Feat(eos_cli_config_gen): Adding new keys for inner_vlan_mask and inner_vlan_number under ip_access_lists #6776

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

ClausHolbechArista merged 14 commits into aristanetworks:devel from Shivani-gslab:inner_vlan_ip_access_lists

Apr 16, 2026

...rista/avd/extensions/molecule/eos_cli_config_gen/documentation/devices/host1.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -12094,6 +12094,7 @@ ip access-list ACL_NO_SEQUENCE @@
        permit ip any any tracked dscp ef
        permit ip any any nexthop-group NH_TEST
        permit vlan inner 123 0x000 ip any any
+       permit vlan 235 0x1FF inner 124 0x001 tcp any any
        permit vlan 234 0xFFF ip any any
        permit icmp any any
     !
@@ Expand Down @@

..._collections/arista/avd/extensions/molecule/eos_cli_config_gen/intended/configs/host1.cfg

-Original file line number
+Diff line change
@@ Expand Up / @@ -5057,6 +5057,7 @@ ip access-list ACL_NO_SEQUENCE @@
        permit ip any any tracked dscp ef
        permit ip any any nexthop-group NH_TEST
        permit vlan inner 123 0x000 ip any any
+       permit vlan 235 0x1FF inner 124 0x001 tcp any any
        permit vlan 234 0xFFF ip any any
        permit icmp any any
     !
@@ Expand Down @@

.../avd/extensions/molecule/eos_cli_config_gen/inventory/host_vars/host1/ip-access-lists.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -87,12 +87,19 @@ ip_access_lists: @@
             destination: any
             nexthop_group: NH_TEST
           - action: permit
-            vlan_number: 123
-            vlan_inner: true
-            vlan_mask: "0x000"
+            inner_vlan_number: 123
+            inner_vlan_mask: "0x000"
             protocol: ip
             source: any
             destination: any
+          - action: permit
+            inner_vlan_number: 124
+            inner_vlan_mask: "0x001"
+            vlan_number: 235
+            vlan_mask: "0x1FF"
+            protocol: tcp
+            source: any
+            destination: any
           - action: permit
             vlan_number: 234
             vlan_mask: "0xFFF"
@@ Expand Down @@

...ions/molecule/eos_cli_config_gen_deprecated_vars/documentation/devices/host1.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -17,6 +17,7 @@ @@
     - [ACL](#acl)
       - [Standard Access-lists](#standard-access-lists)
       - [Extended Access-lists](#extended-access-lists)
+      - [IP Access-lists](#ip-access-lists)
       - [IPv6 Extended Access-lists](#ipv6-extended-access-lists)
     ## Management
@@ Expand Down Expand Up / @@ -402,6 +403,16 @@ ip access-list acl_qos_tc5_v4 @@
 permit ip any any dscp ef
     ```
+    ### IP Access-lists
+    #### IP Access-lists Device Configuration
+    ```eos
+    !
+    ip access-list ACL_SEQUENCE_AND_COUNTERS
+       permit vlan inner 235 0x1FF ip any any
+    ```
     ### IPv6 Extended Access-lists
     #### IPv6 Extended Access-lists Summary
@@ Expand Down @@

...sta/avd/extensions/molecule/eos_cli_config_gen_deprecated_vars/intended/configs/host1.cfg

-Original file line number
+Diff line change
@@ Expand Up / @@ -96,6 +96,9 @@ ip access-list acl_qos_tc0_v4 @@
     ip access-list acl_qos_tc5_v4
 permit ip any any dscp ef
     !
+    ip access-list ACL_SEQUENCE_AND_COUNTERS
+       permit vlan inner 235 0x1FF ip any any
+    !
     ip access-list standard ACL-API
 remark ACL to restrict access to switch API to CVP and Ansible
 permit host 10.10.10.10
@@ Expand Down @@

...molecule/eos_cli_config_gen_deprecated_vars/inventory/host_vars/host1/ip-access-lists.yml

-Original file line number
+Diff line change
@@ -0,0 +1,12 @@
+    ---
+    # Test for deprecated key vlan_inner
+    ip_access_lists:
+      - name: ACL_SEQUENCE_AND_COUNTERS
+        entries:
+          - action: permit
+            vlan_number: 235
+            vlan_mask: "0x1FF"
+            vlan_inner: true
+            protocol: ip
+            source: any
+            destination: any

...ons/arista/avd/extensions/molecule/eos_designs_deprecated_vars/intended/configs/host1.cfg

-Original file line number
+Diff line change
@@ Expand Up / @@ -63,6 +63,12 @@ aaa group server tacacs+ TACACS1 @@
     aaa group server tacacs+ TACACS2
        server 10.10.10.1 vrf default
     !
+    interface Ethernet1
+       no shutdown
+       no switchport
+       ip address 172.16.0.2/30
+       ip access-group TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet1 in
+    !
     interface Ethernet41
        description P2P_host1_Ethernet42
        no shutdown
@@ Expand Down Expand Up / @@ -112,6 +118,9 @@ interface Vxlan1 @@
     !
     ip virtual-router mac-address 00:1c:73:00:00:01
     !
+    ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet1
+       permit vlan inner 123 0x000 ip 172.16.0.1/30 host 172.16.0.2
+    !
     ip routing
     ip routing vrf IGMP_QUERIER_TEST_3
     !
@@ Expand Down @@

...avd/extensions/molecule/eos_designs_deprecated_vars/intended/structured_configs/host1.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -64,7 +64,25 @@ ethernet_interfaces: @@
         peer_type: l3leaf
       switchport:
         enabled: false
+    - name: Ethernet1
+      shutdown: false
+      ip_address: 172.16.0.2/30
+      access_group_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet1
+      metadata:
+        peer_type: l3_interface
+      switchport:
+        enabled: false
     hostname: host1
+    ip_access_lists:
+    - name: TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet1
+      entries:
+      - action: permit
+        protocol: ip
+        source: 172.16.0.1/30
+        destination: 172.16.0.2
+        vlan_inner: true
+        vlan_number: 123
+        vlan_mask: '0x000'
     ip_igmp_snooping:
       globally_enabled: true
       vlans:
@@ Expand Down @@

...d/extensions/molecule/eos_designs_deprecated_vars/inventory/host_vars/host1/ipv4_acls.yml

-Original file line number
+Diff line change
@@ -0,0 +1,14 @@
+    # Test for vlan_inner deprecation in ipv4_acls
+    type: l3leaf
+    ipv4_acls:
+    # ip_access_lists:
+      - name: TEST-IPV4-ACL-WITH-IP-FIELDS-IN
+        entries:
+          - action: permit
+            protocol: ip
+            source: peer_ip
+            destination: interface_ip
+            vlan_number: 123
+            vlan_mask: "0x000"
+            vlan_inner: true

...d/extensions/molecule/eos_designs_deprecated_vars/inventory/host_vars/host1/node_type.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -44,6 +44,11 @@ l3leaf: @@
                   evpn_ethernet_segment:
                     identifier: 0000:0001:0001:0000:0509
                     rt_import: 00:00:00:00:07:09
+              l3_interfaces:
+                - name: Ethernet1
+                  ip_address: 172.16.0.2/30
+                  ipv4_acl_in: TEST-IPV4-ACL-WITH-IP-FIELDS-IN
+                  peer_ip: 172.16.0.1/30
     # Used by source-interfaces test: Testing that the generated source interfaces do not contain the VRF if VRF "default"
     mgmt_interface_vrf: default
@@ Expand Down @@

...ions/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/configs/ipv4-acls.cfg

-Original file line number
+Diff line change
@@ Expand Up / @@ -67,15 +67,15 @@ interface Loopback0 @@
     !
     ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet1
 deny ip any host 172.16.0.2
-       permit ip 172.16.0.1/30 host 172.16.0.2
+       permit vlan inner 123 0x000 ip 172.16.0.1/30 host 172.16.0.2
     !
     ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet2
 deny ip any host 172.17.17.17
-       permit ip host 172.17.17.1 host 172.17.17.17
+       permit vlan inner 123 0x000 ip host 172.17.17.1 host 172.17.17.17
     !
     ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-IN_Ethernet5_1
 deny ip any host 172.20.20.0
-       permit ip 172.20.20.1/30 host 172.20.20.0
+       permit vlan inner 123 0x000 ip 172.20.20.1/30 host 172.20.20.0
     !
     ip access-list TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet1
        remark Some remark will not require source and destination fields.
@@ Expand Down @@

.../avd/extensions/molecule/eos_designs_unit_tests/intended/structured_configs/ipv4-acls.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -77,6 +77,8 @@ ip_access_lists: @@
         protocol: ip
         source: 172.16.0.1/30
         destination: 172.16.0.2
+        inner_vlan_number: 123
+        inner_vlan_mask: '0x000'
     - name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet1
       entries:
       - remark: Some remark will not require source and destination fields.
@@ Expand All / @@ -95,6 +97,8 @@ ip_access_lists: @@
         protocol: ip
         source: 172.17.17.1
         destination: 172.17.17.17
+        inner_vlan_number: 123
+        inner_vlan_mask: '0x000'
     - name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet2
       entries:
       - remark: Some remark will not require source and destination fields.
@@ Expand Down Expand Up / @@ -125,6 +129,8 @@ ip_access_lists: @@
         protocol: ip
         source: 172.20.20.1/30
         destination: 172.20.20.0
+        inner_vlan_number: 123
+        inner_vlan_mask: '0x000'
     - name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT_Ethernet6_6.6
       entries:
       - remark: Some remark will not require source and destination fields.
@@ Expand Down @@

...s/arista/avd/extensions/molecule/eos_designs_unit_tests/inventory/host_vars/ipv4-acls.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -53,6 +53,8 @@ ipv4_acls: @@
             protocol: ip
             source: peer_ip
             destination: interface_ip
+            inner_vlan_number: 123
+            inner_vlan_mask: "0x000"
       - name: TEST-IPV4-ACL-WITH-IP-FIELDS-OUT
         entries:
           - remark: Some remark will not require source and destination fields.
@@ Expand Down @@

..._collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-access-lists.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

...ollections/arista/avd/roles/eos_cli_config_gen/docs/tables/ipv6-access-lists.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

ansible_collections/arista/avd/roles/eos_designs/docs/tables/ipv4-acls.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feat(eos_cli_config_gen): Adding new keys for inner_vlan_mask and inner_vlan_number under ip_access_lists #6776

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!