Benefits and applications of multi-vrf – Brocade Multi-Service IronWare Routing Configuration Guide (Supporting R05.6.00) User Manual
53-1003033-02
Overview of Multi-VRF
Benefits and applications of Multi-VRF
Multi-VRF provides a reliable mechanism for a network administrator to maintain multiple virtual
routers on the same device. The goal of providing isolation among different VPN instances is
accomplished without the overhead of heavyweight protocols used in secure VPN technologies or
the administrative complexity of MPLS VPNs. It is particularly effective when operational staff has
expertise in managing IP networks but may not have the same familiarity in managing MPLS
networks. Overlapping address spaces can be maintained among the different VPN instances.
As the two examples in the following sections demonstrate, the simplicity of Multi-VRF allows for
several interesting applications.
Example of Multi-VRF usage in an enterprise data center
The figure displays an example of Multi-VRF in an enterprise data center. Each server farm is used
for a dedicated application or set of applications. For security reasons, only specific servers in this
farm may be allowed to communicate with other servers. Access in some cases may be completely
prohibited, whereas in other cases access may be allowed through the firewall. Each server is
placed on a different subnet. To ensure optimal performance of the data center, trusted servers
should be allowed to communicate directly, whereas untrusted servers should not be allowed to
communicate directly at all. While the figure shows a limited number of servers, in practice the
number of servers used for this application can run from the tens to the hundreds.
A common way to configure this example is by using Policy Based Routing (PBR). However, because
PBR can become very difficult to administer and manage as the network begins to grow, it may
require frequent configuration changes, which are prone to introducing operator errors.
MPLS VPNs can also be used to configure this example. However, they may be too heavyweight for
what needs to be accomplished in this scenario. In addition, operational staff in enterprise data
centers may not always be conversant with administering MPLS.
Secure VPN technologies like IPsec are not required here because the infrastructure is already
secure. Therefore, the overhead of encryption is not needed.
Multi-VRF is an ideal solution for an application like this example. The servers that are allowed to
communicate can be placed in the same Multi-VRF instance. If server access is to be controlled at
a more granular level (e.g. at the application layer), then traffic from specific applications on that
server can be sent on a specific tagged interface to the router in Cluster A. As shown in the figure,
a highly redundant cluster is achieved by ensuring that no single node becomes a point of failure
within this network.
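The placement rule above can be checked mechanically. The following Python sketch is an added example, not code from the Brocade guide: it models one route table per VRF to show why overlapping prefixes do not collide, and audits server placement against an intended policy. The VRF names, interface names, addresses and server names are constructed, and the model assumes no route leaking between VRFs.

```python
import ipaddress

class MultiVrfRouter:
    """Toy model of one device holding an independent route table per VRF."""

    def __init__(self):
        self.tables = {}     # VRF name -> list of (network, next hop)
        self.iface_vrf = {}  # interface name -> VRF name

    def bind(self, iface, vrf):
        self.iface_vrf[iface] = vrf
        self.tables.setdefault(vrf, [])

    def add_route(self, vrf, prefix, next_hop):
        self.tables.setdefault(vrf, []).append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, in_iface, dst):
        """Longest-prefix match using only the ingress interface's VRF table."""
        addr = ipaddress.ip_address(dst)
        hits = [(net, nh) for net, nh in self.tables[self.iface_vrf[in_iface]] if addr in net]
        # No match means no route in this VRF; other VRFs are never consulted.
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def audit(router, server_iface, allowed, denied):
    """List placements that contradict the intended server-to-server policy."""
    def vrf(server):
        return router.iface_vrf[server_iface[server]]
    bad = [f"{a}<->{b}: allowed but in different VRFs" for a, b in allowed if vrf(a) != vrf(b)]
    bad += [f"{a}<->{b}: denied but share VRF {vrf(a)}" for a, b in denied if vrf(a) == vrf(b)]
    return bad

def build_example():
    """Constructed sample: two server farms reusing the same private prefix."""
    r = MultiVrfRouter()
    for iface, vrf in [("ve10", "farm-a"), ("ve11", "farm-a"), ("ve20", "farm-b")]:
        r.bind(iface, vrf)
    r.add_route("farm-a", "10.1.0.0/24", "ve11")
    r.add_route("farm-a", "10.1.0.0/16", "firewall-a")
    r.add_route("farm-b", "10.1.0.0/24", "ve20")  # overlaps farm-a, by design
    return r

if __name__ == "__main__":
    r = build_example()
    servers = {"web": "ve10", "db": "ve11", "guest": "ve20"}  # constructed
    print(r.lookup("ve10", "10.1.0.5"), r.lookup("ve20", "10.1.0.5"))
    print(r.lookup("ve20", "10.9.9.9"))
    print(audit(r, servers, allowed=[("web", "db")], denied=[("web", "guest")]))
```

An empty list from audit means every allowed pair shares a VRF and no denied pair does; moving an untrusted server's interface into a trusted VRF shows up as a violation.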
TABLE 61   Comparison between Multi-VRF and BGP or MPLS VPNs

                                                   Multi-VRF             BGP or MPLS VPNs
Overlapping Private Addresses allowed over VPNs?   Yes                   Yes
Scalability                                        Reasonably Scalable   Highly Scalable
MPLS Required                                      No                    Yes