Feat(eos_cli_config_gen): Add support for `connection tx-interface ma…

…tch source-ip` for `ip security` (aristanetworks#4844) Co-authored-by: Laxmikant Chintakindi <[email protected]> Co-authored-by: Guillaume Mulocher <[email protected]> Co-authored-by: Mahesh Kumar <[email protected]> Co-authored-by: Claus Holbech <[email protected]>
Vibhu-gslab · Jan 7, 2025 · 5ce2fa5 · 5ce2fa5
1 parent cd39961
commit 5ce2fa5
Show file tree

Hide file tree

Showing 9 changed files with 27 additions and 0 deletions.
diff --git a/...llections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md b/...llections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md
@@ -3242,6 +3242,8 @@ mac address-table notification host-flap detection moves 2
 
 - Hardware encryption is disabled
 
+- Match source interface of the IPSec connection is enabled
+
 ### IKE policies
 
 | Policy name | IKE lifetime | Encryption | DH group | Local ID | Integrity |
@@ -3352,6 +3354,7 @@ ip security
    key controller
       profile Profile-1
    hardware encryption disabled
+   connection tx-interface match source-ip
 ```
 
 ## Interfaces

diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg
@@ -1600,6 +1600,7 @@ ip security
    key controller
       profile Profile-1
    hardware encryption disabled
+   connection tx-interface match source-ip
 !
 mac security
    license license1 123456

diff --git a/...lections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/ip-security.yml b/...lections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/ip-security.yml
@@ -80,3 +80,4 @@ ip_security:
   key_controller:
     profile: Profile-1
   hardware_encryption_disabled: true
+  connection_tx_interface_match_source_ip: true
diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md
diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/ip-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/ip-security.j2
@@ -11,6 +11,10 @@
 
 - Hardware encryption is disabled
 {%     endif %}
+{%     if ip_security.connection_tx_interface_match_source_ip is arista.avd.defined(true) %}
+
+- Match source interface of the IPSec connection is enabled
+{%     endif %}
 {%     if ip_security.ike_policies is arista.avd.defined %}
 
 ### IKE policies

diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ip-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/ip-security.j2
@@ -89,4 +89,7 @@ ip security
 {%     if ip_security.hardware_encryption_disabled is arista.avd.defined(true) %}
    hardware encryption disabled
 {%     endif %}
+{%     if ip_security.connection_tx_interface_match_source_ip is arista.avd.defined(true) %}
+   connection tx-interface match source-ip
+{%     endif %}
 {% endif %}
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py b/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml
diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/ip_security.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/ip_security.schema.yml
@@ -198,3 +198,6 @@ keys:
         description: |-
           Disable hardware encryption.
           An SFE restart is needed for this change to take effect.
+      connection_tx_interface_match_source_ip:
+        type: bool
+        description: Match source interface of the IPsec connection.