VRF (Virtual Routing and Forwarding) is a routing mechanism that fits scenarios where customers have overlapping IP address spaces. It separates the RIB (routing table) into multiple instances, which conserves IP addresses while still providing end-to-end connectivity just as the normal global RIB does. It also means that the same devices can be reused to accommodate multiple clients or services, i.e. multiple separate forwarding paths, which in effect minimizes CAPEX.
One of the newer IPSec enhancements adds VRF awareness, so that multiple sites with overlapping IP space (for example, MPLS VPN-connected sites) can benefit from an additional IPSec layer on top of the VRF, providing data integrity, data confidentiality (encryption), and replay protection.
A VRF-enabled IPSec environment is driven by two key definitions, namely the two VRF domains:
- The outer, encapsulated packet belongs to one VRF domain, the FVRF (front VRF). Our VPN endpoint termination sits in the FVRF, and its address can serve as the source IP for multiple client IPSec tunnels. VRF-enabled IPSec can exist without an FVRF too; however, in order to distinguish the global RIB service from the VRF-enabled service, an FVRF will be used in this topology. The FVRF carries the encrypted traffic, i.e. it is the VPN tunnel endpoint.
- The inner, protected IP packet belongs to another domain called the IVRF (internal VRF). This references the VRF that is assigned on a per-client basis. The IVRF carries the decrypted (clear-text) traffic, i.e. it references the interesting traffic.
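The following configuration is an added example, not part of the original article, showing how the two domains are tied together on a classic Cisco IOS router using a static virtual tunnel interface. The VRF names, interfaces, addresses and key are constructed placeholders; the example assumes the IVRF is inherited from the tunnel interface's own VRF.

```cisco
! Added example (not from the article): VRF-aware IPsec with a static VTI.
! FVRF carries the encrypted outer packets; IVRF carries clear-text
! customer traffic. All names, addresses and the key are constructed.
ip vrf FVRF
 rd 65000:1
ip vrf IVRF
 rd 65000:100
! The IKE keyring lives in the FVRF, because that is where the
! peer's outer address is reachable.
crypto keyring KR-CUSTA vrf FVRF
 pre-shared-key address 203.0.113.2 key REPLACE-WITH-STRONG-PSK
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! The peer identity match is also qualified with the FVRF name.
crypto isakmp profile ISAKMP-CUSTA
 keyring KR-CUSTA
 match identity address 203.0.113.2 255.255.255.255 FVRF
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-CUSTA
 set transform-set TS-AES256
 set isakmp-profile ISAKMP-CUSTA
! Physical WAN interface: holds the outer address, so it is in the FVRF.
interface GigabitEthernet0/0
 ip vrf forwarding FVRF
 ip address 203.0.113.1 255.255.255.0
! The tunnel interface sits in the IVRF (inner traffic), while
! "tunnel vrf" makes it send and receive ESP inside the FVRF.
interface Tunnel100
 ip vrf forwarding IVRF
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel vrf FVRF
 tunnel protection ipsec profile IPSEC-CUSTA
! Customer LAN: may overlap with other clients because it exists only in IVRF.
interface GigabitEthernet0/1
 ip vrf forwarding IVRF
 ip address 192.168.1.1 255.255.255.0
! Route the remote customer prefix through the tunnel, inside the IVRF RIB.
ip route vrf IVRF 192.168.2.0 255.255.255.0 Tunnel100
```

To check the split in practice, `show crypto session` lists the IKE peer reached via the FVRF, while `show ip route vrf IVRF` shows only the clear-text customer prefixes pointing at Tunnel100.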