Customer Edge 221
Customer Edge
In this section, we discuss security considerations at the customer edge router as Layer 3
and Layer 2 devices. We illustrate the security factors for both constructs and highlight
recommendations for deployment.
CE Interconnection Service Is a Layer 3 Device
In scenarios where customers seek a Layer 2 interconnection service for their Layer 3
networks as would be expected through a Frame Relay/ATM offering, the security
approaches are simplest to implement while providing a reasonable degree of control
over network access.
The customer needs to follow the Layer 3 best practices as described in Chapter 4, “Secure
MPLS VPN Designs.” This should include using MD5 signatures for the routing protocol
mechanisms traversing the service provider network. In addition, the service provider
should provide a MAC address–based filter on the access point to the Layer 2 provider
edge. This filter should permit the MAC address of the customer CE router only.
An example is as follows:
vacl blah permit aabb.ccdd.eeff
vacl deny all
The service provider should further implement traffic load controls on the provider edge
router facing the customer’s interconnection device. That is, received traffic should be
bandwidth limited to the levels as agreed on in the service contract between the customer
and the service provider. Bandwidth limiting can be provided by using input policing
mechanisms as shownhere:
service-policy dogger
police 3000000
interface ethernet 0/0
service-policy dogger in
In addition, it would be preferable that the service provider also police outbound traffic
volumes to protect the customer’s network from network anomalies escaping from the
service provider core.
The customer should also implement protections on its service provider–facing edge
devices to prevent any aberrant traffic loads from impacting its local operations.
Customer Edge Interconnection Service Is a Layer 2 Device
In designs where a customer Layer 2 domain is interconnected by a service provider
Layer 2 EoMPLS network, the security considerations are considerably more significant
and complex in implementation.
222 Chapter 7: Security of MPLS Layer 2 VPNs
As such, the following configuration components should be addressed for Ethernet VLAN
security, VPLS security, and and hijack management access security:
Secure console/aux access
Disable password recovery (if possible)
Ensure that U-PE cannot become spanning tree root (priority configuration)
Establish broadcast controls on interfaces
Disable/block Cisco Discover Protocol (CDP), Bridge Protocol Data Units (BPDUs),
and Dynamic Trunking Protocol (DTP) on the UNI interfaces
Ensure VTP operation in transparent mode
Apply MAC address limits
Remove VLAN 1 and reserved VLANs from UNI
Remove unused VLANs from allowed list
Shut down all unused ports
Hard-code physical port attributes
Establish error reporting
Enable 802.1x as applicable
Hijack Management Security
The interconnect device (CE and especially U-PE) access ports should be strongly
secured to prevent unauthorized intrusion into the service provider network. The general
recommendations for securing access to Cisco devices can be summarized by protecting
access to console ports and implementing router password security mechanisms.
Many of the above recommendations can also be readily applied to large enterprise
Disable Password Recovery
In addition, consideration should be given to disabling password recovery mechanisms
inherent in most Cisco hardware. This fail-safe measure allows a user with physical access
to the device to power the device off and on and issue a “break” sequence on the console
port within 20 seconds of the reboot. This will drop the router into “ROMMON” mode,
where the configuration may be viewed and possibly manipulated.
For example, most Cisco routers and switches allow the service provider to disable this
recovery mechanism using the following command sequence: no service password-

Get MPLS VPN Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.