
CI(eos_cli_config_gen): Restructured the molecule host vars foracl, standard-acl, ip-nat, and ipv4/ipv6 access-list #4659

Open. Wants to merge 13 commits into base: devel.
Conversation

@MaheshGSLAB (Contributor) commented Oct 28, 2024

Change Summary

Restructured the molecule host vars for acl, standard-acl, ip-nat, and ipv4/ipv6 access-list.

Related Issue(s)

Fixes https://github.com/aristanetworks/avd-internal/issues/171

Component(s) name

arista.avd.eos_cli_config_gen

Proposed changes

Restructured the molecule host vars for acl, standard-acl, ip-nat, and ipv4/ipv6 access-list, moving them into the host1 and host2 folders.

How to test

Run the eos_cli_config_gen molecule scenario, then run the tox command to generate the coverage report.

molecule converge -s eos_cli_config_gen
tox -e coverage,report

Module                                        Coverage %  Comment
eos/ip-nat-part2.j2                           98          3 partial
eos/ip-nat-part1.j2                           100         -
documentation/ip-nat.j2                       96          8 partial
eos/access-lists.j2                           98          1 partial
documentation/access-lists.j2                 97          1 partial
eos/ip-access-lists.j2                        98          4 missing and 1 partial
documentation/ip-access-lists.j2              100         -
eos/ipv6-access-lists.j2                      98          1 partial
documentation/ipv6-access-lists.j2            100         -
eos/standard-access-lists.j2                  98          1 partial
documentation/standard-access-lists.j2        100         -
eos/ipv6-standard-access-lists.j2             98          1 partial
documentation/ipv6-standard-access-lists.j2   100         -

Checklist

User Checklist

  • N/A

Repository Checklist

  • My code has been rebased from devel before I start
  • I have read the CONTRIBUTING document.
  • My change requires a change to the documentation, and the documentation has been updated accordingly.
  • I have updated molecule CI testing accordingly. (check the box if not applicable)

@MaheshGSLAB MaheshGSLAB self-assigned this Oct 28, 2024

Review docs on Read the Docs

To test this pull request:

# Create virtual environment for this testing below the current directory
python -m venv test-avd-pr-4659
# Activate the virtual environment
source test-avd-pr-4659/bin/activate
# Install all requirements including PyAVD
pip install "pyavd[ansible] @ git+https://github.com/MaheshGSLAB/ansible-avd.git@cli-restructure-part2#subdirectory=python-avd" --force
# Point Ansible collections path to the Python virtual environment
export ANSIBLE_COLLECTIONS_PATH=$VIRTUAL_ENV/ansible_collections
# Install Ansible collection
ansible-galaxy collection install git+https://github.com/MaheshGSLAB/ansible-avd.git#/ansible_collections/arista/avd/,cli-restructure-part2 --force
# Optional: Install AVD examples
cd test-avd-pr-4659
ansible-playbook arista.avd.install_examples

@github-actions github-actions bot added the state: CI Updated CI scenario have been updated in the PR label Oct 28, 2024
@@ -53,19 +53,119 @@ interface Management1
vrf MGMT
Contributor Author (MaheshGSLAB):

The commands below are not supported on EOS:

ip nat source ingress static 3.0.0.8 4.0.0.8
ip nat destination egress static 239.0.0.1 239.0.0.2
permit response traffic nat
permit ip any any nexthop-group NH_TEST

Contributor:

permit response traffic nat
This is supported on newer versions, at least on CloudEOS; please make sure to use the latest versions and to check across different platforms.

ip access-list BL
   permit response traffic nat

permit ip any any nexthop-group NH_TEST

Not supported on CloudEOS, but still supported in the CLI on my version:

site2-wan1(config-acl-BL)#permit ip any any n
  nexthop-group  not supported on this hardware platform

Contributor Author (MaheshGSLAB):

With respect to CVP change control, I see the errors below on 4.32.2F-38195967.4322F (engineering build):

41 Configuration Errors
AVD_s1-leaf1, line: 0 - > ip nat translation address selection any % Unavailable command (not supported on this hardware platform) (at token 5: 'any')
AVD_s1-leaf1, line: 0 - > ip nat profile NAT-PROFILE-NO-VRF-1 % Unavailable command (not supported on this hardware platform) (at token 2: 'profile')
AVD_s1-leaf1, line: 0 - > ip nat profile NAT-PROFILE-NO-VRF-2 % Unavailable command (not supported on this hardware platform) (at token 2: 'profile')
AVD_s1-leaf1, line: 0 - >    ip nat destination static 1.0.0.1 2.0.0.1 % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat destination static 1.0.0.2 22 2.0.0.2 % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat destination static 1.0.0.2 23 2.0.0.3 23 % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat destination static 1.0.0.4 22 2.0.0.4 23 protocol udp % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat destination static 1.0.0.7 access-list ACL21 2.0.0.7 % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat source static 3.0.0.1 4.0.0.1 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source static 3.0.0.2 22 4.0.0.2 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source static 3.0.0.3 22 4.0.0.3 23 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source static 3.0.0.4 22 4.0.0.4 23 protocol udp % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source static 3.0.0.7 access-list ACL21 4.0.0.7 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source ingress static 3.0.0.8 4.0.0.8 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat destination egress static 239.0.0.1 239.0.0.2 % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat source static 3.0.0.5 22 4.0.0.5 23 protocol tcp group 1 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat destination static 1.0.0.5 22 2.0.0.5 23 protocol tcp group 1 % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat source static 3.0.0.6 22 4.0.0.6 23 protocol tcp group 2 comment Comment Test % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat destination static 1.0.0.6 22 2.0.0.6 23 protocol tcp group 2 comment Comment Test % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat destination dynamic access-list ACL1 pool POOL1 % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat source dynamic access-list ACL11 pool POOL11 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source dynamic access-list ACL12 pool POOL11 comment POOL11 shared with ACL11/12 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source dynamic access-list ACL13 pool POOL13 priority 10 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source dynamic access-list ACL14 pool POOL14 priority 1 comment Priority low end % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source dynamic access-list ACL15 pool POOL15 priority 4294967295 comment Priority high end % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source dynamic access-list ACL16 pool POOL16 comment Priority default % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source dynamic access-list ACL17 overload priority 10 comment Priority_10 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source dynamic access-list ACL18 pool POOL18 address-only priority 10 comment Priority_10 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat source dynamic access-list ACL19 pool POOL19 full-cone priority 10 comment Priority_10 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    ip nat destination dynamic access-list ACL2 pool POOL1 comment POOL1 shared with ACL1/2 % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat destination dynamic access-list ACL3 pool POOL3 priority 10 % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat destination dynamic access-list ACL4 pool POOL4 priority 1 comment Priority low end % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat destination dynamic access-list ACL5 pool POOL5 priority 4294967295 comment Priority high end % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat destination dynamic access-list ACL6 pool POOL6 comment Priority default % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - > ip nat profile NAT-PROFILE-TEST-VRF vrf TEST % Unavailable command (not supported on this hardware platform) (at token 2: 'profile')
AVD_s1-leaf1, line: 0 - >    permit response traffic nat % Unavailable command (not supported on this hardware platform) (at token 1: 'response')
AVD_s1-leaf1, line: 0 - >    permit response traffic nat % Unavailable command (not supported on this hardware platform) (at token 1: 'response')
AVD_s1-leaf1, line: 0 - >    permit response traffic nat % Unavailable command (not supported on this hardware platform) (at token 1: 'response')
AVD_s1-leaf1, line: 0 - > ip nat pool port_only_1 port-only % Unavailable command (not supported on this hardware platform) (at token 4: 'port-only')
AVD_s1-leaf1, line: 0 - > ip nat pool port_only_2 port-only % Unavailable command (not supported on this hardware platform) (at token 4: 'port-only')
AVD_s1-leaf1, line: 0 - >    port range 1024 65535 % Invalid input (at token 0: 'port')

Contributor:

The majority of these commands are supported on CloudEOS, AWE 5510 and AWE 5310 (there might be others as well).

Example (Arista AWE-5310-F | 4.33.0F):

cbl431(config-s-s7)#sh session-config diffs 
--- system:/running-config
+++ session:/s7-session-config
+ip nat translation address selection any
+!
+ip nat profile NAT-PROFILE-NO-VRF-1
+!
+ip nat profile NAT-PROFILE-NO-VRF-2
+   ip nat destination static 1.0.0.1 2.0.0.1
+   ip nat destination static 1.0.0.2 22 2.0.0.2
+   ip nat destination static 1.0.0.2 23 2.0.0.3 23
+   ip nat destination static 1.0.0.4 22 2.0.0.4 23 protocol udp
+   ip nat destination static 1.0.0.7 access-list ACL21 2.0.0.7
+   ip nat source static 3.0.0.1 4.0.0.1
+   ip nat source static 3.0.0.2 22 4.0.0.2
+   ip nat source static 3.0.0.3 22 4.0.0.3 23
+   ip nat source static 3.0.0.4 22 4.0.0.4 23 protocol udp
+   ip nat source static 3.0.0.7 access-list ACL21 4.0.0.7
+   ip nat source static 3.0.0.5 22 4.0.0.5 23 protocol tcp group 1
+   ip nat destination static 1.0.0.5 22 2.0.0.5 23 protocol tcp group 1
+   ip nat source static 3.0.0.6 22 4.0.0.6 23 protocol tcp group 2 comment Comment Test
+   ip nat destination static 1.0.0.6 22 2.0.0.6 23 protocol tcp group 2 comment Comment Test
+   ip nat destination dynamic access-list ACL1 pool POOL1
+   ip nat source dynamic access-list ACL11 pool POOL11
+   ip nat source dynamic access-list ACL12 pool POOL11 comment POOL11 shared with ACL11/12
+   ip nat source dynamic access-list ACL13 pool POOL13 priority 10
+   ip nat source dynamic access-list ACL14 pool POOL14 priority 1 comment Priority low end
+   ip nat source dynamic access-list ACL15 pool POOL15 priority 4294967295 comment Priority high end
+   ip nat source dynamic access-list ACL16 pool POOL16 comment Priority default
+   ip nat source dynamic access-list ACL17 overload priority 10 comment Priority_10
+   ip nat source dynamic access-list ACL18 pool POOL18 address-only priority 10 comment Priority_10
+   ip nat source dynamic access-list ACL19 pool POOL19 full-cone priority 10 comment Priority_10
+   ip nat destination dynamic access-list ACL2 pool POOL1 comment POOL1 shared with ACL1/2
+   ip nat destination dynamic access-list ACL3 pool POOL3 priority 10
+   ip nat destination dynamic access-list ACL4 pool POOL4 priority 1 comment Priority low end
+   ip nat destination dynamic access-list ACL5 pool POOL5 priority 4294967295 comment Priority high end
+   ip nat destination dynamic access-list ACL6 pool POOL6 comment Priority default
+!
+ip nat profile NAT-PROFILE-TEST-VRF vrf TEST
 !
+ip access-list ACL-02
+   counters per-entry
+   10 remark ACL to restrict access RFC1918 addresses
+   20 permit ip 10.0.0.0/8 any
+   30 permit ip 192.0.2.0/24 any
+   permit response traffic nat
+!
+ip access-list ACL-04
+   counters per-entry
+   20 deny ip 12.0.0.0/8 any
+   30 permit ip 194.0.2.0/24 any
+   permit response traffic nat
+!
+ip access-list ACL_SEQUENCE_AND_COUNTERS
+   counters per-entry
+   10 remark test acl with sequence numbers
+   20 permit ip 10.0.0.0/8 any
+   30 permit tcp host 192.168.122.22 any established
+   40 permit tcp any gt 1023 host 172.16.16.16 eq ssh
+   50 permit tcp any range 1000 1100 any range 10 ftp-data
+   4294967295 deny ip any any
+   permit response traffic nat
cbl431(config-s-s7)#

We should probably move this config (and its source vars) to a dedicated inventory host (so that we can test it against a proper HW+SW DUT), and maybe explicitly label the input vars file with info about the targeted HW+SW.

Contributor Author (@MaheshGSLAB) commented Nov 6, 2024:

@alexeygorbunov As you said, most of the commands work for me when I use FastCli and push the commands via the CLI, but I face issues via CVP, as it simply checks hardware compatibility.
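
The CVP change-control output quoted earlier in this thread is 41 near-identical lines, which hides how small the actual platform gap is. As an added example (not part of this PR or of the AVD project), the Python below parses that line format and groups the rejected commands by the keyword the EOS parser stopped at, so that the report collapses to a handful of unsupported features (`ip nat profile`, `ip nat source`, `permit response`, ...). The regex is my own assumption about the line layout shown above; the sample lines are a subset copied from that output.

```python
import re
from collections import Counter, defaultdict

# Sample input: a subset of the CVP change-control error lines quoted in this
# thread (same layout as the full 41-line output; constructed subset).
SAMPLE_ERRORS = """\
AVD_s1-leaf1, line: 0 - > ip nat translation address selection any % Unavailable command (not supported on this hardware platform) (at token 5: 'any')
AVD_s1-leaf1, line: 0 - > ip nat profile NAT-PROFILE-NO-VRF-1 % Unavailable command (not supported on this hardware platform) (at token 2: 'profile')
AVD_s1-leaf1, line: 0 - > ip nat profile NAT-PROFILE-NO-VRF-2 % Unavailable command (not supported on this hardware platform) (at token 2: 'profile')
AVD_s1-leaf1, line: 0 - >    ip nat destination static 1.0.0.1 2.0.0.1 % Unavailable command (not supported on this hardware platform) (at token 2: 'destination')
AVD_s1-leaf1, line: 0 - >    ip nat source static 3.0.0.1 4.0.0.1 % Unavailable command (not supported on this hardware platform) (at token 2: 'source')
AVD_s1-leaf1, line: 0 - >    permit response traffic nat % Unavailable command (not supported on this hardware platform) (at token 1: 'response')
AVD_s1-leaf1, line: 0 - > ip nat pool port_only_1 port-only % Unavailable command (not supported on this hardware platform) (at token 4: 'port-only')
AVD_s1-leaf1, line: 0 - >    port range 1024 65535 % Invalid input (at token 0: 'port')
"""

# Assumed line layout (my reading of the output above):
#   "<host>, line: <n> - > <command> % <reason> (at token <i>: '<word>')"
LINE_RE = re.compile(
    r"^(?P<host>[^,]+), line: (?P<line>\d+) - >\s*(?P<command>.*?) % "
    r"(?P<reason>.*?) \(at token (?P<token>\d+): '(?P<word>[^']*)'\)$"
)


def parse_errors(text):
    """Return one dict per parseable error line, with the rejected command prefix attached."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip unknown lines instead of failing the whole report
        rec = m.groupdict()
        rec["line"] = int(rec["line"])
        rec["token"] = int(rec["token"])
        words = rec["command"].split()
        # The token index points at the keyword the parser choked on; everything up
        # to and including it is the feature the platform lacks, e.g. "ip nat profile".
        rec["rejected_prefix"] = " ".join(words[: rec["token"] + 1])
        # Sanity check that the quoted word really sits at that token position.
        rec["token_matches"] = rec["token"] < len(words) and words[rec["token"]] == rec["word"]
        records.append(rec)
    return records


def summarize(records):
    """Group rejected prefixes under each reason: {reason: {prefix: count}}."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["reason"]][rec["rejected_prefix"]] += 1
    return {reason: dict(counter) for reason, counter in summary.items()}


def unsupported_features(records):
    """Sorted, de-duplicated rejected prefixes: the real size of the platform gap."""
    return sorted({rec["rejected_prefix"] for rec in records})


if __name__ == "__main__":
    recs = parse_errors(SAMPLE_ERRORS)
    print(f"{len(recs)} errors on {sorted({r['host'] for r in recs})}")
    for reason, counts in summarize(recs).items():
        print(reason)
        for prefix, n in sorted(counts.items()):
            print(f"  {n:3d}  {prefix}")
```

Feeding the full 41-line output through `parse_errors` gives the same few prefixes with larger counts, which is the list to compare against the target platform before the molecule host vars are split by HW+SW as suggested in this thread. Prefixes that include an instance name (the `ip nat pool port_only_1 port-only` case, where the parser stops after the pool name) stay separate by design, since the rejected keyword comes after the name.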

ip nat pool port_only_1 port-only
ip nat pool port_only_2 port-only
port range 10 15
Contributor Author (MaheshGSLAB):

Need to remove this range, as it impacts the port range in ip nat synchronization.


This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions github-actions bot removed the state: conflict PR with conflict label Oct 30, 2024
@MaheshGSLAB MaheshGSLAB marked this pull request as ready for review October 30, 2024 06:40
@MaheshGSLAB MaheshGSLAB requested review from a team as code owners October 30, 2024 06:40
Comment on lines 1 to 12
---
ip_access_lists:
  - name: ACL_SEQUENCE_AND_COUNTERS
    counters_per_entry: true
    entries:
      - sequence: 10
        remark: test acl with sequence numbers
      - sequence: 20
        action: permit
        protocol: ip
        source: 10.0.0.0/8
        destination: any
Contributor:

Do we need to test this ACL on host2? It seems to repeat the beginning of the same ACL on host1.

Contributor Author (MaheshGSLAB):

Removed this file

---
### IP NAT ###
ip_nat:
  kernel_buffer_size: 64
Contributor:

This setting is already covered by host1. Do we need it here?

Contributor Author (MaheshGSLAB):

removed

Comment on lines 5 to 17
pools:
  - name: prefix_32
    type: ip-port
    prefix_length: 32
    ranges:
      - first_port: 1024
        last_port: 65535
  - name: prefix_21
    prefix_length: 21
  - name: port-only2
    type: port-only
    ranges:
      - first_port: 10
Contributor:

Are there any issues (beside requirement to rename) preventing us from having these use cases under host1?

Also, the following block seems to repeat host1:

    - name: prefix_21
      prefix_length: 21

Contributor Author (MaheshGSLAB):

moved to host1

Comment on lines +106 to +107
- name: ACL_WITHOUT_ENTRIES
  counters_per_entry: false
Contributor:

(Not an issue of this PR. More a general issue/question)
This ACL is not getting into the rendered config due to the fact that ip_access_lists[].entries is treated in J2 as a mandatory field (although not set as required in schema).

{%     for acl in ip_access_lists | arista.avd.natural_sort('name') %}
{%         if not (acl.name is arista.avd.defined) or
              not (acl.entries is arista.avd.defined) %}
{#             break cycle if mandatory keys are not defined #}
{%             continue %}

This is not aligned with EOS behaviour: an ACL with no entries on EOS always has an implicit deny any any. Why do we not allow this in our J2?

avd-ci-leaf2(config-s-s3d)#ip access-list ACL_WITHOUT_ENTRIES
avd-ci-leaf2(config-s-s3d-acl-ACL_WITHOUT_ENTRIES)#exit
avd-ci-leaf2(config-s-s3d)#show session-config diffs 
--- system:/running-config
+++ session:/s3d-session-config
+ip access-list ACL_WITHOUT_ENTRIES
avd-ci-leaf2(config-s-s3d)#commit timer 00:05:00
avd-ci-leaf2#sh ip access-lists ACL_WITHOUT_ENTRIES
IP Access List ACL_WITHOUT_ENTRIES
        (implicit) deny ip any any

avd-ci-leaf2#sh run sec ACL_WITHOUT_ENTRIES
ip access-list ACL_WITHOUT_ENTRIES
avd-ci-leaf2#

Contributor Author (MaheshGSLAB):

So, for the first comment, where in J2 entries is treated as required but this is not mentioned in the schema: yes, there are some gaps, which we will note down and fix in future.
About the second point, where if we do not give any entries EOS renders the config as deny any any: that is the EOS default behaviour, which we generally avoid in AVD (cc @ClausHolbechArista). But yes, we should render the ACL name if the entries key is not defined, as you showed in the config above.

Contributor:

We had some users ask about this as well (ACL without entries). I thought we made it optional a while back.
Please focus on the molecule restructure in this PR and not general template issues (great that you catch them, but then create new issues).
Re EOS implicit/default stuff we don't render that.
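
The behaviour discussed in this review thread, with `entries` treated as mandatory so that an ACL without entries silently vanishes from the rendered config, as an added example that is not part of this PR or of the AVD project. The block is my own plain-Python stand-in for the template loop quoted above (`require_entries` is a hypothetical switch, `sorted` by name stands in for `arista.avd.natural_sort`, and the input vars are constructed after the host vars in this PR); it is not the project's Jinja template. The second function is the check a reviewer would want before a push: which ACL names the input declares that never reached the output.

```python
import re

# Constructed input vars, modelled on the ip_access_lists host vars in this PR.
IP_ACCESS_LISTS = [
    {
        "name": "ACL_SEQUENCE_AND_COUNTERS",
        "counters_per_entry": True,
        "entries": [
            {"sequence": 10, "remark": "test acl with sequence numbers"},
            {"sequence": 20, "action": "permit", "protocol": "ip",
             "source": "10.0.0.0/8", "destination": "any"},
        ],
    },
    {"name": "ACL_WITHOUT_ENTRIES", "counters_per_entry": False},
    {"counters_per_entry": True},  # no name at all: nothing sensible to render
]


def render_entry(entry):
    """Render one ACE; the sequence number is optional and remark lines have no action."""
    seq = f"{entry['sequence']} " if "sequence" in entry else ""
    if "remark" in entry:
        return f"   {seq}remark {entry['remark']}"
    return f"   {seq}{entry['action']} {entry['protocol']} {entry['source']} {entry['destination']}"


def render_ip_access_lists(acls, require_entries=True):
    """Plain-Python stand-in for the template loop (hypothetical, not the project's J2).

    require_entries=True reproduces the behaviour described in the thread: an ACL
    without an 'entries' key is skipped entirely. require_entries=False renders the
    'ip access-list <name>' header anyway, which is what EOS accepts.
    """
    lines = []
    for acl in sorted(acls, key=lambda a: a.get("name", "")):  # stand-in for natural_sort
        if "name" not in acl:
            continue  # a nameless ACL cannot be configured on the device
        if require_entries and "entries" not in acl:
            continue  # this is the silent drop the thread is about
        lines.append(f"ip access-list {acl['name']}")
        if acl.get("counters_per_entry"):
            lines.append("   counters per-entry")
        for entry in acl.get("entries", []):
            lines.append(render_entry(entry))
        lines.append("!")
    return "\n".join(lines)


def acls_missing_from_config(acls, rendered):
    """Names in the input vars that never appear as 'ip access-list <name>' in the output."""
    rendered_names = set(re.findall(r"^ip access-list (\S+)$", rendered, re.MULTILINE))
    return sorted(acl["name"] for acl in acls
                  if "name" in acl and acl["name"] not in rendered_names)


if __name__ == "__main__":
    strict = render_ip_access_lists(IP_ACCESS_LISTS)
    print(strict)
    print("dropped:", acls_missing_from_config(IP_ACCESS_LISTS, strict))
    print(render_ip_access_lists(IP_ACCESS_LISTS, require_entries=False))
```

With the strict setting the report lists `ACL_WITHOUT_ENTRIES` as dropped; with the relaxed one the header line is rendered on its own and the list is empty. Running the missing-name check over real rendered output is cheap and catches the case where an ACL exists in the vars but not on the device.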

github-actions bot commented Nov 6, 2024:

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions github-actions bot added the state: conflict PR with conflict label Nov 6, 2024
- name: NAT-PROFILE-TEST-VRF
vrf: TEST
vrf: TEST
Contributor:

missing newline at the end.

Contributor Author (MaheshGSLAB):

fixed

@github-actions github-actions bot removed the state: conflict PR with conflict label Nov 7, 2024
github-actions bot commented Nov 7, 2024:

Conflicts have been resolved. A maintainer will review the pull request shortly.

sonarcloud bot commented Nov 7, 2024

Labels: state: CI Updated CI scenario have been updated in the PR

5 participants