Posted on August 28, 2020 2:15 pm
 |  Asked by Joali Barajas

We would like to know which scenario/architecture would be the best to isolate internal subnets with a firewall. We have proposed 2 options:


  • VRFs, in which we would put the internal subnets (interface VLANs) on a different VRF and communicate between VRFs (let’s call them internal vs. external) through a firewall.
  • Dynamic routing, in which we would put the firewall between the core router and the MPLS/MAN/WAN routers, with OSPF between them.

Please take into account the following: the main objective is to inspect the North-South traffic only, and NOT to inspect the East-West traffic.

Posted by Philippe Bureau
Answered on August 28, 2020 3:15 pm


Both options are good.  It comes down to your security policies.

Physical vs virtual separations.

Using VRFs allows you to do route leaking between VRFs if you want to have exceptions for some traffic to bypass the firewall, or to bypass the firewall during its maintenance. But it is also a risk to manage, as a misconfiguration of route leaking could totally bypass the firewall and expose the internal VLANs.


Posted by Tyler Conrad
Answered on August 28, 2020 3:38 pm

Hard to say without seeing a topology diagram - one point though, if your firewall and devices support BGP, I would use that instead if you end up going with a dynamic routing model. I've tried OSPF in a previous role across a few different vendor firewalls, and always ended up getting burned. BGP is a simpler protocol to implement, and much more likely to be successful.

Posted by Alexis Dacquay
Answered on September 1, 2020 11:29 am

Hi Joali,
If you want to "isolate internal subnet", then I would have expected some form of security concern about inter-VLAN communications. But since you insist that you only care about North-South, you don't need to care about isolating the subnets from each other, and therefore don't need a different routing instance (VRF) per VLAN.

May I ask why you were considering VRFs in the first place, since you don't care about isolating the routing between them? I am just trying to understand the requirements completely; maybe I missed something.

If the firewall is in Layer3 routing mode, then sure you can just route through it.
In some environments the firewall is the default gateway, so you need to stretch Layer 2 to it. But many modern designs use the first-hop switch as the default gateway, as in the case you describe, with an SVI and possibly a virtual IP common across all the switches. In that case the traffic can be routed towards the firewall.

The two scenarios you described are actually identical: in both cases the traffic is routed.
The difference is whether you separate the routing information across multiple VRF, or everything is inside a single routing table.

At scale, L3 EVPN can make it much easier to carry L3 VPN routing information, as opposed to having many VRF-lite instances of the routing protocols.

With limited knowledge of your scenario, simple routing (your option 2) would be the simplest, but I admit it's the least employed because of the potential security risk between the subnets. After all, you did mention "isolate internal subnet".

If you are simply looking at sharing a switch and share "Internal" and "External" on the same switch, then yes VRF can be used. It is typical in a DMZ.

Internet --> DMZswitch-VRFInternet --> Firewall --> DMZswitch-VRFClean --> Internal switches

If you don't intend to share the same switch "DMZswitch" for both roles (Internet-facing and "Clean") then you don't need to care about the local VRFs. But that works well, depending on your security requirements.
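Added example (not code from the thread, from the poster, or from any vendor) tying together Philippe's caveat that a misconfigured route leak can bypass the firewall and Alexis's two-VRF DMZswitch layout: a small Python audit of a constructed, simplified Cisco/Arista-style switch config with an INTERNET VRF and a CLEAN VRF joined only through the firewall. The VRF names, addresses, route-targets and the config syntax are all assumptions made for this example. The check resolves each static route's next hop against the connected subnets and reports any next hop that lives in a different VRF than the route itself, plus any `route-target import` of a route-target exported by another local VRF, since either one moves traffic between the VRFs without crossing the firewall.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): one DMZswitch carrying an
# INTERNET VRF and a CLEAN VRF that should only meet through the firewall.
# Simplified Cisco/Arista-style syntax assumed for illustration only; the
# last static route and the "route-target import" line are deliberate leaks.
SAMPLE_CONFIG = """\
vrf instance INTERNET
   route-target export 65000:1
vrf instance CLEAN
   route-target export 65000:2
   route-target import 65000:1
!
interface Ethernet1
   vrf INTERNET
   ip address 203.0.113.2/30
!
interface Ethernet2
   vrf INTERNET
   ip address 10.255.0.1/30
!
interface Ethernet3
   vrf CLEAN
   ip address 10.255.1.1/30
!
interface Vlan10
   vrf CLEAN
   ip address 10.10.10.1/24
!
ip route vrf INTERNET 0.0.0.0/0 203.0.113.1
ip route vrf INTERNET 10.0.0.0/8 10.255.0.2
ip route vrf CLEAN 0.0.0.0/0 10.255.1.2
ip route vrf CLEAN 198.51.100.0/24 203.0.113.1
"""


def parse_config(text):
    """Return (interfaces, vrfs, static routes) parsed from the config text."""
    ifaces = {}   # name -> {"vrf": str, "addr": ip_interface or None}
    vrfs = {}     # name -> {"import": set(), "export": set()}
    routes = []   # (vrf, prefix, next_hop)
    ctx = None    # ("vrf", name) or ("iface", name) while inside a block
    for raw in text.splitlines():
        if raw.strip() in ("", "!"):        # block terminator
            ctx = None
            continue
        if not raw.startswith(" "):        # top-level command
            ctx = None
            if m := re.match(r"vrf instance (\S+)$", raw):
                vrfs.setdefault(m[1], {"import": set(), "export": set()})
                ctx = ("vrf", m[1])
            elif m := re.match(r"interface (\S+)$", raw):
                ifaces[m[1]] = {"vrf": "default", "addr": None}
                ctx = ("iface", m[1])
            elif m := re.match(r"ip route vrf (\S+) (\S+) (\S+)$", raw):
                routes.append((m[1], ipaddress.ip_network(m[2]), ipaddress.ip_address(m[3])))
            continue
        if ctx is None:                    # indented line outside any block
            continue
        (kind, name), sub = ctx, raw.strip()
        if kind == "vrf":
            if m := re.match(r"route-target (import|export) (\S+)$", sub):
                vrfs[name][m[1]].add(m[2])
        elif kind == "iface":
            if m := re.match(r"vrf (\S+)$", sub):
                ifaces[name]["vrf"] = m[1]
            elif m := re.match(r"ip address (\S+)$", sub):
                ifaces[name]["addr"] = ipaddress.ip_interface(m[1])
    return ifaces, vrfs, routes


def vrf_of_next_hop(ifaces, next_hop):
    """VRF whose connected subnet contains next_hop, or None if unresolved."""
    for data in ifaces.values():
        if data["addr"] is not None and next_hop in data["addr"].network:
            return data["vrf"]
    return None


def audit(text):
    """List leaks across VRFs: a static next hop that resolves in another
    VRF, or an import of another local VRF's route-target. Routes toward
    the firewall resolve in their own VRF, so they are not reported.
    """
    ifaces, vrfs, routes = parse_config(text)
    findings = []
    for vrf, prefix, next_hop in routes:
        nh_vrf = vrf_of_next_hop(ifaces, next_hop)
        if nh_vrf is None:
            findings.append(("unresolved-next-hop", vrf, str(prefix), str(next_hop)))
        elif nh_vrf != vrf:
            findings.append(("static-leak", vrf, str(prefix), str(next_hop)))
    for name, rts in vrfs.items():
        for rt in sorted(rts["import"]):
            for other, other_rts in vrfs.items():
                if other != name and rt in other_rts["export"]:
                    findings.append(("rt-import-leak", name, other, rt))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports two findings: the CLEAN static route to 198.51.100.0/24 whose next hop 203.0.113.1 sits on the INTERNET uplink, and the CLEAN import of route-target 65000:1 exported by INTERNET. Remove those two lines and it returns an empty list; the legitimate defaults pointing at the firewall's inside and outside addresses are never flagged, because each resolves within its own VRF. A next hop that matches no connected subnet is reported separately rather than silently passed, since on a real box that is exactly where an unexpected leak via a recursive or next-hop-VRF route would hide.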

