It is very common to isolate some special services into virtual private networks of some kind and provide only limited connectivity to these services from the outer world. Can this be done on a single box? Not without tricks 😉 .

Let’s face the following scenario. Autonomous systems A (blue on the right) and B (green on the left) decide to share services via a dedicated high-speed/low-latency/super-duper link (see the green link in the picture below). They form a “servers VPN” which guarantees superb connectivity between servers A and B. But what if the big green link fails? In that case, a backup path is provided via the ordinary best-effort internet.

Besides, other clients from the internet as well as local clients in A must reach servers A as well. No traffic other than the traffic between servers A and B should use the green link. These possibilities are depicted below:

We want to achieve:

  • only servers A – servers B use the green path
  • no other traffic can follow the green path
  • servers A – servers B use dashed backup path via internet in case the green path fails
  • servers A communicate with all other clients via blue paths and internet

No problem, you’d say – just put another router (router D) in front of the servers A and connect it to router A with two links. Put the first one into a VRF together with the interface to the green link – this link will carry the VPN “servers A – servers B” traffic, and the second link will provide the connectivity to the internet via the global routing table on router A.


But there is a big problem – we haven’t got another router 😦 .

OK, then – how about a physical loop between two interfaces on router A? Put one into a VRF and connect it to the other one in the global routing table (GRT). Then, point the default route in the VRF to the GRT via this physical loopback and use the same link to route back from the GRT towards the servers A. Like this:


Well, no go! We haven’t got spare interfaces, or even if we had some, they’re too expensive to justify the cost of this “loopback hack” 😦 .

Looking into the “loopback hack”, it seems that something similar can be achieved with tunnels – an intuitive next step is to replace the wire with a tunnel. Let’s try to set up a GRE tunnel between two loopbacks, then put one side of the tunnel into the VRF and leave the other in the GRT. Then just fix the routing.


I must admit it sounds crazy to set up a tunnel within a single box just to route between GRT and VRF. But it does the job with no extra cost for additional routers and interfaces and, yes, it works (at least on Cisco Cat6500) and it works in hardware.
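What “fix the routing” has to achieve can be checked on paper before touching the box. The sketch below is an added example, not the author’s configuration: it models the VRF and the GRT as two routing tables joined by the tunnel and traces where a packet leaves the router. The prefixes and interface names are constructed, and it assumes the servers B route exists in the VRF only while the green link is up.

```python
import ipaddress

# Constructed documentation prefixes (assumptions, not taken from the post).
SERVERS_A = "198.51.100.0/24"
SERVERS_B = "203.0.113.0/24"
CLIENTS_A = "192.0.2.0/24"

def build_tables(green_up=True):
    """Return {table: [(prefix, action)]}; action is ('out', iface) or ('tunnel', table)."""
    vrf = [(SERVERS_A, ("out", "servers-A-lan")),
           ("0.0.0.0/0", ("tunnel", "GRT"))]            # VRF default points into the GRE tunnel
    if green_up:
        vrf.append((SERVERS_B, ("out", "green-link")))  # present only while the link is up
    grt = [(SERVERS_A, ("tunnel", "VRF")),              # way back to servers A through the tunnel
           (CLIENTS_A, ("out", "clients-A-lan")),
           ("0.0.0.0/0", ("out", "internet"))]
    return {"VRF": vrf, "GRT": grt}

def lookup(table, dst):
    """Longest-prefix match of dst within a single routing table."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), a) for p, a in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def forward(tables, ingress, dst):
    """Follow a packet from its ingress table; return (tables traversed, egress interface)."""
    path, table = [ingress], ingress
    for _ in range(4):  # hop guard: bouncing between the two tables is a design bug
        kind, target = lookup(tables[table], dst)
        if kind == "out":
            return path, target
        table = target
        path.append(table)
    raise RuntimeError("routing loop between VRF and GRT")

if __name__ == "__main__":
    up, down = build_tables(True), build_tables(False)
    print(forward(up, "VRF", "203.0.113.10"))    # servers A -> servers B, green link up
    print(forward(down, "VRF", "203.0.113.10"))  # same flow after the green link fails
    print(forward(up, "GRT", "203.0.113.10"))    # any other source -> servers B
    print(forward(up, "GRT", "198.51.100.5"))    # clients -> servers A
```

The isolation goal holds because the green link is reachable only from the VRF table, and the GRT sends nothing into the tunnel except traffic destined for servers A.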

Stay tuned for details in my next post.
