@sudharr86

This document provides a high-level design of the VRF fallback disable feature, which disallows VRF lookups from falling back to the default VRF and other non-default VRFs when the route lookup fails in the intended VRF.

@linux-foundation-easycla

linux-foundation-easycla bot commented Sep 4, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@mssonicbld
Collaborator

/azp run

@azure-pipelines

No pipelines are associated with this pull request.

Default unreachable route, global fallback knob added

## 2. Scope

This high-level design document covers the implementation of a configurable mechanism to disable VRF (Virtual Routing and Forwarding) route fallback behavior in SONiC. The scope includes:

Contributor

Please include some explicit wording to clarify that the HLD covers only the Kernel routes and software forwarding.

Author

agreed.

In prior SONiC releases, Linux kernel allowed VRF lookup fallback if a route was missing in a non-default VRF, which could cause divergence from ASIC behavior and security/operational risks.

**This design ensures:**
- By default, fallback is disabled both in kernel and ASIC by installing an unreachable default route in every new non-default VRF.

Contributor

I thought that the unreachable route installed by the proposed implementation doesn't get propagated to ASIC DB, so this design doesn't do anything specific to disable fallback in the ASIC.

Author

@ashutosh-agrawal the unreachable route is NOT propagated to ASIC DB. The feature makes the kernel behavior consistent with ASIC. Will re-word accordingly.


### 7.2. Global Fallback Knob

- New global configuration (in CONFIG_DB and CLI): `KERNEL_VRF_FALLBACK`

Contributor

IIRC, in the HLD review meeting, we agreed to implement only the CONFIG_DB mechanism and not the CLI.

### 9.3. Backward Compatibility

- Default (knob unset): fallback disabled, matches ASIC.
- Knob enabled: fallback restored (legacy only).

Contributor

Please change to "fallback restored in the kernel forwarding path only"

Author

agreed.

@gord1306

I've submitted a similar PR before. Here's just a link for reference: sonic-net/sonic-swss#2943
