Feat(eos_designs): Add support to add access-groups on l3-interfaces …

…through network-services (#4163)
aristanetworks · Jul 26, 2024 · 1504059 · 1504059
1 parent 48445a4
commit 1504059
Show file tree

Hide file tree

Showing 11 changed files with 271 additions and 0 deletions.
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/DC1-BL1A.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/DC1-BL1A.cfg
@@ -147,6 +147,30 @@ interface Ethernet11
    vrf Tenant_A_L3_VRF_Zone
    ip address 10.10.30.10/24
 !
+interface Ethernet12
+   description test l3 interfaces acls
+   no shutdown
+   mtu 9000
+   no switchport
+   vrf Tenant_A_L3_VRF_Zone
+   ip address 10.10.40.10/24
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12 in
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12 out
+!
+interface Ethernet13
+   no shutdown
+   no switchport
+!
+interface Ethernet13.10
+   description test l3 interfaces acls
+   no shutdown
+   mtu 9000
+   encapsulation dot1q vlan 10
+   vrf Tenant_A_L3_VRF_Zone
+   ip address 10.10.40.20/24
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13.10 in
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13.10 out
+!
 interface Ethernet4000
    description My test
    no shutdown
@@ -220,6 +244,20 @@ event-handler evpn-blacklist-recovery
    delay 300
    asynchronous
 !
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+   15 deny ip any host 10.10.40.10
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13.10
+   15 deny ip any host 10.10.40.20
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+   remark Some remark will not require source and destination fields.
+   permit ip host 10.10.40.10 any
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13.10
+   remark Some remark will not require source and destination fields.
+   permit ip host 10.10.40.20 any
+!
 ip routing
 no ip routing vrf MGMT
 ip routing vrf Tenant_A_L3_VRF_Zone

diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/DC1-BL1B.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/DC1-BL1B.cfg
@@ -138,6 +138,30 @@ interface Ethernet11
    vrf Tenant_A_L3_VRF_Zone
    ip address 10.10.40.20/24
 !
+interface Ethernet12
+   description test l3 interfaces acls
+   no shutdown
+   mtu 9000
+   no switchport
+   vrf Tenant_A_L3_VRF_Zone
+   ip address 10.10.50.10/24
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12 in
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12 out
+!
+interface Ethernet13
+   no shutdown
+   no switchport
+!
+interface Ethernet13.10
+   description test l3 interfaces acls
+   no shutdown
+   mtu 9000
+   encapsulation dot1q vlan 10
+   vrf Tenant_A_L3_VRF_Zone
+   ip address 10.10.50.20/24
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13.10 in
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13.10 out
+!
 interface Ethernet4000
    description My second test
    no shutdown
@@ -201,6 +225,20 @@ hardware tcam
 !
 ip virtual-router mac-address 00:dc:00:00:00:0a
 !
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+   15 deny ip any host 10.10.50.10
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13.10
+   15 deny ip any host 10.10.50.20
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+   remark Some remark will not require source and destination fields.
+   permit ip host 10.10.50.10 any
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13.10
+   remark Some remark will not require source and destination fields.
+   permit ip host 10.10.50.20 any
+!
 ip routing
 no ip routing vrf MGMT
 ip routing vrf Tenant_A_L3_VRF_Zone

diff --git a/...tions/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/DC1-BL1A.yml b/...tions/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/DC1-BL1A.yml
@@ -476,6 +476,27 @@ ethernet_interfaces:
   description: DC1-BL1A descriptions preferred over single description
   type: routed
   vrf: Tenant_A_L3_VRF_Zone
+- name: Ethernet12
+  peer_type: l3_interface
+  ip_address: 10.10.40.10/24
+  mtu: 9000
+  shutdown: false
+  description: test l3 interfaces acls
+  access_group_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+  access_group_out: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+  type: routed
+  vrf: Tenant_A_L3_VRF_Zone
+- name: Ethernet13.10
+  peer_type: l3_interface
+  ip_address: 10.10.40.20/24
+  mtu: 9000
+  shutdown: false
+  description: test l3 interfaces acls
+  access_group_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13.10
+  access_group_out: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13.10
+  type: l3dot1q
+  encapsulation_dot1q_vlan: 10
+  vrf: Tenant_A_L3_VRF_Zone
 - name: Ethernet7
   peer_type: l3_interface
   ip_address: 10.10.10.10/24
@@ -495,6 +516,10 @@ ethernet_interfaces:
   - id: 2
     hash_algorithm: sha512
     key: AQQvKeimxJu+uGQ/yYvv9w==
+- name: Ethernet13
+  type: routed
+  peer_type: l3_interface
+  shutdown: false
 - name: Ethernet4000
   description: My test
   ip_address: 10.3.2.1/21
@@ -558,6 +583,35 @@ vlans:
 - id: 350
   name: Tenant_C_WAN_Zone_1
   tenant: Tenant_C
+ip_access_lists:
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+  entries:
+  - sequence: 15
+    action: deny
+    protocol: ip
+    source: any
+    destination: 10.10.40.10
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13.10
+  entries:
+  - sequence: 15
+    action: deny
+    protocol: ip
+    source: any
+    destination: 10.10.40.20
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+  entries:
+  - remark: Some remark will not require source and destination fields.
+  - action: permit
+    protocol: ip
+    source: 10.10.40.10
+    destination: any
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13.10
+  entries:
+  - remark: Some remark will not require source and destination fields.
+  - action: permit
+    protocol: ip
+    source: 10.10.40.20
+    destination: any
 ip_igmp_snooping:
   globally_enabled: true
 ip_virtual_router_mac_address: 00:dc:00:00:00:0a

diff --git a/...tions/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/DC1-BL1B.yml b/...tions/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/DC1-BL1B.yml
@@ -464,6 +464,27 @@ ethernet_interfaces:
   description: DC1-BL1B descriptions preferred over single description
   type: routed
   vrf: Tenant_A_L3_VRF_Zone
+- name: Ethernet12
+  peer_type: l3_interface
+  ip_address: 10.10.50.10/24
+  mtu: 9000
+  shutdown: false
+  description: test l3 interfaces acls
+  access_group_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+  access_group_out: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+  type: routed
+  vrf: Tenant_A_L3_VRF_Zone
+- name: Ethernet13.10
+  peer_type: l3_interface
+  ip_address: 10.10.50.20/24
+  mtu: 9000
+  shutdown: false
+  description: test l3 interfaces acls
+  access_group_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13.10
+  access_group_out: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13.10
+  type: l3dot1q
+  encapsulation_dot1q_vlan: 10
+  vrf: Tenant_A_L3_VRF_Zone
 - name: Ethernet7
   peer_type: l3_interface
   ip_address: 10.10.20.20/24
@@ -472,6 +493,10 @@ ethernet_interfaces:
   description: test
   type: routed
   vrf: Tenant_A_WAN_Zone
+- name: Ethernet13
+  type: routed
+  peer_type: l3_interface
+  shutdown: false
 - name: Ethernet4000
   description: My second test
   ip_address: 10.1.2.3/12
@@ -531,6 +556,35 @@ vlans:
 - id: 350
   name: Tenant_C_WAN_Zone_1
   tenant: Tenant_C
+ip_access_lists:
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+  entries:
+  - sequence: 15
+    action: deny
+    protocol: ip
+    source: any
+    destination: 10.10.50.10
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13.10
+  entries:
+  - sequence: 15
+    action: deny
+    protocol: ip
+    source: any
+    destination: 10.10.50.20
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+  entries:
+  - remark: Some remark will not require source and destination fields.
+  - action: permit
+    protocol: ip
+    source: 10.10.50.10
+    destination: any
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13.10
+  entries:
+  - remark: Some remark will not require source and destination fields.
+  - action: permit
+    protocol: ip
+    source: 10.10.50.20
+    destination: any
 ip_igmp_snooping:
   globally_enabled: true
 ip_virtual_router_mac_address: 00:dc:00:00:00:0a

diff --git a/...vd/molecule/eos_designs_unit_tests/inventory/group_vars/DC1_TENANTS_NETWORKS/Tenant_A.yml b/...vd/molecule/eos_designs_unit_tests/inventory/group_vars/DC1_TENANTS_NETWORKS/Tenant_A.yml
@@ -255,6 +255,14 @@ tenant_a:
             enabled: True
             description: "Single description"
             descriptions: ["DC1-BL1A descriptions preferred over single description", "DC1-BL1B descriptions preferred over single description"]
+          - interfaces: [Ethernet12, Ethernet13.10, Ethernet12, Ethernet13.10]
+            ip_addresses: [10.10.40.10/24, 10.10.40.20/24, 10.10.50.10/24, 10.10.50.20/24]
+            nodes: [DC1-BL1A, DC1-BL1A, DC1-BL1B, DC1-BL1B]
+            mtu: 9000
+            enabled: True
+            description: "test l3 interfaces acls"
+            ipv4_acl_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN
+            ipv4_acl_out: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT
             # no description nor descriptions is tested in Tenant_OSPF below
       - name: Tenant_A_OSPF
         vrf_id: 16

diff --git a/...d/roles/eos_designs/docs/tables/network-services-vrfs-l3-interfaces-settings.md b/...d/roles/eos_designs/docs/tables/network-services-vrfs-l3-interfaces-settings.md
diff --git a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml
@@ -6387,6 +6387,14 @@ $defs:
                       type: int
                       convert_types:
                       - str
+                    ipv4_acl_in:
+                      type: str
+                      convert_types:
+                      - int
+                    ipv4_acl_out:
+                      type: str
+                      convert_types:
+                      - int
                     ospf:
                       type: dict
                       description: OSPF interface configuration.

diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_network_services.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_network_services.schema.yml
@@ -691,6 +691,14 @@ $defs:
                       type: int
                       convert_types:
                         - str
+                    ipv4_acl_in:
+                      type: str
+                      convert_types:
+                        - int
+                    ipv4_acl_out:
+                      type: str
+                      convert_types:
+                        - int
                     ospf:
                       type: dict
                       description: OSPF interface configuration.

diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/ethernet_interfaces.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/ethernet_interfaces.py
@@ -75,6 +75,14 @@ def ethernet_interfaces(self: AvdStructuredConfigNetworkServices) -> list | None
                                 "flow_tracker": self.shared_utils.get_flow_tracker(l3_interface, "l3_interfaces"),
                             }
 
+                            if self._l3_interface_acls is not None:
+                                interface.update(
+                                    {
+                                        "access_group_in": get(self._l3_interface_acls, f"{interface_name}..ipv4_acl_in..name", separator=".."),
+                                        "access_group_out": get(self._l3_interface_acls, f"{interface_name}..ipv4_acl_out..name", separator=".."),
+                                    }
+                                )
+
                             if "." in interface_name:
                                 # This is a subinterface so we need to ensure that the parent is created
                                 parent_interface_name, subif_id = interface_name.split(".", maxsplit=1)

diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/ip_access_lists.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/ip_access_lists.py
@@ -111,6 +111,11 @@ def ip_access_lists(self: AvdStructuredConfigNetworkServices) -> list | None:
                 for acl in interface_acls.values():
                     append_if_not_duplicate(ip_access_lists, "name", acl, context="IPv4 Access lists for SVI", context_keys=["name"])
 
+        if self._l3_interface_acls:
+            for l3_interface_acl in self._l3_interface_acls.values():
+                for acl in l3_interface_acl.values():
+                    append_if_not_duplicate(ip_access_lists, "name", acl, context="IPv4 Access lists for L3 interface", context_keys=["name"])
+
         for ie_policy_type in self._filtered_internet_exit_policy_types:
             acls = self._acl_internet_exit(ie_policy_type)
             if acls:

diff --git a/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py b/python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py
@@ -686,6 +686,52 @@ def get_internet_exit_nat_pool_and_profile(
     def _filtered_internet_exit_policy_types(self: AvdStructuredConfigNetworkServices) -> list:
         return sorted(set(internet_exit_policy["type"] for internet_exit_policy in self._filtered_internet_exit_policies))
 
+    @cached_property
+    def _l3_interface_acls(self: AvdStructuredConfigNetworkServices) -> dict | None:
+        """
+        Returns a dict of interfaces and ACLs set on the interfaces.
+            {
+                <interface_name>: {
+                "ipv4_acl_in": <generated_ipv4_acl>,
+                "ipv4_acl_out": <generated_ipv4_acl>,
+                }
+            }
+        Only contains interfaces with ACLs and only the ACLs that are set,
+        so use `get(self._l3_interface_acls, f"{interface_name}..ipv4_acl_in", separator="..")` to get the value.
+        """
+
+        if not self.shared_utils.network_services_l3:
+            return None
+
+        l3_interface_acls = {}
+        for tenant in self.shared_utils.filtered_tenants:
+            for vrf in tenant["vrfs"]:
+                for l3_interface in vrf["l3_interfaces"]:
+                    for interface_idx, interface in enumerate(l3_interface["interfaces"]):
+                        if l3_interface["nodes"][interface_idx] != self.shared_utils.hostname:
+                            continue
+
+                        ipv4_acl_in = get(l3_interface, "ipv4_acl_in")
+                        ipv4_acl_out = get(l3_interface, "ipv4_acl_out")
+                        if ipv4_acl_in is None and ipv4_acl_out is None:
+                            continue
+                        interface_name = interface
+                        interface_ip: str | None = l3_interface["ip_addresses"][interface_idx]
+                        interface_ip = str(ipaddress.ip_interface(interface_ip).ip)
+                        if ipv4_acl_in is not None:
+                            l3_interface_acls.setdefault(interface_name, {})["ipv4_acl_in"] = self.shared_utils.get_ipv4_acl(
+                                name=ipv4_acl_in,
+                                interface_name=interface_name,
+                                interface_ip=interface_ip,
+                            )
+                        if ipv4_acl_out is not None:
+                            l3_interface_acls.setdefault(interface_name, {})["ipv4_acl_out"] = self.shared_utils.get_ipv4_acl(
+                                name=ipv4_acl_out,
+                                interface_name=interface_name,
+                                interface_ip=interface_ip,
+                            )
+        return l3_interface_acls
+
     @cached_property
     def _filtered_internet_exit_policies(self: AvdStructuredConfigNetworkServices) -> list:
         """