Virtual routing and forwarding

A physical router can implement several logical routers by using different tables for routing, forwarding, filtering, etc.

Turbo IPsec allows you to define several Virtual Routing and Forwarding (VRF) instances to be used by different services. For example, one logical or physical interface can be configured to use one specific routing and forwarding table.

In the rest of the document, the term VRF designates a VRF instance. Each VRF is assigned a numeric identifier X ranging from 0 to 2047, and a Linux network namespace named vrfX.


The Turbo IPsec VRF implementation is based on Linux network namespaces (netns), not on the VRF device (a.k.a. VRF-lite).

Creating a VRF

To create or configure a VRF, enter the vrfX context.

X is the VRF identifier, between 0 and 2047


The default VRF vrf0 always exists and can be referenced by all services, regardless of whether the CLI context vrf0 exists.

Configuring a VRF

Enabling and disabling forwarding

To enable or disable forwarding on all interfaces in the VRF, use the following command:

router{conf:myconfig-vrfX}forwarding ipv4|ipv6 enable|disable


IPv4 and IPv6 forwarding are enabled by default.

Setting ephemeral port range

Each VRF can be configured to use a specific source port range using the following command:

router{conf:myconfig-vrfX}ephemeral-port-range default|(LOWRANGE HIGHRANGE)
Default value for the ephemeral port range: 32768-60999.
LOWRANGE: first port available to be used as source port for an application. It must be greater than 1 and less than HIGHRANGE.
HIGHRANGE: last port available to be used as source port for an application. It must be greater than LOWRANGE and less than 65535.


Different VRFs can share the same ephemeral port range.

Displaying VRF configuration

The configuration of a VRF can be displayed using the following commands:

router{conf:myconfig}display vrfX



Deleting a VRF

To delete a VRF, use the following command from the root context:

router{conf:myconfig}delete vrf vrfX
X is the VRF identifier, between 0 and 2047

Configuration example

router{conf:myconfig-vrf0}forwarding ipv6 disable
router{conf:myconfig-vrf0}ephemeral-port-range 10001 20000
router{conf:myconfig-vrf1}forwarding ipv6 disable
router{conf:myconfig-vrf1}ephemeral-port-range 20001 30000

Cross-VRF: communicating between VRFs

VRFs are a means of isolating several networks with potentially overlapping addressing plans. However, it is sometimes necessary to communicate between two or more VRFs. The crossing of VRF boundaries is called Cross-VRF.

A packet can be made to change VRFs via routing.

Let us consider the following topology where the local gateway must forward traffic from the network in vrf1 to the and networks in vrf2:


Cross-VRF will be enabled on vrf1 and vrf2, and Cross-VRF routes will be configured.

Enabling Cross-VRF in vrfX creates a veth interface xvrfX. All VRFs on which Cross-VRF is enabled have their own xvrf interface. These xvrf interfaces are bridged.

A subnet is assigned to xvrf interfaces: a different IP address is configured on each xvrfX interface, in this subnet. To route a packet from vrfX to vrfY, simply add a route via the address of the xvrfY interface. The packet will be output via xvrfX (in vrfX) and the bridge will steer it to the xvrfY interface (in vrfY).

The xvrf interfaces are interconnected as follows: a bridge xvrbr is created in a transit netns named xvrf. The other end of each xvrf veth interface is connected to this bridge. The bridge dispatches packets according to their destination address.


Create VRFs and enable Cross-VRF

Create vrf1 and enable Cross-VRF and IPv4 forwarding in this VRF:

router{conf:myconfig-vrf1}xvrf enable
router{conf:myconfig-vrf1}forwarding ipv4 enable

Here we choose subnet for Cross-VRF routing. We assign an address in this subnet to the xvrf1 interface:


Create vrf2, enable Cross-VRF and IPv4 forwarding, and assign an address in the subnet chosen for Cross-VRF:

router{conf:myconfig-vrf2}xvrf enable
router{conf:myconfig-vrf2}forwarding ipv4 enable

Configure Ethernet interfaces in their respective VRFs

Configure eth1 in vrf1:

router{conf:myconfig-eth1}vrf-id 1

Configure eth2 in vrf2:

router{conf:myconfig-eth2}vrf-id 2

Add Cross-VRF routes

To reach (in vrf2) and (in vrf2) from vrf1, packets must jump to vrf2. Therefore, we specify the address of xvrf2 as the gateway:

route vrf-id 1
route vrf-id 1

To reach (in vrf1) from vrf2, packets must jump to vrf1. Therefore, we specify the address of xvrf1 as the gateway:

route vrf-id 2

To reach (in vrf2) from vrf2, packets stay in the same VRF, so we simply specify the neighbor router as the gateway:

route vrf-id 2
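
Because every Cross-VRF route is a deliberate opening in the isolation between VRFs, it is worth listing those routes and tracing where a destination ends up. The following Python sketch is an added example, not Turbo IPsec code or CLI syntax: it models the rule described above (a route in vrfX whose gateway is the address of xvrfY moves the packet to vrfY), and all addresses, prefixes and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data, not taken from the page: address of each xvrfX
# interface in the shared Cross-VRF subnet, and static routes per VRF.
XVRF_ADDR = {1: "192.0.2.1", 2: "192.0.2.2"}
ROUTES = {
    1: [("10.2.0.0/16", "192.0.2.2"), ("10.3.0.0/16", "192.0.2.2")],
    2: [("10.1.0.0/16", "192.0.2.1"), ("10.3.0.0/16", "10.2.0.254")],
}

def gateway_vrf(gateway, xvrf_addr):
    """Return the VRF whose xvrf interface owns this gateway address, or None."""
    for vrf, addr in xvrf_addr.items():
        if ipaddress.ip_address(addr) == ipaddress.ip_address(gateway):
            return vrf
    return None

def cross_vrf_routes(routes, xvrf_addr):
    """List (source VRF, prefix, target VRF) for every route that leaves its VRF."""
    found = []
    for vrf, table in sorted(routes.items()):
        for prefix, gw in table:
            target = gateway_vrf(gw, xvrf_addr)
            if target is not None and target != vrf:
                found.append((vrf, prefix, target))
    return found

def trace(vrf, dst, routes, xvrf_addr):
    """Follow a destination across VRFs; return the list of VRFs visited.

    Raises ValueError when Cross-VRF routes send the packet in a loop.
    """
    dst, path = ipaddress.ip_address(dst), [vrf]
    while True:
        matches = [(ipaddress.ip_network(p), gw) for p, gw in routes.get(vrf, [])
                   if dst in ipaddress.ip_network(p)]
        if not matches:
            return path          # no static route: connected network or drop
        _, gw = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix
        nxt = gateway_vrf(gw, xvrf_addr)
        if nxt is None or nxt == vrf:
            return path          # ordinary next hop, packet stays in this VRF
        if nxt in path:
            raise ValueError(f"Cross-VRF loop: {path + [nxt]}")
        vrf = nxt
        path.append(vrf)
```

Comparing the output of cross_vrf_routes against the list of flows that are meant to cross VRF boundaries shows any route that widens reachability beyond what was intended.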