Guidelines and Limitations for Virtual Routers
Firewall Mode Guidelines
Virtual routers are supported on routed firewall mode only.
Interface Guidelines
-
You can assign an interface to only one virtual router.
-
A virtual router can have any number of interfaces that are assigned to it.
-
You can assign only routed interfaces with logical names and VTIs to a user-defined virtual router.
-
If you want to change a virtual router interface to a non-routed mode, remove the interface from the virtual router, and then change its mode.
-
You can assign an interface to a virtual router, either from a global virtual router or from another user-defined virtual router.
-
The following interfaces cannot be assigned to an user-defined virtual router:
-
Members of EtherChannel.
-
Members of Redundant interfaces.
-
Members of BVI.
-
-
VTI is a route-based VPN. So, when the tunnel is established, the traffic that uses VTI for encryption must be controlled through routing. Static routing, as well as dynamic routing with BGP, OSPFv2/v3, or EIGRP is supported.
-
You cannot use interfaces that belong to user-defined virtual routers in policy-based site-to-site or remote access VPNs.
-
A dynamic VTI and its corresponding protected network interface must be part of the same virtual router.
-
You must map the borrow IP interface and the dynamic VTI to the same virtual router.
-
User-defined virtual routers support only BGPv4/v6 and OSPFv2 routing protocols.
-
A tunnel source interface can be in a different user-defined virtual router than that associated with the dynamic VTI.
-
If a route using the interface that is being moved or its virtual router is deleted, exist in source or destination virtual router table, remove the routes before the interface movement or virtual router deletion.
-
As separate routing tables are maintained for each virtual router, when an interface is moved from one virtual router to another virtual router, be it global or user-defined, the system removes the IP address configured on the interface temporarily. All existing connections on the interface are terminated. Thus, moving interfaces between virtual routers have drastic effect on the network traffic. Hence take precautionary measures before you move interfaces.
Global Virtual Router Guidelines
-
The interfaces which are named and not part of other virtual routers, are part of the global virtual router.
-
You cannot remove routed interfaces from global virtual router.
-
You cannot modify global virtual router.
-
Generally, after configuring interfaces, if you un-register and register back to same or another management center, interface configuration is imported back from device. With virtual router support, there is a restriction—the IP address for only global virtual router interfaces is retained.
Clustering Guidelines
-
When the control unit link fails due to failure of its interfaces, the unit removes all leaked routes of its interfaces from the global routing table and propagates the inactive connected and static routes to other units of the cluster. This results in removal of those leaked routes from the routing table in other units. These removal takes place prior to another unit becoming a new control unit, which takes approximately 500 ms. When another unit becomes the new control unit, these routes are learned and added back to the routing tables through BGP convergence. Thus, till the convergence time, approximately one minute, the leaked routes are not available for the routing events to take place.
-
When a control role change occurs in a cluster, the leaked routes learnt through BGP is updated with the best ECMP path. However, the non-best ECMP path is removed from the cluster routing table only after the BGP reconvergence timer elapses, that is 210 seconds. Thus, till the BGP reconvergence timer elapse, the old, non-best ECMP path persist as preferred route for routing events.
Additional Guidelines
-
While configuring BGP for virtual routers, you can redistribute the routes belonging to different protocols within the same virtual routers. For example, OSPF VR2 routes cannot be imported into BGP VR1. You can only redistribute OSPF VR2 into BGP VR2, and then configure a route leak between BGP VR2 and BGP VR1.
-
You cannot use IPv6 ACL for filtering the routes in the route map. Only prefix list is supported.
-
Security Intelligence Policy—The Security Intelligence policy is not virtual-router-aware. If you add an IP address, URL, or DNS name to the block list, it is blocked for all virtual routers. This limitation is applicable on the interface having security zones.
-
NAT Rules—Do not mix interfaces in NAT rules. In virtual routing, if the specified source and destination interface objects (interface groups or security zones) have interfaces that belong to different virtual routers, the NAT rule diverts traffic from one virtual router through another virtual router. The NAT does the route lookup in the virtual router table for the inbound interface only. If necessary, define static routes in the source virtual router for the destination interface. If you leave the interface as any, the rule applies to all interfaces regardless of virtual router membership.
-
DHCP Relay—Interconnecting virtual routers for DHCP relay is not supported. For example, if DHCP relay client is enabled on VR1 interface and DHCP relay server is enabled on VR2 interface, the DHCP requests will not be forwarded outside of VR2 interface.
-
Recreating a deleted virtual router—When you recreate a virtual router that was deleted less than 10 seconds earlier, an error message appears stating that deletion of the virtual router is in progress. If you want to recreate a deleted virtual router successively, use a different name for the new virtual router.