[TRM] Implement VFI/VPLS Support in Terraform Provider

[camschaecisco]

L2 VFI/VPLS Support

This PR adds support for L2 Virtual Forwarding Instance (VFI) configuration to the terraform-provider-iosxe.

This enhancement introduces the iosxe_l2_vfi resource and data source with the ability to configure VPLS (Virtual Private LAN Service) instances using manual
mode. This feature provides network operators with Layer 2 VPN capabilities, enabling point-to-multipoint Ethernet-based connectivity over MPLS networks. VFI
creates a virtual bridge domain that allows multiple sites to appear as if they are on the same LAN, regardless of their physical location.

CLI Commands Supported

L2 VFI Configuration
l2 vfi {manual | autodiscovery | point-to-point}
vpn id <1-4294967295>
neighbor encapsulation {mpls | l2tpv3}

These commands enable Layer 2 VPN service with the following capabilities:

• manual: Manually configure VFI neighbors and pseudowire parameters
• autodiscovery: Automatically discover VFI neighbors using BGP
• point-to-point: Configure point-to-point VFI connection
• vpn id: Unique VPN identifier for the VFI instance
• neighbor: Configure MPLS or L2TPv3 pseudowire to remote PE router

Benefits

• Enables Layer 2 VPN service for multi-site connectivity over MPLS backbone
• Provides transparent LAN service across geographically distributed locations
• Supports any-to-any connectivity between customer sites (multipoint-to-multipoint)
• Allows bridging of Layer 2 frames across WAN without requiring Layer 3 routing at customer sites
• Facilitates data center interconnect (DCI) and disaster recovery scenarios
• Enables transparent migration of legacy Layer 2 applications across sites
• Supports Ethernet services delivery for service providers
• Provides MAC address learning and forwarding across pseudowires
• Reduces complexity compared to traditional Layer 3 VPN deployments for LAN extension use cases
• Compatible with existing Ethernet infrastructure at customer sites

Platform Compatibility

These features have been validated against:

• Cisco Catalyst 8000V router running IOS-XE 17.15
• Cisco Catalyst 9000 switch running IOS-XE 17.15

Version Requirements

IOS-XE 17.15.1 and later:

• ✅ name (String) - VFI instance name
• ✅ mode (String: "manual", "autodiscovery", or "point-to-point") - VFI mode
• ✅ vpn_id (Number: 1-4294967295) - VPN identifier
• ✅ neighbors (List) - VFI neighbor configuration
  • ip_address (String) - Remote PE router IP address
  • encapsulation (String: "mpls" or "l2tpv3") - Pseudowire encapsulation type

Platform Notes:

• Both Cat8k routers and Cat9k switches support all L2 VFI features
• The implementation uses the Cisco-IOS-XE-l2vpn YANG model augmented to /native/l2
• Tests automatically skip on IOS-XE 17.12 using the IOSXE1715 environment variable tag
• YANG model validation confirms feature availability starting from IOS-XE 17.15.1

Technical Implementation

• Added iosxe_l2_vfi resource with the following attributes:
  • name (String, Required) - VFI instance name
  • mode (String, Optional) - VFI mode: "manual", "autodiscovery", or "point-to-point"
  • vpn_id (Number, Optional) - VPN identifier (range: 1-4294967295)
  • neighbors (List of Objects, Optional) - VFI neighbor pseudowire configuration
    • ip_address (String, Required) - Remote PE router IP address (list key)
    • encapsulation (String, Optional) - Encapsulation type ("mpls" or "l2tpv3")
• Added corresponding iosxe_l2_vfi data source for configuration retrieval
• Correctly mapped RESTCONF path: /restconf/data/Cisco-IOS-XE-native:native/l2/Cisco-IOS-XE-l2vpn:vfi
• Implemented proper YANG model integration with Cisco-IOS-XE-native and Cisco-IOS-XE-l2vpn modules
• Ensured idempotent behavior for all attributes
• Added version-specific test gating using test_tags: [IOSXE1715]
• Used unique VPN ID (20001) in examples to avoid conflicts with existing VFI instances
• Added skip_minimum_test: true due to required mode attribute
• Updated CHANGELOG and documentation with new resource
• Generated comprehensive examples for VFI configuration with MPLS neighbors

Testing

Go Acceptance Tests
=== RUN TestAccIosxeL2VFI
--- PASS: TestAccIosxeL2VFI (3.10s)
PASS
ok github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider 3.110s

Multi-Platform Validation

• Catalyst 8000V (Router, IOS-XE 17.15.1): ✅ VFI with manual mode, VPN ID, and MPLS neighbor validated successfully (3.10s)
• Catalyst 9000 (Switch, IOS-XE 17.15.1): ✅ VFI with manual mode, VPN ID, and MPLS neighbor validated successfully (2.40s)
• Catalyst 8000V (Router, IOS-XE 17.12.1): ✅ Test correctly skipped (0.00s) - Feature not available

Terraform Testing

• ✅ terraform plan - Correctly identifies VFI configuration changes
• ✅ terraform apply - Successfully applies L2 VFI configuration
• ✅ terraform destroy - Cleanly removes L2 VFI configuration
• ✅ State management - Properly tracks resource state across apply/refresh/destroy lifecycle
• ✅ Import support - Terraform import command included in examples

RESTCONF API Validation

• ✅ HTTP 204/201 responses for all configuration operations
• ✅ Proper YANG namespace handling (Cisco-IOS-XE-l2vpn:vfi)
• ✅ Correct JSON payload structure for VFI with neighbors
• ✅ Idempotent updates with no configuration drift
• ✅ Standard PATCH operation works (no put_only required)

YANG Model Validation

• ✅ Verified feature availability in IOS-XE 17.15.1 YANG model (Cisco-IOS-XE-l2vpn.yang)
• ✅ Confirmed feature requires ios-features:l2 which is NOT available in IOS-XE 17.12.1
• ✅ Validated VFI configuration via config-l2-grouping augmented to /native/l2
• ✅ Verified neighbor list structure with router-id key and encapsulation options
• ✅ Compared 17.12.1 vs 17.15.1 YANG models - confirmed VFI structure added in 17.15

Example Usage

resource "iosxe_l2_vfi" "example" {
  name   = "TENANT-A"
  mode   = "manual"
  vpn_id = 20001
  neighbors = [
    {
      ip_address    = "172.16.255.2"
      encapsulation = "mpls"
    }
  ]
}

Resulting CLI Configuration:
l2 vfi TENANT-A manual
 vpn id 20001
 neighbor 172.16.255.2 encapsulation mpls