Block access between subnets in same VRF

Kudetauk77
Level 1

Hi All 

I am trying to figure out a way to use one VRF for multiple customers. Some customers have only one or two sites, so I am thinking of a way I can put these sites/subnets in the same VRF and then be able to block access between the sites/subnets.

There is probably a very obvious answer to this. The only way I can think of at the moment would be on the CE device using ACLs.

Any other ideas ?

Thanks in advance !

8 Replies

Mark Malone
VIP Alumni

Hi, just out of interest, if you don't mind me asking, why would you use only 1 VRF for multiple customers? No matter how small their sites are, I'm sure they would not want their traffic mixing with another company. It would be just as quick to create a VRF for each as to apply ACLs to the CE interfaces. Even though ACLs will prevent them speaking to each other at the IP layer, they're still in the same FIB table, which would usually be a security concern for sensitive traffic.

Hi Mark,

Thanks for the reply. The reason is because I am talking about 1000 plus customers, so I thought it would be easier using the same VRF through the core up to a single firewall.

Having 1000 VRFs would mean a lot of additional configuration, VLANs, IP addressing etc.

Would a firewall cope with this many VLANs/subinterfaces also? They would need access blocking at this level if they came up the same single physical connection.

So I am trying to think of other ways of doing it that would block access.

I understand that blocking the subnets on each CE would only block them at IP level, and the other security concerns.

I am trying to achieve this with a cost effective solution.

Hello,

What is that firewall for? Does it control your customers' internet access, or control the access to some specific servers, or ....

If it is for internet access or server access, you can create a Firewall VRF and put the firewall interface in that VRF. Then you are able to control all customers based on their IPs. You just need to configure one subnet of IP between firewall and router.

In the Firewall VRF, you need to import the RTs of all customers, so all the customer routes sit in that VRF.

On the customer side, you just need to import the RT of the Firewall VRF for each customer.

Customer 1
  route-target import 500:500   [for Firewall VRF]
  route-target export 100:100
  route-target import 100:100

Customer 2
  route-target import 500:500
  route-target export 200:200
  route-target import 200:200

Firewall VRF
  route-target export 500:500
  route-target import 500:500
  route-target import 100:100
  route-target import 200:200

I hope I understood your question correctly,

Masoud
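The route-target scheme above can be checked with a small model of RT-based route leaking. The following is an added example, not code from the thread or from any vendor; the VRF names, the customer prefixes and the default route originated by the firewall VRF are constructed, and the model ignores route distinguishers and BGP best-path selection. It shows why per-customer VRFs plus a hub Firewall VRF isolate customers from each other at the routing-table level while the firewall still sees every customer, whereas one shared VRF gives every customer every other customer's routes.

```python
# Added example (not from the thread): a minimal model of route-target (RT)
# based route leaking between VRFs, using the RT values given in the thread.
# VRF names, customer prefixes and the default route are constructed.
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    export_rts: frozenset
    import_rts: frozenset
    local_routes: frozenset = field(default_factory=frozenset)


def build_tables(vrfs):
    """Compute each VRF's routing table after RT-based import.

    A route leaves its VRF tagged with that VRF's export RTs; another VRF
    accepts it only if at least one tag matches one of its import RTs.
    This is the selection rule MP-BGP applies to VPNv4 routes, simplified
    (no RDs, no best-path selection).
    """
    exported = [(p, v.export_rts) for v in vrfs for p in v.local_routes]
    tables = {}
    for v in vrfs:
        table = set(v.local_routes)          # locally connected/static routes
        for prefix, tags in exported:
            if tags & v.import_rts:          # any matching RT leaks the route
                table.add(prefix)
        tables[v.name] = frozenset(table)
    return tables


def firewall_vrf_design():
    """Per-customer VRFs plus a hub Firewall VRF (the RT scheme above)."""
    vrfs = [
        Vrf("CUST1", frozenset({"100:100"}), frozenset({"100:100", "500:500"}),
            frozenset({"10.1.0.0/24"})),   # constructed customer prefix
        Vrf("CUST2", frozenset({"200:200"}), frozenset({"200:200", "500:500"}),
            frozenset({"10.2.0.0/24"})),   # constructed customer prefix
        Vrf("FIREWALL", frozenset({"500:500"}),
            frozenset({"500:500", "100:100", "200:200"}),
            frozenset({"0.0.0.0/0"})),     # firewall VRF originates the default
    ]
    return build_tables(vrfs)


def shared_vrf_design():
    """The original idea: every customer in one VRF, no RT separation."""
    vrfs = [Vrf("SHARED", frozenset({"1:1"}), frozenset({"1:1"}),
                frozenset({"10.1.0.0/24", "10.2.0.0/24", "0.0.0.0/0"}))]
    return build_tables(vrfs)


def has_specific_route(tables, vrf, prefix):
    """True if `vrf` holds `prefix` itself (not merely a default route)."""
    return prefix in tables[vrf]


if __name__ == "__main__":
    fw = firewall_vrf_design()
    for name, table in sorted(fw.items()):
        print(f"{name:9s} {sorted(table)}")
    # CUST1 never learns CUST2's prefix; it only holds 0.0.0.0/0 via FIREWALL,
    # so any inter-customer traffic has to pass the firewall's policy.
    print("CUST1 sees CUST2 prefix:", has_specific_route(fw, "CUST1", "10.2.0.0/24"))
    sh = shared_vrf_design()
    print("SHARED sees CUST2 prefix:", has_specific_route(sh, "SHARED", "10.2.0.0/24"))
```

The point the model makes is that in the hub design the customer VRFs only ever hold their own prefixes and the firewall's default route, so the firewall (a single interface in the Firewall VRF) becomes the one place where inter-customer policy is enforced; in the shared design the isolation would have to be rebuilt with ACLs on every CE, which is what the original question was trying to avoid.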

Hi Masoud,

Yes, that is what I am trying to do. I will need to use a VRF per customer and leak the routes to the firewall VRF; this would be the default route. I will also have another exit route for proxy devices to a proxy server and to a filtering platform. I will create another VRF for this and leak the routes again into this and vice versa, using the route targets as you have described above.

Thanks a lot

You are most welcome. I have done it before. It worked for me.

devils_advocate
Level 7

Presumably none of your 1000 customers use the same IP ranges?

No, I will be assigning them.

Everybody within the same VRF is just like having no VRF, so yes, in effect you are limited to ACLs.

You could use a firewall, but you have so many customers that you would very probably not have enough interfaces to terminate each customer's traffic.

Whether to use ACLs or not depends on your security requirements.

Jon
