Secure Domain Routers on the Cisco ASR 9000 Series Router
Secure domain routers (SDRs) are a means of dividing a single physical system into multiple logically separated routers. Cisco ASR 9000 Series Routers are single-shelf routers that only support one SDR—the owner SDR.
Table 1 Feature History for Secure Domain Routers on Cisco IOS XR Software
Prerequisites for Working with Secure Domain Routers
The router must be running Cisco IOS XR software.
The root-system username and password must be assigned as part of the initial configuration.
For more information on booting a router and performing initial configuration, see Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide.
Required Cards for Each SDR
A route switch processor (RSP) pair must be installed for the SDR.
Task ID Requirements
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Maximum SDR Configurations
Only one owner SDR is supported. Non-owner SDRs are not supported.
Information About Configuring Secure Domain Routers
Cisco routers running Cisco IOS XR software can be partitioned into multiple, independent routers known as secure domain routers (SDRs). SDRs are a means of dividing a single physical system into multiple logically separated routers. SDRs perform routing functions the same as a physical router, but they share resources with the rest of the system. For example, the software, configurations, protocols, and routing tables assigned to an SDR belong to that SDR only, but other functions, such as chassis-control and switch fabric, are shared with the rest of the system.
Cisco ASR 9000 Series Routers are single-shelf routers that only support one SDR—the owner SDR.
Owner SDR and Administration Configuration Mode
The owner SDR is created at system startup and cannot be removed. This owner SDR performs system-wide functions, including (on platforms that support them) the creation of additional non-owner SDRs; on Cisco ASR 9000 Series Routers only the owner SDR exists. You cannot create the owner SDR because it always exists, nor can you completely remove the owner SDR because it is necessary to manage the router. By default, all nodes in the system belong to the owner SDR.
The owner SDR also provides access to the administration EXEC and administration configuration modes. Only users with root-system privileges can access the administration modes by logging in to the primary route switch processor (RSP) for the owner SDR (called the designated shelf controller, or DSC).
Administration modes are used to view and manage system-wide resources and logs.
Each SDR in a router has a separate AAA configuration that defines usernames, passwords, and associated privileges.
Only users with root-system privileges can access the administration EXEC and administration configuration modes.
Users with other access privileges can access features according to their assigned privileges for a specific SDR.
For more information about AAA policies, see the Configuring AAA Services on the Cisco ASR 9000 Series Router module of Cisco ASR 9000 Series Aggregation Services Router System Security Configuration Guide.
Users with root-system privileges have access to system-wide features and resources. The root-system user is created during the initial boot and configuration of the router.
The root-system user has the following privileges:
Access to administration EXEC and administration configuration commands.
Ability to create other users with similar or lower privileges.
Complete authority over the chassis.
Ability to install and activate software packages for the router.
Ability to view the following admin plane events (owner SDR logging system only):
Software installation operations and events.
System card boot operations, such as card booting notifications and errors, heartbeat-missed notifications, and card reloads.
Card alphanumeric display changes.
Environment monitoring events and alarms.
Fabric control events.
Upgrade progress information.
Users with root-lr privileges can log in to an SDR only and perform configuration tasks that are specific to that SDR. The root-lr group has the following privileges:
Ability to configure interfaces and protocols.
Ability to create other users with similar or lower privileges on the SDR.
Ability to view the resources assigned to their particular SDR.
The following restrictions apply to root-lr users:
Users with root-lr privileges cannot enter administration EXEC or configuration modes.
Users with root-lr privileges cannot add or remove nodes from an SDR.
Users with root-lr privileges cannot create root-system users.
The highest privilege a non-owner SDR user can have is root-lr.
Other SDR Users
Additional usernames and passwords can be created by the root-system or root-lr users to provide more restricted access to the configuration and management capabilities of the owner SDR.
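The task-ID requirement described under Task ID Requirements and the root-system/root-lr privilege split above come together in the AAA configuration of the owner SDR. The following is an added example, not taken from the Cisco guide: it creates a root-lr user for SDR-local administration and a restricted user whose user group maps to a custom task group that grants only read access to a few task IDs. The group names, usernames and passwords (`SDR-READONLY-TG`, `SDR-READONLY-UG`, `sdr-admin`, `ops-ro`, the `Placeholder-Pw-*` values) are placeholders chosen for this illustration; replace them before use.

```cisco
! Added example (not from the Cisco guide). Names and passwords are
! placeholders. Entered from EXEC mode on the owner SDR by a user who
! holds the aaa task ID (root-system or root-lr).
configure
!
! Custom task group: read access to three task IDs and nothing else.
! The task IDs a command needs are listed in its command reference entry.
taskgroup SDR-READONLY-TG
 description Read-only view of interfaces and IP services
 task read interface
 task read ip-services
 task read basic-services
!
! User group that inherits exactly that task group.
usergroup SDR-READONLY-UG
 taskgroup SDR-READONLY-TG
!
! root-lr user: full configuration authority inside this SDR, but no
! access to administration EXEC/configuration modes and no ability to
! create root-system users.
username sdr-admin
 group root-lr
 secret 0 Placeholder-Pw-1
!
! Restricted user: may only run commands whose task IDs the group grants
! (in practice, show commands for interfaces and IP services).
username ops-ro
 group SDR-READONLY-UG
 secret 0 Placeholder-Pw-2
!
commit
end
!
! Verification (EXEC mode): inspect the groups as committed, then log in
! as each user and check the task IDs that session actually holds.
show aaa taskgroup SDR-READONLY-TG
show aaa usergroup SDR-READONLY-UG
show user group
show user tasks
```

The check that matters from a least-privilege standpoint is `show user tasks` run as `ops-ro`: it should list only read permissions on the three task IDs, with no root-lr, root-system or aaa task, so the account cannot change configuration, create users, or reach the administration modes.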
Designated Shelf Controller (DSC)
In a router running Cisco IOS XR software, one RSP is assigned the role of DSC. The DSC provides system-wide administration and control capability, including access to the administration EXEC and administration configuration modes. For more information on DSCs, refer to Cisco ASR 9000 Series Aggregation Services Router Getting Started Guide.
Default Configuration of the Router
When a router is brought up, the nodes assigned to the router are activated with the default software package profile. In Cisco IOS XR software, the default software profile is defined by the last install operation.
To view the default software profile, use the show install active summary command in administration EXEC mode. Any new nodes that are configured to the router boot with the default software profile listed in the output of this command.
RP/0/RSP0/CPU0:router# show install active summary
Tue Jul 21 06:10:48.321 DST
For detailed instructions to add and activate software packages, see the Upgrading and Managing Cisco IOS XR Software module of the Cisco ASR 9000 Series Aggregation Services Router System Management Configuration Guide. See also the Software Package Management Commands on Cisco IOS XR Software module of the Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference.
Cisco IOS XR Software Package Management
Software packages are added to the DSC of the system from administration EXEC mode. Once added, a package can be activated for the system. For detailed instructions regarding software package management, see the Upgrading and Managing Cisco IOS XR Software module of Cisco ASR 9000 Series Aggregation Services Router System Management Configuration Guide. See also the Software Package Management Commands on the Cisco ASR 9000 Series Router module of Cisco ASR 9000 Series Aggregation Services Router System Management Command Reference.
To access install commands, you must be a member of the root-system user group with access to the administration EXEC mode.
Most show install commands can be used in the EXEC mode of an SDR to view the details of the active packages for that SDR.
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.