System Setup and Software Installation Guide for Cisco NCS 5000 Series Routers, IOS XR Release 7.7.x


First Published: 2022-07-01

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (1721R)
© 2022 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 New and Changed Feature Information
    New and Changed System Setup Features

CHAPTER 2 Cisco NCS 5000 Series Product Overview
    Cisco NCS 5000 Series Product Overview
    Command Modes

CHAPTER 3 Bring-up the Router
    Boot the Router
    Setup Root User Credentials
    Access the System Admin Console
    Configure the Management Port
    Perform Clock Synchronization with NTP Server

CHAPTER 4 Perform Preliminary Checks
    Verify Software Version
    Verify Status of Hardware Modules
    Verify Firmware Version
    Verify Interface Status

CHAPTER 5 Create User Profiles and Assign Privileges
    Create User Groups
    Configure User Groups in XR VM
    Create a User Group in System Admin VM
    Create Users
    Create a User Profile in XR VM
    Create a User Profile in System Admin VM
    Create Command Rules
    Create Data Rules
    Change Disaster-recovery Username and Password
    Recover Password using PXE Boot

CHAPTER 6 Perform System Upgrade and Install Feature Packages
    Upgrading the System
    View Supported Software Upgrade or Downgrade Versions
    Upgrading Features
    Install Packages
    Install Prepared Packages
    Uninstall Packages

CHAPTER 7 Manage Automatic Dependency
    Update RPMs and SMUs
    Upgrade Base Software Version
    Downgrade an RPM

CHAPTER 8 Customize Installation using Golden ISO
    Limitations
    Customize Installation using Golden ISO
    Limitations
    Golden ISO Workflow
    Build Golden ISO
    Build Golden ISO Using Script
    Install Golden ISO

CHAPTER 9 Disaster Recovery
    Boot using USB Drive
    Create a Bootable USB Drive Using Compressed Boot File
    Boot the Router Using USB
    Boot the Router Using iPXE
    Zero Touch Provisioning
    Setup DHCP Server
    Invoke ZTP
    Invoke ZTP Manually
    Additional Commands for Manually Invoking ZTP
    Boot the Router Using iPXE
    Disaster Recovery Using Manual iPXE Boot

CHAPTER 1
New and Changed Feature Information
This table summarizes the new and changed feature information for the System Setup and Software Installation
Guide for Cisco NCS 5000 Series Routers.
• New and Changed System Setup Features

New and Changed System Setup Features

Feature    Description    Changed in Release
-------    -----------    ------------------
None       None           None

CHAPTER 2
Cisco NCS 5000 Series Product Overview
• Cisco NCS 5000 Series Product Overview
• Command Modes

Cisco NCS 5000 Series Product Overview

Cisco NCS 5001 Overview
Cisco NCS 5001 is a dense 10/100 Gigabit Ethernet router in a 1 RU form factor. It is designed for service
provider access and aggregation networks. The Cisco NCS 5001 runs the industry-leading Cisco IOS XR
Software operating system, with robust features and functions such as application hosting, machine-to-machine
interface, telemetry, and flexible package delivery.
NCS 5001 contains the following ports:
• 40 x 10G SFP+ Ports:
    • 16 x Regular 10G SFP+ Ports
    • 24 x DWDM & ZR Capable 10G SFP+ Ports
• 4 x 100G QSFP28 Ports

Features
The Cisco NCS 5001 router has the following features:
• 10Gbps bandwidth for each of the 40 fixed SFP+ ports
• Four QSFP ports capable of providing 100Gbps bandwidth
• Two 1+1 redundant, hot-swappable power supplies, which provide port side intake or exhaust for cooling
• Two N+1 redundant, hot-swappable fan modules, which provide port side intake or exhaust for cooling
• A management console and USB interface on the fan side of the router

Cisco NCS 5002 Overview
Cisco NCS 5002 is a dense 10/100 Gigabit Ethernet router in a 2 RU form factor. It is designed for service
provider access and aggregation networks. The Cisco NCS 5002 runs the industry-leading Cisco IOS XR
Software operating system, with robust features and functions such as application hosting, machine-to-machine
interface, telemetry, and flexible package delivery.
NCS 5002 contains the following ports:
• 80 x 10G SFP+ Ports:
    • 40 x Regular 10G SFP+ Ports
    • 40 x DWDM & ZR Capable 10G SFP+ Ports
• 4 x 100G QSFP28 Ports

Features
The Cisco NCS 5002 router has the following features:
• 10Gbps bandwidth for each of the 80 fixed SFP+ ports
• Four QSFP ports capable of providing 100Gbps bandwidth
• Two 1+1 redundant, hot-swappable power supplies, which provide port side intake or exhaust for cooling
• Two N+1 redundant, hot-swappable fan modules, which provide port side intake or exhaust for cooling
• A management console and USB interface on the fan side of the router

Command Modes
The router runs on virtualized Cisco IOS XR software. Therefore, the CLI commands must be executed on
virtual machines, namely the XR LXC and the System Admin LXC.
The command modes are applicable for the Cisco NCS 5000 Series Routers. This table lists the command modes for the
LXCs.

Command Mode                        Description
----------------------------------  ------------------------------------------------------------
XR EXEC mode                        Run commands on the XR LXC to display the operational state
(XR LXC execution mode)             of the router.
                                    Example:
                                    RP/0/RP0/CPU0:router#

XR Config mode                      Perform security, routing, and other XR feature
(XR LXC configuration mode)         configurations on the XR LXC.
                                    Example:
                                    RP/0/RP0/CPU0:router#configure
                                    RP/0/RP0/CPU0:router(config)#

System Admin EXEC mode              Run commands on the System Admin LXC to display and monitor
(System Admin LXC execution mode)   the operational state of the router hardware. The chassis or
                                    individual hardware modules can be reloaded from this mode.
                                    Example:
                                    RP/0/RP0/CPU0:router#admin
                                    sysadmin-vm:0_RP0#

System Admin Config mode            Run configuration commands on the System Admin LXC to manage
(System Admin LXC configuration     and operate the hardware modules of the entire chassis.
mode)                               Example:
                                    RP/0/RP0/CPU0:router#admin
                                    sysadmin-vm:0_RP0#config
                                    sysadmin-vm:0_RP0(config)#

CHAPTER 3
Bring-up the Router
After installing the hardware, boot the router. Connect to the XR console port and power on the router. The
router completes the boot process using the pre-installed operating system (OS) image. If no image is available
within the router, the router can be booted using PXE boot or an external bootable USB drive.
After booting is complete, create the root username and password, and then use it to log on to the XR console
and get the router prompt. The first user created in XR console is synchronized to the System Admin console.
From the XR console, access the System Admin console to configure system administration settings.
• Boot the Router
• Setup Root User Credentials
• Access the System Admin Console
• Configure the Management Port
• Perform Clock Synchronization with NTP Server

Boot the Router

Use the console port on the Route Processor (RP) to connect to a new router. The console port connects to the
XR console by default. If necessary, subsequent connections can be established through the management port,
after it is configured.

Step 1 Connect a terminal to the console port of the RP.

Step 2 Start the terminal emulation program on your workstation.
• For modular chassis RP, the console settings are baud rate 9600 bps, no parity, 1 stop bit, and 8 data bits.
• For fixed chassis, the console settings are baud rate 115200 bps, no parity, 1 stop bit, and 8 data bits.

The baud rate is set by default and cannot be changed.

For NCS5001 and 5002 systems, the baud rate is 115200 bps, no parity, 2 stop bits and 8 data bits. For NCS5011 system,
the console settings are baud rate 9600 bps, no parity, 2 stop bits and 8 data bits.

Step 3 Power on the router.
Connect the power cord to the Power Entry Module (PEM) and the router boots up. The boot process details are displayed
on the console screen of the terminal emulation program.

Step 4 Press Enter.
The boot process is complete when the system prompts you to enter the root-system username. If the prompt does not appear,
wait for a while to give the router more time to complete the initial boot procedure, then press Enter.
Important If the boot process fails, it may be because the preinstalled image on the router is corrupt. In this case, the
router can be booted using an external bootable USB drive.

Note We recommend that you check the md5sum of the image after copying it from the source location to the server
from which the router boots with the new version. If an md5sum mismatch is observed, you can
remove the corrupted file and ensure that a working copy of the image file is available before setup begins.
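
The check recommended in the note above, as an added Python example (not part of the Cisco guide): it reads the source digest from a line of md5sum output, hashes the copy on the boot server in chunks, and deletes the copy on a mismatch. File names and contents are constructed stand-ins; MD5 here catches copy corruption only and is not a tamper check.

```python
import hashlib
import hmac
import os
import re
import tempfile


def parse_md5sum_line(line):
    """Split one line of `md5sum` output into (hex_digest, filename)."""
    # Format: 32 hex digits, a space, then ' ' (text) or '*' (binary), then the name.
    m = re.fullmatch(r"([0-9a-fA-F]{32}) [ *](.+)", line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an md5sum line: {line!r}")
    return m.group(1).lower(), m.group(2)


def md5_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a multi-gigabyte image is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_copied_image(copy_path, source_md5, remove_on_mismatch=True):
    """Return True if the copy matches the source digest.

    On a mismatch the copy is deleted (by default) so that a corrupt image
    is never left in the location the router boots from, and False is returned.
    """
    matches = hmac.compare_digest(md5_of(copy_path), source_md5.strip().lower())
    if not matches and remove_on_mismatch:
        os.remove(copy_path)
    return matches


if __name__ == "__main__":
    # Constructed stand-in for an image and for the md5sum line taken at the source.
    payload = b"constructed stand-in for an image file\n" * 4096
    source_line = hashlib.md5(payload).hexdigest() + "  image.iso"
    expected, name = parse_md5sum_line(source_line)

    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good-" + name)
        truncated = os.path.join(tmp, "truncated-" + name)
        with open(good, "wb") as fh:
            fh.write(payload)
        with open(truncated, "wb") as fh:
            fh.write(payload[:-100])  # simulate an interrupted copy

        for path in (good, truncated):
            ok = verify_copied_image(path, expected)
            state = "kept" if os.path.exists(path) else "removed"
            print(f"{os.path.basename(path)}: match={ok}, file {state}")
```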

What to do next
Specify the root username and password.

Setup Root User Credentials

When you boot the router for the first time, the system prompts you to configure root credentials (username
and password). These credentials are configured as the root user on the XR (root-lr) console, the System
Admin VM (root-system), and as disaster-recovery credentials.

Before you begin
The boot process must be complete.

Step 1 Enter root-system username: username
Enter the username of the root user. The character limit is 1023. In this example, the name of the root user is "root".
Important The specified username is mapped to the "root-lr" group on the XR console. It is also mapped as the
"root-system" user on the System Admin console.

When starting the router for the first time, or after a reimage, the router does not have any user configuration. In such
cases, the router prompts you to specify the "root-system username". However, if the router has been configured previously,
the router prompts you to enter the "username", as described in Step 4.

Step 2 Enter secret: password
Enter the password for the root user. The character range of the password is from 6 through 253 characters. The password
that you type is not displayed on the CLI for security reasons.
The root username and password must be safeguarded because this account has superuser privileges. It is used to access
the complete router configuration.

Step 3 Enter secret again: password
Reenter the password for the root user. The password is not accepted if it does not match the password that is entered in
the previous step. The password that you type is not displayed on the CLI for security reasons.

Step 4 Username: username
Enter the root-system username to log in to the XR VM console.

Step 5 Password: password
Enter the password of the root user. The correct password displays the router prompt. You are now logged into the XR
VM console.

Step 6 (Optional) show run username
Displays user details.

username root
 group root-lr
 group cisco-support
 secret 5 $1$NBg7$fHs1inKPZVvzqxMv775UE/
!
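
An added example (not part of the Cisco guide): an offline audit of saved show run username output that lists each account's groups and flags secrets stored as type 5, the salted-MD5 `$1$` format seen in the output above, ranking accounts in the root-lr or cisco-support groups highest. All usernames and hashes in the sample are constructed placeholders, and treating those two groups as the privileged set is an assumption of this example.

```python
# Groups shown on the root user in the guide's output; treated here as privileged
# (assumption of this example).
PRIVILEGED_GROUPS = {"root-lr", "cisco-support"}

# Constructed sample in the layout of `show run username`; the names and hashes
# are placeholders, not real credentials.
SAMPLE = """\
username root
 group root-lr
 group cisco-support
 secret 5 $1$SALT$CONSTRUCTEDMD5CRYPTHASH
!
username netops
 group netadmin
 secret 10 $6$SALT$CONSTRUCTEDSHA512CRYPTHASH
!
username legacy
 group operator
 secret 5 $1$SALT$ANOTHERCONSTRUCTEDHASH
!
"""


def parse_usernames(config):
    """Return one dict per `username ... !` block in the saved output."""
    users, current = [], None
    for raw in config.splitlines():
        parts = raw.split()  # tolerates indented and flattened output alike
        if not parts:
            continue
        if parts[0] == "username" and len(parts) == 2:
            current = {"name": parts[1], "groups": [],
                       "secret_type": None, "secret": None}
            users.append(current)
        elif parts[0] == "!":
            current = None  # end of the block
        elif current is None:
            continue  # line outside any username block
        elif parts[0] == "group" and len(parts) == 2:
            current["groups"].append(parts[1])
        elif parts[0] == "secret" and len(parts) == 3:
            current["secret_type"], current["secret"] = parts[1], parts[2]
    return users


def audit_secrets(users):
    """Return (name, severity, privileged_groups) for every MD5-crypt secret."""
    findings = []
    for user in users:
        is_md5 = (user["secret_type"] == "5"
                  or (user["secret"] or "").startswith("$1$"))
        if not is_md5:
            continue
        privileged = sorted(PRIVILEGED_GROUPS.intersection(user["groups"]))
        # An MD5-crypt hash on a privileged account is the first one to re-key.
        severity = "high" if privileged else "medium"
        findings.append((user["name"], severity, privileged))
    return findings


if __name__ == "__main__":
    for name, severity, groups in audit_secrets(parse_usernames(SAMPLE)):
        detail = ", ".join(groups) if groups else "no privileged group"
        print(f"[{severity}] {name}: type 5 (MD5) secret; {detail}")
```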

Note The NCS 5000 series routers running IOS XR 64-bit OS can operate as a standalone device, a ZTP-controlled
device, or an nV satellite.
When the router ships from the factory, the mode in which the router must operate is not predefined. Therefore,
after rack mounting and power-up, the software scans for a few usage-based events before deciding
the mode of operation. There is a time window while the software is making this decision. During this
window, a router that is intended to operate in standalone or ZTP mode could be compromised and fall
into the nV satellite mode, which opens up privileged control of the router to a hostile external entity.
To gain control, the external entity must have access to the same network as the autoplay ports (highest 10G and lowest
100G ports). Once compromised, the router could become inaccessible to legitimate
users, but it can be recovered by physically disconnecting it from the network and resetting it to factory defaults.
For deployments within insecure or public networks, it is recommended to explicitly change the operating
mode of the NCS 5000 series router to the standalone mode using the set sdac system-mode standalone command
in EXEC mode. This is a one-time staging step for the first boot after unboxing, or after a factory reset
of the router, before it is connected to an insecure network. This is especially important if the links connecting to the router
on the lowest 100G and the highest 10G ports are not known to be secure.
If you want to change the standalone mode to the satellite mode, use the set sdac system-mode satellite
command in EXEC mode, and reload the router.

What to do next
• Configure routing functions from the XR console.
• Configure system administration settings from the System Admin prompt. The System Admin prompt
is displayed on accessing the System Admin console. For details on how to get the System Admin prompt,
see Access the System Admin Console.

Access the System Admin Console

You must log in to the System Admin console through the XR console to perform all system administration
and hardware management setups.

Step 1 Log in to the XR console as the root user.

Step 2 (Optional) Disable the login banner on the console port when accessing the System Admin mode from XR mode.
a) configure
b) service sysadmin-login-banner disable
Example:
RP/0/RP0/CPU0:router(config)#service sysadmin-login-banner disable

Disables the login banner on the console port in System Admin mode.
c) commit
d) end

Step 3 admin
Example:
The login banner is enabled by default. The following example shows the command output with the login banner enabled:
RP/0/RP0/CPU0:router#admin

Mon May 22 06:57:29.350 UTC

root connected from 127.0.0.1 using console on host
sysadmin-vm:0_RP0# exit
Mon May 22 06:57:32.360 UTC

The following example shows the command output with the login banner disabled:
RP/0/RP0/CPU0:router#admin
Thu Mar 01:07:14.509 UTC
sysadmin-vm:0_RP0# exit

Step 4 (Optional) exit
Return to the XR mode from the System Admin mode.
Configure the Management Port

To use the Management port for system management and remote communication, you must configure an IP
address and a subnet mask for the management Ethernet interface. To communicate with devices on other
networks (such as remote management stations or TFTP servers), you need to configure a default (static) route
for the router.

Before you begin
• Consult your network administrator or system planner to procure IP addresses and a subnet mask for the
management interface.
• Physical port Ethernet 0 and Ethernet 1 on RP are the management ports. Ensure that the port is connected
to the management network.

SUMMARY STEPS
1. configure
2. interface MgmtEth rack/slot/port
3. ipv4 address ipv4-address subnet-mask
4. ipv4 address ipv4 virtual address subnet-mask
5. no shutdown
6. exit
7. router static address-family ipv4 unicast 0.0.0.0/0 default-gateway
8. Use the commit or end command.

DETAILED STEPS

Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure

Enters XR Config mode.

Step 2 interface MgmtEth rack/slot/port
Example:
RP/0/RP0/CPU0:router(config)#interface mgmtEth 0/RP0/CPU0/0

Enters interface configuration mode for the management interface of the primary RP.

Step 3 ipv4 address ipv4-address subnet-mask
Example:
RP/0/RP0/CPU0:router(config-if)#ipv4 address 10.1.1.1/8

Assigns an IP address and a subnet mask to the interface.

Step 4 ipv4 address ipv4 virtual address subnet-mask
Example:
RP/0/RP0/CPU0:router(config-if)#ipv4 address 1.70.31.160 255.255.0.0

Assigns a virtual IP address and a subnet mask to the interface.

Step 5 no shutdown
Example:
RP/0/RP0/CPU0:router(config-if)#no shutdown

Places the interface in an "up" state.

Step 6 exit
Example:
RP/0/RP0/CPU0:router(config-if)#exit

Exits the Management interface configuration mode.

Step 7 router static address-family ipv4 unicast 0.0.0.0/0 default-gateway
Example:
RP/0/RP0/CPU0:router(config)#router static address-family ipv4 unicast 0.0.0.0/0 12.25.0.1

Specifies the IP address of the default gateway to configure a static route; this is to be used for communications with
devices on other networks.

Step 8 Use the commit or end command.
commit - Saves the configuration changes and remains within the configuration session.
end - Prompts user to take one of these actions:
• Yes - Saves configuration changes and exits the configuration session.
• No - Exits the configuration session without committing the configuration changes.
• Cancel - Remains in the configuration session, without committing the configuration changes.

What to do next
Connect the management port to the Ethernet network. With a terminal emulation program, establish an SSH
or Telnet connection to the management interface port using its IP address. Before establishing a Telnet session,
use the telnet ipv4|ipv6 server max-servers command in the XR Config mode to set the number of allowable
Telnet sessions to the router.

Perform Clock Synchronization with NTP Server

There are independent system clocks for the XR console and the System Admin console. To ensure that these
clocks do not deviate from true time, they need to be synchronized with the clock of an NTP server. In this
task you will configure an NTP server for the XR console. After the XR console clock is synchronized, the
System Admin console clock will automatically synchronize with the XR console clock.

Before you begin
Configure and connect to the management port.

Step 1 configure
Example:
RP/0/RP0/CPU0:router# configure

Enters XR Config mode.

Step 2 ntp server server_address
Example:
RP/0/RP0/CPU0:router(config)#ntp server 64.90.182.55

The XR console clock is configured to be synchronized with the specified server.

CHAPTER 4
Perform Preliminary Checks
After successfully logging into the console, you must perform some preliminary checks to verify the default
setup. If any setup issue is detected when these checks are performed, take corrective action before making
further configurations. These preliminary checks are:
• Verify Software Version
• Verify Status of Hardware Modules
• Verify Firmware Version
• Verify Interface Status

Verify Software Version


The router is shipped with the Cisco IOS XR software pre-installed. Verify that the latest version of the
software is installed. If a newer version is available, perform a system upgrade. This will install the newer
version of the software and provide the latest feature set on the router.
Perform this task to verify the version of Cisco IOS XR software running on the router.

SUMMARY STEPS
1. show version

DETAILED STEPS

show version
Example:
RP/0/RP0/CPU0:router# show version

Displays the version of the various software components installed on the router. The result includes the version of Cisco
IOS XR software and its various components.


Example

What to do next
Verify the result to ascertain whether a system upgrade or additional package installation is required. If that
is required, refer to the tasks in the chapter Perform System Upgrade and Install Feature Packages.

Verify Status of Hardware Modules


Hardware modules include RPs, fan trays, and so on. On the router, multiple hardware modules are installed.
Perform this task to verify that all hardware modules are installed correctly and are operational.

Before you begin


Ensure that all required hardware modules have been installed on the router.

SUMMARY STEPS
1. show hw-module fpd

DETAILED STEPS

show hw-module fpd


Example:
RP/0/RP0/CPU0:router# show hw-module fpd

Displays the list of hardware modules detected on the router.

FPD Versions
=================
Location  Card type  HWver  FPD device  ATR  Status   Running  Programd
------------------------------------------------------------------------
0/RP0     NCS5002    3.0    DB-MIFPGA        CURRENT  0.13     0.13
0/RP0     NCS5002    3.0    MB-MIFPGA        CURRENT  0.13     0.13
0/RP0     NCS5002    3.0    BIOS             CURRENT  1.07     1.07
0/RP0     NCS5002    3.0    IOFPGA           CURRENT  0.16     0.16

Verify Firmware Version

The firmware on various hardware components of the router must be compatible with the Cisco IOS XR
image installed. Incompatibility might cause the router to malfunction. Complete this task to verify the firmware
version.

SUMMARY STEPS
1. show hw-module fpd

DETAILED STEPS

show hw-module fpd
Example:
RP/0/RP0/CPU0:router# show hw-module fpd
FPD Versions
=================
Location  Card type  HWver  FPD device  ATR  Status   Running  Programd
------------------------------------------------------------------------
0/RP0     NCS5002    3.0    DB-MIFPGA        CURRENT  0.13     0.13
0/RP0     NCS5002    3.0    MB-MIFPGA        CURRENT  0.13     0.13
0/RP0     NCS5002    3.0    BIOS             CURRENT  1.07     1.07
0/RP0     NCS5002    3.0    IOFPGA           CURRENT  0.16     0.16

Displays the list of hardware modules detected on the router.

Note This command can be run from both XR VM and System Admin VM modes.

In the above output, some of the significant fields are:
• FPD Device - Name of the hardware component such as FPD, CFP, and so on.
• ATR - Attribute of the hardware component. Some of the attributes are:
    • B - Backup Image
    • S - Secure Image
    • P - Protected Image
• Status - Upgrade status of the firmware. The different states are:
    • CURRENT - The firmware version is the latest version.
    • READY - The firmware of the FPD is ready for an upgrade.
    • NOT READY - The firmware of the FPD is not ready for an upgrade.
    • NEED UPGD - A newer firmware version is available in the installed image. It is recommended that an upgrade
      be performed.
    • RLOAD REQ - The upgrade has been completed, and the ISO image requires a reload.
    • UPGD DONE - The firmware upgrade is successful.
    • UPGD FAIL - The firmware upgrade has failed.
    • BACK IMG - The firmware is corrupted. Reinstall the firmware.
    • UPGD SKIP - The upgrade has been skipped because the installed firmware version is higher than the one
      available in the image.
• Running - Current version of the firmware running on the FPD.

What to do next
• Upgrade the required firmware by using the upgrade hw-module location all fpd command in the
EXEC mode. For the FPD upgrade to take effect, the router needs a power cycle.
• It is recommended to upgrade all FPGAs on a given node using the upgrade hw-module fpd all location
{all | node-id} command. Do not upgrade the FPGA on a node using the upgrade hw-module fpd
<individual-fpd> location {all | node-id} command, as it may cause errors in booting the card.
• If required, turn on the auto fpd upgrade function. To do so, use the fpd auto-upgrade enable command
in the XR configuration [(config)#] mode. After it is enabled, if there are new FPD binaries present in
the image being installed on the router, FPDs are automatically upgraded during the system upgrade
operation.
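
An added example (not part of the Cisco guide): a parser for saved show hw-module fpd output that copes with the optional ATR column and the two-word status values listed above, then reports every FPD that is not CURRENT or whose running and programmed versions differ. The first two sample rows follow the guide's output and the rest are constructed; reading the Programd column as the programmed version, and assuming a single-token card type, are assumptions of this example.

```python
import re

# Status values and meanings as listed in the guide's field description.
STATUS_MEANING = {
    "CURRENT": "firmware is the latest version",
    "READY": "FPD is ready for an upgrade",
    "NOT READY": "FPD is not ready for an upgrade",
    "NEED UPGD": "newer firmware is available in the installed image",
    "RLOAD REQ": "upgrade completed, reload required",
    "UPGD DONE": "firmware upgrade successful",
    "UPGD FAIL": "firmware upgrade failed",
    "BACK IMG": "firmware is corrupted, reinstall it",
    "UPGD SKIP": "installed firmware is newer than the image",
}
ATTRIBUTES = set("BSP")  # Backup, Secure, Protected image

# Constructed sample: rows 1-2 follow the guide's example output; rows 3-5 are
# invented to exercise the ATR column, two-word statuses and a version mismatch.
SAMPLE = """\
FPD Versions
=================
Location Card type HWver FPD device ATR Status Running Programd
------------------------------------------------------------------------------
0/RP0 NCS5002 3.0 DB-MIFPGA CURRENT 0.13 0.13
0/RP0 NCS5002 3.0 MB-MIFPGA CURRENT 0.13 0.13
0/RP0 NCS5002 3.0 BIOS S NEED UPGD 1.07 1.07
0/RP0 NCS5002 3.0 IOFPGA RLOAD REQ 0.16 0.17
0/RP0 NCS5002 3.0 TEST-FPD CURRENT 0.02 0.03
"""


def parse_fpd(output):
    """Parse `show hw-module fpd` text into one dict per FPD row."""
    rows = []
    for line in output.splitlines():
        tok = line.split()
        # A data row starts with a location such as 0/RP0 and has at least
        # location, card, hwver, device, status, running, programmed.
        if len(tok) < 7 or not re.fullmatch(r"\d+/[\w/]+", tok[0]):
            continue  # title, header and separator lines
        middle = tok[4:-2]  # optional ATR letters, then a one- or two-word status
        attr = ""
        if len(middle) > 1 and set(middle[0]) <= ATTRIBUTES:
            attr, middle = middle[0], middle[1:]
        status = " ".join(middle)
        if status not in STATUS_MEANING:
            raise ValueError(f"unrecognised FPD status in row: {line!r}")
        rows.append({"location": tok[0], "card": tok[1], "hwver": tok[2],
                     "device": tok[3], "attr": attr, "status": status,
                     "running": tok[-2], "programmed": tok[-1]})
    return rows


def fpd_findings(rows):
    """Return (location, device, issue) for every FPD that needs attention."""
    findings = []
    for r in rows:
        if r["status"] != "CURRENT":
            issue = f'{r["status"]}: {STATUS_MEANING[r["status"]]}'
        elif r["running"] != r["programmed"]:
            # The programmed firmware is not the running one yet; the guide notes
            # that an FPD upgrade takes effect only after a power cycle.
            issue = f'running {r["running"]} but programmed {r["programmed"]}'
        else:
            continue
        findings.append((r["location"], r["device"], issue))
    return findings


if __name__ == "__main__":
    for location, device, issue in fpd_findings(parse_fpd(SAMPLE)):
        print(f"{location} {device}: {issue}")
```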

Verify Interface Status


After the router has booted, all available interfaces must be discovered by the system. If interfaces are not
discovered, it might indicate a malfunction in the unit. Complete this task to view the number of discovered
interfaces.

SUMMARY STEPS
1. show ipv4 interface summary

DETAILED STEPS

show ipv4 interface summary


Example:
RP/0/RP0/CPU0:router#show ipv4 interface summary

When a router is turned on for the first time, all interfaces are in the 'unassigned' state. Verify that the total number of
interfaces displayed in the result matches with the actual number of interfaces present on the router.

IP address State State State State


config up,up up,down down,down shutdown,down
----------------------------------------------------------------------
Assigned 0 0 0 0
Unnumbered 0 0 0 0
Unassigned 0 0 0 84

In the above result:


• Assigned— An IP address is assigned to the interface.
• Unnumbered— Interface which has borrowed an IP address already configured on one of the other interfaces of the
router.

System Setup and Software Installation Guide for Cisco NCS 5000 Series Routers, IOS XR Release 7.7.x
16
Perform Preliminary Checks
Verify Interface Status

• Unassigned—No IP address is assigned to the interface.

You can also use the show interfaces brief and show interfaces summary commands in the XR EXEC mode to verify
the interface status.

CHAPTER 5
Create User Profiles and Assign Privileges
To provide controlled access to the XR and System Admin configurations on the router, user profiles are
created with assigned privileges. The privileges are specified using command rules and data rules.
The authentication, authorization, and accounting (aaa) commands are used for the creation of users, groups,
command rules, and data rules. The aaa commands are also used for changing the disaster-recovery password.

Note You cannot configure the external AAA server and services from the System Admin VM. It can be configured
only from the XR VM.
Configure AAA authorization to restrict users from uncontrolled access. If AAA authorization is not configured,
the command and data rules associated with the groups that are assigned to the user are bypassed. An IOS-XR
user can have full read-write access to the IOS-XR configuration through Network Configuration Protocol
(NETCONF), Google-defined Remote Procedure Calls (gRPC), or any YANG-based agents. To avoid
granting uncontrolled access, enable AAA authorization before setting up any configuration.

Note If any user on XR is deleted, the local database checks whether there is a first user on System Admin VM.
• If there is a first user, no syncing occurs.
• If there is no first user, then the first user on XR (based on the order of creation) is synced to System
Admin VM.
• When a user is added in XR, if there is no user on System Admin mode, then the user is synced to
sysadmin-vm. After the synchronization, any changes to the user on XR VM do not synchronize to
the System Admin VM.
• A user added on the System Admin VM does not synchronize with XR VM.
• Only the first user or disaster-recovery user created on System Admin VM synchronizes with the host
VM.
• Changes to credentials of the first user or disaster-recovery user on System Admin VM synchronize with
the host VM.
• The first user or disaster-recovery user deleted on System Admin VM does not synchronize with the host
VM. The host VM retains the user.

Users are authenticated using username and password. Authenticated users are entitled to execute commands
and access data elements based on the command rules and data rules that are created and applied to user
groups. All users who are part of a user group have such access privileges to the system as defined in the
command rules and data rules for that user group.
The workflow for creating a user profile is represented in this flow chart:
Figure 1: Workflow for Creating User Profiles

Note The root-lr user, created for the XR VM during initial router start-up, is mapped to the root-system user for
the System Admin VM. The root-system user has superuser permissions for the System Admin VM and
therefore has no access restrictions.

Use the show run aaa command in the Config mode to view existing aaa configurations.
The topics covered in this chapter are:
• Create User Groups
• Create Users
• Create Command Rules
• Create Data Rules
• Change Disaster-recovery Username and Password
• Recover Password using PXE Boot

Create User Groups


Create a new user group to associate command rules and data rules with it. The command rules and data rules
are enforced on all users that are part of the user group.
For extensive information about creating user groups, task groups, RADIUS and TACACS configurations,
see the Configuring AAA Services chapter in the System Security Configuration Guide for Cisco NCS 5000
Series Routers. For detailed information about commands, syntax and their description, see the Authentication,
Authorization, and Accounting Commands chapter in the System Security Command Reference for Cisco
NCS 5000 Series Routers.

Configure User Groups in XR VM


User groups are configured with the command parameters for a set of users, such as task groups. Entering the
usergroup command accesses the user group configuration submode. Users can remove specific user groups
by using the no form of the usergroup command. Deleting a usergroup that is still referenced in the system
results in a warning.

Before you begin

Note Only users associated with the WRITE:AAA task ID can configure user groups. User groups cannot inherit
properties from predefined groups, such as owner-sdr.

SUMMARY STEPS
1. configure
2. usergroup usergroup-name
3. description string
4. inherit usergroup usergroup-name
5. taskgroup taskgroup-name
6. Repeat Step for each task group to be associated with the user group named in Step 2.
7. Use the commit or end command.

DETAILED STEPS

Step 1 configure
Example:

RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2 usergroup usergroup-name


Example:
RP/0/RP0/CPU0:router(config)# usergroup beta

Creates a name for a particular user group and enters user group configuration submode.
• Specific user groups can be removed from the system by specifying the no form of the usergroup command.

Step 3 description string


Example:
RP/0/RP0/CPU0:router(config-ug)# description this is a sample user group description

(Optional) Creates a description of the user group named in Step 2.

Step 4 inherit usergroup usergroup-name

Example:
RP/0/RP0/CPU0:router(config-ug)# inherit usergroup sales

• Explicitly defines permissions for the user group.

Step 5 taskgroup taskgroup-name


Example:
RP/0/RP0/CPU0:router(config-ug)# taskgroup beta

Associates the user group named in Step 2 with the task group named in this step.
• The user group takes on the configuration attributes (task ID list and permissions) already defined for the entered
task group.

Step 6 Repeat Step for each task group to be associated with the user group named in Step 2.
Step 7 Use the commit or end command.
commit —Saves the configuration changes and remains within the configuration session.
end —Prompts user to take one of these actions:
• Yes — Saves configuration changes and exits the configuration session.
• No —Exits the configuration session without committing the configuration changes.
• Cancel —Remains in the configuration session, without committing the configuration changes.

Create a User Group in System Admin VM


Create a user group for the System Admin VM.
The router supports a maximum of 32 user groups.

Before you begin


Create a user profile. See the Create User section.

SUMMARY STEPS
1. admin
2. config
3. aaa authentication groups group group_name
4. users user_name
5. gid group_id_value
6. Use the commit or end command.

DETAILED STEPS

Step 1 admin

Example:

RP/0/RP0/CPU0:router# admin

Enters mode.

Step 2 config
Example:
sysadmin-vm:0_RP0#config

Enters System Admin Config mode.

Step 3 aaa authentication groups group group_name


Example:
sysadmin-vm:0_RP0(config)#aaa authentication groups group gr1

Creates a new user group (if it is not already present) and enters the group configuration mode. In this example, the user
group "gr1" is created.
Note By default, the user group "root-system" is created by the system at the time of root user creation. The root
user is part of this user group. Users added to this group will get root user permissions.

Step 4 users user_name


Example:
sysadmin-vm:0_RP0(config-group-gr1)#users us1

Specify the name of the user that should be part of the user group.
You can specify multiple user names enclosed within double quotes. For example, users "user1 user2 ...".

Step 5 gid group_id_value


Example:
sysadmin-vm:0_RP0(config-group-gr1)#gid 50

Specify a numeric value. You can enter any 32-bit integer.

Step 6 Use the commit or end command.


commit —Saves the configuration changes and remains within the configuration session.
end —Prompts user to take one of these actions:
• Yes — Saves configuration changes and exits the configuration session.
• No —Exits the configuration session without committing the configuration changes.
• Cancel —Remains in the configuration session, without committing the configuration changes.

What to do next
• Create command rules. See Create Command Rules.
• Create data rules. See Create Data Rules.

Create Users
You can create new users and include the user in a user group with certain privileges. The router supports a
maximum of 1024 user profiles.

Note Users created in the System Admin VM are different from the ones created in XR VM. As a result, the
username and password of a System Admin VM user cannot be used to access the XR VM, and vice versa.

XR VM and System Admin VM User Profile Synchronization


When you create a user profile for the first time in XR VM, the user name and password are synchronized to
the System Admin VM if a user does not exist in System Admin VM. However, the System Admin VM does
not synchronize subsequent password changes or user deletion.
Therefore, the passwords in XR VM and System Admin VM may not be the same. Also, the user synced with
the System Admin VM is not deleted if the user is deleted in XR VM.
For extensive information about creating user groups, task groups, RADIUS and TACACS configurations,
see the Configuring AAA Services chapter in the System Security Configuration Guide for Cisco NCS 5000
Series Routers. For detailed information about commands, syntax and their description, see the Authentication,
Authorization, and Accounting Commands chapter in the System Security Command Reference for Cisco
NCS 5000 Series Routers.

Create a User Profile in XR VM


Each user is identified by a username that is unique across the administrative domain. Each user must be a
member of at least one user group. Deleting a user group may orphan the users associated with that group.
The AAA server authenticates orphaned users but most commands are not authorized.
For more information about AAA, and creating users, see the Configuring AAA Services chapter in the System
Security Configuration Guide for Cisco NCS 5000 Series Routers. For detailed information about related
commands, syntax and their description, see the Authentication, Authorization, and Accounting Commands
chapter in the System Security Command Reference for Cisco NCS 5000 Series Routers.

Step 1 configure
Example:

RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2 username user-name


Example:
RP/0/RP0/CPU0:router(config)# username user1

Creates a name for a new user (or identifies a current user) and enters username configuration submode.
• The user-name argument can be only one word. Spaces and quotation marks are not allowed.

Step 3 Do one of the following:


• password {0 | 7} password
• secret {0 | 5 | 8 | 9 | 10} secret
Example:
Router(config-un)# password 0 pwd1

or
Router(config-un)# secret 0 sec1

Specifies a password for the user named in Step 2.


• Use the secret command to create a secure login password for the user names specified in Step 2.
• Entering 0 following the password command specifies that an unencrypted (clear-text) password follows. Entering
7 following the password command specifies that an encrypted password follows.
• For the secret command, the following values can be entered:
    • 0 : specifies that a secure unencrypted (clear-text) password follows
    • 5 : specifies that a secure encrypted password follows that uses MD5 hashing algorithm
    • 8 : specifies that Type 8 secret that uses SHA256 hashing algorithm follows
    • 9 : specifies that Type 9 secret that uses SCrypt hashing algorithm follows
      Note The Type 8 and Type 9 secrets are supported on the IOS XR 64-bit operating system starting from
      Cisco IOS XR Software Release 7.0.1. Prior to this release, it was supported only on the IOS XR
      32-bit operating system.
    • 10 : specifies Type 10 secret that uses SHA512 hashing algorithm
      Note
      • Type 10 secret is supported only for Cisco IOS XR 64-bit platform.
      • Backward compatibility issues such as configuration loss, authentication failure, and so on,
        are expected when you downgrade to lower versions that still use MD5 or SHA256 encryption
        algorithms. If there are any type 10 secrets, convert the secrets to type 5 if you are downgrading
        the system from versions 7.0.1 and above to versions 6.5.3 and above. If you are downgrading
        the system from versions 7.0.1 and above to versions below 6.5.3, then un-configure all users
        from the XR-vm and sysadmin-vm before executing install activate.
      • In a first user configuration scenario or when you reconfigure a user, the system synchronises
        only the Type 5 and Type 10 secrets from XR VM to System Admin VM and Host VM. It
        does not synchronize the Type 8 and Type 9 secrets in such scenarios.
• Type 0 is the default for the password and secret commands.
• From Cisco IOS XR Software Release 7.0.1 and later, the default hashing type is 10 (SHA512) when clear text
secret is configured without choosing the type in the configuration.

Step 4 group group-name


Example:
RP/0/RP0/CPU0:router(config-un)# group sysadmin

Assigns the user named in Step 2 to a user group that has already been defined through the usergroup command.
• The user takes on all attributes of the user group, as defined by that user group’s association to various task groups.
• Each user must be assigned to at least one user group. A user may belong to multiple user groups.

Step 5 Repeat step 4 for each user group to be associated with the user specified in step 2.
Step 6 Use the commit or end command.
commit —Saves the configuration changes and remains within the configuration session.
end —Prompts user to take one of these actions:
• Yes — Saves configuration changes and exits the configuration session.
• No —Exits the configuration session without committing the configuration changes.
• Cancel —Remains in the configuration session, without committing the configuration changes.
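
The checks that Steps 3 and 4 imply can be run against a saved configuration. The following Python script is an added example, not part of the Cisco guide or Cisco tooling: it parses username stanzas and reports users with no group, users configured with password instead of secret, Type 5 (MD5) secrets, and Type 8 or Type 9 secrets that are not synchronized to the System Admin VM. The stanza layout, user names, group assignments and hash strings in the sample are constructed placeholders, and the finding labels are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hashing algorithm per secret type, as listed in Step 3 of this section.
SECRET_ALGORITHMS = {"0": "clear text", "5": "MD5", "8": "SHA256",
                     "9": "SCrypt", "10": "SHA512"}
# Step 3 note: only Type 5 and Type 10 secrets are synchronized from the
# XR VM to the System Admin VM and host VM.
SYNCED_SECRET_TYPES = {"5", "10"}

# Constructed sample (assumed stanza layout). Names and hashes are placeholders.
SAMPLE_CONFIG = """\
username admin1
 group root-lr
 secret 10 $6$CONSTRUCTED$placeholder
!
username netops
 group sysadmin
 group beta
 secret 8 $8$CONSTRUCTED$placeholder
!
username legacy
 group sysadmin
 password 7 CONSTRUCTED
!
username orphan
 secret 5 $1$CONSTRUCTED$placeholder
!
"""

USER_RE = re.compile(r"^username\s+(\S+)\s*$")
GROUP_RE = re.compile(r"^\s+group\s+(\S+)\s*$")
CRED_RE = re.compile(r"^\s+(password|secret)\s+(?:(\d+)\s+)?(\S+)\s*$")


@dataclass
class User:
    name: str
    groups: List[str] = field(default_factory=list)
    cred_kind: Optional[str] = None   # "password" or "secret"
    cred_type: Optional[str] = None   # "0", "5", "7", "8", "9" or "10"


def parse_users(config: str) -> Dict[str, User]:
    """Collect each username stanza with its groups and credential type."""
    users: Dict[str, User] = {}
    current: Optional[User] = None
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            current = users.setdefault(m.group(1), User(m.group(1)))
            continue
        if not line.startswith((" ", "\t")):
            current = None            # "!" or another top-level line ends the stanza
            continue
        if current is None:
            continue
        g = GROUP_RE.match(line)
        c = CRED_RE.match(line)
        if g:
            current.groups.append(g.group(1))
        elif c:
            current.cred_kind = c.group(1)
            current.cred_type = c.group(2) or "0"   # Type 0 is the default
    return users


def audit(users: Dict[str, User]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs; finding labels are this example's own."""
    findings: List[Tuple[str, str]] = []
    for u in users.values():
        if not u.groups:                      # every user needs at least one group
            findings.append((u.name, "NO_GROUP"))
        if u.cred_kind == "password":         # the guide points to secret instead
            findings.append((u.name, "PASSWORD_NOT_SECRET"))
        if u.cred_type == "0":                # clear text in the saved configuration
            findings.append((u.name, "CLEAR_TEXT"))
        if u.cred_kind == "secret":
            if u.cred_type == "5":            # MD5; 7.0.1 and later default to Type 10
                findings.append((u.name, "MD5_SECRET"))
            elif u.cred_type not in SYNCED_SECRET_TYPES | {"0"}:
                findings.append((u.name, "NOT_SYNCED_TO_SYSADMIN"))
    return findings


def type10_users(users: Dict[str, User]) -> List[str]:
    """Users whose Type 10 secrets Step 3 says to convert before a downgrade."""
    return sorted(u.name for u in users.values()
                  if u.cred_kind == "secret" and u.cred_type == "10")


if __name__ == "__main__":
    parsed = parse_users(SAMPLE_CONFIG)
    for user in parsed.values():
        algo = SECRET_ALGORITHMS.get(user.cred_type or "", "n/a")
        print(user.name, user.cred_kind, user.cred_type, algo, user.groups)
    for name, finding in audit(parsed):
        print("finding:", name, finding)
    print("convert before downgrade:", type10_users(parsed))
```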

Create a User Profile in System Admin VM


Create new users for the System Admin VM. Users are included in a user group and assigned certain privileges.
The users have restricted access to the commands and configurations in the System Admin VM console, based
on assigned privileges.
The router supports a maximum of 1024 user profiles.
The root-lr user of XR VM can access the System Admin VM by entering the admin command in the XR EXEC
mode. The router does not prompt you to enter any username and password. The XR VM root-lr user is
provided full access to the System Admin VM.

SUMMARY STEPS
1. admin
2. config
3. aaa authentication users user user_name
4. password password
5. uid user_id_value
6. gid group_id_value
7. ssh_keydir ssh_keydir
8. homedir homedir
9. Use the commit or end command.

DETAILED STEPS

Step 1 admin
Example:

RP/0/RP0/CPU0:router# admin

Enters mode.

Step 2 config
Example:
sysadmin-vm:0_RP0#config

Enters System Admin Config mode.

Step 3 aaa authentication users user user_name


Example:
sysadmin-vm:0_RP0(config)#aaa authentication users user us1

Creates a new user and enters user configuration mode. In the example, the user "us1" is created.

Step 4 password password


Example:
sysadmin-vm:0_RP0(config-user-us1)#password pwd1

Enter the password that will be used for user authentication at the time of login into System Admin VM.

Step 5 uid user_id_value


Example:
sysadmin-vm:0_RP0(config-user-us1)#uid 100

Specify a numeric value. You can enter any 32-bit integer.

Step 6 gid group_id_value


Example:
sysadmin-vm:0_RP0(config-user-us1)#gid 50

Specify a numeric value. You can enter any 32-bit integer.

Step 7 ssh_keydir ssh_keydir


Example:
sysadmin-vm:0_RP0(config-user-us1)#ssh_keydir dir1

Specify any alphanumeric value.

Step 8 homedir homedir


Example:
sysadmin-vm:0_RP0(config-user-us1)#homedir dir2

Specify any alphanumeric value.

Step 9 Use the commit or end command.


commit —Saves the configuration changes and remains within the configuration session.
end —Prompts user to take one of these actions:
• Yes — Saves configuration changes and exits the configuration session.
• No —Exits the configuration session without committing the configuration changes.

• Cancel —Remains in the configuration session, without committing the configuration changes.

Create Command Rules


Command rules determine whether users of a user group are permitted or denied the use of certain
commands. Command rules are associated with a user group and apply to all users who are part of that
group.
A command rule is created by specifying whether an operation is permitted, or denied, on a command. This
table lists possible operation and permission combinations:

Operation             | Accept Permission                                  | Reject Permission
----------------------+----------------------------------------------------+--------------------------------------------------------
Read (R)              | Command is displayed on the CLI when "?" is used.  | Command is not displayed on the CLI when "?" is used.
Execute (X)           | Command can be executed from the CLI.              | Command cannot be executed from the CLI.
Read and execute (RX) | Command is visible on the CLI and can be executed. | Command is neither visible nor executable from the CLI.

By default, all permissions are set to Reject.


Each command rule is identified by a number associated with it. When multiple command rules are applied
to a user group, the command rule with a lower number takes precedence. For example, cmdrule 5 permits
read access, while cmdrule 10 rejects read access. When both these command rules are applied to the same
user group, the user in this group gets read access because cmdrule 5 takes precedence.
As an example, in this task, the command rule is created to deny read and execute permissions for the "show
platform" command.

Before you begin


Create a user group. See Create a User Group in System Admin VM.

SUMMARY STEPS
1. admin
2. config
3. aaa authorization cmdrules cmdrule command_rule_number
4. command command_name
5. ops {r | x | rx}
6. action {accept | accept_log | reject}
7. group user_group_name
8. context connection_type
9. Use the commit or end command.

DETAILED STEPS

Step 1 admin
Example:

RP/0/RP0/CPU0:router# admin

Enters mode.

Step 2 config
Example:
sysadmin-vm:0_RP0#config

Enters System Admin Config mode.

Step 3 aaa authorization cmdrules cmdrule command_rule_number


Example:
sysadmin-vm:0_RP0(config)#aaa authorization cmdrules cmdrule 1100

Specify a numeric value as the command rule number. You can enter a 32-bit integer.
Important Do not use numbers between 1 and 1000 because they are reserved by Cisco.
This command creates a new command rule (if it is not already present) and enters the command rule configuration mode.
In the example, command rule "1100" is created.
Note By default "cmdrule 1" is created by the system when the root-system user is created. This command rule
provides "accept" permission to "read" and "execute" operations for all commands. Therefore, the root user
has no restrictions imposed on it, unless "cmdrule 1" is modified.

Step 4 command command_name


Example:
sysadmin-vm:0_RP0(config-cmdrule-1100)#command "show platform"

Specify the command for which permission is to be controlled.


If you enter an asterisk '*' for command, it indicates that the command rule is applicable to all commands.

Step 5 ops {r | x | rx}


Example:
sysadmin-vm:0_RP0(config-cmdrule-1100)#ops rx

Specify the operation for which permission has to be specified:


• r — Read
• x — Execute
• rx — Read and execute

Step 6 action {accept | accept_log | reject}


Example:
sysadmin-vm:0_RP0(config-cmdrule-1100)#action reject

Specify whether users are permitted or denied the use of the operation.
• accept — users are permitted to perform the operation
• accept_log— users are permitted to perform the operation and every access attempt is logged.
• reject— users are restricted from performing the operation.

Step 7 group user_group_name


Example:
sysadmin-vm:0_RP0(config-cmdrule-1100)#group gr1

Specify the user group on which the command rule is applied.

Step 8 context connection_type


Example:
sysadmin-vm:0_RP0(config-cmdrule-1100)#context *

Specify the type of connection to which this rule applies. The connection type can be netconf (Network Configuration
Protocol), cli (Command Line Interface), or xml (Extensible Markup Language ). It is recommended that you enter an
asterisk '*'; this indicates that the command rule applies to all connection types.

Step 9 Use the commit or end command.


commit —Saves the configuration changes and remains within the configuration session.
end —Prompts user to take one of these actions:
• Yes — Saves configuration changes and exits the configuration session.
• No —Exits the configuration session without committing the configuration changes.
• Cancel —Remains in the configuration session, without committing the configuration changes.

What to do next
Create data rules. See Create Data Rules.

Create Data Rules


Data rules determine whether users of a user group are permitted or denied access to, and modification of,
configuration data elements. Data rules are associated with a user group and apply to all users who are
part of that group.
Each data rule is identified by a number associated with it. When multiple data rules are applied to a user group,
the data rule with a lower number takes precedence.

Before you begin


Create a user group. See Create a User Group in System Admin VM.

SUMMARY STEPS
1. admin
2. config
3. aaa authorization datarules datarule data_rule_number
4. keypath keypath
5. ops operation
6. action {accept | accept_log | reject}
7. group user_group_name
8. context connection type
9. namespace namespace
10. Use the commit or end command.

DETAILED STEPS

Step 1 admin
Example:

RP/0/RP0/CPU0:router# admin

Enters mode.

Step 2 config
Example:
sysadmin-vm:0_RP0#config

Enters System Admin Config mode.

Step 3 aaa authorization datarules datarule data_rule_number


Example:
sysadmin-vm:0_RP0(config)#aaa authorization datarules datarule 1100

Specify a numeric value as the data rule number. You can enter a 32-bit integer.
Important Do not use numbers between 1 and 1000 because they are reserved by Cisco.
This command creates a new data rule (if it is not already present) and enters the data rule configuration mode. In the
example, data rule "1100" is created.
Note By default "datarule 1" is created by the system when the root-system user is created. This data rule provides
"accept" permission to "read", "write", and "execute" operations for all configuration data. Therefore, the
root user has no restrictions imposed on it, unless "datarule 1" is modified.

Step 4 keypath keypath


Example:
sysadmin-vm:0_RP0(config-datarule-1100)#keypath /aaa/disaster-recovery

Specify the keypath of the data element. The keypath is an expression defining the location of the data element. If you
enter an asterisk '*' for keypath , it indicates that the command rule is applicable to all configuration data.

Step 5 ops operation

Example:
sysadmin-vm:0_RP0(config-datarule-1100)#ops rw

Specify the operation for which permission has to be specified. Various operations are identified by these letters:
• c—Create
• d—Delete
• u—Update
• w— Write (a combination of create, update, and delete)
• r—Read
• x—Execute

Step 6 action {accept | accept_log | reject}


Example:
sysadmin-vm:0_RP0(config-datarule-1100)#action reject

Specify whether users are permitted or denied the operation.


• accept — users are permitted to perform the operation
• accept_log— users are permitted to perform the operation and every access attempt is logged
• reject— users are restricted from performing the operation

Step 7 group user_group_name


Example:
sysadmin-vm:0_RP0(config-datarule-1100)#group gr1

Specify the user group on which the data rule is applied. Multiple group names can also be specified.

Step 8 context connection type


Example:
sysadmin-vm:0_RP0(config-datarule-1100)#context *

Specify the type of connection to which this rule applies. The connection type can be netconf (Network Configuration
Protocol), cli (Command Line Interface), or xml (Extensible Markup Language ). It is recommended that you enter an
asterisk '*', which indicates that the command applies to all connection types.

Step 9 namespace namespace


Example:
sysadmin-vm:0_RP0(config-datarule-1100)#namespace *

Enter asterisk '*' to indicate that the data rule is applicable for all namespace values.

Step 10 Use the commit or end command.


commit —Saves the configuration changes and remains within the configuration session.
end —Prompts user to take one of these actions:
• Yes — Saves configuration changes and exits the configuration session.

• No —Exits the configuration session without committing the configuration changes.


• Cancel —Remains in the configuration session, without committing the configuration changes.
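
The precedence behaviour described under Create Command Rules and Create Data Rules can be checked offline before a rule set is committed. The following Python model is an added example, not Cisco code and not the router's own evaluation logic: it applies the lowest-numbered matching rule, falls back to reject, and lists rules that can never take effect as well as rules numbered in the range reserved by Cisco. It assumes that a command, keypath or context matches only when it is identical or '*', and that data rules also default to reject; every rule other than rule 1100 from this chapter is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    number: int          # cmdrule or datarule number
    target: str          # command (cmdrule) or keypath (datarule); "*" = all
    ops: str             # cmdrule: r, x, rx; datarule: letters from c d u w r x
    action: str          # accept | accept_log | reject
    group: str           # user group the rule is applied to
    context: str = "*"   # netconf | cli | xml, or "*" for all connection types


def expand_ops(ops: str) -> Set[str]:
    """Expand 'w' into create, update and delete (data rules, Step 5)."""
    out = set(ops)
    if "w" in out:
        out = (out - {"w"}) | {"c", "u", "d"}
    return out


def _covers(pattern: str, value: str) -> bool:
    # Assumption of this example: match only on "*" or an identical string.
    return pattern == "*" or pattern == value


def decide(rules: Iterable[Rule], user_groups: Set[str], target: str,
           op: str, context: str = "cli") -> Tuple[str, Optional[int]]:
    """Return (action, deciding rule number) for one primitive operation."""
    for rule in sorted(rules, key=lambda r: r.number):   # lower number wins
        if (rule.group in user_groups
                and _covers(rule.context, context)
                and _covers(rule.target, target)
                and op in expand_ops(rule.ops)):
            return rule.action, rule.number
    # No matching rule: permissions default to Reject (assumed for data rules too).
    return "reject", None


def shadowed_rules(rules: Iterable[Rule]) -> List[Tuple[int, int]]:
    """Pairs (rule, lower-numbered rule that always decides before it)."""
    ordered = sorted(rules, key=lambda r: r.number)
    result = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.group == later.group
                    and _covers(earlier.context, later.context)
                    and _covers(earlier.target, later.target)
                    and expand_ops(earlier.ops) >= expand_ops(later.ops)):
                result.append((later.number, earlier.number))
                break
    return result


def reserved_numbers(rules: Iterable[Rule]) -> List[int]:
    """Rule numbers in the 1 to 1000 range, which the guide reserves for Cisco."""
    return sorted(r.number for r in rules if 1 <= r.number <= 1000)


# Rule 1100 is the command rule built in this chapter; the others are constructed.
CMD_RULES = [
    Rule(1100, "show platform", "rx", "reject", "gr1"),
    Rule(1200, "*", "rx", "accept_log", "gr1"),
    Rule(1300, "show platform", "r", "accept", "gr1"),   # never reached
    Rule(900, "show inventory", "rx", "accept", "gr2"),  # reserved number
]
# Data rule 1100 as built in this chapter.
DATA_RULES = [Rule(1100, "/aaa/disaster-recovery", "rw", "reject", "gr1")]

if __name__ == "__main__":
    print(decide(CMD_RULES, {"gr1"}, "show platform", "x"))
    print(decide(CMD_RULES, {"gr1"}, "show version", "x", context="netconf"))
    print("shadowed:", shadowed_rules(CMD_RULES))
    print("reserved:", reserved_numbers(CMD_RULES))
    print(decide(DATA_RULES, {"gr1"}, "/aaa/disaster-recovery", "u"))
```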

Change Disaster-recovery Username and Password


When you define the root-system username and password initially after starting the router, the same username
and password are mapped as the disaster-recovery username and password for the System Admin console.
However, they can be changed.
The disaster-recovery username and password are useful in these scenarios:
• Access the system when the AAA database, which is the default source for authentication in System
Admin console, is corrupted.
• Access the system through the management port, when, for some reason, the System Admin console is
not working.
• Create new users by accessing the System Admin console using the disaster-recovery username and
password, when the regular username and password are forgotten.

Note On the router, you can configure only one disaster-recovery username and password at a time.

SUMMARY STEPS
1. admin
2. config
3. aaa disaster-recovery username username password password
4. Use the commit or end command.

DETAILED STEPS

Step 1 admin
Example:

RP/0/RP0/CPU0:router# admin

Enters mode.

Step 2 config
Example:
sysadmin-vm:0_RP0#config

Enters System Admin Config mode.

Step 3 aaa disaster-recovery username username password password

Example:
sysadmin-vm:0_RP0(config)#aaa disaster-recovery username us1 password pwd1

Specify the disaster-recovery username and the password. You have to select an existing user as the disaster-recovery
user. In the example, 'us1' is selected as the disaster-recovery user and assigned the password 'pwd1'. The password
can be entered as plain text or as an md5 digest string.
When you need to use the disaster-recovery username, enter it as username@localhost.

Step 4 Use the commit or end command.


commit —Saves the configuration changes and remains within the configuration session.
end —Prompts user to take one of these actions:
• Yes — Saves configuration changes and exits the configuration session.
• No —Exits the configuration session without committing the configuration changes.
• Cancel —Remains in the configuration session, without committing the configuration changes.

Recover Password using PXE Boot


If you are unable to log in or have lost your XR and System administration passwords, use the following steps to
create a new password. A lost password cannot be recovered; instead, a new username and password must be
created with a non-graceful PXE boot.

Step 1 Boot the router using PXE.


Note PXE boot is fully intrusive. The router state, configuration, and image are reset.

To PXE boot a router, see Boot the Router Using iPXE.

Step 2 Reset the password.

CHAPTER 6
Perform System Upgrade and Install Feature
Packages
The system upgrade and package installation processes are executed using install commands on the router.
The processes involve adding and activating the iso images (.iso) and feature packages on the router. These
files are accessed from a network server and then activated on the router. If the installed package or SMU
causes any issue on the router, it can be uninstalled.
The topics covered in this chapter are:
• Upgrading the System
• View Supported Software Upgrade or Downgrade Versions
• Upgrading Features
• Install Packages
• Install Prepared Packages
• Uninstall Packages

Upgrading the System


Upgrading the system is the process of installing a new version of the Cisco IOS XR operating system on the
router. The router comes preinstalled with the Cisco IOS XR image. However, you can install a new version
to keep router features up to date. The system upgrade operation is performed from the XR VM.
However, during system upgrade, the software that runs on both the XR VM and the System Admin VM gets
upgraded.

Note If an interface on a router doesn’t have a configuration and is brought up by performing no-shut operation,
then upon router reload, the interface state changes to admin-shutdown automatically.

Note Ensure that you have adequate disk space. Run the fsck command to check the status of the file system, for
a successful IOS XR upgrade. You must run the fsck command in the System Admin EXEC mode to install
a System Admin package, and in the XR EXEC mode to install the XR package. All install commands are
applicable in both the System Admin EXEC mode and in XR EXEC mode. System Admin install operations
are done from XR EXEC mode.


Perform a system upgrade by installing a base package, the Cisco IOS XR Unicast Routing Core Bundle. To
install this bundle, run the install command. The filename for the Cisco IOS XR Unicast Routing Core Bundle
is ncs5k-mini-x.iso.

Caution Do not perform any install operations when the router is reloading.
Do not reload the router during an upgrade operation.

Note If you perform a manual or automatic system reload without completing the transaction with the install commit
command, the action will revert the system to the point before the install transaction commenced, including
any configuration changes. Only the log is preserved for debugging.
This action clears all configuration rollback points available. You’ll not be able to roll back to, or view, any
commits made until the install rollback event. Any new commits made after the install rollback event starts
from commit ID ‘1000000001’.

Note Ensure that you perform a chassis reload to enable hardware programming if you upgrade a chassis through ISSU
to IOS XR Release 7.6.x and later from an earlier software version. The chassis reload is mandatory if you
must enable a maximum MTU value of 9646 on applicable interfaces.

View Supported Software Upgrade or Downgrade Versions


Table 1: Feature History Table

Feature Name: Supported Software Upgrade or Downgrade IOS XR Versions
Release Information: Release 7.5.1
Description: You can determine whether a software version can be upgraded or downgraded to another version
using this functionality. Before an actual upgrade or downgrade process, you can also view the hardware or
software limitations that could cause the upgrade or downgrade to fail. This feature helps you plan successful
software upgrades or downgrades. This feature introduces the show install upgrade-matrix command.

Your Cisco router comes preinstalled with IOS XR software. You either upgrade the software release to use
new features and software fixes, or you downgrade the software. To leverage new features that are added or
software fixes that are provided, it is important that you upgrade your router to a current version.


To help you select a Cisco IOS XR software release that aligns with Cisco-certified upgrade and downgrade
paths, this feature provides answers to the following questions:
• What upgrade or downgrade releases are supported for the current release?
• I plan to upgrade from Release X to Release Y. Does my router support upgrade to Release Y?
• Are there any bridging SMUs that must be installed before I upgrade the software?

This feature provides a mechanism to determine whether the current release supports an upgrade to a target
release. This task is run at the start of a software upgrade or downgrade through the install replace command.
If the validation fails, the software upgrade is blocked, and the system reports the reason for the failure. This
feature allows you to proactively examine whether you can upgrade or downgrade to a certain release, saving
time and effort involved in planning and upgrading the software.
The feature provides the following information to help you understand the prerequisites or limitations related
to the specific software upgrade or downgrade:
• Required bridging SMU RPMs
• Blocking SMU RPMs
• Unsupported hardware
• Caveats or restrictions

You can override the automatic validation using the force keyword in the install replace command. With
this option, the system displays warning messages when the upgrade fails but does not block the software
upgrade. Use the force ? keyword to understand any other impact to system functionalities apart from the
disabling of this process that determines the supported releases for software upgrade or downgrade.
You can view the support information using the following show commands or through the operational data.

Command and Description

show install upgrade-matrix running
    Displays all supported software upgrades from the current version according to the support data installed
    on the running system

show install upgrade-matrix iso path-to-ISO
    Displays details about the software upgrade from the current version to the version of the target ISO
    according to the support data in both the running system and the ISO image

show install upgrade-matrix iso path-to-ISO all
    Displays all supported software upgrades from any version according to the support data in the target ISO
    image

show install upgrade-matrix iso path-to-ISO from-running
    Displays details about the software upgrade from the current version to the version of ISO according to the
    support matrices in both the running system and the target ISO image


View All Supported Software Upgrade from Running Version


The following example shows all supported releases for upgrade from the current version 7.5.1 on
the router:
Router#show install upgrade-matrix running
Fri Jul 29 10:12:47.740 IST

This may take a while ...

The current software [7.5.1] can be upgraded from and downgraded to the following releases:

================================================================================
From To Bridge SMUs Required Caveats
================================================================================
7.5.1 7.4.1 None None
--------------------------------------------------------------------------------
7.5.1 7.1.3 None None
--------------------------------------------------------------------------------
7.5.1 7.1.2 None None
--------------------------------------------------------------------------------
7.5.1 7.2.1 None None
--------------------------------------------------------------------------------
7.5.1 7.2.2 None None
--------------------------------------------------------------------------------
7.5.1 7.3.1 None None
--------------------------------------------------------------------------------
7.5.1 7.3.2 None None
--------------------------------------------------------------------------------
7.4.1 7.5.1 None None
--------------------------------------------------------------------------------
7.1.3 7.5.1 None None
--------------------------------------------------------------------------------
7.1.2 7.5.1 None None
--------------------------------------------------------------------------------
7.2.1 7.5.1 None None
--------------------------------------------------------------------------------
7.2.2 7.5.1 None None
--------------------------------------------------------------------------------
7.3.1 7.5.1 None None
--------------------------------------------------------------------------------
7.3.2 7.5.1 None None
--------------------------------------------------------------------------------

View Supported Releases to Upgrade Software From Current Version to Target Version
This example shows the supported release to upgrade software from the current version to a target
version.
Router#show install upgrade-matrix iso harddisk:/ncs5k-golden-x-7.5.2-rev1.iso
Fri July 29 09:47:10.730 IST
This may take a while ...

Upgrade from the current software [7.5.1] to 7.5.2 is not supported.


Please use one of the following intermediate releases to upgrade to 7.5.2:

================================================================================
From To Bridge SMUs Required Caveats
================================================================================
7.5.1 7.1.2 None None
--------------------------------------------------------------------------------
7.1.2 7.5.2 None None
--------------------------------------------------------------------------------

The current image has the upgrade matrix that specifies only its supported upgrade or downgrade
versions up to a certain version. If you want to determine the upgrade path of a newer version of ISO
that is higher than the version in the current matrix, the upgrade matrix from the new ISO provides
the supported upgrade or downgrade paths.

View Supported Releases from Current Version to an ISO Version


The following example shows the software upgrade paths, downgrade paths, and restrictions to an
upgrade from the current version to the target ISO version:
Router#show install upgrade-matrix iso harddisk:/ncs5k-golden-x-7.5.2-rev1.iso all
Fri Jul 29 09:48:10.076 IST
This may take a while ...

7.5.2 can be upgraded from and downgraded to the following releases:

================================================================================
From To Bridge SMUs Required Caveats
================================================================================
7.5.2 6.5.3 None None
--------------------------------------------------------------------------------
7.5.2 7.1.2 None None
--------------------------------------------------------------------------------
7.1.2 7.5.2 None None
--------------------------------------------------------------------------------
6.5.3 7.5.2 None None
--------------------------------------------------------------------------------

View Supported Releases from Running Version to an ISO Version


The following example displays details about the software upgrade from the current version to the
version of ISO according to the support matrices in both the running system and the target ISO image:
Router#show install upgrade-matrix iso harddisk:/ncs5k-golden-x-7.5.2-rev1.iso from-running

Fri Jul 29 10:17:35.583 IST


This may take a while ...

Upgrade from the current software [7.5.1] to 7.5.2 is not supported.


Please use one of the following intermediate releases to upgrade to 7.5.2:

================================================================================
From To Bridge SMUs Required Caveats
================================================================================
7.5.1 7.1.2 None None
--------------------------------------------------------------------------------
7.1.2 7.5.2 None None
--------------------------------------------------------------------------------
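
The following is an added example, not Cisco code: a planning check that parses captured show install upgrade-matrix output, merges the matrix of the running system with the matrix of the target ISO as described above, and finds the sequence of certified hops. It assumes the row layout of the samples on this page (two version tokens, then one token for bridge SMUs and the rest of the line for caveats); the function names are hypothetical.

```python
"""Plan an IOS XR upgrade path from captured `show install upgrade-matrix` output."""
import re
from collections import deque
from typing import NamedTuple

SEP = "-" * 80
BAR = "=" * 80

# Constructed sample input: a subset of the rows shown in the outputs on this page.
RUNNING_MATRIX = f"""\
The current software [7.5.1] can be upgraded from and downgraded to the following releases:

{BAR}
From To Bridge SMUs Required Caveats
{BAR}
7.5.1 7.4.1 None None
{SEP}
7.5.1 7.1.2 None None
{SEP}
7.4.1 7.5.1 None None
{SEP}
7.1.2 7.5.1 None None
{SEP}
"""

ISO_MATRIX = f"""\
7.5.2 can be upgraded from and downgraded to the following releases:

{BAR}
From To Bridge SMUs Required Caveats
{BAR}
7.5.2 6.5.3 None None
{SEP}
7.5.2 7.1.2 None None
{SEP}
7.1.2 7.5.2 None None
{SEP}
6.5.3 7.5.2 None None
{SEP}
"""

VERSION = r"\d+(?:\.\d+)+"
# Assumed row layout: <from> <to> <bridge SMUs> <caveats>
ROW = re.compile(rf"^\s*({VERSION})\s+({VERSION})\s+(\S+)\s+(\S.*?)\s*$")


class Hop(NamedTuple):
    src: str
    dst: str
    bridge_smus: str
    caveats: str


def parse_matrix(text):
    """Return one Hop per data row; banners, headers and rulers are skipped."""
    return [Hop(*m.groups()) for m in map(ROW.match, text.splitlines()) if m]


def find_path(hops, current, target):
    """Breadth-first search for the shortest chain of supported hops.

    Returns a list of Hop objects ([] if already on target) or None if the
    matrices contain no supported path.
    """
    graph = {}
    for hop in hops:
        graph.setdefault(hop.src, []).append(hop)
    queue = deque([(current, [])])
    seen = {current}
    while queue:
        release, path = queue.popleft()
        if release == target:
            return path
        for hop in graph.get(release, []):
            if hop.dst not in seen:
                seen.add(hop.dst)
                queue.append((hop.dst, path + [hop]))
    return None


def needs_review(path):
    """Hops that list a bridge SMU or a caveat and need action before install."""
    return [h for h in path if h.bridge_smus != "None" or h.caveats != "None"]


if __name__ == "__main__":
    hops = parse_matrix(RUNNING_MATRIX) + parse_matrix(ISO_MATRIX)
    path = find_path(hops, "7.5.1", "7.5.2")
    if path is None:
        print("No supported path found in the supplied matrices")
    else:
        for hop in path:
            print(f"{hop.src} -> {hop.dst}  bridge SMUs: {hop.bridge_smus}  caveats: {hop.caveats}")
        for hop in needs_review(path):
            print(f"review before install: {hop.src} -> {hop.dst}")
```

Run against the running matrix alone, the search finds no path to 7.5.2, which is why the matrix from the target ISO has to be included.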


Upgrading Features
Upgrading features is the process of deploying new features and software patches on the router. Perform a
feature upgrade by installing package files, also called packages. Perform a software patch installation by
installing Software Maintenance Upgrade (SMU) files.
Installing a package on the router installs specific features that are part of that package. Cisco IOS XR Software
is divided into various software packages; this enables you to select the features to run on your router. Each
package contains components that perform a specific set of router functions, such as routing, security, and so
on.
For example, the components of the routing package are split into individual RPMs such as BGP and OSPF.
BGP is a part of the base software version and is a mandatory RPM, and hence can’t be removed. However,
you can add and remove optional RPMs such as OSPF as required.
The naming convention of the package is <platform>-<pkg>-<pkg version>-<release
version>.<architecture>.rpm.

Package Requirement Example

BGP Mandatory ncs5k-bgp-1.0.0.0-<release-number>.x86_64.rpm

NCS5K RM Mandatory ncs5k-rm-1.0.0.0-<release-number>.x86_64.rpm

NCS 5K Forwarding Mandatory ncs5k-fwding-1.0.0.0-<release-number>.x86_64.rpm

ios-xr CE Mandatory ncs5k-iosxr-ce-1.0.0.0-<release-number>.x86_64.rpm

iosxr-fwding Mandatory ncs5k-iosxr-fwding-1.0.0.0-<release-number>.x86_64.rpm

iosxr-infra Mandatory ncs5k-iosxr-infra-1.0.0.0-<release-number>.x86_64.rpm

iosxr-infra-test Optional ncs5k-infra-test-1.0.0.0-<release-number>.x86_64.rpm

iosxr-mgbl Optional ncs5k-iosxr-mgbl-1.0.0.0-<release-number>.x86_64.rpm

iosxr-mpls Optional ncs5k-iosxr-mpls-1.0.0.0-<release-number>.x86_64.rpm

iosxr-os Mandatory ncs5k-iosxr-os-1.0.0.0-<release-number>.x86_64.rpm

iosxr-routing Mandatory ncs5k-iosxr-routing-1.0.0.0-<release-number>.x86_64.rpm

iosxr-security Optional ncs5k-k9sec-1.0.0.0-<release-number>.x86_64.rpm

os-support Mandatory ncs5k-os-support-1.0.0.0-<release-number>.x86_64.rpm

base Mandatory ncs5k-base-1.0.0.0-<release-number>.x86_64.rpm

mcast Optional ncs5k-mcast-1.0.0.0-<release-number>.x86_64.rpm

Use the install commands to install package and SMU. For more information about the install process, see
Install Packages, on page 41.
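
The following is an added example, not Cisco code: a pre-flight check for a list of RPM file names before it is passed to an install command that deactivates or removes packages. It parses the naming convention above (including hyphenated package names), rejects names that still carry an unfilled placeholder, flags packages the table marks Mandatory, and reports mixed release versions. The function names and the character classes accepted for each field are assumptions.

```python
"""Pre-flight check for RPM file names following the NCS 5000 naming convention."""
import re
from typing import NamedTuple, Optional

# <platform>-<pkg>-<pkg version>-<release version>.<architecture>.rpm
# Assumption: fields use the characters seen in the examples on this page.
NAME = re.compile(
    r"^(?P<platform>[a-z0-9]+)"
    r"-(?P<pkg>[a-z0-9-]+)"
    r"-(?P<pkg_version>\d+(?:\.\d+)+)"
    r"-(?P<release>[A-Za-z0-9]+)"
    r"\.(?P<arch>[A-Za-z0-9_]+)\.rpm$"
)

# <pkg> components of the file names that the table on this page marks Mandatory.
MANDATORY = {
    "bgp", "rm", "fwding", "iosxr-ce", "iosxr-fwding", "iosxr-infra",
    "iosxr-os", "iosxr-routing", "os-support", "base",
}


class Rpm(NamedTuple):
    platform: str
    pkg: str
    pkg_version: str
    release: str
    arch: str


def parse_rpm_name(filename: str) -> Optional[Rpm]:
    """Split a file name into its convention fields, or return None."""
    m = NAME.match(filename)
    return Rpm(**m.groupdict()) if m else None


def check_removal(filenames, platform="ncs5k"):
    """Return a list of problems; an empty list means the request looks sane."""
    problems = []
    releases = set()
    for name in filenames:
        rpm = parse_rpm_name(name)
        if rpm is None:
            problems.append(f"{name}: does not follow the naming convention")
            continue
        if rpm.platform != platform:
            problems.append(f"{name}: platform '{rpm.platform}' is not '{platform}'")
        if rpm.pkg in MANDATORY:
            problems.append(f"{name}: '{rpm.pkg}' is mandatory and cannot be removed")
        releases.add(rpm.release)
    if len(releases) > 1:
        problems.append("mixed release versions: " + ", ".join(sorted(releases)))
    return problems


if __name__ == "__main__":
    # Constructed request: one optional package, one mandatory package,
    # and one name with the placeholder left in.
    request = [
        "ncs5k-mcast-1.0.0.0-r60014I.x86_64.rpm",
        "ncs5k-bgp-1.0.0.0-r60014I.x86_64.rpm",
        "ncs5k-iosxr-mpls-1.0.0.0-<release-number>.x86_64.rpm",
    ]
    for problem in check_removal(request):
        print(problem)
```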


Note Ensure that you have adequate disk space. Run the fsck command to check the status of the file system, for
a successful IOS XR upgrade. You must run the fsck command in the System Admin EXEC mode to install
a System Admin package, and in the XR EXEC mode to install the XR package. All install commands are
applicable in both the System Admin EXEC mode and in XR EXEC mode. System Admin install operations
are done from XR EXEC mode.

There are separate packages and SMUs for the XR VM and the System Admin VM. They can be identified
by their filenames.
The XR packages or SMUs are activated from the XR VM, whereas the System Admin packages or SMUs
are activated from the System Admin VM.
You can alternatively perform a cross VM operation, by activating or deactivating the System Admin packages
and SMUs from XR.

Install Packages
Complete this task to upgrade the system or install a patch. The system upgrade is done using an ISO image
file, while the patch installation is done using packages and SMUs. You can also include SMUs in an upgrade
operation along with mini ISO.
This task is also used to install .rpm files. The .rpm file contains multiple packages and SMUs that are merged
into a single file. The packaging format defines one RPM per component, without dependency on the card
type.

Note Ensure that you have adequate disk space. Run the fsck command to check the status of the file system, for
a successful IOS XR upgrade. You must run the fsck command in the System Admin EXEC mode to install
a System Admin package, and in the XR EXEC mode to install the XR package. All install commands are
applicable in both the System Admin EXEC mode and in XR EXEC mode. System Admin install operations
are done from XR EXEC mode.

Note • The system upgrade is supported only from XR EXEC mode.


• While the System Admin package can be executed using install commands in the System Admin EXEC
mode and XR EXEC mode, the XR package can only be executed using the install commands in XR
EXEC mode. All install commands are applicable in both these modes.
• While the System Admin SMUs can be installed in System Admin EXEC mode and XR EXEC mode,
the XR SMUs can only be installed through the XR EXEC mode.
• Install operation over IPv6 is not supported.

The workflow for installing a package is shown in this flowchart.


Figure 2: Installing Packages Workflow

Before you begin


• Configure and connect to the management port. The installable file is accessed through the management
port.
• Copy the package to be installed either on the router's hard disk or on a network server to which the
router has access.

Step 1 Execute one of these:


• install add source <http or shttp transfer protocol>/package_path/ filename1 filename2 ...
• install add source <tftp transfer protocol>/package_path/ filename1 filename2 ...
• install add source <ftp or sftp transfer protocol>//user@server:/package_path/ filename1 filename2 ...
Example:
RP/0/RP0/CPU0:router#install add source sftp://[email protected]:/auto/ncs/package/
ncs5k-mcast-1.0.0.0-<release-number>.x86_64.rpm ncs5k-iosxr-mpls-1.0.0.0-<release-number>.x86_64.rpm

Note A space must be provided between the package_path and filename.

The software files are unpacked from the package, validated, and then added to the software repository. This operation
might take time depending on the size of the files being added. The operation is performed in asynchronous mode. The
install add command runs in the background, and the EXEC prompt is returned as soon as possible.
Note The repositories for the XR VM and the System Admin VM are different. The system automatically adds a
routing package to the XR VM repository and a system administration package to the System Admin VM
repository.

Step 2 show install request


Example:
RP/0/RP0/CPU0:router#show install request

(Optional) Displays the operation ID of the add operation and its status. The operation ID can be later used to execute
the activate command.
Install operation 8 is still in progress

Step 3 show install repository


Example:
RP/0/RP0/CPU0:router#show install repository

Displays packages that are added to the repository. Packages are displayed only after the install add operation is
complete.

Step 4 show install inactive


Example:
RP/0/RP0/CPU0:router#show install inactive

Displays inactive packages that are present in the repository. Only inactive packages can be activated.

Step 5 Execute one of these:


• install activate package_name
• install activate id operation_id
Example:
RP/0/RP0/CPU0:router#install activate ncs5k-mcast-1.0.0.0-<release-number>.x86_64.rpm
ncs5k-iosxr-mpls-1.0.0.0-<release-number>.x86_64.rpm

or
RP/0/RP0/CPU0:router#install activate id 8

The operation_id is that of the install add operation. This command can also be run from System Admin mode. The
package configurations are made active on the router. As a result, new features and software fixes take effect. This
operation is performed in asynchronous mode, as this is the default. The install activate command runs in the background,
and the EXEC prompt is returned.
You can run the activate operation either through the synchronous mode or by selecting the sync option from the CLI.


If you use the operation ID, all packages that were added in the specified operation are activated together. For example,
if 5 packages are added in operation 8, by executing install activate id 8, all 5 packages are activated together. You do
not have to activate the packages individually.
Activation does not happen instantaneously, but takes some time. Upon activation completion, the system reloads
automatically. For restart SMU activation, the SMU takes effect once the processes impacted by the SMU are restarted.
If the SMU has dependency on both XR VM and System Admin VM, perform the reload after activating the SMU in
both VMs so that they take effect simultaneously. To reload the router, use the hw-module location all reload command
from the System Admin EXEC mode.

Step 6 show install active


Example:
RP/0/RP0/CPU0:router#show install active

Displays packages that are active.

RP/0/RP0/CPU0:skywarp-tb#show install active


Tue Dec 22 16:02:46.873 UTC
Node 0/RP0/CPU0 [RP]
Boot Partition: xr_lv55
Active Packages: 2
ncs5k-xr-<release-number> version=<release-number> [Boot image]
ncs5k-k9sec-1.0.0.0-<release-number>

From the result, verify that the same image and package versions are active on all RPs and LCs.

Step 7 install commit


Example:
RP/0/RP0/CPU0:router#install commit

Commits the Host, XR, and System Admin newly active software.
Note In Multi-SDR mode, you can use the install commit sdr command to commit just the SDR from where the CLI is being
triggered.

Installing Packages: Related Commands

Related Commands and Purpose

show install log
    Displays the log information for the install process; this can be used for
    troubleshooting in case of install failure.

show install package
    Displays the details of the packages that have been added to the repository.
    Use this command to identify individual components of a package.

install prepare
    Makes pre-activation checks on an inactive package, to prepare it for
    activation.

show install prepare
    Displays the list of packages that have been prepared and are ready for
    activation.


What to do next
• Ensure that you commit the upgrade using install commit.
• After performing a system upgrade, upgrade FPD by using the upgrade hw-module location all fpd
all command from the System Admin EXEC mode. The progress of FPD upgrade process can be monitored
using the show hw-module fpd command in the System Admin EXEC mode. Reload the router after
the FPD upgrade is completed.
• Verify the installation using the install verify packages command.
• Uninstall the packages or SMUs if their installation causes any issues on the router. See Uninstall Packages,
on page 47.

Note ISO images cannot be uninstalled. However, you can perform a system downgrade
by installing an older ISO version.

Install Prepared Packages


A system upgrade or feature upgrade is performed by activating the ISO image file, packages, and SMUs. It
is possible to prepare these installable files before activation. During the prepare phase, preactivation checks
are made and the components of the installable files are loaded on to the router setup. The prepare process
runs in the background and the router is fully usable during this time. When the prepare phase is over, all the
prepared files can be activated instantaneously. The advantages of preparing before activation are:
• If the installable file is corrupted, the prepare process fails. This provides an early warning of the problem.
If the corrupted file was activated directly, it might cause router malfunction.
• Directly activating an ISO image for system upgrade takes considerable time during which the router is
not usable. However, if the image is prepared before activation, not only does the prepare process run
asynchronously, but when the prepared image is subsequently activated, the activation process too takes
less time. As a result, the router downtime is considerably reduced.
• Performs disk-space check that is required for a successful operation. This quantifies the disk-space
deficit, and provides you possible alternatives to free up space in the filesystem.
• Performs package compatibility check. This ensures that all the required installation packages are available.
For any package compatibility check error, details of the package and version are logged.

Complete this task to upgrade the system and install packages by making use of the prepare operation.

Note Depending on whether you are installing a System Admin package or an XR package, execute the install
commands in the System Admin EXEC mode or XR EXEC mode respectively. All install commands are
applicable in both these modes. System Admin install operations can be done from XR mode.

Step 1 Add the required ISO image and packages to the repository.
For details, see Install Packages, on page 41.


Step 2 show install repository


Example:
RP/0/RP0/CPU0:router#show install repository

Perform this step to verify that the required installable files are available in the repository. Packages are displayed only
after the "install add" operation is complete.

Step 3 Execute one of these:


• install prepare package_name
• install prepare id operation_id
Example:
RP/0/RP0/CPU0:router#install prepare ncs5k-mcast-1.0.0.0-r60014I.x86_64.rpm

or
RP/0/RP0/CPU0:router#install prepare id 8

The prepare process takes place. This operation is performed in asynchronous mode. The install prepare command runs
in the background, and the EXEC prompt is returned as soon as possible.
If you use the operation ID, all packages that were added in the specified operation are prepared together. For example,
if 5 packages are added in operation 8, by executing install prepare id 8, all 5 packages are prepared together. You do
not have to prepare the packages individually.

Step 4 show install prepare


Example:
RP/0/RP0/CPU0:router#show install prepare

Displays packages that are prepared. From the result, verify that all the required packages have been prepared.

Step 5 install activate


Example:
RP/0/RP0/CPU0:router#install activate

All the packages that have been prepared are activated together to make the package configurations active on the router.
Note You should not specify any package name or operation ID in the CLI.
Activations of some SMUs require manual reload of the router. When such SMUs are activated, a warning message is
displayed to perform reload. The components of the SMU get activated only after the reload is complete. Perform router
reload immediately after the execution of the install activate command is completed.

Step 6 show install active


Example:
RP/0/RP0/CPU0:router#show install active

Displays packages that are active.

Node 0/RP0/CPU0 [RP]


Boot Partition: xr_lv55
Active Packages: 2
ncs5k-xr-6.0.0 version=6.0.0 [Boot image]
ncs5k-k9sec-1.0.0.0-r600


From the result, verify that on all RPs and LCs, the same image and package versions are active.

Step 7 install commit


Example:
RP/0/RP0/CPU0:router#install commit

Installing Packages: Related Commands

Related Commands Purpose


show install log Displays the log information for the install process; this can be used for
troubleshooting in case of install failure.

show install package Displays the details of the packages that have been added to the repository.
Use this command to identify individual components of a package.

install prepare clean Clears the prepare operation and removes all the packages from the
prepared state.

What to do next
• After performing a system upgrade, upgrade FPD by using the upgrade hw-module location all fpd
all command from the System Admin EXEC mode. The progress of FPD upgrade process can be monitored
using the show hw-module fpd command in the System Admin EXEC mode. Reload the router after
the FPD upgrade is completed.
• Verify the installation using the install verify packages command.
• Uninstall the packages or SMUs if their installation causes any issues on the router. See Uninstall Packages.

Note ISO images cannot be uninstalled. However, you can perform a system downgrade
by installing an older ISO version.

Uninstall Packages
Complete this task to uninstall a package. All router functionalities that are part of the uninstalled package
are deactivated. Packages that are added in the XR VM cannot be uninstalled from the System Admin VM.
However, the cross VM operation allows System Admin packages to be deactivated from XR as well.

Note Installed ISO images cannot be uninstalled. Also, kernel SMUs that install third party SMU on host, XR VM
and System Admin VM, cannot be uninstalled. However, subsequent installation of ISO image or kernel SMU
overwrites the existing installation.


The workflow for uninstalling a package is shown in this flowchart.


Figure 3: Uninstalling Packages Workflow

This task uninstalls XR VM packages. If you need to uninstall System Admin packages, run the same commands
from the System Admin EXEC mode.

Step 1 show install active


Example:
RP/0/RP0/CPU0:router#show install active

Displays active packages. Only active packages can be deactivated.

Node 0/RP0/CPU0 [RP]


Boot Partition: xr_lv55
Active Packages: 2
ncs5k-xr-6.0.0 version=6.0.0 [Boot image]
ncs5k-k9sec-1.0.0.0-r600

Step 2 Execute one of these:


• install deactivate package_name
• install deactivate id operation_id
Example:
RP/0/RP0/CPU0:router#install deactivate ncs5k-mcast-1.0.0.0-r60014I.x86_64.rpm
ncs5k-iosxr-mpls-1.0.0.0-r60014I.x86_64.rpm

or
RP/0/RP0/CPU0:router#install deactivate id 8


The operation_id is the ID from install add operation. All features and software patches associated with the package are
deactivated. You can specify multiple package names and deactivate them simultaneously.
If you use the operation ID, all packages that were added in the specified operation are deactivated together. You do not
have to deactivate the packages individually. If System admin packages were added as a part of the install add operation
(of the ID used in deactivate) then those packages will also be deactivated.

Step 3 show install inactive


Example:
RP/0/RP0/CPU0:router#show install inactive

The deactivated packages are now listed as inactive packages. Only inactive packages can be removed from the repository.

Step 4 install commit


Step 5 install remove package_name
Example:
RP/0/RP0/CPU0:router#install remove ncs5k-mcast-1.0.0.0-r60014I.x86_64.rpm
ncs5k-iosxr-mpls-1.0.0.0-r60014I.x86_64.rpm

The inactive packages are removed from the repository.


Use the install remove command with the id operation-id keyword and argument to remove all packages that were
added for the specified operation ID.
You can also use the install remove inactive all command to remove all inactive packages from XR and System Admin.

Step 6 show install repository


Example:
RP/0/RP0/CPU0:router#show install repository

Displays packages available in the repository. The packages that are removed are no longer displayed in the result.

What to do next
Install required packages.

CHAPTER 7
Manage Automatic Dependency
Flexible packaging supports automatic dependency management. While you update an RPM, the system
automatically identifies all relevant dependent packages and updates them.
Figure 4: Flow for Installation (base software, RPMs and SMUs)

Until this release, you downloaded the software image and required RPMs from CCO on a network server
(the repository), and used the install add and the install activate commands to add and activate the downloaded
files on the router. Then, you manually identified relevant dependent RPMs, and added and activated them.
With automatic dependency management, you need not identify dependent RPMs to individually add and
activate them. You can execute the new install commands to identify and install dependent RPMs automatically.
The command install source adds and activates packages. The command install replace adds and activates
packages in a given golden ISO (GISO).

Note 1. Cisco IOS XR Version 6.0.2 and later does not provide third party and host package SMUs as part of
automatic dependency management (install source command). The third party and host package SMUs
must be installed separately, and in isolation from other installation procedures (installation of SMUs and
RPMs in IOS XR or admin containers).

The rest of this chapter contains these sections:


• Update RPMs and SMUs
• Upgrade Base Software Version
• Downgrade an RPM


Update RPMs and SMUs


An RPM may contain a fix for a specific defect, and you may need to update the system with that fix. To
update RPMs and SMUs to a newer version, use the install source command. When this command is issued
for a particular RPM, the router communicates with the repository, and downloads and activates that RPM.
If the repository contains a dependent RPM, the router identifies that dependent RPM and installs that too.
The syntax of the install source command is:
install source repository [rpm]
Four scenarios in which you can use the install source command are:
• When a package name is not specified
When no package is specified, the command updates the latest SMUs of all installed packages.
install source [repository]

• When a package name is specified


If the package name is specified, the command installs that package, updates the latest SMUs of that
package, along with its dependencies. If the package is already installed, only the SMUs of that package
are installed. (SMUs that are already installed are skipped.)
install source [repository] ncs5k-mcast.rpm

• When a package name and version number are specified


If a particular version of a package needs to be installed, the complete package name must be specified;
that package is installed along with the latest SMUs of that package present in the repository.
install source [repository] ncs5k-mcast-1.0.0.1-r611.x86_64.rpm

• When an SMU is specified


If an SMU is specified, that SMU is downloaded and installed, along with its dependent SMUs.
install source [repository] ncs5k-mcast-1.0.0.1-r611.CSCva85697.x86_64.rpm

Upgrade Base Software Version


You can upgrade to a newer version of the base software when it becomes available. To upgrade to the latest
base software version, use the install source command. With the upgrade of the base version, RPMs that are
currently available on the router are also upgraded.

Note SMUs are not upgraded as part of this process.

The syntax of the install source command is:


install source repository


Note VRF and TPA on dataport are not supported. If the server is reachable only through a non-default VRF interface,
the file must already be retrieved using the ftp, sftp, scp, http or https protocols.

Note Default routes (0.0.0.0/0) cannot be copied onto Linux due to TPA implementation.

You can use the install source command when:


• The version number is specified
The base software (.mini) is upgraded to the specified version; all installed RPMs are upgraded to the
same release version.
install source [repository] version <version> asr9k-mini-x64-<version>.iso
For example,
install source repository version 7.0.1 asr9k-mini-x64-7.0.1.iso
You can also automatically fetch the .mini file and RPMs of the required release and proceed with the
upgrade.
install source repository asr9k-mini-x64-7.0.1.iso
• The version number for an RPM is specified
When performing a system upgrade, the user can choose to keep an optional RPM at a different
release from that of the base software version; that RPM can be specified.
install source repository version 6.2.2
ncs5k-mcast-1.0.0.0-r623.x86_64.rpm

Downgrade an RPM
An RPM can be downgraded after it is activated. RPMs are of the following types:
• Hostos RPM: The RPM contains hostos in the name.
For example:
• <platform>-sysadmin-hostos-6.5.1-r651.CSChu77777.host.arm
• <platform>-sysadmin-hostos-6.5.1-r651.CSChu77777.admin.arm
• <platform>-sysadmin-hostos-6.5.1-r651.CSChu77777.host.x86_64
• <platform>-sysadmin-hostos-6.5.1-r651.CSChu77777.admin.x86_64

• Non-hostos RPM: The RPM does not contain hostos in the name.
For example:
• <platform>-sysadmin-system-6.5.1-r651.CSCvc12346


To deactivate the RPMs, perform the following steps:


• Downgrade Hostos RPM
• Scenario 1: To downgrade to version 06 from the active version 09:
1. Download the version 06 hostos RPMs, and add the RPMs.
install add source [repository]
<platform>-sysadmin-hostos-6.5.1.06-r65108I.CSChu44444.host.arm
<platform>-sysadmin-hostos-6.5.1.06-r65108I.CSChu44444.admin.arm
<platform>-sysadmin-hostos-6.5.1.06-r65108I.CSChu44444.host.x86_64
<platform>-sysadmin-hostos-6.5.1.06-r65108I.CSChu44444.admin.x86_64

2. Activate the downloaded RPMs.


install activate [repository]
<platform>-sysadmin-hostos-6.5.1.06-r65108I.CSChu44444.host.arm
<platform>-sysadmin-hostos-6.5.1.06-r65108I.CSChu44444.admin.arm
<platform>-sysadmin-hostos-6.5.1.06-r65108I.CSChu44444.host.x86_64
<platform>-sysadmin-hostos-6.5.1.06-r65108I.CSChu44444.admin.x86_64

3. Commit the configuration.


install commit

• Scenario 2: Deactivate the hostos RPM by activating the base RPM, assuming version 09 is active:
1. Activate the base RPM.
install activate <platform>-sysadmin-hostos-6.5.1.08I-r65108I.admin.arm
<platform>-sysadmin-hostos-6.5.1.08I-r65108I.host.arm
<platform>-sysadmin-hostos-6.5.1.08I-r65108I.admin.x86_64
<platform>-sysadmin-hostos-6.5.1.08I-r65108I.host.x86_64

For example, if RPM ncs5000-sysadmin-hostos-6.5.1-r651.CSChu44444.host.arm is the
RPM installed, then ncs5000-sysadmin-hostos-6.5.1-r651.host.arm is its base RPM.
2. Commit the configuration.
install commit

The downgrade for third-party RPMs is similar to the hostos RPMs. To downgrade a SMU, activate
the lower version of the SMU. If only one version of SMU is present, the base RPM of the SMU
must be activated.

Note Hostos and third-party RPMs cannot be deactivated. Only activation of different
versions is supported.

• Downgrade Non-Hostos RPM


1. Deactivate the RPM to downgrade to an earlier version of the RPM.
install deactivate <platform>-<rpm-name>

2. Check the active version of the RPM.


show install active
3. Commit the configuration.

install commit
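The naming rules used in this chapter (SMU identifier, hostos versus non-hostos, base RPM of a SMU), as an added Python example that is not Cisco code: it maps an install source argument to the four cases listed under Update RPMs and SMUs and produces the command sequences described under Downgrade an RPM. The filename pattern is inferred from the package names printed in this guide, and all function names are hypothetical.

```python
import re

# Filename layout inferred from names printed in this guide (an assumption of
# this example, not a Cisco-published grammar), for instance:
#   ncs5k-mcast-1.0.0.1-r611.CSCva85697.x86_64.rpm
#   ncs5000-sysadmin-hostos-6.5.1-r651.CSChu44444.host.arm
PKG_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w-]*?)"          # package name, e.g. ncs5k-mcast
    r"-(?P<version>\d+(?:\.\w+)+)"         # package version, e.g. 1.0.0.1
    r"-(?P<release>r\w+)"                  # release tag, e.g. r611
    r"(?:\.(?P<ddts>CSC[a-z]{2}\d{5}))?"   # present only on SMUs
    r"(?:\.(?P<domain>host|admin))?"       # hostos packages: host or admin
    r"(?:\.(?P<arch>x86_64|arm))?"
    r"(?:\.rpm)?$"
)


def parse_package(filename):
    """Return the fields of a versioned package name, or None if it has none."""
    match = PKG_RE.match(filename.strip())
    return match.groupdict() if match else None


def install_source_scenario(argument=None):
    """Map the optional argument of 'install source' to the guide's four cases."""
    if not argument:
        return "all-installed"      # latest SMUs of all installed packages
    pkg = parse_package(argument)
    if pkg is None:
        return "package-name"       # package, its latest SMUs and dependencies
    if pkg["ddts"]:
        return "smu"                # that SMU and its dependent SMUs
    return "package-version"        # that version plus its latest SMUs


def base_rpm_name(filename):
    """Base RPM of a SMU: the same name without the CSC identifier."""
    pkg = parse_package(filename)
    if pkg is None or pkg["ddts"] is None:
        return None
    return filename.replace("." + pkg["ddts"], "", 1)


def downgrade_plan(active, lower=None):
    """Commands the guide gives for downgrading 'active' (optionally to 'lower')."""
    pkg = parse_package(active)
    if pkg is None:
        raise ValueError("not a versioned package name: " + active)
    if "hostos" not in pkg["name"]:
        # Non-hostos RPMs are downgraded by deactivating them.
        return ["install deactivate " + active, "show install active", "install commit"]
    # Hostos RPMs cannot be deactivated; a different version is activated instead.
    if lower:
        return ["install add source <repository> " + lower,
                "install activate " + lower, "install commit"]
    base = base_rpm_name(active)
    if base is None:
        raise ValueError("already a base RPM; name a lower version to activate")
    return ["install activate " + base, "install commit"]


if __name__ == "__main__":
    for name in ("ncs5000-sysadmin-hostos-6.5.1-r651.CSChu44444.host.arm",
                 "ncs5000-sysadmin-system-6.5.1-r651.CSCvc12346"):
        print(name)
        for command in downgrade_plan(name):
            print("   ", command)
```

Third-party RPMs follow the hostos path in the guide but cannot be recognized from the filename, so this sketch does not detect them.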

CHAPTER 8
Customize Installation using Golden ISO
Table 2: Feature History Table

Feature Name: Automatic Install of Bridging Bug Fix RPMs
Release Information: Release 7.5.1
Description: This feature enables an easy one-step, no prompt upgrade, or downgrade, based on GISO. This
removes the dependency on having to manually install the bridging bug fix RPMs before performing an
upgrade or a downgrade.

Golden ISO (GISO) is a customized ISO that a user can build to suit the installation requirement. The user
can customize the installable image to include the standard base image with the basic functional components,
and add additional RPMs, SMUs and configuration files based on requirement.
The ease of installation and the time taken to seamlessly install or upgrade a system plays a vital role in a
cloud-scale network. An installation process that is time-consuming and complex affects the resiliency and
scale of the network. The GISO simplifies the installation process, automates the installation workflow, and
manages the dependencies in RPMs and SMUs automatically.
GISO is built using the build script gisobuild.py, which is available on GitHub.
From Cisco IOS XR Release 7.5.1, you can use the Automatic Install of Bridging Bug Fix RPMs feature to
install the bridging bug fix RPMs that are prerequisite for a system upgrade or a downgrade. You need to add
the required Bridging Bug Fix RPMs into the customized ISO built using Cisco Golden ISO (GISO) build
script gisobuild.py. The GISO can include bridging Bug Fix RPMs for multiple releases, and installs only
the specific bridging Bug Fix RPMs required for the target release. The bridging bug fix RPMs can be used
in the following scenarios:
• To resolve a bug that might stop upgrade.
• The latest version has new prerequisite requirements that are not met by the earlier version.

When a system boots with GISO, additional SMUs and RPMs in GISO are installed automatically, and the
router is pre-configured with the XR configuration in GISO. For more information about downloading and
installing GISO, see Install Golden ISO.
The capabilities of GISO can be used in the following scenarios:
• Initial deployment of the router


• Software disaster recovery


• System upgrade from one base version to another
• System upgrade from same base version but with additional SMUs
• Install update to identify and update dependent packages

• Limitations
• Customize Installation using Golden ISO
• Golden ISO Workflow
• Build Golden ISO
• Install Golden ISO

Limitations
The following are the known problems and limitations with the customized ISO:
• Building and booting GISO for asynchronous package (a package of different release than the ISO) is
not supported.
• Verifying the XR configuration is not supported in the GISO build script gisobuild.py.
• Renaming a GISO build and then installing from the renamed GISO build is not supported.
• Install operation over IPv6 is not supported.


Golden ISO Workflow


The following image shows the workflow for building and installing golden ISO.


Figure 5: Golden ISO Workflow

Build Golden ISO


The customized ISO is built using Cisco Golden ISO (GISO) build script gisobuild.py available on the
Github location.


The GISO build script supports automatic dependency management, and provides these functionalities:
• Builds RPM database of all the packages present in package repository.
• Scans the repositories and selects the relevant Cisco RPMs that match the input ISO.
• Skips and removes third-party RPMs that are not SMUs of already existing third-party base package in
mini-x.iso.
• Displays an error and exits build process if there are multiple base RPMs of same release but different
versions.
• Performs a compatibility check and a dependency check for all the RPMs. For example, the child RPM
ncs5000-mpls-te-rsvp is dependent on the parent RPM ncs5000-mpls. If only the child RPM is included,
the Golden ISO build fails.

Build Golden ISO Using Script


Table 4: Feature History Table

Feature Name: Enhanced Golden ISO Build Tool
Release Information: Release 7.5.1
Description: This enhancement provides you with the flexibility to use the gisobuild.py tool to build GISO
images using Cisco IOS XR software commands, YAML-based template file, or docker capability to suit your
customized install requirements. When you build a GISO, you can also specify Zero Touch Provisioning (ZTP)
initialization file, script initialization file, Cisco IOS XR configuration file, and SMUs in addition to
using the base image and optional RPMs to automatically provision the router.

To build GISO, provide the following input parameters to the script:


• Base mini-x.iso (mandatory)
• XR configuration file (optional)
• one or more Cisco-specific SMUs for host, XR and System admin (optional)
• one or more third-party SMUs for host, XR and System admin (optional)
• Label for golden ISO (optional)
• Optional RPMs
• ZTP initialization ztp.ini file (optional)


• Script initialization script.ini file (optional)

The GISO script does not support verification of XR configuration.

Note To successfully add k9sec RPM to GISO, change the permission of the file to 644 using the chmod command.
chmod 644 [k9 sec rpm]

Cisco IOS XR, Release 7.5.1 introduces enhancements to the gisobuild.py GISO build tool. You can also
add a ztp.ini ZTP initialization and script.ini Script initialization file. The ZTP configuration is applied
on the router when the current software version is replaced or rolled back to a version with GISO image, and
is used whenever ZTP is run to automatically provision the router. The tool supports more than one repository.
You can use a CLI command, docker, or a YAML file to build GISO.

Note • For Cisco NCS 5500 and Cisco NCS 5000 series routers, set the migration value to false.
• Set the clean option to true if you use the same build directory after the first GISO is created. Ensure
that you set the option to true for every successive GISO build.
• Set the docker option to true if you are building GISO using docker.
• Ensure that the format and syntax of the YAML file is intact to avoid errors when building a GISO. For
example, if the : symbol is missing, or if an unsupported symbol is used in the template, the GISO build
displays errors.

The gisobuild.py tool can be run either natively or on systems where the docker service is enabled and has the
ability to pull published docker images. Building the image using docker is preferred because it does not require
additional privileges.

Note The full-iso option is used to build a full ISO image xrv9k-full-x-7.5.1.iso specific to Cisco IOS XRv
9000 routers. Starting Cisco IOS XR, Release 7.8.1, the full ISO image must not be used to build GISO.

To build GISO, perform the following steps:

Before you begin


• The system where GISO is built must meet the following requirements:
• System must have Python version 3.6 and later.
• System must have free disk space of minimum 12 GB.
• Verify that the Linux utilities mount, rm, cp, umount, zcat, chroot, mkisofs are present in the system.
These utilities will be used by the script. Ensure privileges are available to execute all of these Linux
commands. However, if you are using docker, these utilities are not required.
• Kernel version of the system must be later than 3.16 or later than the version of kernel of Cisco ISO.


• Verify that a libyaml rpm supported by the Linux kernel is available to successfully import yaml
in the tool.
• The user must have proper permission for the security RPM (k9sec RPM) in the RPM repository; otherwise, the
security RPM is ignored during Golden ISO creation.

• The system from where the gisobuild.py script is executed must have root credentials. This is not
mandatory if you are building the image within a docker container.
• We recommend that you perform a git pull operation before you use the gisobuild.py script to ensure
you obtain the latest version of the script for the Python version.

Step 1 Copy the script gisobuild.py from the Github repository to an offline system or external server where the GISO will
be built. Ensure that this system meets the pre-requisites described above in the Before You Begin section.
Step 2 Run the script gisobuild.py and provide parameters to build the golden ISO off the router. Ensure that all RPMs and
SMUs are present in the same directory or on a repository. The number of RPMs and SMUs that can be used to build the
Golden ISO is 64.
usage: gisobuild.py [-h] [--iso ISO] [--repo REPO [REPO ...]]
[--bridging-fixes BRIDGE_FIXES [BRIDGE_FIXES ...]]
[--xrconfig XRCONFIG] [--ztp-ini ZTP_INI] [--label LABEL]
[--out-directory OUT_DIRECTORY] [--yamlfile CLI_YAML] [--clean]
[--pkglist PKGLIST [PKGLIST ...]] [--script SCRIPT] [--docker]
[--x86-only] [--migration]
[--remove-packages REMOVE_PACKAGES [REMOVE_PACKAGES ...]]
[--skip-usb-image] [--copy-dir COPY_DIRECTORY]
[--clear-bridging-fixes] [--verbose-dep-check] [--debug]
[--version]

Utility to build Golden ISO for IOS-XR.

optional arguments:
-h, --help show this help message and exit
--iso ISO Path to Mini.iso/Full.iso file
--repo REPO [REPO ...]
Path to RPM repository. For LNT, user can specify .rpm, .tgz,
.tar filenames, or directories. RPMs are only used if already
included in the ISO, or specified by the user via the
--pkglist option.
--bridging-fixes BRIDGE_FIXES [BRIDGE_FIXES ...]
Bridging rpms to package. For EXR, takes from-release or rpm
names; for LNT, the user can specify the same file types as for
the --repo option.
--xrconfig XRCONFIG Path to XR config file
--ztp-ini ZTP_INI Path to user ztp ini file
--label LABEL, -l LABEL
Golden ISO Label
--out-directory OUT_DIRECTORY
Output Directory
--yamlfile CLI_YAML Cli arguments via yaml
--clean Delete output dir before proceeding
--pkglist PKGLIST [PKGLIST ...]
Packages to be added to the output GISO. For eXR: optional rpm
or smu to package. For LNT: either full package filenames or
package names for user installable packages can be specified.
Full package filenames can be specified to choose a particular
version of a package, the rest of the block that the package is
in will be included as well. Package names can be specified to
include optional packages in the output GISO.


--docker, --use-container
Build GISO in container environment.Pulls and run pre-built
container image to build GISO.
--version Print version of this script and exit

EXR only build options:


--script SCRIPT Path to user executable script executed as part of bootup post
activate.
--x86-only Use only x86_64 rpms even if other architectures are
applicable.
--migration To build Migration tar only for ASR9k

LNT only build options:


--remove-packages REMOVE_PACKAGES [REMOVE_PACKAGES ...]
Remove RPMs, specified in a comma separated list. These are are
matched against user installable package names, and must be the
whole package name, e.g: xr-bgp
--skip-usb-image Do not build the USB image
--copy-dir COPY_DIRECTORY
Copy built artefacts to specified directory if provided. The
specified directory must already exist, be writable by the
builder and must not contain a previously built artefact with
the same name.
--clear-bridging-fixes
Remove all bridging bugfixes from the input ISO
--verbose-dep-check Verbose output for the dependency check.
--debug Output debug logs to console

Example
Example: Build Docker-Based GISO Image
In this example, a GISO image is built using docker.
Verify that the GISO file is created successfully.
[root@xr src]# ls
exrmod gisobuild.py lntmod output_gisobuild utils

[root@xr src]# cd output_gisobuild/


[root@xr output_gisobuild]# ls
img_built_name.txt logs -golden-x-7.5.1-dockerbasedgiso.iso
rpms_packaged_in_giso.txt

Example: Build YAML-Based GISO Image


YAML is a markup file that serves as a template to provide the package list and manage the build
options.
The following example shows a sample YAML template:
# Options below correspond to the tool input options.
# --iso ISO             Path to Mini.iso/golden.iso file
# --repo REPO [REPO ...]
#                       Path to list of RPM repositories. RPMs are only used if already
#                       included in the ISO, or specified by the user via the --pkglist option.
# --pkglist PKGLIST [PKGLIST ...]
#                       Optional list of rpm or smu to add to the ISO.
# --remove-packages REMOVE_PACKAGES [REMOVE_PACKAGES ...]
#                       Remove named RPMs, specified in a space separated list. Valid build
#                       option for LNT only. eXR builds simply ignores this option.
# --bridging-fixes BRIDGE_FIXES [BRIDGE_FIXES ...]
#                       Bridging rpms to package. Takes from-release (supported for eXR)
#                       or rpm names.
# --xrconfig XRCONFIG   Path to XR config file
# --ztp-ini ZTP_INI     Path to user ztp ini file
# --script SCRIPT       Path to user executable script executed as part of
#                       bootup post activate. Valid build option for eXR only.
#                       LNT builds simply ignores.
# --label LABEL         Golden ISO Label
# --out-directory OUT_DIRECTORY
#                       Output Directory. Built GISO and logs will be available post gisobuild.
# --copy-directory COPY_DIRECTORY
#                       Copy built artefacts to specified directory if provided. Valid build
#                       option for LNT only. eXR build ignores this option.
# --yamlfile CLI_YAML   Cli arguments via yaml.
# --clean               Delete output dir before proceeding.
# --migration           To build Migration tar only for ASR9k. Valid build option for eXR only.
#                       LNT builds simply ignore this option.
# --docker              Load and run pre-built docker image. Valid build option for eXR only.
#                       LNT builds simply ignore this option.
# --x86-only            Use only x86_64 rpms even if other architectures are applicable. Valid build
#                       option for eXR only. LNT builds simply ignore this option.
# --version             Print version of this script and exit

packages:
  iso: <path-to-iso>
  repo:
    - <path-to-repo1>
    - <path-to-repo2>
  pkglist:
    - <pkg1>
    - <pkg2>
  bridge-fixes:
    upgrade-from-release:
      - <dotted-release-1>
      - <dotted-release-2>
    rpms:
      - <pkg1>
      - <pkg2>
  remove_packages:
    - <pkg1>
    - <pkg2>

user-content:
  script: <path-to-script-sh>
  xrconfig: <path-to-router.cfg>
  ztp-ini: <path-to-ztp.ini>

output:
  label: <giso-label>
  out-directory: <path-to-output-directory>
  clean: <true/false>

options:
  docker: <true/false>
  migration: <true/false>
  x86-only: <true/false>

In this example, you configure a YAML file with the required files:


If you do not want to specify the list of packages and parameters via CLI, you can use the YAML
file template.
[directory-path]$ ./src/gisobuild.py --yamlfile <input-yaml-cfg>

To override any input in the YAML configuration file, use the corresponding CLI options.
[directory-path]$ ./src/gisobuild.py --yamlfile <input-yaml-cfg> --label <new-label>

This new label overrides the label specified in the YAML file.
When the host machine does not have its package dependencies met, but allows pulling and running
docker images, set the docker option in the YAML file to true and run the command:
[directory-path]$ ./src/gisobuild.py --yamlfile <input-yaml-cfg>

where, the input-yaml-cfg has the docker option set to true.
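A pre-build check for the notes and prerequisites in this section, as an added Python example that is not part of gisobuild.py or any Cisco tooling: it takes the template as a dict (what a YAML loader would return for the template above) and reports violations of the migration, clean, 64-package and k9sec permission rules, with the host requirements checked separately. It assumes every repo entry is a directory of .rpm files; the function names and sample file names are hypothetical and constructed.

```python
import os
import shutil
import stat
import sys
import tempfile

MAX_PACKAGES = 64                # guide: at most 64 RPMs and SMUs in one GISO
MIN_FREE_BYTES = 12 * 1024 ** 3  # guide: at least 12 GB of free disk space
NATIVE_TOOLS = ("mount", "rm", "cp", "umount", "zcat", "chroot", "mkisofs")


def lint_config(cfg):
    """Check a parsed gisobuild template (a dict); return a list of findings."""
    findings = []
    packages = cfg.get("packages") or {}
    output = cfg.get("output") or {}
    options = cfg.get("options") or {}

    iso = packages.get("iso")
    if not iso or not os.path.isfile(iso):
        findings.append("packages.iso: the base mini ISO is mandatory and must exist")

    # NCS 5000 and NCS 5500: the migration value must be false.
    if options.get("migration") is not False:
        findings.append("options.migration: set to false for NCS 5000 and NCS 5500")

    # Reusing a build directory requires clean: true on every successive build.
    out_dir = output.get("out-directory")
    if out_dir and os.path.isdir(out_dir) and os.listdir(out_dir):
        if output.get("clean") is not True:
            findings.append("output.clean: out-directory is not empty, set clean to true")

    rpms = []
    for repo in packages.get("repo") or []:
        if not os.path.isdir(repo):
            findings.append("packages.repo: %s is not a directory" % repo)
            continue
        rpms += [os.path.join(repo, f) for f in sorted(os.listdir(repo))
                 if f.endswith(".rpm")]
    # Upper bound: the build may select fewer RPMs than the repositories hold.
    if len(rpms) > MAX_PACKAGES:
        findings.append("packages.repo: %d RPMs found, a GISO takes at most %d"
                        % (len(rpms), MAX_PACKAGES))

    # The guide asks for mode 644 on the k9sec RPM so the build does not skip it.
    for path in rpms:
        if "k9sec" in os.path.basename(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode != 0o644:
                findings.append("packages.repo: %s has mode %o, run chmod 644"
                                % (path, mode))
    return findings


def lint_host(cfg, work_dir="."):
    """Check the build host against the 'Before you begin' requirements."""
    findings = []
    docker = (cfg.get("options") or {}).get("docker") is True
    if sys.version_info < (3, 6):
        findings.append("host: Python 3.6 or later is required")
    if shutil.disk_usage(work_dir).free < MIN_FREE_BYTES:
        findings.append("host: less than 12 GB of free disk space")
    if not docker:  # utilities and root are only needed for native builds
        missing = [tool for tool in NATIVE_TOOLS if shutil.which(tool) is None]
        if missing:
            findings.append("host: missing utilities: " + ", ".join(missing))
        if hasattr(os, "geteuid") and os.geteuid() != 0:
            findings.append("host: native builds need root, or set options.docker to true")
    return findings


def demo(migration=True, clean=False, k9_mode=0o600, extra_rpms=0):
    """Lint a constructed build tree; the defaults break three of the guide's rules."""
    root = tempfile.mkdtemp()
    try:
        iso = os.path.join(root, "mini-x.iso")   # constructed, empty stand-in
        repo = os.path.join(root, "repo")
        out = os.path.join(root, "out")
        os.makedirs(repo)
        os.makedirs(out)
        open(iso, "w").close()
        open(os.path.join(out, "previous-build.log"), "w").close()
        names = ["example-k9sec-1.0.0.0-r771.x86_64.rpm"]   # constructed names
        names += ["example-pkg%d-1.0.0.0-r771.x86_64.rpm" % i for i in range(extra_rpms)]
        for name in names:
            path = os.path.join(repo, name)
            open(path, "w").close()
            os.chmod(path, k9_mode if "k9sec" in name else 0o644)
        cfg = {
            "packages": {"iso": iso, "repo": [repo]},
            "output": {"label": "demo", "out-directory": out, "clean": clean},
            "options": {"docker": True, "migration": migration, "x86-only": False},
        }
        return lint_config(cfg)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```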

What to do next
Install the GISO image on the router.

Install Golden ISO


Golden ISO (GISO) automatically performs the following actions:
• Installs host and system admin RPMs.
• Partitions repository and TFTP boot on RP.
• Creates software profile in system admin and XR modes.
• Installs XR RPMs. Use show install active command to see the list of RPMs.
• Applies XR configuration. Use show running-config command in XR mode to verify.

Step 1 Download GISO image to the router using one of the following options:
• PXE boot: when the router is booted, the boot mode is identified. After detecting PXE as boot mode, all available
ethernet interfaces are brought up, and DHClient is run on each interface. DHClient script parses HTTP or TFTP
protocol, and GISO is downloaded to the box.
• System Upgrade: when the system is upgraded, GISO can be installed using install add, install activate, or using
install replace commands.
Important To replace the current version and packages on the router with the version from GISO, note the change
in command and format.
• In versions prior to Cisco IOS XR Release 6.3.3, 6.4.x and 6.5.1, use the install update command:
install update source <source path> <Golden-ISO-name> replace

• In Cisco IOS XR Release 6.5.2 and later, use the install replace command.
install replace <absolute-path-of-Golden-ISO>


Note To create a Bootable External USB Disk, do the following:


• Ensure that the USB Boot Disk has a minimum storage of 8GB, and that you have root/admin or
appropriate permission to create bootable disk on linux machine.

a. Copy and execute usb-install script on the Linux machine to create a bootable external USB.

Router#admin

Router#./linux/misc/scripts/create_usb_zip ncs5500 ncs5500-goldenk9-x.iso-7.5.01.v1

adding: EFI/ (stored 0%)


adding: EFI/boot/ (stored 0%)
adding: EFI/boot/grub.cfg (deflated 66%)
adding: EFI/boot/bootx64.efi (deflated 67%)
adding: boot/ (stored 0%)
adding: boot/install-image.iso (deflated 1%)
Zip file created - usb_boot.zip
Router# ls -ltr usb_boot.zip
-rw-r--r-- 1 user eng 1448680576 Sep 14 04:13 usb_boot.zip
Router#

b. Reset the RSP/RP and plug in bootable USB to RSP/RP's front panel. The USB will get detected
in ROMMON. Note that when the system is in ROMMON, and if you add a front panel external
USB, the USB will not be detected until the RSP/RP is reset.

The options to upgrade the system are as follows:


• system upgrade from a non-GISO (image that does not support GISO) to GISO image: If a system is
running a version1 with an image that does not support GISO, the system cannot be upgraded directly to version2
of an image that supports GISO. Instead, the version1 must be upgraded to version2 mini ISO, and then to
version2 GISO.
• system upgrade in a release from version1 GISO to version2 GISO: If both the GISO images have the same
base version but different labels, the install add and install activate commands do not support two images of
the same version. Instead, using the install source command installs only the delta RPMs. System reload is based
on the restart type of the delta RPMs.
Using install replace command performs a system reload, irrespective of the difference between ISO and the
existing version.
Router#install replace <path-to-image> <platform-name-golden-x-<version>-<label>.iso
Install operation 1 started by root:
exec-timeout is suspended.
No install operation in progress at this moment
Label = <label-name>
ISO <platform-name-golden-x-<version>.iso in input package list. Going to upgrade the system
to version 6.5.2.

Current label: <None>

Updating contents of golden ISO


Scheme : localdisk
Hostname : localhost
Username : None
SourceDir : /ws

Collecting software state..

Getting platform


Getting supported architecture


Getting active packages from XR
Getting inactive packages from XR
Getting list of RPMs in local repo
Getting list of provides of all active packages
Getting provides of each rpm in repo
Getting requires of each rpm in repo
Fetching .... <platform-name-golden-x-<version>.iso

Label within GISO: <label-name>

Adding packages
<platform-name-golden-x-<version>.iso

UTC: sdr_instmgr[1150]: %INSTALL-INSTMGR-2-OPERATION_SUCCESS : Install operation 2 finished


successfully

Install add operation successful

Activating <platform-name-golden-x-<version>

Install operation 3 started by root:


install activate pkg <platform-name-golden-x-<version>-<label> replace

Package list:
<platform-name-golden-x-<version>-<label>

This install operation will reload the system, continue?

[yes/no]:[yes] Install operation will continue in the background

exec-timeout is resumed.

Router# Install operation 3 finished successfully


%INSTALL-INSTMGR-2-OPERATION_SUCCESS : Install operation 3 finished successfully
sdr_instmgr[1150]: %INSTALL-INSTMGR-2-SYSTEM_RELOAD_INFO : The whole system will be reloaded
to complete install operation 3

• System upgrade across releases from version1 GISO to version2 GISO: The two GISO images have different
base versions. Use the install add and install activate commands, or the install replace command, to perform the
system upgrade. The router reloads after the upgrade with the version2 GISO image.

Step 2 Run the show install repository all command in System Admin mode to view the RPMs and base ISO for host, system
admin and XR.
sysadmin-vm:0_RP0#show install repository all
Admin repository
---------------------
ncs5000-sysadmin-6.2.2
ncs5000-sysadmin-hostos-6.2.2-r622.CSCcv10001.admin.x86_64
ncs5000-sysadmin-hostos-6.2.2-r622.CSCcv10001.admin.arm
ncs5000-sysadmin-system-6.2.2-r622.CSCcv10005.x86_64
ncs5000-sysadmin-system-6.2.2-r622.CSCcv10005.arm
....
XR repository
------------------
ncs5000-iosxr-mgbl-3.0.0.0-r622.x86_64
ncs5000-xr-6.2.2
....
Host repository
---------------------
host-6.2.2


Step 3 Run the show install package <golden-iso> command to display the list of RPMs, and packages built in GISO.
Note To list RPMs in the GISO, the GISO must be present in the install repository.
Router#show install package ncs5000-goldenk9-x64-6.2.2

This may take a while ...


ISO Name: ncs5000-goldenk9-x64-6.2.2
ISO Type: bundle
ISO Bundled: ncs5000-mini-x64-6.2.2
Golden ISO Label: temp
ISO Contents:
ISO Name: ncs5000-xr-6.2.2
ISO Type: xr
rpms in xr ISO:
iosxr-os-ncs5000-64-5.0.0.0-r622
iosxr-ce-ncs5000-64-3.0.0.0-r622
iosxr-infra-ncs5000-64-4.0.0.0-r622
iosxr-fwding-ncs5000-64-4.0.0.0-r622
iosxr-routing-ncs5000-64-3.1.0.0-r6122

ISO Name: ncs5000-sysadmin-6.2.2
ISO Type: sysadmin
rpms in sysadmin ISO:
ncs5000-sysadmin-topo-6.2.2-r622
ncs5000-sysadmin-shared-6.2.2-r622
ncs5000-sysadmin-system-6.2.2-r622
ncs5000-sysadmin-hostos-6.2.2-r622.admin
...

ISO Name: host-6.2.2
ISO Type: host
rpms in host ISO:
ncs5000-sysadmin-hostos-6.2.2-r622.host

Golden ISO Rpms:
xr rpms in golden ISO:
ncs5000-k9sec-x64-2.2.0.1-r622.CSCxr33333.x86_64.rpm
openssh-scp-6.6p1.p1-r0.0.CSCtp12345.xr.x86_64.rpm
openssh-scp-6.6p1-r0.0.xr.x86_64.rpm
ncs5000-mpls-x64-2.1.0.0-r622.x86_64.rpm
ncs5000-k9sec-x64-2.2.0.0-r622.x86_64.rpm

sysadmin rpms in golden ISO:
ncs5000-sysadmin-system-6.2.2-r622.CSCcv11111.x86_64.rpm
ncs5000-sysadmin-system-6.2.2-r622.CSCcv11111.arm.rpm
openssh-scp-6.6p1-r0.0.admin.x86_64.rpm
openssh-scp-6.6p1-r0.0.admin.arm.rpm
openssh-scp-6.6p1.p1-r0.0.CSCtp12345.admin.x86_64.rpm
openssh-scp-6.6p1.p1-r0.0.CSCtp12345.admin.arm.rpm
ncs5000-sysadmin-hostos-6.2.2-r622.CSCcv10001.admin.x86_64.rpm
ncs5000-sysadmin-hostos-6.2.2-r622.CSCcv10001.admin.arm.rpm

host rpms in golden ISO:
openssh-scp-6.6p1-r0.0.host.x86_64.rpm
openssh-scp-6.6p1-r0.0.host.arm.rpm
openssh-scp-6.6p1.p1-r0.0.CSCtp12345.host.x86_64.rpm
openssh-scp-6.6p1.p1-r0.0.CSCtp12345.host.arm.rpm

The ISO, SMUs and packages in GISO are installed on the router.

CHAPTER 9
Disaster Recovery
The topics covered in this chapter are:
• Boot using USB Drive
• Boot the Router Using iPXE

Boot using USB Drive


The bootable USB drive is used to re-image the router for a system upgrade, or to boot the router
after a boot failure. The bootable USB drive can be created using a compressed boot file.

Create a Bootable USB Drive Using Compressed Boot File


A bootable USB drive is created by copying a compressed boot file into a USB drive. The USB drive becomes
bootable after the contents of the compressed file are extracted.

Note In case of failure to read or boot from USB drive, ensure that the drive is inserted correctly. If the drive is
inserted correctly and still fails to read from USB drive, check the contents of the USB on another system.

This task can be completed using the Windows, Linux, or Mac operating system available on your local machine.
The exact operation to be performed for each generic step outlined here depends on the operating system in
use.

Before you begin


• You have access to a USB drive with a storage capacity that is between 8GB (min) and (max). USB 2.0
and USB 3.0 are supported.
• Copy the compressed boot file from the software download page at cisco.com to your local machine.
The file name for the compressed boot file is in the format ncs5k-usb-boot-<release_number>.zip .

Step 1 Connect the USB drive to your local machine and format it with FAT32 or MS-DOS file system using the Windows
Operating System or Apple Mac Disk Utility.
Step 2 Copy the compressed boot file to the USB drive.


Step 3 Verify that the copy operation is successful. To verify, compare the file size at source and destination. Additionally, verify
the MD5 checksum value.
Step 4 Extract the content of the compressed boot file by unzipping it inside the USB drive. This converts the USB drive to a
bootable drive.
Note The content of the zipped file ("EFI" and "boot" directories) should be extracted directly into root of the
USB drive. If the unzipping application places the extracted files in a new folder, move the "EFI" and "boot"
directories to root of the USB drive.

Step 5 Eject the USB drive from your local machine.

What to do next
Use the bootable USB drive to boot the router or upgrade its image.
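
Steps 2 to 4 above, as an added Python example that is not part of the Cisco guide: it copies the compressed boot file, compares size and MD5 at source and destination, extracts it, and moves the EFI and boot directories to the root if the contents landed in a wrapper folder. The function names, and the expected MD5 being supplied by the caller, are assumptions. MD5 here catches a corrupted download or copy, not deliberate tampering.

```python
import hashlib
import shutil
import zipfile
from pathlib import Path

REQUIRED_DIRS = ("EFI", "boot")  # must end up at the root of the USB drive


def file_md5(path, chunk=1 << 20):
    """Hex MD5 of a file, read in chunks so large boot files fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def copy_and_verify(src_zip, usb_root, expected_md5):
    """Steps 2-3: copy the boot file, then compare size and MD5 at both ends."""
    src = Path(src_zip)
    dst = Path(usb_root) / src.name
    expected = expected_md5.strip().lower()  # caller-supplied value (assumption)
    if file_md5(src) != expected:
        raise ValueError("source file does not match the expected MD5")
    shutil.copyfile(src, dst)
    if dst.stat().st_size != src.stat().st_size:
        raise ValueError("size differs between source and destination")
    if file_md5(dst) != expected:
        raise ValueError("copy on the USB drive does not match the expected MD5")
    return dst


def extract_to_root(zip_on_usb, usb_root):
    """Step 4: unzip on the drive and leave EFI/ and boot/ directly at its root."""
    root = Path(usb_root)
    with zipfile.ZipFile(zip_on_usb) as zf:
        bad_member = zf.testzip()  # CRC check of every archive member
        if bad_member is not None:
            raise ValueError(f"corrupt archive member: {bad_member}")
        zf.extractall(root)
    missing = [n for n in REQUIRED_DIRS if not (root / n).is_dir()]
    if missing:
        # Contents landed in a wrapper folder: find it and move the dirs up.
        wrappers = [d for d in root.iterdir()
                    if d.is_dir() and d.name not in REQUIRED_DIRS
                    and all((d / n).is_dir() for n in missing)]
        if len(wrappers) != 1:
            raise FileNotFoundError(f"{missing} not found at the USB root")
        for name in missing:
            shutil.move(str(wrappers[0] / name), str(root / name))
    return [n for n in REQUIRED_DIRS if (root / n).is_dir()]
```

Call copy_and_verify() with the mounted USB path, then extract_to_root() on the returned file; both raise instead of leaving a drive that will not boot.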

Boot the Router Using USB


The router can be booted using an external bootable USB drive. This might be required when the router is
unable to boot from the installed image. A boot failure may happen when the image gets corrupted. During
the USB boot process, the router gets re-imaged with the version available on the USB drive.

Note During the USB boot process, the router is completely re-imaged with the ISO image version present in the
bootable USB drive. All existing configurations are deleted because the disk 0 content is erased. No optional
packages are installed during the upgrade process; they need to be installed after the upgrade is complete.

Before you begin


• Create a bootable USB drive. See Create a Bootable USB Drive Using Compressed Boot File.
• Ensure that an external connection unit (ECU) with two solid-state drives (SSDs) is present.

Step 1 Connect the USB drive to the active RP.
Step 2 Connect to the console.
Step 3 Power the router.
Step 4 Press Esc to pause the boot process and get the RPs to BIOS menu.
Step 5 Select the USB from the boot menu on the RP to which the USB is connected.
The image is copied to the internal disk, and the router is restarted automatically.

What to do next
• After the booting process is complete, specify the root username and password.
• Install the required optional packages.


Boot the Router Using iPXE


iPXE is a pre-boot execution environment that is included in the network card of the management interfaces
and works at the system firmware (UEFI) level of the router. iPXE is used to re-image the system, and boot
the router in case of boot failure or in the absence of a valid bootable partition. iPXE downloads the ISO
image, proceeds with the installation of the image, and finally bootstraps inside the new installation.
iPXE acts as a boot loader and provides the flexibility to choose the image that the system will boot based on
the Platform Identifier (PID), the Serial Number, or the management mac-address. iPXE must be defined in
the DHCP server configuration file.

Zero Touch Provisioning


Zero Touch Provisioning (ZTP) helps in auto provisioning after the software installation of the router using
iPXE.
ZTP auto provisioning involves:
• Configuration: Downloads and executes the configuration file. The first line of the file must contain !!
IOS XR for ZTP to process the file as a configuration.

• Script: Downloads and executes the script files. The script files include a programmatic approach to
complete a task. For example, scripts created using IOS XR commands to perform patch upgrades. The
first line of the file must contain #! /bin/bash or #! /bin/sh for ZTP to process the file as a script.

Setup DHCP Server


A DHCP server must be configured for IPv4, IPv6 or both communication protocols. The following example
shows ISC-DHCP server running on Linux system.

Before you begin


• Consult your network administrator or system planner to procure IP addresses and a subnet mask for the
management interface.
• Physical port Ethernet 0 or Ethernet 1 on RP is the management port. Ensure that the port is connected
to management network.
• Enable firewall to allow the server to process DHCP packets.
• For DHCPv6, a Router Advertisement (RA) message must be sent to all nodes in the network that
indicates which method to use to obtain the IPv6 address. Configure the router advertisement daemon (radvd,
install using yum install radvd) to allow the client to send DHCP request. For example:
interface eth3
{
   AdvSendAdvert on;
   MinRtrAdvInterval 60;
   MaxRtrAdvInterval 180;
   AdvManagedFlag on;
   AdvOtherConfigFlag on;
   prefix 2001:1851:c622:1::/64
   {
      AdvOnLink on;
      AdvAutonomous on;
      AdvRouterAddr off;
   };
};

• The HTTP server can be in the same server as that of the DHCP server, or can be on a different server.
After the IP address is assigned from DHCP server, the router must connect to the HTTP server to
download the image.

Step 1 Create the dhcpd.conf file (for IPv4, IPv6 or both communication protocols), dhcpv6.conf file (for IPv6) or both in the
/etc/ or /etc/dhcp directory. This configuration file stores the network information such as the path to the script,
location of the ISO install file, location of the provisioning configuration file, serial number, MAC address of the router.
Step 2 Test the server once the DHCP server is running. For example, for IPv4:
• Use MAC address of the router:
Note Using the host statement provides a fixed address that is used for DNS. However, verify that option 77
is set to iPXE in the request. This option is used to provide the bootfile to the system when required.

host ncs5k {
   hardware ethernet <router-mac-address>;
   if exists user-class and option user-class = "iPXE" {
      filename = "http://<httpserver-address>/<path-to-image>/ncs5k-mini-x.iso";
   }
   fixed-address <ip address>;
}

Ensure that the above configuration is successful.


• Use serial number of the router:
host ncs5k
{
   option dhcp-client-identifier "<router-serial-number>";
   filename "http://<IP-address>/<path-to-image>/ncs5k-mini-x.iso";
   fixed-address <IP-address>;
}

The serial number of the router is derived from the BIOS and is used as an identifier.

Step 3 Restart DHCP.


killall dhcpd
/usr/sbin/dhcpd -f -q -4 -pf /run/dhcp-server/dhcpd.pid \
   -cf /etc/dhcp/dhcpd.conf ztp-mgmt &

Example
The example shows a sample dhcpd.conf file:

allow bootp;
allow booting;
ddns-update-style interim;
option domain-name "cisco.com";
option time-offset -8;
ignore client-updates;
default-lease-time 21600;

max-lease-time 43200;
option domain-name-servers <ip-address-server1>, <ip-address-server2>;
log-facility local0;
:
subnet <subnet> netmask <netmask> {
   option routers <ip-address>;
   option subnet-mask <subnet-mask>;
   next-server <server-addr>;
}
:
host <hostname> {
   hardware ethernet e4:c7:22:be:10:ba;
   fixed-address <address>;
   filename "http://<address>/<path>/<image.bin>";
}

The example shows a sample dhcpd6.conf file:

option dhcp6.name-servers <ip-address-server>;
option dhcp6.domain-search "cisco.com";
dhcpv6-lease-file-name "/var/db/dhcpd6.leases";
option dhcp6.info-refresh-time 21600;
option dhcp6.bootfile-url code 59 = string;
subnet6 <subnet> netmask <netmask> {
   range6 2001:1851:c622:1::2 2001:1851:c622:1::9;
   option dhcp6.bootfile-url "http://<address>/<path>/<image.bin>";
}

What to do next
Invoke ZTP.

Invoke ZTP
ZTP runs within the XR namespace, and within the global VPN routing/forwarding (VRF) namespace for
management interfaces and line card interfaces.

Before you begin


Ensure that a DHCP server is set up. For more information, see Setup DHCP Server.

Edit the dhcpd.conf file to utilize the capabilities of ZTP.


The following example shows a sample DHCP server configuration including iPXE and ZTP:

host <host-name>
{
   hardware ethernet <router-serial-number or mac-id>;
   fixed-address <ip-address>;
   if exists user-class and option user-class = "iPXE" {
      # Image request, so provide ISO image
      filename "http://<ip-address>/<directory>/ncs5k-mini-x.iso";
   } else
   {
      # Auto-provision request, so provide ZTP script or configuration
      filename "http://<ip-address>/<script-directory-path>/ncs5k-ztp.script";
      #filename "http://<ip-address>/<script-directory-path>/ncs5k-ztp.cfg";
   }
}

Note Either the ZTP .script file or the .cfg file can be provided at a time for auto-provisioning.

With this configuration, the system boots using ncs5k-mini-x.iso during installation, and then downloads and executes
ncs5k-ztp.script when XR VM is up.
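
The first-line rule from the Zero Touch Provisioning section decides whether the file named in the else branch is applied as configuration or executed as a script, so it is worth checking before the file is placed on the HTTP server. The following Python check is an added example, not Cisco code; the function names, the anchoring of the marker at the start of the line, and the tolerance for optional whitespace after #! are assumptions.

```python
import re

# Markers from the guide. Anchoring at line start and allowing optional
# whitespace after "#!" are assumptions of this example.
CONFIG_RE = re.compile(rb"^!!\s*IOS XR")
SCRIPT_RE = re.compile(rb"^#!\s*/bin/(bash|sh)\b")
UTF8_BOM = b"\xef\xbb\xbf"
EXPECTED_KIND = {".cfg": "config", ".script": "script"}  # suffixes used above


def classify_ztp_file(data):
    """Return 'config', 'script' or 'unknown' from the first line only."""
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if CONFIG_RE.match(first_line):
        return "config"
    if SCRIPT_RE.match(first_line):
        return "script"
    return "unknown"


def preflight(filename, data):
    """List the problems that would stop ZTP handling the file as intended."""
    problems = []
    kind = classify_ztp_file(data)
    if kind == "unknown":
        if data.startswith(UTF8_BOM):
            problems.append("UTF-8 BOM precedes the first-line marker")
        elif classify_ztp_file(data.lstrip()) != "unknown":
            problems.append("blank lines or spaces precede the marker")
        else:
            problems.append("first line has neither '!! IOS XR' nor a shell shebang")
    for suffix, want in EXPECTED_KIND.items():
        # A .cfg that starts with a shebang would be run, not applied.
        if filename.endswith(suffix) and kind not in (want, "unknown"):
            problems.append(f"{suffix} file would be processed as a {kind}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a "configuration" file that is really a script.
    print(preflight("ncs5k-ztp.cfg", b"#!/bin/bash\nxrcmd 'show version'\n"))
```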

Invoke ZTP Manually


ZTP can also be invoked manually with the modified one touch provisioning approach. The process involves:

Before you begin


A configuration file can be used to specify a list of interfaces that will be brought up in XR and on which DHCP will
be invoked. /pkg/etc/ztp.config is a platform-specific file that allows the platform to specify which, if any,
additional interfaces will be used.

#
# List all the interfaces that ZTP will consider running on. ZTP will attempt
# to bring these interfaces. At which point dhclient will be able to use them.
#
# Platforms may add dynamically to this list.
#
#ZTP_DHCLIENT_INTERFACES=" \
# Gi0_0_0_0 \
#"
...

Step 1 Boot the router.
Step 2 Log in manually.
Step 3 Enable interfaces.
Step 4 Invoke a new ZTP DHCP session manually using the ztp initiate command.

Router#ztp initiate

For example, to send DHCP requests on the GigabitEthernet interface 0/0/0/0, run the command:

Router#ztp initiate debug verbose interface GigabitEthernet0/0/0/0

ZTP runs on the management port by default unless the platform is configured otherwise. Logs are written to
/disk0:/ztp/ztp/log.
Note To configure a 40G interface into 4 separate 10G interfaces, use the ztp breakout
nosignal-stay-in-breakout-mode command.


Note To enable dataport breakouts and invoke DHCP sessions on all dataport and line card interfaces that are
detected, use the ztp breakout command.

Router#ztp breakout debug verbose
Router#ztp initiate dataport debug verbose
Invoke ZTP?(this may change your configuration) [confirm] [y/n]:

To override the prompt:

Router#ztp initiate noprompt
Invoke ZTP?(this may change your configuration) [confirm] [y/n]:

ZTP will now run in the background.
Please use "show logging" or look at /disk0:/ztp/ztp/log to check progress.

ZTP runs on the management interfaces that are UP by default.


Step 5 To terminate the ZTP session, use the ztp terminate command.

What to do next
Boot the router using iPXE.

Additional Commands for Manually Invoking ZTP


The following table lists some of the additional commands that are useful while manually invoking ZTP.

Table 5: Additional Commands for Manually Invoking ZTP

Command                                                  Description

ztp initiate management                                  Use this command to send DHCP request on the management interface.
ztp initiate dhcp4                                       Use this command to send DHCP IPv4 requests.
ztp initiate dhcp4-client-identifier unique-identifier   Use this command to override the default DHCP IPv4 client identifier.
ztp initiate dhcp6                                       Use this command to send DHCP IPv6 requests.
ztp initiate dscp dscp-value                             Use this command to set the DSCP value in the IPv4 packet header.
ztp initiate dscp6 dscp-value                            Use this command to set the DSCP value in the IPv6 header.
ztp breakout nosignal-stay-in-breakout-mode              Use this command to keep the interfaces in breakout mode when there is no signal.
ztp breakout nosignal-stay-in-state-noshut               Use this command to keep the interfaces up when there is no signal.
ztp breakout hostname hostname                           Use this command to set the XR hostname.
ztp clean                                                Use this command to remove all ZTP log and settings.
ztp terminate                                            Use this command to cancel the ongoing ZTP request.

Boot the Router Using iPXE


Before you use the iPXE boot, ensure that:
• DHCP server is set and is running.
• You have logged in to the System Admin console using the admin command.

Run the following command to invoke the iPXE boot process to reimage the router:
hw-module location all bootmedia network reload

Example:
sysadmin-vm:0_RP0# hw-module location all bootmedia network reload
Wed Dec 23 15:29:57.376 UTC
Reload hardware module ? [no,yes]

The following example shows the output of the command:

iPXE 1.0.0+ (3e573) -- Open Source Network Boot Firmware -- http://ipxe.org
Features: DNS HTTP TFTP VLAN EFI ISO9660 NBI Menu
Trying net0...
net0: c4:72:95:a6:14:e1 using dh8900cc on PCI01:00.1 (open)
[Link:up, TX:0 TXE:0 RX:0 RXE:0]
Configuring (net0 c4:72:95:a6:14:e1).................. Ok << Talking to DHCP/PXE server to obtain network information
net0: 10.37.1.101/255.255.0.0 gw 10.37.1.0
net0: fe80::c672:95ff:fea6:14e1/64
net0: 2001:1800:5000:1:c672:95ff:fea6:14e1/64 gw fe80::20c:29ff:fefb:b9fe
net1: fe80::c672:95ff:fea6:14e3/64 (inaccessible)
Next server: 10.37.1.235
Filename: http://10.37.1.235/ncs5k/ncs5k-mini-x.iso

http://10.37.1.235/ncs5k/ncs5k-mini-x.iso ... 58% << Downloading file as indicated by DHCP/PXE server to boot install image

Disaster Recovery Using Manual iPXE Boot


Manually booting the system using iPXE can be used to reinstall a clean system in case of a corrupt install
or to recover a lost password. However, all the disks will be wiped out and the configuration will be removed.

Step 1 Press the right arrow key to enter the Cisco Boot Options menu.
Step 2 Use the arrow keys (up, down) to select UEFI: Built-in EFI IPXE to enable iPXE boot. The iPXE boot launches the
auto boot.
To manually boot using iPXE, press Ctrl-B keys to reach the iPXE command line.

Step 3 Identify the management interface. If the management interface is connected properly and is UP, it displays Link:up in
the following output:


Example:
iPXE initialising devices...Sysconf checksum failed. Using default values
ok

iPXE 1.0.0+ (aa070) -- Open Source Network Boot Firmware -- http://ipxe.org
Features: DNS HTTP TFTP VLAN EFI ISO9660 NBI Menu
iPXE> ifstat
net0: c4:72:95:a7:c9:30 using dh8900cc on PCI01:00.1 (closed)
[Link:up, TX:0 TXE:0 RX:0 RXE:0]
net1: c4:72:95:a7:c9:31 using dh8900cc on PCI01:00.2 (closed)
[Link:down, TX:0 TXE:0 RX:0 RXE:0]
[Link status: Down (http://ipxe.org/38086193)]

iPXE> set net0/ip 10.x.x.y
iPXE> set net0/netmask 255.x.x.x
iPXE> set net0/gateway 10.x.x.x
iPXE> ifopen net0
iPXE> ping 10.x.x.z
64 bytes from 10.x.x.z: seq=1
64 bytes from 10.x.x.z: seq=2
Finished: Operation canceled (http://ipxe.org/0b072095)

iPXE> boot http://10.x.x.z/<dir-to-iso>/ncs5k-mini-x.iso-<version>_IMAGE
http://10.x.x.z/<dir-to-iso>/ncs5k-mini-x.iso-<version>_IMAGE... ok
Booting iso-image@0x430173000(803784704), bzImage@0x4301a0000(4473806)
...

Choose the net interface that shows Link:up. If there are multiple interfaces that show the status as UP, identify the
management interface with MAC address.
iPXE also supports HTTP, TFTP and FTP. For more information, see https://ipxe.org/cmd.
After installing the mini ISO image, the system reboots. After successful reboot, specify the root username and password.
Once you get back to the XR prompt, you can load the configuration and install remaining packages.
