eos_validate_state¶
Overview¶
eos_validate_state is a role leveraged to validate Arista EOS devices’ operational states.
eos_validate_state role:
- Consumes structured EOS configuration file, the same input as the role eos_cli_config_gen. This input is considered the system of record (the desired state).
- Leverages Arista Network Test Automation (ANTA) framework to:
- Connect to EOS devices via eAPI to collect operational states (actual state). This requires access to the configured devices.
- Compare the actual states against the desired state.
- Generates CSV and Markdown reports of the results.
- Supports Ansible
check
mode. When running incheck
mode,eos_validate_state
produces a report of tests that would be performed without running the tests on your network. Tests will be marked asNOT RUN
in the final reports. This can be useful to inspect which tests are going to be run.
- This role supports additional level of verbosity in Ansible. In particular, when run with
-v
, logs gives visibility on which test categories are being removed from a device catalog by AVD according to the structured configurations.
Role Inputs and Outputs¶
Figure 1 below provides a visualization of the role’s inputs, outputs, and tasks in order executed by the role.
Inputs:
- Devices’ structured configurations generated by abstraction role.
- Device state (collected during ANTA test execution).
- Custom ANTA test catalogs (optional).
Outputs:
- JSON test results (per device).
- ANTA test catalog (per device, optional).
- CSV report.
- Markdown report.
Tasks:
- Include devices’ structured configurations.
- Generate per-device test catalogs:
- Optionally store catalogs
- Execute tests using ANTA
- Store results as JSON
- Generate CSV and Markdown reports.
Tip
You can provide your own custom ANTA catalogs using any of the available ANTA tests to the AVD eos_validate_state
role. Please refer to the Custom ANTA catalog section for more details.
Test categories¶
- AvdTestHardware
- VerifyEnvironmentPower: Validate environment power supplies status.
- VerifyEnvironmentCooling: Validate environment fan status.
- VerifyTemperature: Validate environment temperature.
- VerifyTransceiversManufacturers: Validate transceivers manufacturer.
- AvdTestNTP
- VerifyNTP: Validate NTP status.
- AvdTestInterfacesState
- VerifyInterfacesStatus: Validate interfaces status. To skip tests for specific interfaces, set validate_state to False.
- Ethernet interfaces
- Port-channel interfaces
- Vlan interfaces
- Loopback interfaces
- Vxlan1 interface
- DPS interfaces
- VerifyInterfacesStatus: Validate interfaces status. To skip tests for specific interfaces, set validate_state to False.
- AvdTestP2PIPReachability
- VerifyReachability: Validate IP reachability for point-to-point l3 ethernet interfaces.
- AvdTestInbandReachability
- VerifyReachability: Validate loopback reachability from the inband management VLAN interface.
- AvdTestLoopback0Reachability
- VerifyReachability: Validate loopback reachability between devices.
- AvdTestDpsReachability
- VerifyReachability: Validate DPS reachability between devices.
- AvdTestLLDPTopology
- VerifyLLDPNeighbors: Validate LLDP topology. To skip tests for specific Ethernet interfaces, set validate_state to False.
- AvdTestMLAG
- VerifyMlagStatus: Validate MLAG status.
- AvdTestRoutingTable
- VerifyRoutingTableEntry: Validate remote Loopback0 address and source interface for Vxlan1 interface are in the routing table.
- AvdTestBGP
- VerifyBGPSpecificPeers: Validate IP BGP and BGP EVPN sessions state.
- VerifyRoutingProtocolModel: Validate ArBGP is configured and operating.
- AvdTestReloadCause
- VerifyReloadCause: Validate last reload cause. (Optional)
- AvdTestAPIHttpsSSL
- VerifyAPIHttpsSSL: Validate eAPI HTTPS SSL profile status.
- AvdTestIPSecurity
- VerifySpecificIPSecConn: Validates the establishment of IP security connections for a peer within the default VRF. In its current state, the test validates only IPsec connections defined as static peers under the
router path-selection
section of the configuration.
- VerifySpecificIPSecConn: Validates the establishment of IP security connections for a peer within the default VRF. In its current state, the test validates only IPsec connections defined as static peers under the
- AvdTestStun
- VerifyStunClient: Validates the presence of a STUN client translation for a given source IPv4 address and port for WAN scenarios. The list of expected translations for each device is built by searching local interfaces in each path-group.
- AvdTestAvtRole
- VerifyAVTRole: Validate the Adaptive Virtual Topology (AVT) role of a device.
- VerifyAVTSpecificPath: Validate that the status is active and the type is direct for an Adaptive Virtual Topology (AVT) path in a specified VRF for the static peers.
Input Variables¶
The following input variables are available for the role. When a default value exists, it is indicated.
# Root directory.
root_dir: <str; | default="{{ inventory_dir }}">
# Output directory.
output_dir_name: <str; | default="intended">
output_dir: <str; | default="{{ root_dir }}/{{ output_dir_name }}">
# Output for test catalog YAML files if save_catalog is set to true.
test_catalogs_dir_name: "<str; | default="test_catalogs">
test_catalogs_dir: <str; | default="{{ output_dir }}/{{ test_catalogs_dir_name }}">
# Output directory for eos_validate_state reports.
eos_validate_state_name: <str; | default="reports">
eos_validate_state_dir: <str; | default="{{ root_dir }}/{{ eos_validate_state_name }}">
# Output for test results JSON files if save_results is set to true.
test_results_dir_name: <str; | default="test_results">
test_results_dir: <str; | default="{{ eos_validate_state_dir }}/{{ test_results_dir_name }}">
# Reports name.
eos_validate_state_md_report_path: <str; | default="{{ eos_validate_state_dir }}/{{ fabric_name }}-state.md">
eos_validate_state_csv_report_path: <str; | default="{{ eos_validate_state_dir }}/{{ fabric_name }}-state.csv">
# Input directory for structured configuration files.
structured_dir_name: <str; | default="structured_configs">
structured_dir: <str; | default="{{ output_dir }}/{{ structured_dir_name }}">
# Structured configuration files format.
avd_structured_config_file_format: "yml"
# Input directory for custom ANTA catalogs.
custom_anta_catalogs_dir_name: <str; | default="custom_anta_catalogs">
custom_anta_catalogs_dir: <str; | default="{{ root_dir }}/{{ custom_anta_catalogs_dir_name }}">
# Allow different manufacturers.
accepted_xcvr_manufacturers: <list; | default="['Arastra, Inc.', 'Arista Networks']">
# Allow different states for power supplies.
accepted_pwr_supply_states: <list; default=['ok']>
# Allow different states for fans.
accepted_fan_states: <list; default=['ok']">
# Generate CSV results file.
validation_report_csv: <bool; default=True>
# Generate MD results file.
validation_report_md: <bool; default=True>
# Print only FAILED tests.
only_failed_tests: <bool; default=False>
# Save each device test catalog to 'test_catalogs_dir'.
save_catalog: <bool; default=False>
# Logging level for the ANTA libraries.
logging_level: <str; "INFO" | "WARNING" | "ERROR" | "CRITICAL" | "DEBUG"; default="WARNING">
# The variable `skip_tests` can be used for running/skipping test categories.
# Examples
# skip_tests:
# - category: AvdTestHardware
#
# or to skip specific tests (ANTA test names) in a given category for more granularity:
# skip_tests:
# - category: AvdTestHardware
# tests:
# - VerifyEnvironmentCooling
# - VerifyTemperature
# - category: AvdTestBGP
# tests:
# - VerifyBGPSpecificPeers
skip_tests:
- category: <str>
# Optional tests
tests:
- <str>
The default accepted manufacturers are “Arastra, Inc.” and “Arista Networks.” To change this, use accepted_xcvr_manufacturers
.
By default, all fans and power supplies are expected to be in the ok
state. However chassis switches may intentionally be missing some fans or power supplies as they are not fully populated. In this case, accepted_fan_states
and accepted_pwr_supply_states
can be updated to include the notInserted
state to avoid failures on missing fans/power supplies.
Two user-defined variables control the generation of CSV and MD reports. These are validation_report_csv
and validation_report_md
respectively.
The variable only_failed_tests
is used to limit the number of tests shown in the reports. When set, all reports will only show failed tests.
Requirements¶
Requirements are located here: avd-requirements
Custom ANTA catalog¶
You can provide custom ANTA catalogs to the AVD eos_validate_state
role. By default, AVD will search for catalog YAML files in the custom_anta_catalogs
directory and incorporate these tests into the existing dynamically created catalog from AVD. The custom catalog files must be named as follows:
<hostname>.yml
or<hostname>.yaml
<group>.yml
or<group>.yaml
When specifying a group, it must be a group from the Ansible inventory. The custom tests will then be added to all devices that are part of this group. You can also use the all
group to target all the devices in your inventory. The directory where the custom catalogs are stored can be changed with the custom_anta_catalogs_dir
variable.
Warning
The skip_tests
variable will ONLY skip the dynamically generated tests from the AVD validate state role. It will not skip tests added from custom catalogs.
Info
The final catalog will be validated by ANTA before running the tests on your network. Duplicate tests with the same inputs will be automatically removed. Therefore, dynamically generated tests by AVD will never be overwritten. To overwrite them, you should first skip them using the skip_tests
variable and provide your own tests with inputs via a custom catalog.
Example Playbook¶
---
- name: validate states on EOS devices using ANTA
hosts: DC1
gather_facts: false
tasks:
- name: validate states on EOS devices
ansible.builtin.import_role:
name: arista.avd.eos_validate_state
vars:
# Optionally save catalogs
save_catalog: true
Input example¶
inventory/inventory.ini¶
---
all:
children:
DC1:
children:
DC1_FABRIC:
children:
DC1_SPINES:
hosts:
switch2:
ansible_host: 10.83.28.190
DC1_L3LEAFS:
children:
DC1_LEAF1:
hosts:
switch1:
ansible_host: 10.83.28.216
DC1_LEAF2:
hosts:
switch3:
ansible_host: 10.83.28.191
inventory/group_vars/DC1.yml¶
ansible_user: arista
ansible_password: arista
ansible_network_os: eos
ansible_become: yes
ansible_become_method: enable
ansible_become_password: arista
ansible_connection: httpapi
fabric_name: "DC1"
accepted_xcvr_manufacturers:
- Manufacturer 1
- Manufacturer 2
accepted_pwr_supply_states:
- ok
- notInserted
accepted_fan_states:
- ok
- notInserted
inventory/intended/structured_configs/switch1.yml¶
router_bgp:
neighbors:
- ip_address: 10.10.10.1
remote_as: 65002
- ip_address: 10.10.10.3
remote_as: 65003
ethernet_interfaces:
- name: Ethernet2
peer: switch3
peer_interface: Ethernet4
ip_address: 10.10.10.2/31
type: routed
- name: Ethernet5
peer: switch2
peer_interface: Ethernet5
ip_address: 10.10.10.0/31
type: routed
mlag_configuration:
domain_id: MLAG12
local_interface: Vlan4094
peer_address: 172.16.12.1
peer_link: Port-Channel10
reload_delay_mlag: 300
reload_delay_non_mlag: 330
ntp:
local_interface:
interface: Management1
vrf: MGMT
servers:
- name: 0.fr.pool.ntp.org
vrf: MGMT
- name: 1.fr.pool.ntp.org
vrf: MGMT
dns_domain: lab.local
Usage example¶
License¶
Project is published under Apache 2.0 License
Known issues¶
[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called.
This issue affects OSX users only and is covered in Ansible documentation: https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#running-on-macos-as-a-control-node.