[c-nsp] MLPPP product from the provider point of view

Joe Maimon jmaimon at ttec.com
Wed Mar 12 15:45:01 EDT 2008



Gert Doering wrote:

> Hi,
> 
> On Wed, Mar 12, 2008 at 09:07:51AM -0400, Joe Maimon wrote:
> 
>>- Is it really necessary to utilize Multilink interfaces on the 
>>provider side if using a 7200 as opposed to 7500 which seem to only 
>>require a Virtual-Template?
> 
> 
> Multilink interfaces are (for statically configured links) vastly superior
> to virtual-template based multilink bundles.

How so?

> 
> 
>>- In theory, one virtual template can be used for all mlppp customers, 
>>as they will establish separate bundles with their endpoint 
>>discriminators, correct?
> 
> 
> Yes.
> 
> 
>>- It's not necessary to embed interface ip on the virtual template, ip 
>>unnumbered loopback works just fine, is this a common approach?
> 
> 
> Having the same interface IP on independent bundles usually causes great
> pain for IOS, so "ip unnumbered" would be strongly recommended.

Or use separate virtual templates for each bundle, you have about 500 
per router.

> 
> 
>>- Using ip unnumbered loopback on the customer side in its multilink 
>>interface results in the customer ppp ipcp negotiation assigning the 
>>customer loopback ip to its ppp session. Is this a common approach? Is 
>>it secure?
> 
> 
> How do you protect against a customer claiming "I have the IP address
> of your nameserver?".

The only way to do that as far as I can see is to use ppp ipcp 
commands to reject or restrict the address.

In that case you either have to use separate interfaces with that 
command in it or use radius with authentication, am I correct?

> 
> If the other end is not under your control, this is about as insecure as
> permitting the other end to speak OSPF to you.  Never ever permit the
> customer router to inject routes into your system.
> 
> Use multilink interfaces and static routes pointing to these.

On the 7500?

> 
> gert

