1. Home
  2. Networking
  3. Mpls VPN security

Layer 2 LAN Access

We have discussed Layer 2 access security issues in Chapter 7, particularly in the context of Ethernet over MPLS. As customers converge their services onto an MPLS-based network, Layer 2 security considerations will be even more pivotal, especially for interworking OAM constructs and interprovider pseudowire mechanisms, such as pseudowire switching, which are being discussed at the time of the writing of this book.

Some points to highlight for deployment are the following:

  • Inter-As and CsC connections only in private peering relationships?Use a dedicated connection rather than a shared VLAN.

  • Within VLANs, ARP spoofing (hacking tools hunt, arpspoof), CAM overflow (hacking tool macof), DoS against spanning tree, and DoS storms (a hacking tool exists) can be done. For ARP spoofing and CAM overflow prevention, look at port security. Also, disable the spanning tree on the router port by hard coding the root bridge, for example.

These are not extensive and are the most obvious best practices for Layer 2 deployments.



    		Part I: MPLS VPN and Security Fundamentals
    		Part II: Advanced MPLS VPN Security Issues
    		Part III: Practical Guidelines to MPLS VPN Security
    		Part IV: Case Studies and Appendixes
    		Chapter 9. Case Studies
    		Internet Access
    		Multi-Lite VRF Mechanisms
    		Layer 2 LAN Access
    		Summary
    		Appendix A. Detailed Configuration Example for a PE
    		Appendix B. Reference List