V300R001C10 BGP/MPLS VPN Technical White Paper
Issue 01
Date 2013-12-10
HUAWEI TECHNOLOGIES CO., LTD.
2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
[Huawei trademark graphic] and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://enterprise.huawei.com
About This Document

Purpose
This document describes the eSight BGP/MPLS VPN solution to help users learn about its key capabilities, application scenarios, and usage.

Intended Audience
This document is intended for:
- Technical support personnel
- Maintenance personnel

Symbol Conventions
The symbols that may be found in this document are defined as follows (the symbol graphics are not reproduced; only their descriptions follow).
- Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
- Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Change History
Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.
Issue 01 (2013-12-10): This issue is the first official release.
Contents
About This Document
1 Executive Summary
2 Introduction
3 ...
  3.1 Overview
  3.2 Implementation
    3.2.1 Automatic Discovery
    3.2.2 Quick Diagnosis
    3.2.3 Service Enabling and Disabling
    3.2.4 SLA
  3.3 Function Constraints
    3.3.1 Applicable Device Types
  3.4 Typical Applications
    3.4.1 Automatic Discovery
    3.4.2 Alarm Monitoring and Operating Status Monitoring
    3.4.3 Service Enabling and Disabling
    3.4.4 Quick Diagnosis
4 Conclusion
5 Acronyms and Abbreviations
1 Executive Summary

BGP/MPLS VPN is a Layer 3 virtual private network (L3VPN). It uses Border Gateway Protocol (BGP) to advertise VPN routes and uses Multiprotocol Label Switching (MPLS) to forward VPN packets on the backbone networks of service providers (SPs). MPLS seamlessly integrates the flexibility of IP routing with the simplicity of Asynchronous Transfer Mode (ATM) label switching. A connection-oriented control plane is added to an MPLS IP network, which enriches the means of managing and operating the network. On IP networks, MPLS traffic engineering (TE) has become an important tool for managing network traffic, reducing network congestion, and ensuring Quality of Service (QoS). Using MPLS-based IP networks as backbone networks has become an important means for IP network carriers to provide value-added services and is widely used by enterprises.

In the enterprise network market, enterprises can lease backbone networks from carriers to carry their services or construct their own VPNs. Enterprises that lease backbone networks from carriers must ensure that the network quality provided by the carrier meets their service requirements. Enterprises that construct VPNs must perform end-to-end (E2E) monitoring of the entire network to ensure that services run properly.

eSight BGP/MPLS VPN monitors VPN services from multiple aspects to help users locate and rectify faults promptly. This ensures the proper running of services, improves operation and maintenance efficiency, and reduces operation and maintenance costs. eSight BGP/MPLS VPN provides the following functions to monitor services: automatic service discovery, service alarm generation, and monitoring of service performance, service operating status, service enabling status, and service SLA data.
2 Introduction

eSight BGP/MPLS VPN helps users locate faults promptly on L3VPN networks that have the following features:
- Complex network structure
- Devices located in multiple regions
- Various services running on one L3VPN network
- Complex configuration of routing protocols
- Maintenance personnel with differing skill levels
3.1 Overview

Figure 3-1 shows the VPN service monitoring process.
Figure 3-1 VPN service monitoring process

The VPN service monitoring process is as follows:
1. A user deploys services on a network using the command-line interface (CLI) or the smart configuration tool.
2. eSight discovers the deployed services from the network.
3. eSight monitors service alarms, operating status, performance, SLA data, link status, and VPN routing and forwarding (VRF) status.
4. When a service is faulty, a user uses the quick diagnosis function to locate the fault.

Using the Smart Configuration Tool to Deploy Services
On an enterprise network, L3VPN service deployment involves delivering a large amount of configuration data to provider edges (PEs) and customer edges (CEs), most of which is identical across devices. eSight therefore provides the smart configuration tool to deploy services in batches. Figure 3-2 shows the process of using the smart configuration tool to deploy services.
Figure 3-2 Process of using the smart configuration tool to deploy services
The process of using the smart configuration tool to deploy services is as follows:
Step 1 Configure network resource information. Set the following service information based on the service plan: device IP addresses, interface IP addresses, VRF resource information (such as the services a VRF carries, the VRF name, VRF RD, VRF RT, and VRF routing policy), routing information (public routes and private routes), and MPLS information.
Step 2 Create a network plan sheet. Create the sheet based on the supported device types and the commands to be deployed.
Step 3 Set the network device parameters in the plan sheet to the planned values specified in Step 1.
Step 4 Import the plan sheet into eSight.
Step 5 (Optional) Send the plan sheet to the devices and verify the CLI parameter values.
Step 6 Send the plan sheet with the configured CLI parameters to the devices to complete service deployment.
----End

3.2 Implementation

3.2.1 Automatic Discovery
eSight provides the following automatic discovery modes:
- Discover by VRF connectivity: eSight checks whether the import RT of the VRF on one PE is the same as the export RT of the VRF on another PE. If the import RT and the export RT match, eSight checks whether the two PEs have a BGP peer relationship. If they do, eSight discovers the service between them.
- Discover by VRF name: eSight checks whether the VRF names on two PEs are the same. If the VRF names are the same and the two PEs have a BGP peer relationship, eSight discovers the service between the two PEs.
If private routes are established between PEs and CEs using Open Shortest Path First (OSPF), Intermediate System-Intermediate System (ISIS), or external BGP (EBGP), eSight can also automatically discover the services between the PEs and CEs, reducing the CE maintenance workload.
When devices from other mainstream manufacturers such as Cisco and H3C are used as PEs in VPN services, eSight can automatically discover the services deployed on those PEs based on the VRF information and BGP peer relationships. On the L3VPN service automatic discovery page, users set the discovery scope and discovery policy to discover services from devices.
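The two discovery policies above can be stated as set operations over VRF route targets and BGP peer sessions. The following is an added example, not eSight's own code: it runs both policies over a constructed inventory (the PE names, VRF names and route-target values are all made up) and reports the services that only one policy finds, which is the review a practitioner would want before trusting a discovered topology, since name matching misses hub-and-spoke services and reports VRFs that merely share a name.

```python
"""Added example, not eSight's own code: the two discovery policies of 3.2.1
run over a constructed inventory of PEs, their VRFs and BGP peer sessions.
Device names, VRF names and route targets are all constructed."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Vrf:
    pe: str                 # PE that hosts this VRF instance
    name: str               # VRF name as configured on the PE
    import_rts: frozenset   # route targets the VRF imports
    export_rts: frozenset   # route targets the VRF exports


# Constructed inventory. PE1 is a hub: it exports 65000:200 to spokes and imports
# their 65000:201. PE3 is a spoke under a different VRF name. PE4 reuses the name
# "vpn-a" but with unrelated route targets.
VRFS = [
    Vrf("PE1", "vpn-a", frozenset({"65000:100", "65000:201"}), frozenset({"65000:100", "65000:200"})),
    Vrf("PE2", "vpn-a", frozenset({"65000:100"}), frozenset({"65000:100"})),
    Vrf("PE3", "vpn-a-spoke", frozenset({"65000:200"}), frozenset({"65000:201"})),
    Vrf("PE4", "vpn-a", frozenset({"65000:300"}), frozenset({"65000:300"})),
]

# BGP peer relationships as unordered PE pairs (constructed); PE4 peers only with PE2.
BGP_PEERS = {
    frozenset({"PE1", "PE2"}),
    frozenset({"PE1", "PE3"}),
    frozenset({"PE2", "PE4"}),
}


def _service(v1, v2):
    """Order-independent key for the service between two VRF instances."""
    return frozenset({(v1.pe, v1.name), (v2.pe, v2.name)})


def discover_by_vrf_connectivity(vrfs, bgp_peers):
    """'Discover by VRF connectivity': an import RT of the VRF on one PE equals an
    export RT of the VRF on another PE (checked in both directions), and the two
    PEs have a BGP peer relationship."""
    found = set()
    for v1, v2 in combinations(vrfs, 2):
        if v1.pe == v2.pe:
            continue
        rt_match = (v1.import_rts & v2.export_rts) or (v2.import_rts & v1.export_rts)
        if rt_match and frozenset({v1.pe, v2.pe}) in bgp_peers:
            found.add(_service(v1, v2))
    return found


def discover_by_vrf_name(vrfs, bgp_peers):
    """'Discover by VRF name': the same VRF name on two PEs that are BGP peers."""
    found = set()
    for v1, v2 in combinations(vrfs, 2):
        if v1.pe != v2.pe and v1.name == v2.name and frozenset({v1.pe, v2.pe}) in bgp_peers:
            found.add(_service(v1, v2))
    return found


def policy_differences(vrfs, bgp_peers):
    """Services that only one policy reports. A hub-and-spoke service is missed by
    name matching; a VRF name reused for an unrelated VPN is a false positive of
    it. Reviewing this set before trusting the discovered topology is the check."""
    by_rt = discover_by_vrf_connectivity(vrfs, bgp_peers)
    by_name = discover_by_vrf_name(vrfs, bgp_peers)
    return {"rt_only": by_rt - by_name, "name_only": by_name - by_rt}


if __name__ == "__main__":
    for policy, services in (("VRF connectivity", discover_by_vrf_connectivity(VRFS, BGP_PEERS)),
                             ("VRF name", discover_by_vrf_name(VRFS, BGP_PEERS))):
        print(policy)
        for svc in sorted(services, key=sorted):
            print("  " + " <-> ".join(f"{pe}/{vrf}" for pe, vrf in sorted(svc)))
```

With this inventory the connectivity policy finds the PE1-PE2 service and the PE1-PE3 hub-spoke service, while the name policy finds PE1-PE2 and the unrelated PE2-PE4 pair; the `policy_differences` output makes both discrepancies visible.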
Figure 3-3 L3VPN service automatic discovery page

3.2.2 Quick Diagnosis
The quick diagnosis function allows users to locate faults at different network layers. When a service is faulty, a user can locate the fault at the PE-CE access layer, the PE-PE L3 link layer, and the PE-PE LSP bearing layer, in that order. For details, see 3.4.4 Quick Diagnosis.

3.2.3 Service Enabling and Disabling
When a service is enabled, it is activated; when a service is disabled, it is deactivated. The service enabling status is derived from the management status of the bound VRF interfaces: if a bound VRF interface is disabled, the corresponding PE-CE link is disabled, and if all bound VRF interfaces of a service are disabled, the service is disabled.
Users can enable or disable services to control service availability. Users can also enable or disable a single service interface to control one CE's connection to a VPN service. In the Hub-Spoke network shown in Figure 3-4, users can enable or disable the VRF interfaces enclosed in red boxes to control each CE's connection to the VPN network.
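The status rules in 3.2.3 are a small derivation from interface management state. The following added example, which is not eSight code, models bound VRF interfaces and a service, derives PE-CE link status and service status from them, and walks through the hub-spoke case: disabling one spoke's interface isolates that CE while the service stays enabled, and the service only reads as disabled once every bound interface is down. PE, CE and interface names are constructed.

```python
"""Added example, not eSight's own code: deriving PE-CE link status and service
enabling status from the management status of bound VRF interfaces (3.2.3),
including per-CE control in a hub-spoke service. All names are constructed."""
from dataclasses import dataclass, field


@dataclass
class VrfInterface:
    pe: str                 # PE that owns the interface
    name: str               # interface name on the PE (constructed)
    ce: str                 # CE reached over this PE-CE link
    admin_up: bool = True   # management (administrative) status


@dataclass
class Service:
    name: str
    interfaces: list = field(default_factory=list)   # VRF interfaces bound to the service

    def link_status(self):
        """A PE-CE link is disabled exactly when its bound VRF interface is disabled."""
        return {(i.pe, i.ce): ("enabled" if i.admin_up else "disabled") for i in self.interfaces}

    def status(self):
        """The service is disabled only when all of its bound VRF interfaces are disabled."""
        if not self.interfaces or all(not i.admin_up for i in self.interfaces):
            return "disabled"
        return "enabled"

    def set_service(self, enabled):
        """Enable or disable the whole service by acting on every bound interface."""
        for i in self.interfaces:
            i.admin_up = enabled

    def set_ce(self, ce, enabled):
        """Enable or disable one CE's connection to the VPN via its PE-CE interface."""
        targets = [i for i in self.interfaces if i.ce == ce]
        if not targets:
            raise KeyError(f"no VRF interface bound for CE {ce}")
        for i in targets:
            i.admin_up = enabled


def hub_spoke_walkthrough():
    """Disable one spoke, then the whole service; return the observed states."""
    svc = Service("vpn-a", [
        VrfInterface("PE1", "GE1/0/1", "Hub-CE"),
        VrfInterface("PE2", "GE1/0/1", "Spoke-CE1"),
        VrfInterface("PE3", "GE1/0/1", "Spoke-CE2"),
    ])
    svc.set_ce("Spoke-CE2", False)                       # isolate one spoke only
    spoke_link = svc.link_status()[("PE3", "Spoke-CE2")]
    service_after_spoke = svc.status()                   # still enabled: other links are up
    svc.set_service(False)                               # now every bound interface is down
    return spoke_link, service_after_spoke, svc.status()


if __name__ == "__main__":
    print(hub_spoke_walkthrough())   # ('disabled', 'enabled', 'disabled')
```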
Figure 3-4 Hub-Spoke network

3.2.4 SLA
After discovering a VPN service, eSight creates an ICMP ping-based SLA task for its PE-PE and PE-CE links by default. Users can then monitor SLA compliance for the PE-PE and PE-CE links. For details, see the eSight V200R003C01 SLA Technical White Paper.
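The page says an ICMP ping-based SLA task is created per link but does not state the thresholds. The following added example, not eSight code, shows what such a task evaluates: packet loss, average round-trip time and jitter over a window of ping samples, compared with thresholds. The thresholds, the link names and the sample RTTs are all constructed for the example (jitter here is the mean absolute difference between consecutive RTTs, an assumption of this example, not eSight's definition).

```python
"""Added example, not eSight's own code: evaluating SLA compliance of PE-PE and
PE-CE links from ICMP ping samples. Thresholds and samples are constructed."""
from statistics import mean

# Assumed SLA thresholds (constructed for the example, not taken from the page).
SLA = {"max_loss_pct": 1.0, "max_avg_rtt_ms": 50.0, "max_jitter_ms": 10.0}

# Constructed samples: per link, one RTT in ms per probe, None for a lost probe.
SAMPLES = {
    ("PE1", "PE2"): [8, 9, 8, 10, 9, 8, 9, 8, 9, 8],         # healthy backbone link
    ("PE1", "CE1"): [2, 3, 2, None, 2, 3, 2, 2, 3, 2],       # one lost probe: 10% loss
    ("PE2", "CE2"): [4, 45, 4, 60, 4, 4, 55, 4, 4, 4],       # RTT spikes: high jitter
}


def link_metrics(rtts):
    """Loss percentage, average RTT and jitter for one window of ping samples."""
    lost = sum(r is None for r in rtts)
    answered = [r for r in rtts if r is not None]
    loss_pct = 100.0 * lost / len(rtts)
    avg_rtt = mean(answered) if answered else float("inf")
    # Jitter as mean absolute difference between consecutive answered probes.
    jitter = mean(abs(a - b) for a, b in zip(answered, answered[1:])) if len(answered) > 1 else 0.0
    return {"loss_pct": loss_pct, "avg_rtt_ms": avg_rtt, "jitter_ms": jitter}


def evaluate(samples, sla):
    """Per-link compliance report: metrics plus the list of violated thresholds."""
    report = {}
    for link, rtts in samples.items():
        m = link_metrics(rtts)
        violations = []
        if m["loss_pct"] > sla["max_loss_pct"]:
            violations.append("loss")
        if m["avg_rtt_ms"] > sla["max_avg_rtt_ms"]:
            violations.append("rtt")
        if m["jitter_ms"] > sla["max_jitter_ms"]:
            violations.append("jitter")
        report[link] = {**m, "compliant": not violations, "violations": violations}
    return report


if __name__ == "__main__":
    for link, r in evaluate(SAMPLES, SLA).items():
        state = "OK" if r["compliant"] else "VIOLATION " + ",".join(r["violations"])
        print(f"{link[0]}-{link[1]}: loss {r['loss_pct']:.1f}% "
              f"avg {r['avg_rtt_ms']:.1f} ms jitter {r['jitter_ms']:.1f} ms -> {state}")
```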
Figure 3-5 L3VPN SLA

3.3 Function Constraints

3.3.1 Applicable Device Types
The table lists, for each device category, the device types and the device versions supported.

Router
  NE20: V2R5C01, V2R5C02, V2R5C03, and V2R5C05
  NE20E series: V200R003C00, V200R003C01, V200R005C00, V200R005C01, V200R005C02, V200R005C03, V200R005C05, V600R003C00, V600R001C00, V600R003C05, and V600R005C00
  NE40 series: V300R002C00, V300R002C01, V300R003C00, V300R003C01, V300R003C02, V300R005C00, V300R005C01, and V600R001C00
  NE40E series: V300R001C00, V300R002C00, V300R003C00, V300R003C01, V300R003C02, V300R006C00, V300R006C01, V600R001C00, V600R001C01, V600R002C00, V600R002C05, V600R003C00, V600R003C01, V600R003C02, V600R003C03, V600R003C05, and V600R005C00
  NE80 series: V300R002C00, V300R002C01, V300R003C00, V300R003C01, V300R003C02, V300R005C00, and V300R005C01
  NE80E series: V1R2C00, V3R1C00, V3R2C00, V3R3C00, V3R3C01, V3R3C02, V3R6C00, V3R6C01, V6R1C00, V6R1C01, V600R002C00, V600R002C01, V600R002C02, V600R003C00, and V600R003C01

Switch
  S33 and S37 series: V1R3C00, V1R3C01, V1R5C00, V1R5C01, V1R6C00, and V1R6C01
  S53 and S57 series: V1R3C00, V1R3C01, V1R5C00, V1R5C01, V1R6C00, V1R6C01, and V2R1C00
  S63 and S67 series: V1R6C00, V1R6C01, V2R1C00, V200R001C01, and V200R002C00
  S77 and S93 series: V1R3C00, V1R3C01, V1R6C00, V1R6C01, V2R1C00, and V200R002C00

AR
  AR150, AR200, AR1200, AR2200, and AR3200 series: V2R1C00, V2R1C01, V2R2C00, V2R2C01, V2R2C02, V2R3C00, V2R3C01, and V2R2C01

Router (Cisco)
  7600 and 1000 series: (version not listed)

Router (H3C)
  SR6600, SR8800, AR28, AR29-1, AR46, AR49, S7502E, S7503E, and S7608-X: (version not listed)
3.4 Typical Applications

3.4.1 Automatic Discovery
eSight discovers deployed services from a network in either of two modes: discovery by VRF connectivity and discovery by VRF name. A user sets the discovery policy and the device scope (including PEs and CEs) and starts discovery; eSight then discovers the services automatically.
The service automatic discovery process is as follows:
1. Synchronize device configuration. eSight synchronizes the VPN service related information from the devices.
2. Discover services. eSight discovers services based on the discovery policy and the synchronized device configuration. Each service in the discovery result is classified into one of the following categories: modified service (PE-CE link change, PE-PE link change, or VRF information change), new service, or deleted service (eSight deletes services that no longer exist on the devices).
Figure 3-6 Service automatic discovery page

3.4.2 Alarm Monitoring and Operating Status Monitoring
Users can view the highest alarm severity of a service in the service list or service topology, and view the devices that generate alarms and the PE-CE link status in the service topology. Users can also open the Current Alarms page from the service list to view the alarm details of the service. In the service details, users can view the operating status and enabling status of each PE-CE link, link faults, and service availability on the current links.
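Step 2 of the discovery process in 3.4.1 compares the discovery result with the services already known and classifies each as new, modified or deleted. The following added example, not eSight code, implements that reconciliation over a constructed before/after pair of service sets, recording for a modified service which of the three change kinds the page names (PE-CE link change, PE-PE link change, VRF information change) applies. Service names, devices, RDs and route targets are constructed.

```python
"""Added example, not eSight's own code: classifying a discovery result against
the previously known service set into new, modified and deleted services (3.4.1).
All service, device, RD and RT values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VrfInfo:
    rd: str                 # route distinguisher
    import_rts: frozenset
    export_rts: frozenset


@dataclass(frozen=True)
class DiscoveredService:
    name: str
    pe_pe_links: frozenset  # set of frozenset({pe_a, pe_b})
    pe_ce_links: frozenset  # set of (pe, ce) tuples
    vrf_info: tuple         # sorted tuple of (pe, VrfInfo), so the record is hashable


def classify(previous, current):
    """previous/current: dict service name -> DiscoveredService.
    Returns the categories of 3.4.1 plus an 'unchanged' list."""
    result = {"new": [], "deleted": [], "modified": {}, "unchanged": []}
    result["new"] = sorted(current.keys() - previous.keys())
    # eSight deletes services that no longer exist on devices.
    result["deleted"] = sorted(previous.keys() - current.keys())
    for name in sorted(previous.keys() & current.keys()):
        old, new = previous[name], current[name]
        changes = []
        if old.pe_ce_links != new.pe_ce_links:
            changes.append("PE-CE link change")
        if old.pe_pe_links != new.pe_pe_links:
            changes.append("PE-PE link change")
        if old.vrf_info != new.vrf_info:
            changes.append("VRF information change")
        if changes:
            result["modified"][name] = changes
        else:
            result["unchanged"].append(name)
    return result


def _vrf(pe, rd, rts):
    return (pe, VrfInfo(rd, frozenset(rts), frozenset(rts)))


# Constructed "previous" discovery result.
PREVIOUS = {
    "vpn-a": DiscoveredService("vpn-a", frozenset({frozenset({"PE1", "PE2"})}),
                               frozenset({("PE1", "CE1"), ("PE2", "CE2")}),
                               (_vrf("PE1", "65000:1", {"65000:100"}), _vrf("PE2", "65000:2", {"65000:100"}))),
    "vpn-b": DiscoveredService("vpn-b", frozenset({frozenset({"PE1", "PE3"})}),
                               frozenset({("PE1", "CE1"), ("PE3", "CE3")}),
                               (_vrf("PE1", "65000:11", {"65000:110"}), _vrf("PE3", "65000:13", {"65000:110"}))),
}

# Constructed "current" result: vpn-a gained a CE and changed RTs on PE2,
# vpn-b disappeared from the devices, vpn-c is new.
CURRENT = {
    "vpn-a": DiscoveredService("vpn-a", frozenset({frozenset({"PE1", "PE2"})}),
                               frozenset({("PE1", "CE1"), ("PE2", "CE2"), ("PE2", "CE4")}),
                               (_vrf("PE1", "65000:1", {"65000:100"}), _vrf("PE2", "65000:2", {"65000:100", "65000:300"}))),
    "vpn-c": DiscoveredService("vpn-c", frozenset({frozenset({"PE2", "PE3"})}),
                               frozenset({("PE2", "CE2"), ("PE3", "CE3")}),
                               (_vrf("PE2", "65000:22", {"65000:220"}), _vrf("PE3", "65000:23", {"65000:220"}))),
}


if __name__ == "__main__":
    for category, items in classify(PREVIOUS, CURRENT).items():
        print(category, items)
```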
Figure 3-7 Service list
Figure 3-8 Service topology
Figure 3-9 Alarm list
Figure 3-10 PE-CE link status and VRF status

3.4.3 Service Enabling and Disabling
Users can enable or disable services to control service availability. For example, on an emergency network where only key services are allowed during an emergency, users disable the non-key services for the duration of the emergency and enable them again afterwards. Users can also enable or disable a single PE-CE link to control one CE's connection to a VPN network.
Figure 3-11 Service enabling and disabling

3.4.4 Quick Diagnosis
Quick diagnosis provides multiple diagnosis tools to help users locate service faults at different network layers.
For example, enterprise A has many offices that communicate with each other over an L3VPN. In Figure 3-12, a VPN is established between PE1 and PE2, and CE1 and CE2 are added to the VPN. CE1 and CE2 cannot communicate with each other, so the fault must be located on the VPN.
Figure 3-12 Example of an MPLS VPN network
Figure 3-13 shows the fault diagnosis process, where Yes indicates that the test result is connected and No indicates that the test result is disconnected.
Figure 3-13 Fault diagnosis process
Step 2 Locate faults at each network layer of the L3VPN service and determine the network layer where the fault has occurred.
1. At the L3VPN service layer, use ICMP ping or VRF ping to test the access controller (AC) link between PE1 and CE1 and the AC link between PE2 and CE2.
   - If an AC link test fails, view the port configuration at both ends of that AC link and locate the fault in the port configuration.
   - If the AC link tests succeed, use ICMP ping or VRF ping to test the backbone link between PE1 and PE2. If the backbone link test fails, test the LSP tunnel between PE1 and PE2.
2. Use LSP ping to test the LSP tunnel between PE1 and PE2.
   - If the LSP ping test succeeds, the LSP tunnel functions properly on the bearer network, and the fault has occurred at the L3VPN service layer.
   - If the LSP ping test fails, test the public routes.
Step 3 Use the appropriate trace tool to locate the faulty device by network segment. Use a trace route tool (ICMP Traceroute, VRF Traceroute, or LSP Traceroute, depending on the service layer) to detect the link path between PE1 and PE2 at the faulty network layer.
   - If the actual link path is detected, compare it with the correct service transmission path to locate the faulty device, then view the device configuration to locate the fault.
   - If the actual link path cannot be detected because routes have not converged, locate the faulty device by link segment.
If the fault cannot be located, contact Huawei technical support.
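The walk through Steps 2 and 3 is a fixed decision order: AC links first, then the PE-PE backbone in the VRF, then the LSP tunnel, then public routes, followed by a path comparison with the appropriate traceroute. The following added example, not eSight code, encodes that order with the connectivity results injected as plain booleans so it runs offline; the `Probes` fields stand in for the ping results eSight would collect, which is an assumption of the example, and the device names in the path comparison are constructed.

```python
"""Added example, not eSight's own code: the layered quick-diagnosis walk of
3.4.4 for the PE1/CE1 - PE2/CE2 scenario, with connectivity results injected so
it runs offline. The Probes fields stand in for the ICMP ping, VRF ping and LSP
ping results eSight would collect (an assumption of this example)."""
from dataclasses import dataclass


@dataclass
class Probes:
    """Connectivity test results; True means connected (Yes), False disconnected (No)."""
    ac_pe1_ce1: bool          # ICMP/VRF ping over the AC link PE1 - CE1
    ac_pe2_ce2: bool          # ICMP/VRF ping over the AC link PE2 - CE2
    backbone_pe1_pe2: bool    # ICMP/VRF ping over the backbone link PE1 - PE2
    lsp_pe1_pe2: bool         # LSP ping of the tunnel PE1 - PE2


def diagnose(p):
    """Walk the layers in the order of Step 2 and return
    (faulty layer or None, trace tool for Step 3, next action)."""
    for ac_ok, link in ((p.ac_pe1_ce1, "PE1-CE1"), (p.ac_pe2_ce2, "PE2-CE2")):
        if not ac_ok:
            return ("PE-CE access layer", "ICMP Traceroute / VRF Traceroute",
                    f"check the port configuration at both ends of the {link} AC link")
    if p.backbone_pe1_pe2:
        return (None, None, "all connectivity tests pass; the fault is not basic reachability")
    if p.lsp_pe1_pe2:
        # The LSP tunnel works, so the bearer network is fine: the fault is at the
        # L3VPN service layer between the PEs.
        return ("PE-PE L3 link layer", "VRF Traceroute",
                "trace the PE1-PE2 path in the VRF and compare it with the planned path")
    return ("PE-PE LSP bearing layer", "LSP Traceroute",
            "test the public routes between PE1 and PE2 and trace the LSP by segment")


def locate_by_path(expected_path, detected_path):
    """Step 3: compare the detected path with the planned one and name the device to
    inspect first. A divergence points at the last device that was still on the
    planned path; a path that stops short (routes not converged) points at the last
    device reached, from which the segment-by-segment check continues."""
    for i, (want, got) in enumerate(zip(expected_path, detected_path)):
        if want != got:
            return {"status": "diverged", "inspect": expected_path[i - 1] if i else got,
                    "unexpected_hop": got}
    if len(detected_path) < len(expected_path):
        last = detected_path[-1] if detected_path else expected_path[0]
        return {"status": "truncated", "inspect": last}
    return {"status": "match", "inspect": None}


if __name__ == "__main__":
    # Constructed scenario: AC links and LSP fine, VRF reachability across the backbone broken.
    print(diagnose(Probes(True, True, False, True)))
    print(locate_by_path(["PE1", "P1", "P2", "PE2"], ["PE1", "P1", "P3", "PE2"]))
    print(locate_by_path(["PE1", "P1", "P2", "PE2"], ["PE1", "P1"]))
```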
4 Conclusion

eSight BGP/MPLS VPN monitors VPN services from the aspects of alarms, performance, and SLA, and provides the quick diagnosis function to help users locate and rectify faults promptly.
5 Acronyms and Abbreviations

Acronym/Abbreviation: Full Name
BGP: Border Gateway Protocol
CE: Customer edge
MP-BGP: Multiprotocol extensions for BGP-4
MPLS: Multiprotocol Label Switching
P: Provider
PE: Provider edge
SLA: Service level agreement
VPN: Virtual private network
VRF: VPN routing and forwarding