VRF: Difference between revisions
Revision as of 16:58, 14 February 2020
VRF, or Virtual Routing and Forwarding (or perhaps Virtual Routing Functions), provides virtualization of the routing table. VRFs are useful for isolating services and entire networks from each other while avoiding the complexity of network namespaces.
Prerequisites
To make use of VRFs, you will need `iproute2` installed and a kernel that is capable of using eBPF. Kernels 5.4.19-r1 and later are capable of using eBPF.
VRF creation
The easiest way to define VRFs is to add them to /etc/network/interfaces:
    auto vrf-mgmt
    iface vrf-mgmt inet manual
        pre-up ip link add vrf-mgmt type vrf table 42
You can then associate specific interfaces with VRFs using pre-up commands:
    auto eth0
    iface eth0 inet static
        address 1.2.3.4
        netmask 255.255.255.0
        gateway 1.2.3.1
        pre-up ip link set eth0 master vrf-mgmt
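As an added example (not part of the original wiki page), this shell function lints an interfaces file for the two `pre-up` patterns shown above: it reports interfaces attached to a VRF that is never created and VRFs that reuse a table id. The names `vrf-guest`, `vrf-dmz` and `eth1`, and the output labels, are constructed for the example.

```sh
#!/bin/sh
# Added example: lint VRF wiring in an interfaces file (stdin or file args).
# Exit status is non-zero when a problem is found.
lint_vrf() {
    awk '
    # pre-up ip link add NAME type vrf table N  -> VRF definition
    /ip link add .* type vrf table / {
        for (i = 1; i < NF; i++) {
            if ($i == "add")   name = $(i + 1)
            if ($i == "table") tbl  = $(i + 1)
        }
        # Two VRF devices on one table id would share the same routes.
        if (tbl in owner) {
            printf "DUPLICATE-TABLE %s %s %s\n", tbl, owner[tbl], name
            bad = 1
        } else {
            owner[tbl] = name
        }
        defined[name] = 1
        next
    }
    # pre-up ip link set IFACE master NAME  -> interface placed in a VRF
    /ip link set .* master / {
        for (i = 1; i < NF; i++) {
            if ($i == "set")    ifc = $(i + 1)
            if ($i == "master") vrf = $(i + 1)
        }
        member[ifc] = vrf
    }
    END {
        for (ifc in member) {
            if (member[ifc] in defined) {
                printf "OK %s %s\n", ifc, member[ifc]
            } else {
                printf "UNDEFINED-VRF %s %s\n", ifc, member[ifc]
                bad = 1
            }
        }
        exit bad + 0
    }' "$@"
}

# Constructed sample: vrf-guest reuses table 42; eth1 names a missing VRF.
lint_vrf <<'EOF' || echo "interfaces file needs attention"
pre-up ip link add vrf-mgmt type vrf table 42
pre-up ip link add vrf-guest type vrf table 42
pre-up ip link set eth0 master vrf-mgmt
pre-up ip link set eth1 master vrf-dmz
EOF
```

Run it against the real file with `lint_vrf /etc/network/interfaces`; the order of the per-interface lines is not guaranteed.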
VRF-based Service Isolation
Services can be isolated to specific VRFs when running OpenRC 0.42.1-r4 or newer. You can set the $vrf variable in an /etc/conf.d file for a service to isolate it in most cases.
For example, with sshd:
    # echo 'vrf="vrf-mgmt"' >> /etc/conf.d/sshd
    # rc-service sshd restart