Inter-AS L2VPN security concern

SaeedBakh_2
Level 1

Hi all,

I want to know what the security concern is when we have an Inter-AS L2VPN between two service providers, as in the attached configuration (just one service provider's side of the configuration for the ASBR and PE; the other service provider's is the same, pointing to our service provider), how we can mitigate the risk, and what the most secure option is. We need to know the advantages and disadvantages.

3 Replies

Vaibhava Varma
Level 4

Hi Ahmad

Looking at your configuration, it seems the setup is as below:

CE1_ISP1---------xconnect---PE_ISP1-----ISP1MPLSBB----ASBR_ISP1-----IP_Link---ASBR_ISP2-----ISP2MPLSBB----PE_ISP2------xconnect---CE2_ISP1

Is that correct?

In my personal opinion, from a security point of view, only the required loopbacks are already being allowed, which is good to do. And I believe the SNMP traps and remote access to your ASBR would be protected and limited access.

Apart from these, there might be some other standard security features which others can suggest to be taken care of, but the above two should surely be taken care of, I think.

Hope this helps you.

Regards

Varma

The setup is correct. Do you think sharing the loopback IP address with the other provider is not a risk? Also, the ASBR IP address we peer with is from the global routing in the ASBR, not from a VRF.

Hi Ahmad

I understand that everything is in Global, but the above scenario can only be served in this way. We need the remote ISP PE Loopback in the Global RT. Again, for security concerns we need to make sure Telnet/SSH and SNMP are protected using an ACL.

Regards

Varma
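
One way to check the ACL protection recommended above for Telnet/SSH and SNMP on the ASBR, as an added example that is not part of the thread. The configuration is constructed (the poster's attachment is not on the page), and the function name, ACL number and community strings are hypothetical.

```python
import re

# Constructed sample ASBR management-plane config (not the poster's attachment).
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server community EXAMPLE-RO RO 10
snmp-server community EXAMPLE-OPEN RO
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input ssh
"""

# Handles the "community <string> [RO|RW] [acl]" form only (no view/ipv6 keywords).
SNMP_RE = re.compile(
    r"snmp-server community (\S+)(?:\s+(?:RO|RW))?(?:\s+(\S+))?\s*$", re.I)


def audit_mgmt_plane(config):
    """Report VTY line ranges and SNMP communities that have no ACL attached."""
    findings = []
    vty_blocks = {}   # "line vty X Y" header -> list of its sub-commands
    current = None    # header of the vty block currently being read
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            vty_blocks[current] = []
        elif line.startswith(" ") and current:
            vty_blocks[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the vty block
            m = SNMP_RE.match(line)
            if m and m.group(2) is None:
                findings.append(f"snmp community {m.group(1)}: no ACL")
    for header, cmds in vty_blocks.items():
        # Telnet/SSH sessions are only filtered if an inbound access-class is set.
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            findings.append(f"{header}: no inbound access-class")
    return findings


if __name__ == "__main__":
    for finding in audit_mgmt_plane(SAMPLE_CONFIG):
        print(finding)
```
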