aristanetworks / avd

Arista Validated Designs
https://avd.arista.com
Apache License 2.0
Add the ability to add access-group membership in network services #3534

Closed theotherguy2175 closed 1 month ago

theotherguy2175 commented 7 months ago

Enhancement summary

It would be nice when defining an L3 / SVI in network services to also be able to add an access group right there. That way the tags take care of only adding the L3/SVI as it already does but also only add the access group to the devices that need it.

Which component of AVD is impacted

eos_designs

Use case example

It would be nice when defining an L3 / SVI in network services to also be able to add an access group right there. That way the tags take care of only adding the L3/SVI as it already does but also only add the access group to the devices that need it.

Describe the solution you would like

It would be nice when defining an L3 / SVI in network services to also be able to add an access group right there. That way the tags take care of only adding the L3/SVI as it already does but also only add the access group to the devices that need it.

Describe alternatives you have considered

No response

Additional context

No response

ClausHolbechArista commented 7 months ago

Thank you for a great idea! I think the simplest implementation would be to have a root-level key for defining the access-lists centrally and then adding them as needed to the devices. Similar to evpn_vlan_bundles. At first we would have to ignore missing access lists, to be non-breaking, but in the next major release of AVD (5.0) we could error out if the access_group_in/out keys are pointing to a missing ACL.

theotherguy2175 commented 7 months ago

Yeah, having it defined somewhere like network services and then the ability to tag would be great.

It would just be nice to have only the access list creation and application only be on the devices that are tagged that way.

github-actions[bot] commented 3 months ago

This issue is stale because it has been open 90 days with no activity. The issue will be reviewed by a maintainer and may be closed.

ClausHolbechArista commented 2 months ago

We have added ipv4_acl_in/ipv4_acl_out in #3791. The ACLs must be defined under the root key ipv4_acls.

So this issue will track the same for l3_interfaces under network services.

gmuloc commented 1 month ago

SVI was implemented in https://github.com/aristanetworks/avd/pull/4096
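
An added sketch, not part of the thread and not AVD's code: it models the behaviour discussed above, where ACLs are defined once under a root key and only rendered and bound on devices whose tags match the SVI, with a dangling ACL reference either reported (non-breaking) or rejected (strict). Only the key names `ipv4_acls`, `ipv4_acl_in` and `ipv4_acl_out` come from the thread; the data model, the ACL names, `acls_for_device` and `MissingAclError` are hypothetical.

```python
# Added illustration: simplified data model, not AVD's schema or implementation.
IPV4_ACLS = {  # stands in for the root key ipv4_acls (constructed sample)
    "ACL_MGMT_IN": ["10 permit ip 10.0.0.0/8 any", "20 deny ip any any"],
}
SVIS = [  # constructed sample SVIs with tags
    {"id": 110, "tags": ["web"], "ipv4_acl_in": "ACL_MGMT_IN"},
    {"id": 120, "tags": ["db"], "ipv4_acl_out": "ACL_DB_OUT"},  # dangling reference
]
DEVICES = {"leaf1": ["web"], "leaf2": ["db"], "leaf3": ["storage"]}  # device -> tags


class MissingAclError(ValueError):
    """Raised in strict mode when an SVI points to an undefined ACL."""


def acls_for_device(device_tags, svis, acls, strict=False):
    """Return (ACLs to render, SVI bindings, missing ACL names) for one device."""
    render, bindings, missing = {}, [], []
    for svi in svis:
        if not set(svi["tags"]) & set(device_tags):
            continue  # SVI is not deployed on this device, so neither is its ACL
        for key in ("ipv4_acl_in", "ipv4_acl_out"):
            name = svi.get(key)
            if name is None:
                continue
            if name not in acls:
                if strict:
                    raise MissingAclError(
                        f"SVI {svi['id']}: {key} points to undefined ACL {name!r}")
                missing.append(name)  # non-breaking mode: no binding, but reported
                continue
            render[name] = acls[name]
            bindings.append((svi["id"], key, name))
    return render, bindings, missing


if __name__ == "__main__":
    for device, tags in DEVICES.items():
        print(device, acls_for_device(tags, SVIS, IPV4_ACLS))
```

In the lenient mode of this sketch the SVI is deployed without the filter it was meant to have, which is why the missing names are returned for review rather than dropped silently.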