Using vrf for separating management and user traffic

TGF_Cisco
Level 1

Hello,

We use VRFs in our network for separating user / production traffic vs. management traffic, but the way we have used it has turned out to be messy, and we are in a situation where we no longer have the distinction between the two. I personally feel that VRF is a great way to separate management vs. user traffic.

Here is why I am in a dilemma:

If VLANs for users' computers and server VLANs are in the USERS VRF, and management servers (including domain controllers, AD) are in the management VRF, there is no way this will work. And this was the reason we thought it was going to work. Now I am wondering if using VRF is even necessary in an enterprise environment when management traffic can be separated on the server end and not so much at the clients' end.

Does anyone have any ideas how to go about this?

3 Replies

Bilal Nawaz
VIP Alumni

Hello, very interesting scenario! I was in a similar position to you. I agree VRFs are great for management purposes, as they provide you with total segregation of routing instances. In fact the newer Cisco devices come with VRFs configured for management out of the box, with a separate interface for management only (for the network device itself).

However, when it comes to enterprise networks and you have domain controllers, file servers, messaging, maybe ACS or ISE, proxies etc... and other services that should be available for your users, is there any point in using VRFs to separate users from management servers? Let's take for example:

A PC on the domain, and I want to log in using my AD credentials. You need to be able to contact the domain controller(s) in order to log in, right? Since VRFs are contained, they will have no routes to get to different networks in other VRFs, except when configured to do so.

Unless you do something called VRF route leaking or advertising. It's explained well here:
http://packetlife.net/blog/2010/mar/29/inter-vrf-routing-vrf-lite/
http://blog.ipexpert.com/2010/12/01/vrf-route-leaking/

Anyway, nevertheless - you are still going to be providing reachability via routing, so this defeats the purpose, kind of... It could add unnecessary complexity too.

Me personally, I just made sure that they were separated by VLANs and had a dedicated VRF for management, i.e. SSH, SNMP etc... to the network devices. I weighed it up and thought it's not worth doing something that will not really be of any benefit.
I can understand the need for ISPs and large service providers to use this, but not business/enterprise.

I hope this helps.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
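As an added example (not from either poster), here is what the pattern Bilal describes looks like on a Cisco IOS-style switch: the device's own management plane (SSH, SNMP, syslog) lives in a dedicated VRF, user and server VLANs stay in the global table so PCs can still reach the domain controllers, and the commented-out static routes at the end show the route leaking he mentions and why it reopens the path the VRF closed. The VRF name MGMT, VLAN numbers, addresses, ACL name and SNMPv3 user are assumed for illustration.

```cisco
! Dedicated VRF for the network device's own management plane (assumed name MGMT)
vrf definition MGMT
 address-family ipv4
 exit-address-family
!
! Management SVI: the only interface placed in the MGMT VRF
interface Vlan999
 description Network-device management (assumed VLAN 999)
 vrf forwarding MGMT
 ip address 10.99.0.10 255.255.255.0
!
! User and server VLANs stay in the global routing table, so AD/DNS logins keep working
interface Vlan10
 description User PCs
 ip address 10.10.0.1 255.255.255.0
interface Vlan20
 description Servers, including domain controllers
 ip address 10.20.0.1 255.255.255.0
!
! Default route that exists only inside the MGMT VRF
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.99.0.1
!
! Management services bound to the MGMT VRF; nothing answers from the user VLANs
ip ssh source-interface Vlan999
ip access-list standard MGMT-ONLY
 permit 10.99.0.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in vrf-also
 login local
!
! NMS-USER is an assumed SNMPv3 user defined elsewhere in the config
snmp-server host 10.99.0.50 vrf MGMT version 3 priv NMS-USER
logging source-interface Vlan999 vrf MGMT
logging host 10.99.0.60 vrf MGMT
!
! Route leaking, left commented out on purpose: as soon as these two static
! routes are added, the user VLAN and the MGMT VRF can reach each other again,
! which is the "defeats the purpose" point made in the reply above
! ip route vrf MGMT 10.10.0.0 255.255.255.0 Vlan10 10.10.0.1
! ip route 10.99.0.0 255.255.255.0 Vlan999 10.99.0.10
```

A quick check that the separation holds is `show ip route vrf MGMT`: only 10.99.0.0/24 and the VRF default should appear, with no user or server prefixes.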

Hi Bilal,

Would you consider using VRFs for separation of IT/OT/IoT in the enterprise? With management and voice not on a VRF.

Thank you

Adam