Support User Manuals

Cisco Systems 10000 Network Router User Manual

Open as PDF

of 624

3-4

Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 3 Configuring Remote Access to MPLS VPN

Access Technologies

Figure 3-3 shows the topology of an RBE to MPLS VPN solution.

Figure 3-3 RBE to MPLS VPN Topology

In the figure, the wholesale provider uses VPNs to separate the subscribers of different retail providers.

The subscribers are uniquely placed in VRFs on the access side. A tag interface separates traffic for the

different retail providers on the network side. The MPLS VPN technology is used to assign tags in a

VPN-aware manner.

PPP over ATM to MPLS VPN

The Cisco 10000 series router supports a PPP over ATM (PPPoA) connection to an MPLS VPN

architecture. In this model, when a remote user attempts to establish a connection with a corporate

network, a PPPoA

session is initiated and is terminated on the service provider’s virtual home gateway

(VHG) or provider edge (PE) router. All remote hosts connected to a particular CE router must be part

of the same VPN to which the CE router is connected.

The following events occur when the remote user attempts to access the corporate network or ISP:

1. A PPPoA session is initiated over the broadband access network.

2. The VHG/PE router accepts and terminates the PPPoA session.

3. The VHG/PE router obtains virtual access interface (VAI) configuration information.

a. The VHG/PE obtains virtual template interface configuration information, which typically

includes virtual routing and forwarding (VRF) mapping for sessions.

b. The VHG/PE sends a separate request to either the customer’s or service provider’s

RADIUS

server for the VPN to authenticate the remote user.

c. The VPN’s VRF instance was previously instantiated on the VHG or PE. The VPN’s VRF

contains a routing table and other information associated with a specific VPN.

Typically, the customer RADIUS server is located within the customer VPN. To ensure that

transactions between the VHG/PE router and the customer RADIUS server occur over routes within

the customer VPN, the VHG/PE router is assigned at least one IP address that is valid within

the

VPN.

CPE

RFC 2684 bridged

format PDUs

Tag interface,

logically separated

into multiple VPNs

Provider 1

Provider 2

Provider n

ATM

access

network

VRF 1

VRF n

VRF 2

MPLS

network

76267

Retail

providers

Wholesale

provider

Subscribers

previous next