# Setup transcript (run as root). Topology: host h1 reaches the bridge through the
# veth pair swp1<->swp2, host h2 through swp3<->swp4; swp2 and swp3 are ports of the
# VLAN-filtering bridge br0. Each host end is placed in its own VRF so that the two
# addresses from the same 192.0.2.0/24 subnet can coexist on a single machine.
# veth create
root@raspi:~# ip link add swp1 type veth peer name swp2
root@raspi:~# ip link add swp3 type veth peer name swp4
# vrf prepare
# Move the local-table lookup from pref 0 to pref 32765 so that the VRF lookup rule
# (presumably the l3mdev rule the kernel installs when a VRF device is created) is
# consulted before the local table. The new rule is added BEFORE the old one is deleted
# so there is never a moment without a local-table lookup. This changes routing for the
# whole host, not just this lab; the teardown below restores pref 0.
root@raspi:~# ip -4 rule add pref 32765 table local
root@raspi:~# ip -4 rule del pref 0
# h1 create
# VRF bound to table 1: lookups for traffic in this VRF only consult table 1.
root@raspi:~# ip link add dev vrf-h1 type vrf table 1
# Unreachable default route: traffic with no more specific match in table 1 is rejected
# instead of leaking into another VRF or the main table. The very large metric keeps it
# below any real default route added to the table later.
root@raspi:~# ip -4 route add table 1 unreachable default metric 4278198272
root@raspi:~# ip link set dev vrf-h1 up
# Enslave swp1 to the VRF before assigning its address, so the address and its
# connected routes land in table 1 (see the `ip route show table 1` output further down).
root@raspi:~# ip link set dev swp1 master vrf-h1
root@raspi:~# ip link set dev swp1 up
root@raspi:~# ip addr add 192.0.2.1/24 dev swp1
# h2 create (mirror of h1 on swp4, table 2)
root@raspi:~# ip link add dev vrf-h2 type vrf table 2
root@raspi:~# ip -4 route add table 2 unreachable default metric 4278198272
root@raspi:~# ip link set dev vrf-h2 up
root@raspi:~# ip link set dev swp4 master vrf-h2
root@raspi:~# ip link set dev swp4 up
root@raspi:~# ip addr add 192.0.2.2/24 dev swp4
# switch_create
# vlan_filtering 1: ports only pass VLANs they are members of; ageing_time 1000
# (hundredths of a second in iproute2, i.e. 10 s) makes learned FDB entries expire
# quickly; mcast_snooping 0 disables IGMP/MLD snooping, so multicast is flooded to
# every port.
root@raspi:~# ip link add dev br0 type bridge vlan_filtering 1 ageing_time 1000 mcast_snooping 0
root@raspi:~# ip link set dev swp2 master br0
root@raspi:~# ip link set dev swp3 master br0
root@raspi:~# ip link set dev br0 up
root@raspi:~# ip link set dev swp2 up
root@raspi:~# ip link set dev swp3 up
# Teardown transcript, in reverse order of the setup. DEV / PERF / HANDLE are
# placeholders for the interface, filter preference and filter handle that were
# actually configured (PERF is presumably meant to be the filter's pref value).
# As needed: only if an ingress flower filter / ingress qdisc / promiscuous mode /
# flood setting was changed on a port during the experiment.
root@raspi:~# tc filter del dev DEV ingress protocol ip pref PERF handle HANDLE flower
root@raspi:~# tc qdisc del dev DEV ingress
root@raspi:~# ip link set DEV promisc off
root@raspi:~# bridge link set dev DEV flood on
# Remove br0: take the ports down first, then delete the bridge (its ports are
# released with it).
root@raspi:~# ip link set dev swp2 down
root@raspi:~# ip link set dev swp3 down
root@raspi:~# ip link del dev br0
# Remove addresses, restore the routing tables and delete the VRFs (h2 first, then h1).
root@raspi:~# ip addr del 192.0.2.2/24 dev swp4
root@raspi:~# ip link set dev swp4 down
root@raspi:~# ip link set dev swp4 nomaster
root@raspi:~# ip -4 route del table 2 unreachable default metric 4278198272
root@raspi:~# ip link del dev vrf-h2
root@raspi:~#
root@raspi:~# ip addr del 192.0.2.1/24 dev swp1
root@raspi:~# ip link set dev swp1 down
root@raspi:~# ip link set dev swp1 nomaster
root@raspi:~# ip -4 route del table 1 unreachable default metric 4278198272
root@raspi:~# ip link del dev vrf-h1
root@raspi:~#
# Put the local-table rule back at pref 0 BEFORE deleting the one at 32765, so a
# local-table lookup exists throughout and host routing is never broken. Note that
# the veth pairs swp1/swp2 and swp3/swp4 are not deleted by this transcript.
root@raspi:~# ip -4 rule add pref 0 table local
root@raspi:~# ip -4 rule del pref 32765
一些细节
ip rule
在 Linux 网络栈中,ip rule 命令用于配置策略路由(Policy Routing),它决定了数据包应该使用哪张路由表进行查找。默认情况下,Linux 内核维护几张路由表,常见的有:
zrf@debian:~$ ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
zrf@debian:~$
# Create VRF device vrf-h1 bound to routing table 1: route lookups for traffic in this
# VRF only consult table 1.
root@raspi:~# ip link add dev vrf-h1 type vrf table 1
# Add an unreachable default route to table 1 so that traffic with no more specific
# match is rejected rather than leaking into another VRF or the main routing table.
# The very large metric keeps this route below any real default route added later.
root@raspi:~# ip -4 route add table 1 unreachable default metric 4278198272
# Enslave swp1 to vrf-h1: traffic arriving on or sent via swp1 is now routed under
# vrf-h1's table, and addresses assigned to swp1 afterwards land in table 1.
root@raspi:~# ip link set dev swp1 master vrf-h1
可以查看下两个vrf各自的路由表
root@raspi:~# ip route show table 1
unreachable default metric 4278198272
192.0.2.0/24 dev swp1 proto kernel scope link src 192.0.2.1
local 192.0.2.1 dev swp1 proto kernel scope host src 192.0.2.1
broadcast 192.0.2.255 dev swp1 proto kernel scope link src 192.0.2.1
root@raspi:~# ip route show table 2
unreachable default metric 4278198272
192.0.2.0/24 dev swp4 proto kernel scope link src 192.0.2.2
local 192.0.2.2 dev swp4 proto kernel scope host src 192.0.2.2
broadcast 192.0.2.255 dev swp4 proto kernel scope link src 192.0.2.2
root@raspi:~#
bridge
# Create the bridge br0 used as the "switch" between swp2 and swp3.
#   vlan_filtering 1  - enable per-port VLAN membership enforcement (frames in VLANs a
#                       port is not a member of are dropped on that port)
#   ageing_time 1000  - FDB entry lifetime; iproute2 takes this in hundredths of a
#                       second, so learned MAC entries expire after 10 s
#   mcast_snooping 0  - disable IGMP/MLD snooping; multicast is flooded to all ports
ip link add dev br0 type bridge vlan_filtering 1 ageing_time 1000 mcast_snooping 0