cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
791
Views
5
Helpful
8
Replies

Routing using VRF ?

alanchia2000
Level 1
Level 1

We currently have a L3 switch with different networks A, B, C & D. Network A (Finance), B (Engineering), C(Boss) are where all PCs are located and they access the server network D.

Right now, our bosses wants to put a firewall in between so that it restricts the access to server in Network D (Servers).

Network A

Network B -> Firewall -> Network D

Network C

The layer 3 switch also performs routing functions routing traffic between A, B, C & D.

I was wondering how does VRF apply in this situation. Each VLAN has an IP on their interface.

Gateways of each network

Network A - 192.168.1.253

Network B - 192.168.2.253

Network C - 192.168.3.253

Network D - 192.168.4.253

Problem here is that if I were to set my firewall to have an IP of 192.168.4.253. What are the things I need to do for traffic directed to servers to flow through the firewall first before going to the servers. Is VRF needed in this case?

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Mun,

VRFs are not needed in your case.

you just need to put the network D behind the firewall so that a static route pointing to FW outside is used to reach Network D

Net A

Net B -- L3 switch -- vl. x - FW -- Net D

Net C

where vlan x is a new different vlan used to communicate with the FW.

This is in the case of a L3 FW.

You can also use a transparent firewall that can be useful if multicast traffic is involved

Hope to help

Giuseppe

View solution in original post

8 Replies 8

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Mun,

VRFs are not needed in your case.

you just need to put the network D behind the firewall so that a static route pointing to FW outside is used to reach Network D

Net A

Net B -- L3 switch -- vl. x - FW -- Net D

Net C

where vlan x is a new different vlan used to communicate with the FW.

This is in the case of a L3 FW.

You can also use a transparent firewall that can be useful if multicast traffic is involved

Hope to help

Giuseppe

Hi Giuseppe,

Let me know if I am getting you right,

The firewall, fw, in your scenario has 2 interfaces, one attached to VLAN X, and another attached to Network D.

Is that right ?

Alan

Hello Alan,

>> The firewall, fw, in your scenario has 2 interfaces, one attached to VLAN X, and another attached to Network D.

absolutely correct

Hope to help

Giuseppe

BTW:

Original poster provided similar information a few days earlier in the WAN forum. (http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cd269dd/3#selected_message)

My understanding was all nets were already (and would continue to be?) on the same L3 switch. If correct, VRF looks to be a possible solution to avoid the same L3 device routing between the networks without using the FW.

Hello Joseph,

VRFs are an optimal solution if the goal is network separation.

My understanding of this thread is that the objective is controlled access to Network D and that the firewall introduction is a decision already taken.

It depends from the level of control: with VRFs we can associate a different VRF to each Network and then we can decide what VRF can talk with the VRF of network D.

With a firewall we could decide that only some specific hosts can have access to network D.

The firewall provides the benefit of logging sessions.

So if the objective is that only one or two subnets can access network D the VRF solutions is the right one and saves money and network complexity

I can say we actually use both together (FW and VRFs) for some services

Hope to help

Giuseppe

Giuseppe, don't disagree, except yes but . . .

Re: "optimal", if all the networks are to remain on the same L3 device even with an external FW, which I think(?) the OP intends, how might you see this being done without VRF? I.e., the problem issue I see, once L3 is enabled on the device with all four networks, the device will want to route beteen the networks. VRF could be used on that device to keep the two sides of the FW isolated. How might it be done without it?

"the problem issue I see, once L3 is enabled on the device with all four networks, the device will want to route beteen the networks."

For that to happen you might not want to configure an IP on the network D's vlan interface.

->Vlan X -> Fw - > Network D

So in this case, the firewall has one interface connected to Network D and another to Vlan X.

All the servers on network D will set the firewall as its default gateway. So in that aspect, the server network D is isolated from the other subnets.

That's what I believe.

Up till now, I have a vague idea of how VRF helps in this situation though. This is because of my lack of understanding of VRF. I am still not able to find any good materials that gives me a basic understanding. Most materials I found go right into MPLS which is another deep topic though.

Yes, that makes sense if the FW acts as a router.

For documentation, if you look for VRF-Lite, or Multi-VRF CE, it might make a bit more sense for how you could use it.

In short, consider if we ran two different routing protocols on the same device. Without redistribution, neither routing protocol knows of the other protocol's routes, but the router hosting both routing protocols would. What VRF allows is virtual routing protocol instances. By default, each virtual routing instance is unaware of another route table on the same L3 devices (much like L2 VLANs are separate on the same L2 device). (This also allows us to run multiple instances of the same routing protocol.)

In your case, networks A, B and C would be one VRF instance, and network D another routing instance (much like two different routers). You would then route between the two virtual routing instances using the FW. You should even be able to use a transparent FW.

Perhaps someone else can explain better (correct my explanation if mistaken), or provide some additional references how to use VRF without MPLS.

Review Cisco Networking for a $25 gift card