3-6
Cisco 10000 Series Router Software Configuration Guide
OL-2226-23
Chapter 3 Configuring Remote Access to MPLS VPN
Access Technologies
Note
For releases earlier than Cisco IOS Release 12.2(16)BX1, to map sessions to VRFs by using the
RADIUS server, use the syntax lcp:interface-config. This configuration forces the
Cisco 10000 series router to use full access virtual interfaces, which decreases scaling. We recommend
that you do not use this configuration. Upgrading to Cisco IOS Release 12.2(16)BX1 or later releases
will eliminate this restriction.
The following events occur as the VHG or PE router processes the incoming PPPoE session:
1. A PPPoE session is initiated over the broadband access network.
2. The VHG/PE router accepts and terminates the PPPoE session.
3. The VHG/PE router obtains virtual access interface (VAI) configuration information.
   a. The VHG/PE obtains virtual template interface configuration information, which typically
      includes VRF mapping for sessions.
   b. The VHG/PE sends a separate request to either the customer’s or service provider’s
      RADIUS server for the VPN to authenticate the remote user.
   c. The VPN’s VRF instance was previously instantiated on the VHG or PE. The VPN’s VRF
      contains a routing table and other information associated with a specific VPN.
Use virtual template interfaces to map sessions to VRFs. The Cisco 10000 series router can then
scale to 32,000 sessions. In Cisco IOS Release 12.2(16)BX1 and later releases, when you map
sessions to VRFs by using the RADIUS server, use the syntax ip:vrf-id or ip:ip-unnumbered.
These vendor specific attributes (VSAs) enhance the scalability of per-user configurations because
a new full virtual access interface is not required. For more information, see the
“Enhancing Scalability of Per-User Configurations” section on page 2-17.
Note
For releases earlier than Cisco IOS Release 12.2(16)BX1, to map sessions to VRFs by using the
RADIUS server, use the syntax lcp:interface-config. This configuration forces the
Cisco 10000 series router to use full access virtual interfaces, which decreases scaling. We
recommend that you do not use this configuration. Upgrading to Cisco IOS Release
12.2(16)BX1 or later releases will eliminate this restriction.
Typically, the customer RADIUS server is located within the customer VPN. To ensure that
transactions between the VHG/PE router and the customer RADIUS server occur over routes within
the customer VPN, the VHG/PE router is assigned at least one IP address that is valid within the
VPN.
4. The VHG/PE router forwards accounting records to the service provider’s proxy RADIUS server,
   which in turn logs the accounting records and forwards them to the appropriate customer
   RADIUS server.
5. The VHG/PE obtains an IP address for the CPE. The address is allocated from one of the following:
   • Local address pool
   • Service provider’s RADIUS server, which either specifies the address pool or directly provides
     the address
   • Service provider’s DHCP server
6. The CPE is now connected to the customer VPN. Packets can flow to and from the remote user.
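
The following is an added example, not part of the Cisco guide: a Python check for the VRF mapping described in step 3, which scans RADIUS user profiles for the legacy lcp:interface-config attribute and proposes the ip:vrf-id or ip:ip-unnumbered equivalent. The FreeRADIUS-style profile format, the user and VRF names, the attribute value layouts, and the function name audit_profiles are assumptions; this page gives only the attribute names.

```python
import re

# Constructed sample in FreeRADIUS "users" file style (assumed format, not from the guide).
SAMPLE_USERS = '''\
alice@vpn1  Cleartext-Password := "example"
    Cisco-AVPair = "ip:vrf-id=vpn1",
    Cisco-AVPair += "ip:ip-unnumbered=Loopback1"

bob@vpn2  Cleartext-Password := "example"
    Cisco-AVPair = "lcp:interface-config=ip vrf forwarding vpn2",
    Cisco-AVPair += "lcp:interface-config=ip unnumbered Loopback2"

carol@vpn3  Cleartext-Password := "example"
    Cisco-AVPair = "lcp:interface-config=ip mtu 1492"
'''

AVPAIR = re.compile(r'Cisco-AVPair\s*\+?=\s*"([^"=]+)=([^"]*)"', re.IGNORECASE)
# Legacy interface-config commands that have a scalable per-user VSA equivalent.
REWRITES = [
    (re.compile(r'ip vrf forwarding\s+(\S+)$', re.IGNORECASE), 'ip:vrf-id={}'),
    (re.compile(r'ip unnumbered\s+(.+)$', re.IGNORECASE), 'ip:ip-unnumbered={}'),
]

def audit_profiles(text):
    """Return {user: [(legacy_avpair, suggested_avpair_or_None), ...]}."""
    findings, user = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue                      # skip blank lines and comments
        if not line[0].isspace():
            user = line.split()[0]        # unindented line opens a new user entry
            continue
        m = AVPAIR.search(line)
        if not m or user is None or m.group(1).lower() != 'lcp:interface-config':
            continue                      # only the legacy attribute is reported
        command = m.group(2).strip()
        suggestion = None                 # None: needs manual review, no mapping here
        for pattern, template in REWRITES:
            hit = pattern.match(command)
            if hit:
                suggestion = template.format(hit.group(1).strip())
                break
        findings.setdefault(user, []).append((f'lcp:interface-config={command}', suggestion))
    return findings

if __name__ == '__main__':
    for user, items in audit_profiles(SAMPLE_USERS).items():
        for legacy, suggestion in items:
            print(f'{user}: {legacy!r} -> {suggestion or "review manually"}')
```

Profiles reported with no suggestion still use lcp:interface-config and need manual review before the legacy attribute can be retired.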