cerc-io
/
stack-orchestrator
mirror of https://github.com/cerc-io/stack-orchestrator
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity
stack-orchestrator/docs/doublezero-agent-managed-co...

81 lines
3.1 KiB
Markdown
Raw Normal View History

docs: document DoubleZero agent managed config on both switches Inventories what the DZ agent controls (tunnels, ACLs, VRFs, BGP, route-maps, loopbacks) so we don't accidentally modify objects that the agent will silently overwrite. Includes a "safe to modify" section listing our own relay infrastructure. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 23:45:36 +00:00
# DoubleZero Agent — Managed Configuration
The `doublezero-agent` daemon runs on both mia-sw01 and was-sw01. It manages
GRE tunnels, ACLs, BGP neighbors, and route-maps via EOS config sessions
(named `doublezero-agent-<timestamp>`). It periodically creates pending
sessions and commits them, overwriting any manual changes to the objects
it manages.
**Do NOT modify any of the items listed below.** The agent will silently
overwrite your changes.
## mia-sw01
### Tunnel interfaces (all DZ-managed)
| Interface | Description | VRF | Peer | ACL |
|------------|-----------------|---------|-----------------|------------------------------|
| Tunnel500 | USER-UCAST-500 | vrf1 | 186.233.184.235 | SEC-USER-500-IN |
| Tunnel501 | USER-MCAST-501 | default | 186.233.185.50 | SEC-USER-SUB-MCAST-IN |
| Tunnel502 | USER-UCAST-502 | vrf1 | 155.138.213.71 | SEC-USER-502-IN |
| Tunnel503 | USER-MCAST-503 | default | 155.138.213.71 | SEC-USER-PUB-MCAST-IN |
| Tunnel504 | (empty) | | | |
| Tunnel505 | USER-UCAST-505 | vrf1 | 186.233.185.50 | SEC-USER-505-IN |
| Tunnel506 | (exists) | | | |
### ACLs (DZ-managed — do NOT modify)
- `SEC-DIA-IN` — ingress ACL on Et1/1 (bogon/RFC1918 filter)
- `SEC-USER-500-IN` — ingress ACL on Tunnel500
- `SEC-USER-502-IN` — ingress ACL on Tunnel502
- `SEC-USER-505-IN` — ingress ACL on Tunnel505
- `SEC-USER-SUB-MCAST-IN` — ingress ACL on Tunnel501
- `SEC-USER-PUB-MCAST-IN` — ingress ACL on Tunnel503
- `SEC-USER-MCAST-BOUNDARY-501-OUT` — multicast boundary on Tunnel501
- `SEC-USER-MCAST-BOUNDARY-503-OUT` — multicast boundary on Tunnel503
### VRF (DZ-managed)
- `vrf1` — used by Tunnel500, Tunnel502, Tunnel505 (unicast tunnels)
- `ip route vrf vrf1 0.0.0.0/0 egress-vrf default Ethernet4/1 172.16.1.188`
### BGP (DZ-managed)
- `router bgp 65342` — iBGP mesh with DZ fabric switches (ny7, sea001, ld4, etc.)
- BGP neighbors on tunnel link IPs (169.254.x.x) with `RM-USER-*` route-maps
- All `RM-USER-*-IN` and `RM-USER-*-OUT` route-maps
### Loopbacks (DZ-managed)
- `Loopback255`, `Loopback256` — BGP update sources for iBGP mesh
## was-sw01
### ACLs (DZ-managed)
- `SEC-DIA-IN` — ingress ACL on Et1/1
- `SEC-USER-PUB-MCAST-IN`
- `SEC-USER-SUB-MCAST-IN`
### Daemons
- `doublezero-agent` — config management
- `doublezero-telemetry` — metrics (writes to influxdb `doublezero-mainnet-beta`)
## Safe to modify (NOT managed by DZ agent)
### mia-sw01
- `Tunnel100` — our dedicated validator relay tunnel (VRF relay)
- `SEC-VALIDATOR-100-IN` — our ACL on Tunnel100
- `Loopback101` — tunnel source IP (209.42.167.137)
- VRF `relay` — our outbound isolation VRF
- `ip route 137.239.194.65/32 egress-vrf relay 169.254.100.1`
- `ip route vrf relay 0.0.0.0/0 egress-vrf default 172.16.1.188`
- Backbone `Ethernet4/1` — physical interface, not DZ-managed
### was-sw01
- `ip route 137.239.194.65/32 172.16.1.189` — our static route
- Backbone `Ethernet4/1` — physical interface, not DZ-managed