
Tips on security of RIP routing updates to MPLS VPN sent from customer.

Unanswered Question
Jul 18th, 2003


We are going to create an MPLS VPN for our customer, and are planning to exchange routes between our PE routers and customer CE routers using RIPv2, redistributed then to BGP at PE. We have thought of various security scenarios (like telnet access on customer ports, etc.), but we are a little bit afraid of the customer sending RIP updates to PE, which are then distributed to all VRFs at all PEs which the customer is connected to.

What are the possible risks for PEs (router stability when many updates are sent) and the MPLS VPN as such, and if any, are there some hands-on commands to solve it (at least partially)?

Thank you so much for any idea, hint or reference to another interesting place.


annu86 Fri, 07/18/2003 - 07:21

We also have a similar kind of network here.

We are just starting up, so we haven't thought about the risk that you are having, but I believe lately we may also be having the same risk.

CPE routers will be managed by you, if I am not wrong.

I guess the security risk falls down with that.

Still, you can configure a distribute-list at the CPE end.

My final suggestion to you will be: whatever configuration or policies should be implemented at the CPE end, nothing at the PE end.

ruwhite Fri, 07/18/2003 - 12:24

You could use route dampening to make certain they don't flap their routes to you too much on the BGP side of the equation, and consume resources too much on your network:


You should also heavily filter the routes you are learning through RIP from your clients.
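
An added configuration sketch, not part of the thread, showing one way a PE could filter RIP routes learned from a customer and cap the size of the VRF table. The VRF name, RD/RT, AS number, interface, addresses, prefix range and route limit are all constructed placeholders.

```cisco
! Constructed values: CUST-A, 65000:100, Serial0/0, 192.0.2.0/30,
! 10.20.0.0/16 and the limit of 200 routes are placeholders.
ip vrf CUST-A
 rd 65000:100
 route-target both 65000:100
 ! Cap the number of routes in this VRF; warn at 80% of the limit.
 maximum routes 200 80
!
interface Serial0/0
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.252
!
! Accept only the address block agreed with the customer, and nothing
! more specific than /24. Everything else, including a default route,
! hits the implicit deny at the end of the prefix list.
ip prefix-list CUST-A-RIP-IN seq 10 permit 10.20.0.0/16 le 24
!
router rip
 version 2
 address-family ipv4 vrf CUST-A
  network 192.0.2.0
  no auto-summary
  ! Apply the filter to RIP updates received on the PE-CE link.
  distribute-list prefix CUST-A-RIP-IN in Serial0/0
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  ! Only routes that passed the RIP inbound filter reach the VRF
  ! table and are redistributed to the other PEs.
  redistribute rip
```

Because the filter sits on the PE, it holds even if the CE is misconfigured or not under the provider's control.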


