Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Traffic Inspection by Sourcefire System in Virtual Routing and Forwarding(VRF) Environment

Introduction


Virtual Routing and Forwarding (VRF) is a mechanism to segment a single router into multiple virtual routers that do not pass traffic between them. It allows multiple instances of the routing table to co-exist within the same router at the same time.

 

Frequently Asked Questions


Question 1: How do Sourcefire appliances work in a VRF deployment?

 
VRF does not require any special support or configuration in Sourcefire products as it is completely transparent to the device monitoring the traffic.
 
The only way this could become an issue is if someone is using a aggregator to combine traffic from multiple different networks into a single interface set or detection engine.  In this case, the 3D System is unable to distinguish between two different hosts with the same IP address.
 

Question 2: How is the traffic in a VRF network analyzed?

 
Lets consider a scenario as an example:

There are multiple networks with 172.22.x.x. Some networks are in the virtual routing table (in VRF), and some networks are not. If a Sourcefire appliance generates alerts from one of the 172.22.x.x networks, is it possible to determine the correct network of origin from the alert? The handling of this scenario is not specific to the use of VRF. As long as the Sourcefire appliances are configured so that each network is monitored by a unique detection engine, then the name of the detection engine can be used to distinguish between events. However, RNA will not work in this case as the network map does not distinguish hosts by the reporting detection engine. RNA will combine all hosts using the same IP address into a single entry in the network map.


Question 3: How are events generated from VRF network traffic identified?


When the alert is triggered, the "packet view" of the event will be the same as the other (non-encapsulated, non-VRF) events. However if each network is being monitored by a unique detection engine, the name of the detection engine can be used to distinguish between events.

Version history
Revision #:
1 of 1
Last update:
‎07-17-2014 10:09 AM
Updated by:
 
Labels (1)
Everyone's tags (2)