The figure below shows the topology of integrated PPP over Ethernet (PPPoE) access to an Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN).
Figure 2. PPPoE Access to MPLS VPN Topology
In the figure above, the service provider operates an MPLS VPN that interconnects all customer sites. The service provider’s core network is an MPLS backbone with VPN service capability. The service provider provides all remote access operations to its customer. The network-side interfaces are tagged interfaces, logically separated into multiple VPNs.
Remote access is provided using a PPPoE connection. In this model, when a remote user attempts to establish a connection with a corporate network, a PPPoE session is initiated and is terminated on the service provider’s virtual home gateway (VHG) or provider edge (PE) device. All remote hosts connected to a particular customer edge (CE) device must be part of the VPN to which the CE device is connected.
The PPPoE to MPLS VPN architecture is a flexible architecture with the following characteristics:
- A remote host can create multiple concurrent PPPoE sessions, each to a different VPN.
- If multiple remote hosts exist behind the same CE device, each remote host can log in to a different VPN.
- Any remote host can log in to any VPN at any time because each VHG or PE device has the virtual routing and forwarding (VRF) instances for all possible VPNs preinstantiated on it. This configuration requires that the VRF be applied through the RADIUS server, which can cause scalability issues.
The following events occur as the VHG or PE device processes the incoming PPPoE session:
- A PPPoE session is initiated over the broadband access network.
- The VHG/PE device accepts and terminates the PPPoE session.
- The VHG/PE device obtains virtual access interface (VAI) configuration information:
- The VHG/PE obtains a virtual template interface configuration information, which typically includes VRF mapping for sessions.
- The VHG/PE sends a separate request to either the customer’s or service provider’s RADIUS server for the VPN to authenticate the remote user.
- The VPN’s VRF instance is instantiated on the VHG or PE. The VPN’s VRF contains a routing table and other information associated with a specific VPN.
Typically, the customer RADIUS server is located within the customer VPN. To ensure that transactions between the VHG/PE device and the customer RADIUS server occur over routes within the customer VPN, the VHG/PE device is assigned at least one IP address that is valid within the VPN.
- The VHG/PE device forwards accounting records to the service provider’s proxy RADIUS server, which in turn logs the accounting records and forwards them to the appropriate customer RADIUS server.
- The VHG/PE obtains an IP address for the CPE. The address is allocated from one of the following:
- Local address pool
- Service provider’s RADIUS server, which either specifies the address pool or directly provides the address
- Service provider’s DHCP server
- The CPE is now connected to the customer VPN. Packets can flow to and from the remote user.