From 9a56e481412fb20ceb3af86a11e66759c009674e Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Sun, 4 Aug 2024 14:12:26 +0200
Subject: [PATCH] exit: allow multiple VLANs per VRF
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Turns out that while Cumulus supports “up to” 255 VRFs, no switch it runs on supports more than 64. So we have to turn down paranoia and put internal networks for each tenant in the same VRF. This commit just ensures VRF definitions are not duplicated on exits.
---
 roles/exit/templates/frr.conf.j2 | 4 ++--
 roles/exit/templates/networks.intf.j2 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index d4f6bfe..a9a5e62 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
@@ -3,7 +3,7 @@
 | selectattr('role') | selectattr('role.value', '==', 'loopback') | map(attribute='address') %}
 {% set inside_vrfs = interfaces | selectattr('parent') | selectattr('parent.name', '==', 'bridge')
- | selectattr('vrf') | map(attribute='vrf.name') | reject('==', 'outside') | sort %}
+ | selectattr('vrf') | map(attribute='vrf.name') | reject('==', 'outside') | sort | unique %}
 frr defaults datacenter
 log syslog informational
@@ -239,7 +239,7 @@ ipv6 prefix-list office permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr(
 # individual prefix lists for each inside network
 {% for prefix in vrf_prefixes | selectattr('vrf.name', 'in', inside_vrfs)
- | sort(attribute='family.value') | sort(attribute='vlan.vid') %}
+ | sort(attribute='family.value') | sort(attribute='vrf.name') %}
 {% if prefix.family.value == 4 %}
 ip prefix-list {{ prefix.vrf.name }} permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr('prefix') }}
 {% else %}
diff --git a/roles/exit/templates/networks.intf.j2 b/roles/exit/templates/networks.intf.j2
index a9f3857..99b6d64 100644
--- a/roles/exit/templates/networks.intf.j2
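Review bot: The `| unique` added to the `inside_vrfs` assignment leaves the variable's type up to the renderer: stock Jinja2's `unique` filter yields a generator, which the later `selectattr('vrf.name', 'in', inside_vrfs)` in the second hunk would exhaust after its first membership test, whereas Ansible's `unique` override returns a list. Appending `| list` makes the result renderer-independent: `| selectattr('vrf') | map(attribute='vrf.name') | reject('==', 'outside') | sort | unique | list %}`. Note also that `unique` defaults to `case_sensitive=False`, so two VRF names differing only in case would be merged here while `prefix.vrf.name` in the prefix-list block would still emit both; `unique(case_sensitive=true)` avoids that if such names can occur. The same renderer dependence applies to the `| unique` added in the networks.intf.j2 hunk, where it runs on VRF objects rather than names, so stock Jinja2 would fail on unhashable items and `unique(attribute='name')` would be the portable form there.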
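Review bot: Replacing `sort(attribute='vlan.vid')` with `sort(attribute='vrf.name')` removes the only key that ordered prefixes within one VRF, so with several VLANs per VRF the entries of each `ip prefix-list {{ prefix.vrf.name }}` now follow whatever order `vrf_prefixes` arrived in. FRR assigns prefix-list sequence numbers from that order, so if the inventory source returns prefixes in a different order between runs the rendered config changes on every exit even though the policy did not. Keeping the VLAN key as the innermost sort keeps the output deterministic: `| sort(attribute='vlan.vid') | sort(attribute='family.value') | sort(attribute='vrf.name') %}`. The `{% for %}` body continues past the end of the hunk.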
+++ b/roles/exit/templates/networks.intf.j2
@@ -1,6 +1,6 @@
 {# VRF outside is special, all others are inside but also firewalled from each other. #}
 {% set inside_vrfs = interfaces | selectattr('parent') | selectattr('parent.name', '==', 'bridge')
- | selectattr('vrf') | map(attribute='vrf') | rejectattr('name', '==', 'outside') -%}
+ | selectattr('vrf') | map(attribute='vrf') | rejectattr('name', '==', 'outside') | unique -%}
 # A separate VRF for each inside network so we can firewall between them.
 {% for vrf in inside_vrfs %}