Customer segregation in VRR

  • 6 March 2020
  • 1 reply

I am taking over a network from a previous admin that was not wisely utilizing our IP blocks for our fiber ISP clients.  Currently, each client is getting their own either /30 or /29 block, and then he was using VRR to create a gateway for each subnet.  So for each fiber client we’re burning either 4 or 8 IP addresses.  1 for broadcast, 1 for gateway, and then either 2 left over or 6 depending on the CIDR.


These clients connect to us via an NNI, and we’re upstream, we’re not last mile.  The L2 connection the local fiber network hands off to us is how they get to our network for connectivity.


I would like to create a single VRR for ISP customers so that we have 1 gateway IP on a /24 and I can assign 1 or more IP addresses to the customer as needed. This is somewhat standard practice in most telecom situations, but I'm not sure how to properly separate out each customer on the VRR so that it’s truly separate networks vs. just grabbing an IP from a big subnet.

1 reply


It sounds like you’re looking for some kind of Private VLAN configuration where individual hosts can communicate with the gateway but not each other. Cumulus doesn’t support private VLANs today, but you can replicate that with ACLs applied per port; that’s really a solution that doesn’t scale past a single switch in my opinion unless you’re using automation to render and deliver the configuration.

We have a really nice DHCP configuration that we’ve built to hand out IPs based on ifname, so whoever is plugged into swp1 will always get a specific IP, etc., but all this is in the context of a single L2 segment.

Personally I would just do everything with L3 and give each customer one half of a /31 and then route over those links. You could even have it set up to hand out the /31 IP with DHCP too if you wanted.
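The L3-only design in the reply above, worked through as an added example (this is not code from the thread or from Cumulus): a small Python renderer that carves a link pool into /31 point-to-point links, one per customer-facing port, and emits ifupdown2-style interface stanzas plus FRR-style static routes for whatever prefixes are routed to each customer. It also quantifies the address burn of the current /30 and /29 per-customer scheme against /31 links. The port names, customer labels, the 10.255.0.0/24 link pool and the 203.0.113.0/24 customer prefixes are constructed sample values, and the stanza and route syntax is assumed to match what ifupdown2 and FRR accept; rendering it from a customer list is the "automation" the reply says per-customer configuration needs in order to scale.

```python
"""Render per-customer /31 links (ifupdown2 / FRR style). Added example with
assumed config formats; nothing here is the thread's or Cumulus's own code."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample input: NNI port -> (customer label, prefixes routed to that customer).
CUSTOMERS: Dict[str, Tuple[str, List[str]]] = {
    "swp1": ("cust-a", ["203.0.113.0/29"]),
    "swp2": ("cust-b", ["203.0.113.8/30", "203.0.113.12/30"]),
    "swp3": ("cust-c", []),          # link only, nothing routed to it yet
}
LINK_POOL = "10.255.0.0/24"          # constructed: one block carved into /31 links


def addresses_burned(prefixlen: int, customers: int) -> int:
    """Addresses consumed when every customer gets one block of this length.
    The whole block counts: network, gateway/VRR, broadcast and leftovers."""
    return customers * 2 ** (32 - prefixlen)


def port_order(ifnames) -> List[str]:
    """Sort swpN names numerically (swp2 before swp10) so allocation is stable."""
    return sorted(ifnames, key=lambda n: (len(n), n))


def allocate_p2p(link_pool: str, ifnames: List[str]) -> Dict[str, ipaddress.IPv4Network]:
    """Hand out one /31 per port, in port order, failing loudly when the pool runs out."""
    pool = ipaddress.ip_network(link_pool)
    links = pool.subnets(new_prefix=31)          # a /24 yields 128 of them
    assigned: Dict[str, ipaddress.IPv4Network] = {}
    for ifname in ifnames:
        link = next(links, None)
        if link is None:
            raise ValueError(f"{link_pool} exhausted after {len(assigned)} /31 links")
        assigned[ifname] = link
    return assigned


def render_interfaces(link_pool: str, customers) -> str:
    """ifupdown2-style stanzas: our side of each /31 sits on the customer-facing port."""
    ports = port_order(customers)
    links = allocate_p2p(link_pool, ports)
    out: List[str] = []
    for ifname in ports:
        label, _prefixes = customers[ifname]
        ours, _theirs = list(links[ifname])      # a /31 has exactly two addresses
        out += [f"auto {ifname}", f"iface {ifname}",
                f"    alias {label}", f"    address {ours}/31", ""]
    return "\n".join(out)


def render_static_routes(link_pool: str, customers) -> str:
    """FRR-style statics: each customer prefix is reached via the far end of its /31."""
    ports = port_order(customers)
    links = allocate_p2p(link_pool, ports)
    pool = ipaddress.ip_network(link_pool)
    out: List[str] = []
    for ifname in ports:
        _label, prefixes = customers[ifname]
        _ours, theirs = list(links[ifname])
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if net.overlaps(pool):               # never route part of the link pool away
                raise ValueError(f"{net} overlaps link pool {pool}")
            out.append(f"ip route {net} {theirs}")
    return "\n".join(out)


if __name__ == "__main__":
    n = len(CUSTOMERS)
    for plen in (29, 30, 31):
        print(f"/{plen} per customer: {addresses_burned(plen, n)} addresses for {n} customers")
    print(render_interfaces(LINK_POOL, CUSTOMERS))
    print(render_static_routes(LINK_POOL, CUSTOMERS))
```

Running it prints the burn comparison (24, 12 and 6 addresses for the three sample customers), three interface stanzas and three static routes. The far side of each /31 (the customer's address) is the next hop for everything routed to that customer, which is what keeps customers in separate L3 domains without any per-port ACL.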