[c-nsp] Management stuff in VRFs

Lasher, Donn DLasher at newedgenetworks.com
Thu Sep 3 13:42:37 EDT 2009


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jerome Durand
Subject: Re: [c-nsp] Management stuff in VRFs

>We went in that direction in our latest deployment and discovered also
>that many pieces were missing in IOS and IOS-XR to have full management
>in a dedicated VRF for all our devices.
>
>At this stage we have the VRF but not all management goes there... so
>there is more complexity and network is no more secure... I must admit
>IOS-XR gives us more troubles as more management features are missing in
>VRFs.

The most effective way to do this I've seen so far essentially turns
your network inside out. The "Global" portion of the router is
management, in RFC1918 space, and your "internet/public"
IPs/traffic/etc. are all carried in a dedicated VRF.

Taking a production network NOT designed that way, and doing the
inside-out... well... that's every bit as hard as it sounds...
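
A sketch of the "inside out" layout described in the message above, as an added classic-IOS example that is not part of the original post or thread. The VRF name, interface names, ACL name, AS numbers and all addresses are assumptions (documentation and RFC 1918 ranges).

```cisco
! Constructed example: names, addresses and AS numbers are placeholders.
! Public/internet routing lives in a dedicated VRF.
vrf definition INTERNET
 rd 64500:1
 address-family ipv4
 exit-address-family
!
! Management stays in the global table, in RFC 1918 space.
interface Loopback0
 description Management loopback (global table)
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Management LAN (global table)
 ip address 10.255.1.1 255.255.255.0
!
! Customer/transit-facing interface is placed in the VRF.
interface GigabitEthernet0/1
 description Upstream transit (VRF INTERNET)
 vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
!
router bgp 64500
 address-family ipv4 vrf INTERNET
  neighbor 192.0.2.1 remote-as 64501
  neighbor 192.0.2.1 activate
 exit-address-family
!
! Management features use the global table by default, so none of them
! needs a per-feature "vrf" keyword to reach the management network.
logging source-interface Loopback0
logging host 10.255.1.10
snmp-server trap-source Loopback0
ntp source Loopback0
ntp server 10.255.1.11
ip ssh source-interface Loopback0
!
ip access-list standard MGMT-ONLY
 permit 10.255.1.0 0.0.0.255
!
! Without the "vrf-also" keyword, an inbound access-class refuses vty
! connections that arrive on VRF interfaces, so SSH is only reachable
! from the global (management) side.
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in
```

To check the split on a device, `show ip route` should list only management prefixes and `show ip route vrf INTERNET` only public ones.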



