Allied Telesis C613-16164-00 REV E Network Card User Manual


 
Understanding VRF-lite
VRF-lite security domains
VRF-lite provides network isolation on a single device at Layer 3. Each VRF domain can use
the same or overlapping network addresses, as they have independent routing tables. This
separation of the routing tables prevents communication to Layer 3 interfaces in other VRF
domains on the same device. Each Layer 3 interface belongs to exactly one VRF instance and
traffic between two Layer 3 interfaces on the same VRF instance is allowed as normal. But by
default, interfaces in other VRF instances are not reachable as no route exists between the
interfaces unless explicitly configured via Inter-VRF routing.
[Figure: switch SW with VRF red, VRF green and VRF blue serving Company A, Company B and
Company C. PC1 to PC6 connect through vlan1 1.1.1.1/24, vlan2 10.1.1.1/8, vlan3 1.1.1.1/24,
vlan4 10.1.1.1/16, vlan5 1.1.1.1/24 and vlan6 10.1.1.1/24.]
For example, three VRF instances (VRF red, VRF green and VRF blue) are configured on a
device for three different companies. Devices PC1 and PC2 from Company A can
communicate normally within the confines of VRF red, but none of PC1’s and PC2’s traffic
can be seen by other devices in VRF green and VRF blue.
Route table and interface management with VRF-lite
A key feature that VRF-lite introduces to a router is the existence of multiple IP route tables
within the one router.
By default, before any VRF is configured, a router will have one route table, and routes via
all IP interfaces of the router will be stored in this one table. As VRF instances are
configured on the router, the original route table remains. This default route table, and its associated IP
the router, the original route table remains. This default route table, and its associated IP
interfaces, are then referred to as the default global VRF domain.
Interface management with VRF
Each network interface can belong to only one VRF. As mentioned above, initially every
interface is in the default global VRF domain. As Layer 3 interfaces are moved to the created
VRF instances, they are removed from the global VRF domain, so the global VRF domain
manages a decreasing set of Layer 3 interfaces.
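
The isolation and route-table behaviour described above can be checked with a small model. This is an added example, not Allied Telesis code: it tracks connected routes only, the grouping of the figure's VLANs into VRF red, green and blue is an assumption, and vlan7 with its address is constructed to show an interface leaving the default global VRF domain.

```python
import ipaddress

GLOBAL = "global"  # the default global VRF domain

class Router:
    def __init__(self):
        self.vrf_of = {}            # interface -> the one VRF it belongs to
        self.addr = {}              # interface -> configured address
        self.tables = {GLOBAL: {}}  # VRF -> {connected network: interface}

    def _check(self, net, vrf):
        # Overlapping networks only conflict inside a single VRF's table.
        for other in self.tables.setdefault(vrf, {}):
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other} in VRF {vrf}")

    def add_interface(self, ifname, cidr, vrf=GLOBAL):
        iface = ipaddress.ip_interface(cidr)
        self._check(iface.network, vrf)
        self.addr[ifname], self.vrf_of[ifname] = iface, vrf
        self.tables[vrf][iface.network] = ifname

    def move_to_vrf(self, ifname, vrf):
        # The route leaves the old table, so that table manages one less interface.
        if vrf == self.vrf_of[ifname]:
            return
        net = self.addr[ifname].network
        self._check(net, vrf)
        del self.tables[self.vrf_of[ifname]][net]
        self.vrf_of[ifname] = vrf
        self.tables[vrf][net] = ifname

    def lookup(self, ingress_if, dst):
        # Longest-prefix match confined to the ingress interface's VRF table.
        table = self.tables[self.vrf_of[ingress_if]]
        dst = ipaddress.ip_address(dst)
        hits = [n for n in table if dst in n]
        return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

def build_demo():
    r = Router()
    # VLAN addresses are from the figure; the VRF grouping is assumed.
    for ifname, cidr, vrf in [
        ("vlan1", "1.1.1.1/24", "red"), ("vlan2", "10.1.1.1/8", "red"),
        ("vlan3", "1.1.1.1/24", "green"), ("vlan4", "10.1.1.1/16", "green"),
        ("vlan5", "1.1.1.1/24", "blue"), ("vlan6", "10.1.1.1/24", "blue"),
    ]:
        r.add_interface(ifname, cidr, vrf)
    r.add_interface("vlan7", "192.168.7.1/24")  # constructed; starts in global
    return r
```

The same destination resolves differently depending on the ingress VRF: 10.2.3.4 arriving on vlan1 matches VRF red's 10.0.0.0/8 route, while the same packet arriving on vlan3 finds no route in VRF green.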