|
|
The focus of the MPLS VPN Solution product is the service provided for a customer on the link between the customer's CE and the provider's PE. This chapter describes how you create a service request in the MPLS VPN Solution software, as well as how to modify and delete service requests. Finally, this chapter tells you how to check on a service request's status and find out what went wrong if the request failed.
The service model is the centerpiece of service provisioning. With the service model, the MPLS VPN Solution software can capture the specified VPN service provisioning request, analyze the validity of the request, and audit the provisioning results.
The service provider operators take all service request information from their customers. MPLS VPN Solution can assist the operator in making entries because the product has customer information such as the VPN information, the list of the assigned PEs and CEs, and so forth.
The MPLS VPN Solution VPN Console steps the operator through the process and simplifies the task of provisioning the CE and PE by automating most of the tasks required to set up an MPLS VPN.
Figure 4-1 shows the life cycle of an MPLS VPN service request.

Table 4-1 describes the functions of each type of VPN service request.
| Service Request Type | Description |
|---|---|
Broken | While the router is correctly configured, the service is unavailable (due to a broken cable or Layer 2 problem, for example). A service request moves to Broken if the Auditor finds the routing and forwarding tables for this service, but they do not match the service intent. |
Closed | A service request moves to Closed if the service request should no longer be used during the provisioning or auditing process. A service request moves to the Closed state only upon a successful audit of a remove request. MPLS VPN Solution does not remove a service request from the database to allow for extended auditing. Only a specific administrator action results in service requests being removed. |
Deployed | A service request moves to Deployed if the configlet commands have been verified as found in the router configuration file. Deployed indicates that the configuration file has been downloaded to the router, and the intent of the request has been verified at the configuration level. |
Failed Deploy | After provisioning occurred, the service request failed to download the configlets to the router. A service request moves to Failed Deploy if an error was detected during the deployment process by the Cisco IP Manager (CIPM). If CIPM is not being used to download configlets, and the product is simply exporting configlets to a directory, there is no way to distinguish between a service request in the Failed Deploy and Pending states. There are two causes for Failed Deploy status:
If the configlets are exported to a directory, the service request cannot move into a Failed Deploy state. |
Functional | A service request moves to Functional when the Auditor finds the VPN routing and forwarding tables (VRF) for this service and they match with the service intent. This state requires configuration-level verification. |
Invalid | Indicates that the service request information is incorrect in some way. A service request moves to Invalid if the request was either internally inconsistent or not consistent with the rest of the existing network/router configurations (for example, no more interfaces were available on the router). The VPN Provisioning Inventory Manager (VPIM) server cannot generate configlets to service this request. |
Lost | A service request moves to Lost when the Auditor cannot find a configuration-level verification of intent in the router configuration files. The service request was deployed, but now some or all router configuration information is missing. A service request can move to the Lost state only when the service request had been Deployed or Functional. |
Pending | A service request moves to Pending when the VPN Provisioning Inventory Manager (VPIM) server determines that the request looks consistent and was able to generate the required configlets for this request. Pending indicates that the service request has generated the configlets and the configlets are successfully downloaded to the routers. The Auditor regards pending service requests as new requests and begins the audit. If the service has been freshly provisioned and not yet audited, it is not an error (pending audit). However, if an audit is done and the service is still pending, it is in an error state. |
Requested | If the service is newly entered and not yet deployed, it is not an error. However, if a Deploy is done and it remains Requested, the service is in an error state. |
1. From the VPN Console, define a service request to add VPN service between a CE and PE.
2. Schedule to download the new configuration to the CE and PE pairs.
3. Use the reports available from the Provisioning menu to verify the service requests and view configlets.
Take note of these important elements of the process:
A service request is an instance of service contract between a CE and a PE.
To add VPN service between a PE and CE, follow these steps:
The introductory panel in the Add VPN Service to CE wizard appears.
Step 2 Click Next.
Step 3 From the next window, select the customer edge router for this link.

a. From the Customer drop-down list, select the appropriate customer.
b. From the Site drop-down list, select the appropriate site.
c. From the CE Routers list, select the appropriate CE.
d. Click Next.
Select the Provider Edge Router (PE)
Step 4 Select the provider edge router for this link.

a. From the Provider drop-down list, select the appropriate provider name.
b. From the Region drop-down list, select the appropriate region.
c. From the PE Routers list, select the PE.
d. Click Next.
Define CERC Membership and Join the Management VPN
The Select VPN: CERC Memberships window appears.

Step 5 Select the appropriate VPN from the list and specify the VPN topology.
The most common types of VPNs are hub-and-spoke and full mesh. These two basic types of VPNs---full mesh and hub and spoke---can be represented with a single CERC.
For additional information on CE routing communities, see the "CE Routing Communities" section and the "Defining CE Routing Communities" section.
b. If you are building a VPN with any other topology, check the Advanced setup required check box.
c. If you are adding a CE to the management VPN, check the Join the management VPN check box. For more information, see the "Implementing the Management VPN Technique" section.
d. Click Next.
Choose the Routing Protocol for the Link
The Select Routing Policy window appears.

Step 6 Choose the routing protocol for the PE-CE link.
The routing protocol you choose must run on both the PE and the CE.
b. When you select either Static or RIP, you can choose to give only the default route to the CE.
Giving the Default Route to the CE
Static Routing Option
RIP Routing Option
BGP Option
c. Click Next.
Specifying Redistributed Protocols on the Link
Step 7 If protocol redistribution is not required on this link, click Next.
If necessary, specify the routing protocols that must be redistributed from the CE.
a. Click Add.

b. Select the protocol to be redistributed.
c. Enter the appropriate AS number (BGP, IGRP, and EIGRP), process number (OSPF), or tag number (ISIS) corresponding to your protocol selection.
d. Click Add.
e. Click OK, then click Next.
Defining LAN or WAN Interfaces and Encapsulation
Step 8 Define the interfaces for the PE-CE link.

a. Specify whether the interfaces are for a Wide Area Network (WAN) or Local Area Network (LAN).
b. Specify the PE interface number and protocol encapsulation from the drop-down lists.
c. Specify the CE interface number and protocol encapsulation from the drop-down lists.
d. Click Next.

Choosing an IP Addressing Scheme
The next window in the Add VPN Service to the CE wizard (see Figure 4-9) provides a way to define the IP addressing scheme that is appropriate for this PE-CE link.
A point-to-point link between two routers can be either a numbered IP address or an unnumbered IP address. The service provider must determine whether to use numbered or unnumbered IP addresses for the PE-CE link. Defining the link to use unnumbered addresses can save precious IP addresses because many interfaces can borrow the same IP address.

You can choose among four options:
Step 10 Choose an IP addressing scheme for the PE and CE.
When finished, click Next. The Specify VRF Parameters window appears.
Specifying VRF Parameters
Figure 4-10: Specify VRF Parameters Window

The Specify VRF Parameters window lets you set values for import and export maps, maximum routes into the VRF table, and also enable NetFlow accounting.
![]() |
Note The Cisco IOS supports only one export route map per VRF (and therefore, per VPN). |
![]() |
Note The Cisco IOS supports only one import route map per VRF (and therefore, per VPN). |
Step 11 Complete the fields as necessary in the Specify VRF Parameters window and click Next.
Step 12 If desired, select a Class of Service (CoS) profile to assign to the PE-CE link.
You can create a Class of Service (CoS) profile when you define the Provider Administrative Domain. For information on creating a CoS Profile, see the "Defining a Class of Service Profile" section. For a discussion on the Class of Service feature, see the "Quality of Service and Class of Service" section.
a. Choose the CoS Profile.
b. Click Next.
The product displays a summary of all the service settings defined for this VPN.

Step 13 Verify that the service request information is correct, then click Next.
The wizard displays the following message:
Your request to "Add VPN Service to CE" has been submitted with ID number n. This service request can be deployed by using the "Deploy Service Requests" wizard or by using the "Deploy VPN Service" item under the "Provisioning" option of a VPN service request report.
Step 14 Press Close.
You have now queued a service request. It is entered into the product database and is in the state "Requested."
The Deploy Service Requests wizard begins. The introductory window provides the following information:
This wizard sets up a scheduled task that deploys service requests to the appropriate routers. This involves computing the configlets for each service request, downloading the configlets to the routers, and running audit reports to determine whether the service was successfully deployed.
Click Next.
Step 2 Choose to deploy all or selected service requests, then click Next.

Step 3 Highlight the service request you wish to deploy, then click Next.
The Select Audit Options window appears.
Step 4 From the Select Audit Options window, choose to generate audit reports, then click Next.
Running audit reports is the only way that service requests can progress from the Requested state to an operational state, such as Deployed. You have the option to not generate audit reports, but this option is not recommended.
Step 5 Enter the task name, then click Next.
Step 6 Choose the default, Yes, to proceed to schedule the task, then click Next.
Step 7 From the Schedule window, set all the pertinent scheduling information, then click Add.
The service request is added to the Schedule List (displayed in the upper pane).
Step 8 Click Next twice, then click Close.
![]() |
Note You can also deploy service requests from the Provisioning menu available from the All VPN Service Requests Report. See the "Performing a Customized Service Request Deployment" section. |
Before you view the audit reports, you must first generate the audit reports.
Step 2 Follow the wizard.
To view the audit reports, follow these steps:
Step 3 From the VPN Console menu, choose Auditing > View Latest Audit Reports.
The Cisco VPN Solutions Center Service Request Audit Reports window appears in the Netscape browser.

The Service Request Audit Reports window provides two options:
Step 4 Select the type of audit reports you want to view.
If You Require a Java Plug-in to Proceed
The Java Plug-in Download Page appears.
Step 2 Click the link for the plug-in for your Solaris platform to download the plug-in to your MPLS VPN Solution workstation.
![]() |
Note You may need to register with Sun Microsystem's Java Plug-in service to complete the download procedure. |
Step 3 Install the Java plug-in for and return to the Service Request Audit Reports window.
Once you have created and queued a service request, you can discover the details about its deployment. You can view the configlet generated for the service request. If the service request failed, you can discover why it failed by using the Service Request Audit report. For detailed troubleshooting information, refer to "MPLS VPN Solution Troubleshooting Guide."
The All VPN Service Requests Report appears (see Figure 4-14).

This report provides the following information:
Step 2 Select the service request you want detailed information on.
Step 3 Click Request Details.
The Service Request Details Report appears.

Step 4 To view the configlets generated for the selected service request, click Configlets.

To return to the Service Request Detail Report, click Back.

To return to the Service Request Detail Report, click Back.
A service request is an instance of service contract between a CE and a PE. You can modify this service by creating a new service request. When you do so, MPLS VPN Solution creates a new service request with a new ID. (The service request ID is displayed in the first column in the All VPN Service Requests Report as shown in Figure 4-19). The new service request subsumes the earlier one and becomes the current service request.
When you modify a service request, you can modify the settings for the PE-CE link, except for the CE and the PE themselves. This procedure takes through the same wizard as described in the "Adding a Service for a PE-CE Link" section, except that the settings are based on the service request's current values.
To modify a service, follow these steps:
The All VPN Service Requests Report appears.
![]() |
Note In the dialog boxes in this procedure, the fields display the settings for the current service request. |
Step 2 Click the Provisioning button (at the bottom of the Report window).
Step 3 From the drop-down menu, select Modify VPN Service.
The Modify Existing VPN Service wizard appears. The first window provides a message like this:
This wizard submits a new service request to modify the VPN service between the PE "PE_name" and the CE "CE_name" (specified in service request ID_number). The new service request replaces service request ID_number.
Click Next.
Step 4 Select the VPN and specify the VPN topology.
a. Select the VPN.
b. If you are building a VPN with a hub-and-spoke topology, check the Join as Spoke checkbox.
c. If you are building a VPN with any other topology, check the Advanced setup required checkbox.
d. Click Next.
Step 5 Choose the routing protocol for the PE-CE link.
The routing protocol you choose must run on both the PE and the CE.
Giving the Default Route to the CE
Static Routing Option
RIP Routing Option
BGP Option
a. You can choose Static (for specifying a static route), RIP (Routing Information Protocol) or BGP (Border Gateway Protocol).
b. When you select either Static or RIP, you can choose to give only the default route to the CE.
c. Click Next.
Step 6 If protocol redistribution is not required on this link, click Next.
If necessary, specify the routing protocols that must be redistributed from the CE.
a. Click Add.
b. Select the protocol to be redistributed.
c. Enter the appropriate AS number (BGP), identifier number (IGRP and EIGRP), or process number (OSPF) corresponding to your selection.
d. Click Add.
e. Click OK, then click Next.
Step 7 Define the interfaces for the PE-CE link.
a. Specify whether the interfaces are for a Wide Area Network (WAN) or Local Area Network (LAN).
b. Specify the PE interface address and protocol encapsulation from the drop-down lists.
c. Specify the CE interface address and protocol encapsulation from the drop-down lists.
d. Click Next.
Step 8 If you specified serial interfaces in the previous step, specify the Data-Link Connection Identifier (DLCI) numbers for the PE-CE link, then click Next.
Step 9 Choose an IP addressing scheme for the PE and CE.
You can choose among three options:
When finished, click Next.
Step 10 If desired, select a Class of Service (CoS) profile to assign to the PE-CE link.
You can create a Class of Service (CoS) profile when you define the Provider Administrative Domain. For information on creating a CoS Profile, see the "Defining a Class of Service Profile" section. For a discussion on the Class of Service feature, see the "Quality of Service and Class of Service" section.
Class of Service profiles are applied to the Provider Edge Router (PE), but the CoS definition is enforced across the PE-CE link on both the PE and CE.
a. Choose the CoS Profile.
b. Click Next.
The product displays a summary of all the service settings defined for this VPN.
Step 11 Verify that the service request information is correct, then click Next.
The wizard displays the following message:
Your request to "Modify Existing VPN Service" has been submitted with ID number n. This replaces existing service request. This service request can be deployed by using the "Deploy VPN Service Requests" wizard or by using the "Deploy VPN Service" item under the "Provisioning" option of a VPN service request report.
Step 12 Press Close.
You have now queued a service request. It is entered into the product database and is in the state "Requested."
When you remove a service, MPLS VPN Solution replaces the old service request with a new one whose purpose is to remove the pertinent commands from the PE and CE router configuration files. The new service request will be in Requested state, and you should deploy it normally.
Deploying a "Remove VPN Service" request deletes individual commands from the PE and CE configuration files, which were put there by the original provisioning request, and are not in use by any other service or feature in the router configuration.
To ensure that the service removal is safe requires that not all commands that were provisioned are removed. In cases where the product cannot know whether a provisioned command is being used for some other purpose, the command is not removed. Examples of router commands not removed for a "Remove VPN Service" request include routing protocols created during service provisioning, such as BGP or RIP. These are not be taken out of the router's configuration, although some of their subcommands are removed when they support only the original service request.
To remove a service, follow these steps:
The All VPN Service Requests Report appears.
Step 2 Click Provisioning (at the bottom of the window) as shown in Figure 4-18.

Step 3 Choose Remove VPN Service.
You receive this warning message:
This will submit a new service request to remove the VPN service between the PE and CE. New configlets will be generated with the appropriate "no" commands to remove the VPN service. Service Request n to Add VPN Service will no longer be active. Do you want to continue?
Step 4 Click Yes to proceed, or No to cancel the Remove operation.
If you click Yes, you receive the following message:
A new service request has been submitted to remove the VPN service specified in service request number.
The All VPN Service Requests Report appears.

Step 2 Select the service request you want to deploy.
Step 3 Click Provisioning.
The Provisioning drop-down menu appears.

Step 4 From the drop-down menu, select Deploy VPN Service.
The following message is displayed:
This will deploy the selected VPN service request now. Do you want to continue?
Step 5 Click Yes.
The selected service request is Deployed and placed in the Pending state.
MPLS VPN Solution software performs a basic audit (Audit New Service Request) by default each time you deploy a service request as described in the "Deploying a VPN Service" section. You need only schedule the audit separately as described in this section if you want to run it more frequently or if you customized audits.
When a service request moves beyond the control of the Provisioning system, the Auditor for MPLS VPN Solution takes control. The Auditor is a mechanism that monitors and reports the current state of a VPN service request over its lifetime. It also provides the reasons why the service request is in its current state. The Auditor saves the state transition (if any) into the VPN Inventory Repository.
The lifetime of a VPN service request spans from the Requested state to the Closed state. For an illustration showing the life cycle of a service request, see Figure 4-1.
After you populate targets (PEs and CEs) and the directory Repository, prior to any other steps, you must collect router configuration files to audit the services provisioned by MPLS VPN Solution.
The basic audit (Audit New Service Requests) does collect the configuration files. You need only set up the routers as described in this section if you are performing a customized audit procedure. This ensures that you have the most current version of the configuration files for the audit procedure.
netsys.router.loginprompt = Username:
netsys.router.passwordprompt = Password:
If you use nonstandard router prompts in the csm.properties file, be sure you set the same values for all the routers from which you collect information.
![]() |
Note Enabling DNS causes DNS to handle the name resolution. Otherwise, name resolution is handled by the routers. |
To enable DNS, enter the following commands on the router:
ip domain-lookup
ip name-server a.b.c.d
where a.b.c.d is a valid Domain Name server.
To disable DNS, it is important to enter the following command on all routers:
no ip domain-lookup
| Step | Command | Description or Task |
| 1 | | routername is the name of the router you are checking. |
| 2 | Router> enable-password | Enter enable mode and enter the enable password. |
| 3 | |
|
| 4 | | Check the output to see whether the following command is present: SNMP agent not enabled |
| 5 |
| Enter global configuration mode. You can also abbreviate the command to config t. |
| 6 | | Set the community read-only string. |
| 7 | | Set the community read-write string |
| 8 | | Return to privileged Exec mode. |
| 9 | | Save the configuration changes to NVRAM. |
To start collecting router configuration files, follow these steps:
The introductory panel displays the following information:
This wizard sets up a scheduled task that collects Cisco router configuration files directly from the selected routers. It also allows you to import Cisco router configuration files from a directory.
You can collect additional information, including router types, Frame Relay/ATM PVC information, and IP unnumbered connectivity information.
Click Next.

Step 2 In this window, select one of the following ways of collecting information:
To start the live collection of router configuration files, follow these steps:
Step 2 Click the Selection drop-down menu to choose a specific network.
As shown in Figure 4-22, all the router names in this network appear in the upper pane. If you want to sort the information, click on the column header for which you want to sort.

Step 3 Select the routers from the upper pane that you want to collect router configuration data from, then click Add. You can select all the routers listed by clicking Add All.
Your selections appear in the lower pane.
![]() |
Note You can remove one or more of the routers selected in the bottom pane by selecting specific routers and clicking Remove or Remove All. |
Step 4 When the lower pane includes all the devices from which router configuration data is to be collected, click Next.
Step 6 In the next window, provide a unique task name, then click Next.
Step 7 In the next window, you can schedule the task by selecting the Yes radio button and clicking Next.
Step 8 If you chose to schedule the task, in the next window choose the frequency with which you want to schedule the auditing: Once, Hourly, Daily, Weekly, Monthly, or Yearly.
For detailed information about scheduling, refer to Chapter 11, "Scheduling," in the Cisco VPN Solutions Center: MPLS Solution User Reference.
Step 9 In this next window, click Next to save the auditing collection task. If you chose to schedule the auditing collection task, that will also occur when you click Next.
You are informed that all steps are done.
Step 10 Click Close to close the wizard.
To start importing router configurations from a file, follow these steps after completing the steps in the previous section.
![]() |
Note All files in the directory must be configuration files. Each filename must be the same as the name of the router to be imported, including the use of a domain name, if it exists. |
The introductory panel displays the following information:
This wizard sets up a scheduled task that collects Cisco router configuration files directly from the selected routers. It also allows you to import Cisco router configuration files from a directory.
Click Next.

Step 2 In this window, select Import Router Configuration from Files, then click Next.
This task imports the configuration files that exist in a specified directory.
Step 3 Enter the name of the directory that has the configuration files that you want to import, then click Next.
Step 4 In the next window, select the name of the service provider network, then click Next.
Step 5 In the next window, enter a unique task name, then click Next.
Step 6 In the next window, schedule the task by selecting the Yes radio button and clicking Next.
Step 7 In the next window, click Next to save the auditing collection task.
You are informed that all steps are done.
Step 8 Click Close to close the wizard.
After you have followed the steps in the section "Collecting Router Configuration Files," you can follow these steps to start generating Audit reports:
The introductory panel in the Generate Service Request Audit Reports wizard appears.
Then click Next.

Step 2 In this window, select the types of service requests you wish to be audited:
![]() |
Note Before using the Use VPN routing information during audits option, you must collect the VPN routing information. For information on collecting VPN routing information, refer to "Collect VPN Routing Information" in Chapter 8 of the Cisco VPN Solutions Center: MPLS Solution User Reference. |
Then click Next.
Step 3 In the next window, provide a unique task name, then click Next.
Step 4 In the next window, you can choose to whether you want to schedule the accounting collection task by selecting the Yes or No radio buttons.
If you select No, you can schedule the accounting collection task later.
Step 5 If you chose to schedule the accounting collection task, in the next window choose the frequency with which you want to schedule the auditing: Once, Hourly, Daily, Weekly, Monthly, or Yearly.
Step 6 When the scheduling information is set to your satisfaction, click Add.
As shown in Figure 4-25, the information you entered is added to the Schedule List in the upper pane.

Step 7 In this next window, click Next to save the auditing collection task. If you chose to schedule the auditing collection task, that will also occur when you click Next.
You are informed that all the steps for the "Collect Router Configuration Files" task are done.
Step 8 Click Next, then click Close to close the wizard.
![]()
![]()
![]()
![]()
![]()
![]()
![]()
Posted: Fri Apr 21 11:00:01 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.