This chapter provides a conceptual summary of the MPLS VPN Cable feature as implemented through the VPN Solutions software. It also describes how to use VPN Solutions software to provision cable services. The main topics presented in this chapter are as follows:
As shown in Figure 8-1, each ISP moves traffic to and from a subscriber's PC, through the MSO's physical network infrastructure, to the ISP's network. MPLS VPNs, created in Layer 3, provide privacy and security by constraining the distribution of a VPN's routes only to the routers that belong to its network. Thus, each ISP's VPN is insulated from other ISPs that use the same MSO infrastructure.
In the MPLS-based cable scheme, a VPN is a private network built over a shared cable plant and MPLS-core backbone. The public network is the shared cable plant or backbone connection points. A cable plant can support Internet access services and carry traffic for an MSO and its subscribers, as well as for multiple Internet Service Providers (ISPs) and their subscribers.
An MPLS VPN assigns a unique VPN Routing/Forwarding (VRF) instance to each VPN. A VRF instance consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine the contents of the forwarding table.
Each PE router maintains one or more VRF tables. If a packet arrives directly through an interface associated with a particular VRF, the PE looks up the packet's IP destination address in the appropriate VRF table. MPLS VPNs use a combination of BGP and IP address resolution to ensure security.

The routers in the cable network are as follows:
The shared cable plant supports Internet connectivity from ISP A to its subscribers and from ISP B to its subscribers.
As shown in Figure 8-1, the management VPN is comprised of the network management subnet (where the VPN Solutions Center workstation resides), which is directly connected to the Management CE (MCE). The management VPN is a special VPN for the MCE and the cable VPN gateway. The cable VPN gateway is usually a Cisco uBR 72xx router that functions as both a regular PE and a Management PE. Notice that there is also a parallel IPv4 link between the MCE and the MPE.
Cable VPN configuration involves the following:
Note: Cisco recommends that the MSO assign all addresses to the end user devices and gateway interfaces. The MSO can also use split management to let the ISP configure tunnels and security.
To configure MPLS VPNs for cable services, the MSO must configure the following:
Tips: When configuring MPLS VPNs for cable services, you must configure the cable maintenance subinterface on the PE. The cable maintenance interface is the means by which the cable device retrieves its own IP address. For this reason, the maintenance subinterface must be configured before cable services provisioning can take place. See the "Provisioning the Cable Maintenance Subinterface" section.
The ISP must determine the secondary IP address range. The secondary IP address is the ISP's address range for its subscriber PCs.
To reduce security breaches and differentiate DHCP requests from cable modems in VPNs or under specific ISP management, MSOs can use the cable helper-address command in Cisco IOS software. The MSO can specify the host IP address to be accessible only in the ISP's VPN. This lets the ISP use its DHCP server to allocate IP addresses. The cable modem IP address must be accessible from the management VPN.
In VPN Solutions Center 1.2 software, you specify the maintenance helper address (see the "Specifying the Cable Maintenance Helper Address" section), and the host helper address and the secondary addresses for the cable subinterface (see the "Specifying the Cable Helper Addresses" section).
In the cable subscriber environment, several thousand subscribers share a single physical interface. Configurations with multiple logical subinterfaces are a vital part of the MPLS VPN network over cable. You can configure multiple subinterfaces and associate a specific VRF with each subinterface. You can split a single physical interface (the cable plant) into multiple subinterfaces, where each subinterface is associated with a specific VRF. Each ISP requires access on a physical interface and is given its own subinterface. The MSO administrator can define subinterfaces on a cable physical interface and assign Layer 3 configurations to each subinterface.
The MPLS VPN approach of creating VPNs for individual ISPs or customers requires subinterfaces to be configured on the cable interface. One subinterface is required for each ISP. The subinterfaces are tied to the VPN Routing/Forwarding (VRF) tables for their respective ISPs.
You must create the maintenance subinterface on the cable interface and tie it to the management VPN. The maintenance interface is for the ISP's use, and it is used for VPN connectivity as well as for the management VPN, using an extranet between the ISP and the management VPN (for details, see the "Provisioning the Cable Maintenance Subinterface" section).
The network management subnet (which includes the CNR, ToD, and VPN Solutions Center) can reply to the cable modem because the management VPN allows connectivity for one filtered route from the ISP's VPN to the Management CE (MCE). Similarly, in order to forward the management requests (such as DHCP renewal to CNR), the ISP VPN must import a route to the MCE in the management VPN.
Cisco uBR7200 series software supports the definition of logical network layer interfaces over a cable physical interface. The system supports subinterface creation on a physical cable interface.
Subinterfaces allow traffic to be differentiated on a single physical interface and associated with multiple VPNs. Each ISP requires access on a physical interface and is given its own subinterface. Because each subinterface is associated with a specific VPN (and therefore ISP), subscribers connect to the logical subinterface that reflects the ISP that provides their subscribed services. Once properly configured, subscriber traffic enters the appropriate subinterface and VPN.
The tasks you must complete to provision cable services in VPN Solutions Center software are as follows:
When using the VPN Solutions Center to provision cable services, there are no CEs in the same sense as there are when provisioning a standard MPLS VPN. Thus, you must create an unmanaged cable-CE that "stands in" for a CE in the provisioning process. You need to define only one cable-CE per customer site.
To create a cable-CE in VPN Solutions Center software, follow these steps.

Step 2 From the Network window, choose Actions > New Target. The New Target dialog box appears (see Figure 8-3).

Step 3 Complete the fields displayed in the General tab. You do not need to complete the fields in the Passwords and IP Addresses tabs.
a. In the Target Name field, enter the name of the cable-CE.
b. In the Domain field, enter the name of a nonexistent domain.
c. Though optional, we recommend that you enter any pertinent information about the cable-CE.
d. Click OK.
Step 4 In the VPN Console, open the VPN Customers folder.
Step 5 Select the appropriate customer, then to display the list of sites for that customer, open the customer icon.
Step 6 Double-click the customer site where you want to place the cable-CE. The Edit Customer Site dialog box appears (see Figure 8-4).

Step 7 In the Edit Customer Site dialog box, click Add.
The Add Customer Edge Routers dialog box appears. Figure 8-5 shows only the lower portion of this dialog box.

Step 8 In the Add Customer Edge Routers dialog box, do the following:
a. From the list of devices displayed, select the name of the cable-CE.
b. A cable-CE must be an unmanaged CE, so be sure that the This customer edge router is managed by the provider check box is not checked.
c. Choose the No SA Agent option.
Note: Do not choose either of the Management LAN options.
d. When finished, click OK.
This procedure assumes that the PE configuration files that define the cable maintenance interfaces have been imported into VPN Solutions Center. For a description of this procedure, see the "Importing Router Configuration Files" section.
To set up the cable maintenance subinterface on the PE, follow these steps:
When configuring a service for a cable link, the specified CE should be an unmanaged CE.
Step 2 Click Next. The Select CE dialog box appears (see Figure 8-6).

Step 3 From the Select CE dialog box, do the following:
a. From the Customer drop-down list, select the appropriate customer.
b. From the Site drop-down list, select the appropriate site.
c. From the CE Routers list, select the name of the cable-CE.
d. Click Next. The Select PE dialog box appears (see Figure 8-7).

Step 2 From the Provider drop-down list, select the appropriate provider name.
Step 3 From the Region drop-down list, select the appropriate region.
Step 4 From the PE Routers list, select the PE.
Step 5 When finished entering the necessary information, click Next. The Select VPN dialog box appears (see Figure 8-8).

The most common types of VPNs are hub-and-spoke and full mesh. These two basic types of VPNs, full mesh and hub and spoke, can be represented with a single CERC.
For additional information on CE routing communities, see the "CE Routing Communities" section and the "Defining CE Routing Communities" section.
Step 2 If you are building a VPN with a hub-and-spoke topology, check the Join as Spoke check box.
Step 3 If you are building a VPN with CEs that are members of multiple VPNs (extranets), check the Advanced setup required check box.
Extranet provisioning provides a way to create multiple VPN connectivity to a single VRF.
Step 4 When provisioning a cable service maintenance interface, joining the management VPN is required. Therefore, check the Join the management VPN check box. For more information on the management VPN and VPN Solutions Center software, see the "Implementing the Management VPN Technique" section.
When you use the VPNSC: MPLS Solution software to define a management VPN, the software automatically generates an export route map for the management VPN.
Step 5 When finished entering the necessary information, click Next. The Select Routing Policy dialog box appears (see Figure 8-9).

Step 2 If you want to distribute static routes into the provider core network (which runs BGP), check the Redistribute Static (BGP only) check box.
Step 4 When finished entering the necessary information, click Next. The Select PE-CE Interface dialog box appears (see Figure 8-10).
You can now specify the interface on the PE that will host the cable maintenance subinterface.

Step 2 Select the interface on the PE that hosts the cable maintenance subinterface.
The encapsulation method is set to Default for the cable interface.
Step 3 Enable the Shutdown PE Interface option if desired:
When you check the Shutdown PE Interface checkbox, the specified PE interface will be configured in a shut down state.
Step 4 Be sure to check the Selected interface is a maintenance interface check box.
Checking this option provisions the cable maintenance interface; this interface is always configured as subinterface 1 (for example, if the selected cable interface is 3/0, the maintenance subinterface is 3/0.1).
Step 5 When finished with these settings, click Next. The Select Cable Parameters dialog box appears (see Figure 8-11).
The maintenance helper address is the IP address of the DHCP server in the Multiple Service Operator (MSO) network.
In the fields provided for the Maintenance Helper address, enter the appropriate IP address, then click Next.

The Select IP Addresses dialog box appears (see Figure 8-12).
In the Select IP Addresses dialog box, you must specify the IP address for the cable maintenance subinterface on the PE.

The IP Numbered with Extra CE Loopback option is not a viable option in a cable services configuration.
Step 2 In the PE Interface fields, enter the IP addresses on the PE for the cable maintenance subinterface.
Note: The IP address entered here must be different from the IP address entered for the cable subinterface. To be reachable, each subinterface must have its own IP address.
You do not need to enter an IP address for the CE interface.
Step 3 When finished entering the necessary information, click Next. The Select VRF Parameters dialog box appears (see Figure 8-13).
The Select VRF Parameters dialog box lets you set values for an import route map and the maximum number of routes in the VRF table. You can also enable NetFlow accounting.

Note: The Cisco IOS supports only one import route map per VRF (and therefore, per VPN).
An import route map applies a filter. Therefore, if you want to exclude a particular route from the VRF on this PE, you can either set an export route map on the sending router to make sure it does not have any route targets that can be imported into the current VRF, or create an import route map on this PE to exclude the route.
For command reference details on the import map command, see the "import map" section.
Step 2 In the Maximum Routes field, specify the maximum number of routes that can be imported into the VRF on this PE.
Step 3 To enable NetFlow accounting, check the Turn on NetFlow accounting checkbox.
For more information, see the "NetFlow Collector and VPNSC: MPLS Solution Software" section and the "MPLS VPN NetFlow Accounting" section.
Step 4 When you have completed the fields as necessary in the Specify VRF Parameters dialog box, click Next. The Class of Service (CoS) dialog box appears.
You can create a Class of Service (CoS) profile when you define the Provider Administrative Domain. For information on creating a CoS Profile, see the "Defining a Class of Service Profile" section. For a discussion on the Class of Service feature, see the "Quality of Service and Class of Service" section.
Class of Service profiles are applied to the Provider Edge Router (PE), but the CoS definition is enforced across the PE-CE link on both the PE and CE.
Step 2 Click Next. The Confirm dialog box appears (see Figure 8-14).
VPN Solutions Center displays a summary of settings defined for this cable services VPN.

Your request to "Add VPN Service to CE" has been submitted with ID number n. This service request can be deployed by using the "Deploy Service Requests" wizard or by using the "Deploy VPN Service" item under the "Provisioning" option of a VPN service request report.
Step 2 Press Close. You have now queued a service request. It is entered into the product database and is in the initial state of "Requested."
To provision the cable link, follow these steps:
Step 2 Click Next. The Select CE dialog box appears (see Figure 8-15).

Step 3 From the Select CE dialog box, do the following:
a. From the Customer drop-down list, select the appropriate customer.
b. From the Site drop-down list, select the appropriate site.
c. From the CE Routers list, select the name of the cable-CE.
Note: When configuring a service for a cable link, the specified CE should be an unmanaged CE.
d. Click Next. The Select PE dialog box appears (see Figure 8-16).

Step 2 From the Provider drop-down list, select the appropriate provider name.
Step 3 From the Region drop-down list, select the appropriate region.
Step 4 From the PE Routers list, select the PE.
Step 5 When finished entering the necessary information, click Next. The Select VPN dialog box appears (see Figure 8-17).

The most common types of VPNs are hub-and-spoke and full mesh. These two basic types of VPNs, full mesh and hub and spoke, can be represented with a single CERC.
For additional information on CE routing communities, see the "CE Routing Communities" section and the "Defining CE Routing Communities" section.
Step 2 If you are building a VPN with a hub-and-spoke topology, check the Join as Spoke check box.
Step 3 If you are building a VPN with CEs that are members of multiple VPNs (extranets), check the Advanced setup required check box.
Extranet provisioning provides a way to create multiple VPN connectivity to a single VRF.
Step 4 When provisioning a cable service, we recommend that you check the Join the management VPN check box. For more information, see the "Implementing the Management VPN Technique" section.
When you use the VPNSC: MPLS Solution software to define a management VPN, the software automatically generates an export route map for the management VPN.
Step 5 When finished entering the necessary information, click Next. The Select Routing Policy dialog box appears (see Figure 8-18).

Step 2 If you want to distribute static routes into the provider core network (which runs BGP), check the Redistribute Static (BGP only) check box.
Step 4 When finished entering the necessary information, click Next. The Select PE-CE Interface dialog box appears (see Figure 8-19).
You can now specify the interface on the PE that will host the cable subinterface.

Step 2 Select the interface on the PE that hosts the cable subinterface.
Tips: Be sure to select the same interface that you chose for the maintenance subinterface. For example, if you chose Cable 3/0 for the maintenance subinterface, choose Cable 3/0 here as well.
The encapsulation method is set to Default for the cable interface.
Step 3 Enable the Shutdown PE Interface option if desired:
When you check the Shutdown PE Interface checkbox, the specified PE interface will be configured in a shut down state.
Step 4 Be sure not to check the Selected interface is a maintenance interface check box.
You should enable this option only when you want to provision the cable maintenance interface.
Step 5 When finished with these settings, click Next. The Select Cable Parameters dialog box appears (see Figure 8-20).
In this Select Cable Parameters dialog box, you must specify the Modem Helper address and the Host Helper address. You can also specify secondary addresses.

Step 2 In the Host Helper fields, enter the host helper IP address.
Step 3 If necessary, enter a secondary address.
a. Click Add.

b. In the IP Address fields, enter the secondary IP address, then click Add.
c. If the address is correct, click OK.
d. Click Next. The Select IP Addresses dialog box appears (see Figure 8-22).
In the Select IP Addresses dialog box, you must specify the IP address for the cable subinterface on the PE.
If two or more cable modems belong to a particular ISP, the cable modems are connected to the same subnet on the PE, and that subnet is in the ISP's VPN.

The IP Numbered with Extra CE Loopback option is not a viable option in a cable services configuration.
Step 2 In the PE Interface fields, enter the IP address on the PE for the subinterface that the cable is connected to.
Note: The IP address entered here must be different from the IP address entered for the maintenance subinterface. To be reachable, each subinterface must have its own IP address.
You do not need to enter an IP address for the CE interface.
Step 3 When finished entering the necessary information, click Next. The Select VRF Parameters dialog box appears (see Figure 8-23).
The Select VRF Parameters dialog box lets you set values for an import route map and the maximum number of routes in the VRF table. You can also enable NetFlow accounting.

Note: The Cisco IOS supports only one import route map per VRF (and therefore, per VPN).
An import route map applies a filter. Therefore, if you want to exclude a particular route from the VRF on this PE, you can either set an export route map on the sending router to make sure it does not have any route targets that can be imported into the current VRF, or create an import route map on this PE to exclude the route.
For command reference details on the import map command, see the "import map" section.
Step 2 In the Maximum Routes field, specify the maximum number of routes that can be imported into the VRF on this PE.
Step 3 To enable NetFlow accounting, check the Turn on NetFlow accounting checkbox.
For more information, see the "NetFlow Collector and VPNSC: MPLS Solution Software" section and the "MPLS VPN NetFlow Accounting" section.
Step 4 When you have completed the fields as necessary in the Specify VRF Parameters dialog box, click Next. The Class of Service (CoS) dialog box appears.
You can create a Class of Service (CoS) profile when you define the Provider Administrative Domain. For information on creating a CoS Profile, see the "Defining a Class of Service Profile" section. For a discussion on the Class of Service feature, see the "Quality of Service and Class of Service" section.
Class of Service profiles are applied to the Provider Edge Router (PE), but the CoS definition is enforced across the PE-CE link on both the PE and CE.
Step 2 Click Next. The Confirm dialog box appears.
The Confirm dialog box displays a summary of settings defined for this cable services VPN.
Your request to "Add VPN Service to CE" has been submitted with ID number n. This service request can be deployed by using the "Deploy Service Requests" wizard or by using the "Deploy VPN Service" item under the "Provisioning" option of a VPN service request report.
Step 2 Press Close. You have now queued a service request. It is entered into the product database and is in the initial state of "Requested."
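Once both service requests are deployed, the resulting PE configuration can be checked against the rules this chapter states: every cable subinterface is tied to a VRF, subinterface 1 belongs to the management VPN, each subscriber subinterface has a host helper address, and no two subinterfaces on the same cable interface share an IP address. The following Python audit is an added example, not part of VPN Solutions Center or the original chapter. The function names, VRF names, addresses and sample configuration are assumptions, as is the use of the IOS `ip vrf forwarding` and `cable helper-address ... cable-modem|host` lines in the deployed configuration.

```python
import re

# Constructed sample, not from the page; VRF names and addresses are assumptions.
SAMPLE_CONFIG = """\
interface Cable3/0.1
 ip vrf forwarding mgmt-vpn
 ip address 10.1.0.1 255.255.255.0
 cable helper-address 10.9.0.5 cable-modem
!
interface Cable3/0.2
 ip vrf forwarding isp-a
 ip address 10.2.0.1 255.255.255.0
 ip address 172.16.2.1 255.255.255.0 secondary
 cable helper-address 10.2.9.5 host
!
interface Cable3/0.3
 ip address 10.2.0.1 255.255.255.0
!
"""

SUBIF = re.compile(r"^interface (Cable\d+/\d+)\.(\d+)\s*$")


def parse_cable_subinterfaces(config):
    """Map each cable subinterface name to its VRF, primary IP and helper kinds."""
    subifs, current = {}, None
    for line in config.splitlines():
        m = SUBIF.match(line)
        if m:
            current = {"parent": m.group(1), "unit": int(m.group(2)),
                       "vrf": None, "ip": None, "helpers": set()}
            subifs[f"{m.group(1)}.{m.group(2)}"] = current
        elif not line.startswith(" "):
            current = None  # "!" or another stanza ends the interface block
        elif current is not None:
            w = line.split()
            if w[:3] == ["ip", "vrf", "forwarding"] and len(w) == 4:
                current["vrf"] = w[3]
            elif w[:2] == ["ip", "address"] and len(w) == 4:
                current["ip"] = w[2]  # primary only; a "secondary" line has 5 words
            elif w[:2] == ["cable", "helper-address"] and len(w) == 4:
                current["helpers"].add(w[3])  # "cable-modem" or "host"
    return subifs


def audit(config, mgmt_vrf):
    """Return sorted (subinterface, finding) pairs for the chapter's rules."""
    findings, ip_owner = [], {}
    for name, s in parse_cable_subinterfaces(config).items():
        if s["vrf"] is None:
            findings.append((name, "no VRF binding"))
        elif s["unit"] == 1 and s["vrf"] != mgmt_vrf:
            findings.append((name, "maintenance subinterface outside management VRF"))
        if s["unit"] != 1 and "host" not in s["helpers"]:
            findings.append((name, "no host helper address"))
        key = (s["parent"], s["ip"])
        if s["ip"] and key in ip_owner:
            findings.append((name, f"IP address reused from {ip_owner[key]}"))
        ip_owner.setdefault(key, name)
    return sorted(findings)


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, mgmt_vrf="mgmt-vpn"))
```

A subinterface with no VRF binding is the finding to act on first, because its subscriber traffic is routed in the global table rather than inside an ISP's VPN.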
Posted: Wed Sep 20 15:04:14 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.