[c-nsp] Private IP in SP Core
Mikael Abrahamsson
swmike at swm.pp.se
Mon Mar 11 03:16:22 EDT 2013
On Sun, 10 Mar 2013, Gordon Bryan wrote:
> Also, even in a completely private core, a PE still becomes exposed to
> the outside world on its PE-to-CE interface when delivering Internet
> services. Has anyone developed any proficient methods for locking down
> these interfaces and making them unresponsive/secure from the outside?
Put core and PE-to-CE interfaces in a dedicated public range, and then
police/ACL traffic to those IPs at your edge.
Private IPs should never show up in traceroute or send ICMP messages so if
you're going to do that, you have to make sure you have enough
functionality to make ICMP originate from a GUA loopback interface at all
points.
More information about the cisco-nsp
mailing list