7.6. Configuring VPRN Components
7.6.1. Creating a VPRN Service
Use the following CLI syntax to create a VPRN service. A route distinguisher must be defined in order for VPRN to be operationally active.
config>service# vprn service-id [customer customer-id]
route-distinguisher rd
description description-string
no shutdown
The following example displays a VPRN service configuration.
*A:ALU-1>config>service# info
----------------------------------------------
...
vprn 1 customer 1 create
route-distinguisher 10001:0
no shutdown
exit
...
----------------------------------------------
*A:ALU-1>config>service>vprn#
7.6.2. Configuring Global VPRN Parameters
The autonomous system (AS) number for a VPRN service is configured in the config>service>vprn context. Local AS numbers can be set at the VPRN BGP global, group, and neighbor levels.
A spoke SDP can be bound to the VPRN service using the auto-bind-tunnel command or the spoke-sdp sdp-id command. However, when using the spoke-sdp command, you must create a spoke SDP for each peer PE router.
A VPRN spoke SDP can be any of the supported SDPs, except the IP SDP.
The following example displays a VPRN service with configured parameters.
*A:ALU-1>config>service# info
----------------------------------------------
...
vprn 1 customer 1 create
vrf-import "vrfImpPolCust1"
vrf-export "vrfExpPolCust1"
autonomous-system 10000
router-id 2000
route-distinguisher 10001:0
spoke-sdp 2 create
exit
no shutdown
exit
...
----------------------------------------------
*A:ALU-1>config>service#
7.6.3. Configuring Router Interfaces
Refer to the 7705 SAR Router Configuration Guide for command descriptions and syntax information to configure router interfaces.
The following example displays a router interface configuration:
ALU48>config>router# info
#------------------------------------------
echo "IP Configuration"
#------------------------------------------
...
interface "if1"
address 10.0.0.0/8
port 1/1/33
exit
interface "if2"
address 10.0.0.1/8
port 1/1/34
exit
interface "if3"
address 10.0.0.2/8
port 1/1/35
exit
...
#------------------------------------------
ALU48>config>router#
7.6.4. Configuring Static Route Entries for VPRN
The 7705 SAR VPRN service supports static routes to next-hop addresses.
Only one next-hop IP address can be specified per IP interface for static routes.
Use the following CLI syntax to create a VPRN static route entry. Multiple types of static routes (black-hole, grt, indirect, ipsec-tunnel, and next-hop) can be applied to the same entry. Unless no shutdown is specified, the static-route-entry will be created in a shutdown state.
config>service>vprn>
static-route-entry {ip-prefix/prefix-length}
black-hole {ip-int-name | ip-address | ipv6-address}
description description-string
metric metric
preference preference
prefix-list prefix-list-name [all | none]
no shutdown
tag tag
grt
description description-string
metric metric
preference preference
no shutdown
indirect ip-address
cpe-check cpe-ip-address
drop-count count
interval seconds
log
description description-string
metric metric
preference preference
prefix-list prefix-list-name {all | none}
no shutdown
tag tag
ipsec-tunnel [ipsec-tunnel-name]
description description-string
metric metric
preference preference
no shutdown
tag tag
next-hop {ip-int-name | ip-address | ipv6-address}
bfd-enable
cpe-check cpe-ip-address
drop-count count
interval interval
log
description description-string
metric metric
preference preference
prefix-list prefix-list-name [all | none]
no shutdown
tag tag
config>service>vprn# static-route-entry 10.5.5.5/8
static-route-entry# next-hop 10.1.1.2
next-hop# metric 1
next-hop# preference 5
next-hop# tag 20
next-hop# no shutdown
7.6.5. Configuring BGP for VPRN
Configuring BGP between the PE routers allows the PE routers to exchange information about routes originating and terminating in the VPRN. The PE routers use the information to determine which labels are used for traffic intended for remote sites.
The minimal parameters that should be configured for a VPRN BGP instance are:
an autonomous system number
a router ID
a VPRN BGP peer group
a VPRN BGP neighbor with which to peer
a VPRN BGP peer-AS that is associated with the above peer
VPRN BGP is administratively enabled upon creation. Minimally, to enable VPRN BGP in a VPRN instance, you must associate an autonomous system number and router ID for the VPRN service, create a peer group, neighbor, and associate a peer AS number. There are no default VPRN BGP groups or neighbors. Each VPRN BGP group and neighbor must be explicitly configured.
All parameters configured for VPRN BGP are applied to the group and are inherited by each peer, but a group parameter can be overridden on a specific basis. The VPRN BGP command hierarchy consists of three levels:
global level
group level
neighbor level
Use the following CLI syntax to configure these three levels:
config>service>vprn>bgp#
group
neighbor
Note: The local-address command must be explicitly configured if two systems have multiple BGP peer sessions between them.
BGP for MP-BGP purposes is configured under the config>router>bgp context. For more information about the BGP protocol, refer to the 7705 SAR Routing Protocols Guide, “BGP”.
7.6.5.1. Configuring VPRN BGP Group and Neighbor Parameters
A group is a collection of related VPRN BGP peers. The group name should be a descriptive name for the group. Follow your group, name, and ID naming conventions for consistency and to help when troubleshooting faults.
After a group name is created and options are configured, neighbors can be added in different autonomous systems, creating EBGP peers. All parameters configured for the peer group are inherited by each peer (neighbor), but a group parameter can be overridden on a specific neighbor-level basis.
7.6.5.2. Configuring Route Reflection
Route reflection can be implemented in autonomous systems with a large internal BGP mesh to reduce the number of IBGP sessions required. One or more routers can be selected to act as focal points for internal BGP sessions. Several BGP-speaking routers can peer with a route reflector. A route reflector forms peer connections to other route reflectors. A router assumes the role of a route reflector when the cluster cluster-id command is configured. No other command is required unless disabling reflection to specific peers is desired.
If you configure the cluster command at the global level, then all subordinate groups and neighbors are members of the cluster. The route reflector cluster ID is expressed in dotted decimal notation. The ID should be a significant topology-specific value. No other command is required unless disabling reflection to specific peers is desired.
If a route reflector client is fully meshed, the disable-client-reflect command can be enabled to stop the route reflector from reflecting redundant route updates to a client.
7.6.5.3. VPRN BGP CLI Syntax
The following example displays a VPRN BGP configuration. The example includes two BGP groups: one group has a static (configured) neighbor and the other group has dynamic neighbors.
*A:ALU-1>config>service# info
----------------------------------------------
...
vprn 1 customer 1 create
vrf-import "vrfImpPolCust1"
vrf-export "vrfExpPolCust1"
autonomous-system 10000
route-distinguisher 10001:1
auto-bind-tunnel
resolution-filter
ldp
exit
resolution filter
exit
vrf-target target:10001:1
interface "to-ce1" create
address 172.16.0.0/12
sap 1/1/10:1 create
ingress
qos 100
filter ip 6
exit
egress
qos 1010
exit
exit
exit
static-route-entry 10.1.1.1/8
next-hop 10.1.1.2
no shutdown
exit
exit
bgp
router-id 10.0.0.1
group "to-cel"
export "vprnBgpExpPolCust1"
multihop 3
peer-as 65101
ttl-security 10
neighbor 172.16.0.10
exit
group "dynamic"
peer-as 100
dynamic-neighbor
prefix 10.100.0.0/16
dynamic-neighbor-limit 75
exit
exit
exit
spoke-sdp 2 create
exit
no shutdown
exit
...
----------------------------------------------
*A:ALU-1>config>service#
7.6.6. Configuring IPv6 Parameters for VPRN BGP
Use the following CLI syntax to configure IPv6 parameters for VPRN BGP:
config>service# vprn service-id [customer customer-id]
bgp
family ipv6
group name
family ipv6
neighbor ipv6-address
family ipv6
A:ALU>config>service# vprn 20
A:ALU>config>service>vprn$ bgp
A:ALU>config>service>vprn>bgp$ family ipv6
A:ALU>config>service>vprn>bgp>family$ group BGP1
A:ALU>config>service>vprn>bgp>family>group$ family ipv6
A:ALU>config>service>vprn>bgp>family>group>family$ neighbor 2001:db8:a::123
A:ALU>config>service>vprn>bgp>family>group>family> neighbor$ family ipv6
A:ALU>config>service>vprn>bgp>family>group>family> neighbor$ exit
A:ALU>config>service>vprn>bgp>family>group>family$ exit
A:ALU>config>service>vprn>bgp>family>group$ exit
A:ALU>config>service>vprn>bgp>family$ exit
A:ALU>config>service>vprn>bgp$ exit
7.6.7. Configuring VPRN IPv6 Neighbor Discovery Parameters
Use the following CLI syntax to configure IPv6 neighbor discovery parameters for a VPRN service:
config>service# vprn service-id [customer customer-id]
ipv6
reachable-time seconds
stale-time seconds
config# service vprn 20
config>service>vprn# ipv6
config>service>vprn>ipv6# reachable-time 30
config>service>vprn>ipv6# stale-time 14400
config>service>vprn>ipv6# exit
config>service>vprn# exit
The following example displays IPv6 neighbor discovery parameters output.
A:ALU-A>config>service>vprn 20# info
#------------------------------------------
...
reachable-time 30
stale-time 14400
exit
...
7.6.8. Configuring OSPF or OSPFv3 for VPRN
Each VPN routing instance is isolated from any other VPN routing instance and from the routing used across the backbone. OSPF or OSPFv3 can be run with any VPRN, independently of the routing protocols used in other VPRNs, or in the backbone. For more information on the OSPF and OSPFv3 protocols and for the commands used to run OSPF or OSPFv3 over the backbone (router context), refer to the 7705 SAR Routing Protocols Guide.
Use the following CLI syntax to configure OSPF or OSPFv3 in the VPRN context:
config>service>vprn>ospf#
config>service>vprn>ospf3#
The following example displays a VPRN OSPF configuration:
*A:ALU-1>config>service# info
----------------------------------------------
vprn 2 customer 1 create
interface "ospf_interface" create
exit
ospf
area 0.0.0.0
interface "ospf_interface"
no shutdown
exit
exit
exit
----------------------------------------------
*A:ALU-1>config>service#
7.6.9. Configuring RIP for VPRN
PE routers need to advertise reachability information for each CE that is attached to a VRF. RIP can be used to exchange reachability information between PE and CE routers by establishing adjacency with a CPE router that supports RIP. Via this adjacency, RIP learns the subnet or subnets for the customer site and will advertise any routes learned from other CEs. The routing table is updated to reflect the new information.
RIP can be used to distribute routes between PE and CE routers. When PE and CE routers are RIP peers, the CE router can use RIP to transmit to the PE router the set of address prefixes that are reachable via the CE router. When RIP is configured on the CE, care must be taken to ensure that address prefixes from other sites, that is, address prefixes learned by the CE router from the PE router, are never advertised to the PE. Specifically, if a PE router receives a VPN-IPv4 route and distributes it to a CE, that route must never be distributed from the CE site to either the originating PE router or any other PE router.
The parameters configured at the VPRN RIP global level are inherited by the group and neighbor levels. Parameters can be modified and overridden on a level-specific basis. The VPRN RIP command hierarchy consists of three levels: global, group, and neighbor.
Hierarchical VPRN RIP commands can be modified on different levels. The most specific value is used. A group-specific command takes precedence over a global command. A neighbor-specific command takes precedence over a global or group-specific command.
Note: Careful planning is essential to implement commands that can affect the behavior of global, group, and neighbor levels. Because the RIP commands are hierarchical, analyze the values that can disable features on a particular level.
To enable a VPRN RIP instance, the RIP protocol must be enabled in the config>service>vprn>rip context of the VPRN. VPRN RIP is administratively enabled upon creation. Configuring other RIP commands and parameters is optional.
The minimum RIP configuration for a VPRN instance must define:
one VPRN RIP peer group
one VPRN RIP neighbor peer
one VPRN RIP peer-AS associated with the neighbor peer
The following example displays a VPRN RIP configuration:
*A:ALU-1>config>service# info
----------------------------------------------
...
vprn 1 customer 1 create
vrf-import "vrfImpPolCust1"
vrf-export "vrfExpPolCust1"
ecmp 8
autonomous-system 10000
route-distinguisher 10001:1
auto-bind-tunnel
resolution-filter
ldp
exit
resolution filter
exit
vrf-target target:10001:1
interface "to-ce1" create
address 172.16.0.0/12
sap 1/1/10:1 create
ingress
qos 100
exit
egress
qos 1010
filter ip 6
exit
exit
exit
rip
export "vprnRipExpPolCust1"
group "cel"
neighbor "to-ce1"
exit
exit
exit
spoke-sdp 2 create
exit
no shutdown
exit
...
----------------------------------------------
For more information about the RIP protocol, refer to the 7705 SAR Routing Protocols Guide.
7.6.10. Configuring IGMP for VPRN
When using the ssm-translate command, the group range is not created until the source is specified.
The following example displays multicast IGMP parameters under a VPRN configuration:
*A:Sar18 Dut-B>config>service>vprn>igmp# info detail
----------------------------------------------
interface "mvpn_if"
no import
version 3
subnet-check
no max-groups
no max-grp-sources
no disable-router-alert-check
ssm-translate
grp-range 239.255.0.2 239.255.0.20
source 192.168.0.0
exit
exit
no shutdown
exit
query-interval 125
query-last-member-interval 1
query-response-interval 10
robust-count 2
no shutdown
----------------------------------------------
*A:Sar18 Dut-B>config>service>vprn>igmp#
7.6.11. Configuring PIM for VPRN
The following example displays a PIM configuration for VPRN.
A:ALU-1>config>service>vprn>pim# info detail
----------------------------------------------
no import join-policy
no import register-policy
interface "vprn_if"
hello-interval 30
hello-multiplier 35
no tracking-support
improved-assert
no bfd-enable
no three-way-hello
priority 1
multicast-senders auto
no bsm-check-rtr-alert
no sticky-dr
no max-groups
no assert-period
no instant-prune-echo
no shutdown
no ipv4-multicast-disable
exit
apply-to none
rp
no bootstrap-import
no bootstrap-export
static
exit
bsr-candidate
shutdown
priority 0
hash-mask-len 30
no address
exit
rp-candidate
shutdown
no address
holdtime 150
priority 192
exit
exit
no non-dr-attract-traffic
no ssm-default-range-disable ipv4
no shutdown
no ipv4-multicast-disable
----------------------------------------------
A:ALU-1>config>service>vprn>pim#
7.6.12. Configuring MVPN for VPRN
For selective PMSI provider tunnels, mLDP must be configured prior to setting a maximum-p2mp-spmsi. Also, the data-threshold c-grp-ip-addr must be a valid multicast address.
The following example displays the MVPN parameters for VPRN configuration:
*A:ALU>config>service>vprn>mvpn# info detail
----------------------------------------------
auto-discovery default
c-mcast-signaling bgp
umh-selection highest-ip
mdt-type sender-receiver
provider-tunnel
inclusive
mldp
shutdown
exit
exit
selective
mldp
shutdown
exit
maximum-p2mp-spmsi 4
no data-delay-interval
data-threshold 239.255.0.0/6 10
exit
exit
vrf-target unicast
exit
----------------------------------------------
*A:ALU>config>service>vprn>mvpn#
The following example displays a VPRN service with MVPN. The MVPN in this example supports inclusive PMSI and selective PMSI. The data-threshold that forces a group C(S,G) to switch from I-PMSI to S-PMSI in this example is 1 kb/s.
vprn 1 customer 1 create
route-distinguisher 10001:1
auto-bind-tunnel
resolution-filter
ldp
rsvp
exit
resolution filter
exit
vrf-target target:65000:1
interface "TO-CE-SOURCE" create
address 172.16.0.1/12
sap 1/1/9:100 create
exit
exit
pim
interface "to-ce-source"
rp
exit
no shutdown
exit
mvpn
provider-tunnel
inclusive
mldp
no shutdown
exit
exit
selective
mldp
no shutdown
exit
data-threshold 239.255.0.0/7 1
exit
exit
vrf-target target:65000:1
exit
exit
ospf
area 0.0.0.0
interface "TO-CE-SOURCE"
interface-type point-to-point
no shutdown
exit
exit
exit
no shutdown
exit
7.6.13. Configuring a VPRN Interface
Interface names associate an IP address with the interface, and then associate the IP interface with a physical port. The logical interface can associate attributes such as an IP address, port, or Link Aggregation Group (LAG). There are no default interfaces.
Note: The VPRN interface can be configured as a loopback interface by issuing the loopback command instead of the sap command. The loopback flag cannot be set on an interface where a SAP is already defined, and a SAP cannot be defined on a loopback interface.
When using mrinfo and mtrace in a Layer 3 VPN context, the configuration for the VPRN should have a loopback address configured that has the same address as the core VPRN instance's system address (that is, the BGP next hop).
See VPRN Services Command Reference for CLI commands and syntax.
The following example displays a VPRN interface configuration:
*A:ALU-1>config>service>vprn# info
----------------------------------------------
...
vprn 1 customer 1 create
vrf-import "vrfImpPolCust1"
vrf-export "vrfExpPolCust1"
autonomous-system 10000
route-distinguisher 10001:1
auto-bind-tunnel
resolution-filter
ldp
exit
resolution filter
exit
vrf-target target:10001:1
interface "to-ce1" create
address 172.16.0.1/12
proxy-arp-policy "proxyARPpolicy"
local-proxy-arp
remote-proxy-arp
exit
exit
static-route-entry 10.1.1.1/8
next-hop 10.1.1.2
no shutdown
exit
exit
spoke-sdp 2 create
exit
no shutdown
exit
...
----------------------------------------------
*A:ALU-1>config>service#
Use the following CLI syntax to configure interface parameters for the VPRN service.
config>service# vprn service-id [customer customer-id] [create]
interface ip-int-name
address if-ip-address
allow-directed-broadcasts
arp-timeout
bfd transmit-interval [receive receive-interval] [multiplier multiplier] [type np]
description description-string
dhcp
description description-string
option
action {replace | drop | keep}
circuit-id [ascii-tuple | ifindex | sap-id | vlan-ascii-tuple]
remote-id [mac | string string]
vendor-specific-option
client-mac-address
sap-id
service-id
string text
system-id
server server1 [server2...(up to 8 max)]
no shutdown
trusted
icmp
mask-reply
ttl-expired [number seconds]
unreachables
if-attribute
admin-group group-name [group-name...(up to 5 max)]
srlg-group group-name [group-name...(up to 5 max)]
ip-mtu octets
ipcp
dns ip-address [secondary ip-address]
dns secondary ip-address
peer-ip-address ip-address
l4-load-balancing hashing-algorithm
local-dhcp-service local-server-name
local-proxy-arp
loopback
mac ieee-address
proxy-arp-policy policy-name [policy-name...(up to 5 max)]
remote-proxy-arp
secondary {ip-address/mask | ip-address netmask} [broadcast all-ones | host-ones] [igp-inhibit]
no shutdown
static-arp ip-address ieee-mac-address
static-arp ieee-mac-address unnumbered
tcp-mss mss-value
teid-load-balancing
unnumbered {ip-int-name | ip-address}
no shutdown
A:ALU-41>config>service# vprn 4
A:ALU-41>config>service>vprn$ interface "vprn_interface"
A:ALU-41>config>service>vprn>if$ address 192.168.0.0/16
A:ALU-41>config>service>vprn>if$ dhcp option
A:ALU-41>config>service>vprn>if>dhcp>option$ circuit-id ifindex
A:ALU-41>config>service>vprn>if>dhcp>option$ exit
A:ALU-41>config>service>vprn>if$ ip-mtu 1524
The following example displays the VPRN interface creation output.
A:ALU-41>config>service>vprn>if# info detail
-------------------------------------------
...
no description
address 192.168.0.0/16 broadcast host-ones
no mac
arp-timeout 14400
no allow-directed-broadcasts
icmp
mask-reply
unreachables 100 10
ttl-expired 100 10
exit
dhcp
shutdown
no description
option
action keep
circuit-id ifindex
no remote-id
no vendor-specific-option
exit
no server
no trusted
exit
ip-mtu 1524
no bfd
ipcp
no peer-ip-address
no dns
exit
proxy-arp-policy "proxyARPpolicy"
local-proxy-arp
remote-proxy-arp
no shutdown...
7.6.14. Configuring a VPRN IPv6 Interface
Use the following CLI syntax to create a VPRN IPv6 interface and to configure optional VPRN IPv6 interface parameters:
config>service
vprn service-id
interface ip-int-name
ipv6
address ipv6-address/prefix-length [eui-64] [preferred]
bfd transmit-interval [receive receive-interval] [multiplier multiplier]
dhcp6-relay
description description-string
option
interface-id
interface-id ascii-tuple
interface-id ifindex
interface-id sap-id
interface-id string
remote-id
server ipv6-address...(up to 8 max)
shutdown
source-address ipv6-address
dhcp6-server
max-nbr-of-leases max-nbr-of-leases
prefix-delegation
prefix ipv6-address/prefix-length
duid duid [iaid iaid]
preferred-lifetime seconds
preferred-lifetime infinite
valid-lifetime seconds
valid-lifetime infinite
no shutdown
icmp6
packet-too-big number seconds
param-problem number seconds
time-exceeded number seconds
unreachables number seconds
link-local-address ipv6-address [preferred]
local-dhcp-server server-name [create]
neighbor ipv6-address mac-address
reachable-time seconds
stale-time seconds
(The example below shows only some of the CLI VPRN IPv6 interface commands).
config>service# vprn 20
config>service>vprn# interface "int1"
config>service>vprn>if>ipv6#
config>service>vprn>if>ipv6>address# 2001:db8:a::123
config>service>vprn>if>ipv6>icmp6# packet-too-big 100 10
config>service>vprn>if>ipv6>icmp6# param-problem 100 10
config>service>vprn>if>ipv6>icmp6# time-exceeded 100 10
config>service>vprn>if>ipv6>icmp6# unreachables 100 10
config>service>vprn>if>ipv6>icmp6# exit
config>service>vprn>if>ipv6>neighbor# 2001:db8:a::124
config>service>vprn>if>ipv6>reachable-time# 30
config>service>vprn>if>ipv6>stale-time# 14400
config>service>vprn>if>ipv6># exit
config>service>vprn>if># exit
The following example displays a VPRN IPv6 interface configuration:
A:ALU-B>config>service>vprn 20# info detail
----------------------------------------------
.....
ipv6
icmp6
packet-too-big 100 10
param-problem 100 10
time-exceeded 100 10
unreachables 100 10
exit
address 2001:db8:a::123
reachable-time 30
stale-time 14400
no dhcp6-relay
no local-dhcp-server
neighbor 2001:db8:a::124
no bfd
exit
.....
7.6.15. Configuring VPRN Interface Routed VPLS IPv6 Parameters
Use the following CLI syntax to configure VPRN interface routed VPLS IPv6 parameters:
config>service# vprn service-id [customer customer-id] [create]
interface ip-int-name
vpls service-name create
ingress
v6-routed-override-filter ipv6-filter-id
[no] shutdown
A:ALU-41>config>service# vprn 20
A:ALU-41>config>service>vprn$ interface "vprn20_interface"
A:ALU-41>config>service>vprn>if$ vpls 2/2/2:1 create
A:ALU-41>config>service>vprn>if>vpls$ ingress
A:ALU-41>config>service>vprn>if>vpls>ingress$ v6-routed-override-filter 44
A:ALU-41>config>service>vprn>if>vpls>ingress$ exit
A:ALU-41>config>service>vprn>if>vpls$ exit
A:ALU-41>config>service>vprn>if$ exit
7.6.16. Configuring VPRN Interface SAP Parameters
A SAP is a combination of a port and encapsulation parameters that identify the service access point on the interface and within the 7705 SAR. Each SAP must be unique within a router. A SAP cannot be defined if the loopback command is enabled on the interface.
When configuring VPRN interface SAP parameters, a default QoS policy is applied to each ingress and egress SAP. Additional QoS policies must be configured in the config>qos context. Filter policies are configured in the config>filter context and must be explicitly applied to a SAP. There are no default filter policies.
A VPRN interface SAP is supported on the following ports and adapter cards:
port in access mode with PPP or MLPPP encapsulation (by setting the port’s channel-group encap-type to be ipcp):
any T1/E1 ASAP port or bundle on the 16-port T1/E1 ASAP Adapter card or 32-port T1/E1 ASAP Adapter card on the 7705 SAR-8 Shelf V2 or 7705 SAR-18:
fractional T1/E1
clear channel T1/E1
any T1/E1 ASAP port or bundle on the 7705 SAR-X, 7705 SAR-M, or 7705 SAR-A:
fractional T1/E1
clear channel T1/E1
DS1/E1 channels on the 4-port OC3/STM1 / 1-port OC12/STM4 Adapter card:
the SAP can be a PPP link over a single DS1/E1 channel
the SAP can be an MLPPP or MC-MLPPP bundle over multiple DS1/E1 channels
port in access mode:
any Ethernet port (null, dot1q, or qinq) on the 6-port Ethernet 10Gbps Adapter card, 8-port Ethernet Adapter card, 8-port Gigabit Ethernet Adapter card, or 10-port 1GigE/1-port 10GigE X-Adapter card (supported on the 7705 SAR-18 only) on the 7705 SAR-8 Shelf V2 or 7705 SAR-18
any Ethernet port (null, dot1q, or qinq) on the 7705 SAR-M, 7705 SAR-H, 7705 SAR-Hc, 7705 SAR-A, 7705 SAR-Ax, 7705 SAR-W, 7705 SAR-Wx, or 7705 SAR-X
Note: IPv6 and multicast are not supported on PPP, MLPPP, or MC-MLPPP SAPs on the 4-port OC3/STM1 / 1-port OC12/STM4 Adapter card. The 10-port 1GigE/1-port 10GigE X-Adapter card supports qinq only when it is in 10-port 1GigE mode.
See VPRN Services Command Reference for CLI commands and syntax.
The following examples show the configuration of a VPRN interface SAP for:
an access port on a 16-port T1/E1 ASAP Adapter card
an MLPPP bundle on an access port on a 16-port T1/E1 ASAP Adapter card
*A:ALU-1>config>service# info
----------------------------------------------
...
vprn 1 customer 1 create
vrf-import "vrfImpPolCust1"
vrf-export "vrfExpPolCust1"
autonomous-system 10000
route-distinguisher 10001:10
auto-bind-tunnel
resolution-filter
ldp
exit
resolution filter
exit
vrf-target target:10001:1
interface "to-ce1" create
address 172.16.0.0/12
sap 1/1/10:1 create
ingress
qos 100
filter ip 6
exit
egress
qos 1010
exit
exit
exit
static-route-entry 192.168.0.0/16
next-hop 192.168.0.1
no shutdown
exit
exit
spoke-sdp 2 create
exit
no shutdown
exit
...
----------------------------------------------
*A:ALU-1>config>service#
*A:ALU-1>config>service>vprn# info
----------------------------------------------
description "test VPRN for PPP SAPs"
route-distinguisher 10001:1
vrf-target target:10001:1
interface "to-ce1" create
address 172.16.0.0/12
sap 1/1/10:1 create
exit
exit
interface "to_ce2_ppp" create
address 172.16.0.1/12
bfd 100 receive 100 multiplier 3
ipcp
peer-ip-address 192.168.0.50
exit
sap 1/1/2.24 create
exit
exit
interface "to_ce2_mlppp" create
address 172.16.0.3/12
bfd 100 receive 100 multiplier 3
ipcp
peer-ip-address 192.168.0.51
dns 2.2.2.2 secondary 3.3.3.3
exit
sap bundle-ppp-1/1.1 create
exit
exit
interface "to_ce2_eth" create
address 172.16.0.3/12
sap 1/2/1:25 create
exit
exit
static-route-entry 192.168.0.0/16
next-hop 192.168.0.5
no shutdown
exit
exit
static-route-entry 192.168.0.1/16
next-hop 192.168.0.6
no shutdown
exit
exit
static-route-entry 192.168.0.2/16
next-hop 192.168.0.7
no shutdown
exit
exit
static-route-entry 192.168.0.3/16
next-hop 192.168.0.8
no shutdown
exit
exit
static-route-entry 192.168.0.3/16
next-hop 192.168.0.9 disable
shutdown
exit
exit
----------------------------------------------
*A:ALU-1>config>service>vprn#
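Added example (not from the Nokia guide): a Python audit of a saved info dump that applies two statements from this page, that no filter policy exists on a SAP unless one is explicitly applied (7.6.16) and that a BGP neighbor inherits group parameters unless it overrides them (7.6.5). The sample configuration, the group name "other-ce" and the function names are constructed for illustration, and the parser assumes the device's space-indented block layout.

```python
import shlex

# Constructed sample, modelled on this page's examples (not a real device dump).
# Assumption: blocks are indented with spaces, as in normal `info` output.
SAMPLE = """\
vprn 1 customer 1 create
    interface "to-ce1" create
        address 172.16.0.0/12
        sap 1/1/10:1 create
            ingress
                qos 100
                filter ip 6
            exit
        exit
    exit
    interface "to_ce2_eth" create
        address 172.16.0.3/12
        sap 1/2/1:25 create
        exit
    exit
    bgp
        router-id 10.0.0.1
        group "to-ce1"
            peer-as 65101
            ttl-security 10
            neighbor 172.16.0.10
            exit
            neighbor 172.16.0.11
                peer-as 65102
            exit
        exit
        group "other-ce"
            peer-as 100
            neighbor 172.16.0.20
            exit
        exit
    exit
    no shutdown
exit
"""


def parse(text):
    """Build a tree of {'line', 'children'} nodes from the indentation."""
    root = {"line": "", "children": []}
    stack = [(-1, root)]  # (indent, node) for every block still open
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, block terminators, "..." elisions and ruler lines.
        if not line or line == "exit" or set(line) <= set("-#."):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:
            stack.pop()
        node = {"line": line, "children": []}
        stack[-1][1]["children"].append(node)
        stack.append((indent, node))
    return root


def kids(node, keyword):
    """Children of node whose first token is keyword."""
    return [c for c in node["children"] if c["line"].split()[0] == keyword]


def name(node):
    """Second token of a line, with surrounding double quotes removed."""
    return shlex.split(node["line"])[1]


def unfiltered_saps(root):
    """(service, interface, sap) for each SAP with no ingress filter applied."""
    findings = []
    for vprn in kids(root, "vprn"):
        for ifc in kids(vprn, "interface"):
            for sap in kids(ifc, "sap"):
                if not any(kids(i, "filter") for i in kids(sap, "ingress")):
                    findings.append((name(vprn), name(ifc), name(sap)))
    return findings


def effective(root, keyword):
    """Value of keyword per neighbor: neighbor first, then group, then bgp."""
    result = {}
    for vprn in kids(root, "vprn"):
        for bgp in kids(vprn, "bgp"):
            for group in kids(bgp, "group"):
                for nbr in kids(group, "neighbor"):
                    value = None
                    for level in (nbr, group, bgp):  # most specific wins
                        hit = kids(level, keyword)
                        if hit:
                            value = hit[0]["line"].partition(" ")[2]
                            break
                    result[name(nbr)] = value
    return result


if __name__ == "__main__":
    tree = parse(SAMPLE)
    for svc, ifc, sap in unfiltered_saps(tree):
        print(f"vprn {svc} interface {ifc} sap {sap}: no ingress filter")
    for nbr, ttl in effective(tree, "ttl-security").items():
        print(f"neighbor {nbr}: ttl-security {ttl or 'not set at any level'}")
```
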
7.6.17. Configuring VPRN Interface SAP IPv6 Parameters
Use the following CLI syntax to configure VPRN interface SAP IPv6 parameters:
config>service# vprn service-id [customer customer-id] [create]
interface ip-int-name
sap sap-id create
ingress
filter ipv6 ipv6-filter-id
[no] shutdown
A:ALU-41>config>service# vprn 20
A:ALU-41>config>service>vprn$ interface "vprn20_interface"
A:ALU-41>config>service>vprn>if$ sap 1/1/10:1 create
A:ALU-41>config>service>vprn>if>sap$ ingress
A:ALU-41>config>service>vprn>if>sap>ingress$ filter ipv6 78
A:ALU-41>config>service>vprn>if>sap>ingress$ exit
A:ALU-41>config>service>vprn>if>sap$ exit
7.6.18. Configuring VPRN Interface Spoke SDP Parameters
Use the following CLI syntax to configure VPRN interface spoke SDP parameters:
config>service# vprn service-id [customer customer-id] [create]
interface ip-int-name
spoke-sdp sdp-id:vc-id [create]
egress
vc-label egress-vc-label
ingress
filter ip ip-filter-id
vc-label ingress-vc-label
[no] shutdown
A:ALU-41>config>service# vprn 6
A:ALU-41>config>service>vprn$ interface "vprn6_interface"
A:ALU-41>config>service>vprn>if$ spoke-sdp 7:8 create
A:ALU-41>config>service>vprn>if>spoke-sdp$ ingress
A:ALU-41>config>service>vprn>if>spoke-sdp>ingress$ filter ip 78
A:ALU-41>config>service>vprn>if>spoke-sdp>ingress$ vc-label 7788
The following example displays the VPRN interface spoke SDP creation output.
A:ALU-41>config>service>vprn>if>spoke SDP# info detail
-------------------------------------------
...
no description
egress
no vc-label
ingress
filter ip 78
vc-label 7788
exit
no shutdown
7.6.19. Configuring VPRN Interface Spoke SDP IPv6 Parameters
Use the following CLI syntax to configure VPRN interface spoke SDP IPv6 parameters:
config>service# vprn service-id [customer customer-id] [create]
interface ip-int-name
spoke-sdp sdp-id:vc-id [create]
egress
filter ipv6 ipv6-filter-id
ingress
filter ipv6 ipv6-filter-id
[no] shutdown
A:ALU-41>config>service# vprn 10
A:ALU-41>config>service>vprn$ interface "vprn10_interface"
A:ALU-41>config>service>vprn>if$ spoke-sdp 8:9 create
A:ALU-41>config>service>vprn>if>spoke-sdp$ egress
A:ALU-41>config>service>vprn>if>spoke-sdp>egress$ filter ipv6 88
A:ALU-41>config>service>vprn>if>spoke-sdp>egress$ exit
A:ALU-41>config>service>vprn>if>spoke-sdp$ ingress
A:ALU-41>config>service>vprn>if>spoke-sdp>ingress$ filter ipv6 89
A:ALU-41>config>service>vprn>if>spoke-sdp>ingress$ exit
A:ALU-41>config>service>vprn>if>spoke-sdp$ exit
7.6.20. Configuring VRRP
Configuring VRRP policies and instances on service interfaces is optional. The basic owner and non-owner VRRP configurations on a VPRN interface must specify the backup ip-address parameter.
VRRP helps eliminate the single point of failure in a routed environment by using virtual router IP addresses shared between two or more routers connecting the common domain. VRRP provides dynamic failover of the forwarding responsibility to the backup router if the master becomes unavailable.
The VRRP implementation allows one master per IP subnet. All other VRRP instances in the same domain must be in backup mode.
For overview information on VRRP and VRRP VPRN interface parameters, refer to the “VRRP” chapter in the 7705 SAR Router Configuration Guide.
The following displays a VPRN interface VRRP owner configuration:
config>service>vprn> info
#----------------------------------------------
...
interface "vrrpowner"
address 10.10.10.24
vrrp 1 owner
backup 10.10.10.23
authentication-key "testabc"
exit
exit
...
#----------------------------------------------
config>service>vprn#
config>service>vprn>if># info
-------------------------------------------
...
ipv6
address 2001:db8:a::123
vrrp 1 owner
backup 2001:db8:a::124
exit
exit
exit
...
-------------------------------------------
7.6.21. Configuring a Security Zone Within a VPRN
To configure NAT or firewall security functionality, you must:
configure a NAT or firewall security profile and policy in the config>security context
in the config>security>profile context, specify the timeouts for the TCP/UDP/ICMP protocols and configure logging and application assurance parameters. This step is optional. If you do not configure the profile, a default profile is assigned.
in the config>security>policy context, configure a security policy, specify the match criteria and the action to be applied to a packet if a match is found.
configure a security zone and apply the policy ID to the zone, as shown in the following CLI syntax
config>service
vprn service-id [customer customer-id] [create]
abort
begin
commit
zone zone-id [create]
description description-string
interface ip-int-name [create]
name zone-name
nat
pool pool-id [create]
description description-string
direction {zone-outbound | zone-inbound | both}
entry entry-id [create]
ip-address ip-address [to ip-address] interface ip-int-name
port port [to port] interface ip-int-name
name pool-name
policy policy-id | policy-name
shutdown
The following example displays a NAT zone configuration output.
A:ALU-B>config>service>vprn# info
----------------------------------------------
configure
service vprn 1 create
zone 1 create
begin
name "VPRN zone"
description "uplink zone from private"
interface vprn-100-192.168.0.0
exit
nat
pool 1 create
description "pool 1"
direction zone-inbound
exit
entry 1 create
ip-addr interface vprn-100-203.0.113.0
exit
exit
exit
policy 1 nat pool 1
commit
exit
no shutdown
----------------------------------------------
A:ALU-B>config>service>ies#
7.6.22. Configuring Serial Raw Socket Transport Within VPRN
Configure an IP transport subservice within a VPRN service in order to enable the transport of serial data using raw sockets.
config>service
vprn service-id [customer customer-id] [create]
ip-transport ipt-id [create]
description description-string
filter-unknown-host
local-host ip-addr ip-addr port-num port-num protocol {tcp | udp}
remote-host host-id [ip-addr ip-addr] [port-num port-num] [create]
description description-string
name host-name
exit
fc fc-name profile {in | out}
shutdown
tcp
inactivity-timeout seconds
max-retries number
retry-interval seconds
exit
exit
exit
exit
The following example displays an IP transport subservice configuration output.
A:ALU-B>config>service>vprn# info
----------------------------------------------
configure
service vprn 100 create
ip-transport 1/2/4.1 create
description "ip-transport vprn"
filter-unknown-host
local-host ip-address 192.168.0.0 port-number 4000 protocol udp
exit
remote-host 1 ip-address 192.168.0.1 port-number 4001 create
exit
exit
no shutdown
----------------------------------------------
A:ALU-B>config>service>vprn
7.6.23. Configuring VPRN Router Advertisement
Use the following CLI syntax to enable VPRN router advertisement on all IPv6-enabled interfaces and to configure optional router advertisement parameters:
config>service
vprn service-id
router-advertisement
interface ip-int-name
current-hop-limit number
managed-configuration
max-advertisement-interval seconds
min-advertisement-interval seconds
mtu mtu-bytes
other-stateful-configuration
prefix ipv6-prefix/prefix-length
autonomous
on-link
preferred-lifetime {seconds | infinite}
valid-lifetime {seconds | infinite}
reachable-time milli-seconds
retransmit-time milli-seconds
router-lifetime seconds
no shutdown
config>service# vprn 1
config>service>vprn# router-advertisement
config>service>vprn>router-advert# interface "int1"
config>service>vprn>router-advert>if# prefix 2001:db8:a::123
config>router>router-advert>if>prefix# autonomous
config>router>router-advert>if>prefix# on-link
config>router>router-advert>if>prefix# preferred-lifetime 206800
config>router>router-advert>if>prefix# valid-lifetime 1502000
config>router>router-advert>if>prefix# exit
config>router>router-advert>if# exit
config>router>router-advert# exit
The following example displays a VPRN router advertisement configuration:
A:ALU-A>config>service# info detail
------------------------------------------
interface "n1"
prefix 3::/64
exit
no shutdown
------------------------------------------
A:ALU-A>config>router>router-advert# interface n1
A:ALU-A>config>router>router-advert>if# prefix 2001:db8:a::123
A:ALU-A>config>router>router-advert>if>prefix# info detail
------------------------------------------
autonomous
on-link
preferred-lifetime 604800
valid-lifetime 2592000
------------------------------------------
A:ALU-A>config>router>router-advert>if>prefix#