Aggregation Edge Nodes and Per-Tenant Isolation at Layer 3

Per-Tenant Isolation at Layer 3

Question

Which technology, implemented on aggregation-edge nodes at the aggregation layer, provides per-tenant isolation at Layer 3, with separate dedicated per-tenant routing and forwarding tables on the inside interfaces of firewall contexts?

Answers

Explanations


A. B. C. D.

A.

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/3-0-1/DG/VMDC_3-0-1_DG/VMDC301_DG3.pdf

The correct answer is A, VRF-lite.

VRF-lite (Virtual Routing and Forwarding lite) is a technology that provides Layer 3 isolation between different tenants (or customers) in a shared network infrastructure. It enables the creation of multiple virtual routing tables on a single physical router, allowing different customers to have their own unique routing instances. Each VRF instance maintains its own separate routing table, forwarding table, and ARP cache.

In the context of the aggregation layer, VRF-lite can be implemented on the aggregation-edge nodes (also known as the border nodes) to provide per-tenant isolation. These nodes typically act as the gateway between the access and core layers and provide services such as firewalling, VPN termination, and policy enforcement. By implementing VRF-lite on the inside interfaces of firewall contexts, each tenant gets its own dedicated routing and forwarding table, so each tenant's traffic is isolated from every other tenant's.

VDC (Virtual Device Context) is a technology used in the data center to partition a physical device into multiple logical devices, each with its own separate control and data plane. It is typically used on the core and distribution layers to provide separation between different services or departments. However, VDC does not provide Layer 3 isolation between tenants and is not suitable for the aggregation layer.

VXLAN (Virtual Extensible LAN) is a tunneling protocol used to extend Layer 2 segments over an IP network. While VXLAN can be used to provide multi-tenancy in the data center, it operates at Layer 2 and does not provide Layer 3 isolation between tenants.

VLAN (Virtual LAN) is a technology used to segment a network into multiple broadcast domains. While VLANs can provide some level of isolation between different groups of users, they do not provide per-tenant isolation at Layer 3 and are not suitable for the aggregation layer.