WAN preview

Warning

The integration of WAN designs into the eos_designs role is in preview mode.

Everything is subject to change, is not supported and may not be complete.

If you have any questions, please leverage the GitHub discussions board.

Overview

The intention is to support both a single AutoVPN design and CV Pathfinder.

Design points

  • The intent is to be able to support having the different WAN participating devices in different inventories.
  • Only iBGP is supported as an overlay_routing_protocol.
  • On the AutoVPN Route Reflectors and Pathfinders, a listen range statement is used for BGP to allow for the first point above (WAN devices in different inventories).
  • The default VRF is configured by default on all WAN devices with a vni_id of 1. To override this, it is necessary to configure the default VRF in a tenant in network_services.
  • When configuring HA on a site, the path-group ID 65535 is reserved for the path-group called LAN_HA.
  • The policy definitions work as follows:

    • The policies are defined under wan_virtual_topologies.policies. For AutoVPN mode, the policies are configured under router path-selection, for CV Pathfinder, they are configured under router adaptive-virtual-topology.
    • A policy is composed of a list of application_virtual_topologies and one default_virtual_topology.
    • The application_virtual_topologies entries and the default_virtual_topology key are used to create the policy match statement, the AVT profile (when wan_mode is CV Pathfinder) and the load balancing policy.
    • The default_virtual_topology is used as the default match in the policy. To prevent configuring it, the drop_unmatched boolean must be set to true; otherwise, at least one path-group must be configured or AVD will raise an error.
    • Policies are assigned to VRFs using the list wan_virtual_topologies.vrfs. A policy can be reused in multiple VRFs.
    • If no policy is assigned to the default VRF, AVD auto-generates one with one default_virtual_topology entry configured to use all available local path-groups.
    • For the policy defined for VRF default (or the auto-generated one), an extra match statement is injected in the policy to match the traffic towards the Pathfinders or AutoVPN RRs. The name of the application-profile is hardcoded as CONTROL-PLANE-APPLICATION-PROFILE. A special policy is created by appending -WITH-CP at the end of the targeted policy name.

Known limitations

  • Zones are not configurable for CV Pathfinder. All sites are configured in a default zone DEFAULT-ZONE with ID 1.
  • Because of the previous point, in eos_designs, the transit node type is always configured as transit region.
  • For cv-pathfinder mode, the following flow-tracking configuration is applied without any customization possible:
    flow tracking hardware
       tracker WAN-FLOW-TRACKER
        record export on inactive timeout 70000
        record export on interval 5000
        exporter DPI-EXPORTER
         collector 127.0.0.1
         local interface Loopback0
         template interval 5000
    
  • No IPv6 support
  • For WAN interfaces, NAT IP on the Pathfinder side can be supported using the wan_route_servers.path_groups.interfaces key.
  • Path-group ID is currently required under wan_path_groups until an algorithm is implemented to auto generate IDs.

Future work

  • As of now, only the foundations of the eos_designs functionality for WAN are being introduced, without any support for LAN interfaces.
  • Auto generation of Path-group IDs and other IDs.
  • HA for sites will be covered in a future PR.

eos_cli_config_gen support

  • The eos_cli_config_gen schema should support all of the required keys to configure a WAN network, whether AutoVPN or Pathfinder. If you find any missing functionality, please open an issue on GitHub.

Input variables

Warning

All the keys in this section marked as PREVIEW or children of a key marked as PREVIEW are subject to change and are not supported.

New node types in L3LS eos_designs

  • wan_edge: Edge routers for AutoVPN or Pathfinder depending on the wan_mode value.
  • wan_transit: Transit routers in Pathfinder context, not supported for AutoVPN.
  • wan_rr: AutoVPN RR or Pathfinder depending on the wan_mode value.

The following table indicates the settings:

Node Type Key | Underlay Router | Uplink Type | Default EVPN Role | L2 Network Services | L3 Network Services | VTEP | MLAG Support | Connected Endpoints | Default WAN Role | Default CV Pathfinder Role
wan_rr | ✅ | p2p | server | ✘ | ✅ | ✅ | ✘ | ✘ | server | pathfinder
wan_edge | ✅ | p2p | client | ✘ | ✅ | ✅ | ✘ | ✘ | client | edge
wan_transit | ✅ | p2p | client | ✘ | ✅ | ✅ | ✘ | ✘ | client | transit region

All these node types are defined with default_underlay_routing_protocol: none and default_overlay_routing_protocol: ibgp.

WAN Settings

Top level keys

Variable Type Required Default Value Restrictions Description
wan_ipsec_profiles Dictionary PREVIEW: This key is currently not supported

Define IPsec profiles parameters for WAN configuration.
  control_plane Dictionary Required PREVIEW: This key is currently not supported
    ike_policy_name String CP-IKE-POLICY Name of the IKE policy.
    sa_policy_name String CP-SA-POLICY Name of the SA policy.
    profile_name String CP-PROFILE Name of the IPSec profile.
    shared_key String Required The IPSec shared key.
This variable is sensitive and SHOULD be configured using some vault mechanism.
  data_plane Dictionary If data_plane is not defined, control_plane information is used for both.
    ike_policy_name String DP-IKE-POLICY Name of the IKE policy.
    sa_policy_name String DP-SA-POLICY Name of the SA policy.
    profile_name String DP-PROFILE Name of the IPSec profile.
    shared_key String Required The type 7 encrypted IPSec shared key.
This variable is sensitive and should be configured using some vault mechanism.
wan_mode String cv-pathfinder Valid Values:
- autovpn
- cv-pathfinder
PREVIEW: This key is currently not supported

Select if the WAN should be run using CV Pathfinder or Auto VPN only.
wan_route_servers List, items: Dictionary PREVIEW: This key is currently not supported

List of the AutoVPN RRs when using wan_mode=autovpn, or the Pathfinders
when using wan_mode=cv-pathfinder, to which the device should connect.

When the route server is part of the same inventory as the WAN routers,
only the name is required.
  - hostname String Required, Unique Route-Reflector hostname.
    vtep_ip String Route-Reflector VTEP IP Address. This is usually the IP address under interface Dps1.
    path_groups List, items: Dictionary Path-groups through which the Route Reflector/Pathfinder is reached.
      - name String Required, Unique Path-group name.
        interfaces List, items: Dictionary Required Min Length: 1
          - name String Required, Unique Interface name.
            ip_address String The public IP address of the Route Reflector for this path-group.
# PREVIEW: This key is currently not supported

# Define IPsec profiles parameters for WAN configuration.
wan_ipsec_profiles:

  # PREVIEW: This key is currently not supported
  control_plane: # required

    # Name of the IKE policy.
    ike_policy_name: <str; default="CP-IKE-POLICY">

    # Name of the SA policy.
    sa_policy_name: <str; default="CP-SA-POLICY">

    # Name of the IPSec profile.
    profile_name: <str; default="CP-PROFILE">

    # The IPSec shared key.
    # This variable is sensitive and SHOULD be configured using some vault mechanism.
    shared_key: <str; required>

  # If `data_plane` is not defined, `control_plane` information is used for both.
  data_plane:

    # Name of the IKE policy.
    ike_policy_name: <str; default="DP-IKE-POLICY">

    # Name of the SA policy.
    sa_policy_name: <str; default="DP-SA-POLICY">

    # Name of the IPSec profile.
    profile_name: <str; default="DP-PROFILE">

    # The type 7 encrypted IPSec shared key.
    # This variable is sensitive and should be configured using some vault mechanism.
    shared_key: <str; required>

# PREVIEW: This key is currently not supported

# Select if the WAN should be run using CV Pathfinder or Auto VPN only.
wan_mode: <str; "autovpn" | "cv-pathfinder"; default="cv-pathfinder">

# PREVIEW: This key is currently not supported

# List of the AutoVPN RRs when using `wan_mode`=`autovpn`, or the Pathfinders
# when using `wan_mode`=`cv-pathfinder`, to which the device should connect.

# When the route server is part of the same inventory as the WAN routers,
# only the name is required.
wan_route_servers:

    # Route-Reflector hostname.
  - hostname: <str; required; unique>

    # Route-Reflector VTEP IP Address. This is usually the IP address under `interface Dps1`.
    vtep_ip: <str>

    # Path-groups through which the Route Reflector/Pathfinder is reached.
    path_groups:

        # Path-group name.
      - name: <str; required; unique>
        interfaces: # >=1 items; required

            # Interface name.
          - name: <str; required; unique>

            # The public IP address of the Route Reflector for this path-group.
            ip_address: <str>
WAN path-groups
Variable Type Required Default Value Restrictions Description
wan_path_groups List, items: Dictionary PREVIEW: This key is currently not supported
List of path-groups used for the WAN configuration.
  - name String Required, Unique Path-group name.
    id Integer Required Path-group id.

TODO: Required until an auto ID algorithm is implemented.
    description String Additional information about the path-group for documentation purposes.
    ipsec Boolean True Flag to configure IPsec at the path-group level.

When set to true, IPsec is enabled for both the static and dynamic peers.
    import_path_groups List, items: Dictionary List of path-groups to import in this path-group.
      - remote String Remote path-group to import.
        local String Optional, if not set, the path-group name is used as local.
# PREVIEW: This key is currently not supported
# List of path-groups used for the WAN configuration.
wan_path_groups:

    # Path-group name.
  - name: <str; required; unique>

    # Path-group id.

    # TODO: Required until an auto ID algorithm is implemented.
    id: <int; required>

    # Additional information about the path-group for documentation purposes.
    description: <str>

    # Flag to configure IPsec at the path-group level.

    # When set to `true`, IPsec is enabled for both the static and dynamic peers.
    ipsec: <bool; default=True>

    # List of path-groups to import in this path-group.
    import_path_groups:

        # Remote path-group to import.
      - remote: <str>

        # Optional, if not set, the path-group `name` is used as local.
        local: <str>
WAN carriers
Variable Type Required Default Value Restrictions Description
wan_carriers List, items: Dictionary PREVIEW: This key is currently not supported

List of carriers used for the WAN configuration and their mapping to path-groups.
  - name String Required, Unique Carrier name.
    description String Additional information about the carrier for documentation purposes.
    path_group String Required The path-group to which this carrier belongs.
# PREVIEW: This key is currently not supported

# List of carriers used for the WAN configuration and their mapping to path-groups.
wan_carriers:

    # Carrier name.
  - name: <str; required; unique>

    # Additional information about the carrier for documentation purposes.
    description: <str>

    # The path-group to which this carrier belongs.
    path_group: <str; required>
WAN hierarchy

Note

This section is only relevant for CV Pathfinder and not for AutoVPN.

Variable Type Required Default Value Restrictions Description
cv_pathfinder_regions List, items: Dictionary PREVIEW: This key is currently not supported
Define the SDWAN hierarchy for the device.
  - description String
    id Integer Required Min: 1
Max: 255
The region ID must be unique for the whole WAN deployment.
    sites List, items: Dictionary All sites are placed in a default zone called DEFAULT-ZONE with ID 1.
      - description String
        id Integer Required Min: 1
Max: 10000
The site ID must be unique within a zone.
Given that all the sites are placed in the DEFAULT-ZONE, the site ID must be unique within a region.
        location String Will be interpreted
        site_contact String
        site_after_hours_contact String
        name String Required, Unique
    name String Required, Unique
# PREVIEW: This key is currently not supported
# Define the SDWAN hierarchy for the device.
cv_pathfinder_regions:
  - description: <str>

    # The region ID must be unique for the whole WAN deployment.
    id: <int; 1-255; required>

    # All sites are placed in a default zone called DEFAULT-ZONE with ID 1.
    sites:
      - description: <str>

        # The site ID must be unique within a zone.
        # Given that all the sites are placed in the DEFAULT-ZONE, the site ID must be unique within a region.
        id: <int; 1-10000; required>

        # Will be interpreted
        location: <str>
        site_contact: <str>
        site_after_hours_contact: <str>
        name: <str; required; unique>
    name: <str; required; unique>
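
The constraints stated above (vault-sourced shared_key values, the reserved path-group ID 65535, the carrier to path-group mapping, region and site ID ranges) can be checked before a playbook run. The lint below is an added example, not part of AVD or of the original page; the function names, the vault-detection rule and the sample inventory values are assumptions made for illustration.

```python
RESERVED_HA_ID = 65535            # reserved for the LAN_HA path-group (design points)
VAULT_HEADER = "$ANSIBLE_VAULT;"  # prefix of Ansible Vault ciphertext


def is_vault_sourced(value):
    """Assumed rule: accept only vault ciphertext or a Jinja reference to a vaulted variable."""
    text = str(value).strip()
    return text.startswith(VAULT_HEADER) or (text.startswith("{{") and text.endswith("}}"))


def lint_wan_vars(v):
    """Return 'ERROR: ...' / 'WARN: ...' findings for a dict of eos_designs WAN variables."""
    out = []
    mode = v.get("wan_mode", "cv-pathfinder")  # documented default
    # IPsec profiles: control_plane is required, shared keys must not be literals.
    profiles = v.get("wan_ipsec_profiles")
    if profiles is not None:
        if "control_plane" not in profiles:
            out.append("ERROR: wan_ipsec_profiles.control_plane is required")
        for plane in ("control_plane", "data_plane"):
            if plane not in profiles:
                continue
            key = (profiles[plane] or {}).get("shared_key")
            if not key:
                out.append(f"ERROR: wan_ipsec_profiles.{plane}.shared_key is required")
            elif not is_vault_sourced(key):
                out.append(f"ERROR: wan_ipsec_profiles.{plane}.shared_key is a literal in the inventory")

    # Path-groups: unique names, required id, 65535 kept for LAN_HA, ipsec on.
    groups = {}
    for pg in v.get("wan_path_groups") or []:
        name = pg.get("name")
        if name in groups:
            out.append(f"ERROR: path-group '{name}' is defined twice")
        groups[name] = pg
        if pg.get("id") is None:
            out.append(f"ERROR: path-group '{name}' has no id")
        elif pg["id"] == RESERVED_HA_ID and name != "LAN_HA":
            out.append(f"ERROR: path-group '{name}' uses id 65535, reserved for LAN_HA")
        if pg.get("ipsec", True) is False:
            out.append(f"WARN: path-group '{name}' has ipsec: false")

    # Carriers must map to a defined path-group; report the ones left without IPsec.
    for carrier in v.get("wan_carriers") or []:
        cname, target = carrier.get("name"), carrier.get("path_group")
        if target not in groups:
            out.append(f"ERROR: carrier '{cname}' maps to undefined path-group '{target}'")
        elif groups[target].get("ipsec", True) is False:
            out.append(f"WARN: carrier '{cname}' rides path-group '{target}' without IPsec")

    # The hierarchy is only relevant for CV Pathfinder.
    if mode == "cv-pathfinder":
        region_ids = set()
        for region in v.get("cv_pathfinder_regions") or []:
            rname, rid = region.get("name"), region.get("id")
            if not (type(rid) is int and 1 <= rid <= 255):
                out.append(f"ERROR: region '{rname}' id {rid} is outside 1-255")
            elif rid in region_ids:
                out.append(f"ERROR: region id {rid} is reused by '{rname}'")
            region_ids.add(rid)
            site_ids = set()  # all sites share DEFAULT-ZONE, so the scope is the region
            for site in region.get("sites") or []:
                sname, sid = site.get("name"), site.get("id")
                if not (type(sid) is int and 1 <= sid <= 10000):
                    out.append(f"ERROR: site '{sname}' id {sid} is outside 1-10000")
                elif sid in site_ids:
                    out.append(f"ERROR: site id {sid} is reused by '{sname}' in region '{rname}'")
                site_ids.add(sid)
    return out


# Constructed sample input (not from the page), with one or two findings per rule family.
SAMPLE_VARS = {
    "wan_ipsec_profiles": {
        "control_plane": {"shared_key": "{{ vault_wan_cp_shared_key }}"},
        "data_plane": {"shared_key": "ExampleLiteralKey"},
    },
    "wan_path_groups": [
        {"name": "INET", "id": 101},
        {"name": "MPLS", "id": 102, "ipsec": False},
        {"name": "LTE", "id": 65535},
    ],
    "wan_carriers": [
        {"name": "ISP-1", "path_group": "INET"},
        {"name": "CARRIER-MPLS", "path_group": "MPLS"},
        {"name": "ISP-2", "path_group": "INTERNET"},
    ],
    "cv_pathfinder_regions": [
        {"name": "EMEA", "id": 1, "sites": [{"name": "PARIS", "id": 10}, {"name": "LYON", "id": 10}]},
        {"name": "APAC", "id": 300, "sites": []},
    ],
}


if __name__ == "__main__":
    print("\n".join(lint_wan_vars(SAMPLE_VARS)))
```

A type 7 string placed directly in the inventory is flagged like any other literal, since the page asks for a vault mechanism for both keys.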

WAN interfaces

Variable Type Required Default Value Restrictions Description
<node_type_keys.key> Dictionary
  defaults Dictionary Define variables for all nodes of this type.
    l3_interfaces List, items: Dictionary PREVIEW: This key is currently not supported

L3 Interfaces currently only used for WAN interfaces.
      - profile String L3 interface profile name. Profile defined under l3_interface_profiles.
        name String Required, Unique Pattern: Ethernet[\d/]+(.[\d]+)? Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’
For a subinterface, the parent physical interface is automatically created.
        description String Interface description.
If not set a default description will be configured with ‘[<peer>[ <peer_interface>]]’
        ip_address String Node IPv4 address/Mask or ‘dhcp’.
        encapsulation_dot1q_vlan Integer Min: 1
Max: 4094
For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
        dhcp_accept_default_route Boolean False Accept a default route from DHCP if ip_address is set to dhcp.
        enabled Boolean True Enable or Shutdown the interface.
        speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
        peer String The peer device name. Used for description and documentation
        peer_interface String The peer device interface. Used for description and documentation
        peer_ip String The peer device IPv4 address (no mask). Used as default route gateway if set_default_route is true and ip is an IP address.
        static_routes List, items: Dictionary Min Length: 1 Configure IPv4 static routes pointing to peer_ip.
          - prefix String Required IPv4_network/Mask
        qos_profile String QOS service profile.
        wan_carrier String The WAN Carrier this interface is connected to.
This is used to infer the path-groups in which this interface should be configured.
        wan_circuit_id String The WAN Circuit ID for this interface.
This is not rendered in the configuration but used for WAN designs.
        connected_to_pathfinder Boolean True For a WAN interface (wan_path_group is set), allow to disable the static tunnel towards Pathfinders.
        raw_eos_cli String EOS CLI rendered directly on the interface in the final EOS configuration.
        structured_config Dictionary Custom structured config for the Ethernet interface.
  node_groups List, items: Dictionary Define variables related to all nodes part of this group.
    - group String Required, Unique The Node Group Name is used for MLAG domain unless set with ‘mlag_domain_id’.
The Node Group Name is also used for peer description on downstream switches’ uplinks.
      nodes List, items: Dictionary Define variables per node.
        - name String Required, Unique The Node Name is used as “hostname”.
          l3_interfaces List, items: Dictionary PREVIEW: This key is currently not supported

L3 Interfaces currently only used for WAN interfaces.
            - profile String L3 interface profile name. Profile defined under l3_interface_profiles.
              name String Required, Unique Pattern: Ethernet[\d/]+(.[\d]+)? Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’
For a subinterface, the parent physical interface is automatically created.
              description String Interface description.
If not set a default description will be configured with ‘[<peer>[ <peer_interface>]]’
              ip_address String Node IPv4 address/Mask or ‘dhcp’.
              encapsulation_dot1q_vlan Integer Min: 1
Max: 4094
For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
              dhcp_accept_default_route Boolean False Accept a default route from DHCP if ip_address is set to dhcp.
              enabled Boolean True Enable or Shutdown the interface.
              speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
              peer String The peer device name. Used for description and documentation
              peer_interface String The peer device interface. Used for description and documentation
              peer_ip String The peer device IPv4 address (no mask). Used as default route gateway if set_default_route is true and ip is an IP address.
              static_routes List, items: Dictionary Min Length: 1 Configure IPv4 static routes pointing to peer_ip.
                - prefix String Required IPv4_network/Mask
              qos_profile String QOS service profile.
              wan_carrier String The WAN Carrier this interface is connected to.
This is used to infer the path-groups in which this interface should be configured.
              wan_circuit_id String The WAN Circuit ID for this interface.
This is not rendered in the configuration but used for WAN designs.
              connected_to_pathfinder Boolean True For a WAN interface (wan_path_group is set), allow to disable the static tunnel towards Pathfinders.
              raw_eos_cli String EOS CLI rendered directly on the interface in the final EOS configuration.
              structured_config Dictionary Custom structured config for the Ethernet interface.
      l3_interfaces List, items: Dictionary PREVIEW: This key is currently not supported

L3 Interfaces currently only used for WAN interfaces.
        - profile String L3 interface profile name. Profile defined under l3_interface_profiles.
          name String Required, Unique Pattern: Ethernet[\d/]+(.[\d]+)? Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’
For a subinterface, the parent physical interface is automatically created.
          description String Interface description.
If not set a default description will be configured with ‘[<peer>[ <peer_interface>]]’
          ip_address String Node IPv4 address/Mask or ‘dhcp’.
          encapsulation_dot1q_vlan Integer Min: 1
Max: 4094
For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
          dhcp_accept_default_route Boolean False Accept a default route from DHCP if ip_address is set to dhcp.
          enabled Boolean True Enable or Shutdown the interface.
          speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
          peer String The peer device name. Used for description and documentation
          peer_interface String The peer device interface. Used for description and documentation
          peer_ip String The peer device IPv4 address (no mask). Used as default route gateway if set_default_route is true and ip is an IP address.
          static_routes List, items: Dictionary Min Length: 1 Configure IPv4 static routes pointing to peer_ip.
            - prefix String Required IPv4_network/Mask
          qos_profile String QOS service profile.
          wan_carrier String The WAN Carrier this interface is connected to.
This is used to infer the path-groups in which this interface should be configured.
          wan_circuit_id String The WAN Circuit ID for this interface.
This is not rendered in the configuration but used for WAN designs.
          connected_to_pathfinder Boolean True For a WAN interface (wan_path_group is set), allow to disable the static tunnel towards Pathfinders.
          raw_eos_cli String EOS CLI rendered directly on the interface in the final EOS configuration.
          structured_config Dictionary Custom structured config for the Ethernet interface.
  nodes List, items: Dictionary Define variables per node.
    - name String Required, Unique The Node Name is used as “hostname”.
      l3_interfaces List, items: Dictionary PREVIEW: This key is currently not supported

L3 Interfaces currently only used for WAN interfaces.
        - profile String L3 interface profile name. Profile defined under l3_interface_profiles.
          name String Required, Unique Pattern: Ethernet[\d/]+(.[\d]+)? Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’
For a subinterface, the parent physical interface is automatically created.
          description String Interface description.
If not set a default description will be configured with ‘[<peer>[ <peer_interface>]]’
          ip_address String Node IPv4 address/Mask or ‘dhcp’.
          encapsulation_dot1q_vlan Integer Min: 1
Max: 4094
For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
          dhcp_accept_default_route Boolean False Accept a default route from DHCP if ip_address is set to dhcp.
          enabled Boolean True Enable or Shutdown the interface.
          speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
          peer String The peer device name. Used for description and documentation
          peer_interface String The peer device interface. Used for description and documentation
          peer_ip String The peer device IPv4 address (no mask). Used as default route gateway if set_default_route is true and ip is an IP address.
          static_routes List, items: Dictionary Min Length: 1 Configure IPv4 static routes pointing to peer_ip.
            - prefix String Required IPv4_network/Mask
          qos_profile String QOS service profile.
          wan_carrier String The WAN Carrier this interface is connected to.
This is used to infer the path-groups in which this interface should be configured.
          wan_circuit_id String The WAN Circuit ID for this interface.
This is not rendered in the configuration but used for WAN designs.
          connected_to_pathfinder Boolean True For a WAN interface (wan_path_group is set), allow to disable the static tunnel towards Pathfinders.
          raw_eos_cli String EOS CLI rendered directly on the interface in the final EOS configuration.
          structured_config Dictionary Custom structured config for the Ethernet interface.
l3_interface_profiles List, items: Dictionary PREVIEW: This key is currently not supported

Profiles to inherit common settings for l3_interfaces defined under the node type key.
These profiles will not work for l3_interfaces defined under vrfs.
  - profile String Required, Unique L3 interface profile name. Any variable supported under l3_interfaces can be inherited from a profile.
    name String Pattern: Ethernet[\d/]+(.[\d]+)? Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’
For a subinterface, the parent physical interface is automatically created.
    description String Interface description.
If not set a default description will be configured with ‘[<peer>[ <peer_interface>]]’
    ip_address String Node IPv4 address/Mask or ‘dhcp’.
    encapsulation_dot1q_vlan Integer Min: 1
Max: 4094
For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
    dhcp_accept_default_route Boolean False Accept a default route from DHCP if ip_address is set to dhcp.
    enabled Boolean True Enable or Shutdown the interface.
    speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
    peer String The peer device name. Used for description and documentation
    peer_interface String The peer device interface. Used for description and documentation
    peer_ip String The peer device IPv4 address (no mask). Used as default route gateway if set_default_route is true and ip is an IP address.
    static_routes List, items: Dictionary Min Length: 1 Configure IPv4 static routes pointing to peer_ip.
      - prefix String Required IPv4_network/Mask
    qos_profile String QOS service profile.
    wan_carrier String The WAN Carrier this interface is connected to.
This is used to infer the path-groups in which this interface should be configured.
    wan_circuit_id String The WAN Circuit ID for this interface.
This is not rendered in the configuration but used for WAN designs.
    connected_to_pathfinder Boolean True For a WAN interface (wan_path_group is set), allow to disable the static tunnel towards Pathfinders.
    raw_eos_cli String EOS CLI rendered directly on the interface in the final EOS configuration.
    structured_config Dictionary Custom structured config for the Ethernet interface.
<node_type_keys.key>:

  # Define variables for all nodes of this type.
  defaults:

    # PREVIEW: This key is currently not supported

    # L3 Interfaces currently only used for WAN interfaces.
    l3_interfaces:

        # L3 interface profile name. Profile defined under `l3_interface_profiles`.
      - profile: <str>

        # Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
        # For a subinterface, the parent physical interface is automatically created.
        name: <str; required; unique>

        # Interface description.
        # If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
        description: <str>

        # Node IPv4 address/Mask or 'dhcp'.
        ip_address: <str>

        # For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
        encapsulation_dot1q_vlan: <int; 1-4094>

        # Accept a default route from DHCP if `ip_address` is set to `dhcp`.
        dhcp_accept_default_route: <bool; default=False>

        # Enable or Shutdown the interface.
        enabled: <bool; default=True>

        # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
        speed: <str>

        # The peer device name. Used for description and documentation
        peer: <str>

        # The peer device interface. Used for description and documentation
        peer_interface: <str>

        # The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
        peer_ip: <str>

        # Configure IPv4 static routes pointing to `peer_ip`.
        static_routes: # >=1 items

            # IPv4_network/Mask
          - prefix: <str; required>

        # QOS service profile.
        qos_profile: <str>

        # The WAN Carrier this interface is connected to.
        # This is used to infer the path-groups in which this interface should be configured.
        wan_carrier: <str>

        # The WAN Circuit ID for this interface.
        # This is not rendered in the configuration but used for WAN designs.
        wan_circuit_id: <str>

        # For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders.
        connected_to_pathfinder: <bool; default=True>

        # EOS CLI rendered directly on the interface in the final EOS configuration.
        raw_eos_cli: <str>

        # Custom structured config for the Ethernet interface.
        structured_config: <dict>

  # Define variables related to all nodes part of this group.
  node_groups:

      # The Node Group Name is used for MLAG domain unless set with 'mlag_domain_id'.
      # The Node Group Name is also used for peer description on downstream switches' uplinks.
    - group: <str; required; unique>

      # Define variables per node.
      nodes:

          # The Node Name is used as "hostname".
        - name: <str; required; unique>

          # PREVIEW: This key is currently not supported

          # L3 Interfaces currently only used for WAN interfaces.
          l3_interfaces:

              # L3 interface profile name. Profile defined under `l3_interface_profiles`.
            - profile: <str>

              # Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
              # For a subinterface, the parent physical interface is automatically created.
              name: <str; required; unique>

              # Interface description.
              # If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
              description: <str>

              # Node IPv4 address/Mask or 'dhcp'.
              ip_address: <str>

              # For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
              encapsulation_dot1q_vlan: <int; 1-4094>

              # Accept a default route from DHCP if `ip_address` is set to `dhcp`.
              dhcp_accept_default_route: <bool; default=False>

              # Enable or Shutdown the interface.
              enabled: <bool; default=True>

              # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
              speed: <str>

              # The peer device name. Used for description and documentation
              peer: <str>

              # The peer device interface. Used for description and documentation
              peer_interface: <str>

              # The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
              peer_ip: <str>

              # Configure IPv4 static routes pointing to `peer_ip`.
              static_routes: # >=1 items

                  # IPv4_network/Mask
                - prefix: <str; required>

              # QOS service profile.
              qos_profile: <str>

              # The WAN Carrier this interface is connected to.
              # This is used to infer the path-groups in which this interface should be configured.
              wan_carrier: <str>

              # The WAN Circuit ID for this interface.
              # This is not rendered in the configuration but used for WAN designs.
              wan_circuit_id: <str>

              # For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders.
              connected_to_pathfinder: <bool; default=True>

              # EOS CLI rendered directly on the interface in the final EOS configuration.
              raw_eos_cli: <str>

              # Custom structured config for the Ethernet interface.
              structured_config: <dict>

      # PREVIEW: This key is currently not supported

      # L3 Interfaces currently only used for WAN interfaces.
      l3_interfaces:

          # L3 interface profile name. Profile defined under `l3_interface_profiles`.
        - profile: <str>

          # Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
          # For a subinterface, the parent physical interface is automatically created.
          name: <str; required; unique>

          # Interface description.
          # If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
          description: <str>

          # Node IPv4 address/Mask or 'dhcp'.
          ip_address: <str>

          # For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
          encapsulation_dot1q_vlan: <int; 1-4094>

          # Accept a default route from DHCP if `ip_address` is set to `dhcp`.
          dhcp_accept_default_route: <bool; default=False>

          # Enable or Shutdown the interface.
          enabled: <bool; default=True>

          # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
          speed: <str>

          # The peer device name. Used for description and documentation
          peer: <str>

          # The peer device interface. Used for description and documentation
          peer_interface: <str>

          # The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
          peer_ip: <str>

          # Configure IPv4 static routes pointing to `peer_ip`.
          static_routes: # >=1 items

              # IPv4_network/Mask
            - prefix: <str; required>

          # QOS service profile.
          qos_profile: <str>

          # The WAN Carrier this interface is connected to.
          # This is used to infer the path-groups in which this interface should be configured.
          wan_carrier: <str>

          # The WAN Circuit ID for this interface.
          # This is not rendered in the configuration but used for WAN designs.
          wan_circuit_id: <str>

          # For a WAN interface (`wan_path_group` is set), allows disabling the static tunnel towards Pathfinders.
          connected_to_pathfinder: <bool; default=True>

          # EOS CLI rendered directly on the interface in the final EOS configuration.
          raw_eos_cli: <str>

          # Custom structured config for the Ethernet interface.
          structured_config: <dict>

  # Define variables per node.
  nodes:

      # The Node Name is used as "hostname".
    - name: <str; required; unique>

      # PREVIEW: This key is currently not supported

      # L3 Interfaces are currently only used for WAN interfaces.
      l3_interfaces:

          # L3 interface profile name. Profile defined under `l3_interface_profiles`.
        - profile: <str>

          # Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
          # For a subinterface, the parent physical interface is automatically created.
          name: <str; required; unique>

          # Interface description.
          # If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
          description: <str>

          # Node IPv4 address/Mask or 'dhcp'.
          ip_address: <str>

          # For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
          encapsulation_dot1q_vlan: <int; 1-4094>

          # Accept a default route from DHCP if `ip_address` is set to `dhcp`.
          dhcp_accept_default_route: <bool; default=False>

          # Enable or Shutdown the interface.
          enabled: <bool; default=True>

          # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
          speed: <str>

          # The peer device name. Used for description and documentation
          peer: <str>

          # The peer device interface. Used for description and documentation
          peer_interface: <str>

          # The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
          peer_ip: <str>

          # Configure IPv4 static routes pointing to `peer_ip`.
          static_routes: # >=1 items

              # IPv4_network/Mask
            - prefix: <str; required>

          # QOS service profile.
          qos_profile: <str>

          # The WAN Carrier this interface is connected to.
          # This is used to infer the path-groups in which this interface should be configured.
          wan_carrier: <str>

          # The WAN Circuit ID for this interface.
          # This is not rendered in the configuration but used for WAN designs.
          wan_circuit_id: <str>

          # For a WAN interface (`wan_path_group` is set), allows disabling the static tunnel towards Pathfinders.
          connected_to_pathfinder: <bool; default=True>

          # EOS CLI rendered directly on the interface in the final EOS configuration.
          raw_eos_cli: <str>

          # Custom structured config for the Ethernet interface.
          structured_config: <dict>

# PREVIEW: This key is currently not supported

# Profiles to inherit common settings for l3_interfaces defined under the node type key.
# These profiles will *not* work for `l3_interfaces` defined under `vrfs`.
l3_interface_profiles:

    # L3 interface profile name. Any variable supported under `l3_interfaces` can be inherited from a profile.
  - profile: <str; required; unique>

    # Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
    # For a subinterface, the parent physical interface is automatically created.
    name: <str>

    # Interface description.
    # If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
    description: <str>

    # Node IPv4 address/Mask or 'dhcp'.
    ip_address: <str>

    # For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
    encapsulation_dot1q_vlan: <int; 1-4094>

    # Accept a default route from DHCP if `ip_address` is set to `dhcp`.
    dhcp_accept_default_route: <bool; default=False>

    # Enable or Shutdown the interface.
    enabled: <bool; default=True>

    # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
    speed: <str>

    # The peer device name. Used for description and documentation
    peer: <str>

    # The peer device interface. Used for description and documentation
    peer_interface: <str>

    # The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
    peer_ip: <str>

    # Configure IPv4 static routes pointing to `peer_ip`.
    static_routes: # >=1 items

        # IPv4_network/Mask
      - prefix: <str; required>

    # QOS service profile.
    qos_profile: <str>

    # The WAN Carrier this interface is connected to.
    # This is used to infer the path-groups in which this interface should be configured.
    wan_carrier: <str>

    # The WAN Circuit ID for this interface.
    # This is not rendered in the configuration but used for WAN designs.
    wan_circuit_id: <str>

    # For a WAN interface (`wan_path_group` is set), allows disabling the static tunnel towards Pathfinders.
    connected_to_pathfinder: <bool; default=True>

    # EOS CLI rendered directly on the interface in the final EOS configuration.
    raw_eos_cli: <str>

    # Custom structured config for the Ethernet interface.
    structured_config: <dict>

WAN Virtual topologies

Variable Type Required Default Value Restrictions Description
wan_virtual_topologies Dictionary PREVIEW: WAN Preview

Configure Virtual Topologies for CV Pathfinder and AutoVPN.

Auto create a control plane profile/policy/application and enforce it being first in the default VRF.
  vrfs List, items: Dictionary Map a VRF that exists in network_services to an AVT policy.
TODO: missing default VRF behavior
    - name String Required, Unique VRF name.
      policy String Name of the AVT policy to apply to this VRF.
  control_plane_virtual_topology Dictionary Always injected into the default VRF policy as the first entry.

By default, if no path-groups are specified, all locally available path-groups
are used in the generated load-balance policy.
ID is hardcoded to 254 for the AVT profile in CV Pathfinder mode.
    name String Optional name, if not set CONTROL-PLANE-PROFILE is used.
    traffic_class Integer Min: 0
Max: 7
Set traffic-class for matched traffic.
    dscp Integer Min: 0
Max: 63
Set DSCP for matched traffic.
    constraints Dictionary
      jitter Integer Min: 0
Max: 10000
Jitter requirement for this load balance policy in milliseconds.
      latency Integer Min: 0
Max: 10000
One way delay requirement for this load balance policy in milliseconds.
      loss_rate String Pattern: ^\d+(.\d{1,2})?$ Loss Rate requirement in percentage for this load balance policy.
Value between 0.00 and 100.00.
    path_groups List, items: Dictionary Min Length: 1
      - names List, items: String Required Min Length: 1 List of path-group names.
          - <str> String
        preference String preferred Valid values are 1-255 | preferred | alternate.
preferred is converted to priority 1.
alternate is converted to priority 2.
  policies List, items: Dictionary List of virtual topologies policies.

For AutoVPN, each item in the list creates:
* one policy with:
    * one match entry per application_virtual_topologies item;
      they are indexed using 10 * <list_index> where list_index starts at 1.
    * one default-match
* one load-balance policy per application_virtual_topologies and one for the default_virtual_topology.
* if the policy is associated with the default VRF, a special control-plane rule is injected
  in the policy with index 1 referring to a control-plane load-balance policy as defined under
  control_plane_virtual_topology.

For CV Pathfinder, each item in the list creates:
* one policy with:
    * one match entry per application_virtual_topologies item ordered as in the model.
    * one last match entry for the default application-profile using default_virtual_topology information.
* one profile per application_virtual_topologies item.
* one profile for the default_virtual_topology.
* one load-balance policy per application_virtual_topologies.
* one load-balance policy for the default_virtual_topology.
* if the policy is associated with the default VRF, a special control-plane profile is configured
  and injected first in the policy assigned to the default VRF. This profile points to a
  control-plane load-balance policy as defined under control_plane_virtual_topology.
    - name String Required, Unique Name of the AVT policy.
      application_virtual_topologies List, items: Dictionary List of application specific virtual topologies.
        - application_profile String Required, Unique The application profile to use for this virtual topology. It must be a defined application_profile.
          name String Optional name, if not set <policy_name>-<application_profile> is used.
          id Integer Min: 2
Max: 253
ID of the AVT in each VRF. ID must be unique across all virtual topologies in a policy.
ID 1 is reserved for the default_virtual_topology.
ID 254 is reserved for the control_plane_virtual_topology.
          traffic_class Integer Min: 0
Max: 7
Set traffic-class for matched traffic.
          dscp Integer Min: 0
Max: 63
Set DSCP for matched traffic.
          constraints Dictionary
            jitter Integer Min: 0
Max: 10000
Jitter requirement for this load balance policy in milliseconds.
            latency Integer Min: 0
Max: 10000
One way delay requirement for this load balance policy in milliseconds.
            loss_rate String Pattern: ^\d+(.\d{1,2})?$ Loss Rate requirement in percentage for this load balance policy.
Value between 0.00 and 100.00.
          path_groups List, items: Dictionary Min Length: 1
            - names List, items: String Required Min Length: 1 List of path-group names.
                - <str> String
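              preference String preferred Valid values are 1-255 | preferred | alternate.
preferred is converted to priority 1.
alternate is converted to priority 2.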
      default_virtual_topology Dictionary Required Default match for the policy.
If no default match should be configured, set drop_unmatched to true.
Otherwise, in CV Pathfinder mode, a default AVT profile will be configured with ID 1.
        name String Optional name, if not set <policy_name>-DEFAULT is used.
        drop_unmatched Boolean False When set, no catch-all match is configured for the policy and unmatched traffic is dropped.
        traffic_class Integer Min: 0
Max: 7
Set traffic-class for matched traffic.
        dscp Integer Min: 0
Max: 63
Set DSCP for matched traffic.
        constraints Dictionary
          jitter Integer Min: 0
Max: 10000
Jitter requirement for this load balance policy in milliseconds.
          latency Integer Min: 0
Max: 10000
One way delay requirement for this load balance policy in milliseconds.
          loss_rate String Pattern: ^\d+(.\d{1,2})?$ Loss Rate requirement in percentage for this load balance policy.
Value between 0.00 and 100.00.
        path_groups List, items: Dictionary Min Length: 1
          - names List, items: String Required Min Length: 1 List of path-group names.
              - <str> String
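            preference String preferred Valid values are 1-255 | preferred | alternate.
preferred is converted to priority 1.
alternate is converted to priority 2.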
# PREVIEW: WAN Preview

# Configure Virtual Topologies for CV Pathfinder and AutoVPN.

# Auto create a control plane profile/policy/application and enforce it being first in the default VRF.
wan_virtual_topologies:

  # Map a VRF that exists in network_services to an AVT policy.
  # TODO: missing default VRF behavior
  vrfs:

      # VRF name.
    - name: <str; required; unique>

      # Name of the AVT policy to apply to this VRF.
      policy: <str>

  # Always injected into the default VRF policy as the first entry.

  # By default, if no path-groups are specified, all locally available path-groups
  # are used in the generated load-balance policy.
  # ID is hardcoded to 254 for the AVT profile in CV Pathfinder mode.
  control_plane_virtual_topology:

    # Optional name, if not set `CONTROL-PLANE-PROFILE` is used.
    name: <str>

    # Set traffic-class for matched traffic.
    traffic_class: <int; 0-7>

    # Set DSCP for matched traffic.
    dscp: <int; 0-63>
    constraints:

      # Jitter requirement for this load balance policy in milliseconds.
      jitter: <int; 0-10000>

      # One way delay requirement for this load balance policy in milliseconds.
      latency: <int; 0-10000>

      # Loss Rate requirement in percentage for this load balance policy.
      # Value between 0.00 and 100.00.
      loss_rate: <str>
    path_groups: # >=1 items

        # List of path-group names.
      - names: # >=1 items; required
          - <str>

        # Valid values are 1-255 | preferred | alternate.

        # preferred is converted to priority 1.
        # alternate is converted to priority 2.
        preference: <str; default="preferred">

  # List of virtual topologies policies.

  # For AutoVPN, each item in the list creates:
  #   * one policy with:
  #       * one `match` entry per `application_virtual_topologies` item
  #         they are indexed using `10 * <list_index>` where `list_index` starts at `1`.
  #       * one `default-match`
  #   * one load-balance policy per `application_virtual_topologies` and one for the `default_virtual_topology`.
  #   * if the policy is associated with the default VRF, a special control-plane rule is injected
  #     in the policy with index `1` referring to a control-plane load-balance policy as defined under
  #     `control_plane_virtual_topology`.


  # For CV Pathfinder, each item in the list creates:
  #   * one policy with:
  #       * one `match` entry per `application_virtual_topologies` item ordered as in the model.
  #       * one last match entry for the `default` application-profile using `default_virtual_topology` information.
  #   * one profile per `application_virtual_topologies` item.
  #   * one profile for the `default_virtual_topology`.
  #   * one load-balance policy per `application_virtual_topologies`.
  #   * one load-balance policy for the `default_virtual_topology`.
  #   * if the policy is associated with the default VRF, a special control-plane profile is configured
  #     and injected first in the policy assigned to the `default` VRF. This profile points to a
  #     control-plane load-balance policy as defined under `control_plane_virtual_topology`.
  policies:

      # Name of the AVT policy.
    - name: <str; required; unique>

      # List of application specific virtual topologies.
      application_virtual_topologies:

          # The application profile to use for this virtual topology. It must be a defined `application_profile`.
        - application_profile: <str; required; unique>

          # Optional name, if not set `<policy_name>-<application_profile>` is used.
          name: <str>

          # ID of the AVT in each VRF. ID must be unique across all virtual topologies in a policy.
          # ID 1 is reserved for the default_virtual_topology.
          # ID 254 is reserved for the control_plane_virtual_topology.
          id: <int; 2-253>

          # Set traffic-class for matched traffic.
          traffic_class: <int; 0-7>

          # Set DSCP for matched traffic.
          dscp: <int; 0-63>
          constraints:

            # Jitter requirement for this load balance policy in milliseconds.
            jitter: <int; 0-10000>

            # One way delay requirement for this load balance policy in milliseconds.
            latency: <int; 0-10000>

            # Loss Rate requirement in percentage for this load balance policy.
            # Value between 0.00 and 100.00.
            loss_rate: <str>
          path_groups: # >=1 items

              # List of path-group names.
            - names: # >=1 items; required
                - <str>

              # Valid values are 1-255 | preferred | alternate.

              # preferred is converted to priority 1.
              # alternate is converted to priority 2.
              preference: <str; default="preferred">

      # Default match for the policy.
      # If no default match should be configured, set `drop_unmatched` to `true`.
      # Otherwise, in CV Pathfinder mode, a default AVT profile will be configured with ID 1.
      default_virtual_topology: # required

        # Optional name, if not set `<policy_name>-DEFAULT` is used.
        name: <str>

        # When set, no `catch-all` match is configured for the policy and unmatched traffic is dropped.
        drop_unmatched: <bool; default=False>

        # Set traffic-class for matched traffic.
        traffic_class: <int; 0-7>

        # Set DSCP for matched traffic.
        dscp: <int; 0-63>
        constraints:

          # Jitter requirement for this load balance policy in milliseconds.
          jitter: <int; 0-10000>

          # One way delay requirement for this load balance policy in milliseconds.
          latency: <int; 0-10000>

          # Loss Rate requirement in percentage for this load balance policy.
          # Value between 0.00 and 100.00.
          loss_rate: <str>
        path_groups: # >=1 items

            # List of path-group names.
          - names: # >=1 items; required
              - <str>

            # Valid values are 1-255 | preferred | alternate.

            # preferred is converted to priority 1.
            # alternate is converted to priority 2.
            preference: <str; default="preferred">
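
The ranges, reserved IDs and indexing rules documented above can be checked before AVD runs. The following Python is an added example, not part of AVD: it validates a `wan_virtual_topologies` dictionary against the documented constraints and derives the AutoVPN match order (control-plane rule at index 1, then `10 * <list_index>`, then the default match). The function names and the sample data are assumptions made for illustration, and the `loss_rate` pattern is assumed to use a literal dot.

```python
import re

LOSS_RATE_RE = re.compile(r"^\d+(\.\d{1,2})?$")  # assumption: the "." is a literal dot


def preference_to_priority(preference="preferred"):
    """preferred -> 1, alternate -> 2, otherwise an integer in 1-255."""
    named = {"preferred": 1, "alternate": 2}
    if preference in named:
        return named[preference]
    if re.fullmatch(r"[0-9]{1,3}", str(preference)) and 1 <= int(preference) <= 255:
        return int(preference)
    raise ValueError(f"invalid preference {preference!r}")


def check_topology(label, topo):
    """Range checks for the keys that every virtual topology shares."""
    errors, constraints = [], topo.get("constraints", {})
    limits = [(topo, "traffic_class", 7), (topo, "dscp", 63),
              (constraints, "jitter", 10000), (constraints, "latency", 10000)]
    for source, key, high in limits:
        value = source.get(key)
        if value is not None and not 0 <= value <= high:
            errors.append(f"{label}: {key} {value} outside 0-{high}")
    loss = constraints.get("loss_rate")
    if loss is not None and not (LOSS_RATE_RE.match(str(loss)) and float(loss) <= 100):
        errors.append(f"{label}: loss_rate {loss!r} is not 0.00-100.00")
    for group in topo.get("path_groups", []):
        try:
            preference_to_priority(group.get("preference", "preferred"))
        except ValueError as exc:
            errors.append(f"{label}: {exc}")
    return errors


def validate_policy(policy):
    """Errors for one entry of wan_virtual_topologies.policies."""
    name = policy.get("name", "<unnamed>")
    errors, seen_ids = [], set()
    for avt in policy.get("application_virtual_topologies", []):
        label = f"{name}/{avt.get('application_profile')}"
        avt_id = avt.get("id")
        if avt_id is not None:
            if not 2 <= avt_id <= 253:  # 1 = default topology, 254 = control plane
                errors.append(f"{label}: id {avt_id} outside 2-253")
            elif avt_id in seen_ids:
                errors.append(f"{label}: id {avt_id} reused in this policy")
            seen_ids.add(avt_id)
        errors += check_topology(label, avt)
    default = policy.get("default_virtual_topology")
    if default is None:
        return errors + [f"{name}: default_virtual_topology is required"]
    if not default.get("drop_unmatched", False) and not default.get("path_groups"):
        errors.append(f"{name}: default needs path_groups or drop_unmatched: true")
    return errors + check_topology(f"{name}/default", default)


def autovpn_match_plan(policy, on_default_vrf, control_plane_name="CONTROL-PLANE-PROFILE"):
    """AutoVPN match order as (index, application_profile, virtual topology name)."""
    name = policy["name"]
    plan = [(1, "<control-plane>", control_plane_name)] if on_default_vrf else []
    for list_index, avt in enumerate(policy.get("application_virtual_topologies", []), 1):
        profile = avt["application_profile"]
        plan.append((10 * list_index, profile, avt.get("name", f"{name}-{profile}")))
    default = policy["default_virtual_topology"]
    if not default.get("drop_unmatched", False):
        plan.append(("default-match", "<unmatched>", default.get("name", f"{name}-DEFAULT")))
    return plan


def validate(wan_virtual_topologies):
    """Validate every policy and every VRF-to-policy mapping."""
    policies = wan_virtual_topologies.get("policies", [])
    names = [policy.get("name") for policy in policies]
    errors = [error for policy in policies for error in validate_policy(policy)]
    for vrf in wan_virtual_topologies.get("vrfs", []):
        if vrf.get("policy") is not None and vrf["policy"] not in names:
            errors.append(f"vrf {vrf.get('name')}: unknown policy {vrf['policy']!r}")
    control_plane = wan_virtual_topologies.get("control_plane_virtual_topology", {})
    return errors + check_topology("control-plane", control_plane)


# Constructed sample input, not taken from a real inventory.
SAMPLE = {
    "vrfs": [{"name": "default", "policy": "PROD"}, {"name": "blue", "policy": "MISSING"}],
    "policies": [{
        "name": "PROD",
        "application_virtual_topologies": [
            {"application_profile": "VOICE", "id": 2, "path_groups": [{"names": ["MPLS"]}]},
            {"application_profile": "VIDEO", "id": 2, "dscp": 64,
             "path_groups": [{"names": ["INET"], "preference": "300"}]}],
        "default_virtual_topology": {},
    }],
}


if __name__ == "__main__":
    print(*validate(SAMPLE), *autovpn_match_plan(SAMPLE["policies"][0], True), sep="\n")
```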

Application Classification

Variable Type Required Default Value Restrictions Description
application_classification Dictionary PREVIEW: WAN Preview
  categories List, items: Dictionary List of categories.
    - name String Required, Unique Category name.
      applications List, items: Dictionary List of applications.
        - name String Application name.
          service String Valid Values:
- audio-video
- chat
- default
- file-transfer
- networking-protocols
- peer-to-peer
- software-update
Service Name.
Specific service to target for this application.
If no service is specified, all supported services of the application are matched.
Not all valid values are valid for all applications, check on EOS CLI.
  field_sets Dictionary
    l4_ports List, items: Dictionary L4 port field-set.
      - name String Required, Unique L4 port field-set name.
        port_values List, items: String
          - <str> String Port values or range of port values.
Port values are between 0 and 65535.
    ipv4_prefixes List, items: Dictionary IPv4 prefix field set.
      - name String Required, Unique IPv4 prefix field-set name.
        prefix_values List, items: String
          - <str> String IP prefix (ex 1.2.3.0/24).
  applications Dictionary
    ipv4_applications List, items: Dictionary List of user defined IPv4 applications.
      - name String Required, Unique Application name.
        src_prefix_set_name String Source prefix set name.
        dest_prefix_set_name String Destination prefix set name.
        protocols List, items: String List of protocols to consider for this application.

To use port field-sets (source, destination or both), the list
must contain only one or two protocols, either tcp or udp.
When using both protocols, one line is rendered for each in the configuration,
hence the field-sets must have the same value for tcp_src_port_set_name and
udp_src_port_set_name and for tcp_dest_port_set_name and udp_dest_port_set_name
if set in order to generate valid configuration in EOS.
          - <str> String Valid Values:
- ahp
- esp
- icmp
- igmp
- ospf
- pim
- rsvp
- tcp
- udp
- vrrp
        protocol_ranges List, items: String Accept protocol value(s) or range(s).
Protocol values can be between 1 and 255.
          - <str> String
        udp_src_port_set_name String Name of field set for UDP source ports.

When the protocols list contains both tcp and udp, this key value
must be the same as tcp_src_port_set_name.
        tcp_src_port_set_name String Name of field set for TCP source ports.

When the protocols list contains both tcp and udp, this key value
must be the same as udp_src_port_set_name.
        udp_dest_port_set_name String Name of field set for UDP destination ports.

When the protocols list contains both tcp and udp, this key value
must be the same as tcp_dest_port_set_name.
        tcp_dest_port_set_name String Name of field set for TCP destination ports.

When the protocols list contains both tcp and udp, this key value
must be the same as udp_dest_port_set_name.
  application_profiles List, items: Dictionary Group of applications.
    - name String Application Profile name.
      applications List, items: Dictionary List of applications part of the application profile.
        - name String Application Name.
          service String Valid Values:
- audio-video
- chat
- default
- file-transfer
- networking-protocols
- peer-to-peer
- software-update
Service Name.
Specific service to target for this application.
If no service is specified, all supported services of the application are matched.
Not all valid values are valid for all applications, check on EOS CLI.
      application_transports List, items: String List of transport protocols.
        - <str> String Valid Values:
- http
- https
- udp
- tcp
- ip
- ip6
- ssl
- rtp
- sctp
- quic
Transport name.
      categories List, items: Dictionary Categories under this application profile.
        - name String Name of a category.
          service String Valid Values:
- audio-video
- chat
- default
- file-transfer
- networking-protocols
- peer-to-peer
- software-update
Service Name.
Specific service to target for this application.
If no service is specified, all supported services of the application are matched.
Not all valid values are valid for all applications, check on EOS CLI.
# PREVIEW: WAN Preview
application_classification:

  # List of categories.
  categories:

      # Category name.
    - name: <str; required; unique>

      # List of applications.
      applications:

          # Application name.
        - name: <str>

          # Service Name.
          # Specific service to target for this application.
          # If no service is specified, all supported services of the application are matched.
          # Not all valid values are valid for all applications, check on EOS CLI.
          service: <str; "audio-video" | "chat" | "default" | "file-transfer" | "networking-protocols" | "peer-to-peer" | "software-update">
  field_sets:

    # L4 port field-set.
    l4_ports:

        # L4 port field-set name.
      - name: <str; required; unique>
        port_values:

            # Port values or range of port values.
            # Port values are between 0 and 65535.
          - <str>

    # IPv4 prefix field set.
    ipv4_prefixes:

        # IPv4 prefix field-set name.
      - name: <str; required; unique>
        prefix_values:

            # IP prefix (ex 1.2.3.0/24).
          - <str>
  applications:

    # List of user defined IPv4 applications.
    ipv4_applications:

        # Application name.
      - name: <str; required; unique>

        # Source prefix set name.
        src_prefix_set_name: <str>

        # Destination prefix set name.
        dest_prefix_set_name: <str>

        # List of protocols to consider for this application.

        # To use port field-sets (source, destination or both), the list
        # must contain only one or two protocols, either `tcp` or `udp`.
        # When using both protocols, one line is rendered for each in the configuration,
        # hence the field-sets must have the same value for `tcp_src_port_set_name` and
        # `udp_src_port_set_name` and for `tcp_dest_port_set_name` and `udp_dest_port_set_name`
        # if set in order to generate valid configuration in EOS.
        protocols:
          - <str; "ahp" | "esp" | "icmp" | "igmp" | "ospf" | "pim" | "rsvp" | "tcp" | "udp" | "vrrp">

        # Accept protocol value(s) or range(s).
        # Protocol values can be between 1 and 255.
        protocol_ranges:
          - <str>

        # Name of field set for UDP source ports.

        # When the `protocols` list contains both `tcp` and `udp`, this key value
        # must be the same as `tcp_src_port_set_name`.
        udp_src_port_set_name: <str>

        # Name of field set for TCP source ports.

        # When the `protocols` list contains both `tcp` and `udp`, this key value
        # must be the same as `udp_src_port_set_name`.
        tcp_src_port_set_name: <str>

        # Name of field set for UDP destination ports.

        # When the `protocols` list contains both `tcp` and `udp`, this key value
        # must be the same as `tcp_dest_port_set_name`.
        udp_dest_port_set_name: <str>

        # Name of field set for TCP destination ports.

        # When the `protocols` list contains both `tcp` and `udp`, this key value
        # must be the same as `udp_dest_port_set_name`.
        tcp_dest_port_set_name: <str>

  # Group of applications.
  application_profiles:

      # Application Profile name.
    - name: <str>

      # List of applications part of the application profile.
      applications:

          # Application Name.
        - name: <str>

          # Service Name.
          # Specific service to target for this application.
          # If no service is specified, all supported services of the application are matched.
          # Not all valid values are valid for all applications, check on EOS CLI.
          service: <str; "audio-video" | "chat" | "default" | "file-transfer" | "networking-protocols" | "peer-to-peer" | "software-update">

      # List of transport protocols.
      application_transports:

          # Transport name.
        - <str; "http" | "https" | "udp" | "tcp" | "ip" | "ip6" | "ssl" | "rtp" | "sctp" | "quic">

      # Categories under this application profile.
      categories:

          # Name of a category.
        - name: <str>

          # Service Name.
          # Specific service to target for this application.
          # If no service is specified, all supported services of the application are matched.
          # Not all valid values are valid for all applications, check on EOS CLI.
          service: <str; "audio-video" | "chat" | "default" | "file-transfer" | "networking-protocols" | "peer-to-peer" | "software-update">
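
The protocol and field-set rules for `ipv4_applications` are easy to get wrong when both `tcp` and `udp` are listed. The following Python is an added example, not part of AVD: it checks an `application_classification` dictionary against the documented port, protocol and tcp/udp field-set rules. The function names, the sample data, the `N-M` range syntax, the treatment of an unset tcp/udp counterpart as a mismatch, and the lint for undefined field-set references are assumptions made for illustration.

```python
import ipaddress

PROTOCOLS = {"ahp", "esp", "icmp", "igmp", "ospf", "pim", "rsvp", "tcp", "udp", "vrrp"}
PORT_SET_KEYS = ("tcp_src_port_set_name", "udp_src_port_set_name",
                 "tcp_dest_port_set_name", "udp_dest_port_set_name")


def parse_range(text, low, high):
    """Parse "N" or "N-M" (assumed range syntax) and require low <= N <= M <= high."""
    first, _, last = str(text).partition("-")
    start, end = int(first), int(last or first)
    if not low <= start <= end <= high:
        raise ValueError(f"{text!r} is outside {low}-{high}")
    return start, end


def check_field_sets(field_sets):
    """Errors for l4_ports (0-65535) and ipv4_prefixes (parsable IPv4 prefixes)."""
    errors = []
    for port_set in field_sets.get("l4_ports", []):
        for value in port_set.get("port_values", []):
            try:
                parse_range(value, 0, 65535)
            except ValueError as exc:
                errors.append(f"l4_ports {port_set['name']}: {exc}")
    for prefix_set in field_sets.get("ipv4_prefixes", []):
        for value in prefix_set.get("prefix_values", []):
            try:
                ipaddress.IPv4Network(value, strict=False)
            except ValueError as exc:
                errors.append(f"ipv4_prefixes {prefix_set['name']}: {exc}")
    return errors


def check_ipv4_application(app, port_sets, prefix_sets):
    """Errors for one entry of applications.ipv4_applications."""
    errors, name = [], app.get("name", "<unnamed>")
    protocols = set(app.get("protocols", []))
    errors += [f"{name}: unknown protocol {p!r}" for p in sorted(protocols - PROTOCOLS)]
    for value in app.get("protocol_ranges", []):
        try:
            parse_range(value, 1, 255)
        except ValueError as exc:
            errors.append(f"{name}: protocol_ranges {exc}")
    used = {key: app[key] for key in PORT_SET_KEYS if app.get(key)}
    # Port field-sets are only allowed when the list is tcp, udp, or both.
    if used and not (protocols and protocols <= {"tcp", "udp"}):
        errors.append(f"{name}: port field-sets need protocols to be tcp and/or udp only")
    if protocols == {"tcp", "udp"}:
        # One line is rendered per protocol, so both must name the same field-set.
        # Assumption: a counterpart that is left unset counts as a mismatch.
        for side in ("src", "dest"):
            tcp, udp = (used.get(f"{proto}_{side}_port_set_name") for proto in ("tcp", "udp"))
            if tcp != udp:
                errors.append(f"{name}: tcp/udp {side} port sets differ ({tcp!r} vs {udp!r})")
    # Lint added here: every referenced field-set must be defined under field_sets.
    for key, value in used.items():
        if value not in port_sets:
            errors.append(f"{name}: {key} refers to undefined l4_ports set {value!r}")
    for key in ("src_prefix_set_name", "dest_prefix_set_name"):
        if app.get(key) and app[key] not in prefix_sets:
            errors.append(f"{name}: {key} refers to undefined ipv4_prefixes set {app[key]!r}")
    return errors


def validate_classification(classification):
    """Validate field_sets and every user-defined IPv4 application."""
    field_sets = classification.get("field_sets", {})
    port_sets = {s["name"] for s in field_sets.get("l4_ports", [])}
    prefix_sets = {s["name"] for s in field_sets.get("ipv4_prefixes", [])}
    errors = check_field_sets(field_sets)
    for app in classification.get("applications", {}).get("ipv4_applications", []):
        errors += check_ipv4_application(app, port_sets, prefix_sets)
    return errors


# Constructed sample input, not taken from a real inventory.
SAMPLE = {
    "field_sets": {
        "l4_ports": [{"name": "DNS", "port_values": ["53"]},
                     {"name": "SIP", "port_values": ["5060-5061", "70000"]}],
        "ipv4_prefixes": [{"name": "DC", "prefix_values": ["10.10.0.0/16"]}],
    },
    "applications": {"ipv4_applications": [
        {"name": "dns", "dest_prefix_set_name": "DC", "protocols": ["tcp", "udp"],
         "tcp_dest_port_set_name": "DNS", "udp_dest_port_set_name": "DNS"},
        {"name": "voip", "protocols": ["tcp", "udp"],
         "tcp_dest_port_set_name": "SIP", "udp_dest_port_set_name": "DNS"},
        {"name": "mgmt", "src_prefix_set_name": "BRANCHES", "protocols": ["tcp", "icmp"],
         "tcp_dest_port_set_name": "SSH", "protocol_ranges": ["0", "47"]},
    ]},
}


if __name__ == "__main__":
    print(*validate_classification(SAMPLE), sep="\n")
```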

New BGP peer-group

Variable Type Required Default Value Restrictions Description
bgp_peer_groups Dictionary Leverage an Arista EOS switch to generate the encrypted password using the correct peer group name.
Note that the names of the peer groups use ‘-’ instead of ‘_’ in EOS configuration.
  wan_overlay_peers Dictionary PREVIEW: This key is currently not supported
    name String WAN-OVERLAY-PEERS Name of peer group.
    password String Type 7 encrypted password.
    bfd Boolean False
    listen_range_prefixes List, items: String Only used for nodes where wan_role is server like AutoVPN RRs and Pathfinders.
For clients, AVD will raise an error if the Loopback0 IP is not in any listen range.
      - <str> String The prefixes to use in listen_range.
    structured_config Dictionary Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen.
  wan_rr_overlay_peers Dictionary PREVIEW: This key is currently not supported
Configuration options for the peer-group created to peer between
AutoVPN RRs or CV-Pathfinders.
    name String WAN-RR-OVERLAY-PEERS Name of peer group.
    password String Type 7 encrypted password.
    bfd Boolean True
    structured_config Dictionary Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen.
# Leverage an Arista EOS switch to generate the encrypted password using the correct peer group name.
# Note that the names of the peer groups use '-' instead of '_' in EOS configuration.
bgp_peer_groups:

  # PREVIEW: This key is currently not supported
  wan_overlay_peers:

    # Name of peer group.
    name: <str; default="WAN-OVERLAY-PEERS">

    # Type 7 encrypted password.
    password: <str>
    bfd: <bool; default=False>

    # Only used for nodes where `wan_role` is `server` like AutoVPN RRs and Pathfinders.
    # For clients, AVD will raise an error if the Loopback0 IP is not in any listen range.
    listen_range_prefixes:

        # The prefixes to use in listen_range.
      - <str>

    # Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen.
    structured_config: <dict>

  # PREVIEW: This key is currently not supported
  # Configuration options for the peer-group created to peer between
  # AutoVPN RRs or CV-Pathfinders.
  wan_rr_overlay_peers:

    # Name of peer group.
    name: <str; default="WAN-RR-OVERLAY-PEERS">

    # Type 7 encrypted password.
    password: <str>
    bfd: <bool; default=True>

    # Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen.
    structured_config: <dict>

New node keys

Variable Type Required Default Value Restrictions Description
<node_type_keys.key> Dictionary
  defaults Dictionary Define variables for all nodes of this type.
    wan_role String Valid Values:
- client
- server
PREVIEW: This key is currently not supported
Override the default WAN role.

This is used for both AutoVPN and Pathfinder designs,
that is, when the wan_mode root key is set to autovpn or cv-pathfinder.
server indicates that the router is a route-reflector.

Only supported if overlay_routing_protocol is set to ibgp.
    cv_pathfinder_role String Valid Values:
- edge
- transit region
- pathfinder
PREVIEW: This key is currently not supported
Override the default CV Pathfinder role.

This key is used for Pathfinder designs only when the wan_mode root
key is set to cv-pathfinder.

pathfinder is only valid if wan_role is server.
edge and transit region are only valid if wan_role is client.
    cv_pathfinder_region String PREVIEW: This key is currently not supported

The CV Pathfinder region name.
    cv_pathfinder_site String PREVIEW: This key is currently not supported

The CV Pathfinder site name.
    dps_mss_ipv4 String auto PREVIEW: This key is currently not supported

IPv4 MSS value configured under “router path-selection” on WAN Devices.
  node_groups List, items: Dictionary Define variables related to all nodes part of this group.
    - group String Required, Unique The Node Group Name is used for MLAG domain unless set with ‘mlag_domain_id’.
The Node Group Name is also used for peer description on downstream switches’ uplinks.
      nodes List, items: Dictionary Define variables per node.
        - name String Required, Unique The Node Name is used as “hostname”.
          wan_role String Valid Values:
- client
- server
PREVIEW: This key is currently not supported
Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if wan_mode root key is set to autovpn or cv-pathfinder.
server indicates that the router is a route-reflector.

Only supported if overlay_routing_protocol is set to ibgp.
          cv_pathfinder_role String Valid Values:
- edge
- transit region
- pathfinder
PREVIEW: This key is currently not supported
Override the default CV Pathfinder role.

This key is used for Pathfinder designs only when the wan_mode root
key is set to cv-pathfinder.

pathfinder is only valid if wan_role is server.
edge and transit region are only valid if wan_role is client.
          cv_pathfinder_region String PREVIEW: This key is currently not supported

The CV Pathfinder region name.
          cv_pathfinder_site String PREVIEW: This key is currently not supported

The CV Pathfinder site name.
          dps_mss_ipv4 String auto PREVIEW: This key is currently not supported

IPv4 MSS value configured under “router path-selection” on WAN Devices.
      wan_role String Valid Values:
- client
- server
PREVIEW: This key is currently not supported
Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if wan_mode root key is set to autovpn or cv-pathfinder.
server indicates that the router is a route-reflector.

Only supported if overlay_routing_protocol is set to ibgp.
      cv_pathfinder_role String Valid Values:
- edge
- transit region
- pathfinder
PREVIEW: This key is currently not supported
Override the default CV Pathfinder role.

This key is used for Pathfinder designs only when the wan_mode root
key is set to cv-pathfinder.

pathfinder is only valid if wan_role is server.
edge and transit region are only valid if wan_role is client.
      cv_pathfinder_region String PREVIEW: This key is currently not supported

The CV Pathfinder region name.
      cv_pathfinder_site String PREVIEW: This key is currently not supported

The CV Pathfinder site name.
      dps_mss_ipv4 String auto PREVIEW: This key is currently not supported

IPv4 MSS value configured under “router path-selection” on WAN Devices.
  nodes List, items: Dictionary Define variables per node.
    - name String Required, Unique The Node Name is used as “hostname”.
      wan_role String Valid Values:
- client
- server
PREVIEW: This key is currently not supported
Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if wan_mode root key is set to autovpn or cv-pathfinder.
server indicates that the router is a route-reflector.

Only supported if overlay_routing_protocol is set to ibgp.
      cv_pathfinder_role String Valid Values:
- edge
- transit region
- pathfinder
PREVIEW: This key is currently not supported
Override the default CV Pathfinder role.

This key is used for Pathfinder designs only when the wan_mode root
key is set to cv-pathfinder.

pathfinder is only valid if wan_role is server.
edge and transit region are only valid if wan_role is client.
      cv_pathfinder_region String PREVIEW: This key is currently not supported

The CV Pathfinder region name.
      cv_pathfinder_site String PREVIEW: This key is currently not supported

The CV Pathfinder site name.
      dps_mss_ipv4 String auto PREVIEW: This key is currently not supported

IPv4 MSS value configured under “router path-selection” on WAN Devices.
<node_type_keys.key>:

  # Define variables for all nodes of this type.
  defaults:

    # PREVIEW: This key is currently not supported
    # Override the default WAN role.

    # This is used both for AutoVPN and Pathfinder designs.
    # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
    # `server` indicates that the router is a route-reflector.

    # Only supported if `overlay_routing_protocol` is set to `ibgp`.
    wan_role: <str; "client" | "server">

    # PREVIEW: This key is currently not supported
    # Override the default CV Pathfinder role.

    # This key is used for Pathfinder designs only when the `wan_mode` root
    # key is set to `cv-pathfinder`.

    # `pathfinder` is only valid if `wan_role` is `server`.
    # `edge` and `transit region` are only valid if `wan_role` is `client`.
    cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">

    # PREVIEW: This key is currently not supported

    # The CV Pathfinder region name.
    cv_pathfinder_region: <str>

    # PREVIEW: This key is currently not supported

    # The CV Pathfinder site name.
    cv_pathfinder_site: <str>

    # PREVIEW: This key is currently not supported

    # IPv4 MSS value configured under "router path-selection" on WAN Devices.
    dps_mss_ipv4: <str; default="auto">

  # Define variables related to all nodes part of this group.
  node_groups:

      # The Node Group Name is used for MLAG domain unless set with 'mlag_domain_id'.
      # The Node Group Name is also used for peer description on downstream switches' uplinks.
    - group: <str; required; unique>

      # Define variables per node.
      nodes:

          # The Node Name is used as "hostname".
        - name: <str; required; unique>

          # PREVIEW: This key is currently not supported
          # Override the default WAN role.

          # This is used both for AutoVPN and Pathfinder designs.
          # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
          # `server` indicates that the router is a route-reflector.

          # Only supported if `overlay_routing_protocol` is set to `ibgp`.
          wan_role: <str; "client" | "server">

          # PREVIEW: This key is currently not supported
          # Override the default CV Pathfinder role.

          # This key is used for Pathfinder designs only when the `wan_mode` root
          # key is set to `cv-pathfinder`.

          # `pathfinder` is only valid if `wan_role` is `server`.
          # `edge` and `transit region` are only valid if `wan_role` is `client`.
          cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">

          # PREVIEW: This key is currently not supported

          # The CV Pathfinder region name.
          cv_pathfinder_region: <str>

          # PREVIEW: This key is currently not supported

          # The CV Pathfinder site name.
          cv_pathfinder_site: <str>

          # PREVIEW: This key is currently not supported

          # IPv4 MSS value configured under "router path-selection" on WAN Devices.
          dps_mss_ipv4: <str; default="auto">

      # PREVIEW: This key is currently not supported
      # Override the default WAN role.

      # This is used both for AutoVPN and Pathfinder designs.
      # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
      # `server` indicates that the router is a route-reflector.

      # Only supported if `overlay_routing_protocol` is set to `ibgp`.
      wan_role: <str; "client" | "server">

      # PREVIEW: This key is currently not supported
      # Override the default CV Pathfinder role.

      # This key is used for Pathfinder designs only when the `wan_mode` root
      # key is set to `cv-pathfinder`.

      # `pathfinder` is only valid if `wan_role` is `server`.
      # `edge` and `transit region` are only valid if `wan_role` is `client`.
      cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">

      # PREVIEW: This key is currently not supported

      # The CV Pathfinder region name.
      cv_pathfinder_region: <str>

      # PREVIEW: This key is currently not supported

      # The CV Pathfinder site name.
      cv_pathfinder_site: <str>

      # PREVIEW: This key is currently not supported

      # IPv4 MSS value configured under "router path-selection" on WAN Devices.
      dps_mss_ipv4: <str; default="auto">

  # Define variables per node.
  nodes:

      # The Node Name is used as "hostname".
    - name: <str; required; unique>

      # PREVIEW: This key is currently not supported
      # Override the default WAN role.

      # This is used both for AutoVPN and Pathfinder designs.
      # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
      # `server` indicates that the router is a route-reflector.

      # Only supported if `overlay_routing_protocol` is set to `ibgp`.
      wan_role: <str; "client" | "server">

      # PREVIEW: This key is currently not supported
      # Override the default CV Pathfinder role.

      # This key is used for Pathfinder designs only when the `wan_mode` root
      # key is set to `cv-pathfinder`.

      # `pathfinder` is only valid if `wan_role` is `server`.
      # `edge` and `transit region` are only valid if `wan_role` is `client`.
      cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">

      # PREVIEW: This key is currently not supported

      # The CV Pathfinder region name.
      cv_pathfinder_region: <str>

      # PREVIEW: This key is currently not supported

      # The CV Pathfinder site name.
      cv_pathfinder_site: <str>

      # PREVIEW: This key is currently not supported

      # IPv4 MSS value configured under "router path-selection" on WAN Devices.
      dps_mss_ipv4: <str; default="auto">

New node type keys

Variable Type Required Default Value Restrictions Description
node_type_keys List, items: Dictionary Define Node Type Keys, to specify the properties of each node type in the fabric.
This allows for complete customization of the fabric layout and functionality.
node_type_keys should be defined in top level group_var for the fabric.
The default values will be overridden if defining this key, so it is recommended to copy the defaults and modify them.
  - key String Required, Unique
    default_wan_role String Valid Values:
- client
- server
PREVIEW: This key is currently not supported
Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if wan_mode root key is set to autovpn or cv-pathfinder.
server indicates that the router is a route-reflector.

Only supported if overlay_routing_protocol is set to ibgp.
    default_cv_pathfinder_role String Valid Values:
- edge
- transit region
- pathfinder
PREVIEW: This key is currently not supported
Set the default CV Pathfinder role.

This key is used for Pathfinder designs only when the wan_mode root
key is set to cv-pathfinder.

pathfinder is only valid if wan_role is server.
edge and transit region are only valid if wan_role is client.
# Define Node Type Keys, to specify the properties of each node type in the fabric.
# This allows for complete customization of the fabric layout and functionality.
# `node_type_keys` should be defined in top level group_var for the fabric.
# The default values will be overridden if defining this key, so it is recommended to copy the defaults and modify them.
node_type_keys:
  - key: <str; required; unique>

    # PREVIEW: This key is currently not supported
    # Set the default WAN role.

    # This is used both for AutoVPN and Pathfinder designs.
    # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
    # `server` indicates that the router is a route-reflector.

    # Only supported if `overlay_routing_protocol` is set to `ibgp`.
    default_wan_role: <str; "client" | "server">

    # PREVIEW: This key is currently not supported
    # Set the default CV Pathfinder role.

    # This key is used for Pathfinder designs only when the `wan_mode` root
    # key is set to `cv-pathfinder`.

    # `pathfinder` is only valid if `wan_role` is `server`.
    # `edge` and `transit region` are only valid if `wan_role` is `client`.
    default_cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">

CloudVision Tags

arista.avd.eos_designs will generate CloudVision Tags that assist CloudVision with visualizing the WAN.

Device Tags

| Tag Name | Source of information |
| --- | --- |
| Region | cv_pathfinder_region if cv_pathfinder_role is set but not pathfinder |
| Zone | DEFAULT-ZONE if cv_pathfinder_role is set but not pathfinder |
| Site | cv_pathfinder_site if cv_pathfinder_role is set but not pathfinder |
| PathfinderSet | name of node_group or default PATHFINDERS if cv_pathfinder_role is pathfinder |
| Role | cv_pathfinder_role if set |

Interface Tags

| Hint Tag Name | Source of information |
| --- | --- |
| Type | lan or wan if cv_pathfinder_role is set |
| Carrier | wan_carrier if cv_pathfinder_role is set and this is a WAN interface |
| Circuit | wan_circuit_id if cv_pathfinder_role is set and this is a LAN interface |

Getting started with WAN

Global settings

TODO - cover here WAN hierarchy, wan mode, route-servers, path-groups and carriers and how they are linked together.

WAN interfaces

TODO

Defining policies

TODO