This repository hosts the network architecture and configurations for a segmented corporate environment. The design prioritizes security through VRF-Lite (control-plane isolation) and Zone-Based Policy Firewall (stateful data-plane protection).
The network is logically partitioned into five Virtual Routing and Forwarding (VRF) instances. This ensures that by default, traffic from one department cannot reach another unless explicitly "leaked" through BGP Route Targets.
| VRF Name | RD | Purpose | Import Logic (Connectivity) |
|---|---|---|---|
| VRF_FIN | 65000:10 | Finance Dept | Imports TECH (Shared) & INTERNET |
| VRF_HR | 65000:20 | Human Resources | Imports TECH (Shared) & INTERNET |
| VRF_TECH | 65000:30 | Tech/Management | Imports FIN, HR, and INTERNET |
| VRF_GUEST | 65000:40 | Public Access | Imports INTERNET only |
| VRF_INTERNET | 65000:100 | Gateway | Imports ALL for return path |
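The import logic in the table above maps directly onto route-target statements: each VRF exports its own RT and imports only the RTs of the segments it is allowed to reach. The following IOS-XE configuration is an added illustration for the HQ router, not the configuration stored in this repository. It assumes a local BGP AS of 65000 (the page only shows 65000 as the RD prefix), that FIN_Router and HR_Router peer as iBGP neighbours on the 10.0.10.0/30 and 10.0.20.0/30 links from the address table, and an ISP next hop that is a placeholder.

```cisco
! Added example, not the repository's own config. RDs and the import
! relationships follow the VRF table; everything else is an assumption.
vrf definition VRF_FIN
 rd 65000:10
 address-family ipv4
  route-target export 65000:10
  route-target import 65000:30
  route-target import 65000:100
 exit-address-family
!
vrf definition VRF_HR
 rd 65000:20
 address-family ipv4
  route-target export 65000:20
  route-target import 65000:30
  route-target import 65000:100
 exit-address-family
!
vrf definition VRF_TECH
 rd 65000:30
 address-family ipv4
  route-target export 65000:30
  route-target import 65000:10
  route-target import 65000:20
  route-target import 65000:100
 exit-address-family
!
vrf definition VRF_GUEST
 rd 65000:40
 address-family ipv4
  route-target export 65000:40
  route-target import 65000:100
 exit-address-family
!
! The gateway VRF imports every department RT so replies have a return path.
vrf definition VRF_INTERNET
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:10
  route-target import 65000:20
  route-target import 65000:30
  route-target import 65000:40
 exit-address-family
!
! Placeholder ISP next hop; replace with the real upstream address.
ip route vrf VRF_INTERNET 0.0.0.0 0.0.0.0 203.0.113.1
!
! Local AS 65000 is assumed. BGP performs the RT-based leaking between the
! VRF address families; no MPLS or VPNv4 neighbour is required for VRF-Lite.
router bgp 65000
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf VRF_FIN
  redistribute connected
  neighbor 10.0.10.2 remote-as 65000
  neighbor 10.0.10.2 activate
 exit-address-family
 !
 address-family ipv4 vrf VRF_HR
  redistribute connected
  neighbor 10.0.20.2 remote-as 65000
  neighbor 10.0.20.2 activate
 exit-address-family
 !
 address-family ipv4 vrf VRF_TECH
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf VRF_GUEST
  redistribute connected
 exit-address-family
 !
 address-family ipv4 vrf VRF_INTERNET
  redistribute connected
  redistribute static
  default-information originate
 exit-address-family
```

After applying this, `show ip route vrf VRF_GUEST` should list only the guest subnet and the leaked default route, while `show ip route vrf VRF_TECH` should additionally show the 192.168.10.0/24 and 192.168.20.0/24 prefixes as BGP routes; a department prefix appearing in VRF_GUEST would indicate an import statement that should not be there.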
| Device | Interface | VRF | IP Address | Subnet Mask | Default Gateway |
|---|---|---|---|---|---|
| HQ_Router | Gi0/0/0 | VRF_FIN | 10.0.10.1 | 255.255.255.252 | N/A |
| HQ_Router | Gi0/0/1 | VRF_GUEST | 192.168.40.1 | 255.255.255.0 | N/A |
| HQ_Router | Gi0/0/2 | VRF_TECH | 192.168.30.1 | 255.255.255.0 | N/A |
| HQ_Router | Gi0/0/2 | VRF_HR | 10.0.20.1 | 255.255.255.252 | N/A |
| FIN_Router | Gi0/0/0 | VRF_FIN | 10.0.10.2 | 255.255.255.252 | 10.0.10.1 |
| FIN_Router | Gi0/0/1 | VRF_FIN | 192.168.10.1 | 255.255.255.0 | N/A |
| FIN_SW | VLAN 10 | VRF_FIN | DHCP | 255.255.255.0 | 192.168.10.1 |
| HR_Router | Gi0/0/0 | VRF_HR | 10.0.20.2 | 255.255.255.252 | 10.0.20.1 |
| HR_Router | Gi0/0/1 | VRF_HR | 192.168.20.1 | 255.255.255.0 | N/A |
| HR_SW | VLAN 20 | VRF_HR | DHCP | 255.255.255.0 | 192.168.20.1 |
| GUEST_SW | VLAN 40 | VRF_GUEST | DHCP | 255.255.255.0 | 192.168.40.1 |
| TECH_SW | VLAN 30 | VRF_TECH | DHCP | 255.255.255.0 | 192.168.30.1 |
We implemented Zone-Based Policy Firewall (ZBFW) at the HQ Core instead of standard Access Control Lists (ACLs).
| Source | Destination | Allow? |
|---|---|---|
| VRF_FIN | VRF_HR, VRF_TECH, VRF_GUEST | ❌ |
| VRF_FIN | VRF_INTERNET | ✅ |
| VRF_HR | VRF_FIN, VRF_TECH, VRF_GUEST | ❌ |
| VRF_HR | VRF_INTERNET | ✅ |
| VRF_GUEST | VRF_HR, VRF_FIN, VRF_TECH | ❌ |
| VRF_GUEST | VRF_INTERNET | ✅ |
| VRF_TECH | VRF_GUEST | ❌ |
| VRF_TECH | VRF_FIN, VRF_HR, VRF_INTERNET | ✅ |
- Stateful Inspection: ZBFW tracks the state of connections. When a Finance user initiates a web request, the firewall "remembers" it and lets the reply back in automatically. ACLs would require a static, insecure "permit" for all return traffic.
- Scalability: Instead of managing ACLs on every interface, we apply policies to Zone-Pairs. This makes adding new subnets simple—just assign the interface to a Zone.
- Directional Control: Policies clearly define traffic flow (e.g., FIN to INTERNET is allowed, but INTERNET to FIN is dropped).
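The policy matrix and the three properties above come down to one rule: a zone-pair exists only for the directions marked ✅, and every other direction (GUEST to FIN, INTERNET to FIN, and so on) falls to ZBFW's inter-zone default deny, with return traffic admitted by the inspect state rather than by a permit. The following IOS-XE configuration is an added example for the HQ Core and not the repository's own config. It assumes one zone per VRF, a protocol set (HTTP, HTTPS, DNS, ICMP) that the page does not specify, and interface names for the HR and Internet uplinks (Gi0/0/3 and Gi0/0/4) that are placeholders, since the address table lists Gi0/0/2 for both TECH and HR.

```cisco
! Added example, not the repository's own config. Zone names, the inspected
! protocol set, and the HR/Internet interface names are assumptions.
zone security Z_FIN
zone security Z_HR
zone security Z_TECH
zone security Z_GUEST
zone security Z_INTERNET
!
! Traffic a department host may initiate. Anything else hits class-default.
class-map type inspect match-any CM_USER_TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! "inspect" creates the session entry that admits the reply automatically;
! "drop log" on class-default is what surfaces blocked attempts in the logs.
policy-map type inspect PM_INSPECT
 class type inspect CM_USER_TRAFFIC
  inspect
 class class-default
  drop log
!
! One zone-pair per allowed row of the policy matrix. No pair is defined for
! the denied rows or for INTERNET->department, so those are dropped by default.
zone-pair security ZP_FIN_INTERNET source Z_FIN destination Z_INTERNET
 service-policy type inspect PM_INSPECT
zone-pair security ZP_HR_INTERNET source Z_HR destination Z_INTERNET
 service-policy type inspect PM_INSPECT
zone-pair security ZP_GUEST_INTERNET source Z_GUEST destination Z_INTERNET
 service-policy type inspect PM_INSPECT
zone-pair security ZP_TECH_INTERNET source Z_TECH destination Z_INTERNET
 service-policy type inspect PM_INSPECT
zone-pair security ZP_TECH_FIN source Z_TECH destination Z_FIN
 service-policy type inspect PM_INSPECT
zone-pair security ZP_TECH_HR source Z_TECH destination Z_HR
 service-policy type inspect PM_INSPECT
!
! Adding a new segment is a VRF assignment plus a zone membership.
interface GigabitEthernet0/0/0
 vrf forwarding VRF_FIN
 ip address 10.0.10.1 255.255.255.252
 zone-member security Z_FIN
!
interface GigabitEthernet0/0/1
 vrf forwarding VRF_GUEST
 ip address 192.168.40.1 255.255.255.0
 zone-member security Z_GUEST
!
interface GigabitEthernet0/0/2
 vrf forwarding VRF_TECH
 ip address 192.168.30.1 255.255.255.0
 zone-member security Z_TECH
!
! Assumed interface for the HR uplink (page lists Gi0/0/2 for both TECH and HR).
interface GigabitEthernet0/0/3
 vrf forwarding VRF_HR
 ip address 10.0.20.1 255.255.255.252
 zone-member security Z_HR
!
! Assumed Internet-facing interface; address is a placeholder.
interface GigabitEthernet0/0/4
 vrf forwarding VRF_INTERNET
 ip address 203.0.113.2 255.255.255.252
 zone-member security Z_INTERNET
```

Two checks are worth running after a change: `show zone-pair security` should list exactly the six pairs above (an extra pair is an unintended allow), and a ping from TECH to GUEST should appear under `show policy-map type inspect zone-pair sessions` as a dropped or absent session, matching the blocked row in the verification table, because no Z_TECH to Z_GUEST pair exists.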
Verification from live router logs confirms successful inter-VRF and external communication:
| Source | Destination | Protocol | Status | Session State (HQ Log) |
|---|---|---|---|---|
| FIN_Router | HQ Core | BGP | ✅ UP | BGP Neighbor established |
| TECH (30.11) | Google (172.217.x.x) | ICMP | ✅ PASS | icmp SIS_OPEN |
| TECH (30.11) | Facebook (157.240.x.x) | TCP | ✅ PASS | tcp SIS_OPEN |
| TECH (30.11) | Guest LAN (40.2) | ICMP | ❌ BLOCKED | icmp SIS_OPENING (Dropped) |
Below are the ping results for every VRF:
Use these commands to audit the fabric status:
- `show ip route vrf *`: Display the routing tables for every segment.
- `show ip bgp vpnv4 all summary`: Check the status of all BGP department peers.
- `show policy-map type inspect zone-pair sessions`: View live firewall session tracking.