From 11cde437933e4e8dc30298ed0970d5a351c46576 Mon Sep 17 00:00:00 2001 
From: Guillaume Mulocher Date: Tue, 20 Feb 2024 11:18:59 +0100 Subject: [PATCH] Feat(eos_designs): Implement WAN/LAN redistribution for eBGP LAN (#3602) Co-authored-by: Claus Holbech --- .../autovpn-edge-no-default-policy.cfg | 17 +- .../intended/configs/autovpn-edge.cfg | 17 +- .../intended/configs/autovpn-rr1.cfg | 8 +- .../intended/configs/autovpn-rr2.cfg | 8 +- .../intended/configs/bgp-peer-groups-2.cfg | 12 - ...v-pathfinder-edge-no-common-path-group.cfg | 98 +++++-- .../cv-pathfinder-edge-no-default-policy.cfg | 21 +- .../intended/configs/cv-pathfinder-edge.cfg | 89 +++++- .../configs/cv-pathfinder-pathfinder.cfg | 16 +- .../configs/cv-pathfinder-pathfinder1.cfg | 16 +- .../configs/cv-pathfinder-pathfinder2.cfg | 16 +- .../configs/cv-pathfinder-transit.cfg | 45 ++- .../configs/site-ha-disabled-leaf.cfg | 192 +++++++++++++ .../autovpn-edge-no-default-policy.yml | 27 +- .../structured_configs/autovpn-edge.yml | 27 +- .../structured_configs/autovpn-rr1.yml | 12 +- .../structured_configs/autovpn-rr2.yml | 12 +- .../structured_configs/bgp-peer-groups-2.yml | 21 -- ...v-pathfinder-edge-no-common-path-group.yml | 229 +++++++++++---- .../cv-pathfinder-edge-no-default-policy.yml | 30 +- .../structured_configs/cv-pathfinder-edge.yml | 218 +++++++++++--- .../cv-pathfinder-pathfinder.yml | 58 ++-- .../cv-pathfinder-pathfinder1.yml | 62 ++-- .../cv-pathfinder-pathfinder2.yml | 62 ++-- .../cv-pathfinder-transit.yml | 82 +++++- .../site-ha-disabled-leaf.yml | 270 ++++++++++++++++++ .../inventory/group_vars/AUTOVPN_TESTS.yml | 2 + .../group_vars/CV_PATHFINDER_TESTS.yml | 84 +++++- .../autovpn-edge-no-default-policy.yml | 2 + .../cv-pathfinder-edge-no-default-policy.yml | 2 + .../inventory/hosts.yml | 14 +- .../node_type_keys.py | 3 - .../eos_designs_shared_utils/overlay.py | 21 ++ .../eos_designs_shared_utils/wan.py | 20 +- .../docs/tables/fabric-settings.md | 7 +- .../eos_designs/docs/tables/node-type-keys.md | 4 +- .../avd/roles/eos_designs/docs/wan-preview.md | 49 +++- 
.../network_services/dps_interfaces.py | 2 +- .../network_services/route_maps.py | 86 ++++-- .../network_services/router_bgp.py | 15 +- .../python_modules/network_services/utils.py | 3 + .../python_modules/overlay/flow_tracking.py | 2 +- .../overlay/ip_extcommunity_lists.py | 4 +- .../python_modules/overlay/ip_security.py | 9 +- .../python_modules/overlay/route_maps.py | 71 ++--- .../python_modules/overlay/router_bgp.py | 3 +- .../overlay/router_path_selection.py | 27 +- .../python_modules/underlay/as_path.py | 42 +++ .../underlay/avdstructuredconfig.py | 2 + .../underlay/ethernet_interfaces.py | 13 + .../python_modules/underlay/route_maps.py | 63 +++- .../python_modules/underlay/router_bgp.py | 5 + .../python_modules/underlay/utils.py | 2 +- .../schemas/eos_designs.jsonschema.json | 8 +- .../schemas/eos_designs.schema.yml | 23 +- .../node_type_keys.schema.yml | 13 +- .../underlay_routing_protocol.schema.yml | 6 +- 57 files changed, 1825 insertions(+), 447 deletions(-) create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg create mode 100644 ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml create mode 100644 ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/as_path.py
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge-no-default-policy.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge-no-default-policy.cfg
index abfdcbc3793..1afaa772920 100644
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge-no-default-policy.cfg
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge-no-default-policy.cfg
@@ -107,14 +107,25 @@ ip routing vrf IT no ip routing vrf MGMT ip routing vrf PROD ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.30.1:0 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.30.0/24 eq 32 ! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.30.1:0 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.30.1:0 additive ! router bfd multihop interval 300 min-rx 300 multiplier 3 @@ -137,6 +148,8 @@ router bgp 65000 redistribute connected route-map RM-CONN-2-BGP ! address-family evpn + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg index 7faa32aef79..535167a2b46 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg 
@@ -137,14 +137,25 @@ ip routing vrf IT no ip routing vrf MGMT ip routing vrf PROD ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.30.1:0 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.30.0/24 eq 32 ! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.30.1:0 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.30.1:0 additive ! router bfd multihop interval 300 min-rx 300 multiplier 3 @@ -169,6 +180,8 @@ router bgp 65000 redistribute connected route-map RM-CONN-2-BGP ! address-family evpn + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg index 7585bd85e75..27433ada7a9 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg @@ -22,7 +22,6 @@ router path-selection ipv4 address 10.8.8.8 ! path-group LTE id 102 - ipsec profile AUTOVPN ! path-group MPLS id 100 ! 
@@ -128,14 +127,17 @@ application traffic recognition ip routing no ip routing vrf MGMT ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.31.1:0 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.31.0/24 eq 32 ! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.31.1:0 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO ! router bfd multihop interval 300 min-rx 300 multiplier 3 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg index fbf31f1aced..f7d72f1ad9a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg @@ -22,7 +22,6 @@ router path-selection ipv4 address 10.7.7.7 ! path-group LTE id 102 - ipsec profile AUTOVPN ! path-group MPLS id 100 ! @@ -127,6 +126,8 @@ application traffic recognition ip routing no ip routing vrf MGMT ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.31.2:0 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.31.0/24 eq 32 ! @@ -134,9 +135,10 @@ ip route 0.0.0.0/0 10.8.8.9 ! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.31.2:0 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO ! router bfd multihop interval 300 min-rx 300 multiplier 3 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-peer-groups-2.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-peer-groups-2.cfg index 78c4d6d8a46..a7f683fee3a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-peer-groups-2.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/bgp-peer-groups-2.cfg @@ -58,8 +58,6 @@ interface Vxlan1 ip routing no ip routing vrf MGMT ! -ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.254.111:1 -! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.255.0/24 eq 32 seq 20 permit 192.168.254.0/24 eq 32 @@ -77,14 +75,6 @@ ip route vrf MGMT 0.0.0.0/0 192.168.0.1 route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY ! -route-map RM-EVPN-SOO-IN deny 10 - match extcommunity ECL-EVPN-SOO -! -route-map RM-EVPN-SOO-IN permit 20 -! -route-map RM-EVPN-SOO-OUT permit 10 - set extcommunity soo 192.168.254.111:1 additive -! route-map RM-MLAG-PEER-IN permit 10 description Make routes learned over MLAG Peer-link less preferred on spines to ensure optimal routing set origin incomplete @@ -131,8 +121,6 @@ router bgp 65001 redistribute connected route-map RM-CONN-2-BGP ! address-family evpn - neighbor EVPN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in - neighbor EVPN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out neighbor EVPN-OVERLAY-PEERS activate neighbor RR-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-common-path-group.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-common-path-group.cfg index 167b5b1c6cc..a68ac484034 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-common-path-group.cfg 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-common-path-group.cfg @@ -16,13 +16,15 @@ transceiver qsfp default-mode 4x10G ! service routing protocols model multi-agent ! +ip as-path access-list ASPATH-WAN permit 65000 any +! hostname cv-pathfinder-edge-no-common-path-group ! router adaptive-virtual-topology topology role edge region AVD_Land_East id 43 zone DEFAULT-ZONE id 1 - site Site512 id 512 + site Site511 id 511 ! policy DEFAULT-AVT-POLICY ! @@ -127,11 +129,8 @@ vrf instance PROD ! ip security ! - ike policy DP-IKE-POLICY - local-id 192.168.142.6 - ! ike policy CP-IKE-POLICY - local-id 192.168.142.6 + local-id 192.168.142.2 ! sa policy DP-SA-POLICY esp encryption aes128 @@ -142,7 +141,6 @@ ip security pfs dh-group 14 ! profile DP-PROFILE - ike-policy DP-IKE-POLICY sa-policy DP-SA-POLICY connection start shared-key 7 ABCDEF1234567890666 @@ -164,7 +162,7 @@ interface Dps1 description DPS Interface mtu 9214 flow tracker hardware WAN-FLOW-TRACKER - ip address 192.168.142.6/32 + ip address 192.168.142.2/32 ! interface Ethernet1 no shutdown @@ -173,10 +171,34 @@ interface Ethernet1 ip address dhcp dhcp client accept default-route ! +interface Ethernet52 + description P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet2 + no shutdown + mtu 9214 + no switchport + flow tracker hardware WAN-FLOW-TRACKER + ip address 172.17.0.3/31 +! +interface Ethernet52.42 + description P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet2.42_vrf_PROD + no shutdown + mtu 9214 + encapsulation dot1q vlan 42 + vrf PROD + ip address 172.17.0.3/31 +! +interface Ethernet52.100 + description P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet2.100_vrf_IT + no shutdown + mtu 9214 + encapsulation dot1q vlan 100 + vrf IT + ip address 172.17.0.3/31 +! interface Loopback0 description Router_ID no shutdown - ip address 192.168.42.6/32 + ip address 192.168.42.2/32 ! interface Vxlan1 description cv-pathfinder-edge-no-common-path-group_VTEP 
@@ -233,23 +255,55 @@ ip routing vrf IT no ip routing vrf MGMT ip routing vrf PROD ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.2:511 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.42.0/24 eq 32 ! +route-map RM-BGP-UNDERLAY-PEERS-IN deny 20 + description Deny prefixes from WAN + match as-path ASPATH-WAN +! +route-map RM-BGP-UNDERLAY-PEERS-IN permit 30 + description Mark prefixes originated from the LAN + set extcommunity soo 192.168.42.2:511 additive +! +route-map RM-BGP-UNDERLAY-PEERS-OUT permit 10 + description Advertise local routes towards LAN + match extcommunity ECL-EVPN-SOO +! +route-map RM-BGP-UNDERLAY-PEERS-OUT permit 20 + description Advertise routes received from WAN iBGP towards LAN + match route-type internal +! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.42.2:511 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.42.2:511 additive ! router bfd multihop interval 300 min-rx 300 multiplier 3 ! router bgp 65000 - router-id 192.168.42.6 + router-id 192.168.42.2 maximum-paths 16 update wait-install no bgp default ipv4-unicast + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-OUT out neighbor WAN-OVERLAY-PEERS peer group neighbor WAN-OVERLAY-PEERS remote-as 65000 neighbor WAN-OVERLAY-PEERS update-source Dps1 
@@ -258,12 +312,18 @@ router bgp 65000 neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ== neighbor WAN-OVERLAY-PEERS send-community neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 172.17.0.2 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.2 remote-as 65000 + neighbor 172.17.0.2 description site-ha-disabled-leaf_Ethernet2 redistribute connected route-map RM-CONN-2-BGP ! address-family evpn + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate no neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 sr-te @@ -279,23 +339,29 @@ router bgp 65000 neighbor WAN-OVERLAY-PEERS activate ! vrf default - rd 192.168.42.6:1 + rd 192.168.42.2:1 route-target import evpn 1:1 route-target export evpn 1:1 route-target export evpn route-map RM-EVPN-EXPORT-VRF-DEFAULT ! vrf IT - rd 192.168.42.6:100 + rd 192.168.42.2:100 route-target import evpn 100:100 route-target export evpn 100:100 - router-id 192.168.42.6 + router-id 192.168.42.2 + neighbor 172.17.0.2 remote-as 65000 + neighbor 172.17.0.2 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.2 description site-ha-disabled-leaf_Ethernet2.100_vrf_IT redistribute connected ! vrf PROD - rd 192.168.42.6:42 + rd 192.168.42.2:42 route-target import evpn 42:42 route-target export evpn 42:42 - router-id 192.168.42.6 + router-id 192.168.42.2 + neighbor 172.17.0.2 remote-as 65000 + neighbor 172.17.0.2 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.2 description site-ha-disabled-leaf_Ethernet2.42_vrf_PROD redistribute connected ! router traffic-engineering diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg index 9c37e1e85c4..4d075bb4762 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg @@ -99,9 +99,6 @@ vrf instance PROD ! ip security ! - ike policy DP-IKE-POLICY - local-id 192.168.255.1 - ! ike policy CP-IKE-POLICY local-id 192.168.255.1 ! @@ -114,7 +111,6 @@ ip security pfs dh-group 14 ! profile DP-PROFILE - ike-policy DP-IKE-POLICY sa-policy DP-SA-POLICY connection start shared-key 7 ABCDEF1234567890666 @@ -186,14 +182,25 @@ ip routing vrf IT no ip routing vrf MGMT ip routing vrf PROD ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.1:511 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.42.0/24 eq 32 ! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.42.1:511 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.42.1:511 additive ! router bfd multihop interval 300 min-rx 300 multiplier 3 @@ -216,6 +223,8 @@ router bgp 65000 redistribute connected route-map RM-CONN-2-BGP ! address-family evpn + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg index d4ce637e851..9c07e52fc82 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg @@ -16,6 +16,8 @@ transceiver qsfp default-mode 4x10G ! service routing protocols model multi-agent ! +ip as-path access-list ASPATH-WAN permit 65000 any +! hostname cv-pathfinder-edge ! router adaptive-virtual-topology @@ -163,9 +165,6 @@ vrf instance PROD ! ip security ! - ike policy DP-IKE-POLICY - local-id 192.168.142.1 - ! ike policy CP-IKE-POLICY local-id 192.168.142.1 ! @@ -178,7 +177,6 @@ ip security pfs dh-group 14 ! profile DP-PROFILE - ike-policy DP-IKE-POLICY sa-policy DP-SA-POLICY connection start shared-key 7 ABCDEF1234567890666 @@ -221,6 +219,30 @@ interface Ethernet3 flow tracker hardware WAN-FLOW-TRACKER ip address 172.20.20.20/31 ! +interface Ethernet52 + description P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet1 + no shutdown + mtu 9214 + no switchport + flow tracker hardware WAN-FLOW-TRACKER + ip address 172.17.0.1/31 +! +interface Ethernet52.42 + description P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet1.42_vrf_PROD + no shutdown + mtu 9214 + encapsulation dot1q vlan 42 + vrf PROD + ip address 172.17.0.1/31 +! +interface Ethernet52.100 + description P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet1.100_vrf_IT + no shutdown + mtu 9214 + encapsulation dot1q vlan 100 + vrf IT + ip address 172.17.0.1/31 +! interface Loopback0 description Router_ID no shutdown 
@@ -282,14 +304,51 @@ ip routing vrf IT no ip routing vrf MGMT ip routing vrf PROD ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.1:511 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.42.0/24 eq 32 ! +ip prefix-list PL-STATIC-VRF-DEFAULT + seq 10 permit 66.66.66.0/24 +! +ip route 172.16.0.0/16 172.16.5.4 +ip route 66.66.66.0/24 172.17.0.0 +! +route-map RM-BGP-UNDERLAY-PEERS-IN deny 20 + description Deny prefixes from WAN + match as-path ASPATH-WAN +! +route-map RM-BGP-UNDERLAY-PEERS-IN permit 30 + description Mark prefixes originated from the LAN + set extcommunity soo 192.168.42.1:511 additive +! +route-map RM-BGP-UNDERLAY-PEERS-OUT permit 10 + description Advertise local routes towards LAN + match extcommunity ECL-EVPN-SOO +! +route-map RM-BGP-UNDERLAY-PEERS-OUT permit 20 + description Advertise routes received from WAN iBGP towards LAN + match route-type internal +! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.42.1:511 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.42.1:511 additive +! +route-map RM-STATIC-2-BGP permit 10 + match ip address prefix-list PL-STATIC-VRF-DEFAULT + set extcommunity soo 192.168.42.1:511 additive ! router bfd multihop interval 300 min-rx 300 multiplier 3 
@@ -299,6 +358,11 @@ router bgp 65000 maximum-paths 16 update wait-install no bgp default ipv4-unicast + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-OUT out neighbor WAN-OVERLAY-PEERS peer group neighbor WAN-OVERLAY-PEERS remote-as 65000 neighbor WAN-OVERLAY-PEERS update-source Dps1 @@ -307,14 +371,21 @@ router bgp 65000 neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ== neighbor WAN-OVERLAY-PEERS send-community neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 172.17.0.0 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.0 remote-as 65000 + neighbor 172.17.0.0 description site-ha-disabled-leaf_Ethernet1 neighbor 192.168.144.1 peer group WAN-OVERLAY-PEERS neighbor 192.168.144.1 description cv-pathfinder-pathfinder redistribute connected route-map RM-CONN-2-BGP + redistribute static route-map RM-STATIC-2-BGP ! address-family evpn + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate no neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 sr-te @@ -340,6 +411,9 @@ router bgp 65000 route-target import evpn 100:100 route-target export evpn 100:100 router-id 192.168.42.1 + neighbor 172.17.0.0 remote-as 65000 + neighbor 172.17.0.0 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.0 description site-ha-disabled-leaf_Ethernet1.100_vrf_IT redistribute connected ! vrf PROD 
@@ -347,6 +421,9 @@ router bgp 65000 route-target import evpn 42:42 route-target export evpn 42:42 router-id 192.168.42.1 + neighbor 172.17.0.0 remote-as 65000 + neighbor 172.17.0.0 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.0 description site-ha-disabled-leaf_Ethernet1.42_vrf_PROD redistribute connected ! router traffic-engineering diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg index c35f7fc33cb..83050de528d 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg @@ -110,7 +110,6 @@ router path-selection tcp mss ceiling ipv4 ingress ! path-group Equinix id 103 - ipsec profile CP-PROFILE ! path-group INET id 101 ipsec profile CP-PROFILE @@ -120,14 +119,12 @@ router path-selection local interface Ethernet3 ! path-group LTE id 102 - ipsec profile CP-PROFILE ! path-group MPLS id 100 ! local interface Ethernet2 ! path-group Satellite id 104 - ipsec profile CP-PROFILE ! load-balance policy LB-CONTROL-PLANE-PROFILE path-group INET @@ -272,6 +269,8 @@ application traffic recognition ip routing no ip routing vrf MGMT ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.44.1:0 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.44.0/24 eq 32 ! @@ -279,9 +278,10 @@ ip route 0.0.0.0/0 10.7.7.6 ! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.44.1:0 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO ! router bfd multihop interval 300 min-rx 300 multiplier 3 
@@ -294,6 +294,11 @@ router bgp 65000 bgp cluster-id 192.168.44.1 bgp listen range 192.168.142.0/24 peer-group WAN-OVERLAY-PEERS remote-as 65000 bgp listen range 192.168.143.0/24 peer-group WAN-OVERLAY-PEERS remote-as 65000 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-OUT out neighbor WAN-OVERLAY-PEERS peer group neighbor WAN-OVERLAY-PEERS remote-as 65000 neighbor WAN-OVERLAY-PEERS update-source Dps1 @@ -310,6 +315,7 @@ router bgp 65000 next-hop resolution disabled ! address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate no neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 sr-te diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg index 3cbaa00f6b5..ec8816dd656 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg @@ -110,7 +110,6 @@ router path-selection tcp mss ceiling ipv4 ingress ! path-group Equinix id 103 - ipsec profile CP-PROFILE ! path-group INET id 101 ipsec profile CP-PROFILE @@ -126,12 +125,10 @@ router path-selection ipv4 address 10.9.9.9 ! path-group LTE id 102 - ipsec profile CP-PROFILE ! path-group MPLS id 100 ! path-group Satellite id 104 - ipsec profile CP-PROFILE ! load-balance policy LB-CONTROL-PLANE-PROFILE path-group INET 
@@ -263,14 +260,17 @@ application traffic recognition ip routing no ip routing vrf MGMT ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.44.2:0 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.44.0/24 eq 32 ! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.44.2:0 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO ! router bfd multihop interval 300 min-rx 300 multiplier 3 @@ -283,6 +283,11 @@ router bgp 65000 bgp cluster-id 192.168.44.2 bgp listen range 192.168.142.0/24 peer-group WAN-OVERLAY-PEERS remote-as 65000 bgp listen range 192.168.143.0/24 peer-group WAN-OVERLAY-PEERS remote-as 65000 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-OUT out neighbor WAN-OVERLAY-PEERS peer group neighbor WAN-OVERLAY-PEERS remote-as 65000 neighbor WAN-OVERLAY-PEERS update-source Dps1 @@ -311,6 +316,7 @@ router bgp 65000 next-hop resolution disabled ! address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate no neighbor WAN-OVERLAY-PEERS activate no neighbor WAN-RR-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg index 23be64bcfaa..3c3c9ed5031 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg 
@@ -110,7 +110,6 @@ router path-selection tcp mss ceiling ipv4 ingress ! path-group Equinix id 103 - ipsec profile CP-PROFILE ! path-group INET id 101 ipsec profile CP-PROFILE @@ -126,7 +125,6 @@ router path-selection ipv4 address 10.8.8.8 ! path-group LTE id 102 - ipsec profile CP-PROFILE ! path-group MPLS id 100 ! @@ -137,7 +135,6 @@ router path-selection ipv4 address 172.17.17.17 ! path-group Satellite id 104 - ipsec profile CP-PROFILE ! load-balance policy LB-CONTROL-PLANE-PROFILE path-group INET @@ -276,14 +273,17 @@ application traffic recognition ip routing no ip routing vrf MGMT ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.44.3:0 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.44.0/24 eq 32 ! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.44.3:0 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO ! router bfd multihop interval 300 min-rx 300 multiplier 3 @@ -296,6 +296,11 @@ router bgp 65000 bgp cluster-id 192.168.44.3 bgp listen range 192.168.142.0/24 peer-group WAN-OVERLAY-PEERS remote-as 65000 bgp listen range 192.168.143.0/24 peer-group WAN-OVERLAY-PEERS remote-as 65000 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-OUT out neighbor WAN-OVERLAY-PEERS peer group neighbor WAN-OVERLAY-PEERS remote-as 65000 neighbor WAN-OVERLAY-PEERS update-source Dps1 @@ -324,6 +329,7 @@ router bgp 65000 next-hop resolution disabled ! address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate no neighbor WAN-OVERLAY-PEERS activate no neighbor WAN-RR-OVERLAY-PEERS activate ! 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit.cfg index c1f786e5224..e17d1bb1a2d 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit.cfg @@ -16,6 +16,8 @@ transceiver qsfp default-mode 4x10G ! service routing protocols model multi-agent ! +ip as-path access-list ASPATH-WAN permit 65000 any +! hostname cv-pathfinder-transit ! router adaptive-virtual-topology @@ -184,9 +186,6 @@ vrf instance TRANSIT ! ip security ! - ike policy DP-IKE-POLICY - local-id 192.168.143.1 - ! ike policy CP-IKE-POLICY local-id 192.168.143.1 ! @@ -199,7 +198,6 @@ ip security pfs dh-group 14 ! profile DP-PROFILE - ike-policy DP-IKE-POLICY sa-policy DP-SA-POLICY connection start shared-key 7 ABCDEF1234567890666 
@@ -307,14 +305,41 @@ no ip routing vrf MGMT ip routing vrf PROD ip routing vrf TRANSIT ! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.43.1:422 +! ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY seq 10 permit 192.168.43.0/24 eq 32 ! +route-map RM-BGP-UNDERLAY-PEERS-IN deny 20 + description Deny prefixes from WAN + match as-path ASPATH-WAN +! +route-map RM-BGP-UNDERLAY-PEERS-IN permit 30 + description Mark prefixes originated from the LAN + set extcommunity soo 192.168.43.1:422 additive +! +route-map RM-BGP-UNDERLAY-PEERS-OUT permit 10 + description Advertise local routes towards LAN + match extcommunity ECL-EVPN-SOO +! +route-map RM-BGP-UNDERLAY-PEERS-OUT permit 20 + description Advertise routes received from WAN iBGP towards LAN + match route-type internal +! route-map RM-CONN-2-BGP permit 10 match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.43.1:422 additive ! -route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 30 - match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.43.1:422 additive ! router bfd multihop interval 300 min-rx 300 multiplier 3 @@ -324,6 +349,11 @@ router bgp 65000 maximum-paths 16 update wait-install no bgp default ipv4-unicast + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-OUT out neighbor WAN-OVERLAY-PEERS peer group neighbor WAN-OVERLAY-PEERS remote-as 65000 neighbor WAN-OVERLAY-PEERS update-source Dps1 
@@ -337,9 +367,12 @@ router bgp 65000 redistribute connected route-map RM-CONN-2-BGP ! address-family evpn + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate no neighbor WAN-OVERLAY-PEERS activate ! address-family ipv4 sr-te diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg new file mode 100644 index 00000000000..7677a416156 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg 
@@ -0,0 +1,192 @@ +!RANCID-CONTENT-TYPE: arista +! +vlan internal order ascending range 1006 1199 +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname site-ha-disabled-leaf +! +no enable password +no aaa root +! +vlan 100 + name VLAN100 +! +vlan 101 + name VLAN101 +! +vrf instance IT +! +vrf instance MGMT +! +vrf instance PROD +! +interface Ethernet1 + description P2P_LINK_TO_CV-PATHFINDER-EDGE_Ethernet52 + no shutdown + mtu 9214 + no switchport + ip address 172.17.0.0/31 +! +interface Ethernet1.42 + description P2P_LINK_TO_CV-PATHFINDER-EDGE_Ethernet52.42_vrf_PROD + no shutdown + mtu 9214 + encapsulation dot1q vlan 42 + vrf PROD + ip address 172.17.0.0/31 +! +interface Ethernet1.100 + description P2P_LINK_TO_CV-PATHFINDER-EDGE_Ethernet52.100_vrf_IT + no shutdown + mtu 9214 + encapsulation dot1q vlan 100 + vrf IT + ip address 172.17.0.0/31 +! +interface Ethernet2 + description P2P_LINK_TO_CV-PATHFINDER-EDGE-NO-COMMON-PATH-GROUP_Ethernet52 + no shutdown + mtu 9214 + no switchport + ip address 172.17.0.2/31 +! +interface Ethernet2.42 + description P2P_LINK_TO_CV-PATHFINDER-EDGE-NO-COMMON-PATH-GROUP_Ethernet52.42_vrf_PROD + no shutdown + mtu 9214 + encapsulation dot1q vlan 42 + vrf PROD + ip address 172.17.0.2/31 +! +interface Ethernet2.100 + description P2P_LINK_TO_CV-PATHFINDER-EDGE-NO-COMMON-PATH-GROUP_Ethernet52.100_vrf_IT + no shutdown + mtu 9214 + encapsulation dot1q vlan 100 + vrf IT + ip address 172.17.0.2/31 +! +interface Loopback0 + description EVPN_Overlay_Peering + no shutdown + ip address 192.168.45.3/32 +! +interface Loopback1 + description VTEP_VXLAN_Tunnel_Source + no shutdown + ip address 192.168.255.3/32 +! +interface Vlan100 + description VLAN100 + shutdown + vrf PROD + ip address virtual 10.0.100.1/24 +! 
+interface Vxlan1 + description site-ha-disabled-leaf_VTEP + vxlan source-interface Loopback1 + vxlan udp-port 4789 + vxlan vlan 100 vni 1100 + vxlan vlan 101 vni 1101 + vxlan vrf default vni 1 + vxlan vrf IT vni 100 + vxlan vrf PROD vni 42 +! +ip virtual-router mac-address 00:1c:73:00:00:01 +! +ip routing +ip routing vrf IT +no ip routing vrf MGMT +ip routing vrf PROD +! +ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY + seq 10 permit 192.168.45.0/24 eq 32 + seq 20 permit 192.168.255.0/24 eq 32 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +! +router bfd + multihop interval 300 min-rx 300 multiplier 3 +! +router bgp 65000 + router-id 192.168.45.3 + maximum-paths 4 ecmp 4 + update wait-install + no bgp default ipv4-unicast + neighbor EVPN-OVERLAY-PEERS peer group + neighbor EVPN-OVERLAY-PEERS update-source Loopback0 + neighbor EVPN-OVERLAY-PEERS bfd + neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3 + neighbor EVPN-OVERLAY-PEERS send-community + neighbor EVPN-OVERLAY-PEERS maximum-routes 0 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor 172.17.0.1 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.1 remote-as 65000 + neighbor 172.17.0.1 description cv-pathfinder-edge_Ethernet52 + neighbor 172.17.0.3 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.3 remote-as 65000 + neighbor 172.17.0.3 description cv-pathfinder-edge-no-common-path-group_Ethernet52 + redistribute connected route-map RM-CONN-2-BGP + ! + vlan 100 + rd 192.168.45.3:1100 + route-target both 1100:1100 + redistribute learned + ! + vlan 101 + rd 192.168.45.3:1101 + route-target both 1101:1101 + redistribute learned + ! + address-family evpn + neighbor EVPN-OVERLAY-PEERS activate + ! + address-family ipv4 + no neighbor EVPN-OVERLAY-PEERS activate + neighbor IPv4-UNDERLAY-PEERS activate + ! 
+ vrf default + rd 192.168.45.3:1 + route-target import evpn 1:1 + route-target export evpn 1:1 + ! + vrf IT + rd 192.168.45.3:100 + route-target import evpn 100:100 + route-target export evpn 100:100 + router-id 192.168.45.3 + neighbor 172.17.0.1 remote-as 65000 + neighbor 172.17.0.1 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.1 description cv-pathfinder-edge_Ethernet52.100_vrf_IT + neighbor 172.17.0.3 remote-as 65000 + neighbor 172.17.0.3 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.3 description cv-pathfinder-edge-no-common-path-group_Ethernet52.100_vrf_IT + redistribute connected + ! + vrf PROD + rd 192.168.45.3:42 + route-target import evpn 42:42 + route-target export evpn 42:42 + router-id 192.168.45.3 + neighbor 172.17.0.1 remote-as 65000 + neighbor 172.17.0.1 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.1 description cv-pathfinder-edge_Ethernet52.42_vrf_PROD + neighbor 172.17.0.3 remote-as 65000 + neighbor 172.17.0.3 peer group IPv4-UNDERLAY-PEERS + neighbor 172.17.0.3 description cv-pathfinder-edge-no-common-path-group_Ethernet52.42_vrf_PROD + redistribute connected +! +management api http-commands + protocol https + no shutdown + ! + vrf MGMT + no shutdown +! +end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge-no-default-policy.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge-no-default-policy.yml index ac215efe188..97e489e9744 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge-no-default-policy.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge-no-default-policy.yml @@ -27,6 +27,8 @@ router_bgp: peer_groups: - name: WAN-OVERLAY-PEERS activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT address_family_ipv4: peer_groups: - name: WAN-OVERLAY-PEERS 
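Review bot: This leaf peers with both edges using `remote-as 65000` while running `router bgp 65000`, the same ASN as the edges, so every LAN session in the new fixture is iBGP; the `ASPATH-WAN` deny in the edges' `RM-BGP-UNDERLAY-PEERS-IN` can only fire on an eBGP LAN session, so this fixture never exercises the leak-prevention path and a second leaf with a distinct LAN ASN would. Separately, `EVPN-OVERLAY-PEERS` is rendered with `ebgp-multihop 3` and `maximum-routes 0` (unlimited) and activated under `address-family evpn`, yet no neighbor is attached to it anywhere in the file, while `interface Vxlan1` maps VNIs as if an overlay existed. If the LAN is meant to be IPv4-only, omit the group — or document in the scenario why an l3leaf renders it without peers — rather than leave an unlimited-route peer group waiting for a neighbor.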
@@ -132,12 +134,33 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.30.1:0 additive +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.30.1:0 additive - name: RM-EVPN-EXPORT-VRF-DEFAULT sequence_numbers: - - sequence: 30 + - sequence: 10 type: permit match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.30.1:0 ip_security: ike_policies: - name: AUTOVPN-IKE diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml index 6ab5ee49462..f849638862b 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml @@ -27,6 +27,8 @@ router_bgp: peer_groups: - name: WAN-OVERLAY-PEERS activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT address_family_ipv4: peer_groups: - name: WAN-OVERLAY-PEERS 
@@ -136,12 +138,33 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.30.1:0 additive +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.30.1:0 additive - name: RM-EVPN-EXPORT-VRF-DEFAULT sequence_numbers: - - sequence: 30 + - sequence: 10 type: permit match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.30.1:0 ip_security: ike_policies: - name: AUTOVPN-IKE diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml index a36fae1e6da..a57d1b1e0ce 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml @@ -123,12 +123,19 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.31.1:0 additive - name: RM-EVPN-EXPORT-VRF-DEFAULT sequence_numbers: - - sequence: 30 + - sequence: 10 type: permit match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.31.1:0 ip_security: ike_policies: - name: AUTOVPN-IKE @@ -169,7 +176,6 @@ router_path_selection: ipsec_profile: AUTOVPN - name: LTE id: 102 - ipsec_profile: AUTOVPN peer_dynamic_source: stun load_balance_policies: - name: LB-CONTROL-PLANE-PROFILE 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml index a5f9fd266cd..7ac551e5da5 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml @@ -122,15 +122,22 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.31.2:0 additive - name: RM-EVPN-EXPORT-VRF-DEFAULT sequence_numbers: - - sequence: 30 + - sequence: 10 type: permit match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO static_routes: - destination_address_prefix: 0.0.0.0/0 gateway: 10.8.8.9 +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.31.2:0 ip_security: ike_policies: - name: AUTOVPN-IKE @@ -171,7 +178,6 @@ router_path_selection: ipsec_profile: AUTOVPN - name: LTE id: 102 - ipsec_profile: AUTOVPN peer_dynamic_source: stun load_balance_policies: - name: LB-CONTROL-PLANE-PROFILE diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-peer-groups-2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-peer-groups-2.yml index e06feed6735..6a65737492f 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-peer-groups-2.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/bgp-peer-groups-2.yml @@ -71,8 +71,6 @@ router_bgp: peer_groups: - name: EVPN-OVERLAY-PEERS activate: true - route_map_in: RM-EVPN-SOO-IN - route_map_out: RM-EVPN-SOO-OUT - name: RR-OVERLAY-PEERS activate: true address_family_vpn_ipv4: 
@@ -153,20 +151,6 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY -- name: RM-EVPN-SOO-IN - sequence_numbers: - - sequence: 10 - type: deny - match: - - extcommunity ECL-EVPN-SOO - - sequence: 20 - type: permit -- name: RM-EVPN-SOO-OUT - sequence_numbers: - - sequence: 10 - type: permit - set: - - extcommunity soo 192.168.254.111:1 additive loopback_interfaces: - name: Loopback0 description: MPLS_Overlay_peering @@ -183,11 +167,6 @@ prefix_lists: action: permit 192.168.255.0/24 eq 32 - sequence: 20 action: permit 192.168.254.0/24 eq 32 -ip_extcommunity_lists: -- name: ECL-EVPN-SOO - entries: - - type: permit - extcommunities: soo 192.168.254.111:1 router_bfd: multihop: interval: 300 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-common-path-group.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-common-path-group.yml index 6b10d5b111e..4fd75dbe016 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-common-path-group.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-common-path-group.yml @@ -2,7 +2,7 @@ hostname: cv-pathfinder-edge-no-common-path-group is_deployed: true router_bgp: as: '65000' - router_id: 192.168.42.6 + router_id: 192.168.42.2 bgp: default: ipv4_unicast: false @@ -10,10 +10,13 @@ router_bgp: paths: 16 updates: wait_install: true - redistribute_routes: - - source_protocol: connected - route_map: RM-CONN-2-BGP peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + maximum_routes: 12000 + send_community: all + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + route_map_out: RM-BGP-UNDERLAY-PEERS-OUT - name: WAN-OVERLAY-PEERS type: wan update_source: Dps1 
@@ -23,50 +26,30 @@ router_bgp: maximum_routes: 0 remote_as: '65000' ttl_maximum_hops: 1 - address_family_evpn: - peer_groups: - - name: WAN-OVERLAY-PEERS - activate: true address_family_ipv4: peer_groups: - - name: WAN-OVERLAY-PEERS - activate: false - address_family_ipv4_sr_te: - peer_groups: - - name: WAN-OVERLAY-PEERS - activate: true - address_family_link_state: - peer_groups: - - name: WAN-OVERLAY-PEERS + - name: IPv4-UNDERLAY-PEERS activate: true - path_selection: - roles: - producer: true - address_family_path_selection: - peer_groups: - name: WAN-OVERLAY-PEERS - activate: true - bgp: - additional_paths: - receive: true - send: - any: true + activate: false + redistribute_routes: + - source_protocol: connected + route_map: RM-CONN-2-BGP + neighbors: + - ip_address: 172.17.0.2 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + peer: site-ha-disabled-leaf + description: site-ha-disabled-leaf_Ethernet2 vrfs: - - name: default - rd: 192.168.42.6:1 - route_targets: - import: - - address_family: evpn - route_targets: - - '1:1' - export: - - address_family: evpn - route_targets: - - '1:1' - - route-map RM-EVPN-EXPORT-VRF-DEFAULT - name: IT - router_id: 192.168.42.6 - rd: 192.168.42.6:100 + router_id: 192.168.42.2 + neighbors: + - ip_address: 172.17.0.2 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + description: site-ha-disabled-leaf_Ethernet2.100_vrf_IT + rd: 192.168.42.2:100 route_targets: import: - address_family: evpn @@ -79,8 +62,13 @@ router_bgp: redistribute_routes: - source_protocol: connected - name: PROD - router_id: 192.168.42.6 - rd: 192.168.42.6:42 + router_id: 192.168.42.2 + neighbors: + - ip_address: 172.17.0.2 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + description: site-ha-disabled-leaf_Ethernet2.42_vrf_PROD + rd: 192.168.42.2:42 route_targets: import: - address_family: evpn 
@@ -92,6 +80,44 @@ router_bgp: - '42:42' redistribute_routes: - source_protocol: connected + - name: default + rd: 192.168.42.2:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - route-map RM-EVPN-EXPORT-VRF-DEFAULT + address_family_evpn: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT + address_family_ipv4_sr_te: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + address_family_link_state: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + path_selection: + roles: + producer: true + address_family_path_selection: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + bgp: + additional_paths: + receive: true + send: + any: true service_routing_protocols_model: multi-agent ip_routing: true vlan_internal_order: @@ -115,6 +141,39 @@ management_api_http: - name: MGMT enable_https: true ethernet_interfaces: +- name: Ethernet52 + peer: site-ha-disabled-leaf + peer_interface: Ethernet2 + peer_type: l3leaf + description: P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet2 + shutdown: false + mtu: 9214 + type: routed + ip_address: 172.17.0.3/31 + flow_tracker: + hardware: WAN-FLOW-TRACKER +- name: Ethernet52.100 + peer: site-ha-disabled-leaf + peer_interface: Ethernet2.100 + peer_type: l3leaf + vrf: IT + description: P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet2.100_vrf_IT + shutdown: false + type: l3dot1q + encapsulation_dot1q_vlan: 100 + mtu: 9214 + ip_address: 172.17.0.3/31 +- name: Ethernet52.42 + peer: site-ha-disabled-leaf + peer_interface: Ethernet2.42 + peer_type: l3leaf + vrf: PROD + description: P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet2.42_vrf_PROD + shutdown: false + type: l3dot1q + encapsulation_dot1q_vlan: 42 + mtu: 9214 + ip_address: 172.17.0.3/31 - name: Ethernet1 peer_type: l3_interface ip_address: dhcp 
@@ -127,7 +186,13 @@ loopback_interfaces: - name: Loopback0 description: Router_ID shutdown: false - ip_address: 192.168.42.6/32 + ip_address: 192.168.42.2/32 +as_path: + access_lists: + - name: ASPATH-WAN + entries: + - type: permit + match: '65000' prefix_lists: - name: PL-LOOPBACKS-EVPN-OVERLAY sequence_numbers: @@ -140,12 +205,52 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY -- name: RM-EVPN-EXPORT-VRF-DEFAULT + set: + - extcommunity soo 192.168.42.2:511 additive +- name: RM-BGP-UNDERLAY-PEERS-IN sequence_numbers: + - sequence: 20 + type: deny + description: Deny prefixes from WAN + match: + - as-path ASPATH-WAN - sequence: 30 type: permit + description: Mark prefixes originated from the LAN + set: + - extcommunity soo 192.168.42.2:511 additive +- name: RM-BGP-UNDERLAY-PEERS-OUT + sequence_numbers: + - sequence: 10 + type: permit + description: Advertise local routes towards LAN match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit + description: Advertise routes received from WAN iBGP towards LAN + match: + - route-type internal +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.42.2:511 additive +- name: RM-EVPN-EXPORT-VRF-DEFAULT + sequence_numbers: + - sequence: 10 + type: permit + match: + - extcommunity ECL-EVPN-SOO flow_tracking: hardware: trackers: 
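Review bot: The SOO is built as router-id:site-id (`192.168.42.2:511` here, `192.168.42.1:511` on the other edge rendered for Site511), so `RM-EVPN-SOO-IN deny 10` only drops routes this device itself originated; a LAN prefix stamped by the sibling edge is accepted from the pathfinder and, via `RM-BGP-UNDERLAY-PEERS-OUT` sequence 20 (`match route-type internal`), re-advertised back into the same LAN. That is harmless while the leaf still holds the prefix itself, but a site-wide loop guard would need a site-scoped SOO rather than a device-scoped one; if device scope is deliberate, add a `description` to `RM-EVPN-SOO-IN` saying it protects against own-origin reflection only. The `RM-BGP-UNDERLAY-PEERS-IN` map also starts at sequence 20 with sequence 10 unused — if that gap is meant for user-defined entries, one comment saying so would save the next reader a search.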
@@ -160,12 +265,15 @@ flow_tracking: local_interface: Loopback0 template_interval: 5000 shutdown: false +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.42.2:511 ip_security: ike_policies: - - name: DP-IKE-POLICY - local_id: 192.168.142.6 - name: CP-IKE-POLICY - local_id: 192.168.142.6 + local_id: 192.168.142.2 sa_policies: - name: DP-SA-POLICY esp: @@ -177,7 +285,6 @@ ip_security: pfs_dh_group: 14 profiles: - name: DP-PROFILE - ike_policy: DP-IKE-POLICY sa_policy: DP-SA-POLICY connection: start shared_key: ABCDEF1234567890666 @@ -207,8 +314,8 @@ router_adaptive_virtual_topology: name: DEFAULT-ZONE id: 1 site: - name: Site512 - id: 512 + name: Site511 + id: 511 profiles: - name: CONTROL-PLANE-PROFILE load_balance_policy: LB-CONTROL-PLANE-PROFILE @@ -354,7 +461,7 @@ dps_interfaces: - name: Dps1 description: DPS Interface mtu: 9214 - ip_address: 192.168.142.6/32 + ip_address: 192.168.142.2/32 flow_tracker: hardware: WAN-FLOW-TRACKER vxlan_interface: @@ -380,8 +487,12 @@ metadata: - name: Zone value: DEFAULT-ZONE - name: Site - value: Site512 + value: Site511 interface_tags: + - interface: Ethernet52 + tags: + - name: Type + value: lan - interface: Ethernet1 tags: - name: Type @@ -389,15 +500,15 @@ metadata: - name: Carrier value: Inmrasat - name: Circuit - value: S512 + value: S511 cv_pathfinder: role: edge - vtep_ip: 192.168.142.6 + vtep_ip: 192.168.142.2 region: AVD_Land_East zone: DEFAULT-ZONE - site: Site512 + site: Site511 interfaces: - name: Ethernet1 carrier: Inmrasat - circuit_id: S512 + circuit_id: S511 pathgroup: Satellite diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-default-policy.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-default-policy.yml index 4c553592763..ebb5939ee03 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-default-policy.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-default-policy.yml @@ -27,6 +27,8 @@ router_bgp: peer_groups: - name: WAN-OVERLAY-PEERS activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT address_family_ipv4: peer_groups: - name: WAN-OVERLAY-PEERS @@ -159,12 +161,28 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.42.1:511 additive +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.42.1:511 additive - name: RM-EVPN-EXPORT-VRF-DEFAULT sequence_numbers: - - sequence: 30 + - sequence: 10 type: permit match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO flow_tracking: hardware: trackers: @@ -179,10 +197,13 @@ flow_tracking: local_interface: Loopback0 template_interval: 5000 shutdown: false +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.42.1:511 ip_security: ike_policies: - - name: DP-IKE-POLICY - local_id: 192.168.255.1 - name: CP-IKE-POLICY local_id: 192.168.255.1 sa_policies: @@ -196,7 +217,6 @@ ip_security: pfs_dh_group: 14 profiles: - name: DP-PROFILE - ike_policy: DP-IKE-POLICY sa_policy: DP-SA-POLICY connection: start shared_key: ABCDEF1234567890666 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml index 5346ab15669..f0d9fe3f667 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml @@ -10,10 +10,13 @@ router_bgp: paths: 16 updates: wait_install: true - redistribute_routes: - - source_protocol: connected - route_map: RM-CONN-2-BGP peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + maximum_routes: 12000 + send_community: all + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + route_map_out: RM-BGP-UNDERLAY-PEERS-OUT - name: WAN-OVERLAY-PEERS type: wan update_source: Dps1 
@@ -23,54 +26,35 @@ router_bgp: maximum_routes: 0 remote_as: '65000' ttl_maximum_hops: 1 - address_family_evpn: - peer_groups: - - name: WAN-OVERLAY-PEERS - activate: true address_family_ipv4: peer_groups: - - name: WAN-OVERLAY-PEERS - activate: false - address_family_ipv4_sr_te: - peer_groups: - - name: WAN-OVERLAY-PEERS - activate: true - address_family_link_state: - peer_groups: - - name: WAN-OVERLAY-PEERS + - name: IPv4-UNDERLAY-PEERS activate: true - path_selection: - roles: - producer: true - address_family_path_selection: - peer_groups: - name: WAN-OVERLAY-PEERS - activate: true - bgp: - additional_paths: - receive: true - send: - any: true + activate: false + redistribute_routes: + - source_protocol: connected + route_map: RM-CONN-2-BGP + - source_protocol: static + route_map: RM-STATIC-2-BGP neighbors: + - ip_address: 172.17.0.0 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + peer: site-ha-disabled-leaf + description: site-ha-disabled-leaf_Ethernet1 - ip_address: 192.168.144.1 peer_group: WAN-OVERLAY-PEERS peer: cv-pathfinder-pathfinder description: cv-pathfinder-pathfinder vrfs: - - name: default - rd: 192.168.42.1:1 - route_targets: - import: - - address_family: evpn - route_targets: - - '1:1' - export: - - address_family: evpn - route_targets: - - '1:1' - - route-map RM-EVPN-EXPORT-VRF-DEFAULT - name: IT router_id: 192.168.42.1 + neighbors: + - ip_address: 172.17.0.0 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + description: site-ha-disabled-leaf_Ethernet1.100_vrf_IT rd: 192.168.42.1:100 route_targets: import: @@ -85,6 +69,11 @@ router_bgp: - source_protocol: connected - name: PROD router_id: 192.168.42.1 + neighbors: + - ip_address: 172.17.0.0 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + description: site-ha-disabled-leaf_Ethernet1.42_vrf_PROD rd: 192.168.42.1:42 route_targets: import: 
@@ -97,6 +86,44 @@ router_bgp: - '42:42' redistribute_routes: - source_protocol: connected + - name: default + rd: 192.168.42.1:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - route-map RM-EVPN-EXPORT-VRF-DEFAULT + address_family_evpn: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT + address_family_ipv4_sr_te: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + address_family_link_state: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + path_selection: + roles: + producer: true + address_family_path_selection: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + bgp: + additional_paths: + receive: true + send: + any: true service_routing_protocols_model: multi-agent ip_routing: true vlan_internal_order: @@ -120,6 +147,39 @@ management_api_http: - name: MGMT enable_https: true ethernet_interfaces: +- name: Ethernet52 + peer: site-ha-disabled-leaf + peer_interface: Ethernet1 + peer_type: l3leaf + description: P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet1 + shutdown: false + mtu: 9214 + type: routed + ip_address: 172.17.0.1/31 + flow_tracker: + hardware: WAN-FLOW-TRACKER +- name: Ethernet52.100 + peer: site-ha-disabled-leaf + peer_interface: Ethernet1.100 + peer_type: l3leaf + vrf: IT + description: P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet1.100_vrf_IT + shutdown: false + type: l3dot1q + encapsulation_dot1q_vlan: 100 + mtu: 9214 + ip_address: 172.17.0.1/31 +- name: Ethernet52.42 + peer: site-ha-disabled-leaf + peer_interface: Ethernet1.42 + peer_type: l3leaf + vrf: PROD + description: P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet1.42_vrf_PROD + shutdown: false + type: l3dot1q + encapsulation_dot1q_vlan: 42 + mtu: 9214 + ip_address: 172.17.0.1/31 - name: Ethernet1 peer_type: l3_interface ip_address: dhcp 
@@ -147,11 +207,21 @@ loopback_interfaces: description: Router_ID shutdown: false ip_address: 192.168.42.1/32 +as_path: + access_lists: + - name: ASPATH-WAN + entries: + - type: permit + match: '65000' prefix_lists: - name: PL-LOOPBACKS-EVPN-OVERLAY sequence_numbers: - sequence: 10 action: permit 192.168.42.0/24 eq 32 +- name: PL-STATIC-VRF-DEFAULT + sequence_numbers: + - sequence: 10 + action: permit 66.66.66.0/24 route_maps: - name: RM-CONN-2-BGP sequence_numbers: 
@@ -159,12 +229,66 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY -- name: RM-EVPN-EXPORT-VRF-DEFAULT + set: + - extcommunity soo 192.168.42.1:511 additive +- name: RM-BGP-UNDERLAY-PEERS-IN sequence_numbers: + - sequence: 20 + type: deny + description: Deny prefixes from WAN + match: + - as-path ASPATH-WAN - sequence: 30 type: permit + description: Mark prefixes originated from the LAN + set: + - extcommunity soo 192.168.42.1:511 additive +- name: RM-BGP-UNDERLAY-PEERS-OUT + sequence_numbers: + - sequence: 10 + type: permit + description: Advertise local routes towards LAN match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit + description: Advertise routes received from WAN iBGP towards LAN + match: + - route-type internal +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.42.1:511 additive +- name: RM-EVPN-EXPORT-VRF-DEFAULT + sequence_numbers: + - sequence: 10 + type: permit + match: + - extcommunity ECL-EVPN-SOO +- name: RM-STATIC-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-STATIC-VRF-DEFAULT + set: + - extcommunity soo 192.168.42.1:511 additive +static_routes: +- destination_address_prefix: 172.16.0.0/16 + gateway: 172.16.5.4 +- destination_address_prefix: 66.66.66.0/24 + gateway: 172.17.0.0 + vrf: default flow_tracking: hardware: trackers: @@ -179,10 +303,13 @@ flow_tracking: local_interface: Loopback0 template_interval: 5000 shutdown: false +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.42.1:511 ip_security: ike_policies: - - name: DP-IKE-POLICY - local_id: 192.168.142.1 - name: CP-IKE-POLICY local_id: 192.168.142.1 sa_policies: 
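Review bot: `soo 192.168.42.1:511` rendered here for cv-pathfinder-edge is identical to the value rendered for cv-pathfinder-edge-no-default-policy in the earlier hunk, which implies both devices carry router-id 192.168.42.1; if they ever share a fabric, each would match the other's routes in `RM-EVPN-SOO-IN deny 10` and drop them, and `ECL-EVPN-SOO` would let `RM-BGP-UNDERLAY-PEERS-OUT` sequence 10 treat the other's LAN routes as local. Presumably the two are separate test fabrics — if so, distinct loopbacks or a comment in the fixture would make that explicit. On the new `RM-STATIC-2-BGP`, only `66.66.66.0/24` is in `PL-STATIC-VRF-DEFAULT` and is stamped with the site SOO, while the default-VRF static `172.16.0.0/16 via 172.16.5.4` is not redistributed; if that exclusion is intentional, a short note in the fixture's group_vars would confirm it rather than leave it to inference.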
@@ -196,7 +323,6 @@ ip_security: pfs_dh_group: 14 profiles: - name: DP-PROFILE - ike_policy: DP-IKE-POLICY sa_policy: DP-SA-POLICY connection: start shared_key: ABCDEF1234567890666 @@ -464,6 +590,10 @@ metadata: - name: Site value: Site511 interface_tags: + - interface: Ethernet52 + tags: + - name: Type + value: lan - interface: Ethernet1 tags: - name: Type diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml index f1d8b131603..47e32aa0193 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml @@ -10,18 +10,13 @@ router_bgp: paths: 16 updates: wait_install: true - redistribute_routes: - - source_protocol: connected - route_map: RM-CONN-2-BGP - bgp_cluster_id: 192.168.44.1 - listen_ranges: - - prefix: 192.168.142.0/24 - peer_group: WAN-OVERLAY-PEERS - remote_as: '65000' - - prefix: 192.168.143.0/24 - peer_group: WAN-OVERLAY-PEERS - remote_as: '65000' peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + maximum_routes: 12000 + send_community: all + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + route_map_out: RM-BGP-UNDERLAY-PEERS-OUT - name: WAN-OVERLAY-PEERS type: wan update_source: Dps1 
@@ -32,16 +27,29 @@ router_bgp: remote_as: '65000' ttl_maximum_hops: 1 route_reflector_client: true + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: WAN-OVERLAY-PEERS + activate: false + redistribute_routes: + - source_protocol: connected + route_map: RM-CONN-2-BGP + bgp_cluster_id: 192.168.44.1 + listen_ranges: + - prefix: 192.168.142.0/24 + peer_group: WAN-OVERLAY-PEERS + remote_as: '65000' + - prefix: 192.168.143.0/24 + peer_group: WAN-OVERLAY-PEERS + remote_as: '65000' address_family_evpn: peer_groups: - name: WAN-OVERLAY-PEERS activate: true next_hop: resolution_disabled: true - address_family_ipv4: - peer_groups: - - name: WAN-OVERLAY-PEERS - activate: false address_family_ipv4_sr_te: peer_groups: - name: WAN-OVERLAY-PEERS @@ -136,12 +144,14 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.44.1:0 additive - name: RM-EVPN-EXPORT-VRF-DEFAULT sequence_numbers: - - sequence: 30 + - sequence: 10 type: permit match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO static_routes: - destination_address_prefix: 0.0.0.0/0 gateway: 10.7.7.6 @@ -159,6 +169,11 @@ flow_tracking: local_interface: Loopback0 template_interval: 5000 shutdown: false +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.44.1:0 ip_security: ike_policies: - name: CP-IKE-POLICY @@ -281,13 +296,10 @@ router_path_selection: ipsec_profile: CP-PROFILE - name: LTE id: 102 - ipsec_profile: CP-PROFILE - name: Equinix id: 103 - ipsec_profile: CP-PROFILE - name: Satellite id: 104 - ipsec_profile: CP-PROFILE peer_dynamic_source: stun load_balance_policies: - name: LB-CONTROL-PLANE-PROFILE @@ -490,6 +502,10 @@ metadata: id: 422 location: address: Somewhere + - name: Site423 + id: 423 + location: + address: Somewhere-warm - name: AVD_Land_East id: 43 zones: 
@@ -498,8 +514,6 @@ metadata: sites: - name: Site511 id: 511 - - name: Site512 - id: 512 vrfs: - name: default vni: 1 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml index 57738be9bec..140b421ecb6 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml @@ -10,18 +10,13 @@ router_bgp: paths: 16 updates: wait_install: true - redistribute_routes: - - source_protocol: connected - route_map: RM-CONN-2-BGP - bgp_cluster_id: 192.168.44.2 - listen_ranges: - - prefix: 192.168.142.0/24 - peer_group: WAN-OVERLAY-PEERS - remote_as: '65000' - - prefix: 192.168.143.0/24 - peer_group: WAN-OVERLAY-PEERS - remote_as: '65000' peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + maximum_routes: 12000 + send_community: all + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + route_map_out: RM-BGP-UNDERLAY-PEERS-OUT - name: WAN-OVERLAY-PEERS type: wan update_source: Dps1 @@ -40,6 +35,25 @@ router_bgp: maximum_routes: 0 remote_as: '65000' ttl_maximum_hops: 42 + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: WAN-OVERLAY-PEERS + activate: false + - name: WAN-RR-OVERLAY-PEERS + activate: false + redistribute_routes: + - source_protocol: connected + route_map: RM-CONN-2-BGP + bgp_cluster_id: 192.168.44.2 + listen_ranges: + - prefix: 192.168.142.0/24 + peer_group: WAN-OVERLAY-PEERS + remote_as: '65000' + - prefix: 192.168.143.0/24 + peer_group: WAN-OVERLAY-PEERS + remote_as: '65000' address_family_evpn: peer_groups: - name: WAN-OVERLAY-PEERS 
@@ -48,12 +62,6 @@ router_bgp: activate: true next_hop: resolution_disabled: true - address_family_ipv4: - peer_groups: - - name: WAN-OVERLAY-PEERS - activate: false - - name: WAN-RR-OVERLAY-PEERS - activate: false address_family_ipv4_sr_te: peer_groups: - name: WAN-OVERLAY-PEERS @@ -149,12 +157,14 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.44.2:0 additive - name: RM-EVPN-EXPORT-VRF-DEFAULT sequence_numbers: - - sequence: 30 + - sequence: 10 type: permit match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO flow_tracking: hardware: trackers: @@ -169,6 +179,11 @@ flow_tracking: local_interface: Loopback0 template_interval: 5000 shutdown: false +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.44.2:0 ip_security: ike_policies: - name: CP-IKE-POLICY @@ -297,13 +312,10 @@ router_path_selection: ipsec_profile: CP-PROFILE - name: LTE id: 102 - ipsec_profile: CP-PROFILE - name: Equinix id: 103 - ipsec_profile: CP-PROFILE - name: Satellite id: 104 - ipsec_profile: CP-PROFILE peer_dynamic_source: stun load_balance_policies: - name: LB-CONTROL-PLANE-PROFILE @@ -477,6 +489,10 @@ metadata: id: 422 location: address: Somewhere + - name: Site423 + id: 423 + location: + address: Somewhere-warm - name: AVD_Land_East id: 43 zones: @@ -485,8 +501,6 @@ metadata: sites: - name: Site511 id: 511 - - name: Site512 - id: 512 vrfs: - name: default vni: 1 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml index 87f77a1104e..c06ff65339e 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml @@ -10,18 +10,13 @@ router_bgp: paths: 16 updates: wait_install: true - redistribute_routes: - - source_protocol: connected - route_map: RM-CONN-2-BGP - bgp_cluster_id: 192.168.44.3 - listen_ranges: - - prefix: 192.168.142.0/24 - peer_group: WAN-OVERLAY-PEERS - remote_as: '65000' - - prefix: 192.168.143.0/24 - peer_group: WAN-OVERLAY-PEERS - remote_as: '65000' peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + maximum_routes: 12000 + send_community: all + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + route_map_out: RM-BGP-UNDERLAY-PEERS-OUT - name: WAN-OVERLAY-PEERS type: wan update_source: Dps1 @@ -40,6 +35,25 @@ router_bgp: maximum_routes: 0 remote_as: '65000' ttl_maximum_hops: 42 + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: WAN-OVERLAY-PEERS + activate: false + - name: WAN-RR-OVERLAY-PEERS + activate: false + redistribute_routes: + - source_protocol: connected + route_map: RM-CONN-2-BGP + bgp_cluster_id: 192.168.44.3 + listen_ranges: + - prefix: 192.168.142.0/24 + peer_group: WAN-OVERLAY-PEERS + remote_as: '65000' + - prefix: 192.168.143.0/24 + peer_group: WAN-OVERLAY-PEERS + remote_as: '65000' address_family_evpn: peer_groups: - name: WAN-OVERLAY-PEERS @@ -48,12 +62,6 @@ router_bgp: activate: true next_hop: resolution_disabled: true - address_family_ipv4: - peer_groups: - - name: WAN-OVERLAY-PEERS - activate: false - - name: WAN-RR-OVERLAY-PEERS - activate: false address_family_ipv4_sr_te: peer_groups: - name: WAN-OVERLAY-PEERS 
@@ -156,12 +164,14 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.44.3:0 additive - name: RM-EVPN-EXPORT-VRF-DEFAULT sequence_numbers: - - sequence: 30 + - sequence: 10 type: permit match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO flow_tracking: hardware: trackers: @@ -176,6 +186,11 @@ flow_tracking: local_interface: Loopback0 template_interval: 5000 shutdown: false +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.44.3:0 ip_security: ike_policies: - name: CP-IKE-POLICY @@ -311,13 +326,10 @@ router_path_selection: ipsec_profile: CP-PROFILE - name: LTE id: 102 - ipsec_profile: CP-PROFILE - name: Equinix id: 103 - ipsec_profile: CP-PROFILE - name: Satellite id: 104 - ipsec_profile: CP-PROFILE peer_dynamic_source: stun load_balance_policies: - name: LB-CONTROL-PLANE-PROFILE @@ -506,6 +518,10 @@ metadata: id: 422 location: address: Somewhere + - name: Site423 + id: 423 + location: + address: Somewhere-warm - name: AVD_Land_East id: 43 zones: @@ -514,8 +530,6 @@ metadata: sites: - name: Site511 id: 511 - - name: Site512 - id: 512 vrfs: - name: default vni: 1 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit.yml index 7f56aefc3a1..28fcf4937c8 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit.yml 
@@ -10,10 +10,13 @@ router_bgp: paths: 16 updates: wait_install: true - redistribute_routes: - - source_protocol: connected - route_map: RM-CONN-2-BGP peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + maximum_routes: 12000 + send_community: all + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + route_map_out: RM-BGP-UNDERLAY-PEERS-OUT - name: WAN-OVERLAY-PEERS type: wan update_source: Dps1 @@ -23,14 +26,21 @@ router_bgp: maximum_routes: 0 remote_as: '65000' ttl_maximum_hops: 1 - address_family_evpn: - peer_groups: - - name: WAN-OVERLAY-PEERS - activate: true address_family_ipv4: peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true - name: WAN-OVERLAY-PEERS activate: false + redistribute_routes: + - source_protocol: connected + route_map: RM-CONN-2-BGP + address_family_evpn: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT address_family_ipv4_sr_te: peer_groups: - name: WAN-OVERLAY-PEERS @@ -167,6 +177,12 @@ loopback_interfaces: description: Router_ID shutdown: false ip_address: 192.168.43.1/32 +as_path: + access_lists: + - name: ASPATH-WAN + entries: + - type: permit + match: '65000' prefix_lists: - name: PL-LOOPBACKS-EVPN-OVERLAY sequence_numbers: 
@@ -179,12 +195,52 @@ route_maps: type: permit match: - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY -- name: RM-EVPN-EXPORT-VRF-DEFAULT + set: + - extcommunity soo 192.168.43.1:422 additive +- name: RM-BGP-UNDERLAY-PEERS-IN sequence_numbers: + - sequence: 20 + type: deny + description: Deny prefixes from WAN + match: + - as-path ASPATH-WAN - sequence: 30 type: permit + description: Mark prefixes originated from the LAN + set: + - extcommunity soo 192.168.43.1:422 additive +- name: RM-BGP-UNDERLAY-PEERS-OUT + sequence_numbers: + - sequence: 10 + type: permit + description: Advertise local routes towards LAN match: - - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit + description: Advertise routes received from WAN iBGP towards LAN + match: + - route-type internal +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.43.1:422 additive +- name: RM-EVPN-EXPORT-VRF-DEFAULT + sequence_numbers: + - sequence: 10 + type: permit + match: + - extcommunity ECL-EVPN-SOO flow_tracking: hardware: trackers: @@ -199,10 +255,13 @@ flow_tracking: local_interface: Loopback0 template_interval: 5000 shutdown: false +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.43.1:422 ip_security: ike_policies: - - name: DP-IKE-POLICY - local_id: 192.168.143.1 - name: CP-IKE-POLICY local_id: 192.168.143.1 sa_policies: @@ -216,7 +275,6 @@ ip_security: pfs_dh_group: 14 profiles: - name: DP-PROFILE - ike_policy: DP-IKE-POLICY sa_policy: DP-SA-POLICY connection: start shared_key: ABCDEF1234567890666 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml
new file mode 100644
index 00000000000..e8768da5e3f
--- /dev/null
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml
@@ -0,0 +1,270 @@ +hostname: site-ha-disabled-leaf +is_deployed: true +router_bgp: + as: '65000' + router_id: 192.168.45.3 + bgp: + default: + ipv4_unicast: false + maximum_paths: + paths: 4 + ecmp: 4 + updates: + wait_install: true + peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + maximum_routes: 12000 + send_community: all + - name: EVPN-OVERLAY-PEERS + type: evpn + update_source: Loopback0 + bfd: true + send_community: all + maximum_routes: 0 + ebgp_multihop: 3 + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: EVPN-OVERLAY-PEERS + activate: false + redistribute_routes: + - source_protocol: connected + route_map: RM-CONN-2-BGP + neighbors: + - ip_address: 172.17.0.1 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + peer: cv-pathfinder-edge + description: cv-pathfinder-edge_Ethernet52 + - ip_address: 172.17.0.3 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + peer: cv-pathfinder-edge-no-common-path-group + description: cv-pathfinder-edge-no-common-path-group_Ethernet52 + vrfs: + - name: IT + router_id: 192.168.45.3 + neighbors: + - ip_address: 172.17.0.1 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + description: cv-pathfinder-edge_Ethernet52.100_vrf_IT + - ip_address: 172.17.0.3 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + description: cv-pathfinder-edge-no-common-path-group_Ethernet52.100_vrf_IT + rd: 192.168.45.3:100 + route_targets: + import: + - address_family: evpn + route_targets: + - 100:100 + export: + - address_family: evpn + route_targets: + - 100:100 + redistribute_routes: + - source_protocol: connected + - name: PROD + router_id: 192.168.45.3 + neighbors: + - ip_address: 172.17.0.1 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + description: cv-pathfinder-edge_Ethernet52.42_vrf_PROD + - ip_address: 172.17.0.3 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + description: cv-pathfinder-edge-no-common-path-group_Ethernet52.42_vrf_PROD + rd: 
192.168.45.3:42 + route_targets: + import: + - address_family: evpn + route_targets: + - '42:42' + export: + - address_family: evpn + route_targets: + - '42:42' + redistribute_routes: + - source_protocol: connected + - name: default + rd: 192.168.45.3:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + address_family_evpn: + peer_groups: + - name: EVPN-OVERLAY-PEERS + activate: true + vlans: + - id: 100 + tenant: TenantA + rd: 192.168.45.3:1100 + route_targets: + both: + - 1100:1100 + redistribute_routes: + - learned + - id: 101 + tenant: TenantA + rd: 192.168.45.3:1101 + route_targets: + both: + - 1101:1101 + redistribute_routes: + - learned +service_routing_protocols_model: multi-agent +ip_routing: true +vlan_internal_order: + allocation: ascending + range: + beginning: 1006 + ending: 1199 +vrfs: +- name: MGMT + ip_routing: false +- name: IT + tenant: TenantA + ip_routing: true +- name: PROD + tenant: TenantA + ip_routing: true +management_api_http: + enable_vrfs: + - name: MGMT + enable_https: true +ethernet_interfaces: +- name: Ethernet1 + peer: cv-pathfinder-edge + peer_interface: Ethernet52 + peer_type: wan_edge + description: P2P_LINK_TO_CV-PATHFINDER-EDGE_Ethernet52 + shutdown: false + mtu: 9214 + type: routed + ip_address: 172.17.0.0/31 +- name: Ethernet1.100 + peer: cv-pathfinder-edge + peer_interface: Ethernet52.100 + peer_type: wan_edge + vrf: IT + description: P2P_LINK_TO_CV-PATHFINDER-EDGE_Ethernet52.100_vrf_IT + shutdown: false + type: l3dot1q + encapsulation_dot1q_vlan: 100 + mtu: 9214 + ip_address: 172.17.0.0/31 +- name: Ethernet1.42 + peer: cv-pathfinder-edge + peer_interface: Ethernet52.42 + peer_type: wan_edge + vrf: PROD + description: P2P_LINK_TO_CV-PATHFINDER-EDGE_Ethernet52.42_vrf_PROD + shutdown: false + type: l3dot1q + encapsulation_dot1q_vlan: 42 + mtu: 9214 + ip_address: 172.17.0.0/31 +- name: Ethernet2 + peer: 
cv-pathfinder-edge-no-common-path-group + peer_interface: Ethernet52 + peer_type: wan_edge + description: P2P_LINK_TO_CV-PATHFINDER-EDGE-NO-COMMON-PATH-GROUP_Ethernet52 + shutdown: false + mtu: 9214 + type: routed + ip_address: 172.17.0.2/31 +- name: Ethernet2.100 + peer: cv-pathfinder-edge-no-common-path-group + peer_interface: Ethernet52.100 + peer_type: wan_edge + vrf: IT + description: P2P_LINK_TO_CV-PATHFINDER-EDGE-NO-COMMON-PATH-GROUP_Ethernet52.100_vrf_IT + shutdown: false + type: l3dot1q + encapsulation_dot1q_vlan: 100 + mtu: 9214 + ip_address: 172.17.0.2/31 +- name: Ethernet2.42 + peer: cv-pathfinder-edge-no-common-path-group + peer_interface: Ethernet52.42 + peer_type: wan_edge + vrf: PROD + description: P2P_LINK_TO_CV-PATHFINDER-EDGE-NO-COMMON-PATH-GROUP_Ethernet52.42_vrf_PROD + shutdown: false + type: l3dot1q + encapsulation_dot1q_vlan: 42 + mtu: 9214 + ip_address: 172.17.0.2/31 +loopback_interfaces: +- name: Loopback0 + description: EVPN_Overlay_Peering + shutdown: false + ip_address: 192.168.45.3/32 +- name: Loopback1 + description: VTEP_VXLAN_Tunnel_Source + shutdown: false + ip_address: 192.168.255.3/32 +prefix_lists: +- name: PL-LOOPBACKS-EVPN-OVERLAY + sequence_numbers: + - sequence: 10 + action: permit 192.168.45.0/24 eq 32 + - sequence: 20 + action: permit 192.168.255.0/24 eq 32 +route_maps: +- name: RM-CONN-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +router_bfd: + multihop: + interval: 300 + min_rx: 300 + multiplier: 3 +vlans: +- id: 100 + name: VLAN100 + tenant: TenantA +- id: 101 + name: VLAN101 + tenant: TenantA +ip_igmp_snooping: + globally_enabled: true +ip_virtual_router_mac_address: 00:1c:73:00:00:01 +vlan_interfaces: +- name: Vlan100 + tenant: TenantA + description: VLAN100 + shutdown: true + ip_address_virtual: 10.0.100.1/24 + vrf: PROD +vxlan_interface: + Vxlan1: + description: site-ha-disabled-leaf_VTEP + vxlan: + udp_port: 4789 + source_interface: Loopback1 
+ vlans: + - id: 100 + vni: 1100 + - id: 101 + vni: 1101 + vrfs: + - name: default + vni: 1 + - name: IT + vni: 100 + - name: PROD + vni: 42 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml index 95255d58adc..c119f807637 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml @@ -1,6 +1,8 @@ --- # Testing autovpn wan_mode: autovpn +# Disabling underlay for tests +underlay_routing_protocol: none bgp_as: 65000 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index 183c641435a..2ce0d52cf49 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml @@ -12,14 +12,15 @@ cv_pathfinder_regions: - name: Site422 id: 422 location: Somewhere + - name: Site423 + id: 423 + location: Somewhere-warm - name: AVD_Land_East id: 43 description: AVD Region sites: - name: Site511 id: 511 - - name: Site512 - id: 512 bgp_peer_groups: wan_overlay_peers: @@ -48,6 +49,9 @@ default_node_types: - node_type: wan_edge match_hostnames: - "cv-pathfinder-edge.*" + - node_type: l3leaf + match_hostnames: + - ".*leaf.*" wan_edge: defaults: 
@@ -55,8 +59,13 @@ wan_edge: vtep_loopback_ipv4_pool: 192.168.142.0/24 filter: always_include_vrfs_in_tenants: [TenantA] - nodes: - - name: cv-pathfinder-edge + uplink_ipv4_pool: 172.17.0.0/16 + node_groups: + # SITE_HA_DISABLED + - group: Site511 + uplink_type: p2p-vrfs + uplink_switches: [ site-ha-disabled-leaf ] + uplink_interfaces: [ Ethernet52 ] cv_pathfinder_region: AVD_Land_East cv_pathfinder_site: Site511 id: 1 
@@ -75,16 +84,58 @@ wan_edge: wan_circuit_id: AF830 ip_address: 172.20.20.20/31 connected_to_pathfinder: False - - name: cv-pathfinder-edge-no-common-path-group - cv_pathfinder_region: AVD_Land_East - cv_pathfinder_site: Site512 - id: 6 - l3_interfaces: - - name: Ethernet1 - wan_carrier: Inmrasat - wan_circuit_id: S512 - dhcp_accept_default_route: true - ip_address: dhcp + # Disabling HA - TODO once implemented, for now it is disabled by default + # wan_ha: + # enabled: False + nodes: + - name: cv-pathfinder-edge + id: 1 + uplink_switch_interfaces: [Ethernet1] + l3_interfaces: + - name: Ethernet1 + wan_carrier: ATT + wan_circuit_id: 666 + dhcp_accept_default_route: true + ip_address: dhcp + - name: Ethernet2 + wan_carrier: Colt + wan_circuit_id: 10555 + ip_address: 172.15.5.5/31 + peer_ip: 172.16.5.4 + static_routes: + - prefix: 172.16.0.0/16 + - name: Ethernet3 + wan_carrier: Comcast-5G + wan_circuit_id: AF830 + ip_address: 172.20.20.20/31 + connected_to_pathfinder: False + - name: cv-pathfinder-edge-no-common-path-group + id: 2 + uplink_switch_interfaces: [Ethernet2] + l3_interfaces: + - name: Ethernet1 + wan_carrier: Inmrasat + wan_circuit_id: S511 + dhcp_accept_default_route: true + ip_address: dhcp + +# Fake DC1 +l3leaf: + defaults: + bgp_as: 65199 + loopback_ipv4_pool: 192.168.45.0/24 + vtep_loopback_ipv4_pool: 192.168.255.0/24 + virtual_router_mac_address: 00:1c:73:00:00:01 + filter: + always_include_vrfs_in_tenants: [TenantA] + nodes: + # Used for HA in HA PR + #- name: site-ha-enabled-leaf1 + # id: 1 + #- name: site-ha-enabled-leaf2 + # id: 2 + - name: site-ha-disabled-leaf + id: 3 wan_transit: defaults: @@ -191,9 +242,14 @@ wan_carriers: tenants: - name: TenantA + mac_vrf_vni_base: 1000 vrfs: - name: default vrf_id: 1 + static_routes: + - destination_address_prefix: 66.66.66.0/24 + gateway: 172.17.0.0 + nodes: [cv-pathfinder-edge] - name: PROD vrf_id: 42 svis: 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/autovpn-edge-no-default-policy.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/autovpn-edge-no-default-policy.yml index d6f8503b116..820e1f4fb0e 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/autovpn-edge-no-default-policy.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/autovpn-edge-no-default-policy.yml @@ -2,6 +2,8 @@ # Testing autovpn edge with no policy in VRF default to make sure the correct # default policy is auto generated by AVD wan_mode: autovpn +# Disabling underlay for tests +underlay_routing_protocol: none bgp_as: 65000 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-no-default-policy.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-no-default-policy.yml index d9486d293a8..aa9db2cb24e 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-no-default-policy.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-no-default-policy.yml @@ -2,6 +2,8 @@ # Testing CV pathfinder edge with no policy in VRF default to make sure the correct # default policy is auto generated by AVD wan_mode: cv-pathfinder +# Disabling underlay for tests +underlay_routing_protocol: none bgp_as: 65000 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml index 22d5fa797c5..eff19b32db9 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml 
@@ -291,10 +291,20 @@ all:
 autovpn-edge:
 CV_PATHFINDER_TESTS:
 hosts:
- cv-pathfinder-edge:
- cv-pathfinder-edge-no-common-path-group:
 cv-pathfinder-transit:
 children:
+ # TODO HA PR
+ #SITE_HA_ENABLED:
+ # hosts:
+ # cv-pathfinder-edge2:
+ # cv-pathfinder-edge3:
+ # site-ha-enabled-leaf1:
+ # site-ha-enabled-leaf2:
+ SITE_HA_DISABLED:
+ hosts:
+ cv-pathfinder-edge:
+ cv-pathfinder-edge-no-common-path-group:
+ site-ha-disabled-leaf:
 CV_PATHFINDERS:
 hosts:
 cv-pathfinder-pathfinder:
diff --git a/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/node_type_keys.py b/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/node_type_keys.py
index 49e92cc9a13..21580a540e6 100644
--- a/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/node_type_keys.py
+++ b/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/node_type_keys.py
@@ -67,7 +67,6 @@
 "default_wan_role": "client",
 "default_cv_pathfinder_role": "edge",
 "default_overlay_routing_protocol": "ibgp",
- "default_underlay_routing_protocol": "none",
 "vtep": True,
 "network_services": {
 "l3": True,
@@ -80,7 +79,6 @@
 "default_wan_role": "client",
 "default_cv_pathfinder_role": "transit region",
 "default_overlay_routing_protocol": "ibgp",
- "default_underlay_routing_protocol": "none",
 "vtep": True,
 "network_services": {
 "l3": True,
@@ -93,7 +91,6 @@
 "default_wan_role": "server",
 "default_cv_pathfinder_role": "pathfinder",
 "default_overlay_routing_protocol": "ibgp",
- "default_underlay_routing_protocol": "none",
 "vtep": True,
 "network_services": {
 "l3": True,
diff --git a/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/overlay.py b/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/overlay.py
index ccb10202e62..6f798976994 100644
--- a/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/overlay.py
+++ b/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/overlay.py
@@ -134,6 +134,27 @@ def evpn_encapsulation(self: SharedUtils) -> str:
 """
 return get(self.hostvars, "fabric_evpn_encapsulation", default=get(self.node_type_key_data, "default_evpn_encapsulation", default="vxlan"))
 
+ @cached_property
+ def evpn_soo(self: SharedUtils) -> str:
+ """
+ Site-Of-Origin used as BGP extended community.
+ - For regular VTEPs this is :1
+ - For WAN routers this is :
+ - Otherwise this is :1
+
+ TODO: Implement HA logic for WAN
+ TODO: Reconsider if suffix should just be :1 for all WAN routers.
+ """
+ if self.wan_role:
+ if self.is_cv_pathfinder_edge_or_transit:
+ return f"{self.router_id}:{self.wan_site['id']}"
+ return f"{self.router_id}:0"
+
+ if self.overlay_vtep:
+ return f"{self.vtep_ip}:1"
+
+ return f"{self.router_id}:1"
+
 @cached_property
 def overlay_evpn(self: SharedUtils) -> bool:
 # Set overlay_evpn to enable EVPN on the node
diff --git a/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/wan.py b/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/wan.py
index 0d96dd515ac..a724a0e8fff 100644
--- a/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/wan.py
+++ b/ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/wan.py
@@ -42,7 +42,7 @@ def wan_role(self: SharedUtils) -> str | None:
 return wan_role
 
 @cached_property
- def wan_listen_ranges(self) -> list:
+ def wan_listen_ranges(self: SharedUtils) -> list:
 return get(
 self.bgp_peer_groups["wan_overlay_peers"],
 "listen_range_prefixes",
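Review bot: The docstring of `evpn_soo` does not cover the `return f"{self.router_id}:0"` branch taken by WAN routers that are not cv-pathfinder edge/transit devices, and its three bullets read `this is :1` / `this is :` with nothing before the colon — the value names appear to have been lost (possibly angle-bracket placeholders stripped on render), so a reader cannot tell which attribute forms the prefix. Because this string is what the generated `ECL-EVPN-SOO` extcommunity list and the `RM-EVPN-SOO-IN` deny sequence key on for WAN/LAN loop prevention, the contract deserves an exact statement: one bullet per branch naming the attribute used, e.g. `- For cv-pathfinder edge/transit routers this is <router_id>:<wan_site id>` and `- For other WAN routers this is <router_id>:0`. `self.wan_site['id']` also assumes `wan_site` resolves to a dict whenever `is_cv_pathfinder_edge_or_transit` is true; if it can be None for a node whose site is not configured, an explicit check raising a descriptive error would be clearer than the resulting TypeError. The `wan_listen_ranges` hunk sharing this line is annotation-only.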
@@ -345,3 +345,21 @@ def should_connect_to_wan_rs(self: SharedUtils, path_groups: list) -> bool:
 local_path_group["name"] in path_groups and any(wan_interface["connected_to_pathfinder"] for wan_interface in local_path_group["interfaces"])
 for local_path_group in self.wan_local_path_groups
 )
+
+ @cached_property
+ def wan_ha_flow_tracker_name(self: SharedUtils) -> str:
+ """
+ Return the name of the WAN flow tracking object
+ Used in both network services, underlay and overlay python modules.
+
+ TODO make this configurable
+ TODO may need to return exporter name also later
+ """
+ return "WAN-FLOW-TRACKER"
+
+ @cached_property
+ def is_cv_pathfinder_edge_or_transit(self: SharedUtils) -> bool:
+ """
+ Return True is the current wan_mode is cv-pathfinder and the device is either an edge or a transit device
+ """
+ return self.wan_mode == "cv-pathfinder" and self.cv_pathfinder_role in ["edge", "transit region"]
diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/fabric-settings.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/fabric-settings.md
index 173063d6949..bab26d8affb 100644
--- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/fabric-settings.md
+++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/fabric-settings.md
@@ -36,7 +36,7 @@
 | [      - <str>](## "underlay_multicast_rps.[].groups.[]") | String | | | | Multicast Group IPv4 prefix/mask. |
 | [    access_list_name](## "underlay_multicast_rps.[].access_list_name") | String | | | | Name of standard Access-List.
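Review bot: The docstring of `is_cv_pathfinder_edge_or_transit` has a typo — `Return True is the current wan_mode` should read `Return True if the current wan_mode is cv-pathfinder and the device is either an edge or a transit device`. On the same method, membership against a list literal is conventionally written with a tuple: `return self.wan_mode == "cv-pathfinder" and self.cv_pathfinder_role in ("edge", "transit region")`. `wan_ha_flow_tracker_name` carries `ha` in its name although its own docstring says it is used by the network services, underlay and overlay modules; if the tracker is not HA-specific, a name such as `wan_flow_tracker_name` would match the `WAN-FLOW-TRACKER` value it returns, and the docstring's first line should end with a period. The enclosing `should_connect_to_wan_rs` starts outside the hunk; the fabric-settings.md hunk on this line is documentation only.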
| | [underlay_rfc5549](## "underlay_rfc5549") | Boolean | | `False` | | Point to Point Underlay with RFC 5549(eBGP), i.e. IPv6 Unnumbered.
Requires "underlay_routing_protocol: ebgp".
| - | [underlay_routing_protocol](## "underlay_routing_protocol") | String | | | Value is converted to lower case.
Valid Values:
- ebgp
- ospf
- isis
- isis-sr
- isis-ldp
- isis-sr-ldp
- ospf-ldp | - The following underlay routing protocols are supported:
- EBGP (default for l3ls-evpn)
- OSPF.
- ISIS.
- ISIS-SR*.
- ISIS-LDP*.
- ISIS-SR-LDP*.
- OSPF-LDP*.
- The variables should be applied to all devices in the fabric.
*Only supported with core_interfaces data model.
| + | [underlay_routing_protocol](## "underlay_routing_protocol") | String | | | Value is converted to lower case.
Valid Values:
- ebgp
- ospf
- ospf-ldp
- isis
- isis-sr
- isis-ldp
- isis-sr-ldp
- none | - The following underlay routing protocols are supported:
- EBGP (default for l3ls-evpn)
- OSPF.
- OSPF-LDP*.
- ISIS.
- ISIS-SR*.
- ISIS-LDP*.
- ISIS-SR-LDP*.
- No underlay routing protocol (none)
- The variables should be applied to all devices in the fabric.
*Only supported with core_interfaces data model.
| | [uplink_ptp](## "uplink_ptp") | Dictionary | | | | Enable PTP on all infrastructure links. | | [  enable](## "uplink_ptp.enable") | Boolean | | `False` | | | @@ -164,14 +164,15 @@ # - The following underlay routing protocols are supported: # - EBGP (default for l3ls-evpn) # - OSPF. + # - OSPF-LDP*. # - ISIS. # - ISIS-SR*. # - ISIS-LDP*. # - ISIS-SR-LDP*. - # - OSPF-LDP*. + # - No underlay routing protocol (none) # - The variables should be applied to all devices in the fabric. # *Only supported with core_interfaces data model. - underlay_routing_protocol: + underlay_routing_protocol: # Enable PTP on all infrastructure links. uplink_ptp: diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md index 6442462ce1f..5d3525dca09 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md @@ -13,7 +13,7 @@ | [    connected_endpoints](## "node_type_keys.[].connected_endpoints") | Boolean | | `False` | | Are endpoints connected to this node type. | | [    default_evpn_role](## "node_type_keys.[].default_evpn_role") | String | | `none` | Valid Values:
- none
- client
- server | Default evpn_role. Can be overridden in topology vars. | | [    default_ptp_priority1](## "node_type_keys.[].default_ptp_priority1") | Integer | | `127` | Min: 0
Max: 255 | Default PTP priority 1 | - | [    default_underlay_routing_protocol](## "node_type_keys.[].default_underlay_routing_protocol") | String | | `ebgp` | Value is converted to lower case.
Valid Values:
- ebgp
- ibgp
- ospf
- ospf-ldp
- isis
- isis-sr
- isis-ldp
- isis-sr-ldp
- none | Set the default underlay routing_protocol.
Can be overridden by setting "underlay_routing_protocol" host/group_vars.
| + | [    default_underlay_routing_protocol](## "node_type_keys.[].default_underlay_routing_protocol") | String | | `ebgp` | Value is converted to lower case.
Valid Values:
- ebgp
- ospf
- ospf-ldp
- isis
- isis-sr
- isis-ldp
- isis-sr-ldp
- none | Set the default underlay routing_protocol.
Can be overridden by setting "underlay_routing_protocol" host/group_vars.
| | [    default_overlay_routing_protocol](## "node_type_keys.[].default_overlay_routing_protocol") | String | | `ebgp` | Value is converted to lower case.
Valid Values:
- ebgp
- ibgp
- her
- cvx
- none | Set the default overlay routing_protocol.
Can be overridden by setting "overlay_routing_protocol" host/group_vars.
| | [    default_mpls_overlay_role](## "node_type_keys.[].default_mpls_overlay_role") | String | | | Valid Values:
- client
- server
- none | Set the default mpls overlay role.
Acting role in overlay control plane.
| | [    default_overlay_address_families](## "node_type_keys.[].default_overlay_address_families") | List, items: String | | | | Set the default overlay address families.
| @@ -79,7 +79,7 @@ # Set the default underlay routing_protocol. # Can be overridden by setting "underlay_routing_protocol" host/group_vars. - default_underlay_routing_protocol: + default_underlay_routing_protocol: # Set the default overlay routing_protocol. # Can be overridden by setting "overlay_routing_protocol" host/group_vars. diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/wan-preview.md b/ansible_collections/arista/avd/roles/eos_designs/docs/wan-preview.md index 4d2c074c128..c3700dc5e9c 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/wan-preview.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/wan-preview.md 
@@ -39,6 +39,44 @@ The intention is to support both a single [AutoVPN design](https://www.arista.co - If no policy is assigned for the `default` VRF policy, AVD auto generates one with one `default_virtual_topology` entry configured to use all available local path-groups. - For the policy defined for VRF `default` (or the auto-generared one), an extra match statement is injected in the policy to match the traffic towards the Pathfinders or AutoVPN RRs, the name of the application-profile is hardcoded as `CONTROL-PLANE-APPLICATION-PROFILE`. A special policy is created by appending `-WITH-CP` at the end of the targetted policy name. +#### LAN Designs + +!!! note + + An important design point to keep in mind is that the current CV Pathfinder and AutoVPN + solutions require the Dps1 interface to be in VRF default. + This implies that all the WAN interfaces also live in VRF default. + And the LAN interfaces also have subnets in the default VRF. + All of this means VRF default routing must be handled with care. + +!!! warning + + AVD does not yet configure any route-map to filter potential routes received + from the WAN for a WAN interface purpose (e.g. internet) to be advertised + towards the LAN. The plan is to add an inbound route-map set the + no-advertise community on the received routes. + + Similarly there is no current prevention to prevent advertising the LAN routes towards the WAN, + The plan is to apply an outbound route-map preventing any routes to be advertised. + +##### EBGP LAN + +- the Site of Origin (SoO) extended community is configured as : + note: site id is unique per zone (only a default zone supported today). +- the routes redistributed into BGP via the route-map `RM-CONN-2-BGP` are tagged with the SoO. 
+- the Underlay peer group (towards the LAN) is configured with two route-maps reused from existing designed but configured differently + - one outbound route-map `RM-BGP-UNDERLAY-PEERS-OUT`: + - advertised the local routes tagged with the SoO extended community. + - advertised the routes received from iBGP (WAN) towards the LAN + - one outbound route-map `RM-BGP-UNDERLAY-PEERS-IN`: + - deny routes received from LAN that already contain the WAN AS in the path. + - accept routes coming from the LAN and set the SoO extended community on them. +- For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SoO. + +###### HA + +To Be Implemented. + ## Known limitations - Zones are not configurable for CV Pathfinder. All sites are being configured in a default zone `DEFAULT-ZONE` with ID `1`. 
@@ -57,15 +95,22 @@ The intention is to support both a single [AutoVPN design](https://www.arista.co template interval 5000 ``` +- All Pathfinders must be able to create a full mesh - No IPv6 support +- For WAN interfaces only physical interfaces are supported today under `node.l3_interfaces` - For WAN interfaces, NAT IP on the Pathfinder side can be supported using the `wan_route_servers.path_groups.interfaces` key. - Path-group ID is currently required under `wan_path_groups` until an algorithm is implemented to auto generate IDs. +- The name of the AVT policies and AVT profiles are configurable in the input variables. The Load Balance policies are named `LB-` and are not configurable. +- For LAN, the current supported funcitonality is to use `uplink_type: p2p-vrfs` on the WAN routers and to have the relevant VRFs present on the uplink switches via `network_services`. Other LAN scenarios will come with time. ## Future work -- As of now, only the fundations of the `eos_designs` functionality for WAN is being introduced without any support for LAN interfaces. - Auto generation of Path-group IDs and other IDs. -- HA for sites will be covered in a future PR +- New LAN scenarios (L2, ..) +- HA for eBGP +- HA for AutoVPN +- Proper OSPF-BGP redistribution in VRF default. +- Support for OSPF subinterfaces. ## `eos_cli_config_gen` support diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/dps_interfaces.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/dps_interfaces.py index 9b061d8695c..c4ff915f8c1 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/dps_interfaces.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/dps_interfaces.py 
@@ -38,6 +38,6 @@ def dps_interfaces(self) -> list | None: # When needed - need a default value if different than IPv4 if self.shared_utils.cv_pathfinder_role: - dps1["flow_tracker"] = {"hardware": "WAN-FLOW-TRACKER"} + dps1["flow_tracker"] = {"hardware": self.shared_utils.wan_ha_flow_tracker_name} return [dps1] diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/route_maps.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/route_maps.py index 423dabee662..45b2eadb94c 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/route_maps.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/route_maps.py @@ -96,7 +96,12 @@ def _route_maps_vrf_default(self) -> list | None: return None route_maps = strip_empties_from_list( - [self._evpn_export_vrf_default_route_map(), self._bgp_underlay_peers_route_map(), self._redistribute_connected_to_bgp_route_map()] + [ + self._evpn_export_vrf_default_route_map(), + self._bgp_underlay_peers_route_map(), + self._redistribute_connected_to_bgp_route_map(), + self._redistribute_static_to_bgp_route_map(), + ] ) return route_maps or None 
@@ -145,35 +150,37 @@ def _evpn_export_vrf_default_route_map(self) -> dict | None: Match the following prefixes to be exported in EVPN for VRF default: * SVI subnets in VRF default * Static routes subnets in VRF default - * for WAN routers, the loopbacks in VRF default. + + * for WAN routers, all the routes matching the SOO (which includes the two above) """ sequence_numbers = [] - if self._vrf_default_ipv4_subnets: - sequence_numbers.append( - { - "sequence": 10, - "type": "permit", - "match": ["ip address prefix-list PL-SVI-VRF-DEFAULT"], - } - ) - - if self._vrf_default_ipv4_static_routes["static_routes"]: - sequence_numbers.append( - { - "sequence": 20, - "type": "permit", - "match": ["ip address prefix-list PL-STATIC-VRF-DEFAULT"], - } - ) - if self.shared_utils.wan_role: sequence_numbers.append( { - "sequence": 30, + "sequence": 10, "type": "permit", - "match": ["ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY"], + "match": ["extcommunity ECL-EVPN-SOO"], } ) + else: + # TODO refactor existing behavior to SoO? + if self._vrf_default_ipv4_subnets: + sequence_numbers.append( + { + "sequence": 10, + "type": "permit", + "match": ["ip address prefix-list PL-SVI-VRF-DEFAULT"], + } + ) + + if self._vrf_default_ipv4_static_routes["static_routes"]: + sequence_numbers.append( + { + "sequence": 20, + "type": "permit", + "match": ["ip address prefix-list PL-STATIC-VRF-DEFAULT"], + } + ) if not sequence_numbers: return None 
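Review bot: The updated docstring says the SoO match "includes the two above", but static routes only carry the SoO when `redistribute_in_overlay` is set (see `_redistribute_static_to_bgp_route_map` in the next hunk), so the claim should be qualified, e.g. `* for WAN routers, every route carrying the SoO: connected subnets via RM-CONN-2-BGP and, when redistribute_in_overlay is set, static routes via RM-STATIC-2-BGP`. Sequence 10 also references `ECL-EVPN-SOO`, which ip_extcommunity_lists.py renders only when the overlay routing protocol is iBGP; if a WAN router can run any other overlay protocol the route-map would point at a missing list, so a one-line comment stating that dependency next to the `match` would help the next reader. The function body continues past the hunk.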
@@ -235,15 +242,36 @@ def _redistribute_connected_to_bgp_route_map(self) -> dict | None: if self._vrf_default_ipv4_subnets: # Add subnets to redistribution in default VRF - sequence_numbers.append( - { - "sequence": 30, - "type": "permit", - "match": ["ip address prefix-list PL-SVI-VRF-DEFAULT"], - }, - ) + sequence_30 = { + "sequence": 30, + "type": "permit", + "match": ["ip address prefix-list PL-SVI-VRF-DEFAULT"], + } + if self.shared_utils.wan_role: + sequence_30["set"] = [f"extcommunity soo {self.shared_utils.evpn_soo} additive"] + + sequence_numbers.append(sequence_30) if not sequence_numbers: return None return {"name": "RM-CONN-2-BGP", "sequence_numbers": sequence_numbers} + + def _redistribute_static_to_bgp_route_map(self) -> dict | None: + """ + Append network services relevant entries to the route-map used to redistribute static routes to BGP + """ + if not (self.shared_utils.wan_role and self._vrf_default_ipv4_static_routes["redistribute_in_overlay"]): + return None + + return { + "name": "RM-STATIC-2-BGP", + "sequence_numbers": [ + { + "sequence": 10, + "type": "permit", + "match": ["ip address prefix-list PL-STATIC-VRF-DEFAULT"], + "set": [f"extcommunity soo {self.shared_utils.evpn_soo} additive"], + } + ], + } diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/router_bgp.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/router_bgp.py index 2e966bbd169..124b0c4f3df 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/router_bgp.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/router_bgp.py 
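Review bot: The docstring of the new `_redistribute_static_to_bgp_route_map` says it appends entries to a route-map, but the method builds and returns the complete `RM-STATIC-2-BGP` route-map; a more accurate wording is `"""Return the RM-STATIC-2-BGP route-map tagging VRF default static routes with the SoO. Only rendered for WAN routers when 'redistribute_in_overlay' is set."""`. The `extcommunity soo ... additive` set string is now assembled by hand here, in `_redistribute_connected_to_bgp_route_map` just above, and again in the overlay and underlay route_maps.py hunks of this commit; one shared_utils property returning that string would keep the four copies in step if the SoO format ever changes. `_redistribute_connected_to_bgp_route_map` starts outside the hunk.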
@@ -734,12 +734,19 @@ def _router_bgp_redistribute_routes(self) -> list | None: Add redistribute static to default if either "redistribute_in_overlay" is set or "redistribute_in_underlay" and underlay protocol is BGP. """ - if self._vrf_default_ipv4_static_routes["redistribute_in_overlay"] or ( - self._vrf_default_ipv4_static_routes["redistribute_in_underlay"] and self.shared_utils.underlay_bgp + if not ( + self._vrf_default_ipv4_static_routes["redistribute_in_overlay"] + or (self._vrf_default_ipv4_static_routes["redistribute_in_underlay"] and self.shared_utils.underlay_bgp) ): - return [{"source_protocol": "static"}] + return None - return None + if self.shared_utils.wan_role: + # For WAN routers we only wish to redistribute static routes defined under the tenants to BGP. + if self._vrf_default_ipv4_static_routes["redistribute_in_overlay"]: + return [{"source_protocol": "static", "route_map": "RM-STATIC-2-BGP"}] + return None + + return [{"source_protocol": "static"}] @cached_property def _router_bgp_vpws(self) -> list[dict] | None: diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/utils.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/utils.py index e2b6e13d8d0..92bffe495fc 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/utils.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/utils.py @@ -199,6 +199,8 @@ def _wan_control_plane_profile(self) -> str: def _wan_control_plane_application_profile(self) -> str: """ Control plane application profile name + + TODO: make this configurable """ return "CONTROL-PLANE-APPLICATION-PROFILE" 
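Review bot: The docstring of `_router_bgp_redistribute_routes` still states that static routes are redistributed when either flag applies, but the new WAN branch returns None when only `redistribute_in_underlay` is set; add a sentence such as `For WAN routers only "redistribute_in_overlay" is honoured, and the redistribution is always filtered by RM-STATIC-2-BGP.` The docstring begins before the hunk, so the edit lands just above the changed lines. The in-code comment already says why the WAN case differs, so keeping the docstring in sync is the only gap.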
@@ -249,6 +251,7 @@ def _generate_wan_load_balance_policy(self, name: str, input_dict: dict, context } wan_load_balance_policy["path_groups"].append(path_group) + if not at_least_one_priority_1_found: raise AristaAvdError(f"At least one path-group must be configured with preference '1' or 'preferred' for {context_path}'.") diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/flow_tracking.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/flow_tracking.py index db6b5906aca..7359483a57d 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/flow_tracking.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/flow_tracking.py @@ -28,7 +28,7 @@ def flow_tracking(self) -> dict | None: "hardware": { "trackers": [ { - "name": "WAN-FLOW-TRACKER", + "name": self.shared_utils.wan_ha_flow_tracker_name, "record_export": {"on_inactive_timeout": 70000, "on_interval": 5000}, "exporters": [{"name": "DPI-EXPORTER", "collector": {"host": "127.0.0.1"}, "local_interface": "Loopback0", "template_interval": 5000}], } diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/ip_extcommunity_lists.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/ip_extcommunity_lists.py index 5f63400c0a7..633bf35abfb 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/ip_extcommunity_lists.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/ip_extcommunity_lists.py @@ -22,7 +22,7 @@ def ip_extcommunity_lists(self) -> list | None: if self.shared_utils.overlay_routing_protocol != "ibgp": return None - if self.shared_utils.wan_role is not None: + if self.shared_utils.evpn_role == "server" and not self.shared_utils.wan_role: return None if self.shared_utils.overlay_vtep: 
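Review bot: The new early return in `ip_extcommunity_lists` (`evpn_role == "server" and not wan_role`) deserves a comment, because a WAN server is now treated differently from a plain EVPN route-server and the reason is not visible here; presumably it is because `RM-EVPN-EXPORT-VRF-DEFAULT` (network_services route_maps hunk) matches `ECL-EVPN-SOO` on every WAN router, while `RM-EVPN-SOO-IN/OUT` are still skipped for servers. Suggested: `# Route-servers do not need the SoO list unless they are also WAN routers, whose RM-EVPN-EXPORT-VRF-DEFAULT matches ECL-EVPN-SOO`. The enclosing method starts outside the hunk.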
@@ -32,7 +32,7 @@ def ip_extcommunity_lists(self) -> list | None: "entries": [ { "type": "permit", - "extcommunities": f"soo {self.shared_utils.vtep_ip}:1", + "extcommunities": f"soo {self.shared_utils.evpn_soo}", }, ], } diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/ip_security.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/ip_security.py index ac6025582b6..e4bd6c2476f 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/ip_security.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/ip_security.py @@ -46,14 +46,13 @@ def _append_data_plane(self, ip_security: dict, data_plane_config: dict) -> None """ In place update of ip_security """ - ike_policy_name = get(data_plane_config, "ike_policy_name", default="DP-IKE-POLICY") sa_policy_name = get(data_plane_config, "sa_policy_name", default="DP-SA-POLICY") profile_name = get(data_plane_config, "profile_name", default="DP-PROFILE") key = get(data_plane_config, "shared_key", required=True) - ip_security["ike_policies"].append(self._ike_policy(ike_policy_name)) + # IKE policy for data-plane is not required for dynamic tunnels except for HA cases ip_security["sa_policies"].append(self._sa_policy(sa_policy_name)) - ip_security["profiles"].append(self._profile(profile_name, ike_policy_name, sa_policy_name, key)) + ip_security["profiles"].append(self._profile(profile_name, None, sa_policy_name, key)) # For data plane, adding key_controller by default ip_security["key_controller"] = self._key_controller(profile_name) 
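Review bot: With the `ike_policy_name` lookup removed, a user-provided `wan_ipsec_profiles.data_plane.ike_policy_name` is no longer read anywhere in `_append_data_plane` and is silently ignored, assuming the schema still accepts that key; either reject or warn on it, or at least state the behaviour in the comment, e.g. `# No IKE policy is rendered for the data-plane profile (dynamic tunnels do not need one; HA will); an ike_policy_name under data_plane is currently ignored`. `_append_data_plane` starts outside the hunk.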
@@ -97,9 +96,11 @@ def _sa_policy(self, name: str) -> dict | None: sa_policy["pfs_dh_group"] = 14 return sa_policy - def _profile(self, profile_name: str, ike_policy_name: str, sa_policy_name: str, key: str) -> dict | None: + def _profile(self, profile_name: str, ike_policy_name: str | None, sa_policy_name: str, key: str) -> dict | None: """ Return one IPsec Profile + + The expectation is that potential None values are stripped later. """ return { "name": profile_name, diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/route_maps.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/route_maps.py index d7212ac1eef..304660c4d5e 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/route_maps.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/route_maps.py @@ -20,20 +20,11 @@ class RouteMapsMixin(UtilsMixin): def route_maps(self) -> list | None: """ Return structured config for route_maps - - TODO """ if self.shared_utils.overlay_cvx: return None - if self.shared_utils.overlay_mpls is True: - # some logic - pass - if self.shared_utils.overlay_evpn is True: - # some logic - pass - route_maps = [] if self.shared_utils.overlay_routing_protocol == "ebgp": 
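Review bot: `_profile` now takes `ike_policy_name: str | None` and its docstring says None values "are stripped later" without naming where; the `_append_data_plane` caller in the previous hunk appends the result straight into `ip_security["profiles"]`, so the docstring should name the stripping point, or the method should omit the IKE-policy key itself when the name is None so the contract is verifiable from this file. The dictionary returned by `_profile` continues outside the hunk.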
@@ -58,39 +49,37 @@ def route_maps(self) -> list | None: } ) - elif self.shared_utils.overlay_routing_protocol == "ibgp": - if self.shared_utils.overlay_vtep and self.shared_utils.wan_role is None: - # Route-map IN and OUT for SOO, not rendered for WAN routers - route_maps.append( - { - "name": "RM-EVPN-SOO-IN", - "sequence_numbers": [ - { - "sequence": 10, - "type": "deny", - "match": ["extcommunity ECL-EVPN-SOO"], - }, - { - "sequence": 20, - "type": "permit", - }, - ], - } - ) - route_maps.append( - { - "name": "RM-EVPN-SOO-OUT", - "sequence_numbers": [ - { - "sequence": 10, - "type": "permit", - "set": [f"extcommunity soo {self.shared_utils.vtep_ip}:1 additive"], - }, - ], - } - ) + elif self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server": + # Route-map IN and OUT for SOO + route_maps.append( + { + "name": "RM-EVPN-SOO-IN", + "sequence_numbers": [ + { + "sequence": 10, + "type": "deny", + "match": ["extcommunity ECL-EVPN-SOO"], + }, + { + "sequence": 20, + "type": "permit", + }, + ], + } + ) + route_maps.append( + { + "name": "RM-EVPN-SOO-OUT", + "sequence_numbers": [ + { + "sequence": 10, + "type": "permit", + "set": [f"extcommunity soo {self.shared_utils.evpn_soo} additive"], + }, + ], + } + ) - # TODO - maybe need to clean None if route_maps: return route_maps diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/router_bgp.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/router_bgp.py index 603f8a87900..8644c92e7fd 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/router_bgp.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/router_bgp.py 
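Review bot: The condition for rendering `RM-EVPN-SOO-IN/OUT` (`overlay_vtep and evpn_role != "server"`) is the same decision taken again in the overlay router_bgp hunk that follows (`overlay_vtep is True and evpn_role != "server"`) and, in a third shape, in ip_extcommunity_lists.py; a single shared_utils property (something like `apply_evpn_soo_filtering`) would keep the route-maps, the peer-group references and the extcommunity-list from drifting apart. The new predicate also changes behaviour for a VTEP with `evpn_role: server` and no WAN role, which previously received these route-maps; if that is intended it is worth saying so in the comment, e.g. `# Route-map IN and OUT for SOO - rendered on VTEPs including WAN routers, never on route-servers`.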
@@ -238,8 +238,7 @@ def _address_family_evpn(self) -> dict: address_family_evpn["neighbor_default"]["next_hop_self_source_interface"] = "Loopback0" # partly duplicate with ebgp - # Do not render the route-maps if it is a WAN router - if self.shared_utils.overlay_vtep is True and self.shared_utils.wan_role is None: + if self.shared_utils.overlay_vtep is True and self.shared_utils.evpn_role != "server": if (peer_group := get_item(peer_groups, "name", overlay_peer_group_name)) is not None: peer_group.update( { diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/router_path_selection.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/router_path_selection.py index 7e86021d217..059cdb6132d 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/router_path_selection.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/router_path_selection.py 
@@ -36,21 +36,35 @@ def router_path_selection(self) -> dict | None: return strip_empties_from_dict(router_path_selection) + @cached_property + def _cp_ipsec_profile_name(self) -> str: + """ + Returns the IPsec profile name to use for Control-Plane + """ + return get(self._hostvars, "wan_ipsec_profiles.control_plane.profile_name", default="CP-PROFILE") + + @cached_property + def _dp_ipsec_profile_name(self) -> str: + """ + Returns the IPsec profile name to use for Data-Plane + """ + # TODO need to use CP one if 'wan_ipsec_profiles.data_plane' not present + return get(self._hostvars, "wan_ipsec_profiles.data_plane.profile_name", default="DP-PROFILE") + def _get_path_groups(self) -> list: """ Generate the required path-groups locally """ path_groups = [] - # TODO - need to have default value in one place only -> maybe facts / shared_utils ? - ipsec_profile_name = get(self._hostvars, "wan_ipsec_profiles.control_plane.profile_name", default="CP-PROFILE") - if self.shared_utils.wan_role == "server": # Configure all path-groups on Pathfinders and AutoVPN RRs path_groups_to_configure = self.shared_utils.wan_path_groups else: path_groups_to_configure = self.shared_utils.wan_local_path_groups + local_path_groups_names = [path_group["name"] for path_group in self.shared_utils.wan_local_path_groups] + for path_group in path_groups_to_configure: pg_name = path_group.get("name") @@ -62,8 +76,9 @@ def _get_path_groups(self) -> list: "static_peers": self._get_static_peers_for_path_group(pg_name), } - if path_group.get("ipsec", True): - path_group_data["ipsec_profile"] = ipsec_profile_name + # On pathfinder IPsec profile is not required for non local path_groups + if pg_name in local_path_groups_names and path_group.get("ipsec", True): + path_group_data["ipsec_profile"] = self._cp_ipsec_profile_name path_groups.append(path_group_data) 
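Review bot: `_dp_ipsec_profile_name` re-declares the `"DP-PROFILE"` default that ip_security.py also hard-codes (`get(data_plane_config, "profile_name", default="DP-PROFILE")`), and `_cp_ipsec_profile_name` does the same for `"CP-PROFILE"`, so the removed TODO about keeping each default in one place still applies; moving both names to shared_utils would let router_path_selection and ip_security read one value. `_dp_ipsec_profile_name` is not referenced in the hunks shown here, so it should either be used or carry a comment saying it is staged for the data-plane change its TODO mentions. `local_path_groups_names` is only used for membership tests inside the loop, so `{path_group["name"] for path_group in self.shared_utils.wan_local_path_groups}` fits better than a list. `_get_path_groups` continues past the hunk.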
@@ -114,7 +129,7 @@ def _get_dynamic_peers(self) -> dict | None: def _get_static_peers_for_path_group(self, path_group_name: str) -> list | None: """ - TODO + Retrieves the static peers to configure for a given path-group based on the connected nodes. """ if not self.shared_utils.wan_role: return None diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/as_path.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/as_path.py new file mode 100644 index 00000000000..667a51d8ce1 --- /dev/null +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/as_path.py @@ -0,0 +1,42 @@ +# Copyright (c) 2023-2024 Arista Networks, Inc. +# Use of this source code is governed by the Apache License 2.0 +# that can be found in the LICENSE file. +from __future__ import annotations + +from functools import cached_property + +from .utils import UtilsMixin + + +class AsPathMixin(UtilsMixin): + """ + Mixin Class used to generate structured config for one key. + Class should only be used as Mixin to a AvdStructuredConfig class + """ + + @cached_property + def as_path(self) -> list | None: + """ + Return structured config for as_path. + """ + if self.shared_utils.underlay_routing_protocol != "ebgp": + return None + + access_lists = [] + if self.shared_utils.is_cv_pathfinder_edge_or_transit: + access_lists.append( + { + "name": "ASPATH-WAN", + "entries": [ + { + "type": "permit", + "match": self.shared_utils.bgp_as, + }, + ], + } + ) + + if access_lists: + return {"access_lists": access_lists} + + return None diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/avdstructuredconfig.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/avdstructuredconfig.py index 282fb13017a..5c9f274e67a 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/avdstructuredconfig.py 
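Review bot: `as_path` in the new as_path.py is annotated `-> list | None` but returns `{"access_lists": access_lists}`, a dict; change it to `def as_path(self) -> dict | None:` and say in the docstring that the `as_path` structured-config dict is returned. The `ASPATH-WAN` entry matches the bare `bgp_as` value; if EOS evaluates as-path access-list entries as unanchored regular expressions, as as-path lists generally are, any AS number containing the WAN AS as a substring (e.g. `165000` for `65000`) would also be denied by `RM-BGP-UNDERLAY-PEERS-IN`, so delimiting the match, e.g. `"match": f"_{self.shared_utils.bgp_as}_"`, is worth confirming against EOS before the LAN filtering goes further. Whatever the outcome, a comment on the entry stating that the value is a regex and what it is meant to match would prevent the next edit from guessing.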
+++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/avdstructuredconfig.py @@ -3,6 +3,7 @@ # that can be found in the LICENSE file. from ansible_collections.arista.avd.plugins.plugin_utils.avdfacts import AvdFacts +from .as_path import AsPathMixin from .ethernet_interfaces import EthernetInterfacesMixin from .loopback_interfaces import LoopbackInterfacesMixin from .mpls import MplsMixin @@ -26,6 +27,7 @@ class AvdStructuredConfigUnderlay( PortChannelInterfacesMixin, LoopbackInterfacesMixin, RouterBgpMixin, + AsPathMixin, RouterOspfMixin, PrefixListsMixin, RouteMapsMixin, diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/ethernet_interfaces.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/ethernet_interfaces.py index 4064982926f..98105b5ad85 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/ethernet_interfaces.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/ethernet_interfaces.py @@ -110,6 +110,10 @@ def ethernet_interfaces(self) -> list | None: if link.get("underlay_multicast") is True: ethernet_interface["pim"] = {"ipv4": {"sparse_mode": True}} + # Configuring flow tracking on LAN interfaces + if self.shared_utils.wan_mode == "cv-pathfinder" and self.shared_utils.wan_role == "client": + ethernet_interface["flow_tracker"] = {"hardware": self.shared_utils.wan_ha_flow_tracker_name} + # Structured Config ethernet_interface["struct_cfg"] = link.get("structured_config") 
@@ -179,6 +183,10 @@ def ethernet_interfaces(self) -> list | None: if subinterface.get("ip_address") is not None: ethernet_subinterface.update({"ip_address": f"{subinterface['ip_address']}/{subinterface['prefix_length']}"}), + # Configuring flow tracking on LAN interfaces + if self.shared_utils.wan_mode == "cv-pathfinder" and self.shared_utils.wan_role == "client": + ethernet_interface["flow_tracker"] = {"hardware": self.shared_utils.wan_ha_flow_tracker_name} + ethernet_subinterface = {key: value for key, value in ethernet_subinterface.items() if value is not None} append_if_not_duplicate( list_of_dicts=ethernet_interfaces, @@ -216,6 +224,11 @@ def ethernet_interfaces(self) -> list | None: "peer_type": "l3_interface", "shutdown": False, } + + # Configuring flow tracking on LAN interfaces + if self.shared_utils.wan_mode == "cv-pathfinder" and self.shared_utils.wan_role == "client": + ethernet_interface["flow_tracker"] = {"hardware": self.shared_utils.wan_ha_flow_tracker_name} + append_if_not_duplicate( list_of_dicts=ethernet_interfaces, primary_key="name", diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/route_maps.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/route_maps.py index e0359193deb..68b11a08eec 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/route_maps.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/route_maps.py 
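Review bot: In the subinterface hunk the flow tracker is assigned to `ethernet_interface["flow_tracker"]`, while every neighbouring line in that loop updates `ethernet_subinterface`; this looks like a copy of the parent-interface block and, if subinterfaces are meant to get the tracker, should read `ethernet_subinterface["flow_tracker"] = {"hardware": self.shared_utils.wan_ha_flow_tracker_name}` (as written it re-sets the parent's key once per subinterface). The same three-line block now appears three times in `ethernet_interfaces` (the previous hunk and both hunks here) guarded by `wan_mode == "cv-pathfinder" and wan_role == "client"`; `self.shared_utils.is_cv_pathfinder_edge_or_transit`, used by the new as_path.py, looks like the same predicate and, if it is, should replace the repeated condition. `ethernet_interfaces` starts before these hunks.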
@@ -31,13 +31,15 @@ def route_maps(self) -> list | None: if self.shared_utils.overlay_routing_protocol != "none" and self.shared_utils.underlay_filter_redistribute_connected: # RM-CONN-2-BGP sequence_numbers = [] - sequence_numbers.append( - { - "sequence": 10, - "type": "permit", - "match": ["ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY"], - } - ) + sequence_10 = { + "sequence": 10, + "type": "permit", + "match": ["ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY"], + } + if self.shared_utils.wan_role: + sequence_10["set"] = [f"extcommunity soo {self.shared_utils.evpn_soo} additive"] + + sequence_numbers.append(sequence_10) # SEQ 20 is set by inband management if applicable, so avoid setting that here @@ -59,6 +61,8 @@ def route_maps(self) -> list | None: } ) + # TODO in WAN HA PR, use 50 for PL-WAN-HA-INTERFACES + route_maps.append({"name": "RM-CONN-2-BGP", "sequence_numbers": sequence_numbers}) # RM-BGP-AS{{ asn }}-OUT 
@@ -81,6 +85,51 @@ def route_maps(self) -> list | None: } ) + # Route-map IN and OUT for SOO, rendered for WAN routers + if self.shared_utils.underlay_routing_protocol == "ebgp" and self.shared_utils.wan_role == "client": + route_maps.append( + { + "name": "RM-BGP-UNDERLAY-PEERS-IN", + "sequence_numbers": [ + # TODO sequence 10 is left to match prefixes from HA PEER + # on which SOO will be have been set by peer + { + "sequence": 20, + "type": "deny", + "description": "Deny prefixes from WAN", + "match": ["as-path ASPATH-WAN"], + }, + { + "sequence": 30, + "type": "permit", + "description": "Mark prefixes originated from the LAN", + "set": [f"extcommunity soo {self.shared_utils.evpn_soo} additive"], + }, + ], + } + ) + + route_maps.append( + { + "name": "RM-BGP-UNDERLAY-PEERS-OUT", + "sequence_numbers": [ + { + "sequence": 10, + "type": "permit", + "description": "Advertise local routes towards LAN", + "match": ["extcommunity ECL-EVPN-SOO"], + }, + { + "sequence": 20, + "type": "permit", + "description": "Advertise routes received from WAN iBGP towards LAN", + "match": ["route-type internal"], + }, + # TODO match local HA prefix and mark them with SOO + ], + } + ) + if route_maps: return route_maps diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/router_bgp.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/router_bgp.py index 400cbf41e73..e48816f73e2 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/router_bgp.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/router_bgp.py 
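Review bot: `RM-BGP-UNDERLAY-PEERS-IN/OUT` are rendered only when `underlay_routing_protocol == "ebgp" and wan_role == "client"`, but the underlay router_bgp hunk that follows attaches them to the `ipv4_underlay_peers` peer group whenever `overlay_routing_protocol == "ibgp" and wan_mode == "cv-pathfinder" and wan_role is not None`, so a pathfinder (`wan_role: server`) reaching that code would reference route-maps that are never generated, and an AutoVPN client with an eBGP underlay gets the route-maps (plus a reference to `ASPATH-WAN`, which as_path.py renders only for CV Pathfinder edge/transit) without ever applying them. Unless pathfinders are excluded earlier (for instance by the new `underlay_routing_protocol: none`), both sides should test one predicate, e.g. `self.shared_utils.is_cv_pathfinder_edge_or_transit and self.shared_utils.underlay_routing_protocol == "ebgp"`. Sequence 20 of `RM-BGP-UNDERLAY-PEERS-OUT` (`route-type internal`) forwards every iBGP-learned route to the LAN, which the wan-preview.md hunk in this commit already flags as unfiltered; a `# TODO` on that entry pointing at the planned no-advertise / outbound filtering would make the gap visible in the code as well as in the docs.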
@@ -43,6 +43,11 @@ def router_bgp(self) -> dict | None: "struct_cfg": self.shared_utils.bgp_peer_groups["ipv4_underlay_peers"]["structured_config"], } + # For HA will need to add allowas_in 1 + if self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.wan_mode == "cv-pathfinder" and self.shared_utils.wan_role is not None: + peer_group["route_map_in"] = "RM-BGP-UNDERLAY-PEERS-IN" + peer_group["route_map_out"] = "RM-BGP-UNDERLAY-PEERS-OUT" + router_bgp["peer_groups"] = [strip_empties_from_dict(peer_group)] # Address Families diff --git a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/utils.py b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/utils.py index f4fda7f3b7d..7f6b28840b4 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/utils.py +++ b/ansible_collections/arista/avd/roles/eos_designs/python_modules/underlay/utils.py @@ -181,6 +181,6 @@ def _get_l3_interface_cfg(self, l3_interface: dict) -> dict | None: interface["dhcp_client_accept_default_route"] = True if self.shared_utils.cv_pathfinder_role: - interface["flow_tracker"] = {"hardware": "WAN-FLOW-TRACKER"} + interface["flow_tracker"] = {"hardware": self.shared_utils.wan_ha_flow_tracker_name} return strip_empties_from_dict(interface) diff --git a/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json b/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json index a0fd60d92f4..ae413707b2f 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json +++ b/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.jsonschema.json 
@@ -13923,9 +13923,9 @@ "default_underlay_routing_protocol": { "type": "string", "default": "ebgp", + "description": "Set the default underlay routing_protocol.\nCan be overridden by setting \"underlay_routing_protocol\" host/group_vars.\n", "enum": [ "ebgp", - "ibgp", "ospf", "ospf-ldp", "isis", @@ -13934,7 +13934,6 @@ "isis-sr-ldp", "none" ], - "description": "Set the default underlay routing_protocol.\nCan be overridden by setting \"underlay_routing_protocol\" host/group_vars.\n", "title": "Default Underlay Routing Protocol" }, "default_overlay_routing_protocol": { @@ -24490,15 +24489,16 @@ }, "underlay_routing_protocol": { "type": "string", - "description": "- The following underlay routing protocols are supported:\n - EBGP (default for l3ls-evpn)\n - OSPF.\n - ISIS.\n - ISIS-SR*.\n - ISIS-LDP*.\n - ISIS-SR-LDP*.\n - OSPF-LDP*.\n- The variables should be applied to all devices in the fabric.\n*Only supported with core_interfaces data model.\n", + "description": "- The following underlay routing protocols are supported:\n - EBGP (default for l3ls-evpn)\n - OSPF.\n - OSPF-LDP*.\n - ISIS.\n - ISIS-SR*.\n - ISIS-LDP*.\n - ISIS-SR-LDP*.\n - No underlay routing protocol (none)\n- The variables should be applied to all devices in the fabric.\n*Only supported with core_interfaces data model.\n", "enum": [ "ebgp", "ospf", + "ospf-ldp", "isis", "isis-sr", "isis-ldp", "isis-sr-ldp", - "ospf-ldp" + "none" ], "title": "Underlay Routing Protocol" }, diff --git a/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.schema.yml b/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.schema.yml index 39e7005075b..7b91821746a 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.schema.yml +++ b/ansible_collections/arista/avd/roles/eos_designs/schemas/eos_designs.schema.yml 
@@ -1647,19 +1647,12 @@ keys:
           default: 127
           description: Default PTP priority 1
         default_underlay_routing_protocol:
+          documentation_options:
+            table: node-type-keys
           type: str
           default: ebgp
           convert_to_lower_case: true
-          valid_values:
-          - ebgp
-          - ibgp
-          - ospf
-          - ospf-ldp
-          - isis
-          - isis-sr
-          - isis-ldp
-          - isis-sr-ldp
-          - none
+          $ref: eos_designs#/keys/underlay_routing_protocol
           description: 'Set the default underlay routing_protocol.
 
             Can be overridden by setting "underlay_routing_protocol" host/group_vars.
@@ -3434,17 +3427,19 @@ keys:
       type: str
       convert_to_lower_case: true
-      description: "- The following underlay routing protocols are supported:\n - EBGP
-        (default for l3ls-evpn)\n - OSPF.\n - ISIS.\n - ISIS-SR*.\n - ISIS-LDP*.\n
-        \ - ISIS-SR-LDP*.\n - OSPF-LDP*.\n- The variables should be applied to all
-        devices in the fabric.\n*Only supported with core_interfaces data model.\n"
+      description: "- The following underlay routing protocols are supported:\n - EBGP
+        (default for l3ls-evpn)\n - OSPF.\n - OSPF-LDP*.\n - ISIS.\n - ISIS-SR*.\n
+        \ - ISIS-LDP*.\n - ISIS-SR-LDP*.\n - No underlay routing protocol (none)\n-
+        The variables should be applied to all devices in the fabric.\n*Only supported
+        with core_interfaces data model.\n"
       valid_values:
       - ebgp
       - ospf
+      - ospf-ldp
       - isis
       - isis-sr
       - isis-ldp
       - isis-sr-ldp
-      - ospf-ldp
+      - none
     uplink_ptp:
       documentation_options:
         table: fabric-settings
diff --git a/ansible_collections/arista/avd/roles/eos_designs/schemas/schema_fragments/node_type_keys.schema.yml b/ansible_collections/arista/avd/roles/eos_designs/schemas/schema_fragments/node_type_keys.schema.yml
index 140bd213ff0..8e481274edf 100644
--- a/ansible_collections/arista/avd/roles/eos_designs/schemas/schema_fragments/node_type_keys.schema.yml
+++ b/ansible_collections/arista/avd/roles/eos_designs/schemas/schema_fragments/node_type_keys.schema.yml
@@ -43,19 +43,12 @@ keys:
           default: 127
           description: Default PTP priority 1
         default_underlay_routing_protocol:
+          documentation_options:
+            table: node-type-keys
           type: str
           default: "ebgp"
           convert_to_lower_case: true
-          valid_values:
-            - "ebgp"
-            - "ibgp"
-            - "ospf"
-            - "ospf-ldp"
-            - "isis"
-            - "isis-sr"
-            - "isis-ldp"
-            - "isis-sr-ldp"
-            - "none"
+          $ref: "eos_designs#/keys/underlay_routing_protocol"
           description: |
             Set the default underlay routing_protocol.
             Can be overridden by setting "underlay_routing_protocol" host/group_vars.
diff --git a/ansible_collections/arista/avd/roles/eos_designs/schemas/schema_fragments/underlay_routing_protocol.schema.yml b/ansible_collections/arista/avd/roles/eos_designs/schemas/schema_fragments/underlay_routing_protocol.schema.yml
index 20436b78d26..38ba5c88c3f 100644
--- a/ansible_collections/arista/avd/roles/eos_designs/schemas/schema_fragments/underlay_routing_protocol.schema.yml
+++ b/ansible_collections/arista/avd/roles/eos_designs/schemas/schema_fragments/underlay_routing_protocol.schema.yml
@@ -15,18 +15,20 @@ keys:
       - The following underlay routing protocols are supported:
         - EBGP (default for l3ls-evpn)
         - OSPF.
+        - OSPF-LDP*.
         - ISIS.
         - ISIS-SR*.
         - ISIS-LDP*.
         - ISIS-SR-LDP*.
-        - OSPF-LDP*.
+        - No underlay routing protocol (none)
       - The variables should be applied to all devices in the fabric.
       *Only supported with core_interfaces data model.
     valid_values:
       - "ebgp"
       - "ospf"
+      - "ospf-ldp"
       - "isis"
       - "isis-sr"
       - "isis-ldp"
       - "isis-sr-ldp"
-      - "ospf-ldp"
+      - "none"
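Review bot: Dropping `ibgp` from the accepted values of `default_underlay_routing_protocol` (the referenced `underlay_routing_protocol` list does not contain it) is a backward-incompatible schema change that the commit message does not call out; any inventory carrying `default_underlay_routing_protocol: ibgp` in a custom node_type_key will presumably start failing schema validation. If no generator ever consumed `ibgp` for the underlay this is a cleanup worth one sentence in the release notes; otherwise the value should be kept or a deprecation entry added. The `$ref` also pulls in a schema written for the per-device key, whose description carries footnotes such as `*Only supported with core_interfaces data model` — worth confirming that the doc generator keeps the local `description:` and does not merge the referenced one into the node-type-keys table.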
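Review bot: The new enum entry `none` is documented only as `- No underlay routing protocol (none)`, which says what is not generated but not what eos_designs then assumes about underlay reachability (static routes, an externally managed IGP, or the WAN designs this change targets), nor whether the `*Only supported with core_interfaces data model` footnote applies to it. I would extend the line along the lines of `- No underlay routing protocol (none) - presumably no underlay peering/IGP is generated; reachability between loopbacks must be provided outside eos_designs`, adjusted to what the underlay generator actually does, and state it the same way in the corresponding docs table.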
