VRFs/zones modeling

[berlikm]

Hi all

I'm looking for help with modeling this in NetBox.

In NetBox I plan to use a single (default) VRF across all sites (no overlapping IPs).

On devices, we use VRFs as “zones.” I’m not sure how to reflect that cleanly in NetBox while keeping just one global VRF.

I’m considering VLAN Groups per zone, with VLANs in the right group — but VLAN IDs can differ by site.

Site A

VLAN Group zone1 → VLANs 10, 20

VLAN Group zone2 → VLANs 30, 40

Site B

VLAN Group zone1 → VLAN 50

VLAN Group zone2 → VLANs 30, 40

There’s also a transport VLAN between the core (VRF) and the firewall (zone), and I’d like that relationship to be obvious in the model.

do you have any idea how to do it the best
maybe i should look into VRFs but then ipam will be complicated

[pheus]

Thanks for opening the discussion! I might be misunderstanding your goal, but here’s how I’m thinking about it.

NetBox models real-world L3 routing domains using VRFs. If you have multiple security zones separated by firewalls, there are generally two common approaches:

• One VRF per zone, and selectively leak routes between them using import/export route targets.
• A single global VRF if the network effectively shares one routing domain, and then model the security boundaries separately (outside of the VRF construct).

From your description, it sounds like there’s a single VRF across the network and you may be trying to represent firewall/security concepts with IPAM objects. If that’s the case, you’ll likely get a cleaner model by keeping VRFs focused on routing domains and handling security intent elsewhere. Depending on your needs, that could be with tags, custom fields, or with plugins such as Custom Objects or the NetBox Security Plugin.

Hope this helps!

[berlikm]

Thank you for the reply
I think I'm going to end up with the VLAN roles and Custom objects