Yeah I thought it was crazy-talk :-)

I guess you could automate filtering down to the forwarding-plane on the
interconnect, but for now restricting the BGP routes being advertised is
enough. At least that way you do have control over what prefixes are
allowed into the other AS' VPNs.

I think what you're referring to may be possible with option-D and URPF
because traffic forwarding can be done via per VRF attachment circuits,
and packets may be MPLS-labelled or non-labelled. I haven't digested the
RFC totally yet, but that's the gist I get.


--Dan 

> -----Original Message-----
> From: Kaj Niemi [mailto:[email protected]]
> Sent: 10 September 2009 11:32
> To: Daniel Holme
> Cc: [email protected]; Francisco; [email protected]
> Subject: Re: [OSL | CCIE_SP] Inter-AS VPN Option B and send-label
> 
> Hi,
> 
> 
> I'm saying I would *LIKE* to, not that it's possible today.
> 
> The ASBR is advertising the labels to be used _towards it_ over the BGP
> session to the other AS so _it_ knows what labels are valid and what it
> should accept on ingress from the other AS. A feature implementing this as
> an ACL just doesn't currently exist.
> 
> URPF is relevant in the sense that originally it wasn't available and people
> who cared did ingress spoof ACLs by hand. I don't want to do things by hand,
> automating is the key. Infrastructure ACLs similarly protect your network on
> the edges.
> 
> My point was that these were features people did not have before but once
> they became available some people have been using them to their
> satisfaction.
> 
> 
> 
> Kaj :)
> 
> 
> 
> > From: Daniel Holme <[email protected]>
> > Date: Thu, 10 Sep 2009 02:50:19 -0700
> > To: Daniel Holme <[email protected]>, Kaj Niemi <[email protected]>
> > Cc: <[email protected]>, Francisco <[email protected]>,
> > <[email protected]>
> > Subject: RE: [OSL | CCIE_SP] Inter-AS VPN Option B and send-label
> >
> > However (and I'm sorry for the spam), I don't fully understand how URPF
> > or interface ACL is relevant on an interface used for inter-AS VPN. URPF
> > will just do a lookup for IPv4 packets, which would be the directly
> > connected neighbour and not any VPN prefixes as they are essentially
> > label switched by CEF.
> >
> > To be clear, we are talking here about option-B where there is a VPNv4
> > BGP session on a link between two SP. NHS option sends traffic across
> > the path with one label (VPN) and send-label option uses two labels
> > (IPv4, VPN).
> >
> > Are you saying that you can configure an iACL permitting the VPN routes
> > and the ACL will filter labelled packets? This isn't something I've
> > tried before, I've only filtered in the control-plane.
> >
> > Obviously, there is no LDP here so label filtering there isn't an
> > option.