
Cisco Press: Router Security Strategies, part 8




Document information: 67 pages, 6.29 MB

Contents

Chapter 9: Service Provider Network Case Studies

…other Customer A sites via the Internet. For both connections of CPE-A0 and CPE-A1, the associated edge router (PE) interfaces are assumed to be Serial0/0/0. The IP addresses assigned to these PE-CE links are shown in Figure 9-2. All external PE-CE links use /30 subnet masks.

• Internal: Internal interfaces connect network infrastructure wholly within one administrative domain. All SP edge and core routers shown in Figure 9-2 include at least two internal interfaces. Interfaces Serial1/0/0 and Serial2/0/0 of PE-00 are internal to the SP network. All internal interfaces in this case study are assigned from the 172.30.0.0/15 address block. The IP subnets of these internal interfaces are carried in the SP IGP (OSPF in this case study).

• Loopback: All SP edge and core routers shown in Figure 9-2 implement a single loopback interface that is used for control and management plane traffic. All loopback interfaces in this case study are assigned from the 192.168.1.0/24 address block, as shown in Figure 9-2. The /32 IP subnets of these loopback interfaces are also carried in the SP IGP (OSPF in this case study).

• Receive: All routers include by default a receive interface that "logically" represents the slow path to the IOS process level on the RP. The receive path applies to any ingress packet that must be punted from the CEF fast path to be processed locally by the router's CPU, whether it is a transit packet or a receive-adjacency packet. Because the receive path is an exception-processing path between the CEF fast path and the IOS process level, it is not assigned or associated with an IP subnet. As you will see, however, control plane security features are applied to these logical interfaces.

Figure 9-3 highlights the router of focus for this case study, PE-00, and illustrates the relationship among its interfaces.
This router is also the focus for the sample IOS configuration that follows.

Router Configuration

Security configurations may be derived from the preceding topology and functional requirements. Router PE-00 is used as the focal point for the remaining discussion; the other Internet edge routers shown in the topology of Figure 9-2 have similar but locally specific configurations. Example 9-1 provides the derived Cisco IOS configuration that satisfies the preceding requirements and the defense in depth and breadth security principles. This configuration assumes that PE-00 is a Cisco 12000 series router (12416) running IOS Software Release 12.0(32)S with the SSH feature set. Line numbers precede each configuration command shown in Example 9-1 and serve as reference points for the discussion that follows, which is organized by IP traffic plane.

Case Study 1: IPsec VPN and Internet Access

Example 9-1 Case Study 1 SP Internet Edge Router PE-00 Configuration

1 : version 12.0
2 : service nagle
3 : no service pad
4 : service tcp-keepalives-in
5 : service tcp-keepalives-out
6 : service timestamps debug datetime msec localtime show-timezone
7 : service timestamps log datetime msec localtime show-timezone
8 : service password-encryption
9 : no service dhcp
10 : !
11 : hostname PE-00
12 : !
13 : boot-start-marker
14 : boot system disk0:gsr-k3p-mz.120-32.S3.bin
15 : boot-end-marker
16 : !
17 : logging buffered 4096 debugging
18 : no logging console
19 : logging monitor errors
20 : !
21 : aaa new-model
22 : aaa authentication login default tacacs+ local
23 : aaa authentication enable default tacacs+ enable
24 : aaa authorization exec default tacacs+ none
25 : aaa accounting commands 1 default start-stop tacacs+
26 : aaa accounting commands 15 default start-stop tacacs+
27 : enable secret 5 $1$rdYk$45iBa5oBI.QGmjoFDS9j00
28 : !
29 : username noc-admin secret 5 $1$z.rf$jFH3rwXPQdsXP8FxUeCV5.
30 : memory free low-watermark processor 100000
31 : ip subnet-zero
32 : no ip source-route
33 : no ip gratuitous-arps
34 : ip icmp rate-limit unreachable 100
35 : ip options drop
36 : ip cef
37 : no ip finger
38 : ip tcp window-size 32768
39 : ip tcp synwait-time 5
40 : ip tcp path-mtu-discovery
41 : no ip bootp server
42 : ip ssh time-out 20
43 : ip ssh source-interface Loopback0
44 : ip ssh version 2
45 : no ip domain-lookup
46 : ip domain-name sp-as65001.com
47 : !
48 : ip receive access-list 101
49 : !
50 : class-map match-all gold
51 : match ip precedence 4 5
52 : class-map match-all bronze
53 : match ip precedence 0 1
54 : class-map match-all control
55 : match ip precedence 6 7
56 : class-map match-all silver
57 : match ip precedence 2 3
58 : class-map match-all CoPP-management
59 : match access-group 121
60 : class-map match-all CoPP-normal
61 : match access-group 122
62 : class-map match-all CoPP-remaining-IP
63 : match access-group 124
64 : class-map match-all CoPP-undesirable
65 : match access-group 123
66 : class-map match-all CoPP-routing
67 : match access-group 120
68 : !
69 : !
70 : policy-map edge-recolor
71 : class class-default
72 : set precedence 0
73 : policy-map CoPP
74 : class CoPP-undesirable
75 : police 8000 conform-action drop exceed-action drop
76 : class CoPP-routing
77 : police 8000 conform-action transmit exceed-action transmit
78 : class CoPP-management
79 : police 50000 conform-action transmit exceed-action drop
80 : class CoPP-normal
81 : police 15000 conform-action transmit exceed-action drop
82 : class CoPP-remaining-IP
83 : police 8000 conform-action transmit exceed-action drop
84 : class class-default
85 : police 8000 conform-action transmit exceed-action transmit
86 : policy-map diffserv-qos
87 : class control
88 : bandwidth percent 20
89 : class gold
90 : bandwidth percent 40
91 : class silver
92 : bandwidth percent 30
93 : class bronze
94 : bandwidth percent 10
95 : !
96 : !
97 : !
98 : !
99 : interface Loopback0
100 : ip address 192.168.1.5 255.255.255.255
101 : no ip unreachables
102 : no ip directed-broadcast
103 : !
104 : interface Null0
105 : no ip unreachables
106 : !
107 : interface Serial0/0/0
108 : description – Link to Customer A CPE-A0 router
109 : ip address 209.165.200.225 255.255.255.252
110 : ip access-group 100 in
111 : ip verify unicast source reachable-via rx
112 : no ip redirects
113 : no ip unreachables
114 : no ip directed-broadcast
115 : encapsulation ppp
116 : ntp disable
117 : no peer neighbor-route
118 : no cdp enable
119 : service-policy input edge-recolor
120 : !
121 : interface Serial1/0/0
122 : description – Link to P-00 router
123 : mtu 4072
124 : ip address 172.31.4.1 255.255.255.252
125 : no ip directed-broadcast
126 : encapsulation ppp
127 : ip ospf message-digest-key 1 md5 7 095F4B0A0B0003
128 : service-policy output diffserv-qos
129 : !
130 : interface Serial2/0/0
131 : description – Link to P-03 router
132 : mtu 4072
133 : ip address 172.30.4.1 255.255.255.252
134 : no ip directed-broadcast
135 : encapsulation ppp
136 : ip ospf message-digest-key 1 md5 7 095F4B0A0B0003
137 : service-policy output diffserv-qos
138 : !
139 : router ospf 1
140 : router-id 192.168.1.5
141 : log-adjacency-changes
142 : area 0.0.0.0 authentication message-digest
143 : passive-interface Loopback0
144 : network 172.31.0.0 0.0.255.255 area 0.0.0.0
145 : network 172.30.0.0 0.0.255.255 area 0.0.0.0
146 : network 192.168.1.0 0.0.0.255 area 0.0.0.0
147 : !
148 : router bgp 65001
149 : bgp router-id 192.168.1.5
150 : bgp maxas-limit 100
151 : bgp log-neighbor-changes
152 : neighbor 192.168.1.2 remote-as 65001
153 : neighbor 192.168.1.2 password 7 02050D480809
154 : neighbor 192.168.1.2 update-source Loopback0
155 : !
156 : address-family ipv4
157 : redistribute static
158 : neighbor 192.168.1.2 activate
159 : neighbor 192.168.1.2 next-hop-self
160 : no auto-summary
161 : no synchronization
162 : network 172.16.0.0 mask 255.255.255.0
163 : exit-address-family
164 : !
165 : ip classless
166 : ip route 172.16.0.0 255.255.255.0 Serial0/0/0
167 : ip route 192.0.2.1 255.255.255.255 Null0
168 : ip route 209.165.200.0 255.255.252.0 Null0
169 : ip route 209.165.200.226 255.255.255.255 Serial0/0/0
170 : no ip http server
171 : !
172 : !
173 : logging trap notifications
174 : logging source-interface Loopback0
175 : logging 192.168.255.50
176 : access-list 10 permit 192.168.252.0 0.0.3.255
177 : access-list 100 deny ip any 172.30.0.0 0.1.255.255
178 : access-list 100 deny ip any 192.168.1.0 0.0.0.255
179 : access-list 100 deny ip any 192.168.252.0 0.0.3.255
180 : access-list 100 deny ip 0.0.0.0 0.255.255.255 any
181 : access-list 100 deny ip 10.0.0.0 0.255.255.255 any
182 : access-list 100 deny ip 127.0.0.0 0.255.255.255 any
183 : access-list 100 deny ip 169.254.0.0 0.255.255.255 any
184 : access-list 100 deny ip 172.16.0.0 0.0.15.255 any
185 : access-list 100 deny ip 192.0.2.0 0.0.0.255 any
186 : access-list 100 deny ip 192.168.0.0 0.0.255.255 any
187 : access-list 100 deny ip 198.18.0.0 0.1.255.255 any
188 : access-list 100 deny ip 224.0.0.0 63.255.255.255 any
189 : access-list 100 permit ip any any
190 : access-list 101 permit ospf 192.168.1.0 0.0.0.255 any precedence internet
191 : access-list 101 permit tcp host 192.168.1.2 host 192.168.1.5 eq 179 precedence internet
192 : access-list 101 permit tcp host 192.168.1.2 eq 179 host 192.168.1.5 precedence internet
193 : access-list 101 permit tcp 192.168.252.0 0.0.3.255 host 192.168.1.5 eq 22
194 : access-list 101 permit tcp 192.168.252.0 0.0.3.255 eq 22 host 192.168.1.5
195 : access-list 101 permit udp 192.168.252.0 0.0.3.255 host 192.168.1.5 eq 123
196 : access-list 101 permit tcp 192.168.252.0 0.0.3.255 eq tacacs host 192.168.1.5 established
197 : access-list 101 permit udp 192.168.252.0 0.0.3.255 host 192.168.1.5 eq 69
198 : access-list 101 permit udp 192.168.252.0 0.0.3.255 host 192.168.1.5 eq 161
199 : access-list 101 permit icmp any any echo
200 : access-list 101 permit icmp any any echo-reply
201 : access-list 101 permit icmp any any ttl-exceeded
202 : access-list 101 permit icmp any any unreachable
203 : access-list 101 permit icmp any any port-unreachable
204 : access-list 101 permit icmp any any packet-too-big
205 : access-list 101 deny ip any any
206 : access-list 120 permit ospf 192.168.1.0 0.0.0.255 any precedence internet
207 : access-list 120 permit tcp host 192.168.1.2 host 192.168.1.5 eq 179 precedence internet
208 : access-list 120 permit tcp host 192.168.1.2 eq 179 host 192.168.1.5 precedence internet
209 : access-list 121 permit tcp 192.168.252.0 0.0.3.255 host 192.168.1.5 eq 22
210 : access-list 121 permit udp 192.168.252.0 0.0.3.255 host 192.168.1.5 eq 123
211 : access-list 121 permit tcp 192.168.252.0 0.0.3.255 eq tacacs host 192.168.1.5 established
212 : access-list 121 permit udp 192.168.252.0 0.0.3.255 host 192.168.1.5 eq 69
213 : access-list 121 permit udp 192.168.252.0 0.0.3.255 host 192.168.1.5 eq 161
214 : access-list 121 permit ip 192.168.252.0 0.0.3.255 any
215 : access-list 122 permit icmp 172.30.0.0 0.1.255.255 any echo
216 : access-list 122 permit icmp 192.168.1.0 0.0.0.255 any echo
217 : access-list 122 permit icmp 209.165.200.0 0.0.3.255 any echo
218 : access-list 122 permit icmp 172.30.0.0 0.1.255.255 any echo-reply
219 : access-list 122 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
220 : access-list 122 permit icmp 209.165.200.0 0.0.3.255 any echo-reply
221 : access-list 122 permit icmp 172.30.0.0 0.1.255.255 any packet-too-big
222 : access-list 122 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
223 : access-list 122 permit icmp 209.165.200.0 0.0.3.255 any packet-too-big
224 : access-list 122 permit icmp 172.30.0.0 0.1.255.255 any ttl-exceeded
225 : access-list 122 permit icmp 192.168.1.0 0.0.0.255 any ttl-exceeded
226 : access-list 122 permit icmp 209.165.200.0 0.0.3.255 any ttl-exceeded
227 : access-list 123 permit icmp any any fragments
228 : access-list 123 permit udp any any fragments
229 : access-list 123 permit tcp any any fragments
230 : access-list 124 permit ip any any
231 : !
232 : !
233 : tacacs-server host 192.168.255.30
234 : tacacs-server timeout 2
235 : no tacacs-server directed-request
236 : tacacs-server key 7 s3cr3t
237 : snmp-server community s3cr3t RO 10
238 : snmp-server trap-source Loopback0
239 : snmp-server enable traps tty
240 : snmp-server host 192.168.255.1 version 2c s3cr3t
241 : !
242 : control-plane slot 0
243 : service-policy input CoPP
244 : control-plane slot 1
245 : service-policy input CoPP
246 : control-plane slot 2
247 : service-policy input CoPP
248 : control-plane slot 3
249 : service-policy input CoPP
250 : control-plane slot 4
251 : service-policy input CoPP
252 : control-plane slot 5
253 : service-policy input CoPP
254 : control-plane slot 6
255 : service-policy input CoPP
256 : control-plane slot 9
257 : service-policy input CoPP
258 : control-plane slot 10
259 : service-policy input CoPP
260 : control-plane slot 11
261 : service-policy input CoPP
262 : control-plane slot 12
263 : service-policy input CoPP
264 : control-plane slot 13
265 : service-policy input CoPP
266 : control-plane slot 14
267 : service-policy input CoPP
268 : control-plane slot 15
269 : service-policy input CoPP
270 : !
271 : banner motd ^C
272 : **** AUTHORIZED ACCESS ONLY *****
273 : **** This system is the property of SP AS65001.
274 : **** Disconnect IMMEDIATELY if you are not an authorized user!
275 : **** ********************** *****
276 : ^C
277 : !
278 : line con 0
279 : exec-timeout 5 0
280 : login authentication default
281 : line aux 0
282 : no exec
283 : line vty 0 4
284 : access-class 10 in
285 : access-class 10 out
286 : exec-timeout 5 0
287 : transport input ssh
288 : !
289 : process cpu threshold type total rising 80 interval 5 falling 20 interval 5
290 : ntp authentication-key 1 md5 0017400516081F 7
291 : ntp authenticate
292 : ntp trusted-key 1
293 : ntp source Loopback0
294 : ntp access-group serve-only 10
295 : ntp server 192.168.255.40 key 1
296 : no cns aaa enable
297 : !
298 : end

Data Plane

In this case study, and from the perspective of router PE-00, data plane traffic includes the following:

• Internal to internal traffic: Data plane traffic in this category is sourced by and destined to devices wholly within the administrative domain of the SP (AS 65001). In the case of PE-00, this includes all packets routed between the redundant uplinks (that is, only packets routed between Serial1/0/0 and Serial2/0/0). Many SP network designs are architected so that internal to internal data plane traffic is routed exclusively through core routers and not through edge routers, except during multiple core failure conditions. In this way, the PE-00 uplink capacity is used exclusively for traffic routed between internal and external interfaces and, of course, for control and management plane protocols. Hence, in this case study and from the perspective of PE-00, no data plane traffic falls into this category.

• Internal to external traffic: Data plane traffic in this category is sourced within the SP internal infrastructure but destined to external networks outside the SP's administrative domain. Forwarding of such traffic is required by some external applications such as IP traceroute and Path MTU Discovery (PMTUD). For the purposes of this case study and from the perspective of PE-00, internal to external data plane traffic is limited to certain ICMP types, for example Fragmentation Needed but Do Not Fragment Bit Set (Type 3, Code 4) and Time Exceeded (Type 11), and is sourced from internal interfaces within the SP internal infrastructure prefix range 172.30.0.0/15.

• External to internal traffic: Data plane traffic in this category is sourced externally and destined for internal SP infrastructure, as in the case of SPs with hosted content. In this case study and from the perspective of PE-00, however, no legitimate data plane traffic falls into this category. Such traffic is therefore filtered at the network edge to mitigate the risk of an attack against the internal SP infrastructure.

• External to external traffic: Data plane traffic in this category is sourced externally and destined to an external network. Such traffic requires transit through the SP and possibly the wider Internet for remote connectivity. For SPs, this often represents the vast majority of the data plane traffic seen within the network. In this case study and from the perspective of PE-00, this includes any traffic that ingresses an external interface, such as Serial0/0/0, and that is destined to a prefix reachable only through another external interface. The egress external interface can be on PE-00 or on a different edge router within the SP network (AS 65001). Either way, external to external traffic simply transits the SP network.

Data Plane Security

From the perspective of PE-00, the techniques used for data plane security include the following:

• Interface ACL: A combined infrastructure and antispoofing ACL is applied to the Serial0/0/0 interface to filter any ingress traffic destined to SP internal infrastructure, including the SP NOC, and any traffic sourced from special-use and reserved IP addresses (per RFC 3330, since superseded by RFC 6890).
This policy is defined through extended ACL 100 (lines 177 through 189), which is attached to the Serial0/0/0 interface in the input direction on line 110. Note that this input ACL applies to all ingress traffic. Because PE-00 exchanges only data plane packets with CPE-A0, no permit entries are needed for control, management, or services plane traffic: the ACL denies traffic destined to internal SP infrastructure addresses and spoofed traffic sourced from special-use and reserved IP addresses, and permits everything else. Although the SP could also configure an egress ACL on Serial0/0/0, it rarely does so for unmanaged Internet access customers. In this case, Customer A has taken responsibility for managing its Internet access (CPE) router itself, as described in Chapter 8. The interface ACL mitigates the risk of both direct attacks against the SP internal infrastructure and spoofing attacks using special-use and reserved IP addresses. One caveat applies to this particular ACL: entry 184 (172.16.0.0 0.0.15.255) also matches sources in 172.16.0.0/24, the Customer A block that the static route on line 166 and the uRPF check described next are meant to admit, so as written it discards Customer A's own traffic regardless of the uRPF result. A production ACL must carve the customer's assigned block out of the antispoofing entries. (Note also that the wildcard 0.0.15.255 covers only 172.16.0.0/20, not the full RFC 1918 172.16.0.0/12 block.)

• uRPF: Unicast RPF strict mode is deployed on the PE-00 external interface to Customer A for antispoofing protection. uRPF strict mode drops any ingress traffic whose source address lies outside the Customer A HQ network public address blocks, 172.16.0.0/24 and 209.165.200.226/32; only ingress traffic with an IP source address within these two blocks is permitted. Line 111 enables uRPF on the Serial0/0/0 interface. The uRPF policy mitigates the risk of spoofing attacks.

• QoS: QoS is deployed within the SP network in support of differentiated services and to isolate important control plane traffic from the other IP traffic planes. The associated policy map (lines 86 through 94) and class maps (lines 50 through 57) are defined using MQC. The policy is attached to the PE-00 uplink interfaces Serial1/0/0 and Serial2/0/0 on lines 128 and 137. If the PE-00 uplinks become congested, QoS reserves 20 percent of uplink bandwidth for control plane traffic. To ensure that low-priority external traffic does not inadvertently or maliciously enter the high-priority traffic classes (gold, silver, control), a QoS recoloring policy is applied to Internet access ports, including the PE-00 serial interface (Serial0/0/0) to CPE-A0 (line 119). The associated policy (lines 70 through 72) simply recolors all traffic to IP precedence 0, so no transit Internet traffic can be classified into the SP's high-priority traffic classes. Together, the queuing and recoloring policies mitigate the risk of bandwidth exhaustion attacks against the high-priority traffic classes, including control plane protocols.

• IP options: IP packets carrying option headers are dropped by the ip options drop global configuration command (line 35). IP source routing, which IOS enables by default, is disabled with the no ip source-route global configuration command (line 32). Disabling IP options in this way mitigates the risk of IP options-based attacks.

• ICMP techniques: On a per-interface basis, several ICMP best common practices (BCP) are also applied. Generation of ICMP Destination Unreachable and Redirect messages is disabled with the no ip unreachables (line 113) and no ip redirects (line 112) interface configuration commands, respectively. Global rate limiting of ICMP Destination Unreachable generation is also enabled on line 34. ICMP Information Request and Address Mask Request processing is disabled by default in IOS, so no ip information-reply and no ip mask-reply are in effect on every interface without being shown in the configuration. Disabling ICMP processing in this way mitigates the risk of transit IP data plane attacks and ICMP-based control plane attacks.

• IP directed broadcasts: Dropping IP directed broadcast packets is the default behavior in IOS 12.0(32)S, so no ip directed-broadcast is in effect by default; it is nevertheless shown explicitly on line 114. Earlier IOS releases forwarded IP directed broadcast packets by default. Confirm the default behavior for your IOS release in order to properly mitigate the risk of directed broadcast based attacks.

• Edge router external link protection: Whereas IP reachability from the wider Internet to the CPE-A0 Serial0/0 interface is required for IPsec VPN services, as outlined previously, it is not required to the PE-00 Serial0/0/0 interface. To mitigate the risk of remote attacks against PE routers through their IP-reachable external interface addresses, an aggregate static route to Null0 is configured on every edge and core router within the SP network (line 168). As a result, remote external traffic destined to an external PE-CE (Internet access) interface is discarded, as described in detail in Chapter 4. Because this configuration has the additional effect of making local eBGP next hops unreachable, BGP next-hop-self (line 159) must be set for iBGP sessions. Further, to maintain IP reachability to CPE-A0 in support of IPsec VPN and NAT services, a static route for the host prefix 209.165.200.226/32 is also configured (line 169) and redistributed into iBGP (line 157). The no peer neighbor-route [...]
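The following is an added example, not code from the book: it walks constructed packets through the two data-plane checks Example 9-1 places on PE-00's customer-facing interface (ACL 100 on line 110, uRPF strict mode on line 111) and through the Null0 aggregate of line 168 as another SP router sees it. The ACL text and the static routes of lines 166 through 169 are taken from the configuration; every other FIB entry (the default route and the OSPF-learned internal prefixes) is an assumed stand-in, the hosts 198.51.100.7 and 203.0.113.9 are RFC 5737 documentation addresses standing in for external Internet hosts, and the order in which IOS evaluates the ACL and uRPF is an assumption (a packet failing either check is dropped regardless of order). The 172.16.0.10 case reproduces the entry 184 overlap noted above.

```python
"""Simulate PE-00 Serial0/0/0 ingress (ACL 100, uRPF strict) and the Null0 aggregate.
Illustration only; FIB contents beyond the static routes of Example 9-1 are assumed."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# ACL 100 as on lines 177 through 189 of Example 9-1 (line numbers stripped).
ACL_100_TEXT = """
access-list 100 deny ip any 172.30.0.0 0.1.255.255
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 deny ip any 192.168.252.0 0.0.3.255
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.0.15.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 198.18.0.0 0.1.255.255 any
access-list 100 deny ip 224.0.0.0 63.255.255.255 any
access-list 100 permit ip any any
"""

AddrSpec = Tuple[int, int]                         # (address, wildcard) as 32-bit ints
Entry = Tuple[int, str, str, AddrSpec, AddrSpec]   # (config line, action, proto, src, dst)


def _parse_spec(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse one IOS address spec ('any', 'host A' or 'A WILDCARD'); return it and the next index."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(text: str, first_line: int) -> List[Entry]:
    """Turn 'access-list N action proto src dst' lines into ordered entries tagged with config lines."""
    entries: List[Entry] = []
    for idx, line in enumerate(l for l in text.strip().splitlines() if l.strip()):
        t = line.split()
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        entries.append((first_line + idx, t[2], t[3], src, dst))
    return entries


def _matches(spec: AddrSpec, ip: IPv4Address) -> bool:
    addr, wc = spec                      # wildcard bits set to 1 are "don't care"
    return (addr & ~wc) == (int(ip) & ~wc)


def acl_lookup(entries: List[Entry], src: IPv4Address, dst: IPv4Address, proto: str = "ip") -> Tuple[str, int]:
    """First-match evaluation with the implicit deny at the end; returns (action, config line)."""
    for line, action, p, s, d in entries:
        if p in ("ip", proto) and _matches(s, src) and _matches(d, dst):
            return action, line
    return "deny", 0


class Fib:
    """Longest-prefix-match table of (prefix, egress interface)."""
    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes = [(IPv4Network(p), iface) for p, iface in routes]

    def lookup(self, ip: IPv4Address) -> Optional[Tuple[IPv4Network, str]]:
        hits = [(n, i) for n, i in self.routes if ip in n]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else None


PE00_FIB = Fib([
    ("209.165.200.224/30", "Serial0/0/0"),   # connected PE-CE link (line 109)
    ("172.16.0.0/24", "Serial0/0/0"),        # line 166
    ("192.0.2.1/32", "Null0"),               # line 167
    ("209.165.200.0/22", "Null0"),           # line 168, aggregate of the PE-CE link space
    ("209.165.200.226/32", "Serial0/0/0"),   # line 169
    ("172.30.0.0/15", "Serial1/0/0"),        # assumed: OSPF-learned internal links
    ("192.168.1.0/24", "Serial1/0/0"),       # assumed: OSPF-learned loopbacks
    ("0.0.0.0/0", "Serial1/0/0"),            # assumed: stand-in for the iBGP-learned Internet table
])
# A router other than PE-00: it carries the same Null0 aggregate (line 168 is on every router)
# and learns the /32 to CPE-A0 and the customer block via iBGP with next-hop-self (lines 157, 159, 162).
CORE_FIB = Fib([
    ("209.165.200.0/22", "Null0"),
    ("209.165.200.226/32", "iBGP next hop PE-00"),
    ("172.16.0.0/24", "iBGP next hop PE-00"),
])
ACL_100 = parse_acl(ACL_100_TEXT, first_line=177)


def urpf_strict(fib: Fib, src: IPv4Address, ingress: str) -> bool:
    """Strict mode: the best route to the source must point back out the ingress interface.
    No route, or a route to Null0, fails the check."""
    route = fib.lookup(src)
    return route is not None and route[1] == ingress


def serial0_ingress(src: str, dst: str) -> str:
    """Verdict for a packet arriving from CPE-A0 on PE-00 Serial0/0/0 (ACL first is assumed)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    action, line = acl_lookup(ACL_100, s, d)
    if action == "deny":
        return f"drop: ACL 100 line {line}"
    if not urpf_strict(PE00_FIB, s, "Serial0/0/0"):
        return "drop: uRPF strict"
    return "forward"


def core_forward(dst: str) -> str:
    """Where a router other than PE-00 sends a packet destined into the PE-CE address space."""
    route = CORE_FIB.lookup(IPv4Address(dst))
    if route is None:
        return "discard (no route)"
    return "discard (Null0)" if route[1] == "Null0" else f"forward via {route[1]}"


if __name__ == "__main__":
    for s, d in [("209.165.200.226", "198.51.100.7"), ("209.165.200.226", "192.168.1.5"),
                 ("10.1.1.1", "198.51.100.7"), ("172.16.0.10", "198.51.100.7"),
                 ("203.0.113.9", "198.51.100.7"), ("209.165.201.1", "198.51.100.7")]:
        print(f"{s} -> {d}: {serial0_ingress(s, d)}")
    for d in ("209.165.200.225", "209.165.200.226"):
        print(f"core router, dst {d}: {core_forward(d)}")
```

The two uRPF drops show why strict mode only works on single-homed edges: 203.0.113.9 resolves to the default route out an uplink, and 209.165.201.1 resolves to the Null0 aggregate, so neither source can have legitimately arrived on Serial0/0/0. The core-side lookups show the effect of line 168 plus the /32 of line 169: PE-00's own link address 209.165.200.225 is unreachable from the rest of the AS, while the CPE address stays reachable.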
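A configuration of this size is easy to get subtly wrong (a static route naming an interface the router does not have, an SSH protocol version other than 2, a vty line without an inbound access-class), so a practitioner would normally run a consistency audit over the running-config before deployment. The script below is an added example, not from the book; the excerpt it audits is constructed in the style of Example 9-1 and deliberately contains those defects so that the checks have something to report.

```python
"""Minimal consistency audit for an IOS running-config of the Example 9-1 kind.
Illustration only; the sample config is constructed and intentionally defective."""
import re
from typing import Dict, List, Tuple

# Constructed, abridged PE-00-style excerpt. Defects planted on purpose:
#  - two 'ip route ... Serial0/0' lines (the router only defines Serial0/0/0)
#  - 'ip ssh version 1'
#  - a second vty block that allows telnet and has no access-class
SAMPLE_CONFIG = """\
hostname PE-00
ip ssh version 1
interface Loopback0
 ip address 192.168.1.5 255.255.255.255
interface Serial0/0/0
 description - Link to Customer A CPE-A0 router
 ip address 209.165.200.225 255.255.255.252
 ip access-group 100 in
 ip verify unicast source reachable-via rx
interface Serial1/0/0
 ip address 172.31.4.1 255.255.255.252
ip route 172.16.0.0 255.255.255.0 Serial0/0
ip route 209.165.200.0 255.255.252.0 Null0
ip route 209.165.200.226 255.255.255.255 Serial0/0
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level commands and per-stanza sub-commands.
    IOS indents sub-commands by one space under 'interface ...' and 'line ...' headers."""
    top: List[str] = []
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
            continue
        cmd = raw.strip()
        top.append(cmd)
        current = cmd if cmd.split()[0] in ("interface", "line") else None
        if current is not None:
            stanzas.setdefault(current, [])
    return top, stanzas


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    top, stanzas = parse_config(text)
    findings: List[str] = []
    interfaces = {name.split(None, 1)[1] for name in stanzas if name.startswith("interface ")}
    interfaces.add("Null0")  # always present; Example 9-1 also declares it explicitly

    # 1. Every static route that names an egress interface must name one this router has.
    for cmd in top:
        m = re.match(r"ip route \S+ \S+ (\S+)", cmd)
        if m and not re.match(r"\d+\.\d+\.\d+\.\d+$", m.group(1)) and m.group(1) not in interfaces:
            findings.append(f"static route references undefined interface {m.group(1)}: {cmd}")

    # 2. SSH must be pinned to protocol version 2; SSHv1 is cryptographically weak.
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set (SSHv1 is cryptographically weak)")

    # 3. An interface carrying an inbound ACL is an edge and should also run uRPF.
    for name, sub in stanzas.items():
        if name.startswith("interface ") and any(s.startswith("ip access-group") and s.endswith(" in") for s in sub):
            if not any(s.startswith("ip verify unicast") for s in sub):
                findings.append(f"{name}: inbound ACL without uRPF")

    # 4. vty lines: SSH-only transport and an inbound access-class restricting sources.
    for name, sub in stanzas.items():
        if name.startswith("line vty"):
            if "transport input ssh" not in sub:
                findings.append(f"{name}: transport input is not restricted to ssh")
            if not any(s.startswith("access-class") and s.endswith(" in") for s in sub):
                findings.append(f"{name}: no inbound access-class")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run against the sample it reports five findings; fixing the route interface names and the SSH version leaves only the two about `line vty 5 15`. Real deployments usually extend the same skeleton with checks for `service password-encryption`, `no ip http server`, per-interface `no ip redirects` on external links, and any house rule that can be expressed over the parsed stanzas.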

Posted: 14/08/2014, 18:20
