Understanding VRF-lite

VRF-lite security domains

VRF-lite provides network isolation on a single device at Layer 3. Each VRF domain can use the same or overlapping network addresses, as they have independent routing tables. This separation of the routing tables prevents communication to Layer 3 interfaces in other VRF domains on the same device. Each Layer 3 interface belongs to exactly one VRF instance and traffic between two Layer 3 interfaces on the same VRF instance is allowed as normal. But by default, interfaces in other VRF instances are not reachable as no route exits between the interfaces unless explicitly configured via Inter-VRF routing.

 

 

 

vlan1

1.

 

 

 

 

 

 

 

 

 

 

 

vlan2

 

 

1.

 

 

 

 

 

 

 

 

 

 

 

 

 

1.

 

 

SW

 

 

 

 

 

10.

 

 

 

1/24

 

 

 

 

 

 

 

 

1.

 

 

 

 

 

 

 

 

 

 

PC1

 

 

 

1.

 

 

.1/24

 

 

 

 

 

 

 

 

 

1/8

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

.1

 

 

 

 

 

 

 

 

 

 

 

 

 

.1

 

.1/16

 

 

 

 

 

 

 

 

 

 

 

1

 

 

 

 

 

 

 

 

 

 

 

 

 

.1

 

 

 

 

 

 

 

 

 

 

 

vlan3

.1

 

vlan5

 

 

 

 

 

 

 

 

 

10

 

1.

 

 

 

 

 

 

 

 

 

vlan4

 

 

 

 

 

PC2

 

 

 

 

 

 

 

 

vlan6

 

1.

 

Company A

 

 

 

 

 

 

 

 

 

 

1.

 

 

 

 

 

 

 

 

 

10.

 

 

1/24

 

 

 

 

 

 

 

 

 

 

 

1.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

1.

 

 

 

PC3

 

 

 

 

 

 

 

 

 

 

1/24

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Company B

PC4

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

PC5

 

 

 

 

 

 

 

 

VRF red

 

 

 

 

 

 

 

 

 

 

 

 

 

 

VRF green

 

Company C

 

 

 

PC6

 

 

 

 

VRF blue

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

For example, on a device three VRF instances (VRF red, VRF green and VRF blue) are configured for three different companies. Devices PC1 and PC2 from Company A can communicate normally within the confines of VRF red, but none of PC1’s and PC2’s traffic can be seen by other devices in VRF green and VRF blue.

Route table and interface management with VRF-lite

A key feature that VRF-lite introduces to a router is the existence of multiple IP route tables within the one router.

By default, before any VRF is configured, a router will have one route table, and routes via all IP interfaces of the router will be stored in this one table. As VRF instances are configured on the router, the original route table remains. This default route table, and its associated IP interfaces, are then referred to as the default global VRF domain.

Interface management with VRF

Each network interface can belong to only one VRF. As mentioned above, initially every interface is in the default global VRF domain. As Layer 3 interfaces are moved to the created VRF instances, they are removed from the global VRF domain, so the global VRF domain manages a decreasing set of Layer 3 interfaces.

Page 6 Configure VRF-lite

Page 5 Page 7
Page 6
Image 6
Allied Telesis C613-16164-00 REV E VRF-lite security domains, Route table and interface management with VRF-lite, Vlan5
Page 5 Page 7

C613-16164-00 REV E specifications

The Allied Telesis C613-16164-00 REV E is a robust networking device designed to enhance connectivity and communication within enterprise environments. Renowned for its reliability and efficiency, this device serves as an ideal choice for organizations seeking to improve their network infrastructure.

At its core, the C613-16164-00 REV E is a part of Allied Telesis' suite of products that adhere to high-performance standards. One of the main features is its support for both Layer 2 and Layer 3 networking, making it versatile enough to handle a variety of network configurations. This capability allows for seamless integration into different network architectures, whether for simple local area networks (LANs) or more advanced setups with routing capabilities.

Another significant characteristic of the C613-16164-00 REV E is its high-speed data transfer capabilities. With support for Gigabit Ethernet, the device ensures that data can be transmitted quickly and efficiently across the network. This is particularly important for businesses that rely on heavy data usage and need to maintain performance standards even during peak hours.

Additionally, the C613-16164-00 REV E features advanced security measures, including VLAN support and port security configurations, which help protect sensitive information and prevent unauthorized access. This is essential for businesses that handle confidential data and must comply with industry regulations.

In terms of manageability, the device supports SNMP (Simple Network Management Protocol), allowing for easy monitoring and management of network resources. Network administrators can efficiently manage the device and optimize performance with minimal effort, improving overall productivity.

The design of the C613-16164-00 REV E is also noteworthy; it is built for durability, often featuring a compact form factor that makes installation straightforward without compromising on performance. Its compatibility with various Allied Telesis products ensures that organizations can build a cohesive network ecosystem.

In conclusion, the Allied Telesis C613-16164-00 REV E stands out as an excellent networking solution characterized by its support for multiple networking layers, high-speed data transfer, and robust security features. Ideal for both small to medium enterprises and larger organizations, it helps ensure that businesses can maintain efficient and secure operations in a constantly evolving digital landscape.
Top Page Image Contents