Re: Securing Voice networks
Subject: Re: Securing Voice networks
Newsgroups: gmane.comp.voip.cisco
Date: 2008-12-03 16:14:47 GMT
You can also use VRF Lite, which allows you to use VRFs without using MPLS.
From: cisco-voip-bounces <at> puck.nether.net [mailto:cisco-voip-bounces <at> puck.nether.net] On Behalf Of Jason Aarons (US)
Sent: Tuesday, December 02, 2008 4:36 PM
To: Lelio Fulgenzi; Scott Voll
Cc: cisco-voip
Subject: Re: [cisco-voip] Securing Voice networks
VRF is the backbone of how MPLS works. Your network routes are in a private VRF that only you can see. If they can hack or misconfigure the VRF, then your routes could be advertised to a hacker; that is the security worst-case scenario with MPLS. I believe you can filter a VRF into another VRF but haven't seen that myself. I went through backbone service provider MPLS training, did all the labs and haven't used VRF much since then.
From: cisco-voip-bounces <at> puck.nether.net [mailto:cisco-voip-bounces <at> puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Tuesday, December 02, 2008 6:07 PM
To: Scott Voll
Cc: cisco-voip
Subject: Re: [cisco-voip] Securing Voice networks
The term is VRF. http://en.wikipedia.org/wiki/VRF
I'm still not clear as to the difference, but from what I understand, they are logically two separate networks and go beyond the level of separation that VLANs provide. For example, you can have two VRF domains and route them across your network, both with the same IP address space but still logically separated. What I don't know is whether you can somehow route between two VRF domains (if that's even what you call them).
For now, we are using ACLs, and for the most part they work, but it's not ideal. Putting things behind a firewall makes sense, but with multiple data centres, you have to ensure that the voice servers can communicate with each other unhindered/unblocked. There are also some issues with respect to asymmetrical routing which I think is an issue for us.
Until Cisco comes up with a recommended design for putting their voice servers behind firewalls in multiple data centres, I think people will be clamoring.
---
Lelio Fulgenzi, B.A.
Senior Analyst (CCS) * University of Guelph * Guelph, Ontario N1G 2W1
(519) 824-4120 x56354 (519) 767-1060 FAX (JNHN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"Bad grammar makes me [sic]" - Tshirt
----- Original Message -----
From: "Scott Voll" <svoll.voip <at> gmail.com>
To: "<cisco-voip <at> puck.nether.net>" <cisco-voip <at> puck.nether.net>
Sent: Tuesday, December 2, 2008 5:56:59 PM GMT -05:00 US/Canada Eastern
Subject: [cisco-voip] Securing Voice networks
I have multiple Voice networks that I would like to put behind my FWSM. At CIPTUG (pass the mic) I asked the question of how others were doing it and I thought they were using VFR. Is that the right term?
Can someone give me a run down of how they are doing it?
Thanks
Scott
_______________________________________________ cisco-voip mailing list cisco-voip <at> puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-voip