Connectivity for MPLS VPN Implementations – Best Practice

An access circuit connects the customer’s CE router to the MPLS provider’s PE router.

An MPLS provider can offer a fully managed solution, in which it installs and manages a CE router on the business premises at additional cost, or an unmanaged solution, in which the business provides and manages its own CE device. The unmanaged service is the preferred choice. A managed service can be considered if the added value it brings outweighs the additional financial cost.

The access circuit can be any suitable WAN transport option, including Gigabit Ethernet, Fast Ethernet, T3 or E3. When selecting the access circuit type, consider whether it must carry multiple VPNs: an Ethernet service is preferred, but a WAN service supporting frame relay is acceptable. In either case, a sub-interface with its own VLAN (Ethernet) or DLCI (frame relay) is defined for each VPN carried on the same access circuit.

For most MPLS VPN implementations, a business will connect a minimum of two separate WAN hub locations to diverse MPLS provider clouds. Remote locations (i.e. any site that is not a WAN hub) can connect to a single provider cloud, provided another WAN connection offers an alternate path, or to both provider clouds.

Crypto Map :
! Sequence 4 of external_map: match the crypto ACL, require PFS, set the peer and the transform set
crypto map external_map 4 match address external_4_cryptomap
crypto map external_map 4 set pfs
crypto map external_map 4 set peer 203.53.132.225
crypto map external_map 4 set transform-set ESP-AES-256-SHA

Crypto ACL :
! Interesting traffic: the NAT'd local address (tt-NRMA-NAT) to the remote 10.2.232.0/24 subnet
access-list external_4_cryptomap extended permit ip object-group tt-NRMA-NAT 10.2.232.0 255.255.255.0
!
! Return direction (the object-group keyword belongs in front of the group name, after the source network)
access-list external_4_cryptomap extended permit ip 10.2.232.0 255.255.255.0 object-group tt-NRMA-NAT

Crypto IPSec :
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Object Group :
! The single translated address that the crypto ACL uses as its local side
object-group network tt-NRMA-NAT
description TT NRMA PROD NAT Address
network-object host 192.168.210.1

ACL :
! Policy-NAT ACL: internal subnets bound for 10.2.232.0/24 are the traffic to be translated
access-list internal_nat_outbound_8 remark NRMA Prod
access-list internal_nat_outbound_8 extended permit ip object-group tt-internal-subnets 10.2.232.0 255.255.255.0

Dynamic Policy NAT :
! NAT id 6 ties the policy ACL to the single global address 192.168.210.1, the host in tt-NRMA-NAT,
! so translated traffic matches the crypto ACL and is encrypted
nat (internal) 6 access-list internal_nat_outbound_8
global (external) 6 192.168.210.1 netmask 255.255.255.255

Troubleshooting :
debug crypto isakmp
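As an added example (not part of the original notes), a small Python checker that parses the crypto map, crypto ACL, object-group and policy-NAT lines above and confirms they agree before anyone reaches for debug output: the global NAT address must fall inside the crypto ACL's source object-group, and the NAT ACL must translate traffic to the same destination the crypto ACL encrypts. The ASA lines are embedded as a constructed sample; the function and dictionary key names are my own.

```python
import ipaddress
# Constructed sample: the page's crypto map, crypto ACL, object-group and policy-NAT lines.
ASA_CONFIG = """\
crypto map external_map 4 match address external_4_cryptomap
access-list external_4_cryptomap extended permit ip object-group tt-NRMA-NAT 10.2.232.0 255.255.255.0
object-group network tt-NRMA-NAT
 network-object host 192.168.210.1
access-list internal_nat_outbound_8 extended permit ip object-group tt-internal-subnets 10.2.232.0 255.255.255.0
nat (internal) 6 access-list internal_nat_outbound_8
global (external) 6 192.168.210.1 netmask 255.255.255.255
"""

def endpoint(tok, i):  # one ACE endpoint: 'object-group NAME' | 'host A' | 'NET MASK'
    if tok[i] == "object-group":
        return ("group", tok[i + 1]), i + 2
    addr = tok[i + 1] if tok[i] == "host" else f"{tok[i]}/{tok[i + 1]}"
    return ("net", ipaddress.ip_network(addr, strict=False)), i + 2

def parse_asa(config):  # collect the objects the NAT-then-encrypt design depends on
    f, group = {"map": {}, "acls": {}, "groups": {}, "nat_acl": None, "global_ip": None}, None
    for t in (ln.split() for ln in config.splitlines() if ln.strip()):
        if t[:2] == ["crypto", "map"] and len(t) > 5:     # 'match address X' / 'set KEY X'
            f["map"][t[5]] = t[-1]
        elif t[0] == "access-list" and "extended" in t:   # ACE -> (src, dst) endpoints
            src, j = endpoint(t, t.index("permit") + 2)
            f["acls"].setdefault(t[1], []).append((src, endpoint(t, j)[0]))
        elif t[:2] == ["object-group", "network"]:
            group = f["groups"].setdefault(t[2], set())
        elif t[0] == "network-object" and group is not None:
            group.add(endpoint(t, 1)[0][1])
        elif t[0] == "nat":                                # nat (if) ID access-list NAME
            f["nat_acl"] = t[-1]
        elif t[0] == "global":                             # global (if) ID ADDRESS ...
            f["global_ip"] = ipaddress.ip_network(t[3])
    return f

def check(config):  # findings; an empty list means crypto ACL, object-group and NAT agree
    f, out = parse_asa(config), []
    acl = f["map"].get("address")
    if acl not in f["acls"]:
        return [f"crypto ACL {acl} is not defined"]
    nat_dsts = {d for _, (_, d) in f["acls"].get(f["nat_acl"], [])}
    for (skind, src), (_, dst) in f["acls"][acl]:
        local = f["groups"].get(src, set()) if skind == "group" else {src}
        if not any(f["global_ip"] and f["global_ip"].subnet_of(n) for n in local):
            out.append(f"NAT global address is not covered by crypto ACL source {src}")
        if dst not in nat_dsts:   # traffic the crypto ACL matches must also be the traffic NAT translates
            out.append(f"policy-NAT ACL does not translate traffic to {dst}")
    return out
```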