Why do you assign a VLAN to a virtual router, and not an interface?

  • Updated 2 years ago
  • Answered
Hi,

I'm trying to understand why you assign a VLAN to a VR, instead of an interface, which is what I would expect. Why does EXOS work that way?

How I would imagine it to work:
* Create user VR-A
* Go into VR-A and say "I want it to have an interface in VLAN 10 with IP x"
* Also say "I want it to have an interface in VLAN 20 with IP y" (so the VR will route between VLANs 10 and 20)

Further you could:
* Create a second user VR-B
* Go into VR-B and say "I want it to have an interface in VLAN 10 (same as above), this time with IP z (same IP range, or a secondary address)"

I have not tried if you can actually accomplish this... for now I am wondering why it works using VLANs and not interfaces/IPs...

This question arose because we were wondering whether you would be able to assign different secondary IP addresses of an interface to different VRs? Is it possible?

Thanks,
Marki
jeronimo

Posted 2 years ago

JeremyClarkson

You can have the VLAN on multiple VRs - they are just virtual and best to imagine the physical layout.

There is no point however creating 2 VLAN interfaces on the same layer 3 switch as you only need one for remote management (unless of course you manage from different LANs).

jeronimo

There certainly are more uses to VRs than switch mgmt :)

JeremyClarkson

Haha yes I know, this is true... it's all depending on what you need and use them for.

André Herkenrath, Employee

At first: Don't ever use secondary IP addresses on a VLAN interface unless you need them as a workaround for a migration scenario.

The big advantage of VRs is that you can have several L3 environments on the same physical hardware without the need for ACLs.

Imagine you have a big campus at a university where you want to have a network for the students and a network for the teachers. Each network itself is a 3-tier network with dynamic routing (OSPF) and provides a loop-free environment with OSPF/ECMP and MLAG.

Your link from distribution to access contains 2 VLANs: Student and Teacher.

Based on the authorisation on the access, the PC will be put into one of the two VLANs.
On the distribution switch these VLANs are in different VRs. Now both networks are totally separated and the only way for communication between these networks is via a default gateway on the perimeter of each network (in most cases it's a firewall).

You can achieve this without one single ACL. You could even use the same IP ranges for these two networks, but I wouldn't do that in case you want to establish communication between these networks.

Hope this example helps.

jeronimo

Even with ACLs you would not be as flexible as you would be with multiple VRs, because you would still only have one routing table. Unless of course you'd use PBR which would probably take you to hell very quickly.

I understand secondary addresses are bad. You must understand some migrations are permanent ;-) You didn't say if you think this might be possible to configure or not? :) Unfortunately I don't have any devices to try this on. Maybe I'll deploy a virtual ExOS to play with.

André Herkenrath, Employee

You can configure secondary IP addresses on a VLAN - it's possible - but bad style.
I recently had a customer with more than 10 secondary IPs on a subnet, that was really bad...

jeronimo

But you can't assign a secondary to another VR, right?

André Herkenrath, Employee

You can create a VLAN in every VR and assign 1 or more IP addresses to it. You can even use the same IP addresses on different VRs. With some external cabling you can do much more strange things. What do you want to accomplish?

jeronimo

The traffic from several subnets (on the same VLAN, i.e. secondary networks) needs to use a different default gateway for every subnet. This can be accomplished by putting each subnet together with a transit network to wherever we want to go into a separate VR.
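
The behaviour discussed in this thread (each VLAN belongs to one VR, and each VR has its own routing table and default gateway) can be illustrated with a small model. This is an added example, not part of any post and not EXOS code; the VR names, subnets and next-hop labels are constructed for illustration.

```python
import ipaddress

class VR:
    """One virtual router: its own routing table, nothing shared with other VRs."""
    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (network, next_hop)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Longest-prefix match; None means this VR has no route at all."""
        addr = ipaddress.ip_address(dst)
        hits = [(net, hop) for net, hop in self.routes if addr in net]
        if not hits:
            return None
        return max(hits, key=lambda r: r[0].prefixlen)[1]

class Switch:
    def __init__(self):
        self.vlan_to_vr = {}  # a VLAN is bound to exactly one VR

    def add_vlan(self, vlan, vr, subnet):
        self.vlan_to_vr[vlan] = vr
        vr.add_route(subnet, f"connected:{vlan}")

    def forward(self, ingress_vlan, dst):
        # The ingress VLAN selects the VR; only that VR's table is consulted.
        return self.vlan_to_vr[ingress_vlan].lookup(dst)

def single_vr():
    """Both VLANs in one VR: connected routes join them unless ACLs intervene."""
    sw, vr = Switch(), VR("VR-Default")
    sw.add_vlan("Student", vr, "10.1.0.0/24")   # constructed subnets
    sw.add_vlan("Teacher", vr, "10.2.0.0/24")
    vr.add_route("0.0.0.0/0", "firewall")
    return sw

def two_vrs():
    """One VR per VLAN: the only way out of either network is its own gateway."""
    sw, s, t = Switch(), VR("VR-Student"), VR("VR-Teacher")  # hypothetical names
    sw.add_vlan("Student", s, "10.1.0.0/24")
    sw.add_vlan("Teacher", t, "10.2.0.0/24")
    s.add_route("0.0.0.0/0", "fw-student")
    t.add_route("0.0.0.0/0", "fw-teacher")
    return sw

if __name__ == "__main__":
    print(single_vr().forward("Student", "10.2.0.5"))
    print(two_vrs().forward("Student", "10.2.0.5"))
```

With a single VR, traffic from Student to a Teacher address is routed directly over the connected route; with two VRs the same packet can only leave via the Student VR's own default gateway, with no ACL involved.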