Skip to content

WAN preview

Warning

The integration of WAN designs to eos_designs role is in preview mode.

Everything is subject to change, is not supported and may not be complete.

If you have any questions, please leverage the GitHub discussions board

Overview

The intention is to support both a single AutoVPN design and CV Pathfinder.

Design points

  • The intent is to be able to support having the different WAN participating devices in different inventories.
  • Only iBGP is supported as an overlay_routing_protocol.
  • On the AutoVPN Route Reflectors and Pathfinders, a listen range statement is used for BGP to allow for point number 1.
  • The default VRF is being configured by default on all WAN devices with a vni_id of 1. To override this, it is necessary to configure the default VRF in a tenant in network_services.
  • When configuring HA on a site, the path-group ID 65535 is reserved for the path-group called LAN_HA.
  • The policies definition works as follow:

    • The policies are defined under wan_virtual_topologies.policies. For AutoVPN mode, the policies are configured under router path-selection, for CV Pathfinder, they are configured under router adaptive-virtual-topology.
    • A policy is composed of a list of application_virtual_topologies and one default_virtual_topology.
    • The application_virtual_topologies entries and the default_virtual_topology key are used to create the policy match statement, the AVT profile (when wan_mode is CV Pathfinder) and the load balancing policy.
    • The default_virtual_topology is used as the default match in the policy. To prevent configuring it, the drop_unmatched boolean must be set to true otherwise, at least one path-group must be configured or AVD will raise an error.
    • Policies are assigned to VRFs using the list wan_virtual_topologies.vrfs. A policy can be reused in multiple VRFs.
    • If no policy is assigned for the default VRF policy, AVD auto generates one with one default_virtual_topology entry configured to use all available local path-groups.
    • For the policy defined for VRF default (or the auto-generared one), an extra match statement is injected in the policy to match the traffic towards the Pathfinders or AutoVPN RRs, the name of the application-profile is hardcoded as CONTROL-PLANE-APPLICATION-PROFILE. A special policy is created by appending -WITH-CP at the end of the targetted policy name.

Known limitations

  • Zones are not configurable for CV Pathfinder. All sites are being configured in a default zone DEFAULT-ZONE with ID 1.
  • Because of the previous point, in eos_designs, the transit node type is always configured as transit region.
  • For cv-pathfinder mode, the following flow-tracking configuration is applied without any customization possible:
    flow tracking hardware
       tracker WAN-FLOW-TRACKER
        record export on inactive timeout 70000
        record export on interval 5000
        exporter DPI-EXPORTER
         collector 127.0.0.1
         local interface Loopback0
         template interval 5000
    
  • No IPv6 support
  • For WAN interfaces, NAT IP on the Pathfinder side can be supported using the wan_route_servers.path_groups.interfaces key.
  • Path-group ID is currently required under wan_path_groups until an algorithm is implemented to auto generate IDs.

Future work

  • As of now, only the fundations of the eos_designs functionality for WAN is being introduced without any support for LAN interfaces.
  • Auto generation of Path-group IDs and other IDs.
  • HA for sites will be covered in a future PR

eos_cli_config_gen support

  • eos_cli_config_gen schema should support all of the required keys to configure a WAN network, whether AutoVPN or Pathfinder. If you find any missing functionality, please open an issue on Github.

Input variables

Warning

All the keys in this section marked as PREVIEW or children of a key marked as PREVIEW are subject to change and are not supported.

New node types in L3LS eos_designs

  • wan_edge: Edge routers for AutoVPN or Pathfinder depending on the wan_mode value.
  • wan_transit: Transit routers in Pathfinder context, not supported for AutoVPN.
  • wan_rr: AutoVPN RR or Pathfinder depending on the wan_mode value.

The following table indicates the settings:

Node Type Key Underlay Router Uplink Type Default EVPN Role L2 Network Services L3 Network Services VTEP MLAG Support Connected Endpoints Defaut WAN Role Default CV Pathfinder Role
wan_rr p2p server server pathfinder
wan_edge p2p client client edge
wan_transit p2p client client transit region

All these node types are defined with default_underlay_routing_protocol: none and default_overlay_routing_protocol: ibgp.

WAN Settings

Top level keys

Variable Type Required Default Value Restrictions Description
wan_ipsec_profiles Dictionary PREVIEW: This key is currently not supported

Define IPsec profiles parameters for WAN configuration.
  control_plane Dictionary Required PREVIEW: This key is currently not supported
    ike_policy_name String CP-IKE-POLICY Name of the IKE policy.
    sa_policy_name String CP-SA-POLICY Name of the SA policy.
    profile_name String CP-PROFILE Name of the IPSec profile.
    shared_key String Required The IPSec shared key.
This variable is sensitive and SHOULD be configured using some vault mechanism.
  data_plane Dictionary If data_plane is not defined, control_plane information is used for both.
    ike_policy_name String DP-IKE-POLICY Name of the IKE policy.
    sa_policy_name String DP-SA-POLICY Name of the SA policy.
    profile_name String DP-PROFILE Name of the IPSec profile.
    shared_key String Required The type 7 encrypted IPSec shared key.
This variable is sensitive and should be configured using some vault mechanism.
wan_mode String cv-pathfinder Valid Values:
- autovpn
- cv-pathfinder
PREVIEW: This key is currently not supported

Select if the WAN should be run using CV Pathfinder or Auto VPN only.
wan_route_servers List, items: Dictionary PREVIEW: This key is currently not supported

List of the AutoVPN RRs when using wan_mode=autovpn, or the Pathfinders
when using wan_mode=cv-pathfinder, to which the device should connect to.

When the route server is part of the same inventory as the WAN routers,
only the name is required.
  - hostname String Required, Unique Route-Reflector hostname.
    vtep_ip String Route-Reflector VTEP IP Address. This is usually the IP address under interface Dps1.
    path_groups List, items: Dictionary Path-groups through which the Route Reflector/Pathfinder is reached.
      - name String Required, Unique Path-group name.
        interfaces List, items: Dictionary Required Min Length: 1
          - name String Required, Unique Interface name.
            ip_address String The public IP address of the Route Reflector for this path-group.
# PREVIEW: This key is currently not supported

# Define IPsec profiles parameters for WAN configuration.
wan_ipsec_profiles:

  # PREVIEW: This key is currently not supported
  control_plane: # required

    # Name of the IKE policy.
    ike_policy_name: <str; default="CP-IKE-POLICY">

    # Name of the SA policy.
    sa_policy_name: <str; default="CP-SA-POLICY">

    # Name of the IPSec profile.
    profile_name: <str; default="CP-PROFILE">

    # The IPSec shared key.
    # This variable is sensitive and SHOULD be configured using some vault mechanism.
    shared_key: <str; required>

  # If `data_plane` is not defined, `control_plane` information is used for both.
  data_plane:

    # Name of the IKE policy.
    ike_policy_name: <str; default="DP-IKE-POLICY">

    # Name of the SA policy.
    sa_policy_name: <str; default="DP-SA-POLICY">

    # Name of the IPSec profile.
    profile_name: <str; default="DP-PROFILE">

    # The type 7 encrypted IPSec shared key.
    # This variable is sensitive and should be configured using some vault mechanism.
    shared_key: <str; required>

# PREVIEW: This key is currently not supported

# Select if the WAN should be run using CV Pathfinder or Auto VPN only.
wan_mode: <str; "autovpn" | "cv-pathfinder"; default="cv-pathfinder">

# PREVIEW: This key is currently not supported

# List of the AutoVPN RRs when using `wan_mode`=`autovpn`, or the Pathfinders
# when using `wan_mode`=`cv-pathfinder`, to which the device should connect to.

# When the route server is part of the same inventory as the WAN routers,
# only the name is required.
wan_route_servers:

    # Route-Reflector hostname.
  - hostname: <str; required; unique>

    # Route-Reflector VTEP IP Address. This is usually the IP address under `interface Dps1`.
    vtep_ip: <str>

    # Path-groups through which the Route Reflector/Pathfinder is reached.
    path_groups:

        # Path-group name.
      - name: <str; required; unique>
        interfaces: # >=1 items; required

            # Interface name.
          - name: <str; required; unique>

            # The public IP address of the Route Reflector for this path-group.
            ip_address: <str>
WAN path-groups
Variable Type Required Default Value Restrictions Description
wan_path_groups List, items: Dictionary PREVIEW: This key is currently not supported
List of path-groups used for the WAN configuration.
  - name String Required, Unique Path-group name.
    id Integer Required Path-group id.

TODO: Required until an auto ID algorithm is implemented.
    description String Additional information about the path-group for documentation purposes.
    ipsec Boolean True Flag to configure IPsec at the path-group level.

When set to true, IPsec is enabled for both the static and dynamic peers.
    import_path_groups List, items: Dictionary List of [ath-groups to import in this path-group.
      - remote String Remote path-group to import.
        local String Optional, if not set, the path-group name is used as local.
# PREVIEW: This key is currently not supported
# List of path-groups used for the WAN configuration.
wan_path_groups:

    # Path-group name.
  - name: <str; required; unique>

    # Path-group id.

    # TODO: Required until an auto ID algorithm is implemented.
    id: <int; required>

    # Additional information about the path-group for documentation purposes.
    description: <str>

    # Flag to configure IPsec at the path-group level.

    # When set to `true`, IPsec is enabled for both the static and dynamic peers.
    ipsec: <bool; default=True>

    # List of [ath-groups to import in this path-group.
    import_path_groups:

        # Remote path-group to import.
      - remote: <str>

        # Optional, if not set, the path-group `name` is used as local.
        local: <str>
WAN carriers
Variable Type Required Default Value Restrictions Description
wan_carriers List, items: Dictionary PREVIEW: This key is currently not supported

List of carriers used for the WAN configuration and their mapping to path-groups.
  - name String Required, Unique Carrier name.
    description String Additional information about the carrier for documentation purposes.
    path_group String Required The path-group to which this carrier belongs.
# PREVIEW: This key is currently not supported

# List of carriers used for the WAN configuration and their mapping to path-groups.
wan_carriers:

    # Carrier name.
  - name: <str; required; unique>

    # Additional information about the carrier for documentation purposes.
    description: <str>

    # The path-group to which this carrier belongs.
    path_group: <str; required>
WAN hierarchy

Note

This section is only relevant for CV Pathfinder and not for AutoVPN

Variable Type Required Default Value Restrictions Description
cv_pathfinder_regions List, items: Dictionary PREVIEW: This key is currently not supported
Define the SDWAN hierarchy for the device.
  - description String
    id Integer Required Min: 1
Max: 255
The region ID must be unique for the whole WAN deployment.
    sites List, items: Dictionary All sites are placed in a default zone called DEFAULT-ZONE with ID 1.
      - description String
        id Integer Required Min: 1
Max: 10000
The site ID must be unique within a zone.
Given that all the sites are placed in the DEFAULT-ZONE, the site ID must be unique within a region.
        location String Will be interpreted
        site_contact String
        site_after_hours_contact String
        name String Required, Unique
    name String Required, Unique
# PREVIEW: This key is currently not supported
# Define the SDWAN hierarchy for the device.
cv_pathfinder_regions:
  - description: <str>

    # The region ID must be unique for the whole WAN deployment.
    id: <int; 1-255; required>

    # All sites are placed in a default zone called DEFAULT-ZONE with ID 1.
    sites:
      - description: <str>

        # The site ID must be unique within a zone.
        # Given that all the sites are placed in the DEFAULT-ZONE, the site ID must be unique within a region.
        id: <int; 1-10000; required>

        # Will be interpreted
        location: <str>
        site_contact: <str>
        site_after_hours_contact: <str>
        name: <str; required; unique>
    name: <str; required; unique>

WAN interfaces

Variable Type Required Default Value Restrictions Description
<node_type_keys.key> Dictionary
  defaults Dictionary Define variables for all nodes of this type.
    l3_interfaces List, items: Dictionary PREVIEW: This key is currently not supported

L3 Interfaces currently only use for WAN interfaces.
      - profile String L3 interface profile name. Profile defined under l3_interface_profiles.
        name String Required, Unique Pattern: Ethernet[\d/]+(.[\d]+)? Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’
For a subinterface, the parent physical interface is automatically created.
        description String Interface description.
If not set a default description will be configured with ‘[[ ]]’
        ip_address String Node IPv4 address/Mask or ‘dhcp’.
        encapsulation_dot1q_vlan Integer Min: 1
Max: 4094
For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
        dhcp_accept_default_route Boolean False Accept a default route from DHCP if ip_address is set to dhcp.
        enabled Boolean True Enable or Shutdown the interface.
        speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
        peer String The peer device name. Used for description and documentation
        peer_interface String The peer device interface. Used for description and documentation
        peer_ip String The peer device IPv4 address (no mask). Used as default route gateway if set_default_route is true and ip is an IP address.
        static_routes List, items: Dictionary Min Length: 1 Configure IPv4 static routes pointing to peer_ip.
          - prefix String Required IPv4_network/Mask
        qos_profile String QOS service profile.
        wan_carrier String The WAN Carrier this interface is connected to.
This is used to infer the path-groups in which this interface should be configured.
        wan_circuit_id String The WAN Circuit ID for this interface.
This is not rendered in the configuration but used for WAN designs.
        connected_to_pathfinder Boolean True For a WAN interface (wan_path_group is set), allow to disable the static tunnel towards Pathfinders.
        raw_eos_cli String EOS CLI rendered directly on the interface in the final EOS configuration.
        structured_config Dictionary Custom structured config for the Ethernet interface.
  node_groups List, items: Dictionary Define variables related to all nodes part of this group.
    - group String Required, Unique The Node Group Name is used for MLAG domain unless set with ‘mlag_domain_id’.
The Node Group Name is also used for peer description on downstream switches’ uplinks.
      nodes List, items: Dictionary Define variables per node.
        - name String Required, Unique The Node Name is used as “hostname”.
          l3_interfaces List, items: Dictionary PREVIEW: This key is currently not supported

L3 Interfaces currently only use for WAN interfaces.
            - profile String L3 interface profile name. Profile defined under l3_interface_profiles.
              name String Required, Unique Pattern: Ethernet[\d/]+(.[\d]+)? Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’
For a subinterface, the parent physical interface is automatically created.
              description String Interface description.
If not set a default description will be configured with ‘[[ ]]’
              ip_address String Node IPv4 address/Mask or ‘dhcp’.
              encapsulation_dot1q_vlan Integer Min: 1
Max: 4094
For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
              dhcp_accept_default_route Boolean False Accept a default route from DHCP if ip_address is set to dhcp.
              enabled Boolean True Enable or Shutdown the interface.
              speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
              peer String The peer device name. Used for description and documentation
              peer_interface String The peer device interface. Used for description and documentation
              peer_ip String The peer device IPv4 address (no mask). Used as default route gateway if set_default_route is true and ip is an IP address.
              static_routes List, items: Dictionary Min Length: 1 Configure IPv4 static routes pointing to peer_ip.
                - prefix String Required IPv4_network/Mask
              qos_profile String QOS service profile.
              wan_carrier String The WAN Carrier this interface is connected to.
This is used to infer the path-groups in which this interface should be configured.
              wan_circuit_id String The WAN Circuit ID for this interface.
This is not rendered in the configuration but used for WAN designs.
              connected_to_pathfinder Boolean True For a WAN interface (wan_path_group is set), allow to disable the static tunnel towards Pathfinders.
              raw_eos_cli String EOS CLI rendered directly on the interface in the final EOS configuration.
              structured_config Dictionary Custom structured config for the Ethernet interface.
      l3_interfaces List, items: Dictionary PREVIEW: This key is currently not supported

L3 Interfaces currently only use for WAN interfaces.
        - profile String L3 interface profile name. Profile defined under l3_interface_profiles.
          name String Required, Unique Pattern: Ethernet[\d/]+(.[\d]+)? Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’
For a subinterface, the parent physical interface is automatically created.
          description String Interface description.
If not set a default description will be configured with ‘[[ ]]’
          ip_address String Node IPv4 address/Mask or ‘dhcp’.
          encapsulation_dot1q_vlan Integer Min: 1
Max: 4094
For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
          dhcp_accept_default_route Boolean False Accept a default route from DHCP if ip_address is set to dhcp.
          enabled Boolean True Enable or Shutdown the interface.
          speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
          peer String The peer device name. Used for description and documentation
          peer_interface String The peer device interface. Used for description and documentation
          peer_ip String The peer device IPv4 address (no mask). Used as default route gateway if set_default_route is true and ip is an IP address.
          static_routes List, items: Dictionary Min Length: 1 Configure IPv4 static routes pointing to peer_ip.
            - prefix String Required IPv4_network/Mask
          qos_profile String QOS service profile.
          wan_carrier String The WAN Carrier this interface is connected to.
This is used to infer the path-groups in which this interface should be configured.
          wan_circuit_id String The WAN Circuit ID for this interface.
This is not rendered in the configuration but used for WAN designs.
          connected_to_pathfinder Boolean True For a WAN interface (wan_path_group is set), allow to disable the static tunnel towards Pathfinders.
          raw_eos_cli String EOS CLI rendered directly on the interface in the final EOS configuration.
          structured_config Dictionary Custom structured config for the Ethernet interface.
  nodes List, items: Dictionary Define variables per node.
    - name String Required, Unique The Node Name is used as “hostname”.
      l3_interfaces List, items: Dictionary PREVIEW: This key is currently not supported

L3 Interfaces currently only use for WAN interfaces.
        - profile String L3 interface profile name. Profile defined under l3_interface_profiles.
          name String Required, Unique Pattern: Ethernet[\d/]+(.[\d]+)? Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’
For a subinterface, the parent physical interface is automatically created.
          description String Interface description.
If not set a default description will be configured with ‘[[ ]]’
          ip_address String Node IPv4 address/Mask or ‘dhcp’.
          encapsulation_dot1q_vlan Integer Min: 1
Max: 4094
For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
          dhcp_accept_default_route Boolean False Accept a default route from DHCP if ip_address is set to dhcp.
          enabled Boolean True Enable or Shutdown the interface.
          speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
          peer String The peer device name. Used for description and documentation
          peer_interface String The peer device interface. Used for description and documentation
          peer_ip String The peer device IPv4 address (no mask). Used as default route gateway if set_default_route is true and ip is an IP address.
          static_routes List, items: Dictionary Min Length: 1 Configure IPv4 static routes pointing to peer_ip.
            - prefix String Required IPv4_network/Mask
          qos_profile String QOS service profile.
          wan_carrier String The WAN Carrier this interface is connected to.
This is used to infer the path-groups in which this interface should be configured.
          wan_circuit_id String The WAN Circuit ID for this interface.
This is not rendered in the configuration but used for WAN designs.
          connected_to_pathfinder Boolean True For a WAN interface (wan_path_group is set), allow to disable the static tunnel towards Pathfinders.
          raw_eos_cli String EOS CLI rendered directly on the interface in the final EOS configuration.
          structured_config Dictionary Custom structured config for the Ethernet interface.
l3_interface_profiles List, items: Dictionary PREVIEW: This key is currently not supported

Profiles to inherit common settings for l3_interfaces defined under the node type key.
These profiles will not work for l3_interfaces defined under vrfs.
  - profile String Required, Unique L3 interface profile name. Any variable supported under l3_interfaces can be inherited from a profile.
    name String Pattern: Ethernet[\d/]+(.[\d]+)? Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’
For a subinterface, the parent physical interface is automatically created.
    description String Interface description.
If not set a default description will be configured with ‘[[ ]]’
    ip_address String Node IPv4 address/Mask or ‘dhcp’.
    encapsulation_dot1q_vlan Integer Min: 1
Max: 4094
For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
    dhcp_accept_default_route Boolean False Accept a default route from DHCP if ip_address is set to dhcp.
    enabled Boolean True Enable or Shutdown the interface.
    speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
    peer String The peer device name. Used for description and documentation
    peer_interface String The peer device interface. Used for description and documentation
    peer_ip String The peer device IPv4 address (no mask). Used as default route gateway if set_default_route is true and ip is an IP address.
    static_routes List, items: Dictionary Min Length: 1 Configure IPv4 static routes pointing to peer_ip.
      - prefix String Required IPv4_network/Mask
    qos_profile String QOS service profile.
    wan_carrier String The WAN Carrier this interface is connected to.
This is used to infer the path-groups in which this interface should be configured.
    wan_circuit_id String The WAN Circuit ID for this interface.
This is not rendered in the configuration but used for WAN designs.
    connected_to_pathfinder Boolean True For a WAN interface (wan_path_group is set), allow to disable the static tunnel towards Pathfinders.
    raw_eos_cli String EOS CLI rendered directly on the interface in the final EOS configuration.
    structured_config Dictionary Custom structured config for the Ethernet interface.
<node_type_keys.key>:

  # Define variables for all nodes of this type.
  defaults:

    # PREVIEW: This key is currently not supported

    # L3 Interfaces currently only use for WAN interfaces.
    l3_interfaces:

        # L3 interface profile name. Profile defined under `l3_interface_profiles`.
      - profile: <str>

        # Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
        # For a subinterface, the parent physical interface is automatically created.
        name: <str; required; unique>

        # Interface description.
        # If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
        description: <str>

        # Node IPv4 address/Mask or 'dhcp'.
        ip_address: <str>

        # For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
        encapsulation_dot1q_vlan: <int; 1-4094>

        # Accept a default route from DHCP if `ip_address` is set to `dhcp`.
        dhcp_accept_default_route: <bool; default=False>

        # Enable or Shutdown the interface.
        enabled: <bool; default=True>

        # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
        speed: <str>

        # The peer device name. Used for description and documentation
        peer: <str>

        # The peer device interface. Used for description and documentation
        peer_interface: <str>

        # The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
        peer_ip: <str>

        # Configure IPv4 static routes pointing to `peer_ip`.
        static_routes: # >=1 items

            # IPv4_network/Mask
          - prefix: <str; required>

        # QOS service profile.
        qos_profile: <str>

        # The WAN Carrier this interface is connected to.
        # This is used to infer the path-groups in which this interface should be configured.
        wan_carrier: <str>

        # The WAN Circuit ID for this interface.
        # This is not rendered in the configuration but used for WAN designs.
        wan_circuit_id: <str>

        # For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders.
        connected_to_pathfinder: <bool; default=True>

        # EOS CLI rendered directly on the interface in the final EOS configuration.
        raw_eos_cli: <str>

        # Custom structured config for the Ethernet interface.
        structured_config: <dict>

  # Define variables related to all nodes part of this group.
  node_groups:

      # The Node Group Name is used for MLAG domain unless set with 'mlag_domain_id'.
      # The Node Group Name is also used for peer description on downstream switches' uplinks.
    - group: <str; required; unique>

      # Define variables per node.
      nodes:

          # The Node Name is used as "hostname".
        - name: <str; required; unique>

          # PREVIEW: This key is currently not supported

          # L3 Interfaces currently only use for WAN interfaces.
          l3_interfaces:

              # L3 interface profile name. Profile defined under `l3_interface_profiles`.
            - profile: <str>

              # Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
              # For a subinterface, the parent physical interface is automatically created.
              name: <str; required; unique>

              # Interface description.
              # If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
              description: <str>

              # Node IPv4 address/Mask or 'dhcp'.
              ip_address: <str>

              # For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
              encapsulation_dot1q_vlan: <int; 1-4094>

              # Accept a default route from DHCP if `ip_address` is set to `dhcp`.
              dhcp_accept_default_route: <bool; default=False>

              # Enable or Shutdown the interface.
              enabled: <bool; default=True>

              # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
              speed: <str>

              # The peer device name. Used for description and documentation
              peer: <str>

              # The peer device interface. Used for description and documentation
              peer_interface: <str>

              # The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
              peer_ip: <str>

              # Configure IPv4 static routes pointing to `peer_ip`.
              static_routes: # >=1 items

                  # IPv4_network/Mask
                - prefix: <str; required>

              # QOS service profile.
              qos_profile: <str>

              # The WAN Carrier this interface is connected to.
              # This is used to infer the path-groups in which this interface should be configured.
              wan_carrier: <str>

              # The WAN Circuit ID for this interface.
              # This is not rendered in the configuration but used for WAN designs.
              wan_circuit_id: <str>

              # For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders.
              connected_to_pathfinder: <bool; default=True>

              # EOS CLI rendered directly on the interface in the final EOS configuration.
              raw_eos_cli: <str>

              # Custom structured config for the Ethernet interface.
              structured_config: <dict>

      # PREVIEW: This key is currently not supported

      # L3 Interfaces currently only use for WAN interfaces.
      l3_interfaces:

          # L3 interface profile name. Profile defined under `l3_interface_profiles`.
        - profile: <str>

          # Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
          # For a subinterface, the parent physical interface is automatically created.
          name: <str; required; unique>

          # Interface description.
          # If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
          description: <str>

          # Node IPv4 address/Mask or 'dhcp'.
          ip_address: <str>

          # For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
          encapsulation_dot1q_vlan: <int; 1-4094>

          # Accept a default route from DHCP if `ip_address` is set to `dhcp`.
          dhcp_accept_default_route: <bool; default=False>

          # Enable or Shutdown the interface.
          enabled: <bool; default=True>

          # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
          speed: <str>

          # The peer device name. Used for description and documentation
          peer: <str>

          # The peer device interface. Used for description and documentation
          peer_interface: <str>

          # The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
          peer_ip: <str>

          # Configure IPv4 static routes pointing to `peer_ip`.
          static_routes: # >=1 items

              # IPv4_network/Mask
            - prefix: <str; required>

          # QOS service profile.
          qos_profile: <str>

          # The WAN Carrier this interface is connected to.
          # This is used to infer the path-groups in which this interface should be configured.
          wan_carrier: <str>

          # The WAN Circuit ID for this interface.
          # This is not rendered in the configuration but used for WAN designs.
          wan_circuit_id: <str>

          # For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders.
          connected_to_pathfinder: <bool; default=True>

          # EOS CLI rendered directly on the interface in the final EOS configuration.
          raw_eos_cli: <str>

          # Custom structured config for the Ethernet interface.
          structured_config: <dict>

  # Define variables per node.
  nodes:

      # The Node Name is used as "hostname".
    - name: <str; required; unique>

      # PREVIEW: This key is currently not supported

      # L3 Interfaces currently only use for WAN interfaces.
      l3_interfaces:

          # L3 interface profile name. Profile defined under `l3_interface_profiles`.
        - profile: <str>

          # Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
          # For a subinterface, the parent physical interface is automatically created.
          name: <str; required; unique>

          # Interface description.
          # If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
          description: <str>

          # Node IPv4 address/Mask or 'dhcp'.
          ip_address: <str>

          # For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
          encapsulation_dot1q_vlan: <int; 1-4094>

          # Accept a default route from DHCP if `ip_address` is set to `dhcp`.
          dhcp_accept_default_route: <bool; default=False>

          # Enable or Shutdown the interface.
          enabled: <bool; default=True>

          # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
          speed: <str>

          # The peer device name. Used for description and documentation
          peer: <str>

          # The peer device interface. Used for description and documentation
          peer_interface: <str>

          # The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
          peer_ip: <str>

          # Configure IPv4 static routes pointing to `peer_ip`.
          static_routes: # >=1 items

              # IPv4_network/Mask
            - prefix: <str; required>

          # QOS service profile.
          qos_profile: <str>

          # The WAN Carrier this interface is connected to.
          # This is used to infer the path-groups in which this interface should be configured.
          wan_carrier: <str>

          # The WAN Circuit ID for this interface.
          # This is not rendered in the configuration but used for WAN designs.
          wan_circuit_id: <str>

          # For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders.
          connected_to_pathfinder: <bool; default=True>

          # EOS CLI rendered directly on the interface in the final EOS configuration.
          raw_eos_cli: <str>

          # Custom structured config for the Ethernet interface.
          structured_config: <dict>

# PREVIEW: This key is currently not supported

# Profiles to inherit common settings for l3_interfaces defined under the node type key.
# These profiles will *not* work for `l3_interfaces` defined under `vrfs`.
l3_interface_profiles:

    # L3 interface profile name. Any variable supported under `l3_interfaces` can be inherited from a profile.
  - profile: <str; required; unique>

    # Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
    # For a subinterface, the parent physical interface is automatically created.
    name: <str>

    # Interface description.
    # If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
    description: <str>

    # Node IPv4 address/Mask or 'dhcp'.
    ip_address: <str>

    # For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
    encapsulation_dot1q_vlan: <int; 1-4094>

    # Accept a default route from DHCP if `ip_address` is set to `dhcp`.
    dhcp_accept_default_route: <bool; default=False>

    # Enable or Shutdown the interface.
    enabled: <bool; default=True>

    # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
    speed: <str>

    # The peer device name. Used for description and documentation
    peer: <str>

    # The peer device interface. Used for description and documentation
    peer_interface: <str>

    # The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
    peer_ip: <str>

    # Configure IPv4 static routes pointing to `peer_ip`.
    static_routes: # >=1 items

        # IPv4_network/Mask
      - prefix: <str; required>

    # QOS service profile.
    qos_profile: <str>

    # The WAN Carrier this interface is connected to.
    # This is used to infer the path-groups in which this interface should be configured.
    wan_carrier: <str>

    # The WAN Circuit ID for this interface.
    # This is not rendered in the configuration but used for WAN designs.
    wan_circuit_id: <str>

    # For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders.
    connected_to_pathfinder: <bool; default=True>

    # EOS CLI rendered directly on the interface in the final EOS configuration.
    raw_eos_cli: <str>

    # Custom structured config for the Ethernet interface.
    structured_config: <dict>

WAN Virtual topologies

Variable Type Required Default Value Restrictions Description
wan_virtual_topologies Dictionary PREVIEW: WAN Preview

Configure Virtual Topologies for CV Pathfinder and AutoVPN.

Auto create a control plane profile/policy/application and enforce it being first in the default VRF.
  vrfs List, items: Dictionary Map a VRF that exists in network_services to an AVT policy.
TODO: missing default VRF behavior
    - name String Required, Unique VRF name.
      policy String Name of the AVT policy to apply to this VRF.
  control_plane_virtual_topology Dictionary Always injected into the default VRF policy as the first entry.

By default, if no path-groups are specified, all locally available path-groups
are used in the generated load-balance policy.
ID is hardcoded to 254 for the AVT profile in CV Pathfinder mode.
    name String Optional name, if not set CONTROL-PLANE-PROFILE is used.
    traffic_class Integer Min: 0
Max: 7
Set traffic-class for matched traffic.
    dscp Integer Min: 0
Max: 63
Set DSCP for matched traffic.
    constraints Dictionary
      jitter Integer Min: 0
Max: 10000
Jitter requirement for this load balance policy in milliseconds.
      latency Integer Min: 0
Max: 10000
One way delay requirement for this load balance policy in milliseconds.
      loss_rate String Pattern: ^\d+(.\d{1,2})?$ Loss Rate requirement in percentage for this load balance policy.
Value between 0.00 and 100.00.
    path_groups List, items: Dictionary Min Length: 1
      - names List, items: String Required Min Length: 1 List of path-group names.
          - <str> String
        preference String preferred Valid values are 1-255
  policies List, items: Dictionary List of virtual toplogies policies.

For AutoVPN, each item in the list creates:
* one policy with:
* one match entry per application_virtual_topologies item
they are indexed using 10 * <list_index> where list_index starts at 1.
* one default-match
* one load-balance policy per application_virtual_topologies and one for the default_virtual_topology.
* if the policy is associated with the default VRF, a special control-plane rule is injected
in the policy with index 1 referring to a control-plane load-balance policy as defined under
control_plane_virtual_topology.


For CV Pathfinder, each item in the list creates:
* one policy with:
* one match entry per application_virtual_topologies item ordered as in the model.
* one last match entry for the default application-profile using default_virtual_topology information.
* one profile per application_virtual_topologies item.
* one profile for the default_virtual_topology..
* one load-balance policy per application_virtual_topologies.
* one load_balance policy for the default_virtual_topology.
* if the policy is associated with the default VRF, a special control-plane profile is configured
and injected first in the policy assigned to the default VRF. This profile points to a
control-plane load-balance policy as defined under control_plane_virtual_topology.
    - name String Required, Unique Name of the AVT policy.
      application_virtual_topologies List, items: Dictionary List of application specific virtual topologies.
        - application_profile String Required, Unique The application profile to use for this virtual topology. It must be a defined application_profile.
          name String Optional name, if not set <policy_name>-<application_profile> is used.
          id Integer Min: 2
Max: 253
ID of the AVT in each VRFs. ID must be unique across all virtual topologies in a policy.
ID 1 is reserved for the default_virtual_toplogy.
ID 254 is reserved for the control_plane_virtual_topology.
          traffic_class Integer Min: 0
Max: 7
Set traffic-class for matched traffic.
          dscp Integer Min: 0
Max: 63
Set DSCP for matched traffic.
          constraints Dictionary
            jitter Integer Min: 0
Max: 10000
Jitter requirement for this load balance policy in milliseconds.
            latency Integer Min: 0
Max: 10000
One way delay requirement for this load balance policy in milliseconds.
            loss_rate String Pattern: ^\d+(.\d{1,2})?$ Loss Rate requirement in percentage for this load balance policy.
Value between 0.00 and 100.00.
          path_groups List, items: Dictionary Min Length: 1
            - names List, items: String Required Min Length: 1 List of path-group names.
                - <str> String
              preference String preferred Valid values are 1-255
      default_virtual_topology Dictionary Required Default match for the policy.
If no default match should be configured, set drop_unmatched to true.
Otherwise, in CV Pathfinder mode, a default AVT profile will be configured with ID 1.
        name String Optional name, if not set <policy_name>-DEFAULT is used.
        drop_unmatched Boolean False When set, no catch-all match is configured for the policy and unmatched traffic is dropped.
        traffic_class Integer Min: 0
Max: 7
Set traffic-class for matched traffic.
        dscp Integer Min: 0
Max: 63
Set DSCP for matched traffic.
        constraints Dictionary
          jitter Integer Min: 0
Max: 10000
Jitter requirement for this load balance policy in milliseconds.
          latency Integer Min: 0
Max: 10000
One way delay requirement for this load balance policy in milliseconds.
          loss_rate String Pattern: ^\d+(.\d{1,2})?$ Loss Rate requirement in percentage for this load balance policy.
Value between 0.00 and 100.00.
        path_groups List, items: Dictionary Min Length: 1
          - names List, items: String Required Min Length: 1 List of path-group names.
              - <str> String
            preference String preferred Valid values are 1-255
# PREVIEW: WAN Preview

# Configure Virtual Topologies for CV Pathfinder and AutoVPN.

# Auto create a control plane profile/policy/application and enforce it being first in the default VRF.
wan_virtual_topologies:

  # Map a VRF that exists in network_services to an AVT policy.
  # TODO: missing default VRF behavior
  vrfs:

      # VRF name.
    - name: <str; required; unique>

      # Name of the AVT policy to apply to this VRF.
      policy: <str>

  # Always injected into the default VRF policy as the first entry.

  # By default, if no path-groups are specified, all locally available path-groups
  # are used in the generated load-balance policy.
  # ID is hardcoded to 254 for the AVT profile in CV Pathfinder mode.
  control_plane_virtual_topology:

    # Optional name, if not set `CONTROL-PLANE-PROFILE` is used.
    name: <str>

    # Set traffic-class for matched traffic.
    traffic_class: <int; 0-7>

    # Set DSCP for matched traffic.
    dscp: <int; 0-63>
    constraints:

      # Jitter requirement for this load balance policy in milliseconds.
      jitter: <int; 0-10000>

      # One way delay requirement for this load balance policy in milliseconds.
      latency: <int; 0-10000>

      # Loss Rate requirement in percentage for this load balance policy.
      # Value between 0.00 and 100.00.
      loss_rate: <str>
    path_groups: # >=1 items

        # List of path-group names.
      - names: # >=1 items; required
          - <str>

        # Valid values are 1-255 | preferred | alternate.

        # preferred is converted to priority 1.
        # alternate is converted to priority 2.
        preference: <str; default="preferred">

  # List of virtual toplogies policies.

  # For AutoVPN, each item in the list creates:
  #   * one policy with:
  #       * one `match` entry per `application_virtual_topologies` item
  #         they are indexed using `10 * <list_index>` where `list_index` starts at `1`.
  #       * one `default-match`
  #   * one load-balance policy per `application_virtual_topologies` and one for the `default_virtual_topology`.
  #   * if the policy is associated with the default VRF, a special control-plane rule is injected
  #     in the policy with index `1` referring to a control-plane load-balance policy as defined under
  #     `control_plane_virtual_topology`.


  # For CV Pathfinder, each item in the list creates:
  #   * one policy with:
  #       * one `match` entry per `application_virtual_topologies` item ordered as in the model.
  #       * one last match entry for the `default` application-profile using `default_virtual_topology` information.
  #   * one profile per `application_virtual_topologies` item.
  #   * one profile for the `default_virtual_topology`..
  #   * one load-balance policy per `application_virtual_topologies`.
  #   * one load_balance policy for the `default_virtual_topology`.
  #   * if the policy is associated with the default VRF, a special control-plane profile is configured
  #     and injected first in the policy assigned to the `default` VRF. This profile points to a
  #     control-plane load-balance policy as defined under `control_plane_virtual_topology`.
  policies:

      # Name of the AVT policy.
    - name: <str; required; unique>

      # List of application specific virtual topologies.
      application_virtual_topologies:

          # The application profile to use for this virtual topology. It must be a defined `application_profile`.
        - application_profile: <str; required; unique>

          # Optional name, if not set `<policy_name>-<application_profile>` is used.
          name: <str>

          # ID of the AVT in each VRFs. ID must be unique across all virtual topologies in a policy.
          # ID 1 is reserved for the default_virtual_toplogy.
          # ID 254 is reserved for the control_plane_virtual_topology.
          id: <int; 2-253>

          # Set traffic-class for matched traffic.
          traffic_class: <int; 0-7>

          # Set DSCP for matched traffic.
          dscp: <int; 0-63>
          constraints:

            # Jitter requirement for this load balance policy in milliseconds.
            jitter: <int; 0-10000>

            # One way delay requirement for this load balance policy in milliseconds.
            latency: <int; 0-10000>

            # Loss Rate requirement in percentage for this load balance policy.
            # Value between 0.00 and 100.00.
            loss_rate: <str>
          path_groups: # >=1 items

              # List of path-group names.
            - names: # >=1 items; required
                - <str>

              # Valid values are 1-255 | preferred | alternate.

              # preferred is converted to priority 1.
              # alternate is converted to priority 2.
              preference: <str; default="preferred">

      # Default match for the policy.
      # If no default match should be configured, set `drop_unmatched` to `true`.
      # Otherwise, in CV Pathfinder mode, a default AVT profile will be configured with ID 1.
      default_virtual_topology: # required

        # Optional name, if not set `<policy_name>-DEFAULT` is used.
        name: <str>

        # When set, no `catch-all` match is configured for the policy and unmatched traffic is dropped.
        drop_unmatched: <bool; default=False>

        # Set traffic-class for matched traffic.
        traffic_class: <int; 0-7>

        # Set DSCP for matched traffic.
        dscp: <int; 0-63>
        constraints:

          # Jitter requirement for this load balance policy in milliseconds.
          jitter: <int; 0-10000>

          # One way delay requirement for this load balance policy in milliseconds.
          latency: <int; 0-10000>

          # Loss Rate requirement in percentage for this load balance policy.
          # Value between 0.00 and 100.00.
          loss_rate: <str>
        path_groups: # >=1 items

            # List of path-group names.
          - names: # >=1 items; required
              - <str>

            # Valid values are 1-255 | preferred | alternate.

            # preferred is converted to priority 1.
            # alternate is converted to priority 2.
            preference: <str; default="preferred">

Application Classification

Variable Type Required Default Value Restrictions Description
application_classification Dictionary PREVIEW: WAN Preview
  categories List, items: Dictionary List of categories.
    - name String Required, Unique Category name.
      applications List, items: Dictionary List of applications.
        - name String Application name.
          service String Valid Values:
- audio-video
- chat
- default
- file-transfer
- networking-protocols
- peer-to-peer
- software-update
Service Name.
Specific service to target for this application.
If no service is specified, all supported services of the application are matched.
Not all valid values are valid for all applications, check on EOS CLI.
  field_sets Dictionary
    l4_ports List, items: Dictionary L4 port field-set.
      - name String Required, Unique L4 port field-set name.
        port_values List, items: String
          - <str> String Port values or range of port values.
Port values are between 0 and 65535.
    ipv4_prefixes List, items: Dictionary IPv4 prefix field set.
      - name String Required, Unique IPv4 prefix field-set name.
        prefix_values List, items: String
          - <str> String IP prefix (ex 1.2.3.0/24).
  applications Dictionary
    ipv4_applications List, items: Dictionary List of user defined IPv4 applications.
      - name String Required, Unique Application name.
        src_prefix_set_name String Source prefix set name.
        dest_prefix_set_name String Destination prefix set name.
        protocols List, items: String List of protocols to consider for this application.

To use port field-sets (source, destination or both), the list
must contain only one or two protocols, either tcp or udp.
When using both protocols, one line is rendered for each in the configuration,
hence the field-sets must have the same value for tcp_src_port_set_name and
udp_src_port_set_name and for tcp_dest_port_set_name and udp_dest_port_set_name
if set in order to generate valid configuration in EOS.
          - <str> String Valid Values:
- ahp
- esp
- icmp
- igmp
- ospf
- pim
- rsvp
- tcp
- udp
- vrrp
        protocol_ranges List, items: String Acccept protocol value(s) or range(s).
Protocol values can be between 1 and 255.
          - <str> String
        udp_src_port_set_name String Name of field set for UDP source ports.

When the protocols list contain both tcp and udp, this key value
must be the same as tcp_src_port_set_name.
        tcp_src_port_set_name String Name of field set for TCP source ports.

When the protocols list contain both tcp and udp, this key value
must be the same as udp_src_port_set_name.
        udp_dest_port_set_name String Name of field set for UDP destination ports.

When the protocols list contain both tcp and udp, this key value
must be the same as tcp_dest_port_set_name.
        tcp_dest_port_set_name String Name of field set for TCP destination ports.

When the protocols list contain both tcp and udp, this key value
must be the same as udp_dest_port_set_name.
  application_profiles List, items: Dictionary Group of applications.
    - name String Application Profile name.
      applications List, items: Dictionary List of applications part of the application profile.
        - name String Application Name.
          service String Valid Values:
- audio-video
- chat
- default
- file-transfer
- networking-protocols
- peer-to-peer
- software-update
Service Name.
Specific service to target for this application.
If no service is specified, all supported services of the application are matched.
Not all valid values are valid for all applications, check on EOS CLI.
      application_transports List, items: String List of transport protocols.
        - <str> String Valid Values:
- http
- https
- udp
- tcp
- ip
- ip6
- ssl
- rtp
- sctp
- quic
Transport name.
      categories List, items: Dictionary Categories under this application profile.
        - name String Name of a category.
          service String Valid Values:
- audio-video
- chat
- default
- file-transfer
- networking-protocols
- peer-to-peer
- software-update
Service Name.
Specific service to target for this application.
If no service is specified, all supported services of the application are matched.
Not all valid values are valid for all applications, check on EOS CLI.
# PREVIEW: WAN Preview
application_classification:

  # List of categories.
  categories:

      # Category name.
    - name: <str; required; unique>

      # List of applications.
      applications:

          # Application name.
        - name: <str>

          # Service Name.
          # Specific service to target for this application.
          # If no service is specified, all supported services of the application are matched.
          # Not all valid values are valid for all applications, check on EOS CLI.
          service: <str; "audio-video" | "chat" | "default" | "file-transfer" | "networking-protocols" | "peer-to-peer" | "software-update">
  field_sets:

    # L4 port field-set.
    l4_ports:

        # L4 port field-set name.
      - name: <str; required; unique>
        port_values:

            # Port values or range of port values.
            # Port values are between 0 and 65535.
          - <str>

    # IPv4 prefix field set.
    ipv4_prefixes:

        # IPv4 prefix field-set name.
      - name: <str; required; unique>
        prefix_values:

            # IP prefix (ex 1.2.3.0/24).
          - <str>
  applications:

    # List of user defined IPv4 applications.
    ipv4_applications:

        # Application name.
      - name: <str; required; unique>

        # Source prefix set name.
        src_prefix_set_name: <str>

        # Destination prefix set name.
        dest_prefix_set_name: <str>

        # List of protocols to consider for this application.

        # To use port field-sets (source, destination or both), the list
        # must contain only one or two protocols, either `tcp` or `udp`.
        # When using both protocols, one line is rendered for each in the configuration,
        # hence the field-sets must have the same value for `tcp_src_port_set_name` and
        # `udp_src_port_set_name` and for `tcp_dest_port_set_name` and `udp_dest_port_set_name`
        # if set in order to generate valid configuration in EOS.
        protocols:
          - <str; "ahp" | "esp" | "icmp" | "igmp" | "ospf" | "pim" | "rsvp" | "tcp" | "udp" | "vrrp">

        # Acccept protocol value(s) or range(s).
        # Protocol values can be between 1 and 255.
        protocol_ranges:
          - <str>

        # Name of field set for UDP source ports.

        # When the `protocols` list contain both `tcp` and `udp`, this key value
        # must be the same as `tcp_src_port_set_name`.
        udp_src_port_set_name: <str>

        # Name of field set for TCP source ports.

        # When the `protocols` list contain both `tcp` and `udp`, this key value
        # must be the same as `udp_src_port_set_name`.
        tcp_src_port_set_name: <str>

        # Name of field set for UDP destination ports.

        # When the `protocols` list contain both `tcp` and `udp`, this key value
        # must be the same as `tcp_dest_port_set_name`.
        udp_dest_port_set_name: <str>

        # Name of field set for TCP destination ports.

        # When the `protocols` list contain both `tcp` and `udp`, this key value
        # must be the same as `udp_dest_port_set_name`.
        tcp_dest_port_set_name: <str>

  # Group of applications.
  application_profiles:

      # Application Profile name.
    - name: <str>

      # List of applications part of the application profile.
      applications:

          # Application Name.
        - name: <str>

          # Service Name.
          # Specific service to target for this application.
          # If no service is specified, all supported services of the application are matched.
          # Not all valid values are valid for all applications, check on EOS CLI.
          service: <str; "audio-video" | "chat" | "default" | "file-transfer" | "networking-protocols" | "peer-to-peer" | "software-update">

      # List of transport protocols.
      application_transports:

          # Transport name.
        - <str; "http" | "https" | "udp" | "tcp" | "ip" | "ip6" | "ssl" | "rtp" | "sctp" | "quic">

      # Categories under this application profile.
      categories:

          # Name of a category.
        - name: <str>

          # Service Name.
          # Specific service to target for this application.
          # If no service is specified, all supported services of the application are matched.
          # Not all valid values are valid for all applications, check on EOS CLI.
          service: <str; "audio-video" | "chat" | "default" | "file-transfer" | "networking-protocols" | "peer-to-peer" | "software-update">

New BGP peer-group

Variable Type Required Default Value Restrictions Description
bgp_peer_groups Dictionary Leverage an Arista EOS switch to generate the encrypted password using the correct peer group name.
Note that the name of the peer groups use ‘-’ instead of ‘_’ in EOS configuration.
  wan_overlay_peers Dictionary PREVIEW: This key is currently not supported
    name String WAN-OVERLAY-PEERS Name of peer group.
    password String Type 7 encrypted password.
    bfd Boolean False
    listen_range_prefixes List, items: String Only used for nodes where wan_role is server like AutoVPN RRs and Pathfinders.
For clients, AVD will raise an error if the Loopback0 IP is not in any listen range.
      - <str> String The prefixes to use in listen_range.
    structured_config Dictionary Custom structured config added under router_bgp.peer_groups.[name=] for eos_cli_config_gen.
  wan_rr_overlay_peers Dictionary PREVIEW: This key is currently not supported
Configuration options for the peer-group created to peer between
AutoVPN RRs or CV-Pathfinders.
    name String WAN-RR-OVERLAY-PEERS Name of peer group.
    password String Type 7 encrypted password.
    bfd Boolean True
    structured_config Dictionary Custom structured config added under router_bgp.peer_groups.[name=] for eos_cli_config_gen.
# Leverage an Arista EOS switch to generate the encrypted password using the correct peer group name.
# Note that the name of the peer groups use '-' instead of '_' in EOS configuration.
bgp_peer_groups:

  # PREVIEW: This key is currently not supported
  wan_overlay_peers:

    # Name of peer group.
    name: <str; default="WAN-OVERLAY-PEERS">

    # Type 7 encrypted password.
    password: <str>
    bfd: <bool; default=False>

    # Only used for nodes where `wan_role` is `server` like AutoVPN RRs and Pathfinders.
    # For clients, AVD will raise an error if the Loopback0 IP is not in any listen range.
    listen_range_prefixes:

        # The prefixes to use in listen_range.
      - <str>

    # Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen.
    structured_config: <dict>

  # PREVIEW: This key is currently not supported
  # Configuration options for the peer-group created to peer between
  # AutoVPN RRs or CV-Pathfinders.
  wan_rr_overlay_peers:

    # Name of peer group.
    name: <str; default="WAN-RR-OVERLAY-PEERS">

    # Type 7 encrypted password.
    password: <str>
    bfd: <bool; default=True>

    # Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen.
    structured_config: <dict>

New node keys

Variable Type Required Default Value Restrictions Description
<node_type_keys.key> Dictionary
  defaults Dictionary Define variables for all nodes of this type.
    wan_role String Valid Values:
- client
- server
PREVIEW: This key is currently not supported
Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if wan_mode root key is set to autovpn or cv-pathfinder.
server indicates that the router is a route-reflector.

Only supported if overlay_routing_protocol is set to ibgp.
    cv_pathfinder_role String Valid Values:
- edge
- transit region
- pathfinder
PREVIEW: This key is currently not supported
Override the default CV Pathfinder role.

This key is used for Pathfinder designs only when the wan_mode root
key is set to cv_pathfinder.

pathfinder is only a valid if wan_role is server.
edge and transit region are only valid if wan_role is client.
    cv_pathfinder_region String PREVIEW: This key is currently not supported

The CV Pathfinder region name.
    cv_pathfinder_site String PREVIEW: This key is currently not supported

The CV Pathfinder site name.
    dps_mss_ipv4 String auto PREVIEW: This key is currently not supported

IPv4 MSS value configured under “router path-selection” on WAN Devices.
  node_groups List, items: Dictionary Define variables related to all nodes part of this group.
    - group String Required, Unique The Node Group Name is used for MLAG domain unless set with ‘mlag_domain_id’.
The Node Group Name is also used for peer description on downstream switches’ uplinks.
      nodes List, items: Dictionary Define variables per node.
        - name String Required, Unique The Node Name is used as “hostname”.
          wan_role String Valid Values:
- client
- server
PREVIEW: This key is currently not supported
Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if wan_mode root key is set to autovpn or cv-pathfinder.
server indicates that the router is a route-reflector.

Only supported if overlay_routing_protocol is set to ibgp.
          cv_pathfinder_role String Valid Values:
- edge
- transit region
- pathfinder
PREVIEW: This key is currently not supported
Override the default CV Pathfinder role.

This key is used for Pathfinder designs only when the wan_mode root
key is set to cv_pathfinder.

pathfinder is only a valid if wan_role is server.
edge and transit region are only valid if wan_role is client.
          cv_pathfinder_region String PREVIEW: This key is currently not supported

The CV Pathfinder region name.
          cv_pathfinder_site String PREVIEW: This key is currently not supported

The CV Pathfinder site name.
          dps_mss_ipv4 String auto PREVIEW: This key is currently not supported

IPv4 MSS value configured under “router path-selection” on WAN Devices.
      wan_role String Valid Values:
- client
- server
PREVIEW: This key is currently not supported
Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if wan_mode root key is set to autovpn or cv-pathfinder.
server indicates that the router is a route-reflector.

Only supported if overlay_routing_protocol is set to ibgp.
      cv_pathfinder_role String Valid Values:
- edge
- transit region
- pathfinder
PREVIEW: This key is currently not supported
Override the default CV Pathfinder role.

This key is used for Pathfinder designs only when the wan_mode root
key is set to cv_pathfinder.

pathfinder is only a valid if wan_role is server.
edge and transit region are only valid if wan_role is client.
      cv_pathfinder_region String PREVIEW: This key is currently not supported

The CV Pathfinder region name.
      cv_pathfinder_site String PREVIEW: This key is currently not supported

The CV Pathfinder site name.
      dps_mss_ipv4 String auto PREVIEW: This key is currently not supported

IPv4 MSS value configured under “router path-selection” on WAN Devices.
  nodes List, items: Dictionary Define variables per node.
    - name String Required, Unique The Node Name is used as “hostname”.
      wan_role String Valid Values:
- client
- server
PREVIEW: This key is currently not supported
Override the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if wan_mode root key is set to autovpn or cv-pathfinder.
server indicates that the router is a route-reflector.

Only supported if overlay_routing_protocol is set to ibgp.
      cv_pathfinder_role String Valid Values:
- edge
- transit region
- pathfinder
PREVIEW: This key is currently not supported
Override the default CV Pathfinder role.

This key is used for Pathfinder designs only when the wan_mode root
key is set to cv_pathfinder.

pathfinder is only a valid if wan_role is server.
edge and transit region are only valid if wan_role is client.
      cv_pathfinder_region String PREVIEW: This key is currently not supported

The CV Pathfinder region name.
      cv_pathfinder_site String PREVIEW: This key is currently not supported

The CV Pathfinder site name.
      dps_mss_ipv4 String auto PREVIEW: This key is currently not supported

IPv4 MSS value configured under “router path-selection” on WAN Devices.
<node_type_keys.key>:

  # Define variables for all nodes of this type.
  defaults:

    # PREVIEW: This key is currently not supported
    # Override the default WAN role.

    # This is used both for AutoVPN and Pathfinder designs.
    # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
    # `server` indicates that the router is a route-reflector.

    # Only supported if `overlay_routing_protocol` is set to `ibgp`.
    wan_role: <str; "client" | "server">

    # PREVIEW: This key is currently not supported
    # Override the default CV Pathfinder role.

    # This key is used for Pathfinder designs only when the `wan_mode` root
    # key is set to `cv_pathfinder`.

    # `pathfinder` is only a valid if `wan_role` is `server`.
    # `edge` and `transit region` are only valid if `wan_role` is `client`.
    cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">

    # PREVIEW: This key is currently not supported

    # The CV Pathfinder region name.
    cv_pathfinder_region: <str>

    # PREVIEW: This key is currently not supported

    # The CV Pathfinder site name.
    cv_pathfinder_site: <str>

    # PREVIEW: This key is currently not supported

    # IPv4 MSS value configured under "router path-selection" on WAN Devices.
    dps_mss_ipv4: <str; default="auto">

  # Define variables related to all nodes part of this group.
  node_groups:

      # The Node Group Name is used for MLAG domain unless set with 'mlag_domain_id'.
      # The Node Group Name is also used for peer description on downstream switches' uplinks.
    - group: <str; required; unique>

      # Define variables per node.
      nodes:

          # The Node Name is used as "hostname".
        - name: <str; required; unique>

          # PREVIEW: This key is currently not supported
          # Override the default WAN role.

          # This is used both for AutoVPN and Pathfinder designs.
          # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
          # `server` indicates that the router is a route-reflector.

          # Only supported if `overlay_routing_protocol` is set to `ibgp`.
          wan_role: <str; "client" | "server">

          # PREVIEW: This key is currently not supported
          # Override the default CV Pathfinder role.

          # This key is used for Pathfinder designs only when the `wan_mode` root
          # key is set to `cv_pathfinder`.

          # `pathfinder` is only a valid if `wan_role` is `server`.
          # `edge` and `transit region` are only valid if `wan_role` is `client`.
          cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">

          # PREVIEW: This key is currently not supported

          # The CV Pathfinder region name.
          cv_pathfinder_region: <str>

          # PREVIEW: This key is currently not supported

          # The CV Pathfinder site name.
          cv_pathfinder_site: <str>

          # PREVIEW: This key is currently not supported

          # IPv4 MSS value configured under "router path-selection" on WAN Devices.
          dps_mss_ipv4: <str; default="auto">

      # PREVIEW: This key is currently not supported
      # Override the default WAN role.

      # This is used both for AutoVPN and Pathfinder designs.
      # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
      # `server` indicates that the router is a route-reflector.

      # Only supported if `overlay_routing_protocol` is set to `ibgp`.
      wan_role: <str; "client" | "server">

      # PREVIEW: This key is currently not supported
      # Override the default CV Pathfinder role.

      # This key is used for Pathfinder designs only when the `wan_mode` root
      # key is set to `cv_pathfinder`.

      # `pathfinder` is only a valid if `wan_role` is `server`.
      # `edge` and `transit region` are only valid if `wan_role` is `client`.
      cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">

      # PREVIEW: This key is currently not supported

      # The CV Pathfinder region name.
      cv_pathfinder_region: <str>

      # PREVIEW: This key is currently not supported

      # The CV Pathfinder site name.
      cv_pathfinder_site: <str>

      # PREVIEW: This key is currently not supported

      # IPv4 MSS value configured under "router path-selection" on WAN Devices.
      dps_mss_ipv4: <str; default="auto">

  # Define variables per node.
  nodes:

      # The Node Name is used as "hostname".
    - name: <str; required; unique>

      # PREVIEW: This key is currently not supported
      # Override the default WAN role.

      # This is used both for AutoVPN and Pathfinder designs.
      # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
      # `server` indicates that the router is a route-reflector.

      # Only supported if `overlay_routing_protocol` is set to `ibgp`.
      wan_role: <str; "client" | "server">

      # PREVIEW: This key is currently not supported
      # Override the default CV Pathfinder role.

      # This key is used for Pathfinder designs only when the `wan_mode` root
      # key is set to `cv_pathfinder`.

      # `pathfinder` is only a valid if `wan_role` is `server`.
      # `edge` and `transit region` are only valid if `wan_role` is `client`.
      cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">

      # PREVIEW: This key is currently not supported

      # The CV Pathfinder region name.
      cv_pathfinder_region: <str>

      # PREVIEW: This key is currently not supported

      # The CV Pathfinder site name.
      cv_pathfinder_site: <str>

      # PREVIEW: This key is currently not supported

      # IPv4 MSS value configured under "router path-selection" on WAN Devices.
      dps_mss_ipv4: <str; default="auto">

New node type keys

Variable Type Required Default Value Restrictions Description
node_type_keys List, items: Dictionary Define Node Type Keys, to specify the properties of each node type in the fabric.
This allows for complete customization of the fabric layout and functionality.
node_type_keys should be defined in top level group_var for the fabric.
The default values will be overridden if defining this key, so it is recommended to copy the defaults and modify them.
  - key String Required, Unique
    default_wan_role String Valid Values:
- client
- server
PREVIEW: This key is currently not supported
Set the default WAN role.

This is used both for AutoVPN and Pathfinder designs.
That means if wan_mode root key is set to autovpn or cv-pathfinder.
server indicates that the router is a route-reflector.

Only supported if overlay_routing_protocol is set to ibgp.
    default_cv_pathfinder_role String Valid Values:
- edge
- transit region
- pathfinder
PREVIEW: This key is currently not supported
Set the default CV Pathfinder role.

This key is used for Pathfinder designs only when the wan_mode root
key is set to cv-pathfinder.

pathfinder is only a valid if wan_role is server.
edge and transit are only valid if wan_role is client.
# Define Node Type Keys, to specify the properties of each node type in the fabric.
# This allows for complete customization of the fabric layout and functionality.
# `node_type_keys` should be defined in top level group_var for the fabric.
# The default values will be overridden if defining this key, so it is recommended to copy the defaults and modify them.
node_type_keys:
  - key: <str; required; unique>

    # PREVIEW: This key is currently not supported
    # Set the default WAN role.

    # This is used both for AutoVPN and Pathfinder designs.
    # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
    # `server` indicates that the router is a route-reflector.

    # Only supported if `overlay_routing_protocol` is set to `ibgp`.
    default_wan_role: <str; "client" | "server">

    # PREVIEW: This key is currently not supported
    # Set the default CV Pathfinder role.

    # This key is used for Pathfinder designs only when the `wan_mode` root
    # key is set to `cv-pathfinder`.

    # `pathfinder` is only a valid if `wan_role` is `server`.
    # `edge` and `transit` are only valid if `wan_role` is `client`.
    default_cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">

CloudVision Tags

arista.avd.eos_designs will generate CloudVision Tags that assist CloudVision with visualizing the WAN.

Device Tags

Tag Name Source of information
Region cv_pathfinder_region if cv_pathfinder_role is set but not pathfinder
Zone DEFAULT-ZONE if cv_pathfinder_role is set but not pathfinder
Site cv_pathfinder_site if cv_pathfinder_role is set but not pathfinder
PathfinderSet name of node_group or default PATHFINDERS if cv_pathfinder_role is pathfinder
Role cv_pathfinder_role if set

Interface Tags

Hint Tag Name Source of information
Type lan or wan if cv_pathfinder_role is set
Carrier wan_carrier if cv_pathfinder_role is set and this is a WAN interface
Circuit wan_circiot_id if cv_pathfinder_role is set and this is a LAN interface

Getting started with WAN

Global settings

TODO - cover here WAN hierarchy, wan mode, route-servers, path-groups and carriers and how they are linked together.

WAN interfaces

TODO

Defining policies

TODO