Cisco IP Solution Center (ISC) is a carrier-class network and service-management solution for the rapid
and cost-effective delivery of IP services. IP-based services targeted at enterprise customers can
represent major revenue opportunities for service providers. Success in this highly competitive market
requires the ability to effectively plan, provision, operate, and bill for such IP services.
Deploying and offering MPLS VPN services for enterprise customers requires planning network
resources, then deploying, maintaining, and finally configuring the network elements and services. Done
manually, this procedure is time-consuming and error-prone. A service provider needs to automate all
these steps in order to stay competitive in this high-touch market.
Figure 1-1 shows all the major elements and devices that a service provider can employ to fully deploy
ISC MPLS VPN management services.
A customer edge router (CE) is connected to a provider edge router (PE) in such a way that the
customer’s traffic is encapsulated and transparently sent to other CEs, thus creating a virtual private
network. CEs advertise routes to the VPN for all the devices in their site. The ISC provisioning engine
accesses the configuration files on both the CE and PE to compute the necessary changes to those files
that are required to support the service on the PE-CE link.
Figure 1-1 ISC MPLS VPN Management in the Service Provider Network
[Figure 1-1: the service provider network with an MPLS core. The ISC network management subnet holds the IP Solution Center, a Processing server, and Collection servers, and reaches the network through the Management PE, the Management VPN, and the Management CE. At the edge of the core are PE 1 and PE 2; CE 1 and CE 2 are connected through a Multi-VRF CE; CE 3 attaches directly; CE 4 and CE 5 are connected through a Catalyst 2950 switch and a Catalyst 3550 Ethernet switch.]
Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0
OL-4344-01
1-1
Chapter 1 About Cisco IP Solution Center
The notable ISC network elements are as follows:
• ISC Network Management Subnet
The ISC Network Management Subnet is required when the service provider’s service offering
entails the management of CEs. The management subnet consists of the ISC workstation (where ISC
is installed). On the same LAN, the service provider can optionally install one or more Processing
servers. The Processing servers are responsible for executing tasks such as provisioning, auditing,
SLA data collection, and so on.
• The Management VPN
The Management VPN is a special VPN employed by the ISC Network Management Subnet to
manage the CEs in a service provider network. Once a CE is in a VPN, it is no longer accessible by
means of conventional IPv4 routing, unless the CEs are part of the Management VPN. To
communicate with the PEs, the link between the Management PE (MPE) and the Management-CE
(MCE) uses a parallel IPv4 link. The Management VPN connects to the managed CEs.
• Multi-VRF CE
The Multi-VRF CE is a feature that provides for Layer 3 aggregation. Multiple CEs can connect to
a single Multi-VRF CE (typically in an enterprise network); then the Multi-VRF CE connects
directly to a PE. Figure 1-1 shows CE 1 and CE 2 connected to the Multi-VRF CE, and the
Multi-VRF CE is connected directly to the PE. For details, see the “About Multi-VRF CEs” section
on page 1-10.
• Layer 2 Access to MPLS VPNs
The service provider can install multiple Layer 2 switches between a PE and CE, as shown in
Figure 1-1. This feature provides Layer 2 aggregation. Additional CEs can be connected to the
switches as well. Cisco supports two switches for the Layer 2 access to MPLS: either a Cisco Catalyst 2950 Switch or a Cisco Catalyst 3550 Intelligent Ethernet Switch.
• Collection Servers
Cisco ISC is designed to provision a large number of devices through its distributed architecture. If
the Master server (equivalent to the ISC workstation) cannot keep up with the number of devices,
Collection servers can be added to offload the work of the Master server. Among other tasks,
Collection servers are responsible for uploading and downloading configuration files to and from
Cisco routers. For more information, see the “Defining Collection Zones and Assigning Devices to
Zones” section on page 2-13.
Overview of ISC
Cisco ISC offers service providers the ability to plan, provision, operate and bill for the MPLS services.
Using the ISC, service providers can do the following:
• Provision IP-based MPLS VPN services.
• Generate audit reports for service requests.
• Perform data collection to measure SLA performance.
• Evaluate service usage for each VPN.
An MPLS VPN consists of a set of sites that are interconnected by means of an MPLS provider core
network. At each site, there are one or more CEs, which attach to one or more PEs. PEs use the Border
Gateway Protocol-Multiprotocol (MP-BGP) to dynamically communicate with each other.
It is not required that the set of IPv4 addresses used in any two VPNs be mutually exclusive because the
PEs translate IPv4 addresses into IPv4 VPN entities by using MP-BGP with extended community
attributes.
The set of IP addresses used in a VPN, however, must be exclusive of the set of addresses used in the
provider network. Every CE must be able to address the PEs to which it is directly attached. Thus, the
IP addresses of the PEs must not be duplicated in any VPN.
ISC Features
ISC offers the following features:
• High Availability and Distributed Architecture
• Various protocols supported for the PE-CE link
• Multicast VPN support
• VRF Lite/Multi-VRF support
• Site of Origin support
• ATM/IMA interface support
• Unmanaged CPE with no CPE definition required
• Single service request for multiple MPLS VPN links
• MPLS VPN Service Policy support
• Service workflow for customizing MPLS VPN service activation
• Layer 2 Ethernet Access into MPLS VPNs
One of ISC's key features is that it hides much of the complexity of deploying Metro services.
• Autodiscovery: ISC supports Autodiscovery of network elements, of network topology, and MPLS
VPN services. This feature greatly reduces the initial effort needed to insert ISC in the service
provider’s operation. For details, refer to Chapter 3, “Discovering the Network.”
• Managed CLE: ISC offers the capability of managing the Customer Located Equipment (CLE),
which gives the service provider the possibility of offering a managed Metro Service to their
customer (configuration, monitoring, and auditing of the managed CLE).
• Plug and Play: As the network and customer base grow, network elements can be added to the
network. ISC, working in collaboration with CNS Intelligent Agents, is able to detect newly added
Network Elements.
This gives the service provider the ability to rapidly deploy services and network elements.
• End-To-End Service Management: ISC manages the entire end-to-end provisioning of MPLS
VPN services. Assuming that the network operator has defined the MPLS VPN service policy and the
parameters that are to be editable by the service operator during the provisioning process, ISC
translates these service requirements into IOS configurations. ISC does a just-in-time Cisco IOS
configuration download, which consists of always validating the configuration of the real devices
before applying the needed configuration.
Once a service is configured, ISC makes sure that the service configuration is the intended one by
checking the configuration and verifying that VPN routing is operational.
• VLAN ID Management: ISC allocates VLAN IDs per customer and per Ethernet Service deployed.
The service provider can track per Access Domain a particular allocated VLAN ID (per service or
per customer or per Access Domain).
ISC keeps track of the VLANs allocated and gives detailed usage information of the VLAN
allocated per service, per customer, or per Access Domain.
Access Domain: The Layer 2 Ethernet switching domain attached to a PE defines an access domain.
All the switches attached to the PE-POP belong to the access domain (as illustrated in Figure 1-3 on
page 1-5). This notion enables the network operator to tie multiple VLAN pools to a single Access
Domain, and also allows redundancy with dual PEs in a single Access Domain.
For illustration purposes, assume that a Service Provider has a network such as the one
illustrated in Figure 1-2. A customer has two sites (Chicago and New York) and would like to get
an Ethernet Wire Service between the two sites.
Figure 1-2 Service Provider Network for VLAN ID Management
[Figure 1-2: the service provider network with an MPLS core; the IP Solution Center on the network management subnet, the Management PE, the Management VPN, and the Management CE; PE-POP 1 with CLE-1 and CLE-2 serving the Chicago site; and PE-POP 2 serving the New York site.]
1. If the network operator has chosen the Auto-Pick VLAN ID option in the service policy (see the
“PE Interface Information” section on page 4-11), the network operator must assign an access
domain and a VLAN pool for a given PE-POP.
This automatically gives ISC the range of VLAN IDs that are attached to the access domain.
Figure 1-3 shows the access domain assigned, with PE-POP 1, CLE 1, and CLE 2 defined within the
access domain.
Figure 1-3 Access Domain Assigned
[Figure 1-3: the same network as Figure 1-2, with an access domain drawn around PE-POP 1, CLE-1, and CLE-2.]
2. All the network elements have been discovered during the Autodiscovery process, as well as the
network topology (connectivity between sites).
3. The service operator wants to deploy an Ethernet over MPLS service from Chicago to New York.
4. Using ISC’s GUI, the service operator needs to select the From and To ports, and the appropriate
service policy that allows VLAN IDs in the Access Domain to be picked automatically.
5. ISC allocates a VLAN ID for Chicago and a VLAN ID for New York. (Both sites belong to the same
customer.)
6. VLAN IDs are allocated and assigned.
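The allocation flow in steps 1 to 6 above, written out as an added Python example (it is not ISC code and uses no ISC API): VLAN pools defined by a starting value and a size are attached to an access domain, each PE-POP belongs to one access domain, and deploying an Ethernet service between two PE-POPs auto-picks the lowest free VLAN ID at each end while recording which customer and service request hold each ID, so that usage can be reported per customer or per service. The domain names, PE-POP names, customer names, and service request ids are constructed for the example.

```python
"""Added example (not ISC code): VLAN ID pools attached to access domains, with Auto-Pick."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class VlanPool:
    """A VLAN ID pool defined, as in ISC, by a starting value and a size."""
    start: int
    size: int

    def __post_init__(self) -> None:
        # Usable 802.1Q VLAN IDs are 1..4094; reject pools that fall outside that range.
        if self.size < 1 or self.start < 1 or self.start + self.size - 1 > 4094:
            raise ValueError(f"invalid VLAN pool start={self.start} size={self.size}")

    def ids(self) -> range:
        return range(self.start, self.start + self.size)


@dataclass
class AccessDomain:
    """Layer 2 switching domain attached to one or more PE-POPs; may own several VLAN pools."""
    name: str
    pe_pops: List[str]
    pools: List[VlanPool] = field(default_factory=list)
    allocated: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # VLAN ID -> (customer, SR id)

    def auto_pick(self, customer: str, sr_id: str) -> int:
        """Auto-Pick: allocate the lowest free VLAN ID across the domain's pools."""
        for pool in self.pools:
            for vid in pool.ids():
                if vid not in self.allocated:
                    self.allocated[vid] = (customer, sr_id)
                    return vid
        raise RuntimeError(f"access domain {self.name}: VLAN pools exhausted")

    def release(self, vid: int) -> None:
        self.allocated.pop(vid, None)

    def usage(self, by: str) -> Dict[str, List[int]]:
        """Usage report of allocated VLAN IDs, by="customer" or by="service"."""
        idx = {"customer": 0, "service": 1}[by]
        report: Dict[str, List[int]] = {}
        for vid, owner in sorted(self.allocated.items()):
            report.setdefault(owner[idx], []).append(vid)
        return report


def deploy_ethernet_service(domains: Dict[str, AccessDomain], from_pop: str, to_pop: str,
                            customer: str, sr_id: str) -> Dict[str, int]:
    """Steps 3 to 6: pick the From and To PE-POPs and auto-allocate one VLAN ID at each end."""
    def domain_of(pop: str) -> AccessDomain:
        for dom in domains.values():
            if pop in dom.pe_pops:
                return dom
        raise LookupError(f"{pop} is not assigned to any access domain (step 1 not done)")
    return {from_pop: domain_of(from_pop).auto_pick(customer, sr_id),
            to_pop: domain_of(to_pop).auto_pick(customer, sr_id)}


def demo() -> Tuple[Dict[str, AccessDomain], Dict[str, int]]:
    # Step 1, constructed: two access domains with their pools; PE-POP names follow Figure 1-2.
    domains = {
        "chicago": AccessDomain("chicago", ["PE-POP 1"], [VlanPool(100, 4), VlanPool(200, 2)]),
        "newyork": AccessDomain("newyork", ["PE-POP 2"], [VlanPool(300, 4)]),
    }
    # A VLAN ID already held by another customer on the Chicago domain.
    domains["chicago"].allocated[100] = ("Widgets", "SR-7")
    # Steps 3 to 6: an Acme service request from Chicago to New York.
    return domains, deploy_ethernet_service(domains, "PE-POP 1", "PE-POP 2", "Acme", "SR-42")


if __name__ == "__main__":
    doms, sr = demo()
    print(sr)                                  # {'PE-POP 1': 101, 'PE-POP 2': 300}
    print(doms["chicago"].usage("customer"))   # {'Widgets': [100], 'Acme': [101]}
```

The range check in VlanPool and the exhaustion error in auto_pick are the two places where a pool definition or a deployment fails closed rather than handing out an ID outside the operator's allocated range.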
Resource Pools
ISC enables multiple pools to be defined and used during deployment operations. The following resource
pools are available:
• VLAN ID pool: VLAN ID pools are defined with a starting value and a size of the VLAN pool. A
given VLAN ID pool can be attached to an Access Domain. During the deployment of an Ethernet
Service (EWS or ERS, for example), a VLAN ID can be auto-allocated from the Access Domain’s
VLAN pools. This gives the Service Provider tighter control of VLAN ID allocation.
• IP address pool: The IP address pool can be defined and assigned to regions.
• Multicast pool: The Multicast pool is used for Multicast MPLS VPNs.
• Route Target (RT) pool: A route target is the MPLS mechanism that informs PEs as to which routes
should be inserted into the appropriate VRFs. Every VPN route is tagged with one or more route
targets when it is exported from a VRF and offered to other VRFs. The route target can be considered
a VPN identifier in MPLS VPN architecture. An RT is a 64-bit value.
• Route Distinguisher (RD) pool: The IP subnets advertised by the CE routers to the PE routers are
augmented with a 64-bit prefix called a route distinguisher (RD) to make them unique. The resulting
96-bit addresses are then exchanged between the PEs, using a special address family of
Multiprotocol BGP (referred to as MP-BGP). The RD pool is a pool of 64-bit RD values that ISC
uses to make sure the IP addresses in the network are unique.
• Site of origin pool: The pool of values for the site-of-origin attribute. The site-of-origin attribute
prevents routing loops when a site is multihomed to the MPLS VPN backbone. This is achieved by
identifying the site from which the route was learned, based on its SOO value, so that it is not
readvertised back to that site from a PE in the MPLS VPN network.
All of these resources, made available to the service provider, enable the automation of service
deployment.
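As an added example (not ISC code) of the RD and RT pools above and of the addressing rule in the overview (VPN address spaces may overlap one another but must not contain the provider's PE addresses): two customers both use 10.1.0.0/24; ISC-style pools hand out ASN:nn route distinguishers and route targets, the RD prepended to each IPv4 prefix yields distinct 96-bit VPN-IPv4 routes, and a receiving PE places a route into a VRF only when one of the route's RTs matches that VRF's import set. The AS number, pool ranges, PE names, and prefixes are constructed.

```python
"""Added example (not ISC code): RD/RT pools, VPN-IPv4 routes, and RT-based VRF import."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


class Pool:
    """Pool of ASN:nn values (type-0 encoding, used here for both RDs and RTs), handed out in order."""

    def __init__(self, asn: int, start: int, size: int) -> None:
        self.asn, self.next, self.end = asn, start, start + size

    def allocate(self) -> str:
        if self.next >= self.end:
            raise RuntimeError(f"pool {self.asn}:{self.end - 1} exhausted")
        value, self.next = f"{self.asn}:{self.next}", self.next + 1
        return value


def encode_rd(rd: str) -> int:
    """Type-0 RD: 2-byte type (0), 2-byte AS number, 4-byte assigned number; 64 bits in total."""
    asn, num = (int(x) for x in rd.split(":"))
    if not (0 <= asn < 2 ** 16 and 0 <= num < 2 ** 32):
        raise ValueError(f"not a type-0 RD: {rd}")
    return (asn << 32) | num


def vpnv4_prefix(rd: str, prefix: str) -> int:
    """The 96-bit VPN-IPv4 address: the 64-bit RD prepended to the 32-bit IPv4 network."""
    net = ipaddress.ip_network(prefix, strict=True)
    return (encode_rd(rd) << 32) | int(net.network_address)


@dataclass
class Vrf:
    name: str
    rd: str
    export_rts: Set[str]
    import_rts: Set[str]
    routes: Dict[str, str] = field(default_factory=dict)   # prefix -> next-hop PE


@dataclass
class VpnRoute:
    """What a PE advertises over MP-BGP: RD + prefix, RT extended communities, next hop (itself)."""
    rd: str
    prefix: str
    rts: Set[str]
    next_hop_pe: str


def export_routes(pe: str, vrf: Vrf, ce_prefixes: List[str]) -> List[VpnRoute]:
    """Tag every route learned from the CE with the VRF's export RTs before offering it to other PEs."""
    return [VpnRoute(vrf.rd, p, set(vrf.export_rts), pe) for p in ce_prefixes]


def import_routes(vrfs: List[Vrf], updates: List[VpnRoute]) -> None:
    """A received route enters a VRF only if one of its RTs is in that VRF's import set."""
    for upd in updates:
        for vrf in vrfs:
            if vrf.import_rts & upd.rts:
                vrf.routes[upd.prefix] = upd.next_hop_pe


def check_addressing(pe_addresses: List[str], vpn_prefixes: List[str]) -> List[str]:
    """The overview's rule: PE addresses must not fall inside any VPN's address space."""
    return [f"{pe} inside {p}" for pe in pe_addresses for p in vpn_prefixes
            if ipaddress.ip_address(pe) in ipaddress.ip_network(p, strict=True)]


def demo():
    rd_pool, rt_pool = Pool(65000, 100, 10), Pool(65000, 1000, 10)   # constructed AS and ranges
    acme = Vrf("acme", rd_pool.allocate(), {rt_pool.allocate()}, set())
    widgets = Vrf("widgets", rd_pool.allocate(), {rt_pool.allocate()}, set())
    acme.import_rts, widgets.import_rts = set(acme.export_rts), set(widgets.export_rts)
    # Both customers use 10.1.0.0/24; the RD keeps the two VPN-IPv4 routes distinct.
    updates = (export_routes("PE-2", acme, ["10.1.0.0/24"])
               + export_routes("PE-3", widgets, ["10.1.0.0/24"]))
    import_routes([acme, widgets], updates)      # PE-1 holds both VRFs; the RT decides placement
    return acme, widgets, updates


if __name__ == "__main__":
    a, w, upd = demo()
    print(a.rd, a.routes, w.rd, w.routes)
    print(hex(vpnv4_prefix(a.rd, "10.1.0.0/24")), hex(vpnv4_prefix(w.rd, "10.1.0.0/24")))
```

Note that the RD only makes the routes distinct; it is the RT match in import_routes that decides which VRF receives a route, which is why a mistyped import RT silently leaks or drops a customer's routes and is worth auditing after provisioning.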
Features and Functions Provided in Provisioning with ISC
ISC assumes that the iBGPv4 core over MPLS, IGP, and VPNv4 neighbors are preprovisioned.
The features and functions provided in provisioning MPLS VPNs are as follows:
• ISC configures the IP addresses on the CE and PE interfaces.
IP addresses are assumed to be specified by the service provider and unique in the network.
• Configures CE and PE routing.
This allocates the PE VRF, route target, and route distinguisher values.
• Advertises CE site routes to other sites in the same VPN.
• Supports unmanaged CEs.
• Allows service request removal and modification.
• Supports MP-BGPv4 commands:
– BGP transparent: PE to CE routing protocol metric preserved between VPN sites.
– Neighbor AS override: You can reuse the same autonomous system number between VPN sites.
– AS-allow: Allows an autonomous system number multiple times in the AS path.
• Supports VRF commands:
– import map
– export map
– maximum routes in a VRF
• Management VPN support.
• Provisioning of CE Loopback interfaces.
VPN Service Profile-Based Provisioning
For all MPLS VPN provisioning, several parameters of the network elements that participate in the VPN
must be defined. These parameters are:
• Choice of protocols between PE-CE and their intrinsic characteristics.
• IP addressing for each site joining the IP VPN
• VRF configuration (export map, import map, maximum number of routes, VRF and RD override,
and so forth)
• Choice of joining the VPN as hub or spoke
• Choice of interfaces on the PE, CE, and intermediate network devices
All the provisioning parameters can be made editable for a service operator who will deploy the service.
A service policy is defined by a network operator and used by a service operator.
A service policy defines the parameters that will be used during provisioning.
Each of these parameters can be made editable or not for the less experienced service operator. Because
a service can be profiled, the service operator’s tasks are greatly simplified: only a limited number of
parameters need to be entered during the provisioning process to deploy and activate an MPLS VPN service.
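An added example, not code from ISC, of service-profile-based provisioning as described above and of the configuration checks described under End-To-End Service Management: a policy records which parameters the network operator locked and which the service operator may edit; a service request may override only the editable ones; the merged parameters are rendered as IOS VRF and PE-CE link configuration (hub, spoke, or full-mesh route targets, import/export maps, maximum routes); and an audit lists intended lines absent from a device's running configuration. Policy values, names, and addresses are constructed, and the hub/spoke route-target scheme is a common simplification rather than ISC's own.

```python
"""Added example (not ISC code): a service policy with locked and editable parameters,
applied to a service request, rendered as IOS VRF/PE-CE configuration, then audited
against a device's running configuration."""
from dataclasses import dataclass
from typing import Any, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Param:
    value: Any
    editable: bool = False   # set by the network operator; the service operator may change only editable ones


class ServicePolicy:
    def __init__(self, name: str, params: Dict[str, Param]) -> None:
        self.name, self.params = name, params

    def apply(self, request: Dict[str, Any]) -> Dict[str, Any]:
        """Merge a service request into the policy; refuse overrides of unknown or locked parameters."""
        bad = [k for k in request if k not in self.params or not self.params[k].editable]
        if bad:
            raise PermissionError(f"policy {self.name}: not editable: {sorted(bad)}")
        merged = {k: p.value for k, p in self.params.items()}
        merged.update(request)
        missing = [k for k, v in merged.items() if v is None]
        if missing:
            raise ValueError(f"policy {self.name}: request must supply {sorted(missing)}")
        return merged


def rt_sets(topology: str, hub_rt: str, spoke_rt: str) -> Tuple[Set[str], Set[str]]:
    """(export RTs, import RTs) for a site's role in the VPN. A common hub-and-spoke scheme,
    used here as a simplification: a hub sees all sites, a spoke sees only the hub."""
    if topology == "hub":
        return {hub_rt}, {hub_rt, spoke_rt}
    if topology == "spoke":
        return {spoke_rt}, {hub_rt}
    if topology == "mesh":          # full mesh: every site exports and imports the same RT
        return {hub_rt}, {hub_rt}
    raise ValueError(f"unknown topology {topology}")


def render_pe_config(p: Dict[str, Any]) -> List[str]:
    """PE side of the PE-CE link in IOS syntax: VRF definition, VRF interface, static route to the CE LAN."""
    exp, imp = rt_sets(p["topology"], p["hub_rt"], p["spoke_rt"])
    lines = [f"ip vrf {p['vrf']}", f" rd {p['rd']}"]
    lines += [f" route-target export {rt}" for rt in sorted(exp)]
    lines += [f" route-target import {rt}" for rt in sorted(imp)]
    if p["import_map"]:
        lines.append(f" import map {p['import_map']}")
    if p["export_map"]:
        lines.append(f" export map {p['export_map']}")
    lines.append(f" maximum routes {p['max_routes']} {p['warn_pct']}")
    lines += [f"interface {p['pe_interface']}", f" ip vrf forwarding {p['vrf']}",
              f" ip address {p['pe_ip']} {p['link_mask']}"]
    lines.append(f"ip route vrf {p['vrf']} {p['ce_lan']} {p['ce_lan_mask']} {p['ce_ip']}")
    return lines


def audit(intended: List[str], running: List[str]) -> List[str]:
    """Configuration audit: the intended lines that are absent from the device's running configuration."""
    present = {line.rstrip() for line in running}
    return [line for line in intended if line.rstrip() not in present]


def build_policy() -> ServicePolicy:
    """Constructed policy: VRF, RD, RTs and topology are locked; only PE-CE link details are editable."""
    return ServicePolicy("acme-spoke", {
        "vrf": Param("acme"), "rd": Param("65000:100"),
        "hub_rt": Param("65000:1000"), "spoke_rt": Param("65000:1001"), "topology": Param("spoke"),
        "max_routes": Param(1000), "warn_pct": Param(80),
        "import_map": Param(""), "export_map": Param(""),
        "link_mask": Param("255.255.255.252"), "ce_lan_mask": Param("255.255.255.0"),
        "pe_interface": Param(None, editable=True), "pe_ip": Param(None, editable=True),
        "ce_ip": Param(None, editable=True), "ce_lan": Param(None, editable=True),
    })


def provision(policy: ServicePolicy, request: Dict[str, Any]) -> List[str]:
    return render_pe_config(policy.apply(request))


if __name__ == "__main__":
    cfg = provision(build_policy(), {"pe_interface": "Serial1/0", "pe_ip": "192.0.2.1",
                                     "ce_ip": "192.0.2.2", "ce_lan": "10.1.0.0"})
    print("\n".join(cfg))
    print("missing on device:", audit(cfg, cfg[:-1]))
```

The PermissionError in apply is the point of profiling a service: a request that tries to set the RD, the route targets, or the topology is rejected before anything is rendered, so the service operator cannot move a site into another customer's VPN by editing a field.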
Role-Based Access Control (RBAC)
The central notion of role-based access control (RBAC) is that permissions are associated with roles, and
users are made members of appropriate roles. Access control policy is embodied in various components
of RBAC, such as role-permission, user-role, and role-role relationships. These components determine
whether a particular user will be allowed to access a particular piece of data in the system.
The Role object specifies a set of occupants and the privileges or permissions granted to those occupants.
There are several ways to construct a role.
A role can represent competency to do specific tasks, such as a technician or a support engineer. A
technician can collect edge device and interface information and import them into the ISC Repository.
A support engineer (service operator) can create policies, submit service requests and deploy them.
A role can reflect specific duty assignments, for example, an engineer can be assigned to provision
customer Acme’s VPN. The operator may not be allowed to provision the competitor customer Widget’s
VPN.
A role can have distinct authority, for example, VPN customer AcmeInc should be allowed only to view
or make minor change on Acme’s VPN data. The customer should not be allowed to access any other
customer’s VPN data.
There can be a role hierarchy in which a super user has all the permissions allowed to two different roles.
The service provider can define a role for each VPN customer, for example Acme and Widgets. The
acme_customers role and the Widgets_customers role are mutually exclusive roles. The same user can
be assigned to no more than one role in a mutually exclusive set. Role constraint supports separation of
duties.
ISC supports full Role-Based Access Control to the system resources. Each Role defines limited access
to the resources with a set of permissions: view, create, update, delete, and execute. This same access
mechanism is also given to a group. When a user is part of a group, the user inherits the group’s access
privileges.
Each user can be assigned one or many roles. Each user is shown only the resources and services
that he or she is allowed to create, view, modify, or delete. Using the access privileges that the user has
been allocated, the display and the actions allowed are adjusted accordingly.
Figure 1-4 Defining the User Role
[Figure 1-4: the role definition screen. Labels in the figure: ISC Service Request States, Provisioning States, Auditing States, and the states REQUESTED, INVALID, PENDING, WAIT DEPLOY, FAILED DEPLOY, DEPLOYED, FUNCTIONAL, FAILED AUDIT, LOST, BROKEN, and CLOSED.]
The permissions to Create, View, Modify, and Delete are enforced for the following resources:
• Persistent task
• SAA probe
• Workflow
• Device
• ISC host
• Customer
• MPLS policy
• MPLS service request
• Layer 2 VPN policy
• Layer 2 VPN service request
• Firewall policy
• Firewall service request
• Provider
• PE
• CPE
• QoS policy
• QoS service request
• Network Address Translation service request
• IPsec policy
• IPsec service request
• Deployment flow
• Template
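A compact RBAC model as an added example (not ISC code) of the relationships described in this section: role-permission grants on the resource types listed above, scoped per customer where needed; a role hierarchy in which a super user inherits two roles' permissions; groups whose members inherit the group's roles; a mutually exclusive pair of customer roles enforced at assignment time (separation of duties); and a view filter that shows a user only the service requests they are permitted to see. Role, user, and customer names are constructed; the resource list is a subset of the one above.

```python
"""Added example (not ISC code): a minimal RBAC model with role-permission, user-role and
role-role (hierarchy) relationships, groups, and mutually exclusive roles."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

PERMISSIONS = {"view", "create", "update", "delete", "execute"}
RESOURCES = {"Device", "Customer", "MPLS policy", "MPLS service request", "Template"}
Perm = Tuple[str, str, Optional[str]]   # (resource type, action, customer scope; None = any customer)


@dataclass
class Role:
    name: str
    perms: Set[Perm] = field(default_factory=set)
    parents: List["Role"] = field(default_factory=list)   # a role inherits its parents' permissions

    def grant(self, resource: str, action: str, customer: Optional[str] = None) -> "Role":
        if resource not in RESOURCES or action not in PERMISSIONS:
            raise ValueError(f"unknown resource/action: {resource}/{action}")
        self.perms.add((resource, action, customer))
        return self

    def effective(self) -> Set[Perm]:
        out = set(self.perms)
        for parent in self.parents:
            out |= parent.effective()
        return out


class Rbac:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.groups: Dict[str, Set[str]] = {}          # group -> role names
        self.user_roles: Dict[str, Set[str]] = {}
        self.user_groups: Dict[str, Set[str]] = {}
        self.exclusive: List[FrozenSet[str]] = []      # mutually exclusive role sets

    def add_role(self, role: Role) -> Role:
        self.roles[role.name] = role
        return role

    def roles_of(self, user: str) -> Set[str]:
        names = set(self.user_roles.get(user, ()))
        for g in self.user_groups.get(user, ()):
            names |= self.groups[g]                    # group members inherit the group's roles
        return names

    def _check_exclusive(self, user: str, held: Set[str]) -> None:
        """Separation of duties: a user may hold at most one role of each exclusive set."""
        for ex in self.exclusive:
            if len(held & ex) > 1:
                raise PermissionError(f"{user}: {sorted(held & ex)} are mutually exclusive")

    def assign(self, user: str, role: str) -> None:
        self._check_exclusive(user, self.roles_of(user) | {role})
        self.user_roles.setdefault(user, set()).add(role)

    def join_group(self, user: str, group: str) -> None:
        self._check_exclusive(user, self.roles_of(user) | self.groups[group])
        self.user_groups.setdefault(user, set()).add(group)

    def allowed(self, user: str, action: str, resource: str, customer: Optional[str] = None) -> bool:
        for name in self.roles_of(user):
            for res, act, scope in self.roles[name].effective():
                if res == resource and act == action and scope in (None, customer):
                    return True
        return False

    def visible(self, user: str, resource: str, items: Dict[str, str]) -> List[str]:
        """What the user is shown: items (id -> owning customer) filtered by view permission."""
        return [i for i, owner in items.items() if self.allowed(user, "view", resource, owner)]


def build_demo() -> Rbac:
    """Constructed roles modelled on the examples in the text."""
    rbac = Rbac()
    tech = rbac.add_role(Role("technician").grant("Device", "view").grant("Device", "create"))
    eng = rbac.add_role(Role("support_engineer").grant("MPLS policy", "create")
                        .grant("MPLS service request", "create").grant("MPLS service request", "execute"))
    rbac.add_role(Role("super_user", parents=[tech, eng]))       # role hierarchy
    rbac.add_role(Role("acme_customers").grant("MPLS service request", "view", "Acme")
                  .grant("MPLS service request", "update", "Acme"))
    rbac.add_role(Role("Widgets_customers").grant("MPLS service request", "view", "Widgets"))
    rbac.exclusive.append(frozenset({"acme_customers", "Widgets_customers"}))
    rbac.groups["noc"] = {"technician"}
    rbac.assign("alice", "super_user")
    rbac.assign("bob", "acme_customers")
    rbac.join_group("carol", "noc")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print(r.visible("bob", "MPLS service request", {"SR-1": "Acme", "SR-2": "Widgets"}))  # ['SR-1']
```

The exclusivity check runs on the union of directly assigned and group-inherited roles, so a group membership cannot be used to bypass a constraint that a direct assignment would have hit.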
The Customer’s and Provider’s View of the Network
From the customer’s point of view, their internal routers communicate with their customer edge
routers (CEs) from one site to another through a VPN managed by the service provider (see
Figure 1-5).
Figure 1-5 The Customer’s View of the Network
[Figure 1-5: Gadgets, Inc.’s VPN drawn across the service provider network, with a CE at each of the Gadgets, Inc. sites in Seattle, New York City, and Chicago.]
This simple view of the customer’s network is the advantage of employing VPNs: the customer
experiences direct communication to their sites as though they had their own private network, even
though their traffic is traversing a public network infrastructure and they are sharing that infrastructure
with other businesses.
The service provider’s view of the network is naturally very different, as shown in Figure 1-6. This
illustration shows two different customers, with each customer having a single VPN. A customer can,
however, have multiple VPNs.
Figure 1-6 Service Provider’s View of the Network
[Figure 1-6 labels: PE-1 with the Gadgets, Inc. Seattle CE in VPN 10 and the Gizmos, Intl. San Francisco CE in VPN 15.]
About Provider Edge Routers (PEs)
At the edge of the provider network are provider edge routers (PEs). Within the provider network are
other provider routers as needed (often designated as P routers) that communicate with each other and
the PEs via the Border Gateway Protocol-Multiprotocol (MP-BGP). Note that in this model, the service
provider need only provision the links between the PEs and CEs.
PEs maintain separate routing tables called VPN routing and forwarding tables (VRFs). The VRFs
contain the routes for directly connected VPN sites only. (For more information about VRFs, see the
“VPN Routing and Forwarding Tables (VRFs)” section on page 1-16). PEs exchange VPN-IPv4 updates
through MP-iBGP sessions. These updates contain VPN-IPv4 addresses and labels. The PE originating
the route is the next hop of the route. PE addresses are referred to as host routes into the core interior
gateway protocol.
[Figure 1-6 labels, continued: the service provider network with an MPLS core and BGP sessions between the PEs; PE-2 and PE-3; the Gadgets, Inc. Chicago and New York City CEs in VPN 10; the Gizmos, Intl. Berlin and London CEs in VPN 15.]
About Multi-VRF CEs
The Multi-VRF CE is a feature that provides for Layer 3 aggregation. Multiple CEs can connect to a
single Multi-VRF CE (typically in an enterprise network); then the Multi-VRF CE connects directly to
a PE. A Multi-VRF CE can be a Cisco router or a Cisco Catalyst® 3550 Intelligent Ethernet Switch.
The Multi-VRF CE functionality extends some of the functionality formerly reserved to the PE to a CE
router in an MPLS VPN—the only PE-like functionality that this feature provides is the ability to have
multiple VRFs on the CE router so that different routing decisions can be made. The packets are sent
toward the PE as IP packets.
With this feature, a Multi-VRF CE can maintain separate VRF tables to extend the privacy and security
of an MPLS VPN down to a branch office, rather than just at the PE router node.