diff --git a/internal/netconf/configurator.go b/internal/netconf/configurator.go
index c987419..2a13ae7 100644
--- a/internal/netconf/configurator.go
+++ b/internal/netconf/configurator.go
@@ -191,6 +191,14 @@ func (configurator FirewallConfigurator) getUnits() []unitConfiguration {
 			},
 			enabled: true,
 		},
+		{
+			unit:         systemdUnitEveboxAgent,
+			templateFile: tplEveboxAgent,
+			constructApplier: func(kb KnowledgeBase, v ServiceValidator) (net.Applier, error) {
+				return NewEveboxAgentServiceApplier(kb, v)
+			},
+			enabled: true,
+		},
 	}
 }
 
diff --git a/internal/netconf/evebox-agent.go b/internal/netconf/evebox-agent.go
new file mode 100644
index 0000000..fa42ca2
--- /dev/null
+++ b/internal/netconf/evebox-agent.go
@@ -0,0 +1,29 @@
+package netconf
+
+import (
+	"github.com/metal-stack/metal-networker/pkg/net"
+)
+
+// tplEveboxAgent is the name of the template for the evebox-agent service.
+const tplEveboxAgent = "evebox-agent.service.tpl"
+
+// systemdUnitEveboxAgent is the name of the systemd unit for the evebox-agent.
+const systemdUnitEveboxAgent = "evebox-agent.service.service"
+
+// EveboxAgentData contains the data to render the evebox-agent service template.
+type EveboxAgentData struct {
+	Comment         string
+	DefaultRouteVrf string
+}
+
+// NewEveboxAgentServiceApplier constructs a new instance of this type.
+func NewEveboxAgentServiceApplier(kb KnowledgeBase, v net.Validator) (net.Applier, error) {
+	defaultRouteVrf, err := getDefaultRouteVRFName(kb)
+	if err != nil {
+		return nil, err
+	}
+
+	data := EveboxAgentData{Comment: versionHeader(kb.Machineuuid), DefaultRouteVrf: defaultRouteVrf}
+
+	return net.NewNetworkApplier(data, v, nil), nil
+}
diff --git a/internal/netconf/testdata/evebox-agent.service b/internal/netconf/testdata/evebox-agent.service
new file mode 100644
index 0000000..ee7d5a9
--- /dev/null
+++ b/internal/netconf/testdata/evebox-agent.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=EveBox Agent
+
+[Service]
+LimitMEMLOCK=infinity
+User=root
+Group=root
+Type=oneshot
+ExecStart=/bin/ip vrf exec vrf104009 /usr/bin/evebox agent
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/internal/netconf/tpl/evebox-agent.service.tpl b/internal/netconf/tpl/evebox-agent.service.tpl
new file mode 100644
index 0000000..692a595
--- /dev/null
+++ b/internal/netconf/tpl/evebox-agent.service.tpl
@@ -0,0 +1,12 @@
+[Unit]
+Description=EveBox Agent
+
+[Service]
+LimitMEMLOCK=infinity
+User=root
+Group=root
+Type=oneshot
+ExecStart=/bin/ip vrf exec {{ .DefaultRouteVrf }} /usr/bin/evebox agent
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file