Re: VRF leaking doesn't work

From: David Ahern <dsahern@gmail.com>
To: Greesha Mikhalkin <grigoriymikhalkin@gmail.com>, netdev@vger.kernel.org
Subject: Re: VRF leaking doesn't work
Date: Fri, 5 Mar 2021 08:37:44 -0700	[thread overview]
Message-ID: <a47aac93-d528-beee-a2a7-ce4b12c718b9@gmail.com> (raw)
In-Reply-To: <CADbyt64e2cmQzZTEg3VoY6py=1pAqkLDRw+mniRdr9Rua5XtgQ@mail.gmail.com>

On 3/2/21 3:57 AM, Greesha Mikhalkin wrote:
> Hi. I need a help to understand why VRF leaking doesn’t work in my situation.
> I want to set up leaking between 2 VRFs, that are set up by following commands:
> 
>       # Setup bridge
>       sudo ip link add bridge type bridge
> 
>       # Setup VLANs
>       ip link add link bridge name vlan1 type vlan id 1
>       ip link add link bridge name vlan2 type vlan id 2
>       ip addr add 10.0.0.31/32 dev vlan1
>       ip addr add 10.0.0.32/32 dev vlan2
>       ip link set vlan1 up
>       ip link set vlan2 up
> 
>       # Setup VXLANs
>       ip link add vni1 type vxlan id 1 local 10.1.0.1 dev lan1 srcport
> 0 0 dstport 4789 nolearning
>       ip link add vni2 type vxlan id 2 local 10.1.0.1 dev lan1 srcport
> 0 0 dstport 4789 nolearning
>       ip link set vni1 master bridge
>       ip link set vni2 master bridge
>       bridge vlan add dev vni1 vid 1 pvid untagged
>       bridge vlan add dev vni2 vid 2 pvid untagged
>       ip link set vni1 up
>       ip link set vni2 up
> 
>       # Setup VRFs
>       ip link add vrf1 type vrf table 1000
>       ip link set dev vrf1 up
>       ip link add vrf2 type vrf table 1001
>       ip link set dev vrf2 up
> 
>     Setting routes:
> 
>       # Unreachable default routes
>       ip route add table 1000 unreachable default metric 4278198272
>       ip route add table 1001 unreachable default metric 4278198272
> 
>       # Nexthop
>       ip route add table 1000 100.255.254.3 proto bgp metric 20
> nexthop via 10.0.0.11 dev vlan1 weight 1 onlink
> 
> I'm trying to setup VRF leaking in following way:
> 
>       ip r a vrf vrf2 100.255.254.3/32 dev vrf1
>       ip r a vrf vrf2 10.0.0.31/32 dev vrf1
>       ip r a vrf vrf1 10.0.0.32/32 dev vrf2
> 
> Main goal is that 100.255.254.3 should be reachable from vrf2. But
> after this setup it doesn’t work. When i run `ping -I vrf2
> 100.255.254.3` it sends packets from source address that belongs to
> vlan1 enslaved by vrf1. I can see in tcpdump that ICMP packets are
> sent and then returned to source address but they're not returned to
> ping command for some reason. To be clear `ping -I vrf1 …` works fine.
> 

What kernel version? If you have not tried 5.10 or 5.11, please do.