Getting Started with the MPLS VPN Solutions Center

Step 2 To keep the startup operations conveniently organized, open three terminal windows---the first window for the xhost process, the second window for the VPN Console and Watchdog user interface, and the third window for Orbix.

xhost MPLS_VPN_hostname

The MPLS_VPN_hostname parameter is the name of the MPLS VPN workstation. This command configures your system so that the Orbix user (orbixadm) and the MPLS VPN user (vpnadm) can communicate with the client system.

Step 2 Log in as the owner of the Orbix process (orbixadm).

rlogin computer_name -l orbixadm

or

su - orbixadm

Step 3 Go to the directory where Orbix is installed.

cd /opt/orbixadm/orbix/Orbix3

Step 4 Source the environment as required for your shell:

C-Shell: source setenvs.csh

K-Shell: . ./setenvs.sh

Step 5 Start the Orbix process in the background:

orbixd &

rlogin computer_name -l vpnadm

or

su - vpnadm

Step 3 Go to the MPLS VPN Solution installation directory.

cd /opt/vpnadm/vpn/

Step 4 Source the environment as required for your shell.

C-Shell: source vpnenv.csh

K-Shell: . ./vpnenv.sh

Step 5 Start the application's Watchdog processes:

startwd

Note To stop the Watchdog process and its user interface, issue the stopwd command.

Step 6 If you want to confirm that the servers are running, issue the following command:

wdclient status

Step 7 Start the MPLS VPN Solution software VPN Console:

To shut down the MPLS VPN Solution software, execute these commands:

Step 2 If the Watchdog user interface (WDGUI) is running, close it by selecting the window, right-click, then select Close from the menu.

stopwd -y

Step 4 Log out (exit) from the vpnadm software user.

Step 5 From the terminal window from which you launched Orbix, shut down the Name Server:

killit NS

Step 6 Discover the process ID of orbixd:

ps -ef | grep orbixd

Step 7 Shut down the Orbix process by issuing this command:

kill orbixd_process_ID

Step 8 Log out (exit) from the orbixadm software user.

There are two methods for defining targets and organizing them into the appropriate networks (or target groups):

• Importing all the pertinent router configuration files

A quick way to define the MPLS VPN networks and the targets in them is to import your router configuration files into the MPLS VPN Solution software. This method lets you specify a directory of router configuration files and the network for these routers. The network and the targets in the network are created based on the imported configuration files.

When employing this method, note that not all the necessary information is present after you import the files. You must then proceed to define the additional target information, such as the IP addresses, passwords, and so forth (described later in this document).

• Defining individual targets manually

Device names within each directory must be unique.

Note A configuration file filename must be identical to the hostname of the router in which it resides.

A typical set includes Provider and Customer edge routers (PEs and CEs).

Step 2 From the VPN Console menu, choose Setup > Create Targets From Router Configurations.

An informational window displays the following information:

This will create targets based on the router configuration files in a specified directory. A network will be created for the new targets.

You will be asked to enter the following information:

• Directory containing the router configuration files

• Network name for the new targets

• Domain name for the targets (optional)

Under the Networks folder in the hierarchy pane, the product software adds the network name you specified.

Step 2 Double-click the desired network from the list of networks.

The General tab for the Edit Multiple Targets window appears.

Step 5 In this window, select the check boxes for the fields you want to apply to all the selected targets: Network, Domain, and Description.

Step 6 Choose the desired network name from the Network field drop-down list.

Step 7 Enter the domain name.

Entering information in the Description field is optional (but recommended).

Step 8 Choose the Passwords tab.

In this example, we have not specified values for the Login User and Login Password fields, reserving those values for individual router configuration.

Step 10 Specify the information for the following fields, then click OK.

The recommended setting is three (3) retries.

e. SNMP and Telnet timeout

The recommended setting is 20 seconds.

When you click OK, you return to the Network window.

Step 2 Choose Actions > Edit Target.

Defining the Passwords and SNMP Community Strings for Individual Targets

The Enter IP Address window displays.

Step 6 Enter the IP address for the selected router, then click OK.

You return to the IP Addresses tab, where the IP address you entered is now displayed.

The Network window appears, displaying the names of the devices in the selected network.

Step 2 From the Network window, choose Actions>New Target.

The New Target window appears.

The Network window appears, displaying the names of all the devices in the selected network.

Step 2 From the Network window, choose Actions > New Target.

The New Target window appears.

Step 3 In the Target Name field, enter the UNIX host name of the NetFlow Collector device (NFC).

Step 4 Enter the domain name for the NFC.

Step 5 Click the Role drop down menu and choose NetFlow.

Note Entering a description in the Description pane is not required but recommended.

Step 6 Click the Passwords tab.

MPLS VPN Solution uses the username and password specified here to communicate with the NFC device.

Step 8 Complete the Retries and Timeout fields as necessary.

The recommended value for Retries is 4; the recommended value for Timeout is 20 seconds.

Step 9 Choose the IP Addresses tab and click Add.

The Enter IP Address window displays.

You return to the IP Addresses tab, where the IP address you entered is now displayed.

This completes the procedure for adding an NFC device to the network.

To view devices by their role, follow these steps:

The Network window appears in the data pane. By default, all the routers in the selected network are listed in the Network window.

Step 2 From the Network window, choose View > Filter by Role.

• To view all the devices---routers and NFC devices---in the network, choose View > All.

• To view all the Cisco routers in the network, choose View > Filter by Role > Cisco Routers.

• To view all the NetFlow Collector devices currently defined in the network, choose View > Filter by Role > NetFlow.

Note that a provider can also assign PEs to these Regions, thereby simplifying the PE selection process (for example, only presenting PEs in the European Region when adding service to a European customer edge router).

Tips Cisco recommends that providers create one Provider Administrative Domain and then define the Regions within the PAD.

• The BGP autonomous system (AS) number

• The names of the PE routers within the Region

• The IP address pools for point-to-point links (that is, the IP numbered links)

• The IP address pools for loopback links (that is, the IP unnumbered links)

To define a new Provider Administrative Domain, follow these steps:

Step 2 Enter the name of the PAD and the BGP Autonomous System (AS) number in the appropriate fields.

The contact information is optional, but it is a good idea to provide it.

The Region window appears.

Step 4 Enter the name of the Region.

The next step in creating a Region is to assign the provider edge routers that are in the Region.

When you select the Add button from the Region window, the Add Provider Edge Routers window appears.

Step 2 From the window's Network drop-down list, select the appropriate service provider network name (or a network that contains provider devices).

Step 3 From the list of routers, select a router to be assigned as a PE, then click OK.

You return to the Region window. The name of the router you selected is now displayed in the list of PE Routers.

Step 4 Repeat this procedure to add additional PEs to the Region as required.

The Service Provider menu appears.

Step 2 From the menu, choose Open Provider A.D.

The Edit Provider Administrative Domain window appears.

Step 3 From the General tab in the window, click Add.

The Region window appears.

Step 4 In the Name field, enter the name of the Region the PE is assigned to, then click Add.

Within a VPN or extranet, all IP addresses must be unique. Customer IP addresses must not overlap with the provider's IP addresses. Overlapping IP addresses are only possible when two devices cannot see each other---that is, when they are in isolated VPNs.

Caution Due to security and maintenance issues, Cisco does not recommend using customer IP addresses on the PE-CE link.

From this window, you can add IP address pool information for point-to-point (IP numbered) links or loopback (IP unnumbered) links.

Step 2 Choose which type of address pool you are defining and click Add.

The New IP Address Pool window appears.

Step 3 Enter the address for the IP address pool and click OK.

You return to the IP Address Pools window, where the new IP address pool information is displayed.

Step 4 Click OK.

You have now created a Region in the Provider Administrative Domain. You return to the New Provider Administrative Domain window, where the new Region name is displayed in the Regions field.

The list of Provider Administrative Domains are displayed.

Step 2 Select the desired Provider Administrative Domain and right-click.

The Service Provider menu appears.

Step 3 From the Service Provider menu, choose New Region.

Step 2 Click the desired Provider Administrative Domain's open-close icon.

The list of Regions is displayed.

Step 3 Select the desired Region, then right-click.

Step 4 From the Regions menu, choose Delete Region.

A confirmation window appears with the message, "Are you sure you want to delete this Region?"

Step 5 Click Yes.

The Region is deleted and removed from the VPN Console display.

The actual deployment of QoS in a network requires a division of labor for greatest efficiency. Because QoS requires intensive processing, the Cisco model distributes CoS duties between edge and core devices. Edge devices, such as provider edge routers (PEs), do most of the processor-intensive work, performing application recognition to identify flows and classify packets according to unique customer policies. Edge devices also provide bandwidth management. Core devices expedite forwarding while enforcing CoS levels assigned at the edge.

About CoS

Class of Service (Cos) is distinguished by providing differentiated classes of service. Before you can provide a higher quality of service to a customer, application, or protocol, you must classify the traffic into classes, and then determine the way in which to handle the various traffic classes as traffic moves through the network.

When differentiation is performed, it is done to identify traffic by a unique criteria and classify incoming traffic into classes. Each of the traffic classes must be recognized by the classification mechanisms at the network ingress point, as well as farther along in the network topology.

CoS differentiation is usually performed as a method of identifying traffic as it enters the network or a method that ensures that traffic is classified appropriately so that it is forced to conform with the desired user-defined policy or service-level agreement (SLA).

MPLS VPN Solution software provisions Class of Service on the ingress PE interfaces and the egress CE interfaces. MPLS VPN Solution software can apply any or all of the following CoS methods:

MPLS VPN Solution offers the following features for Class of Service (CoS) provisioning between a CE and a PE:

Shaping is a method of mapping traffic into separate output queues to provide predictable network behavior. In MPLS VPNs, shaping is configured on either the CE's or PE's egress interfaces. For shaping, the product uses Generic Traffic Shaping (GTS) that includes an optional feature that handles Frame Relay Backward Explicit Congestion Notification (BECN) responses.

Takes place into a PE from a CE and configured on the CE's or PE's egress interfaces. The product uses Committed Access Rate (CAR) for policing.

The MPLS VPN Solution software requires that you create a Class of Service (CoS) Profile only if you want the product to provision CoS on the PE-CE link. You can add additional CoS profiles at any time. This procedure only defines the CoS Profile---until you invoke it when you activate a service request, the CoS Profile has no effect.

Class of Service Profiles are applied to the Provider Edge Router (PE), but the CoS definition is enforced across the PE-CE link on both the PE and CE.

To define a Class of Service Profile, follow these steps:

The Service Provider menu appears.

Step 2 Select Open Provider A.D.

The Edit Provider Administrative Domain window appears.

Step 3 Choose the Class of Service (CoS) Profiles tab, then click Add.

Step 4 Complete the Class of Service profile and click OK.

The PE can rate limit traffic to the subscribed bandwidth and mark the traffic that is within the specified bandwidth as in-contract, and mark traffic above the specified bandwidth as out-of-contract.

The customer can initially "paint" the packets that leave the customer edge router (the PE is the destination router), and MPLS VPN Solution allows policing or repainting of packets that enter the provider edge router.

The New VPN Customer window appears.

Step 2 Enter the customer name.

Step 3 Optionally, enter the customer's contact information.

Though it is not required, entering the contact information is recommended.

Note This procedure assumes the CEs in the customer site are managed by the provider.

To define a customer site, follow these steps:

The Customer Site window appears.

Step 2 Enter the customer site name and location information.

• Whether the CE is a managed or unmanaged CE.

The Service Assurance Agent (SA Agent) can gather performance information from CEs only when they are managed CEs.

• Define the CE's Service Assurance Agent (SA Agent) status---no SA Agent usage, regular SA Agent, or shadow SA Agent. These options are discussed in detail below.

MPLS VPN Solution software monitors performance through the service-level agreement (SLA) servers. MPLS VPN Solution monitors the service related performance criteria by provisioning and monitoring SLAs on routers that support the Service Assurance Agent (SA Agent) management information base (MIB).

Step 2 From the Add Customer Edge Routers window, select the appropriate service provider network from the Network drop-down list.

Step 3 From the list of routers displayed, select a CE in the current site.

Defining the CE as Managed or Unmanaged

Note The Management LAN and Management LAN, SA Agent options in this window allow you to define a router in service provider space as a Management CE (MCE) in a Management VPN. For information on these options, see the "Implementing the Management VPN Technique" section.

Step 6 Repeat Steps 1 through 5 for each CE you want to add to the customer site.

Step 7 When you have added all the CEs in the site to the CE list, click OK.

You return to the Edit Customer Site window. Note that the CEs selected here are displayed in the Customer Edge Routers pane.

Step 8 Click OK.

You return to the VPN Console. Under the VPN Customers folder in the VPN Console hierarchy pane, you can view the customers defined, the sites for each customer, and the list of CEs in each site.

The list of VPN customers is displayed.

Step 2 Select the name of the pertinent customer, then right-click.

Step 3 From the Customers menu, choose Open VPN Customer.

The Edit VPN Customer window appears.

You can edit the contact information by changing the information in the Contact Info panel and clicking OK.

The list of VPN customers is displayed.

Step 2 Click the open-close icon for the pertinent VPN customer.

The list of sites for the selected customer is displayed.

Step 3 Select the appropriate site, then right-click.

Step 4 From the Site menu, choose Open Site.

The Edit Customer Site window appears.

Note You can also access the Edit Customer Site window from the Edit VPN Customer window (see Figure 3-30) by selecting the pertinent Customer and clicking Edit.

Step 5 You can edit the location information by changing the information in the Location Info panel.

Note This procedure does not implement the VPN in the network; it only defines the VPN within the MPLS VPN Solution software.

To define the VPN, follow these steps:

Step 2 From the drop-down list, select the Provider Administrative Domain for the VPN, then click OK.

The New VPN Definition window appears.

Step 3 Enter the name of the new VPN and click OK.

You return to the VPN Console window, which now displays the new VPN name under the VPNs folder. This is all that is required to complete the VPN definition. However, you may want to define one or more CE Routing Communities for this VPN. If so, proceed to the next section.

To define a new CE Routing Community (CERC) for a VPN, follow these steps:

Step 2 From the CE Routing Communities (CERCs) tab, click Edit.

The Add CE Routing Community window appears.

Note CERCs should be defined only with consultation with the VPN network administrator.

Step 3 Complete the fields as required for the VPN, then click OK.

To build complex topologies, it is necessary to break down the required connectivity between CEs into groups, where each group is either fully meshed, or has a hub and spoke pattern. A CE can be in more than one group at a time, so long as each group has one of the two basic configuration patterns.

Each subgroup in the VPN needs its own CERC. Any CE that is only in one group just joins the corresponding CERC (as a spoke if necessary). If a CE is in more than one group, then you can use the Advanced Setup choice during provisioning to add the CE to all the relevant groups in one service request. Given this information, the provisioning software does the rest, assigning route target values and VRF tables to arrange exactly the connectivity the customer requires. You can use the Topology tool to double-check the CERC memberships and resultant VPN connection status.

A Management VPN employs two PE devices called the Management CE (MCE) and the Management PE (MPE).

The MPE needs access to the following devices:

Device	Connectivity	Function
1. Customer Edge Routers (CEs)	Access from the network management subnet into the VPNs	Provision or change configuration and collect SA Agent performance data
2. Shadow routers	Access from the network management subnet into the VPNs	A simulated CE used to measure data travel time between two devices
3. Provider Edge Routers (PEs)	standard IP connectivity	Provision or change configuration
4. NetFlow Collector	standard IP connectivity	Collect data

The first step is to create a VPN Customer specifically reserved as the Management VPN Customer. The Management VPN Customer should have a single site with a single CE---the router designated as the Management CE---assigned to the Management VPN Customer's site.

To provision a management VPN in MPLS VPN Solution software, follow these steps:

You can also right-click the VPN Customers folder and choose New VPN Customer.

Step 2 Enter the name of the Management VPN Customer. Remember that the Customer in this case is the service provider.

Step 3 Optionally, enter the contact information for the service provider network administrator.

Though it is not required, entering the contact information is recommended.

Step 4 To define the site for the Management VPN, click Add.

The Add Customer Site window appears.

Step 5 Enter the management site's name and location information.

Step 6 To add the Management CE to the management site, click Add.

Step 9 Define the router as an MCE by choosing one of these two options, then click OK.

• Management LAN

• Management LAN, SA Agent

Selecting the Management LAN, SA Agent option defines the router as both an MCE and a CE with SA Agent enabled.

When you click OK, the selected router is designated as the MCE. The next step is to provision a service request between the MCE and a PE designated as the Management PE (MPE).

Step 12 From the Customer drop-down list, select the name of the Management customer.

Step 13 From the Site drop-down list, select the name of the Management site.

Step 15 From the Provider drop-down list, select the name of the service provider.

Step 16 From the Region drop-down list, select the name of the Region where the MPE resides.

Only the IP Numbered and IP Numbered with Extra CE Loopback options are valid for the MPE-MCE link.

Step 24 In the next window, you can optionally specify the import map and maximum routes parameters for the MCE, then click Next.You can also enable NetFlow accounting on the MCE from this window.

When you make the CE join the Management VPN in this step, MPLS VPN Solution generates the appropriate route-map statements in the PE's configlet.

The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF (and therefore, per VPN).

The Backup tool backs up the MPLS VPN Solution Repository, which includes all the database files, collected raw datasets, generated baseline reports, logs, service objects, and configlets, to a local directory on the MPLS VPN Solution machine. The backup options include Tar (which stands for "tape archiver" even though tape is rarely the backup medium these days) or Tar and compress.

To back up the Repository, follow these steps:

Step 2 Click Backup.

The Database Backup window appears.

Step 3 In the Source Directory field, enter the path name for the Repository you want to back up.

The Source Directory field is required. This field defaults to the directory of the currently used Repository. If you choose a different Repository to back up, in this field place the full path name to the directory of the Repository that you want to back up.

Step 4 In the Destination Directory field, enter the full path name to the directory where you want to copy the Repository files.

Step 5 Determine the method you want for Repository backup by choosing one of the following:

• Default

Choose this option if you want to back up the Repository and leave everything as is and copy the files to the destination directory.

• Tar

Choose this option if you want to back up the Repository and copy it to a TAR file in the destination directory.

• Tar and Compress

Choose this option if you want to back up the Repository and copy it to a compressed TAR file in the destination directory.

Step 6 If you want to turn on the verbose option when backing up the database, check the Show Details check box. This option gives you detailed progress information.

Step 7 Once you have completed the fields, buttons, and boxes in the Database Backup window, click Start Backup.

Note Optional: To return the fields and other settings on the Database Backup window to their default values, choose Reset.