Kernel support is there: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/vrf.txt
I'd stick to VRF lite for now ;)
Unknown Object (User) | |
Mar 31 2016, 5:23 PM |
Kernel support is there: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/vrf.txt
I'd stick to VRF lite for now ;)
Status | Subtype | Assigned | Task | ||
---|---|---|---|---|---|
Resolved | FEATURE REQUEST | c-po | T31 Add VRF support | ||
Resolved | FEATURE REQUEST | c-po | T2111 VRF add route leaking support | ||
Resolved | FEATURE REQUEST | c-po | T5234 Add bash identifier for given VRF instance |
I think we should make somewhere a list of services and which level of vrf support they have.
Openssh for example has build in support for vrf
And we should declare which services should be available in the management vrf.
From my point of view:
should for multiple routing tables:
https://andir.github.io/posts/linux-ip-vrf/
http://www.allgoodbits.org/articles/view/24
https://patchwork.ozlabs.org/patch/546171/
Why do we need to explicitly create the routing table? why not name the routing table entry like the VRFs name? We should try to keep the CLI as minimal as possible. More CLI nodes, more headache.
When I think about the the Cisco VRF implementation I ise I just create it with a name and refer to it. It creates a routing table for me and I do not care. When adding routes to the table I refer to the VRF name and not an arbitrary number.
Downside of the explicit table number is a user now needs to remember the VRF and table mapping.
We could indeed create the VRF as we parse interfaces, and auto-allocate the VRF number, removing this control from the user.
I would have to move the VRF creation code within the Interface class and any typo on names would create two VRF as there would be no sanitisation, but auto-completion could be done via /etc/iproutes/rt_tables
I am not aware of any "end of configuration check" hook which could be used to parse all the interfaces and notice that a VRF is not used anymore and remove it.
This would have to be run when ALL the configuration has been parsed and acted upon as VRF can be used in different interfaces, which have different handlers.
If we do not, we would end up leaking resources.
Auto completion should be done on a per CLI path:
<completionHelp> <path>vrf name</path> </completionHelp>
Assuming the VRFs name will be set using set vrf name 'red'
Adding interfaces to VRFs seems to be a bit of a hazzle:
Pondering pro and con I go with option #2 now
Adding a dummy interface to VRF:
vyos@vyos# show interfaces dummy dum1 address 1.1.1.1/32 vrf foo
vyos@vyos# sudo ip vrf exec foo ping 1.1.1.1 PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. 64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.073 ms 64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.082 ms 64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.070 ms --- 1.1.1.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 30ms rtt min/avg/max/mdev = 0.070/0.075/0.082/0.005 ms
vyos@vyos# ping 1.1.1.1 PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. 64 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=7.92 ms
see the latency
VRF route leaking needs to be added to CLI. Routes can be leaked using:
FRR vtysh: ip route 192.0.2.0/24 172.18.204.254 vrf red nexthop-vrf default
This will add a routing table entry into VRF red for destination 192.0.2.0/24 going via the default VRF
vyos# show ip route vrf red Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP, T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP, F - PBR, f - OpenFabric, > - selected route, * - FIB route, q - queued route, r - rejected route VRF red: K 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 00:33:44 S>* 192.0.2.0/24 [1/0] via 172.18.204.254, eth0.204(vrf default), 00:01:01