Cisco cBR Converged Broadband Routers Layer 2 and Layer 3 VPN Configuration Guide for Cisco IOS XE Fuji 16.7.x
This feature module describes the Multiprotocol Label Switching Virtual Private Network (MPLS VPN) and cable interface bundling
features. It explains how to create a VPN using MPLS protocol, cable interfaces, bundle interfaces and sub bundle interfaces.
VPNs can be created in many ways using different protocols.
Finding Feature Information
Your software release may not support all the features that are documented in this module. For the latest feature information
and caveats, see the release notes for your platform and software release. The Feature Information Table at the end of this
document provides information about the documented features and lists the releases in which each feature is supported.
Hardware Compatibility Matrix for the Cisco cBR Series Routers
The hardware components that are introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless
Table 1. Hardware Compatibility Matrix for the Cisco cBR Series Routers
Cisco CMTS Platform
Cisco cBR-8 Converged Broadband Router
Cisco IOS-XE Release 16.5.1 and Later Releases
Cisco IOS-XE Release 16.5.1 and Later Releases
Cisco cBR-8 CCAP Line Cards:
Cisco cBR-8 Downstream PHY Modules:
Cisco cBR-8 Upstream PHY Modules:
Using MPLS VPN
technology, service providers can create scalable and efficient private
networks using a shared hybrid fiber coaxial (HFC) network and Internet
protocol (IP) infrastructure.
The cable MPLS VPN
network consists of:
The Multiple Service
Operator (MSO) or cable company that owns the physical infrastructure and
builds VPNs for the Internet Service Providers (ISPs) to move traffic over the
cable and IP backbone.
ISPs that use the HFC
network and IP infrastructure to supply Internet service to cable customers.
Each ISP moves
traffic to and from a subscriber's PC, through the MSO's physical network
infrastructure, to the ISP's network. MPLS VPNs, created in Layer 3, provide
privacy and security by constraining the distribution of a VPN’s routes only to
the routers that belong to its network. Thus, each ISP's VPN is insulated from
other ISPs that use the same MSO infrastructure.
An MPLS VPN assigns
a unique VPN Routing/Forwarding (VRF) instance to each VPN. A VRF instance
consists of an IP routing table, a derived forwarding table, a set of
interfaces that use the forwarding table, and a set of rules and routing
protocols that determine the contents of the forwarding table.
Each PE router
maintains one or more VRF tables. It looks up a packet’s IP destination address
in the appropriate VRF table, only if the packet arrived directly through an
interface associated with that table.
MPLS VPNs use a
combination of BGP and IP address resolution to ensure security. See
Multiprotocol Label Switching.
The table shows a
cable MPLS VPN network. The routers in the network are:
Provider (P) router—Routers in the core of the provider network. P routers run MPLS
switching, and do not attach VPN labels (MPLS label in each route assigned by
the PE router) to routed packets. VPN labels are used to direct data packets to
the correct egress router.
Provider Edge (PE) router—
Router that adds the VPN label to incoming packets based on the interface or
subinterface on which they are received. A PE router attaches directly to a CE
router. In the MPLS-VPN approach, each Cisco CMTS router acts as a PE router.
Customer (C) router—Router
in the ISP or enterprise network.
Customer Edge (CE)
router—Edge router on the ISP’s network that connects to the PE router on the
MSO’s network. A CE router must interface with a PE router.
The MPLS network
has a unique VPN, called the management VPN, that exclusively manages the MSO's
devices. It contains servers and devices that other VPNs can access. The
management VPN connects the Cisco CMTS router to a PE router, which connects to
management servers such as Cisco Network Registrar (CNR) and Time of Day (ToD)
servers. A PE router connects to management servers and is a part of the
management VPN. Regardless of the ISP they belong to, the management servers
serve the Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS),
and ToD requests coming from PCs or cable modems.
MPLS VPNs, you must configure the first subinterface created as a part of the
configuration involves an:
MSO domain that requires a
direct peering link to each enterprise network (ISP), provisioning servers for
residential and commercial subscribers, and dynamic DNS for commercial users.
The MSO manages cable interface IP addressing, Data-over-Cable Service
Interface Specifications (DOCSIS) provisioning, CM hostnames, routing
modifications, privilege levels, and usernames and passwords.
ISP or enterprise domain
that includes the DHCP server for subscriber or telecommuter host devices,
enterprise gateway within the MSO address space, and static routes back to the
that the MSO assign all addresses to the end user devices and gateway
interfaces. The MSO can also use split management to let the ISP configure
tunnels and security.
In an MPLS VPN
configuration, the MSO must configure the following:
One VPN per ISP
DOCSIS servers for all cable modem customers. The MSO must attach DOCSIS
servers to the management VPN, and make them visible.
The MSO must
configure the Cisco CMTS routers that serve the ISP, and remote PE routers
connecting to the ISP, as PE routers in the VPN.
The MSO must
determine the primary IP address range for all cable modems.
The ISP must
determine the secondary IP address range for subscriber PCs.
To reduce security breaches and differentiate DHCP requests from cable modems in VPNs or under specific ISP management, MSOs
can use the cable helper-address command in Cisco IOS-XE software. The MSO can specify the host IP address to be accessible only in the ISP’s VPN. This lets the ISP use its DHCP
server to allocate IP addresses. The cable modem IP address must be accessible from the management VPN.
The MPLS VPN
approach of creating VPNs for individual ISPs or customers requires
subinterfaces to be configured on the virtual bundle interface. Each ISP
requires one subinterface. The subinterfaces are tied to the VPN
Routing/Forwarding (VRF) tables for their respective ISPs. The first
subinterface must be created on the cable interface bound to the management
To route a reply
from the CNR back to the cable modem, the PE router that connects to the CNR
must import the routes of the ISP VPN into the management VPN. Similarly, to
forward management requests (such as DHCP renewal to CNR) to the cable modems,
the ISP VPN must export and import the appropriate management VPN routes.
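The route exchange described above can be audited offline before a configuration is pushed. The following is an added example, not code from the Cisco guide: it assumes VRFs are written as `ip vrf` stanzas with `route-target import` and `route-target export` lines, and the names `isp1-vpn` and `isp2-vpn`, the RDs and the route-target values are constructed for illustration.

```python
import re

# Constructed sample: VRF names, RDs and route targets are illustrative only.
SAMPLE_CONFIG = """\
ip vrf mgmt-vpn
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 route-target import 100:2
 route-target import 100:3
ip vrf isp1-vpn
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:1
ip vrf isp2-vpn
 rd 100:3
 route-target export 100:3
 route-target import 100:3
 route-target import 100:2
"""

def parse_vrfs(config):
    """Map each 'ip vrf' stanza to its sets of imported and exported route targets."""
    vrfs = {}
    for name, body in re.findall(r"^ip vrf (\S+)\n((?: .*\n)*)", config + "\n", re.M):
        rts = re.findall(r"route-target (import|export) (\S+)", body)
        vrfs[name] = {k: {rt for kind, rt in rts if kind == k} for k in ("import", "export")}
    return vrfs

def audit_route_targets(config, mgmt="mgmt-vpn"):
    """Flag ISP VRFs that miss the management exchange or import another ISP's routes."""
    vrfs = parse_vrfs(config)
    isps = {name: vrf for name, vrf in vrfs.items() if name != mgmt}
    findings = []
    for name, vrf in isps.items():
        if not vrf["import"] & vrfs[mgmt]["export"]:
            findings.append(f"{name}: does not import management routes")
        if not vrfs[mgmt]["import"] & vrf["export"]:
            findings.append(f"{mgmt}: does not import routes of {name}")
        for other, ovrf in isps.items():
            if other != name and vrf["import"] & ovrf["export"]:
                findings.append(f"{name}: imports routes of {other} (isolation broken)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_route_targets(SAMPLE_CONFIG)))
```

In the constructed sample, `isp2-vpn` imports the route target of `isp1-vpn` instead of the management one, so the audit reports both the missing management import and the broken ISP-to-ISP isolation.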
You can group all
of the cable interfaces on a Cisco CMTS router into a single bundle so that
only one subnet is required for each router. When you group cable interfaces,
no separate IP subnet for each individual cable interface is required. This
grouping avoids the performance, memory, and security problems in using a
bridging solution to manage subnets, especially for a large number of
traffic to be differentiated on a single physical interface, and assigned to
multiple VPNs. You can configure multiple subinterfaces, and associate an MPLS
VPN with each subinterface. You can split a single physical interface (the
cable plant) into multiple subinterfaces, where each subinterface is associated
with a specific VPN. Each ISP requires access on a physical interface and is
given its own subinterface. Create a management subinterface to support cable
modem initialization from an ISP.
subinterface associated with a specific VPN (and therefore, ISP) subscribers
connect to a logical subinterface, which reflects the ISP that provides their
subscribed services. When properly configured, subscriber traffic enters the
appropriate subinterface and VPN.
MPLS VPNs give cable MSOs
and ISPs a manageable way of supporting multiple access to a cable plant.
Service providers can create scalable and efficient VPNs across the core of
their networks. MPLS VPNs support scalability in cable
transport infrastructure and management.
Each ISP can support
Internet access services from a subscriber’s PC through an MSO’s physical cable
plant to their networks.
MPLS VPNs allow MSOs to
deliver value-added services through an ISP, and thus, deliver connectivity to
a wider set of potential customers. MSOs can partner with ISPs to deliver
multiple services from multiple ISPs and add value within the MSO’s own network
using VPN technology.
Subscribers can select combinations
of services from various service providers.
The MPLS VPN cable feature set builds
on CMTS DOCSIS 1.0 and DOCSIS 1.0 extensions to ensure services are reliably
and optimally delivered over the cable plant. MPLS VPN provides system support for
domain selection, authentication per subscriber, selection of QoS, policy-based
routing, and the ability to reach behind the cable modem to subscriber end devices
for QoS and billing while preventing session spoofing.
technology ensures both secure access across the shared cable infrastructure
and service integrity.
bundling eliminates the need for an IP subnet on each cable interface. Instead,
an IP subnet is only required for each cable interface bundle. All cable
interfaces in a Cisco CMTS router can be added to a single bundle.
Each subinterface on the CMTS requires an address range from the ISP and from the MSO. These two ranges must not overlap
and must be extensible to support an increased number of subscribers for scalability.
does not address allocation and management of MSO and ISP IP addresses. See
Multiprotocol Label Switching for this information.
The cable source-verify dhcp command enables the Dynamic Host Configuration Protocol (DHCP) Leasequery protocol from the CMTS to the DHCP server to verify the IP addresses
of upstream traffic, and to prevent MSO customers from using unauthorized, spoofed, or stolen IP addresses.
When using only MPLS VPNs, create subinterfaces on the virtual bundle, assign each one an IP address, and provide VRF configuration
for each ISP. When you create subinterfaces and configure only MPLS VPNs, the cable interface bundling feature is independent
of the MPLS VPN.
When using cable interface bundling:
Define a virtual bundle interface and associate any cable physical interface to the virtual bundle.
Specify all generic IP networking information (such as IP address, routing protocols, and switching modes) on the virtual
bundle interface. Do not specify generic IP networking information on bundle subsidiary interfaces.
An interface that has a subinterface(s) defined over it is not allowed to be a part of the bundle.
Specify generic (not downstream or upstream related) cable interface configurations, such as source-verify or ARP handling,
on the virtual bundle interface. Do not specify generic configuration on bundle subsidiary interfaces.
Interface bundles can only be configured using the command line interface (including the CLI-based HTML configuration).
IP-based VPNs, complete the following tasks:
Ensure your network supports reliable
broadband data transmission. Your plant must be swept, balanced, and certified
based on National Television Standards Committee (NTSC) or appropriate
international cable plant recommendations. Ensure your plant meets all DOCSIS
or European Data-over-Cable Service Interface Specifications (EuroDOCSIS)
downstream and upstream RF requirements.
Ensure your Cisco router is installed
following instructions in the Hardware Installation Guide and the Regulatory
Compliance and Safety Information guide.
Cisco router is configured for basic operations.
The chassis must contain at
least one port adapter to provide backbone connectivity and one Cisco cable
modem card to serve as the RF cable TV interface.
Other Important Information
Ensure all other required
headend or distribution hub routing and network interface equipment is
installed, configured, and operational based on the services to support. This
includes all routers, servers (DHCP, TFTP, and ToD), network management
systems, other configuration or billing systems and backbone, and other
equipment to support VPN.
Ensure DHCP and DOCSIS configuration files have been created and
pushed to appropriate servers such that each cable modem, when initialized, can
transmit a DHCP request, receive an IP address, obtain TFTP and ToD server
addresses, and download a DOCSIS configuration file. Configure each
subinterface to connect to the ISP’s VPN.
Ensure DOCSIS servers are visible on the management VPN.
Be familiar with your channel plan to assign appropriate
frequencies. Outline your strategies for setting up bundling or VPN solution
sets if applicable to your headend or distribution hub. Obtain passwords, IP
addresses, subnet masks, and device names as appropriate.
Create subinterfaces off of a virtual bundle interface. Configure
each subinterface to connect to the ISP network.
The MPLS VPN configuration steps assume the following:
IP addressing has already been determined and there are assigned
ranges in the MSO and ISP network for specific subinterfaces.
The MSO is using CNR and has configured it (using the
cable helper-address command) to serve appropriate IP
addresses to cable modems based on the cable modem MAC address. The CMTS
forwards DHCP requests to the CNR based on the
cable helper-address settings. The CNR server
determines the IP address to assign the cable modem using the client-classes
feature, which lets the CNR assign specific parameters to devices based on MAC
ISP CE routers are configured (using the
cable helper-address command) to appropriately route
relevant IP address ranges into the VPN.
P and PE routers are already running Cisco Express Forwarding
MPLS is configured on the outbound VPN using the
tag-switching ip command in interface configuration mode.
To configure MPLS
VPNs, perform the following tasks:
Creating VRFs for
To create VRFs
for each VPN, perform the following steps beginning in the router configuration
Since only the
CMTS has logical subinterfaces, assignments of VRFs on the other PE devices
will be to specific physical interfaces.
Command or Action
configuration mode (config-vrf)# and maps a VRF table to the VPN (specified by
mgmt-vpn ). The management VPN is the first VPN configured.
routing and forwarding table by assigning a route distinguisher to the
routes for the VPNs (mgmt-vpn) route distinguisher.
Subinterfaces on a Virtual Bundle Interface and Assigning VRFs
To create a
logical cable subinterface, perform the following steps beginning in the global
configuration mode. Create one subinterface for each VPN (one per ISP). The
first subinterface created must be configured as part of the management VPN
(with the lowest subinterface number).
Command or Action
virtual bundle interface configuration mode and defines the first (management)
subinterface with the lowest subinterface number.
the subinterface as the management subinterface.
subinterface to the management VPN (the MPLS VPN used by the MSO to supply
service to customers).
subinterface an IP address and a subnet mask.
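The subinterface rules in this guide (management VPN on the lowest-numbered subinterface, one VRF per subinterface, non-overlapping MSO and ISP ranges) can be checked against a candidate configuration. The following is an added example, not code from the Cisco guide: it assumes `interface Bundle<n>.<m>` stanzas with `ip vrf forwarding` and `ip address` lines, treats every address line on a subinterface as one of its ranges, and uses constructed interface numbers, VRF names and addresses.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: interface numbers, VRF names and addresses are illustrative.
SAMPLE_CONFIG = """\
interface Bundle1.1
 ip vrf forwarding mgmt-vpn
 ip address 10.0.0.1 255.255.255.0
interface Bundle1.2
 ip vrf forwarding isp1-vpn
 ip address 10.1.0.1 255.255.0.0
 ip address 172.16.0.1 255.255.0.0 secondary
interface Bundle1.3
 ip vrf forwarding isp2-vpn
 ip address 10.2.0.1 255.255.0.0
 ip address 10.2.128.1 255.255.128.0 secondary
"""

def parse_subinterfaces(config):
    """Map subinterface number to its VRF name and configured IPv4 networks."""
    subifs = {}
    stanzas = re.findall(r"^interface Bundle\d+\.(\d+)\n((?: .*\n)*)", config + "\n", re.M)
    for num, body in stanzas:
        vrf = re.search(r"ip vrf forwarding (\S+)", body)
        nets = [ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                for addr, mask in re.findall(r"ip address (\S+) (\S+)", body)]
        subifs[int(num)] = {"vrf": vrf.group(1) if vrf else None, "nets": nets}
    return subifs

def audit_bundle(config, mgmt="mgmt-vpn"):
    """Check the management-first rule, VRF binding, and per-subinterface range overlap."""
    subifs = parse_subinterfaces(config)
    findings = []
    if subifs and subifs[min(subifs)]["vrf"] != mgmt:
        findings.append(f"lowest subinterface .{min(subifs)} is not in {mgmt}")
    for num, sub in sorted(subifs.items()):
        if sub["vrf"] is None:
            findings.append(f".{num}: no VRF assigned")
        for a, b in combinations(sub["nets"], 2):
            if a.overlaps(b):
                findings.append(f".{num}: ranges {a} and {b} overlap")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_bundle(SAMPLE_CONFIG)))
```

A subinterface with no VRF is worth flagging because its routes would sit in the global table rather than in an ISP's VPN.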
Feature Information for MPLS VPN Cable Enhancements
Use Cisco Feature Navigator to find information about the platform support and software image support. Cisco Feature Navigator
enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature
Navigator, go to the www.cisco.com/go/cfn link. An account on the Cisco.com page is not required.
The following table lists the software release in which a given feature is introduced. Unless noted otherwise, subsequent
releases of that software release train also support that feature.
Table 2. Feature Information for MPLS VPN Cable Enhancements