Configuring Secure Domain Routers on Cisco IOS XR Software
Information About Configuring Secure Domain Routers
SMC-131
Cisco IOS XR System Management Configuration Guide
• Ability to assign nodes (RPs, DRPs, and LCs) to SDRs.
• Ability to create other users with similar or lower privileges.
• Complete authority over the chassis.
• Ability to log in to non-owner SDRs using admin plane authentication. Admin plane authentication
allows the root-system user to log in to a non-owner SDR regardless of the configuration set by the
root-lr user. See the “Configuring a Username and Password for a Non-Owner SDR” section on
page SMC-157.
• Ability to install and activate software packages for all SDRs or for a specific SDR.
• Ability to view the following admin plane events (owner SDR logging system only):
  – Software installation operations and events.
  – System card boot operations, such as card booting notifications and errors, heartbeat-missed
    notifications, and card reloads.
  – Card alphanumeric display changes.
  – Environment monitoring events and alarms.
  – Fabric control events.
  – Upgrade progress information.
root-lr Users
Note: SDRs were previously known as Logical Routers (LRs). The name was changed for Release 3.3.0.
Users with root-lr privileges can log in to the non-owner SDR only and perform configuration tasks that
are specific to that SDR. The root-lr group has the following privileges:
• Ability to configure interfaces and protocols.
• Ability to create other users with similar or lower privileges on the non-owner SDR.
• Ability to view the resources assigned to their particular SDR.
The following restrictions apply to root-lr users:
• root-lr users cannot enter Administration EXEC or configuration modes.
• root-lr users cannot create or remove SDRs.
• root-lr users cannot add or remove nodes from an SDR.
• root-lr users cannot create root-system users.
• The highest privilege a non-owner SDR user can have is root-lr.
Other SDR Users
Additional usernames and passwords can be created by the root-system or root-lr users to provide more
restricted access to the configuration and management capabilities of the owner SDR or non-owner
SDRs.
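
The privilege levels above can be reviewed offline against a saved configuration. The following is an added example, not part of the Cisco guide: it assumes the configuration text uses `username` blocks with indented `group` lines, and the function names, usernames, and sample configuration are constructed for illustration.

```python
import re

# The two top-level groups described in this section.
PRIVILEGED = ("root-system", "root-lr")

# Constructed sample of a saved non-owner SDR configuration (not real output).
SAMPLE = """\
username alice
 group root-lr
 secret 5 <hash-placeholder>
!
username bob
 group operator
!
username carol
 group root-system
!
"""

def parse_users(config):
    """Map each username to the groups listed in its 'username' block."""
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^username\s+(\S+)\s*$", line)
        if m:
            current = users.setdefault(m.group(1), [])
            continue
        g = re.match(r"^\s+group\s+(\S+)\s*$", line)
        if g and current is not None:
            current.append(g.group(1))
        elif not line.startswith(" "):
            current = None  # "!" or any other top-level line ends the block
    return users

def audit(config, owner_sdr):
    """Return review findings for users holding root-system or root-lr."""
    findings = []
    for user, groups in sorted(parse_users(config).items()):
        held = [g for g in PRIVILEGED if g in groups]
        if "root-system" in held and not owner_sdr:
            # A non-owner SDR user can hold root-lr at most.
            findings.append(f"{user}: root-system in non-owner SDR config")
        elif held:
            findings.append(f"{user}: holds {held[0]}; confirm it is required")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, owner_sdr=False):
        print(finding)
```

Users that need only restricted access, such as `bob` in the sample, produce no finding.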