Skip to content

Input variables for eos_cli_config_gen

This document describes the supported input variables for the role arista.avd.eos_cli_config_gen.

Since several data models have changed between AVD versions 3.x and 4.x, it is recommended to study the Porting Guide for AVD 4.x.x for existing deployments.

The input variables are documented below in tables and YAML.

All values are optional.

Note

All input variables are validated by a schema. If additional custom keys are desired, a key starting with an underscore _, will be ignored.

Warning

Available features and variables may vary by platforms, refer to documentation on arista.com for specifics.

Authentication

AAA accounting

Variable Type Required Default Value Restrictions Description
aaa_accounting Dictionary
  exec Dictionary
    console Dictionary
      type String Valid Values:
- none
- start-stop
- stop-only
      group String Group Name.
      logging Boolean
    default Dictionary
      type String Valid Values:
- none
- start-stop
- stop-only
      group String Group Name.
      logging Boolean
  system Dictionary
    default Dictionary
      type String Valid Values:
- none
- start-stop
- stop-only
      group String Group Name.
  dot1x Dictionary
    default Dictionary
      type String Valid Values:
- start-stop
- stop-only
      group String Group Name.
  commands Dictionary
    console List, items: Dictionary
      - commands String Privilege level ‘all’ or 0-15.
        type String Valid Values:
- none
- start-stop
- stop-only
        group String Group Name.
        logging Boolean
    default List, items: Dictionary
      - commands String Privilege level ‘all’ or 0-15.
        type String Valid Values:
- none
- start-stop
- stop-only
        group String Group Name.
        logging Boolean
aaa_accounting:
  exec:
    console:
      type: <str; "none" | "start-stop" | "stop-only">

      # Group Name.
      group: <str>
      logging: <bool>
    default:
      type: <str; "none" | "start-stop" | "stop-only">

      # Group Name.
      group: <str>
      logging: <bool>
  system:
    default:
      type: <str; "none" | "start-stop" | "stop-only">

      # Group Name.
      group: <str>
  dot1x:
    default:
      type: <str; "start-stop" | "stop-only">

      # Group Name.
      group: <str>
  commands:
    console:

        # Privilege level 'all' or 0-15.
      - commands: <str>
        type: <str; "none" | "start-stop" | "stop-only">

        # Group Name.
        group: <str>
        logging: <bool>
    default:

        # Privilege level 'all' or 0-15.
      - commands: <str>
        type: <str; "none" | "start-stop" | "stop-only">

        # Group Name.
        group: <str>
        logging: <bool>

AAA authentication

Variable Type Required Default Value Restrictions Description
aaa_authentication Dictionary
  login Dictionary
    default String Login authentication method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group radius group MYGROUP local”
    console String Console authentication method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group radius group MYGROUP local”
  enable Dictionary
    default String Enable authentication method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group radius group MYGROUP local”
  dot1x Dictionary
    default String 802.1x authentication method(s) as a string.
Examples:
- “group radius”
- “group MYGROUP group radius”
  policies Dictionary
    on_failure_log Boolean
    on_success_log Boolean
    local Dictionary
      allow_nopassword Boolean
    lockout Dictionary
      failure Integer Min: 1
Max: 255
      duration Integer Min: 1
Max: 4294967295
      window Integer Min: 1
Max: 4294967295
aaa_authentication:
  login:

    # Login authentication method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    default: <str>

    # Console authentication method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    console: <str>
  enable:

    # Enable authentication method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    default: <str>
  dot1x:

    # 802.1x authentication method(s) as a string.
    # Examples:
    # - "group radius"
    # - "group MYGROUP group radius"
    default: <str>
  policies:
    on_failure_log: <bool>
    on_success_log: <bool>
    local:
      allow_nopassword: <bool>
    lockout:
      failure: <int; 1-255>
      duration: <int; 1-4294967295>
      window: <int; 1-4294967295>

AAA authorization

Variable Type Required Default Value Restrictions Description
aaa_authorization Dictionary
  policy Dictionary
    local_default_role String
  exec Dictionary
    default String Exec authorization method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group radius group MYGROUP local”
  config_commands Boolean
  serial_console Boolean
  dynamic Dictionary
    dot1x_additional_groups List, items: String Min Length: 1
      - <str> String
  commands Dictionary
    all_default String Command authorization method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group tacacs+ group MYGROUP local
    privilege List, items: Dictionary
      - level String Privilege level(s) 0-15.
        default String Command authorization method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group tacacs+ group MYGROUP local”
aaa_authorization:
  policy:
    local_default_role: <str>
  exec:

    # Exec authorization method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    default: <str>
  config_commands: <bool>
  serial_console: <bool>
  dynamic:
    dot1x_additional_groups: # >=1 items
      - <str>
  commands:

    # Command authorization method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group tacacs+ group MYGROUP local
    all_default: <str>
    privilege:

        # Privilege level(s) 0-15.
      - level: <str>

        # Command authorization method(s) as a string.
        # Examples:
        # - "group tacacs+ local"
        # - "group MYGROUP none"
        # - "group tacacs+ group MYGROUP local"
        default: <str>

AAA root

Variable Type Required Default Value Restrictions Description
aaa_root Dictionary
  secret Dictionary
    sha512_password String
aaa_root:
  secret:
    sha512_password: <str>

AAA server groups

Variable Type Required Default Value Restrictions Description
aaa_server_groups List, items: Dictionary
  - name String Group name.
    type String Valid Values:
- tacacs+
- radius
- ldap
    servers List, items: Dictionary
      - server String Hostname or IP address.
        vrf String VRF name.
aaa_server_groups:

    # Group name.
  - name: <str>
    type: <str; "tacacs+" | "radius" | "ldap">
    servers:

        # Hostname or IP address.
      - server: <str>

        # VRF name.
        vrf: <str>

Enable password

Variable Type Required Default Value Restrictions Description
enable_password Dictionary
  hash_algorithm String Valid Values:
- md5
- sha512
  key String Must be the hash of the password using the specified algorithm.
By default EOS salts the password, so the simplest is to generate the hash on an EOS device.
enable_password:
  hash_algorithm: <str; "md5" | "sha512">

  # Must be the hash of the password using the specified algorithm.
  # By default EOS salts the password, so the simplest is to generate the hash on an EOS device.
  key: <str>

IP radius source-interfaces

Variable Type Required Default Value Restrictions Description
ip_radius_source_interfaces List, items: Dictionary
  - name String Interface Name.
    vrf String VRF Name.
ip_radius_source_interfaces:

    # Interface Name.
  - name: <str>

    # VRF Name.
    vrf: <str>

IP tacacs source-interfaces

Variable Type Required Default Value Restrictions Description
ip_tacacs_source_interfaces List, items: Dictionary
  - name String Interface name.
    vrf String
ip_tacacs_source_interfaces:

    # Interface name.
  - name: <str>
    vrf: <str>

Local users

Variable Type Required Default Value Restrictions Description
local_users List, items: Dictionary
  - name String Required, Unique Username.
    disabled Boolean If true, the user will be removed and all other settings are ignored.
Useful for removing the default “admin” user.
    privilege Integer Min: 0
Max: 15
Initial privilege level with local EXEC authorization.
    role String EOS RBAC Role to be assigned to the user such as “network-admin” or “network-operator”.
    sha512_password String SHA512 Hash of Password.
Must be the hash of the password. By default EOS salts the password with the username, so the simplest is to generate the hash on an EOS device using the same username.
    no_password Boolean If set a password will not be configured for this user. “sha512_password” MUST not be defined for this user.
    ssh_key String
    secondary_ssh_key String
    shell String Valid Values:
- /bin/bash
- /bin/sh
- /sbin/nologin
Specify shell for the user.
local_users:

    # Username.
  - name: <str; required; unique>

    # If true, the user will be removed and all other settings are ignored.
    # Useful for removing the default "admin" user.
    disabled: <bool>

    # Initial privilege level with local EXEC authorization.
    privilege: <int; 0-15>

    # EOS RBAC Role to be assigned to the user such as "network-admin" or "network-operator".
    role: <str>

    # SHA512 Hash of Password.
    # Must be the hash of the password. By default EOS salts the password with the username, so the simplest is to generate the hash on an EOS device using the same username.
    sha512_password: <str>

    # If set a password will not be configured for this user. "sha512_password" MUST not be defined for this user.
    no_password: <bool>
    ssh_key: <str>
    secondary_ssh_key: <str>

    # Specify shell for the user.
    shell: <str; "/bin/bash" | "/bin/sh" | "/sbin/nologin">

Radius server

Variable Type Required Default Value Restrictions Description
radius_server Dictionary
  attribute_32_include_in_access_req Dictionary
    hostname Boolean
    format String Specify the format of the NAS-Identifier. If ‘hostname’ is set, this is ignored.
  dynamic_authorization Dictionary
    port Integer Min: 0
Max: 65535
TCP Port.
    tls_ssl_profile String Name of TLS profile.
  hosts List, items: Dictionary
    - host String Required, Unique Host IP address or name.
      vrf String
      tls Dictionary When TLS is configured, key is ignored..
        enabled Boolean Enable TLS for radius-server.
        ssl_profile String Name of TLS profile.
        port Integer Min: 0
Max: 65535
TCP Port used for TLS. EOS default is 2083.
      timeout Integer Min: 1
Max: 1000
      retransmit Integer Min: 0
Max: 100
      key String Encrypted key - only type 7 supported.
When TLS is configured, key is ignored.
  tls_ssl_profile String Name of global TLS profile.
radius_server:
  attribute_32_include_in_access_req:
    hostname: <bool>

    # Specify the format of the NAS-Identifier. If 'hostname' is set, this is ignored.
    format: <str>
  dynamic_authorization:

    # TCP Port.
    port: <int; 0-65535>

    # Name of TLS profile.
    tls_ssl_profile: <str>
  hosts:

      # Host IP address or name.
    - host: <str; required; unique>
      vrf: <str>

      # When TLS is configured, `key` is ignored..
      tls:

        # Enable TLS for radius-server.
        enabled: <bool>

        # Name of TLS profile.
        ssl_profile: <str>

        # TCP Port used for TLS. EOS default is 2083.
        port: <int; 0-65535>
      timeout: <int; 1-1000>
      retransmit: <int; 0-100>

      # Encrypted key - only type 7 supported.
      # When TLS is configured, `key` is ignored.
      key: <str>

  # Name of global TLS profile.
  tls_ssl_profile: <str>

Radius servers

Variable Type Required Default Value Restrictions Description
radius_servers deprecated List, items: Dictionary This key is deprecated. Support will be removed in AVD version v5.0.0. Use radius_server.hosts instead.
  - host String Host IP address or name.
    vrf String
    key String Encrypted key.
# This key is deprecated.
# Support will be removed in AVD version v5.0.0.
# Use <samp>radius_server.hosts</samp> instead.
radius_servers:

    # Host IP address or name.
  - host: <str>
    vrf: <str>

    # Encrypted key.
    key: <str>

Roles

Variable Type Required Default Value Restrictions Description
roles List, items: Dictionary
  - name String Role name.
    sequence_numbers List, items: Dictionary
      - sequence Integer Sequence number.
        action String Valid Values:
- permit
- deny
        mode String “config”, “config-all”, “exec” or mode key as string.
        command String Command as string.
roles:

    # Role name.
  - name: <str>
    sequence_numbers:

        # Sequence number.
      - sequence: <int>
        action: <str; "permit" | "deny">

        # "config", "config-all", "exec" or mode key as string.
        mode: <str>

        # Command as string.
        command: <str>

Tacacs servers

Variable Type Required Default Value Restrictions Description
tacacs_servers Dictionary
  timeout Integer Min: 1
Max: 1000
Timeout in seconds.
  hosts List, items: Dictionary
    - host String Host IP address or name.
      vrf String
      key String Encrypted key.
      key_type String 7 Valid Values:
- 0
- 7
- 8a
      single_connection Boolean
      timeout Integer Min: 1
Max: 1000
Timeout in seconds.
  policy_unknown_mandatory_attribute_ignore Boolean
tacacs_servers:

  # Timeout in seconds.
  timeout: <int; 1-1000>
  hosts:

      # Host IP address or name.
    - host: <str>
      vrf: <str>

      # Encrypted key.
      key: <str>
      key_type: <str; "0" | "7" | "8a"; default="7">
      single_connection: <bool>

      # Timeout in seconds.
      timeout: <int; 1-1000>
  policy_unknown_mandatory_attribute_ignore: <bool>

ACLs

IP Extended access-lists

AVD currently supports two different data models for extended ACLs:

  • The legacy access_lists data model, for compatibility with existing deployments
  • The improved ip_access_lists data model, for access to more EOS features

Both data models can coexists without conflicts, as different keys are used: access_lists vs ip_access_lists. Access list names must be unique.

The legacy data model supports simplified ACL definition with sequence to action mapping:

Variable Type Required Default Value Restrictions Description
access_lists List, items: Dictionary
  - name String Required, Unique Access-list Name.
    counters_per_entry Boolean
    permit_response_traffic String Valid Values:
- nat
Permit response traffic automatically based on NAT translations.
Minimum EOS version requirement 4.32.2F.
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “deny ip any any”
access_lists:

    # Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>

    # Permit response traffic automatically based on NAT translations.
    # Minimum EOS version requirement 4.32.2F.
    permit_response_traffic: <str; "nat">
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "deny ip any any"
        action: <str; required>

The improved data model has a more sophisticated design documented below:

Variable Type Required Default Value Restrictions Description
ip_access_lists List, items: Dictionary
  - name String Required, Unique Access-list Name.
    counters_per_entry Boolean
    entries List, items: Dictionary ACL Entries.
      - sequence Integer ACL entry sequence number.
        remark String Comment up to 100 characters.
If remark is defined, other keys in the ACL entry will be ignored.
        action String Valid Values:
- permit
- deny
ACL action.
Required except for remarks.
        protocol String “ip”, “tcp”, “udp”, “icmp” or other protocol name or number.
Required except for remarks.
        source String “any”, “/” or ““.
” without a mask means host.
Required except for remarks.
        source_ports_match String eq Valid Values:
- eq
- gt
- lt
- neq
- range
        source_ports List, items: String
          - <str> String TCP/UDP source port name or number.
        destination String “any”, “/” or ““.
” without a mask means host.
Required except for remarks.
        destination_ports_match String eq Valid Values:
- eq
- gt
- lt
- neq
- range
        destination_ports List, items: String
          - <str> String TCP/UDP destination port name or number.
        tcp_flags List, items: String
          - <str> String TCP Flag Name.
        fragments Boolean Match non-head fragment packets.
        log Boolean Log matches against this rule.
        ttl Integer Min: 0
Max: 255
TTL value.
        ttl_match String eq Valid Values:
- eq
- gt
- lt
- neq
        icmp_type String Message type name/number for ICMP packets.
        icmp_code String Message code for ICMP packets.
        nexthop_group String nexthop-group name.
        tracked Boolean Match packets in existing ICMP/UDP/TCP connections.
        dscp String DSCP value or name.
        vlan_number Integer
        vlan_inner Boolean False
        vlan_mask String 0x000-0xFFF VLAN mask.
ip_access_lists:

    # Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>

    # ACL Entries.
    entries:

        # ACL entry sequence number.
      - sequence: <int>

        # Comment up to 100 characters.
        # If remark is defined, other keys in the ACL entry will be ignored.
        remark: <str>

        # ACL action.
        # Required except for remarks.
        action: <str; "permit" | "deny">

        # "ip", "tcp", "udp", "icmp" or other protocol name or number.
        # Required except for remarks.
        protocol: <str>

        # "any", "<ip>/<mask>" or "<ip>".
        # "<ip>" without a mask means host.
        # Required except for remarks.
        source: <str>
        source_ports_match: <str; "eq" | "gt" | "lt" | "neq" | "range"; default="eq">
        source_ports:

            # TCP/UDP source port name or number.
          - <str>

        # "any", "<ip>/<mask>" or "<ip>".
        # "<ip>" without a mask means host.
        # Required except for remarks.
        destination: <str>
        destination_ports_match: <str; "eq" | "gt" | "lt" | "neq" | "range"; default="eq">
        destination_ports:

            # TCP/UDP destination port name or number.
          - <str>
        tcp_flags:

            # TCP Flag Name.
          - <str>

        # Match non-head fragment packets.
        fragments: <bool>

        # Log matches against this rule.
        log: <bool>

        # TTL value.
        ttl: <int; 0-255>
        ttl_match: <str; "eq" | "gt" | "lt" | "neq"; default="eq">

        # Message type name/number for ICMP packets.
        icmp_type: <str>

        # Message code for ICMP packets.
        icmp_code: <str>

        # nexthop-group name.
        nexthop_group: <str>

        # Match packets in existing ICMP/UDP/TCP connections.
        tracked: <bool>

        # DSCP value or name.
        dscp: <str>
        vlan_number: <int>
        vlan_inner: <bool; default=False>

        # 0x000-0xFFF VLAN mask.
        vlan_mask: <str>

The improved data model allows to limit the number of ACL entries that AVD is allowed to generate by defining ip_access_lists_max_entries. Only normal entries under ip_access_lists will be counted, remarks will be ignored. If the number is above the limit, the playbook will fail. This provides a simplified control over hardware utilization. The numbers must be based on the hardware tests and AVD does not provide any guidance. Note that other EOS features may use the same hardware resources and affect the supported scale.

Variable Type Required Default Value Restrictions Description
ip_access_lists_max_entries Integer Limit ACL entries defined under the ip_access_lists.
# Limit ACL entries defined under the `ip_access_lists`.
ip_access_lists_max_entries: <int>

IPv6 access-lists

Variable Type Required Default Value Restrictions Description
ipv6_access_lists List, items: Dictionary
  - name String Required, Unique IPv6 Access-list Name.
    counters_per_entry Boolean
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “deny ipv6 any any”
ipv6_access_lists:

    # IPv6 Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "deny ipv6 any any"
        action: <str; required>

IPv6 standard access-lists

Variable Type Required Default Value Restrictions Description
ipv6_standard_access_lists List, items: Dictionary
  - name String Required, Unique Access-list Name.
    counters_per_entry Boolean
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “deny ipv6 any any”
ipv6_standard_access_lists:

    # Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "deny ipv6 any any"
        action: <str; required>

MAC access-lists

Variable Type Required Default Value Restrictions Description
mac_access_lists List, items: Dictionary
  - name String Required, Unique MAC Access-list Name.
    counters_per_entry Boolean
    entries List, items: Dictionary
      - sequence Integer
        action String
mac_access_lists:

    # MAC Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>
    entries:
      - sequence: <int>
        action: <str>

Standard access-lists

Variable Type Required Default Value Restrictions Description
standard_access_lists List, items: Dictionary
  - name String Required, Unique Access-list Name.
    counters_per_entry Boolean
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “deny ip any any”
standard_access_lists:

    # Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "deny ip any any"
        action: <str; required>

Endpoint Security

Address-locking

Variable Type Required Default Value Restrictions Description
address_locking Dictionary
  dhcp_servers_ipv4 List, items: String
    - <str> String DHCP server IPv4 address.
  disabled Boolean Disable IP locking on configured ports.
  leases List, items: Dictionary
    - ip String Required IP address.
      mac String Required MAC address (hhhh.hhhh.hhhh or hh:hh:hh:hh:hh:hh).
  local_interface String
  locked_address Dictionary
    expiration_mac_disabled Boolean Configure deauthorizing locked addresses upon MAC aging out.
    ipv4_enforcement_disabled Boolean Configure enforcement for locked IPv4 addresses.
    ipv6_enforcement_disabled Boolean Configure enforcement for locked IPv6 addresses.
address_locking:
  dhcp_servers_ipv4:

      # DHCP server IPv4 address.
    - <str>

  # Disable IP locking on configured ports.
  disabled: <bool>
  leases:

      # IP address.
    - ip: <str; required>

      # MAC address (hhhh.hhhh.hhhh or hh:hh:hh:hh:hh:hh).
      mac: <str; required>
  local_interface: <str>
  locked_address:

    # Configure deauthorizing locked addresses upon MAC aging out.
    expiration_mac_disabled: <bool>

    # Configure enforcement for locked IPv4 addresses.
    ipv4_enforcement_disabled: <bool>

    # Configure enforcement for locked IPv6 addresses.
    ipv6_enforcement_disabled: <bool>

Dot1x

Variable Type Required Default Value Restrictions Description
dot1x Dictionary
  system_auth_control Boolean
  protocol_lldp_bypass Boolean
  protocol_bpdu_bypass Boolean
  dynamic_authorization Boolean
  mac_based_authentication Dictionary
    delay Integer Min: 0
Max: 300
    hold_period Integer Min: 1
Max: 300
  radius_av_pair Dictionary
    service_type Boolean
    framed_mtu Integer Min: 68
Max: 9236
  aaa Dictionary Configure AAA parameters.
    unresponsive Dictionary Configure AAA timeout options.
      eap_response String Valid Values:
- success
- disabled
EAP response to send.
      action Dictionary Set action for supplicant when AAA times out.
        apply_cached_results Boolean Use results from a previous AAA response.
        cached_results_timeout Dictionary
          time_duration Integer Min: 1 Enable caching for a specific duration -
<1-10000> duration in days
<1-14400000> duration in minutes
<1-240000> duration in hours
<1-864000000> duration in seconds
          time_duration_unit String Required Valid Values:
- days
- hours
- minutes
- seconds
        apply_alternate Boolean Apply alternate action if primary action fails.
eg. aaa unresponsive action apply cached-results else traffic allow
        traffic_allow Boolean Set action for supplicant traffic when AAA times out.
        traffic_allow_vlan Integer Min: 1
Max: 4094
      phone_action Dictionary Set action for supplicant when AAA times out.
        apply_cached_results Boolean Use results from a previous AAA response.
        cached_results_timeout Dictionary
          time_duration Integer Min: 1 Enable caching for a specific duration -
<1-10000> duration in days
<1-14400000> duration in minutes
<1-240000> duration in hours
<1-864000000> duration in seconds
          time_duration_unit String Required Valid Values:
- days
- hours
- minutes
- seconds
        apply_alternate Boolean Apply alternate action if primary action fails.
eg. aaa unresponsive phone action apply cached-results else traffic allow
        traffic_allow Boolean Set action for supplicant traffic when AAA times out.
      recovery_action_reauthenticate Boolean
    accounting_update_interval Integer Min: 5
Max: 65535
Interval period in seconds.
  captive_portal Dictionary Web authentication feature authenticates a supplicant through a web page, referred to as a captive portal.
    enabled Boolean Required
    url String Supported URL type:
- http: http://[:]
- https: https://[:]
    ssl_profile String
    start_limit_infinite Boolean Set captive-portal start limit to infinte.
    access_list_ipv4 String Standard access-list name.
  supplicant Dictionary
    profiles List, items: Dictionary Dot1x supplicant profiles.
      - name String Required, Unique
        eap_method String Valid Values:
- fast
- tls
Extensible Authentication Protocol method:
- EAP Flexible Authentication via Secure Tunneling.
- EAP with Transport Layer Security.
        identity String User identity.
        passphrase_type String 7 Valid Values:
- 0
- 7
- 8a
        passphrase String Extensible Authentication Protocol password.
        ssl_profile String
    logging Boolean Enable supplicant logging.
    disconnect_cached_results_timeout Integer Min: 60
Max: 65535
Timeout in seconds for removing a disconnected supplicant.
dot1x:
  system_auth_control: <bool>
  protocol_lldp_bypass: <bool>
  protocol_bpdu_bypass: <bool>
  dynamic_authorization: <bool>
  mac_based_authentication:
    delay: <int; 0-300>
    hold_period: <int; 1-300>
  radius_av_pair:
    service_type: <bool>
    framed_mtu: <int; 68-9236>

  # Configure AAA parameters.
  aaa:

    # Configure AAA timeout options.
    unresponsive:

      # EAP response to send.
      eap_response: <str; "success" | "disabled">

      # Set action for supplicant when AAA times out.
      action:

        # Use results from a previous AAA response.
        apply_cached_results: <bool>
        cached_results_timeout:

          # Enable caching for a specific duration -
          # <1-10000>      duration in days
          # <1-14400000>   duration in minutes
          # <1-240000>     duration in hours
          # <1-864000000>  duration in seconds
          time_duration: <int; >=1>
          time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>

        # Apply alternate action if primary action fails.
        # eg. aaa unresponsive action apply cached-results else traffic allow
        apply_alternate: <bool>

        # Set action for supplicant traffic when AAA times out.
        traffic_allow: <bool>
        traffic_allow_vlan: <int; 1-4094>

      # Set action for supplicant when AAA times out.
      phone_action:

        # Use results from a previous AAA response.
        apply_cached_results: <bool>
        cached_results_timeout:

          # Enable caching for a specific duration -
          # <1-10000>      duration in days
          # <1-14400000>   duration in minutes
          # <1-240000>     duration in hours
          # <1-864000000>  duration in seconds
          time_duration: <int; >=1>
          time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>

        # Apply alternate action if primary action fails.
        # eg. aaa unresponsive phone action apply cached-results else traffic allow
        apply_alternate: <bool>

        # Set action for supplicant traffic when AAA times out.
        traffic_allow: <bool>
      recovery_action_reauthenticate: <bool>

    # Interval period in seconds.
    accounting_update_interval: <int; 5-65535>

  # Web authentication feature authenticates a supplicant through a web page, referred to as a captive portal.
  captive_portal:
    enabled: <bool; required>

    # Supported URL type:
    #   - http: http://<hostname>[:<port>]
    #   - https: https://<hostname>[:<port>]
    url: <str>
    ssl_profile: <str>

    # Set captive-portal start limit to infinte.
    start_limit_infinite: <bool>

    # Standard access-list name.
    access_list_ipv4: <str>
  supplicant:

    # Dot1x supplicant profiles.
    profiles:
      - name: <str; required; unique>

        # Extensible Authentication Protocol method:
        #   - EAP Flexible Authentication via Secure Tunneling.
        #   - EAP with Transport Layer Security.
        eap_method: <str; "fast" | "tls">

        # User identity.
        identity: <str>
        passphrase_type: <str; "0" | "7" | "8a"; default="7">

        # Extensible Authentication Protocol password.
        passphrase: <str>
        ssl_profile: <str>

    # Enable supplicant logging.
    logging: <bool>

    # Timeout in seconds for removing a disconnected supplicant.
    disconnect_cached_results_timeout: <int; 60-65535>

MAC security

Variable Type Required Default Value Restrictions Description
mac_security Dictionary
  license Dictionary
    license_name String Required
    license_key String Required
  fips_restrictions Boolean
  profiles List, items: Dictionary
    - name String Required, Unique Profile-Name.
      cipher String Valid Values:
- aes128-gcm
- aes128-gcm-xpn
- aes256-gcm
- aes256-gcm-xpn
      connection_keys List, items: Dictionary
        - id String Required, Unique
          encrypted_key String
          fallback Boolean
      mka Dictionary
        key_server_priority Integer Min: 0
Max: 255
        session Dictionary
          rekey_period Integer Min: 30
Max: 100000
Rekey period in seconds.
      sci Boolean
      l2_protocols Dictionary
        ethernet_flow_control Dictionary
          mode String Required Valid Values:
- encrypt
- bypass
        lldp Dictionary
          mode String Required Valid Values:
- bypass
- bypass unauthorized
      traffic_unprotected Dictionary
        action String Required Valid Values:
- allow
- drop
Allow/drop the transmit/receive of unprotected traffic.
        allow_active_sak Boolean Allow transmit/receive of encrypted traffic using operational SAK and block otherwise.
mac_security:
  license:
    license_name: <str; required>
    license_key: <str; required>
  fips_restrictions: <bool>
  profiles:

      # Profile-Name.
    - name: <str; required; unique>
      cipher: <str; "aes128-gcm" | "aes128-gcm-xpn" | "aes256-gcm" | "aes256-gcm-xpn">
      connection_keys:
        - id: <str; required; unique>
          encrypted_key: <str>
          fallback: <bool>
      mka:
        key_server_priority: <int; 0-255>
        session:

          # Rekey period in seconds.
          rekey_period: <int; 30-100000>
      sci: <bool>
      l2_protocols:
        ethernet_flow_control:
          mode: <str; "encrypt" | "bypass"; required>
        lldp:
          mode: <str; "bypass" | "bypass unauthorized"; required>
      traffic_unprotected:

        # Allow/drop the transmit/receive of unprotected traffic.
        action: <str; "allow" | "drop"; required>

        # Allow transmit/receive of encrypted traffic using operational SAK and block otherwise.
        allow_active_sak: <bool>

Filters and policies

AS path

Variable Type Required Default Value Restrictions Description
as_path Dictionary
  regex_mode String Valid Values:
- asn
- string
  access_lists List, items: Dictionary
    - name String Access List Name.
      entries List, items: Dictionary
        - type String Valid Values:
- permit
- deny
          match String Regex To Match.
          origin String any Valid Values:
- any
- egp
- igp
- incomplete
as_path:
  regex_mode: <str; "asn" | "string">
  access_lists:

      # Access List Name.
    - name: <str>
      entries:
        - type: <str; "permit" | "deny">

          # Regex To Match.
          match: <str>
          origin: <str; "any" | "egp" | "igp" | "incomplete"; default="any">

Class-maps

Variable Type Required Default Value Restrictions Description
class_maps Dictionary
  pbr List, items: Dictionary
    - name String Required, Unique Class-Map Name.
      ip Dictionary
        access_group String Standard Access-List Name.
  qos List, items: Dictionary
    - name String Required, Unique Class-Map Name.
      vlan String VLAN value(s) or range(s) of VLAN values.
      cos String CoS value(s) or range(s) of CoS values.
      ip Dictionary
        access_group String IPv4 Access-List Name.
      ipv6 Dictionary
        access_group String IPv6 Access-List Name.
class_maps:
  pbr:

      # Class-Map Name.
    - name: <str; required; unique>
      ip:

        # Standard Access-List Name.
        access_group: <str>
  qos:

      # Class-Map Name.
    - name: <str; required; unique>

      # VLAN value(s) or range(s) of VLAN values.
      vlan: <str>

      # CoS value(s) or range(s) of CoS values.
      cos: <str>
      ip:

        # IPv4 Access-List Name.
        access_group: <str>
      ipv6:

        # IPv6 Access-List Name.
        access_group: <str>

Dynamic prefix lists

Variable Type Required Default Value Restrictions Description
dynamic_prefix_lists List, items: Dictionary
  - name String Dynamic prefix-list name.
    match_map String Route-map name.
    prefix_list Dictionary
      ipv4 String Prefix-list name.
      ipv6 String Prefix-list name.
dynamic_prefix_lists:

    # Dynamic prefix-list name.
  - name: <str>

    # Route-map name.
    match_map: <str>
    prefix_list:

      # Prefix-list name.
      ipv4: <str>

      # Prefix-list name.
      ipv6: <str>

IP community lists

AVD currently supports two different data models for community lists:

  • The legacy community_lists data model that can be used for compatibility with the existing deployments.
  • The improved ip_community_lists data model.

Both data models can coexist without conflicts, as different keys are used: community_lists vs ip_community_lists. Community list names must be unique.

The legacy data model supports simplified community list definition that only allows a single action to be defined as string:

Variable Type Required Default Value Restrictions Description
community_lists List, items: Dictionary
  - name String Required, Unique Community-list Name.
    action String Required Action as string.
Example: “permit GSHUT 65123:123”
community_lists:

    # Community-list Name.
  - name: <str; required; unique>

    # Action as string.
    # Example: "permit GSHUT 65123:123"
    action: <str; required>

The improved data model has a better design documented below:

Variable Type Required Default Value Restrictions Description
ip_community_lists List, items: Dictionary Communities and regexp entries MUST not be configured in the same community-list.
  - name String Required, Unique IP Community-list Name.
    entries List, items: Dictionary Required
      - action String Required Valid Values:
- permit
- deny
        communities List, items: String If defined, a standard community-list will be configured.
Supported community strings (case insensitive):
- GSHUT
- internet
- local-as
- no-advertise
- no-export
- <1-4294967040>
- aa:nn
          - <str> String
        regexp String Regular Expression.
If defined, a regex community-list will be configured.
# Communities and regexp entries MUST not be configured in the same community-list.
ip_community_lists:

    # IP Community-list Name.
  - name: <str; required; unique>
    entries: # required
      - action: <str; "permit" | "deny"; required>

        # If defined, a standard community-list will be configured.
        # Supported community strings (case insensitive):
        # - GSHUT
        # - internet
        # - local-as
        # - no-advertise
        # - no-export
        # - <1-4294967040>
        # - aa:nn
        communities:
          - <str>

        # Regular Expression.
        # If defined, a regex community-list will be configured.
        regexp: <str>

IP extcommunity-lists

Variable Type Required Default Value Restrictions Description
ip_extcommunity_lists List, items: Dictionary
  - name String Required, Unique Community-list Name.
    entries List, items: Dictionary Required
      - type String Required Valid Values:
- permit
- deny
        extcommunities String Required Communities as string.
Example: “65000:65000”
ip_extcommunity_lists:

    # Community-list Name.
  - name: <str; required; unique>
    entries: # required
      - type: <str; "permit" | "deny"; required>

        # Communities as string.
        # Example: "65000:65000"
        extcommunities: <str; required>

IP extcommunity-lists-regexp

Variable Type Required Default Value Restrictions Description
ip_extcommunity_lists_regexp List, items: Dictionary
  - name String Required, Unique Community-list Name.
    entries List, items: Dictionary Required
      - type String Required Valid Values:
- permit
- deny
        regexp String Required Regular Expression.
ip_extcommunity_lists_regexp:

    # Community-list Name.
  - name: <str; required; unique>
    entries: # required
      - type: <str; "permit" | "deny"; required>

        # Regular Expression.
        regexp: <str; required>

IPv6 prefix-lists

Variable Type Required Default Value Restrictions Description
ipv6_prefix_lists List, items: Dictionary
  - name String Required, Unique Prefix-list Name.
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “permit 1b11:3a00:22b0:0082::/64 eq 128”
ipv6_prefix_lists:

    # Prefix-list Name.
  - name: <str; required; unique>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "permit 1b11:3a00:22b0:0082::/64 eq 128"
        action: <str; required>

Match list input

Variable Type Required Default Value Restrictions Description
match_list_input Dictionary
  prefix_ipv4 List, items: Dictionary
    - name String Required, Unique Prefix-List Name.
      prefixes List, items: String Required Min Length: 1 List of IPv4 prefixes (with the subnet mask e.g. 192.0.2.0/24).
        - <str> String
  prefix_ipv6 List, items: Dictionary
    - name String Required, Unique Prefix-List Name.
      prefixes List, items: String Required Min Length: 1 List of IPv6 prefixes (with the subnet mask e.g. 2001:db8:abcd:0013::/64).
        - <str> String
  string List, items: Dictionary
    - name String Required, Unique Match-list Name.
      sequence_numbers List, items: Dictionary Required
        - sequence Integer Required, Unique Sequence ID.
          match_regex String Required Regular Expression.
match_list_input:
  prefix_ipv4:

      # Prefix-List Name.
    - name: <str; required; unique>

      # List of IPv4 prefixes (with the subnet mask e.g. 192.0.2.0/24).
      prefixes: # >=1 items; required
        - <str>
  prefix_ipv6:

      # Prefix-List Name.
    - name: <str; required; unique>

      # List of IPv6 prefixes (with the subnet mask e.g. 2001:db8:abcd:0013::/64).
      prefixes: # >=1 items; required
        - <str>
  string:

      # Match-list Name.
    - name: <str; required; unique>
      sequence_numbers: # required

          # Sequence ID.
        - sequence: <int; required; unique>

          # Regular Expression.
          match_regex: <str; required>

Peer-filters

Variable Type Required Default Value Restrictions Description
peer_filters List, items: Dictionary
  - name String Required, Unique Peer-filter Name.
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        match String Required Match as string.
Example: “as-range 1-100 result accept”
peer_filters:

    # Peer-filter Name.
  - name: <str; required; unique>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Match as string.
        # Example: "as-range 1-100 result accept"
        match: <str; required>

Policy-maps

Variable Type Required Default Value Restrictions Description
policy_maps Dictionary
  pbr List, items: Dictionary PBR Policy-Maps.
    - name String Required, Unique Policy-Map Name.
      classes List, items: Dictionary
        - name String Required, Unique Class Name.
          index Integer
          drop Boolean ‘drop’ and ‘set’ are mutually exclusive.
          set Dictionary Set Nexthop
‘drop’ and ‘set’ are mutually exclusive.
            nexthop Dictionary
              ip_address String IPv4 or IPv6 Address.
              recursive Boolean
  qos List, items: Dictionary QOS Policy-Maps.
    - name String Required, Unique Policy-Map Name.
      classes List, items: Dictionary
        - name String Required, Unique Class Name.
          set Dictionary
            cos Integer
            dscp String
            traffic_class Integer
            drop_precedence Integer
          police Dictionary
            rate Integer Specify rate.
Range in kbps <8-200000000>.
            rate_unit String bps Valid Values:
- bps
- kbps
- mbps
- pps
            rate_burst_size Integer Range in bytes <256-128000000>.
            rate_burst_size_unit String bytes Valid Values:
- bytes
- kbytes
- mbytes
- packets
            action Dictionary
              type String Valid Values:
- dscp
- drop-precedence
Set action for policed traffic.
              dscp_value String Set when action.type is set to “dscp”.
            higher_rate Integer Specify higher rate.
Range in kbps .
            higher_rate_unit String bps Valid Values:
- bps
- kbps
- mbps
- pps
            higher_rate_burst_size Integer Range in bytes <256-128000000>.
            higher_rate_burst_size_unit String bytes Valid Values:
- bytes
- kbytes
- mbytes
- packets
  copp_system_policy Dictionary Control-plane policy configuration.
    classes List, items: Dictionary
      - name String Required, Unique
        shape Integer Min: 0
Max: 10000000
Maximum rate limit.
        bandwidth Integer Min: 0
Max: 10000000
Minimum bandwidth.
        rate_unit String Valid Values:
- pps
- kbps
The rate_unit must be defined for shape and bandwidth.
policy_maps:

  # PBR Policy-Maps.
  pbr:

      # Policy-Map Name.
    - name: <str; required; unique>
      classes:

          # Class Name.
        - name: <str; required; unique>
          index: <int>

          # 'drop' and 'set' are mutually exclusive.
          drop: <bool>

          # Set Nexthop
          # 'drop' and 'set' are mutually exclusive.
          set:
            nexthop:

              # IPv4 or IPv6 Address.
              ip_address: <str>
              recursive: <bool>

  # QOS Policy-Maps.
  qos:

      # Policy-Map Name.
    - name: <str; required; unique>
      classes:

          # Class Name.
        - name: <str; required; unique>
          set:
            cos: <int>
            dscp: <str>
            traffic_class: <int>
            drop_precedence: <int>
          police:

            # Specify rate.
            # Range in kbps <8-200000000>.
            rate: <int>
            rate_unit: <str; "bps" | "kbps" | "mbps" | "pps"; default="bps">

            # Range in bytes <256-128000000>.
            rate_burst_size: <int>
            rate_burst_size_unit: <str; "bytes" | "kbytes" | "mbytes" | "packets"; default="bytes">
            action:

              # Set action for policed traffic.
              type: <str; "dscp" | "drop-precedence">

              # Set when action.type is set to "dscp".
              dscp_value: <str>

            # Specify higher rate.
            # Range in kbps <lower_rate in kbps + 8 - lower_rate in kbps + 200000000>.
            higher_rate: <int>
            higher_rate_unit: <str; "bps" | "kbps" | "mbps" | "pps"; default="bps">

            # Range in bytes <256-128000000>.
            higher_rate_burst_size: <int>
            higher_rate_burst_size_unit: <str; "bytes" | "kbytes" | "mbytes" | "packets"; default="bytes">

  # Control-plane policy configuration.
  copp_system_policy:
    classes:
      - name: <str; required; unique>

        # Maximum rate limit.
        shape: <int; 0-10000000>

        # Minimum bandwidth.
        bandwidth: <int; 0-10000000>

        # The `rate_unit` must be defined for `shape` and `bandwidth`.
        rate_unit: <str; "pps" | "kbps">

Prefix-lists

Variable Type Required Default Value Restrictions Description
prefix_lists List, items: Dictionary
  - name String Required, Unique Prefix-list Name.
    sequence_numbers List, items: Dictionary
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “permit 10.255.0.0/27 eq 32”
prefix_lists:

    # Prefix-list Name.
  - name: <str; required; unique>
    sequence_numbers:

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "permit 10.255.0.0/27 eq 32"
        action: <str; required>

Route-maps

Variable Type Required Default Value Restrictions Description
route_maps List, items: Dictionary
  - name String Required, Unique Route-map Name.
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        type String Required Valid Values:
- permit
- deny
        description String
        match List, items: String List of “match” statements.
          - <str> String Match as string.
Example: “ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY”
        set List, items: String List of “set” statements.
          - <str> String Set as string.
Example: “origin incomplete”
        sub_route_map String Name of Sub-Route-map.
        continue Dictionary
          enabled Boolean
          sequence_number Integer
route_maps:

    # Route-map Name.
  - name: <str; required; unique>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>
        type: <str; "permit" | "deny"; required>
        description: <str>

        # List of "match" statements.
        match:

            # Match as string.
            # Example: "ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY"
          - <str>

        # List of "set" statements.
        set:

            # Set as string.
            # Example: "origin incomplete"
          - <str>

        # Name of Sub-Route-map.
        sub_route_map: <str>
        continue:
          enabled: <bool>
          sequence_number: <int>

Trackers

Variable Type Required Default Value Restrictions Description
trackers List, items: Dictionary
  - name String Required, Unique Name of tracker object.
    interface String Required Name of tracked interface.
    tracked_property String line-protocol Property to track.
trackers:

    # Name of tracker object.
  - name: <str; required; unique>

    # Name of tracked interface.
    interface: <str; required>

    # Property to track.
    tracked_property: <str; default="line-protocol">

Traffic policies

Variable Type Required Default Value Restrictions Description
traffic_policies Dictionary
  options Dictionary
    counter_per_interface Boolean
  field_sets Dictionary
    ipv4 List, items: Dictionary
      - name String Required, Unique IPv4 Prefix Field Set Name.
        prefixes List, items: String
          - <str> String IPv4 Prefix.
    ipv6 List, items: Dictionary
      - name String Required, Unique IPv6 Prefix Field Set Name.
        prefixes List, items: String
          - <str> String IPv6 Prefix.
    ports List, items: Dictionary
      - name String Required, Unique L4 Port Field Set Name.
        port_range String Example: ‘10,20,80,440-450’
  policies List, items: Dictionary
    - name String Required, Unique Traffic Policy Name.
      matches List, items: Dictionary
        - name String Required, Unique Traffic Policy Item.
          type String Valid Values:
- ipv4
- ipv6
          source Dictionary
            prefixes List, items: String
              - <str> String IP address or prefix.
            prefix_lists List, items: String Field-set prefix lists.
              - <str> String
          destination Dictionary
            prefixes List, items: String
              - <str> String IP address or prefix.
            prefix_lists List, items: String Field-set prefix lists.
              - <str> String
          ttl String TTL range.
          fragment Dictionary The ‘fragment’ command is not supported when ‘source port’
or ‘destination port’ command is configured.
            offset String Fragment offset range.
          protocols List, items: Dictionary
            - protocol String Required, Unique
              src_port String Port range.
              dst_port String Port range.
              src_field String L4 port range field set.
              dst_field String L4 port range field set.
              flags List, items: String
                - <str> String Valid Values:
- established
- initial
              icmp_type List, items: String
                - <str> String
          actions Dictionary
            dscp Integer
            traffic_class Integer Traffic class ID.
            count String Counter name.
            drop Boolean
            log Boolean Only supported when action is set to drop.
      default_actions Dictionary
        ipv4 Dictionary
          dscp Integer
          traffic_class Integer Traffic class ID.
          count String Counter name.
          drop Boolean
          log Boolean Only supported when action is set to drop.
        ipv6 Dictionary
          dscp Integer
          traffic_class Integer Traffic class ID.
          count String Counter name.
          drop Boolean
          log Boolean Only supported when action is set to drop.
traffic_policies:
  options:
    counter_per_interface: <bool>
  field_sets:
    ipv4:

        # IPv4 Prefix Field Set Name.
      - name: <str; required; unique>
        prefixes:

            # IPv4 Prefix.
          - <str>
    ipv6:

        # IPv6 Prefix Field Set Name.
      - name: <str; required; unique>
        prefixes:

            # IPv6 Prefix.
          - <str>
    ports:

        # L4 Port Field Set Name.
      - name: <str; required; unique>

        # Example: '10,20,80,440-450'
        port_range: <str>
  policies:

      # Traffic Policy Name.
    - name: <str; required; unique>
      matches:

          # Traffic Policy Item.
        - name: <str; required; unique>
          type: <str; "ipv4" | "ipv6">
          source:
            prefixes:

                # IP address or prefix.
              - <str>

            # Field-set prefix lists.
            prefix_lists:
              - <str>
          destination:
            prefixes:

                # IP address or prefix.
              - <str>

            # Field-set prefix lists.
            prefix_lists:
              - <str>

          # TTL range.
          ttl: <str>

          # The 'fragment' command is not supported when 'source port'
          # or 'destination port' command is configured.
          fragment:

            # Fragment offset range.
            offset: <str>
          protocols:
            - protocol: <str; required; unique>

              # Port range.
              src_port: <str>

              # Port range.
              dst_port: <str>

              # L4 port range field set.
              src_field: <str>

              # L4 port range field set.
              dst_field: <str>
              flags:
                - <str; "established" | "initial">
              icmp_type:
                - <str>
          actions:
            dscp: <int>

            # Traffic class ID.
            traffic_class: <int>

            # Counter name.
            count: <str>
            drop: <bool>

            # Only supported when action is set to drop.
            log: <bool>
      default_actions:
        ipv4:
          dscp: <int>

          # Traffic class ID.
          traffic_class: <int>

          # Counter name.
          count: <str>
          drop: <bool>

          # Only supported when action is set to drop.
          log: <bool>
        ipv6:
          dscp: <int>

          # Traffic class ID.
          traffic_class: <int>

          # Counter name.
          count: <str>
          drop: <bool>

          # Only supported when action is set to drop.
          log: <bool>

Interfaces

DPS interfaces

Variable Type Required Default Value Restrictions Description
dps_interfaces List, items: Dictionary Min Length: 1
Max Length: 1
  - name String Required, Unique Valid Values:
- Dps1
“Dps1” is currently the only supported interface.
    description String
    shutdown Boolean
    mtu Integer Min: 68
Max: 65535
Maximum Transmission Unit in bytes.
    ip_address String IPv4 address/mask.
    flow_tracker Dictionary
      sampled String Sampled flow tracker name.
      hardware String Hardware flow tracker name,
    tcp_mss_ceiling Dictionary
      ipv4 Integer Min: 64
Max: 65495
Segment Size for IPv4.
      ipv6 Integer Min: 64
Max: 65475
Segment Size for IPv6.
      direction String Valid Values:
- ingress
- egress
Optional direction (‘ingress’, ‘egress’) for tcp mss ceiling.
    eos_cli String Multiline String with EOS CLI rendered directly on the Dps interface in the final EOS configuration.
dps_interfaces: # 1-1 items

    # "Dps1" is currently the only supported interface.
  - name: <str; "Dps1"; required; unique>
    description: <str>
    shutdown: <bool>

    # Maximum Transmission Unit in bytes.
    mtu: <int; 68-65535>

    # IPv4 address/mask.
    ip_address: <str>
    flow_tracker:

      # Sampled flow tracker name.
      sampled: <str>

      # Hardware flow tracker name,
      hardware: <str>
    tcp_mss_ceiling:

      # Segment Size for IPv4.
      ipv4: <int; 64-65495>

      # Segment Size for IPv6.
      ipv6: <int; 64-65475>

      # Optional direction ('ingress', 'egress')  for tcp mss ceiling.
      direction: <str; "ingress" | "egress">

    # Multiline String with EOS CLI rendered directly on the Dps interface in the final EOS configuration.
    eos_cli: <str>

Errdisable

Variable Type Required Default Value Restrictions Description
errdisable Dictionary
  detect Dictionary
    causes List, items: String
      - <str> String Valid Values:
- acl
- arp-inspection
- dot1x
- link-change
- tapagg
- xcvr-misconfigured
- xcvr-overheat
- xcvr-power-unsupported
  recovery Dictionary
    causes List, items: String
      - <str> String Valid Values:
- arp-inspection
- bpduguard
- dot1x
- hitless-reload-down
- lacp-rate-limit
- link-flap
- no-internal-vlan
- portchannelguard
- portsec
- speed-misconfigured
- tap-port-init
- tapagg
- uplink-failure-detection
- xcvr-misconfigured
- xcvr-overheat
- xcvr-power-unsupported
- xcvr-unsupported
    interval Integer 300 Min: 30
Max: 86400
Interval in seconds.
errdisable:
  detect:
    causes:
      - <str; "acl" | "arp-inspection" | "dot1x" | "link-change" | "tapagg" | "xcvr-misconfigured" | "xcvr-overheat" | "xcvr-power-unsupported">
  recovery:
    causes:
      - <str; "arp-inspection" | "bpduguard" | "dot1x" | "hitless-reload-down" | "lacp-rate-limit" | "link-flap" | "no-internal-vlan" | "portchannelguard" | "portsec" | "speed-misconfigured" | "tap-port-init" | "tapagg" | "uplink-failure-detection" | "xcvr-misconfigured" | "xcvr-overheat" | "xcvr-power-unsupported" | "xcvr-unsupported">

    # Interval in seconds.
    interval: <int; 30-86400; default=300>

Ethernet interfaces

Variable Type Required Default Value Restrictions Description
ethernet_interfaces List, items: Dictionary
  - name String Required, Unique
    description String
    shutdown Boolean
    load_interval Integer Min: 0
Max: 600
Interval in seconds for updating interface counters.
    speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
    mtu Integer Min: 68
Max: 65535
    l2_mtu Integer Min: 68
Max: 65535
“l2_mtu” should only be defined for platforms supporting the “l2 mtu” CLI.
    l2_mru Integer Min: 68
Max: 65535
“l2_mru” should only be defined for platforms supporting the “l2 mru” CLI.
    vlans String List of switchport vlans as string.
For a trunk port this would be a range like “1-200,300”.
For an access port this would be a single vlan “123”.
    native_vlan Integer
    native_vlan_tag Boolean If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    mode String Valid Values:
- access
- dot1q-tunnel
- trunk
- trunk phone
    phone Dictionary
      trunk String Valid Values:
- tagged
- tagged phone
- untagged
- untagged phone
      vlan Integer Min: 1
Max: 4094
    l2_protocol Dictionary
      encapsulation_dot1q_vlan Integer Vlan tag to configure on sub-interface.
      forwarding_profile String L2 protocol forwarding profile.
    trunk_groups List, items: String
      - <str> String
    type String Valid Values:
- routed
- switched
- l3dot1q
- l2dot1q
- port-channel-member
l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
Interface will not be listed in device documentation, unless “type” is set.
    snmp_trap_link_change Boolean
    address_locking Dictionary
      ipv4 Boolean Enable address locking for IPv4.
      ipv6 Boolean Enable address locking for IPv6.
    flowcontrol Dictionary
      received String Valid Values:
- desired
- on
- off
    vrf String VRF name.
    flow_tracker Dictionary
      sampled String Sampled flow tracker name.
      hardware String Hardware flow tracker name.
    error_correction_encoding Dictionary
      enabled Boolean True
      fire_code Boolean
      reed_solomon Boolean
    link_tracking_groups List, items: Dictionary
      - name String Required, Unique Group name.
        direction String Valid Values:
- upstream
- downstream
    evpn_ethernet_segment Dictionary
      identifier String EVPN Ethernet Segment Identifier (Type 1 format).
      redundancy String Valid Values:
- all-active
- single-active
      designated_forwarder_election Dictionary
        algorithm String Valid Values:
- modulus
- preference
        preference_value Integer Min: 0
Max: 65535
Preference_value is only used when “algorithm” is “preference”.
        dont_preempt Boolean Dont_preempt is only used when “algorithm” is “preference”.
        hold_time Integer
        subsequent_hold_time Integer
        candidate_reachability_required Boolean
      mpls Dictionary
        shared_index Integer Min: 1
Max: 1024
        tunnel_flood_filter_time Integer
      route_target String EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
    encapsulation_dot1q_vlan Integer VLAN tag to configure on sub-interface.
    encapsulation_vlan Dictionary
      client Dictionary
        dot1q Dictionary
          vlan Integer Client VLAN ID.
          outer Integer Client Outer VLAN ID.
          inner Integer Client Inner VLAN ID.
        unmatched Boolean
      network Dictionary Network encapsulations are all optional and skipped if using client unmatched.
        dot1q Dictionary
          vlan Integer Network VLAN ID.
          outer Integer Network outer VLAN ID.
          inner Integer Network inner VLAN ID.
        client Boolean
    vlan_id Integer Min: 1
Max: 4094
    ip_address String IPv4 address/mask or “dhcp”.
    ip_address_secondaries List, items: String
      - <str> String
    ip_verify_unicast_source_reachable_via String Valid Values:
- any
- rx
    dhcp_client_accept_default_route Boolean Install default-route obtained via DHCP.
    dhcp_server_ipv4 Boolean Enable IPv4 DHCP server.
    dhcp_server_ipv6 Boolean Enable IPv6 DHCP server.
    ip_helpers List, items: Dictionary
      - ip_helper String Required, Unique
        source_interface String Source interface name.
        vrf String VRF name.
    ip_nat Dictionary
      service_profile String NAT interface profile.
      destination Dictionary
        dynamic List, items: Dictionary
          - access_list String Required, Unique
            comment String
            pool_name String Required
            priority Integer Min: 0
Max: 4294967295
        static List, items: Dictionary
          - access_list String ‘access_list’ and ‘group’ are mutual exclusive.
            comment String
            direction String Valid Values:
- egress
- ingress
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            group Integer Min: 1
Max: 65535
‘access_list’ and ‘group’ are mutual exclusive.
            original_ip String IPv4 address. The combination of original_ip and original_port must be unique.
            original_port Integer Min: 1
Max: 65535
TCP/UDP port. The combination of original_ip and original_port must be unique.
            priority Integer Min: 0
Max: 4294967295
            protocol String Valid Values:
- udp
- tcp
            translated_ip String Required IPv4 address.
            translated_port Integer Min: 1
Max: 65535
requires ‘original_port’.
      source Dictionary
        dynamic List, items: Dictionary
          - access_list String Required, Unique
            comment String
            nat_type String Required Valid Values:
- overload
- pool
- pool-address-only
- pool-full-cone
            pool_name String required if ‘nat_type’ is pool, pool-address-only or pool-full-cone.
ignored if ‘nat_type’ is overload.
            priority Integer Min: 0
Max: 4294967295
        static List, items: Dictionary
          - access_list String ‘access_list’ and ‘group’ are mutual exclusive.
            comment String
            direction String Valid Values:
- egress
- ingress
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            group Integer Min: 1
Max: 65535
‘access_list’ and ‘group’ are mutual exclusive.
            original_ip String IPv4 address. The combination of original_ip and original_port must be unique.
            original_port Integer Min: 1
Max: 65535
TCP/UDP port. The combination of original_ip and original_port must be unique.
            priority Integer Min: 0
Max: 4294967295
            protocol String Valid Values:
- udp
- tcp
            translated_ip String Required IPv4 address.
            translated_port Integer Min: 1
Max: 65535
requires ‘original_port’.
    ipv6_enable Boolean
    ipv6_address String
    ipv6_address_link_local String Link local IPv6 address/mask.
    ipv6_nd_ra_disabled Boolean
    ipv6_nd_managed_config_flag Boolean
    ipv6_nd_prefixes List, items: Dictionary
      - ipv6_prefix String Required, Unique
        valid_lifetime String Infinite or lifetime in seconds.
        preferred_lifetime String Infinite or lifetime in seconds.
        no_autoconfig_flag Boolean
    ipv6_dhcp_relay_destinations List, items: Dictionary
      - address String Required, Unique DHCP server’s IPv6 address.
        vrf String
        local_interface String Local interface to communicate with DHCP server - mutually exclusive to source_address.
        source_address String Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface.
        link_address String Override the default link address specified in the relayed DHCP packet.
    access_group_in String Access list name.
    access_group_out String Access list name.
    ipv6_access_group_in String IPv6 access list name.
    ipv6_access_group_out String IPv6 access list name.
    mac_access_group_in String MAC access list name.
    mac_access_group_out String MAC access list name.
    multicast Dictionary Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both.
      ipv4 Dictionary
        boundaries List, items: Dictionary
          - boundary String ACL name or multicast IP subnet.
            out Boolean
        static Boolean
      ipv6 Dictionary
        boundaries List, items: Dictionary
          - boundary String ACL name or multicast IP subnet.
        static Boolean
    ospf_network_point_to_point Boolean
    ospf_area String
    ospf_cost Integer
    ospf_authentication String Valid Values:
- none
- simple
- message-digest
    ospf_authentication_key String Encrypted password - only type 7 supported.
    ospf_message_digest_keys List, items: Dictionary
      - id Integer Required, Unique
        hash_algorithm String Valid Values:
- md5
- sha1
- sha256
- sha384
- sha512
        key String Encrypted password - only type 7 supported.
    pim Dictionary
      ipv4 Dictionary
        border_router Boolean Configure PIM border router. EOS default is false.
        dr_priority Integer Min: 0
Max: 429467295
        sparse_mode Boolean
        bfd Boolean Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
        bidirectional Boolean
        hello Dictionary
          count String Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
          interval Integer Min: 1
Max: 65535
PIM hello interval in seconds.
    mac_security Dictionary
      profile String
    tcp_mss_ceiling Dictionary The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.
      ipv4_segment_size Integer Min: 64
Max: 65475
      ipv6_segment_size Integer Min: 64
Max: 65475
      direction String Valid Values:
- egress
- ingress
    channel_group Dictionary
      id Integer
      mode String Valid Values:
- on
- active
- passive
    isis_enable String ISIS instance.
    isis_bfd Boolean Enable BFD for ISIS.
    isis_passive Boolean
    isis_metric Integer
    isis_network_point_to_point Boolean
    isis_circuit_type String Valid Values:
- level-1-2
- level-1
- level-2
    isis_hello_padding Boolean
    isis_authentication_mode String Valid Values:
- text
- md5
    isis_authentication_key String Type-7 encrypted password.
    poe Dictionary
      disabled Boolean False Disable PoE on a POE capable port. PoE is enabled on all ports that support it by default in EOS.
      priority String Valid Values:
- critical
- high
- medium
- low
Prioritize a port’s power in the event that one of the switch’s power supplies loses power.
      reboot Dictionary Set the PoE power behavior for a PoE port when the system is rebooted.
        action String Valid Values:
- maintain
- power-off
PoE action for interface.
      link_down Dictionary Set the PoE power behavior for a PoE port when the port goes down.
        action String Valid Values:
- maintain
- power-off
PoE action for interface.
        power_off_delay Integer Min: 1
Max: 86400
Number of seconds to delay shutting the power off after a link down event occurs. Default value is 5 seconds in EOS.
      shutdown Dictionary Set the PoE power behavior for a PoE port when the port is admin down.
        action String Valid Values:
- maintain
- power-off
PoE action for interface.
      limit Dictionary Override the hardware-negotiated power limit using either wattage or a power class. Note that if using a power class, AVD will automatically convert the class value to the wattage value corresponding to that power class.
        class Integer Min: 0
Max: 8
        watts String
        fixed Boolean Set to ignore hardware classification.
      negotiation_lldp Boolean Disable to prevent port from negotiating power with powered devices over LLDP. Enabled by default in EOS.
      legacy_detect Boolean Allow a subset of legacy devices to work with the PoE switch. Disabled by default in EOS because it can cause false positive detections.
    ptp Dictionary
      enable Boolean
      announce Dictionary
        interval Integer
        timeout Integer
      delay_req Integer
      delay_mechanism String Valid Values:
- e2e
- p2p
      profile Dictionary
        g8275_1 Dictionary
          destination_mac_address String Valid Values:
- forwardable
- non-forwardable
      sync_message Dictionary
        interval Integer
      role String Valid Values:
- master
- dynamic
      vlan String VLAN can be ‘all’ or list of vlans as string.
      transport String Valid Values:
- ipv4
- ipv6
- layer2
    profile String Interface profile.
    storm_control Dictionary
      all Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
      broadcast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
      multicast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
      unknown_unicast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
    logging Dictionary
      event Dictionary
        link_status Boolean
        congestion_drops Boolean
        spanning_tree Boolean
        storm_control_discards Boolean Discards due to storm-control.
    lldp Dictionary
      transmit Boolean
      receive Boolean
      ztp_vlan Integer ZTP vlan number.
    trunk_private_vlan_secondary Boolean
    pvlan_mapping String List of vlans as string.
    vlan_translations List, items: Dictionary
      - from String List of vlans as string (only one vlan if direction is “both”).
        to Integer VLAN ID.
        direction String both Valid Values:
- in
- out
- both
    dot1x Dictionary
      port_control String Valid Values:
- auto
- force-authorized
- force-unauthorized
      port_control_force_authorized_phone Boolean
      reauthentication Boolean
      pae Dictionary
        mode String Valid Values:
- authenticator
      authentication_failure Dictionary
        action String Valid Values:
- allow
- drop
        allow_vlan Integer Min: 1
Max: 4094
      host_mode Dictionary
        mode String Valid Values:
- multi-host
- single-host
        multi_host_authenticated Boolean
      mac_based_authentication Dictionary
        enabled Boolean
        always Boolean
        host_mode_common Boolean
      timeout Dictionary
        idle_host Integer Min: 10
Max: 65535
        quiet_period Integer Min: 1
Max: 65535
        reauth_period String Value can be 60-4294967295 or ‘server’.
        reauth_timeout_ignore Boolean
        tx_period Integer Min: 1
Max: 65535
      reauthorization_request_limit Integer Min: 1
Max: 10
      unauthorized Dictionary
        access_vlan_membership_egress Boolean
        native_vlan_membership_egress Boolean
      eapol Dictionary
        disabled Boolean
        authentication_failure_fallback_mba Dictionary
          enabled Boolean
          timeout Integer Min: 0
Max: 65535
    service_profile String QOS profile.
    shape Dictionary
      rate String Rate in kbps, pps or percent.
Supported options are platform dependent.
Examples:
- “5000 kbps”
- “1000 pps”
- “20 percent”
    qos Dictionary
      trust String Valid Values:
- dscp
- cos
- disabled
      dscp Integer DSCP value.
      cos Integer COS value.
    spanning_tree_bpdufilter String Valid Values:
- enabled
- disabled
- True
- False
- true
- false
    spanning_tree_bpduguard String Valid Values:
- enabled
- disabled
- True
- False
- true
- false
    spanning_tree_guard String Valid Values:
- loop
- root
- disabled
    spanning_tree_portfast String Valid Values:
- edge
- network
    vmtracer Boolean
    priority_flow_control Dictionary
      enabled Boolean
      priorities List, items: Dictionary
        - priority Integer Required, Unique Min: 0
Max: 7
          no_drop Boolean
    bfd Dictionary
      echo Boolean
      interval Integer Interval in milliseconds.
      min_rx Integer Rate in milliseconds.
      multiplier Integer Min: 3
Max: 50
    service_policy Dictionary
      pbr Dictionary
        input String Policy Based Routing Policy-map name.
      qos Dictionary
        input String Required Quality of Service Policy-map name.
    mpls Dictionary
      ip Boolean
      ldp Dictionary
        interface Boolean
        igp_sync Boolean
    lacp_timer Dictionary
      mode String Valid Values:
- fast
- normal
      multiplier Integer Min: 3
Max: 3000
    lacp_port_priority Integer Min: 0
Max: 65535
    transceiver Dictionary
      frequency String Transceiver Laser Frequency in GHz (min 190000, max 200000).
      frequency_unit String Valid Values:
- ghz
Unit of Transceiver Laser Frequency.
      media Dictionary
        override String Transceiver type.
    ip_proxy_arp Boolean
    traffic_policy Dictionary
      input String Ingress traffic policy.
      output String Egress traffic policy.
    bgp Dictionary
      session_tracker String Name of session tracker.
    ip_igmp_host_proxy Dictionary
      enabled Boolean
      groups List, items: Dictionary
        - group String Required, Unique Multicast Address.
          exclude List, items: Dictionary The same source must not be present both in exclude and include list.
            - source String Required, Unique
          include List, items: Dictionary The same source must not be present both in exclude and include list.
            - source String Required, Unique
      report_interval Integer Min: 1
Max: 31744
Time interval between unsolicited reports.
      access_lists List, items: Dictionary Non-standard Access List name.
        - name String Required, Unique
      version Integer Min: 1
Max: 3
IGMP version on IGMP host-proxy interface.
    peer String Key only used for documentation or validation purposes.
    peer_interface String Key only used for documentation or validation purposes.
    peer_type String Key only used for documentation or validation purposes.
    sflow Dictionary
      enable Boolean
      egress Dictionary
        enable Boolean
        unmodified_enable Boolean
    sync_e Dictionary
      enable Boolean
      priority String The priority is used to influence the reference clock selection. The EOS default priority is 127. The priority can be configured to any integer between 1-255, or set to disabled.
    port_profile String Key only used for documentation or validation purposes.
    uc_tx_queues List, items: Dictionary
      - id Integer Required, Unique TX-Queue ID.
        random_detect Dictionary
          ecn Dictionary Explicit Congestion Notification.
            count Boolean Enable counter for random-detect ECNs.
            threshold Dictionary
              units String Required Valid Values:
- segments
- bytes
- kbytes
- mbytes
- milliseconds
Indicate the units to be used for the threshold values.
              min Integer Required Min: 1
Max: 256000000
Set the random-detect ECN minimum-threshold.
              max Integer Required Min: 1
Max: 256000000
Set the random-detect ECN maximum-threshold.
              max_probability Integer Min: 1
Max: 100
Set the random-detect ECN max-mark-probability.
              weight Integer Min: 0
Max: 15
Set the random-detect ECN weight.
    tx_queues List, items: Dictionary
      - id Integer Required, Unique TX-Queue ID.
        random_detect Dictionary
          ecn Dictionary Explicit Congestion Notification.
            count Boolean Enable counter for random-detect ECNs.
            threshold Dictionary
              units String Required Valid Values:
- segments
- bytes
- kbytes
- mbytes
- milliseconds
Indicate the units to be used for the threshold values.
              min Integer Min: 1
Max: 256000000
Set the random-detect ECN minimum-threshold.
              max Integer Required Min: 1
Max: 256000000
Set the random-detect ECN maximum-threshold.
              max_probability Integer Required Min: 1
Max: 100
Set the random-detect ECN max-mark-probability.
              weight Integer Min: 0
Max: 15
Set the random-detect ECN weight.
    vrrp_ids List, items: Dictionary VRRP model.
      - id Integer Required, Unique VRID.
        priority_level Integer Min: 1
Max: 254
Instance priority.
        advertisement Dictionary
          interval Integer Min: 1
Max: 255
Interval in seconds.
        preempt Dictionary
          enabled Boolean Required
          delay Dictionary
            minimum Integer Min: 0
Max: 3600
Minimum preempt delay in seconds.
            reload Integer Min: 0
Max: 3600
Reload preempt delay in seconds.
        timers Dictionary
          delay Dictionary
            reload Integer Min: 0
Max: 3600
Delay after reload in seconds.
        tracked_object List, items: Dictionary
          - name String Required, Unique Tracked object name.
            decrement Integer Min: 1
Max: 254
Decrement VRRP priority by 1-254.
            shutdown Boolean
        ipv4 Dictionary
          address String Required Virtual IPv4 address.
          version Integer Valid Values:
- 2
- 3
        ipv6 Dictionary
          address String Required Virtual IPv6 address.
    validate_state Boolean Set to false to disable interface validation by the eos_validate_state role.
    switchport Dictionary
      port_security Dictionary
        enabled Boolean
        mac_address_maximum Dictionary Maximum number of MAC addresses allowed on the interface.
          disabled Boolean Disable port level check for port security (only in violation ‘shutdown’ mode).
          limit Integer Min: 1
Max: 1000
MAC address limit.
        violation Dictionary Configure violation mode (shutdown or protect), EOS default is ‘shutdown’.
          mode String Valid Values:
- shutdown
- protect
Configure port security mode.
          protect_log Boolean Log new addresses seen after limit is reached in protect mode.
        vlan_default_mac_address_maximum Integer Min: 0
Max: 1000
Default maximum MAC addresses for all VLANs on this interface.
        vlans List, items: Dictionary
          - range String Required, Unique VLAN ID or range(s) of VLAN IDs, <1-4094>.
Example:
- 3
- 1,3
- 1-10
            mac_address_maximum Integer
    eos_cli String Multiline EOS CLI rendered directly on the ethernet interface in the final EOS configuration.
ethernet_interfaces:
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>

    # Interval in seconds for updating interface counters.
    load_interval: <int; 0-600>

    # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
    speed: <str>
    mtu: <int; 68-65535>

    # "l2_mtu" should only be defined for platforms supporting the "l2 mtu" CLI.
    l2_mtu: <int; 68-65535>

    # "l2_mru" should only be defined for platforms supporting the "l2 mru" CLI.
    l2_mru: <int; 68-65535>

    # List of switchport vlans as string.
    # For a trunk port this would be a range like "1-200,300".
    # For an access port this would be a single vlan "123".
    vlans: <str>
    native_vlan: <int>

    # If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    native_vlan_tag: <bool>
    mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">
    phone:
      trunk: <str; "tagged" | "tagged phone" | "untagged" | "untagged phone">
      vlan: <int; 1-4094>
    l2_protocol:

      # Vlan tag to configure on sub-interface.
      encapsulation_dot1q_vlan: <int>

      # L2 protocol forwarding profile.
      forwarding_profile: <str>
    trunk_groups:
      - <str>

    # l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
    # Interface will not be listed in device documentation, unless "type" is set.
    type: <str; "routed" | "switched" | "l3dot1q" | "l2dot1q" | "port-channel-member">
    snmp_trap_link_change: <bool>
    address_locking:

      # Enable address locking for IPv4.
      ipv4: <bool>

      # Enable address locking for IPv6.
      ipv6: <bool>
    flowcontrol:
      received: <str; "desired" | "on" | "off">

    # VRF name.
    vrf: <str>
    flow_tracker:

      # Sampled flow tracker name.
      sampled: <str>

      # Hardware flow tracker name.
      hardware: <str>
    error_correction_encoding:
      enabled: <bool; default=True>
      fire_code: <bool>
      reed_solomon: <bool>
    link_tracking_groups:

        # Group name.
      - name: <str; required; unique>
        direction: <str; "upstream" | "downstream">
    evpn_ethernet_segment:

      # EVPN Ethernet Segment Identifier (Type 1 format).
      identifier: <str>
      redundancy: <str; "all-active" | "single-active">
      designated_forwarder_election:
        algorithm: <str; "modulus" | "preference">

        # Preference_value is only used when "algorithm" is "preference".
        preference_value: <int; 0-65535>

        # Dont_preempt is only used when "algorithm" is "preference".
        dont_preempt: <bool>
        hold_time: <int>
        subsequent_hold_time: <int>
        candidate_reachability_required: <bool>
      mpls:
        shared_index: <int; 1-1024>
        tunnel_flood_filter_time: <int>

      # EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
      route_target: <str>

    # VLAN tag to configure on sub-interface.
    encapsulation_dot1q_vlan: <int>
    encapsulation_vlan:
      client:
        dot1q:

          # Client VLAN ID.
          vlan: <int>

          # Client Outer VLAN ID.
          outer: <int>

          # Client Inner VLAN ID.
          inner: <int>
        unmatched: <bool>

      # Network encapsulations are all optional and skipped if using client unmatched.
      network:
        dot1q:

          # Network VLAN ID.
          vlan: <int>

          # Network outer VLAN ID.
          outer: <int>

          # Network inner VLAN ID.
          inner: <int>
        client: <bool>
    vlan_id: <int; 1-4094>

    # IPv4 address/mask or "dhcp".
    ip_address: <str>
    ip_address_secondaries:
      - <str>
    ip_verify_unicast_source_reachable_via: <str; "any" | "rx">

    # Install default-route obtained via DHCP.
    dhcp_client_accept_default_route: <bool>

    # Enable IPv4 DHCP server.
    dhcp_server_ipv4: <bool>

    # Enable IPv6 DHCP server.
    dhcp_server_ipv6: <bool>
    ip_helpers:
      - ip_helper: <str; required; unique>

        # Source interface name.
        source_interface: <str>

        # VRF name.
        vrf: <str>
    ip_nat:

      # NAT interface profile.
      service_profile: <str>
      destination:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            pool_name: <str; required>
            priority: <int; 0-4294967295>
        static:

            # 'access_list' and 'group' are mutual exclusive.
          - access_list: <str>
            comment: <str>

            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">

            # 'access_list' and 'group' are mutual exclusive.
            group: <int; 1-65535>

            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>

            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">

            # IPv4 address.
            translated_ip: <str; required>

            # requires 'original_port'.
            translated_port: <int; 1-65535>
      source:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>

            # required if 'nat_type' is pool, pool-address-only or pool-full-cone.
            # ignored if 'nat_type' is overload.
            pool_name: <str>
            priority: <int; 0-4294967295>
        static:

            # 'access_list' and 'group' are mutual exclusive.
          - access_list: <str>
            comment: <str>

            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">

            # 'access_list' and 'group' are mutual exclusive.
            group: <int; 1-65535>

            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>

            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">

            # IPv4 address.
            translated_ip: <str; required>

            # requires 'original_port'.
            translated_port: <int; 1-65535>
    ipv6_enable: <bool>
    ipv6_address: <str>

    # Link local IPv6 address/mask.
    ipv6_address_link_local: <str>
    ipv6_nd_ra_disabled: <bool>
    ipv6_nd_managed_config_flag: <bool>
    ipv6_nd_prefixes:
      - ipv6_prefix: <str; required; unique>

        # Infinite or lifetime in seconds.
        valid_lifetime: <str>

        # Infinite or lifetime in seconds.
        preferred_lifetime: <str>
        no_autoconfig_flag: <bool>
    ipv6_dhcp_relay_destinations:

        # DHCP server's IPv6 address.
      - address: <str; required; unique>
        vrf: <str>

        # Local interface to communicate with DHCP server - mutually exclusive to source_address.
        local_interface: <str>

        # Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface.
        source_address: <str>

        # Override the default link address specified in the relayed DHCP packet.
        link_address: <str>

    # Access list name.
    access_group_in: <str>

    # Access list name.
    access_group_out: <str>

    # IPv6 access list name.
    ipv6_access_group_in: <str>

    # IPv6 access list name.
    ipv6_access_group_out: <str>

    # MAC access list name.
    mac_access_group_in: <str>

    # MAC access list name.
    mac_access_group_out: <str>

    # Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both.
    multicast:
      ipv4:
        boundaries:

            # ACL name or multicast IP subnet.
          - boundary: <str>
            out: <bool>
        static: <bool>
      ipv6:
        boundaries:

            # ACL name or multicast IP subnet.
          - boundary: <str>
        static: <bool>
    ospf_network_point_to_point: <bool>
    ospf_area: <str>
    ospf_cost: <int>
    ospf_authentication: <str; "none" | "simple" | "message-digest">

    # Encrypted password - only type 7 supported.
    ospf_authentication_key: <str>
    ospf_message_digest_keys:
      - id: <int; required; unique>
        hash_algorithm: <str; "md5" | "sha1" | "sha256" | "sha384" | "sha512">

        # Encrypted password - only type 7 supported.
        key: <str>
    pim:
      ipv4:

        # Configure PIM border router. EOS default is false.
        border_router: <bool>
        dr_priority: <int; 0-429467295>
        sparse_mode: <bool>

        # Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
        bfd: <bool>
        bidirectional: <bool>
        hello:

          # Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
          count: <str>

          # PIM hello interval in seconds.
          interval: <int; 1-65535>
    mac_security:
      profile: <str>

    # The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
    # of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.
    tcp_mss_ceiling:
      ipv4_segment_size: <int; 64-65475>
      ipv6_segment_size: <int; 64-65475>
      direction: <str; "egress" | "ingress">
    channel_group:
      id: <int>
      mode: <str; "on" | "active" | "passive">

    # ISIS instance.
    isis_enable: <str>

    # Enable BFD for ISIS.
    isis_bfd: <bool>
    isis_passive: <bool>
    isis_metric: <int>
    isis_network_point_to_point: <bool>
    isis_circuit_type: <str; "level-1-2" | "level-1" | "level-2">
    isis_hello_padding: <bool>
    isis_authentication_mode: <str; "text" | "md5">

    # Type-7 encrypted password.
    isis_authentication_key: <str>
    poe:

      # Disable PoE on a POE capable port. PoE is enabled on all ports that support it by default in EOS.
      disabled: <bool; default=False>

      # Prioritize a port's power in the event that one of the switch's power supplies loses power.
      priority: <str; "critical" | "high" | "medium" | "low">

      # Set the PoE power behavior for a PoE port when the system is rebooted.
      reboot:

        # PoE action for interface.
        action: <str; "maintain" | "power-off">

      # Set the PoE power behavior for a PoE port when the port goes down.
      link_down:

        # PoE action for interface.
        action: <str; "maintain" | "power-off">

        # Number of seconds to delay shutting the power off after a link down event occurs. Default value is 5 seconds in EOS.
        power_off_delay: <int; 1-86400>

      # Set the PoE power behavior for a PoE port when the port is admin down.
      shutdown:

        # PoE action for interface.
        action: <str; "maintain" | "power-off">

      # Override the hardware-negotiated power limit using either wattage or a power class. Note that if using a power class, AVD will automatically convert the class value to the wattage value corresponding to that power class.
      limit:
        class: <int; 0-8>
        watts: <str>

        # Set to ignore hardware classification.
        fixed: <bool>

      # Disable to prevent port from negotiating power with powered devices over LLDP. Enabled by default in EOS.
      negotiation_lldp: <bool>

      # Allow a subset of legacy devices to work with the PoE switch. Disabled by default in EOS because it can cause false positive detections.
      legacy_detect: <bool>
    ptp:
      enable: <bool>
      announce:
        interval: <int>
        timeout: <int>
      delay_req: <int>
      delay_mechanism: <str; "e2e" | "p2p">
      profile:
        g8275_1:
          destination_mac_address: <str; "forwardable" | "non-forwardable">
      sync_message:
        interval: <int>
      role: <str; "master" | "dynamic">

      # VLAN can be 'all' or list of vlans as string.
      vlan: <str>
      transport: <str; "ipv4" | "ipv6" | "layer2">

    # Interface profile.
    profile: <str>
    storm_control:
      all:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      broadcast:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      multicast:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      unknown_unicast:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
    logging:
      event:
        link_status: <bool>
        congestion_drops: <bool>
        spanning_tree: <bool>

        # Discards due to storm-control.
        storm_control_discards: <bool>
    lldp:
      transmit: <bool>
      receive: <bool>

      # ZTP vlan number.
      ztp_vlan: <int>
    trunk_private_vlan_secondary: <bool>

    # List of vlans as string.
    pvlan_mapping: <str>
    vlan_translations:

        # List of vlans as string (only one vlan if direction is "both").
      - from: <str>

        # VLAN ID.
        to: <int>
        direction: <str; "in" | "out" | "both"; default="both">
    dot1x:
      port_control: <str; "auto" | "force-authorized" | "force-unauthorized">
      port_control_force_authorized_phone: <bool>
      reauthentication: <bool>
      pae:
        mode: <str; "authenticator">
      authentication_failure:
        action: <str; "allow" | "drop">
        allow_vlan: <int; 1-4094>
      host_mode:
        mode: <str; "multi-host" | "single-host">
        multi_host_authenticated: <bool>
      mac_based_authentication:
        enabled: <bool>
        always: <bool>
        host_mode_common: <bool>
      timeout:
        idle_host: <int; 10-65535>
        quiet_period: <int; 1-65535>

        # Value can be 60-4294967295 or 'server'.
        reauth_period: <str>
        reauth_timeout_ignore: <bool>
        tx_period: <int; 1-65535>
      reauthorization_request_limit: <int; 1-10>
      unauthorized:
        access_vlan_membership_egress: <bool>
        native_vlan_membership_egress: <bool>
      eapol:
        disabled: <bool>
        authentication_failure_fallback_mba:
          enabled: <bool>
          timeout: <int; 0-65535>

    # QOS profile.
    service_profile: <str>
    shape:

      # Rate in kbps, pps or percent.
      # Supported options are platform dependent.
      # Examples:
      # - "5000 kbps"
      # - "1000 pps"
      # - "20 percent"
      rate: <str>
    qos:
      trust: <str; "dscp" | "cos" | "disabled">

      # DSCP value.
      dscp: <int>

      # COS value.
      cos: <int>
    spanning_tree_bpdufilter: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
    spanning_tree_bpduguard: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
    spanning_tree_guard: <str; "loop" | "root" | "disabled">
    spanning_tree_portfast: <str; "edge" | "network">
    vmtracer: <bool>
    priority_flow_control:
      enabled: <bool>
      priorities:
        - priority: <int; 0-7; required; unique>
          no_drop: <bool>
    bfd:
      echo: <bool>

      # Interval in milliseconds.
      interval: <int>

      # Rate in milliseconds.
      min_rx: <int>
      multiplier: <int; 3-50>
    service_policy:
      pbr:

        # Policy Based Routing Policy-map name.
        input: <str>
      qos:

        # Quality of Service Policy-map name.
        input: <str; required>
    mpls:
      ip: <bool>
      ldp:
        interface: <bool>
        igp_sync: <bool>
    lacp_timer:
      mode: <str; "fast" | "normal">
      multiplier: <int; 3-3000>
    lacp_port_priority: <int; 0-65535>
    transceiver:

      # Transceiver Laser Frequency in GHz (min 190000, max 200000).
      frequency: <str>

      # Unit of Transceiver Laser Frequency.
      frequency_unit: <str; "ghz">
      media:

        # Transceiver type.
        override: <str>
    ip_proxy_arp: <bool>
    traffic_policy:

      # Ingress traffic policy.
      input: <str>

      # Egress traffic policy.
      output: <str>
    bgp:

      # Name of session tracker.
      session_tracker: <str>
    ip_igmp_host_proxy:
      enabled: <bool>
      groups:

          # Multicast Address.
        - group: <str; required; unique>

          # The same source must not be present both in `exclude` and `include` list.
          exclude:
            - source: <str; required; unique>

          # The same source must not be present both in `exclude` and `include` list.
          include:
            - source: <str; required; unique>

      # Time interval between unsolicited reports.
      report_interval: <int; 1-31744>

      # Non-standard Access List name.
      access_lists:
        - name: <str; required; unique>

      # IGMP version on IGMP host-proxy interface.
      version: <int; 1-3>

    # Key only used for documentation or validation purposes.
    peer: <str>

    # Key only used for documentation or validation purposes.
    peer_interface: <str>

    # Key only used for documentation or validation purposes.
    peer_type: <str>
    sflow:
      enable: <bool>
      egress:
        enable: <bool>
        unmodified_enable: <bool>
    sync_e:
      enable: <bool>

      # The priority is used to influence the reference clock selection. The EOS default priority is 127. The priority can be configured to any integer between 1-255, or set to `disabled`.
      priority: <str>

    # Key only used for documentation or validation purposes.
    port_profile: <str>
    uc_tx_queues:

        # TX-Queue ID.
      - id: <int; required; unique>
        random_detect:

          # Explicit Congestion Notification.
          ecn:

            # Enable counter for random-detect ECNs.
            count: <bool>
            threshold:

              # Indicate the units to be used for the threshold values.
              units: <str; "segments" | "bytes" | "kbytes" | "mbytes" | "milliseconds"; required>

              # Set the random-detect ECN minimum-threshold.
              min: <int; 1-256000000; required>

              # Set the random-detect ECN maximum-threshold.
              max: <int; 1-256000000; required>

              # Set the random-detect ECN max-mark-probability.
              max_probability: <int; 1-100>

              # Set the random-detect ECN weight.
              weight: <int; 0-15>
    tx_queues:

        # TX-Queue ID.
      - id: <int; required; unique>
        random_detect:

          # Explicit Congestion Notification.
          ecn:

            # Enable counter for random-detect ECNs.
            count: <bool>
            threshold:

              # Indicate the units to be used for the threshold values.
              units: <str; "segments" | "bytes" | "kbytes" | "mbytes" | "milliseconds"; required>

              # Set the random-detect ECN minimum-threshold.
              min: <int; 1-256000000>

              # Set the random-detect ECN maximum-threshold.
              max: <int; 1-256000000; required>

              # Set the random-detect ECN max-mark-probability.
              max_probability: <int; 1-100; required>

              # Set the random-detect ECN weight.
              weight: <int; 0-15>

    # VRRP model.
    vrrp_ids:

        # VRID.
      - id: <int; required; unique>

        # Instance priority.
        priority_level: <int; 1-254>
        advertisement:

          # Interval in seconds.
          interval: <int; 1-255>
        preempt:
          enabled: <bool; required>
          delay:

            # Minimum preempt delay in seconds.
            minimum: <int; 0-3600>

            # Reload preempt delay in seconds.
            reload: <int; 0-3600>
        timers:
          delay:

            # Delay after reload in seconds.
            reload: <int; 0-3600>
        tracked_object:

            # Tracked object name.
          - name: <str; required; unique>

            # Decrement VRRP priority by 1-254.
            decrement: <int; 1-254>
            shutdown: <bool>
        ipv4:

          # Virtual IPv4 address.
          address: <str; required>
          version: <int; 2 | 3>
        ipv6:

          # Virtual IPv6 address.
          address: <str; required>

    # Set to false to disable interface validation by the `eos_validate_state` role.
    validate_state: <bool>
    switchport:
      port_security:
        enabled: <bool>

        # Maximum number of MAC addresses allowed on the interface.
        mac_address_maximum:

          # Disable port level check for port security (only in violation 'shutdown' mode).
          disabled: <bool>

          # MAC address limit.
          limit: <int; 1-1000>

        # Configure violation mode (shutdown or protect), EOS default is 'shutdown'.
        violation:

          # Configure port security mode.
          mode: <str; "shutdown" | "protect">

          # Log new addresses seen after limit is reached in protect mode.
          protect_log: <bool>

        # Default maximum MAC addresses for all VLANs on this interface.
        vlan_default_mac_address_maximum: <int; 0-1000>
        vlans:

            # VLAN ID or range(s) of VLAN IDs, <1-4094>.
            # Example:
            #   - 3
            #   - 1,3
            #   - 1-10
          - range: <str; required; unique>
            mac_address_maximum: <int>

    # Multiline EOS CLI rendered directly on the ethernet interface in the final EOS configuration.
    eos_cli: <str>

Interface defaults

Variable Type Required Default Value Restrictions Description
interface_defaults Dictionary
  ethernet Dictionary
    shutdown Boolean
  mtu Integer
interface_defaults:
  ethernet:
    shutdown: <bool>
  mtu: <int>

Interface profiles

Variable Type Required Default Value Restrictions Description
interface_profiles List, items: Dictionary
  - name String Required, Unique Interface-Profile Name.
    commands List, items: String Required
      - <str> String EOS CLI interface command.
Example: “switchport mode access”
interface_profiles:

    # Interface-Profile Name.
  - name: <str; required; unique>
    commands: # required

        # EOS CLI interface command.
        # Example: "switchport mode access"
      - <str>

LACP

Variable Type Required Default Value Restrictions Description
lacp Dictionary Set Link Aggregation Control Protocol (LACP) parameters.
  port_id Dictionary LACP port-ID range configuration.
    range Dictionary
      begin Integer Minimum LACP port-ID range.
      end Integer Maximum LACP port-ID range.
  rate_limit Dictionary Set LACPDU rate limit options.
    default Boolean Enable LACPDU rate limiting by default on all ports.
  system_priority Integer Min: 0
Max: 65535
Set local system LACP priority.
# Set Link Aggregation Control Protocol (LACP) parameters.
lacp:

  # LACP port-ID range configuration.
  port_id:
    range:

      # Minimum LACP port-ID range.
      begin: <int>

      # Maximum LACP port-ID range.
      end: <int>

  # Set LACPDU rate limit options.
  rate_limit:

    # Enable LACPDU rate limiting by default on all ports.
    default: <bool>

  # Set local system LACP priority.
  system_priority: <int; 0-65535>
Variable Type Required Default Value Restrictions Description
link_tracking_groups List, items: Dictionary
  - name String Required, Unique
    links_minimum Integer Min: 1
Max: 100000
    recovery_delay Integer Min: 0
Max: 3600
link_tracking_groups:
  - name: <str; required; unique>
    links_minimum: <int; 1-100000>
    recovery_delay: <int; 0-3600>

LLDP

Variable Type Required Default Value Restrictions Description
lldp Dictionary
  timer Integer
  timer_reinitialization String
  holdtime Integer
  management_address String
  vrf String
  receive_packet_tagged_drop String
  tlvs List, items: Dictionary
    - name String Required, Unique Valid Values:
- link-aggregation
- management-address
- max-frame-size
- med
- port-description
- port-vlan
- power-via-mdi
- system-capabilities
- system-description
- system-name
- vlan-name
      transmit Boolean
  run Boolean
lldp:
  timer: <int>
  timer_reinitialization: <str>
  holdtime: <int>
  management_address: <str>
  vrf: <str>
  receive_packet_tagged_drop: <str>
  tlvs:
    - name: <str; "link-aggregation" | "management-address" | "max-frame-size" | "med" | "port-description" | "port-vlan" | "power-via-mdi" | "system-capabilities" | "system-description" | "system-name" | "vlan-name"; required; unique>
      transmit: <bool>
  run: <bool>

Loopback interfaces

Variable Type Required Default Value Restrictions Description
loopback_interfaces List, items: Dictionary
  - name String Required, Unique Loopback interface name e.g. “Loopback0”.
    description String
    shutdown Boolean
    vrf String VRF name.
    ip_address String IPv4_address/Mask.
    ip_address_secondaries List, items: String
      - <str> String IPv4_address/Mask.
    ipv6_enable Boolean
    ipv6_address String IPv6_address/Mask.
    ip_proxy_arp Boolean
    ospf_area String
    mpls Dictionary
      ldp Dictionary
        interface Boolean
    isis_enable String ISIS instance name.
    isis_bfd Boolean Enable BFD for ISIS.
    isis_passive Boolean
    isis_metric Integer
    isis_network_point_to_point Boolean
    node_segment Dictionary
      ipv4_index Integer
      ipv6_index Integer
    eos_cli String EOS CLI rendered directly on the loopback interface in the final EOS configuration.
loopback_interfaces:

    # Loopback interface name e.g. "Loopback0".
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>

    # VRF name.
    vrf: <str>

    # IPv4_address/Mask.
    ip_address: <str>
    ip_address_secondaries:

        # IPv4_address/Mask.
      - <str>
    ipv6_enable: <bool>

    # IPv6_address/Mask.
    ipv6_address: <str>
    ip_proxy_arp: <bool>
    ospf_area: <str>
    mpls:
      ldp:
        interface: <bool>

    # ISIS instance name.
    isis_enable: <str>

    # Enable BFD for ISIS.
    isis_bfd: <bool>
    isis_passive: <bool>
    isis_metric: <int>
    isis_network_point_to_point: <bool>
    node_segment:
      ipv4_index: <int>
      ipv6_index: <int>

    # EOS CLI rendered directly on the loopback interface in the final EOS configuration.
    eos_cli: <str>

Management interfaces

Variable Type Required Default Value Restrictions Description
management_interfaces List, items: Dictionary
  - name String Required, Unique Management Interface Name.
    description String
    shutdown Boolean
    speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
    mtu Integer
    vrf String VRF Name.
    ip_address String IPv4_address/Mask.
    ipv6_enable Boolean
    ipv6_address String IPv6_address/Mask.
    type String oob Valid Values:
- oob
- inband
For documentation purposes only.
    gateway String IPv4 address of default gateway in management VRF.
    ipv6_gateway String IPv6 address of default gateway in management VRF.
    mac_address String MAC address.
    lldp Dictionary
      transmit Boolean
      receive Boolean
      ztp_vlan Integer ZTP vlan number.
    eos_cli String Multiline EOS CLI rendered directly on the management interface in the final EOS configuration.
management_interfaces:

    # Management Interface Name.
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>

    # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
    speed: <str>
    mtu: <int>

    # VRF Name.
    vrf: <str>

    # IPv4_address/Mask.
    ip_address: <str>
    ipv6_enable: <bool>

    # IPv6_address/Mask.
    ipv6_address: <str>

    # For documentation purposes only.
    type: <str; "oob" | "inband"; default="oob">

    # IPv4 address of default gateway in management VRF.
    gateway: <str>

    # IPv6 address of default gateway in management VRF.
    ipv6_gateway: <str>

    # MAC address.
    mac_address: <str>
    lldp:
      transmit: <bool>
      receive: <bool>

      # ZTP vlan number.
      ztp_vlan: <int>

    # Multiline EOS CLI rendered directly on the management interface in the final EOS configuration.
    eos_cli: <str>

Patch panel

Variable Type Required Default Value Restrictions Description
patch_panel Dictionary
  connector Dictionary
    interface Dictionary
      patch Dictionary
        bgp_vpws_remote_failure_errdisable Boolean
      recovery Dictionary
        review_delay Dictionary
          min Integer Required Min: 10
Max: 600
Minimum delay.
          max Integer Required Min: 15
Max: 900
Maximum delay.
  patches List, items: Dictionary
    - name String Required, Unique
      enabled Boolean
      connectors List, items: Dictionary Min Length: 2
Max Length: 2
Must have exactly two connectors to a patch of which at least one must be of type “interface”.
        - id String Required, Unique
          type String Required Valid Values:
- interface
- pseudowire
          endpoint String Required String with relevant endpoint depending on type.
Examples:
- “Ethernet1”
- “Ethernet1 dot1q vlan 123”
- “bgp vpws TENANT_A pseudowire VPWS_PW_1”
- “ldp LDP_PW_1”
patch_panel:
  connector:
    interface:
      patch:
        bgp_vpws_remote_failure_errdisable: <bool>
      recovery:
        review_delay:

          # Minimum delay.
          min: <int; 10-600; required>

          # Maximum delay.
          max: <int; 15-900; required>
  patches:
    - name: <str; required; unique>
      enabled: <bool>

      # Must have exactly two connectors to a patch of which at least one must be of type "interface".
      connectors: # 2-2 items
        - id: <str; required; unique>
          type: <str; "interface" | "pseudowire"; required>

          # String with relevant endpoint depending on type.
          # Examples:
          # - "Ethernet1"
          # - "Ethernet1 dot1q vlan 123"
          # - "bgp vpws TENANT_A pseudowire VPWS_PW_1"
          # - "ldp LDP_PW_1"
          endpoint: <str; required>

Port-channel interfaces

Variable Type Required Default Value Restrictions Description
port_channel_interfaces List, items: Dictionary
  - name String Required, Unique
    description String
    logging Dictionary
      event Dictionary
        link_status Boolean
        storm_control_discards Boolean Discards due to storm-control.
    shutdown Boolean
    l2_mtu Integer Min: 68
Max: 65535
“l2_mtu” should only be defined for platforms supporting the “l2 mtu” CLI.
    l2_mru Integer Min: 68
Max: 65535
“l2_mru” should only be defined for platforms supporting the “l2 mru” CLI.
    vlans String List of switchport vlans as string.
For a trunk port this would be a range like “1-200,300”.
For an access port this would be a single vlan “123”.
    snmp_trap_link_change Boolean
    type String Valid Values:
- routed
- switched
- l3dot1q
- l2dot1q
l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
Interface will not be listed in device documentation, unless “type” is set.
    encapsulation_dot1q_vlan Integer VLAN tag to configure on sub-interface.
    vrf String VRF name.
    encapsulation_vlan Dictionary
      client Dictionary
        dot1q Dictionary
          vlan Integer Client VLAN ID.
          outer Integer Client Outer VLAN ID.
          inner Integer Client Inner VLAN ID.
        unmatched Boolean
      network Dictionary Network encapsulation are all optional, and skipped if using client unmatched.
        dot1q Dictionary
          vlan Integer Network VLAN ID.
          outer Integer Network Outer VLAN ID.
          inner Integer Network Inner VLAN ID.
        client Boolean
    vlan_id Integer Min: 1
Max: 4094
    mode String Valid Values:
- access
- dot1q-tunnel
- trunk
- trunk phone
    native_vlan Integer If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    native_vlan_tag Boolean False If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    link_tracking_groups List, items: Dictionary
      - name String Required, Unique Group name.
        direction String Valid Values:
- upstream
- downstream
    phone Dictionary
      trunk String Valid Values:
- tagged
- untagged
      vlan Integer Min: 1
Max: 4094
    l2_protocol Dictionary
      encapsulation_dot1q_vlan Integer Vlan tag to configure on sub-interface.
      forwarding_profile String L2 protocol forwarding profile.
    mtu Integer Min: 68
Max: 65535
    mlag Integer Min: 1
Max: 2000
MLAG ID.
    trunk_groups List, items: String
      - <str> String
    lacp_fallback_timeout Integer 90 Min: 0
Max: 300
Timeout in seconds.
    lacp_fallback_mode String Valid Values:
- individual
- static
    qos Dictionary
      trust String Valid Values:
- dscp
- cos
- disabled
      dscp Integer DSCP value.
      cos Integer COS value.
    bfd Dictionary
      echo Boolean
      interval Integer Interval in milliseconds.
      min_rx Integer Rate in milliseconds.
      multiplier Integer Min: 3
Max: 50
      neighbor String IPv4 or IPv6 address. When the Port-channel is a L2 interface, a local L3 BFD address (router_bfd.local_address) has to be defined globally on the switch.
      per_link Dictionary
        enabled Boolean
        rfc_7130 Boolean
    service_policy Dictionary
      pbr Dictionary
        input String Policy Based Routing Policy-map name.
      qos Dictionary
        input String Required Quality of Service Policy-map name.
    mpls Dictionary
      ip Boolean
      ldp Dictionary
        interface Boolean
        igp_sync Boolean
    trunk_private_vlan_secondary Boolean
    pvlan_mapping String List of vlans as string.
    vlan_translations List, items: Dictionary
      - from String List of vlans as string (only one vlan if direction is “both”).
        to Integer VLAN ID.
        direction String both Valid Values:
- in
- out
- both
    shape Dictionary
      rate String Rate in kbps, pps or percent.
Supported options are platform dependent.
Examples:
- “5000 kbps”
- “1000 pps”
- “20 percent”
    storm_control Dictionary
      all Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
      broadcast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
      multicast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
      unknown_unicast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
    ip_proxy_arp Boolean
    isis_enable String ISIS instance.
    isis_bfd Boolean Enable BFD for ISIS.
    isis_passive Boolean
    isis_metric Integer
    isis_network_point_to_point Boolean
    isis_circuit_type String Valid Values:
- level-1-2
- level-1
- level-2
    isis_hello_padding Boolean
    isis_authentication_mode String Valid Values:
- text
- md5
    isis_authentication_key String Type-7 encrypted password.
    traffic_policy Dictionary
      input String Ingress traffic policy.
      output String Egress traffic policy.
    evpn_ethernet_segment Dictionary
      identifier String EVPN Ethernet Segment Identifier (Type 1 format).
      redundancy String Valid Values:
- all-active
- single-active
      designated_forwarder_election Dictionary
        algorithm String Valid Values:
- modulus
- preference
        preference_value Integer Min: 0
Max: 65535
Preference_value is only used when “algorithm” is “preference”.
        dont_preempt Boolean False Dont_preempt is only used when “algorithm” is “preference”.
        hold_time Integer
        subsequent_hold_time Integer
        candidate_reachability_required Boolean
      mpls Dictionary
        shared_index Integer Min: 1
Max: 1024
        tunnel_flood_filter_time Integer
      route_target String EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
    esi deprecated String EVPN Ethernet Segment Identifier (Type 1 format).
If both “esi” and “evpn_ethernet_segment.identifier” are defined, the new variable takes precedence.
This key is deprecated. Support will be removed in AVD version 5.0.0. Use evpn_ethernet_segment.identifier instead.
    rt deprecated String EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
If both “rt” and “evpn_ethernet_segment.route_target” are defined, the new variable takes precedence.
This key is deprecated. Support will be removed in AVD version 5.0.0. Use evpn_ethernet_segment.route_target instead.
    lacp_id String LACP ID with format xxxx.xxxx.xxxx.
    spanning_tree_bpdufilter String Valid Values:
- enabled
- disabled
- True
- False
- true
- false
    spanning_tree_bpduguard String Valid Values:
- enabled
- disabled
- True
- False
- true
- false
    spanning_tree_guard String Valid Values:
- loop
- root
- disabled
    spanning_tree_portfast String Valid Values:
- edge
- network
    vmtracer Boolean
    ptp Dictionary
      enable Boolean
      announce Dictionary
        interval Integer
        timeout Integer
      delay_req Integer
      delay_mechanism String Valid Values:
- e2e
- p2p
      profile Dictionary
        g8275_1 Dictionary
          destination_mac_address String Valid Values:
- forwardable
- non-forwardable
      sync_message Dictionary
        interval Integer
      role String Valid Values:
- master
- dynamic
      vlan String VLAN can be ‘all’ or list of vlans as string.
      transport String Valid Values:
- ipv4
- ipv6
- layer2
      mpass Boolean When MPASS is enabled on an MLAG port-channel, MLAG peers coordinate to function as a single PTP logical device.
Arista PTP enabled devices always place PTP messages on the same physical link within the port-channel.
Hence, MPASS is needed only on MLAG port-channels connected to non-Arista devices.
    ip_address String IPv4 address/mask.
    ip_verify_unicast_source_reachable_via String Valid Values:
- any
- rx
    ip_nat Dictionary
      destination Dictionary
        dynamic List, items: Dictionary
          - access_list String Required, Unique
            comment String
            pool_name String Required
            priority Integer Min: 0
Max: 4294967295
        static List, items: Dictionary
          - access_list String ‘access_list’ and ‘group’ are mutual exclusive.
            comment String
            direction String Valid Values:
- egress
- ingress
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            group Integer Min: 1
Max: 65535
‘access_list’ and ‘group’ are mutual exclusive.
            original_ip String IPv4 address. The combination of original_ip and original_port must be unique.
            original_port Integer Min: 1
Max: 65535
TCP/UDP port. The combination of original_ip and original_port must be unique.
            priority Integer Min: 0
Max: 4294967295
            protocol String Valid Values:
- udp
- tcp
            translated_ip String Required IPv4 address.
            translated_port Integer Min: 1
Max: 65535
requires ‘original_port’.
      source Dictionary
        dynamic List, items: Dictionary
          - access_list String Required, Unique
            comment String
            nat_type String Required Valid Values:
- overload
- pool
- pool-address-only
- pool-full-cone
            pool_name String required if ‘nat_type’ is pool, pool-address-only or pool-full-cone.
ignored if ‘nat_type’ is overload.
            priority Integer Min: 0
Max: 4294967295
        static List, items: Dictionary
          - access_list String ‘access_list’ and ‘group’ are mutual exclusive.
            comment String
            direction String Valid Values:
- egress
- ingress
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            group Integer Min: 1
Max: 65535
‘access_list’ and ‘group’ are mutual exclusive.
            original_ip String IPv4 address. The combination of original_ip and original_port must be unique.
            original_port Integer Min: 1
Max: 65535
TCP/UDP port. The combination of original_ip and original_port must be unique.
            priority Integer Min: 0
Max: 4294967295
            protocol String Valid Values:
- udp
- tcp
            translated_ip String Required IPv4 address.
            translated_port Integer Min: 1
Max: 65535
requires ‘original_port’.
    ipv6_enable Boolean
    ipv6_address String IPv6 address/mask.
    ipv6_address_link_local String Link local IPv6 address/mask.
    ipv6_nd_ra_disabled Boolean
    ipv6_nd_managed_config_flag Boolean
    ipv6_nd_prefixes List, items: Dictionary
      - ipv6_prefix String Required, Unique
        valid_lifetime String Infinite or lifetime in seconds.
        preferred_lifetime String Infinite or lifetime in seconds.
        no_autoconfig_flag Boolean
    access_group_in String Access list name.
    access_group_out String Access list name.
    ipv6_access_group_in String IPv6 access list name.
    ipv6_access_group_out String IPv6 access list name.
    mac_access_group_in String MAC access list name.
    mac_access_group_out String MAC access list name.
    pim Dictionary
      ipv4 Dictionary
        border_router Boolean Configure PIM border router. EOS default is false.
        dr_priority Integer Min: 0
Max: 429467295
        sparse_mode Boolean
        bfd Boolean Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
        bidirectional Boolean
        hello Dictionary
          count String Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
          interval Integer Min: 1
Max: 65535
PIM hello interval in seconds.
    service_profile String QOS profile.
    ospf_network_point_to_point Boolean
    ospf_area String
    ospf_cost Integer
    ospf_authentication String Valid Values:
- none
- simple
- message-digest
    ospf_authentication_key String Encrypted password.
    ospf_message_digest_keys List, items: Dictionary
      - id Integer Required, Unique
        hash_algorithm String Valid Values:
- md5
- sha1
- sha256
- sha384
- sha512
        key String Encrypted password.
    flow_tracker Dictionary
      sampled String Sampled flow tracker name.
      hardware String Hardware flow tracker name.
    bgp Dictionary
      session_tracker String Name of session tracker.
    ip_igmp_host_proxy Dictionary
      enabled Boolean
      groups List, items: Dictionary
        - group String Required, Unique Multicast Address.
          exclude List, items: Dictionary The same source must not be present both in exclude and include list.
            - source String Required, Unique
          include List, items: Dictionary The same source must not be present both in exclude and include list.
            - source String Required, Unique
      report_interval Integer Min: 1
Max: 31744
Time interval between unsolicited reports.
      access_lists List, items: Dictionary Non-standard Access List name.
        - name String Required, Unique
      version Integer Min: 1
Max: 3
IGMP version on IGMP host-proxy interface.
    peer String Key only used for documentation or validation purposes.
    peer_interface String Key only used for documentation or validation purposes.
    peer_type String Key only used for documentation or validation purposes.
    sflow Dictionary
      enable Boolean
      egress Dictionary
        enable Boolean
        unmodified_enable Boolean
    validate_state Boolean Set to false to disable interface validation by the eos_validate_state role.
    eos_cli String Multiline EOS CLI rendered directly on the port-channel interface in the final EOS configuration.
port_channel_interfaces:
  - name: <str; required; unique>
    description: <str>
    logging:
      event:
        link_status: <bool>

        # Discards due to storm-control.
        storm_control_discards: <bool>
    shutdown: <bool>

    # "l2_mtu" should only be defined for platforms supporting the "l2 mtu" CLI.
    l2_mtu: <int; 68-65535>

    # "l2_mru" should only be defined for platforms supporting the "l2 mru" CLI.
    l2_mru: <int; 68-65535>

    # List of switchport vlans as string.
    # For a trunk port this would be a range like "1-200,300".
    # For an access port this would be a single vlan "123".
    vlans: <str>
    snmp_trap_link_change: <bool>

    # l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
    # Interface will not be listed in device documentation, unless "type" is set.
    type: <str; "routed" | "switched" | "l3dot1q" | "l2dot1q">

    # VLAN tag to configure on sub-interface.
    encapsulation_dot1q_vlan: <int>

    # VRF name.
    vrf: <str>
    encapsulation_vlan:
      client:
        dot1q:

          # Client VLAN ID.
          vlan: <int>

          # Client Outer VLAN ID.
          outer: <int>

          # Client Inner VLAN ID.
          inner: <int>
        unmatched: <bool>

      # Network encapsulation are all optional, and skipped if using client unmatched.
      network:
        dot1q:

          # Network VLAN ID.
          vlan: <int>

          # Network Outer VLAN ID.
          outer: <int>

          # Network Inner VLAN ID.
          inner: <int>
        client: <bool>
    vlan_id: <int; 1-4094>
    mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">

    # If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    native_vlan: <int>

    # If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    native_vlan_tag: <bool; default=False>
    link_tracking_groups:

        # Group name.
      - name: <str; required; unique>
        direction: <str; "upstream" | "downstream">
    phone:
      trunk: <str; "tagged" | "untagged">
      vlan: <int; 1-4094>
    l2_protocol:

      # Vlan tag to configure on sub-interface.
      encapsulation_dot1q_vlan: <int>

      # L2 protocol forwarding profile.
      forwarding_profile: <str>
    mtu: <int; 68-65535>

    # MLAG ID.
    mlag: <int; 1-2000>
    trunk_groups:
      - <str>

    # Timeout in seconds.
    lacp_fallback_timeout: <int; 0-300; default=90>
    lacp_fallback_mode: <str; "individual" | "static">
    qos:
      trust: <str; "dscp" | "cos" | "disabled">

      # DSCP value.
      dscp: <int>

      # COS value.
      cos: <int>
    bfd:
      echo: <bool>

      # Interval in milliseconds.
      interval: <int>

      # Rate in milliseconds.
      min_rx: <int>
      multiplier: <int; 3-50>

      # IPv4 or IPv6 address. When the Port-channel is a L2 interface, a local L3 BFD address (router_bfd.local_address) has to be defined globally on the switch.
      neighbor: <str>
      per_link:
        enabled: <bool>
        rfc_7130: <bool>
    service_policy:
      pbr:

        # Policy Based Routing Policy-map name.
        input: <str>
      qos:

        # Quality of Service Policy-map name.
        input: <str; required>
    mpls:
      ip: <bool>
      ldp:
        interface: <bool>
        igp_sync: <bool>
    trunk_private_vlan_secondary: <bool>

    # List of vlans as string.
    pvlan_mapping: <str>
    vlan_translations:

        # List of vlans as string (only one vlan if direction is "both").
      - from: <str>

        # VLAN ID.
        to: <int>
        direction: <str; "in" | "out" | "both"; default="both">
    shape:

      # Rate in kbps, pps or percent.
      # Supported options are platform dependent.
      # Examples:
      # - "5000 kbps"
      # - "1000 pps"
      # - "20 percent"
      rate: <str>
    storm_control:
      all:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      broadcast:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      multicast:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      unknown_unicast:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
    ip_proxy_arp: <bool>

    # ISIS instance.
    isis_enable: <str>

    # Enable BFD for ISIS.
    isis_bfd: <bool>
    isis_passive: <bool>
    isis_metric: <int>
    isis_network_point_to_point: <bool>
    isis_circuit_type: <str; "level-1-2" | "level-1" | "level-2">
    isis_hello_padding: <bool>
    isis_authentication_mode: <str; "text" | "md5">

    # Type-7 encrypted password.
    isis_authentication_key: <str>
    traffic_policy:

      # Ingress traffic policy.
      input: <str>

      # Egress traffic policy.
      output: <str>
    evpn_ethernet_segment:

      # EVPN Ethernet Segment Identifier (Type 1 format).
      identifier: <str>
      redundancy: <str; "all-active" | "single-active">
      designated_forwarder_election:
        algorithm: <str; "modulus" | "preference">

        # Preference_value is only used when "algorithm" is "preference".
        preference_value: <int; 0-65535>

        # Dont_preempt is only used when "algorithm" is "preference".
        dont_preempt: <bool; default=False>
        hold_time: <int>
        subsequent_hold_time: <int>
        candidate_reachability_required: <bool>
      mpls:
        shared_index: <int; 1-1024>
        tunnel_flood_filter_time: <int>

      # EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
      route_target: <str>

    # EVPN Ethernet Segment Identifier (Type 1 format).
    # If both "esi" and "evpn_ethernet_segment.identifier" are defined, the new variable takes precedence.
    # This key is deprecated.
    # Support will be removed in AVD version 5.0.0.
    # Use <samp>evpn_ethernet_segment.identifier</samp> instead.
    esi: <str>

    # EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
    # If both "rt" and "evpn_ethernet_segment.route_target" are defined, the new variable takes precedence.
    # This key is deprecated.
    # Support will be removed in AVD version 5.0.0.
    # Use <samp>evpn_ethernet_segment.route_target</samp> instead.
    rt: <str>

    # LACP ID with format xxxx.xxxx.xxxx.
    lacp_id: <str>
    spanning_tree_bpdufilter: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
    spanning_tree_bpduguard: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
    spanning_tree_guard: <str; "loop" | "root" | "disabled">
    spanning_tree_portfast: <str; "edge" | "network">
    vmtracer: <bool>
    ptp:
      enable: <bool>
      announce:
        interval: <int>
        timeout: <int>
      delay_req: <int>
      delay_mechanism: <str; "e2e" | "p2p">
      profile:
        g8275_1:
          destination_mac_address: <str; "forwardable" | "non-forwardable">
      sync_message:
        interval: <int>
      role: <str; "master" | "dynamic">

      # VLAN can be 'all' or list of vlans as string.
      vlan: <str>
      transport: <str; "ipv4" | "ipv6" | "layer2">

      # When MPASS is enabled on an MLAG port-channel, MLAG peers coordinate to function as a single PTP logical device.
      # Arista PTP enabled devices always place PTP messages on the same physical link within the port-channel.
      # Hence, MPASS is needed only on MLAG port-channels connected to non-Arista devices.
      mpass: <bool>

    # IPv4 address/mask.
    ip_address: <str>
    ip_verify_unicast_source_reachable_via: <str; "any" | "rx">
    ip_nat:
      destination:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            pool_name: <str; required>
            priority: <int; 0-4294967295>
        static:

            # 'access_list' and 'group' are mutual exclusive.
          - access_list: <str>
            comment: <str>

            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">

            # 'access_list' and 'group' are mutual exclusive.
            group: <int; 1-65535>

            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>

            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">

            # IPv4 address.
            translated_ip: <str; required>

            # requires 'original_port'.
            translated_port: <int; 1-65535>
      source:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>

            # required if 'nat_type' is pool, pool-address-only or pool-full-cone.
            # ignored if 'nat_type' is overload.
            pool_name: <str>
            priority: <int; 0-4294967295>
        static:

            # 'access_list' and 'group' are mutual exclusive.
          - access_list: <str>
            comment: <str>

            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">

            # 'access_list' and 'group' are mutual exclusive.
            group: <int; 1-65535>

            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>

            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">

            # IPv4 address.
            translated_ip: <str; required>

            # requires 'original_port'.
            translated_port: <int; 1-65535>
    ipv6_enable: <bool>

    # IPv6 address/mask.
    ipv6_address: <str>

    # Link local IPv6 address/mask.
    ipv6_address_link_local: <str>
    ipv6_nd_ra_disabled: <bool>
    ipv6_nd_managed_config_flag: <bool>
    ipv6_nd_prefixes:
      - ipv6_prefix: <str; required; unique>

        # Infinite or lifetime in seconds.
        valid_lifetime: <str>

        # Infinite or lifetime in seconds.
        preferred_lifetime: <str>
        no_autoconfig_flag: <bool>

    # Access list name.
    access_group_in: <str>

    # Access list name.
    access_group_out: <str>

    # IPv6 access list name.
    ipv6_access_group_in: <str>

    # IPv6 access list name.
    ipv6_access_group_out: <str>

    # MAC access list name.
    mac_access_group_in: <str>

    # MAC access list name.
    mac_access_group_out: <str>
    pim:
      ipv4:

        # Configure PIM border router. EOS default is false.
        border_router: <bool>
        dr_priority: <int; 0-429467295>
        sparse_mode: <bool>

        # Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
        bfd: <bool>
        bidirectional: <bool>
        hello:

          # Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
          count: <str>

          # PIM hello interval in seconds.
          interval: <int; 1-65535>

    # QOS profile.
    service_profile: <str>
    ospf_network_point_to_point: <bool>
    ospf_area: <str>
    ospf_cost: <int>
    ospf_authentication: <str; "none" | "simple" | "message-digest">

    # Encrypted password.
    ospf_authentication_key: <str>
    ospf_message_digest_keys:
      - id: <int; required; unique>
        hash_algorithm: <str; "md5" | "sha1" | "sha256" | "sha384" | "sha512">

        # Encrypted password.
        key: <str>
    flow_tracker:

      # Sampled flow tracker name.
      sampled: <str>

      # Hardware flow tracker name.
      hardware: <str>
    bgp:

      # Name of session tracker.
      session_tracker: <str>
    ip_igmp_host_proxy:
      enabled: <bool>
      groups:

          # Multicast Address.
        - group: <str; required; unique>

          # The same source must not be present both in `exclude` and `include` list.
          exclude:
            - source: <str; required; unique>

          # The same source must not be present both in `exclude` and `include` list.
          include:
            - source: <str; required; unique>

      # Time interval between unsolicited reports.
      report_interval: <int; 1-31744>

      # Non-standard Access List name.
      access_lists:
        - name: <str; required; unique>

      # IGMP version on IGMP host-proxy interface.
      version: <int; 1-3>

    # Key only used for documentation or validation purposes.
    peer: <str>

    # Key only used for documentation or validation purposes.
    peer_interface: <str>

    # Key only used for documentation or validation purposes.
    peer_type: <str>
    sflow:
      enable: <bool>
      egress:
        enable: <bool>
        unmodified_enable: <bool>

    # Set to false to disable interface validation by the `eos_validate_state` role.
    validate_state: <bool>

    # Multiline EOS CLI rendered directly on the port-channel interface in the final EOS configuration.
    eos_cli: <str>

Switchport default

Variable Type Required Default Value Restrictions Description
switchport_default Dictionary
  mode String Valid Values:
- routed
- access
  phone Dictionary
    cos Integer Min: 0
Max: 7
    trunk String Valid Values:
- tagged
- untagged
    vlan Integer Min: 1
Max: 4094
VLAN ID.
switchport_default:
  mode: <str; "routed" | "access">
  phone:
    cos: <int; 0-7>
    trunk: <str; "tagged" | "untagged">

    # VLAN ID.
    vlan: <int; 1-4094>

Switchport port security

Variable Type Required Default Value Restrictions Description
switchport_port_security Dictionary
  mac_address Dictionary
    aging Boolean
    moveable Boolean
  persistence_disabled Boolean
  violation_protect_chip_based Boolean
switchport_port_security:
  mac_address:
    aging: <bool>
    moveable: <bool>
  persistence_disabled: <bool>
  violation_protect_chip_based: <bool>

Transceiver QSFP default mode 4x10

Variable Type Required Default Value Restrictions Description
transceiver_qsfp_default_mode_4x10 Boolean True On all front panel ports which support this feature, the following global configuration command changes the QSFP mode from 40G to 4x10G (default). When set to false the command reverts the default QSFP mode back to 40G.
# On all front panel ports which support this feature, the following global configuration command changes the QSFP mode from 40G to 4x10G (default). When set to false the command reverts the default QSFP mode back to 40G.
transceiver_qsfp_default_mode_4x10: <bool; default=True>

Tunnel interfaces

Variable Type Required Default Value Restrictions Description
tunnel_interfaces List, items: Dictionary
  - name String Required, Unique Tunnel Interface Name.
    description String
    shutdown Boolean
    mtu Integer Min: 68
Max: 65535
    vrf String VRF Name.
    underlay_vrf String Underlay VRF Name.
    ip_address String Format: ipv4_cidr IPv4_address/Mask.
    ipv6_enable Boolean
    ipv6_address String Format: ipv6_cidr IPv6_address/Mask.
    access_group_in String IPv4 ACL Name for ingress.
    access_group_out String IPv4 ACL Name for egress.
    ipv6_access_group_in String IPv6 ACL Name for ingress.
    ipv6_access_group_out String IPv6 ACL Name for egress.
    tcp_mss_ceiling Dictionary
      ipv4 Integer Min: 64
Max: 65495
Segment Size for IPv4.
      ipv6 Integer Min: 64
Max: 65475
Segment Size for IPv6.
      direction String Valid Values:
- ingress
- egress
Optional direction (‘ingress’, ‘egress’) for tcp mss ceiling.
    tunnel_mode String Valid Values:
- gre
- ipsec
Tunnel encapsulation method.
gre: Generic route encapsulation protocol,
ipsec: IPsec-over-IP encapsulation.
    source_interface String Tunnel Source Interface Name.
    destination String IPv4 or IPv6 Address Tunnel Destination.
    path_mtu_discovery Boolean Enable Path MTU Discovery On Tunnel.
    ipsec_profile String Used only when tunnel_mode is set to ipsec.
It must target a defined IPsec profile.
    nat_profile String NAT interface profile.
    eos_cli String Multiline String with EOS CLI rendered directly on the Tunnel interface in the final EOS configuration.
tunnel_interfaces:

    # Tunnel Interface Name.
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>
    mtu: <int; 68-65535>

    # VRF Name.
    vrf: <str>

    # Underlay VRF Name.
    underlay_vrf: <str>

    # IPv4_address/Mask.
    ip_address: <str>
    ipv6_enable: <bool>

    # IPv6_address/Mask.
    ipv6_address: <str>

    # IPv4 ACL Name for ingress.
    access_group_in: <str>

    # IPv4 ACL Name for egress.
    access_group_out: <str>

    # IPv6 ACL Name for ingress.
    ipv6_access_group_in: <str>

    # IPv6 ACL Name for egress.
    ipv6_access_group_out: <str>
    tcp_mss_ceiling:

      # Segment Size for IPv4.
      ipv4: <int; 64-65495>

      # Segment Size for IPv6.
      ipv6: <int; 64-65475>

      # Optional direction ('ingress', 'egress')  for tcp mss ceiling.
      direction: <str; "ingress" | "egress">

    # Tunnel encapsulation method.
    # `gre`: Generic route encapsulation protocol,
    # `ipsec`: IPsec-over-IP encapsulation.
    tunnel_mode: <str; "gre" | "ipsec">

    # Tunnel Source Interface Name.
    source_interface: <str>

    # IPv4 or IPv6 Address Tunnel Destination.
    destination: <str>

    # Enable Path MTU Discovery On Tunnel.
    path_mtu_discovery: <bool>

    # Used only when `tunnel_mode` is set to `ipsec`.
    # It must target a defined IPsec profile.
    ipsec_profile: <str>

    # NAT interface profile.
    nat_profile: <str>

    # Multiline String with EOS CLI rendered directly on the Tunnel interface in the final EOS configuration.
    eos_cli: <str>

VLAN interfaces

Variable Type Required Default Value Restrictions Description
vlan_interfaces List, items: Dictionary
  - name String Required, Unique VLAN interface name like “Vlan123”.
    description String
    logging Dictionary
      event Dictionary
        link_status Boolean
    shutdown Boolean
    vrf String VRF name.
    arp_aging_timeout Integer Min: 1
Max: 65535
In seconds.
    arp_cache_dynamic_capacity Integer Min: 0
Max: 4294967295
    arp_gratuitous_accept Boolean
    arp_monitor_mac_address Boolean
    ip_proxy_arp Boolean
    ip_directed_broadcast Boolean
    ip_address String IPv4_address/Mask.
    ip_address_secondaries List, items: String
      - <str> String IPv4_address/Mask.
    ip_virtual_router_addresses List, items: String
      - <str> String IPv4 address or IPv4_address/Mask.
    ip_address_virtual String IPv4_address/Mask.
    ip_address_virtual_secondaries List, items: String
      - <str> String IPv4_address/Mask.
    ip_verify_unicast_source_reachable_via String Valid Values:
- any
- rx
    ip_igmp Boolean
    ip_igmp_version Integer Min: 1
Max: 3
    ip_igmp_host_proxy Dictionary
      enabled Boolean
      groups List, items: Dictionary
        - group String Required, Unique Multicast Address.
          exclude List, items: Dictionary The same source must not be present both in exclude and include list.
            - source String Required, Unique
          include List, items: Dictionary The same source must not be present both in exclude and include list.
            - source String Required, Unique
      report_interval Integer Min: 1
Max: 31744
Time interval between unsolicited reports.
      access_lists List, items: Dictionary Non-standard Access List name.
        - name String Required, Unique
      version Integer Min: 1
Max: 3
IGMP version on IGMP host-proxy interface.
    ip_helpers List, items: Dictionary List of DHCP servers.
      - ip_helper String Required, Unique IP address or hostname of DHCP server.
        source_interface String Interface used as source for forwarded DHCP packets.
        vrf String VRF where DHCP server can be reached.
    ip_dhcp_relay_all_subnets Boolean Allow forwarding requests with secondary IP addresses in the gateway address “giaddr” field.
    ip_nat Dictionary
      destination Dictionary
        dynamic List, items: Dictionary
          - access_list String Required, Unique
            comment String
            pool_name String Required
            priority Integer Min: 0
Max: 4294967295
        static List, items: Dictionary
          - access_list String ‘access_list’ and ‘group’ are mutual exclusive.
            comment String
            direction String Valid Values:
- egress
- ingress
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            group Integer Min: 1
Max: 65535
‘access_list’ and ‘group’ are mutual exclusive.
            original_ip String IPv4 address. The combination of original_ip and original_port must be unique.
            original_port Integer Min: 1
Max: 65535
TCP/UDP port. The combination of original_ip and original_port must be unique.
            priority Integer Min: 0
Max: 4294967295
            protocol String Valid Values:
- udp
- tcp
            translated_ip String Required IPv4 address.
            translated_port Integer Min: 1
Max: 65535
requires ‘original_port’.
      source Dictionary
        dynamic List, items: Dictionary
          - access_list String Required, Unique
            comment String
            nat_type String Required Valid Values:
- overload
- pool
- pool-address-only
- pool-full-cone
            pool_name String required if ‘nat_type’ is pool, pool-address-only or pool-full-cone.
ignored if ‘nat_type’ is overload.
            priority Integer Min: 0
Max: 4294967295
        static List, items: Dictionary
          - access_list String ‘access_list’ and ‘group’ are mutual exclusive.
            comment String
            direction String Valid Values:
- egress
- ingress
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            group Integer Min: 1
Max: 65535
‘access_list’ and ‘group’ are mutual exclusive.
            original_ip String IPv4 address. The combination of original_ip and original_port must be unique.
            original_port Integer Min: 1
Max: 65535
TCP/UDP port. The combination of original_ip and original_port must be unique.
            priority Integer Min: 0
Max: 4294967295
            protocol String Valid Values:
- udp
- tcp
            translated_ip String Required IPv4 address.
            translated_port Integer Min: 1
Max: 65535
requires ‘original_port’.
    ipv6_enable Boolean
    ipv6_address String IPv6_address/Mask.
    ipv6_address_virtual deprecated String IPv6_address/Mask.
If both “ipv6_address_virtual” and “ipv6_address_virtuals” are set, all addresses will be configured.
This key is deprecated. Support will be removed in AVD version 5.0.0. Use ipv6_address_virtuals instead.
    ipv6_address_virtuals List, items: String The new “ipv6_address_virtuals” key support multiple virtual ipv6 addresses.
      - <str> String IPv6_address/Mask.
    ipv6_address_link_local String IPv6_address/Mask.
    ipv6_virtual_router_address deprecated String “ipv6_virtual_router_address” should not be mixed with
the new “ipv6_virtual_router_addresses” key below to avoid conflicts.
This key is deprecated. Support will be removed in AVD version 5.0.0. Use ipv6_virtual_router_addresses instead.
    ipv6_virtual_router_addresses List, items: String Improved “VARPv6” data model to support multiple VARPv6 addresses.
      - <str> String IPv6 address or IPv6_address/Mask.
    ipv6_nd_ra_disabled Boolean
    ipv6_nd_managed_config_flag Boolean
    ipv6_nd_other_config_flag Boolean Set the “other stateful configuration” flag in IPv6 router advertisements.
    ipv6_nd_cache Dictionary IPv6 neighbor cache options.
      dynamic_capacity Integer Min: 0
Max: 4294967295
Capacity of dynamic cache entries.
      expire Integer Min: 1
Max: 65535
Cache entries expirery in seconds.
      refresh_always Boolean Force refresh on cache expiry.
    ipv6_nd_prefixes List, items: Dictionary
      - ipv6_prefix String Required, Unique IPv6_address/Mask.
        valid_lifetime String In seconds <0-4294967295> or infinite.
        preferred_lifetime String In seconds <0-4294967295> or infinite.
        no_autoconfig_flag Boolean
    ipv6_dhcp_relay_destinations List, items: Dictionary
      - address String Required, Unique DHCP server’s IPv6 address.
        vrf String
        local_interface String Local interface to communicate with DHCP server - mutually exclusive to source_address.
        source_address String Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface.
        link_address String Override the default link address specified in the relayed DHCP packet.
    ipv6_dhcp_relay_all_subnets Boolean Allow forwarding requests with additional IPv6 addresses in the gateway address “giaddr” field.
    access_group_in String IPv4 access-list name.
    access_group_out String IPv4 access-list name.
    ipv6_access_group_in String IPv6 access-list name.
    ipv6_access_group_out String IPv6 access-list name.
    multicast Dictionary
      ipv4 Dictionary
        boundaries List, items: Dictionary Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both.
          - boundary String Required, Unique IPv4 access-list name or IPv4 multicast group prefix with mask.
            out Boolean
        source_route_export Dictionary
          enabled Boolean Required
          administrative_distance Integer Min: 1
Max: 255
        static Boolean
      ipv6 Dictionary
        boundaries List, items: Dictionary Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both.
          - boundary String Required, Unique IPv6 access-list name or IPv6 multicast group prefix with mask.
        source_route_export Dictionary
          enabled Boolean Required
          administrative_distance Integer Min: 1
Max: 255
        static Boolean
    ospf_network_point_to_point Boolean
    ospf_area String
    ospf_cost Integer
    ospf_authentication String Valid Values:
- none
- simple
- message-digest
    ospf_authentication_key String Encrypted password used for simple authentication.
    ospf_message_digest_keys List, items: Dictionary Keys used for message-digest authentication.
      - id Integer Required, Unique
        hash_algorithm String Valid Values:
- md5
- sha1
- sha256
- sha384
- sha512
        key String Encrypted password.
    pim Dictionary
      ipv4 Dictionary
        border_router Boolean Configure PIM border router. EOS default is false.
        dr_priority Integer Min: 0
Max: 429467295
        sparse_mode Boolean
        local_interface String
        bfd Boolean Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
        bidirectional Boolean
        hello Dictionary
          count String Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
          interval Integer Min: 1
Max: 65535
PIM hello interval in seconds.
    isis_enable String ISIS instance name.
    isis_bfd Boolean Enable BFD for ISIS.
    isis_passive Boolean
    isis_metric Integer
    isis_network_point_to_point Boolean
    mtu Integer
    no_autostate Boolean
    vrrp_ids List, items: Dictionary Improved “vrrp” data model to support multiple VRRP IDs.
      - id Integer Required, Unique VRID.
        priority_level Integer Min: 1
Max: 254
Instance priority.
        advertisement Dictionary
          interval Integer Min: 1
Max: 255
Interval in seconds.
        preempt Dictionary
          enabled Boolean Required
          delay Dictionary
            minimum Integer Min: 0
Max: 3600
Minimum preempt delay in seconds.
            reload Integer Min: 0
Max: 3600
Reload preempt delay in seconds.
        timers Dictionary
          delay Dictionary
            reload Integer Min: 0
Max: 3600
Delay after reload in seconds.
        tracked_object List, items: Dictionary
          - name String Required, Unique Tracked object name.
            decrement Integer Min: 1
Max: 254
Decrement VRRP priority by 1-254.
            shutdown Boolean
        ipv4 Dictionary
          address String Required Virtual IPv4 address.
          version Integer Valid Values:
- 2
- 3
        ipv6 Dictionary
          address String Required Virtual IPv6 address.
    vrrp deprecated Dictionary “vrrp” should not be mixed with the new “vrrp_ids” key above to avoid conflicts.
This key is deprecated. Support will be removed in AVD version 5.0.0. Use vrrp_ids instead.
      virtual_router String Virtual Router ID.
      priority Integer Instance priority.
      advertisement_interval Integer
      preempt_delay_minimum Integer
      ipv4 String Virtual IPv4 address.
      ipv6 String Virtual IPv6 address.
    ip_attached_host_route_export Dictionary
      enabled Boolean Required
      distance Integer Min: 1
Max: 255
    ipv6_attached_host_route_export Dictionary
      enabled Boolean Required
      distance Integer Min: 1
Max: 255
Administrative distance for generated routes.
      prefix_length Integer Min: 0
Max: 128
Prefix length for generated routes.
    bfd Dictionary
      echo Boolean
      interval Integer Rate in milliseconds.
      min_rx Integer Minimum RX hold time in milliseconds.
      multiplier Integer Min: 3
Max: 50
    service_policy Dictionary
      pbr Dictionary
        input String Name of policy-map used for policy based routing.
    pvlan_mapping String List of VLANs as string.
    tenant String Key only used for documentation or validation purposes.
    tags List, items: String Key only used for documentation or validation purposes.
      - <str> String
    type String Key only used for documentation or validation purposes.
    eos_cli String Multiline EOS CLI rendered directly on the VLAN interface in the final EOS configuration.
vlan_interfaces:

    # VLAN interface name like "Vlan123".
  - name: <str; required; unique>
    description: <str>
    logging:
      event:
        link_status: <bool>
    shutdown: <bool>

    # VRF name.
    vrf: <str>

    # In seconds.
    arp_aging_timeout: <int; 1-65535>
    arp_cache_dynamic_capacity: <int; 0-4294967295>
    arp_gratuitous_accept: <bool>
    arp_monitor_mac_address: <bool>
    ip_proxy_arp: <bool>
    ip_directed_broadcast: <bool>

    # IPv4_address/Mask.
    ip_address: <str>
    ip_address_secondaries:

        # IPv4_address/Mask.
      - <str>
    ip_virtual_router_addresses:

        # IPv4 address or IPv4_address/Mask.
      - <str>

    # IPv4_address/Mask.
    ip_address_virtual: <str>
    ip_address_virtual_secondaries:

        # IPv4_address/Mask.
      - <str>
    ip_verify_unicast_source_reachable_via: <str; "any" | "rx">
    ip_igmp: <bool>
    ip_igmp_version: <int; 1-3>
    ip_igmp_host_proxy:
      enabled: <bool>
      groups:

          # Multicast Address.
        - group: <str; required; unique>

          # The same source must not be present both in `exclude` and `include` list.
          exclude:
            - source: <str; required; unique>

          # The same source must not be present both in `exclude` and `include` list.
          include:
            - source: <str; required; unique>

      # Time interval between unsolicited reports.
      report_interval: <int; 1-31744>

      # Non-standard Access List name.
      access_lists:
        - name: <str; required; unique>

      # IGMP version on IGMP host-proxy interface.
      version: <int; 1-3>

    # List of DHCP servers.
    ip_helpers:

        # IP address or hostname of DHCP server.
      - ip_helper: <str; required; unique>

        # Interface used as source for forwarded DHCP packets.
        source_interface: <str>

        # VRF where DHCP server can be reached.
        vrf: <str>

    # Allow forwarding requests with secondary IP addresses in the gateway address "giaddr" field.
    ip_dhcp_relay_all_subnets: <bool>
    ip_nat:
      destination:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            pool_name: <str; required>
            priority: <int; 0-4294967295>
        static:

            # 'access_list' and 'group' are mutual exclusive.
          - access_list: <str>
            comment: <str>

            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">

            # 'access_list' and 'group' are mutual exclusive.
            group: <int; 1-65535>

            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>

            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">

            # IPv4 address.
            translated_ip: <str; required>

            # requires 'original_port'.
            translated_port: <int; 1-65535>
      source:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>

            # required if 'nat_type' is pool, pool-address-only or pool-full-cone.
            # ignored if 'nat_type' is overload.
            pool_name: <str>
            priority: <int; 0-4294967295>
        static:

            # 'access_list' and 'group' are mutual exclusive.
          - access_list: <str>
            comment: <str>

            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">

            # 'access_list' and 'group' are mutual exclusive.
            group: <int; 1-65535>

            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>

            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">

            # IPv4 address.
            translated_ip: <str; required>

            # requires 'original_port'.
            translated_port: <int; 1-65535>
    ipv6_enable: <bool>

    # IPv6_address/Mask.
    ipv6_address: <str>

    # IPv6_address/Mask.
    # If both "ipv6_address_virtual" and "ipv6_address_virtuals" are set, all addresses will be configured.
    # This key is deprecated.
    # Support will be removed in AVD version 5.0.0.
    # Use <samp>ipv6_address_virtuals</samp> instead.
    ipv6_address_virtual: <str>

    # The new "ipv6_address_virtuals" key support multiple virtual ipv6 addresses.