Hi,
I'm running VyOS 1.4.0-epa2 and using DMVPN and BGP to interconnect multiple sites. My plan is to separate my interfaces and networks with VRFs so that DMVPN and BGP routes do not interfere with the routes of the management interface. As soon as I create a VRF (without assigning anything to it), I lose all connectivity to the router.
The following command breaks connectivity. The commit "returns", but afterwards the router no longer responds to anything: neither existing nor new connections work.
Only a reboot of the (hardware) machine brings it back — without the VRF, since the configuration was never saved.
```
vyos@hostname# set vrf name test table 500
[edit]
vyos@hostname# commit
[edit]
vyos@hostname#
```
See my sample (censored) config below:
```
vyos@myhostname:~$ show configuration
/* Stateful input filter for both address families: established/related and ICMP first, named groups for SSH/BGP, then an explicit drop at rule 999 */
firewall {
group {
ipv6-network-group BGP-INCOMING {
}
ipv6-network-group SSH-INCOMING {
<snip>
}
/* Shown empty in this paste; rule 30 below accepts every protocol and port from this group */
ipv6-network-group TUNNEL-INCOMING {
}
network-group BGP-INCOMING {
<snip>
}
network-group SSH-INCOMING {
<snip>
}
/* Shown empty in this paste; rule 30 below accepts every protocol and port from this group */
network-group TUNNEL-INCOMING {
}
}
ipv4 {
input {
filter {
rule 1 {
action accept
state established
state related
}
rule 2 {
action accept
protocol icmp
}
/* SSH only from SSH-INCOMING; together with disable-password-authentication below this is key-only access from listed sources */
rule 10 {
action accept
destination {
port 22
}
protocol tcp
source {
group {
network-group SSH-INCOMING
}
}
}
rule 20 {
action accept
destination {
port bgp
}
protocol tcp
source {
group {
network-group BGP-INCOMING
}
}
}
/* No protocol/port match: anything from TUNNEL-INCOMING is accepted */
rule 30 {
action accept
source {
group {
network-group TUNNEL-INCOMING
}
}
}
/* Rules 50-56 admit GRE, ESP, AH and IKE/NAT-T from any source; the IPsec pre-shared-secret authentication is what gates the tunnel, not this filter */
rule 50 {
action accept
protocol gre
}
rule 51 {
action accept
protocol esp
}
rule 52 {
action accept
protocol ah
}
rule 53 {
action accept
destination {
port isakmp
}
protocol udp
}
rule 54 {
action accept
destination {
port ipsec-nat-t
}
protocol udp
}
rule 55 {
action accept
protocol udp
source {
port isakmp
}
}
rule 56 {
action accept
protocol udp
source {
port ipsec-nat-t
}
}
/* Default drop: no earlier rule admits UDP/123, so the NTP allow-client 0.0.0.0/0 below is only reachable from TUNNEL-INCOMING sources */
rule 999 {
action drop
}
}
}
}
ipv6 {
input {
filter {
rule 1 {
action accept
state established
state related
}
rule 2 {
action accept
protocol icmpv6
}
rule 10 {
action accept
destination {
port 22
}
protocol tcp
source {
group {
network-group SSH-INCOMING
}
}
}
rule 20 {
action accept
destination {
port bgp
}
protocol tcp
source {
group {
network-group BGP-INCOMING
}
}
}
/* Same blanket accept from the (empty in this paste) tunnel group as the IPv4 rule 30 */
rule 30 {
action accept
source {
group {
network-group TUNNEL-INCOMING
}
}
}
/* Unlike the IPv4 chain there is no GRE/ESP/IKE accept here; the tunnels are carried over IPv4 */
rule 999 {
action drop
}
}
}
}
}
interfaces {
ethernet eth0 {
address 192.168.1.253/24
hw-id ec:a8:6b:fe:ad:c7
vif 10 {
address 10.10.81.129/27
}
}
loopback lo {
}
/* DMVPN mGRE tunnel; NHRP (protocols nhrp) and the NHRPVPN IPsec profile are bound to it */
tunnel tun100 {
address 10.10.81.243/28
enable-multicast
encapsulation gre
parameters {
ip {
key ****************
}
}
/* NOTE(review): 0.0.0.0 as GRE source — presumably censored or meant as "pick the outgoing address"; confirm it matches the vpn ipsec interface eth0 binding */
source-address 0.0.0.0
}
/* 6in4 tunnels to the two hubs, riding on the DMVPN overlay addresses */
tunnel tun241 {
address my:prefix::241:243::2/96
encapsulation sit
remote 10.10.81.241
source-address 10.10.81.243
}
tunnel tun242 {
address my:prefix::242:243::2/96
encapsulation sit
remote 10.10.81.242
source-address 10.10.81.243
}
}
policy {
/* Locally originated GRE/ESP/AH/IKE traffic and anything from/to 192.168.1.0/24 is looked up in table 100 instead of main */
/* NOTE(review): creating a VRF installs additional ip-rule entries next to these; comparing `ip rule show` before and after the commit would show whether they collide */
local-route {
rule 50 {
protocol gre
set {
table 100
}
}
rule 51 {
protocol esp
set {
table 100
}
}
rule 52 {
protocol ah
set {
table 100
}
}
rule 53 {
destination {
port 500
}
protocol udp
set {
table 100
}
}
rule 54 {
destination {
port 4500
}
protocol udp
set {
table 100
}
}
rule 55 {
protocol udp
set {
table 100
}
source {
port 500
}
}
rule 56 {
protocol udp
set {
table 100
}
source {
port 4500
}
}
rule 100 {
set {
table 100
}
source {
address 192.168.1.253
}
}
rule 150 {
destination {
address 192.168.1.0/24
}
set {
table 100
}
}
rule 160 {
set {
table 100
}
source {
address 192.168.1.0/24
}
}
}
/* HUB list additionally permits the default route; SPOKE list only the 10.10.80.0/23 more-specifics */
prefix-list DMVPN4-HUB {
rule 1 {
action permit
ge 24
le 32
prefix 10.10.80.0/23
}
rule 2 {
action permit
prefix 0.0.0.0/0
}
}
prefix-list DMVPN4-SPOKE {
rule 1 {
action permit
ge 24
le 32
prefix 10.10.80.0/23
}
}
/* Empty lists: the UPSTREAM route-map below matches nothing until these are filled */
prefix-list EBGP-PREPEND4 {
}
prefix-list EBGP4 {
}
prefix-list6 DMVPN6-HUB {
rule 1 {
action permit
ge 48
prefix my:other:refix::/44
}
rule 2 {
action permit
prefix ::/0
}
}
prefix-list6 DMVPN6-SPOKE {
rule 1 {
action permit
ge 48
prefix my:other:refix::/44
}
}
prefix-list6 EBGP-PREPEND6 {
}
prefix-list6 EBGP6 {
}
/* Import filter from the hubs; explicit deny at rule 999 */
route-map DMVPN-HUB {
rule 1 {
action permit
match {
ip {
address {
prefix-list DMVPN4-HUB
}
}
}
}
rule 2 {
action permit
match {
ipv6 {
address {
prefix-list DMVPN6-HUB
}
}
}
}
rule 999 {
action deny
}
}
/* Export filter (and spoke-to-spoke import); explicit deny at rule 999 */
route-map DMVPN-SPOKE {
rule 1 {
action permit
match {
ip {
address {
prefix-list DMVPN4-SPOKE
}
}
}
}
rule 2 {
action permit
match {
ipv6 {
address {
prefix-list DMVPN6-SPOKE
}
}
}
}
rule 999 {
action deny
}
}
/* Not referenced by any neighbor or peer-group in this paste */
route-map UPSTREAM {
rule 1 {
action permit
match {
ipv6 {
address {
prefix-list EBGP-PREPEND6
}
}
}
set {
as-path {
prepend "MYASN MYASN MYASN"
}
}
}
rule 2 {
action permit
match {
ip {
address {
prefix-list EBGP-PREPEND4
}
}
}
set {
as-path {
prepend "MYASN MYASN MYASN"
}
}
}
rule 3 {
action permit
match {
ipv6 {
address {
prefix-list EBGP6
}
}
}
}
rule 4 {
action permit
match {
ip {
address {
prefix-list EBGP4
}
}
}
}
rule 999 {
action deny
}
}
}
protocols {
/* iBGP (remote-as equals system-as) to the two hubs over the DMVPN overlay; import/export both route-map filtered */
bgp {
address-family {
ipv4-unicast {
network 10.10.81.128/27 {
}
}
}
neighbor 10.10.81.241 {
peer-group DMVPN4-HUB
}
neighbor 10.10.81.242 {
peer-group DMVPN4-HUB
}
peer-group DMVPN4-HUB {
address-family {
ipv4-unicast {
route-map {
export DMVPN-SPOKE
import DMVPN-HUB
}
soft-reconfiguration {
inbound
}
}
}
remote-as MYASN
}
/* Defined but no neighbor uses it in this paste */
peer-group DMVPN4-SPOKE {
address-family {
ipv4-unicast {
route-map {
export DMVPN-SPOKE
import DMVPN-SPOKE
}
soft-reconfiguration {
inbound
}
}
}
remote-as MYASN
}
system-as MYASN
}
nhrp {
tunnel tun100 {
cisco-authentication secret
holding-time 300
/* Hub NBMA addresses are left unredacted here, unlike the other secrets in the paste */
map 10.10.81.241/28 {
nbma-address 107.189.8.95
register
}
map 10.10.81.242/28 {
nbma-address 194.32.107.51
register
}
multicast nhs
redirect
shortcut
}
}
static {
route 0.0.0.0/0 {
next-hop 192.168.1.1 {
}
}
/* Originating traffic from the router */
table 100 {
route 0.0.0.0/0 {
next-hop 192.168.1.1 {
}
}
}
}
}
service {
ntp {
/* Any client address is allowed at the service; exposure is bounded by the input filter (only TUNNEL-INCOMING sources reach UDP/123) */
allow-client {
address 0.0.0.0/0
address ::/0
}
server time1.vyos.net {
}
server time2.vyos.net {
}
server time3.vyos.net {
}
}
/* Key-only SSH; reachable only from SSH-INCOMING per firewall rule 10 */
ssh {
disable-password-authentication
port 22
}
}
system {
host-name somehostname
login {
user vyos {
authentication {
encrypted-password ****************
public-keys root@root {
key ****************
type ssh-rsa
}
public-keys root@work {
key ****************
type ssh-rsa
}
}
}
}
name-server 8.8.4.4
name-server 8.8.8.8
static-host-mapping {
host-name myhostname {
inet 127.0.0.1
}
}
}
vpn {
ipsec {
/* Transport-mode ESP for the GRE overlay; PFS with DH group 2 (1024-bit MODP) */
esp-group ESP-HUB {
lifetime 1800
mode transport
pfs dh-group2
proposal 1 {
encryption aes256
hash sha1
}
/* Keeps the legacy 3DES/MD5 combination negotiable as a fallback; both algorithms are deprecated */
proposal 2 {
encryption 3des
hash md5
}
}
/* IKEv1 with DH group 2 (1024-bit MODP) in both proposals; SHA-1 integrity throughout */
ike-group IKE-HUB {
key-exchange ikev1
lifetime 3600
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
proposal 2 {
dh-group 2
encryption aes128
hash sha1
}
}
interface eth0
/* Pre-shared-secret authenticated profile bound to tun100; this is the only thing gating who can bring up the tunnel, since firewall rules 50-56 accept IKE/ESP from any source */
profile NHRPVPN {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
bind {
tunnel tun100
}
esp-group ESP-HUB
ike-group IKE-HUB
}
}
}
vyos@myhostname:~$ show version
Version: VyOS 1.4.0-epa2
Release train: sagitta
Built by: Sentrium S.L.
Built on: Tue 12 Mar 2024 11:58 UTC
Build UUID: 7b60be54-0b8f-4337-aa9e-b6e675942946
Build commit ID: 48f7d41a607707
Architecture: x86_64
Boot via: installed image
System type: bare metal
Hardware vendor:
Hardware model:
Hardware S/N:
Hardware UUID: c7587600-34d4-11e1-a8f9-eca86bfeadc7
Copyright: VyOS maintainers and contributors
```