Feat(eos_cli_config_gen): Support for MSS Clamping on ethernet interf…

…aces. (#4018)

ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ethernet-interfaces.md

@@ -171,6 +171,15 @@ sFlow is disabled.
 | --------- | --------------- | -----------| --------- |
 | Ethernet16 | 111-112 | 110 | out |
 
+##### TCP MSS Clamping
+
+| Interface | Ipv4 Segment Size | Ipv6 Segment Size | Direction |
+| --------- | ----------------- | ----------------- | --------- |
+| Ethernet1 | 70 | 75 | egress |
+| Ethernet2 | 70 | - | ingress |
+| Ethernet3 | - | 65 | - |
+| Ethernet4 | 65 | - | - |
+
 ##### Transceiver Settings
 
 | Interface | Transceiver Frequency | Media Override |
@@ -369,6 +378,7 @@ interface Ethernet1
    ip igmp host-proxy access-list ACL2
    ip igmp host-proxy report-interval 2
    ip igmp host-proxy version 2
+   tcp mss ceiling ipv4 70 ipv6 75 egress
    switchport port-security
    priority-flow-control on
    priority-flow-control priority 5 drop
@@ -383,6 +393,7 @@ interface Ethernet2
    switchport trunk allowed vlan 110-111,210-211
    switchport mode trunk
    switchport
+   tcp mss ceiling ipv4 70 ingress
    multicast ipv4 boundary ACL_MULTICAST
    multicast ipv6 boundary ACL_V6_MULTICAST out
    multicast ipv4 static
@@ -407,6 +418,7 @@ interface Ethernet3
    ipv6 nd prefix 2345:ABCD:3FE0::1/96 infinite 50 no-autoconfig
    ipv6 nd prefix 2345:ABCD:3FE0::2/96 50 infinite
    ipv6 nd prefix 2345:ABCD:3FE0::3/96 100000 no-autoconfig
+   tcp mss ceiling ipv6 65
    switchport port-security
    no switchport port-security mac-address maximum disabled
    switchport port-security vlan 1 mac-address maximum 3
@@ -428,6 +440,7 @@ interface Ethernet4
    ipv6 address FE80:FEA::AB65/64 link-local
    ipv6 nd ra disabled
    ipv6 nd managed-config-flag
+   tcp mss ceiling ipv4 65
    ipv6 access-group IPv6_ACL_IN in
    ipv6 access-group IPv6_ACL_OUT out
    multicast ipv4 boundary 224.0.1.0/24 out

ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ethernet-interfaces.cfg

@@ -31,6 +31,7 @@ interface Ethernet1
    ip igmp host-proxy access-list ACL2
    ip igmp host-proxy report-interval 2
    ip igmp host-proxy version 2
+   tcp mss ceiling ipv4 70 ipv6 75 egress
    switchport port-security
    priority-flow-control on
    priority-flow-control priority 5 drop
@@ -45,6 +46,7 @@ interface Ethernet2
    switchport trunk allowed vlan 110-111,210-211
    switchport mode trunk
    switchport
+   tcp mss ceiling ipv4 70 ingress
    multicast ipv4 boundary ACL_MULTICAST
    multicast ipv6 boundary ACL_V6_MULTICAST out
    multicast ipv4 static
@@ -69,6 +71,7 @@ interface Ethernet3
    ipv6 nd prefix 2345:ABCD:3FE0::1/96 infinite 50 no-autoconfig
    ipv6 nd prefix 2345:ABCD:3FE0::2/96 50 infinite
    ipv6 nd prefix 2345:ABCD:3FE0::3/96 100000 no-autoconfig
+   tcp mss ceiling ipv6 65
    switchport port-security
    no switchport port-security mac-address maximum disabled
    switchport port-security vlan 1 mac-address maximum 3
@@ -90,6 +93,7 @@ interface Ethernet4
    ipv6 address FE80:FEA::AB65/64 link-local
    ipv6 nd ra disabled
    ipv6 nd managed-config-flag
+   tcp mss ceiling ipv4 65
    ipv6 access-group IPv6_ACL_IN in
    ipv6 access-group IPv6_ACL_OUT out
    multicast ipv4 boundary 224.0.1.0/24 out

ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ethernet-interfaces.yml

@@ -29,6 +29,10 @@ ethernet_interfaces:
     bgp:
       session_tracker: ST1
     ip_verify_unicast_source_reachable_via: rx
+    tcp_mss_ceiling:
+      ipv4_segment_size: 70
+      ipv6_segment_size: 75
+      direction: egress
     switchport:
       port_security:
         enabled: true
@@ -66,6 +70,9 @@ ethernet_interfaces:
     description: SRV-POD02_Eth1
     mode: trunk
     vlans: 110-111,210-211
+    tcp_mss_ceiling:
+      ipv4_segment_size: 70
+      direction: ingress
     multicast:
       ipv4:
         static: true
@@ -128,6 +135,8 @@ ethernet_interfaces:
     priority_flow_control:
       enabled: false
     spanning_tree_guard: root
+    tcp_mss_ceiling:
+      ipv6_segment_size: 65
     switchport:
       port_security:
         mac_address_maximum:
@@ -155,6 +164,8 @@ ethernet_interfaces:
     priority_flow_control:
       enabled: true
     spanning_tree_guard: disabled
+    tcp_mss_ceiling:
+      ipv4_segment_size: 65
     multicast:
       ipv4:
         static: true

ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ethernet-interfaces.md

@@ -176,6 +176,10 @@
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;interval</samp>](## "ethernet_interfaces.[].pim.ipv4.hello.interval") | Integer |  |  | Min: 1<br>Max: 65535 | PIM hello interval in seconds. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;mac_security</samp>](## "ethernet_interfaces.[].mac_security") | Dictionary |  |  |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;profile</samp>](## "ethernet_interfaces.[].mac_security.profile") | String |  |  |  |  |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;tcp_mss_ceiling</samp>](## "ethernet_interfaces.[].tcp_mss_ceiling") | Dictionary |  |  |  | The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header<br>of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface. |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ipv4_segment_size</samp>](## "ethernet_interfaces.[].tcp_mss_ceiling.ipv4_segment_size") | Integer |  |  | Min: 64<br>Max: 65475 |  |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ipv6_segment_size</samp>](## "ethernet_interfaces.[].tcp_mss_ceiling.ipv6_segment_size") | Integer |  |  | Min: 64<br>Max: 65475 |  |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;direction</samp>](## "ethernet_interfaces.[].tcp_mss_ceiling.direction") | String |  |  | Valid Values:<br>- <code>egress</code><br>- <code>ingress</code> |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;channel_group</samp>](## "ethernet_interfaces.[].channel_group") | Dictionary |  |  |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;id</samp>](## "ethernet_interfaces.[].channel_group.id") | Integer |  |  |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mode</samp>](## "ethernet_interfaces.[].channel_group.mode") | String |  |  | Valid Values:<br>- <code>on</code><br>- <code>active</code><br>- <code>passive</code> |  |
@@ -725,6 +729,13 @@
               interval: <int; 1-65535>
         mac_security:
           profile: <str>
+
+        # The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
+        # of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.
+        tcp_mss_ceiling:
+          ipv4_segment_size: <int; 64-65475>
+          ipv6_segment_size: <int; 64-65475>
+          direction: <str; "egress" | "ingress">
         channel_group:
           id: <int>
           mode: <str; "on" | "active" | "passive">

ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ethernet_interfaces.schema.yml

@@ -497,6 +497,29 @@ keys:
           keys:
             profile:
               type: str
+        tcp_mss_ceiling:
+          type: dict
+          description: |-
+            The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
+            of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.
+          keys:
+            ipv4_segment_size:
+              type: int
+              convert_types:
+                - str
+              min: 64
+              max: 65475
+            ipv6_segment_size:
+              type: int
+              convert_types:
+                - str
+              min: 64
+              max: 65475
+            direction:
+              type: str
+              valid_values:
+                - egress
+                - ingress
         channel_group:
           type: dict
           keys:

ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ethernet-interfaces.j2

@@ -165,6 +165,30 @@
 {%             endif %}
 {%         endfor %}
 {%     endif %}
+{# TCP MSS Clamping #}
+{%     set tcp_mss_clampings = [] %}
+{%     for ethernet_interface in ethernet_interfaces | arista.avd.natural_sort('name') %}
+{%         if ethernet_interface.tcp_mss_ceiling is arista.avd.defined %}
+{%             do tcp_mss_clampings.append(ethernet_interface) %}
+{%         endif %}
+{%     endfor %}
+{%     if tcp_mss_clampings | length > 0 %}
+
+##### TCP MSS Clamping
+
+| Interface | Ipv4 Segment Size | Ipv6 Segment Size | Direction |
+| --------- | ----------------- | ----------------- | --------- |
+{%         for tcp_mss_clamping in tcp_mss_clampings | arista.avd.natural_sort('name') %}
+{%             set interface = tcp_mss_clamping.name %}
+{%             if tcp_mss_clamping.tcp_mss_ceiling.ipv4_segment_size is arista.avd.defined %}
+{%                 set ipv4_segment_size = tcp_mss_clamping.tcp_mss_ceiling.ipv4_segment_size %}
+{%             endif %}
+{%             if tcp_mss_clamping.tcp_mss_ceiling.ipv6_segment_size is arista.avd.defined %}
+{%                 set ipv6_segment_size = tcp_mss_clamping.tcp_mss_ceiling.ipv6_segment_size %}
+{%             endif %}
+| {{ interface }} | {{ ipv4_segment_size | arista.avd.default("-") }} | {{ ipv6_segment_size | arista.avd.default("-") }} | {{ tcp_mss_clamping.tcp_mss_ceiling.direction | arista.avd.default("-") }} |
+{%         endfor %}
+{%     endif %}
 {# Transceiver Settings #}
 {%     set transceiver_settings = [] %}
 {%     for ethernet_interface in ethernet_interfaces | arista.avd.natural_sort('name') %}

ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ethernet-interfaces.j2

@@ -438,6 +438,19 @@ interface {{ ethernet_interface.name }}
 {%         endif %}
    {{ destination_cli }}
 {%     endfor %}
+{%     if ethernet_interface.tcp_mss_ceiling.ipv4_segment_size is arista.avd.defined or ethernet_interface.tcp_mss_ceiling.ipv6_segment_size is arista.avd.defined %}
+{%         set tcp_mss_ceiling_cli = "tcp mss ceiling" %}
+{%         if ethernet_interface.tcp_mss_ceiling.ipv4_segment_size is arista.avd.defined %}
+{%             set tcp_mss_ceiling_cli = tcp_mss_ceiling_cli ~ " ipv4 " ~ ethernet_interface.tcp_mss_ceiling.ipv4_segment_size %}
+{%         endif %}
+{%         if ethernet_interface.tcp_mss_ceiling.ipv6_segment_size is arista.avd.defined %}
+{%             set tcp_mss_ceiling_cli = tcp_mss_ceiling_cli ~ " ipv6 " ~ ethernet_interface.tcp_mss_ceiling.ipv6_segment_size %}
+{%         endif %}
+{%         if ethernet_interface.tcp_mss_ceiling.direction is arista.avd.defined %}
+{%             set tcp_mss_ceiling_cli = tcp_mss_ceiling_cli ~ " " ~ ethernet_interface.tcp_mss_ceiling.direction %}
+{%         endif %}
+   {{ tcp_mss_ceiling_cli }}
+{%     endif %}
 {%     if ethernet_interface.channel_group.id is arista.avd.defined and ethernet_interface.channel_group.mode is arista.avd.defined %}
    channel-group {{ ethernet_interface.channel_group.id }} mode {{ ethernet_interface.channel_group.mode }}
 {%         if ethernet_interface.lacp_timer.mode is arista.avd.defined %}