Tag Archives: IOS-XR

IOS-XR Secure Domain Router (SDR)

Before we start with SDR concept, we need an introduction about virtualization techniques for creating virtualized router entities. A Hardware-Isolated Virtual Router (HVR) has hardware-based resource isolation between routing entities, whereas a Software-Isolated Virtual Router (SVR) comprises software-based resource isolation between routing entities.

Within SVRs, there are several models for achieving virtualization. One model allows for multiple guest operating systems to overlay on a host operating system.This approach tends to have a detrimental impact on scale because it introduces significant contention of resources.
In contrast, the HVR approach dedicates both control plane and data plane resources on a per-module boundary to individual virtual entities, so there is no sharing of either control plane or data plane resources.

Secure Domain Routers

Cisco routers (running IOS XR) can be partitioned into multiple, independent routers known as secure domain routers (SDRs), not VRFs’. With SDRs we can split a single physical system into multiple logically separated routers, with their own routing functions, but they share resources with the rest of the system. For example, the software, configurations, protocols, and routing tables assigned to an SDR belong to that SDR only, but other functions, such as chassis-control and switch fabric, are shared with the rest of the system.
To accommodate the high bandwidth and control plane needs in provider networks, especially POPs, Cisco IOS XR Software includes support for an HVR technology known as Secure Domain Routers (SDRs). SDRs provide full isolation between virtualized routing instances through the use of Distributed Route Processors (DRPs) for extra control plane resources. SDRs are defined on per-slot boundaries, with entire Route Processors (RPs) and Modular Services Cards (MSCs) dedicated to an SDR.


Comparison of Virtualization Technologies with Cisco IOS XR Software-Supported Secure Domain Router


Cisco IOS-XR Basics

IOS-XR code is really new for me, so i will write a few posts about it. So i will start with the basics. You can see this Operating System on CRS generations, ASR 9000 and NCS Box’s.

Configure Username and Group

The root-system means priviledge 15 in normal IOS

RP/0/0/CPU0:XR-4(config)#username cocheno
RP/0/0/CPU0:XR-4(config-un)# group root-system
RP/0/0/CPU0:XR-4(config-un)# password cocheno

The predefined groups are as follows:

  • cisco-support: This group is used by the Cisco support team.
  • netadmin: Has the ability to control and monitor all system and network parameters.
  • operator: A demonstration group with basic privileges.
  • root-lr: Has the ability to control and monitor the specific secure domain router.
  • root-system: Has the ability to control and monitor the entire system.
  • sysadmin: Has the ability to control and monitor all system parameters but cannot configure network protocols.
  • serviceadmin: Service administration tasks, for example, Session Border Controller (SBC).

Configure Hostname

RP/0/0/CPU0:XR(config)#hostname XR-4

Assigning IP Addresses

IOS-XR has some alias configured, it will interpret correctly if you not use ipv4 in this case

RP/0/0/CPU0:XR-4(config)#int gigabitEthernet 0/0/0/0.201
RP/0/0/CPU0:XR-4(config-subif)#encapsulation dot1q 201
ipv4 ipv6
RP/0/0/CPU0:XR-4(config-subif)#ip add

Check where your are in config hierarchy

RP/0/0/CPU0:XR-4(config-subif)#pwdSun Mar 6 17:37:05.948 UTC
interface GigabitEthernet0/0/0/0.201

Save Config

Saving the Config is a 2 step, you work on a candidate config instead of running-config protecting you from misconfig.

Showing config before commit it in running-config

RP/0/0/CPU0:XR-4(config)#show configuration
Sun Mar 6 16:03:23.913 UTC
Building configuration…
!! IOS XR Configuration 5.2.2
interface GigabitEthernet0/0/0/0.201
ipv4 address
encapsulation dot1q 201
Sun Mar 6 16:05:19.315 UTC

we can also assign a label to the commit, and rollback based on it as well

RP/0/0/CPU0:XR-4(config)#commit label IPV4_v201

Rolling back change we did previously

RP/0/0/CPU0:XR-4#rollback configuration last 1
Sun Mar 6 16:10:35.003 UTC
Loading Rollback Changes.
Loaded Rollback Changes in 1 sec
4 items committed in 1 sec (3)items/sec
Updated Commit database in 1 sec
Configuration successfully rolled back 1 commits.

You can use a time based commit, you need to accept the commit in 120 seconds, or it will rollback the changes

RP/0/0/CPU0:XR-4(config)#commit confirmed 120

Check the last system commits

RP/0/0/CPU0:XR-4(config)#show config commit list detail
Sun Mar 6 16:21:30.499 UTC1) CommitId: 1000000004 Label: IPV4_v201
UserId: cisco Line: con0_0_CPU0
Client: CLI Time: Sun Mar 6 16:21:28 2016
Comment: NONE2) CommitId: 1000000003 Label: NONE
UserId: cisco Line: con0_0_CPU0
Client: Rollback Time: Sun Mar 6 16:10:36 2016
Comment: NONE


RP/0/0/CPU0:XR-4#show configuration rollback changes last 1
Sun Mar 6 16:24:50.435 UTC
Building configuration…
!! IOS XR Configuration 5.2.2
no interface GigabitEthernet0/0/0/0.201

Configure Telnet/SSH

RP/0/0/CPU0:XR-4(config)#telnet vrf default ipv4 server max-servers 5
RP/0/0/CPU0:XR-4#crypto key generate dsa
Sun Mar 6 17:52:29.135 UTC
The name for the keys will be: the_default
Choose the size of your DSA key modulus. Modulus size can be 512, 768, or 1024 bits. Choosing a key modulus
How many bits in the modulus [1024]:
Generating DSA keys …
Done w/ crypto generate keypair
[OK]RP/0/0/CPU0:XR-4#conf t
Sun Mar 6 17:52:44.114 UTC
RP/0/0/CPU0:XR-4(config)#domain name cocheno.com
RP/0/0/CPU0:XR-4(config)#ssh server v2

Check SSH Sessions

RP/0/0/CPU0:XR-5#show ssh
Sun Mar 6 17:55:15.633 UTC
SSH version : Cisco-2.0id pty location state userid host ver authentication
Incoming sessions
0 vty0 0/0/CPU0 SESSION_OPEN cisco v2 password

Check commit failures

RP/0/0/CPU0:XR-4(config)#show configuration failed

After you change candidate config, you can abort without commit it


Replace the entire config by the candidate, if your candidate is empty will you have factory default

RP/0/0/CPU0:XR-4(config)#commit replace
Sun Mar 6 16:47:46.101 UTCThis commit will replace or remove the entire running configuration. This
operation can be service affecting.
Do you wish to proceed? [no]: