Using VRFs with linux and systemd-networkd

2-minute read
linux routing vrf iproute2 systemd

While working on a systemd-networkd patch to implement (at least basic) VRF interfaces I did write :doc:my other post <linux-ip-vrf>. This post should give you a brief example on how you can create a VRF with systemd-networkd.

At this point it really only created the interfaces and enslaves potential customer interfaces to a given VRF.

You still have to implement all the ip rule-stuff yourself. For example a systemd.unit file might be the right approach which is executed/started after the network is “up”.

First you’ve to create the systemd.netdev vrf-customer1.netdev file:

After restarting systemd-networkd with systemctl restart systemd-networkd you should see the corresponding interface:

$ ip -d link show dev vrf-customer1
9: vrf-customer1: <NOARP,MASTER> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 02:74:c7:e1:de:64 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vrf table 42 addrgenmode eui64 numtxqueues 1 numrxqueues 1

Note the last line which states vrf table 42.

To add an interface to the VRF you’ll have to modify/create the corresponding .network file. This is how the file /etc/systemd/network/enp0s31f6.network would look on my notebook:

Restarting systemd-networkd again and checking the status using ip -d link gives us:

$ip -d link show  dev enp0s31f6
3: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel master vrf-customer1 state DOWN mode DEFAULT group default qlen 1000
 link/ether 50:7b:9d:cf:34:dc brd ff:ff:ff:ff:ff:ff promiscuity 0
 vrf_slave table 42 addrgenmode eui64 numtxqueues 1 numrxqueues 1

Again note the last line which states vrf_slave table 42. Also in the first line you can see that it belongs to the VRF vrf-customer.

And that is all for now. You still have to add the ip rule commands in some way or another (there is no support in systemd-networkd yet and I did not have a good idea without inventing ip rule management in systemd).