The use of VRF Lite

Mitrixsen
Level 1

Hello, everyone! I have a quick question about VRF Lite.

So I understand that VRF is a technology which allows the router to build multiple virtual routing tables which divide the network on L3 with each VRF table being isolated from the other VRF tables, correct?

I can understand the use of this when it comes to MPLS, however, when exactly would we want to use VRF Lite? Lite means that it's not being used in an MPLS deployment, right? So where and why would we want to use VRF lite? Because basically, if I just want to isolate traffic or divide my network, I could just use VLANs and access lists or a firewall.

Kind regards,
David

2 Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello @Mitrixsen,

In a campus network, VRF lite can be implemented using dedicated per-VRF subinterfaces or SVIs, but it is the responsibility of the network admin to build end-to-end connectivity for each VRF.

It is less scalable than using MPLS + L3 VPN, but it is also less complex to configure, so it has its own applications.

The different VRFs can be terminated on different subinterfaces on firewalls, for example, to have controlled inter-VRF connectivity.

Edit:

Inside a datacenter, VRF lite can be used for multi-tenancy: each customer is associated with a different VRF, they are separated, and they are also free to use overlapping subnets with no issues.

Managing ACLs and NAT can become a problem with multiple customers.

Hope to help

Giuseppe

Joseph W. Doherty
Hall of Fame

Actually, you've implicitly answered your basic question about why use VRF-Lite, i.e. when you want VRF features, but don't, or cannot (I recall [?], for example, 3750s supported VRF-Lite but not MPLS), use MPLS.

In most Enterprises, there's probably not much use case for VRF-Lite, but the same might be said for so many other features Cisco supports, i.e. few might use it, but if you want to use it, Cisco supports it.

I'm old enough to remember when switches came on the scene (are they really that much better than hubs? - wink) and when switches started to support VLANs (a "virtual" VLAN - what the heck is that?) and then L3 or multi-layer switches (I always liked the Catalyst 4500 with a L2 sup that could do multi-layer switching coordinating with an external Cisco router - those allowed me to think of L3 switches as logically two distinct devices in the same physical device).

Now, I'm not claiming that VRF-Lite will become the norm like my foregoing switch technology examples, but VRF-Lite is probably more like "hey, we could do that with VRF-Lite" kind of cases.

So, you're correct, you might use VLANs, ACLs, FWs to divide the network, but then we used to have real working networks even without hubs (Ethernet 10Base2 and 10Base5) and routers. So (to paraphrase JFK) ask not what VRF-Lite can do for others, but consider what VRF-Lite can do for you. ; )

5 Replies

Inside a datacenter, VRF lite can be used for multi-tenancy: each customer is associated with a different VRF, they are separated, and they are also free to use overlapping subnets with no issues.

A beautiful explanation, thank you. I have a question about this one bit, though. What if this datacenter has two customers which share the same IP space and then a packet destined for that IP space is received by the router? How will it know who to forward it to?

Hello @Mitrixsen ,

In case of inter-VRF communication managed by a firewall, this device can implement NAT so as to make the overlapping subnets appear as something else from the point of view (the VRF of customer A) of the other tenant, so that communication becomes possible and not ambiguous.

Hope to help

Giuseppe
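
Added example (not part of the original thread, and not any poster's or Cisco's code): a small Python model of the forwarding decision discussed above. The interface names, VRF names and NAT ranges are hypothetical; it assumes each interface is bound to one VRF, lookups use only that VRF's table, and a firewall presents each tenant's overlapping subnet to the other under a unique prefix.

```python
import ipaddress

# Constructed sample data (hypothetical names): both tenants reuse 10.0.0.0/24.
INTERFACE_VRF = {"Gi0/0.10": "TENANT-A", "Gi0/0.20": "TENANT-B"}
VRF_ROUTES = {
    "TENANT-A": [("10.0.0.0/24", "Vlan110"), ("0.0.0.0/0", "fw-tenant-a")],
    "TENANT-B": [("10.0.0.0/24", "Vlan120"), ("0.0.0.0/0", "fw-tenant-b")],
}
# Assumed firewall NAT plan: (real subnet, unique prefix shown to other VRFs).
NAT_PLAN = {
    "TENANT-A": ("10.0.0.0/24", "192.168.101.0/24"),
    "TENANT-B": ("10.0.0.0/24", "192.168.102.0/24"),
}


def lookup(ingress_if, dst):
    """Longest-prefix match using only the table of the ingress interface's VRF."""
    vrf = INTERFACE_VRF[ingress_if]
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in VRF_ROUTES[vrf]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return vrf, (best[1] if best else None)


def presented_address(owner_vrf, real_ip):
    """Address under which the firewall exposes a tenant host to other VRFs."""
    real_net, shown_net = (ipaddress.ip_network(n) for n in NAT_PLAN[owner_vrf])
    addr = ipaddress.ip_address(real_ip)
    if addr not in real_net:
        raise ValueError(f"{real_ip} is not inside {owner_vrf}'s subnet {real_net}")
    offset = int(addr) - int(real_net.network_address)
    return str(shown_net.network_address + offset)


if __name__ == "__main__":
    # Same destination, different answer: the ingress interface picks the table.
    print(lookup("Gi0/0.10", "10.0.0.5"))
    print(lookup("Gi0/0.20", "10.0.0.5"))
    # Tenant A reaches tenant B's 10.0.0.5 through its NAT alias via the firewall.
    alias = presented_address("TENANT-B", "10.0.0.5")
    print(alias, lookup("Gi0/0.10", alias))
```
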

 
