aristanetworks · gmuloc · Feb 26, 2024 · Feb 22, 2024 · Feb 22, 2024 · Feb 22, 2024
@@ -0,0 +1,76 @@
+!RANCID-CONTENT-TYPE: arista
+!
+vlan internal order ascending range 1006 1199
+!
+transceiver qsfp default-mode 4x10G
+!
+service routing protocols model multi-agent
+!
+hostname filter.vrfs
+!
+no enable password
+no aaa root
+!
+vrf instance MGMT
+!
+vrf instance VRF2
+   description This VRF is attracted by Loopback and will be configured because it is permitted by filter.allow_vrfs
+!
+vrf instance VRF5
+   description This VRF will be configured because of always_include_vrfs_in_tenants and it is permitted by filter.allow_vrfs
+!
+interface Loopback0
+   description EVPN_Overlay_Peering
+   no shutdown
+   ip address 10.0.0.1/32
+!
+interface Loopback2
+   no shutdown
+   vrf VRF2
+   ip address 192.168.1.1/32
+!
+ip routing
+no ip routing vrf MGMT
+ip routing vrf VRF2
+ip routing vrf VRF5
+!
+ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+   seq 10 permit 10.0.0.0/24 eq 32
+!
+route-map RM-CONN-2-BGP permit 10
+   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+!
+router bfd
+   multihop interval 300 min-rx 300 multiplier 3
+!
+router bgp 65001
+   router-id 10.0.0.1
+   maximum-paths 4 ecmp 4
+   update wait-install
+   no bgp default ipv4-unicast
+   neighbor EVPN-OVERLAY-PEERS peer group
+   neighbor EVPN-OVERLAY-PEERS update-source Loopback0
+   neighbor EVPN-OVERLAY-PEERS bfd
+   neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3
+   neighbor EVPN-OVERLAY-PEERS send-community
+   neighbor EVPN-OVERLAY-PEERS maximum-routes 0
+   neighbor IPv4-UNDERLAY-PEERS peer group
+   neighbor IPv4-UNDERLAY-PEERS send-community
+   neighbor IPv4-UNDERLAY-PEERS maximum-routes 12000
+   redistribute connected route-map RM-CONN-2-BGP
+   !
+   address-family evpn
+      neighbor EVPN-OVERLAY-PEERS activate
+   !
+   address-family ipv4
+      no neighbor EVPN-OVERLAY-PEERS activate
+      neighbor IPv4-UNDERLAY-PEERS activate
+!
+management api http-commands
+   protocol https
+   no shutdown
+   !
+   vrf MGMT
+      no shutdown
+!
+end
@@ -0,0 +1,88 @@
+hostname: filter.vrfs
+is_deployed: true
+router_bgp:
+  as: '65001'
+  router_id: 10.0.0.1
+  bgp:
+    default:
+      ipv4_unicast: false
+  maximum_paths:
+    paths: 4
+    ecmp: 4
+  updates:
+    wait_install: true
+  peer_groups:
+  - name: IPv4-UNDERLAY-PEERS
+    type: ipv4
+    maximum_routes: 12000
+    send_community: all
+  - name: EVPN-OVERLAY-PEERS
+    type: evpn
+    update_source: Loopback0
+    bfd: true
+    send_community: all
+    maximum_routes: 0
+    ebgp_multihop: 3
+  address_family_ipv4:
+    peer_groups:
+    - name: IPv4-UNDERLAY-PEERS
+      activate: true
+    - name: EVPN-OVERLAY-PEERS
+      activate: false
+  redistribute_routes:
+  - source_protocol: connected
+    route_map: RM-CONN-2-BGP
+  address_family_evpn:
+    peer_groups:
+    - name: EVPN-OVERLAY-PEERS
+      activate: true
+service_routing_protocols_model: multi-agent
+ip_routing: true
+vlan_internal_order:
+  allocation: ascending
+  range:
+    beginning: 1006
+    ending: 1199
+vrfs:
+- name: MGMT
+  ip_routing: false
+- name: VRF2
+  tenant: TENANT1
+  ip_routing: true
+  description: This VRF is attracted by Loopback and will be configured because it is permitted by filter.allow_vrfs
+- name: VRF5
+  tenant: TENANT2
+  ip_routing: true
+  description: This VRF will be configured because of always_include_vrfs_in_tenants and it is permitted by filter.allow_vrfs
+management_api_http:
+  enable_vrfs:
+  - name: MGMT
+  enable_https: true
+loopback_interfaces:
+- name: Loopback0
+  description: EVPN_Overlay_Peering
+  shutdown: false
+  ip_address: 10.0.0.1/32
+- name: Loopback2
+  ip_address: 192.168.1.1/32
+  shutdown: false
+  vrf: VRF2
+prefix_lists:
+- name: PL-LOOPBACKS-EVPN-OVERLAY
+  sequence_numbers:
+  - sequence: 10
+    action: permit 10.0.0.0/24 eq 32
+route_maps:
+- name: RM-CONN-2-BGP
+  sequence_numbers:
+  - sequence: 10
+    type: permit
+    match:
+    - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+router_bfd:
+  multihop:
+    interval: 300
+    min_rx: 300
+    multiplier: 3
+ip_igmp_snooping:
+  globally_enabled: true
@@ -0,0 +1,46 @@
+type: l3leaf
+
+l3leaf:
+  nodes:
+    - name: filter.vrfs
+      id: 1
+      loopback_ipv4_pool: 10.0.0.0/24
+      bgp_as: 65001
+      vtep: false
+      filter:
+        # deny_vrfs takes precedence over allow_vrfs, so VRF1 & VRF4 will be denied even when listed under allow_vrfs.
+        deny_vrfs: [VRF1, VRF4]
+        allow_vrfs: [VRF1, VRF2, VRF4, VRF5]
+        always_include_vrfs_in_tenants: [TENANT2]
+tenants:
+  - name: TENANT1
+    vrfs:
+      - name: VRF1
+        description: This VRF would have been configured because it is attracted by Loopback, but it is prevented by filter.deny_vrfs
+        loopbacks:
+          - loopback: 1
+            node: filter.vrfs
+            ip_address: 192.168.1.1/32
+      - name: VRF2
+        description: This VRF is attracted by Loopback and will be configured because it is permitted by filter.allow_vrfs
+        loopbacks:
+          - loopback: 2
+            node: filter.vrfs
+            ip_address: 192.168.1.1/32
+      - name: VRF3
+        description: >-
+          This VRF would have been configured because it is attracted by Loopback,
+          but it is prevented because it is not permitted by filter.allow_vrfs
+        loopbacks:
+          - loopback: 3
+            node: filter.vrfs
+            ip_address: 192.168.1.1/32
+
+  - name: TENANT2
+    vrfs:
+      - name: VRF4
+        description: This VRF would have been configured because of always_include_vrfs_in_tenants, but it is prevented by filter.deny_vrfs
+      - name: VRF5
+        description: This VRF will be configured because of always_include_vrfs_in_tenants and it is permitted by filter.allow_vrfs
+      - name: VRF6
+        description: This VRF will not be configured because it is not permitted by filter.allow_vrfs
@@ -14,6 +14,7 @@ all:
             evpn-vtep-with-default-vrf-not-evpn:
             duplicate-vrfs:
             filter.only_vlans_in_use:
+            filter.vrfs:
             generate-cv-tags-1:
             generate-cv-tags-2:
             ignore-custom-keys-in-data-models:

@@ -157,6 +157,20 @@ def accepted_vlans(self: SharedUtils) -> list[int]:
 
         return accepted_vlans
 
+    def is_accepted_vrf(self: SharedUtils, vrf: dict) -> bool:
+        """
+        Returns True if
+
+        - filter.allow_vrfs == ["all"] OR VRF is included in filter.allow_vrfs.
+
+        AND
+
+        - filter.not_vrfs == [] OR VRF is NOT in filter.deny_vrfs
+        """
+        return ("all" in self.filter_allow_vrfs or vrf["name"] in self.filter_allow_vrfs) and (
+            not self.filter_deny_vrfs or vrf["name"] not in self.filter_deny_vrfs
+        )
+
     def filtered_vrfs(self: SharedUtils, tenant: dict) -> list[dict]:
         """
         Return sorted and filtered vrf list from given tenant.
@@ -169,6 +183,9 @@ def filtered_vrfs(self: SharedUtils, tenant: dict) -> list[dict]:
 
         vrfs: list[dict] = natural_sort(convert_dicts(tenant.get("vrfs", []), "name"), "name")
         for original_vrf in vrfs:
+            if not self.is_accepted_vrf(original_vrf):
+                continue
+
             # Copying original_vrf and setting "tenant" for use by child objects like SVIs
             vrf = {**original_vrf, "tenant": tenant["name"]}
 

@@ -67,6 +67,14 @@ def filter_tags(self: SharedUtils) -> list:
             filter_tags.append(self.group)
         return filter_tags
 
+    @cached_property
+    def filter_allow_vrfs(self: SharedUtils) -> list:
+        return get(self.switch_data_combined, "filter.allow_vrfs", default=["all"])
+
+    @cached_property
+    def filter_deny_vrfs(self: SharedUtils) -> list:
+        return get(self.switch_data_combined, "filter.deny_vrfs", default=[])
+
     @cached_property
     def filter_tenants(self: SharedUtils) -> list:
         return get(self.switch_data_combined, "filter.tenants", default=["all"])