Possibly VRF, but I just don't find it.
I have a couple of Mikrotiks soon serving as routers in a distributed environment (i.e. not an ISP, they basically all VPN into a central cluster). 4 different environments to be exact. One “hosting” environment, with an internal backbone. This has various customers that all share the backbone, this is ok. One Admin environment for central servers all other environments interact with. Two companies that both have internal addresses and their own internal networks.
VLAN only does not isolate, because on the central cluster there is a VLAN for each of the three segments and there is some interaction. For example all three “load” environments can access the admin area, and the admin area the 3 environments. Admin area and both company networks have NAT to the internet, the hosting backbone has not. VLANs come into play to expand some of those areas to third party sites (2 office locations). Also 2+ external Mikrotiks (2 at the office, another 2 for travellers) will connect back to the admin area with a VPN that is for admin purposes only (i.e. no other traffic should be there).
How do I best isolate them? Are filter rules on the interfaces my only option? Or should I go Metarouter with RouterOS and bridge the stuff into Metarouter (expensive)?
I am used to Extreme Networks in another scenario and they allow a split of the router into different routers without full virtualization - basically you assign ports to a router instance, and then set routing between instances. With RouterOS I don't see a way to isolate the different areas without firewall filters. How do you guys keep customers out of the administrative VLANs that you obviously put up between all the Mikrotiks you have?
Please confirm. Looking for the most elegant solution here.
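As an added example (not part of the original post, and not MikroTik's own documentation), here is how the policy described above can be expressed with RouterOS interface lists and firewall filter rules, which is the non-virtualized route the post is asking about. It assumes RouterOS 6.36 or later (interface lists in firewall rules), and the interface names vlan-admin, vlan-hosting, vlan-companyA, vlan-companyB, ovpn-admin-office and ether1-wan are placeholders; the admin-only VPN interface is shown as a static name for simplicity.

```routeros
# Added example, not the original poster's configuration.
# Interface names below are assumed placeholders; adjust to the real ones.

/interface list
add name=admin     comment="admin area + admin-only VPNs"
add name=hosting   comment="hosting backbone (no internet NAT)"
add name=companies comment="the two company networks"
add name=load      comment="all three load environments"
add name=wan

/interface list member
add interface=vlan-admin        list=admin
add interface=ovpn-admin-office list=admin
add interface=vlan-hosting      list=hosting
add interface=vlan-hosting      list=load
add interface=vlan-companyA     list=companies
add interface=vlan-companyA     list=load
add interface=vlan-companyB     list=companies
add interface=vlan-companyB     list=load
add interface=ether1-wan        list=wan

/ip firewall filter
# stateful baseline: replies are allowed, broken packets dropped
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop   connection-state=invalid
# admin area and every load environment may reach each other
add chain=forward action=accept in-interface-list=admin out-interface-list=load
add chain=forward action=accept in-interface-list=load  out-interface-list=admin
# only admin and the two companies get out to the internet; hosting does not
add chain=forward action=accept in-interface-list=admin     out-interface-list=wan
add chain=forward action=accept in-interface-list=companies out-interface-list=wan
# everything else between segments is dropped:
# load<->load (customers and companies never see each other), hosting->wan, wan->anything
add chain=forward action=drop comment="default deny between segments"

# the router itself (management, API, Winbox) is reachable from the admin list only
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=admin
add chain=input action=drop   comment="no management from customer or WAN side"

/ip firewall nat
# masquerade on the WAN; hosting traffic never reaches it because the forward
# chain above drops it, so it needs no NAT exception
add chain=srcnat action=masquerade out-interface-list=wan
```

The point of the interface lists is that the rule set stays the same when a fifth environment or another office VLAN is added: only list membership changes, not the rules. Note that in RouterOS 6 a VRF (/ip route vrf) separates routing tables, but traffic leaked between VRFs still traverses the forward chain, so the filter rules above remain the thing that actually enforces the isolation.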