Cisco 6800 – VRF-Lite Limitations

It appears that you're applying the load balancing policy to the routing-instance. It needs to be applied to the forwarding-table in order for it to perform ECMP on the forwarding plane.

routing-options {
     forwarding-table {
          export load-balancing-policy;
     }
}

To confirm it's working, you should see something similar to this. Note the additional entry on the forwarding table for entry 10.0.0.0/24.

# run show route forwarding-table table {client}
Routing table: {client}.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            user     0 8:5b:e:84:4c:b0    ucst   561     3 ge-1/1/2.3017
default            perm     0                    rjct   961     1
0.0.0.0/32         perm     0                    dscd   959     1
10.0.0.0/24        user     0 196.33.144.3       ucst   589     5 ge-1/1/5.2100 *
10.0.0.0/24        user     0 196.33.144.11      ucst   645     6 gr-1/1/10.1   *
10.0.0.55/32       user     0                    ucst   645     6 gr-1/1/10.1
10.0.0.210/32      user     0                    ucst   645     6 gr-1/1/10.1
10.0.6.0/24        user     0                    ucst   921     3 gr-1/1/10.16
.
.

Each fills a different purpose and all three may be part of an overall solution. Lets start with the oldest concept first.

Subnets are the IP worlds way of determining what devices are "assumed to be on-link". Devices within the same subnet will send unicast traffic directly to each other by default while devices in different subnets will send unicast traffic via a router by default.

You could put each subnet on a separate physical network. This forces traffic to go via the router, which can act as a firewall. That works fine if your isolation domains match up with your physical network layout but gets to be a PITA if they don't.

You can have multiple subnets on the same "link", but doing so does not provide a high degree of isolation between the devices. IPv4 unicast traffic between different subnets will by default flow via your router where it can be filtered but broadcasts, IPv6 link local traffic and non-ip protocols will flow directly between the hosts. IPv6 global unicast traffic may or may not flow via the router depending on how the hosts are configured. Furthermore if someone wants to bypass the router they can trivially do so by adding an extra IP address to their NIC.

VLANs take an Ethernet network and split it up into multiple seperate Virtual Ethernet networks. This lets you ensure that traffic goes via the router without constraining your physical network layout.

VRFs let you build multiple virtual routers in one box. They are a relatively recent idea and are mostly useful in large complex networks. Essentially while VLANs let you build multiple independent virtual Ethernet networks on the same infrastructure VRFs (used in conjunction with an appropriate virtual link layer such as VLANs or MPLS) let you build multiple independent IP networks on the same infrastructure. Some examples of where they might be useful.

• If you are running a multi-tenant datacenter scenario each customer may have their own (possibly overlapping) set of subnets and want different routing and filtering rules.
• In a large network you may want to route between subnets/vlans in the same security domain locally while sending cross security domain traffic to a central firewall.
• If you are doing DDOS scrubbing you may want to separate unscrubbed traffic from scrubbed traffic.
• If you have multiple classes of customer you may want to apply different routing rules to their traffic. For example you could route "economy" traffic on the cheapest path while routing "premium" traffic on the fastest path.