Using the VSM, you can program your client software to:
The Cisco VPN Solutions Center software has an embedded database, the VPN Inventory repository, which maps the service model to an underlying database schema. All service model objects are stored in the VPN Inventory repository tables.
Figure 3-1 is a simplified version of the VSM, which shows the relationships between service-model objects. The following sections describe each object and the other objects to which it is related.

In Figure 3-1, interface names from the IDL CiscoVsmBrowser module are used to illustrate each object type in the service model. For clarity, the common terminology for each of these objects is supplied in Table 3-1.
| CiscoVsmBrowser Interface Name | Common Terminology |
|---|---|
| VsmCoSProfile | Class-of-Service Profile (CoS Profile) |
| VsmVPN | Virtual Private Network (VPN) |
| VsmPRG | Port Reservation Group (PRG) |
| VsmPE | Provider Edge Router (PE) |
| VsmCE | Customer Edge Router (CE) |
| VsmCERC | CE Routing Community (CERC) |
In Table 3-1, interface names marked with an asterisk (*) directly affect the provisioning process, while the other objects assist in managing the provisioning request. Figure 3-2 shows how third-party applications interact with the Cisco VPN Solutions Center software. With the VPN service model APIs, third-party applications can interact with the VPN Inventory repository.

Specifically, with the modules and interfaces that comprise the VPN service model APIs, a third-party client application can be programmed to:
After constructing all necessary VSM objects and service requests, third-party applications can perform provisioning tasks using the VPN Provisioning Manager APIs. The VPN Provisioning and Inventory Manager (VPIM) generates configlets and is responsible for downloading them to the routers.
Each client application connects to the VPN Inventory Manager server to get exactly one VpnInvMgr object. This scheme (one client per VpnInvMgr instance) conveniently implements the "one thread per client" model for the CORBA server implementation. It also simplifies the garbage-collection process on the server.
The VpnInvMgr object serves as an entry point for navigating to other service-model objects, and it manages all other service-model objects that are generated within that thread for a particular client. When the client disconnects from the server, its copy of the VpnInvMgr object is destroyed automatically by the server, and memory is freed for all service-model objects managed by it.
A provider administrative domain is the administrative domain of an ISP with one BGP autonomous system (AS) number. The network owned by the provider administrative domain is called the backbone network. If your administrative domain has two AS numbers, for example, represent it as two CiscoVsmBrowser::VsmProviderAdminDomain objects.
Each provider administrative domain may span multiple geographical regions that supply local connectivity, by way of provider-edge routers (PEs), to the customer sites served by a VPN. Therefore, each VsmProviderAdminDomain object can have multiple VsmRegion objects and must have at least one VsmRegion object to serve any useful purpose.

For information about managing CiscoVsmBrowser::VsmProviderAdminDomain objects, see the "CiscoVsmBrowser::VsmProviderAdminDomain" section.
Each CiscoVsmBrowser::VsmProviderAdminDomain object may have many route distinguisher (RD) and route target (RT) seeds and values. An RD is an 8-byte value that is prepended to an IPv4 prefix to create a unique VPN IPv4 prefix. An RT is an 8-byte value by which the IOS discriminates routes for route updates in VRF tables.
RD and RT seeds are integer values stored as the string aliases, CiscoVsmBrowser::VsmRDSeed and CiscoVsmBrowser::VsmRTSeed, respectively. RT and RD values are expressed as string types in the format, seed:offset. For example, if an RT seed is 100 with an offset of 12, the RT value is expressed as the string literal, 100:12.
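The following added example (not part of the original Cisco documentation or the VSM API) parses `seed:offset` strings and shows how prepending an 8-byte RD to an IPv4 prefix keeps overlapping customer addresses distinct, while a reused RD makes them collide. It assumes the RFC 4364 type 0 RD layout (2-byte type, 2-byte administrator, 4-byte assigned number) with the seed as the administrator field; all function names and sample routes are hypothetical.

```python
import ipaddress
import struct


def parse_value(text):
    """Split a 'seed:offset' string into two non-negative integers."""
    seed, sep, offset = text.partition(":")
    for part in (seed, offset):
        # Reject missing separator, empty parts, signs, and non-ASCII digits.
        if not (sep and part.isascii() and part.isdigit()):
            raise ValueError(f"not a seed:offset value: {text!r}")
    return int(seed), int(offset)


def pack_rd(text):
    """Encode an RD as 8 bytes (assumed layout: RFC 4364 type 0)."""
    seed, offset = parse_value(text)
    if seed > 0xFFFF or offset > 0xFFFFFFFF:
        raise ValueError(f"value does not fit the 2+4 byte fields: {text!r}")
    return struct.pack("!HHI", 0, seed, offset)


def vpn_ipv4(rd_text, ipv4_addr):
    """Prepend the 8-byte RD to a 4-byte IPv4 prefix address."""
    return pack_rd(rd_text) + ipaddress.IPv4Address(ipv4_addr).packed


def colliding_routes(routes):
    """Return VPN-IPv4 keys (hex) that more than one VRF would announce."""
    seen = {}
    for vrf, rd_text, addr in routes:
        seen.setdefault(vpn_ipv4(rd_text, addr), set()).add(vrf)
    return {k.hex(): sorted(v) for k, v in seen.items() if len(v) > 1}


# Constructed sample: three VRFs whose customers all use 10.1.1.0.
ROUTES = [
    ("vrf-a", "100:1", "10.1.1.0"),
    ("vrf-b", "100:2", "10.1.1.0"),  # different RD: stays unique
    ("vrf-c", "100:1", "10.1.1.0"),  # RD reused: same VPN-IPv4 prefix as vrf-a
]

if __name__ == "__main__":
    print(pack_rd("100:12").hex())
    print(colliding_routes(ROUTES))
```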
Each CiscoVsmBrowser::VsmProviderAdminDomain object can have many VsmRegion objects. For more information about CiscoVsmBrowser::VsmRegion objects, see the "Region" section and the "CiscoVsmBrowser::VsmRegion" section.
Each CiscoVsmBrowser::VsmProviderAdminDomain object can have many VsmCoSProfile objects. For more information about CiscoVsmBrowser::VsmCoSProfile objects, see the "Class-of-Service Profile" section and the "CiscoVsmBrowser::VsmCoSProfile" section.
Each CiscoVsmBrowser::VsmProviderAdminDomain object can have many VsmVRFDef objects. For more information about CiscoVsmBrowser::VsmVRFDef objects, see the "VPN Routing/Forwarding Table Definition" section.
Each CiscoVsmBrowser::VsmProviderAdminDomain object can have many VsmVPN objects. For more information about CiscoVsmBrowser::VsmVPN objects, see the "Virtual Private Network" section and the "CiscoVsmBrowser::VsmVPN" section.
A provider can partition a backbone network into multiple geographical regions. Each region of the provider-backbone network is represented by a CiscoVsmBrowser::VsmRegion object in the VPN Inventory repository. Each VsmRegion object belongs to exactly one VsmProviderAdminDomain object and has its own IP address allocation pools.
Each geographical region may have multiple provider-edge routers (PEs) that supply local connectivity to the customer sites served by one or more VPN services. Therefore, each VsmRegion object can have multiple VsmPE objects and must have at least one VsmPE object to serve any useful purpose.

Each CiscoVsmBrowser::VsmRegion object maintains a pool of /30 subnet addresses for IP-numbered interfaces and a pool of /32 subnet addresses for IP-unnumbered (loopback) interfaces.
Within a VPN or extranet, all IP addresses must be unique. Customer IP addresses must not overlap the provider IP addresses. Overlapping addresses are only supported for devices that are in isolated VPNs. Each VsmRegion object has the operations, isAddressOverlappedWithPool30() and isAddressOverlappedWithPool32(), to determine whether or not a specific IP address overlaps one of the indicated pools for the region.
Because addresses from each pool become unavailable for allocation when they are assigned, each VsmRegion object also maintains a list of free IP addresses for each supported subnet mask to support auto allocation processes during provisioning. As allocated IP addresses are released or freed from their assignments, they are returned to the appropriate pool of free IP addresses for reuse by the provisioning system.
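The pool behaviour described above can be modelled as follows. This is an added example, not the VsmRegion implementation: the `RegionPools` class, its method names, and the address blocks are hypothetical, and it only mirrors the semantics of the overlap checks and the free-list allocation and release cycle.

```python
import ipaddress


class RegionPools:
    """Hypothetical model of one region's /30 and /32 address pools."""

    def __init__(self, pool30_blocks, pool32_blocks):
        self.blocks = {
            30: [ipaddress.ip_network(b) for b in pool30_blocks],
            32: [ipaddress.ip_network(b) for b in pool32_blocks],
        }
        # Free lists: every /30 (or /32) carved out of the configured blocks.
        self.free = {
            plen: [s for blk in blks for s in blk.subnets(new_prefix=plen)]
            for plen, blks in self.blocks.items()
        }
        self.assigned = {}  # subnet -> owner label

    def overlaps_pool(self, prefix, plen):
        """True if an address or prefix overlaps the pool for this mask."""
        net = ipaddress.ip_network(prefix, strict=False)
        return any(net.overlaps(blk) for blk in self.blocks[plen])

    def allocate(self, plen, owner):
        """Auto-allocate the next free subnet; it leaves the free list."""
        if not self.free[plen]:
            raise RuntimeError(f"/{plen} pool exhausted")
        subnet = self.free[plen].pop(0)
        self.assigned[subnet] = owner
        return subnet

    def release(self, subnet):
        """Return a subnet to its free list; KeyError flags a double free."""
        owner = self.assigned.pop(subnet)
        self.free[subnet.prefixlen].append(subnet)
        return owner

    def colliding_customer_prefixes(self, prefixes):
        """Customer prefixes that overlap either provider pool."""
        return [p for p in prefixes
                if self.overlaps_pool(p, 30) or self.overlaps_pool(p, 32)]


if __name__ == "__main__":
    # Constructed sample blocks for one region.
    pools = RegionPools(["10.10.0.0/29"], ["10.10.255.0/31"])
    link = pools.allocate(30, "SRVC-1")
    print(link, pools.overlaps_pool("10.10.0.6", 30))
    print(pools.colliding_customer_prefixes(["192.168.1.0/24", "10.10.0.0/16"]))
    pools.release(link)
```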
Each CiscoVsmBrowser::VsmRegion object can belong to exactly one VsmProviderAdminDomain object. For more information about CiscoVsmBrowser::VsmProviderAdminDomain objects, see the "Provider Administrative Domain" section and the "CiscoVsmBrowser::VsmProviderAdminDomain" section.
Each CiscoVsmBrowser::VsmRegion object can have many VsmPE objects. For more information about CiscoVsmBrowser::VsmPE objects, see the "Provider Edge Router" section and the "CiscoVsmBrowser::VsmPE" section.
A class-of-service (CoS) profile represents the set of CoS configurations (CoS classes that record information on how traffic shaping and policing is configured) that is offered by a provider to its customer. Each provider administrative domain may have multiple class-of-service (CoS) profiles defined for it, and each CoS profile consists of multiple CoS classes.

Each CiscoVsmBrowser::VsmCoSProfile object can belong to only one VsmProviderAdminDomain object. For more information about CiscoVsmBrowser::VsmProviderAdminDomain objects, see the "Provider Administrative Domain" section and the "CiscoVsmBrowser::VsmProviderAdminDomain" section.
Each CiscoVsmBrowser::VsmCoSProfile object can have multiple CoS classes. In the APIs for the Cisco VPN Solutions Center: MPLS Solution, a CoS class is represented as the data structure, CiscoVsmBrowser::VsmCoSClass. This structure contains the following information:
Note: For this release of the Cisco VPN Solutions Center: MPLS Solution software, the VsmCoSClass data structure is not used. Instead, the CoS profile configuration is set using the CiscoVsmFWCreator::VsmCoSProfileCreator::setCoSProfileConfig() operation when defining a CoS profile to be added to the VPN Inventory repository.
A VPN Routing/Forwarding table (VRF) is an IOS route table that defines the connection of a set of customer sites with a VPN service. In the VPN Inventory Repository, a VRF definition is a template that helps define a VRF table in a provider-edge router (PE) and is stored as an instance of the CiscoVsmBrowser::VsmVRFDef interface.

A VsmVRFDef object, which represents the configuration information for a VPN routing/forwarding (VRF) table for PEs that share a common route distinguisher (RD), is created automatically when a VsmSRVC object is created. Each VRF definition belongs to exactly one provider administrative domain and has a specific set of CE routing community (CERC) memberships. All VsmSRVC objects with the same VPN connectivity become part of a common VRF definition.
Each CiscoVsmBrowser::VsmVRFDef object belongs to exactly one VsmProviderAdminDomain object. For more information about CiscoVsmBrowser::VsmProviderAdminDomain objects, see the "Provider Administrative Domain" section and the "CiscoVsmBrowser::VsmProviderAdminDomain" section.
Each CiscoVsmBrowser::VsmVRFDef object can be used by many VsmSRVC objects. For more information about CiscoVsmBrowser::VsmSRVC objects, see the "Service Request VPN Configuration" section and "Defining Service Requests."
Each CiscoVsmBrowser::VsmVRFDef object can join many VsmCERCMembership objects. For more information about CiscoVsmBrowser::VsmCERCMembership objects, see the "CERC Membership" section and the "CiscoVsmBrowser::VsmCERCMembership" section.
The following definition of virtual private network (VPN) object is quoted from the IETF draft RFC 2547 submitted by Eric Rosen and Yakov Rekhter (draft-rosen-vpn-mpls-00.txt):
Each VPN object consists of a set of provisioning templates and policies (PRG and CERC). Each VPN can also span multiple provider administrative domains, but it has a default domain for RD and RT auto allocation purposes. PRGs in a VPN collect reserved ports. CERCs in a VPN break down complex topology into multiple subgroups.

Each CiscoVsmBrowser::VsmVPN object can belong to only one VsmProviderAdminDomain object. For more information about CiscoVsmBrowser::VsmProviderAdminDomain objects, see the "Provider Administrative Domain" section and the "CiscoVsmBrowser::VsmProviderAdminDomain" section.
Each CiscoVsmBrowser::VsmVPN object can have many VsmCERC objects. For more information about CiscoVsmBrowser::VsmCERC objects, see the "CE Routing Community" section and the "CiscoVsmBrowser::VsmCERC" section.
Each CiscoVsmBrowser::VsmVPN object can have many VsmPRG objects. For more information about CiscoVsmBrowser::VsmPRG objects, see the "Port Reservation Group" section and the "CiscoVsmBrowser::VsmPRG" section.
This object is used to group a set of port reservation service request objects that are SRVCs containing only PE port information. Each PRG can belong to one and only one VPN object. Each PRG can also contain many SRVC port reservation service request objects.

Each CiscoVsmBrowser::VsmPRG object can belong to exactly one VsmVPN object. For more information about CiscoVsmBrowser::VsmVPN objects, see the "Virtual Private Network" section and the "CiscoVsmBrowser::VsmVPN" section.
Each CiscoVsmBrowser::VsmPRG object may be a component of none or many VsmSRVC objects. For more information about CiscoVsmBrowser::VsmSRVC objects, see the "Service Request VPN Configuration" section (specifically, the "Partial SRVCs: Specifying PE Port Reservations" section) and "Defining Service Requests."
A provider-edge router (PE) is an edge device of a provider region that supports VPN connectivity to one or more customer sites. A PE is stored in the VPN Inventory repository as an instance of the CiscoVsmBrowser::VsmPE interface. Each PE belongs to exactly one region of the provider backbone network and may have multiple VRF tables and configlets, and may be configured by any of several SRVCs.

Each CiscoVsmBrowser::VsmPE object belongs to exactly one VsmRegion object. For more information about CiscoVsmBrowser::VsmRegion objects, see the "Region" section and the "CiscoVsmBrowser::VsmRegion" section.
Each CiscoVsmBrowser::VsmPE object can have many VsmConfiglet objects. For more information about CiscoVsmBrowser::VsmConfiglet objects, see the "Configlet" section and the "CiscoVsmBrowser::VsmConfiglet" section.
Each CiscoVsmBrowser::VsmPE object may be configured by many VsmSRVC objects. For more information about CiscoVsmBrowser::VsmSRVC objects, see the "Service Request VPN Configuration" section and "Defining Service Requests."
A VPN customer is a customer that requests VPN service from an ISP. A CiscoVsmBrowser::Customer object may have many VsmCustomerSite objects and may have many VsmSRVC service request objects.

Each CiscoVsmBrowser::VsmCustomer object can have multiple VsmSRVC objects. For more information about CiscoVsmBrowser::VsmSRVC objects, see the "Service Request VPN Configuration" section and "Defining Service Requests."
Each CiscoVsmBrowser::VsmCustomer object can have multiple VsmCustomerSite objects. For more information about CiscoVsmBrowser::VsmCustomerSite objects, see the "Customer Site" section and the "CiscoVsmBrowser::VsmCustomerSite" section.
A customer site is defined as "a set of IP systems with mutual IP interconnectivity and communication between them without the use of a VPN." Each CiscoVsmBrowser::VsmCustomerSite object belongs to exactly one VsmCustomer object and can own many VsmCE objects.

Each CiscoVsmBrowser::VsmCustomerSite object can belong to only one VsmCustomer object. For more information about CiscoVsmBrowser::VsmCustomer objects, see the "VPN Customer" section and the "CiscoVsmBrowser::VsmCustomer" section.
Each CiscoVsmBrowser::VsmCustomerSite object can have many VsmCE objects. For more information about CiscoVsmBrowser::VsmCE objects, see the "Customer Edge Router" section and the "CiscoVsmBrowser::VsmCE" section.
A customer-edge router (CE) is an edge device of a customer site that supports VPN connectivity to a PE in a region of the provider backbone network. A CE is stored in the VPN Inventory repository as an instance of the CiscoVsmBrowser::VsmCE interface. Each CE belongs to exactly one customer site, may have multiple configlets, and may be configured by any of several SRVCs.

Each CiscoVsmBrowser::VsmCE object can belong to only one VsmCustomerSite object. For more information about CiscoVsmBrowser::VsmCustomerSite objects, see the "Customer Site" section and the "CiscoVsmBrowser::VsmCustomerSite" section.
Each CiscoVsmBrowser::VsmCE object can have many VsmConfiglet objects. For more information about CiscoVsmBrowser::VsmConfiglet objects, see the "Configlet" section and the "CiscoVsmBrowser::VsmConfiglet" section.
Each CiscoVsmBrowser::VsmCE object may be configured by many VsmSRVC objects. For more information about CiscoVsmBrowser::VsmSRVC objects, see the "Service Request VPN Configuration" section and "Defining Service Requests."
A CE Routing Community (CERC) is a VPN subset that specifies either full-mesh or hub-and-spoke CE relationships. CERCs are used to break a complex VPN into simpler subgroups. Each CERC is stored in the VPN Inventory repository as an instance of the CiscoVsmBrowser::VsmCERC interface and belongs to exactly one VsmVPN object.

Each CiscoVsmBrowser::VsmCERC object can join many VsmCERCMembership objects. For more information about CiscoVsmBrowser::VsmCERCMembership objects, see the "CERC Membership" section and the "CiscoVsmBrowser::VsmCERCMembership" section.
Each CiscoVsmBrowser::VsmCERC object can belong to exactly one VsmVPN object. For more information about CiscoVsmBrowser::VsmVPN objects, see the "Virtual Private Network" section and the "CiscoVsmBrowser::VsmVPN" section.
A CERC membership defines the relationship between a VRF definition and a CERC. It dictates with which CERC a VRF Definition is joining and whether the CE end of the PE-CE link is joining the CERC as a hub or a spoke.

Each CiscoVsmBrowser::VsmCERCMembership object can be contained by many VsmCERC objects. For more information about CiscoVsmBrowser::VsmCERC objects, see the "CE Routing Community" section and the "CiscoVsmBrowser::VsmCERC" section.
Each CiscoVsmBrowser::VsmCERCMembership object can be joined by many VsmVRFDef objects. For more information about CiscoVsmBrowser::VsmVRFDef objects, see the "VPN Routing/Forwarding Table Definition" section.
A service request VPN configuration (SRVC) is a service request object that specifies how the PE and CE ends of a PE-CE link are to be provisioned. A partial SRVC may also be used to reserve a port on the PE device for use by a port reservation group (PRG). A complete SRVC has a unique VRF definition and does not belong to a PRG. It can contain no more than two configlets (one for PE and one for CE). Each SRVC can configure a PE-CE pair. Each SRVC is initiated by one customer. Each SRVC can attach one PE interface to one VRF table.

A full SRVC object specifies VPN connectivity for a PE-CE edge-router pair. Specifically, each SRVC specifies how the PE and CE ends of a PE-CE link are to be provisioned. Each full SRVC:
The SRVC is stored in the VPN Inventory repository as an instance of the CiscoVsmBrowser::VsmSRVC interface.

A full SRVC object specifies how the PE and CE ends of a PE-CE link are to be provisioned. Each full SRVC has a unique VRF definition and does not belong to a PRG. It can contain no more than two configlets (one each for the PE and CE ends of a PE-CE link) and can configure a single PE-CE pair. Each SRVC is initiated by one customer. Each SRVC can attach one PE interface to one VRF table.
In addition to specifying VPN connectivity for a PE-CE link, you can also use an SRVC to reserve PE ports for future use in the form of a port-reservation group (PRG). When using an SRVC to specify a PRG, you need only specify those parts of the SRVC that pertain to PRGs.

Each CiscoVsmBrowser::VsmPE object can be configured by many VsmSRVC objects. For more information about CiscoVsmBrowser::VsmPE objects, see the "Provider Edge Router" section and the "CiscoVsmBrowser::VsmPE" section.
Each CiscoVsmBrowser::VsmPRG object can consist of many VsmSRVC objects. For more information about CiscoVsmBrowser::VsmPRG objects, see the "Port Reservation Group" section and the "CiscoVsmBrowser::VsmPRG" section.
A configlet is a text stream that consists of a set of router-configuration commands generated by a provisioning task. Each configlet can be for either a PE or a CE. A configlet is generated by a set of SRVC service requests.

Each CiscoVsmBrowser::VsmConfiglet object can configure a maximum of one VsmPE object, but each VsmPE object can be configured by multiple CiscoVsmBrowser::VsmCE objects. For more information about CiscoVsmBrowser::VsmPE objects, see the "Provider Edge Router" section and the "CiscoVsmBrowser::VsmPE" section.
Each CiscoVsmBrowser::VsmConfiglet object can configure a maximum of one VsmCE object, but each VsmCE object can be configured by multiple CiscoVsmBrowser::VsmCE objects. For more information about CiscoVsmBrowser::VsmCE objects, see the "Customer Edge Router" section and the "CiscoVsmBrowser::VsmCE" section.
Each CiscoVsmBrowser::VsmConfiglet object may be contained by many VsmSRVC objects, and each VsmSRVC object contains either zero configlets for a PRG or two configlets to configure a PE-CE pair for VPN connectivity. For more information about CiscoVsmBrowser::VsmSRVC objects, see the "Service Request VPN Configuration" section and "Defining Service Requests."
Posted: Fri Sep 22 20:17:26 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.