I realize it may be a basic question (to the point I’m almost ashamed of asking it) but what is the point of using VRF?
I understand what it does I think. It allows for creating multiple virtual routers in a sense that routing decisions are separated into distinct segments, giving me multiple routing tables. This can be used to separate devices into discrete non-conflicting domains. By default the traffic cannot cross between these domains, unlike VLANs.
However, I’m struggling to see the benefit of VRF over VLAN+firewall. VLANs give me an easy way of separating the traffic of different kind (e.g. IPTV and normal) with rules in place to prohibit routing between different subnets. How is VRF different in that respect?
The only thing I found so far is that VRF allows for operation of networks where there are logically separated networks which have conflicting subnets (e.g. merge of two companies).
First of all, VRF’s are very often used for providing customers with MPLS L3 VPN’s. This allows an ISP to give a customer a managed service whereby they handle the routing between the customer’s individual locations and their internal networks. Most such customers have the same internal private network as some other customer (ex. two completely different customers using 192.168.1.0/24 internally), which would break this entire setup if you relied on traditional routing. Fortunately, with VRF’s, the subnet need not be unique globally - only unique within the VRF. So you could have one customer with 192.168.1.0/24 and another customer with the exact same subnet, and route them differently for the two customers so you never have to worry about issues.
We do not deliver MPLS L3 VPN’s at the moment, but are interested in VRF’s in ROS 7 particularly as a potential better way of separating out management vs. customer traffic. We have approximately 140 routers in the field all of which have the same 50 firewall rules. Every time we make a firewall rule change we have to deploy it to all 140 routers. Keeping everything in sync doesn’t always work and we have some drift and issues as a result. If we split things into different VRF’s (one for management, one for customers) we could potentially keep customer traffic and management traffic separated on a series of routers going all the way back to our core, so that we wouldn’t need a firewall at all on those 140 routers and yet still keep them secure. I still have to work out the details as to whether this will be possible in RouterOS v7 (it does not seem to be in ROS 6), but it is something I am interested in doing for our network.
Thanks, but this description is too simplistic, even those who have more than one WAN and don’t use VRF can have more than one routing table inside the router…
And have certain interfaces and/or VLAN’s “bound” exclusivly to this routing-domain.
By default there is strict separation between these routing-domains, only by “leaking” routes between the VRF you can have some “inter-VRF” routing.