Basic Services Design and Implementation
The primary services delivered by EuropCom are IPv6 global IA and IPv6 VPN access. Global IA can also be offered to VPN customers. Carrier's Carrier is another IPv6 service that EuropCom offers to other ISPs.
Global IPv6 Internet Access Design and Implementation
The EuropCom infrastructure must first be enabled to provide IPv6 over MPLS connectivity from PEs to IPv6 Internet gateways. The IPv6 Internet gateways are typically located at each EuropCom IX (L1 POP).
PEs located in the L1 POP interface with the Internet gateway over native IPv6 (routing and forwarding). IS-ISv6 is used to exchange routes between the PE and the IGW.
PEs located in L2 and L3 POPs interface with the IGW of their closest L1 POP. The peering in that case is performed over 6PE (IPv6 over MPLS), and routes are exchanged using iBGP peering via RRs. The IGW is also a 6PE with regard to providing IA to those remote 6PEs/CE.
From the BGP configuration standpoint, the IGW (for instance Milan-IGW) is just another PE, peering with the RRs, as described in the section "Route Reflector Design."
Table 13-5 reviews the tasks taking place to provide IPv6 IA to a new EuropCom customer.
Table 13-5. A Deployment Task List
EuropCom Task | Customer Task |
---|---|
In L1 POP, enable PE<->IGW IS-ISv6 peering. Note that this is done prior to service deployment. | |
In L1 POPs, enable RR<->IGW iBGP peering. Note that this is done prior to service deployment, for the benefit of L2/L3 POP's PEs. | |
Enable L2/L3 POP's PE<->RR iBGP peering. Note that this is done once, at first attached IPv6 customer. | |
Allocate an IPv6 prefix P to the customer. | Enable the network for IPv6. This is done using one of the numerous available mechanisms (native, tunnels, and so on). |
1) Enable the PE-CE interface by configuring link-local in the following form:
ipv6 address FE80::ASN:ID link-local
2) Configure a global address on the loopback interface in the following form:
ipv6 address 2001:6FC::node#/128
3) Protect the global address against denial-of-service (DoS) attacks using access control lists (ACLs). | 1) Enable the CE-PE interface by configuring link-local in the following form:
ipv6 address FE80::ASN:ID link-local
2) Configure a global address on the loopback interface in the following form:
ipv6 address 2001:6FC:P::node#/128
3) Protect the global address against DoS attacks using ACLs. |
Agree on a routing protocol on the PE-CE interface (preferred is eBGP). |
Configure the routing protocol on the PE-CE interface. | Configure the routing protocol on the CE-PE interface. |
Layer 3 MPLS VPN Service Design and Implementation
Before enabling IPv6 VPN service for its VPNv4 customers, EuropCom has set up its infrastructure to establish IPv6 MPLS VPN connectivity between 6VPEs (via RRs). This step is described in the section "Network Design." For L1 POP, this task has taken place before any customer service request was received. 6VPE peering for remaining locations is configured only when needed (at the first customer request). All RRs are deployed before offering VPN access to the first EuropCom VPNv6 customer.
Table 13-6 reviews the tasks taking place to provide VPNv6 access to a new EuropCom customer.
Table 13-6. Layer 3 VPN Deployment Task List
EuropCom Task | Customer Task |
---|---|
In L1 POPs, enable 6VPE-IGW IS-ISv6 peering. Note that this is done prior to service deployment. | |
In L1 POPs, enable RR<->IGW iBGP peering. Note that this is done prior to service deployment, for the benefit of L2/L3 POP's PEs. | |
Enable L2/L3 POP's PE<->RR iBGP peering. Note that this is done once, at first attached VPNv6 customer. | |
Allocate an IPv6 prefix P to the customer. | Define an IPv6 addressing plan for subdividing P among IPv6 VPN sites, typically P:site#::/n.
Enable each site for IPv6. This is done using one of the numerous available mechanisms (native, tunnels, and so on). |
Migrate the IPv4 VRF to MP-VRF using the vrf upgrade-cli command. | |
1) Enable the PE-CE interface by configuring link-local in the following form:
ipv6 address FE80::ASN:ID link-local
2) Configure a global address on the loopback interface in the following form:
ipv6 address 2001:6FC::node#/128
3) Protect the global address against DoS attacks using ACLs. | 1) Enable the CE-PE interface by configuring link-local in the following form:
ipv6 address FE80::ASN:ID link-local
2) Configure a global address on each PE-CE interface in the following form:
ipv6 address 2001:6FC:P:site#::node#/128
3) Protect the global address against DoS attacks using ACLs. |
Agree on a routing protocol on the PE-CE interface (preferred is eBGP). |
Configure the routing protocol on the PE-CE interface. | Configure the routing protocol on the CE-PE interface. |
VPN Internet Access Service Design and Implementation
Most EuropCom VPN customers are also accessing the IPv4 Internet, and those getting VPNv6 access will need to access the IPv6 Internet. The design of this service is similar to global IA service. 6VPE routers located in a L1 POP access the Internet gateway natively, whereas 6VPE routers located in L2 and L3 POPs access the IGW (in their closest L1 POP) over 6PE.
In the latter case, core design (essentially setup of 6VPE/RR/IGW iBGP peering) took place before any customer request for a few locations, but is a preliminary task for enabling other locations, based on customer request. Edge design (PE-CE peering) is always driven by customer request.
Configuring VPN IA on such a 6VPE router involves configuring BGP peering with the IGW, via the IPv6 RR, as illustrated in the configuration in Example 13-18.
Example 13-18. VPN IA Configuration
hostname Nice-PE-VPN !PE#27
..
router bgp 33751
 bgp log-neighbor-changes
 ..
 !For VPNv6 to Milan-RR6
 address-family vpnv6
  neighbor 100.46.46.1 activate
  neighbor 100.46.46.1 send-community extended
  neighbor 100.47.47.1 activate
  neighbor 100.47.47.1 send-community extended
  bgp dampening 15 750 3000 60
 exit-address-family
 !Peering to Route-Reflector Milan-RR6 for providing Internet access
 address-family ipv6
  neighbor 100.46.46.1 activate
  neighbor 100.46.46.1 send-label
  neighbor 100.47.47.1 activate
  neighbor 100.47.47.1 send-label
  network 2001:6FC:1123:1::/52
  network 2001:6FC:1124:1::/52
  network 2001:6FC::27/128
  bgp dampening 15 750 3000 60
 exit-address-family
The corresponding configuration at Milan-RR6 is discussed in the "Route Reflector Design" section.
Note that EuropCom is leaking IPv6 customer site addresses (2001:6FC:1123:1::/56 and 2001:6FC:1124:1::/56) toward the IGW. This is to allow the IGW to send back traffic to these customer sites.
In addition to the core iBGP configuration, some static routes are configured to allow VPN traffic to leave the VRF to access global resources, and to allow responses from global resources to enter the VRF. This requires a default route in the VRF, pointing to the IGW, and a route in the default table pointing to the VRF (for prefixes owned by this VRF's customer). Example 13-19 at Nice-PE-VPN illustrates the static routing configuration setup for EuropCom customers Cisco and IBM.
Example 13-19. Static Routing Configuration for IA on VPN PE
hostname Nice-PE-VPN !PE#27
..
!Routes for outbound traffic from each VRF to Milan-IGW
ipv6 route vrf Cisco-Nice ::/0 2001:6FC::1:0:0:1 nexthop-vrf default
ipv6 route vrf IBM-Nice ::/0 2001:6FC::1:0:0:1 nexthop-vrf default
!Routes for inbound traffic from Milan-IGW to VRF
ipv6 route 2001:6FC:1123:1::/52 Serial0/0 nexthop-vrf Cisco-Nice
ipv6 route 2001:6FC:1124:1::/52 Serial1/0 nexthop-vrf IBM-Nice
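A cross-check of the leaking described above, as an added example that is not part of the original text or of any EuropCom tooling: it parses the network statements of Example 13-18 and the static routes of Example 13-19 (embedded below as constructed input) and reports a VRF whose default route has no return route, a return route whose prefix is not advertised into iBGP, and a prefix written with bits set beyond its length. The function and pattern names are hypothetical.

```python
import ipaddress
import re

# Constructed input: the address-family ipv6 "network" lines of Example 13-18
# followed by the static routes of Example 13-19, copied from the page.
PE_CONFIG = """\
router bgp 33751
 address-family ipv6
  network 2001:6FC:1123:1::/52
  network 2001:6FC:1124:1::/52
  network 2001:6FC::27/128
ipv6 route vrf Cisco-Nice ::/0 2001:6FC::1:0:0:1 nexthop-vrf default
ipv6 route vrf IBM-Nice ::/0 2001:6FC::1:0:0:1 nexthop-vrf default
ipv6 route 2001:6FC:1123:1::/52 Serial0/0 nexthop-vrf Cisco-Nice
ipv6 route 2001:6FC:1124:1::/52 Serial1/0 nexthop-vrf IBM-Nice
"""

# Hypothetical patterns covering only the three line shapes used on this page.
NETWORK = re.compile(r"^\s*network\s+(\S+/\d+)\s*$")
VRF_DEFAULT = re.compile(r"^ipv6 route vrf (\S+) ::/0 \S+ nexthop-vrf default\s*$")
INBOUND = re.compile(r"^ipv6 route (\S+/\d+) \S+ nexthop-vrf (\S+)\s*$")


def audit_vrf_internet_access(config):
    """Return a sorted list of findings about VRF <-> global route leaking."""
    advertised, outbound, inbound, findings = set(), set(), {}, []
    for line in config.splitlines():
        if m := NETWORK.match(line):
            advertised.add(ipaddress.IPv6Interface(m.group(1)))
        elif m := VRF_DEFAULT.match(line):
            outbound.add(m.group(1))
        elif m := INBOUND.match(line):
            inbound[ipaddress.IPv6Interface(m.group(1))] = m.group(2)
    for prefix, vrf in inbound.items():
        if prefix not in advertised:
            findings.append(f"{prefix} -> {vrf}: no matching BGP network statement")
        if vrf not in outbound:
            findings.append(f"{vrf}: inbound route but no ::/0 toward the global table")
        if prefix.ip != prefix.network.network_address:
            findings.append(f"{prefix} -> {vrf}: bits set beyond /{prefix.network.prefixlen}")
    for vrf in outbound - set(inbound.values()):
        findings.append(f"{vrf}: ::/0 leaves the VRF but no return route exists")
    for prefix in advertised - set(inbound):
        if prefix.network.prefixlen < 128:  # /128 entries are router loopbacks
            findings.append(f"{prefix}: advertised without a route into a VRF")
    return sorted(findings)
```

On the lines taken from the two examples, the only findings are that both customer prefixes are written with bits set beyond /52.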
In summary, to enable IA within a VPN, EuropCom has to perform the steps listed in Table 13-7.
Table 13-7. Layer 3 VPN IA Deployment Task List
EuropCom Task (at PE) | Customer Task (at CE) |
---|---|
Core design (PE<->PE) if not done already for this customer PE of attachment:
iBGP 6PE peering to RR
iBGP RR peering to 6PE | |
Leak customer prefix into iBGP:
address-family ipv6
network 2001:6FC:P:site#::/n | |
Configure a static route from VRF to IGW:
ipv6 route vrf <vrf name> ::/0 2001:6FC::1:0:0:1 nexthop-vrf default | Configure a default route to 6VPE:
ipv6 route ::0/0 <interface to 6VPE> |
Configure a static route from default to VRF:
ipv6 route 2001:6FC:P:site#::/n <VRF interface> nexthop-vrf <vrf name> | |
Note that no configuration is necessary at the IGW, other than peering with RRs over 6PE iBGP (done once at core design phase) and leaking a single loopback IPv6 address. This is shown in Example 13-20.
Example 13-20. IGW Configuration Example
hostname Milan-IGW !#1
..
router bgp 33751
 bgp log-neighbor-changes
 ..
 address-family ipv6
  neighbor 100.46.46.1 activate
  neighbor 100.46.46.1 send-label
  network 2001:6FC:0:0:1::1/128
  !
  neighbor 100.47.47.1 activate
  neighbor 100.47.47.1 send-label
  network 2001:6FC:0:0:1::1/128
Carrier's Carrier Service Design
This service provides VPN access to a customer service provider, so this service needs to exchange routes and send traffic over the EuropCom MPLS backbone. The only difference from a regular PE is that it provides MPLS-to-MPLS forwarding on the CsC-CE to CsC-PE interface, rather than IP-to-MPLS forwarding.
The EuropCom design of this service mandates that the CsC-CEs are "IPv6 enabled." The peering between CsC-CE and CsC-PE is performed over link-locals, using the previously defined address format. Example 13-21 illustrates the CsC-6VPE to CsC-CE peering, between EuropCom and yyCom, using IPv6 CsC.
Example 13-21. CsC 6VPE Configuration Example
hostname Paris-CSC-PE !PE#77
..
router bgp 33751
 ..
 address-family ipv6 vrf yyCom
  neighbor FE80::866C:99%Serial0/0 remote-as 34412
  neighbor FE80::866C:99%Serial0/0 activate
  neighbor FE80::866C:99%Serial0/0 send-label
  neighbor FE80::866C:99%Serial0/0 maximum-prefix 500
For CsC-6PE, the main difference is the lack of VRFs configured, and the fact that MP-BGP peering is using address family IPv6 with label, as illustrated in Example 13-22.
Example 13-22. CsC 6PE Configuration Example
router bgp 33751
 ..
 neighbor FE80::916C:100%Serial1/0 remote-as 37228
 address-family ipv6
  neighbor FE80::916C:100%Serial1/0 activate
  neighbor FE80::916C:100%Serial1/0 send-label
  neighbor FE80::916C:100%Serial1/0 maximum-prefix 500