Defining and Deploying MPLS VPN Service Requests

The focus of the MPLS VPN Solution product is the service provided for a customer on the link between the customer's CE and the provider's PE. This chapter describes how you create a service request in the MPLS VPN Solution software, as well as how to modify and delete service requests. Finally, this chapter tells you how to check on a service request's status and find out what went wrong if the request failed.

MPLS VPN Service Request Summary

The service model is the centerpiece of service provisioning. With the service model, the MPLS VPN Solution software can capture the specified VPN service provisioning request, analyze the validity of the request, and audit the provisioning results.

The service provider operators take all service request information from their customers. MPLS VPN Solution can assist the operator in making entries because the product has customer information such as the VPN information, the list of the assigned PEs and CEs, and so forth.

The MPLS VPN Solution VPN Console steps the operator through the process and simplifies the task of provisioning the CE and PE by automating most of the tasks required to set up an MPLS VPN.

Figure 4-1 shows the life cycle of an MPLS VPN service request.


Figure 4-1: Life Cycle of an MPLS VPN Service Request


Table 4-1 describes the functions of each type of VPN service request.


Table 4-1: Summary of MPLS VPN Service Request Types
Service Request Type Description

Broken

While the router is correctly configured, the service is unavailable (due to a broken cable or Layer 2 problem, for example). A service request moves to Broken if the Auditor finds the routing and forwarding tables for this service, but they do not match the service intent.

Closed

A service request moves to Closed if the service request should no longer be used during the provisioning or auditing process. A service request moves to the Closed state only upon a successful audit of a remove request. MPLS VPN Solution does not remove a service request from the database to allow for extended auditing. Only a specific administrator action results in service requests being removed.

Deployed

A service request moves to Deployed if the configlet commands have been verified as found in the router configuration file. Deployed indicates that the configuration file has been downloaded to the router, and the intent of the request has been verified at the configuration level.

Failed Deploy

After provisioning occurred, the service request failed to download the configlets to the router. A service request moves to Failed Deploy if an error was detected during the deployment process by the Cisco IP Manager (CIPM). If CIPM is not being used to download configlets, and the product is simply exporting configlets to a directory, there is no way to distinguish between a service request in the Failed Deploy and Pending states. There are two causes for Failed Deploy status:

  • CIPM reports to VPIM that the download failed (lost connection, bad password, etc.).

  • The object could not establish configuration-level verification of intent.

If the configlets are exported to a directory, the service request cannot move into a Failed Deploy state.

Functional

A service request moves to Functional when the Auditor finds the VPN routing and forwarding tables (VRF) for this service and they match with the service intent. This state requires configuration-level verification.

Invalid

Indicates that the service request information is incorrect in some way. A service request moves to Invalid if the request was either internally inconsistent or not consistent with the rest of the existing network/router configurations (for example, no more interfaces were available on the router). The VPN Provisioning Inventory Manager (VPIM) server cannot generate configlets to service this request.

Lost

A service request moves to Lost when the Auditor cannot find a configuration-level verification of intent in the router configuration files. The service request was deployed, but now some or all router configuration information is missing. A service request can move to the Lost state only when the service request had been Deployed or Functional.

Pending

A service request moves to Pending when the VPN Provisioning Inventory Manager (VPIM) server determines that the request looks consistent and was able to generate the required configlets for this request. Pending indicates that the service request has generated the configlets and the configlets are successfully downloaded to the routers.

The Auditor regards pending service requests as new requests and begins the audit. If the service has been freshly provisioned and not yet audited, it is not an error (pending audit). However, if an audit is done and the service is still pending, it is in an error state.

Requested

If the service is newly entered and not yet deployed, it is not an error. However, if a Deploy is done and it remains Requested, the service is in an error state.
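
The state rules in Table 4-1 can be checked mechanically over a list of service requests. The following Python is an added example, not part of the MPLS VPN Solution product; the record fields (id, kind, history, deploy_done, audit_done) and the sample records are assumptions constructed for illustration.

```python
# Added example: triage service-request records against the rules in Table 4-1.
# The record fields are hypothetical; the product's own report format is not
# described on this page.

STATES = {"Requested", "Pending", "Invalid", "Failed Deploy", "Deployed",
          "Functional", "Broken", "Lost", "Closed"}
OPERATIONAL = {"Deployed", "Functional"}

# States that need operator attention whenever they are the current state.
ALWAYS_ERROR = {
    "Invalid": "request is inconsistent; VPIM could not generate configlets",
    "Failed Deploy": "configlet download or configuration-level verification failed",
    "Broken": "router is configured, but VRF tables do not match the service intent",
    "Lost": "configlet commands are missing from the router configuration",
}


def triage(sr):
    """Return a list of (severity, message) findings for one service request."""
    history = sr["history"]
    if not history:
        return [("inconsistent", "no state recorded")]
    unknown = [s for s in history if s not in STATES]
    if unknown:
        return [("inconsistent", f"unknown state(s): {unknown}")]

    findings = []
    # History checks: constraints the table places on how a state is reached.
    for i, state in enumerate(history):
        if state == "Lost" and not (OPERATIONAL & set(history[:i])):
            findings.append(("inconsistent",
                             "Lost without an earlier Deployed or Functional state"))
        if state == "Closed" and sr["kind"] != "remove":
            findings.append(("inconsistent",
                             "Closed, but this is not a remove request"))

    current = history[-1]
    if current in ALWAYS_ERROR:
        findings.append(("error", ALWAYS_ERROR[current]))
    elif current == "Requested":
        # Requested is only an error once a deploy has been run.
        if sr["deploy_done"]:
            findings.append(("error", "still Requested after a deploy"))
        else:
            findings.append(("info", "queued, not yet deployed"))
    elif current == "Pending":
        # Pending is only an error once an audit has been run.
        if sr["audit_done"]:
            findings.append(("error", "still Pending after an audit"))
        else:
            findings.append(("info", "pending audit"))
    else:  # Deployed, Functional or Closed
        findings.append(("ok", current))
    return findings


def needs_attention(records):
    """IDs of service requests with at least one error or inconsistency."""
    flagged = {"error", "inconsistent"}
    return sorted(sr["id"] for sr in records
                  if any(sev in flagged for sev, _ in triage(sr)))


def rec(sr_id, kind, history, deploy_done, audit_done):
    return {"id": sr_id, "kind": kind, "history": history,
            "deploy_done": deploy_done, "audit_done": audit_done}


# Constructed sample records.
SAMPLE = [
    rec(101, "add", ["Requested"], False, False),
    rec(102, "add", ["Requested"], True, False),
    rec(103, "add", ["Requested", "Pending"], True, False),
    rec(104, "add", ["Requested", "Pending"], True, True),
    rec(105, "add", ["Requested", "Pending", "Deployed", "Lost"], True, True),
    rec(106, "add", ["Requested", "Pending", "Lost"], True, True),
    rec(107, "remove", ["Requested", "Pending", "Closed"], True, True),
    rec(108, "add", ["Requested", "Pending", "Functional"], True, True),
]

if __name__ == "__main__":
    for sr in SAMPLE:
        print(sr["id"], triage(sr))
    print("needs attention:", needs_attention(SAMPLE))
```

A request that reaches Lost after having been Deployed means the router configuration no longer contains what was provisioned, so it is worth comparing against the change history for that router.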

Overview of Service Request Definition Process

Provisioning a VPN provides a method to build a service for site-to-site connectivity between a provider edge router and a customer edge router. It includes the following steps:

    1. From the VPN Console, define a service request to add VPN service between a CE and PE.

    2. Schedule to download the new configuration to the CE and PE pairs.

    3. Use the reports available from the Provisioning menu to verify the service requests and view configlets.

The first step in provisioning a VPN is to define a service request. A service request defines through whom (the provider edge router) and to whom (the customer edge router) the service is provided. In this procedure, you determine the specifics of the link between the PE and CE.

Take note of these important elements of the process:

  • A CE Routing Community (CERC) describes how CEs in a VPN communicate with each other. The most common examples are hub-and-spoke and full mesh topologies. For more information on CERCs, see the "CE Routing Communities" section.

  • Within a VPN (or extranet), all IP addresses must be unique. Customer IP addresses are not allowed to overlap with provider IP addresses. Overlap is possible only when two devices cannot see each other; that is, they are in isolated, non-extranet VPNs.

  • The MPLS VPN Solution software assumes that it has an IP address pool to draw addresses from. The only way to guarantee that the product can use these addresses freely is if they are provider IP addresses.

  • Predefining a unique section (or sections) of IP address space for the PE-CE links is the only way to ensure stable security. Thus, because of the security and maintenance issues, Cisco does not recommend using customer IP addresses on the PE-CE link.

Adding a Service for a PE-CE Link

A service request is an instance of a service contract between a CE and a PE.

To add VPN service between a PE and CE, follow these steps:


Step 1 From the VPN Console, choose Provisioning > Add VPN Service to CE.

The introductory panel in the Add VPN Service to CE wizard appears.

Step 2 Click Next.

Selecting a Customer Edge Router (CE)

Step 3 From the next window, select the customer edge router for this link.


Figure 4-2: Select CE Window


Select the Provider Edge Router (PE)

Step 4 Select the provider edge router for this link.


Figure 4-3: Select PE Window


Define CERC Membership and Join the Management VPN

The Select VPN: CERC Memberships window appears.


Figure 4-4: Select VPN: CERC Memberships Window


Step 5 Select the appropriate VPN from the list and specify the VPN topology.

The most common types of VPNs are hub-and-spoke and full mesh. These two basic types of VPNs, full mesh and hub-and-spoke, can be represented with a single CERC.

For additional information on CE routing communities, see the "CE Routing Communities" section and the "Defining CE Routing Communities" section.

A hub-and-spoke CERC is one in which one or a few CEs act as hubs, and all spoke CEs talk only to or through the hubs, never directly to each other.
A full mesh CERC is one in which every CE connects to every other CE.
When you use the MPLS VPN Solution software to define a management VPN, the software automatically generates an export route map for the management VPN.

Choose the Routing Protocol for the Link

The Select Routing Policy window appears.


Figure 4-5: Select Routing Policy Window


Step 6 Choose the routing protocol for the PE-CE link.

The routing protocol you choose must run on both the PE and the CE.

The wizard presents a different sequence of screens and requires different information depending on which protocol you choose. In this guide, we use BGP as an example.

Giving the Default Route to the CE

The Give only default route to CE option gives you the ability to indicate whether the site needs full routing or default routing. Full routing is when the site must know specifically which other routes are present in the VPN. Default routing is when it is sufficient to send all packets that are not specifically for your site to the VPN.
A device can only have one default route. Therefore, the VPN can use a default route, but only on condition that the customer site does not already have a different one. The most common reason to already have a default route is that the site has an Internet feed that is independent of the VPN.
If the CE site already has Internet service, the CE can either 1) route all packets to unknown destinations to the Internet, or 2) learn all the routes in the Internet. The obvious choice is to route all packets to unknown destinations to the Internet. If a site has an Internet feed, it may already have a default route. Under such conditions, setting the VPN as the default route is incorrect; the VPN should only route packets meant for other VPN sites.

Static Routing Option

When using the Give only default route to CE option with static route provisioning on the PE-CE link, the product creates a default route on the CE that points to the PE. The VRF static route is redistributed into BGP-VPNv4 using a metric of 1 so that other sites in the VPN have connectivity to the CE's site.
In the case of static routing between a PE and CE, MPLS VPN Solution software asks for two lists of static routes:

  • Those routes to put on the PE, which describe all of the address space in the CE's site.

  • Those routes to put on the CE, which describe all of the address space throughout the VPN.

That is, the product informs the PE what the CE is supposed to know, and informs the CE what the VPN (via the PE) is supposed to know.
When you select the Give only default route to CE option, the default route (0.0.0.0/0) is filled in for you; the site contains no Internet feed or any other requirement for a default route. When it encounters a packet that does not route locally, it can send the packet to the VPN.

RIP Routing Option

When using the Give only default route to CE option with RIP, the product creates a default RIP route on the PE; the default RIP route points to the PE and is sent to the CE. The provisioning request gives you the option of redistributing any other routing protocols in the customer network into the CE's RIP routing protocol. The RIP routes on the PE are redistributed into BGP-VPNv4 with a metric of 1 so that other VPN sites have connectivity to the CE's site.
The effect of choosing the Give only default route to CE option and RIP routing is that the PE instructs the CE to send any traffic it cannot route any other way to the PE. This option should not be used if the CE's site needs a default route for any reason, such as having a separate Internet feed.

BGP Option

You cannot use the Give only default route to CE option when employing BGP on the PE-CE link. The option is greyed out.
The Redistribution window appears.

Specifying Redistributed Protocols on the Link

Step 7 If protocol redistribution is not required on this link, click Next.

If necessary, specify the routing protocols that must be redistributed from the CE.

The Redistributed Protocols window appears.

Figure 4-6: Redistributing Routing Protocols


The redistributed protocol information is displayed in the window.

Defining LAN or WAN Interfaces and Encapsulation

Step 8 Define the interfaces for the PE-CE link.


Figure 4-7: Select PE-CE Interfaces Window


Step 9 If you specified serial interfaces for the PE and CE and chose Frame Relay as the encapsulation, specify the encapsulation information for the PE and CE, and Data-Link Connection Identifier (DLCI) numbers for the PE-CE link, then click Next. This window is not displayed for other encapsulation types.


Figure 4-8: Protocol Encapsulation Information


Choosing an IP Addressing Scheme

The next window in the Add VPN Service to CE wizard (see Figure 4-9) provides a way to define the IP addressing scheme that is appropriate for this PE-CE link.

A point-to-point link between two routers can use either numbered or unnumbered IP addresses. The service provider must determine which to use for the PE-CE link. Defining the link to use unnumbered addresses can save precious IP addresses because many interfaces can borrow the same IP address.


Figure 4-9: IP Addressing Scheme Window


You can choose among four options:

IP addresses are drawn from the loopback IP address pool. An unnumbered IP address means that each interface "borrows" its address from another interface on the router (usually the loopback interface). Unnumbered addresses can only be used on point-to-point WAN links (such as Serial, Frame, and ATM), not on LAN links (such as Ethernet).
When you choose IP unnumbered, MPLS VPN Solution software automatically creates a loopback interface (unless a loopback interface already exists with the correct attributes).
If you choose IP unnumbered and also check the Use Automatically Assigned IP Address check box, MPLS VPN Solution picks two IP addresses from a /32 subnet point-to-point IP address pool.
If you select IP unnumbered and choose to not use automatically assigned IP addresses, you can enter the IP addresses for the PE interface and CE interface in the fields provided. Entering the IP addresses in these fields forces the MPLS VPN software to use the indicated addresses.
If you select IP numbered and choose to not use automatically assigned IP addresses, you can enter the IP addresses for the PE interface and CE interface in the fields provided. Entering the IP addresses in these fields forces the MPLS VPN software to use the indicated addresses.
If you choose IP numbered and also check the Use Automatically Assigned IP Address check box, MPLS VPN Solution picks IP addresses from a /30 subnet point-to-point IP address pool.
Even though a numbered IP address does not require a loopback address, MPLS VPN Solution software provides the option to specify IP unnumbered with extra CE loopback. This option places an IP address on a CE router that is not tied to any physical interface.
If you select IP numbered with extra CE loopback, you can enter the addresses for the PE and CE interfaces, plus the CE loopback address.
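
The addressing rules above (a provider-owned pool for PE-CE links that never overlaps customer space, /30 subnets for numbered links and /32 addresses for unnumbered ones) can be expressed with Python's ipaddress module. This is an added example, not the product's allocator; the class name LinkPool, its methods and all addresses are assumptions constructed for illustration.

```python
# Added example: allocate PE-CE link addresses from a provider pool and
# refuse pools that overlap customer address space in the same VPN.
# LinkPool and its methods are hypothetical names, not a product API.
import ipaddress


def clashes(pool, customer_prefixes):
    """Return the customer prefixes that overlap the provider pool."""
    pool_net = ipaddress.ip_network(pool)
    return [p for p in customer_prefixes
            if ipaddress.ip_network(p).overlaps(pool_net)]


class LinkPool:
    def __init__(self, pool, customer_prefixes=()):
        bad = clashes(pool, customer_prefixes)
        if bad:
            raise ValueError(f"pool {pool} overlaps customer space: {bad}")
        self.pool = ipaddress.ip_network(pool)
        self.allocated = []  # subnets already handed out or reserved

    def reserve(self, subnet):
        """Record a manually entered subnet so it is never auto-assigned."""
        net = ipaddress.ip_network(subnet)
        if not net.subnet_of(self.pool):
            raise ValueError(f"{subnet} is outside pool {self.pool}")
        if any(net.overlaps(a) for a in self.allocated):
            raise ValueError(f"{subnet} is already in use")
        self.allocated.append(net)

    def _take(self, prefixlen):
        # First free block of the requested size inside the pool.
        for cand in self.pool.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(a) for a in self.allocated):
                self.allocated.append(cand)
                return cand
        raise RuntimeError(f"pool {self.pool} has no free /{prefixlen}")

    def numbered_link(self):
        """IP numbered, automatically assigned: one /30 per PE-CE link."""
        net = self._take(30)
        pe, ce = net.hosts()  # a /30 has exactly two usable host addresses
        return {"subnet": str(net), "pe": str(pe), "ce": str(ce)}

    def unnumbered_pair(self):
        """IP unnumbered, automatically assigned: two /32 addresses."""
        pe = self._take(32).network_address
        ce = self._take(32).network_address
        return str(pe), str(ce)


if __name__ == "__main__":
    # Constructed data: customer LAN prefixes and provider pools.
    customer = ["192.168.10.0/24", "192.168.20.0/24"]
    p2p = LinkPool("10.255.0.0/29", customer)
    p2p.reserve("10.255.0.0/30")          # manually entered link addresses
    print(p2p.numbered_link())            # next free /30
    loop = LinkPool("10.254.0.8/30", customer)
    print(loop.unnumbered_pair())
    print(clashes("10.255.0.0/29", ["10.0.0.0/8"] + customer))
```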

Step 10 Choose an IP addressing scheme for the PE and CE.

When finished, click Next. The Specify VRF Parameters window appears.

Specifying VRF Parameters


Figure 4-10: Specify VRF Parameters Window


The Specify VRF Parameters window lets you set values for import and export maps, maximum routes into the VRF table, and also enable NetFlow accounting.


Note The Cisco IOS supports only one export route map per VRF (and therefore, per VPN).

When you use the MPLS VPN Solution software to define a management VPN (see the "Define CERC Membership and Join the Management VPN" section), the software automatically generates an export route map for the management VPN. Because the Cisco IOS supports only one export route map per VRF, specify an export map in this field only if the router is not part of a management VPN. The export route map generated for the management VPN overrides the export route map defined here.
An export route map does not apply a filter; it can be used to override the default set of route targets associated with a route.
For information on the route-map command, refer to the Cisco IOS documentation on IP routing protocol-independent commands.

Note The Cisco IOS supports only one import route map per VRF (and therefore, per VPN).

An import route map does apply a filter. Therefore, if you want to exclude a particular route from the VRF on this PE, you can either set an export route map on the sending router to make sure it does not have any route targets that can be imported into the current VRF, or create an import route map on this PE to exclude the route.
For command reference details on the import map command, see the "import map" section.
For more information, see the "NetFlow Collector and MPLS VPN Solution Software" section and the "MPLS VPN NetFlow Accounting" section.
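
The route-target behaviour described here and in the CERC membership step can be modelled in Python to see which VRF receives which route. This is an added example, not product code; the Vrf class, the route-target values (100:1, 100:2, 100:99) and the prefixes are constructed, and the two-route-target hub-and-spoke scheme is an assumption, since the page does not say how the product assigns route targets.

```python
# Added example: model of VRF import/export with route targets (RTs).
# An export map overrides the RTs attached to a route; an import map filters.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    import_rts: set
    export_rts: set
    prefixes: list                                   # routes originated here
    export_map: dict = field(default_factory=dict)   # prefix -> replacement RTs
    import_deny: list = field(default_factory=list)  # prefixes filtered on import

    def advertised(self):
        """(prefix, RTs) pairs as exported; the export map overrides defaults."""
        return [(p, set(self.export_map.get(p, self.export_rts)))
                for p in self.prefixes]

    def accepts(self, prefix, rts):
        """A route is installed if an RT matches and the import map allows it."""
        if not (rts & self.import_rts):
            return False
        net = ipaddress.ip_network(prefix)
        return not any(net.subnet_of(ipaddress.ip_network(d))
                       for d in self.import_deny)


def routing_table(receiver, vrfs):
    """Map each remote prefix the receiver installs to the VRF that sent it."""
    table = {}
    for sender in vrfs:
        if sender is receiver:
            continue
        for prefix, rts in sender.advertised():
            if receiver.accepts(prefix, rts):
                table[prefix] = sender.name
    return table


def who_receives(prefix, vrfs):
    """Names of the VRFs that install the given prefix."""
    return sorted(v.name for v in vrfs if prefix in routing_table(v, vrfs))


def hub_and_spoke():
    # Assumed scheme: the hub exports 100:1 and imports 100:2; spokes do the
    # reverse, so a spoke never imports another spoke's routes directly.
    return [Vrf("hub", {"100:2"}, {"100:1"}, ["10.0.0.0/16"]),
            Vrf("spoke1", {"100:1"}, {"100:2"}, ["10.1.0.0/16"]),
            Vrf("spoke2", {"100:1"}, {"100:2"}, ["10.2.0.0/16"])]


def full_mesh():
    # Every site imports and exports the same RT.
    rt = {"100:1"}
    return [Vrf("siteA", set(rt), set(rt), ["10.1.0.0/16"]),
            Vrf("siteB", set(rt), set(rt), ["10.2.0.0/16", "10.2.99.0/24"]),
            Vrf("siteC", set(rt), set(rt), ["10.3.0.0/16"])]


if __name__ == "__main__":
    hs = hub_and_spoke()
    print("spoke1 sees:", routing_table(hs[1], hs))

    # Two ways to keep 10.2.99.0/24 out of siteA, with different scope.
    fm = full_mesh()
    fm[0].import_deny = ["10.2.99.0/24"]         # import map on the receiver
    print("import map on siteA:", who_receives("10.2.99.0/24", fm))

    fm = full_mesh()
    fm[1].export_map = {"10.2.99.0/24": {"100:99"}}  # export map on the sender
    print("export map on siteB:", who_receives("10.2.99.0/24", fm))
```

The import map removes the route from one VRF only, while the export map on the sending router removes it from every VRF that does not import the replacement route target.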

Step 11 Complete the fields as necessary in the Specify VRF Parameters window and click Next.

Step 12 If desired, select a Class of Service (CoS) profile to assign to the PE-CE link.

You can create a Class of Service (CoS) profile when you define the Provider Administrative Domain. For information on creating a CoS Profile, see the "Defining a Class of Service Profile" section. For a discussion on the Class of Service feature, see the "Quality of Service and Class of Service" section.

Class of Service profiles are applied to the Provider Edge Router (PE), but the CoS definition is enforced across the PE-CE link on both the PE and CE.

The product displays a summary of all the service settings defined for this VPN.


Figure 4-11: Confirm VPN Service Information Window


Step 13 Verify that the service request information is correct, then click Next.

The wizard displays the following message:

Your request to "Add VPN Service to CE" has been submitted with ID number n. This service request can be deployed by using the "Deploy Service Requests" wizard or by using the "Deploy VPN Service" item under the "Provisioning" option of a VPN service request report.

Step 14 Press Close.

You have now queued a service request. It is entered into the product database and is in the state "Requested."


Deploying a VPN Service

When you have queued a service request, you can then deploy it using the following method. This method automatically generates an Audit New Service Request type of audit. This audit passes the service request into an operational state.


Step 1 From the VPN Console, choose Provisioning > Deploy Service Requests.

The Deploy Service Requests wizard begins. The introductory window provides the following information:

This wizard sets up a scheduled task that deploys service requests to the appropriate routers. This involves computing the configlets for each service request, downloading the configlets to the routers, and running audit reports to determine whether the service was successfully deployed.

Click Next.

Step 2 Choose to deploy all or selected service requests, then click Next.

For all service requests that are in the Requested state, this option initiates the process of uploading the configuration files from the PEs and managed CEs in the VPN, generates configlets, and downloads the configlets to the PEs and managed CEs.
This option deploys the selected service requests regardless of which state they are in.
If you choose this option, the window shown in Figure 4-12 appears.

Figure 4-12: Selecting a Specific Service Request for Deployment


Step 3 Highlight the service request you wish to deploy, then click Next.

The Select Audit Options window appears.

Step 4 From the Select Audit Options window, choose to generate audit reports, then click Next.

Running audit reports is the only way that service requests can progress from the Requested state to an operational state, such as Deployed. You have the option to not generate audit reports, but this option is not recommended.

Step 5 Enter the task name, then click Next.

Step 6 Choose the default, Yes, to proceed to schedule the task, then click Next.

Step 7 From the Schedule window, set all the pertinent scheduling information, then click Add.

The service request is added to the Schedule List (displayed in the upper pane).

Step 8 Click Next twice, then click Close.



Note You can also deploy service requests from the Provisioning menu available from the All VPN Service Requests Report. See the "Performing a Customized Service Request Deployment" section.

Viewing Audit Reports

Before you view the audit reports, you must first generate the audit reports.


Step 1 From the VPN Console menu, choose Auditing > Generate Service Request Audit Reports.

Step 2 Follow the wizard.

To view the audit reports, follow these steps:

Step 3 From the VPN Console menu, choose Auditing > View Latest Audit Reports.

The Cisco VPN Solutions Center Service Request Audit Reports window appears in the Netscape browser.


Figure 4-13: Service Request Audit Reports Window


The Service Request Audit Reports window provides two options:

Step 4 Select the type of audit reports you want to view.


If You Require a Java Plug-in to Proceed

When you select one of the audit report links, you may receive a message that the page contains information that can be viewed only with the appropriate plug-in.


Step 1 Click OK to proceed with downloading the required Java plug-in.

The Java Plug-in Download Page appears.

Step 2 Click the link for the plug-in for your Solaris platform to download the plug-in to your MPLS VPN Solution workstation.


Note You may need to register with Sun Microsystems' Java Plug-in service to complete the download procedure.

Step 3 Install the Java plug-in and return to the Service Request Audit Reports window.


Checking Service Request Deployment Details

Once you have created and queued a service request, you can discover the details about its deployment. You can view the configlet generated for the service request. If the service request failed, you can discover why it failed by using the Service Request Audit report. For detailed troubleshooting information, refer to "MPLS VPN Solution Troubleshooting Guide."


Step 1 To check service request details, choose Provisioning > List All Service Requests.

The All VPN Service Requests Report appears (see Figure 4-14).


Figure 4-14: All VPN Service Requests Report


This report provides the following information:

If the current state is either Deployed or Functional, the service request is deployed.

Step 2 Select the service request you want detailed information on.

Step 3 Click Request Details.

The Service Request Details Report appears.


Figure 4-15: Service Request Details Report


Step 4 To view the configlets generated for the selected service request, click Configlets.


Figure 4-16: Service Request Configlets Report


To return to the Service Request Detail Report, click Back.

Step 5 To see the detailed audit details for the selected service request, click Audit Details from the Service Request Details Report window.


Figure 4-17: Audit Details Report


To return to the Service Request Detail Report, click Back.


Modifying an Existing Service

A service request is an instance of a service contract between a CE and a PE. You can modify this service by creating a new service request. When you do so, MPLS VPN Solution creates a new service request with a new ID. (The service request ID is displayed in the first column in the All VPN Service Requests Report, as shown in Figure 4-19.) The new service request subsumes the earlier one and becomes the current service request.

When you modify a service request, you can modify the settings for the PE-CE link, except for the CE and the PE themselves. This procedure takes you through the same wizard as described in the "Adding a Service for a PE-CE Link" section, except that the settings are based on the service request's current values.

To modify a service, follow these steps:


Step 1 Choose Provisioning > List All Service Requests.

The All VPN Service Requests Report appears.


Note In the dialog boxes in this procedure, the fields display the settings for the current service request.

Step 2 Click the Provisioning button (at the bottom of the Report window).

Step 3 From the drop-down menu, select Modify VPN Service.

The Modify Existing VPN Service wizard appears. The first window provides a message like this:

This wizard submits a new service request to modify the VPN service between the PE "PE_name" and the CE "CE_name" (specified in service request ID_number). The new service request replaces service request ID_number.

Click Next.

Step 4 Select the VPN and specify the VPN topology.

Step 5 Choose the routing protocol for the PE-CE link.

The routing protocol you choose must run on both the PE and the CE.

Giving the Default Route to the CE

The Give only default route to CE option gives you the ability to indicate whether the site needs full routing or default routing. Full routing is when the site must know specifically which other routes are present in the VPN. Default routing is when it is sufficient to send all packets that are not specifically for your site to the VPN.
A device can only have one default route. Therefore, the VPN can use a default route, but only on condition that the customer site does not already have a different one. The most common reason to already have a default route is that the site has an Internet feed that is independent of the VPN.
If the CE site already has Internet service, the CE can either 1) route all packets to unknown destinations to the Internet, or 2) learn all the routes in the Internet. The obvious choice is to route all packets to unknown destinations to the Internet. If a site has an Internet feed, it may already have a default route. Under such conditions, setting the VPN as the default route is incorrect; the VPN should only route packets meant for other VPN sites.

Static Routing Option

When using the Give only default route to CE option with static route provisioning on the PE-CE link, the product creates a default route on the CE that points to the PE. The VRF static route is redistributed into BGP-VPNv4 using a metric of 1 so that other sites in the VPN have connectivity to the CE's site.
In the case of static routing between a PE and CE, MPLS VPN Solution software asks for two lists of static routes:

  • Those routes to put on the PE, which describe all of the address space in the CE's site.

  • Those routes to put on the CE, which describe all of the address space throughout the VPN.

That is, the product informs the PE what the CE is supposed to know, and informs the CE what the VPN (via the PE) is supposed to know.
When you select the Give only default route to CE option, the default route (0.0.0.0/0) is filled in for you; the site contains no Internet feed or any other requirement for a default route. When it encounters a packet that does not route locally, it can send the packet to the VPN.

RIP Routing Option

When using the Give only default route to CE option with RIP, the product creates a default RIP route on the PE; the default RIP route points to the PE and is sent to the CE. The provisioning request gives you the option of redistributing any other routing protocols in the customer network into the CE's RIP routing protocol. The RIP routes on the PE are redistributed into BGP-VPNv4 with a metric of 1 so that other VPN sites have connectivity to the CE's site.
The effect of choosing the Give only default route to CE option with RIP is that the PE instructs the CE to send any traffic it cannot route any other way to the PE. The Give only default route to CE option should not be used with RIP routing if the CE's site needs a default route for any reason, such as having a separate Internet feed.

BGP Option

The Give only default route to CE option cannot be used when employing BGP on the PE-CE link. When you choose BGP routing, the option is greyed out.
The wizard presents a different sequence of screens and requires different information depending on which protocol you choose.

Step 6 If protocol redistribution is not required on this link, click Next.

If necessary, specify the routing protocols that must be redistributed from the CE.

The Redistributed Protocols window appears.
The redistributed protocol information appears in the window.

Step 7 Define the interfaces for the PE-CE link.

Step 8 If you specified serial interfaces in the previous step, specify the Data-Link Connection Identifier (DLCI) numbers for the PE-CE link, then click Next.

Step 9 Choose an IP addressing scheme for the PE and CE.

You can choose among three options:

IP addresses are drawn from the loopback IP address pool.
IP addresses are drawn from the point-to-point IP address pool.
The interfaces must be IP numbered interfaces. Entering the addresses here forces the MPLS VPN software to use the indicated IP numbered addresses.

When finished, click Next.

Step 10 If desired, select a Class of Service (CoS) profile to assign to the PE-CE link.

You can create a Class of Service (CoS) profile when you define the Provider Administrative Domain. For information on creating a CoS Profile, see the "Defining a Class of Service Profile" section. For a discussion on the Class of Service feature, see the "Quality of Service and Class of Service" section.

Class of Service profiles are applied to the Provider Edge Router (PE), but the CoS definition is enforced across the PE-CE link on both the PE and CE.

The product displays a summary of all the service settings defined for this VPN.

Step 11 Verify that the service request information is correct, then click Next.

The wizard displays the following message:

Your request to "Modify Existing VPN Service" has been submitted with ID number n. This replaces existing service request. This service request can be deployed by using the "Deploy VPN Service Requests" wizard or by using the "Deploy VPN Service" item under the "Provisioning" option of a VPN service request report.

Step 12 Press Close.

You have now queued a service request. It is entered into the product database and is in the state "Requested."


Removing a Service

When you remove a service, MPLS VPN Solution replaces the old service request with a new one whose purpose is to remove the pertinent commands from the PE and CE router configuration files. The new service request will be in Requested state, and you should deploy it normally.

Deploying a "Remove VPN Service" request deletes from the PE and CE configuration files the individual commands that were put there by the original provisioning request and are not in use by any other service or feature in the router configuration.

For the removal to be safe, not every provisioned command is removed. Where the product cannot know whether a provisioned command is being used for some other purpose, the command is left in place. Examples of router commands not removed for a "Remove VPN Service" request include routing protocols created during service provisioning, such as BGP or RIP. These are not taken out of the router's configuration, although some of their subcommands are removed when they support only the original service request.

To remove a service, follow these steps:


Step 1 From the VPN Console, choose Provisioning > List All Service Requests.

The All VPN Service Requests Report appears.

Step 2 Click Provisioning (at the bottom of the window) as shown in Figure 4-18.


Figure 4-18: Provisioning Menu


Step 3 Choose Remove VPN Service.

You receive this warning message:

This will submit a new service request to remove the VPN service between the PE and CE. New configlets will be generated with the appropriate "no" commands to remove the VPN service. Service Request n to Add VPN Service will no longer be active. Do you want to continue?

Step 4 Click Yes to proceed, or No to cancel the Remove operation.

If you click Yes, you receive the following message:

A new service request has been submitted to remove the VPN service specified in service request number.


Performing a Customized Service Request Deployment

The procedure to perform a customized service request deployment deploys the service request immediately. This customized deployment does not perform an audit, nor does it allow you to schedule the audit.


Step 1 From the VPN Console, choose Provisioning>List All Service Requests.

The All VPN Service Requests Report appears.


Figure 4-19: All VPN Service Requests Report


Step 2 Select the service request you want to deploy.

Step 3 Click Provisioning.

The Provisioning drop-down menu appears.


Figure 4-20: Provisioning Menu


Step 4 From the drop-down menu, select Deploy VPN Service.

The following message is displayed:

This will deploy the selected VPN service request now. Do you want to continue?

Step 5 Click Yes.

The selected service request is Deployed and placed in the Pending state.


Performing a Customized Audit

MPLS VPN Solution software performs a basic audit (Audit New Service Request) by default each time you deploy a service request, as described in the "Deploying a VPN Service" section. You need to schedule the audit separately, as described in this section, only if you want to run it more frequently or if you use customized audits.

When a service request moves beyond the control of the Provisioning system, the Auditor for MPLS VPN Solution takes control. The Auditor is a mechanism that monitors and reports the current state of a VPN service request over its lifetime. It also provides the reasons why the service request is in its current state. The Auditor saves the state transition (if any) into the VPN Inventory Repository.

The lifetime of a VPN service request spans from the Requested state to the Closed state. For an illustration showing the life cycle of a service request, see Figure 4-1.

After you populate targets (PEs and CEs) and the directory Repository, prior to any other steps, you must collect router configuration files to audit the services provisioned by MPLS VPN Solution.

Setting Up Routers for Collecting Configuration Files

The basic audit (Audit New Service Requests) does collect the configuration files. You need only set up the routers as described in this section if you are performing a customized audit procedure. This ensures that you have the most current version of the configuration files for the audit procedure.

To set up routers for collecting router configuration files, be sure to implement the following requirements:

Setting the csm.properties File for Customized Router Prompt

When setting up configuration file collection from routers, be sure that all the routers have the same prompts as in the csm.properties file for netsys.router.loginprompt and netsys.router.passwordprompt. The default values match the default values on Cisco routers. They are as follows:

netsys.router.loginprompt = Username:

netsys.router.passwordprompt = Password:

If you use nonstandard router prompts in the csm.properties file, be sure you set the same values for all the routers from which you collect information.

Setting Up the Domain Name Server

For the collection module of MPLS VPN Solution, enable or disable the Domain Name Server (DNS) on the routers. If DNS is not properly configured on the routers, collections fail due to a time-out.


Note Enabling DNS causes DNS to handle the name resolution. Otherwise, name resolution is handled by the routers.

To enable DNS, enter the following commands on the router:

ip domain-lookup

ip name-server a.b.c.d

where a.b.c.d is the address of a valid Domain Name Server.

To disable DNS, it is important to enter the following command on all routers:

no ip domain-lookup

Configuring the SNMP Settings

To determine whether SNMP is enabled and set the SNMP community strings, execute the following steps for each router.

Step 1 Router> telnet routername

routername is the name of the router you are checking.

Step 2 Router> enable

Router> enable-password

Enter enable mode and enter the enable password.

Step 3 Router# show snmp

Step 4 Check the output to see whether the following line is present: SNMP agent not enabled

Step 5 Router# configure terminal

Enter global configuration mode. You can also abbreviate the command to config t.

Step 6 Router(config)# snmp-server community userstring RO

Set the community read-only string.

Step 7 Router(config)# snmp-server community userstring RW

Set the community read-write string.

Step 8 Router(config)# Ctrl+Z

Return to privileged Exec mode.

Step 9 Router# copy running startup

Save the configuration changes to NVRAM.

Collecting Router Configuration Files

To start collecting router configuration files, follow these steps:


Step 1 From the VPN Console, choose Monitoring>Collect Router Configuration Files.

The introductory panel displays the following information:

This wizard sets up a scheduled task that collects Cisco router configuration files directly from the selected routers. It also allows you to import Cisco router configuration files from a directory.

You can collect additional information, including router types, Frame Relay/ATM PVC information, and IP unnumbered connectivity information.

Click Next.


Figure 4-21: Specifying Configuration File Collection Method


Step 2 In this window, select one of the following ways of collecting information:

Live Collection of Router Configuration Files. This task performs a Telnet operation to the routers to collect the running configuration of each router.
Import Router Configuration from Files. This task imports collected configuration files that exist in a directory.

Live Collection of Router Configuration Files

To start the live collection of router configuration files, follow these steps:


Step 1 Choose Live Collection of Router Configuration Files.

Step 2 Click the Selection drop-down menu to choose a specific network.

As shown in Figure 4-22, all the router names in this network appear in the upper pane. If you want to sort the information, click on the column header for which you want to sort.


Figure 4-22: Collecting Router Configuration Files


Step 3 Select the routers from the upper pane that you want to collect router configuration data from, then click Add. You can select all the routers listed by clicking Add All.

Your selections appear in the lower pane.


Note You can remove one or more of the routers selected in the bottom pane by selecting specific routers and clicking Remove or Remove All.

Step 4 When the lower pane includes all the devices from which router configuration data is to be collected, click Next.

Step 5 In the next window, you can choose the Mask passwords in collected files option. This allows you to place a group of x marks in the router's password field to mask the actual characters that are typed in the field. Click Next.

Step 6 In the next window, provide a unique task name, then click Next.

Step 7 In the next window, you can schedule the task by selecting the Yes radio button and clicking Next.

Step 8 If you chose to schedule the task, in the next window choose the frequency with which you want to schedule the auditing: Once, Hourly, Daily, Weekly, Monthly, or Yearly.

For detailed information about scheduling, refer to Chapter 11, "Scheduling," in the Cisco VPN Solutions Center: MPLS Solution User Reference.

Step 9 In this next window, click Next to save the auditing collection task. If you chose to schedule the auditing collection task, that will also occur when you click Next.

You are informed that all steps are done.

Step 10 Click Close to close the wizard.


Importing Router Configurations from Files

To start importing router configurations from a file, follow these steps after completing the steps in the previous section.


Note All files in the directory must be configuration files. Each filename must be the same as the name of the router to be imported, including the use of a domain name, if it exists.


Step 1 From the VPN Console, choose Monitoring>Collect Router Configuration Files.

The introductory panel displays the following information:

This wizard sets up a scheduled task that collects Cisco router configuration files directly from the selected routers. It also allows you to import Cisco router configuration files from a directory.

Click Next.


Figure 4-23: Specifying Configuration File Collection Method


Step 2 In this window, select Import Router Configuration from Files, then click Next.

This task imports the configuration files that exist in a specified directory.

Step 3 Enter the name of the directory that has the configuration files that you want to import, then click Next.

Step 4 In the next window, select the name of the service provider network, then click Next.

Step 5 In the next window, enter a unique task name, then click Next.

Step 6 In the next window, schedule the task by selecting the Yes radio button and clicking Next.

Step 7 In the next window, click Next to save the auditing collection task.

You are informed that all steps are done.

Step 8 Click Close to close the wizard.
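
The following pre-import check is an added example, not part of the MPLS VPN Solution product or of the original page. It tests each file in an import directory against the filename rule in the Note above and against the DNS and SNMP requirements in "Setting Up Routers for Collecting Configuration Files." Assumptions: the router name is the hostname plus the ip domain-name value when one is configured, the access-list check on the RW community is an extra hardening check that the page does not require, and the sample files are constructed.

```python
import re
from pathlib import Path

# Constructed sample files (hypothetical names and values, not from the page).
SAMPLES = {
    "pe1.example.net": "hostname pe1\nip domain-name example.net\n"
                       "ip name-server 192.0.2.53\n"
                       "snmp-server community EXAMPLE-RO RO\n"
                       "snmp-server community EXAMPLE-RW RW 10\n",
    "ce-branch": "hostname ce7\nsnmp-server community EXAMPLE-RO RO\n"
                 "snmp-server community EXAMPLE-RW RW\n",
}

def check_config(filename, text):
    """Return findings for one collected IOS configuration file."""
    lines = [ln.strip() for ln in text.splitlines()]

    def first(pattern):
        return next((m for m in (re.fullmatch(pattern, ln) for ln in lines) if m), None)

    # Assumption: router name = hostname, plus "ip domain-name" if configured.
    host = first(r"hostname (\S+)")
    if host is None:
        return ["no hostname line: not a router configuration file"]
    domain = first(r"ip domain[- ]name (\S+)")
    expected = host.group(1) + ("." + domain.group(1) if domain else "")
    findings = [] if filename == expected else [f"filename should be {expected}"]

    # Lookup is on unless "no ip domain-lookup" appears; with no name server
    # configured, collection from this router fails on a time-out.
    if not first(r"no ip domain[- ]lookup") and not first(r"ip name-server .+"):
        findings.append("DNS lookup enabled but no ip name-server")

    # snmp-server community <string> [view <name>] RO|RW [access-list]
    # The community string itself is never copied into a finding.
    acl = {}
    for ln in lines:
        m = re.fullmatch(r"snmp-server community \S+(?: view \S+)? (RO|RW)(?: (\S+))?", ln, re.I)
        if m:
            acl[m.group(1).upper()] = m.group(2)
    findings += [f"no {mode} community string" for mode in ("RO", "RW") if mode not in acl]
    if "RW" in acl and acl["RW"] is None:  # hardening check added here, not on the page
        findings.append("RW community has no access list")
    return findings

def check_directory(path):
    """Check every file in the import directory; map filename -> findings."""
    return {p.name: check_config(p.name, p.read_text(errors="replace"))
            for p in sorted(Path(path).iterdir()) if p.is_file()}
```

Run check_directory on the directory you enter in Step 3; an empty list for a file means it passed every check.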


Generating Audit Reports

After you have followed the steps in the section "Collecting Router Configuration Files," you can follow these steps to start generating Audit reports:


Step 1 From the VPN Console, choose Auditing > Generate Service Request Audit Reports.

The introductory panel in the Generate Service Request Audit Reports wizard appears.

Then click Next.


Figure 4-24: Choosing the Type of Audit


Step 2 In this window, select the types of service requests you wish to be audited:

A required audit. The Audit new service requests option is the mechanism required to pass the service request from the Pending state to the Deployed state (or to a failed state if there is a problem). Passing this audit frees the provisioning system from reconsidering this service request, which lessens system overhead.
A surveillance audit. The Audit existing service requests option tests whether there is a state change to an already operational or nonoperational service request.
Use VPN routing information during audits. When you choose this option, the Auditor audits the VPN routing information, which provides a dynamic verification of a service request.

Note Before using the Use VPN routing information during audits option, you must collect the VPN routing information. For information on collecting VPN routing information, refer to "Collect VPN Routing Information" in Chapter 8 of the Cisco VPN Solutions Center: MPLS Solution User Reference.

Then click Next.

Step 3 In the next window, provide a unique task name, then click Next.

Step 4 In the next window, choose whether to schedule the accounting collection task by selecting the Yes or No radio button.

If you select No, you can schedule the accounting collection task later.

Step 5 If you chose to schedule the accounting collection task, in the next window choose the frequency with which you want to schedule the auditing: Once, Hourly, Daily, Weekly, Monthly, or Yearly.

Step 6 When the scheduling information is set to your satisfaction, click Add.

As shown in Figure 4-25, the information you entered is added to the Schedule List in the upper pane.


Figure 4-25: Scheduling Configuration File Collection


Step 7 In this next window, click Next to save the auditing collection task. If you chose to schedule the auditing collection task, that will also occur when you click Next.

You are informed that all the steps for the "Collect Router Configuration Files" task are done.

Step 8 Click Next, then click Close to close the wizard.



Posted: Fri Apr 21 11:00:01 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.