Hi,
I'm running VyOS 1.4.0-epa2. I'm using DMVPN and BGP to interconnect multiple sites. My plan is to separate my interfaces and networks with VRFs, so that DMVPN routes and BGP routes do not interfere with the routes of the management interface. When I create a VRF (without assigning anything to it), I lose all connectivity to the router.
The following command breaks connectivity. The commit "returns" to the prompt, but after that the router does not do anything anymore: no connections or anything else work.
Only a reboot of the (hardware) machine brings it back (without the vrf, as the config has not been saved).
vyos@hostname# set vrf name test table 500 [edit] vyos@hostname# commit [edit] vyos@hostname#
See my sample config below (sensitive values censored):
vyos@myhostname:~$ show configuration firewall { group { ipv6-network-group BGP-INCOMING { } ipv6-network-group SSH-INCOMING { <snip> } ipv6-network-group TUNNEL-INCOMING { } network-group BGP-INCOMING { <snip> } network-group SSH-INCOMING { <snip> } network-group TUNNEL-INCOMING { } } ipv4 { input { filter { rule 1 { action accept state established state related } rule 2 { action accept protocol icmp } rule 10 { action accept destination { port 22 } protocol tcp source { group { network-group SSH-INCOMING } } } rule 20 { action accept destination { port bgp } protocol tcp source { group { network-group BGP-INCOMING } } } rule 30 { action accept source { group { network-group TUNNEL-INCOMING } } } rule 50 { action accept protocol gre } rule 51 { action accept protocol esp } rule 52 { action accept protocol ah } rule 53 { action accept destination { port isakmp } protocol udp } rule 54 { action accept destination { port ipsec-nat-t } protocol udp } rule 55 { action accept protocol udp source { port isakmp } } rule 56 { action accept protocol udp source { port ipsec-nat-t } } rule 999 { action drop } } } } ipv6 { input { filter { rule 1 { action accept state established state related } rule 2 { action accept protocol icmpv6 } rule 10 { action accept destination { port 22 } protocol tcp source { group { network-group SSH-INCOMING } } } rule 20 { action accept destination { port bgp } protocol tcp source { group { network-group BGP-INCOMING } } } rule 30 { action accept source { group { network-group TUNNEL-INCOMING } } } rule 999 { action drop } } } } } interfaces { ethernet eth0 { address 192.168.1.253/24 hw-id ec:a8:6b:fe:ad:c7 vif 10 { address 10.10.81.129/27 } } loopback lo { } tunnel tun100 { address 10.10.81.243/28 enable-multicast encapsulation gre parameters { ip { key **************** } } source-address 0.0.0.0 } tunnel tun241 { address my:prefix::241:243::2/96 encapsulation sit remote 10.10.81.241 source-address 10.10.81.243 } tunnel tun242 { address 
my:prefix::242:243::2/96 encapsulation sit remote 10.10.81.242 source-address 10.10.81.243 } } policy { local-route { rule 50 { protocol gre set { table 100 } } rule 51 { protocol esp set { table 100 } } rule 52 { protocol ah set { table 100 } } rule 53 { destination { port 500 } protocol udp set { table 100 } } rule 54 { destination { port 4500 } protocol udp set { table 100 } } rule 55 { protocol udp set { table 100 } source { port 500 } } rule 56 { protocol udp set { table 100 } source { port 4500 } } rule 100 { set { table 100 } source { address 192.168.1.253 } } rule 150 { destination { address 192.168.1.0/24 } set { table 100 } } rule 160 { set { table 100 } source { address 192.168.1.0/24 } } } prefix-list DMVPN4-HUB { rule 1 { action permit ge 24 le 32 prefix 10.10.80.0/23 } rule 2 { action permit prefix 0.0.0.0/0 } } prefix-list DMVPN4-SPOKE { rule 1 { action permit ge 24 le 32 prefix 10.10.80.0/23 } } prefix-list EBGP-PREPEND4 { } prefix-list EBGP4 { } prefix-list6 DMVPN6-HUB { rule 1 { action permit ge 48 prefix my:other:refix::/44 } rule 2 { action permit prefix ::/0 } } prefix-list6 DMVPN6-SPOKE { rule 1 { action permit ge 48 prefix my:other:refix::/44 } } prefix-list6 EBGP-PREPEND6 { } prefix-list6 EBGP6 { } route-map DMVPN-HUB { rule 1 { action permit match { ip { address { prefix-list DMVPN4-HUB } } } } rule 2 { action permit match { ipv6 { address { prefix-list DMVPN6-HUB } } } } rule 999 { action deny } } route-map DMVPN-SPOKE { rule 1 { action permit match { ip { address { prefix-list DMVPN4-SPOKE } } } } rule 2 { action permit match { ipv6 { address { prefix-list DMVPN6-SPOKE } } } } rule 999 { action deny } } route-map UPSTREAM { rule 1 { action permit match { ipv6 { address { prefix-list EBGP-PREPEND6 } } } set { as-path { prepend "MYASN MYASN MYASN" } } } rule 2 { action permit match { ip { address { prefix-list EBGP-PREPEND4 } } } set { as-path { prepend "MYASN MYASN MYASN" } } } rule 3 { action permit match { ipv6 { address { prefix-list 
EBGP6 } } } } rule 4 { action permit match { ip { address { prefix-list EBGP4 } } } } rule 999 { action deny } } } protocols { bgp { address-family { ipv4-unicast { network 10.10.81.128/27 { } } } neighbor 10.10.81.241 { peer-group DMVPN4-HUB } neighbor 10.10.81.242 { peer-group DMVPN4-HUB } peer-group DMVPN4-HUB { address-family { ipv4-unicast { route-map { export DMVPN-SPOKE import DMVPN-HUB } soft-reconfiguration { inbound } } } remote-as MYASN } peer-group DMVPN4-SPOKE { address-family { ipv4-unicast { route-map { export DMVPN-SPOKE import DMVPN-SPOKE } soft-reconfiguration { inbound } } } remote-as MYASN } system-as MYASN } nhrp { tunnel tun100 { cisco-authentication secret holding-time 300 map 10.10.81.241/28 { nbma-address other-address register } map 10.10.81.242/28 { nbma-address another-address register } multicast nhs redirect shortcut } } static { route 0.0.0.0/0 { next-hop 192.168.1.1 { } } /* Originating traffic from the router */ table 100 { route 0.0.0.0/0 { next-hop 192.168.1.1 { } } } } } service { ntp { allow-client { address 0.0.0.0/0 address ::/0 } server time1.vyos.net { } server time2.vyos.net { } server time3.vyos.net { } } ssh { disable-password-authentication port 22 } } system { host-name somehostname login { user vyos { authentication { encrypted-password **************** public-keys root@root { key **************** type ssh-rsa } public-keys root@work { key **************** type ssh-rsa } } } } name-server 8.8.4.4 name-server 8.8.8.8 static-host-mapping { host-name myhostname { inet 127.0.0.1 } } } vpn { ipsec { esp-group ESP-HUB { lifetime 1800 mode transport pfs dh-group2 proposal 1 { encryption aes256 hash sha1 } proposal 2 { encryption 3des hash md5 } } ike-group IKE-HUB { key-exchange ikev1 lifetime 3600 proposal 1 { dh-group 2 encryption aes256 hash sha1 } proposal 2 { dh-group 2 encryption aes128 hash sha1 } } interface eth0 profile NHRPVPN { authentication { mode pre-shared-secret pre-shared-secret **************** } bind { 
tunnel tun100 } esp-group ESP-HUB ike-group IKE-HUB } } } vyos@myhostname:~$ show version Version: VyOS 1.4.0-epa2 Release train: sagitta Built by: Sentrium S.L. Built on: Tue 12 Mar 2024 11:58 UTC Build UUID: 7b60be54-0b8f-4337-aa9e-b6e675942946 Build commit ID: 48f7d41a607707 Architecture: x86_64 Boot via: installed image System type: bare metal Hardware vendor: Hardware model: Hardware S/N: Hardware UUID: c7587600-34d4-11e1-a8f9-eca86bfeadc7 Copyright: VyOS maintainers and contributors