Multi VSYS, VRs and ARP tables?

Hello team,

I will be deploying a couple of 3250s in HA and multi VSYS, and VRs.

My main concern is whether we get separate ARP tables for each VSYS/VR. Let me give you some more background about what we will try to achieve:

We want to create 4 VSYS with their corresponding VRs, for example: VSYSa/VRa, VSYSb/VRb, VSYSc/VRc, VSYSd/VRd.

I'm planning to allocate a dedicated "Untrust" interface for each VSYS/VR.

The thing is that we are using the same Public IP Address range from the ISP, so all 4 VSYS/VRs will send traffic to the same Default Gateway/ISP Router. That's the reason why I would like someone to help me confirm whether the PAs in multi-vsys/vrs mode will keep separate ARP tables, just like traditional VRFs or Virtual Contexts on CISCO routers and ASA firewalls (apologies for the comparison). Otherwise the 4 VSYS/VRs would be in constant conflict by keeping a single ARP entry (if multiple ARP tables are not supported).

It would be nice if someone could share a screenshot with me of the ARP table behavior in multi vsys/vrs mode; documentation about this kind of setup will also be greatly appreciated. Below is a screenshot of what we are trying to achieve.

[Screenshot attached in the original post: clipboard_image_0.png]

Kind Regards,

Accepted Solutions

We run multiple vsys with a separate vr for each vsys. Each interface is assigned to a specific vr. We use a single ISP subnet and multiple vsys do use the same gateway.

When you look at arp information in the CLI, you can look at 'sh arp all' or 'sh arp <interface>'.  

'sh arp <interface>' is like 'sh arp vrf <vrf>' and it will only show entries specific to that interface. 'sh arp all' is like the Nexus command 'sh ip arp vrf all' and will display all entries.

If you look at either, you'll see the same entry for the gateway present on different interfaces. So there are different entries per vsys.

show arp ethernet1/1 | match .19
ethernet1/1 x.x.x.19 2c::::6f:00 ethernet1/1

show arp ethernet1/5 | match .19
ethernet1/5 x.x.x.19 2c::::6f:00 ethernet1/5

show arp all | match .19
ethernet1/1 x.x.x.19 2c::::6f:00 ethernet1/1 
ethernet1/5 x.x.x.19 2c::::6f:00 ethernet1/5 

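The accepted answer's point is that PAN-OS keys ARP entries by interface, so with one dedicated untrust interface per VSYS/VR the same ISP gateway IP shows up once per interface in 'show arp all', and on a healthy deployment every one of those entries carries the same gateway MAC. The script below is an added example (it is not from this thread or from Palo Alto Networks) that parses output shaped like the 'show arp' lines above and checks exactly that: each planned untrust interface has resolved the gateway, and no interface has learned a different MAC for it. The sample output, the interface-to-VSYS/VR mapping and the gateway address are constructed for illustration (RFC 5737 documentation addresses and locally administered MACs); the column layout is assumed to follow the interface / ip / hw address / port / status / ttl order of the CLI output.

```python
"""Check per-interface ARP entries for a shared ISP gateway (added example).

Not code from the thread or from Palo Alto Networks. The sample text and
the interface-to-VSYS/VR mapping below are constructed assumptions.
"""
import re
from collections import Counter

# Constructed sample shaped like the 'show arp' lines in the accepted answer
# (columns: interface, ip, MAC, port, status, ttl). 203.0.113.0/24 is RFC 5737
# documentation space and the MACs are locally administered, i.e. not real.
SAMPLE_ARP_OUTPUT = """\
interface       ip address      hw address         port          status  ttl
--------------------------------------------------------------------------------
ethernet1/1     203.0.113.19    02:00:5e:00:6f:00  ethernet1/1   c       1200
ethernet1/5     203.0.113.19    02:00:5e:00:6f:00  ethernet1/5   c       1150
ethernet1/9     203.0.113.19    02:00:5e:00:6f:00  ethernet1/9   c       1100
ethernet1/13    203.0.113.19    02:00:5e:00:de:ad  ethernet1/13  c       1050
ethernet1/5     203.0.113.40    02:00:5e:00:00:40  ethernet1/5   c       900
"""

# Assumed plan from the original post: one dedicated untrust interface per
# VSYS/VR. The interface names are placeholders, not a real deployment.
UNTRUST_INTERFACES = {
    "ethernet1/1": "VSYSa/VRa",
    "ethernet1/5": "VSYSb/VRb",
    "ethernet1/9": "VSYSc/VRc",
    "ethernet1/13": "VSYSd/VRd",
}

ARP_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<port>\S+)"
    r"(?:\s+(?P<status>[scei]))?(?:\s+(?P<ttl>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return one dict per ARP entry line; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["mac"] = entry["mac"].lower()
            entry["ttl"] = int(entry["ttl"]) if entry["ttl"] else None
            entries.append(entry)
    return entries


def gateway_entries(entries, gateway_ip):
    """Map each interface that has resolved gateway_ip to the MAC it learned."""
    return {e["iface"]: e["mac"] for e in entries if e["ip"] == gateway_ip}


def check_gateway(entries, gateway_ip, expected=UNTRUST_INTERFACES):
    """Verify every planned untrust interface has its own entry for the gateway.

    Returns a dict with:
      present   - interface -> (VSYS/VR label, learned MAC)
      missing   - expected interfaces with no gateway entry yet
      conflicts - interfaces whose learned MAC differs from the MAC most
                  interfaces agree on; worth investigating (misconfiguration,
                  a second device answering, or spoofing on that segment)
    """
    seen = gateway_entries(entries, gateway_ip)
    present = {i: (expected[i], seen[i]) for i in expected if i in seen}
    missing = [i for i in expected if i not in seen]
    conflicts = []
    if present:
        majority_mac = Counter(mac for _, mac in present.values()).most_common(1)[0][0]
        conflicts = [i for i, (_, mac) in present.items() if mac != majority_mac]
    return {"present": present, "missing": missing, "conflicts": conflicts}


if __name__ == "__main__":
    result = check_gateway(parse_arp_table(SAMPLE_ARP_OUTPUT), "203.0.113.19")
    for iface, (label, mac) in result["present"].items():
        print(f"{label:10} {iface:13} gateway MAC {mac}")
    print("missing:", result["missing"])
    print("conflicts:", result["conflicts"])
```

On the constructed sample, three interfaces agree on the gateway MAC and ethernet1/13 is reported as a conflict, which is the kind of discrepancy the per-interface view makes visible and the single-table mental model would hide. In practice the text would come from 'show arp all' collected over the management interface or an API call, and the mapping would be generated from the interface-to-VR configuration rather than hard-coded.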

6 REPLIES

This will be interesting to learn myself.

We have a couple of firewalls with two VSYS, and with the "show arp all" command the ARP table does not have any distinction for VSYS, only interfaces. Thinking about it, the ARP table is showing layer 2 information, tied to interfaces, so I am not sure it would matter if there were separate tables.

Bruce.

Learn at least one new thing every day.

Thanks for your feedback Bruce,

Are you also running multiple VRs? And how are you providing Internet access to both of your current VSYS? Are you using the same ISP subnet, which would mean that you have an ARP entry for VSYSA and another ARP entry for VSYSB?

Kind Regards,

This is awesome feedback Rmfalconer,

Now I know that my approach will work with no issues. Thanks for confirming that we should be able to see the same entry for ISP gateway on different interfaces.

Kind Regards,

Just to add to this - 

Different vRouters on the same vSYS will also have independent ARP tables (analogous to Cisco VRF or Juniper vRouters).

Awesome Jeremy,

Thanks for your feedback, just as expected, even though the CLI output does not explicitly state that. However, we can figure this out when we see multiple entries for the same ISP Gateway through different interfaces.

Kind Regards,

  • 1 accepted solution
  • 6680 Views
  • 6 replies
  • 0 Likes