The following guidelines summarize best practices for MPLS VPN security:
For Inter-AS implementations, start with a back-to-back VRF implementation (static VPN connections) because this is an easy way to begin. At some point (with the deployment of multiple Inter-AS customers), you can migrate to the second option to benefit from its ease of provisioning. Deploy the third option only when both ASes are under the same administrative and trust zones.

Note: Implement both CsC and Inter-AS deployments only on private peerings because of the vulnerabilities described in the LAN subsection.

For Inter-AS and CsC (when labelled packets are exchanged), do NOT use a shared VLAN.

Best recommendation: Dedicated connection
Second best recommendation: Dedicated VLAN

Figures 7-6 and 7-7 summarize best practice security recommendations for the deployment of MPLS.

Figure 7-6. Best Practice Security Overview

Figure 7-7. Securing the MPLS Core
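One way to apply the guidelines above as an automated check over a peering inventory. This is an added example, not part of the original text; the `Peering` record, its field names and the sample entries are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Peering:
    name: str
    kind: str              # "inter-as" or "csc"
    option: int            # Inter-AS option 1, 2 or 3 as numbered above; 0 for CsC
    private: bool          # True if this is a private peering
    link: str              # "dedicated", "dedicated-vlan" or "shared-vlan"
    labelled: bool         # True if labelled packets cross this link
    same_trust_zone: bool  # both ASes under one administrative and trust zone

def audit(p: Peering) -> list:
    """Return findings for one peering, checked against the guidelines above."""
    findings = []
    if not p.private:
        findings.append("FAIL: Inter-AS/CsC must be implemented on a private peering")
    if p.kind == "inter-as" and p.option == 3 and not p.same_trust_zone:
        findings.append("FAIL: third option needs the same administrative and trust zone")
    if p.labelled and p.link == "shared-vlan":
        findings.append("FAIL: labelled packets exchanged over a shared VLAN")
    elif p.labelled and p.link == "dedicated-vlan":
        findings.append("INFO: dedicated VLAN is second best, prefer a dedicated connection")
    return findings

# Constructed sample inventory (assumed names and values).
INVENTORY = [
    Peering("as100-as200", "inter-as", 1, True, "dedicated", False, False),
    Peering("as100-as300", "inter-as", 3, True, "shared-vlan", True, False),
    Peering("csc-cust-a", "csc", 0, True, "dedicated-vlan", True, True),
]

if __name__ == "__main__":
    for peering in INVENTORY:
        for finding in audit(peering) or ["OK"]:
            print(f"{peering.name}: {finding}")
```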