Routing between virtual routers

  • Question
  • Updated 5 years ago
  • Answered
I'd like to revisit the question of "how do I route between virtual routers". I'm in a managed datacenter environment and have 8806s, 480s, 460s, all running XOS 15.3 or higher.

Scenario: I have a dozen or so corporate-internal VLANs that are all connected to let's say "VR-Corp". Now, the problem is that I have a handful of colocated customers with their internal networks (private IP space) that we need to manage, so two or three of our corporate VLANs have to somehow get access to the customer VLANs.

I do not want to add those customer VLANs to our corporate VR. I'm not a big fan of ACLs that aren't straightforward, simple, and easily maintainable. VPN access to the customer is usually not an option, either.
I would much rather add all those customer VLANs to a "VR-Cust" and somehow route between the two VRs - that approach makes for a much simpler configuration on the respective VRs. At least I won't have to worry about routing protocols - just good old fashioned static routes will do just fine here :)

From previous discussions I do understand that I cannot do that "within" the switch. However, my 8806s do have a 48-port Ethernet blade, and my idea was to create one VLAN on each VR (different tags) that are the same IP network, assign one Ethernet port to each VLAN, and just patch them together with a short cable.

This, however, does not seem to work. The ports are up, but I can only ping the IP address that's on the VR that I set the context to, and not the other. The ports are up, the VRs are up, the VLANs are up, and they're still invisible to each other. I would assume that if it doesn't work over Ethernet, it won't work over fiber either.

I don't quite understand why it doesn't work - technically I'm leaving the switch out one port and coming back in through another port.

If everything else fails, I can of course introduce my 480 into the mix and have it be the "router between the VRs" (or rather: the cross-connect VLANs), but I would find that a somewhat less-than-elegant solution (to a less-than-elegant problem/requirement).

Thanks for your help!

    Frank
Frank

Posted 5 years ago


Paul Russo, Alum

Official Response
Hey Frank

My suspicion was correct.  The issue is that the switch has one MAC for all VRs.

Here's some information from an internal post

At L2, a simple cable between the two VRs will do the job. Disabling learning on the ports will help.

At L3, we need an external device to go from one VR to another. And because we have a unique MAC for the whole system, you may need 2 external devices... Hopefully, VRF leaking will come one day (no idea of possible limitations). In the meantime, you can try to trick the system to enable such a feature using a cable to directly connect two ports in two VRs, and using VRRP to generate a different MAC.

I would recommend going to a 460/480 versus trying to do it with VRRP.

Let me know if there is anything else I can help with.
P
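
A sketch of the external-router layout recommended in the answer above, as an added example that is not part of the original thread or Extreme's documentation. All VLAN names, tags, port numbers and IP ranges are constructed placeholders, and it assumes VR-Corp already exists; instead of one shared subnet it uses a separate /30 transit network per VR, since the hop between the VRs is now the external 460/480.

```exos
# ---- On the 8806 (constructed names, ports and addresses) ----
# Free two ports from the default VLAN/VR and hand one to each user VR
configure vlan Default delete ports 3:1-2
configure vr VR-Default delete ports 3:1-2
create virtual-router VR-Cust
configure vr VR-Corp add ports 3:1
configure vr VR-Cust add ports 3:2

# Transit VLAN in the corporate VR, facing the external router
create vlan xc-corp vr VR-Corp
configure vlan xc-corp tag 3001
configure vlan xc-corp add ports 3:1 untagged
configure vlan xc-corp ipaddress 10.255.1.1/30
enable ipforwarding vlan xc-corp
# Customer space (placeholder 10.50.0.0/16) is reached via the external router
configure iproute add 10.50.0.0/16 10.255.1.2 vr VR-Corp

# Transit VLAN in the customer VR, facing the external router
create vlan xc-cust vr VR-Cust
configure vlan xc-cust tag 3002
configure vlan xc-cust add ports 3:2 untagged
configure vlan xc-cust ipaddress 10.255.2.1/30
enable ipforwarding vlan xc-cust
# Return route only for the corporate management subnet (placeholder),
# so the rest of the corporate space stays unreachable from VR-Cust
configure iproute add 10.10.20.0/24 10.255.2.2 vr VR-Cust

# ---- On the external 460/480 (single VR, constructed ports) ----
configure vlan Default delete ports 1-2
create vlan to-corp
configure vlan to-corp tag 3001
configure vlan to-corp add ports 1 untagged
configure vlan to-corp ipaddress 10.255.1.2/30
enable ipforwarding vlan to-corp
create vlan to-cust
configure vlan to-cust tag 3002
configure vlan to-cust add ports 2 untagged
configure vlan to-cust ipaddress 10.255.2.2/30
enable ipforwarding vlan to-cust
# Static routes back into each VR on the 8806
configure iproute add 10.10.20.0/24 10.255.1.1
configure iproute add 10.50.0.0/16 10.255.2.1
```

Because the 8806 presents its VR interfaces on different VLANs and ports of the external router, that device is also the single place where any filtering between corporate and customer networks would be applied.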