





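VRF (Virtual Routing and Forwarding) allows a single system to hold multiple independent routing tables. The Linux kernel has supported VRF since version 4.3. The following shows how to create two different VRFs, one of which is dedicated to a virtual bridge; see the article: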






apt-get install linux-headers-4.10.0-14-generic linux-image-extra-4.10.0-14-generic
apt-get install linux-image-extra-$(uname -r)
modprobe vrf



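I am running CentOS 7.6, whose 3.10 kernel does not support the vrf module, so the kernel has to be updated; upgrading to kernel 4.8 or later is recommended. Creating a VRF directly with the ip link command fails with: RTNETLINK answers: Operation not supported.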


yum --enablerepo=elrepo-kernel install kernel-ml
ip link add vrf-blue type vrf table 10


3.1 Creating a VRF

To instantiate a VRF device and associate it with a table:
$ ip link add dev NAME type vrf table ID

As of v4.8 the kernel supports the l3mdev FIB rule where a single rule covers all VRFs. The l3mdev rule is created for IPv4 and IPv6 on first device create.

# ip link add red type vrf table 1
# ip link add green type vrf table 2


# ip link set dev red up
# ip link set dev green up

3.2 Listing all VRFs

# ip -br link show type vrf
red              UNKNOWN        9a:ca:96:75:f8:f5 
green            UNKNOWN        8e:b6:6f:25:64:10 
# ip link show type vrf

To list VRFs that have been created:
$ ip [-d] link show type vrf
NOTE: The -d option is needed to show the table id

For example:
$ ip -d link show type vrf
11: mgmt: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 72:b3:ba:91:e2:24 brd ff:ff:ff:ff:ff:ff promiscuity 0
vrf table 1 addrgenmode eui64
12: red: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether b6:6f:6e:f6:da:73 brd ff:ff:ff:ff:ff:ff promiscuity 0
vrf table 10 addrgenmode eui64
13: blue: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 36:62:e8:7d:bb:8c brd ff:ff:ff:ff:ff:ff promiscuity 0
vrf table 66 addrgenmode eui64
14: green: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether e6:28:b8:63:70:bb brd ff:ff:ff:ff:ff:ff promiscuity 0
vrf table 81 addrgenmode eui64

Or in brief output:

$ ip -br link show type vrf
mgmt UP 72:b3:ba:91:e2:24
red UP b6:6f:6e:f6:da:73
blue UP 36:62:e8:7d:bb:8c
green UP e6:28:b8:63:70:bb

3.3 Assigning network interfaces to a VRF


# ip link set ens37 master red
# ip link set ens38 master green

Network interfaces are assigned to a VRF by enslaving the netdevice to a VRF device:
$ ip link set dev NAME master NAME

On enslavement connected and local routes are automatically moved to the table associated with the VRF device.

For example:
$ ip link set dev eth0 master mgmt


$ ip link show vrf red

To show devices that have been assigned to a specific VRF add the master
option to the ip command:
$ ip link show vrf NAME
$ ip link show master NAME

For example:
$ ip link show vrf red
3: eth1: mtu 1500 qdisc pfifo_fast master red state UP mode DEFAULT group default qlen 1000
link/ether 02:00:00:00:02:02 brd ff:ff:ff:ff:ff:ff
4: eth2: mtu 1500 qdisc pfifo_fast master red state UP mode DEFAULT group default qlen 1000
link/ether 02:00:00:00:02:03 brd ff:ff:ff:ff:ff:ff
7: eth5: mtu 1500 qdisc noop master red state DOWN mode DEFAULT group default qlen 1000
link/ether 02:00:00:00:02:06 brd ff:ff:ff:ff:ff:ff

Or using the brief output:
$ ip -br link show vrf red
eth1 UP 02:00:00:00:02:02
eth2 UP 02:00:00:00:02:03
eth5 DOWN 02:00:00:00:02:06
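
An interface that is not enslaved to its intended VRF keeps its routes in the default table, so VRF membership is worth checking automatically. The script below is an added example, not part of the original article: it parses `ip -d link show type vrf` and `ip link show` output and reports interfaces that are not in the expected VRF. The function names and the embedded sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit VRF state from `ip` output.

# stdin: `ip -d link show type vrf` output. Prints "VRF TABLE" per VRF device.
vrf_tables() {
    awk '/^[0-9]+: / { name = $2; sub(/[:@].*$/, "", name) }
         { for (i = 1; i + 2 <= NF; i++)
               if ($i == "vrf" && $(i + 1) == "table") print name, $(i + 2) }'
}

# stdin: `ip link show` output. Prints "IFACE MASTER" ("-" when not enslaved).
iface_masters() {
    awk '/^[0-9]+: / { name = $2; sub(/[:@].*$/, "", name); m = "-"
             for (i = 3; i < NF; i++) if ($i == "master") m = $(i + 1)
             print name, m }'
}

# $1: expected "IFACE VRF" pairs, one per line; stdin: `ip link show` output.
# Prints one MISMATCH line per violation and returns 1 if there is any.
audit_membership() {
    actual=$(iface_masters)
    rc=0
    while read -r ifc vrf; do
        [ -n "$ifc" ] || continue
        got=$(printf '%s\n' "$actual" | awk -v n="$ifc" '$1 == n { print $2 }')
        if [ "$got" != "$vrf" ]; then
            echo "MISMATCH $ifc expected=$vrf actual=${got:-missing}"
            rc=1
        fi
    done <<EOF
$1
EOF
    return "$rc"
}

# Constructed sample data, modelled on the outputs shown in this article.
SAMPLE_VRFS='11: mgmt: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT
    link/ether 72:b3:ba:91:e2:24 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vrf table 1 addrgenmode eui64
12: red: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT
    link/ether b6:6f:6e:f6:da:73 brd ff:ff:ff:ff:ff:ff promiscuity 0
    vrf table 10 addrgenmode eui64'
SAMPLE_LINKS='2: eth0: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT
3: eth1: mtu 1500 qdisc pfifo_fast master red state UP mode DEFAULT
7: eth5: mtu 1500 qdisc noop master red state DOWN mode DEFAULT'

printf '%s\n' "$SAMPLE_VRFS" | vrf_tables
printf '%s\n' "$SAMPLE_LINKS" | audit_membership 'eth0 mgmt
eth1 red' || echo "audit failed: interface outside its intended VRF"
```

On a live system, pipe the real command output into the functions instead of the sample variables, for example `ip link show | audit_membership "$EXPECTED"`.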


# ip neigh show vrf green

To list neighbor entries associated with devices enslaved to a VRF device
add the master option to the ip command:
$ ip [-6] neigh show vrf NAME
$ ip [-6] neigh show master NAME

For example:
$ ip neigh show vrf red
dev eth1 lladdr a6:d9:c7:4f:06:23 REACHABLE
dev eth2 lladdr 5e:54:01:6a:ee:80 REACHABLE

$ ip -6 neigh show vrf red
2002:1::64 dev eth1 lladdr a6:d9:c7:4f:06:23 REACHABLE

3.6 Showing addresses in a VRF

# ip addr show vrf green

To show addresses for interfaces associated with a VRF add the master option to the ip command:
$ ip addr show vrf NAME
$ ip addr show master NAME

For example:
$ ip addr show vrf red
3: eth1: mtu 1500 qdisc pfifo_fast master red state UP group default qlen 1000
link/ether 02:00:00:00:02:02 brd ff:ff:ff:ff:ff:ff
inet brd scope global eth1
valid_lft forever preferred_lft forever
inet6 2002:1::2/120 scope global
valid_lft forever preferred_lft forever
inet6 fe80::ff:fe00:202/64 scope link
valid_lft forever preferred_lft forever
4: eth2: mtu 1500 qdisc pfifo_fast master red state UP group default qlen 1000
link/ether 02:00:00:00:02:03 brd ff:ff:ff:ff:ff:ff
inet brd scope global eth2
valid_lft forever preferred_lft forever
inet6 2002:2::2/120 scope global
valid_lft forever preferred_lft forever
inet6 fe80::ff:fe00:203/64 scope link
valid_lft forever preferred_lft forever
7: eth5: mtu 1500 qdisc noop master red state DOWN group default qlen 1000
link/ether 02:00:00:00:02:06 brd ff:ff:ff:ff:ff:ff

Or in brief format:
$ ip -br addr show vrf red
eth1 UP 2002:1::2/120 fe80::ff:fe00:202/64
eth2 UP 2002:2::2/120 fe80::ff:fe00:203/64
eth5 DOWN

3.7 Showing VRF routes

To show routes for a VRF use the ip command to display the table associated with the VRF device:
$ ip [-6] route show vrf NAME
$ ip [-6] route show table ID

For example:
$ ip route show vrf red
unreachable default metric 4278198272
broadcast dev eth1 proto kernel scope link src
dev eth1 proto kernel scope link src
local dev eth1 proto kernel scope host src
broadcast dev eth1 proto kernel scope link src
broadcast dev eth2 proto kernel scope link src
dev eth2 proto kernel scope link src
local dev eth2 proto kernel scope host src
broadcast dev eth2 proto kernel scope link src

$ ip -6 route show vrf red
local 2002:1:: dev lo proto none metric 0 pref medium
local 2002:1::2 dev lo proto none metric 0 pref medium
2002:1::/120 dev eth1 proto kernel metric 256 pref medium
local 2002:2:: dev lo proto none metric 0 pref medium
local 2002:2::2 dev lo proto none metric 0 pref medium
2002:2::/120 dev eth2 proto kernel metric 256 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80:: dev lo proto none metric 0 pref medium
local fe80::ff:fe00:202 dev lo proto none metric 0 pref medium
local fe80::ff:fe00:203 dev lo proto none metric 0 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth2 proto kernel metric 256 pref medium
ff00::/8 dev red metric 256 pref medium
ff00::/8 dev eth1 metric 256 pref medium
ff00::/8 dev eth2 metric 256 pref medium
unreachable default dev lo metric 4278198272 error -101 pref medium

3.8 VRF route lookup

A test route lookup can be done for a VRF:
$ ip [-6] route get vrf NAME ADDRESS
$ ip [-6] route get oif NAME ADDRESS

For example:
$ ip route get vrf red
dev eth1 table red src

$ ip -6 route get 2002:1::32 vrf red
2002:1::32 from :: dev eth1 table red proto kernel src 2002:1::2 metric 256 pref medium

3.9 Removing a network interface from a VRF

# ip link set dev ens37 nomaster

Network interfaces are removed from a VRF by breaking the enslavement to the VRF device:
$ ip link set dev NAME nomaster

Connected routes are moved back to the default table and local entries are
moved to the local table.

For example:
$ ip link set dev eth0 nomaster
