[c-nsp] Re: Interfacing between VRF and global across interface in one router

Joe Maimon jmaimon at ttec.com
Tue Jan 18 12:04:07 EST 2005



David Barak wrote:

>--- Joe Maimon <jmaimon at ttec.com> wrote:
>
>>David Barak wrote:
>><snip>
>>
>Do you see the irony of "be firewalled from everyone
>else" and "have Internet access as well" in the same
>product?
>
No. All internet access needs to be firewalled these days. Even more
important is for them to be firewalled without any access from other of
our customers who are doing the same thing.

>>You will say, have the customer do ipsec......maybe
>>for new ones. 
>>Marketing likes to sell this as a product. IOW
>>managed wan/internet 
>>services.
>
>Not necessarily IPSec, although that's a good idea if
>they're serious about security.  Rather, I would still
>say that NAT belongs on CPE, not on a provider device.
>
>
THEY are not serious about security. They want US to be serious about 
THEIR security.

>How about this:
>
>build the customers a 2547bis network, and make one of
>the spokes the inside address of the firewall segment?
>
I will have to look into this. But customer's first question is always
either "will I be able to do this with the 40 linksys I already bought"
or "How much will the CPE cost?"

There is no escaping that.



