Support for IPv4/v6 in SVIs and the SVIs are running at underlay and talk to the other service nodes, e.g. Firewalls

[forcecity]

Enhancement summary

It would be great that we could configure the IPv4/v6 services in SVIs, but at underlay network (vrf default, but not through evpn vxlan tunnel).
VLANs/SVIs at underlay network (vrf default but without rd/rt, evpn related stuffs)
BGP neighbors at underlay. Could establish the peers with other network nodes.

Which component of AVD is impacted

eos_designs

Use case example

Some of our switches are managed or accessed from underlay networks (via loopback 0) and the mgmt system could be in different VRFs, the FW will control the access acrossing the different VRFs, so an underlay SVIs for the FWs are needed to dump the traffic of the switches' management at the underlay.
For now, I use the "structured_config" in nodes settings:

l3leaf:
  defaults:
    uplink_switches: <omit>
    uplink_interfaces: <omit>
    ... ...
  node_groups:
    - group: leaf-pair
      filter:
        tags:
          - < omit.. >
      bgp_as: xxxxxx
      structured_config:
        router_bgp:
          neighbors:
            - ip_address: xx.xxx.xxx.10
              peer_group: FWs-PEER-GP   # it is defined in Network_services
              description: fw_bgp_underlay
      nodes:
        - name: leaf-a
          id: 1
          uplink_switch_interfaces:
            - Ethernet1
            - Ethernet2
            - Ethernet3
            - Ethernet4
          structured_config:
            vlans:
              - id: 10
                name: fw_bgp_underlay
            vlan_interfaces:
              - name: Vlan10
                shutdown: false
                description: fw_bgp_underlay
                ip_address: xx.xxx.xxx.11/28
                arp_gratuitous_accept: true
                mtu: 9100
        - name: leaf-b
          id: 2
          uplink_switch_interfaces:
            - Ethernet1
            - Ethernet2
            - Ethernet3
            - Ethernet4
          structured_config:
            vlans:
              - id: 10
                name: fw_bgp_underlay
            vlan_interfaces:
              - name: Vlan10
                shutdown: false
                description: fw_bgp_underlay
                ip_address: xx.xxx.xxx.12/28
                arp_gratuitous_accept: true
                mtu: 9100

Describe the solution you would like

At the network service section, would it be possible to create a "Network services SVIs configuration without VRF", similar to other SVIs in VRFs but located the global instance.

Describe alternatives you have considered

Or probably a new section dedicated to the underlay services configs (like, the services for l3_edge) which could include the services of SVIs or l3_interfaces or subinterfaces, etc... These services are all related to the network which will go through the vxlan fabric, and will provide the network services at underlay (or so to say pure l3 networks).

Additional context

No response

Contributing Guide

• I agree to follow this project's Code of Conduct

[ClausHolbechArista]

We have improved a lot in AVD 5.0 (pending release hopefully this Friday) for services in VRF default. This means you can define your SVIs, BGP peers etc under network services for the default VRF. If you don't want it to be EVPN enabled, you can set address_families: [] under the VRF (this trick should work already in 4.x).

Please give it a try and let me know what you are missing.

[forcecity]

Hello Claus,

Thank you for you reply.

Yes, i just tried your workaround to set address_families: []. The SVIs were created succesfully as what we want and no evpn stuff or ip-prefix stuffs now.

but I didn't find a way to configure the bgp peers (peer groups) for the neighbors in the underlay.. The bgp_peers: or bgp.structured_config: are not rendered when they are located in VRF default. Would you mind to also give me a hint how I can configure this part in network_services or it is not possible now?

Now I still put this part into Node type settings:

  node_groups:
    - group: leaf-pair
      filter:
        tags:
          - < omit.. >
      bgp_as: xxxxxx
      structured_config:
        router_bgp:
          neighbors:
            - ip_address: xx.xxx.xxx.10
              peer_group: FWs-PEER-GP   # it is defined in Network_services
              description: fw_bgp_underlay

[ClausHolbechArista]

This will work much better in AVD 5.0, but for 4.x we have a temporary "nerd-knob" you an try: new_network_services_bgp_vrf_config: true.

[forcecity]

Hi Claus,
I think when i change this knob, the vrf default will be generated in bgp configs, but not as we expected, it treated default as a new vrf instead of putting neighbor configs directly globally (like IPv4-Underlay-peers).

router bgp xxxxxxxxxx
   vrf default
      update wait-install
      neighbor xx.xxx.xxx.10 peer group FWs-PEER-GP
      neighbor xx.xxx.xxx.10 description fw_bgp_underlay
      !
      address-family ipv4
         neighbor xx.xxx.xxx.10 activate

So I think I will leave this point here and when 5.0 is released, i will test it again. Thank you for your answer.