VRF Static Route Leaking

Hello,

I’ve been trying to get VRF route leaking via static routes to work for the past few days to no avail, even following 1:1 the provided documentation.
My goal is to leak a default route from the global table to a couple of VRFs, so that they can reach the internet.
I’m unable to even get 2 VRFs to talk to each other with a simple static route leak.

VRF A: 172.16.9.1/24 (eth0)
set vrf name A protocols static route 192.168.9.0/24 interface eth1 vrf B

VRF B: 192.168.9.1/24 (eth1)
set vrf name B protocols static route 172.16.9.0/24 interface eth0 vrf A

I try to ping each other from their respective interfaces:
ping 192.168.9.1 source-address 172.16.9.1 vrf A

PING 192.168.9.1 (192.168.9.1) from 172.16.9.1: 56(84) bytes of data.
(blank)

I’m on VyOS 1.4-rolling-202109250602

Is this a bug or something I am doing wrong? No firewalls are put in place, a mostly stock VyOS setup. Thanks

Given VRFs red and green, which use 192.168.1.0/24 and 192.168.2.0/24, and leaking a default route into the VRFs: the VRF prefixes are “exported” via OSPF to my border router (BR1).

cpo@BR1.wue3:~$ show ip route ospf | match 192.168
O>* 192.168.1.0/24 [110/20] via 172.18.201.10, eth0.201, weight 1, 00:05:36
O>* 192.168.2.0/24 [110/20] via 172.18.201.10, eth0.201, weight 1, 00:05:36

The router with the VRFs uses:

set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth1 vrf 'green'
set interfaces ethernet eth2 address '192.168.2.1/24'
set interfaces ethernet eth2 vrf 'red'
set protocols ospf redistribute static
set protocols static route 192.168.1.0/24 interface eth1 vrf 'green'
set protocols static route 192.168.2.0/24 interface eth2 vrf 'red'
set vrf name green protocols static route 0.0.0.0/0 next-hop 172.18.201.254 interface 'eth0.201'
set vrf name green protocols static route 0.0.0.0/0 next-hop 172.18.201.254 vrf 'default'
set vrf name green table '3000'
set vrf name red protocols static route 0.0.0.0/0 next-hop 172.18.201.254 interface 'eth0.201'
set vrf name red protocols static route 0.0.0.0/0 next-hop 172.18.201.254 vrf 'default'
set vrf name red table '2000'
cpo@LR1.wue3:~$ show ip route vrf red
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

VRF red:
S>* 0.0.0.0/0 [1/0] via 172.18.201.254, eth0.201 (vrf default), weight 1, 00:03:39
K * 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 1d08h24m
C>* 192.168.2.0/24 is directly connected, eth2, 00:06:31


cpo@LR1.wue3:~$ show ip route vrf green
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

VRF green:
S>* 0.0.0.0/0 [1/0] via 172.18.201.254, eth0.201 (vrf default), weight 1, 00:03:42
K * 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 1d08h24m
C>* 192.168.1.0/24 is directly connected, eth1, 00:06:34

Please note - due to a limitation in the VRF implementation in Linux, it seems that you cannot access the local IP address inside a VRF (192.168.1.1 or 192.168.2.1) by e.g. ICMP or any other fancy stuff. If you have more hosts connected inside that VRF, they will be reachable.
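
Added example, not part of the thread and not VyOS code: every leaked route is a deliberate opening in the isolation a VRF provides, so this Python audit reads `set` commands in the forms shown above and lists each static route that resolves in another VRF, flagging leaked default routes. The function name `find_leaks` and the restriction to these two route forms are assumptions.

```python
import ipaddress
import shlex

# Constructed sample input: "set" commands copied from the reply above.
SAMPLE = """\
set interfaces ethernet eth1 vrf 'green'
set protocols static route 192.168.1.0/24 interface eth1 vrf 'green'
set protocols static route 192.168.2.0/24 interface eth2 vrf 'red'
set vrf name green protocols static route 0.0.0.0/0 next-hop 172.18.201.254 interface 'eth0.201'
set vrf name green protocols static route 0.0.0.0/0 next-hop 172.18.201.254 vrf 'default'
set vrf name red protocols static route 0.0.0.0/0 next-hop 172.18.201.254 vrf 'default'
set vrf name red table '2000'
"""


def find_leaks(config):
    """List static routes whose next hop or interface lives in another VRF.

    Hypothetical helper: it only understands the two leak forms shown in this
    thread ("... interface IF vrf V" and "... next-hop NH vrf V").
    """
    leaks = []
    for line in config.splitlines():
        tok = shlex.split(line)          # also strips the quotes VyOS prints
        if tok[:1] != ["set"]:
            continue
        tok, table = tok[1:], "default"  # no "vrf name" prefix: global table
        if tok[:2] == ["vrf", "name"] and len(tok) > 3:
            table, tok = tok[2], tok[3:]
        if tok[:3] != ["protocols", "static", "route"] or len(tok) != 8:
            continue
        prefix, kind, via, keyword, target = tok[3:8]
        if kind not in ("next-hop", "interface") or keyword != "vrf" or target == table:
            continue
        leaks.append({
            "table_vrf": table,          # routing table the route is installed in
            "prefix": prefix,
            "via": f"{kind} {via}",
            "nexthop_vrf": target,       # VRF in which the next hop resolves
            # A leaked default route opens the VRF to everything upstream.
            "default_route": ipaddress.ip_network(prefix, strict=False).prefixlen == 0,
        })
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        flag = "  <-- default route" if leak["default_route"] else ""
        print(f'{leak["table_vrf"]:8} {leak["prefix"]:16} {leak["via"]:24} -> {leak["nexthop_vrf"]}{flag}')
```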

Wow! Thanks for the detailed reply, I did not know that ICMP VRF limitation you mentioned either so that would explain some of my issues too.

I’ll give it a try on my VyOS config with what you taught me, I will let you know how it goes. Appreciated very much :slightly_smiling_face: