stack-orchestrator/playbooks/ashburn-relay-was-sw01.yml

---
# Configure laconic-was-sw01 for full validator traffic relay
#
# Replaces the old SHRED-RELAY (TVU-only, port 20000) with VALIDATOR-RELAY
# covering all validator ports (8001, 9000-9025). Adds Loopback101 for
# 137.239.194.65.
#
# Uses EOS config session with 5-minute auto-revert for safety.
# After verification, run with -e commit=true to finalize.
#
# Usage:
#   ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml
#   ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml -e commit=true
#   ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml -e rollback=true

- name: Configure was-sw01 inbound validator relay
  hosts: was-sw01
  gather_facts: false

  vars:
    ashburn_ip: 137.239.194.65
    commit: false
    rollback: false
    session_name: validator-relay
    checkpoint_name: pre-validator-relay

  tasks:
    # ------------------------------------------------------------------
    # Rollback path
    # ------------------------------------------------------------------
    - name: Rollback to checkpoint
      when: rollback | bool
      block:
        - name: Execute rollback
          arista.eos.eos_command:
            commands:
              - "rollback running-config checkpoint {{ checkpoint_name }}"
              - write memory
          register: rollback_result

        - name: Show rollback result
          ansible.builtin.debug:
            var: rollback_result.stdout_lines

        - name: End play after rollback
          ansible.builtin.meta: end_play

    # ------------------------------------------------------------------
    # Commit finalization
    # ------------------------------------------------------------------
    - name: Finalize pending session
      when: commit | bool
      block:
        - name: Commit session and write memory
          arista.eos.eos_command:
            commands:
              - "configure session {{ session_name }} commit"
              - write memory
          register: commit_result

        - name: Show commit result
          ansible.builtin.debug:
            var: commit_result.stdout_lines

        - name: End play after commit
          ansible.builtin.meta: end_play

    # ------------------------------------------------------------------
    # Pre-checks
    # ------------------------------------------------------------------
    - name: Show current traffic-policy on Et1/1
      arista.eos.eos_command:
        commands:
          - show running-config interfaces Ethernet1/1
      register: et1_config

    - name: Show current config
      ansible.builtin.debug:
        var: et1_config.stdout_lines

    - name: Show existing PBR policy on Et1/1
      arista.eos.eos_command:
        commands:
          - "show running-config | include service-policy"
      register: existing_pbr

    - name: Show existing PBR config
      ansible.builtin.debug:
        var: existing_pbr.stdout_lines

    # ------------------------------------------------------------------
    # Save checkpoint
    # ------------------------------------------------------------------
    - name: Save checkpoint for rollback
      arista.eos.eos_command:
        commands:
          - "configure checkpoint save {{ checkpoint_name }}"
      register: checkpoint_result

    - name: Show checkpoint result
      ansible.builtin.debug:
        var: checkpoint_result.stdout_lines

    # ------------------------------------------------------------------
    # Apply via config session with 5-minute auto-revert
    #
    # eos_config writes directly to running-config, bypassing sessions.
    # Use eos_command with raw CLI to get the safety net.
    # ------------------------------------------------------------------
    - name: Apply config session with auto-revert
      arista.eos.eos_command:
        commands:
          # Enter named config session
          - command: "configure session {{ session_name }}"
          # Loopback101 for Ashburn IP
          - command: interface Loopback101
          - command: "ip address {{ ashburn_ip }}/32"
          - command: exit
          # ACL covering all validator ports
          - command: ip access-list VALIDATOR-RELAY-ACL
          - command: 10 permit udp any any eq 8001
          - command: 20 permit udp any any range 9000 9025
          - command: 30 permit tcp any any eq 8001
          - command: exit
          # PBR class-map referencing the ACL
          - command: class-map type pbr match-any VALIDATOR-RELAY-CLASS
          - command: match ip access-group VALIDATOR-RELAY-ACL
          - command: exit
          # PBR policy-map with nexthop redirect
          - command: policy-map type pbr VALIDATOR-RELAY
          - command: class VALIDATOR-RELAY-CLASS
          - command: "set nexthop {{ backbone_peer }}"
          - command: exit
          - command: exit
          # Apply PBR policy on Et1/1
          - command: interface Ethernet1/1
          - command: service-policy type pbr input VALIDATOR-RELAY
          - command: exit
      tags: [config]

    - name: Show session diff
      arista.eos.eos_command:
        commands:
          - "configure session {{ session_name }}"
          - show session-config diffs
          - exit
      register: session_diff

    - name: Display session diff
      ansible.builtin.debug:
        var: session_diff.stdout_lines

    - name: Commit with 5-minute auto-revert
      arista.eos.eos_command:
        commands:
          - "configure session {{ session_name }} commit timer 00:05:00"
      tags: [config]

    # ------------------------------------------------------------------
    # Verify
    # ------------------------------------------------------------------
    - name: Show PBR policy on Et1/1
      arista.eos.eos_command:
        commands:
          - show running-config interfaces Ethernet1/1
          - show running-config section policy-map
          - show ip interface Loopback101
      register: pbr_interface

    - name: Display verification
      ansible.builtin.debug:
        var: pbr_interface.stdout_lines

    - name: Show Loopback101
      arista.eos.eos_command:
        commands:
          - show ip interface Loopback101
      register: lo101

    - name: Display Loopback101
      ansible.builtin.debug:
        var: lo101.stdout_lines

    - name: Reminder
      ansible.builtin.debug:
        msg: |
          === Config applied with 5-minute auto-revert ===
          Session: {{ session_name }}
          Checkpoint: {{ checkpoint_name }}

          The config will auto-revert in 5 minutes unless committed.
          Verify PBR policy is applied, then commit from the switch CLI:
            configure session {{ session_name }} commit
            write memory

          To revert immediately:
            ansible-playbook ... -e rollback=true
feat: ashburn validator relay playbooks Three playbooks for routing all validator traffic through 137.239.194.65: - was-sw01: Loopback101 + PBR redirect on Et1/1 (already applied/committed) Will be simplified to a static route in next iteration. - mia-sw01: ACL permit for src 137.239.194.65 on Tunnel500 + default route in vrf1 via egress-vrf default to was-sw01 backbone. No PBR needed — per-tunnel ACLs already scope what enters vrf1. - biscayne: DNAT inbound (137.239.194.65 → kind node), SNAT + policy routing outbound (validator sport 8001,9000-9025 → doublezero0 GRE). Inbound already applied. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-06 21:08:48 +00:00			`---`
			`# Configure laconic-was-sw01 for full validator traffic relay`
			`#`
			`# Replaces the old SHRED-RELAY (TVU-only, port 20000) with VALIDATOR-RELAY`
			`# covering all validator ports (8001, 9000-9025). Adds Loopback101 for`
			`# 137.239.194.65.`
			`#`
			`# Uses EOS config session with 5-minute auto-revert for safety.`
			`# After verification, run with -e commit=true to finalize.`
			`#`
			`# Usage:`
			`# ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml`
			`# ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml -e commit=true`
			`# ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml -e rollback=true`

			`- name: Configure was-sw01 inbound validator relay`
			`hosts: was-sw01`
			`gather_facts: false`

			`vars:`
			`ashburn_ip: 137.239.194.65`
			`commit: false`
			`rollback: false`
			`session_name: validator-relay`
			`checkpoint_name: pre-validator-relay`

			`tasks:`
			`# ------------------------------------------------------------------`
			`# Rollback path`
			`# ------------------------------------------------------------------`
			`- name: Rollback to checkpoint`
			`when: rollback \| bool`
			`block:`
			`- name: Execute rollback`
			`arista.eos.eos_command:`
			`commands:`
			`- "rollback running-config checkpoint {{ checkpoint_name }}"`
			`- write memory`
			`register: rollback_result`

			`- name: Show rollback result`
			`ansible.builtin.debug:`
			`var: rollback_result.stdout_lines`

			`- name: End play after rollback`
			`ansible.builtin.meta: end_play`

			`# ------------------------------------------------------------------`
			`# Commit finalization`
			`# ------------------------------------------------------------------`
			`- name: Finalize pending session`
			`when: commit \| bool`
			`block:`
			`- name: Commit session and write memory`
			`arista.eos.eos_command:`
			`commands:`
			`- "configure session {{ session_name }} commit"`
			`- write memory`
			`register: commit_result`

			`- name: Show commit result`
			`ansible.builtin.debug:`
			`var: commit_result.stdout_lines`

			`- name: End play after commit`
			`ansible.builtin.meta: end_play`

			`# ------------------------------------------------------------------`
			`# Pre-checks`
			`# ------------------------------------------------------------------`
			`- name: Show current traffic-policy on Et1/1`
			`arista.eos.eos_command:`
			`commands:`
			`- show running-config interfaces Ethernet1/1`
			`register: et1_config`

			`- name: Show current config`
			`ansible.builtin.debug:`
			`var: et1_config.stdout_lines`

			`- name: Show existing PBR policy on Et1/1`
			`arista.eos.eos_command:`
			`commands:`
			`- "show running-config \| include service-policy"`
			`register: existing_pbr`

			`- name: Show existing PBR config`
			`ansible.builtin.debug:`
			`var: existing_pbr.stdout_lines`

			`# ------------------------------------------------------------------`
			`# Save checkpoint`
			`# ------------------------------------------------------------------`
			`- name: Save checkpoint for rollback`
			`arista.eos.eos_command:`
			`commands:`
			`- "configure checkpoint save {{ checkpoint_name }}"`
			`register: checkpoint_result`

			`- name: Show checkpoint result`
			`ansible.builtin.debug:`
			`var: checkpoint_result.stdout_lines`

			`# ------------------------------------------------------------------`
			`# Apply via config session with 5-minute auto-revert`
			`#`
			`# eos_config writes directly to running-config, bypassing sessions.`
			`# Use eos_command with raw CLI to get the safety net.`
			`# ------------------------------------------------------------------`
			`- name: Apply config session with auto-revert`
			`arista.eos.eos_command:`
			`commands:`
			`# Enter named config session`
			`- command: "configure session {{ session_name }}"`
			`# Loopback101 for Ashburn IP`
			`- command: interface Loopback101`
			`- command: "ip address {{ ashburn_ip }}/32"`
			`- command: exit`
			`# ACL covering all validator ports`
			`- command: ip access-list VALIDATOR-RELAY-ACL`
			`- command: 10 permit udp any any eq 8001`
			`- command: 20 permit udp any any range 9000 9025`
			`- command: 30 permit tcp any any eq 8001`
			`- command: exit`
			`# PBR class-map referencing the ACL`
			`- command: class-map type pbr match-any VALIDATOR-RELAY-CLASS`
			`- command: match ip access-group VALIDATOR-RELAY-ACL`
			`- command: exit`
			`# PBR policy-map with nexthop redirect`
			`- command: policy-map type pbr VALIDATOR-RELAY`
			`- command: class VALIDATOR-RELAY-CLASS`
			`- command: "set nexthop {{ backbone_peer }}"`
			`- command: exit`
			`- command: exit`
			`# Apply PBR policy on Et1/1`
			`- command: interface Ethernet1/1`
			`- command: service-policy type pbr input VALIDATOR-RELAY`
			`- command: exit`
			`tags: [config]`

			`- name: Show session diff`
			`arista.eos.eos_command:`
			`commands:`
			`- "configure session {{ session_name }}"`
			`- show session-config diffs`
			`- exit`
			`register: session_diff`

			`- name: Display session diff`
			`ansible.builtin.debug:`
			`var: session_diff.stdout_lines`

			`- name: Commit with 5-minute auto-revert`
			`arista.eos.eos_command:`
			`commands:`
			`- "configure session {{ session_name }} commit timer 00:05:00"`
			`tags: [config]`

			`# ------------------------------------------------------------------`
			`# Verify`
			`# ------------------------------------------------------------------`
			`- name: Show PBR policy on Et1/1`
			`arista.eos.eos_command:`
			`commands:`
			`- show running-config interfaces Ethernet1/1`
			`- show running-config section policy-map`
			`- show ip interface Loopback101`
			`register: pbr_interface`

			`- name: Display verification`
			`ansible.builtin.debug:`
			`var: pbr_interface.stdout_lines`

			`- name: Show Loopback101`
			`arista.eos.eos_command:`
			`commands:`
			`- show ip interface Loopback101`
			`register: lo101`

			`- name: Display Loopback101`
			`ansible.builtin.debug:`
			`var: lo101.stdout_lines`

			`- name: Reminder`
			`ansible.builtin.debug:`
			`msg: \|`
			`=== Config applied with 5-minute auto-revert ===`
			`Session: {{ session_name }}`
			`Checkpoint: {{ checkpoint_name }}`

			`The config will auto-revert in 5 minutes unless committed.`
			`Verify PBR policy is applied, then commit from the switch CLI:`
			`configure session {{ session_name }} commit`
			`write memory`

			`To revert immediately:`
			`ansible-playbook ... -e rollback=true`