It was recommended to me that I start using VRFs to separate the networks defined on my switches, but I am not sure what the added value of using VRFs is.
How is it different from having different VLANs and controlling access with ACLs? Do all switches support VRFs?
We have many sites connected over a WAN; is that a viable solution, or are VLANs OK as well?
If you know of some explanation and a sample config, I would love that.
I'm not sure why they would be telling you to use VRFs to separate networks defined on your switches. You can just use multiple VLANs for that. VRFs have to deal with MPLS VPNs. VRF stands for Virtual Routing and Forwarding. Basically it's a separate routing instance within an MPLS VPN network. By default it only holds routing information destined for that specific instance. What kind of WAN connection do you have between your sites, what is the speed, and how many sites do you have?
In a sense, VRFs are to routing tables what VLANs are to LANs. Using VRFs, you are virtualizing your routing table into multiple routing tables, similarly to how VLANs are used to virtualize LANs. One could say that VLANs perform L2 virtualization and VRFs perform L3 virtualization. VLANs make a single switch look like several switches; VRFs make a single router look like several routers.
Using VRFs strongly depends on what your requirements are. Also, whether a switch supports VRFs is strongly dependent on its platform; for this reason, I would recommend using the Feature Navigator at http://cisco.com/go/fn to verify whether a particular platform and IOS version supports VRFs.
I hope other friends here will share their views on the topic.
I understand that VRFs are not just for MPLS, but you almost always see them in MPLS VPN environments. I wish I could get my hands dirty with some MPLS VPN setups, but so far, where I have worked, it's always the SP that takes care of that. One of these days, maybe I can work for a large company that has its own private MPLS VPN setup.
A VRF provides Layer 3 separation. This is done by creating a separate table per VRF alongside the global tables.
A VLAN provides Layer 2 separation. An SVI is a Layer 3 interface for a VLAN on a given switch.
When one switch has two SVIs, the prefixes of the SVIs would be present in the same routing table. Depending on how the gateway/routing was set up, routing (Layer 3) between the SVIs is possible. To illustrate this, trying to configure two SVIs with the same IP prefix will produce an error.
Where a VRF in the switching world might add benefit in certain designs is by separating the Layer 3 table on the same switch. Considering the above example where one switch has two SVIs configured, and each SVI is configured within its own VRF, the prefixes from the SVIs would be contained in SEPARATE routing tables. Routing between the two VRFs (although still possible) is not natively enabled. Now, since there is Layer 3 separation, the same IP prefix could be configured on both SVIs.
Lastly, another difference between a VRF and a VLAN:
A VRF is local to a router/switch, where the membership of a VRF is determined by the input interface.
A VLAN is communicated between devices by encapsulating frames leaving the device. VLAN membership is determined by the information in the encapsulation of the arriving frame.
Finally, to address the MPLS side: the VRF functionality operates independently of MPLS. MPLS protocols leverage a VRF for the mentioned separation. VRFs are, however, mostly used in MPLS networks, but are not required by MPLS.
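As an added sample config (not posted by anyone in this thread), here is the scenario the reply above describes, written as VRF-lite on a Cisco IOS switch: two SVIs carrying the same prefix, each in its own VRF, each with its own uplink and default route. It also illustrates the earlier "VRFs are to routing tables what VLANs are to LANs" comparison. The VRF names, VLAN IDs, interface names and addresses are assumptions chosen for illustration. The security point worth noticing is the default state: with VLANs plus ACLs, inter-VLAN routing is open until an ACL blocks it, so a missing or mistyped ACL exposes the other segment; with VRFs there is simply no route between the two tables until someone deliberately leaks one.

```cisco
! Added example (VRF-lite on a Cisco IOS switch), not from this thread.
! VRF names, VLAN IDs, interface names and addresses are assumptions.
!
! Two independent routing tables, one per segment.
ip vrf BLUE
 rd 65000:1
!
ip vrf RED
 rd 65000:2
!
vlan 10
 name BLUE-USERS
vlan 20
 name RED-USERS
!
! Order matters: "ip vrf forwarding" clears any IP address already on the
! interface, so assign the VRF first and the address second.
interface Vlan10
 ip vrf forwarding BLUE
 ip address 10.1.1.1 255.255.255.0
!
! Same prefix as Vlan10. In the global table this line is rejected with an
! overlap error; inside a separate VRF it is accepted.
interface Vlan20
 ip vrf forwarding RED
 ip address 10.1.1.1 255.255.255.0
!
! Each VRF gets its own routed uplink and its own default route.
! Nothing here lets BLUE reach RED: there is no route between the
! two tables unless one is deliberately leaked.
interface GigabitEthernet1/0/1
 no switchport
 ip vrf forwarding BLUE
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet1/0/2
 no switchport
 ip vrf forwarding RED
 ip address 198.51.100.1 255.255.255.252
!
ip route vrf BLUE 0.0.0.0 0.0.0.0 192.0.2.2
ip route vrf RED  0.0.0.0 0.0.0.0 198.51.100.2
!
! Checks: each table lists only its own prefixes, and a ping must name
! the VRF it is sourced from or it will be looked up in the global table.
! show ip route vrf BLUE
! show ip route vrf RED
! show ip vrf interfaces
! ping vrf RED 10.1.1.50
```

Two caveats. Newer IOS and IOS-XE images use the `vrf definition NAME` / `address-family ipv4` form with `vrf forwarding NAME` on the interface; the older `ip vrf` syntax shown here is still accepted on most switch images, but confirm support for your platform with the Feature Navigator mentioned above, since VRF-lite is typically a higher-tier feature set on Catalyst switches. And the separation is local to the switch: to carry it across a WAN without an MPLS VPN, every VRF needs its own link or 802.1Q subinterface on each hop, which is exactly the point where VLANs stop being enough and the WAN question in the original post comes into play.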