
Configuring the SuperCom San Jose VHG/PE Router

The San Jose VHG/PE router terminates the L2TP tunnel from the San Jose NAS/LAC. The remote PPP session received through the tunnel from elvis@fastfoods.com is terminated on a virtual-access interface. The virtual-access interface is associated with the FastFoods VRF to allow elvis@fastfoods.com access to the FastFoods VPN. You can create a virtual-access interface by cloning through virtual templates or virtual-profiles.

Virtual templates are configured for individual VPNs. Each associated virtual interface template must be configured for a specific VRF to preinstantiate the route for that VRF.

Cisco IOS permits no more than 25 virtual-templates to be configured on a router; therefore, the use of virtual-templates does not scale well and is not recommended for terminating a large number of VPNs.

MPLS and VPN Architectures, Volume II
By Jim Guichard, Ivan Pepelnjak, Jeff Apcar
Publisher: Cisco Press
Pub Date: June 06, 2003
ISBN: 1-58705-112-5
Pages: 504

With MPLS and VPN Architectures, Volume II, you'll learn:

- How to integrate various remote access technologies into the backbone providing VPN service to many different types of customers
- The new PE-CE routing options as well as other advanced features, including per-VPN Network Address Translation (PE-NAT)
- How VRFs can be extended into a customer site to provide separation inside the customer network
- The latest MPLS VPN security features and designs aimed at protecting the MPLS VPN backbone
- How to carry customer multicast traffic inside a VPN
- The latest inter-carrier enhancements to allow for easier and more scalable deployment of inter-carrier MPLS VPN services
- Advanced troubleshooting techniques including router outputs to ensure high availability

MPLS and VPN Architectures, Volume II, builds on the best-selling MPLS and VPN Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced topics and deployment architectures, Volume II provides readers with the necessary tools they need to deploy and maintain a secure, highly available VPN.

MPLS and VPN Architectures, Volume II, begins with a brief refresher of the MPLS VPN Architecture. Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to integrate these features into the VPN backbone. Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting.

MPLS and VPN Architectures, Volume II, also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced

Virtual-profiles are more flexible and can use a common virtual-template or an AAA (in our case, it will be RADIUS) server to provide the additional configuration details needed to create the virtual-access interface. The configuration information on the AAA server is held on a per user basis. Virtual-profiles simplify the configuration and provide a more scalable approach for tunnel termination because only a single virtual-template configuration is required for VPNs that terminate on the LNS.

Example 2-3 shows the necessary configuration for the San Jose VHG/PE router.

Example 2-3. San Jose VHG/PE Router Configuration

hostname SanJose_PE
!
aaa authentication ppp default local group radius
aaa authorization network default local group radius
!
virtual-profile aaa
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname SuperCom_LAC
 local name SuperCom_LNS
 l2tp tunnel password vision
!
interface Virtual-Template1
 no ip address
 no peer default ip address
 ppp authentication chap callin
!
ip local pool SuperCom_Pool 192.168.3.1 192.168.3.62
ip local pool FastFoods_Pool 192.168.3.1 192.168.3.62 group VPN_FastFoods

ip local pool EuroBank_Pool 192.168.3.1 192.168.3.62 group VPN_EuroBank

!
ip radius source-interface Loopback0
!
radius-server host 194.22.16.2 auth-port 1645 acct-port 1646 key a$4two

The aaa configuration is identical to the one the SuperCom NAS/LAC uses because both use the same SuperCom RADIUS server. The operational difference is that the San Jose NAS/LAC passes only the domain name fastfoods.com to the SuperCom RADIUS server, which responds directly. In contrast, the San Jose VHG/PE router passes the fully qualified username elvis@fastfoods.com to the SuperCom RADIUS server for authentication, which in turn proxies the request to the FastFoods RADIUS server for processing. The virtual-profile aaa command enables the LNS to obtain per-user configuration information from the RADIUS server and apply it to the virtual-template. In our case, the vpdn-group command supplies the virtual-template number. A single VPDN group configuration is enough to terminate an L2TP tunnel from any LAC that identifies itself as SuperCom_LAC with a tunnel password of "vision." The LAC uses the local name SuperCom_LNS for authentication, which matches the AV pair information previously provided to the SuperCom NAS/LAC in Table 2-1.

The vpdn-group is associated with the generic virtual-template1. This virtual-template is used in conjunction with information received from the FastFoods RADIUS server to create the virtual-access interface for the remote user.

The San Jose VHG/PE router uses locally configured overlapping pools to provide IP addresses to remote users. The overlapping pool feature allows the same address space to be used concurrently in different VRFs by appending a group name on the ip local pool command. In our example, three pools have been configured to use the same address range 192.168.3.1 through 192.168.3.62:

- A SuperCom_Pool for remote users who are accessing services in the global routing table (such as best effort Internet)
- A FastFoods_Pool for remote users of the FastFoods VPN
- A EuroBank_Pool for remote users of the EuroBank VPN

NOTE

In a production network, the pools used would most likely provide registered addresses.

You can find further discussion on other addressing options in the "Advanced Features for MPLS VPN Remote Access" section.
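As an added check that is not the book's code, the following script parses an LNS configuration in the style of Example 2-3 and flags the conditions this section depends on: a vpdn-group that does not restrict the LAC by hostname or lacks a tunnel password, two pools that reuse the same range without distinct group names (so two VRFs would share one pool), and a missing virtual-profile aaa. The sample configuration is a constructed subset of Example 2-3, and parse_blocks and check_lns_config are names chosen for this example.

```python
import re
from collections import defaultdict
# Constructed sample: the parts of Example 2-3 that the checks below look at (not the book's listing).
SAMPLE_CONFIG = """\
virtual-profile aaa
vpdn enable
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname SuperCom_LAC
 local name SuperCom_LNS
 l2tp tunnel password vision
ip local pool SuperCom_Pool 192.168.3.1 192.168.3.62
ip local pool FastFoods_Pool 192.168.3.1 192.168.3.62 group VPN_FastFoods
ip local pool EuroBank_Pool 192.168.3.1 192.168.3.62 group VPN_EuroBank
"""
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)(?: group (\S+))?$")

def parse_blocks(text):
    """Map each top-level IOS line to the list of its indented child lines (stripped)."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.startswith(" "):
            blocks[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            current = raw.strip()
            blocks[current] = []
    return blocks

def check_lns_config(text):
    """Return findings for the LNS points the text stresses; an empty list means all passed."""
    blocks, findings = parse_blocks(text), []
    pools = defaultdict(list)  # (group, low, high) -> names of pools claiming that range
    for top, kids in blocks.items():
        if m := POOL_RE.match(top):
            name, lo, hi, group = m.groups()
            pools[(group, lo, hi)].append(name)
        elif top.startswith("vpdn-group "):
            # Only the named LAC may open a tunnel, and tunnel authentication needs a password.
            if not any(k.startswith("terminate-from hostname ") for k in kids):
                findings.append(f"{top}: accepts tunnels from any LAC (no terminate-from)")
            if not any(k.startswith("l2tp tunnel password ") for k in kids):
                findings.append(f"{top}: no L2TP tunnel password")
    for (group, lo, hi), names in pools.items():
        if len(names) > 1:  # same range under the same group is reuse, not an overlapping pool per VRF
            findings.append(f"pools {names} reuse {lo}-{hi} in group {group or '<global>'}")
    if "virtual-profile aaa" not in blocks:
        findings.append("virtual-profile aaa missing: per-user RADIUS data cannot shape the virtual-access interface")
    return findings
```

Run check_lns_config on the output of show running-config to confirm that every accept-dialin group names its LAC and carries a tunnel password before the LNS is put into service.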

To complete the configuration, we must preinstantiate all the VRFs to be accessed through this LNS. We cannot rely on dynamic instantiation of the VRF routing information when the first user dials in because Multiprotocol BGP might take up to 60 seconds to converge the routes for the new VRF. To avoid this delay, create and associate a loopback interface with the applicable VRF, as shown in Example 2-4.
