Configuring VPRN Components
Topics in this section include:
Creating a VPRN Service
Use the following CLI syntax to create a VPRN service. A route distinguisher must be defined in order for VPRN to be operationally active.
config>service# vprn service-id [customer customer-id]
route-distinguisher rd
description description-string
no shutdown
where rd is:
ip-addr:comm-val | 2byte-asnumber:ext-comm-val | 4-byte-asnumber:comm-val
ip-addr: a.b.c.d
comm-val : 0 to 65535
2-byte-asnumber : 1 to 65535
ext-comm-val : 0 to 4294967295
4-byte-asnumber: 1 to 4294967295
The following example displays a VPRN service configuration.
*A:ALU-1>config>service# info
----------------------------------------------
...
vprn 1 customer 1 create
route-distinguisher 100:76525
no shutdown
exit
...
----------------------------------------------
*A:ALU-1>config>service>vprn#
Configuring Global VPRN Parameters
See VPRN Services Command Reference for the CLI syntax to configure VPRN parameters.
The autonomous system (AS) number is configured in the config>router>bgp context.
A spoke SDP can be bound to the VPRN service using the auto-bind command or the spoke-sdp sdp-id command. However, when using the spoke-sdp command, you must create a spoke SDP for each peer PE router.
A VPRN spoke SDP can be any of the supported SDPs, except the IP SDP.
The following example displays a VPRN service with configured parameters.
*A:ALU-1>config>service# info
----------------------------------------------
...
vprn 1 customer 1 create
vrf-import "vrfImpPolCust1"
vrf-export "vrfExpPolCust1"
autonomous-system 10000
router-id 2000
route-distinguisher 10001:1
spoke-sdp 2 create
exit
no shutdown
exit
...
----------------------------------------------
*A:ALU-1>config>service#
Configuring Router Interfaces
Refer to the 7705 SAR OS Router Configuration Guide for command descriptions and syntax information to configure router interfaces.
The following example displays a router interface configuration:
ALU48>config>router# info
#------------------------------------------
echo "IP Configuration"
#------------------------------------------
...
interface "if1"
address 2.2.2.1/24
port 1/1/33
exit
interface "if2"
address 10.49.1.46/24
port 1/1/34
exit
interface "if3"
address 11.11.11.1/24
port 1/1/35
exit
...
#------------------------------------------
ALU48>config>router#
Configuring BGP for VPRN
Configuring BGP between the PE routers allows the PE routers to exchange information about routes originating and terminating in the VPRN. The PE routers use the information to determine which labels are used for traffic intended for remote sites.
The minimal parameters that should be configured for a VPRN BGP instance are:
an autonomous system number for the router
a router ID
a VPRN BGP peer group
a VPRN BGP neighbor with which to peer
a VPRN BGP peer-AS that is associated with the above peer
There are no default VPRN BGP groups or neighbors. Each VPRN BGP group and neighbor must be explicitly configured.
All parameters configured for VPRN BGP are applied to the group and are inherited by each peer, but a group parameter can be overridden on a specific basis. The VPRN BGP command hierarchy consists of three levels:
global level
group level
neighbor level
Use the following CLI syntax to configure these three levels:
config>service>vprn>bgp#
group
neighbor
| Note: The local-address command must be explicitly configured if two systems have multiple BGP peer sessions between them. |
BGP for MP-BGP purposes is configured under the config>router>bgp context. For more information about the BGP protocol, refer to the 7705 SAR OS Routing Protocols Guide, “BGP”.
Configuring VPRN BGP Group and Neighbor Parameters
A group is a collection of related VPRN BGP peers. The group name should be a descriptive name for the group. Follow your group, name, and ID naming conventions for consistency and to help when troubleshooting faults.
After a group name is created and options are configured, neighbors can be added in different autonomous systems, creating EBGP peers. All parameters configured for the peer group are inherited by each peer (neighbor), but a group parameter can be overridden on a specific neighbor-level basis.
VPRN BGP CLI Syntax
See VPRN Services Command Reference for the CLI syntax to configure VPRN BGP parameters.
The following example displays a VPRN BGP configuration:
*A:ALU-1>config>service# info
----------------------------------------------
...
vprn 1 customer 1 create
vrf-import "vrfImpPolCust1"
vrf-export "vrfExpPolCust1"
autonomous-system 10000
route-distinguisher 10001:1
auto-bind ldp
vrf-target target:10001:1
interface "to-ce1" create
address 11.1.0.1/24
sap 1/1/10:1 create
ingress
qos 100
filter ip 6
exit
egress
qos 1010
exit
exit
exit
static-route 6.5.0.0/24 next-hop 10.1.1.2
bgp
router-id 10.0.0.1
group “to-cel”
export “vprnBgpExpPolCust1“
multihop 3
peer-as 65101
ttl-security 10
neighbor 10.1.1.2
exit
exit
exit
spoke-sdp 2 create
exit
no shutdown
exit
...
----------------------------------------------
*A:ALU-1>config>service#
Configuring IPv6 Parameters for VPRN BGP
Use the following CLI syntax to configure IPv6 parameters for VPRN BGP:
config>service# vprn service-id [customer customer-id]
bgp
family ipv6
group name
family ipv6
neighbor ipv6-address
family ipv6
A:ALU>config>service# vprn 20
A:ALU>config>service>vprn$ bgp
A:ALU>config>service>vprn>bgp$ family ipv6
A:ALU>config>service>vprn>bgp>family$ group BGP1
A:ALU>config>service>vprn>bgp>family>group$ family ipv6
A:ALU>config>service>vprn>bgp>family>group>family$ neighbor 2001:db8:a0b:12f0::1
A:ALU>config>service>vprn>bgp>family>group>family> neighbor$ family ipv6
A:ALU>config>service>vprn>bgp>family>group>family> neighbor$ exit
A:ALU>config>service>vprn>bgp>family>group>family$ exit
A:ALU>config>service>vprn>bgp>family>group$ exit
A:ALU>config>service>vprn>bgp>family$ exit
A:ALU>config>service>vprn>bgp$ exit
Configuring VPRN IPv6 In-Band Management Parameters
Use the following CLI syntax to configure IPv6 in-band management parameters for a VPRN service:
config>service# vprn service-id [customer customer-id]
grt-lookup
enable-grt-local-management-only
export-grt-rib-only policy-name [policy-name ...(up to 5 max)]
export-v6-limit num-routes
config# service vprn 20
config>service>vprn# grt-lookup
config>service>vprn>grt-lookup# enable-grt-local-management-only
config>service>vprn>grt-lookup# export-grt-rib-only “policy-name 1”
config>service>vprn>grt-lookup# export-v6-limit 4
config>service>vprn>grt-lookup# exit
config>service>vprn# exit
The following example displays IPv6 in-band management parameters output.
A:ALU-A>config>service>vprn 20# info
#------------------------------------------
.....
grt-lookup
enable-grt-local-management-only
export-grt-rib-only “policy-name 1”
export-v6-limit 4
exit
.....
Configuring VPRN IPv6 Neighbor Discovery Parameters
Use the following CLI syntax to configure IPv6 neighbor discovery parameters for a VPRN service:
config# config>service# vprn service-id [customer customer-id]
ipv6
reachable-time seconds
stale-time seconds
config# service vprn 20
config>service>vprn# ipv6
config>service>vprn>ipv6# reachable-time 30
config>service>vprn>ipv6# stale-time 14400
config>service>vprn>ipv6# exit
config>service>vprn# exit
The following example displays IPv6 neighbor discovery parameters output.
A:ALU-A>config>service>vprn 20# info
#------------------------------------------
...
reachable-time 30
stale-time 14400
exit
...
Configuring OSPF for VPRN
Each VPN routing instance is isolated from any other VPN routing instance, and from the routing used across the backbone. OSPF can be run with any VPRN, independently of the routing protocols used in other VPRNs, or in the backbone. For more information on the OSPF protocol and for the commands used to run OSPF over the backbone (router context), refer to the 7705 SAR OS Routing Protocols Guide.
Use the following CLI syntax to configure OSPF in the VPRN context:
config>service>vprn>ospf#
Refer to VPRN Services Command Reference for the CLI syntax to configure VPRN OSPF parameters.
The following example displays a VPRN OSPF configuration:
*A:ALU-1>config>service# info
----------------------------------------------
vprn 2 customer 1 create
interface "ospf_interface" create
exit
ospf
area 0.0.0.0
interface “ospf_interface”
no shutdown
exit
exit
exit
----------------------------------------------
*A:ALU-1>config>service#
Configuring RIP for VPRN
PE routers need to advertise reachability information for each CE that is attached to a VRF. RIP can be used to exchange reachability information between PE and CE routers by establishing adjacency with a CPE router that supports RIP. Via this adjacency, RIP learns the subnet or subnets for the customer site and will advertise any routes learned from other CEs. The routing table is updated to reflect the new information.
RIP can be used to distribute routes between PE and CE routers. When PE and CE routers are RIP peers, the CE router can use RIP to transmit to the PE router the set of address prefixes that are reachable via the CE router. When RIP is configured on the CE, care must be taken to ensure that address prefixes from other sites, that is, address prefixes learned by the CE router from the PE router, are never advertised to the PE. Specifically, if a PE router receives a VPN-IPv4 route and distributes it to a CE, that route must never be distributed from the CE site to, either the originating PE router, or any other PE router.
The parameters configured at the VPRN RIP global level are inherited by the group and neighbor levels. Parameters can be modified and overridden on a level-specific basis. The VPRN RIP command hierarchy consists of three levels:
Hierarchical VPRN RIP commands can be modified on different levels. The most specific value is used. A group-specific command takes precedence over a global command. A neighbor-specific command takes precedence over a global or group-specific command.
| Note: Careful planning is essential to implement commands that can affect the behavior of global, group, and neighbor levels. Because the RIP commands are hierarchical, analyze the values that can disable features on a particular level. |
To enable a VPRN RIP instance, the RIP protocol must be enabled in the config>service>vprn>rip context of the VPRN. VPRN RIP is administratively enabled upon creation. Configuring other RIP commands and parameters is optional.
The minimum RIP configuration for a VPRN instance must define:
one VPRN RIP peer group
one VPRN RIP neighbor peer
one VPRN RIP peer-AS associated with the neighbor peer
See VPRN Services Command Reference for the CLI syntax to configure VPRN RIP parameters.
The following example displays a VPRN RIP configuration:
*A:ALU-1>config>service# info
----------------------------------------------
...
vprn 1 customer 1 create
vrf-import "vrfImpPolCust1"
vrf-export "vrfExpPolCust1"
ecmp 8
autonomous-system 10000
route-distinguisher 10001:1
auto-bind ldp
vrf-target target:10001:1
interface "to-ce1" create
address 11.1.0.1/24
sap 1/1/10:1 create
ingress
qos 100
exit
egress
qos 1010
filter ip 6
exit
exit
exit
rip
export "vprnRipExpPolCust1"
group "cel"
neighbor "to-ce1"
exit
exit
exit
spoke-sdp 2 create
exit
no shutdown
exit
...
----------------------------------------------
For more information about the RIP protocol, refer to the 7705 SAR OS Routing Protocols Guide.
Configuring IGMP for VPRN
When using the ssm-translate command, the group range is not created until the source is specified.
The following example displays multicast IGMP parameters under a VPRN configuration:
*A:Sar18 Dut-B>config>service>vprn>igmp# info detail
----------------------------------------------
interface "mvpn_if"
no import
version 3
subnet-check
no max-groups
no max-grp-sources
no disable-router-alert-check
ssm-translate
grp-range 229.255.0.2 229.255.0.20
source 172.22.184.197
exit
exit
no shutdown
exit
query-interval 125
query-last-member-interval 1
query-response-interval 10
robust-count 2
no shutdown
----------------------------------------------
*A:Sar18 Dut-B>config>service>vprn>igmp#
Configuring PIM for VPRN
The following example displays a PIM configuration for VPRN.
A:ALU-1>config>service>vprn>pim# info detail
----------------------------------------------
no import join-policy
interface "vprn_if"
hello-interval 30
hello-multiplier 35
no tracking-support
no bfd-enable
no three-way-hello
priority 1
no sticky-dr
no max-groups
no assert-period
no instant-prune-echo
no shutdown
no ipv4-multicast-disable
exit
apply-to none
rp
no bootstrap-import
no bootstrap-export
exit
no non-dr-attract-traffic
no shutdown
no ipv4-multicast-disable
----------------------------------------------
A:ALU-1>config>service>vprn>pim#
Configuring MVPN for VPRN
For selective PMSI provider tunnels, mLDP must be configured prior to setting a maximum-p2mp-spmsi. Also, the data-threshold c-grp-ip-addr must be a valid multicast address.
The following example displays the MVPN parameters for VPRN configuration:
*A:ALU>config>service>vprn>mvpn# info detail
----------------------------------------------
auto-discovery default
c-mcast-signaling bgp
umh-selection highest-ip
mdt-type sender-receiver
provider-tunnel
inclusive
mldp
shutdown
exit
exit
selective
mldp
shutdown
exit
maximum-p2mp-spmsi 4
no data-delay-interval
data-threshold 228.0.0.0/6 10
exit
exit
vrf-target unicast
exit
----------------------------------------------
*A:ALU>config>service>vprn>mvpn#
The following example displays a VPRN service with MVPN. The MVPN in this example supports inclusive PMSI and selective PMSI. The data-threshold that forces a group C(S,G) to switch from I-PMSI to S-PMSI in this example is 1 kb/s.
vprn 1 customer 1 create
route-distinguisher 10.10.10.126:65000
auto-bind mpls
vrf-target target:65000:1
interface "TO-CE-SOURCE" create
address 2.2.2.100/31
sap 1/1/9:100 create
exit
exit
pim
interface "to-ce-source"
rp
exit
no shutdown
exit
mvpn
provider-tunnel
inclusive
mldp
no shutdown
exit
exit
selective
mldp
no shutdown
exit
data-threshold 224.0.0.0/7 1
exit
exit
vrf-target target:65000:1
exit
exit
ospf
area 0.0.0.0
interface "TO-CE-SOURCE"
interface-type point-to-point
no shutdown
exit
exit
exit
no shutdown
exit
Configuring a VPRN Interface
Interface names associate an IP address with the interface, and then associate the IP interface with a physical port. The logical interface can associate attributes such as an IP address, port, or Link Aggregation Group (LAG). There are no default interfaces.
| Note: The VPRN interface can be configured as a loopback interface by issuing the loopback command instead of the sap command. The loopback flag cannot be set on an interface where a SAP is already defined, and a SAP cannot be defined on a loopback interface.
|
When using mrinfo and mtrace in a Layer 3 VPN context, the configuration for the VPRN should have a loopback address configured that has the same address as the core VPRN instance's system address (that is, the BGP next hop).
See VPRN Services Command Reference for CLI commands and syntax.
The following example displays a VPRN interface configuration:
*A:ALU-1>config>service>vprn# info
----------------------------------------------
...
vprn 1 customer 1 create
vrf-import "vrfImpPolCust1"
vrf-export "vrfExpPolCust1"
autonomous-system 10000
route-distinguisher 10001:1
auto-bind ldp
vrf-target target:10001:1
interface "to-ce1" create
address 11.1.0.1/24
proxy-arp policy “proxyARPpolicy”
local proxy-arp
remote proxy-arp
exit
exit
static-route 6.5.0.0/24 next-hop 10.1.1.2
spoke-sdp 2 create
exit
no shutdown
exit
...
----------------------------------------------
*A:ALU-1>config>service#
Use the following CLI syntax to configure interface parameters for the VPRN service.
config>service# vprn service-id [customer customer-id] [create]
interface ip-int-name
address if-ip-address
allow-directed-broadcasts
arp-timeout
bfd transmit-interval [receive receive-interval] [multiplier multiplier] [type np]
description description-string
dhcp
description description-string
option
action {replace | drop | keep}
circuit-id [ascii-tuple | ifindex | sap-id | vlan-ascii-tuple]
remote-id [mac | string string]
vendor-specific-option
client-mac-address
sap-id
service-id
string text
system-id
server server1 [server2...(up to 8 max)]
no shutdown
trusted
icmp
mask-reply
ttl-expired [number seconds]
unreachables
ip-mtu octets
ipcp
dns ip-address [secondary ip-address]
dns secondary ip-address
peer-ip-address ip-address
l4-load-balancing {includeL4 | excludeL4}
local proxy-arp
loopback
mac ieee-address
proxy-arp-policy policy-name [policy-name...(up to 5 max)]
remote-proxy-arp
secondary {ip-address/mask | ip-address netmask} [broadcast all-ones | host-ones] [igp-inhibit]
no shutdown
static-arp ip-address ieee-mac-address
static-arp ieee-mac-address unnumbered
unnumbered {ip-int-name | ip-address}
no shutdown
A:ALU-41>config>service# vprn 4
A:ALU-41>config>service>vprn$ interface “vprn_interface”
A:ALU-41>config>service>vprn>if$ address 10.10.3.3/24
A:ALU-41>config>service>vprn>if$ dhcp option
A:ALU-41>config>service>vprn>if>dhcp>option$ circuit-id ifindex
A:ALU-41>config>service>vprn>if>dhcp>option$ exit
A:ALU-41>config>service>vprn>if$ ip-mtu 1524
The following example displays the VPRN interface creation output.
A:ALU-41>config>service>vprn>if# info detail
-------------------------------------------
...
no description
address 10.10.3.3/24 broadcast host-ones
no mac
arp-timeout 14400
no allow-directed-broadcasts
icmp
mask-reply
unreachables 100 10
ttl-expired 100 10
exit
dhcp
shutdown
no description
option
action keep
circuit-id ifindex
no remote-id
no vendor-specific-option
exit
no server
no trusted
exit
ip-mtu 1524
no bfd
ipcp
no peer-ip-address
no dns
exit
proxy-arp policy “proxyARPpolicy”
local proxy-arp
remote proxy-arp
no shutdown...
Configuring a VPRN IPv6 Interface
Use the following CLI syntax to create a VPRN IPv6 interface and to configure optional VPRN IPv6 interface parameters:
config>service
vprn service-id
interface ip-int-name
ipv6
address ipv6-address/prefix-length [eui-64] [preferred]
bfd transmit-interval [receive receive-interval] [multiplier multiplier]
dhcp6-relay
description description-string
option
interface-id
interface-id ascii-tuple
interface-id ifindex
interface-id sap-id
interface-id string
remote-id
server ipv6z-address...(upto 8 max)
shutdown
source-address ipv6-address
dhcp6-server
max-nbr-of-leases max-nbr-of-leases
prefix-delegation
prefix ipv6-address/prefix-length
duid duid [iaid iaid]
preferred-lifetime seconds
preferred-lifetime infinite
valid-lifetime seconds
valid-lifetime infinite
no shutdown
icmp6
packet-too-big number seconds
param-problem number seconds
time-exceeded number seconds
unreachables number seconds
link-local-address ipv6-address [preferred]
local-dhcp-server server-name [create]
neighbor ipv6-address mac-address
reachable-time seconds
stale-time seconds
(The example below shows only some of the CLI VPRN IPv6 interface commands).
config>service# vprn 20
config>service>vprn# interface “int1”
config>service>vprn>if>ipv6#
config>service>vprn>if>ipv6>address# fd00:1:1:1::/64
config>service>vprn>if>ipv6>icmp6# packet-too-big 100 10
config>service>vprn>if>ipv6>icmp6# param-problem 100 10
config>service>vprn>if>ipv6>icmp6# time-exceeded 100 10
config>service>vprn>if>ipv6>icmp6# unreachables 100 10
config>service>vprn>if>ipv6>icmp6# exit
config>service>vprn>if>ipv6>neighbor# FE80::203:FAFF:FE78:5 C88 00:16:4d:50:17:a3
config>service>vprn>if>ipv6>reachable-time# 30
config>service>vprn>if>ipv6>stale-time# 14400
config>service>vprn>if>ipv6># exit
config>service>vprn>if># exit
config>service>vprn# exit
The following example displays a VPRN IPv6 interface configuration:
A:ALU-B>config>service>vprn 20# info detail
----------------------------------------------
.....
ipv6
icmp6
packet-too-big 100 10
param-problem 100 10
time-exceeded 100 10
unreachables 100 10
exit
address fd00:1:1:1::/64
reachable-time 30
stale-time 14400
no dhcp6-relay
no local-dhcp-server
neighbor fe80::203:faff:fe78:5c88 00:16:4d:50:17:a3
no bfd
exit
.....
Configuring VPRN Interface Routed VPLS IPv6 Parameters
Use the following CLI syntax to configure VPRN interface routed VPLS IPv6 parameters:
config>service# vprn service-id [customer customer-id] [create]
interface ip-int-name
vpls service-name create
ingress
v6-routed-override-filter ipv6-filter-id
[no] shutdown
A:ALU-41>config>service# vprn 20
A:ALU-41>config>service>vprn$ interface “vprn20_interface”
A:ALU-41>config>service>vprn>if$ vpls 2/2/2:1 create
A:ALU-41>config>service>vprn>if>vpls$ ingress
A:ALU-41>config>service>vprn>if>vpls>ingress$ v6-routed-override-filter 44
A:ALU-41>config>service>vprn>if>vpls>ingress$ exit
A:ALU-41>config>service>vprn>if>vpls$ exit
A:ALU-41>config>service>vprn>if$ exit
Configuring VPRN Interface SAP Parameters
A SAP is a combination of a port and encapsulation parameters that identify the service access point on the interface and within the 7705 SAR. Each SAP must be unique within a router. A SAP cannot be defined if the loopback command is enabled on the interface.
When configuring VPRN interface SAP parameters, a default QoS policy is applied to each ingress and egress SAP. Additional QoS policies must be configured in the config>qos context. Filter policies are configured in the config>filter context and must be explicitly applied to a SAP. There are no default filter policies.
A VPRN interface SAP is supported on the following ports and adapter cards:
port in access mode with PPP or MLPPP encapsulation (by setting the port’s channel-group encap-type to be ipcp):
any T1/E1 ASAP port or bundle on a 16-port T1/E1 ASAP Adapter card or on a 32-port T1/E1 ASAP Adapter card on a 7705 SAR-8 or 7705 SAR-18:
fractional T1/E1
clear channel T1/E1
any T1/E1 ASAP port or bundle on a 7705 SAR-X, or on a 7705 SAR-M or 7705 SAR-A (variants with T1/E1 ports):
fractional T1/E1
clear channel T1/E1
port in access mode:
any Ethernet port (null, dot1q, or qinq) on:
an 8-port Ethernet Adapter card, version 1 or version 2, or an 8-port Gigabit Ethernet Adapter card on a 7705 SAR-8
a 6-port Ethernet 10Gbps Adapter card on a 7705 SAR-8 Shelf V2 with CSMv2
a 6-port Ethernet 10Gbps Adapter card, 8-port Ethernet Adapter card, version 2, or an 8-port Gigabit Ethernet Adapter card, or a 10-port 1GigE/1-port 10GigE X-Adapter card on a 7705 SAR-18
any Ethernet port (null, dot1q, or qinq) on a 7705 SAR-M (all variants), 7705 SAR-H, 7705 SAR-Hc, 7705 SAR-A (both variants), 7705 SAR-Ax, 7705 SAR-W, 7705 SAR-Wx (all variants), or 7705 SAR-X
DSL module ports (null, dot1q, or qinq) on a 7705 SAR-Wx
GPON module ports and DSL module ports (null or dot1q) when the module is installed in a 7705 SAR-M (variants with module slots)
| Note: The 10-port 1GigE/1-port 10GigE X-Adapter card supports qinq only on version 2 when it is in 10-port 1GigE mode.
The 6-port Ethernet 10Gbps Adapter card and the 7705 SAR-X support qinq only when the card is in access mode.
|
See VPRN Services Command Reference for CLI commands and syntax.
The following examples show the configuration of a VPRN interface SAP for:
an access port on a 16-port T1/E1 ASAP Adapter card
an MLPPP bundle on an access port on a 16-port T1/E1 ASAP Adapter card
*A:ALU-1>config>service# info
----------------------------------------------
...
vprn 1 customer 1 create
vrf-import "vrfImpPolCust1"
vrf-export "vrfExpPolCust1"
autonomous-system 10000
route-distinguisher 10001:1
auto-bind ldp
vrf-target target:10001:1
interface "to-ce1" create
address 11.1.0.1/24
sap 1/1/10:1 create
ingress
qos 100
filter ip 6
exit
egress
qos 1010
exit
exit
exit
static-route 6.5.0.0/24 next-hop 10.1.1.2
spoke-sdp 2 create
exit
no shutdown
exit
...
----------------------------------------------
*A:ALU-1>config>service#
*A:ALU-1>config>service>vprn# info
----------------------------------------------
description "Sasha's test VPRN for PPP SAPs"
route-distinguisher 65101:25
vrf-target target:65101:25
interface "int_to_ixia" create
address 210.177.253.1/24
sap 1/2/4:25 create
exit
exit
interface "to_ce2_ppp" create
address 11.25.1.1/30
bfd 100 receive 100 multiplier 3
ipcp
peer-ip-address 11.25.1.2
exit
sap 1/1/2.24 create
exit
exit
interface "to_ce2_mlppp" create
address 11.25.2.1/24
bfd 100 receive 100 multiplier 3
ipcp
peer-ip-address 11.25.2.11
dns 2.2.2.2 secondary 3.3.3.3
exit
sap bundle-ppp-1/1.1 create
exit
exit
interface "to_ce2_eth" create
address 11.25.3.1/24
sap 1/2/1:25 create
exit
exit
static-route 210.177.35.0/24 next-hop 210.177.253.100
static-route 210.177.36.0/24 next-hop 210.177.253.100
static-route 210.177.45.0/24 next-hop 11.25.1.2
static-route 210.177.46.0/24 next-hop 11.25.2.2
static-route 210.177.46.0/24 next-hop 11.25.3.2 disable
no shutdown
----------------------------------------------
*A:ALU-1>config>service>vprn#
Configuring VPRN Interface SAP IPv6 Parameters
Use the following CLI syntax to configure VPRN interface SAP IPv6 parameters:
config>service# vprn service-id [customer customer-id] [create]
interface ip-int-name
sap sap-id create
ingress
filter ipv6 ipv6-filter-id
[no] shutdown
A:ALU-41>config>service# vprn 20
A:ALU-41>config>service>vprn$ interface “vprn20_interface”
A:ALU-41>config>service>vprn>if$ sap 1/1/10:1 create
A:ALU-41>config>service>vprn>if>sap$ ingress
A:ALU-41>config>service>vprn>if>sap>ingress$ filter ipv6 78
A:ALU-41>config>service>vprn>if>sap>ingress$ exit
A:ALU-41>config>service>vprn>if>sap$ exit
Configuring VPRN Interface Spoke SDP Parameters
Use the following CLI syntax to configure VPRN interface spoke SDP parameters:
config>service# vprn service-id [customer customer-id] [create]
interface ip-int-name
spoke-sdp sdp-id:vc-id [create]
egress
vc-label egress-vc-label
ingress
filter ip ip-filter-id
vc-label ingress-vc-label
[no] shutdown
A:ALU-41>config>service# vprn 6
A:ALU-41>config>service>vprn$ interface “vprn6_interface”
A:ALU-41>config>service>vprn>if$ spoke-sdp 7:8 create
A:ALU-41>config>service>vprn>if>spoke-sdp$ ingress
A:ALU-41>config>service>vprn>if>spoke-sdp>ingress$ filter ip 78
A:ALU-41>config>service>vprn>if>spoke-sdp>ingress$ vc-label 7788
The following example displays the VPRN interface spoke SDP creation output.
A:ALU-41>config>service>vprn>if>spoke SDP# info detail
-------------------------------------------
...
no description
egress
no vc-label
ingress
filter ip 78
vc-label 7788
exit
no shutdown
Configuring VPRN Interface Spoke SDP IPv6 Parameters
Use the following CLI syntax to configure VPRN interface spoke SDP IPv6 parameters:
config>service# vprn service-id [customer customer-id] [create]
interface ip-int-name
spoke-sdp sdp-id:vc-id [create]
egress
filter ipv6 ipv6-filter-id
ingress
filter ipv6 ipv6-filter-id
[no] shutdown
A:ALU-41>config>service# vprn 10
A:ALU-41>config>service>vprn$ interface “vprn10_interface”
A:ALU-41>config>service>vprn>if$ spoke-sdp 8:9 create
A:ALU-41>config>service>vprn>if>spoke-sdp$ egress
A:ALU-41>config>service>vprn>if>spoke-sdp>egress$ filter ipv6 88
A:ALU-41>config>service>vprn>if>spoke-sdp>egress$ exit
A:ALU-41>config>service>vprn>if>spoke-sdp$ ingress
A:ALU-41>config>service>vprn>if>spoke-sdp>ingress$ filter ipv6 89
A:ALU-41>config>service>vprn>if>spoke-sdp>ingress$ exit
A:ALU-41>config>service>vprn>if>spoke-sdp$ exit
Configuring VRRP
Configuring VRRP policies and instances on service interfaces is optional. The basic owner and non-owner VRRP configurations on a VPRN interface must specify the backup ip-address parameter.
VRRP helps eliminate the single point of failure in a routed environment by using virtual router IP address(es) shared between two or more routers connecting the common domain. VRRP provides dynamic failover of the forwarding responsibility to the backup router if the master becomes unavailable.
The VRRP implementation allows one master per IP subnet. All other VRRP instances in the same domain must be in backup mode.
For further information about VRRP CLI syntax and command descriptions, see the VPRN Services Command Reference.
The following displays a VPRN interface VRRP owner configuration:
config>service>vprn> info
#----------------------------------------------
interface “vrrpowner”
address 10.10.10.23/24
vrrp 1 owner
backup 10.10.10.23
authentication-key "testabc”
exit
exit
#----------------------------------------------
config>service>vprn#
Configuring a Security Zone within a VPRN
To configure NAT or firewall security functionality, you must:
configure a NAT or firewall security profile and policy in the config>security context
in the config>security>profile context, specify the timeouts for the TCP/UDP/ICMP protocols and configure logging and application assurance parameters. This step is optional. If you do not configure the profile, a default profile is assigned.
in the config>security>policy context, configure a security policy, specify the match criteria and the action to be applied to a packet if a match is found.
configure a security zone and apply the policy ID to the zone, as shown in the CLI syntax below
config>service
vprn service-id [customer customer-id] [create]
abort
begin
commit
zone zone-id [create]
description description-string
interface ip-int-name [create]
name zone-name
nat
pool pool-id [create]
description description-string
direction {zone-outbound | zone-inbound | both}
entry entry-id [create]
ip-address ip-address [to ip-address] interface ip-int-name
port port [to port] interface ip-int-name
name pool-name
policy policy-id | policy-name
shutdown
The following example displays a NAT zone configuration output.
A:ALU-B>config>service>vprn# info
----------------------------------------------
configure
service vprn 1 create
zone 1 create
begin
name “VPRN zone”
description “uplink zone from private”
interface vprn-100-10.30.10.1
exit
nat
pool 1 create
description "pool 1"
direction zone-inbound
exit
entry 1 create
ip-addr interface vprn-100-10.30.10.1
exit
exit
exit
policy 1 nat pool 1
commit
exit
no-shutdown
----------------------------------------------
A:ALU-B>config>service>ies#
Configuring VPRN Router Advertisement
Use the following CLI syntax to enable VPRN router advertisement on all IPv6-enabled interfaces and to configure optional router advertisement parameters:
config>service
vprn service-id
router-advertisement
interface ip-int-name
current-hop-limit number
managed-configuration
max-advertisement-interval seconds
min-advertisement-interval seconds
mtu mtu-bytes
other-stateful-configuration
prefix ipv6-prefix/prefix-length
autonomous
on-link
preferred-lifetime {seconds | infinite}
valid-lifetime {seconds | infinite}
reachable-time milli-seconds
retransmit-time milli-seconds
router-lifetime seconds
no shutdown
config>service# vprn 1
config>service>vprn# router-advertisement
config>service>vprn>router-advert# interface “int1”
config>service>vprn>router-advert>if# prefix fd00:1:1:1::/64
config>router>router-advert>if>prefix# autonomous
config>router>router-advert>if>prefix# on-link
config>router>router-advert>if>prefix# preferred-lifetime 206800
config>router>router-advert>if>prefix# valid-lifetime 1502000
config>router>router-advert>if>prefix# exit
config>router>router-advert>if# exit
config>router>router-advert# exit
The following example displays a VPRN router advertisement configuration:
A:ALU-A>config>service# info detail
------------------------------------------
interface “n1”
prefix 3::/64
exit
no shutdown
------------------------------------------
A:ALU-A>config>router>router-advert# interface n1
A:ALU-A>config>router>router-advert>if# prefix fd00:1:1:1::/64
A:ALU-A>config>router>router-advert>if>prefix# into detail
------------------------------------------
autonomous
on-link
preferred-lifetime 604800
valid-lifetime 2592000
------------------------------------------
A:ALU-A>config>router>router-advert>if>prefix#