[c-nsp] Internet vrf, pros and cons
Phil Mayers
p.mayers at imperial.ac.uk
Tue May 6 06:37:30 EDT 2008
Mark Tech wrote:
> Hi,
>
> We are going to deploy a new MPLS network which will be used for
> Internet customers and IP/VPN customers. I understand that there are
> two options with running these networks:
>
> 1. Run the internet natively across all boxes and secure them down
>    against DoS attacks etc.
> 2. Create an Internet VRF whereby all internet traffic is simply seen as
>    a large IPVPN network, thereby utilising some of the inherent
>    security factors associated with IPVPNS
I'm not aware of any particularly compelling security factors for the
router control plane by putting the internet in a VRF.

What are you thinking of?

There are some benefits to reserving the "default" VRF for management;
specifically at least on 6500/12.2SXF various bits and pieces of IOS are
not VRF aware, such as the DNS and syslog servers, SNMP trap addresses
and so forth - these all come from the "default" VRF. Support for some
of these is trickling in SXH/SR trains, but it's still a bit weak.

Similarly, using scp/ftp/tftp from the box is difficult/impossible if
you're not using the default VRF for management.

For router security I would not rely on "vrfs being secure". I would
look to CoPP.
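As an added illustration of the CoPP approach Phil points to (this is an example config, not from the thread or from Cisco documentation): a minimal IOS control-plane policy for a PE carrying both Internet and IP/VPN traffic. The policy is applied to traffic punted to the route processor, so it protects the box whether the Internet sits in the default VRF or in an "Internet" VRF. The management prefix 192.0.2.0/24 and all police rates are placeholders to be replaced with site values.

```cisco
! --- Classify control-plane traffic (constructed example, placeholder values) ---
! Routing and label distribution: BGP (TCP 179), LDP (646), OSPF (IP proto 89)
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit tcp any any eq 646
 permit tcp any eq 646 any
 permit udp any any eq 646
 permit ospf any any
!
! Management: only from the NOC prefix (placeholder 192.0.2.0/24), plus NTP replies
ip access-list extended COPP-MANAGEMENT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
 permit udp any eq ntp any
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT
!
! --- Police each class; rates in bps with a burst in bytes (placeholders) ---
policy-map COPP
 ! Routing protocols: never drop, rate is there for visibility in counters
 class COPP-ROUTING
  police 1000000 50000 conform-action transmit exceed-action transmit
 ! Management: bounded so a flood from the NOC prefix cannot starve routing
 class COPP-MANAGEMENT
  police 256000 8000 conform-action transmit exceed-action drop
 ! Everything else punted to the RP (ICMP, unknown protocols, Internet noise)
 class class-default
  police 64000 4000 conform-action transmit exceed-action drop
!
! Apply inbound on the control plane; applies to punted packets from any VRF
control-plane
 service-policy input COPP
```

Check class hit and drop counters with `show policy-map control-plane` after applying it, and tune the rates from observed conform/exceed counts before tightening class-default.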