I built a Linux router/firewall with Arch when I found that systemd has its own networkd built in. I also wanted complete separation of the "management" interface/routing so I could stop using NAT, and found that this (VRF) is in systemd and in kernel 4.8+ (I am using 5.0.6-arch1). Here is what I found worked well:
Here is my list/placement of files:
First we need to define the virtual device
Figuring out that I needed this one took me a little while: just because you defined the vrf device does not mean the system will turn it on.
I left the admin network on the default vrf because services (ssh/syslog/etc) bind to it without special configuration
Then I defined my stub network between these hosts and a pair of Arista switches (I matched by MAC address so that syntax is shown).
This device has a wireless adapter, but I want to favor the wired, so I added 256 to the default metric.
The rest of my wired connections would be preferred anyway, but I set the metric statically so that a later change to the default metric cannot bump the wireless interface to preferred.
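The unit files described above, written out as an added example (these are not the author's files). The VRF name, table number, interface name and MAC address are taken from the command output further down; the wireless interface name wlan0 is an assumption. The management interface stays in the default VRF simply by having no VRF= line.

```ini
# /etc/systemd/network/10-data.netdev
# The VRF device; name and table number match the "ip vrf" output.
[NetDev]
Name=data
Kind=vrf

[VRF]
Table=2

# /etc/systemd/network/10-data.network
# Defining the netdev alone is not enough: networkd only brings a device
# UP when a .network matches it, and interfaces cannot be enslaved to a
# VRF that is down.
[Match]
Name=data

[Network]
# intentionally empty: no address, just "configure (and so bring UP) this link"

# /etc/systemd/network/20-ens224.network
# Stub network towards the switches, attached to the VRF. With VRF= set,
# the address and the route below land in table 2, not in the main table.
[Match]
Name=ens224
MACAddress=00:0c:29:20:ab:2b

[Network]
VRF=data
Address=192.168.100.226/28

[Route]
Gateway=192.168.100.225
# pinned, so a later change of networkd's default metric cannot reorder routes
Metric=1024

# /etc/systemd/network/30-wlan0.network   (interface name assumed)
# Wireless fallback: networkd's default metric is 1024; 1024 + 256 = 1280
# keeps every wired route preferred.
[Match]
Name=wlan0

[Network]
DHCP=ipv4

[DHCP]
# newer systemd versions name this section [DHCPv4]
RouteMetric=1280
```

Check the result with `ip vrf` and `ip route show vrf data`, as in the output below.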
Could you use the ip vrf commands to show how the vrf is created in systemd and how it is applied to the interface/s? I have done all the commands (only for vrf creation and association) and the result is "No vrf created or associated with any interface".
There is very little documentation for VRF and systemd.
There is so little out there, but I had some time to poke at it and got it working.
Did you add the .netdev and .network for the vrf (or ip link vrf data up)? I had an issue at first because I didn't have the .network. The vrf has to be up before you can attach the interfaces; even if the vrf is created, it has to be turned up.
Here is the output of a few commands:
[root@arch-1 steve]# ip vrf
Name Table
-----------------------
data 2
[root@arch-1 steve]# ip add
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens192: mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:20:ab:21 brd ff:ff:ff:ff:ff:ff
inet 192.168.7.4/24 brd 192.168.7.255 scope global dynamic ens192
valid_lft 59999972sec preferred_lft 59999972sec
3: ens224: mtu 1500 qdisc fq_codel master data state UP group default qlen 1000
link/ether 00:0c:29:20:ab:2b brd ff:ff:ff:ff:ff:ff
inet 192.168.100.226/28 brd 192.168.100.239 scope global ens224
valid_lft forever preferred_lft forever
4: ens256: mtu 1500 qdisc fq_codel master data state UP group default qlen 1000
link/ether 00:0c:29:20:ab:35 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.226/28 brd 192.168.10.239 scope global ens256
valid_lft forever preferred_lft forever
5: data: mtu 65536 qdisc noqueue state UP group default qlen 1000
link/ether 72:a0:38:c6:8e:41 brd ff:ff:ff:ff:ff:ff
[root@arch-1 steve]# ip route show vrf data
default via 192.168.100.225 dev ens224
192.168.10.224/28 dev ens256 proto kernel scope link src 192.168.10.226
192.168.100.224/28 dev ens224 proto kernel scope link src 192.168.100.226
[root@arch-1 steve]# ip route show
default via 192.168.7.254 dev ens192 proto dhcp src 192.168.7.4 metric 1024
192.168.7.0/24 dev ens192 proto kernel scope link src 192.168.7.4
192.168.7.254 dev ens192 proto dhcp scope link src 192.168.7.4 metric 1024