eSight V300R001C10 BGP/MPLS VPN Technical White Paper Issue 01 Date 2013-12-10 HUAWEI TECHNOLOGIES CO., LTD.

Mar 07, 2018


nguyenbao

eSight V300R001C10

BGP/MPLS VPN Technical White Paper

Issue 01

Date 2013-12-10

HUAWEI TECHNOLOGIES CO., LTD.


Issue 01 (2013-12-10) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.


Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Website: http://enterprise.huawei.com


About This Document

Purpose

This document describes the eSight BGP/MPLS VPN solution to help users learn about its key capabilities, application scenarios, and usage.

Intended Audience

This document is intended for:

Technical support personnel

Maintenance personnel

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.

Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.

Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.

Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.


Change History

Changes between document issues are cumulative. The latest document issue contains all the changes made in earlier issues.

Issue 01 (2013-12-10)

This issue is the first official release.


Contents

About This Document
1 Executive Summary
2 Introduction
3 Solution
3.1 Overview
3.2 Implementation
3.2.1 Automatic Discovery
3.2.2 Quick Diagnosis
3.2.3 Service Enabling and Disabling
3.2.4 SLA
3.3 Function Constraints
3.3.1 Applicable Device Types
3.4 Typical Applications
3.4.1 Automatic Discovery
3.4.2 Alarm Monitoring and Operating Status Monitoring
3.4.3 Service Enabling and Disabling
3.4.4 Quick Diagnosis
4 Conclusion
5 Acronyms and Abbreviations


1 Executive Summary

BGP/MPLS VPN is a Layer 3 virtual private network (L3VPN). It uses Border Gateway Protocol (BGP) to advertise VPN routes and uses Multiprotocol Label Switching (MPLS) to forward VPN packets on backbone networks of service providers (SPs).

MPLS seamlessly integrates the flexibility of IP routing and the simplicity of Asynchronous Transfer Mode (ATM) label switching. A connection-oriented control plane is added to an MPLS IP network, which enriches the means of managing and operating the network. On IP networks, MPLS traffic engineering (TE) has become an important tool in managing network traffic, reducing network congestion, and ensuring Quality of Service (QoS).

Using MPLS-based IP networks as backbone networks has become an important means for IP network carriers to provide value-added services and is widely used by enterprises.

In the enterprise network market, enterprises can lease backbone networks from carriers to bear services or construct VPNs to bear services. Enterprises that lease backbone networks from carriers must ensure that the network quality provided by carriers can meet their service requirements. Enterprises that construct VPNs must perform end-to-end (E2E) monitoring on the entire network to ensure the proper running of services.

eSight BGP/MPLS VPN monitors VPN services from multiple aspects to help users locate and rectify faults promptly. This ensures proper running of services, improves operation and maintenance efficiency, and reduces operation and maintenance costs.

eSight BGP/MPLS VPN provides the following functions to monitor services: automatic service discovery, service alarm generation, and monitoring of service performance, service operating status, service enabling status, and service SLA data.


2 Introduction

eSight BGP/MPLS VPN helps users locate faults promptly on L3VPN networks that have the following features:

Complex network structure

Devices located in multiple regions

Various services running on an L3VPN network

Complex configuration of routing protocols

Differentiated skills of maintenance personnel


3 Solution

3.1 Overview

Figure 3-1 shows the VPN service monitoring process.

Figure 3-1 VPN service monitoring process

The VPN service monitoring process is as follows:

1. A user deploys services on a network using the command-line interface (CLI) or smart configuration tool.

2. eSight discovers deployed services from the network.

3. eSight monitors service alarms, operating status, performance, SLA data, link status, and VPN routing and forwarding (VRF) status.

4. A user uses the quick diagnosis function to locate faults when a service is faulty.

Using the Smart Configuration Tool to Deploy Services

On an enterprise network, the L3VPN service deployment involves delivery of a large amount of data to provider edges (PEs) and customer edges (CEs), most of which have the same configuration. Therefore, eSight provides the smart configuration tool to deploy services in batches.

Figure 3-2 shows the process of using the smart configuration tool to deploy services.

Figure 3-2 Process of using the smart configuration tool to deploy services


The process of using the smart configuration tool to deploy services is as follows:

Step 1 Configure network resource information.

Set the following service information based on a service plan: device IP addresses, interface IP addresses, VRF resource information (such as services that a VRF bears, VRF name, VRF RD, VRF RT, and VRF routing policy), routing information (public routes and private routes), and MPLS information.

Step 2 Create a network plan sheet.

Create a network plan sheet based on the supported device types and commands to deploy.

Step 3 Set the network device parameters in the plan sheet to planned values specified in Step 1.

Step 4 Import the plan sheet to eSight.

Step 5 (Optional) Send the plan sheet to devices and verify the CLI parameter values.

Step 6 Send the plan sheet with configured CLI parameters to devices to complete service deployment.

----End

3.2 Implementation

3.2.1 Automatic Discovery

eSight provides the following automatic discovery modes:

Discover by VRF connectivity

eSight checks whether the import RT of the VRF on a PE is the same as the export RT of the VRF on another PE. If the import RT and the export RT are the same, eSight checks whether the two PEs have a peer relationship. If they do, eSight discovers the service between them.

Discover by VRF name

eSight checks whether the VRF names on two PEs are the same. If the VRF names are the same and the two PEs have a BGP peer relationship, eSight discovers the service between the two PEs.

If private routes are established between PEs and CEs using Open Shortest Path First (OSPF), Intermediate System-Intermediate System (ISIS), or external BGP (EBGP), eSight can automatically discover services between the PEs and CEs, reducing the CE maintenance workload.

When devices from mainstream manufacturers such as Cisco and H3C are used as PEs in VPN services, eSight can automatically discover services deployed on the PEs based on the VRF information and BGP peer relationship.

On the L3VPN service automatic discovery page, users can set the discovery scope and discovery policy to discover services from devices.


Figure 3-3 L3VPN service automatic discovery page
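The two discovery modes described in this section can be compared side by side on the same inventory. The following is an added example, not eSight code: the Vrf record, the function names and the sample RT values are constructed for illustration, and it assumes that a match in either import/export direction is enough to link two VRFs.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Vrf:
    pe: str                 # PE the VRF is configured on
    name: str               # VRF name
    import_rts: frozenset   # route targets imported by this VRF
    export_rts: frozenset   # route targets exported by this VRF


def peered(bgp_peers, a, b):
    """True when a peer relationship between PEs a and b is recorded."""
    return (a, b) in bgp_peers or (b, a) in bgp_peers


def discover_by_connectivity(vrfs, bgp_peers):
    """Pair VRFs on different, peered PEs when one imports an RT the other exports."""
    found = []
    for x, y in combinations(vrfs, 2):
        if x.pe == y.pe or not peered(bgp_peers, x.pe, y.pe):
            continue
        x_from_y = x.import_rts & y.export_rts
        y_from_x = y.import_rts & x.export_rts
        if x_from_y or y_from_x:
            found.append({
                "a": (x.pe, x.name), "b": (y.pe, y.name),
                "a_imports_from_b": sorted(x_from_y),
                "b_imports_from_a": sorted(y_from_x),
            })
    return found


def discover_by_name(vrfs, bgp_peers):
    """Pair VRFs that share a name on different, peered PEs."""
    return [((x.pe, x.name), (y.pe, y.name))
            for x, y in combinations(vrfs, 2)
            if x.pe != y.pe and x.name == y.name
            and peered(bgp_peers, x.pe, y.pe)]


def mode_differences(vrfs, bgp_peers):
    """Return (pairs found only by connectivity, pairs found only by name)."""
    conn = {frozenset((s["a"], s["b"]))
            for s in discover_by_connectivity(vrfs, bgp_peers)}
    name = {frozenset(p) for p in discover_by_name(vrfs, bgp_peers)}
    return conn - name, name - conn


# Constructed sample inventory (not taken from a real network).
SAMPLE_VRFS = [
    Vrf("PE1", "vpn_a", frozenset({"100:1"}), frozenset({"100:1"})),
    Vrf("PE2", "vpn_a", frozenset({"100:1"}), frozenset({"100:1"})),
    Vrf("PE2", "vpn_b", frozenset({"100:1", "100:2"}), frozenset({"100:2"})),
    Vrf("PE3", "vpn_a", frozenset({"100:9"}), frozenset({"100:9"})),
]
SAMPLE_PEERS = {("PE1", "PE2"), ("PE1", "PE3")}

if __name__ == "__main__":
    for s in discover_by_connectivity(SAMPLE_VRFS, SAMPLE_PEERS):
        print("connectivity:", s)
    for p in discover_by_name(SAMPLE_VRFS, SAMPLE_PEERS):
        print("name:", p)
    only_conn, only_name = mode_differences(SAMPLE_VRFS, SAMPLE_PEERS)
    print("only by connectivity:", [sorted(p) for p in only_conn])
    print("only by name:", [sorted(p) for p in only_name])
```

In the sample, connectivity mode also links vpn_a on PE1 to vpn_b on PE2 through a one-way import of 100:1, which name mode does not report; name mode links the vpn_a VRFs on PE1 and PE3 although their RTs do not match.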

3.2.2 Quick Diagnosis

The quick diagnosis function allows users to locate faults at different network layers. When a service is faulty, a user can locate faults at the PE-CE access layer, PE-PE L3 link layer, and PE-PE LSP bearing layer in sequence. For details, see 3.4.4 Quick Diagnosis.

3.2.3 Service Enabling and Disabling

When a service is enabled, it is activated. When a service is disabled, it is deactivated. Service enabling status is indicated by the management status of bound VRF interfaces. If the current bound VRF interface is disabled, the corresponding PE-CE link is disabled. If all the bound VRF interfaces of the current service are disabled, the service is disabled.

Users can enable or disable services to control service availability.

Users can also enable or disable a service interface to control the CE connection to a VPN service.

In the Hub-Spoke network shown in Figure 3-4, users can enable or disable VRF interfaces enclosed in red boxes to control the CE connection to the VPN network.


Figure 3-4 Hub-Spoke network

3.2.4 SLA

After discovering a VPN service, eSight creates an ICMP ping-based SLA task for PE-PE and PE-CE links by default. Users then can monitor the SLA compliance for the PE-PE and PE-CE links. For details, see the eSight V200R003C01 SLA Technical White Paper.


Figure 3-5 L3VPN SLA

3.3 Function Constraints

3.3.1 Applicable Device Types

Device | Device Type | Device Version
Router | NE20 | V2R5C01, V2R5C02, V2R5C03, and V2R5C05
Router | NE20E series | V200R003C00, V200R003C01, V200R005C00, V200R005C01, V200R005C02, V200R005C03, V200R005C05, 600R003C00, V600R001C00, V600R003C05, and V600R005C00
Router | NE40 series | V300R002C00, V300R002C01, V300R003C00, V300R003C01, V300R003C02, V300R005C00, V300R005C01, and V600R001C00
Router | NE40E series | V300R001C00, V300R002C00, V300R003C00, V300R003C01, V300R003C02, V300R006C00, V300R006C01, V600R001C00, V600R001C01, V600R002C00, V600R002C05, V600R003C00, V600R003C01, V600R003C02, V600R003C03, V600R003C05, and V600R005C00
Router | NE80 series | V300R002C00, V300R002C01, V300R003C00, V300R003C01, V300R003C02, V300R005C00, and V300R005C01
Router | NE80E series | V1R2C00, V3R1C00, V3R2C00, V3R3C00, V3R3C01, V3R3C02, V3R6C00, V3R6C01, V6R1C00, V6R1C01, V600R002C00, V600R002C01, V600R002C02, V600R003C00, and V600R003C01
Switch | S33 and S37 series | V1R3C00, V1R3C01, V1R5C00, V1R5C01, V1R6C00, and V1R6C01
Switch | S53 and S57 series | V1R3C00, V1R3C01, V1R5C00, V1R5C01, V1R6C00, V1R6C01, and V2R1C00
Switch | S63 and S67 series | V1R6C00, V1R6C01, V2R1C00, V200R001C01, and V200R002C00
Switch | S77 and S93 series | V1R3C00, V1R3C01, V1R6C00, V1R6C01, V2R1C00, and V200R002C00
AR | AR150, AR200, AR1200, AR2200, and AR3200 series | V2R1C00, V2R1C01, V2R2C00, V2R2C01, V2R2C02, V2R3C00, V2R3C01, and V2R2C01
Router(Cisco) | 7600 and 1000 series |
Router(H3C) | SR6600, SR8800, AR28, AR29-1, AR46, AR49, S7502E, S7503E, and S7608-X |


3.4 Typical Applications

3.4.1 Automatic Discovery

eSight discovers deployed services from a network in either of the following modes: discovery by VRF connectivity and discovery by VRF name.

A user sets the discovery policy and device scope (including PEs and CEs), and clicks . eSight then discovers services automatically. The service automatic discovery process is as follows:

1. Synchronize device configuration.

eSight synchronizes VPN service-related information with devices.

2. Discover services.

eSight discovers services based on the discovery policy and synchronized device configuration. Services are classified into the following categories based on the discovery result: modified service (including PE-CE link change, PE-PE link change, and VRF information change), new service, and deleted service (eSight deletes services that no longer exist on devices).

Figure 3-6 Service automatic discovery page
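The classification of discovery results into new, modified and deleted services can be expressed as a comparison between the previously known services and a fresh discovery run. This is an added example, not eSight code: the dictionary layout, field names and sample values are constructed, and matching services across runs by name is an assumption.

```python
def diff_set(old, new):
    """Return (added, removed) members as sorted lists."""
    return sorted(new - old), sorted(old - new)


def classify_services(previous, current):
    """Classify a discovery result against the previously known services."""
    report = {
        "new": sorted(set(current) - set(previous)),
        "deleted": sorted(set(previous) - set(current)),
        "modified": {},
    }
    for name in sorted(set(previous) & set(current)):
        old, new = previous[name], current[name]
        changes = {}
        # Link changes: report which PE-CE / PE-PE links appeared or vanished.
        for kind, key in (("PE-CE link change", "pe_ce"),
                          ("PE-PE link change", "pe_pe")):
            added, removed = diff_set(old[key], new[key])
            if added or removed:
                changes[kind] = {"added": added, "removed": removed}
        # VRF information change: list the VRF fields whose value differs.
        fields = set(old["vrf"]) | set(new["vrf"])
        changed = sorted(f for f in fields
                         if old["vrf"].get(f) != new["vrf"].get(f))
        if changed:
            changes["VRF information change"] = changed
        if changes:
            report["modified"][name] = changes
    return report


def svc(vrf, pe_pe, pe_ce):
    """Build one service record (hypothetical layout for this example)."""
    return {"vrf": vrf, "pe_pe": set(pe_pe), "pe_ce": set(pe_ce)}


# Constructed sample data: state before and after a discovery run.
PREVIOUS = {
    "vpn_a": svc({"rd": "100:1", "import_rt": ("100:1",), "export_rt": ("100:1",)},
                 [("PE1", "PE2")], [("PE1", "CE1"), ("PE2", "CE2")]),
    "vpn_b": svc({"rd": "100:2", "import_rt": ("100:2",), "export_rt": ("100:2",)},
                 [("PE1", "PE3")], [("PE3", "CE4")]),
    "vpn_old": svc({"rd": "100:7", "import_rt": ("100:7",), "export_rt": ("100:7",)},
                   [("PE2", "PE3")], []),
}
CURRENT = {
    # vpn_a gained a CE link and now also imports 100:2.
    "vpn_a": svc({"rd": "100:1", "import_rt": ("100:1", "100:2"),
                  "export_rt": ("100:1",)},
                 [("PE1", "PE2")],
                 [("PE1", "CE1"), ("PE2", "CE2"), ("PE2", "CE3")]),
    "vpn_b": PREVIOUS["vpn_b"],
    "vpn_new": svc({"rd": "100:8", "import_rt": ("100:8",), "export_rt": ("100:8",)},
                   [("PE1", "PE2")], []),
}

if __name__ == "__main__":
    import pprint
    pprint.pprint(classify_services(PREVIOUS, CURRENT))
```

Reporting the changed links and VRF fields, rather than only the category, makes an unplanned RT or link change visible when the result is reviewed.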

3.4.2 Alarm Monitoring and Operating Status Monitoring

Users can view the highest alarm severity of the current service in the service list or service topology, and view devices that generate alarms and PE-CE link status in the service topology.

Users can also access the Current Alarms page from the service list and view the alarm details of the current service.

In service details, users can view the PE-CE link operating status and enabling status, link faults, and service availability on current links.


Figure 3-7 Service list

Figure 3-8 Service topology

Figure 3-9 Alarm list


Figure 3-10 PE-CE link status and VRF status

3.4.3 Service Enabling and Disabling

Users can enable or disable services to control service availability. For example, on an emergency network where only key services are allowed during emergencies, users must disable non-key services during an emergency and enable them at other times.

Users can also enable or disable a PE-CE link to control the CE connection to a VPN network.

Figure 3-11 Service enabling and disabling

3.4.4 Quick Diagnosis

Quick diagnosis provides multiple diagnosis tools to help users locate service faults at different network layers.


For example, enterprise A has many offices that communicate with each other through L3VPN. In Figure 3-12, a VPN is established between PE1 and PE2. CE1 and CE2 are added to the VPN. CE1 and CE2 cannot communicate with each other. The fault must be located on the VPN.

Figure 3-12 Example of an MPLS VPN network

Figure 3-13 shows the fault diagnosis process, where Yes indicates that the test result is connected and No indicates that the test result is disconnected.

Figure 3-13 Fault diagnosis process


Step 2 Locate faults at each network layer of the L3VPN service and determine the network layer where the faults have occurred.

1. At the L3VPN service layer, use ICMP ping or VRF ping to test the access controller (AC) link between PE1 and CE1 and the AC link between PE2 and CE2.

− If the AC link test fails, view the port configuration at both ends of the AC link and locate faults from port configuration.

− If the AC link test is successful, use ICMP ping or VRF ping to test the backbone link between PE1 and PE2. If the backbone link test fails, test the LSP tunnel between PE1 and PE2.

2. Use LSP ping to test the LSP tunnel between PE1 and PE2.

− If the LSP ping test is successful, the LSP tunnel functions properly at the bearer network, and the fault has occurred at the L3VPN service layer.

− If the LSP ping test fails, test the public routes.

Step 3 Use a proper trace tool to locate the faulty device by network segment.

Use a trace route tool (ICMP Traceroute, VRF Traceroute, or LSP Traceroute, depending on the service layer) to detect the link path between PE1 and PE2 at the faulty network layer.

If the actual link path is detected, compare it with the correct service transmission path to locate the faulty device. Then view the device configuration to locate the fault.

If the actual link path cannot be detected due to route convergence, locate the faulty device by link segment.

If the fault cannot be located, contact Huawei technical support.
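The layered test order in Step 2 can be written as a short decision routine that runs each test only when the previous result calls for it. This is an added example, not eSight code: the probe names and result fields are hypothetical, each probe is a callable standing in for a ping or LSP ping, and the case where the backbone link test succeeds is marked as not covered because the text above does not describe it.

```python
AC_TESTS = ("ac_pe1_ce1", "ac_pe2_ce2")


def quick_diagnosis(probes):
    """Run the layered tests in order.

    probes maps a test name to a zero-argument callable that returns True
    when the test result is "connected". Later tests are only invoked when
    the earlier results require them.
    """
    ran = []

    def connected(name):
        ran.append(name)
        return probes[name]()

    def result(layer, failed, next_action):
        return {"layer": layer, "failed": failed,
                "next": next_action, "ran": ran}

    # 1. L3VPN service layer: test both AC links (PE1-CE1 and PE2-CE2).
    failed_ac = [name for name in AC_TESTS if not connected(name)]
    if failed_ac:
        return result("PE-CE access layer", failed_ac,
                      "view the port configuration at both ends of the AC link")

    # AC links are connected: test the backbone link between PE1 and PE2.
    if connected("backbone_pe1_pe2"):
        return result(None, [], "no failing test; case not covered by the procedure")

    # 2. Backbone link failed: LSP ping separates the service layer
    #    from the bearer network.
    if connected("lsp_pe1_pe2"):
        return result("L3VPN service layer", ["backbone_pe1_pe2"],
                      "trace the PE1-PE2 path at the L3VPN service layer")
    return result("PE-PE LSP bearing layer",
                  ["backbone_pe1_pe2", "lsp_pe1_pe2"],
                  "test the public routes")


def fixed(results):
    """Build probes from constructed True/False results (for offline runs)."""
    return {name: (lambda ok=ok: ok) for name, ok in results.items()}


if __name__ == "__main__":
    # Constructed scenario: AC links fine, backbone test fails, LSP ping works.
    outcome = quick_diagnosis(fixed({
        "ac_pe1_ce1": True, "ac_pe2_ce2": True,
        "backbone_pe1_pe2": False, "lsp_pe1_pe2": True,
    }))
    print(outcome)
```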


4 Conclusion

eSight BGP/MPLS VPN monitors VPN services from the aspects of alarm, performance, and SLA, and provides the quick diagnosis function to help users locate and rectify faults promptly.


5 Acronyms and Abbreviations

Acronym/Abbreviation Full Name

BGP Border Gateway Protocol

CE Customer edge

MP-BGP Multiprotocol extensions for BGP-4

MPLS Multiprotocol Label Switching

P Provider

PE Provider edge

SLA Service level agreement

VPN Virtual private network

VRF VPN routing and forwarding