VRF-aware config-management

Hello there,

is there the way to implement VRF-aware config-archive?

I tried to set source address for config-archive to address of interface in VRF but I’m getting the error:

[Errno 99] Cannot assign requested address
run-parts: /etc/commit/post-hooks.d/02vyos-commit-archive exited with return code 1

I’m using latest rolling version for now:

vyos@vyos:~$ show version 
Version:          VyOS 1.5-rolling-202404090019
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Tue 09 Apr 2024 02:26 UTC
Build UUID:       5bf1b1b0-2f07-4e59-9fe7-d5b2595b2584
Build commit ID:  f32d9fa78b8ccb

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:     
Hardware UUID:    9ca6408d-f557-493e-bd94-b89d2a70320d

Copyright:        VyOS maintainers and contributors

Thanks in advance!

1 Like

Could you share the full configuration , is difficult to understand what is going on .

Sure, here it goes (it’s lab environment but with some real IPs so I changed them):

interfaces {
    ethernet eth0 {
        address "192.168.1.170/24"
        description "--- BVPN ---"
        hw-id "50:00:00:07:00:00"
        vrf "BVPN"
    }
    ethernet eth1 {
        address "X.X.X.A/29"
        description "--- ID ---"
        hw-id "50:00:00:07:00:01"
    }
    ethernet eth2 {
        hw-id "50:00:00:07:00:02"
    }
    ethernet eth3 {
        hw-id "50:00:00:07:00:03"
    }
    loopback lo {
    }
    tunnel tun0 {
        address "10.200.200.17/30"
        encapsulation "gre"
        remote "X.X.X.B"
        source-interface "eth1"
        vrf "BVPN"
    }
}
nat {
    source {
        rule 100 {
            disable
            outbound-interface {
                name "eth0"
            }
            protocol "all"
            translation {
                address "masquerade"
            }
        }
    }
}
protocols {
    bgp {
        system-as "65077"
    }
    static {
        route 0.0.0.0/0 {
            next-hop X.X.X.Z {
            }
        }
    }
}
service {
    ntp {
        allow-client {
            address "0.0.0.0/0"
            address "::/0"
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    ssh {
        port "22"
    }
}
system {
    config-management {
        commit-archive {
            location "scp://test:test@192.168.1.196/VyTEST"
            source-address "192.168.1.170"
        }
        commit-revisions "100"
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed "115200"
        }
    }
    login {
        user vyos {
            authentication {
                encrypted-password "$6$rounds=656000$Eo5.XeHTeuRPhZrO$0vJRDPy5fl7OJrPoHsk5vmT8Pm0bJN/qWKZIT2sTw4nVAVUpRUH5udMWu1K71sTd57jOYMq2B1xgzRL7d7OKZ/"
                plaintext-password ""
            }
        }
    }
    syslog {
        global {
            facility all {
                level "info"
            }
            facility local7 {
                level "debug"
            }
        }
    }
}
vrf {
    bind-to-all
    name BVPN {
        protocols {
            bgp {
                address-family {
                    ipv4-unicast {
                        redistribute {
                            static
                        }
                    }
                }
                neighbor 10.200.200.18 {
                    address-family {
                        ipv4-unicast {
                            soft-reconfiguration {
                                inbound
                            }
                        }
                    }
                    remote-as "65005"
                }
                system-as "65077"
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 192.168.1.1 {
                    }
                }
            }
        }
        table "100"
    }
}

I do understand that I can make archive work using route leaking, but that’s not the best design IMO.