VRF: default route leaking

Hello,

I am trying to configure vrf in a very simple topology: eth0 is the wan interface in the default vrf and eth2 is in the pippo vrf. My goal is to leak the wan default route to the pippo vrf. Here is the configuration:

 interfaces {
     ethernet eth0 {
         address dhcp
     }
     ethernet eth2 {
         address 10.0.0.1/24
         vrf pippo
     }
 }
 nat {
     source {
         rule 10 {
             outbound-interface {
                 name eth0
             }
             translation {
                 address masquerade
             }
         }
     }
 }
 protocols {
     static {
         route 10.0.0.0/24 {
             interface eth2 {
                 vrf pippo
             }
         }
     }
 }
 vrf {
     name pippo {
         protocols {
             static {
                 route 0.0.0.0/0 {
                     next-hop 192.168.154.2 {
                         interface eth0
                         vrf default
                     }
                 }
                 route 192.168.154.0/24 {
                     interface eth0 {
                         vrf default
                     }
                 }
             }
         }
         table 1000
     }
 }

Here are the generated routing tables:

vyos@vyos:~$ show ip route vrf all
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF default:
S>* 0.0.0.0/0 [210/0] via 192.168.154.2, eth0, weight 1, 00:14:00
S>* 10.0.0.0/24 [1/0] is directly connected, eth2 (vrf pippo), weight 1, 01:31:56
C>* 192.168.154.0/24 is directly connected, eth0, 00:14:00

VRF pippo:
S>* 0.0.0.0/0 [1/0] via 192.168.154.2, eth0 (vrf default), weight 1, 00:14:00
C>* 10.0.0.0/24 is directly connected, eth2, 01:31:56
S>* 192.168.154.0/24 [1/0] is directly connected, eth0 (vrf default), weight 1, 00:14:01

And here is the information about the interfaces:

vyos@vyos:~$ show  interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address          MAC                VRF        MTU  S/L    Description
-----------  ------------------  -----------------  -------  -----  -----  -------------
eth0         192.168.154.128/24  xx:xx:xx:xx:xx:xx  default   1500  u/u
eth2         10.0.0.1/24         xx:xx:xx:xx:xx:xx  pippo     1500  u/u
lo           127.0.0.1/8         00:00:00:00:00:00  default  65536  u/u
             ::1/128

I can ping the internet from the default vrf, while I cannot from the pippo vrf:

vyos@vyos:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=128 time=13.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=128 time=14.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=128 time=13.7 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=128 time=13.7 ms
vyos@vyos:~$ ping 8.8.8.8 vrf pippo
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

Do you see anything wrong or missing in my configuration?
How can I debug this problem?

I forgot to report the VyOS version I am using: 1.5-rolling-202401030023.

I have solved the issue using a pair of virtual ethernet interfaces to connect the two VRFs.

Here is the config:

 interfaces {
     ethernet eth0 {
         address dhcp
     }
     ethernet eth2 {
         address 10.0.0.1/24
         vrf pippo
     }
     virtual-ethernet veth0 {
         address 10.1.1.0/31
         peer-name veth2
     }
     virtual-ethernet veth2 {
         address 10.1.1.1/31
         peer-name veth0
         vrf pippo
     }
 }
 vrf {
     name pippo {
         protocols {
             static {
                 route 0.0.0.0/0 {
                     next-hop 10.1.1.0 {
                         interface veth2
                     }
                 }
             }
         }
         table 1000
     }
 }

veth0 resides in the default vrf, while its peer, veth2, resides in the pippo vrf.
Then veth2 is used in the pippo vrf to define the default route.

Here are the routing tables:

VRF default:
S>* 0.0.0.0/0 [210/0] via 192.168.154.2, eth0, weight 1, 00:40:35
C>* 10.1.1.0/31 is directly connected, veth0, 00:15:54
C>* 192.168.154.0/24 is directly connected, eth0, 00:40:35

VRF pippo:
S>* 0.0.0.0/0 [1/0] via 10.1.1.0, veth2, weight 1, 00:09:15
C>* 10.0.0.0/24 is directly connected, eth2, 00:44:58
C>* 10.1.1.0/31 is directly connected, veth2, 00:15:54

Hi @giuppo77,

Thank you for sharing your solution! Your contribution to resolving the issue is greatly appreciated, and your solution will undoubtedly help others facing similar challenges.

Aloha.
Interesting solution.
Is this a requirement on VyOS to leak routes between 2 VRFs?
The first solution with static routes looks correct to me, and the control plane / routing tables also look correct.
Thanks
Marcel

Thanks to you! I am far from being an expert in the field, but I am glad to contribute and help when I can.

Yes, the documentation says that route leaking in vrf is supported.

And indeed, at least in my case, route leaking works for sub-nets but not for the default route. I do not have any explanation for that.

I just had the same issue!

I created a VRF “LAN” and assigned an interface to it:

    vif 201 {
        address X.X.X.2/24
        vrf LAN
    }

Created an interface route on the default VRF pointing to the “LAN” VRF:

    interface-route X.X.X.0/24 {
        next-hop-interface bond0.201 {
            next-hop-vrf LAN
        }
    }

It did work as expected, as it created the correct route and did in fact route these packets to the “LAN” VRF:

    aldemaro@sp1-r001-staging:~$ show ip route X.X.X.0/24
    Routing entry for X.X.X.0/24
    Known via "static", distance 1, metric 0, best
    Last update 00:42:08 ago

      * directly connected, bond0.201(vrf LAN), weight 1

Created a static route inside the VRF pointing the default route to the default vrf:

    vrf LAN {
        static {
            interface-route 0.0.0.0/0 {
                next-hop-interface bond0 {
                    next-hop-vrf default
                }
            }
        }
    }

This generated the correct route, but it did not route packets at all between the VLANs:

    aldemaro@sp1-r001-staging:~$ show ip route vrf LAN
    Codes: K - kernel route, C - connected, S - static, R - RIP,
           O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
           T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
           F - PBR, f - OpenFabric,
           > - selected route, * - FIB route, q - queued, r - rejected, b - backup

    VRF LAN:
    S>* 0.0.0.0/0 [1/0] is directly connected, bond0 (vrf default), weight 1, 00:10:17
    C>* X.X.X.0/24 is directly connected, bond0.201, 00:45:02

It seems like that kind of configuration is valid, but it did not work.
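
Added example, not part of any post in this thread: cross-VRF static routes like the ones shown above are intentional openings in VRF isolation, so it is useful to enumerate them when reviewing a router. The Python below parses `show ip route vrf all` output (sample copied from the first post) and lists every route whose egress interface is annotated with a different VRF; the name `find_leaks` is made up for this example.

```python
import re

# Sample: routing tables copied from the first post (legend omitted).
SAMPLE = """\
VRF default:
S>* 0.0.0.0/0 [210/0] via 192.168.154.2, eth0, weight 1, 00:14:00
S>* 10.0.0.0/24 [1/0] is directly connected, eth2 (vrf pippo), weight 1, 01:31:56
C>* 192.168.154.0/24 is directly connected, eth0, 00:14:00

VRF pippo:
S>* 0.0.0.0/0 [1/0] via 192.168.154.2, eth0 (vrf default), weight 1, 00:14:00
C>* 10.0.0.0/24 is directly connected, eth2, 01:31:56
S>* 192.168.154.0/24 [1/0] is directly connected, eth0 (vrf default), weight 1, 00:14:01
"""

VRF_HEADER = re.compile(r"^VRF (\S+):\s*$")
# Route line: one-letter code plus flags, an IPv4 prefix, then the next-hop text.
ROUTE = re.compile(r"^[A-Za-z]\S*\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<rest>.*)$")
# Egress interface annotated with a VRF, e.g. "eth0 (vrf default)".
LEAK = re.compile(r"(?P<ifname>[\w.\-]+)\s*\(vrf (?P<vrf>[^)]+)\)")


def find_leaks(text):
    """Return one dict per route whose egress interface lives in another VRF."""
    leaks, current = [], None
    for line in text.splitlines():
        header = VRF_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        route = ROUTE.match(line)
        if not route or current is None:
            continue  # legend, blank lines, output outside a "VRF x:" section
        target = LEAK.search(route.group("rest"))
        if target and target.group("vrf") != current:
            leaks.append({
                "from_vrf": current,
                "to_vrf": target.group("vrf"),
                "prefix": route.group("prefix"),
                "interface": target.group("ifname"),
                "is_default": route.group("prefix") == "0.0.0.0/0",
            })
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        tag = "  [default route]" if leak["is_default"] else ""
        print(f'{leak["from_vrf"]} -> {leak["to_vrf"]}: {leak["prefix"]} via {leak["interface"]}{tag}')
```

Run against the veth workaround's tables earlier in the thread, it reports nothing, because a veth pair appears as an ordinary connected interface in each VRF; that path between VRFs has to be found from the interface configuration instead.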