Monday, 25 September 2017

VRF Lite - 1

All router interfaces which provide transport for both types of traffic have been configured with two subinterfaces performing 802.1Q encapsulation; .10 for VLAN 10 (blue) and .20 for VLAN 20 (red).

VRF lite is simple: each routed interface (whether physical or virtual) belongs to exactly one VRF. Unless import/export maps have been applied, routes (and therefore packets) cannot move from one VRF to another, much like the way VLANs work at layer two. Packets entering VRF A can only follow routes in routing table A, as we'll see shortly.
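The lookup behaviour described above can be modelled in a few lines. This is an added example, not configuration or code from the original post; the interface names, prefixes and next hops are constructed for illustration. It also goes one step further and shows that the same destination can resolve differently in each VRF when address space overlaps.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the post's topology):
# two 802.1Q subinterfaces, each bound to exactly one VRF.
INTERFACE_VRF = {"Gi0/0.10": "BLUE", "Gi0/0.20": "RED"}

# One independent routing table per VRF: (prefix, next hop).
VRF_ROUTES = {
    "BLUE": [
        ("192.168.10.0/24", "connected"),
        ("192.168.40.0/24", "172.16.10.2"),
        ("10.1.0.0/16", "172.16.10.2"),      # overlaps with RED on purpose
    ],
    "RED": [
        ("192.168.20.0/24", "connected"),
        ("10.1.0.0/16", "172.16.20.6"),
        ("10.1.2.0/24", "172.16.20.2"),
    ],
}

def lookup(ingress_if, dst):
    """Return (vrf, matched_prefix, next_hop); prefix and hop are None on a drop."""
    vrf = INTERFACE_VRF[ingress_if]           # the ingress interface alone picks the VRF
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in VRF_ROUTES[vrf]:  # only this VRF's table is consulted
        net = ipaddress.ip_network(prefix)
        # Longest-prefix match within the VRF's own table.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        return (vrf, None, None)              # no route in this VRF: packet is dropped
    return (vrf, str(best[0]), best[1])

if __name__ == "__main__":
    # BLUE ingress, BLUE destination: forwarded.
    print(lookup("Gi0/0.10", "192.168.40.5"))
    # BLUE ingress, prefix that exists only in RED: no route, dropped.
    print(lookup("Gi0/0.10", "192.168.20.5"))
    # Same destination, different ingress VRF: different forwarding decision.
    print(lookup("Gi0/0.10", "10.1.2.3"))
    print(lookup("Gi0/0.20", "10.1.2.3"))
```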

Topology



After configuring, the routing tables are as follows:



Traceroute test from the host PCs




Reachability from PC4 to PC1 is fine (BLUE VRF). The traceroute result shows PC4 <-> R3 <-> R2 <-> PC1.



Reachability from PC4 to PC2 does not work: they are in different VRFs, and 10.0.0.1 (FW) does not have a route to the 192.168.x.x network.