We have a need to set up a MAN to interconnect multiple sites in a metropolitan area.
The sites will be connected via a 1-Gbps fiber ring.
Each location has multiple VLANs, and one of the requirements is to isolate the VLANs so that they can't communicate w/ each other.
One exception is the "service VLAN" that contains servers & printers, which all VLANs should be able to talk to.
A VLAN / user group should still be able to talk to the same user group at the other locations.
We plan on running OSPF to provide routing between the locations, but are not sure how to handle the VLAN segregation and provide connectivity to the service vlan at the same time.
We'll definitely NOT do ACLs because the administrative overhead is just too much.
We're thinking about VRF Lite, so basically each VLAN will be assigned an RD.
We'd also like to use route targets to control which VLANs can communicate w/ the other VLANs.
However, we're not sure if this would work w/ VRF Lite, or if the full blown VRF & MPLS are required.
If the latter, we're screwed because we don't have the necessary hardware to support MPLS and gig speed at these locations (we have a bunch of 2800/3800 routers, but they can't handle the traffic rate).
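The design described in the post (one VRF per user VLAN, route targets used only to admit the service VLAN's routes into each user VRF and the user VRFs' routes into the service VRF) can be expressed on a single site router without MPLS. The configuration below is an added example written for this page, not the poster's configuration or anything from Cisco documentation. It uses the Cisco IOS `ip vrf` syntax of 2800/3800-class routers; the VRF names, AS number 65000, VLAN IDs, interface names and addresses are all assumed for illustration. The one part that is easy to miss is that route-target import/export is evaluated by BGP, so a local BGP process is required for the leaking even though no MPLS and no BGP neighbors are involved; on a VRF Lite router the OSPF processes also need `capability vrf-lite` so that the PE-style down-bit/domain-tag checks do not discard routes redistributed from BGP.

```cisco
! Added example, not the original poster's config. Assumed: AS 65000,
! VLANs 10/20 = user groups, VLAN 100 = service VLAN, Gi0/0 = site LAN,
! Gi0/1 = fiber ring. Policy: a user VRF imports only its own RT and the
! service VRF's RT, so user VRFs never learn each other's routes.
ip vrf USERS-10
 rd 65000:10
 route-target export 65000:10
 route-target import 65000:10
 route-target import 65000:100
!
ip vrf USERS-20
 rd 65000:20
 route-target export 65000:20
 route-target import 65000:20
 route-target import 65000:100
!
ip vrf SERVICE
 rd 65000:100
 route-target export 65000:100
 route-target import 65000:100
 route-target import 65000:10
 route-target import 65000:20
!
! Site VLANs: one dot1Q subinterface per VRF.
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding USERS-10
 ip address 10.1.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding USERS-20
 ip address 10.1.20.1 255.255.255.0
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 ip vrf forwarding SERVICE
 ip address 10.1.100.1 255.255.255.0
!
! Fiber ring: VRF Lite keeps each VRF on its own tag across the ring,
! so the separation holds end to end without MPLS labels.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding USERS-10
 ip address 10.255.10.1 255.255.255.252
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding USERS-20
 ip address 10.255.20.1 255.255.255.252
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip vrf forwarding SERVICE
 ip address 10.255.100.1 255.255.255.252
!
! One OSPF process per VRF. "capability vrf-lite" turns off the PE-only
! down-bit / domain-tag checks that would otherwise drop leaked routes.
router ospf 10 vrf USERS-10
 capability vrf-lite
 network 10.1.10.0 0.0.0.255 area 0
 network 10.255.10.0 0.0.0.3 area 0
 redistribute bgp 65000 subnets
router ospf 20 vrf USERS-20
 capability vrf-lite
 network 10.1.20.0 0.0.0.255 area 0
 network 10.255.20.0 0.0.0.3 area 0
 redistribute bgp 65000 subnets
router ospf 100 vrf SERVICE
 capability vrf-lite
 network 10.1.100.0 0.0.0.255 area 0
 network 10.255.100.0 0.0.0.3 area 0
 redistribute bgp 65000 subnets
!
! Route targets are acted on by BGP, so a local BGP process (no neighbors,
! no MPLS) is what actually performs the import/export between VRFs.
router bgp 65000
 address-family ipv4 vrf USERS-10
  redistribute ospf 10 vrf USERS-10
 exit-address-family
 address-family ipv4 vrf USERS-20
  redistribute ospf 20 vrf USERS-20
 exit-address-family
 address-family ipv4 vrf SERVICE
  redistribute ospf 100 vrf SERVICE
 exit-address-family
```

To check that the policy is what the route targets encode, `show ip route vrf USERS-10` should list 10.1.100.0/24 (service VLAN, learned via BGP) but not 10.1.20.0/24, and `show ip route vrf SERVICE` should list both user prefixes. Because every site redistributes BGP into OSPF, leaking at every site re-advertises the same prefixes around the ring; it is cleaner to keep the BGP leaking (the `router bgp` section) on one or two hub routers and let the other sites run plain per-VRF OSPF, which also means the isolation policy lives in one place instead of in every router's VRF definitions.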