Cisco Systems Comprehensive Guide to Configuring Secure Domain Routers (SDR) on Cisco IOS XR Software


Configuring Secure Domain Routers on Cisco IOS XR Software

Information About Configuring Secure Domain Routers

another 30 seconds. This causes an inconsistent system view in the named SDR using DRP paired across the rack in which the DRP loses control Ethernet connectivity, but the LR plane is still working and can bring the named SDR into an inconsistent view if the named SDR is across the rack.

To support DSC migration in Cisco IOS XR Software Release 3.3.2 and higher, we recommend that you:

Keep the default placement of all four RPs in the owner SDR. When the owner SDR spans both LCCs, the impact on the SDR resources is minimal in the remaining rack. Existing connections are not interrupted for the resources in the remaining rack, but a delay in routing new connections can occur while the routing tables are updated.

Run all routing protocols in a named SDR. This requires a distributed route processor (DRP) paired across the rack, and it allows the operation of Cisco Nonstop Forwarding (NSF) and Cisco Nonstop Routing (NSR) to continue.

An election process selects the node that is to receive the DSC role upon DSC migration. The basis of the election is the shelf number. The shelf with the lowest number is designated to receive the DSC role.

DSC migration can cause a very short interruption to traffic flowing through the owner SDR. Although the time can vary with the addition of new features to DSC management and other factors, in the current release the time is likely to be around 20 to 30 seconds.

The traffic loss occurs because virtual interfaces (VIs), such as loopback, null, tunnel, and bundle interfaces, are hosted on the DSDRSC of an SDR. For the owner SDR, the DSDRSC is the same node as the DSC itself. For DSC migration to occur, both the active and standby DSC must be lost. Therefore, for the owner SDR, both the active and standby DSDRSC are lost. The VIs must be recreated on the new DSC, which is also the new DSDRSC. This operation takes some time, during which routing protocols such as BGP that use loopback or null interfaces are affected. Similarly, tunnels and bundles must also be recreated, affecting protocols such as MPLS. As a result, there is a drop in traffic in the default or owner SDR.

Note: In Cisco IOS XR Software Release 3.3.0 and higher, DSC migration is disabled if the RPs in both LCCs are assigned to different SDRs.

To minimize the impact of DSC migration, create named SDRs that operate on DRP in each LCC. If the DSC rack fails, any named SDRs on the failed rack also fail. However, named SDRs on the unaffected rack can continue through DSC migration without any interruption in service. If the failure in the DSC rack affects only the RP cards, the named SDR in the affected rack cannot function after the RPs on that rack go down.
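The rules in this section (the election by lowest shelf number, the note on split RP assignment, and the effect of a DSC rack failure on owner and named SDRs) can be checked against a planned node placement before deployment. The following is an added example, not Cisco code: a simplified Python model in which the Node type, the SDR names, and both layouts are constructed for illustration. It also generalizes the election to more than one surviving shelf.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    shelf: int   # line card chassis (rack) number
    kind: str    # "RP" or "DRP"
    sdr: str     # assigned SDR; "owner" is the owner SDR

def migration_enabled(nodes):
    # Page note (3.3.0+): disabled if the RPs in the LCCs belong to different SDRs.
    return len({n.sdr for n in nodes if n.kind == "RP"}) == 1

def dsc_rack_failure(nodes, dsc_shelf):
    """Per-SDR outcome when the rack holding active and standby DSC is lost."""
    survivors = [n for n in nodes if n.shelf != dsc_shelf]
    rp_shelves = [n.shelf for n in survivors if n.kind == "RP" and n.sdr == "owner"]
    if not migration_enabled(nodes) or not rp_shelves:
        return {"new_dsc_shelf": None, "sdrs": {}}   # page states no outcome here
    outcome = {}
    for sdr in sorted({n.sdr for n in nodes}):
        if sdr == "owner":
            outcome[sdr] = "interrupted"     # VIs are recreated on the new DSC
        elif any(n.sdr == sdr for n in survivors):
            outcome[sdr] = "continues"       # still has a DRP on a surviving rack
        else:
            outcome[sdr] = "fails"           # all of its nodes were on the lost rack
    # Election: the lowest-numbered surviving shelf receives the DSC role.
    return {"new_dsc_shelf": min(rp_shelves), "sdrs": outcome}

# Constructed two-LCC layout: all four RPs in the owner SDR (the recommended
# default), one named SDR per rack, and one named SDR with a DRP pair across racks.
RECOMMENDED = [
    Node(0, "RP", "owner"), Node(0, "RP", "owner"),
    Node(1, "RP", "owner"), Node(1, "RP", "owner"),
    Node(0, "DRP", "sdr-a"), Node(1, "DRP", "sdr-b"),
    Node(0, "DRP", "sdr-x"), Node(1, "DRP", "sdr-x"),
]
# Same racks, but the RPs of shelf 1 are assigned to a named SDR.
SPLIT_RPS = [Node(0, "RP", "owner"), Node(0, "RP", "owner"),
             Node(1, "RP", "sdr-b"), Node(1, "RP", "sdr-b")]

if __name__ == "__main__":
    print(dsc_rack_failure(RECOMMENDED, dsc_shelf=0))
    print(dsc_rack_failure(SPLIT_RPS, dsc_shelf=0))
```

The model covers only the loss of a whole rack; the RP-only failure case and the control Ethernet loss described above are outside its scope.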

Cisco IOS XR Software Package Management

Software packages are added to the DSC of the system from Administration Exec mode. Once added, a package can be activated for all SDRs in the system, or for a specific SDR.

Note: In Release 3.3.0, SDR-specific activation is supported for specific packages and upgrades, such as optional packages and SMUs. Packages that do not support SDR-specific activation can only be activated for all SDRs in the system. For detailed instructions, see the “Managing Cisco IOS XR Software Packages” module of the Cisco IOS XR Getting Started Guide. See also the “Software Package Management Commands on Cisco IOS XR Software” module of the Cisco IOS XR System Management Command Reference.

Cisco IOS XR System Management Configuration Guide

SMC-137
