Posted inNetworking

Linux VRF: How to Run Multiple Independent Routing Tables on a Single Server

Networking tutorial - IT technology blog
Networking tutorial - IT technology blog

The Limitation of the Global Routing Table

Standard Linux networking follows a simple rule: one main routing table, one default gateway, and every interface competes for space in that global list. This ‘one-size-fits-all’ approach works for basic web servers, but it collapses in complex enterprise environments.

Consider a practical scenario: you are managing a gateway connecting two separate branch offices via VPN. Both offices use the 192.168.1.0/24 subnet for their internal printers and NAS devices. When you connect both, the kernel faces a conflict.

If you try to reach 192.168.1.50, which office should receive the packet? In a standard setup, adding that second route usually results in a 50% packet loss as the kernel flaps between paths, or one connection simply dies. Historically, we hacked around this with iptables marking or policy-based routing (PBR), but those setups are brittle and notoriously difficult to debug.

VRF (Virtual Routing and Forwarding) solves this by partitioning the networking stack into independent routing instances. Think of it as turning one physical server into multiple virtual routers. Each VRF maintains its own routing table, interfaces, and default gateway.

VRF vs. Network Namespaces: The Lightweight Alternative

If you use Docker, you know Network Namespaces (netns). While both provide isolation, they operate at different depths. A Namespace is a heavy-duty ‘silo’—it replicates the entire stack, including firewalls and loopback devices. It is essentially a container for your network.

VRF is far more surgical. It only isolates Layer 3 (the routing layer). All VRFs share the same global firewall rules and system resources. This makes it the ideal choice for separating management traffic (SSH/SNMP) from production data traffic. You get the isolation you need without the complexity of managing 20 different namespace contexts.

Building a VRF Environment

To start, ensure you are running Linux kernel 4.14 or newer. While support began in 4.4, the 4.14+ releases provide the stability needed for production. You will also need the iproute2 package.

1. Create the VRF Device

Linux treats a VRF as a virtual network device. You must link it to a specific routing table ID. Let’s create vrf-blue and assign it to table 100.

# Create the VRF master device
sudo ip link add vrf-blue type vrf table 100

# Enable the interface
sudo ip link set vrf-blue up

Check your work by listing the active VRF devices:

ip link show type vrf

2. Enslave Interfaces to the VRF

The VRF device acts as a ‘master’ for physical or virtual interfaces. Once an interface is ‘enslaved,’ the kernel ignores the global table and looks specifically at Table 100 for that interface’s traffic.

Suppose eth1 connects to your Blue Client:

# Move eth1 into the vrf-blue context
sudo ip link set dev eth1 master vrf-blue

# Moving an interface often clears its IP. Re-assign it now:
sudo ip addr add 192.168.1.5/24 dev eth1
sudo ip link set eth1 up

3. Routing Inside the VRF

With eth1 inside the VRF, standard routing commands won’t see it. You must specify the VRF context. Use the vrf keyword to make the syntax more readable:

# Set a default gateway for the Blue network
sudo ip route add default via 192.168.1.1 dev eth1 vrf vrf-blue

To audit the specific routing table for this instance, run:

ip route show vrf vrf-blue

Running Processes in a VRF Context

Try to run ping 8.8.8.8 and it will likely fail. By default, the shell uses the global table. To force a process to use the VRF’s routing logic, use ip vrf exec.

# Test connectivity using the Blue routing table
sudo ip vrf exec vrf-blue ping -c 3 8.8.8.8

This helper binds the process socket to the VRF device. It is a game-changer for running a management SSH instance on one network while the rest of the server handles multi-gigabit production traffic on another.

Binding Services to a VRF

If you need a specific service, like a backup agent or an SSH daemon, to listen exclusively on the Blue network, start it within the context:

sudo ip vrf exec vrf-blue /usr/sbin/sshd -D

Hard-Won Lessons from Production

After deploying VRFs across hundreds of edge routers, three issues pop up most frequently.

  • The Loopback Limitation: While interfaces are isolated, 127.0.0.1 remains global. If two services in different VRFs try to bind to the same localhost port, they will collide.
  • Kernel Settings: VRF requires specific sysctl tweaks to handle TCP/UDP sockets correctly. Ensure net.ipv4.tcp_l3mdev_accept=1 and net.ipv4.udp_l3mdev_accept=1 are set. These allow the kernel to automatically map incoming packets to the correct VRF table.
  • Persistence: Runtime ip link commands vanish after a reboot. For modern Ubuntu systems, use Netplan’s vrfs: key. For older Debian systems, define the VRF master and its slaves in /etc/network/interfaces.

The Bottom Line

VRF on Linux provides a middle ground between basic routing and full virtualization. It offers a clean, scalable method for handling overlapping IPs and strict traffic isolation without the CPU and memory overhead of namespaces or virtual machines. By treating the VRF as a master device, you turn a single server into a powerful multi-tenant router.

Share:
Tags: