I'm currently working on the VRF Lite concept and I'm wondering how strong the VRF isolation can be. Is there any way to jump from one VRF to another? Are there any well-known exploits?
Between a heavy VLAN architecture with inter-VLAN routing enabled and access-list filtering, and a VRF Lite architecture with route-maps to decide which packets can be routed from one VRF to another, which architecture is more secure?
Do you have any links or white papers dealing with this topic?
VRFs provide complete isolation at layer 3 (i.e. separate routing tables), whereas VLANs share the same routing table. The best way to route between VRFs is usually to have all VRFs connected to a FW and let the FW handle packets going from one VLAN to another.
Harold Ritter, Sr. Technical Leader, CCIE 4168 (R&S, SP)
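The design described in the answer above, sketched as a VRF Lite configuration in classic Cisco IOS syntax. This is an added example, not part of the original thread: the VRF names, RD values, interface numbers and addresses are constructed for illustration, and the firewall next hops (192.0.2.2 and 192.0.2.6) are assumed to be where the inter-VRF policy lives.

```cisco
! Constructed example: two VRFs on one router, each with its own routing table.
ip vrf RED
 rd 65000:1
!
ip vrf BLUE
 rd 65000:2
!
! User-facing interfaces, one per VRF.
interface GigabitEthernet0/1
 description RED users
 ip vrf forwarding RED
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description BLUE users
 ip vrf forwarding BLUE
 ip address 10.2.0.1 255.255.255.0
!
! One transit subinterface per VRF towards the firewall.
interface GigabitEthernet0/0.101
 description RED transit to firewall
 encapsulation dot1Q 101
 ip vrf forwarding RED
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/0.102
 description BLUE transit to firewall
 encapsulation dot1Q 102
 ip vrf forwarding BLUE
 ip address 192.0.2.5 255.255.255.252
!
! No route leaking and no shared table: the only exit from each VRF
! is its default route to the firewall, which decides what may cross.
ip route vrf RED 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf BLUE 0.0.0.0 0.0.0.0 192.0.2.6
```

With this in place, `show ip route vrf RED` lists no BLUE prefixes, so traffic between the two VRFs can only follow the default route to the firewall.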