A customer wished to run a pseudowire, or Virtual Leased Line (VLL), service over IPSec, which in turn was to run over MPLS. This configuration note covers the basic requirements to set it up. The setup below uses static IPSec tunnels; a separate configuration note is available for creating dynamic tunnels between the 7705 and the 7750.
In this example the hardware consisted of a 7705 SAR, running Release 6.2R1, with a CSMv2 and an a8-1gb-v3-sfp MDA installed in a SAR-8v2 chassis. Any MDA supporting IPSec should be sufficient, as should any software release that supports IPSec and hybrid ports on the 7705 SAR. The 7750 SR, running Release 12.0R8, used standard Ethernet and control cards; an isa-ms provisioned as an isa-tunnel card terminated the IPSec tunnels.
Step 1 (VPLS over LSP Based SDP):
Note: All config snippets build on the previous config snippets.
A:SAR-8v2-138# configure
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
    router
        interface "loop"
            address 12.12.12.138/32
            loopback
        exit
        interface "system"
            address 10.10.10.138/32
        exit
        interface "to-180"
            address 10.138.180.0/31
            port 1/6/6
        exit
#--------------------------------------------------
echo "OSPFv2 Configuration"
#--------------------------------------------------
        ospf
            area 0.0.0.0
                interface "system"
                exit
                interface "to-180"
                    interface-type point-to-point
                exit
                interface "loop"
                    passive
                exit
            exit
        exit
#--------------------------------------------------
echo "MPLS Configuration"
#--------------------------------------------------
        mpls
            interface "system"
            exit
            interface "to-180"
            exit
            interface "loop"
            exit
        exit
#--------------------------------------------------
echo "RSVP Configuration"
#--------------------------------------------------
        rsvp
            interface "system"
            exit
            interface "to-180"
            exit
            interface "loop"
            exit
            no shutdown
        exit
#--------------------------------------------------
echo "MPLS LSP Configuration"
#--------------------------------------------------
        mpls
            path "loose"
                no shutdown
            exit
            lsp "test"
                to 12.12.12.180
                primary "loose"
                exit
                no shutdown
            exit
            no shutdown
        exit
#--------------------------------------------------
echo "LDP Configuration"
#--------------------------------------------------
        ldp
            targeted-session
                peer 12.12.12.180
                    local-lsr-id "loop"
                exit
            exit
        exit
    exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        customer 1 create
            description "Default customer"
        exit
        sdp 180 mpls create
            far-end 12.12.12.180
            lsp "test"
            keep-alive
                shutdown
            exit
            no shutdown
        exit
        vpls 200 customer 1 create
            spoke-sdp 180:200 create
            exit
            no shutdown
        exit
Step 2 (GRT Interface to VPLS Link):
Next we must create a link between a Global Routing Table (GRT) interface and the VPLS; this allows the IPSec session to be carried over the VPLS. On the 7705 this worked using a Routed VPLS with an IES, whereas on the 7750 it only worked when an external cable physically connected a SAP on the VPLS to the GRT interface. The example below covers the configuration required for the external cable solution. The ports used for the external physical connection should be configured for hybrid mode. Again, the 7705 SAR and 7750 SR configurations are very similar.
A:SAR-8v2-138# configure
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
    router
        interface "to-SR"
            address 10.180.138.1/30
            port 1/6/7:200
        exit
    exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        vpls 200 customer 1 create
            sap 1/6/8:200 create
            exit
Verify traffic passes through the VPLS:
*B:SR-7-180# ping 10.180.138.1
PING 10.180.138.1 56 data bytes
64 bytes from 10.180.138.1: icmp_seq=1 ttl=64 time=0.590ms.
64 bytes from 10.180.138.1: icmp_seq=2 ttl=64 time=0.570ms.
64 bytes from 10.180.138.1: icmp_seq=3 ttl=64 time=0.570ms.
64 bytes from 10.180.138.1: icmp_seq=4 ttl=64 time=0.596ms.
64 bytes from 10.180.138.1: icmp_seq=5 ttl=64 time=0.599ms.
---- 10.180.138.1 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 0.570ms, avg = 0.585ms, max = 0.599ms, stddev = 0.012ms
Step 3 (IPSec Tunnel):
A series of static routes is now needed so that the IPSec interfaces can reach each other over the previously configured GRT interface. From there, IPSec can be configured between the 7705 SAR and the 7750 SR. Since the 7750 SR supports IKE versions 1 and 2 while the 7705 SAR supports only IKE version 2, ike-version 2 must be configured explicitly on the 7750 SR. For more details on the basic IPSec configuration below, consult the 7705 SAR IPSec Configuration Note. Also keep in mind that only one side should have auto-establish configured.
A:SAR-8v2-138# configure
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
    router
#--------------------------------------------------
echo "Static Route Configuration"
#--------------------------------------------------
        static-route 11.180.138.0/24 next-hop 10.180.138.2
    exit
#--------------------------------------------------
echo "IPsec Configuration"
#--------------------------------------------------
    ipsec
        ike-policy 1 create
            ike-version 2        # 7750 SR only, not available on 7705 SAR
        exit
        ipsec-transform 1 create
        exit
    exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        ies 202 customer 1 create
            interface "public-to-SR" create
            exit
        exit
        vprn 203 customer 1 create
            interface "private-ipsec" tunnel create
            exit
            interface "to-GRE" create
            exit
        exit
        ies 202 customer 1 create
            interface "public-to-SR" create
                address 11.138.180.5/24
                sap tunnel-1.public:2 create
                exit
            exit
            no shutdown
        exit
        vprn 203 customer 1 create
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-ip any
                        remote-ip any
                    exit
                exit
            exit
            autonomous-system 65100
            route-distinguisher 65100:100
            vrf-target target:65100:100
            interface "private-ipsec" tunnel create
                sap tunnel-1.private:2 create
                    ipsec-tunnel "toSR" create
                        security-policy 1
                        local-gateway-address 11.138.180.6 peer 11.180.138.6 delivery-service 202
                        dynamic-keying
                            ike-policy 1
                            pre-shared-key "alcatel"
                            auto-establish        # only one side
                            transform 1
                        exit
                        no shutdown
                    exit
                exit
            exit
            no shutdown
Step 4 (GRE SDP via the IPSec VPRN):
An interface must now be added to the GRT on the same subnet as an interface in the IPSec VPRN; the external physical connection from Step 2 can be re-used with a different VLAN. Static routes are needed in the base routing context so that the remote system IP address is reachable via the IPSec VPRN, and within the IPSec VPRN so that the remote and local system interfaces are reachable via the appropriate interfaces. In the base routing context the remote system IP is available both via OSPF and via the static route; the static route pointing towards the VPRN takes precedence.
A:SAR-8v2-138# configure
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
    router
        interface "GRE"
            address 138.0.0.1/24
            port 1/6/7:100
        exit
#--------------------------------------------------
echo "Static Route Configuration"
#--------------------------------------------------
        static-route 10.10.10.180/32 next-hop 138.0.0.2
        static-route 180.0.0.0/24 next-hop 138.0.0.2
    exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        customer 1 create
            description "Default customer"
        exit
        sdp 1802 gre create
            far-end 10.10.10.180
            no shutdown
        exit
        vprn 203 customer 1 create
            interface "to-GRE" create
                address 138.0.0.2/24
                sap 1/6/8:100 create
                exit
            exit
            static-route 10.10.10.138/32 next-hop 138.0.0.1
            static-route 10.10.10.180/32 ipsec-tunnel "toSR"
            static-route 180.0.0.0/24 ipsec-tunnel "toSR"
            no shutdown
        exit
Verify that the remote system IP is reachable via the IPSec VPRN:
A:SAR-8v2-138# traceroute 10.10.10.180 no-dns
traceroute to 10.10.10.180, 30 hops max, 40 byte packets
1 138.0.0.2 3.86 ms 11.0 ms 7.33 ms (Local IPSec VPRN Interface)
2 180.0.0.2 1.59 ms 1.49 ms 1.62 ms (Remote IPSec VPRN Interface)
3 10.10.10.180 1.43 ms 1.41 ms 1.37 ms (Remote System IP Address)
A:SAR-8v2-138#
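The traceroute above confirms by hand what keeps the pseudowire inside the tunnel: the base-context static route for the remote system IP hands traffic into the IPSec VPRN, and the VPRN's own static routes send it over the ipsec-tunnel. If the base static route were missing, the remote system IP would still be reachable via OSPF over the LSP, but the GRE SDP would then run in the clear. The script below is an added example, not part of this note and not Nokia software: it parses indented SR OS style configuration text (a sample constructed from the snippets in this note), records interface addresses and static routes per routing context, and checks that every next-hop is on a connected subnet of its context, that every ipsec-tunnel route names a tunnel defined in that VPRN, and that the base route for the remote system IP enters the VPRN that owns the tunnel. The function names and the simplified parsing rules are the example's own assumptions.

```python
"""Added example (not Nokia code): check the routing hand-offs in this note.
Parses indented SR OS style CLI into per-context interface addresses and static
routes, then verifies the remote system IP is steered into the IPsec VPRN rather
than following OSPF over the LSP in the clear.  SAMPLE_CONFIG is constructed
from this note's snippets (echo lines and unrelated leaves omitted)."""
import ipaddress
import shlex

SAMPLE_CONFIG = """\
router
    interface "to-SR"
        address 10.180.138.1/30
    exit
    interface "GRE"
        address 138.0.0.1/24
    exit
    static-route 11.180.138.0/24 next-hop 10.180.138.2
    static-route 10.10.10.180/32 next-hop 138.0.0.2
    static-route 180.0.0.0/24 next-hop 138.0.0.2
exit
service
    vprn 203 customer 1 create
        interface "private-ipsec" tunnel create
            sap tunnel-1.private:2 create
                ipsec-tunnel "toSR" create
                exit
            exit
        exit
        interface "to-GRE" create
            address 138.0.0.2/24
        exit
        static-route 10.10.10.138/32 next-hop 138.0.0.1
        static-route 10.10.10.180/32 ipsec-tunnel "toSR"
        static-route 180.0.0.0/24 ipsec-tunnel "toSR"
    exit
exit
"""
# Constructed failure case: the base route into the VPRN is left out.
MISSING_STEERING = SAMPLE_CONFIG.replace("    static-route 10.10.10.180/32 next-hop 138.0.0.2\n", "")

def context_of(stack):
    """Routing context of the open blocks: 'vprn N', 'ies N' or 'base'."""
    for _, tokens in stack:
        if tokens[0] in ("vprn", "ies"):
            return f"{tokens[0]} {tokens[1]}"
    return "base"

def parse(text):
    """Return ({ctx: {ifname: IPv4Interface}}, [(ctx, prefix, kind, target)], {ctx: {tunnels}})."""
    interfaces, routes, tunnels = {}, [], {}
    stack = []  # (indent, tokens) of every block still open
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        tokens = shlex.split(raw)
        while stack and stack[-1][0] >= indent:  # back out of deeper blocks
            stack.pop()
        if tokens[0] == "exit":
            continue
        ctx = context_of(stack)
        if tokens[0] == "address" and stack and stack[-1][1][0] == "interface":
            interfaces.setdefault(ctx, {})[stack[-1][1][1]] = ipaddress.ip_interface(tokens[1])
        elif tokens[0] == "static-route":  # kind is 'next-hop' or 'ipsec-tunnel'
            routes.append((ctx, ipaddress.ip_network(tokens[1]), tokens[2], tokens[3]))
        elif tokens[0] == "ipsec-tunnel":
            tunnels.setdefault(ctx, set()).add(tokens[1])
        stack.append((indent, tokens))
    return interfaces, routes, tunnels

def connected_interface(interfaces, ctx, addr):
    """Name of the interface in ctx whose subnet holds addr (not its own address), or None."""
    for name, iface in interfaces.get(ctx, {}).items():
        if iface.network.prefixlen < 32 and addr in iface.network and addr != iface.ip:
            return name
    return None

def check_routes(interfaces, routes, tunnels):
    """Every next-hop must be on-link in its context; tunnel routes must name a defined tunnel."""
    findings = []
    for ctx, prefix, kind, target in routes:
        if kind == "next-hop" and connected_interface(interfaces, ctx, ipaddress.ip_address(target)) is None:
            findings.append(f"{ctx}: {prefix} next-hop {target} is not on a connected subnet")
        elif kind == "ipsec-tunnel" and target not in tunnels.get(ctx, set()):
            findings.append(f"{ctx}: {prefix} names undefined ipsec-tunnel {target!r}")
    return findings

def check_tunnel_steering(interfaces, routes, tunnels, remote_system):
    """None if the base route for remote_system enters a VPRN that forwards it over an ipsec-tunnel, else the gap."""
    remote = ipaddress.ip_network(remote_system)
    base = [r for r in routes if r[0] == "base" and r[1] == remote and r[2] == "next-hop"]
    if not base:
        return f"no base static-route for {remote}: traffic follows OSPF over the LSP unencrypted"
    nh = ipaddress.ip_address(base[0][3])
    owner = next((c for c, ifs in interfaces.items() if any(i.ip == nh for i in ifs.values())), None)
    if owner is None or owner not in tunnels:
        return f"base next-hop {nh} for {remote} is not an interface of an IPsec VPRN"
    if not any(r[0] == owner and r[1] == remote and r[2] == "ipsec-tunnel" for r in routes):
        return f"{owner} has no ipsec-tunnel route for {remote}"
    return None
```

To run it against the configuration of this note, call parse(SAMPLE_CONFIG), pass the result to check_routes (which returns an empty list here) and to check_tunnel_steering with "10.10.10.180/32" (which returns None when the hand-off is intact). The same calls on MISSING_STEERING report that the remote system IP has no base static route and would follow OSPF. The on-link check deliberately ignores /32 interfaces such as "system", since a next-hop can never be reached through a host route; to audit a live box, paste the output of admin display-config in place of SAMPLE_CONFIG.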
Step 5 (VLL over the GRE SDP):
Configuration of a VLL to use the GRE SDP is at this point identical to that of any other distributed service.
A:SAR-8v2-138# configure
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
    service
        epipe 204 customer 1 create
            sap 1/6/5 create
            exit
            spoke-sdp 1802:204 create
            exit
            no shutdown
        exit
    exit