Setting Up the MPLS VPN Environment

Step 2   To keep the startup operations conveniently organized, open three terminal windows—one window for the xhost process, one for the VPN Console and Watchdog, and a third window for Orbix.

xhost VPNSC_hostname

The VPNSC_hostname parameter is the name of the VPN Solutions Center workstation. This command configures your system so that the Orbix user (orbixadm) and the MPLS VPN user (vpnadm) can communicate with your client system.

Step 2   Log in as the owner of the Orbix process (orbixadm).

su - orbixadm

When logged in, you are placed in the /opt/orbixadm directory.

Or if you are logging in remotely, enter this command:

rlogin VPNSC_hostname -l orbixadm

Step 3   Change directory to the directory where Orbix is installed.

cd orbix/Orbix3

You are now in the /opt/orbixadm/orbix/Orbix3 directory.

Step 4   Issue the following command to source the environment as required for your shell:

C-Shell: source setenvs.csh

K-Shell: . ./setenvs.sh

Step 5   Start the Orbix process in the background:

orbixd &

Step 2   Log in as the owner of the VPN Solutions Center software (vpnadm).

su - vpnadm

When logged in, you are placed in the /opt/vpnadm directory.

Or if you are logging in remotely, enter this command:

rlogin VPNSC_hostname -l vpnadm

Step 3   Go to the VPN Solutions Center installation directory.

cd vpn/

You should now be in the /opt/vpnadm/vpn directory.

Step 4   Issue the following command to source the environment as required for your shell.

C-Shell: source vpnenv.csh

K-Shell: . ./vpnenv.sh

Step 5   Set the display variable for the VPN Solutions Center workstation.

For the C shell:

setenv DISPLAY VPNSC_hostname:0.0

For the K shell:

export DISPLAY=VPNSC_hostname:0.0

Step 6   Start the application's WatchDog processes:

startwd

To stop the WatchDog process, issue the stopwd -y command.

Step 7   If you would like to confirm that the servers are running, issue the following command:

wdclient status

Note   This command is recommended, but it is not a required command in the startup sequence.

wdgui &

For a detailed description of the WatchDog graphical user interface, refer to the "wdgui Command" section in Chapter 2, "WatchDog Commands," of the Cisco VPN Solutions Center: MPLS Solution User Reference.

Step 8   Issue the following command to start the VPN Console:

vpnconsole &

Step 9   Enter a valid user name and password, then click OK.

Step 2   If the Watchdog user interface (wdgui) is running, close it by selecting the window, right-click, then choose Close from the menu.

Step 3   From the window where Watchdog was launched, close the Watchdog by issuing this command:

stopwd -y

Step 4   Log out (exit) from the vpnadm user.

Step 5   From the terminal window from which you launched Orbix, shut down the Name Server:

killit NS

Step 6   Discover the process ID of orbixd:

ps -ef | grep orbixd

Step 7   Shut down the Orbix process by issuing this command:

kill orbixd_process_ID

Step 8   Log out (exit) from the orbixadm user.

To use VPNSC: MPLS Solution to set up an MPLS VPN network requires the following tasks:

1. Define the network elements.

Note   When you define target names in the VPN Solutions Center software, the target names you specify must match the actual IOS host names of the corresponding devices.

Note   The Simple Network Management Protocol (SNMP) must be configured on each PE router and CE router in the service provider network. To determine whether SNMP is enabled and set the SNMP community strings on a router, see the "Setting Up SNMP on the Routers in the Service Provider Network" section.

There are two methods for defining targets and organizing them into the appropriate networks (or target groups):

• Importing all the pertinent router configuration files

  A quick way to define the MPLS VPN networks and the targets in them is to import your router configuration files into the VPNSC: MPLS Solution software. This method lets you specify a directory of router configuration files and the network for these routers. The network and the targets in the network are created based on the imported configuration files.

  When employing this method, note that not all the necessary information is present after you import the files. You must then proceed to define the additional target information, such as the IP addresses, passwords, and so forth (described later in this document).

• Defining individual targets manually

Device names within each directory must be unique.

A typical set includes Provider and Customer edge routers (PEs and CEs).

Step 2   From the VPN Console menu, choose Setup > Create Targets From Router Configurations.

An informational window displays the following information:

This will create targets based on the router configuration files in a specified directory. A network will be created for the new targets.

You will be asked to enter the following information:

• Directory containing the router configuration files

• Network name for the new targets

• Domain name for the targets (optional)

Step 4   Enter the directory path, network name, and (optionally) the domain name; then click OK.

   a. The directory path is the path to the router configuration files.

  To browse for the directory path, click Select and choose the appropriate directory.

   b. The Network Name field includes a drop-down list that provides all the currently defined networks. To select the network name from the list, click the Down Arrow icon, then select the appropriate network name.

Under the Networks folder in the hierarchy pane, the product software adds the network name you specified.

Step 2   In the Find What field, enter the name of the network you want to find.

Step 3   If you want the search to match the case of the network name you enter, check the Match Case check box.

Step 4   Choose the direction of the search by clicking the Up or Down radio button.

Step 5   When you have completed the search parameters, click Find Next.

Step 6   Close the Find window.

Step 2   Double-click the desired network from the list of networks.

Step 5   In this dialog box, select the check boxes for the fields you want to apply to all the selected targets: Network, Domain, and Description.

Step 6   Choose the desired network name from the Network field drop-down list.

Step 7   Enter the domain name.

Caution When you specify both the domain name of the device and the IP address of a device, the IP address overrides the specified domain name.

Entering information in the Description field is optional (but recommended).

In this example, we have not specified a value for the Login User field, reserving that value for individual router configuration.

Step 10   Specify the information for the following fields, then click OK.

   a. Login Password

  The recommended setting is three (3) retries.

   f. SNMP and Telnet timeout

  The recommended setting is 20 seconds.

When you click OK, you return to the Network window.

Caution It is important to understand that when you specify both the domain name of the device and the IP address of a device, the IP address overrides the specified domain name.

Step 2   Choose Actions > Edit Target.

Defining the Passwords and SNMP Community Strings for Individual Targets

Step 6   Enter the IP address for the selected router, then click OK.

You return to the IP Addresses tab, where the IP address you entered is now displayed.

To change the passwords defined for routers in the VPNSC software, follow these steps:

Step 2   Double-click the desired network from the list of networks.

The Network window appears in the data pane on the right, displaying the name of each router in the selected network, along with its domain name and role (in this case, Cisco Router).

At this point, you have the option to change the passwords for a single target (router) or multiple targets. This procedure describes how to change the passwords for multiple routers at once.

Step 3   Select the routers from the list for which you want to change one or more passwords.

To select multiple targets from the list, hold down the Ctrl key while you click the desired targets.

Step 5   Check the checkboxes for the password(s) you want to change, then enter the new passwords.

Step 6   When the changes are complete, click OK.

Step 2   Double-click the selected network.

The Network window appears, displaying the names of the devices in the selected network.

The Network window appears, displaying the names of all the devices in the selected network.

Step 3   In the Target Name field, enter the UNIX host name of the NetFlow Collector device (NFC).

Note   When you define target names in VPN Solutions Center software, it is important that the target names you specify match the actual IOS host names of the corresponding devices.

Step 4   Enter the domain name for the NFC device.

Caution It is important to understand that when you specify both the domain name of a device and the IP address of a device, the IP address overrides the specified domain name.

Step 5   Click the Role drop-down menu, then choose NetFlow.

Note   Entering a description in the Description pane is not required but recommended.

VPNSC: MPLS Solution uses the username and Login password specified here to communicate with the NFC device. The Login password is a required password—this password must be set both on the router and in VPNSC.

Step 8   Complete the Retries and Timeout fields as necessary.

The recommended value for Retries is 4; the recommended value for Timeout is 20 seconds.

Step 9   Choose the IP Addresses tab and click Add.

You return to the IP Addresses tab, where the IP address you entered is now displayed.

This completes the procedure for adding an NFC device to the network.

To view devices by their role, follow these steps:

The Network window appears in the data pane. By default, all the routers in the selected network are listed in the Network window.

• To view all the devices—routers and NFC devices—in the network, choose View > All.

• To view all the Cisco routers in the network, choose View > Filter by Role > Cisco Routers.

• To view all the NetFlow Collector devices currently defined in the network, choose View > Filter by Role > NetFlow.

Note that a provider can also assign PEs to these Regions, thereby simplifying the PE selection process (for example, only presenting PEs in the European Region when adding service to a European customer edge router).

Tips Cisco recommends that providers create one Provider Administrative Domain and then define the Regions within the PAD.

• The BGP autonomous system (AS) number

• The names of the PE routers within the Region

• The IP address pools for point-to-point links (that is, the IP numbered links)

• The IP address pools for loopback links (that is, the IP unnumbered links)

To define a new Provider Administrative Domain, follow these steps:

Step 2   Enter the name of the PAD and the BGP Autonomous System (AS) number in the appropriate fields.

The contact information is optional, but it is a good idea to provide it.

Step 4   Enter the name of the Region.

The next step in creating a Region is to assign the provider edge routers that are in the Region.

When you select the Add button from the Region dialog box, the Add Provider Edge Routers dialog box appears.

Step 2   From the dialog box's Network drop-down list, select the appropriate service provider network name (or a network that contains provider devices).

Step 3   From the list of routers, select a router to be assigned as a PE, then click OK.

You return to the Region dialog box. The name of the router you selected is now displayed in the list of PE Routers.

Step 4   Repeat this procedure to add additional PEs to the Region as required.

Step 2   From the PAD menu, choose Open Provider A.D.

Step 3   From the list of Regions, choose the Region to which the PE is to be added.

Step 5   From the Region dialog box, click Add.

Step 6   In the Add Provider Edge Routers dialog box, do the following:

   a. From the Network drop-down list, choose the network.

   b. From the list of devices, choose the name of the router you want to add as a PE.

   c. Click OK.

Step 7   To complete the operation, click OK. You return to the Edit Provider Administrative Domain dialog box.

Click OK again to return to the VPN Console.

Step 2   In the Find What field, enter the name of the VPN Provider you want to find.

Step 3   If you want the search to match the case of the VPN Provider name you enter, check the Match Case check box.

Step 4   Choose the direction of the search by clicking the Up or Down radio button.

Step 5   When you have completed the search parameters, click Find Next.

The VPNSC software locates the indicated VPN Provider and highlights it in the hierarchy pane.

From this dialog box, you can add IP address pool information for point-to-point (IP numbered) links or loopback (IP unnumbered) links.

Step 3   Enter the address for the IP address pool and click OK.

You return to the IP Address Pools dialog box, where the new IP address pool information is displayed.

Step 4   Click OK.

You return to the New Provider Administrative Domain dialog box, where the new Region name is displayed in the Regions field.

The MPLS label is part of a BGP routing update. The routing update also carries the addressing and reachability information. When the RD is unique across the MPLS VPN network, proper connectivity is established even if different customers use non-unique IP addresses.

For the RD, every CE that has the same overall role should use a VRF with the same name, same RD, and same RT values. The RDs and RTs are only for route exchange between the PEs running BGP. That is, for the PEs to do MPLS VPN work, they have to exchange routing information with more fields than usual for IPv4 routes; that extra information includes (but is not limited to) the RDs and RTs.

VPNSC: MPLS Solution software sets the route distinguisher and route target values, but you can assign your own values if you choose (as described in this section).

Step 2   In the Start Route Distinguisher Values At <BGP AS#> field, enter the new Route Distinguisher value.

Step 3   In the Start Route Target Values At <BGP AS#> field, enter the new Route Target value.

Step 4   Click OK.

The list of Provider Administrative Domains is displayed.

Step 2   Click the desired Provider Administrative Domain's open-close icon.

The list of Regions is displayed.

Step 3   Select the desired Region, then right-click.

Step 4   From the Regions menu, choose Delete Region.

A confirmation window appears with the message, "Are you sure you want to delete this Region?"

Step 5   Click Yes.

The Region is deleted and removed from the VPN Console display.

Step 2   In the Find What field, enter the name of the Region you want to find.

Step 3   If you want the search to match the case of the Region name you enter, check the Match Case check box.

Step 4   Choose the direction of the search by clicking the Up or Down radio button.

Step 5   When you have completed the search parameters, click Find Next.

The VPNSC software locates the indicated Region and highlights it in the hierarchy pane.

Step 6   Close the Find dialog box.

Step 3   Use the functions and features in the Topology windows to view various aspects of the PAD topology.

The Node menu presents the following options:

  Choose List Service Requests to generate the VPN Service Requests Report that lists the service requests associated with the selected Region or PE.

  An element displayed with a + (plus) sign indicates that more information is available. The Navigation option offers two options: Go to Child Graph and Show Child Graph.

• View As

  The View As option provides two options: Icon and Details.

• Edit Font

  Choosing the Edit Font option brings up the Choose Font dialog box. From this dialog box, you can choose the font type and size for the topology display.

• Background Color

  Choosing the Background Color option brings up the Choose Color dialog box. From this dialog box, you can choose the background color for the topology display.

• Foreground Color

  Choosing the Foreground Color option brings up the Choose Color dialog box. From this dialog box, you can choose the foreground color for the topology display.

Step 2   Choose the options you need from the Node menu.

The actual deployment of QoS in a network requires a division of labor for greatest efficiency. Because QoS requires intensive processing, the Cisco model distributes CoS duties between edge and core devices. Edge devices, such as provider edge routers (PEs), do most of the processor-intensive work, performing application recognition to identify flows and classify packets according to unique customer policies. Edge devices also provide bandwidth management. Core devices expedite forwarding while enforcing CoS levels assigned at the edge.

About CoS

Class of Service (Cos) is distinguished by providing differentiated classes of service. Before you can provide a higher quality of service to a customer, application, or protocol, you must classify the traffic into classes, and then determine the way in which to handle the various traffic classes as traffic moves through the network.

When differentiation is performed, it is done to identify traffic by a unique criteria and classify incoming traffic into classes. Each of the traffic classes must be recognized by the classification mechanisms at the network ingress point, as well as farther along in the network topology.

CoS differentiation is usually performed as a method of identifying traffic as it enters the network or a method that ensures that traffic is classified appropriately so that it is forced to conform with the desired user-defined policy or service-level agreement (SLA).

VPNSC: MPLS Solution software provisions Class of Service on the ingress PE interfaces and the egress CE interfaces. VPNSC: MPLS Solution offers the following features for Class of Service (CoS) provisioning between a CE and a PE:

  Shaping is a method of mapping traffic into separate output queues to provide predictable network behavior. In MPLS VPNs, shaping is configured on either the CE's or PE's egress interfaces. For shaping, the product uses Generic Traffic Shaping (GTS) that includes an optional feature that handles Frame Relay Backward Explicit Congestion Notification (BECN) responses.

  Takes place into a PE from a CE and configured on the CE's or PE's egress interfaces. The product uses Committed Access Rate (CAR) for policing.

The VPNSC: MPLS Solution software requires that you create a Class of Service (CoS) Profile only if you want the product to provision CoS on the PE-CE link. You can add additional CoS profiles at any time. This procedure only defines the CoS Profile—until you invoke it when you activate a service request, the CoS Profile has no effect.

Class of Service Profiles are applied to the Provider Edge Router (PE), but the CoS definition is enforced across the PE-CE link on both the PE and CE.

To define a Class of Service Profile, follow these steps:

Step 2   Choose Open Provider A.D.

The Edit Provider Administrative Domain dialog box appears.

Step 3   Choose the Class of Service (CoS) Profiles tab, then click Add.

Step 4   Complete the Class of Service profile, then click OK.

The PE can rate limit traffic to the subscribed bandwidth and mark the traffic that is within the specified bandwidth as in-contract, and mark traffic above the specified bandwidth as out-of-contract.

The customer can initially "paint" the packets that leave the customer edge router (the PE is the destination router), and VPNSC: MPLS Solution allows policing or repainting of packets that enter the provider edge router.

The Backup tool backs up the VPN Solutions Center Repository, which includes all the database files, collected raw datasets, generated baseline reports, logs, service objects, and configlets, to a local directory on the VPNSC: MPLS Solution machine. The backup options include Tar (which stands for "tape archiver" even though tape is rarely the backup medium these days) or Tar and compress.

To back up the Repository, follow these steps:

Step 2   Click Backup.

Step 3   In the Source Directory field, enter the path name for the Repository you want to back up.

The Source Directory field is required. This field defaults to the directory of the currently used Repository. If you choose a different Repository to back up, in this field place the full path name to the directory of the Repository that you want to back up.

Step 4   In the Destination Directory field, enter the full path name to the directory where you want to copy the Repository files.

Step 5   Determine the method you want for Repository backup by choosing one of the following:

• Default

  Choose this option if you want to back up the Repository and leave everything as is and copy the files to the destination directory.

• Tar

  Choose this option if you want to back up the Repository and copy it to a TAR file in the destination directory.

• Tar and Compress

  Choose this option if you want to back up the Repository and copy it to a compressed TAR file in the destination directory.

Step 6   If you want to turn on the verbose option when backing up the database, check the Show Details check box. This option gives you detailed progress information.

Step 7   Once you have completed the fields, buttons, and boxes in the Database Backup dialog box, click Start Backup.

Note   Optional: To return the fields and other settings on the Database Backup dialog box to their default values, choose Reset.

To restore the Repository, follow these steps:

Step 4   In the Source Directory/File field, enter the directory (or path to a filename) from which you are restoring the Repository.

Step 5   In the Destination Directory field, enter the drive and path to the directory where you want to restore the Repository.

Caution The destination directory for the restoration operation must be empty. If you restore a Repository over an existing Repository, valuable data may be lost and service requests may not function correctly.

Step 6   Set the Restore operation options if desired:

• If you want VPNSC to create the destination directory, check the Create destination directory if needed check box.

• To provide detailed progress information regarding the Restore operation, check the Show Details check box.

• If you wish to erase the values you have entered so far, click Reset.

Step 7   When you have completed the fields, click Restore.

You receive the prompt, "Do you really want to continue?"

Step 8   To proceed with the Repository restoration operation, click OK.

The next page provides the following information:

The Database Restore Process has started!
The Database backup file is path/filename.
Restore to directory pathname.
The execution string is dbRestore source_path ~dest destination_path -c
Click here to look at the Status.

Step 9   To check the status of the Restore operation, choose the Status link.

The Cisco VPNSC Repository Management Tool displays the Status page.

Step	Command	Description or Task
1	> telnet routername	routername is the name of the router you are checking.
2	Router> enable Router> enable-password	Enter enable mode and enter the enable password.
3	Router# show snmp
4		Check the output to see whether the following statement is present: SNMP agent not enabled
5	Router# configure terminal	Enter global configuration mode. You can also abbreviate the command to config t.
6	Router(config)# snmp-server community userstring RO	Set the community read-only string.
7	Router(config)# snmp-server community userstring RW	Set the community read-write string
8	Router(config)# Ctrl+Z	Return to privileged Exec mode.
9	Router# copy running startup	Save the configuration changes to NVRAM.

Tips The SNMP strings defined in the VPNSC: MPLS Solution target password database must agree with those set on each router in the service provider network. The procedure for setting the SNMP community strings in the VPNSC: MPLS Solution software is described in the "Completing the Target Information for Individual Targets" section.