Securing from MPLS Cloud

ernie.ignacio
Level 1

We have started migrating our legacy WAN (leased lines) to the Layer 3 MPLS.

We do not run MPLS on our router; rather, we peer with the PE router of the service provider by running BGP.

As of now we are not advertising our IGPs (EIGRP in particular) into BGP; instead we create GRE tunnels and encrypt the tunnels.

My question is:

How do I secure my networking domain from the MPLS network?

Are there any configuration guidelines for securing the router in such cases?

Do we need a firewall on our routers? If yes, what to filter?

I need the forum's help; I am really clueless.

4 Replies

pcarvill
Level 1

The nature of the MPLS service should be that the PE interface facing you will only be attached to a VRF with your routes, so you will be protecting yourself from yourself. Depending on the provider, there could be routing from their global space to your VRF, maybe for CE management. If you are sceptical, or have a good reason (financial institution), you could ACL off the PE, permitting only GRE traffic from the other CE sites. It will essentially come down to your company's internal security policy.

Are the CEs provider managed? Are your GRE tunnels created on the CE or one hop further in?

Paul

You are going down the right path. A lot of people assume MPLS is a security technology, but all it takes is someone to screw up the RT and leak your routes, or vice versa, so how important your data is to you should dictate how much work you want to implement. As the previous person mentioned, if you are skeptical and want to protect your data from everyone, then IPsec is your path. Just be careful and make sure your ISP does not fragment your packets, as IPsec adds extra bytes.
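One way to implement the "ACL off the PE, permitting only GRE from the other CE sites" idea from pcarvill's reply, together with a tunnel MTU/MSS clamp for the fragmentation point raised in the reply above, on a Cisco IOS CE. This is an added example, not configuration from any poster in the thread; the addresses, interface names and MTU values are constructed assumptions.

```cisco
! Added example for a Cisco IOS CE router; all addresses, interface names
! and MTU values below are constructed assumptions, not from the thread.
!   PE-facing link: CE 198.51.100.2/30, PE 198.51.100.1
!   Remote CE tunnel endpoints: 203.0.113.10 and 203.0.113.20
!
ip access-list extended MPLS-EDGE-IN
 remark eBGP session with the directly attached PE only
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 remark IKE, NAT-T, ESP and bare GRE only from the other CE sites
 permit udp host 203.0.113.10 host 198.51.100.2 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.2 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.2
 permit gre host 203.0.113.10 host 198.51.100.2
 permit udp host 203.0.113.20 host 198.51.100.2 eq isakmp
 permit udp host 203.0.113.20 host 198.51.100.2 eq non500-isakmp
 permit esp host 203.0.113.20 host 198.51.100.2
 permit gre host 203.0.113.20 host 198.51.100.2
 remark let PMTUD work so encrypted GRE is not silently fragmented
 permit icmp any host 198.51.100.2 packet-too-big
 remark anything else arriving from the MPLS cloud is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description MPLS handoff to provider PE
 ip address 198.51.100.2 255.255.255.252
 ip access-group MPLS-EDGE-IN in
 no ip redirects
 no ip proxy-arp
!
interface Tunnel0
 description GRE over IPsec to remote CE 203.0.113.10
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.2
 tunnel destination 203.0.113.10
!
! Check the hit counters and the deny log before relying on the filter:
!   show ip access-lists MPLS-EDGE-IN
!   show logging | include MPLS-EDGE-IN
```

If the provider manages the CE or reaches it from their global space, the management addresses must be added as explicit permit lines, otherwise the final deny will cut them off.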

Thanks for the useful advice regarding the fragmentation... But really, what I am looking for is the industry's best practice when it comes to the CE-PE relationship, and till now I have not been able to find one. If you have some kind of reference, please do let me know.

Thanks for the reply. It's a good idea to permit only GRE tunnels. CEs are not managed.

What about the firewall feature on routers, or other features that need to be enabled?