...
Feature | Support | Comment |
|---|
| BGP | + |
| Code Block |
|---|
| /routing bgp template
add name=bgp-template1 vrf=vrf1
/routing bgp vpls
add name=bgp-vpls1 site-id=10 vrf=vrf1
/routing bgp vpn
add label-allocation-policy=per-vrf vrf=vrf1 |
|
| E-mail | + |
| Code Block |
|---|
| /tool e-mail
set address=192.168.88.1 vrf=vrf1 |
|
| IP Services | + | VRF is supported for telnet, www, ssh, www-ssl, api, winbox, api-ssl services. The ftp service does not support changing the VRF. | Code Block |
|---|
| /ip service
set telnet vrf=vrf1 |
|
| L2TP Client | + |
| Code Block |
|---|
| /interface l2tp-client
add connect-to=192.168.88.1@vrf1 name=l2tp-out1 user=l2tp-client |
|
| MPLS | + |
| Code Block |
|---|
| /mpls ldp
add vrf=vrf1 |
|
| Netwatch | + |
| Code Block |
|---|
| /tool netwatch
add host=192.168.88.1@vrf1 |
|
| NTP | + |
| Code Block |
|---|
| /system ntp client
set vrf=vrf1
/system ntp server
set vrf=vrf1 |
|
| OSPF | + |
| Code Block |
|---|
| /routing ospf instance
add disabled=no name=ospf-instance-1 vrf=vrf1 |
|
| ping | + |
| Code Block |
|---|
| /ping 192.168.88.1 vrf=vrf1 |
|
| RADIUS | + |
| Code Block |
|---|
| /radius add address=192.168.88.1@vrf1
/radius incoming set vrf=vrf1 |
|
| RIP | + |
| Code Block |
|---|
| /routing rip instance
add name=rip-instance-1 vrf=vrf1 |
|
| RPKI | + |
| Code Block |
|---|
| /routing rpki
add vrf=vrf1 |
|
| SNMP | + |
| Code Block |
|---|
| /snmp
set vrf=vrf1 |
|
| EoIP | + |
| Code Block |
|---|
| /interface eoip
add remote-address=192.168.1.1@vrf1 |
|
| IPIP | + |
| Code Block |
|---|
| /interface ipip
add remote-address=192.168.1.1@vrf1 |
|
| GRE | + |
| Code Block |
|---|
| /interface gre
add remote-address=192.168.1.1@vrf1 |
|
| SSTP-client | + |
| Code Block |
|---|
| /interface sstp-client
add connect-to=192.168.1.1@vrf1 |
|
| OVPN-client | + |
| Code Block |
|---|
| /interface ovpn-client
add connect-to=192.168.1.1@vrf1 |
|
| L2TP-ether | + |
| Code Block |
|---|
| /interface l2tp-ether
add connect-to=192.168.2.2@vrf |
|
| VXLAN | + |
| Code Block |
|---|
| /interface vxlan
add vni=10 vrf=vrf1 |
|
| Fetch | + | | Code Block |
|---|
| /tool/fetch
address=10.155.28.236@vrf1 mode=ftp src-path=my_file.pcap user=admin password="" |
|
| DNS | + Starting from RouterOS v7.15 | | Code Block |
|---|
| /ip dns set vrf=vrf1 |
|
| DHCP-Relay | + Starting from RouterOS v7.15 | | Code Block |
|---|
| /ip dhcp-relay set dhcp-server-vrf=vrf1 |
If dhcp-client is in vrf - special parameter in "ip dhcp-relay" configuration is not needed |
VRF interfaces in firewall
| Warning |
|---|
Before RouterOS version 7.14, firewall filter rules with the property in/out-interface would apply to interfaces within a VRF instance. Starting from RouterOS version 7.14, these rules no longer target individual interfaces within a VRF, but rather the VRF interface as a whole. |
Started from version 7.14 when interfaces are added in VRF - virtual VRF interface is created automatically. If it is needed to match traffic which belongs to VRF interface, VRF virtual interface should be used in firewall filters, for example:
| Code Block |
|---|
|
/ip vrf add interfaces=ether5 name=vrf5
/ip firewall filter add chain=input in-interface=vrf5 action=accept |
If there are several interfaces in one VRF but it is needed to match only one of these interfaces - marks should be used. For example:
| Code Block |
|---|
|
/ip vrf add interface=ether15,ether16 vrf=vrf1516
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=ether15 new-connection-mark=input_allow passthrough=yes
/ip firewall filter
add action=accept chain=input connection-mark=input_allow |
Examples
Simple VRF-Lite setup
...