
VRF-Lite


balder

Newbie

Posts: 4

Joined: Fri Apr 24, 2009 6:23 am

Post Tue May 05, 2009 2:47 pm

VRF-Lite

Hello, this is my first post here so I thought I'd best start with a hello. I'm trying to find out information on VRF-Lite, specifically information on the security aspects. I have had a Google and read quite a few documents on various implementations, specifically Cisco documentation. I haven't seen many other documents around yet. Could anyone let me know if this is proprietary? I couldn't find an RFC. Anyway, the questions I had are:
-- What extra security VRF-Lite offers
-- What security assumptions does it make
-- Are there any known insecurities in current implementations
-- Are there any known insecurities in the protocol (is this a protocol? If so, where is the spec?)
-- Also a bit of an obscure one, but if anyone has GSE/GSI experience I would be interested in how it is viewed under that framework

Any documentation or articles people could point me to would be much appreciated.

ciscostu

Newbie

Posts: 11

Joined: Sun Dec 16, 2007 8:54 pm

Post Wed May 06, 2009 12:20 pm

Re: VRF-Lite

VRF-lite isn't a protocol; just the name of the feature that allows for multiple routing tables.

Simple example: you have a router with a connection to your WAN and to the Internet. You want to force traffic from the WAN to the Internet (and vice versa) to traverse an attached firewall.

With VRF-Lite this is easy...

1) assign the WAN link to a second routing table (VRF)
2) connect the firewall to both routing tables (either 2 physical links or a trunk carrying 2 VLANs)
3) add a route to the global routing table saying the WAN is reachable via firewall interface 1
4) add a route to the second (VRF) routing table saying the Internet is reachable via firewall interface 2

Hope this helps,
Charlie
PacketProtector- OpenWrt + FreeRADIUS + OpenVPN + Snort + DansGuardian + ClamAV
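What those four steps look like as a Cisco IOS configuration, added here as an example and not taken from the thread; the VRF name, route distinguisher, interface names, VLAN numbers and addresses are all assumed for illustration:

```cisco
! Added example, not from the thread. VRF name, RD, interfaces,
! VLANs and addresses are assumed values.
!
! Step 1: create the second routing table and put the WAN link in it
ip vrf WAN
 rd 65000:1
!
interface GigabitEthernet0/0
 description WAN uplink (lives in VRF WAN)
 ip vrf forwarding WAN
 ip address 10.1.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 description Internet uplink (global routing table)
 ip address 198.51.100.2 255.255.255.252
!
! Step 2: one trunk to the firewall, one VLAN per routing table
interface GigabitEthernet0/2.10
 description to firewall interface 1 (global side)
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/2.20
 description to firewall interface 2 (VRF WAN side)
 encapsulation dot1Q 20
 ip vrf forwarding WAN
 ip address 192.0.2.5 255.255.255.252
!
! Step 3: the global table reaches the WAN only via firewall interface 1
ip route 10.0.0.0 255.0.0.0 192.0.2.2
!
! Step 4: VRF WAN reaches the Internet only via firewall interface 2
ip route vrf WAN 0.0.0.0 0.0.0.0 192.0.2.6
!
! Check: "show ip route" and "show ip route vrf WAN" should each list
! only that table's routes, so the firewall is the sole crossing point.
```

Note that `ip vrf forwarding` clears any address already on the interface, so it must come before `ip address`.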

balder

Newbie

Posts: 4

Joined: Fri Apr 24, 2009 6:23 am

Post Thu May 07, 2009 3:37 pm

Re: VRF-Lite

Hi Charlie,

Thanks for the response. That's quite a nice use case which I may be able to use for a completely different problem, cheers :). What I'm currently trying to work out is what security VRF-Lite offers when used to separate networks. I have drawn up a quick Visio diagram to try and explain what we intend to do; beware, I'm rubbish at Visio: http://bayimg.com/LaphFaabI

From this I can see how VRFs offer a functional benefit; however I'm unsure what security it offers. Is it more secure than VLANs? If it is more secure than VLANs, does that mean each VRF needs to be on its own layer 2 hardware to achieve this security?

ciscostu

Newbie

Posts: 11

Joined: Sun Dec 16, 2007 8:54 pm

Post Fri May 08, 2009 9:28 am

Re: VRF-Lite

VRFs and VLANs offer equivalent security.  The most common security issue with either is misconfiguration.

The Visio looks good.  Since you have overlapping IP addresses, you'll need to do some NAT before you uplink to the VRFs to a common point.

In this case I'd create a VRF per customer, tie these to separate firewall contexts (virtual firewalls) where they're NAT'ed to unique addresses.

Charlie
PacketProtector- OpenWrt + FreeRADIUS + OpenVPN + Snort + DansGuardian + ClamAV

balder

Newbie

Posts: 4

Joined: Fri Apr 24, 2009 6:23 am

Post Fri May 08, 2009 5:00 pm

Re: VRF-Lite

OK, so after your response I thought I'd best go off and do some research, so I went off and did this lab (http://netsg.wordpress.com/2009/02/02/216/). It was a pretty good lab and enabled me to get my head around VRF-Lite a bit more. I can now see how it can offer backbone security, i.e. you can connect a router to a VRF-Lite mesh and it will only know about one routing table. This is leaning me more into the opinion that VRFs don't offer any extra security if the end devices are connected to the same layer 2, i.e. if they can VLAN hop they can hop into a different VRF context.

I am still confused by what you have said in regard to having NAT because of overlapping LANs. I had thought one of the benefits of VRFs was that you can use the same subnets. Can you please explain this a bit more or point me to some docs?

Cheers

If anyone is interested, my config is here: http://pastebay.com/14496
