ASR1k. It's an MPLS PE.
It has a loopback in one of the VRFs.
I want to expose the VRF to the internet. Internet would be inbound via another PE router, not a local link.
I can't put an ACL on the loopback itself; we know that doesn't work.
How can I protect that loopback? Sure I can put an ACE on the edge interface to the internet, but that's... imperfect/sub-ideal IMO. I have ACLs on the various mgmt services, but that's not a complete solution. No, the VRF isn't going behind a firewall; it's the VRF that the firewalls connect to.
I suppose I could put ACLs on the inbound interfaces to the router; that's SOP... but all the traffic comes in tagged, right? How would I write that ACL?
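One defender-side option that sidesteps the tagged-ingress problem is Control Plane Policing: it classifies packets on the punt path, after the VPN label has been popped, so it applies to traffic addressed to the router's own addresses no matter which interface or encapsulation it arrived on. The IOS-XE fragment below is an added example, not configuration from this post; the loopback address (10.255.0.1), the management source range (192.0.2.0/24) and the ACL, class-map and policy-map names are all assumptions.

```ios
! Management sources allowed to reach the VRF loopback (constructed addresses)
ip access-list extended COPP-LOOPBACK-PERMIT
 permit tcp 192.0.2.0 0.0.0.255 host 10.255.0.1 eq 22
 permit udp 192.0.2.0 0.0.0.255 host 10.255.0.1 eq snmp
 permit icmp 192.0.2.0 0.0.0.255 host 10.255.0.1 echo
!
! Anything else aimed at the loopback address
ip access-list extended COPP-LOOPBACK-OTHER
 permit ip any host 10.255.0.1
!
class-map match-all COPP-LOOPBACK-PERMIT
 match access-group name COPP-LOOPBACK-PERMIT
class-map match-all COPP-LOOPBACK-OTHER
 match access-group name COPP-LOOPBACK-OTHER
!
! Classes are evaluated top-down: rate-limit the allowed management
! traffic first, then drop everything else addressed to the loopback
policy-map COPP
 class COPP-LOOPBACK-PERMIT
  police 128000 conform-action transmit exceed-action drop
 class COPP-LOOPBACK-OTHER
  drop
!
control-plane
 service-policy input COPP
```

CoPP classification is by IP header only, not by VRF, so this assumes the loopback address is unique on the box; `show policy-map control-plane` shows per-class counters to confirm the drop class is catching what you expect.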