PE Data Plane Security

For data plane security, as in the CE, the use of Unicast Reverse Path Forwarding (uRFP) is recommended also for the PE. The Unicast Reverse Path Forwarding (uRPF) lookup feature should be enabled on each interface of the PE routers' CE-facing interfaces and on the CE routers' PE-facing interfaces.


There is a potential risk of transit traffic compromising a router such as a PE. The service provider network engineer could use the following example for IP options:

ip options ignore/drop

The ignore command option allows the operator to process transit packets with IP options set, but with drop packets that are on the router's receive path. This provides some mitigation of direct IP option-based attacks without impacting packets with IP options destined to customers. Customers should check with for updates when using this command and others referenced in this chapter.