VRF

From Alpine Linux
Latest revision as of 10:52, 10 November 2023

VRF (Virtual Routing and Forwarding) virtualizes the routing table. On Linux a VRF is a network device bound to its own routing table; interfaces enslaved to it, and sockets bound to it, use that table instead of the main one. VRFs are useful for isolating services and entire networks from each other while avoiding the complexity of network namespaces. The isolation is at layer 3 only: a VRF does not give a process its own view of interfaces, sysctls or firewall rules the way a network namespace does, so a service is confined only as far as its sockets are bound to the VRF.

Prerequisites

To make use of VRFs you need `iproute2` and a kernel built with VRF support (CONFIG_NET_VRF) and cgroup eBPF support, which `ip vrf exec` uses to bind the sockets of a process to a VRF. Alpine's kernel package 5.4.19-r1 and later are capable of this.

VRF creation

The easiest way to define VRFs is to add them to /etc/network/interfaces:

auto vrf-mgmt
iface vrf-mgmt inet manual
    pre-up ip link add $IFACE type vrf table 42
    up ip link set dev $IFACE up

You can then associate specific interfaces with VRFs using pre-up commands. Keep the VRF stanza before the interfaces it owns so that ifup creates the VRF first, and install the default route with an `up` line into the VRF's table rather than with the `gateway` keyword, which would put it in the main table:

auto eth0
iface eth0 inet static
    address 1.2.3.4
    netmask 255.255.255.0
    pre-up ip link set $IFACE master vrf-mgmt
    up ip route add default table 42 via 1.2.3.1
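The same configuration applied by hand, as an added example that is not part of the wiki page: `vrf_up` and `vrf_enslave` run the ip commands behind the two stanzas above, and `vrf_verify` checks the result (VRF device on table 42, eth0 enslaved, default route in table 42, and the l3mdev policy rule the kernel installs with the first VRF). The script and function names and the two sample `ip -o -d link show` lines are assumptions made for the example; the live commands need root and iproute2.

```shell
#!/bin/sh
# vrf-up.sh: bring up a VRF by hand with the same ip(8) commands the
# interfaces(5) stanzas run, then verify the result. Added example, not code
# from the Alpine wiki. Names follow the page (vrf-mgmt, table 42, eth0,
# 1.2.3.4/24 via 1.2.3.1). The SAMPLE_* lines are constructed
# "ip -o -d link show" output, not captured from a real host.

# Create the VRF device for TABLE and bring it up (the vrf-mgmt stanza).
vrf_up() {
    vrf="$1" table="$2"
    ip link add "$vrf" type vrf table "$table"
    ip link set dev "$vrf" up
}

# Enslave IFACE to VRF, then assign its address and add the default route to
# the VRF's table (the eth0 stanza: enslave in pre-up, address, route in up).
# The default route has to be placed in the VRF table explicitly.
vrf_enslave() {
    vrf="$1" table="$2" iface="$3" cidr="$4" gw="$5"
    ip link set "$iface" master "$vrf"
    ip addr add "$cidr" dev "$iface"
    ip link set dev "$iface" up
    ip route add default table "$table" via "$gw"
}

# vrf_link_ok LINE vrf   VRF TABLE -> LINE (one "ip -o -d link show" line)
#                                    describes VRF device VRF using TABLE
# vrf_link_ok LINE slave VRF TABLE -> LINE describes an interface enslaved
#                                    to VRF whose slave table is TABLE
# Pure text check (exit 0 on match, 1 otherwise), usable on saved output too.
vrf_link_ok() {
    line="$1" kind="$2" vrf="$3" table="$4"
    case "$kind" in
        vrf)   re=" $vrf: .* vrf table $table([[:space:]]|$)" ;;
        slave) re="master $vrf .* vrf_slave table $table([[:space:]]|$)" ;;
        *)     echo "vrf_link_ok: kind must be vrf or slave" >&2; return 2 ;;
    esac
    printf '%s\n' "$line" | grep -Eq -- "$re"
}

# Live check of a configured VRF: device, enslaved interface, default route in
# the table, and the l3mdev policy rule (shown by "ip rule" as [l3mdev-table]).
vrf_verify() {
    vrf="$1" table="$2" iface="$3"
    vrf_link_ok "$(ip -o -d link show "$vrf")" vrf "$vrf" "$table" \
        || { echo "VRF $vrf not using table $table" >&2; return 1; }
    vrf_link_ok "$(ip -o -d link show "$iface")" slave "$vrf" "$table" \
        || { echo "$iface is not enslaved to $vrf" >&2; return 1; }
    ip route show table "$table" | grep -q '^default ' \
        || { echo "no default route in table $table" >&2; return 1; }
    ip rule show | grep -q 'l3mdev' \
        || { echo "no l3mdev rule: VRF table lookups will not happen" >&2; return 1; }
    echo "$vrf on table $table with $iface looks good"
}

# Constructed sample output for checking vrf_link_ok offline.
SAMPLE_VRF_LINE='3: vrf-mgmt: <NOARP,MASTER,UP,LOWER_UP> mtu 65575 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 4e:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 1280 maxmtu 65535 \    vrf table 42 addrgenmode eui64 numtxqueues 1 numrxqueues 1'
SAMPLE_SLAVE_LINE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vrf-mgmt state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 \    vrf_slave table 42 addrgenmode eui64 numtxqueues 1 numrxqueues 1'

# Usage: ./vrf-up.sh up      (create and enslave, as root)
#        ./vrf-up.sh verify  (check a VRF that ifup or "up" created)
case "${1-}" in
    up)     vrf_up vrf-mgmt 42 && vrf_enslave vrf-mgmt 42 eth0 1.2.3.4/24 1.2.3.1 ;;
    verify) vrf_verify vrf-mgmt 42 eth0 ;;
esac
```

`vrf_verify` is the part to keep around: run it after every `ifup` of a VRF member, since an interface that failed to enslave still works, just in the main table, which silently defeats the isolation.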

VRF-based Service Isolation

Services can be isolated to specific VRFs when running OpenRC 0.42.1-r4 or newer. Setting the `vrf` variable in the service's /etc/conf.d file makes OpenRC start it inside that VRF (the equivalent of wrapping it in `ip vrf exec`), so every socket the service creates is bound to the VRF; a listener in vrf-mgmt is then reachable only through interfaces enslaved to vrf-mgmt. This works for most services. After restarting, confirm the binding with `ss -lnt`: a socket bound to a VRF is shown as `ADDR%vrf-mgmt:PORT`. Also leave the sysctls net.ipv4.tcp_l3mdev_accept and net.ipv4.udp_l3mdev_accept at their default of 0; setting them to 1 lets a socket in the default VRF accept traffic arriving through any VRF, which undoes the isolation.

For example, with sshd:

# echo 'vrf="vrf-mgmt"' >> /etc/conf.d/sshd
# rc-service sshd restart
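A check worth running after the restart, as an added example that is not taken from the wiki or from OpenRC: it parses `ss -Hlnt` output for listeners on the given ports that are not bound to the VRF device, and confirms the l3mdev_accept sysctls are still 0. The script and function names and the sample ss lines are assumptions made for the example.

```shell
#!/bin/sh
# vrf-audit.sh: confirm that a service started with vrf="vrf-mgmt" really
# listens only inside that VRF. Added example, not code from the Alpine wiki
# or OpenRC. Two checks: (1) every listener on the given ports carries the VRF
# device, which ss shows as ADDR%DEV:PORT; (2) the l3mdev_accept sysctls are
# 0, since 1 lets a socket in the default VRF accept traffic arriving via any
# VRF. Live use needs iproute2's ss; SAMPLE_SS below is constructed output.

# listeners_outside_vrf VRF PORT...
# Reads "ss -Hlnt" lines on stdin (State Recv-Q Send-Q Local Peer ...) and
# prints the local address of every listener on PORT... that is not bound to
# VRF. Exit status 0 when nothing was printed, 1 otherwise.
listeners_outside_vrf() {
    vrf="$1"; shift
    awk -v vrf="$vrf" -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            addr = $4
            port = addr; sub(/.*:/, "", port)          # text after the last colon
            if (!(port in want)) next
            dev = ""
            if (index(addr, "%")) {                    # bound socket: ADDR%DEV:PORT
                dev = addr
                sub(/^[^%]*%/, "", dev)                # drop the address
                sub(/:[^:]*$/, "", dev)                # drop the port
            }
            if (dev != vrf) { print addr; bad = 1 }
        }
        END { if (bad) exit 1 }'
}

# l3mdev_accept_ok [SYSCTL_DIR]
# Checks tcp_l3mdev_accept and udp_l3mdev_accept under SYSCTL_DIR (default
# /proc/sys/net/ipv4); the directory is a parameter so the check also works on
# a copied tree. Exit 0 only when both knobs are present and 0.
l3mdev_accept_ok() {
    dir="${1:-/proc/sys/net/ipv4}"
    rc=0
    for knob in tcp_l3mdev_accept udp_l3mdev_accept; do
        if [ ! -r "$dir/$knob" ]; then
            echo "$knob: not present (kernel without VRF support?)" >&2; rc=1
        elif [ "$(cat "$dir/$knob")" != "0" ]; then
            echo "$knob=$(cat "$dir/$knob"): cross-VRF accept enabled" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample: sshd bound to vrf-mgmt on 22, two other services
# (ports 323 and 8080) not bound to any VRF.
SAMPLE_SS='LISTEN 0 128 0.0.0.0%vrf-mgmt:22 0.0.0.0:*
LISTEN 0 128 [::]%vrf-mgmt:22 [::]:*
LISTEN 0 4096 0.0.0.0:323 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*'

# Live audit, e.g.: ./vrf-audit.sh vrf-mgmt 22
if [ "$#" -ge 2 ]; then
    vrf="$1"; shift
    ss -Hlnt | listeners_outside_vrf "$vrf" "$@" && l3mdev_accept_ok
fi
```

Run it with every port the VRF-confined service is expected to own; a port that shows up without the `%vrf-mgmt` suffix means the daemon was started outside the VRF (for example by a manual invocation rather than through OpenRC) and is reachable from the main table.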

Name route tables

Routing tables can be named, i.e. 42 can be named mgmt, by editing /etc/iproute2/rt_tables or by creating a separate config file (e.g. /etc/iproute2/rt_tables.d/vrf.conf).

Example vrf.conf

42      mgmt
43      int
44      ext

Then, instead of having to remember that 42 is used for mgmt, the name can be used directly with ip route (and likewise with `ip link add ... type vrf table mgmt`), for example:

# ip route add default table mgmt via 1.2.3.1

Running network clients in a specific VRF

For ping it is as simple as specifying a local interface that is already enslaved to the VRF (`-I vrf-mgmt`, the VRF device itself, works as well):

Example

# ping -I eth0 <ip to ping>

For other processes, such as apk, use the `ip vrf exec` command. `ip vrf identify <pid>` shows which VRF a running process was placed in, and `ip vrf pids vrf-mgmt` lists the processes currently in a VRF, which is a quick way to confirm that a service really runs where its conf.d file says it should:

# ip vrf exec vrf-mgmt apk update