Fix(eos_designs): WAN Exclude interface IP address from direct intern…

…et-exit NAT ACL (#4096) Co-authored-by: Guillaume Mulocher <[email protected]> Co-authored-by: Claus Holbech <[email protected]>
aristanetworks · Jul 2, 2024 · 972cb49 · 972cb49
1 parent 8acc27a
commit 972cb49
Show file tree

Hide file tree

Showing 12 changed files with 297 additions and 127 deletions.
diff --git a/...ctions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg b/...ctions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg
@@ -15,11 +15,11 @@ flow tracking hardware
 service routing protocols model multi-agent
 !
 !
-ip nat profile IE-DIRECT-NAT
-   ip nat source dynamic access-list ALLOW-ALL overload
+ip nat profile NAT-IE-DIRECT
+   ip nat source dynamic access-list ACL-NAT-IE-DIRECT overload
 !
-ip nat profile IE-ZSCALER-NAT
-   ip nat source dynamic access-list ALLOW-ALL pool PORT-ONLY-POOL
+ip nat profile NAT-IE-ZSCALER
+   ip nat source dynamic access-list ACL-NAT-IE-ZSCALER pool PORT-ONLY-POOL
 !
 hostname cv-pathfinder-edge
 !
@@ -313,14 +313,14 @@ interface Ethernet2
    no shutdown
    no switchport
    ip address 172.15.5.5/31
-   ip nat service-profile IE-DIRECT-NAT
+   ip nat service-profile NAT-IE-DIRECT
 !
 interface Ethernet2/1
    description Colt_10555
    no shutdown
    no switchport
    ip address 172.15.5.6/31
-   ip nat service-profile IE-DIRECT-NAT
+   ip nat service-profile NAT-IE-DIRECT
 !
 interface Ethernet3
    description Comcast-5G_AF830
@@ -368,7 +368,7 @@ interface Tunnel100
    description Internet Exit ZSCALER-EXIT-POLICY-1 PRI
    mtu 1394
    ip address unnumbered Loopback0
-   ip nat service-profile IE-ZSCALER-NAT
+   ip nat service-profile NAT-IE-ZSCALER
    tunnel mode ipsec
    tunnel source interface Ethernet3
    tunnel destination 10.37.121.1
@@ -378,7 +378,7 @@ interface Tunnel101
    description Internet Exit ZSCALER-EXIT-POLICY-1 SEC
    mtu 1394
    ip address unnumbered Loopback0
-   ip nat service-profile IE-ZSCALER-NAT
+   ip nat service-profile NAT-IE-ZSCALER
    tunnel mode ipsec
    tunnel source interface Ethernet3
    tunnel destination 10.39.77.1
@@ -388,7 +388,7 @@ interface Tunnel102
    description Internet Exit ZSCALER-EXIT-POLICY-1 TER
    mtu 1394
    ip address unnumbered Loopback0
-   ip nat service-profile IE-ZSCALER-NAT
+   ip nat service-profile NAT-IE-ZSCALER
    tunnel mode ipsec
    tunnel source interface Ethernet3
    tunnel destination 10.50.9.1
@@ -489,7 +489,12 @@ monitor connectivity
       ip 10.50.9.1
       url http://gateway.zscalerbeta.net/vpntest
 !
-ip access-list ALLOW-ALL
+ip access-list ACL-NAT-IE-DIRECT
+   10 deny ip host 172.15.5.5 any
+   20 deny ip host 172.15.5.6 any
+   30 permit ip any any
+!
+ip access-list ACL-NAT-IE-ZSCALER
    10 permit ip any any
 !
 ip routing

diff --git a/...tions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge1.cfg b/...tions/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge1.cfg
@@ -15,11 +15,11 @@ flow tracking hardware
 service routing protocols model multi-agent
 !
 !
-ip nat profile IE-DIRECT-NAT
-   ip nat source dynamic access-list ALLOW-ALL overload
+ip nat profile NAT-IE-DIRECT
+   ip nat source dynamic access-list ACL-NAT-IE-DIRECT overload
 !
-ip nat profile IE-ZSCALER-NAT
-   ip nat source dynamic access-list ALLOW-ALL pool PORT-ONLY-POOL
+ip nat profile NAT-IE-ZSCALER
+   ip nat source dynamic access-list ACL-NAT-IE-ZSCALER pool PORT-ONLY-POOL
 !
 hostname cv-pathfinder-edge1
 !
@@ -342,7 +342,7 @@ interface Ethernet3
    no switchport
    ip address dhcp
    dhcp client accept default-route
-   ip nat service-profile IE-DIRECT-NAT
+   ip nat service-profile NAT-IE-DIRECT
 !
 interface Ethernet52
    description P2P_LINK_TO_SITE-HA-DISABLED-LEAF_Ethernet2
@@ -384,7 +384,7 @@ interface Tunnel100
    description Internet Exit ZSCALER-EXIT-POLICY-1 PRI
    mtu 1394
    ip address unnumbered Loopback0
-   ip nat service-profile IE-ZSCALER-NAT
+   ip nat service-profile NAT-IE-ZSCALER
    tunnel mode ipsec
    tunnel source interface Ethernet3
    tunnel destination 10.37.121.1
@@ -394,7 +394,7 @@ interface Tunnel101
    description Internet Exit ZSCALER-EXIT-POLICY-1 SEC
    mtu 1394
    ip address unnumbered Loopback0
-   ip nat service-profile IE-ZSCALER-NAT
+   ip nat service-profile NAT-IE-ZSCALER
    tunnel mode ipsec
    tunnel source interface Ethernet3
    tunnel destination 10.39.77.1
@@ -404,7 +404,7 @@ interface Tunnel102
    description Internet Exit ZSCALER-EXIT-POLICY-1 TER
    mtu 1394
    ip address unnumbered Loopback0
-   ip nat service-profile IE-ZSCALER-NAT
+   ip nat service-profile NAT-IE-ZSCALER
    tunnel mode ipsec
    tunnel source interface Ethernet3
    tunnel destination 10.50.9.1
@@ -414,7 +414,7 @@ interface Tunnel110
    description Internet Exit ZSCALER-EXIT-POLICY-2 PRI
    mtu 1394
    ip address unnumbered Loopback0
-   ip nat service-profile IE-ZSCALER-NAT
+   ip nat service-profile NAT-IE-ZSCALER
    tunnel mode ipsec
    tunnel source interface Ethernet3
    tunnel destination 10.37.121.1
@@ -424,7 +424,7 @@ interface Tunnel111
    description Internet Exit ZSCALER-EXIT-POLICY-2 SEC
    mtu 1394
    ip address unnumbered Loopback0
-   ip nat service-profile IE-ZSCALER-NAT
+   ip nat service-profile NAT-IE-ZSCALER
    tunnel mode ipsec
    tunnel source interface Ethernet3
    tunnel destination 10.39.77.1
@@ -434,7 +434,7 @@ interface Tunnel112
    description Internet Exit ZSCALER-EXIT-POLICY-2 TER
    mtu 1394
    ip address unnumbered Loopback0
-   ip nat service-profile IE-ZSCALER-NAT
+   ip nat service-profile NAT-IE-ZSCALER
    tunnel mode ipsec
    tunnel source interface Ethernet3
    tunnel destination 10.50.9.1
@@ -554,8 +554,13 @@ ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet1_49.3
    15 deny ip any host 172.24.49.3
    permit ip host 172.24.49.2 host 172.24.49.3
 !
-ip access-list ALLOW-ALL
-   10 permit ip any any
+ip access-list ACL-NAT-IE-DIRECT
+   10 deny ip any 5.0.0.0/24
+   20 permit ip any any
+!
+ip access-list ACL-NAT-IE-ZSCALER
+   10 permit ip any 10.0.0.0/24
+   20 deny ip any any
 !
 ip routing
 ip routing vrf ATTRACTED-VRF-FROM-UPLINK

diff --git a/...s/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1A.cfg b/...s/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit1A.cfg
@@ -17,8 +17,8 @@ service routing protocols model multi-agent
 ip as-path access-list ASPATH-WAN permit 65000 any
 !
 !
-ip nat profile IE-DIRECT-NAT
-   ip nat source dynamic access-list ALLOW-ALL overload
+ip nat profile NAT-IE-DIRECT
+   ip nat source dynamic access-list ACL-NAT-IE-DIRECT overload
 !
 hostname cv-pathfinder-transit1A
 !
@@ -310,7 +310,7 @@ interface Ethernet2.42
    no shutdown
    encapsulation dot1q vlan 666
    ip address 172.16.6.6/31
-   ip nat service-profile IE-DIRECT-NAT
+   ip nat service-profile NAT-IE-DIRECT
 !
 interface Ethernet52
    description P2P_LINK_TO_SITE-HA-ENABLED-LEAF1_Ethernet1
@@ -413,8 +413,9 @@ monitor connectivity
       local-interfaces SET-Ethernet2.42
       ip 123.12.3.4
 !
-ip access-list ALLOW-ALL
-   10 permit ip any any
+ip access-list ACL-NAT-IE-DIRECT
+   10 deny ip host 172.16.6.6 any
+   20 permit ip any any
 !
 ip routing
 ip routing vrf ATTRACTED-VRF-FROM-UPLINK

diff --git a/...ta/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml b/...ta/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml
@@ -229,15 +229,15 @@ ethernet_interfaces:
   type: routed
   description: Colt_10555
   ip_nat:
-    service_profile: IE-DIRECT-NAT
+    service_profile: NAT-IE-DIRECT
 - name: Ethernet2/1
   peer_type: l3_interface
   ip_address: 172.15.5.6/31
   shutdown: false
   type: routed
   description: Colt_10555
   ip_nat:
-    service_profile: IE-DIRECT-NAT
+    service_profile: NAT-IE-DIRECT
 - name: Ethernet3
   peer_type: l3_interface
   ip_address: 172.20.20.20/31
@@ -653,7 +653,24 @@ application_traffic_recognition:
       prefix_values:
       - 192.168.144.1/32
 ip_access_lists:
-- name: ALLOW-ALL
+- name: ACL-NAT-IE-DIRECT
+  entries:
+  - sequence: 10
+    action: deny
+    protocol: ip
+    source: 172.15.5.5
+    destination: any
+  - sequence: 20
+    action: deny
+    protocol: ip
+    source: 172.15.5.6
+    destination: any
+  - sequence: 30
+    action: permit
+    protocol: ip
+    source: any
+    destination: any
+- name: ACL-NAT-IE-ZSCALER
   entries:
   - sequence: 10
     action: permit
@@ -662,15 +679,15 @@ ip_access_lists:
     destination: any
 ip_nat:
   profiles:
-  - name: IE-DIRECT-NAT
+  - name: NAT-IE-DIRECT
     source:
       dynamic:
-      - access_list: ALLOW-ALL
+      - access_list: ACL-NAT-IE-DIRECT
         nat_type: overload
-  - name: IE-ZSCALER-NAT
+  - name: NAT-IE-ZSCALER
     source:
       dynamic:
-      - access_list: ALLOW-ALL
+      - access_list: ACL-NAT-IE-ZSCALER
         pool_name: PORT-ONLY-POOL
         nat_type: pool
   pools:
@@ -760,7 +777,7 @@ tunnel_interfaces:
   source_interface: Ethernet3
   destination: 10.37.121.1
   ipsec_profile: IE-ZSCALER-EXIT-POLICY-1-PROFILE
-  nat_profile: IE-ZSCALER-NAT
+  nat_profile: NAT-IE-ZSCALER
 - name: Tunnel101
   description: Internet Exit ZSCALER-EXIT-POLICY-1 SEC
   mtu: 1394
@@ -769,7 +786,7 @@ tunnel_interfaces:
   source_interface: Ethernet3
   destination: 10.39.77.1
   ipsec_profile: IE-ZSCALER-EXIT-POLICY-1-PROFILE
-  nat_profile: IE-ZSCALER-NAT
+  nat_profile: NAT-IE-ZSCALER
 - name: Tunnel102
   description: Internet Exit ZSCALER-EXIT-POLICY-1 TER
   mtu: 1394
@@ -778,7 +795,7 @@ tunnel_interfaces:
   source_interface: Ethernet3
   destination: 10.50.9.1
   ipsec_profile: IE-ZSCALER-EXIT-POLICY-1-PROFILE
-  nat_profile: IE-ZSCALER-NAT
+  nat_profile: NAT-IE-ZSCALER
 monitor_connectivity:
   interface_sets:
   - name: SET-Ethernet2