
Enterprise-Wide VRF Segmentation with MP-BGP and Per-VRF OSPF Routing

I was part of a service provider deployment project where we were contracted to design and build a scalable, secure, and redundant enterprise network for a large client. The client required traffic isolation per department, centralized internet access, and resilient WAN connectivity with failover mechanisms. The network was designed using a multi-tier architecture consisting of a core, dual distribution switches, and multiple dual-homed access switches to ensure high availability.

My role was to architect and implement the VRF-based segmentation solution across the enterprise. This involved defining and enforcing routing boundaries between departments, enabling policy-based communication and integrating a scalable routing structure that could grow with the business. I chose VRFs with MP-BGP and per-VRF OSPF to achieve these goals.

To begin, I defined unique VRFs for each department, assigning structured Route Distinguishers (RDs) and Route Targets (RTs) using a consistent pattern. This provided deterministic control over route distribution and simplified configuration templates across all devices.

Each access switch was dual-homed to both distribution switches and configured with VRF-aware interfaces, enabling both fault tolerance and faster convergence. Within each VRF, I configured separate OSPF processes for routing between access and distribution. This isolated the IGP per VRF and allowed granular redistribution into BGP, ensuring routing symmetry and ease of troubleshooting.

At the distribution layer, I implemented MP-BGP with the vpnv4 address family. Internal BGP peering was established between the distribution switches over loopbacks, and OSPF ensured reachability between them. I activated "send-community" to propagate RTs and controlled route leakage between departments by importing/exporting only the required RTs in each VRF.
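The structured RD/RT pattern and the RT-based leak control described above can be checked before any configuration is pushed. The following is an added example, not code from the original post: it derives RDs and RTs from a plan and reports every inter-VRF route leak that the intended policy does not allow. The ASN 65000, the department names, the numeric IDs and the "RD = export RT = ASN:id" pattern are assumptions made for illustration.

```python
from itertools import permutations

ASN = 65000  # assumed private ASN, not from the original post
# Constructed plan: VRF name -> (numeric id, VRFs whose routes it imports)
PLAN = {
    "HR":      (10, ["SHARED"]),
    "FINANCE": (20, ["SHARED"]),
    "ENG":     (30, ["SHARED", "FINANCE"]),  # constructed mistake: ENG imports FINANCE
    "SHARED":  (99, ["HR", "FINANCE", "ENG"]),
}
# Intended policy: unordered VRF pairs that are allowed to exchange routes
ALLOWED = {frozenset(p) for p in
           [("HR", "SHARED"), ("FINANCE", "SHARED"), ("ENG", "SHARED")]}

def build_vrfs(plan, asn=ASN):
    """Derive RD and RT sets from the plan (assumed pattern: RD = export RT = ASN:id)."""
    tag = {name: f"{asn}:{vid}" for name, (vid, _) in plan.items()}
    return {
        name: {"rd": tag[name], "export": {tag[name]},
               "import": {tag[name]} | {tag[peer] for peer in peers}}
        for name, (_, peers) in plan.items()
    }

def leaks(vrfs):
    """Directed pairs (src, dst) where dst imports an RT that src exports."""
    return {(s, d) for s, d in permutations(vrfs, 2)
            if vrfs[s]["export"] & vrfs[d]["import"]}

def audit(vrfs, allowed):
    """Return findings: duplicate RDs, unapproved leaks, one-way leaks."""
    findings = []
    rds = [v["rd"] for v in vrfs.values()]
    findings += [f"duplicate RD {rd}" for rd in sorted(set(rds)) if rds.count(rd) > 1]
    found = leaks(vrfs)
    for src, dst in sorted(found):
        if frozenset((src, dst)) not in allowed:
            findings.append(f"unapproved leak {src} -> {dst}")
        elif (dst, src) not in found:
            findings.append(f"one-way leak {src} -> {dst} (no return routes)")
    return findings

if __name__ == "__main__":
    for line in audit(build_vrfs(PLAN), ALLOWED) or ["plan matches policy"]:
        print(line)
```

Run against the constructed plan, the audit reports the FINANCE routes that ENG imports outside the policy; removing that import yields a clean result.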
