Sunday, December 17, 2017

VRF-lite vs ACLs for segmentation of internal campus networks

Hello fellow members of the networking community. I'm hoping to get some ideas on how you all handle segmentation of your campus networks across layer 3 boundaries. At most of our districts, inter-VLAN routing is handled by the firewall, but as more devices are connected to the network and more demands placed on it, I'm looking to route more often, either at the edge of a small building or even down to the IDF in larger buildings. Here are the example segments (VLANs) we have in place.

  • Private. Staff and students, RADIUS authenticated WiFi
  • Guest. PSK authenticated guest WiFi
  • Infrastructure. Access points, switch management, etc.
  • Security cameras
  • VoIP
  • HVAC
  • Door access control

And here are the differences I see between the two solutions.

VRF-lite

Just as a VLAN is a virtual switch, I see a VRF as a virtual router. Here are the advantages I see in this solution.

  • Scalable. As I add routers and VLANs to networks, it seems easier to me to add a new VLAN to an existing VRF than to create an ACL for an IP scheme that may or may not change and then change all the existing ACLs to include that new VLAN. Any IP scheme changes that may happen are automatically propagated through the network with OSPF as well.

  • Maintaining separation of device duties. As much as I can, I like to have routers routing, switches switching, and firewalls controlling traffic flow. With VRFs, I can control traffic flow between these segments with the edge firewall, which it is designed to do. I could even run UTM features on traffic flowing from a less trusted zone to a more trusted zone if I so wished.

ACLs on each layer 3 switch

  • Simpler. I try to follow the KISS principle when appropriate, and ACLs would certainly solve the problem I have. Adding VRFs into my design would add more complexity that our more junior techs may not be able to solve, and I'm not a fan of designing networks only I can troubleshoot.

  • No support for VRF-lite on Aruba switches. We'd have to break our switch standard to get VRF-lite support, which adds to the learning curve for supporting the network. This isn't so much a budget cost but an operational/support cost that I think is important to consider.
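For concreteness, here is what the two designs look like on a single layer 3 switch. This is an added example, not configuration from the original post; it assumes Cisco IOS syntax (the post notes the Aruba switch standard lacks VRF-lite), made-up addresses, and a simple guest policy of no access to internal 10/8 space.

```cisco
! Added example (Cisco IOS syntax assumed; addresses are made up).
! --- Design 1: VRF-lite. Each trust zone gets its own routing table;
!     the firewall is the only device that forwards between zones. ---
ip routing
!
vrf definition GUEST
 address-family ipv4
!
vrf definition CAMERAS
 address-family ipv4
!
! "vrf forwarding" must come before the address, or the address is cleared
interface Vlan30
 description Guest WiFi (PSK)
 vrf forwarding GUEST
 ip address 10.30.0.1 255.255.255.0
!
interface Vlan40
 description Security cameras
 vrf forwarding CAMERAS
 ip address 10.40.0.1 255.255.255.0
!
! One transit VLAN per VRF, carried on a single trunk to the firewall
! (CAMERAS would get its own transit VLAN and OSPF process the same way)
interface Vlan930
 description Transit GUEST <-> firewall
 vrf forwarding GUEST
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet1/0/1
 description Trunk to firewall
 switchport mode trunk
 switchport trunk allowed vlan 930
!
! One OSPF process per VRF: a new VLAN only needs an SVI in the right VRF,
! and its prefix propagates to the firewall without touching any filter
router ospf 30 vrf GUEST
 network 10.30.0.0 0.0.0.255 area 0
 network 192.0.2.0 0.0.0.3 area 0
!
! --- Design 2: ACL on the SVI of one shared routing table (no VRF).
!     The filter has to encode the address plan, and every L3 switch
!     routing this VLAN needs the same ACL kept in sync. Replaces Vlan30 above. ---
ip access-list extended GUEST-IN
 remark Guest hosts may reach the firewall/Internet only, never 10/8
 deny   ip 10.30.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.30.0.0 0.0.0.255 any
!
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
 ip access-group GUEST-IN in
```

In the VRF design the inter-zone policy lives on the firewall and is enforced once; in the ACL design the deny lines above are the policy, so a renumbered or added internal VLAN means revisiting the ACL on each switch where it is applied.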
