Leaking route from vrf default to vrf X

Hey, all
Can you advise how I can configure route leaking from the default vrf to some vrf X? I have a dummy interface in vrf X and I want to access it from the default vrf. I did
ip route 10.0.0.0/32 X nexthop-vrf X in vtysh
Now I can ping 10.0.0.0 in vrf X from vrf default. But a TCP connect from vrf default to 10.0.0.0 results in an RST received from 10.0.0.0. The TCP service in vrf X is definitely working, as I can do wget from it using, for example:
ip vrf exec X wget -O - http://10.0.0.0/ ...

You need to leak routes both ways.
According to what you wrote, you only apply leaking in one direction. You may need to add the leaking in the opposite direction.

Yes, I thought this might be a reason. I built a test VyOS setup this way:

set interfaces dummy dum0 address '10.0.0.200/32'
set interfaces dummy dum1000 address '10.0.0.1/32'
set interfaces dummy dum1000 vrf 'test'
set protocols static route 10.0.0.1/32 interface dum1000 vrf 'test'
set vrf bind-to-all
set vrf name test protocols static route 10.0.0.200/32 interface dum0 vrf 'default'
set vrf name test table '1000'

There’s no ping from 10.0.0.1 to 10.0.0.200.

vyos@vyos:~$ ping 10.0.0.1 source-address 10.0.0.200 count 3
PING 10.0.0.1 (10.0.0.1) from 10.0.0.200 : 56(84) bytes of data.

--- 10.0.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2048ms

vyos@vyos:~$ show ip route vrf test
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF test:
C>* 10.0.0.1/32 is directly connected, dum1000, 1d06h00m
S>* 10.0.0.200/32 [1/0] is directly connected, dum0 (vrf default), weight 1, 1d05h57m
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

S>* 0.0.0.0/0 [1/0] via 10.39.250.1, eth0, weight 1, 1d06h04m
S>* 10.0.0.1/32 [1/0] is directly connected, dum1000 (vrf test), weight 1, 1d05h57m
C>* 10.0.0.200/32 is directly connected, dum0, 1d06h00m
C>* 10.39.250.0/24 is directly connected, eth0, 1d06h04m
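
The "leak in both directions" advice can be checked from the route tables themselves. The following is an added example, not part of any post in this thread: it parses `show ip route` output in the format pasted above and lists leaks that have no leak in the return direction. The function names and the `SAMPLE` tables (constructed from the pasted output, legend lines omitted) are assumptions of the example.

```python
import re

# Constructed from the two "show ip route" outputs pasted above (legend omitted).
SAMPLE = {
    "default": """\
S>* 0.0.0.0/0 [1/0] via 10.39.250.1, eth0, weight 1, 1d06h04m
S>* 10.0.0.1/32 [1/0] is directly connected, dum1000 (vrf test), weight 1, 1d05h57m
C>* 10.0.0.200/32 is directly connected, dum0, 1d06h00m
C>* 10.39.250.0/24 is directly connected, eth0, 1d06h04m
""",
    "test": """\
C>* 10.0.0.1/32 is directly connected, dum1000, 1d06h00m
S>* 10.0.0.200/32 [1/0] is directly connected, dum0 (vrf default), weight 1, 1d05h57m
""",
}

# <code><flags> <prefix> ... , <ifname> [(vrf <name>)]
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z])(?P<flags>[>*qrbto]*)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+).*?,\s*"
    r"(?P<ifname>[\w.\-]+)(?:\s+\(vrf (?P<nh_vrf>[^)]+)\))?"
)

def parse_routes(text):
    """Return (prefix, ifname, nexthop_vrf) for every route installed in the FIB."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m and "*" in m["flags"]:  # '*' marks a FIB route in the legend
            routes.append((m["prefix"], m["ifname"], m["nh_vrf"]))
    return routes

def leaks(tables):
    """Map (from_vrf, to_vrf) to the prefixes whose next hop sits in another VRF."""
    found = {}
    for vrf, text in tables.items():
        for prefix, _ifname, nh_vrf in parse_routes(text):
            if nh_vrf and nh_vrf != vrf:
                found.setdefault((vrf, nh_vrf), []).append(prefix)
    return found

def one_way_leaks(tables):
    """Leak directions that have no leak configured in the return direction."""
    found = leaks(tables)
    return sorted(pair for pair in found if (pair[1], pair[0]) not in found)

if __name__ == "__main__":
    print(leaks(SAMPLE))
    print("one-way:", one_way_leaks(SAMPLE))
```

On the tables pasted above it reports no one-way leaks: both leaked routes are installed, yet the ping still fails.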

This route leaking doesn’t allow it to ping itself; however, it should be possible to reach a host behind an interface. I don’t know what the idea of this is; maybe you can use another technique for leaking tables/VRFs.

https://docs.vyos.io/en/sagitta/configuration/interfaces/virtual-ethernet.html#example

Hmm. The idea initially was to make a web service, running within vrf X, accessible to telegraf, running within vrf default. It’s not about VyOS actually, but I thought it’s a good place to ask as it is based on FRR, which I was playing with. Will check the veth option then. Thanks, Fernando.
