
Routing between VR's on a single switch


Userlevel 4
Create Date: Mar 20 2013 3:28AM

I have a network that I am trying to isolate. Let's say it's 1.1.1.0/24. I would like it to communicate with 2.2.2.0/24 and 3.3.3.0/24 and not with the other 15 networks. My thought was to put it on a separate VR and only advertise this network to 2.2.2.0 and 3.3.3.0. I thought this might be a cleaner way to do this as opposed to creating an ACL and having to list every network in the ACL. And if I understand Extreme ACLs correctly (very possible that I don't), I would have to create ingress and egress ACLs.
So the underlying question is: am I able to route between VRs on the same switch without having to exit the switch, go through a firewall, and then connect back into the switch?

This is on a BD8810 XOS 12.6.3.2

Thanks!
Forrest

(from Forrest_Darst)


Userlevel 4
Create Date: Mar 20 2013 2:07PM

Hello Forrest,

As of right now there is no way to route between VRs in the same switch. The intent of the VR is complete L3 isolation, so going to an outside FW or other router is needed.

As for the ACLs, you can create an ACL that looks at the traffic in both directions of the conversation and have it applied on ingress.

P (from Paul_Russo)
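
An added example, not part of the thread or of Extreme's documentation: a Python model of the ACL approach from the reply above, which builds first-match entries covering both directions of each permitted conversation for the networks in the question and renders them in ExtremeXOS policy-file form. The entry names, the intra-subnet permit, and the forward-on-no-match default in `evaluate` are assumptions.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def build_rules(isolated, peers):
    """Ordered first-match rules as (name, src_net, dst_net, action)."""
    iso = ipaddress.ip_network(isolated)
    # Assumption: hosts inside the isolated subnet may still talk to each other.
    rules = [("iso_local", iso, iso, "permit")]
    for i, peer in enumerate(map(ipaddress.ip_network, peers), 1):
        rules.append((f"iso_to_peer{i}", iso, peer, "permit"))  # outbound half
        rules.append((f"peer{i}_to_iso", peer, iso, "permit"))  # return half
    # Everything else sourced from or destined to the isolated network is dropped.
    rules.append(("iso_to_other", iso, ANY, "deny"))
    rules.append(("other_to_iso", ANY, iso, "deny"))
    return rules

def render_policy(rules):
    """Render the rules as policy-file entries (entry names are hypothetical)."""
    return "\n".join(
        f"entry {name} {{\n"
        f"    if {{\n"
        f"        source-address {src};\n"
        f"        destination-address {dst};\n"
        f"    }} then {{\n"
        f"        {action};\n"
        f"    }}\n"
        f"}}"
        for name, src, dst, action in rules
    )

def evaluate(rules, src_ip, dst_ip):
    """First matching entry decides. Assumption: no match means forward."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, s, d, action in rules:
        if src in s and dst in d:
            return action, name
    return "permit", None

# Networks taken from the question in this thread.
RULES = build_rules("1.1.1.0/24", ["2.2.2.0/24", "3.3.3.0/24"])

if __name__ == "__main__":
    print(render_policy(RULES))
    # Constructed sample flows: allowed peer, return traffic, blocked both ways, unrelated.
    for flow in [("1.1.1.10", "2.2.2.5"), ("3.3.3.7", "1.1.1.10"),
                 ("1.1.1.10", "4.4.4.4"), ("4.4.4.4", "1.1.1.10"),
                 ("4.4.4.4", "5.5.5.5")]:
        print(flow, evaluate(RULES, *flow))
```

The two trailing deny entries stand in for listing each of the other 15 networks, and because both directions are in one ordered list, the same policy can be bound on ingress wherever the traffic enters.
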
Hello,

For X670 with summitX-15.4.1.3, does it support routing between VRs on a single switch? Or can a PBR solve routing between different VRs on the same switch?

Thanks.
Userlevel 1
If you have 2 spare ports, you might link them to each other and put each one in a different VR. Never tried it though, you might have some trouble because of the same MAC address. But then you could create a new MAC address on that interface with VRRP.
MrGuga wrote:

If you have 2 spare ports, you might link them to each other and put each one in a different VR. Never tried it though, you might have some trouble because of the same MAC address. But then you could create a new MAC address on that interface with VRRP.

Did it work for you? Would you share some config? Thanks a lot.
Userlevel 2
Hi,

That wouldn't be a good idea, as the MAC address would be the same (tricking it with VRRP doesn't work).

As of today, VRF leaking is not supported. I'd encourage you to contact your local SE to discuss this topic further.
