03-08-2022 05:18 PM - edited 03-08-2022 05:30 PM
We are implementing VRF. Looking for best practice information.
Is it best practice to have a different VRF for each VLAN? Say mgmt/users/printers/servers/phones all in different VRFs? Then leak what is needed?
We are planning
PE -> CE -> Firewall -> Core Switch -> access
Would it be best to change VRFs at the firewalls and leave the core switch to just switch? Or change VRFs at the core switches?
Changing at the firewall would allow us to implement rules/ACLs more easily between "VRFs/zones" for the internal network at sites, is my understanding. We would put each VRF in a different zone. Then have global VRFs at CE/PE for between sites?
I might not have googled the right questions to get the answer I was looking for here. Thank you for your help in advance.
03-09-2022 12:01 AM
If this is the inside LAN, I would not advise VRF here (unless you are keen to deploy it).
VLAN segmentation with an access policy can resolve this (if you are looking for security).
If this is not going to solve your problem, give us more information, such as a block network diagram, so we can understand the correct requirement.
03-09-2022 04:33 AM
Users need to connect to printers and servers, plus phones need to connect to servers (CUCM, etc.), and so it makes no sense to partition them into separate VRFs as it just increases the admin overhead for day-to-day operation and troubleshooting faults on the network. If you are deploying multiple VRFs across lots of subnets then you would need to daisy-chain them all, and so adding a new site into your network involves more work (as the design and testing effort for the change gets multiplied by the number of VRFs you have strung out across your topology for all these device types).
For your initial deployment, just a separate VRF for device management where your TACACS, syslog servers, SNMP pollers, etc. also reside is probably enough (a "management-vrf" on each device via a separate VLAN across your infrastructure to reduce the attack surface for device-admin security). If you have services or functions within your network that require separation from everything else, then potentially a VRF for these might help if they span multiple subnets, but usually a firewall and dedicated VLAN should be enough.
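The management-VRF pattern described above, as an added example that is not from the thread or from any poster: a Cisco IOS/IOS-XE switch whose management SVI, and every management-plane service (syslog, SNMP, TACACS+, SSH access), is pinned to a dedicated VRF so the user/printer/server VLANs in the global table have no route to it. VLAN 999, the 10.99.0.0/24 subnet, the server addresses and the object names are assumed values chosen for illustration.

```cisco
! Added example: dedicated management VRF on an IOS/IOS-XE switch.
! VLAN 999, 10.99.0.0/24, server IPs and names below are assumptions.
vrf definition MGMT
 description device management only
 address-family ipv4
 exit-address-family
!
! Only the management SVI sits in MGMT; user/server SVIs stay in the
! global routing table and therefore cannot reach 10.99.0.0/24.
interface Vlan999
 description management
 vrf forwarding MGMT
 ip address 10.99.0.2 255.255.255.0
!
! Default route inside the VRF toward the management gateway/firewall.
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.99.0.1
!
! Management-plane services must be told to source traffic from MGMT,
! otherwise they use the global table and silently fail.
logging host 10.99.0.10 vrf MGMT
snmp-server host 10.99.0.11 vrf MGMT version 3 priv SNMP-USER
!
tacacs server TAC-1
 address ipv4 10.99.0.12
 key <shared-secret>
aaa group server tacacs+ TAC-MGMT
 server name TAC-1
 ip vrf forwarding MGMT
 ip tacacs source-interface Vlan999
aaa authentication login default group TAC-MGMT local
!
! Accept SSH only from the admin subnet, and only via VRF interfaces.
! Without "vrf-also" the access-class ignores sessions arriving in a VRF.
ip access-list standard MGMT-ADMINS
 permit 10.99.0.0 0.0.0.255
 deny   any log
line vty 0 15
 access-class MGMT-ADMINS in vrf-also
 transport input ssh
```

After applying it, `show vrf` should list Vlan999 under MGMT, `show ip route vrf MGMT` should show only the connected subnet and the default, and a ping to a management server from the global table (`ping 10.99.0.10` without `vrf MGMT`) should fail while `ping vrf MGMT 10.99.0.10` succeeds; that pair of pings is the quickest check that the attack surface has actually moved out of the user-facing table.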
03-09-2022 08:22 AM - edited 03-09-2022 08:23 AM
As the other posters have already noted, using VRF to separate printers/servers/users within most networks is often (much) more trouble than it's worth. Remember, by design, VRF separates L3 topologies from each other much as VLANs do for L2 topologies. However, L2 topologies generally are easy to connect using L3, but with VRF, if you need to interconnect them, you also use L3, which is what VRF works to separate.
As one simple example, with VRFs you can use the same address spaces. For example, two VRFs might both have their own 192.168.1.0/24. But what happens if you now want hosts on those two networks to intercommunicate, or to communicate with a third "common" (e.g. servers) network? Can this be solved? Yes, but again, it takes a bit of work.
Your question is somewhat similar to asking (for most businesses) whether they should build their own MPLS network (especially internally within their LAN). Likewise, usually it's also (much) more trouble than it's worth.
Don't, though, take the above as meaning there's no use for VRF even in small businesses; just that it's often really not needed to separate printers/servers/users, as they most often need to intercommunicate. Where it can be useful is in cases where part of your network doesn't need to communicate (directly) with other parts and you want to build an additional "fence" around it. One example, as mentioned by @JimWicks, is using a VRF for management (BTW, I believe lots of Cisco devices now come out of the box with the management interface in a non-default VRF). I've used VRF for branch site routers, for the WAN/Internet interface, to better isolate that interface from the router's internal side interfaces. (I.e., again it's more trouble to get traffic to/from the Internet, but that's the goal.)
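The "yes, but it takes a bit of work" part of the answer above, as an added example that is not from the thread or from any poster: the original question asked about putting users and servers in separate VRFs and then "leaking what is needed". On IOS/IOS-XE the clean way to do that on a single box is with route-targets under a local BGP process; no MPLS and no BGP neighbours are required. VRF names, AS 65000, the RD/RT values and the 10.20.0.0/24 and 10.30.0.0/24 prefixes are assumed values. Note that this only works because the two VRFs do not overlap; two VRFs that both carry 192.168.1.0/24 cannot be joined by leaking routes at all and would need NAT, which is exactly the extra work the post warns about.

```cisco
! Added example: selective route leaking between two local VRFs using
! BGP route-targets. Names, ASN, RD/RT and prefixes are assumptions.
vrf definition USERS
 rd 65000:20
 address-family ipv4
  route-target export 65000:20
  route-target import 65000:30
 exit-address-family
!
vrf definition SERVERS
 rd 65000:30
 address-family ipv4
  route-target export 65000:30
  route-target import 65000:20
 exit-address-family
!
interface Vlan20
 description user subnet (USERS VRF)
 vrf forwarding USERS
 ip address 10.20.0.1 255.255.255.0
!
interface Vlan30
 description server subnet (SERVERS VRF)
 vrf forwarding SERVERS
 ip address 10.30.0.1 255.255.255.0
!
! A local-only BGP process carries the VPNv4 routes between the VRF
! tables; each VRF's connected prefixes are tagged with its export RT
! and installed into any VRF that imports that RT.
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 vrf USERS
  redistribute connected
 exit-address-family
 address-family ipv4 vrf SERVERS
  redistribute connected
 exit-address-family
```

After this, `show ip route vrf USERS` should list 10.30.0.0/24 as a BGP route and `show ip route vrf SERVERS` should list 10.20.0.0/24 the same way. Two caveats a practitioner should keep in mind: leaking only provides reachability, so any users-to-servers restriction still has to be enforced with an ACL on the SVI or by routing through the firewall, and every additional VRF (printers, phones, ...) adds another import/export pair to maintain, which is the day-to-day overhead the earlier replies describe.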