Cisco Systems OL-4344-01 manual Using Templates to Customize Configuration Files


Chapter 1 About Cisco IP Solution Center


Mapping IPsec Tunnels to MPLS VPNs

Provisioning network-based IPsec VPNs in order to map IPsec tunnels to MPLS VPNs involves both MPLS and IPsec services in IP Solution Center. Thus, it is necessary to create both MPLS and IPsec policies, as well as MPLS and IPsec service requests. For details, see Chapter 6, “Mapping IPsec to MPLS VPN.”

The IPsec terminating router resides on the service provider premises. IPsec tunnels from various customers are aggregated on this router. This may be either a PE router or a Multi-VRF CE router. Depending on which type of device is employed, the IPsec-to-MPLS mapping is either a “one-box” solution or a “two-box” solution. In the “one-box” solution, the service provider uses a PE router as the IPsec aggregator, whereas in the “two-box” solution, the service provider uses a Multi-VRF CE router for IPsec aggregation in conjunction with a PE router.

Two types of IPsec tunnels can be terminated on the IPsec aggregator (PE or Multi-VRF CE router):

Site-to-site IPsec tunnels: A tunnel between a customer’s CE router and the IPsec aggregator.

Remote access IPsec tunnels: A tunnel initiated from a VPN client, for example, a Windows workstation running Cisco IPsec VPN Client software.

Using Templates to Customize Configuration Files

The Template Manager in ISC is a provisioning system that provides fast, flexible, and extensible Cisco IOS command generation capability. The Template Manager defines standard templates to generate Cisco IOS configurations for common provisioning tasks, such as common IPv4, QoS, and VPN provisioning.

A template file is a file created by the Template Manager that stores an ISC template definition.

A template data file is a text file that stores variable values to generate the template file. A valid data file contains name-value pairs for all the variables defined in a template. Each template file can be associated with multiple data files; however, note that each data file can only be associated with a single template. You can select which data file to use to generate a template. The filename suffix for data files is .dat.

A template configuration file is an IOS configuration file that stores the Cisco IOS commands created by the Template Manager. A template configuration file can be either a partial or complete configuration file. When you generate a template configuration file using a particular data file, the template configuration filename is the same as the data file’s name.

Each template data file is tightly linked with its corresponding template. You can use a data file and its associated template to create a template configuration file. The template configuration file is merged with (either appended to or prepended to) the ISC configlet. ISC downloads the combined configlet to the edge device router.

You can apply the same template to multiple edge devices, assigning the appropriate template data file for each device. Each template data file includes the specific data for a particular device (for example, the management IP address or host name of each device).
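The following sketch walks through the workflow described above: one template, one data file per device, a validity check that every template variable has a value, and the append or prepend merge with the configlet. It is an added example, not code from the manual or from ISC. The `$name` placeholder syntax, the `name=value` data file layout, the function names, and all sample values are assumptions made for illustration.

```python
import re

# Assumed syntax for this sketch: $name placeholders in the template and
# "name=value" lines in the .dat file. ISC's real formats may differ.
VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

def parse_data_file(text):
    """Parse name-value pairs, one per line; blank lines are skipped."""
    values = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected name=value")
        values[name.strip()] = value.strip()
    return values

def render(template, values):
    """Substitute every variable; a data file missing any of them is invalid."""
    missing = sorted(set(VAR.findall(template)) - set(values))
    if missing:
        raise ValueError("data file lacks values for: " + ", ".join(missing))
    return VAR.sub(lambda m: values[m.group(1)], template)

def merge(configlet, template_config, mode="append"):
    """Append or prepend the template configuration to the configlet."""
    if mode not in ("append", "prepend"):
        raise ValueError("mode must be 'append' or 'prepend'")
    parts = [configlet, template_config] if mode == "append" else [template_config, configlet]
    return "\n".join(p.strip("\n") for p in parts) + "\n"

# Constructed sample inputs (not taken from the manual).
TEMPLATE = "hostname $hostname\ninterface Loopback0\n ip address $mgmt_ip 255.255.255.255\n"
DATA_FILES = {
    "pe1.dat": "hostname=pe1\nmgmt_ip=192.0.2.1\n",
    "pe2.dat": "hostname=pe2\n",            # mgmt_ip missing: invalid data file
}
CONFIGLET = "ip vrf site2\n rd 100:1\n"   # stands in for the ISC configlet

def build_all(mode="append"):
    """Return {data file name: merged config or error string}."""
    out = {}
    for name, text in DATA_FILES.items():
        try:
            out[name] = merge(CONFIGLET, render(TEMPLATE, parse_data_file(text)), mode)
        except ValueError as exc:
            out[name] = f"ERROR: {exc}"
    return out
```

Calling `build_all()` yields a merged configuration for `pe1.dat` and an error for `pe2.dat`, so an incomplete data file is caught before anything is downloaded to a device.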

Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0


OL-4344-01

 

 
