
Difference between VLAN and VRF

Alexandre Gomez
2025-11-27 05:02:47
Number of replies: 1
0

Virtual Local Area Network (VLAN) is a concept that allows us to divide a physical LAN into multiple smaller networks logically. VLAN partitions and isolates the OSI model’s broadcast domain at layer 2. Switches make the logical separation of VLANs by adding a VLAN tag to the frames sent by network devices. As a result, each device can only communicate directly with another device in the same VLAN. However, devices from different VLANs can communicate with each other via routing (layer 3).

VRF (Virtual Routing and Forwarding) is a technology that allows us to create virtual routing instances inside a single router. Using VRF, we can configure different routing tables, interfaces, and forwarding policies for each virtual instance. This allows us to run these networks separately. Since routing instances are independent, different instances can use identical IP addresses without encountering conflicts. A simple example is that we can simultaneously use the same IP address (or an entire range) assigned to two different interfaces on a router.

VLAN works at layer 2, adding and treating tags in frames. VRF also operates at layer 3, enabling multiple routing instances. In contrast, VLANs offer us better isolation. Devices only communicate directly if they’re in the same VLAN. Otherwise, communication must be done via routing (if desirable). VRF offers further isolation. We can even overlap IP addresses without conflicts because the virtual instances are independent.

VRF is helpful in many situations. One of them is in a multi-tenant infrastructure scenario. We can assign each customer its own set of subnets and, through VRF, allow each to use different routing and packet filtering rules. VLANs provide more excellent isolation and control on a physical LAN. Finally, VRFs improve network separation and allow simultaneous use of IP address ranges by different devices.

Josette Dupont
2025-11-27 02:31:36
Number of replies: 2
0

I understand that VLANs operate on L2, and subnets and VRFs (lite) on L3.

What I don't understand is why you would choose one over the other when you mostly care about segmentation.

Imagine I have only one switch and one router in my network. I could do as follows:

device 1 => VLAN 1
device 2 => VLAN 2
Internet => VLAN 3

Then, to prevent them from talking, I could allow traffic between VLAN 1 and VLAN 3, as well as traffic between VLAN 2 and VLAN 3. I would, however, drop all traffic flowing between VLAN 1 and VLAN 2.

=> Segmentation OK.

Imagine I have two switches and one router in my network. I could do as follows:

subnet 1 => switch 1 => device 1
subnet 2 => switch 2 => device 2

Then, like I did with the VLANs, I could drop all packets flowing between subnet 1 and subnet 2.

=> Segmentation OK.

Imagine I have multiple switches and one router. I could do as follows:

VRF 1 => Device 1
VRF 2 => Device 2

I do not explicitly have to prevent anything. By default, the two VRFs won't be able to talk to each other.

=> Segmentation OK.

Is there any other advantage to any of the three? What is the preferred method? Why would I combine the three? What else did I miss?

Edit: I'm really looking for an answer which compares the three options, especially VLAN (which might be using separate subnets) vs VRF segmentation.
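The difference between the scenarios above can be seen in a toy forwarding model, added here as an example that is not part of either post. With VLANs or subnets on one routing table, traffic between segments is routed until an explicit drop rule is added, while with VRFs the lookup is confined to the ingress interface's own table, which also lets the same prefix appear twice. The `Router` class, interface names and addresses are constructed for illustration and are not any vendor's API.

```python
import ipaddress

class Router:
    """Toy L3 forwarding model (constructed): one routing table per VRF."""
    def __init__(self):
        self.tables = {}   # VRF name -> list of (network, interface)
        self.if_vrf = {}   # interface -> VRF name
        self.deny = set()  # ACL entries: (src network, dst network) to drop

    def add_interface(self, ifname, cidr, vrf="global"):
        net = ipaddress.ip_interface(cidr).network
        table = self.tables.setdefault(vrf, [])
        # Overlapping prefixes only conflict inside the same routing table.
        if any(net.overlaps(n) for n, _ in table):
            raise ValueError(f"{cidr} overlaps a network already in {vrf}")
        table.append((net, ifname))
        self.if_vrf[ifname] = vrf

    def deny_between(self, src_cidr, dst_cidr):
        self.deny.add((ipaddress.ip_network(src_cidr),
                       ipaddress.ip_network(dst_cidr)))

    def forward(self, in_if, src, dst):
        """Return the egress interface, or None when the packet is dropped."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(src in s and dst in d for s, d in self.deny):
            return None  # explicit ACL drop
        # The lookup sees only the table of the ingress interface's VRF.
        table = self.tables[self.if_vrf[in_if]]
        hits = [(n, i) for n, i in table if dst in n]
        if not hits:
            return None  # no route inside this VRF
        return max(hits, key=lambda h: h[0].prefixlen)[1]  # longest prefix

def vlan_router():
    """VLAN/subnet case: both gateways share the one global table."""
    r = Router()
    r.add_interface("vlan1", "10.0.1.1/24")
    r.add_interface("vlan2", "10.0.2.1/24")
    return r

def vrf_router():
    """VRF case: the same prefix is attached twice, once per VRF."""
    r = Router()
    r.add_interface("eth1", "10.0.1.1/24", vrf="VRF1")
    r.add_interface("eth2", "10.0.1.1/24", vrf="VRF2")
    r.add_interface("eth3", "10.0.2.1/24", vrf="VRF2")
    return r
```

In the shared-table case, segmentation depends on the drop rule being present and correct; in the VRF case, reachability between instances exists only if a route is deliberately leaked between them.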
