Appendix C. Cisco IOS to IOS XR Security Transition

Cisco IOS has been the mainstay for all Cisco routers for more than 20 years. This monolithic operating system, which disassociates the software architecture from hardware, has proven resilient to massive upgrades in both hardware and software technologies over the years. The term monolithic means that Cisco IOS runs as a single image and all processes share the same memory space, and that it uses a non-preemptive scheduler. In support of carrier-class IP networks, including continuous system operation and unprecedented service flexibility, the Cisco IOS XR operating system was pioneered for the Cisco CRS-1 and 12000 series platforms. Cisco IOS XR uses a real-time microkernel operating system (QNX) at its core, and incorporates modularity and memory protection between processes, lightweight threads, preemptive scheduling, and the ability to independently restart failed processes to maximize network availability.

Cisco IOS XR represents a new direction and thus provides an opportunity to diverge from legacy requirements and protocols of Cisco IOS. Although some attempt was made to maintain a certain level of familiarity between the command sets, there are many differences between these two distinct software systems. This can make converting from one system to the other challenging. The purpose of this appendix is to provide a brief cross-reference between the security-related commands and operations that you may be familiar with in Cisco IOS and their counterparts in Cisco IOS XR. In many cases, similar commands and functions exist, but there are some instances where comparable configurations are not required. Note that because Cisco IOS XR is applicable only to Cisco CRS-1 and 12000 series routers, it only makes sense to compare it with Cisco IOS version 12.0S, which is the service provider IOS version used today on Cisco 12000 series routers. For the purposes of this appendix, the Cisco IOS version assumed is 12.0(32)S, and the Cisco IOS XR version assumed is IOS XR 3.5. Both are the latest available at the time of this writing. Note that IOS XR also offers a wide variety of security enhancements, including but not limited to authenticated software installation, image validation, and code signing. These capabilities are outside the scope of this book. For further information on these topics, refer to the IOS XR configuration guides referenced in the “Further Reading” section.

The four IP traffic planes presented throughout this book are used to facilitate this cross-referencing task. As such, the following command categories are reviewed:

• Data plane security commands: Table C-1

• Control plane security commands: Table C-2

• Management plane security commands: Table C-3

• Services plane security commands: Table C-4

Each table includes the Cisco IOS command, its Cisco IOS XR counterpart, if any, and a short example of how each command is used.

Data Plane Security Commands

Data plane-specific commands refer to those commands that configure direct security features, such as interface access lists, Unicast RPF, and other features. Table C-1 lists Cisco IOS commands and their Cisco IOS XR counterparts, if any, along with a short example of how each command is used.

Table C-1. Data Plane Security Commands

Control Plane Security Commands

Control plane–specific commands refer to those commands that configure, directly or indirectly, security features within control plane functions such as routing protocols, route filtering mechanisms, and other control plane mechanisms. Table C-2 lists Cisco IOS commands and their Cisco IOS XR counterparts, if any, along with a short example of how each command is used.

Table C-2. Control Plane Security Commands

Management Plane Security Commands

Management plane security commands refer to those commands that configure, directly or indirectly, security features within management plane functions such as SNMP, syslog, SSH, NetFlow, and many others. Table C-3 lists Cisco IOS commands and their Cisco IOS XR counterparts, if any, along with a short example of how each command is used. In addition, best common practice (BCP) configurations are also included in Table C-3. BCP commands configure, directly or indirectly, security features for the routing platform itself. Generally, this includes commands that enable or disable specific functions or features that make the router more secure or more resilient, such as password encryption, and many others.

Table C-3. Management Plane Security Commands

Services Plane Security Commands

Services plane–specific commands refer to those commands that configure, directly or indirectly, security features within services plane functions such as MPLS VPN TTL propagation, VRF maximum prefix limits, and many others. Obviously, it is not possible to list every services plane command here. Only those used within this book are included, but many others exist. Table C-4 lists Cisco IOS commands and their Cisco IOS XR counterparts, if any, along with a short example of how each command is used.

Table C-4. Services Plane Security Commands

Further Reading

Converting Cisco IOS Configurations to Cisco IOS XR Configurations, Release 3.4. Cisco Documentation. http://www.cisco.com/en/US/products/ps5845/products_technical_reference_book09186a00806b9204.html.

Cisco IOS XR Security Configuration Guide, Release 3.4. Cisco Documentation. http://www.cisco.com/en/US/products/ps5845/products_configuration_guide_book09186a00806b66d2.html.

Cisco IOS XR Software Command References. Cisco Documentation. http://www.cisco.com/en/US/products/ps5845/prod_command_reference_list.html.

Cisco IOS XR Software Configuration Guides. Cisco Documentation. http://www.cisco.com/en/US/partner/products/ps5845/products_installation_and_configuration_guides_list.html.

Converting Cisco IOS Configurations to Cisco IOS XR Configurations, Release 3.4. Cisco Documentation. http://www.cisco.com/en/US/partner/products/ps5845/products_technical_reference_book09186a00806b9204.html.
