Virtual routing and forwarding

A physical router can implement several logical routers by using different tables for routing, forwarding, filtering, etc.

Turbo IPsec allows several Virtual Routing and Forwarding (VRF) instances to be defined and used by different services. For example, one logical or physical interface can be configured to use one specific routing and forwarding table.

In the rest of the document, the term VRF designates a VRF instance. Each VRF is assigned a numeric identifier X ranging from 0 to 2047, and a Linux network namespace named vrfX.

Note

The Turbo IPsec VRF implementation is based on Linux network namespaces (netns), not on the VRF device (a.k.a. VRF-lite).

Creating a VRF

To create or configure a VRF, enter the vrfX context.

router{conf:myconfig}vrfX
vrfX
X is the VRF identifier, between 0 and 2047

Note

The default VRF vrf0 always exists and can be referenced by all services, regardless of whether the CLI context vrf0 exists or not.

Configuring a VRF

Enabling and disabling forwarding

To enable or disable forwarding on all interfaces in the VRF, use the following command:

router{conf:myconfig-vrfX}forwarding ipv4|ipv6 enable|disable

Note

IPv4 and IPv6 forwarding are enabled by default.

Setting ephemeral port range

Each VRF can be configured to use a specific source port range using the following command:

router{conf:myconfig-vrfX}ephemeral-port-range default|(LOWRANGE HIGHRANGE)
default
Default value for the ephemeral port range: 32768-60999.
LOWRANGE
First port that can be used as a source port by an application; it must be greater than 1 and less than HIGHRANGE.
HIGHRANGE
Last port that can be used as a source port by an application; it must be greater than LOWRANGE and less than 65535.

Note

Different VRFs can share the same ephemeral port range.

Displaying VRF configuration

The configuration of a VRF can be displayed using the following commands:

router{conf:myconfig}display vrfX

or

router{conf:myconfig-vrfX}display

Deleting a VRF

To delete a VRF, use the following command from the root context:

router{conf:myconfig}delete vrf vrfX
vrfX
X is the VRF identifier, between 0 and 2047

Configuration example

router{conf:myconfig}vrf0
router{conf:myconfig-vrf0}forwarding ipv6 disable
router{conf:myconfig-vrf0}ephemeral-port-range 10001 20000
router{conf:myconfig-vrf0}vrf1
router{conf:myconfig-vrf1}forwarding ipv6 disable
router{conf:myconfig-vrf1}ephemeral-port-range 20001 30000

Cross-VRF: communicating between VRFs

VRFs are a means of isolating several networks with potentially overlapping addressing plans. However, it is sometimes necessary to communicate between two or more VRFs. The crossing of VRF boundaries is called Cross-VRF.

A packet can be made to change VRFs via routing.

Let us consider the following topology where the local gateway must forward traffic from the 10.100.0.0/24 network in vrf1 to the 10.125.0.0/24 and 10.200.0.0/24 networks in vrf2:

[Figure: local gateway connecting the 10.100.0.0/24 network in vrf1 to the 10.125.0.0/24 and 10.200.0.0/24 networks in vrf2]

Cross-VRF will be enabled on vrf1 and vrf2, and Cross-VRF routes will be configured.

Enabling Cross-VRF in vrfX creates a veth interface xvrfX. All VRFs on which Cross-VRF is enabled have their own xvrf interface. These xvrf interfaces are bridged.

A subnet is reserved for the xvrf interfaces, and each xvrfX interface is given a distinct IP address from that subnet. To route a packet from vrfX to vrfY, simply add a route via the address of the xvrfY interface. The packet will be output via xvrfX (in vrfX) and the bridge will steer it to the xvrfY interface (in vrfY).

The xvrf interfaces are interconnected as follows: a bridge xvrbr is created in a transit netns named xvrf. The other end of each xvrf veth interface is connected to this bridge. The bridge dispatches packets according to their destination address.

[Figure: xvrf1 and xvrf2 veth interfaces, their peer ends attached to the xvrbr bridge in the transit netns xvrf]

Create VRFs and enable Cross-VRF

Create vrf1 and enable Cross-VRF and IPv4 forwarding in this VRF:

router{conf:myconfig}vrf1
router{conf:myconfig-vrf1}xvrf enable
router{conf:myconfig-vrf1}forwarding ipv4 enable

Here we choose subnet 169.254.0.0/20 for Cross-VRF routing. We assign an address in this subnet to the xvrf1 interface:

router{conf:myconfig-vrf1}ipv4-xvr-address 169.254.0.1/20

Create vrf2, enable Cross-VRF and IPv4 forwarding, and assign an address in the subnet chosen for Cross-VRF:

router{conf:myconfig}vrf2
router{conf:myconfig-vrf2}xvrf enable
router{conf:myconfig-vrf2}forwarding ipv4 enable
router{conf:myconfig-vrf2}ipv4-xvr-address 169.254.0.2/20

Configure Ethernet interfaces in their respective VRFs

Configure eth1 in vrf1:

router{conf:myconfig}eth1
router{conf:myconfig-eth1}vrf-id 1
router{conf:myconfig-eth1}ipaddress 10.100.0.2/24

Configure eth2 in vrf2:

router{conf:myconfig}eth2
router{conf:myconfig-eth2}vrf-id 2
router{conf:myconfig-eth2}ipaddress 10.125.0.1/24

Add Cross-VRF routes

To reach 10.125.0.0/24 (in vrf2) and 10.200.0.0/24 (in vrf2) from vrf1, packets must jump to vrf2. Therefore, we specify the address of xvrf2 as the gateway:

route 10.125.0.0/24 169.254.0.2 vrf-id 1
route 10.200.0.0/24 169.254.0.2 vrf-id 1

To reach 10.100.0.0/24 (in vrf1) from vrf2, packets must jump to vrf1. Therefore, we specify the address of xvrf1 as the gateway:

route 10.100.0.0/24 169.254.0.1 vrf-id 2

To reach 10.200.0.0/24 (in vrf2) from vrf2, packets stay in the same VRF, so we simply specify the neighbor router as the gateway:

route 10.200.0.0/24 10.125.0.2 vrf-id 2
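To make the two-stage lookup concrete, here is an added Python model of the Cross-VRF path described above (constructed for this page, not Turbo IPsec code): each VRF keeps its own table, a route whose gateway is another VRF's xvrf address hands the packet across the bridge to that VRF for a second lookup, and an assumed third VRF (vrf3, eth3) with an overlapping 10.100.0.0/24 but no Cross-VRF route shows that isolation holds by default.

```python
import ipaddress

# Constructed model of the Cross-VRF mechanism on this page; not Turbo IPsec code.
class Vrf:
    def __init__(self, vrf_id, xvrf_addr=None, forwarding=True):
        self.vrf_id = vrf_id
        self.xvrf_addr = ipaddress.ip_address(xvrf_addr) if xvrf_addr else None
        self.forwarding = forwarding
        self.routes = []  # (prefix, gateway or None if connected, output interface)

    def add_route(self, prefix, gateway, iface):
        gw = ipaddress.ip_address(gateway) if gateway else None
        self.routes.append((ipaddress.ip_network(prefix), gw, iface))

    def lookup(self, dst):
        # Longest-prefix match within this VRF's own table only.
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def xvrf_bridge(vrfs):
    # The xvrbr bridge in the transit netns steers a frame to the VRF owning that xvrf address.
    return {v.xvrf_addr: v for v in vrfs.values() if v.xvrf_addr is not None}

def forward(vrfs, src_vrf_id, dst, max_hops=4):
    """Trace a packet as (vrf_id, iface, gateway) hops until it is delivered or dropped."""
    dst, bridge = ipaddress.ip_address(dst), xvrf_bridge(vrfs)
    path, vrf = [], vrfs[src_vrf_id]
    for _ in range(max_hops):
        if not vrf.forwarding:
            return path + [(vrf.vrf_id, "drop", "forwarding disabled")]
        route = vrf.lookup(dst)
        if route is None:
            return path + [(vrf.vrf_id, "drop", "no route")]  # VRF isolation holds
        _, gw, iface = route
        path.append((vrf.vrf_id, iface, str(gw) if gw else "connected"))
        if gw in bridge and bridge[gw] is not vrf:
            vrf = bridge[gw]  # left via xvrfX; re-enters vrfY on xvrfY for a second lookup
            continue
        return path
    return path + [(vrf.vrf_id, "drop", "hop limit")]

def page_topology():
    # vrf1/vrf2 as configured on the page; vrf3 is an assumed extra VRF without Cross-VRF.
    vrfs = {1: Vrf(1, "169.254.0.1"), 2: Vrf(2, "169.254.0.2"), 3: Vrf(3)}
    vrfs[1].add_route("10.100.0.0/24", None, "eth1")
    vrfs[1].add_route("10.125.0.0/24", "169.254.0.2", "xvrf1")
    vrfs[1].add_route("10.200.0.0/24", "169.254.0.2", "xvrf1")
    vrfs[2].add_route("10.125.0.0/24", None, "eth2")
    vrfs[2].add_route("10.100.0.0/24", "169.254.0.1", "xvrf2")
    vrfs[2].add_route("10.200.0.0/24", "10.125.0.2", "eth2")
    vrfs[3].add_route("10.100.0.0/24", None, "eth3")
    return vrfs
```

Disabling forwarding in vrf2 makes the trace end with a drop inside vrf2, which is why the page enables IPv4 forwarding in every VRF that participates in Cross-VRF.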