VPNs Configuration Guide
76.8600-50128F 12.11.2014
Document Information
Revision History

Document No.: 76.8600-50128F
Date: 12.11.2014
Description of Changes:
• New chapter 2.5 Limitations and Restrictions for VPN.
• Enhancements to the CLI examples layout.
• 8600 Discontinued Products table removed and replaced by chapter 8600 Smart Routers Discontinued Products.

Document No.: 76.8600-50128E
Date: 24.04.2013
Description of Changes:
• Information on layer 2 VPNs updated in chapter 1 Virtual Private Networks.
• 8600 Discontinued Products table added.
• Fig 4 updated.
• First paragraph of 2.2.1 Label Switched Paths (LSP) updated.
• Typographical corrections in 2.2.2 Route Distribution Among PE Routers and in Fig 8 and Fig 10.

Document No.: 76.8600-50128D
Date: 31.08.2012
Description of Changes:
• New 8600 brand: 8600 managed edge system and 8600 network elements changed to 8600 smart routers.
• CLI examples layout change from table format to step list.
© 2014 Coriant. All rights reserved.
This manual is protected by U.S. and international copyright laws, conventions and treaties. Your right to use this manual is subject to limitations and restrictions imposed by applicable licenses and copyright laws. Unauthorized reproduction, modification, distribution, display or other use of this manual may result in criminal and civil penalties.
The specifications and information regarding the products in this manual are subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users must take full responsibility for their application of any products.
Adobe ® Reader ® are registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Terms and Abbreviations
eBGP      External Border Gateway Protocol
iBGP      Internal Border Gateway Protocol
ICMP      Internet Control Message Protocol
IGP       Interior Gateway Protocol
ILM       Incoming Label Map (for MPLS)
IP        Internet Protocol
LAN       Local Area Network
LDP       Label Distribution Protocol
LSP       Label Switched Path
LSR       Label Switch Router. A network element along a path of an MPLS LSP switching traffic on the basis of labels.
MP-BGP    Multiprotocol Border Gateway Protocol
MPLS      Multiprotocol Label Switching
NE        Network Element. Any traffic forwarding network building block part of the 8600 system. In 8000 Intelligent Network Manager also referred to as node.
NLRI      Network Layer Reachability Information
NMS       Network Management System
N-PE      Network Facing PE
OSPF-TE   Open Shortest Path First - Traffic Engineering
P-a       An access network element controlled by the service provider. Operates only in LSR mode (VPN unaware). It can be an 8600 element.
SP        Service Provider
TCP       Transmission Control Protocol
UDP       User Datagram Protocol
U-PE      User Facing PE
VCI       Virtual Channel Identifier
VPI       Virtual Path Identifier
VPLS      Virtual Private LAN Service
VPN       Virtual Private Network
VPWS      Virtual Private Wire Service
VRF       VPN Routing and Forwarding (RFC4364)
Table of Contents
About This Manual
Objectives
Audience
8600 Smart Routers Technical Documentation
Interface Numbering Conventions
Document Conventions
Documentation Feedback
8600 Smart Routers Discontinued Products
1 Virtual Private Networks
1.1 Layer 2 PPVPN Technologies
1.2 Layer 3 PPVPN Technologies
2 Layer 3 VPN
2.1 Overview
2.2 Route Distribution in Layer 3 VPN
2.2.1 Label Switched Paths (LSP)
2.2.2 Route Distribution Among PE Routers
2.2.3 Route Distribution Between U-PE and N-PE
2.2.4 Route Distribution Between CE and PE Router
2.3 Forwarding in Layer 3 VPN
2.3.1 Traffic Flow from CE Device
2.3.2 Traffic Flow over Core Network
2.3.3 Traffic Flow Between U-PE and N-PE
2.4 VPN Topologies
2.4.1 Full Mesh VPN
2.4.2 Hub-and-Spoke VPN
2.4.3 Overlapping VPN
2.4.4 Management VPN
2.5 Limitations and Restrictions for VPN
2.6 References
3 Virtual Private Network Configuration Examples
3.1 Full Mesh Layer 3 VPN
3.1.1 U-PE Basic Configuration (Full Mesh)
3.1.2 U-PE Customer Side Configuration (Full Mesh)
3.1.3 U-PE Network Side Configuration (Full Mesh)
3.1.4 N-PE Configuration (Full Mesh)
3.2 Hub-and-Spoke Layer 3 VPN
3.2.1 U-PE Basic Configuration (Hub-and-Spoke)
3.2.2 U-PE Customer Side Configuration (Hub-and-Spoke)
3.2.3 U-PE Network Side Configuration (Hub-and-Spoke)
3.2.4 N-PE Configuration (Hub-and-Spoke)
3.3 Overlapping Layer 3 VPN
About This Manual
This chapter discusses the objectives and intended audience of this manual, 8600 Smart Routers VPNs Configuration Guide, and consists of the following sections:
Audience
This manual is designed for administration personnel for configuring 8600 smart routers functions with CLI. On the other hand, 8000 intelligent network manager provides access to equal functionality for administration personnel with a graphical user interface.
It is assumed that you have a basic understanding of Ethernet, POS, IP, MPLS, VPN and Differentiated Services concepts. This manual also assumes that you are familiar with the following protocols:
8600 Smart Routers Technical Documentation
The document numbering scheme consists of the document ID, indicated by numbers, and the document revision, indicated by a letter. The references in the Related Documentation table below are generic and include only the document ID. To make sure the references point to the latest available document versions, please refer to the relevant product document program on the Tellabs and Coriant Portal by navigating to www.portal.tellabs.com > Product Documentation & Software > Data Networking > 8600 Smart Routers > Technical Documentation.
Note that the table below reflects the customer document content for SR6.0 SP1 GA.

Document Title: 8600 Smart Routers ATM and TDM Configuration Guide (76.8600-50110)
Description: Provides an overview of 8600 system PWE3 applications, including types, Single-Segment and Multi-Segment; PWE3 Redundancy; ATM applications, including PWE3 tunnelling, Traffic Management, Fault Management OAM, protection and TDM applications as well as instructions on how to configure them with CLI.

Document Title: 8600 Smart Routers Boot and Mini-Applications Embedded Software Release Notes (76.8600-50108)
Description: Provides information related to the boot and mini-applications software of 8605 Smart Router, 8607 Smart Router, 8609 Smart Router, 8611 Smart Router, 8620 Smart Router, 8630 Smart Router and 8660 Smart Router as well as the installation instructions.

Document Title: 8600 Smart Routers CLI Commands Manual (76.8600-50117)
Description: Provides commands available to configure, monitor and maintain 8600 system with CLI.

Document Title: 8600 Smart Routers Embedded Software Release Notes
Description: Consists of the embedded software release notes of the 8600 NEs.
• 8600 Smart Routers SR6.0 Embedded Software Release Notes (76.8660-50169) for the following:

Description: Provides an overview of 8600 system HW inventory, software management, equipment protection 1+1 (CDC and SCM) as well as instructions on how to configure them with CLI.

Document Title: 8600 Smart Routers Ethernet Configuration Guide (76.8600-50133)
Description: Provides an overview of 8600 system Ethernet applications, including interfaces; Ethernet forwarding (MAC Switching, Ethernet PWE3, IRB, VLAN, VPLS); Ethernet OAM; LAG; ELP as well as instructions on how to configure them with CLI.

Document Title: 8600 Smart Routers Fault Management Configuration Guide (76.8600-50115)
Description: Provides an overview of 8600 system fault management, including fault source, types and status as well as instructions on how to configure it with CLI.

Document Title: 8600 Smart Routers Frame Relay Configuration Guide (76.8600-50120)
Description: Provides an overview of 8600 system Frame Relay applications, including interfaces; Performance Monitoring; protection; Traffic Management as well as instructions on how to configure them with CLI.

Document Title: 8600 Smart Routers Hardware Installation Guide (76.8600-40039)
Description: Provides guidance on mechanical installation, cooling, grounding, powering, cabling, maintenance, commissioning and ESW downloading.

Document Title: 8600 Smart Routers Hardware Release Notes (76.8600-40027)
Description: Consists of the hardware release notes of the network element components in 8605 Smart Router, 8607 Smart Router, 8609 Smart Router, 8611 Smart Router, 8615 Smart Router, 8620 Smart Router, 8630 Smart Router and 8660 Smart Router.

Document Title: 8600 Smart Routers Interface Configuration Guides
Description: The Interface Configuration Guides provide an overview of the 8600 NEs interface functions, including NE supported interface types and equipping; interface features; configuration options and operating modes; fault management; performance monitoring; interface configuration layers and port protocols as well as instructions on how to configure them with CLI. The following interface configuration guides are available:
• 8600 Smart Routers Network Interfaces Configuration Guide (76.8600-50161) (for 8602 Smart Router and 8615 Smart Router)
• 8609 Smart Router and 8611 Smart Router FP2.0 Interface Configuration Guide (76.8660-50171)
• 8600 Smart Routers FP5.0 Interface Configuration Guide (76.8660-50170) (for 8630 Smart Router and 8660 Smart Router)

Document Title: 8600 Smart Routers IP Forwarding and Traffic Management Configuration Guide (76.8600-50122)
Description: Provides an overview of 8600 system IP, forwarding and traffic management functionality, including: IP addressing; IP hosting (ARP, DHCP); IP routing (static); ACL; Differentiated Services (Policing, Queue Management, Shaping) as well as instructions on how to configure them with CLI.

Document Title: 8600 Smart Routers Management Communications Configuration Guide (76.8600-50125)
Description: Provides an overview of 8600 system management communications functions, including communication protocols: BMP; FTP; RADIUS; SNMP; SSH; TELNET as well as instructions for configuring them with CLI.

Document Title: 8600 Smart Routers Mobile Optimization Configuration Guide (76.8600-50100)
Description: Provides an overview of 8600 system Mobile Optimization applications as well as instructions on how to configure them with CLI.

Document Title: 8600 Smart Routers MPLS Applications Configuration Guide (76.8600-50123)
Description: Provides an overview of 8600 system MPLS applications (including FRR (one-to-one and facility backup); LDP; protection and Traffic Engineering), MPLS-TP applications (including OAM, linear protection), S-MPLS applications as well as instructions on how to configure them with CLI.

Document Title: 8600 Smart Routers Performance Counters Reference Guide (76.8600-50143)
Description: Provides an overview of 8600 system supported performance counters.

Document Title: 8600 Smart Routers Reference Manuals
Description: The reference manuals describe the 8600 network element features including:
• NE enclosure, baseboard, power supply modules, and interfaces in 8602 Smart Router FP1.1 Reference Manual (76.8660-40120)
• NE enclosure, baseboard, power supply modules, interfaces and physical LM types in 8609 Smart Router FP2.0 Reference Manual (76.8660-40121)
• NE enclosure, baseboard, power supply modules, SCMs, HM and LM types in 8611 Smart Router FP2.0 Reference Manual (76.8660-40122)
• NE enclosure, baseboard, power supply modules, and interfaces in 8615 Smart Router FP1.0 Reference Manual (76.8660-40117)
• NE subrack, fan modules, CDCs, line cards and IFMs in 8630 Smart Router FP5.0 Reference Manual (76.8660-40123)
• NE subrack, fan modules, CDCs, line cards and IFMs in 8660 Smart Router FP5.0 Reference Manual (76.8660-40124)

Document Title: 8600 Smart Routers Routing Protocols Configuration Guide (76.8600-50121)
Description: Provides an overview of 8600 system routing protocols, including BFD; BGP; ECMP; IS-IS; OSPF and VRRP as well as instructions on how to configure them with CLI.

Document Title: 8600 Smart Routers SNMP MIB Support (76.8600-50116)
Description: Describes SNMP MIB support by the 8600 NEs and provides information on the supported objects and traps. For further information on SNMP MIBs, see the related RFCs.

Document Title: 8600 Smart Routers Statistic Counters Reference Guide (76.8600-50142)
Description: Provides an overview of 8600 system supported statistic counters.

Document Title: 8600 Smart Routers Synchronization Configuration Guide (76.8600-50114)
Description: Provides an overview of 8600 system synchronization applications, including physical layer Frequency Synchronization (SEC, EEC); Frequency Packet Synchronization (CES, PTP); Phase-Time Synchronization as well as instructions on how to configure them with CLI.

Document Title: 8600 Smart Routers Test and Measurement Configuration Guide (76.8600-50124)
Description: Provides an overview of 8600 system measurement and connectivity verification tools, including Ethernet loopback; IP ping and traceroute; MAC swap loopback; MPLS ping and traceroute; PLT; PWE3 loopback; VCCV (VCCV BFD, VCCV LSP ping) as well as instructions on how to configure them with CLI.

Document Title: 8600 Smart Routers VPNs Configuration Guide (76.8600-50128)
Description: Provides an overview of 8600 system virtual private network (VPN) layer 3 applications as well as instructions on how to configure them with CLI.

Document Title: 8000 Intelligent Network Manager Online Help
Description: Provides instructions on how different operations are performed with the 8000 Intelligent Network Manager. Describes also different parameters and controls of the 8000 Intelligent Network Manager dialogs and windows.
Note that the Online Help is not available on the Portal but it is incorporated in the 8000 Intelligent Network Manager.

Interface Numbering Conventions
To be able to follow more easily the feature descriptions and configuration examples given in this document, see also the 8600 system interface numbering and related figures described in 8600 Smart Routers CLI Commands Manual.
Document Conventions
This is a note symbol. It emphasizes or supplements information in the document.
This is a caution symbol. It indicates that damage to equipment is possible if the instructions are not followed.
This is a warning symbol. It indicates that bodily injury is possible if the instructions are not followed.
Documentation Feedback
Please contact us to suggest improvements or to report errors in our documentation:
Email: fi-documentation@tellabs.com
8600 Smart Routers Discontinued Products
8600 Smart Routers Manufacture Discontinued (MD) notifications are available on the Tellabs and Coriant Portal, www.portal.tellabs.com > Product Documentation & Software > Data Networking > [8600 Smart Router product name] > Product Notifications.
1 Virtual Private Networks
Several types of Provider Provisioned Virtual Private Network (PPVPN) technologies have been defined and are in use.
1.1 Layer 2 PPVPN Technologies
Layer 2 PPVPN technologies can be divided into Point-to-Point and Multipoint VPNs. The former provides Virtual Private Wire Service (VPWS) and the latter Virtual Private LAN Service (VPLS).
In both layer 2 VPN types a CE device attaches to a PE device via some sort of a circuit or virtual circuit, which is called an attachment circuit. The attachment circuit can be, for instance, an Ethernet port, VLAN or ATM VPI/VCI. MPLS is used to carry the L2 traffic between PE devices.
More information about the 8600 system support for layer 2 VPNs can be found in 8600 Smart Routers Ethernet Configuration Guide and 8600 Smart Routers PWE3, ATM and TDM Configuration Guide.
1.2 Layer 3 PPVPN Technologies
Layer 3 VPNs can be either PE-based or CE-based implementations. A PE-based implementation can be either a Virtual Router or [RFC4364] VPN (former RFC2547bis).
The 8600 system supports [RFC4364] Layer 3 VPN.
2 Layer 3 VPN
2.1 Overview
PE routers are routing peers. BGP is used to distribute VPN routes between PEs. MPLS is used to separate different customers' traffic in the backbone.
Customer networks may use overlapping IP addresses. It is common for customer networks to use private IP addresses. The usage of private IP addresses within customer networks is not a problem, since the routing and forwarding tables can be kept separate for each VPN.
One customer site can belong to multiple VPNs. In that case one VRF contains routes for multiple VPNs. These overlapping VPNs cannot have overlapping IP addresses. It is also possible to let one customer site access multiple VRFs, in which case the IP addresses can overlap. When one site is attached to multiple VRFs, the selected VRF can be determined from the incoming physical port, layer 2 header (VLAN/QinQ) or from the MPLS label.
The VRFs in the routers can be used to implement different kinds of VPN topologies. The most common topologies are the full mesh and hub-and-spoke topology. The topology is controlled by BGP attributes (route targets).
In addition to basic [RFC4364], the 8600 system supports enhancements that allow the usage of an MPLS access network and multiple VRFs in an access network or customer premise equipment without enlarging the core network. This method is referred to as distributed layer 3 VPN.
2.2 Route Distribution in Layer 3 VPN
2.2.1 Label Switched Paths (LSP)
PSN LSPs (outer label) have to exist between all relevant PEs in the network. Label distribution for PSN LSPs is done by RSVP-TE, by LDP, or manually. The PE router determines which LSP to use by consulting the default routing table and the BGP next hop in the VPN-IPv4 address advertisement. LSP tunneling is done in order to avoid the need for P routers to be VPN aware and store all the VPN routes. This makes layer 3 VPN scalable.
IPv4 loadbalancing over RSVP-TE tunnels for IP VPN routes is activated for a set of prefixes if they use RSVP-TE tunnels that are configured as described in the document 8600 Smart Routers MPLS Applications Configuration Guide, chapter 'RSVP-TE Traffic Loadbalancing Configuration'.
2.2.2 Route Distribution Among PE Routers
BGP plays a main role in layer 3 VPN route distribution. The BGP multiprotocol extensions (MP-BGP) allow BGP to carry routes for multiple address families. The VPN-IPv4 address family is defined in [RFC4364]. The VPN-IPv4 address is 12 bytes long and it contains an 8-byte Route Distinguisher (RD) and a 4-byte IPv4 address. MP-iBGP sessions are used for distributing VPN routes over the core network. Typically this occurs via Route Reflector.
The VPN-IPv4 route distribution is controlled by using the Route Target attributes. Every VRF is assigned with one or more import and export Route Targets. The export Route Targets are attached to the BGP message as an attribute of a route. The import Route Targets are used to determine whether the route that is received from another router can be installed into the VRF.
The following figure shows two VPNs. The Route Targets are set so that the ordinary full mesh VPN topology is achieved. For example, the routes learned from VPN A Site 1 are further distributed by BGP to other PE routers with route target attribute VPN_A. Since PE-2 has a matching import route target attribute in one of its VRFs, it will install the route in that VRF.
Fig 1 Basic RFC4364 VPN
BGP is used also to distribute the VPN label that is mapped to the route. The label is advertised by the same BGP Update Message as the route itself. The label information is part of the Network Layer Reachability Information (NLRI) in the Multiprotocol Extensions attributes. The 8600 system allocates one label for all the routes in the same VRF.
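The following Python model is an added example, not taken from the manual and not 8600 CLI. It builds the 12-byte VPN-IPv4 address and applies the import/export Route Target check described above, then audits VRFs for import Route Targets outside an approved set. The RD values (65000:1, 65000:2), label numbers and the audit helper are constructed for illustration; only the route target name VPN_A comes from the text.

```python
import ipaddress
import struct
from dataclasses import dataclass, field


def vpn_ipv4(rd_asn: int, rd_number: int, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address: 8-byte RD followed by the 4-byte IPv4 address.
    RD type 0 is used here: 2-byte type, 2-byte AS number, 4-byte assigned number."""
    rd = struct.pack("!HHI", 0, rd_asn, rd_number)
    return rd + ipaddress.IPv4Network(prefix).network_address.packed


@dataclass(frozen=True)
class VpnRoute:
    nlri: bytes                 # VPN-IPv4 address carried in the MP-BGP update
    prefix: str                 # customer IPv4 prefix
    label: int                  # VPN label advertised in the same update
    next_hop: str               # advertising PE (BGP next hop)
    route_targets: frozenset    # export Route Targets attached by the sender


@dataclass
class Vrf:
    name: str
    rd: tuple                   # (AS number, assigned number), constructed values
    label: int                  # one label for all routes in the VRF
    import_rts: set
    export_rts: set
    table: dict = field(default_factory=dict)

    def export(self, prefix: str, pe: str) -> VpnRoute:
        return VpnRoute(vpn_ipv4(*self.rd, prefix), prefix, self.label,
                        pe, frozenset(self.export_rts))

    def offer(self, route: VpnRoute) -> bool:
        """Install the route only if it carries one of this VRF's import RTs."""
        if self.import_rts & route.route_targets:
            self.table[route.prefix] = (route.next_hop, route.label)
            return True
        return False


def audit_imports(vrfs, allowed):
    """Report (VRF name, RT) pairs that import an RT outside the approved set."""
    return sorted((v.name, rt) for v in vrfs
                  for rt in v.import_rts - allowed.get(v.name, set()))


# Constructed scenario: both customers use 10.1.0.0/16 behind PE-1.
pe1_a = Vrf("PE-1/A", (65000, 1), 1001, {"VPN_A"}, {"VPN_A"})
pe1_b = Vrf("PE-1/B", (65000, 2), 1002, {"VPN_B"}, {"VPN_B"})
pe2_a = Vrf("PE-2/A", (65000, 1), 2001, {"VPN_A"}, {"VPN_A"})
pe2_b = Vrf("PE-2/B", (65000, 2), 2002, {"VPN_B"}, {"VPN_B"})
updates = [pe1_a.export("10.1.0.0/16", "PE-1"), pe1_b.export("10.1.0.0/16", "PE-1")]
for route in updates:           # as if reflected to PE-2 by a Route Reflector
    for vrf in (pe2_a, pe2_b):
        vrf.offer(route)

APPROVED = {"PE-2/A": {"VPN_A"}, "PE-2/B": {"VPN_B"}}
# A VRF that also imports VPN_A by mistake would receive customer A's routes.
pe2_b_bad = Vrf("PE-2/B", (65000, 2), 2002, {"VPN_B", "VPN_A"}, {"VPN_B"})
```

The two updates carry the same IPv4 prefix but different VPN-IPv4 addresses, and each VRF on PE-2 installs only the route whose Route Target it imports; the audit flags the extra import in pe2_b_bad.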
2.2.3 Route Distribution Between U-PE and N-PE
The 8600 system supports distributed layer 3 VPN. In basic [RFC4364] networks VRFs reside only in PEs at the core edge. The 8600 system provides a method for using VRFs in the access network closer to the end customer, without the need to have PSN tunnels between all PEs. The router that resides closer to the customer premises is called a user-facing PE (U-PE). The router in the core edge is called a network-facing PE (N-PE). The N-PE router acts as BGP next hop for traffic destined outside of the local access network.
Fig 2 Distributed [RFC4364] VPN
In the figure above, VPN B Site 2 is connected to the VPN service using distributed RFC4364. The route distribution between N-PE and U-PE is done with an MP-eBGP session. The VPN-IPv4 address family is used and the same BGP attributes are utilized as with the VPN routes when they are distributed between PEs in basic [RFC4364].
2.2.4 Route Distribution Between CE and PE Router
The 8600 system supports static routing, OSPF or BGP. If a dynamic routing protocol is used, the
2.3 Forwarding in Layer 3 VPN
2.3.1 Traffic Flow from CE Device
When PE receives a packet from the interface that is connected to the CE device, the PE makes an IP lookup from the VRF. VRF is selected based on the interface from which the packet arrived. If the next hop requires that the packet is to be sent over the core, MPLS labels are added. Otherwise no labels are added and the packet is sent to the egress interface that is connected to another CE.
2.3.2 Traffic Flow over Core Network
The PE routers select the outer label by consulting the default routing table. The PE router finds the best LSP to the BGP next hop and adds that label as the top label.
The VPN label learned from the BGP route advertisement is added as an inner label.
In the core network the P routers forward packets on the basis of the outer label only.
When the labelled VPN packet arrives at the PE router, it will first pop the outer label if no penultimate hop popping is in use. The 8600 system performs IP lookup from the VRF identified by the VPN label. The figure below illustrates the VPN traffic flow over the core.
Fig 3 Traffic Flow over Core
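The forwarding steps of 2.3.1 and 2.3.2 can be traced with the following Python model, which is an added example and not part of the manual or the 8600 software. The path PE-1, P-1, P-2, PE-2, the port names, prefixes and all label values are constructed; the model shows that P routers act on the outer label only and that the egress PE selects the VRF from the VPN label, with and without penultimate hop popping.

```python
import ipaddress

# Constructed example data: label values, port names and prefixes are made up.
PORT_TO_VRF = {"port-a": "VPN_A", "port-b": "VPN_B"}       # ingress PE-1
VRF_ROUTES = {                                             # prefix -> (BGP next hop, VPN label)
    "VPN_A": {"10.2.0.0/16": ("PE-2", 2001)},
    "VPN_B": {"10.2.0.0/16": ("PE-2", 2002)},
}
LSP_TO_NEXT_HOP = {"PE-2": 300}     # outer label of the PSN LSP towards each BGP next hop
POP = "pop"
P1_ILM = {300: 310}                 # P-1 swaps the outer label
P2_ILM_NO_PHP = {310: 320}          # P-2 swaps; PE-2 pops the outer label itself
P2_ILM_PHP = {310: POP}             # P-2 is the penultimate hop and pops
PE2_LSP_LABEL = 320
PE2_VPN_LABELS = {2001: "VPN_A", 2002: "VPN_B"}            # egress PE-2: VPN label -> VRF


def ingress_pe(port, dst_ip):
    """Select the VRF from the incoming port, look up the route, push both labels."""
    routes = VRF_ROUTES[PORT_TO_VRF[port]]
    addr = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p), r) for p, r in routes.items()
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None                 # no route in this VRF: drop, no fallback to another table
    next_hop, vpn_label = max(hits, key=lambda h: h[0].prefixlen)[1]
    return [LSP_TO_NEXT_HOP[next_hop], vpn_label]          # [outer, inner]


def p_router(ilm, stack):
    """A P router acts on the outer label only; the inner label passes through untouched."""
    action = ilm[stack[0]]
    return stack[1:] if action == POP else [action] + stack[1:]


def egress_pe(stack):
    """Pop the outer label if it is still present, then map the VPN label to a VRF."""
    if stack[0] == PE2_LSP_LABEL:
        stack = stack[1:]
    if len(stack) != 1 or stack[0] not in PE2_VPN_LABELS:
        return None                 # unknown or malformed label stack: drop
    return PE2_VPN_LABELS[stack[0]]


def deliver(port, dst_ip, php):
    """Carry one packet PE-1 -> P-1 -> P-2 -> PE-2; return (egress VRF, stacks seen)."""
    stack = ingress_pe(port, dst_ip)
    if stack is None:
        return None, []
    trace = [stack]
    for ilm in (P1_ILM, P2_ILM_PHP if php else P2_ILM_NO_PHP):
        stack = p_router(ilm, stack)
        trace.append(stack)
    return egress_pe(stack), trace
```

The same destination address entering on port-a and port-b ends in different VRFs on PE-2, because only the inner label differs along the path.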