exit: allow multiple VLANs per VRF
Turns out that while Cumulus supports “up to” 255 VRFs, no switch it runs on supports more than 64. So we have to turn down paranoia and put internal networks for each tenant in the same VRF. This commit just ensures VRF definitions are not duplicated on exits.
parent
c239b91d17
commit
9a56e48141
|
@ -3,7 +3,7 @@
|
||||||
| selectattr('role') | selectattr('role.value', '==', 'loopback')
|
| selectattr('role') | selectattr('role.value', '==', 'loopback')
|
||||||
| map(attribute='address') %}
|
| map(attribute='address') %}
|
||||||
{% set inside_vrfs = interfaces | selectattr('parent') | selectattr('parent.name', '==', 'bridge')
|
{% set inside_vrfs = interfaces | selectattr('parent') | selectattr('parent.name', '==', 'bridge')
|
||||||
| selectattr('vrf') | map(attribute='vrf.name') | reject('==', 'outside') | sort %}
|
| selectattr('vrf') | map(attribute='vrf.name') | reject('==', 'outside') | sort | unique %}
|
||||||
|
|
||||||
frr defaults datacenter
|
frr defaults datacenter
|
||||||
log syslog informational
|
log syslog informational
|
||||||
|
@ -239,7 +239,7 @@ ipv6 prefix-list office permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr(
|
||||||
|
|
||||||
# individual prefix lists for each inside network
|
# individual prefix lists for each inside network
|
||||||
{% for prefix in vrf_prefixes | selectattr('vrf.name', 'in', inside_vrfs)
|
{% for prefix in vrf_prefixes | selectattr('vrf.name', 'in', inside_vrfs)
|
||||||
| sort(attribute='family.value') | sort(attribute='vlan.vid') %}
|
| sort(attribute='family.value') | sort(attribute='vrf.name') %}
|
||||||
{% if prefix.family.value == 4 %}
|
{% if prefix.family.value == 4 %}
|
||||||
ip prefix-list {{ prefix.vrf.name }} permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr('prefix') }}
|
ip prefix-list {{ prefix.vrf.name }} permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr('prefix') }}
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|
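Review bot: The comment `# individual prefix lists for each inside network` in the second hunk (`@ -239`) is stale once several VLANs share a VRF. The list is named by `prefix.vrf.name`, so each list now collects every prefix of that VRF rather than a single network. I would reword it to `# one prefix list per inside VRF, covering all networks in that VRF`, so readers do not assume per-network filtering wherever these lists are applied. With `vlan.vid` dropped from the sort, entries of the same VRF and family presumably follow input order; if stable rendered output matters, a further tiebreaker sort is worth adding. The `for` loop continues past the end of the hunk.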
|
@ -1,6 +1,6 @@
|
||||||
{# VRF outside is special, all others are inside but also firewalled from each other. #}
|
{# VRF outside is special, all others are inside but also firewalled from each other. #}
|
||||||
{% set inside_vrfs = interfaces | selectattr('parent') | selectattr('parent.name', '==', 'bridge')
|
{% set inside_vrfs = interfaces | selectattr('parent') | selectattr('parent.name', '==', 'bridge')
|
||||||
| selectattr('vrf') | map(attribute='vrf') | rejectattr('name', '==', 'outside') -%}
|
| selectattr('vrf') | map(attribute='vrf') | rejectattr('name', '==', 'outside') | unique -%}
|
||||||
|
|
||||||
# A separate VRF for each inside network so we can firewall between them.
|
# A separate VRF for each inside network so we can firewall between them.
|
||||||
{% for vrf in inside_vrfs %}
|
{% for vrf in inside_vrfs %}
|
||||||
|
|
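Review bot: In this hunk `unique` runs on whole VRF objects (`map(attribute='vrf')`), unlike the other template, which reduces to `vrf.name` before deduplicating. Deduplication then relies on the objects for one VRF comparing equal across interfaces, and stock Jinja2 `unique` hashes each item, so mapping-valued entries only work if the filter in use falls back to equality comparison (not visible here). Keying on the name is more explicit: `| rejectattr('name', '==', 'outside') | unique(attribute='name') -%}`. The two comments still say each inside network has its own VRF and is firewalled from the others; with a tenant's networks sharing a VRF, I would change them to something like `# One VRF per tenant; networks inside the same VRF are not firewalled from each other.` The `for vrf in inside_vrfs` loop continues outside the hunk.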