Other than 'no mpls ip propagate-ttl', I would think of:
- VRF unicast/multicast prefix limits (so that a CE would not flood
the PE with too many routes)
- proper MTU configuration (to avoid fragmentation/reassembly at the PE)
In general:
- have a separate address block for network infrastructure
- use control plane policing
- secure routing protocols (MD5 signature, GTSM - Generalised TTL
Security Mechanism)
- advertise the loopbacks only (not the P2P links)
HTH,
Mihai
On Sun, Sep 27, 2009 at 9:37 AM, mike arnold <haynessmith70_at_gmail.com> wrote:
> Dears,
>
> What IOS security features have to be enabled on a PE router to protect against attacks
> from Customer Edge (CE) devices, so that PE routers should be stable 365
> days a year? Any reference link or book which will help?
>
> Thanks,
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Sep 28 2009 - 16:17:55 ART
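
One way to check an existing PE for several of the items listed in the reply (TTL propagation, VRF route limits, MD5/GTSM/prefix limits on CE-facing BGP peers, control plane policing), as an added example that is not part of the original thread. It assumes classic `ip vrf` syntax and eBGP as the PE-CE protocol; the function name `audit_pe_config`, the VRF names, addresses and policy name are hypothetical, and the config is constructed.

```python
import re

# Constructed sample (classic "ip vrf" syntax, eBGP as the PE-CE protocol).
SAMPLE = """\
no mpls ip propagate-ttl
ip vrf CUST-A
 maximum routes 1000 80
ip vrf CUST-B
 rd 65000:2
router bgp 65000
 address-family ipv4 vrf CUST-A
  neighbor 192.0.2.1 remote-as 65001
  neighbor 192.0.2.1 password <redacted>
  neighbor 192.0.2.1 ttl-security hops 1
  neighbor 192.0.2.1 maximum-prefix 1000 80
 address-family ipv4 vrf CUST-B
  neighbor 192.0.2.5 remote-as 65002
control-plane
 service-policy input COPP-IN
"""
REQUIRED = ("password", "ttl-security", "maximum-prefix")  # MD5, GTSM, prefix limit

def audit_pe_config(text):
    """Return findings for hardening items missing from a PE config."""
    vrf_limit, neighbors = {}, {}   # VRF -> limit seen; (VRF, peer) -> keywords
    section, af_vrf, ttl_hidden, copp = "", None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):            # unindented line opens a section
            section, af_vrf = line, None
            ttl_hidden |= line == "no mpls ip propagate-ttl"
            if m := re.match(r"ip vrf (\S+)$", line):
                vrf_limit[m.group(1)] = False
        elif section.startswith("ip vrf ") and line.startswith("maximum routes "):
            vrf_limit[section.split()[2]] = True
        elif section.startswith("router bgp "):
            if line.startswith("address-family ") or line == "exit-address-family":
                m = re.match(r"address-family ipv4 vrf (\S+)$", line)
                af_vrf = m.group(1) if m else None
            elif af_vrf and (m := re.match(r"neighbor (\S+) (\S+)", line)):
                neighbors.setdefault((af_vrf, m.group(1)), set()).add(m.group(2))
        elif section == "control-plane" and line.startswith("service-policy input "):
            copp = True
    findings = [] if ttl_hidden else ["global: 'no mpls ip propagate-ttl' missing"]
    findings += [f"vrf {v}: no 'maximum routes' limit"
                 for v, ok in vrf_limit.items() if not ok]
    findings += [f"vrf {v} neighbor {ip}: no '{k}'"
                 for (v, ip), kws in neighbors.items() for k in REQUIRED if k not in kws]
    if not copp:
        findings.append("control-plane: no input service-policy (CoPP)")
    return findings
```

On the sample, CUST-A passes and CUST-B is flagged for the missing route limit and for a CE peer with no MD5, GTSM or prefix limit.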