Definitive MPLS Network Designs [Electronic resources] - Text version


Jim Guichard; François Le Faucheur; Jean-Philippe Vasseur


Remote Access to the Layer 3 MPLS VPN Service


Many different options are available to connect remote users to a Layer 3 MPLS VPN service. Chapter 2 of [MPLS-VPN-Vol2] provides technical and configuration details for most of these options. This section doesn't cover these details. Instead, it looks at the specific design options that TK chose.

For Layer 3 MPLS VPN services, the deployed network currently has more than 5000 remote-access users, who belong to a total of 625 separate remote-access VPNs. With an average of eight routes per VPN, the total number of VPNv4 routes generated by the remote-access solution set is approximately 5000.

TK provides three main remote-access solutions:

Dial-in access via L2TP Virtual Private Dialup Network (VPDN)

Dial-in access via direct ISDN

DSL access using PPPoE or PPPoA and VPDN (L2TP)


Table 4-2 breaks down how the number of sites is spread across the different remote-access services.

Table 4-2. Remote Access to MPLS VPN Service Breakdown

VPN Category       Number of Sites   Percentage of Total Remote-Access Sites
Dial-in via L2TP   3500              70%
ISDN               50                1%
DSL                1450              29%

To support the Layer 3 MPLS VPN remote-access services, TK has a separate set of Network Access Server (NAS) devices in each Level 1 and Level 2 POP. They are connected to the mPE routers via Gigabit Ethernet. To support the dial-in services, TK has deployed 12 L2TP network servers (LNSs), two in each Level 1 POP, and it limits the maximum number of L2TP sessions to 1000 for each device.


Dial-In Access Via L2TP VPDN


Chapter 1 in the section "Remote Access to the Layer 3 MPLS VPN Service." This concept uses a tunneling protocol (such as L2TP) to extend the dial connection from a remote user and terminate it on an LNS, which in this context is called a Virtual Home Gateway (VHG).

TK supports connection speeds of up to 56 kbps for dialup via the PSTN and 64 kbps/128 kbps for dialup via the ISDN.

Figure 4-15 shows a high-level example of the VPDN concept.


Figure 4-15. Dial-In Using the VPDN Concept

Using this infrastructure, a remote client may dial in to any of the TK Level 1/Level 2 POP NASs. After RADIUS authentication, the remote client can be tunneled to one of the 12 LNSs for access to their Layer 3 MPLS VPN environment. Figure 4-16 provides a more detailed topology specific to TK.


Figure 4-16. Dial-In Using VPDN: Telecom Kingland Design


Dial-In Access Via Direct ISDN


TK provides a direct digital ISDN service to some of its customers. This service is deployed by attaching a primary rate ISDN connection to an mPE router. TK currently has six of these connections, one in each Level 1 POP. The primary interface is housed in one of the existing mPE routers, as shown in Figure 4-17.


Figure 4-17. Level 1 Direct ISDN Connectivity


Direct ISDN access does not require the use of any tunneling protocol from the remote client to the TK mPE router. Instead, a PPP link is established over the ISDN B channel directly to the mPE router. The mPE router obtains the remote client's credentials using CHAP; it then forwards the credentials to the TK RADIUS server for authentication. Upon successful authentication, the RADIUS server returns configuration parameters for the client (such as VRF name, IP address pool, and so forth). The mPE router then can create a virtual-access interface for the PPP session based on local configuration and the information returned by the RADIUS server. The user CHAP authentication process then can finish, and the remote user is given access to the relevant VPN.
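The CHAP and RADIUS exchange described above, sketched as an added example that is not from the book or from TK's configuration. It assumes MD5 CHAP as defined in RFC 1994 and the CHAP-Password layout from RFC 2865; the user names, secrets, VRF names, and pool names are constructed.

```python
import hashlib
import hmac
import os

# Constructed subscriber records as a RADIUS server might hold them.
# User names, secrets, VRF names and pool names are hypothetical.
SUBSCRIBERS = {
    "alice@vpn-red": {"secret": b"constructed-secret-1", "vrf": "vpn-red", "pool": "red-pool"},
    "bob@vpn-blue": {"secret": b"constructed-secret-2", "vrf": "vpn-blue", "pool": "blue-pool"},
}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of the Identifier octet, the secret, then the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def radius_authorize(username: str, chap_password: bytes, challenge: bytes):
    """Verify a forwarded CHAP exchange and return the per-session parameters.

    chap_password follows RFC 2865 CHAP-Password: one identifier octet followed
    by the 16-octet response. Any failure returns None (reject), so a session
    is never bound to a VRF without a successful check.
    """
    if len(chap_password) != 17 or not challenge:
        return None
    identifier, response = chap_password[0], chap_password[1:]
    entry = SUBSCRIBERS.get(username)
    # The hash is computed for unknown users too, against a dummy secret.
    secret = entry["secret"] if entry else b"\x00" * 16
    expected = chap_response(identifier, secret, challenge)
    if entry is None or not hmac.compare_digest(expected, response):
        return None
    return {"vrf": entry["vrf"], "pool": entry["pool"]}


def simulate_dial_in(username: str, client_secret: bytes):
    """Router side: issue a fresh challenge, take the client's response, ask RADIUS."""
    identifier = os.urandom(1)[0]
    challenge = os.urandom(16)  # fresh per session, so an old response does not verify
    response = chap_response(identifier, client_secret, challenge)  # computed by the client
    return radius_authorize(username, bytes([identifier]) + response, challenge)


if __name__ == "__main__":
    print(simulate_dial_in("alice@vpn-red", b"constructed-secret-1"))
    print(simulate_dial_in("alice@vpn-red", b"wrong-secret"))
```

The VRF binding comes only from the server-side record for the authenticated user, never from anything the client sends, which is what keeps a remote user from selecting another customer's VPN.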


DSL Access Using PPPoE or PPPoA and VPDN (L2TP)


DSL access is provided to business clients by terminating DSL connections using the L2TP VPDN architecture rather than a direct connection onto an mPE router. This provides the infrastructure for large-scale DSL termination, with access speeds up to 1.2 Mbps. Figure 4-18 shows the DSL connectivity option.


Figure 4-18. DSL Connectivity Using PPPoE or PPPoA


As shown in Figure 4-18, a remote-access client may access its Layer 3 MPLS VPN using PPPoE (if the CPE acts as a bridge) or PPPoA (if the CPE acts as a router). RFC 1483 routed (PPPoA) and bridged (PPPoE) encapsulation is used, and an L2TP tunnel is built from the receiving NAS/LAC to one of the LNSs in the TK Level 1 POPs.

