Cisco IOS XR – Complete Getting Started Examples Guide, Part1/2

ASR9000_IconEver wanted quick reference for IOS XR in basic security, configuration committing, RIP, OSPF, EIGRP, IS-IS, IPv6 and comparisons with classic IOS? It’s right here fore you. There is not much to learn about IOS XR from a network theory point of view. It is just another command line on a router, but as many people are getting afraid of touching this new beast, I have decided to do myself a reference point on all the basics of the IOS XR. This article is supposed to be summary of some CCNA level configurations on IOS XR. For creating and verifying this article, I have used ASR9000 that I managed to get access to via Cisco partner learning program.

NOTE:  This article expects you have some grasp of the original IOS configuration and this article will go through the IOS similarities and differences. I will not explain all details of network theories behind protocols or IPv4/IPv6 routing. But some basic summary will be given if you need to remember things like IS-IS.

IOS vs. IOS XE vs. IOS XR ?

OK, I know now I have maybe killed some of you with confusion that there are actually three difference types. The point here is evolution. IOS XE is evolution of the original IOS and has nearly exactly the same syntax as original IOS. IOS XE was build to provide better high availability and rapid feature delivery utilizing the existing worldwide knowledge of the IOS Command Line Interface (CLI). In summary the IOS XE is an improved version of IOS internally, but doesn’t mean much for basic configuration.

IOS XR however is completely build from scratch on a micro-kernel architecture, memory-protected and preemptive multitasking. IOS XR have advantages over the original IOS and IOS XE in:

  • Improved high-availability – largely through support for hardware redundancy and fault containment methods such as protected memory space. Also processes are self-restartable.
  • Better Scalability – for large hardware configurations a distributed software infrastructure and two-stage forwarding architecture is available
  • Package-based software distribution model – this allow for installing/removing router features like multicast/MPLS to be added while router is running and with no downtime. Also patches can be installed without outage (potentially).
  • Also web-based GUI for system management (support for XML configuration automation)

What router is running what IOS?

  • IOS – Cisco ISR Series Routers (800,1900,2900,3900 series), Cisco 7200 and 7600 Series and all legacy routers and Catalysts 6500
  • IOS XE – ASR 1000 Series and Catalyst 4500E Series Switches
  • IOS XR – Cisco CRS-1 and CRS-3, Cisco ASR9000 and Cisco XR12000

IOS XR Command Line Access and Configuration Principles

Along with the basic access to physical console and auxiliary port, IOS XR comes with dedicated physical management interfaces. On ASR9000 these are :

If you want IP management access to the router, you need to configure these interfaces with IPs from the management subnet. Either physical or virtual IPs supported.

Additionally, the IOS XR prompt on ASR9000 has the following structure of the prompt:

RP/0/RSP0/CPU0:PE1#

  • RP – route processor
  • 0 – for single rack chassis
  • RSP0 – Route Switch Processor (either RSP0 or RSP1)
  • CPU0 – should always be the same on ASR9000
  • PE1 – the router hostname

Login and access privileges

In the initial IOS XR configuration an “root-system user” username and password is created. This user is the only capable of creating other users in the IOS XR system. You can think of this one as “root” on linux.

Furthermore the IOS XR has a build-in concept of users and task groups. The concept of user group, task group and inheritance is important of understanding permissions.

In the following diagram, I hope to give you the idea of configuration in a task group and configuration as root-system users or Admin.

Login_EXEC_Admin_EXEC

Based on the command line, you are able to identify where you are in the IOS XR command prompt.

EXEC

Global config

Interface and subinterface mode

Protocol and submode config

Admin

Admin config

TIP: You do not have to always go to admin mode to get admin commands output. You can do “admin <XY>” command also in EXEC mode to get a command that is available in admin mode only. For example some command have different outputs depending where you are like “show platform“, if you want admin version of this command, you can use “admin show platform“.

Configuration Editing and Committing on IOS XR

Lets start bluntly, there is no concept of startup-config and running-config on IOS XR. The new way to do things is via a two-step configuration method.

In the first stage you make a collection of changes to the current configuration. You can check you changes for corrections in the system. Personally this is the same as many of us doing changes in a notepad or other txt editor before going to the router to apply it. This is a bit the same thing except directly supported by the IOS XR.

In the second stage, you can commit the configuration to the target configuration. “Commit” is all or nothing acceptance of your changes. If even one of your prepared commands is not correct, the whole configuration changes will not be applied. You can see your configuration changes with “show config“.

There are some other methods of applying the commit command to the router, as I do not want to go to details a quick look to the “commit ?” should be enough.

TIP: To erase current startup configuration you can use “commit replace” with empty configuration changes.

TIP: To load or save configuration from or to a file, use the load or save commands.

Basic committing commands summary:

  • show config – Show uncommitted configuration
  • show config merge – Show future configuration expected after commit
  • show config changes – Show future configuration if “commit replace” used
  • commit best-effort – Commit all configuration that can be committed (this will negate the “all or nothing” logic).
  • commit confirmed seconds – Commit for the duration of the times (unless committed before timer elapses)
  • commit label – commits and adds a description of the changes to the history
  • commit comment – adds a comment to the committed history entry
  • show configuration failed – If your committed changes generate and error and revert back, you can see what went wrong in this output.

Configuration Management and Commits History

Whenever a commit change is applied the configuration both old and new is maintained in the configuration history. This is great because if there are troubles, you can revert back X number of commits.  Each commit is given a unique ID known as commitID to what you can rollback to.

To see the configuration history on IOS XR, issue the “show configuration history as on example below.

You can then rollback using the “rollback configuration” either using relative movement with “rollback configuration last 2” or to a exact commit number with “rollback configuration to 4“. The system automatically checks for feature incompatibility so if you want to revert back to a configuration that has commands not supported by current IOS XR package, you get an error and the operation will fail.

Exclusive Configuration Sessions

Some of you might have now get the idea and realize that there is a potential for two users collisions when two users start to edit the configuration changes. To avoid configuration collisions on the configuration, you can enter configuration not with the normal “configure [terminal]” but instead with the “configure exclusive” command you entered an exclusive mode and you locked out all other users from entering any configuration at all.

If someone else has entered this mode and is preventing you from doing changes, you can find out who is currently holding the exclusive session by using “show configuration lock” and show configuration sessions.

NOTE: Entering configuration mode is possible while someone else is having an exclusive session, but until the exclusive lock is released nobody else can commit their changes.

Basic IOS XR routing protocol configuration examples

Please note that the IOS XR by default uses the Virtual Routing and Forwarding (VRF) and as such these basic examples apply to the default VRF in which all routing is by default.

1. Static Routes Configuration

Interesting to note here is that in IOS XR also static routes are behind the router subsection called “router static”. The following example will configure a static route to the 10.1.10.0/24 network with 192.168.101.11 as next hop. The topology to which I will be adding the static routes looks like this:

Basic topology with ASR9000 and IOS router for STATIC ROUTES

Basic topology with ASR9000 and IOS router for STATIC ROUTES

 

Configuration of the static routes on the ASR9000 is as follows for exact static route.

This is for default route example which is the same as static route using 0.0.0.0/0 as destination.

As with any routing, you can have a look if your routes are working by looking at the routing table with show route.

2. RIPv2 (IPv4) configuration on IOS and IOS XR

In the following example we start the basic RIPv2 (IPv4) on two interfaces of IOS XR router and IOS router configured with the well known RIPv2 configuration. The following picture shows the topology I will be using and the IOS router neighbor RIPv2 configuration.

Basic topology with ASR9000 and IOS router for RIPv2 routing

Basic topology with ASR9000 and IOS router for RIPv2 routing

The following configuration can be applied to the ASR9000 router to enable RIPv2 on the two interfaces and start receiving and announcing routes.

NOTE: On IOS XR the RIP “version 2” is enabled by default.

Verification of RIP working on IOS XR is simple and we just will look if we are getting the 10.1.10.0/24 network from the IOS Router neighbor.

Also on the other side you can verify that the IOS Router is getting the 10.1.1.0/24 route from the IOS XR Router.

To see the RIPv2 basic configuration including timers, you can enter the show rip command.

To also see interfaces associated with interfacesshow protocols rip default-context

3. EIGRP on IOS XR

Lets recreate the scenario from the RIPv2, this time we configure the IOS router with EIGRP with Autonomous System number 100. And we move to configure the IOS XR with EIGRP in the default ipv4 address family with the following configuration syntax:

The whole topology and configuration should look like this.

Basic topology with ASR9000 and IOS router for EIGRP routing

Basic topology with ASR9000 and IOS router for EIGRP routing

On the Cisco IOS XR router you need to manually enable adjactancy neighbour logs in console to see the neighbor IOS router comming up in EIGRP, to do this you can use the following configuration using the “log-neighbor-changes”.

You will see this output on the Cisco IOS XR router when EIGRP adjacency comes up:

The Cisco IOS and IOS XE show ip route eigrp and Cisco IOS XR show route eigrp
commands display the current EIGRP entries in the routing table.

Auto-Summarization

Older IOS routers had auto-summarization enabled by default (before 12.2(33)). New IOS version have it disabled by default. This is also disabled by default on all IOS XR.

To enable auto-summarization, you can go under the address-family and issue “auto-summary” command.

Verification if auto-summary is enabled or disabled can be gained from the show protocols eigrp. Example below.

IPv6 support in EIGRP

EIGRP is a modular protocol that can support multiple different routed protocols including IPv6. Configuration is straight forward, these commands will be done on our IOS XR to configure EIGRP to support IPv6.

Final configuration including the IOS neighbor can be seen on the picture below.

Basic topology with ASR9000 and IOS router forEIGRP IPv6 routing

Basic topology with ASR9000 and IOS router forEIGRP IPv6 routing

Verification can be done quickly with the following commands:

EIGRP Equal and Unequal Cost Load-Balancing

As we all know from our CCNA courses, EIGRP does equal cost load-balancing along by default 4 paths that are valid.

On IOS XR you can get up to 32 maximum paths load-balancing done with the maximum-path parameters under EIGRP. Example:

EIGRP also support unequal load-balancing thanks to the advanced metric that can avoid loops thanks to the feasible backup condition (Advertised Distance < Feasible Distance). To activate this feature, use the variance modification. Configuration:

NOTE: Variance is a value from 1 to 128 (default is 1) that is a multiplier of the best path metric to select unequal paths. To select another route with worse metric as a unequal load-balance candidate, its feasible metric have to be lower than the best route multiplied with the variance. Also in addition, the Feasibility condition have to be met (the Advertized Distance of the route candidate have to be lower than the current best route Feasible Distance).

For example we have a primary route with FD = 500 and AD = 300. And we have two other routes to the same destination. Route 1 with FD = 600 and AD = 400 and Route 2 with FD = 550 and AD = 520.

We change multiplier variance to 2. So the candidates for unequal load-balancing have to have cost less than FD=500*2 = 1000.  Both Route 1 and Route 2 are valid in this perspective. However, only Route 1 is selected as it also is valid for the feasibility condition. Route 2 is invalid for load-balancing because Route 2 AD = 520 is higher than best route FD = 500. This protects from loops in the load-balancing.

EIGRP IOS XR Authentication

For both IPv4 configuration and IPv6 configuration, create first a key change with keys:

Then you can apply the authentication with keychain to either IPv4:

Or to IPv6 address family

NOTE: Because Cisco IOS XR supports only MD5 authentication, there is no need to define authentication mode.

4. OSPF and OSPFv3 on IOS XR configuration example

First of all I would like to point to excellent Cisco OSPF on IOS XR documentation that can be found here. So for anything you do not find here, go to that link.

As this article is not intended to explain everything in regards to OSPF, but some super quick IOS XR logic with OSPF will be presented and will be followed immediately with IPv4 OSPF example configuration for IOS XR and IPv6 OSPF example.

First, on IOS XR, both OSPFv2 (IPv4) and OSPFv3 (IPv6) are implemented. OSPFv2 uses 224.0.0.5 for multicast hello packets and OSPFv3 uses FF02::5 for hello packets. Both versions use 32bit router ID (on cisco represented in IPv4 format for better readability – also in IPv6 environment).

NOTE: In IPv6 environment you have to manually enter “router ID as x.x.x.x”  to have router ID created if no IPv4 interfaces exist on the router.

Adding interfaces to OSPF in IOS, IOS XE and IOS XD comparison

  • Cisco IOS XR : Specify interface under router configuration mode
  • IOS and IOS XE (IPv4 only) : Specify network under router configuration mode
  • IOS and IOS XE : Specify OSPF process under interface configuration mode

Configuration example of IOS XR with IPv4 network

Basic topology with ASR9000 and IOS router for OSPFv2 routing

Basic topology with ASR9000 and IOS router for OSPFv2 routing

Explanation, is that on IOS router with IPv4, you go the usual way by defining the networks and area with the “network” command. This command specifies both networks and interfaces to be used by the ospf process.

On IOS XR, the configuration is used in a more “topological” way. On IOS XR, you define directly the interfaces that should work with OSPFv2.

NOTE: On IOS XR, the neighbors states are not logged as you are maybe used to on IOS, to activate this use the “log adjacency changes detail enable” command.

Configuration example of IOS XR with IPv6 network

Basic IPv6 topology with ASR9000 and IOS router for OSPFv3 routing

Basic IPv6 topology with ASR9000 and IOS router for OSPFv3 routing

Again explanation is that on IOS, the IPv6 routing protocols are configured directly under interfaces (with common configuration under “ipv6 router ospf 1”. Please note that if you have completely IPv6 environment, ergo no interface has IPv4 address, then you need to manually configure the router-id.

On IOS XR, this is nice that the configuration is extremely identical except that you must use the “ospfv3” keyword.

Verification on IOS XR

You can do “show protocols” on IOS XR as an alternative for IOS “show ip protocols“.

If you want to check if your OSPF have found any neighbors already, have a look to “show ospf neighbors” for IPv4 OSPFv2 or “show ospfv3 neighbors” for IPv6 OSPFv3 neighbors.

The same logic applies to verification of routing tables, you can use “show route” for IPv4 routing and “show route ipv6” for IPv6 routing.

OSPF equal cost load-balancing

On IOS you know that OSFP manages by default equal cost load-balancing of maximum 4 paths by defaut, and by 8 is the configurable limit. On IOS XR, the load-balancing maximum is 32 paths, but depending on the platform, it can be reduced:

ASR9000 has by defaut 8, while maximum configuratble is also 8
ASR12000 has by default 16 and maximum configurable is also 16
CSR-1 has by default 32 and maximum configurable is also 32

OSPFv2 and OSPFv3 Authentication on IOS XR and IOS

There is a big difference between OSPFv2 (IPv4) version and OSPFv3 (IPv6) version by nature. OSPFv2 uses plaintext or MD5 has that is internally calculated and added for every OSPF packet and checked internally in OSPF process.

On IOS XR, the OSPFv2 security can be configured in different places. It can be configured under routing process, under area configuration or under interface. The lowest configuration is used in the hierarchy process->area->interface. If lower configuration doesn’t exist, it inherits configuration from above.

Example:

On IOS, the configuration of OSPFv2 was done either in area or interface configuration and the same hierarchy logic applied, however the key could only be configured under interface.

Example:

OSPFv3 relies on IPv6 native security via IP Security (IPSec). For this you need the key, but also something called SPI (Security Parameter Index). SPI is something like a port number for IPSec packets because in IPSec, the AH or ESP header goes directly behind IPv6 header and TCP/UDP ports are not known. When you specify SPI you are telling your router what SPI packets to check for OSPF, otherwise it would have to check all IPSec packets he gets.

On IOS XR the OSPFv3 authentication and encryption can be configured at the same levels as OSPFv2.

Example:

On IOS the authentication of OSPFv3 can be only configured under area configuration.

Example:

5. IS-IS Basics on IOS XR

Intermediate System to Intermediate Systems (IS-IS) is a great protocol, my favorite actually. In summary to its theory, it is a link-state protocol (like OSPF) and it uses dijkstra for path calculation. What is interesting about it is that in runs over a stand-alone routed protocol with its own addressing called Connectionless Network Service (CLNS). So you will not see packets of this protocol use any form of IPv4/IPv6. It has its own.This makes this protocols easily extendable and now supports both IPv4 and IPv6 easily.

Also from architecture point of view, it also uses two layers called Level 1 and Level 2. Level 2 is something like a distributed backbone and Layer 1 is like an area in OSPF, it hosts all other non-core subnets. This concept then also moves to routers position withing the hierarchy, unlike OSPF where borders where place on routers (one interface in area x and another in area y), in IS-IS the borders are on links.

This creates for us routers that can be designated based on their position in the Level1-Level2 hierarchy as follows:

  • Level 1 routers learn about paths withing the area that they connect to (that is intra-area)
  • Level 2 routers are routes propagating paths between areas (that is, interarea)
  • Level 1-2 routers that have paths both interarea and intraarea.

The following diagram should make you understand quickly the principles:

IS-IS Level1-Level2 architecture hierarchy

IS-IS Level1-Level2 architecture hierarchy

NOTE: As boundaries are on links, each IS-IS router belongs to exactly one area.

CLNS Addresses

Ok, I promised no theory but this piece is important. IS-IS requires the use of CLNS addressing to communicate between routers, therefore it is necessary to understand them a little. The most common format for CLNS addresses is called NSAP and is as follows:

  • First 2 bytes set to “49” -> identifies private addresses inside CLNS (like 10.0.0.0/8 in IPv4)
  • 4bytes considered Area ID -> you give numerical ID of the IS-IS area number here
  • 6 bytes considered System ID -> most often people put here the IPv4 address to have link to the IPv4 address of a router easily recognizable
  • NSEL (2bytes) -> this is CLNS integrated alternative to TCP/UDP ports. Normally “.00” means the system management plane and is called “NET address”

Example:

49.0001.1921.6800.1001.00

IS-IS Metric

There is absolutely no metric calculation for a link in IS-IS, every link is by default of metric “10”. If you want something else, you will configure it manually. This is actually very good for most ISP networks. By default the metric is 6bit value for interface metric and 10bit value for complete path metric (called narrow-style). Optionally you can switch to 24bit interface metric and 32bit path metric called (wide-style).

IS-IS Configuration example for IOS and IOS XR

Following the topology used in all examples, here is both IOS XR and IOS configuration for a very limited IS-IS functionality.

Basic topology with ASR9000 and IOS router for ISIS routing

Basic topology with ASR9000 and IOS router for ISIS routing

Explanation,

On both routers we entered “router isis 1” where “1” is the process designation. Configuration of CLNS NET addresses is done here, doesn’t have to occur on interfaces as CLNS addressing logic doesn’t address interfaces but whole nodes. On normal IOS router, ISIS is configured, assigned NET address, set to level2-only mode and metrics set to wide-style, also on IOS, the interfaces have to be explicitelly enabled for ISIS:

On IOS XR, the same configuration is shown, the only different is that on IOS XR, the concept of address-families was added, you will see the benefits when we move to IPv6 for this.

For verification, I would recoment show protocols isis , show isis neighbors and show route on IOS XR:

IS-IS Load Balancing

On IS-IS to load-balance, costs to destination via more paths have to be equal. Maximum paths are then limited based on platform and the same table as on OSPF applies here:

ASR9000 has by defaut 8, while maximum configuratble is also 8
ASR12000 has by default 16 and maximum configurable is also 16
CSR-1 has by default 32 and maximum configurable is also 32

To configure maximum-paths on IOS XR, you can use this example:

On IOS routers the example is a bit less complex:

IS-IS Authentication

IS-IS supports both plaintext and md5 authentication, as usual plaintext is to be avoided at all times. What is interesting is that in IS-IS, you can configure authentication of Hello packets separately toLSP packets.

Configuration examle of IOS router IS-IS authentication for both Hello packets and LSP packets authentication looks like this:

Configuration example of IOS XR IS-IS authentication looks much more simle as the interface level configurations were aggregated under the isis process.

Basic IOS XR router security, User Groups and Task Groups

This section is the most boring as we do not go to much details, simply put these well known IOS commands still work as expected, but do not forget to use commit.

Enable SSH access to the IOS XR router is also nothing new:

Task Groups and User Groups

Now comes the fun part. On IOS XR you can define:

  • User group – a group of users with similar level of authorization to a group of tasks
  • Task group  – Collection of tasks that are identified by unique task ID for each class of actions
  • Task IDs – Permission to perform a given task. This is grouped into a task group and assigned to a group of users.

By diagram, it can look something like this:

User to User Group to Task Group to Task ID hierarchy

User to User Group to Task Group to Task ID hierarchy

Configuration Example of Task Groups, Tasks and Users in User Groups

Lets start with what is predefined already in the IOS XR system. In a freshly booted IOS XR, these user groups already exist with predefined task groups assigned.

  • root-system – Displays and execute all commands for all RSPs in the system.
  • root-lr – Displays and execute all commands with a simple RSP.
  • netadmin – Configure network protocols as BGP and OSPF (used by network administrators)
  • sysadmin – Perform system administration tasks for the router, as maintaining core dumps and setting system core protocols as NTP.
  • operator – Can perform monitoring activities to the system (cannot modify config, cannot do extensive debugging).
  • cisco-support – Can deby and troubleshoot features (usually needed by Cisco TAC people).

You can add your new user to one of the existing groups, or create a specific group all youself. In the next example this will configure task group, user group and assign new user to a new user group to have modification powers over OSPF, ISIS and BGP.

Configuring AAA, RADIUS and TACACS+

Basic AAA configuration is nearly identical to the IOS flavor, therefore only example below from ASR9000 IOS XR config:

Configuring Syslog and SNMP logging

Again very identical to IOS as only as reference:

On IOS XR, you can also periodically store logs from logbuffer to files on flash: or harddrives: with feature called local archive. The example below creates weakly file storage for logs on harddrive.

SNMPv1 ans SNMPv2 are as easily configured as one line of configuration:

SNMPv3 is more complex as it incorporates usernames, groups ans TreeView limits. So I will omit this now for space conservation. IOS XR config guide on cisco.com has much more detail if you are interested in having secure SNMPv3.

Suspending, Resuming, and closing a Telnet sessions.

Again the usual as on IOS devices. If you are telneting from IOS XR to a remote destination and you want to return back to the IOS XR source box without terminating you telnet session, you can pres Ctrl+Shift+6 (or Ctrl+^) followed by “x“.

To resume a suspended session you can use “resume <number>” command. To cancel a connection in the background you can use “disconnect <number>“. To find out what is the number of all currently running/suspended sessions, you can issue show sessions.

Cisco Discovery Protocol on IOS XR

By default both on global and on interface level the CDP is DISABLED on IOS XR platforms. To enable CDP on IOS XR platforms, you have to enable CDP globaly with the cdp command and also enable cdp on any interface with cdp command as in the following example:

Verification can be as simple as showing cdp configuration (times, etc) with the show cdp command and displaying neighbors with show cdp neighbors command:

NetFlow IOS XR configuration

Netflow is a life-saviour sometimes as this is the only thing to allow you to see the traffic going over your IOS XR and IOS routers. Cisco IOS XR supports only NetFlow version 9 and up and basic configuration is as follows for external collector:

Summary

Well, I hope you liked this article, I definitely had a great time remembering all these things and learning a few about IOS XR. I tried to make this article as best structured as possible as it will be serving as a reference for me to search in from time to time. Next in the line is the mighty MPLS, BGP and some more features that needs to be mentioned for IOS XR, but for the extensive coverage of MPLS and BGP, I will leave that to separate another article as MPLS and BGP are big in scale.

PART 2/2 of this IOS XR Getting Started Examples Guide available here.

 

If you enjoyed this blog, please share.

About Peter Havrila

Author’s Profile