We currently use a BT MPLS network and use BGP on our CE router to peer with the providers PE routers. Currently we only use one VPN for production across the MPLS network.
We are now looking to give access from some of our MPLS sites to a test environment housed in our data centre. We need to do this on a pc by pc basis.
At the moment the plan is to add a Test VPN within the MPLS network. All sites will be a member of the production VPN and those sites that also need access to test environment will be a member of the Test vpn.
This will segregate the traffic over the WAN but the issue i now have is how to segregate the traffic once it leaves the PE router. The link between the CE and PE router is just a layer 3 link so the VPN separation
has disappeared by now. I don't mind the traffic not being separated in terms of VPN's on the CE to PE link but i need to segregate the traffic once it leaves the CE router and enters our LAN.
So finally the questions
1) Is there a way to keep the separation at a VPN level on the CE -> PE link. As i say i don't mind not having it but if there is a way i would be interested.
2) More importantly i have done some limited reading on VRF-lite and was wondering before i go further if that would allow me to segregate the traffic internally within the LAN. Our Lan's in major buildings usually consist
of 4500 at the access-layer and 6500 as distribtion/core. What i would ideally like to do is ensure that only users within the site who need to access the test environment can ie. by adding a site to the TEST vpn this does
not mean that all users within the site should be able to get to it.
i) Use PBR together with access-list and potentially firewalls
ii) use vrf-lite to segregate the traffic.
So is this a good application for vrf-lite or have i missed the point of it ?. if not can anyone suggest a better way ?