© 2006 Cisco Systems, Inc. All rights reserved. XR Training / lwigley Cisco Confidential
IOS XR Practical Introduction
IOS XR Introduction Agenda
• Command Modes and Node Addresses
• Configuration Model
• Command Authorization
• Basic Security
• Software Installation
XR Command Modes
SDR Exec – Normal operations - monitoring routing and CEF
  RP/0/RP0/CPU0:router#
    show ipv4 interfaces brief
    show running-config
    show install active
    show cef summary location 0/5/CPU0
SDR Config – Configuration for L3 Node
  RP/0/RP0/CPU0:router(config)#
    router bgp 100
    taskgroup admins
    policy-map foo
    mpls ldp
    ipv4 access-list block-junk
Admin – Chassis operations, outside of SDRs
  RP/0/RP0/CPU0:router(admin)#
    show controllers fabric plane all
    config-register 0x0
    install add tftp://7.7.7.77/[filename]
    show platform
Admin Config
  RP/0/RP0/CPU0:router(admin-config)#
    sdr backbone location 0/5/*
    pairing reflector location 0/3/* 0/4/*
Node Addressing on CRS-1
[Figure: CRS-1 chassis diagram labelled with fabric cards, MSCs, PLIMs, cable management, fan trays, fan controllers, power supplies, air intake, air out and RPs]
CRS-1 node addresses (figure callouts):
  interface gig[RACK/SLOT/BAY/PORT]
  [RACK]/RP1/CPU0
  [RACK]/0/CPU0
  [RACK]/0/SM0
  [RACK]/SM0/SP
RP/0/RP0/CPU0:CRS(admin)#show platform
Node          Type          PLIM             State        Config State
--------------------------------------------------------------------------
0/0/SP        UNKNOWN(SP)   N/A              PRESENT      PWR,NSHUT,MON
0/2/SP        MSC(SP)       N/A              IOS XR RUN   PWR,NSHUT,MON
0/2/CPU0      MSC           4OC192-POS/DPT   IOS XR RUN   PWR,NSHUT,MON
0/5/SP        MSC(SP)       N/A              IOS XR RUN   PWR,NSHUT,MON
0/5/CPU0      MSC           Jacket Card      IOS XR RUN   PWR,NSHUT,MON
0/5/0         MSC(SPA)      8X1GE            OK           PWR,NSHUT,MON
0/7/SP        UNKNOWN(SP)   N/A              PRESENT      PWR,NSHUT,MON
0/RP0/CPU0    RP(Active)    N/A              IOS XR RUN   PWR,NSHUT,MON
0/SM0/SP      FC/S(SP)      N/A              IOS XR RUN   PWR,NSHUT,MON
0/SM1/SP      FC/S(SP)      N/A              IOS XR RUN   PWR,NSHUT,MON
0/SM2/SP      FC/S(SP)      N/A              IOS XR RUN   PWR,NSHUT,MON
0/SM3/SP      FC/S(SP)      N/A              IOS XR RUN   PWR,NSHUT,MON
Configuration Model and Tools
Configuration Key Concepts
• Two Stage Commit
• Config History Database
• Rollback
• Atomic vs. Best Effort
• Multiple Config Sessions
Two Stage Commit
Enter Proposed Changes
Target Configuration:
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  router ospf 100
   area 0
    interface gig 0/3/0/0
   area 1
    interface pos 0/4/0/0
Commit
Changes take effect
Active Configuration Before Commit:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Active Configuration After Commit:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router ospf 100
   area 0
    interface gig 0/3/0/0
   area 1
    interface pos 0/4/0/0
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Two Stage Commit – Verification
Syntax first, then full check during commit
Target Configuration:
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  router ospf 100
   area 0
    interface gig 0/3/0/0
   area 1
    interface pos 0/4/0/0
Syntax Check after each line
Semantic Check during commit
Active Configuration Before Commit:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Active Configuration After Commit:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router ospf 100
   area 0
    interface gig 0/3/0/0
   area 1
    interface pos 0/4/0/0
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Commit History and Labels
Enter Proposed Changes
Target Configuration:
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  router ospf 100
   area 0
    interface gig 0/3/0/0
   area 1
    interface pos 0/4/0/0
Commit
Active Configuration:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router ospf 100
   area 0
    interface gig 0/3/0/0
   area 1
    interface pos 0/4/0/0
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Commit History:
  #1
    interface gig 0/3/0/5
     ipv4 address 9.9.9.9/24
    router ospf 100
     area 0
      interface gig 0/3/0/5
  #2 BGP Change
    router bgp 100
     address-family ipv4 unicast
     neighbor 5.5.5.5
      remote-as 87
  #3
    interface gig 0/3/0/2
     ipv4 address 9.19.9.9/24
    router ospf 100
     area 0
      interface gig 0/3/0/2
  #4
    interface gig 0/3/0/0
     ipv4 address 9.9.9.9/24
    router ospf 100
     area 0
      interface gig 0/3/0/0
Changes added to commit history
Earlier commit with optional label
Unique ID Automatically Generated
Rollback a Specific Commit
(config)#load rollback changes BGP_Change (or commit id)
Target Configuration:
  no router bgp 100
Commit
Active Configuration:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router ospf 100
   area 0
    interface gig 0/3/0/0
   area 1
    interface pos 0/4/0/0
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Commit History and Rollback entries:
  #1
    Commit History:
      interface gig 0/3/0/5
       ipv4 address 9.9.9.9/24
      router ospf 100
       area 0
        interface gig 0/3/0/5
    Rollback:
      interface gig 0/3/0/5
       no ipv4 address 9.9.9.9/24
      router ospf 100
       area 0
        no interface gig 0/3/0/5
  #2 BGP_Change
    Commit History:
      router bgp 100
       address-family ipv4 unicast
       neighbor 5.5.5.5
        remote-as 87
    Rollback:
      no router bgp 100
  #3
    Commit History:
      interface gig 0/3/0/2
       ipv4 address 9.19.9.9/24
      router ospf 100
       area 0
        interface gig 0/3/0/2
    Rollback:
      interface gig 0/3/0/2
       no ipv4 address 9.19.9.9/24
      router ospf 100
       area 0
        no interface gig 0/3/0/2
  #4
    Commit History:
      interface gig 0/3/0/0
       ipv4 address 9.9.9.9/24
      router ospf 100
       area 0
        interface gig 0/3/0/0
    Rollback:
      interface gig 0/3/0/0
       no ipv4 address 9.9.9.9/24
      router ospf 100
       area 0
        no interface gig 0/3/0/0
  #5
    Commit History:
      no router bgp 100
    Rollback:
      router bgp 100
       address-family ipv4 unicast
       neighbor 5.5.5.5
        remote-as 87
Another entry in commit history generated
Rollback To Previous Commit
(config)#load rollback changes to BGP_Change (or commit id)
All changes back to and including those made with the commit referenced
Target Configuration:
  no router bgp 100
  interface gig 0/3/0/2
   no ipv4 address 9.19.9.9/24
  interface gig 0/3/0/0
   no ipv4 address 9.9.9.9/24
  router ospf 100
   area 0
    no interface gig 0/3/0/2
    no interface gig 0/3/0/0
Commit
Commit History and Rollback entries #1 to #4: as on the "Rollback a Specific Commit" slide.
  #5
    no router bgp 100
    interface gig 0/3/0/2
     no ipv4 address 9.19.9.9/24
    interface gig 0/3/0/0
     no ipv4 address 9.9.9.9/24
    router ospf 100
     area 0
      no interface gig 0/3/0/2
      no interface gig 0/3/0/0
Active Configuration:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router ospf 100
   area 0
   area 1
    interface pos 0/4/0/0
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Rollback Last X Commits
(config)#load rollback changes last 2
Target Configuration:
  interface gig 0/3/0/2
   no ipv4 address 9.19.9.9/24
  interface gig 0/3/0/0
   no ipv4 address 9.9.9.9/24
  router ospf 100
   area 0
    no interface gig 0/3/0/2
    no interface gig 0/3/0/0
Commit
Active Configuration:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router ospf 100
   area 0
   area 1
    interface pos 0/4/0/0
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Commit History and Rollback entries #1 to #4: as on the "Rollback a Specific Commit" slide.
  #5
    Commit History:
      interface gig 0/3/0/2
       no ipv4 address 9.19.9.9/24
      interface gig 0/3/0/0
       no ipv4 address 9.9.9.9/24
      router ospf 100
       area 0
        no interface gig 0/3/0/2
        no interface gig 0/3/0/0
    Rollback:
      interface gig 0/3/0/2
       ipv4 address 9.19.9.9/24
      interface gig 0/3/0/0
       ipv4 address 9.9.9.9/24
      router ospf 100
       area 0
        interface gig 0/3/0/2
        interface gig 0/3/0/0
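The three rollback forms on the preceding slides differ only in which commits they select. The model below is an added example, not Cisco code and not part of the original deck: it replays the slides' history #1 to #4 and shows which commits each form undoes and what remains active. The Commit class, function names and the leaf-path representation are assumptions, and commits are assumed to touch disjoint configuration leaves.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    cid: int                          # commit ID as numbered on the slides
    label: str = ""                   # optional label given at commit time
    added: frozenset = frozenset()    # configuration leaves this commit added
    removed: frozenset = frozenset()  # configuration leaves this commit removed


def iface_commit(cid, name, addr):
    """Commit that addresses an interface and places it in OSPF area 0."""
    return Commit(cid, "", frozenset({
        ("interface " + name, "ipv4 address " + addr),
        ("router ospf 100", "area 0", "interface " + name),
    }))


# Constructed data: part of the slides' base configuration and history #1-#4.
BASE = frozenset({
    ("hostname Backbone-CRS",),
    ("router ospf 100", "area 1", "interface pos 0/4/0/0"),
    ("router static", "address-family ipv4 unicast", "0.0.0.0/0 7.1.9.1"),
})
HISTORY = [
    iface_commit(1, "gig 0/3/0/5", "9.9.9.9/24"),
    Commit(2, "BGP_Change", frozenset({
        ("router bgp 100", "address-family ipv4 unicast"),
        ("router bgp 100", "neighbor 5.5.5.5", "remote-as 87"),
    })),
    iface_commit(3, "gig 0/3/0/2", "9.19.9.9/24"),
    iface_commit(4, "gig 0/3/0/0", "9.9.9.9/24"),
]


def active_config(base, history):
    """Replay every commit over the base configuration."""
    active = set(base)
    for commit in history:
        active |= commit.added
        active -= commit.removed
    return active


def find(history, ref):
    """Locate exactly one commit by numeric ID or by label."""
    hits = [c for c in history if ref != "" and ref in (c.cid, c.label)]
    if len(hits) != 1:
        raise LookupError(f"reference {ref!r} matches {len(hits)} commits")
    return hits[0]


def select(history, mode, ref):
    """Commits a rollback undoes, newest first.

    "changes"    -> only the referenced commit
    "changes to" -> the referenced commit and every later one
    "last"       -> the ref most recent commits
    """
    if mode == "last":
        if not 0 < ref <= len(history):
            raise ValueError("commit count out of range")
        picked = history[-ref:]
    elif mode == "changes":
        picked = [find(history, ref)]
    elif mode == "changes to":
        picked = history[history.index(find(history, ref)):]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return list(reversed(picked))


def rollback(history, mode, ref):
    """History extended by the new commit that the rollback generates."""
    picked = select(history, mode, ref)
    undo_added = frozenset().union(*(c.added for c in picked))
    undo_removed = frozenset().union(*(c.removed for c in picked))
    inverse = Commit(history[-1].cid + 1, "",
                     added=undo_removed, removed=undo_added)
    return history + [inverse]


if __name__ == "__main__":
    for mode, ref in (("changes", "BGP_Change"),
                      ("changes to", "BGP_Change"), ("last", 2)):
        undone = [c.cid for c in select(HISTORY, mode, ref)]
        after = active_config(BASE, rollback(HISTORY, mode, ref))
        print(f"{mode} {ref}: undoes {undone}, {len(after)} leaves remain")
```

Because the rollback is itself recorded as a commit, rolling back the last commit afterwards restores the earlier state, which is the behaviour the #5 entries on the slides illustrate.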
Load Changes from Last 2 Commits
(config)#load commit changes last 2
Target Configuration:
  interface gig 0/3/0/2
   ipv4 address 9.19.9.9/24
  !
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  !
  router ospf 100
   area 0
    interface gig 0/3/0/0
    interface gig 0/3/0/2
Commit
Commit History and Rollback entries #1 to #4: as on the "Rollback a Specific Commit" slide.
  #5
    Commit History:
      interface gig 0/3/0/2
       ipv4 address 9.19.9.9/24
      !
      interface gig 0/3/0/0
       ipv4 address 9.9.9.9/24
      !
      router ospf 100
       area 0
        interface gig 0/3/0/0
        interface gig 0/3/0/2
    Rollback:
      interface gig 0/3/0/0
       no ipv4 address 9.9.9.9/24
      interface gig 0/3/0/2
       no ipv4 address 9.19.9.9/24
      router ospf 100
       area 0
        no interface gig 0/3/0/2
        no interface gig 0/3/0/0
Active Configuration:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router ospf 100
   area 0
   area 1
    interface pos 0/4/0/0
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Commit Atomic – Default Commit Behavior
All or Nothing – Any semantic failure stops commit
Target Configuration:
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  taskgroup bgp
   task read bgp
   task write bgp
Syntax Check after each line: PASSES
Semantic Check during commit: FAILS (BGP cannot be taskgroup name)
Active Configuration Before Commit:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Active Configuration After Commit: No Change
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Commit Best Effort
Commit as much as possible, even if semantic check fails
Target Configuration:
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  taskgroup bgp
   task read bgp
   task write bgp
Syntax Check after each line: PASSES
Semantic Check during commit: FAILS (BGP cannot be taskgroup name)
Active Configuration Before Commit:
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Active Configuration After Commit: Partial Commit
  hostname Backbone-CRS
  line default
   exec-timeout 1440 0
  !
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  !
  taskgroup ops
   task read boot
   task write boot
   task execute bgp
  !
  router static
   address-family ipv4 unicast
    0.0.0.0/0 7.1.9.1
    7.7.7.77/32 7.1.9.1
Behavior With Multiple Commits
Two or more users in config mode at same time
First to Commit
Enter Proposed Changes:
  interface gig 0/3/0/0
   ipv4 address 9.9.9.9/24
  router ospf 100
   area 0
    interface gig 0/3/0/0
   area 1
    interface pos 0/4/0/0
Second to Commit
Enter Proposed Changes:
  interface gig 0/3/0/0
   ipv4 address 9.9.9.7/24
  router ospf 100
   area 2
    interface gig 0/3/0/0
   area 4
    interface pos 0/4/0/0
Prompt shown to the second user:
  One or more commits have occurred from other configuration sessions since this
  session started or since the last commit was made from this session.
  You can use the 'show configuration commit changes' command to browse the changes.
  Do you wish to proceed with this commit anyway? [no]:
Normal Commit
only first user’s changes
Use config exclusive to block other users from committing
Other Commit/Config Options
• commit confirmed - Automatic rollback if not confirmed
• commit replace – Replaces active config with target (WARNING)
• commit label – Adds label which can be used to reference commit
• commit comment – Adds a comment (cannot be referenced)
• clear – Clear target config, go to top level, stay in config mode
• abort – Clear target config mode, exit config mode
Preconfiguration / OIR
• Interfaces can be preconfigured
    Configuration will become active when matching HW inserted
• Future interface can be assigned to routing protocols
• OIR moves configuration to preconfigured state
Monitoring Configuration
From Config Mode
• show – Display target config for current sub-mode
• show config – Display entire target config
• show config merged – Display target and active config together
• show config running – Display active config
• show config rollback – Display possible rollback options
• show config failed – Display config that failed semantic check
Monitoring Configuration
From SDR Exec Mode
RP/0/RP0/CPU0:CRS#show config commit history
SNo. Label/ID    User   Line         Client  Time Stamp
~~~~ ~~~~~~~~    ~~~~   ~~~~         ~~~~~~  ~~~~~~~~~~
1    1000000296  ww     con0_RP0_C   CLI     12:17:03 UTC Wed Jun 28 2006
2    1000000295  ww     con0_RP0_C   CLI     12:16:47 UTC Wed Jun 28 2006
3    1000000294  ww     vty0         CLI     12:09:03 UTC Wed Jun 28 2006
4    1000000293  admin  vty0         CLI     06:47:51 UTC Wed Jun 28 2006
5    1000000292  admin  vty0         CLI     06:47:18 UTC Wed Jun 28 2006

RP/0/RP0/CPU0:CRS#show config commit changes last 5
Building configuration...
hostname CRS
policy-map edge
 class prec_5
  bandwidth remaining percent 50

RP/0/RP0/CPU0:CRS#show config sessions
Session                     Line  User  Date                      Lock
00000201-0014e0da-00000000  vty0  ww    Wed Jun 28 12:58:14 2006  *

RP/0/RP0/CPU0:CRS#show running-config
Building configuration...
!! Last configuration change at 12:17:03 UTC Wed Jun 28 2006 by ww
!
hostname CRS
line default
 exec-timeout 1440 0
…
Configuration Notes
• Default configurations not shown
    show running isn’t effective for system inventory
• Unconfigured interfaces not shown
• Individual config blocks can be displayed
RP/0/RP0/CPU0:CRS#show run router bgp
router bgp 65000
 address-family ipv4 unicast
 !
 neighbor 10.254.254.1
  remote-as 1
  address-family ipv4 unicast
   route-policy inbound in
  !
 !
 neighbor 192.168.0.1
  remote-as 2
  address-family ipv4 unicast
   route-policy inbound in
Task Based Command Authorization
Command Authorization Key Concepts
• Tasks
• Task Groups
• User Groups
• Inheritance
• On-Box vs. TACACS/RADIUS
Tasks
• Building blocks for on-box authorization scheme
• 4 types of permissions per task
    Read
    Write
    Execute
    Debug
Task IDs:
  aaa             config-services  hsrp         netflow       sbc
  acl             crypto           interface    network       snmp
  admin           diag             inventory    ospf          sonet-sdh
  atm             disallowed       ip-services  ouni          static
  basic-services  drivers          ipv4         pkg-mgmt      sysmgr
  bcdl            eigrp            ipv6         pos-dpt       system
  bfd             ext-access       isis         ppp           transport
  bgp             fabric           logging      qos           tty-access
  boot            fault-mgr        lpts         rib           tunnel
  bundle          filesystem       monitor      rip           universal
  cdp             firewall         mpls-ldp     root-lr       vlan
  cef             fr               mpls-static  root-system   vrrp
  cisco-support   hdlc             mpls-te      route-map
  config-mgmt     host-services    multicast    route-policy
Task and User Group Example
  Read            Write           Execute         Debug
  aaa             aaa             aaa             aaa
  acl             acl             acl             acl
  admin           admin           admin           admin
  atm             atm             atm             atm
  basic-services  basic-services  basic-services  basic-services
  bcdl            bcdl            bcdl            bcdl
  bfd             bfd             bfd             bfd
  bgp             bgp             bgp             bgp
taskgroup basic-admin
 task read acl
 task read bfd
 task read bgp
 task write acl
 task write bfd
 task write bgp
 task debug bgp
usergroup noc-staff
 taskgroup operator
 taskgroup basic-admin
 inherit usergroup all-users
!
usergroup allusers
 taskgroup basic-stuff
Which Tasks are Required?
RP/0/5/CPU0:iox(config)#describe router bgp 100
Package:
    c12k-rout
        c12k-rout V3.3.0[00] Routing protocols for 124xx
        Vendor : Cisco Systems
        Desc   : Routing protocols for 124xx
        Build  : Built on Wed May 10 10:30:27 UTC 2006
        Source : By edde-bld1 in /vws/aga/production/3.3.0…
        Card(s): RP, DRP, DRPSC
        Restart information:
          Default:
            parallel impacted processes restart
Component:
    ipv4-bgp V[r33x/3] IPv4 Border Gateway Protocol (BGP)
User needs ALL of the following taskids:
bgp (READ WRITE)
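The two preceding slides can be combined into a single check: resolve what a user group is actually granted through its task groups and inheritance, then compare that with the task IDs that describe reports for a command. This is an added example, not Cisco code and not part of the original deck; the function names, the body of the "operator" task group and the indentation-based parsing are assumptions.

```python
import re

PERMS = {"read", "write", "execute", "debug"}

# Constructed sample in the slide's syntax. "operator" is given a body here as
# an assumption; "basic-stuff" is deliberately left undefined.
SAMPLE_CONFIG = """\
taskgroup basic-admin
 task read acl
 task read bfd
 task read bgp
 task write acl
 task write bfd
 task write bgp
 task debug bgp
!
taskgroup operator
 task read basic-services
 task execute basic-services
!
usergroup all-users
 taskgroup basic-stuff
!
usergroup noc-staff
 taskgroup operator
 taskgroup basic-admin
 inherit usergroup all-users
!
"""

# Constructed sample: tail of the 'describe router bgp 100' output.
SAMPLE_DESCRIBE = """\
Component:
    ipv4-bgp V[r33x/3] IPv4 Border Gateway Protocol (BGP)
User needs ALL of the following taskids:
        bgp (READ WRITE)
"""

REQ_RE = re.compile(r"^\s*([a-z0-9-]+)\s+\(([A-Z ]+)\)\s*$")


def parse_config(text):
    """Return (taskgroups, usergroups) parsed from indented config text."""
    taskgroups, usergroups, current = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words == ["!"]:
            continue
        if not raw[0].isspace():            # top-level line opens a block
            current = None
            if len(words) == 2 and words[0] == "taskgroup":
                current = ("tg", words[1])
                taskgroups.setdefault(words[1], set())
            elif len(words) == 2 and words[0] == "usergroup":
                current = ("ug", words[1])
                usergroups.setdefault(words[1],
                                      {"taskgroups": [], "inherits": []})
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "tg" and len(words) == 3 and words[0] == "task" \
                and words[1] in PERMS:
            taskgroups[name].add((words[2], words[1]))
        elif kind == "ug" and len(words) == 2 and words[0] == "taskgroup":
            usergroups[name]["taskgroups"].append(words[1])
        elif kind == "ug" and words[:2] == ["inherit", "usergroup"] \
                and len(words) == 3:
            usergroups[name]["inherits"].append(words[2])
    return taskgroups, usergroups


def effective_tasks(taskgroups, usergroups, name):
    """Permissions per task for a user group, plus dangling references."""
    perms, problems, seen, stack = {}, [], set(), [name]
    while stack:
        group = stack.pop()
        if group in seen:                   # inheritance loop or diamond
            continue
        seen.add(group)
        if group not in usergroups:
            problems.append(f"usergroup {group} is referenced but not defined")
            continue
        for tg in usergroups[group]["taskgroups"]:
            if tg not in taskgroups:
                problems.append(f"taskgroup {tg} is referenced but not defined")
                continue
            for task, perm in taskgroups[tg]:
                perms.setdefault(task, set()).add(perm)
        stack.extend(usergroups[group]["inherits"])
    return perms, problems


def parse_required(describe_output):
    """Task IDs and permissions listed after 'User needs ALL of ...'."""
    required, active = {}, False
    for line in describe_output.splitlines():
        if "needs ALL of the following taskids" in line:
            active = True
        elif active and REQ_RE.match(line):
            task, wanted = REQ_RE.match(line).groups()
            required[task] = {p.lower() for p in wanted.split()}
    return required


def missing(required, perms):
    """Permissions the command needs that the user group lacks."""
    gaps = {}
    for task, needed in required.items():
        lacking = needed - perms.get(task, set())
        if lacking:
            gaps[task] = sorted(lacking)
    return gaps
```

With the sample data, noc-staff holds read, write and debug on bgp, so nothing is missing for router bgp 100, while the undefined basic-stuff task group is reported as a dangling reference.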
On-Box vs. Off-Box Authorization
• On-Box authorization must use task model
• Off-Box authorization with RADIUS/TACACS
    Can configure per-command authorization
Basic XR Security
XR Access List Concepts
• All ACLs are Named
    Numbers ok, but treated as text
• ACLs have sequence numbers
    Allows removal of specific line
    resequence command to renumber
ipv4 access-list ingress-filter
 10 permit tcp any any eq 2342
 20 permit udp any host 7.7.7.7
 30 deny ipv4 any host 6.6.6.6
 40 permit ipv4 any any
Software Installation
Software Install Terminology
Mini?
PIE?
SMU?
Package?
Packages – Bundles of Software
Optional: MPLS, MCAST, MGBL, SEC
Mandatory: OS-MBI, Base, Admin, Forwarding, Line card, Routing
PIE – Package Installation Envelope
• PIEs are a delivery mechanism for packages
    Used to deliver
      Major release – New functionality (3.3, 3.4, 3.5)
      Maintenance release – SW fixes (3.3.1, 3.3.2)
      SMU – Fix for a specific bug
• Includes authentication info
• Installed from IOS XR admin mode
• .vm files are the other delivery mechanism
    .vm files are bootable images
    Used as the Initial Install for GSR migration
Mini – Bundle of Mandatory Packages
• Composite image with mandatory packages
• Two types - .vm and .pie (both approx 80MB)
• Multiple uses
    Quickly test an image without installing it (.vm)
    Initial install of IOS XR on 12000 series (.vm)
    Recovery if system is corrupted (.vm)
    Major/Maintenance upgrade (.pie)
• “Full” image for CRS-1 = mini + all optional PIEs
Release Deliverables
• From CCO - CRS-1-iosxr-3.3.0.tar
• Which includes
    Unicast Routing Composite PIE (aka mini)
      Routing, LC, Forwarding, Admin, Base, MBI (min boot image)
    Optional PIEs
      Manageability
      MPLS
      Multicast
      Security
Release Deliverables – 3.2.2 RP
RP/0/RP0/CPU0:CRS#show install active detail
…
  Node 0/RP0/CPU0 [RP]
    Boot Image: /disk0/hfr-os-mbi-3.2.2/mbihfr-rp.vm
    Active Packages:
      disk0:hfr-mgbl-3.2.2
      disk0:hfr-mpls-3.2.2
      disk0:comp-hfr-mini-3.2.2
          disk0:hfr-rout-3.2.2
          disk0:hfr-lc-3.2.2
          disk0:hfr-fwdg-3.2.2
          disk0:hfr-admin-3.2.2
          disk0:hfr-base-3.2.2
          disk0:hfr-os-mbi-3.2.2
Release Deliverables – 3.2.2 SP & LC
RP/0/RP0/CPU0:CRS#show install active detail
…
  Node 0/2/SP [SP]
    Boot Image: /disk0/hfr-os-mbi-3.2.2/sp/mbihfr-sp.vm
    Active Packages:
      disk0:comp-hfr-mini-3.2.2
          disk0:hfr-admin-3.2.2
          disk0:hfr-base-3.2.2
          disk0:hfr-os-mbi-3.2.2

  Node 0/2/CPU0 [LC]
    Boot Image: /disk0/hfr-os-mbi-3.2.2/lc/mbihfr-lc.vm
    Active Packages:
      disk0:hfr-mpls-3.2.2
      disk0:comp-hfr-mini-3.2.2
          disk0:hfr-lc-3.2.2
          disk0:hfr-fwdg-3.2.2
          disk0:hfr-admin-3.2.2
          disk0:hfr-base-3.2.2
          disk0:hfr-os-mbi-3.2.2
EFT & Beta Release Numbering
EFT Releases: 3.2.8x, 3.3.8x
Beta Releases: 3.0.9x, 3.1.9x, 3.2.9x, 3.3.9x
FCS Version: 3.0.0, 3.1.0, 3.2.0, 3.3.0
Maintenance Releases: 3.0.1; 3.1.1; 3.2.1, 3.2.2; 3.3.1, 3.3.2
• IOS XR numbers releases differently than IOS
• Internal & Beta builds are HIGHER than released build
• Last part is reset to 0 for the major release (FCS)
SMU Delivery
• SMU is named by release and bugid
• Usually 50-200kb PIE file
• Examples
    hfr-rout-3.2.2.CSCei63263.pie
    hfr-base-3.2.2.CSCeh52427.pie
Potential Install Destinations
[Figure: install destinations on each platform]
CRS-1: RP0, RP1, DRP0 and DRP1 each have MEM and DISK; LC0 to LC7 each have MEM and Flash
XR 12000: RP0, RP1, DRP0 and DRP1 each have MEM and DISK; LC0 to LC7 each have MEM only
CRS has flash to store image on MSC
TURBOBOOT Install (CRS-1)
Boot from .vm file and install to RP disks and LC flash
Packages in the image: OS-MBI, Base, Admin, Forwarding, Line card, Routing
Image source: Disk0, Disk1, or TFTP Server
Step 1
    Load “mini” .vm image into memory
    Boot from disk or network
Step 2
    Router installs packages to flash disks on RPs and flash on LCs
Step 3
    Reload from disk
[Figure: CRS-1 install destinations: MEM and DISK on RP0, RP1, DRP0, DRP1; MEM and Flash on LC0 to LC7]
TURBOBOOT Install (12000)
Packages in the image: OS-MBI, Base, Admin, Forwarding, Line card, Routing
Image source: Disk0, Disk1, or TFTP Server
Step 1
    Load “mini” .vm image into memory
Step 2
    Router installs packages to RP flash disks
Step 3
    Reload from disk
[Figure: XR 12000 install destinations: MEM and DISK on RP0, RP1, DRP0, DRP1; MEM only on LC0 to LC7]
TURBOBOOT In Action
TURBOBOOT: Copying the packages to disk0:
RP/0/7/CPU0:May 18 11:21:28.390 : instdir[196]: %INSTALL-INSTMGR-6-INSTALL_OPERATION_STARTED : Install operation 1 'install copy-package mem: to disk0:' started by user '(Unknown)'
Install operation 1 'install copy-package mem: to disk0:' started by user '(Unknown)' at 11:21:28 UTC Thu May 18 2006.
Info: Checking available free space in disk0:
Info: Copying installed files from mem: to disk0:
Info: Copying component 'boot-mbi-prp-drp' size > 9 MB.
Info: Copying component 'c12000-boot-mbiprp.4k' size > 7 MB.
Info: Copying component 'boot-mbi-prp' size > 9 MB.
Info: Copying component 'installmgr' size > 2 MB.
Info: Copying component 'config-cfgmgr' size > 1 MB.
Info: Copying component 'doc-hfr-base' size > 2 MB.
Info: Copying component 'ifmgr.4k' size > 1 MB.
Info: Copying component 'ifmgr' size > 1 MB.
Info: Copying component 'infra-distrib.4k' size > 1 MB.
Info: Copying component 'infra-distrib' size > 1 MB.
Info: Copying component 'doc-hfr-admin' size > 1 MB.
Info: Copying component 'drivers-vpa-infra.4k' size > 1 MB.
PIE Installation Concepts
• PIE install used once system is operational
• Packages can be added or upgraded
• System performs sanity checks
• CLI for PIE install in admin mode
• 3 phase install
    Add – Copy package and unpack
    Activate – Restart processes/nodes with new code
    Commit – Lock activated packages through reload
install add Command
Copy image to disk, verify, and unpack
RP/0/0/CPU0:P4(admin)#install add tftp://172.21.116.8/c12k-mcast.pie-3.2.85.3I
Install: The idle timeout on this line will be suspended for synchronous install operations
Install: Starting install operation. Do not insert or remove cards until the operation completes.
RP/0/0/CPU0:P4(admin)#
Install: Now operating in asynchronous mode. Do not attempt subsequent install operations until this operation is complete.
Install 3: [  0%] Install operation 'add /tftp://172.21.116.8/c12k-mcast.pie-3.2.85.3I to disk0:' assigned request id: 3
Install 3: [  1%] Downloading PIE file from /tftp://172.21.116.8/c12k-mcast.pie-3.2.85.3I
Install 3: [  1%] Transferred 3298994 Bytes
Install 3: [  1%] Downloaded the package to the router
Install 3: [  1%] Verifying the package
Install 3: [  1%] [OK]
Install 3: [  1%] Verification of the package successful [OK]
Install 3: [ 95%] Going ahead to install the package...
Install 3: [ 95%] Add of '/tftp://172.21.116.8/c12k-mcast.pie-3.2.85.3I' completed.
Install 3: [100%] Add successful.
Install 3: [100%] The following package(s) and/or SMU(s) are now available to be activated:
Install 3: [100%] disk0:c12k-mcast-3.2.85
Install 3: [100%] Please carefully follow the instructions in the release notes when activating any software
Install 3: [100%] Idle timeout on this line will now be resumed for synchronous install operations
install activate Command
Begin executing new software
RP/0/0/CPU0:P4(admin)#install activate disk0:c12k-mcast-3.2.85
Install: The idle timeout on this line will be suspended for synchronous install operations
Install: Starting install operation. Do not insert or remove cards until the operation...
RP/0/0/CPU0:P4(admin)#
Install: Now operating in asynchronous mode. Do not attempt subsequent install operations until this operation is complete.
Install 3: [  0%] Install operation 'activate disk0:c12k-mcast-3.2.85' assigned request id: 3
Install 3: [  1%] Performing Inter-Package Card/Node/Scope Version Dependency Checks
Install 3: [  1%] [OK]
Install 3: [  1%] Checking API compatibility in software configurations...
Install 3: [  1%] [OK]
Install 3: [ 10%] Updating software configurations.
Install 3: [ 10%] RP,DRP:
Install 3: [ 10%] Activating c12k-mcast-3.2.85
Install 3: [ 10%] Checking running configuration version compatibility with newly activated…
Install 3: [ 10%] No incompatibilities found between the activated software and router…configuration.
…
RP/0/0/CPU0:Nov 12 14:24:01.249 : instdir[181]: %INSTMGR-6-SOFTWARE_CHANGE_END : Software change transaction 3 is COMPLETE.
Install 3: [100%] Performing software change
Install 3: [100%] Activation operation successful.
Install 3: [100%] NOTE: The changes made to software configurations will not be
Install 3: [100%] persistent across RP reloads. Use the command 'install commit'
Install 3: [100%] to make changes persistent.
Install 3: [100%] Idle timeout on this line will now be resumed for synchronous install operations
install commit Command
Lock in activated software across reload
RP/0/0/CPU0:P5(admin)#install commit
Install: The idle timeout on this line will be suspended for synchronous install operations
Install 5: [  1%] Install operation 'commit' assigned request id: 5
Install 5: [100%] Committing uncommitted changes in software configurations.
Install 5: [100%] Commit operation successful.
Install 5: [100%] Idle timeout on this line will now be resumed for synchronous operations
Deactivating Packages
RP/0/0/CPU0:P5(admin)#install deactivate disk0:c12k-rp-mgbl-3.2.85
Install: The idle timeout on this line will be suspended for synchronous install operations
Install: Starting install operation. Do not insert or remove cards until the operation completes.
RP/0/0/CPU0:P5(admin)#
Install: Now operating in asynchronous mode. Do not attempt subsequent install operations until this operation is complete.
Install 8: [  0%] Install operation 'deactivate disk0:c12k-mgbl-3.2.85' assigned request id: 8
Install 8: [  1%] Package 'disk0:c12k-mgbl-3.2.85' is not active and cannot be deactivated.
Install 8: [  1%] Idle timeout on this line will now be resumed for synchronous install operations
Package features no longer available
Package still installed
Package can be reactivated
Display Installation Log
RP/0/0/CPU0:P4(admin)#show install log
Request id 1 by cisco at Tue May 31 10:41:12 2005:
    1 pie added to disk0::
        /tftp://172.21.116.8/c12k-mcast.pie-3.2.85.3I
Request id 2 by cisco at Tue May 31 11:02:51 2005:
    1 pie added to disk0::
        /tftp://172.21.116.8/c12k-mpls.pie-3.2.85.3I
Request id 3 by cisco at Tue May 31 11:06:31 2005:
    1 package activated:
        disk0:c12k-mpls-3.2.85
    test - Failed - 'Install Manager' detected the 'fatal' condition 'Package compatibility check failed, incompatibilities detected.'
Request id 4 by cisco at Wed Jun 01 10:20:52 2005:
    1 pie added to disk0::
        /disk0:c12k-mini.pie-3.2.85.3I
Request id 5 by cisco at Wed Jun 01 11:02:24 2005:
    1 package activated:
        disk0:c12k-mini-3.2.85
    More information available via the command 'show install log 5'
Request id 6 by cisco at Wed Jun 01 11:26:32 2005:
    Committed loadpath changes
5 entries shown (max log size 50 entries)
Display Installation Entries
RP/0/RP0/CPU0:P1(admin)#show install log 2
Request id 2 by cisco at Tue Apr 05 21:16:16 2005:
    1 pie added to disk0::
        /tftp://10.0.0.100/hfr-mpls-p.pie-3.2.83.1i
Status Information Logs:
    Downloading PIE file from /tftp://10.0.0.100/hfr-mpls-p.pie-3.2.83.1i
    Downloaded the package to the router
    Verifying the package
    [OK]
    Verification of the package successful [OK]
    Going ahead to install the package...
    Add of '/tftp://10.0.0.100/hfr-mpls-p.pie-3.2.83.1i' completed.
    Add successful.
    The following package(s) and/or SMU(s) are now available to be activated:
    disk0:hfr-mpls-3.2.83
    Please carefully follow the instructions in the release notes when activating any software
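The install log records each phase of the add / activate / commit sequence, so it can be audited for activations that failed and for activated software that was never committed and therefore will not persist across an RP reload. The parser below is an added example, not Cisco code and not part of the original deck; the function names are assumptions, and the sample repeats the slide's log entries in an assumed one-field-per-line layout.

```python
import re

# Constructed sample: the entries of the 'show install log' slide; the exact
# line layout of the router output is an assumption.
SAMPLE_LOG = """\
Request id 1 by cisco at Tue May 31 10:41:12 2005:
    1 pie added to disk0::
        /tftp://172.21.116.8/c12k-mcast.pie-3.2.85.3I
Request id 2 by cisco at Tue May 31 11:02:51 2005:
    1 pie added to disk0::
        /tftp://172.21.116.8/c12k-mpls.pie-3.2.85.3I
Request id 3 by cisco at Tue May 31 11:06:31 2005:
    1 package activated:
        disk0:c12k-mpls-3.2.85
    test - Failed - 'Install Manager' detected the 'fatal' condition 'Package compatibility check failed, incompatibilities detected.'
Request id 4 by cisco at Wed Jun 01 10:20:52 2005:
    1 pie added to disk0::
        /disk0:c12k-mini.pie-3.2.85.3I
Request id 5 by cisco at Wed Jun 01 11:02:24 2005:
    1 package activated:
        disk0:c12k-mini-3.2.85
    More information available via the command 'show install log 5'
Request id 6 by cisco at Wed Jun 01 11:26:32 2005:
    Committed loadpath changes
5 entries shown (max log size 50 entries)
"""

HEADER = re.compile(r"^Request id (\d+) by (\S+) at (.+):\s*$")
PACKAGE = re.compile(r"^(disk\d+:[\w.\-]+)$")   # a bare package name line


def parse_requests(log_text):
    """Split the log into requests and classify each one."""
    requests = []
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            requests.append({"id": int(header.group(1)),
                             "user": header.group(2),
                             "when": header.group(3), "body": []})
        elif requests and line[:1].isspace() and line.strip():
            requests[-1]["body"].append(line.strip())   # indented detail line
    for req in requests:
        text = " ".join(req["body"])
        if "Committed loadpath changes" in text:
            req["kind"] = "commit"
        elif re.search(r"packages? activated", text):
            req["kind"] = "activate"
        elif re.search(r"pies? added", text):
            req["kind"] = "add"
        else:
            req["kind"] = "other"
        req["failed"] = "Failed" in text
        req["packages"] = [m.group(1)
                           for m in map(PACKAGE.match, req["body"]) if m]
    return requests


def audit(log_text):
    """Report failed activations and activations not followed by a commit."""
    failed, pending = [], []
    for req in parse_requests(log_text):
        if req["kind"] == "activate":
            if req["failed"]:
                failed.append((req["id"], req["user"], req["packages"]))
            else:
                pending.extend(req["packages"])
        elif req["kind"] == "commit" and not req["failed"]:
            pending.clear()      # a commit locks in everything activated so far
    return {"failed_activations": failed, "uncommitted": pending}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```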
Installation Notes
• On CRS-1, LC software is stored on LCs (MSCs)
• On 12000, LC image must be loaded over fabric
• Option to Install multiple packages at once
    install add tftp://1.1.1.1/A tftp://1.1.1.1/B tftp://1.1.1.1/C
• Option to add and activate at same time
    install add tftp://1.1.1.1/A activate
• System does sanity checking, can be overridden
• Clock must be set correctly
Package Installation Process Summary
• admin CLI mode required
• install add from tftp/ftp/disk to disk0:
• install activate to trigger the actual upgrade
    Will trigger any process/LC/RP resets that are needed
• install commit to lock in upgrade
Q and A