Managing virtual routing and forwarding (VRF) tables

Expand all | Collapse all

Kaspersky SD-WAN supports the Virtual Routing and Forwarding (VRF) technology for creating virtual routing and forwarding tables on CPE devices. You can create up to 100 virtual routing and forwarding tables.

When creating a virtual routing and forwarding table, you must select network interfaces that you want to add to it. You cannot add the same network interface to multiple virtual routing and forwarding tables. Network interfaces for connecting the CPE device to the controller and orchestrator are automatically added to the default virtual routing and forwarding table and you cannot add them to other virtual routing and forwarding tables.

If network interfaces are added to different virtual routing and forwarding tables, networks connected to these network interfaces do not have access to each other. In this situation, network interfaces can have IP addresses from identical or overlapping subnets.

When you create a virtual routing and forwarding table, a system network interface corresponding to this virtual routing and forwarding table is automatically created on the CPE device. This system network interface is used to forward traffic between network interfaces in the virtual routing and forwarding table. For the system network interface to work, you need to create a record for it in the orchestrator web interface.

If no firewall zones are assigned to network interfaces in the virtual routing and forwarding table, you need to make sure that by default, the firewall of the CPE device accepts traffic packets forwarded between network interfaces and subnets. You can specify default actions when configuring the basic settings of the firewall.

If firewall zones are assigned to network interfaces in the virtual routing and forwarding table, and the CPE device firewall does not, by default, accept traffic packets forwarded between network interfaces and subnets, you must assign a firewall zone to the system network interface. The assigned firewall zone must also be assigned to one of the network interfaces in the virtual routing and forwarding table.

You can add BGP routes and static routes to virtual routing and forwarding tables of a CPE device. To add BGP routes to a virtual routing and forwarding table, specify that virtual routing and forwarding table when editing basic BGP settings. To add a static route to a virtual routing and forwarding table, specify that virtual routing and forwarding table when adding the static route.

You can use virtual routing and forwarding tables in the following scenarios:

• Network segmentation using virtual routing and forwarding tables

  You can create virtual routing and forwarding tables to segment your network. In the figure below, Network 1 is built between the 'overlay1' network interface and user PCs, and Network 2 is built between the 'overlay2' network interface and ATMs. Both network interfaces are in the default virtual routing and forwarding table (Default VRF), so the networks have access to each other and are insecure.

  

  Network interfaces connected to different networks in the virtual default routing and forwarding table

  To isolate Network 1 and Network 2, the overlay1 and overlay2 network interfaces must be added to different virtual routing and forwarding tables, which creates two segments (see the figure below).

  

  Network interfaces connected to different networks are in separate virtual default routing and forwarding tables

• Sending the 0.0.0.0/0 over BGP.

  You can create a separate virtual routing and forwarding table for sending the 0.0.0.0/0 route between devices over BGP. The figure below shows a CPE device with the SD-WAN gateway (GW) role and a standard device. All CPE devices in the network are added to the default virtual routing and forwarding table.

  If the SD-WAN gateway sends the 0.0.0.0/0 BGP route from overlay network interface 10.10.10.254/24 to overlay network interface 10.10.10.1/24, such a route cannot be used. This is the case because the default virtual routing and forwarding table already has 0.0.0.0/0 routes with a lower administrative distance for connecting to the controller and orchestrator.

  

  Sending the 0.0.0.0/0 route to a CPE device with the default virtual routing and forwarding table

  To send route 0.0.0.0/0 over BGP through the overlay 10.10.10.254/24 network interface to overlay 10.10.10.1/24, you must create a separate table for the overlay 10.10.10.1/24 network interface and add BGP routes to it (see the figure below).

  

  Sending the 0.0.0.0/0 route to a CPE device with a separate virtual routing and forwarding table for BGP routes

The table of virtual routing and forwarding tables is displayed in the CPE template and on the CPE device:

• To display the table of virtual routing and forwarding tables in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and select the VRF tab.
• To display the table of virtual routing and forwarding tables on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and select the VRF tab.

Information about virtual routing and forwarding tables is displayed in the following columns of the table:

• Name is the name of the virtual routing and forwarding table.
• Table is the ID of the virtual routing and forwarding table.
• Interfaces are network interfaces that have been added to the virtual routing and forwarding table.

In this section Creating a virtual routing and forwarding table Modifying the virtual routing and forwarding table Deleting a virtual routing and forwarding table

Page top