network/roles/exit/templates/networks.intf.j2

{# VRF outside is special, all others are inside but also firewalled from each other. #}
{% set inside_vrfs = interfaces | selectattr('parent') | selectattr('parent.name', '==', 'bridge')
    | selectattr('vrf') | map(attribute='vrf') | rejectattr('name', '==', 'outside') | unique -%}

# A separate VRF for each inside network so we can firewall between them.
{% for vrf in inside_vrfs %}
auto {{ vrf.name }}
iface {{ vrf.name }}
    vrf-table auto

{% endfor %}
exit: store VLAN interface addresses in NetBox … instead of generating them from prefixes. A NetBox script can be used to create and configure all necessary data for a new VLAN. Instead of VLAN roles “inside" and “outside” we now create separate VRFs for inside VLANs to match the actual exit/firewall configuration. The “outside” VRF is for all VLANs that are directly accessible from the internet. 2024-04-10 12:03:50 +00:00			`{# VRF outside is special, all others are inside but also firewalled from each other. #}`
			`{% set inside_vrfs = interfaces \| selectattr('parent') \| selectattr('parent.name', '==', 'bridge')`
exit: allow multiple VLANs per VRF Turns out that while Cumulus supports “up to” 255 VRFs, no switch it runs on supports more than 64. So we have to turn down paranoia and put internal networks for each tenant in the same VRF. This commit just ensures VRF definitions are not duplicated on exits. 2024-08-04 12:12:26 +00:00			`\| selectattr('vrf') \| map(attribute='vrf') \| rejectattr('name', '==', 'outside') \| unique -%}`
Initial commit, squashed 2023-12-18 10:22:14 +00:00
Add inside and outside roles for VLANs Will probably rename inside/outside and office/server to int/ext. 2024-01-30 11:35:33 +00:00			`# A separate VRF for each inside network so we can firewall between them.`
exit: store VLAN interface addresses in NetBox … instead of generating them from prefixes. A NetBox script can be used to create and configure all necessary data for a new VLAN. Instead of VLAN roles “inside" and “outside” we now create separate VRFs for inside VLANs to match the actual exit/firewall configuration. The “outside” VRF is for all VLANs that are directly accessible from the internet. 2024-04-10 12:03:50 +00:00			`{% for vrf in inside_vrfs %}`
			`auto {{ vrf.name }}`
			`iface {{ vrf.name }}`
Initial commit, squashed 2023-12-18 10:22:14 +00:00			`vrf-table auto`

			`{% endfor %}`