76.8600-50128F 8600 VPNs Configuration Guide (8600 Smart Routers SR6.0 version)



8600 Smart Routers VPNs Configuration Guide
76.8600-50128F
12.11.2014

Document Information

Revision History

Document No.: 76.8600-50128F
Date: 12.11.2014
Description of Changes:
• New chapter 2.5 Limitations and Restrictions for VPN
• Enhancements to the CLI examples layout
• 8600 Discontinued Products table removed and replaced by chapter 8600 Smart Routers Discontinued Products

Document No.: 76.8600-50128E
Date: 24.04.2013
Description of Changes:
• Information on layer VPNs updated in chapter Virtual Private Networks
• 8600 Discontinued Products table added
• Fig updated
• First paragraph of 2.2.1 Label Switched Paths (LSP) updated
• Typographical corrections in 2.2.2 Route Distribution Among PE Routers and in Fig and Fig 10

Document No.: 76.8600-50128D
Date: 31.08.2012
Description of Changes:
• New 8600 brand: 8600 managed edge system and 8600 network elements changed to 8600 smart routers
• CLI examples layout change from table format to step list

© 2014 Coriant

This revision of the manual documents the following network elements and the corresponding feature packs or higher.

• 8602 Smart Router FP1.1
• 8605 Smart Router FP1.6
• 8607 Smart Router FP1.1
• 8609 Smart Router FP2.0
• 8611 Smart Router FP2.0
• 8615 Smart Router FP1.0
• 8620 Smart Router FP4.1
• 8630 Smart Router FP5.0
• 8660 Smart Router FP5.0

If a different feature pack of 8600 products is in use, please refer to the relevant product document program on the Tellabs and Coriant Portal by navigating to www.portal.tellabs.com > Product Documentation > Data Networking > 8600 Smart Routers > Technical Documentation.

© 2014 Coriant. All rights reserved. This manual is protected by U.S. and international copyright laws, conventions and treaties. Your right to use this manual is subject to limitations and restrictions imposed by applicable licenses and copyright laws. Unauthorized reproduction, modification, distribution, display or other use of this manual may result in criminal and civil penalties. The specifications and information regarding the products in this manual are subject to change without notice. All statements, information, and recommendations in this manual are believed to be accurate but are presented without warranty of any kind, express or implied. Users must take full responsibility for their application of any products.

Adobe® Reader® are registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Terms and Abbreviations

Term      Explanation
ARP       Address Resolution Protocol
AS        Autonomous System
ATM       Asynchronous Transfer Mode
BGP-4     Border Gateway Protocol version 4
CE        Customer Edge
CLI       Command Line Interface
DHCP      Dynamic Host Configuration Protocol
DNS       Domain Name System
eBGP      External Border Gateway Protocol
iBGP      Internal Border Gateway Protocol
ICMP      Internet Control Message Protocol
IGP       Interior Gateway Protocol
ILM       Incoming Label Map (for MPLS)
IP        Internet Protocol
LAN       Local Area Network
LDP       Label Distribution Protocol
LSP       Label Switched Path
LSR       Label Switch Router. A network element along a path of an MPLS LSP switching traffic on the basis of labels.
MP-BGP    Multiprotocol Border Gateway Protocol
MPLS      Multiprotocol Label Switching
NE        Network Element. Any traffic forwarding network building block part of the 8600 system. In 8000 Intelligent Network Manager also referred to as node.
NLRI      Network Layer Reachability Information
NMS       Network Management System
N-PE      Network Facing PE
OSPF-TE   Open Shortest Path First - Traffic Engineering
P-a       An access network element controlled by the service provider. Operates only in LSR mode (VPN unaware). It can be a 8600 element.
PE        Provider Edge
PPVPN     Provider Provisioned Virtual Private Network
PSN       Packet-Switched Network
RSVP-TE   Resource Reservation Protocol - Traffic Engineering
RD        Route Distinguisher
RT        Route Target
SP        Service Provider
TCP       Transmission Control Protocol
UDP       User Datagram Protocol
U-PE      User Facing PE
VCI       Virtual Channel Identifier
VLAN      Virtual LAN
VPI       Virtual Path Identifier
VPLS      Virtual Private LAN Service
VPN       Virtual Private Network
VPWS      Virtual Private Wire Service
VRF       VPN Routing and Forwarding (RFC4364)

Table of Contents

About This Manual
    Objectives
    Audience
    8600 Smart Routers Technical Documentation
    Interface Numbering Conventions
    Document Conventions
    Documentation Feedback
8600 Smart Routers Discontinued Products
Virtual Private Networks
    1.1 Layer PPVPN Technologies
    1.2 Layer PPVPN Technologies
Layer 3 VPN
    2.1 Overview
    2.2 Route Distribution in Layer 3 VPN
        2.2.1 Label Switched Paths (LSP)
        2.2.2 Route Distribution Among PE Routers
        2.2.3 Route Distribution Between U-PE and N-PE
        2.2.4 Route Distribution Between CE and PE Router
    2.3 Forwarding in Layer 3 VPN
        2.3.1 Traffic Flow from CE Device
        2.3.2 Traffic Flow over Core Network
        2.3.3 Traffic Flow Between U-PE and N-PE
    2.4 VPN Topologies
        2.4.1 Full Mesh VPN
        2.4.2 Hub-and-Spoke VPN
        2.4.3 Overlapping VPN
        2.4.4 Management VPN
    2.5 Limitations and Restrictions for VPN
    2.6 References
Virtual Private Network Configuration Examples
    3.1 Full Mesh Layer 3 VPN
        3.1.1 U-PE Basic Configuration (Full Mesh)
        3.1.2 U-PE Customer Side Configuration (Full Mesh)
        3.1.3 U-PE Network Side Configuration (Full Mesh)
        3.1.4 N-PE Configuration (Full Mesh)
    3.2 Hub-and-Spoke Layer 3 VPN
        3.2.1 U-PE Basic Configuration (Hub-and-Spoke)
        3.2.2 U-PE Customer Side Configuration (Hub-and-Spoke)
        3.2.3 U-PE Network Side Configuration (Hub-and-Spoke)
        3.2.4 N-PE Configuration (Hub-and-Spoke)
    3.3 Overlapping Layer 3 VPN
About This Manual

This chapter discusses the objectives and intended audience of this manual, 8600 Smart Routers VPNs Configuration Guide, and consists of the following sections:
• Objectives
• Audience
• Related Documentation
• Documentation Feedback

Objectives

This manual provides an overview of the 8600 smart routers virtual private network (VPN) layer functions and instructions on how to configure them with a command-line interface (CLI) using a router's console or remote terminal (Telnet).

Audience

This manual is designed for administration personnel who configure 8600 smart routers functions with CLI. Alternatively, 8000 intelligent network manager gives administration personnel access to the same functionality through a graphical user interface.

It is assumed that you have a basic understanding of Ethernet, POS, IP, MPLS, VPN and Differentiated Services concepts. This manual also assumes that you are familiar with the following protocols:
• ARP
• DHCP, DNS
• IP, UDP, TCP, ICMP
• BGP-4, OSPF-TE
• LDP, RSVP-TE

8600 Smart Routers Technical Documentation

The document numbering scheme consists of the document ID, indicated by numbers, and the document revision, indicated by a letter. The references in the Related Documentation table below are generic and include only the document ID. To make sure the references point to the latest available document versions, please refer to the relevant product document program on the Tellabs and Coriant Portal by navigating to www.portal.tellabs.com > Product Documentation & Software > Data Networking > 8600 Smart Routers > Technical Documentation.

Note that the table below reflects the customer document content for SR6.0 SP1 GA.

Document Title / Description

8600 Smart Routers ATM and TDM Configuration Guide (76.8600-50110)
    Provides an overview of 8600 system PWE3 applications, including types, Single-Segment and Multi-Segment; PWE3 Redundancy; ATM applications, including PWE3 tunnelling, Traffic Management, Fault Management OAM, protection and TDM applications as well as instructions on how to configure them with CLI.

8600 Smart Routers Boot and Mini-Applications Embedded Software Release Notes (76.8600-50108)
    Provides information related to the boot and mini-applications software of 8605 Smart Router, 8607 Smart Router, 8609 Smart Router, 8611 Smart Router, 8620 Smart Router, 8630 Smart Router and 8660 Smart Router as well as the installation instructions.

8600 Smart Routers CLI Commands Manual (76.8600-50117)
    Provides commands available to configure, monitor and maintain 8600 system with CLI.

8600 Smart Routers Embedded Software Release Notes
    Consists of the embedded software release notes of the 8600 NEs.
    • 8600 Smart Routers SR6.0 Embedded Software Release Notes (76.8660-50169) for the following:
        - 8602 Smart Router FP1.1
        - 8609 Smart Router and 8611 Smart Router FP2.0
        - 8615 Smart Router FP1.0
        - 8630 Smart Router and 8660 Smart Router FP5.0

8600 Smart Routers Equipment Management Configuration Guide (76.8600-50118)
    Provides an overview of 8600 system HW inventory, software management, equipment protection 1+1 (CDC and SCM) as well as instructions on how to configure them with CLI.

8600 Smart Routers Ethernet Configuration Guide (76.8600-50133)
    Provides an overview of 8600 system Ethernet applications, including interfaces; Ethernet forwarding (MAC Switching, Ethernet PWE3, IRB, VLAN, VPLS); Ethernet OAM; LAG; ELP as well as instructions on how to configure them with CLI.

8600 Smart Routers Fault Management Configuration Guide (76.8600-50115)
    Provides an overview of 8600 system fault management, including fault source, types and status as well as instructions on how to configure it with CLI.

8600 Smart Routers Frame Relay Configuration Guide (76.8600-50120)
    Provides an overview of 8600 system Frame Relay applications, including interfaces; Performance Monitoring; protection; Traffic Management as well as instructions on how to configure them with CLI.

8600 Smart Routers Hardware Installation Guide (76.8600-40039)
    Provides guidance on mechanical installation, cooling, grounding, powering, cabling, maintenance, commissioning and ESW downloading.

8600 Smart Routers Hardware Release Notes (76.8600-40027)
    Consists of the hardware release notes of the network element components in 8605 Smart Router, 8607 Smart Router, 8609 Smart Router, 8611 Smart Router, 8615 Smart Router, 8620 Smart Router, 8630 Smart Router and 8660 Smart Router.

Layer 3 VPN

Fig. Overlapping VPNs

In the figure below the Partner has connectivity to the Company HQ Site but not to other sites. Overlapping VPNs can be implemented by using Route Targets in the correct manner. The figure below depicts how the required connectivity can be achieved. The implementation in the figure allows the Partner to reach all the networks at the Company HQ Site. The actual connectivity requirement might be that the Partner is allowed to access only a certain server at the Company HQ Site, in which case only that prefix should be advertised to the Partner (RT=Partner).

Fig. Basic Overlapping VPN

2.4.4 Management VPN

The IP interconnectivity of management VPNs should be such that the management station can communicate with CE routers but the CE routers cannot communicate with each other. The figure below shows the IP connectivity requirements. It can be seen that from the IP connectivity point of view there are multiple overlapping VPNs. The management station belongs to all those VPNs.

Fig. Management VPNs

The figure below shows one way of setting Route Targets in order to achieve the desired IP connectivity for management VPNs. In the figure there are management VPNs and two intranets. Note that it is enough that the management station learns one address that it can use for communication. Other customer addresses must not be advertised towards 8000 intelligent network manager. This is for security reasons and to reduce the number of addresses advertised to the VRF to which the management station is connected. RT=CE in the figure below should be attached only to one address (the loopback or interface address of CE).

Fig. 10 Management VPN

2.5 Limitations and Restrictions for VPN

This chapter provides an outline of VPN limitations and restrictions.
• 8600 system supports a maximum of 16 route target configuration lines per VRF. When any VRF has more than 16 import or export route targets, only the first 16 are returned by the network element.

2.6 References

[RFC4364] RFC4364 (2006-02), BGP/MPLS IP Virtual Private Networks (VPNs)

Virtual Private Network Configuration Examples

These chapters provide configuration examples for VPN networks. It is advisable always to refer to 8600 Smart Routers CLI Commands Manual for the latest information on:
• Default values to avoid unnecessary configuration
• Available configuration options and parametric range

To set up full mesh and hub-and-spoke layer 3 VPNs, at least the following configuration tasks are required:
• Configuration prerequisites:
    • Global IP routing; refer to the configuration examples in document 8600 IP Forwarding and Traffic Management Configuration Guide
    • MPLS switching; refer to the configuration examples in document 8600 MPLS Applications Configuration Guide
• Layer 3 VPN configuration:
    • 3.1 Full Mesh Layer 3 VPN
    • 3.2 Hub-and-Spoke Layer 3 VPN

3.1 Full Mesh Layer 3 VPN

The example provided in this chapter shows the CLI configuration steps required to configure a full mesh layer 3 VPN, where three customer sites need to be connected.
The configuration is applied for the network shown in Fig 11.

Fig. 11 Full Mesh VPN Example

3.1.1 U-PE Basic Configuration (Full Mesh)

Configuration tasks:
• Configuration of VRFs interacting with customers for upe1, upe2 and upe3
    • Create VRF
    • Configure a Route Distinguisher
    • Configure imported and exported routes towards the network

VRF Configuration

upe1 configuration

Step: Create a VRF
    upe1(config)# ip vrf vpnCust1
Step: Configure a Route Distinguisher
    upe1(cfg-vrf[vpnCust1])# rd 1:1
Step: Configure imported and exported routes towards the network
    upe1(cfg-vrf[vpnCust1])# route-target both 10:1

upe2 configuration

Step: Create a VRF
    upe2(config)# ip vrf vpnCust1
Step: Configure a Route Distinguisher
    upe2(cfg-vrf[vpnCust1])# rd 1:2
Step: Configure imported and exported routes towards the network
    upe2(cfg-vrf[vpnCust1])# route-target both 10:1

upe3 configuration

Step: Create a VRF
    upe3(config)# ip vrf vpnCust1
Step: Configure a Route Distinguisher
    upe3(cfg-vrf[vpnCust1])# rd 1:3
Step: Configure imported and exported routes towards the network
    upe3(cfg-vrf[vpnCust1])# route-target both 10:1
Step: Configure the RSVP-TE tunnels this VRF uses. This is intended for cases where the RSVP-TE tunnels available to the VRF need to be limited.
    upe3(cfg-vrf[vpnCust1])# include-any 0x01

3.1.2 U-PE Customer Side Configuration (Full Mesh)

Configuration tasks:
• Static routing
• OSPF routing
• E-BGP routing
• IP address and CE-VRF association for upe1, upe2 and upe3
    • Associate the interface to the VRF
    • Configure the interface IP address

Static Routing

Static routes can be used between U-PE and CE. This avoids the usage of any dynamic routing protocols. In this configuration example router upe1 uses static routes.

Step: Configure static routes towards the CE
    upe1(config)# ip route vrf vpnCust1 10.10.1.0/24 10.10.1.1

OSPF Routing

OSPF can be configured to exchange routes between U-PE and CE. In this configuration example router upe2 uses the OSPF protocol.

Step: Configure OSPF between upe2 and the customer CE
    upe2(config)# router ospf 10 vpnCust1
    upe2(cfg-ospf[10])# redistribute bgp
    upe2(cfg-ospf[10])# network 10.10.2.0/24 area

E-BGP Routing

BGP can be configured to exchange routes between U-PE and CE. In this configuration example router upe3 uses the BGP protocol.

Step: Configure eBGP between upe3 and the customer CE
    upe3(config)# router bgp 65003
    upe3(cfg-bgp[65003])# address-family ipv4 vrf vpnCust1
    upe3(cfg-bgp[65003]-af)# neighbor 10.10.3.1

IP Address and CE-VRF Association Configurations

The customers need to be associated to the VRF before they can transmit or receive traffic. This is done by associating interfaces to the VRF.

Step: Associate the interface to the VRF
    8660:
    upe1(config)# interface fe 5/1/1
    upe1(cfg-if[fe 5/1/1])# ip vrf forwarding vpnCust1
Step: Configure the interface IP address
    upe1(cfg-if[fe 5/1/1])# ip address 10.10.1.2/24

Step: Associate the interface to the VRF
    8660:
    upe2(config)# interface fe 5/1/2
    upe2(cfg-if[fe 5/1/2])# ip vrf forwarding vpnCust1
Step: Configure the interface IP address
    upe2(cfg-if[fe 5/1/2])# ip address 10.10.2.2/24

Step: Associate the interface to the VRF
    8660:
    upe3(config)# interface fe 5/1/3
    upe3(cfg-if[fe 5/1/3])# ip vrf forwarding vpnCust1
Step: Configure the interface IP address
    upe3(cfg-if[fe 5/1/3])# ip address 10.10.3.2/24

3.1.3 U-PE Network Side Configuration (Full Mesh)

Since there is an RSVP-TE access network between upe3 and npe3, an RSVP-TE tunnel is needed between them. It is assumed here that a separate tunnel is created for the VPN traffic.

Configuration tasks:
• Create an RSVP-TE tunnel from upe3 to npe3
• MP-eBGP VPN configuration for upe1, upe2 and upe3
    • Configure the neighbor router
    • Configure a loopback interface as a source of routing updates
    • Configure MP-eBGP for the VRF route exchange
    • Redistribute static routes to other VRFs

RSVP-TE Tunnels to N-PEs

Step: Allow any VRF having affinity 0x01 to use this trunk. The affinity is intended for cases where the potential users of the RSVP-TE tunnel need to be limited (in this example, to the VRF).
    upe3(config)# rsvp-trunk upe3-npe3
    upe3(cfg-rsvp-trunk[upe3-npe3])# map-route 0.0.0.0/0 mpls 0x01
Step: Configure the tunnel destination
    upe3(cfg-rsvp-trunk[upe3-npe3])# to 171.19.13.13

MP-eBGP VPN Configuration

upe1 configuration

Step: Configure the neighbor router
    upe1(config)# router bgp 65001
    upe1(cfg-bgp[65001])# neighbor 171.19.13.11 remote-as 65011
Step: Allow eBGP neighbors to be more than one hop away, i.e. they do not need to be on directly connected networks
    upe1(cfg-bgp[65001])# neighbor 171.19.13.11 ebgp-multihop
Step: Configure a loopback interface as a source of routing updates
    upe1(cfg-bgp[65001])# neighbor 171.19.13.11 update-source lo
Step: Configure MP-eBGP for the VRF route exchange
    upe1(cfg-bgp[65001])# address-family vpnv4 unicast
    upe1(cfg-bgp[65001]-af)# neighbor 171.19.13.11 activate
    upe1(cfg-bgp[65001]-af)# exit
Step: Inject static routes to the BGP process
    upe1(cfg-bgp[65001])# address-family ipv4 vrf vpnCust1
    upe1(cfg-bgp[65001]-af)# redistribute static

upe2 configuration

Step: Configure the neighbor router
    upe2(config)# router bgp 65001
    upe2(cfg-bgp[65001])# neighbor 171.19.13.11 remote-as 65011
Step: Allow eBGP neighbors to be more than one hop away, i.e. they do not need to be on directly connected networks
    upe2(cfg-bgp[65001])# neighbor 171.19.13.11 ebgp-multihop
Step: Configure a loopback interface as a source of routing updates
    upe2(cfg-bgp[65001])# neighbor 171.19.13.11 update-source lo
Step: Configure MP-eBGP for the VRF route exchange
    upe2(cfg-bgp[65001])# address-family vpnv4 unicast
    upe2(cfg-bgp[65001]-af)# neighbor 171.19.13.11 activate
    upe2(cfg-bgp[65001]-af)# exit
Step: Redistribute static routes to other VRFs
    upe2(cfg-bgp[65001])# address-family ipv4 vrf vpnCust1
    upe2(cfg-bgp[65001]-af)# redistribute ospf

upe3 configuration

Note that for upe3, the ipv4 address family is already configured since eBGP is also used towards the customer.

Step: Configure the neighbor router
    upe3(config)# router bgp 65003
    upe3(cfg-bgp[65003])# neighbor 171.19.13.13 remote-as 65011
Step: Allow eBGP neighbors to be more than one hop away, i.e. they do not need to be on directly connected networks
    upe3(cfg-bgp[65003])# neighbor 171.19.13.13 ebgp-multihop
Step: Configure a loopback interface as a source of routing updates
    upe3(cfg-bgp[65003])# neighbor 171.19.13.13 update-source lo
Step: Configure MP-eBGP for the VRF route exchange
    upe3(cfg-bgp[65003])# address-family vpnv4 unicast
    upe3(cfg-bgp[65003]-af)# neighbor 171.19.13.13 activate

3.1.4 N-PE Configuration (Full Mesh)

Configuration tasks:
• Configuration of VRFs for N-PEs npe1 and npe3
    • Create VRF
    • Configure a Route Distinguisher
    • Configure imported and exported routes towards the network
• Create an RSVP-TE tunnel from npe3 to upe3

VRF Configuration

npe1 configuration

Step: Create a VRF
    npe1(config)# ip vrf vpnCust1
Step: Configure a Route Distinguisher
    npe1(cfg-vrf[vpnCust1])# rd 1:11
Step: Configure imported and exported routes towards the network
    npe1(cfg-vrf[vpnCust1])# route-target both 10:1

npe3 configuration

Step: Create a VRF
    npe3(config)# ip vrf vpnCust1
Step: Configure a Route Distinguisher
    npe3(cfg-vrf[vpnCust1])# rd 1:13
Step: Configure imported and exported routes towards the network
    npe3(cfg-vrf[vpnCust1])# route-target both 10:1

RSVP-TE Tunnel to U-PEs

Step: Allow any VRF having affinity 0x01 to use this trunk. The affinity is intended for cases where the potential users of the RSVP-TE tunnel need to be limited (in this example, to the VRF).
    npe3(config)# rsvp-trunk npe3-upe3
    npe3(cfg-rsvp-trunk[npe3-upe3])# map-route 0.0.0.0/0 mpls 0x01
Step: Configure the tunnel destination. After this CLI command the RSVP signalling starts.
    npe3(cfg-rsvp-trunk[npe3-upe3])# to 171.19.13.3

3.2 Hub-and-Spoke Layer 3 VPN

The example provided in this chapter shows the CLI configuration steps required to configure a hub-and-spoke layer 3 VPN where the Headquarters is the hub site and Branch Offices are the spoke sites. The configuration is applied for the network described in Fig 12.

Fig. 12 Hub and Spoke VPN Example

3.2.1 U-PE Basic Configuration (Hub-and-Spoke)

Configuration tasks:
• Configuration of VRFs interacting with customers for upe1, upe2 and upe3
    • Create VRF
    • Configure a Route Distinguisher
    • Configure import and export Route Targets
    • Configure imported and exported routes towards the network

VRF Configuration

The VRFs interacting with the customers need to be configured. The difference between hub-and-spoke and full mesh is that different import and export Route Targets are needed to separate the hub-to-spoke and spoke-to-hub traffic.

upe1 configuration

Step: Create a VRF for customer CE1
    upe1(config)# ip vrf vpnCust1
Step: Configure a Route Distinguisher
    upe1(cfg-vrf[vpnCust1])# rd 1:1
Step: Configure the Route Target value for routes advertised by MP-BGP. Route target = Hub
    upe1(cfg-vrf[vpnCust1])# route-target export 10:1
Step: Configure the Route Target value required for accepted MP-BGP advertised routes. Route target = Spoke
    upe1(cfg-vrf[vpnCust1])# route-target import 10:2

upe2 configuration

Step: Create a VRF for customer CE2
    upe2(config)# ip vrf vpnCust1
Step: Configure a Route Distinguisher
    upe2(cfg-vrf[vpnCust1])# rd 1:2
Step: Configure the Route Target value for routes advertised by MP-BGP. Route target = Hub
    upe2(cfg-vrf[vpnCust1])# route-target export 10:1
Step: Configure the Route Target value required for accepted MP-BGP advertised routes. Route target = Spoke
    upe2(cfg-vrf[vpnCust1])# route-target import 10:2

upe3 configuration

Note that import and export Route Targets have now been divided into separate VRFs as required for the hub site.

Step: Create a VRF for customer CE3 traffic from Spokes
    upe3(config)# ip vrf vpnCust1FromSpokes
Step: Configure a Route Distinguisher
    upe3(cfg-vrf[vpnCust1FromSpokes])# rd 1:31
Step: Configure the Route Target value for routes advertised by MP-BGP. Route target: Spoke
    upe3(cfg-vrf[vpnCust1FromSpokes])# route-target export 10:2
    upe3(cfg-vrf[vpnCust1FromSpokes])# exit
Step: Create a VRF for customer CE3 traffic to Spokes
    upe3(config)# ip vrf vpnCust1ToSpokes
Step: Configure a Route Distinguisher
    upe3(cfg-vrf[vpnCust1ToSpokes])# rd 1:32
Step: Configure the Route Target value required for accepted MP-BGP advertised routes. Route target = Hub
    upe3(cfg-vrf[vpnCust1ToSpokes])# route-target import 10:1
Step: Configure the RSVP-TE tunnels this VRF uses
    upe3(cfg-vrf[vpnCust1ToSpokes])# include-any 0x01

3.2.2 U-PE Customer Side Configuration (Hub-and-Spoke)

Configuration tasks:
• Static route. The configuration is the same as in full mesh, refer to chapter Static Routing for instructions.
• OSPF routing. The configuration is the same as in full mesh, refer to chapter OSPF Routing for instructions.
• E-BGP routing. The configuration is the same as in full mesh, refer to chapter E-BGP Routing for instructions.
• IP address and CE-VRF association for upe1, upe2 and upe3
    • Associate the interface to the VRF
    • Configure the interface IP address

IP Address and CE-VRF Association Configurations

upe1 and upe2 are configured as in full mesh, refer to chapter IP Address and CE-VRF Association Configurations for instructions.

upe3 configuration

Step: Associate the interface to the VRF
    8660:
    upe3(config)# interface fe 5/1/3
    upe3(cfg-if[fe 5/1/3])# ip vrf forwarding vpnCust1FromSpokes
Step: Configure the interface IP address
    upe3(cfg-if[fe 5/1/3])# ip address 10.10.3.2/24
    upe3(cfg-if[fe 5/1/3])# exit
Step: Associate the interface to the VRF
    8660:
    upe3(config)# interface fe 5/1/4
    upe3(cfg-if[fe 5/1/4])# ip vrf forwarding vpnCust1ToSpokes
Step: Configure the interface IP address
    upe3(cfg-if[fe 5/1/4])# ip address 10.10.3.4/24

3.2.3 U-PE Network Side Configuration (Hub-and-Spoke)

Configuration tasks:
• RSVP-TE tunnels to N-PEs. The configuration is the same as in full mesh, refer to chapter RSVP-TE Tunnels to N-PEs for instructions.
• MP-eBGP VPN configuration for upe1, upe2 and upe3

MP-eBGP VPN Configuration

upe1 and upe2 are configured as in full mesh; refer to chapter MP-eBGP VPN Configuration for instructions.

upe3 configuration

For upe3, the following configurations are needed in addition to the full mesh configuration.

Step: Allow re-advertisement of all routes containing a duplicate AS number (refers to Access Network AS number)
    upe3(config)# router bgp 65003
    upe3(cfg-bgp[65003])# address-family ipv4 vrf vpnCust1ToSpokes
    upe3(cfg-bgp[65003]-af)# neighbor 10.10.3.1 allowas-in

3.2.4 N-PE Configuration (Hub-and-Spoke)

Configuration tasks:
• Configuration of VRFs for N-PEs npe1 and npe3
    • Create VRF
    • Configure a Route Distinguisher
    • Configure imported and exported routes towards the network

VRF Configuration

The difference between hub-and-spoke and full mesh is that different import and export Route Targets are needed since hub-to-spoke and spoke-to-hub traffic need to be separated.

npe1 configuration

Step: Create a VRF for traffic from Spokes
    npe1(config)# ip vrf vpnCust1FromSpokes
Step: Configure a Route Distinguisher
    npe1(cfg-vrf[vpnCust1FromSpokes])# rd 1:111
Step: Configure the Route Target value for routes advertised by MP-BGP. Route target = Spoke
    npe1(cfg-vrf[vpnCust1FromSpokes])# route-target export 10:2
Step: Configure the Route Target value required for accepted MP-BGP advertised routes. Route target = Spoke
    npe1(cfg-vrf[vpnCust1FromSpokes])# route-target import 10:2
    npe1(cfg-vrf[vpnCust1FromSpokes])# exit
Step: Create a VRF for traffic to Spokes
    npe1(config)# ip vrf vpnCust1ToSpokes
Step: Configure a Route Distinguisher
    npe1(cfg-vrf[vpnCust1ToSpokes])# rd 1:112
Step: Configure the Route Target value for routes advertised by MP-BGP. The exported Route Target is different in order to prevent unnecessary routes in other Spoke N-PEs (when there is more than one Spoke N-PE). Route target = HubPE
    npe1(cfg-vrf[vpnCust1ToSpokes])# route-target export 10:12
Step: Configure the Route Target value required for the accepted MP-BGP advertised routes. Route target = Hub
    npe1(cfg-vrf[vpnCust1ToSpokes])# route-target import 10:1

npe3 configuration

Step: Create a VRF
    npe3(config)# ip vrf vpnCust1FromSpokes
Step: Configure a Route Distinguisher
    npe3(cfg-vrf[vpnCust1FromSpokes])# rd 1:131
Step: Configure the Route Target value for routes advertised by MP-BGP. Route target = Spoke
    npe3(cfg-vrf[vpnCust1FromSpokes])# route-target export 10:2
Step: Configure the Route Target value required for the accepted MP-BGP advertised routes. Route target = Spoke
    npe3(cfg-vrf[vpnCust1FromSpokes])# route-target import 10:2
    npe3(cfg-vrf[vpnCust1FromSpokes])# exit
Step: Create a VRF
    npe3(config)# ip vrf vpnCust1ToSpokes
Step: Configure a Route Distinguisher
    npe3(cfg-vrf[vpnCust1ToSpokes])# rd 1:132
Step: Configure the Route Target value for routes advertised by MP-BGP. Route target = Hub
    npe3(cfg-vrf[vpnCust1ToSpokes])# route-target export 10:1
Step: Configure the Route Target value required for the accepted MP-BGP advertised routes. Route target = HubPE
    npe3(cfg-vrf[vpnCust1ToSpokes])# route-target import 10:12

3.3 Overlapping Layer 3 VPN

Basically overlapping VPNs are achieved only by importing several Route Targets.
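Added example (not part of the Coriant manual): the script below parses the U-PE route-target commands of the hub-and-spoke example in 3.2.1 and checks that no spoke VRF imports a Route Target exported by another spoke, and that no VRF exceeds the 16 route-target lines noted in 2.5. The names Vrf, parse_vrfs, import_edges and audit are hypothetical, and the model assumes a route is imported wherever an exported Route Target matches an imported one, ignoring the BGP session topology.

```python
import re
from dataclasses import dataclass, field

# U-PE VRF commands transcribed from section 3.2.1 (hub-and-spoke example).
HUB_AND_SPOKE_CONFIG = """\
upe1(config)# ip vrf vpnCust1
upe1(cfg-vrf[vpnCust1])# rd 1:1
upe1(cfg-vrf[vpnCust1])# route-target export 10:1
upe1(cfg-vrf[vpnCust1])# route-target import 10:2
upe2(config)# ip vrf vpnCust1
upe2(cfg-vrf[vpnCust1])# rd 1:2
upe2(cfg-vrf[vpnCust1])# route-target export 10:1
upe2(cfg-vrf[vpnCust1])# route-target import 10:2
upe3(config)# ip vrf vpnCust1FromSpokes
upe3(cfg-vrf[vpnCust1FromSpokes])# rd 1:31
upe3(cfg-vrf[vpnCust1FromSpokes])# route-target export 10:2
upe3(config)# ip vrf vpnCust1ToSpokes
upe3(cfg-vrf[vpnCust1ToSpokes])# rd 1:32
upe3(cfg-vrf[vpnCust1ToSpokes])# route-target import 10:1
upe3(cfg-vrf[vpnCust1ToSpokes])# include-any 0x01
"""
SPOKES = ["upe1/vpnCust1", "upe2/vpnCust1"]  # branch-office VRFs in the example
RT_LINE_LIMIT = 16  # route-target lines per VRF, from section 2.5
DIRECTIONS = ("import", "export", "both")

PROMPT = re.compile(r"^(?P<router>[\w-]+)\((?P<mode>[^)]*)\)#\s*(?P<cmd>.+)$")
VRF_MODE = re.compile(r"^cfg-vrf\[(?P<vrf>[^\]]+)\]$")


@dataclass
class Vrf:  # hypothetical helper type, not a vendor data model
    router: str
    name: str
    rd: str = ""
    imports: set = field(default_factory=set)
    exports: set = field(default_factory=set)
    rt_lines: int = 0


def parse_vrfs(text):
    """Return {"router/vrf": Vrf} built from prompt-prefixed CLI lines."""
    vrfs = {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        router, mode, cmd = m["router"], m["mode"], m["cmd"].split()
        if mode == "config" and cmd[:2] == ["ip", "vrf"] and len(cmd) == 3:
            vrfs.setdefault(f"{router}/{cmd[2]}", Vrf(router, cmd[2]))
            continue
        in_vrf = VRF_MODE.match(mode)
        if not in_vrf:
            continue  # interface, BGP and other modes are out of scope here
        key = f"{router}/{in_vrf['vrf']}"
        vrf = vrfs.setdefault(key, Vrf(router, in_vrf["vrf"]))
        if cmd[0] == "rd" and len(cmd) == 2:
            vrf.rd = cmd[1]
        elif cmd[0] == "route-target" and len(cmd) == 3 and cmd[1] in DIRECTIONS:
            vrf.rt_lines += 1
            if cmd[1] in ("import", "both"):
                vrf.imports.add(cmd[2])
            if cmd[1] in ("export", "both"):
                vrf.exports.add(cmd[2])
    return vrfs


def import_edges(vrfs):
    """(src, dst, shared RTs) wherever dst imports an RT that src exports."""
    edges = []
    for s_key, src in vrfs.items():
        for d_key, dst in vrfs.items():
            shared = src.exports & dst.imports
            if s_key != d_key and shared:
                edges.append((s_key, d_key, sorted(shared)))
    return sorted(edges)


def audit(vrfs, spokes):
    """List violations: spoke-to-spoke route import, or too many RT lines."""
    findings = []
    for src, dst, shared in import_edges(vrfs):
        if src in spokes and dst in spokes:
            findings.append(f"{dst} imports {shared} exported by spoke {src}")
    for key, vrf in vrfs.items():
        if vrf.rt_lines > RT_LINE_LIMIT:
            findings.append(f"{key} has {vrf.rt_lines} route-target lines")
    return findings


if __name__ == "__main__":
    parsed = parse_vrfs(HUB_AND_SPOKE_CONFIG)
    for src, dst, shared in import_edges(parsed):
        print(f"{src} -> {dst} via RT {', '.join(shared)}")
    print("findings:", audit(parsed, SPOKES) or "none")
```

Replacing a spoke's import line with the full-mesh form `route-target both 10:1` makes the audit report that spoke as importing the other spoke's routes.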

Date posted: 16/11/2017, 11:46

Table of contents

    8600 Smart Routers VPNs Configuration Guide

    8600 Smart Routers Technical Documentation

    8600 Smart Routers Discontinued Products

    2.2 Route Distribution in Layer 3 VPN

    2.2.1 Label Switched Paths (LSP)

    2.2.2 Route Distribution Among PE Routers

    2.2.3 Route Distribution Between U-PE and N-PE

    2.2.4 Route Distribution Between CE and PE Router

    2.3 Forwarding in Layer 3 VPN

    2.3.1 Traffic Flow from CE Device
