Chapter 28. Starting a service within an isolated VRF network
With virtual routing and forwarding (VRF), you can create isolated networks with a routing table that is different from the main routing table of the operating system. You can then start services and applications so that they can access only the network defined in that routing table.
28.1. Configuring a VRF device
To use virtual routing and forwarding (VRF), you create a VRF device and attach a physical or virtual network interface and routing information to it.
To avoid locking yourself out of the system, perform this procedure on the local console or remotely over a network interface that you do not want to assign to the VRF device.
Prerequisites
- You are logged in locally or using a network interface that is different from the one you want to assign to the VRF device.
Procedure
1. Create the vrf0 connection with a same-named virtual device, and attach it to routing table 1000:

   # nmcli connection add type vrf ifname vrf0 con-name vrf0 table 1000 ipv4.method disabled ipv6.method disabled

2. Add the enp1s0 device to the vrf0 connection, and configure the IP settings:

   # nmcli connection add type ethernet con-name enp1s0 ifname enp1s0 master vrf0 ipv4.method manual ipv4.address 192.0.2.1/24 ipv4.gateway 192.0.2.254

   This command creates the enp1s0 connection as a port of the vrf0 connection. Due to this configuration, the routing information is automatically assigned to routing table 1000, which is associated with the vrf0 device.

3. If you require static routes in the isolated network, add them:

   # nmcli connection modify enp1s0 +ipv4.routes "198.51.100.0/24 192.0.2.2"

   This adds a route to the 198.51.100.0/24 network that uses 192.0.2.2 as the router.

4. Activate the connection:

   # nmcli connection up enp1s0
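The procedure above as an added shell example; this is not code from the Red Hat documentation or from NetworkManager. It runs the same three nmcli commands, but first addresses the lockout risk the section warns about: before attaching the port interface it looks up which interface owns the local address of the current SSH session (from the SSH_CONNECTION variable) and refuses if that interface is the one about to be moved into the VRF. The VRF_*, PORT_* and DRY_RUN variables, the function names and the sample ip -br addr output are this example's own assumptions and constructed data.

```shell
#!/bin/sh
# Added example; not part of the Red Hat documentation or of NetworkManager.
# Configures a VRF device with nmcli as in the procedure above, but first checks
# that the interface to be attached is not the one carrying the administrator's
# own SSH session, which would lock that session out of the host.
# Assumptions: nmcli and ip(8) are installed; the VRF_*, PORT_* and DRY_RUN
# variable names are this script's own. DRY_RUN=1 prints the nmcli commands
# instead of running them.

VRF_NAME="${VRF_NAME:-vrf0}"
VRF_TABLE="${VRF_TABLE:-1000}"
PORT_IF="${PORT_IF:-enp1s0}"
PORT_ADDR="${PORT_ADDR:-192.0.2.1/24}"
PORT_GW="${PORT_GW:-192.0.2.254}"
DRY_RUN="${DRY_RUN:-0}"

# Constructed sample of "ip -br addr show" output, used by demo() below.
SAMPLE_BRIEF='lo               UNKNOWN        127.0.0.1/8 ::1/128
enp7s0           UP             203.0.113.10/24 fe80::1/64
enp1s0           UP             192.0.2.1/24'

# Print the interface that owns local address $1, parsing "ip -br addr show"
# output from stdin (brief format: IFACE STATE ADDR/PREFIX [ADDR/PREFIX ...]).
iface_for_addr() {
    awk -v want="$1" '{
        for (i = 3; i <= NF; i++) {
            split($i, parts, "/")
            if (parts[1] == want) { print $1; exit }
        }
    }'
}

# Print "unsafe" when attaching interface $2 to the VRF would cut the session
# whose local address is $1, "safe" when that address lives on another
# interface, and "unknown" when the address is not found at all.
# $3 is the "ip -br addr show" output to inspect.
lockout_check() {
    owner=$(printf '%s\n' "$3" | iface_for_addr "$1")
    if [ -z "$owner" ]; then
        echo unknown
    elif [ "$owner" = "$2" ]; then
        echo unsafe
    else
        echo safe
    fi
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

configure_vrf() {
    # SSH_CONNECTION is "client_ip client_port server_ip server_port";
    # field 3 is the local address this session is reached on.
    if [ -n "${SSH_CONNECTION:-}" ]; then
        local_ip=$(printf '%s\n' "$SSH_CONNECTION" | awk '{ print $3 }')
        verdict=$(lockout_check "$local_ip" "$PORT_IF" "$(ip -br addr show)")
        if [ "$verdict" != safe ]; then
            echo "refusing ($verdict): $PORT_IF may carry this SSH session ($local_ip)" >&2
            return 1
        fi
    fi
    run nmcli connection add type vrf ifname "$VRF_NAME" con-name "$VRF_NAME" \
        table "$VRF_TABLE" ipv4.method disabled ipv6.method disabled
    run nmcli connection add type ethernet con-name "$PORT_IF" ifname "$PORT_IF" \
        master "$VRF_NAME" ipv4.method manual ipv4.address "$PORT_ADDR" ipv4.gateway "$PORT_GW"
    run nmcli connection up "$PORT_IF"
}

# Offline demonstration against the constructed sample: a session on enp7s0
# survives attaching enp1s0, a session on enp1s0 would not.
demo() {
    echo "session on enp7s0, attach enp1s0: $(lockout_check 203.0.113.10 enp1s0 "$SAMPLE_BRIEF")"
    echo "session on enp1s0, attach enp1s0: $(lockout_check 192.0.2.1 enp1s0 "$SAMPLE_BRIEF")"
}

case "${1:-}" in
    demo)  demo ;;
    apply) configure_vrf ;;
esac
```

Run it as `sh vrf-setup.sh demo` to see the check on the constructed data, and as `DRY_RUN=1 sh vrf-setup.sh apply` to print the nmcli commands without changing the system. When the session comes in on the console, SSH_CONNECTION is unset and the check is skipped, which matches the section's advice to prefer the local console.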
Verification
1. Display the IP settings of the device that is associated with vrf0:

   # ip -br addr show vrf vrf0
   enp1s0    UP    192.0.2.1/24

2. Display the VRF devices and their associated routing table:

   # ip vrf show
   Name              Table
   -----------------------
   vrf0              1000

3. Display the main routing table:

   # ip route show
   default via 203.0.113.0/24 dev enp7s0 proto static metric 100

   The main routing table does not mention any routes associated with the enp1s0 device or the 192.0.2.1/24 subnet.

4. Display routing table 1000:

   # ip route show table 1000
   default via 192.0.2.254 dev enp1s0 proto static metric 101
   broadcast 192.0.2.0 dev enp1s0 proto kernel scope link src 192.0.2.1
   192.0.2.0/24 dev enp1s0 proto kernel scope link src 192.0.2.1 metric 101
   local 192.0.2.1 dev enp1s0 proto kernel scope host src 192.0.2.1
   broadcast 192.0.2.255 dev enp1s0 proto kernel scope link src 192.0.2.1
   198.51.100.0/24 via 192.0.2.2 dev enp1s0 proto static metric 101

   The default entry indicates that services that use this routing table use 192.0.2.254 as their default gateway and not the default gateway in the main routing table.

5. Run the traceroute utility in the network associated with vrf0 to verify that it uses the route from table 1000:

   # ip vrf exec vrf0 traceroute 203.0.113.1
   traceroute to 203.0.113.1 (203.0.113.1), 30 hops max, 60 byte packets
    1  192.0.2.254 (192.0.2.254)  0.516 ms  0.459 ms  0.430 ms
   ...

   The first hop is the default gateway that is assigned to routing table 1000 and not the default gateway from the system's main routing table.
Additional resources
- ip-vrf(8) man page on your system
28.2. Starting a service within an isolated VRF network
You can configure a service, such as the Apache HTTP Server, to start within an isolated virtual routing and forwarding (VRF) network.
Services can only bind to local IP addresses that are in the same VRF network.
Prerequisites
- You configured the vrf0 device.
- You configured Apache HTTP Server to listen only on the IP address that is assigned to the interface associated with the vrf0 device.
Procedure
1. Display the content of the httpd systemd service:

   # systemctl cat httpd
   ...
   [Service]
   ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
   ...

   You require the content of the ExecStart parameter in a later step to run the same command within the isolated VRF network.

2. Create the /etc/systemd/system/httpd.service.d/ directory:

   # mkdir /etc/systemd/system/httpd.service.d/

3. Create the /etc/systemd/system/httpd.service.d/override.conf file with the following content:

   [Service]
   ExecStart=
   ExecStart=/usr/sbin/ip vrf exec vrf0 /usr/sbin/httpd $OPTIONS -DFOREGROUND

   To override the ExecStart parameter, you first need to unset it and then set it to the new value as shown.

4. Reload systemd:

   # systemctl daemon-reload

5. Restart the httpd service:

   # systemctl restart httpd
Verification
1. Display the process IDs (PIDs) of the httpd processes:

   # pidof -c httpd
   1904 ...

2. Display the VRF association of a PID, for example:

   # ip vrf identify 1904
   vrf0

3. Display all PIDs associated with the vrf0 device:

   # ip vrf pids vrf0
   1904 httpd
   ...
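The drop-in procedure and the PID verification above, combined into one added shell example; this is not code from the Red Hat documentation, systemd or iproute2. It reads the effective ExecStart line from systemctl cat output, writes the two-line ExecStart override around it (refusing to wrap a unit twice), and, after the restart, compares the service's PIDs from pidof with the listing from ip vrf pids so that a worker process left outside the VRF is reported rather than silently accepted. The SYSTEMD_DIR variable, the function names and the sample pidof and ip vrf pids output are this example's own assumptions and constructed data.

```shell
#!/bin/sh
# Added example; not part of the Red Hat documentation, systemd or iproute2.
# Wraps a systemd service in "ip vrf exec" through a drop-in file, as in the
# procedure above, and afterwards checks that every process of the service is
# bound to the VRF. Assumptions: ip(8) and systemctl are installed; the
# SYSTEMD_DIR variable and the function names are this script's own
# (override SYSTEMD_DIR to write the drop-in somewhere else for testing).

SYSTEMD_DIR="${SYSTEMD_DIR:-/etc/systemd/system}"

# Print the drop-in content for VRF $1 around the original command line $2.
# The empty ExecStart= is required: without it systemd would add a second
# ExecStart line instead of replacing the original one.
vrf_dropin() {
    printf '[Service]\nExecStart=\nExecStart=/usr/sbin/ip vrf exec %s %s\n' "$1" "$2"
}

# Print the effective ExecStart command line from "systemctl cat" output on
# stdin. The last ExecStart= line wins, matching how systemd merges drop-ins.
exec_start_of() {
    awk '/^ExecStart=/ { v = substr($0, 11) } END { print v }'
}

# Install the drop-in for unit $1 (for example httpd) and VRF $2, then restart.
install_vrf_dropin() {
    unit="$1"; vrf="$2"
    orig=$(systemctl cat "$unit" | exec_start_of)
    case "$orig" in
        "/usr/sbin/ip vrf exec "*) echo "$unit already runs under ip vrf exec: $orig" >&2; return 0 ;;
        "") echo "no ExecStart found for $unit" >&2; return 1 ;;
    esac
    mkdir -p "$SYSTEMD_DIR/$unit.service.d"
    vrf_dropin "$vrf" "$orig" > "$SYSTEMD_DIR/$unit.service.d/override.conf"
    systemctl daemon-reload
    systemctl restart "$unit"
}

# Print every PID from the space-separated list $1 (pidof output) that does not
# appear in $2, the "ip vrf pids VRF" listing ("PID NAME" per line).
# Empty output means all processes of the service are inside the VRF.
stray_pids() {
    for p in $1; do
        if ! printf '%s\n' "$2" | awk -v p="$p" '$1 == p { found = 1 } END { exit !found }'; then
            echo "$p"
        fi
    done
}

# Live check for a running service $1 and VRF $2: fails if any PID is outside.
verify_service_vrf() {
    unit="$1"; vrf="$2"
    stray=$(stray_pids "$(pidof "$unit")" "$(ip vrf pids "$vrf")")
    if [ -n "$stray" ]; then
        echo "$unit PIDs outside $vrf: $stray" >&2
        return 1
    fi
    echo "all $unit processes run inside $vrf"
}

# Constructed sample data for the offline demonstration: PID 1905 is missing
# from the VRF listing and must be reported.
SAMPLE_PIDOF='1904 1905 1906'
SAMPLE_VRF_PIDS='1904 httpd
1906 httpd'

case "${1:-}" in
    demo)    echo "stray PIDs in sample: $(stray_pids "$SAMPLE_PIDOF" "$SAMPLE_VRF_PIDS")" ;;
    install) install_vrf_dropin "${2:?unit}" "${3:-vrf0}" ;;
    verify)  verify_service_vrf "${2:?unit}" "${3:-vrf0}" ;;
esac
```

`sh vrf-service.sh demo` exercises the comparison on the constructed data; `sh vrf-service.sh install httpd vrf0` followed by `sh vrf-service.sh verify httpd vrf0` performs the procedure and the verification on a live host. Checking every PID rather than one matters because httpd forks worker processes, and all of them have to inherit the VRF binding for the service to be isolated.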
Additional resources
- ip-vrf(8) man page on your system