
Why do you assign a VLAN to a virtual router, and not an interface?


Userlevel 2
Hi,

I'm trying to understand why you assign a VLAN to a VR, instead of an interface, which is what I would expect. Why does EXOS work that way?

How I would imagine it to work:
* Create user VR-A
* Go into VR-A and say "i want it to have an interface in VLAN 10 with IP x"
* Also say "i want it to have an interface in VLAN 20 with IP y" (so the VR will route between VLANs 10 and 20)
Further you could:
* Create a second user VR-B
* Go into VR-B and say "i want it to have an interface in VLAN 10 (same as above), this time with IP z (same IP range, or a secondary address)"

I have not tried if you can actually accomplish this... for now I am wondering why it works using VLANs and not interfaces/IPs...

This question arose because we were wondering whether you would be able to assign different secondary IP addresses of an interface to different VRs. Is it possible?

Thanks,
Marki

9 replies

Userlevel 1
you can have the VLAN on multiple VRs - they are just virtual and best to imagine the physical layout.

There is no point however creating 2 VLAN interfaces on the same layer 3 switch as you only need one for remote management. (unless of course you manage from different LANs)
Userlevel 2
JeremyClarkson wrote:

you can have the VLAN on multiple VRs - they are just virtual and best to imagine the physical layout.

There is no point however creating 2 VLAN interfaces on the same layer 3 switch as you only need one for remote management. (unless of course you manage from different LANs)

There certainly are more uses to VRs than switch mgmt 🙂
Userlevel 1
Haha yes I know, this is true... it's all depending on what you need and use them for.
Userlevel 4
At first: Don't ever use secondary IP addresses on a VLAN Interface unless you need them as a workaround for a migration scenario.

The big advantage of VRs is that you can have several L3 environments on the same physics without the need of ACLs.

Imagine you have a big campus on a university where you want to have a network for the students and a network for the teachers. Each network itself is a 3 tier network with dynamic routing (OSPF) and provides a loop free environment with OSPF/ECMP and MLAG.

Your link from distribution to access contains 2 VLANs : Student and Teacher.

Based on the authorisation on the access the PC will be put into one of the two VLANs.
On the distribution switch these VLANs are in different VRs - now both networks are totally separated and the only way for communication between these networks is via a default gateway on the perimeter of each network (in most cases it's a firewall)

You can achieve this, without one single ACL. You could even use the same IP Ranges for these two networks - but I wouldn't do that for the case you want to establish communication between these networks.

Hope this example helps
Userlevel 2
André Herkenrath wrote:

At first: Don't ever use secondary IP addresses on a VLAN Interface unless you need them as a workaround for a migration scenario.

The big advantage of VRs is that you can have several L3 environments on the same physics without the need of ACLs.

Imagine you have a big campus on a university where you want to have a network for the students and a network for the teachers. Each network itself is a 3 tier network with dynamic routing (OSPF) and provides a loop free environment with OSPF/ECMP and MLAG.

Your link from distribution to access contains 2 VLANs : Student and Teacher.

Based on the authorisation on the access the PC will be put into one of the two VLANs.
On the distribution switch these VLANs are in different VRs - now both networks are totally separated and the only way for communication between these networks is via a default gateway on the perimeter of each network (in most cases it's a firewall)

You can achieve this, without one single ACL. You could even use the same IP Ranges for these two networks - but I wouldn't do that for the case you want to establish communication between these networks.

Hope this example helps

Even with ACLs you would not be as flexible as you would be with multiple VRs, because you would still only have one routing table. Unless of course you'd use PBR which would probably take you to hell very quickly.

I understand secondary addresses are bad. You must understand some migrations are permanent 😉 You didn't say if you think this might be possible to configure or not? 🙂 Unfortunately I don't have any devices to try this on. Maybe I'll deploy a virtual ExOS to play with.
Userlevel 4
You can configure secondary IP addresses on a VLAN - it's possible - but bad style.
I recently had a customer with more than 10 secondary IPs on a subnet, that was really bad...
Userlevel 2
But you can't assign a secondary to another VR, right?
Userlevel 4
You can create a VLAN in every VR and assign 1 or more IP addresses to it. You can even use the same IP addresses on different VRs. With some external cabling you can do much more strange things. What do you want to accomplish?
Userlevel 2
The traffic from several subnets (on the same VLAN, i.e. secondary networks) needs to use a different default gateway for every subnet. This can be accomplished by putting each subnet together with a transit network to wherever we want to go into a separate VR.

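Added example, not part of the thread and not Extreme Networks code: a small Python model of the behaviour the replies describe, where the ingress VLAN selects the VR and each VR does its own longest-prefix match, so the same IP range can exist in two VRs and traffic between them only leaves via each VR's default gateway. VR names, VLAN IDs and addresses are constructed for illustration.

```python
import ipaddress

# Constructed topology for illustration: VR names, VLAN IDs and addresses are
# assumptions, not values from the thread.
VLAN_TO_VR = {10: "VR-Student", 20: "VR-Teacher", 21: "VR-Teacher"}

# One routing table per VR. ("direct", vlan) = connected subnet,
# ("via", ip) = next hop, here the firewall at each network's perimeter.
ROUTES = {
    "VR-Student": [
        ("10.1.0.0/24", ("direct", 10)),
        ("0.0.0.0/0", ("via", "192.0.2.1")),
    ],
    "VR-Teacher": [
        ("10.1.0.0/24", ("direct", 20)),   # same range as the student VR
        ("10.2.0.0/24", ("direct", 21)),
        ("0.0.0.0/0", ("via", "198.51.100.1")),
    ],
}


def lookup(ingress_vlan, dst):
    """Pick the VR from the ingress VLAN, then longest-prefix match in it."""
    vr = VLAN_TO_VR[ingress_vlan]
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in ROUTES[vr]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return vr, (best[1] if best else None)


def cross_vr_leaks():
    """List connected routes that point at a VLAN owned by another VR."""
    leaks = []
    for vr, table in ROUTES.items():
        for prefix, (kind, target) in table:
            if kind == "direct" and VLAN_TO_VR.get(target) != vr:
                leaks.append((vr, prefix, target))
    return leaks


if __name__ == "__main__":
    for vlan, dst in [(10, "10.1.0.7"), (20, "10.1.0.7"), (10, "10.2.0.5"), (20, "10.2.0.5")]:
        print(vlan, dst, lookup(vlan, dst))
    print("leaks:", cross_vr_leaks())
```

A student-side packet to 10.2.0.5 resolves to the student firewall rather than to the teacher VLAN, which is the separation without ACLs that the reply describes.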