Cisco IP Solution Center MPLS VPN User Guide, 5.1 - Sample Configlets [Cisco IP Solution Center]

The configlets provided in this appendix show the CLIs generated by ISC for particular services and features. Each configlet example provides the following information:

•Service.

•Feature.

•Devices configuration (network role, hardware platform, relationship of the devices and other relevant information).

•Sample configlets for each device in the configuration.

•Comments.

Note The configlets generated by ISC are only the delta between what needs to be provisioned and what currently exists on the device. This means that if a relevant CLI is already on the device, it does not show up in the associated configlet.

Note All examples in this appendix assume an MPLS core.

For information on how to view configlets, see Viewing Configlets Generated by a Service Request, page 6-31.

L2 Access into L3 MPLS VPN

Configuration

•Service: L2VPN/Metro Ethernet.

•Feature: Access into L3 MPLS VPN.

•Device configuration:

–The CE is a Cisco 3550 with IOS 12.1(22)EA1.

Interface(s): F0/13 <-> F0/4.

–The U-PE is a Cisco 3550 with IOS 12.1(22)EA1.

Interface(s): F0/14.

–The N-PE is a Cisco 7609 with IOS 12.2(18)SXF.

Interface(s): F2/8.

–VLAN = 3101.

Configlets

U-PE

N-PE

vlan 3101

exit

interface FastEthernet0/13

no ip address

switchport

switchport trunk 
encapsulation dot1q

switchport mode trunk

switchport trunk allowed 
vlan 1,3101

interface Vlan3101

description By VPNSC: Job 
Id# = 13

ip address 10.19.19.10 
255.255.255.252

no shutdown

vlan 3101

exit

interface FastEthernet0/14

no ip address

switchport

switchport trunk encapsulation 
dot1q

switchport mode trunk

switchport trunk allowed vlan 
1,3101

interface FastEthernet0/4

no keepalive

no ip address

switchport

switchport trunk encapsulation 
dot1q

switchport mode trunk

switchport trunk allowed vlan 
3101

switchport nonegotiate

cdp enable

no shutdown

mac access-group 
ISC-FastEthernet0/4 in

mac access-list extended 
ISC-FastEthernet0/4

deny any host 0100.0ccc.cccc

deny any host 0100.0ccc.cccd

deny any host 0100.0ccd.cdd0

deny any host 0180.c200.0000

permit any any

ip vrf V5:VPN_sample

rd 100:1502

route-target import 
100:1602

route-target import 
100:1603

route-target export 
100:1602

maximum routes 100 80

interface FastEthernet2/8

no shutdown

interface 
FastEthernet2/8.3101

description 
FastEthernet2/8.3101 dot1q 
vlan id=3101. By VPNSC: 
Job Id# = 13

encapsulation dot1Q 3101

ip vrf forwarding 
V5:VPN_sample

ip address 10.19.19.9 
255.255.255.252

no shutdown

router bgp 100

address-family ipv4 vrf 
V5:VPN_sample

redistribute connected

redistribute static

exit-address-family

Comments

•IP Numbered scenario with Dot1q encapsulation for VPN Link.

•The VRF is created on the N-PE device (-s designates that the VRF is joining the VPN as a spoke in a hub-n-spoke topology.

•On the N-PE, the VRF is added to iBGP routing instance with user configured redistribution of connected and static options.

•The VRF is created on the NPE with forwarding associated with the U-PE facing interface.

CE-PE L3 MPLS VPN (BGP with full-mesh)

Configuration

•Service: L3 MPLS VPN.

•Feature: CE-PE BGP with full-mesh.

•Device configuration:

–The PE is a Cisco 7609 with IOS 12.2(18)SXF.

Interface(s): F2/5.

–The CE is a Cisco 3550 with IOS 12.2(22)EA1.

Interface(s): F0/13.

–Routing protocol = BGP.

Configlets

vlan 62

exit

interface FastEthernet0/13

no ip address

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 62

interface Vlan62

description By VPNSC: Job Id# = 29

ip address 10.19.19.42 255.255.255.252

no shutdown

router bgp 10

neighbor 10.19.19.41 remote-as 100

ip vrf V9:mpls_vpn1

rd 100:1506

route-target import 99:3204

route-target export 99:3204

maximum routes 100 80

interface FastEthernet2/5.62

description FastEthernet2/5.62 dot1q vlan 
id=62. By VPNSC: Job Id# = 29

encapsulation dot1Q 62

ip vrf forwarding V9:mpls_vpn1

ip address 10.19.19.41 255.255.255.252

no shutdown

router bgp 100

address-family ipv4 vrf V9:mpls_vpn1

neighbor 10.19.19.42 remote-as 10

neighbor 10.19.19.42 activate

neighbor 10.19.19.42 allowas-in 2

redistribute connected

redistribute static

exit-address-family

Comments

•A full-mesh configuration is created by means of the CERC selected for the VPN policy. As a result, route-target import and route-target export are identical.

•BGP is the routing protocol on the CE-PE access link.

•IP Numbered scenario with dot1q encapsulation for the VPN link.

•The VRF is created on the PE device.

•The VRF is created on the PE with forwarding associated with the CE facing interface.

CE-PE L3 MPLS VPN (BGP with SOO)

Configuration

•Service: L3 MPLS VPN.

•Feature: CE-PE.

•Device configuration:

–The PE is a Cisco 7609 with IOS 12.2(18)SXF.

Interface(s): FE2/3.

–The CE created in ISC.

Interface(s): FE1/0/14.

–Routing protocol = BGP.

–VPN = hub.

Configlets

vlan 3100

exit

interface FastEthernet1/0/14

no ip address

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 1,3100

no shutdown

interface Vlan3100

description By VPNSC: Job Id# = 12

ip address 10.19.19.6 255.255.255.252

no shutdown

router ospf 3500

network 10.19.19.4 0.0.0.3 area 12345

ip vrf V4:VPN_sample-s

rd 100:1501

route-target import 100:1602

route-target export 100:1603

maximum routes 100 80

interface FastEthernet2/3.3100

description FastEthernet2/3.3100 dot1q vlan 
id=3100. By VPNSC: Job Id# = 12

encapsulation dot1Q 3100

ip vrf forwarding V4:VPN_sample-s

ip address 10.19.19.5 255.255.255.252

no shutdown

router ospf 2500 vrf V4:VPN_sample-s

redistribute bgp 100 subnets

network 10.19.19.4 0.0.0.3 area 12345

router bgp 100

address-family ipv4 vrf V4:VPN_sample-s

redistribute connected

redistribute ospf 2500 vrf V4:VPN_sample-s 
match internal external 1 external 2

redistribute static

exit-address-family

Comments

•IP Numbered scenario with dot1q encapsulation for the VPN link.

•The VRF is created on PE device (VPN is joining as a spoke).

•On PE, the VRF is added to iBGP routing instance with user configured redistribution of connected and static options.

•The VRF is created on the PE with forwarding associated with the CE-facing interface.

CE-PE L3 MPLS VPN

Configuration

•Service: L3 MPLS VPN.

•Feature: CE-PE.

•Device configuration:

–The PE is a Cisco 7603 with IOS 12.2(18)SXD7.

Interface(s): FE2/25.

–The CE is an Cisco 3750ME-I5-M with IOS 12.2(25)EY2.

Interface(s): FE1/0/6.

–VPN = spoke.

Configlets

vlan 890

exit

interface FastEthernet1/0/6

no ip address

switchport trunk encapsulation dot1q

switchport mode trunk

switchport trunk allowed vlan 890

no shutdown

interface Vlan890

description By VPNSC: Job Id# = 336 : SR 
Id# = 336 ip address 10.10.75.2 
255.255.255.252 no shutdown !

router bgp 120

neighbor 10.10.75.1 remote-as 100

no auto-summary

ip vrf V60:TestVPN-s

rd 100:8069

route-target import 100:1891

route-target export 100:1892

interface FastEthernet2/25.890

description FastEthernet2/25.890 dot1q vlan 
id=890. By VPNSC: Job Id# = 336 : SR Id# = 
336 encapsulation dot1Q 890 ip vrf 
forwarding V60:TestVPN-s ip address 
10.10.75.1 255.255.255.252 no shutdown !

router bgp 100

no auto-summary

address-family ipv4 vrf V60:TestVPN-s

neighbor 10.10.75.2 remote-as 120

neighbor 10.10.75.2 activate

neighbor 10.10.75.2 route-map 
SetSOO_V60:TestVPN-s_100:100 in 
exit-address-family !

route-map SetSOO_V60:TestVPN-s_100:100 
permit 10 set extcommunity soo 100:100

Comments

•IP Numbered scenario with dot1q encapsulation for the VPN link.

•The VRF is created on the PE device.

•neighbor 10.10.75.2 remote-as 120 is created as a result of the policy having the CE BGP AS ID set to 120.

•The VRF is created on the PE with forwarding associated with the CE-facing interface.

•On the PE, BGP defines a route-map for the CE neighbor.

•The associated route map sets the extended community attribute to SOO, which is the community value (SOO pool value defined in ISC).

N-PE L3 MPLS VPN (IPv4, IOS XR, OSPF)

Configuration

•Service: L3 MPLS VPN.

•Feature: IPv4 with IOS XR.

•Device configuration:

–The N-PE is a Cisco 12000 router with IOS XR.

–Routing protocol = OSPF.

Configlets


N-PE
(See the extended code example below.)

<?xml version="1.0" encoding="UTF-8"?>

<Request MajorVersion="1" MinorVersion="0">

  <Delete>

    <Configuration Source="CurrentConfig">

      <InterfaceConfigurationTable>

        <InterfaceConfiguration>

          <Naming>

            <Name>GigabitEthernet0/1/1/1.856</Name>

            <Active>act</Active>

          </Naming>

          <Shutdown>true</Shutdown>

        </InterfaceConfiguration>

      </InterfaceConfigurationTable>

    </Configuration>

  </Delete>

  <Set>

    <Configuration Source="CurrentConfig">

      <VRFTable>

        <VRF>

          <Naming>

            <Name>ICICI_VPN_1</Name>

          </Naming>

          <AFI_SAFITable>

            <AFI_SAFI>

              <Naming>

                <AFI>IPv4</AFI>

                <SAFI>Unicast</SAFI>

              </Naming>

              <BGP>

                <ImportRouteTargets>

                  <RouteTargetTable>

                    <RouteTarget>

                      <Naming>

                        <Type>AS</Type>

                        <AS>100</AS>

                        <ASIndex>1</ASIndex>

                      </Naming>

                      <True>true</True>

                    </RouteTarget>

                  </RouteTargetTable>

                </ImportRouteTargets>

                <ExportRouteTargets>

                  <RouteTargetTable>

                    <RouteTarget>

                      <Naming>

                        <Type>AS</Type>

                        <AS>100</AS>

                        <ASIndex>1</ASIndex>

                      </Naming>

                      <True>true</True>

                    </RouteTarget>

                  </RouteTargetTable>

                </ExportRouteTargets>

              </BGP>

            </AFI_SAFI>

          </AFI_SAFITable>

        </VRF>

      </VRFTable>

      <InterfaceConfigurationTable>

        <InterfaceConfiguration>

          <Naming>

            <Name>GigabitEthernet0/1/1/1.856</Name>

            <Active>act</Active>

          </Naming>

          <Description>GigabitEthernet0/1/1/1.856 dot1q vlan id=856. By VPNSC: Job Id# = 
116</Description>

          <InterfaceModeNonPhysical>Default</InterfaceModeNonPhysical>

          <VLANSubConfiguration>

            <VLANIdentifier>

              <VlanType>VLANTypeDot1q</VlanType>

              <FirstTag>856</FirstTag>

            </VLANIdentifier>

          </VLANSubConfiguration>

          <VRF>ICICI_VPN_1</VRF>

          <IPV4Network>

            <Addresses>

              <Primary>

                <IPAddress>10.10.56.1</IPAddress>

                <Mask>255.255.255.252</Mask>

              </Primary>

            </Addresses>

          </IPV4Network>

        </InterfaceConfiguration>

      </InterfaceConfigurationTable>

      <BGP>

        <AS>

          <Naming>

            <AS>0</AS>

          </Naming>

          <FourByteAS>

            <Naming>

              <AS>100</AS>

            </Naming>

            <VRFTable>

              <VRF>

                <Naming>

                  <Name>ICICI_VPN_1</Name>

                </Naming>

                <VRFGlobal>

                  <Exists>true</Exists>

                  <RouteDistinguisher>

                    <Type>AS</Type>

                    <AS>100</AS>

                    <ASIndex>8064</ASIndex>

                  </RouteDistinguisher>

                  <VRFGlobalAFTable>

                    <VRFGlobalAF>

                      <Naming>

                        <AF>IPv4Unicast</AF>

                      </Naming>

                      <Enabled>true</Enabled>

                      <Redistribution>

                        <ConnectedRoutes/>

                        <OSPFRouteTable>

                          <OSPFRoutes>

                            <Naming>

                              <OSPFInstanceName>100</OSPFInstanceName>

                            </Naming>

                            <RedistType>21</RedistType>

                            <DefaultMetric>20000</DefaultMetric>

                          </OSPFRoutes>

                        </OSPFRouteTable>

                        <StaticRoutes/>

                      </Redistribution>

                    </VRFGlobalAF>

                  </VRFGlobalAFTable>

                </VRFGlobal>

              </VRF>

            </VRFTable>

          </FourByteAS>

        </AS>

      </BGP>

      <OSPF>

        <ProcessTable>

          <Process>

            <Naming>

              <InstanceName>100</InstanceName>

            </Naming>

            <Start>true</Start>

            <VRFTable>

              <VRF>

                <Naming>

                  <VRFName>ICICI_VPN_1</VRFName>

                </Naming>

                <VRFStart>true</VRFStart>

                <Redistribution>

                  <RedistributeTable>

                    <Redistribute>

                      <Naming>

                        <ProtocolType>rip</ProtocolType>

                        <InstanceName>rip</InstanceName>

                      </Naming>

                      <Classful>false</Classful>

                    </Redistribute>

                    <Redistribute>

                      <Naming>

                        <ProtocolType>static</ProtocolType>

                        <InstanceName>static</InstanceName>

                      </Naming>

                      <Classful>false</Classful>

                    </Redistribute>

                  </RedistributeTable>

                </Redistribution>

                <AreaTable>

                  <Area>

                    <Naming>

                      <IntegerID>100</IntegerID>

                    </Naming>

                    <NameScopeTable>

                      <NameScope>

                        <Naming>

                          <Interface>GigabitEthernet0/1/1/1.856</Interface>

                        </Naming>

                        <Running>true</Running>

                      </NameScope>

                    </NameScopeTable>

                    <Running>true</Running>

                  </Area>

                </AreaTable>

                <DefaultInformation>

                  <AlwaysAdvertise>true</AlwaysAdvertise>

                </DefaultInformation>

              </VRF>

            </VRFTable>

          </Process>

        </ProcessTable>

      </OSPF>

    </Configuration>

  </Set>

  <Commit/>

</Request>

Comments

•In IOS XR, device configuration is specified in XML format.

•With respect to the XML schemas, different versions of IOS XR will generate different XML configlets. However the configurations will be almost identical, except for changes in the XML schema.

•There are different cases to consider. For example, when a service request is decommissioned or modified, the XML configuration will slightly differ.

N-PE L3 MPLS VPN (IPv6, IOS XR, EIGRP)

Configuration

•Service: L3 MPLS VPN.

•Feature: N-PE running IOS XR 3.5.x.

•Device configuration:

–The N-PE is a Cisco 12000 router with IOS XR 3.5.x.

–Routing protocol = EIGRP.

Configlets


N-PE
(See the extended code example below.)

<?xml version="1.0" encoding="UTF-8"?>

<Request MajorVersion="1" MinorVersion="0">

 <CLI>

<Configuration>

interface GigabitEthernet0/1/1/1.840

ipv6 address fec0:140:9834::/64

exit

</Configuration>

</CLI>

<Delete>

    <Configuration Source="CurrentConfig">

      <EIGRP>

        <ProcessTable>

          <Process>

            <Naming>

              <ASNumber>100</ASNumber>

            </Naming>

            <VRFTable>

              <VRF>

                <Naming>

                  <VRFName>V10:ICICI_VPN</VRFName>

                </Naming>

                <VRF_AFTable>

                  <VRF_AF>

                    <Naming>

                      <VRF_AFType>IPv4</VRF_AFType>

                    </Naming>

                    <AutoSummary/>

                  </VRF_AF>

                </VRF_AFTable>

              </VRF>

            </VRFTable>

          </Process>

        </ProcessTable>

      </EIGRP>

      <InterfaceConfigurationTable>

        <InterfaceConfiguration>

          <Naming>

            <Name>GigabitEthernet0/1/1/1.840</Name>

            <Active>act</Active>

          </Naming>

          <Shutdown>true</Shutdown>

        </InterfaceConfiguration>

      </InterfaceConfigurationTable>

    </Configuration>

  </Delete>

  <Set>

    <Configuration Source="CurrentConfig">

      <InterfaceConfigurationTable>

        <InterfaceConfiguration>

          <Naming>

            <Name>GigabitEthernet0/1/1/1.840</Name>

            <Active>act</Active>

          </Naming>

          <Description>GigabitEthernet0/1/1/1.840 dot1q vlan id=840. By VPNSC: Job Id# = 
50</Description>

          <InterfaceModeNonPhysical>Default</InterfaceModeNonPhysical>

          <VLANSubConfiguration>

            <VLANIdentifier>

              <VlanType>VLANTypeDot1q</VlanType>

              <FirstTag>840</FirstTag>

            </VLANIdentifier>

          </VLANSubConfiguration>

          <VRF>V10:ICICI_VPN</VRF>

        </InterfaceConfiguration>

      </InterfaceConfigurationTable>

      <BGP>

        <AS>

          <Naming>

            <AS>0</AS>

          </Naming>

          <FourByteAS>

            <Naming>

              <AS>100</AS>

            </Naming>

            <VRFTable>

              <VRF>

                <Naming>

                  <Name>V10:ICICI_VPN</Name>

                </Naming>

                <VRFGlobal>

                  <Exists>true</Exists>

                  <VRFGlobalAFTable>

                    <VRFGlobalAF>

                      <Naming>

                        <AF>IPv6Unicast</AF>

                      </Naming>

                      <Enabled>true</Enabled>

                      <Redistribution>

                        <EIGRPRouteTable>

                          <EIGRPRoutes>

                            <Naming>

                              <EIGRPInstanceName>120</EIGRPInstanceName>

                            </Naming>

                          </EIGRPRoutes>

                        </EIGRPRouteTable>

                      </Redistribution>

                    </VRFGlobalAF>

                  </VRFGlobalAFTable>

                </VRFGlobal>

              </VRF>

            </VRFTable>

          </FourByteAS>

        </AS>

      </BGP>

      <EIGRP>

        <ProcessTable>

          <Process>

            <Naming>

              <ASNumber>100</ASNumber>

            </Naming>

            <VRFTable>

              <VRF>

                <Naming>

                  <VRFName>V10:ICICI_VPN</VRFName>

                </Naming>

                <Enabled>true</Enabled>

                <VRF_AFTable>

                  <VRF_AF>

                    <Naming>

                      <VRF_AFType>IPv4</VRF_AFType>

                    </Naming>

                    <Enabled>true</Enabled>

                    <RedistributeTable>

                      <Redistribute>

                        <Naming>

                          <Protocol>BGP</Protocol>

                          <SecondASNumber>100</SecondASNumber>

                        </Naming>

                        <PolicySpecified>false</PolicySpecified>

                      </Redistribute>

                    </RedistributeTable>

                    <DefaultMetric>

                      <BW>2000</BW>

                      <Delay>2001</Delay>

                      <Reliability>200</Reliability>

                      <Load>201</Load>

                      <MTU>20000</MTU>

                    </DefaultMetric>

                    <InterfaceTable>

                      <Interface>

                        <Naming>

                          <InterfaceName>GigabitEthernet0/1/1/1.840</InterfaceName>

                        </Naming>

                        <Enabled>true</Enabled>

                      </Interface>

                    </InterfaceTable>

                    <AutonomousSystem>120</AutonomousSystem>

                  </VRF_AF>

                </VRF_AFTable>

              </VRF>

            </VRFTable>

          </Process>

        </ProcessTable>

      </EIGRP>

    </Configuration>

  </Set>

  <Commit/>

</Request>Comments

•In IOS XR, device configuration is specified in XML format.

•With respect to the XML schemas, different versions of IOS XR will generate different XML configlets. However the configurations will be almost identical, except for changes in the XML schema.

•There are different cases to consider. For example, when a service request is decommissioned or modified, the XML configuration will slightly differ.

CE-PE L3 MPLS VPN (Q-in-Q/Second VLAN ID)

Configuration

•Service: L3 MPLS VPN.

•Feature: CE-PE. Q-in-Q (second VLAN ID) is configured on the PE.

•Device configuration:

–The N-PE is a Cisco 7606-S with IOS 12.2(33)SRC, and with an ES20 line card.

Interface(s): GE2/0/15.

–The CE is a Cisco 2811.

Interface(s): FE0/0.

–VPN = spoke.

Configlets

N-PE

interface FastEthernet0/0.158

description FastEthernet0/0.158 dot1q vlan 
id=158. By VPNSC: Job Id# = 239

encapsulation dot1Q 158

ip address 10.1.1.98 255.255.255.252

no shutdown

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.158

ip vrf V15:MPLS-1

rd 100:6812

route-target import 100:7000

route-target import 100:7001

route-target export 100:7000

interface GigabitEthernet2/0/15.158

description GigabitEthernet2/0/15.158 dot1q 
vlan id=158. By VPNSC: Job Id# = 239

encapsulation dot1Q 158 second-dot1q 1502

ip vrf forwarding V15:MPLS-1

ip address 10.1.1.97 255.255.255.252

no shutdown

router bgp 100

address-family ipv4 vrf V15:MPLS-1

redistribute connected

redistribute static

exit-address-family

Comments

•Encapsulation must be dot1q; SVI disabled.

•IOS support only. There is no Q-in-Q support for IOS XR.

•The resulting CLI configuration command is:

encapsulation dot1Q <VID-1> second-dot1q <VID-2>

–VID-1 can be assigned by ISC VLAN ID resource pools, or manually.

–VID-2 must be added manually. There is no support for autopick ID for the second VLAN ID.

•Platforms/IOS versions which support the command include, but are not limited to:

–Cisco 7600/SRBx with ES-20, SIP400 + 2, and 5-port GE-V2 SPA.

–Cisco 7600/SRCx ES-20, SIP400 + 2, 5-port GE-V2 SPA, and 10GE-V2 SPA.

–Cisco 7200 NPE-G1 with IOS 12.4 mainline.

–Cisco 7200 NPE-G2 with IOS 12.4(4)XD.

•There is a new template variable for second VLAN ID: $Second_PE_Vlan_ID.

•Network configurations supported include:

–PE only.

–PE-CE with managed and unmanaged CEs.

Note SecondVLAN ID is configured on the PE only, not the CE.

For addtional coverage of Q-in-Q support in ISC, see the coverage of the Second VLAN ID attribute in the section Creating an MPLS VPN PE-CE Service Request, page 6-7.

Table Of Contents

Sample Configlets

Overview

L2 Access into L3 MPLS VPN

Configuration

Configlets

Comments

CE-PE L3 MPLS VPN (BGP with full-mesh)

Configuration

Configlets

Comments

CE-PE L3 MPLS VPN (BGP with SOO)

Configuration

Configlets

Comments

CE-PE L3 MPLS VPN

Configuration

Configlets

Comments

N-PE L3 MPLS VPN (IPv4, IOS XR, OSPF)

Configuration

Configlets

Comments

N-PE L3 MPLS VPN (IPv6, IOS XR, EIGRP)

Configuration

Configlets

CE-PE L3 MPLS VPN (Q-in-Q/Second VLAN ID)

Configuration

Configlets

Comments