Routed through and mostly dropped by the firewall, of course. So we
don’t necessarily have to do NAT for everything that comes from the
old / USI network.
And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.
This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).
… instead of generating them from prefixes. A NetBox script can be
used to create and configure all necessary data for a new VLAN.
Instead of VLAN roles “inside" and “outside” we now create separate
VRFs for inside VLANs to match the actual exit/firewall configuration.
The “outside” VRF is for all VLANs that are directly accessible from
the internet.
Timotej Lazar