.
! This is just a comment for following section
None
Unnamed access list, both standard and extended are supported. See the ACL section below.
access-list 100 permit tcp host 120.25.35.1 any eq telnet access-list 11 deny ip host 120.25.35.1 any
See below in ACL section
Login banner text (like /etc/issue). First two characters are taken as terminating and the text is processed until the second occurrence of terminating characters. Banner motd and login are taken as equal.
banner login ^CWelcome to burcak!^C
<banner>Welcome to burcak!</banner>
End of whole configuration, data after this command are not processed
Name of the router
hostname router-prg-c7200
<system hostname="router-prg-c7200">
Start of a interface subsection - commands related to one interface only. Valid for usual L2 interfaces, Tunnels and VLANs
interface FastEthernet10/0/1
<device id="cd1" name="FastEthernet10/0/1">
interface FastEthernet10/0/1.1
<vlan-interface device="cd1" id="cd1.1" name="FastEthernet 10/0/1.1">
interface Tunnel1
<tunnel id="ct1" name="Tunnel1">
Set the type of ARP protocol. Valid type are: arpa, frame-relay, snap, probe. DTD equivalent is to enable ARP only.
arp arpa
<device arp="on">
arp frame-relay
<device arp="on">
arp snap
<device arp="on">
arp probe
<device arp="on">
Specifies text info (description) for the current interface
description Link to server segment
<description>Link to server segment</description>
Set duplex operation mode on Ethernet devices.
duplex full
<device duplex="full">
duplex half
<device duplex="half">
duplex auto
<device duplex="auto">
Set the type of VLAN. Valid types are: dot1q (IEEE 802.1q), isl (Cisco Inter Switch Link)
encapsulation dot1q
<vlan-interface encapsulation="802.1q">
encapsulation isl
<vlan-interface encapsulation="isl">
Set the type of layer-2 protocol. Valid types are: ppp (Point-to-Point Protocol), x25, smds (switched multimegabit data service), atm-dxi
encapsulation ppp
<device encapsulation="ppp">
encapsulation frame-relay
<device encapsulation="frame-relay">
encapsulation x25
<device encapsulation="x25">
encapsulation smds
<device encapsulation="smds">
encapsulation atm-dxi
<device encapsulation="atm-dxi">
Set the IPv4 address and network mask of this interface. Address family is ipv4
Example:
ip address 192.168.1.2 255.255.255.0
<ipv4-address address="192.168.1.2" device="cdX" masklen="24" af="ipv4"/>
Set the secondary IPv4 address and network mask of this interface.
ip address 192.168.1.3 255.255.255.0 secondary
<ipv4-address address="192.168.1.2" device="cdX" masklen="24"
role="secondary"/>
Enables multicast routing.
<device multicast="on">
Sets the version of sent RIP information on this interface
ip rip send version 2
<rip-interface send=yes out-version="2"/>
Sets the version of received RIP information on this interface, both versions are received by default
ip rip receive version 2
<rip-interface receive=yes in-version="2">
ip rip receive version 1 2
<rip-interface receive=yes in-version="both">
Sets the RIP authentication type on this interface. Valid types are: text (plaintext), md5 (hashed text)
ip rip authentication mode text
<rip-interface> <rip-authentication mode="simple"> </rip-interface>
ip rip authentication mode md5
<rip-interface> <rip-authentication mode="md5"> </rip-interface>
Sets the RIP authentication key-chain on this interface. It should be defined before in the "key" section.
ip rip authentication key-chain mychain
<rip-interface> <rip-authentication password="SeCrEt"> </rip-interface>(where "mychain" is the name for key chain that includes the string "SeCrEt" as the password, see key section)
Apllies acces control list (packet filter chain) on the input traffic on this interface.
ip access-group 101 in
<device filter-in="101"/>
Apllies acces control list (packet filter chain) on the output traffic on this interface.
ip access-group 101 out
<device filter-out="101"/>
Set the IPv6 address and network mask of this interface. Address family (af attribute) is ipv6. Attribute "link" specifies forced link-local address on this interface
ip address 2001:718:1f02::1/64
<ipv6-address address="2001:718:1f02::1" device="cd1"
masklen="64" af="ipv6"/>
ip address FFFE:718:1f02::1/64 link-local
<ipv6-address address="FFFE:718:1f02::1" device="cd1"
masklen="64" af="ipv6" scope="link"/>
Enabling the RIPng protocol distribution on this interface
<ripng> <ripng-interface device="cd1"/> </ripng>
Set the MAC address of NIC on this device.
mac-address 00:00:a0:3f:19:0d
<device macaddr="00:00:a0:3f:19:0d"/>
Set the Maximum Trasmit Unit parameter of the link.
mtu 512
<device mtu="512"/>
Negativize the command on the rest of line.
no ip address
None
Administratively disable the interface.
<device disable="yes"/>
Set the speed in Mbit/s on Ethernet devices.
speed auto
<device speed="auto"/>
speed 100
<device speed="100"/>
speed 10
<device speed="10"/>
Enables the checking of checksum in tunnel. Default is: off
<tunnel checksum="on"/>
Tunnel selector or security key
tunnel key mykey
<tunnel key="mykey"/>
Set the tunnel encapsulation type. Valid types are: gre
tunnel mode gre
<tunnel mode="gre"/>
Enables the path MTU discovery in tunnel. Default is: off
tunnel path-mtu-discovery
<tunnel pmtudisc="on"/>
Enables the checking of the correct sequnce of datagrams in tunnel. Default is: off
tunnel sequence-datagrams
<tunnel sequence="on"/>
Set the source point of the tunnel - interface.
tunnel source Serial0/1
<tunnel> <tunnel-source-interface device="cd4"/> </tunnel>Where "cd4" is device "Serial0/1".
Set the source point of the tunnel - address.
tunnel source 132.177.5.10
<tunnel> <tunnel-source-address address="132.177.5.10"/> </tunnel>
tunnel destination 222.22.2.3
! This is just a comment for following section
<tunnel> <tunnel-destination-address address="222.22.2.3"/> </tunnel>
Set the TTL parameter of the tunnel.
tunnel ttl 64
<tunnel ttl="64"/>
Set the length of transmitting (output) data queue on interface.
tx-ring-limit 100
<device txqlen="100"/>
Specifies the section the named packet filter chain (access control list). Both standard and extended ACLs are supported. See the section of ACLs below.
ip access-list standard mylist-stand deny 10.1.0.0 0.0.255.255 permit any any ip access-list extended mylist-ext deny ip 10.1.0.0 0.0.255.255 10.2.6.0 0.0.0.255 eq telnet permit icmp any any 10 12
See below (ACL section)
Specifies a domain name for domain lookups. There can be more domain-list commands in one configuration. If both domain-name and domain-list commands are present, domain-list is used.
ip domain-list cesnet.cz ip domain-list muni.cz
<system>
<dns>
<search>
<domain-suffix suffix="cesnet.cz"/>
<domain-suffix suffix="muni.cz"/>
</search>
</dns>
</system>
Specifies a domain name for domain lookups. There can be only one domain-name command in one configuration. If both domain-name and domain-list commands are present, domain-list is used.
ip domain-name muni.cz
<system>
<dns>
<search>
<domain-suffix suffix="muni.cz"/>
</search>
</dns>
</system>
Enables multicast routing on given machine.
<system multicast-routing="on">
Specifies a DNS server in numeric form for domain lookups.
ip name-server 192.168.1.1
<system>
<dns>
<dns-server address="192.168.1.1"/>
</dns>
</system>
Specifies a static IPv4 route in form: target network+subnet mask+next hop. Next hop could be IP address or name of point-to-point interface. If the name of "next-hop" interface is "Null", then the packet will be discarded silently (route into blackhole).
ip route 192.168.1.0 255.255.255.0 192.168.3.1 110
<static-routes>
<route af="ipv4" preference="110">
<destination address="192.168.1.0" length="24"/>
<nexthop via="192.168.3.1"/>
</route>
</static-routes>
ip route 192.168.1.0 255.255.255.0 Null
<static-routes>
<route af="ipv4" type="blackhole">
<destination address="192.168.1.0" length="24"/>
</route>
</static-routes>
Specifies a static IPv6 route in form: target network+subnet mask+next hop. Next hop could be IP address or name of point-to-point interface. If the name of "next-hop" interface is "Null", then the packet will be discarded silently (route into blackhole).
ipv6 route 2001:718:0:4::/64 2001:718:1f00::1
<static-routes>
<route af="ipv6">
<destination address="2001:718:0:4::" length="64"/>
<nexthop via="2001:718:1f00::1"/>
</route>
</static-routes>
ipv6 route 2001:718:0:4::/64 Null
<static-routes>
<route af="ipv6" type="blackhole">
<destination address="2001:718:0:4::" length="64"/>
</route>
</static-routes>
Declares a section of global commands for IPv6 RIPng
Includes IPv6 routes from other routing protocols in RIPng updates (via routing table, routes are exported from routing table)
redistribute static
<ripng>
<route-export chain="ripng-export"/>
</ripng>
<routing>
<route-filters>
<route-filter-chain id="ripng-export"
name="ripng-export-filter-chain">
<route-filter-rule>
<route-match-list>
<match-route-source source="static"/>
</route-match-list>
<route-action-list>
<accept-action/>
</route-action-list>
</route-filter-rule>
</route-filter-chain>
</route-filters>
<routing>
Enables IPv6 unicast routing on given machine.
None
Start of key chain section
key chain mychain
None (converted into elements that use this key chain, please
see RIP authentication section)
Specifies the text string (password) for this key chain.
key string SeCrEt
None (converted into elements that use this key chain, see RIP authentication section.)
Negativize the command on the rest of line.
Turns off split horizon for RIP on all RIP enabled interfaces
<rip> <rip-interface device="cd4" split-horizon="no"/> <rip-interface device="cd5" split-horizon="no"/> </rip>(Where cd4 and cd5 are interfaces, that run RIP)
Declares a section of global commands for IPv4 RIP.
<rip disable="no">
Includes IPv4 network prefix in RIP updates
network 146.1.0.0 network 146.2.0.0
<rip> <rip-interface device="cd4"/> <rip-interface device="cd5"/> </rip>(Where cd4 corresponds to the interface with 146.1.x.x/16 subnet and cd5 corresponds to the interface with 146.2.x.x/16 subnet)
Specifies administrative distance of RIP routes (120 by default).
distance 120
<rip preference="120"/>
Specifies the default metric of RIP routes.
default-metric 2
<rip default-metric="2"/>
Specifies unicast RIP neighbor (mostly on NBMA networks)
neighbor 192.168.1.16
<rip> <rip-neighbor address="192.168.1.16"/> </rip>
Disables any RIP activity on specified interface
passive-interface FastEthernet0/1
<rip-interface device="cd4" send="no" receive="no"/>Where "cd4" is the "FastEthernet0/1 interface."
Includes IPv4 routes from other routing protocols in RIP updates (via routing table)
<rip> <route-export chain="rip-export"/> </rip>(see RIPng "redistribute" section to see "rip-export" static routes definition - same as "ripng-export")
Specifies version of RIP protocol (can be overwritten on interfaces). Default value is to accept version 1 and 2 and distribute only version 1 broadcasts.
<rip version="12in1out"/>(by default whe no other IOS command is present)
version 1
<rip version="1"/>
version 2
<rip version="2"/>
Specifies the version of IOS system for which the configuration file was intended
version 12.2
<platform-special platform="ios" version="12.2"/>
Unknown parts of IOS configuration (=those that are not currently supported by DTD) are placed into "platform-special" element. Netopeer Cisco backend may use these information to restore complete configuration (next to XML data) for Cisco router. The aim of this element is to allow working with whole Cisco IOS configuration on Cisco routers in Netopeer without losing information even if some IOS commands are not supported in DTD. Supported commands are moved into other XML elements and the rest is put here. If some commands of configuration sub-section (eg. interface or routing protocols subsection) are unsupported, then subsection is made in the "platform-special" element also (separated by the exclamation mark "!"; and only unsupported commands are put into it). Unsupported flags in ACLs rules are ignored now (these are not put into "platform-special" element now).
router bgp 100 neighbor 152.13.12.11 !
<platform-special platform="ios"> router bgp 100 neighbor 152.13.12.11 ! </platform-special>
Access Control List is group of lines (=criterias+actions) that are matched against data to accept or reject these data by given criteria. Cisco IOS uses two types of IP access lists: simpler "standard" ACLs and complex ACLs called "extended". Standard ACLs:
access-list 100 permit tcp any host 120.25.35.1 eq telnet access-list 100 permit tcp any host 120.25.35.1 eq http access-list 100 permit tcp any host 120.25.35.1 eq 443 access-list 100 deny ip any host 120.25.35.1
ip access-list standard mylist-stand deny 10.1.0.0 0.0.255.255 deny 10.2.0.0 0.0.255.255 deny 10.3.0.0 0.0.255.255 permit any any ip access-list extended mylist-ext permit tcp 10.1.0.0 0.0.255.255 host 10.2.6.1 eq telnet deny tcp 10.1.0.0 0.0.255.255 10.2.6.0 0.0.0.255 eq telnet permit icmp any any 10 12
As you can see, named ACL has a kind of "header" with identification info. Header starts a section of lines that belong to same access list (specified in header). Numbered ACLs do not have the first "header" line, they include identification info on each line in the list. Each line is one rule in the list. They are interpreted consecutive from the first one to the last one. If a match is found, appropriate action (specified on matched line) is taken and the processing of the ACL is finished. If no match is found, the implicit "reject" action is taken
General template for specifying standard numbered ACLs is:
access-list number action source_address_with_mask log
General template for specifying extended numbered ACLs is:
access-list number action protocol source_address_with_mask [source_port] destination_address_with_mask [destination_port] [various_protocol_options] [log | log-input]
Template for the named form of ACL is similar - remove initial "
Legend:
Following values are criteria:
There are few abbreviations for this field:
The port number can be specified either as an decimal number or as text string (for well-known ports like 21=ftp, 23=telnet, 25=smtp, 80=http)
One line of access list means one
access-list XXX permit XXX access-list XXX permit XXX log access-list XXX deny XXX log-input
<packet-action-list>
<accept-action count="no" />
</packet-action-list>
<packet-action-list>
<accept-action count="no" />
<log-action count="no" />
</packet-action-list>
<packet-action-list>
<drop-action count="no" />
<log-action count="no" level="notice"/>
</packet-action-list>
Remarks are stored in
access-list 100 remark This is remark to the next rule in chain...
<packet-filters>
<packet-filter-chain default-policy="drop-action" id="100">
<packet-filter-rule>
<description>
This is remark to the next rule in chain...
</description>
</packet-filter-rule>
</packet-filter-chain>
</packet-filters>
Source and destination addresses with their subnet masks are represented as
cp2 represents "
<prefix-lists>
<prefix-list id="cp2" name="cp2">
<match-prefix address="0.0.0.0" length="32" af="ipv4" />
</prefix-list>
<prefix-list id="cp3" name="cp3">
<match-prefix address="217.155.135.2" length="32" af="ipv4" />
</prefix-list>
</prefix-lists>
Protocol criteria field is represented by following elements (all of the are subelements of
access-list NUMBER ACTION ip SRC_ADDRESS_MASK DST_ADDRESS_MASK
fragments [dscp 12 | tos 3]
<match-ipv4 fragments="subseq"> <match-source list="SRC_ADDRESS_MASK"/> <match-destination list="DST_ADDRESS_MASK"/> [<match-dsfield dscp="12"/> | <match-ecnfield ect="on" ce="on"/>] </match-ipv4>IPv6 element is similar to IPv4 element.
access-list NUMBER ACTION icmp SRC_ADDRESS_MASK DST_ADDRESS_MASK 15 12
<match-icmp type="15" code="12"/>
access-list NUMBER ACTION tcp SRC_ADDRESS_MASK gt 1024
DST_ADDRESS_MASK eq 22 ack syn
<match-tcp> <match-source-port-range lo="1024" hi="65535" negate="no"/> <match-destination-port-range lo="22" hi="22" negate="no"/> <match-tcp-flags syn="on" ack="on" .../> </match-tcp>
access-list NUMBER ACTION udp SRC_ADDRESS_MASK lt 1024
DST_ADDRESS_MASK neq 53
<match-udp> <match-source-port-range lo="0" hi="1024" negate="no"/> <match-destination-port-range lo="53" hi="53" negate="yes"/> </match-udp>
The criteria are specified in
access-list 1 permit host 217.155.135.2 access-list 1 deny any
<packet-filters>
<packet-filter-chain default-policy="drop-action" id="1">
<packet-filter-rule>
<packet-match-list>
<match-ipv4 fragment="all">
<match-source list="cp3" negate="no" />
</match-ipv4>
</packet-match-list>
<packet-action-list>
<accept-action count="no" />
</packet-action-list>
</packet-filter-rule>
<packet-filter-rule>
<packet-match-list>
<match-ipv4 fragment="all">
<match-source list="cp2" negate="no" />
</match-ipv4>
</packet-match-list>
<packet-action-list>
<drop-action count="no" />
</packet-action-list>
</packet-filter-rule>
</packet-filter-chain>
</packet-filters>