MPLS cisco QOS VPN full mpls vpn netman

MPLS/VPN Network Management

Cisco VPN Solution Center 2.0
Tom Zingale


© 1999, Cisco Systems, Inc.


Overview/Timelines/Features

Cisco Confidential


Delivering on the strategy
VPN Solution Center
• Is Cisco’s Service Management platform for multiple IP VPN technology offerings
  – Managed MPLS VPN
  – Managed IPsec VPN
  – Access VPN (Broadband & Narrowband) tying to MPLS VPN
  – Last mile secure (IPsec) tying to MPLS VPN
• Provides across the board support for all MPLS and IPsec VPN enabled Platforms

Cisco VPN Solutions Center Features
[Diagram labels: MPLS VPNs; IPsec VPNs; CE; PE; P; MPLS Core]
• Provisioning
• SLA Monitoring
• Auditing
• VPN Aware SLA Reporting
• VPN Usage Accounting
• CORBA API
• XML
[Diagram labels: VPN Usage; Reporting; Provisioning; SLA; Accounting; Events]


IP VPN Solution Strategy - Charter
[Diagram labels: Customer Premises; Service Provider Network; IPsec; MPLS; Cisco IOS VPN Routers; Cisco VPN 3000 Concentrators; Cisco VPN 5000 Concentrators; VPN 3000; VPN 5000; Firewall; Wireless Equipment; DSL Equipment; Cable Equipment; 8xx - 4xxx Routers; 3xxx - 7xxx Routers; 62xx; 10000ESR; GSR; MGX; 7600OSR; Others; Cisco IOS Software-Based VPN Technologies]
VPN Solution Center for Scalable Management

VPNSC Timeline
• Oct, 99 - VPNSC: MPLS Solution (Eureka 1.0)
• Nov, 99 - VPNSC: MPLS Solution (Eureka 1.0.2)
• Mar, 00 - VPNSC: MPLS Solution (Eureka 1.1)
• Nov, 00 - VPNSC: MPLS Solution (Eureka 1.2.1)
• March 01 - VPNSC 2.0 (MPLS+IPSec)
• Nov 01 - VPNSC 2.1
• Q1 CY2002 - VPNSC 3.0

VPN Solution Center 2.0 Major Features
• Distributed Telnet Gateway Server (TGS)
• Auditing and Provisioning Engine performance enhancement
• Templates Manager
  – General IOS command generation
• CE Staging within VPNSC
• SSH and SNMPv3 support
• Auto Provisioning SAA probes with VPN service
• Exec command, IOS configuration version control and download console
• IPSec Provisioning Engine and GUI
• High Availability Solution for Customer
  – Journaling of Database and Playback

Provisioning


Provisioning MPLS/VPN Services
VPN Solution Center
• Automatic Generation of VPN IOS commands
• Provisioning based on network configuration
• Manages IP addresses, RD and RT values and VRFs
• Auditing of both configuration and routing to verify VPN connectivity
• Managed and unmanaged CE support
• Automatic Management VPN provisioning
• Latest hardware support
  – Cable, DSL, GSR, ESR, MGX, 7600, others…

Smart Provisioning Engine
• Easy modification of service using IOS command object model
• Support of IOS deltas and provisioning based on uploaded commands
• Validation of operator inputs against the current network configuration before provisioning

Just in Time Provisioning Mechanism
[Diagram labels: Management Network/NOC; Management VPN; VPN SC; MPLS CORE; PE; CE; Blue VPN site 1; Blue VPN site 2]
• Telnet or SSH to PE
  – Upload current configuration
• Telnet or SSH to CE
  – Upload current configuration
• Validate Operator input against the network
• Create the PE/CE configlet
• Download and Activate IPSec or MPLS/VPNs

Verification of VPN Service
• Auditing Verifies VPN is functioning
  – Audit per customer
  – Audit per VPN
  – Audit per PE and CE link
  – Audits are normally scheduled periodically
• Audit IOS Configuration
  – Verify provisioned VPN IOS commands line by line
• Audit Routing
  – Verify PE and CE link propagated between sites

VPN Service States
[State diagram: state change by provisioning]
• REQUESTED
• PENDING (Download OK)
• FAILED DEPLOY (Download Failed)
• DEPLOYED (Config ok)
• LOST (Missing Config)
• FAILED AUDIT
• FUNCTIONAL (Routing & Config ok)
• BROKEN (No routing)
• INVALID (Bad Service Request)
• CLOSED
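
The configuration audit ("verify provisioned VPN IOS commands line by line") and the routing audit feed the states above. The sketch below is an added example, not VPNSC code: it checks each configlet command under its parent section, so a VRF binding that drifted to the wrong interface is caught. The sample configs are constructed, and the function names and the mapping onto LOST / BROKEN / FUNCTIONAL are assumptions read from the slide labels.

```python
# Added example: hierarchy-aware config audit mapped to the slide's state names.
# Sample configs are constructed; the state mapping is an assumption, not VPNSC logic.
CONFIGLET = """ip vrf Blue
 rd 100:1
 route-target export 100:1
 route-target import 100:1
interface Serial0/0
 ip vrf forwarding Blue
"""
RUNNING = """hostname pe1
!
ip vrf Blue
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface Serial0/0
{a} ip address 192.0.2.1 255.255.255.252
!
interface Serial0/1
{b} ip address 192.0.2.5 255.255.255.252
"""
RUNNING_OK = RUNNING.format(a=" ip vrf forwarding Blue\n", b="")
RUNNING_DRIFT = RUNNING.format(a="", b=" ip vrf forwarding Blue\n")  # bound to wrong port

def parse_ios(config):
    """Return (parent-path, command) pairs, using IOS indentation for hierarchy."""
    entries, stack = set(), []           # stack holds (indent, command) of open sections
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue                     # skip blank lines and "!" separators
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                  # close sections at the same or deeper level
        cmd = " ".join(line.split())     # normalise internal whitespace
        entries.add((tuple(c for _, c in stack), cmd))
        stack.append((indent, cmd))
    return entries

def audit_config(configlet, running):
    """List configlet commands (with parent section) missing from the running config."""
    return sorted(parse_ios(configlet) - parse_ios(running))

def service_state(configlet, running, routes_seen):
    """Combine config audit and routing audit into a state name (assumed mapping)."""
    if audit_config(configlet, running):
        return "LOST"                    # missing config
    return "FUNCTIONAL" if routes_seen else "BROKEN"
```

A flat substring check would pass RUNNING_DRIFT because the command text is present; comparing with the parent section is what exposes the misplaced binding.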


Topology View of VPNs
• IPSec CPE to CPE Tunnel Views
• MPLS/VPN
• PE and CE Views
• CE to CE Views

Scalable Activation Engine
• Distributed and multi-threaded telnet gateway Server (TGS) for Activation
• VPNSC will load balance provisioning requests between multiple TGSs
• Support for Cisco Router Terminal server and initializing router using console
• Current Performance numbers 3300 PE and CE links per hour (using API)


Distributed Telnet Gateway Server (TGS) Provisioning
[Diagram labels: Large Set of VPN Service Requests; VPNSC; Generic Transport Layer Server; two TGS boxes, both labelled TGS1; Service Provider Network]
• Split Telnet Requests into smaller bundles based on threads of GTL
• Partition bundle, allocate to TGS 1 and provision
• Partition bundle, allocate to TGS2 and provision


Event Based Provisioning
Configuration Express Scenario (3.0)
[Diagram labels: Customer Site 1; Customer Site 2; Customer Site n; Cisco Mfg. Config Express; Order Entry; Service Provider Network; Cisco IE 2100 Appliances; PE; VPNSC; OK; Next Step in the Workflow; step markers 1 to 4]
1. Service rep accepts new customer service order, orders Cisco CPE
2. Cisco ships devices to site with provider-specified PnP configuration
3. Device boots, pulls service configuration, and validates the change
   Device publishes ‘configuration success’ event – IP Connectivity!
4. OSS workflow engine monitors events and triggers VPNSC to provision VPN related information to PE – VPN Service up and running!

IPsec to MPLS/VPN Provisioning 2.1
[Diagram labels: Cable or DSL with VPN clients; Fixed wireless; CPE; IPSec Tunnels; VPN 5000; VPN 3000; 802.1q; Frame DLCI; PE; MPLS Network; VPN SC; VPN1 CE; VPN2 CE; VPN3 CE]
• VPN 5000 or Double Diamond as IPSec Hub
• IPsec protects off-net traffic
• 802.1q, L2TP or FR PVC links IPSec to MPLS

Template System


Template Provisioning System
• Allows flexible and smart provisioning of any IOS commands
• Components
  – Template Manager GUI
  – Template API
• Template Definition language
  – Rich set of data types and expressions
  – Dimensional arrays, strings, float, more..
  – Tied to VPNSC VPN Service Request

Example VPN Provisioning with Templates
[Diagram labels: VPN SC; PE; CE; CPE; VPN1 site 1; VPN1 site 2; VPN2 site 1; VPN2 site 2; Stage CPE with IPv4 Configuration; +; Example Attribute Based HSRP VPN Service Template; Provisioning VPN Service]

VPNSC OSS Interfaces

• Complete CORBA APIs for IPSec and MPLS/VPN
  – Provisioning
  – VPN aware SLA data
  – Accounting APIs (MPLS Only)
  – Task Manager (scheduling)
  – Events API
  – Template Instantiation API
• CORBA Event Gateway & Tibco bus Events
• SLA, MIB Data available in XML Format
• XML interface for easy import and export of data to VPNSC Repository

VPNSC Partner Integrations

• VPN aware fault management
  – Cisco Info Center (OEM Micromuse)
• Multi-vendor and layer 2 Provisioning
  – Cisco Provisioning Center (OEM Syndesis)
  – System Integrators also available
• VPN aware Performance Reporting
  – Concord Network Health
• Usage Collection and Billing
  – Digiquant IMS and Portal Infranet

Flow Thru Provisioning using XML
[Diagram labels: XML File; VpnInvImport Executable; Provisioning GUI; Output; VPNSC Database; CORBA Provisioning API; XML Template Body; Data; Template; Schedule Service; CE; PE; P; MPLS Core]
• XML File via the VpnInvImport Executable, OR the Provisioning GUI: import information into VPNSC Database
  – Create CE, Customer, Site
  – Create PE, PAD
  – Allocate Address Pools
  – Create VPN Service Request(s)
• CORBA Provisioning API
  – Flexible XML Data File
  – Provision Any IOS Commands
• CORBA API to Create Template with IOS commands
• Provision VPN Service + Template

Performance Monitoring
