Feat(eos_designs): GTSM configuration to limit the TTL permitted for …

…bgp peering to 1 for WAN (aristanetworks#3607)

Co-authored-by: gmuloc <[email protected]>

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge-no-default-policy.cfg

@@ -127,6 +127,7 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS remote-as 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-edge.cfg

@@ -157,6 +157,7 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS remote-as 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr1.cfg

@@ -151,13 +151,15 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS route-reflector-client
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0
    neighbor WAN-RR-OVERLAY-PEERS peer group
    neighbor WAN-RR-OVERLAY-PEERS remote-as 65000
    neighbor WAN-RR-OVERLAY-PEERS update-source Dps1
    neighbor WAN-RR-OVERLAY-PEERS bfd
+   neighbor WAN-RR-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-RR-OVERLAY-PEERS send-community
    neighbor WAN-RR-OVERLAY-PEERS maximum-routes 0
    neighbor 192.168.131.2 peer group WAN-RR-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/autovpn-rr2.cfg

@@ -152,13 +152,15 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS route-reflector-client
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0
    neighbor WAN-RR-OVERLAY-PEERS peer group
    neighbor WAN-RR-OVERLAY-PEERS remote-as 65000
    neighbor WAN-RR-OVERLAY-PEERS update-source Dps1
    neighbor WAN-RR-OVERLAY-PEERS bfd
+   neighbor WAN-RR-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-RR-OVERLAY-PEERS send-community
    neighbor WAN-RR-OVERLAY-PEERS maximum-routes 0
    neighbor 192.168.131.1 peer group WAN-RR-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-common-path-group.cfg

@@ -253,6 +253,7 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS remote-as 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge-no-default-policy.cfg

@@ -206,6 +206,7 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS remote-as 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 42
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-edge.cfg

@@ -302,6 +302,7 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS remote-as 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder.cfg

@@ -298,6 +298,7 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS route-reflector-client
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder1.cfg

@@ -287,13 +287,15 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS route-reflector-client
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0
    neighbor WAN-RR-OVERLAY-PEERS peer group
    neighbor WAN-RR-OVERLAY-PEERS remote-as 65000
    neighbor WAN-RR-OVERLAY-PEERS update-source Dps1
    neighbor WAN-RR-OVERLAY-PEERS bfd
+   neighbor WAN-RR-OVERLAY-PEERS ttl maximum-hops 42
    neighbor WAN-RR-OVERLAY-PEERS send-community
    neighbor WAN-RR-OVERLAY-PEERS maximum-routes 0
    neighbor 6.6.6.6 peer group WAN-RR-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-pathfinder2.cfg

@@ -300,13 +300,15 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS route-reflector-client
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0
    neighbor WAN-RR-OVERLAY-PEERS peer group
    neighbor WAN-RR-OVERLAY-PEERS remote-as 65000
    neighbor WAN-RR-OVERLAY-PEERS update-source Dps1
    neighbor WAN-RR-OVERLAY-PEERS bfd
+   neighbor WAN-RR-OVERLAY-PEERS ttl maximum-hops 42
    neighbor WAN-RR-OVERLAY-PEERS send-community
    neighbor WAN-RR-OVERLAY-PEERS maximum-routes 0
    neighbor 6.6.6.6 peer group WAN-RR-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/configs/cv-pathfinder-transit.cfg

@@ -327,6 +327,7 @@ router bgp 65000
    neighbor WAN-OVERLAY-PEERS remote-as 65000
    neighbor WAN-OVERLAY-PEERS update-source Dps1
    neighbor WAN-OVERLAY-PEERS bfd
+   neighbor WAN-OVERLAY-PEERS ttl maximum-hops 1
    neighbor WAN-OVERLAY-PEERS password 7 htm4AZe9mIQOO1uiMuGgYQ==
    neighbor WAN-OVERLAY-PEERS send-community
    neighbor WAN-OVERLAY-PEERS maximum-routes 0

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge-no-default-policy.yml

@@ -22,6 +22,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
   address_family_evpn:
     peer_groups:
     - name: WAN-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-edge.yml

@@ -22,6 +22,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
   address_family_evpn:
     peer_groups:
     - name: WAN-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr1.yml

@@ -27,6 +27,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
     route_reflector_client: true
   - name: WAN-RR-OVERLAY-PEERS
     type: wan
@@ -35,6 +36,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
   address_family_evpn:
     peer_groups:
     - name: WAN-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/autovpn-rr2.yml

@@ -27,6 +27,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
     route_reflector_client: true
   - name: WAN-RR-OVERLAY-PEERS
     type: wan
@@ -35,6 +36,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
   address_family_evpn:
     peer_groups:
     - name: WAN-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-common-path-group.yml

@@ -22,6 +22,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
   address_family_evpn:
     peer_groups:
     - name: WAN-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge-no-default-policy.yml

@@ -22,6 +22,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 42
   address_family_evpn:
     peer_groups:
     - name: WAN-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-edge.yml

@@ -22,6 +22,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
   address_family_evpn:
     peer_groups:
     - name: WAN-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder.yml

@@ -30,6 +30,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
     route_reflector_client: true
   address_family_evpn:
     peer_groups:

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder1.yml

@@ -30,6 +30,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
     route_reflector_client: true
   - name: WAN-RR-OVERLAY-PEERS
     type: wan
@@ -38,6 +39,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 42
   address_family_evpn:
     peer_groups:
     - name: WAN-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-pathfinder2.yml

@@ -30,6 +30,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
     route_reflector_client: true
   - name: WAN-RR-OVERLAY-PEERS
     type: wan
@@ -38,6 +39,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 42
   address_family_evpn:
     peer_groups:
     - name: WAN-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/intended/structured_configs/cv-pathfinder-transit.yml

@@ -22,6 +22,7 @@ router_bgp:
     send_community: all
     maximum_routes: 0
     remote_as: '65000'
+    ttl_maximum_hops: 1
   address_family_evpn:
     peer_groups:
     - name: WAN-OVERLAY-PEERS

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/group_vars/CV_PATHFINDER_MULTI_RR_TESTS.yml

@@ -17,3 +17,13 @@ wan_route_servers:
         interfaces:
           - name: Ethernet2
             ip_address: 10.50.50.50/31
+
+# Overwriting TTL
+bgp_peer_groups:
+  wan_overlay_peers:
+    password: "htm4AZe9mIQOO1uiMuGgYQ=="
+    listen_range_prefixes:
+      - 192.168.142.0/24
+      - 192.168.143.0/24
+  wan_rr_overlay_peers:
+    ttl_maximum_hops: 42

ansible_collections/arista/avd/molecule/eos_designs_unit_tests/inventory/host_vars/cv-pathfinder-edge-no-default-policy.yml

@@ -25,6 +25,8 @@ cv_pathfinder_regions:
 bgp_peer_groups:
   wan_overlay_peers:
     password: "htm4AZe9mIQOO1uiMuGgYQ=="
+    # Overwriting TTL
+    ttl_maximum_hops: 42
     listen_range_prefixes:
       - 192.168.255.0/24
 

ansible_collections/arista/avd/plugins/plugin_utils/eos_designs_shared_utils/bgp_peer_groups.py

@@ -53,5 +53,6 @@ def bgp_peer_groups(self: SharedUtils):
             }
             if key == "wan_overlay_peers" and get(self.hostvars, f"bgp_peer_groups.{key}") is not None:
                 bgp_peer_groups[key]["listen_range_prefixes"] = get(self.hostvars, f"bgp_peer_groups.{key}.listen_range_prefixes", required=True)
-
+            if key == "wan_overlay_peers" or key == "wan_rr_overlay_peers":
+                bgp_peer_groups[key]["ttl_maximum_hops"] = get(self.hostvars, f"bgp_peer_groups.{key}.ttl_maximum_hops", default=1)
         return bgp_peer_groups

ansible_collections/arista/avd/roles/eos_designs/docs/tables/wan-bgp-peer-groups.md

@@ -15,11 +15,13 @@
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;listen_range_prefixes</samp>](## "bgp_peer_groups.wan_overlay_peers.listen_range_prefixes") | List, items: String |  |  |  | Only used for nodes where `wan_role` is `server` like AutoVPN RRs and Pathfinders.<br>For clients, AVD will raise an error if the Loopback0 IP is not in any listen range. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-&nbsp;&lt;str&gt;</samp>](## "bgp_peer_groups.wan_overlay_peers.listen_range_prefixes.[]") | String |  |  |  | The prefixes to use in listen_range. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;structured_config</samp>](## "bgp_peer_groups.wan_overlay_peers.structured_config") | Dictionary |  |  |  | Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;ttl_maximum_hops</samp>](## "bgp_peer_groups.wan_overlay_peers.ttl_maximum_hops") | Integer |  | `1` |  |  |
     | [<samp>&nbsp;&nbsp;wan_rr_overlay_peers</samp>](## "bgp_peer_groups.wan_rr_overlay_peers") | Dictionary |  |  |  | PREVIEW: This key is currently not supported<br>Configuration options for the peer-group created to peer between<br>AutoVPN RRs or CV-Pathfinders. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;name</samp>](## "bgp_peer_groups.wan_rr_overlay_peers.name") | String |  | `WAN-RR-OVERLAY-PEERS` |  | Name of peer group. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;password</samp>](## "bgp_peer_groups.wan_rr_overlay_peers.password") | String |  |  |  | Type 7 encrypted password. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;bfd</samp>](## "bgp_peer_groups.wan_rr_overlay_peers.bfd") | Boolean |  | `True` |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;structured_config</samp>](## "bgp_peer_groups.wan_rr_overlay_peers.structured_config") | Dictionary |  |  |  | Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;ttl_maximum_hops</samp>](## "bgp_peer_groups.wan_rr_overlay_peers.ttl_maximum_hops") | Integer |  | `1` |  |  |
 
 === "YAML"
 
@@ -47,6 +49,7 @@
 
         # Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen.
         structured_config: <dict>
+        ttl_maximum_hops: <int; default=1>
 
       # PREVIEW: This key is currently not supported
       # Configuration options for the peer-group created to peer between
@@ -62,4 +65,5 @@
 
         # Custom structured config added under router_bgp.peer_groups.[name=<name>] for eos_cli_config_gen.
         structured_config: <dict>
+        ttl_maximum_hops: <int; default=1>
     ```

ansible_collections/arista/avd/roles/eos_designs/python_modules/overlay/router_bgp.py

@@ -122,7 +122,7 @@ def _peer_groups(self) -> list | None:
                 peer_group_config = {"remote_as": self.shared_utils.bgp_as}
                 if self.shared_utils.wan_role:
                     # WAN OVERLAY peer group
-                    # TODO Add TTL max hop to the peer group on the Pathfinder once agreed upon
+                    peer_group_config["ttl_maximum_hops"] = self.shared_utils.bgp_peer_groups["wan_overlay_peers"]["ttl_maximum_hops"]
                     if self.shared_utils.wan_role == "server":
                         peer_group_config["route_reflector_client"] = True
                     peer_groups.append(
@@ -147,12 +147,11 @@ def _peer_groups(self) -> list | None:
                 peer_groups.append({**self._generate_base_peer_group("mpls", "rr_overlay_peers"), "remote_as": self.shared_utils.bgp_as})
 
             if self._is_wan_server_with_peers:
-                peer_groups.append(
-                    {
-                        **self._generate_base_peer_group("wan", "wan_rr_overlay_peers", update_source=self.shared_utils.vtep_loopback),
-                        "remote_as": self.shared_utils.bgp_as,
-                    }
+                wan_rr_overlay_peer_group = self._generate_base_peer_group("wan", "wan_rr_overlay_peers", update_source=self.shared_utils.vtep_loopback)
+                wan_rr_overlay_peer_group.update(
+                    {"remote_as": self.shared_utils.bgp_as, "ttl_maximum_hops": self.shared_utils.bgp_peer_groups["wan_rr_overlay_peers"]["ttl_maximum_hops"]}
                 )
+                peer_groups.append(wan_rr_overlay_peer_group)
 
         # same for ebgp and ibgp
         if self.shared_utils.overlay_ipvpn_gateway is True:

ansible_collections/arista/avd/roles/eos_designs/schemas/schema_fragments/bgp_peer_groups.schema.yml

@@ -178,6 +178,11 @@ keys:
             documentation_options:
               hide_keys: true
             $ref: "eos_cli_config_gen#/keys/router_bgp/keys/peer_groups/items/"
+          ttl_maximum_hops:
+            type: int
+            convert_types:
+              - str
+            default: 1
       wan_rr_overlay_peers:
         type: dict
         documentation_options:
@@ -203,6 +208,11 @@ keys:
             documentation_options:
               hide_keys: true
             $ref: "eos_cli_config_gen#/keys/router_bgp/keys/peer_groups/items/"
+          ttl_maximum_hops:
+            type: int
+            convert_types:
+              - str
+            default: 1
       IPv4_UNDERLAY_PEERS:
         type: dict
         deprecation: