A Red Hat training course is available for RHEL 8

Chapter 27. Starting a service within an isolated VRF network

With virtual routing and forwarding (VRF), you can create isolated networks with a routing table that is different from the main routing table of the operating system. You can then start services and applications so that they have access only to the network defined in that routing table.

27.1. Configuring a VRF device

To use virtual routing and forwarding (VRF), you create a VRF device and attach a physical or virtual network interface and routing information to it.

Warning

To prevent locking yourself out remotely, perform this procedure on the local console or over a network interface that you do not want to assign to the VRF device.

Prerequisites

  • You are logged in locally or using a network interface that is different from the one you want to assign to the VRF device.

Procedure

  1. Create the vrf0 connection with a same-named virtual device, and attach it to routing table 1000:

    # nmcli connection add type vrf ifname vrf0 con-name vrf0 table 1000 ipv4.method disabled ipv6.method disabled
  2. Add the enp1s0 device to the vrf0 connection, and configure the IP settings:

    # nmcli connection add type ethernet con-name enp1s0 ifname enp1s0 master vrf0 ipv4.method manual ipv4.address 192.0.2.1/24 ipv4.gateway 192.0.2.254

    This command creates the enp1s0 connection as a port of the vrf0 connection. Because of this configuration, the routing information is automatically assigned to routing table 1000, which is associated with the vrf0 device.

  3. If you require static routes in the isolated network:

    1. Add the static routes:

      # nmcli connection modify enp1s0 +ipv4.routes "198.51.100.0/24 192.0.2.2"

      This adds a route to the 198.51.100.0/24 network that uses 192.0.2.2 as the router.

    2. Activate the connection:

      # nmcli connection up enp1s0
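
The following script is an added example and is not part of the Red Hat documentation. It wraps the nmcli steps of this procedure in a function and adds a guard for the lock-out risk described in the warning above: before it adds the interface to the VRF, it looks up which interface carries the current SSH session (sshd sets SSH_CONNECTION) and refuses to continue if that interface is the one about to be moved. The guard assumes that the main routing table is the one that routes reply traffic to the SSH client; the interface, address and table values are the ones used in this procedure.

```shell
#!/bin/sh
# Added example, not Red Hat's code: nmcli VRF setup with a lock-out guard.
# Assumes sshd sets SSH_CONNECTION and that the main routing table routes
# replies to the SSH client.
set -eu

# Extract the outgoing interface from "ip route get" output, for example:
# "192.0.2.2 via 192.0.2.254 dev enp1s0 src 192.0.2.1 uid 0"
iface_from_route_get() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the interface that traffic to the SSH client leaves through.
# Returns 1 when not running inside an SSH session.
ssh_session_iface() {
    [ -n "${SSH_CONNECTION:-}" ] || return 1
    ip route get "${SSH_CONNECTION%% *}" 2>/dev/null | iface_from_route_get
}

# configure_vrf VRF TABLE IFACE ADDR/PREFIX GATEWAY [STATIC_ROUTE ...]
# STATIC_ROUTE uses the nmcli "prefix nexthop" form, e.g. "198.51.100.0/24 192.0.2.2".
# Returns 2 without changing anything if IFACE carries the current SSH session.
configure_vrf() {
    vrf=$1 table=$2 iface=$3 addr=$4 gw=$5
    shift 5
    if session_iface=$(ssh_session_iface) && [ "$session_iface" = "$iface" ]; then
        echo "refusing to add $iface to $vrf: it carries the current SSH session" >&2
        return 2
    fi
    # Same commands as the procedure: VRF device, port interface, optional static routes.
    nmcli connection add type vrf ifname "$vrf" con-name "$vrf" table "$table" \
        ipv4.method disabled ipv6.method disabled
    nmcli connection add type ethernet con-name "$iface" ifname "$iface" master "$vrf" \
        ipv4.method manual ipv4.address "$addr" ipv4.gateway "$gw"
    for route in "$@"; do
        nmcli connection modify "$iface" +ipv4.routes "$route"
    done
    nmcli connection up "$iface"
}

# Runs only when invoked with arguments, for example:
#   ./vrf-setup.sh vrf0 1000 enp1s0 192.0.2.1/24 192.0.2.254 "198.51.100.0/24 192.0.2.2"
if [ $# -ge 5 ]; then
    configure_vrf "$@"
fi
```

The guard is deliberately conservative: if SSH_CONNECTION is unset (local console) the check is skipped, and if the route lookup fails the function proceeds, so it only protects the common case of an administrator working over SSH through the interface being moved.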

Verification

  1. Display the IP settings of the device that is associated with vrf0:

    # ip -br addr show vrf vrf0
    enp1s0    UP    192.0.2.1/24
  2. Display the VRF devices and their associated routing table:

    # ip vrf show
    Name              Table
    -----------------------
    vrf0              1000
  3. Display the main routing table:

    # ip route show
    default via 203.0.113.0/24 dev enp7s0 proto static metric 100

    The main routing table does not contain any routes associated with the enp1s0 device or the 192.0.2.1/24 subnet.

  4. Display the routing table 1000:

    # ip route show table 1000
    default via 192.0.2.254 dev enp1s0 proto static metric 101
    broadcast 192.0.2.0 dev enp1s0 proto kernel scope link src 192.0.2.1
    192.0.2.0/24 dev enp1s0 proto kernel scope link src 192.0.2.1 metric 101
    local 192.0.2.1 dev enp1s0 proto kernel scope host src 192.0.2.1
    broadcast 192.0.2.255 dev enp1s0 proto kernel scope link src 192.0.2.1
    198.51.100.0/24 via 192.0.2.2 dev enp1s0 proto static metric 101

    The default entry indicates that services that use this routing table use 192.0.2.254 as their default gateway, not the default gateway in the main routing table.

  5. Execute the traceroute utility in the network associated with vrf0 to verify that the utility uses the route from table 1000:

    # ip vrf exec vrf0 traceroute 203.0.113.1
    traceroute to 203.0.113.1 (203.0.113.1), 30 hops max, 60 byte packets
     1  192.0.2.254 (192.0.2.254)  0.516 ms  0.459 ms  0.430 ms
    ...

    The first hop is the default gateway that is assigned to the routing table 1000 and not the default gateway from the system’s main routing table.

Additional resources

  • ip-vrf(8) man page

27.2. Starting a service within an isolated VRF network

You can configure a service, such as the Apache HTTP Server, to start within an isolated virtual routing and forwarding (VRF) network.

Important

Services can only bind to local IP addresses that are in the same VRF network.

Prerequisites

  • You configured the vrf0 device.
  • You configured Apache HTTP Server to listen only on the IP address that is assigned to the interface associated with the vrf0 device.

Procedure

  1. Display the content of the httpd systemd service:

    # systemctl cat httpd
    ...
    [Service]
    ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
    ...

    You require the content of the ExecStart parameter in a later step to run the same command within the isolated VRF network.

  2. Create the /etc/systemd/system/httpd.service.d/ directory:

    # mkdir /etc/systemd/system/httpd.service.d/
  3. Create the /etc/systemd/system/httpd.service.d/override.conf file with the following content:

    [Service]
    ExecStart=
    ExecStart=/usr/sbin/ip vrf exec vrf0 /usr/sbin/httpd $OPTIONS -DFOREGROUND

    To override the ExecStart parameter, you first need to unset it and then set it to the new value as shown.

  4. Reload systemd:

    # systemctl daemon-reload
  5. Restart the httpd service:

    # systemctl restart httpd

Verification

  1. Display the process IDs (PID) of httpd processes:

    # pidof -c httpd
    1904 ...
  2. Display the VRF association for the PIDs, for example:

    # ip vrf identify 1904
    vrf0
  3. Display all PIDs associated with the vrf0 device:

    # ip vrf pids vrf0
    1904  httpd
    ...
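
The following script is an added example and is not part of the Red Hat documentation. It turns the verification steps above into a single check that every process of a service reports the expected VRF, using the same pidof -c and ip vrf identify commands. A process that reports no VRF, or a different one, indicates that the override did not take effect, for example because systemctl daemon-reload was skipped or a process was started by hand outside ip vrf exec. The service and VRF names are arguments; httpd and vrf0 are the values used in this procedure.

```shell
#!/bin/sh
# Added example, not Red Hat's code: confirm that all processes of a service
# run inside the expected VRF.
set -eu

# verify_service_vrf SERVICE VRF
# Returns 0 when all PIDs of SERVICE are in VRF, 1 when any PID is elsewhere
# (each stray PID is reported on stderr), and 3 when SERVICE is not running.
verify_service_vrf() {
    service=$1 expected=$2 rc=0
    # pidof -c lists only processes with the same root directory, as in the procedure.
    pids=$(pidof -c "$service" || true)
    if [ -z "$pids" ]; then
        echo "$service: no running processes" >&2
        return 3
    fi
    for pid in $pids; do
        # ip vrf identify prints the VRF name, or nothing for the default VRF.
        actual=$(ip vrf identify "$pid" 2>/dev/null || true)
        if [ "$actual" != "$expected" ]; then
            echo "$service PID $pid is in VRF '${actual:-<default>}', expected '$expected'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: ./vrf-check.sh httpd vrf0
if [ $# -eq 2 ]; then
    verify_service_vrf "$1" "$2"
fi
```

Running the check after every restart of the service (for example from a monitoring job) catches the case where a later package update replaces the unit file but leaves the drop-in in place, or where an administrator restarts the daemon by hand with the original ExecStart command.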

Additional resources

  • ip-vrf(8) man page