[rancid] Re: Pulling down context configs from a Cisco FWSM

Justin Shore justin at justinshore.com
Thu Mar 29 02:47:38 UTC 2007

Rob Shepherd wrote:
> Lance wrote:
>> I don't intend on this being a context session 101, but why do you
>> create contexts for each customer you have (as it appears to me)? You
>> might enlighten me and I might switch to such a model. :-D
> I do this because it permits me to hand off control of a context to a 
> particular customer, if they want to do the config themselves.
> They can then SSH or PDM independently.
> Also there are some limitations with things like DNS/DHCP. I haven't found 
> a way to have different DNS server options outputted by the dhcpd 
> service on different interfaces. Same for extra options, like vendor 
> specific 43, which is different for each customer, for Alcatel AVA.

That's one of the main reasons for us.  We fully expect some customers 
to want to control their own context.  This way we can just hand it off 
to them.  It also gives us the option of putting these customers in VRFs 
which afford a better layer of security between customers than simple 
VLANs.  Customers that tunnel to us can have their own IGP in their VRF, 
can have IP subnets that would otherwise conflict with another 
customer's, etc.  MPLS VRFs hide the underlying network 
components from the VRF itself.  It's really quite slick and very 
complex (I don't pretend to fully understand it but I'm getting better).


