352-001 · Question #402
Which two options are considered risks or concerns when both the Internet and VPN service functions are on the same PE router? (Choose two.)
The correct answer is A. Internet-based attacks can affect VPN customers. D. Failure on the PE router affects both VPN and Internet services.. Hosting both Internet and VPN services on a single PE router creates a security risk and a single point of failure that simultaneously impacts both service types.
Question
Which two options are considered risks or concerns when both the Internet and VPN service functions are on the same PE router? (Choose two.)
Options
- AInternet-based attacks can affect VPN customers.
- BBGP cannot simultaneously run on the PE router that runs MPLS.
- CMP-BGP prefixes increase routers' global routing tables, which affects network convergence.
- DFailure on the PE router affects both VPN and Internet services.
- ECustomer performance can be affected by VPN traffic if Internet-based traffic is not prioritized on
How the community answered
(41 responses)- A78% (32)
- B2% (1)
- C7% (3)
- E12% (5)
Why each option
Hosting both Internet and VPN services on a single PE router creates a security risk and a single point of failure that simultaneously impacts both service types.
When Internet-facing and VPN services share the same PE router, malicious Internet traffic such as DDoS or exploitation attempts can consume router resources or exploit vulnerabilities that directly impact the VPN customers hosted on the same device.
BGP can run concurrently with MPLS on the same PE router; in fact, MP-BGP is a fundamental component of standard MPLS L3VPN design and routinely coexists on PE devices.
In MPLS VPN architecture, MP-BGP VPN prefixes are stored in per-VRF routing tables, not the global routing table, so they do not inflate the global RIB or negatively affect convergence in the way described.
A hardware failure, software crash, or overload condition on the shared PE router will simultaneously bring down both Internet and VPN services, eliminating any service isolation and violating typical SLA requirements for VPN customers.
The statement is logically reversed and misleadingly worded; while resource contention is a real concern, the primary documented risks of co-located Internet and VPN services are the security exposure and single point of failure captured by A and D.
Concept tested: MPLS PE router colocation risks for Internet and VPN
Source: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/MPLS_over_IP-IPSec/mpls_vpn_over_ip-ipsec.html
Topics
Community Discussion
No community discussion yet for this question.