Layer 3 Vpn Vrf Terminations at FWSM

The FWSM does not have any knowledge of the Layer 3 VPNs. The Layer 3 VPN services can be terminated at the Layer 3 next hop router connected to the FWSM. The FWSM interfaces can be configured to map different Layer 3 VPNs (Virtual Route Forwarding, or VRF), by associating the interface with the next hop Layer 3 device, where the VRF tag is removed. The removal of the VRF tag makes the FWSM receive regular IP packets. The Layer 3 VPN technology references MPLS Layer 3 VPN or multi-VRF technologies. Using this concept of terminating the Layer 3 VPN traffic, the FWSM can apply security rules to the traffic. The Layer 3 VPN traffic (defined in RFC 2547) and segregation of traffic are maintained across security domains.

What is a VRF?

A Layer 3 VPN is associated with separate routing/forwarding instances called VRF. Every VPN membership is defined as a VRF. A VRF consists of the following:

• An IP routing table derived from the Cisco Express Forwarding (CEF) table

• A separate routing protocol table for the Layer 3 VPN

• A set of interfaces that use the forwarding table

Network virtualization can be achieved by enabling the following:

These four solutions are well suited for network virtualization in an enterprise environment and can use Layer 2 or Layer 3 segregation technologies:

• GRE tunnels: Routing segregation can be achieved by running GRE tunnels across the administered infrastructure. GRE tunnels are good for a small deployment. For a large-scale deployment for network virtualization, the GRE solution is not recommended.

• Multi-VRF: VRF-lite is a Cisco feature that also goes by the generic name of multi-VRF. It virtualizes the routing domains by enabling a single routing device to support multiple virtual routers. This segregation has local significance only on the router. With VRF-lite, network managers enjoy the flexibility of using any IP address space for any given Layer 3 VPN, regardless of whether it overlaps or conflicts with the address space of other VPNs. This flexibility is beneficial in many scenarios.

• MPLS Layer 3 VPNs: Another way to partition a campus network is using MPLS-based Layer 3 VPNs. MPLS VPNs provide logical separation of networks on a common physical infrastructure. This provides a solution for campus separation by enabling a single routing device to support multiple virtual routers. IP address space for any given VPN can overlap with another VPN's address space.

• L2TPv3: Layer 2 Tunneling Protocol version 3 (L2TPv3) allows service providers and large enterprises with native IP core networks to offer high-speed Layer 2 tunneling or Layer 3 VPN segregation.

Figure 23-1 shows the logical flow of packets in a VRF through the FWSM with an example. Here the VRF in the outside security domain is depicted as RED. The Layer 3 VPN header information is removed at the Layer 3 next hop device connected to the FWSM. The packet enters the FWSM as an IP packet. After the packet leaves the FWSM in another security domain, the Layer 3 next hop device in the new security domain can add Layer 3 VPN definition to the packet. The packet can be placed in a new Layer 3 VPN or maintained in the old Layer 3 VPN.

Figure 23-1 Logical Flow of Packets for VRF Termination Concept on Layer 3 FWSM

Figure 23-1 Logical Flow of Packets for VRF Termination Concept on Layer 3 FWSM

The outside interface in the switched virtual interface (SVI) is represented in VRF out (outside). The VRF out has its own virtual routing table.

The demilitarized zone (DMZ) is represented in the VRF dmz. The inside security domain is represented in the global routing table. The scenario in Figure 23-2 shows multiple VRF terminations at different security zones. The traffic from these VRFs flows to the global routing domain through the FWSM.

Figure 23-2 VRF Termination on FWSM

Figure 23-2 VRF Termination on FWSM

Because the FWSMs do not inspect labeled traffic, the key to pass the traffic through the security zones is to remove the Layer 3 VPN VRF tag from the packet before it reaches the FWSM. The IP packet traverses through the FWSM.

In this design, a single PFC is used for configuring a Layer 3 device for all security domains. The single PFC represents the Layer 3 next hop device at the outside and inside security domains. This is achieved by segregating the routing plane using VRF segregation.

In practical scenarios, multi-VRF using 802.1q or multiprotocol label switching (MPLS) can be used to extend these virtual domains across multiple Layer 3 hops.

Was this article helpful?

+1 0

Post a comment