IP-VRF(8)                           Linux                          IP-VRF(8)

NAME         top

       ip-vrf - run a command against a vrf

SYNOPSIS         top

       ip vrf  { COMMAND | help }

       ip vrf show [ NAME ]

       ip vrf identify [ PID ]

       ip vrf pids NAME

       ip vrf exec [ NAME ] command...

DESCRIPTION         top

       A VRF provides traffic isolation at layer 3 for routing, similar to
       how a VLAN is used to isolate traffic at layer 2. Fundamentally, a
       VRF is a separate routing table. Network devices are associated with
       a VRF by enslaving the device to the VRF. At that point network
       addresses assigned to the device are local to the VRF with host and
       connected routes moved to the table associated with the VRF.

       A process can specify a VRF using several APIs -- binding the socket
       to the VRF device using SO_BINDTODEVICE, setting the VRF association
       using IP_UNICAST_IF or IPV6_UNICAST_IF, or specifying the VRF for a
       specific message using IP_PKTINFO or IPV6_PKTINFO.

       By default a process is not bound to any VRF. An association can be
       set explicitly by making the program use one of the APIs mentioned
       above or implicitly using a helper to set SO_BINDTODEVICE for all
       IPv4 and IPv6 sockets (AF_INET and AF_INET6) when the socket is
       created. This ip-vrf command is a helper to run a command against a
       specific VRF with the VRF association inherited parent to child.

       ip vrf show [ NAME ] - Show all configured VRF

              This command lists all VRF and their corresponding table ids.
              If NAME is given, then only that VRF and table id is shown.
              The latter command is useful for scripting where the table id
              for a VRF is needed.

       ip vrf exec [ NAME ] cmd ... - Run cmd against the named VRF

              This command allows applications that are VRF unaware to be
              run against a VRF other than the default VRF (main table). A
              command can be run against the default VRF by passing the
              "default" as the VRF name. This is useful if the current shell
              is associated with another VRF (e.g, Management VRF).

              This command requires the system to be booted with cgroup v2
              (e.g. with systemd, add systemd.unified_cgroup_hierarchy=1 to
              the kernel command line).

              This command also requires to be ran as root or with the
              capabilities. If built with libcap and if capabilities are
              added to the ip binary program via setcap, the program will
              drop them as the first thing when invoked, unless the command
              is vrf exec.
              NOTE: capabilities will NOT be dropped if CAP_NET_ADMIN is set
              to INHERITABLE to avoid breaking programs with ambient
              capabilities that call ip.  Do not set the INHERITABLE flag on
              the ip binary itself.

       ip vrf identify [PID] - Report VRF association for process

              This command shows the VRF association of the specified
              process. If PID is not specified then the id of the current
              process is used.

       ip vrf pids NAME - Report processes associated with the named VRF

              This command shows all process ids that are associated with
              the given VRF.

CAVEATS         top

       This command requires a kernel compiled with CGROUPS and CGROUP_BPF

       The VRF helper *only* affects network layer sockets.

EXAMPLES         top

       ip vrf exec red ssh
              Executes ssh to against the VRF red table.

SEE ALSO         top

       ip(8), ip-link(8), ip-address(8), ip-route(8), ip-neighbor(8)

AUTHOR         top

       Original Manpage by David Ahern

COLOPHON         top

       This page is part of the iproute2 (utilities for controlling TCP/IP
       networking and traffic) project.  Information about the project can
       be found at 
       If you have a bug report for this manual page, send it to,  This page was obtained
       from the project's upstream Git repository
       ⟨⟩ on
       2020-02-08.  (At that time, the date of the most recent commit that
       was found in the repository was 2020-01-29.)  If you discover any
       rendering problems in this HTML version of the page, or you believe
       there is a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to

iproute2                         7 Dec 2016                        IP-VRF(8)