Hello everyone. Lengthy post, I apologize. :)

I am in the process of considering rolling out MPLS/L3VPN with MP-BGP
across our public backbone to carry our private routed traffic inter-DC
across the DCI, as opposed to trying to build discrete VRFs with vrf-lite
and connect the VRF instances. In the present layout, private networks and
public networks physically co-exist on the same gear, albeit different
routing tables.

I am not familiar with how this is typically rolled out in a SP network,
but one question came to mind:

If my public network is using MPLS/MP-BGP to carry the private traffic from
Node A to B, there's really no encryption mechanism built in. While this
all stays in my network and doesn't leave, the idea concerns me a little.
I'm not a huge fan of public/private mingling anyway, but I'm sure this
likely happens on larger networks than I am aware of.

The iBGP peers performing the peerings would be on "dark" IP space, meaning
not accessible from the Internet, with password protection on the OSPF/BGP/LDP
sessions, and filtered at the WAN edge for anything with them as the
destination (hijacking, loss of IGP forcing a fall-through to default, etc.).

Are my worries founded here, or is this functionally as secure as vrf-lite
instances connected together? In this setup, I wouldn't have a traditional "CE"
where I could do DMVPN or something over the MPLS, since my PE is technically
where the L3 gateways for the VRFs at each site terminate. Is there a good
method of securing this other than terminating all the private L3 behind
some new CE device and encrypting it via a tunnel?

cisco-nsp mailing list  cisco-nsp@puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/
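The control-plane hardening the post describes (routing sessions on non-Internet-reachable loopbacks, MD5 on OSPF/BGP/LDP, and an edge filter that drops anything addressed to that space) looks roughly like the following on IOS. This is an added illustration, not configuration from the original post or from any particular vendor document. Everything concrete in it is assumed: the infrastructure range 10.255.0.0/16, AS 65000, interface names, neighbor addresses, and the placeholder secrets in angle brackets.

```cisco
! Constructed example, not from the original post.
! Assumptions: PE/P loopbacks and core links live in 10.255.0.0/16 ("dark" space),
! OSPF area 0 is the IGP, LDP supplies transport labels, iBGP VPNv4 runs
! loopback-to-loopback in AS 65000. Gi0/1 faces the core, Gi0/0 faces the Internet.

! --- Loopback used for LDP and BGP session endpoints ---
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! --- Core-facing link: OSPF with MD5, MPLS enabled only here ---
interface GigabitEthernet0/1
 description Core link toward P router (assumed)
 ip address 10.255.1.0 255.255.255.254
 ip ospf message-digest-key 1 md5 <ospf-secret>
 mpls ip
!
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 area 0 authentication message-digest
!
! --- LDP: session anchored on Loopback0, per-neighbor MD5 ---
mpls ldp router-id Loopback0 force
mpls ldp neighbor 10.255.0.2 password <ldp-secret>
!
! --- iBGP VPNv4 between PE loopbacks, MD5 on the TCP session ---
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 password <bgp-secret>
 address-family vpnv4
  neighbor 10.255.0.2 activate
  neighbor 10.255.0.2 send-community extended
 exit-address-family
!
! --- Infrastructure ACL, applied INBOUND on the Internet-facing interface ---
! Nothing from outside may target the infrastructure range or speak the
! routing/label protocols to this box, whatever the destination address.
ip access-list extended INFRA-PROTECT
 remark Drop anything addressed to loopbacks / core links (assumed range)
 deny   ip any 10.255.0.0 0.0.255.255
 remark Drop OSPF, BGP (tcp/179) and LDP (tcp+udp/646) arriving from outside
 deny   ospf any any
 deny   tcp any any eq bgp
 deny   tcp any any eq 646
 deny   udp any any eq 646
 remark Everything else is ordinary public traffic; tighten further as needed
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet / WAN facing (assumed)
 ip access-group INFRA-PROTECT in
 ! deliberately NO "mpls ip" here: labeled packets are not accepted on an
 ! interface without MPLS enabled, so outside parties cannot inject labels
```

Two practical notes. First, the filter goes on the Internet-facing interface in the inbound direction, because the threat is an outside party reaching the loopbacks or label-protocol ports, not your own traffic leaving. Second, none of this encrypts anything: what it protects is the control plane and reachability of the PE/P infrastructure, which is the same separation you get from vrf-lite instances cabled together, since in both designs the private payload crosses the same links in the clear. If the concern is confidentiality on the DCI wire itself, that has to be added separately (link-layer MACsec on the DCI links, or IPsec between the VRF gateways at each site).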
