I'm re-thinking my network arrangement and would like to know how others secure or separate their management network.
My current setup is all MikroTik running OSPF/MPLS/VPLS, with VPLS tunnels from the APs back to my edge routers, where customer traffic is handled, and I use firewall rules at those routers to prevent the tunnels from having access into the network. I have public IPs available at the edge routers, and all internal hardware has some slice of 10.0.0.0/8. I don't have firewall rules on most of the routers, as they are all protected by the edge.

I'd like to move away from this model and have IP blocks at each AP site that route over my OSPF/MPLS system. I can get them to route, but I am wondering if there is an easy way to block routes or limit OSPF distribution to prevent access to my hardware (other than running several firewall rules on every router). I am running many RB750, RB750UP, and RB750P routers and would like to keep firewall rules to a minimum if possible.

Thanks - Chris
