Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1352
Views
0
Helpful
3
Replies

VRF-lite security strength

mathieu.ploton
Level 1
Level 1

‎03-16-2009 08:04 AM

Hello,

I'm currently working on the vrf lite concept and i'm wondering how strong the vrf isolation can be. Is there any way coming from a VRF to jump to another ? Are there any well-known exploits ?

Between a heavy vlan architecture with routing intervlan enable, access-list filtering and a VRF Lite architecture with route-map to decide with packet can be routed from a vrf to another, which architecture is the more secure ?

Do you have some links or white papers dealing with this topik ?

Best regards,

MP

Labels:
0 Helpful
3 Replies 3

Harold Ritter
Cisco Employee
Cisco Employee

‎03-16-2009 06:25 PM

Mathieu,

VRFs provides a complete isolation at layer 3 (i.e. separate routing tables), whereas VLANs do share the same routing table. The best way to route between VRF is usually to have all VRF connected to a FW and let the FW handle packets going from one VLAN to another.

Regards

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
0 Helpful

mathieu.ploton
Level 1
Level 1
In response to Harold Ritter

‎03-17-2009 01:16 AM

Thank you,

From your point of view, the weakness of that kind of architecture does not come from the vrf concept but from the security of the interconnexion ?

With a route-map, we get a stateless accesslist filtering, with a firewall a stateful filtering.

To fully understand what you say :

Router :

ip vrf blue

rd 800:1

route-target export 800:1

route-target import 800:1

ip vrf red

rd 900:1

route-target export 900:1

route-target import 900:1

int fa0/0

description FW_IN

ip vrf forwarding blue

ip address 10.10.0.2 255.255.255.0

int fa0/1

description FW_OUT

ip vrf forwarding red

ip address 10.10.1.2 255.255.255.0

ip route vrf blue 10.10.1.0 255.255.255.0 10.10.0.1

ip route vrf red 10.10.0.0 255.255.255.0 10.10.1.1

Firewall with two interfaces 10.10.0.1 ; 10.10.1.1

Is my architecture correct ?

0 Helpful

Mohamed Sobair
Level 7
Level 7

‎03-17-2009 03:59 AM

HI,

A VRF is Virtual routing and forwarding instance for a set of sites that have identical connectivity requirment.

Data Structure Associated with VRF:

1- IP routing table.

2- CEF Table.

3- Set of rules and routing protocols.

4- List of interfaces per VRF.

Vlans is a broadcast domain, it provides segmentation and Security at layer-2. Once a routing Occurs , the Tag is removed.

HTH

Mohamed

0 Helpful
Customers Also Viewed These Support Documents