Configure VRF to isolate internal subnet

Hello,

Both options are good.  It comes down to your security policies.

Physical vs virtual separations.

Using VRFs allows you to do route leaking between VRF if you want to have exceptions for some traffic to bypass the firewall, or bypass firewall during their maintenance.  But it also is a risk to manage as misconfiguration of route leaking could totally bypass the firewall and expose the internal vlans.

Hard to say without seeing a topology diagram - one point though, if your firewall and devices support BGP, I would use that instead if you end up going with a dynamic routing model. I've tried OSPF in a previous role across a few different vendor firewalls, and always ended up getting burned. BGP is a simpler protocol to implement, and much more likely to be successful.

Hi Joali,
If you want to "isolate internal subnet", then I would have expected some form of security concern about inter-VLAN communications. But since you insist only caring for North-South then you don't need to care about isolating the subnets from each other, and therefore don't need to have a different routing instance (VRF) per VLAN.

May I as why you were considering VRF in the first place, since you don't care about isolating the routing between them? I am just trying to understand the requirements completely, maybe I missed something.

If the firewall is in Layer3 routing mode, then sure you can just route through it.
In some environment the firewall is the default gateway, so you need to stretch Layer2 to it. But many modern deigns use the 1st hop switch as default gateway, like in the case you describe with an SVI and possibly a virtual IP common across all the switches. In that case the traffic can be routed towards the firewall.

The two scenarios you described are actually identical: in both cases the traffic is routed.
The difference is whether you separate the routing information across multiple VRF, or everything is inside a single routing table.

At scale, L3 EVPN can make it much easier to carry L3 VPN routing information, as opposed to have many VRF-lite instance of the routing protocols.

With limited knowledge of your scenario, simple routing (your option2) would be the simplest, but I admit it's the least employed because of the potential security risk between the subnets. After all you did mention "isolate internal subnet".

If you are simply looking at sharing a switch and share "Internal" and "External" on the same switch, then yes VRF can be used. It is typical in a DMZ.

Internet --> DMZswitch-VRFInternet --> Firewall --> DMZswitch-VRFClean --> Internal switches

If you don't intend to share the same switch "DMZswitch" for both roles (Internet-facing and "Clean") then you don't need to care about the local VRFs. But that works well, depending on your security requirements.

Regards,
Alexis