[vrf} route-leaking missing command
Closed, InvalidPublicBUG
Actions

Assigned To

Authored By

	fernando
	Jul 2 2021, 10:57 PM

Description

when you need to do a vrf route-leaking between default and vrf X ,you need add a static with the prefix in another vrf table ,for example :

$ show ip route vrf TEST1

VRF TEST1:
S>* 0.0.0.0/0 [1/0] via 192.168.125.1, eth0 (vrf default), weight 1, 00:37:06
C>* 192.168.0.0/24 is directly connected, eth1, 01:16:11     ----------------{prefix to add }

if i want to add on vyos-cli this command doesn't exist :

  vyos@rt-vrf-test# set protocols static route  192.168.0.0/24 
Possible completions:
 > blackhole    Silently discard pkts when matched
   dhcp-interface
                DHCP interface supplying next-hop IP address
+> next-hop     Next-hop router


[edit]

I add it config with FRR:

vyos@rt-vrf-test:~$ sudo vtysh -c" show run"
Building configuration...

Current configuration:
!
frr version 7.5.1-20210625-00-gf07d935a2

!
ip route 0.0.0.0/0 192.168.125.1 eth0 tag 210 210
ip route 192.168.0.0/24 eth1 nexthop-vrf TEST1

it works well :

vyos@rt-vrf-test:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [210/0] via 192.168.125.1, eth0, weight 1, 01:25:33
C>* 10.10.10.0/24 is directly connected, dum10, 01:25:37
S>* 192.168.0.0/24 [1/0] is directly connected, eth1 (vrf TEST1), weight 1, 00:46:30     /// prefix add
C>* 192.168.125.0/24 is directly connected, eth0, 01:25:33



vyos@rt-vrf-test:~$ ping 192.168.0.40
PING 192.168.0.40 (192.168.0.40) 56(84) bytes of data.
64 bytes from 192.168.0.40: icmp_seq=1 ttl=64 time=1.88 ms
64 bytes from 192.168.0.40: icmp_seq=2 ttl=64 time=2.92 ms
^C
--- 192.168.0.40 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 1.879/2.400/2.921/0.521 ms

PD: ro

Details

Version: VyOS 1.3-beta-202106252246
Is it a breaking change?: Perfectly compatible

Event Timeline

fernando created this task.Jul 2 2021, 10:57 PM

Commands are implemented.

Please check https://docs.vyos.io/en/equuleus/configuration/vrf/index.html?highlight=vrf

From default to red
set protocols static route 10.0.0.0/8 next-hop 1.1.1.1 next-hop-vrf red

From red to default
set protocols vrf red static route 10.0.0.0/8 next-hop 1.1.1.1 next-hop-vrf default

pasik subscribed.Jul 3 2021, 5:04 PM

yes , but when you use 'set protocols static route 10.0.0.0/8 next-hop 1.1.1.1 next-hop-vrf red' it doesn't install the prefix in the default table :

example :

set protocols static route 192.168.0.0/24 next-hop 192.168.0.1 next-hop-vrf 'TEST1'
set protocols vrf TEST1 static route 0.0.0.0/0 next-hop 192.168.125.1 next-hop-vrf 'default'

vyos@rt-vrf-test:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [210/0] via 192.168.125.1, eth0, weight 1, 00:27:45
C>* 10.10.10.0/24 is directly connected, dum10, 00:27:49
C>* 192.168.125.0/24 is directly connected, eth0, 00:27:45

vyos@rt-vrf-test:~$ ip route show
default nhid 26 via 192.168.125.1 dev eth0 proto static metric 20
10.10.10.0/24 dev dum10 proto kernel scope link src 10.10.10.10
192.168.125.0/24 dev eth0 proto kernel scope link src 192.168.125.22

however , you adds the interface where you research the network . It can be installed in the global table :

rt-vrf-test# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

S>* 0.0.0.0/0 [210/0] via 192.168.125.1, eth0, weight 1, 00:41:40
C>* 10.10.10.0/24 is directly connected, dum10, 00:41:44
S>* 192.168.0.0/24 [1/0] is directly connected, eth1 (vrf TEST1), weight 1, 00:00:05
C>* 192.168.125.0/24 is directly connected, eth0, 00:41:40

vyos@rt-vrf-test:~$ ip route
default nhid 26 via 192.168.125.1 dev eth0 proto static metric 20
10.10.10.0/24 dev dum10 proto kernel scope link src 10.10.10.10
192.168.0.0/24 nhid 28 dev eth1 proto static metric 20
192.168.125.0/24 dev eth0 proto kernel scope link src 192.168.125.22

rt-vrf-test# ping 192.168.0.40
PING 192.168.0.40 (192.168.0.40) 56(84) bytes of data.
64 bytes from 192.168.0.40: icmp_seq=1 ttl=64 time=1.90 ms
64 bytes from 192.168.0.40: icmp_seq=2 ttl=64 time=2.13 ms

c-po claimed this task.Jul 11 2021, 11:39 AM

I did a short lab test using the following topology based on my assumptions what you wan't to do using VyOS 1.3.0-rc5:

Topology

PC1 is in the default VRF and acting as e.g. a "fileserver"
PC2 is in VRF blue which is the development department
PC3 and PC4 are connected to a bridge device on router R1 which is in VRF red. Say this is the HR department

All PCs can access the common fileserver as the route is leaked between the VRFs, but blue and red networks can not communicate as there is no route installed.

Configuration

set interfaces bridge br10 address '10.30.0.254/24'
set interfaces bridge br10 member interface eth3
set interfaces bridge br10 member interface eth4
set interfaces bridge br10 vrf 'red'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 vrf 'mgmt'
set interfaces ethernet eth1 address '10.0.0.254/24'
set interfaces ethernet eth2 address '10.20.0.254/24'
set interfaces ethernet eth2 vrf 'blue'
set protocols static interface-route 10.20.0.0/24 next-hop-interface eth2 next-hop-vrf 'blue'
set protocols static interface-route 10.30.0.0/24 next-hop-interface br10 next-hop-vrf 'red'
set protocols vrf blue static interface-route 10.0.0.0/24 next-hop-interface eth1 next-hop-vrf 'default'
set protocols vrf red static interface-route 10.0.0.0/24 next-hop-interface eth1 next-hop-vrf 'default'
set service ssh disable-host-validation
set service ssh vrf 'mgmt'
set system console device ttyS0 speed '9600'
set system domain-name 'vyos.net'
set system host-name 'R1'
set system name-servers-dhcp 'eth0'
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
set system ntp vrf 'mgmt'
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'
set vrf name blue table '3000'
set vrf name mgmt table '1000'
set vrf name red table '2000'

Operation

vyos@R1:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

C>* 10.0.0.0/24 is directly connected, eth1, 00:07:44
S>* 10.20.0.0/24 [1/0] is directly connected, eth2 (vrf blue), weight 1, 00:07:38
S>* 10.30.0.0/24 [1/0] is directly connected, br10 (vrf red), weight 1, 00:07:38

vyos@R1:~$ show ip route vrf red
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

VRF red:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 00:07:57
S>* 10.0.0.0/24 [1/0] is directly connected, eth1 (vrf default), weight 1, 00:07:40
C>* 10.30.0.0/24 is directly connected, br10, 00:07:54

vyos@R1:~$ show ip route vrf blue
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

VRF blue:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 00:08:00
S>* 10.0.0.0/24 [1/0] is directly connected, eth1 (vrf default), weight 1, 00:07:44
C>* 10.20.0.0/24 is directly connected, eth2, 00:07:53

Test

PCS> ping 10.0.0.1 

84 bytes from 10.0.0.1 icmp_seq=1 ttl=63 time=1.943 ms
84 bytes from 10.0.0.1 icmp_seq=2 ttl=63 time=1.618 ms
84 bytes from 10.0.0.1 icmp_seq=3 ttl=63 time=1.678 ms
84 bytes from 10.0.0.1 icmp_seq=4 ttl=63 time=1.628 ms
84 bytes from 10.0.0.1 icmp_seq=5 ttl=63 time=1.954 ms

VPCS> show ip

NAME        : VPCS[1]
IP/MASK     : 10.30.0.1/24
GATEWAY     : 10.30.0.254
DNS         : 
MAC         : 00:50:79:66:68:0f
LPORT       : 20000
RHOST:PORT  : 127.0.0.1:30000
MTU         : 1500

I know that the CLI syntax feels very clumsy in VyOS 1.3 on the VRF part as it is implemented as routes are implemented in VyOS 1.2 - the CLI commands for static routing and also VRFs got reworked in VyOS 1.4 already to feel more "nicely" when adding routes with a next-hop interface.

fernando added a comment.Jul 12 2021, 1:34 PM

This comment was removed by fernando.

Hi @c-po

good lab, thanks for your time! I want to leave a comment , I used the syntax that you recommend and it worked well ( VyOS 1.3.0-rc5):

vyos@rt-vrf-test-new# compare
[edit protocols static]
+interface-route 192.168.0.0/24 {
+    next-hop-interface eth0 {
+        next-hop-vrf TEST1
+    }
+}

As you said this syntax is a bit clumsy, there are cases where you don't know the next-hop or it is a interface dummy or loopback ,then you need to use this kind of configuration .

c-po closed this task as Invalid.Jul 12 2021, 4:41 PM

c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Jul 31 2021, 8:48 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 12:17 PM

syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.

	F1583943: image.png
	Jul 11 2021, 1:54 PM

[vrf} route-leaking missing commandClosed, InvalidPublicBUGActions