VPN-Security when connecting to other MPLS-Providers?

wagnerch
Level 1

Hi,

How can I avoid that another provider inserts itself into my VPN?

I have VPNs which should not be imported or exported by other carriers. I would like to avoid this within my configuration.

Is there any practical solution so that no other provider can connect itself to my VPNs? It should only be possible to connect to VPNs I allow.

Regards,

Chris

5 Replies

ives.dekoninck
Level 1

Hi, Chris

If you configure a back-to-back VRF configuration, you should be fine.

In fact, what it is is that you configure the interface to the other provider with multiple subinterfaces, on which you configure the VRFs you want the other provider to be able to connect to.

In fact you configure the provider as a customer of yours.

Hope this helps,

-Ives-

Hi Ives,

So there is no possibility for an "RD/RT access-control" if the link is tag-switched. Using subif/VRF does not scale very well and stops any exchange of BGP attributes, right?

It would be best if the vrf-import/export could be controlled on the ASBR and if there would also be a possibility if anybody tries a hack.

Regards,

Chris

What you can do is configure only the VRFs that you want to exchange on the PE-ASBRs; the automatic route filtering feature will then filter all routes that are not needed on the PE to be exchanged.

As such you have a kind of RT filter.

Hope this helps,

-Ives-

The only problem I have is that the VRFs I want to secure are defined on the ASBR-routers.

Regards,

Chris

Hi Chris,

What you could try is the following:

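router bgp 65000
 neighbor 10.0.0.1 remote-as 1
 !
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
  ! the direction was not given in the original post; "in" is assumed here
  neighbor 10.0.0.1 route-map permitted_RT in
!
! only routes carrying a permitted RT pass; everything else hits the implicit deny
route-map permitted_RT permit 10
 match extcommunity 1
!
ip extcommunity-list 1 permit rt 65000:1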

I have never needed this though it might work.

Hope this helps,

-Ives-
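
An added example, not part of the thread or of any poster's configuration: a Python check that reads an IOS-style configuration and reports, per vpnv4 neighbor and direction, which route targets the applied route-map allows, so neighbors with no RT filter stand out. The sample config, the second neighbor 10.0.0.5, the `in` direction and the function names are assumptions; only numbered extcommunity lists with permit entries are parsed.

```python
import re

# Constructed sample config (not from a real device): the filter from the thread
# on 10.0.0.1, plus a hypothetical second neighbor 10.0.0.5 left unfiltered.
SAMPLE = """\
router bgp 65000
 neighbor 10.0.0.1 remote-as 1
 neighbor 10.0.0.5 remote-as 2
 address-family vpnv4
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 send-community extended
  neighbor 10.0.0.1 route-map permitted_RT in
  neighbor 10.0.0.5 activate
route-map permitted_RT permit 10
 match extcommunity 1
ip extcommunity-list 1 permit rt 65000:1
"""

def audit_vpnv4(config):
    """Map each vpnv4 neighbor to {"in": x, "out": x}: None = no route-map,
    "ANY" = a permit entry without an extcommunity match, else the set of RTs
    named by the matched lists. Assumes referenced maps and lists are defined."""
    lists, maps, nbrs, section, entry = {}, {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ip extcommunity-list (\S+) permit (.+)", line):
            lists.setdefault(m[1], set()).update(re.findall(r"rt (\S+)", m[2]))
        elif m := re.match(r"route-map (\S+)( deny)?", line):
            section, entry = "route-map", []
            # deny entries never widen the filter, so only permit entries are kept
            maps.setdefault(m[1], []).extend([] if m[2] else [entry])
        elif m := re.match(r"(?:exit-)?address-family\s*(\S*)", line):
            section = m[1]
        elif section == "route-map" and (m := re.match(r"match extcommunity (.+)", line)):
            entry.extend(m[1].split())
        elif section == "vpnv4" and (m := re.match(r"neighbor (\S+) (activate|route-map (\S+) (in|out))", line)):
            nbr = nbrs.setdefault(m[1], {"in": None, "out": None})
            if m[3]:
                nbr[m[4]] = m[3]

    def resolve(name):
        if name is None:
            return None
        if any(not e for e in maps[name]):   # permit entry with no RT match
            return "ANY"
        return set().union(*(lists[l] for e in maps[name] for l in e))

    return {n: {d: resolve(v) for d, v in dirs.items()} for n, dirs in nbrs.items()}

def unfiltered(report):  # (neighbor, direction) pairs with no RT restriction
    return sorted((n, d) for n, dirs in report.items() for d, v in dirs.items() if v in (None, "ANY"))
```

On the sample, `unfiltered(audit_vpnv4(SAMPLE))` lists the outbound side of 10.0.0.1 and both directions of 10.0.0.5.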
