Input variables for eos_cli_config_gen
This document describes the supported input variables for the role `arista.avd.eos_cli_config_gen`.
Since several data models have changed between AVD versions 3.x and 4.x, it is recommended to study the Porting Guide for AVD 4.x.x for existing deployments.
The input variables are documented below in tables and YAML.
All values are optional.
Note
All input variables are validated by a schema. If additional custom keys are desired, a key starting with an underscore (`_`) will be ignored.
Warning
Available features and variables may vary by platform; refer to the documentation on arista.com for specifics.
Authentication
AAA accounting
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
aaa_accounting | Dictionary | | | | |
exec | Dictionary | | | | |
console | Dictionary | | | | |
type | String | | | Valid Values: none, start-stop, stop-only | |
group | String | | | | Group Name. |
logging | Boolean | | | | |
default | Dictionary | | | | |
type | String | | | Valid Values: none, start-stop, stop-only | |
group | String | | | | Group Name. |
logging | Boolean | | | | |
system | Dictionary | | | | |
default | Dictionary | | | | |
type | String | | | Valid Values: none, start-stop, stop-only | |
group | String | | | | Group Name. |
dot1x | Dictionary | | | | |
default | Dictionary | | | | |
type | String | | | Valid Values: start-stop, stop-only | |
group | String | | | | Group Name. |
commands | Dictionary | | | | |
console | List, items: Dictionary | | | | |
- commands | String | | | | Privilege level 'all' or 0-15. |
type | String | | | Valid Values: none, start-stop, stop-only | |
group | String | | | | Group Name. |
logging | Boolean | | | | |
default | List, items: Dictionary | | | | |
- commands | String | | | | Privilege level 'all' or 0-15. |
type | String | | | Valid Values: none, start-stop, stop-only | |
group | String | | | | Group Name. |
logging | Boolean | | | | |

```yaml
aaa_accounting:
  exec:
    console:
      type: <str; "none" | "start-stop" | "stop-only">
      # Group Name.
      group: <str>
      logging: <bool>
    default:
      type: <str; "none" | "start-stop" | "stop-only">
      # Group Name.
      group: <str>
      logging: <bool>
  system:
    default:
      type: <str; "none" | "start-stop" | "stop-only">
      # Group Name.
      group: <str>
  dot1x:
    default:
      type: <str; "start-stop" | "stop-only">
      # Group Name.
      group: <str>
  commands:
    console:
      # Privilege level 'all' or 0-15.
      - commands: <str>
        type: <str; "none" | "start-stop" | "stop-only">
        # Group Name.
        group: <str>
        logging: <bool>
    default:
      # Privilege level 'all' or 0-15.
      - commands: <str>
        type: <str; "none" | "start-stop" | "stop-only">
        # Group Name.
        group: <str>
        logging: <bool>
```
AAA authentication
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
aaa_authentication | Dictionary | | | | |
login | Dictionary | | | | |
default | String | | | | Login authentication method(s) as a string. Examples: "group tacacs+ local", "group MYGROUP none", "group radius group MYGROUP local" |
console | String | | | | Console authentication method(s) as a string. Examples: "group tacacs+ local", "group MYGROUP none", "group radius group MYGROUP local" |
enable | Dictionary | | | | |
default | String | | | | Enable authentication method(s) as a string. Examples: "group tacacs+ local", "group MYGROUP none", "group radius group MYGROUP local" |
dot1x | Dictionary | | | | |
default | String | | | | 802.1x authentication method(s) as a string. Examples: "group radius", "group MYGROUP group radius" |
policies | Dictionary | | | | |
on_failure_log | Boolean | | | | |
on_success_log | Boolean | | | | |
local | Dictionary | | | | |
allow_nopassword | Boolean | | | | |
lockout | Dictionary | | | | |
failure | Integer | | | Min: 1, Max: 255 | |
duration | Integer | | | Min: 1, Max: 4294967295 | |
window | Integer | | | Min: 1, Max: 4294967295 | |

```yaml
aaa_authentication:
  login:
    # Login authentication method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    default: <str>
    # Console authentication method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    console: <str>
  enable:
    # Enable authentication method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    default: <str>
  dot1x:
    # 802.1x authentication method(s) as a string.
    # Examples:
    # - "group radius"
    # - "group MYGROUP group radius"
    default: <str>
  policies:
    on_failure_log: <bool>
    on_success_log: <bool>
    local:
      allow_nopassword: <bool>
    lockout:
      failure: <int; 1-255>
      duration: <int; 1-4294967295>
      window: <int; 1-4294967295>
```
AAA authorization
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
aaa_authorization | Dictionary | | | | |
policy | Dictionary | | | | |
local_default_role | String | | | | |
exec | Dictionary | | | | |
default | String | | | | Exec authorization method(s) as a string. Examples: "group tacacs+ local", "group MYGROUP none", "group radius group MYGROUP local" |
config_commands | Boolean | | | | |
serial_console | Boolean | | | | |
dynamic | Dictionary | | | | |
dot1x_additional_groups | List, items: String | | | Min Length: 1 | |
- <str> | String | | | | |
commands | Dictionary | | | | |
all_default | String | | | | Command authorization method(s) as a string. Examples: "group tacacs+ local", "group MYGROUP none", "group tacacs+ group MYGROUP local" |
privilege | List, items: Dictionary | | | | |
- level | String | | | | Privilege level(s) 0-15. |
default | String | | | | Command authorization method(s) as a string. Examples: "group tacacs+ local", "group MYGROUP none", "group tacacs+ group MYGROUP local" |

```yaml
aaa_authorization:
  policy:
    local_default_role: <str>
  exec:
    # Exec authorization method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    default: <str>
  config_commands: <bool>
  serial_console: <bool>
  dynamic:
    dot1x_additional_groups: # >=1 items
      - <str>
  commands:
    # Command authorization method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group tacacs+ group MYGROUP local"
    all_default: <str>
    privilege:
      # Privilege level(s) 0-15.
      - level: <str>
        # Command authorization method(s) as a string.
        # Examples:
        # - "group tacacs+ local"
        # - "group MYGROUP none"
        # - "group tacacs+ group MYGROUP local"
        default: <str>
```
AAA root
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
aaa_root | Dictionary | | | | |
secret | Dictionary | | | | |
sha512_password | String | | | | |
AAA server groups
Enable password
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
enable_password | Dictionary | | | | |
hash_algorithm | String | | | Valid Values: md5, sha512 | |
key | String | | | | Must be the hash of the password using the specified algorithm. By default EOS salts the password, so the simplest is to generate the hash on an EOS device. |
IP radius source-interfaces
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_radius_source_interfaces | List, items: Dictionary | | | | |
- name | String | | | | Interface Name. |
vrf | String | | | | VRF Name. |
IP tacacs source-interfaces
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_tacacs_source_interfaces | List, items: Dictionary | | | | |
- name | String | | | | Interface name. |
vrf | String | | | | |
Local users
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
local_users | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Username. |
disabled | Boolean | | | | If true, the user will be removed and all other settings are ignored. Useful for removing the default "admin" user. |
privilege | Integer | | | Min: 0, Max: 15 | Initial privilege level with local EXEC authorization. |
role | String | | | | EOS RBAC Role to be assigned to the user such as "network-admin" or "network-operator". |
sha512_password | String | | | | SHA512 Hash of Password. Must be the hash of the password. By default EOS salts the password with the username, so the simplest is to generate the hash on an EOS device using the same username. |
no_password | Boolean | | | | If set a password will not be configured for this user. "sha512_password" MUST not be defined for this user. |
ssh_key | String | | | | |
secondary_ssh_key | String | | | | |
shell | String | | | Valid Values: /bin/bash, /bin/sh, /sbin/nologin | Specify shell for the user. |

```yaml
local_users:
  # Username.
  - name: <str; required; unique>
    # If true, the user will be removed and all other settings are ignored.
    # Useful for removing the default "admin" user.
    disabled: <bool>
    # Initial privilege level with local EXEC authorization.
    privilege: <int; 0-15>
    # EOS RBAC Role to be assigned to the user such as "network-admin" or "network-operator".
    role: <str>
    # SHA512 Hash of Password.
    # Must be the hash of the password. By default EOS salts the password with the username, so the simplest is to generate the hash on an EOS device using the same username.
    sha512_password: <str>
    # If set a password will not be configured for this user. "sha512_password" MUST not be defined for this user.
    no_password: <bool>
    ssh_key: <str>
    secondary_ssh_key: <str>
    # Specify shell for the user.
    shell: <str; "/bin/bash" | "/bin/sh" | "/sbin/nologin">
```
Radius server
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
radius_server | Dictionary | | | | |
attribute_32_include_in_access_req | Dictionary | | | | |
hostname | Boolean | | | | |
format | String | | | | Specify the format of the NAS-Identifier. If 'hostname' is set, this is ignored. |
dynamic_authorization | Dictionary | | | | |
port | Integer | | | Min: 0, Max: 65535 | TCP Port. |
tls_ssl_profile | String | | | | Name of TLS profile. |
hosts | List, items: Dictionary | | | | |
- host | String | Required, Unique | | | Host IP address or name. |
vrf | String | | | | |
tls | Dictionary | | | | When TLS is configured, `key` is ignored. |
enabled | Boolean | | | | Enable TLS for radius-server. |
ssl_profile | String | | | | Name of TLS profile. |
port | Integer | | | Min: 0, Max: 65535 | TCP Port used for TLS. EOS default is 2083. |
timeout | Integer | | | Min: 1, Max: 1000 | |
retransmit | Integer | | | Min: 0, Max: 100 | |
key | String | | | | Encrypted key - only type 7 supported. When TLS is configured, `key` is ignored. |
tls_ssl_profile | String | | | | Name of global TLS profile. |

```yaml
radius_server:
  attribute_32_include_in_access_req:
    hostname: <bool>
    # Specify the format of the NAS-Identifier. If 'hostname' is set, this is ignored.
    format: <str>
  dynamic_authorization:
    # TCP Port.
    port: <int; 0-65535>
    # Name of TLS profile.
    tls_ssl_profile: <str>
  hosts:
    # Host IP address or name.
    - host: <str; required; unique>
      vrf: <str>
      # When TLS is configured, `key` is ignored.
      tls:
        # Enable TLS for radius-server.
        enabled: <bool>
        # Name of TLS profile.
        ssl_profile: <str>
        # TCP Port used for TLS. EOS default is 2083.
        port: <int; 0-65535>
      timeout: <int; 1-1000>
      retransmit: <int; 0-100>
      # Encrypted key - only type 7 supported.
      # When TLS is configured, `key` is ignored.
      key: <str>
  # Name of global TLS profile.
  tls_ssl_profile: <str>
```
Radius servers
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
radius_servers (deprecated) | List, items: Dictionary | | | | This key is deprecated. Support will be removed in AVD version v5.0.0. Use `radius_server.hosts` instead. |
- host | String | | | | Host IP address or name. |
vrf | String | | | | |
key | String | | | | Encrypted key. |
Roles
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
roles | List, items: Dictionary | | | | |
- name | String | | | | Role name. |
sequence_numbers | List, items: Dictionary | | | | |
- sequence | Integer | | | | Sequence number. |
action | String | | | Valid Values: permit, deny | |
mode | String | | | | "config", "config-all", "exec" or mode key as string. |
command | String | | | | Command as string. |
Tacacs servers
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
tacacs_servers | Dictionary | | | | |
timeout | Integer | | | Min: 1, Max: 1000 | Timeout in seconds. |
hosts | List, items: Dictionary | | | | |
- host | String | | | | Host IP address or name. |
vrf | String | | | | |
key | String | | | | Encrypted key. |
key_type | String | | 7 | Valid Values: 0, 7, 8a | |
single_connection | Boolean | | | | |
timeout | Integer | | | Min: 1, Max: 1000 | Timeout in seconds. |
policy_unknown_mandatory_attribute_ignore | Boolean | | | | |

```yaml
tacacs_servers:
  # Timeout in seconds.
  timeout: <int; 1-1000>
  hosts:
    # Host IP address or name.
    - host: <str>
      vrf: <str>
      # Encrypted key.
      key: <str>
      key_type: <str; "0" | "7" | "8a"; default="7">
      single_connection: <bool>
      # Timeout in seconds.
      timeout: <int; 1-1000>
  policy_unknown_mandatory_attribute_ignore: <bool>
```
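The variables in the Authentication section decide how operators are authenticated on the device, so they are worth auditing before the configuration is rendered. The following is an added example, not part of AVD or of this page: it walks a device's input variables and reports settings that weaken authentication. The function names, finding texts and sample variables are constructed for illustration.

```python
"""Audit eos_cli_config_gen AAA input variables (added example, not AVD code)."""

# Variables on this page whose value is a method list such as "group tacacs+ local".
METHOD_LIST_KEYS = [
    ("aaa_authentication", "login", "default"),
    ("aaa_authentication", "login", "console"),
    ("aaa_authentication", "enable", "default"),
    ("aaa_authorization", "exec", "default"),
    ("aaa_authorization", "commands", "all_default"),
]


def _get(data, *path):
    """Walk nested dictionaries; return None as soon as a level is missing."""
    for key in path:
        if not isinstance(data, dict):
            return None
        data = data.get(key)
    return data


def audit_aaa(variables):
    """Return (variable path, finding) tuples for one device's input variables."""
    findings = []

    # 1. A method list containing "none" stops requiring credentials once the
    #    methods listed before it are unavailable.
    method_lists = [(".".join(p), _get(variables, *p)) for p in METHOD_LIST_KEYS]
    for item in _get(variables, "aaa_authorization", "commands", "privilege") or []:
        path = f"aaa_authorization.commands.privilege[level={item.get('level')}].default"
        method_lists.append((path, item.get("default")))
    for path, methods in method_lists:
        if isinstance(methods, str) and "none" in methods.split():
            findings.append((path, f'method list "{methods}" contains "none"'))

    # 2. Local login policies.
    policies = _get(variables, "aaa_authentication", "policies") or {}
    prefix = "aaa_authentication.policies"
    if _get(policies, "local", "allow_nopassword"):
        findings.append((f"{prefix}.local.allow_nopassword", "password-less local login allowed"))
    if not policies.get("lockout"):
        findings.append((f"{prefix}.lockout", "no lockout policy defined"))
    if not policies.get("on_failure_log"):
        findings.append((f"{prefix}.on_failure_log", "on-failure logging not enabled"))

    # 3. Local users. A disabled user is removed, so its other settings are ignored.
    for user in variables.get("local_users") or []:
        if user.get("disabled") or not user.get("no_password"):
            continue
        path = f"local_users[{user['name']}].no_password"
        if user.get("sha512_password"):
            findings.append((path, "no_password set together with sha512_password"))
        else:
            findings.append((path, "account has no password"))

    # 4. Enable password hashed with md5 although sha512 is a valid value.
    if _get(variables, "enable_password", "hash_algorithm") == "md5":
        findings.append(("enable_password.hash_algorithm", "md5 hash; sha512 is available"))

    # 5. Server keys: type 0 is a cleartext key; RADIUS hosts without TLS.
    for host in _get(variables, "tacacs_servers", "hosts") or []:
        if str(host.get("key_type", "7")) == "0":  # schema default is "7"
            path = f"tacacs_servers.hosts[{host.get('host')}].key_type"
            findings.append((path, "key stored as type 0 (cleartext)"))
    for host in _get(variables, "radius_server", "hosts") or []:
        if not _get(host, "tls", "enabled"):
            findings.append((f"radius_server.hosts[{host['host']}].tls", "TLS not enabled"))
    return findings


# Constructed sample variables: documentation-range addresses, placeholder keys.
SAMPLE = {
    "aaa_authentication": {
        "login": {"default": "group tacacs+ local", "console": "group MYGROUP none"},
        "policies": {"on_failure_log": True, "local": {"allow_nopassword": True}},
    },
    "aaa_authorization": {
        "exec": {"default": "group tacacs+ local"},
        "commands": {"privilege": [{"level": "15", "default": "group tacacs+ none"}]},
    },
    "enable_password": {"hash_algorithm": "md5", "key": "<placeholder-hash>"},
    "local_users": [
        {"name": "admin", "disabled": True, "no_password": True},
        {"name": "ops", "privilege": 15, "role": "network-admin", "no_password": True},
    ],
    "tacacs_servers": {"hosts": [{"host": "192.0.2.10", "key": "<placeholder>", "key_type": "0"}]},
    "radius_server": {"hosts": [
        {"host": "192.0.2.20", "tls": {"enabled": True, "ssl_profile": "RADSEC"}},
        {"host": "192.0.2.21", "key": "<placeholder>"},
    ]},
}

if __name__ == "__main__":
    for path, finding in audit_aaa(SAMPLE):
        print(f"{path}: {finding}")
```

Which findings block a deployment is a local policy decision; a lab may accept some that a production fabric should not.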
ACLs
IP Extended access-lists
AVD currently supports two different data models for extended ACLs:
- The legacy `access_lists` data model, for compatibility with existing deployments
- The improved `ip_access_lists` data model, for access to more EOS features
Both data models can coexist without conflicts, as different keys are used: `access_lists` vs `ip_access_lists`.
Access list names must be unique.
The legacy data model supports simplified ACL definition with `sequence` to `action` mapping:
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
access_lists | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Access-list Name. |
counters_per_entry | Boolean | | | | |
permit_response_traffic | String | | | Valid Values: nat | Permit response traffic automatically based on NAT translations. Minimum EOS version requirement 4.32.2F. |
sequence_numbers | List, items: Dictionary | Required | | | |
- sequence | Integer | Required, Unique | | | Sequence ID. |
action | String | Required | | | Action as string. Example: "deny ip any any" |

```yaml
access_lists:
  # Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>
    # Permit response traffic automatically based on NAT translations.
    # Minimum EOS version requirement 4.32.2F.
    permit_response_traffic: <str; "nat">
    sequence_numbers: # required
      # Sequence ID.
      - sequence: <int; required; unique>
        # Action as string.
        # Example: "deny ip any any"
        action: <str; required>
```
The improved data model has a more sophisticated design documented below:
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_access_lists | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Access-list Name. |
counters_per_entry | Boolean | | | | |
entries | List, items: Dictionary | | | | ACL Entries. |
- sequence | Integer | | | | ACL entry sequence number. |
remark | String | | | | Comment up to 100 characters. If remark is defined, other keys in the ACL entry will be ignored. |
action | String | | | Valid Values: permit, deny | ACL action. Required except for remarks. |
protocol | String | | | | "ip", "tcp", "udp", "icmp" or other protocol name or number. Required except for remarks. |
source | String | | | | "any", "<ip>/<mask>" or "<ip>". "<ip>" without a mask means host. Required except for remarks. |
source_ports_match | String | | eq | Valid Values: eq, gt, lt, neq, range | |
source_ports | List, items: String | | | | |
- <str> | String | | | | TCP/UDP source port name or number. |
destination | String | | | | "any", "<ip>/<mask>" or "<ip>". "<ip>" without a mask means host. Required except for remarks. |
destination_ports_match | String | | eq | Valid Values: eq, gt, lt, neq, range | |
destination_ports | List, items: String | | | | |
- <str> | String | | | | TCP/UDP destination port name or number. |
tcp_flags | List, items: String | | | | |
- <str> | String | | | | TCP Flag Name. |
fragments | Boolean | | | | Match non-head fragment packets. |
log | Boolean | | | | Log matches against this rule. |
ttl | Integer | | | Min: 0, Max: 255 | TTL value. |
ttl_match | String | | eq | Valid Values: eq, gt, lt, neq | |
icmp_type | String | | | | Message type name/number for ICMP packets. |
icmp_code | String | | | | Message code for ICMP packets. |
nexthop_group | String | | | | nexthop-group name. |
tracked | Boolean | | | | Match packets in existing ICMP/UDP/TCP connections. |
dscp | String | | | | DSCP value or name. |
vlan_number | Integer | | | | |
vlan_inner | Boolean | | False | | |
vlan_mask | String | | | | 0x000-0xFFF VLAN mask. |

```yaml
ip_access_lists:
  # Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>
    # ACL Entries.
    entries:
      # ACL entry sequence number.
      - sequence: <int>
        # Comment up to 100 characters.
        # If remark is defined, other keys in the ACL entry will be ignored.
        remark: <str>
        # ACL action.
        # Required except for remarks.
        action: <str; "permit" | "deny">
        # "ip", "tcp", "udp", "icmp" or other protocol name or number.
        # Required except for remarks.
        protocol: <str>
        # "any", "<ip>/<mask>" or "<ip>".
        # "<ip>" without a mask means host.
        # Required except for remarks.
        source: <str>
        source_ports_match: <str; "eq" | "gt" | "lt" | "neq" | "range"; default="eq">
        source_ports:
          # TCP/UDP source port name or number.
          - <str>
        # "any", "<ip>/<mask>" or "<ip>".
        # "<ip>" without a mask means host.
        # Required except for remarks.
        destination: <str>
        destination_ports_match: <str; "eq" | "gt" | "lt" | "neq" | "range"; default="eq">
        destination_ports:
          # TCP/UDP destination port name or number.
          - <str>
        tcp_flags:
          # TCP Flag Name.
          - <str>
        # Match non-head fragment packets.
        fragments: <bool>
        # Log matches against this rule.
        log: <bool>
        # TTL value.
        ttl: <int; 0-255>
        ttl_match: <str; "eq" | "gt" | "lt" | "neq"; default="eq">
        # Message type name/number for ICMP packets.
        icmp_type: <str>
        # Message code for ICMP packets.
        icmp_code: <str>
        # nexthop-group name.
        nexthop_group: <str>
        # Match packets in existing ICMP/UDP/TCP connections.
        tracked: <bool>
        # DSCP value or name.
        dscp: <str>
        vlan_number: <int>
        vlan_inner: <bool; default=False>
        # 0x000-0xFFF VLAN mask.
        vlan_mask: <str>
```
The improved data model can limit the number of ACL entries that AVD is allowed to generate by defining `ip_access_lists_max_entries`.
Only normal entries under `ip_access_lists` are counted; remarks are ignored.
If the number is above the limit, the playbook will fail. This provides simplified control over hardware utilization.
The numbers must be based on hardware tests; AVD does not provide any guidance. Note that other EOS features may use the same hardware resources and affect the supported scale.
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_access_lists_max_entries | Integer | | | | Limit ACL entries defined under `ip_access_lists`. |
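The counting rule described above, combined with the "required except for remarks" rules from the `ip_access_lists` table, as an added example that is not AVD's own implementation. The function names and sample data are constructed; counting across all lists in `ip_access_lists` and checking name uniqueness across both data models are this example's reading of the text.

```python
"""Pre-flight check for the ip_access_lists data model (added example, not AVD code)."""

REQUIRED_UNLESS_REMARK = ("action", "protocol", "source", "destination")
PORT_MATCHES = {"eq", "gt", "lt", "neq", "range"}


def check_entry(acl_name, entry):
    """Return schema problems for one ACL entry, following the table on this page."""
    where = f"{acl_name} seq {entry.get('sequence', '?')}"
    if "remark" in entry:
        # If remark is defined, the other keys in the entry are ignored.
        if len(entry["remark"]) > 100:
            return [f"{where}: remark longer than 100 characters"]
        return []
    problems = [f"{where}: missing '{key}'" for key in REQUIRED_UNLESS_REMARK if not entry.get(key)]
    if entry.get("action") not in (None, "permit", "deny"):
        problems.append(f"{where}: action must be permit or deny")
    for side in ("source", "destination"):
        match = entry.get(f"{side}_ports_match", "eq")  # schema default is "eq"
        if match not in PORT_MATCHES:
            problems.append(f"{where}: invalid {side}_ports_match '{match}'")
    ttl = entry.get("ttl")
    if ttl is not None and not 0 <= ttl <= 255:
        problems.append(f"{where}: ttl outside 0-255")
    return problems


def count_entries(ip_access_lists):
    """Count normal entries over all lists; remarks are not counted."""
    return sum(
        1
        for acl in ip_access_lists
        for entry in acl.get("entries", [])
        if "remark" not in entry
    )


def preflight(variables):
    """Validate ip_access_lists and enforce ip_access_lists_max_entries.

    Returns (entry_count, problems). Raises ValueError when the count is above
    the limit, standing in for the playbook failure described in the text.
    """
    acls = variables.get("ip_access_lists") or []
    # Assumption: names must be unique across the legacy and improved models.
    names = [acl["name"] for acl in acls]
    names += [acl["name"] for acl in variables.get("access_lists") or []]
    problems = [
        f"duplicate access-list name '{name}'"
        for name in sorted(set(names))
        if names.count(name) > 1
    ]
    for acl in acls:
        for entry in acl.get("entries", []):
            problems.extend(check_entry(acl["name"], entry))
    count = count_entries(acls)
    limit = variables.get("ip_access_lists_max_entries")
    if limit is not None and count > limit:
        raise ValueError(f"{count} ACL entries exceed ip_access_lists_max_entries={limit}")
    return count, problems


# Constructed sample variables using documentation address ranges.
SAMPLE = {
    "ip_access_lists_max_entries": 3,
    "access_lists": [
        {"name": "MGMT", "sequence_numbers": [{"sequence": 10, "action": "deny ip any any"}]},
    ],
    "ip_access_lists": [
        {"name": "EDGE-IN", "entries": [
            {"remark": "constructed sample ACL"},
            {"sequence": 10, "action": "permit", "protocol": "tcp",
             "source": "192.0.2.0/24", "destination": "any", "destination_ports": ["ssh"]},
            {"sequence": 20, "action": "deny", "protocol": "ip", "source": "any", "log": True},
        ]},
        {"name": "MGMT", "entries": [
            {"sequence": 10, "action": "permit", "protocol": "udp",
             "source": "any", "destination": "198.51.100.5", "ttl": 300},
        ]},
    ],
}

if __name__ == "__main__":
    total, issues = preflight(SAMPLE)
    print(f"{total} entries counted against the limit")
    for issue in issues:
        print(issue)
```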
IPv6 access-lists
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ipv6_access_lists | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | IPv6 Access-list Name. |
counters_per_entry | Boolean | | | | |
sequence_numbers | List, items: Dictionary | Required | | | |
- sequence | Integer | Required, Unique | | | Sequence ID. |
action | String | Required | | | Action as string. Example: "deny ipv6 any any" |
IPv6 standard access-lists
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ipv6_standard_access_lists | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Access-list Name. |
counters_per_entry | Boolean | | | | |
sequence_numbers | List, items: Dictionary | Required | | | |
- sequence | Integer | Required, Unique | | | Sequence ID. |
action | String | Required | | | Action as string. Example: "deny ipv6 any any" |
MAC access-lists
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
mac_access_lists | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | MAC Access-list Name. |
counters_per_entry | Boolean | | | | |
entries | List, items: Dictionary | | | | |
- sequence | Integer | | | | |
action | String | | | | |
Standard access-lists
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
standard_access_lists | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Access-list Name. |
counters_per_entry | Boolean | | | | |
sequence_numbers | List, items: Dictionary | Required | | | |
- sequence | Integer | Required, Unique | | | Sequence ID. |
action | String | Required | | | Action as string. Example: "deny ip any any" |
Endpoint Security
Address-locking
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
address_locking | Dictionary | | | | |
dhcp_servers_ipv4 | List, items: String | | | | |
- <str> | String | | | | DHCP server IPv4 address. |
disabled | Boolean | | | | Disable IP locking on configured ports. |
leases | List, items: Dictionary | | | | |
- ip | String | Required | | | IP address. |
mac | String | Required | | | MAC address (hhhh.hhhh.hhhh or hh:hh:hh:hh:hh:hh). |
local_interface | String | | | | |
locked_address | Dictionary | | | | |
expiration_mac_disabled | Boolean | | | | Configure deauthorizing locked addresses upon MAC aging out. |
ipv4_enforcement_disabled | Boolean | | | | Configure enforcement for locked IPv4 addresses. |
ipv6_enforcement_disabled | Boolean | | | | Configure enforcement for locked IPv6 addresses. |

```yaml
address_locking:
  dhcp_servers_ipv4:
    # DHCP server IPv4 address.
    - <str>
  # Disable IP locking on configured ports.
  disabled: <bool>
  leases:
    # IP address.
    - ip: <str; required>
      # MAC address (hhhh.hhhh.hhhh or hh:hh:hh:hh:hh:hh).
      mac: <str; required>
  local_interface: <str>
  locked_address:
    # Configure deauthorizing locked addresses upon MAC aging out.
    expiration_mac_disabled: <bool>
    # Configure enforcement for locked IPv4 addresses.
    ipv4_enforcement_disabled: <bool>
    # Configure enforcement for locked IPv6 addresses.
    ipv6_enforcement_disabled: <bool>
```
Dot1x
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
dot1x | Dictionary | | | | |
system_auth_control | Boolean | | | | |
protocol_lldp_bypass | Boolean | | | | |
protocol_bpdu_bypass | Boolean | | | | |
dynamic_authorization | Boolean | | | | |
mac_based_authentication | Dictionary | | | | |
delay | Integer | | | Min: 0, Max: 300 | |
hold_period | Integer | | | Min: 1, Max: 300 | |
radius_av_pair | Dictionary | | | | |
service_type | Boolean | | | | |
framed_mtu | Integer | | | Min: 68, Max: 9236 | |
aaa | Dictionary | | | | Configure AAA parameters. |
unresponsive | Dictionary | | | | Configure AAA timeout options. |
eap_response | String | | | Valid Values: success, disabled | EAP response to send. |
action | Dictionary | | | | Set action for supplicant when AAA times out. |
apply_cached_results | Boolean | | | | Use results from a previous AAA response. |
cached_results_timeout | Dictionary | | | | |
time_duration | Integer | | | Min: 1 | Enable caching for a specific duration: <1-10000> duration in days, <1-14400000> duration in minutes, <1-240000> duration in hours, <1-864000000> duration in seconds. |
time_duration_unit | String | Required | | Valid Values: days, hours, minutes, seconds | |
apply_alternate | Boolean | | | | Apply alternate action if primary action fails, e.g. "aaa unresponsive action apply cached-results else traffic allow". |
traffic_allow | Boolean | | | | Set action for supplicant traffic when AAA times out. |
traffic_allow_vlan | Integer | | | Min: 1, Max: 4094 | |
phone_action | Dictionary | | | | Set action for supplicant when AAA times out. |
apply_cached_results | Boolean | | | | Use results from a previous AAA response. |
cached_results_timeout | Dictionary | | | | |
time_duration | Integer | | | Min: 1 | Enable caching for a specific duration: <1-10000> duration in days, <1-14400000> duration in minutes, <1-240000> duration in hours, <1-864000000> duration in seconds. |
time_duration_unit | String | Required | | Valid Values: days, hours, minutes, seconds | |
apply_alternate | Boolean | | | | Apply alternate action if primary action fails, e.g. "aaa unresponsive phone action apply cached-results else traffic allow". |
traffic_allow | Boolean | | | | Set action for supplicant traffic when AAA times out. |
recovery_action_reauthenticate | Boolean | | | | |
accounting_update_interval | Integer | | | Min: 5, Max: 65535 | Interval period in seconds. |
captive_portal | Dictionary | | | | Web authentication feature authenticates a supplicant through a web page, referred to as a captive portal. |
enabled | Boolean | Required | | | |
url | String | | | | Supported URL type: http: http://<hostname>[:<port>], https: https://<hostname>[:<port>] |
ssl_profile | String | | | | |
start_limit_infinite | Boolean | | | | Set captive-portal start limit to infinite. |
access_list_ipv4 | String | | | | Standard access-list name. |
supplicant | Dictionary | | | | |
profiles | List, items: Dictionary | | | | Dot1x supplicant profiles. |
- name | String | Required, Unique | | | |
eap_method | String | | | Valid Values: fast, tls | Extensible Authentication Protocol method: EAP Flexible Authentication via Secure Tunneling; EAP with Transport Layer Security. |
identity | String | | | | User identity. |
passphrase_type | String | | 7 | Valid Values: 0, 7, 8a | |
passphrase | String | | | | Extensible Authentication Protocol password. |
ssl_profile | String | | | | |
logging | Boolean | | | | Enable supplicant logging. |
disconnect_cached_results_timeout | Integer | | | Min: 60, Max: 65535 | Timeout in seconds for removing a disconnected supplicant. |

```yaml
dot1x:
  system_auth_control: <bool>
  protocol_lldp_bypass: <bool>
  protocol_bpdu_bypass: <bool>
  dynamic_authorization: <bool>
  mac_based_authentication:
    delay: <int; 0-300>
    hold_period: <int; 1-300>
  radius_av_pair:
    service_type: <bool>
    framed_mtu: <int; 68-9236>
  # Configure AAA parameters.
  aaa:
    # Configure AAA timeout options.
    unresponsive:
      # EAP response to send.
      eap_response: <str; "success" | "disabled">
      # Set action for supplicant when AAA times out.
      action:
        # Use results from a previous AAA response.
        apply_cached_results: <bool>
        cached_results_timeout:
          # Enable caching for a specific duration -
          # <1-10000> duration in days
          # <1-14400000> duration in minutes
          # <1-240000> duration in hours
          # <1-864000000> duration in seconds
          time_duration: <int; >=1>
          time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>
        # Apply alternate action if primary action fails.
        # eg. aaa unresponsive action apply cached-results else traffic allow
        apply_alternate: <bool>
        # Set action for supplicant traffic when AAA times out.
        traffic_allow: <bool>
        traffic_allow_vlan: <int; 1-4094>
      # Set action for supplicant when AAA times out.
      phone_action:
        # Use results from a previous AAA response.
        apply_cached_results: <bool>
        cached_results_timeout:
          # Enable caching for a specific duration -
          # <1-10000> duration in days
          # <1-14400000> duration in minutes
          # <1-240000> duration in hours
          # <1-864000000> duration in seconds
          time_duration: <int; >=1>
          time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>
        # Apply alternate action if primary action fails.
        # eg. aaa unresponsive phone action apply cached-results else traffic allow
        apply_alternate: <bool>
        # Set action for supplicant traffic when AAA times out.
        traffic_allow: <bool>
      recovery_action_reauthenticate: <bool>
    # Interval period in seconds.
    accounting_update_interval: <int; 5-65535>
  # Web authentication feature authenticates a supplicant through a web page, referred to as a captive portal.
  captive_portal:
    enabled: <bool; required>
    # Supported URL type:
    # - http: http://<hostname>[:<port>]
    # - https: https://<hostname>[:<port>]
    url: <str>
    ssl_profile: <str>
    # Set captive-portal start limit to infinite.
    start_limit_infinite: <bool>
    # Standard access-list name.
    access_list_ipv4: <str>
  supplicant:
    # Dot1x supplicant profiles.
    profiles:
      - name: <str; required; unique>
        # Extensible Authentication Protocol method:
        # - EAP Flexible Authentication via Secure Tunneling.
        # - EAP with Transport Layer Security.
        eap_method: <str; "fast" | "tls">
        # User identity.
        identity: <str>
        passphrase_type: <str; "0" | "7" | "8a"; default="7">
        # Extensible Authentication Protocol password.
        passphrase: <str>
        ssl_profile: <str>
    # Enable supplicant logging.
    logging: <bool>
    # Timeout in seconds for removing a disconnected supplicant.
    disconnect_cached_results_timeout: <int; 60-65535>
```
MAC security
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
mac_security | Dictionary | | | | |
license | Dictionary | | | | |
license_name | String | Required | | | |
license_key | String | Required | | | |
fips_restrictions | Boolean | | | | |
profiles | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Profile-Name. |
cipher | String | | | Valid Values: aes128-gcm, aes128-gcm-xpn, aes256-gcm, aes256-gcm-xpn | |
connection_keys | List, items: Dictionary | | | | |
- id | String | Required, Unique | | | |
encrypted_key | String | | | | |
fallback | Boolean | | | | |
mka | Dictionary | | | | |
key_server_priority | Integer | | | Min: 0, Max: 255 | |
session | Dictionary | | | | |
rekey_period | Integer | | | Min: 30, Max: 100000 | Rekey period in seconds. |
sci | Boolean | | | | |
l2_protocols | Dictionary | | | | |
ethernet_flow_control | Dictionary | | | | |
mode | String | Required | | Valid Values: encrypt, bypass | |
lldp | Dictionary | | | | |
mode | String | Required | | Valid Values: bypass, bypass unauthorized | |
traffic_unprotected | Dictionary | | | | |
action | String | Required | | Valid Values: allow, drop | Allow/drop the transmit/receive of unprotected traffic. |
allow_active_sak | Boolean | | | | Allow transmit/receive of encrypted traffic using operational SAK and block otherwise. |

```yaml
mac_security:
  license:
    license_name: <str; required>
    license_key: <str; required>
  fips_restrictions: <bool>
  profiles:
    # Profile-Name.
    - name: <str; required; unique>
      cipher: <str; "aes128-gcm" | "aes128-gcm-xpn" | "aes256-gcm" | "aes256-gcm-xpn">
      connection_keys:
        - id: <str; required; unique>
          encrypted_key: <str>
          fallback: <bool>
      mka:
        key_server_priority: <int; 0-255>
        session:
          # Rekey period in seconds.
          rekey_period: <int; 30-100000>
      sci: <bool>
      l2_protocols:
        ethernet_flow_control:
          mode: <str; "encrypt" | "bypass"; required>
        lldp:
          mode: <str; "bypass" | "bypass unauthorized"; required>
      traffic_unprotected:
        # Allow/drop the transmit/receive of unprotected traffic.
        action: <str; "allow" | "drop"; required>
        # Allow transmit/receive of encrypted traffic using operational SAK and block otherwise.
        allow_active_sak: <bool>
```
Filters and policies
AS path
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
as_path | Dictionary | | | | |
regex_mode | String | | | Valid Values: asn, string | |
access_lists | List, items: Dictionary | | | | |
- name | String | | | | Access List Name. |
entries | List, items: Dictionary | | | | |
- type | String | | | Valid Values: permit, deny | |
match | String | | | | Regex To Match. |
origin | String | | any | Valid Values: any, egp, igp, incomplete | |
Class-maps
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
class_maps | Dictionary | | | | |
pbr | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Class-Map Name. |
ip | Dictionary | | | | |
access_group | String | | | | Standard Access-List Name. |
qos | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Class-Map Name. |
vlan | String | | | | VLAN value(s) or range(s) of VLAN values. |
cos | String | | | | CoS value(s) or range(s) of CoS values. |
ip | Dictionary | | | | |
access_group | String | | | | IPv4 Access-List Name. |
ipv6 | Dictionary | | | | |
access_group | String | | | | IPv6 Access-List Name. |

```yaml
class_maps:
  pbr:
    # Class-Map Name.
    - name: <str; required; unique>
      ip:
        # Standard Access-List Name.
        access_group: <str>
  qos:
    # Class-Map Name.
    - name: <str; required; unique>
      # VLAN value(s) or range(s) of VLAN values.
      vlan: <str>
      # CoS value(s) or range(s) of CoS values.
      cos: <str>
      ip:
        # IPv4 Access-List Name.
        access_group: <str>
      ipv6:
        # IPv6 Access-List Name.
        access_group: <str>
```
Dynamic prefix lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
dynamic_prefix_lists | List, items: Dictionary | | | | |
- name | String | | | | Dynamic prefix-list name. |
match_map | String | | | | Route-map name. |
prefix_list | Dictionary | | | | |
ipv4 | String | | | | Prefix-list name. |
ipv6 | String | | | | Prefix-list name. |
IP community lists¶
AVD currently supports two different data models for community lists:
- The legacy `community_lists` data model that can be used for compatibility with the existing deployments.
- The improved `ip_community_lists` data model.
Both data models can coexist without conflicts, as different keys are used: `community_lists` vs `ip_community_lists`.
Community list names must be unique.
The legacy data model supports a simplified community list definition that only allows a single action, defined as a string:
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
community_lists | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Community-list Name. |
action | String | Required | | | Action as string. Example: “permit GSHUT 65123:123” |
The improved data model has a better design documented below:
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_community_lists | List, items: Dictionary | | | | Communities and regexp entries MUST not be configured in the same community-list. |
- name | String | Required, Unique | | | IP Community-list Name. |
entries | List, items: Dictionary | Required | | | |
- action | String | Required | | Valid Values: permit, deny | |
communities | List, items: String | | | | If defined, a standard community-list will be configured. Supported community strings (case insensitive): GSHUT, internet, local-as, no-advertise, no-export, <1-4294967040>, aa:nn |
- <str> | String | | | | |
regexp | String | | | | Regular Expression. If defined, a regex community-list will be configured. |
# Communities and regexp entries MUST not be configured in the same community-list.
ip_community_lists:
    # IP Community-list Name.
  - name: <str; required; unique>
    entries: # required
      - action: <str; "permit" | "deny"; required>
        # If defined, a standard community-list will be configured.
        # Supported community strings (case insensitive):
        # - GSHUT
        # - internet
        # - local-as
        # - no-advertise
        # - no-export
        # - <1-4294967040>
        # - aa:nn
        communities:
          - <str>
        # Regular Expression.
        # If defined, a regex community-list will be configured.
        regexp: <str>
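
The rule stated above (communities and regexp entries must not share a community-list) and the list of supported community strings can be checked on the parsed input before a configuration is rendered. The following Python check is an added example, not part of AVD; the function names and the `CL-*` sample lists are constructed for illustration, and the 16-bit bound on each half of `aa:nn` is an assumption.

```python
import re

# Well-known names from the schema comment; the comparison is case insensitive.
WELL_KNOWN = {"gshut", "internet", "local-as", "no-advertise", "no-export"}
AA_NN = re.compile(r"^([0-9]{1,5}):([0-9]{1,5})$")


def community_ok(value):
    """True if value is one of the supported community string forms."""
    text = str(value).strip()
    if text.lower() in WELL_KNOWN:
        return True
    if text.isascii() and text.isdigit():
        return 1 <= int(text) <= 4294967040
    match = AA_NN.match(text)
    # Assumption: both halves of aa:nn are 16-bit values (0-65535).
    return bool(match) and all(int(part) <= 65535 for part in match.groups())


def lint_ip_community_lists(ip_community_lists):
    """Return findings (strings) for a parsed ip_community_lists value."""
    findings, seen = [], set()
    for clist in ip_community_lists or []:
        name = clist.get("name", "<unnamed>")
        if name in seen:
            findings.append(f"{name}: community-list names must be unique")
        seen.add(name)
        entries = clist.get("entries") or []
        if not entries:
            findings.append(f"{name}: 'entries' is required")
        kinds = set()
        for idx, entry in enumerate(entries):
            where = f"{name}[{idx}]"
            if entry.get("action") not in ("permit", "deny"):
                findings.append(f"{where}: action must be 'permit' or 'deny'")
            communities = entry.get("communities") or []
            if communities:
                kinds.add("standard")
            if entry.get("regexp"):
                kinds.add("regexp")
            findings.extend(
                f"{where}: unsupported community string {c!r}"
                for c in communities
                if not community_ok(c)
            )
        # The schema's rule: one list is either standard or regexp, never both.
        if len(kinds) == 2:
            findings.append(f"{name}: mixes communities and regexp entries")
    return findings


# Constructed sample input (what the YAML above looks like once parsed).
SAMPLE = [
    {"name": "CL-GOOD", "entries": [
        {"action": "permit", "communities": ["GSHUT", "65123:123"]},
        {"action": "deny", "communities": ["no-export"]},
    ]},
    {"name": "CL-MIXED", "entries": [
        {"action": "permit", "communities": ["65000:100"]},
        {"action": "permit", "regexp": "^65000:[0-9]+$"},
    ]},
    {"name": "CL-BAD", "entries": [
        {"action": "allow", "communities": ["4294967041", "70000:1"]},
    ]},
]

if __name__ == "__main__":
    for finding in lint_ip_community_lists(SAMPLE):
        print(finding)
```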
IP extcommunity-lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_extcommunity_lists | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Community-list Name. |
entries | List, items: Dictionary | Required | | | |
- type | String | Required | | Valid Values: permit, deny | |
extcommunities | String | Required | | | Communities as string. Example: “65000:65000” |
IP extcommunity-lists-regexp¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_extcommunity_lists_regexp | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Community-list Name. |
entries | List, items: Dictionary | Required | | | |
- type | String | Required | | Valid Values: permit, deny | |
regexp | String | Required | | | Regular Expression. |
IPv6 prefix-lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ipv6_prefix_lists | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Prefix-list Name. |
sequence_numbers | List, items: Dictionary | Required | | | |
- sequence | Integer | Required, Unique | | | Sequence ID. |
action | String | Required | | | Action as string. Example: “permit 1b11:3a00:22b0:0082::/64 eq 128” |
Match list input¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
match_list_input | Dictionary | | | | |
prefix_ipv4 | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Prefix-List Name. |
prefixes | List, items: String | Required | | Min Length: 1 | List of IPv4 prefixes (with the subnet mask e.g. 192.0.2.0/24). |
- <str> | String | | | | |
prefix_ipv6 | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Prefix-List Name. |
prefixes | List, items: String | Required | | Min Length: 1 | List of IPv6 prefixes (with the subnet mask e.g. 2001:db8:abcd:0013::/64). |
- <str> | String | | | | |
string | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Match-list Name. |
sequence_numbers | List, items: Dictionary | Required | | | |
- sequence | Integer | Required, Unique | | | Sequence ID. |
match_regex | String | Required | | | Regular Expression. |
match_list_input:
  prefix_ipv4:
      # Prefix-List Name.
    - name: <str; required; unique>
      # List of IPv4 prefixes (with the subnet mask e.g. 192.0.2.0/24).
      prefixes: # >=1 items; required
        - <str>
  prefix_ipv6:
      # Prefix-List Name.
    - name: <str; required; unique>
      # List of IPv6 prefixes (with the subnet mask e.g. 2001:db8:abcd:0013::/64).
      prefixes: # >=1 items; required
        - <str>
  string:
      # Match-list Name.
    - name: <str; required; unique>
      sequence_numbers: # required
          # Sequence ID.
        - sequence: <int; required; unique>
          # Regular Expression.
          match_regex: <str; required>
Peer-filters¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
peer_filters | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Peer-filter Name. |
sequence_numbers | List, items: Dictionary | Required | | | |
- sequence | Integer | Required, Unique | | | Sequence ID. |
match | String | Required | | | Match as string. Example: “as-range 1-100 result accept” |
Policy-maps¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
policy_maps | Dictionary | | | | |
pbr | List, items: Dictionary | | | | PBR Policy-Maps. |
- name | String | Required, Unique | | | Policy-Map Name. |
classes | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Class Name. |
index | Integer | | | | |
drop | Boolean | | | | ‘drop’ and ‘set’ are mutually exclusive. |
set | Dictionary | | | | Set Nexthop. ‘drop’ and ‘set’ are mutually exclusive. |
nexthop | Dictionary | | | | |
ip_address | String | | | | IPv4 or IPv6 Address. |
recursive | Boolean | | | | |
qos | List, items: Dictionary | | | | QOS Policy-Maps. |
- name | String | Required, Unique | | | Policy-Map Name. |
classes | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Class Name. |
set | Dictionary | | | | |
cos | Integer | | | | |
dscp | String | | | | |
traffic_class | Integer | | | | |
drop_precedence | Integer | | | | |
police | Dictionary | | | | |
rate | Integer | | | | Specify rate. Range in kbps <8-200000000>. |
rate_unit | String | | bps | Valid Values: bps, kbps, mbps, pps | |
rate_burst_size | Integer | | | | Range in bytes <256-128000000>. |
rate_burst_size_unit | String | | bytes | Valid Values: bytes, kbytes, mbytes, packets | |
action | Dictionary | | | | |
type | String | | | Valid Values: dscp, drop-precedence | Set action for policed traffic. |
dscp_value | String | | | | Set when action.type is set to “dscp”. |
higher_rate | Integer | | | | Specify higher rate. Range in kbps <lower_rate in kbps + 8 - lower_rate in kbps + 200000000>. |
higher_rate_unit | String | | bps | Valid Values: bps, kbps, mbps, pps | |
higher_rate_burst_size | Integer | | | | Range in bytes <256-128000000>. |
higher_rate_burst_size_unit | String | | bytes | Valid Values: bytes, kbytes, mbytes, packets | |
copp_system_policy | Dictionary | | | | Control-plane policy configuration. |
classes | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | |
shape | Integer | | | Min: 0, Max: 10000000 | Maximum rate limit. |
bandwidth | Integer | | | Min: 0, Max: 10000000 | Minimum bandwidth. |
rate_unit | String | | | Valid Values: pps, kbps | The `rate_unit` must be defined for `shape` and `bandwidth`. |
policy_maps:
  # PBR Policy-Maps.
  pbr:
      # Policy-Map Name.
    - name: <str; required; unique>
      classes:
          # Class Name.
        - name: <str; required; unique>
          index: <int>
          # 'drop' and 'set' are mutually exclusive.
          drop: <bool>
          # Set Nexthop
          # 'drop' and 'set' are mutually exclusive.
          set:
            nexthop:
              # IPv4 or IPv6 Address.
              ip_address: <str>
              recursive: <bool>
  # QOS Policy-Maps.
  qos:
      # Policy-Map Name.
    - name: <str; required; unique>
      classes:
          # Class Name.
        - name: <str; required; unique>
          set:
            cos: <int>
            dscp: <str>
            traffic_class: <int>
            drop_precedence: <int>
          police:
            # Specify rate.
            # Range in kbps <8-200000000>.
            rate: <int>
            rate_unit: <str; "bps" | "kbps" | "mbps" | "pps"; default="bps">
            # Range in bytes <256-128000000>.
            rate_burst_size: <int>
            rate_burst_size_unit: <str; "bytes" | "kbytes" | "mbytes" | "packets"; default="bytes">
            action:
              # Set action for policed traffic.
              type: <str; "dscp" | "drop-precedence">
              # Set when action.type is set to "dscp".
              dscp_value: <str>
            # Specify higher rate.
            # Range in kbps <lower_rate in kbps + 8 - lower_rate in kbps + 200000000>.
            higher_rate: <int>
            higher_rate_unit: <str; "bps" | "kbps" | "mbps" | "pps"; default="bps">
            # Range in bytes <256-128000000>.
            higher_rate_burst_size: <int>
            higher_rate_burst_size_unit: <str; "bytes" | "kbytes" | "mbytes" | "packets"; default="bytes">
  # Control-plane policy configuration.
  copp_system_policy:
    classes:
      - name: <str; required; unique>
        # Maximum rate limit.
        shape: <int; 0-10000000>
        # Minimum bandwidth.
        bandwidth: <int; 0-10000000>
        # The `rate_unit` must be defined for `shape` and `bandwidth`.
        rate_unit: <str; "pps" | "kbps">
Prefix-lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
prefix_lists | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Prefix-list Name. |
sequence_numbers | List, items: Dictionary | | | | |
- sequence | Integer | Required, Unique | | | Sequence ID. |
action | String | Required | | | Action as string. Example: “permit 10.255.0.0/27 eq 32” |
Route-maps¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
route_maps | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Route-map Name. |
sequence_numbers | List, items: Dictionary | Required | | | |
- sequence | Integer | Required, Unique | | | Sequence ID. |
type | String | Required | | Valid Values: permit, deny | |
description | String | | | | |
match | List, items: String | | | | List of “match” statements. |
- <str> | String | | | | Match as string. Example: “ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY” |
set | List, items: String | | | | List of “set” statements. |
- <str> | String | | | | Set as string. Example: “origin incomplete” |
sub_route_map | String | | | | Name of Sub-Route-map. |
continue | Dictionary | | | | |
enabled | Boolean | | | | |
sequence_number | Integer | | | | |
route_maps:
    # Route-map Name.
  - name: <str; required; unique>
    sequence_numbers: # required
        # Sequence ID.
      - sequence: <int; required; unique>
        type: <str; "permit" | "deny"; required>
        description: <str>
        # List of "match" statements.
        match:
            # Match as string.
            # Example: "ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY"
          - <str>
        # List of "set" statements.
        set:
            # Set as string.
            # Example: "origin incomplete"
          - <str>
        # Name of Sub-Route-map.
        sub_route_map: <str>
        continue:
          enabled: <bool>
          sequence_number: <int>
Trackers¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
trackers | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Name of tracker object. |
interface | String | Required | | | Name of tracked interface. |
tracked_property | String | | line-protocol | | Property to track. |
Traffic policies¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
traffic_policies | Dictionary | | | | |
options | Dictionary | | | | |
counter_per_interface | Boolean | | | | |
field_sets | Dictionary | | | | |
ipv4 | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | IPv4 Prefix Field Set Name. |
prefixes | List, items: String | | | | |
- <str> | String | | | | IPv4 Prefix. |
ipv6 | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | IPv6 Prefix Field Set Name. |
prefixes | List, items: String | | | | |
- <str> | String | | | | IPv6 Prefix. |
ports | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | L4 Port Field Set Name. |
port_range | String | | | | Example: ‘10,20,80,440-450’ |
policies | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Traffic Policy Name. |
matches | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Traffic Policy Item. |
type | String | | | Valid Values: ipv4, ipv6 | |
source | Dictionary | | | | |
prefixes | List, items: String | | | | |
- <str> | String | | | | IP address or prefix. |
prefix_lists | List, items: String | | | | Field-set prefix lists. |
- <str> | String | | | | |
destination | Dictionary | | | | |
prefixes | List, items: String | | | | |
- <str> | String | | | | IP address or prefix. |
prefix_lists | List, items: String | | | | Field-set prefix lists. |
- <str> | String | | | | |
ttl | String | | | | TTL range. |
fragment | Dictionary | | | | The ‘fragment’ command is not supported when ‘source port’ or ‘destination port’ command is configured. |
offset | String | | | | Fragment offset range. |
protocols | List, items: Dictionary | | | | |
- protocol | String | Required, Unique | | | |
src_port | String | | | | Port range. |
dst_port | String | | | | Port range. |
src_field | String | | | | L4 port range field set. |
dst_field | String | | | | L4 port range field set. |
flags | List, items: String | | | | |
- <str> | String | | | Valid Values: established, initial | |
icmp_type | List, items: String | | | | |
- <str> | String | | | | |
actions | Dictionary | | | | |
dscp | Integer | | | | |
traffic_class | Integer | | | | Traffic class ID. |
count | String | | | | Counter name. |
drop | Boolean | | | | |
log | Boolean | | | | Only supported when action is set to drop. |
default_actions | Dictionary | | | | |
ipv4 | Dictionary | | | | |
dscp | Integer | | | | |
traffic_class | Integer | | | | Traffic class ID. |
count | String | | | | Counter name. |
drop | Boolean | | | | |
log | Boolean | | | | Only supported when action is set to drop. |
ipv6 | Dictionary | | | | |
dscp | Integer | | | | |
traffic_class | Integer | | | | Traffic class ID. |
count | String | | | | Counter name. |
drop | Boolean | | | | |
log | Boolean | | | | Only supported when action is set to drop. |
traffic_policies:
  options:
    counter_per_interface: <bool>
  field_sets:
    ipv4:
        # IPv4 Prefix Field Set Name.
      - name: <str; required; unique>
        prefixes:
            # IPv4 Prefix.
          - <str>
    ipv6:
        # IPv6 Prefix Field Set Name.
      - name: <str; required; unique>
        prefixes:
            # IPv6 Prefix.
          - <str>
    ports:
        # L4 Port Field Set Name.
      - name: <str; required; unique>
        # Example: '10,20,80,440-450'
        port_range: <str>
  policies:
      # Traffic Policy Name.
    - name: <str; required; unique>
      matches:
          # Traffic Policy Item.
        - name: <str; required; unique>
          type: <str; "ipv4" | "ipv6">
          source:
            prefixes:
                # IP address or prefix.
              - <str>
            # Field-set prefix lists.
            prefix_lists:
              - <str>
          destination:
            prefixes:
                # IP address or prefix.
              - <str>
            # Field-set prefix lists.
            prefix_lists:
              - <str>
          # TTL range.
          ttl: <str>
          # The 'fragment' command is not supported when 'source port'
          # or 'destination port' command is configured.
          fragment:
            # Fragment offset range.
            offset: <str>
          protocols:
            - protocol: <str; required; unique>
              # Port range.
              src_port: <str>
              # Port range.
              dst_port: <str>
              # L4 port range field set.
              src_field: <str>
              # L4 port range field set.
              dst_field: <str>
              flags:
                - <str; "established" | "initial">
              icmp_type:
                - <str>
          actions:
            dscp: <int>
            # Traffic class ID.
            traffic_class: <int>
            # Counter name.
            count: <str>
            drop: <bool>
            # Only supported when action is set to drop.
            log: <bool>
      default_actions:
        ipv4:
          dscp: <int>
          # Traffic class ID.
          traffic_class: <int>
          # Counter name.
          count: <str>
          drop: <bool>
          # Only supported when action is set to drop.
          log: <bool>
        ipv6:
          dscp: <int>
          # Traffic class ID.
          traffic_class: <int>
          # Counter name.
          count: <str>
          drop: <bool>
          # Only supported when action is set to drop.
          log: <bool>
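
The traffic policy model above carries two cross-field restrictions (`log` only with `drop`, and `fragment` not combined with source or destination ports) and several name references into `field_sets`, none of which a per-key type check can catch. The following Python check is an added example, not part of AVD; the function names and the sample policy are constructed, and treating `prefix_lists`, `src_field` and `dst_field` as references to `field_sets` names of the matching kind is an assumption drawn from their descriptions.

```python
def _names(items):
    """Set of 'name' values from a list of field-set dictionaries."""
    return {item.get("name") for item in items or []}


def _check_actions(where, actions, findings):
    # The schema notes that 'log' is only supported when the action is drop.
    if actions and actions.get("log") and not actions.get("drop"):
        findings.append(f"{where}: 'log' is set without 'drop'")


def lint_traffic_policies(traffic_policies):
    """Return findings (strings) for a parsed traffic_policies dictionary."""
    findings = []
    field_sets = traffic_policies.get("field_sets") or {}
    prefix_sets = {fam: _names(field_sets.get(fam)) for fam in ("ipv4", "ipv6")}
    port_sets = _names(field_sets.get("ports"))

    for policy in traffic_policies.get("policies") or []:
        pname = policy.get("name")
        for match in policy.get("matches") or []:
            where = f"{pname}/{match.get('name')}"
            family = match.get("type")
            # Assumption: a match of type ipv4 may only use ipv4 field sets.
            known = prefix_sets.get(family, prefix_sets["ipv4"] | prefix_sets["ipv6"])
            for side in ("source", "destination"):
                for ref in (match.get(side) or {}).get("prefix_lists") or []:
                    if ref not in known:
                        findings.append(f"{where}: {side} field set '{ref}' is not defined")

            uses_ports = False
            for proto in match.get("protocols") or []:
                # Only the src_port/dst_port keys are counted as port commands
                # here; field-set references are checked for existence instead.
                if proto.get("src_port") or proto.get("dst_port"):
                    uses_ports = True
                for key in ("src_field", "dst_field"):
                    ref = proto.get(key)
                    if ref and ref not in port_sets:
                        findings.append(f"{where}: {key} '{ref}' is not a defined port field set")

            if match.get("fragment") is not None and uses_ports:
                findings.append(f"{where}: 'fragment' is combined with src_port/dst_port")
            _check_actions(where, match.get("actions"), findings)

        for family, actions in (policy.get("default_actions") or {}).items():
            _check_actions(f"{pname}/default_actions.{family}", actions, findings)
    return findings


# Constructed sample input (the YAML above once parsed); names are illustrative.
SAMPLE = {
    "field_sets": {
        "ipv4": [{"name": "MGMT-NETS", "prefixes": ["192.0.2.0/24"]}],
        "ports": [{"name": "SSH-PORTS", "port_range": "22,2222"}],
    },
    "policies": [{
        "name": "EDGE-IN",
        "matches": [
            {"name": "MGMT-SSH", "type": "ipv4",
             "source": {"prefix_lists": ["MGMT-NETS"]},
             "protocols": [{"protocol": "tcp", "dst_field": "SSH-PORTS"}],
             "actions": {"count": "MGMT-SSH"}},
            {"name": "DNS-FRAGS", "type": "ipv4",
             "source": {"prefix_lists": ["MGMT-NET"]},  # misspelled reference
             "fragment": {"offset": "1-8191"},
             "protocols": [{"protocol": "udp", "dst_port": "53",
                            "src_field": "DNS-PORTS"}],
             "actions": {"log": True}},
        ],
        "default_actions": {"ipv4": {"drop": True, "log": True},
                            "ipv6": {"log": True}},
    }],
}

if __name__ == "__main__":
    for finding in lint_traffic_policies(SAMPLE):
        print(finding)
```

A `log: true` without `drop: true` is worth flagging in review because the intended deny-and-log rule would otherwise not express a drop at all.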
Interfaces¶
DPS interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
dps_interfaces | List, items: Dictionary | | | Min Length: 1, Max Length: 1 | |
- name | String | Required, Unique | | Valid Values: Dps1 | “Dps1” is currently the only supported interface. |
description | String | | | | |
shutdown | Boolean | | | | |
mtu | Integer | | | Min: 68, Max: 65535 | Maximum Transmission Unit in bytes. |
ip_address | String | | | | IPv4 address/mask. |
flow_tracker | Dictionary | | | | |
sampled | String | | | | Sampled flow tracker name. |
hardware | String | | | | Hardware flow tracker name. |
tcp_mss_ceiling | Dictionary | | | | |
ipv4 | Integer | | | Min: 64, Max: 65495 | Segment Size for IPv4. |
ipv6 | Integer | | | Min: 64, Max: 65475 | Segment Size for IPv6. |
direction | String | | | Valid Values: ingress, egress | Optional direction (‘ingress’, ‘egress’) for tcp mss ceiling. |
eos_cli | String | | | | Multiline String with EOS CLI rendered directly on the Dps interface in the final EOS configuration. |
dps_interfaces: # 1-1 items
    # "Dps1" is currently the only supported interface.
  - name: <str; "Dps1"; required; unique>
    description: <str>
    shutdown: <bool>
    # Maximum Transmission Unit in bytes.
    mtu: <int; 68-65535>
    # IPv4 address/mask.
    ip_address: <str>
    flow_tracker:
      # Sampled flow tracker name.
      sampled: <str>
      # Hardware flow tracker name.
      hardware: <str>
    tcp_mss_ceiling:
      # Segment Size for IPv4.
      ipv4: <int; 64-65495>
      # Segment Size for IPv6.
      ipv6: <int; 64-65475>
      # Optional direction ('ingress', 'egress') for tcp mss ceiling.
      direction: <str; "ingress" | "egress">
    # Multiline String with EOS CLI rendered directly on the Dps interface in the final EOS configuration.
    eos_cli: <str>
Errdisable¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
errdisable | Dictionary | | | | |
detect | Dictionary | | | | |
causes | List, items: String | | | | |
- <str> | String | | | Valid Values: acl, arp-inspection, dot1x, link-change, tapagg, xcvr-misconfigured, xcvr-overheat, xcvr-power-unsupported | |
recovery | Dictionary | | | | |
causes | List, items: String | | | | |
- <str> | String | | | Valid Values: arp-inspection, bpduguard, dot1x, hitless-reload-down, lacp-rate-limit, link-flap, no-internal-vlan, portchannelguard, portsec, speed-misconfigured, tap-port-init, tapagg, uplink-failure-detection, xcvr-misconfigured, xcvr-overheat, xcvr-power-unsupported, xcvr-unsupported | |
interval | Integer | | 300 | Min: 30, Max: 86400 | Interval in seconds. |
errdisable:
  detect:
    causes:
      - <str; "acl" | "arp-inspection" | "dot1x" | "link-change" | "tapagg" | "xcvr-misconfigured" | "xcvr-overheat" | "xcvr-power-unsupported">
  recovery:
    causes:
      - <str; "arp-inspection" | "bpduguard" | "dot1x" | "hitless-reload-down" | "lacp-rate-limit" | "link-flap" | "no-internal-vlan" | "portchannelguard" | "portsec" | "speed-misconfigured" | "tap-port-init" | "tapagg" | "uplink-failure-detection" | "xcvr-misconfigured" | "xcvr-overheat" | "xcvr-power-unsupported" | "xcvr-unsupported">
    # Interval in seconds.
    interval: <int; 30-86400; default=300>
Ethernet interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ethernet_interfaces | List, items: Dictionary | ||||
- name | String | Required, Unique | |||
description | String | ||||
shutdown | Boolean | ||||
load_interval | Integer | Min: 0 Max: 600 |
Interval in seconds for updating interface counters. | ||
speed | String | Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed> . |
|||
mtu | Integer | Min: 68 Max: 65535 |
|||
l2_mtu | Integer | Min: 68 Max: 65535 |
“l2_mtu” should only be defined for platforms supporting the “l2 mtu” CLI. |
||
l2_mru | Integer | Min: 68 Max: 65535 |
“l2_mru” should only be defined for platforms supporting the “l2 mru” CLI. |
||
vlans | String | List of switchport vlans as string. For a trunk port this would be a range like “1-200,300”. For an access port this would be a single vlan “123”. |
|||
native_vlan | Integer | ||||
native_vlan_tag | Boolean | If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence. | |||
mode | String | Valid Values: - access - dot1q-tunnel - trunk - trunk phone |
|||
phone | Dictionary | ||||
trunk | String | Valid Values: - tagged - tagged phone - untagged - untagged phone |
|||
vlan | Integer | Min: 1 Max: 4094 |
|||
l2_protocol | Dictionary | ||||
encapsulation_dot1q_vlan | Integer | Vlan tag to configure on sub-interface. | |||
forwarding_profile | String | L2 protocol forwarding profile. | |||
trunk_groups | List, items: String | ||||
- <str> | String | ||||
type | String | Valid Values: - routed - switched - l3dot1q - l2dot1q - port-channel-member |
l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed. Interface will not be listed in device documentation, unless “type” is set. |
||
snmp_trap_link_change | Boolean | ||||
address_locking | Dictionary | ||||
ipv4 | Boolean | Enable address locking for IPv4. | |||
ipv6 | Boolean | Enable address locking for IPv6. | |||
flowcontrol | Dictionary | ||||
received | String | Valid Values: - desired - on - off |
|||
vrf | String | VRF name. | |||
flow_tracker | Dictionary | ||||
sampled | String | Sampled flow tracker name. | |||
hardware | String | Hardware flow tracker name. | |||
error_correction_encoding | Dictionary | ||||
enabled | Boolean | True |
|||
fire_code | Boolean | ||||
reed_solomon | Boolean | ||||
link_tracking_groups | List, items: Dictionary | ||||
- name | String | Required, Unique | Group name. | ||
direction | String | Valid Values: - upstream - downstream |
|||
evpn_ethernet_segment | Dictionary | ||||
identifier | String | EVPN Ethernet Segment Identifier (Type 1 format). | |||
redundancy | String | Valid Values: - all-active - single-active |
|||
designated_forwarder_election | Dictionary | ||||
algorithm | String | Valid Values: - modulus - preference |
|||
preference_value | Integer | Min: 0 Max: 65535 |
Preference_value is only used when “algorithm” is “preference”. | ||
dont_preempt | Boolean | Dont_preempt is only used when “algorithm” is “preference”. | |||
hold_time | Integer | ||||
subsequent_hold_time | Integer | ||||
candidate_reachability_required | Boolean | ||||
mpls | Dictionary | ||||
shared_index | Integer | Min: 1 Max: 1024 |
|||
tunnel_flood_filter_time | Integer | ||||
route_target | String | EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx. | |||
encapsulation_dot1q_vlan | Integer | VLAN tag to configure on sub-interface. | |||
encapsulation_vlan | Dictionary | ||||
client | Dictionary | ||||
dot1q | Dictionary | ||||
vlan | Integer | Client VLAN ID. | |||
outer | Integer | Client Outer VLAN ID. | |||
inner | Integer | Client Inner VLAN ID. | |||
unmatched | Boolean | ||||
network | Dictionary | Network encapsulations are all optional and skipped if using client unmatched. | |||
dot1q | Dictionary | ||||
vlan | Integer | Network VLAN ID. | |||
outer | Integer | Network outer VLAN ID. | |||
inner | Integer | Network inner VLAN ID. | |||
client | Boolean | ||||
vlan_id | Integer | Min: 1 Max: 4094 |
|||
ip_address | String | IPv4 address/mask or “dhcp”. | |||
ip_address_secondaries | List, items: String | ||||
- <str> | String | ||||
ip_verify_unicast_source_reachable_via | String | Valid Values: - any - rx |
|||
dhcp_client_accept_default_route | Boolean | Install default-route obtained via DHCP. | |||
dhcp_server_ipv4 | Boolean | Enable IPv4 DHCP server. | |||
dhcp_server_ipv6 | Boolean | Enable IPv6 DHCP server. | |||
ip_helpers | List, items: Dictionary | ||||
- ip_helper | String | Required, Unique | |||
source_interface | String | Source interface name. | |||
vrf | String | VRF name. | |||
ip_nat | Dictionary | ||||
service_profile | String | NAT interface profile. | |||
destination | Dictionary | ||||
dynamic | List, items: Dictionary | ||||
- access_list | String | Required, Unique | |||
comment | String | ||||
pool_name | String | Required | |||
priority | Integer | Min: 0 Max: 4294967295 |
|||
static | List, items: Dictionary | ||||
- access_list | String | ‘access_list’ and ‘group’ are mutually exclusive. | |||
comment | String | ||||
direction | String | Valid Values: - egress - ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutually exclusive. | ||
original_ip | String | IPv4 address. The combination of original_ip and original_port must be unique. |
|||
original_port | Integer | Min: 1 Max: 65535 |
TCP/UDP port. The combination of original_ip and original_port must be unique. |
||
priority | Integer | Min: 0 Max: 4294967295 |
|||
protocol | String | Valid Values: - udp - tcp |
|||
translated_ip | String | Required | IPv4 address. | ||
translated_port | Integer | Min: 1 Max: 65535 |
Requires ‘original_port’. | ||
source | Dictionary | ||||
dynamic | List, items: Dictionary | ||||
- access_list | String | Required, Unique | |||
comment | String | ||||
nat_type | String | Required | Valid Values: - overload - pool - pool-address-only - pool-full-cone |
||
pool_name | String | Required if ‘nat_type’ is pool, pool-address-only or pool-full-cone. Ignored if ‘nat_type’ is overload. |
|||
priority | Integer | Min: 0 Max: 4294967295 |
|||
static | List, items: Dictionary | ||||
- access_list | String | ‘access_list’ and ‘group’ are mutually exclusive. | |||
comment | String | ||||
direction | String | Valid Values: - egress - ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutually exclusive. | ||
original_ip | String | IPv4 address. The combination of original_ip and original_port must be unique. |
|||
original_port | Integer | Min: 1 Max: 65535 |
TCP/UDP port. The combination of original_ip and original_port must be unique. |
||
priority | Integer | Min: 0 Max: 4294967295 |
|||
protocol | String | Valid Values: - udp - tcp |
|||
translated_ip | String | Required | IPv4 address. | ||
translated_port | Integer | Min: 1 Max: 65535 |
Requires ‘original_port’. | ||
ipv6_enable | Boolean | ||||
ipv6_address | String | ||||
ipv6_address_link_local | String | Link local IPv6 address/mask. | |||
ipv6_nd_ra_disabled | Boolean | ||||
ipv6_nd_managed_config_flag | Boolean | ||||
ipv6_nd_prefixes | List, items: Dictionary | ||||
- ipv6_prefix | String | Required, Unique | |||
valid_lifetime | String | Infinite or lifetime in seconds. | |||
preferred_lifetime | String | Infinite or lifetime in seconds. | |||
no_autoconfig_flag | Boolean | ||||
ipv6_dhcp_relay_destinations | List, items: Dictionary | ||||
- address | String | Required, Unique | DHCP server’s IPv6 address. | ||
vrf | String | ||||
local_interface | String | Local interface to communicate with DHCP server - mutually exclusive to source_address. | |||
source_address | String | Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface. | |||
link_address | String | Override the default link address specified in the relayed DHCP packet. | |||
access_group_in | String | Access list name. | |||
access_group_out | String | Access list name. | |||
ipv6_access_group_in | String | IPv6 access list name. | |||
ipv6_access_group_out | String | IPv6 access list name. | |||
mac_access_group_in | String | MAC access list name. | |||
mac_access_group_out | String | MAC access list name. | |||
multicast | Dictionary | Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both. | |||
ipv4 | Dictionary | ||||
boundaries | List, items: Dictionary | ||||
- boundary | String | ACL name or multicast IP subnet. | |||
out | Boolean | ||||
static | Boolean | ||||
ipv6 | Dictionary | ||||
boundaries | List, items: Dictionary | ||||
- boundary | String | ACL name or multicast IP subnet. | |||
static | Boolean | ||||
ospf_network_point_to_point | Boolean | ||||
ospf_area | String | ||||
ospf_cost | Integer | ||||
ospf_authentication | String | Valid Values: - none - simple - message-digest |
|||
ospf_authentication_key | String | Encrypted password - only type 7 supported. | |||
ospf_message_digest_keys | List, items: Dictionary | ||||
- id | Integer | Required, Unique | |||
hash_algorithm | String | Valid Values: - md5 - sha1 - sha256 - sha384 - sha512 |
|||
key | String | Encrypted password - only type 7 supported. | |||
pim | Dictionary | ||||
ipv4 | Dictionary | ||||
border_router | Boolean | Configure PIM border router. EOS default is false. | |||
dr_priority | Integer | Min: 0 Max: 429467295 |
|||
sparse_mode | Boolean | ||||
bfd | Boolean | Set the default for whether Bidirectional Forwarding Detection is enabled for PIM. | |||
bidirectional | Boolean | ||||
hello | Dictionary | ||||
count | String | Number of missed hellos after which the neighbor expires. Range <1.5-65535>. | |||
interval | Integer | Min: 1 Max: 65535 |
PIM hello interval in seconds. | ||
mac_security | Dictionary | ||||
profile | String | ||||
tcp_mss_ceiling | Dictionary | The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface. |
|||
ipv4_segment_size | Integer | | | Min: 64, Max: 65475 | |
ipv6_segment_size | Integer | | | Min: 64, Max: 65475 | |
direction | String | | | Valid Values: egress, ingress | |
channel_group | Dictionary | | | | |
id | Integer | | | | |
mode | String | | | Valid Values: on, active, passive | |
isis_enable | String | | | | ISIS instance. |
isis_bfd | Boolean | | | | Enable BFD for ISIS. |
isis_passive | Boolean | | | | |
isis_metric | Integer | | | | |
isis_network_point_to_point | Boolean | | | | |
isis_circuit_type | String | | | Valid Values: level-1-2, level-1, level-2 | |
isis_hello_padding | Boolean | | | | |
isis_authentication_mode | String | | | Valid Values: text, md5 | |
isis_authentication_key | String | | | | Type-7 encrypted password. |
poe | Dictionary | | | | |
disabled | Boolean | | False | | Disable PoE on a POE capable port. PoE is enabled on all ports that support it by default in EOS. |
priority | String | | | Valid Values: critical, high, medium, low | Prioritize a port’s power in the event that one of the switch’s power supplies loses power. |
reboot | Dictionary | | | | Set the PoE power behavior for a PoE port when the system is rebooted. |
action | String | | | Valid Values: maintain, power-off | PoE action for interface. |
link_down | Dictionary | | | | Set the PoE power behavior for a PoE port when the port goes down. |
action | String | | | Valid Values: maintain, power-off | PoE action for interface. |
power_off_delay | Integer | | | Min: 1, Max: 86400 | Number of seconds to delay shutting the power off after a link down event occurs. Default value is 5 seconds in EOS. |
shutdown | Dictionary | | | | Set the PoE power behavior for a PoE port when the port is admin down. |
action | String | | | Valid Values: maintain, power-off | PoE action for interface. |
limit | Dictionary | | | | Override the hardware-negotiated power limit using either wattage or a power class. Note that if using a power class, AVD will automatically convert the class value to the wattage value corresponding to that power class. |
class | Integer | | | Min: 0, Max: 8 | |
watts | String | | | | |
fixed | Boolean | | | | Set to ignore hardware classification. |
negotiation_lldp | Boolean | | | | Disable to prevent port from negotiating power with powered devices over LLDP. Enabled by default in EOS. |
legacy_detect | Boolean | | | | Allow a subset of legacy devices to work with the PoE switch. Disabled by default in EOS because it can cause false positive detections. |
ptp | Dictionary | | | | |
enable | Boolean | | | | |
announce | Dictionary | | | | |
interval | Integer | | | | |
timeout | Integer | | | | |
delay_req | Integer | | | | |
delay_mechanism | String | | | Valid Values: e2e, p2p | |
profile | Dictionary | | | | |
g8275_1 | Dictionary | | | | |
destination_mac_address | String | | | Valid Values: forwardable, non-forwardable | |
sync_message | Dictionary | | | | |
interval | Integer | | | | |
role | String | | | Valid Values: master, dynamic | |
vlan | String | | | | VLAN can be ‘all’ or list of vlans as string. |
transport | String | | | Valid Values: ipv4, ipv6, layer2 | |
profile | String | | | | Interface profile. |
storm_control | Dictionary | | | | |
all | Dictionary | | | | |
level | String | | | | Configure maximum storm-control level. |
unit | String | | percent | Valid Values: percent, pps | Optional field and is hardware dependent. |
broadcast | Dictionary | | | | |
level | String | | | | Configure maximum storm-control level. |
unit | String | | percent | Valid Values: percent, pps | Optional field and is hardware dependent. |
multicast | Dictionary | | | | |
level | String | | | | Configure maximum storm-control level. |
unit | String | | percent | Valid Values: percent, pps | Optional field and is hardware dependent. |
unknown_unicast | Dictionary | | | | |
level | String | | | | Configure maximum storm-control level. |
unit | String | | percent | Valid Values: percent, pps | Optional field and is hardware dependent. |
logging | Dictionary | | | | |
event | Dictionary | | | | |
link_status | Boolean | | | | |
congestion_drops | Boolean | | | | |
spanning_tree | Boolean | | | | |
storm_control_discards | Boolean | | | | Discards due to storm-control. |
lldp | Dictionary | | | | |
transmit | Boolean | | | | |
receive | Boolean | | | | |
ztp_vlan | Integer | | | | ZTP vlan number. |
trunk_private_vlan_secondary | Boolean | | | | |
pvlan_mapping | String | | | | List of vlans as string. |
vlan_translations | List, items: Dictionary | | | | |
- from | String | | | | List of vlans as string (only one vlan if direction is “both”). |
to | Integer | | | | VLAN ID. |
direction | String | | both | Valid Values: in, out, both | |
dot1x | Dictionary | | | | |
port_control | String | | | Valid Values: auto, force-authorized, force-unauthorized | |
port_control_force_authorized_phone | Boolean | | | | |
reauthentication | Boolean | | | | |
pae | Dictionary | | | | |
mode | String | | | Valid Values: authenticator | |
authentication_failure | Dictionary | | | | |
action | String | | | Valid Values: allow, drop | |
allow_vlan | Integer | | | Min: 1, Max: 4094 | |
host_mode | Dictionary | | | | |
mode | String | | | Valid Values: multi-host, single-host | |
multi_host_authenticated | Boolean | | | | |
mac_based_authentication | Dictionary | | | | |
enabled | Boolean | | | | |
always | Boolean | | | | |
host_mode_common | Boolean | | | | |
timeout | Dictionary | | | | |
idle_host | Integer | | | Min: 10, Max: 65535 | |
quiet_period | Integer | | | Min: 1, Max: 65535 | |
reauth_period | String | | | | Value can be 60-4294967295 or ‘server’. |
reauth_timeout_ignore | Boolean | | | | |
tx_period | Integer | | | Min: 1, Max: 65535 | |
reauthorization_request_limit | Integer | | | Min: 1, Max: 10 | |
unauthorized | Dictionary | | | | |
access_vlan_membership_egress | Boolean | | | | |
native_vlan_membership_egress | Boolean | | | | |
eapol | Dictionary | | | | |
disabled | Boolean | | | | |
authentication_failure_fallback_mba | Dictionary | | | | |
enabled | Boolean | | | | |
timeout | Integer | | | Min: 0, Max: 65535 | |
service_profile | String | | | | QOS profile. |
shape | Dictionary | | | | |
rate | String | | | | Rate in kbps, pps or percent. Supported options are platform dependent. Examples: “5000 kbps”, “1000 pps”, “20 percent”. |
qos | Dictionary | | | | |
trust | String | | | Valid Values: dscp, cos, disabled | |
dscp | Integer | | | | DSCP value. |
cos | Integer | | | | COS value. |
spanning_tree_bpdufilter | String | | | Valid Values: enabled, disabled, True, False, true, false | |
spanning_tree_bpduguard | String | | | Valid Values: enabled, disabled, True, False, true, false | |
spanning_tree_guard | String | | | Valid Values: loop, root, disabled | |
spanning_tree_portfast | String | | | Valid Values: edge, network | |
vmtracer | Boolean | | | | |
priority_flow_control | Dictionary | | | | |
enabled | Boolean | | | | |
priorities | List, items: Dictionary | | | | |
- priority | Integer | Required, Unique | | Min: 0, Max: 7 | |
no_drop | Boolean | | | | |
bfd | Dictionary | | | | |
echo | Boolean | | | | |
interval | Integer | | | | Interval in milliseconds. |
min_rx | Integer | | | | Rate in milliseconds. |
multiplier | Integer | | | Min: 3, Max: 50 | |
service_policy | Dictionary | | | | |
pbr | Dictionary | | | | |
input | String | | | | Policy Based Routing Policy-map name. |
qos | Dictionary | | | | |
input | String | Required | | | Quality of Service Policy-map name. |
mpls | Dictionary | | | | |
ip | Boolean | | | | |
ldp | Dictionary | | | | |
interface | Boolean | | | | |
igp_sync | Boolean | | | | |
lacp_timer | Dictionary | | | | |
mode | String | | | Valid Values: fast, normal | |
multiplier | Integer | | | Min: 3, Max: 3000 | |
lacp_port_priority | Integer | | | Min: 0, Max: 65535 | |
transceiver | Dictionary | | | | |
frequency | String | | | | Transceiver Laser Frequency in GHz (min 190000, max 200000). |
frequency_unit | String | | | Valid Values: ghz | Unit of Transceiver Laser Frequency. |
media | Dictionary | | | | |
override | String | | | | Transceiver type. |
ip_proxy_arp | Boolean | | | | |
traffic_policy | Dictionary | | | | |
input | String | | | | Ingress traffic policy. |
output | String | | | | Egress traffic policy. |
bgp | Dictionary | | | | |
session_tracker | String | | | | Name of session tracker. |
ip_igmp_host_proxy | Dictionary | | | | |
enabled | Boolean | | | | |
groups | List, items: Dictionary | | | | |
- group | String | Required, Unique | | | Multicast Address. |
exclude | List, items: Dictionary | | | | The same source must not be present both in exclude and include list. |
- source | String | Required, Unique | | | |
include | List, items: Dictionary | | | | The same source must not be present both in exclude and include list. |
- source | String | Required, Unique | | | |
report_interval | Integer | | | Min: 1, Max: 31744 | Time interval between unsolicited reports. |
access_lists | List, items: Dictionary | | | | Non-standard Access List name. |
- name | String | Required, Unique | | | |
version | Integer | | | Min: 1, Max: 3 | IGMP version on IGMP host-proxy interface. |
peer | String | | | | Key only used for documentation or validation purposes. |
peer_interface | String | | | | Key only used for documentation or validation purposes. |
peer_type | String | | | | Key only used for documentation or validation purposes. |
sflow | Dictionary | | | | |
enable | Boolean | | | | |
egress | Dictionary | | | | |
enable | Boolean | | | | |
unmodified_enable | Boolean | | | | |
sync_e | Dictionary | | | | |
enable | Boolean | | | | |
priority | String | | | | The priority is used to influence the reference clock selection. The EOS default priority is 127. The priority can be configured to any integer between 1-255, or set to disabled. |
port_profile | String | | | | Key only used for documentation or validation purposes. |
uc_tx_queues | List, items: Dictionary | | | | |
- id | Integer | Required, Unique | | | TX-Queue ID. |
random_detect | Dictionary | | | | |
ecn | Dictionary | | | | Explicit Congestion Notification. |
count | Boolean | | | | Enable counter for random-detect ECNs. |
threshold | Dictionary | | | | |
units | String | Required | | Valid Values: segments, bytes, kbytes, mbytes, milliseconds | Indicate the units to be used for the threshold values. |
min | Integer | Required | | Min: 1, Max: 256000000 | Set the random-detect ECN minimum-threshold. |
max | Integer | Required | | Min: 1, Max: 256000000 | Set the random-detect ECN maximum-threshold. |
max_probability | Integer | | | Min: 1, Max: 100 | Set the random-detect ECN max-mark-probability. |
weight | Integer | | | Min: 0, Max: 15 | Set the random-detect ECN weight. |
tx_queues | List, items: Dictionary | | | | |
- id | Integer | Required, Unique | | | TX-Queue ID. |
random_detect | Dictionary | | | | |
ecn | Dictionary | | | | Explicit Congestion Notification. |
count | Boolean | | | | Enable counter for random-detect ECNs. |
threshold | Dictionary | | | | |
units | String | Required | | Valid Values: segments, bytes, kbytes, mbytes, milliseconds | Indicate the units to be used for the threshold values. |
min | Integer | | | Min: 1, Max: 256000000 | Set the random-detect ECN minimum-threshold. |
max | Integer | Required | | Min: 1, Max: 256000000 | Set the random-detect ECN maximum-threshold. |
max_probability | Integer | Required | | Min: 1, Max: 100 | Set the random-detect ECN max-mark-probability. |
weight | Integer | | | Min: 0, Max: 15 | Set the random-detect ECN weight. |
vrrp_ids | List, items: Dictionary | | | | VRRP model. |
- id | Integer | Required, Unique | | | VRID. |
priority_level | Integer | | | Min: 1, Max: 254 | Instance priority. |
advertisement | Dictionary | | | | |
interval | Integer | | | Min: 1, Max: 255 | Interval in seconds. |
preempt | Dictionary | | | | |
enabled | Boolean | Required | | | |
delay | Dictionary | | | | |
minimum | Integer | | | Min: 0, Max: 3600 | Minimum preempt delay in seconds. |
reload | Integer | | | Min: 0, Max: 3600 | Reload preempt delay in seconds. |
timers | Dictionary | | | | |
delay | Dictionary | | | | |
reload | Integer | | | Min: 0, Max: 3600 | Delay after reload in seconds. |
tracked_object | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Tracked object name. |
decrement | Integer | | | Min: 1, Max: 254 | Decrement VRRP priority by 1-254. |
shutdown | Boolean | | | | |
ipv4 | Dictionary | | | | |
address | String | Required | | | Virtual IPv4 address. |
version | Integer | | | Valid Values: 2, 3 | |
ipv6 | Dictionary | | | | |
address | String | Required | | | Virtual IPv6 address. |
validate_state | Boolean | | | | Set to false to disable interface validation by the eos_validate_state role. |
switchport | Dictionary | | | | |
port_security | Dictionary | | | | |
enabled | Boolean | | | | |
mac_address_maximum | Dictionary | | | | Maximum number of MAC addresses allowed on the interface. |
disabled | Boolean | | | | Disable port level check for port security (only in violation ‘shutdown’ mode). |
limit | Integer | | | Min: 1, Max: 1000 | MAC address limit. |
violation | Dictionary | | | | Configure violation mode (shutdown or protect), EOS default is ‘shutdown’. |
mode | String | | | Valid Values: shutdown, protect | Configure port security mode. |
protect_log | Boolean | | | | Log new addresses seen after limit is reached in protect mode. |
vlan_default_mac_address_maximum | Integer | | | Min: 0, Max: 1000 | Default maximum MAC addresses for all VLANs on this interface. |
vlans | List, items: Dictionary | | | | |
- range | String | Required, Unique | | | VLAN ID or range(s) of VLAN IDs, <1-4094>. Example: 3; 1,3; 1-10 |
mac_address_maximum | Integer | | | | |
eos_cli | String | | | | Multiline EOS CLI rendered directly on the ethernet interface in the final EOS configuration. |
ethernet_interfaces:
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>
    # Interval in seconds for updating interface counters.
    load_interval: <int; 0-600>
    # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
    speed: <str>
    mtu: <int; 68-65535>
    # "l2_mtu" should only be defined for platforms supporting the "l2 mtu" CLI.
    l2_mtu: <int; 68-65535>
    # "l2_mru" should only be defined for platforms supporting the "l2 mru" CLI.
    l2_mru: <int; 68-65535>
    # List of switchport vlans as string.
    # For a trunk port this would be a range like "1-200,300".
    # For an access port this would be a single vlan "123".
    vlans: <str>
    native_vlan: <int>
    # If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    native_vlan_tag: <bool>
    mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">
    phone:
      trunk: <str; "tagged" | "tagged phone" | "untagged" | "untagged phone">
      vlan: <int; 1-4094>
    l2_protocol:
      # Vlan tag to configure on sub-interface.
      encapsulation_dot1q_vlan: <int>
      # L2 protocol forwarding profile.
      forwarding_profile: <str>
    trunk_groups:
      - <str>
    # l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
    # Interface will not be listed in device documentation, unless "type" is set.
    type: <str; "routed" | "switched" | "l3dot1q" | "l2dot1q" | "port-channel-member">
    snmp_trap_link_change: <bool>
    address_locking:
      # Enable address locking for IPv4.
      ipv4: <bool>
      # Enable address locking for IPv6.
      ipv6: <bool>
    flowcontrol:
      received: <str; "desired" | "on" | "off">
    # VRF name.
    vrf: <str>
    flow_tracker:
      # Sampled flow tracker name.
      sampled: <str>
      # Hardware flow tracker name.
      hardware: <str>
    error_correction_encoding:
      enabled: <bool; default=True>
      fire_code: <bool>
      reed_solomon: <bool>
    link_tracking_groups:
      # Group name.
      - name: <str; required; unique>
        direction: <str; "upstream" | "downstream">
    evpn_ethernet_segment:
      # EVPN Ethernet Segment Identifier (Type 1 format).
      identifier: <str>
      redundancy: <str; "all-active" | "single-active">
      designated_forwarder_election:
        algorithm: <str; "modulus" | "preference">
        # Preference_value is only used when "algorithm" is "preference".
        preference_value: <int; 0-65535>
        # Dont_preempt is only used when "algorithm" is "preference".
        dont_preempt: <bool>
        hold_time: <int>
        subsequent_hold_time: <int>
        candidate_reachability_required: <bool>
      mpls:
        shared_index: <int; 1-1024>
        tunnel_flood_filter_time: <int>
      # EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
      route_target: <str>
    # VLAN tag to configure on sub-interface.
    encapsulation_dot1q_vlan: <int>
    encapsulation_vlan:
      client:
        dot1q:
          # Client VLAN ID.
          vlan: <int>
          # Client Outer VLAN ID.
          outer: <int>
          # Client Inner VLAN ID.
          inner: <int>
        unmatched: <bool>
      # Network encapsulations are all optional and skipped if using client unmatched.
      network:
        dot1q:
          # Network VLAN ID.
          vlan: <int>
          # Network outer VLAN ID.
          outer: <int>
          # Network inner VLAN ID.
          inner: <int>
        client: <bool>
    vlan_id: <int; 1-4094>
    # IPv4 address/mask or "dhcp".
    ip_address: <str>
    ip_address_secondaries:
      - <str>
    ip_verify_unicast_source_reachable_via: <str; "any" | "rx">
    # Install default-route obtained via DHCP.
    dhcp_client_accept_default_route: <bool>
    # Enable IPv4 DHCP server.
    dhcp_server_ipv4: <bool>
    # Enable IPv6 DHCP server.
    dhcp_server_ipv6: <bool>
    ip_helpers:
      - ip_helper: <str; required; unique>
        # Source interface name.
        source_interface: <str>
        # VRF name.
        vrf: <str>
    ip_nat:
      # NAT interface profile.
      service_profile: <str>
      destination:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            pool_name: <str; required>
            priority: <int; 0-4294967295>
        static:
          # 'access_list' and 'group' are mutual exclusive.
          - access_list: <str>
            comment: <str>
            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">
            # 'access_list' and 'group' are mutual exclusive.
            group: <int; 1-65535>
            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>
            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">
            # IPv4 address.
            translated_ip: <str; required>
            # requires 'original_port'.
            translated_port: <int; 1-65535>
      source:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>
            # required if 'nat_type' is pool, pool-address-only or pool-full-cone.
            # ignored if 'nat_type' is overload.
            pool_name: <str>
            priority: <int; 0-4294967295>
        static:
          # 'access_list' and 'group' are mutual exclusive.
          - access_list: <str>
            comment: <str>
            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">
            # 'access_list' and 'group' are mutual exclusive.
            group: <int; 1-65535>
            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>
            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">
            # IPv4 address.
            translated_ip: <str; required>
            # requires 'original_port'.
            translated_port: <int; 1-65535>
    ipv6_enable: <bool>
    ipv6_address: <str>
    # Link local IPv6 address/mask.
    ipv6_address_link_local: <str>
    ipv6_nd_ra_disabled: <bool>
    ipv6_nd_managed_config_flag: <bool>
    ipv6_nd_prefixes:
      - ipv6_prefix: <str; required; unique>
        # Infinite or lifetime in seconds.
        valid_lifetime: <str>
        # Infinite or lifetime in seconds.
        preferred_lifetime: <str>
        no_autoconfig_flag: <bool>
    ipv6_dhcp_relay_destinations:
      # DHCP server's IPv6 address.
      - address: <str; required; unique>
        vrf: <str>
        # Local interface to communicate with DHCP server - mutually exclusive to source_address.
        local_interface: <str>
        # Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface.
        source_address: <str>
        # Override the default link address specified in the relayed DHCP packet.
        link_address: <str>
    # Access list name.
    access_group_in: <str>
    # Access list name.
    access_group_out: <str>
    # IPv6 access list name.
    ipv6_access_group_in: <str>
    # IPv6 access list name.
    ipv6_access_group_out: <str>
    # MAC access list name.
    mac_access_group_in: <str>
    # MAC access list name.
    mac_access_group_out: <str>
    # Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both.
    multicast:
      ipv4:
        boundaries:
          # ACL name or multicast IP subnet.
          - boundary: <str>
            out: <bool>
        static: <bool>
      ipv6:
        boundaries:
          # ACL name or multicast IP subnet.
          - boundary: <str>
        static: <bool>
    ospf_network_point_to_point: <bool>
    ospf_area: <str>
    ospf_cost: <int>
    ospf_authentication: <str; "none" | "simple" | "message-digest">
    # Encrypted password - only type 7 supported.
    ospf_authentication_key: <str>
    ospf_message_digest_keys:
      - id: <int; required; unique>
        hash_algorithm: <str; "md5" | "sha1" | "sha256" | "sha384" | "sha512">
        # Encrypted password - only type 7 supported.
        key: <str>
    pim:
      ipv4:
        # Configure PIM border router. EOS default is false.
        border_router: <bool>
        dr_priority: <int; 0-429467295>
        sparse_mode: <bool>
        # Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
        bfd: <bool>
        bidirectional: <bool>
        hello:
          # Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
          count: <str>
          # PIM hello interval in seconds.
          interval: <int; 1-65535>
    mac_security:
      profile: <str>
    # The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
    # of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.
    tcp_mss_ceiling:
      ipv4_segment_size: <int; 64-65475>
      ipv6_segment_size: <int; 64-65475>
      direction: <str; "egress" | "ingress">
    channel_group:
      id: <int>
      mode: <str; "on" | "active" | "passive">
    # ISIS instance.
    isis_enable: <str>
    # Enable BFD for ISIS.
    isis_bfd: <bool>
    isis_passive: <bool>
    isis_metric: <int>
    isis_network_point_to_point: <bool>
    isis_circuit_type: <str; "level-1-2" | "level-1" | "level-2">
    isis_hello_padding: <bool>
    isis_authentication_mode: <str; "text" | "md5">
    # Type-7 encrypted password.
    isis_authentication_key: <str>
    poe:
      # Disable PoE on a POE capable port. PoE is enabled on all ports that support it by default in EOS.
      disabled: <bool; default=False>
      # Prioritize a port's power in the event that one of the switch's power supplies loses power.
      priority: <str; "critical" | "high" | "medium" | "low">
      # Set the PoE power behavior for a PoE port when the system is rebooted.
      reboot:
        # PoE action for interface.
        action: <str; "maintain" | "power-off">
      # Set the PoE power behavior for a PoE port when the port goes down.
      link_down:
        # PoE action for interface.
        action: <str; "maintain" | "power-off">
        # Number of seconds to delay shutting the power off after a link down event occurs. Default value is 5 seconds in EOS.
        power_off_delay: <int; 1-86400>
      # Set the PoE power behavior for a PoE port when the port is admin down.
      shutdown:
        # PoE action for interface.
        action: <str; "maintain" | "power-off">
      # Override the hardware-negotiated power limit using either wattage or a power class. Note that if using a power class, AVD will automatically convert the class value to the wattage value corresponding to that power class.
      limit:
        class: <int; 0-8>
        watts: <str>
        # Set to ignore hardware classification.
        fixed: <bool>
      # Disable to prevent port from negotiating power with powered devices over LLDP. Enabled by default in EOS.
      negotiation_lldp: <bool>
      # Allow a subset of legacy devices to work with the PoE switch. Disabled by default in EOS because it can cause false positive detections.
      legacy_detect: <bool>
    ptp:
      enable: <bool>
      announce:
        interval: <int>
        timeout: <int>
      delay_req: <int>
      delay_mechanism: <str; "e2e" | "p2p">
      profile:
        g8275_1:
          destination_mac_address: <str; "forwardable" | "non-forwardable">
      sync_message:
        interval: <int>
      role: <str; "master" | "dynamic">
      # VLAN can be 'all' or list of vlans as string.
      vlan: <str>
      transport: <str; "ipv4" | "ipv6" | "layer2">
    # Interface profile.
    profile: <str>
    storm_control:
      all:
        # Configure maximum storm-control level.
        level: <str>
        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      broadcast:
        # Configure maximum storm-control level.
        level: <str>
        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      multicast:
        # Configure maximum storm-control level.
        level: <str>
        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      unknown_unicast:
        # Configure maximum storm-control level.
        level: <str>
        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
    logging:
      event:
        link_status: <bool>
        congestion_drops: <bool>
        spanning_tree: <bool>
        # Discards due to storm-control.
        storm_control_discards: <bool>
    lldp:
      transmit: <bool>
      receive: <bool>
      # ZTP vlan number.
      ztp_vlan: <int>
    trunk_private_vlan_secondary: <bool>
    # List of vlans as string.
    pvlan_mapping: <str>
    vlan_translations:
      # List of vlans as string (only one vlan if direction is "both").
      - from: <str>
        # VLAN ID.
        to: <int>
        direction: <str; "in" | "out" | "both"; default="both">
    dot1x:
      port_control: <str; "auto" | "force-authorized" | "force-unauthorized">
      port_control_force_authorized_phone: <bool>
      reauthentication: <bool>
      pae:
        mode: <str; "authenticator">
      authentication_failure:
        action: <str; "allow" | "drop">
        allow_vlan: <int; 1-4094>
      host_mode:
        mode: <str; "multi-host" | "single-host">
        multi_host_authenticated: <bool>
      mac_based_authentication:
        enabled: <bool>
        always: <bool>
        host_mode_common: <bool>
      timeout:
        idle_host: <int; 10-65535>
        quiet_period: <int; 1-65535>
        # Value can be 60-4294967295 or 'server'.
        reauth_period: <str>
        reauth_timeout_ignore: <bool>
        tx_period: <int; 1-65535>
      reauthorization_request_limit: <int; 1-10>
      unauthorized:
        access_vlan_membership_egress: <bool>
        native_vlan_membership_egress: <bool>
      eapol:
        disabled: <bool>
        authentication_failure_fallback_mba:
          enabled: <bool>
          timeout: <int; 0-65535>
    # QOS profile.
    service_profile: <str>
    shape:
      # Rate in kbps, pps or percent.
      # Supported options are platform dependent.
      # Examples:
      # - "5000 kbps"
      # - "1000 pps"
      # - "20 percent"
      rate: <str>
    qos:
      trust: <str; "dscp" | "cos" | "disabled">
      # DSCP value.
      dscp: <int>
      # COS value.
      cos: <int>
    spanning_tree_bpdufilter: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
    spanning_tree_bpduguard: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
    spanning_tree_guard: <str; "loop" | "root" | "disabled">
    spanning_tree_portfast: <str; "edge" | "network">
    vmtracer: <bool>
    priority_flow_control:
      enabled: <bool>
      priorities:
        - priority: <int; 0-7; required; unique>
          no_drop: <bool>
    bfd:
      echo: <bool>
      # Interval in milliseconds.
      interval: <int>
      # Rate in milliseconds.
      min_rx: <int>
      multiplier: <int; 3-50>
    service_policy:
      pbr:
        # Policy Based Routing Policy-map name.
        input: <str>
      qos:
        # Quality of Service Policy-map name.
        input: <str; required>
    mpls:
      ip: <bool>
      ldp:
        interface: <bool>
        igp_sync: <bool>
    lacp_timer:
      mode: <str; "fast" | "normal">
      multiplier: <int; 3-3000>
    lacp_port_priority: <int; 0-65535>
    transceiver:
      # Transceiver Laser Frequency in GHz (min 190000, max 200000).
      frequency: <str>
      # Unit of Transceiver Laser Frequency.
      frequency_unit: <str; "ghz">
      media:
        # Transceiver type.
        override: <str>
    ip_proxy_arp: <bool>
    traffic_policy:
      # Ingress traffic policy.
      input: <str>
      # Egress traffic policy.
      output: <str>
    bgp:
      # Name of session tracker.
      session_tracker: <str>
    ip_igmp_host_proxy:
      enabled: <bool>
      groups:
        # Multicast Address.
        - group: <str; required; unique>
          # The same source must not be present both in `exclude` and `include` list.
          exclude:
            - source: <str; required; unique>
          # The same source must not be present both in `exclude` and `include` list.
          include:
            - source: <str; required; unique>
      # Time interval between unsolicited reports.
      report_interval: <int; 1-31744>
      # Non-standard Access List name.
      access_lists:
        - name: <str; required; unique>
      # IGMP version on IGMP host-proxy interface.
      version: <int; 1-3>
    # Key only used for documentation or validation purposes.
    peer: <str>
    # Key only used for documentation or validation purposes.
    peer_interface: <str>
    # Key only used for documentation or validation purposes.
    peer_type: <str>
    sflow:
      enable: <bool>
      egress:
        enable: <bool>
        unmodified_enable: <bool>
    sync_e:
      enable: <bool>
      # The priority is used to influence the reference clock selection. The EOS default priority is 127. The priority can be configured to any integer between 1-255, or set to `disabled`.
      priority: <str>
    # Key only used for documentation or validation purposes.
    port_profile: <str>
    uc_tx_queues:
      # TX-Queue ID.
      - id: <int; required; unique>
        random_detect:
          # Explicit Congestion Notification.
          ecn:
            # Enable counter for random-detect ECNs.
            count: <bool>
            threshold:
              # Indicate the units to be used for the threshold values.
              units: <str; "segments" | "bytes" | "kbytes" | "mbytes" | "milliseconds"; required>
              # Set the random-detect ECN minimum-threshold.
              min: <int; 1-256000000; required>
              # Set the random-detect ECN maximum-threshold.
              max: <int; 1-256000000; required>
              # Set the random-detect ECN max-mark-probability.
              max_probability: <int; 1-100>
              # Set the random-detect ECN weight.
              weight: <int; 0-15>
    tx_queues:
      # TX-Queue ID.
      - id: <int; required; unique>
        random_detect:
          # Explicit Congestion Notification.
          ecn:
            # Enable counter for random-detect ECNs.
            count: <bool>
            threshold:
              # Indicate the units to be used for the threshold values.
              units: <str; "segments" | "bytes" | "kbytes" | "mbytes" | "milliseconds"; required>
              # Set the random-detect ECN minimum-threshold.
              min: <int; 1-256000000>
              # Set the random-detect ECN maximum-threshold.
              max: <int; 1-256000000; required>
              # Set the random-detect ECN max-mark-probability.
              max_probability: <int; 1-100; required>
              # Set the random-detect ECN weight.
              weight: <int; 0-15>
    # VRRP model.
    vrrp_ids:
      # VRID.
      - id: <int; required; unique>
        # Instance priority.
        priority_level: <int; 1-254>
        advertisement:
          # Interval in seconds.
          interval: <int; 1-255>
        preempt:
          enabled: <bool; required>
          delay:
            # Minimum preempt delay in seconds.
            minimum: <int; 0-3600>
            # Reload preempt delay in seconds.
            reload: <int; 0-3600>
        timers:
          delay:
            # Delay after reload in seconds.
            reload: <int; 0-3600>
        tracked_object:
          # Tracked object name.
          - name: <str; required; unique>
            # Decrement VRRP priority by 1-254.
            decrement: <int; 1-254>
            shutdown: <bool>
        ipv4:
          # Virtual IPv4 address.
          address: <str; required>
          version: <int; 2 | 3>
        ipv6:
          # Virtual IPv6 address.
          address: <str; required>
    # Set to false to disable interface validation by the `eos_validate_state` role.
    validate_state: <bool>
    switchport:
      port_security:
        enabled: <bool>
        # Maximum number of MAC addresses allowed on the interface.
        mac_address_maximum:
          # Disable port level check for port security (only in violation 'shutdown' mode).
          disabled: <bool>
          # MAC address limit.
          limit: <int; 1-1000>
        # Configure violation mode (shutdown or protect), EOS default is 'shutdown'.
        violation:
          # Configure port security mode.
          mode: <str; "shutdown" | "protect">
          # Log new addresses seen after limit is reached in protect mode.
          protect_log: <bool>
        # Default maximum MAC addresses for all VLANs on this interface.
        vlan_default_mac_address_maximum: <int; 0-1000>
        vlans:
          # VLAN ID or range(s) of VLAN IDs, <1-4094>.
          # Example:
          # - 3
          # - 1,3
          # - 1-10
          - range: <str; required; unique>
            mac_address_maximum: <int>
    # Multiline EOS CLI rendered directly on the ethernet interface in the final EOS configuration.
    eos_cli: <str>
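An added example, not part of the AVD documentation or the AVD code base: a small Python audit that walks an `ethernet_interfaces` list shaped like the data model above and reports edge ports and IGP-enabled ports that fall short of a hardening baseline. The baseline, the finding codes and the sample interfaces are assumptions constructed for the illustration; the keys and their nesting follow the `ethernet_interfaces` model on this page.

```python
"""Audit AVD `ethernet_interfaces` items for edge-port and IGP hardening gaps.

The rules and finding codes are a constructed example policy, not AVD behaviour.
"""

# Strings the schema accepts for spanning_tree_bpduguard/bpdufilter that mean "on".
# An unquoted YAML `true` is loaded as a real boolean, so that is accepted as well.
_ON_STRINGS = ("enabled", "true", "True")
_EDGE_MODES = ("access", "trunk phone")


def _get(data, *path):
    """Walk nested dictionaries; return None as soon as a level is missing."""
    for key in path:
        if not isinstance(data, dict):
            return None
        data = data.get(key)
    return data


def _is_on(value):
    return value is True or (isinstance(value, str) and value in _ON_STRINGS)


def audit_interface(intf):
    """Return the finding codes for one ethernet_interfaces item."""
    findings = []
    if intf.get("shutdown") is True:
        return findings  # admin-down port, nothing to report

    if intf.get("mode") in _EDGE_MODES:
        if not _is_on(intf.get("spanning_tree_bpduguard")):
            findings.append("bpduguard-off")
        if _is_on(intf.get("spanning_tree_bpdufilter")):
            findings.append("bpdufilter-on")
        if _get(intf, "dot1x", "port_control") != "auto":
            findings.append("dot1x-not-enforced")
        if _get(intf, "switchport", "port_security", "enabled") is not True:
            findings.append("port-security-off")
        if not any(_get(intf, "storm_control", kind, "level")
                   for kind in ("all", "broadcast")):
            findings.append("no-broadcast-storm-control")

    if intf.get("ospf_area") is not None:
        if intf.get("ospf_authentication") != "message-digest":
            findings.append("ospf-no-digest-auth")
        elif any(key.get("hash_algorithm") == "md5"
                 for key in intf.get("ospf_message_digest_keys") or []):
            findings.append("ospf-md5-digest")

    # "md5" is the stronger of the two isis_authentication_mode values the schema lists.
    if intf.get("isis_enable") is not None:
        if intf.get("isis_authentication_mode") != "md5":
            findings.append("isis-weak-auth")
    return findings


def audit(ethernet_interfaces):
    """Map interface name to findings, keeping only interfaces that have any."""
    report = {}
    for intf in ethernet_interfaces:
        found = audit_interface(intf)
        if found:
            report[intf["name"]] = found
    return report


# Constructed sample: the structure a YAML loader would return for an inventory file.
SAMPLE = [
    {   # hardened access port
        "name": "Ethernet1", "type": "switched", "mode": "access", "vlans": "110",
        "spanning_tree_portfast": "edge", "spanning_tree_bpduguard": "enabled",
        "dot1x": {"port_control": "auto", "pae": {"mode": "authenticator"}},
        "storm_control": {"broadcast": {"level": "1", "unit": "percent"}},
        "switchport": {"port_security": {"enabled": True,
                                         "mac_address_maximum": {"limit": 2},
                                         "violation": {"mode": "shutdown"}}},
    },
    {   # access port with 802.1X bypassed and BPDU guard set to a YAML boolean false
        "name": "Ethernet2", "type": "switched", "mode": "access", "vlans": "120",
        "spanning_tree_bpduguard": False,
        "dot1x": {"port_control": "force-authorized"},
    },
    {   # unused port, admin down
        "name": "Ethernet3", "mode": "access", "shutdown": True,
    },
    {   # routed uplink, OSPF with simple (clear-text) authentication
        "name": "Ethernet49", "type": "routed", "ip_address": "192.0.2.1/31",
        "ospf_area": "0.0.0.0", "ospf_authentication": "simple",
    },
    {   # routed uplink, IS-IS with text authentication
        "name": "Ethernet50", "type": "routed", "ip_address": "192.0.2.3/31",
        "isis_enable": "CORE", "isis_authentication_mode": "text",
    },
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(f"{name}: {', '.join(found)}")
```

In a pipeline the list would come from the inventory's `ethernet_interfaces` key after YAML loading, and a non-empty report would fail the run before `eos_cli_config_gen` renders the configuration.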
Interface defaults
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
interface_defaults | Dictionary | | | | |
ethernet | Dictionary | | | | |
shutdown | Boolean | | | | |
mtu | Integer | | | | |
Interface profiles
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
interface_profiles | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Interface-Profile Name. |
commands | List, items: String | Required | | | |
- <str> | String | | | | EOS CLI interface command. Example: “switchport mode access” |
LACP
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
lacp | Dictionary | | | | Set Link Aggregation Control Protocol (LACP) parameters. |
port_id | Dictionary | | | | LACP port-ID range configuration. |
range | Dictionary | | | | |
begin | Integer | | | | Minimum LACP port-ID range. |
end | Integer | | | | Maximum LACP port-ID range. |
rate_limit | Dictionary | | | | Set LACPDU rate limit options. |
default | Boolean | | | | Enable LACPDU rate limiting by default on all ports. |
system_priority | Integer | | | Min: 0, Max: 65535 | Set local system LACP priority. |
# Set Link Aggregation Control Protocol (LACP) parameters.
lacp:
  # LACP port-ID range configuration.
  port_id:
    range:
      # Minimum LACP port-ID range.
      begin: <int>
      # Maximum LACP port-ID range.
      end: <int>
  # Set LACPDU rate limit options.
  rate_limit:
    # Enable LACPDU rate limiting by default on all ports.
    default: <bool>
  # Set local system LACP priority.
  system_priority: <int; 0-65535>
Link tracking groups
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
link_tracking_groups | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | |
links_minimum | Integer | | | Min: 1, Max: 100000 | |
recovery_delay | Integer | | | Min: 0, Max: 3600 | |
LLDP
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
lldp | Dictionary | | | | |
timer | Integer | | | | |
timer_reinitialization | String | | | | |
holdtime | Integer | | | | |
management_address | String | | | | |
vrf | String | | | | |
receive_packet_tagged_drop | String | | | | |
tlvs | List, items: Dictionary | | | | |
- name | String | Required, Unique | | Valid Values: link-aggregation, management-address, max-frame-size, med, port-description, port-vlan, power-via-mdi, system-capabilities, system-description, system-name, vlan-name | |
transmit | Boolean | | | | |
run | Boolean | | | | |

```yaml
lldp:
  timer: <int>
  timer_reinitialization: <str>
  holdtime: <int>
  management_address: <str>
  vrf: <str>
  receive_packet_tagged_drop: <str>
  tlvs:
    - name: <str; "link-aggregation" | "management-address" | "max-frame-size" | "med" | "port-description" | "port-vlan" | "power-via-mdi" | "system-capabilities" | "system-description" | "system-name" | "vlan-name"; required; unique>
      transmit: <bool>
  run: <bool>
```

Loopback interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
loopback_interfaces | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Loopback interface name e.g. “Loopback0”. |
description | String | | | | |
shutdown | Boolean | | | | |
vrf | String | | | | VRF name. |
ip_address | String | | | | IPv4_address/Mask. |
ip_address_secondaries | List, items: String | | | | |
- <str> | String | | | | IPv4_address/Mask. |
ipv6_enable | Boolean | | | | |
ipv6_address | String | | | | IPv6_address/Mask. |
ip_proxy_arp | Boolean | | | | |
ospf_area | String | | | | |
mpls | Dictionary | | | | |
ldp | Dictionary | | | | |
interface | Boolean | | | | |
isis_enable | String | | | | ISIS instance name. |
isis_bfd | Boolean | | | | Enable BFD for ISIS. |
isis_passive | Boolean | | | | |
isis_metric | Integer | | | | |
isis_network_point_to_point | Boolean | | | | |
node_segment | Dictionary | | | | |
ipv4_index | Integer | | | | |
ipv6_index | Integer | | | | |
eos_cli | String | | | | EOS CLI rendered directly on the loopback interface in the final EOS configuration. |

```yaml
loopback_interfaces:
    # Loopback interface name e.g. "Loopback0".
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>
    # VRF name.
    vrf: <str>
    # IPv4_address/Mask.
    ip_address: <str>
    ip_address_secondaries:
        # IPv4_address/Mask.
      - <str>
    ipv6_enable: <bool>
    # IPv6_address/Mask.
    ipv6_address: <str>
    ip_proxy_arp: <bool>
    ospf_area: <str>
    mpls:
      ldp:
        interface: <bool>
    # ISIS instance name.
    isis_enable: <str>
    # Enable BFD for ISIS.
    isis_bfd: <bool>
    isis_passive: <bool>
    isis_metric: <int>
    isis_network_point_to_point: <bool>
    node_segment:
      ipv4_index: <int>
      ipv6_index: <int>
    # EOS CLI rendered directly on the loopback interface in the final EOS configuration.
    eos_cli: <str>
```

Management interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
management_interfaces | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Management Interface Name. |
description | String | | | | |
shutdown | Boolean | | | | |
speed | String | | | | Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`. |
mtu | Integer | | | | |
vrf | String | | | | VRF Name. |
ip_address | String | | | | IPv4_address/Mask. |
ipv6_enable | Boolean | | | | |
ipv6_address | String | | | | IPv6_address/Mask. |
type | String | | oob | Valid Values: - oob - inband | For documentation purposes only. |
gateway | String | | | | IPv4 address of default gateway in management VRF. |
ipv6_gateway | String | | | | IPv6 address of default gateway in management VRF. |
mac_address | String | | | | MAC address. |
lldp | Dictionary | | | | |
transmit | Boolean | | | | |
receive | Boolean | | | | |
ztp_vlan | Integer | | | | ZTP vlan number. |
eos_cli | String | | | | Multiline EOS CLI rendered directly on the management interface in the final EOS configuration. |

```yaml
management_interfaces:
    # Management Interface Name.
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>
    # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
    speed: <str>
    mtu: <int>
    # VRF Name.
    vrf: <str>
    # IPv4_address/Mask.
    ip_address: <str>
    ipv6_enable: <bool>
    # IPv6_address/Mask.
    ipv6_address: <str>
    # For documentation purposes only.
    type: <str; "oob" | "inband"; default="oob">
    # IPv4 address of default gateway in management VRF.
    gateway: <str>
    # IPv6 address of default gateway in management VRF.
    ipv6_gateway: <str>
    # MAC address.
    mac_address: <str>
    lldp:
      transmit: <bool>
      receive: <bool>
    # ZTP vlan number.
    ztp_vlan: <int>
    # Multiline EOS CLI rendered directly on the management interface in the final EOS configuration.
    eos_cli: <str>
```

Patch panel¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
patch_panel | Dictionary | | | | |
connector | Dictionary | | | | |
interface | Dictionary | | | | |
patch | Dictionary | | | | |
bgp_vpws_remote_failure_errdisable | Boolean | | | | |
recovery | Dictionary | | | | |
review_delay | Dictionary | | | | |
min | Integer | Required | | Min: 10 Max: 600 | Minimum delay. |
max | Integer | Required | | Min: 15 Max: 900 | Maximum delay. |
patches | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | |
enabled | Boolean | | | | |
connectors | List, items: Dictionary | | | Min Length: 2 Max Length: 2 | Must have exactly two connectors to a patch of which at least one must be of type “interface”. |
- id | String | Required, Unique | | | |
type | String | Required | | Valid Values: - interface - pseudowire | |
endpoint | String | Required | | | String with relevant endpoint depending on type. Examples: - “Ethernet1” - “Ethernet1 dot1q vlan 123” - “bgp vpws TENANT_A pseudowire VPWS_PW_1” - “ldp LDP_PW_1” |

```yaml
patch_panel:
  connector:
    interface:
      patch:
        bgp_vpws_remote_failure_errdisable: <bool>
      recovery:
        review_delay:
          # Minimum delay.
          min: <int; 10-600; required>
          # Maximum delay.
          max: <int; 15-900; required>
  patches:
    - name: <str; required; unique>
      enabled: <bool>
      # Must have exactly two connectors to a patch of which at least one must be of type "interface".
      connectors: # 2-2 items
        - id: <str; required; unique>
          type: <str; "interface" | "pseudowire"; required>
          # String with relevant endpoint depending on type.
          # Examples:
          # - "Ethernet1"
          # - "Ethernet1 dot1q vlan 123"
          # - "bgp vpws TENANT_A pseudowire VPWS_PW_1"
          # - "ldp LDP_PW_1"
          endpoint: <str; required>
```

Port-channel interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
port_channel_interfaces | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | |
description | String | | | | |
logging | Dictionary | | | | |
event | Dictionary | | | | |
link_status | Boolean | | | | |
storm_control_discards | Boolean | | | | Discards due to storm-control. |
shutdown | Boolean | | | | |
l2_mtu | Integer | | | Min: 68 Max: 65535 | “l2_mtu” should only be defined for platforms supporting the “l2 mtu” CLI. |
l2_mru | Integer | | | Min: 68 Max: 65535 | “l2_mru” should only be defined for platforms supporting the “l2 mru” CLI. |
vlans | String | | | | List of switchport vlans as string. For a trunk port this would be a range like “1-200,300”. For an access port this would be a single vlan “123”. |
snmp_trap_link_change | Boolean | | | | |
type | String | | | Valid Values: - routed - switched - l3dot1q - l2dot1q | l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed. Interface will not be listed in device documentation, unless “type” is set. |
encapsulation_dot1q_vlan | Integer | | | | VLAN tag to configure on sub-interface. |
vrf | String | | | | VRF name. |
encapsulation_vlan | Dictionary | | | | |
client | Dictionary | | | | |
dot1q | Dictionary | | | | |
vlan | Integer | | | | Client VLAN ID. |
outer | Integer | | | | Client Outer VLAN ID. |
inner | Integer | | | | Client Inner VLAN ID. |
unmatched | Boolean | | | | |
network | Dictionary | | | | Network encapsulation are all optional, and skipped if using client unmatched. |
dot1q | Dictionary | | | | |
vlan | Integer | | | | Network VLAN ID. |
outer | Integer | | | | Network Outer VLAN ID. |
inner | Integer | | | | Network Inner VLAN ID. |
client | Boolean | | | | |
vlan_id | Integer | | | Min: 1 Max: 4094 | |
mode | String | | | Valid Values: - access - dot1q-tunnel - trunk - trunk phone | |
native_vlan | Integer | | | | If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence. |
native_vlan_tag | Boolean | | False | | If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence. |
link_tracking_groups | List, items: Dictionary | | | | |
- name | String | Required, Unique | | | Group name. |
direction | String | | | Valid Values: - upstream - downstream | |
phone | Dictionary | | | | |
trunk | String | | | Valid Values: - tagged - untagged | |
vlan | Integer | | | Min: 1 Max: 4094 | |
l2_protocol | Dictionary | | | | |
encapsulation_dot1q_vlan | Integer | | | | Vlan tag to configure on sub-interface. |
forwarding_profile | String | | | | L2 protocol forwarding profile. |
mtu | Integer | | | Min: 68 Max: 65535 | |
mlag | Integer | | | Min: 1 Max: 2000 | MLAG ID. |
trunk_groups | List, items: String | | | | |
- <str> | String | | | | |
lacp_fallback_timeout | Integer | | 90 | Min: 0 Max: 300 | Timeout in seconds. |
lacp_fallback_mode | String | | | Valid Values: - individual - static | |
qos | Dictionary | | | | |
trust | String | | | Valid Values: - dscp - cos - disabled | |
dscp | Integer | | | | DSCP value. |
cos | Integer | | | | COS value. |
bfd | Dictionary | | | | |
echo | Boolean | | | | |
interval | Integer | | | | Interval in milliseconds. |
min_rx | Integer | | | | Rate in milliseconds. |
multiplier | Integer | | | Min: 3 Max: 50 | |
neighbor | String | | | | IPv4 or IPv6 address. When the Port-channel is a L2 interface, a local L3 BFD address (router_bfd.local_address) has to be defined globally on the switch. |
per_link | Dictionary | | | | |
enabled | Boolean | | | | |
rfc_7130 | Boolean | | | | |
service_policy | Dictionary | | | | |
pbr | Dictionary | | | | |
input | String | | | | Policy Based Routing Policy-map name. |
qos | Dictionary | | | | |
input | String | Required | | | Quality of Service Policy-map name. |
mpls | Dictionary | | | | |
ip | Boolean | | | | |
ldp | Dictionary | | | | |
interface | Boolean | | | | |
igp_sync | Boolean | | | | |
trunk_private_vlan_secondary | Boolean | | | | |
pvlan_mapping | String | | | | List of vlans as string. |
vlan_translations | List, items: Dictionary | | | | |
- from | String | | | | List of vlans as string (only one vlan if direction is “both”). |
to | Integer | | | | VLAN ID. |
direction | String | | both | Valid Values: - in - out - both | |
shape | Dictionary | | | | |
rate | String | | | | Rate in kbps, pps or percent. Supported options are platform dependent. Examples: - “5000 kbps” - “1000 pps” - “20 percent” |
storm_control | Dictionary | | | | |
all | Dictionary | | | | |
level | String | | | | Configure maximum storm-control level. |
unit | String | | percent | Valid Values: - percent - pps | Optional field and is hardware dependent. |
broadcast | Dictionary | | | | |
level | String | | | | Configure maximum storm-control level. |
unit | String | | percent | Valid Values: - percent - pps | Optional field and is hardware dependent. |
multicast | Dictionary | | | | |
level | String | | | | Configure maximum storm-control level. |
unit | String | | percent | Valid Values: - percent - pps | Optional field and is hardware dependent. |
unknown_unicast | Dictionary | | | | |
level | String | | | | Configure maximum storm-control level. |
unit | String | | percent | Valid Values: - percent - pps | Optional field and is hardware dependent. |
ip_proxy_arp | Boolean | | | | |
isis_enable | String | | | | ISIS instance. |
isis_bfd | Boolean | | | | Enable BFD for ISIS. |
isis_passive | Boolean | | | | |
isis_metric | Integer | | | | |
isis_network_point_to_point | Boolean | | | | |
isis_circuit_type | String | | | Valid Values: - level-1-2 - level-1 - level-2 | |
isis_hello_padding | Boolean | | | | |
isis_authentication_mode | String | | | Valid Values: - text - md5 | |
isis_authentication_key | String | | | | Type-7 encrypted password. |
traffic_policy | Dictionary | | | | |
input | String | | | | Ingress traffic policy. |
output | String | | | | Egress traffic policy. |
evpn_ethernet_segment | Dictionary | | | | |
identifier | String | | | | EVPN Ethernet Segment Identifier (Type 1 format). |
redundancy | String | | | Valid Values: - all-active - single-active | |
designated_forwarder_election | Dictionary | | | | |
algorithm | String | | | Valid Values: - modulus - preference | |
preference_value | Integer | | | Min: 0 Max: 65535 | Preference_value is only used when “algorithm” is “preference”. |
dont_preempt | Boolean | | False | | Dont_preempt is only used when “algorithm” is “preference”. |
hold_time | Integer | | | | |
subsequent_hold_time | Integer | | | | |
candidate_reachability_required | Boolean | | | | |
mpls | Dictionary | | | | |
shared_index | Integer | | | Min: 1 Max: 1024 | |
tunnel_flood_filter_time | Integer | | | | |
route_target | String | | | | EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx. |
esi (deprecated) | String | | | | EVPN Ethernet Segment Identifier (Type 1 format). If both “esi” and “evpn_ethernet_segment.identifier” are defined, the new variable takes precedence. This key is deprecated. Support will be removed in AVD version 5.0.0. Use evpn_ethernet_segment.identifier instead. |
rt (deprecated) | String | | | | EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx. If both “rt” and “evpn_ethernet_segment.route_target” are defined, the new variable takes precedence. This key is deprecated. Support will be removed in AVD version 5.0.0. Use evpn_ethernet_segment.route_target instead. |
lacp_id | String | | | | LACP ID with format xxxx.xxxx.xxxx. |
spanning_tree_bpdufilter | String | | | Valid Values: - enabled - disabled - True - False - true - false | |
spanning_tree_bpduguard | String | | | Valid Values: - enabled - disabled - True - False - true - false | |
spanning_tree_guard | String | | | Valid Values: - loop - root - disabled | |
spanning_tree_portfast | String | | | Valid Values: - edge - network | |
vmtracer | Boolean | | | | |
ptp | Dictionary | | | | |
enable | Boolean | | | | |
announce | Dictionary | | | | |
interval | Integer | | | | |
timeout | Integer | | | | |
delay_req | Integer | | | | |
delay_mechanism | String | | | Valid Values: - e2e - p2p | |
profile | Dictionary | | | | |
g8275_1 | Dictionary | | | | |
destination_mac_address | String | | | Valid Values: - forwardable - non-forwardable | |
sync_message | Dictionary | | | | |
interval | Integer | | | | |
role | String | | | Valid Values: - master - dynamic | |
vlan | String | | | | VLAN can be ‘all’ or list of vlans as string. |
transport | String | | | Valid Values: - ipv4 - ipv6 - layer2 | |
mpass | Boolean | | | | When MPASS is enabled on an MLAG port-channel, MLAG peers coordinate to function as a single PTP logical device. Arista PTP enabled devices always place PTP messages on the same physical link within the port-channel. Hence, MPASS is needed only on MLAG port-channels connected to non-Arista devices. |
ip_address | String | | | | IPv4 address/mask. |
ip_verify_unicast_source_reachable_via | String | | | Valid Values: - any - rx | |
ip_nat | Dictionary | | | | |
destination | Dictionary | | | | |
dynamic | List, items: Dictionary | | | | |
- access_list | String | Required, Unique | | | |
comment | String | | | | |
pool_name | String | Required | | | |
priority | Integer | | | Min: 0 Max: 4294967295 | |
static | List, items: Dictionary | | | | |
- access_list | String | | | | ‘access_list’ and ‘group’ are mutually exclusive. |
comment | String | | | | |
direction | String | | | Valid Values: - egress - ingress | Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
group | Integer | | | Min: 1 Max: 65535 | ‘access_list’ and ‘group’ are mutually exclusive. |
original_ip | String | | | | IPv4 address. The combination of original_ip and original_port must be unique. |
original_port | Integer | | | Min: 1 Max: 65535 | TCP/UDP port. The combination of original_ip and original_port must be unique. |
priority | Integer | | | Min: 0 Max: 4294967295 | |
protocol | String | | | Valid Values: - udp - tcp | |
translated_ip | String | Required | | | IPv4 address. |
translated_port | Integer | | | Min: 1 Max: 65535 | Requires ‘original_port’. |
source | Dictionary | | | | |
dynamic | List, items: Dictionary | | | | |
- access_list | String | Required, Unique | | | |
comment | String | | | | |
nat_type | String | Required | | Valid Values: - overload - pool - pool-address-only - pool-full-cone | |
pool_name | String | | | | Required if ‘nat_type’ is pool, pool-address-only or pool-full-cone. Ignored if ‘nat_type’ is overload. |
priority | Integer | | | Min: 0 Max: 4294967295 | |
static | List, items: Dictionary | | | | |
- access_list | String | | | | ‘access_list’ and ‘group’ are mutually exclusive. |
comment | String | | | | |
direction | String | | | Valid Values: - egress - ingress | Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
group | Integer | | | Min: 1 Max: 65535 | ‘access_list’ and ‘group’ are mutually exclusive. |
original_ip | String | | | | IPv4 address. The combination of original_ip and original_port must be unique. |
original_port | Integer | | | Min: 1 Max: 65535 | TCP/UDP port. The combination of original_ip and original_port must be unique. |
priority | Integer | | | Min: 0 Max: 4294967295 | |
protocol | String | | | Valid Values: - udp - tcp | |
translated_ip | String | Required | | | IPv4 address. |
translated_port | Integer | | | Min: 1 Max: 65535 | Requires ‘original_port’. |
ipv6_enable | Boolean | | | | |
ipv6_address | String | | | | IPv6 address/mask. |
ipv6_address_link_local | String | | | | Link local IPv6 address/mask. |
ipv6_nd_ra_disabled | Boolean | | | | |
ipv6_nd_managed_config_flag | Boolean | | | | |
ipv6_nd_prefixes | List, items: Dictionary | | | | |
- ipv6_prefix | String | Required, Unique | | | |
valid_lifetime | String | | | | Infinite or lifetime in seconds. |
preferred_lifetime | String | | | | Infinite or lifetime in seconds. |
no_autoconfig_flag | Boolean | | | | |
access_group_in | String | | | | Access list name. |
access_group_out | String | | | | Access list name. |
ipv6_access_group_in | String | | | | IPv6 access list name. |
ipv6_access_group_out | String | | | | IPv6 access list name. |
mac_access_group_in | String | | | | MAC access list name. |
mac_access_group_out | String | | | | MAC access list name. |
pim | Dictionary | | | | |
ipv4 | Dictionary | | | | |
border_router | Boolean | | | | Configure PIM border router. EOS default is false. |
dr_priority | Integer | | | Min: 0 Max: 429467295 | |
sparse_mode | Boolean | | | | |
bfd | Boolean | | | | Set the default for whether Bidirectional Forwarding Detection is enabled for PIM. |
bidirectional | Boolean | | | | |
hello | Dictionary | | | | |
count | String | | | | Number of missed hellos after which the neighbor expires. Range <1.5-65535>. |
interval | Integer | | | Min: 1 Max: 65535 | PIM hello interval in seconds. |
service_profile | String | | | | QOS profile. |
ospf_network_point_to_point | Boolean | | | | |
ospf_area | String | | | | |
ospf_cost | Integer | | | | |
ospf_authentication | String | | | Valid Values: - none - simple - message-digest | |
ospf_authentication_key | String | | | | Encrypted password. |
ospf_message_digest_keys | List, items: Dictionary | | | | |
- id | Integer | Required, Unique | | | |
hash_algorithm | String | | | Valid Values: - md5 - sha1 - sha256 - sha384 - sha512 | |
key | String | | | | Encrypted password. |
flow_tracker | Dictionary | | | | |
sampled | String | | | | Sampled flow tracker name. |
hardware | String | | | | Hardware flow tracker name. |
bgp | Dictionary | | | | |
session_tracker | String | | | | Name of session tracker. |
ip_igmp_host_proxy | Dictionary | | | | |
enabled | Boolean | | | | |
groups | List, items: Dictionary | | | | |
- group | String | Required, Unique | | | Multicast Address. |
exclude | List, items: Dictionary | | | | The same source must not be present both in exclude and include list. |
- source | String | Required, Unique | | | |
include | List, items: Dictionary | | | | The same source must not be present both in exclude and include list. |
- source | String | Required, Unique | | | |
report_interval | Integer | | | Min: 1 Max: 31744 | Time interval between unsolicited reports. |
access_lists | List, items: Dictionary | | | | Non-standard Access List name. |
- name | String | Required, Unique | | | |
version | Integer | | | Min: 1 Max: 3 | IGMP version on IGMP host-proxy interface. |
peer | String | | | | Key only used for documentation or validation purposes. |
peer_interface | String | | | | Key only used for documentation or validation purposes. |
peer_type | String | | | | Key only used for documentation or validation purposes. |
sflow | Dictionary | | | | |
enable | Boolean | | | | |
egress | Dictionary | | | | |
enable | Boolean | | | | |
unmodified_enable | Boolean | | | | |
validate_state | Boolean | | | | Set to false to disable interface validation by the eos_validate_state role. |
eos_cli | String | | | | Multiline EOS CLI rendered directly on the port-channel interface in the final EOS configuration. |

```yaml
port_channel_interfaces:
  - name: <str; required; unique>
    description: <str>
    logging:
      event:
        link_status: <bool>
        # Discards due to storm-control.
        storm_control_discards: <bool>
    shutdown: <bool>
    # "l2_mtu" should only be defined for platforms supporting the "l2 mtu" CLI.
    l2_mtu: <int; 68-65535>
    # "l2_mru" should only be defined for platforms supporting the "l2 mru" CLI.
    l2_mru: <int; 68-65535>
    # List of switchport vlans as string.
    # For a trunk port this would be a range like "1-200,300".
    # For an access port this would be a single vlan "123".
    vlans: <str>
    snmp_trap_link_change: <bool>
    # l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
    # Interface will not be listed in device documentation, unless "type" is set.
    type: <str; "routed" | "switched" | "l3dot1q" | "l2dot1q">
    # VLAN tag to configure on sub-interface.
    encapsulation_dot1q_vlan: <int>
    # VRF name.
    vrf: <str>
    encapsulation_vlan:
      client:
        dot1q:
          # Client VLAN ID.
          vlan: <int>
          # Client Outer VLAN ID.
          outer: <int>
          # Client Inner VLAN ID.
          inner: <int>
        unmatched: <bool>
      # Network encapsulation are all optional, and skipped if using client unmatched.
      network:
        dot1q:
          # Network VLAN ID.
          vlan: <int>
          # Network Outer VLAN ID.
          outer: <int>
          # Network Inner VLAN ID.
          inner: <int>
        client: <bool>
    vlan_id: <int; 1-4094>
    mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">
    # If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    native_vlan: <int>
    # If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    native_vlan_tag: <bool; default=False>
    link_tracking_groups:
        # Group name.
      - name: <str; required; unique>
        direction: <str; "upstream" | "downstream">
    phone:
      trunk: <str; "tagged" | "untagged">
      vlan: <int; 1-4094>
    l2_protocol:
      # Vlan tag to configure on sub-interface.
      encapsulation_dot1q_vlan: <int>
      # L2 protocol forwarding profile.
      forwarding_profile: <str>
    mtu: <int; 68-65535>
    # MLAG ID.
    mlag: <int; 1-2000>
    trunk_groups:
      - <str>
    # Timeout in seconds.
    lacp_fallback_timeout: <int; 0-300; default=90>
    lacp_fallback_mode: <str; "individual" | "static">
    qos:
      trust: <str; "dscp" | "cos" | "disabled">
      # DSCP value.
      dscp: <int>
      # COS value.
      cos: <int>
    bfd:
      echo: <bool>
      # Interval in milliseconds.
      interval: <int>
      # Rate in milliseconds.
      min_rx: <int>
      multiplier: <int; 3-50>
      # IPv4 or IPv6 address. When the Port-channel is a L2 interface, a local L3 BFD address (router_bfd.local_address) has to be defined globally on the switch.
      neighbor: <str>
      per_link:
        enabled: <bool>
        rfc_7130: <bool>
    service_policy:
      pbr:
        # Policy Based Routing Policy-map name.
        input: <str>
      qos:
        # Quality of Service Policy-map name.
        input: <str; required>
    mpls:
      ip: <bool>
      ldp:
        interface: <bool>
        igp_sync: <bool>
    trunk_private_vlan_secondary: <bool>
    # List of vlans as string.
    pvlan_mapping: <str>
    vlan_translations:
        # List of vlans as string (only one vlan if direction is "both").
      - from: <str>
        # VLAN ID.
        to: <int>
        direction: <str; "in" | "out" | "both"; default="both">
    shape:
      # Rate in kbps, pps or percent.
      # Supported options are platform dependent.
      # Examples:
      # - "5000 kbps"
      # - "1000 pps"
      # - "20 percent"
      rate: <str>
    storm_control:
      all:
        # Configure maximum storm-control level.
        level: <str>
        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      broadcast:
        # Configure maximum storm-control level.
        level: <str>
        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      multicast:
        # Configure maximum storm-control level.
        level: <str>
        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      unknown_unicast:
        # Configure maximum storm-control level.
        level: <str>
        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
    ip_proxy_arp: <bool>
    # ISIS instance.
    isis_enable: <str>
    # Enable BFD for ISIS.
    isis_bfd: <bool>
    isis_passive: <bool>
    isis_metric: <int>
    isis_network_point_to_point: <bool>
    isis_circuit_type: <str; "level-1-2" | "level-1" | "level-2">
    isis_hello_padding: <bool>
    isis_authentication_mode: <str; "text" | "md5">
    # Type-7 encrypted password.
    isis_authentication_key: <str>
    traffic_policy:
      # Ingress traffic policy.
      input: <str>
      # Egress traffic policy.
      output: <str>
    evpn_ethernet_segment:
      # EVPN Ethernet Segment Identifier (Type 1 format).
      identifier: <str>
      redundancy: <str; "all-active" | "single-active">
      designated_forwarder_election:
        algorithm: <str; "modulus" | "preference">
        # Preference_value is only used when "algorithm" is "preference".
        preference_value: <int; 0-65535>
        # Dont_preempt is only used when "algorithm" is "preference".
        dont_preempt: <bool; default=False>
        hold_time: <int>
        subsequent_hold_time: <int>
        candidate_reachability_required: <bool>
      mpls:
        shared_index: <int; 1-1024>
        tunnel_flood_filter_time: <int>
      # EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
      route_target: <str>
    # EVPN Ethernet Segment Identifier (Type 1 format).
    # If both "esi" and "evpn_ethernet_segment.identifier" are defined, the new variable takes precedence.
    # This key is deprecated.
    # Support will be removed in AVD version 5.0.0.
    # Use `evpn_ethernet_segment.identifier` instead.
    esi: <str>
    # EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
    # If both "rt" and "evpn_ethernet_segment.route_target" are defined, the new variable takes precedence.
    # This key is deprecated.
    # Support will be removed in AVD version 5.0.0.
    # Use `evpn_ethernet_segment.route_target` instead.
    rt: <str>
    # LACP ID with format xxxx.xxxx.xxxx.
    lacp_id: <str>
    spanning_tree_bpdufilter: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
    spanning_tree_bpduguard: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
    spanning_tree_guard: <str; "loop" | "root" | "disabled">
    spanning_tree_portfast: <str; "edge" | "network">
    vmtracer: <bool>
    ptp:
      enable: <bool>
      announce:
        interval: <int>
        timeout: <int>
      delay_req: <int>
      delay_mechanism: <str; "e2e" | "p2p">
      profile:
        g8275_1:
          destination_mac_address: <str; "forwardable" | "non-forwardable">
      sync_message:
        interval: <int>
      role: <str; "master" | "dynamic">
      # VLAN can be 'all' or list of vlans as string.
      vlan: <str>
      transport: <str; "ipv4" | "ipv6" | "layer2">
      # When MPASS is enabled on an MLAG port-channel, MLAG peers coordinate to function as a single PTP logical device.
      # Arista PTP enabled devices always place PTP messages on the same physical link within the port-channel.
      # Hence, MPASS is needed only on MLAG port-channels connected to non-Arista devices.
      mpass: <bool>
    # IPv4 address/mask.
    ip_address: <str>
    ip_verify_unicast_source_reachable_via: <str; "any" | "rx">
    ip_nat:
      destination:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            pool_name: <str; required>
            priority: <int; 0-4294967295>
        static:
            # 'access_list' and 'group' are mutually exclusive.
          - access_list: <str>
            comment: <str>
            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">
            # 'access_list' and 'group' are mutually exclusive.
            group: <int; 1-65535>
            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>
            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">
            # IPv4 address.
            translated_ip: <str; required>
            # Requires 'original_port'.
            translated_port: <int; 1-65535>
      source:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>
            # Required if 'nat_type' is pool, pool-address-only or pool-full-cone.
            # Ignored if 'nat_type' is overload.
            pool_name: <str>
            priority: <int; 0-4294967295>
        static:
            # 'access_list' and 'group' are mutually exclusive.
          - access_list: <str>
            comment: <str>
            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">
            # 'access_list' and 'group' are mutually exclusive.
            group: <int; 1-65535>
            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>
            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">
            # IPv4 address.
            translated_ip: <str; required>
            # Requires 'original_port'.
            translated_port: <int; 1-65535>
    ipv6_enable: <bool>
    # IPv6 address/mask.
    ipv6_address: <str>
    # Link local IPv6 address/mask.
    ipv6_address_link_local: <str>
    ipv6_nd_ra_disabled: <bool>
    ipv6_nd_managed_config_flag: <bool>
    ipv6_nd_prefixes:
      - ipv6_prefix: <str; required; unique>
        # Infinite or lifetime in seconds.
        valid_lifetime: <str>
        # Infinite or lifetime in seconds.
        preferred_lifetime: <str>
        no_autoconfig_flag: <bool>
    # Access list name.
    access_group_in: <str>
    # Access list name.
    access_group_out: <str>
    # IPv6 access list name.
    ipv6_access_group_in: <str>
    # IPv6 access list name.
    ipv6_access_group_out: <str>
    # MAC access list name.
    mac_access_group_in: <str>
    # MAC access list name.
    mac_access_group_out: <str>
    pim:
      ipv4:
        # Configure PIM border router. EOS default is false.
        border_router: <bool>
        dr_priority: <int; 0-429467295>
        sparse_mode: <bool>
        # Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
        bfd: <bool>
        bidirectional: <bool>
        hello:
          # Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
          count: <str>
          # PIM hello interval in seconds.
          interval: <int; 1-65535>
    # QOS profile.
    service_profile: <str>
    ospf_network_point_to_point: <bool>
    ospf_area: <str>
    ospf_cost: <int>
    ospf_authentication: <str; "none" | "simple" | "message-digest">
    # Encrypted password.
    ospf_authentication_key: <str>
    ospf_message_digest_keys:
      - id: <int; required; unique>
        hash_algorithm: <str; "md5" | "sha1" | "sha256" | "sha384" | "sha512">
        # Encrypted password.
        key: <str>
    flow_tracker:
      # Sampled flow tracker name.
      sampled: <str>
      # Hardware flow tracker name.
      hardware: <str>
    bgp:
      # Name of session tracker.
      session_tracker: <str>
    ip_igmp_host_proxy:
      enabled: <bool>
      groups:
          # Multicast Address.
        - group: <str; required; unique>
          # The same source must not be present both in `exclude` and `include` list.
          exclude:
            - source: <str; required; unique>
          # The same source must not be present both in `exclude` and `include` list.
          include:
            - source: <str; required; unique>
      # Time interval between unsolicited reports.
      report_interval: <int; 1-31744>
      # Non-standard Access List name.
      access_lists:
        - name: <str; required; unique>
      # IGMP version on IGMP host-proxy interface.
      version: <int; 1-3>
    # Key only used for documentation or validation purposes.
    peer: <str>
    # Key only used for documentation or validation purposes.
    peer_interface: <str>
    # Key only used for documentation or validation purposes.
    peer_type: <str>
    sflow:
      enable: <bool>
      egress:
        enable: <bool>
        unmodified_enable: <bool>
    # Set to false to disable interface validation by the `eos_validate_state` role.
    validate_state: <bool>
    # Multiline EOS CLI rendered directly on the port-channel interface in the final EOS configuration.
    eos_cli: <str>
```

Switchport default¶
Switchport port security¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
switchport_port_security | Dictionary | ||||
mac_address | Dictionary | ||||
aging | Boolean | ||||
moveable | Boolean | ||||
persistence_disabled | Boolean | ||||
violation_protect_chip_based | Boolean |
Transceiver QSFP default mode 4x10¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
transceiver_qsfp_default_mode_4x10 | Boolean | True |
On all front panel ports which support this feature, the following global configuration command changes the QSFP mode from 40G to 4x10G (default). When set to false the command reverts the default QSFP mode back to 40G. |
Tunnel interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
tunnel_interfaces | List, items: Dictionary | ||||
- name | String | Required, Unique | Tunnel Interface Name. | ||
description | String | ||||
shutdown | Boolean | ||||
mtu | Integer | Min: 68 Max: 65535 |
|||
vrf | String | VRF Name. | |||
underlay_vrf | String | Underlay VRF Name. | |||
ip_address | String | Format: ipv4_cidr | IPv4_address/Mask. | ||
ipv6_enable | Boolean | ||||
ipv6_address | String | Format: ipv6_cidr | IPv6_address/Mask. | ||
access_group_in | String | IPv4 ACL Name for ingress. | |||
access_group_out | String | IPv4 ACL Name for egress. | |||
ipv6_access_group_in | String | IPv6 ACL Name for ingress. | |||
ipv6_access_group_out | String | IPv6 ACL Name for egress. | |||
tcp_mss_ceiling | Dictionary | ||||
ipv4 | Integer | Min: 64 Max: 65495 |
Segment Size for IPv4. | ||
ipv6 | Integer | Min: 64 Max: 65475 |
Segment Size for IPv6. | ||
direction | String | Valid Values: - ingress - egress |
Optional direction (‘ingress’, ‘egress’) for tcp mss ceiling. |
||
tunnel_mode | String | Valid Values: - gre - ipsec |
Tunnel encapsulation method. gre: Generic route encapsulation protocol, ipsec: IPsec-over-IP encapsulation. |
||
source_interface | String | Tunnel Source Interface Name. | |||
destination | String | IPv4 or IPv6 Address Tunnel Destination. | |||
path_mtu_discovery | Boolean | Enable Path MTU Discovery On Tunnel. | |||
ipsec_profile | String | Used only when tunnel_mode is set to ipsec. It must target a defined IPsec profile. |
|||
nat_profile | String | NAT interface profile. | |||
eos_cli | String | Multiline String with EOS CLI rendered directly on the Tunnel interface in the final EOS configuration. |
tunnel_interfaces:
  # Tunnel Interface Name.
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>
    mtu: <int; 68-65535>
    # VRF Name.
    vrf: <str>
    # Underlay VRF Name.
    underlay_vrf: <str>
    # IPv4_address/Mask.
    ip_address: <str>
    ipv6_enable: <bool>
    # IPv6_address/Mask.
    ipv6_address: <str>
    # IPv4 ACL Name for ingress.
    access_group_in: <str>
    # IPv4 ACL Name for egress.
    access_group_out: <str>
    # IPv6 ACL Name for ingress.
    ipv6_access_group_in: <str>
    # IPv6 ACL Name for egress.
    ipv6_access_group_out: <str>
    tcp_mss_ceiling:
      # Segment Size for IPv4.
      ipv4: <int; 64-65495>
      # Segment Size for IPv6.
      ipv6: <int; 64-65475>
      # Optional direction ('ingress', 'egress') for tcp mss ceiling.
      direction: <str; "ingress" | "egress">
    # Tunnel encapsulation method.
    # `gre`: Generic route encapsulation protocol,
    # `ipsec`: IPsec-over-IP encapsulation.
    tunnel_mode: <str; "gre" | "ipsec">
    # Tunnel Source Interface Name.
    source_interface: <str>
    # IPv4 or IPv6 Address Tunnel Destination.
    destination: <str>
    # Enable Path MTU Discovery On Tunnel.
    path_mtu_discovery: <bool>
    # Used only when `tunnel_mode` is set to `ipsec`.
    # It must target a defined IPsec profile.
    ipsec_profile: <str>
    # NAT interface profile.
    nat_profile: <str>
    # Multiline String with EOS CLI rendered directly on the Tunnel interface in the final EOS configuration.
    eos_cli: <str>
VLAN interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
vlan_interfaces | List, items: Dictionary | ||||
- name | String | Required, Unique | VLAN interface name like “Vlan123”. | ||
description | String | ||||
logging | Dictionary | ||||
event | Dictionary | ||||
link_status | Boolean | ||||
shutdown | Boolean | ||||
vrf | String | VRF name. | |||
arp_aging_timeout | Integer | Min: 1 Max: 65535 |
In seconds. | ||
arp_cache_dynamic_capacity | Integer | Min: 0 Max: 4294967295 |
|||
arp_gratuitous_accept | Boolean | ||||
arp_monitor_mac_address | Boolean | ||||
ip_proxy_arp | Boolean | ||||
ip_directed_broadcast | Boolean | ||||
ip_address | String | IPv4_address/Mask. | |||
ip_address_secondaries | List, items: String | ||||
- <str> | String | IPv4_address/Mask. | |||
ip_virtual_router_addresses | List, items: String | ||||
- <str> | String | IPv4 address or IPv4_address/Mask. | |||
ip_address_virtual | String | IPv4_address/Mask. | |||
ip_address_virtual_secondaries | List, items: String | ||||
- <str> | String | IPv4_address/Mask. | |||
ip_verify_unicast_source_reachable_via | String | Valid Values: - any - rx |
|||
ip_igmp | Boolean | ||||
ip_igmp_version | Integer | Min: 1 Max: 3 |
|||
ip_igmp_host_proxy | Dictionary | ||||
enabled | Boolean | ||||
groups | List, items: Dictionary | ||||
- group | String | Required, Unique | Multicast Address. | ||
exclude | List, items: Dictionary | The same source must not be present both in exclude and include list. |
|||
- source | String | Required, Unique | |||
include | List, items: Dictionary | The same source must not be present both in exclude and include list. |
|||
- source | String | Required, Unique | |||
report_interval | Integer | Min: 1 Max: 31744 |
Time interval between unsolicited reports. | ||
access_lists | List, items: Dictionary | Non-standard Access List name. | |||
- name | String | Required, Unique | |||
version | Integer | Min: 1 Max: 3 |
IGMP version on IGMP host-proxy interface. | ||
ip_helpers | List, items: Dictionary | List of DHCP servers. | |||
- ip_helper | String | Required, Unique | IP address or hostname of DHCP server. | ||
source_interface | String | Interface used as source for forwarded DHCP packets. | |||
vrf | String | VRF where DHCP server can be reached. | |||
ip_dhcp_relay_all_subnets | Boolean | Allow forwarding requests with secondary IP addresses in the gateway address “giaddr” field. | |||
ip_nat | Dictionary | ||||
destination | Dictionary | ||||
dynamic | List, items: Dictionary | ||||
- access_list | String | Required, Unique | |||
comment | String | ||||
pool_name | String | Required | |||
priority | Integer | Min: 0 Max: 4294967295 |
|||
static | List, items: Dictionary | ||||
- access_list | String | ‘access_list’ and ‘group’ are mutually exclusive. | |||
comment | String | ||||
direction | String | Valid Values: - egress - ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutually exclusive. | ||
original_ip | String | IPv4 address. The combination of original_ip and original_port must be unique. |
|||
original_port | Integer | Min: 1 Max: 65535 |
TCP/UDP port. The combination of original_ip and original_port must be unique. |
||
priority | Integer | Min: 0 Max: 4294967295 |
|||
protocol | String | Valid Values: - udp - tcp |
|||
translated_ip | String | Required | IPv4 address. | ||
translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’. | ||
source | Dictionary | ||||
dynamic | List, items: Dictionary | ||||
- access_list | String | Required, Unique | |||
comment | String | ||||
nat_type | String | Required | Valid Values: - overload - pool - pool-address-only - pool-full-cone |
||
pool_name | String | required if ‘nat_type’ is pool, pool-address-only or pool-full-cone. ignored if ‘nat_type’ is overload. |
|||
priority | Integer | Min: 0 Max: 4294967295 |
|||
static | List, items: Dictionary | ||||
- access_list | String | ‘access_list’ and ‘group’ are mutually exclusive. | |||
comment | String | ||||
direction | String | Valid Values: - egress - ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutually exclusive. | ||
original_ip | String | IPv4 address. The combination of original_ip and original_port must be unique. |
|||
original_port | Integer | Min: 1 Max: 65535 |
TCP/UDP port. The combination of original_ip and original_port must be unique. |
||
priority | Integer | Min: 0 Max: 4294967295 |
|||
protocol | String | Valid Values: - udp - tcp |
|||
translated_ip | String | Required | IPv4 address. | ||
translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’. | ||
ipv6_enable | Boolean | ||||
ipv6_address | String | IPv6_address/Mask. | |||
ipv6_address_virtual deprecated | String | IPv6_address/Mask. If both “ipv6_address_virtual” and “ipv6_address_virtuals” are set, all addresses will be configured. This key is deprecated. Support will be removed in AVD version 5.0.0. Use ipv6_address_virtuals instead. |
|||
ipv6_address_virtuals | List, items: String | The new “ipv6_address_virtuals” key supports multiple virtual IPv6 addresses. | |||
- <str> | String | IPv6_address/Mask. | |||
ipv6_address_link_local | String | IPv6_address/Mask. | |||
ipv6_virtual_router_address deprecated | String | “ipv6_virtual_router_address” should not be mixed with the new “ipv6_virtual_router_addresses” key below to avoid conflicts. This key is deprecated. Support will be removed in AVD version 5.0.0. Use ipv6_virtual_router_addresses instead. |
|||
ipv6_virtual_router_addresses | List, items: String | Improved “VARPv6” data model to support multiple VARPv6 addresses. | |||
- <str> | String | IPv6 address or IPv6_address/Mask. | |||
ipv6_nd_ra_disabled | Boolean | ||||
ipv6_nd_managed_config_flag | Boolean | ||||
ipv6_nd_other_config_flag | Boolean | Set the “other stateful configuration” flag in IPv6 router advertisements. | |||
ipv6_nd_cache | Dictionary | IPv6 neighbor cache options. | |||
dynamic_capacity | Integer | Min: 0 Max: 4294967295 |
Capacity of dynamic cache entries. | ||
expire | Integer | Min: 1 Max: 65535 |
Cache entries expiry in seconds. | ||
refresh_always | Boolean | Force refresh on cache expiry. | |||
ipv6_nd_prefixes | List, items: Dictionary | ||||
- ipv6_prefix | String | Required, Unique | IPv6_address/Mask. | ||
valid_lifetime | String | In seconds <0-4294967295> or infinite. | |||
preferred_lifetime | String | In seconds <0-4294967295> or infinite. | |||
no_autoconfig_flag | Boolean | ||||
ipv6_dhcp_relay_destinations | List, items: Dictionary | ||||
- address | String | Required, Unique | DHCP server’s IPv6 address. | ||
vrf | String | ||||
local_interface | String | Local interface to communicate with DHCP server - mutually exclusive to source_address. | |||
source_address | String | Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface. | |||
link_address | String | Override the default link address specified in the relayed DHCP packet. | |||
ipv6_dhcp_relay_all_subnets | Boolean | Allow forwarding requests with additional IPv6 addresses in the gateway address “giaddr” field. | |||
access_group_in | String | IPv4 access-list name. | |||
access_group_out | String | IPv4 access-list name. | |||
ipv6_access_group_in | String | IPv6 access-list name. | |||
ipv6_access_group_out | String | IPv6 access-list name. | |||
multicast | Dictionary | ||||
ipv4 | Dictionary | ||||
boundaries | List, items: Dictionary | Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not a combination of both. | |||
- boundary | String | Required, Unique | IPv4 access-list name or IPv4 multicast group prefix with mask. | ||
out | Boolean | ||||
source_route_export | Dictionary | ||||
enabled | Boolean | Required | |||
administrative_distance | Integer | Min: 1 Max: 255 |
|||
static | Boolean | ||||
ipv6 | Dictionary | ||||
boundaries | List, items: Dictionary | Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not a combination of both. | |||
- boundary | String | Required, Unique | IPv6 access-list name or IPv6 multicast group prefix with mask. | ||
source_route_export | Dictionary | ||||
enabled | Boolean | Required | |||
administrative_distance | Integer | Min: 1 Max: 255 |
|||
static | Boolean | ||||
ospf_network_point_to_point | Boolean | ||||
ospf_area | String | ||||
ospf_cost | Integer | ||||
ospf_authentication | String | Valid Values: - none - simple - message-digest |
|||
ospf_authentication_key | String | Encrypted password used for simple authentication. | |||
ospf_message_digest_keys | List, items: Dictionary | Keys used for message-digest authentication. | |||
- id | Integer | Required, Unique | |||
hash_algorithm | String | Valid Values: - md5 - sha1 - sha256 - sha384 - sha512 |
|||
key | String | Encrypted password. | |||
pim | Dictionary | ||||
ipv4 | Dictionary | ||||
border_router | Boolean | Configure PIM border router. EOS default is false. | |||
dr_priority | Integer | Min: 0 Max: 429467295 |
|||
sparse_mode | Boolean | ||||
local_interface | String | ||||
bfd | Boolean | Set the default for whether Bidirectional Forwarding Detection is enabled for PIM. | |||
bidirectional | Boolean | ||||
hello | Dictionary | ||||
count | String | Number of missed hellos after which the neighbor expires. Range <1.5-65535>. | |||
interval | Integer | Min: 1 Max: 65535 |
PIM hello interval in seconds. | ||
isis_enable | String | ISIS instance name. | |||
isis_bfd | Boolean | Enable BFD for ISIS. | |||
isis_passive | Boolean | ||||
isis_metric | Integer | ||||
isis_network_point_to_point | Boolean | ||||
mtu | Integer | ||||
no_autostate | Boolean | ||||
vrrp_ids | List, items: Dictionary | Improved “vrrp” data model to support multiple VRRP IDs. | |||
- id | Integer | Required, Unique | VRID. | ||
priority_level | Integer | Min: 1 Max: 254 |
Instance priority. | ||
advertisement | Dictionary | ||||
interval | Integer | Min: 1 Max: 255 |
Interval in seconds. | ||
preempt | Dictionary | ||||
enabled | Boolean | Required | |||
delay | Dictionary | ||||
minimum | Integer | Min: 0 Max: 3600 |
Minimum preempt delay in seconds. | ||
reload | Integer | Min: 0 Max: 3600 |
Reload preempt delay in seconds. | ||
timers | Dictionary | ||||
delay | Dictionary | ||||
reload | Integer | Min: 0 Max: 3600 |
Delay after reload in seconds. | ||
tracked_object | List, items: Dictionary | ||||
- name | String | Required, Unique | Tracked object name. | ||
decrement | Integer | Min: 1 Max: 254 |
Decrement VRRP priority by 1-254. | ||
shutdown | Boolean | ||||
ipv4 | Dictionary | ||||
address | String | Required | Virtual IPv4 address. | ||
version | Integer | Valid Values: - 2 - 3 |
|||
ipv6 | Dictionary | ||||
address | String | Required | Virtual IPv6 address. | ||
vrrp deprecated | Dictionary | “vrrp” should not be mixed with the new “vrrp_ids” key above to avoid conflicts. This key is deprecated. Support will be removed in AVD version 5.0.0. Use vrrp_ids instead. |
|||
virtual_router | String | Virtual Router ID. | |||
priority | Integer | Instance priority. | |||
advertisement_interval | Integer | ||||
preempt_delay_minimum | Integer | ||||
ipv4 | String | Virtual IPv4 address. | |||
ipv6 | String | Virtual IPv6 address. | |||
ip_attached_host_route_export | Dictionary | ||||
enabled | Boolean | Required | |||
distance | Integer | Min: 1 Max: 255 |
|||
ipv6_attached_host_route_export | Dictionary | ||||
enabled | Boolean | Required | |||
distance | Integer | Min: 1 Max: 255 |
Administrative distance for generated routes. | ||
prefix_length | Integer | Min: 0 Max: 128 |
Prefix length for generated routes. | ||
bfd | Dictionary | ||||
echo | Boolean | ||||
interval | Integer | Rate in milliseconds. | |||
min_rx | Integer | Minimum RX hold time in milliseconds. | |||
multiplier | Integer | Min: 3 Max: 50 |
|||
service_policy | Dictionary | ||||
pbr | Dictionary | ||||
input | String | Name of policy-map used for policy based routing. | |||
pvlan_mapping | String | List of VLANs as string. | |||
tenant | String | Key only used for documentation or validation purposes. | |||
tags | List, items: String | Key only used for documentation or validation purposes. | |||
- <str> | String | ||||
type | String | Key only used for documentation or validation purposes. | |||
eos_cli | String | Multiline EOS CLI rendered directly on the VLAN interface in the final EOS configuration. |
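Several rules in the Tunnel interfaces and VLAN interfaces tables above are stated only in the Description column (`ipsec_profile` tied to `tunnel_mode: ipsec`, IGMP host-proxy `include`/`exclude` overlap, the static and dynamic NAT key dependencies). The following pre-render lint for those rules is an added example, not code from AVD; the function names, the `defined_profiles` parameter and the sample data are assumptions constructed for illustration.

```python
# Added example: cross-field lint for eos_cli_config_gen input (not AVD code).
POOL_TYPES = {"pool", "pool-address-only", "pool-full-cone"}

def lint_tunnel(tun, defined_profiles):
    errs, name, profile = [], tun.get("name", "?"), tun.get("ipsec_profile")
    if profile is not None:
        # A profile on a non-ipsec tunnel is unused: traffic is not encrypted.
        if tun.get("tunnel_mode") != "ipsec":
            errs.append(f"{name}: ipsec_profile set but tunnel_mode is not ipsec")
        if profile not in defined_profiles:
            errs.append(f"{name}: ipsec_profile {profile!r} is not defined")
    return errs

def lint_nat_static(path, rules):
    errs, seen = [], set()
    for i, r in enumerate(rules):
        if "access_list" in r and "group" in r:
            errs.append(f"{path}[{i}]: access_list and group are mutually exclusive")
        if "translated_port" in r and "original_port" not in r:
            errs.append(f"{path}[{i}]: translated_port requires original_port")
        key = (r.get("original_ip"), r.get("original_port"))
        if key[0] is not None and key in seen:
            errs.append(f"{path}[{i}]: duplicate original_ip/original_port")
        seen.add(key)
    return errs

def lint_vlan_interface(svi):
    errs, name = [], svi.get("name", "?")
    for grp in svi.get("ip_igmp_host_proxy", {}).get("groups", []):
        inc = {s["source"] for s in grp.get("include", [])}
        exc = {s["source"] for s in grp.get("exclude", [])}
        for src in sorted(inc & exc):
            errs.append(f"{name}: group {grp['group']}: {src} in include and exclude")
    nat = svi.get("ip_nat", {})
    for side in ("destination", "source"):
        static = nat.get(side, {}).get("static", [])
        errs += lint_nat_static(f"{name}: ip_nat.{side}.static", static)
    for i, r in enumerate(nat.get("source", {}).get("dynamic", [])):
        if r.get("nat_type") in POOL_TYPES and not r.get("pool_name"):
            errs.append(f"{name}: ip_nat.source.dynamic[{i}]: pool_name required")
    return errs

def lint(config, defined_profiles=frozenset()):
    errs = []
    for tun in config.get("tunnel_interfaces", []):
        errs += lint_tunnel(tun, defined_profiles)
    for svi in config.get("vlan_interfaces", []):
        errs += lint_vlan_interface(svi)
    return errs

# Constructed sample input (documentation address ranges, made-up names).
SAMPLE = {
    "tunnel_interfaces": [
        {"name": "Tunnel1", "tunnel_mode": "gre", "ipsec_profile": "PROF-A"},
        {"name": "Tunnel2", "tunnel_mode": "ipsec", "ipsec_profile": "PROF-A"}],
    "vlan_interfaces": [{
        "name": "Vlan123",
        "ip_igmp_host_proxy": {"groups": [{
            "group": "239.1.1.1",
            "include": [{"source": "192.0.2.10"}],
            "exclude": [{"source": "192.0.2.10"}, {"source": "192.0.2.11"}]}]},
        "ip_nat": {
            "destination": {"static": [
                {"original_ip": "198.51.100.5", "original_port": 443,
                 "translated_ip": "10.0.0.5", "translated_port": 8443},
                {"original_ip": "198.51.100.5", "original_port": 443,
                 "translated_ip": "10.0.0.6"},
                {"original_ip": "198.51.100.7", "translated_ip": "10.0.0.7",
                 "translated_port": 22}]},
            "source": {
                "static": [{"access_list": "ACL-NAT", "group": 10,
                            "translated_ip": "203.0.113.1"}],
                "dynamic": [{"access_list": "ACL-A", "nat_type": "pool"},
                            {"access_list": "ACL-B", "nat_type": "overload"}]}}}],
}
```

Calling `lint(SAMPLE, {"PROF-A"})` returns six findings; the uniqueness check is applied per `static` list, which is an assumption about the scope of the rule.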
vlan_interfaces:
# VLAN interface name like "Vlan123".
- name: <str; required; unique>
description: <str>
logging:
event:
link_status: <bool>
shutdown: <bool>
# VRF name.
vrf: <str>
# In seconds.
arp_aging_timeout: <int; 1-65535>
arp_cache_dynamic_capacity: <int; 0-4294967295>
arp_gratuitous_accept: <bool>
arp_monitor_mac_address: <bool>
ip_proxy_arp: <bool>
ip_directed_broadcast: <bool>
# IPv4_address/Mask.
ip_address: <str>
ip_address_secondaries:
# IPv4_address/Mask.
- <str>
ip_virtual_router_addresses:
# IPv4 address or IPv4_address/Mask.
- <str>
# IPv4_address/Mask.
ip_address_virtual: <str>
ip_address_virtual_secondaries:
# IPv4_address/Mask.
- <str>
ip_verify_unicast_source_reachable_via: <str; "any" | "rx">
ip_igmp: <bool>
ip_igmp_version: <int; 1-3>
ip_igmp_host_proxy:
enabled: <bool>
groups:
# Multicast Address.
- group: <str; required; unique>
# The same source must not be present both in `exclude` and `include` list.
exclude:
- source: <str; required; unique>
# The same source must not be present both in `exclude` and `include` list.
include:
- source: <str; required; unique>
# Time interval between unsolicited reports.
report_interval: <int; 1-31744>
# Non-standard Access List name.
access_lists:
- name: <str; required; unique>
# IGMP version on IGMP host-proxy interface.
version: <int; 1-3>
# List of DHCP servers.
ip_helpers:
# IP address or hostname of DHCP server.
- ip_helper: <str; required; unique>
# Interface used as source for forwarded DHCP packets.
source_interface: <str>
# VRF where DHCP server can be reached.
vrf: <str>
# Allow forwarding requests with secondary IP addresses in the gateway address "giaddr" field.
ip_dhcp_relay_all_subnets: <bool>
ip_nat:
destination:
dynamic:
- access_list: <str; required; unique>
comment: <str>
pool_name: <str; required>
priority: <int; 0-4294967295>
static:
# 'access_list' and 'group' are mutually exclusive.
- access_list: <str>
comment: <str>
# Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
# EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
direction: <str; "egress" | "ingress">
# 'access_list' and 'group' are mutually exclusive.
group: <int; 1-65535>
# IPv4 address. The combination of `original_ip` and `original_port` must be unique.
original_ip: <str>
# TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
original_port: <int; 1-65535>
priority: <int; 0-4294967295>
protocol: <str; "udp" | "tcp">
# IPv4 address.
translated_ip: <str; required>
# requires 'original_port'.
translated_port: <int; 1-65535>
source:
dynamic:
- access_list: <str; required; unique>
comment: <str>
nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>
# required if 'nat_type' is pool, pool-address-only or pool-full-cone.
# ignored if 'nat_type' is overload.
pool_name: <str>
priority: <int; 0-4294967295>
static:
# 'access_list' and 'group' are mutually exclusive.
- access_list: <str>
comment: <str>
# Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
# EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
direction: <str; "egress" | "ingress">
# 'access_list' and 'group' are mutually exclusive.
group: <int; 1-65535>
# IPv4 address. The combination of `original_ip` and `original_port` must be unique.
original_ip: <str>
# TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
original_port: <int; 1-65535>
priority: <int; 0-4294967295>
protocol: <str; "udp" | "tcp">
# IPv4 address.
translated_ip: <str; required>
# requires 'original_port'.
translated_port: <int; 1-65535>
ipv6_enable: <bool>
# IPv6_address/Mask.
ipv6_address: <str>
# IPv6_address/Mask.
# If both "ipv6_address_virtual" and "ipv6_address_virtuals" are set, all addresses will be configured.
# This key is deprecated.
# Support will be removed in AVD version 5.0.0.
# Use `ipv6_address_virtuals` instead.
ipv6_address_virtual: <str>
# The new "ipv6_address_virtuals" key supports multiple virtual IPv6 addresses.