VRF Static Route Leaking

Soarin · September 26, 2021, 3:56pm

Hello,

I’ve been trying to get VRF route leaking via static routes to work for the past few days to no avail, even following 1:1 the provided documentation.
My goal is to leak a default route from the global table to a couple of VRFs, so that they can reach the internet.
I’m unable to even get 2 VRFs to talk to each other with a simple static route leak.

VRF A:
172.16.9.1/24 (eth0)
set vrf name A protocols static route 192.168.9.0/24 interface eth1 vrf B

VRF B: 192.168.9.1/24 (eth1)
set vrf name B protocols static route 172.16.9.0/24 interface eth0 vrf A

I try to ping each other from their respective interfaces:
ping 192.168.9.1 source-address 172.16.9.1 vrf A

PING 192.168.9.1 (192.168.9.1) from 172.16.9.1: 56(84) bytes of data.
(blank)

I’m on VyOS 1.4-rolling-202109250602

Is this a bug or something I am doing wrong? No firewalls are put in place, a mostly stock VyOS setup. Thanks

c-po · September 26, 2021, 4:33pm

Given VRF red and green which use 192.168.1.0/24 and 192.168.2.0/24 and leaking a default route into the VRFs. The VRF prefixes are “exported” via OSPF to my border router (BR1).

cpo@BR1.wue3:~$ show ip route ospf | match 192.168
O>* 192.168.1.0/24 [110/20] via 172.18.201.10, eth0.201, weight 1, 00:05:36
O>* 192.168.2.0/24 [110/20] via 172.18.201.10, eth0.201, weight 1, 00:05:36

The router with the VRFs uses:

set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth1 vrf 'green'
set interfaces ethernet eth2 address '192.168.2.1/24'
set interfaces ethernet eth2 vrf 'red'
set protocols ospf redistribute static
set protocols static route 192.168.1.0/24 interface eth1 vrf 'green'
set protocols static route 192.168.2.0/24 interface eth2 vrf 'red'
set vrf name green protocols static route 0.0.0.0/0 next-hop 172.18.201.254 interface 'eth0.201'
set vrf name green protocols static route 0.0.0.0/0 next-hop 172.18.201.254 vrf 'default'
set vrf name green table '3000'
set vrf name red protocols static route 0.0.0.0/0 next-hop 172.18.201.254 interface 'eth0.201'
set vrf name red protocols static route 0.0.0.0/0 next-hop 172.18.201.254 vrf 'default'
set vrf name red table '2000'

cpo@LR1.wue3:~$ show ip route vrf red
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

VRF red:
S>* 0.0.0.0/0 [1/0] via 172.18.201.254, eth0.201 (vrf default), weight 1, 00:03:39
K * 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 1d08h24m
C>* 192.168.2.0/24 is directly connected, eth2, 00:06:31


cpo@LR1.wue3:~$ show ip route vrf green
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

VRF green:
S>* 0.0.0.0/0 [1/0] via 172.18.201.254, eth0.201 (vrf default), weight 1, 00:03:42
K * 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 1d08h24m
C>* 192.168.1.0/24 is directly connected, eth1, 00:06:34

Please note - due to a limitation in the VRF implementation in Linux it seems that you can not access the local IP address inside a VRF (192.168.1.1 or 192.168.2.1) by e.g. ICMP or any other fancy stuff. If you have more hosts connected inside that VRF they will be reachable.

Soarin · September 26, 2021, 7:24pm

Wow! Thanks for the detailed reply, I did not know that ICMP VRF limitation you mentioned either so that would explain some of my issues too.

I’ll give a try on my VyOS config with what you taught me, I will let you know how it goes. Appreciated very much

ibehr · April 21, 2022, 9:25pm

I am wrestling with similar issue. Hoping you can help me.

Based on your configs, what are the 172.18.201.254 and 172.18.201.10 addresses?

My post → Having trouble leaking routes between VRFs - simple example with static entries

Any help appreciated!

c-po · May 23, 2022, 1:40pm

Those addresses are my layer 3 interfaces on between the VRF VyOS router (10) and my border router (254)