From 92ec3a8df8a7ce2f478e45e4aaf83e2df528936d Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 20 Aug 2024 07:52:08 +0200 Subject: [PATCH 1/4] Bump: pre-commit autoupdate (#4378) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Claus Holbech --- .pre-commit-config.yaml | 2 +- pyproject.toml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9231e4e5fab..bdf241ce9ea 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -75,7 +75,7 @@ repos: - repo: https://github.com/astral-sh/ruff-pre-commit # Ruff version. - rev: v0.5.7 + rev: v0.6.1 hooks: # Run the linter. - id: ruff diff --git a/pyproject.toml b/pyproject.toml index c2bf7ee9541..37c2053fa0e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -54,6 +54,7 @@ ignore = [ "PLR2004", # Magic value used in comparison - TODO: Evaluate "DTZ005", # `datetime.datetime.now()` called without a `tz` argument - TODO: Improve code "UP038", # UP038 Use `X | Y` in `isinstance` call instead of `(X, Y)` - Why would I? It impacts performance. + "ASYNC109",# async-function-with-timeout: Our async functions call several other async functions and we need each of those calls to be governed by the configurable timeout. ] [tool.ruff.lint.pydocstyle] From 5cbb15f2ec94cc6cef761dcf215bcc00c69c9522 Mon Sep 17 00:00:00 2001 
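Review bot: The new `"ASYNC109",#` entry in the `ignore` list has no space before the `#`, unlike its neighbours, and it switches the rule off for the whole repository rather than for the functions that need it. If only the async helpers that forward the configurable timeout are affected, a `per-file-ignores` entry for those modules or `# noqa: ASYNC109` on the definitions would keep the check active for new code elsewhere. At minimum write it as `"ASYNC109", # async-function-with-timeout: ...`. The `ignore` list starts and ends outside the hunk.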
From: Mahesh Kumar <122076792+MaheshGSLAB@users.noreply.github.com> Date: Tue, 20 Aug 2024 18:36:52 +0530 Subject: [PATCH 2/4] Refactor(eos_designs)!: Change the default value of `mlag_on_orphan_port_channel_downlink` to `false` (#4371) --- .../arista/avd/docs/porting-guides/5.x.x.md | 9 +++++++++ .../intended/configs/SL-LEAF0B.cfg | 2 ++ .../intended/configs/SL-LEAF1A.cfg | 1 + .../intended/configs/UNDERLAY-MULTICAST-L3LEAF1A.cfg | 1 - .../intended/structured_configs/SL-LEAF0B.yml | 2 ++ .../intended/structured_configs/SL-LEAF1A.yml | 1 + .../structured_configs/UNDERLAY-MULTICAST-L3LEAF1A.yml | 1 - .../inventory/group_vars/SINGLE_LINK_TO_MLAG_PAIR.yml | 2 +- .../roles/eos_designs/docs/tables/fabric-settings.md | 9 ++++----- .../pyavd/_eos_designs/schema/eos_designs.schema.yml | 10 ++++------ .../mlag_on_orphan_port_channel_downlink.schema.yml | 8 +++----- .../underlay/port_channel_interfaces.py | 2 +- 12 files changed, 28 insertions(+), 20 deletions(-) diff --git a/ansible_collections/arista/avd/docs/porting-guides/5.x.x.md b/ansible_collections/arista/avd/docs/porting-guides/5.x.x.md index 4db3f02ed64..428cb7aef95 100644 --- a/ansible_collections/arista/avd/docs/porting-guides/5.x.x.md +++ b/ansible_collections/arista/avd/docs/porting-guides/5.x.x.md 
@@ -204,6 +204,15 @@ It can be added if required by using `config_comment`: +config_comment: "RANCID-CONTENT-TYPE: arista" ``` +### Default value of `mlag_on_orphan_port_channel_downlink` is changed to `false` + +The default value `true` of data model `mlag_on_orphan_port_channel_downlink` has been changed to `false`, so it is now required to set `mlag_on_orphan_port_channel_downlink: true` to configure the MLAG ID on a downlink Port-Channel even if the downlink is only on one node in the MLAG pair. +By default an MLAG ID will only be configured on Port-Channel downlinks dual-homed to two MLAG switches. + +```diff ++ mlag_on_orphan_port_channel_downlink: true +``` + ## Changes to role `arista.avd.eos_cli_config_gen` TODO: Level 3 sections for each change with details on how to migrate diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/SL-LEAF0B.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/SL-LEAF0B.cfg index 1d66749af9a..fce91dddb22 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/SL-LEAF0B.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/SL-LEAF0B.cfg @@ -31,6 +31,7 @@ interface Port-Channel27 switchport switchport trunk allowed vlan none switchport mode trunk + mlag 27 ! interface Port-Channel41 description SL-LEAF2_Po41 @@ -38,6 +39,7 @@ interface Port-Channel41 switchport switchport trunk allowed vlan none switchport mode trunk + mlag 41 ! interface Ethernet25 description MLAG_PEER_SL-LEAF0A_Ethernet25 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/SL-LEAF1A.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/SL-LEAF1A.cfg index 2618b34e345..16b6af8114a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/SL-LEAF1A.cfg 
+++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/SL-LEAF1A.cfg @@ -39,6 +39,7 @@ interface Port-Channel28 switchport switchport trunk allowed vlan none switchport mode trunk + mlag 28 ! interface Ethernet25 description MLAG_PEER_SL-LEAF1B_Ethernet25 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UNDERLAY-MULTICAST-L3LEAF1A.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UNDERLAY-MULTICAST-L3LEAF1A.cfg index feda6a51a37..c757219f72f 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UNDERLAY-MULTICAST-L3LEAF1A.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/UNDERLAY-MULTICAST-L3LEAF1A.cfg @@ -36,7 +36,6 @@ interface Port-Channel6 switchport switchport trunk allowed vlan none switchport mode trunk - mlag 6 ! interface Ethernet1 description P2P_LINK_TO_UNDERLAY-MULTICAST-SPINE1_Ethernet1 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/SL-LEAF0B.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/SL-LEAF0B.yml index 77292704fe9..3482e5a90c3 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/SL-LEAF0B.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/SL-LEAF0B.yml @@ -48,12 +48,14 @@ port_channel_interfaces: shutdown: false mode: trunk vlans: none + mlag: 27 - name: Port-Channel41 description: SL-LEAF2_Po41 type: switched shutdown: false mode: trunk vlans: none + mlag: 41 ethernet_interfaces: - name: Ethernet25 peer: SL-LEAF0A 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/SL-LEAF1A.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/SL-LEAF1A.yml index d0e639c5807..d9e49705701 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/SL-LEAF1A.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/SL-LEAF1A.yml @@ -55,6 +55,7 @@ port_channel_interfaces: shutdown: false mode: trunk vlans: none + mlag: 28 ethernet_interfaces: - name: Ethernet25 peer: SL-LEAF1B diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UNDERLAY-MULTICAST-L3LEAF1A.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UNDERLAY-MULTICAST-L3LEAF1A.yml index 8728d649794..b556d0af181 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UNDERLAY-MULTICAST-L3LEAF1A.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/UNDERLAY-MULTICAST-L3LEAF1A.yml @@ -149,7 +149,6 @@ port_channel_interfaces: shutdown: false mode: trunk vlans: none - mlag: 6 ethernet_interfaces: - name: Ethernet3 peer: UNDERLAY-MULTICAST-L3LEAF1B diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/SINGLE_LINK_TO_MLAG_PAIR.yml b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/SINGLE_LINK_TO_MLAG_PAIR.yml index 4b1608bdaae..47674a8c03d 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/SINGLE_LINK_TO_MLAG_PAIR.yml +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/SINGLE_LINK_TO_MLAG_PAIR.yml 
@@ -3,7 +3,7 @@ fabric_name: SINGLE_LINK_TO_MLAG_PAIR type: l2leaf -mlag_on_orphan_port_channel_downlink: false +mlag_on_orphan_port_channel_downlink: true l2leaf: defaults: diff --git a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/fabric-settings.md b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/fabric-settings.md index 9a466d70285..2d6fe6dcac5 100644 --- a/ansible_collections/arista/avd/roles/eos_designs/docs/tables/fabric-settings.md +++ b/ansible_collections/arista/avd/roles/eos_designs/docs/tables/fabric-settings.md @@ -8,7 +8,7 @@ | Variable | Type | Required | Default | Value Restrictions | Description | | -------- | ---- | -------- | ------- | ------------------ | ----------- | | [enable_trunk_groups](## "enable_trunk_groups") | Boolean | | `False` | | Enable Trunk Group support across eos_designs.
Warning: Because of the nature of the EOS Trunk Group feature, enabling this is "all or nothing".
*All* vlans and *all* trunks towards connected endpoints must be using trunk groups as well.
If trunk groups are not assigned to a trunk, no vlans will be enabled on that trunk.
See "Details on enable_trunk_groups" below before enabling this feature.
| - | [mlag_on_orphan_port_channel_downlink](## "mlag_on_orphan_port_channel_downlink") | Boolean | | `True` | | If `true` (default) an MLAG ID will always be configured on a Port-Channel downlink even if the downlink is only on one node in the MLAG pair.
If `false` an MLAG ID will only be configured on Port-Channel downlinks dual-homed to two MLAG switches.
Note the default value will change to `false` in AVD version 5.0 | + | [mlag_on_orphan_port_channel_downlink](## "mlag_on_orphan_port_channel_downlink") | Boolean | | `False` | | If `true` an MLAG ID will always be configured on a Port-Channel downlink even if the downlink is only on one node in the MLAG pair.
If `false` (default) an MLAG ID will only be configured on Port-Channel downlinks dual-homed to two MLAG switches. | | [only_local_vlan_trunk_groups](## "only_local_vlan_trunk_groups") | Boolean | | `False` | | A vlan can have many trunk_groups assigned.
To avoid unneeded configuration changes on all leaf switches when a new trunk group is added,
this feature will only configure the vlan trunk groups matched with local connected_endpoints.
See "Details on only_local_vlan_trunk_groups" below.
Requires "enable_trunk_groups: true".
| | [p2p_uplinks_mtu](## "p2p_uplinks_mtu") | Integer | | `9214` | Min: 68
Max: 65535 | Point to Point Links MTU. | | [p2p_uplinks_qos_profile](## "p2p_uplinks_qos_profile") | String | | | | QOS Profile assigned on all infrastructure links. | @@ -51,10 +51,9 @@ # See "Details on enable_trunk_groups" below before enabling this feature. enable_trunk_groups: - # If `true` (default) an MLAG ID will always be configured on a Port-Channel downlink even if the downlink is only on one node in the MLAG pair. - # If `false` an MLAG ID will only be configured on Port-Channel downlinks dual-homed to two MLAG switches. - # Note the default value will change to `false` in AVD version 5.0 - mlag_on_orphan_port_channel_downlink: + # If `true` an MLAG ID will always be configured on a Port-Channel downlink even if the downlink is only on one node in the MLAG pair. + # If `false` (default) an MLAG ID will only be configured on Port-Channel downlinks dual-homed to two MLAG switches. + mlag_on_orphan_port_channel_downlink: # A vlan can have many trunk_groups assigned. # To avoid unneeded configuration changes on all leaf switches when a new trunk group is added, diff --git a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml index eee75242456..ed3ba56e805 100644 --- a/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml 
@@ -2000,14 +2000,12 @@ keys: type: bool documentation_options: table: fabric-settings - description: 'If `true` (default) an MLAG ID will always be configured on a Port-Channel + description: 'If `true` an MLAG ID will always be configured on a Port-Channel downlink even if the downlink is only on one node in the MLAG pair. - If `false` an MLAG ID will only be configured on Port-Channel downlinks dual-homed - to two MLAG switches. - - Note the default value will change to `false` in AVD version 5.0' - default: true + If `false` (default) an MLAG ID will only be configured on Port-Channel downlinks + dual-homed to two MLAG switches.' + default: false name_servers: documentation_options: table: management-settings diff --git a/python-avd/pyavd/_eos_designs/schema/schema_fragments/mlag_on_orphan_port_channel_downlink.schema.yml b/python-avd/pyavd/_eos_designs/schema/schema_fragments/mlag_on_orphan_port_channel_downlink.schema.yml index d7ff2b6dd26..2741405f398 100644 --- a/python-avd/pyavd/_eos_designs/schema/schema_fragments/mlag_on_orphan_port_channel_downlink.schema.yml +++ b/python-avd/pyavd/_eos_designs/schema/schema_fragments/mlag_on_orphan_port_channel_downlink.schema.yml @@ -11,8 +11,6 @@ keys: documentation_options: table: fabric-settings description: |- - If `true` (default) an MLAG ID will always be configured on a Port-Channel downlink even if the downlink is only on one node in the MLAG pair. - If `false` an MLAG ID will only be configured on Port-Channel downlinks dual-homed to two MLAG switches. - Note the default value will change to `false` in AVD version 5.0 - # TODO: AVD5.0 change default to false and remove the note from the description. - default: true + If `true` an MLAG ID will always be configured on a Port-Channel downlink even if the downlink is only on one node in the MLAG pair. + If `false` (default) an MLAG ID will only be configured on Port-Channel downlinks dual-homed to two MLAG switches. + default: false 
diff --git a/python-avd/pyavd/_eos_designs/structured_config/underlay/port_channel_interfaces.py b/python-avd/pyavd/_eos_designs/structured_config/underlay/port_channel_interfaces.py index ad60ac42e7c..f615d9e8ece 100644 --- a/python-avd/pyavd/_eos_designs/structured_config/underlay/port_channel_interfaces.py +++ b/python-avd/pyavd/_eos_designs/structured_config/underlay/port_channel_interfaces.py @@ -66,7 +66,7 @@ def port_channel_interfaces(self: AvdStructuredConfigUnderlay) -> list | None: port_channel_interface["vlans"] = vlans # Configure MLAG on MLAG switches if either 'mlag_on_orphan_port_channel_downlink' or 'link.mlag' is True - if self.shared_utils.mlag is True and any([get(self._hostvars, "mlag_on_orphan_port_channel_downlink", default=True), link.get("mlag", True)]): + if self.shared_utils.mlag is True and any([get(self._hostvars, "mlag_on_orphan_port_channel_downlink", default=False), link.get("mlag", True)]): port_channel_interface["mlag"] = int(link.get("channel_group_id")) if (short_esi := link.get("short_esi")) is not None: From 55d72973af6791c1610d04d1d18aa6eae49aa154 Mon Sep 17 00:00:00 2001 
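Review bot: The fallback `default=False` in the rewritten `if` duplicates the default this commit also sets in `eos_designs.schema.yml` and in the schema fragment, so the value now lives in three places that must change together. On the same line `link.get("mlag", True)` still falls back to `True`, so a link dict without an `mlag` key would get an MLAG ID regardless of the new default; whether every link carries that key is not visible in this hunk. With only two operands, `self.shared_utils.mlag is True and (get(self._hostvars, "mlag_on_orphan_port_channel_downlink", default=False) or link.get("mlag", True))` reads more directly than `any([...])`, and a comment such as `# default mirrors the schema default (false since AVD 5.0)` would tie the literal to its source. `port_channel_interfaces` starts and ends outside the hunk.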
From: laxmikantchintakindi <159624484+laxmikantchintakindi@users.noreply.github.com> Date: Tue, 20 Aug 2024 18:44:24 +0530 Subject: [PATCH 3/4] Feat(eos_cli_config_gen): Add support for isis authentication on vlan interfaces (#4254) --- .../documentation/devices/router-isis-new.md | 6 +- .../documentation/devices/router-isis.md | 6 +- .../documentation/devices/vlan-interfaces.md | 62 +++++- .../intended/configs/vlan-interfaces.cfg | 45 +++++ .../inventory/host_vars/vlan-interfaces.yml | 187 ++++++++++++++++++ .../documentation/devices/DC1-BL1A.md | 6 +- .../documentation/devices/DC1-BL1B.md | 6 +- .../documentation/devices/DC1-LEAF2A.md | 6 +- .../documentation/devices/DC1-LEAF2B.md | 6 +- .../documentation/devices/DC1-SVC3A.md | 6 +- .../documentation/devices/DC1-SVC3B.md | 6 +- .../docs/tables/router-isis.md | 36 ++-- .../docs/tables/vlan-interfaces.md | 164 +++++++++++++++ .../documentation/vlan-interfaces.j2 | 15 +- .../j2templates/eos/vlan-interfaces.j2 | 106 ++++++++++ .../schema/eos_cli_config_gen.schema.yml | 9 +- .../schema_fragments/router_isis.schema.yml | 5 +- .../vlan_interfaces.schema.yml | 3 + 18 files changed, 630 insertions(+), 50 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/router-isis-new.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/router-isis-new.md index e586c230aca..24ea42f289c 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/router-isis-new.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/router-isis-new.md 
@@ -155,9 +155,9 @@ interface Loopback1 ##### ISIS -| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | -| --------- | ------------- | -------- | ----------- | ---- | -| Vlan4093 | EVPN_UNDERLAY | - | 50 | point-to-point | +| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | ISIS Authentication Mode | +| --------- | ------------- | -------- | ----------- | ---- | ------------------------ | +| Vlan4093 | EVPN_UNDERLAY | - | 50 | point-to-point | - | #### VLAN Interfaces Device Configuration diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/router-isis.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/router-isis.md index 896e9aa69f8..fe7763dacb6 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/router-isis.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/router-isis.md @@ -240,9 +240,9 @@ interface Loopback2 ##### ISIS -| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | -| --------- | ------------- | -------- | ----------- | ---- | -| Vlan4093 | EVPN_UNDERLAY | - | 50 | point-to-point | +| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | ISIS Authentication Mode | +| --------- | ------------- | -------- | ----------- | ---- | ------------------------ | +| Vlan4093 | EVPN_UNDERLAY | - | 50 | point-to-point | - | #### VLAN Interfaces Device Configuration diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/vlan-interfaces.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/vlan-interfaces.md index f95e86b8da5..a6eb2b19de8 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/vlan-interfaces.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/vlan-interfaces.md 
@@ -185,9 +185,20 @@ interface Management1 ##### ISIS -| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | -| --------- | ------------- | -------- | ----------- | ---- | -| Vlan2002 | EVPN_UNDERLAY | True | - | - | +| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | ISIS Authentication Mode | +| --------- | ------------- | -------- | ----------- | ---- | ------------------------ | +| Vlan42 | EVPN_UNDERLAY | - | - | - | Level-1: sha | +| Vlan83 | EVPN_UNDERLAY | - | - | - | md5 | +| Vlan84 | EVPN_UNDERLAY | - | - | - | sha | +| Vlan85 | EVPN_UNDERLAY | - | - | - | sha | +| Vlan86 | EVPN_UNDERLAY | - | - | - | shared-secret | +| Vlan87 | EVPN_UNDERLAY | - | - | - | shared-secret | +| Vlan88 | EVPN_UNDERLAY | - | - | - | Level-1: md5
Level-2: text | +| Vlan90 | EVPN_UNDERLAY | - | - | - | Level-1: shared-secret
Level-2: shared-secret | +| Vlan91 | EVPN_UNDERLAY | - | - | - | Level-1: md5
Level-2: text | +| Vlan92 | EVPN_UNDERLAY | - | - | - | Level-1: shared-secret
Level-2: shared-secret | +| Vlan2002 | EVPN_UNDERLAY | True | - | - | md5 | +| Vlan4094 | EVPN_UNDERLAY | - | - | - | Level-1: sha
Level-2: sha | ##### Multicast Routing @@ -246,6 +257,8 @@ interface Vlan42 ip helper-address 10.10.64.150 source-interface Loopback0 ip helper-address 10.10.96.150 source-interface Loopback0 ip helper-address 10.10.96.151 source-interface Loopback0 + isis enable EVPN_UNDERLAY + isis authentication mode sha key-id 5 level-1 ip address virtual 10.10.42.1/24 ! interface Vlan43 @@ -253,6 +266,13 @@ interface Vlan43 no shutdown ipv6 dhcp relay destination a0::2 vrf TEST local-interface Loopback44 link-address a0::4 ipv6 address a0::1/64 + isis authentication key-id 2 algorithm sha-512 key 0 password + isis authentication key-id 3 algorithm sha-512 rfc-5310 key 0 password1 + isis authentication key-id 1 algorithm sha-1 key 0 password level-1 + isis authentication key-id 4 algorithm sha-1 rfc-5310 key 0 password level-1 + isis authentication key-id 5 algorithm sha-1 key 0 password3 level-1 + isis authentication key-id 1 algorithm sha-1 key 0 password level-2 + isis authentication key-id 5 algorithm sha-1 rfc-5310 key 0 password level-2 ! interface Vlan44 description SVI Description @@ -267,6 +287,8 @@ interface Vlan50 ip nat source dynamic access-list ACL2 pool POOL2 ip nat destination static 1.0.0.1 2.0.0.1 ip nat destination dynamic access-list ACL1 pool POOL1 + isis authentication mode text rx-disabled level-2 + isis authentication key 0 password level-2 ! interface Vlan75 description SVI Description @@ -294,6 +316,9 @@ interface Vlan81 interface Vlan83 description SVI Description no shutdown + isis enable EVPN_UNDERLAY + isis authentication mode md5 + isis authentication key 0 password ip address virtual 10.10.83.1/24 ip address virtual 10.11.83.1/24 secondary ip address virtual 10.11.84.1/24 secondary 
@@ -303,6 +328,9 @@ interface Vlan84 arp gratuitous accept arp monitor mac-address ip address 10.10.84.1/24 + isis enable EVPN_UNDERLAY + isis authentication mode sha key-id 2 rx-disabled + isis authentication key 0 password ip virtual-router address 10.10.84.254 ip virtual-router address 10.11.84.254/24 ! @@ -310,12 +338,17 @@ interface Vlan85 description SVI Description arp cache dynamic capacity 50000 ip address 10.10.84.1/24 + isis enable EVPN_UNDERLAY + isis authentication mode sha key-id 2 + isis authentication key 0 password bfd interval 500 min-rx 500 multiplier 5 bfd echo ! interface Vlan86 description SVI Description ip address 10.10.83.1/24 + isis enable EVPN_UNDERLAY + isis authentication mode shared-secret profile profile1 algorithm sha-1 rx-disabled ip attached-host route export 10 ! interface Vlan87 @@ -324,10 +357,17 @@ interface Vlan87 ip address 10.10.87.1/24 ip access-group ACL_IN in ip access-group ACL_OUT out + isis enable EVPN_UNDERLAY + isis authentication mode shared-secret profile profile1 algorithm sha-1 ! interface Vlan88 description SVI Description shutdown + isis enable EVPN_UNDERLAY + isis authentication mode md5 rx-disabled level-1 + isis authentication mode text rx-disabled level-2 + isis authentication key 0 password level-1 + isis authentication key 0 password level-2 ip address virtual 10.10.87.1/23 ! interface Vlan89 
@@ -354,11 +394,19 @@ interface Vlan89 interface Vlan90 description SVI Description ip address 10.10.83.1/24 + isis enable EVPN_UNDERLAY + isis authentication mode shared-secret profile profile2 algorithm sha-1 level-1 + isis authentication mode shared-secret profile profile1 algorithm sha-256 level-2 ip attached-host route export ! interface Vlan91 description PBR Description shutdown + isis enable EVPN_UNDERLAY + isis authentication mode md5 level-1 + isis authentication mode text level-2 + isis authentication key 0 password level-1 + isis authentication key 0 password level-2 service-policy type pbr input MyServicePolicy ! interface Vlan92 @@ -366,6 +414,9 @@ interface Vlan92 ip proxy-arp ip directed-broadcast ip address 10.10.92.1/24 + isis enable EVPN_UNDERLAY + isis authentication mode shared-secret profile profile2 algorithm sha-1 rx-disabled level-1 + isis authentication mode shared-secret profile profile1 algorithm sha-256 rx-disabled level-2 ! interface Vlan110 description PVLAN Primary with vlan mapping @@ -493,6 +544,8 @@ interface Vlan2002 ip verify unicast source reachable-via rx isis enable EVPN_UNDERLAY isis bfd + isis authentication mode md5 rx-disabled + isis authentication key 0 password ip address virtual 10.2.2.1/24 ! interface Vlan4094 @@ -506,6 +559,9 @@ interface Vlan4094 pim ipv4 hello count 3.5 pim ipv4 dr-priority 200 pim ipv4 bfd + isis enable EVPN_UNDERLAY + isis authentication mode sha key-id 5 rx-disabled level-1 + isis authentication mode sha key-id 10 rx-disabled level-2 ``` ## BFD diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/vlan-interfaces.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/vlan-interfaces.cfg index 3a4658e5049..3263d8506a4 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/vlan-interfaces.cfg +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/vlan-interfaces.cfg 
@@ -46,6 +46,8 @@ interface Vlan42 ip helper-address 10.10.64.150 source-interface Loopback0 ip helper-address 10.10.96.150 source-interface Loopback0 ip helper-address 10.10.96.151 source-interface Loopback0 + isis enable EVPN_UNDERLAY + isis authentication mode sha key-id 5 level-1 ip address virtual 10.10.42.1/24 ! interface Vlan43 @@ -53,6 +55,13 @@ interface Vlan43 no shutdown ipv6 dhcp relay destination a0::2 vrf TEST local-interface Loopback44 link-address a0::4 ipv6 address a0::1/64 + isis authentication key-id 2 algorithm sha-512 key 0 password + isis authentication key-id 3 algorithm sha-512 rfc-5310 key 0 password1 + isis authentication key-id 1 algorithm sha-1 key 0 password level-1 + isis authentication key-id 4 algorithm sha-1 rfc-5310 key 0 password level-1 + isis authentication key-id 5 algorithm sha-1 key 0 password3 level-1 + isis authentication key-id 1 algorithm sha-1 key 0 password level-2 + isis authentication key-id 5 algorithm sha-1 rfc-5310 key 0 password level-2 ! interface Vlan44 description SVI Description @@ -67,6 +76,8 @@ interface Vlan50 ip nat source dynamic access-list ACL2 pool POOL2 ip nat destination static 1.0.0.1 2.0.0.1 ip nat destination dynamic access-list ACL1 pool POOL1 + isis authentication mode text rx-disabled level-2 + isis authentication key 0 password level-2 ! interface Vlan75 description SVI Description @@ -94,6 +105,9 @@ interface Vlan81 interface Vlan83 description SVI Description no shutdown + isis enable EVPN_UNDERLAY + isis authentication mode md5 + isis authentication key 0 password ip address virtual 10.10.83.1/24 ip address virtual 10.11.83.1/24 secondary ip address virtual 10.11.84.1/24 secondary @@ -103,6 +117,9 @@ interface Vlan84 arp gratuitous accept arp monitor mac-address ip address 10.10.84.1/24 + isis enable EVPN_UNDERLAY + isis authentication mode sha key-id 2 rx-disabled + isis authentication key 0 password ip virtual-router address 10.10.84.254 ip virtual-router address 10.11.84.254/24 ! 
@@ -110,12 +127,17 @@ interface Vlan85 description SVI Description arp cache dynamic capacity 50000 ip address 10.10.84.1/24 + isis enable EVPN_UNDERLAY + isis authentication mode sha key-id 2 + isis authentication key 0 password bfd interval 500 min-rx 500 multiplier 5 bfd echo ! interface Vlan86 description SVI Description ip address 10.10.83.1/24 + isis enable EVPN_UNDERLAY + isis authentication mode shared-secret profile profile1 algorithm sha-1 rx-disabled ip attached-host route export 10 ! interface Vlan87 @@ -124,10 +146,17 @@ interface Vlan87 ip address 10.10.87.1/24 ip access-group ACL_IN in ip access-group ACL_OUT out + isis enable EVPN_UNDERLAY + isis authentication mode shared-secret profile profile1 algorithm sha-1 ! interface Vlan88 description SVI Description shutdown + isis enable EVPN_UNDERLAY + isis authentication mode md5 rx-disabled level-1 + isis authentication mode text rx-disabled level-2 + isis authentication key 0 password level-1 + isis authentication key 0 password level-2 ip address virtual 10.10.87.1/23 ! interface Vlan89 @@ -154,11 +183,19 @@ interface Vlan89 interface Vlan90 description SVI Description ip address 10.10.83.1/24 + isis enable EVPN_UNDERLAY + isis authentication mode shared-secret profile profile2 algorithm sha-1 level-1 + isis authentication mode shared-secret profile profile1 algorithm sha-256 level-2 ip attached-host route export ! interface Vlan91 description PBR Description shutdown + isis enable EVPN_UNDERLAY + isis authentication mode md5 level-1 + isis authentication mode text level-2 + isis authentication key 0 password level-1 + isis authentication key 0 password level-2 service-policy type pbr input MyServicePolicy ! interface Vlan92 
@@ -166,6 +203,9 @@ interface Vlan92 ip proxy-arp ip directed-broadcast ip address 10.10.92.1/24 + isis enable EVPN_UNDERLAY + isis authentication mode shared-secret profile profile2 algorithm sha-1 rx-disabled level-1 + isis authentication mode shared-secret profile profile1 algorithm sha-256 rx-disabled level-2 ! interface Vlan110 description PVLAN Primary with vlan mapping @@ -293,6 +333,8 @@ interface Vlan2002 ip verify unicast source reachable-via rx isis enable EVPN_UNDERLAY isis bfd + isis authentication mode md5 rx-disabled + isis authentication key 0 password ip address virtual 10.2.2.1/24 ! interface Vlan4094 @@ -306,3 +348,6 @@ interface Vlan4094 pim ipv4 hello count 3.5 pim ipv4 dr-priority 200 pim ipv4 bfd + isis enable EVPN_UNDERLAY + isis authentication mode sha key-id 5 rx-disabled level-1 + isis authentication mode sha key-id 10 rx-disabled level-2 diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/vlan-interfaces.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/vlan-interfaces.yml index ce6784b94bf..4bf70adf432 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/vlan-interfaces.yml +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/vlan-interfaces.yml @@ -21,6 +21,23 @@ vlan_interfaces: isis_enable: "EVPN_UNDERLAY" isis_bfd: true ip_verify_unicast_source_reachable_via: rx + # Test isis authentication both md5 rx + isis_authentication: + both: + key_type: 0 + key: password + mode: md5 + rx_disabled: true + level_1: + key_type: 0 + key: password + mode: md5 + rx_disabled: true + level_2: + key_type: 0 + key: password + mode: text + rx_disabled: true - name: Vlan81 description: IPv6 Virtual Address 
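Review bot: The Vlan2002 fixture sets `both`, `level_1` and `level_2` under `isis_authentication`, yet the expected Vlan2002 config in this series contains only the `both` lines (`isis authentication mode md5 rx-disabled` and `isis authentication key 0 password`), so the per-level entries are dropped without any error. For an authentication setting this silent precedence should be stated: extend the comment to `# Test isis authentication: 'both' takes precedence, level_1/level_2 below must not be rendered`, and put the same rule in the schema description of `isis_authentication`. The template that implements this is not among the visible hunks, so the behaviour is inferred from the fixture and its expected output.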
@@ -39,6 +56,13 @@ vlan_interfaces: ip_address_virtual_secondaries: - 10.11.83.1/24 - 10.11.84.1/24 + # Test isis auth both md5 + isis_enable: "EVPN_UNDERLAY" + isis_authentication: + both: + key_type: 0 + key: password + mode: md5 - name: Vlan84 description: SVI Description @@ -48,6 +72,16 @@ vlan_interfaces: - 10.11.84.254/24 arp_gratuitous_accept: true arp_monitor_mac_address: true + isis_enable: "EVPN_UNDERLAY" + # Test isis auth both sha rx + isis_authentication: + both: + key_type: 0 + key: password + mode: sha + sha: + key_id: 2 + rx_disabled: true - name: Vlan85 description: SVI Description @@ -58,6 +92,15 @@ vlan_interfaces: interval: 500 min_rx: 500 multiplier: 5 + # Test isis auth both sha + isis_enable: "EVPN_UNDERLAY" + isis_authentication: + both: + key_type: 0 + key: password + mode: sha + sha: + key_id: 2 - name: Vlan86 description: SVI Description @@ -65,6 +108,15 @@ vlan_interfaces: ip_attached_host_route_export: enabled: true distance: 10 + # Test isis auth both shared secret rx + isis_enable: "EVPN_UNDERLAY" + isis_authentication: + both: + mode: shared-secret + shared_secret: + profile: profile1 + algorithm: sha-1 + rx_disabled: true - name: Vlan87 description: SVI Description @@ -72,11 +124,32 @@ vlan_interfaces: ip_address: 10.10.87.1/24 access_group_in: ACL_IN access_group_out: ACL_OUT + # Test isis auth both shared secret + isis_enable: "EVPN_UNDERLAY" + isis_authentication: + both: + mode: shared-secret + shared_secret: + profile: profile1 + algorithm: sha-1 - name: Vlan88 description: SVI Description shutdown: true ip_address_virtual: 10.10.87.1/23 + # Test isis auth both l1l2 md5 text rx + isis_enable: "EVPN_UNDERLAY" + isis_authentication: + level_1: + key_type: 0 + key: password + mode: md5 + rx_disabled: true + level_2: + key_type: 0 + key: password + mode: text + rx_disabled: true - name: Vlan91 description: PBR Description 
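Review bot: Every keyed entry added to this file uses `key_type: 0` with the literal `password`, in the hunks on this line and in the Vlan2002, Vlan88, Vlan91, Vlan43 and Vlan50 hunks, so only the cleartext form is rendered and checked. If the schema accepts other key types, add at least one interface with an already-encrypted key so that path through the template is covered. The generated device documentation in this series repeats the `isis authentication key 0 password` lines verbatim, so the data-model description should tell users that a type 0 key ends up readable in the generated docs.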
@@ -84,18 +157,57 @@ vlan_interfaces: service_policy: pbr: input: MyServicePolicy + # Test isis auth l1l2 md5 text + isis_enable: "EVPN_UNDERLAY" + isis_authentication: + level_1: + key_type: 0 + key: password + mode: md5 + level_2: + key_type: 0 + key: password + mode: text - name: Vlan90 description: SVI Description ip_address: 10.10.83.1/24 ip_attached_host_route_export: enabled: true + # Test isis auth l1l2 shared secret + isis_enable: "EVPN_UNDERLAY" + isis_authentication: + level_1: + mode: shared-secret + shared_secret: + profile: profile2 + algorithm: sha-1 + level_2: + mode: shared-secret + shared_secret: + profile: profile1 + algorithm: sha-256 - name: Vlan92 description: SVI Description ip_address: 10.10.92.1/24 ip_proxy_arp: true ip_directed_broadcast: true + # Test isis auth l1l2 shared secret rx + isis_enable: "EVPN_UNDERLAY" + isis_authentication: + level_1: + mode: shared-secret + shared_secret: + profile: profile2 + algorithm: sha-1 + rx_disabled: true + level_2: + mode: shared-secret + shared_secret: + profile: profile1 + algorithm: sha-256 + rx_disabled: true # MCAST Configuration @@ -113,6 +225,19 @@ vlan_interfaces: hello: count: 3.5 interval: 10 + # Test isis auth l1l2 sha rx + isis_enable: "EVPN_UNDERLAY" + isis_authentication: + level_1: + mode: sha + sha: + key_id: 5 + rx_disabled: true + level_2: + mode: sha + sha: + key_id: 10 + rx_disabled: true # Helpers on SVI @@ -161,6 +286,13 @@ vlan_interfaces: source_interface: Loopback0 - ip_helper: 10.10.64.150 source_interface: Loopback0 + # Test isis auth l1l2 sha + isis_enable: "EVPN_UNDERLAY" + isis_authentication: + level_1: + mode: sha + sha: + key_id: 5 - name: Vlan43 description: SVI Description 
@@ -171,6 +303,55 @@ vlan_interfaces: vrf: TEST local_interface: Loopback44 link_address: a0::4 + isis_authentication: + both: + key_ids: + - id: 2 + algorithm: sha-512 + key_type: 0 + key: password + rfc_5310: false + - id: 3 + algorithm: sha-512 + key_type: 0 + key: password1 + rfc_5310: true + level_1: + key_ids: + - id: 1 + algorithm: sha-1 + key_type: 0 + key: password + rfc_5310: false + - id: 4 + algorithm: sha-1 + key_type: 0 + key: password + rfc_5310: true + - id: 3 + algorithm: sha-1 + key_type: 0 + key: password3 + - id: 5 + algorithm: sha-1 + key_type: 0 + key: password3 + level_2: + key_ids: + - id: 1 + algorithm: sha-1 + key_type: 0 + key: password + rfc_5310: false + - id: 5 + algorithm: sha-1 + key_type: 0 + key: password + rfc_5310: true + - id: 3 + algorithm: sha-1 + key_type: 0 + key: password2 - name: Vlan44 description: SVI Description @@ -201,6 +382,12 @@ vlan_interfaces: static: - original_ip: 3.0.0.1 translated_ip: 4.0.0.1 + isis_authentication: + level_2: + key_type: 0 + key: password + mode: text + rx_disabled: true # IPv6 SVI configuration diff --git a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-BL1A.md b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-BL1A.md index 27f5300b0fd..dc6ec463f7d 100644 --- a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-BL1A.md +++ b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-BL1A.md 
@@ -467,9 +467,9 @@ interface Loopback1 ##### ISIS -| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | -| --------- | ------------- | -------- | ----------- | ---- | -| Vlan4093 | EVPN_UNDERLAY | True | 50 | point-to-point | +| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | ISIS Authentication Mode | +| --------- | ------------- | -------- | ----------- | ---- | ------------------------ | +| Vlan4093 | EVPN_UNDERLAY | True | 50 | point-to-point | - | #### VLAN Interfaces Device Configuration diff --git a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-BL1B.md b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-BL1B.md index 18e9b6271b5..90058586fa5 100644 --- a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-BL1B.md +++ b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-BL1B.md @@ -452,9 +452,9 @@ interface Loopback1 ##### ISIS -| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | -| --------- | ------------- | -------- | ----------- | ---- | -| Vlan4093 | EVPN_UNDERLAY | True | 50 | point-to-point | +| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | ISIS Authentication Mode | +| --------- | ------------- | -------- | ----------- | ---- | ------------------------ | +| Vlan4093 | EVPN_UNDERLAY | True | 50 | point-to-point | - | #### VLAN Interfaces Device Configuration diff --git a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-LEAF2A.md b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-LEAF2A.md index 2f9113a50b3..b9fe50b4171 100644 --- a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-LEAF2A.md 
+++ b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-LEAF2A.md @@ -467,9 +467,9 @@ interface Loopback10 ##### ISIS -| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | -| --------- | ------------- | -------- | ----------- | ---- | -| Vlan4093 | EVPN_UNDERLAY | True | 50 | point-to-point | +| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | ISIS Authentication Mode | +| --------- | ------------- | -------- | ----------- | ---- | ------------------------ | +| Vlan4093 | EVPN_UNDERLAY | True | 50 | point-to-point | - | #### VLAN Interfaces Device Configuration diff --git a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-LEAF2B.md b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-LEAF2B.md index b5bce0b50c4..3b084431e62 100644 --- a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-LEAF2B.md +++ b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-LEAF2B.md @@ -467,9 +467,9 @@ interface Loopback10 ##### ISIS -| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | -| --------- | ------------- | -------- | ----------- | ---- | -| Vlan4093 | EVPN_UNDERLAY | True | 50 | point-to-point | +| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | ISIS Authentication Mode | +| --------- | ------------- | -------- | ----------- | ---- | ------------------------ | +| Vlan4093 | EVPN_UNDERLAY | True | 50 | point-to-point | - | #### VLAN Interfaces Device Configuration diff --git a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-SVC3A.md b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-SVC3A.md index 216e81ecc67..f2227753fea 100644 
--- a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-SVC3A.md +++ b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-SVC3A.md @@ -466,9 +466,9 @@ interface Loopback1 ##### ISIS -| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | -| --------- | ------------- | -------- | ----------- | ---- | -| Vlan4094 | EVPN_UNDERLAY | True | 50 | point-to-point | +| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | ISIS Authentication Mode | +| --------- | ------------- | -------- | ----------- | ---- | ------------------------ | +| Vlan4094 | EVPN_UNDERLAY | True | 50 | point-to-point | - | #### VLAN Interfaces Device Configuration diff --git a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-SVC3B.md b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-SVC3B.md index 8bc359be02c..61bce37e328 100644 --- a/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-SVC3B.md +++ b/ansible_collections/arista/avd/molecule/evpn_underlay_isis_overlay_ibgp/documentation/devices/DC1-SVC3B.md @@ -466,9 +466,9 @@ interface Loopback1 ##### ISIS -| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | -| --------- | ------------- | -------- | ----------- | ---- | -| Vlan4094 | EVPN_UNDERLAY | True | 50 | point-to-point | +| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | ISIS Authentication Mode | +| --------- | ------------- | -------- | ----------- | ---- | ------------------------ | +| Vlan4094 | EVPN_UNDERLAY | True | 50 | point-to-point | - | #### VLAN Interfaces Device Configuration diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/router-isis.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/router-isis.md index bfecb34b22a..ca89fa7e776 100644 
--- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/router-isis.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/router-isis.md @@ -27,8 +27,8 @@ | [        timeout](## "router_isis.set_overload_bit.on_startup.wait_for_bgp.timeout") | Integer | | | | Number of seconds. | | [  authentication](## "router_isis.authentication") | Dictionary | | | | | | [    both](## "router_isis.authentication.both") | Dictionary | | | | Authentication settings for level-1 and level-2. 'both' takes precedence over 'level_1' and 'level_2' settings. | - | [      key_type](## "router_isis.authentication.both.key_type") | String | | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. Default key_id is 0. | - | [      key](## "router_isis.authentication.both.key") | String | | | | Password string. | + | [      key_type](## "router_isis.authentication.both.key_type") | String | | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. | + | [      key](## "router_isis.authentication.both.key") | String | | | | Password string. `key_type` is required for this setting. | | [      key_ids](## "router_isis.authentication.both.key_ids") | List, items: Dictionary | | | | | | [        - id](## "router_isis.authentication.both.key_ids.[].id") | Integer | Required, Unique | | Min: 1
Max: 65535 | Configure authentication key-id. | | [          algorithm](## "router_isis.authentication.both.key_ids.[].algorithm") | String | Required | | Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | @@ -41,10 +41,10 @@ | [      shared_secret](## "router_isis.authentication.both.shared_secret") | Dictionary | | | | Required settings for authentication mode 'shared_secret'. | | [        profile](## "router_isis.authentication.both.shared_secret.profile") | String | Required | | | | | [        algorithm](## "router_isis.authentication.both.shared_secret.algorithm") | String | Required | | Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | - | [      rx_disabled](## "router_isis.authentication.both.rx_disabled") | Boolean | | | | | + | [      rx_disabled](## "router_isis.authentication.both.rx_disabled") | Boolean | | | | Disable authentication check on the receive side. | | [    level_1](## "router_isis.authentication.level_1") | Dictionary | | | | Authentication settings for level-1. 'both' takes precedence over 'level_1' and 'level_2' settings. | - | [      key_type](## "router_isis.authentication.level_1.key_type") | String | | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. Default key_id is 0. | - | [      key](## "router_isis.authentication.level_1.key") | String | | | | Password string. | + | [      key_type](## "router_isis.authentication.level_1.key_type") | String | | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. | + | [      key](## "router_isis.authentication.level_1.key") | String | | | | Password string. `key_type` is required for this setting. | | [      key_ids](## "router_isis.authentication.level_1.key_ids") | List, items: Dictionary | | | | | | [        - id](## "router_isis.authentication.level_1.key_ids.[].id") | Integer | Required, Unique | | Min: 1
Max: 65535 | Configure authentication key-id. | | [          algorithm](## "router_isis.authentication.level_1.key_ids.[].algorithm") | String | Required | | Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | @@ -57,10 +57,10 @@ | [      shared_secret](## "router_isis.authentication.level_1.shared_secret") | Dictionary | | | | Required settings for authentication mode 'shared_secret'. | | [        profile](## "router_isis.authentication.level_1.shared_secret.profile") | String | Required | | | | | [        algorithm](## "router_isis.authentication.level_1.shared_secret.algorithm") | String | Required | | Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | - | [      rx_disabled](## "router_isis.authentication.level_1.rx_disabled") | Boolean | | | | | + | [      rx_disabled](## "router_isis.authentication.level_1.rx_disabled") | Boolean | | | | Disable authentication check on the receive side. | | [    level_2](## "router_isis.authentication.level_2") | Dictionary | | | | Authentication settings for level-2. 'both' takes precedence over 'level_1' and 'level_2' settings. | - | [      key_type](## "router_isis.authentication.level_2.key_type") | String | | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. Default key_id is 0. | - | [      key](## "router_isis.authentication.level_2.key") | String | | | | Password string. | + | [      key_type](## "router_isis.authentication.level_2.key_type") | String | | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. | + | [      key](## "router_isis.authentication.level_2.key") | String | | | | Password string. `key_type` is required for this setting. | | [      key_ids](## "router_isis.authentication.level_2.key_ids") | List, items: Dictionary | | | | | | [        - id](## "router_isis.authentication.level_2.key_ids.[].id") | Integer | Required, Unique | | Min: 1
Max: 65535 | Configure authentication key-id. | | [          algorithm](## "router_isis.authentication.level_2.key_ids.[].algorithm") | String | Required | | Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | @@ -73,7 +73,7 @@ | [      shared_secret](## "router_isis.authentication.level_2.shared_secret") | Dictionary | | | | Required settings for authentication mode 'shared_secret'. | | [        profile](## "router_isis.authentication.level_2.shared_secret.profile") | String | Required | | | | | [        algorithm](## "router_isis.authentication.level_2.shared_secret.algorithm") | String | Required | | Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | - | [      rx_disabled](## "router_isis.authentication.level_2.rx_disabled") | Boolean | | | | | + | [      rx_disabled](## "router_isis.authentication.level_2.rx_disabled") | Boolean | | | | Disable authentication check on the receive side. | | [  advertise](## "router_isis.advertise") | Dictionary | | | | | | [    passive_only](## "router_isis.advertise.passive_only") | Boolean | | | | | | [  redistribute_routes](## "router_isis.redistribute_routes") | List, items: Dictionary | | | | | @@ -163,10 +163,10 @@ # Authentication settings for level-1 and level-2. 'both' takes precedence over 'level_1' and 'level_2' settings. both: - # Configure authentication key type. Default key_id is 0. + # Configure authentication key type. key_type: - # Password string. + # Password string. `key_type` is required for this setting. key: key_ids: @@ -194,15 +194,17 @@ shared_secret: profile: algorithm: + + # Disable authentication check on the receive side. rx_disabled: # Authentication settings for level-1. 'both' takes precedence over 'level_1' and 'level_2' settings. level_1: - # Configure authentication key type. Default key_id is 0. + # Configure authentication key type. key_type: - # Password string. + # Password string. `key_type` is required for this setting. key: key_ids: @@ -230,15 +232,17 @@ shared_secret: profile: algorithm: + + # Disable authentication check on the receive side. rx_disabled: # Authentication settings for level-2. 'both' takes precedence over 'level_1' and 'level_2' settings. level_2: - # Configure authentication key type. Default key_id is 0. + # Configure authentication key type. key_type: - # Password string. + # Password string. `key_type` is required for this setting. key: key_ids: @@ -266,6 +270,8 @@ shared_secret: profile: algorithm: + + # Disable authentication check on the receive side. rx_disabled: advertise: passive_only: 
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/vlan-interfaces.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/vlan-interfaces.md index 340f8c05327..64116a93aa3 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/vlan-interfaces.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/vlan-interfaces.md @@ -156,6 +156,55 @@ | [    isis_passive](## "vlan_interfaces.[].isis_passive") | Boolean | | | | | | [    isis_metric](## "vlan_interfaces.[].isis_metric") | Integer | | | | | | [    isis_network_point_to_point](## "vlan_interfaces.[].isis_network_point_to_point") | Boolean | | | | | + | [    isis_authentication](## "vlan_interfaces.[].isis_authentication") | Dictionary | | | | | + | [      both](## "vlan_interfaces.[].isis_authentication.both") | Dictionary | | | | Authentication settings for level-1 and level-2. 'both' takes precedence over 'level_1' and 'level_2' settings. | + | [        key_type](## "vlan_interfaces.[].isis_authentication.both.key_type") | String | | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. | + | [        key](## "vlan_interfaces.[].isis_authentication.both.key") | String | | | | Password string. `key_type` is required for this setting. | + | [        key_ids](## "vlan_interfaces.[].isis_authentication.both.key_ids") | List, items: Dictionary | | | | | + | [          - id](## "vlan_interfaces.[].isis_authentication.both.key_ids.[].id") | Integer | Required, Unique | | Min: 1
Max: 65535 | Configure authentication key-id. | + | [            algorithm](## "vlan_interfaces.[].isis_authentication.both.key_ids.[].algorithm") | String | Required | | Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | + | [            key_type](## "vlan_interfaces.[].isis_authentication.both.key_ids.[].key_type") | String | Required | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. | + | [            key](## "vlan_interfaces.[].isis_authentication.both.key_ids.[].key") | String | Required | | | Password string. | + | [            rfc_5310](## "vlan_interfaces.[].isis_authentication.both.key_ids.[].rfc_5310") | Boolean | | | | SHA digest computation according to rfc5310. | + | [        mode](## "vlan_interfaces.[].isis_authentication.both.mode") | String | | | Valid Values:
- md5
- sha
- text
- shared-secret | Authentication mode. | + | [        sha](## "vlan_interfaces.[].isis_authentication.both.sha") | Dictionary | | | | Required settings for authentication mode 'sha'. | + | [          key_id](## "vlan_interfaces.[].isis_authentication.both.sha.key_id") | Integer | Required | | Min: 1
Max: 65535 | | + | [        shared_secret](## "vlan_interfaces.[].isis_authentication.both.shared_secret") | Dictionary | | | | Required settings for authentication mode 'shared_secret'. | + | [          profile](## "vlan_interfaces.[].isis_authentication.both.shared_secret.profile") | String | Required | | | | + | [          algorithm](## "vlan_interfaces.[].isis_authentication.both.shared_secret.algorithm") | String | Required | | Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | + | [        rx_disabled](## "vlan_interfaces.[].isis_authentication.both.rx_disabled") | Boolean | | | | Disable authentication check on the receive side. | + | [      level_1](## "vlan_interfaces.[].isis_authentication.level_1") | Dictionary | | | | Authentication settings for level-1. 'both' takes precedence over 'level_1' and 'level_2' settings. | + | [        key_type](## "vlan_interfaces.[].isis_authentication.level_1.key_type") | String | | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. | + | [        key](## "vlan_interfaces.[].isis_authentication.level_1.key") | String | | | | Password string. `key_type` is required for this setting. | + | [        key_ids](## "vlan_interfaces.[].isis_authentication.level_1.key_ids") | List, items: Dictionary | | | | | + | [          - id](## "vlan_interfaces.[].isis_authentication.level_1.key_ids.[].id") | Integer | Required, Unique | | Min: 1
Max: 65535 | Configure authentication key-id. | + | [            algorithm](## "vlan_interfaces.[].isis_authentication.level_1.key_ids.[].algorithm") | String | Required | | Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | + | [            key_type](## "vlan_interfaces.[].isis_authentication.level_1.key_ids.[].key_type") | String | Required | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. | + | [            key](## "vlan_interfaces.[].isis_authentication.level_1.key_ids.[].key") | String | Required | | | Password string. | + | [            rfc_5310](## "vlan_interfaces.[].isis_authentication.level_1.key_ids.[].rfc_5310") | Boolean | | | | SHA digest computation according to rfc5310. | + | [        mode](## "vlan_interfaces.[].isis_authentication.level_1.mode") | String | | | Valid Values:
- md5
- sha
- text
- shared-secret | Authentication mode. | + | [        sha](## "vlan_interfaces.[].isis_authentication.level_1.sha") | Dictionary | | | | Required settings for authentication mode 'sha'. | + | [          key_id](## "vlan_interfaces.[].isis_authentication.level_1.sha.key_id") | Integer | Required | | Min: 1
Max: 65535 | | + | [        shared_secret](## "vlan_interfaces.[].isis_authentication.level_1.shared_secret") | Dictionary | | | | Required settings for authentication mode 'shared_secret'. | + | [          profile](## "vlan_interfaces.[].isis_authentication.level_1.shared_secret.profile") | String | Required | | | | + | [          algorithm](## "vlan_interfaces.[].isis_authentication.level_1.shared_secret.algorithm") | String | Required | | Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | + | [        rx_disabled](## "vlan_interfaces.[].isis_authentication.level_1.rx_disabled") | Boolean | | | | Disable authentication check on the receive side. | + | [      level_2](## "vlan_interfaces.[].isis_authentication.level_2") | Dictionary | | | | Authentication settings for level-2. 'both' takes precedence over 'level_1' and 'level_2' settings. | + | [        key_type](## "vlan_interfaces.[].isis_authentication.level_2.key_type") | String | | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. | + | [        key](## "vlan_interfaces.[].isis_authentication.level_2.key") | String | | | | Password string. `key_type` is required for this setting. | + | [        key_ids](## "vlan_interfaces.[].isis_authentication.level_2.key_ids") | List, items: Dictionary | | | | | + | [          - id](## "vlan_interfaces.[].isis_authentication.level_2.key_ids.[].id") | Integer | Required, Unique | | Min: 1
Max: 65535 | Configure authentication key-id. | + | [            algorithm](## "vlan_interfaces.[].isis_authentication.level_2.key_ids.[].algorithm") | String | Required | | Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | + | [            key_type](## "vlan_interfaces.[].isis_authentication.level_2.key_ids.[].key_type") | String | Required | | Valid Values:
- 0
- 7
- 8a | Configure authentication key type. | + | [            key](## "vlan_interfaces.[].isis_authentication.level_2.key_ids.[].key") | String | Required | | | Password string. | + | [            rfc_5310](## "vlan_interfaces.[].isis_authentication.level_2.key_ids.[].rfc_5310") | Boolean | | | | SHA digest computation according to rfc5310. | + | [        mode](## "vlan_interfaces.[].isis_authentication.level_2.mode") | String | | | Valid Values:
- md5
- sha
- text
- shared-secret | Authentication mode. | + | [        sha](## "vlan_interfaces.[].isis_authentication.level_2.sha") | Dictionary | | | | Required settings for authentication mode 'sha'. | + | [          key_id](## "vlan_interfaces.[].isis_authentication.level_2.sha.key_id") | Integer | Required | | Min: 1
Max: 65535 | | + | [        shared_secret](## "vlan_interfaces.[].isis_authentication.level_2.shared_secret") | Dictionary | | | | Required settings for authentication mode 'shared_secret'. | + | [          profile](## "vlan_interfaces.[].isis_authentication.level_2.shared_secret.profile") | String | Required | | | | + | [          algorithm](## "vlan_interfaces.[].isis_authentication.level_2.shared_secret.algorithm") | String | Required | | Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512 | | + | [        rx_disabled](## "vlan_interfaces.[].isis_authentication.level_2.rx_disabled") | Boolean | | | | Disable authentication check on the receive side. | | [    mtu](## "vlan_interfaces.[].mtu") | Integer | | | | | | [    no_autostate](## "vlan_interfaces.[].no_autostate") | Boolean | | | | | | [    vrrp_ids](## "vlan_interfaces.[].vrrp_ids") | List, items: Dictionary | | | | Improved "vrrp" data model to support multiple VRRP IDs. | 
@@ -500,6 +549,121 @@ isis_passive: isis_metric: isis_network_point_to_point: + isis_authentication: + + # Authentication settings for level-1 and level-2. 'both' takes precedence over 'level_1' and 'level_2' settings. + both: + + # Configure authentication key type. + key_type: + + # Password string. `key_type` is required for this setting. + key: + key_ids: + + # Configure authentication key-id. + - id: + algorithm: + + # Configure authentication key type. + key_type: + + # Password string. + key: + + # SHA digest computation according to rfc5310. + rfc_5310: + + # Authentication mode. + mode: + + # Required settings for authentication mode 'sha'. + sha: + key_id: + + # Required settings for authentication mode 'shared_secret'. + shared_secret: + profile: + algorithm: + + # Disable authentication check on the receive side. + rx_disabled: + + # Authentication settings for level-1. 'both' takes precedence over 'level_1' and 'level_2' settings. + level_1: + + # Configure authentication key type. + key_type: + + # Password string. `key_type` is required for this setting. + key: + key_ids: + + # Configure authentication key-id. + - id: + algorithm: + + # Configure authentication key type. + key_type: + + # Password string. + key: + + # SHA digest computation according to rfc5310. + rfc_5310: + + # Authentication mode. + mode: + + # Required settings for authentication mode 'sha'. + sha: + key_id: + + # Required settings for authentication mode 'shared_secret'. + shared_secret: + profile: + algorithm: + + # Disable authentication check on the receive side. + rx_disabled: + + # Authentication settings for level-2. 'both' takes precedence over 'level_1' and 'level_2' settings. + level_2: + + # Configure authentication key type. + key_type: + + # Password string. `key_type` is required for this setting. + key: + key_ids: + + # Configure authentication key-id. + - id: + algorithm: + + # Configure authentication key type. + key_type: + + # Password string. 
+ key: + + # SHA digest computation according to rfc5310. + rfc_5310: + + # Authentication mode. + mode: + + # Required settings for authentication mode 'sha'. + sha: + key_id: + + # Required settings for authentication mode 'shared_secret'. + shared_secret: + profile: + algorithm: + + # Disable authentication check on the receive side. + rx_disabled: mtu: no_autostate: diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/vlan-interfaces.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/vlan-interfaces.j2 index 87d994c6dd3..a5e71268ab4 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/vlan-interfaces.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/vlan-interfaces.j2 @@ -139,9 +139,18 @@ ##### ISIS -| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | -| --------- | ------------- | -------- | ----------- | ---- | +| Interface | ISIS Instance | ISIS BFD | ISIS Metric | Mode | ISIS Authentication Mode | +| --------- | ------------- | -------- | ----------- | ---- | ------------------------ | {% for vlan_interface in vlan_interfaces | arista.avd.natural_sort('name') %} +{% if vlan_interface.isis_authentication.both.mode is arista.avd.defined %} +{% set isis_authentication_mode = vlan_interface.isis_authentication.both.mode %} +{% elif vlan_interface.isis_authentication.level_1.mode is arista.avd.defined and vlan_interface.isis_authentication.level_2.mode is arista.avd.defined %} +{% set isis_authentication_mode = "Level-1: " ~ vlan_interface.isis_authentication.level_1.mode ~ "
" ~ "Level-2: " ~ vlan_interface.isis_authentication.level_2.mode %} +{% elif vlan_interface.isis_authentication.level_1.mode is arista.avd.defined %} +{% set isis_authentication_mode = "Level-1: " ~ vlan_interface.isis_authentication.level_1.mode %} +{% elif vlan_interface.isis_authentication.level_2.mode is arista.avd.defined %} +{% set isis_authentication_mode = "Level-2: " ~ vlan_interface.isis_authentication.level_2.mode %} +{% endif %} {% if vlan_interface.isis_enable is arista.avd.defined %} {% set isis_metric = vlan_interface.isis_metric | arista.avd.default('-') %} {% if vlan_interface.isis_network_point_to_point is arista.avd.defined %} @@ -151,7 +160,7 @@ {% else %} {% set mode = "-" %} {% endif %} -| {{ vlan_interface.name }} | {{ vlan_interface.isis_enable }} | {{ vlan_interface.isis_bfd | arista.avd.default("-") }} | {{ isis_metric }} | {{ mode }} | +| {{ vlan_interface.name }} | {{ vlan_interface.isis_enable }} | {{ vlan_interface.isis_bfd | arista.avd.default("-") }} | {{ isis_metric }} | {{ mode }} | {{ isis_authentication_mode | arista.avd.default("-") }} | {% endif %} {% endfor %} {% endif %} diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/vlan-interfaces.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/vlan-interfaces.j2 index 87a2a5a8b45..d3f03471974 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/vlan-interfaces.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/vlan-interfaces.j2 
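Review bot: The new `ISIS Authentication Mode` column is filled from `isis_authentication.<level>.mode` alone, so the generated document can report a mode that the rendered device config does not contain. The EOS template in the next file of this patch only emits `isis authentication mode ...` when the mode's required sub-keys are present, e.g. `vlan_interface.isis_authentication.both.mode == "sha" and vlan_interface.isis_authentication.both.sha.key_id is arista.avd.defined`, and from the visible lines it emits nothing otherwise. An audit document should not show authentication as configured when it is not, so gate each branch here on the same conditions as the EOS template, or have the schema reject `mode: sha` / `mode: shared-secret` without their sub-keys. The column also hides `rx_disabled`, which turns off the receive-side check; appending it to the cell (for example `md5 (rx-disabled)`) would keep that visible to whoever reviews the document.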
@@ -306,6 +306,112 @@ interface {{ vlan_interface.name }} {% if vlan_interface.isis_network_point_to_point is arista.avd.defined(true) %} isis network point-to-point {% endif %} +{% if vlan_interface.isis_authentication.both.mode is arista.avd.defined + and (vlan_interface.isis_authentication.both.mode in ["md5", "text"] + or (vlan_interface.isis_authentication.both.mode == "sha" and vlan_interface.isis_authentication.both.sha.key_id is arista.avd.defined) + or (vlan_interface.isis_authentication.both.mode == "shared-secret" + and vlan_interface.isis_authentication.both.shared_secret.profile is arista.avd.defined + and vlan_interface.isis_authentication.both.shared_secret.algorithm is arista.avd.defined)) %} +{% set isis_auth_cli = "isis authentication mode " ~ vlan_interface.isis_authentication.both.mode %} +{% if vlan_interface.isis_authentication.both.mode == "sha" %} +{% set isis_auth_cli = isis_auth_cli ~ " key-id " ~ vlan_interface.isis_authentication.both.sha.key_id %} +{% elif vlan_interface.isis_authentication.both.mode == "shared-secret" %} +{% set isis_auth_cli = isis_auth_cli ~ " profile " ~ vlan_interface.isis_authentication.both.shared_secret.profile ~ " algorithm " ~ vlan_interface.isis_authentication.both.shared_secret.algorithm %} +{% endif %} +{% if vlan_interface.isis_authentication.both.rx_disabled is arista.avd.defined(true) %} +{% set isis_auth_cli = isis_auth_cli ~ " rx-disabled" %} +{% endif %} + {{ isis_auth_cli }} +{% else %} +{% if vlan_interface.isis_authentication.level_1.mode is arista.avd.defined + and (vlan_interface.isis_authentication.level_1.mode in ["md5", "text"] + or (vlan_interface.isis_authentication.level_1.mode == "sha" and vlan_interface.isis_authentication.level_1.sha.key_id is arista.avd.defined) + or (vlan_interface.isis_authentication.level_1.mode == "shared-secret" + and vlan_interface.isis_authentication.level_1.shared_secret.profile is arista.avd.defined + and 
vlan_interface.isis_authentication.level_1.shared_secret.algorithm is arista.avd.defined)) %} +{% set isis_auth_cli = "isis authentication mode " ~ vlan_interface.isis_authentication.level_1.mode %} +{% if vlan_interface.isis_authentication.level_1.mode == "sha" %} +{% set isis_auth_cli = isis_auth_cli ~ " key-id " ~ vlan_interface.isis_authentication.level_1.sha.key_id %} +{% elif vlan_interface.isis_authentication.level_1.mode == "shared-secret" %} +{% set isis_auth_cli = isis_auth_cli ~ " profile " ~ vlan_interface.isis_authentication.level_1.shared_secret.profile ~ " algorithm " ~ vlan_interface.isis_authentication.level_1.shared_secret.algorithm %} +{% endif %} +{% if vlan_interface.isis_authentication.level_1.rx_disabled is arista.avd.defined(true) %} +{% set isis_auth_cli = isis_auth_cli ~ " rx-disabled" %} +{% endif %} + {{ isis_auth_cli }} level-1 +{% endif %} +{% if vlan_interface.isis_authentication.level_2.mode is arista.avd.defined + and (vlan_interface.isis_authentication.level_2.mode in ["md5", "text"] + or (vlan_interface.isis_authentication.level_2.mode == "sha" and vlan_interface.isis_authentication.level_2.sha.key_id is arista.avd.defined) + or (vlan_interface.isis_authentication.level_2.mode == "shared-secret" + and vlan_interface.isis_authentication.level_2.shared_secret.profile is arista.avd.defined + and vlan_interface.isis_authentication.level_2.shared_secret.algorithm is arista.avd.defined)) %} +{% set isis_auth_cli = "isis authentication mode " ~ vlan_interface.isis_authentication.level_2.mode %} +{% if vlan_interface.isis_authentication.level_2.mode == "sha" %} +{% set isis_auth_cli = isis_auth_cli ~ " key-id " ~ vlan_interface.isis_authentication.level_2.sha.key_id %} +{% elif vlan_interface.isis_authentication.level_2.mode == "shared-secret" %} +{% set isis_auth_cli = isis_auth_cli ~ " profile " ~ vlan_interface.isis_authentication.level_2.shared_secret.profile ~ " algorithm " ~ 
vlan_interface.isis_authentication.level_2.shared_secret.algorithm %} +{% endif %} +{% if vlan_interface.isis_authentication.level_2.rx_disabled is arista.avd.defined(true) %} +{% set isis_auth_cli = isis_auth_cli ~ " rx-disabled" %} +{% endif %} + {{ isis_auth_cli }} level-2 +{% endif %} +{% endif %} +{% if vlan_interface.isis_authentication is arista.avd.defined %} +{% set both_key_ids = [] %} +{% if vlan_interface.isis_authentication.both.key_ids is arista.avd.defined %} +{% for auth_key in vlan_interface.isis_authentication.both.key_ids | arista.avd.natural_sort("id") %} +{% if auth_key.id is arista.avd.defined + and auth_key.algorithm is arista.avd.defined + and auth_key.key_type is arista.avd.defined + and auth_key.key is arista.avd.defined %} +{% do both_key_ids.append(auth_key.id) %} +{% if auth_key.rfc_5310 is arista.avd.defined(true) %} + isis authentication key-id {{ auth_key.id }} algorithm {{ auth_key.algorithm }} rfc-5310 key {{ auth_key.key_type }} {{ auth_key.key }} +{% else %} + isis authentication key-id {{ auth_key.id }} algorithm {{ auth_key.algorithm }} key {{ auth_key.key_type }} {{ auth_key.key }} +{% endif %} +{% endif %} +{% endfor %} +{% endif %} +{% for auth_key in vlan_interface.isis_authentication.level_1.key_ids | arista.avd.natural_sort("id") %} +{% if auth_key.id is arista.avd.defined + and auth_key.id not in both_key_ids + and auth_key.algorithm is arista.avd.defined + and auth_key.key_type is arista.avd.defined + and auth_key.key is arista.avd.defined %} +{% if auth_key.rfc_5310 is arista.avd.defined(true) %} + isis authentication key-id {{ auth_key.id }} algorithm {{ auth_key.algorithm }} rfc-5310 key {{ auth_key.key_type }} {{ auth_key.key }} level-1 +{% else %} + isis authentication key-id {{ auth_key.id }} algorithm {{ auth_key.algorithm }} key {{ auth_key.key_type }} {{ auth_key.key }} level-1 +{% endif %} +{% endif %} +{% endfor %} +{% for auth_key in vlan_interface.isis_authentication.level_2.key_ids | 
arista.avd.natural_sort("id") %} +{% if auth_key.id is arista.avd.defined + and auth_key.id not in both_key_ids + and auth_key.algorithm is arista.avd.defined + and auth_key.key_type is arista.avd.defined + and auth_key.key is arista.avd.defined %} +{% if auth_key.rfc_5310 is arista.avd.defined(true) %} + isis authentication key-id {{ auth_key.id }} algorithm {{ auth_key.algorithm }} rfc-5310 key {{ auth_key.key_type }} {{ auth_key.key }} level-2 +{% else %} + isis authentication key-id {{ auth_key.id }} algorithm {{ auth_key.algorithm }} key {{ auth_key.key_type }} {{ auth_key.key }} level-2 +{% endif %} +{% endif %} +{% endfor %} +{% if vlan_interface.isis_authentication.both.key_type is arista.avd.defined and vlan_interface.isis_authentication.both.key is arista.avd.defined %} + isis authentication key {{ vlan_interface.isis_authentication.both.key_type }} {{ vlan_interface.isis_authentication.both.key }} +{% else %} +{% if vlan_interface.isis_authentication.level_1.key_type is arista.avd.defined and vlan_interface.isis_authentication.level_1.key is arista.avd.defined %} + isis authentication key {{ vlan_interface.isis_authentication.level_1.key_type }} {{ vlan_interface.isis_authentication.level_1.key }} level-1 +{% endif %} +{% if vlan_interface.isis_authentication.level_2.key_type is arista.avd.defined and vlan_interface.isis_authentication.level_2.key is arista.avd.defined %} + isis authentication key {{ vlan_interface.isis_authentication.level_2.key_type }} {{ vlan_interface.isis_authentication.level_2.key }} level-2 +{% endif %} +{% endif %} +{% endif %} {% if vlan_interface.vrrp_ids is arista.avd.defined %} {% for vrid in vlan_interface.vrrp_ids | arista.avd.natural_sort('id') if vrid.id is arista.avd.defined %} {% if vrid.priority_level is arista.avd.defined %} 
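Review bot: The `both` branch only wins when its mode is also complete, so `mode: sha` without `sha.key_id` (or `shared-secret` without `profile`/`algorithm`) under `both` falls into the `{% else %}` and renders the level-1/level-2 modes, or nothing at all, with no error. That contradicts the schema text that 'both' takes precedence, and it fails open: the interface gets no `isis authentication mode` line while the documentation template in this patch still prints the configured mode in its new column. I would gate the branch on `{% if vlan_interface.isis_authentication.both.mode is arista.avd.defined %}` alone, do the completeness check inside it, and turn incomplete input into a schema or validation error instead of a silent skip. The same silent skip applies to `key_ids` entries missing `algorithm`, `key_type` or `key`; the enclosing per-interface loop starts outside this hunk.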
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml index 82b8d757eb2..e1f03b65e6c 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml @@ -14336,11 +14336,10 @@ keys: - '0' - '7' - 8a - description: Configure authentication key type. Default key_id is - 0. + description: Configure authentication key type. key: type: str - description: Password string. + description: Password string. `key_type` is required for this setting. key_ids: type: list primary_key: id @@ -14419,6 +14418,7 @@ keys: - sha-512 rx_disabled: type: bool + description: Disable authentication check on the receive side. level_1: type: dict description: Authentication settings for level-1. 'both' takes precedence @@ -17700,6 +17700,9 @@ keys: - str isis_network_point_to_point: type: bool + isis_authentication: + type: dict + $ref: eos_cli_config_gen#/keys/router_isis/keys/authentication mtu: type: int convert_types: diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/router_isis.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/router_isis.schema.yml index 89f7bcf569b..436b1b49851 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/router_isis.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/router_isis.schema.yml @@ -82,10 +82,10 @@ keys: - '0' - '7' - '8a' - description: Configure authentication key type. Default key_id is 0. + description: Configure authentication key type. key: type: str - description: Password string. + description: Password string. `key_type` is required for this setting. key_ids: type: list primary_key: id 
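Review bot: The reworded `key_type` and `key` descriptions in the `@@ -82,10 +82,10 @@` hunk of router_isis.schema.yml still do not say what the three accepted values mean, and the templates in this patch print `key` verbatim into the device config. If the EOS types are what I expect ('0' cleartext, '7' reversible obfuscation, '8a' encrypted), a user who picks '0' puts the IS-IS secret in plain text in the inventory and in every rendered config. I would extend the description once the meanings are confirmed, e.g. `description: Configure authentication key type. '0' is cleartext; prefer '8a'.` eos_cli_config_gen.schema.yml carries the same text in its `@@ -14336,11 +14336,10 @@` hunk.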
@@ -164,6 +164,7 @@ keys: - sha-512 rx_disabled: type: bool + description: Disable authentication check on the receive side. level_1: type: dict description: Authentication settings for level-1. 'both' takes precedence over 'level_1' and 'level_2' settings. diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/vlan_interfaces.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/vlan_interfaces.schema.yml index 46bc4d23038..b034967de75 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/vlan_interfaces.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/vlan_interfaces.schema.yml @@ -432,6 +432,9 @@ keys: - str isis_network_point_to_point: type: bool + isis_authentication: + type: dict + $ref: "eos_cli_config_gen#/keys/router_isis/keys/authentication" mtu: type: int convert_types: From 3cc019521a80cb56385f4ae05389085c8eea1dc2 Mon Sep 17 00:00:00 2001 
From: Guillaume Mulocher Date: Wed, 21 Aug 2024 10:03:34 +0200 Subject: [PATCH 4/4] Fix(eos_cli_config_gen): Sort IPsec SA, IKE policies and profiles (#4227) Co-authored-by: Claus Holbech --- .../documentation/devices/ip-security.md | 6 +++++ .../intended/configs/ip-security.cfg | 4 ++++ .../inventory/host_vars/ip-security.yml | 7 +++++- ...der-custom-control-plane-policy-edge-1.cfg | 18 +++++++------- ...der-custom-control-plane-policy-edge-2.cfg | 18 +++++++------- ...der-custom-control-plane-policy-edge-3.cfg | 18 +++++++------- ...-pathfinder-edge-custom-default-policy.cfg | 18 +++++++------- .../cv-pathfinder-edge-no-default-policy.cfg | 18 +++++++------- .../intended/configs/cv-pathfinder-edge.cfg | 18 +++++++------- .../intended/configs/cv-pathfinder-edge1.cfg | 18 +++++++------- .../intended/configs/cv-pathfinder-edge2A.cfg | 24 +++++++++---------- .../intended/configs/cv-pathfinder-edge2B.cfg | 24 +++++++++---------- .../intended/configs/cv-pathfinder-edge3A.cfg | 24 +++++++++---------- .../intended/configs/cv-pathfinder-edge3B.cfg | 24 +++++++++---------- .../configs/cv-pathfinder-transit1A.cfg | 18 +++++++------- .../configs/cv-pathfinder-transit1B.cfg | 18 +++++++------- .../j2templates/documentation/ip-security.j2 | 6 ++--- .../j2templates/eos/ip-security.j2 | 6 ++--- 18 files changed, 151 insertions(+), 136 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md index f4ae837efbe..aa47f4dcb9f 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md @@ -62,6 +62,7 @@ interface Management1 | SA-4 | md5 | 3des | - | - | | SA-5 | sha512 | - | - | - | | SA-6 | sha384 | - | - | - | +| SA-7 | - | - | - | - | ### IPSec profiles 
@@ -70,6 +71,7 @@ interface Management1 | Profile-1 | IKE-1 | SA-1 | start | - | - | - | transport | - | | Profile-2 | - | SA-2 | start | - | - | - | tunnel | False | | Profile-3 | - | SA-3 | start | - | - | - | tunnel | True | +| Profile-4 | - | - | - | - | - | - | - | - | ### Key controller @@ -122,6 +124,8 @@ ip security sa policy SA-6 esp integrity sha384 ! + sa policy SA-7 + ! profile Profile-1 ike-policy IKE-1 sa-policy SA-1 @@ -143,6 +147,8 @@ ip security flow parallelization encapsulation udp mode tunnel ! + profile Profile-4 + ! key controller profile Profile-1 hardware encryption disabled diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg index 4a33e4e8335..606a57670ca 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg @@ -40,6 +40,8 @@ ip security sa policy SA-6 esp integrity sha384 ! + sa policy SA-7 + ! profile Profile-1 ike-policy IKE-1 sa-policy SA-1 @@ -61,6 +63,8 @@ ip security flow parallelization encapsulation udp mode tunnel ! + profile Profile-4 + ! key controller profile Profile-1 hardware encryption disabled diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml index 87d93c88087..25c55f746e8 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml 
@@ -1,12 +1,13 @@ ### IP Security ### ip_security: ike_policies: + # Testing sorting + - name: IKE-2 - name: IKE-1 local_id: 192.168.100.1 ike_lifetime: 24 encryption: aes256 dh_group: 20 - - name: IKE-2 - name: IKE-FQDN local_id_fqdn: fqdn.local - name: IKE-UFQDN @@ -14,6 +15,8 @@ ip_security: # local_id won't be rendered as local_id_fqdn takes precedence local_id: 192.168.42.42 sa_policies: + # Testing sorting + - name: SA-7 - name: SA-1 esp: encryption: aes128 @@ -44,6 +47,8 @@ ip_security: esp: integrity: sha384 profiles: + # testing sorting + - name: Profile-4 - name: Profile-1 ike_policy: IKE-1 sa_policy: SA-1 diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-1.cfg index c1b0c945007..53323c98e1c 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-1.cfg @@ -108,21 +108,14 @@ ip security ike policy CP-IKE-POLICY local-id 192.168.142.1 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY @@ -131,6 +124,13 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! 
diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-2.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-2.cfg index 38ccedd709c..cd795d9a03e 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-2.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-2.cfg @@ -108,21 +108,14 @@ ip security ike policy CP-IKE-POLICY local-id 192.168.142.2 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY @@ -131,6 +124,13 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-3.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-3.cfg index 5473b026afc..ac3bd588de0 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-3.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-custom-control-plane-policy-edge-3.cfg 
@@ -108,21 +108,14 @@ ip security ike policy CP-IKE-POLICY local-id 192.168.142.3 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY @@ -131,6 +124,13 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-custom-default-policy.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-custom-default-policy.cfg index 83aabe89710..a92e1a28dc6 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-custom-default-policy.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-custom-default-policy.cfg @@ -120,21 +120,14 @@ ip security ike policy CP-IKE-POLICY local-id 192.168.255.1 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY 
@@ -143,6 +136,13 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg index 9df51905143..2ad94ff80d9 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg @@ -114,21 +114,14 @@ ip security ike policy CP-IKE-POLICY local-id 192.168.255.1 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY @@ -137,6 +130,13 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg index d9a733d02c8..e658aec376a 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg 
@@ -254,11 +254,11 @@ ip security encryption aes256 dh-group 24 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! @@ -268,13 +268,6 @@ ip security sa lifetime 8 hours pfs dh-group 24 ! - profile DP-PROFILE - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY @@ -283,6 +276,13 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! profile IE-ZSCALER-EXIT-POLICY-1-PROFILE ike-policy IE-ZSCALER-EXIT-POLICY-1-IKE-POLICY sa-policy IE-ZSCALER-EXIT-POLICY-1-SA-POLICY diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge1.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge1.cfg index 1886e8547ac..360d601745e 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge1.cfg @@ -259,11 +259,11 @@ ip security encryption aes256 dh-group 24 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! @@ -279,13 +279,6 @@ ip security sa lifetime 8 hours pfs dh-group 24 ! - profile DP-PROFILE - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY 
@@ -294,6 +287,13 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! profile IE-ZSCALER-EXIT-POLICY-1-PROFILE ike-policy IE-ZSCALER-EXIT-POLICY-1-IKE-POLICY sa-policy IE-ZSCALER-EXIT-POLICY-1-SA-POLICY diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2A.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2A.cfg index 27669e20e6e..aa51af63608 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2A.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2A.cfg @@ -175,28 +175,20 @@ vrf instance PROD ! ip security ! - ike policy DP-IKE-POLICY + ike policy CP-IKE-POLICY local-id 192.168.142.2 ! - ike policy CP-IKE-POLICY + ike policy DP-IKE-POLICY local-id 192.168.142.2 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - ike-policy DP-IKE-POLICY - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY @@ -205,6 +197,14 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + ike-policy DP-IKE-POLICY + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2B.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2B.cfg index 430ac9f54bd..73cba8e7f54 100644 
--- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2B.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge2B.cfg @@ -186,28 +186,20 @@ vrf instance PROD ! ip security ! - ike policy DP-IKE-POLICY + ike policy CP-IKE-POLICY local-id 192.168.142.3 ! - ike policy CP-IKE-POLICY + ike policy DP-IKE-POLICY local-id 192.168.142.3 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - ike-policy DP-IKE-POLICY - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY @@ -216,6 +208,14 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + ike-policy DP-IKE-POLICY + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge3A.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge3A.cfg index 7d3b93dac8f..3d2f41c25f7 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge3A.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge3A.cfg 
@@ -152,28 +152,20 @@ vrf instance PROD ! ip security ! - ike policy DP-IKE-POLICY + ike policy CP-IKE-POLICY local-id 192.168.142.6 ! - ike policy CP-IKE-POLICY + ike policy DP-IKE-POLICY local-id 192.168.142.6 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - ike-policy DP-IKE-POLICY - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY @@ -182,6 +174,14 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + ike-policy DP-IKE-POLICY + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge3B.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge3B.cfg index 6479b5780c0..fc6d0c0ee8b 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge3B.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge3B.cfg 
@@ -163,28 +163,20 @@ vrf instance PROD ! ip security ! - ike policy DP-IKE-POLICY + ike policy CP-IKE-POLICY local-id 192.168.142.7 ! - ike policy CP-IKE-POLICY + ike policy DP-IKE-POLICY local-id 192.168.142.7 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - ike-policy DP-IKE-POLICY - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY @@ -193,6 +185,14 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + ike-policy DP-IKE-POLICY + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1A.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1A.cfg index 985503a0979..061e07dad9b 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1A.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1A.cfg @@ -257,21 +257,14 @@ ip security ike policy CP-IKE-POLICY local-id 192.168.143.1 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY 
@@ -280,6 +273,13 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! diff --git a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1B.cfg b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1B.cfg index ffd3bffef64..ef02ebbe627 100644 --- a/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1B.cfg +++ b/ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1B.cfg @@ -238,21 +238,14 @@ ip security ike policy CP-IKE-POLICY local-id 192.168.143.2 ! - sa policy DP-SA-POLICY + sa policy CP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - sa policy CP-SA-POLICY + sa policy DP-SA-POLICY esp encryption aes256gcm128 pfs dh-group 14 ! - profile DP-PROFILE - sa-policy DP-SA-POLICY - connection start - shared-key 7 ABCDEF1234567890666 - dpd 10 50 clear - mode transport - ! profile CP-PROFILE ike-policy CP-IKE-POLICY sa-policy CP-SA-POLICY @@ -261,6 +254,13 @@ ip security dpd 10 50 clear mode transport ! + profile DP-PROFILE + sa-policy DP-SA-POLICY + connection start + shared-key 7 ABCDEF1234567890666 + dpd 10 50 clear + mode transport + ! key controller profile DP-PROFILE ! diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/ip-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/ip-security.j2 index aabcc77660b..d6753c834f7 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/ip-security.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/ip-security.j2 
@@ -17,7 +17,7 @@ | Policy name | IKE lifetime | Encryption | DH group | Local ID | | ----------- | ------------ | ---------- | -------- | -------- | -{% for ike_policy in ip_security.ike_policies | arista.avd.default([]) %} +{% for ike_policy in ip_security.ike_policies | arista.avd.natural_sort('name') %} | {{ ike_policy.name }} | {{ ike_policy.ike_lifetime | arista.avd.default("-") }} | {{ ike_policy.encryption | arista.avd.default("-") }} | {{ ike_policy.dh_group | arista.avd.default("-") }} | {{ ike_policy.local_id_fqdn | arista.avd.default(ike_policy.local_id, "-") }} | {% endfor %} {% endif %} @@ -27,7 +27,7 @@ | Policy name | ESP Integrity | ESP Encryption | Lifetime | PFS DH Group | | ----------- | ------------- | -------------- | -------- | ------------ | -{% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %} +{% for sa_policy in ip_security.sa_policies | arista.avd.natural_sort('name') %} {% if sa_policy.sa_lifetime.value is arista.avd.defined %} {% set lifetime = sa_policy.sa_lifetime.value ~ " " ~ sa_policy.sa_lifetime.unit | arista.avd.default("hours") %} {% endif %} @@ -40,7 +40,7 @@ | Profile name | IKE policy | SA policy | Connection | DPD Interval | DPD Time | DPD action | Mode | Flow Parallelization | | ------------ | ---------- | ----------| ---------- | ------------ | -------- | ---------- | ---- | -------------------- | -{% for profile in ip_security.profiles | arista.avd.default([]) %} +{% for profile in ip_security.profiles | arista.avd.natural_sort('name') %} {% set ike_policy = profile.ike_policy | arista.avd.default("-") %} {% set sa_policy = profile.sa_policy | arista.avd.default("-") %} {% set connection = profile.connection | arista.avd.default("-") %} diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ip-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ip-security.j2 index d9b47798724..ad2188df51f 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ip-security.j2 
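Review bot: The three table loops in documentation/ip-security.j2 (IKE policies, SA policies, profiles) now iterate in name order, but nothing in the template records that the ordering is deliberate. A one-line comment above the first loop, for example `{# Sorted by name so the tables list entries in the same order as the rendered 'ip security' config #}`, would keep a later edit from quietly going back to input order. The `{% if %}` blocks that enclose these loops start outside the hunks, so only the loop headers are reviewed here.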
+++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ip-security.j2 @@ -7,7 +7,7 @@ {% if ip_security is arista.avd.defined %} ! ip security -{% for ike_policy in ip_security.ike_policies | arista.avd.default([]) %} +{% for ike_policy in ip_security.ike_policies | arista.avd.natural_sort('name') %} ! ike policy {{ ike_policy.name }} {% if ike_policy.local_id_fqdn is arista.avd.defined %} @@ -25,7 +25,7 @@ ip security dh-group {{ ike_policy.dh_group }} {% endif %} {% endfor %} -{% for sa_policy in ip_security.sa_policies | arista.avd.default([]) %} +{% for sa_policy in ip_security.sa_policies | arista.avd.natural_sort('name') %} ! sa policy {{ sa_policy.name }} {% if sa_policy.esp.integrity is arista.avd.defined %} @@ -49,7 +49,7 @@ ip security pfs dh-group {{ sa_policy.pfs_dh_group }} {% endif %} {% endfor %} -{% for profile in ip_security.profiles | arista.avd.default([]) %} +{% for profile in ip_security.profiles | arista.avd.natural_sort('name') %} ! profile {{ profile.name }} {% if profile.ike_policy is arista.avd.defined %}
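Review bot: With `arista.avd.default([])` removed from the three loops in eos/ip-security.j2, an `ip_security` block that omits `ike_policies`, `sa_policies` or `profiles` now depends on `natural_sort` yielding an empty list for an undefined input, and unlike the documentation template no per-list `{% if %}` guard is visible around these loops. A test input that sets only one of the three keys would keep that empty case covered. Separately, the fixture diffs show the `ike policy`, `sa policy` and `profile` stanzas changing position, so existing deployments will presumably see the same movement on their next build; a release-note line stating that this is a reorder only would help reviewers of IPsec config diffs tell it apart from a policy change. The profile loop body continues outside the last hunk.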