Thanks to all who have contributed to this discussion.
 
As always, you have provided a sense of perspective (equally as important in 
my eyes as technical guidance) and some sound advice.
 
I think I'll stick with public IPs on the core, aggressive iACLs on ingress and 
the Internet in the global table. This for me seems the simplest, most 
supportable and widely deployed option.
 
This was originally my intention some time ago but I thought I'd at least 
consider other options.
 
Thanks again
 
Gordon


________________________________
From: Gert Doering <g...@greenie.muc.de>
To: Saku Ytti <s...@ytti.fi> 
Cc: cisco-nsp@puck.nether.net 
Sent: Monday, 11 March 2013, 11:15
Subject: Re: [c-nsp] Private IP in SP Core

Hi,

On Mon, Mar 11, 2013 at 12:54:25PM +0200, Saku Ytti wrote:
> On (2013-03-11 11:43 +0100), Gert Doering wrote:
> 
> > What we're currently not so good at is "protect the PE-CE link" - the
> 
> We've solved this by not announcing the PE address of PE-CE. Occasionally
> we need to announce the CE address, maybe for management purposes, maybe
> for something else. Then we create more specific /32 static route to the
> interface.

In our case, the "CE" might be "a /27 connected right to the PE"...

So yes, I can see this work out if you always have a transit network
to a dedicated CE device and "all customer stuff lives behind that", but
well, doesn't work out like this here...  so we rely on CoPP and service
ACLs on the PE routers.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                          //www.muc.de/~gert/
Gert Doering - Munich, Germany                            g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/