rc/network
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rc:3b3e759cc18f9dd158e1329fa8573ef45ba87eef
Branches Tags
rc:master
..
compare: rc:d3196a48c2e3e1a1449725ef225174e37b8a0416
Branches Tags
rc:master

5 commits
3b3e759cc1 ... d3196a48c2

Author SHA1 Message Date
Timotej Lazar
d3196a48c2 firewall: set up resolv.conf 
To use IPv6 nameserver addresses.
 2025-03-26 12:32:54 +01:00
Timotej Lazar
f9f71bb337 firewall: don’t import or advertise subnets for inside networks 
This is part two to commit 3b3e759c.
 2025-03-26 12:32:54 +01:00
Timotej Lazar
cafa938da3 firewall: consolidate IPv4 and IPv6 address families for BGP 2025-03-26 12:32:50 +01:00
Timotej Lazar
8a0113ea49 leaf: consolidate IPv4 and IPv6 address families for BGP 
Same applies to spine.
 2025-03-26 01:33:33 +01:00
Timotej Lazar
d667a38553 exit: consolidate IPv4 and IPv6 address families 
In BGP router configuration for default and inside VRFs.
 2025-03-26 01:28:08 +01:00
5 changed files with 32 additions and 75 deletions
Show stats Expand all files Collapse all files

59
roles/exit/templates/frr.conf.j2
View file

@ -37,18 +37,8 @@ router bgp {{ asn.asn }}
neighbor {{ iface }} bfd 3 150 150 neighbor {{ iface }} bfd 3 150 150
{% endfor %} {% endfor %}
address-family ipv4 unicast {% for family in ['ipv4', 'ipv6'] %}
redistribute connected route-map loopback address-family {{ family }} unicast
neighbor fabric soft-reconfiguration inbound
neighbor fabric route-map fabric->default in
neighbor fabric route-map default->fabric out
import vrf outside
import vrf route-map default-import
exit-address-family
address-family ipv6 unicast
redistribute connected route-map loopback redistribute connected route-map loopback
neighbor fabric activate neighbor fabric activate
@ -60,6 +50,7 @@ router bgp {{ asn.asn }}
import vrf route-map default-import import vrf route-map default-import
exit-address-family exit-address-family
{% endfor %}
address-family l2vpn evpn address-family l2vpn evpn
advertise-all-vni advertise-all-vni
advertise-default-gw advertise-default-gw
@ -86,10 +77,12 @@ router bgp {{ asn.asn }} vrf outside
{% endfor %} {% endfor %}
address-family ipv4 unicast address-family ipv4 unicast
neighbor peerlink.4 activate
neighbor peerlink.4 soft-reconfiguration inbound neighbor peerlink.4 soft-reconfiguration inbound
neighbor peerlink.4 route-map peer.4->me in neighbor peerlink.4 route-map peer.4->me in
neighbor peerlink.4 route-map me->peer.4 out neighbor peerlink.4 route-map me->peer.4 out
neighbor firewall activate
neighbor firewall allowas-in 1 neighbor firewall allowas-in 1
neighbor firewall default-originate neighbor firewall default-originate
neighbor firewall soft-reconfiguration inbound neighbor firewall soft-reconfiguration inbound
@ -144,27 +137,8 @@ router bgp {{ asn.asn }} vrf inside
neighbor {{ iface }}.2 bfd 3 150 150 neighbor {{ iface }}.2 bfd 3 150 150
{% endfor %} {% endfor %}
address-family ipv4 unicast {% for family in ['ipv4', 'ipv6'] %}
neighbor peerlink.2 soft-reconfiguration inbound address-family {{ family }} unicast
neighbor peerlink.2 route-map peer.2->me in
neighbor peerlink.2 route-map me->peer.2 out
neighbor firewall allowas-in 1
neighbor firewall soft-reconfiguration inbound
neighbor firewall route-map inside->firewall out
{% for iface in ifaces_firewall %}
neighbor {{ iface }}.2 route-map firewall-{{ loop.index }}->inside in
{% endfor %}
redistribute connected route-map loopback-inside
{% for vrf in inside_vrfs %}
import vrf {{ vrf }}
{% endfor %}
import vrf default
import vrf route-map inside-import
exit-address-family
address-family ipv6 unicast
neighbor peerlink.2 activate neighbor peerlink.2 activate
neighbor peerlink.2 soft-reconfiguration inbound neighbor peerlink.2 soft-reconfiguration inbound
neighbor peerlink.2 route-map peer.2->me in neighbor peerlink.2 route-map peer.2->me in
@ -186,25 +160,15 @@ router bgp {{ asn.asn }} vrf inside
import vrf route-map inside-import import vrf route-map inside-import
exit-address-family exit-address-family
{% endfor %}
{% for vrf in vrfs.values() | selectattr('name', 'in', inside_vrfs) %} {% for vrf in vrfs.values() | selectattr('name', 'in', inside_vrfs) %}
router bgp {{ asn.asn }} vrf {{ vrf.name }} router bgp {{ asn.asn }} vrf {{ vrf.name }}
bgp bestpath as-path multipath-relax bgp bestpath as-path multipath-relax
address-family ipv4 unicast {% for family in ['ipv4', 'ipv6'] %}
redistribute connected address-family {{ family }} unicast
import vrf inside
{% if vrf.custom_fields.imports %}
{% for import in vrf.custom_fields.imports %}
import vrf {{ import.name }}
{% endfor %}
import vrf route-map {{ vrf.name }}-import
{% else %}
import vrf route-map office-import
{% endif %}
exit-address-family
address-family ipv6 unicast
redistribute connected redistribute connected
import vrf inside import vrf inside
{% if vrf.custom_fields.imports %} {% if vrf.custom_fields.imports %}
@ -218,6 +182,7 @@ router bgp {{ asn.asn }} vrf {{ vrf.name }}
exit-address-family exit-address-family
{% endfor %} {% endfor %}
{% endfor %}
# Prefix lists. # Prefix lists.
ip prefix-list default permit 0.0.0.0/0 ip prefix-list default permit 0.0.0.0/0

6
roles/firewall/tasks/main.yml
View file

@ -51,6 +51,12 @@
mode: 0644 mode: 0644
notify: enable interfaces notify: enable interfaces
- name: Set up resolv.conf
template:
dest: /etc/resolv.conf
src: resolv.conf.j2
mode: 0644
- name: Set up sysctls - name: Set up sysctls
template: template:
dest: /etc/sysctl.d/firewall.conf dest: /etc/sysctl.d/firewall.conf

26
roles/firewall/templates/frr.conf.j2
View file

@ -40,26 +40,14 @@ router bgp {{ asn.asn }}
neighbor {{ iface.name }}.4 bfd profile fast neighbor {{ iface.name }}.4 bfd profile fast
{% endfor %} {% endfor %}
address-family ipv4 unicast {% for family in ['ipv4', 'ipv6'] %}
address-family {{ family }} unicast
{% if family == 'ipv4' %}
{% for network in nat %} {% for network in nat %}
network {{ network }} network {{ network }}
{% endfor %} {% endfor %}
redistribute connected route-map loopback {% endif %}
maximum-paths 16
neighbor outside soft-reconfiguration inbound
neighbor outside route-map outside->default in
neighbor outside route-map default->outside out
neighbor inside allowas-in origin
neighbor inside default-originate
neighbor inside soft-reconfiguration inbound
neighbor inside route-map inside->default in
neighbor inside route-map default->inside out
exit-address-family
address-family ipv6 unicast
redistribute connected route-map loopback redistribute connected route-map loopback
maximum-paths 16 maximum-paths 16
@ -76,6 +64,8 @@ router bgp {{ asn.asn }}
neighbor inside route-map default->inside out neighbor inside route-map default->inside out
exit-address-family exit-address-family
{% endfor %}
# Prefix lists. # Prefix lists.
ip prefix-list default permit 0.0.0.0/0 ip prefix-list default permit 0.0.0.0/0
ipv6 prefix-list default permit ::/0 ipv6 prefix-list default permit ::/0
@ -85,9 +75,9 @@ ip prefix-list fabric permit 10.34.0.0/24 ge 32
{% for prefix in vrf_prefixes | rejectattr('vrf.name', '==', 'outside') {% for prefix in vrf_prefixes | rejectattr('vrf.name', '==', 'outside')
| sort(attribute='family.value') %} | sort(attribute='family.value') %}
{% if prefix.family.value == 4 %} {% if prefix.family.value == 4 %}
ip prefix-list office permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr('prefix') }} ip prefix-list office permit {{ prefix.prefix }}
{% elif prefix.family.value == 6 %} {% elif prefix.family.value == 6 %}
ipv6 prefix-list office permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr('prefix') }} ipv6 prefix-list office permit {{ prefix.prefix }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}

12
roles/leaf/templates/frr.conf.j2
View file

@ -41,7 +41,8 @@ router bgp {{ asn.asn }}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
address-family ipv4 unicast {% for family in ['ipv4', 'ipv6'] %}
address-family {{ family }} unicast
redistribute connected route-map loopbacks redistribute connected route-map loopbacks
neighbor fabric activate neighbor fabric activate
{% for tenant in my_tenants %} {% for tenant in my_tenants %}
@ -51,16 +52,7 @@ router bgp {{ asn.asn }}
{% endfor %} {% endfor %}
exit-address-family exit-address-family
address-family ipv6 unicast
redistribute connected route-map loopbacks
neighbor fabric activate
{% for tenant in my_tenants %}
neighbor dc-{{ tenant }} activate
neighbor dc-{{ tenant }} route-map dc-{{ tenant }}->default in
neighbor dc-{{ tenant }} route-map default->dc out
{% endfor %} {% endfor %}
exit-address-family
address-family l2vpn evpn address-family l2vpn evpn
neighbor fabric activate neighbor fabric activate
{% for iface in ifaces_evpn|default([]) %} {% for iface in ifaces_evpn|default([]) %}

4
templates/resolv.conf.j2 Normal file
View file

@ -0,0 +1,4 @@
search {{ domain }}
{% for server in dns6 %}
nameserver {{ server }}
{% endfor %}