03-13-2014 06:43 PM - edited 03-04-2019 10:34 PM
We're a very small ISP with one PoP that is getting an ASR-1002X to replace an aging 7206 w/NPE-G2.
I'm trying to wrap my head around how to achieve some separation between management access and customer traffic. We're basically self-contained in one cabinet at a colo facility, and the only existing "management" network is just a dumb switch connected to the internal interfaces of all the servers - this is used for backend db access, backups, and other "management" tasks, but it is totally isolated from the larger internet. The VXR currently does not even have an interface on that network. Our current protection is simply a bunch of ACLs to restrict snmp/ssh to a handful of IPs (admin workstations, monitoring server).
On running through the initial setup of the ASR1K, I noticed that it has a dedicated management interface and that a VRF instance is setup and this interface is placed in that VRF. That is I assume what's noted in this document:
Looking at an older, non-ASR1K specific document, I note that VRFs aren't even discussed:
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
In a small deployment where we don't have a full-on management network, does it make any sense to do anything beyond the recommendations in the second link (ACL management protocols, ACL the control plane, and rate-limit things as appropriate)?
I feel like putting that management interface and a VRF on our current internal network doesn't give me a big win and it makes things all the more fragile/complicated when something goes awry and I need to reach the router.
Any opinions on that?
Lastly, is the Best Practices guide I linked to above current enough? It was published in 2011, not sure if later versions of IOS introduce any new features that would obsolete that document.
03-14-2014 12:00 AM
When the new ASR is installed, will it be possible for a hacker to attack your network through this device? If the answer is yes then they could do a significant amount of damage to both your company and your customers.
Therefore I would suggest as an alternative that you install a small ASA firewall between this router and your internal network. They offer a major stronger form of defence than router ACLs and management VRFs.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide