22-16
Cisco CNS Network Registrar User’s Guide
OL-6240-02
Chapter 22 Advanced DHCP Server Properties
Configuring Virtual Private Networks and Subnet Allocation
VPN Usage
The VPN name is used to qualify many DHCP objects in Network Registrar, such as IP addresses
(leases), scopes, and subnets. For example, lease names can have this syntax:
vpn
/ipaddress
For example, red/192.168.40.0
A VPN can be any unique text string except the reserved words global and all. You can use global and
all when you export address or lease data. The global VPN maps to the [none] VPN; the all VPN maps
to both the specific VPN and the [none] VPN.
In the CLI, if you omit the VPN or its ID in defining an object, the VPN defaults to the value set by
session set current-vpn. In the Web UI, if the current VPN is not defined, it defaults to the [none] VPN,
which includes all addresses outside of any defined VPNs.
These objects have associated VPN properties:
• Address blocks—Define the VPN for an address block.
–
In the local and regional cluster Web UIs—Click Address Space, then Address Blocks. On the
List/Add Address Blocks page, choose the VPN from the Select VPN drop-down list.
–
In the CLI—Use the dhcp-address-block creation and attribute setting commands. For
example:
nrcmd> dhcp-address-block red create 192.168.50.0/24
nrcmd> dhcp-address-block red set vpn=blue
nrcmd> dhcp-address-block red set vpn-id=99
• Clients and client-classes—In some cases it is best to provision a VPN inside of Network Registrar
instead of externally, where it might have to be configured for every Cisco IOS device. To support
this capability, you can specify a VPN for a client or client-class. Two attributes are provided:
–
default-vpn—VPN that the packet gets if it does not already have a vpn-id or vrf-name value in
the incoming packet. You can use the attribute with clients and client-classes.
–
override-vpn—VPN the packet gets no matter what is provided for a vpn-id or vrf-name value
in the incoming packet. You can use the attribute with clients and client-classes. Note that if you
specify an override VPN on the client-class, and a default VPN for the client, the override VPN
on the client-class takes precedence over the default VPN on the client.
In the local cluster Web UI—Click DHCP, then Client-Classes. Create or edit a client-class and
enter the default-vpn and override-vpn attribute values.
In the regional cluster Web UI—Click DHCP Configuration, then Client-Classes. Create or pull,
and then edit a client-class to enter the default-vpn and override-vpn attribute values.
In the CLI—Use the client-class creation and attribute setting commands. For example:
nrcmd> client 1,6,00:d0:ba:d3:bd:3b set default-vpn=blue
nrcmd> client-class CableModem set override-vpn=blue
In a cable modem deployment, for example, you can use the override-vpn attribute to provision the
cable modems. The client-class would determine the scope for the cable modem, and the scope
would determine the VPN for the uBR. User traffic through the cable modem would then have the
vpn-id suboption set and use the specific VPN. The override-vpn value also overrides any
default-vpn set for the client.
• Leases—List leases, show a lease, or get lease attributes.