On Thu, 3 Jan 2019 at 22:32, Anderson, Charles R <[email protected]> wrote:
> > > c) always match destination-address if you're running L3 MPLS VPNs
> >
> > I must be misunderstanding because I'm sure you're not suggesting that in
> > the absence of L3VPNs, omitting destination address matching is acceptable?
>
> I would like to learn more about this particular BCP. Why is it that with L3
> MPLS VPNs it is important to specify destination-address?

Because otherwise you have to rely on no L3 MPLS VPN customer anywhere being able to advertise your internal infrastructure addresses.

If you have 1 customer not properly filtered, then they can advertise your NMS station inside their L3 MPLS VPN, no biggy. Now they set SADDR=NMS DADDR=PE_CE_LINK and are accepted as your NMS.

If you ensure that DADDR must be loop or BB link, this trick does not work. And obviously the L3 MPLS VPN can't send packets to those, as they're not in the table.

I know that this trick has worked at all companies I've worked for who have had L3 MPLS VPN, because realistically anyone who widely deploys L3 MPLS VPN will not have perfect hygiene in prefix-filtering.

-- 
++ytti
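
The loopback-filter pattern the reply describes, written out as an added Junos configuration example for readers of the thread. This is not configuration from the thread or from any poster; the prefix-list and filter names are assumptions, and 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges used as constructed sample addresses. The weak filter matches only on source and is shown beside the hardened one that also requires a loopback or backbone-link destination.

```junos
/* Added example, not from the thread. Names, addresses and interface
   numbering are assumptions; the address ranges are constructed samples. */
policy-options {
    prefix-list NMS-STATIONS {
        192.0.2.10/32;
        192.0.2.11/32;
    }
    /* Loopback addresses are collected from the box's own configuration,
       so the filter follows the router's addressing without manual edits. */
    prefix-list ROUTER-LOOPBACKS {
        apply-path "interfaces lo0 unit <*> family inet address <*>";
    }
    /* Core-facing point-to-point link addressing (assumed range). */
    prefix-list BACKBONE-LINKS {
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        /* Weak form: matches on source only. A packet arriving from an
           L3VPN CE with SADDR=NMS and DADDR=<PE-CE link address> satisfies
           this term, so an unfiltered VPN customer who advertises the NMS
           prefix inside its VRF is accepted as the NMS. */
        filter PROTECT-RE-WEAK {
            term nms-snmp {
                from {
                    source-prefix-list { NMS-STATIONS; }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            term default-deny {
                then discard;
            }
        }
        /* Hardened form: the destination must also be a loopback or a
           backbone-link address. Those prefixes are not present in the
           customer's VRF, so a packet sourced from inside the VRF cannot
           be addressed to them and the spoofed source is never matched. */
        filter PROTECT-RE {
            term nms-snmp {
                from {
                    source-prefix-list { NMS-STATIONS; }
                    destination-prefix-list { ROUTER-LOOPBACKS; BACKBONE-LINKS; }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* Counting the discards gives a detection signal: a spoofed
               NMS source arriving via a VRF shows up here instead of
               silently succeeding. */
            term default-deny {
                then {
                    count re-discard;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
                address 192.0.2.1/32;
            }
        }
    }
}
```

Only the SNMP term is shown; a real RE filter has one such term per management protocol, each carrying the same destination-prefix-list match. The destination match is a backstop for imperfect customer prefix filtering, not a replacement for it, and a spike in the re-discard counter is worth correlating with BGP prefixes received from VPN customers.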

