Assigning an ID Number to a VPN

First Published: May 2, 2005
Last Updated: May 4, 2009

You can identify Virtual Private Networks (VPNs) by a VPN identification number, as described in RFC 2685. This implementation of the VPN ID feature is used for identifying a VPN.

Finding Feature Information

For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Assigning an ID Number to a VPN" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Information About VPN ID

How to Configure a VPN ID

Configuration Examples for Assigning an ID Number to a VPN

Additional References

Feature Information for Assigning an ID Number to a VPN

Information About VPN ID

Before configuring this feature, you should understand the following concepts:

Introduction to VPN ID

Components of the VPN ID

Management Applications That Use VPN IDs

Introduction to VPN ID

You can identify VPNs by a VPN identification number, as described in RFC 2685. This implementation of the VPN ID feature is used for identifying a VPN. The VPN ID feature is not used to control the distribution of routing information or to associate IP addresses with VPN ID numbers in the MP-BGP VPNv4 routing updates.

Multiple VPNs can be configured in a router. A VPN is private and uses a private address space that might also be used by another VPN or by the Internet. The IP address used in a VPN is only significant to the VPN in which it exists. You can use a VPN name (a unique ASCII string) to reference a specific VPN configured in the router. Alternatively, you can use a VPN ID to identify a particular VPN in the router. The VPN ID follows a standard specification (RFC 2685). To ensure that the VPN has a consistent VPN ID, assign the same VPN ID to all the routers in the service provider network that services that VPN.


Note Configuration of a VPN ID for a VPN is optional. You can still use a VPN name to identify configured VPNs in the router. The VPN name is not affected by the VPN ID configuration. These are two independent mechanisms to identify VPNs.


Components of the VPN ID

Each VPN ID defined by RFC 2685 consists of the following elements:

An Organizationally Unique Identifier (OUI), a three-octet hex number

The IEEE Registration Authority assigns OUIs to any company that manufactures components under the ISO/IEC 8802 standard. The OUI is used to generate universal LAN MAC addresses and protocol identifiers for use in local and metropolitan area network applications. For example, an OUI for Cisco Systems is 00-03-6B (hex).

A VPN index, a four-octet hex number, which identifies the VPN within the company.

Use the following vpn id command and specify the VPN ID:

vpn id oui:vpn-index

A colon separates the OUI from the VPN index.

Management Applications That Use VPN IDs

You can use several applications to manage VPNs by VPN ID. Remote access applications, such as the Remote Authentication Dial-In User Service (RADIUS) and Dynamic Host Configuration Protocol (DHCP), can use the VPN ID feature to identify a VPN. RADIUS can use the VPN ID to assign dial-in users to the proper VPN, based on each user's authentication information.

Dynamic Host Configuration Protocol

Using DHCP, network administrators can centrally manage and automate the assignment of IP addresses in an organization's network. The DHCP application uses the VPN ID as follows:

1. A VPN DHCP client requests a connection to a provider edge (PE) router from a VRF interface.

2. The PE router determines the VPN ID associated with that interface.

3. The PE router sends a request with the VPN ID and other information for assigning an IP address to the DHCP server.

4. The DHCP server uses the VPN ID and IP address information to process the request.

5. The DHCP server sends a response back to the PE router, allowing the VPN DHCP client access to the VPN.

Remote Authentication Dial-In User Service

A RADIUS server (or daemon) provides authentication and accounting services to one or more client network access servers (NASs). RADIUS servers authenticate users and return all configuration information necessary for the client to deliver service to the users.

Typically, a user login consists of a query (Access-Request) from the NAS to the RADIUS server and a corresponding response (Access-Accept or Access-Reject) from the server.

The Access-Request packet contains the username, encrypted password, NAS IP address, VPN ID, and port. The format of the request also provides information on the type of session that the user wants to initiate.

The RADIUS server returns an Access-Accept response if it finds the username and verifies the password. The response includes a list of attribute-value pairs that describe the parameters to be used for this session. If the user is not authenticated, an Access-Reject is sent by the RADIUS server and access is denied.

How to Configure a VPN ID

This section contains the following procedures:

Specifying a VPN ID (required)

Verifying the VPN ID Configuration (optional)

Specifying a VPN ID

Use this procedure to specify a VPN ID.

Restrictions

The VPN ID feature is not used to control the distribution of routing information or to associate IP addresses with VPN ID numbers in the MP-BGP VPNv4 routing updates.

Prerequisites

Each VRF configured on a PE router can have a VPN ID configured. Configure all the PE routers that belong to the same VPN with the same VPN ID. Make sure the VPN ID is unique to the service provider network.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip vrf vrf-name

4. vpn id oui:vpn-index

DETAILED STEPS

 
Step 1 enable

Enables privileged EXEC mode. Enter your password if prompted.

Example:

Router> enable

Step 2 configure terminal

Enters global configuration mode.

Example:

Router# configure terminal

Step 3 ip vrf vrf-name

Creates a VRF routing table and a CEF forwarding table and enters VRF configuration mode.

vrf-name: Name assigned to a VRF.

Example:

Router(config)# ip vrf vrf1

Step 4 vpn id oui:vpn-index

Assigns the VPN ID to the VRF.

oui: An organizationally unique identifier. The IEEE organization assigns this identifier to companies. The OUI is restricted to three octets.

vpn-index: This value identifies the VPN within the company. This VPN index is restricted to four octets.

Example:

Router(config-vrf)# vpn id a1:3f6c

Verifying the VPN ID Configuration

To verify the VPN ID configuration, perform the following steps.

SUMMARY STEPS

1. enable

2. show ip vrf

3. show ip vrf id

4. show ip vrf detail

DETAILED STEPS


Step 1 enable

Step 2 show ip vrf

Use this command to display information about the VRF tables on the PE router. This example displays three VRF tables called vpn1, vpn2, and vpn5.

Router# show ip vrf

  Name                             Default RD          Interfaces
  vpn1                             100:1               FastEthernet1/1/1
                                                       FastEthernet1/0/0
  vpn2                             <not set>
  vpn5                             500:1               Loopback2

Step 3 show ip vrf id

Use this command to ensure that the PE router contains the VPN ID you specified. The following example shows that only VRF tables vpn1 and vpn2 have VPN IDs assigned. The VRF table called vpn5 is not displayed, because it does not have a VPN ID.

Router# show ip vrf id

VPN Id          Name                             RD
2:3             vpn2                             <not set>
A1:3F6C         vpn1                             100:1

Step 4 show ip vrf detail

Use this command to see all the VRFs on a PE router. This command displays all the VPN IDs that are configured on the router, their associated VRF names, and VRF route distinguishers (RDs). If a VRF table in the PE router has not been assigned a VPN ID, that VRF entry is not included in the output.

Router# show ip vrf detail

VRF vpn1; default RD 100:1; default VPNID A1:3F6C
  Interfaces:
    FastEthernet1/1/1       FastEthernet1/0/1
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:100:1
  Import VPN route-target communities
    RT:100:1                 RT:500:1
  No import route-map
  No export route-map
VRF vpn2; default RD <not set>; default VPNID 2:3
  No interfaces
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No export route-map
VRF vpn5; default RD 500:1; default VPNID <not set>
  Interfaces:
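
The prerequisite that every PE router in a VPN carries the same VPN ID, and that the ID is unique in the provider network, can be checked offline from collected show ip vrf id output. The following Python script is an added example, not Cisco code: the function names and the pe2 capture are constructed, and it assumes VRF names are used consistently across PE routers and that a short value such as A1:3F6C is the three-octet OUI and four-octet index with leading zeros dropped.

```python
import re
from collections import defaultdict

def normalize_vpn_id(text):
    """Return a VPN ID as 'OOOOOO:IIIIIIII' (3-octet OUI, 4-octet index)."""
    m = re.fullmatch(r"([0-9A-Fa-f]{1,6}):([0-9A-Fa-f]{1,8})", text.strip())
    if not m:
        raise ValueError(f"not a valid oui:vpn-index value: {text!r}")
    return f"{int(m.group(1), 16):06X}:{int(m.group(2), 16):08X}"

def parse_show_ip_vrf_id(output):
    """Map VRF name -> normalized VPN ID from 'show ip vrf id' text."""
    vrfs = {}
    for line in output.splitlines():
        fields = line.split()
        # Data rows look like: A1:3F6C  vpn1  100:1  (the RD may be '<not set>')
        if len(fields) >= 3 and re.fullmatch(r"[0-9A-Fa-f]+:[0-9A-Fa-f]+", fields[0]):
            vrfs[fields[1]] = normalize_vpn_id(fields[0])
    return vrfs

def audit(per_router_output):
    """Report VRFs whose VPN ID differs between PEs and IDs used by several VRFs."""
    ids_by_vrf, vrfs_by_id = defaultdict(set), defaultdict(set)
    for output in per_router_output.values():
        for vrf, vpn_id in parse_show_ip_vrf_id(output).items():
            ids_by_vrf[vrf].add(vpn_id)
            vrfs_by_id[vpn_id].add(vrf)
    findings = []
    for vrf, ids in sorted(ids_by_vrf.items()):
        if len(ids) > 1:          # same VRF, different VPN ID on some PE
            findings.append(("inconsistent", vrf, sorted(ids)))
    for vpn_id, vrfs in sorted(vrfs_by_id.items()):
        if len(vrfs) > 1:         # one VPN ID attached to several VRF names
            findings.append(("shared-id", vpn_id, sorted(vrfs)))
    return findings

# Constructed captures: pe1 repeats the output shown in Step 3, pe2 is invented.
SAMPLE = {
    "pe1": "VPN Id          Name                             RD\n"
           "2:3             vpn2                             <not set>\n"
           "A1:3F6C         vpn1                             100:1\n",
    "pe2": "VPN Id          Name                             RD\n"
           "2:3             vpn9                             900:1\n"
           "a1:3f6d         vpn1                             100:1\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A shared-id finding needs review rather than automatic correction, because it is only a problem when the two VRF names really are different VPNs.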

Configuration Examples for Assigning an ID Number to a VPN

This section contains the following examples:

Specifying a VPN ID: Example

Verifying the VPN ID Configuration: Example

Specifying a VPN ID: Example

The following example specifies the VPN ID assigned to the VRF table called vpn1:

Router# configure terminal
Router(config)# ip vrf vpn1
Router(config-vrf)# vpn id a1:3f6c

Verifying the VPN ID Configuration: Example

The following is sample output of the show ip vrf detail command, one of the commands that can be used to verify the VPN ID configuration. Use this command to see all the VRFs on a PE router. This command displays all the VPN IDs that are configured on the router, their associated VRF names, and VRF route distinguishers (RDs). If a VRF table in the PE router has not been assigned a VPN ID, that VRF entry is not included in the output.

Router# show ip vrf detail

VRF vpn1; default RD 100:1; default VPNID A1:3F6C
  Interfaces:
    FastEthernet1/1/1       FastEthernet1/0/1
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:100:1
  Import VPN route-target communities
    RT:100:1                 RT:500:1
  No import route-map
  No export route-map
VRF vpn2; default RD <not set>; default VPNID 2:3
  No interfaces
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No export route-map
VRF vpn5; default RD 500:1; default VPNID <not set>
  Interfaces:

Additional References

The following sections provide references related to assigning an ID number to a VPN.

Related Documents

Related Topic                                                         Document Title
Description of commands associated with MPLS and MPLS applications    Cisco IOS Multiprotocol Label Switching Command Reference
Basic MPLS VPNs                                                       Configuring MPLS Layer 3 VPNs


Standards

Standard             Title
IEEE Std 802-1990    IEEE Local and Metropolitan Area Networks: Overview and Architecture


MIBs

MIB: No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs


RFCs

RFC         Title
RFC 2685    Virtual Private Networks Identifier



Feature Information for Assigning an ID Number to a VPN

Table 1 lists the features in this module and provides links to specific configuration information.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.


Table 1 Feature Information for Assigning an ID Number to a VPN

Feature Name: MPLS VPN ID

Releases: Cisco IOS XE Release 2.1

Feature Configuration Information: You can identify VPNs by a VPN identification number, as described in RFC 2685. This implementation of the VPN ID feature is used for identifying a VPN.

In Cisco IOS XE Release 2.1, this feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers.

The following sections provide information about this feature:

Components of the VPN ID

Management Applications That Use VPN IDs

How to Configure a VPN ID