Securing from MPLS Cloud

Apr 3rd, 2008

We have started migrating our legacy WAN (leased lines) to the Layer 3 MPLS.

We do not run MPLS on our router; rather, we peer with the PE router of the service provider by running BGP.

As of now we are not advertising our IGPs (EIGRP in particular) into BGP; instead we create GRE tunnels and encrypt the tunnels.

My question is:

How do I secure my networking domain from the MPLS network?

Are there any configuration guidelines for securing the router in such cases?

Do we need a firewall on our routers, and if yes, what to filter?

I need the forum's help, I am really clueless.

pcarvill Thu, 04/03/2008 - 09:16

The nature of the MPLS service should be that the PE interface facing you will only be attached to a VRF with your routes, so you will be protecting yourself from yourself. Depending on the provider there could be routing from their global space to your VRF, maybe for CE management. If you are sceptical, or have a good reason (financial institution), you could ACL off the PE, permitting only GRE traffic from the other CE sites. It will essentially come down to your company's internal security policy.

Are the CEs provider managed? Are your GRE tunnels created on the CE or one hop further in?


libanm Thu, 04/03/2008 - 12:48

You are going the right path. A lot of people assume MPLS is a security technology, but all you need is someone to screw up the RT and leak your routes, or vice versa, so how important your data is to you should dictate how much work you want to implement. As the previous person mentioned, if you are skeptical and want to protect your data from everyone, then IPsec is your path. Just be careful and make sure your ISP does not fragment your packets, as IPsec adds extra bytes.
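One way to put the two suggestions in this thread into a CE configuration (permit only the tunnel traffic from the other CE site plus the PE's BGP session, and size the tunnel so IPsec overhead does not cause fragmentation), as an added example in Cisco IOS syntax that is not from any poster here; the addresses, interface names, EIGRP AS number and pre-shared key are assumed placeholders:

```cisco
! Constructed example, not from this thread. Assumed addresses:
!   this CE WAN 192.0.2.1/30, provider PE 192.0.2.2, remote CE WAN 198.51.100.1
!
! IKE/IPsec for the GRE tunnel (transport mode, so only the GRE payload is protected).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set AES-SHA
!
! Inbound filter on the PE-facing interface: only the remote CE's IPsec traffic
! and the PE's BGP session (plus PE pings, assumed for provider monitoring) get in.
ip access-list extended FROM-MPLS
 permit udp host 198.51.100.1 eq isakmp host 192.0.2.1 eq isakmp
 permit esp host 198.51.100.1 host 192.0.2.1
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 permit icmp host 192.0.2.2 host 192.0.2.1 echo
 deny   ip any any log
!
interface GigabitEthernet0/0
 description To provider PE (eBGP only, no IGP on this link)
 ip address 192.0.2.1 255.255.255.252
 ip access-group FROM-MPLS in
 no ip redirects
 no ip proxy-arp
!
! GRE tunnel carrying EIGRP. MTU and TCP MSS are lowered so GRE plus ESP overhead
! never pushes a packet past 1500 bytes, so nothing needs fragmenting in the cloud.
interface Tunnel0
 description Encrypted GRE to remote CE
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 passive-interface default
 no passive-interface Tunnel0
```

Because the GRE packets leave the CE already wrapped in ESP, the inbound ACL needs no `permit gre` line; add one only for a tunnel that is not protected by IPsec.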

ernie.ignacio Fri, 04/04/2008 - 02:51

Thanks for the useful advice regarding the fragmentation ... But really what I am looking for is the industry's best practice when it comes to the CE-PE relationship, and till now I was not able to find one. If you have some kind of reference, please do let me know.

ernie.ignacio Fri, 04/04/2008 - 02:48

Thanks for the reply. It's a good idea to permit only GRE tunnels; CEs are not managed.

What about the firewall feature on routers, or other features that need to be enabled?
