Fix for PXE Vlan

[majst01]

Now all deployments use the same topology for the PXE/DHCP Vlan setup, we can now use the built-in template, to make the frr template during deployment obsolet.

[robertvolkmann]

Do we really want that the firewalls know the PXE Vlans?

[majst01]

Do we really want that the firewalls know the PXE Vlans?

For sure not, i simply copied over the template which is actually deployed in both environments.

Maybe we should add another review round to the frr template, this will be true for both, sonic and cumulus flavour

[robertvolkmann]

To prevent this, we should use something like:

 address-family ipv4 unicast
  redistribute connected route-map LOOPBACKS
  redistribute connected route-map VLAN4000
  neighbor FIREWALL allowas-in 2
  neighbor FIREWALL route-map LOOPBACKS out
  {{- range $k, $f := .Ports.Firewalls }}
  neighbor {{ $f.Port }} route-map fw-{{ $k }}-in in
  {{- end }}
 exit-address-family
 !
...
route-map LOOPBACKS permit 10
  match interface Loopback0
!
ip prefix-list VLAN4000 seq 10 permit <local PXE Vlan CIDR>
route-map VLAN4000 permit 10
  match ip address prefix-list VLAN4000
!

[mreiger]

@robertvolkmann Your suggestion looks good to me.

Even simpler maybe:

route-map VLAN4000 permit 10
  match interface Vlan4000

What do you think?

[robertvolkmann]

I tried but it doesn't worked for me. I don't know why.

[Gerrit91]

I created a follow-up issue regarding visibility of the VLANs on the firewalls: #101. @robertvolkmann