Securing an IPVPN Provider Core with Zone Based Firewalls
Currently we are rolling out a new core network to provide MPLS IPVPN, Internet Access, DSL services etc. Everything is going well so far, however I am trying to decide on a security model. I am currently evaluating ZBF for the core network; I was drawn to this due to the Zone Self, so we can tightly control traffic destined to the control plane (as receive ACLs have been deprecated on the IOS XE platforms). Now I thought / hoped the ZBF zone information would be carried across the core as a BGP community by default; this appears not to be the case. Please see diagram below:
So traffic is currently being dropped, as the core link (Core 1 - Core 2) is not part of a zone. I can create a new zone (Zone: Core) and define access across zones.
However I am unsure if ZBF is now suitable for an MPLS IPVPN provider. What are people's thoughts / experiences?
Core Security Checklist:
1. Define / Secure CPE -> PE traffic
   - ACL - Currently configured
   - Control Plane Protection - Investigate
   - ZBF - Investigating
2. Control Plane Policing (Complete)
3. Disable SSH Keyboard (regarding this, if anyone knows off-hand: I have successfully created public / private key pairs and they work, however the router will still accept keyboard authentication; can this be disabled?)
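As an added illustration of the "Zone: Core" approach described above (example configuration, not from the original post or any vendor document), the following IOS/IOS XE fragment places the Core 1 -> Core 2 link in a CORE zone and defines the two zone-pairs between CORE and the self zone so that only the core control-plane protocols reach the router; everything else to the control plane is dropped and logged. The zone and ACL names, the interface, and the protocol set (OSPF, LDP, BGP, ICMP echo) are assumptions; zone-pairs for transit traffic between CORE and any customer-facing zones still need to be defined separately.

```cisco
! Added example, not from the original post. Zone names, ACL name,
! interface and protocol set are assumptions for illustration.
zone security CORE

! Control-plane traffic the core link must exchange with this router
ip access-list extended CORE-CP
 permit ospf any any
 permit tcp any any eq 646
 permit tcp any eq 646 any
 permit udp any any eq 646
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit icmp any any echo
 permit icmp any any echo-reply

class-map type inspect match-any CORE-CP-CMAP
 match access-group name CORE-CP

! Pass (not inspect) the routing / label-distribution protocols in each
! direction; anything unmatched falls to class-default and is dropped.
policy-map type inspect CORE-TO-SELF
 class type inspect CORE-CP-CMAP
  pass
 class class-default
  drop log

policy-map type inspect SELF-TO-CORE
 class type inspect CORE-CP-CMAP
  pass
 class class-default
  drop log

zone-pair security CORE-SELF source CORE destination self
 service-policy type inspect CORE-TO-SELF
zone-pair security SELF-CORE source self destination CORE
 service-policy type inspect SELF-TO-CORE

! Core-facing interface (assumed name) joins the CORE zone
interface GigabitEthernet0/0/0
 description Core 1 -> Core 2
 zone-member security CORE
```

After applying it, `show policy-map type inspect zone-pair CORE-SELF` shows which class the dropped packets are hitting, which makes it easy to spot a control-plane protocol missing from the ACL before it breaks an adjacency.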