Feat(eos_designs): RCF-based route filtering for evpn_prevent_readvertise_to_server (#5984)

Co-authored-by: Claus Holbech <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Guillaume Mulocher <[email protected]>

Author: 4 people

ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/configs/evpn-prevent-readvertise-to-server-2.cfg

@@ -60,6 +60,9 @@ router bgp 65002
    neighbor 192.168.255.116 peer group EVPN-OVERLAY-PEERS
    neighbor 192.168.255.116 remote-as 65005
    neighbor 192.168.255.116 description evpn-prevent-readvertise-to-server-6_Loopback0
+   neighbor 192.168.255.118 peer group EVPN-OVERLAY-PEERS
+   neighbor 192.168.255.118 remote-as 65007
+   neighbor 192.168.255.118 description evpn-prevent-readvertise-to-server-8_Loopback0
    redistribute connected route-map RM-CONN-2-BGP
    !
    address-family evpn

ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/configs/evpn-prevent-readvertise-to-server-3.cfg

@@ -60,6 +60,9 @@ router bgp 65003
    neighbor 192.168.255.116 peer group EVPN-OVERLAY-PEERS
    neighbor 192.168.255.116 remote-as 65005
    neighbor 192.168.255.116 description evpn-prevent-readvertise-to-server-6_Loopback0
+   neighbor 192.168.255.118 peer group EVPN-OVERLAY-PEERS
+   neighbor 192.168.255.118 remote-as 65007
+   neighbor 192.168.255.118 description evpn-prevent-readvertise-to-server-8_Loopback0
    redistribute connected route-map RM-CONN-2-BGP
    !
    address-family evpn

ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/configs/evpn-prevent-readvertise-to-server-5.cfg

@@ -57,6 +57,9 @@ router bgp 65003
    neighbor 192.168.255.116 peer group EVPN-OVERLAY-PEERS
    neighbor 192.168.255.116 remote-as 65005
    neighbor 192.168.255.116 description evpn-prevent-readvertise-to-server-6_Loopback0
+   neighbor 192.168.255.118 peer group EVPN-OVERLAY-PEERS
+   neighbor 192.168.255.118 remote-as 65007
+   neighbor 192.168.255.118 description evpn-prevent-readvertise-to-server-8_Loopback0
    redistribute connected route-map RM-CONN-2-BGP
    !
    address-family evpn

ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/configs/evpn-prevent-readvertise-to-server-8.cfg

@@ -0,0 +1,87 @@
+!
+no enable password
+no aaa root
+!
+vlan internal order ascending range 1006 1199
+!
+transceiver qsfp default-mode 4x10G
+!
+service routing protocols model multi-agent
+!
+hostname evpn-prevent-readvertise-to-server-8
+!
+vrf instance MGMT
+!
+interface Loopback0
+   description ROUTER_ID
+   no shutdown
+   ip address 192.168.255.118/32
+!
+interface Loopback1
+   description VXLAN_TUNNEL_SOURCE
+   no shutdown
+   ip address 192.168.254.118/32
+!
+interface Vxlan1
+   description evpn-prevent-readvertise-to-server-8_VTEP
+   vxlan source-interface Loopback1
+   vxlan udp-port 4789
+!
+ip routing
+no ip routing vrf MGMT
+!
+ip prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+   seq 10 permit 192.168.255.0/24 eq 32
+   seq 20 permit 192.168.254.0/24 eq 32
+!
+ip route vrf MGMT 0.0.0.0/0 192.168.0.1
+!
+route-map RM-CONN-2-BGP permit 10
+   match ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+!
+router bfd
+   multihop interval 300 min-rx 300 multiplier 3
+!
+router bgp 65007
+   router-id 192.168.255.118
+   update wait-install
+   no bgp default ipv4-unicast
+   maximum-paths 4
+   neighbor EVPN-OVERLAY-PEERS peer group
+   neighbor EVPN-OVERLAY-PEERS update-source Loopback0
+   neighbor EVPN-OVERLAY-PEERS bfd
+   neighbor EVPN-OVERLAY-PEERS ebgp-multihop 3
+   neighbor EVPN-OVERLAY-PEERS send-community
+   neighbor EVPN-OVERLAY-PEERS maximum-routes 0
+   neighbor 192.168.255.112 peer group EVPN-OVERLAY-PEERS
+   neighbor 192.168.255.112 remote-as 65002
+   neighbor 192.168.255.112 description evpn-prevent-readvertise-to-server-2_Loopback0
+   neighbor 192.168.255.113 peer group EVPN-OVERLAY-PEERS
+   neighbor 192.168.255.113 remote-as 65003
+   neighbor 192.168.255.113 description evpn-prevent-readvertise-to-server-3_Loopback0
+   neighbor 192.168.255.115 peer group EVPN-OVERLAY-PEERS
+   neighbor 192.168.255.115 remote-as 65003
+   neighbor 192.168.255.115 description evpn-prevent-readvertise-to-server-5_Loopback0
+   redistribute connected route-map RM-CONN-2-BGP
+   !
+   address-family evpn
+      neighbor EVPN-OVERLAY-PEERS activate
+      neighbor 192.168.255.112 rcf out RCF_EVPN_FILTER_AS( 65002 )
+      neighbor 192.168.255.113 rcf out RCF_EVPN_FILTER_AS( 65003 )
+      neighbor 192.168.255.115 rcf out RCF_EVPN_FILTER_AS( 65003 )
+   !
+   address-family ipv4
+      no neighbor EVPN-OVERLAY-PEERS activate
+!
+router general
+   control-functions
+      code unit CU_EVPN_FILTER_AS
+         function RCF_EVPN_FILTER_AS( as_number_type $PEER_ASN ) {
+             return as_path has_none { $PEER_ASN };
+         }
+         EOF
+   !
+   exit
+   exit
+!
+end

ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/structured_configs/evpn-prevent-readvertise-to-server-2.yml

@@ -71,6 +71,12 @@ router_bgp:
     metadata:
       peer: evpn-prevent-readvertise-to-server-6
     description: evpn-prevent-readvertise-to-server-6_Loopback0
+  - ip_address: 192.168.255.118
+    peer_group: EVPN-OVERLAY-PEERS
+    remote_as: '65007'
+    metadata:
+      peer: evpn-prevent-readvertise-to-server-8
+    description: evpn-prevent-readvertise-to-server-8_Loopback0
   redistribute:
     connected:
       enabled: true

ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/structured_configs/evpn-prevent-readvertise-to-server-3.yml

@@ -71,6 +71,12 @@ router_bgp:
     metadata:
       peer: evpn-prevent-readvertise-to-server-6
     description: evpn-prevent-readvertise-to-server-6_Loopback0
+  - ip_address: 192.168.255.118
+    peer_group: EVPN-OVERLAY-PEERS
+    remote_as: '65007'
+    metadata:
+      peer: evpn-prevent-readvertise-to-server-8
+    description: evpn-prevent-readvertise-to-server-8_Loopback0
   redistribute:
     connected:
       enabled: true

ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/structured_configs/evpn-prevent-readvertise-to-server-5.yml

@@ -65,6 +65,12 @@ router_bgp:
     metadata:
       peer: evpn-prevent-readvertise-to-server-6
     description: evpn-prevent-readvertise-to-server-6_Loopback0
+  - ip_address: 192.168.255.118
+    peer_group: EVPN-OVERLAY-PEERS
+    remote_as: '65007'
+    metadata:
+      peer: evpn-prevent-readvertise-to-server-8
+    description: evpn-prevent-readvertise-to-server-8_Loopback0
   redistribute:
     connected:
       enabled: true

ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/structured_configs/evpn-prevent-readvertise-to-server-8.yml

@@ -0,0 +1,122 @@
+aaa_root:
+  disabled: true
+config_end: true
+enable_password:
+  disabled: true
+hostname: evpn-prevent-readvertise-to-server-8
+ip_igmp_snooping:
+  globally_enabled: true
+ip_routing: true
+loopback_interfaces:
+- name: Loopback0
+  description: ROUTER_ID
+  shutdown: false
+  ip_address: 192.168.255.118/32
+- name: Loopback1
+  description: VXLAN_TUNNEL_SOURCE
+  shutdown: false
+  ip_address: 192.168.254.118/32
+metadata:
+  is_deployed: true
+  fabric_name: EOS_DESIGNS_UNIT_TESTS
+prefix_lists:
+- name: PL-LOOPBACKS-EVPN-OVERLAY
+  sequence_numbers:
+  - sequence: 10
+    action: permit 192.168.255.0/24 eq 32
+  - sequence: 20
+    action: permit 192.168.254.0/24 eq 32
+route_maps:
+- name: RM-CONN-2-BGP
+  sequence_numbers:
+  - sequence: 10
+    type: permit
+    match:
+    - ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY
+router_bfd:
+  multihop:
+    interval: 300
+    min_rx: 300
+    multiplier: 3
+router_bgp:
+  as: '65007'
+  router_id: 192.168.255.118
+  maximum_paths:
+    paths: 4
+  updates:
+    wait_install: true
+  bgp:
+    default:
+      ipv4_unicast: false
+  peer_groups:
+  - name: EVPN-OVERLAY-PEERS
+    metadata:
+      type: evpn
+    update_source: Loopback0
+    bfd: true
+    ebgp_multihop: 3
+    send_community: all
+    maximum_routes: 0
+  neighbors:
+  - ip_address: 192.168.255.112
+    peer_group: EVPN-OVERLAY-PEERS
+    remote_as: '65002'
+    metadata:
+      peer: evpn-prevent-readvertise-to-server-2
+    description: evpn-prevent-readvertise-to-server-2_Loopback0
+  - ip_address: 192.168.255.113
+    peer_group: EVPN-OVERLAY-PEERS
+    remote_as: '65003'
+    metadata:
+      peer: evpn-prevent-readvertise-to-server-3
+    description: evpn-prevent-readvertise-to-server-3_Loopback0
+  - ip_address: 192.168.255.115
+    peer_group: EVPN-OVERLAY-PEERS
+    remote_as: '65003'
+    metadata:
+      peer: evpn-prevent-readvertise-to-server-5
+    description: evpn-prevent-readvertise-to-server-5_Loopback0
+  redistribute:
+    connected:
+      enabled: true
+      route_map: RM-CONN-2-BGP
+  address_family_evpn:
+    neighbors:
+    - ip_address: 192.168.255.112
+      rcf_out: RCF_EVPN_FILTER_AS( 65002 )
+    - ip_address: 192.168.255.113
+      rcf_out: RCF_EVPN_FILTER_AS( 65003 )
+    - ip_address: 192.168.255.115
+      rcf_out: RCF_EVPN_FILTER_AS( 65003 )
+    peer_groups:
+    - name: EVPN-OVERLAY-PEERS
+      activate: true
+  address_family_ipv4:
+    peer_groups:
+    - name: EVPN-OVERLAY-PEERS
+      activate: false
+router_general:
+  control_functions:
+    code_units:
+    - name: CU_EVPN_FILTER_AS
+      content: "function RCF_EVPN_FILTER_AS( as_number_type $PEER_ASN ) {\n    return as_path has_none { $PEER_ASN };\n}\nEOF"
+service_routing_protocols_model: multi-agent
+static_routes:
+- vrf: MGMT
+  prefix: 0.0.0.0/0
+  next_hop: 192.168.0.1
+transceiver_qsfp_default_mode_4x10: true
+vlan_internal_order:
+  allocation: ascending
+  range:
+    beginning: 1006
+    ending: 1199
+vrfs:
+- name: MGMT
+  ip_routing: false
+vxlan_interface:
+  vxlan1:
+    description: evpn-prevent-readvertise-to-server-8_VTEP
+    vxlan:
+      source_interface: Loopback1
+      udp_port: 4789

ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/inventory/group_vars/EVPN_PREVENT_READVERTISE_TO_SERVER.yml

@@ -39,3 +39,8 @@ l3leaf:
       id: 108
       bgp_as: 65005
       evpn_route_servers: [evpn-prevent-readvertise-to-server-2, evpn-prevent-readvertise-to-server-3, evpn-prevent-readvertise-to-server-5]
+    # Test filtering out EVPN routes using RCF feature
+    - name: evpn-prevent-readvertise-to-server-8
+      id: 110
+      bgp_as: 65007
+      evpn_route_servers: [evpn-prevent-readvertise-to-server-2, evpn-prevent-readvertise-to-server-3, evpn-prevent-readvertise-to-server-5]

ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/inventory/host_vars/evpn-prevent-readvertise-to-server-8.yml

@@ -0,0 +1 @@
+evpn_prevent_readvertise_to_server_mode: rcf