The following provides a brief checklist of the recommendations detailed within this overall chapter:
- Use static routing between PE and CE if possible.
- If dynamic routing is required between PE and CE, secure the peering using MD5:
  - Use eBGP as the dynamic routing protocol if possible.
  - Configure "maximum prefix" limits per VRF and per neighbor.
  - Establish "dampening" parameters.
  - If MD5 is not possible, use distance to mark all but the peering router as unreliable.
- Only use EIGRP/OSPF/RIP as the PE-CE routing protocol if static/eBGP routing is not available, and only if the PE-CE links are point-to-point.
- Minimize and secure access to PE and CE routers:
  - Limit access to devices within the span of control of the operating entity; that is, customers do not access SP routers, and the SP does not access customer routers.
  - Define ACLs and apply "access-group" to VTYs.
  - Use AAA and centralized servers to control access.
  - Protect access to console and auxiliary ports.
  - Use CoPP and AutoSecure.
  - Use SSH for access to router VTYs.
  - If SSH is not available, then use ACLs to control telnet access.
  - Limit SNMP access to specific servers through ACLs.
  - Provide only read-only SNMP access.
  - Use receive ACLs where possible.
  - Use iACLs to secure the core.
- Log, log, log.
- Implement uRPF on all edge routers:
  - Use "strict" mode wherever possible.
  - Use "loose" mode if strict cannot be applied.
- Apply QoS/policing to PE/CE interfaces to control offered loads.
- Implement DMZs using IDS and firewalls to protect networks from intrusions, as discussed in the previous chapter.
- Run CE-to-CE IPsec where data sensitivity or the environment demands it.
- Use MD5 for LDP in the core.
- Use MPLS over L2TPv3 when considering an MPLS over IP deployment scenario for best-practice security.
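As an added illustration (not the book's own configuration), the following IOS fragment shows how several of the checklist items above land on a single PE: MD5-secured eBGP to the CE with a per-neighbor prefix limit and dampening, a per-VRF route cap, strict uRPF and ingress policing on the CE-facing interface, MD5 on the core LDP session, and ACL-restricted, SSH-only, AAA-authenticated management with read-only SNMP. All hostnames, addresses, AS numbers, ACL names and key placeholders are constructed, and the policy-map CE-INGRESS-POLICE is assumed to be defined elsewhere.

```cisco
! Added example, not from the book: a PE configuration fragment applying
! the checklist above. All names, addresses and keys are constructed
! placeholders; replace them before use.
aaa new-model
aaa authentication login default group tacacs+ local
!
ip vrf CUST-A
 rd 65000:100
 route-target both 65000:100
 ! cap the VRF routing table, warn at 80 percent
 maximum routes 1000 80
!
interface GigabitEthernet0/1
 description point-to-point PE-CE link to CUST-A
 ip vrf forwarding CUST-A
 ip address 10.0.1.1 255.255.255.252
 ! uRPF strict mode and ingress policing on the edge interface
 ip verify unicast source reachable-via rx
 service-policy input CE-INGRESS-POLICE
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  ! eBGP to the CE: MD5-secured, per-neighbor prefix limit, dampening
  neighbor 10.0.1.2 remote-as 65100
  neighbor 10.0.1.2 password MD5-KEY-PLACEHOLDER
  neighbor 10.0.1.2 maximum-prefix 500 80 restart 5
  neighbor 10.0.1.2 activate
  bgp dampening 15 750 2000 60
!
! MD5 on the LDP session to a core neighbor
mpls ldp neighbor 192.0.2.2 password LDP-KEY-PLACEHOLDER
!
! SP management hosts only; everything else is denied and logged
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! read-only SNMP, restricted to the management ACL
snmp-server community RO-COMMUNITY-PLACEHOLDER RO MGMT-HOSTS
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication default
```

CoPP, receive ACLs and iACLs are deliberately omitted from the fragment because their contents depend on the core addressing plan; they complete the picture on a real PE.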
See Appendix A for a detailed configuration example of a provider edge router.
Figure 5-2 depicts the requisite best practice functions for each of the network components, such as P, PE, and CE.