[c-nsp] Private IP in SP Core

Pshem Kowalczyk pshem.k at gmail.com
Sun Mar 10 18:23:33 EDT 2013


Hi,

The last two networks that I've built used private IP in the core -
but neither of them ran Internet in the global table (both used VRFs
for that). If you run L3vpns you should probably disable TTL
propagation to avoid confusing your customers with 'weird'
traceroutes. I also moved all the management interfaces of the devices
to VRFs (or VRF-lites) to clean up the global table completely.

When it comes to edge security - the same thing as usual - access
lists, CoPP and uRPF (if your platform supports it).

If you plan to run full tables in VRFs - just double check that the
hardware you're running this on can handle it fine. I found that for
example RP1 in ASR1k is slower loading full table into VRF than it is
into global table, for the first table. IOS XR platforms have to be
explicitly told to use addresses from VRFs when it comes to generation
of ICMP packets (for example on your PEs, or in cases when you might
have a VRF with no physical interfaces, just loopbacks). I've noticed
some oddities when it comes to ICMP in ASR1k - in some cases the
egress interface doesn't show up in traceroutes (when it should).

The organisation that I've deployed that setup for has been running it
successfully for over 3 years now without any major issues.

kind regards
Pshem


On 11 March 2013 10:44, Gordon Bryan <cisco_resource at yahoo.co.uk> wrote:
> Hi Group,
>
> I'm heading towards the final stages of planning a new MPLS core network and I'm currently stuck in two minds between public or private addressing for the core.
>
> I like the concept of private addressing (core hiding being one) but having never seen it deployed in anger I'm concerned that it might not be as simple as it seems and may break other things. I've read that traceroute and PMTUD are at risk in such a scenario.
>
> Is anyone on this list using private addressing in the core and can you share your experiences? Particularly any pitfalls or any obscure quirks that you found lurking?
>
> Also, even in a completely private core, a PE still becomes exposed to the outside world on its PE-to-CE interface when delivering Internet services. Has anyone developed any proficient methods for locking down these interfaces and making them unresponsive/secure from the outside?
>
> Many thanks
>
> Gordon
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
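The measures Pshem lists (management in a VRF, TTL propagation disabled, ACL + uRPF on the PE-CE interface, CoPP) as one IOS-style PE configuration skeleton. This is an added example, not configuration from either poster's network: the VRF names MGMT and INET, the interface names, the customer prefix 192.0.2.0/24, the link addresses 203.0.113.0/30 and the policer rates are placeholders, and the INET VRF's RD/RT definition is assumed to exist elsewhere.

```cisco
! --- 1. Management out of the global table (Pshem: "moved all the
!        management interfaces of the devices to VRFs") ---
vrf definition MGMT
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0
 description OOB management (placeholder interface)
 vrf forwarding MGMT
 ip address 10.255.0.11 255.255.255.0
!
! --- 2. Do not copy the IP TTL into the MPLS label stack, so RFC1918
!        P-router hops are not exposed in customer traceroutes ---
no mpls ip propagate-ttl
!
! --- 3. Internet-facing PE-CE interface in the INET VRF ---
ip access-list extended PE-CE-IN
 remark never accept packets claiming a core/private source from a customer
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark only the customer's own prefix (placeholder 192.0.2.0/24)
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any
!
interface GigabitEthernet0/0/1
 description Customer X Internet (VRF INET, placeholder)
 vrf forwarding INET
 ip address 203.0.113.1 255.255.255.252
 ip access-group PE-CE-IN in
 ! strict uRPF: drop sources not routed back out this interface
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip proxy-arp
 ! ip unreachables is deliberately left enabled: ICMP "fragmentation
 ! needed" from this PE is what keeps PMTUD working for the customer
!
! --- 4. Control-plane policing: only the CE may talk BGP to this PE,
!        everything else punted to the RP is rate-limited ---
ip access-list extended COPP-BGP
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
!
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP-BGP
 match access-group name COPP-BGP
class-map match-all COPP-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP
 class COPP-BGP
  police 1000000 conform-action transmit exceed-action transmit
 class COPP-ICMP
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 256000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

The ordering matters on the PE-CE interface: the ACL removes private-source and non-customer traffic before uRPF and CoPP ever see it, and the ICMP class in CoPP is policed rather than dropped so that traceroute replies and PMTUD messages from the PE itself survive an inbound flood. The rates are starting points to tune against `show policy-map control-plane` counters on the actual platform, not recommended values.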


