Altough VRF lite (or Mulit VRF) seems to be a Service Provider Tecnology.
Does it make sense to use it in an Enterprise Network to isolate Networks from others ?
I cant find any design paper which describes if this would make sense.
What do you think. Is someone using it ? Does Cisco recommend it ?
Multi-VRF and even MPLS L3VPNs are used more and more in the enterprise environment. The main reason is, that many IT departments have similar tasks as SPs have: separate different customers/departments especially in the data center.
Most of the implementations I dealed with were based on Cat6500 as the core switch and then Multi-VRF on Cat4500, Cat3550, where it was needed.
In fact when you start looking into Multi-VRF you will soon end up with looking at a complete MPLS L3VPN solution. With Multi-VRF you have about the same complexity in the control plane, but less flexibility with respect to Central Service VPNs and the like. In addition the data plane separation has to be done on a hop by hop basis with Multi-VRF ... and from a scalability perspective MPLS is even easier (once you understand the whole Label stuff).
In the end - as with any design - it depends on your exact requirements and limitations.
Hope this helps! Please rate all posts.
Yes we also have a customer who is running VRF Lite on his LAN backbone and also for increased security.
A very simple example:
Suppose you have a customer who want to implement VOIP, so his switches get configured with a data VLAN and a voice VLAN (you know trunking the phone and PC on one port).
Now the customer has some bizar requirement: he does not want uncontrolled access between the data and voice vlan. Any traffic between these vlans must pass a firewall.
The problem here is that somewhere in the core, these two VLANS unite on the same box, and since they are connected interfaces, the switch will automatically route between them.
VRF Lite will devide your switch into two "virtual" switches keeping the two vlans and their routing tables completely seperated. You can then use an external firewall to link the two domains.
It works great
VRF lite does not run MPLS and it is not a tunnel. It merely allows the router to create vrfs within the box but will not talk mpls to another router. Hence it is non-scalable for large deployments. You can create routing instances and connect a number of routers running vrf lite together, but each router will treat each other as a customer edge. I would only consider vrf lite for a very small scale deployment whith regards to the number of routers. For an enterprise, you will be better off with MPLS as the management overhead of vrf lite could prove to be quite substantial and more complex. In addition to L-3 vpns (although not so prevelant in the entrprise) with mpls you will get features such as TE and AToM which may be useful to large entreprises.
We are consider doing what you mentioned. How is external firewall connect to the vrf switch? Could you please elaborate more? Thanks.
Yes, VRF-lite SHOULD be used in an Enterprise environment to isolate the different security classes of devices.
In the past you would isolate different groups of users using Layer1, i.e. separate hubs either totally isolated or connected together by a router with ACLs. Since the PCs were only connected at shared 10 Mbit and the routers were such low performance and worms weren't really prevalent, this was not a big security issue at the time.
Then we migrated to VLANs, which essentially allowed Layer2 isolation within the same switch to provide the same functionality of separating different classes of users and to break up broadcast domains. Unfortunately, everyone connected the VLANs together at Layer3 with a router (or SVI) which essentially connected everything together again! And almost no one gets the ACLs right (if at all) to isolate the VLANs from each other. In fact, in most cases every VLAN can automatically reach every other VLAN from a Layer3 or IP perspective. This is a huge security problem.
Enter VRF-lite, essentially created by Cisco as their tag switching migrated to standards based MPLS and had a need to isolate Layer3 security domains from each other within the same switch (or router). Think of VLANs for routing tables. VRF stands for 'Virtual Route Forwarding', which basically means separate routing tables. Since VRF-lite is a per-switch feature (running locally to the switch) you will need to use other technologies to connect multiple VRF-lite switches together and keep the traffic isolated, see below.
What makes this so secure is that there is no command within the switch to connect different VRFs together within the same switch. You would need to connect a cable between two ports on the same switch configured in different VRFs to be able to communicate between them (recent IOS 12.2SR allows tunnels with different source VRFs but that is a corner case). The reason for this is simple, remember the basis for VRF (and VRF-lite) is for a service provider to isolate multiple customers from each other within the same switch. Just like an ATM, Frame-Relay, SONET, or Optical switch, the command line makes it very difficult (or impossible) to accidentally connect 2 different customers together.
Think about that. Even if someone was able to get ssh enable access to your switch (you aren't running telnet anymore, right?!), they CAN'T connect 2 VRFs together with any command.
And, yes, this is highly recommended by Cisco Engineers and is actually deployed far more than you think. I have VRF-lite running on at least 10 client's networks and those are LARGE networks. VRF-lite was integrated into the environment purely to solve a Layer3 security class isolation issue. I have used Layer3 dot1q trunks on c6500 switches and tunnels to keep isolated connectivity between VRFs between switches.
In Cisco speak, VRF-lite falls under the topic of 'Path Isolation' which is combined with other features that isolate traffic within the same network such as dot1q trunking, tunneling, VPN, policy-routing, and MPLS. Do a search on Cisco's web site for 'path isolation' and you will find a bunch of info.
See the following URLs for a good start:
As always, rate all posts appropriately, particularly those that provide value and don't be shy about following up with additional questions or comments.
Let's say I have two department with duplicate ip address range. Can vrf-lite alone solve this issue or has to go with mpls vpn solution?Thanks for help.
VRF-lite will solve this issue on the control plane. To interconnect PEs you would use trunks and assign VLAN interfaces or physical ports to different VRFs.
The post had the following statement:
"You would need to connect a cable between two ports on the same switch configured in different VRFs to be able to communicate between them". Believe it or not, I have an instance where I need to connect 2 VRFs on a 6500/7600 with an external cable connection between the ports. Is this a supported configuration/scenario?
We have it in production with Catalyst 6500 and 4500
It makes sense in Enterprise Network to cut off different departments with different specifications of traffic.
Yes Cisco recommends it.
The best way to understand it, is VRF Lite replaces the MPLS-Labels with VLAN-Labels.
You build a Global and several VRF Layers, define a Routing for each; ISIS, OSPF or EIGRP.
Place the VLAN Interfaces with their names to the appropriate VRF.
one more remark: you cannot use BGP to connect two VRFs on the same router with an external crossover cable. The BGP session does not come up, because the router gets its own BGP router ID in the Open message. For an enterprise environment this is usually not used, but IGPs are enabled.
Routing protocols supported are RIPv2, OSPF, EIGRP (and ISIS on some platforms and IOS versions).
Hope this helps! Please use the rating system.