Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VRF-lite security strength

Hello,

I'm currently working on the vrf lite concept and i'm wondering how strong the vrf isolation can be. Is there any way coming from a VRF to jump to another ? Are there any well-known exploits ?

Between a heavy vlan architecture with routing intervlan enable, access-list filtering and a VRF Lite architecture with route-map to decide with packet can be routed from a vrf to another, which architecture is the more secure ?

Do you have some links or white papers dealing with this topik ?

Best regards,

MP

3 REPLIES
Cisco Employee

Re: VRF-lite security strength

Mathieu,

VRFs provides a complete isolation at layer 3 (i.e. separate routing tables), whereas VLANs do share the same routing table. The best way to route between VRF is usually to have all VRF connected to a FW and let the FW handle packets going from one VLAN to another.

Regards

Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México 
Paseo de la Reforma 222 Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
New Member

Re: VRF-lite security strength

Thank you,

From your point of view, the weakness of that kind of architecture does not come from the vrf concept but from the security of the interconnexion ?

With a route-map, we get a stateless accesslist filtering, with a firewall a stateful filtering.

To fully understand what you say :

Router :

ip vrf blue

rd 800:1

route-target export 800:1

route-target import 800:1

ip vrf red

rd 900:1

route-target export 900:1

route-target import 900:1

int fa0/0

description FW_IN

ip vrf forwarding blue

ip address 10.10.0.2 255.255.255.0

int fa0/1

description FW_OUT

ip vrf forwarding red

ip address 10.10.1.2 255.255.255.0

ip route vrf blue 10.10.1.0 255.255.255.0 10.10.0.1

ip route vrf red 10.10.0.0 255.255.255.0 10.10.1.1

Firewall with two interfaces 10.10.0.1 ; 10.10.1.1

Is my architecture correct ?

Re: VRF-lite security strength

HI,

A VRF is Virtual routing and forwarding instance for a set of sites that have identical connectivity requirment.

Data Structure Associated with VRF:

1- IP routing table.

2- CEF Table.

3- Set of rules and routing protocols.

4- List of interfaces per VRF.

Vlans is a broadcast domain, it provides segmentation and Security at layer-2. Once a routing Occurs , the Tag is removed.

HTH

Mohamed

790
Views
0
Helpful
3
Replies