Feat(eos_cli_config_gen): Add support for ingress in system.control_plane.ipv4/6_access_group

ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/system.md

@@ -48,16 +48,21 @@ interface Management1
 
 #### Control-Plane Access-Groups
 
-| Protocol | VRF | Access-list |
-| -------- | --- | ------------|
-| IPv4 | default | acl4_1 |
-| IPv4 | red | acl4_2 |
-| IPv4 | red_1 | acl4_2 |
-| IPv4 | default | acl4_3 |
-| IPv6 | default | acl6_1 |
-| IPv6 | blue | acl6_2 |
-| IPv6 | blue_1 | acl6_2 |
-| IPv6 | default | acl6_3 |
+| Protocol | VRF | Access-list | Ingress-default |
+| -------- | --- | ------------| --------------- |
+| IPv4 | default | acl4_1 | - |
+| IPv4 | red | acl4_2 | - |
+| IPv4 | red_1 | acl4_2 | - |
+| IPv4 | default | acl4_3 | - |
+| IPv4 | red_2 | acl4_4 | True |
+| IPv4 | red_3 | acl4_5 | False |
+| IPv4 | red_4 | ingress | - |
+| IPv6 | default | acl6_1 | - |
+| IPv6 | blue | acl6_2 | - |
+| IPv6 | blue_1 | acl6_2 | - |
+| IPv6 | default | acl6_3 | - |
+| IPv6 | default | acl6_4 | True |
+| IPv6 | blue_2 | ingress | - |
 
 #### System Control-Plane Device Configuration
 
@@ -66,13 +71,18 @@ interface Management1
 system control-plane
    tcp mss ceiling ipv4 1344 ipv6 1366
    ip access-group acl4_1 in
-   ip access-group acl4_3 vrf default in
    ip access-group acl4_2 vrf red in
    ip access-group acl4_2 vrf red_1 in
+   ip access-group acl4_3 vrf default in
+   ip access-group ingress default acl4_4
+   ip access-group acl4_5 vrf red_3 in
+   ip access-group ingress vrf red_4 in
    ipv6 access-group acl6_1 in
-   ipv6 access-group acl6_3 vrf default in
    ipv6 access-group acl6_2 vrf blue in
    ipv6 access-group acl6_2 vrf blue_1 in
+   ipv6 access-group acl6_3 vrf default in
+   ipv6 access-group ingress default acl6_4
+   ipv6 access-group ingress vrf blue_2 in
 ```
 
 ## System L1

ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/system.cfg

@@ -11,10 +11,15 @@ interface Management1
 system control-plane
    tcp mss ceiling ipv4 1344 ipv6 1366
    ip access-group acl4_1 in
-   ip access-group acl4_3 vrf default in
    ip access-group acl4_2 vrf red in
    ip access-group acl4_2 vrf red_1 in
+   ip access-group acl4_3 vrf default in
+   ip access-group ingress default acl4_4
+   ip access-group acl4_5 vrf red_3 in
+   ip access-group ingress vrf red_4 in
    ipv6 access-group acl6_1 in
-   ipv6 access-group acl6_3 vrf default in
    ipv6 access-group acl6_2 vrf blue in
    ipv6 access-group acl6_2 vrf blue_1 in
+   ipv6 access-group acl6_3 vrf default in
+   ipv6 access-group ingress default acl6_4
+   ipv6 access-group ingress vrf blue_2 in

ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/system.yml

@@ -11,6 +11,14 @@ system:
         vrf: red_1
       - acl_name: "acl4_3"
         vrf: default
+      - acl_name: "acl4_4"
+        vrf: red_2
+        ingress_default: true
+      - acl_name: "acl4_5"
+        vrf: red_3
+        ingress_default: false
+      - acl_name: "ingress"
+        vrf: red_4
     ipv6_access_groups:
       - acl_name: "acl6_1"
       - acl_name: "acl6_2"
@@ -19,6 +27,10 @@ system:
         vrf: blue_1
       - acl_name: "acl6_3"
         vrf: default
+      - acl_name: "acl6_4"
+        ingress_default: true
+      - acl_name: "ingress"
+        vrf: blue_2
   l1:
     unsupported_speed_action: warn
     unsupported_error_correction_action: error

python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/system.j2

@@ -24,15 +24,15 @@
 
 #### Control-Plane Access-Groups
 
-| Protocol | VRF | Access-list |
-| -------- | --- | ------------|
+| Protocol | VRF | Access-list | Ingress-default |
+| -------- | --- | ------------| --------------- |
 {#         IPv4 Access-groups #}
 {%         for acl_set in system.control_plane.ipv4_access_groups | arista.avd.natural_sort %}
-| IPv4 | {{ acl_set.vrf | arista.avd.default('default') }} | {{ acl_set.acl_name }} |
+| IPv4 | {{ acl_set.vrf | arista.avd.default('default') }} | {{ acl_set.acl_name }} | {{ acl_set.ingress_default | arista.avd.default('-') }} |
 {%         endfor %}
 {#         IPv6 Access-groups #}
 {%         for acl_set in system.control_plane.ipv6_access_groups | arista.avd.natural_sort %}
-| IPv6 | {{ acl_set.vrf | arista.avd.default('default') }} | {{ acl_set.acl_name }} |
+| IPv6 | {{ acl_set.vrf | arista.avd.default('default') }} | {{ acl_set.acl_name }} | {{ acl_set.ingress_default | arista.avd.default('-') }} |
 {%         endfor %}
 {%     endif %}
 

python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/system.j2

@@ -25,12 +25,16 @@ system control-plane
 {%         set with_vrf_default = system.control_plane.ipv4_access_groups | selectattr('vrf', 'arista.avd.defined') | selectattr('vrf', 'equalto', 'default') | arista.avd.natural_sort %}
 {%         set sorted_ipv4_access_groups =  without_vrf | list + with_vrf_default | list + with_vrf_non_default | list %}
 {%     endif %}
-{%     for acl_set in sorted_ipv4_access_groups | arista.avd.default([]) %}
-{%         set cp_ipv4_access_grp = "ip access-group " ~ acl_set.acl_name %}
-{%         if acl_set.vrf is arista.avd.defined %}
-{%             set cp_ipv4_access_grp = cp_ipv4_access_grp ~ " vrf " ~ acl_set.vrf %}
+{%     for acl_set in system.control_plane.ipv4_access_groups | arista.avd.natural_sort %}
+{%         if acl_set.ingress_default is arista.avd.defined(true) %}
+{%             set cp_ipv4_access_grp = "ip access-group ingress default " ~ acl_set.acl_name %}
+{%         else %}
+{%             set cp_ipv4_access_grp = "ip access-group " ~ acl_set.acl_name %}
+{%             if acl_set.vrf is arista.avd.defined %}
+{%                 set cp_ipv4_access_grp = cp_ipv4_access_grp ~ " vrf " ~ acl_set.vrf %}
+{%             endif %}
+{%             set cp_ipv4_access_grp = cp_ipv4_access_grp ~ " in" %}
 {%         endif %}
-{%         set cp_ipv4_access_grp = cp_ipv4_access_grp ~ " in" %}
    {{ cp_ipv4_access_grp }}
 {%     endfor %}
 {#     control_plane access_groups ipv6 #}
@@ -40,12 +44,16 @@ system control-plane
 {%         set with_vrf_default = system.control_plane.ipv6_access_groups | selectattr('vrf', 'arista.avd.defined') | selectattr('vrf', 'equalto', 'default') | arista.avd.natural_sort %}
 {%         set sorted_ipv6_access_groups =  without_vrf | list + with_vrf_default | list + with_vrf_non_default | list %}
 {%     endif %}
-{%     for acl_set in sorted_ipv6_access_groups | arista.avd.default([]) %}
-{%         set cp_ipv6_access_grp = "ipv6 access-group " ~ acl_set.acl_name %}
-{%         if acl_set.vrf is arista.avd.defined %}
-{%             set cp_ipv6_access_grp = cp_ipv6_access_grp ~ " vrf " ~ acl_set.vrf %}
+{%     for acl_set in system.control_plane.ipv6_access_groups | arista.avd.natural_sort %}
+{%         if acl_set.ingress_default is arista.avd.defined(true) %}
+{%             set cp_ipv6_access_grp = "ipv6 access-group ingress default " ~ acl_set.acl_name %}
+{%         else %}
+{%             set cp_ipv6_access_grp = "ipv6 access-group " ~ acl_set.acl_name %}
+{%             if acl_set.vrf is arista.avd.defined %}
+{%                 set cp_ipv6_access_grp = cp_ipv6_access_grp ~ " vrf " ~ acl_set.vrf %}
+{%             endif %}
+{%             set cp_ipv6_access_grp = cp_ipv6_access_grp ~ " in" %}
 {%         endif %}
-{%         set cp_ipv6_access_grp = cp_ipv6_access_grp ~ " in" %}
    {{ cp_ipv6_access_grp }}
 {%     endfor %}
 {% endif %}

python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/system.schema.yml

@@ -32,10 +32,17 @@ keys:
                 acl_name:
                   type: str
                   required: true
+                  description: |-
+                    Access list name.
+                    String "ingress" could be access list name as well.
                 vrf:
                   type: str
                   convert_types:
                     - int
+                  description: Keys `vrf` and `ingress_default` are mutually exclusive.
+                ingress_default:
+                  type: bool
+                  description: Keys `vrf` and `ingress_default` are mutually exclusive.
           ipv6_access_groups:
             type: list
             unique_keys:
@@ -50,6 +57,10 @@ keys:
                   type: str
                   convert_types:
                     - int
+                  description: "'vrf' and 'ingress_default' are mutually exclusive."
+                ingress_default:
+                  type: bool
+                  description: "'vrf' and 'ingress_default' are mutually exclusive."
       l1:
         type: dict
         keys:

python-avd/pyavd/_eos_designs/structured_config/core_interfaces_and_l3_edge/utils.py

@@ -310,6 +310,8 @@ def _get_port_channel_member_cfg(self: AvdStructuredConfigCoreInterfacesAndL3Edg
         Return partial structured_config for one p2p_link.
 
         Covers config for ethernet interfaces that are port-channel members.
+
+        TODO: Change description for members to be the physical peer interface instead of port-channel
         """
         return {
             "name": member["interface"],