VRP - Virtual routing protocol and network separation

Unanswered Question
Mar 15th, 2009

Hi,

My client has a few network zones that they want to separate using a firewall.

Example:

Network A, B, C, D

In order for PCs in networks A, B, C to access servers in network D, they will have to pass through the firewall before getting to the servers in network D.

Does VRP (Virtual routing protocol) help do the job by redirecting all requests to the firewall? Or is there any other tool that can help me do the job?

Joseph W. Doherty Sun, 03/15/2009 - 19:40

VRP? Did you intend VRRP or VRF?

If VRF, it can be used if you have multiple L3 networks "superimposed" on the same routers. If you're using "superimposed" L2, you could use VLANs and shouldn't need VRF. Non-superimposed L3 shouldn't be an issue either. From what you're describing, server access with "network D" might not require VRF to help push traffic through a firewall.

If VRRP, it might be used by the firewall itself to appear as a gateway router. Perhaps needed if you have multiple firewalls for redundancy.

alanchia2000 Sun, 03/15/2009 - 20:36

Hi,

I'm sorry about the unclear terms. Yes, it was VRF. I didn't quite understand the purpose of using VRF (virtual routing forwarding) and how it helped.

But without VRF, does that mean I would have one interface on the server VLAN (network D) and each interface of the firewall connected to each VLAN?

This is the ideal setup which I want to have. But I do not have so many network interfaces on the firewall. So is VRF the only solution to this problem?

Network A ->

Network B -> Firewall -> Network D

Network C ->

Joseph W. Doherty Mon, 03/16/2009 - 04:53

If you're not already routing between networks now, and networks A, B and C are VLANs, it might be possible to VLAN trunk them into the firewall (i.e. the firewall would then have 3 virtual interfaces).

If you place a L3 switch (or router) between networks A, B and C, then the firewall will only see one L3 interface.

VRF is (sort of) the L3 version of L2 VLANs. If networks A, B, C and D were L3 within each (not just between them), and they need to be on the same devices, then VRF could be a useful solution. Unclear whether what you're describing is that complex.

alanchia2000 Mon, 03/16/2009 - 18:42

We currently have a L3 switch with different networks A, B, C & D. Network A (Finance), B (Engineering), C (Boss) are where all PCs are located, and they access the server network D.

Right now, our bosses want to put a firewall in between so that it restricts access to the servers in Network D (Servers).

Network A

Network B -> Firewall -> Network D

Network C

The layer 3 switch also performs routing functions, routing traffic between A, B, C & D.

I was wondering how VRF applies in this situation. Each VLAN has an IP on its interface.

Gateways of each network

Network A - 192.168.1.253

Network B - 192.168.2.253

Network C - 192.168.3.253

Network D - 192.168.4.253

The problem here is that if I were to set my firewall to have an IP of 192.168.4.253, what do I need to do for traffic directed to the servers to flow through the firewall first before going to the servers? Is VRF needed in this case?

Joseph W. Doherty Mon, 03/16/2009 - 19:16

VRF may be a good solution.

The problem you have with all four networks on the same L3 device is that that device will route between all the networks.

If you assign networks A, B and C to one VRF, and network D to another VRF, they won't see each other unless you route between them, which can be through the (external?) firewall device. (Functionally, where you now have one L3 device, you'll logically have two, and you can place the firewall between the two virtual routing environments.)

PS:

If you're not running any dynamic routing protocol or using static routing, you'll likely need to do so once you have two virtual L3 networks.
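An added example (not from the thread or from Cisco's documentation) of how the VRF-lite split described above could be laid out on a Cisco IOS L3 switch, using the gateway addresses given in the thread. The VLAN IDs, VRF names, the two /30 links to the firewall and the firewall's addresses (10.0.0.2 and 10.0.0.6) are assumptions.

```cisco
! Added example: VRF-lite split on the L3 switch (assumed VLAN IDs, VRF names, /30 links)
ip vrf USERS
 description networks A, B, C
ip vrf SERVERS
 description network D
!
! Networks A, B, C: apply the VRF before the address (ip vrf forwarding clears any IP)
interface Vlan10
 description Network A (Finance)
 ip vrf forwarding USERS
 ip address 192.168.1.253 255.255.255.0
interface Vlan20
 description Network B (Engineering)
 ip vrf forwarding USERS
 ip address 192.168.2.253 255.255.255.0
interface Vlan30
 description Network C (Boss)
 ip vrf forwarding USERS
 ip address 192.168.3.253 255.255.255.0
!
! Network D sits in its own VRF, so the switch no longer routes A/B/C <-> D directly
interface Vlan40
 description Network D (Servers)
 ip vrf forwarding SERVERS
 ip address 192.168.4.253 255.255.255.0
!
! Two links to the firewall, one per VRF (assumed /30s; firewall holds .2 and .6)
interface Vlan100
 description to firewall, outside (USERS side)
 ip vrf forwarding USERS
 ip address 10.0.0.1 255.255.255.252
interface Vlan200
 description to firewall, inside (SERVERS side)
 ip vrf forwarding SERVERS
 ip address 10.0.0.5 255.255.255.252
!
! Static routes: the only path between the two VRFs is via the firewall
ip route vrf USERS 192.168.4.0 255.255.255.0 10.0.0.2
ip route vrf SERVERS 192.168.1.0 255.255.255.0 10.0.0.6
ip route vrf SERVERS 192.168.2.0 255.255.255.0 10.0.0.6
ip route vrf SERVERS 192.168.3.0 255.255.255.0 10.0.0.6
```

The firewall then needs its own routes (192.168.4.0/24 via 10.0.0.5, and 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 via 10.0.0.1) plus the access policy between its two interfaces. On the switch, `show ip route vrf USERS` should list 192.168.4.0/24 only via 10.0.0.2, confirming that the server network is reachable from A, B and C solely through the firewall.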

alanchia2000 Mon, 03/16/2009 - 22:03

Hi,

VRF was a solution that was suggested to me. However, I am still unaware of how it works and what exactly it does. Would appreciate it if you could provide references for me to do some studies.

From my understanding of what josephdoherty wrote, VRF seems like a zone into which you would put each VLAN. Is that right?

Joseph W. Doherty Tue, 03/17/2009 - 05:27

I tried to find some references on Cisco that would help explain. Didn't find enough to make it clear, and reference to "full blown" MPLS and BGP may confuse, but you might start with:

"Q. What is Virtual Routing and Forwarding (VRF)?

A. Virtual Routing and Forwarding (VRF) is a technology included in IP network routers that allows multiple instances of a routing table to exist in a router and work simultaneously. This increases functionality because it allows network paths to be segmented without the use of multiple devices. Because traffic is automatically segregated, VRF also increases network security and can eliminate the need for encryption and authentication. Internet Service Providers (ISPs) often take advantage of VRF in order to create separate Virtual Private Networks (VPNs) for customers. Therefore the technology is also referred to as VPN routing and forwarding.

VRF acts like a logical router, but while a logical router can include many routing tables, a VRF instance uses only a single routing table. In addition, VRF requires a forwarding table that designates the next hop for each data packet, a list of devices that can be called upon to forward the packet, and a set of rules and routing protocols that govern how the packet is forwarded. These tables prevent traffic from being forwarded outside a specific VRF path and also keep out traffic that must remain outside the VRF path."

http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/vrflitsb.html

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_vrfaw.html

PS:

You might want to repost your last question as a new forum question.

ronyahmed Tue, 03/17/2009 - 07:46

Hi, basically VRF is a solution where you need multiple instances of routing in the same router. It actually eliminates the need for additional hardware at the L3 level. From your previous posts, I think you can get away with creating different VLANs in the router/switch that you are using and you should be fine. VRF may not be the right solution in your case.

Joseph W. Doherty Tue, 03/17/2009 - 17:55

Rony, I'm curious how you might do that on the same L3 switch with all four networks on it without VRF. Could you elaborate on what you have in mind?

alanchia2000 Tue, 03/17/2009 - 18:05

I'm confused.

Does VRF mean Virtual routing and forwarding or VPN Routing and Forwarding?

Joseph W. Doherty Tue, 03/17/2009 - 19:36

Both.

"Virtual routing and forwarding" seems to be used in reference to individual router configuration, or as a shortening of "Virtual (Private Network) Routing and Forwarding".
