PE to CE Circuits
As discussed earlier in this chapter, the MPLS core infrastructure is neither reachable nor visible from within a customer VPN; therefore, it is protected from potential customer DoS attacks. An exception to this rule is the peering interface of the PE router for the PE/CE circuit. Because the customer VRF is defined on this interface, it is reachable by the customer network. Therefore, the PE router might be subject to intrusion of DoS attempts from the customer network.
To mitigate unauthorized access to the service provider network, access-list filters should be placed on the PE router ingress interface to limit access, for example, to the peering addresses (PE/CE endpoints) used by the PE/CE routing protocol. Also, distribution ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access