Feat(eos_cli_config_gen): Add support for connection tx-interface match source-ip for ip security #4844

Open
wants to merge 7 commits into
base: devel

@laxmikantchintakindi laxmikantchintakindi commented Dec 27, 2024

Change Summary

Add support for connection tx-interface match source-ip for ip security

Related Issue(s)

Fixes #4841

Component(s) name

arista.avd.eos_cli_config_gen

Proposed changes

In the CV Pathfinder solution, if there is an ECMP route pointing via more than one nexthop-interface to reach the destination endpoint, it was not selecting the proper source-interface to send out the packets. This was fixed in the recent version.

This configuration is required in the latest versions for the fix to work.
We need to check the possible method to integrate this command in the CV Pathfinder AVD configs.

ip security
   connection tx-interface match source-ip

How to test

Checklist

User Checklist

  • N/A

Repository Checklist

  • My code has been rebased from devel before I start
  • I have read the CONTRIBUTING document.
  • My change requires a change to the documentation and documentation has been updated accordingly.
  • I have updated molecule CI testing accordingly. (check the box if not applicable)

Review docs on Read the Docs

To test this pull request:

# Create virtual environment for this testing below the current directory
python -m venv test-avd-pr-4844
# Activate the virtual environment
source test-avd-pr-4844/bin/activate
# Install all requirements including PyAVD
pip install "pyavd[ansible] @ git+https://github.com/laxmikantchintakindi/avd.git@feat/eos_cli/ip_security#subdirectory=python-avd" --force
# Point Ansible collections path to the Python virtual environment
export ANSIBLE_COLLECTIONS_PATH=$VIRTUAL_ENV/ansible_collections
# Install Ansible collection
ansible-galaxy collection install git+https://github.com/laxmikantchintakindi/avd.git#/ansible_collections/arista/avd/,feat/eos_cli/ip_security --force
# Optional: Install AVD examples
cd test-avd-pr-4844
ansible-playbook arista.avd.install_examples

@github-actions github-actions bot added role: eos_cli_config_gen issue related to eos_cli_config_gen role state: CI Updated CI scenario have been updated in the PR state: Documentation role Updated labels Dec 27, 2024
@@ -80,3 +80,4 @@ ip_security:
key_controller:
profile: Profile-1
hardware_encryption_disabled: true
connection_tx_interface_match_source_ip: true
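
Review bot: the added `connection_tx_interface_match_source_ip: true` at the end of `ip_security` is the only value this input exercises, so the test data never covers the key set to `false` or left unset. Add the matching `connection tx-interface match source-ip` line to the expected configuration for this input, and consider a second input with the key set to `false` so the rendered result for that case is pinned down as well.
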
Contributor

We don't see cli config of the input

Contributor Author

Fixed in latest commit.

@MaheshGSLAB MaheshGSLAB marked this pull request as ready for review January 6, 2025 07:38
@MaheshGSLAB MaheshGSLAB requested review from a team as code owners January 6, 2025 07:38
@@ -89,4 +89,7 @@ ip security
{% if ip_security.hardware_encryption_disabled is arista.avd.defined(true) %}
hardware encryption disabled
{% endif %}
{% if ip_security.connection_tx_interface_match_source_ip is arista.avd.defined(true) %}
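
Review bot: the new `{% if ip_security.connection_tx_interface_match_source_ip is arista.avd.defined(true) %}` guard is placed after the `hardware encryption disabled` block, and that position should be confirmed against the order in which EOS prints these lines under `ip security` before it is fixed in the template. The guard also matches only `true`, so a value of `false` renders nothing; if no `no` form is intended, say so in the schema description for the key.
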
Contributor

are you sure about the ordering here?

Contributor Author

ip security 
    profile Profile-4
      connection add
      no shared-key
      no pki-profile
      no dpd
      no flow parallelization encapsulation
      mode tunnel
      !
      flow entropy udp
   !
   key controller
      profile Profile-1
      dh-group 14
      lifetime 8 hours
   connection tx-interface match source-ip
   no fips restrictions

I am seeing this in output. hardware encryption disabled is not reflecting in show run and show run all.
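
One way to check a saved or generated config for the line this PR adds, as an added example that is not part of the PR or of AVD: it takes the output quoted above as input and reports whether `connection tx-interface match source-ip` and `hardware encryption disabled` sit directly under `ip security`. The function names are hypothetical.

```python
# Added example (not AVD code): audit a saved EOS config for the required line.
# SAMPLE is the output quoted in the reply above; function names are hypothetical.
SAMPLE = """\
ip security
    profile Profile-4
      connection add
      no shared-key
      no pki-profile
      no dpd
      no flow parallelization encapsulation
      mode tunnel
      !
      flow entropy udp
   !
   key controller
      profile Profile-1
      dh-group 14
      lifetime 8 hours
   connection tx-interface match source-ip
   no fips restrictions
"""
REQUIRED = "connection tx-interface match source-ip"


def section_children(config, header):
    """Return lines directly under a top-level section, skipping nested blocks."""
    children, in_section, child_indent = [], False, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # any top-level line opens or closes the section
            in_section, child_indent = (line == header), None
            continue
        if not in_section or line.strip() == "!":
            continue
        # Equal or smaller indent than the last direct child means a new direct
        # child; this tolerates the uneven indentation of pasted output.
        if child_indent is None or indent <= child_indent:
            child_indent = indent
            children.append(line.strip())
    return children


def audit(config):
    """Report which section-level `ip security` settings are present."""
    children = section_children(config, "ip security")
    return {"tx_interface_match_source_ip": REQUIRED in children,
            "hardware_encryption_disabled": "hardware encryption disabled" in children}
```

Because only direct children of the section are compared, the same text nested inside a `profile` or `key controller` block does not count as the section-level setting.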
