On Thu, Jan 03, 2019 at 10:38:50PM +0200, Saku Ytti wrote:
> On Thu, 3 Jan 2019 at 22:32, Anderson, Charles R <c...@wpi.edu> wrote:
>
> > > > c) always match destination-address if you're running L3 MPLS VPNs
> > >
> > > I must be misunderstanding because I'm sure you're not suggesting that in
> > > the absence of L3VPNs, omitting destination address matching is
> > > acceptable?
> >
> > I would like to learn more about this particular BCP. Why is it that with
> > L3 MPLS VPNs is it important to specify destination-address?
>
> Because otherwise you have to rely that no L3 MPLS VPN customer
> anywhere can advertise your internal infrastructure addresses. If you
> have 1 customer not properly filtered, then they can advertise your
> NMS station inside their L3 MPLS VPN, no biggy.
>
> Now they set SADDR=NMS DADDR=PE_CE_LINK
>
> And be accepted as your NMS. If you ensure that DADDR must be loop or
> BB link, this trick does not work. And obviously the L3 MPLS VPN can't
> send packet to those, as they're not in the table.
Thanks. I assume the same problem exists if you have VRF loopback interfaces inside the VPN as well (e.g. OSPF router-id loopbacks for the customer's VPN). So the idea is to restrict the destinations to ones that will never exist inside a customer-visible VRF.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
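An added example, not from anyone in the thread: a Junos lo0 filter fragment showing the NMS term written the way the thread recommends, with destination-address pinned to loopback and backbone-link prefix lists so a packet spoofed as the NMS from inside a customer VRF (whose only reachable infrastructure destination is the PE-CE link) cannot match. The prefix-list names, filter name and RFC 5737 addresses are assumed placeholders.

```junos
/* Added example; names and RFC 5737 addresses are assumed placeholders. */
policy-options {
    prefix-list NMS-HOSTS {
        192.0.2.10/32;
    }
    prefix-list INFRA-LOOPBACKS {
        198.51.100.0/24;
    }
    prefix-list INFRA-BB-LINKS {
        203.0.113.0/24;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* Without the destination-prefix-list below, a packet with
               SADDR=NMS and DADDR=PE-CE link address injected from a
               customer VRF would match and be treated as the NMS. */
            term allow-nms {
                from {
                    source-prefix-list {
                        NMS-HOSTS;
                    }
                    /* DADDR must be a loopback or backbone link, which
                       no customer VRF carries a route to. */
                    destination-prefix-list {
                        INFRA-LOOPBACKS;
                        INFRA-BB-LINKS;
                    }
                }
                then accept;
            }
            term default-discard {
                then discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Only the NMS term is shown; a production lo0 filter needs its routing-protocol and other management terms ahead of the final discard, each of them also matching destination-address against the same infrastructure prefix lists.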