The Last Mile.(s)
Remote Access to MPLS VPN Integration
MPLS Deployment Forum
May 15th, 2001
Eric Voit
© 2001, Cisco Systems, Inc.
1
Agenda
• Market Background
• Solution Benefits
• Technology Introduction
• Remote Access to MPLS VPN Solution
Remote Access VPN Benefits
The VPN Market growth is driven by customer value
[Chart: bar chart of the drivers cited by Remote Access VPN respondents; y-axis "Percentage of Remote Access VPN Respondents"; Source: Infonetics, April 2000. Drivers in chart order: increased bandwidth for remote access workers using VPNs over DSL or cable; increased geographical coverage; domestic dial-up cost savings; increased network uptime; international dial-up cost savings; reduction of remote access equipment; ability to quickly add many remote users; reduction of operations and management costs. Bar values as extracted: 49%, 40%, 38%, 38%, 36%, 35%, 33%, 22%.]
Integrated Access VPN with Intranet and Extranet VPNs
Extending MPLS VPN benefits to other business opportunities
[Diagram: Broadband Access (DSL, Cable), Direct VPN Access (Leased Lines, Frame Relay, ATM) and Dial Access (PSTN, ISDN) enter through a NAS into an LSR-based MPLS core carrying Secure MPLS Intranet and Extranet VPNs for MPLS VPN Enterprise A and MPLS VPN Enterprise B, with shared Content and Caches and DNS, AAA services.]
Remote Access Leadership
[Three market-share charts, quarters Q4 '99 through Q3 '00, vendor share from 0% upward. Source: Synergy Research Group, Q3CY00.]
WW Remote Access (Dial) Equipment Market Share: total Q3 '00 segment revenue = $1,028 M; Cisco's port share = 35%.
WW Broadband Aggregation Equipment Market Share: total Q3 '00 segment revenue = $168 M; Cisco's unit share = 60%. Vendors charted across these two panels: Cisco, Cisco 6400 & 7200, Lucent/Ascend, Nortel, 3Com, Alcatel, Unisphere, Redback, Other.
WW Cable Equipment Market Share (Cable Headend Equipment): total Q3 '00 segment revenue = $168 M; Cisco's unit share = 40%. Vendors charted: Cisco, Terayon, Nortel, 3Com, Other.
Service Provider Benefits
• Enhance their MPLS VPN service offering to their customers
• Enjoy increased revenues, service differentiation, and greater customer loyalty
• Build a secure and comprehensive VPN portfolio that businesses want today
• Expand MPLS VPN service offering into new markets
Customer Benefits
• Remote users can now securely access their corporate intranet and extranet MPLS VPN via dial, DSL and cable
• Expand into new markets and business opportunities by leveraging last mile access to their existing MPLS VPN based applications and services
• Prioritized New World services can now be extended all the way to last mile remote users by leveraging QoS features of the MPLS VPN
Access Technologies
• Dial (POTS and ISDN)
• DSL
• Cable
[Diagram: the access technologies mapped to user segments: Road Warrior, Residential, Small-Medium Enterprise.]
Access VPNs
• L2TP, L2F, PPTP:
– Provisioning Overhead
– Scaling Problems
– Sub-Optimal Routing
• Other L3 Tunnel-Based VPNs:
– IPsec
– GRE
Integrate with MPLS Architecture
• Scalable VPNs
• Standards-based
• IP QoS and traffic engineering
• Easy to manage and no VC provisioning required
• Supports the deployment of new value-added applications
• Customer IP address freedom
[Diagram: MPLS Network connecting MPLS VPN Enterprise A (Entpr A Site 1, Site 2, Site 3) and MPLS VPN Enterprise B (Entpr B Site 1, Site 2, Site 3). VPN membership is based on logical port and unique RD; traffic separation is at Layer 3; each VPN has a unique RD.]
Access Protocols
PPP Access
• PPP
• PPPoA
• PPPoE
Non-PPP Access
• DSL 1483 Routed
• Cable DOCSIS SID
• L2TP/PPP
RA to MPLS VPN Integration
The Generic Solution
[Diagram: a common solution independent of access technology, with access technology specific solutions at the edge. Dial Access, DSL Access and Cable Access (DOCSIS) terminate on a VHG-PE at the edge of the SP MPLS Core; the SP AAA Server and SP DHCP Server sit on the provider side; a PE/CE pair connects the Customer Net, which hosts the Customer AAA Server and Customer DHCP Server.]
VHG-PE: a standard Provider Edge device in the MPLS network which receives remote user sessions. Its context is not limited to tunneled (L2TP) sessions.
RA to MPLS VPN Integration
[Diagram: the same generic solution with the Dial Access path highlighted: Dial Access to VHG-PE, across the SP MPLS Core to the PE, CE and Customer Net, with the SP AAA Server, SP DHCP Server, Customer AAA Server and Customer DHCP Server attached.]
Dial Access Field Environment
Dial Access Service Architectures
• L2TP Overlay
• L2TP MPLS VPN (Dial in)
L2TP Overlay
Service Architecture
[Diagram: Client A and Client B dial through the PSTN to a NAS/LAC in the SP Network; tunnel information is received from the SP AAA; L2TP tunnels run across the MPLS/VPN backbone (PE to PE) to each customer's LNS, which is the CE/LNS of Customer A and Customer B (each with its own AAA; VPN SC manages the PEs). Protocol stacking on the path: IP over PPP over L2TP, with MPLS carrying L2TP between the PEs. The SP receives LNS info from Customers A and B. The LNS "must" have a public IP address.]
Service Architecture Benefits
Provides a solution for an MPLS VPN migration (CE/LNS). VPDN is used for Remote Access VPN services and MPLS VPN is used for Intranet/Extranet VPN.
L2TP Dial In
Service Architecture
[Diagram: Client A and Client B dial through the PSTN to a NAS; tunnel information is received from AAA; L2TP runs from the NAS to a PE acting as "VHGw" (VHG/MPLS IP) inside the SP Network MPLS/VPN, which delivers traffic to the CE of Customer A and Customer B (each with its own AAA). Features noted on the diagram: Overlapping IP Address Assignment (Local, Radius), Virtual Profiles, VHG Load Balancing, DHCP, VPN SC, Proxy Authentication & Accounting.]
Service Architecture Benefits
Removes the need for VPDN (no tunnels required in the backbone) and achieves optimal routing.
Customer Home Gateway is no longer needed and the SP can offer a Managed Home Gateway Service (Virtual Home Gateway).
Service Provider can offer VPN services for users with non-registered IP addresses or can save scarce IP addressing space in the backbone.
L2TP Dial In - Call Flow
[Diagram: Client A and Client B through the PSTN to the NAS, L2TP from the NAS to the PE "VHGw" (VHG/MPLS IP) in the MPLS/VPN network, then to the CE of Customer A and Customer B; SP AAA, Customer AAA, DHCP and VPN SC attached.]
1) PPP Setup, UserId & Pwd
2) DNIS or @cisco.com
3) Tunnel Information received from SP AAA (PE/VHgw IP address included)
4) Tunnel created & UserId & Pwd forwarded to PE/VHgw
5) … & Pwd (DNIS Optional)
6) Proxy Authentication & Accounting
7) Session Accepted + VRF mapping + other virtual interface config (local addr. pool name)
8) Virtual Interface configured, IP Address assigned, Route insertion in VRF
9) IP Address handed to User
10) User gets connected
L2TP Dial In - Components
• NAS/LACs (AS5300/5400/5800)
• VHG/PEs (6400, 7200, 7500)
• SP AAA Server (e.g. AR 1.6)
• SP DHCP Server (e.g. CNR 3.0)
• RPMS
• VPNSC 1.2 or above
• IP core or ATM core
Configuration
Provisioning MPLS/VPN
[Diagram: VHG/PE and PE on either side of the MPLS cloud, with CEs for V1.2.com and V1.3.com attached to the PE.]
1. Enable tag switching on all interfaces inside the MPLS cloud.
2. Configure the IGP used by the SP. The loopback of the PE should be reachable.
3. Create the VRF plus a loopback interface which you put in the VRF of the customer (the VRF must be pre-instantiated).
4. Enable the MP-iBGP peer between VHG and PE.
5. Provision the BGP peer so that VPN-IPv4 addresses for the corresponding VRFs get exchanged.

c75d12-1#sh ip route vrf V1.2.com
23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C    23.1.2.252/30 is directly connected, FastEthernet2/0/0.2
C    23.1.2.250/32 is directly connected, Loopback2
12.0.0.0/32 is subnetted, 1 subnets
B    12.1.2.250 [200/1] via 10.10.104.8, 19:44:29
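A complete VHG/PE-side configuration that carries out steps 1 to 5 above, added here as a worked example; it is not taken from the presentation or from a Cisco reference configuration. It uses the names and addresses visible in the route output (VRF V1.2.com, Loopback2 23.1.2.250/32, FastEthernet2/0/0.2 on 23.1.2.252/30, MP-iBGP peer 10.10.104.8). The AS number 100, the RD and route target 100:12, the PE's own address 23.1.2.253 on the customer subnet, Loopback0 10.10.104.1, the core interface POS3/0/0, the dot1Q tag and the OSPF process are assumptions.

```ios
! Added example (not from the slides). Assumed values: AS 100, RD/RT 100:12,
! Loopback0 10.10.104.1/32, OSPF process 1, core interface POS3/0/0.
!
! 1. Tag switching on every interface facing the MPLS cloud; CEF is required.
ip cef
interface Loopback0
 ip address 10.10.104.1 255.255.255.255
interface POS3/0/0
 ip address 10.10.200.1 255.255.255.252
 tag-switching ip
!
! 2. IGP for the SP core: PE loopbacks must be reachable so that the
!    MP-iBGP session can be sourced from them and LSPs to them are built.
router ospf 1
 network 10.10.104.1 0.0.0.0 area 0
 network 10.10.200.0 0.0.0.3 area 0
!
! 3. Pre-instantiate the customer VRF and put a loopback in it. The RD keeps
!    V1.2.com routes distinct in MP-BGP even if another customer uses the
!    same prefixes; the route target controls which PEs import them.
ip vrf V1.2.com
 rd 100:12
 route-target export 100:12
 route-target import 100:12
interface Loopback2
 ip vrf forwarding V1.2.com
 ip address 23.1.2.250 255.255.255.255
interface FastEthernet2/0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding V1.2.com
 ip address 23.1.2.253 255.255.255.252
!
! 4. MP-iBGP peer between VHG and PE, sourced from the loopback.
router bgp 100
 no bgp default ipv4-unicast
 neighbor 10.10.104.8 remote-as 100
 neighbor 10.10.104.8 update-source Loopback0
!
! 5. Exchange VPN-IPv4 routes for the VRF: activate the peer in the vpnv4
!    address family (extended communities carry the route target) and
!    inject the VRF's connected routes, including Loopback2.
 address-family vpnv4
  neighbor 10.10.104.8 activate
  neighbor 10.10.104.8 send-community extended
 exit-address-family
 address-family ipv4 vrf V1.2.com
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
```

After the vpnv4 session comes up and the remote PE exports route target 100:12, the B entry for 12.1.2.250 shows up in sh ip route vrf V1.2.com exactly as in the output above; sh ip bgp vpnv4 vrf V1.2.com shows the same prefix with its RD. A VRF whose peer is activated without send-community extended receives nothing, because the route target is what ties the route to the VRF.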
Configuration
The L2TP Tunnels
[Diagram: PSTN, NAS/LAC, AAA server and RPMS in the SP Access Network; SP MPLS Core with the VHG/PE and its AAA server; the user is identified by Username@domain or DNIS.]
Configure per (domain/DNIS, PoP) record with IETF tunnel attributes: Tunnel Type, Tunnel Medium, Tunnel Endpoint(s), Tunnel Password.
NAS can initiate the L2TP tunnel based on:
1. realm
2. DNIS
The mandatory info to set up the tunnel could be stored on:
1. LAC
2. AAA server
3. RPMS

Configure AAA and Radius
aaa new-model
aaa authentication ppp default local group radius
aaa authorization network default local group radius
radius-server host 10.10.111.5 key ww
ip radius source-interface Loopback0

Enable VPDN
vpdn enable
vpdn search-order domain dnis
vpdn-group 3
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname c53c2-1   (optional)
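The following ties the call flow on the "L2TP Dial In - Call Flow" slide to the configuration on this slide: the NAS/LAC side, the two SP AAA records (per-domain tunnel record, per-user record) and the VHG/PE side. It is an added example, not the presentation's own configuration or a Cisco reference design. The RADIUS key "ww", server 10.10.111.5, the LAC hostname c53c2-1, vpdn-group 3 and Virtual-Template1 come from the slide, the realm cisco.com from the call flow; the VHG/PE address 10.10.104.1, hostname c75d12-1, the tunnel password "t-secret", the pool V1.2.com-pool, the user name and the attribute-file layout are assumptions (the exact record syntax depends on the AAA product).

```ios
! Added example (not from the slides). Assumed: VHG/PE Loopback0 10.10.104.1,
! tunnel password t-secret, pool 23.1.2.1-23.1.2.100, user user1@cisco.com.
!
! ---- NAS/LAC (call flow steps 1 to 4). No per-domain tunnel definition on
! the box: the realm (or DNIS) is looked up on the SP AAA and the IETF
! tunnel attributes returned there drive the L2TP tunnel to the VHG/PE.
hostname c53c2-1
aaa new-model
aaa authentication ppp default local group radius
aaa authorization network default local group radius
radius-server host 10.10.111.5 key ww
ip radius source-interface Loopback0
vpdn enable
vpdn search-order domain dnis
!
! ---- SP AAA, per-domain record returned to the LAC (RFC 2868 attributes).
! The Tunnel-Password authenticates the tunnel endpoints to each other; it
! is not a user credential and is never seen by the dial-in client.
!   cisco.com
!     Tunnel-Type = L2TP
!     Tunnel-Medium-Type = IP
!     Tunnel-Server-Endpoint = 10.10.104.1   (PE/VHGw address, step 3)
!     Tunnel-Password = "t-secret"
!     Tunnel-Client-Auth-ID = "c53c2-1"
!
! ---- VHG/PE (steps 5 to 9). Accept tunnels only from the named LAC, check
! the tunnel password, and build one virtual-access interface per user
! from Virtual-Template1; the per-user VRF binding arrives from AAA.
hostname c75d12-1
aaa new-model
aaa authentication ppp default local group radius
aaa authorization network default local group radius
radius-server host 10.10.111.5 key ww
ip radius source-interface Loopback0
vpdn enable
vpdn-group 3
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname c53c2-1
 local name c75d12-1
 l2tp tunnel password t-secret
!
! Virtual profiles let AAA push interface configuration per user, so the
! template stays generic and one VHG can serve many customer VRFs.
virtual-profile virtual-template 1
virtual-profile aaa
interface Virtual-Template1
 no ip address
 ppp authentication chap
!
! Pool for V1.2.com users; addresses only need to be unique inside that
! VRF, which is what allows customers with unregistered address space.
ip local pool V1.2.com-pool 23.1.2.1 23.1.2.100
!
! ---- SP AAA, per-user record (step 7: session accepted + VRF mapping +
! pool name). The password check is proxied to the Customer AAA (step 6);
! the SP AAA adds the Cisco AV pairs to the Access-Accept on the way back.
!   user1@cisco.com
!     Service-Type = Framed
!     Framed-Protocol = PPP
!     cisco-avpair = "lcp:interface-config=ip vrf forwarding V1.2.com"
!     cisco-avpair = "lcp:interface-config=ip unnumbered Loopback2"
!     cisco-avpair = "ip:addr-pool=V1.2.com-pool"
```

With this arrangement a session lands in V1.2.com only because the SP AAA says so (step 7), not because of anything the client sends, and the VHG refuses tunnel setup from any LAC other than c53c2-1 or with the wrong tunnel password. Step 8 (route insertion in the VRF) follows from the AV pairs: the virtual-access interface is placed in the VRF before the pool address is assigned, so the /32 host route appears in V1.2.com and is then exported by MP-BGP as provisioned on the previous slide.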