Index
A
AAA server 6-52, 6-72
accounting server port number 6-53
authentication server port number 6-53
access domain 1-4
accounting server port number 6-53
ACLs
on the PE-CE link 1-25
role in MPLS security 1-23
address space separation 1-21
allowAS-in option 4-23
attacks, types of 1-23
authentication server port number 6-53
autonomous system (AS) number
number of occurrences in AS path 4-23
auto-pick route target values 4-7
B
BGP 1-2, 4-22
allowAS-in option 4-23
AS number for CE's network 4-23
community attribute 1-27
dampening 1-24
neighbor allowAS-in value 4-23
neighbor AS-override option 4-23
RDs and RTs 1-18
redistribute connected routes 4-23
redistributing protocols into BGP 4-23
route-target communities 1-19
security features 1-27
Border Gateway Protocol. See BGP
C
cable services
cable-CE, creating 8-6
cable link, provisioning 8-15
CMTS 8-4
DOCSIS 8-4
host helper address 8-11
maintenance helper address 8-11
maintenance subinterface, provisioning 8-6
modem helper address 8-11
MSO 8-4
no routing protocol, provisioning for 8-9, 8-18
primary IP address range 8-5
redistributing connected routes recommended 4-33, 8-9, 8-18
redistributing static routes 4-33, 8-9, 8-18
secondary address 8-20
secondary IP address range 8-5
specifying no routing protocol 4-33
CE
BGP AS number for 4-23
cable-CE, creating 8-6
default routes to 4-16
description of 1-1
extra loopback address 4-14
managed CE considerations 7-2
marking private interface 6-3
and MCE 7-4, 7-10
OSPF process ID 4-26
routing context table 1-26
unmanaged CEs 7-1
CERC 4-35
auto-pick route target values 4-7
creating new CERC 4-5
default CERC created automatically 4-3
full mesh 1-20
overview 1-19, 4-3
route target values, entering 4-7
Cisco VPN Client 6-56
closed state 5-2
CMTS 8-4
collection server 1-2, 1-32, 2-2, 2-13
collection zones
assigning devices to 2-15
defining 2-13
devices assigned, list of 2-16
configuration files
editing 5-34
security requirement 1-26
viewing 5-34
connected routes, redistributing 4-21, 4-24, 4-28, 4-32
CoS GL-3
crypto key generate rsa command 2-4
D
dampening 1-24
Data Over Cable Service Interface Specifications. See DOCSIS
default information originate option 4-18
default routes 4-19
default routes to CE 4-16
denial-of-service attack 1-23
deployed state 5-3
deploying service requests 5-28
device access algorithm 5-4
DOCSIS 8-4
E
EBGP 4-22
edge device routers
access algorithm 5-4
SNMP, setting up 2-4
editable attributes 4-8
EIGRP 4-29
metrics 4-30
encapsulations for each interface type 4-12
export route map
defining name of 4-34
extranets 1-15
F
failed audit state 5-3
failed deploy state 5-3
file descriptor limit, fixing problem with 2-3
Frame Relay
IETF encapsulation 4-12
full mesh topology 1-20
definition 1-19
G
gateway of last resort 4-19
generate reverse route injection 6-11
group type 6-55
H
host helper address 8-11
hub-and-spoke topology 1-20
definition 1-19
hub route target 4-5
I
iBGP 4-22
idle timeout 6-60
import route map
defining name of 4-34
in-band connection 7-4
interfaces
cable interface, specifying 8-19
cable maintenance subinterface, provisioning 8-6
encapsulations available 4-12
IP numbered 4-14
loopback, using existing number 4-15
subinterface numbers, how chosen by VPNSC 8-5, 8-19
supported interfaces 4-11
Internet Service Provider. See ISP
intranets 1-15
intrusion attack 1-23
invalid state 5-3
Inventory and Connection Manager 3-5, 4-2
Inventory Manager 3-1
IP addresses 4-9
automatically assigned 4-14
IP numbered with extra CE loopback 4-14
maintenance helper address 8-11
and network security 1-27
numbered 4-14
primary IP address range 8-5
secondary address 8-20
secondary IP address range 8-5
unnumbered 4-14
VPN-IPv4 address 1-21, 4-35
in VPNs 1-3
IP address pools
and automatically assigned addresses 4-14
on the PE-CE link 4-9
and regions 4-15
IPsec
Cisco VPN Client 6-56
generate reverse route injection 6-11
one-box solution 6-7
remote access policy 6-6
site-to-site VPN policy 6-5
split tunneling 6-57
tunnel mode 6-8, 6-31
IPsec encryption policy 6-4
IPsec to MPLS mapping 1-12, 6-1
IPsec encryption policy 6-4
no routing option 6-8, 6-31
private interface 6-2
public interface 6-2
remote access IPsec tunnels 1-12, 6-1
selecting in IPsec service request 6-14, 6-38, 6-64, 6-76
site-to-site IPsec tunnels 1-12, 6-1
site-to-site VPN policy 6-5
static routes 6-8, 6-31
summarized addresses for MPLS VPN 6-11
VRF-aware IPsec 6-7
IP Solution Center
collection server 1-2, 2-2
device access algorithm 5-4
enabling TFTP 2-9
network management subnet 1-2, 2-2
processing server 1-2, 2-2
setting ISC workstation as TFTP server 2-11
IP Solution Center
file descriptor limit 2-3
ISAKMP Extended Authentication 6-55
ISP 8-5
secondary IP address range 8-5
J
jitter probes, enabling SA Agent for 2-7
L
L2TP Over IPsec protocol 6-56, GL-5
label spoofing 1-24
LDP authentication 1-26
login command 2-4
login shell file 2-3
loopback
extra loopback address on CE 4-14
interface number, using existing 4-15
and IP unnumbered addressing scheme 4-14
SR ID not included 4-16
lost state 5-3
M
maintenance helper address 8-11
managed CE
considerations 7-2
Management CE. See MCE
Management PE. See MPE
management route map 7-6
management VPN 1-2, 2-2, 7-5, GL-6
cable maintenance subinterface and 8-8, 8-17
and export route map 4-34
and management route map 7-6
redistribute connected routes required 4-17
topology 7-6, 7-9
mapping
site-to-site IPsec tunnels 1-12, 6-1
maximum number of routes into VRF 4-35
MCE 7-4, 7-10
mode configuration 6-55
modem helper address 8-11
MPE 7-5, 7-9
and shadow CE 7-5
MPLS VPNs 1-14
address space separation 1-21
CERCs in 1-19
characteristics 1-14
connectivity between 1-26
default routes to CE 4-16
extranets 1-15
implementation techniques 7-4
in-band connection 7-4
intranets 1-15
management VPN 7-5
multiple VPNs merged into a single VPN 1-26
out-of-band VPN 7-5
principal technologies 1-15
route-target communities 1-19
routing protocols 4-16
routing separation 1-21
service requests, defining 5-6, 5-13, 5-21, 7-12
VRF forwarding table 1-26
MPLS VPN Solution
management VPN, implementing 7-9
security requirements 1-21
MSO
domain 8-4
primary IP address range 8-5
multicast
data MDT size 4-4
data MDT threshold 4-4
enabling 4-4
multicast domain (MD) 4-4, 5-4
multicast VRF 4-4, 5-4
multiple VPNs merged into a single VPN 1-26
Multi-VRF CE
CE-facing interface 6-40
data path 1-11
defining CPE as 6-29
description of 1-10
PE-facing interface 6-40
switches for 2-2
switch supported for 1-10
unlike a CE 1-11
N
neighbor allowAS-in value 4-23
neighbor AS-override option 4-23
NetFlow Collector
enabling NetFlow accounting 8-14
network layer reachability information. See NLRI
network management subnet 1-2, 2-2
management VPN technique 7-6, 7-9
out-of-band technique 7-7
NLRI 1-15
O
one-box solution 6-7
OSPF 4-25
area number on PE 4-26
connected routes, redistributing 4-26
process ID on CE 4-26
process ID on PE 4-26
out-of-band technique 7-5, 7-7
P
PE
description of 1-10
export route map 4-34
import route map 4-34
marking public interface 6-2, 6-3, 6-47
and MPE 7-5, 7-9
OSPF area number 4-26
OSPF process ID 4-26
PE-CE link
routing protocols for 4-16
security considerations 1-25
static route for IP unnumbered scheme 4-14
static route provisioning 4-17
pending state 5-3
point-to-point address pool 4-14
POS interface 4-13
primary IP address range 8-5
private interface 6-2
processing server 1-2, 1-32, 2-2
provisioning
cable link 8-15
cable maintenance subinterface 8-6
public interface 6-2
R
RD
allocate new RD 4-35
description of 1-18
in hub-and-spoke environments 1-20
overwriting default RD value 4-35
role in routing separation 1-21
redistribute connected 4-21, 4-24, 4-28, 4-32
redistribution of IP routes 4-16
redistribution of routing information 4-19
regions
IP address pools 4-15
remote access IPsec tunnels 1-12, 6-1, 6-51
AAA server 6-52, 6-72
group name 6-55
remote access services
group type 6-55
idle timeout 6-60
mode configuration 6-55
password to access Cisco VPN Client 6-55
requested state 5-4
RIP
default route to CE 4-19
giving only default routes to CE 4-19
hop counts 4-19
metrics 4-19
redistributing connected routes 4-19
redistributing OSPF routes to a PE 4-21, 4-24, 4-28, 4-32
redistributing static routes 4-19
route provisioning 4-19
route distinguisher 4-35
route distinguisher. See RD
route map
export 4-34
import 4-34
routers
access algorithm 5-4
redistribute connected 4-21, 4-24, 4-28, 4-32
redistribution 4-19
routing context table 1-26
SA Agent, enabling for jitter probes 2-7
SSH, setting up 2-3
VRF forwarding table 1-26
route target. See RT
route-target communities 1-19
routing context table 1-26
routing protocols
defining for PE-CE link 4-16
redistribute connected 4-21, 4-24, 4-28, 4-32
redistribution 4-19
securing 1-23
routing separation 1-21
RT
description of 1-18
entering RT values in CERC definition 4-7
rtr responder, enabling 2-7
S
SA Agent
enabling on edge devices for jitter probes 2-7
secondary address 8-20
secondary IP address range 8-5
Secure Shell. See SSH 2-2
security considerations
address space and routing separation 1-21
connectivity between VPNs 1-26
denial-of-service attack 1-23
hiding the MPLS core structure 1-22
intrusion attack 1-23
label spoofing 1-24
PE-CE link 1-25
security level in SNMPv3 2-5
security model in SNMPv3 2-5
security requirements for MPLS VPNs 1-21
multi-VRF CE
in service provider network 1-2
service operator 4-1, 4-8, 6-11
service policy 4-1, 4-8, 6-11
CERC membership 4-35
editable attributes 4-8
editor 4-8
entering values 4-8
interface attributes 4-11
owner 4-10
types of service policies available 4-10
VRF and VPN information 4-34
service request
states 5-2
service requests
defining 5-6, 5-13, 5-21, 7-12
deploying 5-28
RD value, overwriting 4-35
service policy 4-1, 4-8, 6-11
templates, enabling 4-35
VRF name, overwriting 4-35
shadow CE
and Management PE 7-5
site of origin 5-4, GL-10
site-to-site IPsec tunnels 6-7
one-box solution 6-7
SNMP
rtr responder, enabling 2-7
security level 2-5
security model 2-5
setting SNMP community strings on routers 2-4
version 3 configuration 2-5
SNMPv3
object characteristics 2-6
split tunneling
and mode configuration 6-56
setting policy 6-57
spoke route target 4-5
SSH
generate crypto keys for 2-4
setting up on routers 2-3
state
closed 5-2
deployed 5-3
failed audit 5-3
failed deploy 5-3
invalid 5-3
lost 5-3
pending 5-3
requested 5-4
states of service requests 5-2
static route provisioning 4-17
created for IP unnumbered link 4-14
default information originate option 4-18
giving default routes to CE 4-17
IPsec to MPLS mapping 6-8, 6-31
redistributing connected routes 4-17
subinterface number, entering 6-20
subinterface numbers, how chosen by VPNSC 8-5, 8-19
summarized addresses 6-11
T
templates
enabling for service policy 4-35
terminal server
Telnet sessions, setting appropriate number 2-8
TFTP
setting ISC workstation as TFTP server 2-11
using instead of Telnet 2-9
time zones
supported 2-8
troubleshooting
file descriptor limit, fixing problem with 2-3
tunnel mode 6-8, 6-31
U
unmanaged CEs 7-1
unnumbered IP addresses 4-14
V
VLAN
ID, automatically set by ISC 4-13
VPN
auto-pick route target values 4-7
VPN groups
IPsec protocol GL-5
L2TP Over IPsec protocol GL-5
and split tunneling 6-57
VPN-IPv4 address 1-21, 4-35
VPN route forwarding table. See VRF
VPNs
creating 4-1
multicast routing 4-4
VRF 1-14
configuration commands 1-18
description 4-35
elements of 1-16
export route map, defining name of 4-34
implementation considerations 1-17
import route map, defining name of 4-34
maximum routes in 4-35
multicast VRF 4-4, 5-4
naming convention 1-16
overwriting VRF name 4-35
and route-target communities 1-19
and routing separation 1-21
subinterface associated with 8-5
VRF forwarding table 1-26
VRF-aware IPsec 6-7
W
WAN interfaces
loopback, using existing loopback number 4-15
X
XAUTH 6-55