Feat(eos_cli_config_gen): Add support for ingress in system.control_plane.ipv4/6_access_group #4481
Conversation
github-actions
bot
added
role: eos_cli_config_gen
|
Review docs on Read the Docs To test this pull request: # Create virtual environment for this testing below the current directory
python -m venv test-avd-pr-4481
# Activate the virtual environment
source test-avd-pr-4481/bin/activate
# Install all requirements including PyAVD
pip install "pyavd[ansible] @ git+https://github.com/Vibhu-gslab/avd.git@ingress#subdirectory=python-avd" --force
# Point Ansible collections path to the Python virtual environment
export ANSIBLE_COLLECTIONS_PATH=$VIRTUAL_ENV/ansible_collections
# Install Ansible collection
ansible-galaxy collection install git+https://github.com/Vibhu-gslab/avd.git#/ansible_collections/arista/avd/,ingress --force
# Optional: Install AVD examples
cd test-avd-pr-4481
ansible-playbook arista.avd.install_examples |
Vibhu-gslab
changed the title
Vibhu-gslab
force-pushed
the
ingress
branch
from
c3a5661
to
b0e17eb
Compare
python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/system.schema.yml
Show resolved
Hide resolved
Vibhu-gslab
force-pushed
the
ingress
branch
2 times, most recently
from
ae22994
to
b6f6e0f
Compare
python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/system.schema.yml
Outdated
Show resolved
Hide resolved
…l_plane.ipv4/6_access_group
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
| {% set cp_ipv4_access_grp = "ip access-group " ~ acl_set.acl_name %} | ||
| {% if acl_set.vrf is arista.avd.defined %} | ||
| {% set cp_ipv4_access_grp = cp_ipv4_access_grp ~ " vrf " ~ acl_set.vrf %} | ||
| {% for acl_set in system.control_plane.ipv4_access_groups | arista.avd.natural_sort %} |
There was a problem hiding this comment.
can you fix the j2 template for vrf default and none case. So if vrf is default or none then we have to render the only last command.
Like from your example
ipv4_access_groups:
- acl_name: "acl4_1"
- acl_name: "acl4_3"
vrf: default
it should render the only below config:
ip access-group acl4_3 in
There was a problem hiding this comment.
We can as well optionally simply pick first IPv4 and IPv6 out of all with either "missing" VRF or those where it is set to default. EoS takes last line from overlapping commands pushed to conf or conf session because it simply overwrites previous ones. As we generate designed configuration state for the device - we should probably avoid generating commands which would be overwriting each other (although EoS would be OK with it).
| ip access-group acl4_3 vrf default in | ||
| ip access-group ingress default acl4_4 | ||
| ip access-group acl4_5 vrf red_3 in | ||
| ip access-group ingress vrf red_4 in |
There was a problem hiding this comment.
order is not correct
s1-leaf1(config-system-cp)#sh ac
system control-plane
tcp mss ceiling ipv4 1344 ipv6 1366
ip access-group ingress default acl4_4
ip access-group acl4_3 in
ip access-group acl4_2 vrf red in
ip access-group acl4_2 vrf red_1 in
ip access-group acl4_5 vrf red_3 in
ip access-group ingress vrf red_4 in
ipv6 access-group ingress default acl6_4
ipv6 access-group acl6_3 in
ipv6 access-group acl6_2 vrf blue in
ipv6 access-group acl6_2 vrf blue_1 in
ipv6 access-group ingress vrf blue_2 in
s1-leaf1(config-system-cp)#
ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/system.md
Outdated
Show resolved
Hide resolved
| {% set cp_ipv4_access_grp = cp_ipv4_access_grp ~ " vrf " ~ acl_set.vrf %} | ||
| {% for acl_set in system.control_plane.ipv4_access_groups | arista.avd.natural_sort %} | ||
| {% if acl_set.ingress_default is arista.avd.defined(true) %} | ||
| {% set cp_ipv4_access_grp = "ip access-group ingress default " ~ acl_set.acl_name %} |
There was a problem hiding this comment.
- Right now neither schema nor J2 enforces only one default ingress ACL for IPv4 and IPv6 (although EoS will only allow one, because there can be only one implicit per ipv4/iv6).
Defining multiple ACLs as ingress_default: true renders all lines:
ipv4_access_groups:
- acl_name: "acl4_4"
vrf: red_2
ingress_default: true
- acl_name: "acl4_6"
vrf: red_5
ingress_default: true
ipv6_access_groups:
- acl_name: "acl6_4"
ingress_default: true
- acl_name: "acl6_6"
ingress_default: true ip access-group ingress default acl4_4
ip access-group ingress default acl4_6
ipv6 access-group ingress default acl6_4
ipv6 access-group ingress default acl6_6
Maybe we could at least only render first "ingress default" per address family, and treat all others as regular (per-vrf ACLs)
# Line 8
+ {% set ns = namespace(ipv4_ingress_default_set=false, ipv6_ingress_default_set=false) %}
# Line [29:]
-{% for acl_set in system.control_plane.ipv4_access_groups | arista.avd.natural_sort %}
+{% for acl_set in sorted_ipv4_access_groups | arista.avd.natural_sort %}
-{% if acl_set.ingress_default is arista.avd.defined(true) %}
+{% if acl_set.ingress_default is arista.avd.defined(true) and ns.ipv4_ingress_default_set is not arista.avd.defined(true) %}
{% set cp_ipv4_access_grp = "ip access-group ingress default " ~ acl_set.acl_name %}
+{% set ns.ipv4_ingress_default_set = true %}
{% else %}
{% set cp_ipv4_access_grp = "ip access-group " ~ acl_set.acl_name %}
{% if acl_set.vrf is arista.avd.defined %}
{% set cp_ipv4_access_grp = cp_ipv4_access_grp ~ " vrf " ~ acl_set.vrf %}
{% endif %}
{% set cp_ipv4_access_grp = cp_ipv4_access_grp ~ " in" %}
{% endif %}
{{ cp_ipv4_access_grp }}
{% endfor %}
{# control_plane access_groups ipv6 #}
{% if system.control_plane.ipv6_access_groups is arista.avd.defined %}
{% set with_vrf_non_default = system.control_plane.ipv6_access_groups | selectattr('vrf', 'arista.avd.defined') | rejectattr('vrf', 'equalto', 'default') | arista.avd.natural_sort | arista.avd.natural_sort('vrf') %}
{% set without_vrf = system.control_plane.ipv6_access_groups | rejectattr('vrf', 'arista.avd.defined') | arista.avd.natural_sort %}
{% set with_vrf_default = system.control_plane.ipv6_access_groups | selectattr('vrf', 'arista.avd.defined') | selectattr('vrf', 'equalto', 'default') | arista.avd.natural_sort %}
{% set sorted_ipv6_access_groups = without_vrf | list + with_vrf_default | list + with_vrf_non_default | list %}
{% endif %}
-{% for acl_set in system.control_plane.ipv6_access_groups | arista.avd.natural_sort %}
+{% for acl_set in sorted_ipv6_access_groups | arista.avd.natural_sort %}
-{% if acl_set.ingress_default is arista.avd.defined(true) %}
+{% if acl_set.ingress_default is arista.avd.defined(true) and ns.ipv6_ingress_default_set is not arista.avd.defined(true) %}
{% set cp_ipv6_access_grp = "ipv6 access-group ingress default " ~ acl_set.acl_name %}
+{% set ns.ipv6_ingress_default_set = true %}
{% else %}
{% set cp_ipv6_access_grp = "ipv6 access-group " ~ acl_set.acl_name %}
{% if acl_set.vrf is arista.avd.defined %}
{% set cp_ipv6_access_grp = cp_ipv6_access_grp ~ " vrf " ~ acl_set.vrf %}
{% endif %}
{% set cp_ipv6_access_grp = cp_ipv6_access_grp ~ " in" %}
{% endif %}
{{ cp_ipv6_access_grp }}
{% endfor %}
There was a problem hiding this comment.
The default here is the default VRF, so I think there are some misunderstandings about the data model and EOS CLI.
EDIT:
So there are
[no|default] ip access-group ACL_NAME [ ( VRF_VRF_KW ( VRF_VRF_DYNAMIC | VRF_VRF_DEFAULT ) ) ] in
[no|default] ip access-group ingress default ACL_NAME
[no|default] ipv6 access-group ACL_NAME [ ( VRF_VRF_KW ( VRF_VRF_DYNAMIC | VRF_VRF_DEFAULT ) ) ] in
[no|default] ipv6 access-group ingress default ACL_NAME
We should have ipv4_access_group_ingress_default: <str> and ipv6_access_group_ingress_default: <str>.
And then keep the vrf access groups as they are Today.
| ip access-group acl4_3 vrf default in | ||
| ip access-group ingress default acl4_4 | ||
| ip access-group acl4_5 vrf red_3 in | ||
| ip access-group ingress vrf red_4 in |
There was a problem hiding this comment.
Just to add to this comment:
- EoS treats missing VRF and VRF
defaultas the same.
ip access-group acl4_1 in
ip access-group acl4_3 vrf default in
will end up in running-config as ip access-group acl4_3 in (last command overwrites previous ones)
- Order seems to be the following:
tcp mss ceiling.*ip access-group ingress default.*ip access-group <IPv4_ACL_NAME> in# IPv4 ACL for default` VRF. Can be only oneip access-group <IPv4_ACL_NAME> vrf <VRF_NAME> in# Sorted by VRF name
Same ordering applies to IPv6.
Example:
avd-ci-leaf2(config-s-s19)#system control-plane
avd-ci-leaf2(config-s-s19-system-cp)# tcp mss ceiling ipv4 1344 ipv6 1366
avd-ci-leaf2(config-s-s19-system-cp)# ip access-group acl4_1 in
avd-ci-leaf2(config-s-s19-system-cp)# ip access-group acl4_2 vrf red in
avd-ci-leaf2(config-s-s19-system-cp)# ip access-group acl4_2 vrf red_1 in
avd-ci-leaf2(config-s-s19-system-cp)# ip access-group acl4_3 vrf default in
avd-ci-leaf2(config-s-s19-system-cp)# ip access-group ingress default acl4_4
avd-ci-leaf2(config-s-s19-system-cp)# ip access-group acl4_5 vrf red_3 in
avd-ci-leaf2(config-s-s19-system-cp)# ip access-group acl4_6 vrf red_5 in
avd-ci-leaf2(config-s-s19-system-cp)# ip access-group ingress vrf red_4 in
avd-ci-leaf2(config-s-s19-system-cp)# ipv6 access-group acl6_1 in
avd-ci-leaf2(config-s-s19-system-cp)# ipv6 access-group acl6_2 vrf blue in
avd-ci-leaf2(config-s-s19-system-cp)# ipv6 access-group acl6_2 vrf blue_1 in
avd-ci-leaf2(config-s-s19-system-cp)# ipv6 access-group acl6_3 vrf default in
avd-ci-leaf2(config-s-s19-system-cp)# ipv6 access-group ingress default acl6_4
avd-ci-leaf2(config-s-s19-system-cp)# ipv6 access-group acl6_6 in
avd-ci-leaf2(config-s-s19-system-cp)# ipv6 access-group ingress vrf blue_2 in
avd-ci-leaf2(config-s-s19-system-cp)#show session-config diffs
--- system:/running-config
+++ session:/s19-session-config
+system control-plane
+ tcp mss ceiling ipv4 1344 ipv6 1366
+ ip access-group ingress default acl4_4
+ ip access-group acl4_3 in
+ ip access-group acl4_2 vrf red in
+ ip access-group acl4_2 vrf red_1 in
+ ip access-group acl4_5 vrf red_3 in
+ ip access-group ingress vrf red_4 in
+ ip access-group acl4_6 vrf red_5 in
+ ipv6 access-group ingress default acl6_4
+ ipv6 access-group acl6_6 in
+ ipv6 access-group acl6_2 vrf blue in
+ ipv6 access-group acl6_2 vrf blue_1 in
+ ipv6 access-group ingress vrf blue_2 in
avd-ci-leaf2(config-s-s19-system-cp)#
| {% set cp_ipv4_access_grp = "ip access-group " ~ acl_set.acl_name %} | ||
| {% if acl_set.vrf is arista.avd.defined %} | ||
| {% set cp_ipv4_access_grp = cp_ipv4_access_grp ~ " vrf " ~ acl_set.vrf %} | ||
| {% for acl_set in system.control_plane.ipv4_access_groups | arista.avd.natural_sort %} |
There was a problem hiding this comment.
We can as well optionally simply pick first IPv4 and IPv6 out of all with either "missing" VRF or those where it is set to default. EoS takes last line from overlapping commands pushed to conf or conf session because it simply overwrites previous ones. As we generate designed configuration state for the device - we should probably avoid generating commands which would be overwriting each other (although EoS would be OK with it).
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
|
Conflicts have been resolved. A maintainer will review the pull request shortly. |
|
ClausHolbechArista
changed the title
|
Moving to draft since we the changes needs to be reworked to match EOS CLI. Reach out if we need to discuss. |
|
Closing this PR and fixing the issue in PR: #4710 |
Change Summary
Add support for ingress in system.control_plane.ipv4/6_access_group
Related Issue(s)
Fixes #4467
Component(s) name
arista.avd.eos_cli_config_genHow to test
CI
Checklist
Repository Checklist