Feat(eos_designs): Add support to add access-groups on l3-interfaces through network-services

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/DC1-BL1A.cfg

@@ -147,6 +147,26 @@ interface Ethernet11
    vrf Tenant_A_L3_VRF_Zone
    ip address 10.10.30.10/24
 !
+interface Ethernet12
+   description test l3 interfaces acls
+   no shutdown
+   mtu 9000
+   no switchport
+   vrf Tenant_A_L3_VRF_Zone
+   ip address 10.10.40.10/24
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12 in
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12 out
+!
+interface Ethernet13
+   description test l3 interfaces acls
+   no shutdown
+   mtu 9000
+   no switchport
+   vrf Tenant_A_L3_VRF_Zone
+   ip address 10.10.40.20/24
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13 in
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13 out
+!
 interface Ethernet4000
    description My test
    no shutdown
@@ -220,6 +240,20 @@ event-handler evpn-blacklist-recovery
    delay 300
    asynchronous
 !
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+   15 deny ip any host 10.10.40.10
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13
+   15 deny ip any host 10.10.40.20
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+   remark Some remark will not require source and destination fields.
+   permit ip host 10.10.40.10 any
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13
+   remark Some remark will not require source and destination fields.
+   permit ip host 10.10.40.20 any
+!
 ip routing
 no ip routing vrf MGMT
 ip routing vrf Tenant_A_L3_VRF_Zone

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/DC1-BL1B.cfg

@@ -138,6 +138,26 @@ interface Ethernet11
    vrf Tenant_A_L3_VRF_Zone
    ip address 10.10.40.20/24
 !
+interface Ethernet12
+   description test l3 interfaces acls
+   no shutdown
+   mtu 9000
+   no switchport
+   vrf Tenant_A_L3_VRF_Zone
+   ip address 10.10.50.10/24
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12 in
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12 out
+!
+interface Ethernet13
+   description test l3 interfaces acls
+   no shutdown
+   mtu 9000
+   no switchport
+   vrf Tenant_A_L3_VRF_Zone
+   ip address 10.10.50.20/24
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13 in
+   ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13 out
+!
 interface Ethernet4000
    description My second test
    no shutdown
@@ -201,6 +221,20 @@ hardware tcam
 !
 ip virtual-router mac-address 00:dc:00:00:00:0a
 !
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+   15 deny ip any host 10.10.50.10
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13
+   15 deny ip any host 10.10.50.20
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+   remark Some remark will not require source and destination fields.
+   permit ip host 10.10.50.10 any
+!
+ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13
+   remark Some remark will not require source and destination fields.
+   permit ip host 10.10.50.20 any
+!
 ip routing
 no ip routing vrf MGMT
 ip routing vrf Tenant_A_L3_VRF_Zone

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/DC1-BL1A.yml

@@ -476,6 +476,26 @@ ethernet_interfaces:
   description: DC1-BL1A descriptions preferred over single description
   type: routed
   vrf: Tenant_A_L3_VRF_Zone
+- name: Ethernet12
+  peer_type: l3_interface
+  ip_address: 10.10.40.10/24
+  mtu: 9000
+  shutdown: false
+  description: test l3 interfaces acls
+  access_group_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+  access_group_out: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+  type: routed
+  vrf: Tenant_A_L3_VRF_Zone
+- name: Ethernet13
+  peer_type: l3_interface
+  ip_address: 10.10.40.20/24
+  mtu: 9000
+  shutdown: false
+  description: test l3 interfaces acls
+  access_group_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13
+  access_group_out: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13
+  type: routed
+  vrf: Tenant_A_L3_VRF_Zone
 - name: Ethernet7
   peer_type: l3_interface
   ip_address: 10.10.10.10/24
@@ -558,6 +578,35 @@ vlans:
 - id: 350
   name: Tenant_C_WAN_Zone_1
   tenant: Tenant_C
+ip_access_lists:
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+  entries:
+  - sequence: 15
+    action: deny
+    protocol: ip
+    source: any
+    destination: 10.10.40.10
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13
+  entries:
+  - sequence: 15
+    action: deny
+    protocol: ip
+    source: any
+    destination: 10.10.40.20
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+  entries:
+  - remark: Some remark will not require source and destination fields.
+  - action: permit
+    protocol: ip
+    source: 10.10.40.10
+    destination: any
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13
+  entries:
+  - remark: Some remark will not require source and destination fields.
+  - action: permit
+    protocol: ip
+    source: 10.10.40.20
+    destination: any
 ip_igmp_snooping:
   globally_enabled: true
 ip_virtual_router_mac_address: 00:dc:00:00:00:0a

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/DC1-BL1B.yml

@@ -464,6 +464,26 @@ ethernet_interfaces:
   description: DC1-BL1B descriptions preferred over single description
   type: routed
   vrf: Tenant_A_L3_VRF_Zone
+- name: Ethernet12
+  peer_type: l3_interface
+  ip_address: 10.10.50.10/24
+  mtu: 9000
+  shutdown: false
+  description: test l3 interfaces acls
+  access_group_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+  access_group_out: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+  type: routed
+  vrf: Tenant_A_L3_VRF_Zone
+- name: Ethernet13
+  peer_type: l3_interface
+  ip_address: 10.10.50.20/24
+  mtu: 9000
+  shutdown: false
+  description: test l3 interfaces acls
+  access_group_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13
+  access_group_out: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13
+  type: routed
+  vrf: Tenant_A_L3_VRF_Zone
 - name: Ethernet7
   peer_type: l3_interface
   ip_address: 10.10.20.20/24
@@ -531,6 +551,35 @@ vlans:
 - id: 350
   name: Tenant_C_WAN_Zone_1
   tenant: Tenant_C
+ip_access_lists:
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet12
+  entries:
+  - sequence: 15
+    action: deny
+    protocol: ip
+    source: any
+    destination: 10.10.50.10
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet13
+  entries:
+  - sequence: 15
+    action: deny
+    protocol: ip
+    source: any
+    destination: 10.10.50.20
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet12
+  entries:
+  - remark: Some remark will not require source and destination fields.
+  - action: permit
+    protocol: ip
+    source: 10.10.50.10
+    destination: any
+- name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet13
+  entries:
+  - remark: Some remark will not require source and destination fields.
+  - action: permit
+    protocol: ip
+    source: 10.10.50.20
+    destination: any
 ip_igmp_snooping:
   globally_enabled: true
 ip_virtual_router_mac_address: 00:dc:00:00:00:0a

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/DC1_TENANTS_NETWORKS/Tenant_A.yml

@@ -255,6 +255,14 @@ tenant_a:
             enabled: True
             description: "Single description"
             descriptions: ["DC1-BL1A descriptions preferred over single description", "DC1-BL1B descriptions preferred over single description"]
+          - interfaces: [Ethernet12, Ethernet13, Ethernet12, Ethernet13]
+            ip_addresses: [10.10.40.10/24, 10.10.40.20/24, 10.10.50.10/24, 10.10.50.20/24]
+            nodes: [DC1-BL1A, DC1-BL1A, DC1-BL1B, DC1-BL1B]
+            mtu: 9000
+            enabled: True
+            description: "test l3 interfaces acls"
+            ipv4_acl_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN
+            ipv4_acl_out: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT
             # no description nor descriptions is tested in Tenant_OSPF below
       - name: Tenant_A_OSPF
         vrf_id: 16

python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml

@@ -6365,6 +6365,14 @@ $defs:
                       type: int
                       convert_types:
                       - str
+                    ipv4_acl_in:
+                      type: str
+                      convert_types:
+                      - int
+                    ipv4_acl_out:
+                      type: str
+                      convert_types:
+                      - int
                     ospf:
                       type: dict
                       description: OSPF interface configuration.

python-avd/pyavd/_eos_designs/schema/schema_fragments/defs_network_services.schema.yml

@@ -691,6 +691,14 @@ $defs:
                       type: int
                       convert_types:
                         - str
+                    ipv4_acl_in:
+                      type: str
+                      convert_types:
+                        - int
+                    ipv4_acl_out:
+                      type: str
+                      convert_types:
+                        - int
                     ospf:
                       type: dict
                       description: OSPF interface configuration.

python-avd/pyavd/_eos_designs/structured_config/network_services/ethernet_interfaces.py

@@ -75,6 +75,14 @@ def ethernet_interfaces(self: AvdStructuredConfigNetworkServices) -> list | None
                                 "flow_tracker": self.shared_utils.get_flow_tracker(l3_interface, "l3_interfaces"),
                             }
 
+                            if self._l3_interface_acls is not None:
+                                interface.update(
+                                    {
+                                        "access_group_in": get(self._l3_interface_acls, f"{interface_name}..ipv4_acl_in..name", separator=".."),
+                                        "access_group_out": get(self._l3_interface_acls, f"{interface_name}..ipv4_acl_out..name", separator=".."),
+                                    }
+                                )
+
                             if "." in interface_name:
                                 # This is a subinterface so we need to ensure that the parent is created
                                 parent_interface_name, subif_id = interface_name.split(".", maxsplit=1)

python-avd/pyavd/_eos_designs/structured_config/network_services/ip_access_lists.py

@@ -111,6 +111,12 @@ def ip_access_lists(self: AvdStructuredConfigNetworkServices) -> list | None:
                 for acl in interface_acls.values():
                     append_if_not_duplicate(ip_access_lists, "name", acl, context="IPv4 Access lists for SVI", context_keys=["name"])
 
+        if self._l3_interface_acls:
+            l3_interface_acls = self._l3_interface_acls
+            for l3_interface_acl in l3_interface_acls.values():
+                for acl in l3_interface_acl.values():
+                    append_if_not_duplicate(ip_access_lists, "name", acl, context="IPv4 Access lists for L3 interface", context_keys=["name"])
+
         for ie_policy_type in self._filtered_internet_exit_policy_types:
             acls = self._acl_internet_exit(ie_policy_type)
             if acls:

python-avd/pyavd/_eos_designs/structured_config/network_services/utils.py

@@ -686,6 +686,51 @@ def get_internet_exit_nat_pool_and_profile(
     def _filtered_internet_exit_policy_types(self: AvdStructuredConfigNetworkServices) -> list:
         return sorted(set(internet_exit_policy["type"] for internet_exit_policy in self._filtered_internet_exit_policies))
 
+    @cached_property
+    def _l3_interface_acls(self: AvdStructuredConfigNetworkServices):
+        """
+        Returns a dict of interfaces and ACLs set on the interfaces.
+            {
+                <interface_name>: {
+                "ipv4_acl_in": <generated_ipv4_acl>,
+                "ipv4_acl_out": <generated_ipv4_acl>,
+                }
+            }
+        Only contains interfaces with ACLs and only the ACLs that are set,
+        so use `get(self._l3_interface_acls, f"{interface_name}..ipv4_acl_in", separator="..")` to get the value.
+        """
+
+        if not self.shared_utils.network_services_l3:
+            return None
+
+        l3_interface_acls = {}
+        for tenant in self.shared_utils.filtered_tenants:
+            for vrf in tenant["vrfs"]:
+                for l3_interface in vrf["l3_interfaces"]:
+                    for interface_idx, interface in enumerate(l3_interface["interfaces"]):
+                        ipv4_acl_in = get(l3_interface, "ipv4_acl_in")
+                        ipv4_acl_out = get(l3_interface, "ipv4_acl_out")
+                        if ipv4_acl_in is None and ipv4_acl_out is None:
+                            continue
+                        interface_name = interface
+                        interface_ip: str | None = l3_interface["ip_addresses"][interface_idx]
+                        interface_ip = str(ipaddress.ip_interface(interface_ip).ip)
+                        node = l3_interface["nodes"][interface_idx]
+                        if node == self.shared_utils.hostname:
+                            if ipv4_acl_in is not None:
+                                l3_interface_acls.setdefault(interface_name, {})["ipv4_acl_in"] = self.shared_utils.get_ipv4_acl(
+                                    name=ipv4_acl_in,
+                                    interface_name=interface_name,
+                                    interface_ip=interface_ip,
+                                )
+                            if ipv4_acl_out is not None:
+                                l3_interface_acls.setdefault(interface_name, {})["ipv4_acl_out"] = self.shared_utils.get_ipv4_acl(
+                                    name=ipv4_acl_out,
+                                    interface_name=interface_name,
+                                    interface_ip=interface_ip,
+                                )
+        return l3_interface_acls
+
     @cached_property
     def _filtered_internet_exit_policies(self: AvdStructuredConfigNetworkServices) -> list:
         """