Document: Cisco Remote Access to MPLS VPN Integration 2.0 Overview and Provisioning Guide


Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 526-4100

Text Part Number: OL-2512-02

Copyright © 2002, Cisco Systems, Inc. All rights reserved.
Cable Access to MPLS VPN Integration

Cable DOCSIS 1.0 SID to MPLS VPN Integration

[Figure 5-7: Scope Selection Tags Attached]

Step  Create two client classes and attach “Includes” scope selection tags. The client class VPN-Modem requires that any scope provided for devices with MAC addresses listed within it have a selection tag of “tag-VPN-Modem” attached to it (Figure 5-8). A client class can have multiple “Includes” tags attached.

[Figure 5-8: VPN Cable Access Router MAC Addresses]

Step  Place the MAC address for the VPN cable access routers in the client-class VPN-Modem. The MAC addresses for the VPN cable access routers are matched by “default” on the CNR GUI Client tab, shown in Figure 5-9.

[Figure 5-9: Matching MAC Addresses]

Configuring VPN/ISP DHCP Server

Perform the following steps to configure the VPN/ISP DHCP server.

Step  Configure a scope for each cable subinterface within the VPN. See Figure 5-5.

Note: The GIADDR of the DHCP request is set to the secondary IP address of the respective cable subinterface.

Configuring the Customer Cable Access Router

Perform the following steps to configure a new customer’s cable access router.

Step  Apply the default cable access router configuration.

Note: A TFTP server providing DOCSIS 1.0 cable access router configuration files, and a time-of-day server, must be configured in the network.

Appendix A: AAA RADIUS Access to MPLS VPN Integration

This appendix details the AAA and RADIUS requirements of remote access to MPLS VPN integration for authorization, authentication, accounting, and address management. Direct and proxy authentication are discussed.

AAA RADIUS Requirements

The Dial L2TP solution (see Provisioning Dial-In Access, page 3-1) is used in this RADIUS AAA example, but the requirements apply to all RA to MPLS VPN solution environments.

AAA RADIUS Event Sequence

The following steps are indicative of a AAA and RADIUS centric call flow.

Step  Remote user dials in. A PPP session is created between the remote user and the NAS.

Step  The NAS uses the SP RADIUS server to determine the address of the VHG/PE the session should be tunneled toward. The SP RADIUS server determines the appropriate VHG based on the remote user's domain name or the DNIS.

Step  The NAS creates an L2TP tunnel to the VHG. The NAS and the VHG authenticate each other.

Step  The remote user's PPP session is tunneled to the VHG.

Step  The VHG uses the SP RADIUS server to authenticate the incoming PPP session.

Step  The SP RADIUS server:
• authorizes remote users (associates the user with the correct VPN, and the corresponding VRF on the VHG/PE)
• proxies the request to the user's VPN RADIUS server for authentication
• could assign an address to the remote user

Step  Call setup is complete, and packets can flow in both directions.

Step  The VHG sends accounting records to the SP RADIUS servers. The SP RADIUS server saves a copy of the accounting records, and also proxies the record to the relevant VPN RADIUS server.

Note: If the AR RADIUS server is used for address assignment, accounting is necessary.

Authorization at the NAS

For a scalable solution with multiple VHG/PEs in a POP, the NAS cannot be configured with VPDN information to each PE. It has to retrieve the information from the SP RADIUS server. When a remote user calls in, the NAS sends an Access-Request to the SP RADIUS server that includes the following attributes:

• The NAS IP address and/or the NAS Identifier.
• The user name. This attribute contains the remote user's domain name (e.g., cisco.com) or the DNIS.
• The user password. In this case, it is a standard password, e.g., cisco.

The SP RADIUS server must be configured with the following record. Assume the remote user's domain name is used to look up the appropriate VHG to tunnel to:

    cisco.com Password="cisco" Service-Type=Outbound-User
        Framed-Protocol = PPP,
        Tunnel-Type = :1:L2TP,
        Tunnel-Medium-Type = :1:IP,
        Tunnel-Server-Endpoint = :1:172.21.9.13,     <-- Address of the VHG
        Tunnel-Password = :1:"welcome",
        Tunnel-Assignment-ID = :1:"nas"

All communication between the NAS and the SP RADIUS server should be carried over the management VPN if the NAS and the SP RADIUS server do not reside in the same POP.

Based on the NAS's IP address and/or Identifier, the SP RADIUS server recognizes the POP in which this NAS is located. The SP returns the address of a VHG/PE router which is located in that POP and has a VRF pre-enabled for the cisco.com VPN.

There are multiple VHG/PEs in the POP that have the cisco.com VRF enabled. The SP RADIUS server load balances among them. Random load balancing is acceptable; however, if the SP RADIUS server monitors the utilization of the various VHG/PEs via accounting records, it can load balance more intelligently.

The NAS also load balances among multiple VHGs and fails over if one VHG is not available. In this case, the RADIUS server returns a list of VHG addresses to the NAS, and the NAS load balances among these VHGs.

The Tunnel-Assignment-ID and Tunnel-Password are the local name and the local password used by the NAS for L2TP tunnel setup. If these attributes are left out, the NAS uses its hostname and default password. The attributes that must be returned are the tunnel type (l2tp) and the IP address of the VHG/PE.

Tunnel Authentication

When establishing an L2TP tunnel, the LAC (NAS) and the LNS (VHG) first authenticate each other. This is optional and can be disabled. For L2TP tunnel authentication, the LAC and LNS must use the same password. Currently tunnel authentication is possible via local authentication, not via RADIUS.

Authorization, Authentication, and Address Assignment at the VHG using SP RADIUS Server

The VHG sends an Access-Request to the SP RADIUS server. The request includes the following information:

• The VHG IP address and/or identifier (filled into the NAS IP address or NAS-Identifier attributes).
• The user name, which must be in the form remote-user@domain-name if the DNIS is not supplied. If the DNIS is provided, no domain name is provided.
• The remote user's "real" password, not a standard password like "cisco".
• The DNIS (optional).

The SP RADIUS server strips off the user name, and looks up a record for the domain name to associate it with the appropriate VRF on the VHG/PE. The domain name's record could be, for example:

    cisco.com Password = "cisco" User-Service-Type = Framed-User,
        Framed-Protocol = PPP,
        cisco-avpair = "lcp:interface-config=ip vrf forwarding vpn1\nip unnumbered loop1\npeer default ip address pool vpn1-pool"

These cisco-avpairs include VPN-specific information and configs, but nothing user-specific. The last command in the "lcp:interface-config" specifies the local pool. It may change when the “overlapping address pools” feature is implemented. Alternatively, the SP RADIUS server may not include this command, and include an IP address itself in the Framed-IP-Address attribute.

Based on the domain name or DNIS, the SP RADIUS server associates the user with a VPN and proxies the Access-Request to that VPN's RADIUS server. The VPN RADIUS server authenticates the remote user, and returns an Access-Accept or Access-Reject message to the SP RADIUS server. The Access-Accept message includes user-specific information and configs. The SP RADIUS server merges this user-specific information with the VPN-specific information in the Access-Accept message it returns to the VHG/PE.

Note: An alternative to this proxy authentication mechanism is for the SP RADIUS server to do both the authorization and the remote user authentication itself. The customer must provide the SP with complete, up-to-date records for all users with remote access privileges.

The SP needs to keep distinct records for the same domain name: one to respond to the NAS's request in Step and the other one to respond to the VHG's request in Step. The AR can do this.

In large networks, there can be a local RADIUS server in each POP and other RADIUS servers in the core of the network. The local RADIUS server is configured with tunneling information specific to that POP, addresses of VHGs, etc. The NASs query the local RADIUS server to obtain tunneling information. The RADIUS server(s) in the core respond to queries from the VHGs for authorization, authentication, address management, and accounting.

If the SP RADIUS server is responsible for address assignment, it maintains a separate address pool per (VHG,VPN) pair to prevent address fragmentation. The other requirement is for the RADIUS server to maintain overlapping address pools. The AR can fulfill both requirements. The AR can reclaim unused addresses by monitoring the accounting messages sent for each remote user.

Access Registrar Scripts

• Ability to differentiate between a request from a NAS and a request from a VHG/PE.
• Load balancing among multiple VHGs (low priority; can be done by the NAS itself).
• When receiving an Access-Request from a VHG, the SP AR will perform the following:
    • Authorize based on domain name or DNIS
    • Then proxy request to VPN RADIUS server for actual authentication
    • If proxy authentication succeeds, the relevant virtual interface configuration
    • Assign an IP address to the remote user. The AR maintains a separate address pool for each (VHG,VPN) pair
    • Reply to the VHG with an Access-Accept
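The SP RADIUS server logic described in Appendix A (telling a NAS request from a VHG/PE request, proxying authentication to the VPN RADIUS server, merging VPN-specific with user-specific reply items, and leasing addresses from one pool per (VHG,VPN) pair that accounting reclaims) is sketched below as an added example; it is not Cisco Access Registrar code and not part of the original guide. The client addresses, POP name, users, passwords and pool range are constructed, `vpn_radius_authenticate` is a hypothetical stand-in for the proxied VPN RADIUS server, and letting the SP's VPN-specific items win a merge conflict is this example's own assumption.

```python
import hmac
import ipaddress

# All addresses, names and passwords below are constructed for illustration.
NAS_CLIENTS = {"10.0.0.1": "pop-east"}      # NAS address -> POP
VHG_CLIENTS = {"172.21.9.13": "pop-east"}   # VHG/PE address -> POP
VHGS = {("pop-east", "cisco.com"): ["172.21.9.13"]}  # VHG/PEs with the VRF enabled
TUNNEL_LOOKUP_PASSWORD = "cisco"            # the "standard" password the NAS sends

# VPN-specific reply items kept by the SP (nothing user-specific).
VPN_PROFILES = {"cisco.com": {
    "Framed-Protocol": "PPP",
    "cisco-avpair": "lcp:interface-config=ip vrf forwarding vpn1\\nip unnumbered loop1",
}}

# Hypothetical user store of the customer's VPN RADIUS server.
VPN_USERS = {"cisco.com": {
    "alice": {"password": "s3cret", "reply": {"Idle-Timeout": 600}},
    "bob": {"password": "hunter2",
            "reply": {"cisco-avpair": "lcp:interface-config=ip vrf forwarding vpn2"}},
}}


def reject(reason):
    return {"code": "Access-Reject", "reason": reason}


def vpn_radius_authenticate(domain, user, password):
    """Stand-in for the proxied request: user-specific items, or None on reject."""
    rec = VPN_USERS.get(domain, {}).get(user)
    if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
        return None
    return dict(rec["reply"])


class AddressPools:
    """One lease table per (VHG, VPN) pair; VPN ranges are allowed to overlap."""

    def __init__(self, ranges):
        self.hosts = {vpn: [str(h) for h in ipaddress.ip_network(cidr).hosts()]
                      for vpn, cidr in ranges.items()}
        self.leases = {}  # (vhg, vpn) -> {session id: address}

    def allocate(self, vhg, vpn, session_id):
        leases = self.leases.setdefault((vhg, vpn), {})
        in_use = set(leases.values())
        for addr in self.hosts.get(vpn, []):
            if addr not in in_use:
                leases[session_id] = addr
                return addr
        return None  # pool exhausted

    def release(self, vhg, vpn, session_id):
        """Return the freed address, or None if the session held no lease."""
        return self.leases.get((vhg, vpn), {}).pop(session_id, None)


def authorize_tunnel(req, pop):
    """NAS request: User-Name carries the domain name (or DNIS)."""
    vhgs = VHGS.get((pop, req["User-Name"]))
    if not vhgs or req.get("User-Password") != TUNNEL_LOOKUP_PASSWORD:
        return reject("no tunnel for this domain")
    return {"code": "Access-Accept", "Tunnel-Type": "L2TP", "Tunnel-Medium-Type": "IP",
            "Tunnel-Server-Endpoint": list(vhgs)}  # the NAS load balances over the list


def authorize_session(req, vhg, pools):
    """VHG request: User-Name is remote-user@domain-name with the real password."""
    user, sep, domain = req["User-Name"].rpartition("@")
    profile = VPN_PROFILES.get(domain)
    if not sep or not user or profile is None:
        return reject("no VPN for this domain")
    user_items = vpn_radius_authenticate(domain, user, req["User-Password"])
    if user_items is None:
        return reject("rejected by VPN RADIUS server")
    addr = pools.allocate(vhg, domain, req["Acct-Session-Id"])
    if addr is None:
        return reject("address pool exhausted")
    # Assumption of this example: on a conflict the SP's VPN-specific items
    # override the customer's reply, so the VRF binding stays SP-controlled.
    return {**user_items, **profile, "Framed-IP-Address": addr, "code": "Access-Accept"}


def handle_access_request(req, pools):
    """Tell a NAS request from a VHG/PE request by the client address."""
    src = req["NAS-IP-Address"]
    if src in NAS_CLIENTS:
        return authorize_tunnel(req, NAS_CLIENTS[src])
    if src in VHG_CLIENTS:
        return authorize_session(req, src, pools)
    return reject("unknown RADIUS client")


def handle_accounting_stop(req, pools):
    """Reclaim the address when the VHG reports the end of a session."""
    domain = req["User-Name"].rpartition("@")[2]
    return pools.release(req["NAS-IP-Address"], domain, req["Acct-Session-Id"])
```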

Date posted: 18/01/2014, 05:20
