Query prefixes once for all hosts
And group them into vrf_prefixes for VLAN networks and bgp_prefixes for servers plugged directly into the fabric. This should reduce the number of queries to NetBox when configuring firewalls and exit switches. I'm not sure, but I think set_fact helps to avoid queries (as opposed to setting group_vars).
							parent
							
								
									1c0709a6a6
								
							
						
					
					
						commit
						457ab7d3b7
					
				
					 10 changed files with 52 additions and 50 deletions
				
			
		| 
						 | 
				
			
			@ -213,17 +213,15 @@ ipv6 prefix-list default permit ::/0
 | 
			
		|||
ip prefix-list fabric permit 10.34.0.0/24 ge 32
 | 
			
		||||
ipv6 prefix-list fabric permit 2001:1470:fffd:3400::/64 ge 128
 | 
			
		||||
 | 
			
		||||
{% for vrf in inside_vrfs %}
 | 
			
		||||
{% set prefixes = query('netbox.netbox.nb_lookup', 'prefixes', api_filter='vrf_id='~vrf.id, raw_data=true)
 | 
			
		||||
        | sort(attribute='family.value') %}
 | 
			
		||||
{% for prefix in prefixes %}
 | 
			
		||||
{% for prefix in vrf_prefixes
 | 
			
		||||
    | selectattr('vrf.id', 'in', inside_vrfs|map(attribute='id'))
 | 
			
		||||
    | sort(attribute='family.value') | sort(attribute='vlan.vid') %}
 | 
			
		||||
{% if prefix.family.value == 4 %}
 | 
			
		||||
ip prefix-list office permit {{ prefix.prefix }} ge 24
 | 
			
		||||
{% else %}
 | 
			
		||||
ipv6 prefix-list office permit {{ prefix.prefix }} ge 64
 | 
			
		||||
{% endif %}
 | 
			
		||||
{% endfor %}
 | 
			
		||||
{% endfor %}
 | 
			
		||||
 | 
			
		||||
{% if wg_net is defined %}
 | 
			
		||||
ip prefix-list vpn permit {{ wg_net | ipaddr('subnet') }}
 | 
			
		||||
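Review bot: The added `| sort(attribute='vlan.vid')` on the vrf_prefixes loop introduces a render failure the old per-VRF query did not have: if any prefix in the selected VRFs has no VLAN assigned, the sort compares a null/undefined `vid` against integers and the whole template errors out, leaving the device without a config update. The description says vrf_prefixes holds VLAN networks, so the set_fact that builds it may guarantee this, but that guarantee lives in another file and is not visible here; a comment at the loop such as `{# vrf_prefixes comes from set_fact in the play; every entry is expected to carry a vlan, otherwise the vlan.vid sort fails #}` would record the assumption. Note also that the order of office prefix-list entries changes from per-VRF/family to VLAN-then-family; since the list is permit-only with no explicit sequence numbers this should not change what is matched, but the rendered config diff on devices will be large on first deploy.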
| 
						 | 
				
			
			@ -237,7 +235,7 @@ ip prefix-list nat permit {{ wg_ip | ipaddr('host') }}
 | 
			
		|||
ip prefix-list nat permit {{ network }}
 | 
			
		||||
{% endfor %}
 | 
			
		||||
 | 
			
		||||
{% for prefix in query('netbox.netbox.nb_lookup', 'prefixes', raw_data=true, api_filter='role=bgp') | selectattr('tenant') %}
 | 
			
		||||
{% for prefix in bgp_prefixes | sort(attribute='family.value') %}
 | 
			
		||||
{% if prefix.family.value == 4 %}
 | 
			
		||||
ip prefix-list dc permit {{ prefix.prefix }} ge 32
 | 
			
		||||
{% else %}
 | 
			
		||||
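Review bot: The `| selectattr('tenant')` filter from the replaced query line is gone from the new bgp_prefixes loop, so unless the set_fact that builds bgp_prefixes applies the same tenant filter, role=bgp prefixes without a tenant now land in the `dc` prefix-list (ge 32) and are permitted by every route-map that references it. That widens an allow-list as a side effect of a refactor, and the fact is built in a file not shown here, so the constraint is better kept local to the template: `{% for prefix in bgp_prefixes | selectattr('tenant') | sort(attribute='family.value') %}`. If the fact is already filtered the extra selectattr is a no-op and documents the intent. The if/else block for the address-family branches continues past the end of the hunk.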
| 
						 | 
				
			
			@ -281,7 +279,7 @@ route-map inside-import permit 21
 | 
			
		|||
  match ipv6 address prefix-list office
 | 
			
		||||
 | 
			
		||||
# Route maps for advertised and received routes.
 | 
			
		||||
# Inside ↔ fabric.
 | 
			
		||||
# Default VRF ↔ fabric.
 | 
			
		||||
route-map default->fabric permit 10
 | 
			
		||||
  match ip address prefix-list default
 | 
			
		||||
route-map default->fabric permit 11
 | 
			
		||||
| 
						 | 
				
			
			@ -296,7 +294,7 @@ route-map fabric->default permit 20
 | 
			
		|||
route-map fabric->default permit 21
 | 
			
		||||
  match ipv6 address prefix-list dc
 | 
			
		||||
 | 
			
		||||
# Inside ↔ firewall.
 | 
			
		||||
# Inside VRF ↔ firewall.
 | 
			
		||||
route-map inside->firewall permit 1
 | 
			
		||||
  match interface lo
 | 
			
		||||
route-map inside->firewall permit 20
 | 
			
		||||
| 
						 | 
				
			
			@ -313,7 +311,7 @@ route-map firewall->inside permit 10
 | 
			
		|||
route-map firewall->inside permit 11
 | 
			
		||||
  match ipv6 address prefix-list default
 | 
			
		||||
 | 
			
		||||
# Outside ↔ firewall.
 | 
			
		||||
# Outside VRF ↔ firewall.
 | 
			
		||||
route-map outside->firewall permit 10
 | 
			
		||||
  match ip address prefix-list default
 | 
			
		||||
route-map outside->firewall permit 11
 | 
			
		||||
| 
						 | 
				
			