The MPLS-OPS Archive

RE: off net access to 2547 PE

  • From: Karl Garcia <Karl.Garcia@cosinecom.com>
  • Date: Tue, 26 Feb 2002 14:25:08 -0800
  • Resent-Date: Tue, 26 Feb 2002 18:18:05 -0500
  • To: "'Mike Duckett'" <mduckett@bellsouth.net>, mpls-ops@mplsrc.com

Mike,

As your questions to the group clearly demonstrate, I think it is naive to think that
any one solution (i.e. MPLS, IPSec, etc.) is going to work in every situation.  The reality
today is that service offerings must accommodate a whole range of user connection types
and protocols.  The other reality is that a multi-box solution, while technically feasible,
will not scale and has much higher (overlooked) op-ex costs.

Virtual routers which have the off-net access features you describe below exist today.
You can find details about them here:

        http://www.cosinecom.com/library/downloads/mpls_vpn_wp.pdf


BGP/MPLS VPNs can be an important part of a network design.  But, they do not
operate in a vacuum, so the tactical implementation (and its interaction with
other parts of the network) is absolutely key in their widespread use and acceptance.

_______
Karl



-----Original Message-----
From: Mike Duckett [mailto:mduckett@bellsouth.net]
Sent: Sunday, February 24, 2002 5:05 AM
To: mpls-ops@mplsrc.com
Subject: off net access to 2547 PE


Cisco, Juniper, ... and operators...

I noticed a recent thread on what you called "various media/protocols
accessing a MPLS VPN".  Basically, you have a problem where customer sites
or mobile workers are not directly connected (via circuit or ATM/FR/...) and
require access to the VPN.  One approach is to mix and match overlay VPNs
(e.g., IPSec) with 2547 VPNs.  Certainly there are religious and
non-religious views on how to address a non-directly connected CE.  I'm
particularly interested in the view of Cisco and Juniper as well as service
providers as to how they can support a large scale 2547 service in
conjunction with off-net users.  I'm interested in two "virtual" interface
options including:

(1) PPP/L2TP (could be used for cable, dsl, ..) access into a VPN.  In this
case, the network between the PE and the customer is a "broadband"
aggregator functioning below the IP layer as far as the customer is
concerned.

(2) IPSec into a VPN.  In this case, I have customers with off-net sites
that need access to the VPN, both mobile workers and dedicated sites, and
are not directly connected to my network.

Can this be done?  If so, can you point me to a detailed architecture?

How do you manage AAA (authentication and authorization attributes) for
users?  Can this be supported in Radius or LDAP?

What models do you support for key management as well as things like issuing
session attributes (e.g., traffic filters, DiffServ)?  Can this be
integrated into Radius as well?

How do you see building a large off net PE connection scheme (e.g., using
IPsec and PPP/L2TP)?  You have problems like scaling VRFs, scaling
encryption, load sharing, distributed PEs, etc...

-------
The MPLS-OPS Mailing List
Subscribe/Unsubscribe:  http://www.mplsrc.com/mplsops.shtml
Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
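The two off-net paths Mike asks about, PPP/L2TP and IPsec into a 2547 VPN, share one security-relevant decision: which VRF an off-net session is bound to, and what session attributes it gets, must come from the AAA backend after authentication, keyed by the authenticated identity, never from the realm the user typed or from the inner addresses the tunnel carries, and a session with no VRF attribute must be refused rather than dropped into the global routing table. The model below is an added example written for this archive page; it is not code from the thread, from Cisco, Juniper or CoSine, and it shows no real product's attribute set. Everything in it is a hypothetical stand-in: the PROFILES table plays the role of RADIUS/LDAP reply attributes, the attribute names (vrf, acl, dscp) are illustrative rather than real vendor VSAs, the IKE check is a simplified pre-shared-key HMAC rather than a real IKE exchange, and all users, secrets and nonces are constructed sample data.

```python
"""AAA-driven VRF binding for off-net access to a 2547 PE (illustrative model).

Added example, not code from the mailing-list thread or from any vendor.
PROFILES stands in for RADIUS/LDAP reply attributes; attribute names and all
users, secrets and nonces are hypothetical, constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed AAA backend keyed by the authenticated identity (full NAI).
# The VRF comes from here, never from the realm string the user supplies.
PROFILES = {
    "alice@acme.example": {"secret": "alice-pw", "vrf": "ACME", "acl": "acme-in", "dscp": 26},
    "bob@globex.example": {"secret": "bob-pw", "vrf": "GLOBEX", "acl": "globex-in", "dscp": 0},
    # No vrf attribute: must be refused, not routed in the global table.
    "carol@acme.example": {"secret": "carol-pw"},
}


@dataclass(frozen=True)
class SessionBinding:
    identity: str
    access: str   # "l2tp" (PPP over L2TP) or "ipsec"
    vrf: str
    acl: str      # per-session traffic filter name
    dscp: int     # DiffServ code point applied to the session's traffic


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def verify_chap(identity: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """PPP CHAP check, as the LNS/PE would have RADIUS perform it."""
    profile = PROFILES.get(identity)
    if profile is None:
        return False
    return hmac.compare_digest(chap_response(ident, profile["secret"], challenge), response)


def ike_auth_tag(psk: str, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Simplified stand-in for IKE pre-shared-key authentication (hypothetical):
    HMAC-SHA256 over both nonces. Real IKE authenticates far more of the exchange."""
    return hmac.new(psk.encode(), nonce_i + nonce_r, hashlib.sha256).digest()


def verify_ike(identity: str, nonce_i: bytes, nonce_r: bytes, tag: bytes) -> bool:
    profile = PROFILES.get(identity)
    if profile is None:
        return False
    return hmac.compare_digest(ike_auth_tag(profile["secret"], nonce_i, nonce_r), tag)


def bind_session(identity: str, access: str, authenticated: bool) -> Optional[SessionBinding]:
    """Map an authenticated identity to its VRF and session attributes.

    Returns None whenever the session must be refused: failed authentication,
    unknown identity, or a profile carrying no VRF. Failing closed is what keeps
    an off-net user out of the global table and out of other customers' VRFs.
    """
    if not authenticated:
        return None
    profile = PROFILES.get(identity)
    if profile is None or "vrf" not in profile:
        return None
    return SessionBinding(identity, access, profile["vrf"],
                          profile.get("acl", "deny-all"), profile.get("dscp", 0))


def l2tp_ppp_login(identity: str, ident: int, challenge: bytes, response: bytes) -> Optional[SessionBinding]:
    """Off-net path (1): PPP/L2TP session authenticated with CHAP."""
    return bind_session(identity, "l2tp", verify_chap(identity, ident, challenge, response))


def ipsec_login(identity: str, nonce_i: bytes, nonce_r: bytes, tag: bytes) -> Optional[SessionBinding]:
    """Off-net path (2): IPsec tunnel whose peer identity was authenticated in IKE."""
    return bind_session(identity, "ipsec", verify_ike(identity, nonce_i, nonce_r, tag))


if __name__ == "__main__":
    ch = secrets.token_bytes(16)
    print("alice via L2TP ->", l2tp_ppp_login("alice@acme.example", 7, ch, chap_response(7, "alice-pw", ch)))
    # Claiming another customer's realm gains nothing: unknown identity, no VRF.
    print("alice@globex ->", l2tp_ppp_login("alice@globex.example", 7, ch, chap_response(7, "alice-pw", ch)))
    # Valid credentials but no VRF attribute: refused, not routed globally.
    print("carol ->", l2tp_ppp_login("carol@acme.example", 7, ch, chap_response(7, "carol-pw", ch)))
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    print("bob via IPsec ->", ipsec_login("bob@globex.example", ni, nr, ike_auth_tag("bob-pw", ni, nr)))
```

Both access types funnel through the same bind_session decision, which is the point: scaling the off-net PE design is about keeping that one authoritative mapping (identity to VRF plus ACL and DSCP) in RADIUS or LDAP, so that adding a broadband aggregator or an IPsec concentrator in front of the PE changes how the identity is authenticated but not where the VRF binding is decided.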