The only answer I could give is “it depends” (it’s like asking “Do animals need wings?”), and here’s my attempt at building a decision tree:
- Do you have multiple security zones or tenants (organizations)?
  - No: You don’t need VRFs. You might have to treat the guest VLAN as a separate tenant whose traffic has to be pulled back to the central firewall.
- Do you plan to span these zones across multiple sites (or data centers)?
  - Yes: I would use VRFs. You might want to use stretched VLANs instead, and I wish you luck.
- Will you implement tenants or security zones with multiple segments or distributed firewalls (also marketed as microsegmentation)?
  - Distributed firewalls: You might think you don’t need VRFs, but you probably still do unless all hosts use the same exit from the subnet. If hosts from different security zones (or tenants) need different exit points (aka service insertion), you’re better off using different routing domains for them.
  - Different tenants or security zones might also use different load balancers, in which case you need either multiple segments (or routing domains) or source NAT on the load balancer to ensure symmetrical traffic flow.
- Do you need a separate routing domain for each security zone or tenant within a site?
  - No: You don’t need VRFs; VLANs are good enough.
  - Yes: You probably need VRFs.
More on separate routing domains
You might be wondering whether you need a routing domain for a tenant or security zone, or whether a simple VLAN would be good enough. The only answer I can give for a multi-tenant setup is “it depends” (on your service definition), but there’s an easy answer for security zones.
- If it’s OK that all traffic exiting a security zone passes through a firewall (or load balancer) that serves as the default gateway, then you don’t need a routing domain (and VRF) for the security zone.
- If you want to split traffic based on destinations and send it to multiple exit points (next hops) then it’s better to implement a security zone as a routing domain instead of configuring static routes on all hosts.
Need an example for the second scenario? How about network-based backup – do you really want to pump all backup traffic through an expensive firewall?
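Here’s what the second scenario could look like in Cisco IOS-style syntax. This is an added example, not part of the original post; the VRF name, VLAN numbers and addresses are constructed. The zone is its own routing domain, the default route points at the firewall, and the backup prefix gets a direct next hop, so no host needs a static route:

```ios
! Security zone BLUE implemented as a routing domain (VRF).
! Constructed example: VRF name, VLAN numbers and addresses are made up.
vrf definition BLUE
 address-family ipv4
 exit-address-family
!
! Hosts in the zone; the switch (not the firewall) is their default gateway
interface Vlan100
 description Zone BLUE servers
 vrf forwarding BLUE
 ip address 10.100.0.1 255.255.255.0
!
! Transit segment toward the firewall's inside interface (10.255.100.2)
interface Vlan900
 description Zone BLUE - firewall transit
 vrf forwarding BLUE
 ip address 10.255.100.1 255.255.255.0
!
! Transit segment toward the backup network (backup gateway 10.255.110.2)
interface Vlan910
 description Zone BLUE - backup transit
 vrf forwarding BLUE
 ip address 10.255.110.1 255.255.255.0
!
! Default exit for the zone: everything leaves through the firewall ...
ip route vrf BLUE 0.0.0.0 0.0.0.0 10.255.100.2
! ... except traffic to the backup servers, which takes the direct path
ip route vrf BLUE 10.200.0.0 255.255.0.0 10.255.110.2
!
! Without the VRF you would have to push the equivalent of
!   ip route add 10.200.0.0/16 via <backup gateway>
! onto every host in VLAN 100 and keep it in sync.
```

The backup side needs a matching return route for 10.100.0.0/24 via 10.255.110.1; otherwise the return traffic lands on the firewall and you get the asymmetric flow mentioned above.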