Very early in our careers, we learn about physical and logical network segmentation. Generally speaking, that understanding comes in the form represented by the diagrams below.
Depending on the work environment of an individual, it may take some time before they are exposed to the methods that provide segmentation to routed parts of the network. Looking at the diagram above, let’s think about what is being accomplished in each example. The physical segmentation provides full isolation between the two hosts. This article examines the construct used to extend segmentation into a routed network. We will not get into the configuration details but will share some links to additional content that can provide practical guidance on the configuration.
VLANs only provide segmentation at layer 2. This would provide isolation for things like ARP and other broadcasts. VLANs would also provide full segmentation if a router didn’t exist for a given VLAN. However, it is often necessary to extend this into the routed portions of our networks. In the above example, I would expect properly configured routers and switches to allow the two hosts on the right to communicate with one another. What if that is not the goal? We might consider building something that looks like this.
Most networks have requirements that exceed the scale of this diagram. In such cases, we need to provide a way to extend the segmentation into the Layer 3 part of the network. In reality, our networks need to provide some sort of restricted access between various zones and the physical infrastructure is often shared. This would be a more accurate representation.
The challenge is that a default configuration would not force inter-VLAN traffic through the firewall. To solve this, we need to extend the VLAN segmentation into the routed domain. This is exactly what a VRF (virtual routing and forwarding) instance does. Just like a VLAN does not allow devices to communicate directly with one another at Layer 2, VRFs provide similar segmentation at Layer 3.
In this case, we could configure each of the routers with 802.1q trunks and with two subinterfaces on each of their routed interfaces. Each of the subinterfaces should be configured in a VRF that is mapped to the required security zone. The firewall would simply have an interface or subinterface in each VRF and contain no VRF configuration of its own. This allows it to be the fusion device for both segments. In our example, we have VLAN 10 and VLAN20. Each of these VLANs would map to a given VRF to provide the segmentation on the routers.
From a Cisco perspective, this configuration is known as VRF-lite. The article would not be complete without mentioning MPLS. In my example, I used subinterfaces on each router interface. These were attached to each VRF and created zones of segmentation. This is a solution that would become unwieldy and complex in very large networks (or a large number of zones). MPLS is the solution to that problem of scale.
VRFs provide a method of segmentation in a routed network and are often used to solve the following challenges:
- Multi-tenant environments
- Providing transit networks to multiple customers
- Zones of differing business objectives/methods
- Compliance/regulatory boundaries
- Overlapping IP networks
- Tunneled configurations
- Any other general segmentation requirements
The following articles give a deeper dive and how-to approach to configuring VRFs to provide routed segmentation.
- MPLS and VRFs – Filling the Gaps
- VRFing 101, Understing VRF Basics
- Segmenting Layer 3 Networks with VRFs
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This
may or may does not reflect the position of past, present or future employers.