[nsp] Protecting border routers
vovik at dumpty.org
Sat Nov 29 11:07:50 EST 2003
On Fri, Nov 28, 2003 at 10:34:32AM -0500, Matthew Crocker wrote:
>What is the current best practice for protecting border routers? We
>have a couple of routers that are in front of our firewall. I would like
>to put them behind the firewall from a management, SNMP, logging point
>of view. There is no reason for the Internet to talk with my router.
>My upstreams need to talk for BGP sessions. Is it just done with ACLs
>or is there a way with MPLS to set the local management stuff on the
>router into a VPN?
One possible solution is to use the global routing table and its associated interfaces
for management access purposes, and put the Internet traffic into a separate VRF.
It looks like all management-related services do not listen on VRF interfaces
by default (you can recheck this yourself using port scanners).
I have used such a setup (global for management and Internet inside a VRF) on a
couple of routers (OSPF, EIGRP, BGP full view inside the VRF) under IOS 12.2.16.
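The split described above (upstream and BGP inside a VRF, management plane in the global table), written out as an added IOS configuration example; it is not from the original post, and all names, addresses, AS numbers and the key/community placeholders are constructed.

```ios
! Added example, not from the original post. Interface names, addresses,
! AS numbers and the placeholders in angle brackets are constructed.
!
! Classic IOS 12.2 VRF syntax (newer releases also accept "vrf definition").
ip vrf INTERNET
 rd 64496:1
!
! Upstream-facing interface: exists only in the INTERNET VRF.
! "ip vrf forwarding" clears any address on the interface, so set it first.
interface GigabitEthernet0/0
 description Transit to upstream
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
 no ip proxy-arp
!
! Management interface: stays in the global table, behind the firewall.
interface GigabitEthernet0/1
 description Management (global table)
 ip address 10.10.0.2 255.255.255.0
!
! eBGP with the upstream runs inside the VRF address family only.
router bgp 64496
 no bgp default ipv4-unicast
 address-family ipv4 vrf INTERNET
  neighbor 192.0.2.1 remote-as 64497
  neighbor 192.0.2.1 password <placeholder-tcp-md5-key>
  neighbor 192.0.2.1 activate
  network 203.0.113.0 mask 255.255.255.0
 exit-address-family
!
! Management plane reachable only from the management subnet (global table).
access-list 10 permit 10.10.0.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
snmp-server community <placeholder-community> RO 10
!
! Syslog, SNMP traps and NTP are sourced from the management interface, so
! they follow the global table and never cross the Internet-facing VRF.
logging source-interface GigabitEthernet0/1
logging host 10.10.0.50
snmp-server trap-source GigabitEthernet0/1
ntp source GigabitEthernet0/1
```

The reply's claim that management services do not listen on VRF interfaces is an observation for that IOS release, not a documented guarantee, so confirm it from the upstream side with a port scan (as the reply itself suggests) after any IOS upgrade.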