The first, most obvious and the one I would configure if I was asked
this in a CCIE Lab is: 'no mpls ip propagate-ttl'. This will stop the
provider network from being visible from the CE.

Normally when you issue a traceroute you will see all of the provider
network. This is because normally the TTL value from the IP packet is
copied into the MPLS header and keeps getting decreased along the path.
If you disable this feature, the TTL is not copied to the MPLS header,
but an entirely new value is put in place. Therefore the IP packet's TTL
only decreases again on the other CE side, where it's a normal IPv4
packet again.

Traceroute then doesn't work anymore, as it works with packets whose TTL
is just the number of hops to the next node. If the next hop is in fact
the next CE, the provider network is 'hidden'.

There are a lot more features to secure your MPLS VPN network of
course, and I would also recommend the previously given books for that,
but from a CCIE Lab perspective this is what I would answer :-)
--
Regards,

Rick Mur
CCIE2 #21946 (R&S / Service Provider)
Sr. Support Engineer
IPexpert, Inc.
URL: http://www.IPexpert.com

On 27 sep 2009, at 08:37, mike arnold wrote:

> Dears,
>
> What IOS security features have to be enabled on a PE router to protect
> against attacks from Customer Edge (CE) devices, so that PE routers stay
> stable 365 days a year? Any reference link or book which will help.
>
> Thanks,

Received on Sun Sep 27 2009 - 09:32:35 ART
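As an added illustration of the TTL handling Rick describes (this is not code from the thread), the Python model below pushes a traceroute probe across a constructed CE1-PE1-P1-P2-PE2-CE2 path with TTL propagation on and off and reports which routers the customer side gets to see. The router names, the label TTL of 255 written when propagation is off, an egress PE that pops the label itself (no penultimate-hop popping) and routers that always answer with ICMP time-exceeded are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology: customer edge -> provider edge -> core -> provider edge -> customer edge.
PATH = ["CE1", "PE1", "P1", "P2", "PE2", "CE2"]
ROLE = {"PE1": "ingress", "P1": "lsr", "P2": "lsr", "PE2": "egress"}
FRESH_LABEL_TTL = 255  # assumed value written into the label when propagation is off


@dataclass
class Packet:
    ip_ttl: int
    label_ttl: Optional[int] = None  # None means no MPLS header is present


def forward(pkt: Packet, router: str, propagate_ttl: bool) -> bool:
    """Apply one router's TTL handling; return True if the probe expires here."""
    role = ROLE[router]
    if role == "ingress":
        pkt.ip_ttl -= 1                      # ordinary IP hop on the ingress PE
        if pkt.ip_ttl == 0:
            return True
        # Push the label: copy the IP TTL in, or start from a fresh value.
        pkt.label_ttl = pkt.ip_ttl if propagate_ttl else FRESH_LABEL_TTL
        return False
    if role == "lsr":
        pkt.label_ttl -= 1                   # label switching touches only the label TTL
        return pkt.label_ttl == 0
    # Egress PE: pop the label and continue as plain IP.
    pkt.label_ttl -= 1
    if propagate_ttl:
        pkt.ip_ttl = pkt.label_ttl           # hand the core's decrements back to the IP header
    else:
        pkt.ip_ttl -= 1                      # core decrements are discarded; count this hop only
    pkt.label_ttl = None
    return pkt.ip_ttl == 0


def traceroute(propagate_ttl: bool) -> List[str]:
    """Return the routers CE1 sees when tracing to CE2 under the given TTL mode."""
    seen: List[str] = []
    ttl = 1
    while not seen or seen[-1] != PATH[-1]:
        pkt = Packet(ip_ttl=ttl)
        for router in PATH[1:]:
            if router == PATH[-1] or forward(pkt, router, propagate_ttl):
                seen.append(router)          # ICMP time-exceeded, or the destination answered
                break
        ttl += 1
    return seen
```

With propagation on the core routers P1 and P2 show up as hops; with `no mpls ip propagate-ttl` the trace jumps straight from PE1 to PE2, which is the "hidden" provider network the post refers to.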
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:04 ART