Assigning 1 VLAN to multiple sites/tenants #10854
Answered by mtinberg
TenNorbert asked this question in Q&A
Replies: 3 comments, 4 replies
-
Do they exist within the same L2? If not, then they aren’t the same.

On 5 Nov 2022, at 09:13, Norbert ***@***.***> wrote:
> Hello,
> Can you please tell me or suggest me how I can assign 1 VLAN to multiple sites/tenants?
> Is it even possible to do this?
> How should this be done properly?
> For example, my company has 4 branches(A,B,C,D) in different cities, but we have the same list of vlans
> Vlan 5 - A,B,C,D
> Vlan 10 - A,B
> Vlan 15 - B,C
> Vlan 20 - A,D
> Do I have to create Vlan5 4 times to add it to 4 different Vlan groups?
> I would appreciate any help
-
I think you have a very different way of conceptualizing this than many of the people using and designing Netbox. Netbox is designed to hold a model that allows you to template device configs, not just to record a VLAN ID number as assigned, so it has to have independent records for places where you have independent device config.
The data model is designed for the following network model

    Tenant Foo
      Device router-a (dcim.device 2) at Site Alpha (dcim.site 1)
        Vlan5 (ipam.vlans record ID 87) (dcim.interface record ID 123456)
          description workstations at Alpha (from vlan record ID 87 name)
          ip address 192.0.2.1/25 (ipam.address record ID 23) (child of ipam.prefix record ID 42)
    Tenant Bar
      Device router-b (dcim.device 3) at Site Bravo (dcim.site 2)
        Vlan5 (ipam.vlans record ID 123) (dcim.interface record ID 23451)
          description workstations at Bravo (from
          ip address 192.0.2.129/25 (ipam.address record ID 72) (child of ipam.prefix record ID 51)

    # in pseudo code, skipping some of the lookups, e.g. ipaddress by record type and id
    interface Vlan{{ dcim.interface.vlan.vid or dcim.interface.name }}
      description {{ dcim.interface.vlan.name }} at {{ ipam.vlan.site.name }}
      ip address {{ ipam.ipaddress.address (search by dcim.interface and interface record ID) }}

So for your ipam.vlan id 87 you can have the description and properties of the vlan, assign that instance to the Vlan5 interface of router-a, assign it to site Alpha, assign the Tenant to all the records if you like so you can see _who_ they are for, associate the prefix 42 (192.0.2.0/25) to vlan record 87 (5), so if you look up the parent for IP 192.0.2.1 you can find the prefix, map it to the vlan, find all the physical interfaces associated with that vlan, the devices associated with those interfaces specifically and map out the properties of that particular layer2 and layer3 domain. You can query for all the VLANs at a particular site and their names, to template a vlan stanza, you can template out an interface config by looking up the associated IP/mask and vlan and its properties. Each instance could have different settings that you capture in custom fields, like spanning tree priority. Sure you could have multiple prefixes on the same vlan, when they are configured as secondaries on the same interface, not on interfaces on different equipment in different sites.
—
Mark Tinberg ***@***.***>
Division of Information Technology-Network Services
University of Wisconsin-Madison
From: Norbert ***@***.***>
Sent: Tuesday, November 8, 2022 1:27 AM
Yes, they have different subnets.
But 1 VLAN can have multiple prefixes, from multiple tenants or sites.
So why can a VLAN be assigned to only 1 tenant or 1 site?
In my case, the tenant and the site are the same branch.
I would like to see in the tenant how many vlans I have assigned, but without creating the same vlans around 100 times instead of 10.
-
> central entity managing the VLAN, but prefixes unique to the tenant

that sounds more like a VRF if the tenants have their own overlapping IP space (eg. they are all 192.168.1.0/24).

> separating tenants by prefixes on the same VLAN is a definitive no no

I don't think anyone was suggesting that but maybe I missed it or there is a misunderstanding.
The original question:
> Can you please tell me or suggest me how I can assign 1 VLAN to multiple sites/tenants?
> Is it even possible to do this?
> How should this be done properly?
> For example, my company has 4 branches(A,B,C,D) in different cities, but we have the same list of vlans
> Vlan 5 - A,B,C,D
> Vlan 10 - A,B
> Vlan 15 - B,C
> Vlan 20 - A,D
> Do I have to create Vlan5 4 times to add it to 4 different Vlan groups?
I think the answer is that yes, you'd have 4 records, one for each distinct instance of VLAN 5 at each Site, assuming they are routed at each site and not bridged between sites, as each is fundamentally a separate LAN.
Record ID 1: {Vlan: 5, Site: A, name: foo, prefix: 192.0.2.0/25 }
Record ID 2: {Vlan: 5, Site: B, name: bar, prefix: 192.0.2.128/25 }
...
If you filter VLANs by Site then looking at Site A you'll see VLAN 5, 10, 20 and at Site B 5, 10, 15 and at Site C 5, 15. They can have different names, comments, tenants and other properties and each can have prefix(s) assigned.
You could also create a VLAN Group for each Site, but I'm not sure if that is necessary, VLAN Groups do make it easy to allocate the next available in a group and manage which numbers are available, it can help organization and uniqueness checking.
—
Mark Tinberg ***@***.***>
Division of Information Technology-Network Services
University of Wisconsin-Madison
From: ziggekatten ***@***.***>
Sent: Tuesday, November 8, 2022 12:45 PM
As I see it, you have a central entity managing the VLAN, but prefixes are unique to the tenant. That's the logic you should follow.
As a service provider, separating tenants by prefixes on the same VLAN is a definitive no no (for Christ's sake, if a tenant has access to a server on that VLAN they have access to all the traffic!) but for an internal company with department based tenancy this is maybe fine.
Answer selected by TenNorbert
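
The one-record-per-site model from the selected answer, together with the shared-VLAN concern raised in the thread turned into an audit check, as an added example. It uses plain Python stand-ins, not NetBox code or its API; `VlanRecord` and the function names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# The asker's matrix (VLAN ID -> branches using it), copied from the question.
MATRIX = {5: "ABCD", 10: "AB", 15: "BC", 20: "AD"}


@dataclass
class VlanRecord:  # hypothetical stand-in for one ipam.vlan row
    record_id: int
    vid: int
    site: str
    prefixes: list = field(default_factory=list)  # (prefix, tenant) pairs


def expand(matrix):
    """One record per (VLAN ID, site): each routed site is its own LAN."""
    pairs = [(vid, s) for vid, sites in sorted(matrix.items()) for s in sites]
    return [VlanRecord(i, vid, s) for i, (vid, s) in enumerate(pairs, 1)]


def vids_by_site(records):
    """What filtering VLANs by Site shows for each site."""
    out = defaultdict(list)
    for r in records:
        out[r.site].append(r.vid)
    return {site: sorted(vids) for site, vids in out.items()}


def duplicate_keys(records):
    """(vid, site) pairs recorded more than once: an ambiguous L2 domain."""
    seen, dups = set(), set()
    for r in records:
        key = (r.vid, r.site)
        (dups if key in seen else seen).add(key)
    return sorted(dups)


def shared_l2(records):
    """IDs of records whose prefixes belong to more than one tenant.
    Those tenants sit in one broadcast domain, so the prefixes alone
    do not isolate them from each other."""
    return [r.record_id for r in records
            if len({tenant for _, tenant in r.prefixes}) > 1]


if __name__ == "__main__":
    recs = expand(MATRIX)
    print(len(recs), "records;", vids_by_site(recs))
```
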
-
Hello,
Can you please tell me or suggest me how I can assign 1 VLAN to multiple sites/tenants?
Is it even possible to do this?
How should this be done properly?
For example, my company has 4 branches(A,B,C,D) in different cities, but we have the same list of vlans
Vlan 5 - A,B,C,D
Vlan 10 - A,B
Vlan 15 - B,C
Vlan 20 - A,D
Do I have to create Vlan5 4 times to add it to 4 different Vlan groups?
I have the latest version installed (v3.3.7)
I would appreciate any help