1IP-VRF(8)                            Linux                           IP-VRF(8)
2
3
4

NAME

6       ip-vrf - run a command against a vrf
7

SYNOPSIS

9       ip vrf  { COMMAND | help }
10
11
12       ip vrf show [ NAME ]
13
14       ip vrf identify [ PID ]
15
16       ip vrf pids NAME
17
18       ip vrf exec [ NAME ] command...
19
20

DESCRIPTION

22       A VRF provides traffic isolation at layer 3 for routing, similar to how
23       a VLAN is used to isolate traffic at layer 2. Fundamentally, a VRF is a
24       separate routing table. Network devices are associated with a VRF by
25       enslaving the device to the VRF. At that point network addresses
26       assigned to the device are local to the VRF with host and connected
27       routes moved to the table associated with the VRF.
28
29       A process can specify a VRF using several APIs -- binding the socket to
30       the VRF device using SO_BINDTODEVICE, setting the VRF association using
31       IP_UNICAST_IF or IPV6_UNICAST_IF, or specifying the VRF for a specific
32       message using IP_PKTINFO or IPV6_PKTINFO.
33
34       By default a process is not bound to any VRF. An association can be set
35       explicitly by making the program use one of the APIs mentioned above or
36       implicitly using a helper to set SO_BINDTODEVICE for all IPv4 and IPv6
37       sockets (AF_INET and AF_INET6) when the socket is created. This ip-vrf
38       command is a helper to run a command against a specific VRF with the
39       VRF association inherited parent to child.
40
41
42       ip vrf show [ NAME ] - Show all configured VRF
43
44              This command lists all VRF and their corresponding table ids. If
45              NAME is given, then only that VRF and table id is shown. The
46              latter command is useful for scripting where the table id for a
47              VRF is needed.
48
49
50       ip vrf exec [ NAME ] cmd ... - Run cmd against the named VRF
51
52              This command allows applications that are VRF unaware to be run
53              against a VRF other than the default VRF (main table). A command
54              can be run against the default VRF by passing the "default" as
55              the VRF name. This is useful if the current shell is associated
56              with another VRF (e.g, Management VRF).
57
58              This command requires the system to be booted with cgroup v2
59              (e.g. with systemd, add systemd.unified_cgroup_hierarchy=1 to
60              the kernel command line).
61
62              This command also requires to be ran as root or with the
63              CAP_SYS_ADMIN, CAP_NET_ADMIN and CAP_DAC_OVERRIDE capabilities.
64              If built with libcap and if capabilities are added to the ip
65              binary program via setcap, the program will drop them as the
66              first thing when invoked, unless the command is vrf exec.
67              NOTE: capabilities will NOT be dropped if CAP_NET_ADMIN is set
68              to INHERITABLE to avoid breaking programs with ambient capabiliā€
69              ties that call ip.  Do not set the INHERITABLE flag on the ip
70              binary itself.
71
72
73       ip vrf identify [PID] - Report VRF association for process
74
75              This command shows the VRF association of the specified process.
76              If PID is not specified then the id of the current process is
77              used.
78
79
80       ip vrf pids NAME - Report processes associated with the named VRF
81
82              This command shows all process ids that are associated with the
83              given VRF.
84
85

CAVEATS

87       This command requires a kernel compiled with CGROUPS and CGROUP_BPF
88       enabled.
89
90       The VRF helper *only* affects network layer sockets.
91
92

EXAMPLES

94       ip vrf exec red ssh 10.100.1.254
95              Executes ssh to 10.100.1.254 against the VRF red table.
96
97

SEE ALSO

99       ip(8), ip-link(8), ip-address(8), ip-route(8), ip-neighbor(8)
100
101

AUTHOR

103       Original Manpage by David Ahern
104
105
106
107iproute2                          7 Dec 2016                         IP-VRF(8)
Impressum