Configuring Secure Domain Routers on Cisco IOS XR Software

Secure domain routers (SDRs) are a means of dividing a single physical system into multiple logically separated routers. SDRs are isolated from each other in terms of their resources, performance, and availability.

Note
SDRs were previously known as Logical Routers (LRs). The name was changed for Release 3.3.0.

Feature History for Configuring Secure Domain Routers on Cisco IOS XR Software
Release | Modification
Release 3.
Prerequisites for Configuring Secure Domain Routers

Before configuring SDRs, the following conditions must be met:

Initial configuration
• The router must be running the Cisco IOS XR software, including a Designated System Controller (DSC).
• The root-system username and password must be assigned as part of the initial configuration.
Information About Configuring Secure Domain Routers

Review the following topics before configuring secure domain routers:
• What Is a Secure Domain Router?, page SMC-129
• Owner SDR and Administration Configuration Mode, page SMC-129
• Non-Owner SDRs, page SMC-130
• SDR Access Privileges, page SMC-130
– Root-System Users, page SMC-130
– root-lr Users, page SMC-131
– Other SDR Users, page SM

See the “SDR Access Privileges” section on page SMC-130 for more information.

Note
The Administration modes cannot be used to configure the features within a non-owner SDR, or view the router configuration for a non-owner SDR. After the SDR is created, users must log into the non-owner SDR directly to change the local configuration and manage the SDR.

• Ability to assign nodes (RPs, DRPs, and LCs) to SDRs.
• Ability to create other users with similar or lower privileges.
• Complete authority over the chassis.
• Ability to log in to non-owner SDRs using admin plane authentication. Admin plane authentication allows the root-system user to log in to a non-owner SDR regardless of the configuration set by the root-lr user.
Designated Secure Domain Router System Controller (DSDRSC)

In a router running the Cisco IOS XR software, one Route Processor is assigned the role of Designated System Controller (DSC). The DSC provides system-wide administration and control capability, including access to the Administration EXEC and Administration configuration modes.

Note
DRPs are supported in the Cisco CRS-1 only. DRPs are not supported in the Cisco XR 12000 Series Routers.

DRPs can also be used to provide additional processing capacity in a Cisco CRS-1 router. For additional information on DRPs, refer to Cisco CRS-1 Carrier Routing System 16-Slot Line Card Chassis System Description.

Designated System Controller (DSC) in a Cisco XR 12000 Series Router
• The first RP to be booted with the Cisco IOS XR software in a Cisco XR 12000 Series Router will become the Designated System Controller (DSC) for the router. This DSC is also the DSDRSC for the owner SDR. The DSC (owner DSDRSC) cannot be removed from the router configuration or reassigned to another SDR.
Removing a DSDRSC Configuration

There are two ways to remove a DSDRSC from an SDR:
• First remove all other nodes from the SDR configuration, and then remove the DSDRSC node. You cannot remove the DSDRSC node when other nodes are in the SDR configuration.
• Remove the entire SDR. Removing an SDR name deletes the SDR and moves all nodes back to the owner SDR inventory.

High Availability Implications

Fault Isolation
Because the CPU and memory of an SDR are not shared with other SDRs, configuration problems that cause out-of-resources conditions in one SDR do not affect other SDRs.

Rebooting an SDR
Each non-owner SDR can be rebooted independently of the other SDRs in the system.
another 30 seconds. This causes an inconsistent system view in the named SDR using DRP paired across the rack in which the DRP loses control Ethernet connectivity, but the LR plane is still working and can bring the named SDR into an inconsistent view if the named SDR is across the rack. To support DSC migration in Cisco IOS XR Software Release 3.3.

Note
• To access install commands, you must be a member of the root-system user group with access to the Administration EXEC mode.
• Most show install commands can be used in the EXEC mode of an SDR to view the details of the active packages for that SDR.

which is also the new DSDRSC. This operation takes some time, during which routing protocols such as BGP that use loopback or null interfaces are affected. Similarly, tunnels and bundles must also be recreated, affecting protocols such as MPLS. As a result, there is a drop in traffic in the default or owner SDR.

Note
In Cisco IOS XR Software Release 3.3.
How to Configure Secure Domain Routers

To create an SDR, configure an SDR name and then add nodes to the configuration. In Cisco CRS-1 routers, at least one node in each SDR must be explicitly configured as the DSDRSC. In the Cisco XR 12000 Series Router, the DSDRSC is created automatically when you add an RP to the configuration.

Complete the following steps to create a non-owner SDR.

Note
The procedures in this section can be performed only on a router that is already running the Cisco IOS XR software. For instructions to boot a router and perform the initial configuration, see the Cisco IOS XR Getting Started Guide. When a router is booted, the owner SDR is automatically created, and cannot be removed.
DETAILED STEPS

Step 1 admin
Purpose: Enters Administration EXEC mode.
Example: RP/0/RP0/CPU0:router# admin

Step 2 configure
Purpose: Enters Administration configuration mode.
Example: RP/0/RP0/CPU0:router(admin)# configure

Step 3 pairing pair-name
Purpose: (Optional) Enters DRP pairing configuration mode.
Example: RP/0/RP0/CPU0:router(admin-config)# pairing drp1

Step 7 pair pair-name primary or location partially-qualified-nodeid primary
Purpose: Specifies a DSDRSC for the non-owner SDR. You can assign a redundant DRP pair, an RP pair, or a single DRP as the DSDRSC. You cannot assign a single RP as the DSDRSC. Every SDR must contain a DSDRSC.

Step 8 location partially-qualified-nodeid or location pair-name
Purpose: Adds additional nodes, DRP pairs, or RP pairs to the SDR.
Creating SDRs in a 12000 Series Router

To create a non-owner SDR in a Cisco XR 12000 Series Router, create an SDR name, add an RP (that can act as DSDRSC) or 2 RPs in adjacent redundancy slots (that can act as the DSDRSC and standby DSDRSC), and then add additional (non-RP) nodes to the configuration.

Note
The procedures in this section can only be performed on a router that is already running the Cisco IOS XR software.

Step 3 sdr sdr-name
Purpose: Enters the Administration configuration mode for the specified SDR.
• If this SDR does not yet exist, it is created when you add a node as described in the following step.
• If this SDR existed previously, complete the following steps to add additional nodes.

Step 6 location partially-qualified-nodeid
Purpose: Assigns additional nodes to the SDR.
• Enter the value of the partially-qualified-nodeid argument to specify a single node. The value of the nodeid argument is entered in the rack/slot/* notation. Node IDs are always specified at the slot level, so the wildcard (*) is used to specify the CPU.
Adding Nodes to a Non-Owner SDR

When adding nodes to an existing non-owner SDR, the following rules apply:
• By default, all nodes in a new system belong to the owner SDR. When a node is assigned to a non-owner SDR, the node is removed from the owner SDR inventory and added to the non-owner SDR.
• When a node is removed from a non-owner SDR, it is automatically returned to the owner SDR inventory.

DETAILED STEPS

Step 1 admin
Purpose: Enters Administration EXEC mode.
Example: RP/0/RP0/CPU0:router# admin

Step 2 configure
Purpose: Enters Administration configuration mode.
Example: RP/0/RP0/CPU0:router(admin)# configure

Step 3 sdr sdr-name
Purpose: Enters the SDR configuration submode for the specified SDR.
• sdr-name is the name assigned to the SDR.

Step 5 end or commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found. Commit them?
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
Example: RP/0/RP0/CPU0:router (admin-config-sdr:rname2)# end

Step 4 location partially-qualified-nodeid
Purpose: Adds additional nodes to the SDR.
• Enter the value of the partially-qualified-nodeid argument to specify a single node. The value of the nodeid argument is entered in the rack/slot/* notation. Node IDs are always specified at the slot level, so the wildcard (*) is used to specify the CPU.

• You must first remove a node from a non-owner SDR before it can be reassigned to another non-owner SDR.
• To remove a node from the owner SDR inventory, assign the node to a non-owner SDR.
• The owner SDR cannot be removed, and the owner DSDRSC (DSC) cannot be removed.

Removing Nodes from a Secure Domain Router in a Cisco CRS-1 Router

SUMMARY STEPS
1. admin
2. configure
3. sdr sdr-name
4.
Step 4 no location partially-qualified-nodeid or no location pair-name
Purpose: Removes a node, DRP pair, or RP pair from a non-owner SDR.

Removing Nodes from a Secure Domain Router: Cisco XR 12000 Series Router

SUMMARY STEPS
1. admin
2. configure
3. sdr sdr-name
4. no location partially-qualified-nodeid
5. end or commit

DETAILED STEPS

Step 1 admin
Purpose: Enters Administration EXEC mode.
Example: RP/0/0/CPU0:router# admin

Step 2 configure
Purpose: Enters Administration configuration mode.

Step 4 no location partially-qualified-nodeid
Purpose: Removes a node from a non-owner SDR.
• When a node is removed from an SDR, it is automatically added to the owner SDR inventory. This node may now be assigned to a different SDR, as described in the “Adding Nodes to an SDR in a Cisco XR 12000 Series Router” section on page SMC-150.
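The node-inventory rules in this chapter (a DSDRSC is required and, on the Cisco CRS-1, cannot be a single RP; a node must be removed from a non-owner SDR before it is reassigned; the DSDRSC cannot be removed while other nodes remain; the owner SDR and the DSC cannot be removed) can be checked against a planned change before it is committed. The following Python model is an added example, not Cisco code: the Chassis class, its method names and the sample node IDs are assumptions, and it applies the CRS-1 DSDRSC rule.

```python
from dataclasses import dataclass, field

OWNER = "owner"  # the owner SDR that exists as soon as the router boots


class SdrConfigError(ValueError):
    """A requested change breaks one of the chapter's SDR inventory rules."""


@dataclass
class Chassis:  # hypothetical model of a chassis, not a Cisco API
    dsc: str                                    # DSC node id, e.g. "0/RP0/*"
    nodes: dict = field(default_factory=dict)   # node id -> SDR name
    dsdrsc: dict = field(default_factory=dict)  # SDR name -> DSDRSC node/pair

    def __post_init__(self):
        # The DSC is the owner DSDRSC; it can never be removed or reassigned.
        self.nodes[self.dsc] = OWNER
        self.dsdrsc[OWNER] = self.dsc

    def assign(self, node, sdr):
        """location <node> under sdr <sdr>: move a node out of the owner inventory."""
        if sdr == OWNER or node == self.dsc:
            raise SdrConfigError("the DSC and owner SDR membership are fixed")
        current = self.nodes.get(node, OWNER)  # unassigned nodes are owner nodes
        if current not in (OWNER, sdr):
            raise SdrConfigError(f"remove {node} from {current} before reassigning it")
        self.nodes[node] = sdr

    def set_dsdrsc(self, sdr, node, kind):
        """Designate the DSDRSC of a non-owner SDR (CRS-1: DRP, DRP pair or RP pair)."""
        if kind not in ("drp", "drp-pair", "rp-pair"):
            raise SdrConfigError("a single RP cannot be the DSDRSC on a CRS-1")
        self.assign(node, sdr)
        self.dsdrsc[sdr] = node

    def remove(self, node):
        """no location <node>: return a node to the owner SDR inventory."""
        sdr = self.nodes.get(node, OWNER)
        if sdr == OWNER:
            raise SdrConfigError("owner nodes leave only by assignment to another SDR")
        others = any(s == sdr and n != node for n, s in self.nodes.items())
        if self.dsdrsc.get(sdr) == node and others:
            raise SdrConfigError("remove all other nodes before the DSDRSC")
        self.nodes[node] = OWNER
        if self.dsdrsc.get(sdr) == node:
            del self.dsdrsc[sdr]

    def remove_sdr(self, sdr):
        """no sdr <sdr>: delete the SDR and return every node it held to the owner."""
        if sdr == OWNER:
            raise SdrConfigError("the owner SDR cannot be removed")
        for node in [n for n, s in self.nodes.items() if s == sdr]:
            self.nodes[node] = OWNER
        self.dsdrsc.pop(sdr, None)
        return sorted(n for n, s in self.nodes.items() if s == OWNER)
```

Each method mirrors one admin-config command from the procedures above, so a change script can be dry-run against the model and rejected before any node is moved on the live chassis.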
Removing a Secure Domain Router

This section provides instructions to remove a secure domain router from either a Cisco CRS-1 or a Cisco XR 12000 Series Router. To remove an SDR, you can either remove all the nodes in the SDR individually or remove the SDR name. This section contains instructions to remove the SDR name and return all nodes to the owner SDR inventory.

Note
The owner SDR cannot be removed.

Step 4 end or commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found. Commit them?
– Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
Example: RP/0/RP0/CPU0:router (admin-config)# end
5. end or commit
6. Connect a terminal to the console port of the non-owner SDR DSDRSC.
7. Log in to the non-owner SDR using admin plane authentication:
Username:username@admin
Password:xxxx
8. configure
9. username username
10. secret password
11. group root-lr
12. end or commit
13. exit
14. Username:username
Password:xxxx
15. Provide the new username and password to the user.
16.

Step 4 aaa authentication login remote local
Purpose: Enables admin plane authentication.
• The remote keyword specifies a method list that uses remote non-owner SDR for authentication.
• The local keyword specifies a method list that uses the local username database method for authentication.

Step 7 Log in to the non-owner SDR using admin plane authentication:
Username:xxxx@admin
Password:xxxx
Purpose: Logs a root-system user into the SDR using admin plane authentication.
Note
Where it says “Username:xxxx@admin,” replace xxxx with your username.
Example:
Username:xxxx@admin
Password:xxxx

Step 8 configure
Purpose: Enters configuration mode.

Step 14 Username:xxxx
Password:xxxx
Purpose: Logs back in with the SDR administrator username and password you created. This username is used to configure the secure domain router and create other users with fewer privileges.
Example:
Press RETURN to get started.
Username:user1
Password:xxxxx

Step 15 Provide the new username and password to the user.
Step 3 no aaa authentication login remote local
Purpose: Disables remote login.
Example: RP/0/RP0/CPU0:router(admin-config)# no aaa authentication login remote local

Step 4 end or commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes:
Uncommitted changes found.

Configuration Examples for Secure Domain Routers

Adding nodes to an SDR: Cisco CRS-1 Router
RP/0/RP0/CPU0:router# admin
RP/0/RP0/CPU0:router(admin)# configure
RP/0/RP0/CPU0:router(admin-config)# sdr rname2
RP/0/RP0/CPU0:router(admin-config-sdr:rname2)# location 0/0/*
RP/0/RP0/CPU0:router(admin-config-sdr:rname2)# end

Adding nodes to an SDR: Cisco XR 12000 Series Router
RP/0/0/CPU0:router# admin
RP/0/0/CPU0:router(admin)# configure
RP/0/0/CPU0:rout
Additional References

The following sections provide references related to SDR configuration.

Related Documents
Related Topic | Document Title
SDR command reference. | Secure Domain Router Commands on Cisco IOS XR Software
DRP pairing command reference. |

RFCs
RFCs | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —

Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco. | http://www.cisco.com/techsupport

Cisco IOS XR System Management Configuration Guide SMC-166