[rancid] Re: Pulling down context configs from a Cisco FWSM
Justin Shore
justin at justinshore.com
Thu Mar 29 02:47:38 UTC 2007
Rob Shepherd wrote:
> Lance wrote:
>> I don't intend on this being a context session 101, but why do you
>> create contexts for each customer you have (as it appears to me)? You
>> might enlighten me and I might switch to such a model. :-D
>>
>
> I do this because it permits me to hand off control of a context to a
> particular customer, if they want to do the config themselves.
>
> They can then SSH or PDM independently.
>
> Also there are some limitations with things like DNS/DHCP. I haven't found
> a way to have different DNS server options outputted by the dhcpd
> service on different interfaces. Same for extra options, like vendor
> specific 43, which is different for each customer, for Alcatel AVA.
That's one of the main reasons for us. We fully expect some customers
to want to control their own context. This way we can just hand it off
to them. It also gives us the option of putting these customers in VRFs
which afford a better layer of security between customers than simple
VLANs. Customers that tunnel to us can have their own IGP in their VRF,
can have IP subnets that would otherwise conflict with another
customer's, etc. MPLS VRF hides the underlying network
components from the VRF itself. It's really quite slick and very
complex (I don't pretend to fully understand it but I'm getting better).
Justin