Bring-up the Router

After installing the hardware, boot the router. Connect to the XR console port and power on the router. The router completes the boot process using the pre-installed operating system (OS) image. If no image is available within the router, the router can be booted using PXE boot or an external bootable USB drive.

After booting is complete, create the root username and password, and then use it to log on to the XR console and get the router prompt. The first user created in XR console is synchronized to the System Admin console. From the XR console, access the System Admin console to configure system administration settings.

Boot the Router

Use the console port on the Route Processor (RP) to connect to a new router. The console port connects to the XR console by default. If necessary, subsequent connections can be established through the management port, after it is configured.

Procedure


Step 1

Connect a terminal to the console port of the RP.

Step 2

Start the terminal emulation program on your workstation.

  • For modular chassis RP, the console settings are baud rate 9600 bps, no parity, 2 stop bits and 8 data bits.

  • For fixed chassis, the console settings are baud rate 115200 bps, no parity, 2 stop bits and 8 data bits.

The baud rate is set by default and cannot be changed.

For NCS5001 and 5002 systems, the baud rate is 115200 bps, no parity, 2 stop bits and 8 data bits. For NCS5011 system, the console settings are baud rate 9600 bps, no parity, 2 stop bits and 8 data bits.

Step 3

Power on the router.

Connect the power cord to the Power Entry Module (PEM) and the router boots up. The boot process details are displayed on the console screen of the terminal emulation program.

Step 4

Press Enter.

The boot process is complete when the system prompts to enter the root-system username. If the prompt does not appear, wait for a while to give the router more time to complete the initial boot procedure, then press Enter.

Important 

If the boot process fails, it may be because the preinstalled image on the router is corrupt. In this case, the router can be booted using an external bootable USB drive.

Note 

We recommend that you check the md5sum of the image after copying it from the source location to the server from which the router boots with the new version. If an md5sum mismatch is observed, you can remove the corrupted file and ensure that a working copy of the image file is available before setup begins.
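
One way to carry out the check in the note above, shown as an added example that is not Cisco tooling: it copies the image to a temporary name on the boot server, compares the md5sum of the copy with the source (and with a published digest, if supplied), and removes the copy on a mismatch so that any existing working image stays in place. The function names, the `.partial` suffix and the file paths are assumptions; `md5sum` is the GNU coreutils command.

```shell
#!/bin/sh
# Added example: stage a router image on the boot server and verify its md5sum.
# Function names and the ".partial" suffix are hypothetical.

# Print only the hex digest of a file (empty output on failure).
md5_of() {
    md5sum -- "$1" 2>/dev/null | awk '{print $1}'
}

# stage_image SRC DEST [EXPECTED_MD5]
# Returns 0 when DEST is in place and verified, 1 on a digest mismatch,
# 2 when a file cannot be read or written.
stage_image() {
    src=$1; dest=$2; expected=${3:-}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    src_sum=$(md5_of "$src")
    [ -n "$src_sum" ] || return 2

    if [ -n "$expected" ]; then
        # Published digests are sometimes upper case; compare in lower case.
        want=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
        if [ "$src_sum" != "$want" ]; then
            echo "source $src does not match the published md5sum" >&2
            return 1
        fi
    fi

    # Copy under a temporary name so a partial or corrupt file is never
    # visible under the name the router boots from.
    tmp="$dest.partial.$$"
    cp -- "$src" "$tmp" || { rm -f -- "$tmp"; return 2; }
    dest_sum=$(md5_of "$tmp")
    if [ "$dest_sum" != "$src_sum" ]; then
        echo "md5sum mismatch after copy, removing $tmp" >&2
        rm -f -- "$tmp"
        return 1
    fi
    mv -f -- "$tmp" "$dest" || return 2
    echo "verified $dest md5sum=$dest_sum"
}
```

Call it as `stage_image SRC DEST [EXPECTED_MD5]`, where the optional third argument is the digest published with the image.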


What to do next

Specify the root username and password.

Setup Root User Credentials

When the router boots for the first time, the system prompts the user to configure root credentials (username and password). These credentials are configured as the root user on the XR (root-lr) console, the System Admin VM (root-system), and as disaster-recovery credentials.

Before you begin

The boot process must be complete. For details on how to initiate the boot process, see Bring-up the Router.

SUMMARY STEPS

  1. Enter root-system username: username
  2. Enter secret: password
  3. Enter secret again: password
  4. Username: username
  5. Password: password
  6. (Optional) show run username

DETAILED STEPS


Step 1

Enter root-system username: username

Enter the username of the root user. The character limit is 1023. In this example, the name of the root user is "root".

Important 

The specified username is mapped to the "root-lr" group on the XR console. It is also mapped as the "root-system" user on the System Admin console.

When starting the router for the first time, or after a reimage, the router does not have any user configuration. In such cases, the router prompts you to specify the "root-system username". However, if the router has been configured previously, the router prompts you to enter the "username", as described in Step 4.

Step 2

Enter secret: password

Enter the password for the root user. The character range of the password is from 6 through 253 characters. The password that you type is not displayed on the CLI for security reasons.

The root username and password must be safeguarded because the root user has superuser privileges and can access the complete router configuration.

Step 3

Enter secret again: password

Reenter the password for the root user. The password is not accepted if it does not match the password that is entered in the previous step. The password that you type is not displayed on the CLI for security reasons.

Step 4

Username: username

Enter the root-system username to log in to the XR VM console.

Step 5

Password: password

Enter the password of the root user. The correct password displays the router prompt. You are now logged into the XR VM console.

Step 6

(Optional) show run username

Displays user details.


username root
 group root-lr
 group cisco-support
 secret 5 $1$NBg7$fHs1inKPZVvzqxMv775UE/
!

Note 

The NCS 5000 series routers running IOS XR 64-bit OS can operate as a standalone device, ZTP-controlled device or as an nV satellite.

When the router ships from the factory, the mode in which the router must operate is not predefined. Therefore, after rack mounting and power up, the software scans for a few events based on usage before deciding the mode of operation. There is a time window while the software is making this decision. During this window, a router that is intended to operate in standalone or ZTP mode could be compromised to fall into nV satellite mode, thereby opening up privileged control of the router to a hostile external entity.

To gain control, the external entity must have access to the same network as the autoplay ports (highest 10G and lowest 100G ports). Once compromised, the router could become inaccessible to legitimate users, but it can be recovered by physically disconnecting it from the network and resetting it to factory defaults.

For deployments within insecure or public networks, it is recommended to explicitly change the operating mode of the NCS 5000 series router to standalone mode using the set sdac system-mode standalone command in EXEC mode. This is a one-time staging step for the first boot after unboxing, or after a factory reset of the router, before it is connected to an insecure network. It is especially important if the links connecting to the router on the lowest 100G and the highest 10G ports are not known to be secure.

If you want to change the standalone mode to the satellite mode, use the set sdac system-mode satellite command in EXEC mode, and reload the router.


What to do next

  • Configure routing functions from the XR console.

  • Configure system administration settings from the System Admin prompt. The System Admin prompt is displayed on accessing the System Admin console. For details on how to get the System Admin prompt, see Access the System Admin Console.

Access the System Admin Console

You must log in to the System Admin console through the XR console to perform all system administration and hardware management setups.

SUMMARY STEPS

  1. Log in to the XR console as the root user.
  2. (Optional) Disable the login banner on console port when accessing the System Admin mode from XR mode.
  3. admin
  4. (Optional) exit

DETAILED STEPS


Step 1

Log in to the XR console as the root user.

Step 2

(Optional) Disable the login banner on console port when accessing the System Admin mode from XR mode.

  1. configure

  2. service sysadmin-login-banner disable

    Example:

    RP/0/RP0/CPU0:router(config)#service sysadmin-login-banner disable

    Disable the login banner on console port in System Admin mode.

  3. commit

  4. end

Step 3

admin

Example:

The login banner is enabled by default. The following example shows the command output with the login banner enabled:

RP/0/RP0/CPU0:router#admin

Mon May 22 06:57:29.350 UTC
 
root connected from 127.0.0.1 using console on host
sysadmin-vm:0_RP0# exit
Mon May  22 06:57:32.360 UTC

The following example shows the command output with the login banner disabled:

RP/0/RP0/CPU0:router#admin
Thu Mar 01:07:14.509 UTC
sysadmin-vm:0_RP0# exit

Step 4

(Optional) exit

Return to the XR mode from the System Admin mode.


Configure the Management Port

To use the Management port for system management and remote communication, you must configure an IP address and a subnet mask for the management ethernet interface. To communicate with devices on other networks (such as remote management stations or TFTP servers), you need to configure a default (static) route for the router.

Before you begin

  • Consult your network administrator or system planner to procure IP addresses and a subnet mask for the management interface.

  • Physical port Ethernet 0 and Ethernet 1 on RP are the management ports. Ensure that the port is connected to the management network.

SUMMARY STEPS

  1. configure
  2. interface MgmtEth rack/slot/port
  3. ipv4 address ipv4-address subnet-mask
  4. ipv4 address ipv4 virtual address subnet-mask
  5. no shutdown
  6. exit
  7. router static address-family ipv4 unicast 0.0.0.0/0 default-gateway
  8. Use the commit or end command.

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters XR Config mode.

Step 2

interface MgmtEth rack/slot/port

Example:

RP/0/RP0/CPU0:router(config)#interface mgmtEth 0/RP0/CPU0/0

Enters interface configuration mode for the management interface of the primary RP.

Step 3

ipv4 address ipv4-address subnet-mask

Example:

RP/0/RP0/CPU0:router(config-if)#ipv4 address 10.1.1.1/8

Assigns an IP address and a subnet mask to the interface.

Step 4

ipv4 address ipv4 virtual address subnet-mask

Example:

RP/0/RP0/CPU0:router(config-if)#ipv4 address 1.70.31.160 255.255.0.0

Assigns a virtual IP address and a subnet mask to the interface.

Step 5

no shutdown

Example:

RP/0/RP0/CPU0:router(config-if)#no shutdown

Places the interface in an "up" state.

Step 6

exit

Example:

RP/0/RP0/CPU0:router(config-if)#exit

Exits the Management interface configuration mode.

Step 7

router static address-family ipv4 unicast 0.0.0.0/0 default-gateway

Example:

RP/0/RP0/CPU0:router(config)#router static address-family ipv4 unicast 0.0.0.0/0 12.25.0.1

Specifies the IP address of the default-gateway to configure a static route; this is to be used for communications with devices on other networks.

Step 8

Use the commit or end command.

commit — Saves the configuration changes and remains within the configuration session.

end — Prompts the user to take one of these actions:

  • Yes — Saves configuration changes and exits the configuration session.

  • No — Exits the configuration session without committing the configuration changes.

  • Cancel — Remains in the configuration session, without committing the configuration changes.


What to do next

Connect the management port to the Ethernet network. With a terminal emulation program, establish an SSH or telnet connection to the management interface port using its IP address. Before establishing a telnet session, use the telnet ipv4|ipv6 server max-servers command in the XR Config mode to set the number of allowable telnet sessions to the router.

Perform Clock Synchronization with NTP Server

There are independent system clocks for the XR console and the System Admin console. To ensure that these clocks do not deviate from true time, they need to be synchronized with the clock of an NTP server. In this task you will configure an NTP server for the XR console. After the XR console clock is synchronized, the System Admin console clock will automatically synchronize with the XR console clock.

Before you begin

Configure and connect to the management port.

SUMMARY STEPS

  1. configure
  2. ntp server server_address

DETAILED STEPS


Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters XR Config mode.

Step 2

ntp server server_address

Example:

RP/0/RP0/CPU0:router(config)#ntp server 64.90.182.55

The XR console clock is configured to be synchronized with the specified server.