'vrf groups' to contain a Layer3 domain of RFC1918's over several small vrfs

[PieterL75]

I'm looking for some assitance in how Netbox can accomodate different "Layer3 zones"

We're a mesh of several companies together, and we all have our 'legacy' network and a brandnew-shared network.
Of course everybody has been using RFC1918 for the internal networks.
Inside each legacy network there are several vrf's that separate based on 'function' or 'security' layer, but all VRF's pick IPs out of the same ranges.

So we have

• Layer3 Legacy A - 10.0.0.0/8

• vrf offices - 10.1.0.0/16
• vrf customers - 10.10.0.0/16
• vrf storage - 10.129.0.0/16

• Layer3 Legacy B - 10.0.0.0/8

• vrf offices - 10.1.0.0/16
• vrf customers - 10.100.0.0/16
• vrf storage - 10.240.0.0/16

I thinking of the option that one ip range (10.0.0.0/8) can be combined with several VRF's.. like a 'vrf group', and the prefixes have to be unique within the group.
this means that in 'Legacy group A - vrf offices' we cannot add 10.10.0.0/16 anymore, as it is used in the 'Legacy group A - vrf customers'

In Legacy group B - vrf offices' we can add the 10.10.0.0/16 as it is not used anywhere in the vrf 'group'

Is this something that can be done already with the current functions of netbox ?

Pieter

[candlerb]

A Netbox VRF is really just an "IP address namespace" - meaning that prefixes in one VRF can overlap with prefixes in another VRF. So to achieve what you want, what you are calling a "VRF group" is modelled as simply a "VRF" in Netbox.

That is, you need two VRFs in Netbox: "Legacy A" and "Legacy B" - even if for routing policy reasons some of those subnets are in different network zones, isolated by VRFs. You can add a custom field to each prefix to indicate what real VRF / network zone it is assigned to.

[PieterL75]

Brian,

That was indeed the way I was going with the current features.

I can create 2 'group' vrfs and create 'child' vrf, but only populate the 'group' vrf with ip addresses.
Add some custom field that refers to the 'child' vrf (maybe a custom text that refers to the vrf, and a custom link that automatically brings me to the child vrf) that is added to the prefix (and the ip addresses)

Of course this approach will lack the 'general' way of provisioning and using ip addresses and prefixes.. I always have to add that custom field manually.

It is an option for now, but I would like to propose a feature request that can accommodate this kind of setup. Do you think that is a feasible option ?

Pieter

[candlerb]

Maybe this feature introduced in Netbox v2.10.0 is what you're looking for:

Route Targets (#259)

This release introduces support for modeling L3VPN route targets, which can be used to control the redistribution of > advertised prefixes among VRFs. Each VRF may be assigned one or more route targets in the import and/or export direction. Like VRFs, route targets may be assigned to tenants and support tag assignment.

[PieterL75]

I took a look at that #259.
Route targets are indeed a way to link IP space of different VRF to one IP space.
I tested it out in v2.11.7, but it seems that there is no validation that prefix exists in another VRF that is of the same route-target...
It was no problem to create the same prefix in 2 vrf that share the same route-target (import and export)

too bad, it was a good possible option.

I still like the 'layer3 domain' group vrf idea thought... where you can say that all vrfs in one L3 domain cannot have overlapping prefixes...

pieter