Inter-VRF Routing over VRF Lite
Inter-VRF routing allows a controlled exchange of routes between otherwise isolated VRF (Virtual Routing and Forwarding) instances, giving you segmentation with selective connectivity. On a single VyOS box this is VRF Lite: separate routing tables without MPLS, with route leaking done either through BGP route targets or through static routes. Route leaking only decides which prefixes are reachable from a VRF; which hosts and ports may actually talk is the job of the firewall, so the two are configured together.
Use cases
Applicability
- Multi-tenant cloud: tenant isolation with controlled access to shared services
- Enterprise segmentation: separating Production / Development / Testing environments
- Service provider: carrier VPN with partial route leaking
- Security zones: DMZ, Internal and Management with selective access
Benefits
- Network isolation: fully separate routing tables per tenant
- Selective connectivity: controlled access to shared services (DNS, monitoring)
- IP overlap: different VRFs may use the same IP ranges (but two overlapping prefixes cannot be leaked into the same third table, so shared services need unique addressing)
- Flexible policy: granular control through route-maps and prefix-lists
- Scalability: many VRFs on one router
Network topology
Basic topology (3 VRFs)
┌─────────────────────────────────┐
│ VyOS Router │
│ │
│ ┌────────────────────────┐ │
│ │ VRF PRODUCTION │ │
│ │ RD: 65000:100 │ │
│ │ 10.100.0.0/16 │ │
│ └──────────┬─────────────┘ │
│ │ Route Leak │
│ ┌──────────┴─────────────┐ │
│ │ VRF SHARED │ │
│ │ RD: 65000:999 │ │
│ │ 10.255.0.0/24 │ │
│ │ (DNS, NTP, Monitor) │ │
│ └──────────┬─────────────┘ │
│ │ Route Leak │
│ ┌──────────┴─────────────┐ │
│ │ VRF DEVELOPMENT │ │
│ │ RD: 65000:200 │ │
│ │ 10.200.0.0/16 │ │
│ └────────────────────────┘ │
│ │
│ eth1 ─ PRODUCTION │
│ eth2 ─ DEVELOPMENT │
│ eth3 ─ SHARED │
└─────────────────────────────────┘

Yandex Cloud multi-tenant
┌──────────────────────────────────────────┐
│ Yandex Cloud VPC │
│ │
│ ┌────────────────────────────────────┐ │
│ │ VyOS Gateway │ │
│ │ │ │
│ │ VRF CUSTOMER-A ◄──┐ │ │
│ │ (10.1.0.0/16) │ │ │
│ │ │ │ │
│ │ VRF CUSTOMER-B ◄──┼─► SHARED │ │
│ │ (10.2.0.0/16) │ SERVICES │ │
│ │ │ (DNS/NTP) │ │
│ │ VRF CUSTOMER-C ◄──┘ │ │
│ │ (10.3.0.0/16) │ │
│ └────────────────────────────────────┘ │
│ │
│ Customer A Subnet ◄─── eth1 │
│ Customer B Subnet ◄─── eth2 │
│ Customer C Subnet ◄─── eth3 │
│ Shared Services ◄─── eth4 │
└──────────────────────────────────────────┘

Requirements
Minimum requirements
- VyOS 1.4 (Sagitta) or newer
- VRF support (FRRouting)
- BGP or static routing for route import/export
- A unique Route Distinguisher (RD) per VRF when BGP leaking is used
Network parameters (example)
| VRF | RD | RT Import | RT Export | Networks |
|---|---|---|---|---|
| PRODUCTION | 65000:100 | 65000:100, 65000:999 | 65000:100 | 10.100.0.0/16 |
| DEVELOPMENT | 65000:200 | 65000:200, 65000:999 | 65000:200 | 10.200.0.0/16 |
| SHARED | 65000:999 | 65000:100, 65000:200 | 65000:999 | 10.255.0.0/24 |
VRF configuration
Creating the VRF instances
configure
# VRF PRODUCTION (the kernel table number must be unique per VRF)
set vrf name PRODUCTION table '100'
set vrf name PRODUCTION description 'Production environment - Customer A'
# VRF DEVELOPMENT
set vrf name DEVELOPMENT table '200'
set vrf name DEVELOPMENT description 'Development environment - Customer B'
# VRF SHARED
set vrf name SHARED table '999'
set vrf name SHARED description 'Shared services - DNS, NTP, Monitoring'
commit

Assigning interfaces to VRFs
configure
# eth1 - PRODUCTION
set interfaces ethernet eth1 address '10.100.1.1/24'
set interfaces ethernet eth1 description 'PRODUCTION network'
set interfaces ethernet eth1 vrf 'PRODUCTION'
# eth2 - DEVELOPMENT
set interfaces ethernet eth2 address '10.200.1.1/24'
set interfaces ethernet eth2 description 'DEVELOPMENT network'
set interfaces ethernet eth2 vrf 'DEVELOPMENT'
# eth3 - SHARED
set interfaces ethernet eth3 address '10.255.0.1/24'
set interfaces ethernet eth3 description 'SHARED services'
set interfaces ethernet eth3 vrf 'SHARED'
commit
save

BGP configuration for Inter-VRF routing
Base BGP configuration
configure
# BGP AS number (the same private AS is reused by every VRF instance)
set protocols bgp system-as '65000'
set protocols bgp parameters router-id '192.168.255.1'
commit

VRF PRODUCTION BGP configuration
In VyOS 1.4 the per-VRF BGP instance lives under vrf name <name> protocols bgp. Route targets are attached with the vpn keywords, and import vpn / export vpn must be enabled explicitly: without them the RTs are set but no route is ever leaked.
configure
# BGP instance for VRF PRODUCTION
set vrf name PRODUCTION protocols bgp system-as '65000'
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast rd vpn export '65000:100'
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast route-target vpn export '65000:100'
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast route-target vpn import '65000:100'
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast route-target vpn import '65000:999'
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast label vpn export 'auto'
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast import vpn
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast export vpn
# Announce PRODUCTION networks. A network statement is only advertised when a
# matching route exists in the VRF RIB; with only the connected /24 present,
# what actually leaks is 10.100.1.0/24 from redistribute connected.
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast network '10.100.0.0/16'
# Redistribute connected (the eth1 subnet)
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast redistribute connected
commit

VRF DEVELOPMENT BGP configuration
configure
# BGP instance for VRF DEVELOPMENT
set vrf name DEVELOPMENT protocols bgp system-as '65000'
set vrf name DEVELOPMENT protocols bgp address-family ipv4-unicast rd vpn export '65000:200'
set vrf name DEVELOPMENT protocols bgp address-family ipv4-unicast route-target vpn export '65000:200'
set vrf name DEVELOPMENT protocols bgp address-family ipv4-unicast route-target vpn import '65000:200'
set vrf name DEVELOPMENT protocols bgp address-family ipv4-unicast route-target vpn import '65000:999'
set vrf name DEVELOPMENT protocols bgp address-family ipv4-unicast label vpn export 'auto'
set vrf name DEVELOPMENT protocols bgp address-family ipv4-unicast import vpn
set vrf name DEVELOPMENT protocols bgp address-family ipv4-unicast export vpn
# Announce DEVELOPMENT networks (same caveat as above)
set vrf name DEVELOPMENT protocols bgp address-family ipv4-unicast network '10.200.0.0/16'
set vrf name DEVELOPMENT protocols bgp address-family ipv4-unicast redistribute connected
commit

VRF SHARED BGP configuration
configure
# BGP instance for VRF SHARED: exports its own RT, imports both spokes
set vrf name SHARED protocols bgp system-as '65000'
set vrf name SHARED protocols bgp address-family ipv4-unicast rd vpn export '65000:999'
set vrf name SHARED protocols bgp address-family ipv4-unicast route-target vpn export '65000:999'
set vrf name SHARED protocols bgp address-family ipv4-unicast route-target vpn import '65000:100'
set vrf name SHARED protocols bgp address-family ipv4-unicast route-target vpn import '65000:200'
set vrf name SHARED protocols bgp address-family ipv4-unicast label vpn export 'auto'
set vrf name SHARED protocols bgp address-family ipv4-unicast import vpn
set vrf name SHARED protocols bgp address-family ipv4-unicast export vpn
# Announce SHARED services
set vrf name SHARED protocols bgp address-family ipv4-unicast network '10.255.0.0/24'
set vrf name SHARED protocols bgp address-family ipv4-unicast redistribute connected
commit
save

Route Target explanation
A Route Target (RT) is an extended community attached to a route when it is exported; a VRF imports a route when at least one RT carried by the route is in that VRF's import list. The RD only keeps prefixes from different VRFs distinct in the VPN table (so overlapping ranges do not collide); it plays no part in deciding what leaks where.
PRODUCTION:
- Export 65000:100: tag PRODUCTION routes with 65000:100
- Import 65000:100: accept routes tagged 65000:100 (its own)
- Import 65000:999: accept routes from the SHARED VRF
DEVELOPMENT:
- Export 65000:200, import 65000:200 and 65000:999: the same pattern with its own tag
SHARED:
- Export 65000:999: tag the shared-services routes
- Import 65000:100, 65000:200: accept routes from PRODUCTION and DEVELOPMENT
Result: PRODUCTION sees SHARED but does NOT see DEVELOPMENT (and vice versa). The isolation holds only as long as no spoke imports another spoke's RT and no VRF exports a tag it merely imported, so every route-target change should be reviewed as a policy change, not as a routing tweak.
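The import/export rule above can be checked mechanically before a commit. The following is an added example (not code from the original page or from the VyOS project): it models the page's RT table as Python sets, computes which VRF can see which, and reports any visibility the hub-and-spoke design did not intend; the with_import helper simulates a proposed route-target change so the leak it would cause shows up before it is committed. The VRF table and the INTENDED set are constructed from the page's parameters.

```python
"""Model of BGP route-target (RT) import/export between VRFs on one router.

Added example, not part of the original page: given each VRF's RD, RT
export set and RT import set (the page's table), compute which VRF can
see which other VRF's routes and flag any visibility the design did not
intend. The rule modelled is the FRR/VyOS one: a route enters a VRF when
at least one RT attached to it on export is in the importer's import set.
"""
from itertools import permutations

# Constructed to match the page's parameter table.
VRFS = {
    "PRODUCTION":  {"rd": "65000:100", "export": {"65000:100"},
                    "import": {"65000:100", "65000:999"}},
    "DEVELOPMENT": {"rd": "65000:200", "export": {"65000:200"},
                    "import": {"65000:200", "65000:999"}},
    "SHARED":      {"rd": "65000:999", "export": {"65000:999"},
                    "import": {"65000:100", "65000:200"}},
}

# Design intent for hub-and-spoke: the (viewer, source) pairs that may exist.
INTENDED = {
    ("PRODUCTION", "SHARED"), ("SHARED", "PRODUCTION"),
    ("DEVELOPMENT", "SHARED"), ("SHARED", "DEVELOPMENT"),
}


def sees(vrfs, viewer, source):
    """True if 'viewer' imports at least one RT that 'source' exports."""
    return bool(vrfs[viewer]["import"] & vrfs[source]["export"])


def visibility(vrfs):
    """All (viewer, source) pairs, viewer != source, where leaking happens."""
    return {(v, s) for v, s in permutations(vrfs, 2) if sees(vrfs, v, s)}


def unintended_leaks(vrfs, intended):
    """Reachability that exists but was not designed: the security finding."""
    return visibility(vrfs) - intended


def missing_paths(vrfs, intended):
    """Reachability that was designed but is not configured: the outage finding."""
    return intended - visibility(vrfs)


def duplicate_rds(vrfs):
    """RDs must be unique per VRF, or prefixes from two VRFs collide in the VPN table."""
    by_rd = {}
    dups = set()
    for name, cfg in vrfs.items():
        if cfg["rd"] in by_rd:
            dups.add((by_rd[cfg["rd"]], name))
        by_rd[cfg["rd"]] = name
    return dups


def with_import(vrfs, name, rt):
    """Copy of the policy with one extra RT import, simulating a proposed
    'set vrf name <name> protocols bgp address-family ipv4-unicast
    route-target vpn import <rt>' before it is committed."""
    new = {n: {"rd": c["rd"], "export": set(c["export"]), "import": set(c["import"])}
           for n, c in vrfs.items()}
    new[name]["import"].add(rt)
    return new


def review(vrfs, intended):
    """Pre-commit check: all-empty lists mean the RT policy matches the design."""
    return {
        "leaks": sorted(unintended_leaks(vrfs, intended)),
        "missing": sorted(missing_paths(vrfs, intended)),
        "duplicate_rds": sorted(duplicate_rds(vrfs)),
    }


if __name__ == "__main__":
    print("current:", review(VRFS, INTENDED))
    # A well-meant "let production reach dev" change breaks the isolation.
    proposed = with_import(VRFS, "PRODUCTION", "65000:200")
    print("proposed:", review(proposed, INTENDED))
```

Run it as part of a change review: a non-empty "leaks" list is a reason to reject the proposed route-target, and a non-empty "missing" list explains an outage before anyone starts looking at BGP debugging output.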
Alternative: static route leaking
If you do not want BGP, static routes can point into another VRF. Because 10.255.0.1, 10.100.1.1 and 10.200.1.1 are the router's own addresses, the leaked routes point at the interface that lives in the other VRF, not at a next-hop IP:
configure
# In VRF PRODUCTION: route to SHARED via eth3 (which belongs to VRF SHARED)
set vrf name PRODUCTION protocols static route 10.255.0.0/24 interface eth3 vrf 'SHARED'
# In VRF DEVELOPMENT: the same route, otherwise DEVELOPMENT has no path to SHARED
set vrf name DEVELOPMENT protocols static route 10.255.0.0/24 interface eth3 vrf 'SHARED'
# In VRF SHARED: routes back to PRODUCTION and DEVELOPMENT. If further subnets
# sit behind a downstream router, use 'next-hop <downstream-router> vrf <name>' instead.
set vrf name SHARED protocols static route 10.100.0.0/16 interface eth1 vrf 'PRODUCTION'
set vrf name SHARED protocols static route 10.200.0.0/16 interface eth2 vrf 'DEVELOPMENT'
commit
save

Note: static route leaking is simpler but less flexible than BGP with RTs: every prefix is listed by hand on both sides, nothing withdraws the route when the target subnet disappears, and the return path is easy to forget.
Integration with Yandex Cloud
Scenario: multi-tenant gateway in Yandex Cloud
configure
# Management interface (default VRF)
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'Yandex Cloud management'
# Customer A (VRF CUSTOMER-A)
set vrf name CUSTOMER-A table '101'
set vrf name CUSTOMER-A description 'Tenant A - E-commerce'
set interfaces ethernet eth1 address '10.1.1.1/24'
set interfaces ethernet eth1 description 'Customer A subnet'
set interfaces ethernet eth1 vrf 'CUSTOMER-A'
# Customer B (VRF CUSTOMER-B)
set vrf name CUSTOMER-B table '102'
set vrf name CUSTOMER-B description 'Tenant B - Analytics'
set interfaces ethernet eth2 address '10.2.1.1/24'
set interfaces ethernet eth2 description 'Customer B subnet'
set interfaces ethernet eth2 vrf 'CUSTOMER-B'
# Shared services (DNS, NTP, Yandex Monitoring)
set vrf name SHARED-SERVICES table '999'
set vrf name SHARED-SERVICES description 'Shared: DNS, NTP, Monitoring'
set interfaces ethernet eth4 address '10.255.1.1/24'
set interfaces ethernet eth4 description 'Shared services'
set interfaces ethernet eth4 vrf 'SHARED-SERVICES'
# BGP for route leaking
set protocols bgp system-as '65000'
set protocols bgp parameters router-id '10.255.255.1'
# CUSTOMER-A VRF BGP: exports its own tag, imports only the shared tag
set vrf name CUSTOMER-A protocols bgp system-as '65000'
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast rd vpn export '65000:101'
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast route-target vpn export '65000:101'
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast route-target vpn import '65000:999'
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast label vpn export 'auto'
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast import vpn
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast export vpn
set vrf name CUSTOMER-A protocols bgp address-family ipv4-unicast redistribute connected
# CUSTOMER-B VRF BGP
set vrf name CUSTOMER-B protocols bgp system-as '65000'
set vrf name CUSTOMER-B protocols bgp address-family ipv4-unicast rd vpn export '65000:102'
set vrf name CUSTOMER-B protocols bgp address-family ipv4-unicast route-target vpn export '65000:102'
set vrf name CUSTOMER-B protocols bgp address-family ipv4-unicast route-target vpn import '65000:999'
set vrf name CUSTOMER-B protocols bgp address-family ipv4-unicast label vpn export 'auto'
set vrf name CUSTOMER-B protocols bgp address-family ipv4-unicast import vpn
set vrf name CUSTOMER-B protocols bgp address-family ipv4-unicast export vpn
set vrf name CUSTOMER-B protocols bgp address-family ipv4-unicast redistribute connected
# SHARED-SERVICES VRF BGP: the hub, imports every tenant tag
set vrf name SHARED-SERVICES protocols bgp system-as '65000'
set vrf name SHARED-SERVICES protocols bgp address-family ipv4-unicast rd vpn export '65000:999'
set vrf name SHARED-SERVICES protocols bgp address-family ipv4-unicast route-target vpn export '65000:999'
set vrf name SHARED-SERVICES protocols bgp address-family ipv4-unicast route-target vpn import '65000:101'
set vrf name SHARED-SERVICES protocols bgp address-family ipv4-unicast route-target vpn import '65000:102'
set vrf name SHARED-SERVICES protocols bgp address-family ipv4-unicast label vpn export 'auto'
set vrf name SHARED-SERVICES protocols bgp address-family ipv4-unicast import vpn
set vrf name SHARED-SERVICES protocols bgp address-family ipv4-unicast export vpn
set vrf name SHARED-SERVICES protocols bgp address-family ipv4-unicast redistribute connected
commit
save

Firewall between VRFs (Yandex Cloud scenario)
configure
# Allow only DNS and NTP from customers to shared services.
# VyOS 1.4 LTS syntax ('firewall ipv4 name'); earlier 1.4 rolling images used 'firewall ipv4-name'.
set firewall ipv4 name CUSTOMER-TO-SHARED default-action 'drop'
set firewall ipv4 name CUSTOMER-TO-SHARED rule 10 action 'accept'
set firewall ipv4 name CUSTOMER-TO-SHARED rule 10 protocol 'tcp_udp'
set firewall ipv4 name CUSTOMER-TO-SHARED rule 10 destination port '53'
set firewall ipv4 name CUSTOMER-TO-SHARED rule 10 description 'Allow DNS (TCP and UDP; large answers fall back to TCP)'
set firewall ipv4 name CUSTOMER-TO-SHARED rule 20 action 'accept'
set firewall ipv4 name CUSTOMER-TO-SHARED rule 20 protocol 'udp'
set firewall ipv4 name CUSTOMER-TO-SHARED rule 20 destination port '123'
set firewall ipv4 name CUSTOMER-TO-SHARED rule 20 description 'Allow NTP'
# Hook the chain into the forward path for traffic entering from a customer
# interface and leaving via eth4 (shared services). Return traffic is accepted
# by conntrack, so only the customer-to-shared direction needs a policy.
set firewall group interface-group CUSTOMERS interface 'eth1'
set firewall group interface-group CUSTOMERS interface 'eth2'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 5 action 'accept'
set firewall ipv4 forward filter rule 5 state established
set firewall ipv4 forward filter rule 5 state related
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 jump-target 'CUSTOMER-TO-SHARED'
set firewall ipv4 forward filter rule 10 inbound-interface group 'CUSTOMERS'
set firewall ipv4 forward filter rule 10 outbound-interface name 'eth4'
commit
save

Note: the forward filter applies to every forwarded packet on the box, including the default VRF, so a default-action of drop also blocks any transit you have not explicitly allowed there. Also note that set vrf name <name> ip protocol all export <route-map> attaches a route-map to routes installed into the kernel table; it is not a packet filter and cannot be used to apply a firewall chain.

Integration with VK Cloud
Configuration for VK Cloud
configure
# VK Cloud management (OpenStack Neutron)
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'VK Cloud management'
# The VRF configuration is the same as in the Yandex Cloud scenario.
# VK Cloud specifics:
# 1. Security Groups instead of (or in addition to) the VyOS firewall
# 2. Floating IP only for management
# 3. MTU 1450 on tenant networks (overlay encapsulation overhead)
set interfaces ethernet eth1 mtu '1450'
set interfaces ethernet eth2 mtu '1450'
set interfaces ethernet eth4 mtu '1450'
commit
save

VK Cloud Security Groups
Create a Security Group in the VK Cloud console for each tenant:
Customer-A SG:
- Allow DNS (UDP and TCP 53) to the Shared Services subnet
- Allow NTP (UDP 123) to the Shared Services subnet
- Deny everything else to the Shared Services subnet
Customer-B SG:
- Allow DNS (UDP and TCP 53) to the Shared Services subnet
- Allow NTP (UDP 123) to the Shared Services subnet
- Deny everything else to the Shared Services subnet
Security Groups are enforced at each instance's port; keep the VyOS forward filter as well, so that the tenant boundary does not depend on a single control.
Verifying the configuration
Checking VRFs
# List VRFs
show vrf
# Expected: one row per configured VRF (PRODUCTION, DEVELOPMENT, SHARED) with
# its state and member interfaces. The table numbers are visible with:
show configuration commands | grep "vrf name"
# Details of one VRF
show vrf PRODUCTION

Checking interfaces in VRFs
# Interfaces with their VRF membership
show interfaces
# IP addresses inside one VRF (Linux level; op-mode runs as the vyos user, hence sudo)
sudo ip vrf exec PRODUCTION ip addr show
# Routing table of one VRF
show ip route vrf PRODUCTION
show ip route vrf SHARED

Checking BGP VRFs
# BGP summary for all VRFs
show bgp vrf all summary
# BGP routes in one VRF
show bgp vrf PRODUCTION ipv4 unicast
show bgp vrf SHARED ipv4 unicast
# VPN table with RD and RT: leaked routes pass through here before import
vtysh
show bgp vrf all
show bgp ipv4 vpn
exit

Checking route leaking
# VRF PRODUCTION must see SHARED (10.255.0.0/24) and nothing from DEVELOPMENT
show ip route vrf PRODUCTION
# Expected (illustrative; exact distance and next-hop text depend on the FRR version):
# B>* 10.255.0.0/24 [20/0] is directly connected, eth3 (vrf SHARED), 00:10:00
# VRF SHARED must see PRODUCTION and DEVELOPMENT (the connected /24s that were redistributed)
show ip route vrf SHARED
# Expected:
# B>* 10.100.1.0/24 [20/0] is directly connected, eth1 (vrf PRODUCTION), 00:10:00
# B>* 10.200.1.0/24 [20/0] is directly connected, eth2 (vrf DEVELOPMENT), 00:10:00
# The negative check matters as much as the positive one:
show ip route vrf PRODUCTION 10.200.1.0/24
# must return nothing (a default route matching here is itself a finding to review)
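The positive and negative checks above are easy to do by eye for three VRFs and easy to get wrong for thirty. The following is an added example (not code from the original page or from VyOS): it parses the FRR route lines that show ip route vrf <name> prints and audits each table against the hub-and-spoke intent, reporting prefixes that must be leaked but are missing and forbidden prefixes that are reachable, including through a covering supernet or a default route. The sample tables and the policy dict are constructed for the example; one route in the DEVELOPMENT table is a deliberate misconfiguration.

```python
"""Audit 'show ip route vrf <name>' output against a leak policy.

Added example, not part of the original page: parses FRR route lines as
printed by VyOS, then checks per VRF that the prefixes which must be
leaked are present and that forbidden prefixes are not reachable, not
even through a covering supernet or a default route. The sample output
is constructed (one DEVELOPMENT route is a deliberate misconfiguration);
the policy dict encodes the page's hub-and-spoke intent.
"""
import ipaddress
import re

# FRR route line: code, optional '>' (selected) and '*' (in FIB), prefix, rest.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])(?P<flags>[>*]*)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)(?P<rest>.*)$"
)
SRC_VRF_RE = re.compile(r"\(vrf (?P<vrf>[^)]+)\)")

HEADER = (
    "Codes: K - kernel route, C - connected, S - static, B - BGP,\n"
    "       > - selected route, * - FIB route\n"
)
# Constructed sample output of 'show ip route vrf <name>' for each VRF.
SAMPLE_TABLES = {
    "PRODUCTION": HEADER
    + "C>* 10.100.1.0/24 is directly connected, eth1, 00:12:03\n"
    + "B>* 10.255.0.0/24 [20/0] is directly connected, eth3 (vrf SHARED), 00:10:00\n",
    "DEVELOPMENT": HEADER
    + "C>* 10.200.1.0/24 is directly connected, eth2, 00:12:03\n"
    + "B>* 10.255.0.0/24 [20/0] is directly connected, eth3 (vrf SHARED), 00:10:00\n"
    + "B>* 10.100.1.0/24 [20/0] is directly connected, eth1 (vrf PRODUCTION), 00:09:00\n",
    "SHARED": HEADER
    + "C>* 10.255.0.0/24 is directly connected, eth3, 00:12:03\n"
    + "B>* 10.100.1.0/24 [20/0] is directly connected, eth1 (vrf PRODUCTION), 00:10:00\n"
    + "B>* 10.200.1.0/24 [20/0] is directly connected, eth2 (vrf DEVELOPMENT), 00:10:00\n",
}

# Hub-and-spoke intent: what each VRF must see and must not be able to reach.
POLICY = {
    "PRODUCTION":  {"must": ["10.255.0.0/24"], "forbid": ["10.200.0.0/16"]},
    "DEVELOPMENT": {"must": ["10.255.0.0/24"], "forbid": ["10.100.0.0/16"]},
    "SHARED":      {"must": ["10.100.1.0/24", "10.200.1.0/24"], "forbid": []},
}


def parse_routes(text):
    """Return the routes of one table as dicts (header and legend lines are skipped)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        src = SRC_VRF_RE.search(m["rest"])
        routes.append({
            "code": m["code"],
            "prefix": ipaddress.ip_network(m["prefix"], strict=False),
            "selected": ">" in m["flags"],
            "src_vrf": src["vrf"] if src else None,
        })
    return routes


def audit(tables, policy):
    """Findings as (vrf, kind, policy_prefix, route_prefix). Empty list = compliant."""
    findings = []
    for vrf, rules in policy.items():
        routes = [r for r in parse_routes(tables.get(vrf, "")) if r["selected"]]
        for want in rules["must"]:
            p = ipaddress.ip_network(want)
            if not any(p.subnet_of(r["prefix"]) for r in routes):
                findings.append((vrf, "missing", want, None))
        for deny in rules["forbid"]:
            p = ipaddress.ip_network(deny)
            # overlaps() catches the exact prefix, any subnet of it and any
            # covering supernet, including 0.0.0.0/0: a default route leaked
            # into a tenant VRF is a finding to review, not to ignore.
            for r in routes:
                if r["prefix"].overlaps(p):
                    findings.append((vrf, "leak", deny, str(r["prefix"])))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TABLES, POLICY):
        print(finding)
```

On a live box feed it the real output, for example by collecting show ip route vrf <name> for each VRF over SSH into the tables dict; the policy dict is the document of record for what may be reachable, so keep it in version control next to the router configuration.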
# Ping from the PRODUCTION VRF to a shared-services host
ping 10.255.0.10 vrf PRODUCTION count 4
# The same at the Linux level
sudo ip vrf exec PRODUCTION ping -c 4 10.255.0.10
# Ping from PRODUCTION to DEVELOPMENT (must NOT work: there is no route leak)
ping 10.200.1.10 vrf PRODUCTION count 4
# Expected result: "Network is unreachable"
# Traceroute into another VRF
sudo ip vrf exec PRODUCTION traceroute 10.255.0.10

DNS test (if DNS lives in the SHARED VRF)
# DNS server in the SHARED VRF: 10.255.0.53
# Query from the PRODUCTION VRF (use whichever resolver client the image provides)
sudo ip vrf exec PRODUCTION nslookup example.com 10.255.0.53

Troubleshooting
Problem 1: a VRF does not see routes from another VRF
Symptoms:
show ip route vrf PRODUCTION
# no routes from the SHARED VRF
Causes and fixes:
Wrong Route Target:
# Check the RT configuration
show configuration commands | grep "route-target"
# PRODUCTION must import 65000:999, SHARED must export 65000:999
# Fix:
configure
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast route-target vpn import '65000:999'
commit
Import/export to the VPN table not enabled:
# Route targets do nothing unless the VRF both exports to and imports from the VPN table
show configuration commands | grep -E "(import|export) vpn"
BGP not running for the VRF:
show bgp vrf PRODUCTION summary
# must show the BGP instance; if not, check the configuration
show configuration commands | grep "vrf name PRODUCTION protocols bgp"
No networks advertised:
vtysh -c 'show bgp vrf SHARED ipv4 unicast'
# must list the prefixes to be leaked; if the table is empty, redistribute connected
# or add a network statement that is backed by an existing route in the VRF
configure
set vrf name SHARED protocols bgp address-family ipv4-unicast redistribute connected
set vrf name SHARED protocols bgp address-family ipv4-unicast network '10.255.0.0/24'
commit
Problem 2: interface not assigned to a VRF
Symptoms:
show interfaces ethernet eth1
# no VRF shown in the output
Fix:
configure
set interfaces ethernet eth1 vrf 'PRODUCTION'
commit
# NOTE: moving an interface into a VRF flaps it (down/up). The configured
# addresses are re-applied, but existing sessions through it are reset.

Problem 3: IP overlap between VRFs causes problems
Symptoms: CUSTOMER-A and CUSTOMER-B both use 10.0.0.0/8 and packets end up in the wrong place
Fix: overlap is normal for VRFs, but the configuration has to be right:
# Check that the interfaces are in the correct VRFs
show vrf
# Make sure the routing table numbers are unique
show configuration commands | grep "table"
# Make sure no overlapping prefix is leaked into a third table: two identical
# prefixes from two VRFs cannot coexist in SHARED, so shared services must use
# addressing that is unique across tenants
show ip route vrf SHARED
# ALWAYS test connectivity with the VRF specified
sudo ip vrf exec CUSTOMER-A ping -c 2 10.0.0.1
sudo ip vrf exec CUSTOMER-B ping -c 2 10.0.0.1
# Different destinations despite the same IP

Problem 4: performance issues
Symptoms: slow throughput between VRFs
Causes:
- Forwarding happens in the kernel; there is no hardware offload
- Firewall processing
Fix:
# Check firewall rule hit counters
show firewall statistics
# Keep the rule set short and let conntrack accept return traffic at the top
configure
set firewall ipv4 name VRF-TO-VRF rule 1 action 'accept'
set firewall ipv4 name VRF-TO-VRF rule 1 state established
set firewall ipv4 name VRF-TO-VRF rule 1 state related
commit

Best Practices
1. VRF naming convention
# Use descriptive names
VRF PRODUCTION        # not VRF-1
VRF CUSTOMER-ACME     # not VRF-CUST-001
VRF SHARED-SERVICES   # not VRF-SHARED

2. Route Distinguisher (RD) planning
# Format: AS:NN
# AS = your AS number (or a private AS such as 65000)
# NN = unique number per VRF
# Numbering scheme:
# 65000:100-199 = Production VRFs
# 65000:200-299 = Development VRFs
# 65000:300-399 = Testing VRFs
# 65000:900-999 = Shared/Management VRFs
# Using the same number for the kernel table, the RD and the RT (as on this page)
# keeps the mapping obvious when reading 'show' output

3. Route Target design
Hub-and-spoke (this page's example):
PRODUCTION → SHARED (import 999)
DEVELOPMENT → SHARED (import 999)
SHARED → ALL (import 100, 200)

Full mesh (every VRF sees every other):
every VRF imports every other VRF's RT (for a handful of VRFs, import vrf <name> per pair is simpler)

Partial mesh: use route-maps (route-map vpn import) to filter specific prefixes.
Whatever the pattern, each VRF should export only its own RT: a spoke that also exports the hub's RT silently turns hub-and-spoke into a mesh.
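The two patterns can be generated instead of typed, which keeps the RT sets consistent as VRFs are added. The following is an added example (not code from the original page or from the VyOS project): it derives the per-VRF RD, export and import sets for hub-and-spoke or full mesh and renders them as VyOS set commands. It assumes the VyOS 1.4 syntax used on this page (rd vpn export, route-target vpn import/export, import vpn, export vpn, label vpn export), which you should confirm against the installed version; the VRF list is constructed from the page's numbering. Importing a VRF's own RT, as the page's table does, is harmless and is omitted here.

```python
"""Generate VyOS 1.4 VRF-Lite BGP leaking configuration from a design pattern.

Added example, not part of the original page. Syntax is the VyOS 1.4
form used on this page and must be checked against your installed
version before use.
"""

ASN = 65000

# Constructed input matching the page's numbering: VRF name -> number used
# for the kernel table, the RD and the RT.
VRFS = {"PRODUCTION": 100, "DEVELOPMENT": 200, "SHARED": 999}


def design_rts(pattern, vrfs, hub=None):
    """Return {vrf: {"rd", "export", "import"}} for a leaking pattern.

    hub-and-spoke: spokes import only the hub's RT, the hub imports every spoke.
    full-mesh:     every VRF imports every other VRF's RT.
    Each VRF exports exactly one RT (its own), so a spoke can never re-export
    what it learned from the hub.
    """
    rt = {name: f"{ASN}:{num}" for name, num in vrfs.items()}
    if pattern == "hub-and-spoke":
        if hub not in vrfs:
            raise ValueError("hub-and-spoke needs a hub that exists in vrfs")
        imports = {n: ({rt[s] for s in vrfs if s != hub} if n == hub else {rt[hub]})
                   for n in vrfs}
    elif pattern == "full-mesh":
        imports = {n: {rt[o] for o in vrfs if o != n} for n in vrfs}
    else:
        raise ValueError(f"unknown pattern {pattern!r}")
    return {n: {"rd": rt[n], "export": {rt[n]}, "import": imports[n]} for n in vrfs}


def render_vyos(rts, vrf_tables):
    """Emit VyOS 'set' lines for the VRF instances and their BGP leaking config."""
    lines = [f"set protocols bgp system-as '{ASN}'"]
    for name, cfg in rts.items():
        base = f"set vrf name {name}"
        af = f"{base} protocols bgp address-family ipv4-unicast"
        lines += [
            f"{base} table '{vrf_tables[name]}'",
            f"{base} protocols bgp system-as '{ASN}'",
            f"{af} rd vpn export '{cfg['rd']}'",
        ]
        lines += [f"{af} route-target vpn export '{x}'" for x in sorted(cfg["export"])]
        lines += [f"{af} route-target vpn import '{x}'" for x in sorted(cfg["import"])]
        lines += [
            f"{af} label vpn export 'auto'",
            f"{af} import vpn",
            f"{af} export vpn",
            f"{af} redistribute connected",
        ]
    return lines


if __name__ == "__main__":
    cfg = design_rts("hub-and-spoke", VRFS, hub="SHARED")
    print("\n".join(render_vyos(cfg, VRFS)))
```

Pipe the output into configure, or diff it against show configuration commands | grep route-target to find an RT that was added by hand and does not belong to the pattern.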
4. Security between VRFs
Route leaking decides which prefixes are reachable; only the firewall decides which hosts and ports. Filter even between VRFs:
set firewall ipv4 name VRF-ISOLATION default-action 'drop'
set firewall ipv4 name VRF-ISOLATION rule 10 action 'accept'
set firewall ipv4 name VRF-ISOLATION rule 10 destination address '10.255.0.53'
set firewall ipv4 name VRF-ISOLATION rule 10 destination port '53'
set firewall ipv4 name VRF-ISOLATION rule 10 protocol 'tcp_udp'
# Attach to the forward path: PRODUCTION (eth1) towards SHARED (eth3)
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 jump-target 'VRF-ISOLATION'
set firewall ipv4 forward filter rule 10 inbound-interface name 'eth1'
set firewall ipv4 forward filter rule 10 outbound-interface name 'eth3'
commit
# Note: 'set vrf name <name> ip protocol all export <route-map>' applies a
# route-map to routes installed into the kernel; it does not filter packets.

5. Logging and monitoring
# BGP logging, kept in the VyOS configuration (changes typed into vtysh are lost on reboot)
configure
set protocols bgp parameters log-neighbor-changes
commit
# Watch the VRF routing tables (op-mode 'monitor command' re-runs a command periodically)
monitor command "show ip route vrf PRODUCTION"
monitor command "show ip route vrf SHARED"
# BGP VRF monitoring
monitor command "show bgp vrf all summary"

6. Documentation
Document the VRF topology, and keep the file under /config so it survives image upgrades:
# /config/vrf-topology.yaml
vrf_topology:
  PRODUCTION:
    table: 100
    rd: "65000:100"
    rt_export: "65000:100"
    rt_import: ["65000:100", "65000:999"]
    interfaces: ["eth1"]
    networks: ["10.100.0.0/16"]
    access_to: ["SHARED"]
  DEVELOPMENT:
    table: 200
    rd: "65000:200"
    rt_export: "65000:200"
    rt_import: ["65000:200", "65000:999"]
    interfaces: ["eth2"]
    networks: ["10.200.0.0/16"]
    access_to: ["SHARED"]
  SHARED:
    table: 999
    rd: "65000:999"
    rt_export: "65000:999"
    rt_import: ["65000:100", "65000:200"]
    interfaces: ["eth3"]
    networks: ["10.255.0.0/24"]
    services: ["DNS: 10.255.0.53", "NTP: 10.255.0.123"]

Advanced configuration
Route-maps for selective filtering
Route-map filtering works on prefixes, not hosts. The DNS server 10.255.0.53 is not a route of its own: the route PRODUCTION receives is 10.255.0.0/24, so a prefix-list that permits only 10.255.0.53/32 would match nothing and block every SHARED route. Use the prefix-list to limit which SHARED subnets leak, and the firewall to limit hosts and ports.
configure
# Prefix-list: leak only the shared-services subnet
set policy prefix-list SHARED-SUBNETS rule 10 action 'permit'
set policy prefix-list SHARED-SUBNETS rule 10 prefix '10.255.0.0/24'
# Route-map: apply the prefix-list; everything else is denied implicitly
set policy route-map FILTER-SHARED-IMPORT rule 10 action 'permit'
set policy route-map FILTER-SHARED-IMPORT rule 10 match ip address prefix-list 'SHARED-SUBNETS'
# Apply the route-map to routes imported from the VPN table into PRODUCTION
set vrf name PRODUCTION protocols bgp address-family ipv4-unicast route-map vpn import 'FILTER-SHARED-IMPORT'
commit
# The resulting FRR statement, visible with vtysh -c 'show running-config':
# router bgp 65000 vrf PRODUCTION
#  address-family ipv4 unicast
#   route-map vpn import FILTER-SHARED-IMPORT

VRF with MPLS (for L3VPN)
The VRF Lite setup above needs no MPLS. If the same VRFs must be extended to another PE over an MPLS core (L3VPN), enable MPLS forwarding on the core-facing interface and exchange VPNv4 routes with the remote PE. Outline only; the IGP that makes 192.168.255.2 reachable is not shown:
# Enable MPLS forwarding and LDP on the core-facing interface
set protocols mpls interface 'eth0'
set protocols mpls ldp interface 'eth0'
set protocols mpls ldp router-id '192.168.255.1'
# BGP VPNv4 session with the remote PE (same AS, iBGP)
set protocols bgp neighbor 192.168.255.2 remote-as '65000'
set protocols bgp neighbor 192.168.255.2 update-source '192.168.255.1'
set protocols bgp neighbor 192.168.255.2 address-family ipv4-vpn
commit