Page MenuHomeVyOS Platform
Create Task
Maniphest T8972

Add support for propagating VyOS interface VRF assignment to VPP dataplane FIB tables for LCP-managed interfaces.
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Summary

Add support for propagating VyOS interface VRF assignment to VPP dataplane FIB tables for LCP-managed interfaces.

Currently, when a VPP/LCP-managed interface or Ethernet VIF is assigned to a VyOS VRF, the Linux/control-plane state is updated correctly, but the corresponding VPP interface remains bound to the default IPv4 FIB table 0.

Example configuration:

vyos
set vpp settings interface eth1
set vrf name mgmt table 1000
set interfaces ethernet eth1 vif 20 address 100.100.100.1/24
set interfaces ethernet eth1 vif 20 vrf mgmt

Linux state is correct:

ip a show master mgmt

shows eth1.20 as a member of VRF mgmt.

However, in VPP the connected route remains in the default table:

vppctl show ip fib | grep 100.100.100

while the expected table is empty:

vppctl show ip fib table 1000 | grep 100.100.100

VPP already has the FIB table:

vppctl show ip table

shows:

text
table_id:1000 ipv4-VRF:1000

The missing part appears to be binding the VPP interface to the corresponding FIB table, similar to:

text
sw_interface_set_table(sw_if_index=<eth1.20>, is_ipv6=False, vrf_id=1000)

Use case

VRF separation is commonly used for management, tenant separation, routing isolation, and multi-table forwarding. VyOS already supports VRF configuration in the regular Linux dataplane, and VPP supports multiple IPv4/IPv6 FIB tables.

When using the VPP dataplane, users expect this VyOS configuration:

vyos
set interfaces ethernet eth1 vif 20 vrf mgmt

to place both the Linux/LCP interface and the corresponding VPP dataplane interface into the same routing table.

This is especially important for management VRF scenarios, where SSH, routing, and connected interfaces must be isolated from the default routing table.

Additional information

Observed behavior:

vyos
set vrf name mgmt table 1000
set interfaces ethernet eth1 vif 20 address 100.100.100.1/24
set interfaces ethernet eth1 vif 20 vrf mgmt
commit

Linux/control-plane result:

ip a show master mgmt

Correctly shows:

text
eth1.20 master mgmt
inet 100.100.100.1/24

VPP result:

vppctl show ip fib table 1000 | grep 100.100.100

No output.

But:

vppctl show ip fib | grep 100.100.100

shows the connected routes in the default VPP table:

text
100.100.100.0/24 ... eth1.20
100.100.100.1/32 ... eth1.20

A lab proof-of-concept confirmed that calling VPP PAPI sw_interface_set_table() for the affected interface moves the interface to the correct VPP FIB table. After this, LCP can recreate the connected routes in the correct table.

However, the implementation must be careful when changing or deleting VRF assignment. Simply deleting all VPP interface addresses, changing the table, and relying on lcp_resync() is not sufficient in all cases. In one lab test, deleting the VRF assignment caused the address to remain in Linux but disappear from VPP. A proper implementation should preserve and restore interface addresses when moving an interface between VPP FIB tables.

Expected behavior:

  1. Add VRF to VPP-managed VIF:
vyos
set interfaces ethernet eth1 vif 20 vrf mgmt
commit

Expected VPP state:

vppctl show ip fib table 1000 | grep 100.100.100

should show connected routes for 100.100.100.0/24 and 100.100.100.1/32.

  1. Delete VRF from VPP-managed VIF:
vyos
delete interfaces ethernet eth1 vif 20 vrf
commit

Expected VPP state:

vppctl show ip fib table 0 | grep 100.100.100

should show the connected routes again in the default table. The address must not disappear from VPP.

  1. Change VRF:
vyos
set vrf name test1 table 2000
set interfaces ethernet eth1 vif 20 vrf test1
commit

Expected VPP state:

vppctl show ip fib table 2000 | grep 100.100.100

should show the connected routes in table 2000, and they should no longer be present in table 1000 or table 0.

Suggested implementation direction:

  • Detect VRF assignment for VPP/LCP-managed interfaces.
  • Resolve VyOS VRF name to table-id.
  • Bind the corresponding VPP interface to the correct FIB table using VPP PAPI sw_interface_set_table().
  • Preserve and restore interface IP addresses when changing the VPP interface table.
  • Support at least Ethernet interfaces and Ethernet VIFs, for example eth1 and eth1.20.
  • Ideally handle both IPv4 and IPv6 tables.

Next
I am continuing to test this behavior in a lab environment and will update this task with additional findings, command outputs, and edge cases.

Any comments, implementation suggestions, or guidance from maintainers are very welcome.

Details

Version
2026.05.15-0043-rolling
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects
Search...

Event Timeline

Russ28 created this task.Mon, Jun 8, 6:01 PM
Russ28 triaged this task as Normal priority.
Russ28 created this object in space S1 VyOS Public.
pasik subscribed.Mon, Jun 8, 8:25 PM
Viacheslav added a parent task: T7221: VPP related features the root task.Tue, Jun 9, 12:00 PM
Russ28 added a comment.Tue, Jun 9, 3:14 PM

VPP/LCP VRF Table Synchronization Manual Test

Manual testing was performed in a GNS3 VyOS lab with VPP enabled on eth1.

Source repo

VyOS has been built from https://github.com/inetman28/vyos-1x/tree/fix-vpp-lcp-vrf-table

Initial Configuration

shell
set vpp settings interface eth1
set vrf name mgmt table 1000
set interfaces ethernet eth1 vif 20 address 100.100.100.1/24
set interfaces ethernet eth1 vif 20 vrf mgmt
commit

The VPP interface address output showed that eth1.20 was bound to VPP table
1000:

text
eth1.20 (up):
  L3 100.100.100.1/24 ip4 table-id 1000 fib-idx 1

100.100.100.0/24 and 100.100.100.1/32 were present in VPP FIB table
1000 and were not present in table 0.

Address Delete/Re-Add

The address was removed from the VIF:

shell
delete interfaces ethernet eth1 vif 20 address
commit

After commit, the address disappeared from vppctl show int addr, and no
100.100.100.* routes were present in VPP table 0 or table 1000.

Then the address was added back:

shell
set interfaces ethernet eth1 vif 20 address 100.100.100.1/24
commit

After commit, the address returned to eth1.20 in VPP table 1000, and the
connected routes appeared only in table 1000.

VRF Removal

The VRF assignment was removed from the VIF:

shell
delete interfaces ethernet eth1 vif 20 vrf
commit

After commit, eth1.20 still had 100.100.100.1/24, but without
ip4 table-id 1000:

text
eth1.20 (up):
  L3 100.100.100.1/24

Connected routes moved to VPP table 0 and disappeared from table 1000.

VRF Add-Back

The VIF was moved back to the mgmt VRF:

shell
set interfaces ethernet eth1 vif 20 vrf mgmt
commit

After commit, eth1.20 was again bound to table 1000:

text
eth1.20 (up):
  L3 100.100.100.1/24 ip4 table-id 1000 fib-idx 1

Connected routes moved back to table 1000 and disappeared from table 0.

VRF Change

A second VRF was created, and the VIF was moved from mgmt to test1:

shell
set vrf name test1 table 2000
set interfaces ethernet eth1 vif 20 vrf test1
commit

After commit, eth1.20 was bound to VPP table 2000:

text
eth1.20 (up):
  L3 100.100.100.1/24 ip4 table-id 2000 fib-idx 2

Connected routes disappeared from tables 0 and 1000, and appeared only in
VPP table 2000.

Conclusion

VPP/LCP VRF table synchronization works for Ethernet VIF add, address
delete/re-add, VRF removal, VRF add-back, and VRF change.

Russ28 added a comment.Tue, Jun 9, 3:23 PM

I also noticed another issue with vpploX interfaces: currently, they cannot be assigned to any VRF.

Should we fix this in the same branch, or would it be better to handle it separately?

Branch: https://github.com/inetman28/vyos-1x/tree/fix-vpp-lcp-vrf-table

Viacheslav subscribed.Tue, Jun 9, 3:44 PM
In T8972#269030, @Russ28 wrote:

I also noticed another issue with vpploX interfaces: currently, they cannot be assigned to any VRF.

Should we fix this in the same branch, or would it be better to handle it separately?

Branch: https://github.com/inetman28/vyos-1x/tree/fix-vpp-lcp-vrf-table

@Russ28 It should be a separate feature
because at the moment the support VRFs for VPP is not implemented yet.

Viacheslav added a comment.Tue, Jun 9, 4:03 PM
In T8972#269009, @Russ28 wrote:

VPP/LCP VRF Table Synchronization Manual Test

Manual testing was performed in a GNS3 VyOS lab with VPP enabled on eth1.

Source repo

VyOS has been built from https://github.com/inetman28/vyos-1x/tree/fix-vpp-lcp-vrf-table

Would you like to create a PR?

Russ28 added a comment.Tue, Jun 9, 4:24 PM

yes, PR is here: https://github.com/vyos/vyos-1x/pull/5261

Viacheslav changed the task status from Open to In progress.Wed, Jun 10, 11:07 AM
Viacheslav assigned this task to Russ28.
Viacheslav closed this task as Resolved.Tue, Jun 16, 3:35 PM
Viacheslav moved this task from Need Triage to Completed on the VyOS Rolling board.