
Securing an IPVPN Provider Core with Zone Based Firewalls

neil grant
Level 1

Morning Chaps,

Currently we are rolling out a new core network to provide an MPLS IPVPN, Internet Access, DSL services etc. Everything is going well; however, I am trying to decide on a security model. I am currently evaluating ZBF for the core network. I was drawn to this due to the Zone Self, so we can tightly control traffic destined to the control plane (as receive ACLs have been deprecated on the IOS XE platforms). Now I thought / hoped the ZBF zone information would be carried across the core as a BGP community by default; this appears not to be the case. Please see diagram below:

VRF - ZBF Traffic Flow .jpg

So traffic is currently being dropped, as the core link (core 1 - core 2) is not part of a Zone, I can create a new zone (Zone: Core) and define access across zones.

However, I am unsure if ZBF is now suitable for an MPLS IPVPN provider. What are people's thoughts / experiences?

Core Security Checklist:

1. Define / Secure CPE -> PE traffic

  • ACL - Currently configured
  • Control Plane Protection - Investigate 
  • ZBF - Investigating   

2. Control Plane Policing (Complete)

3. Disable SSH Keyboard (regarding this, if anyone knows offhand: I have successfully created Public / Private pairs and they work successfully, however the router will still accept keyboard authentication. Can this be disabled?)

Regards Neil

Regards Neil http://uk.linkedin.com/pub/neil-grant/20/5b0/267

neil grant
Level 1

Top

Regards Neil 

http://uk.linkedin.com/pub/neil-grant/20/5b0/267
