Network virtualization allows an abstraction from a physical topology. It takes the notion of a logical network further. Abstraction allows segregation of the routing table and can be used in a flexible way. The ability now to define a security policy per domain and perform L3 traffic isolation are just the beginning. The notion of creating multiple logical networks over a single physical network allows for explosive growth.
Thismay consist of such parameters such as access control. We can allow and or isolate through control. We can provide path isolation including transport for compliance and security reasons. We could tier and control access to single and multi-tenant services which allow people to apply policies on a partition basis.
VRFs are one way to achieve this. I see VRF’s the same way VLAN’s slice the CAM table. With VRFs you gain a separate RIB and FIB you gain sound isolation and control. You can even reuse IP addresses. VRF lite is a cheeky way of delivering per VRF packet processed network virtualization. It provides a unique control and data plane.
- You can have sub-interfaces on L3 trunks which allow for passing VRF information. It is important to be aware the Catalyst 4500 platform doesn’t support this. This still requires manual hands on and can be clunky to scale.
- It is possible to deliver VRF abstraction over GRE tunnels between devices. They require a few additional prerequisites such as a tunnel, loopback and a client interface per VRF. Albeit they are easy to configure it does have limited scale. You also need to factor in the additional 28 byte header along the path. 20 byte GRE header + 4 – 8 byte key + original packet.
- Enhanced Virtual Networking end to end delivers all the features listed above but is compatible on the Catalyst 4500! What it adds additionally is the automatic configuration of trunks when a new VRF is created. You could say it adds a new sub interface like VTP spreads VLANs! This can help with scaling and ensure all devices in a VRF network at consistent.
Once you achieve the level of abstraction required you then can police inter-VRF communication. With the notion of zoning from the firewall in mind you can leak routes between VRF, pass them through transparent firewalls, or simply keep them isolated. There is a growing trend of establishing BGP internet peerings in a VRF to then leak required routes to customers or partners. Think to the benefits of a multi-tenant environment. You can confidently isolate A from B and C. Needs may change and C and B require full access. Easy done. Flexibility that is abstracted from hardware.
This post was inspired from Next Generation Campus Architectures BRKCRS-2663 and is available for viewing at Ciscolive365