Feat(eos_designs): Implement WAN/LAN redistribution for eBGP LAN (ari…

…stanetworks#3602) Co-authored-by: Claus Holbech <[email protected]>
Glitchgoomba · Feb 20, 2024 · 11cde43 · 11cde43
1 parent 1d52b10
commit 11cde43
Show file tree

Hide file tree

Showing 57 changed files with 1,825 additions and 447 deletions.
diff --git a/...a/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge-no-default-policy.cfg b/...a/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge-no-default-policy.cfg
@@ -107,14 +107,25 @@ ip routing vrf IT
 no ip routing vrf MGMT
 ip routing vrf PROD
 !
+ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.30.1:0
+!
 ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
    seq 10 permit 192.168.30.0/24 eq 32
 !
 route-map RM-CONN-2-BGP permit 10
    match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+   set extcommunity soo 192.168.30.1:0 additive
 !
-route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30
-   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10
+   match extcommunity ECL-EVPN-SOO
+!
+route-map RM-EVPN-SOO-IN deny 10
+   match extcommunity ECL-EVPN-SOO
+!
+route-map RM-EVPN-SOO-IN permit 20
+!
+route-map RM-EVPN-SOO-OUT permit 10
+   set extcommunity soo 192.168.30.1:0 additive
 !
 router bfd
    multihop interval 300 min-rx 300 multiplier 3
@@ -137,6 +148,8 @@ router bgp 65000
    redistribute connected route-map RM-CONN-2-BGP
    !
    address-family evpn
+      neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in
+      neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out
       neighbor WAN-OVERLAY-PEERS activate
    !
    address-family ipv4

diff --git a/..._collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg b/..._collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg
@@ -137,14 +137,25 @@ ip routing vrf IT
 no ip routing vrf MGMT
 ip routing vrf PROD
 !
+ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.30.1:0
+!
 ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
    seq 10 permit 192.168.30.0/24 eq 32
 !
 route-map RM-CONN-2-BGP permit 10
    match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+   set extcommunity soo 192.168.30.1:0 additive
 !
-route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30
-   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10
+   match extcommunity ECL-EVPN-SOO
+!
+route-map RM-EVPN-SOO-IN deny 10
+   match extcommunity ECL-EVPN-SOO
+!
+route-map RM-EVPN-SOO-IN permit 20
+!
+route-map RM-EVPN-SOO-OUT permit 10
+   set extcommunity soo 192.168.30.1:0 additive
 !
 router bfd
    multihop interval 300 min-rx 300 multiplier 3
@@ -169,6 +180,8 @@ router bgp 65000
    redistribute connected route-map RM-CONN-2-BGP
    !
    address-family evpn
+      neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in
+      neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out
       neighbor WAN-OVERLAY-PEERS activate
    !
    address-family ipv4

diff --git a/...e_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg b/...e_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg
@@ -22,7 +22,6 @@ router path-selection
          ipv4 address 10.8.8.8
    !
    path-group LTE id 102
-      ipsec profile AUTOVPN
    !
    path-group MPLS id 100
    !
@@ -128,14 +127,17 @@ application traffic recognition
 ip routing
 no ip routing vrf MGMT
 !
+ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.31.1:0
+!
 ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
    seq 10 permit 192.168.31.0/24 eq 32
 !
 route-map RM-CONN-2-BGP permit 10
    match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+   set extcommunity soo 192.168.31.1:0 additive
 !
-route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30
-   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10
+   match extcommunity ECL-EVPN-SOO
 !
 router bfd
    multihop interval 300 min-rx 300 multiplier 3

diff --git a/...e_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg b/...e_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg
@@ -22,7 +22,6 @@ router path-selection
          ipv4 address 10.7.7.7
    !
    path-group LTE id 102
-      ipsec profile AUTOVPN
    !
    path-group MPLS id 100
    !
@@ -127,16 +126,19 @@ application traffic recognition
 ip routing
 no ip routing vrf MGMT
 !
+ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.31.2:0
+!
 ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
    seq 10 permit 192.168.31.0/24 eq 32
 !
 ip route 0.0.0.0/0 10.8.8.9
 !
 route-map RM-CONN-2-BGP permit 10
    match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+   set extcommunity soo 192.168.31.2:0 additive
 !
-route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30
-   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10
+   match extcommunity ECL-EVPN-SOO
 !
 router bfd
    multihop interval 300 min-rx 300 multiplier 3

diff --git a/...ections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-peer-groups-2.cfg b/...ections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-peer-groups-2.cfg
@@ -58,8 +58,6 @@ interface Vxlan1
 ip routing
 no ip routing vrf MGMT
 !
-ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.254.111:1
-!
 ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
    seq 10 permit 192.168.255.0/24 eq 32
    seq 20 permit 192.168.254.0/24 eq 32
@@ -77,14 +75,6 @@ ip route vrf MGMT 0.0.0.0/0 192.168.0.1
 route-map RM-CONN-2-BGP permit 10
    match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
 !
-route-map RM-EVPN-SOO-IN deny 10
-   match extcommunity ECL-EVPN-SOO
-!
-route-map RM-EVPN-SOO-IN permit 20
-!
-route-map RM-EVPN-SOO-OUT permit 10
-   set extcommunity soo 192.168.254.111:1 additive
-!
 route-map RM-MLAG-PEER-IN permit 10
    description Make routes learned over MLAG Peer-link less preferred on spines to ensure optimal routing
    set origin incomplete
@@ -131,8 +121,6 @@ router bgp 65001
    redistribute connected route-map RM-CONN-2-BGP
    !
    address-family evpn
-      neighbor EVPN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in
-      neighbor EVPN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out
       neighbor EVPN-OVERLAY-PEERS activate
       neighbor RR-OVERLAY-PEERS activate
    !

diff --git a/...ecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-common-path-group.cfg b/...ecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-common-path-group.cfg
@@ -16,13 +16,15 @@ transceiver qsfp default-mode 4x10G
 !
 service routing protocols model multi-agent
 !
+ip as-path access-list ASPATH-WAN permit 65000 any
+!
 hostname cv-pathfinder-edge-no-common-path-group
 !
 router adaptive-virtual-topology
    topology role edge
    region AVD_Land_East id 43
    zone DEFAULT-ZONE id 1
-   site Site512 id 512
+   site Site511 id 511
    !
    policy DEFAULT-AVT-POLICY
       !
@@ -127,11 +129,8 @@ vrf instance PROD
 !
 ip security
    !
-   ike policy DP-IKE-POLICY
-      local-id 192.168.142.6
-   !
    ike policy CP-IKE-POLICY
-      local-id 192.168.142.6
+      local-id 192.168.142.2
    !
    sa policy DP-SA-POLICY
       esp encryption aes128
@@ -142,7 +141,6 @@ ip security
       pfs dh-group 14
    !
    profile DP-PROFILE
-      ike-policy DP-IKE-POLICY
       sa-policy DP-SA-POLICY
       connection start
       shared-key 7 ABCDEF1234567890666
@@ -164,7 +162,7 @@ interface Dps1
    description DPS Interface
    mtu 9214
    flow tracker hardware WAN-FLOW-TRACKER
-   ip address 192.168.142.6/32
+   ip address 192.168.142.2/32
 !
 interface Ethernet1
    no shutdown
@@ -173,10 +171,34 @@ interface Ethernet1
    ip address dhcp
    dhcp client accept default-route
 !
+interface Ethernet52
+   description P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet2
+   no shutdown
+   mtu 9214
+   no switchport
+   flow tracker hardware WAN-FLOW-TRACKER
+   ip address 172.17.0.3/31
+!
+interface Ethernet52.42
+   description P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet2.42_vrf_PROD
+   no shutdown
+   mtu 9214
+   encapsulation dot1q vlan 42
+   vrf PROD
+   ip address 172.17.0.3/31
+!
+interface Ethernet52.100
+   description P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet2.100_vrf_IT
+   no shutdown
+   mtu 9214
+   encapsulation dot1q vlan 100
+   vrf IT
+   ip address 172.17.0.3/31
+!
 interface Loopback0
    description Router_ID
    no shutdown
-   ip address 192.168.42.6/32
+   ip address 192.168.42.2/32
 !
 interface Vxlan1
    description cv-pathfinder-edge-no-common-path-group_VTEP
@@ -233,23 +255,55 @@ ip routing vrf IT
 no ip routing vrf MGMT
 ip routing vrf PROD
 !
+ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.2:511
+!
 ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
    seq 10 permit 192.168.42.0/24 eq 32
 !
+route-map RM-BGP-UNDERLAY-PEERS-IN deny 20
+   description Deny prefixes from WAN
+   match as-path ASPATH-WAN
+!
+route-map RM-BGP-UNDERLAY-PEERS-IN permit 30
+   description Mark prefixes originated from the LAN
+   set extcommunity soo 192.168.42.2:511 additive
+!
+route-map RM-BGP-UNDERLAY-PEERS-OUT permit 10
+   description Advertise local routes towards LAN
+   match extcommunity ECL-EVPN-SOO
+!
+route-map RM-BGP-UNDERLAY-PEERS-OUT permit 20
+   description Advertise routes received from WAN iBGP towards LAN
+   match route-type internal
+!
 route-map RM-CONN-2-BGP permit 10
    match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+   set extcommunity soo 192.168.42.2:511 additive
 !
-route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30
-   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10
+   match extcommunity ECL-EVPN-SOO
+!
+route-map RM-EVPN-SOO-IN deny 10
+   match extcommunity ECL-EVPN-SOO
+!
+route-map RM-EVPN-SOO-IN permit 20
+!
+route-map RM-EVPN-SOO-OUT permit 10
+   set extcommunity soo 192.168.42.2:511 additive
 !
 router bfd
    multihop interval 300 min-rx 300 multiplier 3
 !
 router bgp 65000
-   router-id 192.168.42.6
+   router-id 192.168.42.2
    maximum-paths 16
    update wait-install
    no bgp default ipv4-unicast
+   neighbor IPv4-UNDERLAY-PEERS peer group
+   neighbor IPv4-UNDERLAY-PEERS send-community
+   neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000
+   neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in
+   neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-OUT out
    neighbor WAN-OVERLAY-PEERS peer group
    neighbor WAN-OVERLAY-PEERS remote-as 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
@@ -258,12 +312,18 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0
+   neighbor 172.17.0.2 peer group IPv4-UNDERLAY-PEERS
+   neighbor 172.17.0.2 remote-as 65000
+   neighbor 172.17.0.2 description site-ha-disabled-leaf_Ethernet2
    redistribute connected route-map RM-CONN-2-BGP
    !
    address-family evpn
+      neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in
+      neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out
       neighbor WAN-OVERLAY-PEERS activate
    !
    address-family ipv4
+      neighbor IPv4-UNDERLAY-PEERS activate
       no neighbor WAN-OVERLAY-PEERS activate
    !
    address-family ipv4 sr-te
@@ -279,23 +339,29 @@ router bgp 65000
       neighbor WAN-OVERLAY-PEERS activate
    !
    vrf default
-      rd 192.168.42.6:1
+      rd 192.168.42.2:1
       route-target import evpn 1:1
       route-target export evpn 1:1
       route-target export evpn route-map RM-EVPN-EXPORT-VRF-DEFAULT
    !
    vrf IT
-      rd 192.168.42.6:100
+      rd 192.168.42.2:100
       route-target import evpn 100:100
       route-target export evpn 100:100
-      router-id 192.168.42.6
+      router-id 192.168.42.2
+      neighbor 172.17.0.2 remote-as 65000
+      neighbor 172.17.0.2 peer group IPv4-UNDERLAY-PEERS
+      neighbor 172.17.0.2 description site-ha-disabled-leaf_Ethernet2.100_vrf_IT
       redistribute connected
    !
    vrf PROD
-      rd 192.168.42.6:42
+      rd 192.168.42.2:42
       route-target import evpn 42:42
       route-target export evpn 42:42
-      router-id 192.168.42.6
+      router-id 192.168.42.2
+      neighbor 172.17.0.2 remote-as 65000
+      neighbor 172.17.0.2 peer group IPv4-UNDERLAY-PEERS
+      neighbor 172.17.0.2 description site-ha-disabled-leaf_Ethernet2.42_vrf_PROD
       redistribute connected
 !
 router traffic-engineering