Administering Customer Edge Routers

C H A P T E R
Administering Customer Edge Routers

This chapter provides the fundamental concepts and considerations, as well as our recommendations, for administering customer edge routers (CEs) in a service provider environment. Before MPLS VPN Solution software can be appropriately deployed to deliver services to customers, the question of whether the CEs are to be managed by the service provider or not must be answered.
Unmanaged CE Considerations
One of the options available to the service provider is to not manage the CEs connected to the service provider network. For the service provider, the primary advantage of unmanaged CEs is administrative simplicity. If the CEs are unmanaged, the provider can use IPv4 connectivity for all management traffic. MPLS VPN Solution software is not employed for provisioning or managing unmanaged CEs. Figure 6-1 shows a basic topology with unmanaged CEs. Note that the network management subnet has a direct link to the service provider MPLS core network.
Figure 6-1 Service Provider Network and Unmanaged CEs
Service Provider Network Network management subnet VPN Solutions Center Telnet Gateway Server
NetFlow Collector Customer 1 CE PE Service provider MPLS core
NetFlow Collector Customer 1 PE CE

32065
Regarding unmanaged CEs, service providers should note the following considerations:
Cisco VPN Solutions Center: MPLS Solution User Guide 78-10548-02
6-1
Chapter 6 Managed CE Considerations
Unmanaged CEs are wholly outside the service providers administrative domain. Thus, there is no required connectivity from the CEs to the service provider network. There is no IP connectivity between a PE and an unmanaged CE. Thus, there is no access to the unmanaged CE via SNMP, Telnet, and so forth. The service provider cannot view the configuration or the traps of the unmanaged CE.
An unmanaged CE has independent IP addressing (nonlinear and overlapping). The service provider does not administer the following elements on the unmanaged CE:
IP addresses Host name Domain Name server Fault management (and timestamp coordination by means of the Network Time Protocol) Collecting, archiving, and restoring CE configurations Access data such as passwords and SNMP strings on the unmanaged CE
Customer routing and service provider routing are entirely separate. Prototype CE configlets are generated, but they are not automatically downloaded to the router. There is no configuration management.
With no configuration management, no configuration history is maintained and there is no
configuration change management.

Changes to a service request (on the PE-CE link) are not deployed to the CE.
There is no configuration auditing because there is no means to retrieve the current CE configuration. The CoS parameters are on the CE. You can perform routing auditing. You can use the Service Assurance Agent (SA Agent) to measure response times between shadow routers, but you cannot use SA Agent to measure response times between CEs. NetFlow Collector devices are operational.
Managed CE Considerations
The alternative to unmanaged CEs is managed CEs, that is, customer edge routers managed by the service provider. Managed CEs can be wholly within the service providers administrative domain or co-managed between the provider and the customer, although CE co-management poses a number of ongoing administrative challenges and is not recommended. For information on how you define a CE as a managed CE, refer to the Adding the Customer Edge Routers to a Site section on page 3-27. Regarding managed CEs, service providers should note the following considerations:

Managed CEs are within the service providers administrative domain. Thus, some connectivity to the CEs from the service provider network is required. The service provider must administer the following elements on the managed CE:
IP addresses Host name
Cisco VPN Solutions Center: MPLS Solution User Guide
6-2
78-10548-02
Chapter 6
Administering Customer Edge Routers Managed CE Considerations
Domain Name server Access data such as passwords and SNMP strings
The service provider should administer fault management (and timestamp coordination by means of the Network Time Protocol) The service provider can administer collecting, archiving, and restoring CE configurations. CE configlets are generated and downloaded to the managed CE. Changes to service requests are based on the current CE configuration and automatically downloaded. The CE configurations are audited. Customer routing and service provider routing must interact. Access from CEs to the management hosts on the network management subnet is required. Configuration auditing and routing auditing are both functional. You can use the Service Assurance Agent (SA Agent) to measure response times between CEs and between shadow routers. NetFlow Collector devices are operational.
The following sections discuss the concepts and issues required for administering a managed CE environment.
6-3
Chapter 6 What Is the Network Management Subnet?
What Is the Network Management Subnet?

The network management subnet begins with the MPLS VPN Solution workstation and the Cisco IP Manager workstations connected on a LAN or subnet. The MPLS VPN Solution network management subnet is required when the providers service offering entails the management of CEs. Once a CE is in a VPN, it is no longer accessible by means of conventional IPv4 routing unless one of the techniques described in this chapter is employed. Figure 6-2 shows the network management subnet and the devices that may be required to connect to it:
Figure 6-2 The MPLS VPN Solution Network Management Subnet
Service Provider Network Network management subnet MPLS VPN Solution Cisco IP Manager
NetFlow Collector Customer 1 CE PE
Connectivity method determined by service provider
NetFlow Collector Customer 1

32066
Service provider MPLS core
PE
CE
Access to VPN Issues

The core issues with regard to gaining access to VPNs are as follows:

How to keep provider space clean from unnecessary customer routes How to keep customer space clean from both the providers and other customers routes How to provide effective security How to prevent routing loops MPLS VPN Solution does not handle any of these responsibilitiesdoing so must be designed and implemented by the service provider.
Reachability changes as a direct consequence of employing MPLS VPN Solution. Before you provision a CE in the MPLS VPN Solution software, you might be able to reach the CE via IPv4 connectivity, but the moment the product deploys a task, you cannot reach that CE any moreunless you have first implemented the network management subnet.
On non-Frame Relay/ATM links, a service request never reaches the Deployed state unless a network management subnet is already in place.
6-4
78-10548-02
Chapter 6
Administering Customer Edge Routers The Network Management Subnet Implementation Techniques
The Network Management Subnet Implementation Techniques

The network management subnet must have access to Management CEs (MCEs), PEs, and the NetFlow Collector devices. The network management subnet is appropriateand necessaryonly if there is an intent to have managed CEs connected via an in-band connection. In-band indicates a single link or permanent virtual circuit (PVC) that carries both the customer's VPN traffic, as well as the providers network management traffic.
Management CE (MCE)
The network management subnet is connected to the Management CE (MCE). The MCE emulates the role of a customer edge router (CE), but the MCE is in provider space and serves as a network operations center gateway router. The MCE is part of a management site as defined in the MPLS VPN Solution software. For information on defining a CE as an MCE within MPLS VPN Solution software, see the Implementing the Management VPN Technique section on page 3-35.
Management PE (MPE)
The Management PE (MPE) emulates the role of a PE in the provider core network. The MPE connects the MCE to the provider core network. An MPE can have a dual role as both a PE and the MPE. The MPE needs access to the following devices: Device
1.
Connectivity Access from the network management subnet into the VPNs Access from the network management subnet into the VPNs
Function Provision or change configuration and collect SA Agent performance data A simulated CE used to measure data travel time between two devices Provision or change configuration Collect data
Customer Edge Routers (CEs) Shadow routers
2.
3. 4.
Provider Edge Routers (PEs) standard IP connectivity NetFlow Collector standard IP connectivity
At the current time, MPLS VPN Solution recommends three main network management subnet implementation techniques:
Management VPN Technique The MPE-MCE link uses a Management VPN (see the Management VPN Technique section on page 6-6) to connect to managed CEs. To connect to the PEs and NetFlow Connector, the MPE-MCE link uses a parallel IPv4 link.
Extranet Multiple VPN Technique The MPE-MCE link uses the Extranet Multiple VPN technique (see the Extranet Multiple VPN Technique section on page 6-7) to connect to managed CEs. To connect to the PEs and NetFlow Connector, the MPE-MCE link uses a parallel IPv4 link.
Out-of-Band Technique
6-5
Chapter 6 The Network Management Subnet Implementation Techniques
In the Out-of-Band technique, the MCE has IPv4 connectivity (that is, not MPLS VPN connectivity) to all the CEs and PEs in the network (see the Out-of-Band Technique section on page 6-9). In this context, out-of-band signifies a separate link between PEs that carries the providers management traffic. The network management subnet technique the provider chooses to implement depends on many factors, which are discussed later in this chapter.
Management VPN Technique

The Management VPN technique is the default method provisioned by MPLS VPN Solution. A key concept for this implementation technique is that all the CEs in the network are a member of the management VPN. To connect to the PEs and NetFlow Collector, the MPE-MCE link uses a parallel IPv4 link. Figure 6-3 shows a typical topology for the Management VPN technique.
Figure 6-3
Customer 3 Customer 3 VPN and management CE 1 route map Customer 2 Customer 2 VPN and management route map Customer 1 CE 1 CE 1 Customer 1 VPN and management route map
Typical Configuration for a Management VPN Network

Customer 1 Customer 1 VPN and management CE 2 route map Customer 2 Customer 2 VPN and management CE 2 route map Customer 3 Customer 3 VPN and management route map CE 2
Service Provider Network
MPE NetFlow Collector
Service provider MPLS core IPv4 link
PE NetFlow Collector
Management VPN
MCE VPN Solutions Center Telnet Gateway Server
Network management subnet

28566
When employing the Management VPN technique, the MPE-MCE link uses a management VPN to connect to managed CEs. To connect to the PEs and NetFlow Connector, the MPE-MCE link employs a parallel IPv4 link. Each CE in a customer VPN is also added to the management VPN by selecting the Join the management VPN option in the service request wizard (see the About Provisioning PE-CE Links in the Management VPN section on page 3-42). The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF (and therefore, per VPN).
6-6
78-10548-02
Chapter 6
As shown in Figure 6-3, a second parallel non-MPLS VPN link is required between the MPE and MCE to reach the PEs and the NetFlow Collector host. For information on how to provision a Management VPN in MPLS VPN Solution software, see the Implementing the Management VPN Technique section on page 3-35.
Note
Implementation of the Management VPN technique requires Cisco IOS 12.07 or higher.
Advantages
The advantages involved in implementing the Management VPN technique are as follows:

Provisioning with this method requires only one service request. The only routes given to the network management subnet are the routes to the CEsthat is, either the address of the CE link to the PE or the CE loopback address. General VPN routes are not given to the network management subnet. A CE in the Management VPN method is a spoke to the Management VPN regardless of which role the CE has within its own VPN. Therefore, CEs cannot be accidentally exposed to inappropriate routes. The only management routes the CEs can learn must come from a hub of the Management VPN.
Extranet Multiple VPN Technique

A key concept for this network management subnet technique is that the MPE-MCE pair are part of all the customers VPNs. When you a add new VPN to the Extranet Multiple VPN, you must create a service request each time a VPN is defined to add that VPN to the MPE-MCE pair, and thus to the network management subnet. To connect to the PEs and NetFlow Connector, the MPE-MCE link uses a parallel IPv4 link. Figure 6-4 shows a typical topology for the Extranet Multiple VPN.
6-7
Chapter 6 The Network Management Subnet Implementation Techniques
Figure 6-4
Extranet Multiple VPN
Customer 3 Customer 3 VPN CE 1 Customer 2 Customer 2 VPN CE 1 Customer 1 Customer 1 VPN CE 1 Service Provider Network Customer 3 VPN Customer 2 VPN Customer 1 VPN
Customer 1 CE 2 Customer 2 CE 2 Customer 3 CE 2
MPE NetFlow Collector
Service provider MPLS core IPv4 link
Customer 1, 2, and 3 VPN MCE VPN Solutions Center Telnet Gateway Server

28567
In the Extranet Multiple VPN (sometimes referred to as the rainbow VPN), several security and access list considerations exist, but these considerations are centralized at the MPE and MCE devices. The MPE includes the BGP routes to all customer routes. This should constrained such that only the CE subnet routes are imported to the interior gateway protocol.
Advantages
The advantages in implementing the Extranet Multiple VPN technique are as follows:

Only the MPE has routes for all the VPNsthe PEs do not have the VPN routes; that is, all the customer routes are only in the MPEs VRF route tables. You must apply access lists on the MPE-MCE link only. It is easy to create another MPE-MCE pair if necessary.
6-8
78-10548-02
Chapter 6
Out-of-Band Technique
The Out-of-Band technique does not employ a management VPN to manage the CEs. Out-of-band connectivity is provided by IPv4 links. Out-of-band signifies a separate link between PEs that carries the providers management traffic. As shown in Figure 6-5, the MCE provides separation between the providers routes and the customers routes.
Figure 6-5 Out-of-Band Technique
Customer 2 IPV4 link CE Customer 2 VPN IPV4 link CE Customer 1 VPN Service Provider Network Service provider MPLS core IPV4 link
Customer 1 Customer 1 VPN IPV4 link Customer 2 VPN CE CE
Customer 1
Customer 2
MCE VPN Solutions Center Telnet Gateway Server

28557
The Out-of-Band technique has the advantage of being relatively simple to set up, and no management VPN is required. However, its disadvantages are that it is expensive since it requires an IPv4 connection to each CE. Also, due to the delicate staging requirements for this technique, the Out-of-Band implementation does have a high degree of complexity.
6-9
Chapter 6 CE Staging Guidelines
CE Staging Guidelines
This section summarizes the general considerations to take into account when staging CEs.
1. 2.
Define the VPN in MPLS VPN Solution, and use the MPLS VPN Solution software to update the configuration of the PE and CE that supports it on the network management subnet. Go to Cisco IP Manager and define the CE object. This assumes that all PE objects are already defined in Cisco IP Manager. Cisco recommends that you connect the CE (with no configurationdirectly off the delivery truck) to a terminal server on the same LAN as MPLS VPN Solution.Inform Cisco IP Manager can about the terminal server and the port to which the CE is attached. Use a Cisco IP Manager template to configure everything on the CE except the interface toward the PE and the loopback interface that has the management address on it. Use Cisco IP Manager to configure customer-facing LANs, customer-facing routing protocols, user names, passwords, VTY definitions, and so forth.
3.
4.
5.
Update Cisco IP Managers definition of the CE object to reflect the changes made to user names and passwords. At this point, you are ready to go to MPLS VPN Solution. In MPLS VPN Solution, it is possible to define the target to represent the CE in such a way that the synchronization with Cisco IP Manager works smoothly. Note that a well-chosen naming scheme helps until Cisco IP Manager and MPLS VPN Solution are more fully integrated. It should not be necessary to provide MPLS VPN Solution user names and passwords, but it would still be a good idea to do so in case configuration file collection is required while the CE is still attached to the network management subnet. If you do provide MPLS VPN Solution user names and passwords, the optimal IP address would be the alias offered by the terminal server for access to the CE (not the address of the terminal server itself).
6.
In MPLS VPN Solution, provision normally, and request downloading of configlets to both the PE and the CE. When the product uses Cisco IP Manager for downloading configlets, it uses the administrative information in Cisco IP Manager, including terminal server access for the CE. The PE provisions normally.
7. 8.
The PE is now in the field, but configured for service; the CE is in the network management subnet, fully configured and ready to ship. Finally, update the object definitions in Cisco IP Manager and MPLS VPN Solution to reflect the fact that the CE has been shipped. You can remove the terminal server information and replace it with the management IP address given by MPLS VPN Solution.
6-10
78-10548-02
Chapter 6
Administering Customer Edge Routers Securing the Management Network
Securing the Management Network

If you use MPLS VPN Solution for IP allocation, you know the set of legal IP addresses for management access to CEs. Therefore, you can deny all packets that do not originate from an MPLS VPN Solution IP address pool. (If the network employs non-auto-picked IP addressing, augment the notion of pool to cover all legal IP addresses for a CE interface to a PE.) You can also limit access precisely to those hosts on the network management subnet that need it. The CE access lists between IP pool addresses and the network management subnet hosts should also specify the required ports for access (using Telnet). It is important to limit the port numbers. Cisco IP Manager uses TFTP; MPLS VPN Solution uses SNMP when it can (see the Using TFTP to Transport Router Configuration Files section on page 2-8). Those three ports are the only permissible ones. Access to the Orbix process running on either the Cisco IP Manager or MPLS VPN Solution hosts should particularly be denied. Cisco recommends the following access rules of type:

Permit from {Cisco IP Manager host, MPLS VPN Solution host} to anything in the pool. Deny all others.
Apply these access rules outbound on the CE on its interface up to the PE so that only MPLS VPN Solution and Cisco IP Manager can send packets, and then only to management addresses. Additional rules of type are as follows:

Permit from pool to {Cisco IP Manager host, MPLS VPN Solution host} for TCP established. Deny all others.
These rules should apply on the CE as an input list on its link from the PE. Thus, only responses are allowed ingeneral CEs cannot start a session to the management machinesand then only from legal IP addresses. Given these rules of type, only the CE can send packets into the network management subnet, and even those must be in response to a network management subnet query. Spoofing could be an issue, but for that Cisco recommends anti-spoofing access lists as part of the basic configuration of CEs at customer sitesdeny all packets coming from within a site marked with a management address.) The CEs do not need the CE-PE link when returning management packets. Another option is to suppress the network management subnet; that is, you can set up static addresses with /32 subnet masks on the PEone for each host on the network management subnet needing to receive packets from CEs. At a minimum, that would be the MPLS VPN Solution host and the Cisco IP Manager host. No other routes need to be allowed into the VRF supporting the network management subnet. Build the local entries in the VRF like this:
IP route VRF Management <MPLS VPN Solution Host/32 CE_address> IP route VRF Management <CIPM Host/32 CE_address>
The term VRF Management is for illustration purposes only; MPLS VPN Solution builds all this and picks a name for the VRF. To prevent injections of inappropriate routes, it is helpful to add this command:
IP route VRF Management 0.0.0.0/0 Null0
That is all you want to put in the local VRF table. From there, it dynamically learns all the routes to the other CEs. However, you cannot prevent it also knowing a directly connected route for the link between this PE and the Management CE. You must protect against customer attempts to gain access to the Management CE. The access lists described above control only transit traffic across that CE.
6-11
Chapter 6 Securing the Management Network
Therefore, Cisco recommends that the PE have an access list applied outbound on the link to the CE in the following form:
permit packets to {MPLS VPN Solution Host, CIPM Host} deny everything else
This is simple, and it means customers cannot gain access to the Management CE. Cisco recommends the following:
1.
In the PE configuration file, enter the following commands:

ip route vrf management MPLS VPN Solution host ip/32 <mce ip route vrf management cipm host ip/32 <mce
To dump unknowns, add this command:

ip route vrf management 0.0.0.0/0 Null0
2.
Whenever possible, use statics on the Management CE toouse a static or set of statics covering legal management addresses, as discussed above. If dynamic routing is absolutely required (meaning it is not known which addresses might be used for CE-PE links, which is not recommended), then you can use RIP. However, Cisco recommends doing so one way only: redistribute BGP into RIP on the PE, but do not redistribute back. MPLS VPN Solution makes two-way redistributions in such cases, so add the RIP configuration manually when setting this up. Route maps could apply here, but as noted, running dynamic routing is generally undesirable.
3.
The most important access lists are output and input lists on the Management CE. The output access list: On the Management CE, connected to Link B (with access to the VPNs), make an output access list as follows:
permit {MPLS VPN Solution host, CIPM host} to <pool deny all
The input access list is as follows:

permit <pool to {MPLS VPN Solution host, CIPM host} with tcp-established deny all
4.
To protect the Management CE, create an output access list on the PEs link B interface:
permit to {MPLS VPN Solution host, CIPM host} deny all
5.
If desired, also place an access list to protect the IPv4 link, depending on the service providers own access needs to the network management subnet.
6-12
78-10548-02

Administering Customer Edge Routers

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Administering Customer Edge Routers

Uploaded by

Copyright:

Available Formats

C H A P T E R