[c-nsp] Internet vrf, pros and cons

Rubens Kuhl Jr. rubensk at gmail.com
Tue May 6 21:05:39 EDT 2008


The issue with VRFs is that they can't do policy routing, because it's
already a routing table selection... I agree that box security should
be taken care of with CoPP. Put Internet customers on the main VRF, but
carefully design ACL, policy-routing and CoPP to reach your security
goals. VRFs are great with overlapping IP spaces, but on the Internet
where everybody in the world agrees on an addressing plan, just use
plain routing.


Rubens


On Tue, May 6, 2008 at 6:08 AM, Mark Tech <techconfig at yahoo.com> wrote:
> Hi
>  We are going to deploy a new MPLS network which will be used for Internet customers and IP/VPN customers. I understand that there are two options with running these networks:
>  1. Run the internet natively across all boxes and secure them down against DoS attacks etc
>  2. Create an Internet VRF whereby all internet traffic is simply seen as a large IPVPN network, thereby utilising some of the inherent security factors associated with IPVPNS
>  My question is whether anyone has other pros and cons from real life experience, associated with the two options previously stated.
>  I would like to add that the platforms will be provisionally Cisco 6500s with SUP720s (edge) and Cisco XR 12406's (core)
>  Regards
>  Mark