diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml index a825787e0fe..de767e0c1ed 100644 --- a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml +++ b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf1.yml @@ -571,10 +571,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml index 9ce7f83c14b..ec26c6b99ff 100644 --- a/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml +++ b/ansible_collections/arista/avd/examples/cv-pathfinder/intended/structured_configs/pf2.yml @@ -571,10 +571,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/invalid-wan-role-overlay-routing-protocol.yml b/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/invalid-wan-role-overlay-routing-protocol.yml deleted file mode 100644 index 26f78e6f2ce..00000000000 --- a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/invalid-wan-role-overlay-routing-protocol.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -wan_mode: autovpn -type: wan_router -fabric_name: FABRIC_WAN_ROLE_OVERLAY_ROUTING_PROTOCOL - -# Not ibgp -overlay_routing_protocol: none - -wan_router: - defaults: - loopback_ipv4_pool: 192.168.0.0/24 - vtep_loopback_ipv4_pool: 192.168.1.0/24 - nodes: - - name: invalid-wan-role-overlay-routing-protocol - id: 1 - l3_interfaces: - - name: Ethernet1 - wan_carrier: TEST - ip_address: dhcp - -wan_carriers: - - name: TEST - path_group: TEST - trusted: true - -wan_path_groups: - - name: TEST - id: 42 - -expected_error_message: >- - Only 'ibgp' is supported as 'overlay_routing_protocol' for WAN nodes. diff --git a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml b/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml index f06d98e4406..de2e9e2516d 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml @@ -40,9 +40,6 @@ all: invalid-uplink-port-channel-id-3-l3leaf-1: invalid-uplink-port-channel-id-3-l3leaf-2: invalid-uplink-port-channel-id-3-l2leaf-2: - FABRIC_WAN_ROLE_OVERLAY_ROUTING_PROTOCOL: - hosts: - invalid-wan-role-overlay-routing-protocol: FABRIC_P2P_VRFS: hosts: invalid-uplink-type-p2p-vrfs-underlay-router-false: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg index daf7e66fb6b..2bb27fc9b66 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg 
@@ -83,6 +83,9 @@ router path-selection ! vrf PROD path-selection-policy PROD-AUTOVPN-POLICY + ! + vrf WAN-VRF-NO-AF + path-selection-policy PROD-AUTOVPN-POLICY ! spanning-tree mode none ! @@ -92,6 +95,8 @@ vrf instance MGMT ! vrf instance PROD ! +vrf instance WAN-VRF-NO-AF +! management api http-commands protocol https no shutdown @@ -146,6 +151,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! @@ -168,6 +174,7 @@ ip routing ip routing vrf IT no ip routing vrf MGMT ip routing vrf PROD +ip routing vrf WAN-VRF-NO-AF ! ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.30.1:0 ! @@ -238,6 +245,13 @@ router bgp 65000 route-target export evpn 42:42 router-id 192.168.30.1 redistribute connected + ! + vrf WAN-VRF-NO-AF + rd 192.168.30.1:200 + route-target import evpn 200:200 + route-target export evpn 200:200 + router-id 192.168.30.1 + redistribute connected ! stun client diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg index 81ad7865faf..7221d6f48d0 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg @@ -74,6 +74,9 @@ router path-selection ! vrf PROD path-selection-policy PROD-AUTOVPN-POLICY + ! + vrf WAN-VRF-NO-AF + path-selection-policy PROD-AUTOVPN-POLICY ! platform sfe data-plane cpu allocation maximum 2 ! @@ -126,6 +129,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg index 84941e98c10..d9470065bbf 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg @@ -74,6 +74,9 @@ router path-selection ! vrf PROD path-selection-policy PROD-AUTOVPN-POLICY + ! + vrf WAN-VRF-NO-AF + path-selection-policy PROD-AUTOVPN-POLICY ! platform sfe data-plane cpu allocation maximum 2 ! @@ -125,6 +128,7 @@ interface Vxlan1 vxlan udp-port 4789 vxlan vrf default vni 1 vxlan vrf PROD vni 42 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg new file mode 100644 index 00000000000..5a8727ddf6d --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg 
@@ -0,0 +1,372 @@ +! +no enable password +no aaa root +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP=1 +! +flow tracking hardware + tracker FLOW-TRACKER + record export on inactive timeout 70000 + record export on interval 300000 + exporter CV-TELEMETRY + collector 127.0.0.1 + local interface Loopback0 + template interval 3600000 + no shutdown +! +service routing protocols model multi-agent +! +hostname cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan +! +router adaptive-virtual-topology + topology role edge + region AVD_Land_West id 42 + zone AVD_Land_West-ZONE id 1 + site Site12 id 12 + ! + policy DEFAULT-AVT-POLICY-WITH-CP + ! + match application-profile APP-PROFILE-CONTROL-PLANE + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + match application-profile VIDEO + avt profile DEFAULT-AVT-POLICY-VIDEO + ! + match application-profile default + avt profile DEFAULT-AVT-POLICY-DEFAULT + ! + policy PROD-AVT-POLICY + ! + match application-profile VOICE + avt profile PROD-AVT-POLICY-VOICE + ! + match application-profile VIDEO + avt profile PROD-AVT-POLICY-VIDEO + ! + match application-profile default + avt profile PROD-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-CONTROL-PLANE + path-selection load-balance LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + profile DEFAULT-AVT-POLICY-DEFAULT + path-selection load-balance LB-DEFAULT-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-VIDEO + path-selection load-balance LB-DEFAULT-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-DEFAULT + path-selection load-balance LB-PROD-AVT-POLICY-DEFAULT + ! + profile PROD-AVT-POLICY-VIDEO + path-selection load-balance LB-PROD-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-VOICE + path-selection load-balance LB-PROD-AVT-POLICY-VOICE + ! + vrf default + avt policy DEFAULT-AVT-POLICY-WITH-CP + avt profile DEFAULT-AVT-POLICY-DEFAULT id 1 + avt profile DEFAULT-AVT-POLICY-VIDEO id 3 + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE id 254 + ! 
+ vrf PROD + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 101 + ipsec profile CP-PROFILE + ! + local interface Ethernet1 + stun server-profile INET-cv-pathfinder-pathfinder-Ethernet1 INET-cv-pathfinder-pathfinder-Ethernet3 + ! + peer dynamic + ! + peer static router-ip 192.168.144.1 + name cv-pathfinder-pathfinder + ipv4 address 172.17.7.7 + ipv4 address 10.9.9.9 + ! + load-balance policy LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-VIDEO + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-VIDEO + loss-rate 42.0 + path-group INET priority 2 + ! + load-balance policy LB-PROD-AVT-POLICY-VOICE + jitter 42 + hop count lowest + path-group INET priority 2 +! +spanning-tree mode none +! +vrf instance MGMT +! +vrf instance PROD +! +vrf instance VRF-NO-WAN +! +vrf instance VRF-NO-WAN-NO-AF +! +vrf instance WAN-VRF-NO-AF +! +management api http-commands + protocol https + no shutdown + ! + vrf MGMT + no shutdown +! +management security + ! + ssl profile profileA + tls versions 1.2 + trust certificate aristaDeviceCertProvisionerDefaultRootCA.crt + certificate profileA.crt key profileA.key +! +ip security + ike policy CP-IKE-POLICY + local-id 192.168.142.14 + ! + sa policy CP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! + sa policy DP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! 
+ profile CP-PROFILE + ike-policy CP-IKE-POLICY + sa-policy CP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890 + dpd 10 50 clear + mode transport + ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! + key controller + profile DP-PROFILE +! +interface Dps1 + description DPS Interface + mtu 9194 + flow tracker hardware FLOW-TRACKER + ip address 192.168.142.14/32 +! +interface Ethernet1 + description ATT_666 + no shutdown + no switchport + ip address dhcp + dhcp client accept default-route +! +interface Ethernet52 + description P2P_leaf-wan-use-evpn-on-lan_Ethernet2 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.27/31 +! +interface Loopback0 + description ROUTER_ID + no shutdown + ip address 192.168.42.14/32 +! +interface Vxlan1 + description cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_VTEP + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf default vni 1 + vxlan vrf PROD vni 42 + vxlan vrf VRF-NO-WAN vni 300 + vxlan vrf WAN-VRF-NO-AF vni 200 +! +application traffic recognition + ! + application ipv4 APP-CONTROL-PLANE + destination prefix field-set PFX-PATHFINDERS + ! + application ipv4 CUSTOM-APPLICATION-1 + source prefix field-set CUSTOM-SRC-PREFIX-1 + destination prefix field-set CUSTOM-DEST-PREFIX-1 + protocol tcp + ! + application ipv4 CUSTOM-APPLICATION-2 + protocol tcp source port field-set TCP-SRC-2 destination port field-set TCP-DEST-2 + ! + application ipv4 CUSTOM-DSCP-APPLICATION + dscp ef 12-14 cs6 42 + ! + category VIDEO1 + application CUSTOM-APPLICATION-2 + application CUSTOM-DSCP-APPLICATION + application microsoft-teams + ! + application-profile APP-PROFILE-CONTROL-PLANE + application APP-CONTROL-PLANE + ! + application-profile VIDEO + application CUSTOM-APPLICATION-1 + application skype + application rtp transport + category VIDEO1 + ! + application-profile VOICE + application CUSTOM-VOICE-APPLICATION + ! 
+ field-set ipv4 prefix CUSTOM-DEST-PREFIX-1 + 6.6.6.0/24 + ! + field-set ipv4 prefix CUSTOM-SRC-PREFIX-1 + 42.42.42.0/24 + ! + field-set ipv4 prefix PFX-PATHFINDERS + 192.168.144.1/32 + ! + field-set l4-port TCP-DEST-2 + 666, 777 + ! + field-set l4-port TCP-SRC-2 + 42 +! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +ip routing vrf VRF-NO-WAN +ip routing vrf VRF-NO-WAN-NO-AF +ip routing vrf WAN-VRF-NO-AF +! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.14:12 +! +ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY + seq 10 permit 192.168.42.0/24 eq 32 +! +route-map RM-BGP-UNDERLAY-PEERS-IN permit 40 + description Mark prefixes originated from the LAN + set extcommunity soo 192.168.42.14:12 additive +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.42.14:12 additive +! +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN deny 10 + match extcommunity ECL-EVPN-SOO +! +route-map RM-EVPN-SOO-IN permit 20 +! +route-map RM-EVPN-SOO-OUT permit 10 + set extcommunity soo 192.168.42.14:12 additive +! +router bfd + multihop interval 300 min-rx 300 multiplier 3 +! 
+router bgp 65000 + router-id 192.168.42.14 + update wait-install + no bgp default ipv4-unicast + maximum-paths 16 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 1000 min-rx 1000 multiplier 10 + neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1 + neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ== + neighbor WAN-OVERLAY-PEERS send-community + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 172.18.0.26 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.26 remote-as 65042 + neighbor 172.18.0.26 description leaf-wan-use-evpn-on-lan_Ethernet2 + neighbor 192.168.144.1 peer group WAN-OVERLAY-PEERS + neighbor 192.168.144.1 description cv-pathfinder-pathfinder_Dps1 + redistribute connected route-map RM-CONN-2-BGP + ! + address-family evpn + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + no neighbor WAN-OVERLAY-PEERS activate + ! + address-family ipv4 sr-te + neighbor WAN-OVERLAY-PEERS activate + ! + address-family link-state + neighbor WAN-OVERLAY-PEERS activate + path-selection + ! + address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! + vrf default + rd 192.168.42.14:1 + route-target import evpn 1:1 + route-target export evpn 1:1 + route-target export evpn route-map RM-EVPN-EXPORT-VRF-DEFAULT + ! 
+ vrf PROD + rd 192.168.42.14:142 + route-target import evpn 142:142 + route-target export evpn 142:142 + router-id 192.168.42.14 + redistribute connected + ! + vrf WAN-VRF-NO-AF + rd 192.168.42.14:200 + route-target import evpn 200:200 + route-target export evpn 200:200 + router-id 192.168.42.14 + redistribute connected +! +router traffic-engineering +! +stun + client + server-profile INET-cv-pathfinder-pathfinder-Ethernet1 + ip address 172.17.7.7 + ssl profile profileA + server-profile INET-cv-pathfinder-pathfinder-Ethernet3 + ip address 10.9.9.9 + ssl profile profileA +! +end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg new file mode 100644 index 00000000000..6d8d264b2fe --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-wan-use-evpn-on-lan.cfg 
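Review bot: In cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.cfg, `vxlan vrf VRF-NO-WAN vni 300` is rendered under `interface Vxlan1`, but `router bgp 65000` has no `vrf VRF-NO-WAN` stanza (only default, PROD and WAN-VRF-NO-AF), so nothing in this file gives that VNI an RD or route-targets. The sibling cv-pathfinder-edge-wan-use-evpn-on-lan.cfg does carry the matching `vrf VRF-NO-WAN` with `rd 192.168.42.12:300`, which suggests the mapping here is a leftover of the LAN-overlay case rather than intended. If this node has no LAN overlay and the VRF is not carried over the WAN, I would expect the `vxlan vrf VRF-NO-WAN vni 300` line to be omitted. This file is generated output, so the condition to confirm lives in the generator, which this hunk does not show.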
@@ -0,0 +1,378 @@ +! +no enable password +no aaa root +! +agent KernelFib environment KERNELFIB_PROGRAM_ALL_ECMP=1 +! +flow tracking hardware + tracker FLOW-TRACKER + record export on inactive timeout 70000 + record export on interval 300000 + exporter CV-TELEMETRY + collector 127.0.0.1 + local interface Loopback0 + template interval 3600000 + no shutdown +! +service routing protocols model multi-agent +! +hostname cv-pathfinder-edge-wan-use-evpn-on-lan +! +router adaptive-virtual-topology + topology role edge + region AVD_Land_West id 42 + zone AVD_Land_West-ZONE id 1 + site Site12 id 12 + ! + policy DEFAULT-AVT-POLICY-WITH-CP + ! + match application-profile APP-PROFILE-CONTROL-PLANE + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + match application-profile VIDEO + avt profile DEFAULT-AVT-POLICY-VIDEO + ! + match application-profile default + avt profile DEFAULT-AVT-POLICY-DEFAULT + ! + policy PROD-AVT-POLICY + ! + match application-profile VOICE + avt profile PROD-AVT-POLICY-VOICE + ! + match application-profile VIDEO + avt profile PROD-AVT-POLICY-VIDEO + ! + match application-profile default + avt profile PROD-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-CONTROL-PLANE + path-selection load-balance LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + ! + profile DEFAULT-AVT-POLICY-DEFAULT + path-selection load-balance LB-DEFAULT-AVT-POLICY-DEFAULT + ! + profile DEFAULT-AVT-POLICY-VIDEO + path-selection load-balance LB-DEFAULT-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-DEFAULT + path-selection load-balance LB-PROD-AVT-POLICY-DEFAULT + ! + profile PROD-AVT-POLICY-VIDEO + path-selection load-balance LB-PROD-AVT-POLICY-VIDEO + ! + profile PROD-AVT-POLICY-VOICE + path-selection load-balance LB-PROD-AVT-POLICY-VOICE + ! + vrf default + avt policy DEFAULT-AVT-POLICY-WITH-CP + avt profile DEFAULT-AVT-POLICY-DEFAULT id 1 + avt profile DEFAULT-AVT-POLICY-VIDEO id 3 + avt profile DEFAULT-AVT-POLICY-CONTROL-PLANE id 254 + ! 
+ vrf PROD + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 +! +router path-selection + tcp mss ceiling ipv4 ingress + ! + path-group INET id 101 + ipsec profile CP-PROFILE + ! + local interface Ethernet1 + stun server-profile INET-cv-pathfinder-pathfinder-Ethernet1 INET-cv-pathfinder-pathfinder-Ethernet3 + ! + peer dynamic + ! + peer static router-ip 192.168.144.1 + name cv-pathfinder-pathfinder + ipv4 address 172.17.7.7 + ipv4 address 10.9.9.9 + ! + load-balance policy LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-DEFAULT-AVT-POLICY-VIDEO + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-DEFAULT + path-group INET + ! + load-balance policy LB-PROD-AVT-POLICY-VIDEO + loss-rate 42.0 + path-group INET priority 2 + ! + load-balance policy LB-PROD-AVT-POLICY-VOICE + jitter 42 + hop count lowest + path-group INET priority 2 +! +spanning-tree mode none +! +vrf instance MGMT +! +vrf instance PROD +! +vrf instance VRF-NO-WAN +! +vrf instance VRF-NO-WAN-NO-AF +! +vrf instance WAN-VRF-NO-AF +! +management api http-commands + protocol https + no shutdown + ! + vrf MGMT + no shutdown +! +management security + ! + ssl profile profileA + tls versions 1.2 + trust certificate aristaDeviceCertProvisionerDefaultRootCA.crt + certificate profileA.crt key profileA.key +! +ip security + ike policy CP-IKE-POLICY + local-id 192.168.142.12 + ! + sa policy CP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! + sa policy DP-SA-POLICY + esp encryption aes256gcm128 + pfs dh-group 14 + ! 
+ profile CP-PROFILE + ike-policy CP-IKE-POLICY + sa-policy CP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890 + dpd 10 50 clear + mode transport + ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! + key controller + profile DP-PROFILE +! +interface Dps1 + description DPS Interface + mtu 9194 + flow tracker hardware FLOW-TRACKER + ip address 192.168.142.12/32 +! +interface Ethernet1 + description ATT_666 + no shutdown + no switchport + ip address dhcp + dhcp client accept default-route +! +interface Ethernet52 + description P2P_leaf-wan-use-evpn-on-lan_Ethernet1 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.23/31 +! +interface Loopback0 + description ROUTER_ID + no shutdown + ip address 192.168.42.12/32 +! +interface Vxlan1 + description cv-pathfinder-edge-wan-use-evpn-on-lan_VTEP + vxlan source-interface Dps1 + vxlan udp-port 4789 + vxlan vrf default vni 1 + vxlan vrf PROD vni 42 + vxlan vrf VRF-NO-WAN vni 300 + vxlan vrf WAN-VRF-NO-AF vni 200 +! +application traffic recognition + ! + application ipv4 APP-CONTROL-PLANE + destination prefix field-set PFX-PATHFINDERS + ! + application ipv4 CUSTOM-APPLICATION-1 + source prefix field-set CUSTOM-SRC-PREFIX-1 + destination prefix field-set CUSTOM-DEST-PREFIX-1 + protocol tcp + ! + application ipv4 CUSTOM-APPLICATION-2 + protocol tcp source port field-set TCP-SRC-2 destination port field-set TCP-DEST-2 + ! + application ipv4 CUSTOM-DSCP-APPLICATION + dscp ef 12-14 cs6 42 + ! + category VIDEO1 + application CUSTOM-APPLICATION-2 + application CUSTOM-DSCP-APPLICATION + application microsoft-teams + ! + application-profile APP-PROFILE-CONTROL-PLANE + application APP-CONTROL-PLANE + ! + application-profile VIDEO + application CUSTOM-APPLICATION-1 + application skype + application rtp transport + category VIDEO1 + ! + application-profile VOICE + application CUSTOM-VOICE-APPLICATION + ! 
+ field-set ipv4 prefix CUSTOM-DEST-PREFIX-1 + 6.6.6.0/24 + ! + field-set ipv4 prefix CUSTOM-SRC-PREFIX-1 + 42.42.42.0/24 + ! + field-set ipv4 prefix PFX-PATHFINDERS + 192.168.144.1/32 + ! + field-set l4-port TCP-DEST-2 + 666, 777 + ! + field-set l4-port TCP-SRC-2 + 42 +! +ip routing +no ip routing vrf MGMT +ip routing vrf PROD +ip routing vrf VRF-NO-WAN +ip routing vrf VRF-NO-WAN-NO-AF +ip routing vrf WAN-VRF-NO-AF +! +ip extcommunity-list ECL-EVPN-SOO permit soo 192.168.42.12:12 +! +ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY + seq 10 permit 192.168.42.0/24 eq 32 +! +route-map RM-BGP-UNDERLAY-PEERS-IN permit 40 + description Mark prefixes originated from the LAN + set extcommunity soo 192.168.42.12:12 additive +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set extcommunity soo 192.168.42.12:12 additive +! +route-map RM-EVPN-EXPORT-VRF-DEFAULT permit 10 + match extcommunity ECL-EVPN-SOO +! +router bfd + multihop interval 300 min-rx 300 multiplier 3 +! 
+router bgp 65000 + router-id 192.168.42.12 + update wait-install + no bgp default ipv4-unicast + maximum-paths 16 + neighbor EVPN-OVERLAY-PEERS peer group + neighbor EVPN-OVERLAY-PEERS update-source Loopback0 + neighbor EVPN-OVERLAY-PEERS bfd + neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3 + neighbor EVPN-OVERLAY-PEERS send-community + neighbor EVPN-OVERLAY-PEERS maximum-routes 0 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS route-map RM-BGP-UNDERLAY-PEERS-IN in + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor WAN-OVERLAY-PEERS peer group + neighbor WAN-OVERLAY-PEERS remote-as 65000 + neighbor WAN-OVERLAY-PEERS update-source Dps1 + neighbor WAN-OVERLAY-PEERS bfd + neighbor WAN-OVERLAY-PEERS bfd interval 1000 min-rx 1000 multiplier 10 + neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1 + neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ== + neighbor WAN-OVERLAY-PEERS send-community + neighbor WAN-OVERLAY-PEERS maximum-routes 0 + neighbor 172.18.0.22 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.22 remote-as 65042 + neighbor 172.18.0.22 description leaf-wan-use-evpn-on-lan_Ethernet1 + neighbor 192.168.144.1 peer group WAN-OVERLAY-PEERS + neighbor 192.168.144.1 description cv-pathfinder-pathfinder_Dps1 + redistribute connected route-map RM-CONN-2-BGP + ! + address-family evpn + neighbor EVPN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS activate + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in + neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out + neighbor WAN-OVERLAY-PEERS encapsulation path-selection + ! + address-family ipv4 + neighbor IPv4-UNDERLAY-PEERS activate + no neighbor WAN-OVERLAY-PEERS activate + ! + address-family ipv4 sr-te + neighbor WAN-OVERLAY-PEERS activate + ! + address-family link-state + neighbor WAN-OVERLAY-PEERS activate + path-selection + ! 
+ address-family path-selection + bgp additional-paths receive + bgp additional-paths send any + neighbor WAN-OVERLAY-PEERS activate + ! + vrf default + rd 192.168.42.12:1 + route-target import evpn 1:1 + route-target export evpn 1:1 + route-target export evpn route-map RM-EVPN-EXPORT-VRF-DEFAULT + ! + vrf PROD + rd 192.168.42.12:142 + route-target import evpn 142:142 + route-target export evpn 142:142 + router-id 192.168.42.12 + redistribute connected + ! + vrf VRF-NO-WAN + rd 192.168.42.12:300 + route-target import evpn 300:300 + route-target export evpn 300:300 + router-id 192.168.42.12 + redistribute connected + ! + vrf WAN-VRF-NO-AF + rd 192.168.42.12:200 + route-target import evpn 200:200 + route-target export evpn 200:200 + router-id 192.168.42.12 + redistribute connected +! +router traffic-engineering +! +stun + client + server-profile INET-cv-pathfinder-pathfinder-Ethernet1 + ip address 172.17.7.7 + ssl profile profileA + server-profile INET-cv-pathfinder-pathfinder-Ethernet3 + ip address 10.9.9.9 + ssl profile profileA +! +end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg index a010e84d82f..b38ece45826 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg @@ -123,6 +123,13 @@ router adaptive-virtual-topology avt policy TRANSIT-AVT-POLICY avt profile TRANSIT-AVT-POLICY-DEFAULT id 1 avt profile CUSTOM-VOICE-PROFILE-NAME id 42 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + avt profile PROD-AVT-POLICY-MPLS-ONLY id 5 ! router path-selection peer dynamic source stun 
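Review bot: In cv-pathfinder-edge-wan-use-evpn-on-lan.cfg, `address-family evpn` applies `neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-IN in` and `neighbor WAN-OVERLAY-PEERS route-map RM-EVPN-SOO-OUT out`, but the file defines only RM-BGP-UNDERLAY-PEERS-IN, RM-CONN-2-BGP and RM-EVPN-EXPORT-VRF-DEFAULT. The sibling no-overlay-on-lan fixture does render `route-map RM-EVPN-SOO-IN deny 10` (matching ECL-EVPN-SOO), `route-map RM-EVPN-SOO-IN permit 20` and `route-map RM-EVPN-SOO-OUT permit 10`, so these stanzas are presumably being dropped when the LAN EVPN overlay is enabled. As pinned here, the site-of-origin filter toward the pathfinder is not in effect. What the peer then accepts and advertises depends on how EOS treats an undefined route-map, and no `bgp missing-policy` is set in this config. I would expect the three `RM-EVPN-SOO-*` stanzas to be rendered in this expected output as well, with the fix made in the generator (outside this hunk) rather than in the fixture.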
@@ -286,6 +293,7 @@ interface Vxlan1 vxlan vrf IT vni 100 vxlan vrf PROD vni 42 vxlan vrf TRANSIT vni 66 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg index a722345ab23..00ec610112f 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg @@ -123,6 +123,13 @@ router adaptive-virtual-topology avt policy TRANSIT-AVT-POLICY avt profile TRANSIT-AVT-POLICY-DEFAULT id 1 avt profile CUSTOM-VOICE-PROFILE-NAME id 42 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + avt profile PROD-AVT-POLICY-MPLS-ONLY id 5 ! router path-selection peer dynamic source stun @@ -277,6 +284,7 @@ interface Vxlan1 vxlan vrf IT vni 100 vxlan vrf PROD vni 42 vxlan vrf TRANSIT vni 66 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg index f5cef9139e2..e77c6f227a2 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg 
@@ -123,6 +123,13 @@ router adaptive-virtual-topology avt policy TRANSIT-AVT-POLICY avt profile TRANSIT-AVT-POLICY-DEFAULT id 1 avt profile CUSTOM-VOICE-PROFILE-NAME id 42 + ! + vrf WAN-VRF-NO-AF + avt policy PROD-AVT-POLICY + avt profile PROD-AVT-POLICY-DEFAULT id 1 + avt profile PROD-AVT-POLICY-VOICE id 2 + avt profile PROD-AVT-POLICY-VIDEO id 4 + avt profile PROD-AVT-POLICY-MPLS-ONLY id 5 ! router path-selection peer dynamic source stun @@ -290,6 +297,7 @@ interface Vxlan1 vxlan vrf IT vni 100 vxlan vrf PROD vni 42 vxlan vrf TRANSIT vni 66 + vxlan vrf WAN-VRF-NO-AF vni 200 ! application traffic recognition ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg new file mode 100644 index 00000000000..c0ed5a58ee8 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/leaf-wan-use-evpn-on-lan.cfg 
@@ -0,0 +1,205 @@ +! +no enable password +no aaa root +! +vlan internal order ascending range 1006 1199 +! +transceiver qsfp default-mode 4x10G +! +service routing protocols model multi-agent +! +hostname leaf-wan-use-evpn-on-lan +! +vlan 100 + name VLAN100 +! +vlan 101 + name VLAN101 +! +vlan 666 + name VLAN666 +! +vlan 1000 + name VLAN1000 +! +vrf instance ATTRACTED-VRF-FROM-UPLINK +! +vrf instance IT +! +vrf instance MGMT +! +vrf instance PROD +! +vrf instance VRF-NO-WAN +! +vrf instance VRF-NO-WAN-NO-AF +! +vrf instance WAN-VRF-NO-AF +! +management api http-commands + protocol https + no shutdown + ! + vrf MGMT + no shutdown +! +interface Ethernet1 + description P2P_cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.22/31 +! +interface Ethernet2 + description P2P_cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 + no shutdown + mtu 9214 + no switchport + ip address 172.18.0.26/31 +! +interface Loopback0 + description ROUTER_ID + no shutdown + ip address 192.168.45.13/32 +! +interface Loopback1 + description VXLAN_TUNNEL_SOURCE + no shutdown + ip address 192.168.255.13/32 +! +interface Vlan100 + description VLAN100 + shutdown + vrf PROD + ip address virtual 10.0.100.1/24 +! +interface Vlan666 + description VLAN666 + shutdown + vrf ATTRACTED-VRF-FROM-UPLINK + ip address virtual 10.66.66.66/24 +! +interface Vlan1000 + description VLAN1000 + shutdown + vrf IT + ip address virtual 10.0.100.1/24 +! +interface Vxlan1 + description leaf-wan-use-evpn-on-lan_VTEP + vxlan source-interface Loopback1 + vxlan udp-port 4789 + vxlan vlan 100 vni 1100 + vxlan vlan 101 vni 1101 + vxlan vlan 666 vni 1666 + vxlan vlan 1000 vni 2000 + vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 + vxlan vrf default vni 1 + vxlan vrf IT vni 1000 + vxlan vrf PROD vni 142 + vxlan vrf VRF-NO-WAN vni 300 +! +ip virtual-router mac-address 00:1c:73:00:00:01 +! 
+ip routing +ip routing vrf ATTRACTED-VRF-FROM-UPLINK +ip routing vrf IT +no ip routing vrf MGMT +ip routing vrf PROD +ip routing vrf VRF-NO-WAN +ip routing vrf VRF-NO-WAN-NO-AF +ip routing vrf WAN-VRF-NO-AF +! +ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY + seq 10 permit 192.168.45.0/24 eq 32 + seq 20 permit 192.168.255.0/24 eq 32 +! +route-map RM-CONN-2-BGP permit 10 + match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +! +router bfd + multihop interval 300 min-rx 300 multiplier 3 +! +router bgp 65042 + router-id 192.168.45.13 + update wait-install + no bgp default ipv4-unicast + maximum-paths 4 ecmp 4 + neighbor EVPN-OVERLAY-PEERS peer group + neighbor EVPN-OVERLAY-PEERS update-source Loopback0 + neighbor EVPN-OVERLAY-PEERS bfd + neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3 + neighbor EVPN-OVERLAY-PEERS send-community + neighbor EVPN-OVERLAY-PEERS maximum-routes 0 + neighbor IPv4-UNDERLAY-PEERS peer group + neighbor IPv4-UNDERLAY-PEERS send-community + neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000 + neighbor 172.18.0.23 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.23 remote-as 65000 + neighbor 172.18.0.23 description cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + neighbor 172.18.0.27 peer group IPv4-UNDERLAY-PEERS + neighbor 172.18.0.27 remote-as 65000 + neighbor 172.18.0.27 description cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 + redistribute connected route-map RM-CONN-2-BGP + ! + vlan 100 + rd 192.168.45.13:1100 + route-target both 1100:1100 + redistribute learned + ! + vlan 101 + rd 192.168.45.13:1101 + route-target both 1101:1101 + redistribute learned + ! + vlan 666 + rd 192.168.45.13:1666 + route-target both 1666:1666 + redistribute learned + ! + vlan 1000 + rd 192.168.45.13:2000 + route-target both 2000:2000 + redistribute learned + ! + address-family evpn + neighbor EVPN-OVERLAY-PEERS activate + ! + address-family ipv4 + no neighbor EVPN-OVERLAY-PEERS activate + neighbor IPv4-UNDERLAY-PEERS activate + ! 
+ vrf ATTRACTED-VRF-FROM-UPLINK + rd 192.168.45.13:666 + route-target import evpn 666:666 + route-target export evpn 666:666 + router-id 192.168.45.13 + redistribute connected + ! + vrf default + rd 192.168.45.13:1 + route-target import evpn 1:1 + route-target export evpn 1:1 + ! + vrf IT + rd 192.168.45.13:1000 + route-target import evpn 1000:1000 + route-target export evpn 1000:1000 + router-id 192.168.45.13 + redistribute connected + ! + vrf PROD + rd 192.168.45.13:142 + route-target import evpn 142:142 + route-target export evpn 142:142 + router-id 192.168.45.13 + redistribute connected + ! + vrf VRF-NO-WAN + rd 192.168.45.13:300 + route-target import evpn 300:300 + route-target export evpn 300:300 + router-id 192.168.45.13 + redistribute connected +! +end diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg index 490539ef7b3..6d86b26c54c 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-disabled-leaf.cfg @@ -19,6 +19,9 @@ vlan 101 vlan 666 name VLAN666 ! +vlan 1000 + name VLAN1000 +! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -119,6 +122,12 @@ interface Vlan666 ip address 10.66.66.1 ip address virtual 10.66.66.66/24 ! +interface Vlan1000 + description VLAN1000 + shutdown + vrf IT + ip address virtual 10.0.100.1/24 +! interface Vxlan1 description site-ha-disabled-leaf_VTEP vxlan source-interface Loopback1 @@ -126,6 +135,7 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 + vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 
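Review bot: The `router bgp 65042` block in the new leaf-wan-use-evpn-on-lan.cfg defines `neighbor EVPN-OVERLAY-PEERS peer group` and activates it under `address-family evpn`, but no neighbor is ever placed in that group. The only two neighbors, 172.18.0.23 and 172.18.0.27, are members of `IPv4-UNDERLAY-PEERS`. For a fixture with this name, the expected output therefore pins no EVPN session toward the edge router, so a regression in the LAN overlay peering would not show up as a diff here. If the leaf is meant to peer EVPN with cv-pathfinder-edge-wan-use-evpn-on-lan, the inventory probably needs to produce a line such as `neighbor <edge-loopback-placeholder> peer group EVPN-OVERLAY-PEERS`. If the omission is deliberate, a comment in the leaf's host vars saying so would make that clear.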
@@ -186,6 +196,11 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! + vlan 1000 + rd 192.168.45.4:2000 + route-target both 2000:2000 + redistribute learned + ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg index ba119b221cb..82ba5c1e551 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf1.cfg @@ -19,6 +19,9 @@ vlan 101 vlan 666 name VLAN666 ! +vlan 1000 + name VLAN1000 +! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -118,6 +121,12 @@ interface Vlan666 vrf ATTRACTED-VRF-FROM-UPLINK ip address virtual 10.66.66.66/24 ! +interface Vlan1000 + description VLAN1000 + shutdown + vrf IT + ip address virtual 10.0.100.1/24 +! interface Vxlan1 description site-ha-enabled-leaf1_VTEP vxlan source-interface Loopback1 @@ -125,6 +134,7 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 + vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -185,6 +195,11 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! + vlan 1000 + rd 192.168.45.1:2000 + route-target both 2000:2000 + redistribute learned + ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg index 6c5caa1e8f8..fb107287979 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2A.cfg @@ -19,6 +19,9 @@ vlan 101 vlan 666 name VLAN666 ! +vlan 1000 + name VLAN1000 +! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT @@ -118,6 +121,12 @@ interface Vlan666 vrf ATTRACTED-VRF-FROM-UPLINK ip address virtual 10.66.66.66/24 ! +interface Vlan1000 + description VLAN1000 + shutdown + vrf IT + ip address virtual 10.0.100.1/24 +! interface Vxlan1 description site-ha-enabled-leaf2A_VTEP vxlan source-interface Loopback1 @@ -125,6 +134,7 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 + vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -185,6 +195,11 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! + vlan 1000 + rd 192.168.45.2:2000 + route-target both 2000:2000 + redistribute learned + ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg index 919dcdc700b..83b92a16dad 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/site-ha-enabled-leaf2B.cfg @@ -19,6 +19,9 @@ vlan 101 vlan 666 name VLAN666 ! +vlan 1000 + name VLAN1000 +! vrf instance ATTRACTED-VRF-FROM-UPLINK ! vrf instance IT 
@@ -118,6 +121,12 @@ interface Vlan666 vrf ATTRACTED-VRF-FROM-UPLINK ip address virtual 10.66.66.66/24 ! +interface Vlan1000 + description VLAN1000 + shutdown + vrf IT + ip address virtual 10.0.100.1/24 +! interface Vxlan1 description site-ha-enabled-leaf2B_VTEP vxlan source-interface Loopback1 @@ -125,6 +134,7 @@ interface Vxlan1 vxlan vlan 100 vni 1100 vxlan vlan 101 vni 1101 vxlan vlan 666 vni 1666 + vxlan vlan 1000 vni 2000 vxlan vrf ATTRACTED-VRF-FROM-UPLINK vni 666 vxlan vrf default vni 1 vxlan vrf IT vni 1000 @@ -185,6 +195,11 @@ router bgp 65199 route-target both 1666:1666 redistribute learned ! + vlan 1000 + rd 192.168.45.3:2000 + route-target both 2000:2000 + redistribute learned + ! address-family evpn neighbor EVPN-OVERLAY-PEERS activate ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml index ed8e46e9298..e5b5e4441fa 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml @@ -224,6 +224,21 @@ router_bgp: redistribute: connected: enabled: true + - name: WAN-VRF-NO-AF + rd: 192.168.30.1:200 + route_targets: + import: + - address_family: evpn + route_targets: + - 200:200 + export: + - address_family: evpn + route_targets: + - 200:200 + router_id: 192.168.30.1 + redistribute: + connected: + enabled: true router_path_selection: path_groups: - name: INET @@ -297,6 +312,8 @@ router_path_selection: path_selection_policy: DEFAULT-AUTOVPN-POLICY-WITH-CP - name: PROD path_selection_policy: PROD-AUTOVPN-POLICY + - name: WAN-VRF-NO-AF + path_selection_policy: PROD-AUTOVPN-POLICY tcp_mss_ceiling: ipv4_segment_size: auto service_routing_protocols_model: multi-agent 
@@ -319,6 +336,9 @@ vrfs: - name: PROD ip_routing: true tenant: TenantA +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantA vxlan_interface: vxlan1: description: autovpn-edge_VTEP @@ -330,3 +350,5 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml index 31829f301a8..52a092d8e9a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml @@ -173,10 +173,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: @@ -271,6 +271,8 @@ router_path_selection: path_selection_policy: DEFAULT-AUTOVPN-POLICY-WITH-CP - name: PROD path_selection_policy: PROD-AUTOVPN-POLICY + - name: WAN-VRF-NO-AF + path_selection_policy: PROD-AUTOVPN-POLICY tcp_mss_ceiling: ipv4_segment_size: auto service_routing_protocols_model: multi-agent @@ -295,3 +297,5 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml index 02eeb47fa29..1e3112d0a98 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml 
@@ -172,10 +172,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: @@ -270,6 +270,8 @@ router_path_selection: path_selection_policy: DEFAULT-AUTOVPN-POLICY-WITH-CP - name: PROD path_selection_policy: PROD-AUTOVPN-POLICY + - name: WAN-VRF-NO-AF + path_selection_policy: PROD-AUTOVPN-POLICY tcp_mss_ceiling: ipv4_segment_size: auto service_routing_protocols_model: multi-agent @@ -297,3 +299,5 @@ vxlan_interface: vni: 1 - name: PROD vni: 42 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml index 1260da57436..8e2c48bacc3 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-custom-control-plane-policy-pathfinder-1.yml @@ -255,6 +255,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: @@ -510,10 +514,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml new file mode 100644 index 00000000000..37fc5e5ea20 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml 
@@ -0,0 +1,535 @@ +aaa_root: + disabled: true +agents: +- name: KernelFib + environment_variables: + - name: KERNELFIB_PROGRAM_ALL_ECMP + value: '1' +application_traffic_recognition: + categories: + - name: VIDEO1 + applications: + - name: CUSTOM-APPLICATION-2 + - name: CUSTOM-DSCP-APPLICATION + - name: microsoft-teams + field_sets: + l4_ports: + - name: TCP-SRC-2 + port_values: + - '42' + - name: TCP-DEST-2 + port_values: + - '666' + - '777' + ipv4_prefixes: + - name: CUSTOM-SRC-PREFIX-1 + prefix_values: + - 42.42.42.0/24 + - name: CUSTOM-DEST-PREFIX-1 + prefix_values: + - 6.6.6.0/24 + - name: PFX-PATHFINDERS + prefix_values: + - 192.168.144.1/32 + applications: + ipv4_applications: + - name: CUSTOM-APPLICATION-1 + src_prefix_set_name: CUSTOM-SRC-PREFIX-1 + dest_prefix_set_name: CUSTOM-DEST-PREFIX-1 + protocols: + - tcp + - name: CUSTOM-APPLICATION-2 + protocols: + - tcp + tcp_src_port_set_name: TCP-SRC-2 + tcp_dest_port_set_name: TCP-DEST-2 + - name: CUSTOM-DSCP-APPLICATION + dscp_ranges: + - ef + - 12-14 + - cs6 + - '42' + - name: APP-CONTROL-PLANE + dest_prefix_set_name: PFX-PATHFINDERS + application_profiles: + - name: VIDEO + applications: + - name: CUSTOM-APPLICATION-1 + - name: skype + application_transports: + - rtp + categories: + - name: VIDEO1 + - name: VOICE + applications: + - name: CUSTOM-VOICE-APPLICATION + - name: APP-PROFILE-CONTROL-PLANE + applications: + - name: APP-CONTROL-PLANE +config_end: true +dps_interfaces: +- name: Dps1 + description: DPS Interface + mtu: 9194 + ip_address: 192.168.142.14/32 + flow_tracker: + hardware: FLOW-TRACKER +enable_password: + disabled: true +ethernet_interfaces: +- name: Ethernet52 + description: P2P_leaf-wan-use-evpn-on-lan_Ethernet2 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.27/31 + peer: leaf-wan-use-evpn-on-lan + peer_interface: Ethernet2 + peer_type: l3leaf + switchport: + enabled: false +- name: Ethernet1 + description: ATT_666 + shutdown: false + ip_address: dhcp + 
dhcp_client_accept_default_route: true + peer_type: l3_interface + switchport: + enabled: false +flow_tracking: + hardware: + trackers: + - name: FLOW-TRACKER + record_export: + on_inactive_timeout: 70000 + on_interval: 300000 + exporters: + - name: CV-TELEMETRY + collector: + host: 127.0.0.1 + local_interface: Loopback0 + template_interval: 3600000 + shutdown: false +hostname: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.42.14:12 +ip_routing: true +ip_security: + ike_policies: + - name: CP-IKE-POLICY + local_id: 192.168.142.14 + sa_policies: + - name: DP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + - name: CP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + profiles: + - name: DP-PROFILE + sa_policy: DP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890666 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + - name: CP-PROFILE + ike_policy: CP-IKE-POLICY + sa_policy: CP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + key_controller: + profile: DP-PROFILE +is_deployed: true +loopback_interfaces: +- name: Loopback0 + description: ROUTER_ID + shutdown: false + ip_address: 192.168.42.14/32 +management_api_http: + enable_https: true + enable_vrfs: + - name: MGMT +management_security: + ssl_profiles: + - name: profileA + tls_versions: '1.2' + trust_certificate: + certificates: + - aristaDeviceCertProvisionerDefaultRootCA.crt + certificate: + file: profileA.crt + key: profileA.key +metadata: + fabric_name: EOS_DESIGNS_UNIT_TESTS + cv_tags: + device_tags: + - name: Role + value: edge + - name: Region + value: AVD_Land_West + - name: Zone + value: AVD_Land_West-ZONE + - name: Site + value: Site12 + interface_tags: + - interface: Ethernet52 + tags: + - name: Type + value: lan + - interface: Ethernet1 + tags: + - name: 
Type + value: wan + - name: Carrier + value: ATT + - name: Circuit + value: '666' + cv_pathfinder: + role: edge + region: AVD_Land_West + zone: AVD_Land_West-ZONE + site: Site12 + vtep_ip: 192.168.142.14 + ssl_profile: profileA + pathfinders: + - vtep_ip: 192.168.144.1 + interfaces: + - name: Ethernet1 + carrier: ATT + circuit_id: '666' + pathgroup: INET +prefix_lists: +- name: PL-LOOPBACKS-EVPN-OVERLAY + sequence_numbers: + - sequence: 10 + action: permit 192.168.42.0/24 eq 32 +route_maps: +- name: RM-CONN-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.42.14:12 additive +- name: RM-BGP-UNDERLAY-PEERS-IN + sequence_numbers: + - sequence: 40 + type: permit + description: Mark prefixes originated from the LAN + set: + - extcommunity soo 192.168.42.14:12 additive +- name: RM-EVPN-SOO-IN + sequence_numbers: + - sequence: 10 + type: deny + match: + - extcommunity ECL-EVPN-SOO + - sequence: 20 + type: permit +- name: RM-EVPN-SOO-OUT + sequence_numbers: + - sequence: 10 + type: permit + set: + - extcommunity soo 192.168.42.14:12 additive +- name: RM-EVPN-EXPORT-VRF-DEFAULT + sequence_numbers: + - sequence: 10 + type: permit + match: + - extcommunity ECL-EVPN-SOO +router_adaptive_virtual_topology: + topology_role: edge + region: + name: AVD_Land_West + id: 42 + zone: + name: AVD_Land_West-ZONE + id: 1 + site: + name: Site12 + id: 12 + profiles: + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + load_balance_policy: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + - name: DEFAULT-AVT-POLICY-VIDEO + load_balance_policy: LB-DEFAULT-AVT-POLICY-VIDEO + - name: DEFAULT-AVT-POLICY-DEFAULT + load_balance_policy: LB-DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY-VOICE + load_balance_policy: LB-PROD-AVT-POLICY-VOICE + - name: PROD-AVT-POLICY-VIDEO + load_balance_policy: LB-PROD-AVT-POLICY-VIDEO + - name: PROD-AVT-POLICY-DEFAULT + load_balance_policy: LB-PROD-AVT-POLICY-DEFAULT + 
policies: + - name: DEFAULT-AVT-POLICY-WITH-CP + matches: + - application_profile: APP-PROFILE-CONTROL-PLANE + avt_profile: DEFAULT-AVT-POLICY-CONTROL-PLANE + - application_profile: VIDEO + avt_profile: DEFAULT-AVT-POLICY-VIDEO + - application_profile: default + avt_profile: DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY + matches: + - application_profile: VOICE + avt_profile: PROD-AVT-POLICY-VOICE + - application_profile: VIDEO + avt_profile: PROD-AVT-POLICY-VIDEO + - application_profile: default + avt_profile: PROD-AVT-POLICY-DEFAULT + vrfs: + - name: default + policy: DEFAULT-AVT-POLICY-WITH-CP + profiles: + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + id: 254 + - name: DEFAULT-AVT-POLICY-VIDEO + id: 3 + - name: DEFAULT-AVT-POLICY-DEFAULT + id: 1 + - name: PROD + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 +router_bfd: + multihop: + interval: 300 + min_rx: 300 + multiplier: 3 +router_bgp: + as: '65000' + router_id: 192.168.42.14 + maximum_paths: + paths: 16 + updates: + wait_install: true + bgp: + default: + ipv4_unicast: false + peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + send_community: all + maximum_routes: 12000 + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + - name: WAN-OVERLAY-PEERS + type: wan + remote_as: '65000' + update_source: Dps1 + bfd: true + bfd_timers: + interval: 1000 + min_rx: 1000 + multiplier: 10 + password: htm4AZe9mIQOO1uiMuGgYQ== + send_community: all + maximum_routes: 0 + ttl_maximum_hops: 1 + neighbors: + - ip_address: 172.18.0.26 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65042' + peer: leaf-wan-use-evpn-on-lan + description: leaf-wan-use-evpn-on-lan_Ethernet2 + - ip_address: 192.168.144.1 + peer_group: WAN-OVERLAY-PEERS + 
peer: cv-pathfinder-pathfinder + description: cv-pathfinder-pathfinder_Dps1 + redistribute: + connected: + enabled: true + route_map: RM-CONN-2-BGP + address_family_evpn: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT + encapsulation: path-selection + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: WAN-OVERLAY-PEERS + activate: false + address_family_ipv4_sr_te: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + address_family_link_state: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + path_selection: + roles: + producer: true + address_family_path_selection: + bgp: + additional_paths: + receive: true + send: any + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + vrfs: + - name: default + rd: 192.168.42.14:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - route-map RM-EVPN-EXPORT-VRF-DEFAULT + - name: PROD + rd: 192.168.42.14:142 + route_targets: + import: + - address_family: evpn + route_targets: + - 142:142 + export: + - address_family: evpn + route_targets: + - 142:142 + router_id: 192.168.42.14 + redistribute: + connected: + enabled: true + - name: WAN-VRF-NO-AF + rd: 192.168.42.14:200 + route_targets: + import: + - address_family: evpn + route_targets: + - 200:200 + export: + - address_family: evpn + route_targets: + - 200:200 + router_id: 192.168.42.14 + redistribute: + connected: + enabled: true +router_path_selection: + path_groups: + - name: INET + id: 101 + ipsec_profile: CP-PROFILE + local_interfaces: + - name: Ethernet1 + stun: + server_profiles: + - INET-cv-pathfinder-pathfinder-Ethernet1 + - INET-cv-pathfinder-pathfinder-Ethernet3 + dynamic_peers: + enabled: true + static_peers: + - router_ip: 192.168.144.1 + name: cv-pathfinder-pathfinder + ipv4_addresses: + - 172.17.7.7 + - 10.9.9.9 + 
load_balance_policies: + - name: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-VIDEO + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-DEFAULT + path_groups: + - name: INET + - name: LB-PROD-AVT-POLICY-VOICE + lowest_hop_count: true + jitter: 42 + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-VIDEO + loss_rate: '42.0' + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-DEFAULT + path_groups: + - name: INET + tcp_mss_ceiling: + ipv4_segment_size: auto +router_traffic_engineering: + enabled: true +service_routing_protocols_model: multi-agent +spanning_tree: + mode: none +stun: + client: + server_profiles: + - name: INET-cv-pathfinder-pathfinder-Ethernet1 + ip_address: 172.17.7.7 + ssl_profile: profileA + - name: INET-cv-pathfinder-pathfinder-Ethernet3 + ip_address: 10.9.9.9 + ssl_profile: profileA +transceiver_qsfp_default_mode_4x10: false +vrfs: +- name: MGMT + ip_routing: false +- name: PROD + ip_routing: true + tenant: TenantA +- name: VRF-NO-WAN + ip_routing: true + tenant: TenantD +- name: VRF-NO-WAN-NO-AF + ip_routing: true + tenant: TenantD +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantD +vxlan_interface: + vxlan1: + description: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_VTEP + vxlan: + source_interface: Dps1 + udp_port: 4789 + vrfs: + - name: default + vni: 1 + - name: PROD + vni: 42 + - name: VRF-NO-WAN + vni: 300 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml new file mode 100644 index 00000000000..3c2de65d653 --- /dev/null 
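Review bot: `vxlan_interface.vxlan1.vxlan.vrfs` maps `VRF-NO-WAN` to `vni: 300` on the Dps1-sourced VTEP, yet this file has no `router_bgp.vrfs` entry and no `router_adaptive_virtual_topology.vrfs` entry for that VRF, while `WAN-VRF-NO-AF` gets all three. A VNI mapping with no RD or route targets behind it looks inert at best. For a VRF whose name suggests it should stay off the WAN, it is worth confirming that the mapping is intended rather than a leftover of the VRF filtering. If it is not intended, the expected output should drop the `- name: VRF-NO-WAN` / `vni: 300` pair; if it is, a short comment in the test inventory would keep the segmentation intent clear. `VRF-NO-WAN-NO-AF` is listed under `vrfs` with no VNI at all, which is the behaviour I would have expected for both.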
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-wan-use-evpn-on-lan.yml 
@@ -0,0 +1,545 @@ +aaa_root: + disabled: true +agents: +- name: KernelFib + environment_variables: + - name: KERNELFIB_PROGRAM_ALL_ECMP + value: '1' +application_traffic_recognition: + categories: + - name: VIDEO1 + applications: + - name: CUSTOM-APPLICATION-2 + - name: CUSTOM-DSCP-APPLICATION + - name: microsoft-teams + field_sets: + l4_ports: + - name: TCP-SRC-2 + port_values: + - '42' + - name: TCP-DEST-2 + port_values: + - '666' + - '777' + ipv4_prefixes: + - name: CUSTOM-SRC-PREFIX-1 + prefix_values: + - 42.42.42.0/24 + - name: CUSTOM-DEST-PREFIX-1 + prefix_values: + - 6.6.6.0/24 + - name: PFX-PATHFINDERS + prefix_values: + - 192.168.144.1/32 + applications: + ipv4_applications: + - name: CUSTOM-APPLICATION-1 + src_prefix_set_name: CUSTOM-SRC-PREFIX-1 + dest_prefix_set_name: CUSTOM-DEST-PREFIX-1 + protocols: + - tcp + - name: CUSTOM-APPLICATION-2 + protocols: + - tcp + tcp_src_port_set_name: TCP-SRC-2 + tcp_dest_port_set_name: TCP-DEST-2 + - name: CUSTOM-DSCP-APPLICATION + dscp_ranges: + - ef + - 12-14 + - cs6 + - '42' + - name: APP-CONTROL-PLANE + dest_prefix_set_name: PFX-PATHFINDERS + application_profiles: + - name: VIDEO + applications: + - name: CUSTOM-APPLICATION-1 + - name: skype + application_transports: + - rtp + categories: + - name: VIDEO1 + - name: VOICE + applications: + - name: CUSTOM-VOICE-APPLICATION + - name: APP-PROFILE-CONTROL-PLANE + applications: + - name: APP-CONTROL-PLANE +config_end: true +dps_interfaces: +- name: Dps1 + description: DPS Interface + mtu: 9194 + ip_address: 192.168.142.12/32 + flow_tracker: + hardware: FLOW-TRACKER +enable_password: + disabled: true +ethernet_interfaces: +- name: Ethernet52 + description: P2P_leaf-wan-use-evpn-on-lan_Ethernet1 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.23/31 + peer: leaf-wan-use-evpn-on-lan + peer_interface: Ethernet1 + peer_type: l3leaf + switchport: + enabled: false +- name: Ethernet1 + description: ATT_666 + shutdown: false + ip_address: dhcp + 
dhcp_client_accept_default_route: true + peer_type: l3_interface + switchport: + enabled: false +flow_tracking: + hardware: + trackers: + - name: FLOW-TRACKER + record_export: + on_inactive_timeout: 70000 + on_interval: 300000 + exporters: + - name: CV-TELEMETRY + collector: + host: 127.0.0.1 + local_interface: Loopback0 + template_interval: 3600000 + shutdown: false +hostname: cv-pathfinder-edge-wan-use-evpn-on-lan +ip_extcommunity_lists: +- name: ECL-EVPN-SOO + entries: + - type: permit + extcommunities: soo 192.168.42.12:12 +ip_routing: true +ip_security: + ike_policies: + - name: CP-IKE-POLICY + local_id: 192.168.142.12 + sa_policies: + - name: DP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + - name: CP-SA-POLICY + esp: + encryption: aes256gcm128 + pfs_dh_group: 14 + profiles: + - name: DP-PROFILE + sa_policy: DP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890666 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + - name: CP-PROFILE + ike_policy: CP-IKE-POLICY + sa_policy: CP-SA-POLICY + connection: start + shared_key: ABCDEF1234567890 + dpd: + interval: 10 + time: 50 + action: clear + mode: transport + key_controller: + profile: DP-PROFILE +is_deployed: true +loopback_interfaces: +- name: Loopback0 + description: ROUTER_ID + shutdown: false + ip_address: 192.168.42.12/32 +management_api_http: + enable_https: true + enable_vrfs: + - name: MGMT +management_security: + ssl_profiles: + - name: profileA + tls_versions: '1.2' + trust_certificate: + certificates: + - aristaDeviceCertProvisionerDefaultRootCA.crt + certificate: + file: profileA.crt + key: profileA.key +metadata: + fabric_name: EOS_DESIGNS_UNIT_TESTS + cv_tags: + device_tags: + - name: Role + value: edge + - name: Region + value: AVD_Land_West + - name: Zone + value: AVD_Land_West-ZONE + - name: Site + value: Site12 + interface_tags: + - interface: Ethernet52 + tags: + - name: Type + value: lan + - interface: Ethernet1 + tags: + - name: Type + value: wan 
+ - name: Carrier + value: ATT + - name: Circuit + value: '666' + cv_pathfinder: + role: edge + region: AVD_Land_West + zone: AVD_Land_West-ZONE + site: Site12 + vtep_ip: 192.168.142.12 + ssl_profile: profileA + pathfinders: + - vtep_ip: 192.168.144.1 + interfaces: + - name: Ethernet1 + carrier: ATT + circuit_id: '666' + pathgroup: INET +prefix_lists: +- name: PL-LOOPBACKS-EVPN-OVERLAY + sequence_numbers: + - sequence: 10 + action: permit 192.168.42.0/24 eq 32 +route_maps: +- name: RM-CONN-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY + set: + - extcommunity soo 192.168.42.12:12 additive +- name: RM-BGP-UNDERLAY-PEERS-IN + sequence_numbers: + - sequence: 40 + type: permit + description: Mark prefixes originated from the LAN + set: + - extcommunity soo 192.168.42.12:12 additive +- name: RM-EVPN-EXPORT-VRF-DEFAULT + sequence_numbers: + - sequence: 10 + type: permit + match: + - extcommunity ECL-EVPN-SOO +router_adaptive_virtual_topology: + topology_role: edge + region: + name: AVD_Land_West + id: 42 + zone: + name: AVD_Land_West-ZONE + id: 1 + site: + name: Site12 + id: 12 + profiles: + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + load_balance_policy: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + - name: DEFAULT-AVT-POLICY-VIDEO + load_balance_policy: LB-DEFAULT-AVT-POLICY-VIDEO + - name: DEFAULT-AVT-POLICY-DEFAULT + load_balance_policy: LB-DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY-VOICE + load_balance_policy: LB-PROD-AVT-POLICY-VOICE + - name: PROD-AVT-POLICY-VIDEO + load_balance_policy: LB-PROD-AVT-POLICY-VIDEO + - name: PROD-AVT-POLICY-DEFAULT + load_balance_policy: LB-PROD-AVT-POLICY-DEFAULT + policies: + - name: DEFAULT-AVT-POLICY-WITH-CP + matches: + - application_profile: APP-PROFILE-CONTROL-PLANE + avt_profile: DEFAULT-AVT-POLICY-CONTROL-PLANE + - application_profile: VIDEO + avt_profile: DEFAULT-AVT-POLICY-VIDEO + - application_profile: default + avt_profile: 
DEFAULT-AVT-POLICY-DEFAULT + - name: PROD-AVT-POLICY + matches: + - application_profile: VOICE + avt_profile: PROD-AVT-POLICY-VOICE + - application_profile: VIDEO + avt_profile: PROD-AVT-POLICY-VIDEO + - application_profile: default + avt_profile: PROD-AVT-POLICY-DEFAULT + vrfs: + - name: default + policy: DEFAULT-AVT-POLICY-WITH-CP + profiles: + - name: DEFAULT-AVT-POLICY-CONTROL-PLANE + id: 254 + - name: DEFAULT-AVT-POLICY-VIDEO + id: 3 + - name: DEFAULT-AVT-POLICY-DEFAULT + id: 1 + - name: PROD + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 +router_bfd: + multihop: + interval: 300 + min_rx: 300 + multiplier: 3 +router_bgp: + as: '65000' + router_id: 192.168.42.12 + maximum_paths: + paths: 16 + updates: + wait_install: true + bgp: + default: + ipv4_unicast: false + peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + send_community: all + maximum_routes: 12000 + route_map_in: RM-BGP-UNDERLAY-PEERS-IN + - name: EVPN-OVERLAY-PEERS + type: evpn + update_source: Loopback0 + bfd: true + ebgp_multihop: 3 + send_community: all + maximum_routes: 0 + - name: WAN-OVERLAY-PEERS + type: wan + remote_as: '65000' + update_source: Dps1 + bfd: true + bfd_timers: + interval: 1000 + min_rx: 1000 + multiplier: 10 + password: htm4AZe9mIQOO1uiMuGgYQ== + send_community: all + maximum_routes: 0 + ttl_maximum_hops: 1 + neighbors: + - ip_address: 172.18.0.22 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65042' + peer: leaf-wan-use-evpn-on-lan + description: leaf-wan-use-evpn-on-lan_Ethernet1 + - ip_address: 192.168.144.1 + peer_group: WAN-OVERLAY-PEERS + peer: cv-pathfinder-pathfinder + description: cv-pathfinder-pathfinder_Dps1 + redistribute: + connected: + enabled: true + route_map: 
RM-CONN-2-BGP + address_family_evpn: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + route_map_in: RM-EVPN-SOO-IN + route_map_out: RM-EVPN-SOO-OUT + encapsulation: path-selection + - name: EVPN-OVERLAY-PEERS + activate: true + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: WAN-OVERLAY-PEERS + activate: false + address_family_ipv4_sr_te: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + address_family_link_state: + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + path_selection: + roles: + producer: true + address_family_path_selection: + bgp: + additional_paths: + receive: true + send: any + peer_groups: + - name: WAN-OVERLAY-PEERS + activate: true + vrfs: + - name: default + rd: 192.168.42.12:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - route-map RM-EVPN-EXPORT-VRF-DEFAULT + - name: PROD + rd: 192.168.42.12:142 + route_targets: + import: + - address_family: evpn + route_targets: + - 142:142 + export: + - address_family: evpn + route_targets: + - 142:142 + router_id: 192.168.42.12 + redistribute: + connected: + enabled: true + - name: VRF-NO-WAN + rd: 192.168.42.12:300 + route_targets: + import: + - address_family: evpn + route_targets: + - 300:300 + export: + - address_family: evpn + route_targets: + - 300:300 + router_id: 192.168.42.12 + redistribute: + connected: + enabled: true + - name: WAN-VRF-NO-AF + rd: 192.168.42.12:200 + route_targets: + import: + - address_family: evpn + route_targets: + - 200:200 + export: + - address_family: evpn + route_targets: + - 200:200 + router_id: 192.168.42.12 + redistribute: + connected: + enabled: true +router_path_selection: + path_groups: + - name: INET + id: 101 + ipsec_profile: CP-PROFILE + local_interfaces: + - name: Ethernet1 + stun: + server_profiles: + - INET-cv-pathfinder-pathfinder-Ethernet1 + - INET-cv-pathfinder-pathfinder-Ethernet3 
+ dynamic_peers: + enabled: true + static_peers: + - router_ip: 192.168.144.1 + name: cv-pathfinder-pathfinder + ipv4_addresses: + - 172.17.7.7 + - 10.9.9.9 + load_balance_policies: + - name: LB-DEFAULT-AVT-POLICY-CONTROL-PLANE + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-VIDEO + path_groups: + - name: INET + - name: LB-DEFAULT-AVT-POLICY-DEFAULT + path_groups: + - name: INET + - name: LB-PROD-AVT-POLICY-VOICE + lowest_hop_count: true + jitter: 42 + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-VIDEO + loss_rate: '42.0' + path_groups: + - name: INET + priority: 2 + - name: LB-PROD-AVT-POLICY-DEFAULT + path_groups: + - name: INET + tcp_mss_ceiling: + ipv4_segment_size: auto +router_traffic_engineering: + enabled: true +service_routing_protocols_model: multi-agent +spanning_tree: + mode: none +stun: + client: + server_profiles: + - name: INET-cv-pathfinder-pathfinder-Ethernet1 + ip_address: 172.17.7.7 + ssl_profile: profileA + - name: INET-cv-pathfinder-pathfinder-Ethernet3 + ip_address: 10.9.9.9 + ssl_profile: profileA +transceiver_qsfp_default_mode_4x10: false +vrfs: +- name: MGMT + ip_routing: false +- name: PROD + ip_routing: true + tenant: TenantA +- name: VRF-NO-WAN + ip_routing: true + tenant: TenantD +- name: VRF-NO-WAN-NO-AF + ip_routing: true + tenant: TenantD +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantD +vxlan_interface: + vxlan1: + description: cv-pathfinder-edge-wan-use-evpn-on-lan_VTEP + vxlan: + source_interface: Dps1 + udp_port: 4789 + vrfs: + - name: default + vni: 1 + - name: PROD + vni: 42 + - name: VRF-NO-WAN + vni: 300 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml index 18066ced230..e69b97e2d4a 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml @@ -261,6 +261,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: @@ -434,6 +438,56 @@ metadata: preference: alternate - name: LAN_HA preference: preferred + - name: WAN-VRF-NO-AF + vni: 200 + avts: + - constraints: + jitter: 42 + hop_count: lowest + id: 2 + name: PROD-AVT-POLICY-VOICE + pathgroups: + - name: MPLS + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VOICE + - constraints: + lossrate: '42.0' + id: 4 + name: PROD-AVT-POLICY-VIDEO + pathgroups: + - name: MPLS + preference: preferred + - name: LTE + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VIDEO + - id: 5 + name: PROD-AVT-POLICY-MPLS-ONLY + pathgroups: + - name: MPLS + preference: preferred + - name: LAN_HA + preference: preferred + application_profiles: + - MPLS-ONLY + - id: 1 + name: PROD-AVT-POLICY-DEFAULT + pathgroups: + - name: INET + preference: preferred + - name: MPLS + preference: alternate + - name: LAN_HA + preference: preferred applications: profiles: - name: VIDEO @@ -582,6 +636,17 @@ router_adaptive_virtual_topology: profiles: - name: DEFAULT-POLICY-DEFAULT id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-MPLS-ONLY + id: 5 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 router_bfd: multihop: interval: 300 @@ -815,3 +880,5 @@ vxlan_interface: vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK vni: 166 + - name: WAN-VRF-NO-AF + vni: 200 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml index 9a67f8ae42e..cbcd93588f0 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml @@ -224,6 +224,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: @@ -397,6 +401,56 @@ metadata: preference: alternate - name: LAN_HA preference: preferred + - name: WAN-VRF-NO-AF + vni: 200 + avts: + - constraints: + jitter: 42 + hop_count: lowest + id: 2 + name: PROD-AVT-POLICY-VOICE + pathgroups: + - name: MPLS + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VOICE + - constraints: + lossrate: '42.0' + id: 4 + name: PROD-AVT-POLICY-VIDEO + pathgroups: + - name: MPLS + preference: preferred + - name: LTE + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VIDEO + - id: 5 + name: PROD-AVT-POLICY-MPLS-ONLY + pathgroups: + - name: MPLS + preference: preferred + - name: LAN_HA + preference: preferred + application_profiles: + - MPLS-ONLY + - id: 1 + name: PROD-AVT-POLICY-DEFAULT + pathgroups: + - name: INET + preference: preferred + - name: MPLS + preference: alternate + - name: LAN_HA + preference: preferred applications: profiles: - name: VIDEO 
@@ -545,6 +599,17 @@ router_adaptive_virtual_topology: profiles: - name: DEFAULT-POLICY-DEFAULT id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-MPLS-ONLY + id: 5 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 router_bfd: multihop: interval: 300 @@ -616,10 +681,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: @@ -809,3 +874,5 @@ vxlan_interface: vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK vni: 166 + - name: WAN-VRF-NO-AF + vni: 200 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml index 5a98350cdfe..d1b8395cd07 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml @@ -242,6 +242,10 @@ metadata: name: Site423 location: address: Somewhere-warm + - id: 12 + name: Site12 + location: + address: 12 Downing Street, London - id: 43 name: AVD_Land_East zones: 
@@ -415,6 +419,56 @@ metadata: preference: alternate - name: LAN_HA preference: preferred + - name: WAN-VRF-NO-AF + vni: 200 + avts: + - constraints: + jitter: 42 + hop_count: lowest + id: 2 + name: PROD-AVT-POLICY-VOICE + pathgroups: + - name: MPLS + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VOICE + - constraints: + lossrate: '42.0' + id: 4 + name: PROD-AVT-POLICY-VIDEO + pathgroups: + - name: MPLS + preference: preferred + - name: LTE + preference: preferred + - name: INET + preference: alternate + - name: LAN_HA + preference: preferred + application_profiles: + - VIDEO + - id: 5 + name: PROD-AVT-POLICY-MPLS-ONLY + pathgroups: + - name: MPLS + preference: preferred + - name: LAN_HA + preference: preferred + application_profiles: + - MPLS-ONLY + - id: 1 + name: PROD-AVT-POLICY-DEFAULT + pathgroups: + - name: INET + preference: preferred + - name: MPLS + preference: alternate + - name: LAN_HA + preference: preferred applications: profiles: - name: VIDEO @@ -563,6 +617,17 @@ router_adaptive_virtual_topology: profiles: - name: DEFAULT-POLICY-DEFAULT id: 1 + - name: WAN-VRF-NO-AF + policy: PROD-AVT-POLICY + profiles: + - name: PROD-AVT-POLICY-VOICE + id: 2 + - name: PROD-AVT-POLICY-VIDEO + id: 4 + - name: PROD-AVT-POLICY-MPLS-ONLY + id: 5 + - name: PROD-AVT-POLICY-DEFAULT + id: 1 router_bfd: multihop: interval: 300 @@ -634,10 +699,10 @@ router_bgp: route_map: RM-CONN-2-BGP address_family_evpn: peer_groups: - - name: WAN-RR-OVERLAY-PEERS + - name: WAN-OVERLAY-PEERS activate: true encapsulation: path-selection - - name: WAN-OVERLAY-PEERS + - name: WAN-RR-OVERLAY-PEERS activate: true encapsulation: path-selection next_hop: @@ -838,3 +903,5 @@ vxlan_interface: vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK vni: 166 + - name: WAN-VRF-NO-AF + vni: 200 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml new file mode 100644 index 00000000000..8ae72a65152 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/leaf-wan-use-evpn-on-lan.yml 
@@ -0,0 +1,305 @@ +aaa_root: + disabled: true +config_end: true +enable_password: + disabled: true +ethernet_interfaces: +- name: Ethernet1 + description: P2P_cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.22/31 + peer: cv-pathfinder-edge-wan-use-evpn-on-lan + peer_interface: Ethernet52 + peer_type: wan_router + switchport: + enabled: false +- name: Ethernet2 + description: P2P_cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 + shutdown: false + mtu: 9214 + ip_address: 172.18.0.26/31 + peer: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan + peer_interface: Ethernet52 + peer_type: wan_router + switchport: + enabled: false +hostname: leaf-wan-use-evpn-on-lan +ip_igmp_snooping: + globally_enabled: true +ip_routing: true +ip_virtual_router_mac_address: 00:1c:73:00:00:01 +is_deployed: true +loopback_interfaces: +- name: Loopback0 + description: ROUTER_ID + shutdown: false + ip_address: 192.168.45.13/32 +- name: Loopback1 + description: VXLAN_TUNNEL_SOURCE + shutdown: false + ip_address: 192.168.255.13/32 +management_api_http: + enable_https: true + enable_vrfs: + - name: MGMT +metadata: + fabric_name: EOS_DESIGNS_UNIT_TESTS +prefix_lists: +- name: PL-LOOPBACKS-EVPN-OVERLAY + sequence_numbers: + - sequence: 10 + action: permit 192.168.45.0/24 eq 32 + - sequence: 20 + action: permit 192.168.255.0/24 eq 32 +route_maps: +- name: RM-CONN-2-BGP + sequence_numbers: + - sequence: 10 + type: permit + match: + - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY +router_bfd: + multihop: + interval: 300 + min_rx: 300 + multiplier: 3 +router_bgp: + as: '65042' + router_id: 192.168.45.13 + maximum_paths: + paths: 4 + ecmp: 4 + updates: + wait_install: true + bgp: + default: + ipv4_unicast: false + peer_groups: + - name: IPv4-UNDERLAY-PEERS + type: ipv4 + send_community: all + maximum_routes: 12000 + - name: EVPN-OVERLAY-PEERS + type: evpn + update_source: Loopback0 + bfd: true + ebgp_multihop: 3 + 
send_community: all + maximum_routes: 0 + neighbors: + - ip_address: 172.18.0.23 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + peer: cv-pathfinder-edge-wan-use-evpn-on-lan + description: cv-pathfinder-edge-wan-use-evpn-on-lan_Ethernet52 + - ip_address: 172.18.0.27 + peer_group: IPv4-UNDERLAY-PEERS + remote_as: '65000' + peer: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan + description: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan_Ethernet52 + redistribute: + connected: + enabled: true + route_map: RM-CONN-2-BGP + vlans: + - id: 1000 + tenant: TenantA + rd: 192.168.45.13:2000 + route_targets: + both: + - 2000:2000 + redistribute_routes: + - learned + - id: 100 + tenant: TenantA + rd: 192.168.45.13:1100 + route_targets: + both: + - 1100:1100 + redistribute_routes: + - learned + - id: 101 + tenant: TenantA + rd: 192.168.45.13:1101 + route_targets: + both: + - 1101:1101 + redistribute_routes: + - learned + - id: 666 + tenant: TenantC + rd: 192.168.45.13:1666 + route_targets: + both: + - 1666:1666 + redistribute_routes: + - learned + address_family_evpn: + peer_groups: + - name: EVPN-OVERLAY-PEERS + activate: true + address_family_ipv4: + peer_groups: + - name: IPv4-UNDERLAY-PEERS + activate: true + - name: EVPN-OVERLAY-PEERS + activate: false + vrfs: + - name: default + rd: 192.168.45.13:1 + route_targets: + import: + - address_family: evpn + route_targets: + - '1:1' + export: + - address_family: evpn + route_targets: + - '1:1' + - name: IT + rd: 192.168.45.13:1000 + route_targets: + import: + - address_family: evpn + route_targets: + - 1000:1000 + export: + - address_family: evpn + route_targets: + - 1000:1000 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true + - name: PROD + rd: 192.168.45.13:142 + route_targets: + import: + - address_family: evpn + route_targets: + - 142:142 + export: + - address_family: evpn + route_targets: + - 142:142 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true + 
- name: ATTRACTED-VRF-FROM-UPLINK + rd: 192.168.45.13:666 + route_targets: + import: + - address_family: evpn + route_targets: + - 666:666 + export: + - address_family: evpn + route_targets: + - 666:666 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true + - name: VRF-NO-WAN + rd: 192.168.45.13:300 + route_targets: + import: + - address_family: evpn + route_targets: + - 300:300 + export: + - address_family: evpn + route_targets: + - 300:300 + router_id: 192.168.45.13 + redistribute: + connected: + enabled: true +service_routing_protocols_model: multi-agent +transceiver_qsfp_default_mode_4x10: true +vlan_interfaces: +- name: Vlan1000 + description: VLAN1000 + shutdown: true + vrf: IT + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA +- name: Vlan100 + description: VLAN100 + shutdown: true + vrf: PROD + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA +- name: Vlan666 + description: VLAN666 + shutdown: true + vrf: ATTRACTED-VRF-FROM-UPLINK + ip_address_virtual: 10.66.66.66/24 + tenant: TenantC +vlan_internal_order: + allocation: ascending + range: + beginning: 1006 + ending: 1199 +vlans: +- id: 1000 + name: VLAN1000 + tenant: TenantA +- id: 100 + name: VLAN100 + tenant: TenantA +- id: 101 + name: VLAN101 + tenant: TenantA +- id: 666 + name: VLAN666 + tenant: TenantC +vrfs: +- name: MGMT + ip_routing: false +- name: IT + ip_routing: true + tenant: TenantA +- name: PROD + ip_routing: true + tenant: TenantA +- name: ATTRACTED-VRF-FROM-UPLINK + ip_routing: true + tenant: TenantC +- name: VRF-NO-WAN + ip_routing: true + tenant: TenantD +- name: VRF-NO-WAN-NO-AF + ip_routing: true + tenant: TenantD +- name: WAN-VRF-NO-AF + ip_routing: true + tenant: TenantD +vxlan_interface: + vxlan1: + description: leaf-wan-use-evpn-on-lan_VTEP + vxlan: + source_interface: Loopback1 + udp_port: 4789 + vlans: + - id: 1000 + vni: 2000 + - id: 100 + vni: 1100 + - id: 101 + vni: 1101 + - id: 666 + vni: 1666 + vrfs: + - name: default + vni: 1 + - name: IT + vni: 1000 
+ - name: PROD + vni: 142 + - name: ATTRACTED-VRF-FROM-UPLINK + vni: 666 + - name: VRF-NO-WAN + vni: 300 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml index e7607bec68a..4ab5ba99166 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-disabled-leaf.yml @@ -169,6 +169,14 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: + - id: 1000 + tenant: TenantA + rd: 192.168.45.4:2000 + route_targets: + both: + - 2000:2000 + redistribute_routes: + - learned - id: 100 tenant: TenantA rd: 192.168.45.4:1100 @@ -290,6 +298,12 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: +- name: Vlan1000 + description: VLAN1000 + shutdown: true + vrf: IT + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -309,6 +323,9 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: +- id: 1000 + name: VLAN1000 + tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -337,6 +354,8 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: + - id: 1000 + vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml index 89d1fa00274..a96fadd8d8c 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf1.yml @@ -169,6 +169,14 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: + - id: 1000 + tenant: TenantA + rd: 192.168.45.1:2000 + route_targets: + both: + - 2000:2000 + redistribute_routes: + - learned - id: 100 tenant: TenantA rd: 192.168.45.1:1100 @@ -290,6 +298,12 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: +- name: Vlan1000 + description: VLAN1000 + shutdown: true + vrf: IT + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -308,6 +322,9 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: +- id: 1000 + name: VLAN1000 + tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -336,6 +353,8 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: + - id: 1000 + vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml index 19b4471e640..fcc8b561a30 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2A.yml @@ -169,6 +169,14 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: + - id: 1000 + tenant: TenantA + rd: 192.168.45.2:2000 + route_targets: + both: + - 2000:2000 + redistribute_routes: + - learned - id: 100 tenant: TenantA rd: 192.168.45.2:1100 
@@ -290,6 +298,12 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: +- name: Vlan1000 + description: VLAN1000 + shutdown: true + vrf: IT + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -308,6 +322,9 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: +- id: 1000 + name: VLAN1000 + tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA @@ -336,6 +353,8 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: + - id: 1000 + vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml index 81ce797ff5c..4fae30e5f36 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/site-ha-enabled-leaf2B.yml @@ -169,6 +169,14 @@ router_bgp: enabled: true route_map: RM-CONN-2-BGP vlans: + - id: 1000 + tenant: TenantA + rd: 192.168.45.3:2000 + route_targets: + both: + - 2000:2000 + redistribute_routes: + - learned - id: 100 tenant: TenantA rd: 192.168.45.3:1100 @@ -290,6 +298,12 @@ router_bgp: service_routing_protocols_model: multi-agent transceiver_qsfp_default_mode_4x10: true vlan_interfaces: +- name: Vlan1000 + description: VLAN1000 + shutdown: true + vrf: IT + ip_address_virtual: 10.0.100.1/24 + tenant: TenantA - name: Vlan100 description: VLAN100 shutdown: true @@ -308,6 +322,9 @@ vlan_internal_order: beginning: 1006 ending: 1199 vlans: +- id: 1000 + name: VLAN1000 + tenant: TenantA - id: 100 name: VLAN100 tenant: TenantA 
@@ -336,6 +353,8 @@ vxlan_interface: source_interface: Loopback1 udp_port: 4789 vlans: + - id: 1000 + vni: 2000 - id: 100 vni: 1100 - id: 101 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml index 46d42ebde5d..02d4786b345 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml @@ -124,6 +124,13 @@ tenants: ip_address_virtual: 10.0.100.1/24 - name: IT vrf_id: 100 + # Removing the default address family with the vrf NOT defined under wan_virtual_topologies.vrfs + # and the knob wan_use_evpn_node_settings_for_lan: False + address_families: [] + - name: WAN-VRF-NO-AF + vrf_id: 200 + # Removing the default address family with the vrf defined under wan_virtual_topologies.vrfs + # and the knob wan_use_evpn_node_settings_for_lan: False address_families: [] l2vlans: - id: 101 @@ -137,6 +144,10 @@ wan_virtual_topologies: - name: PROD policy: PROD-AUTOVPN-POLICY wan_vni: 42 + - name: WAN-VRF-NO-AF + # using same policy to avoid noise + policy: PROD-AUTOVPN-POLICY + wan_vni: 200 policies: - name: PROD-AUTOVPN-POLICY default_virtual_topology: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml index d68dd43849a..f25b92a051e 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_TESTS.yml 
@@ -34,6 +34,9 @@ cv_pathfinder_regions:
 - name: Site423
 id: 423
 location: Somewhere-warm
+ - name: Site12
+ id: 12
+ location: 12 Downing Street, London
 - name: AVD_Land_East
 id: 43
 description: AVD Region
@@ -105,8 +108,8 @@ wan_router:
 # cv-pathfinder-edge is not configured on cv-pathfinder-edge1
 - group: Site511
 uplink_type: p2p-vrfs
- uplink_switches: [ site-ha-disabled-leaf ]
- uplink_interfaces: [ Ethernet52 ]
+ uplink_switches: [site-ha-disabled-leaf]
+ uplink_interfaces: [Ethernet52]
 cv_pathfinder_region: AVD_Land_East
 cv_pathfinder_site: Site511
 wan_ha:
@@ -220,8 +223,8 @@ wan_router:
 cv_pathfinder_region: AVD_Land_West
 cv_pathfinder_site: Site423
 uplink_type: p2p-vrfs
- uplink_switches: [ site-ha-enabled-leaf2A, site-ha-enabled-leaf2B ]
- uplink_interfaces: [ Ethernet52, Ethernet53 ]
+ uplink_switches: [site-ha-enabled-leaf2A, site-ha-enabled-leaf2B]
+ uplink_interfaces: [Ethernet52, Ethernet53]
 wan_ha:
 enabled: true # TODO AVD4.8.0: Remove once WAN HA is GA.
 nodes:
@@ -251,8 +254,8 @@ wan_router:
 always_include_vrfs_in_tenants: [TenantA, TenantB]
 uplink_ipv4_pool: 172.17.0.0/16
 uplink_type: p2p-vrfs
- uplink_switches: [ site-ha-enabled-leaf1 ]
- uplink_interfaces: [ Ethernet52 ]
+ uplink_switches: [site-ha-enabled-leaf1]
+ uplink_interfaces: [Ethernet52]
 cv_pathfinder_transit_mode: region
 # Disable HA IPsec
 wan_ha:
@@ -520,6 +523,10 @@ tenants:
 ip_address_virtual: 10.0.100.1/24
 - name: IT
 vrf_id: 1000
+ svis:
+ - id: 1000
+ name: VLAN1000
+ ip_address_virtual: 10.0.100.1/24
 l2vlans:
 - id: 101
 name: VLAN101
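Review bot: The SVI added under VRF `IT` in the last hunk (`@@ -520,6 +523,10 @@`) reuses `ip_address_virtual: 10.0.100.1/24`, the same value as the context line directly above `- name: IT`, which presumably belongs to an SVI of the preceding VRF. The new edge host_vars in this commit set `deny_vrfs: [IT]`, so a distinct prefix for VLAN1000 would make it visible in the intended configs if an IT address ever appeared on a device where that VRF is meant to be filtered out. If the overlap is deliberate, a comment such as `# same prefix as the SVI in the previous VRF on purpose (overlapping addressing across VRFs)` would record that; otherwise pick a different subnet and regenerate the intended configs. The tenant block starts outside the hunk, so which VRF owns the earlier SVI cannot be confirmed from here.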
@@ -549,6 +556,25 @@ tenants: nodes: - node: site-ha-disabled-leaf ip_address: 10.66.66.1 + - name: TenantD + # Tenant used to test VRFs + # knob wan_use_evpn_node_settings_for_lan: true + mac_vrf_vni_base: 1000 + vrfs: + - name: WAN-VRF-NO-AF + vrf_id: 200 + # Setting address families under tenant to empty list + # and checking the VRF is still added on the WAN when the knob is true + # and the VRF is defined under wan_virtual_topologies.vrfs + address_families: [] + - name: VRF-NO-WAN + vrf_id: 300 + # keeping default address family "evpn" and verifying we do not raise + # when the knob is true. The VRF should be configured. + - name: VRF-NO-WAN-NO-AF + vrf_id: 400 + # when the knob is true. The VRF should not be configured. + address_families: [] wan_virtual_topologies: vrfs: @@ -568,6 +594,10 @@ wan_virtual_topologies: wan_vni: 66 - name: ATTRACTED-VRF-FROM-UPLINK wan_vni: 166 + - name: WAN-VRF-NO-AF + # Using PROD policy to avoid extra noise + policy: PROD-AVT-POLICY + wan_vni: 200 policies: - name: PROD-AVT-POLICY default_virtual_topology: diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml new file mode 100644 index 00000000000..f83de091784 --- /dev/null +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan.yml 
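Review bot: The comment under `VRF-NO-WAN-NO-AF` in the first hunk is a sentence fragment (`# when the knob is true. The VRF should not be configured.`) and, unlike the two VRFs above it, does not state the condition being tested. Judging by the VRF name and the second hunk (only `WAN-VRF-NO-AF` is added to `wan_virtual_topologies.vrfs`), the intended text is presumably `# Setting address families to an empty list with the VRF NOT defined under wan_virtual_topologies.vrfs:` followed by `# the VRF should not be configured when the knob is true.` These comments are what a reader checks the generated configs against, so each case should carry its full precondition.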
@@ -0,0 +1,37 @@
+---
+# Testing CV pathfinder edge using new toggle wan_use_evpn_node_settings_for_lan
+wan_use_evpn_node_settings_for_lan: true
+# not enabling any overlay protocol on WAN to see impact on "LAN only VRFs"
+# none is alreeady the default
+overlay_routing_protocol: none
+
+bgp_as: 65000
+
+wan_route_servers:
+ - hostname: cv-pathfinder-pathfinder
+
+wan_router:
+ defaults:
+ loopback_ipv4_pool: 192.168.42.0/24
+ vtep_loopback_ipv4_pool: 192.168.142.0/24
+ filter:
+ always_include_vrfs_in_tenants: [TenantA, TenantD]
+ deny_vrfs: [IT]
+ nodes:
+ - name: cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan
+ cv_pathfinder_region: AVD_Land_West
+ cv_pathfinder_site: Site12
+ # Adding uplink to leaf for EVPN
+ uplink_switches: [leaf-wan-use-evpn-on-lan]
+ uplink_type: p2p
+ uplink_interfaces: [Ethernet52]
+ uplink_switch_interfaces: [Ethernet2]
+ uplink_ipv4_pool: 172.18.0.0/24
+ evpn_role: client
+ id: 14
+ l3_interfaces:
+ - name: Ethernet1
+ wan_carrier: ATT
+ wan_circuit_id: 666
+ dhcp_accept_default_route: true
+ ip_address: dhcp
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml
new file mode 100644
index 00000000000..b0048ee3509
--- /dev/null
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-wan-use-evpn-on-lan.yml
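Review bot: The comment above `overlay_routing_protocol: none` says the overlay is not enabled "on WAN", but the file name (`...-no-overlay-on-lan`) and the wan.md change in this same commit (the key "is considered only on the LAN side") both indicate that this setting controls the LAN overlay. Suggest `# not enabling any overlay protocol on the LAN to see the impact on "LAN only VRFs"`, and fix the typo on the following line: `# none is already the default`. A fixture whose comment names the wrong side makes it hard to tell which behaviour the expected output is supposed to pin down.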
@@ -0,0 +1,36 @@
+---
+# Testing CV pathfinder edge using new toggle wan_use_evpn_node_settings_for_lan
+wan_use_evpn_node_settings_for_lan: true
+# enabling EVPN on LAN
+overlay_routing_protocol: ebgp
+
+bgp_as: 65000
+
+wan_route_servers:
+ - hostname: cv-pathfinder-pathfinder
+
+wan_router:
+ defaults:
+ loopback_ipv4_pool: 192.168.42.0/24
+ vtep_loopback_ipv4_pool: 192.168.142.0/24
+ filter:
+ always_include_vrfs_in_tenants: [TenantA, TenantD]
+ deny_vrfs: [IT]
+ nodes:
+ - name: cv-pathfinder-edge-wan-use-evpn-on-lan
+ cv_pathfinder_region: AVD_Land_West
+ cv_pathfinder_site: Site12
+ # Adding uplink to leaf for EVPN
+ uplink_switches: [leaf-wan-use-evpn-on-lan]
+ uplink_type: p2p
+ uplink_interfaces: [Ethernet52]
+ uplink_switch_interfaces: [Ethernet1]
+ uplink_ipv4_pool: 172.18.0.0/24
+ evpn_role: client
+ id: 12
+ l3_interfaces:
+ - name: Ethernet1
+ wan_carrier: ATT
+ wan_circuit_id: 666
+ dhcp_accept_default_route: true
+ ip_address: dhcp
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml
new file mode 100644
index 00000000000..1bab418e260
--- /dev/null
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/leaf-wan-use-evpn-on-lan.yml
@@ -0,0 +1,14 @@
+---
+type: l3leaf
+
+l3leaf:
+ defaults:
+ bgp_as: 65042
+ loopback_ipv4_pool: 192.168.45.0/24
+ vtep_loopback_ipv4_pool: 192.168.255.0/24
+ virtual_router_mac_address: 00:1c:73:00:00:01
+ filter:
+ always_include_vrfs_in_tenants: [TenantA, TenantD]
+ nodes:
+ - name: leaf-wan-use-evpn-on-lan
+ id: 13
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml
index dd347a9704b..b77707f1b31 100644
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/hosts.yml
@@ -402,6 +402,11 @@ all:
 cv-pathfinder-edge:
 cv-pathfinder-edge1:
 site-ha-disabled-leaf:
+ SITE_EVPN:
+ hosts:
+ cv-pathfinder-edge-wan-use-evpn-on-lan:
+ cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan:
+ leaf-wan-use-evpn-on-lan:
 CV_PATHFINDERS:
 hosts:
 cv-pathfinder-pathfinder:
@@ -419,11 +424,19 @@ all:
 cv-pathfinder-custom-control-plane-policy-edge-2:
 # Edge 3 overrides the profile name and also defines the profile
 cv-pathfinder-custom-control-plane-policy-edge-3:
+ CV_PATHFINDER_TESTS_LEAFS:
+ hosts:
+ site-ha-enabled-leaf2A:
+ site-ha-enabled-leaf2B:
+ site-ha-enabled-leaf1:
+ site-ha-disabled-leaf:
+ leaf-wan-use-evpn-on-lan:
 WAN_UNIT_TESTS:
 hosts:
 autovpn-edge-no-default-policy:
 cv-pathfinder-edge-no-default-policy:
 cv-pathfinder-edge-custom-default-policy:
+ cv-pathfinder-edge-wan-use-evpn-on-lan:
 UPLINK_P2P_VRFS_TESTS:
 hosts:
 UPLINK_P2P_VRFS_TESTS_SPINE1:
diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md b/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md
index 8fb877adec1..0bd6171ac03 100644
--- a/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md
+++ b/ansible_collections/arista/avd/roles/eos_designs/docs/how-to/wan.md
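Review bot: In the second hunk only `cv-pathfinder-edge-wan-use-evpn-on-lan` is added to `WAN_UNIT_TESTS`, while `cv-pathfinder-edge-wan-use-evpn-on-lan-no-overlay-on-lan` appears only under `SITE_EVPN` in the first hunk. The group nesting is not visible in this view, so it is unclear whether the second host inherits the same group variables as the first. If the difference is intended, a comment on the `SITE_EVPN` group such as `# the no-overlay-on-lan edge is deliberately not part of WAN_UNIT_TESTS` would document it, in the style of the existing `# Edge 3 overrides ...` comment; otherwise add the host to `WAN_UNIT_TESTS` as well.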
@@ -33,10 +33,10 @@ Please familiarize yourself with the Arista WAN terminology before proceeding: - When deploying CV Pathfinder, the assumption is that the deployment is using CVaaS. - The intent is to be able to support having the different WAN participating devices in different inventories. -- Only iBGP is supported as an overlay_routing_protocol. - On the AutoVPN Route Reflectors and Pathfinders, a listen range statement is used for BGP to allow for distributed Ansible inventories. - VRF `default` is being configured by default on all WAN devices with a `wan_vni` of 1. To override this, it is necessary to configure VRF `default` in a tenant in `network_services`. - Path-group ID `65535` is reserved for the path-group called `LAN_HA`. +- iBGP is configured over the WAN for the overlay. The `overlay_routing_protocol` key is considered only on the LAN side. !!! info "CV Pathfinder & CloudVision" 
@@ -102,21 +102,21 @@ Please familiarize yourself with the Arista WAN terminology before proceeding: The following table list the `eos_designs` top level keys used for WAN and how they should be set: -| Key | Must be the same for all the WAN routers | Comment | -| --- | ---------------------------------------- | ------- | -| `wan_mode` | ✅ | Two possible modes, `autovpn` and `cv-pathfinder` (default). | -| `wan_encapsulation` | ✅ | Two possible encapsulations, `vxlan` and `path-selection` (default). | -| `wan_virtual_topologies` | ✅ | to define the Policies and the VRF to policy mappings. | -| `wan_path_groups` | ✅ | to define the list of path-groups in the network. | -| `wan_carriers` | ✅ | to define the list of carriers in the network, each carrier is assigned to a path-group. | -| `wan_ipsec_profiles` | ✅ | to define the shared key for the Control Plane and Data Plane IPSec profiles. | -| `cv_pathfinder_regions` | ✅ | to define the Region/Zone/Site hierarchy, not required for AutoVPN. | -| `tenants` | ✅ | the default tenant key from `network_services` or any other key for tenant that would hold some WAN VRF information. | -| `wan_stun_dtls_disable` | ✅ | disable dTLS for STUN for instance for lab. (**NOT** recommended in production). | -| `application_classification` | ✅ | to define the specific traffic classification required for the WAN if any. | -| `cv_pathfinder_internet_exit_policies` | ✅ | to define the internet-exit policies. | -| `wan_route_servers` | ✘| Indicate to which WAN route servers the WAN router should connect to. This key is also used to tell every WAN Route Reflectors with which other RRs it should peer with. | -| `ipv4_acls` | ✘| List of IPv4 access-lists to be assigned to WAN interfaces. 
| +| Key | Must be the same for all the WAN routers | Comment | +| -------------------------------------- | ---------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `wan_mode` | ✅ | Two possible modes, `autovpn` and `cv-pathfinder` (default). | +| `wan_encapsulation` | ✅ | Two possible encapsulations, `vxlan` and `path-selection` (default). | +| `wan_virtual_topologies` | ✅ | to define the Policies and the VRF to policy mappings. | +| `wan_path_groups` | ✅ | to define the list of path-groups in the network. | +| `wan_carriers` | ✅ | to define the list of carriers in the network, each carrier is assigned to a path-group. | +| `wan_ipsec_profiles` | ✅ | to define the shared key for the Control Plane and Data Plane IPSec profiles. | +| `cv_pathfinder_regions` | ✅ | to define the Region/Zone/Site hierarchy, not required for AutoVPN. | +| `tenants` | ✅ | the default tenant key from `network_services` or any other key for tenant that would hold some WAN VRF information. | +| `wan_stun_dtls_disable` | ✅ | disable dTLS for STUN for instance for lab. (**NOT** recommended in production). | +| `application_classification` | ✅ | to define the specific traffic classification required for the WAN if any. | +| `cv_pathfinder_internet_exit_policies` | ✅ | to define the internet-exit policies. | +| `wan_route_servers` | ✘ | Indicate to which WAN route servers the WAN router should connect to. This key is also used to tell every WAN Route Reflectors with which other RRs it should peer with. | +| `ipv4_acls` | ✘ | List of IPv4 access-lists to be assigned to WAN interfaces. | Additionally, following keys must be set for the WAN route servers for the connectivity to work: 
@@ -182,7 +182,7 @@ wan_route_servers: # (1)! ``` 1. A `wan_router` with this configuration will establish BGP peering to all the `wan_route_servers` in the list if it has a common path-group. - A `wan_rr` with this configuration will establish BGP peerings to every other `wan_route_servers` in the list if they have a common path-group. + A `wan_rr` with this configuration will establish BGP peerings to every other `wan_route_servers` in the list if they have a common path-group. !!! note @@ -193,7 +193,7 @@ However, if the WAN route servers are in a different inventory, it is then neces #### WAN STUN handling -WAN STUN connections are configured by default authenticated and secured with DTLS by default. A security profile is configured with an hardcoded root certificate and matching a certificate `.crt` and key `.key`: +WAN STUN connections are configured by default authenticated and secured with DTLS by default. A security profile is configured with an hardcoded root certificate and matching a certificate `.crt` and key `.key`: ```eos management security @@ -207,7 +207,7 @@ These values can be overwritten using `custom_structured_configuration`. This configuration requires certificates to be distributed on the WAN devices to be able to authenticate themselves: -- For CV Pathinder deployments, CloudVision will automatically generate and deploy the certificates on the devices once AVD configs and metadata have been pushed. +- For CV Pathinder deployments, CloudVision will automatically generate and deploy the certificates on the devices once AVD configs and metadata have been pushed. - For AutoVPN, the certificates must be generated and deployed to the devices for the STUN connections to work. !!! Danger "Disabling STUN" @@ -252,7 +252,7 @@ cv_pathfinder_regions: ``` !!! Note - Site IDs and names must be unique per region. +Site IDs and names must be unique per region. And then for each `wan_router`: 
@@ -398,7 +398,7 @@ wan_router: # Configure BGP peering with peer bgp: peer_as: 65042 - ipv4_prefix_list_in: ALLOW-DEFAULT # (4)! + ipv4_prefix_list_in: ALLOW-DEFAULT # (4)! # This is NOT a WAN interface - name: Ethernet3 ip_address: 172.20.20.20/31 @@ -412,7 +412,7 @@ ipv4_prefix_list_catalog: 1. `peer` and `peer_interface` are optionals and used for description. 2. `wan_circuit_id` is optional and used for description. 3. Configure IPv4 ACLs in and out for the L3 interface. The access lists must - be defined under `ipv4_acls` top level key. + be defined under `ipv4_acls` top level key. 4. For BGP peering for WAN interfaces, the `ipv4_prefix_list_in` is mandatory for security reaasons. It is defined in the `ipv4_prefix_list_catalog`. ### WAN policies 
@@ -422,7 +422,7 @@ The policies definition works as follow: - The policies are defined under `wan_virtual_topologies.policies`. For AutoVPN mode, the policies are configured under `router path-selection`, for CV Pathfinder, they are configured under `router adaptive-virtual-topology`. - A policy is composed of a list of `application_virtual_topologies` and one `default_virtual_topology`. - The `application_virtual_topologies` entries and the `default_virtual_topology` key are used to create the policy match statement, the AVT profile (when `wan_mode` is CV Pathfinder) and the load balancing policy. -- The `default_virtual_topology` is used as the default match in the policy. To prevent configuring it, the `drop_unmatched` boolean must be set to `true` otherwise, at least one `path-group` must be configured or AVD will raise an error. +- The `default_virtual_topology` is used as the default match in the policy. To prevent configuring it, the `drop_unmatched` boolean must be set to `true` otherwise, at least one `path-group` must be configured or AVD will raise an error. - Policies are assigned to VRFs using the list `wan_virtual_topologies.vrfs`. A policy can be reused in multiple VRFs. - If no policy is assigned for the `default` VRF policy, AVD auto generates one with one `default_virtual_topology` entry configured to use all available local path-groups. - For the policy defined for VRF `default` (or the auto-generared one), an extra match statement is injected in the policy to match the traffic towards the Pathfinders or AutoVPN RRs, the name of the application-profile is hardcoded as `APP-PROFILE-CONTROL-PLANE`. A special policy is created by appending `-WITH-CP` at the end of the targeted policy name. 
@@ -431,13 +431,13 @@ The policies definition works as follow: ```yaml wan_virtual_topologies: vrfs: - - name: PROD # (1)! + - name: PROD # (1)! policy: PROD-AVT-POLICY wan_vni: 42 - name: default # (2)! wan_vni: 1 policies: - - name: PROD-AVT-POLICY # (3)! + - name: PROD-AVT-POLICY # (3)! default_virtual_topology: # (4)! path_groups: - names: [INET] @@ -478,7 +478,7 @@ wan_virtual_topologies: 2. VRF `default` will use the AVD auto-generated `DEFAULT-POLICY` as no policy is set. 3. Define the `PROD-AVT-POLICY` 4. `default_virtual_topology` is used to configure the default match in the policy. - In this case, default traffic will use INET path-group first and MPLS as backup. + In this case, default traffic will use INET path-group first and MPLS as backup. 5. This list element configures the policy to apply to traffic the `VOICE` application profile. This block of configuration will configure the Load Balance policy, the match statement in the policy (in `router path-selection` for AutoVPN or `router adaptive-virtual-topology` for CV-Pathfinder) and for CV-Pathfinder, the AVT profile. The application profile must be defined under `application_classification.application_profiles`. @@ -530,12 +530,11 @@ cv_pathfinder_internet_exit_policies: # [...] type specific options ``` -An Application Virtual Topology policy is composed of multiple profiles. An AVT profile can be assigned an Internet-policy as follow: +An Application Virtual Topology policy is composed of multiple profiles. An AVT profile can be assigned an Internet-policy as follow: ```yaml wan_virtual_topologies: - vrfs: - [...] + vrfs: [...] policies: - name: PROD-AVT-POLICY default_virtual_topology: @@ -633,7 +632,7 @@ AVD `eos_designs` will fetch Zscaler integration information from Cloudvision. ```yaml # Variables used by eos_designs to connect to Cloudvision -cv_server: +cv_server: cv_token: ``` 
@@ -642,21 +641,21 @@ For each `zscaler` type Internet-policies, AVD uses the `cv_pathinfder_internet_ The `cv_pathinfder_internet_exit_policies[name=].zscaler` dictionary has additonnal options to configure the policy parameters shared with Zscaler through Cloudvision. ```yaml - # PREVIEW: These keys are in preview mode. - cv_pathfinder_internet_exit_policies: - - name: - type: - fallback_to_system_default: - zscaler: - ipsec_key_salt: - domain_name: - encrypt_traffic: - download_bandwidth: - upload_bandwidth: - firewall: - enabled: - ips: - acceptable_use_policy: +# PREVIEW: These keys are in preview mode. +cv_pathfinder_internet_exit_policies: + - name: + type: + fallback_to_system_default: + zscaler: + ipsec_key_salt: + domain_name: + encrypt_traffic: + download_bandwidth: + upload_bandwidth: + firewall: + enabled: + ips: + acceptable_use_policy: ``` !!! tip "IPsec" @@ -682,9 +681,9 @@ The following LAN scenarios are supported: Some design points: - The Site of Origin (SOO) extended community is configured as `:` - note: site id is unique per zone (only a default zone supported today). - for HA site, the SOO is set as `:` where `router1` is - the first router defined in the group. + note: site id is unique per zone (only a default zone supported today). + for HA site, the SOO is set as `:` where `router1` is + the first router defined in the group. - HA is not supported for more than two routers for CV Pathfinders. - The routes to be advertised towards the WAN must be marked with the site SOO. - The connected routes and static routes are marked with the SOO when 
@@ -692,14 +691,14 @@ Some design points: - the routes redistributed into BGP via the route-map `RM-CONN-2-BGP` are tagged with the SOO. - the routes redistributed into BGP via the route-map `RM-STATIC-2-BGP` are tagged with the SOO. - the routes received from LAN are marked with the SOO when received from - the LAN over BGP or when redistributed into BGP from the LAN protocol. - note: For other connection (e.g. L3 interface with a BGP peering, the - user must mark them with the SOO) + the LAN over BGP or when redistributed into BGP from the LAN protocol. + note: For other connection (e.g. L3 interface with a BGP peering, the + user must mark them with the SOO) - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SOO. - Routes received from the WAN with the local SOO are dropped. - Routes received from the WAN are redistributed / advertised towards the LAN. - For HA, an iBGP session using EVPN Gateway is used to share the routes from - one peer to the other. + one peer to the other. - WAN, LAN and local static routes are sent to the HA peer to cater for various failure scenarii. - The routes received from the HA peer are made less preferred than routes received from the LAN or from the WAN. 
@@ -794,9 +793,7 @@ The following diagram represents this scenario: - one inbound route-map `RM-BGP-UNDERLAY-PEERS-IN`: - accept routes coming from the LAN and set the SoO extended community on them. -!!! warning - - the Underlay peer group (towards the LAN) is not configured with any outbound route-map. - - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SoO. +!!! warning - the Underlay peer group (towards the LAN) is not configured with any outbound route-map. - For VRF default, there is a requirement to explicitly redistribute the routes for EVPN. The `RM-EVPN-EXPORT-VRF-DEFAULT` is configured to export the routes tagged with the SoO. The following diagram shows the additional route-maps configured to support eBGP on LAN: @@ -863,7 +860,7 @@ In the situation where the LAN is EBGP but HA is configured over a direct link, The HA tunnel will come up properly today but route redistribution will be missing so it is not usable. -- the HA interface(s) is(are) the uplink interface(s) which are automatically included in OSPF. +- the HA interface(s) is(are) the uplink interface(s) which are automatically included in OSPF. #### L2 LAN 
@@ -1043,16 +1040,16 @@ wan_virtual_topologies: `eos_validate_state` is being enriched to support new tests for WAN designs. The tests listed below are validating WAN designs. -| AVD Test Class | ANTA Test Class | Description | -| -------------- | --------------- | ----------- | -| AvdTestInterfacesState | VerifyInterfacesStatus | Validate the DPS interface status. | -| AvdTestBGP | VerifyBGPSpecificPeers | Validate the state of BGP Address Family sessions, including `Path-Selection` for AutoVPN, `Link-State` and `IPv4/IPv6 SR-TE` for CV Pathfinder. | -| AvdTestIPSecurity | VerifySpecificIPSecConn | Validate the establishment of IP security connections for each static peer under the `router path-selection` section of the configuration. | -| AvdTestStun | VerifyStunClient | Validate the presence of a STUN client translation for a given source IPv4 address and port. The list of expected translations for each device is built by searching local interfaces in each path-group. | -| AvdTestDpsReachability | VerifyReachability | Validate DPS reachability between devices. | -| AvdTestAvtPath | VerifyAVTSpecificPath | Validate that the status is active and the type is direct for an Adaptive Virtual Topology (AVT) path in a specified VRF for the static peers. | -| AvdTestAvtRole | VerifyAVTRole | Validate the Adaptive Virtual Topology (AVT) role of a device. | +| AVD Test Class | ANTA Test Class | Description | +| ---------------------- | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| AvdTestInterfacesState | VerifyInterfacesStatus | Validate the DPS interface status. | +| AvdTestBGP | VerifyBGPSpecificPeers | Validate the state of BGP Address Family sessions, including `Path-Selection` for AutoVPN, `Link-State` and `IPv4/IPv6 SR-TE` for CV Pathfinder. 
| +| AvdTestIPSecurity | VerifySpecificIPSecConn | Validate the establishment of IP security connections for each static peer under the `router path-selection` section of the configuration. | +| AvdTestStun | VerifyStunClient | Validate the presence of a STUN client translation for a given source IPv4 address and port. The list of expected translations for each device is built by searching local interfaces in each path-group. | +| AvdTestDpsReachability | VerifyReachability | Validate DPS reachability between devices. | +| AvdTestAvtPath | VerifyAVTSpecificPath | Validate that the status is active and the type is direct for an Adaptive Virtual Topology (AVT) path in a specified VRF for the static peers. | +| AvdTestAvtRole | VerifyAVTRole | Validate the Adaptive Virtual Topology (AVT) role of a device. | !!! note - More WAN-related tests are available directly in ANTA and can be added using custom catalogs. - They will be progressively added to `eos_validate_state`. +More WAN-related tests are available directly in ANTA and can be added using custom catalogs. +They will be progressively added to `eos_validate_state`. diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md index 24f6b1da3c7..213004057dc 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-keys.md @@ -19,7 +19,7 @@ | [    default_overlay_address_families](## "custom_node_type_keys.[].default_overlay_address_families") | List, items: String | | `['evpn']` | | Set the default overlay address families.
| | [      - <str>](## "custom_node_type_keys.[].default_overlay_address_families.[]") | String | | | Value is converted to lower case.
Valid Values:
- evpn
- vpn-ipv4
- vpn-ipv6 | | | [    default_evpn_encapsulation](## "custom_node_type_keys.[].default_evpn_encapsulation") | String | | `vxlan` | Value is converted to lower case.
Valid Values:
- mpls
- vxlan | Set the default evpn encapsulation.
| - | [    default_wan_role](## "custom_node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`.
| + | [    default_wan_role](## "custom_node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.
| | [    default_flow_tracker_type](## "custom_node_type_keys.[].default_flow_tracker_type") | String | | `sampled` | Valid Values:
- sampled
- hardware | Set the default flow tracker type. | | [    mlag_support](## "custom_node_type_keys.[].mlag_support") | Boolean | | `False` | | Can this node type support mlag. | | [    network_services](## "custom_node_type_keys.[].network_services") | Dictionary | | | | Will network services be deployed on this node type. | @@ -69,7 +69,7 @@ | [    default_overlay_address_families](## "node_type_keys.[].default_overlay_address_families") | List, items: String | | `['evpn']` | | Set the default overlay address families.
| | [      - <str>](## "node_type_keys.[].default_overlay_address_families.[]") | String | | | Value is converted to lower case.
Valid Values:
- evpn
- vpn-ipv4
- vpn-ipv6 | | | [    default_evpn_encapsulation](## "node_type_keys.[].default_evpn_encapsulation") | String | | `vxlan` | Value is converted to lower case.
Valid Values:
- mpls
- vxlan | Set the default evpn encapsulation.
| - | [    default_wan_role](## "node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`.
| + | [    default_wan_role](## "node_type_keys.[].default_wan_role") | String | | | Valid Values:
- client
- server | Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.
| | [    default_flow_tracker_type](## "node_type_keys.[].default_flow_tracker_type") | String | | `sampled` | Valid Values:
- sampled
- hardware | Set the default flow tracker type. | | [    mlag_support](## "node_type_keys.[].mlag_support") | Boolean | | `False` | | Can this node type support mlag. | | [    network_services](## "node_type_keys.[].network_services") | Dictionary | | | | Will network services be deployed on this node type. | @@ -155,8 +155,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. default_wan_role: # Set the default flow tracker type. @@ -335,8 +333,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. default_wan_role: # Set the default flow tracker type. diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md index 1a282a4d83e..aea9ed2b3d8 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/node-type-wan-configuration.md @@ -9,7 +9,7 @@ | -------- | ---- | -------- | ------- | ------------------ | ----------- | | [<node_type_keys.key>](## "") | Dictionary | | | | | | [  defaults](## ".defaults") | Dictionary | | | | Define variables for all nodes of this type. | - | [    wan_role](## ".defaults.wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [    wan_role](## ".defaults.wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [    cv_pathfinder_transit_mode](## ".defaults.cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [    cv_pathfinder_region](## ".defaults.cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [    cv_pathfinder_site](## ".defaults.cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -31,7 +31,7 @@ | [    - group](## ".node_groups.[].group") | String | Required, Unique | | | The Node Group Name is used for MLAG domain unless set with 'mlag_domain_id'.
The Node Group Name is also used for peer description on downstream switches' uplinks.
| | [      nodes](## ".node_groups.[].nodes") | List, items: Dictionary | | | | Define variables per node. | | [        - name](## ".node_groups.[].nodes.[].name") | String | Required, Unique | | | The Node Name is used as "hostname". | - | [          wan_role](## ".node_groups.[].nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [          wan_role](## ".node_groups.[].nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [          cv_pathfinder_transit_mode](## ".node_groups.[].nodes.[].cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [          cv_pathfinder_region](## ".node_groups.[].nodes.[].cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [          cv_pathfinder_site](## ".node_groups.[].nodes.[].cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -49,7 +49,7 @@ | [              enabled](## ".node_groups.[].nodes.[].wan_ha.flow_tracking.enabled") | Boolean | | | | | | [              name](## ".node_groups.[].nodes.[].wan_ha.flow_tracking.name") | String | | | | Flow tracker name as defined in flow_tracking_settings. | | [          dps_mss_ipv4](## ".node_groups.[].nodes.[].dps_mss_ipv4") | String | | `auto` | | IPv4 MSS value configured under "router path-selection" on WAN Devices. | - | [      wan_role](## ".node_groups.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [      wan_role](## ".node_groups.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [      cv_pathfinder_transit_mode](## ".node_groups.[].cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [      cv_pathfinder_region](## ".node_groups.[].cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [      cv_pathfinder_site](## ".node_groups.[].cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -69,7 +69,7 @@ | [      dps_mss_ipv4](## ".node_groups.[].dps_mss_ipv4") | String | | `auto` | | IPv4 MSS value configured under "router path-selection" on WAN Devices. | | [  nodes](## ".nodes") | List, items: Dictionary | | | | Define variables per node. | | [    - name](## ".nodes.[].name") | String | Required, Unique | | | The Node Name is used as "hostname". | - | [      wan_role](## ".nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector.

Only supported if `overlay_routing_protocol` is set to `ibgp`. | + | [      wan_role](## ".nodes.[].wan_role") | String | | | Valid Values:
- client
- server | Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
`server` indicates that the router is a route-reflector. | | [      cv_pathfinder_transit_mode](## ".nodes.[].cv_pathfinder_transit_mode") | String | | | Valid Values:
- region
- zone | Configure the transit mode for a WAN client for CV Pathfinder designs
only when the `wan_mode` root key is set to `cv_pathfinder`.

'zone' is currently not supported. | | [      cv_pathfinder_region](## ".nodes.[].cv_pathfinder_region") | String | | | | The CV Pathfinder region name.
This key is required for WAN routers but optional for pathfinders.
The region name must be defined under 'cv_pathfinder_regions'. | | [      cv_pathfinder_site](## ".nodes.[].cv_pathfinder_site") | String | | | | The CV Pathfinder site name.
This key is required for WAN routers but optional for pathfinders.
For WAN routers and pathfinders with `cv_pathfinder_region`, the site name must be defined for the relevant region under 'cv_pathfinder_regions'.
For pathfinders without `cv_pathfinder_region` set, the site must be defined under `cv_pathfinder_global_sites`. | @@ -101,8 +101,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs @@ -192,8 +190,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs @@ -270,8 +266,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs @@ -354,8 +348,6 @@ # This is used both for AutoVPN and Pathfinder designs. # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. # `server` indicates that the router is a route-reflector. - # - # Only supported if `overlay_routing_protocol` is set to `ibgp`. wan_role: # Configure the transit mode for a WAN client for CV Pathfinder designs diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md index a29f74c751e..e30d784f46f 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-settings.md 
@@ -24,6 +24,7 @@ | [wan_mode](## "wan_mode") | String | | `cv-pathfinder` | Valid Values:
- autovpn
- cv-pathfinder | Select if the WAN should be run using CV Pathfinder or AutoVPN only. | | [wan_stun_dtls_disable](## "wan_stun_dtls_disable") | Boolean | | `False` | | WAN STUN connections are authenticated and secured with DTLS by default.
For CV Pathfinder deployments CloudVision will automatically deploy certificates on the devices.
In case of AutoVPN the certificates must be deployed manually to all devices.

For LAB environments this can be disabled, if there are no certificates available.
This should NOT be disabled for a WAN network connected to the internet, since it will leave the STUN service exposed with no authentication. | | [wan_stun_dtls_profile_name](## "wan_stun_dtls_profile_name") | String | | `STUN-DTLS` | | Name of the SSL profile used for DTLS on WAN STUN connections.
When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. | + | [wan_use_evpn_node_settings_for_lan](## "wan_use_evpn_node_settings_for_lan") | Boolean | | `False` | | PREVIEW: This key is currently not supported
When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep`
node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN.
This will be the default in AVD version 6.0.0 and this option will be removed. | === "YAML" @@ -85,4 +86,10 @@ # Name of the SSL profile used for DTLS on WAN STUN connections. # When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. wan_stun_dtls_profile_name: + + # PREVIEW: This key is currently not supported + # When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` + # node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN. + # This will be the default in AVD version 6.0.0 and this option will be removed. + wan_use_evpn_node_settings_for_lan: ``` diff --git a/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py b/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py index 90fd418708c..76bfc7b2845 100644 --- a/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py +++ b/python-avd/pyavd/_eos_designs/eos_designs_facts/overlay.py @@ -64,6 +64,6 @@ def overlay(self: EosDesignsFacts) -> dict | None: @cached_property def vtep_ip(self: EosDesignsFacts) -> str | None: """Exposed in avd_switch_facts.""" - if self.shared_utils.vtep: + if self.shared_utils.vtep or self.shared_utils.is_wan_router: return self.shared_utils.vtep_ip return None diff --git a/python-avd/pyavd/_eos_designs/schema/__init__.py b/python-avd/pyavd/_eos_designs/schema/__init__.py index 7b97aab9e76..4938cd01e26 100644 --- a/python-avd/pyavd/_eos_designs/schema/__init__.py +++ b/python-avd/pyavd/_eos_designs/schema/__init__.py @@ -9050,8 +9050,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ default_flow_tracker_type: Literal["sampled", "hardware"] """ 
@@ -9205,8 +9203,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. default_flow_tracker_type: Set the default flow tracker type. mlag_support: Can this node type support mlag. network_services: @@ -9604,8 +9600,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ default_flow_tracker_type: Literal["sampled", "hardware"] """ @@ -9759,8 +9753,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. default_flow_tracker_type: Set the default flow tracker type. mlag_support: Can this node type support mlag. network_services: @@ -22371,8 +22363,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -23071,8 +23061,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root 
@@ -25928,8 +25916,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -26637,8 +26623,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -29430,8 +29414,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -30141,8 +30123,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -33000,8 +32980,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ 
@@ -33709,8 +33687,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -43416,8 +43392,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -44116,8 +44090,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -46973,8 +46945,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -47682,8 +47652,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root 
@@ -50475,8 +50443,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -51186,8 +51152,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -54045,8 +54009,6 @@ class L3Interfaces(AvdIndexedList[str, L3InterfacesItem]): `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. """ cv_pathfinder_transit_mode: Literal["region", "zone"] | None """ @@ -54754,8 +54716,6 @@ def __init__( `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: Configure the transit mode for a WAN client for CV Pathfinder designs only when the `wan_mode` root @@ -55299,6 +55259,7 @@ def __init__( "wan_route_servers": {"type": WanRouteServers}, "wan_stun_dtls_disable": {"type": bool, "default": False}, "wan_stun_dtls_profile_name": {"type": str, "default": "STUN-DTLS"}, + "wan_use_evpn_node_settings_for_lan": {"type": bool, "default": False}, "wan_virtual_topologies": {"type": WanVirtualTopologies}, "zscaler_endpoints": {"type": ZscalerEndpoints}, "_custom_data": {"type": dict}, 
@@ -57056,6 +57017,18 @@ def __init__( Default value: `"STUN-DTLS"` """ + wan_use_evpn_node_settings_for_lan: bool + """ + PREVIEW: This key is currently not supported + When true, `eos_designs` will use + `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side on WAN devices. + Otherwise these will be ignored for WAN. + This will be the default in AVD version 6.0.0 and this + option will be removed. + + Default value: `False` + """ wan_virtual_topologies: WanVirtualTopologies """ Configure Virtual Topologies for CV Pathfinder and AutoVPN. @@ -57276,6 +57249,7 @@ def __init__( wan_route_servers: WanRouteServers | UndefinedType = Undefined, wan_stun_dtls_disable: bool | UndefinedType = Undefined, wan_stun_dtls_profile_name: str | UndefinedType = Undefined, + wan_use_evpn_node_settings_for_lan: bool | UndefinedType = Undefined, wan_virtual_topologies: WanVirtualTopologies | UndefinedType = Undefined, zscaler_endpoints: ZscalerEndpoints | UndefinedType = Undefined, _custom_data: dict[str, Any] | UndefinedType = Undefined, @@ -58529,6 +58503,14 @@ def __init__( Name of the SSL profile used for DTLS on WAN STUN connections. When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers. + wan_use_evpn_node_settings_for_lan: + PREVIEW: This key is currently not supported + When true, `eos_designs` will use + `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side on WAN devices. + Otherwise these will be ignored for WAN. + This will be the default in AVD version 6.0.0 and this + option will be removed. wan_virtual_topologies: Configure Virtual Topologies for CV Pathfinder and AutoVPN. Auto create a control plane diff --git a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml index db3774dc129..81cdd3cfcec 100644 --- a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml 
+++ b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml @@ -2580,9 +2580,6 @@ keys: `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. - ' default_flow_tracker_type: type: str @@ -4947,6 +4944,20 @@ keys: When using automatic ceritficate deployment via CloudVision this name must be the same on all WAN routers.' + wan_use_evpn_node_settings_for_lan: + type: bool + documentation_options: + table: wan-settings + default: false + description: 'PREVIEW: This key is currently not supported + + When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and + `vtep` + + node settings for LAN side on WAN devices. Otherwise these will be ignored for + WAN. + + This will be the default in AVD version 6.0.0 and this option will be removed.' wan_virtual_topologies: type: dict description: 'Configure Virtual Topologies for CV Pathfinder and AutoVPN. @@ -9323,10 +9334,7 @@ $defs: That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. - `server` indicates that the router is a route-reflector. - - - Only supported if `overlay_routing_protocol` is set to `ibgp`.' + `server` indicates that the router is a route-reflector.' cv_pathfinder_transit_mode: documentation_options: table: node-type-wan-configuration diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml index f00202794a3..42440ef6f3e 100644 --- a/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_node_type.schema.yml 
@@ -508,9 +508,9 @@ $defs: documentation_options: table: node-type-bgp-configuration description: |- - BGP AS <1-4294967295> or AS number in asdot notation "<1-65535>.<0-65535>". - For asdot notation in YAML inputs, the value must be put in quotes, to prevent it from being interpreted as a float number. - Required with eBGP. + BGP AS <1-4294967295> or AS number in asdot notation "<1-65535>.<0-65535>". + For asdot notation in YAML inputs, the value must be put in quotes, to prevent it from being interpreted as a float number. + Required with eBGP. type: str convert_types: - int @@ -1284,8 +1284,6 @@ $defs: This is used both for AutoVPN and Pathfinder designs. That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. cv_pathfinder_transit_mode: documentation_options: table: node-type-wan-configuration diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml index 239453dd715..5849ba031c9 100644 --- a/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/node_type_keys.schema.yml @@ -123,8 +123,6 @@ keys: This is used both for AutoVPN and Pathfinder designs. That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. - - Only supported if `overlay_routing_protocol` is set to `ibgp`. default_flow_tracker_type: type: str valid_values: diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml new file mode 100644 index 00000000000..671ce461632 --- /dev/null 
+++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/wan_use_evpn_node_settings_for_lan.schema.yml @@ -0,0 +1,19 @@ +# Copyright (c) 2023-2024 Arista Networks, Inc. +# Use of this source code is governed by the Apache License 2.0 +# that can be found in the LICENSE file. +# yaml-language-server: $schema=../../../_schema/avd_meta_schema.json +# Line above is used by RedHat's YAML Schema vscode extension +# Use Ctrl + Space to get suggestions for every field. Autocomplete will pop up after typing 2 letters. +type: dict +keys: + wan_use_evpn_node_settings_for_lan: + type: bool + # TODO: AVD 6.0.0 remove this + documentation_options: + table: wan-settings + default: false + description: |- + PREVIEW: This key is currently not supported + When true, `eos_designs` will use `overlay_routing_protocol`, `evpn_role` and `vtep` + node settings for LAN side on WAN devices. Otherwise these will be ignored for WAN. + This will be the default in AVD version 6.0.0 and this option will be removed. diff --git a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py index b6958109dac..b712ce741cf 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/filtered_tenants.py @@ -66,12 +66,9 @@ def filtered_tenants(self: SharedUtils) -> EosDesigns._DynamicKeys.DynamicNetwor for tenant in filtered_tenants: if "default" not in tenant.vrfs: continue - if "evpn" not in tenant.vrfs["default"].address_families: - msg = "WAN configuration requires EVPN to be enabled for VRF 'default'. Got 'address_families: {vrf_default['address_families']}." - raise AristaAvdError(msg) if self.inputs.underlay_filter_peer_as: msg = "WAN configuration is not compatible with 'underlay_filter_peer_as'" - raise AristaAvdError + raise AristaAvdError(msg) break return filtered_tenants._natural_sorted() 
@@ -421,6 +418,7 @@ def bgp_enabled_for_vrf(self: SharedUtils, vrf: EosDesigns._DynamicKeys.DynamicN Otherwise we will autodetect: - If the VRF is part of an overlay we will configure BGP for it. + - If the VRF is on a WAN router, we will configure BGP for it. - If any BGP peers are configured we will configure BGP for it. - If uplink type is p2p_vrfs and the vrf is included in uplink VRFs. """ @@ -433,5 +431,6 @@ def bgp_enabled_for_vrf(self: SharedUtils, vrf: EosDesigns._DynamicKeys.DynamicN vrf_address_families, vrf.bgp_peers, (self.uplink_type == "p2p-vrfs" and vrf.name in (self.get_switch_fact("uplink_switch_vrfs", required=False) or [])), + self.is_wan_vrf(vrf), ] ) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/node_type.py b/python-avd/pyavd/_eos_designs/shared_utils/node_type.py index 3db118131e5..95487621f5c 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/node_type.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/node_type.py @@ -137,4 +137,7 @@ def vtep(self: SharedUtils) -> bool: .nodes.[].vtep and node_type_keys..vtep. """ + if self.is_wan_router and not self.inputs.wan_use_evpn_node_settings_for_lan: + # For WAN routers without the knob, vtep should be ignored. + return False return default(self.node_config.vtep, self.node_type_key_data.vtep) diff --git a/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py b/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py index fd5d74c041e..af161f74ca1 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/node_type_keys.py @@ -149,6 +149,7 @@ "default_evpn_role": "server", "cv_tags_topology_type": "spine", }, + # TODO: AVD 6.0 change default overlay_routing_protocol and evpn_role to none for wan_router and wan_rr. { "key": "wan_router", "type": "wan_router", 
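Review bot: `self.is_wan_vrf(vrf)` is added as one more element of the list in `bgp_enabled_for_vrf`, so it is evaluated on every call, even when an earlier element already decides the result. The wan.py hunk in this commit shows `is_wan_vrf` raising `AristaAvdInvalidInputsError` for a VRF that has `evpn` in `address_families` but is not a WAN VRF, so this predicate can now abort the run as a side effect. The docstring bullet added in the first hunk, `- If the VRF is on a WAN router, we will configure BGP for it.`, is also broader than the code, since `is_wan_vrf` is true only for VRFs listed under `wan_virtual_topologies.vrfs` or named `default`. I would reword it to `- If the VRF is a WAN VRF (listed under wan_virtual_topologies, or 'default') on a WAN router, we will configure BGP for it.` and mention the raise. The opening of the expression is outside the hunk, so the enclosing call is inferred.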
diff --git a/python-avd/pyavd/_eos_designs/shared_utils/overlay.py b/python-avd/pyavd/_eos_designs/shared_utils/overlay.py index 74af539aa46..e9778d8131c 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/overlay.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/overlay.py @@ -33,6 +33,9 @@ def vtep_loopback(self: SharedUtils) -> str: def evpn_role(self: SharedUtils) -> str | None: if self.underlay_router: default_evpn_role = self.node_type_key_data.default_evpn_role + if self.is_wan_router and not self.inputs.wan_use_evpn_node_settings_for_lan: + # For WAN routers without the knob, evpn_role should be ignored. + return None return default(self.node_config.evpn_role, default_evpn_role) return None diff --git a/python-avd/pyavd/_eos_designs/shared_utils/routing.py b/python-avd/pyavd/_eos_designs/shared_utils/routing.py index af2c522ad5d..bd6358da038 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/routing.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/routing.py @@ -29,6 +29,9 @@ def underlay_routing_protocol(self: SharedUtils) -> str: @cached_property def overlay_routing_protocol(self: SharedUtils) -> str: default_overlay_routing_protocol = self.node_type_key_data.default_overlay_routing_protocol + if self.is_wan_router and not self.inputs.wan_use_evpn_node_settings_for_lan: + # For WAN routers without the knob, overlay_routing_protocol should be ignored. + return None return (self.inputs.overlay_routing_protocol or default_overlay_routing_protocol).lower() @cached_property diff --git a/python-avd/pyavd/_eos_designs/shared_utils/wan.py b/python-avd/pyavd/_eos_designs/shared_utils/wan.py index ba94441bb4c..17109572536 100644 --- a/python-avd/pyavd/_eos_designs/shared_utils/wan.py +++ b/python-avd/pyavd/_eos_designs/shared_utils/wan.py 
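Review bot: `overlay_routing_protocol` in routing.py is still annotated `-> str`, but the added branch returns `None` for WAN routers when `wan_use_evpn_node_settings_for_lan` is false. The signature should become `def overlay_routing_protocol(self: SharedUtils) -> str | None:`. Callers that compare against the string, such as `overlay_routing_protocol != "none"` in `_router_bgp_redistribute_routes`, will treat `None` as different from `"none"`, so each such comparison should be checked for this case. The early return could also move above the `default_overlay_routing_protocol` lookup, which is unused on that path; the same applies to `default_evpn_role` in the `evpn_role` hunk of shared_utils/overlay.py.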
@@ -30,17 +30,7 @@ def wan_role(self: SharedUtils) -> str | None: return None default_wan_role = self.node_type_key_data.default_wan_role - wan_role = self.node_config.wan_role or default_wan_role - if wan_role is not None and self.overlay_routing_protocol != "ibgp": - msg = "Only 'ibgp' is supported as 'overlay_routing_protocol' for WAN nodes." - raise AristaAvdError(msg) - if wan_role == "server" and self.evpn_role != "server": - msg = "'wan_role' server requires 'evpn_role' server." - raise AristaAvdError(msg) - if wan_role == "client" and self.evpn_role != "client": - msg = "'wan_role' client requires 'evpn_role' client." - raise AristaAvdError(msg) - return wan_role + return self.node_config.wan_role or default_wan_role @cached_property def is_wan_router(self: SharedUtils) -> bool: @@ -592,3 +582,22 @@ def wan_stun_dtls_profile_name(self: SharedUtils) -> str | None: return None return self.inputs.wan_stun_dtls_profile_name + + def is_wan_vrf(self: SharedUtils, vrf: EosDesigns._DynamicKeys.DynamicNetworkServicesItem.NetworkServicesItem.VrfsItem) -> bool: + """Returns True is the VRF is a WAN VRF.""" + if not self.is_wan_router: + return False + + configured_as_wan_vrf = vrf.name in self.inputs.wan_virtual_topologies.vrfs or vrf.name == "default" + + # Old behavior where we rely on address_families. + if not self.inputs.wan_use_evpn_node_settings_for_lan and "evpn" in vrf.address_families and not configured_as_wan_vrf: + msg = ( + f"The VRF '{vrf.name}' does not have a `wan_vni` defined under 'wan_virtual_topologies'. " + "If this VRF was not intended to be extended over the WAN, but still required to be configured on the WAN router, " + "set 'address_families: []' under the VRF definition. If this VRF was not intended to be configured on the WAN router, " + "use the VRF filter 'deny_vrfs' under the node settings." + ) + raise AristaAvdInvalidInputsError(msg) + + return configured_as_wan_vrf 
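Review bot: `is_wan_vrf` reads as a predicate but raises `AristaAvdInvalidInputsError`, and it is a plain method that this commit calls from `bgp_enabled_for_vrf`, `_router_bgp_vrfs` and `_get_vxlan_interface_config_for_vrf`, so the validation runs several times per VRF and from whichever caller reaches it first. The docstring should say so and fix the typo, for example `"""Return True if the VRF is a WAN VRF. Raises AristaAvdInvalidInputsError for an EVPN VRF on a WAN router that is not one (legacy mode only)."""`. The error text speaks of a missing `wan_vni`, while the test is membership of `vrf.name` in `wan_virtual_topologies.vrfs`; the message or the check should be aligned.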
diff --git a/python-avd/pyavd/_eos_designs/structured_config/base/utils.py b/python-avd/pyavd/_eos_designs/structured_config/base/utils.py index 721d679c8e6..f12f893be44 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/base/utils.py +++ b/python-avd/pyavd/_eos_designs/structured_config/base/utils.py @@ -66,7 +66,7 @@ def _router_bgp_redistribute_routes(self: AvdStructuredConfigBase) -> dict | Non if not (self.shared_utils.underlay_bgp or self.shared_utils.is_wan_router or self.shared_utils.l3_interfaces_bgp_neighbors): return None - if self.shared_utils.overlay_routing_protocol != "none" and self.inputs.underlay_filter_redistribute_connected: + if (self.shared_utils.overlay_routing_protocol != "none" or self.shared_utils.is_wan_router) and self.inputs.underlay_filter_redistribute_connected: # Use route-map for redistribution return {"connected": {"enabled": True, "route_map": "RM-CONN-2-BGP"}} diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py index 1dbbefc7e8a..b95147440b1 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/router_bgp.py 
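Review bot: The test `(overlay_routing_protocol != "none" or is_wan_router) and underlay_filter_redistribute_connected` is now spelled out here, again in `underlay/route_maps.py`, and in negated form in `underlay/prefix_lists.py`. This function emits a reference to `RM-CONN-2-BGP` and the other two presumably build the route-map and the prefix lists it matches, so the three conditions have to stay identical or the reference and its definition diverge. A single property on `shared_utils` consumed by all three would remove that risk. `_router_bgp_redistribute_routes` continues outside this hunk.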
@@ -149,23 +149,23 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: if not self.shared_utils.bgp_enabled_for_vrf(vrf): continue - vrf_name = vrf.name - bgp_vrf = strip_empties_from_dict( - { - "eos_cli": vrf.bgp.raw_eos_cli, - } - ) + bgp_vrf = strip_empties_from_dict({"eos_cli": vrf.bgp.raw_eos_cli}) if vrf.bgp.structured_config: - self.custom_structured_configs.nested.router_bgp.vrfs.obtain(vrf_name)._deepmerge( + self.custom_structured_configs.nested.router_bgp.vrfs.obtain(vrf.name)._deepmerge( vrf.bgp.structured_config, list_merge=self.custom_structured_configs.list_merge_strategy ) - if vrf_address_families := [af for af in vrf.address_families if af in self.shared_utils.overlay_address_families]: + vrf_address_families = {af for af in vrf.address_families if af in self.shared_utils.overlay_address_families} + if self.shared_utils.is_wan_vrf(vrf): + # If the VRF is a WAN VRF, EVPN RTs are needed. + vrf_address_families.add("evpn") + + if vrf_address_families: # The called function in-place updates the bgp_vrf dict. self._update_router_bgp_vrf_evpn_or_mpls_cfg(bgp_vrf, vrf, vrf_address_families) - if vrf_name != "default": + if vrf.name != "default": bgp_vrf["router_id"] = self.get_vrf_router_id(vrf, vrf.bgp.router_id, tenant.name) if vrf.redistribute_connected: @@ -175,7 +175,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: if vrf.redistribute_static or (vrf.static_routes and vrf.redistribute_static is None): bgp_vrf["redistribute"].update({"static": {"enabled": True}}) - if self.shared_utils.inband_mgmt_vrf == vrf_name and self.shared_utils.inband_management_parent_vlans: + if self.shared_utils.inband_mgmt_vrf == vrf.name and self.shared_utils.inband_management_parent_vlans: bgp_vrf["redistribute"].update({"attached_host": {"enabled": True}}) else: 
@@ -186,7 +186,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: append_if_not_duplicate( list_of_dicts=router_bgp["vrfs"], primary_key="name", - new_dict={"name": vrf_name, **bgp_vrf}, + new_dict={"name": vrf.name, **bgp_vrf}, context="BGP VRFs defined under network services", context_keys=["name"], ) @@ -228,7 +228,7 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: ) if bgp_peer.set_ipv4_next_hop or bgp_peer.set_ipv6_next_hop: - route_map = f"RM-{vrf_name}-{peer_ip}-SET-NEXT-HOP-OUT" + route_map = f"RM-{vrf.name}-{peer_ip}-SET-NEXT-HOP-OUT" bgp_peer_dict["route_map_out"] = route_map if bgp_peer_dict.get("default_originate") is not None: bgp_peer_dict["default_originate"].setdefault("route_map", route_map) @@ -262,14 +262,14 @@ def _router_bgp_vrfs(self: AvdStructuredConfigNetworkServices) -> dict: if not bgp_vrf: continue - if vrf_name == "default": + if vrf.name == "default": # VRF default is added directly under router_bgp router_bgp.update(bgp_vrf) else: append_if_not_duplicate( list_of_dicts=router_bgp["vrfs"], primary_key="name", - new_dict={"name": vrf_name, **bgp_vrf}, + new_dict={"name": vrf.name, **bgp_vrf}, context="BGP VRFs defined under network services", context_keys=["name"], ) 
@@ -279,15 +279,14 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( self: AvdStructuredConfigNetworkServices, bgp_vrf: dict, vrf: EosDesigns._DynamicKeys.DynamicNetworkServicesItem.NetworkServicesItem.VrfsItem, - vrf_address_families: list[str], + vrf_address_families: set[str], ) -> None: """In-place update EVPN/MPLS part of structured config for *one* VRF under router_bgp.vrfs.""" - vrf_name = vrf.name bgp_vrf["rd"] = self.get_vrf_rd(vrf) vrf_rt = self.get_vrf_rt(vrf) route_targets = {"import": [], "export": []} - for af in vrf_address_families: + for af in sorted(vrf_address_families): if (target := get_item(route_targets["import"], "address_family", af)) is None: route_targets["import"].append({"address_family": af, "route_targets": [vrf_rt]}) else: @@ -306,7 +305,7 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( else: target["route_targets"].append(rt.route_target) - if vrf_name == "default" and self._vrf_default_evpn and self._route_maps_vrf_default: + if vrf.name == "default" and self._vrf_default_evpn and self._route_maps_vrf_default: # Special handling of vrf default with evpn. if (target := get_item(route_targets["export"], "address_family", "evpn")) is None: @@ -317,7 +316,7 @@ def _update_router_bgp_vrf_evpn_or_mpls_cfg( bgp_vrf["route_targets"] = route_targets # VRF default - if vrf_name == "default": + if vrf.name == "default": return # Not VRF default diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py index e6113514373..f288032808f 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py 
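Review bot: Iterating `sorted(vrf_address_families)` changes the order of the `route_targets` entries from the order given in the VRF's `address_families` to alphabetical, and it does so for every device, not only WAN routers. An inventory that lists the families in another order may therefore show a diff in its intended structured config after this commit. If that is accepted, a comment on the loop such as `# Sorted because vrf_address_families is a set; keeps the generated output deterministic.` would record why the order is no longer the user's.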
@@ -35,7 +35,9 @@ def _local_endpoint_trunk_groups(self: AvdStructuredConfigNetworkServices) -> se @cached_property def _vrf_default_evpn(self: AvdStructuredConfigNetworkServices) -> bool: """Return boolean telling if VRF "default" is running EVPN or not.""" - if not (self.shared_utils.network_services_l3 and self.shared_utils.overlay_vtep and self.shared_utils.overlay_evpn): + if not ( + self.shared_utils.network_services_l3 and ((self.shared_utils.overlay_vtep and self.shared_utils.overlay_evpn) or self.shared_utils.is_wan_router) + ): return False for tenant in self.shared_utils.filtered_tenants: @@ -102,7 +104,7 @@ def _vrf_default_ipv4_static_routes(self: AvdStructuredConfigNetworkServices) -> vrf_default_redistribute_static = default(tenant.vrfs["default"].redistribute_static, vrf_default_redistribute_static) - if self.shared_utils.overlay_evpn and self.shared_utils.overlay_vtep: + if (self.shared_utils.overlay_evpn and self.shared_utils.overlay_vtep) or self.shared_utils.is_wan_router: # This is an EVPN VTEP redistribute_in_underlay = False redistribute_in_overlay = vrf_default_redistribute_static and vrf_default_ipv4_static_routes diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py index abab779eebd..af6709c155d 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py +++ b/python-avd/pyavd/_eos_designs/structured_config/network_services/vxlan_interface.py 
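Review bot: The comment `# This is an EVPN VTEP` under the changed condition in `_vrf_default_ipv4_static_routes` no longer describes the branch, which is now also taken for any WAN router, including one for which `vtep` returns False after this commit. Suggest `# This is an EVPN VTEP or a WAN router`. The same compound test is written in `_vrf_default_evpn` in the hunk above with the operands in the opposite order; using one spelling in both places would make it easier to see that they are meant to agree.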
@@ -154,26 +154,15 @@ def _get_vxlan_interface_config_for_vrf( context_keys=["id", "vni"], ) - if self.shared_utils.network_services_l3 and self.shared_utils.overlay_evpn_vxlan: + if self.shared_utils.network_services_l3 and (self.shared_utils.overlay_evpn_vxlan or self.shared_utils.is_wan_router): vrf_name = vrf.name + is_wan_vrf = self.shared_utils.is_wan_vrf(vrf) # Only configure VNI for VRF if the VRF is EVPN enabled - if "evpn" not in vrf.address_families: + if "evpn" not in vrf.address_families and not is_wan_vrf: return - if self.shared_utils.is_wan_router: - # Every VRF with EVPN on a WAN router must have a wan_vni defined. - if vrf_name not in self._filtered_wan_vrfs: - msg = ( - f"The VRF '{vrf_name}' does not have a `wan_vni` defined under 'wan_virtual_topologies'. " - "If this VRF was not intended to be extended over the WAN, but still required to be configured on the WAN router, " - "set 'address_families: []' under the VRF definition. If this VRF was not intended to be configured on the WAN router, " - "use the VRF filter 'deny_vrfs' under the node settings." - ) - raise AristaAvdInvalidInputsError(msg) - vni = self._filtered_wan_vrfs[vrf_name].wan_vni - else: - vni = default(vrf.vrf_vni, vrf.vrf_id) + vni = self._filtered_wan_vrfs[vrf_name].wan_vni if is_wan_vrf else default(vrf.vrf_vni, vrf.vrf_id) if vni is None: # Silently ignore if we cannot set a VNI diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py index 76847d0499a..060d8bd9283 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/ip_extcommunity_lists.py 
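Review bot: `self._filtered_wan_vrfs[vrf_name].wan_vni` is now indexed on the strength of `is_wan_vrf`, which tests `vrf.name in self.inputs.wan_virtual_topologies.vrfs or vrf.name == "default"`, a different collection from `_filtered_wan_vrfs`. The removed code checked `vrf_name not in self._filtered_wan_vrfs` before indexing and raised `AristaAvdInvalidInputsError`. If the two collections can differ (the definition of `_filtered_wan_vrfs` is not in this diff), a missing key would now surface as a raw lookup error instead of an input error. Either keep a guard such as `if is_wan_vrf and vrf_name not in self._filtered_wan_vrfs:` that raises the input error, or have `is_wan_vrf` test the same collection. The function starts outside this hunk.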
@@ -22,13 +22,13 @@ class IpExtCommunityListsMixin(UtilsMixin): @cached_property def ip_extcommunity_lists(self: AvdStructuredConfigOverlay) -> list | None: """Return structured config for ip_extcommunity_lists.""" - if self.shared_utils.overlay_routing_protocol != "ibgp": + if self.shared_utils.overlay_routing_protocol != "ibgp" and not self.shared_utils.is_wan_router: return None if self.shared_utils.evpn_role == "server" and not self.shared_utils.is_wan_router: return None - if self.shared_utils.overlay_vtep: + if self.shared_utils.overlay_vtep or self.shared_utils.is_wan_router: return [ { "name": "ECL-EVPN-SOO", diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py index df7e11c796c..ae3848e9729 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/route_maps.py @@ -51,7 +51,9 @@ def route_maps(self: AvdStructuredConfigOverlay) -> list | None: }, ) - elif self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server": + elif ( + self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.overlay_vtep and self.shared_utils.evpn_role != "server" + ) or self.shared_utils.is_wan_client: # Route-map IN and OUT for SOO route_maps.append( { diff --git a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py index c34abe424ce..8e6aba0820d 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/overlay/router_bgp.py 
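Review bot: In `overlay/route_maps.py` the SOO route-maps for WAN are created under `is_wan_client`, whereas `_address_family_evpn` in `overlay/router_bgp.py` references `RM-EVPN-SOO-IN` and `RM-EVPN-SOO-OUT` under `self.shared_utils.wan_role != "server"`. If those two predicates can ever differ, the address family would point at route-maps that were never generated. The WAN case is also attached to an `elif`, so it is skipped whenever the preceding branch, which is outside this hunk, is taken. Using `is_wan_client` in both files and giving the WAN case its own `if` would make reference and definition follow one condition.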
@@ -52,9 +52,10 @@ def router_bgp(self: AvdStructuredConfigOverlay) -> dict | None: return strip_empties_from_dict(router_bgp, strip_values_tuple=(None, "")) def _bgp_cluster_id(self: AvdStructuredConfigOverlay) -> str | None: - if self.shared_utils.overlay_routing_protocol == "ibgp" and ( - self.shared_utils.evpn_role == "server" or self.shared_utils.mpls_overlay_role == "server" - ): + if ( + self.shared_utils.overlay_routing_protocol == "ibgp" + and (self.shared_utils.evpn_role == "server" or self.shared_utils.mpls_overlay_role == "server") + ) or self.shared_utils.is_wan_server: return default(self.shared_utils.node_config.bgp_cluster_id, self.shared_utils.router_id) return None 
@@ -132,35 +133,38 @@ def _peer_groups(self: AvdStructuredConfigOverlay) -> list | None: peer_groups.append(mpls_peer_group) - if self.shared_utils.overlay_evpn_vxlan is True: + # TODO: AVD 6.0.0 remove the check for WAN routers. + if self.shared_utils.overlay_evpn_vxlan is True and (not self.shared_utils.is_wan_router or self.inputs.wan_use_evpn_node_settings_for_lan): peer_group_config = {"remote_as": self.shared_utils.bgp_as} - if self.shared_utils.is_wan_router: - # WAN OVERLAY peer group - peer_group_config["ttl_maximum_hops"] = self.inputs.bgp_peer_groups.wan_overlay_peers.ttl_maximum_hops - if self.shared_utils.is_wan_server: - peer_group_config["route_reflector_client"] = True - peer_group_config["bfd_timers"] = self.inputs.bgp_peer_groups.wan_overlay_peers.bfd_timers._as_dict(include_default_values=True) - peer_groups.append( - { - **self._generate_base_peer_group("wan", "wan_overlay_peers", update_source=self.shared_utils.vtep_loopback), - **peer_group_config, - }, - ) - else: - # EVPN OVERLAY peer group - also in EBGP.. - if self.shared_utils.evpn_role == "server": - peer_group_config["route_reflector_client"] = True - peer_groups.append( - { - **self._generate_base_peer_group("evpn", "evpn_overlay_peers"), - **peer_group_config, - }, - ) + # EVPN OVERLAY peer group - also in EBGP.. 
+ if self.shared_utils.evpn_role == "server": + peer_group_config["route_reflector_client"] = True + peer_groups.append( + { + **self._generate_base_peer_group("evpn", "evpn_overlay_peers"), + **peer_group_config, + }, + ) # RR Overlay peer group rendered either for MPLS route servers if self._is_mpls_server is True: peer_groups.append({**self._generate_base_peer_group("mpls", "rr_overlay_peers"), "remote_as": self.shared_utils.bgp_as}) + # Always render the WAN routers + # TODO: probably should move from overlay + if self.shared_utils.is_wan_router: + # WAN OVERLAY peer group only is supported iBGP + peer_group_config = {"remote_as": self.shared_utils.bgp_as, "ttl_maximum_hops": self.inputs.bgp_peer_groups.wan_overlay_peers.ttl_maximum_hops} + if self.shared_utils.is_wan_server: + peer_group_config["route_reflector_client"] = True + peer_group_config["bfd_timers"] = self.inputs.bgp_peer_groups.wan_overlay_peers.bfd_timers._as_dict(include_default_values=True) + peer_groups.append( + { + **self._generate_base_peer_group("wan", "wan_overlay_peers", update_source=self.shared_utils.vtep_loopback), + **peer_group_config, + }, + ) + if self._is_wan_server_with_peers: wan_rr_overlay_peer_group = self._generate_base_peer_group("wan", "wan_rr_overlay_peers", update_source=self.shared_utils.vtep_loopback) wan_rr_overlay_peer_group.update( @@ -191,6 +195,8 @@ def _address_family_ipv4(self: AvdStructuredConfigOverlay) -> dict: if self.shared_utils.is_wan_router: peer_groups.append({"name": self.inputs.bgp_peer_groups.wan_overlay_peers.name, "activate": False}) + if self._is_wan_server_with_peers: + peer_groups.append({"name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, "activate": False}) # TODO: no elif elif self.shared_utils.overlay_evpn_vxlan is True: 
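Review bot: The two comments introducing the new WAN block in `_peer_groups` are hard to parse: `# Always render the WAN routers` and `# WAN OVERLAY peer group only is supported iBGP`. Suggested wording: `# Always render the WAN overlay peer group on WAN routers, regardless of the EVPN overlay settings.` and `# The WAN overlay peer group only supports iBGP, hence remote_as is the local AS.` The second one matters more now that the `'ibgp'`-only check has been removed from `wan_role`, since this comment is the remaining statement of that assumption.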
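Review bot: In `_address_family_ipv4` the EVPN branch is still an `elif` of `if self.shared_utils.is_wan_router:`, while `_peer_groups` now creates the EVPN overlay peer group on a WAN router when `wan_use_evpn_node_settings_for_lan` is set. If that `elif` body (outside this hunk) is what sets `activate: False` for `evpn_overlay_peers`, the peer group would be left without it in the IPv4 address family on such a router. The added `# TODO: no elif` points at this; mirroring the `_peer_groups` guard would close it now: `if self.shared_utils.overlay_evpn_vxlan is True and (not self.shared_utils.is_wan_router or self.inputs.wan_use_evpn_node_settings_for_lan):`.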
@@ -208,9 +214,6 @@ def _address_family_ipv4(self: AvdStructuredConfigOverlay) -> dict: if self._is_mpls_server is True: peer_groups.append({"name": self.inputs.bgp_peer_groups.rr_overlay_peers.name, "activate": False}) - if self._is_wan_server_with_peers: - peer_groups.append({"name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, "activate": False}) - if self.shared_utils.overlay_ipvpn_gateway is True: peer_groups.append({"name": self.inputs.bgp_peer_groups.ipvpn_gateway_peers.name, "activate": False}) @@ -222,15 +225,23 @@ def _address_family_evpn(self: AvdStructuredConfigOverlay) -> dict | None: peer_groups = [] overlay_peer_group = {} + if self.shared_utils.is_wan_router: + wan_overlay_peer_group = { + "name": self.inputs.bgp_peer_groups.wan_overlay_peers.name, + "activate": True, + "encapsulation": self.inputs.wan_encapsulation, + } + if self.shared_utils.wan_role != "server": + wan_overlay_peer_group.update( + { + "route_map_in": "RM-EVPN-SOO-IN", + "route_map_out": "RM-EVPN-SOO-OUT", + }, + ) + peer_groups.append(wan_overlay_peer_group) + if self.shared_utils.overlay_evpn_vxlan is True: - if self.shared_utils.is_wan_router: - overlay_peer_group = { - "name": self.inputs.bgp_peer_groups.wan_overlay_peers.name, - "activate": True, - "encapsulation": self.inputs.wan_encapsulation, - } - else: - overlay_peer_group = {"name": self.inputs.bgp_peer_groups.evpn_overlay_peers.name, "activate": True} + overlay_peer_group = {"name": self.inputs.bgp_peer_groups.evpn_overlay_peers.name, "activate": True} if self.shared_utils.overlay_routing_protocol == "ebgp": if self.shared_utils.node_config.evpn_gateway.evpn_l2.enabled or self.shared_utils.node_config.evpn_gateway.evpn_l3.enabled: 
@@ -261,6 +272,7 @@ def _address_family_evpn(self: AvdStructuredConfigOverlay) -> dict | None: if self._is_mpls_server is True: peer_groups.append({"name": self.inputs.bgp_peer_groups.rr_overlay_peers.name, "activate": True}) + # TODO: this is written for matching either evpn_mpls or evpn_vlxan based for iBGP see if we cannot make this better. if self.shared_utils.overlay_vtep is True and self.shared_utils.evpn_role != "server" and overlay_peer_group: overlay_peer_group.update( { @@ -268,16 +280,6 @@ def _address_family_evpn(self: AvdStructuredConfigOverlay) -> dict | None: "route_map_out": "RM-EVPN-SOO-OUT", }, ) - - if self._is_wan_server_with_peers: - peer_groups.append( - { - "name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, - "activate": True, - "encapsulation": self.inputs.wan_encapsulation, - } - ) - if overlay_peer_group: peer_groups.append(overlay_peer_group) @@ -304,6 +306,15 @@ def _address_family_evpn(self: AvdStructuredConfigOverlay) -> dict | None: if self.shared_utils.is_wan_server: address_family_evpn["next_hop"] = {"resolution_disabled": True} + if self._is_wan_server_with_peers: + peer_groups.append( + { + "name": self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, + "activate": True, + "encapsulation": self.inputs.wan_encapsulation, + } + ) + # Activitating HA iBGP session for WAN HA if self.shared_utils.wan_ha: address_family_evpn["neighbor_default"] = { @@ -484,10 +495,7 @@ def _create_neighbor( ), } - if self.shared_utils.overlay_routing_protocol == "ebgp": - if remote_as is None: - msg = "Configuring eBGP neighbor without a remote_as" - raise AristaAvdError(msg) + if remote_as is not None: neighbor["remote_as"] = remote_as if self.inputs.shutdown_bgp_towards_undeployed_peers and name in self._avd_overlay_peers: 
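Review bot: Removing the eBGP check in `_create_neighbor` means a neighbor built with `remote_as=None` while `overlay_routing_protocol` is `ebgp` is now emitted without `remote_as` instead of failing the run, so a peer with a missing AS yields a config that only breaks on the device. The WAN call sites in `_neighbors` pass no `remote_as` and need the relaxed path, so the guard cannot simply stay here. It could move to the eBGP call sites, or `_create_neighbor` could take a keyword flag that those call sites set and that restores the `Configuring eBGP neighbor without a remote_as` error. `_create_neighbor` begins and ends outside this hunk.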
@@ -592,43 +600,43 @@ def _neighbors(self: AvdStructuredConfigOverlay) -> list | None: ) neighbors.append(neighbor) - if self.shared_utils.is_wan_client: - if not self._ip_in_listen_ranges(self.shared_utils.vtep_ip, self.shared_utils.wan_listen_ranges): - msg = f"{self.shared_utils.vtep_loopback} IP {self.shared_utils.vtep_ip} is not in the Route Reflector listen range prefixes" - raise AristaAvdError(msg) - for wan_route_server in self.shared_utils.filtered_wan_route_servers: - neighbor = self._create_neighbor( - wan_route_server.vtep_ip, - wan_route_server.hostname, - self.inputs.bgp_peer_groups.wan_overlay_peers.name, - overlay_peering_interface=self.shared_utils.vtep_loopback, - ) - neighbors.append(neighbor) + if self.shared_utils.is_wan_client: + if not self._ip_in_listen_ranges(self.shared_utils.vtep_ip, self.shared_utils.wan_listen_ranges): + msg = f"{self.shared_utils.vtep_loopback} IP {self.shared_utils.vtep_ip} is not in the Route Reflector listen range prefixes" + raise AristaAvdError(msg) + for wan_route_server in self.shared_utils.filtered_wan_route_servers: + neighbor = self._create_neighbor( + wan_route_server.vtep_ip, + wan_route_server.hostname, + self.inputs.bgp_peer_groups.wan_overlay_peers.name, + overlay_peering_interface=self.shared_utils.vtep_loopback, + ) + neighbors.append(neighbor) - if self.shared_utils.wan_ha: - neighbor = { - "ip_address": self._wan_ha_peer_vtep_ip(), - "peer": self.shared_utils.wan_ha_peer, - "description": self.shared_utils.wan_ha_peer, - "remote_as": self.shared_utils.bgp_as, - "update_source": "Dps1", - "route_reflector_client": True, - "send_community": "all", - "route_map_in": "RM-WAN-HA-PEER-IN", - "route_map_out": "RM-WAN-HA-PEER-OUT", - } - neighbors.append(neighbor) + if self.shared_utils.wan_ha: + neighbor = { + "ip_address": self._wan_ha_peer_vtep_ip(), + "peer": self.shared_utils.wan_ha_peer, + "description": self.shared_utils.wan_ha_peer, + "remote_as": self.shared_utils.bgp_as, + "update_source": "Dps1", 
+ "route_reflector_client": True, + "send_community": "all", + "route_map_in": "RM-WAN-HA-PEER-IN", + "route_map_out": "RM-WAN-HA-PEER-OUT", + } + neighbors.append(neighbor) - if self.shared_utils.is_wan_server: - # No neighbor configured on the `wan_overlay_peers` peer group as it is covered by listen ranges - for wan_route_server in self.shared_utils.filtered_wan_route_servers: - neighbor = self._create_neighbor( - wan_route_server.vtep_ip, - wan_route_server.hostname, - self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, - overlay_peering_interface=self.shared_utils.vtep_loopback, - ) - neighbors.append(neighbor) + elif self.shared_utils.is_wan_server: + # No neighbor configured on the `wan_overlay_peers` peer group as it is covered by listen ranges + for wan_route_server in self.shared_utils.filtered_wan_route_servers: + neighbor = self._create_neighbor( + wan_route_server.vtep_ip, + wan_route_server.hostname, + self.inputs.bgp_peer_groups.wan_rr_overlay_peers.name, + overlay_peering_interface=self.shared_utils.vtep_loopback, + ) + neighbors.append(neighbor) for ipvpn_gw_peer, data in natural_sort(self._ipvpn_gateway_remote_peers.items()): neighbor = self._create_neighbor( diff --git a/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py b/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py index 6c9930d25ca..376e64bca9a 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py +++ b/python-avd/pyavd/_eos_designs/structured_config/underlay/prefix_lists.py @@ -29,7 +29,7 @@ def prefix_lists(self: AvdStructuredConfigUnderlay) -> list | None: if self.shared_utils.underlay_bgp is not True and not self.shared_utils.is_wan_router: return None - if self.shared_utils.overlay_routing_protocol == "none": + if self.shared_utils.overlay_routing_protocol == "none" and not self.shared_utils.is_wan_router: return None if not self.inputs.underlay_filter_redistribute_connected: 
diff --git a/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py b/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py index 71b9da1e8c2..10841a02dff 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py +++ b/python-avd/pyavd/_eos_designs/structured_config/underlay/route_maps.py @@ -35,7 +35,7 @@ def route_maps(self: AvdStructuredConfigUnderlay) -> list | None: route_maps = [] - if self.shared_utils.overlay_routing_protocol != "none" and self.inputs.underlay_filter_redistribute_connected: + if (self.shared_utils.overlay_routing_protocol != "none" or self.shared_utils.is_wan_router) and self.inputs.underlay_filter_redistribute_connected: # RM-CONN-2-BGP sequence_10 = { "sequence": 10, diff --git a/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py b/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py index 3289ed049e9..cd55279c064 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py +++ b/python-avd/pyavd/_eos_designs/structured_config/underlay/router_bgp.py @@ -43,7 +43,7 @@ def router_bgp(self: AvdStructuredConfigUnderlay) -> dict | None: self.inputs.bgp_peer_groups.ipv4_underlay_peers.structured_config, list_merge=self.custom_structured_configs.list_merge_strategy ) - if self.shared_utils.overlay_routing_protocol == "ibgp" and self.shared_utils.is_cv_pathfinder_router: + if self.shared_utils.is_cv_pathfinder_router: peer_group["route_map_in"] = "RM-BGP-UNDERLAY-PEERS-IN" if self.shared_utils.wan_ha: peer_group["route_map_out"] = "RM-BGP-UNDERLAY-PEERS-OUT"