Feat(eos_designs): Inject default VRF policy with a match-all statement when missing

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg

@@ -29,8 +29,8 @@ router path-selection
    load-balance policy LB-CONTROL-PLANE-PROFILE
       path-group INET
    !
-   load-balance policy LB-DEFAULT-AVT-POLICY-IT
-      path-group INET priority 2
+   load-balance policy LB-DEFAULT-AVT-POLICY-DEFAULT
+      path-group INET
    !
    load-balance policy LB-PROD-AVT-POLICY-DEFAULT
       path-group INET
@@ -42,10 +42,10 @@ router path-selection
       path-group INET
    !
    policy DEFAULT-AVT-POLICY-WITH-CP
+      default-match
+         load-balance LB-DEFAULT-AVT-POLICY-DEFAULT
       10 application-profile CONTROL-PLANE-APPLICATION-PROFILE
          load-balance LB-CONTROL-PLANE-PROFILE
-      20 application-profile IT
-         load-balance LB-DEFAULT-AVT-POLICY-IT
    !
    policy PROD-AVT-POLICY
       default-match
@@ -121,8 +121,6 @@ application traffic recognition
    application-profile CONTROL-PLANE-APPLICATION-PROFILE
       application CONTROL-PLANE-APPLICATION
    !
-   application-profile IT
-   !
    application-profile VIDEO
    !
    application-profile VOICE

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg

@@ -28,9 +28,8 @@ router path-selection
    load-balance policy LB-CONTROL-PLANE-PROFILE
       path-group INET
    !
-   load-balance policy LB-DEFAULT-AVT-POLICY-IT
-      path-group MPLS
-      path-group INET priority 2
+   load-balance policy LB-DEFAULT-AVT-POLICY-DEFAULT
+      path-group INET
    !
    load-balance policy LB-PROD-AVT-POLICY-DEFAULT
       path-group INET
@@ -42,10 +41,10 @@ router path-selection
       path-group INET
    !
    policy DEFAULT-AVT-POLICY-WITH-CP
+      default-match
+         load-balance LB-DEFAULT-AVT-POLICY-DEFAULT
       10 application-profile CONTROL-PLANE-APPLICATION-PROFILE
          load-balance LB-CONTROL-PLANE-PROFILE
-      20 application-profile IT
-         load-balance LB-DEFAULT-AVT-POLICY-IT
    !
    policy PROD-AVT-POLICY
       default-match
@@ -114,8 +113,6 @@ application traffic recognition
    application-profile CONTROL-PLANE-APPLICATION-PROFILE
       application CONTROL-PLANE-APPLICATION
    !
-   application-profile IT
-   !
    application-profile VIDEO
    !
    application-profile VOICE

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg

@@ -28,9 +28,8 @@ router path-selection
    load-balance policy LB-CONTROL-PLANE-PROFILE
       path-group INET
    !
-   load-balance policy LB-DEFAULT-AVT-POLICY-IT
-      path-group MPLS
-      path-group INET priority 2
+   load-balance policy LB-DEFAULT-AVT-POLICY-DEFAULT
+      path-group INET
    !
    load-balance policy LB-PROD-AVT-POLICY-DEFAULT
       path-group INET
@@ -42,10 +41,10 @@ router path-selection
       path-group INET
    !
    policy DEFAULT-AVT-POLICY-WITH-CP
+      default-match
+         load-balance LB-DEFAULT-AVT-POLICY-DEFAULT
       10 application-profile CONTROL-PLANE-APPLICATION-PROFILE
          load-balance LB-CONTROL-PLANE-PROFILE
-      20 application-profile IT
-         load-balance LB-DEFAULT-AVT-POLICY-IT
    !
    policy PROD-AVT-POLICY
       default-match
@@ -113,8 +112,6 @@ application traffic recognition
    application-profile CONTROL-PLANE-APPLICATION-PROFILE
       application CONTROL-PLANE-APPLICATION
    !
-   application-profile IT
-   !
    application-profile VIDEO
    !
    application-profile VOICE

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml

@@ -138,10 +138,9 @@ router_path_selection:
   - name: LB-PROD-AVT-POLICY-DEFAULT
     path_groups:
     - name: INET
-  - name: LB-DEFAULT-AVT-POLICY-IT
+  - name: LB-DEFAULT-AVT-POLICY-DEFAULT
     path_groups:
     - name: INET
-      priority: 2
   policies:
   - name: PROD-AVT-POLICY
     rules:
@@ -158,14 +157,13 @@ router_path_selection:
     - id: 10
       application_profile: CONTROL-PLANE-APPLICATION-PROFILE
       load_balance: LB-CONTROL-PLANE-PROFILE
-    - id: 20
-      application_profile: IT
-      load_balance: LB-DEFAULT-AVT-POLICY-IT
+    default_match:
+      load_balance: LB-DEFAULT-AVT-POLICY-DEFAULT
   vrfs:
-  - name: default
-    path_selection_policy: DEFAULT-AVT-POLICY-WITH-CP
   - name: PROD
     path_selection_policy: PROD-AVT-POLICY
+  - name: default
+    path_selection_policy: DEFAULT-AVT-POLICY-WITH-CP
 stun:
   client:
     server_profiles:
@@ -177,7 +175,6 @@ application_traffic_recognition:
   application_profiles:
   - name: VOICE
   - name: VIDEO
-  - name: IT
   - name: CONTROL-PLANE-APPLICATION-PROFILE
     applications:
     - name: CONTROL-PLANE-APPLICATION

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml

@@ -146,11 +146,9 @@ router_path_selection:
   - name: LB-PROD-AVT-POLICY-DEFAULT
     path_groups:
     - name: INET
-  - name: LB-DEFAULT-AVT-POLICY-IT
+  - name: LB-DEFAULT-AVT-POLICY-DEFAULT
     path_groups:
-    - name: MPLS
     - name: INET
-      priority: 2
   policies:
   - name: PROD-AVT-POLICY
     rules:
@@ -167,14 +165,13 @@ router_path_selection:
     - id: 10
       application_profile: CONTROL-PLANE-APPLICATION-PROFILE
       load_balance: LB-CONTROL-PLANE-PROFILE
-    - id: 20
-      application_profile: IT
-      load_balance: LB-DEFAULT-AVT-POLICY-IT
+    default_match:
+      load_balance: LB-DEFAULT-AVT-POLICY-DEFAULT
   vrfs:
-  - name: default
-    path_selection_policy: DEFAULT-AVT-POLICY-WITH-CP
   - name: PROD
     path_selection_policy: PROD-AVT-POLICY
+  - name: default
+    path_selection_policy: DEFAULT-AVT-POLICY-WITH-CP
 stun:
   server:
     local_interfaces:
@@ -183,7 +180,6 @@ application_traffic_recognition:
   application_profiles:
   - name: VOICE
   - name: VIDEO
-  - name: IT
   - name: CONTROL-PLANE-APPLICATION-PROFILE
     applications:
     - name: CONTROL-PLANE-APPLICATION

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml

@@ -148,11 +148,9 @@ router_path_selection:
   - name: LB-PROD-AVT-POLICY-DEFAULT
     path_groups:
     - name: INET
-  - name: LB-DEFAULT-AVT-POLICY-IT
+  - name: LB-DEFAULT-AVT-POLICY-DEFAULT
     path_groups:
-    - name: MPLS
     - name: INET
-      priority: 2
   policies:
   - name: PROD-AVT-POLICY
     rules:
@@ -169,14 +167,13 @@ router_path_selection:
     - id: 10
       application_profile: CONTROL-PLANE-APPLICATION-PROFILE
       load_balance: LB-CONTROL-PLANE-PROFILE
-    - id: 20
-      application_profile: IT
-      load_balance: LB-DEFAULT-AVT-POLICY-IT
+    default_match:
+      load_balance: LB-DEFAULT-AVT-POLICY-DEFAULT
   vrfs:
-  - name: default
-    path_selection_policy: DEFAULT-AVT-POLICY-WITH-CP
   - name: PROD
     path_selection_policy: PROD-AVT-POLICY
+  - name: default
+    path_selection_policy: DEFAULT-AVT-POLICY-WITH-CP
 stun:
   server:
     local_interfaces:
@@ -185,7 +182,6 @@ application_traffic_recognition:
   application_profiles:
   - name: VOICE
   - name: VIDEO
-  - name: IT
   - name: CONTROL-PLANE-APPLICATION-PROFILE
     applications:
     - name: CONTROL-PLANE-APPLICATION

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/AUTOVPN_TESTS.yml

@@ -100,8 +100,7 @@ tenants:
 
 wan_virtual_topologies:
   vrfs:
-    - name: default
-      policy: DEFAULT-AVT-POLICY
+    # Not configuring default VRF policy on purpose to test auto-generation
     - name: PROD
       policy: PROD-AVT-POLICY
   policies:
@@ -119,7 +118,7 @@ wan_virtual_topologies:
           path_groups:
             - names: [INET]
               preference: preferred
-    - name: DEFAULT-AVT-POLICY
+    - name: CUSTOM-DEFAULT-AVT-POLICY
       default_virtual_topology:
         drop_unmatched: true
       application_virtual_topologies:

ansible_collections/arista/avd/roles/eos_designs/docs/wan-preview.md

@@ -36,7 +36,8 @@ The intention is to support both a single [AutoVPN design](https://www.arista.co
   - The `application_virtual_topologies` entries and the `default_virtual_topology` key are used to create the policy match statement, the AVT profile (when `wan_mode` is CV Pathfinder) and the load balancing policy.
   - The `default_virtual_topology` is used as the default match in the policy.  To prevent configuring it, the `drop_unmatched` boolean must be set to `true` otherwise, at least one `path-group` must be configured or AVD will raise an error.
   - Policies are assigned to VRFs using the list `wan_virtual_topologies.vrfs`. A policy can be reused in multiple VRFs.
-  - AVD requires that a policy is assigned for the `default` VRF policy. An extra match statement is injected in the policy to match the traffic towards the Pathfinders or AutoVPN RRs, the name of the application-profile is hardcoded as `CONTROL-PLANE-APPLICATION-PROFILE`. A special policy is created by appending `-WITH-CP` at the end of the targetted policy name.
+  - If no policy is assigned for the `default` VRF policy, AVD auto generates one with one `default_virtual_topology` entry configured to use all available local path-groups.
+  - For the policy defined for VRF `default` (or the auto-generared one), an extra match statement is injected in the policy to match the traffic towards the Pathfinders or AutoVPN RRs, the name of the application-profile is hardcoded as `CONTROL-PLANE-APPLICATION-PROFILE`. A special policy is created by appending `-WITH-CP` at the end of the targetted policy name.
 
 ## Known limitations
 
@@ -57,14 +58,12 @@ The intention is to support both a single [AutoVPN design](https://www.arista.co
     ```
 
 - No IPv6 support
-- For WAN interfaces only `l3_edge.l3_interfaces` is supported  and not `core_interfaces.l3_interfaces`.
 - For WAN interfaces, NAT IP on the Pathfinder side can be supported using the `wan_route_servers.path_groups.interfaces` key.
 - Path-group ID is currently required under `wan_path_groups` until an algorithm is implemented to auto generate IDs.
 
 ## Future work
 
-- As of now, only the fundations of the `eos_designs` functionality for WAN is
-    being introduced without any support for LAN interfaces.
+- As of now, only the fundations of the `eos_designs` functionality for WAN is being introduced without any support for LAN interfaces.
 - Auto generation of Path-group IDs and other IDs.
 - HA for sites will be covered in a future PR
 
@@ -183,3 +182,17 @@ roles/eos_designs/docs/tables/node-type-key-wan-configuration.md
 | `Type`        | `lan` or `wan` if `cv_pathfinder_role` is set                               |
 | `Carrier`     | `wan_carrier` if `cv_pathfinder_role` is set and this is a WAN interface    |
 | `Circuit`     | `wan_circiot_id` if `cv_pathfinder_role` is set and this is a LAN interface |
+
+## Getting started with WAN
+
+### Global settings
+
+TODO - cover here WAN hierarchy, wan mode, route-servers, path-groups and carriers and how they are linked together.
+
+### WAN interfaces
+
+TODO
+
+### Defining policies
+
+TODO

ansible_collections/arista/avd/roles/eos_designs/python_modules/network_services/utils.py

@@ -316,14 +316,21 @@ def _wan_load_balance_policies(self) -> list:
                     context_keys=["name"],
                 )
 
-            default_virtual_topology = get(policy, "default_virtual_topology", required=True)
+            default_virtual_topology = get(
+                policy,
+                "default_virtual_topology",
+                required=True,
+                org_key=f"A 'default_virtual_topology must be defined for policy {policy['name']}. It is possible to disable default-match by setting 'drop_unmatched' to 'true'.",
+            )
             if not get(default_virtual_topology, "drop_unmatched", default=False):
                 name = get(default_virtual_topology, "name", default=f"{policy['name']}-DEFAULT")
                 context_path = f"wan_virtual_topologies.policies[{policy['name']}].default_virtual_topology"
                 append_if_not_duplicate(
                     list_of_dicts=wan_load_balance_policies,
                     primary_key="name",
-                    new_dict=self._generate_wan_load_balance_policy(f"LB-{name}", default_virtual_topology, context_path),
+                    new_dict=self._generate_wan_load_balance_policy(
+                        f"LB-{name}", default_virtual_topology, context_path, default_all=get(default_virtual_topology, "_default_all", default=False)
+                    ),
                     context="Router Path-Selection Load-Balance policies.",
                     context_keys=["name"],
                 )
@@ -391,25 +398,30 @@ def _filtered_wan_policies(self) -> list:
     def _default_vrf_policy(self) -> dict:
         """
         Retrieves the name of the policy used for the default VRF and appending -WITH-CP to its name.
+
+        If not policy is defined for VRF default under 'wan_virtual_topologies.vrfs', use a default policy named DEFAULT-AVT-POLICY-WITH-CP where all
+        traffic is matched in the default category and distributed amongst all path-groups.
         """
         vrfs = get(self._hostvars, "wan_virtual_topologies.vrfs", [])
+        default_vrf = get_item(vrfs, "name", "default", default={})
 
-        if (default_vrf := get_item(vrfs, "name", "default")) is None:
-            # TODO make error message better
-            raise AristaAvdError("A 'default' VRF policy is required")
+        if (vrf_default_policy := get(default_vrf, "policy")) is not None:
+            policies = get(self._hostvars, "wan_virtual_topologies.policies", default=[])
+            # copy is safe here as we change only the name
+            default_policy = get_item(
+                policies,
+                "name",
+                vrf_default_policy,
+                required=True,
+                custom_error_msg=(
+                    f"The policy {vrf_default_policy} defined for vrf default under 'wan_virtual_topologies.vrfs' "
+                    "is not defined under 'wan_virtual_topologies.policies'."
+                ),
+            ).copy()
+        else:
+            # Injecting a hidden key _default_all, used when generating the relevant Load Balance Policy
+            default_policy = {"name": "DEFAULT-AVT-POLICY", "default_virtual_topology": {"_default_all": True}}
 
-        policies = get(self._hostvars, "wan_virtual_topologies.policies", default=[])
-        # copy is safe here as we change only the name
-        vrf_default_policy = get(default_vrf, "policy", required=True, org_key="VRF default under 'wan_virtual_topologies.vrfs' is missing a 'policy'.")
-        default_policy = get_item(
-            policies,
-            "name",
-            vrf_default_policy,
-            required=True,
-            custom_error_msg=(
-                f"The policy {vrf_default_policy} defined for vrf default under 'wan_virtual_topologies.vrfs' "
-                "is not defined under 'wan_virtual_topologies.policies'."
-            ),
-        ).copy()
         default_policy["is_default"] = True
+
         return default_policy