Virtual Networks FAQ

 

What is a Virtual Network?
A Virtual Network is a combination of resources managed as a single administrative entity. For Virtual Networks, this is the set of all VLANs, Subnets, and VRFs belonging to a particular faculty or department, including the virtual firewall that ties these together.

What is a VRF?
VRFs (Virtual Router Forwarding instances, pronounced "verfs") are virtual private networks. A VRF is a completely private campus-wide network: it appears as if a department has its own private router. Any Subnets in any buildings campus-wide can be assigned to a VRF. A department may have as many VRFs as it requires to implement its security policies. Routing between Subnets within a VRF is direct, with no firewall involved. Connectivity to a Subnet outside of the VRF is through a firewall (usually a virtual firewall).
A VRF is not a campus-wide bridged VLAN.

Is Virtual Networking mandatory?
No, it is not mandatory. In fact, it is completely optional. If you don't want to take advantage of virtual networking then you don't have to. It will be business as usual. All of your Subnets will continue to be in the global routing table.

If I decide to use Virtual Networking, does it impact my existing VLANs and Subnets?
The only impact is that you have to let the NMC know what VRF each subnet should be assigned to. Other than that, it's business as usual. No VLANs or IP addresses change. The Transmogrifier works as normal.

When will Virtual Networking be available?
Virtual networking, identity-based wireless and VPN are available now campus-wide for the Point Grey campus. Multicast and Virtual Devices are also available now.

Is Virtual Networking available to UBC Okanagan and beyond?
Virtual networking is available at Point Grey, Okanagan and Vancouver General Hospital (VGH).

How much does it cost?
This service is free to UBC departments.

How do I sign up?
Submit a service request to the Network Management Centre.

Is it difficult to convert to Virtual Networking?
This is a complex network conversion, especially if there is an existing firewall involved. The NMC will work with you to prepare a plan to transition your department's VLANs and Subnets to a Virtual Network. A test Virtual Network can be created as a starting point so that you can become familiar with the setup before transitioning. Most of the work for the department involves defining a centralized security policy and defining firewall rules that implement that security policy. A conversion can take anywhere from 1 month to 3 months.

Is troubleshooting Virtual Networks more difficult?
No, it is exactly the same as troubleshooting any network that contains a firewall. Common tools like ping and traceroute work as normal within the subnets in a VRF.

What technology are VRFs based upon?
VRFs are an industry standard technology supported by many vendors including Cisco Systems. The underlying technology leverages MPLS and BGP protocols. The defining document is RFC2547 - BGP/MPLS VPNs.

Where is my virtual firewall located?
There are several firewalls, configured in pairs for redundancy, that deliver virtual firewall services for UBC. A few of these pairs are solely dedicated to servicing departments.

If I don't want to use a virtual firewall, can I use my own firewall?
Yes, you may use your own firewall in a virtual network. However, it may be an expensive proposition. The redundant deployment of the virtual firewalls provides high availability while simplifying your network design. 7x24 hardware support and monitoring is also included. Security policy administration, the most important function, remains fully within your control.