[cisco-voip] Securing Voice networks

Mark Holloway mh at markholloway.com
Tue Dec 2 18:44:21 EST 2008


You can also use VRF Lite, which allows you to use VRFs without using MPLS.

 

From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Jason Aarons (US)
Sent: Tuesday, December 02, 2008 4:36 PM
To: Lelio Fulgenzi; Scott Voll
Cc: cisco-voip
Subject: Re: [cisco-voip] Securing Voice networks

 

VRF is the backbone of how MPLS works. Your network routes are in a private
VRF that only you can see. If they can hack or misconfigure the VRF, then
your routes could be advertised to a hacker; that is the security worst-case
scenario with MPLS. I believe you can filter a VRF into another VRF but
haven't seen that myself. I went through backbone service provider MPLS
training, did all the labs and haven't used VRF much since then.

 

  _____  

From: cisco-voip-bounces at puck.nether.net
[mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Tuesday, December 02, 2008 6:07 PM
To: Scott Voll
Cc: cisco-voip
Subject: Re: [cisco-voip] Securing Voice networks

 

The term is VRF. http://en.wikipedia.org/wiki/VRF

I'm still not clear as to the difference, but from what I understand, they
are logically two separate networks and go beyond the level of separation
that VLANs provide. For example, you can have two VRF domains and route them
across your network, both with the same IP address space but still logically
separated. What I don't know is whether you can somehow route between two
VRF domains (if that's even what you call them).

For now, we are using ACLs, and for the most part they work, but it's not
ideal. Putting things behind a firewall makes sense, but with multiple data
centres, you have to ensure that the voice servers can communicate with each
other unhindered/unblocked. There are also some issues with respect to
asymmetrical routing, which I think is an issue for us.

Until Cisco comes up with a recommended design for putting their voice
servers behind firewalls in multiple data centres, I think people will be
clamoring. 


---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Bad grammar makes me [sic]" - Tshirt


----- Original Message -----
From: "Scott Voll" <svoll.voip at gmail.com>
To: "<cisco-voip at puck.nether.net>" <cisco-voip at puck.nether.net>
Sent: Tuesday, December 2, 2008 5:56:59 PM GMT -05:00 US/Canada Eastern
Subject: [cisco-voip] Securing Voice networks

I have multiple Voice networks that I would like to put behind my FWSM. At
CIPTUG (pass the mic) I asked the question of how others were doing it and I
thought they were using VFR. Is that the right term?

 

Can someone give me a run down of how they are doing it?

 

Thanks

 

Scott

