
Example 2-10. San Jose NAS VPDN Information

SanJose_NAS#show vpdn tunnel

L2TP Tunnel Information Total tunnels 2 sessions 3

LocID RemID Remote Name  State Remote Address Port Sessions
28791 1463  SuperCom_LNS est   194.22.15.2    1701 2
35022 37120 SuperCom_LNS est   194.22.15.2    1701 1

SanJose_NAS#show vpdn session

L2TP Session Information Total tunnels 2 sessions 3

LocID RemID TunID Intf Username            State Last Chg Fastswitch
46    46    28791 As3  jimi@fastfoods.com  est   00:14:26 enabled
49    49    28791 As2  elvis@fastfoods.com est   00:05:13 enabled
50    50    35022 As4  eric@eurobank.com   est   00:02:04 enabled

Table of Contents

Index

MPLS and VPN Architectures, Volume II By Jim Guichard, Ivan Pepelnjak, Jeff Apcar

Publisher: Cisco Press Pub Date: June 06, 2003

ISBN: 1-58705-112-5 Pages: 504

With MPLS and VPN Architectures, Volume II, you'll learn:

How to integrate various remote access technologies into the backbone providing VPN service to many different types of customers

The new PE-CE routing options as well as other advanced features, including per-VPN Network Address Translation (PE-NAT)

How VRFs can be extended into a customer site to provide separation inside the customer network

The latest MPLS VPN security features and designs aimed at protecting the MPLS VPN backbone

How to carry customer multicast traffic inside a VPN

The latest inter-carrier enhancements to allow for easier and more scalable deployment of inter-carrier MPLS VPN services

Advanced troubleshooting techniques including router outputs to ensure high availability

MPLS and VPN Architectures, Volume II, builds on the best-selling MPLS and VPN Architectures, Volume I (1-58705-002-1), from Cisco Press. Extending into more advanced topics and deployment architectures, Volume II provides readers with the necessary tools they need to deploy and maintain a secure, highly available VPN.

MPLS and VPN Architectures, Volume II, begins with a brief refresher of the MPLS VPN Architecture. Part II describes advanced MPLS VPN connectivity including the integration of service provider access technologies (dial, DSL, cable, Ethernet) and a variety of routing protocols (IS-IS, EIGRP, and OSPF), arming the reader with the knowledge of how to integrate these features into the VPN backbone. Part III details advanced deployment issues including security, outlining the necessary steps the service provider must take to protect the backbone and any attached VPN sites, and also detailing the latest security features to allow more advanced topologies and filtering. This part also covers multi-carrier MPLS VPN deployments. Finally, Part IV provides a methodology for advanced MPLS VPN troubleshooting.

MPLS and VPN Architectures, Volume II, also introduces the latest advances in customer integration, security, and troubleshooting features essential to providing the advanced

The VPDN information on the San Jose VHG/PE router is shown in Example 2-11 and is similar to the LAC. Note that the interface associated with each user is a virtual-access interface and that all L2TP tunnels are terminated using VPDN group 1, whose tunnel client name matched the hostname "SuperCom_LAC."

Example 2-11. San Jose VHG/PE Router VPDN Information

SanJose_PE#show vpdn tunnel

L2TP Tunnel Information Total tunnels 2 sessions 3

LocID RemID Remote Name  State Remote Address Port Sessions VPDN Group
1463  28791 SuperCom_LAC est   194.22.15.26   1701 2        1
37120 35022 SuperCom_LAC est   194.22.15.26   1701 1        1

SanJose_PE#show vpdn sess

L2TP Session Information Total tunnels 2 sessions 3

LocID RemID TunID Intf Username            State Last Chg Fastswitch
46    46    1463  Vi1  jimi@fastfoods.com  est   00:36:22 enabled
49    49    1463  Vi2  elvis@fastfoods.com est   00:27:09 enabled
50    50    37120 Vi3  eric@eurobank.com   est   00:24:01 enabled

If we look at the VRF information in the San Jose VHG/PE router in Example 2-12, we see that the virtual-access interfaces have been associated with the correct VRF. The loopback interfaces are used for preinstantiation of the VPN routes, as discussed earlier.

Example 2-12. San Jose VHG/PE Router VRF Information

SanJose_PE#show ip vrf

Name            Default RD      Interfaces


EuroBank        10:27           virtual-Access3
                                Loopback11
FastFoods       10:26           virtual-Access1
                                virtual-Access2
                                Loopback10
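One check worth automating on the two outputs above is that every remote user's virtual-access interface really sits in the VRF that user's domain belongs to, since a session placed in the wrong VRF would silently break the customer separation the design relies on. The following Python is an added example, not code from the book: the DOMAIN_TO_VRF policy is assumed, the IOS column layout is the usual one, and the sample text is constructed from Examples 2-11 and 2-12.

```python
import re
# Constructed sample input: the session table from Example 2-11 and the VRF table
# from Example 2-12, laid out in the usual IOS column format.
SHOW_VPDN_SESSION = """\
LocID RemID TunID Intf Username            State Last Chg Fastswitch
46    46    1463  Vi1  jimi@fastfoods.com  est   00:36:22 enabled
49    49    1463  Vi2  elvis@fastfoods.com est   00:27:09 enabled
50    50    37120 Vi3  eric@eurobank.com   est   00:24:01 enabled
"""
SHOW_IP_VRF = """\
Name      Default RD  Interfaces
EuroBank  10:27       Virtual-Access3
                      Loopback11
FastFoods 10:26       Virtual-Access1
                      Virtual-Access2
                      Loopback10
"""
# Assumed policy (not from the page): the VRF each user domain must terminate in.
DOMAIN_TO_VRF = {"fastfoods.com": "FastFoods", "eurobank.com": "EuroBank"}

# Capture Intf and Username from each row whose State is 'est'.
SESSION_RE = re.compile(r"^\s*\d+\s+\d+\s+\d+\s+(\S+)\s+(\S+@\S+)\s+est\b", re.M)

def parse_vrf_interfaces(text):
    """Map each VRF name to the lower-cased interface names listed under it."""
    vrfs, current = {}, None
    for line in (l for l in text.splitlines()[1:] if l.strip()):  # skip header
        if not line[0].isspace():           # first row of a VRF: name, RD, interface
            current, _rd, intf = line.split()
            vrfs[current] = set()
        else:                               # continuation row: interface only
            intf = line.strip()
        vrfs[current].add(intf.lower())
    return vrfs

def check_vrf_placement(session_text, vrf_text):
    """Return (user, intf, expected_vrf, actual_vrf) for each session in the wrong VRF."""
    intf_to_vrf = {i: v for v, ifs in parse_vrf_interfaces(vrf_text).items() for i in ifs}
    problems = []
    for m in SESSION_RE.finditer(session_text):
        short, user = m.groups()
        expected = DOMAIN_TO_VRF.get(user.rsplit("@", 1)[1])
        # The session table abbreviates Virtual-Access3 as Vi3; undo that before lookup.
        actual = intf_to_vrf.get(re.sub(r"^Vi(\d+)$", r"virtual-access\1", short).lower())
        if actual != expected:
            problems.append((user, short, expected, actual))
    return problems
```

On the page's outputs the check returns an empty list; a user whose interface is missing from, or listed under, the wrong VRF is reported with the VRF the policy expected and the one actually found.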

In our configuration, the addresses for each of the remote access users are taken from one of the shared pools. To achieve higher utilization of the available address space, all the pools use the same range of 192.168.3.1–192.168.3.62. As you can see in Example 2-13, two addresses have been used from the FastFoods_Pool, whereas one address has been used from the EuroBank_Pool. Because these addresses are allocated to different VRFs, there is no possibility of overlap.

Example 2-13. San Jose VHG/PE-Router Address Pool Usage

SanJose_PE#show ip local pool

Pool            Begin           End             Free    In use
SuperCom_Pool   192.168.3.1     192.168.3.62    62      0
 ** pool <FastFoods_Pool> is in group <VPN_FastFoods>
FastFoods_Pool  192.168.3.1     192.168.3.62    60      2
 ** pool <EuroBank_Pool> is in group <VPN_EuroBank>
EuroBank_Pool   192.168.3.1     192.168.3.62    61      1

Examining the routing tables for FastFoods and EuroBank in Example 2-14, we can see that the host addresses have been installed as connected routes for each of the virtual-access interfaces. You can also see the loopback address used for preinstantiation of the VRFs using the address of 192.168.2.100.

Our original premise for providing remote access to FastFoods users was to provide access to the Sales Data server in Lyon (10.2.1.6). This has been achieved because the FastFoods VRF has imported the BGP route 10.2.1.0/24 from the FastFoods VRF on the Paris PE router (194.22.15.1), allowing any FastFoods remote access user who is terminating on the San Jose PE router access to the FastFoods Lyon subnet.

Example 2-14. San Jose VHG/PE Router VRF Routing Tables


SanJose_PE#show ip route vrf FastFoods
[snip]
     10.0.0.0/24 is subnetted, 1 subnets
B       10.2.1.0 [200/0] via 194.22.15.1, 02:09:57
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback10
B       192.168.2.20/30 [200/0] via 194.22.15.1, 02:09:57
     192.168.3.0/32 is subnetted, 2 subnets
C       192.168.3.2 is directly connected, virtual-Access1
C       192.168.3.1 is directly connected, virtual-Access2

SanJose_PE#show ip route vrf EuroBank
[snip]
B    196.7.25.0/24 [200/0] via 194.22.15.1, 02:14:14
     194.22.15.0/32 is subnetted, 2 subnets
B       194.22.15.3 [200/0] via 194.22.15.3, 02:14:29
B       194.22.15.1 [200/0] via 194.22.15.1, 02:13:59
     192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.2.100/32 is directly connected, Loopback11
B       192.168.2.24/30 [200/0] via 194.22.15.1, 02:14:14
     192.168.3.0/32 is subnetted, 1 subnets
C       192.168.3.1 is directly connected, virtual-Access3