
Security in MPLS

Dear Folks,

I have a question in mind, which started like this.

I have been configuring a lab, and the setup is as shown in the figure. Router 6 on R2 and router 7 on R3 have VRF B, with route-targets 1:600 for R6 and 1:700 for R7.

I have router 4 on R2 and router 5 on R3 with VRF A, and the route-targets are 1:100 and 1:300 respectively. I am able to get the routes in their respective routers. I have also imported the route-targets of VRF B into VRF A and vice versa. Now I am able to see all the routes properly. The PE-CE protocol is OSPFv2.

Now in my lab this is OK, but in a real network how does a customer have control over his routes if route leaking happens by mistake or intentionally? For example, my company's VRF A routes are imported into my competitor's company, VRF B, which I don't want.

Please explain.

[Figure: Untitled.jpg, lab topology]

Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
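To make concrete where the leak in the lab above originates, here is an added illustration in Cisco IOS of the PE-side VRF and route-target configuration on R2 as the question describes it. It is not configuration from the thread; the AS number, the RDs, the loopback and neighbor addresses, the PE-CE link addresses and the OSPF process numbers are assumptions.

```cisco
! Added illustration (not from the thread) of PE R2 in the lab:
! VRF A (CE R4) with route-targets 1:100/1:300, VRF B (CE R6) with 1:600/1:700,
! OSPFv2 as the PE-CE protocol. AS 65000, the RDs, Loopback0 3.3.3.3 on R3,
! the PE-CE link addresses and the OSPF process numbers are assumptions.
!
ip vrf A
 rd 65000:100
 route-target export 1:100
 route-target import 1:100
 route-target import 1:300        ! VRF A at R3 (CE R5): normal intra-VPN import
 route-target import 1:600        ! <-- these two lines are the "leak": VRF B's
 route-target import 1:700        !     prefixes are pulled into VRF A
!
ip vrf B
 rd 65000:600
 route-target export 1:600
 route-target import 1:600
 route-target import 1:700        ! VRF B at R3 (CE R7): normal intra-VPN import
 route-target import 1:100        ! <-- leak in the other direction: VRF A's
 route-target import 1:300        !     prefixes are pulled into VRF B
!
router bgp 65000
 neighbor 3.3.3.3 remote-as 65000
 neighbor 3.3.3.3 update-source Loopback0
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended   ! route-targets travel as extended communities
 exit-address-family
 address-family ipv4 vrf A
  ! CE R4's OSPF routes become VPNv4 routes tagged with export RT 1:100
  redistribute ospf 100 vrf A match internal external 1 external 2
 exit-address-family
 address-family ipv4 vrf B
  ! CE R6's OSPF routes become VPNv4 routes tagged with export RT 1:600
  redistribute ospf 200 vrf B match internal external 1 external 2
 exit-address-family
!
router ospf 100 vrf A
 redistribute bgp 65000 subnets    ! everything imported into VRF A, leaked or not,
 network 192.0.2.0 0.0.0.3 area 0  ! is advertised to CE R4 over the PE-CE link
!
router ospf 200 vrf B
 redistribute bgp 65000 subnets
 network 192.0.2.8 0.0.0.3 area 0
```

Every line that decides which VRF receives which prefixes lives on the provider's PE, so the customer's CE neither sees nor can change it. On the PE, `show ip route vrf A` lists the leaked VRF B prefixes next to the legitimate ones; on CE R4 they simply show up as extra routes in `show ip route ospf`, indistinguishable from routes of a legitimate remote site unless the customer compares them against its own address plan.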

6 Replies

Basically you'd have to trust your L3VPN provider. If you don't, encrypt your own traffic going through the L3VPN.

I am not an individual, dear; in fact I represent a company. I may trust as a person, but my company as a group might not.

There must be a way, and I understand encryption is one of the ways.

Even so, there must be another one which I might be missing and am searching for?

Do I have any way to identify that my traffic is going to the intended destination and not to one which I don't want?

Can I create a blackhole and push into it the traffic which is going to the unwanted network and coming from there as well?

Do route-maps serve me in stopping my routes going to unwanted destinations?

If yes/no is the answer to any or all questions, could anyone please guide me in doing so?

Regards
Thanveer

Heh, OK, excuse my formulation: the company you in fact represent has to trust its L3VPN provider.

He he, I do trust, my dear friend f_lonnman, I do.

I need a solution from the security side.

Regards
Thanveer

Accepted Solution

Hello Muhammad,

I am not an individual, dear; in fact I represent a company. I may trust as a person, but my company as a group might not.

In your company there has to be someone who is responsible for decisions like this; you should consult with him on whether the company "trusts" your ISP.

There must be a way, and I understand encryption is one of the ways.

Even so, there must be another one which I might be missing and am searching for?

Maybe there is, but I also cannot figure out any other than encrypting your traffic. Is there any problem? Why don't you want to do this?

Do I have any way to identify that my traffic is going to the intended destination and not to one which I don't want?

If you request information from a remote site and you do not get any, then you know that the request did not arrive at the intended destination. But I think that the bigger problem is that if you do not trust your ISP and you do not protect your traffic (encryption, ...), the ISP can sniff your traffic anywhere in the backbone (man in the middle), the ISP could monitor traffic on the entire port where your CE connects to the ISP's PE (SPAN, RSPAN), and you will not notice anything...

Can I create a blackhole and push into it the traffic which is going to the unwanted network and coming from there as well?

I do not understand what exactly you mean by this. From each site you will propagate only the subnets which are used in your topology, so each router will have only valid routes in its routing table.

Do route-maps serve me in stopping my routes going to unwanted destinations?

Your CE will peer with the ISP's PE (static, RIP, OSPF, BGP, whatever...); you will advertise to the ISP the subnets which the ISP (on your behalf) will advertise to the other sites in your MPLS VPN. You can configure which subnets the CEs will advertise to particular PEs, but nothing more. You have no knowledge of "unwanted destinations".

I think that the best solution for you will be to create IPsec tunnels to each site. The ISP will distribute only the networks which will serve as IPsec tunnel endpoints.

Best Regards

Please rate all helpful posts and close solved questions
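The controls the answer above describes, as an added Cisco IOS example on CE R4 (not configuration from the thread): the CE advertises only its PE-facing link to the provider, and the site traffic rides an IKEv2/IPsec tunnel to R5 so the provider carries nothing but encrypted packets between tunnel endpoints. Interface names, addresses, the OSPF process numbers and the pre-shared key placeholder are assumptions. The example adds one control the answer does not mention: an inbound prefix filter on the PE-facing OSPF process, which keeps any route outside your own address plan (leaked or otherwise) out of the CE's routing table; it does nothing against the provider reading or misrouting traffic, which is what the tunnel is for.

```cisco
! Added example (not from the thread): CE R4 at the VRF A site behind PE R2.
! Assumed: Gi0/0 = PE-facing link 192.0.2.2/30 (PE is 192.0.2.1), Gi0/1 = site LAN
! 10.1.0.0/24, R5's PE-facing address 192.0.2.6/30, PSK placeholder REPLACE-ME.
!
! 1. Towards the PE: advertise only the PE-CE link, accept only R5's link (the
!    IPsec peer). The site LANs are not in this OSPF process, so the provider
!    never carries them as customer routes.
ip prefix-list FROM-PE-IN seq 10 permit 192.0.2.4/30
!
router ospf 1
 router-id 4.4.4.4
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 192.0.2.0 0.0.0.3 area 0
 distribute-list prefix FROM-PE-IN in   ! anything else the PE sends stays out of the RIB
!
! 2. IKEv2/IPsec tunnel R4 <-> R5 across the L3VPN (AES-GCM, ECDH group 19).
!    With a GCM cipher IKEv2 takes a prf instead of an integrity algorithm.
crypto ikev2 proposal SITE-PROP
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy SITE-POL
 proposal SITE-PROP
crypto ikev2 keyring SITE-KEYS
 peer R5
  address 192.0.2.6
  pre-shared-key REPLACE-ME            ! assumption: replace with a strong PSK or use certificates
crypto ikev2 profile SITE-VPN
 match identity remote address 192.0.2.6 255.255.255.255
 identity local address 192.0.2.2
 authentication remote pre-share
 authentication local pre-share
 keyring local SITE-KEYS
crypto ipsec transform-set ESP-GCM esp-gcm 256
 mode tunnel
crypto ipsec profile SITE-VPN
 set transform-set ESP-GCM
 set ikev2-profile SITE-VPN
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SITE-VPN
!
! 3. Site routing runs inside the tunnel in a second OSPF process; the PE-facing
!    process knows nothing about 10.1.0.0/24 or the remote site's LANs.
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.255.0
!
router ospf 2
 router-id 10.255.0.1
 passive-interface GigabitEthernet0/1
 network 10.1.0.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.0.3 area 0
```

R5 carries the mirror-image configuration (tunnel destination 192.0.2.2, FROM-PE-IN permitting 192.0.2.0/30). With this split, a leaked prefix from another customer's VRF can still arrive at R4's OSPF process 1, but it never reaches the routing table, and even a misrouted or mirrored copy of the traffic on the provider side is ESP ciphertext between two /30 endpoints.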

Thanks Blau Grana. It is not a matter of trust; in fact it is security from the enterprise side.

There is no issue with going with IPsec, but I am searching for another option, if any.

Regards
Thanveer