Hello everyone. Lengthy post, I apologize. :)
I am in the process of considering rolling out MPLS/L3VPN with MP-BGP across our public backbone to carry our private routed traffic inter-DC across the DCI, as opposed to trying to build discrete VRFs with vrf-lite and connect the VRF instances. In the present layout, private networks and public networks physically co-exist on the same gear, albeit in different routing tables.

I am not familiar with how this is typically rolled out in an SP network, but one question came to mind: if my public network is using MPLS/MP-BGP to carry the private traffic from Node A to B, there's really no encryption mechanism built in. While this all stays in my network and doesn't leave, the idea concerns me a little. I'm not a huge fan of public/private mingling anyway, but I'm sure this likely happens on larger networks than I am aware of.

The iBGP peers performing the peerings would be on "dark" IP space, meaning not accessible from the Internet, with password protection on the OSPF/BGP/LDP sessions, and anything with them as the destination filtered at the WAN egress (hijacking, loss of IGP forcing a fall-back to default, etc.). Are my worries founded here, or is this functionally as secure as vrf-lites connected together?

In this setup, I wouldn't have a traditional "CE" where I could do a DMVPN or something over the MPLS, since my PE is technically where the L3 gateways for the VRFs at each site terminate. Is there a good method of securing this other than L3-terminating all the private behind some new CE device and encrypting it via a tunnel?

TIA.

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
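The controls the post lists (authenticated OSPF/BGP/LDP sessions, PE loopbacks on non-routable space, and an infrastructure filter on the Internet-facing link) expressed as a Cisco IOS-style PE fragment. This is an added illustration, not configuration from the original message; every address, interface name, AS number and key-chain name is an assumed placeholder.

```cisco
! Added illustration (not from the original post): PE-side hardening for the
! design described above. Assumed placeholders: local loopback 10.255.0.1/32,
! iBGP/LDP peer 10.255.0.2, infrastructure block 10.255.0.0/24, Gi0/0 = core
! / DCI link, Gi0/1 = Internet-facing WAN link, AS 65000.
key chain INFRA-AUTH
 key 1
  key-string REPLACE-WITH-STRONG-SECRET
  cryptographic-algorithm hmac-sha-256
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description core / DCI link, MPLS enabled, IGP authenticated
 ip address 10.255.1.1 255.255.255.252
 ip ospf authentication key-chain INFRA-AUTH
 mpls ip
!
router ospf 1
 router-id 10.255.0.1
 network 10.255.0.0 0.0.255.255 area 0
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
mpls ldp router-id Loopback0 force
mpls ldp password required
mpls ldp neighbor 10.255.0.2 password REPLACE-WITH-STRONG-SECRET
!
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 password REPLACE-WITH-STRONG-SECRET
 address-family vpnv4
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
!
ip access-list extended WAN-IN
 remark nothing from outside may be addressed to the infrastructure block
 deny   ip any 10.255.0.0 0.0.0.255
 remark nothing from outside may claim an infrastructure source address
 deny   ip 10.255.0.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/1
 description Internet-facing WAN link
 ip access-group WAN-IN in
! "mpls ip" is intentionally absent on Gi0/1: labeled packets arriving on a
! non-MPLS interface are dropped, so nothing outside can inject labels.
```

The filter and the absent `mpls ip` on the WAN side keep outside parties from reaching the PE loopbacks or injecting labeled traffic; they do nothing for confidentiality of the VPN payload on the DCI itself, which remains cleartext as the post notes.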