Suggested VyOS implementation similar to IOS XE VASI

Hi,

Is anyone doing anything similar to IOS XE’s VASI with VyOS?

Ref: Configure VRF-Aware Software Infrastructure NAT on Cisco IOS XE - Cisco

To replicate, is the best option with VyOS simply sub-interfaces between VRFs via different pNICs or vNICs?

Cheers,
Mick

So in short VRF-leaking with NAT/CGNAT between the VRF domains?

That is doing this internally in the box without wasting physical interfaces (which is otherwise the common workaround to achieve this)?

Or did I misunderstand the use case? :)

Note that VRF in VyOS is currently “VRF lite” where only the routing table is unique per VRF but everything else is still mixed (as if you have a single VRF). That is, it’s not as isolated as VRFs are on a Cisco/Arista/Juniper router.

To get full isolation (similar to “how others do this”) we need NETNS (network namespace) but that was recently removed from 1.4 and 1.5-rolling since it’s unfinished. Hopefully it will return in the future.

https://vyos.dev/T6295

Thanks for your reply, @Apachez

You’ve got it - that’s pretty much the use-case:

  • NAT/CGNAT between VRF domains (both host and subnet based)
  • Post NAT netflow on DST VRF
  • Post NAT strict unicast RPF on DST VRF
  • Simplification of route leaking between VRF domains in relation to multi destination be it VTI or ethernet based.

Thanks, I’ll have a look around vyos.dev and subscribe.
T3829 and T6295 (netns: disable incomplete support in VyOS 1.4 sagitta) look applicable to what you’ve described.

I think that it’s possible to do it with our current features, using vrf route-link + nat or route leaking with virtual-ethernet + nat. Furthermore, it’s possible to configure VTI. Here are some links in our documentation with different techniques; try to play with them:

https://docs.vyos.io/en/latest/configuration/vrf/index.html

https://docs.vyos.io/en/latest/configexamples/inter-vrf-routing-vrf-lite.html

https://docs.vyos.io/en/latest/configuration/interfaces/virtual-ethernet.html#example
