Basic Services Design and Implementation


The primary services delivered by EuropCom are IPv6 global IA, and IPv6 VPN access. Global IA can also be offered to VPN customers. Carrier's Carrier is another IPv6 service that EuropCom is offering to other ISPs.

Global IPv6 Internet Access Design and Implementation

The EuropCom infrastructure must be first enabled to provide IPv6 over MPLS connectivity from PEs to IPv6 Internet gateways. The IPv6 Internet gateways are typically located at each EuropCom IX (L1 POP).

PEs located in the L1 POP interface the Internet gateway over native IPv6 (routing and forwarding). IS-ISv6 is used to exchange routes between the PE to the IGW.

PEs located in L2 and L3 POPs interface with the IGW of their closest L1 POP. The peering in that case is performed over 6PE (IPv6 over MPLS), and routes are exchanged using iBGP peering via RRs. The IGW is also a 6PE with regard to providing IA to those remote 6PEs/CE.

From the BGP configuration standpoint, the IGW (for instance Milan-IGW) is just another PE, peering with the RRs, as described in the section "Route Reflector Design."

Table 13.5 reviews the tasks taking place to provide IPv6 IA to a new EuropCom customer. I

Table 13-5. A Deployment Task List

EuropCom Task

Customer Task

In L1 POP, enable PE<->IGW IS-ISv6 peering. Note that this is done prior to service deployment.

 

In L1 POPs, enable RR<->IGW iBGP peering. Note that this is done prior to service deployment, for the benefit of L2/L3 POP's PEs.

 

Enable L2/L3 POP's PE<->RR iBGP peering. Note that this is done once, at first attached IPv6 customer.

 

Allocate an IPv6 prefix P to the customer.

Enable the network for IPv6. This is done using one of the numerous available mechanisms (native, tunnels, and so on).

1) Enable the PE-CE interface by configuring link-local in the following form:

ipv6 address FE80::ASN:ID link-local

2) Configure a global address on the loopback interface in the following form:

ipv6 address 2001:6FC::node#/128

3) Protect the global address against denial-of-service (DoS) attacks using access control lists (ACLs).

1) Enable the CE-PE interface by configuring link-local in the following form:

ipv6 address FE80::ASN:ID link-local

2) Configure a global address on the loopback interface in the following form:

ipv6 address 2001:6FC:P::node#/128

3) Protect the global address against DoS attacks using ACLs.

Agree on a routing protocol on the PE-CE interface (preferred is eBGP).

Configure the routing protocol on the PE-CE interface.

Configure the routing protocol on the CE-PE interface.


Layer 3 MPLS VPN Service Design and Implementation

Before enabling IPv6 VPN service for its VPNv4 customers, EuropCom has set up its infrastructure to establish IPv6 MPLS VPN connectivity between 6VPEs (via RRs). This step is described in the section "Network Design." For L1 POP, this task has taken place before any customer service request was received. 6VPE peering for remaining locations is configured only when needed (at the first customer request). All RRs are deployed before offering VPN access to the first EuropCom VPNv6 customer.

Table 13-6 reviews the tasks taking place to provide VPNv6 access to a new EuropCom customer.

Table 13-6. Layer 3 VPN Deployment Task List

EuropCom Task

Customer Task

In L1 POPs, enable 6VPE-IGW IS-ISv6 peering. Note that this is done prior to service deployment.

 

In L1 POPs, enable RR<->IGW iBGP peering. Note that this is done prior to service deployment, for the benefit of L2/L3 POP's PEs.

 

Enable L2/L3 POP's PE<->RR iBGP peering. Note that this is done once, at first attached VPNv6 customer.

 

Allocate an IPv6 prefix P to the customer.

Defines an IPv6 addressing plan for subdividing P among IPv6 VPN sites, typically P:site#::/n.

Enable each site for IPv6. This is done using one of the numerous available mechanisms (native, tunnels, and so on).

Migrate the IPv4 VRF to MP-VRF using vrf upgrade-cli command.

 

1) Enable the PE-CE interface by configuring link-local in the following form:

ipv6 address FE80::ASN:ID link-local

2) Configure a global address on the loopback interface in the following form:

ipv6 address 2001:6FC::node#/128

2) Configure a global address on the loopback interface in the following form:

ipv6 address 2001:6FC::node#:/128

3) Protect the global address against DoS attacks using ACLs.

1) Enable the CE-PE interface by configuring link-local in the following form:

ipv6 address FE80::ASN:ID link-local

2) Configure a global address on the each PE-CE interface in the following form:

ipv6 address 2001:6FC:P:site#::node#/128

3) Protect the global address against DoS attacks using ACLs.

Agree on a routing protocol on the PE-CE interface (preferred is eBGP).

Configure the routing protocol on the PE-CE interface.

Configure the routing protocol on the CE-PE interface.


VPN Internet Access Service Design and Implementation

Most EuropCom VPN customers are also accessing the IPv4 Internet, and those getting VPNv6 access will need to access the IPv6 Internet. The design of this service is similar to global IA service. 6VPE routers located in a L1 POP access the Internet gateway natively, whereas 6VPE routers located in L2 and L3 POPs access the IGW (in their closest L1 POP) over 6PE.

In the latter case, core design (essentially setup of 6VPE/RR/IGW iBGP peering) took place before any customer request for a few locations, but is a preliminary task for enabling other locations, based on customer request. Edge design (PE-CE peering) is always driven by customer request.

Configuring VPN IA in such 6VPE router involves configuring BGP peering with the IGW, via the IPv6 RR, as illustrated in the configuration in Example 13-18.

Example 13-18. VPN IA Configuration

hostname Nice-PE-VPN !PE#27 .. router bgp 33751 bgp log-neighbor-changes .. !For VPNv6 to Milan-RR6 address-family vpnv6  neighbor 100.46.46.1 activate  neighbor 100.46.46.1 send-community extended  neighbor 100.47.47.1 activate  neighbor 100.47.47.1 send-community extended  bgp dampening 15 750 3000 60  exit-address-family !Peering to Route-Reflector Milan-RR6 for providing Internet access address-family ipv6  neighbor 100.46.46.1 activate  neighbor 100.46.46.1 send-label  neighbor 100.47.47.1 activate  neighbor 100.47.47.1 send-label  network 2001:6FC:1123:1::/52  network 2001:6FC:1124:1::/52  network 2001:6FC::27/128  bgp dampening 15 750 3000 60  exit-address-family

The corresponding configuration at Milan-RR6 is discussed in the "Route Reflector Design" section.

Note that EuropCom is leaking IPv6 customer site addresses (2001:6FC:1123:1::/56 and 2001:6FC:1124:1::/56) toward the IGW. This is to allow the IGW to send back traffic to these customer sites.

In addition to the core iBGP configuration, some static routes are configured to allow VPN traffic to leave the VRF to access global resources, and to allow responses from global resources to enter the VRF. This requires a default route in the VRF, pointing to the IGW, and a route in the default table pointing to the VRF (for prefixes owned by this VRF's customer). Example 13-19 at Nice-PE-VPN illustrates the static routing configuration setup for EuropCom customers Cisco and IBM.

Example 13-19. Static Routing Configuration for IA on VPN PE

hostname Nice-PE-VPN !PE#27 .. !Routes for outbound traffic from each VRF to Milan-IGW ipv6 route vrf Cisco-Nice ::/0 2001:6FC::1:0:0:1 nexthop-vrf default ipv6 route vrf IBM-Nice ::/0 2001:6FC::1:0:0:1 nexthop-vrf default !Routes for inbound traffic from Milan-IGW to VRF ipv6 route 2001:6FC:1123:1::/52 Serial0/0 nexthop-vrf  Cisco-Nice ipv6 route 2001:6FC:1124:1::/52 Serial1/0 nexthop-vrf IBM-Nice

In summary, to enable IA within a VPN, EuropCom has to perform the steps listed in Table 13-7.

Table 13-7. Layer 3 VPN IA Deployment Task List

EuropCom Task (at PE)

Customer Task (at CE)

Core design (PE<->PE) if not done already for this customer PE of attachment:

iBGP 6PE peering to RR

iBGP RR peering to 6PE

 

Leak customer prefix into iBGP:

address-family ipv6

network 2001:6FC:P:site#::/n

 

Configure a static route from VRF to IGW:

ipv6 route vrf <vrf name> ::/0

2001:6FC::1:0:0:1 nexthop-vrf default

Configure a default route to 6VPE:

ipv6 route ::0/0 <interface to 6VPE>

Configure a static route from default to VRF:

ipv6 route 2001:6FC:P:site#::/n <VRF

interface> nexthop-vrf <vrf name>

 


Note that no configuration is necessary at the IGW, other than peering with RRs over 6PE iBGP (done once at core design phase) and leaking a single loopback IPv6 address. This is shown in Example 13-20.

Example 13-20. IGW Configuration Example

hostname Milan-IGW !#1 .. router bgp 33751  bgp log-neighbor-changes ..  address-family ipv6  neighbor 100.46.46.1 activate  neighbor 100.46.46.1 send-label  network 2001:6FC:0:0:1::1/128 !  neighbor 100.47.47.1 activate  neighbor 100.47.47.1 send-label  network 2001:6FC:0:0:1::1/128

Carrier's Carrier Service Design

This service provides VPN access to a customer service provider, so this service needs to exchange routes and send traffic over the EuropCom MPLS backbone. The only difference from a regular PE is that it provides MPLS-to-MPLS forwarding on the CsC-CE to CsC-PE interface, rather than IP-to-MPLS forwarding.

The EuropCom design of this service mandates that the CsC-CEs are "IPv6 enabled." The peering between CsC-CE and CsC-PE is performed over link-locals, using the previously defined address format. Example 13-21 illustrates the CsC-6VPE to CsC-CE peering, between EuropCom and yyCom, using IPv6 CsC.

Example 13-21. CsC 6VPE Configuration Example

hostname Paris-CSC-PE !PE#77 .. router bgp 33751 ..  address-family ipv6 vrf yyCom  neighbor FE80::866C:99%Serial0/0 remote-as 34412  neighbor FE80::866C:99%Serial0/0 activate  neighbor FE80::866C:99%Serial0/0 send-label  neighbor FE80::866C:99%Serial0/0 maximum-prefix 500

For CsC-6PE, the main difference is the lack of VRFs configured, and the fact that MP-BGP peering is using address family IPv6 with label, as illustrated in Example 13-22.

Example 13-22. CsC 6PE Configuration Example

router bgp 33751 .. neighbor FE80::916C:100%Serial1/0 remote-as 37228 address-family ipv6  neighbor FE80::916C:100%Serial1/0 activate  neighbor FE80::916C:100%Serial1/0 send-label  neighbor FE80::916C:100%Serial1/0 maximum-prefix 500




Deploying IPv6 Networks
Deploying IPv6 Networks
ISBN: 1587052105
EAN: 2147483647
Year: 2006
Pages: 130

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net