diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml index a825787e0fe..de767e0c1ed 100644 --- a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml +++ b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml @@ -571,10 +571,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml index 9ce7f83c14b..ec26c6b99ff 100644 --- a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml +++ b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml @@ -571,10 +571,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/invalid-wan-role-overlay-routing-protocol.yml b/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/invalid-wan-role-overlay-routing-protocol.yml deleted file mode 100644 index 26f78e6f2ce..00000000000 --- a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/invalid-wan-role-overlay-routing-protocol.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -wan_mode: autovpn -type: wan_router -fabric_name: FABRIC_WAN_ROLE_OVERLAY_ROUTING_PROTOCOL - -# Not ibgp -overlay_routing_protocol: none - -wan_router: - defaults: - loopback_ipv4_pool: 192.168.0.0/24 - vtep_loopback_ipv4_pool: 192.168.1.0/24 - nodes: - - name: invalid-wan-role-overlay-routing-protocol - id: 1 - l3_interfaces: - - name: Ethernet1 - wan_carrier: TEST - ip_address: dhcp - -wan_carriers: - - name: TEST - path_group: TEST - trusted: true - -wan_path_groups: - - name: TEST - id: 42 - -expected_error_message: >- - Only 'ibgp' is supported as 'overlay_routing_protocol' for WAN nodes. diff --git a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml b/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml index 20f281c8db5..b8d101e794a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml @@ -40,9 +40,6 @@ all: invalid-uplink-port-channel-id-3-l3leaf-1: invalid-uplink-port-channel-id-3-l3leaf-2: invalid-uplink-port-channel-id-3-l2leaf-2: - FABRIC_WAN_ROLE_OVERLAY_ROUTING_PROTOCOL: - hosts: - invalid-wan-role-overlay-routing-protocol: FABRIC_P2P_VRFS: hosts: invalid-uplink-type-p2p-vrfs-underlay-router-false: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg index daf7e66fb6b..2bb27fc9b66 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg 
@@ -83,6 +83,9 @@ router path-selection ! vrf PROD path-selection-policy PROD-AUTOVPN-POLICY + ! + vrf WAN-VRF-NO-AF + path-selection-policy PROD-AUTOVPN-POLICY ! spanning-tree mode none ! @@ -92,6 +95,8 @@ vrf instance MGMT ! vrf instance PROD ! +vrf instance WAN-VRF-NO-AF +! management api http-commands protocol https no shutdown @@ -146,6 +151,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! @@ -168,6 +174,7 @@ ip routing ip routing vrf IT no ip routing vrf MGMT ip routing vrf PROD +ip routing vrf WAN-VRF-NO-AF ! ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.30.1:0 ! @@ -238,6 +245,13 @@ router bgp 65000 route-target export evpn 42:42 router-id 192.168.30.1 redistribute connected + ! + vrf WAN-VRF-NO-AF + rd 192.168.30.1:200 + route-target import evpn 200:200 + route-target export evpn 200:200 + router-id 192.168.30.1 + redistribute connected ! stun client diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg index 81ad7865faf..7221d6f48d0 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg @@ -74,6 +74,9 @@ router path-selection ! vrf PROD path-selection-policy PROD-AUTOVPN-POLICY + ! + vrf WAN-VRF-NO-AF + path-selection-policy PROD-AUTOVPN-POLICY ! platform sfe data-plane cpu allocation maximum 2 ! @@ -126,6 +129,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg index 84941e98c10..d9470065bbf 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg @@ -74,6 +74,9 @@ router path-selection ! vrf PROD path-selection-policy PROD-AUTOVPN-POLICY + ! + vrf WAN-VRF-NO-AF + path-selection-policy PROD-AUTOVPN-POLICY ! platform sfe data-plane cpu allocation maximum 2 ! @@ -125,6 +128,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg new file mode 100644 index 00000000000..5a8727ddf6d --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg 
@@ -0,0 +1,372 @@ +! +no enable password +no aaa root +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP=1 +! +flow tracking hardware + tracker FLOW-TRACKER + record export on inactive timeout 70000 + record export on interval 300000 + exporter CV-TELEMETRY + collector 127.0.0.1 + local interface Loopback0 + template interval 3600000 + no shutdown +! +service routing protocols model multi-agent +! +hostname cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan +! +router adaptive-virtual-topology + topology role edge + region AVD_Land_West id 42 + zone AVD_Land_West-ZONE id 1 + site Site12 id 12 + ! + policy DEFAULT-AVT-POLICY-WITH-CP + ! + match application-profile APP-PROFILE-CONTROL-PLANE + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + match application-profile VIDEO + avt profile DEFAULT-AVT-POLICY-VIDEO + ! + match application-profile default + avt profile DEFAULT-AVT-POLICY-DEFAULT + ! + policy PROD-AVT-POLICY + ! + match application-profile VOICE + avt profile PROD-AVT-POLICY-VOICE + ! + match application-profile VIDEO + avt profile PROD-AVT-POLICY-VIDEO + ! + match application-profile default + avt profile PROD-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-CONTROL-PLANE + path-selection load-balance LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + profile DEFAULT-AVT-POLICY-DEFAULT + path-selection load-balance LB-DEFAULT-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-VIDEO + path-selection load-balance LB-DEFAULT-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-DEFAULT + path-selection load-balance LB-PROD-AVT-POLICY-DEFAULT + ! + profile PROD-AVT-POLICY-VIDEO + path-selection load-balance LB-PROD-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-VOICE + path-selection load-balance LB-PROD-AVT-POLICY-VOICE + ! + vrf default + avt policy DEFAULT-AVT-POLICY-WITH-CP + avt profile DEFAULT-AVT-POLICY-DEFAULT id 1 + avt profile DEFAULT-AVT-POLICY-VIDEO id 3 + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE id 254 + ! 
+ vrf PROD + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 101 + ipsec profile CP-PROFILE + ! + local interface Ethernet1 + stun server-profile INET-cv-pathfinder-pathfinder-Ethernet1 INET-cv-pathfinder-pathfinder-Ethernet3 + ! + peer dynamic + ! + peer static router-ip 192.168.144.1 + name cv-pathfinder-pathfinder + ipv4 address 172.17.7.7 + ipv4 address 10.9.9.9 + ! + load-balance policy LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-VIDEO + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-VIDEO + loss-rate 42.0 + path-group INET priority 2 + ! + load-balance policy LB-PROD-AVT-POLICY-VOICE + jitter 42 + hop count lowest + path-group INET priority 2 +! +spanning-tree mode none +! +vrf instance MGMT +! +vrf instance PROD +! +vrf instance VRF-NO-WAN +! +vrf instance VRF-NO-WAN-NO-AF +! +vrf instance WAN-VRF-NO-AF +! +management api http-commands + protocol https + no shutdown + ! + vrf MGMT + no shutdown +! +management security + ! + ssl profile profileA + tls versions 1.2 + trust certificate aristaDeviceCertProvisionerDefaultRootCA.crt + certificate profileA.crt key profileA.key +! +ip security + ike policy CP-IKE-POLICY + local-id 192.168.142.14 + ! + sa policy CP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! + sa policy DP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! 
+ profile CP-PROFILE + ike-policy CP-IKE-POLICY + sa-policy CP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890 + dpd 10 50 clear + mode transport + ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! + key controller + profile DP-PROFILE +! +interface Dps1 + description DPS Interface + mtu 9194 + flow tracker hardware FLOW-TRACKER + ip address 192.168.142.14/32 +! +interface Ethernet1 + description ATT_666 + no shutdown + no switchport + ip address dhcp + dhcp client accept default-route +! +interface Ethernet52 + description P2P_leaf-wan-use-evpn-on-lan_Ethernet2 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.27/31 +! +interface Loopback0 + description ROUTER_ID + no shutdown + ip address 192.168.42.14/32 +! +interface Vxlan1 + description cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_VTEP + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf default vni 1 + vxlan vrf PROD vni 42 + vxlan vrf VRF-NO-WAN vni 300 + vxlan vrf WAN-VRF-NO-AF vni 200 +! +application traffic recognition + ! + application ipv4 APP-CONTROL-PLANE + destination prefix field-set PFX-PATHFINDERS + ! + application ipv4 CUSTOM-APPLICATION-1 + source prefix field-set CUSTOM-SRC-PREFIX-1 + destination prefix field-set CUSTOM-DEST-PREFIX-1 + protocol tcp + ! + application ipv4 CUSTOM-APPLICATION-2 + protocol tcp source port field-set TCP-SRC-2 destination port field-set TCP-DEST-2 + ! + application ipv4 CUSTOM-DSCP-APPLICATION + dscp ef 12-14 cs6 42 + ! + category VIDEO1 + application CUSTOM-APPLICATION-2 + application CUSTOM-DSCP-APPLICATION + application microsoft-teams + ! + application-profile APP-PROFILE-CONTROL-PLANE + application APP-CONTROL-PLANE + ! + application-profile VIDEO + application CUSTOM-APPLICATION-1 + application skype + application rtp transport + category VIDEO1 + ! + application-profile VOICE + application CUSTOM-VOICE-APPLICATION + ! 
+ field-set ipv4 prefix CUSTOM-DEST-PREFIX-1 + 6.6.6.0/24 + ! + field-set ipv4 prefix CUSTOM-SRC-PREFIX-1 + 42.42.42.0/24 + ! + field-set ipv4 prefix PFX-PATHFINDERS + 192.168.144.1/32 + ! + field-set l4-port TCP-DEST-2 + 666, 777 + ! + field-set l4-port TCP-SRC-2 + 42 +! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +ip routing vrf VRF-NO-WAN +ip routing vrf VRF-NO-WAN-NO-AF +ip routing vrf WAN-VRF-NO-AF +! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.14:12 +! +ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY + seq 10 permit 192.168.42.0/24 eq 32 +! +route-map RM-BGP-UNDERLAY-PEERS-IN permit 40 + description Mark prefixes originated from the LAN + set extcommunity soo 192.168.42.14:12 additive +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.42.14:12 additive +! +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.42.14:12 additive +! +router bfd + multihop interval 300 min-rx 300 multiplier 3 +! 
+router bgp 65000 + router-id 192.168.42.14 + update wait-install + no bgp default ipv4-unicast + maximum-paths 16 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 1000 min-rx 1000 multiplier 10 + neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1 + neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ== + neighbor WAN-OVERLAY-PEERS send-community + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 172.18.0.26 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.26 remote-as 65042 + neighbor 172.18.0.26 description leaf-wan-use-evpn-on-lan_Ethernet2 + neighbor 192.168.144.1 peer group WAN-OVERLAY-PEERS + neighbor 192.168.144.1 description cv-pathfinder-pathfinder_Dps1 + redistribute connected route-map RM-CONN-2-BGP + ! + address-family evpn + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + no neighbor WAN-OVERLAY-PEERS activate + ! + address-family ipv4 sr-te + neighbor WAN-OVERLAY-PEERS activate + ! + address-family link-state + neighbor WAN-OVERLAY-PEERS activate + path-selection + ! + address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! + vrf default + rd 192.168.42.14:1 + route-target import evpn 1:1 + route-target export evpn 1:1 + route-target export evpn route-map RM-EVPN-EXPORT-VRF-DEFAULT + ! 
+ vrf PROD + rd 192.168.42.14:142 + route-target import evpn 142:142 + route-target export evpn 142:142 + router-id 192.168.42.14 + redistribute connected + ! + vrf WAN-VRF-NO-AF + rd 192.168.42.14:200 + route-target import evpn 200:200 + route-target export evpn 200:200 + router-id 192.168.42.14 + redistribute connected +! +router traffic-engineering +! +stun + client + server-profile INET-cv-pathfinder-pathfinder-Ethernet1 + ip address 172.17.7.7 + ssl profile profileA + server-profile INET-cv-pathfinder-pathfinder-Ethernet3 + ip address 10.9.9.9 + ssl profile profileA +! +end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg new file mode 100644 index 00000000000..da8236079c8 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg 
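Review bot: The expected `interface Vxlan1` block in cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg keeps `vxlan vrf VRF-NO-WAN vni 300` on the `Dps1`-sourced VTEP, yet `router bgp 65000` in the same file has no `vrf VRF-NO-WAN` section and `router adaptive-virtual-topology` has no entry for that VRF. The golden file therefore pins a VNI mapping on the WAN-facing VTEP for a VRF this node never advertises. If VRF-NO-WAN is meant to stay off the WAN, as its name suggests, the mapping looks unintended and weakens the fixture as a segmentation check. I would either drop the line from the rendered output for nodes without the LAN EVPN overlay or add a comment in the test inventory explaining why it is kept. The inventory that produces this file is not shown here, so this is inferred from the rendered config alone.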
@@ -0,0 +1,386 @@ +! +no enable password +no aaa root +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP=1 +! +flow tracking hardware + tracker FLOW-TRACKER + record export on inactive timeout 70000 + record export on interval 300000 + exporter CV-TELEMETRY + collector 127.0.0.1 + local interface Loopback0 + template interval 3600000 + no shutdown +! +service routing protocols model multi-agent +! +hostname cv-pathfinder-edge-wan-use-evpn-on-lan +! +router adaptive-virtual-topology + topology role edge + region AVD_Land_West id 42 + zone AVD_Land_West-ZONE id 1 + site Site12 id 12 + ! + policy DEFAULT-AVT-POLICY-WITH-CP + ! + match application-profile APP-PROFILE-CONTROL-PLANE + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + match application-profile VIDEO + avt profile DEFAULT-AVT-POLICY-VIDEO + ! + match application-profile default + avt profile DEFAULT-AVT-POLICY-DEFAULT + ! + policy PROD-AVT-POLICY + ! + match application-profile VOICE + avt profile PROD-AVT-POLICY-VOICE + ! + match application-profile VIDEO + avt profile PROD-AVT-POLICY-VIDEO + ! + match application-profile default + avt profile PROD-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-CONTROL-PLANE + path-selection load-balance LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + profile DEFAULT-AVT-POLICY-DEFAULT + path-selection load-balance LB-DEFAULT-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-VIDEO + path-selection load-balance LB-DEFAULT-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-DEFAULT + path-selection load-balance LB-PROD-AVT-POLICY-DEFAULT + ! + profile PROD-AVT-POLICY-VIDEO + path-selection load-balance LB-PROD-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-VOICE + path-selection load-balance LB-PROD-AVT-POLICY-VOICE + ! + vrf default + avt policy DEFAULT-AVT-POLICY-WITH-CP + avt profile DEFAULT-AVT-POLICY-DEFAULT id 1 + avt profile DEFAULT-AVT-POLICY-VIDEO id 3 + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE id 254 + ! 
+ vrf PROD + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 101 + ipsec profile CP-PROFILE + ! + local interface Ethernet1 + stun server-profile INET-cv-pathfinder-pathfinder-Ethernet1 INET-cv-pathfinder-pathfinder-Ethernet3 + ! + peer dynamic + ! + peer static router-ip 192.168.144.1 + name cv-pathfinder-pathfinder + ipv4 address 172.17.7.7 + ipv4 address 10.9.9.9 + ! + load-balance policy LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-VIDEO + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-VIDEO + loss-rate 42.0 + path-group INET priority 2 + ! + load-balance policy LB-PROD-AVT-POLICY-VOICE + jitter 42 + hop count lowest + path-group INET priority 2 +! +spanning-tree mode none +! +vrf instance MGMT +! +vrf instance PROD +! +vrf instance VRF-NO-WAN +! +vrf instance VRF-NO-WAN-NO-AF +! +vrf instance WAN-VRF-NO-AF +! +management api http-commands + protocol https + no shutdown + ! + vrf MGMT + no shutdown +! +management security + ! + ssl profile profileA + tls versions 1.2 + trust certificate aristaDeviceCertProvisionerDefaultRootCA.crt + certificate profileA.crt key profileA.key +! +ip security + ike policy CP-IKE-POLICY + local-id 192.168.142.12 + ! + sa policy CP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! + sa policy DP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! 
+ profile CP-PROFILE + ike-policy CP-IKE-POLICY + sa-policy CP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890 + dpd 10 50 clear + mode transport + ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! + key controller + profile DP-PROFILE +! +interface Dps1 + description DPS Interface + mtu 9194 + flow tracker hardware FLOW-TRACKER + ip address 192.168.142.12/32 +! +interface Ethernet1 + description ATT_666 + no shutdown + no switchport + ip address dhcp + dhcp client accept default-route +! +interface Ethernet52 + description P2P_leaf-wan-use-evpn-on-lan_Ethernet1 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.23/31 +! +interface Loopback0 + description ROUTER_ID + no shutdown + ip address 192.168.42.12/32 +! +interface Vxlan1 + description cv-pathfinder-edge-wan-use-evpn-on-lan_VTEP + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf default vni 1 + vxlan vrf PROD vni 42 + vxlan vrf VRF-NO-WAN vni 300 + vxlan vrf WAN-VRF-NO-AF vni 200 +! +application traffic recognition + ! + application ipv4 APP-CONTROL-PLANE + destination prefix field-set PFX-PATHFINDERS + ! + application ipv4 CUSTOM-APPLICATION-1 + source prefix field-set CUSTOM-SRC-PREFIX-1 + destination prefix field-set CUSTOM-DEST-PREFIX-1 + protocol tcp + ! + application ipv4 CUSTOM-APPLICATION-2 + protocol tcp source port field-set TCP-SRC-2 destination port field-set TCP-DEST-2 + ! + application ipv4 CUSTOM-DSCP-APPLICATION + dscp ef 12-14 cs6 42 + ! + category VIDEO1 + application CUSTOM-APPLICATION-2 + application CUSTOM-DSCP-APPLICATION + application microsoft-teams + ! + application-profile APP-PROFILE-CONTROL-PLANE + application APP-CONTROL-PLANE + ! + application-profile VIDEO + application CUSTOM-APPLICATION-1 + application skype + application rtp transport + category VIDEO1 + ! + application-profile VOICE + application CUSTOM-VOICE-APPLICATION + ! 
+ field-set ipv4 prefix CUSTOM-DEST-PREFIX-1 + 6.6.6.0/24 + ! + field-set ipv4 prefix CUSTOM-SRC-PREFIX-1 + 42.42.42.0/24 + ! + field-set ipv4 prefix PFX-PATHFINDERS + 192.168.144.1/32 + ! + field-set l4-port TCP-DEST-2 + 666, 777 + ! + field-set l4-port TCP-SRC-2 + 42 +! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +ip routing vrf VRF-NO-WAN +ip routing vrf VRF-NO-WAN-NO-AF +ip routing vrf WAN-VRF-NO-AF +! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.12:12 +! +ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY + seq 10 permit 192.168.42.0/24 eq 32 +! +route-map RM-BGP-UNDERLAY-PEERS-IN permit 40 + description Mark prefixes originated from the LAN + set extcommunity soo 192.168.42.12:12 additive +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.42.12:12 additive +! +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.42.12:12 additive +! +router bfd + multihop interval 300 min-rx 300 multiplier 3 +! 
+router bgp 65000 + router-id 192.168.42.12 + update wait-install + no bgp default ipv4-unicast + maximum-paths 16 + neighbor EVPN-OVERLAY-PEERS peer group + neighbor EVPN-OVERLAY-PEERS update-source Loopback0 + neighbor EVPN-OVERLAY-PEERS bfd + neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3 + neighbor EVPN-OVERLAY-PEERS send-community + neighbor EVPN-OVERLAY-PEERS maximum-routes 0 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 1000 min-rx 1000 multiplier 10 + neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1 + neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ== + neighbor WAN-OVERLAY-PEERS send-community + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 172.18.0.22 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.22 remote-as 65042 + neighbor 172.18.0.22 description leaf-wan-use-evpn-on-lan_Ethernet1 + neighbor 192.168.144.1 peer group WAN-OVERLAY-PEERS + neighbor 192.168.144.1 description cv-pathfinder-pathfinder_Dps1 + redistribute connected route-map RM-CONN-2-BGP + ! + address-family evpn + neighbor EVPN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + no neighbor WAN-OVERLAY-PEERS activate + ! + address-family ipv4 sr-te + neighbor WAN-OVERLAY-PEERS activate + ! + address-family link-state + neighbor WAN-OVERLAY-PEERS activate + path-selection + ! 
+ address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! + vrf default + rd 192.168.42.12:1 + route-target import evpn 1:1 + route-target export evpn 1:1 + route-target export evpn route-map RM-EVPN-EXPORT-VRF-DEFAULT + ! + vrf PROD + rd 192.168.42.12:142 + route-target import evpn 142:142 + route-target export evpn 142:142 + router-id 192.168.42.12 + redistribute connected + ! + vrf VRF-NO-WAN + rd 192.168.42.12:300 + route-target import evpn 300:300 + route-target export evpn 300:300 + router-id 192.168.42.12 + redistribute connected + ! + vrf WAN-VRF-NO-AF + rd 192.168.42.12:200 + route-target import evpn 200:200 + route-target export evpn 200:200 + router-id 192.168.42.12 + redistribute connected +! +router traffic-engineering +! +stun + client + server-profile INET-cv-pathfinder-pathfinder-Ethernet1 + ip address 172.17.7.7 + ssl profile profileA + server-profile INET-cv-pathfinder-pathfinder-Ethernet3 + ip address 10.9.9.9 + ssl profile profileA +! +end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg index a010e84d82f..b38ece45826 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg @@ -123,6 +123,13 @@ router adaptive-virtual-topology avt policy TRANSIT-AVT-POLICY avt profile TRANSIT-AVT-POLICY-DEFAULT id 1 avt profile CUSTOM-VOICE-PROFILE-NAME id 42 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + avt profile PROD-AVT-POLICY-MPLS-ONLY id 5 ! router path-selection peer dynamic source stun 
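Review bot: `vrf VRF-NO-WAN` near the end of the cv-pathfinder-edge-wan-use-evpn-on-lan.cfg hunk exports `route-target export evpn 300:300`, while `address-family evpn` activates `WAN-OVERLAY-PEERS` with only `RM-EVPN-SOO-OUT` outbound, whose single `permit 10` sequence has no match clause and just sets the SoO. Nothing visible in this expected config therefore keeps VRF-NO-WAN EVPN routes from being advertised to the WAN route servers, which undercuts the isolation the VRF name implies. If a filter is applied elsewhere, a comment in the test inventory should say so; otherwise the outbound policy could carry a deny sequence ahead of `permit 10` that matches an extcommunity-list on `rt 300:300`. Separately, `EVPN-OVERLAY-PEERS` is defined without a password or route-map and activated under `address-family evpn`, but no `neighbor … peer group EVPN-OVERLAY-PEERS` line appears, so the fixture does not yet pin a LAN EVPN session or any policy on it.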
@@ -286,6 +293,7 @@ interface Vxlan1 vxlan vrf IT vni 100 vxlan vrf PROD vni 42 vxlan vrf TRANSIT vni 66 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg index a722345ab23..00ec610112f 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg @@ -123,6 +123,13 @@ router adaptive-virtual-topology avt policy TRANSIT-AVT-POLICY avt profile TRANSIT-AVT-POLICY-DEFAULT id 1 avt profile CUSTOM-VOICE-PROFILE-NAME id 42 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + avt profile PROD-AVT-POLICY-MPLS-ONLY id 5 ! router path-selection peer dynamic source stun @@ -277,6 +284,7 @@ interface Vxlan1 vxlan vrf IT vni 100 vxlan vrf PROD vni 42 vxlan vrf TRANSIT vni 66 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg index f5cef9139e2..e77c6f227a2 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg 
@@ -123,6 +123,13 @@ router adaptive-virtual-topology avt policy TRANSIT-AVT-POLICY avt profile TRANSIT-AVT-POLICY-DEFAULT id 1 avt profile CUSTOM-VOICE-PROFILE-NAME id 42 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + avt profile PROD-AVT-POLICY-MPLS-ONLY id 5 ! router path-selection peer dynamic source stun @@ -290,6 +297,7 @@ interface Vxlan1 vxlan vrf IT vni 100 vxlan vrf PROD vni 42 vxlan vrf TRANSIT vni 66 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg new file mode 100644 index 00000000000..3aad67724f0 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg 
@@ -0,0 +1,190 @@ +! +no enable password +no aaa root +! +vlan internal order ascending range 1006 1199 +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname leaf-wan-use-evpn-on-lan +! +vlan 100 + name VLAN100 +! +vlan 101 + name VLAN101 +! +vlan 666 + name VLAN666 +! +vrf instance ATTRACTED-VRF-FROM-UPLINK +! +vrf instance IT +! +vrf instance MGMT +! +vrf instance PROD +! +vrf instance VRF-NO-WAN +! +vrf instance VRF-NO-WAN-NO-AF +! +vrf instance WAN-VRF-NO-AF +! +management api http-commands + protocol https + no shutdown + ! + vrf MGMT + no shutdown +! +interface Ethernet1 + description P2P_cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.22/31 +! +interface Ethernet2 + description P2P_cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.26/31 +! +interface Loopback0 + description ROUTER_ID + no shutdown + ip address 192.168.45.13/32 +! +interface Loopback1 + description VXLAN_TUNNEL_SOURCE + no shutdown + ip address 192.168.255.13/32 +! +interface Vlan100 + description VLAN100 + shutdown + vrf PROD + ip address virtual 10.0.100.1/24 +! +interface Vlan666 + description VLAN666 + shutdown + vrf ATTRACTED-VRF-FROM-UPLINK + ip address virtual 10.66.66.66/24 +! +interface Vxlan1 + description leaf-wan-use-evpn-on-lan_VTEP + vxlan source-interface Loopback1 + vxlan udp-port 4789 + vxlan vlan 100 vni 1100 + vxlan vlan 101 vni 1101 + vxlan vlan 666 vni 1666 + vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 + vxlan vrf default vni 1 + vxlan vrf IT vni 1000 + vxlan vrf PROD vni 142 + vxlan vrf VRF-NO-WAN vni 300 +! +ip virtual-router mac-address 00:1c:73:00:00:01 +! +ip routing +ip routing vrf ATTRACTED-VRF-FROM-UPLINK +ip routing vrf IT +no ip routing vrf MGMT +ip routing vrf PROD +ip routing vrf VRF-NO-WAN +ip routing vrf VRF-NO-WAN-NO-AF +ip routing vrf WAN-VRF-NO-AF +! 
+ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY + seq 10 permit 192.168.45.0/24 eq 32 + seq 20 permit 192.168.255.0/24 eq 32 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +! +router bfd + multihop interval 300 min-rx 300 multiplier 3 +! +router bgp 65042 + router-id 192.168.45.13 + update wait-install + no bgp default ipv4-unicast + maximum-paths 4 ecmp 4 + neighbor EVPN-OVERLAY-PEERS peer group + neighbor EVPN-OVERLAY-PEERS update-source Loopback0 + neighbor EVPN-OVERLAY-PEERS bfd + neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3 + neighbor EVPN-OVERLAY-PEERS send-community + neighbor EVPN-OVERLAY-PEERS maximum-routes 0 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor 172.18.0.23 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.23 remote-as 65000 + neighbor 172.18.0.23 description cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + neighbor 172.18.0.27 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.27 remote-as 65000 + neighbor 172.18.0.27 description cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 + redistribute connected route-map RM-CONN-2-BGP + ! + vlan 100 + rd 192.168.45.13:1100 + route-target both 1100:1100 + redistribute learned + ! + vlan 101 + rd 192.168.45.13:1101 + route-target both 1101:1101 + redistribute learned + ! + vlan 666 + rd 192.168.45.13:1666 + route-target both 1666:1666 + redistribute learned + ! + address-family evpn + neighbor EVPN-OVERLAY-PEERS activate + ! + address-family ipv4 + no neighbor EVPN-OVERLAY-PEERS activate + neighbor IPv4-UNDERLAY-PEERS activate + ! + vrf ATTRACTED-VRF-FROM-UPLINK + rd 192.168.45.13:666 + route-target import evpn 666:666 + route-target export evpn 666:666 + router-id 192.168.45.13 + redistribute connected + ! + vrf default + rd 192.168.45.13:1 + route-target import evpn 1:1 + route-target export evpn 1:1 + ! 
+ vrf IT + rd 192.168.45.13:1000 + route-target import evpn 1000:1000 + route-target export evpn 1000:1000 + router-id 192.168.45.13 + redistribute connected + ! + vrf PROD + rd 192.168.45.13:142 + route-target import evpn 142:142 + route-target export evpn 142:142 + router-id 192.168.45.13 + redistribute connected + ! + vrf VRF-NO-WAN + rd 192.168.45.13:300 + route-target import evpn 300:300 + route-target export evpn 300:300 + router-id 192.168.45.13 + redistribute connected +! +end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml index ed8e46e9298..e5b5e4441fa 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml @@ -224,6 +224,21 @@ router_bgp: redistribute: connected: enabled: true + - name: WAN-VRF-NO-AF + rd: 192.168.30.1:200 + route_targets: + import: + - address_family: evpn + route_targets: + - 200:200 + export: + - address_family: evpn + route_targets: + - 200:200 + router_id: 192.168.30.1 + redistribute: + connected: + enabled: true router_path_selection: path_groups: - name: INET @@ -297,6 +312,8 @@ router_path_selection: path_selection_policy: DEFAULT-AUTOVPN-POLICY-WITH-CP - name: PROD path_selection_policy: PROD-AUTOVPN-POLICY + - name: WAN-VRF-NO-AF + path_selection_policy: PROD-AUTOVPN-POLICY tcp_mss_ceiling: ipv4_segment_size: auto service_routing_protocols_model: multi-agent @@ -319,6 +336,9 @@ vrfs: - name: PROD ip_routing: true tenant: TenantA +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantA vxlan_interface: vxlan1: description: autovpn-edge_VTEP @@ -330,3 +350,5 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: WAN-VRF-NO-AF + vni: 200 
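Review bot: In leaf-wan-use-evpn-on-lan.cfg the `EVPN-OVERLAY-PEERS` peer group is created and activated under `address-family evpn`, but both configured neighbors (172.18.0.23 and 172.18.0.27) are placed in `IPv4-UNDERLAY-PEERS`, so the expected output pins no EVPN session at all. The new cv-pathfinder-edge-wan-use-evpn-on-lan.yml fixture has the same shape: `EVPN-OVERLAY-PEERS` is defined and activated in `address_family_evpn` with no member in `neighbors`. If this follows from the test inventory (not visible in this diff), it deserves a comment there such as `# no EVPN route-server relation on purpose: only peer-group rendering is under test`. Otherwise the inventory should relate the leaf and the edge so the fixture pins a line of the form `neighbor <edge-loopback0> peer group EVPN-OVERLAY-PEERS`. As written, a regression that drops the LAN-side EVPN peering would leave these files unchanged.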
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml index 31829f301a8..52a092d8e9a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml @@ -173,10 +173,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: @@ -271,6 +271,8 @@ router_path_selection: path_selection_policy: DEFAULT-AUTOVPN-POLICY-WITH-CP - name: PROD path_selection_policy: PROD-AUTOVPN-POLICY + - name: WAN-VRF-NO-AF + path_selection_policy: PROD-AUTOVPN-POLICY tcp_mss_ceiling: ipv4_segment_size: auto service_routing_protocols_model: multi-agent @@ -295,3 +297,5 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml index 02eeb47fa29..1e3112d0a98 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml 
@@ -172,10 +172,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: @@ -270,6 +270,8 @@ router_path_selection: path_selection_policy: DEFAULT-AUTOVPN-POLICY-WITH-CP - name: PROD path_selection_policy: PROD-AUTOVPN-POLICY + - name: WAN-VRF-NO-AF + path_selection_policy: PROD-AUTOVPN-POLICY tcp_mss_ceiling: ipv4_segment_size: auto service_routing_protocols_model: multi-agent @@ -297,3 +299,5 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml index 1260da57436..8e2c48bacc3 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml @@ -255,6 +255,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: @@ -510,10 +514,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml new file mode 100644 index 00000000000..37fc5e5ea20 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml 
@@ -0,0 +1,535 @@ +aaa_root: + disabled: true +agents: +- name: KernelFib + environment_variables: + - name: KERNELFIB_PROGRAM_ALL_ECMP + value: '1' +application_traffic_recognition: + categories: + - name: VIDEO1 + applications: + - name: CUSTOM-APPLICATION-2 + - name: CUSTOM-DSCP-APPLICATION + - name: microsoft-teams + field_sets: + l4_ports: + - name: TCP-SRC-2 + port_values: + - '42' + - name: TCP-DEST-2 + port_values: + - '666' + - '777' + ipv4_prefixes: + - name: CUSTOM-SRC-PREFIX-1 + prefix_values: + - 42.42.42.0/24 + - name: CUSTOM-DEST-PREFIX-1 + prefix_values: + - 6.6.6.0/24 + - name: PFX-PATHFINDERS + prefix_values: + - 192.168.144.1/32 + applications: + ipv4_applications: + - name: CUSTOM-APPLICATION-1 + src_prefix_set_name: CUSTOM-SRC-PREFIX-1 + dest_prefix_set_name: CUSTOM-DEST-PREFIX-1 + protocols: + - tcp + - name: CUSTOM-APPLICATION-2 + protocols: + - tcp + tcp_src_port_set_name: TCP-SRC-2 + tcp_dest_port_set_name: TCP-DEST-2 + - name: CUSTOM-DSCP-APPLICATION + dscp_ranges: + - ef + - 12-14 + - cs6 + - '42' + - name: APP-CONTROL-PLANE + dest_prefix_set_name: PFX-PATHFINDERS + application_profiles: + - name: VIDEO + applications: + - name: CUSTOM-APPLICATION-1 + - name: skype + application_transports: + - rtp + categories: + - name: VIDEO1 + - name: VOICE + applications: + - name: CUSTOM-VOICE-APPLICATION + - name: APP-PROFILE-CONTROL-PLANE + applications: + - name: APP-CONTROL-PLANE +config_end: true +dps_interfaces: +- name: Dps1 + description: DPS Interface + mtu: 9194 + ip_address: 192.168.142.14/32 + flow_tracker: + hardware: FLOW-TRACKER +enable_password: + disabled: true +ethernet_interfaces: +- name: Ethernet52 + description: P2P_leaf-wan-use-evpn-on-lan_Ethernet2 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.27/31 + peer: leaf-wan-use-evpn-on-lan + peer_interface: Ethernet2 + peer_type: l3leaf + switchport: + enabled: false +- name: Ethernet1 + description: ATT_666 + shutdown: false + ip_address: dhcp + 
dhcp_client_accept_default_route: true + peer_type: l3_interface + switchport: + enabled: false +flow_tracking: + hardware: + trackers: + - name: FLOW-TRACKER + record_export: + on_inactive_timeout: 70000 + on_interval: 300000 + exporters: + - name: CV-TELEMETRY + collector: + host: 127.0.0.1 + local_interface: Loopback0 + template_interval: 3600000 + shutdown: false +hostname: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.42.14:12 +ip_routing: true +ip_security: + ike_policies: + - name: CP-IKE-POLICY + local_id: 192.168.142.14 + sa_policies: + - name: DP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + - name: CP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + profiles: + - name: DP-PROFILE + sa_policy: DP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890666 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + - name: CP-PROFILE + ike_policy: CP-IKE-POLICY + sa_policy: CP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + key_controller: + profile: DP-PROFILE +is_deployed: true +loopback_interfaces: +- name: Loopback0 + description: ROUTER_ID + shutdown: false + ip_address: 192.168.42.14/32 +management_api_http: + enable_https: true + enable_vrfs: + - name: MGMT +management_security: + ssl_profiles: + - name: profileA + tls_versions: '1.2' + trust_certificate: + certificates: + - aristaDeviceCertProvisionerDefaultRootCA.crt + certificate: + file: profileA.crt + key: profileA.key +metadata: + fabric_name: EOS_DESIGNS_UNIT_TESTS + cv_tags: + device_tags: + - name: Role + value: edge + - name: Region + value: AVD_Land_West + - name: Zone + value: AVD_Land_West-ZONE + - name: Site + value: Site12 + interface_tags: + - interface: Ethernet52 + tags: + - name: Type + value: lan + - interface: Ethernet1 + tags: + - name: 
Type + value: wan + - name: Carrier + value: ATT + - name: Circuit + value: '666' + cv_pathfinder: + role: edge + region: AVD_Land_West + zone: AVD_Land_West-ZONE + site: Site12 + vtep_ip: 192.168.142.14 + ssl_profile: profileA + pathfinders: + - vtep_ip: 192.168.144.1 + interfaces: + - name: Ethernet1 + carrier: ATT + circuit_id: '666' + pathgroup: INET +prefix_lists: +- name: PL-LOOPBACKS-EVPN-OVERLAY + sequence_numbers: + - sequence: 10 + action: permit 192.168.42.0/24 eq 32 +route_maps: +- name: RM-CONN-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.42.14:12 additive +- name: RM-BGP-UNDERLAY-PEERS-IN + sequence_numbers: + - sequence: 40 + type: permit + description: Mark prefixes originated from the LAN + set: + - extcommunity soo 192.168.42.14:12 additive +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.42.14:12 additive +- name: RM-EVPN-EXPORT-VRF-DEFAULT + sequence_numbers: + - sequence: 10 + type: permit + match: + - extcommunity ECL-EVPN-SOO +router_adaptive_virtual_topology: + topology_role: edge + region: + name: AVD_Land_West + id: 42 + zone: + name: AVD_Land_West-ZONE + id: 1 + site: + name: Site12 + id: 12 + profiles: + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + load_balance_policy: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + - name: DEFAULT-AVT-POLICY-VIDEO + load_balance_policy: LB-DEFAULT-AVT-POLICY-VIDEO + - name: DEFAULT-AVT-POLICY-DEFAULT + load_balance_policy: LB-DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY-VOICE + load_balance_policy: LB-PROD-AVT-POLICY-VOICE + - name: PROD-AVT-POLICY-VIDEO + load_balance_policy: LB-PROD-AVT-POLICY-VIDEO + - name: PROD-AVT-POLICY-DEFAULT + load_balance_policy: LB-PROD-AVT-POLICY-DEFAULT + 
policies: + - name: DEFAULT-AVT-POLICY-WITH-CP + matches: + - application_profile: APP-PROFILE-CONTROL-PLANE + avt_profile: DEFAULT-AVT-POLICY-CONTROL-PLANE + - application_profile: VIDEO + avt_profile: DEFAULT-AVT-POLICY-VIDEO + - application_profile: default + avt_profile: DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY + matches: + - application_profile: VOICE + avt_profile: PROD-AVT-POLICY-VOICE + - application_profile: VIDEO + avt_profile: PROD-AVT-POLICY-VIDEO + - application_profile: default + avt_profile: PROD-AVT-POLICY-DEFAULT + vrfs: + - name: default + policy: DEFAULT-AVT-POLICY-WITH-CP + profiles: + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + id: 254 + - name: DEFAULT-AVT-POLICY-VIDEO + id: 3 + - name: DEFAULT-AVT-POLICY-DEFAULT + id: 1 + - name: PROD + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 +router_bfd: + multihop: + interval: 300 + min_rx: 300 + multiplier: 3 +router_bgp: + as: '65000' + router_id: 192.168.42.14 + maximum_paths: + paths: 16 + updates: + wait_install: true + bgp: + default: + ipv4_unicast: false + peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + send_community: all + maximum_routes: 12000 + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + - name: WAN-OVERLAY-PEERS + type: wan + remote_as: '65000' + update_source: Dps1 + bfd: true + bfd_timers: + interval: 1000 + min_rx: 1000 + multiplier: 10 + password: htm4AZe9mIQOO1uiMuGgYQ== + send_community: all + maximum_routes: 0 + ttl_maximum_hops: 1 + neighbors: + - ip_address: 172.18.0.26 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65042' + peer: leaf-wan-use-evpn-on-lan + description: leaf-wan-use-evpn-on-lan_Ethernet2 + - ip_address: 192.168.144.1 + peer_group: WAN-OVERLAY-PEERS + 
peer: cv-pathfinder-pathfinder + description: cv-pathfinder-pathfinder_Dps1 + redistribute: + connected: + enabled: true + route_map: RM-CONN-2-BGP + address_family_evpn: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT + encapsulation: path-selection + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: WAN-OVERLAY-PEERS + activate: false + address_family_ipv4_sr_te: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + address_family_link_state: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + path_selection: + roles: + producer: true + address_family_path_selection: + bgp: + additional_paths: + receive: true + send: any + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + vrfs: + - name: default + rd: 192.168.42.14:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - route-map RM-EVPN-EXPORT-VRF-DEFAULT + - name: PROD + rd: 192.168.42.14:142 + route_targets: + import: + - address_family: evpn + route_targets: + - 142:142 + export: + - address_family: evpn + route_targets: + - 142:142 + router_id: 192.168.42.14 + redistribute: + connected: + enabled: true + - name: WAN-VRF-NO-AF + rd: 192.168.42.14:200 + route_targets: + import: + - address_family: evpn + route_targets: + - 200:200 + export: + - address_family: evpn + route_targets: + - 200:200 + router_id: 192.168.42.14 + redistribute: + connected: + enabled: true +router_path_selection: + path_groups: + - name: INET + id: 101 + ipsec_profile: CP-PROFILE + local_interfaces: + - name: Ethernet1 + stun: + server_profiles: + - INET-cv-pathfinder-pathfinder-Ethernet1 + - INET-cv-pathfinder-pathfinder-Ethernet3 + dynamic_peers: + enabled: true + static_peers: + - router_ip: 192.168.144.1 + name: cv-pathfinder-pathfinder + ipv4_addresses: + - 172.17.7.7 + - 10.9.9.9 + 
load_balance_policies: + - name: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-VIDEO + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-DEFAULT + path_groups: + - name: INET + - name: LB-PROD-AVT-POLICY-VOICE + lowest_hop_count: true + jitter: 42 + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-VIDEO + loss_rate: '42.0' + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-DEFAULT + path_groups: + - name: INET + tcp_mss_ceiling: + ipv4_segment_size: auto +router_traffic_engineering: + enabled: true +service_routing_protocols_model: multi-agent +spanning_tree: + mode: none +stun: + client: + server_profiles: + - name: INET-cv-pathfinder-pathfinder-Ethernet1 + ip_address: 172.17.7.7 + ssl_profile: profileA + - name: INET-cv-pathfinder-pathfinder-Ethernet3 + ip_address: 10.9.9.9 + ssl_profile: profileA +transceiver_qsfp_default_mode_4x10: false +vrfs: +- name: MGMT + ip_routing: false +- name: PROD + ip_routing: true + tenant: TenantA +- name: VRF-NO-WAN + ip_routing: true + tenant: TenantD +- name: VRF-NO-WAN-NO-AF + ip_routing: true + tenant: TenantD +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantD +vxlan_interface: + vxlan1: + description: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_VTEP + vxlan: + source_interface: Dps1 + udp_port: 4789 + vrfs: + - name: default + vni: 1 + - name: PROD + vni: 42 + - name: VRF-NO-WAN + vni: 300 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml new file mode 100644 index 00000000000..62e2bd308e3 --- /dev/null 
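Review bot: The `ip_security.profiles` entries in this new fixture carry `shared_key: ABCDEF1234567890666` and `shared_key: ABCDEF1234567890`, and the `WAN-OVERLAY-PEERS` peer group carries `password: htm4AZe9mIQOO1uiMuGgYQ==`, all written verbatim into a committed file. The cv-pathfinder-edge-wan-use-evpn-on-lan.yml fixture repeats the same three values. They look like test placeholders, but intended configs are what people copy from. The inventory that feeds them (outside this diff) should therefore say so, e.g. `# test-only key material; real deployments keep these values in Ansible Vault`. That also gives a secret scanner's allowlist entry something concrete to point at, rather than a blanket exclusion.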
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml 
@@ -0,0 +1,559 @@ +aaa_root: + disabled: true +agents: +- name: KernelFib + environment_variables: + - name: KERNELFIB_PROGRAM_ALL_ECMP + value: '1' +application_traffic_recognition: + categories: + - name: VIDEO1 + applications: + - name: CUSTOM-APPLICATION-2 + - name: CUSTOM-DSCP-APPLICATION + - name: microsoft-teams + field_sets: + l4_ports: + - name: TCP-SRC-2 + port_values: + - '42' + - name: TCP-DEST-2 + port_values: + - '666' + - '777' + ipv4_prefixes: + - name: CUSTOM-SRC-PREFIX-1 + prefix_values: + - 42.42.42.0/24 + - name: CUSTOM-DEST-PREFIX-1 + prefix_values: + - 6.6.6.0/24 + - name: PFX-PATHFINDERS + prefix_values: + - 192.168.144.1/32 + applications: + ipv4_applications: + - name: CUSTOM-APPLICATION-1 + src_prefix_set_name: CUSTOM-SRC-PREFIX-1 + dest_prefix_set_name: CUSTOM-DEST-PREFIX-1 + protocols: + - tcp + - name: CUSTOM-APPLICATION-2 + protocols: + - tcp + tcp_src_port_set_name: TCP-SRC-2 + tcp_dest_port_set_name: TCP-DEST-2 + - name: CUSTOM-DSCP-APPLICATION + dscp_ranges: + - ef + - 12-14 + - cs6 + - '42' + - name: APP-CONTROL-PLANE + dest_prefix_set_name: PFX-PATHFINDERS + application_profiles: + - name: VIDEO + applications: + - name: CUSTOM-APPLICATION-1 + - name: skype + application_transports: + - rtp + categories: + - name: VIDEO1 + - name: VOICE + applications: + - name: CUSTOM-VOICE-APPLICATION + - name: APP-PROFILE-CONTROL-PLANE + applications: + - name: APP-CONTROL-PLANE +config_end: true +dps_interfaces: +- name: Dps1 + description: DPS Interface + mtu: 9194 + ip_address: 192.168.142.12/32 + flow_tracker: + hardware: FLOW-TRACKER +enable_password: + disabled: true +ethernet_interfaces: +- name: Ethernet52 + description: P2P_leaf-wan-use-evpn-on-lan_Ethernet1 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.23/31 + peer: leaf-wan-use-evpn-on-lan + peer_interface: Ethernet1 + peer_type: l3leaf + switchport: + enabled: false +- name: Ethernet1 + description: ATT_666 + shutdown: false + ip_address: dhcp + 
dhcp_client_accept_default_route: true + peer_type: l3_interface + switchport: + enabled: false +flow_tracking: + hardware: + trackers: + - name: FLOW-TRACKER + record_export: + on_inactive_timeout: 70000 + on_interval: 300000 + exporters: + - name: CV-TELEMETRY + collector: + host: 127.0.0.1 + local_interface: Loopback0 + template_interval: 3600000 + shutdown: false +hostname: cv-pathfinder-edge-wan-use-evpn-on-lan +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.42.12:12 +ip_routing: true +ip_security: + ike_policies: + - name: CP-IKE-POLICY + local_id: 192.168.142.12 + sa_policies: + - name: DP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + - name: CP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + profiles: + - name: DP-PROFILE + sa_policy: DP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890666 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + - name: CP-PROFILE + ike_policy: CP-IKE-POLICY + sa_policy: CP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + key_controller: + profile: DP-PROFILE +is_deployed: true +loopback_interfaces: +- name: Loopback0 + description: ROUTER_ID + shutdown: false + ip_address: 192.168.42.12/32 +management_api_http: + enable_https: true + enable_vrfs: + - name: MGMT +management_security: + ssl_profiles: + - name: profileA + tls_versions: '1.2' + trust_certificate: + certificates: + - aristaDeviceCertProvisionerDefaultRootCA.crt + certificate: + file: profileA.crt + key: profileA.key +metadata: + fabric_name: EOS_DESIGNS_UNIT_TESTS + cv_tags: + device_tags: + - name: Role + value: edge + - name: Region + value: AVD_Land_West + - name: Zone + value: AVD_Land_West-ZONE + - name: Site + value: Site12 + interface_tags: + - interface: Ethernet52 + tags: + - name: Type + value: lan + - interface: Ethernet1 + tags: + - name: Type + value: wan 
+ - name: Carrier + value: ATT + - name: Circuit + value: '666' + cv_pathfinder: + role: edge + region: AVD_Land_West + zone: AVD_Land_West-ZONE + site: Site12 + vtep_ip: 192.168.142.12 + ssl_profile: profileA + pathfinders: + - vtep_ip: 192.168.144.1 + interfaces: + - name: Ethernet1 + carrier: ATT + circuit_id: '666' + pathgroup: INET +prefix_lists: +- name: PL-LOOPBACKS-EVPN-OVERLAY + sequence_numbers: + - sequence: 10 + action: permit 192.168.42.0/24 eq 32 +route_maps: +- name: RM-CONN-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.42.12:12 additive +- name: RM-BGP-UNDERLAY-PEERS-IN + sequence_numbers: + - sequence: 40 + type: permit + description: Mark prefixes originated from the LAN + set: + - extcommunity soo 192.168.42.12:12 additive +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.42.12:12 additive +- name: RM-EVPN-EXPORT-VRF-DEFAULT + sequence_numbers: + - sequence: 10 + type: permit + match: + - extcommunity ECL-EVPN-SOO +router_adaptive_virtual_topology: + topology_role: edge + region: + name: AVD_Land_West + id: 42 + zone: + name: AVD_Land_West-ZONE + id: 1 + site: + name: Site12 + id: 12 + profiles: + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + load_balance_policy: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + - name: DEFAULT-AVT-POLICY-VIDEO + load_balance_policy: LB-DEFAULT-AVT-POLICY-VIDEO + - name: DEFAULT-AVT-POLICY-DEFAULT + load_balance_policy: LB-DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY-VOICE + load_balance_policy: LB-PROD-AVT-POLICY-VOICE + - name: PROD-AVT-POLICY-VIDEO + load_balance_policy: LB-PROD-AVT-POLICY-VIDEO + - name: PROD-AVT-POLICY-DEFAULT + load_balance_policy: LB-PROD-AVT-POLICY-DEFAULT + policies: + - name: 
DEFAULT-AVT-POLICY-WITH-CP + matches: + - application_profile: APP-PROFILE-CONTROL-PLANE + avt_profile: DEFAULT-AVT-POLICY-CONTROL-PLANE + - application_profile: VIDEO + avt_profile: DEFAULT-AVT-POLICY-VIDEO + - application_profile: default + avt_profile: DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY + matches: + - application_profile: VOICE + avt_profile: PROD-AVT-POLICY-VOICE + - application_profile: VIDEO + avt_profile: PROD-AVT-POLICY-VIDEO + - application_profile: default + avt_profile: PROD-AVT-POLICY-DEFAULT + vrfs: + - name: default + policy: DEFAULT-AVT-POLICY-WITH-CP + profiles: + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + id: 254 + - name: DEFAULT-AVT-POLICY-VIDEO + id: 3 + - name: DEFAULT-AVT-POLICY-DEFAULT + id: 1 + - name: PROD + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 +router_bfd: + multihop: + interval: 300 + min_rx: 300 + multiplier: 3 +router_bgp: + as: '65000' + router_id: 192.168.42.12 + maximum_paths: + paths: 16 + updates: + wait_install: true + bgp: + default: + ipv4_unicast: false + peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + send_community: all + maximum_routes: 12000 + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + - name: EVPN-OVERLAY-PEERS + type: evpn + update_source: Loopback0 + bfd: true + ebgp_multihop: 3 + send_community: all + maximum_routes: 0 + - name: WAN-OVERLAY-PEERS + type: wan + remote_as: '65000' + update_source: Dps1 + bfd: true + bfd_timers: + interval: 1000 + min_rx: 1000 + multiplier: 10 + password: htm4AZe9mIQOO1uiMuGgYQ== + send_community: all + maximum_routes: 0 + ttl_maximum_hops: 1 + neighbors: + - ip_address: 172.18.0.22 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65042' + peer: 
leaf-wan-use-evpn-on-lan + description: leaf-wan-use-evpn-on-lan_Ethernet1 + - ip_address: 192.168.144.1 + peer_group: WAN-OVERLAY-PEERS + peer: cv-pathfinder-pathfinder + description: cv-pathfinder-pathfinder_Dps1 + redistribute: + connected: + enabled: true + route_map: RM-CONN-2-BGP + address_family_evpn: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT + encapsulation: path-selection + - name: EVPN-OVERLAY-PEERS + activate: true + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: WAN-OVERLAY-PEERS + activate: false + address_family_ipv4_sr_te: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + address_family_link_state: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + path_selection: + roles: + producer: true + address_family_path_selection: + bgp: + additional_paths: + receive: true + send: any + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + vrfs: + - name: default + rd: 192.168.42.12:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - route-map RM-EVPN-EXPORT-VRF-DEFAULT + - name: PROD + rd: 192.168.42.12:142 + route_targets: + import: + - address_family: evpn + route_targets: + - 142:142 + export: + - address_family: evpn + route_targets: + - 142:142 + router_id: 192.168.42.12 + redistribute: + connected: + enabled: true + - name: VRF-NO-WAN + rd: 192.168.42.12:300 + route_targets: + import: + - address_family: evpn + route_targets: + - 300:300 + export: + - address_family: evpn + route_targets: + - 300:300 + router_id: 192.168.42.12 + redistribute: + connected: + enabled: true + - name: WAN-VRF-NO-AF + rd: 192.168.42.12:200 + route_targets: + import: + - address_family: evpn + route_targets: + - 200:200 + export: + - address_family: evpn + route_targets: + - 200:200 + router_id: 192.168.42.12 + redistribute: + 
connected: + enabled: true +router_path_selection: + path_groups: + - name: INET + id: 101 + ipsec_profile: CP-PROFILE + local_interfaces: + - name: Ethernet1 + stun: + server_profiles: + - INET-cv-pathfinder-pathfinder-Ethernet1 + - INET-cv-pathfinder-pathfinder-Ethernet3 + dynamic_peers: + enabled: true + static_peers: + - router_ip: 192.168.144.1 + name: cv-pathfinder-pathfinder + ipv4_addresses: + - 172.17.7.7 + - 10.9.9.9 + load_balance_policies: + - name: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-VIDEO + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-DEFAULT + path_groups: + - name: INET + - name: LB-PROD-AVT-POLICY-VOICE + lowest_hop_count: true + jitter: 42 + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-VIDEO + loss_rate: '42.0' + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-DEFAULT + path_groups: + - name: INET + tcp_mss_ceiling: + ipv4_segment_size: auto +router_traffic_engineering: + enabled: true +service_routing_protocols_model: multi-agent +spanning_tree: + mode: none +stun: + client: + server_profiles: + - name: INET-cv-pathfinder-pathfinder-Ethernet1 + ip_address: 172.17.7.7 + ssl_profile: profileA + - name: INET-cv-pathfinder-pathfinder-Ethernet3 + ip_address: 10.9.9.9 + ssl_profile: profileA +transceiver_qsfp_default_mode_4x10: false +vrfs: +- name: MGMT + ip_routing: false +- name: PROD + ip_routing: true + tenant: TenantA +- name: VRF-NO-WAN + ip_routing: true + tenant: TenantD +- name: VRF-NO-WAN-NO-AF + ip_routing: true + tenant: TenantD +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantD +vxlan_interface: + vxlan1: + description: cv-pathfinder-edge-wan-use-evpn-on-lan_VTEP + vxlan: + source_interface: Dps1 + udp_port: 4789 + vrfs: + - name: default + vni: 1 + - name: PROD + vni: 42 + - name: VRF-NO-WAN + vni: 300 + - name: WAN-VRF-NO-AF + vni: 200 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml index 18066ced230..e69b97e2d4a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml @@ -261,6 +261,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: @@ -434,6 +438,56 @@ metadata: preference: alternate - name: LAN_HA preference: preferred + - name: WAN-VRF-NO-AF + vni: 200 + avts: + - constraints: + jitter: 42 + hop_count: lowest + id: 2 + name: PROD-AVT-POLICY-VOICE + pathgroups: + - name: MPLS + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VOICE + - constraints: + lossrate: '42.0' + id: 4 + name: PROD-AVT-POLICY-VIDEO + pathgroups: + - name: MPLS + preference: preferred + - name: LTE + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VIDEO + - id: 5 + name: PROD-AVT-POLICY-MPLS-ONLY + pathgroups: + - name: MPLS + preference: preferred + - name: LAN_HA + preference: preferred + application_profiles: + - MPLS-ONLY + - id: 1 + name: PROD-AVT-POLICY-DEFAULT + pathgroups: + - name: INET + preference: preferred + - name: MPLS + preference: alternate + - name: LAN_HA + preference: preferred applications: profiles: - name: VIDEO 
@@ -582,6 +636,17 @@ router_adaptive_virtual_topology: profiles: - name: DEFAULT-POLICY-DEFAULT id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-MPLS-ONLY + id: 5 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 router_bfd: multihop: interval: 300 @@ -815,3 +880,5 @@ vxlan_interface: vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK vni: 166 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml index 9a67f8ae42e..cbcd93588f0 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml @@ -224,6 +224,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: 
@@ -397,6 +401,56 @@ metadata: preference: alternate - name: LAN_HA preference: preferred + - name: WAN-VRF-NO-AF + vni: 200 + avts: + - constraints: + jitter: 42 + hop_count: lowest + id: 2 + name: PROD-AVT-POLICY-VOICE + pathgroups: + - name: MPLS + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VOICE + - constraints: + lossrate: '42.0' + id: 4 + name: PROD-AVT-POLICY-VIDEO + pathgroups: + - name: MPLS + preference: preferred + - name: LTE + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VIDEO + - id: 5 + name: PROD-AVT-POLICY-MPLS-ONLY + pathgroups: + - name: MPLS + preference: preferred + - name: LAN_HA + preference: preferred + application_profiles: + - MPLS-ONLY + - id: 1 + name: PROD-AVT-POLICY-DEFAULT + pathgroups: + - name: INET + preference: preferred + - name: MPLS + preference: alternate + - name: LAN_HA + preference: preferred applications: profiles: - name: VIDEO @@ -545,6 +599,17 @@ router_adaptive_virtual_topology: profiles: - name: DEFAULT-POLICY-DEFAULT id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-MPLS-ONLY + id: 5 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 router_bfd: multihop: interval: 300 @@ -616,10 +681,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: @@ -809,3 +874,5 @@ vxlan_interface: vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK vni: 166 + - name: WAN-VRF-NO-AF + vni: 200 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml index 5a98350cdfe..d1b8395cd07 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml @@ -242,6 +242,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: @@ -415,6 +419,56 @@ metadata: preference: alternate - name: LAN_HA preference: preferred + - name: WAN-VRF-NO-AF + vni: 200 + avts: + - constraints: + jitter: 42 + hop_count: lowest + id: 2 + name: PROD-AVT-POLICY-VOICE + pathgroups: + - name: MPLS + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VOICE + - constraints: + lossrate: '42.0' + id: 4 + name: PROD-AVT-POLICY-VIDEO + pathgroups: + - name: MPLS + preference: preferred + - name: LTE + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VIDEO + - id: 5 + name: PROD-AVT-POLICY-MPLS-ONLY + pathgroups: + - name: MPLS + preference: preferred + - name: LAN_HA + preference: preferred + application_profiles: + - MPLS-ONLY + - id: 1 + name: PROD-AVT-POLICY-DEFAULT + pathgroups: + - name: INET + preference: preferred + - name: MPLS + preference: alternate + - name: LAN_HA + preference: preferred applications: profiles: - name: VIDEO 
@@ -563,6 +617,17 @@ router_adaptive_virtual_topology: profiles: - name: DEFAULT-POLICY-DEFAULT id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-MPLS-ONLY + id: 5 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 router_bfd: multihop: interval: 300 @@ -634,10 +699,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: @@ -838,3 +903,5 @@ vxlan_interface: vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK vni: 166 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml new file mode 100644 index 00000000000..95e3cdff464 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml 
@@ -0,0 +1,286 @@ +aaa_root: + disabled: true +config_end: true +enable_password: + disabled: true +ethernet_interfaces: +- name: Ethernet1 + description: P2P_cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.22/31 + peer: cv-pathfinder-edge-wan-use-evpn-on-lan + peer_interface: Ethernet52 + peer_type: wan_router + switchport: + enabled: false +- name: Ethernet2 + description: P2P_cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.26/31 + peer: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan + peer_interface: Ethernet52 + peer_type: wan_router + switchport: + enabled: false +hostname: leaf-wan-use-evpn-on-lan +ip_igmp_snooping: + globally_enabled: true +ip_routing: true +ip_virtual_router_mac_address: 00:1c:73:00:00:01 +is_deployed: true +loopback_interfaces: +- name: Loopback0 + description: ROUTER_ID + shutdown: false + ip_address: 192.168.45.13/32 +- name: Loopback1 + description: VXLAN_TUNNEL_SOURCE + shutdown: false + ip_address: 192.168.255.13/32 +management_api_http: + enable_https: true + enable_vrfs: + - name: MGMT +metadata: + fabric_name: EOS_DESIGNS_UNIT_TESTS +prefix_lists: +- name: PL-LOOPBACKS-EVPN-OVERLAY + sequence_numbers: + - sequence: 10 + action: permit 192.168.45.0/24 eq 32 + - sequence: 20 + action: permit 192.168.255.0/24 eq 32 +route_maps: +- name: RM-CONN-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +router_bfd: + multihop: + interval: 300 + min_rx: 300 + multiplier: 3 +router_bgp: + as: '65042' + router_id: 192.168.45.13 + maximum_paths: + paths: 4 + ecmp: 4 + updates: + wait_install: true + bgp: + default: + ipv4_unicast: false + peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + send_community: all + maximum_routes: 12000 + - name: EVPN-OVERLAY-PEERS + type: evpn + update_source: Loopback0 + bfd: true + ebgp_multihop: 3 + 
send_community: all + maximum_routes: 0 + neighbors: + - ip_address: 172.18.0.23 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + peer: cv-pathfinder-edge-wan-use-evpn-on-lan + description: cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + - ip_address: 172.18.0.27 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + peer: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan + description: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 + redistribute: + connected: + enabled: true + route_map: RM-CONN-2-BGP + vlans: + - id: 100 + tenant: TenantA + rd: 192.168.45.13:1100 + route_targets: + both: + - 1100:1100 + redistribute_routes: + - learned + - id: 101 + tenant: TenantA + rd: 192.168.45.13:1101 + route_targets: + both: + - 1101:1101 + redistribute_routes: + - learned + - id: 666 + tenant: TenantC + rd: 192.168.45.13:1666 + route_targets: + both: + - 1666:1666 + redistribute_routes: + - learned + address_family_evpn: + peer_groups: + - name: EVPN-OVERLAY-PEERS + activate: true + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: EVPN-OVERLAY-PEERS + activate: false + vrfs: + - name: default + rd: 192.168.45.13:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - name: IT + rd: 192.168.45.13:1000 + route_targets: + import: + - address_family: evpn + route_targets: + - 1000:1000 + export: + - address_family: evpn + route_targets: + - 1000:1000 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true + - name: PROD + rd: 192.168.45.13:142 + route_targets: + import: + - address_family: evpn + route_targets: + - 142:142 + export: + - address_family: evpn + route_targets: + - 142:142 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true + - name: ATTRACTED-VRF-FROM-UPLINK + rd: 192.168.45.13:666 + route_targets: + import: + - address_family: evpn + route_targets: + - 
666:666 + export: + - address_family: evpn + route_targets: + - 666:666 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true + - name: VRF-NO-WAN + rd: 192.168.45.13:300 + route_targets: + import: + - address_family: evpn + route_targets: + - 300:300 + export: + - address_family: evpn + route_targets: + - 300:300 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true +service_routing_protocols_model: multi-agent +transceiver_qsfp_default_mode_4x10: true +vlan_interfaces: +- name: Vlan100 + description: VLAN100 + shutdown: true + vrf: PROD + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA +- name: Vlan666 + description: VLAN666 + shutdown: true + vrf: ATTRACTED-VRF-FROM-UPLINK + ip_address_virtual: 10.66.66.66/24 + tenant: TenantC +vlan_internal_order: + allocation: ascending + range: + beginning: 1006 + ending: 1199 +vlans: +- id: 100 + name: VLAN100 + tenant: TenantA +- id: 101 + name: VLAN101 + tenant: TenantA +- id: 666 + name: VLAN666 + tenant: TenantC +vrfs: +- name: MGMT + ip_routing: false +- name: IT + ip_routing: true + tenant: TenantA +- name: PROD + ip_routing: true + tenant: TenantA +- name: ATTRACTED-VRF-FROM-UPLINK + ip_routing: true + tenant: TenantC +- name: VRF-NO-WAN + ip_routing: true + tenant: TenantD +- name: VRF-NO-WAN-NO-AF + ip_routing: true + tenant: TenantD +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantD +vxlan_interface: + vxlan1: + description: leaf-wan-use-evpn-on-lan_VTEP + vxlan: + source_interface: Loopback1 + udp_port: 4789 + vlans: + - id: 100 + vni: 1100 + - id: 101 + vni: 1101 + - id: 666 + vni: 1666 + vrfs: + - name: default + vni: 1 + - name: IT + vni: 1000 + - name: PROD + vni: 142 + - name: ATTRACTED-VRF-FROM-UPLINK + vni: 666 + - name: VRF-NO-WAN + vni: 300 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml index 46d42ebde5d..02d4786b345 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml @@ -124,6 +124,13 @@ tenants: ip_address_virtual: 10.0.100.1/24 - name: IT vrf_id: 100 + # Removing the default address family with the vrf NOT defined under wan_virtual_topologies.vrfs + # and the knob wan_use_evpn_node_settings_for_lan: False + address_families: [] + - name: WAN-VRF-NO-AF + vrf_id: 200 + # Removing the default address family with the vrf defined under wan_virtual_topologies.vrfs + # and the knob wan_use_evpn_node_settings_for_lan: False address_families: [] l2vlans: - id: 101 @@ -137,6 +144,10 @@ wan_virtual_topologies: - name: PROD policy: PROD-AUTOVPN-POLICY wan_vni: 42 + - name: WAN-VRF-NO-AF + # using same policy to avoid noise + policy: PROD-AUTOVPN-POLICY + wan_vni: 200 policies: - name: PROD-AUTOVPN-POLICY default_virtual_topology: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index d5064b2e910..972ef6c08a9 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -34,6 +34,9 @@ cv_pathfinder_regions: - name: Site423 id: 423 location: Somewhere-warm + - name: Site12 + id: 12 + location: 12 Downing Street, London - name: AVD_Land_East id: 43 description: AVD Region 
@@ -620,6 +623,25 @@ tenants: nodes: - node: site-ha-disabled-leaf ip_address: 10.66.66.1 + - name: TenantD + # Tenant used to test VRFs + # knob wan_use_evpn_node_settings_for_lan: true + mac_vrf_vni_base: 1000 + vrfs: + - name: WAN-VRF-NO-AF + vrf_id: 200 + # Setting address families under tenant to empty list + # and checking the VRF is still added on the WAN when the knob is true + # and the VRF is defined under wan_virtual_topologies.vrfs + address_families: [] + - name: VRF-NO-WAN + vrf_id: 300 + # keeping default address family "evpn" and verifying we do not raise + # when the knob is true. The VRF should be configured. + - name: VRF-NO-WAN-NO-AF + vrf_id: 400 + # when the knob is true. The VRF should not be configured under VXLAN and BGP. + address_families: [] wan_virtual_topologies: vrfs: @@ -639,6 +661,10 @@ wan_virtual_topologies: wan_vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK wan_vni: 166 + - name: WAN-VRF-NO-AF + # Using PROD policy to avoid extra noise + policy: PROD-AVT-POLICY + wan_vni: 200 policies: - name: PROD-AVT-POLICY default_virtual_topology: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml new file mode 100644 index 00000000000..3ba6bdb0b35 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml 
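Review bot: The comment above `address_families: []` on `VRF-NO-WAN-NO-AF` in the `TenantD` hunk starts mid-sentence (`# when the knob is true. The VRF should not be configured under VXLAN and BGP.`), so the condition under test is never stated. Unlike `WAN-VRF-NO-AF`, this VRF is not added to `wan_virtual_topologies.vrfs` in the following hunk of this file, which appears to be the difference the case relies on. I would write it as `# Empty address families and not listed under wan_virtual_topologies.vrfs:` followed by `# when the knob is true, the VRF should not be configured under VXLAN and BGP.`. The two-line `TenantD` header comment would also read better as one line that names the knob, `# Tenant used to test VRFs with wan_use_evpn_node_settings_for_lan: true`.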
@@ -0,0 +1,37 @@ +--- +# Testing CV pathfinder edge using new toggle wan_use_evpn_node_settings_for_lan +wan_use_evpn_node_settings_for_lan: true +# not enabling any overlay protocol on WAN to see impact on "LAN only VRFs" +# none is already the default +overlay_routing_protocol: none + +bgp_as: 65000 + +wan_route_servers: + - hostname: cv-pathfinder-pathfinder + +wan_router: + defaults: + loopback_ipv4_pool: 192.168.42.0/24 + vtep_loopback_ipv4_pool: 192.168.142.0/24 + filter: + always_include_vrfs_in_tenants: [TenantA, TenantD] + deny_vrfs: [IT] + nodes: + - name: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan + cv_pathfinder_region: AVD_Land_West + cv_pathfinder_site: Site12 + # Adding uplink to leaf for EVPN + uplink_switches: [leaf-wan-use-evpn-on-lan] + uplink_type: p2p + uplink_interfaces: [Ethernet52] + uplink_switch_interfaces: [Ethernet2] + uplink_ipv4_pool: 172.18.0.0/24 + evpn_role: client + id: 14 + l3_interfaces: + - name: Ethernet1 + wan_carrier: ATT + wan_circuit_id: 666 + dhcp_accept_default_route: true + ip_address: dhcp diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml new file mode 100644 index 00000000000..b0048ee3509 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml 
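Review bot: The comment on `overlay_routing_protocol: none` says no overlay protocol is enabled "on WAN", which contradicts the wan.md change in this same commit. That change states that iBGP is always configured over the WAN and that this key is considered only on the LAN side, and the host name (`...-no-overlay-on-lan`) agrees. I would change the comment to `# not enabling any overlay protocol on the LAN to see the impact on "LAN only VRFs"`. The node also keeps `evpn_role: client` while the LAN overlay is `none`. If that is deliberate (presumably to show the setting has no effect without an overlay), a one-line comment next to it would make the intent clear.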
@@ -0,0 +1,36 @@ +--- +# Testing CV pathfinder edge using new toggle wan_use_evpn_node_settings_for_lan +wan_use_evpn_node_settings_for_lan: true +# enabling EVPN on LAN +overlay_routing_protocol: ebgp + +bgp_as: 65000 + +wan_route_servers: + - hostname: cv-pathfinder-pathfinder + +wan_router: + defaults: + loopback_ipv4_pool: 192.168.42.0/24 + vtep_loopback_ipv4_pool: 192.168.142.0/24 + filter: + always_include_vrfs_in_tenants: [TenantA, TenantD] + deny_vrfs: [IT] + nodes: + - name: cv-pathfinder-edge-wan-use-evpn-on-lan + cv_pathfinder_region: AVD_Land_West + cv_pathfinder_site: Site12 + # Adding uplink to leaf for EVPN + uplink_switches: [leaf-wan-use-evpn-on-lan] + uplink_type: p2p + uplink_interfaces: [Ethernet52] + uplink_switch_interfaces: [Ethernet1] + uplink_ipv4_pool: 172.18.0.0/24 + evpn_role: client + id: 12 + l3_interfaces: + - name: Ethernet1 + wan_carrier: ATT + wan_circuit_id: 666 + dhcp_accept_default_route: true + ip_address: dhcp diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml new file mode 100644 index 00000000000..1bab418e260 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml @@ -0,0 +1,14 @@ +--- +type: l3leaf + +l3leaf: + defaults: + bgp_as: 65042 + loopback_ipv4_pool: 192.168.45.0/24 + vtep_loopback_ipv4_pool: 192.168.255.0/24 + virtual_router_mac_address: 00:1c:73:00:00:01 + filter: + always_include_vrfs_in_tenants: [TenantA, TenantD] + nodes: + - name: leaf-wan-use-evpn-on-lan + id: 13 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml index 90647098219..72e3a2df0de 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml @@ -403,6 +403,11 @@ all: cv-pathfinder-edge: cv-pathfinder-edge1: site-ha-disabled-leaf: + SITE_EVPN: + hosts: + cv-pathfinder-edge-wan-use-evpn-on-lan: + cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan: + leaf-wan-use-evpn-on-lan: CV_PATHFINDERS: hosts: cv-pathfinder-pathfinder: @@ -420,11 +425,19 @@ all: cv-pathfinder-custom-control-plane-policy-edge-2: # Edge 3 overrides the profile name and also defines the profile cv-pathfinder-custom-control-plane-policy-edge-3: + CV_PATHFINDER_TESTS_LEAFS: + hosts: + site-ha-enabled-leaf2A: + site-ha-enabled-leaf2B: + site-ha-enabled-leaf1: + site-ha-disabled-leaf: + leaf-wan-use-evpn-on-lan: WAN_UNIT_TESTS: hosts: autovpn-edge-no-default-policy: cv-pathfinder-edge-no-default-policy: cv-pathfinder-edge-custom-default-policy: + cv-pathfinder-edge-wan-use-evpn-on-lan: UPLINK_P2P_VRFS_TESTS: hosts: UPLINK_P2P_VRFS_TESTS_SPINE1: diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md b/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md index 2501f8519b9..31ed43bde9b 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md 
@@ -26,17 +26,17 @@ title: Ansible Collection Role eos_designs - WAN Please familiarize yourself with the Arista WAN terminology before proceeding: -- https://www.arista.com/en/solutions/enterprise-wan -- https://tech-library.arista.com/wan/ (Tech Library access requires an Arista account) +- +- (Tech Library access requires an Arista account) ### Design points - When deploying CV Pathfinder, the assumption is that the deployment is using CVaaS. - The intent is to be able to support having the different WAN participating devices in different inventories. -- Only iBGP is supported as an overlay_routing_protocol. - On the AutoVPN Route Reflectors and Pathfinders, a listen range statement is used for BGP to allow for distributed Ansible inventories. - VRF `default` is being configured by default on all WAN devices with a `wan_vni` of 1. To override this, it is necessary to configure VRF `default` in a tenant in `network_services`. - Path-group ID `65535` is reserved for the path-group called `LAN_HA`. +- iBGP is configured over the WAN for the overlay. The `overlay_routing_protocol` key is considered only on the LAN side. !!! info "CV Pathfinder & CloudVision" 
@@ -116,8 +116,8 @@ The following table list the `eos_designs` top level keys used for WAN and how t | `wan_stun_dtls_disable` | ✅ | disable dTLS for STUN for instance for lab. (**NOT** recommended in production). | | `application_classification` | ✅ | to define the specific traffic classification required for the WAN if any. | | `cv_pathfinder_internet_exit_policies` | ✅ | to define the internet-exit policies. | -| `wan_route_servers` | ✘| Indicate to which WAN route servers the WAN router should connect to. This key is also used to tell every WAN Route Reflectors with which other RRs it should peer with. | -| `ipv4_acls` | ✘| List of IPv4 access-lists to be assigned to WAN interfaces. | +| `wan_route_servers` | ✘ | Indicate to which WAN route servers the WAN router should connect to. This key is also used to tell every WAN Route Reflectors with which other RRs it should peer with. | +| `ipv4_acls` | ✘ | List of IPv4 access-lists to be assigned to WAN interfaces. | Additionally, following keys must be set for the WAN route servers for the connectivity to work: @@ -194,7 +194,7 @@ However, if the WAN route servers are in a different inventory, it is then neces #### WAN STUN handling -WAN STUN connections are configured by default authenticated and secured with DTLS by default. A security profile is configured with an hardcoded root certificate and matching a certificate `.crt` and key `.key`: +WAN STUN connections are configured by default authenticated and secured with DTLS by default. A security profile is configured with an hardcoded root certificate and matching a certificate `.crt` and key `.key`: ```eos management security 
@@ -208,7 +208,7 @@ These values can be overwritten using `custom_structured_configuration`. This configuration requires certificates to be distributed on the WAN devices to be able to authenticate themselves: -- For CV Pathinder deployments, CloudVision will automatically generate and deploy the certificates on the devices once AVD configs and metadata have been pushed. +- For CV Pathinder deployments, CloudVision will automatically generate and deploy the certificates on the devices once AVD configs and metadata have been pushed. - For AutoVPN, the certificates must be generated and deployed to the devices for the STUN connections to work. !!! Danger "Disabling STUN" @@ -253,6 +253,7 @@ cv_pathfinder_regions: ``` !!! Note + Site IDs and names must be unique per region. And then for each `wan_router`: @@ -399,7 +400,7 @@ wan_router: # Configure BGP peering with peer bgp: peer_as: 65042 - ipv4_prefix_list_in: ALLOW-DEFAULT # (4)! + ipv4_prefix_list_in: ALLOW-DEFAULT # (4)! # This is NOT a WAN interface - name: Ethernet3 ip_address: 172.20.20.20/31 @@ -427,8 +428,7 @@ ipv4_prefix_list_catalog: 1. `peer` and `peer_interface` are optionals and used for description. 2. `wan_circuit_id` is optional and used for description. -3. Configure IPv4 ACLs in and out for the L3 interface. The access lists must - be defined under `ipv4_acls` top level key. +3. Configure IPv4 ACLs in and out for the L3 interface. The access lists must be defined under `ipv4_acls` top level key. 4. For BGP peering for WAN interfaces, the `ipv4_prefix_list_in` is mandatory for security reaasons. It is defined in the `ipv4_prefix_list_catalog`. ### WAN policies 
@@ -438,7 +438,7 @@ The policies definition works as follow: - The policies are defined under `wan_virtual_topologies.policies`. For AutoVPN mode, the policies are configured under `router path-selection`, for CV Pathfinder, they are configured under `router adaptive-virtual-topology`. - A policy is composed of a list of `application_virtual_topologies` and one `default_virtual_topology`. - The `application_virtual_topologies` entries and the `default_virtual_topology` key are used to create the policy match statement, the AVT profile (when `wan_mode` is CV Pathfinder) and the load balancing policy. -- The `default_virtual_topology` is used as the default match in the policy. To prevent configuring it, the `drop_unmatched` boolean must be set to `true` otherwise, at least one `path-group` must be configured or AVD will raise an error. +- The `default_virtual_topology` is used as the default match in the policy. To prevent configuring it, the `drop_unmatched` boolean must be set to `true` otherwise, at least one `path-group` must be configured or AVD will raise an error. - Policies are assigned to VRFs using the list `wan_virtual_topologies.vrfs`. A policy can be reused in multiple VRFs. - If no policy is assigned for the `default` VRF policy, AVD auto generates one with one `default_virtual_topology` entry configured to use all available local path-groups. - For the policy defined for VRF `default` (or the auto-generared one), an extra match statement is injected in the policy to match the traffic towards the Pathfinders or AutoVPN RRs, the name of the application-profile is hardcoded as `APP-PROFILE-CONTROL-PLANE`. A special policy is created by appending `-WITH-CP` at the end of the targeted policy name. 
@@ -447,13 +447,13 @@ The policies definition works as follow: ```yaml wan_virtual_topologies: vrfs: - - name: PROD # (1)! + - name: PROD # (1)! policy: PROD-AVT-POLICY wan_vni: 42 - name: default # (2)! wan_vni: 1 policies: - - name: PROD-AVT-POLICY # (3)! + - name: PROD-AVT-POLICY # (3)! default_virtual_topology: # (4)! path_groups: - names: [INET] @@ -493,8 +493,7 @@ wan_virtual_topologies: 1. Assign the `PROD-AVT-POLICY` to the `PROD` VRF, multiple VRFs can use the same policy. 2. VRF `default` will use the AVD auto-generated `DEFAULT-POLICY` as no policy is set. 3. Define the `PROD-AVT-POLICY` -4. `default_virtual_topology` is used to configure the default match in the policy. - In this case, default traffic will use INET path-group first and MPLS as backup. +4. `default_virtual_topology` is used to configure the default match in the policy. In this case, default traffic will use INET path-group first and MPLS as backup. 5. This list element configures the policy to apply to traffic the `VOICE` application profile. This block of configuration will configure the Load Balance policy, the match statement in the policy (in `router path-selection` for AutoVPN or `router adaptive-virtual-topology` for CV-Pathfinder) and for CV-Pathfinder, the AVT profile. The application profile must be defined under `application_classification.application_profiles`. @@ -546,7 +545,7 @@ cv_pathfinder_internet_exit_policies: # [...] type specific options ``` -An Application Virtual Topology policy is composed of multiple profiles. An AVT profile can be assigned an Internet-policy as follow: +An Application Virtual Topology policy is composed of multiple profiles. An AVT profile can be assigned an Internet-policy as follow: ```yaml wan_virtual_topologies: @@ -649,7 +648,7 @@ AVD `eos_designs` will fetch Zscaler integration information from Cloudvision. ```yaml # Variables used by eos_designs to connect to Cloudvision -cv_server: +cv_server: cv_token: ``` 
@@ -658,21 +657,21 @@ For each `zscaler` type Internet-policies, AVD uses the `cv_pathinfder_internet_ The `cv_pathinfder_internet_exit_policies[name=].zscaler` dictionary has additonnal options to configure the policy parameters shared with Zscaler through Cloudvision. ```yaml - # PREVIEW: These keys are in preview mode. - cv_pathfinder_internet_exit_policies: - - name: - type: - fallback_to_system_default: - zscaler: - ipsec_key_salt: - domain_name: - encrypt_traffic: - download_bandwidth: - upload_bandwidth: - firewall: - enabled: - ips: - acceptable_use_policy: +# PREVIEW: These keys are in preview mode. +cv_pathfinder_internet_exit_policies: + - name: + type: + fallback_to_system_default: + zscaler: + ipsec_key_salt: + domain_name: + encrypt_traffic: + download_bandwidth: + upload_bandwidth: + firewall: + enabled: + ips: + acceptable_use_policy: ``` !!! tip "IPsec" 
@@ -698,24 +697,20 @@ The following LAN scenarios are supported: Some design points: - The Site of Origin (SOO) extended community is configured as `:` - note: site id is unique per zone (only a default zone supported today). - for HA site, the SOO is set as `:` where `router1` is - the first router defined in the group. + - site id is unique per zone (only a default zone supported today). + - for HA site, the SOO is set as `:` where `router1` is the first router defined in the group. - HA is not supported for more than two routers for CV Pathfinders. - The routes to be advertised towards the WAN must be marked with the site SOO. - The connected routes and static routes are marked with the SOO when redistributed in BGP - the routes redistributed into BGP via the route-map `RM-CONN-2-BGP` are tagged with the SOO. - the routes redistributed into BGP via the route-map `RM-STATIC-2-BGP` are tagged with the SOO. - - the routes received from LAN are marked with the SOO when received from - the LAN over BGP or when redistributed into BGP from the LAN protocol. - note: For other connection (e.g. L3 interface with a BGP peering, the - user must mark them with the SOO) + - the routes received from LAN are marked with the SOO when received from the LAN over BGP or when redistributed into BGP from the LAN protocol. + - For other connection (e.g. L3 interface with a BGP peering, the user must mark them with the SOO). - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SOO. - Routes received from the WAN with the local SOO are dropped. - Routes received from the WAN are redistributed / advertised towards the LAN. -- For HA, an iBGP session using EVPN Gateway is used to share the routes from - one peer to the other. +- For HA, an iBGP session using EVPN Gateway is used to share the routes from one peer to the other. 
- WAN, LAN and local static routes are sent to the HA peer to cater for various failure scenarii. - The routes received from the HA peer are made less preferred than routes received from the LAN or from the WAN. @@ -811,6 +806,7 @@ The following diagram represents this scenario: - accept routes coming from the LAN and set the SoO extended community on them. !!! warning + - the Underlay peer group (towards the LAN) is not configured with any outbound route-map. - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SoO. @@ -879,7 +875,7 @@ In the situation where the LAN is EBGP but HA is configured over a direct link, The HA tunnel will come up properly today but route redistribution will be missing so it is not usable. -- the HA interface(s) is(are) the uplink interface(s) which are automatically included in OSPF. +- the HA interface(s) is(are) the uplink interface(s) which are automatically included in OSPF. #### L2 LAN @@ -1070,5 +1066,6 @@ wan_virtual_topologies: | AvdTestAvtRole | VerifyAVTRole | Validate the Adaptive Virtual Topology (AVT) role of a device. | !!! note + More WAN-related tests are available directly in ANTA and can be added using custom catalogs. They will be progressively added to `eos_validate_state`. diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md index 24f6b1da3c7..213004057dc 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md @@ -19,7 +19,7 @@ | [    default_overlay_address_families](## "custom_node_type_keys.[].default_overlay_address_families") | List, items: String | | `['evpn']` | | Set the default overlay address families.
| | [      - <str>](## "custom_node_type_keys.[].default_overlay_address_families.[]") | String | | | Value is converted to lower case.
Valid Values:
- evpn
- vpn-ipv4
- vpn-ipv6 | | | [    default_evpn_encapsulation](## "custom_node_type_keys.[].default_evpn_encapsulation") | String | | `vxlan` | Value is converted to lower case.
Valid Values:
- mpls
- vxlan | Set the default evpn encapsulation.
| - | [    default_wan_role](## "custom_node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`.
| + | [    default_wan_role](## "custom_node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.
| | [    default_flow_tracker_type](## "custom_node_type_keys.[].default_flow_tracker_type") | String | | `sampled` | Valid Values:
- sampled
- hardware | Set the default flow tracker type. | | [    mlag_support](## "custom_node_type_keys.[].mlag_support") | Boolean | | `False` | | Can this node type support mlag. | | [    network_services](## "custom_node_type_keys.[].network_services") | Dictionary | | | | Will network services be deployed on this node type. | @@ -69,7 +69,7 @@ | [    default_overlay_address_families](## "node_type_keys.[].default_overlay_address_families") | List, items: String | | `['evpn']` | | Set the default overlay address families.
| | [      - <str>](## "node_type_keys.[].default_overlay_address_families.[]") | String | | | Value is converted to lower case.
Valid Values:
- evpn
- vpn-ipv4
- vpn-ipv6 | | | [    default_evpn_encapsulation](## "node_type_keys.[].default_evpn_encapsulation") | String | | `vxlan` | Value is converted to lower case.
Valid Values:
- mpls
- vxlan | Set the default evpn encapsulation.
| - | [    default_wan_role](## "node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`.
| + | [    default_wan_role](## "node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.
| | [    default_flow_tracker_type](## "node_type_keys.[].default_flow_tracker_type") | String | | `sampled` | Valid Values:
- sampled
- hardware | Set the default flow tracker type. | | [    mlag_support](## "node_type_keys.[].mlag_support") | Boolean | | `False` | | Can this node type support mlag. | | [    network_services](## "node_type_keys.[].network_services") | Dictionary | | | | Will network services be deployed on this node type. | @@ -155,8 +155,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. default_wan_role: # Set the default flow tracker type. @@ -335,8 +333,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. default_wan_role: # Set the default flow tracker type. diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md index 1a282a4d83e..aea9ed2b3d8 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md @@ -9,7 +9,7 @@ | -------- | ---- | -------- | ------- | ------------------ | ----------- | | [<node_type_keys.key>](## "") | Dictionary | | | | | | [  defaults](## ".defaults") | Dictionary | | | | Define variables for all nodes of this type. | - | [    wan_role](## ".defaults.wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [    wan_role](## ".defaults.wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [    cv_pathfinder_transit_mode](## ".defaults.cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [    cv_pathfinder_region](## ".defaults.cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [    cv_pathfinder_site](## ".defaults.cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -31,7 +31,7 @@ | [    - group](## ".node_groups.[].group") | String | Required, Unique | | | The Node Group Name is used for MLAG domain unless set with 'mlag_domain_id'.
The Node Group Name is also used for peer description on downstream switches' uplinks.
| | [      nodes](## ".node_groups.[].nodes") | List, items: Dictionary | | | | Define variables per node. | | [        - name](## ".node_groups.[].nodes.[].name") | String | Required, Unique | | | The Node Name is used as "hostname". | - | [          wan_role](## ".node_groups.[].nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [          wan_role](## ".node_groups.[].nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [          cv_pathfinder_transit_mode](## ".node_groups.[].nodes.[].cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [          cv_pathfinder_region](## ".node_groups.[].nodes.[].cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [          cv_pathfinder_site](## ".node_groups.[].nodes.[].cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -49,7 +49,7 @@ | [              enabled](## ".node_groups.[].nodes.[].wan_ha.flow_tracking.enabled") | Boolean | | | | | | [              name](## ".node_groups.[].nodes.[].wan_ha.flow_tracking.name") | String | | | | Flow tracker name as defined in flow_tracking_settings. | | [          dps_mss_ipv4](## ".node_groups.[].nodes.[].dps_mss_ipv4") | String | | `auto` | | IPv4 MSS value configured under "router path-selection" on WAN Devices. | - | [      wan_role](## ".node_groups.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [      wan_role](## ".node_groups.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [      cv_pathfinder_transit_mode](## ".node_groups.[].cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [      cv_pathfinder_region](## ".node_groups.[].cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [      cv_pathfinder_site](## ".node_groups.[].cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -69,7 +69,7 @@ | [      dps_mss_ipv4](## ".node_groups.[].dps_mss_ipv4") | String | | `auto` | | IPv4 MSS value configured under "router path-selection" on WAN Devices. | | [  nodes](## ".nodes") | List, items: Dictionary | | | | Define variables per node. | | [    - name](## ".nodes.[].name") | String | Required, Unique | | | The Node Name is used as "hostname". | - | [      wan_role](## ".nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [      wan_role](## ".nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [      cv_pathfinder_transit_mode](## ".nodes.[].cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [      cv_pathfinder_region](## ".nodes.[].cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [      cv_pathfinder_site](## ".nodes.[].cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -101,8 +101,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs @@ -192,8 +190,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs @@ -270,8 +266,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs @@ -354,8 +348,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md index a29f74c751e..51e62327b29 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md 
@@ -24,6 +24,7 @@ | [wan_mode](## "wan_mode") | String | | `cv-pathfinder` | Valid Values:
- autovpn
- cv-pathfinder | Select if the WAN should be run using CV Pathfinder or AutoVPN only. | | [wan_stun_dtls_disable](## "wan_stun_dtls_disable") | Boolean | | `False` | | WAN STUN connections are authenticated and secured with DTLS by default.
For CV Pathfinder deployments CloudVision will automatically deploy certificates on the devices.
In case of AutoVPN the certificates must be deployed manually to all devices.

For LAB environments this can be disabled, if there are no certificates available.
This should NOT be disabled for a WAN network connected to the internet, since it will leave the STUN service exposed with no authentication. | | [wan_stun_dtls_profile_name](## "wan_stun_dtls_profile_name") | String | | `STUN-DTLS` | | Name of the SSL profile used for DTLS on WAN STUN connections.
When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. | + | [wan_use_evpn_node_settings_for_lan](## "wan_use_evpn_node_settings_for_lan") | Boolean | | `False` | | PREVIEW: This key is currently not supported and may produce invalid configuration.
When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep`
node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN.
This will be the default in AVD version 6.0.0 and this option will be removed. | === "YAML" @@ -85,4 +86,10 @@ # Name of the SSL profile used for DTLS on WAN STUN connections. # When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. wan_stun_dtls_profile_name: + + # PREVIEW: This key is currently not supported and may produce invalid configuration. + # When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` + # node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN. + # This will be the default in AVD version 6.0.0 and this option will be removed. + wan_use_evpn_node_settings_for_lan: ``` diff --git a/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py b/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py index b667bbd73be..676d14985c3 100644 --- a/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py +++ b/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py @@ -64,6 +64,6 @@ def overlay(self: EosDesignsFactsProtocol) -> dict | None: @cached_property def vtep_ip(self: EosDesignsFactsProtocol) -> str | None: """Exposed in avd_switch_facts.""" - if self.shared_utils.vtep: + if self.shared_utils.vtep or self.shared_utils.is_wan_router: return self.shared_utils.vtep_ip return None diff --git a/python-avd/pyavd/_eos_designs/schema/__init__.py b/python-avd/pyavd/_eos_designs/schema/__init__.py index 586649249a4..aa9d496afad 100644 --- a/python-avd/pyavd/_eos_designs/schema/__init__.py +++ b/python-avd/pyavd/_eos_designs/schema/__init__.py @@ -8180,8 +8180,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ default_flow_tracker_type: Literal["sampled", "hardware"] """ 
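Review bot: The docstring of `vtep_ip` still reads only `Exposed in avd_switch_facts.` and does not say why the new `or self.shared_utils.is_wan_router` branch returns a VTEP IP when `shared_utils.vtep` is false. Judging from the `wan_use_evpn_node_settings_for_lan` description added in this same commit, the `vtep` node setting is ignored for WAN devices unless that key is set, which is presumably the reason. A short comment above the condition would record it, for example `# WAN routers always expose a VTEP IP: the 'vtep' node setting is ignored for WAN unless wan_use_evpn_node_settings_for_lan is set.` Since `shared_utils.vtep_ip` is defined outside this hunk, please also confirm it fails with a clear error, rather than returning an unusable value, when a WAN router has no VTEP loopback pool configured.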
@@ -8333,8 +8331,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. default_flow_tracker_type: Set the default flow tracker type. mlag_support: Can this node type support mlag. network_services: @@ -8708,8 +8704,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ default_flow_tracker_type: Literal["sampled", "hardware"] """ @@ -8861,8 +8855,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. default_flow_tracker_type: Set the default flow tracker type. mlag_support: Can this node type support mlag. network_services: @@ -20815,8 +20807,6 @@ class L3PortChannels(AvdIndexedList[str, L3PortChannelsItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -21506,8 +21496,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root 
@@ -24664,8 +24652,6 @@ class L3PortChannels(AvdIndexedList[str, L3PortChannelsItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -25364,8 +25350,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -28450,8 +28434,6 @@ class L3PortChannels(AvdIndexedList[str, L3PortChannelsItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -29152,8 +29134,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -32294,8 +32274,6 @@ class L3PortChannels(AvdIndexedList[str, L3PortChannelsItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ 
@@ -32994,8 +32972,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -42418,8 +42394,6 @@ class L3PortChannels(AvdIndexedList[str, L3PortChannelsItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -43109,8 +43083,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -46267,8 +46239,6 @@ class L3PortChannels(AvdIndexedList[str, L3PortChannelsItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -46967,8 +46937,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root 
@@ -50053,8 +50021,6 @@ class L3PortChannels(AvdIndexedList[str, L3PortChannelsItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -50755,8 +50721,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -53897,8 +53861,6 @@ class L3PortChannels(AvdIndexedList[str, L3PortChannelsItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -54597,8 +54559,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -55136,6 +55096,7 @@ def __init__( "wan_route_servers": {"type": WanRouteServers}, "wan_stun_dtls_disable": {"type": bool, "default": False}, "wan_stun_dtls_profile_name": {"type": str, "default": "STUN-DTLS"}, + "wan_use_evpn_node_settings_for_lan": {"type": bool, "default": False}, "wan_virtual_topologies": {"type": WanVirtualTopologies}, "zscaler_endpoints": {"type": ZscalerEndpoints}, "_custom_structured_configurations": {"type": _CustomStructuredConfigurations}, 
@@ -56882,6 +56843,18 @@ def __init__( Default value: `"STUN-DTLS"` """ + wan_use_evpn_node_settings_for_lan: bool + """ + PREVIEW: This key is currently not supported and may produce invalid configuration. + When true, + `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side + on WAN devices. Otherwise these will be ignored for WAN. + This will be the default in AVD version + 6.0.0 and this option will be removed. + + Default value: `False` + """ wan_virtual_topologies: WanVirtualTopologies """ Configure Virtual Topologies for CV Pathfinder and AutoVPN. @@ -57101,6 +57074,7 @@ def __init__( wan_route_servers: WanRouteServers | UndefinedType = Undefined, wan_stun_dtls_disable: bool | UndefinedType = Undefined, wan_stun_dtls_profile_name: str | UndefinedType = Undefined, + wan_use_evpn_node_settings_for_lan: bool | UndefinedType = Undefined, wan_virtual_topologies: WanVirtualTopologies | UndefinedType = Undefined, zscaler_endpoints: ZscalerEndpoints | UndefinedType = Undefined, _custom_structured_configurations: _CustomStructuredConfigurations | UndefinedType = Undefined, @@ -58350,6 +58324,14 @@ def __init__( Name of the SSL profile used for DTLS on WAN STUN connections. When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. + wan_use_evpn_node_settings_for_lan: + PREVIEW: This key is currently not supported and may produce invalid configuration. + When true, + `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side + on WAN devices. Otherwise these will be ignored for WAN. + This will be the default in AVD version + 6.0.0 and this option will be removed. wan_virtual_topologies: Configure Virtual Topologies for CV Pathfinder and AutoVPN. Auto create a control plane 
diff --git a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml index c9a0955b2d8..7b82f3bbfdc 100644 --- a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml @@ -2584,9 +2584,6 @@ keys: `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. - ' default_flow_tracker_type: type: str @@ -4951,6 +4948,21 @@ keys: When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers.' + wan_use_evpn_node_settings_for_lan: + type: bool + documentation_options: + table: wan-settings + default: false + description: 'PREVIEW: This key is currently not supported and may produce invalid + configuration. + + When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and + `vtep` + + node settings for LAN side on WAN devices. Otherwise these will be ignored for + WAN. + + This will be the default in AVD version 6.0.0 and this option will be removed.' wan_virtual_topologies: type: dict description: 'Configure Virtual Topologies for CV Pathfinder and AutoVPN. @@ -9327,10 +9339,7 @@ $defs: That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. - `server` indicates that the router is a route-reflector. - - - Only supported if `overlay_routing_protocol` is set to `ibgp`.' + `server` indicates that the router is a route-reflector.' cv_pathfinder_transit_mode: documentation_options: table: node-type-wan-configuration diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml index d902d5ae75d..4b81074a57c 100644 --- a/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml 
@@ -508,9 +508,9 @@ $defs: documentation_options: table: node-type-bgp-configuration description: |- - BGP AS <1-4294967295> or AS number in asdot notation "<1-65535>.<0-65535>". - For asdot notation in YAML inputs, the value must be put in quotes, to prevent it from being interpreted as a float number. - Required with eBGP. + BGP AS <1-4294967295> or AS number in asdot notation "<1-65535>.<0-65535>". + For asdot notation in YAML inputs, the value must be put in quotes, to prevent it from being interpreted as a float number. + Required with eBGP. type: str convert_types: - int @@ -1283,8 +1283,6 @@ $defs: This is used both for AutoVPN and Pathfinder designs. That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: documentation_options: table: node-type-wan-configuration diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml index 239453dd715..5849ba031c9 100644 --- a/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml @@ -123,8 +123,6 @@ keys: This is used both for AutoVPN and Pathfinder designs. That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. default_flow_tracker_type: type: str valid_values: diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml new file mode 100644 index 00000000000..2918be6acd4 --- /dev/null 
+++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml @@ -0,0 +1,19 @@ +# Copyright (c) 2023-2024 Arista Networks, Inc. +# Use of this source code is governed by the Apache License 2.0 +# that can be found in the LICENSE file. +# yaml-language-server: $schema=../../../_schema/avd_meta_schema.json +# Line above is used by RedHat's YAML Schema vscode extension +# Use Ctrl + Space to get suggestions for every field. Autocomplete will pop up after typing 2 letters. +type: dict +keys: + wan_use_evpn_node_settings_for_lan: + type: bool + # TODO: AVD 6.0.0 remove this + documentation_options: + table: wan-settings + default: false + description: |- + PREVIEW: This key is currently not supported and may produce invalid configuration. + When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN. + This will be the default in AVD version 6.0.0 and this option will be removed. diff --git a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py index 7561712ecde..f5c70241708 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py @@ -68,12 +68,9 @@ def filtered_tenants(self: SharedUtilsProtocol) -> EosDesigns._DynamicKeys.Dynam for tenant in filtered_tenants: if "default" not in tenant.vrfs: continue - if "evpn" not in tenant.vrfs["default"].address_families: - msg = "WAN configuration requires EVPN to be enabled for VRF 'default'. Got 'address_families: {vrf_default['address_families']}." - raise AristaAvdError(msg) if self.inputs.underlay_filter_peer_as: msg = "WAN configuration is not compatible with 'underlay_filter_peer_as'" - raise AristaAvdError + raise AristaAvdError(msg) break return filtered_tenants._natural_sorted() 
@@ -415,6 +412,7 @@ def bgp_enabled_for_vrf(self: SharedUtilsProtocol, vrf: EosDesigns._DynamicKeys. Otherwise we will autodetect: - If the VRF is part of an overlay we will configure BGP for it. + - If the VRF is on a WAN router, we will configure BGP for it. - If any BGP peers are configured we will configure BGP for it. - If uplink type is p2p_vrfs and the vrf is included in uplink VRFs. """ @@ -427,5 +425,6 @@ def bgp_enabled_for_vrf(self: SharedUtilsProtocol, vrf: EosDesigns._DynamicKeys. vrf_address_families, vrf.bgp_peers, (self.uplink_type == "p2p-vrfs" and vrf.name in (self.get_switch_fact("uplink_switch_vrfs", required=False) or [])), + self.is_wan_vrf(vrf), ] ) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/node_type.py b/python-avd/pyavd/_eos_designs/shared_utils/node_type.py index 6db4e5fdd15..1284ae26433 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/node_type.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/node_type.py @@ -137,4 +137,7 @@ def vtep(self: SharedUtilsProtocol) -> bool: .nodes.[].vtep and node_type_keys..vtep. """ + if self.is_wan_router and not self.inputs.wan_use_evpn_node_settings_for_lan: + # For WAN routers without the knob, vtep should be ignored. + return False return default(self.node_config.vtep, self.node_type_key_data.vtep) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py b/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py index 73842ed9454..af66b3f55c1 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py @@ -149,6 +149,7 @@ "default_evpn_role": "server", "cv_tags_topology_type": "spine", }, + # TODO: AVD 6.0 change default overlay_routing_protocol and evpn_role to none and vtep to false for wan_router and wan_rr. { "key": "wan_router", "type": "wan_router", 
diff --git a/python-avd/pyavd/_eos_designs/shared_utils/overlay.py b/python-avd/pyavd/_eos_designs/shared_utils/overlay.py index 931e3e66f4c..a6dc0766e28 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/overlay.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/overlay.py @@ -33,6 +33,9 @@ def vtep_loopback(self: SharedUtilsProtocol) -> str: def evpn_role(self: SharedUtilsProtocol) -> str | None: if self.underlay_router: default_evpn_role = self.node_type_key_data.default_evpn_role + if self.is_wan_router and not self.inputs.wan_use_evpn_node_settings_for_lan: + # For WAN routers without the knob, evpn_role should be ignored. + return None return default(self.node_config.evpn_role, default_evpn_role) return None diff --git a/python-avd/pyavd/_eos_designs/shared_utils/routing.py b/python-avd/pyavd/_eos_designs/shared_utils/routing.py index 85ac883dcba..bdaa74d2d08 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/routing.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/routing.py @@ -29,6 +29,9 @@ def underlay_routing_protocol(self: SharedUtilsProtocol) -> str: @cached_property def overlay_routing_protocol(self: SharedUtilsProtocol) -> str: default_overlay_routing_protocol = self.node_type_key_data.default_overlay_routing_protocol + if self.is_wan_router and not self.inputs.wan_use_evpn_node_settings_for_lan: + # For WAN routers without the knob, overlay_routing_protocol should be ignored. + return "none" return (self.inputs.overlay_routing_protocol or default_overlay_routing_protocol).lower() @cached_property diff --git a/python-avd/pyavd/_eos_designs/shared_utils/wan.py b/python-avd/pyavd/_eos_designs/shared_utils/wan.py index 4a4ab8385f7..7f02c4ba04b 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/wan.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/wan.py 
@@ -30,17 +30,7 @@ def wan_role(self: SharedUtilsProtocol) -> str | None: return None default_wan_role = self.node_type_key_data.default_wan_role - wan_role = self.node_config.wan_role or default_wan_role - if wan_role is not None and self.overlay_routing_protocol != "ibgp": - msg = "Only 'ibgp' is supported as 'overlay_routing_protocol' for WAN nodes." - raise AristaAvdError(msg) - if wan_role == "server" and self.evpn_role != "server": - msg = "'wan_role' server requires 'evpn_role' server." - raise AristaAvdError(msg) - if wan_role == "client" and self.evpn_role != "client": - msg = "'wan_role' client requires 'evpn_role' client." - raise AristaAvdError(msg) - return wan_role + return self.node_config.wan_role or default_wan_role @cached_property def is_wan_router(self: SharedUtilsProtocol) -> bool: @@ -645,3 +635,22 @@ def wan_stun_dtls_profile_name(self: SharedUtilsProtocol) -> str | None: return None return self.inputs.wan_stun_dtls_profile_name + + def is_wan_vrf(self: SharedUtilsProtocol, vrf: EosDesigns._DynamicKeys.DynamicNetworkServicesItem.NetworkServicesItem.VrfsItem) -> bool: + """Returns True is the VRF is a WAN VRF.""" + if not self.is_wan_router: + return False + + configured_as_wan_vrf = vrf.name in self.inputs.wan_virtual_topologies.vrfs or vrf.name == "default" + + # Old behavior where we rely on address_families. + if not self.inputs.wan_use_evpn_node_settings_for_lan and "evpn" in vrf.address_families and not configured_as_wan_vrf: + msg = ( + f"The VRF '{vrf.name}' does not have a 'wan_vni' defined under 'wan_virtual_topologies'. " + "If this VRF was not intended to be extended over the WAN, but still required to be configured on the WAN router, " + "set 'address_families: []' under the VRF definition. If this VRF was not intended to be configured on the WAN router, " + "use the VRF filter 'deny_vrfs' under the node settings." + ) + raise AristaAvdInvalidInputsError(msg) + + return configured_as_wan_vrf 
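Review bot: `is_wan_vrf` in the last hunk reads as a pure predicate but raises `AristaAvdInvalidInputsError` when the knob is off and an EVPN-enabled VRF is missing from `wan_virtual_topologies`, and its docstring does not say so (it also has a typo, `True is the VRF`). It is a plain method, and this commit calls it from `bgp_enabled_for_vrf`, `_router_bgp_vrfs` and `_set_vxlan_interface_config_for_vrf`, so the caller that surfaces the input error depends on call order; in `bgp_enabled_for_vrf` it sits inside a list literal and is evaluated even when an earlier entry is already truthy. I would at least document the contract, e.g. `"""Return True if the VRF is a WAN VRF; raise AristaAvdInvalidInputsError for an EVPN VRF without a wan_vni when wan_use_evpn_node_settings_for_lan is off."""`, and consider moving the check into a separate validation step so the predicate stays side-effect free.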
diff --git a/python-avd/pyavd/_eos_designs/structured_config/base/utils.py b/python-avd/pyavd/_eos_designs/structured_config/base/utils.py index 71d9baf2293..a6472011844 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/base/utils.py +++ b/python-avd/pyavd/_eos_designs/structured_config/base/utils.py @@ -68,7 +68,7 @@ def _router_bgp_redistribute_routes(self: AvdStructuredConfigBaseProtocol) -> di if not (self.shared_utils.underlay_bgp or self.shared_utils.is_wan_router or self.shared_utils.l3_bgp_neighbors): return None - if self.shared_utils.overlay_routing_protocol != "none" and self.inputs.underlay_filter_redistribute_connected: + if (self.shared_utils.overlay_routing_protocol != "none" or self.shared_utils.is_wan_router) and self.inputs.underlay_filter_redistribute_connected: # Use route-map for redistribution return {"connected": {"enabled": True, "route_map": "RM-CONN-2-BGP"}} diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py index 02222b05f57..e66139e0947 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py 
@@ -132,21 +132,25 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServicesProtocol) -> None: if not self.shared_utils.bgp_enabled_for_vrf(vrf): continue - vrf_name = vrf.name bgp_vrf = EosCliConfigGen.RouterBgp.VrfsItem() if vrf.bgp.raw_eos_cli: bgp_vrf.eos_cli = vrf.bgp.raw_eos_cli if vrf.bgp.structured_config: - self.custom_structured_configs.nested.router_bgp.vrfs.obtain(vrf_name)._deepmerge( + self.custom_structured_configs.nested.router_bgp.vrfs.obtain(vrf.name)._deepmerge( vrf.bgp.structured_config, list_merge=self.custom_structured_configs.list_merge_strategy ) - if vrf_address_families := [af for af in vrf.address_families if af in self.shared_utils.overlay_address_families]: + vrf_address_families = {af for af in vrf.address_families if af in self.shared_utils.overlay_address_families} + if self.shared_utils.is_wan_vrf(vrf): + # If the VRF is a WAN VRF, EVPN RTs are needed. + vrf_address_families.add("evpn") + + if vrf_address_families: # The called function in-place updates the bgp_vrf dict. self._update_router_bgp_vrf_evpn_or_mpls_cfg(bgp_vrf, vrf, vrf_address_families) - if vrf_name != "default": + if vrf.name != "default": bgp_vrf.router_id = self.get_vrf_router_id(vrf, tenant, vrf.bgp.router_id) if vrf.redistribute_connected: @@ -156,7 +160,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServicesProtocol) -> None: if vrf.redistribute_static or (vrf.static_routes and vrf.redistribute_static is None): bgp_vrf.redistribute.static.enabled = True - if self.shared_utils.inband_mgmt_vrf == vrf_name and self.shared_utils.inband_management_parent_vlans: + if self.shared_utils.inband_mgmt_vrf == vrf.name and self.shared_utils.inband_management_parent_vlans: bgp_vrf.redistribute.attached_host.enabled = True else: 
@@ -165,7 +169,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServicesProtocol) -> None: # RD/RT and/or eos_cli/struct_cfg which should go under the vrf default context. # Any peers added later will be put directly under router_bgp if bgp_vrf: - bgp_vrf.name = vrf_name + bgp_vrf.name = vrf.name self.structured_config.router_bgp.vrfs.append(bgp_vrf) # Resetting bgp_vrf so we only add global keys if there are any neighbors for VRF default @@ -195,7 +199,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServicesProtocol) -> None: bgp_peer_config = bgp_peer._cast_as(bgp_vrf.NeighborsItem, ignore_extra_keys=True) if bgp_peer.set_ipv4_next_hop or bgp_peer.set_ipv6_next_hop: - route_map = f"RM-{vrf_name}-{peer_ip}-SET-NEXT-HOP-OUT" + route_map = f"RM-{vrf.name}-{peer_ip}-SET-NEXT-HOP-OUT" bgp_peer_config.route_map_out = route_map if bgp_peer_config.default_originate and not bgp_peer_config.default_originate.route_map: bgp_peer_config.default_originate.route_map = route_map 
@@ -212,28 +216,28 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServicesProtocol) -> None: # Skip adding the VRF if we have no config. if not bgp_vrf: continue + if vrf.name == "default": # VRF default is added directly under router_bgp bgp_vrf = cast(EosCliConfigGen.RouterBgp, bgp_vrf) self.structured_config.router_bgp._deepmerge(bgp_vrf) else: bgp_vrf = cast(EosCliConfigGen.RouterBgp.VrfsItem, bgp_vrf) - bgp_vrf.name = vrf_name + bgp_vrf.name = vrf.name self.structured_config.router_bgp.vrfs.append(bgp_vrf) def _update_router_bgp_vrf_evpn_or_mpls_cfg( self: AvdStructuredConfigNetworkServicesProtocol, bgp_vrf: EosCliConfigGen.RouterBgp.VrfsItem, vrf: EosDesigns._DynamicKeys.DynamicNetworkServicesItem.NetworkServicesItem.VrfsItem, - vrf_address_families: list[str], + vrf_address_families: set[str], ) -> None: """In-place update EVPN/MPLS part of structured config for *one* VRF under router_bgp.vrfs.""" - vrf_name = vrf.name bgp_vrf.rd = self.get_vrf_rd(vrf) vrf_rt = self.get_vrf_rt(vrf) route_targets = {"import": [], "export": []} - for af in vrf_address_families: + for af in sorted(vrf_address_families): if (target := get_item(route_targets["import"], "address_family", af)) is None: route_targets["import"].append({"address_family": af, "route_targets": [vrf_rt]}) else: @@ -252,7 +256,7 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( else: target["route_targets"].append(rt.route_target) - if vrf_name == "default" and self._vrf_default_evpn and self._route_maps_vrf_default: + if vrf.name == "default" and self._vrf_default_evpn and self._route_maps_vrf_default: # Special handling of vrf default with evpn. if (target := get_item(route_targets["export"], "address_family", "evpn")) is None: @@ -263,7 +267,7 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( bgp_vrf.route_targets = EosCliConfigGen.RouterBgp.VrfsItem.RouteTargets._from_dict(route_targets) # VRF default - if vrf_name == "default": + if vrf.name == "default": return # Not VRF default 
diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py index e53dc062874..533ffa42479 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py @@ -32,7 +32,9 @@ def _local_endpoint_trunk_groups(self: AvdStructuredConfigNetworkServicesProtoco @cached_property def _vrf_default_evpn(self: AvdStructuredConfigNetworkServicesProtocol) -> bool: """Return boolean telling if VRF "default" is running EVPN or not.""" - if not (self.shared_utils.network_services_l3 and self.shared_utils.overlay_vtep and self.shared_utils.overlay_evpn): + if not ( + self.shared_utils.network_services_l3 and ((self.shared_utils.overlay_vtep and self.shared_utils.overlay_evpn) or self.shared_utils.is_wan_router) + ): return False for tenant in self.shared_utils.filtered_tenants: @@ -99,7 +101,7 @@ def _vrf_default_ipv4_static_routes(self: AvdStructuredConfigNetworkServicesProt vrf_default_redistribute_static = default(tenant.vrfs["default"].redistribute_static, vrf_default_redistribute_static) - if self.shared_utils.overlay_evpn and self.shared_utils.overlay_vtep: + if (self.shared_utils.overlay_evpn and self.shared_utils.overlay_vtep) or self.shared_utils.is_wan_router: # This is an EVPN VTEP redistribute_in_underlay = False redistribute_in_overlay = vrf_default_redistribute_static and vrf_default_ipv4_static_routes diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py index d19468d4e21..7f024bd016c 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py 
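Review bot: The context comment `# This is an EVPN VTEP` under the changed condition in `_vrf_default_ipv4_static_routes` is no longer accurate, because the branch is now also taken for any WAN router regardless of `overlay_evpn` and `overlay_vtep`. I would update it to `# This is an EVPN VTEP or a WAN router`. The `_vrf_default_evpn` docstring in the first hunk could say the same, for example `"""Return boolean telling if VRF "default" is running EVPN (always considered for WAN routers) or not."""`. Both function bodies continue outside their hunks.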
@@ -127,24 +127,14 @@ def _set_vxlan_interface_config_for_vrf( if svi.vxlan: self._set_vxlan_interface_config_for_vlan(svi, tenant, vnis) - if self.shared_utils.network_services_l3 and self.shared_utils.overlay_evpn_vxlan: + if self.shared_utils.network_services_l3 and (self.shared_utils.overlay_evpn_vxlan or self.shared_utils.is_wan_router): + vrf_name = vrf.name + is_wan_vrf = self.shared_utils.is_wan_vrf(vrf) # Only configure VNI for VRF if the VRF is EVPN enabled - if "evpn" not in vrf.address_families: + if "evpn" not in vrf.address_families and not is_wan_vrf: return - if self.shared_utils.is_wan_router: - # Every VRF with EVPN on a WAN router must have a wan_vni defined. - if vrf.name not in self._filtered_wan_vrfs: - msg = ( - f"The VRF '{vrf.name}' does not have a `wan_vni` defined under 'wan_virtual_topologies'. " - "If this VRF was not intended to be extended over the WAN, but still required to be configured on the WAN router, " - "set 'address_families: []' under the VRF definition. If this VRF was not intended to be configured on the WAN router, " - "use the VRF filter 'deny_vrfs' under the node settings." - ) - raise AristaAvdInvalidInputsError(msg) - vni = self._filtered_wan_vrfs[vrf.name].wan_vni - else: - vni = default(vrf.vrf_vni, vrf.vrf_id) + vni = self._filtered_wan_vrfs[vrf_name].wan_vni if is_wan_vrf else default(vrf.vrf_vni, vrf.vrf_id) if vni is None: # Silently ignore if we cannot set a VNI diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py index 2ba2d13a51f..371b13c20f5 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py 
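Review bot: `self._filtered_wan_vrfs[vrf_name]` is now indexed whenever `is_wan_vrf` is true, but `is_wan_vrf` (wan.py hunk) tests `self.inputs.wan_virtual_topologies.vrfs` or the name `default`, not `_filtered_wan_vrfs`, while the removed code checked `vrf.name not in self._filtered_wan_vrfs` before indexing. If those two collections can differ (`_filtered_wan_vrfs` is defined outside this hunk, so this cannot be confirmed here), a bad input ends in a lookup error instead of the descriptive `AristaAvdInvalidInputsError`. Keeping a guard such as `if is_wan_vrf and vrf_name not in self._filtered_wan_vrfs:` followed by a raise that names the VRF would keep input errors actionable. The hunk also reintroduces the `vrf_name = vrf.name` alias that this commit removes in network_services/router_bgp.py; using `vrf.name` directly would be consistent. The function body starts before and continues after the hunk.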
@@ -22,13 +22,13 @@ class IpExtCommunityListsMixin(Protocol): @structured_config_contributor def ip_extcommunity_lists(self: AvdStructuredConfigOverlayProtocol) -> None: """Set the structured config for ip_extcommunity_lists.""" - if self.shared_utils.overlay_routing_protocol != "ibgp": + if self.shared_utils.overlay_routing_protocol != "ibgp" and not self.shared_utils.is_wan_router: return if self.shared_utils.evpn_role == "server" and not self.shared_utils.is_wan_router: return - if self.shared_utils.overlay_vtep: + if self.shared_utils.overlay_vtep or self.shared_utils.is_wan_router: ip_extcommunity_list = EosCliConfigGen.IpExtcommunityListsItem(name="ECL-EVPN-SOO") ip_extcommunity_list.entries.append_new(type="permit", extcommunities=f"soo {self.shared_utils.evpn_soo}") self.structured_config.ip_extcommunity_lists.append(ip_extcommunity_list) diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py index 3a31bd561d8..f01e1802b35 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py 
@@ -26,18 +26,19 @@ def route_maps(self: AvdStructuredConfigOverlayProtocol) -> None: if self.shared_utils.overlay_cvx: return - if self.shared_utils.overlay_routing_protocol == "ebgp": - if self.inputs.evpn_prevent_readvertise_to_server: - remote_asns = natural_sort({rs_dict.get("bgp_as") for rs_dict in self._evpn_route_servers.values()}) - for remote_asn in remote_asns: - route_maps_item = EosCliConfigGen.RouteMapsItem(name=f"RM-EVPN-FILTER-AS{remote_asn}") - route_maps_item.sequence_numbers.append_new( - sequence=10, type="deny", match=EosCliConfigGen.RouteMapsItem.SequenceNumbersItem.Match([f"as {remote_asn}"]) - ) - route_maps_item.sequence_numbers.append_new(sequence=20, type="permit") - self.structured_config.route_maps.append(route_maps_item) + if self.shared_utils.overlay_routing_protocol == "ebgp" and self.inputs.evpn_prevent_readvertise_to_server: + remote_asns = natural_sort({rs_dict.get("bgp_as") for rs_dict in self._evpn_route_servers.values()}) + for remote_asn in remote_asns: + route_maps_item = EosCliConfigGen.RouteMapsItem(name=f"RM-EVPN-FILTER-AS{remote_asn}") + route_maps_item.sequence_numbers.append_new( + sequence=10, type="deny", match=EosCliConfigGen.RouteMapsItem.SequenceNumbersItem.Match([f"as {remote_asn}"]) + ) + route_maps_item.sequence_numbers.append_new(sequence=20, type="permit") + self.structured_config.route_maps.append(route_maps_item) - elif self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server": + if ( + self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server" + ) or self.shared_utils.is_wan_client: # Route-map IN and OUT for SOO route_maps_item = EosCliConfigGen.RouteMapsItem(name="RM-EVPN-SOO-IN") 
diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py index d156e8760d8..78beba3a3f1 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py @@ -50,9 +50,10 @@ def router_bgp(self: AvdStructuredConfigOverlayProtocol) -> dict | None: return strip_empties_from_dict(router_bgp, strip_values_tuple=(None, "")) def _bgp_cluster_id(self: AvdStructuredConfigOverlayProtocol) -> str | None: - if self.shared_utils.overlay_routing_protocol == "ibgp" and ( - self.shared_utils.evpn_role == "server" or self.shared_utils.mpls_overlay_role == "server" - ): + if ( + self.shared_utils.overlay_routing_protocol == "ibgp" + and (self.shared_utils.evpn_role == "server" or self.shared_utils.mpls_overlay_role == "server") + ) or self.shared_utils.is_wan_server: return default(self.shared_utils.node_config.bgp_cluster_id, self.shared_utils.router_id) return None 
@@ -130,35 +131,38 @@ def _peer_groups(self: AvdStructuredConfigOverlayProtocol) -> list | None: peer_groups.append(mpls_peer_group) - if self.shared_utils.overlay_evpn_vxlan is True: + # TODO: AVD 6.0.0 remove the check for WAN routers. + if self.shared_utils.overlay_evpn_vxlan is True and (not self.shared_utils.is_wan_router or self.inputs.wan_use_evpn_node_settings_for_lan): peer_group_config = {"remote_as": self.shared_utils.bgp_as} - if self.shared_utils.is_wan_router: - # WAN OVERLAY peer group - peer_group_config["ttl_maximum_hops"] = self.inputs.bgp_peer_groups.wan_overlay_peers.ttl_maximum_hops - if self.shared_utils.is_wan_server: - peer_group_config["route_reflector_client"] = True - peer_group_config["bfd_timers"] = self.inputs.bgp_peer_groups.wan_overlay_peers.bfd_timers._as_dict(include_default_values=True) - peer_groups.append( - { - **self._generate_base_peer_group("wan", "wan_overlay_peers", update_source=self.shared_utils.vtep_loopback), - **peer_group_config, - }, - ) - else: - # EVPN OVERLAY peer group - also in EBGP.. - if self.shared_utils.evpn_role == "server": - peer_group_config["route_reflector_client"] = True - peer_groups.append( - { - **self._generate_base_peer_group("evpn", "evpn_overlay_peers"), - **peer_group_config, - }, - ) + # EVPN OVERLAY peer group - also in EBGP.. 
+ if self.shared_utils.evpn_role == "server": + peer_group_config["route_reflector_client"] = True + peer_groups.append( + { + **self._generate_base_peer_group("evpn", "evpn_overlay_peers"), + **peer_group_config, + }, + ) # RR Overlay peer group rendered either for MPLS route servers if self._is_mpls_server is True: peer_groups.append({**self._generate_base_peer_group("mpls", "rr_overlay_peers"), "remote_as": self.shared_utils.bgp_as}) + # Always render the WAN routers + # TODO: probably should move from overlay + if self.shared_utils.is_wan_router: + # WAN OVERLAY peer group only is supported iBGP + peer_group_config = {"remote_as": self.shared_utils.bgp_as, "ttl_maximum_hops": self.inputs.bgp_peer_groups.wan_overlay_peers.ttl_maximum_hops} + if self.shared_utils.is_wan_server: + peer_group_config["route_reflector_client"] = True + peer_group_config["bfd_timers"] = self.inputs.bgp_peer_groups.wan_overlay_peers.bfd_timers._as_dict(include_default_values=True) + peer_groups.append( + { + **self._generate_base_peer_group("wan", "wan_overlay_peers", update_source=self.shared_utils.vtep_loopback), + **peer_group_config, + }, + ) + if self._is_wan_server_with_peers: wan_rr_overlay_peer_group = self._generate_base_peer_group("wan", "wan_rr_overlay_peers", update_source=self.shared_utils.vtep_loopback) wan_rr_overlay_peer_group.update( @@ -189,6 +193,8 @@ def _address_family_ipv4(self: AvdStructuredConfigOverlayProtocol) -> dict: if self.shared_utils.is_wan_router: peer_groups.append({"name": self.inputs.bgp_peer_groups.wan_overlay_peers.name, "activate": False}) + if self._is_wan_server_with_peers: + peer_groups.append({"name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, "activate": False}) # TODO: no elif elif self.shared_utils.overlay_evpn_vxlan is True: 
@@ -206,9 +212,6 @@ def _address_family_ipv4(self: AvdStructuredConfigOverlayProtocol) -> dict: if self._is_mpls_server is True: peer_groups.append({"name": self.inputs.bgp_peer_groups.rr_overlay_peers.name, "activate": False}) - if self._is_wan_server_with_peers: - peer_groups.append({"name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, "activate": False}) - if self.shared_utils.overlay_ipvpn_gateway is True: peer_groups.append({"name": self.inputs.bgp_peer_groups.ipvpn_gateway_peers.name, "activate": False}) @@ -220,15 +223,23 @@ def _address_family_evpn(self: AvdStructuredConfigOverlayProtocol) -> dict | Non peer_groups = [] overlay_peer_group = {} + if self.shared_utils.is_wan_router: + wan_overlay_peer_group = { + "name": self.inputs.bgp_peer_groups.wan_overlay_peers.name, + "activate": True, + "encapsulation": self.inputs.wan_encapsulation, + } + if self.shared_utils.wan_role != "server": + wan_overlay_peer_group.update( + { + "route_map_in": "RM-EVPN-SOO-IN", + "route_map_out": "RM-EVPN-SOO-OUT", + }, + ) + peer_groups.append(wan_overlay_peer_group) + if self.shared_utils.overlay_evpn_vxlan is True: - if self.shared_utils.is_wan_router: - overlay_peer_group = { - "name": self.inputs.bgp_peer_groups.wan_overlay_peers.name, - "activate": True, - "encapsulation": self.inputs.wan_encapsulation, - } - else: - overlay_peer_group = {"name": self.inputs.bgp_peer_groups.evpn_overlay_peers.name, "activate": True} + overlay_peer_group = {"name": self.inputs.bgp_peer_groups.evpn_overlay_peers.name, "activate": True} if self.shared_utils.overlay_routing_protocol == "ebgp": if self.shared_utils.node_config.evpn_gateway.evpn_l2.enabled or self.shared_utils.node_config.evpn_gateway.evpn_l3.enabled: 
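Review bot: In the `_address_family_evpn` hunk the SOO route-maps are attached when `self.shared_utils.wan_role != "server"`, whereas overlay/route_maps.py in this commit generates `RM-EVPN-SOO-IN` and `RM-EVPN-SOO-OUT` under `self.shared_utils.is_wan_client`. The two conditions are presumably equivalent on a WAN router, but `is_wan_client` is defined outside the diff, and two spellings of one decision make it easy for a later change to leave the peer group referencing a route-map that is never generated. I would use the same predicate in both places, `if self.shared_utils.is_wan_client:`. The function continues past the hunk.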
@@ -259,6 +270,7 @@ def _address_family_evpn(self: AvdStructuredConfigOverlayProtocol) -> dict | Non if self._is_mpls_server is True: peer_groups.append({"name": self.inputs.bgp_peer_groups.rr_overlay_peers.name, "activate": True}) + # TODO: this is written for matching either evpn_mpls or evpn_vlxan based for iBGP see if we cannot make this better. if self.shared_utils.overlay_vtep is True and self.shared_utils.evpn_role != "server" and overlay_peer_group: overlay_peer_group.update( { @@ -266,16 +278,6 @@ def _address_family_evpn(self: AvdStructuredConfigOverlayProtocol) -> dict | Non "route_map_out": "RM-EVPN-SOO-OUT", }, ) - - if self._is_wan_server_with_peers: - peer_groups.append( - { - "name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, - "activate": True, - "encapsulation": self.inputs.wan_encapsulation, - } - ) - if overlay_peer_group: peer_groups.append(overlay_peer_group) @@ -302,6 +304,15 @@ def _address_family_evpn(self: AvdStructuredConfigOverlayProtocol) -> dict | Non if self.shared_utils.is_wan_server: address_family_evpn["next_hop"] = {"resolution_disabled": True} + if self._is_wan_server_with_peers: + peer_groups.append( + { + "name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, + "activate": True, + "encapsulation": self.inputs.wan_encapsulation, + } + ) + # Activitating HA iBGP session for WAN HA if self.shared_utils.wan_ha: address_family_evpn["neighbor_default"] = { @@ -482,10 +493,7 @@ def _create_neighbor( ), } - if self.shared_utils.overlay_routing_protocol == "ebgp": - if remote_as is None: - msg = "Configuring eBGP neighbor without a remote_as" - raise AristaAvdError(msg) + if remote_as is not None: neighbor["remote_as"] = remote_as if self.inputs.shutdown_bgp_towards_undeployed_peers and name in self._avd_overlay_peers: 
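Review bot: The `_create_neighbor` hunk drops the fail-fast check that raised `AristaAvdError` with "Configuring eBGP neighbor without a remote_as". With `if remote_as is not None:` an eBGP overlay neighbor whose AS could not be resolved is now emitted without `remote_as`, so the problem is only noticed in the rendered configuration. The relaxation looks necessary for the WAN peers, which the `_neighbors` hunk creates without a `remote_as`, but the eBGP EVPN path loses its input validation as a side effect. I would keep the check for that path, either at the eBGP call sites (outside this hunk) or behind an explicit keyword argument on `_create_neighbor`, and cover it with a negative test. The function signature is outside the hunk.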
@@ -590,43 +598,43 @@ def _neighbors(self: AvdStructuredConfigOverlayProtocol) -> list | None: ) neighbors.append(neighbor) - if self.shared_utils.is_wan_client: - if not self._ip_in_listen_ranges(self.shared_utils.vtep_ip, self.shared_utils.wan_listen_ranges): - msg = f"{self.shared_utils.vtep_loopback} IP {self.shared_utils.vtep_ip} is not in the Route Reflector listen range prefixes" - raise AristaAvdError(msg) - for wan_route_server in self.shared_utils.filtered_wan_route_servers: - neighbor = self._create_neighbor( - wan_route_server.vtep_ip, - wan_route_server.hostname, - self.inputs.bgp_peer_groups.wan_overlay_peers.name, - overlay_peering_interface=self.shared_utils.vtep_loopback, - ) - neighbors.append(neighbor) + if self.shared_utils.is_wan_client: + if not self._ip_in_listen_ranges(self.shared_utils.vtep_ip, self.shared_utils.wan_listen_ranges): + msg = f"{self.shared_utils.vtep_loopback} IP {self.shared_utils.vtep_ip} is not in the Route Reflector listen range prefixes" + raise AristaAvdError(msg) + for wan_route_server in self.shared_utils.filtered_wan_route_servers: + neighbor = self._create_neighbor( + wan_route_server.vtep_ip, + wan_route_server.hostname, + self.inputs.bgp_peer_groups.wan_overlay_peers.name, + overlay_peering_interface=self.shared_utils.vtep_loopback, + ) + neighbors.append(neighbor) - if self.shared_utils.wan_ha: - neighbor = { - "ip_address": self._wan_ha_peer_vtep_ip(), - "peer": self.shared_utils.wan_ha_peer, - "description": self.shared_utils.wan_ha_peer, - "remote_as": self.shared_utils.bgp_as, - "update_source": "Dps1", - "route_reflector_client": True, - "send_community": "all", - "route_map_in": "RM-WAN-HA-PEER-IN", - "route_map_out": "RM-WAN-HA-PEER-OUT", - } - neighbors.append(neighbor) + if self.shared_utils.wan_ha: + neighbor = { + "ip_address": self._wan_ha_peer_vtep_ip(), + "peer": self.shared_utils.wan_ha_peer, + "description": self.shared_utils.wan_ha_peer, + "remote_as": self.shared_utils.bgp_as, + "update_source": 
"Dps1", + "route_reflector_client": True, + "send_community": "all", + "route_map_in": "RM-WAN-HA-PEER-IN", + "route_map_out": "RM-WAN-HA-PEER-OUT", + } + neighbors.append(neighbor) - if self.shared_utils.is_wan_server: - # No neighbor configured on the `wan_overlay_peers` peer group as it is covered by listen ranges - for wan_route_server in self.shared_utils.filtered_wan_route_servers: - neighbor = self._create_neighbor( - wan_route_server.vtep_ip, - wan_route_server.hostname, - self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, - overlay_peering_interface=self.shared_utils.vtep_loopback, - ) - neighbors.append(neighbor) + elif self.shared_utils.is_wan_server: + # No neighbor configured on the `wan_overlay_peers` peer group as it is covered by listen ranges + for wan_route_server in self.shared_utils.filtered_wan_route_servers: + neighbor = self._create_neighbor( + wan_route_server.vtep_ip, + wan_route_server.hostname, + self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, + overlay_peering_interface=self.shared_utils.vtep_loopback, + ) + neighbors.append(neighbor) for ipvpn_gw_peer, data in natural_sort(self._ipvpn_gateway_remote_peers.items()): neighbor = self._create_neighbor( diff --git a/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py b/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py index 2637c5cb15d..5b3c0fada8f 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py +++ b/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py @@ -27,7 +27,7 @@ def prefix_lists(self: AvdStructuredConfigUnderlayProtocol) -> list | None: if self.shared_utils.underlay_bgp is not True and not self.shared_utils.is_wan_router: return None - if self.shared_utils.overlay_routing_protocol == "none": + if self.shared_utils.overlay_routing_protocol == "none" and not self.shared_utils.is_wan_router: return None if not self.inputs.underlay_filter_redistribute_connected: 
diff --git a/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py b/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py index 92b521be77d..e9bd9b7b778 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py +++ b/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py @@ -32,7 +32,7 @@ def route_maps(self: AvdStructuredConfigUnderlayProtocol) -> None: if not self.shared_utils.underlay_bgp and not self.shared_utils.is_wan_router: return - if self.shared_utils.overlay_routing_protocol != "none" and self.inputs.underlay_filter_redistribute_connected: + if (self.shared_utils.overlay_routing_protocol != "none" or self.shared_utils.is_wan_router) and self.inputs.underlay_filter_redistribute_connected: # RM-CONN-2-BGP sequence_numbers = EosCliConfigGen.RouteMapsItem.SequenceNumbers() sequence_10 = EosCliConfigGen.RouteMapsItem.SequenceNumbersItem( diff --git a/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py index 523faec4fd1..b8ec7ec13fd 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py @@ -40,7 +40,7 @@ def router_bgp(self: AvdStructuredConfigUnderlayProtocol) -> None: self.inputs.bgp_peer_groups.ipv4_underlay_peers.structured_config, list_merge=self.custom_structured_configs.list_merge_strategy ) - if self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.is_cv_pathfinder_router: + if self.shared_utils.is_cv_pathfinder_router: peer_group.route_map_in = "RM-BGP-UNDERLAY-PEERS-IN" if self.shared_utils.wan_ha: peer_group.route_map_out = "RM-BGP-UNDERLAY-PEERS-OUT"
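Review bot: Dropping the `overlay_routing_protocol == "ibgp"` test in `router_bgp` means `peer_group.route_map_in = "RM-BGP-UNDERLAY-PEERS-IN"` (and `RM-BGP-UNDERLAY-PEERS-OUT` with WAN HA) is now set on every CV Pathfinder router. The `route_maps.py` hunk in this commit only shows the `RM-CONN-2-BGP` condition being relaxed. The code that emits `RM-BGP-UNDERLAY-PEERS-IN` / `-OUT` is not visible here; if it is still gated on iBGP, the underlay peer group would reference route-maps that are absent from the generated config, and the inbound policy on underlay peers would not be what the structured config describes. Please confirm that guard matches `if self.shared_utils.is_cv_pathfinder_router:` and add a test with `overlay_routing_protocol: none` on a Pathfinder node. `router_bgp` continues outside the hunk.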