Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Securing from MPLS Cloud

We have started migrating our legacy WAN (leased lines) to the Layer 3 MPLS.

We do not run MPLS on our router, rather we peer with the PE router of the service provided by running BGP.

As of now we are not advetising our IGPs (EIGRP in particular) to the BGP, instead we create GRE tunnel and encrypt the tunnels.

My question is :

How do I secure my networking domain, from the MPLS network.

Is there any configuration guidelines for securing router in such cases.

Do we need firewall on our routers, if yes what to filter?

I need forums help, I am really clueless.

New Member

Re: Securing from MPLS Cloud

The nature of the MPLS service should be that the PE interface facing you will only be attached to a VRF with your routes, so you will be protecting yourself from yourself. Depending on the provider there could be routing from their global space to your VRF, maybe for CE management. If you are sceptical, or have a good reason (Financial institution) you could ACL off the PE permitting only GRE traffic from the other CE sites. It will essentially come down to your companies internal Security Policy.

Are the CEs provider managed? Are your GRE tunnels created on the CE or one hop further in?


New Member

Re: Securing from MPLS Cloud

You are going the right path, alot of people assume mpls as security technology, but all you need is someone to screw up the RT and leak your routes or vi-verse, so depends how much you data is important to you,should dictate how much work you want to implement. as the previous person mentioned if you skeptical and want to protect your data from everyone then IPsec is your path. just be careful and make sure your ISP does not fragment your packet as IPsec add extra bytes.

New Member

Re: Securing from MPLS Cloud

Thanks for the useful advise regarding the fragmentation ... But really what I am looking for the industry's best practice when it comes to the CE-PE relationship, and till now I was not able to find one. If you have some kind of reference , please do let me know.

New Member

Re: Securing from MPLS Cloud

Thanks for the reply. Its a good idea to permit to permit only GRE tunnels, CEs are not managed.

what about the firewall feature on routers, or other features that need to be enabled.

CreatePlease to create content