Could anybody shed light on why it poses a security concern without VRF?
johnifanx98
Member Posts: 329
Intro to VRF lite - Packet Life
When introducing VRF, it reads,
Obviously, the addition of a "back door" Internet access link opens a huge security hole, but we can employ VRFs here to segment the single physical infrastructure into two virtual, isolated networks.
Comments
kmcintosh78 Member Posts: 195
I believe it has to do with the idea that packets traversing the non-MPLS network can be intercepted outside the ISP-established MPLS network.
MPLS is basically a virtual network, where the ISP has created the confinement, hence VRF.
VRF Lite will just head out into the wide open internet.
If I am wrong, someone please correct me.
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)

Forsaken_GA Member Posts: 4,024
It has nothing to do with MPLS. VRF Lite is just employing VRFs without an MPLS network being involved.
As for why it's a security hole, take a look at the diagram. To the right, you have the Corporate Internet access, which goes through a firewall.
To the left, you have the Guest internet access, which goes directly to the core router. That's why it's a security hole: the guest internet circuit would entirely bypass all the normal security mechanisms and allow direct access to the internal network from the internet, and vice versa. That is a Bad Thing.
With VRFs, the core router simply puts the guest internet access into its own routing instance, and the traffic from the two networks will never meet.
Conceptually, it's like a layer 3 VLAN. At layer 2, VLANs can't directly communicate with each other; there has to be a layer 3 device involved. Devices in differing VRFs also cannot communicate with each other without very specific configuration on the router.
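As an added illustration of the segmentation described in the thread (not from the Packet Life article or any poster), here is a VRF-lite configuration for the core router in Cisco IOS syntax. The VRF name GUEST, the interface names and the RFC 5737/1918 addresses are assumptions; the corporate side is left in the global routing table so its only default route points at the firewall.

```cisco
! Added example: one GUEST VRF on the core router, corporate traffic stays in the global table.
! Addresses, interface names and the route distinguisher are constructed for this example.
ip vrf GUEST
 description Guest Internet circuit, isolated from the corporate network
 rd 65000:2
!
interface GigabitEthernet0/1
 description Guest Internet circuit (back-door link from the diagram)
 ip vrf forwarding GUEST
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Guest wireless VLAN, uplink toward guest users
 ip vrf forwarding GUEST
 ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/3
 description Corporate side, default route goes only to the firewall
 ip address 10.0.0.2 255.255.255.252
!
! Default route inside the GUEST table only; the global table never learns it.
ip route vrf GUEST 0.0.0.0 0.0.0.0 203.0.113.1
! Corporate default: toward the firewall, in the global table.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Verification: the two tables should show no overlap.
! show ip route vrf GUEST     -> only 192.168.100.0/24, 203.0.113.0/30 and the guest default
! show ip route               -> corporate prefixes and the firewall default, no guest routes
! ping vrf GUEST 10.0.0.1     -> must fail: GUEST has no route to the corporate side
```

Note that applying `ip vrf forwarding` to an interface removes any IP address already configured on it, so the address must be (re)entered afterwards as shown. Leakage between the tables only happens if someone deliberately adds route targets, static routes with a global next hop, or similar import/export configuration, which is the "very specific configuration" the reply refers to.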