You can specify CIDR blocks for a transit router. The CIDR blocks work in a similar way as the CIDR block of the loopback interface on a router. IP addresses within the CIDR blocks can be allocated to IPsec-VPN connections.
Background
When you create a VPN connection, the system allocates an address from the transit router CIDR block to the IPsec-VPN connection:
If you create a private VPN connection, an IP address that falls within the CIDR blocks of the transit router is allocated to the IPsec-VPN connection as the gateway IP address, which is used to connect to the on-premises network.
After you enable route learning between the private VPN connection and a route table of the transit router, the system automatically adds a blackhole route to the route table of the transit router that has a route learning correlation with the VPN connection. The destination CIDR block of the blackhole route is the CIDR block of the transit router from which the gateway IP address is allocated to the IPsec-VPN connection. The blackhole route is advertised only to the route table of the virtual border router (VBR) that is connected to the transit router.
Note: You can call the CreateTransitRouterCidr operation to view the value of the PublishCidrRoute parameter. The value indicates whether blackhole routes whose destination CIDR blocks are the CIDR blocks of a transit router can be added to the route tables of the transit router. For more information, see CreateTransitRouterCidr.
After you enable route learning between the private VPN connection and a route table of the transit router, the transit router automatically learns a route that points to the IPsec-VPN connection. The CIDR block of the route is the gateway IP address of the IPsec-VPN connection, and the next hop is the VPN connection.
This route is added only to the route table of the transit router that has a route learning correlation with the VPN connection.
If you create a public VPN connection:
In single-tunnel mode, the system allocates a public IP address from the Alibaba Cloud address pool to the IPsec-VPN connection, which is used to connect to the on-premises network. The system allocates an additional IP address from the transit router CIDR block to the IPsec-VPN connection for health checks of the IPsec-VPN connection. This does not impact your network.
In dual-tunnel mode, the system assigns two public IP addresses from the Alibaba Cloud address pool to the IPsec-VPN connection, with each tunnel using one public IP address. These public IP addresses enable connection to your on-premises network. Additionally, the system allocates two IP addresses from the transit router CIDR block to the IPsec-VPN connection for health checks. These two IP addresses do not affect your network.
Note: For more information about dual-tunnel mode, see Introduction to IPsec-VPN connections that are associated with transit routers in dual-tunnel mode.
For more information about the allocation rules, see Rules for allocating IP addresses.
Limits
Only Enterprise Edition transit routers support custom CIDR blocks.
Each transit router supports at most five CIDR blocks. The subnet mask of the CIDR block of a transit router must be 16 bits to 24 bits in length.
You cannot specify 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8, 169.254.0.0/16, or their subnets as the CIDR blocks of transit routers.
The CIDR blocks of each transit router cannot overlap with the CIDR blocks of the instances that need to communicate with each other by using the Cloud Enterprise Network (CEN) instance.
In the same CEN instance, each transit router CIDR block must be unique.
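The limits above can be checked before a CIDR block is submitted. The following validator is an added example, not Alibaba Cloud code, and encodes only the rules listed in this section: at most five blocks, a prefix length of 16 to 24 bits, no block inside 100.64.0.0/10, 224.0.0.0/4, 127.0.0.0/8 or 169.254.0.0/16, no overlap with the CIDR blocks of the network instances attached to the CEN instance, and no duplicate of a block already used by another transit router in the same CEN instance. The `instance_cidrs` and `other_transit_router_cidrs` inputs are assumed to come from your own inventory; the sample values in `main()` are constructed.

```python
import ipaddress
from typing import Iterable, List

# Ranges that may not be used, in whole or as a subnet, as a transit router CIDR block (from the Limits section).
FORBIDDEN_RANGES = [
    ipaddress.ip_network(c)
    for c in ("100.64.0.0/10", "224.0.0.0/4", "127.0.0.0/8", "169.254.0.0/16")
]
MAX_BLOCKS_PER_TRANSIT_ROUTER = 5
MIN_PREFIX_LEN, MAX_PREFIX_LEN = 16, 24


def validate_transit_router_cidrs(
    new_cidrs: Iterable[str],
    instance_cidrs: Iterable[str] = (),
    other_transit_router_cidrs: Iterable[str] = (),
) -> List[str]:
    """Return a list of limit violations (empty list means the blocks are acceptable).

    instance_cidrs: CIDR blocks of the VPCs/VBRs/etc. that communicate through the CEN instance.
    other_transit_router_cidrs: CIDR blocks already assigned to other transit routers in the CEN instance.
    """
    errors: List[str] = []
    try:
        # strict=True rejects host bits in the block (for example 10.0.0.1/24); assumed to be a configuration error.
        blocks = [ipaddress.ip_network(c, strict=True) for c in new_cidrs]
    except ValueError as exc:
        return [f"invalid CIDR block: {exc}"]

    if len(blocks) > MAX_BLOCKS_PER_TRANSIT_ROUTER:
        errors.append(f"too many blocks: {len(blocks)} > {MAX_BLOCKS_PER_TRANSIT_ROUTER}")
    if len(set(blocks)) != len(blocks):
        errors.append("duplicate blocks in the request")

    instance_nets = [ipaddress.ip_network(c) for c in instance_cidrs]
    other_nets = [ipaddress.ip_network(c) for c in other_transit_router_cidrs]

    for block in blocks:
        if not MIN_PREFIX_LEN <= block.prefixlen <= MAX_PREFIX_LEN:
            errors.append(f"{block}: prefix length must be {MIN_PREFIX_LEN} to {MAX_PREFIX_LEN} bits")
        # With a /16..../24 prefix, any overlap with a forbidden range means the block is that range or a subnet of it.
        for forbidden in FORBIDDEN_RANGES:
            if block.overlaps(forbidden):
                errors.append(f"{block}: forbidden, falls within {forbidden}")
        for net in instance_nets:
            if block.overlaps(net):
                errors.append(f"{block}: overlaps instance CIDR block {net}")
        # "Unique in the CEN instance" is read here as: no exact duplicate of another transit router's block.
        for net in other_nets:
            if block == net:
                errors.append(f"{block}: already used by another transit router in the CEN instance")
    return errors


def main() -> None:
    # Constructed sample inventory for illustration.
    vpc_blocks = ["172.16.0.0/12", "10.1.0.0/16"]
    existing_tr_blocks = ["192.168.0.0/20"]
    for candidate in (["10.0.0.0/24", "192.168.16.0/20"], ["169.254.0.0/16"], ["10.1.5.0/24"]):
        problems = validate_transit_router_cidrs(candidate, vpc_blocks, existing_tr_blocks)
        print(candidate, "OK" if not problems else problems)


if __name__ == "__main__":
    main()
```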
Rules for allocating IP addresses
The following section describes the rules for allocating IP addresses from the CIDR blocks of a transit router.
When the first VPN connection is created on the transit router, the system automatically reserves three CIDR blocks with a 28-bit subnet mask from the transit router CIDR block. IP addresses are allocated to IPsec-VPN connections from the remaining address space.
When the system allocates IP addresses to an IPsec-VPN connection, it first carves out a subnet with a 28-bit subnet mask. Four IP addresses in that subnet are reserved and never assigned. The remaining 12 IP addresses can be allocated to IPsec-VPN connections, one address per tunnel. After all 12 addresses are used, the system carves another subnet with a 28-bit mask from the remaining address range. Every 28-bit subnet has four reserved IP addresses that are not allocated.
Example
Assume that you specify 10.0.0.0/24 and 192.168.0.0/20 as the CIDR blocks of a transit router. 10.0.0.0/28, 10.0.0.16/28, and 10.0.0.32/28 are reserved by the system. The system carves a smaller CIDR block with a 28-bit subnet mask from the remaining address space to allocate IP addresses to IPsec-VPN connections. Assume that the smaller CIDR block is 10.0.0.48/28. The system reserves four IP addresses in 10.0.0.48/28, and the remaining 12 IP addresses can be allocated to IPsec-VPN connections. After all 12 IP addresses are allocated, the system carves another 28-bit CIDR block from the remaining address space and again reserves four IP addresses in it.
In this scenario:
Single-tunnel mode
In single-tunnel mode, one VPN connection contains one tunnel. Each tunnel occupies one IP address:
The maximum number of VPN connections that can be created on the 10.0.0.0/24 CIDR block: (2^8÷2^4-3)×(2^4-4)=156.
The maximum number of VPN connections that can be created on the 192.168.0.0/20 CIDR block: (2^12÷2^4)×(2^4-4)=3,072.
The maximum number of VPN connections that can be created on the transit router: 156+3,072=3,228.
Dual-tunnel mode
In dual-tunnel mode, one VPN connection contains two tunnels. Each tunnel occupies one IP address:
The maximum number of VPN connections that can be created on the 10.0.0.0/24 CIDR block: (2^8÷2^4-3)×(2^4-4)÷2=78.
The maximum number of VPN connections that can be created on the 192.168.0.0/20 CIDR block: (2^12÷2^4)×(2^4-4)÷2=1,536.
The maximum number of VPN connections that can be created on the transit router: 78+1,536=1,614.
A caret (^) indicates exponentiation. For example, 2^4=16.
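The arithmetic in the example generalises to any set of transit router CIDR blocks: each block of prefix length p yields 2^(28-p) subnets of 28 bits, three of those subnets are reserved once per transit router, and every remaining /28 contributes 16-4 = 12 tunnel addresses. The script below is an added example (not Alibaba Cloud code) that computes that capacity and also walks the address space the way the allocation rules describe. Two details are assumptions, because the page does not state them: the three reserved /28 subnets and the four reserved addresses in each /28 are taken to be the first ones in address order, and the reserved subnets are taken from the first block in the list, as in the page's own example.

```python
import ipaddress
from typing import Iterator, Sequence

SUBNET_PREFIX_LEN = 28          # the system carves 28-bit subnets out of each transit router CIDR block
RESERVED_SUBNETS = 3            # three /28s are reserved when the first VPN connection is created
RESERVED_PER_SUBNET = 4         # four addresses in every /28 are never allocated
ADDRESSES_PER_SUBNET = 2 ** (32 - SUBNET_PREFIX_LEN)   # 16


def allocatable_addresses(cidr: str, reserved_subnets: int = 0) -> Iterator[ipaddress.IPv4Address]:
    """Yield the addresses that can be handed to IPsec-VPN tunnels from one block, in allocation order.

    Assumption: the reserved /28s are the first `reserved_subnets` subnets of the block, and the four
    reserved addresses are the first four of each /28 (the page does not say which ones are reserved).
    """
    block = ipaddress.ip_network(cidr)
    if block.prefixlen > SUBNET_PREFIX_LEN:
        raise ValueError(f"{block} is smaller than a /{SUBNET_PREFIX_LEN}; no subnet can be carved from it")
    subnets = list(block.subnets(new_prefix=SUBNET_PREFIX_LEN))
    for subnet in subnets[reserved_subnets:]:
        addresses = list(subnet)                 # all 16 addresses of the /28
        yield from addresses[RESERVED_PER_SUBNET:]


def max_connections(cidrs: Sequence[str], tunnels_per_connection: int) -> int:
    """Page formula per block: (2^(28-p) - reserved) x (2^4 - 4) / tunnels, summed over the blocks.

    tunnels_per_connection is 1 for single-tunnel mode and 2 for dual-tunnel mode.
    Assumption: the three reserved /28s come out of the first block in `cidrs`, as in the page's example.
    """
    total = 0
    for index, cidr in enumerate(cidrs):
        block = ipaddress.ip_network(cidr)
        subnet_count = 2 ** (SUBNET_PREFIX_LEN - block.prefixlen)
        reserved = RESERVED_SUBNETS if index == 0 else 0
        usable_addresses = (subnet_count - reserved) * (ADDRESSES_PER_SUBNET - RESERVED_PER_SUBNET)
        total += usable_addresses // tunnels_per_connection
    return total


def main() -> None:
    blocks = ["10.0.0.0/24", "192.168.0.0/20"]         # the blocks from the page's example
    print("single-tunnel capacity:", max_connections(blocks, 1))   # 3228
    print("dual-tunnel capacity:  ", max_connections(blocks, 2))   # 1614
    first = list(allocatable_addresses(blocks[0], RESERVED_SUBNETS))
    print("first allocatable address in", blocks[0], "is", first[0], "of", len(first))


if __name__ == "__main__":
    main()
```

Running the script reproduces the figures in the example: 156 and 3,072 connections per block (78 and 1,536 in dual-tunnel mode), 3,228 and 1,614 in total, and the first allocatable address of 10.0.0.0/24 falls in 10.0.0.48/28, the first subnet after the three reserved ones.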
After you create a VPN connection, you can view the details of the reserved CIDR blocks and the IP addresses that are allocated to IPsec-VPN connections on the Address Details tab of the transit router CIDR block. For more information, see View allocated CIDR blocks.
Add a CIDR block to a transit router
You can add a CIDR block when you create a transit router, or after a transit router is created.
Add a CIDR block when creating a transit router
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Go to the tab and click Create Transit Router.
In the Create Transit Router dialog box, configure the parameters based on the following table, and then click Confirm:
Region: Select the region in which you want to create the transit router.
Edition: The edition of the transit router. The system displays the transit router edition that is supported in the selected region.
Enable Multicast: Specify whether to enable the multicast feature. Multicast is disabled by default.
Note: Multicast is supported by Enterprise Edition transit routers in some regions. For more information, see Multicast overview.
Name: Enter a name for the transit router.
Description: Enter a description for the transit router.
Tag: Add tags to the transit router.
Tag Key: The tag key can be up to 64 characters in length. It cannot be an empty string, cannot start with acs: or aliyun, and cannot contain http:// or https://.
Tag Value: The tag value can be an empty string with a maximum length of 128 characters. It cannot start with acs: or aliyun, and cannot contain http:// or https://.
You can add one or multiple tags to a transit router. For more information about tags, see Tag.
Transit Router CIDR: Enter the CIDR block of the transit router. If you want to enter multiple CIDR blocks, click Add below the field.
Add a CIDR block after a transit router is created
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Go to the tab and click the ID of the transit router that you want to manage.
On the transit router instance page, click the Basic Information tab. On the right side of Transit Router CIDR, click Edit.
In the Modify Transit Router CIDR dialog box, enter the CIDR block, and then click OK.
If you want to add multiple CIDR blocks, click Add below the field.
In the Results dialog box, click OK.
View allocated CIDR blocks
After you add a CIDR block to a transit router, the system allocates IP addresses from the transit router CIDR block to IPsec-VPN connections when you create a VPN attachment. You can view the details about the allocated CIDR blocks on the Basic Information tab of the transit router.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Go to the tab and click the ID of the transit router that you want to manage.
On the transit router instance page, click the Basic Information tab. On the right side of Transit Router CIDR, click Address Details.
On the Address Details panel, view the details about the allocated CIDR blocks of the transit router.
Modify the CIDR blocks
The CIDR blocks from which IP addresses are already allocated to network connections cannot be modified.
If you want to modify such a CIDR block, you must delete the VPN connections that occupy the IP addresses. For more information, see Delete network instance connections.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Go to the tab and click the ID of the transit router that you want to manage.
On the transit router instance page, click the Basic Information tab. On the right side of Transit Router CIDR, click Edit.
In the Modify Transit Router CIDR dialog box, modify the CIDR block of the transit router, and then click OK.
You can perform the following operations on the CIDR block of the transit router:
Add a CIDR block: Click Add below the field to add more CIDR blocks.
Modify a CIDR block: Modify the current CIDR block.
Delete a CIDR block: Click the icon on the right side of the field.
In the Results dialog box, review the CIDR blocks, and then click OK.
Delete a CIDR block
CIDR blocks from which IP addresses are already allocated to network connections cannot be deleted.
If you want to delete such a CIDR block, you must delete the VPN connections that occupy the IP addresses. For more information, see Delete network instance connections.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
Go to the tab and click the ID of the transit router that you want to manage.
On the transit router instance page, click the Basic Information tab. On the right side of Transit Router CIDR, click Edit.
In the Modify Transit Router CIDR dialog box, click the icon on the right side of the target CIDR block, and then click OK.
If no icon is displayed, click Add below the field. Then, the icon will be displayed.
In the Results dialog box, review the CIDR blocks, and then click OK.
References
CreateTransitRouterCidr: Create a CIDR block for a transit router.
ModifyTransitRouterCidr: Modify the CIDR block of a transit router.
DeleteTransitRouterCidr: Delete a CIDR block.
ListTransitRouterCidr: Query the CIDR blocks that are added to a transit router.
ListTransitRouterCidrAllocation: Query the details about the allocated CIDR blocks of a transit router.