[nsp] Protecting border routers
Andrew Fort
afort at choqolat.org
Fri Nov 28 22:06:21 EST 2003
Matthew Crocker wrote:
>
> What is the current best practice for protecting border routers? We
> have a couple routers that are in front of our firewall. I would like
> to put them behind the firewall from a management, SNMP, logging point
> of view. There is no reason for the Internet to talk with my
> router. My upstreams need to talk for BGP sessions. Is it just done
> with ACLs or is there a way with MPLS to set the local management
> stuff on the router into a VPN?
>
> -Matt
To comment on the "management VRF" matter, we've found it doesn't
presently work (static vrf-lite tested on c3550 & c7600/sup720
platforms) on current software. Setting service 'source-interface's to
the Loopback interface inside the VRF causes no connectivity. Is anyone
aware of a way to make this work, or is this feature in the pipeline?
-andrew