VRF (Virtual Routing and Forwarding)使同一系统下拥有多种且独立的路由表。在LINUX的内核中,从4.3版本已开始支持VRF。如下将展示如何创建两个不同VRF,其中一个专用于虚拟桥,可参看文章:
http://www.routereflector.com/2016/11/working-with-vrf-on-linux/
https://blog.csdn.net/armlinuxww/article/details/84075629
iproute2源码路径 https://mirrors.edge.kernel.org/pub/linux/utils/net/iproute2/
1.Ubuntu系统实现VRF
参考文档:https://feisky.gitbooks.io/sdn/linux/vrf.html
Ubuntu默认不包括vrf内核模块,需要额外安装:
解决方法:
$ apt-get install linux-headers-4.10.0-14-generic linux-image-extra-4.10.0-14-generic
$ reboot
$ apt-get install linux-image-extra-$(uname -r)
$ modprobe vrf
2.CentOS系统实现VRF
参考文档:https://forums.centos.org/viewtopic.php?t=57943
https://www.kernel.org/doc/Documentation/networking/vrf.txt
本人CentOS 7.6 版本,内核3.10版本不支持vrf模块,需要更新内核,建议升级内核4.8以上。如果直接用命令 ip link 创建vrf会出现问题 RTNETLINK answers: Operation not supported 。
解决方法:
#首先升级内核
$ yum --enablerepo=elrepo-kernel install kernel-ml
$ reboot
#进入系统前选择内核版本5.4.12,即可创建vrf
$ ip link add vrf-blue type vrf table 10
3.Linux中VRF实现命令
3.1 创建VRF
To instantiate a VRF device and associate it with a table: $ ip link add dev NAME type vrf table ID. As of v4.8 the kernel supports the l3mdev FIB rule where a single rule covers all VRFs. The l3mdev rule is created for IPv4 and IPv6 on first device create.
$ ip link add red type vrf table 1
$ ip link add green type vrf table 2
同时启动两个vrf
$ ip link set dev red up
$ ip link set dev green up
3.2 罗列所有VRFs
##简要查看采用-br参数
$ ip -br link show type vrf
red UNKNOWN 9a:ca:96:75:f8:f5 <NOARP,MASTER,UP,LOWER_UP>
green UNKNOWN 8e:b6:6f:25:64:10 <NOARP,MASTER,UP,LOWER_UP>
##查看所有vrf,-d参数可以显示ID号
$ ip link show type vrf
To list VRFs that have been created:
$ ip [-d] link show type vrf
NOTE: The -d option is needed to show the table id
For example:
$ ip -d link show type vrf
11: mgmt: <NOARP,MASTER,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 72:b3:ba:91:e2:24 brd ff:ff:ff:ff:ff:ff promiscuity 0
vrf table 1 addrgenmode eui64
12: red: <NOARP,MASTER,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether b6:6f:6e:f6:da:73 brd ff:ff:ff:ff:ff:ff promiscuity 0
vrf table 10 addrgenmode eui64
13: blue: <NOARP,MASTER,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 36:62:e8:7d:bb:8c brd ff:ff:ff:ff:ff:ff promiscuity 0
vrf table 66 addrgenmode eui64
14: green: <NOARP,MASTER,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether e6:28:b8:63:70:bb brd ff:ff:ff:ff:ff:ff promiscuity 0
vrf table 81 addrgenmode eui64
Or in brief output:
$ ip -br link show type vrf
mgmt UP 72:b3:ba:91:e2:24 <NOARP,MASTER,UP,LOWER_UP>
red UP b6:6f:6e:f6:da:73 <NOARP,MASTER,UP,LOWER_UP>
blue UP 36:62:e8:7d:bb:8c <NOARP,MASTER,UP,LOWER_UP>
green UP e6:28:b8:63:70:bb <NOARP,MASTER,UP,LOWER_UP>
3.3 给VRF分配网络接口
为VRF分配接口
$ ip link set ens37 vrf red
$ ip link set ens38 vrf green
Network interfaces are assigned to a VRF by enslaving the netdevice to a VRF device: ip link set dev NAME master NAME .
On enslavement connected and local routes are automatically moved to thetable associated with the VRF device.For example:$ ip link set dev eth0 master mgmt
3.4显示被分配给VRF的设备
##显示被分配给vrf的设备
$ ip link show vrf red
To show devices that have been assigned to a specific VRF add the master
option to the ip command:
$ ip link show vrf NAME
$ ip link show master NAME
For example:
$ip link show vrf red
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP mode DEFAULT group default qlen 1000
link/ether 02:00:00:00:02:02 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP mode DEFAULT group default qlen 1000
link/ether 02:00:00:00:02:03 brd ff:ff:ff:ff:ff:ff
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master red state DOWN mode DEFAULT group default qlen 1000
link/ether 02:00:00:00:02:06 brd ff:ff:ff:ff:ff:ff
Or using the brief output:
$ ip -br link show vrf red
eth1 UP 02:00:00:00:02:02 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth2 UP 02:00:00:00:02:03 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth5 DOWN 02:00:00:00:02:06 <BROADCAST,MULTICAST>
3.5显示VRF的邻居条目
$ ip neigh show vrf green
To list neighbor entries associated with devices enslaved to a VRF device
add the master option to the ip command:
$ ip [-6] neigh show vrf NAME
$ ip [-6] neigh show master NAME
For example:
$ ip neigh show vrf red
10.2.1.254 dev eth1 lladdr a6:d9:c7:4f:06:23 REACHABLE
10.2.2.254 dev eth2 lladdr 5e:54:01:6a:ee:80 REACHABLE
$ ip -6 neigh show vrf red
2002:1::64 dev eth1 lladdr a6:d9:c7:4f:06:23 REACHABLE
3.6 显示VRF中地址
# ip addr show vrf green
To show addresses for interfaces associated with a VRF add the master option to the ip command:
$ ip addr show vrf NAME
$ ip addr show master NAME
For example:
$ ip addr show vrf red
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP group default qlen 1000
link/ether 02:00:00:00:02:02 brd ff:ff:ff:ff:ff:ff
inet 10.2.1.2/24 brd 10.2.1.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 2002:1::2/120 scope global
valid_lft forever preferred_lft forever
inet6 fe80::ff:fe00:202/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP group default qlen 1000
link/ether 02:00:00:00:02:03 brd ff:ff:ff:ff:ff:ff
inet 10.2.2.2/24 brd 10.2.2.255 scope global eth2
valid_lft forever preferred_lft forever
inet6 2002:2::2/120 scope global
valid_lft forever preferred_lft forever
inet6 fe80::ff:fe00:203/64 scope link
valid_lft forever preferred_lft forever
7: eth5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master red state DOWN group default qlen 1000
link/ether 02:00:00:00:02:06 brd ff:ff:ff:ff:ff:ff
Or in brief format:
$ ip -br addr show vrf red
eth1 UP 10.2.1.2/24 2002:1::2/120 fe80::ff:fe00:202/64
eth2 UP 10.2.2.2/24 2002:2::2/120 fe80::ff:fe00:203/64
eth5 DOWN
3.7 显示VRF路由
To show routes for a VRF use the ip command to display the table associated with the VRF device:
$ ip [-6] route show vrf NAME
$ ip [-6] route show table ID
For example:
$ ip route show vrf red
unreachable default metric 4278198272
broadcast 10.2.1.0 dev eth1 proto kernel scope link src 10.2.1.2
10.2.1.0/24 dev eth1 proto kernel scope link src 10.2.1.2
local 10.2.1.2 dev eth1 proto kernel scope host src 10.2.1.2
broadcast 10.2.1.255 dev eth1 proto kernel scope link src 10.2.1.2
broadcast 10.2.2.0 dev eth2 proto kernel scope link src 10.2.2.2
10.2.2.0/24 dev eth2 proto kernel scope link src 10.2.2.2
local 10.2.2.2 dev eth2 proto kernel scope host src 10.2.2.2
broadcast 10.2.2.255 dev eth2 proto kernel scope link src 10.2.2.2
$ ip -6 route show vrf red
local 2002:1:: dev lo proto none metric 0 pref medium
local 2002:1::2 dev lo proto none metric 0 pref medium
2002:1::/120 dev eth1 proto kernel metric 256 pref medium
local 2002:2:: dev lo proto none metric 0 pref medium
local 2002:2::2 dev lo proto none metric 0 pref medium
2002:2::/120 dev eth2 proto kernel metric 256 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80::ff:fe00:202 dev lo proto none metric 0 pref medium
local fe80::ff:fe00:203 dev lo proto none metric 0 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth2 proto kernel metric 256 pref medium
ff00::/8 dev red metric 256 pref medium
ff00::/8 dev eth1 metric 256 pref medium
ff00::/8 dev eth2 metric 256 pref medium
unreachable default dev lo metric 4278198272 error -101 pref medium
3.8 VRF的路由查询
A test route lookup can be done for a VRF:
$ ip [-6] route get vrf NAME ADDRESS
$ ip [-6] route get oif NAME ADDRESS
For example:
$ ip route get 10.2.1.40 vrf red
10.2.1.40 dev eth1 table red src 10.2.1.2 cache
$ ip -6 route get 2002:1::32 vrf red
2002:1::32 from :: dev eth1 table red proto kernel src 2002:1::2 metric 256 pref medium
3.9 将网络接口从VRF中删除
$ ip link set dev ens37 nomaster
Network interfaces are removed from a VRF by breaking the enslavement to the VRF device:$ ip link set dev NAME nomaster
Connected routes are moved back to the default table and local entries are moved to the local table. For example:
$ ip link set dev eth0 nomaster