where is VRF actually needed

rhap4boyz · ‎04-12-2016

I have the following scenario. If I need to have Server2, Server3, and Server 4 access Server1 without seeing each other, what is the best way to do this using VRF? 6509 is currently the layer 3 gateway. There are also other workstations that connects to each of the switches like 3508/4507/3560 that should be separate from the network.

My questions are

1. On which switch is VRF actually needed?

2. How should each of the access switch be configured? do they all need VRF as well? does that mean they would need routed layer 3 interface?

3. Is Multi-VRF same as VRF-Lite?

Thank you!

Philip D'Ath · ‎04-12-2016

You don't need a VRF for this.

If you use "switchport protected" on the ports to Server1, Server2 and Server3 then they wont be able to talk to each other, but will still be able to talk to Server1.

rhap4boyz · ‎04-12-2016

This is a simplified diagram. The actual layout is actually more complicated than this.

Suppose the need is to accomplish this using VRF, how would one do this?

I thought "switchport protected" is only local to the switch

Philip D'Ath · ‎04-12-2016

You are right, "switchport protected" is local to the switch. When I first looked at the digram I thought everything was plugged into the 6509. My mistake.

It might be easier putting an access-list on the port where the servers plug in.

VRFs are going to make the complexity go up a lot.

rhap4boyz · ‎04-16-2016

Anyone can point me in the right direction? Overview configuration?

Philip D'Ath · ‎04-17-2016

The best way is using a simple access list.