From f7ffd86aa0426f415a2109f3e277cb085afceed2 Mon Sep 17 00:00:00 2001 
From: gmuloc Date: Tue, 7 Jan 2025 15:47:42 +0100 Subject: [PATCH 01/40] Refactor(eos_designs): Remove dependency on overlay_routing_protocol and evpn_role for WAN routers --- ...alid-wan-role-overlay-routing-protocol.yml | 31 ---- .../inventory/hosts.yml | 3 - .../structured_configs/autovpn-rr1.yml | 4 +- .../structured_configs/autovpn-rr2.yml | 4 +- ...stom-control-plane-policy-pathfinder-1.yml | 4 +- .../cv-pathfinder-pathfinder1.yml | 4 +- .../cv-pathfinder-pathfinder2.yml | 4 +- .../inventory/group_vars/AUTOVPN_TESTS.yml | 1 + .../group_vars/CV_PATHFINDER_TESTS.yml | 14 +- .../group_vars/CV_PATHFINDER_TESTS_LEAFS.yml | 3 + .../inventory/hosts.yml | 6 + .../tables/node-type-wan-configuration.md | 16 +- .../eos_designs/docs/tables/wan-settings.md | 6 + .../pyavd/_eos_designs/schema/__init__.py | 48 ++--- .../schema/eos_designs.schema.yml | 16 +- .../defs_node_type.schema.yml | 8 +- ..._use_evpn_node_settings_for_lan.schema.yml | 18 ++ .../shared_utils/filtered_tenants.py | 2 + .../_eos_designs/shared_utils/routing.py | 3 + .../pyavd/_eos_designs/shared_utils/wan.py | 16 +- .../structured_config/base/utils.py | 2 +- .../metadata/cv_pathfinder.py | 13 +- .../network_services/utils.py | 6 +- .../network_services/vxlan_interface.py | 2 +- .../overlay/ip_extcommunity_lists.py | 4 +- .../structured_config/overlay/route_maps.py | 4 +- .../structured_config/overlay/router_bgp.py | 173 +++++++++--------- .../underlay/prefix_lists.py | 2 +- .../structured_config/underlay/route_maps.py | 2 +- .../structured_config/underlay/router_bgp.py | 2 +- 30 files changed, 208 insertions(+), 213 deletions(-) delete mode 100644 ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/invalid-wan-role-overlay-routing-protocol.yml create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS_LEAFS.yml create mode 100644 
python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml diff --git a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/invalid-wan-role-overlay-routing-protocol.yml b/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/invalid-wan-role-overlay-routing-protocol.yml deleted file mode 100644 index 26f78e6f2ce..00000000000 --- a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/invalid-wan-role-overlay-routing-protocol.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- -wan_mode: autovpn -type: wan_router -fabric_name: FABRIC_WAN_ROLE_OVERLAY_ROUTING_PROTOCOL - -# Not ibgp -overlay_routing_protocol: none - -wan_router: - defaults: - loopback_ipv4_pool: 192.168.0.0/24 - vtep_loopback_ipv4_pool: 192.168.1.0/24 - nodes: - - name: invalid-wan-role-overlay-routing-protocol - id: 1 - l3_interfaces: - - name: Ethernet1 - wan_carrier: TEST - ip_address: dhcp - -wan_carriers: - - name: TEST - path_group: TEST - trusted: true - -wan_path_groups: - - name: TEST - id: 42 - -expected_error_message: >- - Only 'ibgp' is supported as 'overlay_routing_protocol' for WAN nodes. diff --git a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml b/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml index 9ec68dcf98c..c52aa7855cf 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml @@ -40,9 +40,6 @@ all: invalid-uplink-port-channel-id-3-l3leaf-1: invalid-uplink-port-channel-id-3-l3leaf-2: invalid-uplink-port-channel-id-3-l2leaf-2: - FABRIC_WAN_ROLE_OVERLAY_ROUTING_PROTOCOL: - hosts: - invalid-wan-role-overlay-routing-protocol: FABRIC_P2P_VRFS: hosts: invalid-uplink-type-p2p-vrfs-underlay-router-false: 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml index 31829f301a8..3ab9e3d94e5 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml @@ -173,10 +173,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml index 02eeb47fa29..35550cae94a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml @@ -172,10 +172,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml index 1260da57436..4bee113fade 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml @@ -510,10 +510,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml index 9a67f8ae42e..aff9edf6374 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml @@ -616,10 +616,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml index 5a98350cdfe..28ac1b7145a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml @@ -634,10 +634,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml index 46d42ebde5d..ecdf9677de4 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml @@ -124,6 +124,7 @@ tenants: ip_address_virtual: 10.0.100.1/24 - name: IT vrf_id: 100 + # Removing the default address family address_families: [] l2vlans: - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index d68dd43849a..98f3f1be85e 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -4,6 +4,8 @@ wan_mode: cv-pathfinder # Have all the router in the examples use eBGP as underlay routing protocol - # the default is "none" for WAN routers" underlay_routing_protocol: ebgp +# the default is currently ibgp for WAN routers but need to change it soon. +overlay_routing_protocol: none ipv4_prefix_list_catalog: - name: ALLOW-DEFAULT 
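Review bot: The added `overlay_routing_protocol: none` in the `@@ -4,6 +4,8 @@` hunk applies to every host in CV_PATHFINDER_TESTS, so no CV Pathfinder fixture visible in this patch still exercises the WAN-router default. None of the inventory changes listed in the diffstat appears to set `wan_use_evpn_node_settings_for_lan: true`, so the new opt-in path has no expected-config fixture here either, while the negative test for non-ibgp WAN overlays is deleted in the same commit; later patches in the series may cover this, but that is not visible. The comment "need to change it soon" does not explain the override; if the intent is to prove independence, something like `# WAN routers must render the same config whatever overlay_routing_protocol is; "none" overrides the current ibgp default to prove it.` would say so. The leaf hosts are reset to `ebgp` through the new CV_PATHFINDER_TESTS_LEAFS group, which only works if that group takes precedence over this one; the hosts.yml indentation is not recoverable here, so confirm it is a child group and not a sibling relying on name ordering.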
@@ -105,8 +107,8 @@ wan_router: # cv-pathfinder-edge is not configured on cv-pathfinder-edge1 - group: Site511 uplink_type: p2p-vrfs - uplink_switches: [ site-ha-disabled-leaf ] - uplink_interfaces: [ Ethernet52 ] + uplink_switches: [site-ha-disabled-leaf] + uplink_interfaces: [Ethernet52] cv_pathfinder_region: AVD_Land_East cv_pathfinder_site: Site511 wan_ha: @@ -220,8 +222,8 @@ wan_router: cv_pathfinder_region: AVD_Land_West cv_pathfinder_site: Site423 uplink_type: p2p-vrfs - uplink_switches: [ site-ha-enabled-leaf2A, site-ha-enabled-leaf2B ] - uplink_interfaces: [ Ethernet52, Ethernet53 ] + uplink_switches: [site-ha-enabled-leaf2A, site-ha-enabled-leaf2B] + uplink_interfaces: [Ethernet52, Ethernet53] wan_ha: enabled: true # TODO AVD4.8.0: Remove once WAN HA is GA. nodes: @@ -251,8 +253,8 @@ wan_router: always_include_vrfs_in_tenants: [TenantA, TenantB] uplink_ipv4_pool: 172.17.0.0/16 uplink_type: p2p-vrfs - uplink_switches: [ site-ha-enabled-leaf1 ] - uplink_interfaces: [ Ethernet52 ] + uplink_switches: [site-ha-enabled-leaf1] + uplink_interfaces: [Ethernet52] cv_pathfinder_transit_mode: region # Disable HA IPsec wan_ha: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS_LEAFS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS_LEAFS.yml new file mode 100644 index 00000000000..0f8919e10ed --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS_LEAFS.yml @@ -0,0 +1,3 @@ +--- +# Setting back to ebgp for Leaves +overlay_routing_protocol: ebgp diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml index 19c15c67bbb..7909a6d35e8 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml @@ -414,6 +414,12 @@ all: cv-pathfinder-custom-control-plane-policy-edge-2: # Edge 3 overrides the profile name and also defines the profile cv-pathfinder-custom-control-plane-policy-edge-3: + CV_PATHFINDER_TESTS_LEAFS: + hosts: + site-ha-enabled-leaf2A: + site-ha-enabled-leaf2B: + site-ha-enabled-leaf1: + site-ha-disabled-leaf: WAN_UNIT_TESTS: hosts: autovpn-edge-no-default-policy: diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md index f6692192c8b..8300d6b9928 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md @@ -9,7 +9,7 @@ | -------- | ---- | -------- | ------- | ------------------ | ----------- | | [<node_type_keys.key>](## "") | Dictionary | | | | | | [  defaults](## ".defaults") | Dictionary | | | | Define variables for all nodes of this type. | - | [    wan_role](## ".defaults.wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [    wan_role](## ".defaults.wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [    cv_pathfinder_transit_mode](## ".defaults.cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [    cv_pathfinder_region](## ".defaults.cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [    cv_pathfinder_site](## ".defaults.cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -31,7 +31,7 @@ | [    - group](## ".node_groups.[].group") | String | Required, Unique | | | The Node Group Name is used for MLAG domain unless set with 'mlag_domain_id'.
The Node Group Name is also used for peer description on downstream switches' uplinks.
| | [      nodes](## ".node_groups.[].nodes") | List, items: Dictionary | | | | Define variables per node. | | [        - name](## ".node_groups.[].nodes.[].name") | String | Required, Unique | | | The Node Name is used as "hostname". | - | [          wan_role](## ".node_groups.[].nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [          wan_role](## ".node_groups.[].nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [          cv_pathfinder_transit_mode](## ".node_groups.[].nodes.[].cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [          cv_pathfinder_region](## ".node_groups.[].nodes.[].cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [          cv_pathfinder_site](## ".node_groups.[].nodes.[].cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -49,7 +49,7 @@ | [              enabled](## ".node_groups.[].nodes.[].wan_ha.flow_tracking.enabled") | Boolean | | | | | | [              name](## ".node_groups.[].nodes.[].wan_ha.flow_tracking.name") | String | | | | Flow tracker name as defined in flow_tracking_settings. | | [          dps_mss_ipv4](## ".node_groups.[].nodes.[].dps_mss_ipv4") | String | | `auto` | | IPv4 MSS value configured under "router path-selection" on WAN Devices. | - | [      wan_role](## ".node_groups.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [      wan_role](## ".node_groups.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [      cv_pathfinder_transit_mode](## ".node_groups.[].cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [      cv_pathfinder_region](## ".node_groups.[].cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [      cv_pathfinder_site](## ".node_groups.[].cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -69,7 +69,7 @@ | [      dps_mss_ipv4](## ".node_groups.[].dps_mss_ipv4") | String | | `auto` | | IPv4 MSS value configured under "router path-selection" on WAN Devices. | | [  nodes](## ".nodes") | List, items: Dictionary | | | | Define variables per node. | | [    - name](## ".nodes.[].name") | String | Required, Unique | | | The Node Name is used as "hostname". | - | [      wan_role](## ".nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [      wan_role](## ".nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [      cv_pathfinder_transit_mode](## ".nodes.[].cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [      cv_pathfinder_region](## ".nodes.[].cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [      cv_pathfinder_site](## ".nodes.[].cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -101,8 +101,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs @@ -192,8 +190,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs @@ -270,8 +266,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs @@ -354,8 +348,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md index a29f74c751e..a913cbbbea8 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md 
@@ -24,6 +24,7 @@ | [wan_mode](## "wan_mode") | String | | `cv-pathfinder` | Valid Values:
- autovpn
- cv-pathfinder | Select if the WAN should be run using CV Pathfinder or AutoVPN only. | | [wan_stun_dtls_disable](## "wan_stun_dtls_disable") | Boolean | | `False` | | WAN STUN connections are authenticated and secured with DTLS by default.
For CV Pathfinder deployments CloudVision will automatically deploy certificates on the devices.
In case of AutoVPN the certificates must be deployed manually to all devices.

For LAB environments this can be disabled, if there are no certificates available.
This should NOT be disabled for a WAN network connected to the internet, since it will leave the STUN service exposed with no authentication. | | [wan_stun_dtls_profile_name](## "wan_stun_dtls_profile_name") | String | | `STUN-DTLS` | | Name of the SSL profile used for DTLS on WAN STUN connections.
When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. | + | [wan_use_evpn_node_settings_for_lan](## "wan_use_evpn_node_settings_for_lan") | Boolean | | `False` | | Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep`
node settings for LAN side on WAN devices (they were enforced before).
This will be the default starting 6.0.0. | === "YAML" @@ -85,4 +86,9 @@ # Name of the SSL profile used for DTLS on WAN STUN connections. # When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. wan_stun_dtls_profile_name: + + # Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` + # node settings for LAN side on WAN devices (they were enforced before). + # This will be the default starting 6.0.0. + wan_use_evpn_node_settings_for_lan: ``` diff --git a/python-avd/pyavd/_eos_designs/schema/__init__.py b/python-avd/pyavd/_eos_designs/schema/__init__.py index e466583a2e4..feaa819eacd 100644 --- a/python-avd/pyavd/_eos_designs/schema/__init__.py +++ b/python-avd/pyavd/_eos_designs/schema/__init__.py @@ -22240,8 +22240,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -22919,8 +22917,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -25730,8 +25726,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ 
@@ -26418,8 +26412,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -29174,8 +29166,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -29864,8 +29854,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -32677,8 +32665,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -33365,8 +33351,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root 
@@ -42990,8 +42974,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -43669,8 +43651,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -46480,8 +46460,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -47168,8 +47146,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -49924,8 +49900,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ 
@@ -50614,8 +50588,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -53427,8 +53399,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -54115,8 +54085,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -54655,6 +54623,7 @@ def __init__( "wan_route_servers": {"type": WanRouteServers}, "wan_stun_dtls_disable": {"type": bool, "default": False}, "wan_stun_dtls_profile_name": {"type": str, "default": "STUN-DTLS"}, + "wan_use_evpn_node_settings_for_lan": {"type": bool, "default": False}, "wan_virtual_topologies": {"type": WanVirtualTopologies}, "zscaler_endpoints": {"type": ZscalerEndpoints}, "_custom_data": {"type": dict}, @@ -56386,6 +56355,15 @@ def __init__( Default value: `"STUN-DTLS"` """ + wan_use_evpn_node_settings_for_lan: bool + """ + Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side + on WAN devices (they were enforced before). + This will be the default starting 6.0.0. + + Default value: `False` + """ wan_virtual_topologies: WanVirtualTopologies """ Configure Virtual Topologies for CV Pathfinder and AutoVPN. 
@@ -56601,6 +56579,7 @@ def __init__( wan_route_servers: WanRouteServers | UndefinedType = Undefined, wan_stun_dtls_disable: bool | UndefinedType = Undefined, wan_stun_dtls_profile_name: str | UndefinedType = Undefined, + wan_use_evpn_node_settings_for_lan: bool | UndefinedType = Undefined, wan_virtual_topologies: WanVirtualTopologies | UndefinedType = Undefined, zscaler_endpoints: ZscalerEndpoints | UndefinedType = Undefined, _custom_data: dict[str, Any] | UndefinedType = Undefined, @@ -57836,6 +57815,11 @@ def __init__( Name of the SSL profile used for DTLS on WAN STUN connections. When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. + wan_use_evpn_node_settings_for_lan: + Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side + on WAN devices (they were enforced before). + This will be the default starting 6.0.0. wan_virtual_topologies: Configure Virtual Topologies for CV Pathfinder and AutoVPN. Auto create a control plane diff --git a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml index 3fc301e3936..57f486175b0 100644 --- a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml @@ -4861,6 +4861,17 @@ keys: When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers.' + wan_use_evpn_node_settings_for_lan: + type: bool + documentation_options: + table: wan-settings + default: false + description: 'Setting to start using `overlay_routing_protocol`, `evpn_role` and + `vtep` + + node settings for LAN side on WAN devices (they were enforced before). + + This will be the default starting 6.0.0.' wan_virtual_topologies: type: dict description: 'Configure Virtual Topologies for CV Pathfinder and AutoVPN. 
@@ -9175,10 +9186,7 @@ $defs: That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. - `server` indicates that the router is a route-reflector. - - - Only supported if `overlay_routing_protocol` is set to `ibgp`.' + `server` indicates that the router is a route-reflector.' cv_pathfinder_transit_mode: documentation_options: table: node-type-wan-configuration diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml index c887e4abf79..28c6c820538 100644 --- a/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml @@ -499,9 +499,9 @@ $defs: documentation_options: table: node-type-bgp-configuration description: |- - BGP AS <1-4294967295> or AS number in asdot notation "<1-65535>.<0-65535>". - For asdot notation in YAML inputs, the value must be put in quotes, to prevent it from being interpreted as a float number. - Required with eBGP. + BGP AS <1-4294967295> or AS number in asdot notation "<1-65535>.<0-65535>". + For asdot notation in YAML inputs, the value must be put in quotes, to prevent it from being interpreted as a float number. + Required with eBGP. type: str convert_types: - int @@ -1265,8 +1265,6 @@ $defs: This is used both for AutoVPN and Pathfinder designs. That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: documentation_options: table: node-type-wan-configuration diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml new file mode 100644 index 00000000000..25539127626 --- /dev/null 
+++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml @@ -0,0 +1,18 @@ +# Copyright (c) 2023-2024 Arista Networks, Inc. +# Use of this source code is governed by the Apache License 2.0 +# that can be found in the LICENSE file. +# yaml-language-server: $schema=../../../_schema/avd_meta_schema.json +# Line above is used by RedHat's YAML Schema vscode extension +# Use Ctrl + Space to get suggestions for every field. Autocomplete will pop up after typing 2 letters. +type: dict +keys: + wan_use_evpn_node_settings_for_lan: + type: bool + # TODO: AVD 6.0.0 remove this + documentation_options: + table: wan-settings + default: false + description: |- + Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side on WAN devices (they were enforced before). + This will be the default starting 6.0.0. diff --git a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py index b6958109dac..8b321906460 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py @@ -421,6 +421,7 @@ def bgp_enabled_for_vrf(self: SharedUtils, vrf: EosDesigns._DynamicKeys.DynamicN Otherwise we will autodetect: - If the VRF is part of an overlay we will configure BGP for it. + - If the VRF is on a WAN router, we will configure BGP for it. - If any BGP peers are configured we will configure BGP for it. - If uplink type is p2p_vrfs and the vrf is included in uplink VRFs. """ 
@@ -430,6 +431,7 @@ def bgp_enabled_for_vrf(self: SharedUtils, vrf: EosDesigns._DynamicKeys.DynamicN vrf_address_families = [af for af in vrf.address_families if af in self.overlay_address_families] return any( [ + (self.is_wan_router and self.vrf_has_wan_vni(vrf.name)), vrf_address_families, vrf.bgp_peers, (self.uplink_type == "p2p-vrfs" and vrf.name in (self.get_switch_fact("uplink_switch_vrfs", required=False) or [])), diff --git a/python-avd/pyavd/_eos_designs/shared_utils/routing.py b/python-avd/pyavd/_eos_designs/shared_utils/routing.py index af2c522ad5d..4716e78567f 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/routing.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/routing.py @@ -36,6 +36,9 @@ def overlay_address_families(self: SharedUtils) -> list[str]: if self.overlay_routing_protocol in ["ebgp", "ibgp"]: default_overlay_address_families = self.node_type_key_data.default_overlay_address_families return self.node_config.overlay_address_families._as_list() or default_overlay_address_families._as_list() + # TODO: discuss if this is the best place + if self.is_wan_router: + return ["evpn"] return [] @cached_property diff --git a/python-avd/pyavd/_eos_designs/shared_utils/wan.py b/python-avd/pyavd/_eos_designs/shared_utils/wan.py index ba94441bb4c..625d1820d90 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/wan.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/wan.py 
@@ -30,17 +30,7 @@ def wan_role(self: SharedUtils) -> str | None: return None default_wan_role = self.node_type_key_data.default_wan_role - wan_role = self.node_config.wan_role or default_wan_role - if wan_role is not None and self.overlay_routing_protocol != "ibgp": - msg = "Only 'ibgp' is supported as 'overlay_routing_protocol' for WAN nodes." - raise AristaAvdError(msg) - if wan_role == "server" and self.evpn_role != "server": - msg = "'wan_role' server requires 'evpn_role' server." - raise AristaAvdError(msg) - if wan_role == "client" and self.evpn_role != "client": - msg = "'wan_role' client requires 'evpn_role' client." - raise AristaAvdError(msg) - return wan_role + return self.node_config.wan_role or default_wan_role @cached_property def is_wan_router(self: SharedUtils) -> bool: @@ -592,3 +582,7 @@ def wan_stun_dtls_profile_name(self: SharedUtils) -> str | None: return None return self.inputs.wan_stun_dtls_profile_name + + def vrf_has_wan_vni(self: SharedUtils, vrf_name: str) -> bool: + """Returns True if the VRF `vrf_name` is present under wan_virtual_topologies and wan_vni is set.""" + return vrf_name in self.inputs.wan_virtual_topologies.vrfs and self.inputs.wan_virtual_topologies.vrfs[vrf_name].wan_vni diff --git a/python-avd/pyavd/_eos_designs/structured_config/base/utils.py b/python-avd/pyavd/_eos_designs/structured_config/base/utils.py index 721d679c8e6..f12f893be44 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/base/utils.py +++ b/python-avd/pyavd/_eos_designs/structured_config/base/utils.py 
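Review bot: With the three `AristaAvdError` checks removed, `wan_role` accepts any combination of `overlay_routing_protocol` and `evpn_role` on a WAN node, and the negative molecule test for that case is deleted in the same patch. `wan_use_evpn_node_settings_for_lan` defaults to `False`, and among the hunks shown only `_peer_groups` consults it. With the toggle off, a non-default value on a WAN router therefore looks to be partly honoured rather than refused. If that is intended, say so on the property, for example `# overlay_routing_protocol and evpn_role are deliberately not validated for WAN nodes; LAN-side use is gated by wan_use_evpn_node_settings_for_lan`, and add a test that pins the resulting config. The body of `wan_role` starts before the hunk.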
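Review bot: `vrf_has_wan_vni` is annotated `-> bool` but returns the `wan_vni` value itself when the VRF is listed, so callers get an `int` or `None` rather than a boolean. It works inside the `any([...])` in `bgp_enabled_for_vrf`, but the annotation and docstring promise otherwise. Ending the expression with `self.inputs.wan_virtual_topologies.vrfs[vrf_name].wan_vni is not None` fixes it and matches the `is not None` test used in `_get_vni_for_vrf_name`. That function also falls back to VNI 1 for VRF `default` when it is not listed, whereas this helper returns `False` for the same case; it is worth confirming that difference is wanted.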
@@ -66,7 +66,7 @@ def _router_bgp_redistribute_routes(self: AvdStructuredConfigBase) -> dict | Non if not (self.shared_utils.underlay_bgp or self.shared_utils.is_wan_router or self.shared_utils.l3_interfaces_bgp_neighbors): return None - if self.shared_utils.overlay_routing_protocol != "none" and self.inputs.underlay_filter_redistribute_connected: + if (self.shared_utils.overlay_routing_protocol != "none" or self.shared_utils.is_wan_router) and self.inputs.underlay_filter_redistribute_connected: # Use route-map for redistribution return {"connected": {"enabled": True, "route_map": "RM-CONN-2-BGP"}} diff --git a/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py b/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py index 15ffa97eda7..244c20508c6 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py +++ b/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py @@ -204,11 +204,10 @@ def _metadata_vrfs(self: AvdStructuredConfigMetadata) -> list: return strip_empties_from_list(metadata_vrfs) def _get_vni_for_vrf_name(self: AvdStructuredConfigMetadata, vrf_name: str) -> int: - if vrf_name not in self.inputs.wan_virtual_topologies.vrfs or (wan_vni := self.inputs.wan_virtual_topologies.vrfs[vrf_name].wan_vni) is None: - if vrf_name == "default": - return 1 + if vrf_name in self.inputs.wan_virtual_topologies.vrfs and (wan_vni := self.inputs.wan_virtual_topologies.vrfs[vrf_name].wan_vni) is not None: + return wan_vni + if vrf_name == "default": + return 1 - msg = f"Unable to find the WAN VNI for VRF {vrf_name} during generation of cv_pathfinder metadata." - raise AristaAvdError(msg) - - return wan_vni + msg = f"Unable to find the WAN VNI for VRF {vrf_name} during generation of cv_pathfinder metadata." + raise AristaAvdError(msg) 
diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py index bf52dfc896c..93049e2e699 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py @@ -35,7 +35,9 @@ def _local_endpoint_trunk_groups(self: AvdStructuredConfigNetworkServices) -> se @cached_property def _vrf_default_evpn(self: AvdStructuredConfigNetworkServices) -> bool: """Return boolean telling if VRF "default" is running EVPN or not.""" - if not (self.shared_utils.network_services_l3 and self.shared_utils.overlay_vtep and self.shared_utils.overlay_evpn): + if not ( + self.shared_utils.network_services_l3 and ((self.shared_utils.overlay_vtep and self.shared_utils.overlay_evpn) or self.shared_utils.is_wan_router) + ): return False for tenant in self.shared_utils.filtered_tenants: @@ -102,7 +104,7 @@ def _vrf_default_ipv4_static_routes(self: AvdStructuredConfigNetworkServices) -> vrf_default_redistribute_static = default(tenant.vrfs["default"].redistribute_static, vrf_default_redistribute_static) - if self.shared_utils.overlay_evpn and self.shared_utils.overlay_vtep: + if (self.shared_utils.overlay_evpn and self.shared_utils.overlay_vtep) or self.shared_utils.is_wan_router: # This is an EVPN VTEP redistribute_in_underlay = False redistribute_in_overlay = vrf_default_redistribute_static and vrf_default_ipv4_static_routes diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py index abab779eebd..e73c8464cab 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py 
@@ -154,7 +154,7 @@ def _get_vxlan_interface_config_for_vrf( context_keys=["id", "vni"], ) - if self.shared_utils.network_services_l3 and self.shared_utils.overlay_evpn_vxlan: + if self.shared_utils.network_services_l3 and (self.shared_utils.overlay_evpn_vxlan or self.shared_utils.is_wan_router): vrf_name = vrf.name # Only configure VNI for VRF if the VRF is EVPN enabled diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py index 76847d0499a..060d8bd9283 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py @@ -22,13 +22,13 @@ class IpExtCommunityListsMixin(UtilsMixin): @cached_property def ip_extcommunity_lists(self: AvdStructuredConfigOverlay) -> list | None: """Return structured config for ip_extcommunity_lists.""" - if self.shared_utils.overlay_routing_protocol != "ibgp": + if self.shared_utils.overlay_routing_protocol != "ibgp" and not self.shared_utils.is_wan_router: return None if self.shared_utils.evpn_role == "server" and not self.shared_utils.is_wan_router: return None - if self.shared_utils.overlay_vtep: + if self.shared_utils.overlay_vtep or self.shared_utils.is_wan_router: return [ { "name": "ECL-EVPN-SOO", diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py index df7e11c796c..2f970aa4c01 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py 
@@ -51,7 +51,9 @@ def route_maps(self: AvdStructuredConfigOverlay) -> list | None: }, ) - elif self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server": + elif ( + (self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep) or self.shared_utils.is_wan_router + ) and self.shared_utils.evpn_role != "server": # Route-map IN and OUT for SOO route_maps.append( { diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py index c34abe424ce..0c29e7c5e22 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py @@ -52,9 +52,10 @@ def router_bgp(self: AvdStructuredConfigOverlay) -> dict | None: return strip_empties_from_dict(router_bgp, strip_values_tuple=(None, "")) def _bgp_cluster_id(self: AvdStructuredConfigOverlay) -> str | None: - if self.shared_utils.overlay_routing_protocol == "ibgp" and ( - self.shared_utils.evpn_role == "server" or self.shared_utils.mpls_overlay_role == "server" - ): + if ( + self.shared_utils.overlay_routing_protocol == "ibgp" + and (self.shared_utils.evpn_role == "server" or self.shared_utils.mpls_overlay_role == "server") + ) or self.shared_utils.is_wan_server: return default(self.shared_utils.node_config.bgp_cluster_id, self.shared_utils.router_id) return None 
@@ -132,35 +133,38 @@ def _peer_groups(self: AvdStructuredConfigOverlay) -> list | None: peer_groups.append(mpls_peer_group) - if self.shared_utils.overlay_evpn_vxlan is True: + # TODO: AVD 6.0.0 remove the check for WAN routers. + if self.shared_utils.overlay_evpn_vxlan is True and (not self.shared_utils.is_wan_router or self.inputs.wan_use_evpn_node_settings_for_lan): peer_group_config = {"remote_as": self.shared_utils.bgp_as} - if self.shared_utils.is_wan_router: - # WAN OVERLAY peer group - peer_group_config["ttl_maximum_hops"] = self.inputs.bgp_peer_groups.wan_overlay_peers.ttl_maximum_hops - if self.shared_utils.is_wan_server: - peer_group_config["route_reflector_client"] = True - peer_group_config["bfd_timers"] = self.inputs.bgp_peer_groups.wan_overlay_peers.bfd_timers._as_dict(include_default_values=True) - peer_groups.append( - { - **self._generate_base_peer_group("wan", "wan_overlay_peers", update_source=self.shared_utils.vtep_loopback), - **peer_group_config, - }, - ) - else: - # EVPN OVERLAY peer group - also in EBGP.. - if self.shared_utils.evpn_role == "server": - peer_group_config["route_reflector_client"] = True - peer_groups.append( - { - **self._generate_base_peer_group("evpn", "evpn_overlay_peers"), - **peer_group_config, - }, - ) + # EVPN OVERLAY peer group - also in EBGP.. 
+ if self.shared_utils.evpn_role == "server": + peer_group_config["route_reflector_client"] = True + peer_groups.append( + { + **self._generate_base_peer_group("evpn", "evpn_overlay_peers"), + **peer_group_config, + }, + ) # RR Overlay peer group rendered either for MPLS route servers if self._is_mpls_server is True: peer_groups.append({**self._generate_base_peer_group("mpls", "rr_overlay_peers"), "remote_as": self.shared_utils.bgp_as}) + # Always render WAN routers + # TODO: probably should move from overlay + if self.shared_utils.is_wan_router: + # WAN OVERLAY peer group only is supported iBGP + peer_group_config = {"remote_as": self.shared_utils.bgp_as, "ttl_maximum_hops": self.inputs.bgp_peer_groups.wan_overlay_peers.ttl_maximum_hops} + if self.shared_utils.is_wan_server: + peer_group_config["route_reflector_client"] = True + peer_group_config["bfd_timers"] = self.inputs.bgp_peer_groups.wan_overlay_peers.bfd_timers._as_dict(include_default_values=True) + peer_groups.append( + { + **self._generate_base_peer_group("wan", "wan_overlay_peers", update_source=self.shared_utils.vtep_loopback), + **peer_group_config, + }, + ) + if self._is_wan_server_with_peers: wan_rr_overlay_peer_group = self._generate_base_peer_group("wan", "wan_rr_overlay_peers", update_source=self.shared_utils.vtep_loopback) wan_rr_overlay_peer_group.update( @@ -191,6 +195,8 @@ def _address_family_ipv4(self: AvdStructuredConfigOverlay) -> dict: if self.shared_utils.is_wan_router: peer_groups.append({"name": self.inputs.bgp_peer_groups.wan_overlay_peers.name, "activate": False}) + if self._is_wan_server_with_peers: + peer_groups.append({"name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, "activate": False}) # TODO: no elif elif self.shared_utils.overlay_evpn_vxlan is True: 
@@ -208,9 +214,6 @@ def _address_family_ipv4(self: AvdStructuredConfigOverlay) -> dict: if self._is_mpls_server is True: peer_groups.append({"name": self.inputs.bgp_peer_groups.rr_overlay_peers.name, "activate": False}) - if self._is_wan_server_with_peers: - peer_groups.append({"name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, "activate": False}) - if self.shared_utils.overlay_ipvpn_gateway is True: peer_groups.append({"name": self.inputs.bgp_peer_groups.ipvpn_gateway_peers.name, "activate": False}) @@ -222,15 +225,21 @@ def _address_family_evpn(self: AvdStructuredConfigOverlay) -> dict | None: peer_groups = [] overlay_peer_group = {} - if self.shared_utils.overlay_evpn_vxlan is True: - if self.shared_utils.is_wan_router: - overlay_peer_group = { - "name": self.inputs.bgp_peer_groups.wan_overlay_peers.name, - "activate": True, - "encapsulation": self.inputs.wan_encapsulation, - } - else: - overlay_peer_group = {"name": self.inputs.bgp_peer_groups.evpn_overlay_peers.name, "activate": True} + if self.shared_utils.is_wan_router: + overlay_peer_group = { + "name": self.inputs.bgp_peer_groups.wan_overlay_peers.name, + "activate": True, + "encapsulation": self.inputs.wan_encapsulation, + } + if self.shared_utils.wan_role != "server": + overlay_peer_group.update( + { + "route_map_in": "RM-EVPN-SOO-IN", + "route_map_out": "RM-EVPN-SOO-OUT", + }, + ) + elif self.shared_utils.overlay_evpn_vxlan is True: + overlay_peer_group = {"name": self.inputs.bgp_peer_groups.evpn_overlay_peers.name, "activate": True} if self.shared_utils.overlay_routing_protocol == "ebgp": if self.shared_utils.node_config.evpn_gateway.evpn_l2.enabled or self.shared_utils.node_config.evpn_gateway.evpn_l3.enabled: 
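Review bot: In `_address_family_evpn` the new `if self.shared_utils.is_wan_router: … elif self.shared_utils.overlay_evpn_vxlan is True:` chain can select only one overlay peer group, yet `_peer_groups` in this patch now renders the EVPN overlay peer group on a WAN router when `wan_use_evpn_node_settings_for_lan` is set. On such a router the `evpn_overlay_peers` group would be created but, as far as this hunk shows, never activated under address-family EVPN. The `if`/`elif` in `_address_family_ipv4`, which carries `# TODO: no elif`, looks to have the mirror problem of not deactivating it for IPv4. I would build the two entries independently and gate the EVPN one with the condition `_peer_groups` uses, `self.shared_utils.overlay_evpn_vxlan is True and (not self.shared_utils.is_wan_router or self.inputs.wan_use_evpn_node_settings_for_lan)`. The function continues outside the hunk, so the later eBGP handling of `overlay_peer_group` needs checking against that change.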
@@ -269,15 +278,6 @@ def _address_family_evpn(self: AvdStructuredConfigOverlay) -> dict | None: }, ) - if self._is_wan_server_with_peers: - peer_groups.append( - { - "name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, - "activate": True, - "encapsulation": self.inputs.wan_encapsulation, - } - ) - if overlay_peer_group: peer_groups.append(overlay_peer_group) @@ -304,6 +304,15 @@ def _address_family_evpn(self: AvdStructuredConfigOverlay) -> dict | None: if self.shared_utils.is_wan_server: address_family_evpn["next_hop"] = {"resolution_disabled": True} + if self._is_wan_server_with_peers: + peer_groups.append( + { + "name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, + "activate": True, + "encapsulation": self.inputs.wan_encapsulation, + } + ) + # Activitating HA iBGP session for WAN HA if self.shared_utils.wan_ha: address_family_evpn["neighbor_default"] = { 
@@ -592,43 +601,43 @@ def _neighbors(self: AvdStructuredConfigOverlay) -> list | None: ) neighbors.append(neighbor) - if self.shared_utils.is_wan_client: - if not self._ip_in_listen_ranges(self.shared_utils.vtep_ip, self.shared_utils.wan_listen_ranges): - msg = f"{self.shared_utils.vtep_loopback} IP {self.shared_utils.vtep_ip} is not in the Route Reflector listen range prefixes" - raise AristaAvdError(msg) - for wan_route_server in self.shared_utils.filtered_wan_route_servers: - neighbor = self._create_neighbor( - wan_route_server.vtep_ip, - wan_route_server.hostname, - self.inputs.bgp_peer_groups.wan_overlay_peers.name, - overlay_peering_interface=self.shared_utils.vtep_loopback, - ) - neighbors.append(neighbor) + if self.shared_utils.is_wan_client: + if not self._ip_in_listen_ranges(self.shared_utils.vtep_ip, self.shared_utils.wan_listen_ranges): + msg = f"{self.shared_utils.vtep_loopback} IP {self.shared_utils.vtep_ip} is not in the Route Reflector listen range prefixes" + raise AristaAvdError(msg) + for wan_route_server in self.shared_utils.filtered_wan_route_servers: + neighbor = self._create_neighbor( + wan_route_server.vtep_ip, + wan_route_server.hostname, + self.inputs.bgp_peer_groups.wan_overlay_peers.name, + overlay_peering_interface=self.shared_utils.vtep_loopback, + ) + neighbors.append(neighbor) - if self.shared_utils.wan_ha: - neighbor = { - "ip_address": self._wan_ha_peer_vtep_ip(), - "peer": self.shared_utils.wan_ha_peer, - "description": self.shared_utils.wan_ha_peer, - "remote_as": self.shared_utils.bgp_as, - "update_source": "Dps1", - "route_reflector_client": True, - "send_community": "all", - "route_map_in": "RM-WAN-HA-PEER-IN", - "route_map_out": "RM-WAN-HA-PEER-OUT", - } - neighbors.append(neighbor) + if self.shared_utils.wan_ha: + neighbor = { + "ip_address": self._wan_ha_peer_vtep_ip(), + "peer": self.shared_utils.wan_ha_peer, + "description": self.shared_utils.wan_ha_peer, + "remote_as": self.shared_utils.bgp_as, + "update_source": "Dps1", 
+ "route_reflector_client": True, + "send_community": "all", + "route_map_in": "RM-WAN-HA-PEER-IN", + "route_map_out": "RM-WAN-HA-PEER-OUT", + } + neighbors.append(neighbor) - if self.shared_utils.is_wan_server: - # No neighbor configured on the `wan_overlay_peers` peer group as it is covered by listen ranges - for wan_route_server in self.shared_utils.filtered_wan_route_servers: - neighbor = self._create_neighbor( - wan_route_server.vtep_ip, - wan_route_server.hostname, - self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, - overlay_peering_interface=self.shared_utils.vtep_loopback, - ) - neighbors.append(neighbor) + if self.shared_utils.is_wan_server: + # No neighbor configured on the `wan_overlay_peers` peer group as it is covered by listen ranges + for wan_route_server in self.shared_utils.filtered_wan_route_servers: + neighbor = self._create_neighbor( + wan_route_server.vtep_ip, + wan_route_server.hostname, + self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, + overlay_peering_interface=self.shared_utils.vtep_loopback, + ) + neighbors.append(neighbor) for ipvpn_gw_peer, data in natural_sort(self._ipvpn_gateway_remote_peers.items()): neighbor = self._create_neighbor( diff --git a/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py b/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py index e70c9058eda..2c31c693223 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py +++ b/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py @@ -29,7 +29,7 @@ def prefix_lists(self: AvdStructuredConfigUnderlay) -> list | None: if self.shared_utils.underlay_bgp is not True and not self.shared_utils.is_wan_router: return None - if self.shared_utils.overlay_routing_protocol == "none": + if self.shared_utils.overlay_routing_protocol == "none" and not self.shared_utils.is_wan_router: return None if not self.inputs.underlay_filter_redistribute_connected: 
diff --git a/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py b/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py index 71b9da1e8c2..10841a02dff 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py +++ b/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py @@ -35,7 +35,7 @@ def route_maps(self: AvdStructuredConfigUnderlay) -> list | None: route_maps = [] - if self.shared_utils.overlay_routing_protocol != "none" and self.inputs.underlay_filter_redistribute_connected: + if (self.shared_utils.overlay_routing_protocol != "none" or self.shared_utils.is_wan_router) and self.inputs.underlay_filter_redistribute_connected: # RM-CONN-2-BGP sequence_10 = { "sequence": 10, diff --git a/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py index 3289ed049e9..cd55279c064 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py @@ -43,7 +43,7 @@ def router_bgp(self: AvdStructuredConfigUnderlay) -> dict | None: self.inputs.bgp_peer_groups.ipv4_underlay_peers.structured_config, list_merge=self.custom_structured_configs.list_merge_strategy ) - if self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.is_cv_pathfinder_router: + if self.shared_utils.is_cv_pathfinder_router: peer_group["route_map_in"] = "RM-BGP-UNDERLAY-PEERS-IN" if self.shared_utils.wan_ha: peer_group["route_map_out"] = "RM-BGP-UNDERLAY-PEERS-OUT" From 23e19d5b28be127a85dc66d4346a94b9914b239d Mon Sep 17 00:00:00 2001 From: gmuloc Date: Thu, 9 Jan 2025 16:26:44 +0100 Subject: [PATCH 02/40] Test: Moleculing the molecule --- .../cv-pathfinder/intended/structured_configs/pf1.yml | 4 ++-- .../cv-pathfinder/intended/structured_configs/pf2.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml index a825787e0fe..de767e0c1ed 100644 --- a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml +++ b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml @@ -571,10 +571,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml index 9ce7f83c14b..ec26c6b99ff 100644 --- a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml +++ b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml @@ -571,10 +571,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: From 597bf79fb878c6d75416092251f984183b56ec57 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Tue, 14 Jan 2025 16:28:29 +0100 Subject: [PATCH 03/40] feat: Adjust evpn_role and overlay_routing_protocol defaults when toggle is set --- python-avd/pyavd/_eos_designs/shared_utils/overlay.py | 2 ++ python-avd/pyavd/_eos_designs/shared_utils/routing.py | 7 +++---- 2 files changed, 5 insertions(+), 4 deletions(-) 
diff --git a/python-avd/pyavd/_eos_designs/shared_utils/overlay.py b/python-avd/pyavd/_eos_designs/shared_utils/overlay.py index 74af539aa46..9b810286bdf 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/overlay.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/overlay.py @@ -33,6 +33,8 @@ def vtep_loopback(self: SharedUtils) -> str: def evpn_role(self: SharedUtils) -> str | None: if self.underlay_router: default_evpn_role = self.node_type_key_data.default_evpn_role + if self.is_wan_router and self.inputs.wan_use_evpn_node_settings_for_lan): + default_evpn_role = None return default(self.node_config.evpn_role, default_evpn_role) return None diff --git a/python-avd/pyavd/_eos_designs/shared_utils/routing.py b/python-avd/pyavd/_eos_designs/shared_utils/routing.py index 4716e78567f..2391b6c43d3 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/routing.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/routing.py @@ -29,16 +29,15 @@ def underlay_routing_protocol(self: SharedUtils) -> str: @cached_property def overlay_routing_protocol(self: SharedUtils) -> str: default_overlay_routing_protocol = self.node_type_key_data.default_overlay_routing_protocol + if self.is_wan_router and self.inputs.wan_use_evpn_node_settings_for_lan: + default_overlay_routing_protocol = "none" return (self.inputs.overlay_routing_protocol or default_overlay_routing_protocol).lower() @cached_property def overlay_address_families(self: SharedUtils) -> list[str]: - if self.overlay_routing_protocol in ["ebgp", "ibgp"]: + if self.overlay_routing_protocol in ["ebgp", "ibgp"] or self.is_wan_router: default_overlay_address_families = self.node_type_key_data.default_overlay_address_families return self.node_config.overlay_address_families._as_list() or default_overlay_address_families._as_list() - # TODO: discuss if this is the best place - if self.is_wan_router: - return ["evpn"] return [] @cached_property From ed2dcd2b0769aa1d7231b26b08751b4ecb573728 Mon Sep 17 00:00:00 2001 
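Review bot: The added line `if self.is_wan_router and self.inputs.wan_use_evpn_node_settings_for_lan):` in `evpn_role` has an unmatched `)`, so `overlay.py` does not parse at this commit. The next patch in the series corrects it, but as it stands this commit cannot be imported, tested or bisected on its own. Folding the one-character fix into this patch would keep every commit in the series loadable. `evpn_role` starts before the hunk.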
From: gmuloc Date: Tue, 14 Jan 2025 17:31:44 +0100 Subject: [PATCH 04/40] Refactor: Address PR comment --- python-avd/pyavd/_eos_designs/shared_utils/overlay.py | 2 +- .../_eos_designs/structured_config/overlay/route_maps.py | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/overlay.py b/python-avd/pyavd/_eos_designs/shared_utils/overlay.py index 9b810286bdf..efe00fa6c83 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/overlay.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/overlay.py @@ -33,7 +33,7 @@ def vtep_loopback(self: SharedUtils) -> str: def evpn_role(self: SharedUtils) -> str | None: if self.underlay_router: default_evpn_role = self.node_type_key_data.default_evpn_role - if self.is_wan_router and self.inputs.wan_use_evpn_node_settings_for_lan): + if self.is_wan_router and self.inputs.wan_use_evpn_node_settings_for_lan: default_evpn_role = None return default(self.node_config.evpn_role, default_evpn_role) return None diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py index 2f970aa4c01..2b344b1fe5e 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py @@ -51,9 +51,7 @@ def route_maps(self: AvdStructuredConfigOverlay) -> list | None: }, ) - elif ( - (self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep) or self.shared_utils.is_wan_router - ) and self.shared_utils.evpn_role != "server": + elif (self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server") or self.shared_utils.is_wan_client: # Route-map IN and OUT for SOO route_maps.append( { From 4d1565e2202faebc7ec0b542b878ff782db46f79 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 14 Jan 2025 16:34:50 +0000 Subject: [PATCH 05/40] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .../_eos_designs/structured_config/overlay/route_maps.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py index 2b344b1fe5e..ae3848e9729 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py @@ -51,7 +51,9 @@ def route_maps(self: AvdStructuredConfigOverlay) -> list | None: }, ) - elif (self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server") or self.shared_utils.is_wan_client: + elif ( + self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server" + ) or self.shared_utils.is_wan_client: # Route-map IN and OUT for SOO route_maps.append( { From f1ce4170ad13019411ca900045a2dc50adc8bd57 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Tue, 14 Jan 2025 17:34:55 +0100 Subject: [PATCH 06/40] Doc: Add TODO for our future-selves, they shall thank this --- python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py | 1 + 1 file changed, 1 insertion(+) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py b/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py index fd5d74c041e..af161f74ca1 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py 
@@ -149,6 +149,7 @@
 "default_evpn_role": "server",
 "cv_tags_topology_type": "spine",
 },
+ # TODO: AVD 6.0 change default overlay_routing_protocol and evpn_role to none for wan_router and wan_rr.
 {
 "key": "wan_router",
 "type": "wan_router",
From db3656a67d3fee5701f8b122c5af9417a85a075e Mon Sep 17 00:00:00 2001
From: gmuloc
Date: Wed, 15 Jan 2025 11:40:31 +0100
Subject: [PATCH 07/40] Refactor: Documentation cleaning
---
 ...cv-pathfinder-edge-wan-use-evpn-on-lan.yml | 173 ++++++++++++++++++
 .../inventory/hosts.yml | 1 +
 .../avd/roles/eos_designs/docs/how-to/wan.md | 131 +++++++------
 .../eos_designs/docs/tables/node-type-keys.md | 8 +-
 .../pyavd/_eos_designs/schema/__init__.py | 8 -
 .../schema/eos_designs.schema.yml | 3 -
 .../node_type_keys.schema.yml | 2 -
 7 files changed, 240 insertions(+), 86 deletions(-)
 create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml
new file mode 100644
index 00000000000..588d6840a5f
--- /dev/null
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml
@@ -0,0 +1,173 @@ +--- +# Testing CV pathfinder edge using new toggle wan_use_evpn_node_settings_for_lan +wan_mode: cv-pathfinder +wan_use_evpn_node_settings_for_lan: true +# enabling EVPN on LAN +overlay_routing_protocol: ebgp + +bgp_as: 65000 + +flow_tracking_settings: + trackers: + - name: custom_flow_track_name + record_export: + on_inactive_timeout: 50000 + on_interval: 300331 + exporters: + - name: ayush_exporter + collector: + host: 127.0.0.1 + local_interface: Loopback0 + template_interval: 40000 + +fabric_flow_tracking: + dps_interfaces: + name: custom_flow_track_name + +cv_pathfinder_regions: + - name: AVD_Land_West + id: 42 + description: AVD Region + sites: + - name: Site12 + id: 12 + location: 12 Downing Street, London + +bgp_peer_groups: + wan_overlay_peers: + password: "htm4AZe9mIQOO1uiMuGgYQ==" + # Overwriting TTL + ttl_maximum_hops: 42 + listen_range_prefixes: + - 192.168.255.0/24 + +wan_route_servers: + - hostname: cv-pathfinder-pathfinder + +wan_ipsec_profiles: + control_plane: + shared_key: ABCDEF1234567890 + +default_node_types: + - node_type: wan_router + match_hostnames: + - "cv-pathfinder-edge.*" + +wan_router: + defaults: + loopback_ipv4_pool: 192.168.42.0/24 + vtep_loopback_ipv4_pool: 192.168.255.0/24 + filter: + always_include_vrfs_in_tenants: [TenantA] + deny_vrfs: [IT] + nodes: + - name: cv-pathfinder-edge-wan0use-evpn-on-lan + cv_pathfinder_region: AVD_Land_West + cv_pathfinder_site: Site12 + evpn_role: client + id: 12 + l3_interfaces: + - name: Ethernet1 + wan_carrier: ATT + wan_circuit_id: 666 + dhcp_accept_default_route: true + ip_address: dhcp + - name: Ethernet2 + wan_carrier: Colt + wan_circuit_id: 10555 + ip_address: 172.15.5.5/31 + - name: Ethernet3 + wan_carrier: Comcast-5G + wan_circuit_id: AF830 + ip_address: 172.20.20.20/31 + connected_to_pathfinder: false + +wan_path_groups: + - name: MPLS + ipsec: + static_peers: false + # TODO remove one once auto-id is implemented - for now required in schema + id: 100 + - name: INET + 
id: 101 + - name: LTE + id: 102 + - name: Equinix + id: 103 + - name: Satellite + id: 104 + +wan_carriers: + - name: Comcast + path_group: INET + trusted: true + - name: ATT + path_group: INET + trusted: true + - name: Bouygues_Telecom + path_group: INET + trusted: true + - name: SFR + path_group: INET + trusted: true + - name: Orange + path_group: INET + trusted: true + - name: Another-ISP + path_group: INET + trusted: true + - name: Colt + path_group: MPLS + trusted: true + - name: ATT-MPLS + path_group: MPLS + trusted: true + - name: Comcast-5G + path_group: LTE + trusted: true + - name: Inmrasat + path_group: Satellite + trusted: true + +tenants: + - name: TenantA + vrfs: + - name: default + vrf_id: 1 + - name: PROD + vrf_id: 42 + - name: IT + vrf_id: 100 + +wan_virtual_topologies: + vrfs: + # No policy for default or PROD, going to use DEFAULT-POLICY + # overwrite DEFAULT-POLICY below + - name: default + wan_vni: 1 + - name: PROD + wan_vni: 42 + policies: + # Name of the DEFAULT-POLICY being overwritten + - name: DEFAULT-POLICY + default_virtual_topology: + path_groups: + - names: [INET] + - names: [LTE] + preference: 42 + application_virtual_topologies: + - application_profile: VIDEO + path_groups: + - names: [MPLS, INET] + preference: preferred + id: 3 + +application_classification: + application_profiles: + - name: VIDEO + # Testing categories filtering + applications: + # Testing applications in application-profiles filtering + - name: CUSTOM-APPLICATION-1 + # Builtin application that should not raise + - name: skype diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml index 7909a6d35e8..1d59cf7bf24 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml 
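Review bot: The node entry under `wan_router.nodes` is named `cv-pathfinder-edge-wan0use-evpn-on-lan`, with a `0` where the file name and the `hosts.yml` entry added in this commit have `-`, so the node-level settings (`evpn_role: client`, `id: 12`, the region/site and `l3_interfaces`) presumably never match the host under test. It should read `- name: cv-pathfinder-edge-wan-use-evpn-on-lan`. Separately, `bgp_peer_groups.wan_overlay_peers.password` and `wan_ipsec_profiles.control_plane.shared_key` are committed as literals; a comment such as `# test fixture value, not a real credential` would keep secret scanners and readers from treating them as live keys.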
@@ -425,6 +425,7 @@ all: autovpn-edge-no-default-policy: cv-pathfinder-edge-no-default-policy: cv-pathfinder-edge-custom-default-policy: + cv-pathfinder-edge-wan-use-evpn-on-lan: UPLINK_P2P_VRFS_TESTS: hosts: UPLINK_P2P_VRFS_TESTS_SPINE1: diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md b/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md index f4d46b5dcec..f07a39c8190 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md @@ -33,10 +33,10 @@ Please familiarize yourself with the Arista WAN terminology before proceeding: - When deploying CV Pathfinder, the assumption is that the deployment is using CVaaS. - The intent is to be able to support having the different WAN participating devices in different inventories. -- Only iBGP is supported as an overlay_routing_protocol. - On the AutoVPN Route Reflectors and Pathfinders, a listen range statement is used for BGP to allow for distributed Ansible inventories. - VRF `default` is being configured by default on all WAN devices with a `wan_vni` of 1. To override this, it is necessary to configure VRF `default` in a tenant in `network_services`. - Path-group ID `65535` is reserved for the path-group called `LAN_HA`. +- iBGP is configured over the WAN for the overlay. The `overlay_routing_protocol` key is considered only on the LAN side. !!! info "CV Pathfinder & CloudVision" 
@@ -102,21 +102,21 @@ Please familiarize yourself with the Arista WAN terminology before proceeding: The following table list the `eos_designs` top level keys used for WAN and how they should be set: -| Key | Must be the same for all the WAN routers | Comment | -| --- | ---------------------------------------- | ------- | -| `wan_mode` | ✅ | Two possible modes, `autovpn` and `cv-pathfinder` (default). | -| `wan_encapsulation` | ✅ | Two possible encapsulations, `vxlan` and `path-selection` (default). | -| `wan_virtual_topologies` | ✅ | to define the Policies and the VRF to policy mappings. | -| `wan_path_groups` | ✅ | to define the list of path-groups in the network. | -| `wan_carriers` | ✅ | to define the list of carriers in the network, each carrier is assigned to a path-group. | -| `wan_ipsec_profiles` | ✅ | to define the shared key for the Control Plane and Data Plane IPSec profiles. | -| `cv_pathfinder_regions` | ✅ | to define the Region/Zone/Site hierarchy, not required for AutoVPN. | -| `tenants` | ✅ | the default tenant key from `network_services` or any other key for tenant that would hold some WAN VRF information. | -| `wan_stun_dtls_disable` | ✅ | disable dTLS for STUN for instance for lab. (**NOT** recommended in production). | -| `application_classification` | ✅ | to define the specific traffic classification required for the WAN if any. | -| `cv_pathfinder_internet_exit_policies` | ✅ | to define the internet-exit policies. | -| `wan_route_servers` | ✘| Indicate to which WAN route servers the WAN router should connect to. This key is also used to tell every WAN Route Reflectors with which other RRs it should peer with. | -| `ipv4_acls` | ✘| List of IPv4 access-lists to be assigned to WAN interfaces. 
| +| Key | Must be the same for all the WAN routers | Comment | +| -------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `wan_mode` | ✅ | Two possible modes, `autovpn` and `cv-pathfinder` (default). | +| `wan_encapsulation` | ✅ | Two possible encapsulations, `vxlan` and `path-selection` (default). | +| `wan_virtual_topologies` | ✅ | to define the Policies and the VRF to policy mappings. | +| `wan_path_groups` | ✅ | to define the list of path-groups in the network. | +| `wan_carriers` | ✅ | to define the list of carriers in the network, each carrier is assigned to a path-group. | +| `wan_ipsec_profiles` | ✅ | to define the shared key for the Control Plane and Data Plane IPSec profiles. | +| `cv_pathfinder_regions` | ✅ | to define the Region/Zone/Site hierarchy, not required for AutoVPN. | +| `tenants` | ✅ | the default tenant key from `network_services` or any other key for tenant that would hold some WAN VRF information. | +| `wan_stun_dtls_disable` | ✅ | disable dTLS for STUN for instance for lab. (**NOT** recommended in production). | +| `application_classification` | ✅ | to define the specific traffic classification required for the WAN if any. | +| `cv_pathfinder_internet_exit_policies` | ✅ | to define the internet-exit policies. | +| `wan_route_servers` | ✘ | Indicate to which WAN route servers the WAN router should connect to. This key is also used to tell every WAN Route Reflectors with which other RRs it should peer with. | +| `ipv4_acls` | ✘ | List of IPv4 access-lists to be assigned to WAN interfaces. | Additionally, following keys must be set for the WAN route servers for the connectivity to work: 
@@ -182,7 +182,7 @@ wan_route_servers: # (1)! ``` 1. A `wan_router` with this configuration will establish BGP peering to all the `wan_route_servers` in the list if it has a common path-group. - A `wan_rr` with this configuration will establish BGP peerings to every other `wan_route_servers` in the list if they have a common path-group. + A `wan_rr` with this configuration will establish BGP peerings to every other `wan_route_servers` in the list if they have a common path-group. !!! note @@ -193,7 +193,7 @@ However, if the WAN route servers are in a different inventory, it is then neces #### WAN STUN handling -WAN STUN connections are configured by default authenticated and secured with DTLS by default. A security profile is configured with an hardcoded root certificate and matching a certificate `.crt` and key `.key`: +WAN STUN connections are configured by default authenticated and secured with DTLS by default. A security profile is configured with an hardcoded root certificate and matching a certificate `.crt` and key `.key`: ```eos management security @@ -207,7 +207,7 @@ These values can be overwritten using `custom_structured_configuration`. This configuration requires certificates to be distributed on the WAN devices to be able to authenticate themselves: -- For CV Pathinder deployments, CloudVision will automatically generate and deploy the certificates on the devices once AVD configs and metadata have been pushed. +- For CV Pathinder deployments, CloudVision will automatically generate and deploy the certificates on the devices once AVD configs and metadata have been pushed. - For AutoVPN, the certificates must be generated and deployed to the devices for the STUN connections to work. !!! Danger "Disabling STUN" @@ -252,7 +252,7 @@ cv_pathfinder_regions: ``` !!! Note - Site IDs and names must be unique per region. +Site IDs and names must be unique per region. And then for each `wan_router`: 
@@ -398,7 +398,7 @@ wan_router: # Configure BGP peering with peer bgp: peer_as: 65042 - ipv4_prefix_list_in: ALLOW-DEFAULT # (4)! + ipv4_prefix_list_in: ALLOW-DEFAULT # (4)! # This is NOT a WAN interface - name: Ethernet3 ip_address: 172.20.20.20/31 @@ -412,7 +412,7 @@ ipv4_prefix_list_catalog: 1. `peer` and `peer_interface` are optionals and used for description. 2. `wan_circuit_id` is optional and used for description. 3. Configure IPv4 ACLs in and out for the L3 interface. The access lists must - be defined under `ipv4_acls` top level key. + be defined under `ipv4_acls` top level key. 4. For BGP peering for WAN interfaces, the `ipv4_prefix_list_in` is mandatory for security reaasons. It is defined in the `ipv4_prefix_list_catalog`. ### WAN policies 
@@ -422,7 +422,7 @@ The policies definition works as follow: - The policies are defined under `wan_virtual_topologies.policies`. For AutoVPN mode, the policies are configured under `router path-selection`, for CV Pathfinder, they are configured under `router adaptive-virtual-topology`. - A policy is composed of a list of `application_virtual_topologies` and one `default_virtual_topology`. - The `application_virtual_topologies` entries and the `default_virtual_topology` key are used to create the policy match statement, the AVT profile (when `wan_mode` is CV Pathfinder) and the load balancing policy. -- The `default_virtual_topology` is used as the default match in the policy. To prevent configuring it, the `drop_unmatched` boolean must be set to `true` otherwise, at least one `path-group` must be configured or AVD will raise an error. +- The `default_virtual_topology` is used as the default match in the policy. To prevent configuring it, the `drop_unmatched` boolean must be set to `true` otherwise, at least one `path-group` must be configured or AVD will raise an error. - Policies are assigned to VRFs using the list `wan_virtual_topologies.vrfs`. A policy can be reused in multiple VRFs. - If no policy is assigned for the `default` VRF policy, AVD auto generates one with one `default_virtual_topology` entry configured to use all available local path-groups. - For the policy defined for VRF `default` (or the auto-generared one), an extra match statement is injected in the policy to match the traffic towards the Pathfinders or AutoVPN RRs, the name of the application-profile is hardcoded as `APP-PROFILE-CONTROL-PLANE`. A special policy is created by appending `-WITH-CP` at the end of the targeted policy name. 
@@ -431,13 +431,13 @@ The policies definition works as follow: ```yaml wan_virtual_topologies: vrfs: - - name: PROD # (1)! + - name: PROD # (1)! policy: PROD-AVT-POLICY wan_vni: 42 - name: default # (2)! wan_vni: 1 policies: - - name: PROD-AVT-POLICY # (3)! + - name: PROD-AVT-POLICY # (3)! default_virtual_topology: # (4)! path_groups: - names: [INET] @@ -478,7 +478,7 @@ wan_virtual_topologies: 2. VRF `default` will use the AVD auto-generated `DEFAULT-POLICY` as no policy is set. 3. Define the `PROD-AVT-POLICY` 4. `default_virtual_topology` is used to configure the default match in the policy. - In this case, default traffic will use INET path-group first and MPLS as backup. + In this case, default traffic will use INET path-group first and MPLS as backup. 5. This list element configures the policy to apply to traffic the `VOICE` application profile. This block of configuration will configure the Load Balance policy, the match statement in the policy (in `router path-selection` for AutoVPN or `router adaptive-virtual-topology` for CV-Pathfinder) and for CV-Pathfinder, the AVT profile. The application profile must be defined under `application_classification.application_profiles`. @@ -530,12 +530,11 @@ cv_pathfinder_internet_exit_policies: # [...] type specific options ``` -An Application Virtual Topology policy is composed of multiple profiles. An AVT profile can be assigned an Internet-policy as follow: +An Application Virtual Topology policy is composed of multiple profiles. An AVT profile can be assigned an Internet-policy as follow: ```yaml wan_virtual_topologies: - vrfs: - [...] + vrfs: [...] policies: - name: PROD-AVT-POLICY default_virtual_topology: @@ -633,7 +632,7 @@ AVD `eos_designs` will fetch Zscaler integration information from Cloudvision. ```yaml # Variables used by eos_designs to connect to Cloudvision -cv_server: +cv_server: cv_token: ``` 
@@ -642,21 +641,21 @@ For each `zscaler` type Internet-policies, AVD uses the `cv_pathinfder_internet_ The `cv_pathinfder_internet_exit_policies[name=].zscaler` dictionary has additonnal options to configure the policy parameters shared with Zscaler through Cloudvision. ```yaml - # PREVIEW: These keys are in preview mode. - cv_pathfinder_internet_exit_policies: - - name: - type: - fallback_to_system_default: - zscaler: - ipsec_key_salt: - domain_name: - encrypt_traffic: - download_bandwidth: - upload_bandwidth: - firewall: - enabled: - ips: - acceptable_use_policy: +# PREVIEW: These keys are in preview mode. +cv_pathfinder_internet_exit_policies: + - name: + type: + fallback_to_system_default: + zscaler: + ipsec_key_salt: + domain_name: + encrypt_traffic: + download_bandwidth: + upload_bandwidth: + firewall: + enabled: + ips: + acceptable_use_policy: ``` !!! tip "IPsec" @@ -682,9 +681,9 @@ The following LAN scenarios are supported: Some design points: - The Site of Origin (SOO) extended community is configured as `:` - note: site id is unique per zone (only a default zone supported today). - for HA site, the SOO is set as `:` where `router1` is - the first router defined in the group. + note: site id is unique per zone (only a default zone supported today). + for HA site, the SOO is set as `:` where `router1` is + the first router defined in the group. - HA is not supported for more than two routers for CV Pathfinders. - The routes to be advertised towards the WAN must be marked with the site SOO. - The connected routes and static routes are marked with the SOO when 
@@ -692,14 +691,14 @@ Some design points: - the routes redistributed into BGP via the route-map `RM-CONN-2-BGP` are tagged with the SOO. - the routes redistributed into BGP via the route-map `RM-STATIC-2-BGP` are tagged with the SOO. - the routes received from LAN are marked with the SOO when received from - the LAN over BGP or when redistributed into BGP from the LAN protocol. - note: For other connection (e.g. L3 interface with a BGP peering, the - user must mark them with the SOO) + the LAN over BGP or when redistributed into BGP from the LAN protocol. + note: For other connection (e.g. L3 interface with a BGP peering, the + user must mark them with the SOO) - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SOO. - Routes received from the WAN with the local SOO are dropped. - Routes received from the WAN are redistributed / advertised towards the LAN. - For HA, an iBGP session using EVPN Gateway is used to share the routes from - one peer to the other. + one peer to the other. - WAN, LAN and local static routes are sent to the HA peer to cater for various failure scenarii. - The routes received from the HA peer are made less preferred than routes received from the LAN or from the WAN. 
@@ -794,9 +793,7 @@ The following diagram represents this scenario: - one inbound route-map `RM-BGP-UNDERLAY-PEERS-IN`: - accept routes coming from the LAN and set the SoO extended community on them. -!!! warning - - the Underlay peer group (towards the LAN) is not configured with any outbound route-map. - - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SoO. +!!! warning - the Underlay peer group (towards the LAN) is not configured with any outbound route-map. - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SoO. The following diagram shows the additional route-maps configured to support eBGP on LAN: @@ -863,7 +860,7 @@ In the situation where the LAN is EBGP but HA is configured over a direct link, The HA tunnel will come up properly today but route redistribution will be missing so it is not usable. -- the HA interface(s) is(are) the uplink interface(s) which are automatically included in OSPF. +- the HA interface(s) is(are) the uplink interface(s) which are automatically included in OSPF. #### L2 LAN 
@@ -1043,16 +1040,16 @@ wan_virtual_topologies: `eos_validate_state` is being enriched to support new tests for WAN designs. The tests listed below are validating WAN designs. -| AVD Test Class | ANTA Test Class | Description | -| -------------- | --------------- | ----------- | -| AvdTestInterfacesState | VerifyInterfacesStatus | Validate the DPS interface status. | -| AvdTestBGP | VerifyBGPSpecificPeers | Validate the state of BGP Address Family sessions, including `Path-Selection` for AutoVPN, `Link-State` and `IPv4/IPv6 SR-TE` for CV Pathfinder. | -| AvdTestIPSecurity | VerifySpecificIPSecConn | Validate the establishment of IP security connections for each static peer under the `router path-selection` section of the configuration. | -| AvdTestStun | VerifyStunClient | Validate the presence of a STUN client translation for a given source IPv4 address and port. The list of expected translations for each device is built by searching local interfaces in each path-group. | -| AvdTestDpsReachability | VerifyReachability | Validate DPS reachability between devices. | -| AvdTestAvtPath | VerifyAVTSpecificPath | Validate that the status is active and the type is direct for an Adaptive Virtual Topology (AVT) path in a specified VRF for the static peers. | -| AvdTestAvtRole | VerifyAVTRole | Validate the Adaptive Virtual Topology (AVT) role of a device. | +| AVD Test Class | ANTA Test Class | Description | +| ---------------------- | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AvdTestInterfacesState | VerifyInterfacesStatus | Validate the DPS interface status. | +| AvdTestBGP | VerifyBGPSpecificPeers | Validate the state of BGP Address Family sessions, including `Path-Selection` for AutoVPN, `Link-State` and `IPv4/IPv6 SR-TE` for CV Pathfinder. 
| +| AvdTestIPSecurity | VerifySpecificIPSecConn | Validate the establishment of IP security connections for each static peer under the `router path-selection` section of the configuration. | +| AvdTestStun | VerifyStunClient | Validate the presence of a STUN client translation for a given source IPv4 address and port. The list of expected translations for each device is built by searching local interfaces in each path-group. | +| AvdTestDpsReachability | VerifyReachability | Validate DPS reachability between devices. | +| AvdTestAvtPath | VerifyAVTSpecificPath | Validate that the status is active and the type is direct for an Adaptive Virtual Topology (AVT) path in a specified VRF for the static peers. | +| AvdTestAvtRole | VerifyAVTRole | Validate the Adaptive Virtual Topology (AVT) role of a device. | !!! note - More WAN-related tests are available directly in ANTA and can be added using custom catalogs. - They will be progressively added to `eos_validate_state`. +More WAN-related tests are available directly in ANTA and can be added using custom catalogs. +They will be progressively added to `eos_validate_state`. diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md index 24f6b1da3c7..213004057dc 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md @@ -19,7 +19,7 @@ | [    default_overlay_address_families](## "custom_node_type_keys.[].default_overlay_address_families") | List, items: String | | `['evpn']` | | Set the default overlay address families.
| | [      - <str>](## "custom_node_type_keys.[].default_overlay_address_families.[]") | String | | | Value is converted to lower case.
Valid Values:
- evpn
- vpn-ipv4
- vpn-ipv6 | | | [    default_evpn_encapsulation](## "custom_node_type_keys.[].default_evpn_encapsulation") | String | | `vxlan` | Value is converted to lower case.
Valid Values:
- mpls
- vxlan | Set the default evpn encapsulation.
| - | [    default_wan_role](## "custom_node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`.
| + | [    default_wan_role](## "custom_node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.
| | [    default_flow_tracker_type](## "custom_node_type_keys.[].default_flow_tracker_type") | String | | `sampled` | Valid Values:
- sampled
- hardware | Set the default flow tracker type. | | [    mlag_support](## "custom_node_type_keys.[].mlag_support") | Boolean | | `False` | | Can this node type support mlag. | | [    network_services](## "custom_node_type_keys.[].network_services") | Dictionary | | | | Will network services be deployed on this node type. | @@ -69,7 +69,7 @@ | [    default_overlay_address_families](## "node_type_keys.[].default_overlay_address_families") | List, items: String | | `['evpn']` | | Set the default overlay address families.
| | [      - <str>](## "node_type_keys.[].default_overlay_address_families.[]") | String | | | Value is converted to lower case.
Valid Values:
- evpn
- vpn-ipv4
- vpn-ipv6 | | | [    default_evpn_encapsulation](## "node_type_keys.[].default_evpn_encapsulation") | String | | `vxlan` | Value is converted to lower case.
Valid Values:
- mpls
- vxlan | Set the default evpn encapsulation.
| - | [    default_wan_role](## "node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`.
| + | [    default_wan_role](## "node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.
| | [    default_flow_tracker_type](## "node_type_keys.[].default_flow_tracker_type") | String | | `sampled` | Valid Values:
- sampled
- hardware | Set the default flow tracker type. | | [    mlag_support](## "node_type_keys.[].mlag_support") | Boolean | | `False` | | Can this node type support mlag. | | [    network_services](## "node_type_keys.[].network_services") | Dictionary | | | | Will network services be deployed on this node type. | @@ -155,8 +155,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. default_wan_role: # Set the default flow tracker type. @@ -335,8 +333,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. default_wan_role: # Set the default flow tracker type. diff --git a/python-avd/pyavd/_eos_designs/schema/__init__.py b/python-avd/pyavd/_eos_designs/schema/__init__.py index ef76a2664b4..73d0d18c75d 100644 --- a/python-avd/pyavd/_eos_designs/schema/__init__.py +++ b/python-avd/pyavd/_eos_designs/schema/__init__.py @@ -8942,8 +8942,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ default_flow_tracker_type: Literal["sampled", "hardware"] """ @@ -9097,8 +9095,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. default_flow_tracker_type: Set the default flow tracker type. mlag_support: Can this node type support mlag. network_services: 
@@ -9496,8 +9492,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ default_flow_tracker_type: Literal["sampled", "hardware"] """ @@ -9651,8 +9645,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. default_flow_tracker_type: Set the default flow tracker type. mlag_support: Can this node type support mlag. network_services: diff --git a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml index c7c4a34148a..d143a845d78 100644 --- a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml @@ -2512,9 +2512,6 @@ keys: `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. - ' default_flow_tracker_type: type: str diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml index 239453dd715..5849ba031c9 100644 --- a/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml @@ -123,8 +123,6 @@ keys: This is used both for AutoVPN and Pathfinder designs. That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. default_flow_tracker_type: type: str valid_values: From 57455cf69e1ae195674ba9ca526ecb7399bc4453 Mon Sep 17 00:00:00 2001 
From: gmuloc Date: Wed, 15 Jan 2025 12:13:57 +0100 Subject: [PATCH 08/40] Test: WIP add molecule for EVPN on LAN --- ...cv-pathfinder-edge-wan-use-evpn-on-lan.cfg | 240 ++++++++++++ ...cv-pathfinder-edge-wan-use-evpn-on-lan.yml | 361 ++++++++++++++++++ .../leaf-wan-use-evpn-on-lan.yml | 247 ++++++++++++ .../group_vars/CV_PATHFINDER_TESTS.yml | 9 + ...cv-pathfinder-edge-wan-use-evpn-on-lan.yml | 151 +------- .../host_vars/leaf-wan-use-evpn-on-lan.yml | 14 + .../inventory/hosts.yml | 5 + .../structured_config/overlay/router_bgp.py | 5 +- 8 files changed, 884 insertions(+), 148 deletions(-) create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg new file mode 100644 index 00000000000..ba98fb155e0 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg 
@@ -0,0 +1,240 @@ +! +no enable password +no aaa root +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP=1 +! +flow tracking hardware + tracker FLOW-TRACKER + record export on inactive timeout 70000 + record export on interval 300000 + exporter CV-TELEMETRY + collector 127.0.0.1 + local interface Loopback0 + template interval 3600000 + no shutdown +! +service routing protocols model multi-agent +! +hostname cv-pathfinder-edge-wan-use-evpn-on-lan +! +router adaptive-virtual-topology + topology role edge + region AVD_Land_West id 42 + zone AVD_Land_West-ZONE id 1 + site Site12 id 12 + ! + policy DEFAULT-POLICY + ! + match application-profile default + avt profile DEFAULT-POLICY-DEFAULT + ! + policy DEFAULT-POLICY-WITH-CP + ! + match application-profile APP-PROFILE-CONTROL-PLANE + avt profile DEFAULT-POLICY-CONTROL-PLANE + ! + match application-profile default + avt profile DEFAULT-POLICY-DEFAULT + ! + profile DEFAULT-POLICY-CONTROL-PLANE + path-selection load-balance LB-DEFAULT-POLICY-CONTROL-PLANE + ! + profile DEFAULT-POLICY-DEFAULT + path-selection load-balance LB-DEFAULT-POLICY-DEFAULT + ! + vrf default + avt policy DEFAULT-POLICY-WITH-CP + avt profile DEFAULT-POLICY-DEFAULT id 1 + avt profile DEFAULT-POLICY-CONTROL-PLANE id 254 + ! + vrf PROD + avt policy DEFAULT-POLICY + avt profile DEFAULT-POLICY-DEFAULT id 1 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 101 + ipsec profile CP-PROFILE + ! + local interface Ethernet1 + stun server-profile INET-cv-pathfinder-pathfinder-Ethernet1 INET-cv-pathfinder-pathfinder-Ethernet3 + ! + peer dynamic + ! + peer static router-ip 192.168.144.1 + name cv-pathfinder-pathfinder + ipv4 address 172.17.7.7 + ipv4 address 10.9.9.9 + ! + load-balance policy LB-DEFAULT-POLICY-CONTROL-PLANE + path-group INET + ! + load-balance policy LB-DEFAULT-POLICY-DEFAULT + path-group INET +! +spanning-tree mode none +! +vrf instance MGMT +! +vrf instance PROD +! 
+management api http-commands + protocol https + no shutdown + ! + vrf MGMT + no shutdown +! +management security + ! + ssl profile STUN-DTLS + tls versions 1.2 + trust certificate aristaDeviceCertProvisionerDefaultRootCA.crt + certificate STUN-DTLS.crt key STUN-DTLS.key +! +ip security + ike policy CP-IKE-POLICY + local-id 192.168.255.12 + ! + sa policy CP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! + profile CP-PROFILE + ike-policy CP-IKE-POLICY + sa-policy CP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890 + dpd 10 50 clear + mode transport + ! + key controller + profile CP-PROFILE +! +interface Dps1 + description DPS Interface + mtu 9194 + flow tracker hardware FLOW-TRACKER + ip address 192.168.255.12/32 +! +interface Ethernet1 + description ATT_666 + no shutdown + no switchport + ip address dhcp + dhcp client accept default-route +! +interface Loopback0 + description ROUTER_ID + no shutdown + ip address 192.168.42.12/32 +! +interface Vxlan1 + description cv-pathfinder-edge-wan-use-evpn-on-lan_VTEP + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf default vni 1 + vxlan vrf PROD vni 42 +! +application traffic recognition + ! + application ipv4 APP-CONTROL-PLANE + destination prefix field-set PFX-PATHFINDERS + ! + application-profile APP-PROFILE-CONTROL-PLANE + application APP-CONTROL-PLANE + ! + field-set ipv4 prefix PFX-PATHFINDERS + 192.168.144.1/32 +! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.12:12 +! +ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY + seq 10 permit 192.168.42.0/24 eq 32 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.42.12:12 additive +! +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +router bfd + multihop interval 300 min-rx 300 multiplier 3 +! 
+router bgp 65000 + router-id 192.168.42.12 + update wait-install + no bgp default ipv4-unicast + maximum-paths 16 + neighbor EVPN-OVERLAY-PEERS peer group + neighbor EVPN-OVERLAY-PEERS update-source Loopback0 + neighbor EVPN-OVERLAY-PEERS bfd + neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3 + neighbor EVPN-OVERLAY-PEERS send-community + neighbor EVPN-OVERLAY-PEERS maximum-routes 0 + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 1000 min-rx 1000 multiplier 10 + neighbor WAN-OVERLAY-PEERS ttl maximum-hops 42 + neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ== + neighbor WAN-OVERLAY-PEERS send-community + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 192.168.144.1 peer group WAN-OVERLAY-PEERS + neighbor 192.168.144.1 description cv-pathfinder-pathfinder_Dps1 + redistribute connected route-map RM-CONN-2-BGP + ! + address-family evpn + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + ! + address-family ipv4 + no neighbor WAN-OVERLAY-PEERS activate + ! + address-family ipv4 sr-te + neighbor WAN-OVERLAY-PEERS activate + ! + address-family link-state + neighbor WAN-OVERLAY-PEERS activate + path-selection + ! + address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! + vrf default + rd 192.168.42.12:1 + route-target import evpn 1:1 + route-target export evpn 1:1 + route-target export evpn route-map RM-EVPN-EXPORT-VRF-DEFAULT + ! + vrf PROD + rd 192.168.42.12:142 + route-target import evpn 142:142 + route-target export evpn 142:142 + router-id 192.168.42.12 + redistribute connected +! +router traffic-engineering +! 
+stun + client + server-profile INET-cv-pathfinder-pathfinder-Ethernet1 + ip address 172.17.7.7 + ssl profile STUN-DTLS + server-profile INET-cv-pathfinder-pathfinder-Ethernet3 + ip address 10.9.9.9 + ssl profile STUN-DTLS +! +end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml new file mode 100644 index 00000000000..fefa639c40d --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml 
@@ -0,0 +1,361 @@ +aaa_root: + disabled: true +agents: +- name: KernelFib + environment_variables: + - name: KERNELFIB_PROGRAM_ALL_ECMP + value: '1' +application_traffic_recognition: + field_sets: + ipv4_prefixes: + - name: PFX-PATHFINDERS + prefix_values: + - 192.168.144.1/32 + applications: + ipv4_applications: + - name: APP-CONTROL-PLANE + dest_prefix_set_name: PFX-PATHFINDERS + application_profiles: + - name: APP-PROFILE-CONTROL-PLANE + applications: + - name: APP-CONTROL-PLANE +config_end: true +dps_interfaces: +- name: Dps1 + description: DPS Interface + mtu: 9194 + ip_address: 192.168.255.12/32 + flow_tracker: + hardware: FLOW-TRACKER +enable_password: + disabled: true +ethernet_interfaces: +- name: Ethernet1 + description: ATT_666 + shutdown: false + ip_address: dhcp + dhcp_client_accept_default_route: true + peer_type: l3_interface + switchport: + enabled: false +flow_tracking: + hardware: + trackers: + - name: FLOW-TRACKER + record_export: + on_inactive_timeout: 70000 + on_interval: 300000 + exporters: + - name: CV-TELEMETRY + collector: + host: 127.0.0.1 + local_interface: Loopback0 + template_interval: 3600000 + shutdown: false +hostname: cv-pathfinder-edge-wan-use-evpn-on-lan +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.42.12:12 +ip_routing: true +ip_security: + ike_policies: + - name: CP-IKE-POLICY + local_id: 192.168.255.12 + sa_policies: + - name: CP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + profiles: + - name: CP-PROFILE + ike_policy: CP-IKE-POLICY + sa_policy: CP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + key_controller: + profile: CP-PROFILE +is_deployed: true +loopback_interfaces: +- name: Loopback0 + description: ROUTER_ID + shutdown: false + ip_address: 192.168.42.12/32 +management_api_http: + enable_https: true + enable_vrfs: + - name: MGMT +management_security: + 
ssl_profiles: + - name: STUN-DTLS + tls_versions: '1.2' + trust_certificate: + certificates: + - aristaDeviceCertProvisionerDefaultRootCA.crt + certificate: + file: STUN-DTLS.crt + key: STUN-DTLS.key +metadata: + fabric_name: EOS_DESIGNS_UNIT_TESTS + cv_tags: + device_tags: + - name: Role + value: edge + - name: Region + value: AVD_Land_West + - name: Zone + value: AVD_Land_West-ZONE + - name: Site + value: Site12 + interface_tags: + - interface: Ethernet1 + tags: + - name: Type + value: wan + - name: Carrier + value: ATT + - name: Circuit + value: '666' + cv_pathfinder: + role: edge + region: AVD_Land_West + zone: AVD_Land_West-ZONE + site: Site12 + vtep_ip: 192.168.255.12 + ssl_profile: STUN-DTLS + pathfinders: + - vtep_ip: 192.168.144.1 + interfaces: + - name: Ethernet1 + carrier: ATT + circuit_id: '666' + pathgroup: INET +prefix_lists: +- name: PL-LOOPBACKS-EVPN-OVERLAY + sequence_numbers: + - sequence: 10 + action: permit 192.168.42.0/24 eq 32 +route_maps: +- name: RM-CONN-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.42.12:12 additive +- name: RM-EVPN-EXPORT-VRF-DEFAULT + sequence_numbers: + - sequence: 10 + type: permit + match: + - extcommunity ECL-EVPN-SOO +router_adaptive_virtual_topology: + topology_role: edge + region: + name: AVD_Land_West + id: 42 + zone: + name: AVD_Land_West-ZONE + id: 1 + site: + name: Site12 + id: 12 + profiles: + - name: DEFAULT-POLICY-CONTROL-PLANE + load_balance_policy: LB-DEFAULT-POLICY-CONTROL-PLANE + - name: DEFAULT-POLICY-DEFAULT + load_balance_policy: LB-DEFAULT-POLICY-DEFAULT + policies: + - name: DEFAULT-POLICY-WITH-CP + matches: + - application_profile: APP-PROFILE-CONTROL-PLANE + avt_profile: DEFAULT-POLICY-CONTROL-PLANE + - application_profile: default + avt_profile: DEFAULT-POLICY-DEFAULT + - name: DEFAULT-POLICY + matches: + - application_profile: default + avt_profile: DEFAULT-POLICY-DEFAULT + vrfs: + - 
name: default + policy: DEFAULT-POLICY-WITH-CP + profiles: + - name: DEFAULT-POLICY-CONTROL-PLANE + id: 254 + - name: DEFAULT-POLICY-DEFAULT + id: 1 + - name: PROD + policy: DEFAULT-POLICY + profiles: + - name: DEFAULT-POLICY-DEFAULT + id: 1 +router_bfd: + multihop: + interval: 300 + min_rx: 300 + multiplier: 3 +router_bgp: + as: '65000' + router_id: 192.168.42.12 + maximum_paths: + paths: 16 + updates: + wait_install: true + bgp: + default: + ipv4_unicast: false + peer_groups: + - name: EVPN-OVERLAY-PEERS + type: evpn + update_source: Loopback0 + bfd: true + ebgp_multihop: 3 + send_community: all + maximum_routes: 0 + - name: WAN-OVERLAY-PEERS + type: wan + remote_as: '65000' + update_source: Dps1 + bfd: true + bfd_timers: + interval: 1000 + min_rx: 1000 + multiplier: 10 + password: htm4AZe9mIQOO1uiMuGgYQ== + send_community: all + maximum_routes: 0 + ttl_maximum_hops: 42 + neighbors: + - ip_address: 192.168.144.1 + peer_group: WAN-OVERLAY-PEERS + peer: cv-pathfinder-pathfinder + description: cv-pathfinder-pathfinder_Dps1 + redistribute: + connected: + enabled: true + route_map: RM-CONN-2-BGP + address_family_evpn: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT + encapsulation: path-selection + address_family_ipv4: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: false + address_family_ipv4_sr_te: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + address_family_link_state: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + path_selection: + roles: + producer: true + address_family_path_selection: + bgp: + additional_paths: + receive: true + send: any + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + vrfs: + - name: default + rd: 192.168.42.12:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - route-map RM-EVPN-EXPORT-VRF-DEFAULT + - name: PROD + rd: 
192.168.42.12:142 + route_targets: + import: + - address_family: evpn + route_targets: + - 142:142 + export: + - address_family: evpn + route_targets: + - 142:142 + router_id: 192.168.42.12 + redistribute: + connected: + enabled: true +router_path_selection: + path_groups: + - name: INET + id: 101 + ipsec_profile: CP-PROFILE + local_interfaces: + - name: Ethernet1 + stun: + server_profiles: + - INET-cv-pathfinder-pathfinder-Ethernet1 + - INET-cv-pathfinder-pathfinder-Ethernet3 + dynamic_peers: + enabled: true + static_peers: + - router_ip: 192.168.144.1 + name: cv-pathfinder-pathfinder + ipv4_addresses: + - 172.17.7.7 + - 10.9.9.9 + load_balance_policies: + - name: LB-DEFAULT-POLICY-CONTROL-PLANE + path_groups: + - name: INET + - name: LB-DEFAULT-POLICY-DEFAULT + path_groups: + - name: INET + tcp_mss_ceiling: + ipv4_segment_size: auto +router_traffic_engineering: + enabled: true +service_routing_protocols_model: multi-agent +spanning_tree: + mode: none +stun: + client: + server_profiles: + - name: INET-cv-pathfinder-pathfinder-Ethernet1 + ip_address: 172.17.7.7 + ssl_profile: STUN-DTLS + - name: INET-cv-pathfinder-pathfinder-Ethernet3 + ip_address: 10.9.9.9 + ssl_profile: STUN-DTLS +transceiver_qsfp_default_mode_4x10: false +vrfs: +- name: MGMT + ip_routing: false +- name: PROD + ip_routing: true + tenant: TenantA +vxlan_interface: + vxlan1: + description: cv-pathfinder-edge-wan-use-evpn-on-lan_VTEP + vxlan: + source_interface: Dps1 + udp_port: 4789 + vrfs: + - name: default + vni: 1 + - name: PROD + vni: 42 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml new file mode 100644 index 00000000000..9f3b68b9191 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml 
@@ -0,0 +1,247 @@ +aaa_root: + disabled: true +config_end: true +enable_password: + disabled: true +hostname: leaf-wan-use-evpn-on-lan +ip_igmp_snooping: + globally_enabled: true +ip_routing: true +ip_virtual_router_mac_address: 00:1c:73:00:00:01 +is_deployed: true +loopback_interfaces: +- name: Loopback0 + description: ROUTER_ID + shutdown: false + ip_address: 192.168.45.13/32 +- name: Loopback1 + description: VXLAN_TUNNEL_SOURCE + shutdown: false + ip_address: 192.168.255.13/32 +management_api_http: + enable_https: true + enable_vrfs: + - name: MGMT +metadata: + fabric_name: EOS_DESIGNS_UNIT_TESTS +prefix_lists: +- name: PL-LOOPBACKS-EVPN-OVERLAY + sequence_numbers: + - sequence: 10 + action: permit 192.168.45.0/24 eq 32 + - sequence: 20 + action: permit 192.168.255.0/24 eq 32 +route_maps: +- name: RM-CONN-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +router_bfd: + multihop: + interval: 300 + min_rx: 300 + multiplier: 3 +router_bgp: + as: '65042' + router_id: 192.168.45.13 + maximum_paths: + paths: 4 + ecmp: 4 + updates: + wait_install: true + bgp: + default: + ipv4_unicast: false + peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + send_community: all + maximum_routes: 12000 + - name: EVPN-OVERLAY-PEERS + type: evpn + update_source: Loopback0 + bfd: true + ebgp_multihop: 3 + send_community: all + maximum_routes: 0 + redistribute: + connected: + enabled: true + route_map: RM-CONN-2-BGP + vlans: + - id: 1000 + tenant: TenantA + rd: 192.168.45.13:2000 + route_targets: + both: + - 2000:2000 + redistribute_routes: + - learned + - id: 100 + tenant: TenantA + rd: 192.168.45.13:1100 + route_targets: + both: + - 1100:1100 + redistribute_routes: + - learned + - id: 101 + tenant: TenantA + rd: 192.168.45.13:1101 + route_targets: + both: + - 1101:1101 + redistribute_routes: + - learned + - id: 666 + tenant: TenantC + rd: 192.168.45.13:1666 + route_targets: + both: + - 1666:1666 + 
redistribute_routes: + - learned + address_family_evpn: + peer_groups: + - name: EVPN-OVERLAY-PEERS + activate: true + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: EVPN-OVERLAY-PEERS + activate: false + vrfs: + - name: default + rd: 192.168.45.13:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - name: IT + rd: 192.168.45.13:1000 + route_targets: + import: + - address_family: evpn + route_targets: + - 1000:1000 + export: + - address_family: evpn + route_targets: + - 1000:1000 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true + - name: PROD + rd: 192.168.45.13:142 + route_targets: + import: + - address_family: evpn + route_targets: + - 142:142 + export: + - address_family: evpn + route_targets: + - 142:142 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true + - name: ATTRACTED-VRF-FROM-UPLINK + rd: 192.168.45.13:666 + route_targets: + import: + - address_family: evpn + route_targets: + - 666:666 + export: + - address_family: evpn + route_targets: + - 666:666 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true +service_routing_protocols_model: multi-agent +transceiver_qsfp_default_mode_4x10: true +vlan_interfaces: +- name: Vlan1000 + description: VLAN1000 + shutdown: true + vrf: IT + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA +- name: Vlan100 + description: VLAN100 + shutdown: true + vrf: PROD + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA +- name: Vlan666 + description: VLAN666 + shutdown: true + vrf: ATTRACTED-VRF-FROM-UPLINK + ip_address_virtual: 10.66.66.66/24 + tenant: TenantC +vlan_internal_order: + allocation: ascending + range: + beginning: 1006 + ending: 1199 +vlans: +- id: 1000 + name: VLAN1000 + tenant: TenantA +- id: 100 + name: VLAN100 + tenant: TenantA +- id: 101 + name: VLAN101 + tenant: TenantA +- id: 666 + name: VLAN666 + tenant: 
TenantC +vrfs: +- name: MGMT + ip_routing: false +- name: IT + ip_routing: true + tenant: TenantA +- name: PROD + ip_routing: true + tenant: TenantA +- name: ATTRACTED-VRF-FROM-UPLINK + ip_routing: true + tenant: TenantC +vxlan_interface: + vxlan1: + description: leaf-wan-use-evpn-on-lan_VTEP + vxlan: + source_interface: Loopback1 + udp_port: 4789 + vlans: + - id: 1000 + vni: 2000 + - id: 100 + vni: 1100 + - id: 101 + vni: 1101 + - id: 666 + vni: 1666 + vrfs: + - name: default + vni: 1 + - name: IT + vni: 1000 + - name: PROD + vni: 142 + - name: ATTRACTED-VRF-FROM-UPLINK + vni: 666 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index 98f3f1be85e..f02f7635cd6 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -36,6 +36,9 @@ cv_pathfinder_regions: - name: Site423 id: 423 location: Somewhere-warm + - name: Site12 + id: 12 + location: 12 Downing Street, London - name: AVD_Land_East id: 43 description: AVD Region @@ -522,6 +525,12 @@ tenants: ip_address_virtual: 10.0.100.1/24 - name: IT vrf_id: 1000 + svis: + - id: 1000 + name: VLAN1000 + ip_address_virtual: 10.0.100.1/24 + nodes: + - node: leaf-use-wan-evpn-on-lan l2vlans: - id: 101 name: VLAN101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml index 588d6840a5f..dad40a114da 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml 
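Review bot: The node name `leaf-use-wan-evpn-on-lan` under the new `svis` entry of VRF `IT` does not match the host this commit adds to `hosts.yml` and `host_vars`, which is spelled `leaf-wan-use-evpn-on-lan`. The same spelling is used for `uplink_switches` in the `cv-pathfinder-edge-wan-use-evpn-on-lan.yml` host_vars hunk that follows. As written, both the per-node SVI entry and the uplink refer to a device that is not in the inventory, which is presumably why the intended edge config in this commit shows no LAN uplink interface. Use `- node: leaf-wan-use-evpn-on-lan` and `uplink_switches: [leaf-wan-use-evpn-on-lan]`.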
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml @@ -1,58 +1,14 @@ --- # Testing CV pathfinder edge using new toggle wan_use_evpn_node_settings_for_lan -wan_mode: cv-pathfinder wan_use_evpn_node_settings_for_lan: true # enabling EVPN on LAN overlay_routing_protocol: ebgp bgp_as: 65000 -flow_tracking_settings: - trackers: - - name: custom_flow_track_name - record_export: - on_inactive_timeout: 50000 - on_interval: 300331 - exporters: - - name: ayush_exporter - collector: - host: 127.0.0.1 - local_interface: Loopback0 - template_interval: 40000 - -fabric_flow_tracking: - dps_interfaces: - name: custom_flow_track_name - -cv_pathfinder_regions: - - name: AVD_Land_West - id: 42 - description: AVD Region - sites: - - name: Site12 - id: 12 - location: 12 Downing Street, London - -bgp_peer_groups: - wan_overlay_peers: - password: "htm4AZe9mIQOO1uiMuGgYQ==" - # Overwriting TTL - ttl_maximum_hops: 42 - listen_range_prefixes: - - 192.168.255.0/24 - wan_route_servers: - hostname: cv-pathfinder-pathfinder -wan_ipsec_profiles: - control_plane: - shared_key: ABCDEF1234567890 - -default_node_types: - - node_type: wan_router - match_hostnames: - - "cv-pathfinder-edge.*" - wan_router: defaults: loopback_ipv4_pool: 192.168.42.0/24 @@ -61,9 +17,15 @@ wan_router: always_include_vrfs_in_tenants: [TenantA] deny_vrfs: [IT] nodes: - - name: cv-pathfinder-edge-wan0use-evpn-on-lan + - name: cv-pathfinder-edge-wan-use-evpn-on-lan cv_pathfinder_region: AVD_Land_West cv_pathfinder_site: Site12 + # Adding uplink to leaf for EVPN + uplink_switches: [leaf-use-wan-evpn-on-lan] + uplink_type: p2p + uplink_interfaces: [Ethernet52] + uplink_switch_interfaces: [Ethernet1] + uplink_ipv4_pool: 172.18.0.0/24 evpn_role: client id: 12 l3_interfaces: 
@@ -72,102 +34,3 @@ wan_router: wan_circuit_id: 666 dhcp_accept_default_route: true ip_address: dhcp - - name: Ethernet2 - wan_carrier: Colt - wan_circuit_id: 10555 - ip_address: 172.15.5.5/31 - - name: Ethernet3 - wan_carrier: Comcast-5G - wan_circuit_id: AF830 - ip_address: 172.20.20.20/31 - connected_to_pathfinder: false - -wan_path_groups: - - name: MPLS - ipsec: - static_peers: false - # TODO remove one once auto-id is implemented - for now required in schema - id: 100 - - name: INET - id: 101 - - name: LTE - id: 102 - - name: Equinix - id: 103 - - name: Satellite - id: 104 - -wan_carriers: - - name: Comcast - path_group: INET - trusted: true - - name: ATT - path_group: INET - trusted: true - - name: Bouygues_Telecom - path_group: INET - trusted: true - - name: SFR - path_group: INET - trusted: true - - name: Orange - path_group: INET - trusted: true - - name: Another-ISP - path_group: INET - trusted: true - - name: Colt - path_group: MPLS - trusted: true - - name: ATT-MPLS - path_group: MPLS - trusted: true - - name: Comcast-5G - path_group: LTE - trusted: true - - name: Inmrasat - path_group: Satellite - trusted: true - -tenants: - - name: TenantA - vrfs: - - name: default - vrf_id: 1 - - name: PROD - vrf_id: 42 - - name: IT - vrf_id: 100 - -wan_virtual_topologies: - vrfs: - # No policy for default or PROD, going to use DEFAULT-POLICY - # overwrite DEFAULT-POLICY below - - name: default - wan_vni: 1 - - name: PROD - wan_vni: 42 - policies: - # Name of the DEFAULT-POLICY being overwritten - - name: DEFAULT-POLICY - default_virtual_topology: - path_groups: - - names: [INET] - - names: [LTE] - preference: 42 - application_virtual_topologies: - - application_profile: VIDEO - path_groups: - - names: [MPLS, INET] - preference: preferred - id: 3 - -application_classification: - application_profiles: - - name: VIDEO - # Testing categories filtering - applications: - # Testing applications in application-profiles filtering - - name: CUSTOM-APPLICATION-1 - # Builtin 
application that should not raise - - name: skype diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml new file mode 100644 index 00000000000..586dcf0ecee --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml @@ -0,0 +1,14 @@ +--- +type: l3leaf + +l3leaf: + defaults: + bgp_as: 65042 + loopback_ipv4_pool: 192.168.45.0/24 + vtep_loopback_ipv4_pool: 192.168.255.0/24 + virtual_router_mac_address: 00:1c:73:00:00:01 + filter: + always_include_vrfs_in_tenants: [TenantA] + nodes: + - name: leaf-wan-use-evpn-on-lan + id: 13 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml index 1d59cf7bf24..c815d67ba36 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml @@ -397,6 +397,10 @@ all: cv-pathfinder-edge: cv-pathfinder-edge1: site-ha-disabled-leaf: + SITE_EVPN: + hosts: + cv-pathfinder-edge-wan-use-evpn-on-lan: + leaf-wan-use-evpn-on-lan: CV_PATHFINDERS: hosts: cv-pathfinder-pathfinder: @@ -420,6 +424,7 @@ all: site-ha-enabled-leaf2B: site-ha-enabled-leaf1: site-ha-disabled-leaf: + leaf-wan-use-evpn-on-lan: WAN_UNIT_TESTS: hosts: autovpn-edge-no-default-policy: diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py index 0c29e7c5e22..34fe1a93039 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py 
@@ -493,10 +493,7 @@ def _create_neighbor( ), } - if self.shared_utils.overlay_routing_protocol == "ebgp": - if remote_as is None: - msg = "Configuring eBGP neighbor without a remote_as" - raise AristaAvdError(msg) + if remote_as is None: neighbor["remote_as"] = remote_as if self.inputs.shutdown_bgp_towards_undeployed_peers and name in self._avd_overlay_peers: From b2a7447f26cfdeb3cdbb1c379f767dd87bb1a5c0 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Mon, 20 Jan 2025 15:49:39 +0100 Subject: [PATCH 09/40] Refactor(eos_designs): Make the knob preview --- .../eos_designs/docs/tables/wan-settings.md | 3 ++- .../pyavd/_eos_designs/schema/__init__.py | 20 +++++++++++-------- .../schema/eos_designs.schema.yml | 5 +++-- ..._use_evpn_node_settings_for_lan.schema.yml | 1 + 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md index a913cbbbea8..6040b151198 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md @@ -24,7 +24,7 @@ | [wan_mode](## "wan_mode") | String | | `cv-pathfinder` | Valid Values:
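Review bot: The new guard in `_create_neighbor` is inverted: `if remote_as is None:` assigns `neighbor["remote_as"] = remote_as` only when the value is None. As far as the hunk shows, a caller that passes a real AS number gets a neighbor without `remote_as`, while a caller that passes None gets an explicit null entry. The condition should read `if remote_as is not None:`. The removed branch also raised `AristaAvdError` for an eBGP neighbor without a remote AS; if dropping that check is intended, add a comment such as `# remote_as may be None when the peer group carries the remote AS`, otherwise a misconfigured overlay peer is rendered without any error. The body of `_create_neighbor` starts and ends outside this hunk.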
- autovpn
- cv-pathfinder | Select if the WAN should be run using CV Pathfinder or AutoVPN only. | | [wan_stun_dtls_disable](## "wan_stun_dtls_disable") | Boolean | | `False` | | WAN STUN connections are authenticated and secured with DTLS by default.
For CV Pathfinder deployments CloudVision will automatically deploy certificates on the devices.
In case of AutoVPN the certificates must be deployed manually to all devices.

For LAB environments this can be disabled, if there are no certificates available.
This should NOT be disabled for a WAN network connected to the internet, since it will leave the STUN service exposed with no authentication. | | [wan_stun_dtls_profile_name](## "wan_stun_dtls_profile_name") | String | | `STUN-DTLS` | | Name of the SSL profile used for DTLS on WAN STUN connections.
When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. | - | [wan_use_evpn_node_settings_for_lan](## "wan_use_evpn_node_settings_for_lan") | Boolean | | `False` | | Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep`
node settings for LAN side on WAN devices (they were enforced before).
This will be the default starting 6.0.0. | + | [wan_use_evpn_node_settings_for_lan](## "wan_use_evpn_node_settings_for_lan") | Boolean | | `False` | | PREVIEW: This key is currently not supported
Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep`
node settings for LAN side on WAN devices (they were enforced before).
This will be the default starting 6.0.0. | === "YAML" @@ -87,6 +87,7 @@ # When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. wan_stun_dtls_profile_name: + # PREVIEW: This key is currently not supported # Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` # node settings for LAN side on WAN devices (they were enforced before). # This will be the default starting 6.0.0. diff --git a/python-avd/pyavd/_eos_designs/schema/__init__.py b/python-avd/pyavd/_eos_designs/schema/__init__.py index 73d0d18c75d..c7d100d10c8 100644 --- a/python-avd/pyavd/_eos_designs/schema/__init__.py +++ b/python-avd/pyavd/_eos_designs/schema/__init__.py @@ -56429,10 +56429,12 @@ def __init__( """ wan_use_evpn_node_settings_for_lan: bool """ - Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` - node settings for LAN side - on WAN devices (they were enforced before). - This will be the default starting 6.0.0. + PREVIEW: This key is currently not supported + Setting to start using `overlay_routing_protocol`, + `evpn_role` and `vtep` + node settings for LAN side on WAN devices (they were enforced before). + This + will be the default starting 6.0.0. Default value: `False` """ @@ -57896,10 +57898,12 @@ def __init__( When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. wan_use_evpn_node_settings_for_lan: - Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` - node settings for LAN side - on WAN devices (they were enforced before). - This will be the default starting 6.0.0. + PREVIEW: This key is currently not supported + Setting to start using `overlay_routing_protocol`, + `evpn_role` and `vtep` + node settings for LAN side on WAN devices (they were enforced before). + This + will be the default starting 6.0.0. wan_virtual_topologies: Configure Virtual Topologies for CV Pathfinder and AutoVPN. Auto create a control plane 
diff --git a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml index d143a845d78..8c53a02c88c 100644 --- a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml @@ -4881,8 +4881,9 @@ keys: documentation_options: table: wan-settings default: false - description: 'Setting to start using `overlay_routing_protocol`, `evpn_role` and - `vtep` + description: 'PREVIEW: This key is currently not supported + + Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` node settings for LAN side on WAN devices (they were enforced before). diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml index 25539127626..aa099e3353d 100644 --- a/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml @@ -13,6 +13,7 @@ keys: table: wan-settings default: false description: |- + PREVIEW: This key is currently not supported Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` node settings for LAN side on WAN devices (they were enforced before). This will be the default starting 6.0.0. From bc869562b505fb36ec9904e707f9cb78718356a1 Mon Sep 17 00:00:00 2001 
From: gmuloc Date: Mon, 20 Jan 2025 16:27:32 +0100 Subject: [PATCH 10/40] Test: Fixing typos in molecule --- ...cv-pathfinder-edge-wan-use-evpn-on-lan.cfg | 156 ++++++++++++--- ...stom-control-plane-policy-pathfinder-1.yml | 4 + ...cv-pathfinder-edge-wan-use-evpn-on-lan.yml | 184 +++++++++++++++--- .../cv-pathfinder-pathfinder.yml | 4 + .../cv-pathfinder-pathfinder1.yml | 4 + .../cv-pathfinder-pathfinder2.yml | 4 + .../leaf-wan-use-evpn-on-lan.yml | 17 ++ .../site-ha-disabled-leaf.yml | 19 ++ .../site-ha-enabled-leaf1.yml | 19 ++ .../site-ha-enabled-leaf2A.yml | 19 ++ .../site-ha-enabled-leaf2B.yml | 19 ++ .../group_vars/CV_PATHFINDER_TESTS.yml | 2 +- ...cv-pathfinder-edge-wan-use-evpn-on-lan.yml | 4 +- 13 files changed, 400 insertions(+), 55 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg index ba98fb155e0..02a5285b8b7 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg 
@@ -24,33 +24,57 @@ router adaptive-virtual-topology zone AVD_Land_West-ZONE id 1 site Site12 id 12 ! - policy DEFAULT-POLICY + policy DEFAULT-AVT-POLICY-WITH-CP + ! + match application-profile APP-PROFILE-CONTROL-PLANE + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + match application-profile VIDEO + avt profile DEFAULT-AVT-POLICY-VIDEO ! match application-profile default - avt profile DEFAULT-POLICY-DEFAULT + avt profile DEFAULT-AVT-POLICY-DEFAULT ! - policy DEFAULT-POLICY-WITH-CP + policy PROD-AVT-POLICY ! - match application-profile APP-PROFILE-CONTROL-PLANE - avt profile DEFAULT-POLICY-CONTROL-PLANE + match application-profile VOICE + avt profile PROD-AVT-POLICY-VOICE + ! + match application-profile VIDEO + avt profile PROD-AVT-POLICY-VIDEO ! match application-profile default - avt profile DEFAULT-POLICY-DEFAULT + avt profile PROD-AVT-POLICY-DEFAULT ! - profile DEFAULT-POLICY-CONTROL-PLANE - path-selection load-balance LB-DEFAULT-POLICY-CONTROL-PLANE + profile DEFAULT-AVT-POLICY-CONTROL-PLANE + path-selection load-balance LB-DEFAULT-AVT-POLICY-CONTROL-PLANE ! - profile DEFAULT-POLICY-DEFAULT - path-selection load-balance LB-DEFAULT-POLICY-DEFAULT + profile DEFAULT-AVT-POLICY-DEFAULT + path-selection load-balance LB-DEFAULT-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-VIDEO + path-selection load-balance LB-DEFAULT-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-DEFAULT + path-selection load-balance LB-PROD-AVT-POLICY-DEFAULT + ! + profile PROD-AVT-POLICY-VIDEO + path-selection load-balance LB-PROD-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-VOICE + path-selection load-balance LB-PROD-AVT-POLICY-VOICE ! vrf default - avt policy DEFAULT-POLICY-WITH-CP - avt profile DEFAULT-POLICY-DEFAULT id 1 - avt profile DEFAULT-POLICY-CONTROL-PLANE id 254 + avt policy DEFAULT-AVT-POLICY-WITH-CP + avt profile DEFAULT-AVT-POLICY-DEFAULT id 1 + avt profile DEFAULT-AVT-POLICY-VIDEO id 3 + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE id 254 ! 
vrf PROD - avt policy DEFAULT-POLICY - avt profile DEFAULT-POLICY-DEFAULT id 1 + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 ! router path-selection tcp mss ceiling ipv4 ingress @@ -68,11 +92,26 @@ router path-selection ipv4 address 172.17.7.7 ipv4 address 10.9.9.9 ! - load-balance policy LB-DEFAULT-POLICY-CONTROL-PLANE + load-balance policy LB-DEFAULT-AVT-POLICY-CONTROL-PLANE path-group INET ! - load-balance policy LB-DEFAULT-POLICY-DEFAULT + load-balance policy LB-DEFAULT-AVT-POLICY-DEFAULT path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-VIDEO + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-VIDEO + loss-rate 42.0 + path-group INET priority 2 + ! + load-balance policy LB-PROD-AVT-POLICY-VOICE + jitter 42 + hop count lowest + path-group INET priority 2 ! spanning-tree mode none ! @@ -89,19 +128,23 @@ management api http-commands ! management security ! - ssl profile STUN-DTLS + ssl profile profileA tls versions 1.2 trust certificate aristaDeviceCertProvisionerDefaultRootCA.crt - certificate STUN-DTLS.crt key STUN-DTLS.key + certificate profileA.crt key profileA.key ! ip security ike policy CP-IKE-POLICY - local-id 192.168.255.12 + local-id 192.168.142.12 ! sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! + sa policy DP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY 
@@ -110,14 +153,21 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller - profile CP-PROFILE + profile DP-PROFILE ! interface Dps1 description DPS Interface mtu 9194 flow tracker hardware FLOW-TRACKER - ip address 192.168.255.12/32 + ip address 192.168.142.12/32 ! interface Ethernet1 description ATT_666 @@ -126,6 +176,13 @@ interface Ethernet1 ip address dhcp dhcp client accept default-route ! +interface Ethernet52 + description P2P_leaf-wan-use-evpn-on-lan_Ethernet1 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.23/31 +! interface Loopback0 description ROUTER_ID no shutdown @@ -143,11 +200,48 @@ application traffic recognition application ipv4 APP-CONTROL-PLANE destination prefix field-set PFX-PATHFINDERS ! + application ipv4 CUSTOM-APPLICATION-1 + source prefix field-set CUSTOM-SRC-PREFIX-1 + destination prefix field-set CUSTOM-DEST-PREFIX-1 + protocol tcp + ! + application ipv4 CUSTOM-APPLICATION-2 + protocol tcp source port field-set TCP-SRC-2 destination port field-set TCP-DEST-2 + ! + application ipv4 CUSTOM-DSCP-APPLICATION + dscp ef 12-14 cs6 42 + ! + category VIDEO1 + application CUSTOM-APPLICATION-2 + application CUSTOM-DSCP-APPLICATION + application microsoft-teams + ! application-profile APP-PROFILE-CONTROL-PLANE application APP-CONTROL-PLANE ! + application-profile VIDEO + application CUSTOM-APPLICATION-1 + application skype + application rtp transport + category VIDEO1 + ! + application-profile VOICE + application CUSTOM-VOICE-APPLICATION + ! + field-set ipv4 prefix CUSTOM-DEST-PREFIX-1 + 6.6.6.0/24 + ! + field-set ipv4 prefix CUSTOM-SRC-PREFIX-1 + 42.42.42.0/24 + ! field-set ipv4 prefix PFX-PATHFINDERS 192.168.144.1/32 + ! + field-set l4-port TCP-DEST-2 + 666, 777 + ! + field-set l4-port TCP-SRC-2 + 42 ! ip routing no ip routing vrf MGMT 
@@ -158,6 +252,10 @@ ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.12:12 ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.42.0/24 eq 32 ! +route-map RM-BGP-UNDERLAY-PEERS-IN permit 40 + description Mark prefixes originated from the LAN + set extcommunity soo 192.168.42.12:12 additive +! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY set extcommunity soo 192.168.42.12:12 additive @@ -179,15 +277,22 @@ router bgp 65000 neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3 neighbor EVPN-OVERLAY-PEERS send-community neighbor EVPN-OVERLAY-PEERS maximum-routes 0 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 neighbor WAN-OVERLAY-PEERS peer group neighbor WAN-OVERLAY-PEERS remote-as 65000 neighbor WAN-OVERLAY-PEERS update-source Dps1 neighbor WAN-OVERLAY-PEERS bfd neighbor WAN-OVERLAY-PEERS bfd interval 1000 min-rx 1000 multiplier 10 - neighbor WAN-OVERLAY-PEERS ttl maximum-hops 42 + neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1 neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ== neighbor WAN-OVERLAY-PEERS send-community neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 172.18.0.22 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.22 remote-as 65042 + neighbor 172.18.0.22 description leaf-wan-use-evpn-on-lan_Ethernet1 neighbor 192.168.144.1 peer group WAN-OVERLAY-PEERS neighbor 192.168.144.1 description cv-pathfinder-pathfinder_Dps1 redistribute connected route-map RM-CONN-2-BGP @@ -199,6 +304,7 @@ router bgp 65000 neighbor WAN-OVERLAY-PEERS encapsulation path-selection ! address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate no neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 sr-te 
@@ -232,9 +338,9 @@ stun client server-profile INET-cv-pathfinder-pathfinder-Ethernet1 ip address 172.17.7.7 - ssl profile STUN-DTLS + ssl profile profileA server-profile INET-cv-pathfinder-pathfinder-Ethernet3 ip address 10.9.9.9 - ssl profile STUN-DTLS + ssl profile profileA ! end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml index 4bee113fade..8e2c48bacc3 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml @@ -255,6 +255,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml index fefa639c40d..6cb77ea3010 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml 
@@ -6,16 +6,63 @@ agents: - name: KERNELFIB_PROGRAM_ALL_ECMP value: '1' application_traffic_recognition: + categories: + - name: VIDEO1 + applications: + - name: CUSTOM-APPLICATION-2 + - name: CUSTOM-DSCP-APPLICATION + - name: microsoft-teams field_sets: + l4_ports: + - name: TCP-SRC-2 + port_values: + - '42' + - name: TCP-DEST-2 + port_values: + - '666' + - '777' ipv4_prefixes: + - name: CUSTOM-SRC-PREFIX-1 + prefix_values: + - 42.42.42.0/24 + - name: CUSTOM-DEST-PREFIX-1 + prefix_values: + - 6.6.6.0/24 - name: PFX-PATHFINDERS prefix_values: - 192.168.144.1/32 applications: ipv4_applications: + - name: CUSTOM-APPLICATION-1 + src_prefix_set_name: CUSTOM-SRC-PREFIX-1 + dest_prefix_set_name: CUSTOM-DEST-PREFIX-1 + protocols: + - tcp + - name: CUSTOM-APPLICATION-2 + protocols: + - tcp + tcp_src_port_set_name: TCP-SRC-2 + tcp_dest_port_set_name: TCP-DEST-2 + - name: CUSTOM-DSCP-APPLICATION + dscp_ranges: + - ef + - 12-14 + - cs6 + - '42' - name: APP-CONTROL-PLANE dest_prefix_set_name: PFX-PATHFINDERS application_profiles: + - name: VIDEO + applications: + - name: CUSTOM-APPLICATION-1 + - name: skype + application_transports: + - rtp + categories: + - name: VIDEO1 + - name: VOICE + applications: + - name: CUSTOM-VOICE-APPLICATION - name: APP-PROFILE-CONTROL-PLANE applications: - name: APP-CONTROL-PLANE @@ -24,12 +71,22 @@ dps_interfaces: - name: Dps1 description: DPS Interface mtu: 9194 - ip_address: 192.168.255.12/32 + ip_address: 192.168.142.12/32 flow_tracker: hardware: FLOW-TRACKER enable_password: disabled: true ethernet_interfaces: +- name: Ethernet52 + description: P2P_leaf-wan-use-evpn-on-lan_Ethernet1 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.23/31 + peer: leaf-wan-use-evpn-on-lan + peer_interface: Ethernet1 + peer_type: l3leaf + switchport: + enabled: false - name: Ethernet1 description: ATT_666 shutdown: false 
@@ -62,13 +119,26 @@ ip_routing: true ip_security: ike_policies: - name: CP-IKE-POLICY - local_id: 192.168.255.12 + local_id: 192.168.142.12 sa_policies: + - name: DP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 - name: CP-SA-POLICY esp: encryption: aes256gcm128 pfs_dh_group: 14 profiles: + - name: DP-PROFILE + sa_policy: DP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890666 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport - name: CP-PROFILE ike_policy: CP-IKE-POLICY sa_policy: CP-SA-POLICY @@ -80,7 +150,7 @@ ip_security: action: clear mode: transport key_controller: - profile: CP-PROFILE + profile: DP-PROFILE is_deployed: true loopback_interfaces: - name: Loopback0 @@ -93,14 +163,14 @@ management_api_http: - name: MGMT management_security: ssl_profiles: - - name: STUN-DTLS + - name: profileA tls_versions: '1.2' trust_certificate: certificates: - aristaDeviceCertProvisionerDefaultRootCA.crt certificate: - file: STUN-DTLS.crt - key: STUN-DTLS.key + file: profileA.crt + key: profileA.key metadata: fabric_name: EOS_DESIGNS_UNIT_TESTS cv_tags: @@ -114,6 +184,10 @@ metadata: - name: Site value: Site12 interface_tags: + - interface: Ethernet52 + tags: + - name: Type + value: lan - interface: Ethernet1 tags: - name: Type @@ -127,8 +201,8 @@ metadata: region: AVD_Land_West zone: AVD_Land_West-ZONE site: Site12 - vtep_ip: 192.168.255.12 - ssl_profile: STUN-DTLS + vtep_ip: 192.168.142.12 + ssl_profile: profileA pathfinders: - vtep_ip: 192.168.144.1 interfaces: @@ -150,6 +224,13 @@ route_maps: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY set: - extcommunity soo 192.168.42.12:12 additive +- name: RM-BGP-UNDERLAY-PEERS-IN + sequence_numbers: + - sequence: 40 + type: permit + description: Mark prefixes originated from the LAN + set: + - extcommunity soo 192.168.42.12:12 additive - name: RM-EVPN-EXPORT-VRF-DEFAULT sequence_numbers: - sequence: 10 
@@ -168,33 +249,53 @@ router_adaptive_virtual_topology: name: Site12 id: 12 profiles: - - name: DEFAULT-POLICY-CONTROL-PLANE - load_balance_policy: LB-DEFAULT-POLICY-CONTROL-PLANE - - name: DEFAULT-POLICY-DEFAULT - load_balance_policy: LB-DEFAULT-POLICY-DEFAULT + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + load_balance_policy: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + - name: DEFAULT-AVT-POLICY-VIDEO + load_balance_policy: LB-DEFAULT-AVT-POLICY-VIDEO + - name: DEFAULT-AVT-POLICY-DEFAULT + load_balance_policy: LB-DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY-VOICE + load_balance_policy: LB-PROD-AVT-POLICY-VOICE + - name: PROD-AVT-POLICY-VIDEO + load_balance_policy: LB-PROD-AVT-POLICY-VIDEO + - name: PROD-AVT-POLICY-DEFAULT + load_balance_policy: LB-PROD-AVT-POLICY-DEFAULT policies: - - name: DEFAULT-POLICY-WITH-CP + - name: DEFAULT-AVT-POLICY-WITH-CP matches: - application_profile: APP-PROFILE-CONTROL-PLANE - avt_profile: DEFAULT-POLICY-CONTROL-PLANE + avt_profile: DEFAULT-AVT-POLICY-CONTROL-PLANE + - application_profile: VIDEO + avt_profile: DEFAULT-AVT-POLICY-VIDEO - application_profile: default - avt_profile: DEFAULT-POLICY-DEFAULT - - name: DEFAULT-POLICY + avt_profile: DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY matches: + - application_profile: VOICE + avt_profile: PROD-AVT-POLICY-VOICE + - application_profile: VIDEO + avt_profile: PROD-AVT-POLICY-VIDEO - application_profile: default - avt_profile: DEFAULT-POLICY-DEFAULT + avt_profile: PROD-AVT-POLICY-DEFAULT vrfs: - name: default - policy: DEFAULT-POLICY-WITH-CP + policy: DEFAULT-AVT-POLICY-WITH-CP profiles: - - name: DEFAULT-POLICY-CONTROL-PLANE + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE id: 254 - - name: DEFAULT-POLICY-DEFAULT + - name: DEFAULT-AVT-POLICY-VIDEO + id: 3 + - name: DEFAULT-AVT-POLICY-DEFAULT id: 1 - name: PROD - policy: DEFAULT-POLICY + policy: PROD-AVT-POLICY profiles: - - name: DEFAULT-POLICY-DEFAULT + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + 
- name: PROD-AVT-POLICY-DEFAULT id: 1 router_bfd: multihop: @@ -212,6 +313,11 @@ router_bgp: default: ipv4_unicast: false peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + send_community: all + maximum_routes: 12000 + route_map_in: RM-BGP-UNDERLAY-PEERS-IN - name: EVPN-OVERLAY-PEERS type: evpn update_source: Loopback0 @@ -231,8 +337,13 @@ router_bgp: password: htm4AZe9mIQOO1uiMuGgYQ== send_community: all maximum_routes: 0 - ttl_maximum_hops: 42 + ttl_maximum_hops: 1 neighbors: + - ip_address: 172.18.0.22 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65042' + peer: leaf-wan-use-evpn-on-lan + description: leaf-wan-use-evpn-on-lan_Ethernet1 - ip_address: 192.168.144.1 peer_group: WAN-OVERLAY-PEERS peer: cv-pathfinder-pathfinder @@ -250,6 +361,8 @@ router_bgp: encapsulation: path-selection address_family_ipv4: peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true - name: WAN-OVERLAY-PEERS activate: false address_family_ipv4_sr_te: @@ -319,10 +432,27 @@ router_path_selection: - 172.17.7.7 - 10.9.9.9 load_balance_policies: - - name: LB-DEFAULT-POLICY-CONTROL-PLANE + - name: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-VIDEO + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-DEFAULT + path_groups: + - name: INET + - name: LB-PROD-AVT-POLICY-VOICE + lowest_hop_count: true + jitter: 42 + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-VIDEO + loss_rate: '42.0' path_groups: - name: INET - - name: LB-DEFAULT-POLICY-DEFAULT + priority: 2 + - name: LB-PROD-AVT-POLICY-DEFAULT path_groups: - name: INET tcp_mss_ceiling: @@ -337,10 +467,10 @@ stun: server_profiles: - name: INET-cv-pathfinder-pathfinder-Ethernet1 ip_address: 172.17.7.7 - ssl_profile: STUN-DTLS + ssl_profile: profileA - name: INET-cv-pathfinder-pathfinder-Ethernet3 ip_address: 10.9.9.9 - ssl_profile: STUN-DTLS + ssl_profile: profileA transceiver_qsfp_default_mode_4x10: false vrfs: - name: MGMT 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml index 18066ced230..fb1860325ac 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml @@ -261,6 +261,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml index aff9edf6374..7dec5953bb2 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml @@ -224,6 +224,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml index 28ac1b7145a..59bf6896d73 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml @@ -242,6 +242,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml index 9f3b68b9191..6c059dc395e 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml @@ -3,6 +3,17 @@ aaa_root: config_end: true enable_password: disabled: true +ethernet_interfaces: +- name: Ethernet1 + description: P2P_cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.22/31 + peer: cv-pathfinder-edge-wan-use-evpn-on-lan + peer_interface: Ethernet52 + peer_type: wan_router + switchport: + enabled: false hostname: leaf-wan-use-evpn-on-lan ip_igmp_snooping: globally_enabled: true @@ -66,6 +77,12 @@ router_bgp: ebgp_multihop: 3 send_community: all maximum_routes: 0 + neighbors: + - ip_address: 172.18.0.23 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + peer: cv-pathfinder-edge-wan-use-evpn-on-lan + description: cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 redistribute: connected: enabled: true diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml index e7607bec68a..4ab5ba99166 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml @@ -169,6 +169,14 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: + - id: 1000 + tenant: TenantA + rd: 192.168.45.4:2000 + route_targets: + both: + - 2000:2000 + redistribute_routes: + - learned - id: 100 tenant: TenantA rd: 192.168.45.4:1100 @@ -290,6 +298,12 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: +- name: Vlan1000 + description: VLAN1000 + shutdown: true + vrf: IT + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -309,6 +323,9 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: +- id: 1000 + name: VLAN1000 + tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -337,6 +354,8 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: + - id: 1000 + vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml index 89d1fa00274..a96fadd8d8c 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml @@ -169,6 +169,14 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: + - id: 1000 + tenant: TenantA + rd: 192.168.45.1:2000 + route_targets: + both: + - 2000:2000 + redistribute_routes: + - learned - id: 100 tenant: TenantA rd: 192.168.45.1:1100 
@@ -290,6 +298,12 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: +- name: Vlan1000 + description: VLAN1000 + shutdown: true + vrf: IT + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -308,6 +322,9 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: +- id: 1000 + name: VLAN1000 + tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -336,6 +353,8 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: + - id: 1000 + vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml index 19b4471e640..fcc8b561a30 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml @@ -169,6 +169,14 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: + - id: 1000 + tenant: TenantA + rd: 192.168.45.2:2000 + route_targets: + both: + - 2000:2000 + redistribute_routes: + - learned - id: 100 tenant: TenantA rd: 192.168.45.2:1100 @@ -290,6 +298,12 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: +- name: Vlan1000 + description: VLAN1000 + shutdown: true + vrf: IT + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -308,6 +322,9 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: +- id: 1000 + name: VLAN1000 + tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA 
@@ -336,6 +353,8 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: + - id: 1000 + vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml index 81ce797ff5c..4fae30e5f36 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml @@ -169,6 +169,14 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: + - id: 1000 + tenant: TenantA + rd: 192.168.45.3:2000 + route_targets: + both: + - 2000:2000 + redistribute_routes: + - learned - id: 100 tenant: TenantA rd: 192.168.45.3:1100 @@ -290,6 +298,12 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: +- name: Vlan1000 + description: VLAN1000 + shutdown: true + vrf: IT + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -308,6 +322,9 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: +- id: 1000 + name: VLAN1000 + tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -336,6 +353,8 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: + - id: 1000 + vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index f02f7635cd6..e9449de9995 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -530,7 +530,7 @@ tenants: name: VLAN1000 ip_address_virtual: 10.0.100.1/24 nodes: - - node: leaf-use-wan-evpn-on-lan + - node: leaf-wan-use-evpn-on-lan l2vlans: - id: 101 name: VLAN101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml index dad40a114da..8024d73d435 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml @@ -12,7 +12,7 @@ wan_route_servers: wan_router: defaults: loopback_ipv4_pool: 192.168.42.0/24 - vtep_loopback_ipv4_pool: 192.168.255.0/24 + vtep_loopback_ipv4_pool: 192.168.142.0/24 filter: always_include_vrfs_in_tenants: [TenantA] deny_vrfs: [IT] @@ -21,7 +21,7 @@ wan_router: cv_pathfinder_region: AVD_Land_West cv_pathfinder_site: Site12 # Adding uplink to leaf for EVPN - uplink_switches: [leaf-use-wan-evpn-on-lan] + uplink_switches: [leaf-wan-use-evpn-on-lan] uplink_type: p2p uplink_interfaces: [Ethernet52] uplink_switch_interfaces: [Ethernet1] From d13f8a3cc799cdf924475f4bb882a09426e26519 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Mon, 20 Jan 2025 17:59:50 +0100 Subject: [PATCH 11/40] Fix(eos_designs): Logical error --- .../pyavd/_eos_designs/structured_config/overlay/router_bgp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py index 34fe1a93039..02af26c3af1 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py 
+++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py @@ -493,7 +493,7 @@ def _create_neighbor( ), } - if remote_as is None: + if remote_as is not None: neighbor["remote_as"] = remote_as if self.inputs.shutdown_bgp_towards_undeployed_peers and name in self._avd_overlay_peers: From 33b2dd7ad25cea55609b4e114cc49ca004c7e119 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Wed, 22 Jan 2025 00:32:52 +0100 Subject: [PATCH 12/40] Test: Moleculing the molecule --- .../configs/leaf-wan-use-evpn-on-lan.cfg | 178 ++++++++++++++++++ .../configs/site-ha-disabled-leaf.cfg | 15 ++ .../configs/site-ha-enabled-leaf1.cfg | 15 ++ .../configs/site-ha-enabled-leaf2A.cfg | 15 ++ .../configs/site-ha-enabled-leaf2B.cfg | 15 ++ .../group_vars/CV_PATHFINDER_TESTS.yml | 2 - 6 files changed, 238 insertions(+), 2 deletions(-) create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg new file mode 100644 index 00000000000..4212e2ce6fc --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg 
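Review bot: The corrected guard `if remote_as is not None:` has no comment explaining why the key is optional, and the patch changes only this one line with no test, so the inversion it fixes could come back unnoticed. A comment above the guard would help, for example `# Set remote_as on the neighbor only when the caller passes one; omit the key otherwise.` A unit test on `_create_neighbor` should assert that `remote_as` is present in the returned dict when a value is passed and absent when it is `None`. A BGP neighbor rendered without its intended remote AS is a peering-integrity problem, not only a formatting one. The body of `_create_neighbor` starts and ends outside the hunk, so whether other callers rely on the omitted key cannot be checked from here.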
@@ -0,0 +1,178 @@ +! +no enable password +no aaa root +! +vlan internal order ascending range 1006 1199 +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname leaf-wan-use-evpn-on-lan +! +vlan 100 + name VLAN100 +! +vlan 101 + name VLAN101 +! +vlan 666 + name VLAN666 +! +vlan 1000 + name VLAN1000 +! +vrf instance ATTRACTED-VRF-FROM-UPLINK +! +vrf instance IT +! +vrf instance MGMT +! +vrf instance PROD +! +management api http-commands + protocol https + no shutdown + ! + vrf MGMT + no shutdown +! +interface Ethernet1 + description P2P_cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.22/31 +! +interface Loopback0 + description ROUTER_ID + no shutdown + ip address 192.168.45.13/32 +! +interface Loopback1 + description VXLAN_TUNNEL_SOURCE + no shutdown + ip address 192.168.255.13/32 +! +interface Vlan100 + description VLAN100 + shutdown + vrf PROD + ip address virtual 10.0.100.1/24 +! +interface Vlan666 + description VLAN666 + shutdown + vrf ATTRACTED-VRF-FROM-UPLINK + ip address virtual 10.66.66.66/24 +! +interface Vlan1000 + description VLAN1000 + shutdown + vrf IT + ip address virtual 10.0.100.1/24 +! +interface Vxlan1 + description leaf-wan-use-evpn-on-lan_VTEP + vxlan source-interface Loopback1 + vxlan udp-port 4789 + vxlan vlan 100 vni 1100 + vxlan vlan 101 vni 1101 + vxlan vlan 666 vni 1666 + vxlan vlan 1000 vni 2000 + vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 + vxlan vrf default vni 1 + vxlan vrf IT vni 1000 + vxlan vrf PROD vni 142 +! +ip virtual-router mac-address 00:1c:73:00:00:01 +! +ip routing +ip routing vrf ATTRACTED-VRF-FROM-UPLINK +ip routing vrf IT +no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY + seq 10 permit 192.168.45.0/24 eq 32 + seq 20 permit 192.168.255.0/24 eq 32 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +! 
+router bfd + multihop interval 300 min-rx 300 multiplier 3 +! +router bgp 65042 + router-id 192.168.45.13 + update wait-install + no bgp default ipv4-unicast + maximum-paths 4 ecmp 4 + neighbor EVPN-OVERLAY-PEERS peer group + neighbor EVPN-OVERLAY-PEERS update-source Loopback0 + neighbor EVPN-OVERLAY-PEERS bfd + neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3 + neighbor EVPN-OVERLAY-PEERS send-community + neighbor EVPN-OVERLAY-PEERS maximum-routes 0 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor 172.18.0.23 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.23 remote-as 65000 + neighbor 172.18.0.23 description cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + redistribute connected route-map RM-CONN-2-BGP + ! + vlan 100 + rd 192.168.45.13:1100 + route-target both 1100:1100 + redistribute learned + ! + vlan 101 + rd 192.168.45.13:1101 + route-target both 1101:1101 + redistribute learned + ! + vlan 666 + rd 192.168.45.13:1666 + route-target both 1666:1666 + redistribute learned + ! + vlan 1000 + rd 192.168.45.13:2000 + route-target both 2000:2000 + redistribute learned + ! + address-family evpn + neighbor EVPN-OVERLAY-PEERS activate + ! + address-family ipv4 + no neighbor EVPN-OVERLAY-PEERS activate + neighbor IPv4-UNDERLAY-PEERS activate + ! + vrf ATTRACTED-VRF-FROM-UPLINK + rd 192.168.45.13:666 + route-target import evpn 666:666 + route-target export evpn 666:666 + router-id 192.168.45.13 + redistribute connected + ! + vrf default + rd 192.168.45.13:1 + route-target import evpn 1:1 + route-target export evpn 1:1 + ! + vrf IT + rd 192.168.45.13:1000 + route-target import evpn 1000:1000 + route-target export evpn 1000:1000 + router-id 192.168.45.13 + redistribute connected + ! + vrf PROD + rd 192.168.45.13:142 + route-target import evpn 142:142 + route-target export evpn 142:142 + router-id 192.168.45.13 + redistribute connected +! +end 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg index 490539ef7b3..6d86b26c54c 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg @@ -19,6 +19,9 @@ vlan 101 vlan 666 name VLAN666 ! +vlan 1000 + name VLAN1000 +! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -119,6 +122,12 @@ interface Vlan666 ip address 10.66.66.1 ip address virtual 10.66.66.66/24 ! +interface Vlan1000 + description VLAN1000 + shutdown + vrf IT + ip address virtual 10.0.100.1/24 +! interface Vxlan1 description site-ha-disabled-leaf_VTEP vxlan source-interface Loopback1 @@ -126,6 +135,7 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 + vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -186,6 +196,11 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! + vlan 1000 + rd 192.168.45.4:2000 + route-target both 2000:2000 + redistribute learned + ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg index ba119b221cb..82ba5c1e551 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg 
@@ -19,6 +19,9 @@ vlan 101 vlan 666 name VLAN666 ! +vlan 1000 + name VLAN1000 +! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -118,6 +121,12 @@ interface Vlan666 vrf ATTRACTED-VRF-FROM-UPLINK ip address virtual 10.66.66.66/24 ! +interface Vlan1000 + description VLAN1000 + shutdown + vrf IT + ip address virtual 10.0.100.1/24 +! interface Vxlan1 description site-ha-enabled-leaf1_VTEP vxlan source-interface Loopback1 @@ -125,6 +134,7 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 + vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -185,6 +195,11 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! + vlan 1000 + rd 192.168.45.1:2000 + route-target both 2000:2000 + redistribute learned + ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg index 6c5caa1e8f8..fb107287979 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg @@ -19,6 +19,9 @@ vlan 101 vlan 666 name VLAN666 ! +vlan 1000 + name VLAN1000 +! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -118,6 +121,12 @@ interface Vlan666 vrf ATTRACTED-VRF-FROM-UPLINK ip address virtual 10.66.66.66/24 ! +interface Vlan1000 + description VLAN1000 + shutdown + vrf IT + ip address virtual 10.0.100.1/24 +! interface Vxlan1 description site-ha-enabled-leaf2A_VTEP vxlan source-interface Loopback1 
@@ -125,6 +134,7 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 + vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -185,6 +195,11 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! + vlan 1000 + rd 192.168.45.2:2000 + route-target both 2000:2000 + redistribute learned + ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg index 919dcdc700b..83b92a16dad 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg @@ -19,6 +19,9 @@ vlan 101 vlan 666 name VLAN666 ! +vlan 1000 + name VLAN1000 +! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -118,6 +121,12 @@ interface Vlan666 vrf ATTRACTED-VRF-FROM-UPLINK ip address virtual 10.66.66.66/24 ! +interface Vlan1000 + description VLAN1000 + shutdown + vrf IT + ip address virtual 10.0.100.1/24 +! interface Vxlan1 description site-ha-enabled-leaf2B_VTEP vxlan source-interface Loopback1 @@ -125,6 +134,7 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 + vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -185,6 +195,11 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! + vlan 1000 + rd 192.168.45.3:2000 + route-target both 2000:2000 + redistribute learned + ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index e9449de9995..6d192a38534 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -529,8 +529,6 @@ tenants: - id: 1000 name: VLAN1000 ip_address_virtual: 10.0.100.1/24 - nodes: - - node: leaf-wan-use-evpn-on-lan l2vlans: - id: 101 name: VLAN101 From 5f9716d60bbc894884a800b30fef6763b26ae4f7 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Thu, 23 Jan 2025 15:50:42 +0100 Subject: [PATCH 13/40] Refactor: Address schema comment --- .../eos_designs/docs/tables/wan-settings.md | 8 +++---- .../pyavd/_eos_designs/schema/__init__.py | 22 ++++++++++--------- .../schema/eos_designs.schema.yml | 8 ++++--- ..._use_evpn_node_settings_for_lan.schema.yml | 6 ++--- 4 files changed, 24 insertions(+), 20 deletions(-) diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md index 6040b151198..e30d784f46f 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md @@ -24,7 +24,7 @@ | [wan_mode](## "wan_mode") | String | | `cv-pathfinder` | Valid Values:
- autovpn
- cv-pathfinder | Select if the WAN should be run using CV Pathfinder or AutoVPN only. | | [wan_stun_dtls_disable](## "wan_stun_dtls_disable") | Boolean | | `False` | | WAN STUN connections are authenticated and secured with DTLS by default.
For CV Pathfinder deployments CloudVision will automatically deploy certificates on the devices.
In case of AutoVPN the certificates must be deployed manually to all devices.

For LAB environments this can be disabled, if there are no certificates available.
This should NOT be disabled for a WAN network connected to the internet, since it will leave the STUN service exposed with no authentication. | | [wan_stun_dtls_profile_name](## "wan_stun_dtls_profile_name") | String | | `STUN-DTLS` | | Name of the SSL profile used for DTLS on WAN STUN connections.
When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. | - | [wan_use_evpn_node_settings_for_lan](## "wan_use_evpn_node_settings_for_lan") | Boolean | | `False` | | PREVIEW: This key is currently not supported
Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep`
node settings for LAN side on WAN devices (they were enforced before).
This will be the default starting 6.0.0. | + | [wan_use_evpn_node_settings_for_lan](## "wan_use_evpn_node_settings_for_lan") | Boolean | | `False` | | PREVIEW: This key is currently not supported
When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep`
node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN.
This will be the default in AVD version 6.0.0 and this option will be removed. | === "YAML" @@ -88,8 +88,8 @@ wan_stun_dtls_profile_name: # PREVIEW: This key is currently not supported - # Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` - # node settings for LAN side on WAN devices (they were enforced before). - # This will be the default starting 6.0.0. + # When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` + # node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN. + # This will be the default in AVD version 6.0.0 and this option will be removed. wan_use_evpn_node_settings_for_lan: ``` diff --git a/python-avd/pyavd/_eos_designs/schema/__init__.py b/python-avd/pyavd/_eos_designs/schema/__init__.py index ac52dcfef4a..3b440b5a86e 100644 --- a/python-avd/pyavd/_eos_designs/schema/__init__.py +++ b/python-avd/pyavd/_eos_designs/schema/__init__.py @@ -56891,11 +56891,12 @@ def __init__( wan_use_evpn_node_settings_for_lan: bool """ PREVIEW: This key is currently not supported - Setting to start using `overlay_routing_protocol`, - `evpn_role` and `vtep` - node settings for LAN side on WAN devices (they were enforced before). - This - will be the default starting 6.0.0. + When true, `eos_designs` will use + `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side on WAN devices. + Otherwise these will be ignored for WAN. + This will be the default in AVD version 6.0.0 and this + option will be removed. Default value: `False` """ 
@@ -58360,11 +58361,12 @@ def __init__( deployment via CloudVision this name must be the same on all WAN routers. wan_use_evpn_node_settings_for_lan: PREVIEW: This key is currently not supported - Setting to start using `overlay_routing_protocol`, - `evpn_role` and `vtep` - node settings for LAN side on WAN devices (they were enforced before). - This - will be the default starting 6.0.0. + When true, `eos_designs` will use + `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side on WAN devices. + Otherwise these will be ignored for WAN. + This will be the default in AVD version 6.0.0 and this + option will be removed. wan_virtual_topologies: Configure Virtual Topologies for CV Pathfinder and AutoVPN. Auto create a control plane diff --git a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml index ccc2a671a50..1d65f78b0da 100644 --- a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml @@ -4897,11 +4897,13 @@ keys: default: false description: 'PREVIEW: This key is currently not supported - Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` + When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and + `vtep` - node settings for LAN side on WAN devices (they were enforced before). + node settings for LAN side on WAN devices. Otherwise these will be ignored for + WAN. - This will be the default starting 6.0.0.' + This will be the default in AVD version 6.0.0 and this option will be removed.' wan_virtual_topologies: type: dict description: 'Configure Virtual Topologies for CV Pathfinder and AutoVPN. diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml index aa099e3353d..671ce461632 100644 
--- a/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml @@ -14,6 +14,6 @@ keys: default: false description: |- PREVIEW: This key is currently not supported - Setting to start using `overlay_routing_protocol`, `evpn_role` and `vtep` - node settings for LAN side on WAN devices (they were enforced before). - This will be the default starting 6.0.0. + When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN. + This will be the default in AVD version 6.0.0 and this option will be removed. From db86cab703b4e5c029b9fb766b5d3d2a5b84b9c9 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Thu, 23 Jan 2025 16:30:17 +0100 Subject: [PATCH 14/40] Refactor: Address some PR comments --- .../structured_config/overlay/router_bgp.py | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py index 02af26c3af1..8e6aba0820d 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py @@ -150,7 +150,7 @@ def _peer_groups(self: AvdStructuredConfigOverlay) -> list | None: if self._is_mpls_server is True: peer_groups.append({**self._generate_base_peer_group("mpls", "rr_overlay_peers"), "remote_as": self.shared_utils.bgp_as}) - # Always render WAN routers + # Always render the WAN routers # TODO: probably should move from overlay if self.shared_utils.is_wan_router: # WAN OVERLAY peer group only is supported iBGP 
@@ -226,19 +226,21 @@ def _address_family_evpn(self: AvdStructuredConfigOverlay) -> dict | None: overlay_peer_group = {} if self.shared_utils.is_wan_router: - overlay_peer_group = { + wan_overlay_peer_group = { "name": self.inputs.bgp_peer_groups.wan_overlay_peers.name, "activate": True, "encapsulation": self.inputs.wan_encapsulation, } if self.shared_utils.wan_role != "server": - overlay_peer_group.update( + wan_overlay_peer_group.update( { "route_map_in": "RM-EVPN-SOO-IN", "route_map_out": "RM-EVPN-SOO-OUT", }, ) - elif self.shared_utils.overlay_evpn_vxlan is True: + peer_groups.append(wan_overlay_peer_group) + + if self.shared_utils.overlay_evpn_vxlan is True: overlay_peer_group = {"name": self.inputs.bgp_peer_groups.evpn_overlay_peers.name, "activate": True} if self.shared_utils.overlay_routing_protocol == "ebgp": @@ -270,6 +272,7 @@ def _address_family_evpn(self: AvdStructuredConfigOverlay) -> dict | None: if self._is_mpls_server is True: peer_groups.append({"name": self.inputs.bgp_peer_groups.rr_overlay_peers.name, "activate": True}) + # TODO: this is written for matching either evpn_mpls or evpn_vlxan based for iBGP see if we cannot make this better. if self.shared_utils.overlay_vtep is True and self.shared_utils.evpn_role != "server" and overlay_peer_group: overlay_peer_group.update( { @@ -277,7 +280,6 @@ def _address_family_evpn(self: AvdStructuredConfigOverlay) -> dict | None: "route_map_out": "RM-EVPN-SOO-OUT", }, ) - if overlay_peer_group: peer_groups.append(overlay_peer_group) @@ -625,7 +627,7 @@ def _neighbors(self: AvdStructuredConfigOverlay) -> list | None: } neighbors.append(neighbor) - if self.shared_utils.is_wan_server: + elif self.shared_utils.is_wan_server: # No neighbor configured on the `wan_overlay_peers` peer group as it is covered by listen ranges for wan_route_server in self.shared_utils.filtered_wan_route_servers: neighbor = self._create_neighbor( From e462d9c57026aae68ebacf4096a38a894734e68f Mon Sep 17 00:00:00 2001 
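Review bot: In hunk `@@ -226,19 +226,21 @@` of overlay/router_bgp.py, replacing `elif self.shared_utils.overlay_evpn_vxlan is True:` with a plain `if` makes the WAN and LAN EVPN peer-group branches independent, and nothing in the new lines says so. A WAN router for which `overlay_evpn_vxlan` is true now gets both groups activated under address-family evpn, while the `overlay_peer_group = {}` initialised above serves only the LAN path. I would add a comment above the second `if`, for example `# LAN-side EVPN peer group; evaluated independently of the WAN peer group appended above`. `_address_family_evpn` starts and ends outside the hunk, so how `peer_groups` is initialised and returned is not visible here.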
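Review bot: The TODO added in hunk `@@ -270,6 +272,7 @@` misspells `evpn_vxlan` as `evpn_vlxan` and is hard to parse as written. If the intent is that the condition below has to cover both iBGP overlay flavours, something like `# TODO: this condition matches both evpn_mpls and evpn_vxlan iBGP overlays; see if it can be made more explicit.` reads more clearly. The condition itself (`overlay_vtep is True and evpn_role != "server" and overlay_peer_group`) is unchanged context, and the rest of the function is outside the hunk.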
From: gmuloc Date: Fri, 24 Jan 2025 11:15:40 +0100 Subject: [PATCH 15/40] Refactor: Block the 3 target keys in shared utils for WAN routers --- .../configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg | 1 + .../cv-pathfinder-edge-wan-use-evpn-on-lan.yml | 2 ++ python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py | 3 ++- python-avd/pyavd/_eos_designs/shared_utils/node_type.py | 3 +++ python-avd/pyavd/_eos_designs/shared_utils/overlay.py | 5 +++-- python-avd/pyavd/_eos_designs/shared_utils/routing.py | 5 +++-- 6 files changed, 14 insertions(+), 5 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg index 02a5285b8b7..94d64494f06 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg @@ -298,6 +298,7 @@ router bgp 65000 redistribute connected route-map RM-CONN-2-BGP ! address-family evpn + neighbor EVPN-OVERLAY-PEERS activate neighbor WAN-OVERLAY-PEERS activate neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml index 6cb77ea3010..ec42b88ba78 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml @@ -359,6 +359,8 @@ router_bgp: route_map_in: RM-EVPN-SOO-IN route_map_out: RM-EVPN-SOO-OUT encapsulation: path-selection + - name: EVPN-OVERLAY-PEERS + activate: true address_family_ipv4: peer_groups: - name: IPv4-UNDERLAY-PEERS diff --git a/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py b/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py index 90fd418708c..3a118cc6067 100644 --- a/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py +++ b/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py @@ -64,6 +64,7 @@ def overlay(self: EosDesignsFacts) -> dict | None: @cached_property def vtep_ip(self: EosDesignsFacts) -> str | None: """Exposed in avd_switch_facts.""" - if self.shared_utils.vtep: + # TODO: Probably need to handle this differently for WAN router - maybe `dps_ip` is needed. + if self.shared_utils.vtep or self.shared_utils.is_wan_router: return self.shared_utils.vtep_ip return None diff --git a/python-avd/pyavd/_eos_designs/shared_utils/node_type.py b/python-avd/pyavd/_eos_designs/shared_utils/node_type.py index 3db118131e5..95487621f5c 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/node_type.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/node_type.py @@ -137,4 +137,7 @@ def vtep(self: SharedUtils) -> bool: .nodes.[].vtep and node_type_keys..vtep. """ + if self.is_wan_router and not self.inputs.wan_use_evpn_node_settings_for_lan: + # For WAN routers without the knob, vtep should be ignored. + return False return default(self.node_config.vtep, self.node_type_key_data.vtep) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/overlay.py b/python-avd/pyavd/_eos_designs/shared_utils/overlay.py index efe00fa6c83..e9778d8131c 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/overlay.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/overlay.py 
@@ -33,8 +33,9 @@ def vtep_loopback(self: SharedUtils) -> str: def evpn_role(self: SharedUtils) -> str | None: if self.underlay_router: default_evpn_role = self.node_type_key_data.default_evpn_role - if self.is_wan_router and self.inputs.wan_use_evpn_node_settings_for_lan: - default_evpn_role = None + if self.is_wan_router and not self.inputs.wan_use_evpn_node_settings_for_lan: + # For WAN routers without the knob, evpn_role should be ignored. + return None return default(self.node_config.evpn_role, default_evpn_role) return None diff --git a/python-avd/pyavd/_eos_designs/shared_utils/routing.py b/python-avd/pyavd/_eos_designs/shared_utils/routing.py index 2391b6c43d3..76d948010c0 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/routing.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/routing.py @@ -29,8 +29,9 @@ def underlay_routing_protocol(self: SharedUtils) -> str: @cached_property def overlay_routing_protocol(self: SharedUtils) -> str: default_overlay_routing_protocol = self.node_type_key_data.default_overlay_routing_protocol - if self.is_wan_router and self.inputs.wan_use_evpn_node_settings_for_lan: - default_overlay_routing_protocol = "none" + if self.is_wan_router and not self.inputs.wan_use_evpn_node_settings_for_lan: + # For WAN routers without the knob, overlay_routing_protocol should be ignored. + return None return (self.inputs.overlay_routing_protocol or default_overlay_routing_protocol).lower() @cached_property From 6ae4f854f877c118b96877dc44aecbd800f2af1f Mon Sep 17 00:00:00 2001 From: gmuloc Date: Fri, 24 Jan 2025 11:25:02 +0100 Subject: [PATCH 16/40] Refactor: Change shared_utils vrf_wan_vni --- .../pyavd/_eos_designs/shared_utils/filtered_tenants.py | 2 +- python-avd/pyavd/_eos_designs/shared_utils/wan.py | 8 +++++--- .../structured_config/metadata/cv_pathfinder.py | 2 +- 3 files changed, 7 insertions(+), 5 deletions(-) 
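Review bot: `overlay_routing_protocol` in shared_utils/routing.py (hunk `@@ -29,8 +29,9 @@`) is still annotated `-> str`, but the added early return hands back `None` for WAN routers when `wan_use_evpn_node_settings_for_lan` is false. The signature should become `def overlay_routing_protocol(self: SharedUtils) -> str | None:`, and the comment could state that the property is `None` in that case rather than "ignored". The uses visible in this series (`== "ebgp"` and `in ["ebgp", "ibgp"]`) tolerate `None`, but any caller outside this view that calls a string method on the result would now raise `AttributeError`, so those call sites are worth checking.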
diff --git a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py index 8b321906460..2700d4f3123 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py @@ -431,7 +431,7 @@ def bgp_enabled_for_vrf(self: SharedUtils, vrf: EosDesigns._DynamicKeys.DynamicN vrf_address_families = [af for af in vrf.address_families if af in self.overlay_address_families] return any( [ - (self.is_wan_router and self.vrf_has_wan_vni(vrf.name)), + (self.is_wan_router and self.vrf_wan_vni(vrf.name) is not None), vrf_address_families, vrf.bgp_peers, (self.uplink_type == "p2p-vrfs" and vrf.name in (self.get_switch_fact("uplink_switch_vrfs", required=False) or [])), diff --git a/python-avd/pyavd/_eos_designs/shared_utils/wan.py b/python-avd/pyavd/_eos_designs/shared_utils/wan.py index 625d1820d90..33363133b2e 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/wan.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/wan.py @@ -583,6 +583,8 @@ def wan_stun_dtls_profile_name(self: SharedUtils) -> str | None: return self.inputs.wan_stun_dtls_profile_name - def vrf_has_wan_vni(self: SharedUtils, vrf_name: str) -> bool: - """Returns True if the VRF `vrf_name` is present under wan_virtual_topologies and wan_vni is set.""" - return vrf_name in self.inputs.wan_virtual_topologies.vrfs and self.inputs.wan_virtual_topologies.vrfs[vrf_name].wan_vni + def vrf_wan_vni(self: SharedUtils, vrf_name: str) -> int | None: + """Returns the VRF WAN VNI or None.""" + if vrf_name not in self.inputs.wan_virtual_topologies.vrfs: + return None + return self.inputs.wan_virtual_topologies.vrfs[vrf_name].wan_vni diff --git a/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py b/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py index 244c20508c6..824067f9fd1 100644 
--- a/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py +++ b/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py @@ -204,7 +204,7 @@ def _metadata_vrfs(self: AvdStructuredConfigMetadata) -> list: return strip_empties_from_list(metadata_vrfs) def _get_vni_for_vrf_name(self: AvdStructuredConfigMetadata, vrf_name: str) -> int: - if vrf_name in self.inputs.wan_virtual_topologies.vrfs and (wan_vni := self.inputs.wan_virtual_topologies.vrfs[vrf_name].wan_vni) is not None: + if (wan_vni := self.shared_utils.vrf_wan_vni(vrf_name)) is not None: return wan_vni if vrf_name == "default": return 1 From 41ca88b68fb3093940f200fe6c356df66a6d9b15 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Fri, 24 Jan 2025 14:43:26 +0100 Subject: [PATCH 17/40] Refactor: Remove ties to overlay_address_families for WAN --- .../_eos_designs/shared_utils/routing.py | 2 +- .../pyavd/_eos_designs/shared_utils/wan.py | 15 +++++++++-- .../router_adaptive_virtual_topology.py | 2 +- .../network_services/router_bgp.py | 27 ++++++++++++++----- .../network_services/router_path_selection.py | 3 ++- .../network_services/utils_wan.py | 17 ++---------- .../network_services/vxlan_interface.py | 6 ++--- 7 files changed, 42 insertions(+), 30 deletions(-) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/routing.py b/python-avd/pyavd/_eos_designs/shared_utils/routing.py index 76d948010c0..bd6358da038 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/routing.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/routing.py 
@@ -36,7 +36,7 @@ def overlay_routing_protocol(self: SharedUtils) -> str: @cached_property def overlay_address_families(self: SharedUtils) -> list[str]: - if self.overlay_routing_protocol in ["ebgp", "ibgp"] or self.is_wan_router: + if self.overlay_routing_protocol in ["ebgp", "ibgp"]: default_overlay_address_families = self.node_type_key_data.default_overlay_address_families return self.node_config.overlay_address_families._as_list() or default_overlay_address_families._as_list() return [] diff --git a/python-avd/pyavd/_eos_designs/shared_utils/wan.py b/python-avd/pyavd/_eos_designs/shared_utils/wan.py index 33363133b2e..63789276ae3 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/wan.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/wan.py @@ -585,6 +585,17 @@ def wan_stun_dtls_profile_name(self: SharedUtils) -> str | None: def vrf_wan_vni(self: SharedUtils, vrf_name: str) -> int | None: """Returns the VRF WAN VNI or None.""" - if vrf_name not in self.inputs.wan_virtual_topologies.vrfs: + if vrf_name not in self._filtered_wan_vrfs: return None - return self.inputs.wan_virtual_topologies.vrfs[vrf_name].wan_vni + return self._filtered_wan_vrfs[vrf_name].wan_vni + + @cached_property + def _filtered_wan_vrfs(self: AvdStructuredConfigNetworkServices) -> EosDesigns.WanVirtualTopologies.Vrfs: + """Loop through all the VRFs defined under `wan_virtual_topologies.vrfs` and returns a list of mode.""" + wan_vrfs = EosDesigns.WanVirtualTopologies.Vrfs(vrf for vrf in self.inputs.wan_virtual_topologies.vrfs if vrf.name in self.vrfs or self.is_wan_server) + + # Check that default is in the list as it is required everywhere + if "default" not in wan_vrfs: + wan_vrfs.append(EosDesigns.WanVirtualTopologies.VrfsItem(name="default", wan_vni=1)) + + return wan_vrfs 
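Review bot: `_filtered_wan_vrfs` was moved into shared_utils/wan.py (hunk `@@ -585,6 +585,17 @@`) with its old `self: AvdStructuredConfigNetworkServices` annotation and a docstring that ends in "returns a list of mode". The annotation should be `self: SharedUtils`, and the docstring could read `"""Return the VRFs from wan_virtual_topologies.vrfs that apply to this node, always including 'default'."""`. Because `default` is always appended with `wan_vni=1`, `vrf_wan_vni("default")` can no longer return `None` on any node, so callers that use it as a "has a WAN VNI" test need their own `is_wan_router` guard. The property is also read from other classes in this commit as `self.shared_utils._filtered_wan_vrfs`; dropping the leading underscore would match that cross-class use.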
diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_adaptive_virtual_topology.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_adaptive_virtual_topology.py index cefb44732a9..99fc767f1d4 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_adaptive_virtual_topology.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_adaptive_virtual_topology.py @@ -40,7 +40,7 @@ def _cv_pathfinder_wan_vrfs(self: AvdStructuredConfigNetworkServices) -> list: # For CV Pathfinder, it is required to go through all the AVT profiles in the policy to assign an ID. wan_vrfs = [] - for vrf in self._filtered_wan_vrfs: + for vrf in self.shared_utils._filtered_wan_vrfs: wan_vrf = {"name": vrf.name, "policy": f"{vrf.policy}-WITH-CP" if vrf.name == "default" else vrf.policy, "profiles": []} # Need to allocate an ID for each profile in the policy, for now picked up from the input. diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py index f96731f7b80..fbd0c319c34 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py 
@@ -150,18 +150,19 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: continue vrf_name = vrf.name - bgp_vrf = strip_empties_from_dict( - { - "eos_cli": vrf.bgp.raw_eos_cli, - } - ) + bgp_vrf = { + "name": vrf.name, + "eos_cli": vrf.bgp.raw_eos_cli, + } if vrf.bgp.structured_config: self.custom_structured_configs.nested.router_bgp.vrfs.obtain(vrf_name)._deepmerge( vrf.bgp.structured_config, list_merge=self.custom_structured_configs.list_merge_strategy ) - if vrf_address_families := [af for af in vrf.address_families if af in self.shared_utils.overlay_address_families]: + if ( + vrf_address_families := [af for af in vrf.address_families if af in self.shared_utils.overlay_address_families] + ) or self.shared_utils.vrf_wan_vni(vrf_name) is not None: # The called function in-place updates the bgp_vrf dict. self._update_router_bgp_vrf_evpn_or_mpls_cfg(bgp_vrf, vrf, vrf_address_families) @@ -269,7 +270,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: append_if_not_duplicate( list_of_dicts=router_bgp["vrfs"], primary_key="name", - new_dict={"name": vrf_name, **bgp_vrf}, + new_dict=bgp_vrf, context="BGP VRFs defined under network services", context_keys=["name"], ) 
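Review bot: The condition `or self.shared_utils.vrf_wan_vni(vrf_name) is not None` added in hunk `@@ -150,18 +150,19 @@` of network_services/router_bgp.py is not guarded by `is_wan_router`, unlike the equivalent check in `bgp_enabled_for_vrf`. Since `_filtered_wan_vrfs` in this commit always contains `default` with `wan_vni=1`, the condition holds for VRF `default` on any node type that reaches this point, and `_update_router_bgp_vrf_evpn_or_mpls_cfg` is then called with an empty `vrf_address_families`. I would write `or (self.shared_utils.is_wan_router and self.shared_utils.vrf_wan_vni(vrf_name) is not None)`. Separately, `bgp_vrf` is no longer passed through `strip_empties_from_dict` and always carries `name`, so it can hold `eos_cli: None` and is never empty. Whether code later in `_router_bgp_vrfs` relies on an emptiness check is outside the hunk, but the intended configs later on this page gain an empty `vrf default` on non-WAN hosts, which may be related.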
@@ -287,6 +288,18 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( vrf_rt = self.get_vrf_rt(vrf) route_targets = {"import": [], "export": []} + # if "evpn" in vrf_address_families the RTs will be added + if self.shared_utils.vrf_wan_vni(bgp_vrf["name"]) and "evpn" not in vrf_address_families: + if (target := get_item(route_targets["import"], "address_family", "evpn")) is None: + route_targets["import"].append({"address_family": "evpn", "route_targets": [vrf_rt]}) + else: + target["route_targets"].append(vrf_rt) + + if (target := get_item(route_targets["export"], "address_family", "evpn")) is None: + route_targets["export"].append({"address_family": "evpn", "route_targets": [vrf_rt]}) + else: + target["route_targets"].append(vrf_rt) + for af in vrf_address_families: if (target := get_item(route_targets["import"], "address_family", af)) is None: route_targets["import"].append({"address_family": af, "route_targets": [vrf_rt]}) diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_path_selection.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_path_selection.py index 7c109bbcff7..136fca6272e 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_path_selection.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_path_selection.py @@ -35,7 +35,8 @@ def router_path_selection(self: AvdStructuredConfigNetworkServices) -> dict | No # for AutoVPN, need also vrfs and policies. if self.inputs.wan_mode == "autovpn": vrfs = [ - {"name": vrf.name, "path_selection_policy": f"{vrf.policy}-WITH-CP" if vrf.name == "default" else vrf.policy} for vrf in self._filtered_wan_vrfs + {"name": vrf.name, "path_selection_policy": f"{vrf.policy}-WITH-CP" if vrf.name == "default" else vrf.policy} + for vrf in self.shared_utils._filtered_wan_vrfs ] router_path_selection.update( 
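Review bot: In the block added by hunk `@@ -287,6 +288,18 @@`, both `get_item(...)` lookups run against `route_targets = {"import": [], "export": []}`, which is created on the line just above, so they can only return `None` and the two `else` branches appear unreachable. The block reduces to `route_targets["import"].append({"address_family": "evpn", "route_targets": [vrf_rt]})` and the same call for `"export"`. The guard also tests `self.shared_utils.vrf_wan_vni(bgp_vrf["name"])` for truthiness while the other call sites in this series use `is not None`; using `is not None` here keeps the checks consistent. `_update_router_bgp_vrf_evpn_or_mpls_cfg` continues outside the hunk.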
diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils_wan.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils_wan.py index 5a5d359b0a6..4913895ff8b 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils_wan.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils_wan.py @@ -23,19 +23,6 @@ class UtilsWanMixin: Class should only be used as Mixin to a AvdStructuredConfig class. """ - @cached_property - def _filtered_wan_vrfs(self: AvdStructuredConfigNetworkServices) -> EosDesigns.WanVirtualTopologies.Vrfs: - """Loop through all the VRFs defined under `wan_virtual_topologies.vrfs` and returns a list of mode.""" - wan_vrfs = EosDesigns.WanVirtualTopologies.Vrfs( - vrf for vrf in self.inputs.wan_virtual_topologies.vrfs if vrf.name in self.shared_utils.vrfs or self.shared_utils.is_wan_server - ) - - # Check that default is in the list as it is required everywhere - if "default" not in wan_vrfs: - wan_vrfs.append(EosDesigns.WanVirtualTopologies.VrfsItem(name="default", wan_vni=1)) - - return wan_vrfs - @cached_property def _wan_virtual_topologies_policies(self: AvdStructuredConfigNetworkServices) -> EosDesigns.WanVirtualTopologies.Policies: """This function parses the input data and append the default-policy if not already present.""" @@ -62,7 +49,7 @@ def _filtered_wan_policies(self: AvdStructuredConfigNetworkServices) -> list: filtered_policy_names = [] filtered_policies = [] - for vrf in self._filtered_wan_vrfs: + for vrf in self.shared_utils._filtered_wan_vrfs: # Need to handle VRF default differently and lookup for the original policy if vrf.policy not in self._wan_virtual_topologies_policies: msg = ( 
@@ -401,7 +388,7 @@ def _wan_control_plane_virtual_topology(self: AvdStructuredConfigNetworkServices @cached_property def _wan_control_plane_profile_name(self: AvdStructuredConfigNetworkServices) -> str: """Control plane profile name.""" - vrf_default_policy_name = self._filtered_wan_vrfs["default"].policy + vrf_default_policy_name = self.shared_utils._filtered_wan_vrfs["default"].policy return self._wan_control_plane_virtual_topology.name or f"{vrf_default_policy_name}-CONTROL-PLANE" @cached_property diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py index e73c8464cab..876384b55ed 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py @@ -91,7 +91,7 @@ def vxlan_interface(self: AvdStructuredConfigNetworkServices) -> dict | None: if self.shared_utils.is_wan_server: # loop through wan_vrfs and add VRF VNI if not present - for vrf in self._filtered_wan_vrfs: + for vrf in self.shared_utils._filtered_wan_vrfs: # Duplicate check is not done on the actual list of vlans, but instead on our local "vnis" list. # This is necessary to find duplicate VNIs across multiple object types. vrf_data = {"name": vrf.name, "vni": vrf.wan_vni} @@ -163,7 +163,7 @@ def _get_vxlan_interface_config_for_vrf( if self.shared_utils.is_wan_router: # Every VRF with EVPN on a WAN router must have a wan_vni defined. - if vrf_name not in self._filtered_wan_vrfs: + if vrf_name not in self.shared_utils._filtered_wan_vrfs: msg = ( f"The VRF '{vrf_name}' does not have a `wan_vni` defined under 'wan_virtual_topologies'. " "If this VRF was not intended to be extended over the WAN, but still required to be configured on the WAN router, " 
@@ -171,7 +171,7 @@ def _get_vxlan_interface_config_for_vrf( "use the VRF filter 'deny_vrfs' under the node settings." ) raise AristaAvdInvalidInputsError(msg) - vni = self._filtered_wan_vrfs[vrf_name].wan_vni + vni = self.shared_utils._filtered_wan_vrfs[vrf_name].wan_vni else: vni = default(vrf.vrf_vni, vrf.vrf_id) From 272590e8ba9b6afe27bfa3b65c0eb5012be3cd78 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Mon, 27 Jan 2025 11:51:53 +0100 Subject: [PATCH 18/40] Refactor: Address PR comments --- .../configs/UPLINK_P2P_VRFS_TESTS_LEAF1.cfg | 2 ++ .../configs/bgp-from-network-services-1.cfg | 2 ++ .../UPLINK_P2P_VRFS_TESTS_LEAF1.yml | 1 + .../bgp-from-network-services-1.yml | 2 ++ .../shared_utils/filtered_tenants.py | 7 ++----- .../pyavd/_eos_designs/shared_utils/wan.py | 19 +++--------------- .../metadata/cv_pathfinder.py | 13 ++++++------ .../router_adaptive_virtual_topology.py | 2 +- .../network_services/router_bgp.py | 20 ++++++------------- .../network_services/router_path_selection.py | 3 +-- .../network_services/utils_wan.py | 17 ++++++++++++++-- .../network_services/vxlan_interface.py | 6 +++--- 12 files changed, 45 insertions(+), 49 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UPLINK_P2P_VRFS_TESTS_LEAF1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UPLINK_P2P_VRFS_TESTS_LEAF1.cfg index 06544e391b2..59a25e58530 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UPLINK_P2P_VRFS_TESTS_LEAF1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UPLINK_P2P_VRFS_TESTS_LEAF1.cfg @@ -131,6 +131,8 @@ router bgp 65000 address-family ipv4 neighbor IPv4-UNDERLAY-PEERS activate ! + vrf default + ! vrf IT router-id 192.168.42.3 neighbor 10.42.42.10 peer group IPv4-UNDERLAY-PEERS 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-from-network-services-1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-from-network-services-1.cfg index 65ef2ca47ad..9aef30e2445 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-from-network-services-1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-from-network-services-1.cfg @@ -121,5 +121,7 @@ router bgp 65001 address-family ipv4 neighbor MLAG-IPv4-UNDERLAY-PEER activate neighbor 10.10.1.2 activate + ! + vrf default ! end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UPLINK_P2P_VRFS_TESTS_LEAF1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UPLINK_P2P_VRFS_TESTS_LEAF1.yml index dba4c003840..b58a71960ff 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UPLINK_P2P_VRFS_TESTS_LEAF1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UPLINK_P2P_VRFS_TESTS_LEAF1.yml @@ -186,6 +186,7 @@ router_bgp: redistribute: connected: enabled: true + - name: default service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-from-network-services-1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-from-network-services-1.yml index 207546db111..7f220501321 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-from-network-services-1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-from-network-services-1.yml 
@@ -121,6 +121,8 @@ router_bgp: neighbors: - ip_address: 10.10.1.2 activate: true + vrfs: + - name: default service_routing_protocols_model: multi-agent spanning_tree: mode: none diff --git a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py index 2700d4f3123..508e0962830 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py @@ -66,12 +66,9 @@ def filtered_tenants(self: SharedUtils) -> EosDesigns._DynamicKeys.DynamicNetwor for tenant in filtered_tenants: if "default" not in tenant.vrfs: continue - if "evpn" not in tenant.vrfs["default"].address_families: - msg = "WAN configuration requires EVPN to be enabled for VRF 'default'. Got 'address_families: {vrf_default['address_families']}." - raise AristaAvdError(msg) if self.inputs.underlay_filter_peer_as: msg = "WAN configuration is not compatible with 'underlay_filter_peer_as'" - raise AristaAvdError + raise AristaAvdError(msg) break return filtered_tenants._natural_sorted() @@ -431,9 +428,9 @@ def bgp_enabled_for_vrf(self: SharedUtils, vrf: EosDesigns._DynamicKeys.DynamicN vrf_address_families = [af for af in vrf.address_families if af in self.overlay_address_families] return any( [ - (self.is_wan_router and self.vrf_wan_vni(vrf.name) is not None), vrf_address_families, vrf.bgp_peers, (self.uplink_type == "p2p-vrfs" and vrf.name in (self.get_switch_fact("uplink_switch_vrfs", required=False) or [])), + self.is_wan_vrf(vrf.name), ] ) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/wan.py b/python-avd/pyavd/_eos_designs/shared_utils/wan.py index 63789276ae3..518957a533d 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/wan.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/wan.py 
@@ -583,19 +583,6 @@ def wan_stun_dtls_profile_name(self: SharedUtils) -> str | None: return self.inputs.wan_stun_dtls_profile_name - def vrf_wan_vni(self: SharedUtils, vrf_name: str) -> int | None: - """Returns the VRF WAN VNI or None.""" - if vrf_name not in self._filtered_wan_vrfs: - return None - return self._filtered_wan_vrfs[vrf_name].wan_vni - - @cached_property - def _filtered_wan_vrfs(self: AvdStructuredConfigNetworkServices) -> EosDesigns.WanVirtualTopologies.Vrfs: - """Loop through all the VRFs defined under `wan_virtual_topologies.vrfs` and returns a list of mode.""" - wan_vrfs = EosDesigns.WanVirtualTopologies.Vrfs(vrf for vrf in self.inputs.wan_virtual_topologies.vrfs if vrf.name in self.vrfs or self.is_wan_server) - - # Check that default is in the list as it is required everywhere - if "default" not in wan_vrfs: - wan_vrfs.append(EosDesigns.WanVirtualTopologies.VrfsItem(name="default", wan_vni=1)) - - return wan_vrfs + def is_wan_vrf(self: SharedUtils, vrf_name: str) -> int | None: + """Returns True is the VRF is a WAN VRF.""" + return all([self.is_wan_router, vrf_name in self.inputs.wan_virtual_topologies.vrfs or vrf_name == "default"]) diff --git a/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py b/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py index 824067f9fd1..15ffa97eda7 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py +++ b/python-avd/pyavd/_eos_designs/structured_config/metadata/cv_pathfinder.py 
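Review bot: `is_wan_vrf` is annotated `-> int | None` but returns the `bool` produced by `all([...])`; the annotation looks carried over from the removed `vrf_wan_vni`. I would change the signature to `def is_wan_vrf(self: SharedUtils, vrf_name: str) -> bool:` and the docstring to `"""Return True if the VRF is a WAN VRF on a WAN router."""` (the current one reads "True is"). Because `all()` is handed a list, the membership test against `wan_virtual_topologies.vrfs` is evaluated on non-WAN devices as well; `return self.is_wan_router and (vrf_name in self.inputs.wan_virtual_topologies.vrfs or vrf_name == "default")` short-circuits and reads more directly.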
@@ -204,10 +204,11 @@ def _metadata_vrfs(self: AvdStructuredConfigMetadata) -> list: return strip_empties_from_list(metadata_vrfs) def _get_vni_for_vrf_name(self: AvdStructuredConfigMetadata, vrf_name: str) -> int: - if (wan_vni := self.shared_utils.vrf_wan_vni(vrf_name)) is not None: - return wan_vni - if vrf_name == "default": - return 1 + if vrf_name not in self.inputs.wan_virtual_topologies.vrfs or (wan_vni := self.inputs.wan_virtual_topologies.vrfs[vrf_name].wan_vni) is None: + if vrf_name == "default": + return 1 - msg = f"Unable to find the WAN VNI for VRF {vrf_name} during generation of cv_pathfinder metadata." - raise AristaAvdError(msg) + msg = f"Unable to find the WAN VNI for VRF {vrf_name} during generation of cv_pathfinder metadata." + raise AristaAvdError(msg) + + return wan_vni diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_adaptive_virtual_topology.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_adaptive_virtual_topology.py index 99fc767f1d4..cefb44732a9 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_adaptive_virtual_topology.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_adaptive_virtual_topology.py @@ -40,7 +40,7 @@ def _cv_pathfinder_wan_vrfs(self: AvdStructuredConfigNetworkServices) -> list: # For CV Pathfinder, it is required to go through all the AVT profiles in the policy to assign an ID. wan_vrfs = [] - for vrf in self.shared_utils._filtered_wan_vrfs: + for vrf in self._filtered_wan_vrfs: wan_vrf = {"name": vrf.name, "policy": f"{vrf.policy}-WITH-CP" if vrf.name == "default" else vrf.policy, "profiles": []} # Need to allocate an ID for each profile in the policy, for now picked up from the input. diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py index fbd0c319c34..5e2ff2049ee 100644 
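Review bot: The `return 1` fallback for VRF `default` in `_get_vni_for_vrf_name` duplicates the default WAN VNI that `_filtered_wan_vrfs` sets with `VrfsItem(name="default", wan_vni=1)`, so the metadata and the VXLAN/AVT configuration can drift apart if one of the two is changed; a single shared constant would keep them aligned. The combined condition also binds `wan_vni` through a walrus that only runs when the membership test passes, which is correct here but easy to break on a later edit; two guard clauses (not listed, then `wan_vni is None`) would be clearer. The method has no docstring; I would add `"""Return the WAN VNI for the VRF, using 1 for VRF default when none is configured; raise AristaAvdError otherwise."""`.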
--- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py @@ -161,8 +161,8 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: ) if ( - vrf_address_families := [af for af in vrf.address_families if af in self.shared_utils.overlay_address_families] - ) or self.shared_utils.vrf_wan_vni(vrf_name) is not None: + vrf_address_families := {af for af in vrf.address_families if af in self.shared_utils.overlay_address_families} + ) or self.shared_utils.is_wan_vrf(vrf_name): # The called function in-place updates the bgp_vrf dict. self._update_router_bgp_vrf_evpn_or_mpls_cfg(bgp_vrf, vrf, vrf_address_families) @@ -280,7 +280,7 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( self: AvdStructuredConfigNetworkServices, bgp_vrf: dict, vrf: EosDesigns._DynamicKeys.DynamicNetworkServicesItem.NetworkServicesItem.VrfsItem, - vrf_address_families: list[str], + vrf_address_families: set[str], ) -> None: """In-place update EVPN/MPLS part of structured config for *one* VRF under router_bgp.vrfs.""" vrf_name = vrf.name 
@@ -288,17 +288,9 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( vrf_rt = self.get_vrf_rt(vrf) route_targets = {"import": [], "export": []} - # if "evpn" in vrf_address_families the RTs will be added - if self.shared_utils.vrf_wan_vni(bgp_vrf["name"]) and "evpn" not in vrf_address_families: - if (target := get_item(route_targets["import"], "address_family", "evpn")) is None: - route_targets["import"].append({"address_family": "evpn", "route_targets": [vrf_rt]}) - else: - target["route_targets"].append(vrf_rt) - - if (target := get_item(route_targets["export"], "address_family", "evpn")) is None: - route_targets["export"].append({"address_family": "evpn", "route_targets": [vrf_rt]}) - else: - target["route_targets"].append(vrf_rt) + # If the VRF is a WAN VRF, EVPN RTs are needed. + if self.shared_utils.is_wan_vrf(vrf.name): + vrf_address_families.add("evpn") for af in vrf_address_families: if (target := get_item(route_targets["import"], "address_family", af)) is None: diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_path_selection.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_path_selection.py index 136fca6272e..7c109bbcff7 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_path_selection.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_path_selection.py @@ -35,8 +35,7 @@ def router_path_selection(self: AvdStructuredConfigNetworkServices) -> dict | No # for AutoVPN, need also vrfs and policies. if self.inputs.wan_mode == "autovpn": vrfs = [ - {"name": vrf.name, "path_selection_policy": f"{vrf.policy}-WITH-CP" if vrf.name == "default" else vrf.policy} - for vrf in self.shared_utils._filtered_wan_vrfs + {"name": vrf.name, "path_selection_policy": f"{vrf.policy}-WITH-CP" if vrf.name == "default" else vrf.policy} for vrf in self._filtered_wan_vrfs ] router_path_selection.update( 
diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils_wan.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils_wan.py index 4913895ff8b..5a5d359b0a6 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils_wan.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils_wan.py @@ -23,6 +23,19 @@ class UtilsWanMixin: Class should only be used as Mixin to a AvdStructuredConfig class. """ + @cached_property + def _filtered_wan_vrfs(self: AvdStructuredConfigNetworkServices) -> EosDesigns.WanVirtualTopologies.Vrfs: + """Loop through all the VRFs defined under `wan_virtual_topologies.vrfs` and returns a list of mode.""" + wan_vrfs = EosDesigns.WanVirtualTopologies.Vrfs( + vrf for vrf in self.inputs.wan_virtual_topologies.vrfs if vrf.name in self.shared_utils.vrfs or self.shared_utils.is_wan_server + ) + + # Check that default is in the list as it is required everywhere + if "default" not in wan_vrfs: + wan_vrfs.append(EosDesigns.WanVirtualTopologies.VrfsItem(name="default", wan_vni=1)) + + return wan_vrfs + @cached_property def _wan_virtual_topologies_policies(self: AvdStructuredConfigNetworkServices) -> EosDesigns.WanVirtualTopologies.Policies: """This function parses the input data and append the default-policy if not already present.""" @@ -49,7 +62,7 @@ def _filtered_wan_policies(self: AvdStructuredConfigNetworkServices) -> list: filtered_policy_names = [] filtered_policies = [] - for vrf in self.shared_utils._filtered_wan_vrfs: + for vrf in self._filtered_wan_vrfs: # Need to handle VRF default differently and lookup for the original policy if vrf.policy not in self._wan_virtual_topologies_policies: msg = ( 
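Review bot: The docstring on the re-added `_filtered_wan_vrfs` ("returns a list of mode") does not describe what the property does. From the code it keeps the entries of `wan_virtual_topologies.vrfs` whose name is in `shared_utils.vrfs` (all entries on a WAN server) and appends VRF `default` with `wan_vni=1` when it is missing. I would replace it with `"""Return the WAN VRFs configured on this device (all of them on a WAN server), adding VRF default with wan_vni 1 if it is not listed."""`.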
@@ -388,7 +401,7 @@ def _wan_control_plane_virtual_topology(self: AvdStructuredConfigNetworkServices @cached_property def _wan_control_plane_profile_name(self: AvdStructuredConfigNetworkServices) -> str: """Control plane profile name.""" - vrf_default_policy_name = self.shared_utils._filtered_wan_vrfs["default"].policy + vrf_default_policy_name = self._filtered_wan_vrfs["default"].policy return self._wan_control_plane_virtual_topology.name or f"{vrf_default_policy_name}-CONTROL-PLANE" @cached_property diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py index 876384b55ed..e73c8464cab 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py @@ -91,7 +91,7 @@ def vxlan_interface(self: AvdStructuredConfigNetworkServices) -> dict | None: if self.shared_utils.is_wan_server: # loop through wan_vrfs and add VRF VNI if not present - for vrf in self.shared_utils._filtered_wan_vrfs: + for vrf in self._filtered_wan_vrfs: # Duplicate check is not done on the actual list of vlans, but instead on our local "vnis" list. # This is necessary to find duplicate VNIs across multiple object types. vrf_data = {"name": vrf.name, "vni": vrf.wan_vni} @@ -163,7 +163,7 @@ def _get_vxlan_interface_config_for_vrf( if self.shared_utils.is_wan_router: # Every VRF with EVPN on a WAN router must have a wan_vni defined. - if vrf_name not in self.shared_utils._filtered_wan_vrfs: + if vrf_name not in self._filtered_wan_vrfs: msg = ( f"The VRF '{vrf_name}' does not have a `wan_vni` defined under 'wan_virtual_topologies'. " "If this VRF was not intended to be extended over the WAN, but still required to be configured on the WAN router, " 
@@ -171,7 +171,7 @@ def _get_vxlan_interface_config_for_vrf( "use the VRF filter 'deny_vrfs' under the node settings." ) raise AristaAvdInvalidInputsError(msg) - vni = self.shared_utils._filtered_wan_vrfs[vrf_name].wan_vni + vni = self._filtered_wan_vrfs[vrf_name].wan_vni else: vni = default(vrf.vrf_vni, vrf.vrf_id) From 453fcc6e173d3496db5451fc016b5d4f41c0e731 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Mon, 27 Jan 2025 12:12:49 +0100 Subject: [PATCH 19/40] Refactor: Fix wrong logic for VRF default --- .../configs/UPLINK_P2P_VRFS_TESTS_LEAF1.cfg | 2 - .../configs/bgp-from-network-services-1.cfg | 2 - .../UPLINK_P2P_VRFS_TESTS_LEAF1.yml | 1 - .../bgp-from-network-services-1.yml | 2 - .../network_services/router_bgp.py | 39 ++++++++----------- 5 files changed, 17 insertions(+), 29 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UPLINK_P2P_VRFS_TESTS_LEAF1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UPLINK_P2P_VRFS_TESTS_LEAF1.cfg index 59a25e58530..06544e391b2 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UPLINK_P2P_VRFS_TESTS_LEAF1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UPLINK_P2P_VRFS_TESTS_LEAF1.cfg @@ -131,8 +131,6 @@ router bgp 65000 address-family ipv4 neighbor IPv4-UNDERLAY-PEERS activate ! - vrf default - ! vrf IT router-id 192.168.42.3 neighbor 10.42.42.10 peer group IPv4-UNDERLAY-PEERS diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-from-network-services-1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-from-network-services-1.cfg index 9aef30e2445..65ef2ca47ad 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-from-network-services-1.cfg 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-from-network-services-1.cfg @@ -121,7 +121,5 @@ router bgp 65001 address-family ipv4 neighbor MLAG-IPv4-UNDERLAY-PEER activate neighbor 10.10.1.2 activate - ! - vrf default ! end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UPLINK_P2P_VRFS_TESTS_LEAF1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UPLINK_P2P_VRFS_TESTS_LEAF1.yml index b58a71960ff..dba4c003840 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UPLINK_P2P_VRFS_TESTS_LEAF1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UPLINK_P2P_VRFS_TESTS_LEAF1.yml @@ -186,7 +186,6 @@ router_bgp: redistribute: connected: enabled: true - - name: default service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-from-network-services-1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-from-network-services-1.yml index 7f220501321..207546db111 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-from-network-services-1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-from-network-services-1.yml @@ -121,8 +121,6 @@ router_bgp: neighbors: - ip_address: 10.10.1.2 activate: true - vrfs: - - name: default service_routing_protocols_model: multi-agent spanning_tree: mode: none diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py index 5e2ff2049ee..6cf2ea9b56f 100644 
--- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py @@ -149,24 +149,24 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: if not self.shared_utils.bgp_enabled_for_vrf(vrf): continue - vrf_name = vrf.name - bgp_vrf = { - "name": vrf.name, - "eos_cli": vrf.bgp.raw_eos_cli, - } + bgp_vrf = strip_empties_from_dict({"eos_cli": vrf.bgp.raw_eos_cli}) if vrf.bgp.structured_config: - self.custom_structured_configs.nested.router_bgp.vrfs.obtain(vrf_name)._deepmerge( + self.custom_structured_configs.nested.router_bgp.vrfs.obtain(vrf.name)._deepmerge( vrf.bgp.structured_config, list_merge=self.custom_structured_configs.list_merge_strategy ) - if ( - vrf_address_families := {af for af in vrf.address_families if af in self.shared_utils.overlay_address_families} - ) or self.shared_utils.is_wan_vrf(vrf_name): + + vrf_address_families = {af for af in vrf.address_families if af in self.shared_utils.overlay_address_families} + if self.shared_utils.is_wan_vrf(vrf.name): + # If the VRF is a WAN VRF, EVPN RTs are needed. + vrf_address_families.add("evpn") + + if vrf_address_families: # The called function in-place updates the bgp_vrf dict. self._update_router_bgp_vrf_evpn_or_mpls_cfg(bgp_vrf, vrf, vrf_address_families) - if vrf_name != "default": + if vrf.name != "default": bgp_vrf["router_id"] = self.get_vrf_router_id(vrf, vrf.bgp.router_id, tenant.name) if vrf.redistribute_connected: 
@@ -176,7 +176,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: if vrf.redistribute_static or (vrf.static_routes and vrf.redistribute_static is None): bgp_vrf["redistribute"].update({"static": {"enabled": True}}) - if self.shared_utils.inband_mgmt_vrf == vrf_name and self.shared_utils.inband_management_parent_vlans: + if self.shared_utils.inband_mgmt_vrf == vrf.name and self.shared_utils.inband_management_parent_vlans: bgp_vrf["redistribute"].update({"attached_host": {"enabled": True}}) else: @@ -187,7 +187,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: append_if_not_duplicate( list_of_dicts=router_bgp["vrfs"], primary_key="name", - new_dict={"name": vrf_name, **bgp_vrf}, + new_dict={"name": vrf.name, **bgp_vrf}, context="BGP VRFs defined under network services", context_keys=["name"], ) @@ -229,7 +229,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: ) if bgp_peer.set_ipv4_next_hop or bgp_peer.set_ipv6_next_hop: - route_map = f"RM-{vrf_name}-{peer_ip}-SET-NEXT-HOP-OUT" + route_map = f"RM-{vrf.name}-{peer_ip}-SET-NEXT-HOP-OUT" bgp_peer_dict["route_map_out"] = route_map if bgp_peer_dict.get("default_originate") is not None: bgp_peer_dict["default_originate"].setdefault("route_map", route_map) @@ -263,14 +263,14 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: if not bgp_vrf: continue - if vrf_name == "default": + if vrf.name == "default": # VRF default is added directly under router_bgp router_bgp.update(bgp_vrf) else: append_if_not_duplicate( list_of_dicts=router_bgp["vrfs"], primary_key="name", - new_dict=bgp_vrf, + new_dict={"name": vrf.name, **bgp_vrf}, context="BGP VRFs defined under network services", context_keys=["name"], ) 
@@ -283,15 +283,10 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( vrf_address_families: set[str], ) -> None: """In-place update EVPN/MPLS part of structured config for *one* VRF under router_bgp.vrfs.""" - vrf_name = vrf.name bgp_vrf["rd"] = self.get_vrf_rd(vrf) vrf_rt = self.get_vrf_rt(vrf) route_targets = {"import": [], "export": []} - # If the VRF is a WAN VRF, EVPN RTs are needed. - if self.shared_utils.is_wan_vrf(vrf.name): - vrf_address_families.add("evpn") - for af in vrf_address_families: if (target := get_item(route_targets["import"], "address_family", af)) is None: route_targets["import"].append({"address_family": af, "route_targets": [vrf_rt]}) @@ -311,7 +306,7 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( else: target["route_targets"].append(rt.route_target) - if vrf_name == "default" and self._vrf_default_evpn and self._route_maps_vrf_default: + if vrf.name == "default" and self._vrf_default_evpn and self._route_maps_vrf_default: # Special handling of vrf default with evpn. if (target := get_item(route_targets["export"], "address_family", "evpn")) is None: @@ -322,7 +317,7 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( bgp_vrf["route_targets"] = route_targets # VRF default - if vrf_name == "default": + if vrf.name == "default": return # Not VRF default From 81152fd4cbb24220ff2bd3b18ea243af44f154ff Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 27 Jan 2025 11:16:08 +0000 Subject: [PATCH 20/40] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .../structured_config/network_services/router_bgp.py | 1 - 1 file changed, 1 deletion(-) diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py index 6cf2ea9b56f..0f7e0211716 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py 
+++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py @@ -156,7 +156,6 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: vrf.bgp.structured_config, list_merge=self.custom_structured_configs.list_merge_strategy ) - vrf_address_families = {af for af in vrf.address_families if af in self.shared_utils.overlay_address_families} if self.shared_utils.is_wan_vrf(vrf.name): # If the VRF is a WAN VRF, EVPN RTs are needed. From 5341ba1c71dabff8549e96d9cbfb7191804738a2 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Mon, 27 Jan 2025 14:36:03 +0100 Subject: [PATCH 21/40] Refactor: Sort the set for idempotency --- .../structured_config/network_services/router_bgp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py index 0f7e0211716..d86dbeaeef8 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py @@ -286,7 +286,7 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( vrf_rt = self.get_vrf_rt(vrf) route_targets = {"import": [], "export": []} - for af in vrf_address_families: + for af in sorted(vrf_address_families): if (target := get_item(route_targets["import"], "address_family", af)) is None: route_targets["import"].append({"address_family": af, "route_targets": [vrf_rt]}) else: From 9cd0a43469b0e9d6855eef07da901e6cb2218307 Mon Sep 17 00:00:00 2001 
From: gmuloc Date: Mon, 27 Jan 2025 14:38:56 +0100 Subject: [PATCH 22/40] Test: Change test input after refactoring --- .../inventory/group_vars/CV_PATHFINDER_TESTS.yml | 2 -- .../inventory/group_vars/CV_PATHFINDER_TESTS_LEAFS.yml | 3 --- 2 files changed, 5 deletions(-) delete mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS_LEAFS.yml diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index 6d192a38534..d588151d191 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -4,8 +4,6 @@ wan_mode: cv-pathfinder # Have all the router in the examples use eBGP as underlay routing protocol - # the default is "none" for WAN routers" underlay_routing_protocol: ebgp -# the default is currently ibgp for WAN routers but need to change it soon. -overlay_routing_protocol: none ipv4_prefix_list_catalog: - name: ALLOW-DEFAULT diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS_LEAFS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS_LEAFS.yml deleted file mode 100644 index 0f8919e10ed..00000000000 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS_LEAFS.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -# Setting back to ebgp for Leaves -overlay_routing_protocol: ebgp From 4851a13f9c96cac812079635389d262ece4fe6a9 Mon Sep 17 00:00:00 2001 
From: gmuloc Date: Tue, 28 Jan 2025 11:27:42 +0100 Subject: [PATCH 23/40] WIP --- .../pyavd/_eos_designs/shared_utils/wan.py | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/wan.py b/python-avd/pyavd/_eos_designs/shared_utils/wan.py index 518957a533d..bca1229aa44 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/wan.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/wan.py @@ -583,6 +583,24 @@ def wan_stun_dtls_profile_name(self: SharedUtils) -> str | None: return self.inputs.wan_stun_dtls_profile_name - def is_wan_vrf(self: SharedUtils, vrf_name: str) -> int | None: + def is_wan_vrf(self: SharedUtils, vrf) -> bool: """Returns True is the VRF is a WAN VRF.""" - return all([self.is_wan_router, vrf_name in self.inputs.wan_virtual_topologies.vrfs or vrf_name == "default"]) + # TODO: check need to also look at the address_families if new knob is unset + # if new knob is set the implemenetation is enough and will be able to signal later + # using extension mechanism. + # TODO: need to receive the VrfItem object from NetworkServices to decide on this + vrf_name = vrf.name + if not self.is_wan_router: + return False + + if not (vrf_name in self.inputs.wan_virtual_topologies.vrfs or vrf_name == "default"): + if not self.inputs.wan_use_evpn_node_settings_for_lan: + # need to check address families + if "evpn" in vrf.address_families: + raise AristaAvdInvalidInputsError("TODO") + return False + # TODO: check for new signal as we may need to raise + return False + + # TODO: check for new signal + return True From 6e71074e7ea661ba07e75ebcb8140a608aba88a9 Mon Sep 17 00:00:00 2001 
From: Claus Holbech Date: Tue, 28 Jan 2025 11:56:24 +0100 Subject: [PATCH 24/40] is_wan_vrf --- .../shared_utils/filtered_tenants.py | 2 +- .../pyavd/_eos_designs/shared_utils/wan.py | 29 +++++++++---------- .../network_services/router_bgp.py | 2 +- .../network_services/vxlan_interface.py | 16 ++-------- 4 files changed, 17 insertions(+), 32 deletions(-) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py index 508e0962830..b712ce741cf 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py @@ -431,6 +431,6 @@ def bgp_enabled_for_vrf(self: SharedUtils, vrf: EosDesigns._DynamicKeys.DynamicN vrf_address_families, vrf.bgp_peers, (self.uplink_type == "p2p-vrfs" and vrf.name in (self.get_switch_fact("uplink_switch_vrfs", required=False) or [])), - self.is_wan_vrf(vrf.name), + self.is_wan_vrf(vrf), ] ) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/wan.py b/python-avd/pyavd/_eos_designs/shared_utils/wan.py index bca1229aa44..17109572536 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/wan.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/wan.py 
@@ -583,24 +583,21 @@ def wan_stun_dtls_profile_name(self: SharedUtils) -> str | None: return self.inputs.wan_stun_dtls_profile_name - def is_wan_vrf(self: SharedUtils, vrf) -> bool: + def is_wan_vrf(self: SharedUtils, vrf: EosDesigns._DynamicKeys.DynamicNetworkServicesItem.NetworkServicesItem.VrfsItem) -> bool: """Returns True is the VRF is a WAN VRF.""" - # TODO: check need to also look at the address_families if new knob is unset - # if new knob is set the implemenetation is enough and will be able to signal later - # using extension mechanism. - # TODO: need to receive the VrfItem object from NetworkServices to decide on this - vrf_name = vrf.name if not self.is_wan_router: return False - if not (vrf_name in self.inputs.wan_virtual_topologies.vrfs or vrf_name == "default"): - if not self.inputs.wan_use_evpn_node_settings_for_lan: - # need to check address families - if "evpn" in vrf.address_families: - raise AristaAvdInvalidInputsError("TODO") - return False - # TODO: check for new signal as we may need to raise - return False + configured_as_wan_vrf = vrf.name in self.inputs.wan_virtual_topologies.vrfs or vrf.name == "default" + + # Old behavior where we rely on address_families. + if not self.inputs.wan_use_evpn_node_settings_for_lan and "evpn" in vrf.address_families and not configured_as_wan_vrf: + msg = ( + f"The VRF '{vrf.name}' does not have a `wan_vni` defined under 'wan_virtual_topologies'. " + "If this VRF was not intended to be extended over the WAN, but still required to be configured on the WAN router, " + "set 'address_families: []' under the VRF definition. If this VRF was not intended to be configured on the WAN router, " + "use the VRF filter 'deny_vrfs' under the node settings." + ) + raise AristaAvdInvalidInputsError(msg) - # TODO: check for new signal - return True + return configured_as_wan_vrf 
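Review bot: The docstring still reads `Returns True is the VRF is a WAN VRF.` and does not mention the new exception. The function now raises AristaAvdInvalidInputsError for an EVPN-enabled VRF that is not listed under `wan_virtual_topologies` while `wan_use_evpn_node_settings_for_lan` is unset. I would document it as `"""Return True if the VRF is a WAN VRF; raise AristaAvdInvalidInputsError for an EVPN-enabled, non-WAN VRF when wan_use_evpn_node_settings_for_lan is unset."""`. The comment `# Old behavior where we rely on address_families.` would read better as `# Knob unset: reject an EVPN-enabled VRF that has no explicit entry under wan_virtual_topologies.`, since that is the check keeping a VRF from being set up on the WAN router without a WAN mapping. Whether AristaAvdInvalidInputsError and EosDesigns are imported in wan.py is not visible from the hunk.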
diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py index d86dbeaeef8..c2c4adbed82 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py @@ -157,7 +157,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: ) vrf_address_families = {af for af in vrf.address_families if af in self.shared_utils.overlay_address_families} - if self.shared_utils.is_wan_vrf(vrf.name): + if self.shared_utils.is_wan_vrf(vrf): # If the VRF is a WAN VRF, EVPN RTs are needed. vrf_address_families.add("evpn") diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py index e73c8464cab..7b30edad9c9 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py 
@@ -158,22 +158,10 @@ def _get_vxlan_interface_config_for_vrf( vrf_name = vrf.name # Only configure VNI for VRF if the VRF is EVPN enabled - if "evpn" not in vrf.address_families: + if "evpn" not in vrf.address_families and not (is_wan_vrf := self.shared_utils.is_wan_vrf(vrf)): return - if self.shared_utils.is_wan_router: - # Every VRF with EVPN on a WAN router must have a wan_vni defined. - if vrf_name not in self._filtered_wan_vrfs: - msg = ( - f"The VRF '{vrf_name}' does not have a `wan_vni` defined under 'wan_virtual_topologies'. " - "If this VRF was not intended to be extended over the WAN, but still required to be configured on the WAN router, " - "set 'address_families: []' under the VRF definition. If this VRF was not intended to be configured on the WAN router, " - "use the VRF filter 'deny_vrfs' under the node settings." - ) - raise AristaAvdInvalidInputsError(msg) - vni = self._filtered_wan_vrfs[vrf_name].wan_vni - else: - vni = default(vrf.vrf_vni, vrf.vrf_id) + vni = self._filtered_wan_vrfs[vrf_name].wan_vni if is_wan_vrf else default(vrf.vrf_vni, vrf.vrf_id) if vni is None: # Silently ignore if we cannot set a VNI From c43d6252638f3e47a7e300c082fdca7e7b41e1b8 Mon Sep 17 00:00:00 2001 From: Guillaume Mulocher Date: Tue, 28 Jan 2025 12:00:33 +0100 Subject: [PATCH 25/40] Update python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py --- python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py | 1 - 1 file changed, 1 deletion(-) diff --git a/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py b/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py index 3a118cc6067..76bfc7b2845 100644 --- a/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py +++ b/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py 
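Review bot: `is_wan_vrf` is bound only when the left side of the `and` is true, so for any VRF with "evpn" in `address_families` the walrus expression is skipped. The following `vni = ... if is_wan_vrf else ...` line then raises UnboundLocalError. The short-circuit also means `is_wan_vrf()`, which now carries the missing-`wan_vni` validation removed from this function, is not called on this path for exactly the EVPN-enabled VRFs it is meant to check. Bind it before the condition: `is_wan_vrf = self.shared_utils.is_wan_vrf(vrf)` followed by `if "evpn" not in vrf.address_families and not is_wan_vrf:`. The function starts and continues outside the hunk.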
@@ -64,7 +64,6 @@ def overlay(self: EosDesignsFacts) -> dict | None: @cached_property def vtep_ip(self: EosDesignsFacts) -> str | None: """Exposed in avd_switch_facts.""" - # TODO: Probably need to handle this differently for WAN router - maybe `dps_ip` is needed. if self.shared_utils.vtep or self.shared_utils.is_wan_router: return self.shared_utils.vtep_ip return None From 46d519f51ba40e8fff2125e361cc0c5f7bf480e0 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Tue, 28 Jan 2025 16:13:24 +0100 Subject: [PATCH 26/40] Test: Add tests to validate absence of address families with and without knob --- .../intended/configs/autovpn-edge.cfg | 14 +++++ .../intended/configs/autovpn-rr1.cfg | 4 ++ .../intended/configs/autovpn-rr2.cfg | 4 ++ ...cv-pathfinder-edge-wan-use-evpn-on-lan.cfg | 20 ++++++ .../configs/cv-pathfinder-pathfinder.cfg | 8 +++ .../configs/cv-pathfinder-pathfinder1.cfg | 8 +++ .../configs/cv-pathfinder-pathfinder2.cfg | 8 +++ .../configs/leaf-wan-use-evpn-on-lan.cfg | 6 ++ .../structured_configs/autovpn-edge.yml | 22 +++++++ .../structured_configs/autovpn-rr1.yml | 4 ++ .../structured_configs/autovpn-rr2.yml | 4 ++ ...cv-pathfinder-edge-wan-use-evpn-on-lan.yml | 32 ++++++++++ .../cv-pathfinder-pathfinder.yml | 63 +++++++++++++++++++ .../cv-pathfinder-pathfinder1.yml | 63 +++++++++++++++++++ .../cv-pathfinder-pathfinder2.yml | 63 +++++++++++++++++++ .../leaf-wan-use-evpn-on-lan.yml | 6 ++ .../inventory/group_vars/AUTOVPN_TESTS.yml | 12 +++- .../group_vars/CV_PATHFINDER_TESTS.yml | 15 +++++ ...cv-pathfinder-edge-wan-use-evpn-on-lan.yml | 2 +- .../host_vars/leaf-wan-use-evpn-on-lan.yml | 2 +- .../network_services/vxlan_interface.py | 3 +- 21 files changed, 359 insertions(+), 4 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg index daf7e66fb6b..2bb27fc9b66 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg @@ -83,6 +83,9 @@ router path-selection ! vrf PROD path-selection-policy PROD-AUTOVPN-POLICY + ! + vrf WAN-VRF-NO-AF + path-selection-policy PROD-AUTOVPN-POLICY ! spanning-tree mode none ! @@ -92,6 +95,8 @@ vrf instance MGMT ! vrf instance PROD ! +vrf instance WAN-VRF-NO-AF +! management api http-commands protocol https no shutdown @@ -146,6 +151,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! @@ -168,6 +174,7 @@ ip routing ip routing vrf IT no ip routing vrf MGMT ip routing vrf PROD +ip routing vrf WAN-VRF-NO-AF ! ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.30.1:0 ! @@ -238,6 +245,13 @@ router bgp 65000 route-target export evpn 42:42 router-id 192.168.30.1 redistribute connected + ! + vrf WAN-VRF-NO-AF + rd 192.168.30.1:200 + route-target import evpn 200:200 + route-target export evpn 200:200 + router-id 192.168.30.1 + redistribute connected ! stun client diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg index 81ad7865faf..7221d6f48d0 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg @@ -74,6 +74,9 @@ router path-selection ! vrf PROD path-selection-policy PROD-AUTOVPN-POLICY + ! + vrf WAN-VRF-NO-AF + path-selection-policy PROD-AUTOVPN-POLICY ! platform sfe data-plane cpu allocation maximum 2 ! 
@@ -126,6 +129,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg index 84941e98c10..d9470065bbf 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg @@ -74,6 +74,9 @@ router path-selection ! vrf PROD path-selection-policy PROD-AUTOVPN-POLICY + ! + vrf WAN-VRF-NO-AF + path-selection-policy PROD-AUTOVPN-POLICY ! platform sfe data-plane cpu allocation maximum 2 ! @@ -125,6 +128,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg index 94d64494f06..be458b77581 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg @@ -75,6 +75,12 @@ router adaptive-virtual-topology avt profile PROD-AVT-POLICY-DEFAULT id 1 avt profile PROD-AVT-POLICY-VOICE id 2 avt profile PROD-AVT-POLICY-VIDEO id 4 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 ! router path-selection tcp mss ceiling ipv4 ingress 
@@ -119,6 +125,10 @@ vrf instance MGMT ! vrf instance PROD ! +vrf instance VRF-NO-AF-NO-WAN +! +vrf instance WAN-VRF-NO-AF +! management api http-commands protocol https no shutdown @@ -194,6 +204,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! @@ -246,6 +257,8 @@ application traffic recognition ip routing no ip routing vrf MGMT ip routing vrf PROD +ip routing vrf VRF-NO-AF-NO-WAN +ip routing vrf WAN-VRF-NO-AF ! ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.12:12 ! @@ -332,6 +345,13 @@ router bgp 65000 route-target export evpn 142:142 router-id 192.168.42.12 redistribute connected + ! + vrf WAN-VRF-NO-AF + rd 192.168.42.12:200 + route-target import evpn 200:200 + route-target export evpn 200:200 + router-id 192.168.42.12 + redistribute connected ! router traffic-engineering ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg index a010e84d82f..b38ece45826 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg @@ -123,6 +123,13 @@ router adaptive-virtual-topology avt policy TRANSIT-AVT-POLICY avt profile TRANSIT-AVT-POLICY-DEFAULT id 1 avt profile CUSTOM-VOICE-PROFILE-NAME id 42 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + avt profile PROD-AVT-POLICY-MPLS-ONLY id 5 ! router path-selection peer dynamic source stun 
@@ -286,6 +293,7 @@ interface Vxlan1 vxlan vrf IT vni 100 vxlan vrf PROD vni 42 vxlan vrf TRANSIT vni 66 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg index a722345ab23..00ec610112f 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg @@ -123,6 +123,13 @@ router adaptive-virtual-topology avt policy TRANSIT-AVT-POLICY avt profile TRANSIT-AVT-POLICY-DEFAULT id 1 avt profile CUSTOM-VOICE-PROFILE-NAME id 42 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + avt profile PROD-AVT-POLICY-MPLS-ONLY id 5 ! router path-selection peer dynamic source stun @@ -277,6 +284,7 @@ interface Vxlan1 vxlan vrf IT vni 100 vxlan vrf PROD vni 42 vxlan vrf TRANSIT vni 66 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg index f5cef9139e2..e77c6f227a2 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg 
@@ -123,6 +123,13 @@ router adaptive-virtual-topology avt policy TRANSIT-AVT-POLICY avt profile TRANSIT-AVT-POLICY-DEFAULT id 1 avt profile CUSTOM-VOICE-PROFILE-NAME id 42 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + avt profile PROD-AVT-POLICY-MPLS-ONLY id 5 ! router path-selection peer dynamic source stun @@ -290,6 +297,7 @@ interface Vxlan1 vxlan vrf IT vni 100 vxlan vrf PROD vni 42 vxlan vrf TRANSIT vni 66 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg index 4212e2ce6fc..261d54cca1f 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg @@ -30,6 +30,10 @@ vrf instance MGMT ! vrf instance PROD ! +vrf instance VRF-NO-AF-NO-WAN +! +vrf instance WAN-VRF-NO-AF +! management api http-commands protocol https no shutdown @@ -92,6 +96,8 @@ ip routing vrf ATTRACTED-VRF-FROM-UPLINK ip routing vrf IT no ip routing vrf MGMT ip routing vrf PROD +ip routing vrf VRF-NO-AF-NO-WAN +ip routing vrf WAN-VRF-NO-AF ! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.45.0/24 eq 32 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml index ed8e46e9298..e5b5e4441fa 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml @@ -224,6 +224,21 @@ router_bgp: redistribute: connected: enabled: true + - name: WAN-VRF-NO-AF + rd: 192.168.30.1:200 + route_targets: + import: + - address_family: evpn + route_targets: + - 200:200 + export: + - address_family: evpn + route_targets: + - 200:200 + router_id: 192.168.30.1 + redistribute: + connected: + enabled: true router_path_selection: path_groups: - name: INET @@ -297,6 +312,8 @@ router_path_selection: path_selection_policy: DEFAULT-AUTOVPN-POLICY-WITH-CP - name: PROD path_selection_policy: PROD-AUTOVPN-POLICY + - name: WAN-VRF-NO-AF + path_selection_policy: PROD-AUTOVPN-POLICY tcp_mss_ceiling: ipv4_segment_size: auto service_routing_protocols_model: multi-agent @@ -319,6 +336,9 @@ vrfs: - name: PROD ip_routing: true tenant: TenantA +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantA vxlan_interface: vxlan1: description: autovpn-edge_VTEP @@ -330,3 +350,5 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml index 3ab9e3d94e5..52a092d8e9a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml @@ -271,6 +271,8 @@ router_path_selection: path_selection_policy: DEFAULT-AUTOVPN-POLICY-WITH-CP - name: PROD path_selection_policy: PROD-AUTOVPN-POLICY + - name: WAN-VRF-NO-AF + path_selection_policy: PROD-AUTOVPN-POLICY tcp_mss_ceiling: ipv4_segment_size: auto service_routing_protocols_model: multi-agent @@ -295,3 +297,5 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: WAN-VRF-NO-AF + vni: 200 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml index 35550cae94a..1e3112d0a98 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml @@ -270,6 +270,8 @@ router_path_selection: path_selection_policy: DEFAULT-AUTOVPN-POLICY-WITH-CP - name: PROD path_selection_policy: PROD-AUTOVPN-POLICY + - name: WAN-VRF-NO-AF + path_selection_policy: PROD-AUTOVPN-POLICY tcp_mss_ceiling: ipv4_segment_size: auto service_routing_protocols_model: multi-agent @@ -297,3 +299,5 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml index ec42b88ba78..f6bb8349cc5 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml @@ -297,6 +297,15 @@ router_adaptive_virtual_topology: id: 4 - name: PROD-AVT-POLICY-DEFAULT id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 router_bfd: multihop: interval: 300 
@@ -414,6 +423,21 @@ router_bgp: redistribute: connected: enabled: true + - name: WAN-VRF-NO-AF + rd: 192.168.42.12:200 + route_targets: + import: + - address_family: evpn + route_targets: + - 200:200 + export: + - address_family: evpn + route_targets: + - 200:200 + router_id: 192.168.42.12 + redistribute: + connected: + enabled: true router_path_selection: path_groups: - name: INET @@ -480,6 +504,12 @@ vrfs: - name: PROD ip_routing: true tenant: TenantA +- name: VRF-NO-AF-NO-WAN + ip_routing: true + tenant: TenantD +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantD vxlan_interface: vxlan1: description: cv-pathfinder-edge-wan-use-evpn-on-lan_VTEP @@ -491,3 +521,5 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml index fb1860325ac..e69b97e2d4a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml 
@@ -438,6 +438,56 @@ metadata: preference: alternate - name: LAN_HA preference: preferred + - name: WAN-VRF-NO-AF + vni: 200 + avts: + - constraints: + jitter: 42 + hop_count: lowest + id: 2 + name: PROD-AVT-POLICY-VOICE + pathgroups: + - name: MPLS + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VOICE + - constraints: + lossrate: '42.0' + id: 4 + name: PROD-AVT-POLICY-VIDEO + pathgroups: + - name: MPLS + preference: preferred + - name: LTE + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VIDEO + - id: 5 + name: PROD-AVT-POLICY-MPLS-ONLY + pathgroups: + - name: MPLS + preference: preferred + - name: LAN_HA + preference: preferred + application_profiles: + - MPLS-ONLY + - id: 1 + name: PROD-AVT-POLICY-DEFAULT + pathgroups: + - name: INET + preference: preferred + - name: MPLS + preference: alternate + - name: LAN_HA + preference: preferred applications: profiles: - name: VIDEO @@ -586,6 +636,17 @@ router_adaptive_virtual_topology: profiles: - name: DEFAULT-POLICY-DEFAULT id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-MPLS-ONLY + id: 5 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 router_bfd: multihop: interval: 300 @@ -819,3 +880,5 @@ vxlan_interface: vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK vni: 166 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml index 7dec5953bb2..cbcd93588f0 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml @@ -401,6 +401,56 @@ metadata: preference: alternate - name: LAN_HA preference: preferred + - name: WAN-VRF-NO-AF + vni: 200 + avts: + - constraints: + jitter: 42 + hop_count: lowest + id: 2 + name: PROD-AVT-POLICY-VOICE + pathgroups: + - name: MPLS + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VOICE + - constraints: + lossrate: '42.0' + id: 4 + name: PROD-AVT-POLICY-VIDEO + pathgroups: + - name: MPLS + preference: preferred + - name: LTE + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VIDEO + - id: 5 + name: PROD-AVT-POLICY-MPLS-ONLY + pathgroups: + - name: MPLS + preference: preferred + - name: LAN_HA + preference: preferred + application_profiles: + - MPLS-ONLY + - id: 1 + name: PROD-AVT-POLICY-DEFAULT + pathgroups: + - name: INET + preference: preferred + - name: MPLS + preference: alternate + - name: LAN_HA + preference: preferred applications: profiles: - name: VIDEO @@ -549,6 +599,17 @@ router_adaptive_virtual_topology: profiles: - name: DEFAULT-POLICY-DEFAULT id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-MPLS-ONLY + id: 5 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 router_bfd: multihop: interval: 300 @@ -813,3 +874,5 @@ vxlan_interface: vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK vni: 166 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml index 59bf6896d73..d1b8395cd07 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml @@ -419,6 +419,56 @@ metadata: preference: alternate - name: LAN_HA preference: preferred + - name: WAN-VRF-NO-AF + vni: 200 + avts: + - constraints: + jitter: 42 + hop_count: lowest + id: 2 + name: PROD-AVT-POLICY-VOICE + pathgroups: + - name: MPLS + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VOICE + - constraints: + lossrate: '42.0' + id: 4 + name: PROD-AVT-POLICY-VIDEO + pathgroups: + - name: MPLS + preference: preferred + - name: LTE + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VIDEO + - id: 5 + name: PROD-AVT-POLICY-MPLS-ONLY + pathgroups: + - name: MPLS + preference: preferred + - name: LAN_HA + preference: preferred + application_profiles: + - MPLS-ONLY + - id: 1 + name: PROD-AVT-POLICY-DEFAULT + pathgroups: + - name: INET + preference: preferred + - name: MPLS + preference: alternate + - name: LAN_HA + preference: preferred applications: profiles: - name: VIDEO @@ -567,6 +617,17 @@ router_adaptive_virtual_topology: profiles: - name: DEFAULT-POLICY-DEFAULT id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-MPLS-ONLY + id: 5 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 router_bfd: multihop: interval: 300 @@ -842,3 +903,5 @@ vxlan_interface: vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK vni: 166 + - name: WAN-VRF-NO-AF + vni: 200 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml index 6c059dc395e..d80bc5b987c 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml @@ -238,6 +238,12 @@ vrfs: - name: ATTRACTED-VRF-FROM-UPLINK ip_routing: true tenant: TenantC +- name: VRF-NO-AF-NO-WAN + ip_routing: true + tenant: TenantD +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantD vxlan_interface: vxlan1: description: leaf-wan-use-evpn-on-lan_VTEP diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml index ecdf9677de4..02d4786b345 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml @@ -124,7 +124,13 @@ tenants: ip_address_virtual: 10.0.100.1/24 - name: IT vrf_id: 100 - # Removing the default address family + # Removing the default address family with the vrf NOT defined under wan_virtual_topologies.vrfs + # and the knob wan_use_evpn_node_settings_for_lan: False + address_families: [] + - name: WAN-VRF-NO-AF + vrf_id: 200 + # Removing the default address family with the vrf defined under wan_virtual_topologies.vrfs + # and the knob wan_use_evpn_node_settings_for_lan: False address_families: [] l2vlans: - id: 101 
@@ -138,6 +144,10 @@ wan_virtual_topologies: - name: PROD policy: PROD-AUTOVPN-POLICY wan_vni: 42 + - name: WAN-VRF-NO-AF + # using same policy to avoid noise + policy: PROD-AUTOVPN-POLICY + wan_vni: 200 policies: - name: PROD-AUTOVPN-POLICY default_virtual_topology: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index d588151d191..140a849592d 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -556,6 +556,17 @@ tenants: nodes: - node: site-ha-disabled-leaf ip_address: 10.66.66.1 + - name: TenantD + # Tenant used to test VRF without address family set with + # knob wan_use_evpn_node_settings_for_lan: true + mac_vrf_vni_base: 1000 + vrfs: + - name: WAN-VRF-NO-AF + vrf_id: 200 + address_families: [] + - name: VRF-NO-AF-NO-WAN + vrf_id: 300 + address_families: [] wan_virtual_topologies: vrfs: @@ -575,6 +586,10 @@ wan_virtual_topologies: wan_vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK wan_vni: 166 + - name: WAN-VRF-NO-AF + # Using PROD policy to avoid extra noise + policy: PROD-AVT-POLICY + wan_vni: 200 policies: - name: PROD-AVT-POLICY default_virtual_topology: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml index 8024d73d435..b0048ee3509 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml @@ -14,7 +14,7 @@ wan_router: loopback_ipv4_pool: 192.168.42.0/24 vtep_loopback_ipv4_pool: 192.168.142.0/24 filter: - always_include_vrfs_in_tenants: [TenantA] + always_include_vrfs_in_tenants: [TenantA, TenantD] deny_vrfs: [IT] nodes: - name: cv-pathfinder-edge-wan-use-evpn-on-lan diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml index 586dcf0ecee..1bab418e260 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml @@ -8,7 +8,7 @@ l3leaf: vtep_loopback_ipv4_pool: 192.168.255.0/24 virtual_router_mac_address: 00:1c:73:00:00:01 filter: - always_include_vrfs_in_tenants: [TenantA] + always_include_vrfs_in_tenants: [TenantA, TenantD] nodes: - name: leaf-wan-use-evpn-on-lan id: 13 diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py index 7b30edad9c9..af6709c155d 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py 
@@ -156,9 +156,10 @@ def _get_vxlan_interface_config_for_vrf( if self.shared_utils.network_services_l3 and (self.shared_utils.overlay_evpn_vxlan or self.shared_utils.is_wan_router): vrf_name = vrf.name + is_wan_vrf = self.shared_utils.is_wan_vrf(vrf) # Only configure VNI for VRF if the VRF is EVPN enabled - if "evpn" not in vrf.address_families and not (is_wan_vrf := self.shared_utils.is_wan_vrf(vrf)): + if "evpn" not in vrf.address_families and not is_wan_vrf: return vni = self._filtered_wan_vrfs[vrf_name].wan_vni if is_wan_vrf else default(vrf.vrf_vni, vrf.vrf_id) From 49a7c222310acc557d2c9dc226c66ccb4c91a672 Mon Sep 17 00:00:00 2001 From: Guillaume Mulocher Date: Wed, 29 Jan 2025 10:07:51 +0100 Subject: [PATCH 27/40] Update ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml --- .../inventory/group_vars/CV_PATHFINDER_TESTS.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index 140a849592d..c3db578f3c0 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -564,9 +564,10 @@ tenants: - name: WAN-VRF-NO-AF vrf_id: 200 address_families: [] - - name: VRF-NO-AF-NO-WAN + - name: VRF-NO-WAN vrf_id: 300 - address_families: [] + # keeping default address family "evpn" and verifying we do not raise + # when the knob is true wan_virtual_topologies: vrfs: From 3a71b019342cc32c6c2c297794ef520f64bf2c21 Mon Sep 17 00:00:00 2001 
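Review bot: The guard `if "evpn" not in vrf.address_families and not is_wan_vrf:` still lets a non-WAN VRF through on a WAN router that runs no EVPN overlay, because the outer condition is satisfied by `is_wan_router` alone. The fixture added later in this series for `cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan` shows the result: `vxlan vrf VRF-NO-WAN vni 300` is rendered while its `router bgp` section has no `vrf VRF-NO-WAN` stanza. If that VNI mapping is not intended, the guard could read `if not is_wan_vrf and not (self.shared_utils.overlay_evpn_vxlan and "evpn" in vrf.address_families):`; this assumes `overlay_evpn_vxlan` is false for that host, which the hunk does not show. The comment above the guard should also mention WAN VRFs, e.g. `# Only configure a VNI if the VRF is EVPN enabled or is a WAN VRF`. The function starts and ends outside the hunk.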
From: gmuloc Date: Wed, 29 Jan 2025 23:19:24 +0100 Subject: [PATCH 28/40] Test: Moleculing the molecule --- ...cv-pathfinder-edge-wan-use-evpn-on-lan.cfg | 15 +++++++++++-- .../configs/leaf-wan-use-evpn-on-lan.cfg | 15 +++++++++++-- ...cv-pathfinder-edge-wan-use-evpn-on-lan.yml | 22 ++++++++++++++++++- .../leaf-wan-use-evpn-on-lan.yml | 22 ++++++++++++++++++- .../group_vars/CV_PATHFINDER_TESTS.yml | 11 ++++++++-- 5 files changed, 77 insertions(+), 8 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg index be458b77581..6d8d264b2fe 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg @@ -125,7 +125,9 @@ vrf instance MGMT ! vrf instance PROD ! -vrf instance VRF-NO-AF-NO-WAN +vrf instance VRF-NO-WAN +! +vrf instance VRF-NO-WAN-NO-AF ! vrf instance WAN-VRF-NO-AF ! @@ -204,6 +206,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf VRF-NO-WAN vni 300 vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition @@ -257,7 +260,8 @@ application traffic recognition ip routing no ip routing vrf MGMT ip routing vrf PROD -ip routing vrf VRF-NO-AF-NO-WAN +ip routing vrf VRF-NO-WAN +ip routing vrf VRF-NO-WAN-NO-AF ip routing vrf WAN-VRF-NO-AF ! ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.12:12 
@@ -346,6 +350,13 @@ router bgp 65000 router-id 192.168.42.12 redistribute connected ! + vrf VRF-NO-WAN + rd 192.168.42.12:300 + route-target import evpn 300:300 + route-target export evpn 300:300 + router-id 192.168.42.12 + redistribute connected + ! vrf WAN-VRF-NO-AF rd 192.168.42.12:200 route-target import evpn 200:200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg index 261d54cca1f..125cea42be4 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg @@ -30,7 +30,9 @@ vrf instance MGMT ! vrf instance PROD ! -vrf instance VRF-NO-AF-NO-WAN +vrf instance VRF-NO-WAN +! +vrf instance VRF-NO-WAN-NO-AF ! vrf instance WAN-VRF-NO-AF ! @@ -88,6 +90,7 @@ interface Vxlan1 vxlan vrf default vni 1 vxlan vrf IT vni 1000 vxlan vrf PROD vni 142 + vxlan vrf VRF-NO-WAN vni 300 ! ip virtual-router mac-address 00:1c:73:00:00:01 ! @@ -96,7 +99,8 @@ ip routing vrf ATTRACTED-VRF-FROM-UPLINK ip routing vrf IT no ip routing vrf MGMT ip routing vrf PROD -ip routing vrf VRF-NO-AF-NO-WAN +ip routing vrf VRF-NO-WAN +ip routing vrf VRF-NO-WAN-NO-AF ip routing vrf WAN-VRF-NO-AF ! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY @@ -180,5 +184,12 @@ router bgp 65042 route-target export evpn 142:142 router-id 192.168.45.13 redistribute connected + ! + vrf VRF-NO-WAN + rd 192.168.45.13:300 + route-target import evpn 300:300 + route-target export evpn 300:300 + router-id 192.168.45.13 + redistribute connected ! end 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml index f6bb8349cc5..3c2de65d653 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml @@ -423,6 +423,21 @@ router_bgp: redistribute: connected: enabled: true + - name: VRF-NO-WAN + rd: 192.168.42.12:300 + route_targets: + import: + - address_family: evpn + route_targets: + - 300:300 + export: + - address_family: evpn + route_targets: + - 300:300 + router_id: 192.168.42.12 + redistribute: + connected: + enabled: true - name: WAN-VRF-NO-AF rd: 192.168.42.12:200 route_targets: @@ -504,7 +519,10 @@ vrfs: - name: PROD ip_routing: true tenant: TenantA -- name: VRF-NO-AF-NO-WAN +- name: VRF-NO-WAN + ip_routing: true + tenant: TenantD +- name: VRF-NO-WAN-NO-AF ip_routing: true tenant: TenantD - name: WAN-VRF-NO-AF @@ -521,5 +539,7 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: VRF-NO-WAN + vni: 300 - name: WAN-VRF-NO-AF vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml index d80bc5b987c..052a2860210 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml 
@@ -187,6 +187,21 @@ router_bgp: redistribute: connected: enabled: true + - name: VRF-NO-WAN + rd: 192.168.45.13:300 + route_targets: + import: + - address_family: evpn + route_targets: + - 300:300 + export: + - address_family: evpn + route_targets: + - 300:300 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: @@ -238,7 +253,10 @@ vrfs: - name: ATTRACTED-VRF-FROM-UPLINK ip_routing: true tenant: TenantC -- name: VRF-NO-AF-NO-WAN +- name: VRF-NO-WAN + ip_routing: true + tenant: TenantD +- name: VRF-NO-WAN-NO-AF ip_routing: true tenant: TenantD - name: WAN-VRF-NO-AF @@ -268,3 +286,5 @@ vxlan_interface: vni: 142 - name: ATTRACTED-VRF-FROM-UPLINK vni: 666 + - name: VRF-NO-WAN + vni: 300 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index c3db578f3c0..f25b92a051e 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml 
@@ -557,17 +557,24 @@ tenants: - node: site-ha-disabled-leaf ip_address: 10.66.66.1 - name: TenantD - # Tenant used to test VRF without address family set with + # Tenant used to test VRFs # knob wan_use_evpn_node_settings_for_lan: true mac_vrf_vni_base: 1000 vrfs: - name: WAN-VRF-NO-AF vrf_id: 200 + # Setting address families under tenant to empty list + # and checking the VRF is still added on the WAN when the knob is true + # and the VRF is defined under wan_virtual_topologies.vrfs address_families: [] - name: VRF-NO-WAN vrf_id: 300 # keeping default address family "evpn" and verifying we do not raise - # when the knob is true + # when the knob is true. The VRF should be configured. + - name: VRF-NO-WAN-NO-AF + vrf_id: 400 + # when the knob is true. The VRF should not be configured. + address_families: [] wan_virtual_topologies: vrfs: From bd1dc08e3a7915edf9904e1cbae9b9e1905844ae Mon Sep 17 00:00:00 2001 From: gmuloc Date: Wed, 29 Jan 2025 23:38:45 +0100 Subject: [PATCH 29/40] Test: Added molecule test for edge with knob without EVPN on LAN --- ...-wan-use-evpn-on-lan-no-overlay-on-lan.cfg | 372 ++++++++++++ .../configs/leaf-wan-use-evpn-on-lan.cfg | 10 + ...-wan-use-evpn-on-lan-no-overlay-on-lan.yml | 535 ++++++++++++++++++ .../leaf-wan-use-evpn-on-lan.yml | 15 + ...-wan-use-evpn-on-lan-no-overlay-on-lan.yml | 37 ++ .../inventory/hosts.yml | 1 + 6 files changed, 970 insertions(+) create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg new file mode 100644 index 00000000000..5a8727ddf6d --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg 
@@ -0,0 +1,372 @@ +! +no enable password +no aaa root +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP=1 +! +flow tracking hardware + tracker FLOW-TRACKER + record export on inactive timeout 70000 + record export on interval 300000 + exporter CV-TELEMETRY + collector 127.0.0.1 + local interface Loopback0 + template interval 3600000 + no shutdown +! +service routing protocols model multi-agent +! +hostname cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan +! +router adaptive-virtual-topology + topology role edge + region AVD_Land_West id 42 + zone AVD_Land_West-ZONE id 1 + site Site12 id 12 + ! + policy DEFAULT-AVT-POLICY-WITH-CP + ! + match application-profile APP-PROFILE-CONTROL-PLANE + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + match application-profile VIDEO + avt profile DEFAULT-AVT-POLICY-VIDEO + ! + match application-profile default + avt profile DEFAULT-AVT-POLICY-DEFAULT + ! + policy PROD-AVT-POLICY + ! + match application-profile VOICE + avt profile PROD-AVT-POLICY-VOICE + ! + match application-profile VIDEO + avt profile PROD-AVT-POLICY-VIDEO + ! + match application-profile default + avt profile PROD-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-CONTROL-PLANE + path-selection load-balance LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + profile DEFAULT-AVT-POLICY-DEFAULT + path-selection load-balance LB-DEFAULT-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-VIDEO + path-selection load-balance LB-DEFAULT-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-DEFAULT + path-selection load-balance LB-PROD-AVT-POLICY-DEFAULT + ! + profile PROD-AVT-POLICY-VIDEO + path-selection load-balance LB-PROD-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-VOICE + path-selection load-balance LB-PROD-AVT-POLICY-VOICE + ! + vrf default + avt policy DEFAULT-AVT-POLICY-WITH-CP + avt profile DEFAULT-AVT-POLICY-DEFAULT id 1 + avt profile DEFAULT-AVT-POLICY-VIDEO id 3 + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE id 254 + ! 
+ vrf PROD + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 101 + ipsec profile CP-PROFILE + ! + local interface Ethernet1 + stun server-profile INET-cv-pathfinder-pathfinder-Ethernet1 INET-cv-pathfinder-pathfinder-Ethernet3 + ! + peer dynamic + ! + peer static router-ip 192.168.144.1 + name cv-pathfinder-pathfinder + ipv4 address 172.17.7.7 + ipv4 address 10.9.9.9 + ! + load-balance policy LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-VIDEO + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-VIDEO + loss-rate 42.0 + path-group INET priority 2 + ! + load-balance policy LB-PROD-AVT-POLICY-VOICE + jitter 42 + hop count lowest + path-group INET priority 2 +! +spanning-tree mode none +! +vrf instance MGMT +! +vrf instance PROD +! +vrf instance VRF-NO-WAN +! +vrf instance VRF-NO-WAN-NO-AF +! +vrf instance WAN-VRF-NO-AF +! +management api http-commands + protocol https + no shutdown + ! + vrf MGMT + no shutdown +! +management security + ! + ssl profile profileA + tls versions 1.2 + trust certificate aristaDeviceCertProvisionerDefaultRootCA.crt + certificate profileA.crt key profileA.key +! +ip security + ike policy CP-IKE-POLICY + local-id 192.168.142.14 + ! + sa policy CP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! + sa policy DP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! 
+ profile CP-PROFILE + ike-policy CP-IKE-POLICY + sa-policy CP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890 + dpd 10 50 clear + mode transport + ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! + key controller + profile DP-PROFILE +! +interface Dps1 + description DPS Interface + mtu 9194 + flow tracker hardware FLOW-TRACKER + ip address 192.168.142.14/32 +! +interface Ethernet1 + description ATT_666 + no shutdown + no switchport + ip address dhcp + dhcp client accept default-route +! +interface Ethernet52 + description P2P_leaf-wan-use-evpn-on-lan_Ethernet2 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.27/31 +! +interface Loopback0 + description ROUTER_ID + no shutdown + ip address 192.168.42.14/32 +! +interface Vxlan1 + description cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_VTEP + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf default vni 1 + vxlan vrf PROD vni 42 + vxlan vrf VRF-NO-WAN vni 300 + vxlan vrf WAN-VRF-NO-AF vni 200 +! +application traffic recognition + ! + application ipv4 APP-CONTROL-PLANE + destination prefix field-set PFX-PATHFINDERS + ! + application ipv4 CUSTOM-APPLICATION-1 + source prefix field-set CUSTOM-SRC-PREFIX-1 + destination prefix field-set CUSTOM-DEST-PREFIX-1 + protocol tcp + ! + application ipv4 CUSTOM-APPLICATION-2 + protocol tcp source port field-set TCP-SRC-2 destination port field-set TCP-DEST-2 + ! + application ipv4 CUSTOM-DSCP-APPLICATION + dscp ef 12-14 cs6 42 + ! + category VIDEO1 + application CUSTOM-APPLICATION-2 + application CUSTOM-DSCP-APPLICATION + application microsoft-teams + ! + application-profile APP-PROFILE-CONTROL-PLANE + application APP-CONTROL-PLANE + ! + application-profile VIDEO + application CUSTOM-APPLICATION-1 + application skype + application rtp transport + category VIDEO1 + ! + application-profile VOICE + application CUSTOM-VOICE-APPLICATION + ! 
+ field-set ipv4 prefix CUSTOM-DEST-PREFIX-1 + 6.6.6.0/24 + ! + field-set ipv4 prefix CUSTOM-SRC-PREFIX-1 + 42.42.42.0/24 + ! + field-set ipv4 prefix PFX-PATHFINDERS + 192.168.144.1/32 + ! + field-set l4-port TCP-DEST-2 + 666, 777 + ! + field-set l4-port TCP-SRC-2 + 42 +! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +ip routing vrf VRF-NO-WAN +ip routing vrf VRF-NO-WAN-NO-AF +ip routing vrf WAN-VRF-NO-AF +! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.14:12 +! +ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY + seq 10 permit 192.168.42.0/24 eq 32 +! +route-map RM-BGP-UNDERLAY-PEERS-IN permit 40 + description Mark prefixes originated from the LAN + set extcommunity soo 192.168.42.14:12 additive +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.42.14:12 additive +! +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.42.14:12 additive +! +router bfd + multihop interval 300 min-rx 300 multiplier 3 +! 
+router bgp 65000 + router-id 192.168.42.14 + update wait-install + no bgp default ipv4-unicast + maximum-paths 16 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 1000 min-rx 1000 multiplier 10 + neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1 + neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ== + neighbor WAN-OVERLAY-PEERS send-community + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 172.18.0.26 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.26 remote-as 65042 + neighbor 172.18.0.26 description leaf-wan-use-evpn-on-lan_Ethernet2 + neighbor 192.168.144.1 peer group WAN-OVERLAY-PEERS + neighbor 192.168.144.1 description cv-pathfinder-pathfinder_Dps1 + redistribute connected route-map RM-CONN-2-BGP + ! + address-family evpn + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + no neighbor WAN-OVERLAY-PEERS activate + ! + address-family ipv4 sr-te + neighbor WAN-OVERLAY-PEERS activate + ! + address-family link-state + neighbor WAN-OVERLAY-PEERS activate + path-selection + ! + address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! + vrf default + rd 192.168.42.14:1 + route-target import evpn 1:1 + route-target export evpn 1:1 + route-target export evpn route-map RM-EVPN-EXPORT-VRF-DEFAULT + ! 
+ vrf PROD + rd 192.168.42.14:142 + route-target import evpn 142:142 + route-target export evpn 142:142 + router-id 192.168.42.14 + redistribute connected + ! + vrf WAN-VRF-NO-AF + rd 192.168.42.14:200 + route-target import evpn 200:200 + route-target export evpn 200:200 + router-id 192.168.42.14 + redistribute connected +! +router traffic-engineering +! +stun + client + server-profile INET-cv-pathfinder-pathfinder-Ethernet1 + ip address 172.17.7.7 + ssl profile profileA + server-profile INET-cv-pathfinder-pathfinder-Ethernet3 + ip address 10.9.9.9 + ssl profile profileA +! +end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg index 125cea42be4..c0ed5a58ee8 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg @@ -50,6 +50,13 @@ interface Ethernet1 no switchport ip address 172.18.0.22/31 ! +interface Ethernet2 + description P2P_cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.26/31 +! interface Loopback0 description ROUTER_ID no shutdown @@ -130,6 +137,9 @@ router bgp 65042 neighbor 172.18.0.23 peer group IPv4-UNDERLAY-PEERS neighbor 172.18.0.23 remote-as 65000 neighbor 172.18.0.23 description cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + neighbor 172.18.0.27 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.27 remote-as 65000 + neighbor 172.18.0.27 description cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 redistribute connected route-map RM-CONN-2-BGP ! vlan 100 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml new file mode 100644 index 00000000000..37fc5e5ea20 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml 
@@ -0,0 +1,535 @@ +aaa_root: + disabled: true +agents: +- name: KernelFib + environment_variables: + - name: KERNELFIB_PROGRAM_ALL_ECMP + value: '1' +application_traffic_recognition: + categories: + - name: VIDEO1 + applications: + - name: CUSTOM-APPLICATION-2 + - name: CUSTOM-DSCP-APPLICATION + - name: microsoft-teams + field_sets: + l4_ports: + - name: TCP-SRC-2 + port_values: + - '42' + - name: TCP-DEST-2 + port_values: + - '666' + - '777' + ipv4_prefixes: + - name: CUSTOM-SRC-PREFIX-1 + prefix_values: + - 42.42.42.0/24 + - name: CUSTOM-DEST-PREFIX-1 + prefix_values: + - 6.6.6.0/24 + - name: PFX-PATHFINDERS + prefix_values: + - 192.168.144.1/32 + applications: + ipv4_applications: + - name: CUSTOM-APPLICATION-1 + src_prefix_set_name: CUSTOM-SRC-PREFIX-1 + dest_prefix_set_name: CUSTOM-DEST-PREFIX-1 + protocols: + - tcp + - name: CUSTOM-APPLICATION-2 + protocols: + - tcp + tcp_src_port_set_name: TCP-SRC-2 + tcp_dest_port_set_name: TCP-DEST-2 + - name: CUSTOM-DSCP-APPLICATION + dscp_ranges: + - ef + - 12-14 + - cs6 + - '42' + - name: APP-CONTROL-PLANE + dest_prefix_set_name: PFX-PATHFINDERS + application_profiles: + - name: VIDEO + applications: + - name: CUSTOM-APPLICATION-1 + - name: skype + application_transports: + - rtp + categories: + - name: VIDEO1 + - name: VOICE + applications: + - name: CUSTOM-VOICE-APPLICATION + - name: APP-PROFILE-CONTROL-PLANE + applications: + - name: APP-CONTROL-PLANE +config_end: true +dps_interfaces: +- name: Dps1 + description: DPS Interface + mtu: 9194 + ip_address: 192.168.142.14/32 + flow_tracker: + hardware: FLOW-TRACKER +enable_password: + disabled: true +ethernet_interfaces: +- name: Ethernet52 + description: P2P_leaf-wan-use-evpn-on-lan_Ethernet2 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.27/31 + peer: leaf-wan-use-evpn-on-lan + peer_interface: Ethernet2 + peer_type: l3leaf + switchport: + enabled: false +- name: Ethernet1 + description: ATT_666 + shutdown: false + ip_address: dhcp + 
dhcp_client_accept_default_route: true + peer_type: l3_interface + switchport: + enabled: false +flow_tracking: + hardware: + trackers: + - name: FLOW-TRACKER + record_export: + on_inactive_timeout: 70000 + on_interval: 300000 + exporters: + - name: CV-TELEMETRY + collector: + host: 127.0.0.1 + local_interface: Loopback0 + template_interval: 3600000 + shutdown: false +hostname: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.42.14:12 +ip_routing: true +ip_security: + ike_policies: + - name: CP-IKE-POLICY + local_id: 192.168.142.14 + sa_policies: + - name: DP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + - name: CP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + profiles: + - name: DP-PROFILE + sa_policy: DP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890666 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + - name: CP-PROFILE + ike_policy: CP-IKE-POLICY + sa_policy: CP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + key_controller: + profile: DP-PROFILE +is_deployed: true +loopback_interfaces: +- name: Loopback0 + description: ROUTER_ID + shutdown: false + ip_address: 192.168.42.14/32 +management_api_http: + enable_https: true + enable_vrfs: + - name: MGMT +management_security: + ssl_profiles: + - name: profileA + tls_versions: '1.2' + trust_certificate: + certificates: + - aristaDeviceCertProvisionerDefaultRootCA.crt + certificate: + file: profileA.crt + key: profileA.key +metadata: + fabric_name: EOS_DESIGNS_UNIT_TESTS + cv_tags: + device_tags: + - name: Role + value: edge + - name: Region + value: AVD_Land_West + - name: Zone + value: AVD_Land_West-ZONE + - name: Site + value: Site12 + interface_tags: + - interface: Ethernet52 + tags: + - name: Type + value: lan + - interface: Ethernet1 + tags: + - name: 
Type + value: wan + - name: Carrier + value: ATT + - name: Circuit + value: '666' + cv_pathfinder: + role: edge + region: AVD_Land_West + zone: AVD_Land_West-ZONE + site: Site12 + vtep_ip: 192.168.142.14 + ssl_profile: profileA + pathfinders: + - vtep_ip: 192.168.144.1 + interfaces: + - name: Ethernet1 + carrier: ATT + circuit_id: '666' + pathgroup: INET +prefix_lists: +- name: PL-LOOPBACKS-EVPN-OVERLAY + sequence_numbers: + - sequence: 10 + action: permit 192.168.42.0/24 eq 32 +route_maps: +- name: RM-CONN-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.42.14:12 additive +- name: RM-BGP-UNDERLAY-PEERS-IN + sequence_numbers: + - sequence: 40 + type: permit + description: Mark prefixes originated from the LAN + set: + - extcommunity soo 192.168.42.14:12 additive +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.42.14:12 additive +- name: RM-EVPN-EXPORT-VRF-DEFAULT + sequence_numbers: + - sequence: 10 + type: permit + match: + - extcommunity ECL-EVPN-SOO +router_adaptive_virtual_topology: + topology_role: edge + region: + name: AVD_Land_West + id: 42 + zone: + name: AVD_Land_West-ZONE + id: 1 + site: + name: Site12 + id: 12 + profiles: + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + load_balance_policy: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + - name: DEFAULT-AVT-POLICY-VIDEO + load_balance_policy: LB-DEFAULT-AVT-POLICY-VIDEO + - name: DEFAULT-AVT-POLICY-DEFAULT + load_balance_policy: LB-DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY-VOICE + load_balance_policy: LB-PROD-AVT-POLICY-VOICE + - name: PROD-AVT-POLICY-VIDEO + load_balance_policy: LB-PROD-AVT-POLICY-VIDEO + - name: PROD-AVT-POLICY-DEFAULT + load_balance_policy: LB-PROD-AVT-POLICY-DEFAULT + 
policies: + - name: DEFAULT-AVT-POLICY-WITH-CP + matches: + - application_profile: APP-PROFILE-CONTROL-PLANE + avt_profile: DEFAULT-AVT-POLICY-CONTROL-PLANE + - application_profile: VIDEO + avt_profile: DEFAULT-AVT-POLICY-VIDEO + - application_profile: default + avt_profile: DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY + matches: + - application_profile: VOICE + avt_profile: PROD-AVT-POLICY-VOICE + - application_profile: VIDEO + avt_profile: PROD-AVT-POLICY-VIDEO + - application_profile: default + avt_profile: PROD-AVT-POLICY-DEFAULT + vrfs: + - name: default + policy: DEFAULT-AVT-POLICY-WITH-CP + profiles: + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + id: 254 + - name: DEFAULT-AVT-POLICY-VIDEO + id: 3 + - name: DEFAULT-AVT-POLICY-DEFAULT + id: 1 + - name: PROD + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 +router_bfd: + multihop: + interval: 300 + min_rx: 300 + multiplier: 3 +router_bgp: + as: '65000' + router_id: 192.168.42.14 + maximum_paths: + paths: 16 + updates: + wait_install: true + bgp: + default: + ipv4_unicast: false + peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + send_community: all + maximum_routes: 12000 + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + - name: WAN-OVERLAY-PEERS + type: wan + remote_as: '65000' + update_source: Dps1 + bfd: true + bfd_timers: + interval: 1000 + min_rx: 1000 + multiplier: 10 + password: htm4AZe9mIQOO1uiMuGgYQ== + send_community: all + maximum_routes: 0 + ttl_maximum_hops: 1 + neighbors: + - ip_address: 172.18.0.26 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65042' + peer: leaf-wan-use-evpn-on-lan + description: leaf-wan-use-evpn-on-lan_Ethernet2 + - ip_address: 192.168.144.1 + peer_group: WAN-OVERLAY-PEERS + 
peer: cv-pathfinder-pathfinder + description: cv-pathfinder-pathfinder_Dps1 + redistribute: + connected: + enabled: true + route_map: RM-CONN-2-BGP + address_family_evpn: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT + encapsulation: path-selection + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: WAN-OVERLAY-PEERS + activate: false + address_family_ipv4_sr_te: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + address_family_link_state: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + path_selection: + roles: + producer: true + address_family_path_selection: + bgp: + additional_paths: + receive: true + send: any + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + vrfs: + - name: default + rd: 192.168.42.14:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - route-map RM-EVPN-EXPORT-VRF-DEFAULT + - name: PROD + rd: 192.168.42.14:142 + route_targets: + import: + - address_family: evpn + route_targets: + - 142:142 + export: + - address_family: evpn + route_targets: + - 142:142 + router_id: 192.168.42.14 + redistribute: + connected: + enabled: true + - name: WAN-VRF-NO-AF + rd: 192.168.42.14:200 + route_targets: + import: + - address_family: evpn + route_targets: + - 200:200 + export: + - address_family: evpn + route_targets: + - 200:200 + router_id: 192.168.42.14 + redistribute: + connected: + enabled: true +router_path_selection: + path_groups: + - name: INET + id: 101 + ipsec_profile: CP-PROFILE + local_interfaces: + - name: Ethernet1 + stun: + server_profiles: + - INET-cv-pathfinder-pathfinder-Ethernet1 + - INET-cv-pathfinder-pathfinder-Ethernet3 + dynamic_peers: + enabled: true + static_peers: + - router_ip: 192.168.144.1 + name: cv-pathfinder-pathfinder + ipv4_addresses: + - 172.17.7.7 + - 10.9.9.9 + 
load_balance_policies: + - name: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-VIDEO + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-DEFAULT + path_groups: + - name: INET + - name: LB-PROD-AVT-POLICY-VOICE + lowest_hop_count: true + jitter: 42 + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-VIDEO + loss_rate: '42.0' + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-DEFAULT + path_groups: + - name: INET + tcp_mss_ceiling: + ipv4_segment_size: auto +router_traffic_engineering: + enabled: true +service_routing_protocols_model: multi-agent +spanning_tree: + mode: none +stun: + client: + server_profiles: + - name: INET-cv-pathfinder-pathfinder-Ethernet1 + ip_address: 172.17.7.7 + ssl_profile: profileA + - name: INET-cv-pathfinder-pathfinder-Ethernet3 + ip_address: 10.9.9.9 + ssl_profile: profileA +transceiver_qsfp_default_mode_4x10: false +vrfs: +- name: MGMT + ip_routing: false +- name: PROD + ip_routing: true + tenant: TenantA +- name: VRF-NO-WAN + ip_routing: true + tenant: TenantD +- name: VRF-NO-WAN-NO-AF + ip_routing: true + tenant: TenantD +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantD +vxlan_interface: + vxlan1: + description: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_VTEP + vxlan: + source_interface: Dps1 + udp_port: 4789 + vrfs: + - name: default + vni: 1 + - name: PROD + vni: 42 + - name: VRF-NO-WAN + vni: 300 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml index 052a2860210..8ae72a65152 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml @@ -14,6 +14,16 @@ ethernet_interfaces: peer_type: wan_router switchport: enabled: false +- name: Ethernet2 + description: P2P_cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.26/31 + peer: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan + peer_interface: Ethernet52 + peer_type: wan_router + switchport: + enabled: false hostname: leaf-wan-use-evpn-on-lan ip_igmp_snooping: globally_enabled: true @@ -83,6 +93,11 @@ router_bgp: remote_as: '65000' peer: cv-pathfinder-edge-wan-use-evpn-on-lan description: cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + - ip_address: 172.18.0.27 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + peer: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan + description: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 redistribute: connected: enabled: true diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml new file mode 100644 index 00000000000..f83de091784 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml 
@@ -0,0 +1,37 @@ +--- +# Testing CV pathfinder edge using new toggle wan_use_evpn_node_settings_for_lan +wan_use_evpn_node_settings_for_lan: true +# not enabling any overlay protocol on WAN to see impact on "LAN only VRFs" +# none is alreeady the default +overlay_routing_protocol: none + +bgp_as: 65000 + +wan_route_servers: + - hostname: cv-pathfinder-pathfinder + +wan_router: + defaults: + loopback_ipv4_pool: 192.168.42.0/24 + vtep_loopback_ipv4_pool: 192.168.142.0/24 + filter: + always_include_vrfs_in_tenants: [TenantA, TenantD] + deny_vrfs: [IT] + nodes: + - name: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan + cv_pathfinder_region: AVD_Land_West + cv_pathfinder_site: Site12 + # Adding uplink to leaf for EVPN + uplink_switches: [leaf-wan-use-evpn-on-lan] + uplink_type: p2p + uplink_interfaces: [Ethernet52] + uplink_switch_interfaces: [Ethernet2] + uplink_ipv4_pool: 172.18.0.0/24 + evpn_role: client + id: 14 + l3_interfaces: + - name: Ethernet1 + wan_carrier: ATT + wan_circuit_id: 666 + dhcp_accept_default_route: true + ip_address: dhcp diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml index d7e989123c0..b77707f1b31 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml @@ -405,6 +405,7 @@ all: SITE_EVPN: hosts: cv-pathfinder-edge-wan-use-evpn-on-lan: + cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan: leaf-wan-use-evpn-on-lan: CV_PATHFINDERS: hosts: From 35067f2c42b73430e09666e2e4f265c2a2d5f552 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Wed, 29 Jan 2025 23:38:45 +0100 Subject: [PATCH 30/40] Test: Added molecule test for edge with knob without EVPN on LAN --- .../inventory/group_vars/CV_PATHFINDER_TESTS.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
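Review bot: The header comment in the new host_vars file says no overlay protocol is enabled "on WAN", while the file name (`...-no-overlay-on-lan`) and the `wan_use_evpn_node_settings_for_lan: true` toggle are about the LAN side. The node also keeps `evpn_role: client` next to `overlay_routing_protocol: none`, so a reader cannot tell which combination this fixture is meant to pin. If the intent is the LAN case, I would state it directly, for example `# overlay_routing_protocol is none for the LAN side while evpn_role: client stays set; checks how "LAN only VRFs" are rendered`.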
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index f25b92a051e..8dd4027d511 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -573,7 +573,7 @@ tenants: # when the knob is true. The VRF should be configured. - name: VRF-NO-WAN-NO-AF vrf_id: 400 - # when the knob is true. The VRF should not be configured. + # when the knob is true. The VRF should not be configured under VXLAN and BGP. address_families: [] wan_virtual_topologies: From 744480e09a6b5e6c416b2f16f491cec65ccf3e15 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Thu, 30 Jan 2025 10:34:30 +0100 Subject: [PATCH 31/40] Refactor: Adding dem protocol --- python-avd/pyavd/_eos_designs/shared_utils/wan.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/wan.py b/python-avd/pyavd/_eos_designs/shared_utils/wan.py index 4da19a1c8ed..462ead9ef04 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/wan.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/wan.py @@ -585,7 +585,7 @@ def wan_stun_dtls_profile_name(self: SharedUtilsProtocol) -> str | None: return self.inputs.wan_stun_dtls_profile_name - def is_wan_vrf(self: SharedUtils, vrf: EosDesigns._DynamicKeys.DynamicNetworkServicesItem.NetworkServicesItem.VrfsItem) -> bool: + def is_wan_vrf(self: SharedUtilsProtocol, vrf: EosDesigns._DynamicKeys.DynamicNetworkServicesItem.NetworkServicesItem.VrfsItem) -> bool: """Returns True is the VRF is a WAN VRF.""" if not self.is_wan_router: return False From 472b096ec60dfa6d8e325e65e90ff55340401d3a Mon Sep 17 00:00:00 2001 
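Review bot: The docstring of `is_wan_vrf` in wan.py reads "Returns True is the VRF is a WAN VRF." and gives no criterion. Since this hunk already touches the signature, it is a good place to fix it. The visible guard returns False whenever `self.is_wan_router` is false, so something like `"""Return True if the VRF is a WAN VRF; always False on non-WAN routers."""` would match what the hunk shows. The rest of the body is outside the hunk, so the wording for the WAN-router case should be confirmed against it.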
From: gmuloc Date: Thu, 30 Jan 2025 10:52:34 +0100 Subject: [PATCH 32/40] Refactor: Fix type --- python-avd/pyavd/_eos_designs/shared_utils/routing.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/routing.py b/python-avd/pyavd/_eos_designs/shared_utils/routing.py index 924334f5660..c92f68a7034 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/routing.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/routing.py @@ -31,7 +31,7 @@ def overlay_routing_protocol(self: SharedUtilsProtocol) -> str: default_overlay_routing_protocol = self.node_type_key_data.default_overlay_routing_protocol if self.is_wan_router and not self.inputs.wan_use_evpn_node_settings_for_lan: # For WAN routers without the knob, overlay_routing_protocol should be ignored. - return None + return "none" return (self.inputs.overlay_routing_protocol or default_overlay_routing_protocol).lower() @cached_property From 4eb6fecf2d9c237facd10f63b4be3a06632cbc31 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Thu, 30 Jan 2025 11:03:45 +0100 Subject: [PATCH 33/40] Doc: Codespell --- ...cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml index f83de091784..3ba6bdb0b35 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml 
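Review bot: Returning the string `"none"` on the WAN-router branch of `overlay_routing_protocol` makes the value truthy where the previous `None` was falsy. Any caller that tests `if self.overlay_routing_protocol:` or `is None` will now take the other branch; those callers are outside this hunk and should be checked for an explicit comparison with `"none"`. The inline comment still says the setting is "ignored" without saying what is returned, so I would reword it to `# WAN routers without the knob always report "none", whatever overlay_routing_protocol is set to.` The last line calls `.lower()` on `self.inputs.overlay_routing_protocol or default_overlay_routing_protocol`, which would raise AttributeError if both were unset; presumably the node-type default always exists, but a short comment saying so would help. The function starts above the hunk.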
@@ -2,7 +2,7 @@ # Testing CV pathfinder edge using new toggle wan_use_evpn_node_settings_for_lan wan_use_evpn_node_settings_for_lan: true # not enabling any overlay protocol on WAN to see impact on "LAN only VRFs" -# none is alreeady the default +# none is already the default overlay_routing_protocol: none bgp_as: 65000 From 600f95d0b2940fb181f5f331c3b49730fd6dc486 Mon Sep 17 00:00:00 2001 From: Guillaume Mulocher Date: Tue, 11 Feb 2025 09:48:05 +0100 Subject: [PATCH 34/40] Update python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml Co-authored-by: Claus Holbech --- .../wan_use_evpn_node_settings_for_lan.schema.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml index 671ce461632..2918be6acd4 100644 --- a/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml @@ -13,7 +13,7 @@ keys: table: wan-settings default: false description: |- - PREVIEW: This key is currently not supported + PREVIEW: This key is currently not supported and may produce invalid configuration. When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN. This will be the default in AVD version 6.0.0 and this option will be removed. From bd105c89ebe222a30c5701898ee6478b06466a4c Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 11 Feb 2025 08:57:39 +0000 Subject: [PATCH 35/40] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .../eos_designs/docs/tables/wan-settings.md | 4 +-- .../pyavd/_eos_designs/schema/__init__.py | 28 +++++++++---------- .../schema/eos_designs.schema.yml | 3 +- 3 files changed, 18 insertions(+), 17 deletions(-) diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md index e30d784f46f..51e62327b29 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md @@ -24,7 +24,7 @@ | [wan_mode](## "wan_mode") | String | | `cv-pathfinder` | Valid Values:
- autovpn
- cv-pathfinder | Select if the WAN should be run using CV Pathfinder or AutoVPN only. | | [wan_stun_dtls_disable](## "wan_stun_dtls_disable") | Boolean | | `False` | | WAN STUN connections are authenticated and secured with DTLS by default.
For CV Pathfinder deployments CloudVision will automatically deploy certificates on the devices.
In case of AutoVPN the certificates must be deployed manually to all devices.

For LAB environments this can be disabled, if there are no certificates available.
This should NOT be disabled for a WAN network connected to the internet, since it will leave the STUN service exposed with no authentication. | | [wan_stun_dtls_profile_name](## "wan_stun_dtls_profile_name") | String | | `STUN-DTLS` | | Name of the SSL profile used for DTLS on WAN STUN connections.
When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. | - | [wan_use_evpn_node_settings_for_lan](## "wan_use_evpn_node_settings_for_lan") | Boolean | | `False` | | PREVIEW: This key is currently not supported
When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep`
node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN.
This will be the default in AVD version 6.0.0 and this option will be removed. | + | [wan_use_evpn_node_settings_for_lan](## "wan_use_evpn_node_settings_for_lan") | Boolean | | `False` | | PREVIEW: This key is currently not supported and may produce invalid configuration.
When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep`
node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN.
This will be the default in AVD version 6.0.0 and this option will be removed. | === "YAML" @@ -87,7 +87,7 @@ # When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. wan_stun_dtls_profile_name: - # PREVIEW: This key is currently not supported + # PREVIEW: This key is currently not supported and may produce invalid configuration. # When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` # node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN. # This will be the default in AVD version 6.0.0 and this option will be removed. diff --git a/python-avd/pyavd/_eos_designs/schema/__init__.py b/python-avd/pyavd/_eos_designs/schema/__init__.py index 9162b1a2dd5..87841ad3667 100644 --- a/python-avd/pyavd/_eos_designs/schema/__init__.py +++ b/python-avd/pyavd/_eos_designs/schema/__init__.py @@ -57794,13 +57794,13 @@ def __init__( """ wan_use_evpn_node_settings_for_lan: bool """ - PREVIEW: This key is currently not supported - When true, `eos_designs` will use - `overlay_routing_protocol`, `evpn_role` and `vtep` - node settings for LAN side on WAN devices. - Otherwise these will be ignored for WAN. - This will be the default in AVD version 6.0.0 and this - option will be removed. + PREVIEW: This key is currently not supported and may produce invalid configuration. + When true, + `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side + on WAN devices. Otherwise these will be ignored for WAN. + This will be the default in AVD version + 6.0.0 and this option will be removed. Default value: `False` """ 
@@ -59277,13 +59277,13 @@ def __init__( When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. wan_use_evpn_node_settings_for_lan: - PREVIEW: This key is currently not supported - When true, `eos_designs` will use - `overlay_routing_protocol`, `evpn_role` and `vtep` - node settings for LAN side on WAN devices. - Otherwise these will be ignored for WAN. - This will be the default in AVD version 6.0.0 and this - option will be removed. + PREVIEW: This key is currently not supported and may produce invalid configuration. + When true, + `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side + on WAN devices. Otherwise these will be ignored for WAN. + This will be the default in AVD version + 6.0.0 and this option will be removed. wan_virtual_topologies: Configure Virtual Topologies for CV Pathfinder and AutoVPN. Auto create a control plane diff --git a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml index 8f723c2a9a8..7b82f3bbfdc 100644 --- a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml @@ -4953,7 +4953,8 @@ keys: documentation_options: table: wan-settings default: false - description: 'PREVIEW: This key is currently not supported + description: 'PREVIEW: This key is currently not supported and may produce invalid + configuration. When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` From 7d4cd067a2872b75e747051d5e75e22b3aede25e Mon Sep 17 00:00:00 2001 From: gmuloc Date: Tue, 11 Feb 2025 10:44:22 +0100 Subject: [PATCH 36/40] Doc: Refactor Markdown to look better --- .../avd/roles/eos_designs/docs/how-to/wan.md | 90 +++++++++---------- 1 file changed, 45 insertions(+), 45 deletions(-) 
diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md b/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md index dfbfd8bd15e..31ed43bde9b 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md @@ -26,8 +26,8 @@ title: Ansible Collection Role eos_designs - WAN Please familiarize yourself with the Arista WAN terminology before proceeding: -- https://www.arista.com/en/solutions/enterprise-wan -- https://tech-library.arista.com/wan/ (Tech Library access requires an Arista account) +- +- (Tech Library access requires an Arista account) ### Design points 
@@ -103,21 +103,21 @@ Please familiarize yourself with the Arista WAN terminology before proceeding: The following table list the `eos_designs` top level keys used for WAN and how they should be set: -| Key | Must be the same for all the WAN routers | Comment | -| -------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `wan_mode` | ✅ | Two possible modes, `autovpn` and `cv-pathfinder` (default). | -| `wan_encapsulation` | ✅ | Two possible encapsulations, `vxlan` and `path-selection` (default). | -| `wan_virtual_topologies` | ✅ | to define the Policies and the VRF to policy mappings. | -| `wan_path_groups` | ✅ | to define the list of path-groups in the network. | -| `wan_carriers` | ✅ | to define the list of carriers in the network, each carrier is assigned to a path-group. | -| `wan_ipsec_profiles` | ✅ | to define the shared key for the Control Plane and Data Plane IPSec profiles. | -| `cv_pathfinder_regions` | ✅ | to define the Region/Zone/Site hierarchy, not required for AutoVPN. | -| `tenants` | ✅ | the default tenant key from `network_services` or any other key for tenant that would hold some WAN VRF information. | -| `wan_stun_dtls_disable` | ✅ | disable dTLS for STUN for instance for lab. (**NOT** recommended in production). | -| `application_classification` | ✅ | to define the specific traffic classification required for the WAN if any. | -| `cv_pathfinder_internet_exit_policies` | ✅ | to define the internet-exit policies. | -| `wan_route_servers` | ✘ | Indicate to which WAN route servers the WAN router should connect to. This key is also used to tell every WAN Route Reflectors with which other RRs it should peer with. | -| `ipv4_acls` | ✘ | List of IPv4 access-lists to be assigned to WAN interfaces. 
| +| Key | Must be the same for all the WAN routers | Comment | +| --- | ---------------------------------------- | ------- | +| `wan_mode` | ✅ | Two possible modes, `autovpn` and `cv-pathfinder` (default). | +| `wan_encapsulation` | ✅ | Two possible encapsulations, `vxlan` and `path-selection` (default). | +| `wan_virtual_topologies` | ✅ | to define the Policies and the VRF to policy mappings. | +| `wan_path_groups` | ✅ | to define the list of path-groups in the network. | +| `wan_carriers` | ✅ | to define the list of carriers in the network, each carrier is assigned to a path-group. | +| `wan_ipsec_profiles` | ✅ | to define the shared key for the Control Plane and Data Plane IPSec profiles. | +| `cv_pathfinder_regions` | ✅ | to define the Region/Zone/Site hierarchy, not required for AutoVPN. | +| `tenants` | ✅ | the default tenant key from `network_services` or any other key for tenant that would hold some WAN VRF information. | +| `wan_stun_dtls_disable` | ✅ | disable dTLS for STUN for instance for lab. (**NOT** recommended in production). | +| `application_classification` | ✅ | to define the specific traffic classification required for the WAN if any. | +| `cv_pathfinder_internet_exit_policies` | ✅ | to define the internet-exit policies. | +| `wan_route_servers` | ✘ | Indicate to which WAN route servers the WAN router should connect to. This key is also used to tell every WAN Route Reflectors with which other RRs it should peer with. | +| `ipv4_acls` | ✘ | List of IPv4 access-lists to be assigned to WAN interfaces. | Additionally, following keys must be set for the WAN route servers for the connectivity to work: 
@@ -183,7 +183,7 @@ wan_route_servers: # (1)! ``` 1. A `wan_router` with this configuration will establish BGP peering to all the `wan_route_servers` in the list if it has a common path-group. - A `wan_rr` with this configuration will establish BGP peerings to every other `wan_route_servers` in the list if they have a common path-group. + A `wan_rr` with this configuration will establish BGP peerings to every other `wan_route_servers` in the list if they have a common path-group. !!! note @@ -253,7 +253,8 @@ cv_pathfinder_regions: ``` !!! Note -Site IDs and names must be unique per region. + + Site IDs and names must be unique per region. And then for each `wan_router`: @@ -427,8 +428,7 @@ ipv4_prefix_list_catalog: 1. `peer` and `peer_interface` are optionals and used for description. 2. `wan_circuit_id` is optional and used for description. -3. Configure IPv4 ACLs in and out for the L3 interface. The access lists must - be defined under `ipv4_acls` top level key. +3. Configure IPv4 ACLs in and out for the L3 interface. The access lists must be defined under `ipv4_acls` top level key. 4. For BGP peering for WAN interfaces, the `ipv4_prefix_list_in` is mandatory for security reaasons. It is defined in the `ipv4_prefix_list_catalog`. ### WAN policies 
@@ -493,8 +493,7 @@ wan_virtual_topologies: 1. Assign the `PROD-AVT-POLICY` to the `PROD` VRF, multiple VRFs can use the same policy. 2. VRF `default` will use the AVD auto-generated `DEFAULT-POLICY` as no policy is set. 3. Define the `PROD-AVT-POLICY` -4. `default_virtual_topology` is used to configure the default match in the policy. - In this case, default traffic will use INET path-group first and MPLS as backup. +4. `default_virtual_topology` is used to configure the default match in the policy. In this case, default traffic will use INET path-group first and MPLS as backup. 5. This list element configures the policy to apply to traffic the `VOICE` application profile. This block of configuration will configure the Load Balance policy, the match statement in the policy (in `router path-selection` for AutoVPN or `router adaptive-virtual-topology` for CV-Pathfinder) and for CV-Pathfinder, the AVT profile. The application profile must be defined under `application_classification.application_profiles`. @@ -550,7 +549,8 @@ An Application Virtual Topology policy is composed of multiple profiles. An AVT ```yaml wan_virtual_topologies: - vrfs: [...] + vrfs: + [...] policies: - name: PROD-AVT-POLICY default_virtual_topology: 
@@ -697,24 +697,20 @@ The following LAN scenarios are supported: Some design points: - The Site of Origin (SOO) extended community is configured as `:` - note: site id is unique per zone (only a default zone supported today). - for HA site, the SOO is set as `:` where `router1` is - the first router defined in the group. + - site id is unique per zone (only a default zone supported today). + - for HA site, the SOO is set as `:` where `router1` is the first router defined in the group. - HA is not supported for more than two routers for CV Pathfinders. - The routes to be advertised towards the WAN must be marked with the site SOO. - The connected routes and static routes are marked with the SOO when redistributed in BGP - the routes redistributed into BGP via the route-map `RM-CONN-2-BGP` are tagged with the SOO. - the routes redistributed into BGP via the route-map `RM-STATIC-2-BGP` are tagged with the SOO. - - the routes received from LAN are marked with the SOO when received from - the LAN over BGP or when redistributed into BGP from the LAN protocol. - note: For other connection (e.g. L3 interface with a BGP peering, the - user must mark them with the SOO) + - the routes received from LAN are marked with the SOO when received from the LAN over BGP or when redistributed into BGP from the LAN protocol. + - For other connection (e.g. L3 interface with a BGP peering, the user must mark them with the SOO). - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SOO. - Routes received from the WAN with the local SOO are dropped. - Routes received from the WAN are redistributed / advertised towards the LAN. -- For HA, an iBGP session using EVPN Gateway is used to share the routes from - one peer to the other. +- For HA, an iBGP session using EVPN Gateway is used to share the routes from one peer to the other. 
- WAN, LAN and local static routes are sent to the HA peer to cater for various failure scenarii. - The routes received from the HA peer are made less preferred than routes received from the LAN or from the WAN. @@ -809,7 +805,10 @@ The following diagram represents this scenario: - one inbound route-map `RM-BGP-UNDERLAY-PEERS-IN`: - accept routes coming from the LAN and set the SoO extended community on them. -!!! warning - the Underlay peer group (towards the LAN) is not configured with any outbound route-map. - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SoO. +!!! warning + + - the Underlay peer group (towards the LAN) is not configured with any outbound route-map. + - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SoO. The following diagram shows the additional route-maps configured to support eBGP on LAN: 
@@ -1056,16 +1055,17 @@ wan_virtual_topologies: `eos_validate_state` is being enriched to support new tests for WAN designs. The tests listed below are validating WAN designs. -| AVD Test Class | ANTA Test Class | Description | -| ---------------------- | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| AvdTestInterfacesState | VerifyInterfacesStatus | Validate the DPS interface status. | -| AvdTestBGP | VerifyBGPSpecificPeers | Validate the state of BGP Address Family sessions, including `Path-Selection` for AutoVPN, `Link-State` and `IPv4/IPv6 SR-TE` for CV Pathfinder. | -| AvdTestIPSecurity | VerifySpecificIPSecConn | Validate the establishment of IP security connections for each static peer under the `router path-selection` section of the configuration. | -| AvdTestStun | VerifyStunClient | Validate the presence of a STUN client translation for a given source IPv4 address and port. The list of expected translations for each device is built by searching local interfaces in each path-group. | -| AvdTestDpsReachability | VerifyReachability | Validate DPS reachability between devices. | -| AvdTestAvtPath | VerifyAVTSpecificPath | Validate that the status is active and the type is direct for an Adaptive Virtual Topology (AVT) path in a specified VRF for the static peers. | -| AvdTestAvtRole | VerifyAVTRole | Validate the Adaptive Virtual Topology (AVT) role of a device. | +| AVD Test Class | ANTA Test Class | Description | +| -------------- | --------------- | ----------- | +| AvdTestInterfacesState | VerifyInterfacesStatus | Validate the DPS interface status. | +| AvdTestBGP | VerifyBGPSpecificPeers | Validate the state of BGP Address Family sessions, including `Path-Selection` for AutoVPN, `Link-State` and `IPv4/IPv6 SR-TE` for CV Pathfinder. 
| +| AvdTestIPSecurity | VerifySpecificIPSecConn | Validate the establishment of IP security connections for each static peer under the `router path-selection` section of the configuration. | +| AvdTestStun | VerifyStunClient | Validate the presence of a STUN client translation for a given source IPv4 address and port. The list of expected translations for each device is built by searching local interfaces in each path-group. | +| AvdTestDpsReachability | VerifyReachability | Validate DPS reachability between devices. | +| AvdTestAvtPath | VerifyAVTSpecificPath | Validate that the status is active and the type is direct for an Adaptive Virtual Topology (AVT) path in a specified VRF for the static peers. | +| AvdTestAvtRole | VerifyAVTRole | Validate the Adaptive Virtual Topology (AVT) role of a device. | !!! note -More WAN-related tests are available directly in ANTA and can be added using custom catalogs. -They will be progressively added to `eos_validate_state`. + + More WAN-related tests are available directly in ANTA and can be added using custom catalogs. + They will be progressively added to `eos_validate_state`. From 455faecb18e2b019da6d5a99523dd24de5f7a7dd Mon Sep 17 00:00:00 2001 
From: gmuloc Date: Tue, 11 Feb 2025 11:01:15 +0100 Subject: [PATCH 37/40] Refactor: Address PR comments --- .../configs/leaf-wan-use-evpn-on-lan.cfg | 15 --------------- .../configs/site-ha-disabled-leaf.cfg | 15 --------------- .../configs/site-ha-enabled-leaf1.cfg | 15 --------------- .../configs/site-ha-enabled-leaf2A.cfg | 15 --------------- .../configs/site-ha-enabled-leaf2B.cfg | 15 --------------- .../leaf-wan-use-evpn-on-lan.yml | 19 ------------------- .../site-ha-disabled-leaf.yml | 19 ------------------- .../site-ha-enabled-leaf1.yml | 19 ------------------- .../site-ha-enabled-leaf2A.yml | 19 ------------------- .../site-ha-enabled-leaf2B.yml | 19 ------------------- .../group_vars/CV_PATHFINDER_TESTS.yml | 4 ---- .../shared_utils/node_type_keys.py | 2 +- .../pyavd/_eos_designs/shared_utils/wan.py | 2 +- 13 files changed, 2 insertions(+), 176 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg index c0ed5a58ee8..3aad67724f0 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg @@ -19,9 +19,6 @@ vlan 101 vlan 666 name VLAN666 ! -vlan 1000 - name VLAN1000 -! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -79,12 +76,6 @@ interface Vlan666 vrf ATTRACTED-VRF-FROM-UPLINK ip address virtual 10.66.66.66/24 ! -interface Vlan1000 - description VLAN1000 - shutdown - vrf IT - ip address virtual 10.0.100.1/24 -! interface Vxlan1 description leaf-wan-use-evpn-on-lan_VTEP vxlan source-interface Loopback1 
@@ -92,7 +83,6 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 - vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -157,11 +147,6 @@ router bgp 65042 route-target both 1666:1666 redistribute learned ! - vlan 1000 - rd 192.168.45.13:2000 - route-target both 2000:2000 - redistribute learned - ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg index 6d86b26c54c..490539ef7b3 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg @@ -19,9 +19,6 @@ vlan 101 vlan 666 name VLAN666 ! -vlan 1000 - name VLAN1000 -! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -122,12 +119,6 @@ interface Vlan666 ip address 10.66.66.1 ip address virtual 10.66.66.66/24 ! -interface Vlan1000 - description VLAN1000 - shutdown - vrf IT - ip address virtual 10.0.100.1/24 -! interface Vxlan1 description site-ha-disabled-leaf_VTEP vxlan source-interface Loopback1 @@ -135,7 +126,6 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 - vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -196,11 +186,6 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! - vlan 1000 - rd 192.168.45.4:2000 - route-target both 2000:2000 - redistribute learned - ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg index 82ba5c1e551..ba119b221cb 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg @@ -19,9 +19,6 @@ vlan 101 vlan 666 name VLAN666 ! -vlan 1000 - name VLAN1000 -! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -121,12 +118,6 @@ interface Vlan666 vrf ATTRACTED-VRF-FROM-UPLINK ip address virtual 10.66.66.66/24 ! -interface Vlan1000 - description VLAN1000 - shutdown - vrf IT - ip address virtual 10.0.100.1/24 -! interface Vxlan1 description site-ha-enabled-leaf1_VTEP vxlan source-interface Loopback1 @@ -134,7 +125,6 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 - vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -195,11 +185,6 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! - vlan 1000 - rd 192.168.45.1:2000 - route-target both 2000:2000 - redistribute learned - ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg index fb107287979..6c5caa1e8f8 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg 
@@ -19,9 +19,6 @@ vlan 101 vlan 666 name VLAN666 ! -vlan 1000 - name VLAN1000 -! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -121,12 +118,6 @@ interface Vlan666 vrf ATTRACTED-VRF-FROM-UPLINK ip address virtual 10.66.66.66/24 ! -interface Vlan1000 - description VLAN1000 - shutdown - vrf IT - ip address virtual 10.0.100.1/24 -! interface Vxlan1 description site-ha-enabled-leaf2A_VTEP vxlan source-interface Loopback1 @@ -134,7 +125,6 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 - vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -195,11 +185,6 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! - vlan 1000 - rd 192.168.45.2:2000 - route-target both 2000:2000 - redistribute learned - ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg index 83b92a16dad..919dcdc700b 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg @@ -19,9 +19,6 @@ vlan 101 vlan 666 name VLAN666 ! -vlan 1000 - name VLAN1000 -! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -121,12 +118,6 @@ interface Vlan666 vrf ATTRACTED-VRF-FROM-UPLINK ip address virtual 10.66.66.66/24 ! -interface Vlan1000 - description VLAN1000 - shutdown - vrf IT - ip address virtual 10.0.100.1/24 -! interface Vxlan1 description site-ha-enabled-leaf2B_VTEP vxlan source-interface Loopback1 
@@ -134,7 +125,6 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 - vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -195,11 +185,6 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! - vlan 1000 - rd 192.168.45.3:2000 - route-target both 2000:2000 - redistribute learned - ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml index 8ae72a65152..95e3cdff464 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml @@ -103,14 +103,6 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: - - id: 1000 - tenant: TenantA - rd: 192.168.45.13:2000 - route_targets: - both: - - 2000:2000 - redistribute_routes: - - learned - id: 100 tenant: TenantA rd: 192.168.45.13:1100 @@ -220,12 +212,6 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: -- name: Vlan1000 - description: VLAN1000 - shutdown: true - vrf: IT - ip_address_virtual: 10.0.100.1/24 - tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -244,9 +230,6 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: -- id: 1000 - name: VLAN1000 - tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -284,8 +267,6 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: - - id: 1000 - vni: 2000 - id: 100 vni: 1100 - id: 101 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml index 4ab5ba99166..e7607bec68a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml @@ -169,14 +169,6 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: - - id: 1000 - tenant: TenantA - rd: 192.168.45.4:2000 - route_targets: - both: - - 2000:2000 - redistribute_routes: - - learned - id: 100 tenant: TenantA rd: 192.168.45.4:1100 @@ -298,12 +290,6 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: -- name: Vlan1000 - description: VLAN1000 - shutdown: true - vrf: IT - ip_address_virtual: 10.0.100.1/24 - tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -323,9 +309,6 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: -- id: 1000 - name: VLAN1000 - tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -354,8 +337,6 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: - - id: 1000 - vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml index a96fadd8d8c..89d1fa00274 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml 
@@ -169,14 +169,6 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: - - id: 1000 - tenant: TenantA - rd: 192.168.45.1:2000 - route_targets: - both: - - 2000:2000 - redistribute_routes: - - learned - id: 100 tenant: TenantA rd: 192.168.45.1:1100 @@ -298,12 +290,6 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: -- name: Vlan1000 - description: VLAN1000 - shutdown: true - vrf: IT - ip_address_virtual: 10.0.100.1/24 - tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -322,9 +308,6 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: -- id: 1000 - name: VLAN1000 - tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -353,8 +336,6 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: - - id: 1000 - vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml index fcc8b561a30..19b4471e640 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml @@ -169,14 +169,6 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: - - id: 1000 - tenant: TenantA - rd: 192.168.45.2:2000 - route_targets: - both: - - 2000:2000 - redistribute_routes: - - learned - id: 100 tenant: TenantA rd: 192.168.45.2:1100 @@ -298,12 +290,6 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: -- name: Vlan1000 - description: VLAN1000 - shutdown: true - vrf: IT - ip_address_virtual: 10.0.100.1/24 - tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true 
@@ -322,9 +308,6 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: -- id: 1000 - name: VLAN1000 - tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -353,8 +336,6 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: - - id: 1000 - vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml index 4fae30e5f36..81ce797ff5c 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml @@ -169,14 +169,6 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: - - id: 1000 - tenant: TenantA - rd: 192.168.45.3:2000 - route_targets: - both: - - 2000:2000 - redistribute_routes: - - learned - id: 100 tenant: TenantA rd: 192.168.45.3:1100 @@ -298,12 +290,6 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: -- name: Vlan1000 - description: VLAN1000 - shutdown: true - vrf: IT - ip_address_virtual: 10.0.100.1/24 - tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -322,9 +308,6 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: -- id: 1000 - name: VLAN1000 - tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -353,8 +336,6 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: - - id: 1000 - vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index eef0f47c945..972ef6c08a9 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -594,10 +594,6 @@ tenants: ip_address_virtual: 10.0.100.1/24 - name: IT vrf_id: 1000 - svis: - - id: 1000 - name: VLAN1000 - ip_address_virtual: 10.0.100.1/24 l2vlans: - id: 101 name: VLAN101 diff --git a/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py b/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py index 99f804b4289..af66b3f55c1 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py @@ -149,7 +149,7 @@ "default_evpn_role": "server", "cv_tags_topology_type": "spine", }, - # TODO: AVD 6.0 change default overlay_routing_protocol and evpn_role to none for wan_router and wan_rr. + # TODO: AVD 6.0 change default overlay_routing_protocol and evpn_role to none and vtep to false for wan_router and wan_rr. { "key": "wan_router", "type": "wan_router", diff --git a/python-avd/pyavd/_eos_designs/shared_utils/wan.py b/python-avd/pyavd/_eos_designs/shared_utils/wan.py index d6dcc5c874c..7f02c4ba04b 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/wan.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/wan.py 
@@ -646,7 +646,7 @@ def is_wan_vrf(self: SharedUtilsProtocol, vrf: EosDesigns._DynamicKeys.DynamicNe # Old behavior where we rely on address_families. if not self.inputs.wan_use_evpn_node_settings_for_lan and "evpn" in vrf.address_families and not configured_as_wan_vrf: msg = ( - f"The VRF '{vrf.name}' does not have a `wan_vni` defined under 'wan_virtual_topologies'. " + f"The VRF '{vrf.name}' does not have a 'wan_vni' defined under 'wan_virtual_topologies'. " "If this VRF was not intended to be extended over the WAN, but still required to be configured on the WAN router, " "set 'address_families: []' under the VRF definition. If this VRF was not intended to be configured on the WAN router, " "use the VRF filter 'deny_vrfs' under the node settings." From a2bb81969590c1b70b9a3022e1dc0655afde5432 Mon Sep 17 00:00:00 2001 From: Guillaume Mulocher Date: Mon, 17 Feb 2025 16:47:39 +0100 Subject: [PATCH 38/40] Update python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py Co-authored-by: ayushmittal-arista <94678581+ayushmittal-arista@users.noreply.github.com> --- .../pyavd/_eos_designs/structured_config/overlay/route_maps.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py index ba2ae14783e..66f7b29e37e 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py @@ -37,7 +37,7 @@ def route_maps(self: AvdStructuredConfigOverlayProtocol) -> None: route_maps_item.sequence_numbers.append_new(sequence=20, type="permit") self.structured_config.route_maps.append(route_maps_item) - elif ( + if ( self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server" ) or self.shared_utils.is_wan_client: # Route-map IN and OUT for SOO 
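Review bot: The `elif` to `if` change in route_maps.py makes the SOO block independent of the branch above it, but nothing in the code says this is deliberate. Going by the later hunk in this series, that preceding branch is the `overlay_routing_protocol == "ebgp"` case, so a WAN client on eBGP only gets the SOO route-maps because of this one keyword. RM-EVPN-SOO-IN is the filter that denies routes carrying the node's own SOO, and a later tidy-up that folds the two conditions back together would drop it silently. I would add a comment directly above the condition, for example `# Deliberately not elif: WAN clients need the SOO route-maps whatever overlay_routing_protocol is set to.` The body of route_maps starts and continues outside this hunk.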
From d8db8d3b54174f52f8526360b7d72a3d82cfdc88 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Mon, 17 Feb 2025 18:31:14 +0100 Subject: [PATCH 39/40] CI: Make ruff happy again --- .../structured_config/overlay/route_maps.py | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py index 66f7b29e37e..f01e1802b35 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py 
@@ -26,16 +26,15 @@ def route_maps(self: AvdStructuredConfigOverlayProtocol) -> None: if self.shared_utils.overlay_cvx: return - if self.shared_utils.overlay_routing_protocol == "ebgp": - if self.inputs.evpn_prevent_readvertise_to_server: - remote_asns = natural_sort({rs_dict.get("bgp_as") for rs_dict in self._evpn_route_servers.values()}) - for remote_asn in remote_asns: - route_maps_item = EosCliConfigGen.RouteMapsItem(name=f"RM-EVPN-FILTER-AS{remote_asn}") - route_maps_item.sequence_numbers.append_new( - sequence=10, type="deny", match=EosCliConfigGen.RouteMapsItem.SequenceNumbersItem.Match([f"as {remote_asn}"]) - ) - route_maps_item.sequence_numbers.append_new(sequence=20, type="permit") - self.structured_config.route_maps.append(route_maps_item) + if self.shared_utils.overlay_routing_protocol == "ebgp" and self.inputs.evpn_prevent_readvertise_to_server: + remote_asns = natural_sort({rs_dict.get("bgp_as") for rs_dict in self._evpn_route_servers.values()}) + for remote_asn in remote_asns: + route_maps_item = EosCliConfigGen.RouteMapsItem(name=f"RM-EVPN-FILTER-AS{remote_asn}") + route_maps_item.sequence_numbers.append_new( + sequence=10, type="deny", match=EosCliConfigGen.RouteMapsItem.SequenceNumbersItem.Match([f"as {remote_asn}"]) + ) + route_maps_item.sequence_numbers.append_new(sequence=20, type="permit") + self.structured_config.route_maps.append(route_maps_item) if ( self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server" From 738ab630c226bf9d1cbe965e0b0e1182c84075a4 Mon Sep 17 00:00:00 2001 From: gmuloc Date: Tue, 18 Feb 2025 09:24:23 +0100 Subject: [PATCH 40/40] Test: Moleculing the molecule --- .../cv-pathfinder-edge-wan-use-evpn-on-lan.cfg | 8 ++++++++ .../cv-pathfinder-edge-wan-use-evpn-on-lan.yml | 14 ++++++++++++++ 2 files changed, 22 insertions(+) 
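Review bot: `rs_dict.get("bgp_as")` in the set comprehension yields None for any route-server entry without that key, and the flattened condition keeps that behaviour. None would then reach `natural_sort` and, if it survives the sort, produce a route-map named `RM-EVPN-FILTER-ASNone` with an `as None` match rather than an error. Whether `_evpn_route_servers` can hold an entry without `bgp_as` is not visible from this hunk, so this may be unreachable. If it is not guaranteed upstream, skip such entries explicitly, e.g. `remote_asns = natural_sort({asn for rs in self._evpn_route_servers.values() if (asn := rs.get("bgp_as")) is not None})`, or index `rs_dict["bgp_as"]` so a missing value fails loudly instead of rendering a filter that matches nothing. The rest of route_maps lies outside the hunk.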
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg index 6d8d264b2fe..da8236079c8 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg @@ -280,6 +280,14 @@ route-map RM-CONN-2-BGP permit 10 route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 match extcommunity ECL-EVPN-SOO ! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.42.12:12 additive +! router bfd multihop interval 300 min-rx 300 multiplier 3 ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml index 3c2de65d653..62e2bd308e3 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml 
@@ -231,6 +231,20 @@ route_maps: description: Mark prefixes originated from the LAN set: - extcommunity soo 192.168.42.12:12 additive +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.42.12:12 additive - name: RM-EVPN-EXPORT-VRF-DEFAULT sequence_numbers: - sequence: 10