Hi Ben

The VPP machine is a router with two interfaces through which I establish BGP sessions with two different providers. These sessions are established using non-routable IPs, so to be able to access the router externally, one of the providers has assigned me an "administration IP" that I use to ssh into the router.

When this was a pure Linux router, this administration IP was configured in a dummy interface, and I used source-based routing to ensure that the return packets from sshd would go via the interface connected to provider who assigned me the IP.

To do this, I created a new kernel routing table called "mgmt", added a default route there, with

  ip route add default via $peer_ip table mgmt

and then created a source routing rule with

  ip rule add from $admin_ip lookup mgmt

I'm now reconfiguring this router with VPP, so I have an sshd instance running in the vpp namespace, and I'm adding the administration IP to a loopback interface:

  create loopback interface instance 0
  lcp create loop0 host-if management
  set interface state loop0 up
  set interface ip address loop0 $admin_ip/32

Now if I add a default route via $peer_ip, it works fine:

  ip netns exec vpp \
    ip route add default via $peer_ip dev $peer_interface

But if I try the same solution as before, with ip rule, that is,

  ip netns exec vpp \
    ip route add default via $peer_ip table mgmt
  ip netns exec vpp \
    ip rule add from $admin_ip lookup mgmt

and then delete the default route above, ssh into the router doesn't work anymore.

I suspect this is because the routes in the "mgmt" table are not synced into VPP by LCP. So what I'm trying to do is to find the equivalent configuration to reproduce the Linux setup.

I thought this would work (along with the ip route and ip rule above):

  ip table add 10
  create loopback interface instance 0
  set interface ip table loop0 10
  lcp create loop0 host-if management
  set interface state loop0 up
  set interface ip address loop0 $admin_ip/32
  ip route add 0.0.0.0/0 table 10 via $peer_ip $peer_interface

I have also tried the svs plugin as in the previous email, and also acl/abf but couldn't get any of those options to work.

Thanks,
Andre


On 8/27/25 5:15 AM, Benoit Ganne (bganne) via lists.fd.io wrote:
Hi Andre,

Generally speaking, policy-based routing can be achieved with ABF [0] or IP session redirect [1].
I'm not sure I understand the topology, but don't you have to configure policy-based routing in Linux too?
From what I understand, VPP forwards packets toward the management just fine but the problem is on the return traffic? If Linux also has all the routes, Linux will likely not answer back through VPP?
You can check if you receive traffic back from Linux and what is happening by doing a packet trace with 'vppctl clear trace && vppctl trace add virtio-input 100 && sleep 5 && vppctl show trace'.
Otherwise, an actual schema could help better understand what you are trying to achieve.

best
ben

[0] https://git.fd.io/vpp/tree/src/plugins/abf/FEATURE.yaml
[1] https://git.fd.io/vpp/tree/src/plugins/ip_session_redirect/ip_session_redirect_doc.rst

________________________________________
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Andre Nathan via lists.fd.io <andre=digirati.com...@lists.fd.io>
Sent: Wednesday, August 27, 2025 1:21
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Source-based routing

Hello

I'm in the process of reconfiguring a Linux router, by adding a VPP
interface to it. The BGP session established over this interface uses
non-routable IPs, so my link provider gives me an administration IP
address so that I can access it remotely from outside my network.

In Linux, this used to be a dummy interface, with source-based routing
to ensure packets from the administration IP will always go out via the
interface connected to this provider:

ip route add default via $peer_ip table mgmt
ip rule add from $admin_ip lookup mgmt

I'm trying to reproduce this configuration in VPP. I've managed to get
the loopback address working:

create loopback interface instance 0
lcp create loop0 host-if management
set interface state loop0 up
set interface ip address loop0 $admin_ip/32

With this and an ssh daemon running in the VPP namespace, I can get it
to work with a default route, i.e.

ip netns exec vpp ip route add default via $peer_ip dev $uplink_interface

However when the BGP sessions in the router are established, other
routes will take precedence, so I'd like to reproduce the source-based
routing I had in linux.

I've tried to add a new VRF:

vppctl ip table add 10
vppctl set interface ip table loop0 10
vppctl ip route add 0.0.0.0/0 table 10 via $peer_ip $uplink_interface
vppctl ip route add $admin_ip/32 via ip4-lookup-in-table 10

With this configuration I can see SYN packets arriving at the management
interface, but no replies seem to be sent.

I've also tried the SVS plugin:

svs enable ip4 table-id 1 loop0
svs table add ip4 table-id 1
svs route add table-id 1 $admin_ip/32 src-table-id 10

and a few attempts using acl and abf, but nothing worked.

Does anyone have a working example of source-based routing to share?

Thanks,
Andre
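As an added example (not code from the thread), a small Python model of the Linux policy-routing behaviour described above, with constructed addresses standing in for the $admin_ip/$peer_ip placeholders: the "from $admin_ip lookup mgmt" rule sends replies sourced from the administration IP back through the provider that assigned it, even once the main table's BGP-learned default points at the other provider; with only the main table, that default wins.

```python
import ipaddress

# Constructed sample addresses; the thread only uses $admin_ip/$peer_ip placeholders.
ADMIN_IP = "192.0.2.10"        # provider-assigned administration IP on the dummy/loop0
PEER_IP = "198.51.100.1"       # BGP peer of the provider that assigned ADMIN_IP
OTHER_PEER_IP = "203.0.113.1"  # BGP peer of the second provider

# Routing tables as (prefix, next-hop) lists; longest prefix wins, as in the kernel.
TABLES = {
    "main": [
        ("0.0.0.0/0", OTHER_PEER_IP),   # default learned over BGP from provider 2
        ("10.0.0.0/8", PEER_IP),        # a prefix learned over BGP from provider 1
    ],
    "mgmt": [
        ("0.0.0.0/0", PEER_IP),         # 'ip route add default via $peer_ip table mgmt'
    ],
}

# Policy rules in priority order: (source selector or None, table to consult).
# Mirrors 'ip rule add from $admin_ip lookup mgmt' followed by the implicit main rule.
RULES = [
    (ADMIN_IP + "/32", "mgmt"),
    (None, "main"),
]

MAIN_ONLY = [(None, "main")]   # what the lookup looks like without the source rule

def lookup_table(table, dst):
    """Longest-prefix match of dst in one table; returns the next hop or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def route(src, dst, rules=RULES):
    """Walk the rules in order. A rule whose table has no route for dst is
    skipped and the lookup continues, which is the kernel's behaviour."""
    src = ipaddress.ip_address(src)
    for selector, table in rules:
        if selector is not None and src not in ipaddress.ip_network(selector):
            continue
        nh = lookup_table(table, dst)
        if nh is not None:
            return nh
    return None
```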
