Summary of the content on page 1
Configuring Secure Domain Routers on Cisco IOS XR Software
Secure domain routers (SDRs) are a means of dividing a single physical system into multiple logically
separated routers. SDRs are isolated from each other in terms of their resources, performance, and
availability.
Note: SDRs were previously known as Logical Routers (LRs). The name was changed for Release 3.3.0.
Feature History for Configuring Secure Domain Routers on Cisco IOS XR Software
Release Modification
Release 3.2 This featu
Summary of the content on page 2
Prerequisites for Configuring Secure Domain Routers
Before configuring SDRs, the following conditions must be met:
Initial configuration
The router must be running the Cisco IOS XR software, including a Designated System Controller (DSC).
The root-system username and password must be assigned as part of the initial configuration.
For more information on booting a router and pe
Summary of the content on page 3
Information About Configuring Secure Domain Routers
Review the following topics before configuring secure domain routers:
What Is a Secure Domain Router?, page SMC-129
Owner SDR and Administration Configuration Mode, page SMC-129
Non-Owner SDRs, page SMC-130
SDR Access Privileges, page SMC-130
– Root-System Users, page SMC-130
– root-lr Users, page SMC-131
– Other SDR Users, pag
Summary of the content on page 4
See the “SDR Access Privileges” section on page SMC-130 for more information.
Note: The Administration modes cannot be used to configure the features within a non-owner SDR, or view the router configuration for a non-owner SDR. After the SDR is created, users must log into the non-owner SDR directly to change the local configuration and manage the SDR. See the “Non-Owner SDRs” section
Summary of the content on page 5
Ability to assign nodes (RPs, DRPs, and LCs) to SDRs.
Ability to create other users with similar or lower privileges.
Complete authority over the chassis.
Ability to log in to non-owner SDRs using admin plane authentication. Admin plane authentication allows the root-system user to log in to a non-owner SDR regardless of the configuration set by the root-lr user. See the “Conf
Summary of the content on page 6
Designated Secure Domain Router System Controller (DSDRSC)
In a router running the Cisco IOS XR software, one Route Processor is assigned the role of Designated System Controller (DSC). The DSC provides system-wide administration and control capability, including access to the Administration EXEC and Administration configuration modes. For more information on DSCs, refer to Cisco IOS
Summary of the content on page 7
DRPs are supported in the Cisco CRS-1 only. DRPs are not supported in the Cisco XR 12000 Series Routers.
Note: DRPs can also be used to provide additional processing capacity in a Cisco CRS-1 router. For additional information on DRPs, refer to Cisco CRS-1 Carrier Routing System 16-Slot Line Card Chassis System Description. For instructions on installing DRPs, refer to Installing th
Summary of the content on page 8
Designated System Controller (DSC) in a Cisco XR 12000 Series Router
The first RP to be booted with the Cisco IOS XR software in a Cisco XR 12000 Series Router will become the Designated System Controller (DSC) for the router. This DSC is also the DSDRSC for the owner SDR. The DSC (owner DSDRSC) cannot be removed from the router configuration or reassigned to another SDR. For more
Summary of the content on page 9
Removing a DSDRSC Configuration
There are two ways to remove a DSDRSC from an SDR:
First remove all other nodes from the SDR configuration, and then remove the DSDRSC node. You cannot remove the DSDRSC node when other nodes are in the SDR configuration.
Remove the entire SDR. Removing an SDR name deletes the SDR and moves all nodes back to the owner SDR inventory.
See the “Removi
Summary of the content on page 10
High Availability Implications
Fault Isolation
Because the CPU and memory of an SDR are not shared with other SDRs, configuration problems that cause out-of-resources conditions in one SDR do not affect other SDRs.
Rebooting an SDR
Each non-owner SDR can be rebooted independently of the other SDRs in the system. If you reboot the owner SDR, however, then all non-owner SDRs in the sy
Summary of the content on page 11
another 30 seconds. This causes an inconsistent system view in the named SDR using DRP paired across the rack in which the DRP loses control Ethernet connectivity, but the LR plane is still working and can bring the named SDR into an inconsistent view if the named SDR is across the rack.
To support DSC migration in Cisco IOS XR Software Release 3.3.2 and higher, we recommend that you:
Summary of the content on page 12
To access install commands, you must be a member of the root-system user group with access to the Administration EXEC mode. Most show install commands can be used in the EXEC mode of an SDR to view the details of the active packages for that SDR.
Note: For information, see Default Configuration for New Non-Owner SDRs, page SMC-135
DSC Migration on Cisco CRS-1 Multishelf Systems
De
Summary of the content on page 13
which is also the new DSDRSC. This operation takes some time, during which routing protocols such as BGP that use loopback or null interfaces are affected. Similarly, tunnels and bundles must also be recreated, affecting protocols such as MPLS. As a result, there is a drop in traffic in the default or owner SDR.
Note: In Cisco IOS XR Software Release 3.3.0 and higher, DSC migration is
Summary of the content on page 14
How to Configure Secure Domain Routers
To create an SDR, configure an SDR name and then add nodes to the configuration. In Cisco CRS-1 routers, at least one node in each SDR must be explicitly configured as the DSDRSC. In the Cisco XR 12000 Series Router, the DSDRSC is created automatically when you add an RP to the configuration. After the SDR is created, you can add or remove additional nodes a
Summary of the content on page 15
Complete the following steps to create a non-owner SDR.
Note: The procedures in this section can be performed only on a router that is already running the Cisco IOS XR software. For instructions to boot a router and perform the initial configuration, see the Cisco IOS XR Getting Started Guide. When a router is booted, the owner SDR is automatically created, and cannot be removed. This also includ
Summary of the content on page 16
DETAILED STEPS
Step 1
Command or Action: admin
Example: RP/0/RP0/CPU0:router# admin
Purpose: Enters Administration EXEC mode.
Step 2
Command or Action: configure
Example: RP/0/RP0/CPU0:router(admin)# configure
Purpose: Enters Administration configuration mode.
Step 3
Command or Action: pairing pair-name
Purpose: (Optional) Enter DRP pairing configuration mode. If the DRP name does not exist, the DRP pair is created when you add nodes, as described in
Summary of the content on page 17
Step 7
Command or Action: pair pair-name primary
or
location partially-qualified-nodeid primary
Example: RP/0/RP0/CPU0:router(admin-conf
Purpose: Specifies a DSDRSC for the non-owner SDR. You can assign a redundant DRP pair, an RP pair, or a single DRP as the DSDRSC. You cannot assign a single RP as the DSDRSC. Every SDR must contain a DSDRSC. We recommend the use of DRP pairs as the DSDRSC for
Summary of the content on page 18
Step 8
Command or Action: location partially-qualified-nodeid
or
location pair-name
Example: RP/0/RP0/CPU0:router(admin-config-sdr:rname
Purpose: Adds additional nodes, DRP pairs, or RP pairs to the SDR.
To add a single node: Enter the location partially-qualified-nodeid command. The value of the partially-qualified-nodeid argument is entered in the rack/slot/* notation. Node IDs are always specifie
Summary of the content on page 19
Creating SDRs in a 12000 Series Router
To create a non-owner SDR in a Cisco XR 12000 Series Router, create an SDR name, add an RP (that can act as DSDRSC) or 2 RPs in adjacent redundancy slots (that can act as the DSDRSC & standby DSDRSC), and then add additional (non-RP) nodes to the configuration.
Note: The procedures in this section can only be performed on a router that is already running the Ci
Summary of the content on page 20
Step 3
Command or Action: sdr sdr-name
Example: RP/0/0/CPU0:router(admin-config)# sdr rname
Purpose: Enters the Administration configuration mode for the specified SDR. If this SDR does not yet exist, it is created when you add a node as described in the following step. If this SDR existed previously, complete the following steps to add additional nodes.
Note: For the Cisco XR 12000 Series Route