Cisco Service Control MPLS/VPN Solution Guide, Release 5.2.x
Introduction to the Service Control MPLS/VPN Solution
Overview of the Service Control Solution for MPLS/VPN Networks
The Cisco Service Control MPLS/VPN Solution Guide is for experienced network administrators who are responsible for configuring and maintaining the Service Control Multiprotocol Label Switching (MPLS) or VPN solution.
Table 1 lists the Document Revision History, which records the changes to this document.
For additional information about the components of the Cisco Service Control MPLS/VPN solution, see the related documentation:
– Cisco SCE 10000 Software Configuration Guide
– Cisco SCE 10000 and vSCE CLI Command Reference
In addition, the extensive features and functionality of the SCE platform and its software are documented in these guides:
– Cisco SCE 10000 Installation and Configuration Guide
Note You can access Cisco software configuration, hardware installation, and maintenance documentation at Cisco.com.
– Regulatory Compliance and Safety Information for the Cisco Service Control Engine (SCE)
This section explains how the Cisco Service Control MPLS/VPN solution was developed to cope with the challenges faced by ISPs offering MPLS/VPN services.
Cisco offers a Service Control solution for service providers who are either offering MPLS/VPN services to their customers, or planning to introduce such a service in the near future. This solution targets providers offering enterprise-focused solutions as well as those involved in offering MPLS/VPN services to their small office, home office (SOHO) customers. This highest level solution allows complete visibility into the applications and services in MPLS/VPN tunnels for subscriber-based usage monitoring and billing, and is used for capacity control and differentiation of service levels as well.
The Service Control solution incorporates the ability to monitor and control all the traffic in an MPLS/VPN tunnel as belonging to a single subscriber entity, including traffic with private non-routable IP addresses. Its advanced functionality facilitates the implementation of the Cisco Service Control solution in MPLS/VPN environments, and the suite of capabilities that the solution provides.
Service providers who offer MPLS/VPN services are challenged in their ability to use their investment in the MPLS/VPN infrastructure. This hampers their ability to both reduce total cost of ownership and increase per customer revenue, aggregate revenue, and profitability.
These service providers need to:
In the Cisco MPLS/VPN Service Control solution, Cisco has managed to overcome the technical challenge of classifying flows with private non-routable IP addresses into the correct MPLS/VPN that these flows are part of. The challenge originates from the fact that the SCE platform may have been incorrectly classifying the packets of these flows. The Cisco MPLS/VPN solution implements a unique learning algorithm that can successfully, reliably, and correctly classify multiple flows in multiple MPLS/VPN tunnels, even if they have the same private IP address.
With the Cisco Service Control MPLS/VPN solution, service providers can benefit from granular per-subscriber and per-application usage reports. This granularity allows for complete per-subscriber and per-application Layer-7 visibility of the manner in which the MPLS/VPN subscribers use the service provider's network. The reports can, for example, show these details:
These reports can be used by the service provider network teams for capacity planning, and by the marketing teams for planning and rolling out new tiers of service packages.
In addition to the data records that enable these reports, the solution also generates data records that can be forwarded to mediation and billing systems and used for implementation of granular usage-based billing.
Service providers can also benefit from the Service Control MPLS/VPN solution by using the SCE platforms as network enforcement devices for a variety of per-network-based services, such as:
This flexibility not only provides an extremely attractive return on investment, but protects your investment as your needs for network and application infrastructure evolve.
Using the Service Control infrastructure to create these next-generation services provides the path to enhanced customer revenue streams, differentiated service offerings, and a cost structure commensurate with the required business model.
MPLS/VPN networks are very complex, and use many routing protocols and many different levels of addressing and control. In addition, the various VPNs may use overlapping IP addresses (private IPs).
The SCE platform makes a distinction between identical IP addresses that come from different VPNs, and maps them into subscribers according to the MPLS labels attached to the packets. This involves various mechanisms in all levels of the system.
The following assumptions and requirements allow the SCE platform to operate in an MPLS/VPN environment:
– External labels—For transport over the service provider MPLS core network.
These labels are not mandatory for VPN classification, and in some situations do not appear in the packet due to penultimate-hop popping (PHP) or other reasons.
– Internal labels [Border Gateway Protocol (BGP) labels]—To identify the VPNs connected to each edge router, and typically controlled by the BGP protocol.
These labels are mandatory for VPN classification.
Note The MPLS/VPN solution supports the existence of non-VPN-based subscribers concurrently with the MPLS/VPN-based subscribers. (See the “Non-VPN-Based Subscribers” section.)
Table 2 defines important terms and acronyms.
Term | Definition
PE | Router at the edge of the service provider network. The PE routers are the ones that connect to the customers, and maintain the VPNs.
P | Router in the core of the service provider network. P routers forward only MPLS packets, regardless of VPNs.
VPN | In the Service Control context, a VPN resides in a specific site. It is a managed entity over which private IP subscribers can be managed.
BGP LEG | Software module that resides on the Subscriber Manager server and generates BGP-related login events. The BGP LEG communicates with the BGP routers (PEs) and passes the relevant updates to the Subscriber Manager software, which generates login events to the SCE platform for the updated VPN-based subscribers.
Upstream | Traffic coming from the PE router and going into the P router.
Downstream | Traffic coming from the P router and going into the PE router.
RD | Used to uniquely identify the same network and mask from different VRFs (for example, 10.0.0.0/8 from VPN A and 10.0.0.0/8 from VPN B).
RT | Used by the routing protocols to control import and export policies, to build arbitrary VPN topologies for customers.
VRF | Mechanism used to build per-interface routing tables. Each PE has several VRFs, one for each site it connects to. This is how the private IPs remain unique.
The challenges involved in providing Service Control MPLS/VPN support are:
Service Control supports three mechanisms that make the MPLS/VPN support work:
Flow detection is the process of deciding which packets belong to the same flow. This relates to the first two challenges listed:
Flow detection is based on the MPLS labels, extending the basic 5-tuple that Cisco Service Control Operating System (Cisco SCOS) uses to identify flows, and takes into account that in MPLS the packet is labeled differently in each direction.
Because MPLS traffic is unidirectional, each direction is classified separately by the SCE platform, using these:
Downstream labels are learned from the control plane (through the Subscriber Manager BGP Login Event Generator (LEG)).
The network configuration that provides the division into VPNs is controlled by the Subscriber Manager. The network-wide value that describes a VPN most closely is either the RT or the RD.
The relevant module in the Subscriber Manager server is the BGP LEG. The BGP LEG is added to the BGP neighborhood for obtaining the information on the MPLS labels. The local PEs are configured to add the BGP LEG as a BGP peer.
The SCE platform detects that a flow belongs to a certain VPN according to the downstream label that the flow carries, and the MAC address of the PE router that it is sent to.
One VPN may spread over more than one PE router, as long as all the sites of the VPN are connected to the subscriber side of the same SCE platform.
VPNs can be configured only via the Subscriber Manager. The SCE platform CLI can be used to view VPN-related information, but not to configure the VPNs.
In MPLS/VPN (as in other modes of operation), each flow belongs to a certain subscriber. A VPN-based subscriber is a part of a VPN. The VPN itself corresponds to a set of IP addresses that are managed separately and that belong to a specific ISP customer who pays for the VPN service.
An MPLS/VPN-based subscriber can be defined as either of these:
The network configuration that provides the division into VPNs and VPN-based subscribers is controlled by the Subscriber Manager. (For more information, see the Cisco Service Control Management Suite Subscriber Manager User Guide.)
VPN-based subscribers can have private IP mappings, which are a combination of an IP range and a VPN mapping. Because the source of such mappings is typically in the BGP protocol, and they are received automatically from the protocol by the BGP agent, the IP ranges may contain overlapping ranges. The semantics of such overlaps is that of a longest prefix match.
For example, if subscriber A receives the range 10.0.0.0/8@VPN1 and subscriber B receives the range 10.1.0.0/16@VPN1, the system maps IPs that start with 10.1 to subscriber B, and any other address that begins with 10 to subscriber A. Traffic with other IP addresses on VPN1 is mapped to the unknown subscriber.
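The longest-prefix-match rule above, combined with the identification of a VPN by downstream label and PE router MAC address described earlier, can be modeled as follows. This is an added Python sketch, not Cisco code and not the SCE implementation; subscribers A and B and VPN1 follow the example in the text, while the MAC addresses, label values, subscriber C and VPN2 are constructed for illustration.

```python
"""Added illustration: VPN-aware subscriber lookup (simplified model)."""
import ipaddress

UNKNOWN_SUBSCRIBER = "unknown subscriber"
BYPASSED_VPN = "bypassed VPN"

# Constructed sample values (assumptions, not taken from the guide).
PE1_MAC = "00:11:22:33:44:01"
PE2_MAC = "00:11:22:33:44:02"


class VpnSubscriberTable:
    """Maps (PE MAC, downstream BGP label) to a VPN, then IP@VPN to a subscriber."""

    def __init__(self):
        self._label_to_vpn = {}  # (pe_mac, bgp_label) -> VPN name
        self._ranges = {}        # VPN name -> [(ip_network, subscriber), ...]

    def add_vpn_mapping(self, pe_mac, bgp_label, vpn):
        # A label is only meaningful together with the PE router it belongs to.
        self._label_to_vpn[(pe_mac.lower(), bgp_label)] = vpn

    def add_subscriber_range(self, subscriber, cidr, vpn):
        # Ranges are stored per VPN, so identical private ranges in
        # different VPNs never collide.
        net = ipaddress.ip_network(cidr, strict=True)
        self._ranges.setdefault(vpn, []).append((net, subscriber))

    def lookup_in_vpn(self, ip, vpn):
        """Longest prefix match among the ranges of one VPN."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, subscriber in self._ranges.get(vpn, []):
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, subscriber)
        return best[1] if best else UNKNOWN_SUBSCRIBER

    def classify_downstream(self, pe_mac, bgp_label, ip):
        """Classify a downstream packet sent to pe_mac carrying bgp_label."""
        vpn = self._label_to_vpn.get((pe_mac.lower(), bgp_label))
        if vpn is None:
            # Label not known from the Subscriber Manager: VPN is not managed.
            return BYPASSED_VPN
        return self.lookup_in_vpn(ip, vpn)


def build_example_table():
    table = VpnSubscriberTable()
    # VPN1 is reachable behind two PE routers; VPN2 behind one.
    table.add_vpn_mapping(PE1_MAC, 100, "VPN1")
    table.add_vpn_mapping(PE2_MAC, 300, "VPN1")
    table.add_vpn_mapping(PE2_MAC, 200, "VPN2")
    # Overlapping ranges inside VPN1 (from the text) ...
    table.add_subscriber_range("A", "10.0.0.0/8", "VPN1")
    table.add_subscriber_range("B", "10.1.0.0/16", "VPN1")
    # ... and the same private range reused in another VPN (constructed).
    table.add_subscriber_range("C", "10.1.0.0/16", "VPN2")
    return table


if __name__ == "__main__":
    t = build_example_table()
    samples = [
        (PE1_MAC, 100, "10.1.2.3"),     # longest match in VPN1
        (PE1_MAC, 100, "10.2.0.1"),     # only the /8 matches
        (PE1_MAC, 100, "192.168.1.1"),  # no range in VPN1
        (PE2_MAC, 200, "10.1.2.3"),     # same IP, different VPN
        (PE2_MAC, 100, "10.1.2.3"),     # label 100 is not defined on PE2
    ]
    for pe_mac, label, ip in samples:
        print(pe_mac, label, ip, "->", t.classify_downstream(pe_mac, label, ip))
```
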
For private IP subscribers, flows are distributed to traffic processors according to the VPN, not according to the IP address. This means that all traffic from any one VPN is mapped to the same traffic processor.
A VPN is identified by the RD or RT and the PE router.
– Mappings of downstream labels to VPNs are received from the Subscriber Manager
– Upstream labels are learned from the data
BGP LEG is a software module that runs on the Subscriber Manager server.
The MPLS/VPN solution supports the existence of non-VPN-based (regular IP) subscribers concurrently with the MPLS/VPN-based subscribers, with these limitations and requirements:
In typical MPLS/VPN networks, traffic that does not belong to any VPN is labeled with a single MPLS label in the upstream direction, which is used for routing. The downstream direction of such flows typically does not contain any label, because of PHP.
The SCE platform uses the definition "one or more labels upstream and no label downstream" to identify non-VPN flows. Classification and traffic processor load balancing on these flows is performed according to the IP header, rather than the label. This process requires learning of the upstream labels in use for such flows, and is done using the flow detection mechanism described above (see the “Flow Detection” section).
In an MPLS network, there may be many VPNs crossing the SCE platform, only a small number of which require service control functionality. It is necessary for the SCE platform to recognize which VPNs are not managed.
Note The label limit (see the “Limitations” section) of 57344 different labels includes labels from the bypassed VPNs.
Each bypassed VPN entry, both upstream and downstream, is removed from the database after a set period of time (10 minutes). If the entry is still used in the traffic, it is re-learned. This allows the database to remain clean, even if the labels are reused by the routers for different VPNs.
In the show bypassed VPNs command, the age is indicated with each label, that is, the length of time since it was learned.
The MPLS/VPN solution was designed to provide deep packet inspection (DPI) services in an MPLS/VPN network. These networks use BGP as the control plane for the VPNs and Label Distribution Protocol (LDP) for routing. There are complex networks in which the MPLS infrastructure is used not only for VPN and routing, but also for other features such as traffic engineering (TE) and better fail-over. These features are usually enabled per VRF in the PE.
The Service Control MPLS/VPN solution does not support VPNs that use other MPLS-related features. Features such as Cisco MPLS TE or MPLS-FRR (Fast Reroute) are not supported. VPNs for which these features are enabled can be automatically bypassed in the system, but are not allowed to be configured in the Subscriber Manager as serviced VPNs. Configuration of these VPNs in the Subscriber Manager might cause misclassification because of label aliasing.
This list describes the label combinations that are supported by the SCE platform and how each combination is interpreted by the platform:
The SCE platform treats these IP flows as non-VPN flows, and ignores their labels.
The label in the downstream direction is treated as a BGP label, as in the regular case. If the BGP label is known from the Subscriber Manager, the flow is assigned to the correct subscriber; otherwise, it is treated as a bypassed VPN.
Either the RD attribute or the RT attribute can be used to identify the VPN. You must decide which attribute best reflects the VPN partitioning, and configure the system accordingly. The configuration is global for all the VPNs, that is, all VPNs must be identified by the same attribute.
RD is generally used to distinguish the distinct VPN routes of separate customers who connect to the provider, so in most cases RD is a good partition for the VPNs in the network. Because RD is an identifier of the local VRF, and not the target VRF, it can be used to distinguish between VPNs that transfer information to a common central entity (for example, a central bank, IRS, Port Authority, and so forth).
RT is used to define the destination VPN site. Though it is not intuitive to define the VPN based on its destination route, it might be easier in some cases. For example, if all the VPN sites that communicate to a central bank must be treated as a single subscriber, consider using RT as the VPN identifier.
It is important to note that this configuration is global. Therefore, if at some point in time, any VPN would have to be defined by RD, all the other VPNs must be defined by RD as well. This is a point to consider when designing the initial deployment.
These are the general topology requirements for MPLS/VPN support:
Mutually Exclusive System Modes
When the system works in MPLS/VPN mode, these modes are not supported:
– Layer 2 Tunneling Protocol (L2TP) skip
Subscriber-Related Limitations
These subscriber-related limitations exist in the current solution:
Asymmetrical routing topology, in which the traffic may be unidirectional, is not supported because the MPLS/VPN solution relies on the bidirectional nature of the traffic for various mechanisms.
There must be enough TCP flows opening from the subscriber side on each PE-PE route in each period of time. The higher the rate of TCP flows from the subscriber side, the higher the accuracy of the mechanism.
VPN Configuration Requirements
These are the VPN configuration requirements:
– Connected to the same SCE platform
– Communicate with a common remote site by using the same upstream labels and P router.
This section explains how to configure MPLS/VPN support. Both the SCE platform and the Subscriber Manager must be configured correctly.
For MPLS/VPN support to function, the environment must be configured correctly. It specifically requires that:
Check the running configuration to verify that no user-configured values appear for tunneling protocols or VLAN support, indicating that they are all in default mode.
Step 1 At the SCE10000# prompt, enter show running-config and press Enter.
The running configuration appears.
Step 2 Check that no VLAN or L2TP configuration appears.
If either VLAN or tunneling support is in default mode, skip the relevant step in this procedure:
Step 1 At the SCE10000(config if)# prompt, enter default vlan and press Enter.
This configures VLAN support to default mode.
Step 2 At the SCE10000(config if)# prompt, enter no IP-tunnel and press Enter.
This disables all other tunneling protocol support.
Note All subscribers with VPN mappings must be cleared to change the tunneling mode. To clear all subscribers with VPN mappings when the Subscriber Manager is down, use the no subscriber all with-vpn-mappings CLI command.
Note In addition, all VPN mappings must also be removed. This can be done only via the Subscriber Manager CLU (which means that the connection with the Subscriber Manager must be up). See the “How to Manage VPN Mappings” section.
Step 3 At the SCE10000(config if)# prompt, enter MPLS VPN auto-learn and press Enter.
This enables the MPLS auto-learning mechanism.
There are three main steps to configure the SCE platform for MPLS/VPN support:
1. Correctly configure the MPLS tunneling environment by disabling all other tunneling protocols, including VLAN support. (See the “How to Configure the MPLS Environment” section.)
2. Define all PE routers, specifying the relevant interface IP addresses necessary for MAC resolution. (See the “How to Define the PE Routers” section.)
3. Configure the MAC resolver. (See the “How to Configure the MAC Resolver” section.)
– At least one interface IP address must be defined per PE router.
– Multiple interface IP addresses may be defined for one PE router.
– In the case where the PE router has multiple IP interfaces sharing the same MAC address, it is sufficient to configure just one of the PE interfaces.
Two interfaces cannot be defined with the same IP address, even if they have different VLAN tags. If such a configuration is attempted, it simply updates the VLAN tag information for the existing PE interface.
Each PE router that has managed VPNs behind it must be defined using the MPLS VPN PE-ID pe-id interface-ip-address interface-ip [vlan vlan] command at the SCE10000(config if)# prompt.
This defines the PE router with one interface IP address and an optional VLAN tag. The command may also be used to add an additional interface IP address to an existing PE router.
Use the commands specified in this section to remove one or all defined PE routers.
How to Remove a Specified PE Router
At the SCE10000(config if)# prompt, enter no MPLS VPN PE-ID pe-id and press Enter.
This command removes the specified PE router.
At the SCE10000(config if)# prompt, enter no MPLS VPN PE-Database and press Enter.
This command removes all configured PE routers.
How to Remove a Specified Interface from a PE Router
At the SCE10000(config if)# prompt, enter no MPLS VPN PE-ID pe-id interface-ip-address interface-ip and press Enter.
This command removes the specified interface from the PE router definition. The PE router itself is not removed.
The MAC resolver allows the SCOS to find the MAC address associated with a specific IP address. The MAC resolver must be configured when the SCE platform operates in MPLS/VPN mode, to translate the IP addresses of the PE router interfaces to their respective MAC addresses.
The MPLS/VPN mode needs the MAC resolver, as opposed to the standard ARP protocol, because the ARP is used by the management interface, whereas MPLS/VPN uses the traffic interfaces of the SCE platform, which ARP does not include.
The MAC resolver database holds the IP addresses registered by the clients to be resolved. The IP addresses of the routers are added to and removed from the database in either of two modes:
– Benefit—It works even if the MAC address of the PE interface changes.
– Drawback—Depending on the specific network topology, the MAC resolution convergence time may be undesirably long.
– Benefit—There is no initial delay until the IP addresses converge.
– Drawback—PE interface is not automatically updated via ARP updates; therefore, it does not automatically support cases where the MAC address changes on the fly.
However, for statically configured MAC addresses, a user log message appears when the system detects that the MAC address changed. This can be used by the operator to configure the new address.
These two modes can function simultaneously; therefore, selected PE routers can be configured statically, while the rest are resolved dynamically.
For more information about the MAC resolver, see these configuration guides:
At the SCE10000(config if)# prompt, enter mac-resolver arp ip_address [vlan vlan_tag] mac_address and press Enter.
This command adds the specified IP address and MAC address pair to the MAC resolver database.
At the SCE10000(config if)# prompt, enter no mac-resolver arp ip_address [vlan vlan_tag] and press Enter.
This command removes the specified IP address and MAC address pair from the MAC resolver database.
At the SCE10000# prompt, enter show interface linecard 0 mac-resolver arp and press Enter.
This command displays a listing of all IP addresses and corresponding MAC addresses currently registered in the MAC resolver database.
There are two main steps to configure the Subscriber Manager for MPLS/VPN support:
Step 1 Edit the p3sm.cfg configuration file to specify the field in the BGP messages that should be used by the Subscriber Manager for MPLS/VPN identification. See the “How to Edit the Subscriber Manager Configuration File” section.
Step 2 Install and configure the BGP Login Event Generator (LEG).
For more information, see the Cisco SCMS SM LEGs User Guide.
The Subscriber Manager configuration file, p3sm.cfg, must be configured to:
An optional parameter may be turned on to facilitate troubleshooting the BGP LEG installation. This parameter turns on detailed logging of messages received from the BGP LEG. It should be turned on only when necessary for troubleshooting and should always be turned off for normal operation of the system.
Add this parameter to the [MPLS/VPN] section of the p3sm.cfg configuration file:
To set up the Subscriber Manager to work with MPLS/VPN and enable IP ranges, use the support_ip_ranges parameter in the configuration file.
Set the support_ip_ranges parameter in the [Data Repository] section of the p3sm.cfg configuration file to “yes” as follows:
Note Resetting this parameter requires restarting the Subscriber Manager. This parameter is discarded on regular configuration loading (using CLU).
This section explains how to manage MPLS/VPN support:
SNMP support for MPLS/VPN auto-learn is provided in two ways:
The mplsVpnAutoLearnGrp MIB object group (pcubeSEObjs 17) contains information about MPLS/VPN auto-learning.
The objects in the mplsVpnAutoLearnGrp provide this information:
For more information, see the “Proprietary MIB Reference” chapter of Cisco SCE 10000 Software Configuration Guide.
There is one MPLS/VPN-related trap:
mplsVpnTotalHWMappingsThresholdExceeded (pcubeSeEvents 45)
To provide online notification of a resource deficiency, when the system reaches a level of 80 percent utilization of the hardware MPLS/VPN mappings, a warning message appears in the user log, and this SNMP trap is sent.
Both the warning and the trap are sent for each 100 mappings that are added after the threshold has been exceeded.
Use these Viewer commands to display subscriber mappings. These commands display this information:
vpn-name —Name of the VPN for which to display mappings.
At the SCE> prompt, enter show interface linecard 0 VPN name vpn-name and press Enter.
Displaying Mappings for a Specified VPN: Examples
This is an output of the show interface linecard 0 VPN name vpn-name command for an MPLS-based VPN:
This is an output of the show interface linecard 0 VPN name vpn-name command for a VLAN-based VPN:
This is an output of the show interface linecard 0 VPN name vpn-name command for an automatically created VLAN:
Use this command to display a listing of all currently logged-in VPNs:
At the SCE> prompt, enter show interface linecard 0 VPN all-names and press Enter.
At the SCE> prompt, enter show interface linecard 0 subscriber mapping included-in IP ip-range VPN vpn-name and press Enter.
The VPN option allows you to search for subscribers with a private IP mapping.
Displaying Subscribers Mapped to an IP range on a Specified VPN: Example
This is an example of using the show interface linecard 0 subscriber mapping included-in IP ip-range VPN vpn-name command to display subscribers mapped to an IP range on a specific VPN:
Use the amount keyword to display the number of subscribers rather than a listing of subscriber names.
At the SCE> prompt, enter show interface linecard 0 subscriber amount mapping included-in IP ip-range VPN vpn-name and press Enter.
Displaying the Number of Subscribers Mapped to Range on a Specified VPN: Example
This is an example of using the show interface linecard 0 subscriber amount mapping included-in IP ip-range VPN vpn-name command to display the number of subscribers mapped to a range on a specific VPN:
If the MPLS/VPN is configured as a single subscriber mapped to 0.0.0.0/0 on the VPN that is mapped to the specified MPLS, this option displays that subscriber.
At the SCE10000# prompt, enter show interface linecard 0 subscriber mapping MPLS/VPN PE-ID pe-id BGP-label label and press Enter.
Displaying the Subscriber Mapped to a Specified VPN: Example 1
Displaying the Subscriber Mapped to a Specified VPN: Example 2
At the SCE10000# prompt, enter show interface linecard 0 MPLS/VPN non-VPN-mappings and press Enter.
Use the clear interface linecard 0 VPN name vpn-name upstream mpls all command, at the SCE10000# prompt, to remove all learned upstream labels of a specified VPN.
This command, in effect, causes early label aging. Clearing the mappings allows relearning; labels are quickly relearned after they have been cleared. Therefore, this command is useful when you want to update the VPN mappings without waiting for the standard aging period.
Use the Viewer command to display subscriber counters, including those related to MPLS/VPN mappings.
When MPLS/VPN-based subscribers are enabled, these related counters appear in addition to the basic subscriber counters:
– Current number of MPLS/VPN-based subscribers that have VPN mappings.
– Maximum number of MPLS/VPN-based subscribers.
– Current number of used MPLS/VPN mappings.
– Maximum number of MPLS/VPN mappings.
Note These values reflect the total number of mappings, not just the mappings used by MPLS/VPN-based subscribers. Bypassed VPNs also consume MPLS/VPN mappings.
At the SCE10000# prompt, enter show interface linecard 0 subscriber db counters and press Enter.
This is an example of the show interface linecard 0 subscriber db counters command output:
Use this Viewer command to display MPLS/VPN information:
At the SCE10000# prompt, enter show interface linecard 0 mpls vpn and press Enter.
This is an example of the show interface linecard 0 mpls vpn command output:
Use the Viewer commands to monitor PE routers. These commands provide the configuration information of:
At the SCE10000# prompt, enter show interface linecard 0 MPLS VPN PE-Database and press Enter.
At the SCE10000# prompt, enter show interface linecard 0 MPLS VPN PE-Database PE-ID pe-id and press Enter.
At the SCE10000# prompt, enter show interface linecard 0 MPLS VPN Bypassed-VPNs and press Enter.
At the SCE10000# prompt, enter clear interface linecard 0 MPLS VPN Bypassed-VPNs and press Enter.
At the SCE10000# prompt, enter show interface linecard 0 MPLS VPN non-VPN-mappings and press Enter.
At the SCE10000# prompt, enter clear interface linecard 0 MPLS VPN non-VPN-mappings and press Enter.
The Subscriber Manager CLU allows you to do these:
For more information, see the Cisco Service Control Management Suite Subscriber Manager User Guide.
– RT—Route target of the VPN, specified by using the ASN:n notation or the IP:n notation.
At the shell prompt, enter the p3vpn --add --vpn=VPN-Name --MPLS/VPN=RT@PE,(RT@PE2, RT@PE3,...) command.
At the shell prompt, enter the p3vpn --show-all command.
Listing All Subscribers for a Specified VPN
At the shell prompt, enter the p3vpn --show-sub --vpn=VPN-Name command.
Listing All Subscribers for a Specified VPN: Example
Displaying the Mappings for a Specified VPN
At the shell prompt, enter the p3vpn --show --vpn=VPN-Name command.
Removing All Existing Mappings from a Specified VPN
At the shell prompt, enter the p3vpn --remove-all-mappings --vpn=VPN-Name command.
Removing a Specified Mapping from a Specified VPN
From the shell prompt, enter the p3vpn --remove-mappings --vpn=VPN-Name --MPLS/VPN=RT@PE,(RT@PE2, RT@PE3,...) command.
There are three types of mappings that can be added to an existing VPN-based subscriber:
– IP— IP address. This may be any of these:
– VPN-NAME— name of the VPN to which the community attribute is assigned.
At the shell prompt, enter the p3subs --add --subscriber=SUB-NAME --ip=IP1[/RANGE][,...]@VPN-NAME [--additive-mappings] command.
This option is supported to provide backwards compatibility with MPLS/VPN-based subscribers in releases earlier than 3.1.5.
At the shell prompt, enter the p3subs --add --subscriber=SUB-NAME --vpn=VPN-NAME [--additive-mappings] command.
An optional parameter may be set defining a community attribute. The community attribute provides a mechanism for defining the BGP community as one subscriber, using the community@VPN specification.
The community attribute in the BGP protocol is used to dynamically map IP ranges to subscribers. The community attribute can be configured in the PE router or in the CE router.
The community@VPN specification is replaced by an IP@VPN specification by the BGP LEG.
Use the p3subs utility to configure the community parameter.
– AS —Autonomous system. Integer in the range from 0 to 65535 assigned by the network administrator.
– value —Community attribute. Integer in the range from 0 to 65535 assigned by the network administrator.
– VPN-NAME —Name of the VPN to which the community attribute is assigned.
At the shell prompt, enter the p3subs --add --subscriber=SUB-NAME --community=AS:value@VPN-NAME command.
At the shell prompt, enter the p3subs --remove-all-mappings --subscriber=SUB-NAME command.
At the shell prompt, enter the p3subs --remove-mappings --subscriber=SUB-NAME --ip=IP1[/RANGE][,...]@VPN-NAME command.
At the shell prompt, enter the p3subs --remove-mappings --subscriber=SUB-NAME --vpn=VPN-NAME command.