Hoping this is a simple config issue that I'm just not seeing. I have a CRS309 that acts as my core switch with multiple VRFs. Each VRF will have unique default routes that go up to my firewall that has interfaces into each of the VRFs. Attached is a high-level diagram.
Everything on my main routing table works fine going out through the firewall, although oddly, if I look at the routing table it shows my configured default route for the MAIN routing table as entry 0 AND entry 1? with 1 being Inactive. In any case, this is how it looks:
[admin@CRS309] /ip/route> print
Flags: D - DYNAMIC; I, A - ACTIVE; c, s, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 AsH 0.0.0.0/0 172.19.0.9 1
1 IsH 0.0.0.0/0 1
DAcH 172.19.0.0/24 MainGateway 0
DAcH 10.10.10.0/24 HomeWired 0
2 IsH 0.0.0.0/0 172.19.80.9 1
DAcH 172.19.80.0/24 VRF-X-Gateway@vrf-x 0
DAcH 10.11.11.0/24 VRF-X-LAN@vrf-x 0
3 IsH 0.0.0.0/0 172.19.81.9 1
DAcH 172.19.81.0/24 VRF-Y-Gateway@vrf-y 0
DAcH 10.12.12.0/24 VRF-Y-LAN@vrf-y 0
4 IsH 0.0.0.0/0 172.19.82.9 1
DAcH 172.19.82.0/24 VRF-Z-Gateway@vrf-z 0
DAcH 10.13.13.0/24 VRF-Z-LAN@vrf-z 0
[admin@CRS309] /tool> ping address=172.19.82.9 vrf=vrf-z src-address=172.19.82.1
SEQ HOST SIZE TTL TIME STATUS
0 172.19.82.9 56 64 1ms713us
0 172.19.82.9 56 64 1ms816us
1 172.19.82.9 56 64 1ms17us
1 172.19.82.9 56 64 1ms125us
The hosts within each VRF can talk to each other no problem. If I send traffic between VRFs, what should happen is they route out to the firewall and let the firewall route traffic. There's nothing showing on the firewall pcaps, which makes sense since the default route for each VRF isn't being installed... I tried testing with check-gateway using arp or ping and neither works, and the CRS still marks it inactive (that's also why you will see I have ping or arp on check-gateway of the various routes, since I was testing). Is there anything I'm missing here?
EDIT: Noting here on OP post that I tested 7.3 where it apparently should only enable l3hw-offload on the main table but this does not fix the issue with VRF breaking when enabled.