[c-nsp] Internet vrf, pros and cons

Phil Mayers p.mayers at imperial.ac.uk
Tue May 6 06:37:30 EDT 2008


Mark Tech wrote:
> Hi
>
> We are going to deploy a new MPLS network which will be used for
> Internet customers and IP/VPN customers. I understand that there are
> two options with running these networks:
>
> 1. Run the internet natively across all boxes and secure them down
>    against DoS attacks etc.
> 2. Create an Internet VRF whereby all internet traffic is simply seen as
>    a large IPVPN network, thereby utilising some of the inherent
>    security factors associated with IPVPNs.

I'm not aware of any particularly compelling security factors for the 
router control plane by putting the internet in a VRF.

What are you thinking of?

There are some benefits to reserving the "default" VRF for management; 
specifically at least on 6500/12.2SXF various bits and pieces of IOS are 
not VRF aware, such as the DNS and syslog servers, SNMP trap addresses 
and so forth - these all come from the "default" VRF. Support for some 
of these is trickling in SXH/SR trains, but it's still a bit weak.

Similarly, using scp/ftp/tftp from the box is difficult/impossible if 
you're not using the default VRF for management.

For router security I would not rely on "vrfs being secure". I would 
look to CoPP.
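For readers unfamiliar with what "look to CoPP" means in practice, the following is an added illustration of a minimal IOS Control Plane Policing configuration. It is not Phil Mayers' configuration and not taken from the thread; the ACL and class names, the peer address ranges (RFC 5737 documentation prefixes) and the police rates are constructed placeholders that would have to be replaced with the real routing-peer and management prefixes and with rates measured on the actual network.

```cisco
! Added example, not from the original post. Names, prefixes and rates
! below are assumptions for illustration only.
!
! Traffic that must never be starved: routing and label-distribution peers.
ip access-list extended COPP-ROUTING
 permit tcp 192.0.2.0 0.0.0.255 any eq bgp
 permit tcp 192.0.2.0 0.0.0.255 eq bgp any
 permit ospf 192.0.2.0 0.0.0.255 any
 permit tcp 198.51.100.0 0.0.0.255 any eq 646
 permit udp 198.51.100.0 0.0.0.255 any eq 646
!
! Management plane, restricted to the assumed NOC prefix.
ip access-list extended COPP-MGMT
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 permit udp 203.0.113.0 0.0.0.255 any eq snmp
!
! ICMP that is operationally useful but should be rate-limited.
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all COPP-CLASS-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-CLASS-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-CLASS-ICMP
 match access-group name COPP-ICMP
!
policy-map COPP-POLICY
 ! Routing: police but transmit on exceed, so the counters show
 ! anomalies without ever dropping a peering session.
 class COPP-CLASS-ROUTING
  police 1000000 conform-action transmit exceed-action drop
 class COPP-CLASS-MGMT
  police 512000 conform-action transmit exceed-action drop
 class COPP-CLASS-ICMP
  police 64000 conform-action transmit exceed-action drop
 ! Everything else punted to the CPU, including spoofed or unexpected
 ! traffic from the Internet side, gets a small fixed budget.
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
```

The point this illustrates is the one the reply makes: the router's CPU is protected by an explicit policy on what may reach it and at what rate, regardless of whether the Internet table lives in the global table or in a VRF. After applying it, `show policy-map control-plane` exposes per-class conform/exceed counters, which is where a practitioner would look first to tune the rates and to spot traffic hitting the control plane that was not expected. One caveat worth knowing before rolling this out: the exceed action on the routing class is set to drop here for completeness, but many operators start with `exceed-action transmit` on that class and only tighten it once the measured rates are understood, so that a mis-sized policer cannot take down BGP or LDP.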

