PE Data Plane Security

For data plane security, as in the CE, the use of Unicast Reverse Path Forwarding (uRPF) is recommended also for the PE. The uRPF lookup feature should be enabled on each CE-facing interface of the PE routers and on each PE-facing interface of the CE routers, so that a packet is forwarded only if its source address is reachable back through the interface on which it arrived.

NOTE

There is a potential risk of transit traffic compromising a router such as a PE. The service provider network engineer could use the following example for IP options:

ip options {drop | ignore}

The ignore keyword lets the router forward transit packets that carry IP options, while dropping packets with IP options that are destined to the router itself (its receive path). This provides some mitigation of direct IP option-based attacks against the PE without affecting packets with IP options that are destined to customers. Customers should check with Cisco.com for updates when using this command and others referenced in this chapter.
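The following Cisco IOS configuration fragment is an added example illustrating the two recommendations above together (uRPF on the PE's CE-facing interface and on the CE's PE-facing interface, plus the global IP options setting); it is not taken from the book. The interface names, VRF name, IP addresses and the choice of strict (`rx`) rather than loose (`any`) uRPF are assumptions made for a single-homed customer site, and should be adapted to the actual topology.

```cisco
! ===== PE router (added example, not from the book) =====
! uRPF is implemented on top of CEF, so CEF must be enabled first.
ip cef
!
! Forward transit packets that carry IP options, but drop option-bearing
! packets punted to the PE's own receive path (see the NOTE above).
! Use "ip options drop" instead to drop every packet carrying IP options.
ip options ignore
!
! CE-facing interface of the PE. Strict uRPF ("reachable-via rx") is assumed
! appropriate because the customer site is single-homed, so every legitimate
! source address from the CE is reachable back through this same interface.
! The VRF name and addressing are assumptions.
interface GigabitEthernet0/1
 description To CE-A (assumed single-homed customer site)
 ip vrf forwarding CUSTOMER-A
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast source reachable-via rx
!
! ===== CE router (added example, not from the book) =====
ip cef
!
! PE-facing interface of the CE: the same strict uRPF check applied in the
! opposite direction, so spoofed sources arriving from the provider side are
! dropped before they reach the customer site.
interface GigabitEthernet0/0
 description To PE (provider uplink)
 ip address 192.0.2.2 255.255.255.252
 ip verify unicast source reachable-via rx
```

After applying the configuration, `show ip interface GigabitEthernet0/1` on the PE should list the "IP verify source reachable-via RX" line for the interface, and the "unicast RPF" counter under the Drop section of `show ip traffic` shows how many packets the check has discarded. If a customer site is multihomed or uses asymmetric routing, strict mode will drop legitimate traffic; in that case loose mode (`reachable-via any`) is the safer choice, at the cost of catching only sources that are absent from the routing table entirely.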