Inicio
Productos
Red Hat Enterprise Linux
9
Configuring and managing networking
Chapter 29. Starting a service within an isolated VRF network

Este contenido no está disponible en el idioma seleccionado.

Chapter 29. Starting a service within an isolated VRF network

With virtual routing and forwarding (VRF), you can create isolated networks with a routing table that is different to the main routing table of the operating system. You can then start services and applications so that they have only access to the network defined in that routing table.

29.1. Configuring a VRF device
Copiar enlace

To use virtual routing and forwarding (VRF), you create a VRF device and attach a physical or virtual network interface and routing information to it.

Warning

To prevent that you lock out yourself out remotely, perform this procedure on the local console or remotely over a network interface that you do not want to assign to the VRF device.

Prerequisites

You are logged in locally or using a network interface that is different to the one you want to assign to the VRF device.

Procedure

Create the vrf0 connection with a same-named virtual device, and attach it to routing table 1000:

nmcli connection add type vrf ifname vrf0 con-name vrf0 table 1000 ipv4.method disabled ipv6.method disabled

# nmcli connection add type vrf ifname vrf0 con-name vrf0 table 1000 ipv4.method disabled ipv6.method disabled

Copy to Clipboard

Toggle word wrap

Add the enp1s0 device to the vrf0 connection, and configure the IP settings:
```
nmcli connection add type ethernet con-name enp1s0 ifname enp1s0 controller vrf0 ipv4.method manual ipv4.address 192.0.2.1/24 ipv4.gateway 192.0.2.254
```
```
# nmcli connection add type ethernet con-name enp1s0 ifname enp1s0 controller vrf0 ipv4.method manual ipv4.address 192.0.2.1/24 ipv4.gateway 192.0.2.254
```
Copy to Clipboard Toggle word wrap
This command creates the enp1s0 connection as a port of the vrf0 connection. Due to this configuration, the routing information are automatically assigned to the routing table 1000 that is associated with the vrf0 device.
If you require static routes in the isolated network:
1. Add the static routes:
  # nmcli connection modify enp1s0 +ipv4.routes "198.51.100.0/24 192.0.2.2"
  Copy to Clipboard Toggle word wrap
  This adds a route to the 198.51.100.0/24 network that uses 192.0.2.2 as the router.
2. Activate the connection:
  # nmcli connection up enp1s0
  Copy to Clipboard Toggle word wrap

Verification

Display the IP settings of the device that is associated with vrf0:
```
ip -br addr show vrf vrf0
```
```
# ip -br addr show vrf vrf0
enp1s0    UP    192.0.2.1/24
```
Copy to Clipboard Toggle word wrap
Display the VRF devices and their associated routing table:
```
ip vrf show
```
```
# ip vrf show
Name              Table
-----------------------
vrf0              1000
```
Copy to Clipboard Toggle word wrap
Display the main routing table:
```
ip route show
```
```
# ip route show
default via 203.0.113.0/24 dev enp7s0 proto static metric 100
```
Copy to Clipboard Toggle word wrap
The main routing table does not mention any routes associated with the device enp1s0 device or the 192.0.2.1/24 subnet.

Display the routing table 1000:

ip route show table 1000

# ip route show table 1000
default via 192.0.2.254 dev enp1s0 proto static metric 101
broadcast 192.0.2.0 dev enp1s0 proto kernel scope link src 192.0.2.1
192.0.2.0/24 dev enp1s0 proto kernel scope link src 192.0.2.1 metric 101
local 192.0.2.1 dev enp1s0 proto kernel scope host src 192.0.2.1
broadcast 192.0.2.255 dev enp1s0 proto kernel scope link src 192.0.2.1
198.51.100.0/24 via 192.0.2.2 dev enp1s0 proto static metric 101

Copy to Clipboard

Toggle word wrap

The default entry indicates that services that use this routing table, use 192.0.2.254 as their default gateway and not the default gateway in the main routing table.

Execute the traceroute utility in the network associated with vrf0 to verify that the utility uses the route from table 1000:
```
ip vrf exec vrf0 traceroute 203.0.113.1
```
```
# ip vrf exec vrf0 traceroute 203.0.113.1
traceroute to 203.0.113.1 (203.0.113.1), 30 hops max, 60 byte packets
 1  192.0.2.254 (192.0.2.254)  0.516 ms  0.459 ms  0.430 ms
...
```
Copy to Clipboard Toggle word wrap
The first hop is the default gateway that is assigned to the routing table 1000 and not the default gateway from the system’s main routing table.

29.2. Starting a service within an isolated VRF network
Copiar enlace

You can configure a service, such as the Apache HTTP Server, to start within an isolated virtual routing and forwarding (VRF) network.

Important

Services can only bind to local IP addresses that are in the same VRF network.

Prerequisites

You configured the vrf0 device.
You configured Apache HTTP Server to listen only on the IP address that is assigned to the interface associated with the vrf0 device.

Procedure

Display the content of the httpd systemd service:
```
systemctl cat httpd
...
[Service]
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
...
```
```
# systemctl cat httpd
...
[Service]
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
...
```
Copy to Clipboard Toggle word wrap
You require the content of the ExecStart parameter in a later step to run the same command within the isolated VRF network.
Create the /etc/systemd/system/httpd.service.d/ directory:
```
mkdir /etc/systemd/system/httpd.service.d/
```
```
# mkdir /etc/systemd/system/httpd.service.d/
```
Copy to Clipboard Toggle word wrap
Create the /etc/systemd/system/httpd.service.d/override.conf file with the following content:
```
[Service]
ExecStart=
ExecStart=/usr/sbin/ip vrf exec vrf0 /usr/sbin/httpd $OPTIONS -DFOREGROUND
```
```
[Service]
ExecStart=
ExecStart=/usr/sbin/ip vrf exec vrf0 /usr/sbin/httpd $OPTIONS -DFOREGROUND
```
Copy to Clipboard Toggle word wrap
To override the ExecStart parameter, you first need to unset it and then set it to the new value as shown.
Reload systemd.
```
systemctl daemon-reload
```
```
# systemctl daemon-reload
```
Copy to Clipboard Toggle word wrap
Restart the httpd service.
```
systemctl restart httpd
```
```
# systemctl restart httpd
```
Copy to Clipboard Toggle word wrap

Verification

Display the process IDs (PID) of httpd processes:
```
pidof -c httpd
```
```
# pidof -c httpd
1904 ...
```
Copy to Clipboard Toggle word wrap
Display the VRF association for the PIDs, for example:
```
ip vrf identify 1904
```
```
# ip vrf identify 1904
vrf0
```
Copy to Clipboard Toggle word wrap
Display all PIDs associated with the vrf0 device:
```
ip vrf pids vrf0
```
```
# ip vrf pids vrf0
1904  httpd
...
```
Copy to Clipboard Toggle word wrap

Volver arriba

Este contenido no está disponible en el idioma seleccionado.

Chapter 29. Starting a service within an isolated VRF network

29.1. Configuring a VRF device
Copiar enlace

29.2. Starting a service within an isolated VRF network
Copiar enlace

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Hacer que el código abierto sea más inclusivo

Acerca de Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Este contenido no está disponible en el idioma seleccionado.

Chapter 29. Starting a service within an isolated VRF network

29.1. Configuring a VRF deviceCopiar enlaceEnlace copiado en el portapapeles!

29.2. Starting a service within an isolated VRF networkCopiar enlaceEnlace copiado en el portapapeles!

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Hacer que el código abierto sea más inclusivo

Acerca de Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

29.1. Configuring a VRF device
Copiar enlace

29.2. Starting a service within an isolated VRF network
Copiar enlace