On 4/28/16 11:16 AM, Elluru, Krishna Mohan wrote:
I posted a few bug fix patches a week or two ago. Not sure what the
status is with respect to 4.3 - 4.5 trees.
MOHAN> Sure. Are those patches sent over netdev mailer list?
yes. All patches for VRF - kernel and iproute2 - are sent to netdev.
MOHAN> Sorry for not being clear. My ask was: to create a namespace we need
cap_admin privileges currently, but your earlier mails suggested that we should be
able to configure/create vrf device with net_admin capabilities. Is this support
present/expected to be added soon?
VRF is implemented using a netdevice. As such the ability to create one
requires the same permissions as creating any other netdevice
(CAP_NET_ADMIN).
5. Is there a possibility of enabling secondary level lookup, to give a leak
functionality to parent route table from device local route table? I tested
with veth pair, configured one as default gateway, it is possible to forward
traffic b/w the interfaces, looking for cleaner method.
Are you referring to inter-vrf routing? See slide 27
http://www.netdevconf.org/1.1/proceedings/slides/ahern-vrf-tutorial.pdf
Full lookup in VRF table
▪ ip route add table vrf-red 1.1.1.0/24 dev vrf-green
MOHAN> Slide 27 above shows inter vrf routing; the requirement is to use the current
namespace global route table if the ip lookup fails in the vrf-device routing table.
Reference:
https://www.juniper.net/techpubs/en_US/junose16.1/topics/task/configuration/mbgp-secondary-routing-table-search.html
One solution is to create a VRF device that is associated with the main
table and then use an inter-vrf route to jump to the main table.
VRF tables do need a default route (e.g., unreachable with high metric
value) else the FIB lookups will proceed to the next table which is most
likely not what you want.
David
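
The fall-through behaviour described in the last reply, as an added example that is not part of the original thread: a simplified Python model of table-by-table FIB lookup showing why a VRF table without a default route lets traffic resolve in the next table, and how an unreachable default plus an explicit route via a VRF device bound to the main table makes the jump deliberate. The table names, prefixes, interface names and the `vrf-main` device are constructed for illustration, and route metrics are not modelled.

```python
import ipaddress

UNREACHABLE = "unreachable"

def lpm(table, dst):
    """Longest-prefix match in one table; None means no route matched."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), act) for p, act in table.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def fib_lookup(tables, vrf_table_of, rule_order, dst, depth=0):
    """Walk tables in rule order: a miss falls through to the next table,
    any hit (an unreachable route included) ends the walk."""
    for name in rule_order:
        action = lpm(tables[name], dst)
        if action is None:
            continue
        if action in vrf_table_of and depth < 4:
            # Route points at a VRF device: full lookup in that VRF's table.
            return fib_lookup(tables, vrf_table_of, [vrf_table_of[action]],
                              dst, depth + 1)
        return (name, action)
    return (None, UNREACHABLE)

# Constructed sample data; all names and prefixes are illustrative.
MAIN = {"0.0.0.0/0": "eth0", "192.168.0.0/24": "eth2"}
VRFS = {"vrf-red": "red", "vrf-main": "main"}   # vrf-main: VRF device bound to main
ORDER = ["red", "main"]                          # tables tried for traffic in vrf-red

def resolve(red_table, dst):
    """Resolve dst for traffic in vrf-red, given the contents of its table."""
    return fib_lookup({"red": red_table, "main": MAIN}, VRFS, ORDER, dst)

NO_DEFAULT = {"10.1.0.0/24": "eth1"}                        # misses fall through
WITH_DEFAULT = {**NO_DEFAULT, "0.0.0.0/0": UNREACHABLE}     # misses stop here
WITH_JUMP = {**WITH_DEFAULT, "192.168.0.0/24": "vrf-main"}  # one deliberate jump

if __name__ == "__main__":
    for label, red in [("no default", NO_DEFAULT),
                       ("unreachable default", WITH_DEFAULT),
                       ("explicit jump", WITH_JUMP)]:
        print(label, resolve(red, "192.168.0.5"), resolve(red, "8.8.8.8"))
```
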