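---
# Configure laconic-was-sw01 for inbound validator traffic relay
#
# Routes all traffic destined to 137.239.194.65 to mia-sw01 via backbone.
# A single static route replaces the previous Loopback101 + PBR approach.
#
# 137.239.194.65 is already routed to was-sw01 by its covering prefix
# (advertised via IS-IS on Loopback100). No loopback needed — the static
# route forwards traffic before the switch tries to deliver it locally.
#
# This playbook also removes the old PBR config if present (Loopback101,
# VALIDATOR-RELAY-ACL, VALIDATOR-RELAY-CLASS, VALIDATOR-RELAY policy-map,
# service-policy on Et1/1).
#
# Modes (selected with extra vars; checked in this order):
#   rollback=true  restore the saved checkpoint, write memory, stop
#   commit=true    finalize the pending timed session, write memory, stop
#   (no flags)     read-only pre-flight: show current state, then stop
#   apply=true     save checkpoint, stage the change in a config session,
#                  commit with a 5-minute auto-revert timer, verify
#
# Required variable not defined in this play: backbone_peer. It is used as
# the forwarding target of the static route and must be supplied from
# inventory/host vars or with -e.
#
# Usage:
#   ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml
#   ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml -e apply=true
#   ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml -e commit=true
#   ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml -e rollback=true

- name: Configure was-sw01 inbound validator relay
  hosts: was-sw01
  gather_facts: false

  vars:
    # Quoted so the address is always handled as a string.
    ashburn_ip: '137.239.194.65'
    # Mode switches; each is passed through `| bool` below because values
    # given with -e key=value arrive as strings.
    apply: false
    commit: false
    rollback: false
    session_name: validator-relay-v2
    checkpoint_name: pre-validator-relay-v2

  tasks:
    # ------------------------------------------------------------------
    # Rollback path
    # ------------------------------------------------------------------
    # Restores the checkpoint taken by the apply path and persists the
    # result to startup-config, then ends the play.
    # NOTE(review): confirm that this restore syntax is accepted by the EOS
    # release on was-sw01 (test in a lab first); this is the emergency path
    # and must not be discovered broken during an incident.
    - name: Rollback to checkpoint
      when: rollback | bool
      block:
        - name: Execute rollback
          arista.eos.eos_command:
            commands:
              - "rollback running-config checkpoint {{ checkpoint_name }}"
              - write memory
          register: rollback_result

        - name: Show rollback result
          ansible.builtin.debug:
            var: rollback_result.stdout_lines

        - name: End play after rollback
          ansible.builtin.meta: end_play

    # ------------------------------------------------------------------
    # Commit finalization
    # ------------------------------------------------------------------
    # Makes the timed commit permanent and writes it to startup-config.
    # Must be run before the 5-minute timer started by the apply path
    # expires.
    - name: Finalize pending session
      when: commit | bool
      block:
        - name: Commit session and write memory
          arista.eos.eos_command:
            commands:
              - "configure session {{ session_name }} commit"
              - write memory
          register: commit_result

        - name: Show commit result
          ansible.builtin.debug:
            var: commit_result.stdout_lines

        - name: End play after commit
          ansible.builtin.meta: end_play

    # ------------------------------------------------------------------
    # Pre-flight checks
    # ------------------------------------------------------------------
    # Show commands only; nothing on the switch is changed in this section.
    - name: Show current Et1/1 config
      arista.eos.eos_command:
        commands:
          - show running-config interfaces Ethernet1/1
      register: et1_config
      tags: [preflight]

    - name: Display Et1/1 config
      ansible.builtin.debug:
        var: et1_config.stdout_lines
      tags: [preflight]

    - name: Check for existing Loopback101 and PBR
      arista.eos.eos_command:
        commands:
          - "show running-config interfaces Loopback101"
          - "show running-config | include service-policy"
          - "show running-config section policy-map type pbr"
          - "show ip route {{ ashburn_ip }}"
      register: existing_config
      tags: [preflight]

    - name: Display existing config
      ansible.builtin.debug:
        var: existing_config.stdout_lines
      tags: [preflight]

    - name: Pre-flight summary
      when: not (apply | bool)
      ansible.builtin.debug:
        msg: |
          === Pre-flight complete ===
          Review the output above:
            1. Does Loopback101 exist with {{ ashburn_ip }}? (will be removed)
            2. Is service-policy VALIDATOR-RELAY on Et1/1? (will be removed)
            3. Current route for {{ ashburn_ip }}

          To apply config:
            ansible-playbook -i inventory/switches.yml playbooks/ashburn-relay-was-sw01.yml \
              -e apply=true
      tags: [preflight]

    - name: End play if not applying
      when: not (apply | bool)
      ansible.builtin.meta: end_play

    # ------------------------------------------------------------------
    # Input validation (apply path only)
    # ------------------------------------------------------------------
    # Both values are interpolated into CLI commands sent to the switch.
    # Fail here, before the checkpoint is saved or a session is opened,
    # instead of part-way through the change.
    - name: Validate relay inputs before changing the switch
      ansible.builtin.assert:
        that:
          - backbone_peer is defined
          - backbone_peer | string | trim | length > 0
          - "ashburn_ip is match('^[0-9]{1,3}([.][0-9]{1,3}){3}$')"
        fail_msg: >-
          backbone_peer must be set (inventory/host vars or -e) and
          ashburn_ip must be a dotted-quad IPv4 address.
        quiet: true

    # ------------------------------------------------------------------
    # Apply config via session with 5-minute auto-revert
    # ------------------------------------------------------------------
    # NOTE(review): the checkpoint name is fixed and this task runs on every
    # apply=true invocation. A second apply run after the change is live
    # would presumably overwrite the checkpoint with the already-changed
    # config, so rollback=true would no longer restore the pre-change
    # state — confirm, and avoid re-running apply once committed.
    - name: Save checkpoint
      arista.eos.eos_command:
        commands:
          - "configure checkpoint save {{ checkpoint_name }}"

    # Stages all changes in a named config session; nothing takes effect
    # until the session is committed further down.
    - name: Apply config session
      arista.eos.eos_command:
        commands:
          - command: "configure session {{ session_name }}"
          # Remove old PBR service-policy from Et1/1
          - command: interface Ethernet1/1
          - command: no service-policy type pbr input VALIDATOR-RELAY
          - command: exit
          # Remove old PBR policy-map, class-map, ACL
          - command: no policy-map type pbr VALIDATOR-RELAY
          - command: no class-map type pbr match-any VALIDATOR-RELAY-CLASS
          - command: no ip access-list VALIDATOR-RELAY-ACL
          # Remove Loopback101
          - command: no interface Loopback101
          # Add static route to forward all traffic for ashburn IP to mia-sw01
          - command: "ip route {{ ashburn_ip }}/32 {{ backbone_peer }}"

    # Re-enters the pending session to print what the commit will change,
    # so the diff is captured in the run output before it goes live.
    - name: Show session diff
      arista.eos.eos_command:
        commands:
          - "configure session {{ session_name }}"
          - show session-config diffs
          - exit
      register: session_diff

    - name: Display session diff
      ansible.builtin.debug:
        var: session_diff.stdout_lines

    # Timed commit: the change goes live now and is reverted by the switch
    # unless the session is committed again within 5 minutes (commit=true).
    # This is the safety net if the change cuts off management access.
    - name: Commit with 5-minute auto-revert
      arista.eos.eos_command:
        commands:
          - "configure session {{ session_name }} commit timer 00:05:00"

    # ------------------------------------------------------------------
    # Verify
    # ------------------------------------------------------------------
    - name: Verify config
      arista.eos.eos_command:
        commands:
          - "show ip route {{ ashburn_ip }}"
          - show running-config interfaces Ethernet1/1
      register: verify

    - name: Display verification
      ansible.builtin.debug:
        var: verify.stdout_lines

    - name: Reminder
      ansible.builtin.debug:
        msg: |
          === Config applied with 5-minute auto-revert ===
          Session: {{ session_name }}
          Checkpoint: {{ checkpoint_name }}

          Changes applied:
            1. Removed: Loopback101, VALIDATOR-RELAY PBR (ACL, class-map, policy-map, service-policy)
            2. Added: ip route {{ ashburn_ip }}/32 {{ backbone_peer }}

          The config will auto-revert in 5 minutes unless committed.
          Verify on the switch, then commit:
            configure session {{ session_name }} commit
            write memory

          To revert immediately:
            ansible-playbook ... -e rollback=true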