[nsp] Protecting border routers

Volodymyr Yakovenko vovik at dumpty.org
Sat Nov 29 11:07:50 EST 2003

On Fri, Nov 28, 2003 at 10:34:32AM -0500, Matthew Crocker wrote:
>What is the current best practice for protecting border routers.   We 
>have a couple routers that are in front of our firewall.  I would like 
>to put them behind the firewall from a management, SNMP, logging point 
>of view.  There is not reason for the Internet to talk with my router.  
>My upstreams need to talk for BGP sessions.  Is it just done with ACLs 
>or is there a way with MPLS to set the local management stuff on the 
>router into a VPN?

One possible solution is to use global routing table and associated interfaces 
for management access purposes, and put Internet traffic to separate VRF.

It looks like all management-related services do not listen on VRF interfaces
by default (you can recheck this by yourself using port-scanners). 

I have used such setup (global for management and Internet inside VRF) on 
couple of routers (OSPF, EIGRP, BGP fullview inside VRF) under IOS 12.2.16.


More information about the cisco-nsp mailing list