The Last Mile(s)
Remote Access to MPLS VPN Integration
MPLS Deployment Forum
Eric Voit
evoit@cisco.com
Remote Access VPN Benefits
[Chart: percentage of remote access VPN respondents citing each benefit. Source: Infonetics, April 2000]
• Reduction of operations and management costs
• Ability to quickly add many remote users
• Reduction of remote access equipment
• International dial-up cost savings
• Domestic dial-up cost savings
• Increased network uptime
• Increased geographical coverage
• Increased bandwidth for remote access workers using VPNs over DSL or cable
VPN market growth is driven by customer value.
Integrated Access VPN with Intranet and Extranet VPNs
[Diagram: access types NAS, DSL, cable, leased lines, Frame Relay, ATM, PSTN and ISDN, plus content and caches, feeding one integrated access VPN alongside intranet and extranet VPNs]
Extending MPLS VPN benefits to other business opportunities.
Remote Access Leadership
[Three market-share charts, Q4 '99 through Q3 '00. Source: Synergy Research Group, Q3 CY00]
• WW remote access (dial) equipment market share (vendors shown: Cisco, Redback, Nortel, Alcatel, Unisphere, other): total Q3 '00 segment revenue = $1,028 M; Cisco port share = 35%
• WW broadband aggregation equipment market share (Cisco 6400 and 7200) and WW cable equipment market share (cable headend equipment; vendors shown: Cisco, Terayon, Nortel, 3Com, other): total Q3 '00 segment revenue = $168 M in each segment; Cisco unit share = 60% in one segment and 40% in the other
Service Provider Benefits
• Enhance their MPLS VPN service offering to their customers
• Enjoy increased revenues, service differentiation, and greater customer loyalty
• Build a secure and
Customer Benefits
• Remote users can now securely access their corporate intranet and extranet MPLS VPN via dial, DSL and cable
• Expand into new markets and business opportunities by leveraging last mile access to their existing MPLS VPN based applications and services
• Prioritized New World services can now be extended all the way to last mile remote users by leveraging the QoS features of the MPLS VPN
Small-Medium
Access VPNs
• L2TP, L2F, PPTP:
  – Provisioning overhead
  – Scaling problems
  – Sub-optimal routing
• Other L3 tunnel-based VPNs:
  – IPsec
  – GRE
Integrate with MPLS Architecture
• Scalable VPNs
• Standards-based
• IP QoS and traffic engineering
• Easy to manage and No
[Diagram: traffic separation at Layer 3, each VPN has a unique RD. MPLS VPN Enterprise A (sites 1, 2, 3) and MPLS VPN Enterprise B (sites 1, 2, 3); VPN based on logical port and unique RD]
RA to MPLS VPN Integration: The Generic Solution
[Diagram: access technology specific solutions (dial access, DSL access, cable access/DOCSIS) and a common solution independent of access technology (VHG-PE, SP MPLS core, PE, CE, customer net). Servers shown: SP AAA server, SP DHCP server, customer AAA server, customer DHCP server]
VHG-PE: a standard Provider Edge device in the MPLS network which receives remote user sessions. Its context is not limited to tunneled sessions (L2TP).
Dial Access (RA to MPLS VPN Integration)
Dial Access Field Environment
Dial Access Service Architectures
• L2TP MPLS VPN (dial in)
L2TP Overlay Service Architecture
[Diagram: PSTN, NAS/LAC, SP network (MPLS/VPN) with PE, CE/LNS at client B; SP AAA and VPN SC. Encapsulation: PPP over IP from NAS/LAC/PE, L2TP over MPLS between PE and LNS]
• Tunnel information received from SP AAA
• SP receives LNS info from Customers A and B
• LNS "must" have a public IP address
Service architecture benefits:
• Provides a solution for an MPLS VPN migration (CE/LNS): VPDN is used for remote access VPN services and MPLS VPN is used for intranet/extranet VPN
Dial Access Service Architectures Overview
• L2TP Overlay
L2TP Dial In Service Architecture
[Diagram: PSTN, NAS, "VHGw" (VHG/PE) in the SP MPLS/VPN network, PE, CE at client B; SP AAA, DHCP and VPN SC. Encapsulation: PPP from the user over IP to the NAS, L2TP from NAS to VHG/PE, then MPLS/IP across the core]
• Overlapping IP address assignment (local, RADIUS)
• Proxy authentication and accounting
• Virtual profiles
• VHG load balancing
• Tunnel information received from AAA
Service architecture benefits:
• Removes the need for VPDN (no tunnels required in the backbone) and achieves optimal routing
• Customer home gateway is no longer needed and the SP can offer a managed home gateway service (virtual home gateway)
• Service provider can offer VPN services for users with non-registered IP addresses, or can save scarce IP addressing space in the backbone
L2TP Dial In - Call Flow
[Diagram: user, PSTN, NAS, "VHGw", SP AAA, DHCP, PE and CE of client B in the SP MPLS/VPN network]
1) PPP
2) DNIS or @cisco.com
3) Tunnel information received from AAA (PE/VHGw IP address included)
7) Session accepted + VRF mapping + other virtual interface config (local address pool name)
8) Virtual interface configured, IP address assigned, route insertion in VRF
9) IP address handed to user
10) User gets connected
L2TP Dial In - Components
• NAS/LACs: AS5300/5400/5800
• VHG/PEs: 6400, 7200, 7500
• SP AAA server (e.g. AR 1.6)
• SP DHCP server (e.g. CNR 3.0)
• RPMS
• VPNSC 1.2 or above
• IP core or ATM core
Configuration: Provisioning MPLS/VPN
1. Enable tag switching on all interfaces inside the MPLS cloud
2. Configure the IGP used by the SP; the loopback of the PE should be reachable
3. Create the loopback interface which you put in the VRF of the customer (the VRF must be pre-instantiated)
4. Enable the MP-iBGP peer between VHG and PE
5. Provision the BGP peer so that VPN-IPv4 addresses for the corresponding VRFs get exchanged
Example output on the VHG/PE for the customer VRF:
c75d12-1#sh ip route vrf V1.2.com
23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C    23.1.2.252/30 is directly connected, FastEthernet2/0/0.2
C    23.1.2.250/32 is directly connected, Loopback2
[Diagram: SP access network (NAS) and SP MPLS core (VHG/PE)]
NAS can initiate the L2TP tunnel based on:
aaa authentication ppp default local group radius
aaa authorization network default local group radius
vpdn enable
vpdn search-order domain dnis
radius-server host 10.10.111.5 key ww
ip radius source-interface Loopback0   (optional)
Tunnel termination on the VHG/PE (accept-dialin group):
vpdn enable
vpdn-group 3
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname c53c2-1
On the SP AAA server, configure a record per (domain/DNIS, PoP) with the IETF tunnel attributes: Tunnel Type, Tunnel Medium, Tunnel Endpoint(s), Tunnel Password.
Configuration: PPP to MPLS VPN Mapping
[Diagram: SP access network, SP MPLS core, AAA server and RPMS]
Virtual-access interface configuration commands are delivered from the AAA server as a Cisco AV pair:
set cisco-avpair "lcp:interface-config=ip vrf forwarding V1.26.com \\n ip unnumbered Loopback26\\n peer default ip address pool NAME"
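The AV pair above packs three interface commands into one string, and a profile that names the wrong VRF or loopback lands the session in another customer's VPN. The following is an added example, not from the deck or from Cisco, of how a provisioning or audit tool might parse that attribute and check it against the VHG's pre-instantiated VRFs before a session is admitted; the VHG_STATE table, its VRF-to-loopback pairs and the pool name are assumptions.

```python
import re

# Constructed VHG/PE state (an assumption, not from the deck): pre-instantiated
# VRFs with the loopback placed in each, plus the configured local address pools.
VHG_STATE = {"vrfs": {"V1.26.com": "Loopback26", "V1.2.com": "Loopback2"},
             "pools": {"NAME"}}

# The cisco-avpair string as the slide shows it, with literal "\n" separators.
AVPAIR = ("lcp:interface-config=ip vrf forwarding V1.26.com \\n ip unnumbered "
          "Loopback26\\n peer default ip address pool NAME")


def split_interface_config(avpair):
    """Return the IOS commands carried in an lcp:interface-config AV pair."""
    prefix = "lcp:interface-config="
    if not avpair.startswith(prefix):
        raise ValueError("not an lcp:interface-config attribute")
    # Commands are separated by a literal backslash-n (as typed in the RADIUS
    # profile) or by a real newline; blank fragments are dropped.
    parts = re.split(r"\\n|\n", avpair[len(prefix):])
    return [c.strip() for c in parts if c.strip()]


def validate_vrf_mapping(avpair, state=VHG_STATE):
    """Return (True, {vrf, unnumbered, pool}) when the profile lands the session
    in one consistent, pre-instantiated VRF, else (False, reason) so the VHG
    rejects the session instead of placing it in the wrong customer VPN."""
    found = {"vrf": None, "unnumbered": None, "pool": None}
    for cmd in split_interface_config(avpair):
        if m := re.fullmatch(r"ip vrf forwarding (\S+)", cmd):
            found["vrf"] = m.group(1)
        elif m := re.fullmatch(r"ip unnumbered (\S+)", cmd):
            found["unnumbered"] = m.group(1)
        elif m := re.fullmatch(r"peer default ip address pool (\S+)", cmd):
            found["pool"] = m.group(1)
        else:
            return False, f"unexpected command in profile: {cmd!r}"
    if None in found.values():
        return False, "profile incomplete: vrf, unnumbered and pool all required"
    if found["vrf"] not in state["vrfs"]:
        return False, f"VRF {found['vrf']} is not pre-instantiated on this VHG"
    if state["vrfs"][found["vrf"]] != found["unnumbered"]:
        return False, "ip unnumbered source is not the loopback of that VRF"
    if found["pool"] not in state["pools"]:
        return False, f"address pool {found['pool']} does not exist"
    return True, found
```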
L2TP Dial In VHG/PE Scaling
– 496 VRFs, 10 routes/VRF
Functional Description: Address Management
Objectives: (… SP’s own addresses)
• Phase I: DHCP server not VPN aware, and no support for overlapping addresses
• VPN-aware (domain name or DNIS)
• Assign adjacent addresses to requests from the same (VHG, VPN) pair
• Relies on Accounting Stop records for release
• Watch route summarization and route propagation
• One pool per VPN
… the VHG/PEs
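An added illustration, not from the deck, of the address-management rules listed above: one pool per VPN (so the same range may recur in another VPN), adjacent addresses for requests from the same (VHG, VPN) pair so the VHG can summarize them, and release only when the Accounting Stop record arrives. The block size, VPN names and pool ranges are assumptions.

```python
import ipaddress

class VpnAddressManager:
    """One pool per VPN (the same private range may recur in another VPN since
    each VPN has its own VRF).  Each (VHG, VPN) pair draws contiguous blocks
    from that pool so addresses on one VHG stay adjacent and summarise into one
    route per block; a lease is released only on the session's Accounting-Stop."""

    def __init__(self, block_prefixlen=28):
        self.block_prefixlen = block_prefixlen
        self.pools = {}    # vpn -> generator of not-yet-assigned blocks
        self.blocks = {}   # (vhg, vpn) -> [IPv4Network, ...] held by that VHG
        self.in_use = {}   # (vhg, vpn) -> {IPv4Address, ...} currently leased
        self.leases = {}   # session id -> (vhg, vpn, IPv4Address)

    def add_pool(self, vpn, cidr):
        net = ipaddress.ip_network(cidr)
        self.pools[vpn] = net.subnets(new_prefix=self.block_prefixlen)

    def _free_address(self, key):
        # lowest unused host address in the blocks this (VHG, VPN) already holds
        for block in self.blocks.get(key, []):
            for addr in block.hosts():
                if addr not in self.in_use[key]:
                    return addr
        return None

    def assign(self, session_id, vhg, vpn):
        """Hand an address to a new session; returns it as a string."""
        key = (vhg, vpn)
        self.in_use.setdefault(key, set())
        addr = self._free_address(key)
        if addr is None:                      # every held block is full
            block = next(self.pools[vpn])     # StopIteration: VPN pool exhausted
            self.blocks.setdefault(key, []).append(block)
            addr = next(block.hosts())
        self.in_use[key].add(addr)
        self.leases[session_id] = (vhg, vpn, addr)
        return str(addr)

    def accounting_stop(self, session_id):
        """Release the lease when the RADIUS Accounting-Stop record arrives."""
        vhg, vpn, addr = self.leases.pop(session_id)
        self.in_use[(vhg, vpn)].discard(addr)
        return str(addr)

    def summary_routes(self, vhg, vpn):
        """Prefixes the VHG should advertise into the VPN's VRF: one per block."""
        return [str(b) for b in self.blocks.get((vhg, vpn), [])]
```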
Functional Description: Network and Service Management
• Monitoring
Dial Access (RA to MPLS VPN Integration)
DSL Access Field Environment
DSL L2TP Overlay Service Architecture
[Diagram: DSL customers A and B; SP network (MPLS/VPN) with PE/LAC and PE; CE/LNS and CE at client B; SP AAA and VPN SC]
• Tunnel information received from AAA
• SP receives LNS info from network A or B
• LNS must have a public IP address
Service architecture benefits:
• Provides a solution for an MPLS VPN migration (CE/LNS): VPDN is used for remote access VPN services and MPLS VPN is used for intranet/extranet VPN
PPPoX to MPLS VPN Service Architecture
[Diagram: DSL CPE bridge at customers A and B, VHG/PE in the SP MPLS/VPN network, PE, CE at client B; SP AAA, DHCP and VPN SC. Encapsulation: PPP over Ethernet from the CPE, then MPLS/IP from the VHG/PE across the core]
• Overlapping IP address assignment (local, RADIUS)
• Proxy authentication and accounting
• Virtual profile
Service architecture benefits:
• Open/managed access can be offered by the service provider
• Service selection can be based on the domain name
• Each session can be mapped to a different VPN
• Service provider can offer VPN services for users with non-registered IP addresses, or can save scarce IP addressing space in the backbone
PPPoX to MPLS VPN Call Flow
[Diagram: DSL user, VHG/PE and CE in the SP MPLS/VPN network. Encapsulation: PPP over Ethernet, RFC 1483 bridged over ATM from the CPE; MPLS/IP from the VHG/PE]
4) Session accepted + VRF mapping + other virtual interface config (local address pool name)
6) IP address handed to user
7) User gets connected
PPPoX to MPLS VPN VHG/PE Scaling
– 6400 NRP1
– 10 routes/VRF
– CPE authentication by the SP (in case of managed CPE), no user authentication
PE maps PVC to VRF; per-service AAA &
Service architecture benefits:
• Service providers can offer service selection into MPLS VPN solutions
• Managed security access (AAA) can be offered on a per-service basis (VPN)
L2TP to MPLS VPN (DSL) Service Architecture
[Diagram: DSL customers A and B; NRP/LAC; SP network (MPLS/VPN) with PE/LNS and PE; CE at client B; SP AAA, DHCP and VPN SC]
• Overlapping IP address assignment
Service architecture benefits:
• Provides better aggregation for the SP than the single-card PPPoX solution
• Removes the need for VPDN (no tunnels required in the backbone) and achieves optimal routing
RFC1483 Routed to MPLS VPN Service Architecture
[Diagram: DSL customers A and B; PE-NRP; SP network (MPLS/VPN) with PE; CE at client B; DHCP and VPN SC]
• NetFlow accounting
• Dynamic routing supported
Dial Access (RA to MPLS VPN Integration)
Cable to MPLS VPN Architectures Overview
• PPPoE to MPLS-VPN
Cable CPE (DOCSIS) to MPLS VPN Service Architecture
[Diagram: DOCSIS CPE at customers A and B, CSRC, PE in the SP MPLS/VPN network, PE, CE at client B; DHCP clients A and B, DHCP and VPN SC. Encapsulation: IP over Ethernet from the CPE]
• NetFlow accounting
• DHCP Option 82 to provide a unique client ID for DHCP
• DHCP relay VRF aware, to reach the DHCP address server in the appropriate VRF
Service architecture benefits:
• Service provider can now offer open/managed access services
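An added example, not part of the deck or of any Cisco relay implementation, of the Option 82 handling named above: parse the relay agent information sub-options, choose the VRF and the DHCP server inside it from the circuit-id, and derive a client identifier that stays unique even when two customers' modems present the same MAC. The option bytes, the circuit-to-VRF binding and the server addresses are constructed for this example.

```python
# Constructed option 82 (DHCP Relay Agent Information, RFC 3046) as a CMTS/PE
# might insert it.  Sub-option 1 = Agent Circuit ID, sub-option 2 = Agent
# Remote ID (the cable modem MAC).  All values here are made up for the example.
OPTION_82 = bytes([82, 16,
                   1, 6, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01,   # circuit-id
                   2, 6, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55])  # remote-id (MAC)

# Assumed relay-side configuration: which circuit belongs to which customer VRF,
# and the DHCP server reachable inside each VRF.
CIRCUIT_TO_VRF = {bytes([0x00, 0x03, 0x00, 0x00, 0x00, 0x01]): ("Cable3/0", "V1.26.com")}
VRF_DHCP_SERVER = {"V1.26.com": "10.26.0.10", "V1.2.com": "10.2.0.10"}


def parse_option82(data):
    """Return {sub-option code: value bytes} from a raw option-82 TLV, rejecting
    length fields that do not match the bytes actually present."""
    if len(data) < 2 or data[0] != 82 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed option 82")
    subs, i = {}, 2
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length exceeds option")
        subs[code] = value
        i += 2 + length
    return subs


def relay_target(option82):
    """Decide which VRF and DHCP server a relayed DISCOVER goes to, and the
    client identifier the server should key its lease on."""
    subs = parse_option82(option82)
    circuit, remote = subs.get(1), subs.get(2)
    if circuit is None or remote is None:
        raise ValueError("circuit-id and remote-id are both required")
    if circuit not in CIRCUIT_TO_VRF:
        raise ValueError("circuit is not bound to any VRF; request dropped")
    interface, vrf = CIRCUIT_TO_VRF[circuit]
    # Prefixing the VRF keeps the id unique even if two customers' modems
    # share a MAC, so overlapping VPNs never collide at the DHCP server.
    return {"interface": interface, "vrf": vrf, "server": VRF_DHCP_SERVER[vrf],
            "client_id": f"{vrf}/{remote.hex(':')}"}
```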
Cable to MPLS VPN Architectures Overview
• CPE (DOCSIS) to MPLS-VPN
PPPoE to MPLS VPN Service Architecture
[Diagram: DOCSIS CPE at customers A and B, VHG/PE in the SP MPLS/VPN network, PE, CE at client B; SP AAA, DHCP and VPN SC. Encapsulation: MPLS/IP across the core]
• Overlapping IP address assignment
Service architecture benefits:
• Service provider can now offer open/managed access services
• Scalable solution since each session can be mapped to a different VPN
• Service provider can offer VPN services for users with non-registered IP addresses, or can save scarce IP addressing space in the backbone