The Remote Access MPLS-VPNs feature allows the service provider to offer a scalable end-to-end Virtual Private Network (VPN) service to remote users. This feature integrates the Multiprotocol Label Switching (MPLS)-enabled backbone with broadband access capabilities.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The Remote Access MPLS-VPNs feature has the following prerequisites:
The Remote Access MPLS-VPNs feature has the following restrictions:
MPLS-based VPNs allow service providers to deploy a scalable and cost-effective VPN service that provides a stable and secure path through the network. An enterprise connects to geographically dispersed sites in the Internet service provider's (ISP's) network through use of an MPLS backbone. Sites are interconnected to create an MPLS VPN.
The Remote Access MPLS-VPNs feature allows the service provider to offer a scalable end-to-end VPN service to remote users. The Remote Access MPLS-VPNs feature integrates the MPLS-enabled backbone with broadband access capabilities. By integrating access VPNs with MPLS VPNs, a service provider can:
MPLS VPN architecture enables the service provider to build the MPLS VPN network one time and add VPNs for new customers as needed, including them in the already established network. The elements that comprise the MPLS VPN are:
The figure below shows an example of MPLS VPN network architecture.
Figure 1 | MPLS VPN Network--Example |
The figure below shows the topology of integrated PPP over Ethernet (PPPoE) access to an MPLS VPN.
Figure 2 | PPPoE Access to MPLS VPN Topology |
In the figure above, the service provider operates an MPLS VPN that interconnects all customer sites. The service provider's core network is an MPLS backbone with VPN service capability. The service provider provides all remote access operations to its customer. The network-side interfaces are tagged interfaces, logically separated into multiple VPNs.
Remote access is provided using a PPPoE connection. In this model, when a remote user attempts to establish a connection with a corporate network, a PPPoE session is initiated and is terminated on the service provider's virtual home gateway (VHG) or PE router. All remote hosts connected to a particular CE router must be part of the VPN to which the CE router is connected.
The PPPoE to MPLS VPN architecture is a flexible architecture with the following characteristics:
The following events occur as the VHG or PE router processes the incoming PPPoE session:
Typically, the customer RADIUS server is located within the customer VPN. To ensure that transactions between the VHG/PE router and the customer RADIUS server occur over routes within the customer VPN, the VHG/PE router is assigned at least one IP address that is valid within the VPN.
The MPLS core network is configured by enabling label switching of IP packets on interfaces, configuring virtual routing and forwarding (VRF) instances, associating VRFs, and configuring Multiprotocol BGP PE-to-PE routing sessions. For details relating to these activities, see the appropriate section of the Cisco IOS XE Multiprotocol Label Switching Configuration Guide.
To create and configure a virtual template interface that can be configured and applied dynamically in creating virtual access interfaces, perform the steps in the following task.
To configure a broadband aggregation (BBA) group for PPPoE and to link it to the appropriate virtual template interface, perform the steps in the following task.
A Virtual Private Network (VPN) service can be added to your MPLS configuration by configuring VPNs and associating the VPNs with a virtual template interface. For details relating to these activities, see the Configuring MPLS Layer 3 VPNs module.
The following example shows how to configure the RA to MPLS VPN feature with one VRF for PPPoE sessions:
```
!
!Enables the AAA access control model.
aaa new-model
!
!Configures AAA authentication and authorization.
aaa authentication login default none
aaa authentication enable default none
aaa authentication ppp default group radius
aaa authorization config-commands
aaa authorization network default local
aaa session-id common
enable password cisco
!
username pppoe password 0 pppoe
username common password 0 common
!
!Creates the common VRF.
ip vrf common
 rd 100:1000
 route-target export 100:1000
 route-target import 100:1000
!
!Specifies the BBA group to be used to establish PPPoE sessions and specifies the maximum
!number of PPPoE sessions to be established over a VLAN.
bba-group pppoe
 virtual-template 1
 sessions per-mac limit 32000
!
no virtual-template snmp
!
!Configures the small buffer.
buffers small permanent 15000
!
!Defines the general loopback interface used for reachability to the router and as a
!source IP address for sessions (IBGP, TDP, and so on).
interface Loopback0
 ip address 10.16.3.1 255.255.255.255
 ip ospf network point-to-point
!
!Creates a loopback interface in the vpn1 VRF. You do this for each customer VRF you IP
!unnumber interfaces to.
interface Loopback1
 ip vrf forwarding vpn1
 ip address 10.24.1.1 255.255.255.255
!
interface Loopback2
 ip vrf forwarding vpn2
 ip address 10.8.1.2 255.255.255.255
!
interface GigabitEthernet0/0/0
 load-interval 30
 negotiation auto
 no cdp enable
interface GigabitEthernet0/0/0.9
 encapsulation dot1q 9
 pppoe enable
 no cdp enable
!
!Enables label switching of IP packets on the interface.
interface GigabitEthernet1/0/0
 ip address 10.1.10.1 255.255.0.0
 no ip redirects
 load-interval 30
 negotiation auto
 tag-switching ip
!
!Defines the virtual template and associates the common VRF with it.
interface Virtual-Template1
 ip vrf forwarding common
 ip unnumbered Loopback1
 peer default ip address pool common
 ppp authentication chap
!
!Configures OSPF to advertise the networks.
router ospf 100
 log-adjacency-changes
 auto-cost reference-bandwidth 1000
 network 10.16.3.1 0.0.0.0 area 0
 network 10.1.0.0 0.0.255.255 area 0
!
router rip
 version 2
 !
 !Enters address family configuration mode to configure the VRF for PE to CE routing
 !sessions.
 address-family ipv4 vrf common
  version 2
  network 10.0.0.0
  no auto-summary
 exit-address-family
!
!Configures BGP to advertise the networks for the VPN.
router bgp 100
 no synchronization
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 172.16.1.4 remote-as 100
 neighbor 172.16.1.4 activate
 !
 !Enters address family configuration mode to configure the common VRF for PE to CE routing
 !sessions.
 address-family ipv4 vrf common
  no auto-summary
  no synchronization
  aggregate-address 10.10.0.0 255.255.0.0 summary-only
 exit-address-family
 !
 address-family vpnv4
  neighbor 172.16.1.4 activate
  neighbor 172.16.1.4 send-community both
 exit-address-family
!
!Specifies the IP local pool to use for the VRF address assignment.
ip local pool common 10.10.1.1 10.10.126.0
ip classless
!Enters routing information in the routing table for the VRF.
ip route 10.0.0.0 255.0.0.0 FastEthernet0/0/0 10.9.0.1
ip route vrf common 10.22.0.0 255.255.0.0 Null0
ip route vrf common 10.30.0.0 255.255.0.0 2.1.1.1 3
ip route vrf common 10.32.0.0 255.255.0.0 2.2.151.1 2
ip route vrf common 10.33.0.0 255.255.0.0 2.3.101.1 2
no ip http server
ip pim bidir-enable
!
no cdp run
!
!Specifies the RADIUS host and configures RADIUS accounting. radius-server retransmit is
!on by default and cannot be removed.
radius-server host 10.19.100.150 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key test
radius-server authorization permit missing Service-Type
radius-server vsa send authentication
call admission limit 90
!
```
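The sample configuration above disables login authentication, stores passwords in cleartext (`enable password`, `password 0`), uses a four-character RADIUS key, and places loopbacks in VRFs (`vpn1`, `vpn2`) that it never defines. The following audit script is an added example, not Cisco's code, that flags these conditions before such a template is reused on a VHG/PE router. The rule names and the 16-character key minimum are assumptions made for this example.

```python
import re

# Constructed excerpt of the page's sample configuration, one command per line.
SAMPLE = """\
aaa authentication login default none
enable password cisco
username pppoe password 0 pppoe
ip vrf common
interface Loopback1
 ip vrf forwarding vpn1
interface Virtual-Template1
 ip vrf forwarding common
 ip unnumbered Loopback1
radius-server key test
"""

# Rule names are invented labels; the 16-character key minimum is an assumed policy.
WEAK = [
    ("auth-none", r"aaa authentication (login|enable) default none$"),
    ("enable-password", r"enable password "),
    ("cleartext-user", r"username \S+ password 0 "),
    ("short-radius-key", r"radius-server key (0 )?\S{1,15}$"),
]

def audit(config):
    """Return sorted (rule, detail) findings for an IOS-style configuration."""
    findings, defined, vrf_of, borrows, iface = set(), set(), {}, {}, None
    for line in map(str.strip, config.splitlines()):
        # Comment ("!") and blank lines match no rule, so they fall through.
        findings.update((rule, line) for rule, rx in WEAK if re.match(rx, line))
        if m := re.match(r"interface (.+)$", line):
            iface = m.group(1).replace(" ", "")
        elif m := re.match(r"ip vrf (\S+)$", line):  # global VRF definition
            defined.add(m.group(1))
        elif iface and (m := re.match(r"ip vrf forwarding (\S+)$", line)):
            vrf_of[iface] = m.group(1)
        elif iface and (m := re.match(r"ip unnumbered (\S+)$", line)):
            borrows[iface] = m.group(1)
    for name, vrf in vrf_of.items():
        if vrf not in defined:  # interface placed in a VRF that is never created
            findings.add(("undefined-vrf", f"{name} -> {vrf}"))
    for name, src in borrows.items():
        if vrf_of.get(name) != vrf_of.get(src):  # address borrowed across VRFs
            findings.add(("unnumbered-vrf-mismatch", f"{name} borrows {src}"))
    return sorted(findings)

if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(f"{rule:24} {detail}")
```

The hashed forms `enable secret` and `username <name> secret` are the replacements for the cleartext commands that the first rules flag.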
Related Topic | Document Title |
---|---|
Cisco IOS commands | |
Description of commands associated with MPLS and MPLS applications | Cisco IOS Multiprotocol Label Switching Command Reference |
Basic MPLS VPNs | Configuring MPLS Layer 3 VPNs |

Standard | Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | -- |

MIB | MIBs Link |
---|---|
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |

RFC | Title |
---|---|
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | -- |

Description | Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 | Feature Information for Remote Access MPLS-VPNs |

Feature Name | Releases | Feature Information |
---|---|---|
Remote Access MPLS-VPNs | Cisco IOS XE Release 2.1 | The Remote Access MPLS-VPNs feature allows the service provider to offer a scalable end-to-end VPN service to remote users. This feature integrates the MPLS-enabled backbone with broadband access capabilities. In Cisco IOS XE Release 2.1, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. |
CE --customer edge.
PPPoE --Point-to-Point Protocol over Ethernet.
PE --provider edge.