Add IP VPN Configuration to Provider Hubs
You can configure IP VPN (Layer 3) parameters to connect an existing Layer 3 VPN which is not managed by Contrail Service Orchestration (CSO) to a network managed by CSO through a provisioned provider hub site.
Figure 1 shows a sample network topology with IP VPN interconnect. On the left side, a CSO-managed SD-WAN overlay network is shown consisting of a multi-tenant provider hub which can be connected to multiple spoke sites or enterprise hub sites belonging to different tenants. On the right side, an existing L3 VPN network which is not managed by CSO is shown. The PE router interconnects with the provider hub to create an IP VPN. Two department VPNs, orange and red, connect the provider hub and the PE router using point-to-point external BGP (eBGP) peering. This peering is implemented using Inter-AS Option-A. For more information, see Interprovider VPNs.
IP VPN can be configured only for provisioned provider hub sites with OAM_AND_DATA or DATA_ONLY capability for each tenant department VPN.
IP VPN configuration is not applicable for data center department VPNs.
To add an IP VPN configuration:
- Click Resources > Site Management.
The Site Management page appears.
- Click the Provider-Hub-Name link to which you want to add an IP VPN.
The Site-Name page appears.
- Click the IPVPN tab.
- Click the Add icon (+).
The Add IPVPN Configuration page appears.
- In the Department VPN(s) field, select one or more VPNs listed in the left column and click the right arrow (>) icon.
The VPNs associated with standard departments are listed here. For more information, see About the Departments Page.
For tenants with network segmentation disabled, a single VPN shared by all its departments is displayed.
- Click Next and complete the configuration as per the guidelines in Table 1, or click Previous to make changes on the previous page.
If you select more than one VPN, you must configure the IP VPN parameters for each VPN separately on the Configure IPVPN page as per the guidelines in Table 1.
Fields marked with an asterisk (*) are mandatory.
- Click Finish.
A Configure IPVPN job is triggered and you are returned to the IPVPN page.
A confirmation message appears (with the job link) at the top of the page indicating that the job was created. You can click the job link to view the status of the job. Alternatively, you can check the status of the job on the Jobs (Monitor > Jobs) page.
Table 1: Fields on the Add IPVPN configuration page
Enter the name of the physical interface on which you want to enable external BGP (eBGP) between the provider hub site and the PE router. For example, ge-0/0/10.
Enter the VLAN ID of the interface.
Range: 1 through 4094.
Interface IP Prefix
Enter an IPv4 address with a prefix for the interface. For example, 10.10.10.1/24.
AS Loop Count
Enter the maximum number of times the local autonomous system (AS) number is allowed to appear in the AS path. If the number of occurrences exceeds the specified AS loop count, the system discards the route, which helps prevent routing loops. For example, if you configure AS Loop Count as 1, the route is discarded if the neighbor’s local AS is detected in the path more than once.
Range: 1 through 10.
Enter the autonomous system (AS) number for the eBGP peer.
Range: 1 through 4294967295.
Enter the IPv4 address of the peer interface.
Local AS number
Enter the local AS number for the IP VPN configuration. When you configure this parameter, the local AS number is used for eBGP peering instead of the global AS number configured for the provider hub.
Select one of the following BGP route authentication methods:
Disable Graceful Restart
Click the toggle button to disable graceful restart for the provider hub when you peer with a device that does not have the graceful restart capability. By default, graceful restart helper mode (the ability to assist a neighboring router attempting a graceful restart) is enabled.
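
The following added example (not part of the original page and not CSO code) checks planned values for one department VPN against the ranges in Table 1 before you enter them, and models the AS Loop Count rule described above. The dictionary key names, the sample peer address and AS numbers, and the same-subnet check for the peer address are assumptions.

```python
import ipaddress

# Ranges stated in Table 1. The dictionary keys are hypothetical names, not CSO fields.
RANGES = {"vlan_id": (1, 4094), "as_loop_count": (1, 10), "peer_as": (1, 4294967295)}


def validate_ipvpn(params):
    """Return a list of problems in one department VPN's planned values."""
    errors = []
    for key, (low, high) in RANGES.items():
        value = params.get(key)
        if type(value) is not int or not low <= value <= high:
            errors.append(f"{key}: {value!r} is outside {low} through {high}")
    prefix = str(params.get("interface_ip_prefix", ""))
    if "/" not in prefix:
        return errors + ["interface_ip_prefix: must be an IPv4 address with a prefix"]
    try:
        iface = ipaddress.IPv4Interface(prefix)
        peer = ipaddress.IPv4Address(params.get("peer_ip"))
    except ValueError as exc:
        return errors + [f"address: {exc}"]
    # Assumption (not stated on the page): the eBGP peer is directly connected,
    # so its address lies in the interface subnet and differs from the local one.
    if peer not in iface.network:
        errors.append(f"peer_ip: {peer} is not in {iface.network}")
    elif peer == iface.ip:
        errors.append("peer_ip: same as the local interface address")
    return errors


def route_discarded(as_path, local_as, as_loop_count):
    """Model of the AS Loop Count rule: discard the route when local_as
    appears in the AS path more times than as_loop_count allows."""
    return as_path.count(local_as) > as_loop_count


if __name__ == "__main__":
    # Constructed sample values; only 10.10.10.1/24 comes from the page.
    planned = {"vlan_id": 100, "as_loop_count": 1, "peer_as": 65001,
               "interface_ip_prefix": "10.10.10.1/24", "peer_ip": "10.10.10.2"}
    print(validate_ipvpn(planned))
    print(validate_ipvpn(dict(planned, vlan_id=4095, peer_ip="10.10.11.2")))
    print(route_discarded([65001, 65000, 64512, 65000], 65000, 1))
```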