Feat(plugins): Add ISIS support to encrypt and decrypt filters #3662

@ClausHolbechArista ClausHolbechArista commented Feb 26, 2024

Change Summary

Add ISIS support to encrypt and decrypt filters

Related Issue(s)

Fixes #3624

Component(s) name

arista.avd.eos_designs

Proposed changes

  • Add passwd_type: isis option to arista.avd.encrypt and arista.avd.decrypt filters.
  • Requires key: <isis_instance_name> and mode: <none | text | md5 | sha | sha-1 | sha-224 | sha-256 | sha-384 | sha1-512>

How to test

  • Added unit tests
  • Added integration tests

Checklist

User Checklist

  • N/A

Repository Checklist

  • My code has been rebased from devel before I start
  • I have read the CONTRIBUTING document.
  • My change requires a change to the documentation and documentation has been updated accordingly.
  • I have updated molecule CI testing accordingly. (check the box if not applicable)

@gmuloc gmuloc left a comment

LGTM

@gmuloc gmuloc requested a review from a team February 27, 2024 10:25
…password.py

Co-authored-by: Mahesh Kumar <122076792+MaheshGSLAB@users.noreply.github.com>
@gmuloc gmuloc added the one approval This PR has one approval and is only missing one more. label Feb 27, 2024
@carlbuchmann

@dgonzalez85 - please test and review this PR!

@dgonzalez85

Hi, I have done a bit of testing around this, enabling authentication between a couple of links:

  1. Note in eos_cli_config_gen we support today text and md5 authentication only according to docs. The plugin function supports additional hashing methods:
    https://avd.arista.com/4.6/roles/eos_cli_config_gen/docs/input-variables.html#ethernet-interfaces

  2. Just a note regarding probably old comments in this issue, decrypt plugin parameter is "mode" and not "isis_mode"

  3. I used the following configuration to test md5 auth and it works great

---
custom_structured_configuration_ethernet_interfaces:
  - name: "Ethernet1"
    isis_authentication_mode: "md5"
    isis_authentication_key: "{{ isis_peerings.password | arista.avd.encrypt(passwd_type='isis', mode='md5', key='EVPN_UNDERLAY') }}"

Which worked fine, I could generate the configurations and session is up and MD5 auth enabled:

DC1-CL1#show run int et1
interface Ethernet1
   description P2P_LINK_TO_DC1-SP1_Ethernet1
   no shutdown
   mtu 1500
   speed forced 100gfull
   no switchport
   ip address 192.168.1.1/31
   isis enable EVPN_UNDERLAY
   isis circuit-type level-2
   isis metric 50
   isis network point-to-point
   isis authentication mode md5
   isis authentication key 7 $1c$b5bHgaRyiaJARvaJb6EneQ==
   
DC1-CL1#show isis int et1

IS-IS Instance: EVPN_UNDERLAY VRF: default

  Interface Ethernet1:
    Index: 48 SNPA: P2P
    MTU: 1497 Type: point-to-point
    Supported address families: IPv4
    Area proxy boundary is disabled
    Speed: 100000 mbps
    BFD IPv4 is disabled
    BFD IPv6 is disabled
    Hello padding is enabled
    Level 2:
      Metric: 50, Number of adjacencies: 1
      Link-ID: 30
      Authentication mode: MD5
      TI-LFA protection is disabled for IPv4
      TI-LFA protection is disabled for IPv6
	  
DC1-CL1#show isis nei
 
Instance  VRF      System Id        Type Interface          SNPA              State Hold time   Circuit Id          
EVPN_UNDE default  DC1-SP1          L2   Ethernet1          P2P               UP    25          34                  
EVPN_UNDE default  DC1-SP2          L2   Ethernet2          P2P               UP    24          2C                  
EVPN_UNDE default  DC1-CL2          L2   Vlan4093           P2P               UP    24          24                  

  4. I used the following configuration to test text auth and also all good:

---
custom_structured_configuration_ethernet_interfaces:
  - name: "Ethernet1"
    isis_authentication_mode: "text"
    isis_authentication_key: "{{ isis_peerings.password | arista.avd.encrypt(passwd_type='isis', mode='text', key='EVPN_UNDERLAY') }}"

DC1-SP1#show isis int et1

IS-IS Instance: EVPN_UNDERLAY VRF: default

  Interface Ethernet1:
    Index: 52 SNPA: P2P
    MTU: 1497 Type: point-to-point
    Supported address families: IPv4
    Area proxy boundary is disabled
    Speed: 100000 mbps
    BFD IPv4 is disabled
    BFD IPv6 is disabled
    Hello padding is enabled
    Level 2:
      Metric: 50, Number of adjacencies: 1
      Link-ID: 34
      Authentication mode: Text
      TI-LFA protection is disabled for IPv4
      TI-LFA protection is disabled for IPv6

DC1-SP1#show run int et1
interface Ethernet1
   description P2P_LINK_TO_DC1-CL1_Ethernet1
   no shutdown
   mtu 1500
   speed forced 100gfull
   no switchport
   ip address 192.168.1.0/31
   isis enable EVPN_UNDERLAY
   isis circuit-type level-2
   isis metric 50
   isis network point-to-point
   isis authentication mode text
   isis authentication key 7 2ewYXSX6oRxJvMW6Qzn1fA==

@dgonzalez85 dgonzalez85 left a comment

Tested md5 and text authentication and looking good!
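
The manual check in the test report above (confirm the rendered authentication mode, that the key is stored as type 7, and that the interface runs the IS-IS instance passed to the filter as `key`) can be scripted. This is an added example, not code from this PR or from arista.avd; `parse_isis_auth`, `audit` and the Ethernet2/Ethernet3 stanzas are hypothetical, and only the command forms shown on this page are recognised.

```python
import re

# Constructed sample: Ethernet1 is trimmed from the test report above,
# Ethernet2 and Ethernet3 are made-up failure cases (key type 0 is assumed syntax).
SAMPLE_CONFIG = """\
interface Ethernet1
   isis enable EVPN_UNDERLAY
   isis authentication mode md5
   isis authentication key 7 $1c$b5bHgaRyiaJARvaJb6EneQ==
interface Ethernet2
   isis enable EVPN_UNDERLAY
interface Ethernet3
   isis enable EVPN_UNDERLAY
   isis authentication mode md5
   isis authentication key 0 constructed-cleartext
"""

FIELD = re.compile(  # only the command forms shown on this page
    r"isis (?:enable (?P<instance>\S+)"
    r"|authentication mode (?P<mode>\S+)"
    r"|authentication key (?P<key_type>\d+) (?P<key>\S+))$"
)

def parse_isis_auth(config):
    """Map interface name -> IS-IS fields found in its stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), {})
        elif current is not None and line.startswith(" "):
            match = FIELD.match(line.strip())
            if match:
                current.update({k: v for k, v in match.groupdict().items() if v})
        else:
            current = None  # left the interface stanza
    return interfaces

def audit(config, expected_mode, filter_key):
    """Return findings for every interface that has IS-IS enabled."""
    findings = []
    for name, cfg in parse_isis_auth(config).items():
        if "instance" not in cfg:
            continue
        if cfg["instance"] != filter_key:
            findings.append(f"{name}: instance {cfg['instance']} differs from filter key {filter_key}")
        if cfg.get("mode") != expected_mode:
            findings.append(f"{name}: mode {cfg.get('mode')}, expected {expected_mode}")
        if cfg.get("key_type") != "7":
            findings.append(f"{name}: key type {cfg.get('key_type')}, expected 7")
    return findings
```

Calling `audit(SAMPLE_CONFIG, "md5", "EVPN_UNDERLAY")` passes Ethernet1 and reports the missing authentication on Ethernet2 and the type 0 key on Ethernet3.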

@ClausHolbechArista ClausHolbechArista merged commit 9e48aaf into aristanetworks:devel Feb 28, 2024
38 checks passed
sugetha24 pushed a commit to sugetha24/ansible-avd that referenced this pull request Feb 28, 2024