Hello all,

I am currently preparing a bunch of routers that will be connected to the web, routing public IPs (BGP feeds).
In the "big vendors" world, I would have a separate VRF for the management, that would be completely isolated from the normal traffic.

Trying to replicate this, I have prepared my management interface/VRF as such:

Where yyy.yyy.yyy.yyy is a public IP of the router, and xxx.xxx.xxx.xxx its management IP. Doing this however still makes it possible to reach the mgmt IP if I have a static route manually, such as
Mind you, that enables me to reach xxx.xxx.xxx.xxx only, not the whole management network xxx.xxx.xxx.0/24.

As I want as little firewalling on this router as possible, I was wondering if there is a best practice to make sure that this management interface isn't reachable on the default routing table without using firewalling? I know that I can disable management services from answering on any but the defined management interface, but that still makes it possible to at least ping this management IP from public IPs.

Thanks!

Just curious what is the advantage of this VRF approach compared to
a. ipsec connection to router (then using winbox).
b. running dude (internal network normally not sure how this is handled remotely as a server).
c. cloud SSTP connection using Remote Winbox service (dont like it for business as I dont think the security provided is commensurate)

Just curious what is the advantage of this VRF approach compared to
a. ipsec connection to router (then using winbox).
b. running dude (internal network normally not sure how this is handled remotely as a server).
c. cloud SSTP connection using Remote Winbox service (dont like it for business as I dont think the security provided is commensurate)

Thanks for the reply. We have a physical management network available where the routers will be, so no need for IPsec, SSTP or HTTPS. It's a proper dedicated connection to an isolated network.
Opening IPsec, SSTP or HTTPS to the outside world is the kind of action that I want to avoid, even if only to enable access to the management itself. The goal is to have 0 open service, 0 open port on the public IPs of the routers, apart from BGP for peers.

Furthermore, having a properly segmented management network doesn't preclude the use of the Dude itself.

I have never used VRFs, so do not know how complex they are but it if more secure than using a management VLAN, then it sounds like a good idea!!
Wish I could be of more help!

I have never used VRFs, so do not know how complex they are but it if more secure than using a management VLAN, then it sounds like a good idea!!
Wish I could be of more help!

A VLAN is a network itself, on which you might have an interface with an IP, so basically another network in the routing table of your router. A VRF enables the use of multiple routing tables in the router.