Objective
The objective of this project was to completely separate freight vessel Wi-Fi traffic from internal harbor infrastructure across 14 locations nationwide. The challenge was to ensure network separation both on the local network and in transport across the country, without deploying a second MPLS circuit or investing in expensive new hardware. The solution needed to maintain high reliability, scalability, and security using existing infrastructure.
Background
Many harbors serve both internal staff operations and visiting vessels. As freight ships connect to harbor Wi-Fi, it’s crucial that their traffic does not mix with sensitive internal systems—such as logistics platforms, IoT sensors, and administrative networks.
Initially, the idea was to use a separate VRF (Virtual Routing and Forwarding) within the existing MPLS infrastructure. However, the nationwide ISP declined this approach due to policy restrictions. Procuring a completely new MPLS circuit was technically feasible—but financially unjustifiable.
That’s when we explored a smarter option: leveraging the existing routers already installed at each of the 14 locations to create a logical separation without changing the transport layer.
Design and Approach
Key Goals:
- Full L2/L3 separation between vessel traffic and harbor infrastructure
- Avoid additional MPLS lines or hardware
- Centralized routing control of segregated traffic
- Ensure seamless scalability across all sites
Solution Highlights:
- Utilizing Existing Routers: Each location already had capable routers in place. These were used to extend the new VRF locally without hardware upgrades.
- New VRF for Vessel Traffic: An additional VRF was configured at each site dedicated exclusively to vessel Wi-Fi traffic, ensuring local isolation from the main harbor network.
- Tunneling to a Central Location: Each site router established a tunnel (GRE, or GRE protected by IPsec) to a centralized hub site. The tunnel interface lives in the new VRF while its endpoints are routed in the global table, so vessel traffic stays logically separated during transport while the tunnel packets themselves ride the existing MPLS. The two options are not equivalent: plain GRE only separates the traffic, whereas IPsec also prevents the provider, or anyone else on the backbone, from reading or tampering with it.
- Encapsulation for End-to-End Segregation: Layer 2 separation comes from the dedicated vessel Wi-Fi segment (its own VLAN) at each site; Layer 3 separation comes from the VRF, whose only exit is the tunnel. Because all vessel traffic is encapsulated before it reaches the provider's MPLS, it never shares a routing table with harbor traffic on the shared backbone. Confidentiality against the backbone itself depends on the tunnel being encrypted.
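The site-side and hub-side configuration below is an added illustration of the design, not the customer's configuration. It assumes Cisco IOS-style syntax and uses hypothetical names and addresses throughout: a VRF called VESSEL, Tunnel100/Tunnel107, Vlan200, 192.0.2.0/24 for the provider-facing WAN, 10.200.7.0/24 for site 7's vessel Wi-Fi and 10.255.7.0/30 for the tunnel. It shows the one detail the bullet list glosses over: the tunnel interface belongs to the vessel VRF, while the tunnel source and destination are resolved in the global table.

```cisco
! Added example (Cisco IOS-style syntax). All names and addresses are hypothetical.
! --- Site router (site 7 of 14) ---
!
! 1. Dedicated VRF for vessel Wi-Fi. Nothing in this table reaches the global
!    table (harbor VLANs + MPLS underlay) unless a route leak is configured.
vrf definition VESSEL
 rd 65000:7
 address-family ipv4
 exit-address-family
!
! 2. IPsec protection for the GRE tunnel. Plain GRE keeps vessel traffic in its
!    own overlay, but the provider could still read it; AES-GCM adds
!    confidentiality and integrity on the shared backbone.
crypto ikev2 proposal VESSEL-PROP
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy VESSEL-POL
 proposal VESSEL-PROP
crypto ikev2 keyring VESSEL-KR
 peer HUB
  address 192.0.2.1
  pre-shared-key <per-site-psk>
crypto ikev2 profile VESSEL-IKE
 match identity remote address 192.0.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local VESSEL-KR
crypto ipsec transform-set VESSEL-TS esp-gcm 256
 mode transport
crypto ipsec profile VESSEL-IPSEC
 set transform-set VESSEL-TS
 set ikev2-profile VESSEL-IKE
!
! 3. Provider-facing interface stays in the global table: underlay only.
interface GigabitEthernet0/0/0
 description MPLS CE link (global table)
 ip address 192.0.2.7 255.255.255.0
!
! 4. Vessel Wi-Fi VLAN. The SVI sits in VESSEL, so this router has no L3 path
!    from the vessel segment to the harbor VLANs. DHCP and DNS for the segment
!    must be served inside the VRF as well.
interface Vlan200
 description Vessel Wi-Fi (VESSEL VRF)
 vrf forwarding VESSEL
 ip address 10.200.7.1 255.255.255.0
 ip access-group VESSEL-IN in
!
! 5. Overlay tunnel. "vrf forwarding" puts the inner IP in VESSEL; with no
!    "tunnel vrf" line the outer GRE/ESP packets are sourced and routed in the
!    global table, i.e. across the provider MPLS.
interface Tunnel100
 description GRE over IPsec to hub (VESSEL overlay)
 vrf forwarding VESSEL
 ip address 10.255.7.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.1
 tunnel mode gre ip
 tunnel protection ipsec profile VESSEL-IPSEC
!
! 6. Inside VESSEL the only exit is the tunnel. If the tunnel is down the route
!    goes with it and vessel traffic is dropped (fail closed), never forwarded
!    through the global table.
ip route vrf VESSEL 0.0.0.0 0.0.0.0 Tunnel100
!
! 7. Defence in depth: even if a route leak is added later, the vessel segment
!    cannot address private (harbor) ranges. DHCP to the gateway is allowed;
!    any VRF-internal service (e.g. a resolver) needs its own permit above the denies.
ip access-list extended VESSEL-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! --- Hub router (one tunnel per site, 14 in total; crypto config as above) ---
vrf definition VESSEL
 rd 65000:1
 address-family ipv4
 exit-address-family
interface Tunnel107
 description GRE over IPsec from site 7 (VESSEL overlay)
 vrf forwarding VESSEL
 ip address 10.255.7.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.7
 tunnel mode gre ip
 tunnel protection ipsec profile VESSEL-IPSEC
ip route vrf VESSEL 10.200.7.0 255.255.255.0 Tunnel107
```

This is VRF-lite: the VRF exists only on the customer routers, which is exactly why the ISP's refusal to add a VRF to its MPLS does not matter. Static routes inside the VRF are fine for 14 hub-and-spoke sites; if the design grows, the same separation holds with a routing protocol run inside the VRF over the tunnels, as long as no redistribution between VESSEL and the global table is ever configured. The MTU and MSS values account for GRE plus ESP overhead on a 1500-byte provider path and should be adjusted to the actual MPLS MTU.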
Implementation
The deployment was performed in phased steps:
- Configuration Testing: The full design was validated in a lab environment, testing tunnel reliability, routing behavior, and failover scenarios. The check that matters most for this design is what happens while a tunnel is down: vessel traffic must be dropped, not forwarded via the global table, and no vessel prefix may ever appear in the global routing table.
- Phased Rollout: Locations were brought online incrementally to minimize disruption and simplify troubleshooting.
- Monitoring and Logging: Monitoring was set up at both the central hub and local sites to track tunnel status and throughput and to flag anomalies.
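As an added example of the per-site tunnel monitoring and the fail-closed behavior the lab tests should confirm (not the customer's configuration), the fragment below runs a reachability probe from inside the vessel VRF and ties the VRF default route to it. It assumes Cisco IOS-style syntax and the same hypothetical names and addresses as above: VRF VESSEL, Tunnel100 with local address 10.255.7.2, hub tunnel address 10.255.7.1, and a syslog collector at 192.0.2.50 in the global table.

```cisco
! Added example (Cisco IOS-style syntax). Names and addresses are hypothetical.
! Probe the hub's tunnel address from inside VESSEL every 10 s. Because the
! probe is VRF-bound it fails when the overlay is broken even if the global
! table (MPLS underlay) is healthy, which is the failure that matters here.
ip sla 107
 icmp-echo 10.255.7.1 source-interface Tunnel100
 vrf VESSEL
 frequency 10
ip sla schedule 107 life forever start-time now
!
! Dampen flaps: down after 30 s of failed probes, up after 60 s of success.
! Each state change is logged as %TRACK-6-STATE and shipped to the collector.
track 107 ip sla 107 reachability
 delay down 30 up 60
!
! Tie the VRF default route to the probe. When the track is down the route is
! withdrawn; there is no floating static and no leaked route to fall back on,
! so vessel traffic is dropped rather than forwarded anywhere else.
ip route vrf VESSEL 0.0.0.0 0.0.0.0 Tunnel100 track 107
!
! Ship syslog (link/line-protocol, IKEv2/IPsec and track events) from the
! global table to the collector used by the hub-site monitoring.
logging host 192.0.2.50
logging trap informational
!
! Checklist for the lab and for each phased site turn-up (expected results):
!   show track 107                     -> Reachability is Up
!   show ip route vrf VESSEL           -> connected vessel/tunnel prefixes and
!                                         the default via Tunnel100, nothing else
!   show ip route | include 10.200     -> empty: no vessel prefix in the global table
!   ping vrf VESSEL <harbor address>   -> must fail
!   show crypto ikev2 sa               -> one SA per tunnel, peer 192.0.2.1
```

Keeping the probe inside the VRF is the point: a probe from the global table would only prove the MPLS underlay works, not that the overlay the vessel traffic actually uses is up.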
Benefits
This project delivered a range of tangible benefits:
- End-to-End Traffic Segregation: Full logical separation from edge device to central routing—without relying on ISP support or changes.
- Cost Efficiency: By avoiding a second MPLS contract or additional hardware purchases, the client saved significantly on both CapEx and OpEx.
- Scalability: The design is easily extendable. New locations or additional traffic types can be isolated using similar VRF/tunnel setups.
- Operational Simplicity: Using existing hardware meant that the local IT teams were already familiar with the equipment, shortening the learning curve and easing support.
Conclusion
By creatively leveraging VRFs and tunneling on the customer’s existing infrastructure, we achieved secure, scalable traffic isolation across 14 harbor locations nationwide. This solution not only fulfilled all security and performance requirements but also avoided costly infrastructure investments.
In a time when budget constraints and operational security are both high priorities, this project stands as a perfect example of engineering smarter, not harder.