(Examples performed on ISR 1921 G2)
Before we get into the details, I would suggest that instead of backing up your key, you just pull the new key from the new router and update your scripts. You will need to get onto the router without SSH to load the config/enable SSH anyways. This can be done with a script and console cable... you can even pull the new SSH public key out and update your scripts automatically (router#sh ip ssh). I think this is a more secure option. However to answer the question of backing up SSH keys:
You need to generate exportable keys for use with SSH and then export them to a PEM file with a password. Unfortunately the only two options for encrypting them are des and 3des.
Generate the key:
home-1921(config)#crypto key generate rsa general-keys exportable label example modulus 4096
The name for the keys will be: example
% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be exportable...
[OK] (elapsed time was 658 seconds)
Jun 15 11:10:05.158: %SSH-5-ENABLED: SSH 1.99 has been enabled
home-1921(config)#
Assign to SSH if not already assigned:
home-1921(config)#ip ssh rsa keypair-name example
home-1921(config)#
Jun 15 11:11:22.467: %SSH-5-DISABLED: SSH 1.99 has been disabled
Jun 15 11:11:22.467: %SSH-5-ENABLED: SSH 1.99 has been enabled
Export the key:
This will export the key to the terminal which can be saved to a file via script or manually.
home-1921(config)#$export rsa example pem terminal 3des somepassword
% Key name: example
Usage: General Purpose Key
Key data:
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsWwtMdoyj/LKPzXRf53z
8yhIkRAbODN6DXne8JH53PAwtgQ2FrPARvnjWsqWn2EgkHEMkZl5y5tZ0iLITCPf
bK8pXC/9kiLC2VDGQLbHD57AN/+6+0CoXxGW4FtV1dW4tVzo0YafL3L0rrNY8Snk
nPXUu89RxYu0rnJCJGv3VQ5DS/LMx7RcKdB0oKh5NxrzMGR5AXCtK0d5giHIu5o7
UAO8Q0JHYjHVHTtk8tnK5jhSMT68e4GxtsNSAaf5iA2qXY0E4KSZ+NCQJzM7RKa/
/Sj8wmSHRhGYwEzfVdh+Cp3SRjiNSF4nVcECSEsEo5XzhM+yMHUJWeXw18pVFfED
koen7IRw9Sj+uw0pegIwS4D/eniv/SMfPgjVd6RIm2k35GiH59Y73Bufu23+TOoB
siYsZcbQ3QFohe5ix08pTeyvNXl6d6WlZWsyUfl7B9qIf5dICOfxu22xsFkdd3UX
URyQum/oQPBLEGAaX01vto+oRW/DYXnIz4GXchTVnZMPxk5NGA3Li6advTWT3Vb8
rH0aDSdtybrg0wVyOhEPW9Kx5Kx8ycxisZ7dM9iryvxjNtmmhxn9FS2uSI6mnOmR
aQOG44Jyn/ihzaYuAsfbxHvDnKQKIJtQoJtrbrgjAh93GT/HIyHRLz1iRwGwNwlj
3GUBV1NsL+HVZN68GPOyHfkCAwEAAQ==
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0243F61FBCFF9FFD
i4lMwdfFZpC48ZFF3RnEOpLZzmv+vSgrHH6DGI/Gm1hB4KK+MC/a1TrrNbNzKPzY
HFs74jLpGvYGb0jL5PbqrCL435F92h+N9SAkp4Tz8x78y4hUnM/2I9X9MhcGXJqE
5U2r47KSYjUO+L41gWRDwwq7uZPXdJMEOr3JhJ6wv1UJx8BkxatmoZyeKMHIAcfQ
JcwHnFnVZP3bNRYSwaMGemrfhg8HiT/JT3gUFj5d8r2pAouY8Vs9j4fM7EIn+CHz
zGdZf9j3wIYOLjOhGLs7zABRmu4Ik7yv7iNqIOpZLMVegC9iQc6RMav8M3ivt+wU
eNBR7+VLOYAz1J7bKEx1ZMk9XR4zdNTJlw+4UuYtXDDlW3OOsBFq/05mKPvaQWCE
/NUrxSSEpgqaLJNJS5V4rgPKhSbg51GeIhkig+NkFIS7EtF/VCMXqaWd0lp7kYig
3arRF0BdZXLsMDhZKmi1JA+rcmCSQIYVaBDc29SMs/Wou99vVazQIs2e1Dkl06Ia
U7VeIwhEJykIl0MhBw+kwD3pNsiPth1xIg3DsDU+bq3gMNhcsl6Pj8FUP+PXdqaa
HSGOy2tnYB60xxFv4vfRiW7JaFse9+uaesRiPDOC5YUx47yP65xEhiCmKMXD+9xU
K/ZFYe9AvbJ4A65JjO/QQm5mg82cw5q4x/YQ1EC9T1w5kdjKJg9MkYoZmhHfttUZ
2zuGBFm9FUiW5SnRRp4Pil0aTAMgj8uZaxUdq1nGfyJo2p7TTNXKsE8YMkSwu93p
L914L64/bI2RLVQCciLZtVnVwAMffNpwtOJQzDDeUDI3i1ZItzehcsXXAWCN5xcQ
+0lF6Q3KlrDNGZCtO8vrbDioaFT25ikdAlF0B+pnadetQkXlLs8xdBxxF9lUZjgw
NqkbrYoY/c7Jf7dsWfC7fRqo3EjBxEFPwrdJJpvTtzgp4/Zk+dcHg0j4K2pFVMeT
sZZzDaWlCaRoKw+OSh2KyzWjGKSzh/mm+cdp/4T+bbhUseRF6eGb0Qk0lMyQv3ja
EE0GnyOYSlcavvIrqpx9v1iLEJLGWi58UiOASnzBlRh33nRqF+uoE5p6k/jgoUWC
CccW2SfyEfXJDOg6fqGyKw3XjAJQ0/t1qWbiIXxtNjH8haO9OgWUn3pKI6PjZwQk
6Eb5ow8WABZXb/pXJ/xjmLKjsmlxeqD31I2CaArV6hRCJoTKXkS2TWHCoHGRAPfL
jrDBiFJ1+KVnCtuGN1kxRG6fyIMMyFBG7qEzNnHmNnLGP19XHvgSJe0QYNdrkFpZ
iG+Kqz5bHcdEsucB0Efn/N7huu++R5XnSRYJnf6iPOTme6qwul3H1YQoaNNAbuch
u98JaciIiSGLesBU4P28FEC4kesslKWcM8Z4GfvX//9zqkB6T1E5/jUs+x6YtPhp
kMg9ZR195mP11E4MbgP9czk7HnK4Xgrns/DmXRdT1/d0dPtfng02jWjvOgNUQ1EJ
ZvFd9ZN67nV4ZiDtcVi3756m7UEI2p/2431ecpigy2OUA+d8YKYEbAreMDE7W4Iq
AlUalEiRmjwoerVIgQeB3oa2GElg2IN6llEa1UndI79ma13SJmgpLM+YUW+nS7k6
COiuKllSbLBSF9s4+ErEXciAAJCGFi7kfFDB59whv1IbmDEGNAamB6oibCewbF0T
xusyjhb2wA0KDq5C3ThlM5KU0g0ACSEuOl/A4AuubwxD7vvC6jiVFw/bCQrRJLJ6
UuEcBTp0vEecdF12NtQWPpg/+K2PYBi7Yzzc8DZcF97afFmZAtnF3EFLJltywjjK
qcGGCNyDj9MSBEnJigK7m0nYKjsOw5myt5LOhwWMr81OC7s6vgMBdf7qFCHiOUUB
5MwpAzjGgaR85uYqCpCOmW5pjRpRptEocJPxeW6Uy+aFPAEQu92HvFjHk/tvefGX
ttSsOPU5BC1J5xGZIoUfGPRFPYkjLauwQ34hGdQrbhJ3DrEe1pDAwd8/yIhzNp0o
N8uZDWKegLPrRg1B6CvmY3+Axiz0ZJZ86LOLa67ZsEkbWpQoy4F8D+z131JFrRcK
v0glY5b2GESUXtVxO668LqbmcO/eoDgBIhNvbrJT1QVgM/rr3poeeARGgff9OQ0i
FpsA4yk4uOqS/TS4OfpG6ymneGao1tJfktXmiR37cpGfkKjHPvI5kE8/KTOZSdSk
5RYjuCaWW363ysn7XA21Y9NiMYZesKCw8XdxVfVDZB6IphawYZ/a4cyvkYfD5HKw
QeLE7Rv7fGhlUPPWr1WQZOBgnnmAZoxNxkPhC4S62WvdiJNmiIeLrmD50n22zukH
aCj5S6sqXRuHdLB8FiZdi24s9tISBt0kAzK4bg3bvPoaqj3nSL8eirr1qWED/O+5
xxjJrR7fgY0BdzbqU5gXK22o6PLGzlOIpgFep12dnoYUVL2igRJfTAGSHyMPeJpv
e5mmAqxCz8FGgztZVP+v8MEkz/fDd/bIA0zkeA+0ugedbI/IkDkS25RdZkpvUpXH
2+SNL1RJyoYT/uoShAuVv6y9uyvoojX9XNDVmLX10ip8tSsTVbJx97MPzNSaTABe
Zbc5rgU4FJnUIIjb4igmccUrdW7ZknKk2cV9xRv7BHFYAl4hsitcsdKe8IPdX+2E
WOXl2i2+ndUkzoqGlr4q8nOgAcr53Msjnn1ljasWHXDpeXRW+kraX+88UUmv9zEf
T4gyl7shs/J24IlgHhJbqD5g10thG9esp8KvaxgeHyuBVpPniWWrecwajKFjfVKp
J9EcxDXRUZH3c4jDIWxpKsGQFFsx9e7p286tcUXwGDBFkYOao9NOcyllltRq+ECH
93Sc6hLp/Fd7hIAdZFbnjaemp2llA81cNKIVRUpJ4OyoVSOwhMp+j3m5SOmJdAxu
SWcMKENRU6RSjqZOt15acOktCRRrMbLSxZY+fW+1g5IvA1j6mFiK57F569ouYZeP
zvMgPgkDN/ATMd/RkHAWq5/EjeNmhey52XnHSqyAPmP4mX9qoaYtRYgBTGrKEFNo
05V14xLunvGz+FEsqZ/IwSZYbYkGCpfczQWlRLnLkb8X7gbL/esfKfb3tSsbOluZ
F/bAHniMg51uU2MmpspuWR+SzyWuabWiCkEq7lvXLTwdJGBYduaRH9u14bBCWUuA
-----END RSA PRIVATE KEY-----
home-1921(config)#
Login test:
demo-mac:~ demo$ ssh demo@<cleared>.205
The authenticity of host '<cleared>.205 (<cleared>.205)' can't be established.
RSA key fingerprint is af:6e:a0:fa:c3:45:ab:2d:a9:60:84:fe:0b:96:de:cc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '<cleared>.205' (RSA) to the list of known hosts.
Password:
home-1921#
Ok so we know it works... time to erase the NVRAM and restart.
home-1921#erase nvram:
Erasing the nvram filesystem will remove all configuration files! Continue? [co]
[OK]
Erase of nvram: complete
home-1921#
Jun 15 11:16:19.268: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
home-1921#reload
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]
Now we reconfigure the test router to allow SSH again:
Note: I am only generating a brand new key to demo that my terminal rejects the new key but then accepts the restored key. This step is unnecessary unless you're verifying that it works.
router>en
router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#int G0/0
router(config-if)#ip add <cleared>.205 255.255.255.0
router(config-if)#no shutdown
router(config-if)#exit
router(config)#ip domain-name example.com
router(config)#aaa new-model
router(config)#aaa authen log def loc
router(config)#aaa author exe def loc
router(config)#username demo priv 15 sec demo
router(config)#cry key gen rsa mod 4096
The name for the keys will be: router.example.com
% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 117 seconds)
Jun 15 11:17:55.247: %SSH-5-ENABLED: SSH 1.99 has been enabled
router(config)#
Now the rejection of the key:
demo-mac:~ demo$ ssh demo@<cleared>.205
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
8c:62:d4:75:0f:4c:59:a8:81:d2:01:1b:68:9d:08:cb.
Please contact your system administrator.
Add correct host key in /Users/demo/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/demo/.ssh/known_hosts:90
RSA host key for <cleared>.205 has changed and you have requested strict checking.
Host key verification failed.
demo-mac:~ demo$
Ok so lets restore the key and see what happens:
router(config)#$crypto key import rsa example-restored pem terminal somepassword
% Enter PEM-formatted public General Purpose key or certificate.
% End with a blank line or "quit" on a line by itself.
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsWwtMdoyj/LKPzXRf53z
8yhIkRAbODN6DXne8JH53PAwtgQ2FrPARvnjWsqWn2EgkHEMkZl5y5tZ0iLITCPf
bK8pXC/9kiLC2VDGQLbHD57AN/+6+0CoXxGW4FtV1dW4tVzo0YafL3L0rrNY8Snk
nPXUu89RxYu0rnJCJGv3VQ5DS/LMx7RcKdB0oKh5NxrzMGR5AXCtK0d5giHIu5o7
UAO8Q0JHYjHVHTtk8tnK5jhSMT68e4GxtsNSAaf5iA2qXY0E4KSZ+NCQJzM7RKa/
/Sj8wmSHRhGYwEzfVdh+Cp3SRjiNSF4nVcECSEsEo5XzhM+yMHUJWeXw18pVFfED
koen7IRw9Sj+uw0pegIwS4D/eniv/SMfPgjVd6RIm2k35GiH59Y73Bufu23+TOoB
siYsZcbQ3QFohe5ix08pTeyvNXl6d6WlZWsyUfl7B9qIf5dICOfxu22xsFkdd3UX
URyQum/oQPBLEGAaX01vto+oRW/DYXnIz4GXchTVnZMPxk5NGA3Li6advTWT3Vb8
rH0aDSdtybrg0wVyOhEPW9Kx5Kx8ycxisZ7dM9iryvxjNtmmhxn9FS2uSI6mnOmR
aQOG44Jyn/ihzaYuAsfbxHvDnKQKIJtQoJtrbrgjAh93GT/HIyHRLz1iRwGwNwlj
3GUBV1NsL+HVZN68GPOyHfkCAwEAAQ==
-----END PUBLIC KEY-----
% Enter PEM-formatted encrypted private General Purpose key.
% End with "quit" on a line by itself.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0243F61FBCFF9FFD
i4lMwdfFZpC48ZFF3RnEOpLZzmv+vSgrHH6DGI/Gm1hB4KK+MC/a1TrrNbNzKPzY
HFs74jLpGvYGb0jL5PbqrCL435F92h+N9SAkp4Tz8x78y4hUnM/2I9X9MhcGXJqE
5U2r47KSYjUO+L41gWRDwwq7uZPXdJMEOr3JhJ6wv1UJx8BkxatmoZyeKMHIAcfQ
JcwHnFnVZP3bNRYSwaMGemrfhg8HiT/JT3gUFj5d8r2pAouY8Vs9j4fM7EIn+CHz
zGdZf9j3wIYOLjOhGLs7zABRmu4Ik7yv7iNqIOpZLMVegC9iQc6RMav8M3ivt+wU
eNBR7+VLOYAz1J7bKEx1ZMk9XR4zdNTJlw+4UuYtXDDlW3OOsBFq/05mKPvaQWCE
/NUrxSSEpgqaLJNJS5V4rgPKhSbg51GeIhkig+NkFIS7EtF/VCMXqaWd0lp7kYig
3arRF0BdZXLsMDhZKmi1JA+rcmCSQIYVaBDc29SMs/Wou99vVazQIs2e1Dkl06Ia
U7VeIwhEJykIl0MhBw+kwD3pNsiPth1xIg3DsDU+bq3gMNhcsl6Pj8FUP+PXdqaa
HSGOy2tnYB60xxFv4vfRiW7JaFse9+uaesRiPDOC5YUx47yP65xEhiCmKMXD+9xU
K/ZFYe9AvbJ4A65JjO/QQm5mg82cw5q4x/YQ1EC9T1w5kdjKJg9MkYoZmhHfttUZ
2zuGBFm9FUiW5SnRRp4Pil0aTAMgj8uZaxUdq1nGfyJo2p7TTNXKsE8YMkSwu93p
L914L64/bI2RLVQCciLZtVnVwAMffNpwtOJQzDDeUDI3i1ZItzehcsXXAWCN5xcQ
+0lF6Q3KlrDNGZCtO8vrbDioaFT25ikdAlF0B+pnadetQkXlLs8xdBxxF9lUZjgw
NqkbrYoY/c7Jf7dsWfC7fRqo3EjBxEFPwrdJJpvTtzgp4/Zk+dcHg0j4K2pFVMeT
sZZzDaWlCaRoKw+OSh2KyzWjGKSzh/mm+cdp/4T+bbhUseRF6eGb0Qk0lMyQv3ja
EE0GnyOYSlcavvIrqpx9v1iLEJLGWi58UiOASnzBlRh33nRqF+uoE5p6k/jgoUWC
CccW2SfyEfXJDOg6fqGyKw3XjAJQ0/t1qWbiIXxtNjH8haO9OgWUn3pKI6PjZwQk
6Eb5ow8WABZXb/pXJ/xjmLKjsmlxeqD31I2CaArV6hRCJoTKXkS2TWHCoHGRAPfL
jrDBiFJ1+KVnCtuGN1kxRG6fyIMMyFBG7qEzNnHmNnLGP19XHvgSJe0QYNdrkFpZ
iG+Kqz5bHcdEsucB0Efn/N7huu++R5XnSRYJnf6iPOTme6qwul3H1YQoaNNAbuch
u98JaciIiSGLesBU4P28FEC4kesslKWcM8Z4GfvX//9zqkB6T1E5/jUs+x6YtPhp
kMg9ZR195mP11E4MbgP9czk7HnK4Xgrns/DmXRdT1/d0dPtfng02jWjvOgNUQ1EJ
ZvFd9ZN67nV4ZiDtcVi3756m7UEI2p/2431ecpigy2OUA+d8YKYEbAreMDE7W4Iq
AlUalEiRmjwoerVIgQeB3oa2GElg2IN6llEa1UndI79ma13SJmgpLM+YUW+nS7k6
COiuKllSbLBSF9s4+ErEXciAAJCGFi7kfFDB59whv1IbmDEGNAamB6oibCewbF0T
xusyjhb2wA0KDq5C3ThlM5KU0g0ACSEuOl/A4AuubwxD7vvC6jiVFw/bCQrRJLJ6
UuEcBTp0vEecdF12NtQWPpg/+K2PYBi7Yzzc8DZcF97afFmZAtnF3EFLJltywjjK
qcGGCNyDj9MSBEnJigK7m0nYKjsOw5myt5LOhwWMr81OC7s6vgMBdf7qFCHiOUUB
5MwpAzjGgaR85uYqCpCOmW5pjRpRptEocJPxeW6Uy+aFPAEQu92HvFjHk/tvefGX
ttSsOPU5BC1J5xGZIoUfGPRFPYkjLauwQ34hGdQrbhJ3DrEe1pDAwd8/yIhzNp0o
N8uZDWKegLPrRg1B6CvmY3+Axiz0ZJZ86LOLa67ZsEkbWpQoy4F8D+z131JFrRcK
v0glY5b2GESUXtVxO668LqbmcO/eoDgBIhNvbrJT1QVgM/rr3poeeARGgff9OQ0i
FpsA4yk4uOqS/TS4OfpG6ymneGao1tJfktXmiR37cpGfkKjHPvI5kE8/KTOZSdSk
5RYjuCaWW363ysn7XA21Y9NiMYZesKCw8XdxVfVDZB6IphawYZ/a4cyvkYfD5HKw
QeLE7Rv7fGhlUPPWr1WQZOBgnnmAZoxNxkPhC4S62WvdiJNmiIeLrmD50n22zukH
aCj5S6sqXRuHdLB8FiZdi24s9tISBt0kAzK4bg3bvPoaqj3nSL8eirr1qWED/O+5
xxjJrR7fgY0BdzbqU5gXK22o6PLGzlOIpgFep12dnoYUVL2igRJfTAGSHyMPeJpv
e5mmAqxCz8FGgztZVP+v8MEkz/fDd/bIA0zkeA+0ugedbI/IkDkS25RdZkpvUpXH
2+SNL1RJyoYT/uoShAuVv6y9uyvoojX9XNDVmLX10ip8tSsTVbJx97MPzNSaTABe
Zbc5rgU4FJnUIIjb4igmccUrdW7ZknKk2cV9xRv7BHFYAl4hsitcsdKe8IPdX+2E
WOXl2i2+ndUkzoqGlr4q8nOgAcr53Msjnn1ljasWHXDpeXRW+kraX+88UUmv9zEf
T4gyl7shs/J24IlgHhJbqD5g10thG9esp8KvaxgeHyuBVpPniWWrecwajKFjfVKp
J9EcxDXRUZH3c4jDIWxpKsGQFFsx9e7p286tcUXwGDBFkYOao9NOcyllltRq+ECH
93Sc6hLp/Fd7hIAdZFbnjaemp2llA81cNKIVRUpJ4OyoVSOwhMp+j3m5SOmJdAxu
SWcMKENRU6RSjqZOt15acOktCRRrMbLSxZY+fW+1g5IvA1j6mFiK57F569ouYZeP
zvMgPgkDN/ATMd/RkHAWq5/EjeNmhey52XnHSqyAPmP4mX9qoaYtRYgBTGrKEFNo
05V14xLunvGz+FEsqZ/IwSZYbYkGCpfczQWlRLnLkb8X7gbL/esfKfb3tSsbOluZ
F/bAHniMg51uU2MmpspuWR+SzyWuabWiCkEq7lvXLTwdJGBYduaRH9u14bBCWUuA
-----END RSA PRIVATE KEY-----
quit
% Key pair import succeeded.
router(config)#
Now assign it to SSH again:
router(config)#ip ssh rsa keypair-name example-restored
router(config)#
Jun 15 11:25:36.619: %SSH-5-DISABLED: SSH 1.99 has been disabled
Jun 15 11:25:36.623: %SSH-5-ENABLED: SSH 1.99 has been enabled
router(config)#
And try logging in again:
demo-mac:~ demo$ ssh demo@<cleared>.205
Password:
router#
All set!
EDIT:
Note: When importing the key, make sure there are no extra spaces around the key info. If you copy and paste from a console, this may put trailing spaces on every line and you need to remove those before importing.
I don't have SUP7 to test, but it works on SUP6 and SUP32, I would presume SUP7 retains this functionality.
I've tested between JNPR M320 <-> SUP32, and 'vlan mapping JNPR SUP32' works just fine.
There is no need for QinQ, what the QinQ option does is it adds top tag to one particularly tag. So switchport vlan mapping 1042 dot1q-tunnel 42
would map incoming [1042] stack to [42 1042] stack.
As opposed to switchport vlan mapping 1042 42
which maps incoming dot1q Vlan [1042] to dot1q Vlan [42].
JNPR M320 config:
{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# show
vlan-id 1042;
family inet {
address 10.42.42.1/24;
}
{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# run show interfaces ge-0/1/0
Physical interface: ge-0/1/0, Enabled, Physical link is Up
Interface index: 135, SNMP ifIndex: 506
Description: B: SUP32 ge5/1
Link-level type: Flexible-Ethernet, MTU: 9192, Speed: 1000mbps, BPDU Error: None,
MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
Auto-negotiation: Enabled, Remote fault: Online
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x4000
CoS queues : 8 supported, 8 maximum usable queues
Current address: 00:12:1e:d5:90:7f, Hardware address: 00:12:1e:d5:90:7f
Last flapped : 2013-02-19 09:14:29 UTC (19w6d 21:12 ago)
Input rate : 4560 bps (5 pps)
Output rate : 6968 bps (4 pps)
Active alarms : None
Active defects : None
Interface transmit statistics: Disabled
SUP32 config:
SUP32#show run int giga5/1
Building configuration...
Current configuration : 365 bytes
!
interface GigabitEthernet5/1
description F: M320 ge-0/1/0
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport vlan mapping enable
switchport vlan mapping 1042 42
mtu 9216
bandwidth 1000000
speed nonegotiate
no cdp enable
spanning-tree portfast edge trunk
spanning-tree bpdufilter enable
end
SUP32#show ru int vlan42
Building configuration...
Current configuration : 61 bytes
!
interface Vlan42
ip address 10.42.42.2 255.255.255.0
end
SUP32#sh int GigabitEthernet5/1 vlan mapping
State: enabled
Original VLAN Translated VLAN
------------- ---------------
1042 42
SUP32#sh int vlan42
Vlan42 is up, line protocol is up
Hardware is EtherSVI, address is 0005.ddee.6000 (bia 0005.ddee.6000)
Internet address is 10.42.42.2/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:09, output 00:01:27, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched: ucast: 17 pkt, 1920 bytes - mcast: 0 pkt, 0 bytes
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
38 packets input, 3432 bytes, 0 no buffer
Received 21 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
26 packets output, 2420 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
And
SUP32#ping 10.42.42.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.42.42.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SUP32#sh arp | i 10.42.42.1
Internet 10.42.42.1 12 0012.1ed5.907f ARPA Vlan42
SUP32#show mac address-table dynamic address 0012.1ed5.907f
Legend: * - primary entry
age - seconds since last seen
n/a - not available
vlan mac address type learn age ports
------+----------------+--------+-----+----------+--------------------------
Active Supervisor:
* 450 0012.1ed5.907f dynamic Yes 0 Gi5/1
* 50 0012.1ed5.907f dynamic Yes 0 Gi5/1
* 40 0012.1ed5.907f dynamic Yes 0 Gi5/1
* 42 0012.1ed5.907f dynamic Yes 5 Gi5/1
user@m320# run ping 10.42.42.2 count 2
PING 10.42.42.2 (10.42.42.2): 56 data bytes
64 bytes from 10.42.42.2: icmp_seq=0 ttl=255 time=0.495 ms
64 bytes from 10.42.42.2: icmp_seq=1 ttl=255 time=0.651 ms
--- 10.42.42.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.495/0.573/0.651/0.078 ms
{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# run show arp no-resolve |match 10.42.42.2
00:05:dd:ee:60:00 10.42.42.2 ge-0/1/0.1042 none
Best Answer
It seems like there is some confusion going on here. While Cisco typically appears to try to avoid re-using product line numbering, there are exceptions (and possibly more recently). The 2900 ISR router series is one of them. It overlaps with an older switching product line, the Catalyst 2900 series.
To muddy the waters more, your current 800 ISR series router is a router with a switch built in, allowing it to support some switch commands in addition to the normal router commands. Specifically, IIRC (been a while since I configured one of these, maybe I can find one to play with later today) all the "LAN" ports are actually part of this switch and as such cannot be configured like a router interface.
The whole ISR series of routers is designed to provide functionality of multiple platforms into one integrated platform. As I understand the 2900 ISR platform, you will only have certain commands/features available if the associated hardware is installed and/or licensed. Specifically, to add VLANs like you are attempting, you would need to have one of the Gigabit EtherSwitch modules.
My best guess is that you don't have one of these modules installed in the router and you only really have router interfaces available. These will need to be configured differently than the configuration in your old router.
To confirm, you would have to provide more details in your question about the specifics of the hardware installed in your router.