Hi, I have a customer running an MPLS CE whose main connection is a 4Mbps MPLS link delivered over FastEthernet. They have a single PRI which will dial back to the core of the MPLS backbone (AS5400 Universal Gateway). I have a few questions to clear at this stage.
i. The CE is configured with static routes. Can I configure ISDN DDR when they use static routing as the primary routing method? I plan to configure some floating routes, so that if the fiber connection goes down and the original static route's next hop is unreachable, the interesting traffic will trigger the floating route and hence initiate the ISDN PRI dial-up. Is the concept here right?
ii. Since the ISDN PRI dial-up is dialing into an AS5400, there's a problem: the MPLS backbone is built on the Juniper platform. In order to re-establish all the existing remote sites' connections, the AS5400 needs to have either L2TP or a VPDN to the Juniper PE. Is that right? If so, how shall I implement the AS5400 so that it can work in conjunction with the Juniper PE? I tried to look at the Juniper PE (either an M10i or ERX700); it only supports L2TP dial-out, and I can't see any dial-in options available. Does that mean the ERX700/M10i does not support L2TP dial-out from the AS5400?
I'm very new to this kind of ISP backbone thing, but would like to know if you guys have faced situations like this. What's the best practice?
Thanks, and I'd appreciate it if someone here could help.
OK, let me try to answer some...
Ai) Yes, your concept is right. Do not forget about the return traffic though. Your VPN routing should point to the AS5400 in the backup case.
Aii) Hm, maybe. In fact you will need either
a) VRFs or VRF-aware dial-in and a label switched path between the AS5400 and a/the PEs, or
b) another transport encapsulation to separate customer traffic on the data plane. One option could be L2TP, and you have to check with a Juniper guru to understand your options there.
According to the feature navigator the AS5400 supports MPLS, MPLS VPNs and also features like "Dialer Map VRF-Aware for an MPLS VPN"
and also "Large-Scale Dial-Out (LSDO) VRF Aware".
These options might allow you to avoid L2TP between the Juniper and the AS5400. The AS5400 itself becomes a PE router used for backup purposes only.
Hope this helps! Please rate all posts.
Hi Martin, thanks for the links you've provided, much appreciated. It took some time to read through them; here are my thoughts:
i. As the MPLS backbone is built on Juniper, they won't simply allow me to add a Cisco device and run it just like another Juniper PE in their backbone.
ii. Can I just feed the AS5400 with enough PRI interfaces as the backup method for the remote sites, so that whenever the AS5400 receives a call from a remote site, it automatically initiates an L2TP request to the Juniper end?
iii. If the idea in ii) can be worked out, let's say 2 remote sites place a call: will the AS5400 initiate two separate requests, or is the L2TP tunnel just the main one? Can I separate the traffic between Remote Site A and Remote Site B while they dial into the AS5400? Can QoS be applied in this scenario?
As the remote router is running on static routes, I configured static route tracking towards the remote end. Whenever the next-hop address fails, it triggers the floating route, which dials into the AS5400. Obviously the AS5400 needs to have the static route configured back to the remote end. It means that during an L2TP request from AS5400 -> Juniper, the Juniper PE also needs to have a floating route to the remote site through the AS5400, is that right?
As the sites grow, I guess manageability will be tough, as the AS5400 needs to hold dialers for the ISDN backup, and needs to hold a dialer to dial L2TP into the Juniper as well. Am I getting this the right way?
Seeing the constraints you have, you will need to proceed as below.
1) Position LAC and LNS/PE services separately. The LAC would be your 5400 and the LNS/PE would be your Juniper.
2) You will need to do partial authentication of the incoming session on PPP and then direct it on L2TP towards the right or closest LNS/PE device. When passing the L2TP session to the LNS/PE, the LAC will also forward the authentication details received during the first negotiation with the remote client. No type of VPN routing is required for this on the LAC.
3) The LNS/PE would need to have Radius integration done, and will pass the authentication parameters received via the LAC to the Radius server and then would terminate the incoming L2TP into the appropriate VRF.
4) Since your Juniper supports only dial-out, I believe you can configure the LAC to request a dial-out from the LNS/PE.
5) Also, it's possible to preserve the received packet TOS when encapsulating it into the L2TP tunnel. (I have attached a link below; check the feature HW/SW support.)
6) Since you are not providing a remote-access service, but a backup for existing VPN customers, you need to take care of the routing part as well, between the CE customer nets and the LNS/PE. The LAC, or your AS5400, won't come into the picture for this.
It's actually very difficult to explain more implementation specifics than this, since it involves different components, but again, if you proceed like below, with a clear high-level idea as described above, you should be able to cap it.
For the above implementation you need to have expert hands with Radius, Juniper & Cisco AS5xxx series. If you explain the scenario as above to the team, each team may be able to carry out the required tasks, as mentioned, making your
Having said that, I believe your scope is limited to only the AS5400 configuration?
Some links related to configuring L2TP with LAC and LNS and other relevant links:
L2TP with LAC and LNS
Preseving TOS Over L2TP
L2TP Design Guide
Hi, I've met up with one of the Juniper guys and he assured me it can be done, but I just wish to clarify the Cisco part. When I configure it as the LAC, it won't actually authenticate the user but will let the LNS authenticate it instead, so the dialer is terminated at the LNS site. It means that from my remote sites I'll need to do the following:
i. static route through the primary connection
ii. configure the dialer as a backup interface
iii. or configure a floating route where the next hop would be the dialer IP at the Juniper end.
Am I getting it right? And about the L2TP tunneling: as far as I understand, when 2 remote sites call the ISDN backup, although there is only one L2TP tunnel, 2 different profiles will be created, one for each remote site. Could we drill down and apply some QoS over the profile?
I'll conduct the test with the Juniper guy very soon, and will definitely update the result once I get it done. Thanks for all the great help.
Oh yeah, one last thing: if the remote site's primary resumes service after a downtime, the remote router will basically drop the ISDN backup call. How about the L2TP session? Will it drop according to the drop of the ISDN call?
Have a good day.
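The remote-site CE design discussed in this thread (tracked primary static route, floating static route via the dialer, dialer with a negotiated address, username carrying the domain the LAC keys on) looks roughly like the following. This is a constructed example added here, not configuration from the thread or from Cisco; the addresses, interface names (a BRI stands in for the site's PRI), track/dialer numbers, dial string, domain and password are placeholders chosen for illustration.

```cisco
! Remote-site CE with tracked primary static route and ISDN floating backup
! (constructed example; all values are placeholders)
!
! Probe the MPLS PE next hop; the primary default route is tied to this object
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default via the PE (AD 1); withdrawn when track 1 goes down
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
! Floating default via the dialer (AD 250); installed only when the primary is gone,
! so traffic only becomes "interesting" for DDR once the fiber path has failed
ip route 0.0.0.0 0.0.0.0 Dialer1 250
!
interface FastEthernet0/0
 description 4Mbps MPLS access
 ip address 192.0.2.2 255.255.255.252
!
interface BRI0/0
 description placeholder for the site's ISDN access (PRI in the real design)
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
!
interface Dialer1
 description ISDN backup: call lands on the AS5400 LAC, PPP terminates on the Juniper LNS
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 dialer string 5551234
 dialer idle-timeout 120
 ppp authentication chap callin
 ! username@domain: the domain part is what the LAC uses to pick the LNS
 ppp chap hostname site-a@customer.example
 ppp chap password 0 REPLACE_ME
!
! Interesting traffic: any IP packet may bring the call up once the floating route is active
dialer-list 1 protocol ip permit
```

With `ip address negotiated`, IPCP installs a host route to the LNS end of the link, so the floating default pointing at `Dialer1` is enough; no next-hop address has to be known in advance. When the primary returns, track 1 comes back up, the AD 1 route is reinstalled, traffic stops matching the dialer, and the call clears after `dialer idle-timeout`.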
1) The LAC, as mentioned, will partially authenticate the user, get the domain name, and as per the domain name forward it to the right and closest LNS. It doesn't do anything beyond that.
2) And yes, when your ISDN call drops, the L2TP session created for the incoming ISDN interface also drops off.
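The LAC role described in points 1) and 2) of the design above, and in this reply, corresponds to a domain-based L2TP `request-dialin` VPDN group on the AS5400. The following is a constructed example added here, not configuration from the thread or from Cisco; the LNS address, tunnel names, domain, controller/interface numbers and tunnel password are placeholders. The LNS (Juniper) side and its Radius integration are outside this fragment.

```cisco
! AS5400 as L2TP LAC for ISDN backup calls (constructed example; all values are placeholders)
!
aaa new-model
! PPP authentication is started here only so that the username arrives;
! the domain is inspected before any credential check, and the actual
! verification happens on the LNS/PE via Radius.
aaa authentication ppp default local
!
vpdn enable
! Select the VPDN group by the domain part of the PPP username
vpdn search-order domain
!
vpdn-group CUSTOMER-BACKUP
 request-dialin
  protocol l2tp
  domain customer.example
 ! Juniper LNS/PE that terminates the PPP session into the customer VRF
 initiate-to ip 203.0.113.10
 local name AS5400-LAC
 l2tp tunnel password 0 REPLACE_ME
!
! E1 PRI towards the ISDN network
isdn switch-type primary-net5
controller E1 1/0
 pri-group timeslots 1-31
!
! D-channel; calls are pooled into the rotary group below
interface Serial1/0:15
 no ip address
 encapsulation ppp
 dialer rotary-group 1
!
! No IP configuration is needed on the LAC side: every PPP session whose
! username ends in @customer.example is forwarded over L2TP
interface Dialer1
 no ip address
 encapsulation ppp
 dialer in-band
 dialer-group 1
 ppp authentication chap
!
dialer-list 1 protocol ip permit
```

One L2TP tunnel is built to the LNS address and each incoming ISDN call becomes its own L2TP session inside that tunnel, which is why two remote sites dialing in appear as two sessions on the LNS while the tunnel count stays at one; when the ISDN call clears, only that session is torn down.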
Hi all, thanks for the guides given. I've conducted the test along with some Juniper guys, and guess what, finally we've got the L2TP tunnel up. But we still face some problems, since the remote site is using "ip address negotiated" on the dialer interface, or on the serial interface when we use it to test the ISDN call.
When the L2TP is up, the dialer or the serial interface successfully gets an IP address from the pool configured at the LNS side, which is the Juniper. Please see my attached file, "BEFORE" section. Although the L2TP tunnel is up and the IP address is negotiated successfully, the remote-end Cisco router just can't ping properly. I did some debug ip packet and saw the encap failed message.
After we went for lunch, and simply by trial and error, we got the ping to the LNS IP working well; kindly look at the "AFTER" section. But a ping to the remote site router's own negotiated IP still gets the encap failed. What I mean is: I'm logged in at the remote site router; imagine the negotiated IP is 10.100.7.48. I can ping 10.100.7.1, which is at the LNS end, as it is considered directly connected, but when I ping my own IP (10.100.7.48), the encap failed message appears. Any idea?
Maybe what you are referring to is that you cannot ping your local IP? It's been such a long time since I have worked on ISDN!
If that's the case then you can try to use a dialer map for the local IP pointing to the remote LNS router.
This is because ISDN is a non-broadcast medium, and it needs to resolve the link-layer to network-layer mapping; even though the IP address is local, it doesn't understand where to send the packets.
This is similar to what you do in Frame Relay to enable yourself to ping the local end.
Although this function is not required, if desired you may try as above and post back.
Hi, sorry, I haven't tested it yet as I'm stuck with some other projects. I'll try it out at the beginning of next week and will definitely post the result here.