Cisco 10000 Series Router Software Configuration Guide
OL-2226-23
Chapter 3 Configuring Remote Access to MPLS VPN
Access Technologies
4. The VHG/PE router forwards accounting records to the service provider’s proxy RADIUS server, which in turn logs the accounting records and forwards them to the appropriate customer RADIUS server.
5. The VHG/PE obtains an IP address for the CPE. The address is allocated from one of the following:
   • Local address pool
   • Service provider’s RADIUS server, which either specifies the address pool or directly provides the address
   • Service provider’s DHCP server
6. The CPE is now connected to the customer VPN. Packets can flow to and from the remote user.
Use virtual template interfaces to map sessions to VRFs. The Cisco 10000 series router can then scale to 32,000 sessions. In Cisco IOS Release 12.2(16)BX1 and later releases, when you map sessions to VRFs by using the RADIUS server, use the syntax ip:vrf-id or ip:ip-unnumbered. These vendor-specific attributes (VSAs) enhance the scalability of per-user configurations because a new full virtual access interface is not required. For more information, see the “Enhancing Scalability of Per-User Configurations” section on page 2-17.
Note: In releases earlier than Cisco IOS Release 12.2(16)BX1, to map sessions to VRFs by using the RADIUS server, use the syntax lcp:interface-config. This configuration forces the Cisco 10000 series router to use full virtual access interfaces, which decreases scaling. We recommend that you do not use this configuration. Upgrading to Cisco IOS Release 12.2(16)BX1 or later eliminates this restriction.
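The following is an added example, not part of the Cisco guide: a small audit that scans RADIUS user profiles for the legacy lcp:interface-config VRF mapping and proposes the ip:vrf-id and ip:ip-unnumbered replacements. The FreeRADIUS-style users-file layout, the Cisco-AVPair "name=value" form, and all user, VRF and interface names are assumptions constructed for illustration.

```python
import re

# Constructed sample of a FreeRADIUS-style users file (not taken from the guide).
SAMPLE_USERS = r'''
alice@vpn-a  Cleartext-Password := "example"
    Cisco-AVPair = "lcp:interface-config=ip vrf forwarding vpn-a \n ip unnumbered Loopback10"

bob@vpn-b  Cleartext-Password := "example"
    Cisco-AVPair = "ip:vrf-id=vpn-b",
    Cisco-AVPair += "ip:ip-unnumbered=Loopback20"

carol@vpn-a  Cleartext-Password := "example"
    Cisco-AVPair = "lcp:interface-config=ip vrf forwarding vpn-a"
'''

AVPAIR = re.compile(r'Cisco-AVPair\s*\+?=\s*"([^"]*)"', re.IGNORECASE)
VRF = re.compile(r'ip vrf forwarding\s+(\S+)', re.IGNORECASE)
UNNUM = re.compile(r'ip unnumbered\s+([^\n]+)', re.IGNORECASE)

def audit(users_text):
    """Return {user: {"legacy": bool, "suggest": [replacement AV pairs]}}."""
    report, user = {}, None
    for line in users_text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line[0].isspace():            # unindented line starts a new entry
            user = line.split()[0]
            report[user] = {"legacy": False, "suggest": []}
            continue
        m = AVPAIR.search(line)
        if not m or user is None:
            continue
        value = m.group(1)
        if value.lower().startswith("lcp:interface-config="):
            report[user]["legacy"] = True
            # The legacy VSA carries interface commands separated by a literal \n.
            cmds = value.split("=", 1)[1].replace("\\n", "\n")
            vrf, unnum = VRF.search(cmds), UNNUM.search(cmds)
            if vrf:
                report[user]["suggest"].append("ip:vrf-id=" + vrf.group(1))
            if unnum:
                report[user]["suggest"].append("ip:ip-unnumbered=" + unnum.group(1).strip())
    return report

def legacy_users(report):
    """Users whose profile still forces a full virtual access interface."""
    return sorted(u for u, e in report.items() if e["legacy"])
```
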
PPP over Ethernet to MPLS VPN
The Cisco 10000 series router supports a PPP over Ethernet (PPPoE) connection to an MPLS VPN
architecture. In this model, when a remote user attempts to establish a connection with a corporate
network, a PPPoE session is initiated and is terminated on the service provider’s virtual home gateway
(VHG) or provider edge (PE) router. All remote hosts connected to a particular CE router must be part
of the VPN to which the CE router is connected.
The PPPoE to MPLS VPN architecture is a flexible architecture with the following characteristics:
• A remote host can create multiple concurrent PPPoE sessions, each to a different VPN.
• If multiple remote hosts exist behind the same CE router, each remote host can log in to a different VPN.
• Any remote host can log in to any VPN at any time because each VHG or PE router has the VRFs for all possible VPNs pre-instantiated on it. This configuration requires that the VRF be applied through the RADIUS server, which can cause scalability issues (see the following note).
Use virtual template interfaces to map sessions to VRFs. The Cisco 10000 series router can then scale to 32,000 sessions. In Cisco IOS Release 12.2(16)BX1 and later releases, when you map sessions to VRFs by using the RADIUS server, use the syntax ip:vrf-id or ip:ip-unnumbered. These vendor-specific attributes (VSAs) enhance the scalability of per-user configurations because a new full virtual access interface is not required. For more information, see the “Enhancing Scalability of Per-User Configurations” section on page 2-17.