WAN preview
Warning
The integration of WAN designs to the `eos_designs` role is in preview mode.
Everything is subject to change, is not supported and may not be complete.
If you have any questions, please leverage the GitHub discussions board.
Overview
The intention is to support both a single AutoVPN design and CV Pathfinder.
Design points
- The intent is to be able to support having the different WAN participating devices in different inventories.
- Only iBGP is supported as an `overlay_routing_protocol`.
- On the AutoVPN Route Reflectors and Pathfinders, a listen range statement is used for BGP to allow for the first point above.
- The default VRF is being configured by default on all WAN devices with a `vni_id` of 1. To override this, it is necessary to configure the `default` VRF in a tenant in `network_services`.
- When configuring HA on a site, the path-group ID `65535` is reserved for the path-group called `LAN_HA`.
- The policies definition works as follows:
  - The policies are defined under `wan_virtual_topologies.policies`. For AutoVPN mode, the policies are configured under `router path-selection`; for CV Pathfinder, they are configured under `router adaptive-virtual-topology`.
  - A policy is composed of a list of `application_virtual_topologies` and one `default_virtual_topology`.
  - The `application_virtual_topologies` entries and the `default_virtual_topology` key are used to create the policy match statement, the AVT profile (when `wan_mode` is CV Pathfinder) and the load balancing policy.
  - The `default_virtual_topology` is used as the default match in the policy. To prevent configuring it, the `drop_unmatched` boolean must be set to `true`; otherwise, at least one `path-group` must be configured or AVD will raise an error.
  - Policies are assigned to VRFs using the list `wan_virtual_topologies.vrfs`. A policy can be reused in multiple VRFs.
  - If no policy is assigned to the `default` VRF, AVD auto-generates one with one `default_virtual_topology` entry configured to use all available local path-groups.
  - For the policy defined for VRF `default` (or the auto-generated one), an extra match statement is injected in the policy to match the traffic towards the Pathfinders or AutoVPN RRs. The name of the application-profile is hardcoded as `CONTROL-PLANE-APPLICATION-PROFILE`. A special policy is created by appending `-WITH-CP` at the end of the targeted policy name.
Known limitations
- Zones are not configurable for CV Pathfinder. All sites are being configured in a default zone `DEFAULT-ZONE` with ID `1`.
- Because of the previous point, in `eos_designs`, the `transit` node type is always configured as `transit region`.
- For `cv-pathfinder` mode, the following flow-tracking configuration is applied without any customization possible:
- No IPv6 support
- For WAN interfaces, NAT IP on the Pathfinder side can be supported using the `wan_route_servers.path_groups.interfaces` key.
- Path-group ID is currently required under `wan_path_groups` until an algorithm is implemented to auto generate IDs.
Future work
- As of now, only the foundations of the `eos_designs` functionality for WAN are being introduced, without any support for LAN interfaces.
- Auto generation of Path-group IDs and other IDs.
- HA for sites will be covered in a future PR
eos_cli_config_gen support
The `eos_cli_config_gen` schema should support all of the required keys to configure a WAN network, whether AutoVPN or Pathfinder. If you find any missing functionality, please open an issue on GitHub.
Input variables
Warning
All the keys in this section marked as PREVIEW or children of a key marked as PREVIEW are subject to change and are not supported.
New node types in L3LS eos_designs
- `wan_edge`: Edge routers for AutoVPN or Pathfinder depending on the `wan_mode` value.
- `wan_transit`: Transit routers in Pathfinder context, not supported for AutoVPN.
- `wan_rr`: AutoVPN RR or Pathfinder depending on the `wan_mode` value.
The following table indicates the settings:
Node Type Key | Underlay Router | Uplink Type | Default EVPN Role | L2 Network Services | L3 Network Services | VTEP | MLAG Support | Connected Endpoints | Default WAN Role | Default CV Pathfinder Role |
---|---|---|---|---|---|---|---|---|---|---|
wan_rr | ✅ | p2p | server | ✘ | ✅ | ✅ | ✘ | ✘ | server | pathfinder |
wan_edge | ✅ | p2p | client | ✘ | ✅ | ✅ | ✘ | ✘ | client | edge |
wan_transit | ✅ | p2p | client | ✘ | ✅ | ✅ | ✘ | ✘ | client | transit region |
All these node types are defined with `default_underlay_routing_protocol: none` and `default_overlay_routing_protocol: ibgp`.
WAN Settings
Top level keys
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
wan_ipsec_profiles | Dictionary | | | | PREVIEW: This key is currently not supported. Define IPsec profiles parameters for WAN configuration. |
control_plane | Dictionary | Required | | | PREVIEW: This key is currently not supported |
ike_policy_name | String | | CP-IKE-POLICY | | Name of the IKE policy. |
sa_policy_name | String | | CP-SA-POLICY | | Name of the SA policy. |
profile_name | String | | CP-PROFILE | | Name of the IPSec profile. |
shared_key | String | Required | | | The IPSec shared key. This variable is sensitive and SHOULD be configured using some vault mechanism. |
data_plane | Dictionary | | | | If `data_plane` is not defined, `control_plane` information is used for both. |
ike_policy_name | String | | DP-IKE-POLICY | | Name of the IKE policy. |
sa_policy_name | String | | DP-SA-POLICY | | Name of the SA policy. |
profile_name | String | | DP-PROFILE | | Name of the IPSec profile. |
shared_key | String | Required | | | The type 7 encrypted IPSec shared key. This variable is sensitive and should be configured using some vault mechanism. |
wan_mode | String | | cv-pathfinder | Valid Values: autovpn, cv-pathfinder | PREVIEW: This key is currently not supported. Select if the WAN should be run using CV Pathfinder or Auto VPN only. |
wan_route_servers | List, items: Dictionary | | | | PREVIEW: This key is currently not supported. List of the AutoVPN RRs when using `wan_mode`=`autovpn`, or the Pathfinders when using `wan_mode`=`cv-pathfinder`, to which the device should connect. When the route server is part of the same inventory as the WAN routers, only the name is required. |
- hostname | String | Required, Unique | | | Route-Reflector hostname. |
vtep_ip | String | | | | Route-Reflector VTEP IP Address. This is usually the IP address under `interface Dps1`. |
path_groups | List, items: Dictionary | | | | Path-groups through which the Route Reflector/Pathfinder is reached. |
- name | String | Required, Unique | | | Path-group name. |
interfaces | List, items: Dictionary | Required | | Min Length: 1 | |
- name | String | Required, Unique | | | Interface name. |
ip_address | String | | | | The public IP address of the Route Reflector for this path-group. |
# PREVIEW: This key is currently not supported
# Define IPsec profiles parameters for WAN configuration.
wan_ipsec_profiles:
  # PREVIEW: This key is currently not supported
  control_plane: # required
    # Name of the IKE policy.
    ike_policy_name: <str; default="CP-IKE-POLICY">
    # Name of the SA policy.
    sa_policy_name: <str; default="CP-SA-POLICY">
    # Name of the IPSec profile.
    profile_name: <str; default="CP-PROFILE">
    # The IPSec shared key.
    # This variable is sensitive and SHOULD be configured using some vault mechanism.
    shared_key: <str; required>
  # If `data_plane` is not defined, `control_plane` information is used for both.
  data_plane:
    # Name of the IKE policy.
    ike_policy_name: <str; default="DP-IKE-POLICY">
    # Name of the SA policy.
    sa_policy_name: <str; default="DP-SA-POLICY">
    # Name of the IPSec profile.
    profile_name: <str; default="DP-PROFILE">
    # The type 7 encrypted IPSec shared key.
    # This variable is sensitive and should be configured using some vault mechanism.
    shared_key: <str; required>
# PREVIEW: This key is currently not supported
# Select if the WAN should be run using CV Pathfinder or Auto VPN only.
wan_mode: <str; "autovpn" | "cv-pathfinder"; default="cv-pathfinder">
# PREVIEW: This key is currently not supported
# List of the AutoVPN RRs when using `wan_mode`=`autovpn`, or the Pathfinders
# when using `wan_mode`=`cv-pathfinder`, to which the device should connect.
# When the route server is part of the same inventory as the WAN routers,
# only the name is required.
wan_route_servers:
    # Route-Reflector hostname.
  - hostname: <str; required; unique>
    # Route-Reflector VTEP IP Address. This is usually the IP address under `interface Dps1`.
    vtep_ip: <str>
    # Path-groups through which the Route Reflector/Pathfinder is reached.
    path_groups:
        # Path-group name.
      - name: <str; required; unique>
        interfaces: # >=1 items; required
            # Interface name.
          - name: <str; required; unique>
            # The public IP address of the Route Reflector for this path-group.
            ip_address: <str>
WAN path-groups
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
wan_path_groups | List, items: Dictionary | | | | PREVIEW: This key is currently not supported. List of path-groups used for the WAN configuration. |
- name | String | Required, Unique | | | Path-group name. |
id | Integer | Required | | | Path-group id. TODO: Required until an auto ID algorithm is implemented. |
description | String | | | | Additional information about the path-group for documentation purposes. |
ipsec | Boolean | | True | | Flag to configure IPsec at the path-group level. When set to `true`, IPsec is enabled for both the static and dynamic peers. |
import_path_groups | List, items: Dictionary | | | | List of path-groups to import in this path-group. |
- remote | String | | | | Remote path-group to import. |
local | String | | | | Optional, if not set, the path-group `name` is used as local. |
# PREVIEW: This key is currently not supported
# List of path-groups used for the WAN configuration.
wan_path_groups:
    # Path-group name.
  - name: <str; required; unique>
    # Path-group id.
    # TODO: Required until an auto ID algorithm is implemented.
    id: <int; required>
    # Additional information about the path-group for documentation purposes.
    description: <str>
    # Flag to configure IPsec at the path-group level.
    # When set to `true`, IPsec is enabled for both the static and dynamic peers.
    ipsec: <bool; default=True>
    # List of path-groups to import in this path-group.
    import_path_groups:
        # Remote path-group to import.
      - remote: <str>
        # Optional, if not set, the path-group `name` is used as local.
        local: <str>
WAN carriers
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
wan_carriers | List, items: Dictionary | | | | PREVIEW: This key is currently not supported. List of carriers used for the WAN configuration and their mapping to path-groups. |
- name | String | Required, Unique | | | Carrier name. |
description | String | | | | Additional information about the carrier for documentation purposes. |
path_group | String | Required | | | The path-group to which this carrier belongs. |
# PREVIEW: This key is currently not supported
# List of carriers used for the WAN configuration and their mapping to path-groups.
wan_carriers:
    # Carrier name.
  - name: <str; required; unique>
    # Additional information about the carrier for documentation purposes.
    description: <str>
    # The path-group to which this carrier belongs.
    path_group: <str; required>
WAN hierarchy
Note
This section is only relevant for CV Pathfinder and not for AutoVPN.
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
cv_pathfinder_regions | List, items: Dictionary | | | | PREVIEW: This key is currently not supported. Define the SDWAN hierarchy for the device. |
- description | String | | | | |
id | Integer | Required | | Min: 1 Max: 255 | The region ID must be unique for the whole WAN deployment. |
sites | List, items: Dictionary | | | | All sites are placed in a default zone called DEFAULT-ZONE with ID 1. |
- description | String | | | | |
id | Integer | Required | | Min: 1 Max: 10000 | The site ID must be unique within a zone. Given that all the sites are placed in the DEFAULT-ZONE, the site ID must be unique within a region. |
location | String | | | | Will be interpreted |
site_contact | String | | | | |
site_after_hours_contact | String | | | | |
name | String | Required, Unique | | | |
name | String | Required, Unique | | | |
# PREVIEW: This key is currently not supported
# Define the SDWAN hierarchy for the device.
cv_pathfinder_regions:
  - description: <str>
    # The region ID must be unique for the whole WAN deployment.
    id: <int; 1-255; required>
    # All sites are placed in a default zone called DEFAULT-ZONE with ID 1.
    sites:
      - description: <str>
        # The site ID must be unique within a zone.
        # Given that all the sites are placed in the DEFAULT-ZONE, the site ID must be unique within a region.
        id: <int; 1-10000; required>
        # Will be interpreted
        location: <str>
        site_contact: <str>
        site_after_hours_contact: <str>
        name: <str; required; unique>
    name: <str; required; unique>
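The constraints stated so far (valid `wan_mode` values, a vaulted `shared_key`, path-group ID `65535` reserved for `LAN_HA`, region and site ID ranges and uniqueness) can be checked before AVD runs. The following is an added example, not AVD code: `lint_wan_inputs`, the sample inventory, the acceptance of Jinja references as "vaulted", and the rule that a carrier's `path_group` must name a defined path-group are assumptions made here.

```python
"""Pre-flight lint for AVD WAN preview inputs (added example, not AVD code)."""
import re

RESERVED_HA_PATH_GROUP_ID = 65535  # reserved for the LAN_HA path-group
VAULT_HEADER = "$ANSIBLE_VAULT;"   # start of an Ansible Vault payload
JINJA_REF = re.compile(r"^\{\{.+\}\}$")  # assumption: value comes from a vaulted variable


def _duplicates(values):
    """Return the sorted values that occur more than once."""
    seen, dups = set(), set()
    for value in values:
        (dups if value in seen else seen).add(value)
    return sorted(dups)


def _check_ipsec(inv, findings):
    profiles = inv.get("wan_ipsec_profiles")
    if profiles is None:
        return
    if "control_plane" not in profiles:
        findings.append("wan_ipsec_profiles: control_plane is required")
    for plane in ("control_plane", "data_plane"):
        if plane not in profiles:
            continue
        key = str(profiles[plane].get("shared_key") or "").strip()
        if not key:
            findings.append(f"wan_ipsec_profiles.{plane}: shared_key is required")
        elif not (key.startswith(VAULT_HEADER) or JINJA_REF.match(key)):
            # A type 7 string is obfuscated, not vaulted, so it is flagged too.
            findings.append(f"wan_ipsec_profiles.{plane}: shared_key is not vaulted")


def _check_path_groups(inv, findings):
    groups = inv.get("wan_path_groups", [])
    for name in _duplicates(g["name"] for g in groups):
        findings.append(f"wan_path_groups: duplicate name {name!r}")
    for g in groups:
        if "id" not in g:
            findings.append(f"wan_path_groups[{g['name']}]: id is required")
        elif g["id"] == RESERVED_HA_PATH_GROUP_ID and g["name"] != "LAN_HA":
            findings.append(f"wan_path_groups[{g['name']}]: id 65535 is reserved for LAN_HA")
    known = {g["name"] for g in groups}
    # Assumption: a carrier must point at a path-group defined in wan_path_groups.
    for c in inv.get("wan_carriers", []):
        if c.get("path_group") not in known:
            findings.append(f"wan_carriers[{c['name']}]: unknown path_group {c.get('path_group')!r}")


def _check_regions(inv, findings):
    regions = inv.get("cv_pathfinder_regions", [])
    for rid in _duplicates(r["id"] for r in regions):
        findings.append(f"cv_pathfinder_regions: duplicate region id {rid}")
    for r in regions:
        if not 1 <= r["id"] <= 255:
            findings.append(f"cv_pathfinder_regions[{r['name']}]: region id {r['id']} outside 1-255")
        sites = r.get("sites", [])
        # All sites share DEFAULT-ZONE, so site IDs must be unique per region.
        for sid in _duplicates(s["id"] for s in sites):
            findings.append(f"cv_pathfinder_regions[{r['name']}]: duplicate site id {sid}")
        for s in sites:
            if not 1 <= s["id"] <= 10000:
                findings.append(f"cv_pathfinder_regions[{r['name']}]: site id {s['id']} outside 1-10000")


def lint_wan_inputs(inv):
    """Return a sorted list of findings; an empty list means the inputs pass."""
    findings = []
    mode = inv.get("wan_mode", "cv-pathfinder")
    if mode not in ("autovpn", "cv-pathfinder"):
        findings.append(f"wan_mode: invalid value {mode!r}")
    _check_ipsec(inv, findings)
    _check_path_groups(inv, findings)
    if mode == "cv-pathfinder":  # the hierarchy is only relevant for CV Pathfinder
        _check_regions(inv, findings)
    return sorted(findings)


# Constructed sample inventory, as parsed from the YAML files before Ansible
# templating. Every name, ID and key below is made up for this example.
SAMPLE = {
    "wan_mode": "cv-pathfinder",
    "wan_ipsec_profiles": {
        "control_plane": {"shared_key": "{{ vault_wan_cp_key }}"},
        "data_plane": {"shared_key": "CONSTRUCTED-INLINE-TYPE7-STRING"},
    },
    "wan_path_groups": [{"name": "INET", "id": 101}, {"name": "MPLS", "id": 65535}],
    "wan_carriers": [
        {"name": "ISP-1", "path_group": "INET"},
        {"name": "ISP-2", "path_group": "LTE"},
    ],
    "cv_pathfinder_regions": [
        {"name": "EMEA", "id": 1, "sites": [{"name": "PAR", "id": 10}, {"name": "LON", "id": 10}]},
        {"name": "APAC", "id": 256, "sites": [{"name": "SYD", "id": 1}]},
    ],
}

if __name__ == "__main__":
    for finding in lint_wan_inputs(SAMPLE):
        print(finding)
```

Run as a pre-commit or CI step over the parsed inventory; a non-empty result should fail the job before any configuration is rendered.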
WAN interfaces
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
<node_type_keys.key> | Dictionary | | | | |
defaults | Dictionary | | | | Define variables for all nodes of this type. |
l3_interfaces | List, items: Dictionary | | | | PREVIEW: This key is currently not supported. L3 Interfaces are currently only used for WAN interfaces. |
- profile | String | | | | L3 interface profile name. Profile defined under `l3_interface_profiles`. |
name | String | Required, Unique | | Pattern: Ethernet[\d/]+(.[\d]+)? | Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’. For a subinterface, the parent physical interface is automatically created. |
description | String | | | | Interface description. If not set a default description will be configured with `[<peer>[ <peer_interface>]]`. |
ip_address | String | | | | Node IPv4 address/Mask or ‘dhcp’. |
encapsulation_dot1q_vlan | Integer | | | Min: 1 Max: 4094 | For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified. |
dhcp_accept_default_route | Boolean | | False | | Accept a default route from DHCP if `ip_address` is set to `dhcp`. |
enabled | Boolean | | True | | Enable or Shutdown the interface. |
speed | String | | | | Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`. |
peer | String | | | | The peer device name. Used for description and documentation |
peer_interface | String | | | | The peer device interface. Used for description and documentation |
peer_ip | String | | | | The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address. |
static_routes | List, items: Dictionary | | | Min Length: 1 | Configure IPv4 static routes pointing to `peer_ip`. |
- prefix | String | Required | | | IPv4_network/Mask |
qos_profile | String | | | | QOS service profile. |
wan_carrier | String | | | | The WAN Carrier this interface is connected to. This is used to infer the path-groups in which this interface should be configured. |
wan_circuit_id | String | | | | The WAN Circuit ID for this interface. This is not rendered in the configuration but used for WAN designs. |
connected_to_pathfinder | Boolean | | True | | For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders. |
raw_eos_cli | String | | | | EOS CLI rendered directly on the interface in the final EOS configuration. |
structured_config | Dictionary | | | | Custom structured config for the Ethernet interface. |
node_groups | List, items: Dictionary | | | | Define variables related to all nodes part of this group. |
- group | String | Required, Unique | | | The Node Group Name is used for MLAG domain unless set with ‘mlag_domain_id’. The Node Group Name is also used for peer description on downstream switches’ uplinks. |
nodes | List, items: Dictionary | | | | Define variables per node. |
- name | String | Required, Unique | | | The Node Name is used as “hostname”. |
l3_interfaces | List, items: Dictionary | | | | PREVIEW: This key is currently not supported. L3 Interfaces are currently only used for WAN interfaces. |
- profile | String | | | | L3 interface profile name. Profile defined under `l3_interface_profiles`. |
name | String | Required, Unique | | Pattern: Ethernet[\d/]+(.[\d]+)? | Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’. For a subinterface, the parent physical interface is automatically created. |
description | String | | | | Interface description. If not set a default description will be configured with `[<peer>[ <peer_interface>]]`. |
ip_address | String | | | | Node IPv4 address/Mask or ‘dhcp’. |
encapsulation_dot1q_vlan | Integer | | | Min: 1 Max: 4094 | For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified. |
dhcp_accept_default_route | Boolean | | False | | Accept a default route from DHCP if `ip_address` is set to `dhcp`. |
enabled | Boolean | | True | | Enable or Shutdown the interface. |
speed | String | | | | Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`. |
peer | String | | | | The peer device name. Used for description and documentation |
peer_interface | String | | | | The peer device interface. Used for description and documentation |
peer_ip | String | | | | The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address. |
static_routes | List, items: Dictionary | | | Min Length: 1 | Configure IPv4 static routes pointing to `peer_ip`. |
- prefix | String | Required | | | IPv4_network/Mask |
qos_profile | String | | | | QOS service profile. |
wan_carrier | String | | | | The WAN Carrier this interface is connected to. This is used to infer the path-groups in which this interface should be configured. |
wan_circuit_id | String | | | | The WAN Circuit ID for this interface. This is not rendered in the configuration but used for WAN designs. |
connected_to_pathfinder | Boolean | | True | | For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders. |
raw_eos_cli | String | | | | EOS CLI rendered directly on the interface in the final EOS configuration. |
structured_config | Dictionary | | | | Custom structured config for the Ethernet interface. |
l3_interfaces | List, items: Dictionary | | | | PREVIEW: This key is currently not supported. L3 Interfaces are currently only used for WAN interfaces. |
- profile | String | | | | L3 interface profile name. Profile defined under `l3_interface_profiles`. |
name | String | Required, Unique | | Pattern: Ethernet[\d/]+(.[\d]+)? | Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’. For a subinterface, the parent physical interface is automatically created. |
description | String | | | | Interface description. If not set a default description will be configured with `[<peer>[ <peer_interface>]]`. |
ip_address | String | | | | Node IPv4 address/Mask or ‘dhcp’. |
encapsulation_dot1q_vlan | Integer | | | Min: 1 Max: 4094 | For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified. |
dhcp_accept_default_route | Boolean | | False | | Accept a default route from DHCP if `ip_address` is set to `dhcp`. |
enabled | Boolean | | True | | Enable or Shutdown the interface. |
speed | String | | | | Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`. |
peer | String | | | | The peer device name. Used for description and documentation |
peer_interface | String | | | | The peer device interface. Used for description and documentation |
peer_ip | String | | | | The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address. |
static_routes | List, items: Dictionary | | | Min Length: 1 | Configure IPv4 static routes pointing to `peer_ip`. |
- prefix | String | Required | | | IPv4_network/Mask |
qos_profile | String | | | | QOS service profile. |
wan_carrier | String | | | | The WAN Carrier this interface is connected to. This is used to infer the path-groups in which this interface should be configured. |
wan_circuit_id | String | | | | The WAN Circuit ID for this interface. This is not rendered in the configuration but used for WAN designs. |
connected_to_pathfinder | Boolean | | True | | For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders. |
raw_eos_cli | String | | | | EOS CLI rendered directly on the interface in the final EOS configuration. |
structured_config | Dictionary | | | | Custom structured config for the Ethernet interface. |
nodes | List, items: Dictionary | | | | Define variables per node. |
- name | String | Required, Unique | | | The Node Name is used as “hostname”. |
l3_interfaces | List, items: Dictionary | | | | PREVIEW: This key is currently not supported. L3 Interfaces are currently only used for WAN interfaces. |
- profile | String | | | | L3 interface profile name. Profile defined under `l3_interface_profiles`. |
name | String | Required, Unique | | Pattern: Ethernet[\d/]+(.[\d]+)? | Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’. For a subinterface, the parent physical interface is automatically created. |
description | String | | | | Interface description. If not set a default description will be configured with `[<peer>[ <peer_interface>]]`. |
ip_address | String | | | | Node IPv4 address/Mask or ‘dhcp’. |
encapsulation_dot1q_vlan | Integer | | | Min: 1 Max: 4094 | For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified. |
dhcp_accept_default_route | Boolean | | False | | Accept a default route from DHCP if `ip_address` is set to `dhcp`. |
enabled | Boolean | | True | | Enable or Shutdown the interface. |
speed | String | | | | Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`. |
peer | String | | | | The peer device name. Used for description and documentation |
peer_interface | String | | | | The peer device interface. Used for description and documentation |
peer_ip | String | | | | The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address. |
static_routes | List, items: Dictionary | | | Min Length: 1 | Configure IPv4 static routes pointing to `peer_ip`. |
- prefix | String | Required | | | IPv4_network/Mask |
qos_profile | String | | | | QOS service profile. |
wan_carrier | String | | | | The WAN Carrier this interface is connected to. This is used to infer the path-groups in which this interface should be configured. |
wan_circuit_id | String | | | | The WAN Circuit ID for this interface. This is not rendered in the configuration but used for WAN designs. |
connected_to_pathfinder | Boolean | | True | | For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders. |
raw_eos_cli | String | | | | EOS CLI rendered directly on the interface in the final EOS configuration. |
structured_config | Dictionary | | | | Custom structured config for the Ethernet interface. |
l3_interface_profiles | List, items: Dictionary | | | | PREVIEW: This key is currently not supported. Profiles to inherit common settings for l3_interfaces defined under the node type key. These profiles will not work for l3_interfaces defined under `vrfs`. |
- profile | String | Required, Unique | | | L3 interface profile name. Any variable supported under `l3_interfaces` can be inherited from a profile. |
name | String | | | Pattern: Ethernet[\d/]+(.[\d]+)? | Ethernet interface name like ‘Ethernet2’ or subinterface name like ‘Ethernet2.42’. For a subinterface, the parent physical interface is automatically created. |
description | String | | | | Interface description. If not set a default description will be configured with `[<peer>[ <peer_interface>]]`. |
ip_address | String | | | | Node IPv4 address/Mask or ‘dhcp’. |
encapsulation_dot1q_vlan | Integer | | | Min: 1 Max: 4094 | For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified. |
dhcp_accept_default_route | Boolean | | False | | Accept a default route from DHCP if `ip_address` is set to `dhcp`. |
enabled | Boolean | | True | | Enable or Shutdown the interface. |
speed | String | | | | Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`. |
peer | String | | | | The peer device name. Used for description and documentation |
peer_interface | String | | | | The peer device interface. Used for description and documentation |
peer_ip | String | | | | The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address. |
static_routes | List, items: Dictionary | | | Min Length: 1 | Configure IPv4 static routes pointing to `peer_ip`. |
- prefix | String | Required | | | IPv4_network/Mask |
qos_profile | String | | | | QOS service profile. |
wan_carrier | String | | | | The WAN Carrier this interface is connected to. This is used to infer the path-groups in which this interface should be configured. |
wan_circuit_id | String | | | | The WAN Circuit ID for this interface. This is not rendered in the configuration but used for WAN designs. |
connected_to_pathfinder | Boolean | | True | | For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders. |
raw_eos_cli | String | | | | EOS CLI rendered directly on the interface in the final EOS configuration. |
structured_config | Dictionary | | | | Custom structured config for the Ethernet interface. |
<node_type_keys.key>:
# Define variables for all nodes of this type.
defaults:
# PREVIEW: This key is currently not supported
# L3 Interfaces currently only use for WAN interfaces.
l3_interfaces:
# L3 interface profile name. Profile defined under `l3_interface_profiles`.
- profile: <str>
# Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
# For a subinterface, the parent physical interface is automatically created.
name: <str; required; unique>
# Interface description.
# If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
description: <str>
# Node IPv4 address/Mask or 'dhcp'.
ip_address: <str>
# For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
encapsulation_dot1q_vlan: <int; 1-4094>
# Accept a default route from DHCP if `ip_address` is set to `dhcp`.
dhcp_accept_default_route: <bool; default=False>
# Enable or Shutdown the interface.
enabled: <bool; default=True>
# Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
speed: <str>
# The peer device name. Used for description and documentation
peer: <str>
# The peer device interface. Used for description and documentation
peer_interface: <str>
# The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
peer_ip: <str>
# Configure IPv4 static routes pointing to `peer_ip`.
static_routes: # >=1 items
# IPv4_network/Mask
- prefix: <str; required>
# QOS service profile.
qos_profile: <str>
# The WAN Carrier this interface is connected to.
# This is used to infer the path-groups in which this interface should be configured.
wan_carrier: <str>
# The WAN Circuit ID for this interface.
# This is not rendered in the configuration but used for WAN designs.
wan_circuit_id: <str>
# For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders.
connected_to_pathfinder: <bool; default=True>
# EOS CLI rendered directly on the interface in the final EOS configuration.
raw_eos_cli: <str>
# Custom structured config for the Ethernet interface.
structured_config: <dict>
# Define variables related to all nodes part of this group.
node_groups:
# The Node Group Name is used for MLAG domain unless set with 'mlag_domain_id'.
# The Node Group Name is also used for peer description on downstream switches' uplinks.
- group: <str; required; unique>
# Define variables per node.
nodes:
# The Node Name is used as "hostname".
- name: <str; required; unique>
# PREVIEW: This key is currently not supported
# L3 Interfaces currently only use for WAN interfaces.
l3_interfaces:
# L3 interface profile name. Profile defined under `l3_interface_profiles`.
- profile: <str>
# Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
# For a subinterface, the parent physical interface is automatically created.
name: <str; required; unique>
# Interface description.
# If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
description: <str>
# Node IPv4 address/Mask or 'dhcp'.
ip_address: <str>
# For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
encapsulation_dot1q_vlan: <int; 1-4094>
# Accept a default route from DHCP if `ip_address` is set to `dhcp`.
dhcp_accept_default_route: <bool; default=False>
# Enable or Shutdown the interface.
enabled: <bool; default=True>
# Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
speed: <str>
# The peer device name. Used for description and documentation
peer: <str>
# The peer device interface. Used for description and documentation
peer_interface: <str>
# The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
peer_ip: <str>
# Configure IPv4 static routes pointing to `peer_ip`.
static_routes: # >=1 items
# IPv4_network/Mask
- prefix: <str; required>
# QOS service profile.
qos_profile: <str>
# The WAN Carrier this interface is connected to.
# This is used to infer the path-groups in which this interface should be configured.
wan_carrier: <str>
# The WAN Circuit ID for this interface.
# This is not rendered in the configuration but used for WAN designs.
wan_circuit_id: <str>
# For a WAN interface (`wan_path_group` is set), allow to disable the static tunnel towards Pathfinders.
connected_to_pathfinder: <bool; default=True>
# EOS CLI rendered directly on the interface in the final EOS configuration.
raw_eos_cli: <str>
# Custom structured config for the Ethernet interface.
structured_config: <dict>
# PREVIEW: This key is currently not supported
# L3 Interfaces currently only use for WAN interfaces.
l3_interfaces:
# L3 interface profile name. Profile defined under `l3_interface_profiles`.
- profile: <str>
# Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
# For a subinterface, the parent physical interface is automatically created.
name: <str; required; unique>
# Interface description.
# If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
description: <str>
# Node IPv4 address/Mask or 'dhcp'.
ip_address: <str>
# For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
encapsulation_dot1q_vlan: <int; 1-4094>
# Accept a default route from DHCP if `ip_address` is set to `dhcp`.
dhcp_accept_default_route: <bool; default=False>
# Enable or Shutdown the interface.
enabled: <bool; default=True>
# Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
speed: <str>
# The peer device name. Used for description and documentation
peer: <str>
# The peer device interface. Used for description and documentation
peer_interface: <str>
# The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
peer_ip: <str>
# Configure IPv4 static routes pointing to `peer_ip`.
static_routes: # >=1 items
# IPv4_network/Mask
- prefix: <str; required>
# QOS service profile.
qos_profile: <str>
# The WAN Carrier this interface is connected to.
# This is used to infer the path-groups in which this interface should be configured.
wan_carrier: <str>
# The WAN Circuit ID for this interface.
# This is not rendered in the configuration but used for WAN designs.
wan_circuit_id: <str>
# For a WAN interface (`wan_path_group` is set), allows disabling the static tunnel towards Pathfinders.
connected_to_pathfinder: <bool; default=True>
# EOS CLI rendered directly on the interface in the final EOS configuration.
raw_eos_cli: <str>
# Custom structured config for the Ethernet interface.
structured_config: <dict>
# Define variables per node.
nodes:
# The Node Name is used as "hostname".
- name: <str; required; unique>
# PREVIEW: This key is currently not supported
# L3 interfaces are currently only used for WAN interfaces.
l3_interfaces:
# L3 interface profile name. Profile defined under `l3_interface_profiles`.
- profile: <str>
# Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
# For a subinterface, the parent physical interface is automatically created.
name: <str; required; unique>
# Interface description.
# If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
description: <str>
# Node IPv4 address/Mask or 'dhcp'.
ip_address: <str>
# For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
encapsulation_dot1q_vlan: <int; 1-4094>
# Accept a default route from DHCP if `ip_address` is set to `dhcp`.
dhcp_accept_default_route: <bool; default=False>
# Enable or Shutdown the interface.
enabled: <bool; default=True>
# Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
speed: <str>
# The peer device name. Used for description and documentation
peer: <str>
# The peer device interface. Used for description and documentation
peer_interface: <str>
# The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
peer_ip: <str>
# Configure IPv4 static routes pointing to `peer_ip`.
static_routes: # >=1 items
# IPv4_network/Mask
- prefix: <str; required>
# QOS service profile.
qos_profile: <str>
# The WAN Carrier this interface is connected to.
# This is used to infer the path-groups in which this interface should be configured.
wan_carrier: <str>
# The WAN Circuit ID for this interface.
# This is not rendered in the configuration but used for WAN designs.
wan_circuit_id: <str>
# For a WAN interface (`wan_path_group` is set), allows disabling the static tunnel towards Pathfinders.
connected_to_pathfinder: <bool; default=True>
# EOS CLI rendered directly on the interface in the final EOS configuration.
raw_eos_cli: <str>
# Custom structured config for the Ethernet interface.
structured_config: <dict>
# PREVIEW: This key is currently not supported
# Profiles to inherit common settings for l3_interfaces defined under the node type key.
# These profiles will *not* work for `l3_interfaces` defined under `vrfs`.
l3_interface_profiles:
# L3 interface profile name. Any variable supported under `l3_interfaces` can be inherited from a profile.
- profile: <str; required; unique>
# Ethernet interface name like 'Ethernet2' or subinterface name like 'Ethernet2.42'
# For a subinterface, the parent physical interface is automatically created.
name: <str>
# Interface description.
# If not set a default description will be configured with '[<peer>[ <peer_interface>]]'
description: <str>
# Node IPv4 address/Mask or 'dhcp'.
ip_address: <str>
# For subinterfaces the dot1q vlan is derived from the interface name by default, but can also be specified.
encapsulation_dot1q_vlan: <int; 1-4094>
# Accept a default route from DHCP if `ip_address` is set to `dhcp`.
dhcp_accept_default_route: <bool; default=False>
# Enable or Shutdown the interface.
enabled: <bool; default=True>
# Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
speed: <str>
# The peer device name. Used for description and documentation
peer: <str>
# The peer device interface. Used for description and documentation
peer_interface: <str>
# The peer device IPv4 address (no mask). Used as default route gateway if `set_default_route` is true and `ip` is an IP address.
peer_ip: <str>
# Configure IPv4 static routes pointing to `peer_ip`.
static_routes: # >=1 items
# IPv4_network/Mask
- prefix: <str; required>
# QOS service profile.
qos_profile: <str>
# The WAN Carrier this interface is connected to.
# This is used to infer the path-groups in which this interface should be configured.
wan_carrier: <str>
# The WAN Circuit ID for this interface.
# This is not rendered in the configuration but used for WAN designs.
wan_circuit_id: <str>
# For a WAN interface (`wan_path_group` is set), allows disabling the static tunnel towards Pathfinders.
connected_to_pathfinder: <bool; default=True>
# EOS CLI rendered directly on the interface in the final EOS configuration.
raw_eos_cli: <str>
# Custom structured config for the Ethernet interface.
structured_config: <dict>
WAN Virtual topologies¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
wan_virtual_topologies | Dictionary | | | | PREVIEW: WAN Preview<br>Configure Virtual Topologies for CV Pathfinder and AutoVPN. Auto create a control plane profile/policy/application and enforce it being first in the default VRF. |
vrfs | List, items: Dictionary | | | | Map a VRF that exists in network_services to an AVT policy.<br>TODO: missing default VRF behavior |
- name | String | Required, Unique | | | VRF name. |
policy | String | | | | Name of the AVT policy to apply to this VRF. |
control_plane_virtual_topology | Dictionary | | | | Always injected into the default VRF policy as the first entry. By default, if no path-groups are specified, all locally available path-groups are used in the generated load-balance policy. ID is hardcoded to 254 for the AVT profile in CV Pathfinder mode. |
name | String | | | | Optional name, if not set `CONTROL-PLANE-PROFILE` is used. |
traffic_class | Integer | | | Min: 0<br>Max: 7 | Set traffic-class for matched traffic. |
dscp | Integer | | | Min: 0<br>Max: 63 | Set DSCP for matched traffic. |
constraints | Dictionary | | | | |
jitter | Integer | | | Min: 0<br>Max: 10000 | Jitter requirement for this load balance policy in milliseconds. |
latency | Integer | | | Min: 0<br>Max: 10000 | One way delay requirement for this load balance policy in milliseconds. |
loss_rate | String | | | Pattern: `^\d+(.\d{1,2})?$` | Loss Rate requirement in percentage for this load balance policy. Value between 0.00 and 100.00. |
path_groups | List, items: Dictionary | | | Min Length: 1 | |
- names | List, items: String | Required | | Min Length: 1 | List of path-group names. |
- <str> | String | | | | |
preference | String | | preferred | | Valid values are 1-255 \| preferred \| alternate. preferred is converted to priority 1. alternate is converted to priority 2. |
policies | List, items: Dictionary | | | | List of virtual topologies policies.<br>For AutoVPN, each item in the list creates:<br>* one policy with:<br>- one `match` entry per `application_virtual_topologies` item; they are indexed using `10 * <list_index>` where `list_index` starts at `1`.<br>- one `default-match`<br>* one load-balance policy per `application_virtual_topologies` and one for the `default_virtual_topology`.<br>* if the policy is associated with the default VRF, a special control-plane rule is injected in the policy with index `1` referring to a control-plane load-balance policy as defined under `control_plane_virtual_topology`.<br>For CV Pathfinder, each item in the list creates:<br>* one policy with:<br>- one `match` entry per `application_virtual_topologies` item ordered as in the model.<br>- one last match entry for the `default` application-profile using `default_virtual_topology` information.<br>* one profile per `application_virtual_topologies` item.<br>* one profile for the `default_virtual_topology`.<br>* one load-balance policy per `application_virtual_topologies`.<br>* one load_balance policy for the `default_virtual_topology`.<br>* if the policy is associated with the default VRF, a special control-plane profile is configured and injected first in the policy assigned to the `default` VRF. This profile points to a control-plane load-balance policy as defined under `control_plane_virtual_topology`. |
- name | String | Required, Unique | | | Name of the AVT policy. |
application_virtual_topologies | List, items: Dictionary | | | | List of application specific virtual topologies. |
- application_profile | String | Required, Unique | | | The application profile to use for this virtual topology. It must be a defined `application_profile`. |
name | String | | | | Optional name, if not set `<policy_name>-<application_profile>` is used. |
id | Integer | | | Min: 2<br>Max: 253 | ID of the AVT in each VRF. ID must be unique across all virtual topologies in a policy. ID 1 is reserved for the default_virtual_topology. ID 254 is reserved for the control_plane_virtual_topology. |
traffic_class | Integer | | | Min: 0<br>Max: 7 | Set traffic-class for matched traffic. |
dscp | Integer | | | Min: 0<br>Max: 63 | Set DSCP for matched traffic. |
constraints | Dictionary | | | | |
jitter | Integer | | | Min: 0<br>Max: 10000 | Jitter requirement for this load balance policy in milliseconds. |
latency | Integer | | | Min: 0<br>Max: 10000 | One way delay requirement for this load balance policy in milliseconds. |
loss_rate | String | | | Pattern: `^\d+(.\d{1,2})?$` | Loss Rate requirement in percentage for this load balance policy. Value between 0.00 and 100.00. |
path_groups | List, items: Dictionary | | | Min Length: 1 | |
- names | List, items: String | Required | | Min Length: 1 | List of path-group names. |
- <str> | String | | | | |
preference | String | | preferred | | Valid values are 1-255 \| preferred \| alternate. preferred is converted to priority 1. alternate is converted to priority 2. |
default_virtual_topology | Dictionary | Required | | | Default match for the policy. If no default match should be configured, set `drop_unmatched` to `true`. Otherwise, in CV Pathfinder mode, a default AVT profile will be configured with ID 1. |
name | String | | | | Optional name, if not set `<policy_name>-DEFAULT` is used. |
drop_unmatched | Boolean | | False | | When set, no `catch-all` match is configured for the policy and unmatched traffic is dropped. |
traffic_class | Integer | | | Min: 0<br>Max: 7 | Set traffic-class for matched traffic. |
dscp | Integer | | | Min: 0<br>Max: 63 | Set DSCP for matched traffic. |
constraints | Dictionary | | | | |
jitter | Integer | | | Min: 0<br>Max: 10000 | Jitter requirement for this load balance policy in milliseconds. |
latency | Integer | | | Min: 0<br>Max: 10000 | One way delay requirement for this load balance policy in milliseconds. |
loss_rate | String | | | Pattern: `^\d+(.\d{1,2})?$` | Loss Rate requirement in percentage for this load balance policy. Value between 0.00 and 100.00. |
path_groups | List, items: Dictionary | | | Min Length: 1 | |
- names | List, items: String | Required | | Min Length: 1 | List of path-group names. |
- <str> | String | | | | |
preference | String | | preferred | | Valid values are 1-255 \| preferred \| alternate. preferred is converted to priority 1. alternate is converted to priority 2. |
# PREVIEW: WAN Preview
# Configure Virtual Topologies for CV Pathfinder and AutoVPN.
# Auto create a control plane profile/policy/application and enforce it being first in the default VRF.
wan_virtual_topologies:
  # Map a VRF that exists in network_services to an AVT policy.
  # TODO: missing default VRF behavior
  vrfs:
      # VRF name.
    - name: <str; required; unique>
      # Name of the AVT policy to apply to this VRF.
      policy: <str>
  # Always injected into the default VRF policy as the first entry.
  # By default, if no path-groups are specified, all locally available path-groups
  # are used in the generated load-balance policy.
  # ID is hardcoded to 254 for the AVT profile in CV Pathfinder mode.
  control_plane_virtual_topology:
    # Optional name, if not set `CONTROL-PLANE-PROFILE` is used.
    name: <str>
    # Set traffic-class for matched traffic.
    traffic_class: <int; 0-7>
    # Set DSCP for matched traffic.
    dscp: <int; 0-63>
    constraints:
      # Jitter requirement for this load balance policy in milliseconds.
      jitter: <int; 0-10000>
      # One way delay requirement for this load balance policy in milliseconds.
      latency: <int; 0-10000>
      # Loss Rate requirement in percentage for this load balance policy.
      # Value between 0.00 and 100.00.
      loss_rate: <str>
    path_groups: # >=1 items
        # List of path-group names.
      - names: # >=1 items; required
          - <str>
        # Valid values are 1-255 | preferred | alternate.
        # preferred is converted to priority 1.
        # alternate is converted to priority 2.
        preference: <str; default="preferred">
  # List of virtual topologies policies.
  # For AutoVPN, each item in the list creates:
  #   * one policy with:
  #       * one `match` entry per `application_virtual_topologies` item
  #         they are indexed using `10 * <list_index>` where `list_index` starts at `1`.
  #       * one `default-match`
  #   * one load-balance policy per `application_virtual_topologies` and one for the `default_virtual_topology`.
  #   * if the policy is associated with the default VRF, a special control-plane rule is injected
  #     in the policy with index `1` referring to a control-plane load-balance policy as defined under
  #     `control_plane_virtual_topology`.
  # For CV Pathfinder, each item in the list creates:
  #   * one policy with:
  #       * one `match` entry per `application_virtual_topologies` item ordered as in the model.
  #       * one last match entry for the `default` application-profile using `default_virtual_topology` information.
  #   * one profile per `application_virtual_topologies` item.
  #   * one profile for the `default_virtual_topology`.
  #   * one load-balance policy per `application_virtual_topologies`.
  #   * one load_balance policy for the `default_virtual_topology`.
  #   * if the policy is associated with the default VRF, a special control-plane profile is configured
  #     and injected first in the policy assigned to the `default` VRF. This profile points to a
  #     control-plane load-balance policy as defined under `control_plane_virtual_topology`.
  policies:
      # Name of the AVT policy.
    - name: <str; required; unique>
      # List of application specific virtual topologies.
      application_virtual_topologies:
          # The application profile to use for this virtual topology. It must be a defined `application_profile`.
        - application_profile: <str; required; unique>
          # Optional name, if not set `<policy_name>-<application_profile>` is used.
          name: <str>
          # ID of the AVT in each VRF. ID must be unique across all virtual topologies in a policy.
          # ID 1 is reserved for the default_virtual_topology.
          # ID 254 is reserved for the control_plane_virtual_topology.
          id: <int; 2-253>
          # Set traffic-class for matched traffic.
          traffic_class: <int; 0-7>
          # Set DSCP for matched traffic.
          dscp: <int; 0-63>
          constraints:
            # Jitter requirement for this load balance policy in milliseconds.
            jitter: <int; 0-10000>
            # One way delay requirement for this load balance policy in milliseconds.
            latency: <int; 0-10000>
            # Loss Rate requirement in percentage for this load balance policy.
            # Value between 0.00 and 100.00.
            loss_rate: <str>
          path_groups: # >=1 items
              # List of path-group names.
            - names: # >=1 items; required
                - <str>
              # Valid values are 1-255 | preferred | alternate.
              # preferred is converted to priority 1.
              # alternate is converted to priority 2.
              preference: <str; default="preferred">
      # Default match for the policy.
      # If no default match should be configured, set `drop_unmatched` to `true`.
      # Otherwise, in CV Pathfinder mode, a default AVT profile will be configured with ID 1.
      default_virtual_topology: # required
        # Optional name, if not set `<policy_name>-DEFAULT` is used.
        name: <str>
        # When set, no `catch-all` match is configured for the policy and unmatched traffic is dropped.
        drop_unmatched: <bool; default=False>
        # Set traffic-class for matched traffic.
        traffic_class: <int; 0-7>
        # Set DSCP for matched traffic.
        dscp: <int; 0-63>
        constraints:
          # Jitter requirement for this load balance policy in milliseconds.
          jitter: <int; 0-10000>
          # One way delay requirement for this load balance policy in milliseconds.
          latency: <int; 0-10000>
          # Loss Rate requirement in percentage for this load balance policy.
          # Value between 0.00 and 100.00.
          loss_rate: <str>
        path_groups: # >=1 items
            # List of path-group names.
          - names: # >=1 items; required
              - <str>
            # Valid values are 1-255 | preferred | alternate.
            # preferred is converted to priority 1.
            # alternate is converted to priority 2.
            preference: <str; default="preferred">
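
The policy rules documented above (AVT IDs limited to 2-253 with 1 and 254 reserved, `preferred`/`alternate` mapped to priorities 1 and 2, a default topology that needs either `drop_unmatched` or a path-group, and the AutoVPN `10 * <list_index>` match indexing) can be checked on the input data before a build. The following Python is an added example, not AVD code; the function names and the sample policy are assumptions made for illustration.

```python
import re

# The schema table gives ^\d+(.\d{1,2})?$ for loss_rate; the dot is escaped here
# so that only a decimal point is accepted (a choice made for this example).
LOSS_RATE_RE = re.compile(r"\d+(\.\d{1,2})?")
PREFERENCE_WORDS = {"preferred": 1, "alternate": 2}


def preference_to_priority(value="preferred"):
    """Convert a path-group `preference` (1-255, preferred, alternate) to a priority."""
    text = str(value)
    if text in PREFERENCE_WORDS:
        return PREFERENCE_WORDS[text]
    if re.fullmatch(r"[0-9]{1,3}", text) and 1 <= int(text) <= 255:
        return int(text)
    raise ValueError(f"invalid preference {value!r}")


def check_topology(where, topology, errors):
    """Range checks shared by application, default and control-plane topologies."""
    for key, high in (("traffic_class", 7), ("dscp", 63)):
        if key in topology and not 0 <= topology[key] <= high:
            errors.append(f"{where}: {key} must be 0-{high}")
    constraints = topology.get("constraints") or {}
    for key in ("jitter", "latency"):
        if key in constraints and not 0 <= constraints[key] <= 10000:
            errors.append(f"{where}: {key} must be 0-10000 ms")
    if "loss_rate" in constraints:
        rate = str(constraints["loss_rate"])
        if not LOSS_RATE_RE.fullmatch(rate) or float(rate) > 100:
            errors.append(f"{where}: loss_rate must be between 0.00 and 100.00")
    for group in topology.get("path_groups") or []:
        if not group.get("names"):
            errors.append(f"{where}: each path_groups entry needs at least one name")
        try:
            preference_to_priority(group.get("preference", "preferred"))
        except ValueError as exc:
            errors.append(f"{where}: {exc}")


def lint_policy(policy):
    """Return the problems found in one `wan_virtual_topologies.policies` item."""
    errors, seen_ids, seen_profiles = [], set(), set()
    for avt in policy.get("application_virtual_topologies") or []:
        profile = avt.get("application_profile")
        where = f"{policy['name']}/{profile}"
        if profile in seen_profiles:
            errors.append(f"{where}: application_profile must be unique")
        seen_profiles.add(profile)
        avt_id = avt.get("id")
        if avt_id is not None:
            if not 2 <= avt_id <= 253:
                errors.append(f"{where}: id {avt_id} is outside 2-253 (1 and 254 are reserved)")
            elif avt_id in seen_ids:
                errors.append(f"{where}: id {avt_id} is already used in this policy")
            seen_ids.add(avt_id)
        check_topology(where, avt, errors)
    default = policy.get("default_virtual_topology")
    where = f"{policy['name']}/default_virtual_topology"
    if default is None:
        errors.append(f"{where}: key is required")
    else:
        if not default.get("drop_unmatched", False) and not default.get("path_groups"):
            errors.append(f"{where}: set drop_unmatched or configure a path-group")
        check_topology(where, default, errors)
    return errors


def autovpn_match_order(policy, control_plane=None, in_default_vrf=False):
    """List (index, virtual topology name) in the order described for AutoVPN."""
    name = policy["name"]
    rules = []
    if in_default_vrf:  # the control-plane rule is injected with index 1
        rules.append((1, (control_plane or {}).get("name", "CONTROL-PLANE-PROFILE")))
    avts = policy.get("application_virtual_topologies") or []
    for list_index, avt in enumerate(avts, start=1):
        default_name = f"{name}-{avt['application_profile']}"
        rules.append((10 * list_index, avt.get("name", default_name)))
    default = policy.get("default_virtual_topology") or {}
    if not default.get("drop_unmatched", False):
        rules.append(("default-match", default.get("name", f"{name}-DEFAULT")))
    return rules


# Constructed sample input, not taken from a real inventory.
SAMPLE_POLICY = {
    "name": "PROD-POLICY",
    "application_virtual_topologies": [
        {"application_profile": "VOICE", "id": 2, "dscp": 46,
         "constraints": {"latency": 120, "loss_rate": "0.3"},
         "path_groups": [{"names": ["MPLS"], "preference": "preferred"},
                         {"names": ["INET"], "preference": "alternate"}]},
        {"application_profile": "VIDEO", "id": 254,  # reserved for the control plane
         "path_groups": [{"names": ["INET"], "preference": "300"}]},
    ],
    "default_virtual_topology": {},  # neither drop_unmatched nor path_groups
}

if __name__ == "__main__":
    for problem in lint_policy(SAMPLE_POLICY):
        print(problem)
    print(autovpn_match_order(SAMPLE_POLICY, in_default_vrf=True))
```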
Application Classification¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
application_classification | Dictionary | | | | PREVIEW: WAN Preview |
categories | List, items: Dictionary | | | | List of categories. |
- name | String | Required, Unique | | | Category name. |
applications | List, items: Dictionary | | | | List of applications. |
- name | String | | | | Application name. |
service | String | | | Valid Values:<br>- audio-video<br>- chat<br>- default<br>- file-transfer<br>- networking-protocols<br>- peer-to-peer<br>- software-update | Service Name. Specific service to target for this application. If no service is specified, all supported services of the application are matched. Not all valid values are valid for all applications, check on EOS CLI. |
field_sets | Dictionary | | | | |
l4_ports | List, items: Dictionary | | | | L4 port field-set. |
- name | String | Required, Unique | | | L4 port field-set name. |
port_values | List, items: String | | | | |
- <str> | String | | | | Port values or range of port values. Port values are between 0 and 65535. |
ipv4_prefixes | List, items: Dictionary | | | | IPv4 prefix field set. |
- name | String | Required, Unique | | | IPv4 prefix field-set name. |
prefix_values | List, items: String | | | | |
- <str> | String | | | | IP prefix (ex 1.2.3.0/24). |
applications | Dictionary | | | | |
ipv4_applications | List, items: Dictionary | | | | List of user defined IPv4 applications. |
- name | String | Required, Unique | | | Application name. |
src_prefix_set_name | String | | | | Source prefix set name. |
dest_prefix_set_name | String | | | | Destination prefix set name. |
protocols | List, items: String | | | | List of protocols to consider for this application. To use port field-sets (source, destination or both), the list must contain only one or two protocols, either `tcp` or `udp`. When using both protocols, one line is rendered for each in the configuration, hence the field-sets must have the same value for `tcp_src_port_set_name` and `udp_src_port_set_name` and for `tcp_dest_port_set_name` and `udp_dest_port_set_name` if set in order to generate valid configuration in EOS. |
- <str> | String | | | Valid Values:<br>- ahp<br>- esp<br>- icmp<br>- igmp<br>- ospf<br>- pim<br>- rsvp<br>- tcp<br>- udp<br>- vrrp | |
protocol_ranges | List, items: String | | | | Accept protocol value(s) or range(s). Protocol values can be between 1 and 255. |
- <str> | String | | | | |
udp_src_port_set_name | String | | | | Name of field set for UDP source ports. When the `protocols` list contains both `tcp` and `udp`, this key value must be the same as `tcp_src_port_set_name`. |
tcp_src_port_set_name | String | | | | Name of field set for TCP source ports. When the `protocols` list contains both `tcp` and `udp`, this key value must be the same as `udp_src_port_set_name`. |
udp_dest_port_set_name | String | | | | Name of field set for UDP destination ports. When the `protocols` list contains both `tcp` and `udp`, this key value must be the same as `tcp_dest_port_set_name`. |
tcp_dest_port_set_name | String | | | | Name of field set for TCP destination ports. When the `protocols` list contains both `tcp` and `udp`, this key value must be the same as `udp_dest_port_set_name`. |
application_profiles | List, items: Dictionary | | | | Group of applications. |
- name | String | | | | Application Profile name. |
applications | List, items: Dictionary | | | | List of applications part of the application profile. |
- name | String | | | | Application Name. |
service | String | | | Valid Values:<br>- audio-video<br>- chat<br>- default<br>- file-transfer<br>- networking-protocols<br>- peer-to-peer<br>- software-update | Service Name. Specific service to target for this application. If no service is specified, all supported services of the application are matched. Not all valid values are valid for all applications, check on EOS CLI. |
application_transports | List, items: String | | | | List of transport protocols. |
- <str> | String | | | Valid Values:<br>- http<br>- https<br>- udp<br>- tcp<br>- ip<br>- ip6<br>- ssl<br>- rtp<br>- sctp<br>- quic | Transport name. |
categories | List, items: Dictionary | | | | Categories under this application profile. |
- name | String | | | | Name of a category. |
service | String | | | Valid Values:<br>- audio-video<br>- chat<br>- default<br>- file-transfer<br>- networking-protocols<br>- peer-to-peer<br>- software-update | Service Name. Specific service to target for this application. If no service is specified, all supported services of the application are matched. Not all valid values are valid for all applications, check on EOS CLI. |
# PREVIEW: WAN Preview
application_classification:
  # List of categories.
  categories:
      # Category name.
    - name: <str; required; unique>
      # List of applications.
      applications:
          # Application name.
        - name: <str>
          # Service Name.
          # Specific service to target for this application.
          # If no service is specified, all supported services of the application are matched.
          # Not all valid values are valid for all applications, check on EOS CLI.
          service: <str; "audio-video" | "chat" | "default" | "file-transfer" | "networking-protocols" | "peer-to-peer" | "software-update">
  field_sets:
    # L4 port field-set.
    l4_ports:
        # L4 port field-set name.
      - name: <str; required; unique>
        port_values:
            # Port values or range of port values.
            # Port values are between 0 and 65535.
          - <str>
    # IPv4 prefix field set.
    ipv4_prefixes:
        # IPv4 prefix field-set name.
      - name: <str; required; unique>
        prefix_values:
            # IP prefix (ex 1.2.3.0/24).
          - <str>
  applications:
    # List of user defined IPv4 applications.
    ipv4_applications:
        # Application name.
      - name: <str; required; unique>
        # Source prefix set name.
        src_prefix_set_name: <str>
        # Destination prefix set name.
        dest_prefix_set_name: <str>
        # List of protocols to consider for this application.
        # To use port field-sets (source, destination or both), the list
        # must contain only one or two protocols, either `tcp` or `udp`.
        # When using both protocols, one line is rendered for each in the configuration,
        # hence the field-sets must have the same value for `tcp_src_port_set_name` and
        # `udp_src_port_set_name` and for `tcp_dest_port_set_name` and `udp_dest_port_set_name`
        # if set in order to generate valid configuration in EOS.
        protocols:
          - <str; "ahp" | "esp" | "icmp" | "igmp" | "ospf" | "pim" | "rsvp" | "tcp" | "udp" | "vrrp">
        # Accept protocol value(s) or range(s).
        # Protocol values can be between 1 and 255.
        protocol_ranges:
          - <str>
        # Name of field set for UDP source ports.
        # When the `protocols` list contains both `tcp` and `udp`, this key value
        # must be the same as `tcp_src_port_set_name`.
        udp_src_port_set_name: <str>
        # Name of field set for TCP source ports.
        # When the `protocols` list contains both `tcp` and `udp`, this key value
        # must be the same as `udp_src_port_set_name`.
        tcp_src_port_set_name: <str>
        # Name of field set for UDP destination ports.
        # When the `protocols` list contains both `tcp` and `udp`, this key value
        # must be the same as `tcp_dest_port_set_name`.
        udp_dest_port_set_name: <str>
        # Name of field set for TCP destination ports.
        # When the `protocols` list contains both `tcp` and `udp`, this key value
        # must be the same as `udp_dest_port_set_name`.
        tcp_dest_port_set_name: <str>
  # Group of applications.
  application_profiles:
      # Application Profile name.
    - name: <str>
      # List of applications part of the application profile.
      applications:
          # Application Name.
        - name: <str>
          # Service Name.
          # Specific service to target for this application.
          # If no service is specified, all supported services of the application are matched.
          # Not all valid values are valid for all applications, check on EOS CLI.
          service: <str; "audio-video" | "chat" | "default" | "file-transfer" | "networking-protocols" | "peer-to-peer" | "software-update">
      # List of transport protocols.
      application_transports:
          # Transport name.
        - <str; "http" | "https" | "udp" | "tcp" | "ip" | "ip6" | "ssl" | "rtp" | "sctp" | "quic">
      # Categories under this application profile.
      categories:
          # Name of a category.
        - name: <str>
          # Service Name.
          # Specific service to target for this application.
          # If no service is specified, all supported services of the application are matched.
          # Not all valid values are valid for all applications, check on EOS CLI.
          service: <str; "audio-video" | "chat" | "default" | "file-transfer" | "networking-protocols" | "peer-to-peer" | "software-update">
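
The `ipv4_applications` constraints above (port field-sets only with `tcp` and/or `udp`, identical TCP and UDP set names when both protocols are listed, ports within 0-65535 and protocol values within 1-255) lend themselves to a pre-build check. The following Python is an added example, not AVD code; the function names, the dash notation for ranges, the check that referenced field-sets exist, and the strict reading that a set name given for only one of the two protocols counts as a mismatch are assumptions.

```python
import ipaddress

PORT_KEYS = [f"{proto}_{side}_port_set_name"
             for proto in ("tcp", "udp") for side in ("src", "dest")]


def parse_range(text, low, high):
    """Parse 'N' or 'N-M' (dash form is an assumption) and bound-check it."""
    first, sep, last = str(text).partition("-")
    if not sep:
        last = first
    for part in (first, last):
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"{text!r} is not a number or range")
    start, end = int(first), int(last)
    if not low <= start <= end <= high:
        raise ValueError(f"{text!r} is outside {low}-{high}")
    return start, end


def lint_field_sets(field_sets):
    """Check L4 port values (0-65535) and that IPv4 prefixes parse."""
    errors = []
    for field_set in field_sets.get("l4_ports") or []:
        for value in field_set.get("port_values") or []:
            try:
                parse_range(value, 0, 65535)
            except ValueError as exc:
                errors.append(f"l4_ports/{field_set['name']}: {exc}")
    for field_set in field_sets.get("ipv4_prefixes") or []:
        for value in field_set.get("prefix_values") or []:
            try:
                ipaddress.IPv4Network(value, strict=False)
            except ValueError as exc:
                errors.append(f"ipv4_prefixes/{field_set['name']}: {exc}")
    return errors


def lint_ipv4_application(app, l4_names, prefix_names):
    """Apply the protocol and field-set rules to one `ipv4_applications` item."""
    errors = []
    name = app.get("name", "<unnamed>")
    protocols = set(app.get("protocols") or [])
    used = {key: app[key] for key in PORT_KEYS if app.get(key)}
    if used and not (protocols and protocols <= {"tcp", "udp"}):
        errors.append(f"{name}: port field-sets need protocols limited to tcp and/or udp")
    if {"tcp", "udp"} <= protocols:
        # One line is rendered per protocol, so both must name the same sets.
        for side in ("src", "dest"):
            if app.get(f"tcp_{side}_port_set_name") != app.get(f"udp_{side}_port_set_name"):
                errors.append(f"{name}: tcp and udp {side} port sets must be identical")
    for key, ref in used.items():
        if ref not in l4_names:
            errors.append(f"{name}: {key} refers to undefined field-set {ref!r}")
    for key in ("src_prefix_set_name", "dest_prefix_set_name"):
        if app.get(key) and app[key] not in prefix_names:
            errors.append(f"{name}: {key} refers to undefined field-set {app[key]!r}")
    for value in app.get("protocol_ranges") or []:
        try:
            parse_range(value, 1, 255)
        except ValueError as exc:
            errors.append(f"{name}: protocol_ranges {exc}")
    return errors


def lint_application_classification(classification):
    """Return every problem found under `application_classification`."""
    field_sets = classification.get("field_sets") or {}
    l4_names = {fs["name"] for fs in field_sets.get("l4_ports") or []}
    prefix_names = {fs["name"] for fs in field_sets.get("ipv4_prefixes") or []}
    errors = lint_field_sets(field_sets)
    apps = (classification.get("applications") or {}).get("ipv4_applications") or []
    for app in apps:
        errors += lint_ipv4_application(app, l4_names, prefix_names)
    return errors


# Constructed sample input, not taken from a real inventory.
SAMPLE_CLASSIFICATION = {
    "field_sets": {
        "l4_ports": [{"name": "WEB", "port_values": ["80", "443", "8000-8080"]},
                     {"name": "DNS", "port_values": ["53"]},
                     {"name": "BAD", "port_values": ["70000"]}],
        "ipv4_prefixes": [{"name": "DC", "prefix_values": ["10.0.0.0/8"]}],
    },
    "applications": {"ipv4_applications": [
        {"name": "WEB-BOTH", "protocols": ["tcp", "udp"], "dest_prefix_set_name": "DC",
         "tcp_dest_port_set_name": "WEB", "udp_dest_port_set_name": "WEB"},
        {"name": "MISMATCH", "protocols": ["tcp", "udp"],
         "tcp_dest_port_set_name": "WEB", "udp_dest_port_set_name": "DNS"},
        {"name": "ICMP-PORTS", "protocols": ["icmp"], "tcp_src_port_set_name": "MISSING"},
        {"name": "RANGE", "protocol_ranges": ["0-10"]},
    ]},
}

if __name__ == "__main__":
    for problem in lint_application_classification(SAMPLE_CLASSIFICATION):
        print(problem)
```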
New BGP peer-group¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
bgp_peer_groups | Dictionary | | | | Leverage an Arista EOS switch to generate the encrypted password using the correct peer group name. Note that the names of the peer groups use ‘-’ instead of ‘_’ in EOS configuration. |
wan_overlay_peers | Dictionary | | | | PREVIEW: This key is currently not supported |
name | String | | WAN-OVERLAY-PEERS | | Name of peer group. |
password | String | | | | Type 7 encrypted password. |
bfd | Boolean | | False | | |
listen_range_prefixes | List, items: String | | | | Only used for nodes where `wan_role` is `server` like AutoVPN RRs and Pathfinders. For clients, AVD will raise an error if the Loopback0 IP is not in any listen range. |
- <str> | String | | | | The prefixes to use in listen_range. |
structured_config | Dictionary | | | | Custom structured config added under `router_bgp.peer_groups.[name=<name>]` for eos_cli_config_gen. |
wan_rr_overlay_peers | Dictionary | | | | PREVIEW: This key is currently not supported<br>Configuration options for the peer-group created to peer between AutoVPN RRs or CV-Pathfinders. |
name | String | | WAN-RR-OVERLAY-PEERS | | Name of peer group. |
password | String | | | | Type 7 encrypted password. |
bfd | Boolean | | True | | |
structured_config | Dictionary | | | | Custom structured config added under `router_bgp.peer_groups.[name=<name>]` for eos_cli_config_gen. |
# Leverage an Arista EOS switch to generate the encrypted password using the correct peer group name.
# Note that the names of the peer groups use '-' instead of '_' in EOS configuration.
bgp_peer_groups:
  # PREVIEW: This key is currently not supported
  wan_overlay_peers:
    # Name of peer group.
    name: <str; default="WAN-OVERLAY-PEERS">
    # Type 7 encrypted password.
    password: <str>
    bfd: <bool; default=False>
    # Only used for nodes where `wan_role` is `server` like AutoVPN RRs and Pathfinders.
    # For clients, AVD will raise an error if the Loopback0 IP is not in any listen range.
    listen_range_prefixes:
        # The prefixes to use in listen_range.
      - <str>
    # Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen.
    structured_config: <dict>
  # PREVIEW: This key is currently not supported
  # Configuration options for the peer-group created to peer between
  # AutoVPN RRs or CV-Pathfinders.
  wan_rr_overlay_peers:
    # Name of peer group.
    name: <str; default="WAN-RR-OVERLAY-PEERS">
    # Type 7 encrypted password.
    password: <str>
    bfd: <bool; default=True>
    # Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen.
    structured_config: <dict>
New node keys¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
<node_type_keys.key> | Dictionary | | | | |
defaults | Dictionary | | | | Define variables for all nodes of this type. |
wan_role | String | | | Valid Values:<br>- client<br>- server | PREVIEW: This key is currently not supported<br>Override the default WAN role. This is used both for AutoVPN and Pathfinder designs. That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. Only supported if `overlay_routing_protocol` is set to `ibgp`. |
cv_pathfinder_role | String | | | Valid Values:<br>- edge<br>- transit region<br>- pathfinder | PREVIEW: This key is currently not supported<br>Override the default CV Pathfinder role. This key is used for Pathfinder designs only when the `wan_mode` root key is set to `cv_pathfinder`. `pathfinder` is only valid if `wan_role` is `server`. `edge` and `transit region` are only valid if `wan_role` is `client`. |
cv_pathfinder_region | String | | | | PREVIEW: This key is currently not supported<br>The CV Pathfinder region name. |
cv_pathfinder_site | String | | | | PREVIEW: This key is currently not supported<br>The CV Pathfinder site name. |
dps_mss_ipv4 | String | | auto | | PREVIEW: This key is currently not supported<br>IPv4 MSS value configured under “router path-selection” on WAN Devices. |
node_groups | List, items: Dictionary | | | | Define variables related to all nodes part of this group. |
- group | String | Required, Unique | | | The Node Group Name is used for MLAG domain unless set with ‘mlag_domain_id’. The Node Group Name is also used for peer description on downstream switches’ uplinks. |
nodes | List, items: Dictionary | | | | Define variables per node. |
- name | String | Required, Unique | | | The Node Name is used as “hostname”. |
wan_role | String | | | Valid Values:<br>- client<br>- server | PREVIEW: This key is currently not supported<br>Override the default WAN role. This is used both for AutoVPN and Pathfinder designs. That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. Only supported if `overlay_routing_protocol` is set to `ibgp`. |
cv_pathfinder_role | String | | | Valid Values:<br>- edge<br>- transit region<br>- pathfinder | PREVIEW: This key is currently not supported<br>Override the default CV Pathfinder role. This key is used for Pathfinder designs only when the `wan_mode` root key is set to `cv_pathfinder`. `pathfinder` is only valid if `wan_role` is `server`. `edge` and `transit region` are only valid if `wan_role` is `client`. |
cv_pathfinder_region | String | | | | PREVIEW: This key is currently not supported<br>The CV Pathfinder region name. |
cv_pathfinder_site | String | | | | PREVIEW: This key is currently not supported<br>The CV Pathfinder site name. |
dps_mss_ipv4 | String | | auto | | PREVIEW: This key is currently not supported<br>IPv4 MSS value configured under “router path-selection” on WAN Devices. |
wan_role | String | | | Valid Values:<br>- client<br>- server | PREVIEW: This key is currently not supported<br>Override the default WAN role. This is used both for AutoVPN and Pathfinder designs. That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. Only supported if `overlay_routing_protocol` is set to `ibgp`. |
cv_pathfinder_role | String | | | Valid Values:<br>- edge<br>- transit region<br>- pathfinder | PREVIEW: This key is currently not supported<br>Override the default CV Pathfinder role. This key is used for Pathfinder designs only when the `wan_mode` root key is set to `cv_pathfinder`. `pathfinder` is only valid if `wan_role` is `server`. `edge` and `transit region` are only valid if `wan_role` is `client`. |
cv_pathfinder_region | String | | | | PREVIEW: This key is currently not supported<br>The CV Pathfinder region name. |
cv_pathfinder_site | String | | | | PREVIEW: This key is currently not supported<br>The CV Pathfinder site name. |
dps_mss_ipv4 | String | | auto | | PREVIEW: This key is currently not supported<br>IPv4 MSS value configured under “router path-selection” on WAN Devices. |
nodes | List, items: Dictionary | | | | Define variables per node. |
- name | String | Required, Unique | | | The Node Name is used as “hostname”. |
wan_role | String | | | Valid Values:<br>- client<br>- server | PREVIEW: This key is currently not supported<br>Override the default WAN role. This is used both for AutoVPN and Pathfinder designs. That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`. `server` indicates that the router is a route-reflector. Only supported if `overlay_routing_protocol` is set to `ibgp`. |
cv_pathfinder_role | String | | | Valid Values:<br>- edge<br>- transit region<br>- pathfinder | PREVIEW: This key is currently not supported<br>Override the default CV Pathfinder role. This key is used for Pathfinder designs only when the `wan_mode` root key is set to `cv_pathfinder`. `pathfinder` is only valid if `wan_role` is `server`. `edge` and `transit region` are only valid if `wan_role` is `client`. |
cv_pathfinder_region | String | | | | PREVIEW: This key is currently not supported<br>The CV Pathfinder region name. |
cv_pathfinder_site | String | | | | PREVIEW: This key is currently not supported<br>The CV Pathfinder site name. |
dps_mss_ipv4 | String | | auto | | PREVIEW: This key is currently not supported<br>IPv4 MSS value configured under “router path-selection” on WAN Devices. |
<node_type_keys.key>:
  # Define variables for all nodes of this type.
  defaults:
    # PREVIEW: This key is currently not supported
    # Override the default WAN role.
    # This is used both for AutoVPN and Pathfinder designs.
    # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
    # `server` indicates that the router is a route-reflector.
    # Only supported if `overlay_routing_protocol` is set to `ibgp`.
    wan_role: <str; "client" | "server">
    # PREVIEW: This key is currently not supported
    # Override the default CV Pathfinder role.
    # This key is used for Pathfinder designs only when the `wan_mode` root
    # key is set to `cv-pathfinder`.
    # `pathfinder` is only valid if `wan_role` is `server`.
    # `edge` and `transit region` are only valid if `wan_role` is `client`.
    cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">
    # PREVIEW: This key is currently not supported
    # The CV Pathfinder region name.
    cv_pathfinder_region: <str>
    # PREVIEW: This key is currently not supported
    # The CV Pathfinder site name.
    cv_pathfinder_site: <str>
    # PREVIEW: This key is currently not supported
    # IPv4 MSS value configured under "router path-selection" on WAN Devices.
    dps_mss_ipv4: <str; default="auto">
  # Define variables related to all nodes part of this group.
  node_groups:
    # The Node Group Name is used for MLAG domain unless set with 'mlag_domain_id'.
    # The Node Group Name is also used for peer description on downstream switches' uplinks.
    - group: <str; required; unique>
      # Define variables per node.
      nodes:
        # The Node Name is used as "hostname".
        - name: <str; required; unique>
          # PREVIEW: This key is currently not supported
          # Override the default WAN role.
          # This is used both for AutoVPN and Pathfinder designs.
          # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
          # `server` indicates that the router is a route-reflector.
          # Only supported if `overlay_routing_protocol` is set to `ibgp`.
          wan_role: <str; "client" | "server">
          # PREVIEW: This key is currently not supported
          # Override the default CV Pathfinder role.
          # This key is used for Pathfinder designs only when the `wan_mode` root
          # key is set to `cv-pathfinder`.
          # `pathfinder` is only valid if `wan_role` is `server`.
          # `edge` and `transit region` are only valid if `wan_role` is `client`.
          cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">
          # PREVIEW: This key is currently not supported
          # The CV Pathfinder region name.
          cv_pathfinder_region: <str>
          # PREVIEW: This key is currently not supported
          # The CV Pathfinder site name.
          cv_pathfinder_site: <str>
          # PREVIEW: This key is currently not supported
          # IPv4 MSS value configured under "router path-selection" on WAN Devices.
          dps_mss_ipv4: <str; default="auto">
      # PREVIEW: This key is currently not supported
      # Override the default WAN role.
      # This is used both for AutoVPN and Pathfinder designs.
      # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
      # `server` indicates that the router is a route-reflector.
      # Only supported if `overlay_routing_protocol` is set to `ibgp`.
      wan_role: <str; "client" | "server">
      # PREVIEW: This key is currently not supported
      # Override the default CV Pathfinder role.
      # This key is used for Pathfinder designs only when the `wan_mode` root
      # key is set to `cv-pathfinder`.
      # `pathfinder` is only valid if `wan_role` is `server`.
      # `edge` and `transit region` are only valid if `wan_role` is `client`.
      cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">
      # PREVIEW: This key is currently not supported
      # The CV Pathfinder region name.
      cv_pathfinder_region: <str>
      # PREVIEW: This key is currently not supported
      # The CV Pathfinder site name.
      cv_pathfinder_site: <str>
      # PREVIEW: This key is currently not supported
      # IPv4 MSS value configured under "router path-selection" on WAN Devices.
      dps_mss_ipv4: <str; default="auto">
  # Define variables per node.
  nodes:
    # The Node Name is used as "hostname".
    - name: <str; required; unique>
      # PREVIEW: This key is currently not supported
      # Override the default WAN role.
      # This is used both for AutoVPN and Pathfinder designs.
      # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
      # `server` indicates that the router is a route-reflector.
      # Only supported if `overlay_routing_protocol` is set to `ibgp`.
      wan_role: <str; "client" | "server">
      # PREVIEW: This key is currently not supported
      # Override the default CV Pathfinder role.
      # This key is used for Pathfinder designs only when the `wan_mode` root
      # key is set to `cv-pathfinder`.
      # `pathfinder` is only valid if `wan_role` is `server`.
      # `edge` and `transit region` are only valid if `wan_role` is `client`.
      cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">
      # PREVIEW: This key is currently not supported
      # The CV Pathfinder region name.
      cv_pathfinder_region: <str>
      # PREVIEW: This key is currently not supported
      # The CV Pathfinder site name.
      cv_pathfinder_site: <str>
      # PREVIEW: This key is currently not supported
      # IPv4 MSS value configured under "router path-selection" on WAN Devices.
      dps_mss_ipv4: <str; default="auto">
New node type keys
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
node_type_keys | List, items: Dictionary | | | | Define Node Type Keys, to specify the properties of each node type in the fabric. This allows for complete customization of the fabric layout and functionality. node_type_keys should be defined in top level group_var for the fabric. The default values will be overridden if defining this key, so it is recommended to copy the defaults and modify them. |
- key | String | Required, Unique | | | |
default_wan_role | String | | | Valid Values: - client - server | PREVIEW: This key is currently not supported. Set the default WAN role. This is used both for AutoVPN and Pathfinder designs, that is, when the wan_mode root key is set to autovpn or cv-pathfinder. The value server indicates that the router is a route-reflector. Only supported if overlay_routing_protocol is set to ibgp. |
default_cv_pathfinder_role | String | | | Valid Values: - edge - transit region - pathfinder | PREVIEW: This key is currently not supported. Set the default CV Pathfinder role. This key is used for Pathfinder designs only when the wan_mode root key is set to cv-pathfinder. The value pathfinder is only valid if wan_role is server. The values edge and transit are only valid if wan_role is client. |
# Define Node Type Keys, to specify the properties of each node type in the fabric.
# This allows for complete customization of the fabric layout and functionality.
# `node_type_keys` should be defined in top level group_var for the fabric.
# The default values will be overridden if defining this key, so it is recommended to copy the defaults and modify them.
node_type_keys:
  - key: <str; required; unique>
    # PREVIEW: This key is currently not supported
    # Set the default WAN role.
    # This is used both for AutoVPN and Pathfinder designs.
    # That means if `wan_mode` root key is set to `autovpn` or `cv-pathfinder`.
    # `server` indicates that the router is a route-reflector.
    # Only supported if `overlay_routing_protocol` is set to `ibgp`.
    default_wan_role: <str; "client" | "server">
    # PREVIEW: This key is currently not supported
    # Set the default CV Pathfinder role.
    # This key is used for Pathfinder designs only when the `wan_mode` root
    # key is set to `cv-pathfinder`.
    # `pathfinder` is only valid if `wan_role` is `server`.
    # `edge` and `transit` are only valid if `wan_role` is `client`.
    default_cv_pathfinder_role: <str; "edge" | "transit region" | "pathfinder">
CloudVision Tags
arista.avd.eos_designs will generate CloudVision Tags that assist CloudVision with visualizing the WAN.
Device Tags
Tag Name | Source of information |
---|---|
Region | cv_pathfinder_region if cv_pathfinder_role is set but not pathfinder |
Zone | DEFAULT-ZONE if cv_pathfinder_role is set but not pathfinder |
Site | cv_pathfinder_site if cv_pathfinder_role is set but not pathfinder |
PathfinderSet | name of node_group or default PATHFINDERS if cv_pathfinder_role is pathfinder |
Role | cv_pathfinder_role if set |
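One way to check the role rules above and the tag sources in the Device Tags table before a run, as an added example (not AVD code). It assumes each node is a WAN node given as a flat dict of already-resolved settings; the function names and the `node_group` key are hypothetical.

```python
# Added example (not AVD code): check WAN role settings and derive device tags.
# Assumption: each node is a flat dict of already-resolved settings for a WAN
# node; "node_group" is a hypothetical key holding the node group name, if any.
CV_ROLES_FOR = {"server": {"pathfinder"}, "client": {"edge", "transit region"}}


def validate_wan_node(node):
    """Return the list of rule violations for one node (empty when consistent)."""
    errors = []
    wan_role, cv_role = node.get("wan_role"), node.get("cv_pathfinder_role")
    if wan_role not in CV_ROLES_FOR:
        return [f"wan_role must be client or server, got {wan_role!r}"]
    if node.get("overlay_routing_protocol") != "ibgp":
        errors.append("wan_role is only supported with overlay_routing_protocol ibgp")
    # cv_pathfinder_role is only used when wan_mode is cv-pathfinder.
    if node.get("wan_mode") == "cv-pathfinder" and cv_role is not None:
        if cv_role not in CV_ROLES_FOR[wan_role]:
            errors.append(
                f"cv_pathfinder_role {cv_role!r} is not valid with wan_role {wan_role!r}"
            )
    return errors


def derive_device_tags(node):
    """Apply the Device Tags table: which tags a node gets and from which key."""
    role = node.get("cv_pathfinder_role")
    if role is None:
        return {}
    tags = {"Role": role}
    if role == "pathfinder":
        tags["PathfinderSet"] = node.get("node_group") or "PATHFINDERS"
    else:
        tags["Region"] = node.get("cv_pathfinder_region")
        tags["Zone"] = "DEFAULT-ZONE"
        tags["Site"] = node.get("cv_pathfinder_site")
    return tags


def check_inventory(nodes):
    """Map hostname -> (errors, device tags) for every node."""
    return {n["name"]: (validate_wan_node(n), derive_device_tags(n)) for n in nodes}


# Constructed sample nodes, for illustration only.
_BASE = {"wan_mode": "cv-pathfinder", "overlay_routing_protocol": "ibgp"}
SAMPLE_NODES = [
    {**_BASE, "name": "pf1", "wan_role": "server", "cv_pathfinder_role": "pathfinder"},
    {**_BASE, "name": "edge1", "wan_role": "client", "cv_pathfinder_role": "edge",
     "cv_pathfinder_region": "REGION1", "cv_pathfinder_site": "SITE1"},
    {**_BASE, "name": "bad1", "overlay_routing_protocol": "ebgp", "wan_role": "client",
     "cv_pathfinder_role": "pathfinder", "node_group": "PF_GROUP"},
]
```

A node that declares `server` or `pathfinder` by mistake is worth catching before configuration is generated, since those roles are the ones other WAN devices peer with.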
Interface Tags
Hint Tag Name | Source of information |
---|---|
Type | lan or wan if cv_pathfinder_role is set |
Carrier | wan_carrier if cv_pathfinder_role is set and this is a WAN interface |
Circuit | wan_circuit_id if cv_pathfinder_role is set and this is a LAN interface |
Getting started with WAN
Global settings
TODO - cover here WAN hierarchy, wan mode, route-servers, path-groups and carriers and how they are linked together.
WAN interfaces
TODO
Defining policies
TODO