Input variables for eos_cli_config_gen¶
This document describes the supported input variables for the role arista.avd.eos_cli_config_gen
.
Since several data models have changed between AVD versions 4.x and 5.x, it is recommended to study the Porting Guide for AVD 5.x.x for existing deployments.
The input variables are documented below in tables and YAML.
All values are optional.
Note
All input variables are validated by a schema. If additional custom keys are desired, a key starting with an underscore _
, will be ignored.
Warning
Available features and variables may vary by platforms, refer to documentation on arista.com for specifics.
Authentication¶
AAA accounting¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
aaa_accounting | Dictionary | ||||
exec | Dictionary | ||||
console | Dictionary | ||||
type | String | Valid Values: - none - start-stop - stop-only |
|||
group | String | Group Name. | |||
logging | Boolean | ||||
default | Dictionary | ||||
type | String | Valid Values: - none - start-stop - stop-only |
|||
group | String | Group Name. | |||
logging | Boolean | ||||
system | Dictionary | ||||
default | Dictionary | ||||
type | String | Valid Values: - none - start-stop - stop-only |
|||
group | String | Group Name. | |||
dot1x | Dictionary | ||||
default | Dictionary | ||||
type | String | Valid Values: - start-stop - stop-only |
|||
group | String | Group Name. | |||
commands | Dictionary | ||||
console | List, items: Dictionary | ||||
- commands | String | Privilege level ‘all’ or 0-15. | |||
type | String | Valid Values: - none - start-stop - stop-only |
|||
group | String | Group Name. | |||
logging | Boolean | ||||
default | List, items: Dictionary | ||||
- commands | String | Privilege level ‘all’ or 0-15. | |||
type | String | Valid Values: - none - start-stop - stop-only |
|||
group | String | Group Name. | |||
logging | Boolean |
aaa_accounting:
exec:
console:
type: <str; "none" | "start-stop" | "stop-only">
# Group Name.
group: <str>
logging: <bool>
default:
type: <str; "none" | "start-stop" | "stop-only">
# Group Name.
group: <str>
logging: <bool>
system:
default:
type: <str; "none" | "start-stop" | "stop-only">
# Group Name.
group: <str>
dot1x:
default:
type: <str; "start-stop" | "stop-only">
# Group Name.
group: <str>
commands:
console:
# Privilege level 'all' or 0-15.
- commands: <str>
type: <str; "none" | "start-stop" | "stop-only">
# Group Name.
group: <str>
logging: <bool>
default:
# Privilege level 'all' or 0-15.
- commands: <str>
type: <str; "none" | "start-stop" | "stop-only">
# Group Name.
group: <str>
logging: <bool>
AAA authentication¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
aaa_authentication | Dictionary | ||||
login | Dictionary | ||||
default | String | Login authentication method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group radius group MYGROUP local” |
|||
console | String | Console authentication method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group radius group MYGROUP local” |
|||
enable | Dictionary | ||||
default | String | Enable authentication method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group radius group MYGROUP local” |
|||
dot1x | Dictionary | ||||
default | String | 802.1x authentication method(s) as a string. Examples: - “group radius” - “group MYGROUP group radius” |
|||
policies | Dictionary | ||||
on_failure_log | Boolean | ||||
on_success_log | Boolean | ||||
local | Dictionary | ||||
allow_nopassword | Boolean | ||||
lockout | Dictionary | ||||
failure | Integer | Min: 1 Max: 255 |
|||
duration | Integer | Min: 1 Max: 4294967295 |
|||
window | Integer | Min: 1 Max: 4294967295 |
aaa_authentication:
login:
# Login authentication method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group radius group MYGROUP local"
default: <str>
# Console authentication method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group radius group MYGROUP local"
console: <str>
enable:
# Enable authentication method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group radius group MYGROUP local"
default: <str>
dot1x:
# 802.1x authentication method(s) as a string.
# Examples:
# - "group radius"
# - "group MYGROUP group radius"
default: <str>
policies:
on_failure_log: <bool>
on_success_log: <bool>
local:
allow_nopassword: <bool>
lockout:
failure: <int; 1-255>
duration: <int; 1-4294967295>
window: <int; 1-4294967295>
AAA authorization¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
aaa_authorization | Dictionary | ||||
policy | Dictionary | ||||
local_default_role | String | ||||
exec | Dictionary | ||||
default | String | Exec authorization method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group radius group MYGROUP local” |
|||
config_commands | Boolean | ||||
serial_console | Boolean | ||||
dynamic | Dictionary | ||||
dot1x_additional_groups | List, items: String | Min Length: 1 | |||
- <str> | String | ||||
commands | Dictionary | ||||
all_default | String | Command authorization method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group tacacs+ group MYGROUP local |
|||
privilege | List, items: Dictionary | ||||
- level | String | Privilege level(s) 0-15. | |||
default | String | Command authorization method(s) as a string. Examples: - “group tacacs+ local” - “group MYGROUP none” - “group tacacs+ group MYGROUP local” |
aaa_authorization:
policy:
local_default_role: <str>
exec:
# Exec authorization method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group radius group MYGROUP local"
default: <str>
config_commands: <bool>
serial_console: <bool>
dynamic:
dot1x_additional_groups: # >=1 items
- <str>
commands:
# Command authorization method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group tacacs+ group MYGROUP local
all_default: <str>
privilege:
# Privilege level(s) 0-15.
- level: <str>
# Command authorization method(s) as a string.
# Examples:
# - "group tacacs+ local"
# - "group MYGROUP none"
# - "group tacacs+ group MYGROUP local"
default: <str>
AAA root¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
aaa_root | Dictionary | ||||
disabled | Boolean | Set to true to configure no aaa root which is the EOS default. |
|||
secret | Dictionary | ||||
sha512_password | String |
AAA server groups¶
Enable password¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
enable_password | Dictionary | ||||
disabled | Boolean | Set to true to configure no enable password which is the EOS default. |
|||
hash_algorithm | String | Valid Values: - md5 - sha512 |
|||
key | String | Must be the hash of the password using the specified algorithm. By default EOS salts the password, so the simplest is to generate the hash on an EOS device. |
enable_password:
# Set to `true` to configure `no enable password` which is the EOS default.
disabled: <bool>
hash_algorithm: <str; "md5" | "sha512">
# Must be the hash of the password using the specified algorithm.
# By default EOS salts the password, so the simplest is to generate the hash on an EOS device.
key: <str>
IP radius source-interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_radius_source_interfaces | List, items: Dictionary | ||||
- name | String | Interface Name. | |||
vrf | String | VRF Name. |
IP tacacs source-interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_tacacs_source_interfaces | List, items: Dictionary | ||||
- name | String | Interface name. | |||
vrf | String |
Local users¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
local_users | List, items: Dictionary | ||||
- name | String | Required, Unique | Username. | ||
disabled | Boolean | If true, the user will be removed and all other settings are ignored. Useful for removing the default “admin” user. |
|||
privilege | Integer | Min: 0 Max: 15 |
Initial privilege level with local EXEC authorization. |
||
role | String | EOS RBAC Role to be assigned to the user such as “network-admin” or “network-operator”. |
|||
sha512_password | String | SHA512 Hash of Password. Must be the hash of the password. By default EOS salts the password with the username, so the simplest is to generate the hash on an EOS device using the same username. |
|||
no_password | Boolean | If set a password will not be configured for this user. “sha512_password” MUST not be defined for this user. |
|||
ssh_key | String | ||||
secondary_ssh_key | String | ||||
shell | String | Valid Values: - /bin/bash - /bin/sh - /sbin/nologin |
Specify shell for the user. |
local_users:
# Username.
- name: <str; required; unique>
# If true, the user will be removed and all other settings are ignored.
# Useful for removing the default "admin" user.
disabled: <bool>
# Initial privilege level with local EXEC authorization.
privilege: <int; 0-15>
# EOS RBAC Role to be assigned to the user such as "network-admin" or "network-operator".
role: <str>
# SHA512 Hash of Password.
# Must be the hash of the password. By default EOS salts the password with the username, so the simplest is to generate the hash on an EOS device using the same username.
sha512_password: <str>
# If set a password will not be configured for this user. "sha512_password" MUST not be defined for this user.
no_password: <bool>
ssh_key: <str>
secondary_ssh_key: <str>
# Specify shell for the user.
shell: <str; "/bin/bash" | "/bin/sh" | "/sbin/nologin">
Radius server¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
radius_server | Dictionary | ||||
attribute_32_include_in_access_req | Dictionary | ||||
hostname | Boolean | ||||
format | String | Specify the format of the NAS-Identifier. If ‘hostname’ is set, this is ignored. | |||
deadtime | Integer | Min: 1 Max: 1000 |
Time to skip a non-responsive server in minutes. | ||
dynamic_authorization | Dictionary | ||||
port | Integer | Min: 0 Max: 65535 |
TCP Port. | ||
tls_ssl_profile | String | Name of TLS profile. | |||
hosts | List, items: Dictionary | ||||
- host | String | Required, Unique | Host IP address or name. | ||
vrf | String | ||||
tls | Dictionary | When TLS is configured, key is ignored.. |
|||
enabled | Boolean | Enable TLS for radius-server. | |||
ssl_profile | String | Name of TLS profile. | |||
port | Integer | Min: 0 Max: 65535 |
TCP Port used for TLS. EOS default is 2083. | ||
timeout | Integer | Min: 1 Max: 1000 |
|||
retransmit | Integer | Min: 0 Max: 100 |
|||
key | String | Encrypted key - only type 7 supported. When TLS is configured, key is ignored. |
|||
tls_ssl_profile | String | Name of global TLS profile. | |||
radius_servers removed | List | This key was removed. Support was removed in AVD version v5.0.0. Use radius_server.hosts instead. |
radius_server:
attribute_32_include_in_access_req:
hostname: <bool>
# Specify the format of the NAS-Identifier. If 'hostname' is set, this is ignored.
format: <str>
# Time to skip a non-responsive server in minutes.
deadtime: <int; 1-1000>
dynamic_authorization:
# TCP Port.
port: <int; 0-65535>
# Name of TLS profile.
tls_ssl_profile: <str>
hosts:
# Host IP address or name.
- host: <str; required; unique>
vrf: <str>
# When TLS is configured, `key` is ignored..
tls:
# Enable TLS for radius-server.
enabled: <bool>
# Name of TLS profile.
ssl_profile: <str>
# TCP Port used for TLS. EOS default is 2083.
port: <int; 0-65535>
timeout: <int; 1-1000>
retransmit: <int; 0-100>
# Encrypted key - only type 7 supported.
# When TLS is configured, `key` is ignored.
key: <str>
# Name of global TLS profile.
tls_ssl_profile: <str>
Roles¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
roles | List, items: Dictionary | ||||
- name | String | Required, Unique | Role name. | ||
sequence_numbers | List, items: Dictionary | ||||
- sequence | Integer | Sequence number. | |||
action | String | Valid Values: - permit - deny |
|||
mode | String | “config”, “config-all”, “exec” or mode key as string. |
|||
command | String | Command as string. |
Tacacs servers¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
tacacs_servers | Dictionary | ||||
timeout | Integer | Min: 1 Max: 1000 |
Timeout in seconds. | ||
hosts | List, items: Dictionary | ||||
- host | String | Host IP address or name. | |||
vrf | String | ||||
key | String | Encrypted key. | |||
key_type | String | 7 |
Valid Values: - 0 - 7 - 8a |
||
single_connection | Boolean | ||||
timeout | Integer | Min: 1 Max: 1000 |
Timeout in seconds. | ||
policy_unknown_mandatory_attribute_ignore | Boolean |
tacacs_servers:
# Timeout in seconds.
timeout: <int; 1-1000>
hosts:
# Host IP address or name.
- host: <str>
vrf: <str>
# Encrypted key.
key: <str>
key_type: <str; "0" | "7" | "8a"; default="7">
single_connection: <bool>
# Timeout in seconds.
timeout: <int; 1-1000>
policy_unknown_mandatory_attribute_ignore: <bool>
ACLs¶
IP Extended access-lists¶
AVD currently supports two different data models for extended ACLs:
- The legacy
access_lists
data model, for compatibility with existing deployments - The improved
ip_access_lists
data model, for access to more EOS features
Both data models can coexists without conflicts, as different keys are used: access_lists
vs ip_access_lists
.
Access list names must be unique.
The legacy data model supports simplified ACL definition with sequence
to action
mapping:
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
access_lists | List, items: Dictionary | ||||
- name | String | Required, Unique | Access-list Name. | ||
counters_per_entry | Boolean | ||||
permit_response_traffic | String | Valid Values: - nat |
Permit response traffic automatically based on NAT translations. Minimum EOS version requirement 4.32.2F. |
||
sequence_numbers | List, items: Dictionary | Required | |||
- sequence | Integer | Required, Unique | Sequence ID. | ||
action | String | Required | Action as string. Example: “deny ip any any” |
access_lists:
# Access-list Name.
- name: <str; required; unique>
counters_per_entry: <bool>
# Permit response traffic automatically based on NAT translations.
# Minimum EOS version requirement 4.32.2F.
permit_response_traffic: <str; "nat">
sequence_numbers: # required
# Sequence ID.
- sequence: <int; required; unique>
# Action as string.
# Example: "deny ip any any"
action: <str; required>
The improved data model has a more sophisticated design documented below:
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_access_lists | List, items: Dictionary | ||||
- name | String | Required, Unique | Access-list Name. | ||
counters_per_entry | Boolean | ||||
entries | List, items: Dictionary | ACL Entries. | |||
- sequence | Integer | ACL entry sequence number. | |||
remark | String | Comment up to 100 characters. If remark is defined, other keys in the ACL entry will be ignored. |
|||
action | String | Valid Values: - permit - deny |
ACL action. Required except for remarks. |
||
protocol | String | “ip”, “tcp”, “udp”, “icmp” or other protocol name or number. Required except for remarks. |
|||
source | String | “any”, “ “ Required except for remarks. |
|||
source_ports_match | String | eq |
Valid Values: - eq - gt - lt - neq - range |
||
source_ports | List, items: String | Min Length: 1 | |||
- <str> | String | TCP/UDP source port name or number. | |||
destination | String | “any”, “ “ Required except for remarks. |
|||
destination_ports_match | String | eq |
Valid Values: - eq - gt - lt - neq - range |
||
destination_ports | List, items: String | Min Length: 1 | |||
- <str> | String | TCP/UDP destination port name or number. | |||
tcp_flags | List, items: String | ||||
- <str> | String | TCP Flag Name. | |||
fragments | Boolean | Match non-head fragment packets. | |||
log | Boolean | Log matches against this rule. | |||
ttl | Integer | Min: 0 Max: 255 |
TTL value. | ||
ttl_match | String | eq |
Valid Values: - eq - gt - lt - neq |
||
icmp_type | String | Message type name/number for ICMP packets. | |||
icmp_code | String | Message code for ICMP packets. | |||
nexthop_group | String | nexthop-group name. | |||
tracked | Boolean | Match packets in existing ICMP/UDP/TCP connections. | |||
dscp | String | DSCP value or name. | |||
vlan_number | Integer | ||||
vlan_inner | Boolean | False |
|||
vlan_mask | String | 0x000-0xFFF VLAN mask. | |||
permit_response_traffic | String | Valid Values: - nat |
Permit response traffic automatically based on NAT translations. Minimum EOS version requirement 4.32.2F. |
ip_access_lists:
# Access-list Name.
- name: <str; required; unique>
counters_per_entry: <bool>
# ACL Entries.
entries:
# ACL entry sequence number.
- sequence: <int>
# Comment up to 100 characters.
# If remark is defined, other keys in the ACL entry will be ignored.
remark: <str>
# ACL action.
# Required except for remarks.
action: <str; "permit" | "deny">
# "ip", "tcp", "udp", "icmp" or other protocol name or number.
# Required except for remarks.
protocol: <str>
# "any", "<ip>/<mask>" or "<ip>".
# "<ip>" without a mask means host.
# Required except for remarks.
source: <str>
source_ports_match: <str; "eq" | "gt" | "lt" | "neq" | "range"; default="eq">
source_ports: # >=1 items
# TCP/UDP source port name or number.
- <str>
# "any", "<ip>/<mask>" or "<ip>".
# "<ip>" without a mask means host.
# Required except for remarks.
destination: <str>
destination_ports_match: <str; "eq" | "gt" | "lt" | "neq" | "range"; default="eq">
destination_ports: # >=1 items
# TCP/UDP destination port name or number.
- <str>
tcp_flags:
# TCP Flag Name.
- <str>
# Match non-head fragment packets.
fragments: <bool>
# Log matches against this rule.
log: <bool>
# TTL value.
ttl: <int; 0-255>
ttl_match: <str; "eq" | "gt" | "lt" | "neq"; default="eq">
# Message type name/number for ICMP packets.
icmp_type: <str>
# Message code for ICMP packets.
icmp_code: <str>
# nexthop-group name.
nexthop_group: <str>
# Match packets in existing ICMP/UDP/TCP connections.
tracked: <bool>
# DSCP value or name.
dscp: <str>
vlan_number: <int>
vlan_inner: <bool; default=False>
# 0x000-0xFFF VLAN mask.
vlan_mask: <str>
# Permit response traffic automatically based on NAT translations.
# Minimum EOS version requirement 4.32.2F.
permit_response_traffic: <str; "nat">
The improved data model allows to limit the number of ACL entries that AVD is allowed to generate by defining ip_access_lists_max_entries
.
Only normal entries under ip_access_lists
will be counted, remarks will be ignored.
If the number is above the limit, the playbook will fail. This provides a simplified control over hardware utilization.
The numbers must be based on the hardware tests and AVD does not provide any guidance. Note that other EOS features may use the same hardware resources and affect the supported scale.
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_access_lists_max_entries | Integer | Limit ACL entries defined under the ip_access_lists . |
IPv6 access-lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ipv6_access_lists | List, items: Dictionary | ||||
- name | String | Required, Unique | IPv6 Access-list Name. | ||
counters_per_entry | Boolean | ||||
sequence_numbers | List, items: Dictionary | Required | |||
- sequence | Integer | Required, Unique | Sequence ID. | ||
action | String | Required | Action as string. Example: “deny ipv6 any any” |
IPv6 standard access-lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ipv6_standard_access_lists | List, items: Dictionary | ||||
- name | String | Required, Unique | Access-list Name. | ||
counters_per_entry | Boolean | ||||
sequence_numbers | List, items: Dictionary | Required | |||
- sequence | Integer | Required, Unique | Sequence ID. | ||
action | String | Required | Action as string. Example: “deny ipv6 any any” |
MAC access-lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
mac_access_lists | List, items: Dictionary | ||||
- name | String | Required, Unique | MAC Access-list Name. | ||
counters_per_entry | Boolean | ||||
entries | List, items: Dictionary | ||||
- sequence | Integer | ||||
action | String |
Standard access-lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
standard_access_lists | List, items: Dictionary | ||||
- name | String | Required, Unique | Access-list Name. | ||
counters_per_entry | Boolean | ||||
sequence_numbers | List, items: Dictionary | Required | |||
- sequence | Integer | Required, Unique | Sequence ID. | ||
action | String | Required | Action as string. Example: “deny ip any any” |
Endpoint Security¶
Address-locking¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
address_locking | Dictionary | ||||
dhcp_servers_ipv4 | List, items: String | ||||
- <str> | String | DHCP server IPv4 address. | |||
disabled | Boolean | Disable IP locking on configured ports. | |||
leases | List, items: Dictionary | ||||
- ip | String | Required | IP address. | ||
mac | String | Required | MAC address (hhhh.hhhh.hhhh or hh:hh:hh:hh:hh:hh). | ||
local_interface | String | ||||
locked_address | Dictionary | ||||
expiration_mac_disabled | Boolean | Configure deauthorizing locked addresses upon MAC aging out. | |||
ipv4_enforcement_disabled | Boolean | Configure enforcement for locked IPv4 addresses. | |||
ipv6_enforcement_disabled | Boolean | Configure enforcement for locked IPv6 addresses. |
address_locking:
dhcp_servers_ipv4:
# DHCP server IPv4 address.
- <str>
# Disable IP locking on configured ports.
disabled: <bool>
leases:
# IP address.
- ip: <str; required>
# MAC address (hhhh.hhhh.hhhh or hh:hh:hh:hh:hh:hh).
mac: <str; required>
local_interface: <str>
locked_address:
# Configure deauthorizing locked addresses upon MAC aging out.
expiration_mac_disabled: <bool>
# Configure enforcement for locked IPv4 addresses.
ipv4_enforcement_disabled: <bool>
# Configure enforcement for locked IPv6 addresses.
ipv6_enforcement_disabled: <bool>
Dot1x¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
dot1x | Dictionary | ||||
system_auth_control | Boolean | ||||
protocol_lldp_bypass | Boolean | ||||
protocol_bpdu_bypass | Boolean | ||||
dynamic_authorization | Boolean | ||||
mac_based_authentication | Dictionary | ||||
delay | Integer | Min: 0 Max: 300 |
|||
hold_period | Integer | Min: 1 Max: 300 |
|||
radius_av_pair_username_format | Dictionary | RADIUS AV-pair username settings. | |||
delimiter | String | Required | Valid Values: - colon - hyphen - none - period |
Delimiter to use in MAC address string. | |
mac_string_case | String | Required | Valid Values: - lowercase - uppercase |
MAC address string in lowercase/uppercase. | |
radius_av_pair | Dictionary | ||||
service_type | Boolean | ||||
framed_mtu | Integer | Min: 68 Max: 9236 |
|||
lldp | Dictionary | ||||
system_name | Dictionary | LLDP system name (LLDP TLV 5) av-pair. | |||
enabled | Boolean | Required | |||
auth_only | Boolean | ||||
system_description | Dictionary | LLDP system description (LLDP TLV 6) av-pair. | |||
enabled | Boolean | Required | |||
auth_only | Boolean | ||||
dhcp | Dictionary | ||||
hostname | Dictionary | Hostname (DHCP Option 12). | |||
enabled | Boolean | Required | |||
auth_only | Boolean | ||||
parameter_request_list | Dictionary | Parameters requested by host (DHCP Option 55). | |||
enabled | Boolean | Required | |||
auth_only | Boolean | ||||
vendor_class_id | Dictionary | Vendor class identifier (DHCP Option 60). | |||
enabled | Boolean | Required | |||
auth_only | Boolean | ||||
aaa | Dictionary | Configure AAA parameters. | |||
unresponsive | Dictionary | Configure AAA timeout options. | |||
eap_response | String | Valid Values: - success - disabled |
EAP response to send. | ||
action | Dictionary | Set action for supplicant when AAA times out. | |||
apply_cached_results | Boolean | Use results from a previous AAA response. | |||
cached_results_timeout | Dictionary | ||||
time_duration | Integer | Min: 1 | Enable caching for a specific duration - <1-10000> duration in days <1-14400000> duration in minutes <1-240000> duration in hours <1-864000000> duration in seconds |
||
time_duration_unit | String | Required | Valid Values: - days - hours - minutes - seconds |
||
apply_alternate | Boolean | Apply alternate action if primary action fails. eg. aaa unresponsive action apply cached-results else traffic allow |
|||
traffic_allow | Boolean | Set action for supplicant traffic when AAA times out. | |||
traffic_allow_vlan | Integer | Min: 1 Max: 4094 |
|||
phone_action | Dictionary | Set action for supplicant when AAA times out. | |||
apply_cached_results | Boolean | Use results from a previous AAA response. | |||
cached_results_timeout | Dictionary | ||||
time_duration | Integer | Min: 1 | Enable caching for a specific duration - <1-10000> duration in days <1-14400000> duration in minutes <1-240000> duration in hours <1-864000000> duration in seconds |
||
time_duration_unit | String | Required | Valid Values: - days - hours - minutes - seconds |
||
apply_alternate | Boolean | Apply alternate action if primary action fails. eg. aaa unresponsive phone action apply cached-results else traffic allow |
|||
traffic_allow | Boolean | Set action for supplicant traffic when AAA times out. | |||
recovery_action_reauthenticate | Boolean | ||||
accounting_update_interval | Integer | Min: 5 Max: 65535 |
Interval period in seconds. | ||
captive_portal | Dictionary | Web authentication feature authenticates a supplicant through a web page, referred to as a captive portal. | |||
enabled | Boolean | Required | |||
url | String | Supported URL type: - http: http:// - https: https:// |
|||
ssl_profile | String | ||||
start_limit_infinite | Boolean | Set captive-portal start limit to infinite. | |||
access_list_ipv4 | String | Standard access-list name. | |||
supplicant | Dictionary | ||||
profiles | List, items: Dictionary | Dot1x supplicant profiles. | |||
- name | String | Required, Unique | |||
eap_method | String | Valid Values: - fast - tls |
Extensible Authentication Protocol method: - EAP Flexible Authentication via Secure Tunneling. - EAP with Transport Layer Security. |
||
identity | String | User identity. | |||
passphrase_type | String | 7 |
Valid Values: - 0 - 7 - 8a |
||
passphrase | String | Extensible Authentication Protocol password. | |||
ssl_profile | String | ||||
logging | Boolean | Enable supplicant logging. | |||
disconnect_cached_results_timeout | Integer | Min: 60 Max: 65535 |
Timeout in seconds for removing a disconnected supplicant. |
dot1x:
system_auth_control: <bool>
protocol_lldp_bypass: <bool>
protocol_bpdu_bypass: <bool>
dynamic_authorization: <bool>
mac_based_authentication:
delay: <int; 0-300>
hold_period: <int; 1-300>
# RADIUS AV-pair username settings.
radius_av_pair_username_format:
# Delimiter to use in MAC address string.
delimiter: <str; "colon" | "hyphen" | "none" | "period"; required>
# MAC address string in lowercase/uppercase.
mac_string_case: <str; "lowercase" | "uppercase"; required>
radius_av_pair:
service_type: <bool>
framed_mtu: <int; 68-9236>
lldp:
# LLDP system name (LLDP TLV 5) av-pair.
system_name:
enabled: <bool; required>
auth_only: <bool>
# LLDP system description (LLDP TLV 6) av-pair.
system_description:
enabled: <bool; required>
auth_only: <bool>
dhcp:
# Hostname (DHCP Option 12).
hostname:
enabled: <bool; required>
auth_only: <bool>
# Parameters requested by host (DHCP Option 55).
parameter_request_list:
enabled: <bool; required>
auth_only: <bool>
# Vendor class identifier (DHCP Option 60).
vendor_class_id:
enabled: <bool; required>
auth_only: <bool>
# Configure AAA parameters.
aaa:
# Configure AAA timeout options.
unresponsive:
# EAP response to send.
eap_response: <str; "success" | "disabled">
# Set action for supplicant when AAA times out.
action:
# Use results from a previous AAA response.
apply_cached_results: <bool>
cached_results_timeout:
# Enable caching for a specific duration -
# <1-10000> duration in days
# <1-14400000> duration in minutes
# <1-240000> duration in hours
# <1-864000000> duration in seconds
time_duration: <int; >=1>
time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>
# Apply alternate action if primary action fails.
# eg. aaa unresponsive action apply cached-results else traffic allow
apply_alternate: <bool>
# Set action for supplicant traffic when AAA times out.
traffic_allow: <bool>
traffic_allow_vlan: <int; 1-4094>
# Set action for supplicant when AAA times out.
phone_action:
# Use results from a previous AAA response.
apply_cached_results: <bool>
cached_results_timeout:
# Enable caching for a specific duration -
# <1-10000> duration in days
# <1-14400000> duration in minutes
# <1-240000> duration in hours
# <1-864000000> duration in seconds
time_duration: <int; >=1>
time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>
# Apply alternate action if primary action fails.
# eg. aaa unresponsive phone action apply cached-results else traffic allow
apply_alternate: <bool>
# Set action for supplicant traffic when AAA times out.
traffic_allow: <bool>
recovery_action_reauthenticate: <bool>
# Interval period in seconds.
accounting_update_interval: <int; 5-65535>
# Web authentication feature authenticates a supplicant through a web page, referred to as a captive portal.
captive_portal:
enabled: <bool; required>
# Supported URL type:
# - http: http://<hostname>[:<port>]
# - https: https://<hostname>[:<port>]
url: <str>
ssl_profile: <str>
# Set captive-portal start limit to infinite.
start_limit_infinite: <bool>
# Standard access-list name.
access_list_ipv4: <str>
supplicant:
# Dot1x supplicant profiles.
profiles:
- name: <str; required; unique>
# Extensible Authentication Protocol method:
# - EAP Flexible Authentication via Secure Tunneling.
# - EAP with Transport Layer Security.
eap_method: <str; "fast" | "tls">
# User identity.
identity: <str>
passphrase_type: <str; "0" | "7" | "8a"; default="7">
# Extensible Authentication Protocol password.
passphrase: <str>
ssl_profile: <str>
# Enable supplicant logging.
logging: <bool>
# Timeout in seconds for removing a disconnected supplicant.
disconnect_cached_results_timeout: <int; 60-65535>
MAC security¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
mac_security | Dictionary | ||||
license | Dictionary | ||||
license_name | String | Required | |||
license_key | String | Required | |||
fips_restrictions | Boolean | ||||
profiles | List, items: Dictionary | ||||
- name | String | Required, Unique | Profile-Name. | ||
cipher | String | Valid Values: - aes128-gcm - aes128-gcm-xpn - aes256-gcm - aes256-gcm-xpn |
|||
connection_keys | List, items: Dictionary | ||||
- id | String | Required, Unique | |||
encrypted_key | String | ||||
fallback | Boolean | ||||
mka | Dictionary | ||||
key_server_priority | Integer | Min: 0 Max: 255 |
|||
session | Dictionary | ||||
rekey_period | Integer | Min: 30 Max: 100000 |
Rekey period in seconds. | ||
sci | Boolean | ||||
l2_protocols | Dictionary | ||||
ethernet_flow_control | Dictionary | ||||
mode | String | Required | Valid Values: - encrypt - bypass |
||
lldp | Dictionary | ||||
mode | String | Required | Valid Values: - bypass - bypass unauthorized |
||
traffic_unprotected | Dictionary | ||||
action | String | Required | Valid Values: - allow - drop |
Allow/drop the transmit/receive of unprotected traffic. | |
allow_active_sak | Boolean | Allow transmit/receive of encrypted traffic using operational SAK and block otherwise. |
mac_security:
license:
license_name: <str; required>
license_key: <str; required>
fips_restrictions: <bool>
profiles:
# Profile-Name.
- name: <str; required; unique>
cipher: <str; "aes128-gcm" | "aes128-gcm-xpn" | "aes256-gcm" | "aes256-gcm-xpn">
connection_keys:
- id: <str; required; unique>
encrypted_key: <str>
fallback: <bool>
mka:
key_server_priority: <int; 0-255>
session:
# Rekey period in seconds.
rekey_period: <int; 30-100000>
sci: <bool>
l2_protocols:
ethernet_flow_control:
mode: <str; "encrypt" | "bypass"; required>
lldp:
mode: <str; "bypass" | "bypass unauthorized"; required>
traffic_unprotected:
# Allow/drop the transmit/receive of unprotected traffic.
action: <str; "allow" | "drop"; required>
# Allow transmit/receive of encrypted traffic using operational SAK and block otherwise.
allow_active_sak: <bool>
Filters and policies¶
AS path¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
as_path | Dictionary | ||||
regex_mode | String | Valid Values: - asn - string |
|||
access_lists | List, items: Dictionary | ||||
- name | String | Required, Unique | Access List Name. | ||
entries | List, items: Dictionary | ||||
- type | String | Valid Values: - permit - deny |
|||
match | String | Regex To Match. | |||
origin | String | any |
Valid Values: - any - egp - igp - incomplete |
Class-maps¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
class_maps | Dictionary | ||||
pbr | List, items: Dictionary | ||||
- name | String | Required, Unique | Class-Map Name. | ||
ip | Dictionary | ||||
access_group | String | Standard Access-List Name. | |||
qos | List, items: Dictionary | ||||
- name | String | Required, Unique | Class-Map Name. | ||
vlan | String | VLAN value(s) or range(s) of VLAN values. | |||
cos | String | CoS value(s) or range(s) of CoS values. | |||
ip | Dictionary | ||||
access_group | String | IPv4 Access-List Name. | |||
ipv6 | Dictionary | ||||
access_group | String | IPv6 Access-List Name. |
class_maps:
pbr:
# Class-Map Name.
- name: <str; required; unique>
ip:
# Standard Access-List Name.
access_group: <str>
qos:
# Class-Map Name.
- name: <str; required; unique>
# VLAN value(s) or range(s) of VLAN values.
vlan: <str>
# CoS value(s) or range(s) of CoS values.
cos: <str>
ip:
# IPv4 Access-List Name.
access_group: <str>
ipv6:
# IPv6 Access-List Name.
access_group: <str>
Dynamic prefix lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
dynamic_prefix_lists | List, items: Dictionary | ||||
- name | String | Dynamic prefix-list name. | |||
match_map | String | Route-map name. | |||
prefix_list | Dictionary | ||||
ipv4 | String | Prefix-list name. | |||
ipv6 | String | Prefix-list name. |
IP community lists¶
AVD currently supports two different data models for community lists:
- The legacy
community_lists
data model that can be used for compatibility with the existing deployments. - The improved
ip_community_lists
data model.
Both data models can coexist without conflicts, as different keys are used: community_lists
vs ip_community_lists
.
Community list names must be unique.
The legacy data model supports simplified community list definition that only allows a single action to be defined as string:
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
community_lists deprecated | List, items: Dictionary | This key is deprecated. Support will be removed in AVD version 6.0.0. Use ip_community_lists instead. | |||
- name | String | Required, Unique | Community-list Name. | ||
action | String | Required | Action as string. Example: “permit GSHUT 65123:123” |
The improved data model has a better design documented below:
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_community_lists | List, items: Dictionary | Communities and regexp entries MUST not be configured in the same community-list. |
|||
- name | String | Required, Unique | IP Community-list Name. | ||
entries | List, items: Dictionary | Required | |||
- action | String | Required | Valid Values: - permit - deny |
||
communities | List, items: String | If defined, a standard community-list will be configured. Supported community strings (case insensitive): - GSHUT - internet - local-as - no-advertise - no-export - <1-4294967040> - aa:nn |
|||
- <str> | String | ||||
regexp | String | Regular Expression. If defined, a regex community-list will be configured. |
# Communities and regexp entries MUST not be configured in the same community-list.
ip_community_lists:
# IP Community-list Name.
- name: <str; required; unique>
entries: # required
- action: <str; "permit" | "deny"; required>
# If defined, a standard community-list will be configured.
# Supported community strings (case insensitive):
# - GSHUT
# - internet
# - local-as
# - no-advertise
# - no-export
# - <1-4294967040>
# - aa:nn
communities:
- <str>
# Regular Expression.
# If defined, a regex community-list will be configured.
regexp: <str>
IP extcommunity-lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_extcommunity_lists | List, items: Dictionary | ||||
- name | String | Required, Unique | Community-list Name. | ||
entries | List, items: Dictionary | Required | |||
- type | String | Required | Valid Values: - permit - deny |
||
extcommunities | String | Required | Communities as string. Example: “65000:65000” |
IP extcommunity-lists-regexp¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ip_extcommunity_lists_regexp | List, items: Dictionary | ||||
- name | String | Required, Unique | Community-list Name. | ||
entries | List, items: Dictionary | Required | |||
- type | String | Required | Valid Values: - permit - deny |
||
regexp | String | Required | Regular Expression. |
IPv6 prefix-lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ipv6_prefix_lists | List, items: Dictionary | ||||
- name | String | Required, Unique | Prefix-list Name. | ||
sequence_numbers | List, items: Dictionary | Required | |||
- sequence | Integer | Required, Unique | Sequence ID. | ||
action | String | Required | Action as string. Example: “permit 1b11:3a00:22b0:0082::/64 eq 128” |
Match list input¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
match_list_input | Dictionary | ||||
prefix_ipv4 | List, items: Dictionary | ||||
- name | String | Required, Unique | Prefix-List Name. | ||
prefixes | List, items: String | Required | Min Length: 1 | List of IPv4 prefixes (with the subnet mask e.g. 192.0.2.0/24). | |
- <str> | String | ||||
prefix_ipv6 | List, items: Dictionary | ||||
- name | String | Required, Unique | Prefix-List Name. | ||
prefixes | List, items: String | Required | Min Length: 1 | List of IPv6 prefixes (with the subnet mask e.g. 2001:db8:abcd:0013::/64). | |
- <str> | String | ||||
string | List, items: Dictionary | ||||
- name | String | Required, Unique | Match-list Name. | ||
sequence_numbers | List, items: Dictionary | Required | |||
- sequence | Integer | Required, Unique | Sequence ID. | ||
match_regex | String | Required | Regular Expression. |
match_list_input:
prefix_ipv4:
# Prefix-List Name.
- name: <str; required; unique>
# List of IPv4 prefixes (with the subnet mask e.g. 192.0.2.0/24).
prefixes: # >=1 items; required
- <str>
prefix_ipv6:
# Prefix-List Name.
- name: <str; required; unique>
# List of IPv6 prefixes (with the subnet mask e.g. 2001:db8:abcd:0013::/64).
prefixes: # >=1 items; required
- <str>
string:
# Match-list Name.
- name: <str; required; unique>
sequence_numbers: # required
# Sequence ID.
- sequence: <int; required; unique>
# Regular Expression.
match_regex: <str; required>
Peer-filters¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
peer_filters | List, items: Dictionary | ||||
- name | String | Required, Unique | Peer-filter Name. | ||
sequence_numbers | List, items: Dictionary | Required | |||
- sequence | Integer | Required, Unique | Sequence ID. | ||
match | String | Required | Match as string. Example: “as-range 1-100 result accept” |
Policy-maps¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
policy_maps | Dictionary | ||||
pbr | List, items: Dictionary | PBR Policy-Maps. | |||
- name | String | Required, Unique | Policy-Map Name. | ||
classes | List, items: Dictionary | ||||
- name | String | Required, Unique | Class Name. | ||
index | Integer | ||||
drop | Boolean | ‘drop’ and ‘set’ are mutually exclusive. | |||
set | Dictionary | Set Nexthop ‘drop’ and ‘set’ are mutually exclusive. |
|||
nexthop | Dictionary | ||||
ip_address | String | IPv4 or IPv6 Address. | |||
recursive | Boolean | ||||
qos | List, items: Dictionary | QOS Policy-Maps. | |||
- name | String | Required, Unique | Policy-Map Name. | ||
classes | List, items: Dictionary | ||||
- name | String | Required, Unique | Class Name. | ||
set | Dictionary | ||||
cos | Integer | ||||
dscp | String | ||||
traffic_class | Integer | ||||
drop_precedence | Integer | ||||
police | Dictionary | ||||
rate | Integer | Specify rate. Range in kbps <8-200000000>. |
|||
rate_unit | String | bps |
Valid Values: - bps - kbps - mbps - pps |
||
rate_burst_size | Integer | Range in bytes <256-128000000>. | |||
rate_burst_size_unit | String | bytes |
Valid Values: - bytes - kbytes - mbytes - packets |
||
action | Dictionary | ||||
type | String | Valid Values: - dscp - drop-precedence |
Set action for policed traffic. | ||
dscp_value | String | Set when action.type is set to “dscp”. | |||
higher_rate | Integer | Specify higher rate. Range in kbps |
|||
higher_rate_unit | String | bps |
Valid Values: - bps - kbps - mbps - pps |
||
higher_rate_burst_size | Integer | Range in bytes <256-128000000>. | |||
higher_rate_burst_size_unit | String | bytes |
Valid Values: - bytes - kbytes - mbytes - packets |
||
copp_system_policy | Dictionary | Control-plane policy configuration. | |||
classes | List, items: Dictionary | ||||
- name | String | Required, Unique | |||
shape | Integer | Min: 0 Max: 10000000 |
Maximum rate limit. | ||
bandwidth | Integer | Min: 0 Max: 10000000 |
Minimum bandwidth. | ||
rate_unit | String | Valid Values: - pps - kbps |
The rate_unit must be defined for shape and bandwidth . |
policy_maps:
# PBR Policy-Maps.
pbr:
# Policy-Map Name.
- name: <str; required; unique>
classes:
# Class Name.
- name: <str; required; unique>
index: <int>
# 'drop' and 'set' are mutually exclusive.
drop: <bool>
# Set Nexthop
# 'drop' and 'set' are mutually exclusive.
set:
nexthop:
# IPv4 or IPv6 Address.
ip_address: <str>
recursive: <bool>
# QOS Policy-Maps.
qos:
# Policy-Map Name.
- name: <str; required; unique>
classes:
# Class Name.
- name: <str; required; unique>
set:
cos: <int>
dscp: <str>
traffic_class: <int>
drop_precedence: <int>
police:
# Specify rate.
# Range in kbps <8-200000000>.
rate: <int>
rate_unit: <str; "bps" | "kbps" | "mbps" | "pps"; default="bps">
# Range in bytes <256-128000000>.
rate_burst_size: <int>
rate_burst_size_unit: <str; "bytes" | "kbytes" | "mbytes" | "packets"; default="bytes">
action:
# Set action for policed traffic.
type: <str; "dscp" | "drop-precedence">
# Set when action.type is set to "dscp".
dscp_value: <str>
# Specify higher rate.
# Range in kbps <lower_rate in kbps + 8 - lower_rate in kbps + 200000000>.
higher_rate: <int>
higher_rate_unit: <str; "bps" | "kbps" | "mbps" | "pps"; default="bps">
# Range in bytes <256-128000000>.
higher_rate_burst_size: <int>
higher_rate_burst_size_unit: <str; "bytes" | "kbytes" | "mbytes" | "packets"; default="bytes">
# Control-plane policy configuration.
copp_system_policy:
classes:
- name: <str; required; unique>
# Maximum rate limit.
shape: <int; 0-10000000>
# Minimum bandwidth.
bandwidth: <int; 0-10000000>
# The `rate_unit` must be defined for `shape` and `bandwidth`.
rate_unit: <str; "pps" | "kbps">
Prefix-lists¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
prefix_lists | List, items: Dictionary | ||||
- name | String | Required, Unique | Prefix-list Name. | ||
sequence_numbers | List, items: Dictionary | ||||
- sequence | Integer | Required, Unique | Sequence ID. | ||
action | String | Required | Action as string. Example: “permit 10.255.0.0/27 eq 32” |
Route-maps¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
route_maps | List, items: Dictionary | ||||
- name | String | Required, Unique | Route-map Name. | ||
sequence_numbers | List, items: Dictionary | Required | |||
- sequence | Integer | Required, Unique | Sequence ID. | ||
type | String | Required | Valid Values: - permit - deny |
||
description | String | ||||
match | List, items: String | List of “match” statements. | |||
- <str> | String | Match as string. Example: “ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY” |
|||
set | List, items: String | List of “set” statements. | |||
- <str> | String | Set as string. Example: “origin incomplete” |
|||
sub_route_map | String | Name of Sub-Route-map. | |||
continue | Dictionary | ||||
enabled | Boolean | ||||
sequence_number | Integer |
route_maps:
# Route-map Name.
- name: <str; required; unique>
sequence_numbers: # required
# Sequence ID.
- sequence: <int; required; unique>
type: <str; "permit" | "deny"; required>
description: <str>
# List of "match" statements.
match:
# Match as string.
# Example: "ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY"
- <str>
# List of "set" statements.
set:
# Set as string.
# Example: "origin incomplete"
- <str>
# Name of Sub-Route-map.
sub_route_map: <str>
continue:
enabled: <bool>
sequence_number: <int>
Trackers¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
trackers | List, items: Dictionary | ||||
- name | String | Required, Unique | Name of tracker object. | ||
interface | String | Required | Name of tracked interface. | ||
tracked_property | String | line-protocol |
Property to track. |
Traffic policies¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
traffic_policies | Dictionary | ||||
options | Dictionary | ||||
counter_per_interface | Boolean | ||||
field_sets | Dictionary | ||||
ipv4 | List, items: Dictionary | ||||
- name | String | Required, Unique | IPv4 Prefix Field Set Name. | ||
prefixes | List, items: String | ||||
- <str> | String | IPv4 Prefix. | |||
ipv6 | List, items: Dictionary | ||||
- name | String | Required, Unique | IPv6 Prefix Field Set Name. | ||
prefixes | List, items: String | ||||
- <str> | String | IPv6 Prefix. | |||
ports | List, items: Dictionary | ||||
- name | String | Required, Unique | L4 Port Field Set Name. | ||
port_range | String | Example: ‘10,20,80,440-450’ | |||
policies | List, items: Dictionary | ||||
- name | String | Required, Unique | Traffic Policy Name. | ||
matches | List, items: Dictionary | ||||
- name | String | Required, Unique | Traffic Policy Item. | ||
type | String | Required | Valid Values: - ipv4 - ipv6 |
||
source | Dictionary | ||||
prefixes | List, items: String | ||||
- <str> | String | IP address or prefix. | |||
prefix_lists | List, items: String | Field-set prefix lists. | |||
- <str> | String | ||||
destination | Dictionary | ||||
prefixes | List, items: String | ||||
- <str> | String | IP address or prefix. | |||
prefix_lists | List, items: String | Field-set prefix lists. | |||
- <str> | String | ||||
ttl | String | TTL range. | |||
fragment | Dictionary | The ‘fragment’ command is not supported when ‘source port’ or ‘destination port’ command is configured. |
|||
offset | String | Fragment offset range. | |||
protocols | List, items: Dictionary | ||||
- protocol | String | Required, Unique | |||
src_port | String | Port range. | |||
dst_port | String | Port range. | |||
src_field | String | L4 port range field set. | |||
dst_field | String | L4 port range field set. | |||
flags | List, items: String | ||||
- <str> | String | Valid Values: - established - initial |
|||
icmp_type | List, items: String | ||||
- <str> | String | ||||
enforce_gtsm | Boolean | Enforce the GTSM for BGP speakers. Only supported when protocol is set to ‘neighbors’. | |||
actions | Dictionary | ||||
dscp | Integer | ||||
traffic_class | Integer | Traffic class ID. | |||
count | String | Counter name. | |||
drop | Boolean | ||||
log | Boolean | Only supported when action is set to drop. | |||
default_actions | Dictionary | ||||
ipv4 | Dictionary | ||||
dscp | Integer | ||||
traffic_class | Integer | Traffic class ID. | |||
count | String | Counter name. | |||
drop | Boolean | ||||
log | Boolean | Only supported when action is set to drop. | |||
ipv6 | Dictionary | ||||
dscp | Integer | ||||
traffic_class | Integer | Traffic class ID. | |||
count | String | Counter name. | |||
drop | Boolean | ||||
log | Boolean | Only supported when action is set to drop. |
traffic_policies:
options:
counter_per_interface: <bool>
field_sets:
ipv4:
# IPv4 Prefix Field Set Name.
- name: <str; required; unique>
prefixes:
# IPv4 Prefix.
- <str>
ipv6:
# IPv6 Prefix Field Set Name.
- name: <str; required; unique>
prefixes:
# IPv6 Prefix.
- <str>
ports:
# L4 Port Field Set Name.
- name: <str; required; unique>
# Example: '10,20,80,440-450'
port_range: <str>
policies:
# Traffic Policy Name.
- name: <str; required; unique>
matches:
# Traffic Policy Item.
- name: <str; required; unique>
type: <str; "ipv4" | "ipv6"; required>
source:
prefixes:
# IP address or prefix.
- <str>
# Field-set prefix lists.
prefix_lists:
- <str>
destination:
prefixes:
# IP address or prefix.
- <str>
# Field-set prefix lists.
prefix_lists:
- <str>
# TTL range.
ttl: <str>
# The 'fragment' command is not supported when 'source port'
# or 'destination port' command is configured.
fragment:
# Fragment offset range.
offset: <str>
protocols:
- protocol: <str; required; unique>
# Port range.
src_port: <str>
# Port range.
dst_port: <str>
# L4 port range field set.
src_field: <str>
# L4 port range field set.
dst_field: <str>
flags:
- <str; "established" | "initial">
icmp_type:
- <str>
# Enforce the GTSM for BGP speakers. Only supported when protocol is set to 'neighbors'.
enforce_gtsm: <bool>
actions:
dscp: <int>
# Traffic class ID.
traffic_class: <int>
# Counter name.
count: <str>
drop: <bool>
# Only supported when action is set to drop.
log: <bool>
default_actions:
ipv4:
dscp: <int>
# Traffic class ID.
traffic_class: <int>
# Counter name.
count: <str>
drop: <bool>
# Only supported when action is set to drop.
log: <bool>
ipv6:
dscp: <int>
# Traffic class ID.
traffic_class: <int>
# Counter name.
count: <str>
drop: <bool>
# Only supported when action is set to drop.
log: <bool>
Interfaces¶
DPS interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
dps_interfaces | List, items: Dictionary | Min Length: 1 Max Length: 1 |
|||
- name | String | Required, Unique | Valid Values: - Dps1 |
“Dps1” is currently the only supported interface. | |
description | String | ||||
shutdown | Boolean | ||||
mtu | Integer | Min: 68 Max: 65535 |
Maximum Transmission Unit in bytes. | ||
ip_address | String | IPv4 address/mask. | |||
flow_tracker | Dictionary | ||||
sampled | String | Sampled flow tracker name. | |||
hardware | String | Hardware flow tracker name, | |||
tcp_mss_ceiling | Dictionary | ||||
ipv4 | Integer | Min: 64 Max: 65495 |
Segment Size for IPv4. | ||
ipv6 | Integer | Min: 64 Max: 65475 |
Segment Size for IPv6. | ||
direction | String | Valid Values: - ingress - egress |
Optional direction (‘ingress’, ‘egress’) for tcp mss ceiling. | ||
eos_cli | String | Multiline String with EOS CLI rendered directly on the Dps interface in the final EOS configuration. |
dps_interfaces: # 1-1 items
# "Dps1" is currently the only supported interface.
- name: <str; "Dps1"; required; unique>
description: <str>
shutdown: <bool>
# Maximum Transmission Unit in bytes.
mtu: <int; 68-65535>
# IPv4 address/mask.
ip_address: <str>
flow_tracker:
# Sampled flow tracker name.
sampled: <str>
# Hardware flow tracker name,
hardware: <str>
tcp_mss_ceiling:
# Segment Size for IPv4.
ipv4: <int; 64-65495>
# Segment Size for IPv6.
ipv6: <int; 64-65475>
# Optional direction ('ingress', 'egress') for tcp mss ceiling.
direction: <str; "ingress" | "egress">
# Multiline String with EOS CLI rendered directly on the Dps interface in the final EOS configuration.
eos_cli: <str>
Errdisable¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
errdisable | Dictionary | ||||
detect | Dictionary | ||||
causes | List, items: String | ||||
- <str> | String | Valid Values: - acl - arp-inspection - dot1x - link-change - tapagg - xcvr-misconfigured - xcvr-overheat - xcvr-power-unsupported |
|||
recovery | Dictionary | ||||
causes | List, items: String | ||||
- <str> | String | Valid Values: - arp-inspection - bpduguard - dot1x - hitless-reload-down - lacp-rate-limit - link-flap - no-internal-vlan - portchannelguard - portsec - speed-misconfigured - tap-port-init - tapagg - uplink-failure-detection - xcvr-misconfigured - xcvr-overheat - xcvr-power-unsupported - xcvr-unsupported |
|||
interval | Integer | 300 |
Min: 30 Max: 86400 |
Interval in seconds. |
errdisable:
detect:
causes:
- <str; "acl" | "arp-inspection" | "dot1x" | "link-change" | "tapagg" | "xcvr-misconfigured" | "xcvr-overheat" | "xcvr-power-unsupported">
recovery:
causes:
- <str; "arp-inspection" | "bpduguard" | "dot1x" | "hitless-reload-down" | "lacp-rate-limit" | "link-flap" | "no-internal-vlan" | "portchannelguard" | "portsec" | "speed-misconfigured" | "tap-port-init" | "tapagg" | "uplink-failure-detection" | "xcvr-misconfigured" | "xcvr-overheat" | "xcvr-power-unsupported" | "xcvr-unsupported">
# Interval in seconds.
interval: <int; 30-86400; default=300>
Ethernet interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
ethernet_interfaces | List, items: Dictionary | ||||
- name | String | Required, Unique | |||
description | String | ||||
shutdown | Boolean | ||||
load_interval | Integer | Min: 0 Max: 600 |
Interval in seconds for updating interface counters. | ||
speed | String | Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed> . |
|||
mtu | Integer | Min: 68 Max: 65535 |
|||
l2_mtu | Integer | Min: 68 Max: 65535 |
“l2_mtu” should only be defined for platforms supporting the “l2 mtu” CLI. |
||
l2_mru | Integer | Min: 68 Max: 65535 |
“l2_mru” should only be defined for platforms supporting the “l2 mru” CLI. |
||
vlans deprecated | String | List of switchport vlans as string. For a trunk port this would be a range like “1-200,300”. For an access port this would be a single vlan “123”. This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.access_vlan or switchport.trunk.allowed_vlan instead. |
|||
native_vlan deprecated | Integer | This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.native_vlan instead. | |||
native_vlan_tag deprecated | Boolean | If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.native_vlan_tag instead. | |||
mode deprecated | String | Valid Values: - access - dot1q-tunnel - trunk - trunk phone |
This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.mode instead. | ||
phone deprecated | Dictionary | This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.phone instead. | |||
trunk | String | Valid Values: - tagged - tagged phone - untagged - untagged phone |
|||
vlan | Integer | Min: 1 Max: 4094 |
|||
l2_protocol | Dictionary | ||||
encapsulation_dot1q_vlan | Integer | Vlan tag to configure on sub-interface. | |||
forwarding_profile | String | L2 protocol forwarding profile. | |||
mac_timestamp | String | Valid Values: - before-fcs - replace-fcs - header |
header: Insert timestamp in ethernet header. Supported on platforms like 7500E/R and 7280E/R. before-fcs: Insert timestamp before fcs field. Supported on platforms like 7150. replace-fcs: Replace fcs field with timestamp. |
||
trunk_groups deprecated | List, items: String | This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.groups instead. | |||
- <str> | String | ||||
type deprecated | String | Valid Values: - routed - switched - l3dot1q - l2dot1q - port-channel-member |
l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed. The type = switched/routed should not be combined with switchport .This key is deprecated. Support will be removed in AVD version 6.0.0. See here for details. |
||
snmp_trap_link_change | Boolean | ||||
address_locking | Dictionary | ||||
ipv4 | Boolean | Enable address locking for IPv4. | |||
ipv6 | Boolean | Enable address locking for IPv6. | |||
flowcontrol | Dictionary | ||||
received | String | Valid Values: - desired - on - off |
|||
vrf | String | VRF name. | |||
flow_tracker | Dictionary | ||||
sampled | String | Sampled flow tracker name. | |||
hardware | String | Hardware flow tracker name. | |||
error_correction_encoding | Dictionary | ||||
enabled | Boolean | True |
|||
fire_code | Boolean | ||||
reed_solomon | Boolean | ||||
link_tracking_groups | List, items: Dictionary | ||||
- name | String | Required, Unique | Group name. | ||
direction | String | Valid Values: - upstream - downstream |
|||
link_tracking | Dictionary | ||||
direction | String | Valid Values: - upstream - downstream |
|||
groups | List, items: String | Link state group(s) an interface belongs to. | |||
- <str> | String | Group names. | |||
evpn_ethernet_segment | Dictionary | ||||
identifier | String | EVPN Ethernet Segment Identifier (Type 1 format). | |||
redundancy | String | Valid Values: - all-active - single-active |
|||
designated_forwarder_election | Dictionary | ||||
algorithm | String | Valid Values: - modulus - preference |
|||
preference_value | Integer | Min: 0 Max: 65535 |
Preference_value is only used when “algorithm” is “preference”. | ||
dont_preempt | Boolean | Dont_preempt is only used when “algorithm” is “preference”. | |||
hold_time | Integer | ||||
subsequent_hold_time | Integer | ||||
candidate_reachability_required | Boolean | ||||
mpls | Dictionary | ||||
shared_index | Integer | Min: 1 Max: 1024 |
|||
tunnel_flood_filter_time | Integer | ||||
route_target | String | EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx. | |||
encapsulation_dot1q_vlan deprecated | Integer | VLAN tag to configure on sub-interface.This key is deprecated. Support will be removed in AVD version 6.0.0. Use encapsulation_dot1q.vlan instead. | |||
encapsulation_dot1q | Dictionary | Warning: encapsulation_dot1q should not be combined with ethernet_interfaces[].type: l3dot1q or ethernet_interfaces[].type: l2dot1q . |
|||
vlan | Integer | Required | Min: 1 Max: 4094 |
VLAD ID. | |
inner_vlan | Integer | Min: 1 Max: 4094 |
Inner VLAN ID. This setting can only be applied to sub-interfaces on EOS. | ||
encapsulation_vlan | Dictionary | This setting can only be applied to sub-interfaces on EOS. Warning: encapsulation_vlan should not be combined with ethernet_interfaces[].type: l3dot1q or ethernet_interfaces[].type: l2dot1q . |
|||
client | Dictionary | ||||
dot1q deprecated | Dictionary | This key is deprecated. Support will be removed in AVD version 6.0.0. | |||
vlan | Integer | Min: 1 Max: 4094 |
Client VLAN ID. | ||
outer | Integer | Min: 1 Max: 4094 |
Client Outer VLAN ID. | ||
inner | Integer | Client Inner VLAN ID. | |||
unmatched deprecated | Boolean | This key is deprecated. Support will be removed in AVD version 6.0.0. | |||
encapsulation | String | Valid Values: - dot1q - dot1ad - unmatched - untagged |
|||
vlan | Integer | Min: 1 Max: 4094 |
Client VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched . |
||
outer_vlan | Integer | Min: 1 Max: 4094 |
Client Outer VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched . |
||
inner_vlan | Integer | Min: 1 Max: 4094 |
Client Inner VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched . |
||
inner_encapsulation | String | Valid Values: - dot1q - dot1ad |
|||
network | Dictionary | Network encapsulations are all optional and skipped if using client unmatched. | |||
dot1q deprecated | Dictionary | This key is deprecated. Support will be removed in AVD version 6.0.0. | |||
vlan | Integer | Min: 1 Max: 4094 |
Network VLAN ID. | ||
outer | Integer | Min: 1 Max: 4094 |
Network outer VLAN ID. | ||
inner | Integer | Min: 1 Max: 4094 |
Network inner VLAN ID. | ||
client deprecated | Boolean | This key is deprecated. Support will be removed in AVD version 6.0.0. | |||
encapsulation | String | Valid Values: - dot1q - dot1ad - client - client inner - untagged |
untagged (no encapsulation) is applicable for untagged client only.client and client inner (retain client encapsulation) is not applicable for untagged client. |
||
vlan | Integer | Min: 1 Max: 4094 |
Network VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client . |
||
outer_vlan | Integer | Min: 1 Max: 4094 |
Network outer VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client . |
||
inner_vlan | Integer | Min: 1 Max: 4094 |
Network inner VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client . |
||
inner_encapsulation | String | Valid Values: - dot1q - dot1ad |
|||
vlan_id | Integer | Min: 1 Max: 4094 |
This setting can only be applied to sub-interfaces on EOS. Warning: vlan_id should not be combined with ethernet_interfaces[].type == l2dot1q . |
||
ip_address | String | IPv4 address/mask or “dhcp”. | |||
ip_address_secondaries | List, items: String | ||||
- <str> | String | ||||
ip_verify_unicast_source_reachable_via | String | Valid Values: - any - rx |
|||
dhcp_client_accept_default_route | Boolean | Install default-route obtained via DHCP. | |||
dhcp_server_ipv4 | Boolean | Enable IPv4 DHCP server. | |||
dhcp_server_ipv6 | Boolean | Enable IPv6 DHCP server. | |||
ip_helpers | List, items: Dictionary | ||||
- ip_helper | String | Required, Unique | |||
source_interface | String | Source interface name. | |||
vrf | String | VRF name. | |||
ip_nat | Dictionary | ||||
service_profile | String | NAT interface profile. | |||
destination | Dictionary | ||||
dynamic | List, items: Dictionary | ||||
- access_list | String | Required, Unique | |||
comment | String | ||||
pool_name | String | Required | |||
priority | Integer | Min: 0 Max: 4294967295 |
|||
static | List, items: Dictionary | ||||
- access_list | String | ‘access_list’ and ‘group’ are mutual exclusive. | |||
comment | String | ||||
direction | String | Valid Values: - egress - ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutual exclusive. | ||
original_ip | String | IPv4 address. The combination of original_ip and original_port must be unique. |
|||
original_port | Integer | Min: 1 Max: 65535 |
TCP/UDP port. The combination of original_ip and original_port must be unique. |
||
priority | Integer | Min: 0 Max: 4294967295 |
|||
protocol | String | Valid Values: - udp - tcp |
|||
translated_ip | String | Required | IPv4 address. | ||
translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’. | ||
source | Dictionary | ||||
dynamic | List, items: Dictionary | ||||
- access_list | String | Required, Unique | |||
comment | String | ||||
nat_type | String | Required | Valid Values: - overload - pool - pool-address-only - pool-full-cone |
||
pool_name | String | required if ‘nat_type’ is pool, pool-address-only or pool-full-cone. ignored if ‘nat_type’ is overload. |
|||
priority | Integer | Min: 0 Max: 4294967295 |
|||
static | List, items: Dictionary | ||||
- access_list | String | ‘access_list’ and ‘group’ are mutual exclusive. | |||
comment | String | ||||
direction | String | Valid Values: - egress - ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutual exclusive. | ||
original_ip | String | IPv4 address. The combination of original_ip and original_port must be unique. |
|||
original_port | Integer | Min: 1 Max: 65535 |
TCP/UDP port. The combination of original_ip and original_port must be unique. |
||
priority | Integer | Min: 0 Max: 4294967295 |
|||
protocol | String | Valid Values: - udp - tcp |
|||
translated_ip | String | Required | IPv4 address. | ||
translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’. | ||
ipv6_enable | Boolean | ||||
ipv6_address | String | ||||
ipv6_address_link_local | String | Link local IPv6 address/mask. | |||
ipv6_nd_ra_disabled | Boolean | ||||
ipv6_nd_managed_config_flag | Boolean | ||||
ipv6_nd_prefixes | List, items: Dictionary | ||||
- ipv6_prefix | String | Required, Unique | |||
valid_lifetime | String | Infinite or lifetime in seconds. | |||
preferred_lifetime | String | Infinite or lifetime in seconds. | |||
no_autoconfig_flag | Boolean | ||||
ipv6_dhcp_relay_destinations | List, items: Dictionary | ||||
- address | String | Required, Unique | DHCP server’s IPv6 address. | ||
vrf | String | ||||
local_interface | String | Local interface to communicate with DHCP server - mutually exclusive to source_address. | |||
source_address | String | Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface. | |||
link_address | String | Override the default link address specified in the relayed DHCP packet. | |||
access_group_in | String | Access list name. | |||
access_group_out | String | Access list name. | |||
ipv6_access_group_in | String | IPv6 access list name. | |||
ipv6_access_group_out | String | IPv6 access list name. | |||
mac_access_group_in | String | MAC access list name. | |||
mac_access_group_out | String | MAC access list name. | |||
multicast | Dictionary | Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both. | |||
ipv4 | Dictionary | ||||
boundaries | List, items: Dictionary | ||||
- boundary | String | ACL name or multicast IP subnet. | |||
out | Boolean | ||||
static | Boolean | ||||
ipv6 | Dictionary | ||||
boundaries | List, items: Dictionary | ||||
- boundary | String | ACL name or multicast IP subnet. | |||
static | Boolean | ||||
ospf_network_point_to_point | Boolean | ||||
ospf_area | String | ||||
ospf_cost | Integer | ||||
ospf_authentication | String | Valid Values: - none - simple - message-digest |
|||
ospf_authentication_key | String | Encrypted password - only type 7 supported. | |||
ospf_message_digest_keys | List, items: Dictionary | ||||
- id | Integer | Required, Unique | |||
hash_algorithm | String | Valid Values: - md5 - sha1 - sha256 - sha384 - sha512 |
|||
key | String | Encrypted password - only type 7 supported. | |||
pim | Dictionary | ||||
ipv4 | Dictionary | ||||
border_router | Boolean | Configure PIM border router. EOS default is false. | |||
dr_priority | Integer | Min: 0 Max: 429467295 |
|||
sparse_mode | Boolean | ||||
bfd | Boolean | Set the default for whether Bidirectional Forwarding Detection is enabled for PIM. | |||
bidirectional | Boolean | ||||
hello | Dictionary | ||||
count | String | Number of missed hellos after which the neighbor expires. Range <1.5-65535>. | |||
interval | Integer | Min: 1 Max: 65535 |
PIM hello interval in seconds. | ||
mac_security | Dictionary | ||||
profile | String | ||||
tcp_mss_ceiling | Dictionary | The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface. |
|||
ipv4_segment_size | Integer | Min: 64 Max: 65475 |
|||
ipv6_segment_size | Integer | Min: 64 Max: 65475 |
|||
direction | String | Valid Values: - egress - ingress |
|||
channel_group | Dictionary | ||||
id | Integer | ||||
mode | String | Valid Values: - on - active - passive |
|||
isis_enable | String | ISIS instance. | |||
isis_bfd | Boolean | Enable BFD for ISIS. | |||
isis_passive | Boolean | ||||
isis_metric | Integer | ||||
isis_network_point_to_point | Boolean | ||||
isis_circuit_type | String | Valid Values: - level-1-2 - level-1 - level-2 |
|||
isis_hello_padding | Boolean | ||||
isis_authentication_mode deprecated | String | Valid Values: - text - md5 |
This key is deprecated. Support will be removed in AVD version v6.0.0. Use isis_authentication.both.mode or isis_authentication.level_1.mode or isis_authentication.level_2.mode instead. | ||
isis_authentication_key deprecated | String | Type-7 encrypted password.This key is deprecated. Support will be removed in AVD version v6.0.0. Use isis_authentication.both.key or isis_authentication.level_1.key or isis_authentication.level_2.key instead. | |||
isis_authentication | Dictionary | This key should not be mixed with ethernet_interfaces[].isis_authentication_mode or ethernet_interfaces[].isis_authentication_key. | |||
both | Dictionary | Authentication settings for level-1 and level-2. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings. | |||
key_type | String | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | ||
key | String | Password string. key_type is required for this setting. |
|||
key_ids | List, items: Dictionary | ||||
- id | Integer | Required, Unique | Min: 1 Max: 65535 |
Configure authentication key-id. | |
algorithm | String | Required | Valid Values: - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
key_type | String | Required | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | |
key | String | Required | Password string. | ||
rfc_5310 | Boolean | SHA digest computation according to rfc5310. | |||
mode | String | Valid Values: - md5 - sha - text - shared-secret |
Authentication mode. | ||
sha | Dictionary | Required settings for authentication mode ‘sha’. | |||
key_id | Integer | Required | Min: 1 Max: 65535 |
||
shared_secret | Dictionary | Required settings for authentication mode ‘shared_secret’. | |||
profile | String | Required | |||
algorithm | String | Required | Valid Values: - md5 - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
rx_disabled | Boolean | Disable authentication check on the receive side. | |||
level_1 | Dictionary | Authentication settings for level-1. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings. | |||
key_type | String | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | ||
key | String | Password string. key_type is required for this setting. |
|||
key_ids | List, items: Dictionary | ||||
- id | Integer | Required, Unique | Min: 1 Max: 65535 |
Configure authentication key-id. | |
algorithm | String | Required | Valid Values: - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
key_type | String | Required | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | |
key | String | Required | Password string. | ||
rfc_5310 | Boolean | SHA digest computation according to rfc5310. | |||
mode | String | Valid Values: - md5 - sha - text - shared-secret |
Authentication mode. | ||
sha | Dictionary | Required settings for authentication mode ‘sha’. | |||
key_id | Integer | Required | Min: 1 Max: 65535 |
||
shared_secret | Dictionary | Required settings for authentication mode ‘shared_secret’. | |||
profile | String | Required | |||
algorithm | String | Required | Valid Values: - md5 - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
rx_disabled | Boolean | Disable authentication check on the receive side. | |||
level_2 | Dictionary | Authentication settings for level-2. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings. | |||
key_type | String | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | ||
key | String | Password string. key_type is required for this setting. |
|||
key_ids | List, items: Dictionary | ||||
- id | Integer | Required, Unique | Min: 1 Max: 65535 |
Configure authentication key-id. | |
algorithm | String | Required | Valid Values: - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
key_type | String | Required | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | |
key | String | Required | Password string. | ||
rfc_5310 | Boolean | SHA digest computation according to rfc5310. | |||
mode | String | Valid Values: - md5 - sha - text - shared-secret |
Authentication mode. | ||
sha | Dictionary | Required settings for authentication mode ‘sha’. | |||
key_id | Integer | Required | Min: 1 Max: 65535 |
||
shared_secret | Dictionary | Required settings for authentication mode ‘shared_secret’. | |||
profile | String | Required | |||
algorithm | String | Required | Valid Values: - md5 - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
rx_disabled | Boolean | Disable authentication check on the receive side. | |||
poe | Dictionary | ||||
disabled | Boolean | False |
Disable PoE on a POE capable port. PoE is enabled on all ports that support it by default in EOS. | ||
priority | String | Valid Values: - critical - high - medium - low |
Prioritize a port’s power in the event that one of the switch’s power supplies loses power. | ||
reboot | Dictionary | Set the PoE power behavior for a PoE port when the system is rebooted. | |||
action | String | Valid Values: - maintain - power-off |
PoE action for interface. | ||
link_down | Dictionary | Set the PoE power behavior for a PoE port when the port goes down. | |||
action | String | Valid Values: - maintain - power-off |
PoE action for interface. | ||
power_off_delay | Integer | Min: 1 Max: 86400 |
Number of seconds to delay shutting the power off after a link down event occurs. Default value is 5 seconds in EOS. | ||
shutdown | Dictionary | Set the PoE power behavior for a PoE port when the port is admin down. | |||
action | String | Valid Values: - maintain - power-off |
PoE action for interface. | ||
limit | Dictionary | Override the hardware-negotiated power limit using either wattage or a power class. Note that if using a power class, AVD will automatically convert the class value to the wattage value corresponding to that power class. | |||
class | Integer | Min: 0 Max: 8 |
|||
watts | String | ||||
fixed | Boolean | Set to ignore hardware classification. | |||
negotiation_lldp | Boolean | Disable to prevent port from negotiating power with powered devices over LLDP. Enabled by default in EOS. | |||
legacy_detect | Boolean | Allow a subset of legacy devices to work with the PoE switch. Disabled by default in EOS because it can cause false positive detections. | |||
ptp | Dictionary | ||||
enable | Boolean | ||||
announce | Dictionary | ||||
interval | Integer | ||||
timeout | Integer | ||||
delay_req | Integer | ||||
delay_mechanism | String | Valid Values: - e2e - p2p |
|||
profile | Dictionary | ||||
g8275_1 | Dictionary | ||||
destination_mac_address | String | Valid Values: - forwardable - non-forwardable |
|||
sync_message | Dictionary | ||||
interval | Integer | ||||
role | String | Valid Values: - master - dynamic |
|||
vlan | String | VLAN can be ‘all’ or list of vlans as string. | |||
transport | String | Valid Values: - ipv4 - ipv6 - layer2 |
|||
profile | String | Interface profile. | |||
storm_control | Dictionary | ||||
all | Dictionary | ||||
level | String | Configure maximum storm-control level. | |||
unit | String | percent |
Valid Values: - percent - pps |
Optional field and is hardware dependent. | |
broadcast | Dictionary | ||||
level | String | Configure maximum storm-control level. | |||
unit | String | percent |
Valid Values: - percent - pps |
Optional field and is hardware dependent. | |
multicast | Dictionary | ||||
level | String | Configure maximum storm-control level. | |||
unit | String | percent |
Valid Values: - percent - pps |
Optional field and is hardware dependent. | |
unknown_unicast | Dictionary | ||||
level | String | Configure maximum storm-control level. | |||
unit | String | percent |
Valid Values: - percent - pps |
Optional field and is hardware dependent. | |
logging | Dictionary | ||||
event | Dictionary | ||||
link_status | Boolean | ||||
congestion_drops | Boolean | ||||
spanning_tree | Boolean | ||||
storm_control_discards | Boolean | Discards due to storm-control. |
|||
lldp | Dictionary | ||||
transmit | Boolean | ||||
receive | Boolean | ||||
ztp_vlan | Integer | ZTP vlan number. | |||
trunk_private_vlan_secondary deprecated | Boolean | This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.private_vlan_secondary instead. | |||
pvlan_mapping deprecated | String | List of vlans as string.This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.pvlan_mapping instead. | |||
vlan_translations deprecated | List, items: Dictionary | This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.vlan_translations instead. | |||
- from | String | List of vlans as string (only one vlan if direction is “both”). | |||
to | Integer | VLAN ID. | |||
direction | String | both |
Valid Values: - in - out - both |
||
dot1x | Dictionary | 802.1x | |||
port_control | String | Valid Values: - auto - force-authorized - force-unauthorized |
|||
port_control_force_authorized_phone | Boolean | ||||
reauthentication | Boolean | ||||
pae | Dictionary | ||||
mode | String | Valid Values: - authenticator |
|||
authentication_failure | Dictionary | ||||
action | String | Valid Values: - allow - drop |
|||
allow_vlan | Integer | Min: 1 Max: 4094 |
|||
host_mode | Dictionary | ||||
mode | String | Valid Values: - multi-host - single-host |
|||
multi_host_authenticated | Boolean | ||||
mac_based_authentication | Dictionary | ||||
enabled | Boolean | ||||
always | Boolean | ||||
host_mode_common | Boolean | ||||
mac_based_access_list | Boolean | Operate interface in per-mac access-list mode. | |||
timeout | Dictionary | ||||
idle_host | Integer | Min: 10 Max: 65535 |
|||
quiet_period | Integer | Min: 1 Max: 65535 |
|||
reauth_period | String | Value can be 60-4294967295 or ‘server’. | |||
reauth_timeout_ignore | Boolean | ||||
tx_period | Integer | Min: 1 Max: 65535 |
|||
reauthorization_request_limit | Integer | Min: 1 Max: 10 |
|||
unauthorized | Dictionary | ||||
access_vlan_membership_egress | Boolean | ||||
native_vlan_membership_egress | Boolean | ||||
eapol | Dictionary | ||||
disabled | Boolean | ||||
authentication_failure_fallback_mba | Dictionary | ||||
enabled | Boolean | ||||
timeout | Integer | Min: 0 Max: 65535 |
|||
aaa | Dictionary | ||||
unresponsive | Dictionary | Configure AAA timeout options. | |||
eap_response | String | Valid Values: - success - disabled |
EAP response to send. EOS default is success . |
||
action | Dictionary | Set action for supplicant when AAA times out. | |||
traffic_allow_access_list | String | Name of standard access-list to apply when AAA times out. | |||
apply_cached_results | Boolean | Use results from a previous AAA response. | |||
cached_results_timeout | Dictionary | ||||
time_duration | Integer | Min: 1 | Enable caching for a specific duration - <1-10000> duration in days <1-14400000> duration in minutes <1-240000> duration in hours <1-864000000> duration in seconds |
||
time_duration_unit | String | Required | Valid Values: - days - hours - minutes - seconds |
||
apply_alternate | Boolean | Apply alternate action if primary action fails. eg. aaa unresponsive action apply cached-results else traffic allow |
|||
traffic_allow | Boolean | Set action for supplicant traffic when AAA times out. | |||
traffic_allow_vlan | Integer | Min: 1 Max: 4094 |
|||
phone_action | Dictionary | Set action for supplicant when AAA times out. | |||
apply_cached_results | Boolean | Use results from a previous AAA response. | |||
cached_results_timeout | Dictionary | ||||
time_duration | Integer | Min: 1 | Enable caching for a specific duration - <1-10000> duration in days <1-14400000> duration in minutes <1-240000> duration in hours <1-864000000> duration in seconds |
||
time_duration_unit | String | Required | Valid Values: - days - hours - minutes - seconds |
||
apply_alternate | Boolean | Apply alternate action if primary action fails. eg. aaa unresponsive phone action apply cached-results else traffic allow |
|||
traffic_allow | Boolean | Set action for supplicant traffic when AAA times out. | |||
service_profile | String | QOS profile. | |||
shape | Dictionary | ||||
rate | String | Rate in kbps, pps or percent. Supported options are platform dependent. Examples: - “5000 kbps” - “1000 pps” - “20 percent” |
|||
qos | Dictionary | ||||
trust | String | Valid Values: - dscp - cos - disabled |
|||
dscp | Integer | DSCP value. | |||
cos | Integer | COS value. | |||
spanning_tree_bpdufilter | String | Valid Values: - enabled - disabled - True - False - true - false |
|||
spanning_tree_bpduguard | String | Valid Values: - enabled - disabled - True - False - true - false |
|||
spanning_tree_guard | String | Valid Values: - loop - root - disabled |
|||
spanning_tree_portfast | String | Valid Values: - edge - network |
|||
vmtracer | Boolean | ||||
priority_flow_control | Dictionary | ||||
enabled | Boolean | ||||
priorities | List, items: Dictionary | ||||
- priority | Integer | Required, Unique | Min: 0 Max: 7 |
||
no_drop | Boolean | ||||
bfd | Dictionary | ||||
echo | Boolean | ||||
interval | Integer | Interval in milliseconds. | |||
min_rx | Integer | Rate in milliseconds. | |||
multiplier | Integer | Min: 3 Max: 50 |
|||
service_policy | Dictionary | ||||
pbr | Dictionary | ||||
input | String | Policy Based Routing Policy-map name. | |||
qos | Dictionary | ||||
input | String | Required | Quality of Service Policy-map name. | ||
mpls | Dictionary | ||||
ip | Boolean | ||||
ldp | Dictionary | ||||
interface | Boolean | ||||
igp_sync | Boolean | ||||
lacp_timer | Dictionary | ||||
mode | String | Valid Values: - fast - normal |
|||
multiplier | Integer | Min: 3 Max: 3000 |
|||
lacp_port_priority | Integer | Min: 0 Max: 65535 |
|||
transceiver | Dictionary | ||||
frequency | String | Transceiver Laser Frequency in GHz (min 190000, max 200000). | |||
frequency_unit | String | Valid Values: - ghz |
Unit of Transceiver Laser Frequency. | ||
media | Dictionary | ||||
override | String | Transceiver type. | |||
ip_proxy_arp | Boolean | ||||
traffic_policy | Dictionary | ||||
input | String | Ingress traffic policy. | |||
output | String | Egress traffic policy. | |||
bgp | Dictionary | ||||
session_tracker | String | Name of session tracker. | |||
ip_igmp_host_proxy | Dictionary | ||||
enabled | Boolean | ||||
groups | List, items: Dictionary | ||||
- group | String | Required, Unique | Multicast Address. | ||
exclude | List, items: Dictionary | The same source must not be present both in exclude and include list. |
|||
- source | String | Required, Unique | |||
include | List, items: Dictionary | The same source must not be present both in exclude and include list. |
|||
- source | String | Required, Unique | |||
report_interval | Integer | Min: 1 Max: 31744 |
Time interval between unsolicited reports. | ||
access_lists | List, items: Dictionary | Non-standard Access List name. | |||
- name | String | Required, Unique | |||
version | Integer | Min: 1 Max: 3 |
IGMP version on IGMP host-proxy interface. | ||
peer | String | Key only used for documentation or validation purposes. | |||
peer_interface | String | Key only used for documentation or validation purposes. | |||
peer_type | String | Key only used for documentation or validation purposes. | |||
sflow | Dictionary | ||||
enable | Boolean | ||||
egress | Dictionary | ||||
enable | Boolean | ||||
unmodified_enable | Boolean | ||||
sync_e | Dictionary | ||||
enable | Boolean | ||||
priority | String | The priority is used to influence the reference clock selection. The EOS default priority is 127. The priority can be configured to any integer between 1-255, or set to disabled . |
|||
port_profile | String | Key only used for documentation or validation purposes. | |||
uc_tx_queues | List, items: Dictionary | ||||
- id | Integer | Required, Unique | TX-Queue ID. | ||
random_detect | Dictionary | ||||
ecn | Dictionary | Explicit Congestion Notification. | |||
count | Boolean | Enable counter for random-detect ECNs. | |||
threshold | Dictionary | ||||
units | String | Required | Valid Values: - segments - bytes - kbytes - mbytes - milliseconds |
Indicate the units to be used for the threshold values. | |
min | Integer | Required | Min: 1 Max: 256000000 |
Set the random-detect ECN minimum-threshold. | |
max | Integer | Required | Min: 1 Max: 256000000 |
Set the random-detect ECN maximum-threshold. | |
max_probability | Integer | Min: 1 Max: 100 |
Set the random-detect ECN max-mark-probability. | ||
weight | Integer | Min: 0 Max: 15 |
Set the random-detect ECN weight. | ||
tx_queues | List, items: Dictionary | ||||
- id | Integer | Required, Unique | TX-Queue ID. | ||
random_detect | Dictionary | ||||
ecn | Dictionary | Explicit Congestion Notification. | |||
count | Boolean | Enable counter for random-detect ECNs. | |||
threshold | Dictionary | ||||
units | String | Required | Valid Values: - segments - bytes - kbytes - mbytes - milliseconds |
Indicate the units to be used for the threshold values. | |
min | Integer | Min: 1 Max: 256000000 |
Set the random-detect ECN minimum-threshold. | ||
max | Integer | Required | Min: 1 Max: 256000000 |
Set the random-detect ECN maximum-threshold. | |
max_probability | Integer | Required | Min: 1 Max: 100 |
Set the random-detect ECN max-mark-probability. | |
weight | Integer | Min: 0 Max: 15 |
Set the random-detect ECN weight. | ||
vrrp_ids | List, items: Dictionary | VRRP model. | |||
- id | Integer | Required, Unique | VRID. | ||
priority_level | Integer | Min: 1 Max: 254 |
Instance priority. | ||
advertisement | Dictionary | ||||
interval | Integer | Min: 1 Max: 255 |
Interval in seconds. | ||
preempt | Dictionary | ||||
enabled | Boolean | Required | |||
delay | Dictionary | ||||
minimum | Integer | Min: 0 Max: 3600 |
Minimum preempt delay in seconds. | ||
reload | Integer | Min: 0 Max: 3600 |
Reload preempt delay in seconds. | ||
timers | Dictionary | ||||
delay | Dictionary | ||||
reload | Integer | Min: 0 Max: 3600 |
Delay after reload in seconds. | ||
tracked_object | List, items: Dictionary | ||||
- name | String | Required, Unique | Tracked object name. | ||
decrement | Integer | Min: 1 Max: 254 |
Decrement VRRP priority by 1-254. | ||
shutdown | Boolean | ||||
ipv4 | Dictionary | ||||
address | String | Required | Virtual IPv4 address. | ||
version | Integer | Valid Values: - 2 - 3 |
|||
ipv6 | Dictionary | ||||
address | String | Required | Virtual IPv6 address. | ||
validate_state | Boolean | Set to false to disable interface state and LLDP topology validation performed by the eos_validate_state role. |
|||
validate_lldp | Boolean | Set to false to disable the LLDP topology validation performed by the eos_validate_state role. |
|||
switchport | Dictionary | This should not be combined with ethernet_interfaces[].type = switched/routed . |
|||
enabled | Boolean | Warning: This should not be combined with ethernet_interfaces[].type = routed . |
|||
mode | String | Valid Values: - access - dot1q-tunnel - trunk - trunk phone |
Warning: This should not be combined with ethernet_interfaces[].mode . |
||
access_vlan | Integer | Min: 1 Max: 4094 |
Set VLAN when interface is in access mode. Warning: This should not be combined with ethernet_interfaces[].mode = access/dot1q-tunnel and ethernet_interface[].vlans . |
||
trunk | Dictionary | ||||
allowed_vlan | String | VLAN ID or range(s) of VLAN IDs. Warning: This should not be combined with ethernet_interfaces[].mode = trunk and ethernet_interface[].vlans . |
|||
native_vlan | Integer | Min: 1 Max: 4094 |
Set native VLAN when interface is in trunking mode. Warning: This should not be combined with ethernet_interfaces[].native_vlan . |
||
native_vlan_tag | Boolean | If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence. Warning: This should not be combined with ethernet_interfaces[].native_vlan_tag . |
|||
private_vlan_secondary | Boolean | Enable secondary VLAN mapping for a private vlan. Warning: This should not be combined with ethernet_ineterfaces[].trunk_private_vlan_secondary . |
|||
groups | List, items: String | Warning: This should not be combined with ethernet_ineterfaces[].trunk_groups . |
|||
- <str> | String | Trunk group name. | |||
phone | Dictionary | Warning: This should not be combined with ethernet_interfaces[].phone . |
|||
vlan | Integer | Min: 1 Max: 4094 |
Warning: This should not be combined with ethernet_interfaces[].phone.vlan . |
||
trunk | String | Valid Values: - tagged - tagged phone - untagged - untagged phone |
Warning: This should not be combined with ethernet_interfaces[].phone.trunk . |
||
pvlan_mapping | String | Secondary VLAN IDs of the private VLAN mapping. Warning: This should not be combined with ethernet_interfaces[].pvlan_mapping . |
|||
dot1q | Dictionary | ||||
ethertype | Integer | Min: 1536 Max: 65535 |
Ethertype/TPID (Tag Protocol IDentifier) for VLAN tagged frames. | ||
vlan_tag | String | Valid Values: - disallowed - required |
Allow/disallow VLAN tagged frames. | ||
source_interface | String | Valid Values: - tx - tx multicast |
tx: Allow bridged traffic to go out of the source interface. tx multicast: Allow multicast traffic only to go out of the source interface. |
||
vlan_translations | Dictionary | VLAN Translation mappings. Warning: This should not be combined with ethernet_interfaces[].vlan_translations . |
|||
in_required | Boolean | Drop the ingress traffic that do not match any VLAN mapping. | |||
out_required | Boolean | Drop the egress traffic that do not match any VLAN mapping. | |||
direction_in | List, items: Dictionary | Map ingress traffic only. | |||
- from | String | Required | VLAN ID or range of VLAN IDs to map from. Range 1-4094. | ||
to | Integer | Required | Min: 1 Max: 4094 |
VLAN ID to map to. | |
dot1q_tunnel | Boolean | ||||
inner_vlan_from | Integer | Min: 1 Max: 4094 |
Inner VLAN ID to map from. | ||
direction_out | List, items: Dictionary | Map egress traffic only. | |||
- from | String | Required | VLAN ID or range of VLAN IDs to map from. Range 1-4094. | ||
to | Integer | Min: 1 Max: 4094 |
VLAN ID to map to. | ||
dot1q_tunnel_to | String | VLAN ID or range of VLAN IDs or “all”. Range 1-4094. This takes precedence over to and inner_vlan_to . |
|||
inner_vlan_to | Integer | Min: 1 Max: 4094 |
Inner VLAN ID to map to. | ||
direction_both | List, items: Dictionary | Map both egress and ingress traffic. | |||
- from | String | Required | VLAN ID or range of VLAN IDs to map from. Range 1-4094. | ||
to | Integer | Required | Min: 1 Max: 4094 |
VLAN ID to map to. | |
dot1q_tunnel | Boolean | ||||
inner_vlan_from | Integer | Min: 1 Max: 4094 |
Inner VLAN ID to map from. | ||
network | Boolean | Enable use of network-side VLAN ID. This setting can only be enabled when inner_vlan_from is defined. |
|||
vlan_forwarding_accept_all | Boolean | ||||
backup_link | Dictionary | ||||
interface | String | Backup interface. Example - Ethernet4, Vlan10 etc. | |||
prefer_vlan | String | VLANs to carry on the backup interface (1-4094). | |||
backup | Dictionary | The backup_link is required for this setting. |
|||
dest_macaddr | String | Format: mac | Destination MAC address for MAC move updates. The mac address should be multicast or broadcast. Example: 01:00:00:00:00:00 |
||
initial_mac_move_delay | Integer | Min: 0 Max: 65535 |
Initial MAC move delay in milliseconds. | ||
mac_move_burst | Integer | Min: 0 Max: 65535 |
Size of MAC move bursts. | ||
mac_move_burst_interval | Integer | Min: 0 Max: 65535 |
MAC move burst interval in milliseconds. | ||
preemption_delay | Integer | Min: 0 Max: 65535 |
Preemption delay in milliseconds. | ||
port_security | Dictionary | ||||
enabled | Boolean | ||||
mac_address_maximum | Dictionary | Maximum number of MAC addresses allowed on the interface. | |||
disabled | Boolean | Disable port level check for port security (only in violation ‘shutdown’ mode). | |||
limit | Integer | Min: 1 Max: 1000 |
MAC address limit. | ||
violation | Dictionary | Configure violation mode (shutdown or protect), EOS default is ‘shutdown’. | |||
mode | String | Valid Values: - shutdown - protect |
Configure port security mode. | ||
protect_log | Boolean | Log new addresses seen after limit is reached in protect mode. | |||
vlan_default_mac_address_maximum | Integer | Min: 0 Max: 1000 |
Default maximum MAC addresses for all VLANs on this interface. | ||
vlans | List, items: Dictionary | ||||
- range | String | Required, Unique | VLAN ID or range(s) of VLAN IDs, <1-4094>. Example: - 3 - 1,3 - 1-10 |
||
mac_address_maximum | Integer | Required | |||
eos_cli | String | Multiline EOS CLI rendered directly on the ethernet interface in the final EOS configuration. |
ethernet_interfaces:
- name: <str; required; unique>
description: <str>
shutdown: <bool>
# Interval in seconds for updating interface counters.
load_interval: <int; 0-600>
# Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
speed: <str>
mtu: <int; 68-65535>
# "l2_mtu" should only be defined for platforms supporting the "l2 mtu" CLI.
l2_mtu: <int; 68-65535>
# "l2_mru" should only be defined for platforms supporting the "l2 mru" CLI.
l2_mru: <int; 68-65535>
# List of switchport vlans as string.
# For a trunk port this would be a range like "1-200,300".
# For an access port this would be a single vlan "123".
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.access_vlan or switchport.trunk.allowed_vlan</samp> instead.
vlans: <str>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.trunk.native_vlan</samp> instead.
native_vlan: <int>
# If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.trunk.native_vlan_tag</samp> instead.
native_vlan_tag: <bool>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.mode</samp> instead.
mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.phone</samp> instead.
phone:
trunk: <str; "tagged" | "tagged phone" | "untagged" | "untagged phone">
vlan: <int; 1-4094>
l2_protocol:
# Vlan tag to configure on sub-interface.
encapsulation_dot1q_vlan: <int>
# L2 protocol forwarding profile.
forwarding_profile: <str>
# header: Insert timestamp in ethernet header. Supported on platforms like 7500E/R and 7280E/R.
# before-fcs: Insert timestamp before fcs field. Supported on platforms like 7150.
# replace-fcs: Replace fcs field with timestamp.
mac_timestamp: <str; "before-fcs" | "replace-fcs" | "header">
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.trunk.groups</samp> instead.
trunk_groups:
- <str>
# l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
# The `type = switched/routed` should not be combined with `switchport`.
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# See [here](https://avd.arista.com/5.x/docs/porting-guides/5.x.x.html#removal-of-type-key-dependency-for-rendering-ethernetport-channel-interfaces-configuration-and-documentation) for details.
type: <str; "routed" | "switched" | "l3dot1q" | "l2dot1q" | "port-channel-member">
snmp_trap_link_change: <bool>
address_locking:
# Enable address locking for IPv4.
ipv4: <bool>
# Enable address locking for IPv6.
ipv6: <bool>
flowcontrol:
received: <str; "desired" | "on" | "off">
# VRF name.
vrf: <str>
flow_tracker:
# Sampled flow tracker name.
sampled: <str>
# Hardware flow tracker name.
hardware: <str>
error_correction_encoding:
enabled: <bool; default=True>
fire_code: <bool>
reed_solomon: <bool>
link_tracking_groups:
# Group name.
- name: <str; required; unique>
direction: <str; "upstream" | "downstream">
link_tracking:
direction: <str; "upstream" | "downstream">
# Link state group(s) an interface belongs to.
groups:
# Group names.
- <str>
evpn_ethernet_segment:
# EVPN Ethernet Segment Identifier (Type 1 format).
identifier: <str>
redundancy: <str; "all-active" | "single-active">
designated_forwarder_election:
algorithm: <str; "modulus" | "preference">
# Preference_value is only used when "algorithm" is "preference".
preference_value: <int; 0-65535>
# Dont_preempt is only used when "algorithm" is "preference".
dont_preempt: <bool>
hold_time: <int>
subsequent_hold_time: <int>
candidate_reachability_required: <bool>
mpls:
shared_index: <int; 1-1024>
tunnel_flood_filter_time: <int>
# EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
route_target: <str>
# VLAN tag to configure on sub-interface.
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>encapsulation_dot1q.vlan</samp> instead.
encapsulation_dot1q_vlan: <int>
# Warning: `encapsulation_dot1q` should not be combined with `ethernet_interfaces[].type: l3dot1q` or `ethernet_interfaces[].type: l2dot1q`.
encapsulation_dot1q:
# VLAD ID.
vlan: <int; 1-4094; required>
# Inner VLAN ID. This setting can only be applied to sub-interfaces on EOS.
inner_vlan: <int; 1-4094>
# This setting can only be applied to sub-interfaces on EOS.
# Warning: `encapsulation_vlan` should not be combined with `ethernet_interfaces[].type: l3dot1q` or `ethernet_interfaces[].type: l2dot1q`.
encapsulation_vlan:
client:
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
dot1q:
# Client VLAN ID.
vlan: <int; 1-4094>
# Client Outer VLAN ID.
outer: <int; 1-4094>
# Client Inner VLAN ID.
inner: <int>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
unmatched: <bool>
encapsulation: <str; "dot1q" | "dot1ad" | "unmatched" | "untagged">
# Client VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
vlan: <int; 1-4094>
# Client Outer VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
outer_vlan: <int; 1-4094>
# Client Inner VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
inner_vlan: <int; 1-4094>
inner_encapsulation: <str; "dot1q" | "dot1ad">
# Network encapsulations are all optional and skipped if using client unmatched.
network:
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
dot1q:
# Network VLAN ID.
vlan: <int; 1-4094>
# Network outer VLAN ID.
outer: <int; 1-4094>
# Network inner VLAN ID.
inner: <int; 1-4094>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
client: <bool>
# `untagged` (no encapsulation) is applicable for `untagged` client only.
# `client` and `client inner` (retain client encapsulation) is not applicable for `untagged` client.
encapsulation: <str; "dot1q" | "dot1ad" | "client" | "client inner" | "untagged">
# Network VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
vlan: <int; 1-4094>
# Network outer VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
outer_vlan: <int; 1-4094>
# Network inner VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
inner_vlan: <int; 1-4094>
inner_encapsulation: <str; "dot1q" | "dot1ad">
# This setting can only be applied to sub-interfaces on EOS.
# Warning: `vlan_id` should not be combined with `ethernet_interfaces[].type == l2dot1q`.
vlan_id: <int; 1-4094>
# IPv4 address/mask or "dhcp".
ip_address: <str>
ip_address_secondaries:
- <str>
ip_verify_unicast_source_reachable_via: <str; "any" | "rx">
# Install default-route obtained via DHCP.
dhcp_client_accept_default_route: <bool>
# Enable IPv4 DHCP server.
dhcp_server_ipv4: <bool>
# Enable IPv6 DHCP server.
dhcp_server_ipv6: <bool>
ip_helpers:
- ip_helper: <str; required; unique>
# Source interface name.
source_interface: <str>
# VRF name.
vrf: <str>
ip_nat:
# NAT interface profile.
service_profile: <str>
destination:
dynamic:
- access_list: <str; required; unique>
comment: <str>
pool_name: <str; required>
priority: <int; 0-4294967295>
static:
# 'access_list' and 'group' are mutual exclusive.
- access_list: <str>
comment: <str>
# Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
# EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
direction: <str; "egress" | "ingress">
# 'access_list' and 'group' are mutual exclusive.
group: <int; 1-65535>
# IPv4 address. The combination of `original_ip` and `original_port` must be unique.
original_ip: <str>
# TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
original_port: <int; 1-65535>
priority: <int; 0-4294967295>
protocol: <str; "udp" | "tcp">
# IPv4 address.
translated_ip: <str; required>
# requires 'original_port'.
translated_port: <int; 1-65535>
source:
dynamic:
- access_list: <str; required; unique>
comment: <str>
nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>
# required if 'nat_type' is pool, pool-address-only or pool-full-cone.
# ignored if 'nat_type' is overload.
pool_name: <str>
priority: <int; 0-4294967295>
static:
# 'access_list' and 'group' are mutual exclusive.
- access_list: <str>
comment: <str>
# Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
# EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
direction: <str; "egress" | "ingress">
# 'access_list' and 'group' are mutual exclusive.
group: <int; 1-65535>
# IPv4 address. The combination of `original_ip` and `original_port` must be unique.
original_ip: <str>
# TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
original_port: <int; 1-65535>
priority: <int; 0-4294967295>
protocol: <str; "udp" | "tcp">
# IPv4 address.
translated_ip: <str; required>
# requires 'original_port'.
translated_port: <int; 1-65535>
ipv6_enable: <bool>
ipv6_address: <str>
# Link local IPv6 address/mask.
ipv6_address_link_local: <str>
ipv6_nd_ra_disabled: <bool>
ipv6_nd_managed_config_flag: <bool>
ipv6_nd_prefixes:
- ipv6_prefix: <str; required; unique>
# Infinite or lifetime in seconds.
valid_lifetime: <str>
# Infinite or lifetime in seconds.
preferred_lifetime: <str>
no_autoconfig_flag: <bool>
ipv6_dhcp_relay_destinations:
# DHCP server's IPv6 address.
- address: <str; required; unique>
vrf: <str>
# Local interface to communicate with DHCP server - mutually exclusive to source_address.
local_interface: <str>
# Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface.
source_address: <str>
# Override the default link address specified in the relayed DHCP packet.
link_address: <str>
# Access list name.
access_group_in: <str>
# Access list name.
access_group_out: <str>
# IPv6 access list name.
ipv6_access_group_in: <str>
# IPv6 access list name.
ipv6_access_group_out: <str>
# MAC access list name.
mac_access_group_in: <str>
# MAC access list name.
mac_access_group_out: <str>
# Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not combination of both.
multicast:
ipv4:
boundaries:
# ACL name or multicast IP subnet.
- boundary: <str>
out: <bool>
static: <bool>
ipv6:
boundaries:
# ACL name or multicast IP subnet.
- boundary: <str>
static: <bool>
ospf_network_point_to_point: <bool>
ospf_area: <str>
ospf_cost: <int>
ospf_authentication: <str; "none" | "simple" | "message-digest">
# Encrypted password - only type 7 supported.
ospf_authentication_key: <str>
ospf_message_digest_keys:
- id: <int; required; unique>
hash_algorithm: <str; "md5" | "sha1" | "sha256" | "sha384" | "sha512">
# Encrypted password - only type 7 supported.
key: <str>
pim:
ipv4:
# Configure PIM border router. EOS default is false.
border_router: <bool>
dr_priority: <int; 0-429467295>
sparse_mode: <bool>
# Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
bfd: <bool>
bidirectional: <bool>
hello:
# Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
count: <str>
# PIM hello interval in seconds.
interval: <int; 1-65535>
mac_security:
profile: <str>
# The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
# of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.
tcp_mss_ceiling:
ipv4_segment_size: <int; 64-65475>
ipv6_segment_size: <int; 64-65475>
direction: <str; "egress" | "ingress">
channel_group:
id: <int>
mode: <str; "on" | "active" | "passive">
# ISIS instance.
isis_enable: <str>
# Enable BFD for ISIS.
isis_bfd: <bool>
isis_passive: <bool>
isis_metric: <int>
isis_network_point_to_point: <bool>
isis_circuit_type: <str; "level-1-2" | "level-1" | "level-2">
isis_hello_padding: <bool>
# This key is deprecated.
# Support will be removed in AVD version v6.0.0.
# Use <samp>isis_authentication.both.mode or isis_authentication.level_1.mode or isis_authentication.level_2.mode</samp> instead.
isis_authentication_mode: <str; "text" | "md5">
# Type-7 encrypted password.
# This key is deprecated.
# Support will be removed in AVD version v6.0.0.
# Use <samp>isis_authentication.both.key or isis_authentication.level_1.key or isis_authentication.level_2.key</samp> instead.
isis_authentication_key: <str>
# This key should not be mixed with ethernet_interfaces[].isis_authentication_mode or ethernet_interfaces[].isis_authentication_key.
isis_authentication:
# Authentication settings for level-1 and level-2. 'both' takes precedence over 'level_1' and 'level_2' settings.
both:
# Configure authentication key type.
key_type: <str; "0" | "7" | "8a">
# Password string. `key_type` is required for this setting.
key: <str>
key_ids:
# Configure authentication key-id.
- id: <int; 1-65535; required; unique>
algorithm: <str; "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>
# Configure authentication key type.
key_type: <str; "0" | "7" | "8a"; required>
# Password string.
key: <str; required>
# SHA digest computation according to rfc5310.
rfc_5310: <bool>
# Authentication mode.
mode: <str; "md5" | "sha" | "text" | "shared-secret">
# Required settings for authentication mode 'sha'.
sha:
key_id: <int; 1-65535; required>
# Required settings for authentication mode 'shared_secret'.
shared_secret:
profile: <str; required>
algorithm: <str; "md5" | "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>
# Disable authentication check on the receive side.
rx_disabled: <bool>
# Authentication settings for level-1. 'both' takes precedence over 'level_1' and 'level_2' settings.
level_1:
# Configure authentication key type.
key_type: <str; "0" | "7" | "8a">
# Password string. `key_type` is required for this setting.
key: <str>
key_ids:
# Configure authentication key-id.
- id: <int; 1-65535; required; unique>
algorithm: <str; "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>
# Configure authentication key type.
key_type: <str; "0" | "7" | "8a"; required>
# Password string.
key: <str; required>
# SHA digest computation according to rfc5310.
rfc_5310: <bool>
# Authentication mode.
mode: <str; "md5" | "sha" | "text" | "shared-secret">
# Required settings for authentication mode 'sha'.
sha:
key_id: <int; 1-65535; required>
# Required settings for authentication mode 'shared_secret'.
shared_secret:
profile: <str; required>
algorithm: <str; "md5" | "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>
# Disable authentication check on the receive side.
rx_disabled: <bool>
# Authentication settings for level-2. 'both' takes precedence over 'level_1' and 'level_2' settings.
level_2:
# Configure authentication key type.
key_type: <str; "0" | "7" | "8a">
# Password string. `key_type` is required for this setting.
key: <str>
key_ids:
# Configure authentication key-id.
- id: <int; 1-65535; required; unique>
algorithm: <str; "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>
# Configure authentication key type.
key_type: <str; "0" | "7" | "8a"; required>
# Password string.
key: <str; required>
# SHA digest computation according to rfc5310.
rfc_5310: <bool>
# Authentication mode.
mode: <str; "md5" | "sha" | "text" | "shared-secret">
# Required settings for authentication mode 'sha'.
sha:
key_id: <int; 1-65535; required>
# Required settings for authentication mode 'shared_secret'.
shared_secret:
profile: <str; required>
algorithm: <str; "md5" | "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>
# Disable authentication check on the receive side.
rx_disabled: <bool>
poe:
# Disable PoE on a POE capable port. PoE is enabled on all ports that support it by default in EOS.
disabled: <bool; default=False>
# Prioritize a port's power in the event that one of the switch's power supplies loses power.
priority: <str; "critical" | "high" | "medium" | "low">
# Set the PoE power behavior for a PoE port when the system is rebooted.
reboot:
# PoE action for interface.
action: <str; "maintain" | "power-off">
# Set the PoE power behavior for a PoE port when the port goes down.
link_down:
# PoE action for interface.
action: <str; "maintain" | "power-off">
# Number of seconds to delay shutting the power off after a link down event occurs. Default value is 5 seconds in EOS.
power_off_delay: <int; 1-86400>
# Set the PoE power behavior for a PoE port when the port is admin down.
shutdown:
# PoE action for interface.
action: <str; "maintain" | "power-off">
# Override the hardware-negotiated power limit using either wattage or a power class. Note that if using a power class, AVD will automatically convert the class value to the wattage value corresponding to that power class.
limit:
class: <int; 0-8>
watts: <str>
# Set to ignore hardware classification.
fixed: <bool>
# Disable to prevent port from negotiating power with powered devices over LLDP. Enabled by default in EOS.
negotiation_lldp: <bool>
# Allow a subset of legacy devices to work with the PoE switch. Disabled by default in EOS because it can cause false positive detections.
legacy_detect: <bool>
ptp:
enable: <bool>
announce:
interval: <int>
timeout: <int>
delay_req: <int>
delay_mechanism: <str; "e2e" | "p2p">
profile:
g8275_1:
destination_mac_address: <str; "forwardable" | "non-forwardable">
sync_message:
interval: <int>
role: <str; "master" | "dynamic">
# VLAN can be 'all' or list of vlans as string.
vlan: <str>
transport: <str; "ipv4" | "ipv6" | "layer2">
# Interface profile.
profile: <str>
storm_control:
all:
# Configure maximum storm-control level.
level: <str>
# Optional field and is hardware dependent.
unit: <str; "percent" | "pps"; default="percent">
broadcast:
# Configure maximum storm-control level.
level: <str>
# Optional field and is hardware dependent.
unit: <str; "percent" | "pps"; default="percent">
multicast:
# Configure maximum storm-control level.
level: <str>
# Optional field and is hardware dependent.
unit: <str; "percent" | "pps"; default="percent">
unknown_unicast:
# Configure maximum storm-control level.
level: <str>
# Optional field and is hardware dependent.
unit: <str; "percent" | "pps"; default="percent">
logging:
event:
link_status: <bool>
congestion_drops: <bool>
spanning_tree: <bool>
# Discards due to storm-control.
storm_control_discards: <bool>
lldp:
transmit: <bool>
receive: <bool>
# ZTP vlan number.
ztp_vlan: <int>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.trunk.private_vlan_secondary</samp> instead.
trunk_private_vlan_secondary: <bool>
# List of vlans as string.
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.pvlan_mapping</samp> instead.
pvlan_mapping: <str>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.vlan_translations</samp> instead.
vlan_translations:
# List of vlans as string (only one vlan if direction is "both").
- from: <str>
# VLAN ID.
to: <int>
direction: <str; "in" | "out" | "both"; default="both">
# 802.1x
dot1x:
port_control: <str; "auto" | "force-authorized" | "force-unauthorized">
port_control_force_authorized_phone: <bool>
reauthentication: <bool>
pae:
mode: <str; "authenticator">
authentication_failure:
action: <str; "allow" | "drop">
allow_vlan: <int; 1-4094>
host_mode:
mode: <str; "multi-host" | "single-host">
multi_host_authenticated: <bool>
mac_based_authentication:
enabled: <bool>
always: <bool>
host_mode_common: <bool>
# Operate interface in per-mac access-list mode.
mac_based_access_list: <bool>
timeout:
idle_host: <int; 10-65535>
quiet_period: <int; 1-65535>
# Value can be 60-4294967295 or 'server'.
reauth_period: <str>
reauth_timeout_ignore: <bool>
tx_period: <int; 1-65535>
reauthorization_request_limit: <int; 1-10>
unauthorized:
access_vlan_membership_egress: <bool>
native_vlan_membership_egress: <bool>
eapol:
disabled: <bool>
authentication_failure_fallback_mba:
enabled: <bool>
timeout: <int; 0-65535>
aaa:
# Configure AAA timeout options.
unresponsive:
# EAP response to send. EOS default is `success`.
eap_response: <str; "success" | "disabled">
# Set action for supplicant when AAA times out.
action:
# Name of standard access-list to apply when AAA times out.
traffic_allow_access_list: <str>
# Use results from a previous AAA response.
apply_cached_results: <bool>
cached_results_timeout:
# Enable caching for a specific duration -
# <1-10000> duration in days
# <1-14400000> duration in minutes
# <1-240000> duration in hours
# <1-864000000> duration in seconds
time_duration: <int; >=1>
time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>
# Apply alternate action if primary action fails.
# eg. aaa unresponsive action apply cached-results else traffic allow
apply_alternate: <bool>
# Set action for supplicant traffic when AAA times out.
traffic_allow: <bool>
traffic_allow_vlan: <int; 1-4094>
# Set action for supplicant when AAA times out.
phone_action:
# Use results from a previous AAA response.
apply_cached_results: <bool>
cached_results_timeout:
# Enable caching for a specific duration -
# <1-10000> duration in days
# <1-14400000> duration in minutes
# <1-240000> duration in hours
# <1-864000000> duration in seconds
time_duration: <int; >=1>
time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>
# Apply alternate action if primary action fails.
# eg. aaa unresponsive phone action apply cached-results else traffic allow
apply_alternate: <bool>
# Set action for supplicant traffic when AAA times out.
traffic_allow: <bool>
# QOS profile.
service_profile: <str>
shape:
# Rate in kbps, pps or percent.
# Supported options are platform dependent.
# Examples:
# - "5000 kbps"
# - "1000 pps"
# - "20 percent"
rate: <str>
qos:
trust: <str; "dscp" | "cos" | "disabled">
# DSCP value.
dscp: <int>
# COS value.
cos: <int>
spanning_tree_bpdufilter: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
spanning_tree_bpduguard: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
spanning_tree_guard: <str; "loop" | "root" | "disabled">
spanning_tree_portfast: <str; "edge" | "network">
vmtracer: <bool>
priority_flow_control:
enabled: <bool>
priorities:
- priority: <int; 0-7; required; unique>
no_drop: <bool>
bfd:
echo: <bool>
# Interval in milliseconds.
interval: <int>
# Rate in milliseconds.
min_rx: <int>
multiplier: <int; 3-50>
service_policy:
pbr:
# Policy Based Routing Policy-map name.
input: <str>
qos:
# Quality of Service Policy-map name.
input: <str; required>
mpls:
ip: <bool>
ldp:
interface: <bool>
igp_sync: <bool>
lacp_timer:
mode: <str; "fast" | "normal">
multiplier: <int; 3-3000>
lacp_port_priority: <int; 0-65535>
transceiver:
# Transceiver Laser Frequency in GHz (min 190000, max 200000).
frequency: <str>
# Unit of Transceiver Laser Frequency.
frequency_unit: <str; "ghz">
media:
# Transceiver type.
override: <str>
ip_proxy_arp: <bool>
traffic_policy:
# Ingress traffic policy.
input: <str>
# Egress traffic policy.
output: <str>
bgp:
# Name of session tracker.
session_tracker: <str>
ip_igmp_host_proxy:
enabled: <bool>
groups:
# Multicast Address.
- group: <str; required; unique>
# The same source must not be present both in `exclude` and `include` list.
exclude:
- source: <str; required; unique>
# The same source must not be present both in `exclude` and `include` list.
include:
- source: <str; required; unique>
# Time interval between unsolicited reports.
report_interval: <int; 1-31744>
# Non-standard Access List name.
access_lists:
- name: <str; required; unique>
# IGMP version on IGMP host-proxy interface.
version: <int; 1-3>
# Key only used for documentation or validation purposes.
peer: <str>
# Key only used for documentation or validation purposes.
peer_interface: <str>
# Key only used for documentation or validation purposes.
peer_type: <str>
sflow:
enable: <bool>
egress:
enable: <bool>
unmodified_enable: <bool>
sync_e:
enable: <bool>
# The priority is used to influence the reference clock selection. The EOS default priority is 127. The priority can be configured to any integer between 1-255, or set to `disabled`.
priority: <str>
# Key only used for documentation or validation purposes.
port_profile: <str>
uc_tx_queues:
# TX-Queue ID.
- id: <int; required; unique>
random_detect:
# Explicit Congestion Notification.
ecn:
# Enable counter for random-detect ECNs.
count: <bool>
threshold:
# Indicate the units to be used for the threshold values.
units: <str; "segments" | "bytes" | "kbytes" | "mbytes" | "milliseconds"; required>
# Set the random-detect ECN minimum-threshold.
min: <int; 1-256000000; required>
# Set the random-detect ECN maximum-threshold.
max: <int; 1-256000000; required>
# Set the random-detect ECN max-mark-probability.
max_probability: <int; 1-100>
# Set the random-detect ECN weight.
weight: <int; 0-15>
tx_queues:
# TX-Queue ID.
- id: <int; required; unique>
random_detect:
# Explicit Congestion Notification.
ecn:
# Enable counter for random-detect ECNs.
count: <bool>
threshold:
# Indicate the units to be used for the threshold values.
units: <str; "segments" | "bytes" | "kbytes" | "mbytes" | "milliseconds"; required>
# Set the random-detect ECN minimum-threshold.
min: <int; 1-256000000>
# Set the random-detect ECN maximum-threshold.
max: <int; 1-256000000; required>
# Set the random-detect ECN max-mark-probability.
max_probability: <int; 1-100; required>
# Set the random-detect ECN weight.
weight: <int; 0-15>
# VRRP model.
vrrp_ids:
# VRID.
- id: <int; required; unique>
# Instance priority.
priority_level: <int; 1-254>
advertisement:
# Interval in seconds.
interval: <int; 1-255>
preempt:
enabled: <bool; required>
delay:
# Minimum preempt delay in seconds.
minimum: <int; 0-3600>
# Reload preempt delay in seconds.
reload: <int; 0-3600>
timers:
delay:
# Delay after reload in seconds.
reload: <int; 0-3600>
tracked_object:
# Tracked object name.
- name: <str; required; unique>
# Decrement VRRP priority by 1-254.
decrement: <int; 1-254>
shutdown: <bool>
ipv4:
# Virtual IPv4 address.
address: <str; required>
version: <int; 2 | 3>
ipv6:
# Virtual IPv6 address.
address: <str; required>
# Set to false to disable interface state and LLDP topology validation performed by the `eos_validate_state` role.
validate_state: <bool>
# Set to false to disable the LLDP topology validation performed by the `eos_validate_state` role.
validate_lldp: <bool>
# This should not be combined with `ethernet_interfaces[].type = switched/routed`.
switchport:
# Warning: This should not be combined with `ethernet_interfaces[].type = routed`.
enabled: <bool>
# Warning: This should not be combined with `ethernet_interfaces[].mode`.
mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">
# Set VLAN when interface is in access mode.
# Warning: This should not be combined with `ethernet_interfaces[].mode = access/dot1q-tunnel` and `ethernet_interface[].vlans`.
access_vlan: <int; 1-4094>
trunk:
# VLAN ID or range(s) of VLAN IDs.
# Warning: This should not be combined with `ethernet_interfaces[].mode = trunk` and `ethernet_interface[].vlans`.
allowed_vlan: <str>
# Set native VLAN when interface is in trunking mode.
# Warning: This should not be combined with `ethernet_interfaces[].native_vlan`.
native_vlan: <int; 1-4094>
# If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
# Warning: This should not be combined with `ethernet_interfaces[].native_vlan_tag`.
native_vlan_tag: <bool>
# Enable secondary VLAN mapping for a private vlan.
# Warning: This should not be combined with `ethernet_ineterfaces[].trunk_private_vlan_secondary`.
private_vlan_secondary: <bool>
# Warning: This should not be combined with `ethernet_ineterfaces[].trunk_groups`.
groups:
# Trunk group name.
- <str>
# Warning: This should not be combined with `ethernet_interfaces[].phone`.
phone:
# Warning: This should not be combined with `ethernet_interfaces[].phone.vlan`.
vlan: <int; 1-4094>
# Warning: This should not be combined with `ethernet_interfaces[].phone.trunk`.
trunk: <str; "tagged" | "tagged phone" | "untagged" | "untagged phone">
# Secondary VLAN IDs of the private VLAN mapping.
# Warning: This should not be combined with `ethernet_interfaces[].pvlan_mapping`.
pvlan_mapping: <str>
dot1q:
# Ethertype/TPID (Tag Protocol IDentifier) for VLAN tagged frames.
ethertype: <int; 1536-65535>
# Allow/disallow VLAN tagged frames.
vlan_tag: <str; "disallowed" | "required">
# tx: Allow bridged traffic to go out of the source interface.
# tx multicast: Allow multicast traffic only to go out of the source interface.
source_interface: <str; "tx" | "tx multicast">
# VLAN Translation mappings.
# Warning: This should not be combined with `ethernet_interfaces[].vlan_translations`.
vlan_translations:
# Drop the ingress traffic that do not match any VLAN mapping.
in_required: <bool>
# Drop the egress traffic that do not match any VLAN mapping.
out_required: <bool>
# Map ingress traffic only.
direction_in:
# VLAN ID or range of VLAN IDs to map from. Range 1-4094.
- from: <str; required>
# VLAN ID to map to.
to: <int; 1-4094; required>
dot1q_tunnel: <bool>
# Inner VLAN ID to map from.
inner_vlan_from: <int; 1-4094>
# Map egress traffic only.
direction_out:
# VLAN ID or range of VLAN IDs to map from. Range 1-4094.
- from: <str; required>
# VLAN ID to map to.
to: <int; 1-4094>
# VLAN ID or range of VLAN IDs or "all". Range 1-4094.
# This takes precedence over `to` and `inner_vlan_to`.
dot1q_tunnel_to: <str>
# Inner VLAN ID to map to.
inner_vlan_to: <int; 1-4094>
# Map both egress and ingress traffic.
direction_both:
# VLAN ID or range of VLAN IDs to map from. Range 1-4094.
- from: <str; required>
# VLAN ID to map to.
to: <int; 1-4094; required>
dot1q_tunnel: <bool>
# Inner VLAN ID to map from.
inner_vlan_from: <int; 1-4094>
# Enable use of network-side VLAN ID.
# This setting can only be enabled when `inner_vlan_from` is defined.
network: <bool>
vlan_forwarding_accept_all: <bool>
backup_link:
# Backup interface. Example - Ethernet4, Vlan10 etc.
interface: <str>
# VLANs to carry on the backup interface (1-4094).
prefer_vlan: <str>
# The `backup_link` is required for this setting.
backup:
# Destination MAC address for MAC move updates.
# The mac address should be multicast or broadcast.
# Example: 01:00:00:00:00:00
dest_macaddr: <str>
# Initial MAC move delay in milliseconds.
initial_mac_move_delay: <int; 0-65535>
# Size of MAC move bursts.
mac_move_burst: <int; 0-65535>
# MAC move burst interval in milliseconds.
mac_move_burst_interval: <int; 0-65535>
# Preemption delay in milliseconds.
preemption_delay: <int; 0-65535>
port_security:
enabled: <bool>
# Maximum number of MAC addresses allowed on the interface.
mac_address_maximum:
# Disable port level check for port security (only in violation 'shutdown' mode).
disabled: <bool>
# MAC address limit.
limit: <int; 1-1000>
# Configure violation mode (shutdown or protect), EOS default is 'shutdown'.
violation:
# Configure port security mode.
mode: <str; "shutdown" | "protect">
# Log new addresses seen after limit is reached in protect mode.
protect_log: <bool>
# Default maximum MAC addresses for all VLANs on this interface.
vlan_default_mac_address_maximum: <int; 0-1000>
vlans:
# VLAN ID or range(s) of VLAN IDs, <1-4094>.
# Example:
# - 3
# - 1,3
# - 1-10
- range: <str; required; unique>
mac_address_maximum: <int; required>
# Multiline EOS CLI rendered directly on the ethernet interface in the final EOS configuration.
eos_cli: <str>
Interface defaults¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
interface_defaults | Dictionary | ||||
ethernet | Dictionary | ||||
shutdown | Boolean | ||||
mtu | Integer |
Interface profiles¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
interface_profiles | List, items: Dictionary | ||||
- name | String | Required, Unique | Interface-Profile Name. | ||
commands | List, items: String | Required | |||
- <str> | String | EOS CLI interface command. Example: “switchport mode access” |
LACP¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
lacp | Dictionary | Set Link Aggregation Control Protocol (LACP) parameters. | |||
port_id | Dictionary | LACP port-ID range configuration. | |||
range | Dictionary | ||||
begin | Integer | Minimum LACP port-ID range. | |||
end | Integer | Maximum LACP port-ID range. | |||
rate_limit | Dictionary | Set LACPDU rate limit options. | |||
default | Boolean | Enable LACPDU rate limiting by default on all ports. | |||
system_priority | Integer | Min: 0 Max: 65535 |
Set local system LACP priority. |
# Set Link Aggregation Control Protocol (LACP) parameters.
lacp:
# LACP port-ID range configuration.
port_id:
range:
# Minimum LACP port-ID range.
begin: <int>
# Maximum LACP port-ID range.
end: <int>
# Set LACPDU rate limit options.
rate_limit:
# Enable LACPDU rate limiting by default on all ports.
default: <bool>
# Set local system LACP priority.
system_priority: <int; 0-65535>
Link tracking groups¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
link_tracking_groups | List, items: Dictionary | ||||
- name | String | Required, Unique | |||
links_minimum | Integer | Min: 1 Max: 100000 |
|||
recovery_delay | Integer | Min: 0 Max: 3600 |
LLDP¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
lldp | Dictionary | ||||
timer | Integer | ||||
timer_reinitialization | String | ||||
holdtime | Integer | ||||
management_address | String | ||||
vrf | String | ||||
receive_packet_tagged_drop | String | ||||
tlvs | List, items: Dictionary | ||||
- name | String | Required, Unique | Valid Values: - link-aggregation - management-address - max-frame-size - med - port-description - port-vlan - power-via-mdi - system-capabilities - system-description - system-name - vlan-name |
||
transmit | Boolean | ||||
run | Boolean |
lldp:
timer: <int>
timer_reinitialization: <str>
holdtime: <int>
management_address: <str>
vrf: <str>
receive_packet_tagged_drop: <str>
tlvs:
- name: <str; "link-aggregation" | "management-address" | "max-frame-size" | "med" | "port-description" | "port-vlan" | "power-via-mdi" | "system-capabilities" | "system-description" | "system-name" | "vlan-name"; required; unique>
transmit: <bool>
run: <bool>
Loopback interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
loopback_interfaces | List, items: Dictionary | ||||
- name | String | Required, Unique | Loopback interface name e.g. “Loopback0”. | ||
description | String | ||||
shutdown | Boolean | ||||
vrf | String | VRF name. | |||
ip_address | String | IPv4_address/Mask. | |||
ip_address_secondaries | List, items: String | ||||
- <str> | String | IPv4_address/Mask. | |||
ipv6_enable | Boolean | ||||
ipv6_address | String | IPv6_address/Mask. | |||
ip_proxy_arp | Boolean | ||||
ospf_area | String | ||||
mpls | Dictionary | ||||
ldp | Dictionary | ||||
interface | Boolean | ||||
isis_enable | String | ISIS instance name. | |||
isis_bfd | Boolean | Enable BFD for ISIS. | |||
isis_passive | Boolean | ||||
isis_metric | Integer | ||||
isis_network_point_to_point | Boolean | ||||
node_segment | Dictionary | ||||
ipv4_index | Integer | ||||
ipv6_index | Integer | ||||
eos_cli | String | EOS CLI rendered directly on the loopback interface in the final EOS configuration. |
loopback_interfaces:
# Loopback interface name e.g. "Loopback0".
- name: <str; required; unique>
description: <str>
shutdown: <bool>
# VRF name.
vrf: <str>
# IPv4_address/Mask.
ip_address: <str>
ip_address_secondaries:
# IPv4_address/Mask.
- <str>
ipv6_enable: <bool>
# IPv6_address/Mask.
ipv6_address: <str>
ip_proxy_arp: <bool>
ospf_area: <str>
mpls:
ldp:
interface: <bool>
# ISIS instance name.
isis_enable: <str>
# Enable BFD for ISIS.
isis_bfd: <bool>
isis_passive: <bool>
isis_metric: <int>
isis_network_point_to_point: <bool>
node_segment:
ipv4_index: <int>
ipv6_index: <int>
# EOS CLI rendered directly on the loopback interface in the final EOS configuration.
eos_cli: <str>
Management interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
management_interfaces | List, items: Dictionary | ||||
- name | String | Required, Unique | Management Interface Name. | ||
description | String | ||||
shutdown | Boolean | ||||
speed | String | Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed> . |
|||
mtu | Integer | ||||
vrf | String | VRF Name. | |||
ip_address | String | IPv4_address/Mask. | |||
ipv6_enable | Boolean | ||||
ipv6_address | String | IPv6_address/Mask. | |||
type | String | oob |
Valid Values: - oob - inband |
For documentation purposes only. | |
gateway | String | IPv4 address of default gateway in management VRF. | |||
ipv6_gateway | String | IPv6 address of default gateway in management VRF. | |||
mac_address | String | MAC address. | |||
lldp | Dictionary | ||||
transmit | Boolean | ||||
receive | Boolean | ||||
ztp_vlan | Integer | ZTP vlan number. | |||
eos_cli | String | Multiline EOS CLI rendered directly on the management interface in the final EOS configuration. |
management_interfaces:
# Management Interface Name.
- name: <str; required; unique>
description: <str>
shutdown: <bool>
# Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
speed: <str>
mtu: <int>
# VRF Name.
vrf: <str>
# IPv4_address/Mask.
ip_address: <str>
ipv6_enable: <bool>
# IPv6_address/Mask.
ipv6_address: <str>
# For documentation purposes only.
type: <str; "oob" | "inband"; default="oob">
# IPv4 address of default gateway in management VRF.
gateway: <str>
# IPv6 address of default gateway in management VRF.
ipv6_gateway: <str>
# MAC address.
mac_address: <str>
lldp:
transmit: <bool>
receive: <bool>
# ZTP vlan number.
ztp_vlan: <int>
# Multiline EOS CLI rendered directly on the management interface in the final EOS configuration.
eos_cli: <str>
Patch panel¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
patch_panel | Dictionary | ||||
connector | Dictionary | ||||
interface | Dictionary | ||||
patch | Dictionary | ||||
bgp_vpws_remote_failure_errdisable | Boolean | ||||
recovery | Dictionary | ||||
review_delay | Dictionary | ||||
min | Integer | Required | Min: 10 Max: 600 |
Minimum delay. | |
max | Integer | Required | Min: 15 Max: 900 |
Maximum delay. | |
patches | List, items: Dictionary | ||||
- name | String | Required, Unique | |||
enabled | Boolean | ||||
connectors | List, items: Dictionary | Min Length: 2 Max Length: 2 |
Must have exactly two connectors to a patch of which at least one must be of type “interface”. | ||
- id | String | Required, Unique | |||
type | String | Required | Valid Values: - interface - pseudowire |
||
endpoint | String | Required | String with relevant endpoint depending on type. Examples: - “Ethernet1” - “Ethernet1 dot1q vlan 123” - “bgp vpws TENANT_A pseudowire VPWS_PW_1” - “ldp LDP_PW_1” |
patch_panel:
connector:
interface:
patch:
bgp_vpws_remote_failure_errdisable: <bool>
recovery:
review_delay:
# Minimum delay.
min: <int; 10-600; required>
# Maximum delay.
max: <int; 15-900; required>
patches:
- name: <str; required; unique>
enabled: <bool>
# Must have exactly two connectors to a patch of which at least one must be of type "interface".
connectors: # 2-2 items
- id: <str; required; unique>
type: <str; "interface" | "pseudowire"; required>
# String with relevant endpoint depending on type.
# Examples:
# - "Ethernet1"
# - "Ethernet1 dot1q vlan 123"
# - "bgp vpws TENANT_A pseudowire VPWS_PW_1"
# - "ldp LDP_PW_1"
endpoint: <str; required>
Port-channel interfaces¶
Variable | Type | Required | Default | Value Restrictions | Description |
---|---|---|---|---|---|
port_channel_interfaces | List, items: Dictionary | ||||
- name | String | Required, Unique | |||
description | String | ||||
profile | String | Interface profile. | |||
logging | Dictionary | ||||
event | Dictionary | ||||
link_status | Boolean | ||||
storm_control_discards | Boolean | Discards due to storm-control. |
|||
shutdown | Boolean | ||||
l2_mtu | Integer | Min: 68 Max: 65535 |
“l2_mtu” should only be defined for platforms supporting the “l2 mtu” CLI. |
||
l2_mru | Integer | Min: 68 Max: 65535 |
“l2_mru” should only be defined for platforms supporting the “l2 mru” CLI. |
||
vlans deprecated | String | List of switchport vlans as string. For a trunk port this would be a range like “1-200,300”. For an access port this would be a single vlan “123”. This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.access_vlan or switchport.trunk.allowed_vlan instead. |
|||
snmp_trap_link_change | Boolean | ||||
type deprecated | String | Valid Values: - routed - switched - l3dot1q - l2dot1q |
l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed. Interface will not be listed in device documentation, unless “type” is set. This key is deprecated. Support will be removed in AVD version 6.0.0. See here for details. |
||
encapsulation_dot1q_vlan deprecated | Integer | VLAN tag to configure on sub-interface.This key is deprecated. Support will be removed in AVD version 6.0.0. Use encapsulation_dot1q.vlan instead. | |||
encapsulation_dot1q | Dictionary | Warning: encapsulation_dot1q should not be combined with ethernet_interfaces[].type: l3dot1q or ethernet_interfaces[].type: l2dot1q . |
|||
vlan | Integer | Required | Min: 1 Max: 4094 |
VLAD ID. | |
inner_vlan | Integer | Min: 1 Max: 4094 |
Inner VLAN ID. This setting can only be applied to sub-interfaces on EOS. | ||
vrf | String | VRF name. | |||
encapsulation_vlan | Dictionary | This setting can only be applied to sub-interfaces on EOS. Warning: encapsulation_vlan should not be combined with ethernet_interfaces[].type: l3dot1q or ethernet_interfaces[].type: l2dot1q . |
|||
client | Dictionary | ||||
dot1q deprecated | Dictionary | This key is deprecated. Support will be removed in AVD version 6.0.0. | |||
vlan | Integer | Client VLAN ID. | |||
outer | Integer | Min: 1 Max: 4094 |
Client Outer VLAN ID. | ||
inner | Integer | Min: 1 Max: 4094 |
Client Inner VLAN ID. | ||
unmatched deprecated | Boolean | This key is deprecated. Support will be removed in AVD version 6.0.0. | |||
encapsulation | String | Valid Values: - dot1q - dot1ad - unmatched - untagged |
|||
vlan | Integer | Min: 1 Max: 4094 |
Client VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched . |
||
outer_vlan | Integer | Min: 1 Max: 4094 |
Client Outer VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched . |
||
inner_vlan | Integer | Min: 1 Max: 4094 |
Client Inner VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched . |
||
inner_encapsulation | String | Valid Values: - dot1q - dot1ad |
|||
network | Dictionary | Network encapsulation are all optional, and skipped if using client unmatched. | |||
dot1q deprecated | Dictionary | This key is deprecated. Support will be removed in AVD version 6.0.0. | |||
vlan | Integer | Min: 1 Max: 4094 |
Network VLAN ID. | ||
outer | Integer | Min: 1 Max: 4094 |
Network Outer VLAN ID. | ||
inner | Integer | Min: 1 Max: 4094 |
Network Inner VLAN ID. | ||
client deprecated | Boolean | This key is deprecated. Support will be removed in AVD version 6.0.0. | |||
encapsulation | String | Valid Values: - dot1q - dot1ad - client - client inner - untagged |
untagged (no encapsulation) is applicable for untagged client only.client and client inner (retain client encapsulation) is not applicable for untagged client. |
||
vlan | Integer | Min: 1 Max: 4094 |
Network VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client . |
||
outer_vlan | Integer | Min: 1 Max: 4094 |
Network outer VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client . |
||
inner_vlan | Integer | Min: 1 Max: 4094 |
Network inner VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client . |
||
inner_encapsulation | String | Valid Values: - dot1q - dot1ad |
|||
vlan_id | Integer | Min: 1 Max: 4094 |
This setting can only be applied to sub-interfaces on EOS. Warning: vlan_id should not be combined with ethernet_interfaces[].type == l2dot1q . |
||
mode deprecated | String | Valid Values: - access - dot1q-tunnel - trunk - trunk phone |
This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.mode instead. | ||
native_vlan deprecated | Integer | If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.native_vlan instead. | |||
native_vlan_tag deprecated | Boolean | If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.native_vlan_tag instead. | |||
link_tracking_groups | List, items: Dictionary | ||||
- name | String | Required, Unique | Group name. | ||
direction | String | Valid Values: - upstream - downstream |
|||
link_tracking | Dictionary | ||||
direction | String | Valid Values: - upstream - downstream |
|||
groups | List, items: String | Link state group(s) an interface belongs to. | |||
- <str> | String | Group names. | |||
phone deprecated | Dictionary | This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.phone instead. | |||
trunk | String | Valid Values: - tagged - untagged |
|||
vlan | Integer | Min: 1 Max: 4094 |
|||
l2_protocol | Dictionary | ||||
encapsulation_dot1q_vlan | Integer | Vlan tag to configure on sub-interface. | |||
forwarding_profile | String | L2 protocol forwarding profile. | |||
mtu | Integer | Min: 68 Max: 65535 |
|||
mlag | Integer | Min: 1 Max: 2000 |
MLAG ID. | ||
trunk_groups deprecated | List, items: String | This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.groups instead. | |||
- <str> | String | ||||
lacp_fallback_timeout | Integer | Min: 0 Max: 300 |
Timeout in seconds. EOS default is 90 seconds. | ||
lacp_fallback_mode | String | Valid Values: - individual - static |
|||
qos | Dictionary | ||||
trust | String | Valid Values: - dscp - cos - disabled |
|||
dscp | Integer | DSCP value. | |||
cos | Integer | COS value. | |||
bfd | Dictionary | ||||
echo | Boolean | ||||
interval | Integer | Interval in milliseconds. | |||
min_rx | Integer | Rate in milliseconds. | |||
multiplier | Integer | Min: 3 Max: 50 |
|||
neighbor | String | IPv4 or IPv6 address. When the Port-channel is a L2 interface, a local L3 BFD address (router_bfd.local_address) has to be defined globally on the switch. | |||
per_link | Dictionary | ||||
enabled | Boolean | ||||
rfc_7130 | Boolean | ||||
service_policy | Dictionary | ||||
pbr | Dictionary | ||||
input | String | Policy Based Routing Policy-map name. | |||
qos | Dictionary | ||||
input | String | Required | Quality of Service Policy-map name. | ||
mpls | Dictionary | ||||
ip | Boolean | ||||
ldp | Dictionary | ||||
interface | Boolean | ||||
igp_sync | Boolean | ||||
trunk_private_vlan_secondary deprecated | Boolean | This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.private_vlan_secondary instead. | |||
pvlan_mapping deprecated | String | List of vlans as string.This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.pvlan_mapping instead. | |||
vlan_translations deprecated | List, items: Dictionary | This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.vlan_translations instead. | |||
- from | String | List of vlans as string (only one vlan if direction is “both”). | |||
to | Integer | VLAN ID. | |||
direction | String | both |
Valid Values: - in - out - both |
||
shape | Dictionary | ||||
rate | String | Rate in kbps, pps or percent. Supported options are platform dependent. Examples: - “5000 kbps” - “1000 pps” - “20 percent” |
|||
storm_control | Dictionary | ||||
all | Dictionary | ||||
level | String | Configure maximum storm-control level. | |||
unit | String | percent |
Valid Values: - percent - pps |
Optional field and is hardware dependent. | |
broadcast | Dictionary | ||||
level | String | Configure maximum storm-control level. | |||
unit | String | percent |
Valid Values: - percent - pps |
Optional field and is hardware dependent. | |
multicast | Dictionary | ||||
level | String | Configure maximum storm-control level. | |||
unit | String | percent |
Valid Values: - percent - pps |
Optional field and is hardware dependent. | |
unknown_unicast | Dictionary | ||||
level | String | Configure maximum storm-control level. | |||
unit | String | percent |
Valid Values: - percent - pps |
Optional field and is hardware dependent. | |
ip_proxy_arp | Boolean | ||||
isis_enable | String | ISIS instance. | |||
isis_bfd | Boolean | Enable BFD for ISIS. | |||
isis_passive | Boolean | ||||
isis_metric | Integer | ||||
isis_network_point_to_point | Boolean | ||||
isis_circuit_type | String | Valid Values: - level-1-2 - level-1 - level-2 |
|||
isis_hello_padding | Boolean | ||||
isis_authentication_mode deprecated | String | Valid Values: - text - md5 |
This key is deprecated. Support will be removed in AVD version v6.0.0. Use port_channel_interfaces[].isis_authentication.both.mode or port_channel_interfaces[].isis_authentication.level_1.mode or port_channel_interfaces[].isis_authentication.level_2.mode instead. | ||
isis_authentication_key deprecated | String | Type-7 encrypted password.This key is deprecated. Support will be removed in AVD version v6.0.0. Use port_channel_interfaces[].isis_authentication.both.key or port_channel_interfaces[].isis_authentication.level_1.key or port_channel_interfaces[].isis_authentication.level_2.key instead. | |||
isis_authentication | Dictionary | This key should not be mixed with port_channel_interfaces[].isis_authentication_mode or ethernet_interfaces[].isis_authentication_key. | |||
both | Dictionary | Authentication settings for level-1 and level-2. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings. | |||
key_type | String | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | ||
key | String | Password string. key_type is required for this setting. |
|||
key_ids | List, items: Dictionary | ||||
- id | Integer | Required, Unique | Min: 1 Max: 65535 |
Configure authentication key-id. | |
algorithm | String | Required | Valid Values: - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
key_type | String | Required | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | |
key | String | Required | Password string. | ||
rfc_5310 | Boolean | SHA digest computation according to rfc5310. | |||
mode | String | Valid Values: - md5 - sha - text - shared-secret |
Authentication mode. | ||
sha | Dictionary | Required settings for authentication mode ‘sha’. | |||
key_id | Integer | Required | Min: 1 Max: 65535 |
||
shared_secret | Dictionary | Required settings for authentication mode ‘shared_secret’. | |||
profile | String | Required | |||
algorithm | String | Required | Valid Values: - md5 - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
rx_disabled | Boolean | Disable authentication check on the receive side. | |||
level_1 | Dictionary | Authentication settings for level-1. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings. | |||
key_type | String | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | ||
key | String | Password string. key_type is required for this setting. |
|||
key_ids | List, items: Dictionary | ||||
- id | Integer | Required, Unique | Min: 1 Max: 65535 |
Configure authentication key-id. | |
algorithm | String | Required | Valid Values: - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
key_type | String | Required | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | |
key | String | Required | Password string. | ||
rfc_5310 | Boolean | SHA digest computation according to rfc5310. | |||
mode | String | Valid Values: - md5 - sha - text - shared-secret |
Authentication mode. | ||
sha | Dictionary | Required settings for authentication mode ‘sha’. | |||
key_id | Integer | Required | Min: 1 Max: 65535 |
||
shared_secret | Dictionary | Required settings for authentication mode ‘shared_secret’. | |||
profile | String | Required | |||
algorithm | String | Required | Valid Values: - md5 - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
rx_disabled | Boolean | Disable authentication check on the receive side. | |||
level_2 | Dictionary | Authentication settings for level-2. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings. | |||
key_type | String | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | ||
key | String | Password string. key_type is required for this setting. |
|||
key_ids | List, items: Dictionary | ||||
- id | Integer | Required, Unique | Min: 1 Max: 65535 |
Configure authentication key-id. | |
algorithm | String | Required | Valid Values: - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
key_type | String | Required | Valid Values: - 0 - 7 - 8a |
Configure authentication key type. | |
key | String | Required | Password string. | ||
rfc_5310 | Boolean | SHA digest computation according to rfc5310. | |||
mode | String | Valid Values: - md5 - sha - text - shared-secret |
Authentication mode. | ||
sha | Dictionary | Required settings for authentication mode ‘sha’. | |||
key_id | Integer | Required | Min: 1 Max: 65535 |
||
shared_secret | Dictionary | Required settings for authentication mode ‘shared_secret’. | |||
profile | String | Required | |||
algorithm | String | Required | Valid Values: - md5 - sha-1 - sha-224 - sha-256 - sha-384 - sha-512 |
||
rx_disabled | Boolean | Disable authentication check on the receive side. | |||
traffic_policy | Dictionary | ||||
input | String | Ingress traffic policy. | |||
output | String | Egress traffic policy. | |||
evpn_ethernet_segment | Dictionary | ||||
identifier | String | EVPN Ethernet Segment Identifier (Type 1 format). | |||
redundancy | String | Valid Values: - all-active - single-active |
|||
designated_forwarder_election | Dictionary | ||||
algorithm | String | Valid Values: - modulus - preference |
|||
preference_value | Integer | Min: 0 Max: 65535 |
Preference_value is only used when “algorithm” is “preference”. | ||
dont_preempt | Boolean | False |
Dont_preempt is only used when “algorithm” is “preference”. | ||
hold_time | Integer | ||||
subsequent_hold_time | Integer | ||||
candidate_reachability_required | Boolean | ||||
mpls | Dictionary | ||||
shared_index | Integer | Min: 1 Max: 1024 |
|||
tunnel_flood_filter_time | Integer | ||||
route_target | String | EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx. | |||
lacp_id | String | LACP ID with format xxxx.xxxx.xxxx. | |||
spanning_tree_bpdufilter | String | Valid Values: - enabled - disabled - True - False - true - false |
|||
spanning_tree_bpduguard | String | Valid Values: - enabled - disabled - True - False - true - false |
|||
spanning_tree_guard | String | Valid Values: - loop - root - disabled |
|||
spanning_tree_portfast | String | Valid Values: - edge - network |
|||
vmtracer | Boolean | ||||
ptp | Dictionary | ||||
enable | Boolean | ||||
announce | Dictionary | ||||
interval | Integer | ||||
timeout | Integer | ||||
delay_req | Integer | ||||
delay_mechanism | String | Valid Values: - e2e - p2p |
|||
profile | Dictionary | ||||
g8275_1 | Dictionary | ||||
destination_mac_address | String | Valid Values: - forwardable - non-forwardable |
|||
sync_message | Dictionary | ||||
interval | Integer | ||||
role | String | Valid Values: - master - dynamic |
|||
vlan | String | VLAN can be ‘all’ or list of vlans as string. | |||
transport | String | Valid Values: - ipv4 - ipv6 - layer2 |
|||
mpass | Boolean | When MPASS is enabled on an MLAG port-channel, MLAG peers coordinate to function as a single PTP logical device. Arista PTP enabled devices always place PTP messages on the same physical link within the port-channel. Hence, MPASS is needed only on MLAG port-channels connected to non-Arista devices. |
|||
ip_address | String | IPv4 address/mask. | |||
ip_verify_unicast_source_reachable_via | String | Valid Values: - any - rx |
|||
ip_nat | Dictionary | ||||
destination | Dictionary | ||||
dynamic | List, items: Dictionary | ||||
- access_list | String | Required, Unique | |||
comment | String | ||||
pool_name | String | Required | |||
priority | Integer | Min: 0 Max: 4294967295 |
|||
static | List, items: Dictionary | ||||
- access_list | String | ‘access_list’ and ‘group’ are mutual exclusive. | |||
comment | String | ||||
direction | String | Valid Values: - egress - ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutual exclusive. | ||
original_ip | String | IPv4 address. The combination of original_ip and original_port must be unique. |
|||
original_port | Integer | Min: 1 Max: 65535 |
TCP/UDP port. The combination of original_ip and original_port must be unique. |
||
priority | Integer | Min: 0 Max: 4294967295 |
|||
protocol | String | Valid Values: - udp - tcp |
|||
translated_ip | String | Required | IPv4 address. | ||
translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’. | ||
source | Dictionary | ||||
dynamic | List, items: Dictionary | ||||
- access_list | String | Required, Unique | |||
comment | String | ||||
nat_type | String | Required | Valid Values: - overload - pool - pool-address-only - pool-full-cone |
||
pool_name | String | required if ‘nat_type’ is pool, pool-address-only or pool-full-cone. ignored if ‘nat_type’ is overload. |
|||
priority | Integer | Min: 0 Max: 4294967295 |
|||
static | List, items: Dictionary | ||||
- access_list | String | ‘access_list’ and ‘group’ are mutual exclusive. | |||
comment | String | ||||
direction | String | Valid Values: - egress - ingress |
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform. EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW. |
||
group | Integer | Min: 1 Max: 65535 |
‘access_list’ and ‘group’ are mutual exclusive. | ||
original_ip | String | IPv4 address. The combination of original_ip and original_port must be unique. |
|||
original_port | Integer | Min: 1 Max: 65535 |
TCP/UDP port. The combination of original_ip and original_port must be unique. |
||
priority | Integer | Min: 0 Max: 4294967295 |
|||
protocol | String | Valid Values: - udp - tcp |
|||
translated_ip | String | Required | IPv4 address. | ||
translated_port | Integer | Min: 1 Max: 65535 |
requires ‘original_port’. | ||
ipv6_enable | Boolean | ||||
ipv6_address | String | IPv6 address/mask. | |||
ipv6_address_link_local | String | Link local IPv6 address/mask. | |||
ipv6_nd_ra_disabled | Boolean | ||||
ipv6_nd_managed_config_flag | Boolean | ||||
ipv6_nd_prefixes | List, items: Dictionary | ||||
- ipv6_prefix | String | Required, Unique | |||
valid_lifetime | String | Infinite or lifetime in seconds. | |||
preferred_lifetime | String | Infinite or lifetime in seconds. | |||
no_autoconfig_flag | Boolean | ||||
access_group_in | String | Access list name. | |||
access_group_out | String | Access list name. | |||
ipv6_access_group_in | String | IPv6 access list name. | |||
ipv6_access_group_out | String | IPv6 access list name. | |||
mac_access_group_in | String | MAC access list name. | |||
mac_access_group_out | String | MAC access list name. | |||
pim | Dictionary | ||||
ipv4 | Dictionary | ||||
border_router | Boolean | Configure PIM border router. EOS default is false. | |||
dr_priority | Integer | Min: 0 Max: 429467295 |
|||
sparse_mode | Boolean | ||||
bfd | Boolean | Set the default for whether Bidirectional Forwarding Detection is enabled for PIM. | |||
bidirectional | Boolean | ||||
hello | Dictionary | ||||
count | String | Number of missed hellos after which the neighbor expires. Range <1.5-65535>. | |||
interval | Integer | Min: 1 Max: 65535 |
PIM hello interval in seconds. | ||
service_profile | String | QOS profile. | |||
ospf_network_point_to_point | Boolean | ||||
ospf_area | String | ||||
ospf_cost | Integer | ||||
ospf_authentication | String | Valid Values: - none - simple - message-digest |
|||
ospf_authentication_key | String | Encrypted password. | |||
ospf_message_digest_keys | List, items: Dictionary | ||||
- id | Integer | Required, Unique | |||
hash_algorithm | String | Valid Values: - md5 - sha1 - sha256 - sha384 - sha512 |
|||
key | String | Encrypted password. | |||
flow_tracker | Dictionary | ||||
sampled | String | Sampled flow tracker name. | |||
hardware | String | Hardware flow tracker name. | |||
bgp | Dictionary | ||||
session_tracker | String | Name of session tracker. | |||
ip_igmp_host_proxy | Dictionary | ||||
enabled | Boolean | ||||
groups | List, items: Dictionary | ||||
- group | String | Required, Unique | Multicast Address. | ||
exclude | List, items: Dictionary | The same source must not be present both in exclude and include list. |
|||
- source | String | Required, Unique | |||
include | List, items: Dictionary | The same source must not be present both in exclude and include list. |
|||
- source | String | Required, Unique | |||
report_interval | Integer | Min: 1 Max: 31744 |
Time interval between unsolicited reports. | ||
access_lists | List, items: Dictionary | Non-standard Access List name. | |||
- name | String | Required, Unique | |||
version | Integer | Min: 1 Max: 3 |
IGMP version on IGMP host-proxy interface. | ||
peer | String | Key only used for documentation or validation purposes. | |||
peer_interface | String | Key only used for documentation or validation purposes. | |||
peer_type | String | Key only used for documentation or validation purposes. | |||
sflow | Dictionary | ||||
enable | Boolean | ||||
egress | Dictionary | ||||
enable | Boolean | ||||
unmodified_enable | Boolean | ||||
switchport | Dictionary | ||||
enabled | Boolean | Warning: This should not be combined with port_channel_interfaces[].type = routed . |
|||
mode | String | Valid Values: - access - dot1q-tunnel - trunk - trunk phone |
Warning: This should not be combined with port_channel_interfaces[].mode |
||
access_vlan | Integer | Min: 1 Max: 4094 |
Set VLAN when interface is in access mode. Warning: This should not be combined with port_channel_interfaces[].mode = access/dot1q-tunnel and port_channel_interface.vlans . |
||
trunk | Dictionary | ||||
allowed_vlan | String | VLAN ID or range(s) of VLAN IDs (1-4094). Warning: This should not be combined with port_channel_interfaces[].mode = trunk and port_channel_interfaces[].vlans . |
|||
native_vlan | Integer | Min: 1 Max: 4094 |
Set native VLAN when interface is in trunking mode. Warning: This should not be combined with port_channel_interfaces[].native_vlan . |
||
native_vlan_tag | Boolean | If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence. Warning: This should not be combined with port_channel_interfaces[].native_vlan_tag . |
|||
private_vlan_secondary | Boolean | Enable secondary VLAN mapping for a private vlan. Warning: This should not be combined with port_channel_interfaces[].trunk_private_vlan_secondary . |
|||
groups | List, items: String | Warning: This should not be combined with port_channel_interfaces[].trunk_groups . |
|||
- <str> | String | Trunk group name. | |||
phone | Dictionary | ||||
vlan | Integer | Min: 1 Max: 4094 |
Warning: This should not be combined with port_channel_interfaces[].phone.vlan . |
||
trunk | String | Valid Values: - tagged - tagged phone - untagged - untagged phone |
Warning: This should not be combined with port_channel_interfaces[].phone.trunk |
||
pvlan_mapping | String | Secondary VLAN IDs of the private VLAN mapping. Warning: This should not be combined with port_channel_interfaces[].pvlan_mapping . |
|||
dot1q | Dictionary | ||||
ethertype | Integer | Min: 1536 Max: 65535 |
Ethertype/TPID (Tag Protocol IDentifier) for VLAN tagged frames. | ||
vlan_tag | String | Valid Values: - disallowed - required |
|||
source_interface | String | Valid Values: - tx - tx multicast |
tx: Allow bridged traffic to go out of the source interface. tx multicast: Allow multicast traffic only to go out of the source interface. |
||
vlan_translations | Dictionary | VLAN Translation mappings. Warning: This should not be combined with port_channel_interfaces[].vlan_translations . |
|||
in_required | Boolean | Drop the ingress traffic that do not match any VLAN mapping. | |||
out_required | Boolean | Drop the egress traffic that do not match any VLAN mapping. | |||
direction_in | List, items: Dictionary | Map ingress traffic only. | |||
- from | String | VLAN ID or range of VLAN IDs to map from. Range 1-4094. | |||
to | Integer | Min: 1 Max: 4094 |
VLAN ID to map to. | ||
dot1q_tunnel | Boolean | ||||
inner_vlan_from | Integer | Min: 1 Max: 4094 |
Inner VLAN ID to map from. | ||
direction_out | List, items: Dictionary | Map egress traffic only. | |||
- from | String | Required | VLAN ID or range of VLAN IDs to map from. Range 1-4094. | ||
to | Integer | Min: 1 Max: 4094 |
VLAN ID to map to. | ||
dot1q_tunnel_to | String | VLAN ID or range of VLAN IDs or “all”. Range 1-4094. This takes precedence over to and inner_vlan_to . |
|||
inner_vlan_to | Integer | Min: 1 Max: 4094 |
Inner VLAN ID to map to. | ||
direction_both | List, items: Dictionary | Map both egress and ingress traffic. | |||
- from | String | Required | VLAN ID or range of VLAN IDs to map from. Range 1-4094. | ||
to | Integer | Required | Min: 1 Max: 4094 |
VLAN ID to map to. | |
dot1q_tunnel | Boolean | ||||
inner_vlan_from | Integer | Min: 1 Max: 4094 |
Inner VLAN ID to map from. | ||
network | Boolean | Enable use of network-side VLAN ID. This setting can only be enabled when inner_vlan_from is defined. |
|||
vlan_forwarding_accept_all | Boolean | ||||
backup_link | Dictionary | ||||
interface | String | Required | Backup interface. Example - Ethernet4, Vlan10 etc. | ||
prefer_vlan | String | VLANs to carry on the backup interface (1-4094). | |||
backup | Dictionary | The backup_link is required for this setting. |
|||
dest_macaddr | String | Format: mac | Destination MAC address for MAC move updates. The mac address should be multicast or broadcast. Example: 01:00:00:00:00:00 |
||
initial_mac_move_delay | Integer | Min: 0 Max: 65535 |
Initial MAC move delay in milliseconds. | ||
mac_move_burst | Integer | Min: 0 Max: 65535 |
Size of MAC move bursts. | ||
mac_move_burst_interval | Integer | Min: 0 Max: 65535 |
MAC move burst interval in milliseconds. | ||
preemption_delay | Integer | Min: 0 Max: 65535 |
Preemption delay in milliseconds. | ||
port_security | Dictionary | ||||
enabled | Boolean | ||||
mac_address_maximum | Dictionary | Maximum number of MAC addresses allowed on the interface. | |||
disabled | Boolean | Disable port level check for port security (only in violation ‘shutdown’ mode). | |||
limit | Integer | Min: 1 Max: 1000 |
MAC address limit. | ||
violation | Dictionary | Configure violation mode (shutdown or protect), EOS default is ‘shutdown’. | |||
mode | String | Valid Values: - shutdown - protect |
Configure port security mode. | ||
protect_log | Boolean | Log new addresses seen after limit is reached in protect mode. | |||
vlan_default_mac_address_maximum | Integer | Min: 0 Max: 1000 |
Default maximum MAC addresses for all VLANs on this interface. | ||
vlans | List, items: Dictionary | ||||
- range | String | Required, Unique | VLAN ID or range(s) of VLAN IDs, <1-4094>. Example: - 3 - 1,3 - 1-10 |
||
mac_address_maximum | Integer | ||||
validate_state | Boolean | Set to false to disable interface state and LLDP topology validation performed by the eos_validate_state role. |
|||
validate_lldp | Boolean | Set to false to disable the LLDP topology validation performed by the eos_validate_state role. |
|||
eos_cli | String | Multiline EOS CLI rendered directly on the port-channel interface in the final EOS configuration. | |||
esi removed | String | EVPN Ethernet Segment Identifier (Type 1 format). This key was removed. Support was removed in AVD version 5.0.0. Use evpn_ethernet_segment.identifier instead. |
|||
rt removed | String | EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx. This key was removed. Support was removed in AVD version 5.0.0. Use evpn_ethernet_segment.route_target instead. |
port_channel_interfaces:
- name: <str; required; unique>
description: <str>
# Interface profile.
profile: <str>
logging:
event:
link_status: <bool>
# Discards due to storm-control.
storm_control_discards: <bool>
shutdown: <bool>
# "l2_mtu" should only be defined for platforms supporting the "l2 mtu" CLI.
l2_mtu: <int; 68-65535>
# "l2_mru" should only be defined for platforms supporting the "l2 mru" CLI.
l2_mru: <int; 68-65535>
# List of switchport vlans as string.
# For a trunk port this would be a range like "1-200,300".
# For an access port this would be a single vlan "123".
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.access_vlan or switchport.trunk.allowed_vlan</samp> instead.
vlans: <str>
snmp_trap_link_change: <bool>
# l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
# Interface will not be listed in device documentation, unless "type" is set.
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# See [here](https://avd.arista.com/5.x/docs/porting-guides/5.x.x.html#removal-of-type-key-dependency-for-rendering-ethernetport-channel-interfaces-configuration-and-documentation) for details.
type: <str; "routed" | "switched" | "l3dot1q" | "l2dot1q">
# VLAN tag to configure on sub-interface.
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>encapsulation_dot1q.vlan</samp> instead.
encapsulation_dot1q_vlan: <int>
# Warning: `encapsulation_dot1q` should not be combined with `ethernet_interfaces[].type: l3dot1q` or `ethernet_interfaces[].type: l2dot1q`.
encapsulation_dot1q:
# VLAD ID.
vlan: <int; 1-4094; required>
# Inner VLAN ID. This setting can only be applied to sub-interfaces on EOS.
inner_vlan: <int; 1-4094>
# VRF name.
vrf: <str>
# This setting can only be applied to sub-interfaces on EOS.
# Warning: `encapsulation_vlan` should not be combined with `ethernet_interfaces[].type: l3dot1q` or `ethernet_interfaces[].type: l2dot1q`.
encapsulation_vlan:
client:
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
dot1q:
# Client VLAN ID.
vlan: <int>
# Client Outer VLAN ID.
outer: <int; 1-4094>
# Client Inner VLAN ID.
inner: <int; 1-4094>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
unmatched: <bool>
encapsulation: <str; "dot1q" | "dot1ad" | "unmatched" | "untagged">
# Client VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
vlan: <int; 1-4094>
# Client Outer VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
outer_vlan: <int; 1-4094>
# Client Inner VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
inner_vlan: <int; 1-4094>
inner_encapsulation: <str; "dot1q" | "dot1ad">
# Network encapsulation are all optional, and skipped if using client unmatched.
network:
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
dot1q:
# Network VLAN ID.
vlan: <int; 1-4094>
# Network Outer VLAN ID.
outer: <int; 1-4094>
# Network Inner VLAN ID.
inner: <int; 1-4094>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
client: <bool>
# `untagged` (no encapsulation) is applicable for `untagged` client only.
# `client` and `client inner` (retain client encapsulation) is not applicable for `untagged` client.
encapsulation: <str; "dot1q" | "dot1ad" | "client" | "client inner" | "untagged">
# Network VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
vlan: <int; 1-4094>
# Network outer VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
outer_vlan: <int; 1-4094>
# Network inner VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
inner_vlan: <int; 1-4094>
inner_encapsulation: <str; "dot1q" | "dot1ad">
# This setting can only be applied to sub-interfaces on EOS.
# Warning: `vlan_id` should not be combined with `ethernet_interfaces[].type == l2dot1q`.
vlan_id: <int; 1-4094>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.mode</samp> instead.
mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">
# If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.trunk.native_vlan</samp> instead.
native_vlan: <int>
# If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.trunk.native_vlan_tag</samp> instead.
native_vlan_tag: <bool>
link_tracking_groups:
# Group name.
- name: <str; required; unique>
direction: <str; "upstream" | "downstream">
link_tracking:
direction: <str; "upstream" | "downstream">
# Link state group(s) an interface belongs to.
groups:
# Group names.
- <str>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.phone</samp> instead.
phone:
trunk: <str; "tagged" | "untagged">
vlan: <int; 1-4094>
l2_protocol:
# Vlan tag to configure on sub-interface.
encapsulation_dot1q_vlan: <int>
# L2 protocol forwarding profile.
forwarding_profile: <str>
mtu: <int; 68-65535>
# MLAG ID.
mlag: <int; 1-2000>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.trunk.groups</samp> instead.
trunk_groups:
- <str>
# Timeout in seconds. EOS default is 90 seconds.
lacp_fallback_timeout: <int; 0-300>
lacp_fallback_mode: <str; "individual" | "static">
qos:
trust: <str; "dscp" | "cos" | "disabled">
# DSCP value.
dscp: <int>
# COS value.
cos: <int>
bfd:
echo: <bool>
# Interval in milliseconds.
interval: <int>
# Rate in milliseconds.
min_rx: <int>
multiplier: <int; 3-50>
# IPv4 or IPv6 address. When the Port-channel is a L2 interface, a local L3 BFD address (router_bfd.local_address) has to be defined globally on the switch.
neighbor: <str>
per_link:
enabled: <bool>
rfc_7130: <bool>
service_policy:
pbr:
# Policy Based Routing Policy-map name.
input: <str>
qos:
# Quality of Service Policy-map name.
input: <str; required>
mpls:
ip: <bool>
ldp:
interface: <bool>
igp_sync: <bool>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.trunk.private_vlan_secondary</samp> instead.
trunk_private_vlan_secondary: <bool>
# List of vlans as string.
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.pvlan_mapping</samp> instead.
pvlan_mapping: <str>
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use <samp>switchport.vlan_translations</samp> instead.
vlan_translations:
# List of vlans as string (only one vlan if direction is "both").
- from: <str>
# VLAN ID.
to: <int>
direction: <str; "in" | "out" | "both"; default="both">
shape:
# Rate in kbps, pps or percent.
# Supported options are platform dependent.
# Examples:
# - "5000 kbps"
# - "1000 pps"
# - "20 percent"
rate: <str>