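Configuring VRF with NetworkManager
NetworkManager has supported VRF since version 1.24. VRF isolates layer-3 networks, much as VLANs isolate layer-2 networks. Each VRF has its own routing table, and each interface in a VRF can have its own gateway or default route. VRF also lets different interfaces on one server use the same IP address without conflict, provided those addresses do not belong to the same broadcast domain (VLAN).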
[root@localhost ~]# nmcli -v
nmcli tool, version 1.28.0-0.1.el8
First, look at the default Linux routing rules. There are three by default.
[root@localhost ~]# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Create the VRF and assign it a FIB table.
nmcli connection add type vrf ifname vrf-a con-name vrf-a table 101 ipv4.method disabled ipv6.method disabled
nmcli connection up vrf-a
[root@localhost ~]# ip rule show
0: from all lookup local
1000: from all lookup [l3mdev-table]
32766: from all lookup main
32767: from all lookup default
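# The l3mdev FIB rule directs lookups to the table associated with the device. A single l3mdev rule is sufficient for all VRFs; by default the rule sits at preference 1000.
Assign an interface to the VRF and configure its IP address.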
nmcli connection modify ens224 master vrf-a ipv4.method manual ipv4.addresses 192.168.12.100/24 ipv4.gateway 192.168.12.254 ipv4.dns 114.114.114.114,114.114.115.115
nmcli connection up ens224
[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens224
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens224
UUID=16ea4107-ce52-4feb-9e1f-6204f12130fd
DEVICE=ens224
ONBOOT=no
IPADDR=192.168.12.100
PREFIX=24
GATEWAY=192.168.12.254
DNS1=114.114.114.114
DNS2=114.114.115.115
VRF=vrf-a
[root@localhost ~]# ip route show  # global routing table
default via 192.168.11.254 dev ens192 proto static metric 100
192.168.11.0/24 dev ens192 proto kernel scope link src 192.168.11.100 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
[root@localhost ~]# ip route show vrf vrf-a  # VRF routing table
default via 192.168.12.254 dev ens224 proto static metric 101
192.168.12.0/24 dev ens224 proto kernel scope link src 192.168.12.100 metric 101
[root@localhost ~]# ping -I ens192 114.114.114.114
PING 114.114.114.114 (114.114.114.114) from 192.168.11.100 ens192: 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=70 time=15.4 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=67 time=15.4 ms
^C
--- 114.114.114.114 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 15.386/15.393/15.401/0.124 ms
[root@localhost ~]# ping -I ens224 114.114.114.114
PING 114.114.114.114 (114.114.114.114) from 192.168.12.100 ens224: 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=88 time=16.2 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=79 time=15.4 ms
https://www.kernel.org/doc/Documentation/networking/vrf.txt