This is an excellent read if you are just getting into reading up on VRF. He breaks VRF lite down to a simple example that everyone can easily understand, which I can’t say for some authors out there. His assessment of the secondary internet backdoor is right on, except when you have three users of AT&T’s global dialer that will not work through your ASA box no matter what you do 🙂

VRFs, or VPN Routing and Forwarding instances, are most commonly associated with MPLS service providers. In such networks, MPLS encapsulation is used to isolate individual customers’ traffic and an independent routing table (VRF) is maintained for each customer. Most often, MP-BGP is employed to facilitate complex redistribution schemes to import and export routes to and from VRFs to provide Internet connectivity.

However, VRF configuration isn’t at all dependent on MPLS (the two components just work well together). In Cisco terminology, deployment of VRFs without MPLS is known as VRF lite, and this article discusses a scenario where such a solution could come in handy.