netbox-community / netbox

The premier source of truth powering network automation. Open source under Apache 2. Try NetBox Cloud free: https://netboxlabs.com/free-netbox-cloud/
http://netboxlabs.com/oss/netbox/
Apache License 2.0
16k stars 2.56k forks

Assign Multiple L2VPN / VPLS to a Single Endpoint #10404

Closed kvedder-amplex closed 2 years ago

kvedder-amplex commented 2 years ago

NetBox version

v3.3.3

Feature type

Change to existing functionality

Proposed functionality

On our current routers, we can assign multiple VPLS circuits to a single interface. We cannot do this to VPWS interfaces. I would like to modify the restriction that limits a VPLS endpoint to a single instance/circuit.

Use case

It allows the modeling to align with the possibilities offered by vendors.

Database changes

I don't foresee any DB changes, I suspect modifying some python on model save is what restricts it to one circuit per endpoint currently. Changing the python to allow for more than one circuit if the type is VPLS shouldn't be awful. I am willing to put in the PR.

External dependencies

None.

kvedder-amplex commented 2 years ago

I see this in the model.

    # Only check if L2VPN is set and is of type P2P
    if hasattr(self, 'l2vpn') and self.l2vpn.type in L2VPNTypeChoices.P2P:
        terminations_count = L2VPNTermination.objects.filter(l2vpn=self.l2vpn).exclude(pk=self.pk).count()
        if terminations_count >= 2:
            l2vpn_type = self.l2vpn.get_type_display()
            raise ValidationError(
                f'{l2vpn_type} L2VPNs cannot have more than two terminations; found {terminations_count} already '
                f'defined.'
            )

This makes sense, as L2VPNTypeChoices.P2P includes:

    TYPE_VPWS,
    TYPE_EPL,
    TYPE_EPLAN,
    TYPE_EPTREE

The error I get is from:

    if self.assigned_object:
        obj_id = self.assigned_object.pk
        obj_type = ContentType.objects.get_for_model(self.assigned_object)
        if L2VPNTermination.objects.filter(assigned_object_id=obj_id, assigned_object_type=obj_type).\
                exclude(pk=self.pk).count() > 0:
            raise ValidationError(f'L2VPN Termination already assigned ({self.assigned_object})')

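
The two checks quoted above, re-implemented as an added, dependency-free example (this is not NetBox's own code) so the order in which they fire can be observed without a Django database. The in-memory store, the `(type, id)` tuple standing in for the GenericForeignKey, and the demo data are assumptions made for the illustration:

```python
# Added example, not NetBox code: a plain-Python mirror of the two rules in
# L2VPNTermination.clean(). Store, names and sample data are assumptions.
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple

# Types NetBox treats as point-to-point (L2VPNTypeChoices.P2P as quoted in the thread)
P2P_TYPES = {"vpws", "epl", "eplan", "eptree"}


class ValidationError(Exception):
    pass


@dataclass
class L2VPN:
    name: str
    type: str


@dataclass
class Termination:
    l2vpn: L2VPN
    assigned_object: Tuple[str, int]  # (object type, object id), e.g. ("interface", 7)
    pk: Optional[int] = None


class TerminationStore:
    """Stand-in for L2VPNTermination.objects: saved terminations kept in memory."""

    def __init__(self) -> None:
        self._rows: Dict[int, Termination] = {}
        self._ids = count(1)

    def _count(self, pred, exclude_pk: Optional[int]) -> int:
        return sum(1 for t in self._rows.values() if t.pk != exclude_pk and pred(t))

    def clean(self, term: Termination) -> None:
        """Apply the two rules in the order they appear in the model."""
        # Rule 1: point-to-point L2VPNs may carry at most two terminations.
        if term.l2vpn.type in P2P_TYPES:
            n = self._count(lambda t: t.l2vpn is term.l2vpn, term.pk)
            if n >= 2:
                raise ValidationError(
                    f"{term.l2vpn.type.upper()} L2VPNs cannot have more than two "
                    f"terminations; found {n} already defined."
                )
        # Rule 2: an interface/VLAN object may hold only one termination, whatever the type.
        if self._count(lambda t: t.assigned_object == term.assigned_object, term.pk) > 0:
            raise ValidationError(f"L2VPN Termination already assigned ({term.assigned_object})")

    def save(self, term: Termination) -> Termination:
        self.clean(term)
        if term.pk is None:
            term.pk = next(self._ids)
        self._rows[term.pk] = term
        return term


def try_save(store: TerminationStore, term: Termination) -> Optional[str]:
    """None on success, otherwise the validation message."""
    try:
        store.save(term)
        return None
    except ValidationError as exc:
        return str(exc)


def demo() -> List[Optional[str]]:
    store = TerminationStore()
    vpws = L2VPN("VPWS-A", "vpws")
    vpls1 = L2VPN("VPLS-LOCATION-1000", "vpls")
    vpls2 = L2VPN("VPLS-BNG1", "vpls")
    return [
        # VPWS: two terminations pass, the third trips rule 1
        try_save(store, Termination(vpws, ("interface", 1))),
        try_save(store, Termination(vpws, ("interface", 2))),
        try_save(store, Termination(vpws, ("interface", 3))),
        # VPLS: any number of terminations, as long as each object is distinct
        try_save(store, Termination(vpls1, ("interface", 10))),
        try_save(store, Termination(vpls1, ("interface", 11))),
        try_save(store, Termination(vpls1, ("interface", 12))),
        # A second VPLS on an interface already used: rule 1 is skipped (not P2P),
        # rule 2 rejects it. This is the error reported in the issue.
        try_save(store, Termination(vpls2, ("interface", 10))),
        # The same VPLS on a distinct (sub-)interface object passes
        try_save(store, Termination(vpls2, ("interface", 100))),
    ]


if __name__ == "__main__":
    for r in demo():
        print("ok" if r is None else f"rejected: {r}")
```

Running it shows that the type-dependent limit only ever applies to the P2P types; the rejection the issue hits comes from the type-independent one-termination-per-object rule.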
shatt79 commented 2 years ago

Here's the thing... by definition, a VPWS circuit is point-to-point. There is no MAC learning on a true VPWS circuit, so it can only be point-to-point. The ONLY types of virtual circuits that could qualify as VPWS are EPL and EVPL. EPLAN, EVPLAN, EPTREE and EVPTREE are point-to-multipoint circuits and would never be considered VPWS.

ALL VPWS circuits are either EPLAN or EVPLAN, but not all EPLAN or EVPLANs are VPWS. What determines that is the configuration on the device. On IOS-XR, a VPWS is built as a xconnect group. P2MPs are built as bridge-domains. You can absolutely build a P2P in a bridge-domain, but MAC learning will occur and by definition NOT be a VPWS.

So... the definitions in the model are wrong. It should say:

TYPE_VPWS, TYPE_EPL, TYPE_EVPL

TYPE_VPLS, TYPE_EPL, TYPE_EVPL, TYPE_EPTREE, TYPE_EVPTREE, TYPE_EPLAN, TYPE_EVPLAN

shatt79 commented 2 years ago

Also, if you want to use a single physical endpoint to terminate multiple virtual circuits, you must use a type of L2 circuit that begins with "EV", and you must use sub-interfaces. EPL, EP-TREE, and EP-LAN can only use physical ports as terminations.

EVPL, EVP-TREE, and EVPLs all use virtual/sub-interfaces with carrier ethernet tagging methods. It's what the MEF calls a multiplexed port. With this, you're not actually connecting the physical port to the L2VPN instance, but the logical/sub-interface. You can NOT attach a single physical or logical interface to multiple L2VPNs. Ever. Neither in Netbox or in the real world. Not without some intermediary device bridging the two LANs together.

kvedder-amplex commented 2 years ago

Well, let me define that a bit more. I was specifically referring to a physical interface, not a logical one.

shatt79 commented 2 years ago

So yeah... that's by design then. A single physical port cannot be a member of more than 1 L2VPN or VFI. That would be the equivalent of an access port being a member of two VLANs.

kvedder-amplex commented 2 years ago

Then why am I currently using VPLS with multiple circuits configured on a single physical interface? I must be missing something.

Sanitized Config:

interface ge2
 description TO-SWITCH
 switchport
 mtu 9216
 mpls-vpls VPLS-LOCATION-1000 service-template VPLS-LOCATION-1000
  exit-if-vpls
 mpls-vpls VPLS-BNG1 service-template VPLS-BNG1
  exit-if-vpls
!

I've seen the limitation you describe with VPWS, but not VPLS.

I am obviously not as familiar as you with all of the protocols and how they are designed. Go easy on me. I am more than willing to learn.

baldgeek commented 2 years ago

We also output multiple VPLS vlans on a single physical port. You aren't doing anything unusual.

DanSheps commented 2 years ago

What does your service template say?

It is likely defining a subint within that service template.

It would be weird for you to be terminating multiple VPLS' directly to the physical port, likely you are terminating to a service instance or subint.

shatt79 commented 2 years ago

There has to be SOMETHING on the interface that identifies the unique traffic that belongs to specific L2VPNs/bridge-domains. Think about it from an ingress perspective: How does the interface know what frames to place on each L2VPN/EVC/bridge-domain? In most cases, that is done through the matching of 1 or more VLAN tags.

This is the interesting part of your config:

 mpls-vpls VPLS-LOCATION-1000 service-template VPLS-LOCATION-1000
  exit-if-vpls
 mpls-vpls VPLS-BNG1 service-template VPLS-BNG1
  exit-if-vpls

The interface is referencing two different service templates. What is defined by those templates? I'll bet that if you dig into the config you'll find them and there will be unique VLAN/tagging information for each. It'll probably have something like a "match" command. E.g., "match outer tag 123" or something along those lines.

Even though the config is a little bit different than the traditional Cisco/sub-interface model, it's still essentially multiple virtual interfaces under the single physical interface.

Here are three examples of how different vendors do this. There are two from Cisco, and one from another vendor that appears to be what you're using:

Cisco IOS-XR model (sub-interfaces):

interface gi0/0/0/0
 mtu 9216
 no shut
!
interface gi0/0/0/0.10 l2transport
 encapsulation dot1q 10
 rewrite ingress tag pop 1 symmetric
!
interface gi0/0/0/0.20 l2transport
 encapsulation dot1q 20 second-dot1q 5
 rewrite ingress tag pop 2 symmetric
!
l2vpn
 bridge-group L2VPNs
  bridge-domain CUSTOMER_ABC
   interface gi0/0/0/0.10
   neighbor 10.20.30.40 pw-id 12345
    encapsulation mpls
  !
  bridge-domain CUSTOMER_XYZ
   interface gi0/0/0/0.20
   neighbor 10.20.30.40 pw-id 67890
    encapsulation mpls

Cisco IOS-XE model (service instances):

interface gi0/0/0
 mtu 9216
 no shut
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
 service instance 20 ethernet
  encapsulation dot1q 20 second-dot1q 5
  rewrite ingress tag pop 2 symmetric
  bridge-domain 20
!
l2 vfi CUSTOMER_ABC manual
 vpn id 12345
 bridge-domain 10
 neighbor 10.20.30.40 12345
!
l2 vfi CUSTOMER_XYZ manual

Your model (service templates):

interface ge2
 mtu 9216
 switchport
 mpls-vpls VPLS-LOCATION-1000 service-template VPLS-LOCATION-1000
  exit-if-vpls
 mpls-vpls VPLS-BNG1 service-template VPLS-BNG1
  exit-if-vpls
!
service-template VPLS-LOCATION-1000
 match outer-vlan 10
 rewrite ingress pop outgoing-tpid dot1q
!
service-template VPLS-BNG1
 match double-tag outer-vlan 20 inner-vlan 5
 rewrite ingress pop outgoing-tpid dot1q

Same config, different vendors. But it's exactly what I stated before: multiple logical interfaces under a common physical interface. The vendors just handle them a bit differently. You simply can NOT have multiple L2VPNs/broadcast domains terminate to a single physical port. You just can't. It violates all the rules of ethernet and L2 switching. Think about it: If you had multiple L2VPN/bridge-domains terminating to a single physical port, then every one of your customers attached to that physical port would be receiving copies of every frame on every L2VPN/EVC terminating to that port. I won't even talk about the loops you'd have...
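
As an added example (not from the thread or from any vendor), a small 802.1Q/QinQ classifier that does what the service templates above describe: it reads the tag stack off an ingress frame, matches it against per-domain rules and pops the matched tags before the frame enters the bridge domain. The frame bytes, the dummy MACs and the template rules are constructed for the illustration; that the double-tag template pops two tags is an assumption taken from the IOS-XR example, not from the vendor config.

```python
# Added example: ingress VLAN-tag classification onto bridge domains.
# Frames, MACs and template rules below are constructed test data.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TPID_DOT1Q = 0x8100           # customer tag
TPID_QINQ = 0x88A8            # 802.1ad service (outer) tag
TAG_TPIDS = {TPID_DOT1Q, TPID_QINQ, 0x9100}


@dataclass(frozen=True)
class ServiceTemplate:
    domain: str                       # bridge domain / VPLS instance the match feeds
    outer_vlan: int                   # "match outer-vlan N"
    inner_vlan: Optional[int] = None  # set for "match double-tag outer-vlan N inner-vlan M"
    pop: int = 1                      # "rewrite ingress tag pop N"


def parse_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return the VLAN ID stack (outer first) and the offset of the payload EtherType."""
    vids: List[int] = []
    off = 12                          # skip destination and source MAC
    while off + 4 <= len(frame):
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in TAG_TPIDS:
            break
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, off


def classify(frame: bytes, templates: List[ServiceTemplate]) -> Optional[Tuple[str, bytes]]:
    """Pick the bridge domain for a frame; return (domain, rewritten frame) or None."""
    vids, _ = parse_tags(frame)
    # Most specific first: double-tag rules before single-tag rules.
    for t in sorted(templates, key=lambda t: t.inner_vlan is None):
        if not vids or vids[0] != t.outer_vlan:
            continue
        if t.inner_vlan is not None and (len(vids) < 2 or vids[1] != t.inner_vlan):
            continue
        pop = min(t.pop, len(vids))
        rewritten = frame[:12] + frame[12 + 4 * pop:]   # strip 'pop' tags, keep MACs
        return t.domain, rewritten
    return None   # no rule matched: dropped, never flooded into every domain on the port


def build_frame(vids: List[int], ethertype: int = 0x0800, payload: bytes = b"\x00" * 8) -> bytes:
    """Construct a frame carrying the given tag stack (test input only)."""
    hdr = b"\x02" * 6 + b"\x04" * 6   # locally administered dummy MACs
    tags = b""
    for i, vid in enumerate(vids):
        tpid = TPID_QINQ if (len(vids) > 1 and i == 0) else TPID_DOT1Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + tags + struct.pack("!H", ethertype) + payload


# The two service templates from the vendor config, expressed as match rules
TEMPLATES = [
    ServiceTemplate("VPLS-LOCATION-1000", outer_vlan=10),
    ServiceTemplate("VPLS-BNG1", outer_vlan=20, inner_vlan=5, pop=2),
]

if __name__ == "__main__":
    for stack in ([10], [20, 5], [20, 6], [30], []):
        hit = classify(build_frame(stack), TEMPLATES)
        print(stack, "->", hit[0] if hit else "dropped")
```

A single physical port therefore carries several domains only because each frame is steered by its tags; a frame that matches no template (wrong inner tag, unknown outer tag, or untagged in this constructed setup) is returned as None rather than being handed to every domain on the port.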

vincentschuele commented 2 years ago

I believe the request is to map VPLS/VPWS instances to subinterfaces on one physical port. This is supported on most vendors.

DanSheps commented 2 years ago

I believe the request is to map VPLS/VPWS instances to subinterfaces on one physical port. This is supported on most vendors.

Sub-interfaces are already available for assignment for specifically the reasons stated above by @shatt79

DanSheps commented 2 years ago

So, I did a little research on the config.

It appears this is for MikroTik.

Here would be a full config:

mpls vpls TEST 10
 signaling bgp
  ve-id 10
  exit-signaling
 exit-vpls
!
service-template TEST
 match outer-vlan 10
!
interface xe2
 switchport
 mpls-vpls TEST service-template TEST
  exit-if-vpls

How this should be modelled in NetBox:

(1) Physical Interface (xe2 as a tagged port)
(1+) Virtual Interfaces (xe2.10, tagged port with vid 10 as the allowed tag -- tagged/untagged could all be viable here)
(1) VPLS L2VPN: TEST, Identifier: 10
(1+) L2VPN Termination (Interface xe2.10)

All this being said, I do not believe this is a valid FR as it does not meet real-world implementation details. I am going to convert this to a discussion.