Cisco Support Community

New Member

VRF-lite security strength


I'm currently working on the VRF-lite concept and I'm wondering how strong the VRF isolation can be. Is there any way, coming from a VRF, to jump to another? Are there any well-known exploits?

Between a heavy VLAN architecture with inter-VLAN routing enabled and access-list filtering, and a VRF-lite architecture with a route-map to decide which packets can be routed from one VRF to another, which architecture is the more secure?

Do you have some links or white papers dealing with this topic?

Best regards,


Cisco Employee

Re: VRF-lite security strength


VRFs provide complete isolation at layer 3 (i.e. separate routing tables), whereas VLANs share the same routing table. The best way to route between VRFs is usually to have all VRFs connected to a FW and let the FW handle packets going from one VLAN to another.


Harold Ritter
Sr. Technical Leader
CCIE 4168 (R&S, SP)
México móvil: +52 1 55 8312 4915
Cisco México 
Paseo de la Reforma 222 Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
New Member

Re: VRF-lite security strength

Thank you,

From your point of view, the weakness of that kind of architecture does not come from the VRF concept but from the security of the interconnection?

With a route-map we get stateless access-list filtering; with a firewall, stateful filtering.

To fully understand what you say:

Router:

  ip vrf blue
   rd 800:1
   route-target export 800:1
   route-target import 800:1
  ip vrf red
   rd 900:1
   route-target export 900:1
   route-target import 900:1
  int fa0/0
   description FW_IN
   ip vrf forwarding blue
   ip address
  int fa0/1
   description FW_OUT
   ip vrf forwarding red
   ip address
  ip route vrf blue
  ip route vrf red

Firewall with two interfaces.

Is my architecture correct?
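A complete version of the firewall-in-the-middle design described in this thread, written here as an added example rather than the original poster's configuration or anything Cisco published. Interface names, the FW_IN/FW_OUT descriptions and the RD/route-target values follow the post above; the IP addresses (RFC 5737 documentation ranges and 10.x user segments) and the two user-facing interfaces are assumptions added for illustration.

```cisco
! Added example: VRF-lite with two VRFs whose only path to each other
! is through an external firewall. Addresses are illustrative.
!
ip vrf blue
 rd 800:1
 route-target export 800:1
 route-target import 800:1
!
ip vrf red
 rd 900:1
 route-target export 900:1
 route-target import 900:1
!
! Each VRF imports only its own route-target, so no prefix learned in
! red can appear in blue's table, and vice versa.
!
interface FastEthernet0/0
 description FW_IN (firewall leg in VRF blue)
 ip vrf forwarding blue
 ip address 192.0.2.1 255.255.255.252
!
interface FastEthernet0/1
 description FW_OUT (firewall leg in VRF red)
 ip vrf forwarding red
 ip address 198.51.100.1 255.255.255.252
!
interface FastEthernet1/0
 description blue user segment (assumed)
 ip vrf forwarding blue
 ip address 10.1.0.1 255.255.255.0
!
interface FastEthernet1/1
 description red user segment (assumed)
 ip vrf forwarding red
 ip address 10.2.0.1 255.255.255.0
!
! Each VRF's default route points at the firewall interface on its side.
! A packet from blue to red leaves on Fa0/0, is inspected statefully by
! the firewall, and re-enters the router on Fa0/1 already inside VRF red.
ip route vrf blue 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf red 0.0.0.0 0.0.0.0 198.51.100.2
!
! Verification: each table should hold only its own connected networks
! plus the default toward the firewall, and nothing from the other VRF.
!   show ip vrf
!   show ip route vrf blue
!   show ip route vrf red
```

Two practical points. First, `ip vrf forwarding` clears any IP address already configured on the interface, so enter it before `ip address` as shown. Second, the isolation is only as strong as the absence of deliberate leaks: a static route in one VRF whose next hop or exit interface belongs to the other VRF, or importing the other VRF's route-target, would create a path that bypasses the firewall, so those two checks are what to audit in the running configuration.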

Re: VRF-lite security strength


A VRF is a Virtual Routing and Forwarding instance for a set of sites that have identical connectivity requirements.

Data structures associated with a VRF:

1- IP routing table.

2- CEF Table.

3- Set of rules and routing protocols.

4- List of interfaces per VRF.

A VLAN is a broadcast domain; it provides segmentation and security at layer 2. Once routing occurs, the tag is removed.