NetworkManager配置VRF

NetworkManager 1.24版本开始支持VRF，VRF对三层网络进行隔离，类似VLAN对二层网络进行隔离。每个VRF都拥有独立的路由表，每个在VRF中的接口都可以有自己的网关或默认路由。另外VRF功能可以在一台服务器的不同接口上使用相同的IP地址而不冲突，但这些地址不能属于同一个广播域（VLAN）。

[root@localhost ~]# nmcli -v
nmcli tool, version 1.28.0-0.1.el8

首先查看一下LINUX默认的路由规则，默认有3个。

[root@localhost ~]# ip rule show 
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

创建VRF并分配FIB表。

nmcli connection add type vrf ifname vrf-a con-name vrf-a table 101 ipv4.method disabled ipv6.method disable
nmcli connection up vrf-a

[root@localhost ~]# ip rule show
0:      from all lookup local
1000:   from all lookup [l3mdev-table]
32766:  from all lookup main
32767:  from all lookup default
#l3mdev FIB规则将查找定向到与设备关联的表,一个l3mdev规则对于所有vrf来说就足够了,默认规则表为1000。

给VRF分配接口，并配置IP地址。

nmcli connection modify ens224 master vrf-a ipv4.method manual ipv4.addresses 192.168.12.100/24 ipv4.gateway 192.168.12.254 ipv4.dns 114.114.114.114,114.114.115.115
nmcli connection up ens224

[root@localhost ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens224
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens224
UUID=16ea4107-ce52-4feb-9e1f-6204f12130fd
DEVICE=ens224
ONBOOT=no
IPADDR=192.168.12.100
PREFIX=24
GATEWAY=192.168.12.254
DNS1=114.114.114.114
DNS2=114.114.115.115
VRF=vrf-a

[root@localhost ~]# ip route show #全局路由表
default via 192.168.11.254 dev ens192 proto static metric 100 
192.168.11.0/24 dev ens192 proto kernel scope link src 192.168.11.100 metric 100 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 

[root@localhost ~]# ip route show vrf vrf-a #VRF路由表
default via 192.168.12.254 dev ens224 proto static metric 101 
192.168.12.0/24 dev ens224 proto kernel scope link src 192.168.12.100 metric 101 

[root@localhost ~]#  ping -I ens192 114.114.114.114
PING 114.114.114.114 (114.114.114.114) from 192.168.11.100 ens192: 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=70 time=15.4 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=67 time=15.4 ms
^C
--- 114.114.114.114 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 15.386/15.393/15.401/0.124 ms
[root@localhost ~]#  ping -I ens224 114.114.114.114
PING 114.114.114.114 (114.114.114.114) from 192.168.12.100 ens224: 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=88 time=16.2 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=79 time=15.4 ms

　　

 https://www.kernel.org/doc/Documentation/networking/vrf.txt