Steve Borba

My notes, I hope they help you, feel free to comment/add to them

systemd-networkd plus vrf

I built a Linux router/firewall with Arch when I found that systemd has its own networkd built in. I also wanted to have complete separation of the “management” interface/routing so I could stop using NAT – and found it is in systemd and kernel 4.8+ (using 5.0.6-arch1). Here is what I found worked well:

Here is my list/placement of files:

ll /etc/systemd/network/
  100-vrf-data.netdev
  110-data-vrf.network
  200-admin-ethernet.network
  300-stub-ethernet.network
  980-default-wireless.network
  990-default-ethernet.network

First we need to define the virtual device

100-vrf-data.netdev
[NetDev]
Name=data
Kind=vrf

[VRF]
TableId=2

Figuring out I needed this one took me a little while; just because you defined it does not mean the system will turn it on

110-data-vrf.network
[Match]
Name=data

[Network]
vrf=data

I left the admin network on the default vrf because services (ssh/syslog/etc) bind to it without special configuration

200-admin-ethernet.network
[Match]
Name=ens192

[Network]
DHCP=ipv4
LLMNR=false
LinkLocalAddressing=no

Then I defined my stub network between these guys and a pair of Arista switches (I matched by MAC address to have the syntax)

300-stub-ethernet.network
[Match]
MACAddress=00:0c:29:5a:de:2a

[Network]
Address=192.168.100.226/28
IPForward=ipv4
LLMNR=false
LinkLocalAddressing=no
VRF=data

This device has a wireless adapter, but I want to favor the wired, so I added 256 to the default metric.

980-default-wireless.network
[Match]
Name=w*

[Network]
DHCP=ipv4
VRF=data
IPForward=ipv4

[DHCP]
RouteMetric=1280

The rest of my wired connections would be preferred, but I statically set the metric to prevent a later change to the default metric that could bump the wireless to preferred

990-default-ethernet.network
[Match]
Name=e*

[Network]
DHCP=ipv4
VRF=data
IPForward=ipv4

[DHCP]
RouteMetric=1024
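
Added example (not from the original post): the layout above depends on two things, that the vrf device has its own .network so it gets turned up, and that 200-admin-ethernet.network sorts before the e* catch-all so ens192 stays out of the data vrf (networkd applies the first matching .network in lexical order). This Python check tests both over a constructed copy of the file set; the function names and the simplified [Match] handling (Name globs and MACAddress only) are assumptions of the example.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the post's file names, contents trimmed to the keys read here.
FILES = {
    "100-vrf-data.netdev": "[NetDev]\nName=data\nKind=vrf\n[VRF]\nTableId=2\n",
    "110-data-vrf.network": "[Match]\nName=data\n",
    "200-admin-ethernet.network": "[Match]\nName=ens192\n[Network]\nDHCP=ipv4\n",
    "300-stub-ethernet.network":
        "[Match]\nMACAddress=00:0c:29:5a:de:2a\n[Network]\nVRF=data\n",
    "990-default-ethernet.network": "[Match]\nName=e*\n[Network]\nVRF=data\n",
}

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return cp

def matches(cfg, name, mac=None):
    """True if each condition present in [Match] accepts the link ('!' negation not handled)."""
    m = cfg["Match"] if cfg.has_section("Match") else {}
    if "Name" in m and not any(fnmatchcase(name, g) for g in m["Name"].split()):
        return False
    if "MACAddress" in m and (mac or "").lower() not in m["MACAddress"].lower().split():
        return False
    return True

def network_for(files, name, mac=None):
    """(file, VRF or None) of the first .network, in lexical order, that matches the link."""
    for fn in sorted(f for f in files if f.endswith(".network")):
        cfg = parse(files[fn])
        if matches(cfg, name, mac):
            return fn, cfg.get("Network", "VRF", fallback=None)
    return None, None

def lint(files):
    """Report vrf devices no .network brings up, and VRF= names with no Kind=vrf netdev."""
    cfgs = {fn: parse(text) for fn, text in files.items()}
    vrfs = {c.get("NetDev", "Name") for fn, c in cfgs.items()
            if fn.endswith(".netdev") and c.get("NetDev", "Kind", fallback="") == "vrf"}
    used = {c.get("Network", "VRF", fallback=None) for fn, c in cfgs.items()
            if fn.endswith(".network")} - {None}
    problems = [f"vrf {v}: no .network matches it, so nothing brings it up"
                for v in sorted(vrfs) if network_for(files, v)[0] is None]
    problems += [f"VRF={u} is used but no Kind=vrf netdev defines it"
                 for u in sorted(used - vrfs)]
    return problems

if __name__ == "__main__":
    print(lint(FILES), network_for(FILES, "ens192"))
```

Dropping 200-admin-ethernet.network from the set makes network_for(files, "ens192") return the e* catch-all with VRF=data, which is the ordering dependency the file numbering protects.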

2 Responses to “systemd-networkd plus vrf”

  1. Burjiz says:

    Could you use the ip vrf commands to show how the vrf is created in systemd and how it is applied to the interface/s. I have done all the commands (only for vrf creation and association) and the result is “No vrf created or associated with any interface”.
    There is very little documentation for VRF and systemd.

    1. sjborbajr says:

      There is so little out there, but I had some time to poke at it and got it working.

      Did you add the .netdev and .network for the vrf (or ip link vrf data up)? I had an issue at first because I didn’t have the .network. The vrf has to be up before you can attach the interfaces, even if the vrf is created, it has to be turned up.

      Here is the output of a few commands:
      [root@arch-1 steve]# ip vrf
      Name Table
      -----------------------
      data 2
      [root@arch-1 steve]# ip add
      1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
      2: ens192: mtu 1500 qdisc fq_codel state UP group default qlen 1000
      link/ether 00:0c:29:20:ab:21 brd ff:ff:ff:ff:ff:ff
      inet 192.168.7.4/24 brd 192.168.7.255 scope global dynamic ens192
      valid_lft 59999972sec preferred_lft 59999972sec
      3: ens224: mtu 1500 qdisc fq_codel master data state UP group default qlen 1000
      link/ether 00:0c:29:20:ab:2b brd ff:ff:ff:ff:ff:ff
      inet 192.168.100.226/28 brd 192.168.100.239 scope global ens224
      valid_lft forever preferred_lft forever
      4: ens256: mtu 1500 qdisc fq_codel master data state UP group default qlen 1000
      link/ether 00:0c:29:20:ab:35 brd ff:ff:ff:ff:ff:ff
      inet 192.168.10.226/28 brd 192.168.10.239 scope global ens256
      valid_lft forever preferred_lft forever
      5: data: mtu 65536 qdisc noqueue state UP group default qlen 1000
      link/ether 72:a0:38:c6:8e:41 brd ff:ff:ff:ff:ff:ff
      [root@arch-1 steve]# ip route show vrf data
      default via 192.168.100.225 dev ens224
      192.168.10.224/28 dev ens256 proto kernel scope link src 192.168.10.226
      192.168.100.224/28 dev ens224 proto kernel scope link src 192.168.100.226
      [root@arch-1 steve]# ip route show
      default via 192.168.7.254 dev ens192 proto dhcp src 192.168.7.4 metric 1024
      192.168.7.0/24 dev ens192 proto kernel scope link src 192.168.7.4
      192.168.7.254 dev ens192 proto dhcp scope link src 192.168.7.4 metric 1024
