 
					
				
		
on 02-21-2012 06:29 AM
This document tries to assist in an easy and smooth migration from IOS to IOS-XR. Because of the fundamental different nature of the IOS XR operating system and the way things have been implemented specifically by the ASR9000 platform, this article tries to collect a couple of key items to think about and providing some pointers that prevent issues down the road and prepare for proper planning to the great ASR9000.
In this article various topics are separated out per main topic.
Understanding the IOS-XR prompt and privilege levels/taskgroups
Memory architecture
Processes and Using OSPF as a PE-CE protocol
This is a "living document", we'll add more and more items as we see questions coming in that have not been covered before, so watch the revision of the document to see if new items have been added. I realize that this document is not complete, but more to be added as we go.
One of the key differences between IOS and IOS-XR is the base operating system. Legacy IOS is known to be a "monolithic" operating system. Effectively it is a run to completion whereby some timesharing is done between processes. This model has proven to be working out very well for over 25 years given the success of Cisco IOS based routers and switches. Also IOS uses a complete shared memory space.
Of course there are also drawbacks which IOS-XR focusses on to address.
One of these enhancements is that XR is running on a microkernel (qnx based) and on top of that we are running the IOS XR processes.
These processes are running similar to a process on a linux based operating system. Effectively the QNX gives us a K-Shell from which we can do similar things as a unix based OS.
When seeing the IOS-XR prompt, if you type "run" it will give you access to the K-Shell. Although it is not supported officially, sometimes it is handy and useful to access the kshell to get hardware level counters or access the file system to copy things around etc.
The flexibility that IOS-XR gives with these processes are:
IOS has a very simple prompt with a host name followed by a sign that identifies the "mode" that you are in, whether that is privileged exec or regular exec etc.
For instance:
CPE#
or
CPE>
IOS-XR prompt looks like this:
RP/0/RSP0/CPU0:A9K-BNG#
The way to interpret it is as follows:
RP : We are looking at a route processor
0 : Currently we are attached to shelf 0. In the case of multichassis (CRS) or Clustering (ASR9000) we can link multiple chassis together functioning as a single entity, this number identifies which shelf from that same logical node we are looking at.
RSP0: Which RSP we are connecting to. In the case of dual RSP the lower slot ID is RSP0 and the higher slotID is RSP1. Generally you always logon to the active RSP via telnet which can then either be RSP1 or RSP0.
CPU0: today we only have a single (multicore) CPU on the RSP and linecards. This would identify the CPU we are working with in the case that we are adding CPU's on the system.
:hostname : this is the well known part, the hostname.
Note that the suffix of the complete prompt is always with a hash '#' sign. Which suggests that you are in privilige 15 mode.
IOS-XR does NOT have the concept of privilege levels but instead uses task group authorization.
To learn more about using task groups in IOS-XR check you can see in this picture.
Some key differences and highlights between 7600/IOS and ASR9000/XR

A very comprehensive overview of the EVC model is found on this link.
The ASR9000 only supports full MSTP and no other spanning tree protocol.
There is the possibility to use the PVST in PVST-AG mode or Access Gateway.
The "AG" version of the MST or PVST gives you the ability to run these protocols in an P2MP VPLS deployment without the need to run the full protocol set. It basically is designed around the 9K PE's being the root, advertising pre-canned BPDU's and receive the TCN's from the access switches to trigger MAC withdrawl.
More info on VPLS and ASR9000 is here.
Running Spanning Tree (not the AGG) version together with IOS requires you to be aware of the concept of VLAN pruning that IOS does and XR is not aware of.
Migrating spanning tree from 7600 to ASR9000 can be a complex task. IOS switches run STP by default, and you need to disable it explicitly if you don't want to run it. ASR9000 does not run any spanning tree protocol by default and you need to enable it explicitly.
Also the way that BPDU's are handled in XR/ASR9000 is dependant on your configuration.
The following scenarios cover a few of these design migrations you need to be aware of.
This section tries to cover both MSTP and PVST. The key difference for these 2 protocols is that MSTP sends BPDU's untagged and PVST sends tagged BPDU's on the vlans that are PVST enabled.
One of the first decisions you need to make is whether you want the A9K's to be part of the Spanning Tree design or be transparent to them.
There are pros and cons to each option.
In this first picture below shows a design whereby the ASR9000's are NOT part of the spanning tree topology.
If you have defined an untagged EFP like this:
int Gig0/0/0/P.1 l2trans
encap untagged
you will capture the MSTP BPDU's and put them subject to the service that is attached to this untagged EFP.
This can either be a Cross connect (p2p) or a Bridge domain (p2mp). The difference between XCON and BD is that XCON transparently takes whatever comes in on the Attachment Circuit (AC) and send it to the other side (whether that is a phyiscal interface again or a PseudoWire). An Xcon can only have 2 interfaces.
A bridge domain can have multiple EFP's and also employs mac-learning. If the Destination MAC is not know or part of a broadcast/multicast mac address it will get "Flooded" over to all EFP's in the Bridge Domain, except for the originating EFP (split horizon).
Ok so in this design, with that knowledge from above, the BPDU's from switch X are sent via interfaces X and Y to PE1 and PE2.
PE1 would take the BPDU from the untagged EFPand sends them transparently to PE2 over interface M to Switch B's interface U.
In other words Switch A and B see each other as directly connected neighbors. The A9k's are completely transparent and acting as a transparent L2 wire.
This STP design will block one of the 4 (X, Y, U or V) interfaces to break the loop.
If you were to have a bridge domain on PE1 and a pseudowire between PE1 and PE4, the BPDU *also* gets sent to PE4 and arriving on interface V.
This model whereby the 9k's are transparent to STP cannot be used with a full mesh of PseudoWires.
This design that you see above is generally seen by "accident" when it is forgotten that the switches run STP by default and the 9k would transparently pass everything on.
"Solutions" are to break to loop manually and using an L2ACL to block the MSTP BPDU's from traversing your 9K's.
In the scenario that you do want the 9k's to participate in spanning tree you basically create to STP "islands" on the left and right side.
The 9k's now terminate the spanning tree coming from the switches. A full PW mesh is possible and this is also one of the designs where the AG version of the STP protocol becomes very useful.
Switch A sees PE1 and PE2 as neighbor.
Design it such that the PE1 and PE2 are root and back up root.
The configuration for this design is to put the interface P into the STP Configuration so that BPDU's are sent and received.
The effects of the design scenarios and the relation to the spanning-tree protocol in use are pretty much the same for both MSTP and PVST.
What happens when you follow design 1 or 2 in relation to the EFP configuration associated with it, will be discussed below separated out between the two key STP's.
More detailed configurations and VPLS designs are discussed in this article.
Let us evaluate the various configuration options that you have when defining your EFP's with and without Spanning tree.
Scenario 1 in this picture above is the model that you want to use in the design option "2". There is no untagged EFP necessary in this case, and BPDU's received are punted and locally generated BPDU's are injected directly into the port to the switch.
Scenario 2 describes a situation whereby sometimes people want to peel out their untagged traffic and transport it while still running MSTP on the 9k as in design "2". This is problematic today for a few reasons:
1) received BPDU's are subject to the untagged EFP service defintion and will get forwarded. The local MSTP configuration injects BPDU's.
2) this causes the locally connected switch to see BPDU's from the VPLS remote side (switch B) as well as PE1.
3) it will cause MSTi mismatches and unexpected blocked ports.
Scenario 3 can be used for "design option 1". We don't have any local configuration for STP, so we're not injecting anything, we are sending the BPDU's across as per the EFP service definition.
Note:
Scenario 2 is however a design that is recognized as a design we need to support. Starting XR421 scenario 2 will work as follows:
If there is an untagged EFP *and* local STP config on the PE, THEN we will NOT forward the BPDU, but punt them for local STP handling.
We will continue to inject local BPDU's towards the locally connected switch.
In other words if you have untagged traffic that you want to transport but not the BPDU's this will work in XR421. Today, you will get the behavior as described above in scenario 2.
If your intend is to use design option 1, and you want to forward untagged traffic (config scenario 3), but you don't want to forward the BPDU's then you must apply an L2 ACL onto the untagged EFP to block and deny the DMAC used for (MSTP) BPDU's.
The ACL definition is discussed in this article in the related information section.
The story above doesn't change that much when we are considering PVST.
However there are some minor tweaks caused by the fact that PVST BPDU's are vlan tagged.
Scenario 1 is used in design option "2" whereby you want your A9K's to participate in PVST. Note that we don't do full PVST, but PVST-AG or access gateway, which means that we are sending the bpdu's on the EFP's for the respective vlans and take the BPDU's from these vlans and react on them with mac widthdrawl. The configuration scenario looks like this:
!EFP's
interface g0/0/0/P.10 l2trans
encap dot1q 10
...etc
!service definitions
l2vpn
bridge group VLANS
bridge-domain vlan-10
interface g0/0/0/P.10
bridge-domain vlan-20
interface g0/0/0/P.20
...etc
!spanning-tree config
spanning-tree pvst-ag
interface g0/0/0/P.10
interface g0/0/0/P.20
interface g0/0/0/P.30
HOT HOT HOT HOT
Scenario 2 is a common issue we see happening causing a lot of trouble. This config scenario does NOT have any local PVST configuration, but if the adjacent switches have PVST enabled (and that can be the default!!) then we'd be transparently passing on the vlans as part of the EFP's service definition! The PVST BPDU's are arriving at the remote side and what can be worse is that if we are doing vlan manipulation in terms of tag rewriting with pop or push operations, then the remote side received BPDU's meant to describe vlan 10, but received as VLAN X after the rewrite!
This scenario can be the intended design as described in design option "1" above.
Scenario 3 is a remedy for scenario 2. Basically we are using an L2ACL blocking any bpdu's on the EFP's received so that we are not confusing switches on either end. Alternatively you can also disable STP on the switches connected to the 9k PE's. We are applying L2 ACL's that are blocking a particular DMAC that is used for the PVST bpdu's (see
This issue described here above is something you MUST be aware of.
The ACL definition is discussed in this article in the related information section.
The concept between a Switch Virtual Interface and a Bridge Virtual Interface is the same: and L3 endpoint in an L2 environment.
The SVI is a switch concept and the BVI is an L3 concept generally seen on routers.
The BVI interface in IOS-XR/ASR9000 has some restrictions well documented in the CCO documentation for BVI.
Use this reference to setup IRB (Integrated Route Bridging) using the BVI.
When you set up your Ethernet Flow Point (EFP), especially the untagged one, it can make you run into unexpected scenarios.
For instance, when you have an untagged EFP and you are running full MSTP, the 9K will be able to inject BPDU's to the peer, but the peer's BPDU's are subject to the service of the untagged EFP and may get forwarded. This results in MSTP conflicts on your peer device.
With XR 4.2.1 we'll have the auto ability to peel out the BPDU's from the untagged EFP when MSTP configuration is present.
Also the forwarding of vlan traffic out of an EFP and vlans has a few things that you need to be aware of documented in this article
Because the IOS-XR EVC model is not aware of trunks like IOS devices are, the conversion from an IOS trunk to an XR EVC based config can be a bit confusing at first. This configuration example documents how to convert an IOS trunk to an XR EVC model:
IOS:
interface TenGigabitEthernet13/3
description my-trunk
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 4,130,133
switchport mode trunk
no ip address
interface Vlan 4
ip add 10.11.2.1 255.255.255.0
XR:
The translation will be:
interface TenGigabitEthernet 0/0/0/0
description my-trunk-like-xr-interface
Define the EFP's with their respective vlan tags. Because a BVI is used we need to pop the tag so that "inside" the bridge-domain we see untagged packets. On egress, the vlan tag will be slapped on as per EFP definition. Effectively, we create a bridge-domain per vlan.
interface ten0/0/0/0.4 l2transport
encapsulation dot1q 4
rewrite ingress tag pop 1 symmetric
interface ten0/0/0/0.130 l2transport
encapsulation dot1q 130
rewrite ingress tag pop 1 symmetric
int ten0/0/0/0.133 l2transport
encapsulation dot1q 133
rewrite ingress tag pop 1 symmetric
The L2transport command makes these switchports for L2 services
For the switchport trunk allowed vlans, and the interface vlan X, you need to do the following:
First create the bvi interface:
interface BVI4
ipv4 address 10.4.1.10 255.255.0.0
interface BVI130
ipv4 address 10.130.1.1 255.255.0.0
interface BVI133
ipv4 address 10.130.1.1 255.255.0.0
Note that the BVI interface number doesn't necessarily need to be the same as the VLAN identifier, same goes for the subinterface number of the l2transport interface. Though for this example, the practice is followed to make the BVI number, the same as the dot1q TAG value and the same as the EFP subinterface number for clarity.
Then you need to create the bridge group to tide all together.
l2vpn
bridge group MyTrunks
bridge-domain VLAN4
interface ten0/0/0/0.4
routed-interface bvi4
bridge-domain VLAN130
interface ten0/0/0/0.130
routed-interface bvi130
bridge-domain VLAN133
interface ten0/0/0/0.133
interface bvi133
The Bridge group is just a non functional configuration hierarchy to tie several bridge-domains together in part of the same functional group. It functionaly is no different then creating multiple individual groups with their domains, as opposed to one group with multiple domains.
Because as you've seen throughout this document XR is heavily distributed, SNMP being a component that requests data from every feature or functioanlity potentially is very heavily relient on IPC's to get its info. Sometimes it feels that show commands or SNMP performs slower in a next generation OS like XR, but this is because of these IPC's.
Also because IOS-XR employs the concept of "SDR" or Secure Domain Routers (CRS specific), some restrictions apply to the way that SNMP operates.
Significant performance options have been put in place. For instance, when you get the stats for an interface, rather then sending an IPC for one interface, we collect a "bulk" of info for the next X interfaces also as you might do a getnext for the next if inline.
Some "standard" data like the Entity info is subject to the load of the MGBL pie that gives access to these MIBS as well as special config is needed to expose this info to the SNMP agent. See here for more detail on that.
Xander Thuijs, CCIE #6775
Sr Tech Lead ASR9000
 
					
				
		
That shouldn't be a worry directly Pedro.
Some processes may have allocated the memory, released it in terms of no longer in use but not returned to the system.
It is like what MAC OSX calls inactive, which can be retrieved if necessary.
It is the way that Linux/QNX manages memory.
You could look at a process memory individually to check out what the precise utilization is.
If it is allocating and keeps on allocating it may be a problem obviously.
But free phy mem is not necessarily a sign of an issue like it was in IOS.
If you like to triage this furhther I would recommend opening a new discussion on that, or alternatively open a TAC case if it is concern.
XR4.3.2 is end of august/early september target.
cheers
xander
 
					
				
		
Hi Xander,
Thank you very much for all your help. I'll open a TAC case since the client is slightly worried about this.
Cheers,
Pedro
Hi
Do you have sommple configuration to intigrate with 7600. We have tried to connect 9010 to 7600 in MPLS enevironment,, MP-BGP (vpnv4) didnt comeup so had to back out. any additional setting needs to be don on IOS or XR configs.
Hello Xander!
Your posts helped me a lot, through my studies and research. And i also have other questions which first i'm going to ask you is, can you tell me about sysdb architecture? sysdb directories(namespace)? How do the planes are separated? and how it is managed by sysdb, or to sysdb?
Regards,
Munkh
 
					
				
		
hi Munkh,
I think I may have something, it may benefit others also I think, would you mind raising the question on the discussions piece of the xr os and platforms forum then I'll pull something together for you so that when people search for sysdb they find our discussion and everyone can benefit from it?
sounds good?
xander
Hi Xander,
Sounds very good, and i have started the discussion -
https://supportforums.cisco.com/discussion/12550556/ios-xr-system-databasesysdb
Hello Xander,
i have one question please about configuration mapping between IOS to XR,
i need to translate this configuration :
route-map TOTO permit 1
 match ip address 1
 set ip next-hop X.X.X.X
Could you please help me ?
Many Thanks
Ahmed
Ahmed,
its done in a single line ABF statement that is then attached ingress to an interface.
https://supportforums.cisco.com/document/145271/abf-acl-based-forwarding-asr9k
Eddie.
Hi Eddie,
Many Thanks can i also attached to an BVI interface ??
Many Thanks,
Ahmed
Yes in most instances one can, just the ABF support matrix in the link i sent you.
Eddie.
Hi Eddie,
ok thanks, but i have a Pb with BVi interface when i attached to an BVI interface
RP/0/RSP0/CPU0:R1(config)#show configuration failed
Tue Sep 29 11:00:45.832 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
interface BVI600
 ipv4 access-group TOTO
!!% 'pfilter-ea' detected the 'resource not available' condition 'Failed on applying ACL based forwarding rule to non-ingress interface'
!
end
What sort of line cards do you have? Do a show platform, this isn't support on the Gen1 (trident) line cards. Please check the matrix and confirm you have the supported hardware.
Eddie.
Hello Eddie,
Now it's ok many thanks for your help :), i have a last question,
Could you please tell me what that mean location in this case ???
RP/0/RSP0/CPU0:C1#sh access-lists Toto hardware ingress location ?
  0/0/0        Fully qualified location specification
  0/0/1        Fully qualified location specification
  0/0/CPU0     Fully qualified location specification
  0/1/0        Fully qualified location specification
  0/1/1        Fully qualified location specification
  0/1/CPU0     Fully qualified location specification
  0/2/0        Fully qualified location specification
  0/2/1        Fully qualified location specification
  0/2/CPU0     Fully qualified location specification
  0/3/0        Fully qualified location specification
  0/3/1        Fully qualified location specification
  0/3/CPU0     Fully qualified location specification
  0/4/0        Fully qualified location specification
  0/4/CPU0     Fully qualified location specification
  0/RSP0/CPU0  Fully qualified location specification
  0/RSP1/CPU0  Fully qualified location specification
  WORD         Fully qualified location specification
Br,
Ahmed
In XR location is a linecard slot. In your case above 0/0/CPU0 is the Linecard in Slot0. 0/0/0 is the MPA in slot 0. Its CPU-less. Whereas 0/0/cpu0 is the LC and has a CPU, in distributed systems information is at times locally kept to the LC, so the location xyx/cpu0 is used to fetch information kept on that LC.
Eddie.
ok tmany thanks :)
Ahmed
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: