MPLS VPN ID
This document describes the MPLS VPN ID feature, which allows you to identify virtual private networks (VPNs) by a VPN identification number, as described in RFC 2685. This implementation of the MPLS VPN ID feature is used for identifying a VPN. The MPLS VPN ID feature is not used to control the distribution of routing information or to associate IP addresses with MPLS VPN ID numbers in routing updates.
Feature Overview
Multiple VPNs can be configured in a router. You can use a VPN name (a unique ASCII string) to reference a specific VPN configured in the router. Alternatively, you can use a VPN ID to identify a particular VPN in the router. The VPN ID follows a standard specification (RFC 2685). To ensure that the VPN has a consistent VPN ID, assign the same VPN ID to all the routers in the service provider network that service that VPN.
You can use several applications to manage VPNs by VPN ID. For more details on how server applications use the VPN ID, refer to Why Is a VPN ID Useful?
Note
Configuration of a VPN ID for a VPN is optional. You can still use a VPN name to identify configured VPNs in the router. The VPN name is not affected by the VPN ID configuration. These are two independent mechanisms to identify VPNs.
What Is a VRF?
For each VPN that is configured in a router, the router creates a VRF instance. The VPN ID is stored in the corresponding VRF structure for the VPN.
The VRF table is a key element in the MPLS VPN technology. VRF tables exist on PEs only. More than one VRF table can exist on a PE. A VPN can contain one or more VRF tables on a PE.
A VRF contains the routing information that defines the customer VPN site that is attached to a PE router. A VRF consists of the following elements:
• An IP routing table
• A derived Cisco Express Forwarding (CEF) table
• A set of interfaces that use the forwarding table
• A set of rules and routing protocols that determine what goes into the forwarding table
An IP routing table and the CEF table store packet forwarding information for each VRF. A separate routing table and CEF table for each VRF prevent information from being forwarded outside a VPN and prevent packets that are outside a VPN from being forwarded to a router within the VPN.
Components of the VPN ID
Each VPN ID defined by RFC 2685 consists of the following elements:
• An Organizational Unique Identifier (OUI), a three-octet hex number.
  The IEEE Registration Authority assigns OUIs to any company that manufactures components under the ISO/IEC 8802 standard. The OUI is used to generate universal LAN MAC addresses and protocol identifiers for use in local and metropolitan area network applications. For example, an OUI for Cisco Systems is 00-03-6B (hex).
• A VPN index, a four-octet hex number, which identifies the VPN within the company.
You use the vpn id command and specify the VPN ID in the following format:
vpn id oui:vpn-index
A colon separates the OUI from the VPN index. See the command vpn id for more information.
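The following added example (not part of the original Cisco document) validates a value in the oui:vpn-index form and converts it to and from the 7-octet identifier, so that VPN IDs are compared by value rather than as strings. The function names are hypothetical, and the left-padding of short values with zeros is an assumption that matches this page's pairing of a1:3f6c with 0000a100003f6c.

```python
import re

# CLI form documented on this page: oui:vpn-index, both hexadecimal.
# Assumption: values shorter than 3 and 4 octets are left-padded with zeros.
_VPN_ID = re.compile(r"([0-9A-Fa-f]{1,6}):([0-9A-Fa-f]{1,8})")

def parse_vpn_id(text):
    """Return (oui, vpn_index) as integers; raise ValueError if malformed."""
    m = _VPN_ID.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not an oui:vpn-index value: {text!r}")
    return int(m.group(1), 16), int(m.group(2), 16)

def to_octets(text):
    """Encode as 7 octets: 3-octet OUI followed by 4-octet VPN index."""
    oui, index = parse_vpn_id(text)
    return oui.to_bytes(3, "big") + index.to_bytes(4, "big")

def to_cli(octets):
    """Decode 7 octets back to the form printed by show ip vrf id."""
    if len(octets) != 7:
        raise ValueError("a VPN ID is exactly 7 octets")
    oui = int.from_bytes(octets[:3], "big")
    index = int.from_bytes(octets[3:], "big")
    return f"{oui:X}:{index:X}"

def same_vpn(a, b):
    """Compare two CLI strings by value, ignoring case and leading zeros."""
    return to_octets(a) == to_octets(b)
```

A server that keys tenant policy on the VPN ID should store the 7-octet value, because a1:3f6c, A1:3F6C, and 0000a1:00003f6c all name the same VPN.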
Why Is a VPN ID Useful?
Remote access applications, such as the Remote Authentication Dial-In User Service (RADIUS) and Dynamic Host Configuration Protocol (DHCP), can use the MPLS VPN ID feature to identify a VPN. RADIUS can use the VPN ID to assign dial-in users to the proper VPN, based on each user's authentication information.
DHCP
DHCP lets network administrators centrally manage and automate the assignment of Internet Protocol (IP) addresses in an organization's network. The DHCP application uses the VPN ID as follows:
Step 1  A VPN DHCP client requests a connection to a PE router from a VRF interface.
Step 2  The PE router determines the VPN ID associated with that interface.
Step 3  The PE router sends a request with the VPN ID and other information for assigning an IP address to the DHCP server.
Step 4  The DHCP server uses the VPN ID and IP address information to process the request.
Step 5  The DHCP server sends a response back to the PE router, allowing the VPN DHCP client access to the VPN.
Remote Authentication Dial-In User Service
A Remote Authentication Dial-In User Service (RADIUS) server (or daemon) provides authentication and accounting services to one or more client network-attached storage (NAS) devices. RADIUS servers authenticate users and return all configuration information necessary for the client to deliver service to the users.
Typically, a user login consists of a query (Access-Request) from the NAS to the RADIUS server and a corresponding response (Access-Accept or Access-Reject) from the server.
• The Access-Request packet contains the user name, encrypted password, NAS IP address, VPN ID, and port. The format of the request also provides information on the type of session that the user wants to initiate.
• The RADIUS server returns an Access-Accept response if it finds the user name and verifies the password. The response includes a list of attribute-value pairs that describe the parameters to be used for this session.
Benefits
The MPLS VPN ID feature provides the following benefits:
• A VPN is private and uses a private address space that might also be used by another VPN or by the Internet. The IP address used in a VPN is only significant to the VPN in which it exists. The VPN ID identifies the VPN to which the IP address belongs.
• The MPLS VPN ID feature standardizes the VPN identification method, as described in RFC 2685.
Restrictions
The MPLS VPN ID feature has the following restrictions:
• The VPN ID is not used to control the distribution of routing information or to associate IP addresses with VPN-IDs in routing updates.
• Configure all the PE routers that belong to the same VPN with the same VPN ID. Make sure the VPN ID is unique to the Service Provider network.
Related Documents
The following documents provide more information about the MPLS VPN ID feature:
The list of public OUI assignments
http://standards.ieee.org/regauth/oui/oui.txt
Cisco IOS Security Configuration Guide, Release 12.2
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
Introduction to Cisco MPLS VPN Technology
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/vpnsc/mpls/1_2/prov_gd/vpn_ug1.htm
Supported Platforms
This feature is supported on the following platforms:
Cisco 3600 series routers
Cisco 7200 series routers
Cisco 7500 series routers
Supported Standards, MIBs, and RFCs
Standards
IEEE Std 802-1990, IEEE Local and Metropolitan Area Networks: Overview and Architecture
MIBs
No new or modified MIBs are supported by this feature.
RFCs
RFC 2685—Virtual Private Networks Identifier
This document can be found at the following URL:
http://www.ietf.org/rfc/rfc2685.txt
Prerequisites
Each VRF configured in a PE router can have a VPN ID configured. Configure all the PE routers that belong to the same VPN with the same VPN ID. Make sure the VPN ID is unique to the Service Provider network.
Configuration Tasks
See the following sections for configuration tasks for the MPLS VPN ID feature. Each task in the list is identified as either optional or required.
• Specifying a VPN ID (Required)
• Verifying That the VPN ID Is Set (Optional)
Specifying a VPN ID
To specify a VPN ID on a PE router, perform the following steps:
Step 1
Command: Router(config)# ip vrf vpn1
Purpose: Creates a VRF routing table and a CEF (forwarding) table, both named vpn1.
Step 2
Command: Router(config-vrf)# vpn id a1:3f6c
Purpose: Assigns the VRF a VPN ID.
Verifying That the VPN ID Is Set
To ensure that the PE router contains the VPN ID you specified, issue the following command:
Router# show ip vrf id
VPN Id          Name       RD
2:3             vpn2       <not set>
A1:3F6C         vpn1       100:1
This command displays all the VPN IDs that are configured on the router, their associated VRF names, and VRF route distinguishers (RDs). If a VRF table in the PE router has not been assigned a VPN ID, that VRF entry is not included in the output. See the command show ip vrf for more information.
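The following added example (not part of the original Cisco document) parses show ip vrf id output collected from several PE routers and reports violations of the two rules this page states: the same VPN must carry the same VPN ID on every PE, and a VPN ID must not be shared by different VPNs. The PE names, the vpn7 row, and the function names are constructed, and the check assumes that a VRF name denotes the same VPN on every PE.

```python
import re
from collections import defaultdict

# Constructed sample: show ip vrf id output captured from two PE routers.
PE_OUTPUT = {
    "pe1": """VPN Id          Name       RD
2:3             vpn2       <not set>
A1:3F6C         vpn1       100:1
""",
    "pe2": """VPN Id          Name       RD
2:3             vpn2       <not set>
1122:12345678   vpn1       100:1
A1:3F6C         vpn7       700:1
""",
}

ROW = re.compile(r"^([0-9A-Fa-f]+):([0-9A-Fa-f]+)\s+(\S+)\s+(.+?)\s*$")

def parse_show_ip_vrf_id(output):
    """Yield ((oui, index), vrf_name, rd) for each data row."""
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header and blank lines do not match
            yield (int(m.group(1), 16), int(m.group(2), 16)), m.group(3), m.group(4)

def audit(pe_outputs):
    """Return a list of (kind, subject, details) findings."""
    ids_by_vrf = defaultdict(lambda: defaultdict(set))  # vrf -> vpn_id -> PEs
    vrfs_by_id = defaultdict(lambda: defaultdict(set))  # vpn_id -> vrf -> PEs
    for pe, output in pe_outputs.items():
        for vpn_id, vrf, _rd in parse_show_ip_vrf_id(output):
            ids_by_vrf[vrf][vpn_id].add(pe)
            vrfs_by_id[vpn_id][vrf].add(pe)
    findings = []
    for vrf, ids in sorted(ids_by_vrf.items()):
        if len(ids) > 1:  # same VPN, different VPN IDs across PEs
            findings.append(("inconsistent", vrf, sorted(f"{o:X}:{i:X}" for o, i in ids)))
    for (o, i), vrfs in sorted(vrfs_by_id.items()):
        if len(vrfs) > 1:  # one VPN ID assigned to different VPNs
            findings.append(("reused", f"{o:X}:{i:X}", sorted(vrfs)))
    return findings
```

Because a VRF without a VPN ID is omitted from this command's output, a PE that never reports an expected VRF needs a separate check against show ip vrf.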
To see all the VRFs on a PE router, issue the following command:
Router# show ip vrf detail
VRF vpn1; default RD 100:1; default VPNID A1:3F6C
  Interfaces:
    Ethernet1/1 Ethernet1/4
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:100:1
  Import VPN route-target communities
    RT:100:1 RT:500:1
  No import route-map
  No export route-map
VRF vpn2; default RD <not set>; default VPNID 2:3
  No interfaces
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No export route-map
VRF vpn5; default RD 500:1; default VPNID <not set>
  Interfaces:
Configuration Examples
This section provides an example of configuring a VPN ID.
The show ip vrf command shows information about the VRF tables on the PE router. There are three VRF tables called vpn1, vpn2, and vpn5.
Router# show ip vrf
Name       Default RD    Interfaces
vpn1       100:1         Ethernet1/1
                         Ethernet1/4
vpn2       <not set>
vpn5       500:1         Loopback2
The show ip vrf id command shows that only VRF tables vpn1 and vpn2 have VPN IDs assigned. The VRF table called vpn5 is not displayed, because it does not have a VPN ID.
Router# show ip vrf id
VPN Id          Name       RD
2:3             vpn2       <not set>
1122:12345678   vpn1       100:1
The following commands update the VPN ID assigned to the VRF table called vpn1.
Router# config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip vrf vpn1
Router(config-vrf)# vpn id a1:3f6c
Router(config-vrf)# end
The show ip vrf id command displays the updated VPN ID assigned to the VRF table called vpn1.
Router# sh ip vrf id
VPN Id          Name       RD
2:3             vpn2       <not set>
A1:3F6C         vpn1       100:1
The show ip vrf detail command displays information about all the VRF tables in the PE router. The output of the command explicitly states that vpn5 does not
Router# sh ip vrf detail
VRF vpn1; default RD 100:1; default VPNID A1:3F6C
  Interfaces:
    Ethernet1/1 Ethernet1/4
  Connected addresses are not in global routing table
  Export VPN route-target communities
    RT:100:1
  Import VPN route-target communities
    RT:100:1 RT:500:1
  No import route-map
  No export route-map
VRF vpn2; default RD <not set>; default VPNID 2:3
  No interfaces
  Connected addresses are not in global routing table
  No Export VPN route-target communities
  No Import VPN route-target communities
  No import route-map
  No export route-map
VRF vpn5; default RD 500:1; default VPNID <not set>
  Interfaces:
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
show ip vrf
To display the set of defined VRFs and associated interfaces, use the show ip vrf command in EXEC mode.
show ip vrf [{brief | detail | interfaces | id}] [vrf-name] [output-modifiers]
Syntax Description
Defaults
When no optional parameters are specified, the command shows concise information about all configured VRFs.
Command Modes
EXEC
Command History
Usage Guidelines
Use this command to display information about VRFs. Two levels of detail are available: use the brief keyword or no keyword to display concise information, or use the detail keyword to display all information. To display information about all interfaces bound to a particular VRF, or to any VRF, use the interfaces keyword. To display information about VPN IDs assigned to a PE router, use the id keyword.
Examples
This example shows brief information for the VRFs currently configured:
Router# show ip vrf
Name       Default RD    Interfaces
vrf1       100:1         Ethernet1/3
vrf2       100:2         Ethernet0/3
Table 1 describes the fields shown in this example.
Table 1 show ip vrf Field Descriptions
Field         Description
Name          Specifies the VRF name.
Default RD    Specifies the default route distinguisher.
Interfaces    Specifies the network interfaces.
This example shows detailed information for the VRF called vrf1:
Router# show ip vrf detail vrf1
VRF vrf1; default RD 100:1 default VPNID A1:3F6C
  Interfaces:
    Ethernet1/3
  Connected addresses are in global routing table
  Export VPN route-target communities
    RT:100:1
  Import VPN route-target communities
    RT:100:1
  No import route-map
Table 2 describes the significant fields shown in the output.
This example shows the interfaces bound to a particular VRF:
Router# show ip vrf interfaces
Interface    IP-Address     VRF         Protocol
Ethernet2    130.22.0.33    blue_vrf    up
Ethernet4    130.77.0.33    hub         up
router#
Table 3 describes the significant fields shown in the output.
This example displays all the VPN IDs that are configured in the router and their associated VRF names and VRF route distinguishers (RDs).
Router# show ip vrf id
VPN Id          Name       RD
2:3             vpn2       <not set>
A1:3F6C         vpn1       100:1
Table 4 describes the significant fields shown in the output.
Table 4 show ip vrf id Field Descriptions
Field     Description
VPN ID    Specifies the VPN ID assigned to the VRF.
Name      Specifies the VRF name.
RD        Specifies the route distinguisher.
Related Commands
vpn id
To set or update a VPN ID on a VRF, use the vpn id vrf submode command. To remove the VPN ID from the VRF, use the no form of this command. To change the VPN ID, issue the command again. The new ID overwrites the old one.
vpn id oui:vpn-index
no vpn id [oui:vpn-index]
Syntax Description
Defaults
By default, the VPN ID is not set.
Command Modes
vrf submode
Command History
Usage Guidelines
Each VRF configured in a PE router can have a VPN ID. Use the same VPN ID for the PE routers that belong to the same VPN. Make sure the VPN ID is unique for each VPN in the Service Provider network.
Examples
In the following example, the VPN ID of 0000a100003f6c is for a VRF called vpn1:
Router-config# ip vrf vpn1
Router-config-vrf# vpn id a1:3f6c
Related Commands
