Author Topic: Getting around global VLANs - ASR1K  (Read 260 times)

netspork (OP)

Getting around global VLANs - ASR1K
« on: September 29, 2017, 01:22:24 AM »
Bear with me - I do more sysadmin and web dev work these days.  My IOS heyday was like IOS 10 and 11.

So I'm probably missing an easy workaround to this problem.  I have an ASR-1002-X and multiple NNIs to some metro-ethernet providers. So far I've been able to specify VLANs when we order, so for example, provider 1, VLANs 100-200, provider 2, VLANs 201-300, etc. Now I have an NNI coming from another provider that does not allow me to specify the range of VLANs and they will overlap with the others.

From playing around with this, I see on the ASR that the VLANs are "global" to the router.  If I create a subint and vlan on one physical interface and then on another different physical interface, they see each other's traffic as if I've created a bridge.  I imagine there's a way to avoid that.  Pointers?

wintermute000

« Reply #1 on: September 29, 2017, 05:27:32 AM »
Some ASRs can do bridge domain interfaces to join the provider external VLAN to your unique internal VLAN. But as always, caveats arise re bridge domain interfaces vs subs. Also complex logically.

Metro Ethernet switches like the old ME3400 range etc. can also do VLAN tag rewrites. This is probably simpler and straightforward (i.e. NAT the VLAN, basically).

netspork (OP)

« Reply #2 on: September 29, 2017, 09:30:25 PM »
Fudge.  I was hoping I was just mistaken...

Is there any sort of "virtualization" hack?  Like a layer-2 VRF for VLANs?

wintermute000

« Reply #3 on: October 01, 2017, 06:12:08 AM »
Are you sure routed interfaces bridge locally?

netspork (OP)

« Reply #4 on: October 17, 2017, 01:43:00 PM »
Yo, Szechuan Rick - what are you saying, maybe they don't? :)

I can set up a test case without breaking anyone, I'll check it out.

deanwebb

« Reply #5 on: October 17, 2017, 01:57:55 PM »
> Yo, Szechuan Rick - what are you saying, maybe they don't? :)
>
> I can set up a test case without breaking anyone, I'll check it out.

 :showme:

wintermute000

« Reply #6 on: October 17, 2017, 05:56:08 PM »
I've done sub interfaces before with the same tag and they're all routing nicely and definitely not switching.

RoDDy

« Reply #7 on: October 25, 2017, 11:21:46 AM »
Hey, how about trying bridge domains (not sure)? If you have them connected to different physical interfaces and have EFPs/service instances defined then I believe that would work (example below).

Interface Gi0/0/1
 service instance 1 ethernet
  description **Provider 1**
  encapsulation dot1q 100-200
  rewrite ingress tag pop 1 symmetric
  bridge-domain 1

Interface Gi0/0/2
 service instance 2 ethernet
  description **Provider 2**
  encapsulation dot1q 201-300
  rewrite ingress tag pop 1 symmetric
  bridge-domain 2

Interface Gi0/0/3
 service instance 3 ethernet
  description **Provider 3**
  encapsulation dot1q 201-300
  rewrite ingress tag pop 1 symmetric
  bridge-domain 3

So basically anything arriving on those interfaces with dot1q tags as defined will be placed in the bridge domain listed under the interface. From there you can do L2 / L3 to wherever.
« Last Edit: October 25, 2017, 11:23:27 AM by RoDDy »
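
An added example (not from the thread or from Cisco): a small Python check over service-instance configuration of the shape posted above. It reports which bridge-domains are reachable from more than one physical port, which bridges those ports together at Layer 2, and which overlapping tag ranges are kept apart by separate bridge-domains. The sample config and the names `parse_efps` and `audit` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Provider 2 / Provider 3 instances in the
# thread, plus one deliberate mistake: Gi0/0/4 reuses bridge-domain 2.
SAMPLE = """
interface Gi0/0/2
 service instance 2 ethernet
  encapsulation dot1q 201-300
  bridge-domain 2
interface Gi0/0/3
 service instance 3 ethernet
  encapsulation dot1q 201-300
  bridge-domain 3
interface Gi0/0/4
 service instance 4 ethernet
  encapsulation dot1q 250
  bridge-domain 2
"""

def parse_efps(config):
    """Return one dict per service instance: port (lowercased), vlans, bd."""
    efps, port, cur = [], None, None
    for line in (l.strip().lower() for l in config.splitlines()):
        if m := re.match(r"interface\s+(\S+)", line):
            port, cur = m.group(1), None
        elif re.match(r"service instance\s+\d+\s+ethernet", line):
            cur = {"port": port, "vlans": set(), "bd": None}
            efps.append(cur)
        elif cur and (m := re.match(r"encapsulation dot1q\s+([\d,\- ]+)", line)):
            for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", m.group(1)):
                cur["vlans"].update(range(int(lo), int(hi or lo) + 1))
        elif cur and (m := re.match(r"bridge-domain\s+(\d+)", line)):
            cur["bd"] = int(m.group(1))
    return efps

def audit(efps):
    """Return (bridge-domains shared across ports, overlapping tags kept apart)."""
    ports_by_bd = defaultdict(set)
    for e in efps:
        if e["bd"] is not None:
            ports_by_bd[e["bd"]].add(e["port"])
    shared = {bd: sorted(p) for bd, p in ports_by_bd.items() if len(p) > 1}
    isolated = [(a["port"], b["port"]) for i, a in enumerate(efps) for b in efps[i + 1:]
                if a["vlans"] & b["vlans"] and a["bd"] != b["bd"]]
    return shared, isolated

if __name__ == "__main__":
    print(audit(parse_efps(SAMPLE)))
```

Any entry in the first result is a place where two provider hand-offs land in the same broadcast domain and should be intentional.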