03-16-2009 08:04 AM
Hello,
I'm currently working on the vrf lite concept and i'm wondering how strong the vrf isolation can be. Is there any way coming from a VRF to jump to another ? Are there any well-known exploits ?
Between a heavy vlan architecture with routing intervlan enable, access-list filtering and a VRF Lite architecture with route-map to decide with packet can be routed from a vrf to another, which architecture is the more secure ?
Do you have some links or white papers dealing with this topik ?
Best regards,
MP
03-16-2009 06:25 PM
Mathieu,
VRFs provides a complete isolation at layer 3 (i.e. separate routing tables), whereas VLANs do share the same routing table. The best way to route between VRF is usually to have all VRF connected to a FW and let the FW handle packets going from one VLAN to another.
Regards
03-17-2009 01:16 AM
Thank you,
From your point of view, the weakness of that kind of architecture does not come from the vrf concept but from the security of the interconnexion ?
With a route-map, we get a stateless accesslist filtering, with a firewall a stateful filtering.
To fully understand what you say :
Router :
ip vrf blue
rd 800:1
route-target export 800:1
route-target import 800:1
ip vrf red
rd 900:1
route-target export 900:1
route-target import 900:1
int fa0/0
description FW_IN
ip vrf forwarding blue
ip address 10.10.0.2 255.255.255.0
int fa0/1
description FW_OUT
ip vrf forwarding red
ip address 10.10.1.2 255.255.255.0
ip route vrf blue 10.10.1.0 255.255.255.0 10.10.0.1
ip route vrf red 10.10.0.0 255.255.255.0 10.10.1.1
Firewall with two interfaces 10.10.0.1 ; 10.10.1.1
Is my architecture correct ?
03-17-2009 03:59 AM
HI,
A VRF is Virtual routing and forwarding instance for a set of sites that have identical connectivity requirment.
Data Structure Associated with VRF:
1- IP routing table.
2- CEF Table.
3- Set of rules and routing protocols.
4- List of interfaces per VRF.
Vlans is a broadcast domain, it provides segmentation and Security at layer-2. Once a routing Occurs , the Tag is removed.
HTH
Mohamed
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide