It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Virtual Routing and Forwarding (VRF)

  • Last updated on

Virtual routing and forwarding (VRF) is a technology based on the operating principle of a physical router. Unlike a single router, virtual routers (VR) can be run simultaneously as multiple instances. Each of these instances uses its own routing and forwarding table. Because each virtual router instance (VRI) runs autonomously, network traffic on the assigned interfaces is separated from the traffic managed by other virtual routers. This special separation of networks increases network security without having to use VPNs like on a common network. Because it is possible to use the same IP addresses or IP ranges on multiple virtual routers, which can even overlap without conflicting each other, virtual routers can also be used for managing network traffic for multiple networks with identical network configurations simultaneously on the firewall.

Virtual routing can be used to segment network paths without using additional devices. The number of network paths is limited only by the number of available network interfaces. The concept of keeping traffic on multiple network paths separated can be overridden by configuring access rules that forward specific traffic from one path to another. As an example, all traffic from different network paths can be routed to a common path that leads to the Internet, thereby reducing the overhead for configuring access rules for routed traffic that flows from different networks to the Internet simultaneously. By combining different types of interface types, like network, VLAN or bundled interfaces, the different possibilities offer a huge variety of applications.

vr_forwarding.png

Virtual Router Naming and Identification

For configuration purposes, each virtual router instance receives a unique logical ID and a name. The firewall's standard routing instance is named 'default' and has the virtual router ID = 0. These two values cannot be changed. Unlike a user-defined virtual router instance, the default router instance cannot be deleted. Every additional virtual router instance can be configured individually. The virtual router IDs are set automatically in the range between 1 and 255 when a new instance is created. The virtual router ID can also be entered manually for special purposes, e.g., for configuring an HA cluster where all virtual routers must be configured identically on both HA partners. In addition, this ID is required for assigning virtual router instances in VPN configurations.

Never change a VR ID that has already been assigned to a VR instance!

If it is necessary to change the VR ID of a virtual router instance, be prepared to plan the usage of VR IDs. In case VR instance are already configured, delete existing VR instances completely from the firewall before assigning new IDs!

The maximal number of additional configurable virtual router instances varies depending on the firewall model:

ModelRAM [GB]Additional VRF InstancesTotal VRF Instances
(Default + virtual)
F122910
F182910
F802-4910
F824910
F1802-4910
F1834910
F183R4910
F184R4910
F200, F201, F300, F301-n.a.n.a.
F2804910
F380434
F400434
F6008910
F800241920
F900321920
F10001282425
Cloud Level 1n.a.01
Cloud Level 2n.a.12
Cloud Level 4n.a.34
Cloud Level 6n.a.56
Cloud Level 8n.a.78
VF10, TSF10, TSFp10n.a.01
VF25, TSF25, TSFp25n.a.01
VF50, TSF50, TSFp50n.a.01
VF100, TSF100, TSFp100n.a.12
VF250, TSF250, TSFp250n.a.12
VF500, TSF500, TSFp500n.a.34
VF1000, TSF1000, TSFp1000n.a.56
VF2000, TSF2000, TSFp2000n.a.78
VF4000, TSF4000, TSFp4000n.a.910
VF8000, TSF8000, TSFp8000n.a.1920

Virtual Routers, Network and Dynamic Interfaces, VLAN, and Ethernet Bundled Interfaces

VLANs can be configured for each network interface. If necessary, both network and VLAN interfaces can be combined to Ethernet bundled interfaces. With their specific characteristics, each of these interface types can be assigned to a virtual router.

InterfaceSupported
Network Interfaces (eth0, eth1, ...)Yes
Bundled Interfaces

Yes

VLAN InterfacesYes
Dynamic InterfacesNo

Management Interface and Virtual Routers

Because licenses are bound to the MAC address of the network interface on which the management IP is configured, the management interface must always reside under control of the default router.

Never assign the management IP to an interface that is managed by an additional virtual router instance unless you want your firewall to fall back into grace mode.

For more information about the grace period and the validity of licenses, see Validity.

Remote Management Tunnels and Virtual Routers

Default routes can also be assigned to VR instances. When you must manage your firewall via a remote management tunnel, always configure a default route on the default router instance. This is necessary because the connection service on port 692 for the remote management tunnel is supported only in the default router instance.

When managing your firewall using a remote management tunnel, never delete the default route on your default router instance unless you do not want your firewall to be manageable by the Control Center!

For more information on how to configure a remote management tunnel, see How to Configure a Remote Management Tunnel for a CloudGen Firewall.

Virtual Routers and Services

All services that run on top of a server are available only for the default router instance. Some services can be used on additional virtual router instances if certain conditions are met:

Service / Feature

Availability for
default VR

Availability for
additional VRs

Comments
Access Control Service*YesNo

*Only for administrative purposes

DHCP Relay ServiceYesNo 
DHCP ServiceYesNo 
DNS ServiceYesNo 
FTP Gateway ServiceYesNo 
Firewall ServiceYes

*Yes

*Only if authenticated users are NOT defined.

HTTP ProxyYesNo 
Mail GatewayYesNo 
OSPF/RIP/BGP ServiceYesNo 
SNMP ServiceYesNo 
Spam Filter ServiceYesNo 
SSH Proxy ServiceYesNo 
URL Filter Service

Only available for HTTP Proxy.

*Available for the Firewall service.

No*Check license dependency for Application Control.
Access Controller
VPN Service
YesNo 
VPN Service

Yes

Yes: using VPN Interface Index.

  • Only TINA and site-to-site VPN.
  • No IKEv1/v2.
  • No client-to-site VPN.
 
Virus Scanner Service*Yes*Yes*If feature is licensed. See also Virtual Routers and Application Control below.
Local DNS cacheYesNoAlso available for additional virtual routers if traffic is redirected to default router.
DNS InterceptionYesNoAlso available for additional virtual routers if traffic is redirected to default router.

Virtual Routers and Application Control

If Application Control is licensed, some restrictions may apply.

FeatureAvailable to
default VR
Available to
additional VRs
Application ControlYesYes
SSL InspectionYesYes
URL Filter in the FirewallYesFor firewall service only
Virus ScannerYes

Only configurable for
default VR instance.
Configuration of
default router applies.

ATP

ATP scan available.
Quarantine available.

ATP scan available.
Quarantine NOT available.
File Content ScanYesYes
Archive Content ScanYesYes
Mail DNSBL CheckYesYes
Link ProtectionYesYes
SafeSearchYesYes
Google AccountsYesYes

Virtual Routers and Access Rules

Access rules control how and whether traffic can pass from one interface to another. If only one router is used on the firewall, managing an access rule in the rule list is straightforward. However, if multiple virtual router instances live side by side in a common environment, it is recommended to build rule lists in order to maintain an overview of the access rules that refer to different virtual router instances.

For more information, see How to Create New Rule Lists.

Configuring and Activating Virtual Routers

Configuring a virtual router is similar to configuring IP addresses and routing tables. However, there are some differences in the workflow due to the conditions described in this article.

For more information, see How to Configure and Activate a Virtual Router Instance with Hardware, Virtual, VLAN, or Bundled Interfaces.

Redirecting Traffic between Multiple Virtual Router Instances

The idea of virtual routers is to separate traffic between multiple network paths. In certain cases, however, it may be useful to redirect traffic between separated paths or from multiple paths to a common path, e.g., to the Internet.

For more information, see How to Redirect Traffic between Multiple Virtual Router Instances.

Virtual Routers and High Availability

Virtual routers can also be configured on HA partners. Because HA partners must (with some exceptions) be configured identically, there are three different ways for configuring virtual routers depending on how the partners are managed in a network environment. In all cases, the administrator is responsible for setting up an identical configuration in order to ensure that syncing between the two HA partners will work as expected.

Virtual Routers and VPN

Virtual routers also support Virtual Private Networks (VPNs). The VPN service is fully available to the default router instance. When using VPN in connection with an additional virtual router, TINA and site-to-site VPN are the only protocols supported. Client-to-site VPN and IKEv1/V2 tunnels are not available to additional virtual routers.