Table Of Contents
Getting Started with the MPLS VPN Solutions Center
Starting the MPLS VPN Solution Software
Starting the Watchdog and the VPN Console
Shutting Down the MPLS VPN Solution Software
Importing Router Configuration Files
Completing the Target Information for Multiple Targets
Completing the Target Information for Individual Targets
Adding a New Router to the Network
Adding a NetFlow Collector Device to the Network
Viewing Devices in the Network by Their Role
Defining Provider Administrative Domains
Assigning the Provider Edge Routers to a Region
Adding Provider Edge Routers to a Region
Defining the IP Address Pools for a Region
Adding a Region to an Existing Provider Administrative Domain
About Class of Service with MPLS VPN Solution Software
Defining a Class of Service Profile
Creating a VPN Customer Definition
Defining the VPN Customer Information
Adding the Customer Edge Routers to a Site
Editing VPN Customer Information
Editing Customer Site and Site CE Definitions
Editing or Viewing the Customer Edge Router Definition
Defining CE Routing Communities
Implementing the Management VPN Technique
About Provisioning PE-CE Links in the Management VPN
Getting Started with the MPLS VPN Solutions Center
Cisco VPN Solutions Center: MPLS Solution is an MPLS VPN provisioning and auditing tool. The software focuses on the provider edge routers (PEs), customer edge routers (CEs), and the link between them. MPLS VPN Solution software integrates with Cisco IP Manager for element management tasks such as downloading configlets to target routers. Additional features include Class of Service (CoS) provisioning, VPN-aware NetFlow accounting, and Service Level Agreement (SLA) monitoring.
The MPLS VPN Solution product also provides external access to its provisioning, accounting, and SLA monitoring features through CORBA APIs.
Starting the MPLS VPN Solution Software
Before you start the MPLS VPN Solution software, complete these tasks:
Step 1
Log into the MPLS VPN host under your own login name.
Step 2
To keep the startup operations conveniently organized, open three terminal windows—the first window for the xhost process, the second window for the VPN Console and Watchdog user interface, and the third window for Orbix.
Step 3
In the first terminal window, enter the following command:
xhost MPLS_VPN_hostname
The MPLS_VPN_hostname parameter is the name of the MPLS VPN workstation. This command configures your system so that the Orbix user (orbixadm) and the MPLS VPN user (vpnadm) can communicate with the client system.
Starting Orbix
Starting the MPLS VPN Solution software requires that you first start the Orbix process and then start the Watchdog process and the VPN Console as described below. To start the MPLS VPN software, follow these steps:
Step 1
Go to the terminal window for the Orbix software.
Step 2
Log in as the owner of the Orbix process (orbixadm).
rlogin computer_name -l orbixadm
or
su - orbixadm
Step 3
Go to the directory where Orbix is installed.
cd /opt/orbixadm/orbix/Orbix3
Step 4
Source the environment as required for your shell:
C-Shell: source setenvs.csh
K-Shell: . ./setenvs.sh
Step 5
Start the Orbix process in the background:
orbixd &
Starting the Watchdog and the VPN Console
Step 1
Go to the terminal window for the Watchdog and the VPN Console.
Step 2
Log in as the owner of the MPLS VPN Solution software (vpnadm).
rlogin computer_name -l vpnadm
or
su - vpnadm
Step 3
Go to the MPLS VPN Solution installation directory.
cd /opt/vpnadm/vpn/
Step 4
Source the environment as required for your shell.
C-Shell: source vpnenv.csh
K-Shell: . ./vpnenv.sh
Step 5
Start the application's Watchdog processes:
startwd
Note
To stop the Watchdog process and its user interface, issue the stopwd command.
The Watchdog log file resides at /opt/vpnadm/vpn/tmp/wdlog.
Step 6
If you want to confirm that the servers are running, issue the following command:
wdclient status
Step 7
Start the MPLS VPN Solution software VPN Console:
vpnconsole &
Figure 3-1 The VPN Console
Proceed to the "Setting Up the Network" section.
Shutting Down the MPLS VPN Solution Software
This section assumes that the MPLS VPN Solution software is running and that the software user names—vpnadm and orbixadm—are active. It also assumes that Orbix is running as a background process.
To shut down the MPLS VPN Solution software, execute these commands:
Step 1
If the VPN Console is running, close it by choosing File > Exit.
Step 2
If the Watchdog user interface (WDGUI) is running, close it by selecting the window, right-clicking, and choosing Close from the menu.
Step 3
From the window where Watchdog was launched, close the Watchdog by issuing this command:
stopwd -y
Step 4
Log out (exit) from the vpnadm software user.
Shutting down Orbix is optional. To shut down Orbix, follow these steps:
Step 5
From the terminal window from which you launched Orbix, shut down the Name Server:
killit NS
Step 6
Discover the process ID of orbixd:
ps -ef | grep orbixd
Step 7
Shut down the Orbix process by issuing this command:
kill orbixd_process_ID
Step 8
Log out (exit) from the orbixadm software user.
Setting Up the Network
Setting up an MPLS VPN with MPLS VPN Solution requires the following tasks:
1.
Defining the network elements
2.
Defining the Provider Administrative Domain
3.
Creating the VPN customer definition
4.
Defining the VPN
This chapter describes each of these MPLS VPN Solution software procedures.
Defining the Network Elements
Every device that the MPLS VPN Solution software manages must be defined as a target. A target is any device from which the MPLS VPN Solution software can collect information (a router or NetFlow Collector). In most cases, these targets are Cisco routers that function either as a provider edge router (PE) or a customer edge router (CE).
In this product, an MPLS VPN network is a unique group of targets; a target can be a member of only one network. Thus, an MPLS VPN network allows a provider to partition the working space into manageable segments that are unique and do not overlap other networks.
There are two methods for defining targets and organizing them into the appropriate networks (or target groups):
•
Importing all the pertinent router configuration files
A quick way to define the MPLS VPN networks and the targets in them is to import your router configuration files into the MPLS VPN Solution software. This method lets you specify a directory of router configuration files and the network for these routers. The network and the targets in the network are created based on the imported configuration files.
When employing this method, note that not all the necessary information is present after you import the files. You must then proceed to define the additional target information, such as the IP addresses, passwords, and so forth (described later in this document).
•
Defining individual targets manually
You can define targets manually when you want to create, edit, or delete targets in a network. See the "Adding a New Router to the Network" section.
Importing Router Configuration Files
To import router configuration files, follow these steps:
Step 1
Create a directory of configuration files for a given set of devices and copy the appropriate configuration files into the directory.
Device names within each directory must be unique.
Note
A configuration file's filename must be identical to the hostname of the router the configuration was taken from.
A typical set includes Provider and Customer edge routers (PEs and CEs).
Step 2
From the VPN Console menu, choose Setup > Create Targets From Router Configurations.
An informational window displays the following information:
This will create targets based on the router configuration files in a specified directory. A network will be created for the new targets.
You will be asked to enter the following information:
•
Directory containing the router configuration files
•
Network name for the new targets
•
Domain name for the targets (optional)
Specifying the domain name is necessary only if a fully domain-qualified hostname is needed to resolve the IP address of the target (router). For details, see the "On Specifying the Fully Domain-Qualified Hostname" section.
Step 3
Click OK.
The Create Targets From Router Configurations window displays.
Figure 3-2 Creating Targets From Router Configuration Files
Step 4
Enter the directory path, network name, and (optionally) the domain name; then click OK.
•
The directory path is the path to the router configuration files.
To browse for the directory path, click Select and choose the appropriate directory.
•
The network name should reflect the customer's name and the provider's Region that the customer is assigned to. For a discussion of Regions, see the "Defining Provider Administrative Domains" section.
•
The domain name indicates the provider's domain.
The MPLS VPN Solution software imports the router configuration files from the indicated directory. For every valid configuration file, the MPLS VPN Solution software creates a target, and defines the target's role as Cisco router. A valid configuration file is one in which the hostname statement is present in the file. If a configuration file does not contain the hostname statement, MPLS VPN Solution software regards the file as invalid and does not import the configuration file into the Repository.
Under the Networks folder in the hierarchy pane, the product software adds the network name you specified.
Step 5
To display the window that lists the targets in a network, double-click the network name in the hierarchy pane. The product displays the Network window, as shown in Figure 3-3.
Figure 3-3 Network Window
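The import rules above (a hostname statement is required, the filename must equal the hostname, and device names within a directory must be unique) can be checked before you run Setup > Create Targets From Router Configurations. The following Python script is an added example and is not part of the MPLS VPN Solution software; it writes a small set of constructed sample configuration files to a temporary directory and reports which files would import cleanly and which would be skipped or are mis-named.

```python
"""Pre-import check for a directory of router configuration files.

Added example, not part of the MPLS VPN Solution software.  It applies the
import rules described above: each file must contain a hostname statement,
the filename must equal that hostname, and hostnames within one directory
must be unique.  The configuration files built by build_sample_dir() are
constructed for this example.
"""
import os
import re
import tempfile

# IOS-style "hostname <name>" line; the import treats a file without one as invalid.
HOSTNAME_RE = re.compile(r"^\s*hostname\s+(\S+)\s*$", re.MULTILINE)


def check_config_dir(directory):
    """Return {"importable": [hostnames], "problems": [(filename, reason), ...]}.

    Files with no hostname statement would be silently skipped by the import;
    the filename and uniqueness checks catch mistakes the import does not flag.
    """
    problems = []
    files_by_hostname = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        found = HOSTNAME_RE.findall(text)
        if not found:
            problems.append((name, "no hostname statement; the import skips this file"))
            continue
        hostname = found[-1]  # if repeated, the last statement is the one in effect
        if hostname != name:
            problems.append((name, "filename differs from hostname %r" % hostname))
        files_by_hostname.setdefault(hostname, []).append(name)
    for hostname, names in files_by_hostname.items():
        if len(names) > 1:
            for name in names:
                problems.append((name, "hostname %r is not unique in the directory" % hostname))
    flagged = {name for name, _ in problems}
    importable = sorted(h for h, names in files_by_hostname.items()
                        if len(names) == 1 and names[0] not in flagged)
    return {"importable": importable, "problems": problems}


# Constructed sample configurations (not taken from any real router).
SAMPLE_CONFIGS = {
    "pe1": "!\nversion 12.0\nhostname pe1\n!\ninterface Loopback0\n"
           " ip address 10.255.0.1 255.255.255.255\n!\nend\n",
    "ce1": "!\nhostname ce1\n!\ninterface Serial0\n ip unnumbered Loopback0\n!\nend\n",
    "ce2": "!\nversion 12.0\n!\ninterface Serial0\n ip unnumbered Loopback0\n!\nend\n",
    "pe2": "!\nhostname pe2\n!\nend\n",
    "pe2-old": "!\nhostname pe2\n!\nend\n",  # stale copy: wrong filename, duplicate hostname
}


def build_sample_dir():
    """Write SAMPLE_CONFIGS into a fresh temporary directory and return its path."""
    directory = tempfile.mkdtemp(prefix="rtr-configs-")
    for name, text in SAMPLE_CONFIGS.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return directory


if __name__ == "__main__":
    result = check_config_dir(build_sample_dir())
    print("importable:", ", ".join(result["importable"]))
    for filename, reason in result["problems"]:
        print("%-8s %s" % (filename, reason))
```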
Completing the Target Information for Multiple Targets
Now that you have imported the router configuration files and assigned them to an MPLS VPN network (sp_network in our example), you have completed the initial phase required to define the targets. Now you must enter the rest of the information the product software requires to implement the targets.
Step 1
From the hierarchy pane, click the open-close icon for the Networks folder.
Step 2
Double-click the desired network from the list of networks.
As shown in Figure 3-3, the Network window appears in the data pane on the right, displaying the name of each router in the selected network, along with its domain name and role (in this case, Cisco Router).
At this point, you have the option to enter information for a single target (router) or multiple targets. If the targets share some characteristics, such as the same login or enable passwords, you can define those parameters once for multiple routers, then return to the Network window to edit individual targets for those parameters that are unique for each router. This is the procedure described in the following steps.
Step 3
Select the routers from the list for which you want to define the common parameters.
To select multiple targets from the list, hold down the Ctrl key while you click the desired targets.
Step 4
From the Network window, choose Actions > Edit Multiple > Edit General Parameters (as shown in Figure 3-4).
Figure 3-4 The Network Window's Action Menu
The General tab for the Edit Multiple Targets window appears.
Figure 3-5 Entering General Information for Multiple Targets
Step 5
In this window, select the check boxes for the fields you want to apply to all the selected targets: Network, Domain, and Description.
Step 6
Choose the desired network name from the Network field drop-down list.
Step 7
Enter the domain name.
Entering information in the Description field is optional (but recommended).
Step 8
Choose the Passwords tab.
Figure 3-6 Entering Passwords and SNMP Community Strings for Multiple Targets
Step 9
In the Passwords window, select the check boxes for the fields you want to apply to all the selected targets.
In this example, we have not specified values for the Login User and Login Password fields, reserving those values for individual router configuration.
Step 10
Specify the information for the following fields, then click OK.
a.
Enable User
b.
Enable Password
c.
SNMP Read-Only and SNMP Read-Write community strings
Note
The SNMP community strings must be set on all the PEs and CEs in the service provider's network; the SNMP settings on the routers must match the settings configured here. For related information, see the "Setting Up CEs for SLA Data Collection" section.
d.
SNMP and Telnet retries
The recommended setting is three (3) retries.
e.
SNMP and Telnet timeout
The recommended setting is 20 seconds.
When you click OK, you return to the Network window.
Completing the Target Information for Individual Targets
Now that you have defined the parameters that apply to all the selected targets, you can proceed to define the elements that must be defined for each target: user names and IP addresses.
Step 1
From the Network window, select the target you want to edit.
Step 2
Choose Actions > Edit Target.
The Edit Target window appears (see Figure 3-7).
Figure 3-7 Edit Target Window
Defining the Passwords and SNMP Community Strings for Individual Targets
Step 3
From the Edit Target window, choose the Passwords tab.
Figure 3-8 Editing a Target's Password and SNMP Strings Information
As you can see in Figure 3-8, the fields you defined for multiple targets are displayed in the pertinent fields.
Step 4
Enter the information in the fields you need to define for the selected target (router).
Entering a Target's IP Address Information
Step 5
Choose the IP Addresses tab and click Add.
The Enter IP Address window displays.
Figure 3-9 Entering the IP Address
Step 6
Enter the IP address for the selected router, then click OK.
You return to the IP Addresses tab, where the IP address you entered is now displayed.
Adding a New Router to the Network
In the event you need to add a new target (router) to an MPLS VPN network, follow these steps:
Step 1
Double-click the desired network from the Networks list.
The Network window appears, displaying the names of the devices in the selected network.
Step 2
From the Network window, choose Actions > New Target.
The New Target window appears.
Figure 3-10 New Target Window for a Cisco Router
Step 3
Complete the fields in the General and Passwords windows as described in the "Completing the Target Information for Multiple Targets" section.
Step 4
Complete the fields for the IP Addresses as described in the "Completing the Target Information for Individual Targets" section.
Adding a NetFlow Collector Device to the Network
When you install NetFlow on the NetFlow Collector (NFC) device, configure a local username and password. The MPLS VPN Solution software uses this username and password to communicate with the NFC.
In order to collect traffic statistics from NetFlow Collector devices, these devices must be configured as a target. To do so, follow these steps:
Step 1
Double-click the desired network from the Networks list.
The Network window appears, displaying the names of all the devices in the selected network.
Step 2
From the Network window, choose Actions > New Target.
The New Target window appears.
Figure 3-11 New Target Window for NetFlow Collector Device
Step 3
In the Target Name field, enter the UNIX host name of the NetFlow Collector device (NFC).
Step 4
Enter the domain name for the NFC.
Step 5
Click the Role drop-down menu and choose NetFlow.
Note
Entering a description in the Description pane is not required but recommended.
Step 6
Click the Passwords tab.
Figure 3-12 Passwords Tab for NetFlow Collector Device
Step 7
Complete the Login User and Login Password fields as necessary.
MPLS VPN Solution uses the username and password specified here to communicate with the NFC device.
Step 8
Complete the Retries and Timeout fields as necessary.
The recommended value for Retries is 4; the recommended value for Timeout is 20 seconds.
Step 9
Choose the IP Addresses tab and click Add.
The Enter IP Address window displays.
Figure 3-13 Add IP Address for the NetFlow Collector Device
Step 10
Enter the IP address for the selected NFC device, then click OK.
You return to the IP Addresses tab, where the IP address you entered is now displayed.
This completes the procedure for adding an NFC device to the network.
Viewing Devices in the Network by Their Role
You can view lists of the existing devices in a network by the role assigned to them as either Cisco routers or NetFlow Collector devices.
To view devices by their role, follow these steps:
Step 1
From the VPN Console hierarchy pane, select the desired network and double-click.
The Network window appears in the data pane. By default, all the routers in the selected network are listed in the Network window.
Step 2
From the Network window, choose View > Filter by Role.
As shown in Figure 3-14, a submenu appears with two options: Cisco Router and NetFlow.
Figure 3-14 Network Window View Menu
•
To view all the devices—routers and NFC devices—in the network, choose View > All.
•
To view all the Cisco routers in the network, choose View > Filter by Role > Cisco Routers.
•
To view all the NetFlow Collector devices currently defined in the network, choose View > Filter by Role > NetFlow.
When you choose NetFlow, a screen like that shown in Figure 3-15 appears.
Figure 3-15 Viewing NetFlow Collector Devices in the Network
When you choose to filter the network members by either Cisco Router or NetFlow, additional information is presented, such as the login user name and login password for the NFC devices, as illustrated in Figure 3-15.
Defining Provider Administrative Domains
The MPLS VPN Solution software allows you to define as many Regions within a Provider Administrative Domain (PAD) as you need. PADs are divided into Regions in much the same way that customers are divided into sites. A Region can be considered to be a group of provider edge routers (PEs) within a single BGP autonomous system. The primary objective for defining Regions is to allow a provider to employ unique IP address pools in large Regions, such as Europe, Asia Pacific, and so forth.
Note that a provider can also assign PEs to these Regions, thereby simplifying the PE selection process (for example, only presenting PEs in the European Region when adding service to a European customer edge router).
Tips
Cisco recommends that providers create one Provider Administrative Domain and then define the Regions within the PAD.
Before you begin this procedure, have the following information at hand:
•
The BGP autonomous system (AS) number
There is generally one BGP AS number per Provider Administrative Domain.
•
The names of the PE routers within the Region
•
The IP address pools for point-to-point links (that is, the IP numbered links)
•
The IP address pools for loopback links (that is, the IP unnumbered links)
To define a new Provider Administrative Domain, follow these steps:
Step 1
From the VPN Console menu, choose Setup > New Provider Administrative Domain.
Figure 3-16 New Provider Administrative Domain Window
Step 2
Enter the name of the PAD and the BGP Autonomous System (AS) number in the appropriate fields.
Each autonomous system is assigned a unique 16-bit number by the same central authority that assigns IP network numbers.
The contact information is optional, but it is a good idea to provide it.
The Regions pane on the window shown in Figure 3-16 is where existing Region names are displayed. Regions must have a name, assigned PEs, and their corresponding IP address pools.
Defining a New Region in a PAD
A Region can be considered to be a group of provider edge routers (PEs) within a single BGP autonomous system.
Step 3
To begin defining a new Region, from the New Provider Administrative Domain window, click Add.
The Region window appears.
Figure 3-17 Defining a New Region
Step 4
Enter the name of the Region.
The next step in creating a Region is to assign the provider edge routers that are in the Region.
Assigning the Provider Edge Routers to a Region
To assign the provider edge routers for the Region, follow these steps:
Step 1
From the New Region window, click Add.
When you select the Add button from the Region window, the Add Provider Edge Routers window appears.
Step 2
From the window's Network drop-down list, select the appropriate service provider network name (or a network that contains provider devices).
The names of the targets (routers) in the selected service provider network are displayed.
Figure 3-18 Assigning Provider Edge Routers
Step 3
From the list of routers, select a router to be assigned as a PE, then click OK.
You return to the Region window. The name of the router you selected is now displayed in the list of PE Routers.
Step 4
Repeat this procedure to add additional PEs to the Region as required.
When all the provider edge routers for a Region are assigned, the next task is to assign the IP address pool for the Region (see the "Defining the IP Address Pools for a Region" section).
Adding Provider Edge Routers to a Region
You can add only PEs that are not already assigned to a Region. To add PEs to a Region, follow these steps:
Step 1
In the VPN Console hierarchy pane, select the name of the Provider Administrative Domain, then right-click.
The Service Provider menu appears.
Figure 3-19 Service Provider Menu
Step 2
From the menu, choose Open Provider A.D.
The Edit Provider Administrative Domain window appears.
Figure 3-20 Edit Provider Administrative Domain Window
Step 3
From the General tab in the window, click Add.
The Region window appears.
Step 4
In the Name field, enter the name of the Region the PE is assigned to, then click Add.
The Add Provider Edge Routers window appears (as shown in Figure 3-18).
Step 5
Select the PE (or PEs) to add to the Region, then click OK.
Defining the IP Address Pools for a Region
The MPLS VPN Solution software uses IP address pools to automatically assign IP addresses to PEs and CEs. Each Region has an IP address pool to use for IP numbered addresses (the point-to-point address pool) and a separate IP address pool for IP unnumbered addresses (the loopback address pool).
Within a VPN or extranet, all IP addresses must be unique. Customer IP addresses must not overlap with the provider's IP addresses. Overlapping IP addresses are only possible when two devices cannot see each other—that is, when they are in isolated VPNs.
Caution
Due to security and maintenance issues, Cisco does not recommend using customer IP addresses on the PE-CE link.
Step 1
From the Region window, choose the IP Address Pools tab.
Figure 3-21 Defining a Region's IP Address Pool
From this window, you can add IP address pool information for point-to-point (IP numbered) links or loopback (IP unnumbered) links.
Step 2
Choose which type of address pool you are defining and click Add.
The New IP Address Pool window appears.
Figure 3-22 Entering a New IP Address Pool
Step 3
Enter the address for the IP address pool and click OK.
You return to the IP Address Pools window, where the new IP address pool information is displayed.
Step 4
Click OK.
You have now created a Region in the Provider Administrative Domain. You return to the New Provider Administrative Domain window, where the new Region name is displayed in the Regions field.
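As an added example (not part of the MPLS VPN Solution software), the following Python check applies the uniqueness rules above to a set of constructed Region pools and customer prefixes: Region pools must not overlap one another, customer prefixes must not overlap provider pools, and two customers' prefixes may overlap only when the customers share no VPN. The Region, customer and VPN names, and the modelling of visibility as a set of VPN names per customer, are assumptions made for the example.

```python
"""Overlap check for Region IP address pools and customer prefixes.

Added example, not part of the MPLS VPN Solution software.  It applies the
uniqueness rules stated above to constructed data: Region pools must not
overlap one another, customer prefixes must not overlap provider pools, and
two customers may reuse address space only when they share no VPN (isolated
VPNs).  Region, customer and VPN names are assumptions made for the example.
"""
import ipaddress
from itertools import combinations


def find_address_conflicts(provider_pools, customer_prefixes, vpn_membership):
    """Return a list of (kind, left, right) conflicts.

    provider_pools:    {region: {"p2p": [cidr, ...], "loopback": [cidr, ...]}}
    customer_prefixes: {customer: [cidr, ...]}
    vpn_membership:    {customer: set of VPN names}  (assumed model of who can see whom)
    """
    pools = [("%s/%s" % (region, kind), ipaddress.ip_network(cidr))
             for region, kinds in provider_pools.items()
             for kind, cidrs in kinds.items()
             for cidr in cidrs]
    custs = [(customer, ipaddress.ip_network(cidr))
             for customer, cidrs in customer_prefixes.items()
             for cidr in cidrs]
    conflicts = []
    # 1. All Region pools come from one provider address plan; none may overlap.
    for (la, a), (lb, b) in combinations(pools, 2):
        if a.overlaps(b):
            conflicts.append(("provider-pool-overlap", la, lb))
    # 2. Customer address space must never collide with the provider's pools.
    for customer, cp in custs:
        for label, pp in pools:
            if cp.overlaps(pp):
                conflicts.append(("customer-overlaps-provider", "%s:%s" % (customer, cp), label))
    # 3. Two customer prefixes may overlap only if their owners share no VPN.
    for (ca, a), (cb, b) in combinations(custs, 2):
        if not a.overlaps(b):
            continue
        shared = vpn_membership.get(ca, set()) & vpn_membership.get(cb, set())
        if ca == cb or shared:
            conflicts.append(("customer-address-collision",
                              "%s:%s" % (ca, a), "%s:%s" % (cb, b)))
    return conflicts


# Constructed sample data for the example.
SAMPLE_POOLS = {
    "Europe":  {"p2p": ["10.1.0.0/16"], "loopback": ["10.255.0.0/24"]},
    "AsiaPac": {"p2p": ["10.2.0.0/16"], "loopback": ["10.255.0.0/24"]},  # copied pool: error
}
SAMPLE_CUSTOMERS = {
    "acme":    ["192.168.10.0/24", "10.1.5.0/24"],  # second prefix sits inside Europe's p2p pool
    "globex":  ["192.168.10.0/24"],                 # same as acme, but in an isolated VPN: allowed
    "initech": ["192.168.10.128/25"],               # shares an extranet with acme: collision
}
SAMPLE_VPNS = {
    "acme":    {"acme-vpn", "extranet-1"},
    "globex":  {"globex-vpn"},
    "initech": {"extranet-1"},
}


def sample_conflicts():
    """Run the check over the constructed sample data."""
    return find_address_conflicts(SAMPLE_POOLS, SAMPLE_CUSTOMERS, SAMPLE_VPNS)


if __name__ == "__main__":
    for kind, left, right in sample_conflicts():
        print("%-28s %s  <->  %s" % (kind, left, right))
```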
Adding a Region to an Existing Provider Administrative Domain
To add a Region to an existing Provider Administrative Domain, follow these steps:
Step 1
From the VPN Console hierarchy pane, click the open-close icon for the Provider Administrative Domain folder.
The list of Provider Administrative Domains is displayed.
Step 2
Select the desired Provider Administrative Domain and right-click.
The Service Provider menu appears.
Figure 3-23 Accessing the Service Provider Menu
Step 3
From the Service Provider menu, choose New Region.
The Region window appears, as shown in Figure 3-17.
Step 4
Complete the procedures as described in the previous sections, "Assigning the Provider Edge Routers to a Region" and "Defining the IP Address Pools for a Region."
Deleting a Region
To delete a Region from a Provider Administrative Domain, follow these steps:
Step 1
From the VPN Console hierarchy pane, click the open-close icon for the Provider Administrative Domain folder.
Step 2
Click the desired Provider Administrative Domain's open-close icon.
The list of Regions is displayed.
Step 3
Select the desired Region, then right-click.
Step 4
From the Regions menu, choose Delete Region.
A confirmation window appears with the message, "Are you sure you want to delete this Region?"
Step 5
Click Yes.
The Region is deleted and removed from the VPN Console display.
About Class of Service with MPLS VPN Solution Software
As part of their VPN services, service providers may wish to offer premium services defined by Service Level Agreements (SLAs) to expedite traffic from certain customers or applications. Quality of Service (QoS) and its implementation through Class of Service (CoS) mechanisms in IP networks gives devices the intelligence to preferentially handle traffic as dictated by network policy.
About QoS
Quality of Service (QoS) is typically used to describe a situation in which the network provides preferential treatment to certain types of traffic, but the term is not specific about exactly which mechanisms are used to provide these services.
QoS is not a device feature; it is an end-to-end system architecture. A robust QoS solution includes a variety of technologies that interoperate to deliver scalable, media-independent services throughout the network, with system-wide monitoring capabilities.
QoS is defined as those mechanisms that give network managers the ability to control the mix of bandwidth, delay, jitter, and packet loss in the network.
The actual deployment of QoS in a network requires a division of labor for greatest efficiency. Because QoS requires intensive processing, the Cisco model distributes CoS duties between edge and core devices. Edge devices, such as provider edge routers (PEs), do most of the processor-intensive work, performing application recognition to identify flows and classify packets according to unique customer policies. Edge devices also provide bandwidth management. Core devices expedite forwarding while enforcing CoS levels assigned at the edge.
About CoS
Class of Service (CoS) is distinguished by providing differentiated classes of service. Before you can provide a higher quality of service to a customer, application, or protocol, you must classify the traffic into classes, and then determine the way in which to handle the various traffic classes as traffic moves through the network.
When differentiation is performed, it is done to identify traffic by unique criteria and classify incoming traffic into classes. Each of the traffic classes must be recognized by the classification mechanisms at the network ingress point, as well as farther along in the network topology.
CoS differentiation is usually performed as a method of identifying traffic as it enters the network or a method that ensures that traffic is classified appropriately so that it is forced to conform with the desired user-defined policy or service-level agreement (SLA).
MPLS VPN Solution software provisions Class of Service on the ingress PE interfaces and the egress CE interfaces. MPLS VPN Solution software can apply any or all of the following CoS methods:
MPLS VPN Solution offers the following features for Class of Service (CoS) provisioning between a CE and a PE:
•
Shaping
Shaping is a method of mapping traffic into separate output queues to provide predictable network behavior. In MPLS VPNs, shaping is configured on either the CE's or PE's egress interfaces. For shaping, the product uses Generic Traffic Shaping (GTS) that includes an optional feature that handles Frame Relay Backward Explicit Congestion Notification (BECN) responses.
•
Policing
Policing takes place on traffic entering a PE from a CE and is configured on the CE's or PE's egress interfaces. The product uses Committed Access Rate (CAR) for policing.
•
Congestion Management
Congestion management is a scheme that provides preferential treatment to certain classes of traffic when the network is congested. In the context of MPLS VPNs, congestion management is put in place to manage heavy traffic from a PE as it moves to a CE. The product employs both GTS and (D)WRED.
GTS for congestion management is not a full-featured technique because it cannot preferentially queue and drop packets based on precedence. However, the ideal solution—Class-Based Weighted Fair Queueing—is not currently available.
GTS still has the powerful property of protecting other customers' SLAs, which are supported on shared fabric between the PE and CE. That is, if one customer suddenly converges all his traffic towards one CE, GTS shapes this load so that the shared medium is not saturated, hence preventing failure on all SLAs in the vicinity.
The other choice, Distributed Weighted Random Early Detection ((D)WRED) is simple to configure, although not particularly precise. (D)WRED is configured on the PE's egress interfaces.
MPLS VPN Solution over-specifies the inputs for congestion management, even though the current configuration uses only the bandwidth total.
All three techniques rely on existing IP precedence values in all packets. Policing may change these values, but the values to differentiate the service classes must have already been set before exiting from the CE. The setting of initial IP precedence values is called painting or marking.
Defining a Class of Service Profile
A Class of Service (CoS) profile represents a set of CoS configurations offered by a provider to its customer. Each CoS profile consists of a set of CoS classes that record information on how traffic shaping and policing are configured.
The MPLS VPN Solution software requires that you create a Class of Service (CoS) Profile only if you want the product to provision CoS on the PE-CE link. You can add additional CoS profiles at any time. This procedure only defines the CoS Profile—until you invoke it when you activate a service request, the CoS Profile has no effect.
Class of Service Profiles are applied to the Provider Edge Router (PE), but the CoS definition is enforced across the PE-CE link on both the PE and CE.
To define a Class of Service Profile, follow these steps:
Step 1
From the VPN Console hierarchy pane, select the name of the pertinent Provider Administrative Domain, then right-click.
The Service Provider menu appears.
Figure 3-24 Service Provider Menu
The Service Provider menu lets you open (that is, edit) the current settings for the administrative domain, define a new Region, list the service requests active for this administrative domain, and view the current topology for that domain.
Step 2
Select Open Provider A.D.
The Edit Provider Administrative Domain window appears.
Step 3
Choose the Class of Service (CoS) Profiles tab, then click Add.
Figure 3-25 Defining a Class of Service Profile
Step 4
Complete the Class of Service profile and click OK.
Valid input for the in-contract bandwidth is a range from 8,000 to 2,000,000,000 (in bits per second).
The PE can rate limit traffic to the subscribed bandwidth and mark the traffic that is within the specified bandwidth as in-contract, and mark traffic above the specified bandwidth as out-of-contract.
Marking a packet as in-contract or out-of-contract is done by setting the first bit of the precedence bits in the IP header. The appropriate class is indicated by the remaining two precedence bits (see Table 3-1). Traffic that exceeds any class is marked as out-of-contract, and this traffic can be dropped or mapped to a lower class of service. The out-of-contract bandwidth is initially set to the in-contract bandwidth, but you can set this to the values appropriate for the customer.
The customer can initially "paint" the packets that leave the customer edge router (the PE is the destination router), and MPLS VPN Solution allows policing or repainting of packets that enter the provider edge router.
For more information, see the "Quality of Service and Class of Service" section.
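The in-contract/out-of-contract marking and rate limiting described above, as an added illustration that is not part of the original document or the product: a hypothetical CoS profile model with the stated 8,000..2,000,000,000 bps validation, and a simplified two-bucket policer. The bit order within the precedence field (high bit = out-of-contract, low two bits = class) and the demotion-by-one-class behaviour are assumptions, not taken from the product.

```python
from dataclasses import dataclass

MIN_BPS, MAX_BPS = 8_000, 2_000_000_000  # stated limits for in-contract bandwidth (bps)

@dataclass
class CosProfile:
    """Hypothetical model of one CoS profile (not the product's data model)."""
    cos_class: int                   # 0-3, carried in two precedence bits
    in_contract_bps: int
    out_of_contract_bps: int = None  # dialog default: same as in-contract
    excess_action: str = "demote"    # "demote" to a lower class, or "drop"

    def __post_init__(self):
        if not MIN_BPS <= self.in_contract_bps <= MAX_BPS:
            raise ValueError("in-contract bandwidth must be 8,000..2,000,000,000 bps")
        if not 0 <= self.cos_class <= 3:
            raise ValueError("class must fit in two precedence bits")
        if self.out_of_contract_bps is None:
            self.out_of_contract_bps = self.in_contract_bps

def precedence(cos_class: int, in_contract: bool) -> int:
    """3-bit IP precedence. Assumed bit order: high bit set = out-of-contract,
    low two bits = class (the text gives the split, not which bit is first)."""
    return ((0 if in_contract else 1) << 2) | cos_class

class TwoRatePolicer:
    """Simplified two-bucket policer standing in for the PE's rate limiting."""

    def __init__(self, profile: CosProfile, burst_seconds: float = 1.0):
        self.p = profile
        self.in_max = profile.in_contract_bps * burst_seconds / 8       # bucket depth, bytes
        self.out_max = profile.out_of_contract_bps * burst_seconds / 8
        self.in_tok, self.out_tok, self.last = self.in_max, self.out_max, 0.0

    def police(self, now: float, size: int):
        """Return ("in" | "out" | "drop", precedence or None) for one packet."""
        dt, self.last = now - self.last, now
        self.in_tok = min(self.in_max, self.in_tok + self.p.in_contract_bps * dt / 8)
        self.out_tok = min(self.out_max, self.out_tok + self.p.out_of_contract_bps * dt / 8)
        if size <= self.in_tok and size <= self.out_tok:       # within subscribed rate
            self.in_tok -= size
            self.out_tok -= size
            return "in", precedence(self.p.cos_class, True)
        if size <= self.out_tok and self.p.excess_action == "demote":
            self.out_tok -= size                               # excess within the out-of-contract cap
            return "out", precedence(max(0, self.p.cos_class - 1), False)
        return "drop", None                                    # beyond the cap, or action is drop

def police_trace(profile: CosProfile, packets):
    """packets: iterable of (seconds, size_bytes); returns per-packet verdicts."""
    pol = TwoRatePolicer(profile)
    return [pol.police(t, size) for t, size in packets]
```

With a constructed trace of 600-byte packets against an 8 kbps in-contract / 16 kbps out-of-contract class-2 profile, the first packet is in-contract, the next two are demoted and marked out-of-contract, the fourth is dropped, and the bucket refills after one second.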
Creating a VPN Customer Definition
Creating a VPN Customer Definition includes the following tasks:
• Define the VPN customer information.
• Define the customer sites.
• Add the customer edge routers (CEs) to the sites.
When you add a CE to a site, you can indicate whether the CE is enabled for the Service Assurance Agent (SA Agent).
Defining the VPN Customer Information
To define the VPN customer information, follow these steps:
Step 1
From the VPN Console menu, choose Setup > New VPN Customer.
The New VPN Customer window appears.
Figure 3-26 Entering the New VPN Customer Information
Step 2
Enter the customer name.
Step 3
Optionally, enter the customer's contact information.
Though it is not required, entering the contact information is recommended.
For details on how to modify the VPN customer information, see the "Editing VPN Customer Information" section.
Defining the Customer Sites
A customer site is a collection of one or more customer edge routers (CEs).
Note
This procedure assumes the CEs in the customer site are managed by the provider.
To define a customer site, follow these steps:
Step 1
From the New VPN Customer window, click Add.
The Customer Site window appears.
Figure 3-27 Entering the Customer Site Information
Step 2
Enter the customer site name and location information.
For details on how to modify the customer site information, see the "Editing Customer Site and Site CE Definitions" section.
Adding the Customer Edge Routers to a Site
In addition to allowing you to assign specific CEs to a site, this procedure also lets you indicate the following:
• Whether the CE is a managed or unmanaged CE.
The Service Assurance Agent (SA Agent) can gather performance information from CEs only when they are managed CEs.
• Define the CE's Service Assurance Agent (SA Agent) status—no SA Agent usage, regular SA Agent, or shadow SA Agent. These options are discussed in detail below.
MPLS VPN Solution software monitors performance through the service-level agreement (SLA) servers. MPLS VPN Solution monitors the service related performance criteria by provisioning and monitoring SLAs on routers that support the Service Assurance Agent (SA Agent) management information base (MIB).
• Define the selected CE as a Management CE (MCE).
For information on the role of the MCE, see the "The Network Management Subnet Implementation Techniques" section.
To assign CEs to a site, follow these steps:
Step 1
From the Customer Site window, click Add.
Step 2
From the Add Customer Edge Routers window, select the appropriate service provider network from the Network drop-down list.
Figure 3-28 Assigning CEs to a Site
Step 3
From the list of routers displayed, select a CE in the current site.
Defining the CE as Managed or Unmanaged
Step 4
With the check box, indicate whether the CE is managed by the service provider or is an unmanaged CE.
MPLS VPN Solution provisions only managed CEs, thus the default is This customer edge router is managed by the provider. For more information about managed CEs and unmanaged CEs, see "Administering Customer Edge Routers."
Defining the CE's SA Agent Status
Note
The SA Agent can gather performance information from CEs only when they are managed CEs. Make sure that when you add a CE to VPN Customer that the CE is configured as a managed CE with either Regular SA Agent status or Shadow SA Agent status enabled.
Step 5
Indicate the CE's status regarding SA Agent.
• Selecting No SA Agent indicates that the CE does not employ the SA Agent feature.
• Selecting Regular SA Agent indicates that the CE has a dual function as a CE and an SA Agent router. That is, while functioning as a CE in the VPN, it is also monitoring traffic response times between CEs in the same VPN.
Note that a CE operating as an SA Agent device must also be a managed CE.
• Selecting Shadow SA Agent indicates that the designated CE is actually a PE (in provider space) functioning as an SA Agent device.
Note
The Management LAN and Management LAN, SA Agent options in this window allow you to define a router in service provider space as a Management CE (MCE) in a Management VPN. For information on these options, see the "Implementing the Management VPN Technique" section.
Step 6
Repeat Steps 1 through 5 for each CE you want to add to the customer site.
Step 7
When you have added all the CEs in the site to the CE list, click OK.
You return to the Edit Customer Site window. Note that the CEs selected here are displayed in the Customer Edge Routers pane.
Step 8
Click OK.
You return to the VPN Console. Under the VPN Customers folder in the VPN Console hierarchy pane, you can view the customers defined, the sites for each customer, and the list of CEs in each site.
Figure 3-29 Viewing the Customer Definition in the VPN Console
Step 9
Repeat the steps in "Creating a VPN Customer Definition" for each additional customer.
For information on how to modify the CE definition, see the "Editing or Viewing the Customer Edge Router Definition" section.
Editing VPN Customer Information
To edit (or view) the VPN Customer information, follow these steps:
Step 1
In the VPN Console hierarchy view, click the VPN Customers' open-close icon.
The list of VPN customers is displayed.
Step 2
Select the name of the pertinent customer, then right-click.
Step 3
From the Customers menu, choose Open VPN Customer.
The Edit VPN Customer window appears.
Figure 3-30 Edit VPN Customer Window
You can edit the contact information by changing the information in the Contact Info panel and clicking OK.
Editing Customer Site and Site CE Definitions
You can modify an existing CE definition and change whether the CE is managed or unmanaged, modify the CE's SA Agent status, indicate whether the CE is a Management CE (Management LAN option), and determine whether the MCE also provides SA Agent functionality.
To edit (or view) the customer site and site CE definition, follow these steps:
Step 1
From the VPN Console hierarchy view, click the VPN Customers open-close icon.
The list of VPN customers is displayed.
Step 2
Click the open-close icon for the pertinent VPN customer.
The list of sites for the selected customer is displayed.
Step 3
Select the appropriate site, then right-click.
The Site menu appears, as shown in Figure 3-31.
Figure 3-31 Site Menu
Step 4
From the Site menu, choose Open Site.
The Edit Customer Site window appears.
Figure 3-32 Edit Customer Site Window
Note
You can also access the Edit Customer Site window from the Edit VPN Customer window (see Figure 3-30) by selecting the pertinent Customer and clicking Edit.
Step 5
You can edit the location information by changing the information in the Location Info panel.
Editing or Viewing the Customer Edge Router Definition
Tips
The SA Agent can gather performance information from CEs only when they are managed CEs. Make sure that when you add a CE to VPN Customer that the CE is configured as a managed CE with either Regular SA Agent status or Shadow SA Agent status enabled.
Step 1
To edit or view the CE definition for the chosen site, select the CE you wish to edit, then click Edit.
The Edit Customer Edge Routers window appears.
Figure 3-33 Edit Customer Edge Routers Window
Step 2
Make the changes necessary for the selected CE, then click OK.
Defining a VPN
You have defined the network elements, defined the Provider Administrative Domain, and created the VPN customer definition. The final stage of setting up is to define the VPN.
Note
This procedure does not implement the VPN in the network; it only defines the VPN within the MPLS VPN Solution software.
To define the VPN, follow these steps:
Step 1
From the VPN Console menu, choose Setup > New VPN Definition.
Figure 3-34 Selecting the PAD for a New VPN
Step 2
From the drop-down list, select the Provider Administrative Domain for the VPN, then click OK.
The New VPN Definition window appears.
Figure 3-35 Defining a New VPN
Step 3
Enter the name of the new VPN and click OK.
You return to the VPN Console window, which now displays the new VPN name under the VPNs folder. This is all that is required to complete the VPN definition. However, you may want to define one or more CE Routing Communities for this VPN. If so, proceed to the next section.
Defining CE Routing Communities
Whenever you create a VPN, the MPLS VPN Solution software creates one default CE routing community (CERC) for you. This means that until you need advanced customer layout methods, you will not need to define new CERCs. Up to that point, consider a CERC as standing for the VPN itself—they are identical. If, for any reason, you need to override the software's choice of route target values, you can do this by editing the CERC definition since this is where these values are stored.
To define a new CE Routing Community (CERC) for a VPN, follow these steps:
Step 1
From the New VPN Definition window (accessed in the previous section), choose the CE Routing Communities (CERCs) tab.
Figure 3-36 CERC for a VPN Definition
Step 2
From the CE Routing Communities (CERCs) tab, click Edit.
The Add CE Routing Community window appears.
Figure 3-37 Add CE Routing Community Window
Note
CERCs should be defined only with consultation with the VPN network administrator.
Step 3
Complete the fields as required for the VPN, then click OK.
To build complex topologies, it is necessary to break down the required connectivity between CEs into groups, where each group is either fully meshed, or has a hub and spoke pattern. A CE can be in more than one group at a time, so long as each group has one of the two basic configuration patterns.
Each subgroup in the VPN needs its own CERC. Any CE that is only in one group just joins the corresponding CERC (as a spoke if necessary). If a CE is in more than one group, then you can use the Advanced Setup choice during provisioning to add the CE to all the relevant groups in one service request. Given this information, the provisioning software does the rest, assigning route target values and VRF tables to arrange exactly the connectivity the customer requires. You can use the Topology tool to double-check the CERC memberships and resultant VPN connection status.
For more information, see the "CE Routing Communities" section.
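The grouping rule above (each group is a full mesh or a hub-and-spoke, each group gets its own CERC, a CE may sit in several groups) can be cross-checked offline. The following is an added example, not the product's own code: it assigns route targets per CERC with the usual RFC 4364 pattern (mesh: one RT imported and exported by all members; hub-and-spoke: the hub exports a hub RT and imports a spoke RT, spokes do the reverse) and derives the resulting CE-to-CE connectivity, much as the Topology tool lets you verify. The `Cerc` class, the RT values and the ASN 65000 are constructed for the example.

```python
from dataclasses import dataclass
from itertools import count

@dataclass
class Cerc:
    """One CE routing community: a group that is full mesh or hub-and-spoke."""
    name: str
    members: list            # CE names in this group
    hub: str = None          # None = full mesh; otherwise the hub CE

def assign_route_targets(cercs, asn="65000"):
    """Map each CE to (export RTs, import RTs). Mesh: one shared RT; hub-and-spoke:
    hub exports hub RT / imports spoke RT, spokes export spoke RT / import hub RT.
    RT values are constructed here; the product chooses its own."""
    seq = count(1)
    vrf = {}

    def entry(ce):
        return vrf.setdefault(ce, (set(), set()))

    for c in cercs:
        if c.hub is None:
            rt = f"{asn}:{next(seq)}"
            for ce in c.members:
                exp, imp = entry(ce)
                exp.add(rt)
                imp.add(rt)
        else:
            if c.hub not in c.members:
                raise ValueError(f"hub {c.hub} is not a member of {c.name}")
            hub_rt, spoke_rt = f"{asn}:{next(seq)}", f"{asn}:{next(seq)}"
            for ce in c.members:
                exp, imp = entry(ce)
                if ce == c.hub:
                    exp.add(hub_rt)
                    imp.add(spoke_rt)
                else:
                    exp.add(spoke_rt)
                    imp.add(hub_rt)
    return vrf

def can_reach(vrf, src, dst):
    """True when src's VRF imports at least one RT that dst exports, i.e. src
    learns dst's routes directly (spoke-to-spoke traffic must transit the hub)."""
    return bool(vrf[src][1] & vrf[dst][0])

def connectivity(vrf):
    """Full matrix {(src, dst): bool} for cross-checking the intended layout."""
    return {(s, d): can_reach(vrf, s, d) for s in vrf for d in vrf if s != d}
```

A CE that belongs to two groups (a mesh and, as the hub, a hub-and-spoke) ends up exporting two route targets and importing two, which is exactly the case the Advanced Setup choice handles in one service request.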
Implementing the Management VPN Technique
The Management VPN technique is the default method provisioned by MPLS VPN Solution. A key concept for this implementation technique is that all the CEs in the network are a member of the management VPN. The Management VPN is a VPN that belongs to the service provider so that the service provider can manage the VPNs that belong to the provider's customers. Figure 3-38 shows a typical topology for the Management VPN technique.
Figure 3-38 Example of Management VPN Topology
A Management VPN employs two PE devices called the Management CE (MCE) and the Management PE (MPE).
• The network management subnet is connected to the Management CE (MCE). The MCE emulates the role of a customer edge router (CE), but the MCE is a router in provider space that serves as a network operations center gateway router. The MCE is part of a management site as defined in the MPLS VPN Solution software.
• The Management PE (MPE) is a router in service provider space that emulates the role of a PE in the provider core network. The MPE connects the MCE to the provider core network. An MPE can have a dual role as both a standard PE and the MPE.
The MPE needs access to the following devices:
The MPE-MCE link uses a Management VPN (see the "Management VPN Technique" section) to connect to managed CEs. To connect to the PEs and the NetFlow Collector, the MPE-MCE link uses a parallel IPv4 link.
Provisioning a Management VPN
This procedure assumes that routers that are to function as the MPE and MCE exist in the service provider network.
The first step is to create a VPN Customer specifically reserved as the Management VPN Customer. The Management VPN Customer should have a single site with a single CE—the router designated as the Management CE—assigned to the Management VPN Customer's site.
To provision a management VPN in MPLS VPN Solution software, follow these steps:
Step 1
From the VPN Console menu, choose Setup > New VPN Customer.
You can also right-click the VPN Customers folder and choose New VPN Customer.
The New VPN Customer window appears.
Figure 3-39 Creating the Management VPN Customer
Step 2
Enter the name of the Management VPN Customer. Remember that the Customer in this case is the service provider.
Step 3
Optionally, enter the contact information for the service provider network administrator.
Though it is not required, entering the contact information is recommended.
Step 4
To define the site for the Management VPN, click Add.
The Add Customer Site window appears.
Figure 3-40 Adding the Management VPN Customer Site
Step 5
Enter the management site's name and location information.
Step 6
To add the Management CE to the management site, click Add.
The Add Customer Edge Routers window appears (see Figure 3-41).
Step 7
From the Add Customer Edge Routers window, select the name of the service provider network from the Network drop-down list.
Figure 3-41 Adding the MCE to the Management Site
Step 8
From the list of routers, select the router that is to function as a Management CE (MCE).
Step 9
Define the router as an MCE by choosing one of these two options, then click OK.
• Management LAN
• Management LAN, SA Agent
Selecting the Management LAN, SA Agent option defines the router as both an MCE and a CE with SA Agent enabled.
When you click OK, the selected router is designated as the MCE. The next step is to provision a service request between the MCE and a PE designated as the Management PE (MPE).
For detailed information on deploying service requests in the MPLS VPN Solution software, see "Defining and Deploying MPLS VPN Service Requests."
Step 10
Choose Provisioning > Add VPN Service to CE.
The introductory panel in the Add VPN Service to CE wizard appears.
Step 11
Click Next.
When provisioning standard PE-CE links, the next window is used to select the CE in the PE-CE link. Setting up a service request for the MCE is a special case, however, so use this window instead to select the router designated as the MCE.
Figure 3-42 Selecting the MCE for the Service Request
Step 12
From the Customer drop-down list, select the name of the Management customer.
Step 13
From the Site drop-down list, select the name of the Management site.
As shown in Figure 3-42, the name of the router designated as the MCE appears in the CE Routers pane.
Step 14
When you have completed the selections, click Next.
When provisioning standard PE-CE links, the next window is used to select the PE in the PE-CE link. However, for this operation, use this window to select the router designated as the Management PE (MPE).
Figure 3-43 Selecting the MPE for the Service Request
Step 15
From the Provider drop-down list, select the name of the service provider.
Step 16
From the Region drop-down list, select the name of the Region where the MPE resides.