VRF-lite security strength

Unanswered Question
Mar 16th, 2009


I'm currently working on the vrf lite concept and i'm wondering how strong the vrf isolation can be. Is there any way coming from a VRF to jump to another ? Are there any well-known exploits ?

Between a heavy vlan architecture with routing intervlan enable, access-list filtering and a VRF Lite architecture with route-map to decide with packet can be routed from a vrf to another, which architecture is the more secure ?

Do you have some links or white papers dealing with this topik ?

Best regards,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Harold Ritter Mon, 03/16/2009 - 18:25


VRFs provides a complete isolation at layer 3 (i.e. separate routing tables), whereas VLANs do share the same routing table. The best way to route between VRF is usually to have all VRF connected to a FW and let the FW handle packets going from one VLAN to another.


mathieu.ploton Tue, 03/17/2009 - 01:16

Thank you,

From your point of view, the weakness of that kind of architecture does not come from the vrf concept but from the security of the interconnexion ?

With a route-map, we get a stateless accesslist filtering, with a firewall a stateful filtering.

To fully understand what you say :

Router :

ip vrf blue

rd 800:1

route-target export 800:1

route-target import 800:1

ip vrf red

rd 900:1

route-target export 900:1

route-target import 900:1

int fa0/0

description FW_IN

ip vrf forwarding blue

ip address

int fa0/1

description FW_OUT

ip vrf forwarding red

ip address

ip route vrf blue

ip route vrf red

Firewall with two interfaces ;

Is my architecture correct ?

Mohamed Sobair Tue, 03/17/2009 - 03:59


A VRF is Virtual routing and forwarding instance for a set of sites that have identical connectivity requirment.

Data Structure Associated with VRF:

1- IP routing table.

2- CEF Table.

3- Set of rules and routing protocols.

4- List of interfaces per VRF.

Vlans is a broadcast domain, it provides segmentation and Security at layer-2. Once a routing Occurs , the Tag is removed.




This Discussion