Defining and Deploying MPLS VPN Service Requests

The focus of the VPNSC: MPLS Solution product is the service provided for a customer on the link between the customer's CE and the provider's PE. This chapter describes how you create a service request in the VPNSC: MPLS Solution software, as well as how to modify and delete service requests. Finally, this chapter tells you how to check on a service request's status and find out what went wrong if the request failed.

The main topics presented in this chapter are as follows:

Service Request Summary

The service model is the centerpiece of service provisioning. With the service model, the VPNSC: MPLS Solution software can capture the specified VPN service provisioning request, analyze the validity of the request, and audit the provisioning results.

The service provider operators take all service request information from their customers. VPNSC: MPLS Solution can assist the operator in making entries because the product has customer information such as the VPN information, the list of the assigned PEs and CEs, and so forth.

The VPN Console steps the operator through the process and simplifies the task of provisioning the CE and PE by automating most of the tasks required to set up an MPLS VPN.

Table 5-1 and Table 5-2 show the state transition paths for VPN Solutions Center service requests. The beginning state of a service request is listed in the first column; the states that service requests transition to are displayed in the heading row.

For example, to use Table 5-1 to trace the state of a Pending service request to Functional, find "Pending" in the first column and move to your right until you find "Functional" in the heading. You can see that for a service request to move from Pending to Functional, a successful routing audit must take place.

Table 5-1 shows the service request transitions from Requested to Lost.

Table 5-1: State Transition Paths for VPNSC Service Requests (Part 1)

Service Request States Requested Pending Deployed Functional Lost

Requested
No transition to Requested

Successful service request deployment

No transition

No transition

No transition to Lost

Pending
No transition to Requested

Successful service request deployment

Audit with error

Audit is successful

Routing audit is successful

No transition to Lost

Deployed
No transition to Requested

Successful service request redeployment

Audit is successful

Routing audit is successful

Audit found error

Functional
No transition to Requested

Successful service request redeployment

No transition to Deployed

Routing audit is successful

Audit found error

Lost
No transition to Requested

Successful service request redeployment

Audit is successful

Routing audit is successful

Audit found error

Broken
No transition to Requested

Successful service request redeployment

No transition to Deployed

Routing audit is successful

Audit found error

Invalid
No transition to Requested

Successful service request redeployment

No transition to Deployed

No transition to Functional

No transition to Lost

Failed Deploy
No transition to Requested

Successful service request redeployment

No transition to Deployed

No transition to Functional

No transition to Lost

Closed
No transition to Requested

No transition to Pending

No transition to Deployed

No transition to Functional

No transition to Lost

Service Request States	Requested	Pending	Deployed	Functional	Lost
Requested	No transition to Requested	Successful service request deployment	No transition	No transition	No transition to Lost
Pending	No transition to Requested	Successful service request deployment Audit with error	Audit is successful	Routing audit is successful	No transition to Lost
Deployed	No transition to Requested	Successful service request redeployment	Audit is successful	Routing audit is successful	Audit found error
Functional	No transition to Requested	Successful service request redeployment	No transition to Deployed	Routing audit is successful	Audit found error
Lost	No transition to Requested	Successful service request redeployment	Audit is successful	Routing audit is successful	Audit found error
Broken	No transition to Requested	Successful service request redeployment	No transition to Deployed	Routing audit is successful	Audit found error
Invalid	No transition to Requested	Successful service request redeployment	No transition to Deployed	No transition to Functional	No transition to Lost
Failed Deploy	No transition to Requested	Successful service request redeployment	No transition to Deployed	No transition to Functional	No transition to Lost
Closed	No transition to Requested	No transition to Pending	No transition to Deployed	No transition to Functional	No transition to Lost

Table 5-2 shows the service request transitions from Broken to Closed.

Table 5-2: State Transition Paths for VPNSC Service Requests (Part 2)

Service Request States Broken Invalid Failed Deploy Closed

Requested
No transition to Broken

Deploy Service Request error

Deploy failed

No transition to Closed

Pending
Route audit is not successful

Redeploy service request error

Redeploy service request failed

Removal of the service request is successful

Deployed
Route audit is not successful

Redeploy service request error

Redeploy service request failed

No transition to Closed

Functional
Route audit is not successful

Redeploy service request error

Redeploy service request failed

No transition to Closed

Lost
Route audit is not successful

Redeploy service request error

Redeploy service request failed

No transition to Closed

Broken
Route audit is not successful

Redeploy service request error

Redeploy service request failed

No transition to Closed

Invalid
No transition to Broken

Redeploy service request error

Redeploy service request failed

No transition to Closed

Failed Deploy
No transition to Broken

Redeploy service request error

Redeploy service request failed

No transition to Closed

Closed
No transition to Broken

No transition to Invalid

No transition to Failed Deploy

No transition to Closed

Service Request States	Broken	Invalid	Failed Deploy	Closed
Requested	No transition to Broken	Deploy Service Request error	Deploy failed	No transition to Closed
Pending	Route audit is not successful	Redeploy service request error	Redeploy service request failed	Removal of the service request is successful
Deployed	Route audit is not successful	Redeploy service request error	Redeploy service request failed	No transition to Closed
Functional	Route audit is not successful	Redeploy service request error	Redeploy service request failed	No transition to Closed
Lost	Route audit is not successful	Redeploy service request error	Redeploy service request failed	No transition to Closed
Broken	Route audit is not successful	Redeploy service request error	Redeploy service request failed	No transition to Closed
Invalid	No transition to Broken	Redeploy service request error	Redeploy service request failed	No transition to Closed
Failed Deploy	No transition to Broken	Redeploy service request error	Redeploy service request failed	No transition to Closed
Closed	No transition to Broken	No transition to Invalid	No transition to Failed Deploy	No transition to Closed

Table 5-3 describes the functions of each type of VPN Solutions Center service request.

Table 5-3: Summary of VPN Solutions Center Service Request Types

Service Request Type Description

Broken

While the router is correctly configured, the service is unavailable (due to a broken cable or Layer 2 problem, for example). A service request moves to Broken if the Auditor finds the routing and forwarding tables for this service, but they do not match the service intent.

Closed

A service request moves to Closed if the service request should no longer be used during the provisioning or auditing process. A service request moves to the Closed state only upon a successful audit of a remove request. VPNSC: MPLS Solution does not remove a service request from the database to allow for extended auditing. Only a specific administrator action results in service requests being removed.

Deployed

A service request moves to Deployed if the configlet commands have been verified as found in the router configuration file. Deployed indicates that the configuration file has been downloaded to the router, and the intent of the request has been verified at the configuration level.

Failed Deploy

After provisioning occurred, the service request failed to download the configlets to the router. A service request moves to Failed Deploy if an error was detected during the deployment process by the Cisco IP Manager (CIPM). If CIPM is not being used to download configlets, and the product is simply exporting configlets to a directory, there is no way to distinguish between a service request in the Failed Deploy and Pending states. There are two causes for Failed Deploy status:

CIPM reports to VPIM that the download failed (lost connection, bad password, etc.).

The object could not establish configuration-level verification of intent.

If the configlets are exported to a directory, the service request cannot move into a Failed Deploy state.

Functional

A service request moves to Functional when the Auditor finds the VPN routing and forwarding tables (VRF) for this service and they match with the service intent. This state requires configuration-level verification.

Invalid

Indicates that the service request information is incorrect in some way. A service request moves to Invalid if the request was either internally inconsistent or not consistent with the rest of the existing network/router configurations (for example, no more interfaces were available on the router). The VPN Provisioning Inventory Manager (VPIM) server cannot generate configlets to service this request.

Lost

A service request moves to Lost when the Auditor cannot find a configuration-level verification of intent in the router configuration files. The service request was deployed, but now some or all router configuration information is missing. A service request can move to the Lost state only when the service request had been Deployed or Functional.

Pending

A service request moves to Pending when the VPN Provisioning Inventory Manager (VPIM) server determines that the request looks consistent and was able to generate the required configlets for this request. Pending indicates that the service request has generated the configlets and the configlets are successfully downloaded to the routers.

The Auditor regards pending service requests as new requests and begins the audit. If the service has been freshly provisioned and not yet audited, it is not an error (pending audit). However, if an audit is done and the service is still pending, it is in an error state.

Requested

If the service is newly entered and not yet deployed, it is not an error. However, if a Deploy is done and it remains Requested, the service is in an error state.

Service Request Type	Description
Broken	While the router is correctly configured, the service is unavailable (due to a broken cable or Layer 2 problem, for example). A service request moves to Broken if the Auditor finds the routing and forwarding tables for this service, but they do not match the service intent.
Closed	A service request moves to Closed if the service request should no longer be used during the provisioning or auditing process. A service request moves to the Closed state only upon a successful audit of a remove request. VPNSC: MPLS Solution does not remove a service request from the database to allow for extended auditing. Only a specific administrator action results in service requests being removed.
Deployed	A service request moves to Deployed if the configlet commands have been verified as found in the router configuration file. Deployed indicates that the configuration file has been downloaded to the router, and the intent of the request has been verified at the configuration level.
Failed Deploy	After provisioning occurred, the service request failed to download the configlets to the router. A service request moves to Failed Deploy if an error was detected during the deployment process by the Cisco IP Manager (CIPM). If CIPM is not being used to download configlets, and the product is simply exporting configlets to a directory, there is no way to distinguish between a service request in the Failed Deploy and Pending states. There are two causes for Failed Deploy status: CIPM reports to VPIM that the download failed (lost connection, bad password, etc.). The object could not establish configuration-level verification of intent. If the configlets are exported to a directory, the service request cannot move into a Failed Deploy state.
Functional	A service request moves to Functional when the Auditor finds the VPN routing and forwarding tables (VRF) for this service and they match with the service intent. This state requires configuration-level verification.
Invalid	Indicates that the service request information is incorrect in some way. A service request moves to Invalid if the request was either internally inconsistent or not consistent with the rest of the existing network/router configurations (for example, no more interfaces were available on the router). The VPN Provisioning Inventory Manager (VPIM) server cannot generate configlets to service this request.
Lost	A service request moves to Lost when the Auditor cannot find a configuration-level verification of intent in the router configuration files. The service request was deployed, but now some or all router configuration information is missing. A service request can move to the Lost state only when the service request had been Deployed or Functional.
Pending	A service request moves to Pending when the VPN Provisioning Inventory Manager (VPIM) server determines that the request looks consistent and was able to generate the required configlets for this request. Pending indicates that the service request has generated the configlets and the configlets are successfully downloaded to the routers. The Auditor regards pending service requests as new requests and begins the audit. If the service has been freshly provisioned and not yet audited, it is not an error (pending audit). However, if an audit is done and the service is still pending, it is in an error state.
Requested	If the service is newly entered and not yet deployed, it is not an error. However, if a Deploy is done and it remains Requested, the service is in an error state.

Overview of Service Request Definition Process

Provisioning a VPN provides a method to build a service for site-to-site connectivity between a provider edge router and a customer edge router. It includes the following steps:

1. From the VPN Console, define a service request to add VPN service between a CE and PE.

2. Schedule to download the new configuration to the CE and PE pairs.

3. Use the reports available from the Provisioning menu to verify the service requests and view configlets.

The first step in provisioning a VPN is to define a service request. A service request defines through whom (the provider edge router) and to whom (the customer edge router) the service is provided. In this procedure, you determine the specifics of the link between the PE and CE.

Take note of these important elements of the process:

When defining a service request, you define the VPN's membership in a CE Routing Community (CERC).

: A CE Routing Community describes how CEs in a VPN communicate with each other. The most common examples are hub-and-spoke and full mesh topologies.

Define the routing protocol for the PE-CE link.
Define the IP addressing scheme for the PE-CE link.

: Within a VPN (or extranet), all IP addresses must be unique. Customer IP addresses are not allowed to overlap with provider IP addresses. Overlap is possible only when two devices cannot see each other; that is, they are in isolated, non-extranet VPNs.
: The VPNSC: MPLS Solution software assumes that it has an IP address pool to draw addresses from. The only way to guarantee that the product can use these addresses freely is if they are provider IP addresses.
: Predefining a unique section (or sections) of IP address space for the PE-CE links is the only way to ensure stable security. Thus, because of the security and maintenance issues, Cisco does not recommend using customer IP addresses on the PE-CE link.

Adding a Service for a PE-CE Link

A service request is an instance of service contract between a CE and a PE. The service request wizard asks you to enter several parameters, including the specific interfaces on the CE and PE routers, routing protocol information, and IP addressing information.

To add VPN service between a PE and CE, follow these steps:

Step 1 From the VPN Console, choose Provisioning > Add VPN Service to CE.

The introductory panel in the Add VPN Service to CE wizard appears. It is informational only.

Step 2 Click Next. The Select CE dialog box appears (see Figure 5-1).

Selecting a Customer Edge Router (CE)

Step 1 From the Select CE dialog box, select the customer edge router for this link.

Figure 5-1: The Select CE Dialog Box

Step 2 From the Customer drop-down list, select the appropriate customer.

Step 3 From the Site drop-down list, select the appropriate site.

Step 4 From the CE Routers list, select the appropriate CE.

Note If you are configuring a service for a cable link, the specified CE should be an unmanaged CE.

Step 5 Click Next.

The Select PE dialog box appears (see Figure 5-2).

Selecting the Provider Edge Router (PE)

Step 1 From the Select PE dialog box, select the provider edge router for this link.

Figure 5-2: Select PE Dialog Box

Step 2 From the Provider drop-down list, select the appropriate provider name.

Step 3 From the Region drop-down list, select the appropriate region.

Step 4 From the PE Routers list, select the PE.

Step 5 Click Next.

The Select VPN: CERC Memberships dialog box appears (see Figure 5-3).

Defining CERC Membership and Joining the Management VPN

Step 1 From the Select VPN: CERC Memberships dialog box, select the appropriate VPN from the list and specify the VPN topology.

Figure 5-3: Select VPN: CERC Memberships Dialog Box

The most common types of VPNs are hub-and-spoke and full mesh. These two basic types of VPNs—full mesh and hub and spoke—can be represented with a single CERC.

For additional information on CE routing communities, see the "CE Routing Communities" section and the "Defining CE Routing Communities" section.

Step 2 If you are building a VPN with a hub-and-spoke topology, check the Join as Spoke check box.

A hub-and-spoke CERC is one in which one or a few CEs act as hubs, and all spoke CEs talk only to or through the hubs, never directly to each other.
A full mesh CERC is one in which every CE connects to every other CE.

Step 3 If you are building a VPN with CEs that are members of multiple VPNs (extranets), check the Advanced setup required check box.

Extranet provisioning provides a way to create multiple VPN connectivity to a single VRF.

Step 4 If you are adding a CE to the management VPN, check the Join the management VPN check box. For more information, see the "Implementing the Management VPN Technique" section.

When you use the VPNSC: MPLS Solution software to define a management VPN, the software automatically generates an export route map for the management VPN.

Step 5 Click Next.

The Select Routing Policy dialog box appears (see Figure 5-4).

Choosing the Routing Protocol for the Link

The Select Routing Policy dialog box appears. The first routing protocol option is Static routing. Figure 5-4 shows the options available when you choose to use a Static protocol.

Figure 5-4: The Static Protocol Routing Policy Options

Step 1 Choose the routing protocol for the PE-CE link.

The routing protocol you choose must run on both the PE and the CE.

You can choose Static (for specifying a static route), OSPF (Open Shortest Path First), BGP (Border Gateway Protocol), RIP (Routing Information Protocol), or None (to specify parameters for cable service).
The wizard presents a different sequence of screens and requires different information depending on which protocol you choose.

Step 2 Complete the necessary fields and other information required for the selected routing protocol as described below, then click Next.

Static Routes Options

Step 1 To define static routes on the PE-CE link, choose the Static radio button. VPNSC displays the dialog box shown in Figure 5-4.

The Static Routes dialog box provides the following options:

Give Only Default Routes to CE

: When using the Give only default routes to CE option with static route provisioning on the PE-CE link, the product creates a default route on the CE that points to the PE. The VRF static route to the CE's site is redistributed into BGP to other sites in the VPN.
: When you select the Give only default routes to CE option, the default route (0.0.0.0/0) is filled in for you; the site contains no Internet feed or any other requirement for a default route. When it encounters a packet that does not route locally, it can send the packet to the VPN.

Redistribute Connected (BGP only)

: When you check Redistribute Connected, the connected routes (that is, the routes to the directly connected PEs or CEs) are distributed to all the other CEs in that particular VPN.

Note When joining the management VPN and you are using IP numbered addresses on the link, you must enable the Redistribute Connected option.

Step 2 When you click Next, VPNSC: MPLS Solution software asks for two lists of static routes (see Figure 5-5):

Those static routes to put on the PE, which describe all of the address space in the CE's site.
Those static routes to put on the CE, which describe all of the address space throughout the VPN.

: That is, the product informs the PE what the CE needs to know, and informs the CE what the VPN (via the PE) needs to know.

Figure 5-5: Specifying the Static Routes on the PE-CE Link

Step 3 To specify the advertised routes for the specified CE, click the Add button in the upper right corner of the dialog box. The Advertised Routes dialog box appears (see Figure 5-6).

Figure 5-6: Specifying the Advertised Routes to Put on the PE

Step 4 Enter the IP address of the advertised static route to be placed on the PE to define the CE's address space, then click Add.

The specified advertised route is displayed in the field.

Step 5 Click OK. You return to the Static Type dialog box (see Figure 5-5).

Step 6 To specify the static routes to put on the CE (which describes all of the address space throughout the VPN), click the Add button in the lower right corner of the dialog box. The Routes to Reach All Sites dialog box appears (see Figure 5-7).

Figure 5-7: Specifying the Static Routes to Reach All Sites in the VPN

Step 7 Enter the IP address of the static route to reach all sites in the VPN, then click Add.

The specified static route is displayed in the field.

Step 8 Click OK. You return to the Static Type dialog box, which now displays the specified routes (see Figure 5-8).

Figure 5-8: Static Routes Displayed

Step 9 When finished specifying the static routes for the PE-CE link, click Next.

The Redistribution dialog box appears, which specifies the protocols to be redistributed on the link (see the "Specifying Redistributed Protocols on the Link" section).

OSPF Protocol Options

When you choose the OSPF radio button, VPNSC displays the dialog box shown in Figure 5-9:

Figure 5-9: The OSPF Protocol Routing Policy Options

Give Only Default Routes to the CE

: When you enable the Give only default routes to CE option, you indicate whether the site needs full routing or default routing. Full routing is when the site must know specifically which other routes are present in the VPN. Default routing is when it is sufficient to send all packets that are not specifically for your site to the VPN.
: A device can only have one default route. Therefore, the VPN can use a default route, but only on condition that the customer site does not already have a different one. The most common reason to already have a default route is that the site has an Internet feed that is independent of the VPN.
: If the CE site already has Internet service, the CE can either 1) route all packets to unknown destinations to the Internet, or 2) learn all the routes in the Internet. The obvious choice is to route all packets to unknown destinations to the Internet. If a site has an Internet feed, it may already have a default route. Under such conditions, setting the VPN as the default route is incorrect; the VPN should only route packets meant for other VPN sites.

Redistribute Static (BGP and OSPF)

: When you enable the Redistribute Static option for OSPF, the software redistributes the static routes into the core network (running BGP) and to the CE (running OSPF).

Redistribute Connected (BGP only)

: When you enable the Redistribute Connected option for OSPF, the software redistributes the connected routes (that is, the routes to the directly connected PEs or CEs) to all the other CEs in that particular VPN.

OSPF Process ID on CE

: The OSPF process ID is a unique value assigned for each OSPF routing process within a single router—this ID is internal to the CE only. You can enter this number either as any decimal number from 1 to 65535 or a number in dotted decimal notation.

OSPF Area Number on CE

: An area in OSPF terms is a grouping of contiguous OSPF networks and hosts. OSPF areas are logical subdivisions of OSPF autonomous systems. The topology of each area is invisible to entities in other areas, and each maintains its own topological database.
: You can enter the OSPF area number for the CE either as any decimal number in the range specified or a number in dotted decimal notation.

OSPF Process ID on PE

: The OSPF process ID is a unique value assigned for each OSPF routing process within a single router—this ID is internal to the PE only.

OSPF Area Number on PE

: You can enter the OSPF area number for the PE either as any decimal number in the range specified or a number in dotted decimal notation.

BGP Protocol Options

When you choose the BGP radio button, VPNSC displays the dialog box shown in Figure 5-10:

Figure 5-10: The BGP Protocol Routing Policy Options

Redistribute Static (BGP only)

: When you enable the Redistribute Static option for BGP, the software redistributes the static routes into the core network and to the CE, both of which are running BGP in this configuration.

Redistribute Connected (BGP only)

: When you enable the Redistribute Connected option for BGP, the software redistributes the connected routes (that is, the routes to the directly connected PEs or CEs) to all the other CEs in that particular VPN.

Neighbor AllowAS-in

: When you check the Neighbor AllowAs-in option, you can specify a maximum number of times (up to 10) that the service provider autonomous system (AS) number can occur in the autonomous system path.

Neighbor AS-Override

: When you check the Neighbor AS-Override option, you configure VPNSC: MPLS Solution to reuse the same AS number on all the VPN's sites.

BGP Autonomous System (AS) ID for the CE

: Enter the BGP autonomous system number for the CE (that is, the customer's BGP network). The number assigned here is different from the BGP AS number for the service provider's core network.

RIP Protocol Options

When you choose the RIP radio button, VPNSC displays the dialog box shown in Figure 5-11:

Figure 5-11: The RIP Protocol Routing Policy Options

Give Only Default Routes to CE

: When you enable the Give only default route to CE option for RIP, the product creates a default RIP route on the PE; the default RIP route points to the PE and is sent to the CE. The provisioning request gives you the option of redistributing any other routing protocols in the customer network into the CE's RIP routing protocol. The RIP routes on the PE to the CE's site are redistributed into BGP to other VPN sites.
: When you choose the Give only default route to CE option for RIP routing, the PE instructs the CE to send any traffic it cannot route any other way to the PE. This option should not be used if the CE's site needs a default route for any reason, such as having a separate Internet feed.

Redistribute Static (BGP and RIP)

: When you enable the Redistribute Static option for RIP, the software redistributes the static routes into the core network (running BGP) and to the CE (running RIP).

Redistribute Connected (BGP only)

: When you enable the Redistribute Connected option for BGP, the software redistributes the connected routes (that is, the routes to the directly connected PEs or CEs) to all the other CEs in that particular VPN.

The None Protocol Options (for Cable Service)

The None option in the Routing Policy dialog box indicates that you do not want to run a routing protocol on the selected PE-CE link. This option is provided to allow for configuring service over a cable link. For details, see "Provisioning the Cable Maintenance Subinterface" section.

When you choose the None radio button, VPNSC displays the dialog box shown in Figure 5-12:

Figure 5-12: The Routing Policy Options for None (Cable Services)

Redistribute Static (BGP)

: When you enable the Redistribute Static option for None, the software redistributes the static routes into the core network (running BGP).

Redistribute Connected (BGP only)

: When you enable the Redistribute Connected option for None, the software redistributes the connected routes (that is, the routes to the directly connected PEs or CEs) to all the other CEs in that particular VPN.

Note Because there is no routing protocol on this PE-CE link, enabling the Redistribute Connected option for this topology is highly recommended.

Specifying Redistributed Protocols on the Link

When you complete the Routing Policy wizard and click Next, the Redistribution dialog box appears (see Figure 5-13).

Step 1 If protocol redistribution is not required on this link, click Next.

Step 2 If necessary, specify the routing protocols that must be redistributed from the CE.

Step 3 Click Add.

The Redistributed Protocols dialog box appears (see Figure 5-13).

Figure 5-13: Redistributing Routing Protocols

Step 4 Select the protocol to be redistributed.

Step 5 Enter the appropriate AS number (BGP, IGRP, and EIGRP), process number (OSPF), or tag number (ISIS) corresponding to your protocol selection.

Step 6 Click Add.

Step 7 The redistributed protocol information is displayed in the dialog box.

Step 8 Click OK, then click Next.

Defining the Interfaces on the PE-CE Link

Step 1 Define the interfaces for the PE-CE link.

Figure 5-14: The Select PE-CE Interfaces Dialog Box

Step 2 Specify the type of interfaces for the PE-CE link:

Wide Area Network (WAN)
Local Area Network (LAN)

Step 3 Select the PE interface and its encapsulation method from the drop-down lists.

The interfaces available are determined by the PE's configuration file.
The encapsulation methods are determined by the which interface you select.

Step 4 Enable the Shutdown and Maintenance Interface options if appropriate:

When you check the Shutdown PE Interface checkbox, the specified PE interface will be configured in a shut down state.
When you select Cable for the PE interface, the Selected interface is a maintenance interface option is enabled. Checking this option provisions the cable maintenance interface; this interface is always configured as subinterface 1 (for example, if the selected cable interface is 3/0, the maintenance subinterface is 3/0.1). For details, see "Provisioning the Cable Maintenance Subinterface" section.

Step 5 Specify the CE interface and its protocol encapsulation from the drop-down lists.

Step 6 Click Next.

Step 7 If you specified serial interfaces for the PE and CE and chose Frame Relay as the encapsulation, specify the encapsulation information for the PE and CE, and Data-Link Connection Identifier (DLCI) numbers for the PE-CE link, then click Next. The dialog box shown in Figure 5-15 is not displayed for other encapsulation types.

Figure 5-15: Protocol Encapsulation Information

If you specified LAN interfaces, the wizard displays the dialog box shown in Figure 5-16.

Figure 5-16: Specifying VLAN IDs for the PE and CE

Step 8 Enter the VLAN IDs for the indicated PE and CE, then click Next.

The valid values are any integer from 1 to 1000.

Choosing an IP Addressing Scheme

The next dialog box in the Add VPN Service to the CE wizard (see Figure 5-17) provides a way to define the IP addressing scheme that is appropriate for this PE-CE link.

A point-to-point link between two routers can be either a numbered IP address or an unnumbered IP address. The service provider must determine whether to use numbered or unnumbered IP addresses for the PE-CE link. Defining the link to use unnumbered addresses can save precious IP addresses because many interfaces can borrow the same IP address.

Figure 5-17: IP Addressing Scheme Dialog Box

Step 1 Choose an IP addressing scheme for the PE and CE.

You can choose among four options:

IP unnumbered

: IP addresses are drawn from the loopback IP address pool. An unnumbered IP address means that each interface "borrows" its address from another interface on the router (usually the loopback interface). Unnumbered addresses can only be used on point-to-point WAN links (such as Serial, Frame, and ATM), not on LAN links (such as Ethernet). If using IP unnumbered, then both the PE and CE must use the same IP unnumbered addressing scheme. When you choose IP unnumbered, VPNSC creates a static route for the PE-CE link.
: When you choose IP unnumbered, VPNSC: MPLS Solution software automatically creates a loopback interface (unless a loopback interface already exists with the correct attributes). For related information, see the next section, "Using an Existing Loopback Interface Number."
: If you select IP unnumbered and choose to not use automatically assigned IP addresses, you can enter the IP addresses for the PE interface and CE interface in the fields provided. Entering the IP addresses in these fields forces the MPLS VPN software to use the indicated addresses.

IP numbered

: If you select IP numbered and choose to not use automatically assigned IP addresses, you can enter the IP addresses for the PE interface and CE interface in the fields provided. Entering the IP addresses in these fields forces the MPLS VPN software to use the indicated addresses.

IP numbered with extra CE loopback

: Even though a numbered IP address does not require a loopback address, VPNSC: MPLS Solution software provides the option to specify IP numbered with extra CE loopback. This option places an IP address on a CE router that is not tied to any physical interface.
: If you select IP numbered with extra CE loopback, you can enter the addresses for the PE and CE interfaces, plus the CE loopback address.

Use Automatically Assigned IP Address

: If you choose IP unnumbered and also check the Use Automatically Assigned IP Address check box, VPNSC: MPLS Solution picks two IP addresses from a /32 subnet point-to-point IP address pool.
: If you choose IP numbered and also check the Use Automatically Assigned IP Address check box, VPNSC: MPLS Solution picks IP addresses from a /30 subnet point-to-point IP address pool.

Step 2 When finished, click Next. The Specify VRF Parameters dialog box appears (see Figure 5-18).

Using an Existing Loopback Interface Number

On each PE, there is one loopback interface number per VRF for interfaces using IP unnumbered addresses. By default, VPNSC software assigns a loopback number associated with a particular loopback address.

However, if a service provider wants VPNSC to use an existing loopback interface number (for example, Loopback0), the service provider must modify the loopback interface description line in the configuration files for the pertinent routers (PE or CE).

To use the existing loopback interface number, you must modify the loopback interface description line so that it includes the keyword VPN-SC, as shown in this example of a router configuration file:

interface Loopback0
description Provisioned by VPN-SC
ip address 209.165.202.129 255.255.255.224

Specifying VRF Parameters

The Specify VRF Parameters dialog box lets you set values for import and export maps, maximum routes into the VRF table, and enable NetFlow accounting.

Figure 5-18: Specify VRF Parameters Dialog Box

Step 1 If necessary, enter the name of the export map in the Export Map field.

The Export Map field is the name of an existing export route map on the PE.

Note The Cisco IOS supports only one export route map per VRF (and therefore, per VPN).

When you use the VPNSC: MPLS Solution software to define a management VPN (see the "Defining CERC Membership and Joining the Management VPN" section), the software automatically generates an export route map for the management VPN. Because the Cisco IOS supports only one export route map per VRF and that route map is reserved for the management VPN, the Export Map field is not available if the VRF is part of the management VPN.

An export route map does not apply a filter; it can be used to override the default set of route targets associated with a route.

For information on the route-map command, refer to the Cisco IOS documentation on IP routing protocol-independent commands.

Step 2 Enter the name of the import map in the Import Map field.

The Import Map field is the name of an existing import route map on the PE.

Note The Cisco IOS supports only one import route map per VRF (and therefore, per VPN).

An import route map does apply a filter. Therefore, if you want to exclude a particular route from the VRF on this PE, you can either set an export route map on the sending router to make sure it does not have any route targets that can be imported into the current VRF, or create an import route map on this PE to exclude the route.

For command reference details on the import map command, see the "import map" section.

Step 3 In the Maximum Routes field, specify the maximum number of routes that can be imported into the VRF on this PE.

Step 4 To enable NetFlow accounting, check the Turn on NetFlow accounting checkbox.

For more information, see the "NetFlow Collector and VPNSC: MPLS Solution Software" section and the "MPLS VPN NetFlow Accounting" section.

Step 5 When you have completed the fields as necessary in the Specify VRF Parameters dialog box, click Next.

Overriding the Default VRF Name and Route Distinguisher Values

When you enable the VRF-RD Override property in the csm.properties file, the Select VRF Parameters dialog box presents options that allow you to override the default VRF name and Route Distinguisher (RD) values.

Caution Changing the default values for the VRF name and the Route Distinguisher value can alter or disable other service requests if not done correctly. Please make these changes with caution and only when absolutely necessary.

To override the default VRF name or the default RD values, follow these steps.

Step 1 On the VPNSC: MPLS Solution workstation, log in as superuser (su).

Step 2 Go to the /opt/vpnadm/vpn/etc directory.

Step 3 Open the csm.properties file with a text editor.

Step 4 Find the following section in the csm.properties file:

# Override VRF names and RD values.
# WARNING: This is an advanced feature. Overriding VRF names and RD values
# can potentially modify the intent of other service requests.
 
netsys.srvc.VRFRDOverride.unix=false

Step 5 Change the false value to true, then save your changes and exit the file.

Step 6 In the VPN Console, proceed through the Add Service to CE wizard as described in the previous sections.

When the Select VRF Parameters dialog box appears, it now displays fields for the VRF name and the RD value (see Figure 5-19).

Figure 5-19: VRF Name and RD Override Options

Step 7 To override the default VRF name, enter the new VRF name in the VRF Name field.

The maximum number of characters for the VRF name is 32.

Step 8 To override the default Route Distinguisher value, enter the new RD value in the RD Value field.

Step 9 When finished entering the necessary information, click Next. The Class of Service Profile dialog box appears.

Selecting a Class of Service Profile for the PE-CE Link

Step 1 If desired, select a Class of Service (CoS) profile to assign to the PE-CE link.

You can create a Class of Service (CoS) profile when you define the Provider Administrative Domain. For information on creating a CoS Profile, see the "Defining a Class of Service Profile" section. For a discussion on the Class of Service feature, see the "Quality of Service and Class of Service" section.

Class of Service profiles are applied to the Provider Edge Router (PE), but the CoS definition is enforced across the PE-CE link on both the PE and CE.

Step 2 Click Next.

Confirming the VPN Service Settings

VPN Solutions Center displays a summary of all the service settings defined for this VPN (see Figure 5-20).

Figure 5-20: Confirm VPN Service Information Window

Step 1 Verify that the service request information is correct, then click Next.

The wizard displays the following message:

Your request to "Add VPN Service to CE" has been submitted with ID number n. This service request can be deployed by using the "Deploy Service Requests" wizard or by using the "Deploy VPN Service" item under the "Provisioning" option of a VPN service request report.

Step 2 Press Close.

You have now queued a service request. It is entered into the product database and is in the initial state of "Requested."

Deploying a VPN Service

When you have queued a service request, you can then deploy it using the following method. This method automatically generates an Audit New Service Request type of audit. This audit passes the service request into an operational state.

Step 1 From the VPN Console, choose Provisioning > Deploy Service Requests.

The Deploy Service Requests wizard begins. The introductory window provides the following information:

This wizard sets up a scheduled task that deploys service requests to the appropriate routers. This involves computing the configlets for each service request, downloading the configlets to the routers, and running audit reports to determine whether the service was successfully deployed.

Click Next.

Step 2 Choose to deploy all or selected service requests, then click Next.

Deploy all new service requests

: For all service requests that are in the Requested state, this option initiates the process of uploading the configuration files from the PEs and managed CEs in the VPN, generates configlets, and downloads the configlets to the PEs and managed CEs.

Deploy selected service requests

: This option deploys the selected service requests regardless of which state they are in.

Figure 5-21: Selecting a Specific Service Request for Deployment

Step 3 Highlight the service request you wish to deploy, then click Next.

The Select Audit Options dialog box appears.

Running audit reports is the only way that service requests can progress from the Requested state to an operational state, such as Deployed. You have the option to not generate audit reports, but this option is not recommended.

Step 4 From the Select Audit Options dialog box, choose to generate audit reports, then click Next. The Save Task dialog box appears.

Figure 5-22: The Save Task Dialog Box

To help you enter a unique task name, the Save Task dialog box provides a list of up to 30 existing task names for the appropriate task type.

Step 5 Enter a unique task name, then click Next.

Step 6 To proceed to schedule the task, choose the default, Yes, in the next dialog box, then click Next.

Step 7 From the Schedule dialog box, set all the pertinent scheduling information, then click Add.

The service request is added to the Schedule List (displayed in the upper pane).

Step 8 Click Next twice, then click Close.

Note You can also deploy service requests from the Provisioning menu available from the All VPN Service Requests Report. See the "Performing a Customized Service Request Deployment" section.

Viewing Audit Reports

Before you view the audit reports, you must first generate the audit reports.

Step 1 From the VPN Console menu, choose Auditing > Generate Service Request Audit Reports.

Step 2 Follow the wizard.

To view the audit reports, follow these steps:

Step 3 From the VPN Console menu, choose Auditing > View Latest Audit Reports.

The Cisco VPN Solutions Center Service Request Audit Reports window appears in the Netscape browser.

Figure 5-23: Service Request Audit Reports Window

The Service Request Audit Reports window provides two options:

Audit Reports for VPNs
Audit Reports for Provider Administrative Domains

Step 4 Select the type of audit reports you want to view.

If You Require a Java Plug-in to Proceed

When you select one of the audit report links, you may receive a message that the page contains information that can be viewed only with the appropriate plug-in.

Step 1 Click OK to proceed with downloading the required Java plug-in.

The Java Plug-in Download Page appears.

Step 2 Click the link for the plug-in for your Solaris platform to download the plug-in to your VPNSC: MPLS Solution workstation.

Note You may need to register with Sun Microsystem's Java Plug-in service to complete the download procedure.

Step 3 Install the Java plug-in for and return to the Service Request Audit Reports window.

Checking Service Request Deployment Details

Once you have created and queued a service request, you can discover the details about its deployment. You can view the configlet generated for the service request. If the service request failed, you can discover why it failed by using the Service Request Audit report. For detailed troubleshooting information, refer to "VPNSC: MPLS Solution Troubleshooting Guide."

Step 1 To check service request details, choose Provisioning>List All Service Requests.

The All VPN Service Requests Report appears (see Figure 5-24).

Figure 5-24: All VPN Service Requests Report

This report provides the following information:

Service request ID number
Type of request
Current state

: If the current state is either Deployed or Functional, the service request is deployed.

Names of the PE and CE router the service is for
Customer name
VPN name
Time and date the service request was created
Time and date when the service was last changed

Step 2 Select the service request you want detailed information on.

Step 3 Click Request Details.

The Service Request Details Report appears (see Figure 5-25).

Figure 5-25: Service Request Details Report

Step 4 To view the configlets generated for the selected service request, click Configlets. The report shown in Figure 5-26 appears.

Figure 5-26: Service Request Configlets Report

To return to the Service Request Detail Report, click Back.

Step 5 To see the detailed audit details for the selected service request, click Audit Details from the Service Request Details Report.

Figure 5-27: Audit Details Report

To return to the Service Request Detail Report, click Back.

Modifying an Existing Service

A service request is an instance of service contract between a CE and a PE. You can modify this service by creating a new service request. When you do so, VPNSC: MPLS Solution creates a new service request with a new ID. (The service request ID is displayed in the first column in the All VPN Service Requests Report as shown in Figure 5-29). The new service request subsumes the earlier one and becomes the current service request.

When you modify a service request, you can modify the settings for the PE-CE link, except for the CE and the PE themselves. This procedure takes through the same wizard as described in the "Adding a Service for a PE-CE Link" section, except that the settings are based on the service request's current values.

To modify a service, follow these steps:

Step 1 Choose Provisioning>List all Service Requests.

The All VPN Service Requests Report appears.

Note In the dialog boxes in this procedure, the fields display the settings for the current service request.

Step 2 Click the Provisioning button (at the bottom of the Report window).

Step 3 From the drop-down menu, select Modify VPN Service.

The Modify Existing VPN Service wizard appears. The first window provides a message like this:

This wizard submits a new service request to modify the VPN service between the PE "PE_name" and the CE "CE_name" (specified in service request ID_number). The new service request replaces service request ID_number.

Click Next.

Step 4 Select the VPN and specify the VPN topology. For details, see the "Defining CERC Membership and Joining the Management VPN" section.

Step 5 Choose the routing protocol for the PE-CE link.

The routing protocol you choose must run on both the PE and the CE. For details on each of the options for the routing protocols, see the "Choosing the Routing Protocol for the Link" section.

Step 6 If protocol redistribution is not required on this link, click Next.

If necessary, specify the routing protocols that must be redistributed from the CE. For details, see the "Specifying Redistributed Protocols on the Link" section.

Step 7 Define the interfaces for the PE-CE link. For details, see the "Defining the Interfaces on the PE-CE Link" section.

Step 8 Choose an IP addressing scheme for the PE and CE.

For details, see the "Choosing an IP Addressing Scheme" section.

When finished, click Next.

Step 9 If desired, select a Class of Service (CoS) profile to assign to the PE-CE link.

Class of Service profiles are applied to the Provider Edge Router (PE), but the CoS definition is enforced across the PE-CE link on both the PE and CE.

create a Class of Service (CoS) profile when you define the Provider Administrative Domain. For information on creating a CoS Profile, see the "Defining a Class of Service Profile" section. For a discussion on the Class of Service feature, see the "Quality of Service and Class of Service" section.

The product displays a summary of all the service settings defined for this VPN.

Step 10 Verify that the service request information is correct, then click Next.

The wizard displays the following message:

Your request to "Modify Existing VPN Service" has been submitted with ID number n. This replaces existing service request. This service request can be deployed by using the "Deploy VPN Service Requests" wizard or by using the "Deploy VPN Service" item under the "Provisioning" option of a VPN service request report.

Step 11 Press Close.

You have now queued a service request. It is entered into the product database and is in the state "Requested."

Removing a Service

When you remove a service, VPNSC: MPLS Solution replaces the old service request with a new one whose purpose is to remove the pertinent commands from the PE and CE router configuration files. The new service request will be in Requested state, and you should deploy it normally.

Deploying a "Remove VPN Service" request deletes individual commands from the PE and CE configuration files, which were put there by the original provisioning request, and are not in use by any other service or feature in the router configuration.

To ensure that the service removal is safe requires that not all commands that were provisioned are removed. In cases where the product cannot know whether a provisioned command is being used for some other purpose, the command is not removed. Examples of router commands not removed for a "Remove VPN Service" request include routing protocols created during service provisioning, such as BGP or RIP. These are not removed from the router's configuration file, although some of their subcommands are removed when they support only the original service request.

To remove a service, follow these steps:

Step 1 From the VPN Console, choose Provisioning > List All Service Requests.

The All VPN Service Requests Report appears.

Step 2 From the Service Request Provisioning menu (at the bottom of the window), click Provisioning as shown in Figure 5-28.

Figure 5-28: Service Request Provisioning Menu

Step 3 Choose Remove VPN Service.

You receive this warning message:

This will submit a new service request to remove the VPN service between the PE and CE. New configlets will be generated with the appropriate "no" commands to remove the VPN service. Service Request n to Add VPN Service will no longer be active. Do you want to continue?

Step 4 Click Yes to proceed, or No to cancel the Remove operation.

If you click Yes, you receive the following message:

A new service request has been submitted to remove the VPN service specified in service request n.

Step 5 Click OK.

Purging a Closed Service from the Database

VPNSC: MPLS Solution software does not automatically remove closed service requests from the Repository (in case you may need them for your records). But keeping closed service requests can be a waste of disk space, therefore, the VPNSC software provides a way to purge obsolete request data from the Repository.

To purge closed service requests from the Repository, follow these steps:

Step 1 If you have not already done so, remove the obsolete services as described in the previous section, "Removing a Service."

Step 2 From the VPN Console, choose Provisioning > Purge Closed Requests from Database.

You receive the following Delete Confirmation prompt:

All closed service requests will be removed from the database. To get a request into the closed state, go to the request report and use the "Remove VPN Service" option on the Provisioning menu.

Do you want to purge closed requests now?

Step 3 If you wish to proceed, click Yes.

If you wish to cancel the purge operation, click No.

Performing a Customized Service Request Deployment

The procedure to perform a customized service request deployment deploys the service request immediately. This customized deployment does not perform an audit, nor does it allow you to schedule the audit.

Step 1 From the VPN Console, choose Provisioning>List All Service Requests.

The All VPN Service Requests Report appears.

Figure 5-29: All VPN Service Requests Report

Step 2 Select the service request you want to deploy.

Step 3 From the Provisioning menu at the bottom of the window, click Provisioning.

The Service Request Provisioning drop-down menu appears.

Figure 5-30: Service Request Provisioning Menu

Step 4 From the drop-down menu, choose Deploy VPN Service.

The following message is displayed:

This will deploy the selected VPN service request now. Do you want to continue?

Step 5 Click Yes.

The selected service request is Deployed and placed in the Pending state.

Performing a Customized Audit

VPNSC: MPLS Solution software performs a basic audit (Audit New Service Request) by default each time you deploy a service request as described in the "Deploying a VPN Service" section. You need only schedule the audit separately as described in this section if you want to run it more frequently or if you customized audits.

When a service request moves beyond the control of the Provisioning system, the Auditor for VPNSC: MPLS Solution takes control. The Auditor is a mechanism that monitors and reports the current state of a VPN service request over its lifetime. The lifetime of a VPN service request spans from the Requested state to the Closed state. The Auditor also provides the reasons why the service request is in its current state. The Auditor saves the state transition (if any) into the VPN Inventory Repository.

After you populate targets (PEs and CEs) and the directory Repository, prior to any other steps, you must collect router configuration files to audit the services provisioned by MPLS VPN Solution.

Setting Up Routers for Collecting Configuration Files

The basic audit (Audit New Service Requests) does collect the configuration files. You need only set up the routers as described in this section if you are performing a customized audit procedure. This ensures that you have the most current version of the configuration files for the audit procedure.

To set up routers for collecting router configuration files, be sure to implement the following requirements:

Set the csm.properties file for a customized router prompt

: The csm.properties file is in the /opt/vpnadm/vpn/etc directory.

Set up the Domain Name server

Setting the csm.properties File for Customized Router Prompt

When setting up configuration file collection from routers, be sure that all the routers have the same prompts as in the csm.properties file for netsys.router.loginprompt and netsys.router.passwordprompt. The default values match the default values on Cisco routers. They are as follows:

netsys.router.loginprompt = Username:

netsys.router.passwordprompt = Password:

If you use nonstandard router prompts in the csm.properties file, be sure you set the same values for all the routers from which you collect information.

Setting Up the Domain Name Server

For the collection module of MPLS VPN Solution, enable or disable the Domain Name Server (DNS) on the routers. If DNS is not properly configured on the routers, collections fail due to a time-out.

Note Enabling DNS causes DNS to handle the name resolution. Otherwise, name resolution is handled by the routers.

Enabling DNS

To enable DNS, enter the following commands on the router:

ip domain-lookup

ip name-server a.b.c.d

where a.b.c.d is a valid Domain Name server.

Disabling DNS

To disable DNS, it is important to enter the following command on all routers:

no ip domain-lookup

Configuring the SNMP Settings on the PEs and CEs

To determine whether SNMP is enabled and set the SNMP community strings, execute the following steps for each PE and CE in the service provider network:

Step
Command
Description or Task

1
> telnet routername

routername is the name of the router you are checking.

2
Router> enable

Router> enable-password

Enter enable mode and enter the enable password.

3
Router# show snmp

4

Check the output to see whether the following command is present: SNMP agent not enabled

5
Router# configure terminal

Enter global configuration mode. You can also abbreviate the command to config t.

6
Router(config)# snmp-server community userstring RO

Set the community read-only string.

7
Router(config)# snmp-server community userstring RW

Set the community read-write string

8
Router(config)# Ctrl+Z

Return to privileged Exec mode.

9
Router# copy running startup

Save the configuration changes to NVRAM.

Step	Command	Description or Task
1	`>` telnet routername	routername is the name of the router you are checking.
2	`Router>` enable `Router>` enable-password	Enter enable mode and enter the enable password.
3	`Router#` show snmp
4		Check the output to see whether the following command is present: SNMP agent not enabled
5	`Router#` configure terminal	Enter global configuration mode. You can also abbreviate the command to config t.
6	`Router(config)#` snmp-server community userstring RO	Set the community read-only string.
7	`Router(config)#` snmp-server community userstring RW	Set the community read-write string
8	`Router(config)#` Ctrl+Z	Return to privileged Exec mode.
9	`Router#` copy running startup	Save the configuration changes to NVRAM.

Collecting Router Configuration Files

To start collecting router configuration files, follow these steps:

Step 1 From the VPN Console, choose Monitoring>Collect Router Configuration Files.

The introductory panel displays the following information:

This wizard sets up a scheduled task that collects Cisco router configuration files directly from the selected routers. It also allows you to import Cisco router configuration files from a directory.

You can collect additional information, including router types, Frame Relay/ATM PVC information, and IP unnumbered connectivity information.

Click Next.

Figure 5-31: Specifying Configuration File Collection Method

Step 2 In this dialog box, select one of the following ways of collecting information:

Live Collection of Router Configuration

: This task performs a Telnet operation to the routers to collect the running configuration of each router.

Importing Router Configuration from Files

: This task imports collected configuration files that exist in a directory.

Live Collection of Router Configuration Files

To start the live collection of router configuration files, follow these steps:

Step 1 Choose Live Collection of Router Configuration Files.

Step 2 Click the Selection drop-down menu to choose a specific network.

As shown in Figure 5-32, all the router names in this network appear in the upper pane. If you want to sort the information, click on the column header for which you want to sort.

Figure 5-32: Collecting Router Configuration Files

Step 3 Select the routers from the upper pane that you want to collect router configuration data from, then click Add. You can select all the routers listed by clicking Add All.

Your selections appear in the lower pane.

Note You can remove one or more of the routers selected in the bottom pane by selecting specific routers and clicking Remove or Remove All.

Step 4 When the lower pane includes all the devices from which router configuration data is to be collected, click Next.

Step 5 I n the next dialog box, you can choose the Mask passwords in collected files option. This allows you to place a group of x marks in the router's password field to mask the actual characters that are typed in the field. Click Next.

Step 6 In the next dialog box, provide a unique task name, then click Next.

Step 7 In the next dialog box, you can schedule the task by selecting the Yes radio button and clicking Next.

Step 8 If you chose to schedule the task, in the next dialog box choose the frequency with which you want to schedule the auditing: Once, Hourly, Daily, Weekly, Monthly, or Yearly.

For detailed information about scheduling, refer to Chapter 12, "Scheduling," in the Cisco VPN Solutions Center: MPLS Solution User Reference.

Step 9 In this next dialog box, click Next to save the auditing collection task. If you chose to schedule the auditing collection task, that will also occur when you click Next.

You are informed that all steps are done.

Step 10 Click Close to close the wizard.

Importing Router Configurations from Files

To start importing router configurations from a file, follow these steps after completing the steps in the previous section.

Note All files in the directory must be configuration files. Each filename must be the same as the name of the router to be imported, including the use of a domain name, if it exists.

Step 1 From the VPN Console, choose Monitoring>Collect Router Configuration Files.

The introductory panel displays the following information:

This wizard sets up a scheduled task that collects Cisco router configuration files directly from the selected routers. It also allows you to import Cisco router configuration files from a directory.

Click Next.

Figure 5-33: Specifying Configuration File Collection Method

Step 2 In this dialog box, choose Import Router Configuration from Files, then click Next.

This task imports the configuration files that exist in a specified directory.

Step 3 Enter the name of the directory that has the configuration files that you want to import, then click Next.

Step 4 In the next dialog box, select the name of the service provider network, then click Next.

Step 5 In the next dialog box, enter a unique task name, then click Next.

Step 6 In the next dialog box, schedule the task by selecting the Yes radio button and clicking Next.

Step 7 In the next dialog box, click Next to save the auditing collection task.

You are informed that all steps are done.

Step 8 Click Close to close the wizard.

Generating Audit Reports

After you have followed the steps in the section "Collecting Router Configuration Files," you can follow these steps to start generating Audit reports:

Step 1 From the VPN Console, choose Auditing > Generate Service Request Audit Reports.

The introductory panel in the Generate Service Request Audit Reports wizard appears.

Then click Next.

Figure 5-34: Choosing the Type of Audit

Step 2 In this dialog box, select the types of service requests you wish to be audited:

Audit new service requests

: A required audit. The Audit new service requests option is the mechanism required to pass the service request from the Pending state to a Deployed (or a failed state if there is a problem). The successful passing of this audit liberates the provisioning system from reconsidering this service request, thus lessening system overhead.

Audit existing service requests

: A surveillance audit. The Audit existing service requests option tests whether there is a state change to an already operational or nonoperational service request.

Use VPN routing information during audits

: When you choose this option, the Auditor audits the VPN routing information, which provides a dynamic verification of a service request.

Note Before using the Use VPN routing information during audits option, you must collect the VPN routing information. For information on collecting VPN routing information, refer to "Collect VPN Routing Information" in Chapter 9 of the Cisco VPN Solutions Center: MPLS Solution User Reference.

Then click Next.

Step 3 In the next dialog box, provide a unique task name, then click Next.

Step 4 In the next dialog box, you can choose to whether you want to schedule the auditing task by selecting the Yes or No radio buttons.

If you select No, you can schedule the auditing task later.

Step 5 If you chose to schedule the auditing task, in the next dialog box choose the frequency with which you want to schedule the auditing: Once, Hourly, Daily, Weekly, Monthly, or Yearly.

Step 6 When the scheduling information is set to your satisfaction, click Add.

As shown in Figure 5-35, the information you entered is added to the Schedule List in the upper pane.

Figure 5-35: Scheduling Configuration File Collection

Step 7 In this next dialog box, click Next to save the auditing collection task. If you chose to schedule the auditing task, that will also occur when you click Next.

You are informed that all the steps for the task are done.

Step 8 Click Next, then click Close to close the wizard.

Using the Task Manager

VPNSC provides a Task Manager that allows you to view pertinent information about both current and expired provisioning tasks, as well as create and schedule tasks, delete specified tasks, and delete the expired tasks.

To bring up the Task Manager, choose Tools > Tasks from the VPN Console menu.

The Task Manager window appears (see Figure 5-36).

Figure 5-36: The Task Manager Window

The Task Manager window provides information on each task by name, including the task type, the date when the task was last modified, the VPNSC username, schedule summary information, and its current status—expired or active.

From the Actions menu (shown in Figure 5-37), you can execute all the necessary task-related functions:

Figure 5-37: The Task Manager Actions Menu

Creating a New Task

Step 1 From the VPN Console, choose Tools > Tasks. The Task Manager window appears.

Step 2 To create a new task, choose Actions > New Task from the Task Manager menu.

The Task Chooser appears (see Figure 5-38).

Figure 5-38: The Task Chooser

Step 3 From the Task List, choose the task you want to execute and press OK.

Step 4 Complete the task wizard as required.

Deleting a Task

When you delete a task through the Task Manager, you delete both the persistent and the scheduled tasks.VPNSC removes the task from the Task Repository and updates the task logs (see also the "Deleting Task Logs" section).

To delete one or more tasks, do the following:

Step 1 From the VPN Console, choose Tools > Tasks. The Task Manager window appears.

Step 2 In the Task Manager window, select one or more tasks to delete.

Step 3 Choose Actions > Delete Task.

You are asked to confirm the deletion request:

You have selected to delete n task(s) from the Repository. Do you want to continue?

Step 4 To delete the selected tasks, click Continue.

You can also cancel the operation at this point by clicking Cancel.

VPNSC deletes the selected tasks and redisplays the current list of tasks in the Task Manager window.

Deleting Expired Tasks

To delete tasks that have expired, follow these steps:

Step 1 From the VPN Console, choose Tools > Tasks. The Task Manager window appears.

Step 2 From the Task Manager, choose Actions > Delete Expired.

You are asked to confirm the deletion request:

You have selected to delete the expired tasks from the Repository. Do you want to continue?

Step 3 To delete the expired tasks, click Continue.

You can also cancel the operation at this point by clicking Cancel.

VPNSC deletes the expired tasks and redisplays the current list of tasks in the Task Manager window.

Scheduling a Task

The VPNSC Task Manager allows you to schedule a selected task. To schedule a task, follow these steps:

Step 1 From the VPN Console, choose Tools > Tasks. The Task Manager window appears.

Step 2 Scroll through the Task Manager window to select the task you want to schedule.

Step 3 From the Task Manager, choose Actions > Schedule.

The Scheduler dialog box appears.

Figure 5-39: The Scheduler Dialog Box

Step 4 Set the task frequency, start time, and dates in the Schedule Information area.

Step 5 When the schedule information is set, click Add.

The task is added to the Schedule List area.

Step 6 Click Apply, then click OK.

The task is added to the VPNSC task queue; it will begin executing on the date and time specified.

Using the Task Logs

To access the VPNSC task logs, do the following:

Step 1 From the VPN Console, choose Tools > Task Logs.

VPNSC starts the browser and displays the Task Logs window. The tasks are listed in order of the task start time; the task with the latest start time is listed at the top of list, and the task with the earliest start time is listed at the bottom of the list.

Notice the Logs column in Figure 5-40, which provides a Log link for every task listed.

Figure 5-40: Viewing the List of Tasks

The task logs are displayed in sets of 10 logs per page. To jump to the next page of task logs, click the Next link (in the upper left corner of the task logs table).

The next page of task logs provides a Previous link so you can jump to the previous page of task logs, as shown in Figure 5-41.

Figure 5-41: Jumping to the Next and Previous Pages of Task Logs

When there are task log pages above and below the current position, the task logs page provides both Next and Previous links so you can navigate efficiently through multiple pages.

Step 2 Scroll to the name of the task whose log you want to view, then click the corresponding Log link on that row.

The status report for the selected task appears in the lower left pane, as shown in Figure 5-42.

Figure 5-42: Displaying the Task Status

The status pane shows the following information for the selected task:

Task status summary

: The possible task status summary states can be any one of the following: Task Completed Successfully, Running, Task Terminated, or Task Completed with n Errors.

Start time
End time
All the actions under the currently selected task
Start time and end time for all the actions

Viewing a Task Action Log

Step 3 To see an Action log for the selected action, click the link displayed under the Actions heading.

The Action log appears in the lower right pane (see Figure 5-43).

For example, for the task shown, Deploy_VPN_19, there is only one action—"Deploy Service Request." (Some tasks have more than one action listed.)

To view the action report for the action "Deploy Service Request" for task "Deploy_VPN_19," click the DeployServiceRequest link.

Figure 5-43: The Task Action Report

Viewing the Standard Output/Standard Error Log

Step 4 To view the standard output and error logs for the selected task, click the Stdout/Stderr link.

The Standard Output and Error log appears in the lower right pane (see Figure 5-44).

Figure 5-44: Standard Output and Error Logs

Viewing the Task Log Error Report

Step 5 To view the Error Report for the selected task log, click the Errors link.

The Task Log Error Report appears in the lower right pane (see Figure 5-45).

Figure 5-45: Task Log Error Report

Viewing Debug Messages

When you check the Show Debug Messages checkbox, you can view in the task logs any debug messages that were generated.

Deleting Task Logs

To save disk space, you can delete task logs when they become obsolete. When you delete a task from the task logs, you delete the run-time task and the logs associated with the task.

Tips We recommend that you delete no more than 10 task logs at a time.
When you have a large number of tasks and would like to delete the oldest logs, you may find it more convenient to click the Show All button. Show All displays all the tasks in one page, so if you have a large number of tasks in the Repository, the browser often takes a long time to display all of the tasks. But the advantage to this procedure is that you can delete the oldest logs (which would be the last set of tasks in the list), rather than having to click Next many times to reach the last page of logs.

To delete task logs, follow these steps:

Step 1 From the VPN Console, choose Tools > Task Logs.

VPNSC starts the browser and displays the Task Logs window. Notice the Delete column (the rightmost column in the Task Logs window) as shown in Figure 5-46.

The tasks are listed in order of the task start time; the task with the latest start time is listed at the top of list, and the task with the earliest start time is listed at the bottom of the list.

Figure 5-46: The Task Logs Window

Step 2 Check the Delete check box for each task log you want to delete.

a. To mark all the tasks in the current page for deletion, click Check All.

: When you click Check All, all the tasks on the current page are checked—not all the tasks in the Repository. Thus, when you click Check All, then click Delete, the application deletes only the tasks in the current page.

b. To clear all the check boxes in the current page, click Clear All.

Step 3 When you have indicated which task logs are to be deleted, click Delete.

The VPNSC software deletes the selected task logs and redisplays the Task Logs window.

Table of Contents

Defining and Deploying MPLS VPN Service Requests

Selecting a Customer Edge Router (CE)

Selecting the Provider Edge Router (PE)

Selecting a Class of Service Profile for the PE-CE Link

Confirming the VPN Service Settings