[c-nsp] Private IP in SP Core
Gordon Bryan
cisco_resource at yahoo.co.uk
Mon Mar 11 08:18:39 EDT 2013
Thanks to all who have contributed to this discussion.
As always , you have provided a sense of perspective (equally as important in my eyes as technical guidance) and some sound advice.
I think I'll stick with public IPs on the core, aggerssive iACLs on ingress and the Internet in the global table. This for me seems the simplest, most supportable and widely deployed option.
This was originally my intention some time ago butI thought I'd at least consider other options.
Thanks again
Gordon
________________________________
From: Gert Doering <gert at greenie.muc.de>
To: Saku Ytti <saku at ytti.fi>
Cc: cisco-nsp at puck.nether.net
Sent: Monday, 11 March 2013, 11:15
Subject: Re: [c-nsp] Private IP in SP Core
Hi,
On Mon, Mar 11, 2013 at 12:54:25PM +0200, Saku Ytti wrote:
> On (2013-03-11 11:43 +0100), Gert Doering wrote:
>
> > What we're currently not so good at is "protect the PE-CE link" - the
>
> We've solved this by not announcing the PE address of PE-CE. Occasionally
> we need to announce the CE address, maybe for management purposes, maybe
> for something else. Then we create more specific /32 static route to the
> interface.
In our case, the "CE" might be "a /27 connected right to the PE"...
So yes, I can see this work out if you always have a transit network
to a dedicated CE device and "all customer stuff lives behind that", but
well, doesn't work out like this here... so we rely on CoPP and service
ACLs on the PE routers.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list