VRFs, VLANs, and Subnets – Differences Explained

Tags: subnet, vlan, vrf, vrf-lite

I have a basic understanding of VRFs, VLANs and subnets. I understand that VLANs operate on L2, and subnets and VRFs (lite) on L3. What I don't understand, is why you would choose one over the other when you mostly care about segmentation.


Imagine I have only 2 devices, and I don't want them to be able to talk to each other, but I do want them to be able to access the internet.

VLANs

Imagine I have only one switch and one router in my network. I could do as follows:

  • device 1 => VLAN 1
  • device 2 => VLAN 2
  • Internet => VLAN 3

Then, to prevent them from talking, I could allow traffic between vlan 1 and vlan 3, as well as traffic between vlan 2 and vlan 3. I would, however, drop all traffic flowing between vlan 1 and vlan 2. => Segmentation OK.

Subnets

Imagine I have two switches and one router in my network. I could do as follows:

  • subnet 1 => switch 1 => device 1
  • subnet 2 => switch 2 => device 2

Then, like I did with the VLANs, I could drop all packets flowing between subnet 1 and subnet 2. => Segmentation OK.

VRFs

Imagine I have multiple switches and one router. I could do as follows:

  • VRF 1 => Device 1
  • VRF 2 => Device 2

I do not explicitly have to prevent anything. By default, the two VRFs won't be able to talk to each other. => Segmentation OK.


Is there any other advantage to any of the three? What is the preferred method? Why would I combine the three? What else did I miss?

Edit:
I'm really looking for an answer which compares the three options, especially VLAN (which might be using separate subnets) vs VRF segmentation.

Best Answer

Each fills a different purpose and all three may be part of an overall solution. Let's start with the oldest concept first.

Subnets are the IP world's way of determining what devices are "assumed to be on-link". Devices within the same subnet will send unicast traffic directly to each other by default, while devices in different subnets will send unicast traffic via a router by default.

You could put each subnet on a separate physical network. This forces traffic to go via the router, which can act as a firewall. That works fine if your isolation domains match up with your physical network layout but gets to be a PITA if they don't.

You can have multiple subnets on the same "link", but doing so does not provide a high degree of isolation between the devices. IPv4 unicast traffic between different subnets will by default flow via your router where it can be filtered, but broadcasts, IPv6 link-local traffic and non-IP protocols will flow directly between the hosts. IPv6 global unicast traffic may or may not flow via the router depending on how the hosts are configured. Furthermore, if someone wants to bypass the router they can trivially do so by adding an extra IP address to their NIC.

VLANs take an Ethernet network and split it up into multiple separate virtual Ethernet networks. This lets you ensure that traffic goes via the router without constraining your physical network layout.

VRFs let you build multiple virtual routers in one box. They are a relatively recent idea and are mostly useful in large, complex networks. Essentially, while VLANs let you build multiple independent virtual Ethernet networks on the same infrastructure, VRFs (used in conjunction with an appropriate virtual link layer such as VLANs or MPLS) let you build multiple independent IP networks on the same infrastructure. Some examples of where they might be useful:

  • If you are running a multi-tenant datacenter scenario each customer may have their own (possibly overlapping) set of subnets and want different routing and filtering rules.
  • In a large network you may want to route between subnets/vlans in the same security domain locally while sending cross security domain traffic to a central firewall.
  • If you are doing DDoS scrubbing you may want to separate unscrubbed traffic from scrubbed traffic.
  • If you have multiple classes of customer you may want to apply different routing rules to their traffic. For example you could route "economy" traffic on the cheapest path while routing "premium" traffic on the fastest path.
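The following is an added example, not part of the question or the answer above: a Cisco IOS VRF-lite configuration for the "one switch, one router" picture from the question, combining VLANs (the link layer) with VRFs (separate IP routing tables). VRF names, VLAN IDs, interface names and addresses are all assumptions; the point it illustrates is that both tenants can use the same 10.0.0.0/24 subnet and still be isolated, with no ACL between them, because neither VRF has a route to the other's interface.

```cisco
! Added example (not from the question or answer): IOS VRF-lite on a
! router-on-a-stick. Names, VLAN IDs and addresses are assumptions.
vrf definition TENANT-A
 address-family ipv4
 exit-address-family
!
vrf definition TENANT-B
 address-family ipv4
 exit-address-family
!
! Device 1 sits in VLAN 10, device 2 in VLAN 20. Both tenants use the
! SAME subnet, 10.0.0.0/24; that only works because each has its own VRF.
! "vrf forwarding" must come before "ip address": assigning a VRF clears
! any address already on the interface.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 vrf forwarding TENANT-A
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 vrf forwarding TENANT-B
 ip address 10.0.0.1 255.255.255.0
!
! VLANs 31 and 32 carry each VRF's traffic to a central firewall that
! provides the Internet path; the firewall, not the router, decides what
! (if anything) may cross between tenants.
interface GigabitEthernet0/1.31
 encapsulation dot1Q 31
 vrf forwarding TENANT-A
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1.32
 encapsulation dot1Q 32
 vrf forwarding TENANT-B
 ip address 192.0.2.6 255.255.255.252
!
! One default route per VRF, each pointing at the firewall leg of that VRF.
ip route vrf TENANT-A 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf TENANT-B 0.0.0.0 0.0.0.0 192.0.2.5
!
! Verification: each VRF's table holds only its own connected subnet and
! its default route, so tenant-to-tenant traffic has nowhere to go.
!   show ip route vrf TENANT-A
!   show ip route vrf TENANT-B
!   ping vrf TENANT-A 10.0.0.50   (answered by device 1, never by device 2)
```

Contrast this with the VLAN-only or subnet-only designs in the question, where a single routing table connects every segment and isolation exists only as long as an ACL explicitly denies the inter-segment traffic.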