[c-nsp] Management stuff in VRFs

Daniska, Tomas tomas at soitron.com
Wed Sep 2 16:35:37 EDT 2009


> I'm a little curious since there have been so many threads about
> running
> management stuff in VRFs. I've until now considered VRFs something for
> customers only; management is in the global table.
> 
> Is management from a VRF to be considered "best practice"?

Telcos have been doing something similar for ages - they deploy
physically separate networks for management, and they know very well why
they do so. IP equipment is just getting there, e.g. Nexus has dedicated
management ports which are forced into a management VRF.
 
> What are the benefits from using a VRF for this?

It's kind of mimicking separate control and forwarding planes. Though
the separation is virtual, it's still better than none.
 
> I assume everyone uses infrastructure ACLs so the VRF thingy shouldn't
> be any more "secure". Or should it?

First, an ACL is a reactive mechanism; management separation is proactive.
You prevent unwanted stuff from entering your management network even
before you can filter it. Second, you isolate problems - think of your IGP
not working for whatever reason (attack, misconfiguration...),
but you can still ssh to your box via the (quasi) out-of-band management,
which you don't touch at the same time, and repair the network. Etc.
Many more. ;)

--

deejay
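Added example (not from the post above or its author): a Nexus-style management VRF in NX-OS syntax, illustrating the points made in the reply. The dedicated mgmt0 port sits in the `management` VRF, every management-plane service is bound to that VRF so it never needs a path through the default table, and an ACL on the port is kept as a second layer rather than the only one. All addresses, names and ACL entries are constructed placeholders.

```cisco
! Added example, not part of the original post. Addresses, hostnames and
! ACL entries are constructed placeholders.

! 1. The dedicated mgmt0 port lives in the 'management' VRF. NX-OS creates
!    this VRF by default and mgmt0 can only be a member of it, so management
!    traffic has no route into or out of the global (default) table.
vrf context management
  ip route 0.0.0.0/0 192.0.2.1

interface mgmt0
  vrf member management
  ip address 192.0.2.10/24

! 2. Management-plane services are pinned to the management VRF. If the IGP
!    in the default VRF breaks (attack, misconfiguration), these still work
!    because they never depended on the production routing table.
feature tacacs+
ntp server 192.0.2.5 use-vrf management
logging server 192.0.2.6 6 use-vrf management
snmp-server host 192.0.2.7 use-vrf management
tacacs-server host 192.0.2.8
aaa group server tacacs+ MGMT-TACACS
  server 192.0.2.8
  use-vrf management
  source-interface mgmt0

! 3. Defence in depth: the VRF removes the path from production networks,
!    the ACL still filters what arrives on the management port itself.
ip access-list MGMT-ONLY
  10 permit tcp 198.51.100.0/24 any eq 22
  20 permit udp 198.51.100.0/24 any eq snmp
  30 deny ip any any log

interface mgmt0
  ip access-group MGMT-ONLY in

! 4. Operator checks: the management table should contain only the mgmt
!    subnet and its default route, and a session from this box to a
!    neighbouring device's management address must name the VRF explicitly.
show ip route vrf management
ssh admin@192.0.2.20 vrf management
```

The check in step 4 is the quick way to confirm the separation is real: if `show ip route vrf management` shows production prefixes, or an `ssh` without `vrf management` reaches a management address, the management plane has leaked into the global table and the VRF is not giving you the isolation the post describes.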
 
