The Last Mile(s)
Remote Access to MPLS VPN Integration
MPLS Deployment Forum, May 15th, 2001
Eric Voit, evoit@cisco.com
© 2001, Cisco Systems, Inc

Agenda
• Market Background
• Solution Benefits
• Technology Introduction
• Remote Access to MPLS VPN Solution

Remote Access VPN Benefits
The VPN market growth is driven by customer value
• Increased bandwidth for remote access workers using VPNs over DSL or cable: 49%
• Increased geographical coverage: 40%
• Domestic dial-up cost savings: 38%
• Increased network uptime: 38%
• International dial-up cost savings: 36%
• Reduction of remote access equipment: 35%
• Ability to quickly add many remote users: 33%
• Reduction of operations and management costs: 22%
Percentage of Remote Access VPN Respondents. Source: Infonetics, April 2000

Integrated Access VPN with Intranet and Extranet VPNs
Extending MPLS VPN benefits to other business opportunities
[Diagram labels: Broadband Access (DSL, Cable); Direct VPN Access (Leased Lines, Frame Relay, ATM); Dial Access (PSTN, ISDN); NAS; LSR; MPLS VPN Enterprise A; MPLS VPN Enterprise B; Secure MPLS Intranet and Extranet VPNs; Content and Caches; DNS, AAA]

Remote Access Leadership
• WW Remote Access (Dial) Equipment Market Share: total Q3 '00 segment revenue = $1,028 M, Cisco's port share = 35%
• WW Broadband Aggregation Equipment Market Share: total Q3 '00 segment revenue = $168 M, Cisco's unit share = 60%
• WW Cable Equipment Market Share (Cable Headend Equipment): total Q3 '00 segment revenue = $168 M, Cisco's unit share = 40%
[Charts: market share by vendor per quarter, Q4 '99 to Q3 '00. Vendor labels on the dial and broadband charts: Cisco (6400 & 7200), Unisphere, 3Com, Nortel, Alcatel, Lucent/Ascend, Redback, Other. Vendor labels on the cable chart: Cisco, Terayon, Nortel, 3Com, Other.]
Source: Synergy Research Group – Q3CY00

Service Provider Benefits
• Enhance their MPLS VPN service offering to their customers
• Enjoy increased revenues, service differentiation, and greater customer loyalty
• Build a secure and comprehensive VPN portfolio that businesses want today
• Expand MPLS VPN service offering into new markets

Customer Benefits
• Remote users can now securely access their corporate intranet and extranet MPLS VPN via dial, DSL and cable
• Expand into new markets and business opportunities by leveraging last mile access to their existing MPLS VPN based applications and services
• Prioritized New World services can now be extended all the way to last mile remote users by leveraging QoS features of the MPLS VPN

Access Technologies
• Dial (POTS and ISDN)
• DSL
• Cable
[Diagram labels: Road Warrior, Residential, Small-Medium Enterprise]

PPPoX to MPLS VPN Call Flow
1) PPP Setup, UserId & Pwd
2) UserId@cisco.com & Pwd (DNIS Optional)
3) Proxy Authentication & Accounting
4) Session Accepted + VRF mapping + other virtual interface config (local addr pool name)
5) Virtual Interface configured, IP Address assigned, Route insertion in VRF
6) IP Address handed to User
7) User gets connected
[Diagram labels: Client A, Client B, Customer A, Customer B, CE, PE, VHG/PE, AAA, DHCP, VPN SC, DSL, SP Network MPLS/VPN. Protocol stacks: IP / PPP / ETH over ATM RFC1483 Bridged (CPE is a bridge); IP / ETH and PPP / AAL5 (CPE is a router); MPLS / IP at the VHG/PE]

PPPoX to MPLS VPN VHG/PE Scaling
• Sample Test Results:
– 6400 NRP1
– 10 routes/VRF

PPPoX to MPLS VPN Important Issues
• VHG/PE Platform: 6400
• PPPoA:
– CPE is a router
– One PPP session per PVC
– All users behind the CPE are mapped to the same VRF
– CPE authentication by the SP (in case of managed CPE), no user authentication
– CPE as a local DHCP server
• PPPoE:
– CPE is a bridge
– Multiple PPP sessions per PVC
– Each user behind CPE can be mapped to a different VRF
– User authentication by the customer

DSL Aggregation Architectures Overview
• L2TP Overlay
• PPPoX to MPLS VPN
• PPPoX to SSG to MPLS VPN
• L2TP to MPLS VPN
• RFC1483 to MPLS VPN

PPPoX to SSG to MPLS VPN
Service Architecture
• PPP terminated and Service Selection occurs
• Each Service is mapped to PVC
• PE maps PVC to VRF
• Overlapping IP Address Assignment (Local, Radius)
• Per Service AAA & Multiple Accounting
[Diagram labels: Customer A, CE, PE, SSD, PPPoX, DSL, SSG-NRP, PE NRP, AAA, AAA Central Site, DHCP, VPN SC, MPLS VPN Backbone. Protocol stacks: IP / PPP / AAL5 / ATM; ATM RFC1483 Routed; MPLS / IP]
Service Architecture Benefits
• Service Providers can offer Service Selection into MPLS VPN solutions
• Managed Security Access (AAA) can be offered on a per service basis (VPN)
• Service Provider can offer VPN services for users with non-registered IP addresses or can save expensive IP addressing space in backbone

L2TP to MPLS VPN (DSL)
Service Architecture
• Tunnel Information received from AAA
• Overlapping IP Address Assignment (Local, Radius, DHCP)
• Virtual Profiles
• VHGw Load Balancing & Failover
• Proxy Authentication & Accounting
[Diagram labels: Client B, Customer A, Customer B, CE, PE, NRP/LAC, PE/LNS, VHG/PE, AAA, DHCP, VPN SC, DSL, SP Network MPLS/VPN. Protocol stacks: IP / PPP; L2TP; MPLS / IP]
Service Architecture Benefits
• Provides a better aggregation for SP than the single-card PPPoX solution
• Removes the need for VPDN (no tunnels required in backbone) and achieves optimal routing
• Customer Home Gateway is no longer needed and SP can offer Managed Home Gateway Service (Virtual Home Gateway)
• Service Provider can offer VPN services for users with non-registered IP addresses or can save scarce IP addressing space in backbone

RFC1483 Routed to MPLS VPN
Service Architecture
• Dynamic Routing Supported
• Netflow Accounting
• IP over RFC1483
[Diagram labels: Customer A, Branch Office A, Customer B, Client B, CE, PE, PE-NRP, CPE Router, DHCP, VPN SC, DSL, SP Network MPLS/VPN. Protocol stacks: IP / ETH; ATM RFC1483 Routed; MPLS / IP]
Service Architecture Benefits
• Service Provider can now offer enhanced Managed CPE services
• Good solution to provide routing capabilities to Branch Offices

RA to MPLS VPN Integration
• Common Solution Independent of Access Technology
• Access Technology Specific Solutions
[Diagram labels: Dial Access; DSL Access; Cable Access, DOCSIS; VHG-PE; SP MPLS Core; PE; CE; Customer Net; SP AAA Server; SP DHCP Server; Customer AAA Server; Customer DHCP Server]

Cable to MPLS VPN Architectures Overview
• CPE (DOCSIS) to MPLS-VPN
• PPPoE to MPLS-VPN

Cable CPE (DOCSIS) to MPLS VPN
Service Architecture
• Netflow Accounting
• DHCP Option 82 to provide unique client ID for DHCP
• DHCP Relay VRF Aware to reach DHCP address server in appropriate VRF
[Diagram labels: Customer A, Client A, Customer B, Client B, CE, PE, CPE Router, DOCSIS, DHCP, CSRC DHCP, VPN SC, SP Network MPLS/VPN. Protocol stacks: IP / ETH; MPLS / IP]
Service Architecture Benefits
• Service Provider can now offer Open/Managed access services

PPPoE to MPLS VPN
Service Architecture
• Overlapping IP Address Assignment (Local, Radius, DHCP)
• Virtual Profile
• Proxy Authentication & Accounting
[Diagram labels: Customer A, Customer B, Client B, CE, PE, VHG/PE (uBR), CPE Bridged, DOCSIS, AAA, DHCP, VPN SC, SP Network MPLS/VPN. Protocol stacks: IP / PPP / ETH; MPLS / IP]
Service Architecture Benefits
• Service Provider can now offer Open/Managed access services
• Scalable solution since each session can be mapped to a different VPN
• Service Provider can offer VPN services for users with non-registered IP addresses or can save scarce IP addressing space in backbone

[Diagram fragment from a slide not otherwise present in this text: VPN Membership Based on Logical Port and Unique RD; Entpr A Site; Entpr B Site; MPLS Network; MPLS VPN Enterprise A]
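
The seven steps of the PPPoX to MPLS VPN Call Flow slide, modelled as an added Python example (not part of the presentation and not Cisco code). It shows the two properties the slides rely on: the VRF mapping is taken from the customer AAA accept after proxy authentication, and identical address pools can coexist because each route lands only in the session's own VRF. The realms, credentials, VRF names and the /30 pool are constructed sample data, and `VhgPe` is a hypothetical class.

```python
# Added illustration of call-flow steps 1-7; not Cisco code.
# Realms, credentials, VRF names and pools are constructed sample data.
import hmac
import ipaddress

# Customer AAA servers that the SP AAA proxies to, keyed by realm (step 3).
# Both customers use the same private pool: addresses overlap across VRFs.
CUSTOMER_AAA = {
    "customer-a.example": {"users": {"alice": "pw-a"},
                           "vrf": "VPN_A", "pool": "10.0.0.0/30"},
    "customer-b.example": {"users": {"bob": "pw-b"},
                           "vrf": "VPN_B", "pool": "10.0.0.0/30"},
}


class VhgPe:
    """Toy VHG/PE: one routing table and one address pool per VRF."""

    def __init__(self):
        self.vrf_routes = {}  # VRF name -> {host address: user id}
        self.pools = {}       # VRF name -> iterator over free addresses

    def _proxy_auth(self, user_id, password):
        """Steps 2-4: proxy user@realm to the realm's AAA, return its reply."""
        user, sep, realm = user_id.rpartition("@")
        aaa = CUSTOMER_AAA.get(realm) if sep else None
        stored = aaa["users"].get(user) if aaa else None
        if stored is None or not hmac.compare_digest(stored, password):
            return None  # unknown realm, unknown user or wrong password
        # The VRF mapping comes from the AAA accept, never from the client.
        return {"vrf": aaa["vrf"], "pool": aaa["pool"]}

    def connect(self, user_id, password):
        """Steps 1-7: return (vrf, address), or None if the session fails."""
        reply = self._proxy_auth(user_id, password)
        if reply is None:
            return None  # rejected: no interface, no route in any VRF
        vrf = reply["vrf"]
        if vrf not in self.pools:
            hosts = ipaddress.ip_network(reply["pool"]).hosts()
            self.pools[vrf] = iter(hosts)
        addr = next(self.pools[vrf], None)
        if addr is None:
            return None  # address pool exhausted
        # Step 5: host route inserted only into the session's own VRF.
        self.vrf_routes.setdefault(vrf, {})[str(addr)] = user_id
        return vrf, str(addr)  # steps 6-7: address handed to the user
```

A user who presents valid Customer A credentials under Customer B's realm is rejected by Customer B's AAA, so no virtual interface or route is created in either VRF.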