Re: MPLS security from Rick Mur on 2009-10-01 (Ccielab archives 10/2009)

From: Rick Mur <rmur_at_ipexpert.com>
Date: Thu, 1 Oct 2009 22:18:52 +0200

Google for some example configurations. It's very hard to say do this
or do that as we don't have any requirements or things you want with
your network. I can imagine that the topics named in the last reply
are very valuable, but all not specifically for MPLS security :-)
Those are routing protocol security features.

Else I wouldn't really bother as security features could always be
implemented afterwards if you really want to.

--
Regards,
Rick Mur
CCIE2 #21946 (R&S / Service Provider)
Sr. Support Engineer  IPexpert, Inc.
URL: http://www.IPexpert.com
On 1 okt 2009, at 17:25, mike arnold wrote:
> Hi,
>
> As if now i have a very less time to get the customer on my PE it  
> will take
> me a long time to read the above mentioned books,for time being can  
> any body
> help with any additional command's other than above one so till my
> completion of books i will be relaxed.
>
> Thanks,
>
> On Mon, Sep 28, 2009 at 5:17 PM, <sheherezada_at_gmail.com> wrote:
>
>> Other than 'no mpls ip propagate-ttl', I would think of:
>>
>> - VRF unicast/ multicast prefix limits (so that a CE would not flood
>> the PE with too many routes)
>> - proper MTU configuration (to avoid fragmentation/ reassembly at  
>> the PE)
>>
>> In general:
>>
>> - have a separate address block for network infrastructure
>> - use control plane policing
>> - secure routing protocols (MD5 signature, GTSM- Genralised TTL
>> Security Mechanism)
>> - advertise the loopbacks only (not the P2P links)
>>
>> HTH,
>>
>> Mihai
>>
>> On Sun, Sep 27, 2009 at 9:37 AM, mike arnold  
>> <haynessmith70_at_gmail.com>
>> wrote:
>>> Dears,
>>>
>>> What IOS security features has to be enabled on PE router to protect
>> attacks
>>> from Customer edge  (CE) devices.So that PE routers should be  
>>> stable 365
>>> days a year. Any reference link or Book which will help.
>>>
>>> Thanks,
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net

Received on Thu Oct 01 2009 - 22:18:52 ART

This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:50:59 ART