Cisco Support Community
New Member

VPN-Security when connecting to other MPLS-Providers?

Hi,

How can I prevent another provider from inserting itself into my VPN?

I have VPNs which should not be imported or exported by other carriers. I would like to avoid this within my configuration.

Is there any practical solution so that no other provider can connect itself to my VPNs? It should only be possible to connect to VPNs I allow.

Regards,

Chris

5 REPLIES
New Member

Re: VPN-Security when connecting to other MPLS-Providers?

Hi, Chris

If you configure a back to back VRF configuration, you should be fine.

In fact, what it is is that you configure the interface to the other provider with multiple subinterfaces, on which you configure the VRFs you want the other provider to be able to connect to.

In fact you configure the provider as a customer of yours.

Hope this helps,

-Ives-

New Member

Re: VPN-Security when connecting to other MPLS-Providers?

Hi Ives,

So there is no possibility for an "RD/RT access-control" if the link is tag-switched. Using subif/VRF does not scale very well and stops any exchange of BGP attributes, right?

It would be best if the vrf-import/export could be controlled on the ASBR and if there would also be a possibility if anybody tries a hack.

Regards,

Chris

New Member

Re: VPN-Security when connecting to other MPLS-Providers?

What you can do is configure only the VRFs that you want to exchange on the PE-ASBRs; the automatic route filtering feature will then filter all routes that are not needed on the PE to be exchanged.

As such you have a kind of RT filter.

Hope this helps,

-Ives-

New Member

Re: VPN-Security when connecting to other MPLS-Providers?

The only problem I have is that the VRFs I want to secure are defined on the ASBR-routers.

Regards,

Chris

New Member

Re: VPN-Security when connecting to other MPLS-Providers?

Hi Chris,

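What you could try is the following:

router bgp 65000
 neighbor 10.0.0.1 remote-as 1
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
  ! IOS needs a direction on the route-map; applied both ways here
  neighbor 10.0.0.1 route-map permitted_RT in
  neighbor 10.0.0.1 route-map permitted_RT out
!
route-map permitted_RT permit 10
 match extcommunity 1
!
ip extcommunity-list 1 permit rt 65000:1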

I have never needed this though it might work.

Hope this helps,

-Ives-
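
The RT allow-list suggested in the last reply, modelled as an added example (not code from the thread or from Cisco). It assumes the route-map permits a route when the allowed route-target is present among its extended communities; the VRF names, import RTs other than 65000:1, and sample routes are constructed. The audit flags accepted routes that also carry route-targets outside the allow-list and shows which ASBR-local VRFs would import them.

```python
# Added example: a model of the RT allow-list filter, not Cisco code.
from dataclasses import dataclass

ALLOWED_RTS = {"65000:1"}  # the RT in the thread's extcommunity-list 1

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset  # route-target extended communities on the route

# Constructed VRFs defined on the ASBR: name -> import RTs (hypothetical).
ASBR_VRF_IMPORTS = {
    "SHARED": {"65000:1"},
    "PRIVATE_A": {"65000:50"},
}

# Constructed routes as they might arrive over the inter-provider session.
SAMPLE_ROUTES = [
    Vpnv4Route("1:100", "192.0.2.0/24", frozenset({"65000:1"})),
    Vpnv4Route("1:200", "198.51.100.0/24", frozenset({"65000:50"})),
    Vpnv4Route("1:300", "203.0.113.0/24", frozenset({"65000:1", "65000:50"})),
]

def permitted(route, allowed=ALLOWED_RTS):
    """Assumed semantics: permit if an allowed RT is present, else implicit deny."""
    return bool(route.rts & allowed)

def audit(routes, vrf_imports=ASBR_VRF_IMPORTS, allowed=ALLOWED_RTS):
    """Per route: filter verdict, RTs outside the allow-list, importing VRFs."""
    findings = []
    for r in routes:
        ok = permitted(r, allowed)
        extra = sorted(r.rts - allowed) if ok else []
        vrfs = sorted(n for n, imp in vrf_imports.items() if ok and r.rts & imp)
        findings.append({"prefix": r.prefix, "accepted": ok,
                         "extra_rts": extra, "imported_by": vrfs})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROUTES):
        print(finding)
```

A non-empty extra_rts on an accepted route means the presence match alone did not confine that route to the allowed VPN, which matters when the VRFs to protect live on the ASBR itself.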
