7705 SAR 
R6.2 Configuration Note

VLL Over IPSec Over VPLS Over LSP Based SDP
Configuration Note
Last Updated: 2015-04-2
Version 1.0

Introduction:

 

The customer wants to run a Pseudowire, or Virtual Leased Line (VLL), service over IPSec, which in turn runs over MPLS. This configuration note covers the basic requirements to set it up. The setup below is for static IPSec tunnels; a separate Configuration Note is available for creating dynamic tunnels between the 7705 and 7750.

 

In this example the hardware consisted of a 7705 SAR, running Release 6.2R1, employing a CSMv2 and a8-1gb-v3-sfp MDA installed in a SAR-8v2 chassis. Any MDA that supports IPSec, and any software that supports IPSec and Hybrid ports on the 7705 SAR, should be sufficient. The 7750 SR, running Release 12.0R8, used standard cards for Ethernet and Control. An isa-ms provisioned as an isa-tunnel card was used to terminate the IPSec tunnels.

 

Step 1 : VPLS over LSP Based SDP

 

 

The initial setup requires OSPF, MPLS and RSVP to be set up between the two nodes. A loopback interface must be created on each node and inserted into OSPF as a passive interface. This loopback must be used as the destination for the LSP and SDP. The corresponding remote loopback must also be configured under the “router ldp targeted-session” context with a local-lsr-id of the loopback interface name. Once this is completed, a VPLS can be created and distributed over the SDP using the LSP created. At this point the setup for the 7705 SAR and 7750 SR is very similar, differing only in the IP addresses. This Configuration Note does not cover the basics of setting up the system and ports.

 

Note: Each config snippet builds on the previous config snippets.

 

A:SAR-8v2-138# configure

#--------------------------------------------------

echo "Router (Network Side) Configuration"

#--------------------------------------------------

    router

        interface "loop"

            address 12.12.12.138/32

            loopback

        exit

        interface "system"

            address 10.10.10.138/32

        exit

        interface "to-180"

            address 10.138.180.0/31

            port 1/6/6

        exit

#--------------------------------------------------

echo "OSPFv2 Configuration"

#--------------------------------------------------

        ospf

            area 0.0.0.0

                interface "system"

                exit

                interface "to-180"

                    interface-type point-to-point

                exit

                interface "loop"

                    passive

                exit

            exit

        exit

#--------------------------------------------------

echo "MPLS Configuration"

#--------------------------------------------------

        mpls

            interface "system"

            exit

            interface "to-180"

            exit

            interface "loop"

            exit

        exit

#--------------------------------------------------

echo "RSVP Configuration"

#--------------------------------------------------

        rsvp

            interface "system"

            exit

            interface "to-180"

            exit

            interface "loop"

            exit

            no shutdown

        exit

#--------------------------------------------------

echo "MPLS LSP Configuration"

#--------------------------------------------------

        mpls

            path "loose"

                no shutdown

            exit

            lsp "test"

                to 12.12.12.180

                primary "loose"

                exit

                no shutdown

            exit

            no shutdown

        exit

#--------------------------------------------------

echo "LDP Configuration"

#--------------------------------------------------

        ldp

            targeted-session

                peer 12.12.12.180

                    local-lsr-id "loop"

                exit

            exit

        exit

    exit

#--------------------------------------------------

echo "Service Configuration"

#--------------------------------------------------

    service

        customer 1 create

            description "Default customer"

        exit

        sdp 180 mpls create

            far-end 12.12.12.180

            lsp "test"

            keep-alive

                shutdown

            exit

            no shutdown

        exit

        vpls 200 customer 1 create

            spoke-sdp 180:200 create

            exit

            no shutdown

        exit

 

 

Step 2 : GRT over VPLS

 

Next we must create a link between a Global Routing Table (GRT) interface and the VPLS; this allows the IPSec session to be passed over the VPLS. The 7705 permitted this to work using a Router VPLS and IES, whereas the 7750 only worked when an external cable was used to physically connect a SAP on the VPLS to the GRT Interface. The example below focuses on the configuration required for the external cable solution. The ports used for the external physical connection should be configured for hybrid mode. Again, the 7705 SAR and 7750 SR configurations are very similar.

 

A:SAR-8v2-138# configure

#--------------------------------------------------

echo "Router (Network Side) Configuration"

#--------------------------------------------------

    router

        interface "to-SR"

            address 10.180.138.1/30

            port 1/6/7:200

        exit

    exit

#--------------------------------------------------

echo "Service Configuration"

#--------------------------------------------------

    service

        vpls 200 customer 1 create

            sap 1/6/8:200 create

            exit

           

Verify traffic passes through the VPLS:

 

*B:SR-7-180# ping 10.180.138.1

PING 10.180.138.1 56 data bytes

64 bytes from 10.180.138.1: icmp_seq=1 ttl=64 time=0.590ms.

64 bytes from 10.180.138.1: icmp_seq=2 ttl=64 time=0.570ms.

64 bytes from 10.180.138.1: icmp_seq=3 ttl=64 time=0.570ms.

64 bytes from 10.180.138.1: icmp_seq=4 ttl=64 time=0.596ms.

64 bytes from 10.180.138.1: icmp_seq=5 ttl=64 time=0.599ms.

---- 10.180.138.1 PING Statistics ----

5 packets transmitted, 5 packets received, 0.00% packet loss

round-trip min = 0.570ms, avg = 0.585ms, max = 0.599ms, stddev = 0.012ms

Step 3 : IPSec

 

A series of static routes are now needed to allow the IPSec interfaces to reach each other over the previously configured GRT Interface. From there IPSec can be configured between the 7705 SAR and 7750 SR. Since the 7750 SR supports ike-version 1 and 2, while the 7705 SAR only supports ike-version 2, we must specifically configure the ike-version on the 7750 SR. For more details on the basic IPSec configuration below please consult the 7705 SAR IPSec Configuration Note. Also keep in mind that only one side should have auto-establish configured.

 

A:SAR-8v2-138# configure

#--------------------------------------------------

echo "Router (Network Side) Configuration"

#--------------------------------------------------

    router

#--------------------------------------------------

echo "Static Route Configuration"

#--------------------------------------------------

        static-route 11.180.138.0/24 next-hop 10.180.138.2

    exit

#--------------------------------------------------

echo "IPsec Configuration"

#--------------------------------------------------

    ipsec

        ike-policy 1 create

            # 7750 SR only, not available on 7705 SAR:

            ike-version 2

        exit

        ipsec-transform 1 create

        exit

    exit

#--------------------------------------------------

echo "Service Configuration"

#--------------------------------------------------

    service

        ies 202 customer 1 create

            interface "public-to-SR" create

            exit

        exit

        vprn 203 customer 1 create

            interface "private-ipsec" tunnel create

            exit

            interface "to-GRE" create

            exit

        exit

        ies 202 customer 1 create

            interface "public-to-SR" create

                address 11.138.180.5/24

                sap tunnel-1.public:2 create

                exit

            exit

            no shutdown

        exit

        vprn 203 customer 1 create

            ipsec

                security-policy 1 create

                    entry 1 create

                        local-ip any

                        remote-ip any

                    exit

                exit

            exit

            autonomous-system 65100

            route-distinguisher 65100:100

            vrf-target target:65100:100

            interface "private-ipsec" tunnel create

                sap tunnel-1.private:2 create

                    ipsec-tunnel "toSR" create

                        security-policy 1

                        local-gateway-address 11.138.180.6 peer 11.180.138.6 delivery-service 202

                        dynamic-keying

                            ike-policy 1

                            pre-shared-key "alcatel"

                            # Only one side:

                            auto-establish

                            transform 1

                        exit

                        no shutdown

                    exit

                exit

            exit

            no shutdown
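
The Step 3 rules (mirrored gateway addresses, a common ike-version, a shared key, auto-establish on one side only) can be checked before the tunnel is brought up. The following is an added example, not part of the original note: the function names are hypothetical, the 7750 SR stanza and its tunnel name "toSAR" are constructed as a mirror of the 7705 SAR one, and the 7750 SR is assumed to fall back to ike-version 1 when none is configured.

```python
import re

# Constructed sample input. The SAR stanza follows this note; the SR stanza
# is an assumed mirror image of it and does not come from the note.
SAR_CFG = """
ipsec-tunnel "toSR" create
    local-gateway-address 11.138.180.6 peer 11.180.138.6 delivery-service 202
    dynamic-keying
        pre-shared-key "alcatel"
        auto-establish
    exit
exit
"""
SR_CFG = """
ike-policy 1 create
    ike-version 2
exit
ipsec-tunnel "toSAR" create
    local-gateway-address 11.180.138.6 peer 11.138.180.6 delivery-service 202
    dynamic-keying
        pre-shared-key "alcatel"
    exit
exit
"""

def parse(cfg, default_ike):
    """Pull out the settings that must agree; default_ike applies when no ike-version line exists."""
    gw = re.search(r"local-gateway-address (\S+) peer (\S+)", cfg)
    ike = re.search(r"^\s*ike-version (\d+)", cfg, re.M)
    return {
        "local": gw.group(1), "peer": gw.group(2),
        "ike": int(ike.group(1)) if ike else default_ike,
        "psk": re.search(r'pre-shared-key "([^"]*)"', cfg).group(1),
        "auto": bool(re.search(r"^\s*auto-establish\b", cfg, re.M)),
    }

def check_pair(a, b):
    """Return the Step 3 rules that the two parsed tunnel ends violate."""
    problems = []
    if (a["local"], a["peer"]) != (b["peer"], b["local"]):
        problems.append("gateway/peer addresses are not mirrored")
    if a["ike"] != b["ike"]:
        problems.append("ike-version differs")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared-key differs")
    if a["auto"] and b["auto"]:
        problems.append("auto-establish is set on both sides")
    return problems
```

Calling `check_pair(parse(SAR_CFG, 2), parse(SR_CFG, 1))` returns an empty list for the pair above; removing the explicit `ike-version 2` from the SR side makes it report the version mismatch.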

 


 

 

Step 4 : GRE SDP over IPSec

 

 

An interface must now be inserted into the GRT that has the same subnet as an interface under the IPSec VPRN; the external physical connection from Step 2 can be re-used with a different VLAN. A series of static routes is also needed to ensure that the remote system IP address is reachable in the base routing context via the IPSec VPRN, and static routes are required within the IPSec VPRN to ensure that the remote and local system interfaces are reachable via the appropriate interfaces. In the base routing context the remote system IP will be available via both OSPF and a static route; however, the static route, which points towards the VPRN, will have precedence.

 

A:SAR-8v2-138# configure

#--------------------------------------------------

echo "Router (Network Side) Configuration"

#--------------------------------------------------

    router

        interface "GRE"

            address 138.0.0.1/24

            port 1/6/7:100

        exit

#--------------------------------------------------

echo "Static Route Configuration"

#--------------------------------------------------

        static-route 10.10.10.180/32 next-hop 138.0.0.2

        static-route 180.0.0.0/24 next-hop 138.0.0.2

    exit

#--------------------------------------------------

echo "Service Configuration"

#--------------------------------------------------

    service

        customer 1 create

            description "Default customer"

        exit

        sdp 1802 gre create

            far-end 10.10.10.180

            no shutdown

        exit

        vprn 203 customer 1 create

            interface "to-GRE" create

                address 138.0.0.2/24

                sap 1/6/8:100 create

                exit

            exit

            static-route 10.10.10.138/32 next-hop 138.0.0.1

            static-route 10.10.10.180/32 ipsec-tunnel "toSR"

            static-route 180.0.0.0/24 ipsec-tunnel "toSR"

            no shutdown

        exit

 

Verify that the remote system IP is reachable via the IPSec VPRN:

 

A:SAR-8v2-138# traceroute 10.10.10.180 no-dns

traceroute to 10.10.10.180, 30 hops max, 40 byte packets

  1  138.0.0.2    3.86 ms  11.0 ms  7.33 ms       (Local IPSec VPRN Interface)

  2  180.0.0.2    1.59 ms  1.49 ms  1.62 ms       (Remote IPSec VPRN Interface)

  3  10.10.10.180    1.43 ms  1.41 ms  1.37 ms    (Remote System IP Address)

A:SAR-8v2-138#
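
Because the remote system IP is also learned through OSPF, the traceroute above is what confirms that the GRE SDP far-end is reached through the IPSec VPRN rather than directly over the MPLS core. The following is an added example, not part of the original note, that automates that check; the function names are hypothetical, the first sample is the output shown above without the annotations, and the second sample is constructed to represent the OSPF path.

```python
import re

# Traceroute output from the verification step in this note (annotations removed).
VIA_TUNNEL = """\
traceroute to 10.10.10.180, 30 hops max, 40 byte packets
  1  138.0.0.2    3.86 ms  11.0 ms  7.33 ms
  2  180.0.0.2    1.59 ms  1.49 ms  1.62 ms
  3  10.10.10.180    1.43 ms  1.41 ms  1.37 ms
"""

# Constructed sample: a single-hop path such as the OSPF-learned route would
# give if the static route towards the VPRN were missing.
VIA_OSPF = """\
traceroute to 10.10.10.180, 30 hops max, 40 byte packets
  1  10.10.10.180    0.61 ms  0.58 ms  0.59 ms
"""

def hops(output):
    """Return the responding address of each hop, in order."""
    return re.findall(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)\s", output, re.M)

def rides_ipsec(output, local_vprn_if, remote_vprn_if, target):
    """True only if the path enters the local IPSec VPRN interface,
    passes the remote IPSec VPRN interface, and ends at the target."""
    path = hops(output)
    if not path or path[-1] != target:
        return False
    return path[0] == local_vprn_if and remote_vprn_if in path[1:-1]

if __name__ == "__main__":
    for name, out in (("via tunnel", VIA_TUNNEL), ("via OSPF", VIA_OSPF)):
        ok = rides_ipsec(out, "138.0.0.2", "180.0.0.2", "10.10.10.180")
        print(f"{name}: {'protected by IPSec VPRN' if ok else 'NOT via IPSec VPRN'}")
```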

 

Step 5 : Epipe over GRE SDP

 

Configuration of a VLL to use the GRE SDP is identical to that of any other distributed service at this point.

 

A:SAR-8v2-138# configure

#--------------------------------------------------

echo "Service Configuration"

#--------------------------------------------------

    service

        epipe 204 customer 1 create

            sap 1/6/5 create

            exit

            spoke-sdp 1802:204 create

            exit

            no shutdown

        exit

    exit