[nsp] Protecting border routers

Andrew Fort afort at choqolat.org
Fri Nov 28 22:06:21 EST 2003

Matthew Crocker wrote:

> What is the current best practice for protecting border routers?  We 
> have a couple routers that are in front of our firewall.  I would like 
> to put them behind the firewall from a management, SNMP, logging point 
> of view.  There is no reason for the Internet to talk with my 
> router.  My upstreams need to talk for BGP sessions.  Is it just done 
> with ACLs or is there a way with MPLS to set the local management 
> stuff on the router into a VPN?
> -Matt

To comment on the "management VRF" matter, we've found it doesn't 
presently work (static vrf-lite tested on c3550 & c7600/sup720 
platforms) on current software.  Setting service 'source-interface's to 
the Loopback interface inside the VRF causes no connectivity.  Is anyone 
aware of a way to make this work, or is this feature in the pipeline? 

