Support cross-VRF local-in and local-out traffic for local services
When local-out traffic such as SD-WAN health checks, SNMP, syslog, and so on are initiated from an interface on one VRF and then pass through interfaces on another VRF, the reply traffic will be successfully forwarded back to the original VRF.
VRF 0 is a special VRF. By default, all routing is done in VRF 0. So all routes in different VRFs, such as VRF 10 or VRF 20, will all be included in VRF 0. VRF 0 cannot be used in the cross-VRF case. For local-in and local-out traffic, all routes relating to one VRF are isolated from other VRFs so interfaces in one VRF cannot reach interfaces in a different VRF, except for VRF 0. |
Example
In this example, there is an NPU inter-VDOM link that is configured on the root VDOM. Two VLANs, vrf10 and vrf20, are created on either ends of the NPU inter-VDOM link, each belonging to a different VRF.
When pinging from the vrf10 interface in VRF 10 to the destination server 172.16.202.2, since there is a single static route for VRF 10 with a gateway of vrf20/10.32.70.2, traffic is sent to the next hop and subsequently routed through port12 to the server.
As seen in the sniffer trace, the ICMP replies are received on port12 in VRF 20, then pass through vrf20, and are ultimately forwarded back to vrf10 in VRF 10. The traffic flow demonstrates that local-out traffic sourced from one VRF passing through another VRF can return back to the original VRF.
To configure cross-VRF local-out traffic for local services:
-
Configure the interfaces:
config system interface edit "vrf10" set vdom "root" set vrf 10 set ip 10.32.70.1 255.255.255.0 set allowaccess ping set device-identification enable set role lan set snmp-index 35 set interface "npu0_vlink0" set vlanid 22 next edit "vrf20" set vdom "root" set vrf 20 set ip 10.32.70.2 255.255.255.0 set allowaccess ping set device-identification enable set role lan set snmp-index 36 set interface "npu0_vlink1" set vlanid 22 next edit "port12" set vdom "root" set vrf 20 set ip 172.16.202.1 255.255.255.0 set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test set type physical set alias "TO_FGT_D_port22" set snmp-index 14 config ipv6 set ip6-address 2003:172:16:202::1/64 set ip6-allowaccess ping end next end
-
Configure the firewall policy:
config firewall policy edit 1 set srcintf "vrf20" set dstintf "port12" set action accept set srcaddr "all" set dstaddr "all" set srcaddr6 "all" set dstaddr6 "all" set schedule "always" set service "ALL" next end
-
Configure the static route:
config router static edit 2 set gateway 10.32.70.2 set distance 3 set device "vrf10" next end
To test the configuration:
-
Execute a ping from the vrf10 interface in VRF 10 to the destination server (172.16.202.2):
# execute ping-options interface vrf10 # execute ping 172.16.202.2 PING 172.16.202.2 (172.16.202.2): 56 data bytes 64 bytes from 172.16.202.2: icmp_seq=0 ttl=254 time=0.1 ms 64 bytes from 172.16.202.2: icmp_seq=1 ttl=254 time=0.0 ms --- 172.16.202.2 ping statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 0.0/0.0/0.1 ms
-
Run a sniffer trace on 172.16.202.2 for ICMP:
# diagnose sniffer packet any "host 172.16.202.2 and icmp" 4 interfaces=[any] filters=[host 172.16.202.2 and icmp] 3.393920 vrf10 out 10.32.70.1 -> 172.16.202.2: icmp: echo request 3.393922 npu0_vlink0 out 10.32.70.1 -> 172.16.202.2: icmp: echo request 3.393927 vrf20 in 10.32.70.1 -> 172.16.202.2: icmp: echo request 3.393943 port12 out 10.32.70.1 -> 172.16.202.2: icmp: echo request 3.393977 port12 in 172.16.202.2 -> 10.32.70.1: icmp: echo reply 3.393987 vrf20 out 172.16.202.2 -> 10.32.70.1: icmp: echo reply 3.393988 npu0_vlink1 out 172.16.202.2 -> 10.32.70.1: icmp: echo reply 3.393993 vrf10 in 172.16.202.2 -> 10.32.70.1: icmp: echo reply 4.393941 vrf10 out 10.32.70.1 -> 172.16.202.2: icmp: echo request 4.393942 npu0_vlink0 out 10.32.70.1 -> 172.16.202.2: icmp: echo request 4.393948 vrf20 in 10.32.70.1 -> 172.16.202.2: icmp: echo request 4.393957 port12 out 10.32.70.1 -> 172.16.202.2: icmp: echo request 4.393980 port12 in 172.16.202.2 -> 10.32.70.1: icmp: echo reply 4.393987 vrf20 out 172.16.202.2 -> 10.32.70.1: icmp: echo reply 4.393987 npu0_vlink1 out 172.16.202.2 -> 10.32.70.1: icmp: echo reply 4.393994 vrf10 in 172.16.202.2 -> 10.32.70.1: icmp: echo reply