10-25-2018 10:07 AM
My company has four sites connected over MPLS using BGP and within each site we use EIGRP. In each site we have a vlan (let's call it vlan 3) that needs to be segmented from the other vlans at layer 3. Within the individual LANs this would likely just require the use of VRF-Lite. I would create the VRF, associate it to the SVI and build a second EIGRP instance to deal with dynamic routing for vlan 3.
However, clients on vlan 3 at one location will need to be able to reach clients on vlan 3 at the other sites.
Do I therefore need to create a second BGP instance (using address family) that will also be associated to the segmented VRF?
10-25-2018 10:45 AM
Hello,
Can't you simply apply access lists to the SVIs at each site?
10-25-2018 10:48 AM
We could and normally we do. But the security team has specifically requested we segment this LAN from the global route cache.
10-25-2018 11:04 AM
Hello,
RACLs are a good option, but if you wish to use VRF I see no reason why you cannot.
I am assuming these vlan 3 users at each site will be in a different IP address subnet, meaning you're not extending a vlan over sites?
Once the “vlan3” traffic hits the PE rtr of each site it will go over the MPLS backbone with all the other traffic, and you should then be able just to import that traffic between each site's segregated VRF.
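Added example (not part of any post in this thread) of the VRF-Lite setup discussed above on one site's CE router, written as Cisco IOS configuration. On IOS the per-VRF BGP piece is an address family under the existing BGP process. The VRF name, AS numbers, addresses, interface names and the dedicated sub-interface toward the provider are all assumptions.

```cisco
! Constructed values throughout: VRF "SEGMENT", AS 65001 (site), AS 65000 (provider),
! EIGRP AS 3 for the VRF, 10.1.3.0/24 for vlan 3, 192.0.2.0/30 for the CE-PE link.
vrf definition SEGMENT
 rd 65001:3
 address-family ipv4
 exit-address-family
!
! Moving the SVI into the VRF takes its subnet out of the global routing table
interface Vlan3
 vrf forwarding SEGMENT
 ip address 10.1.3.1 255.255.255.0
!
! Assumption: the provider hands off a separate 802.1Q sub-interface for this VRF
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 vrf forwarding SEGMENT
 ip address 192.0.2.1 255.255.255.252
!
! Second EIGRP instance, scoped to the VRF
router eigrp 100
 address-family ipv4 vrf SEGMENT autonomous-system 3
  network 10.1.3.0 0.0.0.255
  redistribute bgp 65001 metric 10000 100 255 1 1500
 exit-address-family
!
! Per-VRF BGP session inside the existing BGP process
router bgp 65001
 address-family ipv4 vrf SEGMENT
  neighbor 192.0.2.2 remote-as 65000
  neighbor 192.0.2.2 activate
  redistribute eigrp 3
 exit-address-family
!
! Checks after applying:
!  show ip route vrf SEGMENT     (vlan 3 subnets from every site should appear here)
!  show ip route 10.1.3.0        (global table: should return no matching route)
!  show bgp vpnv4 unicast vrf SEGMENT summary
```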