topic Re: Multi VSYS, VRs and ARP tables? in General Topics

Multi VSYS, VRs and ARP tables?

AlexandroDelAngel — Fri, 08 Nov 2019 19:59:46 GMT

Hello team,

I will be deploying a couple of 3250s in HA and multi VSYS, and VRs.

My main concern is that are we getting separate ARP tables per each VSYS/VR? Let me give you some more background about what we will try to achieve:

We want to create 4 VSYS with their corresponding VRs, for example: VSYSa/VRa, VSYSb/VRb, VSYSc/VRc, VSYSd/VRd.

I'm planning to allocate a dedicated "Untrust" interface for each VSYS/VR.

The thing is that we are using the same Public IP Addresses range from the ISP, so all of the 4 VSYS/VRs will send traffic to the same Default Gateway/ISP Router. That's the reason why I would like someone to help me to confirm if the PAs in multi-vsys/vrs mode will keep separate ARP tables just like tradditional VRFs or Virtual Contexts on CISCO routers and ASA firewalls (Apologize for the comparison). Otherwise the 4 VSYS/VRs would be in constant conflict by keeping the single ARP entry (if no multiple ARP tables supported).

It will be nice if someone could share a screenshot with me about ARP tables behavior in multi vsys/vrs mode, documentation about this kind of setup will also be greatly appreciated. Below an screenshot of what we are trying to achieve.

Kind Regards,

Re: Multi VSYS, VRs and ARP tables?

BruceBennett — Fri, 08 Nov 2019 21:22:46 GMT

This will be interesting to learn myself.

We have a couple of firewalls with two VSYS and the ARP table, with the "show arp all" command it does not have any distinction for VSYS, only interfaces. Thinking about it, the ARP table is showing layer 2 information, tied to interfaces, so I am not sure it would matter if there were separate tables.

Re: Multi VSYS, VRs and ARP tables?

AlexandroDelAngel — Mon, 11 Nov 2019 20:01:51 GMT

Thanks for your feedback Burce,

Are you also running multiple VRs? And how are you providing Internet access to your current both VSYS? Are you using the same ISP subnet? Which means that you would have an ARP entry for VSYSA, and another ARP entry for VSYSB?

Kind Regards,

Re: Multi VSYS, VRs and ARP tables?

rmfalconer — Mon, 11 Nov 2019 22:51:10 GMT

We run multiple vsys with a separate vr for each vsys. Each interface is assigned to a specific vr. We use a single ISP subnet and multiple vsys do use the same gateway.

When you look at arp information in the CLI, you can look at 'sh arp all' or 'sh arp <interface>'.

'sh arp <interface>' is like 'sh arp vrf <vrf>' and it will only show entries specific to that interface. 'sh arp all' is like the Nexus command 'sh ip arp vrf all' and will display all entries.

If you look at either, you'll see the same entry for the gateway present on different interfaces. So there are different entries per vsys.

show arp ethernet1/1 | match .19
ethernet1/1 x.x.x.19 2c::::6f:00 ethernet1/1

show arp ethernet1/5 | match .19
ethernet1/5 x.x.x.19 2c::::6f:00 ethernet1/5

show arp all | match .19
ethernet1/1 x.x.x.19 2c::::6f:00 ethernet1/1
ethernet1/5 x.x.x.19 2c::::6f:00 ethernet1/5

Re: Multi VSYS, VRs and ARP tables?

AlexandroDelAngel — Tue, 12 Nov 2019 14:22:57 GMT

This is awesome feedback Rmfalconer,

Now I know that my approach will work with no issues. Thanks for confirming that we should be able to see the same entry for ISP gateway on different interfaces.

Kind Regards,

Re: Multi VSYS, VRs and ARP tables?

jeremy.larsen — Tue, 12 Nov 2019 16:53:03 GMT

Just to add to this -

Different vRouters on the same vSYS will also have independent ARP tables (analogous to Cisco VRF or Juniper vRouters).

Re: Multi VSYS, VRs and ARP tables?

AlexandroDelAngel — Tue, 12 Nov 2019 17:05:01 GMT

Awesome Jeremy,

Thanks for your feedback, just as expected even when the CLI output does not explicitly state that. However, we can figure this out when we see multiple entries for the same ISP Gateway through different interfaces.

Kind Regards,