Input variables for eos_cli_config_gen

This document describes the supported input variables for the role arista.avd.eos_cli_config_gen.

Since several data models have changed between AVD versions 4.x and 5.x, it is recommended to study the Porting Guide for AVD 5.x.x for existing deployments.

The input variables are documented below in tables and YAML.

All values are optional.

Note

All input variables are validated by a schema. If additional custom keys are desired, any key starting with an underscore (_) will be ignored.

Warning

Available features and variables may vary by platform; refer to the documentation on arista.com for specifics.

Authentication

AAA accounting

Variable Type Required Default Value Restrictions Description
aaa_accounting Dictionary
  exec Dictionary
    console Dictionary
      type String Valid Values:
- none
- start-stop
- stop-only
      group String Group Name.
      logging Boolean
    default Dictionary
      type String Valid Values:
- none
- start-stop
- stop-only
      group String Group Name.
      logging Boolean
  system Dictionary
    default Dictionary
      type String Valid Values:
- none
- start-stop
- stop-only
      group String Group Name.
  dot1x Dictionary
    default Dictionary
      type String Valid Values:
- start-stop
- stop-only
      group String Group Name.
  commands Dictionary
    console List, items: Dictionary
      - commands String Privilege level ‘all’ or 0-15.
        type String Valid Values:
- none
- start-stop
- stop-only
        group String Group Name.
        logging Boolean
    default List, items: Dictionary
      - commands String Privilege level ‘all’ or 0-15.
        type String Valid Values:
- none
- start-stop
- stop-only
        group String Group Name.
        logging Boolean
aaa_accounting:
  exec:
    console:
      type: <str; "none" | "start-stop" | "stop-only">

      # Group Name.
      group: <str>
      logging: <bool>
    default:
      type: <str; "none" | "start-stop" | "stop-only">

      # Group Name.
      group: <str>
      logging: <bool>
  system:
    default:
      type: <str; "none" | "start-stop" | "stop-only">

      # Group Name.
      group: <str>
  dot1x:
    default:
      type: <str; "start-stop" | "stop-only">

      # Group Name.
      group: <str>
  commands:
    console:

        # Privilege level 'all' or 0-15.
      - commands: <str>
        type: <str; "none" | "start-stop" | "stop-only">

        # Group Name.
        group: <str>
        logging: <bool>
    default:

        # Privilege level 'all' or 0-15.
      - commands: <str>
        type: <str; "none" | "start-stop" | "stop-only">

        # Group Name.
        group: <str>
        logging: <bool>

AAA authentication

Variable Type Required Default Value Restrictions Description
aaa_authentication Dictionary
  login Dictionary
    default String Login authentication method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group radius group MYGROUP local”
    console String Console authentication method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group radius group MYGROUP local”
  enable Dictionary
    default String Enable authentication method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group radius group MYGROUP local”
  dot1x Dictionary
    default String 802.1x authentication method(s) as a string.
Examples:
- “group radius”
- “group MYGROUP group radius”
  policies Dictionary
    on_failure_log Boolean
    on_success_log Boolean
    local Dictionary
      allow_nopassword Boolean
    lockout Dictionary
      failure Integer Min: 1
Max: 255
      duration Integer Min: 1
Max: 4294967295
      window Integer Min: 1
Max: 4294967295
aaa_authentication:
  login:

    # Login authentication method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    default: <str>

    # Console authentication method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    console: <str>
  enable:

    # Enable authentication method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    default: <str>
  dot1x:

    # 802.1x authentication method(s) as a string.
    # Examples:
    # - "group radius"
    # - "group MYGROUP group radius"
    default: <str>
  policies:
    on_failure_log: <bool>
    on_success_log: <bool>
    local:
      allow_nopassword: <bool>
    lockout:
      failure: <int; 1-255>
      duration: <int; 1-4294967295>
      window: <int; 1-4294967295>

AAA authorization

Variable Type Required Default Value Restrictions Description
aaa_authorization Dictionary
  policy Dictionary
    local_default_role String
  exec Dictionary
    default String Exec authorization method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group radius group MYGROUP local”
  config_commands Boolean
  serial_console Boolean
  dynamic Dictionary
    dot1x_additional_groups List, items: String Min Length: 1
      - <str> String
  commands Dictionary
    all_default String Command authorization method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group tacacs+ group MYGROUP local”
    privilege List, items: Dictionary
      - level String Privilege level(s) 0-15.
        default String Command authorization method(s) as a string.
Examples:
- “group tacacs+ local”
- “group MYGROUP none”
- “group tacacs+ group MYGROUP local”
aaa_authorization:
  policy:
    local_default_role: <str>
  exec:

    # Exec authorization method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group radius group MYGROUP local"
    default: <str>
  config_commands: <bool>
  serial_console: <bool>
  dynamic:
    dot1x_additional_groups: # >=1 items
      - <str>
  commands:

    # Command authorization method(s) as a string.
    # Examples:
    # - "group tacacs+ local"
    # - "group MYGROUP none"
    # - "group tacacs+ group MYGROUP local"
    all_default: <str>
    privilege:

        # Privilege level(s) 0-15.
      - level: <str>

        # Command authorization method(s) as a string.
        # Examples:
        # - "group tacacs+ local"
        # - "group MYGROUP none"
        # - "group tacacs+ group MYGROUP local"
        default: <str>

AAA root

Variable Type Required Default Value Restrictions Description
aaa_root Dictionary
  disabled Boolean Set to true to configure no aaa root which is the EOS default.
  secret Dictionary
    sha512_password String
aaa_root:

  # Set to `true` to configure `no aaa root` which is the EOS default.
  disabled: <bool>
  secret:
    sha512_password: <str>

AAA server groups

Variable Type Required Default Value Restrictions Description
aaa_server_groups List, items: Dictionary
  - name String Required, Unique Group name.
    type String Valid Values:
- tacacs+
- radius
- ldap
    servers List, items: Dictionary
      - server String Hostname or IP address.
        vrf String VRF name.
aaa_server_groups:

    # Group name.
  - name: <str; required; unique>
    type: <str; "tacacs+" | "radius" | "ldap">
    servers:

        # Hostname or IP address.
      - server: <str>

        # VRF name.
        vrf: <str>

Enable password

Variable Type Required Default Value Restrictions Description
enable_password Dictionary
  disabled Boolean Set to true to configure no enable password which is the EOS default.
  hash_algorithm String Valid Values:
- md5
- sha512
  key String Must be the hash of the password using the specified algorithm.
By default EOS salts the password, so the simplest approach is to generate the hash on an EOS device.
enable_password:

  # Set to `true` to configure `no enable password` which is the EOS default.
  disabled: <bool>
  hash_algorithm: <str; "md5" | "sha512">

  # Must be the hash of the password using the specified algorithm.
  # By default EOS salts the password, so the simplest approach is to generate the hash on an EOS device.
  key: <str>

IP radius source-interfaces

Variable Type Required Default Value Restrictions Description
ip_radius_source_interfaces List, items: Dictionary
  - name String Interface Name.
    vrf String VRF Name.
ip_radius_source_interfaces:

    # Interface Name.
  - name: <str>

    # VRF Name.
    vrf: <str>

IP tacacs source-interfaces

Variable Type Required Default Value Restrictions Description
ip_tacacs_source_interfaces List, items: Dictionary
  - name String Interface name.
    vrf String
ip_tacacs_source_interfaces:

    # Interface name.
  - name: <str>
    vrf: <str>

Local users

Variable Type Required Default Value Restrictions Description
local_users List, items: Dictionary
  - name String Required, Unique Username.
    disabled Boolean If true, the user will be removed and all other settings are ignored.
Useful for removing the default “admin” user.
    privilege Integer Min: 0
Max: 15
Initial privilege level with local EXEC authorization.
    role String EOS RBAC Role to be assigned to the user such as “network-admin” or “network-operator”.
    sha512_password String SHA512 Hash of Password.
Must be the hash of the password. By default EOS salts the password with the username, so the simplest approach is to generate the hash on an EOS device using the same username.
    no_password Boolean If set, a password will not be configured for this user. “sha512_password” MUST not be defined for this user.
    ssh_key String
    secondary_ssh_key String
    shell String Valid Values:
- /bin/bash
- /bin/sh
- /sbin/nologin
Specify shell for the user.
local_users:

    # Username.
  - name: <str; required; unique>

    # If true, the user will be removed and all other settings are ignored.
    # Useful for removing the default "admin" user.
    disabled: <bool>

    # Initial privilege level with local EXEC authorization.
    privilege: <int; 0-15>

    # EOS RBAC Role to be assigned to the user such as "network-admin" or "network-operator".
    role: <str>

    # SHA512 Hash of Password.
    # Must be the hash of the password. By default EOS salts the password with the username, so the simplest approach is to generate the hash on an EOS device using the same username.
    sha512_password: <str>

    # If set, a password will not be configured for this user. "sha512_password" MUST not be defined for this user.
    no_password: <bool>
    ssh_key: <str>
    secondary_ssh_key: <str>

    # Specify shell for the user.
    shell: <str; "/bin/bash" | "/bin/sh" | "/sbin/nologin">

Radius server

Variable Type Required Default Value Restrictions Description
radius_server Dictionary
  attribute_32_include_in_access_req Dictionary
    hostname Boolean
    format String Specify the format of the NAS-Identifier. If ‘hostname’ is set, this is ignored.
  deadtime Integer Min: 1
Max: 1000
Time to skip a non-responsive server in minutes.
  dynamic_authorization Dictionary
    port Integer Min: 0
Max: 65535
TCP Port.
    tls_ssl_profile String Name of TLS profile.
  hosts List, items: Dictionary
    - host String Required, Unique Host IP address or name.
      vrf String
      tls Dictionary When TLS is configured, key is ignored.
        enabled Boolean Enable TLS for radius-server.
        ssl_profile String Name of TLS profile.
        port Integer Min: 0
Max: 65535
TCP Port used for TLS. EOS default is 2083.
      timeout Integer Min: 1
Max: 1000
      retransmit Integer Min: 0
Max: 100
      key String Encrypted key - only type 7 supported.
When TLS is configured, key is ignored.
  tls_ssl_profile String Name of global TLS profile.
radius_servers removed List This key was removed. Support was removed in AVD version v5.0.0. Use radius_server.hosts instead.
radius_server:
  attribute_32_include_in_access_req:
    hostname: <bool>

    # Specify the format of the NAS-Identifier. If 'hostname' is set, this is ignored.
    format: <str>

  # Time to skip a non-responsive server in minutes.
  deadtime: <int; 1-1000>
  dynamic_authorization:

    # TCP Port.
    port: <int; 0-65535>

    # Name of TLS profile.
    tls_ssl_profile: <str>
  hosts:

      # Host IP address or name.
    - host: <str; required; unique>
      vrf: <str>

      # When TLS is configured, `key` is ignored.
      tls:

        # Enable TLS for radius-server.
        enabled: <bool>

        # Name of TLS profile.
        ssl_profile: <str>

        # TCP Port used for TLS. EOS default is 2083.
        port: <int; 0-65535>
      timeout: <int; 1-1000>
      retransmit: <int; 0-100>

      # Encrypted key - only type 7 supported.
      # When TLS is configured, `key` is ignored.
      key: <str>

  # Name of global TLS profile.
  tls_ssl_profile: <str>

Roles

Variable Type Required Default Value Restrictions Description
roles List, items: Dictionary
  - name String Required, Unique Role name.
    sequence_numbers List, items: Dictionary
      - sequence Integer Sequence number.
        action String Valid Values:
- permit
- deny
        mode String “config”, “config-all”, “exec” or mode key as string.
        command String Command as string.
roles:

    # Role name.
  - name: <str; required; unique>
    sequence_numbers:

        # Sequence number.
      - sequence: <int>
        action: <str; "permit" | "deny">

        # "config", "config-all", "exec" or mode key as string.
        mode: <str>

        # Command as string.
        command: <str>

Tacacs servers

Variable Type Required Default Value Restrictions Description
tacacs_servers Dictionary
  timeout Integer Min: 1
Max: 1000
Timeout in seconds.
  hosts List, items: Dictionary
    - host String Host IP address or name.
      vrf String
      key String Encrypted key.
      key_type String 7 Valid Values:
- 0
- 7
- 8a
      single_connection Boolean
      timeout Integer Min: 1
Max: 1000
Timeout in seconds.
  policy_unknown_mandatory_attribute_ignore Boolean
tacacs_servers:

  # Timeout in seconds.
  timeout: <int; 1-1000>
  hosts:

      # Host IP address or name.
    - host: <str>
      vrf: <str>

      # Encrypted key.
      key: <str>
      key_type: <str; "0" | "7" | "8a"; default="7">
      single_connection: <bool>

      # Timeout in seconds.
      timeout: <int; 1-1000>
  policy_unknown_mandatory_attribute_ignore: <bool>
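
The authentication inputs above accept several settings that weaken device access control: a `none` method in an AAA method list, password-less local users, an `md5` enable hash, and TACACS+ keys of type `0`. The following audit is an added example, not part of AVD; the `SAMPLE` data, addresses and function names are constructed for illustration.

```python
# Added example (not AVD code): audit eos_cli_config_gen authentication inputs.
# SAMPLE is constructed and mirrors the YAML data models documented above.

def parse_methods(methods):
    """Split an AAA method string such as "group radius group MYGROUP local"
    into methods; the token after "group" is a group name, not a method."""
    tokens, parsed, i = (methods or "").split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            parsed.append(("group", tokens[i + 1]))
            i += 2
        else:
            parsed.append((tokens[i],))
            i += 1
    return parsed


def allows_no_auth(methods):
    """True when the method list contains the bare method "none"."""
    return ("none",) in parse_methods(methods)


def audit_auth(cfg):
    """Return (key_path, finding) tuples for weak authentication inputs."""
    findings, method_lists = [], []
    authn = cfg.get("aaa_authentication", {})
    for section, key in (("login", "default"), ("login", "console"),
                         ("enable", "default"), ("dot1x", "default")):
        method_lists.append((f"aaa_authentication.{section}.{key}",
                             authn.get(section, {}).get(key)))
    authz = cfg.get("aaa_authorization", {})
    commands = authz.get("commands", {})
    method_lists.append(("aaa_authorization.exec.default",
                         authz.get("exec", {}).get("default")))
    method_lists.append(("aaa_authorization.commands.all_default",
                         commands.get("all_default")))
    for item in commands.get("privilege", []):
        method_lists.append(
            (f"aaa_authorization.commands.privilege[{item.get('level')}].default",
             item.get("default")))
    for path, value in method_lists:
        if allows_no_auth(value):
            findings.append((path, f"method list {value!r} includes 'none'"))

    if authn.get("policies", {}).get("local", {}).get("allow_nopassword"):
        findings.append(("aaa_authentication.policies.local.allow_nopassword",
                         "password-less local login is permitted by policy"))

    enable = cfg.get("enable_password", {})
    if not enable.get("disabled") and enable.get("hash_algorithm") == "md5":
        findings.append(("enable_password.hash_algorithm",
                         "md5 hash; sha512 is the other documented value"))

    for user in cfg.get("local_users", []):
        # Per the page, a disabled user is removed and other keys are ignored.
        if user.get("no_password") and not user.get("disabled"):
            findings.append((f"local_users[{user.get('name')}].no_password",
                             "account is configured without a password"))

    for host in cfg.get("tacacs_servers", {}).get("hosts", []):
        # key_type defaults to "7" when omitted (documented default).
        if str(host.get("key_type", "7")) == "0":
            findings.append((f"tacacs_servers.hosts[{host.get('host')}].key_type",
                             "type 0 key is stored in cleartext"))
    return findings


# Constructed sample input; keys and placeholders are not real secrets.
SAMPLE = {
    "aaa_authentication": {
        "login": {"default": "group tacacs+ local",
                  "console": "group MYGROUP none"},
        "enable": {"default": "group tacacs+ local"},
        "policies": {"local": {"allow_nopassword": True}},
    },
    "aaa_authorization": {"commands": {
        "all_default": "group tacacs+ local",
        "privilege": [{"level": "15", "default": "group tacacs+ none"}]}},
    "enable_password": {"hash_algorithm": "md5", "key": "<placeholder>"},
    "local_users": [
        {"name": "admin", "disabled": True, "no_password": True},
        {"name": "ops", "privilege": 15, "no_password": True},
    ],
    "tacacs_servers": {"hosts": [
        {"host": "192.0.2.10", "key_type": "0", "key": "<placeholder>"},
        {"host": "192.0.2.11", "key": "<placeholder>"},
    ]},
}

if __name__ == "__main__":
    for path, finding in audit_auth(SAMPLE):
        print(f"{path}: {finding}")
```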

ACLs

IP Extended access-lists

AVD currently supports two different data models for extended ACLs:

  • The legacy access_lists data model, for compatibility with existing deployments
  • The improved ip_access_lists data model, for access to more EOS features

Both data models can coexist without conflicts, as different keys are used: access_lists vs ip_access_lists. Access list names must be unique.

The legacy data model supports simplified ACL definition with sequence to action mapping:

Variable Type Required Default Value Restrictions Description
access_lists List, items: Dictionary
  - name String Required, Unique Access-list Name.
    counters_per_entry Boolean
    permit_response_traffic String Valid Values:
- nat
Permit response traffic automatically based on NAT translations.
Minimum EOS version requirement 4.32.2F.
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “deny ip any any”
access_lists:

    # Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>

    # Permit response traffic automatically based on NAT translations.
    # Minimum EOS version requirement 4.32.2F.
    permit_response_traffic: <str; "nat">
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "deny ip any any"
        action: <str; required>

The improved data model has a more sophisticated design documented below:

Variable Type Required Default Value Restrictions Description
ip_access_lists List, items: Dictionary
  - name String Required, Unique Access-list Name.
    counters_per_entry Boolean
    entries List, items: Dictionary ACL Entries.
      - sequence Integer ACL entry sequence number.
        remark String Comment up to 100 characters.
If remark is defined, other keys in the ACL entry will be ignored.
        action String Valid Values:
- permit
- deny
ACL action.
Required except for remarks.
        protocol String “ip”, “tcp”, “udp”, “icmp” or other protocol name or number.
Required except for remarks.
        source String “any”, “<ip>/<mask>” or “<ip>”.
“<ip>” without a mask means host.
Required except for remarks.
        source_ports_match String eq Valid Values:
- eq
- gt
- lt
- neq
- range
        source_ports List, items: String Min Length: 1
          - <str> String TCP/UDP source port name or number.
        destination String “any”, “<ip>/<mask>” or “<ip>”.
“<ip>” without a mask means host.
Required except for remarks.
        destination_ports_match String eq Valid Values:
- eq
- gt
- lt
- neq
- range
        destination_ports List, items: String Min Length: 1
          - <str> String TCP/UDP destination port name or number.
        tcp_flags List, items: String
          - <str> String TCP Flag Name.
        fragments Boolean Match non-head fragment packets.
        log Boolean Log matches against this rule.
        ttl Integer Min: 0
Max: 255
TTL value.
        ttl_match String eq Valid Values:
- eq
- gt
- lt
- neq
        icmp_type String Message type name/number for ICMP packets.
        icmp_code String Message code for ICMP packets.
        nexthop_group String nexthop-group name.
        tracked Boolean Match packets in existing ICMP/UDP/TCP connections.
        dscp String DSCP value or name.
        vlan_number Integer
        vlan_inner Boolean False
        vlan_mask String 0x000-0xFFF VLAN mask.
    permit_response_traffic String Valid Values:
- nat
Permit response traffic automatically based on NAT translations.
Minimum EOS version requirement 4.32.2F.
ip_access_lists:

    # Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>

    # ACL Entries.
    entries:

        # ACL entry sequence number.
      - sequence: <int>

        # Comment up to 100 characters.
        # If remark is defined, other keys in the ACL entry will be ignored.
        remark: <str>

        # ACL action.
        # Required except for remarks.
        action: <str; "permit" | "deny">

        # "ip", "tcp", "udp", "icmp" or other protocol name or number.
        # Required except for remarks.
        protocol: <str>

        # "any", "<ip>/<mask>" or "<ip>".
        # "<ip>" without a mask means host.
        # Required except for remarks.
        source: <str>
        source_ports_match: <str; "eq" | "gt" | "lt" | "neq" | "range"; default="eq">
        source_ports: # >=1 items

            # TCP/UDP source port name or number.
          - <str>

        # "any", "<ip>/<mask>" or "<ip>".
        # "<ip>" without a mask means host.
        # Required except for remarks.
        destination: <str>
        destination_ports_match: <str; "eq" | "gt" | "lt" | "neq" | "range"; default="eq">
        destination_ports: # >=1 items

            # TCP/UDP destination port name or number.
          - <str>
        tcp_flags:

            # TCP Flag Name.
          - <str>

        # Match non-head fragment packets.
        fragments: <bool>

        # Log matches against this rule.
        log: <bool>

        # TTL value.
        ttl: <int; 0-255>
        ttl_match: <str; "eq" | "gt" | "lt" | "neq"; default="eq">

        # Message type name/number for ICMP packets.
        icmp_type: <str>

        # Message code for ICMP packets.
        icmp_code: <str>

        # nexthop-group name.
        nexthop_group: <str>

        # Match packets in existing ICMP/UDP/TCP connections.
        tracked: <bool>

        # DSCP value or name.
        dscp: <str>
        vlan_number: <int>
        vlan_inner: <bool; default=False>

        # 0x000-0xFFF VLAN mask.
        vlan_mask: <str>

    # Permit response traffic automatically based on NAT translations.
    # Minimum EOS version requirement 4.32.2F.
    permit_response_traffic: <str; "nat">

The improved data model makes it possible to limit the number of ACL entries that AVD is allowed to generate by defining ip_access_lists_max_entries. Only normal entries under ip_access_lists are counted; remarks are ignored. If the number is above the limit, the playbook will fail. This provides simplified control over hardware utilization. The numbers must be based on hardware tests, and AVD does not provide any guidance. Note that other EOS features may use the same hardware resources and affect the supported scale.

Variable Type Required Default Value Restrictions Description
ip_access_lists_max_entries Integer Limit ACL entries defined under the ip_access_lists.
# Limit ACL entries defined under the `ip_access_lists`.
ip_access_lists_max_entries: <int>
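
An added pre-flight check (not AVD's own code) that applies the rules documented for `ip_access_lists`: keys required except for remarks, the documented valid values and ranges, and the `ip_access_lists_max_entries` limit with remarks excluded from the count. It assumes the limit applies to the total across all lists and that a mask is anything Python's `ipaddress` module accepts; `SAMPLE` and the function names are constructed.

```python
# Added example (not AVD code): pre-flight check of `ip_access_lists` inputs.
import ipaddress

VALID_ACTIONS = {"permit", "deny"}
PORT_MATCHES = {"eq", "gt", "lt", "neq", "range"}
REQUIRED_UNLESS_REMARK = ("action", "protocol", "source", "destination")


def bad_address(value):
    """True unless value is "any", "<ip>" or "<ip>/<mask>" (IPv4)."""
    if value == "any":
        return False
    try:
        ipaddress.IPv4Interface(value)  # assumption: mask forms ipaddress accepts
    except ValueError:
        return True
    return False


def check_entry(entry):
    """Return a list of problems for one ACL entry, per the documented rules."""
    if "remark" in entry:
        # When remark is defined, every other key in the entry is ignored.
        too_long = len(entry["remark"]) > 100
        return ["remark longer than 100 characters"] if too_long else []
    problems = [f"missing '{key}'" for key in REQUIRED_UNLESS_REMARK
                if key not in entry]
    if "action" in entry and entry["action"] not in VALID_ACTIONS:
        problems.append(f"invalid action {entry['action']!r}")
    for side in ("source", "destination"):
        if side in entry and bad_address(entry[side]):
            problems.append(f"invalid {side} {entry[side]!r}")
        match = entry.get(f"{side}_ports_match", "eq")  # documented default
        if match not in PORT_MATCHES:
            problems.append(f"invalid {side}_ports_match {match!r}")
        ports = entry.get(f"{side}_ports")
        if ports is not None and len(ports) < 1:
            problems.append(f"{side}_ports needs at least one item")
    if "ttl" in entry and not 0 <= entry["ttl"] <= 255:
        problems.append("ttl outside 0-255")
    return problems


def check_ip_access_lists(cfg):
    """Return (entry_count, problems); remarks are excluded from the count."""
    counted, problems = 0, []
    for acl in cfg.get("ip_access_lists", []):
        for entry in acl.get("entries", []):
            if "remark" not in entry:
                counted += 1
            for problem in check_entry(entry):
                problems.append(
                    f"{acl.get('name')} seq {entry.get('sequence')}: {problem}")
    limit = cfg.get("ip_access_lists_max_entries")
    if limit is not None and counted > limit:
        problems.append(
            f"{counted} entries exceed ip_access_lists_max_entries={limit}")
    return counted, problems


# Constructed sample input using documentation address ranges.
SAMPLE = {
    "ip_access_lists_max_entries": 3,
    "ip_access_lists": [
        {"name": "ACL-MGMT", "entries": [
            {"sequence": 10, "remark": "constructed sample: management access"},
            {"sequence": 20, "action": "permit", "protocol": "tcp",
             "source": "192.0.2.0/24", "destination": "any",
             "destination_ports": ["22"]},
            {"sequence": 30, "action": "deny", "protocol": "ip",
             "source": "any", "destination": "any", "log": True},
        ]},
        {"name": "ACL-EDGE", "entries": [
            {"sequence": 10, "action": "permit", "protocol": "udp",
             "source": "198.51.100.7", "destination": "any",
             "destination_ports_match": "range",
             "destination_ports": ["1000", "2000"], "ttl": 300},
            {"sequence": 20, "action": "allow", "protocol": "tcp",
             "source": "any"},
        ]},
    ],
}

if __name__ == "__main__":
    count, issues = check_ip_access_lists(SAMPLE)
    print(f"{count} counted entries")
    for issue in issues:
        print(issue)
```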

IPv6 access-lists

Variable Type Required Default Value Restrictions Description
ipv6_access_lists List, items: Dictionary
  - name String Required, Unique IPv6 Access-list Name.
    counters_per_entry Boolean
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “deny ipv6 any any”
ipv6_access_lists:

    # IPv6 Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "deny ipv6 any any"
        action: <str; required>

IPv6 standard access-lists

Variable Type Required Default Value Restrictions Description
ipv6_standard_access_lists List, items: Dictionary
  - name String Required, Unique Access-list Name.
    counters_per_entry Boolean
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “deny ipv6 any any”
ipv6_standard_access_lists:

    # Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "deny ipv6 any any"
        action: <str; required>

MAC access-lists

Variable Type Required Default Value Restrictions Description
mac_access_lists List, items: Dictionary
  - name String Required, Unique MAC Access-list Name.
    counters_per_entry Boolean
    entries List, items: Dictionary
      - sequence Integer
        action String
mac_access_lists:

    # MAC Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>
    entries:
      - sequence: <int>
        action: <str>

Standard access-lists

Variable Type Required Default Value Restrictions Description
standard_access_lists List, items: Dictionary
  - name String Required, Unique Access-list Name.
    counters_per_entry Boolean
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “deny ip any any”
standard_access_lists:

    # Access-list Name.
  - name: <str; required; unique>
    counters_per_entry: <bool>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "deny ip any any"
        action: <str; required>

Endpoint Security

Address-locking

Variable Type Required Default Value Restrictions Description
address_locking Dictionary
  dhcp_servers_ipv4 List, items: String
    - <str> String DHCP server IPv4 address.
  disabled Boolean Disable IP locking on configured ports.
  leases List, items: Dictionary
    - ip String Required IP address.
      mac String Required MAC address (hhhh.hhhh.hhhh or hh:hh:hh:hh:hh:hh).
  local_interface String
  locked_address Dictionary
    expiration_mac_disabled Boolean Configure deauthorizing locked addresses upon MAC aging out.
    ipv4_enforcement_disabled Boolean Configure enforcement for locked IPv4 addresses.
    ipv6_enforcement_disabled Boolean Configure enforcement for locked IPv6 addresses.
address_locking:
  dhcp_servers_ipv4:

      # DHCP server IPv4 address.
    - <str>

  # Disable IP locking on configured ports.
  disabled: <bool>
  leases:

      # IP address.
    - ip: <str; required>

      # MAC address (hhhh.hhhh.hhhh or hh:hh:hh:hh:hh:hh).
      mac: <str; required>
  local_interface: <str>
  locked_address:

    # Configure deauthorizing locked addresses upon MAC aging out.
    expiration_mac_disabled: <bool>

    # Configure enforcement for locked IPv4 addresses.
    ipv4_enforcement_disabled: <bool>

    # Configure enforcement for locked IPv6 addresses.
    ipv6_enforcement_disabled: <bool>

Dot1x

Variable Type Required Default Value Restrictions Description
dot1x Dictionary
  system_auth_control Boolean
  protocol_lldp_bypass Boolean
  protocol_bpdu_bypass Boolean
  dynamic_authorization Boolean
  mac_based_authentication Dictionary
    delay Integer Min: 0
Max: 300
    hold_period Integer Min: 1
Max: 300
  radius_av_pair_username_format Dictionary RADIUS AV-pair username settings.
    delimiter String Required Valid Values:
- colon
- hyphen
- none
- period
Delimiter to use in MAC address string.
    mac_string_case String Required Valid Values:
- lowercase
- uppercase
MAC address string in lowercase/uppercase.
  radius_av_pair Dictionary
    service_type Boolean
    framed_mtu Integer Min: 68
Max: 9236
    lldp Dictionary
      system_name Dictionary LLDP system name (LLDP TLV 5) av-pair.
        enabled Boolean Required
        auth_only Boolean
      system_description Dictionary LLDP system description (LLDP TLV 6) av-pair.
        enabled Boolean Required
        auth_only Boolean
    dhcp Dictionary
      hostname Dictionary Hostname (DHCP Option 12).
        enabled Boolean Required
        auth_only Boolean
      parameter_request_list Dictionary Parameters requested by host (DHCP Option 55).
        enabled Boolean Required
        auth_only Boolean
      vendor_class_id Dictionary Vendor class identifier (DHCP Option 60).
        enabled Boolean Required
        auth_only Boolean
  aaa Dictionary Configure AAA parameters.
    unresponsive Dictionary Configure AAA timeout options.
      eap_response String Valid Values:
- success
- disabled
EAP response to send.
      action Dictionary Set action for supplicant when AAA times out.
        apply_cached_results Boolean Use results from a previous AAA response.
        cached_results_timeout Dictionary
          time_duration Integer Min: 1 Enable caching for a specific duration -
<1-10000> duration in days
<1-14400000> duration in minutes
<1-240000> duration in hours
<1-864000000> duration in seconds
          time_duration_unit String Required Valid Values:
- days
- hours
- minutes
- seconds
        apply_alternate Boolean Apply alternate action if primary action fails.
eg. aaa unresponsive action apply cached-results else traffic allow
        traffic_allow Boolean Set action for supplicant traffic when AAA times out.
        traffic_allow_vlan Integer Min: 1
Max: 4094
      phone_action Dictionary Set action for supplicant when AAA times out.
        apply_cached_results Boolean Use results from a previous AAA response.
        cached_results_timeout Dictionary
          time_duration Integer Min: 1 Enable caching for a specific duration -
<1-10000> duration in days
<1-14400000> duration in minutes
<1-240000> duration in hours
<1-864000000> duration in seconds
          time_duration_unit String Required Valid Values:
- days
- hours
- minutes
- seconds
        apply_alternate Boolean Apply alternate action if primary action fails.
eg. aaa unresponsive phone action apply cached-results else traffic allow
        traffic_allow Boolean Set action for supplicant traffic when AAA times out.
      recovery_action_reauthenticate Boolean
    accounting_update_interval Integer Min: 5
Max: 65535
Interval period in seconds.
  captive_portal Dictionary Web authentication feature authenticates a supplicant through a web page, referred to as a captive portal.
    enabled Boolean Required
    url String Supported URL type:
- http: http://<hostname>[:<port>]
- https: https://<hostname>[:<port>]
    ssl_profile String
    start_limit_infinite Boolean Set captive-portal start limit to infinite.
    access_list_ipv4 String Standard access-list name.
  supplicant Dictionary
    profiles List, items: Dictionary Dot1x supplicant profiles.
      - name String Required, Unique
        eap_method String Valid Values:
- fast
- tls
Extensible Authentication Protocol method:
- EAP Flexible Authentication via Secure Tunneling.
- EAP with Transport Layer Security.
        identity String User identity.
        passphrase_type String 7 Valid Values:
- 0
- 7
- 8a
        passphrase String Extensible Authentication Protocol password.
        ssl_profile String
    logging Boolean Enable supplicant logging.
    disconnect_cached_results_timeout Integer Min: 60
Max: 65535
Timeout in seconds for removing a disconnected supplicant.
dot1x:
  system_auth_control: <bool>
  protocol_lldp_bypass: <bool>
  protocol_bpdu_bypass: <bool>
  dynamic_authorization: <bool>
  mac_based_authentication:
    delay: <int; 0-300>
    hold_period: <int; 1-300>

  # RADIUS AV-pair username settings.
  radius_av_pair_username_format:

    # Delimiter to use in MAC address string.
    delimiter: <str; "colon" | "hyphen" | "none" | "period"; required>

    # MAC address string in lowercase/uppercase.
    mac_string_case: <str; "lowercase" | "uppercase"; required>
  radius_av_pair:
    service_type: <bool>
    framed_mtu: <int; 68-9236>
    lldp:

      # LLDP system name (LLDP TLV 5) av-pair.
      system_name:
        enabled: <bool; required>
        auth_only: <bool>

      # LLDP system description (LLDP TLV 6) av-pair.
      system_description:
        enabled: <bool; required>
        auth_only: <bool>
    dhcp:

      # Hostname (DHCP Option 12).
      hostname:
        enabled: <bool; required>
        auth_only: <bool>

      # Parameters requested by host (DHCP Option 55).
      parameter_request_list:
        enabled: <bool; required>
        auth_only: <bool>

      # Vendor class identifier (DHCP Option 60).
      vendor_class_id:
        enabled: <bool; required>
        auth_only: <bool>

  # Configure AAA parameters.
  aaa:

    # Configure AAA timeout options.
    unresponsive:

      # EAP response to send.
      eap_response: <str; "success" | "disabled">

      # Set action for supplicant when AAA times out.
      action:

        # Use results from a previous AAA response.
        apply_cached_results: <bool>
        cached_results_timeout:

          # Enable caching for a specific duration -
          # <1-10000>      duration in days
          # <1-14400000>   duration in minutes
          # <1-240000>     duration in hours
          # <1-864000000>  duration in seconds
          time_duration: <int; >=1>
          time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>

        # Apply alternate action if primary action fails.
        # eg. aaa unresponsive action apply cached-results else traffic allow
        apply_alternate: <bool>

        # Set action for supplicant traffic when AAA times out.
        traffic_allow: <bool>
        traffic_allow_vlan: <int; 1-4094>

      # Set action for supplicant when AAA times out.
      phone_action:

        # Use results from a previous AAA response.
        apply_cached_results: <bool>
        cached_results_timeout:

          # Enable caching for a specific duration -
          # <1-10000>      duration in days
          # <1-14400000>   duration in minutes
          # <1-240000>     duration in hours
          # <1-864000000>  duration in seconds
          time_duration: <int; >=1>
          time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>

        # Apply alternate action if primary action fails.
        # eg. aaa unresponsive phone action apply cached-results else traffic allow
        apply_alternate: <bool>

        # Set action for supplicant traffic when AAA times out.
        traffic_allow: <bool>
      recovery_action_reauthenticate: <bool>

    # Interval period in seconds.
    accounting_update_interval: <int; 5-65535>

  # Web authentication feature authenticates a supplicant through a web page, referred to as a captive portal.
  captive_portal:
    enabled: <bool; required>

    # Supported URL type:
    #   - http: http://<hostname>[:<port>]
    #   - https: https://<hostname>[:<port>]
    url: <str>
    ssl_profile: <str>

    # Set captive-portal start limit to infinite.
    start_limit_infinite: <bool>

    # Standard access-list name.
    access_list_ipv4: <str>
  supplicant:

    # Dot1x supplicant profiles.
    profiles:
      - name: <str; required; unique>

        # Extensible Authentication Protocol method:
        #   - EAP Flexible Authentication via Secure Tunneling.
        #   - EAP with Transport Layer Security.
        eap_method: <str; "fast" | "tls">

        # User identity.
        identity: <str>
        passphrase_type: <str; "0" | "7" | "8a"; default="7">

        # Extensible Authentication Protocol password.
        passphrase: <str>
        ssl_profile: <str>

    # Enable supplicant logging.
    logging: <bool>

    # Timeout in seconds for removing a disconnected supplicant.
    disconnect_cached_results_timeout: <int; 60-65535>

MAC security

Variable Type Required Default Value Restrictions Description
mac_security Dictionary
  license Dictionary
    license_name String Required
    license_key String Required
  fips_restrictions Boolean
  profiles List, items: Dictionary
    - name String Required, Unique Profile-Name.
      cipher String Valid Values:
- aes128-gcm
- aes128-gcm-xpn
- aes256-gcm
- aes256-gcm-xpn
      connection_keys List, items: Dictionary
        - id String Required, Unique
          encrypted_key String
          fallback Boolean
      mka Dictionary
        key_server_priority Integer Min: 0
Max: 255
        session Dictionary
          rekey_period Integer Min: 30
Max: 100000
Rekey period in seconds.
      sci Boolean
      l2_protocols Dictionary
        ethernet_flow_control Dictionary
          mode String Required Valid Values:
- encrypt
- bypass
        lldp Dictionary
          mode String Required Valid Values:
- bypass
- bypass unauthorized
      traffic_unprotected Dictionary
        action String Required Valid Values:
- allow
- drop
Allow/drop the transmit/receive of unprotected traffic.
        allow_active_sak Boolean Allow transmit/receive of encrypted traffic using operational SAK and block otherwise.
mac_security:
  license:
    license_name: <str; required>
    license_key: <str; required>
  fips_restrictions: <bool>
  profiles:

      # Profile-Name.
    - name: <str; required; unique>
      cipher: <str; "aes128-gcm" | "aes128-gcm-xpn" | "aes256-gcm" | "aes256-gcm-xpn">
      connection_keys:
        - id: <str; required; unique>
          encrypted_key: <str>
          fallback: <bool>
      mka:
        key_server_priority: <int; 0-255>
        session:

          # Rekey period in seconds.
          rekey_period: <int; 30-100000>
      sci: <bool>
      l2_protocols:
        ethernet_flow_control:
          mode: <str; "encrypt" | "bypass"; required>
        lldp:
          mode: <str; "bypass" | "bypass unauthorized"; required>
      traffic_unprotected:

        # Allow/drop the transmit/receive of unprotected traffic.
        action: <str; "allow" | "drop"; required>

        # Allow transmit/receive of encrypted traffic using operational SAK and block otherwise.
        allow_active_sak: <bool>

Filters and policies

AS path

Variable Type Required Default Value Restrictions Description
as_path Dictionary
  regex_mode String Valid Values:
- asn
- string
  access_lists List, items: Dictionary
    - name String Required, Unique Access List Name.
      entries List, items: Dictionary
        - type String Valid Values:
- permit
- deny
          match String Regex To Match.
          origin String any Valid Values:
- any
- egp
- igp
- incomplete
as_path:
  regex_mode: <str; "asn" | "string">
  access_lists:

      # Access List Name.
    - name: <str; required; unique>
      entries:
        - type: <str; "permit" | "deny">

          # Regex To Match.
          match: <str>
          origin: <str; "any" | "egp" | "igp" | "incomplete"; default="any">

Class-maps

Variable Type Required Default Value Restrictions Description
class_maps Dictionary
  pbr List, items: Dictionary
    - name String Required, Unique Class-Map Name.
      ip Dictionary
        access_group String Standard Access-List Name.
  qos List, items: Dictionary
    - name String Required, Unique Class-Map Name.
      vlan String VLAN value(s) or range(s) of VLAN values.
      cos String CoS value(s) or range(s) of CoS values.
      ip Dictionary
        access_group String IPv4 Access-List Name.
      ipv6 Dictionary
        access_group String IPv6 Access-List Name.
class_maps:
  pbr:

      # Class-Map Name.
    - name: <str; required; unique>
      ip:

        # Standard Access-List Name.
        access_group: <str>
  qos:

      # Class-Map Name.
    - name: <str; required; unique>

      # VLAN value(s) or range(s) of VLAN values.
      vlan: <str>

      # CoS value(s) or range(s) of CoS values.
      cos: <str>
      ip:

        # IPv4 Access-List Name.
        access_group: <str>
      ipv6:

        # IPv6 Access-List Name.
        access_group: <str>

Dynamic prefix lists

Variable Type Required Default Value Restrictions Description
dynamic_prefix_lists List, items: Dictionary
  - name String Dynamic prefix-list name.
    match_map String Route-map name.
    prefix_list Dictionary
      ipv4 String Prefix-list name.
      ipv6 String Prefix-list name.
dynamic_prefix_lists:

    # Dynamic prefix-list name.
  - name: <str>

    # Route-map name.
    match_map: <str>
    prefix_list:

      # Prefix-list name.
      ipv4: <str>

      # Prefix-list name.
      ipv6: <str>

IP community lists

AVD currently supports two different data models for community lists:

  • The legacy community_lists data model that can be used for compatibility with the existing deployments.
  • The improved ip_community_lists data model.

Both data models can coexist without conflicts, as different keys are used: community_lists vs ip_community_lists. Community list names must be unique.

The legacy data model supports simplified community list definition that only allows a single action to be defined as string:

Variable Type Required Default Value Restrictions Description
community_lists deprecated List, items: Dictionary This key is deprecated. Support will be removed in AVD version 6.0.0. Use ip_community_lists instead.
  - name String Required, Unique Community-list Name.
    action String Required Action as string.
Example: “permit GSHUT 65123:123”
# This key is deprecated.
# Support will be removed in AVD version 6.0.0.
# Use `ip_community_lists` instead.
community_lists:

    # Community-list Name.
  - name: <str; required; unique>

    # Action as string.
    # Example: "permit GSHUT 65123:123"
    action: <str; required>

The improved data model has a better design documented below:

Variable Type Required Default Value Restrictions Description
ip_community_lists List, items: Dictionary Communities and regexp entries MUST not be configured in the same community-list.
  - name String Required, Unique IP Community-list Name.
    entries List, items: Dictionary Required
      - action String Required Valid Values:
- permit
- deny
        communities List, items: String If defined, a standard community-list will be configured.
Supported community strings (case insensitive):
- GSHUT
- internet
- local-as
- no-advertise
- no-export
- <1-4294967040>
- aa:nn
          - <str> String
        regexp String Regular Expression.
If defined, a regex community-list will be configured.
# Communities and regexp entries MUST not be configured in the same community-list.
ip_community_lists:

    # IP Community-list Name.
  - name: <str; required; unique>
    entries: # required
      - action: <str; "permit" | "deny"; required>

        # If defined, a standard community-list will be configured.
        # Supported community strings (case insensitive):
        # - GSHUT
        # - internet
        # - local-as
        # - no-advertise
        # - no-export
        # - <1-4294967040>
        # - aa:nn
        communities:
          - <str>

        # Regular Expression.
        # If defined, a regex community-list will be configured.
        regexp: <str>
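
The rules stated in this section can be checked before the role runs. The following Python sketch is an added example and not part of AVD: it converts legacy `community_lists` items to the `ip_community_lists` model and reports lists that mix `communities` with `regexp`, reuse a name across the two models, or contain a community string outside the supported forms. Function names and sample data are constructed for illustration, and the 16-bit limit on each half of `aa:nn` is an assumption.

```python
import re

# Well-known names from the ip_community_lists description (case insensitive).
WELL_KNOWN = {"gshut", "internet", "local-as", "no-advertise", "no-export"}
AA_NN = re.compile(r"([0-9]+):([0-9]+)")


def is_valid_community(value):
    """True if value has one of the community string forms listed above."""
    text = str(value).strip()
    if text.lower() in WELL_KNOWN:
        return True
    if re.fullmatch(r"[0-9]+", text):
        return 1 <= int(text) <= 4294967040
    pair = AA_NN.fullmatch(text)
    # Assumption: each half of aa:nn is a 16-bit value (0-65535).
    return bool(pair) and all(int(half) <= 65535 for half in pair.groups())


def migrate_legacy(community_lists):
    """Turn legacy community_lists items into ip_community_lists items."""
    migrated = []
    for item in community_lists:
        # Legacy model: one action string such as "permit GSHUT 65123:123".
        action, *communities = item["action"].split()
        if action not in ("permit", "deny") or not communities:
            raise ValueError(f"{item['name']}: cannot split action {item['action']!r}")
        migrated.append({
            "name": item["name"],
            "entries": [{"action": action, "communities": communities}],
        })
    return migrated


def lint_ip_community_lists(ip_community_lists, legacy=()):
    """Return a list of problem strings; an empty list means no findings."""
    problems = []
    seen = {item["name"] for item in legacy}  # names are shared by both models
    for clist in ip_community_lists:
        name = clist["name"]
        if name in seen:
            problems.append(f"{name}: community-list name is not unique")
        seen.add(name)
        kinds = set()
        for index, entry in enumerate(clist.get("entries") or []):
            if entry.get("communities"):
                kinds.add("communities")
                for community in entry["communities"]:
                    if not is_valid_community(community):
                        problems.append(
                            f"{name}[{index}]: unsupported community {community!r}")
            if entry.get("regexp"):
                kinds.add("regexp")
        if len(kinds) > 1:
            problems.append(f"{name}: communities and regexp entries in the same list")
    return problems


# Constructed sample data, not taken from a real deployment.
LEGACY = [{"name": "CL-GSHUT", "action": "permit GSHUT 65123:123"}]
IMPROVED = [
    {"name": "CL-MIXED", "entries": [
        {"action": "permit", "communities": ["no-export", "65000:100"]},
        {"action": "deny", "regexp": "^65000:.*$"},
    ]},
    {"name": "CL-GSHUT", "entries": [
        {"action": "permit", "communities": ["65000:70000"]},
    ]},
]

if __name__ == "__main__":
    print(migrate_legacy(LEGACY))
    for problem in lint_ip_community_lists(IMPROVED, legacy=LEGACY):
        print(problem)
```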

IP extcommunity-lists

Variable Type Required Default Value Restrictions Description
ip_extcommunity_lists List, items: Dictionary
  - name String Required, Unique Community-list Name.
    entries List, items: Dictionary Required
      - type String Required Valid Values:
- permit
- deny
        extcommunities String Required Communities as string.
Example: “65000:65000”
ip_extcommunity_lists:

    # Community-list Name.
  - name: <str; required; unique>
    entries: # required
      - type: <str; "permit" | "deny"; required>

        # Communities as string.
        # Example: "65000:65000"
        extcommunities: <str; required>

IP extcommunity-lists-regexp

Variable Type Required Default Value Restrictions Description
ip_extcommunity_lists_regexp List, items: Dictionary
  - name String Required, Unique Community-list Name.
    entries List, items: Dictionary Required
      - type String Required Valid Values:
- permit
- deny
        regexp String Required Regular Expression.
ip_extcommunity_lists_regexp:

    # Community-list Name.
  - name: <str; required; unique>
    entries: # required
      - type: <str; "permit" | "deny"; required>

        # Regular Expression.
        regexp: <str; required>

IPv6 prefix-lists

Variable Type Required Default Value Restrictions Description
ipv6_prefix_lists List, items: Dictionary
  - name String Required, Unique Prefix-list Name.
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “permit 1b11:3a00:22b0:0082::/64 eq 128”
ipv6_prefix_lists:

    # Prefix-list Name.
  - name: <str; required; unique>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "permit 1b11:3a00:22b0:0082::/64 eq 128"
        action: <str; required>

Match list input

Variable Type Required Default Value Restrictions Description
match_list_input Dictionary
  prefix_ipv4 List, items: Dictionary
    - name String Required, Unique Prefix-List Name.
      prefixes List, items: String Required Min Length: 1 List of IPv4 prefixes (with the subnet mask e.g. 192.0.2.0/24).
        - <str> String
  prefix_ipv6 List, items: Dictionary
    - name String Required, Unique Prefix-List Name.
      prefixes List, items: String Required Min Length: 1 List of IPv6 prefixes (with the subnet mask e.g. 2001:db8:abcd:0013::/64).
        - <str> String
  string List, items: Dictionary
    - name String Required, Unique Match-list Name.
      sequence_numbers List, items: Dictionary Required
        - sequence Integer Required, Unique Sequence ID.
          match_regex String Required Regular Expression.
match_list_input:
  prefix_ipv4:

      # Prefix-List Name.
    - name: <str; required; unique>

      # List of IPv4 prefixes (with the subnet mask e.g. 192.0.2.0/24).
      prefixes: # >=1 items; required
        - <str>
  prefix_ipv6:

      # Prefix-List Name.
    - name: <str; required; unique>

      # List of IPv6 prefixes (with the subnet mask e.g. 2001:db8:abcd:0013::/64).
      prefixes: # >=1 items; required
        - <str>
  string:

      # Match-list Name.
    - name: <str; required; unique>
      sequence_numbers: # required

          # Sequence ID.
        - sequence: <int; required; unique>

          # Regular Expression.
          match_regex: <str; required>

Peer-filters

Variable Type Required Default Value Restrictions Description
peer_filters List, items: Dictionary
  - name String Required, Unique Peer-filter Name.
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        match String Required Match as string.
Example: “as-range 1-100 result accept”
peer_filters:

    # Peer-filter Name.
  - name: <str; required; unique>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>

        # Match as string.
        # Example: "as-range 1-100 result accept"
        match: <str; required>

Policy-maps

Variable Type Required Default Value Restrictions Description
policy_maps Dictionary
  pbr List, items: Dictionary PBR Policy-Maps.
    - name String Required, Unique Policy-Map Name.
      classes List, items: Dictionary
        - name String Required, Unique Class Name.
          index Integer
          drop Boolean ‘drop’ and ‘set’ are mutually exclusive.
          set Dictionary Set Nexthop
‘drop’ and ‘set’ are mutually exclusive.
            nexthop Dictionary
              ip_address String IPv4 or IPv6 Address.
              recursive Boolean
  qos List, items: Dictionary QOS Policy-Maps.
    - name String Required, Unique Policy-Map Name.
      classes List, items: Dictionary
        - name String Required, Unique Class Name.
          set Dictionary
            cos Integer
            dscp String
            traffic_class Integer
            drop_precedence Integer
          police Dictionary
            rate Integer Specify rate.
Range in kbps <8-200000000>.
            rate_unit String bps Valid Values:
- bps
- kbps
- mbps
- pps
            rate_burst_size Integer Range in bytes <256-128000000>.
            rate_burst_size_unit String bytes Valid Values:
- bytes
- kbytes
- mbytes
- packets
            action Dictionary
              type String Valid Values:
- dscp
- drop-precedence
Set action for policed traffic.
              dscp_value String Set when action.type is set to “dscp”.
            higher_rate Integer Specify higher rate.
Range in kbps <lower_rate in kbps + 8 - lower_rate in kbps + 200000000>.
            higher_rate_unit String bps Valid Values:
- bps
- kbps
- mbps
- pps
            higher_rate_burst_size Integer Range in bytes <256-128000000>.
            higher_rate_burst_size_unit String bytes Valid Values:
- bytes
- kbytes
- mbytes
- packets
  copp_system_policy Dictionary Control-plane policy configuration.
    classes List, items: Dictionary
      - name String Required, Unique
        shape Integer Min: 0
Max: 10000000
Maximum rate limit.
        bandwidth Integer Min: 0
Max: 10000000
Minimum bandwidth.
        rate_unit String Valid Values:
- pps
- kbps
The rate_unit must be defined for shape and bandwidth.
policy_maps:

  # PBR Policy-Maps.
  pbr:

      # Policy-Map Name.
    - name: <str; required; unique>
      classes:

          # Class Name.
        - name: <str; required; unique>
          index: <int>

          # 'drop' and 'set' are mutually exclusive.
          drop: <bool>

          # Set Nexthop
          # 'drop' and 'set' are mutually exclusive.
          set:
            nexthop:

              # IPv4 or IPv6 Address.
              ip_address: <str>
              recursive: <bool>

  # QOS Policy-Maps.
  qos:

      # Policy-Map Name.
    - name: <str; required; unique>
      classes:

          # Class Name.
        - name: <str; required; unique>
          set:
            cos: <int>
            dscp: <str>
            traffic_class: <int>
            drop_precedence: <int>
          police:

            # Specify rate.
            # Range in kbps <8-200000000>.
            rate: <int>
            rate_unit: <str; "bps" | "kbps" | "mbps" | "pps"; default="bps">

            # Range in bytes <256-128000000>.
            rate_burst_size: <int>
            rate_burst_size_unit: <str; "bytes" | "kbytes" | "mbytes" | "packets"; default="bytes">
            action:

              # Set action for policed traffic.
              type: <str; "dscp" | "drop-precedence">

              # Set when action.type is set to "dscp".
              dscp_value: <str>

            # Specify higher rate.
            # Range in kbps <lower_rate in kbps + 8 - lower_rate in kbps + 200000000>.
            higher_rate: <int>
            higher_rate_unit: <str; "bps" | "kbps" | "mbps" | "pps"; default="bps">

            # Range in bytes <256-128000000>.
            higher_rate_burst_size: <int>
            higher_rate_burst_size_unit: <str; "bytes" | "kbytes" | "mbytes" | "packets"; default="bytes">

  # Control-plane policy configuration.
  copp_system_policy:
    classes:
      - name: <str; required; unique>

        # Maximum rate limit.
        shape: <int; 0-10000000>

        # Minimum bandwidth.
        bandwidth: <int; 0-10000000>

        # The `rate_unit` must be defined for `shape` and `bandwidth`.
        rate_unit: <str; "pps" | "kbps">

Prefix-lists

Variable Type Required Default Value Restrictions Description
prefix_lists List, items: Dictionary
  - name String Required, Unique Prefix-list Name.
    sequence_numbers List, items: Dictionary
      - sequence Integer Required, Unique Sequence ID.
        action String Required Action as string.
Example: “permit 10.255.0.0/27 eq 32”
prefix_lists:

    # Prefix-list Name.
  - name: <str; required; unique>
    sequence_numbers:

        # Sequence ID.
      - sequence: <int; required; unique>

        # Action as string.
        # Example: "permit 10.255.0.0/27 eq 32"
        action: <str; required>

Route-maps

Variable Type Required Default Value Restrictions Description
route_maps List, items: Dictionary
  - name String Required, Unique Route-map Name.
    sequence_numbers List, items: Dictionary Required
      - sequence Integer Required, Unique Sequence ID.
        type String Required Valid Values:
- permit
- deny
        description String
        match List, items: String List of “match” statements.
          - <str> String Match as string.
Example: “ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY”
        set List, items: String List of “set” statements.
          - <str> String Set as string.
Example: “origin incomplete”
        sub_route_map String Name of Sub-Route-map.
        continue Dictionary
          enabled Boolean
          sequence_number Integer
route_maps:

    # Route-map Name.
  - name: <str; required; unique>
    sequence_numbers: # required

        # Sequence ID.
      - sequence: <int; required; unique>
        type: <str; "permit" | "deny"; required>
        description: <str>

        # List of "match" statements.
        match:

            # Match as string.
            # Example: "ip address prefix-list PL-LOOPBACKS-EVPN-OVERLAY"
          - <str>

        # List of "set" statements.
        set:

            # Set as string.
            # Example: "origin incomplete"
          - <str>

        # Name of Sub-Route-map.
        sub_route_map: <str>
        continue:
          enabled: <bool>
          sequence_number: <int>

Trackers

Variable Type Required Default Value Restrictions Description
trackers List, items: Dictionary
  - name String Required, Unique Name of tracker object.
    interface String Required Name of tracked interface.
    tracked_property String line-protocol Property to track.
trackers:

    # Name of tracker object.
  - name: <str; required; unique>

    # Name of tracked interface.
    interface: <str; required>

    # Property to track.
    tracked_property: <str; default="line-protocol">

Traffic policies

Variable Type Required Default Value Restrictions Description
traffic_policies Dictionary
  options Dictionary
    counter_per_interface Boolean
  field_sets Dictionary
    ipv4 List, items: Dictionary
      - name String Required, Unique IPv4 Prefix Field Set Name.
        prefixes List, items: String
          - <str> String IPv4 Prefix.
    ipv6 List, items: Dictionary
      - name String Required, Unique IPv6 Prefix Field Set Name.
        prefixes List, items: String
          - <str> String IPv6 Prefix.
    ports List, items: Dictionary
      - name String Required, Unique L4 Port Field Set Name.
        port_range String Example: ‘10,20,80,440-450’
  policies List, items: Dictionary
    - name String Required, Unique Traffic Policy Name.
      matches List, items: Dictionary
        - name String Required, Unique Traffic Policy Item.
          type String Required Valid Values:
- ipv4
- ipv6
          source Dictionary
            prefixes List, items: String
              - <str> String IP address or prefix.
            prefix_lists List, items: String Field-set prefix lists.
              - <str> String
          destination Dictionary
            prefixes List, items: String
              - <str> String IP address or prefix.
            prefix_lists List, items: String Field-set prefix lists.
              - <str> String
          ttl String TTL range.
          fragment Dictionary The ‘fragment’ command is not supported when ‘source port’
or ‘destination port’ command is configured.
            offset String Fragment offset range.
          protocols List, items: Dictionary
            - protocol String Required, Unique
              src_port String Port range.
              dst_port String Port range.
              src_field String L4 port range field set.
              dst_field String L4 port range field set.
              flags List, items: String
                - <str> String Valid Values:
- established
- initial
              icmp_type List, items: String
                - <str> String
              enforce_gtsm Boolean Enforce the GTSM for BGP speakers. Only supported when protocol is set to ‘neighbors’.
          actions Dictionary
            dscp Integer
            traffic_class Integer Traffic class ID.
            count String Counter name.
            drop Boolean
            log Boolean Only supported when action is set to drop.
      default_actions Dictionary
        ipv4 Dictionary
          dscp Integer
          traffic_class Integer Traffic class ID.
          count String Counter name.
          drop Boolean
          log Boolean Only supported when action is set to drop.
        ipv6 Dictionary
          dscp Integer
          traffic_class Integer Traffic class ID.
          count String Counter name.
          drop Boolean
          log Boolean Only supported when action is set to drop.
traffic_policies:
  options:
    counter_per_interface: <bool>
  field_sets:
    ipv4:

        # IPv4 Prefix Field Set Name.
      - name: <str; required; unique>
        prefixes:

            # IPv4 Prefix.
          - <str>
    ipv6:

        # IPv6 Prefix Field Set Name.
      - name: <str; required; unique>
        prefixes:

            # IPv6 Prefix.
          - <str>
    ports:

        # L4 Port Field Set Name.
      - name: <str; required; unique>

        # Example: '10,20,80,440-450'
        port_range: <str>
  policies:

      # Traffic Policy Name.
    - name: <str; required; unique>
      matches:

          # Traffic Policy Item.
        - name: <str; required; unique>
          type: <str; "ipv4" | "ipv6"; required>
          source:
            prefixes:

                # IP address or prefix.
              - <str>

            # Field-set prefix lists.
            prefix_lists:
              - <str>
          destination:
            prefixes:

                # IP address or prefix.
              - <str>

            # Field-set prefix lists.
            prefix_lists:
              - <str>

          # TTL range.
          ttl: <str>

          # The 'fragment' command is not supported when 'source port'
          # or 'destination port' command is configured.
          fragment:

            # Fragment offset range.
            offset: <str>
          protocols:
            - protocol: <str; required; unique>

              # Port range.
              src_port: <str>

              # Port range.
              dst_port: <str>

              # L4 port range field set.
              src_field: <str>

              # L4 port range field set.
              dst_field: <str>
              flags:
                - <str; "established" | "initial">
              icmp_type:
                - <str>

              # Enforce the GTSM for BGP speakers. Only supported when protocol is set to 'neighbors'.
              enforce_gtsm: <bool>
          actions:
            dscp: <int>

            # Traffic class ID.
            traffic_class: <int>

            # Counter name.
            count: <str>
            drop: <bool>

            # Only supported when action is set to drop.
            log: <bool>
      default_actions:
        ipv4:
          dscp: <int>

          # Traffic class ID.
          traffic_class: <int>

          # Counter name.
          count: <str>
          drop: <bool>

          # Only supported when action is set to drop.
          log: <bool>
        ipv6:
          dscp: <int>

          # Traffic class ID.
          traffic_class: <int>

          # Counter name.
          count: <str>
          drop: <bool>

          # Only supported when action is set to drop.
          log: <bool>
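
Several constraints in the `traffic_policies` descriptions span more than one key. The following Python sketch is an added example and not part of AVD: it reports `log` without `drop`, `enforce_gtsm` on a protocol other than `neighbors`, `fragment` combined with port matching, and references to field sets that are not defined. The function names and the sample policy are constructed, and treating `src_field`/`dst_field` as port commands and resolving references only against `field_sets` in the same data are assumptions.

```python
def _check_actions(where, actions, problems):
    """'log' is only supported when the action is drop."""
    if actions and actions.get("log") and not actions.get("drop"):
        problems.append(f"{where}: log is only supported together with drop")


def lint_traffic_policies(traffic_policies):
    """Return a list of problem strings; an empty list means no findings."""
    problems = []
    field_sets = traffic_policies.get("field_sets") or {}
    defined = {kind: {fs["name"] for fs in field_sets.get(kind) or []}
               for kind in ("ipv4", "ipv6", "ports")}

    for policy in traffic_policies.get("policies") or []:
        for match in policy.get("matches") or []:
            where = f"{policy['name']}/{match['name']}"
            family = match.get("type")

            # prefix_lists entries name field sets of the match's address family.
            for side in ("source", "destination"):
                for ref in (match.get(side) or {}).get("prefix_lists") or []:
                    if ref not in defined.get(family, set()):
                        problems.append(
                            f"{where}: {side} prefix list {ref!r} is not a defined {family} field set")

            uses_ports = False
            for proto in match.get("protocols") or []:
                # src_field / dst_field name L4 port field sets.
                for key in ("src_field", "dst_field"):
                    ref = proto.get(key)
                    if ref and ref not in defined["ports"]:
                        problems.append(f"{where}: {key} {ref!r} is not a defined ports field set")
                # Assumption: field-set based port matches count as port commands too.
                if any(proto.get(k) for k in ("src_port", "dst_port", "src_field", "dst_field")):
                    uses_ports = True
                if proto.get("enforce_gtsm") and proto.get("protocol") != "neighbors":
                    problems.append(f"{where}: enforce_gtsm requires protocol 'neighbors'")

            if "fragment" in match and uses_ports:
                problems.append(f"{where}: fragment cannot be combined with port matching")
            _check_actions(where, match.get("actions"), problems)

        for family, actions in (policy.get("default_actions") or {}).items():
            _check_actions(f"{policy['name']}/default_actions.{family}", actions, problems)
    return problems


# Constructed sample data, not taken from a real deployment.
SAMPLE = {
    "field_sets": {
        "ipv4": [{"name": "MGMT-NETS", "prefixes": ["192.0.2.0/24"]}],
        "ports": [{"name": "WEB", "port_range": "80,443"}],
    },
    "policies": [{
        "name": "EDGE-IN",
        "matches": [
            {"name": "BGP", "type": "ipv4",
             "source": {"prefix_lists": ["MGMT-NETS"]},
             "protocols": [{"protocol": "neighbors", "enforce_gtsm": True}]},
            {"name": "WEB-FRAGS", "type": "ipv4",
             "source": {"prefix_lists": ["GUEST-NETS"]},
             "fragment": {"offset": "1-8191"},
             "protocols": [{"protocol": "tcp", "dst_field": "WEB", "enforce_gtsm": True}],
             "actions": {"count": "WEB", "log": True}},
        ],
        "default_actions": {
            "ipv4": {"drop": True, "log": True},
            "ipv6": {"log": True},
        },
    }],
}

if __name__ == "__main__":
    for problem in lint_traffic_policies(SAMPLE):
        print(problem)
```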

Interfaces

DPS interfaces

Variable Type Required Default Value Restrictions Description
dps_interfaces List, items: Dictionary Min Length: 1
Max Length: 1
  - name String Required, Unique Valid Values:
- Dps1
“Dps1” is currently the only supported interface.
    description String
    shutdown Boolean
    mtu Integer Min: 68
Max: 65535
Maximum Transmission Unit in bytes.
    ip_address String IPv4 address/mask.
    flow_tracker Dictionary
      sampled String Sampled flow tracker name.
      hardware String Hardware flow tracker name.
    tcp_mss_ceiling Dictionary
      ipv4 Integer Min: 64
Max: 65495
Segment Size for IPv4.
      ipv6 Integer Min: 64
Max: 65475
Segment Size for IPv6.
      direction String Valid Values:
- ingress
- egress
Optional direction (‘ingress’, ‘egress’) for tcp mss ceiling.
    eos_cli String Multiline String with EOS CLI rendered directly on the Dps interface in the final EOS configuration.
dps_interfaces: # 1-1 items

    # "Dps1" is currently the only supported interface.
  - name: <str; "Dps1"; required; unique>
    description: <str>
    shutdown: <bool>

    # Maximum Transmission Unit in bytes.
    mtu: <int; 68-65535>

    # IPv4 address/mask.
    ip_address: <str>
    flow_tracker:

      # Sampled flow tracker name.
      sampled: <str>

      # Hardware flow tracker name.
      hardware: <str>
    tcp_mss_ceiling:

      # Segment Size for IPv4.
      ipv4: <int; 64-65495>

      # Segment Size for IPv6.
      ipv6: <int; 64-65475>

      # Optional direction ('ingress', 'egress') for tcp mss ceiling.
      direction: <str; "ingress" | "egress">

    # Multiline String with EOS CLI rendered directly on the Dps interface in the final EOS configuration.
    eos_cli: <str>

Errdisable

Variable Type Required Default Value Restrictions Description
errdisable Dictionary
  detect Dictionary
    causes List, items: String
      - <str> String Valid Values:
- acl
- arp-inspection
- dot1x
- link-change
- tapagg
- xcvr-misconfigured
- xcvr-overheat
- xcvr-power-unsupported
  recovery Dictionary
    causes List, items: String
      - <str> String Valid Values:
- arp-inspection
- bpduguard
- dot1x
- hitless-reload-down
- lacp-rate-limit
- link-flap
- no-internal-vlan
- portchannelguard
- portsec
- speed-misconfigured
- tap-port-init
- tapagg
- uplink-failure-detection
- xcvr-misconfigured
- xcvr-overheat
- xcvr-power-unsupported
- xcvr-unsupported
    interval Integer 300 Min: 30
Max: 86400
Interval in seconds.
errdisable:
  detect:
    causes:
      - <str; "acl" | "arp-inspection" | "dot1x" | "link-change" | "tapagg" | "xcvr-misconfigured" | "xcvr-overheat" | "xcvr-power-unsupported">
  recovery:
    causes:
      - <str; "arp-inspection" | "bpduguard" | "dot1x" | "hitless-reload-down" | "lacp-rate-limit" | "link-flap" | "no-internal-vlan" | "portchannelguard" | "portsec" | "speed-misconfigured" | "tap-port-init" | "tapagg" | "uplink-failure-detection" | "xcvr-misconfigured" | "xcvr-overheat" | "xcvr-power-unsupported" | "xcvr-unsupported">

    # Interval in seconds.
    interval: <int; 30-86400; default=300>

Ethernet interfaces

Variable Type Required Default Value Restrictions Description
ethernet_interfaces List, items: Dictionary
  - name String Required, Unique
    description String
    shutdown Boolean
    load_interval Integer Min: 0
Max: 600
Interval in seconds for updating interface counters.
    speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
    mtu Integer Min: 68
Max: 65535
    l2_mtu Integer Min: 68
Max: 65535
“l2_mtu” should only be defined for platforms supporting the “l2 mtu” CLI.
    l2_mru Integer Min: 68
Max: 65535
“l2_mru” should only be defined for platforms supporting the “l2 mru” CLI.
    vlans deprecated String List of switchport vlans as string.
For a trunk port this would be a range like “1-200,300”.
For an access port this would be a single vlan “123”.
This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.access_vlan or switchport.trunk.allowed_vlan instead.
    native_vlan deprecated Integer This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.native_vlan instead.
    native_vlan_tag deprecated Boolean If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence. This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.native_vlan_tag instead.
    mode deprecated String Valid Values:
- access
- dot1q-tunnel
- trunk
- trunk phone
This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.mode instead.
    phone deprecated Dictionary This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.phone instead.
      trunk String Valid Values:
- tagged
- tagged phone
- untagged
- untagged phone
      vlan Integer Min: 1
Max: 4094
    l2_protocol Dictionary
      encapsulation_dot1q_vlan Integer Vlan tag to configure on sub-interface.
      forwarding_profile String L2 protocol forwarding profile.
    mac_timestamp String Valid Values:
- before-fcs
- replace-fcs
- header
header: Insert timestamp in ethernet header. Supported on platforms like 7500E/R and 7280E/R.
before-fcs: Insert timestamp before fcs field. Supported on platforms like 7150.
replace-fcs: Replace fcs field with timestamp.
    trunk_groups deprecated List, items: String This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.groups instead.
      - <str> String
    type deprecated String Valid Values:
- routed
- switched
- l3dot1q
- l2dot1q
- port-channel-member
l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
The type = switched/routed should not be combined with switchport.
This key is deprecated. Support will be removed in AVD version 6.0.0. See here for details.
    snmp_trap_link_change Boolean
    address_locking Dictionary
      ipv4 Boolean Enable address locking for IPv4.
      ipv6 Boolean Enable address locking for IPv6.
    flowcontrol Dictionary
      received String Valid Values:
- desired
- on
- off
    vrf String VRF name.
    flow_tracker Dictionary
      sampled String Sampled flow tracker name.
      hardware String Hardware flow tracker name.
    error_correction_encoding Dictionary
      enabled Boolean True
      fire_code Boolean
      reed_solomon Boolean
    link_tracking_groups List, items: Dictionary
      - name String Required, Unique Group name.
        direction String Valid Values:
- upstream
- downstream
    link_tracking Dictionary
      direction String Valid Values:
- upstream
- downstream
      groups List, items: String Link state group(s) an interface belongs to.
        - <str> String Group names.
    evpn_ethernet_segment Dictionary
      identifier String EVPN Ethernet Segment Identifier (Type 1 format).
      redundancy String Valid Values:
- all-active
- single-active
      designated_forwarder_election Dictionary
        algorithm String Valid Values:
- modulus
- preference
        preference_value Integer Min: 0
Max: 65535
Preference_value is only used when “algorithm” is “preference”.
        dont_preempt Boolean Dont_preempt is only used when “algorithm” is “preference”.
        hold_time Integer
        subsequent_hold_time Integer
        candidate_reachability_required Boolean
      mpls Dictionary
        shared_index Integer Min: 1
Max: 1024
        tunnel_flood_filter_time Integer
      route_target String EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
    encapsulation_dot1q_vlan deprecated Integer VLAN tag to configure on sub-interface. This key is deprecated. Support will be removed in AVD version 6.0.0. Use encapsulation_dot1q.vlan instead.
    encapsulation_dot1q Dictionary Warning: encapsulation_dot1q should not be combined with ethernet_interfaces[].type: l3dot1q or ethernet_interfaces[].type: l2dot1q.
      vlan Integer Required Min: 1
Max: 4094
VLAN ID.
      inner_vlan Integer Min: 1
Max: 4094
Inner VLAN ID. This setting can only be applied to sub-interfaces on EOS.
    encapsulation_vlan Dictionary This setting can only be applied to sub-interfaces on EOS.
Warning: encapsulation_vlan should not be combined with ethernet_interfaces[].type: l3dot1q or ethernet_interfaces[].type: l2dot1q.
      client Dictionary
        dot1q deprecated Dictionary This key is deprecated. Support will be removed in AVD version 6.0.0.
          vlan Integer Min: 1
Max: 4094
Client VLAN ID.
          outer Integer Min: 1
Max: 4094
Client Outer VLAN ID.
          inner Integer Client Inner VLAN ID.
        unmatched deprecated Boolean This key is deprecated. Support will be removed in AVD version 6.0.0.
        encapsulation String Valid Values:
- dot1q
- dot1ad
- unmatched
- untagged
        vlan Integer Min: 1
Max: 4094
Client VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched.
        outer_vlan Integer Min: 1
Max: 4094
Client Outer VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched.
        inner_vlan Integer Min: 1
Max: 4094
Client Inner VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched.
        inner_encapsulation String Valid Values:
- dot1q
- dot1ad
      network Dictionary Network encapsulations are all optional and skipped if using client unmatched.
        dot1q deprecated Dictionary This key is deprecated. Support will be removed in AVD version 6.0.0.
          vlan Integer Min: 1
Max: 4094
Network VLAN ID.
          outer Integer Min: 1
Max: 4094
Network outer VLAN ID.
          inner Integer Min: 1
Max: 4094
Network inner VLAN ID.
        client deprecated Boolean This key is deprecated. Support will be removed in AVD version 6.0.0.
        encapsulation String Valid Values:
- dot1q
- dot1ad
- client
- client inner
- untagged
untagged (no encapsulation) is applicable for untagged client only.
client and client inner (retain client encapsulation) are not applicable for untagged client.
        vlan Integer Min: 1
Max: 4094
Network VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client.
        outer_vlan Integer Min: 1
Max: 4094
Network outer VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client.
        inner_vlan Integer Min: 1
Max: 4094
Network inner VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client.
        inner_encapsulation String Valid Values:
- dot1q
- dot1ad
    vlan_id Integer Min: 1
Max: 4094
This setting can only be applied to sub-interfaces on EOS.
Warning: vlan_id should not be combined with ethernet_interfaces[].type == l2dot1q.
    ip_address String IPv4 address/mask or “dhcp”.
    ip_address_secondaries List, items: String
      - <str> String
    ip_verify_unicast_source_reachable_via String Valid Values:
- any
- rx
    dhcp_client_accept_default_route Boolean Install default-route obtained via DHCP.
    dhcp_server_ipv4 Boolean Enable IPv4 DHCP server.
    dhcp_server_ipv6 Boolean Enable IPv6 DHCP server.
    ip_helpers List, items: Dictionary
      - ip_helper String Required, Unique
        source_interface String Source interface name.
        vrf String VRF name.
    ip_nat Dictionary
      service_profile String NAT interface profile.
      destination Dictionary
        dynamic List, items: Dictionary
          - access_list String Required, Unique
            comment String
            pool_name String Required
            priority Integer Min: 0
Max: 4294967295
        static List, items: Dictionary
          - access_list String ‘access_list’ and ‘group’ are mutually exclusive.
            comment String
            direction String Valid Values:
- egress
- ingress
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            group Integer Min: 1
Max: 65535
‘access_list’ and ‘group’ are mutually exclusive.
            original_ip String IPv4 address. The combination of original_ip and original_port must be unique.
            original_port Integer Min: 1
Max: 65535
TCP/UDP port. The combination of original_ip and original_port must be unique.
            priority Integer Min: 0
Max: 4294967295
            protocol String Valid Values:
- udp
- tcp
            translated_ip String Required IPv4 address.
            translated_port Integer Min: 1
Max: 65535
Requires ‘original_port’.
      source Dictionary
        dynamic List, items: Dictionary
          - access_list String Required, Unique
            comment String
            nat_type String Required Valid Values:
- overload
- pool
- pool-address-only
- pool-full-cone
            pool_name String Required if ‘nat_type’ is pool, pool-address-only or pool-full-cone.
Ignored if ‘nat_type’ is overload.
            priority Integer Min: 0
Max: 4294967295
        static List, items: Dictionary
          - access_list String ‘access_list’ and ‘group’ are mutually exclusive.
            comment String
            direction String Valid Values:
- egress
- ingress
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            group Integer Min: 1
Max: 65535
‘access_list’ and ‘group’ are mutually exclusive.
            original_ip String IPv4 address. The combination of original_ip and original_port must be unique.
            original_port Integer Min: 1
Max: 65535
TCP/UDP port. The combination of original_ip and original_port must be unique.
            priority Integer Min: 0
Max: 4294967295
            protocol String Valid Values:
- udp
- tcp
            translated_ip String Required IPv4 address.
            translated_port Integer Min: 1
Max: 65535
Requires ‘original_port’.
    ipv6_enable Boolean
    ipv6_address String
    ipv6_address_link_local String Link local IPv6 address/mask.
    ipv6_nd_ra_disabled Boolean
    ipv6_nd_managed_config_flag Boolean
    ipv6_nd_prefixes List, items: Dictionary
      - ipv6_prefix String Required, Unique
        valid_lifetime String Infinite or lifetime in seconds.
        preferred_lifetime String Infinite or lifetime in seconds.
        no_autoconfig_flag Boolean
    ipv6_dhcp_relay_destinations List, items: Dictionary
      - address String Required, Unique DHCP server’s IPv6 address.
        vrf String
        local_interface String Local interface to communicate with DHCP server - mutually exclusive with source_address.
        source_address String Source IPv6 address to communicate with DHCP server - mutually exclusive with local_interface.
        link_address String Override the default link address specified in the relayed DHCP packet.
    access_group_in String Access list name.
    access_group_out String Access list name.
    ipv6_access_group_in String IPv6 access list name.
    ipv6_access_group_out String IPv6 access list name.
    mac_access_group_in String MAC access list name.
    mac_access_group_out String MAC access list name.
    multicast Dictionary Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix but not a combination of both.
      ipv4 Dictionary
        boundaries List, items: Dictionary
          - boundary String ACL name or multicast IP subnet.
            out Boolean
        static Boolean
      ipv6 Dictionary
        boundaries List, items: Dictionary
          - boundary String ACL name or multicast IP subnet.
        static Boolean
    ospf_network_point_to_point Boolean
    ospf_area String
    ospf_cost Integer
    ospf_authentication String Valid Values:
- none
- simple
- message-digest
    ospf_authentication_key String Encrypted password - only type 7 supported.
    ospf_message_digest_keys List, items: Dictionary
      - id Integer Required, Unique
        hash_algorithm String Valid Values:
- md5
- sha1
- sha256
- sha384
- sha512
        key String Encrypted password - only type 7 supported.
    pim Dictionary
      ipv4 Dictionary
        border_router Boolean Configure PIM border router. EOS default is false.
        dr_priority Integer Min: 0
Max: 429467295
        sparse_mode Boolean
        bfd Boolean Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
        bidirectional Boolean
        hello Dictionary
          count String Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
          interval Integer Min: 1
Max: 65535
PIM hello interval in seconds.
    mac_security Dictionary
      profile String
    tcp_mss_ceiling Dictionary The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.
      ipv4_segment_size Integer Min: 64
Max: 65475
      ipv6_segment_size Integer Min: 64
Max: 65475
      direction String Valid Values:
- egress
- ingress
    channel_group Dictionary
      id Integer
      mode String Valid Values:
- on
- active
- passive
    isis_enable String ISIS instance.
    isis_bfd Boolean Enable BFD for ISIS.
    isis_passive Boolean
    isis_metric Integer
    isis_network_point_to_point Boolean
    isis_circuit_type String Valid Values:
- level-1-2
- level-1
- level-2
    isis_hello_padding Boolean
    isis_authentication_mode deprecated String Valid Values:
- text
- md5
This key is deprecated. Support will be removed in AVD version v6.0.0. Use isis_authentication.both.mode or isis_authentication.level_1.mode or isis_authentication.level_2.mode instead.
    isis_authentication_key deprecated String Type-7 encrypted password. This key is deprecated. Support will be removed in AVD version v6.0.0. Use isis_authentication.both.key or isis_authentication.level_1.key or isis_authentication.level_2.key instead.
    isis_authentication Dictionary This key should not be mixed with ethernet_interfaces[].isis_authentication_mode or ethernet_interfaces[].isis_authentication_key.
      both Dictionary Authentication settings for level-1 and level-2. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings.
        key_type String Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
        key String Password string. key_type is required for this setting.
        key_ids List, items: Dictionary
          - id Integer Required, Unique Min: 1
Max: 65535
Configure authentication key-id.
            algorithm String Required Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
            key_type String Required Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
            key String Required Password string.
            rfc_5310 Boolean SHA digest computation according to rfc5310.
        mode String Valid Values:
- md5
- sha
- text
- shared-secret
Authentication mode.
        sha Dictionary Required settings for authentication mode ‘sha’.
          key_id Integer Required Min: 1
Max: 65535
        shared_secret Dictionary Required settings for authentication mode ‘shared_secret’.
          profile String Required
          algorithm String Required Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
        rx_disabled Boolean Disable authentication check on the receive side.
      level_1 Dictionary Authentication settings for level-1. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings.
        key_type String Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
        key String Password string. key_type is required for this setting.
        key_ids List, items: Dictionary
          - id Integer Required, Unique Min: 1
Max: 65535
Configure authentication key-id.
            algorithm String Required Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
            key_type String Required Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
            key String Required Password string.
            rfc_5310 Boolean SHA digest computation according to rfc5310.
        mode String Valid Values:
- md5
- sha
- text
- shared-secret
Authentication mode.
        sha Dictionary Required settings for authentication mode ‘sha’.
          key_id Integer Required Min: 1
Max: 65535
        shared_secret Dictionary Required settings for authentication mode ‘shared_secret’.
          profile String Required
          algorithm String Required Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
        rx_disabled Boolean Disable authentication check on the receive side.
      level_2 Dictionary Authentication settings for level-2. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings.
        key_type String Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
        key String Password string. key_type is required for this setting.
        key_ids List, items: Dictionary
          - id Integer Required, Unique Min: 1
Max: 65535
Configure authentication key-id.
            algorithm String Required Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
            key_type String Required Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
            key String Required Password string.
            rfc_5310 Boolean SHA digest computation according to rfc5310.
        mode String Valid Values:
- md5
- sha
- text
- shared-secret
Authentication mode.
        sha Dictionary Required settings for authentication mode ‘sha’.
          key_id Integer Required Min: 1
Max: 65535
        shared_secret Dictionary Required settings for authentication mode ‘shared_secret’.
          profile String Required
          algorithm String Required Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
        rx_disabled Boolean Disable authentication check on the receive side.
    poe Dictionary
      disabled Boolean False Disable PoE on a PoE-capable port. PoE is enabled on all ports that support it by default in EOS.
      priority String Valid Values:
- critical
- high
- medium
- low
Prioritize a port’s power in the event that one of the switch’s power supplies loses power.
      reboot Dictionary Set the PoE power behavior for a PoE port when the system is rebooted.
        action String Valid Values:
- maintain
- power-off
PoE action for interface.
      link_down Dictionary Set the PoE power behavior for a PoE port when the port goes down.
        action String Valid Values:
- maintain
- power-off
PoE action for interface.
        power_off_delay Integer Min: 1
Max: 86400
Number of seconds to delay shutting the power off after a link down event occurs. Default value is 5 seconds in EOS.
      shutdown Dictionary Set the PoE power behavior for a PoE port when the port is admin down.
        action String Valid Values:
- maintain
- power-off
PoE action for interface.
      limit Dictionary Override the hardware-negotiated power limit using either wattage or a power class. Note that if using a power class, AVD will automatically convert the class value to the wattage value corresponding to that power class.
        class Integer Min: 0
Max: 8
        watts String
        fixed Boolean Set to ignore hardware classification.
      negotiation_lldp Boolean Disable to prevent port from negotiating power with powered devices over LLDP. Enabled by default in EOS.
      legacy_detect Boolean Allow a subset of legacy devices to work with the PoE switch. Disabled by default in EOS because it can cause false positive detections.
    ptp Dictionary
      enable Boolean
      announce Dictionary
        interval Integer
        timeout Integer
      delay_req Integer
      delay_mechanism String Valid Values:
- e2e
- p2p
      profile Dictionary
        g8275_1 Dictionary
          destination_mac_address String Valid Values:
- forwardable
- non-forwardable
      sync_message Dictionary
        interval Integer
      role String Valid Values:
- master
- dynamic
      vlan String VLAN can be ‘all’ or list of vlans as string.
      transport String Valid Values:
- ipv4
- ipv6
- layer2
    profile String Interface profile.
    storm_control Dictionary
      all Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field; hardware dependent.
      broadcast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field; hardware dependent.
      multicast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field; hardware dependent.
      unknown_unicast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field; hardware dependent.
    logging Dictionary
      event Dictionary
        link_status Boolean
        congestion_drops Boolean
        spanning_tree Boolean
        storm_control_discards Boolean Discards due to storm-control.
    lldp Dictionary
      transmit Boolean
      receive Boolean
      ztp_vlan Integer ZTP vlan number.
    trunk_private_vlan_secondary deprecated Boolean This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.private_vlan_secondary instead.
    pvlan_mapping deprecated String List of vlans as string. This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.pvlan_mapping instead.
    vlan_translations deprecated List, items: Dictionary This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.vlan_translations instead.
      - from String List of vlans as string (only one vlan if direction is “both”).
        to Integer VLAN ID.
        direction String both Valid Values:
- in
- out
- both
    dot1x Dictionary 802.1x
      port_control String Valid Values:
- auto
- force-authorized
- force-unauthorized
      port_control_force_authorized_phone Boolean
      reauthentication Boolean
      pae Dictionary
        mode String Valid Values:
- authenticator
      authentication_failure Dictionary
        action String Valid Values:
- allow
- drop
        allow_vlan Integer Min: 1
Max: 4094
      host_mode Dictionary
        mode String Valid Values:
- multi-host
- single-host
        multi_host_authenticated Boolean
      mac_based_authentication Dictionary
        enabled Boolean
        always Boolean
        host_mode_common Boolean
      mac_based_access_list Boolean Operate interface in per-mac access-list mode.
      timeout Dictionary
        idle_host Integer Min: 10
Max: 65535
        quiet_period Integer Min: 1
Max: 65535
        reauth_period String Value can be 60-4294967295 or ‘server’.
        reauth_timeout_ignore Boolean
        tx_period Integer Min: 1
Max: 65535
      reauthorization_request_limit Integer Min: 1
Max: 10
      unauthorized Dictionary
        access_vlan_membership_egress Boolean
        native_vlan_membership_egress Boolean
      eapol Dictionary
        disabled Boolean
        authentication_failure_fallback_mba Dictionary
          enabled Boolean
          timeout Integer Min: 0
Max: 65535
      aaa Dictionary
        unresponsive Dictionary Configure AAA timeout options.
          eap_response String Valid Values:
- success
- disabled
EAP response to send. EOS default is success.
          action Dictionary Set action for supplicant when AAA times out.
            traffic_allow_access_list String Name of standard access-list to apply when AAA times out.
            apply_cached_results Boolean Use results from a previous AAA response.
            cached_results_timeout Dictionary
              time_duration Integer Min: 1 Enable caching for a specific duration -
<1-10000> duration in days
<1-14400000> duration in minutes
<1-240000> duration in hours
<1-864000000> duration in seconds
              time_duration_unit String Required Valid Values:
- days
- hours
- minutes
- seconds
            apply_alternate Boolean Apply alternate action if primary action fails.
e.g. aaa unresponsive action apply cached-results else traffic allow
            traffic_allow Boolean Set action for supplicant traffic when AAA times out.
            traffic_allow_vlan Integer Min: 1
Max: 4094
          phone_action Dictionary Set action for supplicant when AAA times out.
            apply_cached_results Boolean Use results from a previous AAA response.
            cached_results_timeout Dictionary
              time_duration Integer Min: 1 Enable caching for a specific duration -
<1-10000> duration in days
<1-14400000> duration in minutes
<1-240000> duration in hours
<1-864000000> duration in seconds
              time_duration_unit String Required Valid Values:
- days
- hours
- minutes
- seconds
            apply_alternate Boolean Apply alternate action if primary action fails.
e.g. aaa unresponsive phone action apply cached-results else traffic allow
            traffic_allow Boolean Set action for supplicant traffic when AAA times out.
    service_profile String QOS profile.
    shape Dictionary
      rate String Rate in kbps, pps or percent.
Supported options are platform dependent.
Examples:
- “5000 kbps”
- “1000 pps”
- “20 percent”
    qos Dictionary
      trust String Valid Values:
- dscp
- cos
- disabled
      dscp Integer DSCP value.
      cos Integer COS value.
    spanning_tree_bpdufilter String Valid Values:
- enabled
- disabled
- True
- False
- true
- false
    spanning_tree_bpduguard String Valid Values:
- enabled
- disabled
- True
- False
- true
- false
    spanning_tree_guard String Valid Values:
- loop
- root
- disabled
    spanning_tree_portfast String Valid Values:
- edge
- network
    vmtracer Boolean
    priority_flow_control Dictionary
      enabled Boolean
      priorities List, items: Dictionary
        - priority Integer Required, Unique Min: 0
Max: 7
          no_drop Boolean
    bfd Dictionary
      echo Boolean
      interval Integer Interval in milliseconds.
      min_rx Integer Rate in milliseconds.
      multiplier Integer Min: 3
Max: 50
    service_policy Dictionary
      pbr Dictionary
        input String Policy Based Routing Policy-map name.
      qos Dictionary
        input String Required Quality of Service Policy-map name.
    mpls Dictionary
      ip Boolean
      ldp Dictionary
        interface Boolean
        igp_sync Boolean
    lacp_timer Dictionary
      mode String Valid Values:
- fast
- normal
      multiplier Integer Min: 3
Max: 3000
    lacp_port_priority Integer Min: 0
Max: 65535
    transceiver Dictionary
      frequency String Transceiver Laser Frequency in GHz (min 190000, max 200000).
      frequency_unit String Valid Values:
- ghz
Unit of Transceiver Laser Frequency.
      media Dictionary
        override String Transceiver type.
    ip_proxy_arp Boolean
    traffic_policy Dictionary
      input String Ingress traffic policy.
      output String Egress traffic policy.
    bgp Dictionary
      session_tracker String Name of session tracker.
    ip_igmp_host_proxy Dictionary
      enabled Boolean
      groups List, items: Dictionary
        - group String Required, Unique Multicast Address.
          exclude List, items: Dictionary The same source must not be present both in exclude and include list.
            - source String Required, Unique
          include List, items: Dictionary The same source must not be present both in exclude and include list.
            - source String Required, Unique
      report_interval Integer Min: 1
Max: 31744
Time interval between unsolicited reports.
      access_lists List, items: Dictionary Non-standard Access List name.
        - name String Required, Unique
      version Integer Min: 1
Max: 3
IGMP version on IGMP host-proxy interface.
    peer String Key only used for documentation or validation purposes.
    peer_interface String Key only used for documentation or validation purposes.
    peer_type String Key only used for documentation or validation purposes.
    sflow Dictionary
      enable Boolean
      egress Dictionary
        enable Boolean
        unmodified_enable Boolean
    sync_e Dictionary
      enable Boolean
      priority String The priority is used to influence the reference clock selection. The EOS default priority is 127. The priority can be configured to any integer between 1-255, or set to disabled.
    port_profile String Key only used for documentation or validation purposes.
    uc_tx_queues List, items: Dictionary
      - id Integer Required, Unique TX-Queue ID.
        random_detect Dictionary
          ecn Dictionary Explicit Congestion Notification.
            count Boolean Enable counter for random-detect ECNs.
            threshold Dictionary
              units String Required Valid Values:
- segments
- bytes
- kbytes
- mbytes
- milliseconds
Indicate the units to be used for the threshold values.
              min Integer Required Min: 1
Max: 256000000
Set the random-detect ECN minimum-threshold.
              max Integer Required Min: 1
Max: 256000000
Set the random-detect ECN maximum-threshold.
              max_probability Integer Min: 1
Max: 100
Set the random-detect ECN max-mark-probability.
              weight Integer Min: 0
Max: 15
Set the random-detect ECN weight.
    tx_queues List, items: Dictionary
      - id Integer Required, Unique TX-Queue ID.
        random_detect Dictionary
          ecn Dictionary Explicit Congestion Notification.
            count Boolean Enable counter for random-detect ECNs.
            threshold Dictionary
              units String Required Valid Values:
- segments
- bytes
- kbytes
- mbytes
- milliseconds
Indicate the units to be used for the threshold values.
              min Integer Min: 1
Max: 256000000
Set the random-detect ECN minimum-threshold.
              max Integer Required Min: 1
Max: 256000000
Set the random-detect ECN maximum-threshold.
              max_probability Integer Required Min: 1
Max: 100
Set the random-detect ECN max-mark-probability.
              weight Integer Min: 0
Max: 15
Set the random-detect ECN weight.
    vrrp_ids List, items: Dictionary VRRP model.
      - id Integer Required, Unique VRID.
        priority_level Integer Min: 1
Max: 254
Instance priority.
        advertisement Dictionary
          interval Integer Min: 1
Max: 255
Interval in seconds.
        preempt Dictionary
          enabled Boolean Required
          delay Dictionary
            minimum Integer Min: 0
Max: 3600
Minimum preempt delay in seconds.
            reload Integer Min: 0
Max: 3600
Reload preempt delay in seconds.
        timers Dictionary
          delay Dictionary
            reload Integer Min: 0
Max: 3600
Delay after reload in seconds.
        tracked_object List, items: Dictionary
          - name String Required, Unique Tracked object name.
            decrement Integer Min: 1
Max: 254
Decrement VRRP priority by 1-254.
            shutdown Boolean
        ipv4 Dictionary
          address String Required Virtual IPv4 address.
          version Integer Valid Values:
- 2
- 3
        ipv6 Dictionary
          address String Required Virtual IPv6 address.
    validate_state Boolean Set to false to disable interface state and LLDP topology validation performed by the eos_validate_state role.
    validate_lldp Boolean Set to false to disable the LLDP topology validation performed by the eos_validate_state role.
    switchport Dictionary This should not be combined with ethernet_interfaces[].type = switched/routed.
      enabled Boolean Warning: This should not be combined with ethernet_interfaces[].type = routed.
      mode String Valid Values:
- access
- dot1q-tunnel
- trunk
- trunk phone
Warning: This should not be combined with ethernet_interfaces[].mode.
      access_vlan Integer Min: 1
Max: 4094
Set VLAN when interface is in access mode.
Warning: This should not be combined with ethernet_interfaces[].mode = access/dot1q-tunnel and ethernet_interfaces[].vlans.
      trunk Dictionary
        allowed_vlan String VLAN ID or range(s) of VLAN IDs.
Warning: This should not be combined with ethernet_interfaces[].mode = trunk and ethernet_interfaces[].vlans.
        native_vlan Integer Min: 1
Max: 4094
Set native VLAN when interface is in trunking mode.
Warning: This should not be combined with ethernet_interfaces[].native_vlan.
        native_vlan_tag Boolean If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
Warning: This should not be combined with ethernet_interfaces[].native_vlan_tag.
        private_vlan_secondary Boolean Enable secondary VLAN mapping for a private vlan.
Warning: This should not be combined with ethernet_interfaces[].trunk_private_vlan_secondary.
        groups List, items: String Warning: This should not be combined with ethernet_interfaces[].trunk_groups.
          - <str> String Trunk group name.
      phone Dictionary Warning: This should not be combined with ethernet_interfaces[].phone.
        vlan Integer Min: 1
Max: 4094
Warning: This should not be combined with ethernet_interfaces[].phone.vlan.
        trunk String Valid Values:
- tagged
- tagged phone
- untagged
- untagged phone
Warning: This should not be combined with ethernet_interfaces[].phone.trunk.
      pvlan_mapping String Secondary VLAN IDs of the private VLAN mapping.
Warning: This should not be combined with ethernet_interfaces[].pvlan_mapping.
      dot1q Dictionary
        ethertype Integer Min: 1536
Max: 65535
Ethertype/TPID (Tag Protocol IDentifier) for VLAN tagged frames.
        vlan_tag String Valid Values:
- disallowed
- required
Allow/disallow VLAN tagged frames.
      source_interface String Valid Values:
- tx
- tx multicast
tx: Allow bridged traffic to go out of the source interface.
tx multicast: Allow multicast traffic only to go out of the source interface.
      vlan_translations Dictionary VLAN Translation mappings.
Warning: This should not be combined with ethernet_interfaces[].vlan_translations.
        in_required Boolean Drop the ingress traffic that does not match any VLAN mapping.
        out_required Boolean Drop the egress traffic that does not match any VLAN mapping.
        direction_in List, items: Dictionary Map ingress traffic only.
          - from String Required VLAN ID or range of VLAN IDs to map from. Range 1-4094.
            to Integer Required Min: 1
Max: 4094
VLAN ID to map to.
            dot1q_tunnel Boolean
            inner_vlan_from Integer Min: 1
Max: 4094
Inner VLAN ID to map from.
        direction_out List, items: Dictionary Map egress traffic only.
          - from String Required VLAN ID or range of VLAN IDs to map from. Range 1-4094.
            to Integer Min: 1
Max: 4094
VLAN ID to map to.
            dot1q_tunnel_to String VLAN ID or range of VLAN IDs or “all”. Range 1-4094.
This takes precedence over to and inner_vlan_to.
            inner_vlan_to Integer Min: 1
Max: 4094
Inner VLAN ID to map to.
        direction_both List, items: Dictionary Map both egress and ingress traffic.
          - from String Required VLAN ID or range of VLAN IDs to map from. Range 1-4094.
            to Integer Required Min: 1
Max: 4094
VLAN ID to map to.
            dot1q_tunnel Boolean
            inner_vlan_from Integer Min: 1
Max: 4094
Inner VLAN ID to map from.
            network Boolean Enable use of network-side VLAN ID.
This setting can only be enabled when inner_vlan_from is defined.
      vlan_forwarding_accept_all Boolean
      backup_link Dictionary
        interface String Backup interface. Example - Ethernet4, Vlan10 etc.
        prefer_vlan String VLANs to carry on the backup interface (1-4094).
      backup Dictionary The backup_link is required for this setting.
        dest_macaddr String Format: mac Destination MAC address for MAC move updates.
The mac address should be multicast or broadcast.
Example: 01:00:00:00:00:00
        initial_mac_move_delay Integer Min: 0
Max: 65535
Initial MAC move delay in milliseconds.
        mac_move_burst Integer Min: 0
Max: 65535
Size of MAC move bursts.
        mac_move_burst_interval Integer Min: 0
Max: 65535
MAC move burst interval in milliseconds.
        preemption_delay Integer Min: 0
Max: 65535
Preemption delay in milliseconds.
      port_security Dictionary
        enabled Boolean
        mac_address_maximum Dictionary Maximum number of MAC addresses allowed on the interface.
          disabled Boolean Disable port level check for port security (only in violation ‘shutdown’ mode).
          limit Integer Min: 1
Max: 1000
MAC address limit.
        violation Dictionary Configure violation mode (shutdown or protect), EOS default is ‘shutdown’.
          mode String Valid Values:
- shutdown
- protect
Configure port security mode.
          protect_log Boolean Log new addresses seen after limit is reached in protect mode.
        vlan_default_mac_address_maximum Integer Min: 0
Max: 1000
Default maximum MAC addresses for all VLANs on this interface.
        vlans List, items: Dictionary
          - range String Required, Unique VLAN ID or range(s) of VLAN IDs, <1-4094>.
Example:
- 3
- 1,3
- 1-10
            mac_address_maximum Integer Required
    eos_cli String Multiline EOS CLI rendered directly on the ethernet interface in the final EOS configuration.
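The "should not be combined" warnings in the table above, together with the deprecation notes and dependency rules in the YAML schema, can be checked mechanically before a configuration is rendered. The Python lint below is an added example, not part of arista.avd or its schema validation; the function names, finding codes and sample interfaces are constructed for illustration.

```python
"""Lint ethernet_interfaces entries for combinations this page warns against.

Added example: not part of arista.avd. All names here are hypothetical.
"""

# Deprecated interface-level key -> replacement path(s), taken from the
# deprecation notes and "should not be combined" warnings on this page.
DEPRECATED_TO_SWITCHPORT = {
    "vlans": ["switchport.access_vlan", "switchport.trunk.allowed_vlan"],
    "native_vlan": ["switchport.trunk.native_vlan"],
    "native_vlan_tag": ["switchport.trunk.native_vlan_tag"],
    "mode": ["switchport.mode"],
    "phone": ["switchport.phone"],
    "trunk_groups": ["switchport.trunk.groups"],
    "trunk_private_vlan_secondary": ["switchport.trunk.private_vlan_secondary"],
    "pvlan_mapping": ["switchport.pvlan_mapping"],
    "vlan_translations": ["switchport.vlan_translations"],
}


def get_path(data, dotted):
    """Return the value at a dotted path, or None when any segment is missing."""
    for part in dotted.split("."):
        if not isinstance(data, dict) or part not in data:
            return None
        data = data[part]
    return data


def lint_interface(intf):
    """Return (interface, code, detail) findings for one interface entry."""
    name = intf.get("name", "<unnamed>")
    findings = []

    # Old and new data model set at once: the rendered VLAN config is ambiguous.
    for old, new_paths in DEPRECATED_TO_SWITCHPORT.items():
        if old not in intf:
            continue
        clashes = [p for p in new_paths if get_path(intf, p) is not None]
        if clashes:
            findings.append((name, "conflict", f"{old} combined with {', '.join(clashes)}"))
        else:
            findings.append((name, "deprecated", f"{old}: use {' or '.join(new_paths)}"))

    sw = intf.get("switchport", {})
    # "The backup_link is required for this setting."
    if "backup" in sw and "backup_link" not in sw:
        findings.append((name, "dependency", "switchport.backup requires switchport.backup_link"))
    # "network" can only be enabled when inner_vlan_from is defined.
    for entry in sw.get("vlan_translations", {}).get("direction_both", []):
        if entry.get("network") and "inner_vlan_from" not in entry:
            findings.append((name, "dependency", "direction_both network requires inner_vlan_from"))
    # port_security.mac_address_maximum.limit is documented as 1-1000.
    limit = get_path(sw, "port_security.mac_address_maximum.limit")
    if limit is not None and not 1 <= limit <= 1000:
        findings.append((name, "range", f"port_security limit {limit} outside 1-1000"))

    # Static NAT rules: access_list/group are exclusive, translated_port needs original_port.
    for direction in ("source", "destination"):
        for rule in get_path(intf, f"ip_nat.{direction}.static") or []:
            if "access_list" in rule and "group" in rule:
                findings.append((name, "exclusive", f"ip_nat.{direction}.static: access_list and group"))
            if "translated_port" in rule and "original_port" not in rule:
                findings.append((name, "dependency", f"ip_nat.{direction}.static: translated_port requires original_port"))
    return findings


def lint(interfaces):
    """Lint every entry of an ethernet_interfaces list."""
    return [f for intf in interfaces for f in lint_interface(intf)]


# Constructed sample input (already parsed from YAML into Python structures).
SAMPLE = [
    {"name": "Ethernet1",
     "switchport": {"mode": "trunk",
                    "trunk": {"native_vlan": 10, "groups": ["UPLINK"]},
                    "port_security": {"enabled": True,
                                      "mac_address_maximum": {"limit": 2},
                                      "violation": {"mode": "shutdown"}}}},
    {"name": "Ethernet2",
     "mode": "trunk",
     "native_vlan": 1,  # deprecated key, clashes with switchport.trunk.native_vlan
     "switchport": {"trunk": {"native_vlan": 999},
                    "backup": {"preemption_delay": 100}}},
    {"name": "Ethernet3",
     "switchport": {"vlan_translations": {"direction_both": [
                        {"from": "10", "to": 20, "network": True}]},
                    "port_security": {"mac_address_maximum": {"limit": 5000}}},
     "ip_nat": {"source": {"static": [
         {"access_list": "ACL1", "group": 3,
          "translated_ip": "192.0.2.1", "translated_port": 443}]}}},
]

if __name__ == "__main__":
    for interface, code, detail in lint(SAMPLE):
        print(f"{interface}: [{code}] {detail}")
```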
ethernet_interfaces:
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>

    # Interval in seconds for updating interface counters.
    load_interval: <int; 0-600>

    # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
    speed: <str>
    mtu: <int; 68-65535>

    # "l2_mtu" should only be defined for platforms supporting the "l2 mtu" CLI.
    l2_mtu: <int; 68-65535>

    # "l2_mru" should only be defined for platforms supporting the "l2 mru" CLI.
    l2_mru: <int; 68-65535>

    # List of switchport vlans as string.
    # For a trunk port this would be a range like "1-200,300".
    # For an access port this would be a single vlan "123".
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.access_vlan` or `switchport.trunk.allowed_vlan` instead.
    vlans: <str>
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.trunk.native_vlan` instead.
    native_vlan: <int>

    # If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.trunk.native_vlan_tag` instead.
    native_vlan_tag: <bool>
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.mode` instead.
    mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.phone` instead.
    phone:
      trunk: <str; "tagged" | "tagged phone" | "untagged" | "untagged phone">
      vlan: <int; 1-4094>
    l2_protocol:

      # Vlan tag to configure on sub-interface.
      encapsulation_dot1q_vlan: <int>

      # L2 protocol forwarding profile.
      forwarding_profile: <str>

    # header: Insert timestamp in ethernet header. Supported on platforms like 7500E/R and 7280E/R.
    # before-fcs: Insert timestamp before fcs field. Supported on platforms like 7150.
    # replace-fcs: Replace fcs field with timestamp.
    mac_timestamp: <str; "before-fcs" | "replace-fcs" | "header">
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.trunk.groups` instead.
    trunk_groups:
      - <str>

    # l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
    # The `type = switched/routed` should not be combined with `switchport`.
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # See [here](https://avd.arista.com/5.x/docs/porting-guides/5.x.x.html#removal-of-type-key-dependency-for-rendering-ethernetport-channel-interfaces-configuration-and-documentation) for details.
    type: <str; "routed" | "switched" | "l3dot1q" | "l2dot1q" | "port-channel-member">
    snmp_trap_link_change: <bool>
    address_locking:

      # Enable address locking for IPv4.
      ipv4: <bool>

      # Enable address locking for IPv6.
      ipv6: <bool>
    flowcontrol:
      received: <str; "desired" | "on" | "off">

    # VRF name.
    vrf: <str>
    flow_tracker:

      # Sampled flow tracker name.
      sampled: <str>

      # Hardware flow tracker name.
      hardware: <str>
    error_correction_encoding:
      enabled: <bool; default=True>
      fire_code: <bool>
      reed_solomon: <bool>
    link_tracking_groups:

        # Group name.
      - name: <str; required; unique>
        direction: <str; "upstream" | "downstream">
    link_tracking:
      direction: <str; "upstream" | "downstream">

      # Link state group(s) an interface belongs to.
      groups:

          # Group names.
        - <str>
    evpn_ethernet_segment:

      # EVPN Ethernet Segment Identifier (Type 1 format).
      identifier: <str>
      redundancy: <str; "all-active" | "single-active">
      designated_forwarder_election:
        algorithm: <str; "modulus" | "preference">

        # Preference_value is only used when "algorithm" is "preference".
        preference_value: <int; 0-65535>

        # Dont_preempt is only used when "algorithm" is "preference".
        dont_preempt: <bool>
        hold_time: <int>
        subsequent_hold_time: <int>
        candidate_reachability_required: <bool>
      mpls:
        shared_index: <int; 1-1024>
        tunnel_flood_filter_time: <int>

      # EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
      route_target: <str>

    # VLAN tag to configure on sub-interface.
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `encapsulation_dot1q.vlan` instead.
    encapsulation_dot1q_vlan: <int>

    # Warning: `encapsulation_dot1q` should not be combined with `ethernet_interfaces[].type: l3dot1q` or `ethernet_interfaces[].type: l2dot1q`.
    encapsulation_dot1q:

      # VLAN ID.
      vlan: <int; 1-4094; required>

      # Inner VLAN ID. This setting can only be applied to sub-interfaces on EOS.
      inner_vlan: <int; 1-4094>

    # This setting can only be applied to sub-interfaces on EOS.
    # Warning: `encapsulation_vlan` should not be combined with `ethernet_interfaces[].type: l3dot1q` or `ethernet_interfaces[].type: l2dot1q`.
    encapsulation_vlan:
      client:
        # This key is deprecated.
        # Support will be removed in AVD version 6.0.0.
        dot1q:

          # Client VLAN ID.
          vlan: <int; 1-4094>

          # Client Outer VLAN ID.
          outer: <int; 1-4094>

          # Client Inner VLAN ID.
          inner: <int>
        # This key is deprecated.
        # Support will be removed in AVD version 6.0.0.
        unmatched: <bool>
        encapsulation: <str; "dot1q" | "dot1ad" | "unmatched" | "untagged">

        # Client VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
        vlan: <int; 1-4094>

        # Client Outer VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
        outer_vlan: <int; 1-4094>

        # Client Inner VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
        inner_vlan: <int; 1-4094>
        inner_encapsulation: <str; "dot1q" | "dot1ad">

      # Network encapsulations are all optional and skipped if using client unmatched.
      network:
        # This key is deprecated.
        # Support will be removed in AVD version 6.0.0.
        dot1q:

          # Network VLAN ID.
          vlan: <int; 1-4094>

          # Network outer VLAN ID.
          outer: <int; 1-4094>

          # Network inner VLAN ID.
          inner: <int; 1-4094>
        # This key is deprecated.
        # Support will be removed in AVD version 6.0.0.
        client: <bool>

        # `untagged` (no encapsulation) is applicable for `untagged` client only.
        # `client` and `client inner` (retain client encapsulation) is not applicable for `untagged` client.
        encapsulation: <str; "dot1q" | "dot1ad" | "client" | "client inner" | "untagged">

        # Network VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
        vlan: <int; 1-4094>

        # Network outer VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
        outer_vlan: <int; 1-4094>

        # Network inner VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
        inner_vlan: <int; 1-4094>
        inner_encapsulation: <str; "dot1q" | "dot1ad">

    # This setting can only be applied to sub-interfaces on EOS.
    # Warning: `vlan_id` should not be combined with `ethernet_interfaces[].type == l2dot1q`.
    vlan_id: <int; 1-4094>

    # IPv4 address/mask or "dhcp".
    ip_address: <str>
    ip_address_secondaries:
      - <str>
    ip_verify_unicast_source_reachable_via: <str; "any" | "rx">

    # Install default-route obtained via DHCP.
    dhcp_client_accept_default_route: <bool>

    # Enable IPv4 DHCP server.
    dhcp_server_ipv4: <bool>

    # Enable IPv6 DHCP server.
    dhcp_server_ipv6: <bool>
    ip_helpers:
      - ip_helper: <str; required; unique>

        # Source interface name.
        source_interface: <str>

        # VRF name.
        vrf: <str>
    ip_nat:

      # NAT interface profile.
      service_profile: <str>
      destination:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            pool_name: <str; required>
            priority: <int; 0-4294967295>
        static:

            # 'access_list' and 'group' are mutually exclusive.
          - access_list: <str>
            comment: <str>

            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">

            # 'access_list' and 'group' are mutually exclusive.
            group: <int; 1-65535>

            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>

            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">

            # IPv4 address.
            translated_ip: <str; required>

            # requires 'original_port'.
            translated_port: <int; 1-65535>
      source:
        dynamic:
          - access_list: <str; required; unique>
            comment: <str>
            nat_type: <str; "overload" | "pool" | "pool-address-only" | "pool-full-cone"; required>

            # required if 'nat_type' is pool, pool-address-only or pool-full-cone.
            # ignored if 'nat_type' is overload.
            pool_name: <str>
            priority: <int; 0-4294967295>
        static:

            # 'access_list' and 'group' are mutually exclusive.
          - access_list: <str>
            comment: <str>

            # Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
            # EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            direction: <str; "egress" | "ingress">

            # 'access_list' and 'group' are mutually exclusive.
            group: <int; 1-65535>

            # IPv4 address. The combination of `original_ip` and `original_port` must be unique.
            original_ip: <str>

            # TCP/UDP port. The combination of `original_ip` and `original_port` must be unique.
            original_port: <int; 1-65535>
            priority: <int; 0-4294967295>
            protocol: <str; "udp" | "tcp">

            # IPv4 address.
            translated_ip: <str; required>

            # requires 'original_port'.
            translated_port: <int; 1-65535>
    ipv6_enable: <bool>
    ipv6_address: <str>

    # Link local IPv6 address/mask.
    ipv6_address_link_local: <str>
    ipv6_nd_ra_disabled: <bool>
    ipv6_nd_managed_config_flag: <bool>
    ipv6_nd_prefixes:
      - ipv6_prefix: <str; required; unique>

        # Infinite or lifetime in seconds.
        valid_lifetime: <str>

        # Infinite or lifetime in seconds.
        preferred_lifetime: <str>
        no_autoconfig_flag: <bool>
    ipv6_dhcp_relay_destinations:

        # DHCP server's IPv6 address.
      - address: <str; required; unique>
        vrf: <str>

        # Local interface to communicate with DHCP server - mutually exclusive to source_address.
        local_interface: <str>

        # Source IPv6 address to communicate with DHCP server - mutually exclusive to local_interface.
        source_address: <str>

        # Override the default link address specified in the relayed DHCP packet.
        link_address: <str>

    # Access list name.
    access_group_in: <str>

    # Access list name.
    access_group_out: <str>

    # IPv6 access list name.
    ipv6_access_group_in: <str>

    # IPv6 access list name.
    ipv6_access_group_out: <str>

    # MAC access list name.
    mac_access_group_in: <str>

    # MAC access list name.
    mac_access_group_out: <str>

    # Boundaries can be either 1 ACL or a list of multicast IP address_range(s)/prefix, but not a combination of both.
    multicast:
      ipv4:
        boundaries:

            # ACL name or multicast IP subnet.
          - boundary: <str>
            out: <bool>
        static: <bool>
      ipv6:
        boundaries:

            # ACL name or multicast IP subnet.
          - boundary: <str>
        static: <bool>
    ospf_network_point_to_point: <bool>
    ospf_area: <str>
    ospf_cost: <int>
    ospf_authentication: <str; "none" | "simple" | "message-digest">

    # Encrypted password - only type 7 supported.
    ospf_authentication_key: <str>
    ospf_message_digest_keys:
      - id: <int; required; unique>
        hash_algorithm: <str; "md5" | "sha1" | "sha256" | "sha384" | "sha512">

        # Encrypted password - only type 7 supported.
        key: <str>
    pim:
      ipv4:

        # Configure PIM border router. EOS default is false.
        border_router: <bool>
        dr_priority: <int; 0-429467295>
        sparse_mode: <bool>

        # Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
        bfd: <bool>
        bidirectional: <bool>
        hello:

          # Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
          count: <str>

          # PIM hello interval in seconds.
          interval: <int; 1-65535>
    mac_security:
      profile: <str>

    # The TCP MSS clamping feature involves clamping the maximum segment size (MSS) in the TCP header
    # of TCP SYN packets if it exceeds the configured MSS ceiling limit for the interface.
    tcp_mss_ceiling:
      ipv4_segment_size: <int; 64-65475>
      ipv6_segment_size: <int; 64-65475>
      direction: <str; "egress" | "ingress">
    channel_group:
      id: <int>
      mode: <str; "on" | "active" | "passive">

    # ISIS instance.
    isis_enable: <str>

    # Enable BFD for ISIS.
    isis_bfd: <bool>
    isis_passive: <bool>
    isis_metric: <int>
    isis_network_point_to_point: <bool>
    isis_circuit_type: <str; "level-1-2" | "level-1" | "level-2">
    isis_hello_padding: <bool>
    # This key is deprecated.
    # Support will be removed in AVD version v6.0.0.
    # Use `isis_authentication.both.mode` or `isis_authentication.level_1.mode` or `isis_authentication.level_2.mode` instead.
    isis_authentication_mode: <str; "text" | "md5">

    # Type-7 encrypted password.
    # This key is deprecated.
    # Support will be removed in AVD version v6.0.0.
    # Use `isis_authentication.both.key` or `isis_authentication.level_1.key` or `isis_authentication.level_2.key` instead.
    isis_authentication_key: <str>

    # This key should not be mixed with ethernet_interfaces[].isis_authentication_mode or ethernet_interfaces[].isis_authentication_key.
    isis_authentication:

      # Authentication settings for level-1 and level-2. 'both' takes precedence over 'level_1' and 'level_2' settings.
      both:

        # Configure authentication key type.
        key_type: <str; "0" | "7" | "8a">

        # Password string. `key_type` is required for this setting.
        key: <str>
        key_ids:

            # Configure authentication key-id.
          - id: <int; 1-65535; required; unique>
            algorithm: <str; "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>

            # Configure authentication key type.
            key_type: <str; "0" | "7" | "8a"; required>

            # Password string.
            key: <str; required>

            # SHA digest computation according to rfc5310.
            rfc_5310: <bool>

        # Authentication mode.
        mode: <str; "md5" | "sha" | "text" | "shared-secret">

        # Required settings for authentication mode 'sha'.
        sha:
          key_id: <int; 1-65535; required>

        # Required settings for authentication mode 'shared_secret'.
        shared_secret:
          profile: <str; required>
          algorithm: <str; "md5" | "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>

        # Disable authentication check on the receive side.
        rx_disabled: <bool>

      # Authentication settings for level-1. 'both' takes precedence over 'level_1' and 'level_2' settings.
      level_1:

        # Configure authentication key type.
        key_type: <str; "0" | "7" | "8a">

        # Password string. `key_type` is required for this setting.
        key: <str>
        key_ids:

            # Configure authentication key-id.
          - id: <int; 1-65535; required; unique>
            algorithm: <str; "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>

            # Configure authentication key type.
            key_type: <str; "0" | "7" | "8a"; required>

            # Password string.
            key: <str; required>

            # SHA digest computation according to rfc5310.
            rfc_5310: <bool>

        # Authentication mode.
        mode: <str; "md5" | "sha" | "text" | "shared-secret">

        # Required settings for authentication mode 'sha'.
        sha:
          key_id: <int; 1-65535; required>

        # Required settings for authentication mode 'shared_secret'.
        shared_secret:
          profile: <str; required>
          algorithm: <str; "md5" | "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>

        # Disable authentication check on the receive side.
        rx_disabled: <bool>

      # Authentication settings for level-2. 'both' takes precedence over 'level_1' and 'level_2' settings.
      level_2:

        # Configure authentication key type.
        key_type: <str; "0" | "7" | "8a">

        # Password string. `key_type` is required for this setting.
        key: <str>
        key_ids:

            # Configure authentication key-id.
          - id: <int; 1-65535; required; unique>
            algorithm: <str; "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>

            # Configure authentication key type.
            key_type: <str; "0" | "7" | "8a"; required>

            # Password string.
            key: <str; required>

            # SHA digest computation according to rfc5310.
            rfc_5310: <bool>

        # Authentication mode.
        mode: <str; "md5" | "sha" | "text" | "shared-secret">

        # Required settings for authentication mode 'sha'.
        sha:
          key_id: <int; 1-65535; required>

        # Required settings for authentication mode 'shared_secret'.
        shared_secret:
          profile: <str; required>
          algorithm: <str; "md5" | "sha-1" | "sha-224" | "sha-256" | "sha-384" | "sha-512"; required>

        # Disable authentication check on the receive side.
        rx_disabled: <bool>
    poe:

      # Disable PoE on a POE capable port. PoE is enabled on all ports that support it by default in EOS.
      disabled: <bool; default=False>

      # Prioritize a port's power in the event that one of the switch's power supplies loses power.
      priority: <str; "critical" | "high" | "medium" | "low">

      # Set the PoE power behavior for a PoE port when the system is rebooted.
      reboot:

        # PoE action for interface.
        action: <str; "maintain" | "power-off">

      # Set the PoE power behavior for a PoE port when the port goes down.
      link_down:

        # PoE action for interface.
        action: <str; "maintain" | "power-off">

        # Number of seconds to delay shutting the power off after a link down event occurs. Default value is 5 seconds in EOS.
        power_off_delay: <int; 1-86400>

      # Set the PoE power behavior for a PoE port when the port is admin down.
      shutdown:

        # PoE action for interface.
        action: <str; "maintain" | "power-off">

      # Override the hardware-negotiated power limit using either wattage or a power class. Note that if using a power class, AVD will automatically convert the class value to the wattage value corresponding to that power class.
      limit:
        class: <int; 0-8>
        watts: <str>

        # Set to ignore hardware classification.
        fixed: <bool>

      # Disable to prevent port from negotiating power with powered devices over LLDP. Enabled by default in EOS.
      negotiation_lldp: <bool>

      # Allow a subset of legacy devices to work with the PoE switch. Disabled by default in EOS because it can cause false positive detections.
      legacy_detect: <bool>
    ptp:
      enable: <bool>
      announce:
        interval: <int>
        timeout: <int>
      delay_req: <int>
      delay_mechanism: <str; "e2e" | "p2p">
      profile:
        g8275_1:
          destination_mac_address: <str; "forwardable" | "non-forwardable">
      sync_message:
        interval: <int>
      role: <str; "master" | "dynamic">

      # VLAN can be 'all' or list of vlans as string.
      vlan: <str>
      transport: <str; "ipv4" | "ipv6" | "layer2">

    # Interface profile.
    profile: <str>
    storm_control:
      all:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      broadcast:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      multicast:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
      unknown_unicast:

        # Configure maximum storm-control level.
        level: <str>

        # Optional field and is hardware dependent.
        unit: <str; "percent" | "pps"; default="percent">
    logging:
      event:
        link_status: <bool>
        congestion_drops: <bool>
        spanning_tree: <bool>

        # Discards due to storm-control.
        storm_control_discards: <bool>
    lldp:
      transmit: <bool>
      receive: <bool>

      # ZTP vlan number.
      ztp_vlan: <int>
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.trunk.private_vlan_secondary` instead.
    trunk_private_vlan_secondary: <bool>

    # List of vlans as string.
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.pvlan_mapping` instead.
    pvlan_mapping: <str>
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.vlan_translations` instead.
    vlan_translations:

        # List of vlans as string (only one vlan if direction is "both").
      - from: <str>

        # VLAN ID.
        to: <int>
        direction: <str; "in" | "out" | "both"; default="both">

    # 802.1x
    dot1x:
      port_control: <str; "auto" | "force-authorized" | "force-unauthorized">
      port_control_force_authorized_phone: <bool>
      reauthentication: <bool>
      pae:
        mode: <str; "authenticator">
      authentication_failure:
        action: <str; "allow" | "drop">
        allow_vlan: <int; 1-4094>
      host_mode:
        mode: <str; "multi-host" | "single-host">
        multi_host_authenticated: <bool>
      mac_based_authentication:
        enabled: <bool>
        always: <bool>
        host_mode_common: <bool>

      # Operate interface in per-mac access-list mode.
      mac_based_access_list: <bool>
      timeout:
        idle_host: <int; 10-65535>
        quiet_period: <int; 1-65535>

        # Value can be 60-4294967295 or 'server'.
        reauth_period: <str>
        reauth_timeout_ignore: <bool>
        tx_period: <int; 1-65535>
      reauthorization_request_limit: <int; 1-10>
      unauthorized:
        access_vlan_membership_egress: <bool>
        native_vlan_membership_egress: <bool>
      eapol:
        disabled: <bool>
        authentication_failure_fallback_mba:
          enabled: <bool>
          timeout: <int; 0-65535>
      aaa:

        # Configure AAA timeout options.
        unresponsive:

          # EAP response to send. EOS default is `success`.
          eap_response: <str; "success" | "disabled">

          # Set action for supplicant when AAA times out.
          action:

            # Name of standard access-list to apply when AAA times out.
            traffic_allow_access_list: <str>

            # Use results from a previous AAA response.
            apply_cached_results: <bool>
            cached_results_timeout:

              # Enable caching for a specific duration -
              # <1-10000>      duration in days
              # <1-14400000>   duration in minutes
              # <1-240000>     duration in hours
              # <1-864000000>  duration in seconds
              time_duration: <int; >=1>
              time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>

            # Apply alternate action if primary action fails.
            # eg. aaa unresponsive action apply cached-results else traffic allow
            apply_alternate: <bool>

            # Set action for supplicant traffic when AAA times out.
            traffic_allow: <bool>
            traffic_allow_vlan: <int; 1-4094>

          # Set action for supplicant when AAA times out.
          phone_action:

            # Use results from a previous AAA response.
            apply_cached_results: <bool>
            cached_results_timeout:

              # Enable caching for a specific duration -
              # <1-10000>      duration in days
              # <1-14400000>   duration in minutes
              # <1-240000>     duration in hours
              # <1-864000000>  duration in seconds
              time_duration: <int; >=1>
              time_duration_unit: <str; "days" | "hours" | "minutes" | "seconds"; required>

            # Apply alternate action if primary action fails.
            # eg. aaa unresponsive phone action apply cached-results else traffic allow
            apply_alternate: <bool>

            # Set action for supplicant traffic when AAA times out.
            traffic_allow: <bool>

    # QOS profile.
    service_profile: <str>
    shape:

      # Rate in kbps, pps or percent.
      # Supported options are platform dependent.
      # Examples:
      # - "5000 kbps"
      # - "1000 pps"
      # - "20 percent"
      rate: <str>
    qos:
      trust: <str; "dscp" | "cos" | "disabled">

      # DSCP value.
      dscp: <int>

      # COS value.
      cos: <int>
    spanning_tree_bpdufilter: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
    spanning_tree_bpduguard: <str; "enabled" | "disabled" | "True" | "False" | "true" | "false">
    spanning_tree_guard: <str; "loop" | "root" | "disabled">
    spanning_tree_portfast: <str; "edge" | "network">
    vmtracer: <bool>
    priority_flow_control:
      enabled: <bool>
      priorities:
        - priority: <int; 0-7; required; unique>
          no_drop: <bool>
    bfd:
      echo: <bool>

      # Interval in milliseconds.
      interval: <int>

      # Rate in milliseconds.
      min_rx: <int>
      multiplier: <int; 3-50>
    service_policy:
      pbr:

        # Policy Based Routing Policy-map name.
        input: <str>
      qos:

        # Quality of Service Policy-map name.
        input: <str; required>
    mpls:
      ip: <bool>
      ldp:
        interface: <bool>
        igp_sync: <bool>
    lacp_timer:
      mode: <str; "fast" | "normal">
      multiplier: <int; 3-3000>
    lacp_port_priority: <int; 0-65535>
    transceiver:

      # Transceiver Laser Frequency in GHz (min 190000, max 200000).
      frequency: <str>

      # Unit of Transceiver Laser Frequency.
      frequency_unit: <str; "ghz">
      media:

        # Transceiver type.
        override: <str>
    ip_proxy_arp: <bool>
    traffic_policy:

      # Ingress traffic policy.
      input: <str>

      # Egress traffic policy.
      output: <str>
    bgp:

      # Name of session tracker.
      session_tracker: <str>
    ip_igmp_host_proxy:
      enabled: <bool>
      groups:

          # Multicast Address.
        - group: <str; required; unique>

          # The same source must not be present both in `exclude` and `include` list.
          exclude:
            - source: <str; required; unique>

          # The same source must not be present both in `exclude` and `include` list.
          include:
            - source: <str; required; unique>

      # Time interval between unsolicited reports.
      report_interval: <int; 1-31744>

      # Non-standard Access List name.
      access_lists:
        - name: <str; required; unique>

      # IGMP version on IGMP host-proxy interface.
      version: <int; 1-3>

    # Key only used for documentation or validation purposes.
    peer: <str>

    # Key only used for documentation or validation purposes.
    peer_interface: <str>

    # Key only used for documentation or validation purposes.
    peer_type: <str>
    sflow:
      enable: <bool>
      egress:
        enable: <bool>
        unmodified_enable: <bool>
    sync_e:
      enable: <bool>

      # The priority is used to influence the reference clock selection. The EOS default priority is 127. The priority can be configured to any integer between 1-255, or set to `disabled`.
      priority: <str>

    # Key only used for documentation or validation purposes.
    port_profile: <str>
    uc_tx_queues:

        # TX-Queue ID.
      - id: <int; required; unique>
        random_detect:

          # Explicit Congestion Notification.
          ecn:

            # Enable counter for random-detect ECNs.
            count: <bool>
            threshold:

              # Indicate the units to be used for the threshold values.
              units: <str; "segments" | "bytes" | "kbytes" | "mbytes" | "milliseconds"; required>

              # Set the random-detect ECN minimum-threshold.
              min: <int; 1-256000000; required>

              # Set the random-detect ECN maximum-threshold.
              max: <int; 1-256000000; required>

              # Set the random-detect ECN max-mark-probability.
              max_probability: <int; 1-100>

              # Set the random-detect ECN weight.
              weight: <int; 0-15>
    tx_queues:

        # TX-Queue ID.
      - id: <int; required; unique>
        random_detect:

          # Explicit Congestion Notification.
          ecn:

            # Enable counter for random-detect ECNs.
            count: <bool>
            threshold:

              # Indicate the units to be used for the threshold values.
              units: <str; "segments" | "bytes" | "kbytes" | "mbytes" | "milliseconds"; required>

              # Set the random-detect ECN minimum-threshold.
              min: <int; 1-256000000>

              # Set the random-detect ECN maximum-threshold.
              max: <int; 1-256000000; required>

              # Set the random-detect ECN max-mark-probability.
              max_probability: <int; 1-100; required>

              # Set the random-detect ECN weight.
              weight: <int; 0-15>

    # VRRP model.
    vrrp_ids:

        # VRID.
      - id: <int; required; unique>

        # Instance priority.
        priority_level: <int; 1-254>
        advertisement:

          # Interval in seconds.
          interval: <int; 1-255>
        preempt:
          enabled: <bool; required>
          delay:

            # Minimum preempt delay in seconds.
            minimum: <int; 0-3600>

            # Reload preempt delay in seconds.
            reload: <int; 0-3600>
        timers:
          delay:

            # Delay after reload in seconds.
            reload: <int; 0-3600>
        tracked_object:

            # Tracked object name.
          - name: <str; required; unique>

            # Decrement VRRP priority by 1-254.
            decrement: <int; 1-254>
            shutdown: <bool>
        ipv4:

          # Virtual IPv4 address.
          address: <str; required>
          version: <int; 2 | 3>
        ipv6:

          # Virtual IPv6 address.
          address: <str; required>

    # Set to false to disable interface state and LLDP topology validation performed by the `eos_validate_state` role.
    validate_state: <bool>

    # Set to false to disable the LLDP topology validation performed by the `eos_validate_state` role.
    validate_lldp: <bool>

    # This should not be combined with `ethernet_interfaces[].type = switched/routed`.
    switchport:

      # Warning: This should not be combined with `ethernet_interfaces[].type = routed`.
      enabled: <bool>

      # Warning: This should not be combined with `ethernet_interfaces[].mode`.
      mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">

      # Set VLAN when interface is in access mode.
      # Warning: This should not be combined with `ethernet_interfaces[].mode = access/dot1q-tunnel` and `ethernet_interfaces[].vlans`.
      access_vlan: <int; 1-4094>
      trunk:

        # VLAN ID or range(s) of VLAN IDs.
        # Warning: This should not be combined with `ethernet_interfaces[].mode = trunk` and `ethernet_interfaces[].vlans`.
        allowed_vlan: <str>

        # Set native VLAN when interface is in trunking mode.
        # Warning: This should not be combined with `ethernet_interfaces[].native_vlan`.
        native_vlan: <int; 1-4094>

        # If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
        # Warning: This should not be combined with `ethernet_interfaces[].native_vlan_tag`.
        native_vlan_tag: <bool>

        # Enable secondary VLAN mapping for a private vlan.
        # Warning: This should not be combined with `ethernet_interfaces[].trunk_private_vlan_secondary`.
        private_vlan_secondary: <bool>

        # Warning: This should not be combined with `ethernet_interfaces[].trunk_groups`.
        groups:

            # Trunk group name.
          - <str>

      # Warning: This should not be combined with `ethernet_interfaces[].phone`.
      phone:

        # Warning: This should not be combined with `ethernet_interfaces[].phone.vlan`.
        vlan: <int; 1-4094>

        # Warning: This should not be combined with `ethernet_interfaces[].phone.trunk`.
        trunk: <str; "tagged" | "tagged phone" | "untagged" | "untagged phone">

      # Secondary VLAN IDs of the private VLAN mapping.
      # Warning: This should not be combined with `ethernet_interfaces[].pvlan_mapping`.
      pvlan_mapping: <str>
      dot1q:

        # Ethertype/TPID (Tag Protocol IDentifier) for VLAN tagged frames.
        ethertype: <int; 1536-65535>

        # Allow/disallow VLAN tagged frames.
        vlan_tag: <str; "disallowed" | "required">

      # tx: Allow bridged traffic to go out of the source interface.
      # tx multicast: Allow multicast traffic only to go out of the source interface.
      source_interface: <str; "tx" | "tx multicast">

      # VLAN Translation mappings.
      # Warning: This should not be combined with `ethernet_interfaces[].vlan_translations`.
      vlan_translations:

        # Drop the ingress traffic that does not match any VLAN mapping.
        in_required: <bool>

        # Drop the egress traffic that does not match any VLAN mapping.
        out_required: <bool>

        # Map ingress traffic only.
        direction_in:

            # VLAN ID or range of VLAN IDs to map from. Range 1-4094.
          - from: <str; required>

            # VLAN ID to map to.
            to: <int; 1-4094; required>
            dot1q_tunnel: <bool>

            # Inner VLAN ID to map from.
            inner_vlan_from: <int; 1-4094>

        # Map egress traffic only.
        direction_out:

            # VLAN ID or range of VLAN IDs to map from. Range 1-4094.
          - from: <str; required>

            # VLAN ID to map to.
            to: <int; 1-4094>

            # VLAN ID or range of VLAN IDs or "all". Range 1-4094.
            # This takes precedence over `to` and `inner_vlan_to`.
            dot1q_tunnel_to: <str>

            # Inner VLAN ID to map to.
            inner_vlan_to: <int; 1-4094>

        # Map both egress and ingress traffic.
        direction_both:

            # VLAN ID or range of VLAN IDs to map from. Range 1-4094.
          - from: <str; required>

            # VLAN ID to map to.
            to: <int; 1-4094; required>
            dot1q_tunnel: <bool>

            # Inner VLAN ID to map from.
            inner_vlan_from: <int; 1-4094>

            # Enable use of network-side VLAN ID.
            # This setting can only be enabled when `inner_vlan_from` is defined.
            network: <bool>
      vlan_forwarding_accept_all: <bool>
      backup_link:

        # Backup interface. Example - Ethernet4, Vlan10 etc.
        interface: <str>

        # VLANs to carry on the backup interface (1-4094).
        prefer_vlan: <str>

      # The `backup_link` is required for this setting.
      backup:

        # Destination MAC address for MAC move updates.
        # The mac address should be multicast or broadcast.
        # Example: 01:00:00:00:00:00
        dest_macaddr: <str>

        # Initial MAC move delay in milliseconds.
        initial_mac_move_delay: <int; 0-65535>

        # Size of MAC move bursts.
        mac_move_burst: <int; 0-65535>

        # MAC move burst interval in milliseconds.
        mac_move_burst_interval: <int; 0-65535>

        # Preemption delay in milliseconds.
        preemption_delay: <int; 0-65535>
      port_security:
        enabled: <bool>

        # Maximum number of MAC addresses allowed on the interface.
        mac_address_maximum:

          # Disable port level check for port security (only in violation 'shutdown' mode).
          disabled: <bool>

          # MAC address limit.
          limit: <int; 1-1000>

        # Configure violation mode (shutdown or protect), EOS default is 'shutdown'.
        violation:

          # Configure port security mode.
          mode: <str; "shutdown" | "protect">

          # Log new addresses seen after limit is reached in protect mode.
          protect_log: <bool>

        # Default maximum MAC addresses for all VLANs on this interface.
        vlan_default_mac_address_maximum: <int; 0-1000>
        vlans:

            # VLAN ID or range(s) of VLAN IDs, <1-4094>.
            # Example:
            #   - 3
            #   - 1,3
            #   - 1-10
          - range: <str; required; unique>
            mac_address_maximum: <int; required>

    # Multiline EOS CLI rendered directly on the ethernet interface in the final EOS configuration.
    eos_cli: <str>
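
The comments in the `ethernet_interfaces` model above state several cross-field rules: legacy keys versus `switchport`, `backup` needing `backup_link`, `network` needing `inner_vlan_from`, the port-security violation mode, and IGMP host-proxy sources. The Python lint below is an added example, not part of AVD; the function names, the finding strings and the sample interface are assumptions constructed for illustration.

```python
# Added example (not AVD code): lint one `ethernet_interfaces` item against
# rules that the model above states only in comments.

# (path under `switchport`, legacy top-level key) pairs from the
# "should not be combined with" warnings.
LEGACY_CONFLICTS = [
    (("mode",), "mode"),
    (("trunk", "native_vlan"), "native_vlan"),
    (("trunk", "native_vlan_tag"), "native_vlan_tag"),
    (("trunk", "private_vlan_secondary"), "trunk_private_vlan_secondary"),
    (("trunk", "groups"), "trunk_groups"),
    (("phone",), "phone"),
    (("pvlan_mapping",), "pvlan_mapping"),
    (("vlan_translations",), "vlan_translations"),
]


def _dig(data, path):
    """Follow `path` through nested dicts; None if any level is missing."""
    for key in path:
        if not isinstance(data, dict) or key not in data:
            return None
        data = data[key]
    return data


def lint_ethernet_interface(intf):
    """Return a list of finding strings for one ethernet_interfaces item."""
    name = intf.get("name", "<unnamed>")
    sw = intf.get("switchport") or {}
    findings = []

    # New `switchport` keys mixed with their legacy top-level equivalents.
    for path, legacy in LEGACY_CONFLICTS:
        if _dig(sw, path) is not None and intf.get(legacy) is not None:
            findings.append(
                f"{name}: switchport.{'.'.join(path)} combined with legacy '{legacy}'"
            )
    if sw.get("enabled") is not None and intf.get("type") == "routed":
        findings.append(f"{name}: switchport.enabled combined with type 'routed'")

    # `backup` settings are only valid together with `backup_link`.
    if sw.get("backup") and not sw.get("backup_link"):
        findings.append(f"{name}: switchport.backup set without switchport.backup_link")

    # `network` in a direction_both mapping needs `inner_vlan_from`.
    for entry in _dig(sw, ("vlan_translations", "direction_both")) or []:
        if entry.get("network") and entry.get("inner_vlan_from") is None:
            findings.append(
                f"{name}: vlan translation from {entry.get('from')}: "
                "'network' set without 'inner_vlan_from'"
            )

    # Port security: the page ties `disabled` to violation mode 'shutdown'
    # (the EOS default when no mode is given).
    mode = _dig(sw, ("port_security", "violation", "mode")) or "shutdown"
    if _dig(sw, ("port_security", "mac_address_maximum", "disabled")) and mode != "shutdown":
        findings.append(
            f"{name}: port_security.mac_address_maximum.disabled with violation mode '{mode}'"
        )

    # IGMP host proxy: a source may be in `include` or `exclude`, never both.
    for group in _dig(intf, ("ip_igmp_host_proxy", "groups")) or []:
        included = {s["source"] for s in group.get("include") or []}
        excluded = {s["source"] for s in group.get("exclude") or []}
        for source in sorted(included & excluded):
            findings.append(
                f"{name}: igmp group {group.get('group')}: "
                f"source {source} in both include and exclude"
            )
    return findings


# Constructed sample input: one interface that breaks five of the rules.
SAMPLE_INTERFACE = {
    "name": "Ethernet5",
    "mode": "access",  # legacy key, duplicated by switchport.mode below
    "switchport": {
        "mode": "access",
        "access_vlan": 110,
        "backup": {"preemption_delay": 500},  # no backup_link defined
        "port_security": {
            "enabled": True,
            "mac_address_maximum": {"disabled": True, "limit": 2},
            "violation": {"mode": "protect", "protect_log": True},
        },
        "vlan_translations": {
            "direction_both": [{"from": "20", "to": 30, "network": True}],
        },
    },
    "ip_igmp_host_proxy": {
        "enabled": True,
        "groups": [{
            "group": "239.1.1.1",
            "include": [{"source": "10.0.0.1"}, {"source": "10.0.0.2"}],
            "exclude": [{"source": "10.0.0.2"}],
        }],
    },
}

if __name__ == "__main__":
    for finding in lint_ethernet_interface(SAMPLE_INTERFACE):
        print(finding)
```

Run it over the loaded host variables before rendering, so a port-security or VLAN setting that conflicts with another key is caught in review rather than on the device.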

Interface defaults

Variable Type Required Default Value Restrictions Description
interface_defaults Dictionary
  ethernet Dictionary
    shutdown Boolean
  mtu Integer
interface_defaults:
  ethernet:
    shutdown: <bool>
  mtu: <int>

Interface profiles

Variable Type Required Default Value Restrictions Description
interface_profiles List, items: Dictionary
  - name String Required, Unique Interface-Profile Name.
    commands List, items: String Required
      - <str> String EOS CLI interface command.
Example: “switchport mode access”
interface_profiles:

    # Interface-Profile Name.
  - name: <str; required; unique>
    commands: # required

        # EOS CLI interface command.
        # Example: "switchport mode access"
      - <str>

LACP

Variable Type Required Default Value Restrictions Description
lacp Dictionary Set Link Aggregation Control Protocol (LACP) parameters.
  port_id Dictionary LACP port-ID range configuration.
    range Dictionary
      begin Integer Minimum LACP port-ID range.
      end Integer Maximum LACP port-ID range.
  rate_limit Dictionary Set LACPDU rate limit options.
    default Boolean Enable LACPDU rate limiting by default on all ports.
  system_priority Integer Min: 0
Max: 65535
Set local system LACP priority.
# Set Link Aggregation Control Protocol (LACP) parameters.
lacp:

  # LACP port-ID range configuration.
  port_id:
    range:

      # Minimum LACP port-ID range.
      begin: <int>

      # Maximum LACP port-ID range.
      end: <int>

  # Set LACPDU rate limit options.
  rate_limit:

    # Enable LACPDU rate limiting by default on all ports.
    default: <bool>

  # Set local system LACP priority.
  system_priority: <int; 0-65535>

Link tracking groups

Variable Type Required Default Value Restrictions Description
link_tracking_groups List, items: Dictionary
  - name String Required, Unique
    links_minimum Integer Min: 1
Max: 100000
    recovery_delay Integer Min: 0
Max: 3600
link_tracking_groups:
  - name: <str; required; unique>
    links_minimum: <int; 1-100000>
    recovery_delay: <int; 0-3600>

LLDP

Variable Type Required Default Value Restrictions Description
lldp Dictionary
  timer Integer
  timer_reinitialization String
  holdtime Integer
  management_address String
  vrf String
  receive_packet_tagged_drop String
  tlvs List, items: Dictionary
    - name String Required, Unique Valid Values:
- link-aggregation
- management-address
- max-frame-size
- med
- port-description
- port-vlan
- power-via-mdi
- system-capabilities
- system-description
- system-name
- vlan-name
      transmit Boolean
  run Boolean
lldp:
  timer: <int>
  timer_reinitialization: <str>
  holdtime: <int>
  management_address: <str>
  vrf: <str>
  receive_packet_tagged_drop: <str>
  tlvs:
    - name: <str; "link-aggregation" | "management-address" | "max-frame-size" | "med" | "port-description" | "port-vlan" | "power-via-mdi" | "system-capabilities" | "system-description" | "system-name" | "vlan-name"; required; unique>
      transmit: <bool>
  run: <bool>

Loopback interfaces

Variable Type Required Default Value Restrictions Description
loopback_interfaces List, items: Dictionary
  - name String Required, Unique Loopback interface name e.g. “Loopback0”.
    description String
    shutdown Boolean
    vrf String VRF name.
    ip_address String IPv4_address/Mask.
    ip_address_secondaries List, items: String
      - <str> String IPv4_address/Mask.
    ipv6_enable Boolean
    ipv6_address String IPv6_address/Mask.
    ip_proxy_arp Boolean
    ospf_area String
    mpls Dictionary
      ldp Dictionary
        interface Boolean
    isis_enable String ISIS instance name.
    isis_bfd Boolean Enable BFD for ISIS.
    isis_passive Boolean
    isis_metric Integer
    isis_network_point_to_point Boolean
    node_segment Dictionary
      ipv4_index Integer
      ipv6_index Integer
    eos_cli String EOS CLI rendered directly on the loopback interface in the final EOS configuration.
loopback_interfaces:

    # Loopback interface name e.g. "Loopback0".
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>

    # VRF name.
    vrf: <str>

    # IPv4_address/Mask.
    ip_address: <str>
    ip_address_secondaries:

        # IPv4_address/Mask.
      - <str>
    ipv6_enable: <bool>

    # IPv6_address/Mask.
    ipv6_address: <str>
    ip_proxy_arp: <bool>
    ospf_area: <str>
    mpls:
      ldp:
        interface: <bool>

    # ISIS instance name.
    isis_enable: <str>

    # Enable BFD for ISIS.
    isis_bfd: <bool>
    isis_passive: <bool>
    isis_metric: <int>
    isis_network_point_to_point: <bool>
    node_segment:
      ipv4_index: <int>
      ipv6_index: <int>

    # EOS CLI rendered directly on the loopback interface in the final EOS configuration.
    eos_cli: <str>

Management interfaces

Variable Type Required Default Value Restrictions Description
management_interfaces List, items: Dictionary
  - name String Required, Unique Management Interface Name.
    description String
    shutdown Boolean
    speed String Speed should be set in the format <interface_speed> or forced <interface_speed> or auto <interface_speed>.
    mtu Integer
    vrf String VRF Name.
    ip_address String IPv4_address/Mask.
    ipv6_enable Boolean
    ipv6_address String IPv6_address/Mask.
    type String oob Valid Values:
- oob
- inband
For documentation purposes only.
    gateway String IPv4 address of default gateway in management VRF.
    ipv6_gateway String IPv6 address of default gateway in management VRF.
    mac_address String MAC address.
    lldp Dictionary
      transmit Boolean
      receive Boolean
      ztp_vlan Integer ZTP vlan number.
    eos_cli String Multiline EOS CLI rendered directly on the management interface in the final EOS configuration.
management_interfaces:

    # Management Interface Name.
  - name: <str; required; unique>
    description: <str>
    shutdown: <bool>

    # Speed should be set in the format `<interface_speed>` or `forced <interface_speed>` or `auto <interface_speed>`.
    speed: <str>
    mtu: <int>

    # VRF Name.
    vrf: <str>

    # IPv4_address/Mask.
    ip_address: <str>
    ipv6_enable: <bool>

    # IPv6_address/Mask.
    ipv6_address: <str>

    # For documentation purposes only.
    type: <str; "oob" | "inband"; default="oob">

    # IPv4 address of default gateway in management VRF.
    gateway: <str>

    # IPv6 address of default gateway in management VRF.
    ipv6_gateway: <str>

    # MAC address.
    mac_address: <str>
    lldp:
      transmit: <bool>
      receive: <bool>

      # ZTP vlan number.
      ztp_vlan: <int>

    # Multiline EOS CLI rendered directly on the management interface in the final EOS configuration.
    eos_cli: <str>

Patch panel

Variable Type Required Default Value Restrictions Description
patch_panel Dictionary
  connector Dictionary
    interface Dictionary
      patch Dictionary
        bgp_vpws_remote_failure_errdisable Boolean
      recovery Dictionary
        review_delay Dictionary
          min Integer Required Min: 10
Max: 600
Minimum delay.
          max Integer Required Min: 15
Max: 900
Maximum delay.
  patches List, items: Dictionary
    - name String Required, Unique
      enabled Boolean
      connectors List, items: Dictionary Min Length: 2
Max Length: 2
Must have exactly two connectors to a patch of which at least one must be of type “interface”.
        - id String Required, Unique
          type String Required Valid Values:
- interface
- pseudowire
          endpoint String Required String with relevant endpoint depending on type.
Examples:
- “Ethernet1”
- “Ethernet1 dot1q vlan 123”
- “bgp vpws TENANT_A pseudowire VPWS_PW_1”
- “ldp LDP_PW_1”
patch_panel:
  connector:
    interface:
      patch:
        bgp_vpws_remote_failure_errdisable: <bool>
      recovery:
        review_delay:

          # Minimum delay.
          min: <int; 10-600; required>

          # Maximum delay.
          max: <int; 15-900; required>
  patches:
    - name: <str; required; unique>
      enabled: <bool>

      # Must have exactly two connectors to a patch of which at least one must be of type "interface".
      connectors: # 2-2 items
        - id: <str; required; unique>
          type: <str; "interface" | "pseudowire"; required>

          # String with relevant endpoint depending on type.
          # Examples:
          # - "Ethernet1"
          # - "Ethernet1 dot1q vlan 123"
          # - "bgp vpws TENANT_A pseudowire VPWS_PW_1"
          # - "ldp LDP_PW_1"
          endpoint: <str; required>

Port-channel interfaces

Variable Type Required Default Value Restrictions Description
port_channel_interfaces List, items: Dictionary
  - name String Required, Unique
    description String
    profile String Interface profile.
    logging Dictionary
      event Dictionary
        link_status Boolean
        storm_control_discards Boolean Discards due to storm-control.
    shutdown Boolean
    l2_mtu Integer Min: 68
Max: 65535
“l2_mtu” should only be defined for platforms supporting the “l2 mtu” CLI.
    l2_mru Integer Min: 68
Max: 65535
“l2_mru” should only be defined for platforms supporting the “l2 mru” CLI.
    vlans deprecated String List of switchport vlans as string.
For a trunk port this would be a range like “1-200,300”.
For an access port this would be a single vlan “123”.
This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.access_vlan or switchport.trunk.allowed_vlan instead.
    snmp_trap_link_change Boolean
    type deprecated String Valid Values:
- routed
- switched
- l3dot1q
- l2dot1q
l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
Interface will not be listed in device documentation, unless “type” is set.
This key is deprecated. Support will be removed in AVD version 6.0.0. See here for details.
    encapsulation_dot1q_vlan deprecated Integer VLAN tag to configure on sub-interface. This key is deprecated. Support will be removed in AVD version 6.0.0. Use encapsulation_dot1q.vlan instead.
    encapsulation_dot1q Dictionary Warning: encapsulation_dot1q should not be combined with ethernet_interfaces[].type: l3dot1q or ethernet_interfaces[].type: l2dot1q.
      vlan Integer Required Min: 1
Max: 4094
VLAN ID.
      inner_vlan Integer Min: 1
Max: 4094
Inner VLAN ID. This setting can only be applied to sub-interfaces on EOS.
    vrf String VRF name.
    encapsulation_vlan Dictionary This setting can only be applied to sub-interfaces on EOS.
Warning: encapsulation_vlan should not be combined with ethernet_interfaces[].type: l3dot1q or ethernet_interfaces[].type: l2dot1q.
      client Dictionary
        dot1q deprecated Dictionary This key is deprecated. Support will be removed in AVD version 6.0.0.
          vlan Integer Client VLAN ID.
          outer Integer Min: 1
Max: 4094
Client Outer VLAN ID.
          inner Integer Min: 1
Max: 4094
Client Inner VLAN ID.
        unmatched deprecated Boolean This key is deprecated. Support will be removed in AVD version 6.0.0.
        encapsulation String Valid Values:
- dot1q
- dot1ad
- unmatched
- untagged
        vlan Integer Min: 1
Max: 4094
Client VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched.
        outer_vlan Integer Min: 1
Max: 4094
Client Outer VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched.
        inner_vlan Integer Min: 1
Max: 4094
Client Inner VLAN ID. Not applicable for encapsulation: untagged or encapsulation: unmatched.
        inner_encapsulation String Valid Values:
- dot1q
- dot1ad
      network Dictionary Network encapsulation are all optional, and skipped if using client unmatched.
        dot1q deprecated Dictionary This key is deprecated. Support will be removed in AVD version 6.0.0.
          vlan Integer Min: 1
Max: 4094
Network VLAN ID.
          outer Integer Min: 1
Max: 4094
Network Outer VLAN ID.
          inner Integer Min: 1
Max: 4094
Network Inner VLAN ID.
        client deprecated Boolean This key is deprecated. Support will be removed in AVD version 6.0.0.
        encapsulation String Valid Values:
- dot1q
- dot1ad
- client
- client inner
- untagged
untagged (no encapsulation) is applicable for untagged client only.
client and client inner (retain client encapsulation) is not applicable for untagged client.
        vlan Integer Min: 1
Max: 4094
Network VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client.
        outer_vlan Integer Min: 1
Max: 4094
Network outer VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client.
        inner_vlan Integer Min: 1
Max: 4094
Network inner VLAN ID. Not applicable for encapsulation: untagged or encapsulation: client.
        inner_encapsulation String Valid Values:
- dot1q
- dot1ad
    vlan_id Integer Min: 1
Max: 4094
This setting can only be applied to sub-interfaces on EOS.
Warning: vlan_id should not be combined with ethernet_interfaces[].type == l2dot1q.
    mode deprecated String Valid Values:
- access
- dot1q-tunnel
- trunk
- trunk phone
This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.mode instead.
    native_vlan deprecated Integer If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence. This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.native_vlan instead.
    native_vlan_tag deprecated Boolean If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence. This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.native_vlan_tag instead.
    link_tracking_groups List, items: Dictionary
      - name String Required, Unique Group name.
        direction String Valid Values:
- upstream
- downstream
    link_tracking Dictionary
      direction String Valid Values:
- upstream
- downstream
      groups List, items: String Link state group(s) an interface belongs to.
        - <str> String Group names.
    phone deprecated Dictionary This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.phone instead.
      trunk String Valid Values:
- tagged
- untagged
      vlan Integer Min: 1
Max: 4094
    l2_protocol Dictionary
      encapsulation_dot1q_vlan Integer Vlan tag to configure on sub-interface.
      forwarding_profile String L2 protocol forwarding profile.
    mtu Integer Min: 68
Max: 65535
    mlag Integer Min: 1
Max: 2000
MLAG ID.
    trunk_groups deprecated List, items: String This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.groups instead.
      - <str> String
    lacp_fallback_timeout Integer Min: 0
Max: 300
Timeout in seconds. EOS default is 90 seconds.
    lacp_fallback_mode String Valid Values:
- individual
- static
    qos Dictionary
      trust String Valid Values:
- dscp
- cos
- disabled
      dscp Integer DSCP value.
      cos Integer COS value.
    bfd Dictionary
      echo Boolean
      interval Integer Interval in milliseconds.
      min_rx Integer Rate in milliseconds.
      multiplier Integer Min: 3
Max: 50
      neighbor String IPv4 or IPv6 address. When the Port-channel is a L2 interface, a local L3 BFD address (router_bfd.local_address) has to be defined globally on the switch.
      per_link Dictionary
        enabled Boolean
        rfc_7130 Boolean
    service_policy Dictionary
      pbr Dictionary
        input String Policy Based Routing Policy-map name.
      qos Dictionary
        input String Required Quality of Service Policy-map name.
    mpls Dictionary
      ip Boolean
      ldp Dictionary
        interface Boolean
        igp_sync Boolean
    trunk_private_vlan_secondary deprecated Boolean This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.trunk.private_vlan_secondary instead.
    pvlan_mapping deprecated String List of vlans as string. This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.pvlan_mapping instead.
    vlan_translations deprecated List, items: Dictionary This key is deprecated. Support will be removed in AVD version 6.0.0. Use switchport.vlan_translations instead.
      - from String List of vlans as string (only one vlan if direction is “both”).
        to Integer VLAN ID.
        direction String both Valid Values:
- in
- out
- both
    shape Dictionary
      rate String Rate in kbps, pps or percent.
Supported options are platform dependent.
Examples:
- “5000 kbps”
- “1000 pps”
- “20 percent”
    storm_control Dictionary
      all Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
      broadcast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
      multicast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
      unknown_unicast Dictionary
        level String Configure maximum storm-control level.
        unit String percent Valid Values:
- percent
- pps
Optional field and is hardware dependent.
    ip_proxy_arp Boolean
    isis_enable String ISIS instance.
    isis_bfd Boolean Enable BFD for ISIS.
    isis_passive Boolean
    isis_metric Integer
    isis_network_point_to_point Boolean
    isis_circuit_type String Valid Values:
- level-1-2
- level-1
- level-2
    isis_hello_padding Boolean
    isis_authentication_mode deprecated String Valid Values:
- text
- md5
This key is deprecated. Support will be removed in AVD version v6.0.0. Use port_channel_interfaces[].isis_authentication.both.mode or port_channel_interfaces[].isis_authentication.level_1.mode or port_channel_interfaces[].isis_authentication.level_2.mode instead.
    isis_authentication_key deprecated String Type-7 encrypted password. This key is deprecated. Support will be removed in AVD version v6.0.0. Use port_channel_interfaces[].isis_authentication.both.key or port_channel_interfaces[].isis_authentication.level_1.key or port_channel_interfaces[].isis_authentication.level_2.key instead.
    isis_authentication Dictionary This key should not be mixed with port_channel_interfaces[].isis_authentication_mode or ethernet_interfaces[].isis_authentication_key.
      both Dictionary Authentication settings for level-1 and level-2. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings.
        key_type String Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
        key String Password string. key_type is required for this setting.
        key_ids List, items: Dictionary
          - id Integer Required, Unique Min: 1
Max: 65535
Configure authentication key-id.
            algorithm String Required Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
            key_type String Required Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
            key String Required Password string.
            rfc_5310 Boolean SHA digest computation according to rfc5310.
        mode String Valid Values:
- md5
- sha
- text
- shared-secret
Authentication mode.
        sha Dictionary Required settings for authentication mode ‘sha’.
          key_id Integer Required Min: 1
Max: 65535
        shared_secret Dictionary Required settings for authentication mode ‘shared_secret’.
          profile String Required
          algorithm String Required Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
        rx_disabled Boolean Disable authentication check on the receive side.
      level_1 Dictionary Authentication settings for level-1. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings.
        key_type String Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
        key String Password string. key_type is required for this setting.
        key_ids List, items: Dictionary
          - id Integer Required, Unique Min: 1
Max: 65535
Configure authentication key-id.
            algorithm String Required Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
            key_type String Required Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
            key String Required Password string.
            rfc_5310 Boolean SHA digest computation according to rfc5310.
        mode String Valid Values:
- md5
- sha
- text
- shared-secret
Authentication mode.
        sha Dictionary Required settings for authentication mode ‘sha’.
          key_id Integer Required Min: 1
Max: 65535
        shared_secret Dictionary Required settings for authentication mode ‘shared_secret’.
          profile String Required
          algorithm String Required Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
        rx_disabled Boolean Disable authentication check on the receive side.
      level_2 Dictionary Authentication settings for level-2. ‘both’ takes precedence over ‘level_1’ and ‘level_2’ settings.
        key_type String Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
        key String Password string. key_type is required for this setting.
        key_ids List, items: Dictionary
          - id Integer Required, Unique Min: 1
Max: 65535
Configure authentication key-id.
            algorithm String Required Valid Values:
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
            key_type String Required Valid Values:
- 0
- 7
- 8a
Configure authentication key type.
            key String Required Password string.
            rfc_5310 Boolean SHA digest computation according to rfc5310.
        mode String Valid Values:
- md5
- sha
- text
- shared-secret
Authentication mode.
        sha Dictionary Required settings for authentication mode ‘sha’.
          key_id Integer Required Min: 1
Max: 65535
        shared_secret Dictionary Required settings for authentication mode ‘shared_secret’.
          profile String Required
          algorithm String Required Valid Values:
- md5
- sha-1
- sha-224
- sha-256
- sha-384
- sha-512
        rx_disabled Boolean Disable authentication check on the receive side.
    traffic_policy Dictionary
      input String Ingress traffic policy.
      output String Egress traffic policy.
    evpn_ethernet_segment Dictionary
      identifier String EVPN Ethernet Segment Identifier (Type 1 format).
      redundancy String Valid Values:
- all-active
- single-active
      designated_forwarder_election Dictionary
        algorithm String Valid Values:
- modulus
- preference
        preference_value Integer Min: 0
Max: 65535
Preference_value is only used when “algorithm” is “preference”.
        dont_preempt Boolean False Dont_preempt is only used when “algorithm” is “preference”.
        hold_time Integer
        subsequent_hold_time Integer
        candidate_reachability_required Boolean
      mpls Dictionary
        shared_index Integer Min: 1
Max: 1024
        tunnel_flood_filter_time Integer
      route_target String EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
    lacp_id String LACP ID with format xxxx.xxxx.xxxx.
    spanning_tree_bpdufilter String Valid Values:
- enabled
- disabled
- True
- False
- true
- false
    spanning_tree_bpduguard String Valid Values:
- enabled
- disabled
- True
- False
- true
- false
    spanning_tree_guard String Valid Values:
- loop
- root
- disabled
    spanning_tree_portfast String Valid Values:
- edge
- network
    vmtracer Boolean
    ptp Dictionary
      enable Boolean
      announce Dictionary
        interval Integer
        timeout Integer
      delay_req Integer
      delay_mechanism String Valid Values:
- e2e
- p2p
      profile Dictionary
        g8275_1 Dictionary
          destination_mac_address String Valid Values:
- forwardable
- non-forwardable
      sync_message Dictionary
        interval Integer
      role String Valid Values:
- master
- dynamic
      vlan String VLAN can be ‘all’ or list of vlans as string.
      transport String Valid Values:
- ipv4
- ipv6
- layer2
      mpass Boolean When MPASS is enabled on an MLAG port-channel, MLAG peers coordinate to function as a single PTP logical device.
Arista PTP enabled devices always place PTP messages on the same physical link within the port-channel.
Hence, MPASS is needed only on MLAG port-channels connected to non-Arista devices.
    ip_address String IPv4 address/mask.
    ip_verify_unicast_source_reachable_via String Valid Values:
- any
- rx
    ip_nat Dictionary
      destination Dictionary
        dynamic List, items: Dictionary
          - access_list String Required, Unique
            comment String
            pool_name String Required
            priority Integer Min: 0
Max: 4294967295
        static List, items: Dictionary
          - access_list String ‘access_list’ and ‘group’ are mutually exclusive.
            comment String
            direction String Valid Values:
- egress
- ingress
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            group Integer Min: 1
Max: 65535
‘access_list’ and ‘group’ are mutually exclusive.
            original_ip String IPv4 address. The combination of original_ip and original_port must be unique.
            original_port Integer Min: 1
Max: 65535
TCP/UDP port. The combination of original_ip and original_port must be unique.
            priority Integer Min: 0
Max: 4294967295
            protocol String Valid Values:
- udp
- tcp
            translated_ip String Required IPv4 address.
            translated_port Integer Min: 1
Max: 65535
requires ‘original_port’.
      source Dictionary
        dynamic List, items: Dictionary
          - access_list String Required, Unique
            comment String
            nat_type String Required Valid Values:
- overload
- pool
- pool-address-only
- pool-full-cone
            pool_name String required if ‘nat_type’ is pool, pool-address-only or pool-full-cone.
ignored if ‘nat_type’ is overload.
            priority Integer Min: 0
Max: 4294967295
        static List, items: Dictionary
          - access_list String ‘access_list’ and ‘group’ are mutually exclusive.
            comment String
            direction String Valid Values:
- egress
- ingress
Egress or ingress can be the default. This depends on source/destination, EOS version, and hardware platform.
EOS might remove this keyword in the configuration. So, check the configuration on targeted HW/SW.
            group Integer Min: 1
Max: 65535
‘access_list’ and ‘group’ are mutually exclusive.
            original_ip String IPv4 address. The combination of original_ip and original_port must be unique.
            original_port Integer Min: 1
Max: 65535
TCP/UDP port. The combination of original_ip and original_port must be unique.
            priority Integer Min: 0
Max: 4294967295
            protocol String Valid Values:
- udp
- tcp
            translated_ip String Required IPv4 address.
            translated_port Integer Min: 1
Max: 65535
requires ‘original_port’.
    ipv6_enable Boolean
    ipv6_address String IPv6 address/mask.
    ipv6_address_link_local String Link local IPv6 address/mask.
    ipv6_nd_ra_disabled Boolean
    ipv6_nd_managed_config_flag Boolean
    ipv6_nd_prefixes List, items: Dictionary
      - ipv6_prefix String Required, Unique
        valid_lifetime String Infinite or lifetime in seconds.
        preferred_lifetime String Infinite or lifetime in seconds.
        no_autoconfig_flag Boolean
    access_group_in String Access list name.
    access_group_out String Access list name.
    ipv6_access_group_in String IPv6 access list name.
    ipv6_access_group_out String IPv6 access list name.
    mac_access_group_in String MAC access list name.
    mac_access_group_out String MAC access list name.
    pim Dictionary
      ipv4 Dictionary
        border_router Boolean Configure PIM border router. EOS default is false.
        dr_priority Integer Min: 0
Max: 429467295
        sparse_mode Boolean
        bfd Boolean Set the default for whether Bidirectional Forwarding Detection is enabled for PIM.
        bidirectional Boolean
        hello Dictionary
          count String Number of missed hellos after which the neighbor expires. Range <1.5-65535>.
          interval Integer Min: 1
Max: 65535
PIM hello interval in seconds.
    service_profile String QOS profile.
    ospf_network_point_to_point Boolean
    ospf_area String
    ospf_cost Integer
    ospf_authentication String Valid Values:
- none
- simple
- message-digest
    ospf_authentication_key String Encrypted password.
    ospf_message_digest_keys List, items: Dictionary
      - id Integer Required, Unique
        hash_algorithm String Valid Values:
- md5
- sha1
- sha256
- sha384
- sha512
        key String Encrypted password.
    flow_tracker Dictionary
      sampled String Sampled flow tracker name.
      hardware String Hardware flow tracker name.
    bgp Dictionary
      session_tracker String Name of session tracker.
    ip_igmp_host_proxy Dictionary
      enabled Boolean
      groups List, items: Dictionary
        - group String Required, Unique Multicast Address.
          exclude List, items: Dictionary The same source must not be present both in exclude and include list.
            - source String Required, Unique
          include List, items: Dictionary The same source must not be present both in exclude and include list.
            - source String Required, Unique
      report_interval Integer Min: 1
Max: 31744
Time interval between unsolicited reports.
      access_lists List, items: Dictionary Non-standard Access List name.
        - name String Required, Unique
      version Integer Min: 1
Max: 3
IGMP version on IGMP host-proxy interface.
    peer String Key only used for documentation or validation purposes.
    peer_interface String Key only used for documentation or validation purposes.
    peer_type String Key only used for documentation or validation purposes.
    sflow Dictionary
      enable Boolean
      egress Dictionary
        enable Boolean
        unmodified_enable Boolean
    switchport Dictionary
      enabled Boolean Warning: This should not be combined with port_channel_interfaces[].type = routed.
      mode String Valid Values:
- access
- dot1q-tunnel
- trunk
- trunk phone
Warning: This should not be combined with port_channel_interfaces[].mode
      access_vlan Integer Min: 1
Max: 4094
Set VLAN when interface is in access mode.
Warning: This should not be combined with port_channel_interfaces[].mode = access/dot1q-tunnel and port_channel_interface.vlans.
      trunk Dictionary
        allowed_vlan String VLAN ID or range(s) of VLAN IDs (1-4094).
Warning: This should not be combined with port_channel_interfaces[].mode = trunk and port_channel_interfaces[].vlans.
        native_vlan Integer Min: 1
Max: 4094
Set native VLAN when interface is in trunking mode.
Warning: This should not be combined with port_channel_interfaces[].native_vlan.
        native_vlan_tag Boolean If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
Warning: This should not be combined with port_channel_interfaces[].native_vlan_tag.
        private_vlan_secondary Boolean Enable secondary VLAN mapping for a private vlan.
Warning: This should not be combined with port_channel_interfaces[].trunk_private_vlan_secondary.
        groups List, items: String Warning: This should not be combined with port_channel_interfaces[].trunk_groups.
          - <str> String Trunk group name.
      phone Dictionary
        vlan Integer Min: 1
Max: 4094
Warning: This should not be combined with port_channel_interfaces[].phone.vlan.
        trunk String Valid Values:
- tagged
- tagged phone
- untagged
- untagged phone
Warning: This should not be combined with port_channel_interfaces[].phone.trunk
      pvlan_mapping String Secondary VLAN IDs of the private VLAN mapping.
Warning: This should not be combined with port_channel_interfaces[].pvlan_mapping.
      dot1q Dictionary
        ethertype Integer Min: 1536
Max: 65535
Ethertype/TPID (Tag Protocol IDentifier) for VLAN tagged frames.
        vlan_tag String Valid Values:
- disallowed
- required
      source_interface String Valid Values:
- tx
- tx multicast
tx: Allow bridged traffic to go out of the source interface.
tx multicast: Allow multicast traffic only to go out of the source interface.
      vlan_translations Dictionary VLAN Translation mappings.
Warning: This should not be combined with port_channel_interfaces[].vlan_translations.
        in_required Boolean Drop the ingress traffic that does not match any VLAN mapping.
        out_required Boolean Drop the egress traffic that does not match any VLAN mapping.
        direction_in List, items: Dictionary Map ingress traffic only.
          - from String VLAN ID or range of VLAN IDs to map from. Range 1-4094.
            to Integer Min: 1
Max: 4094
VLAN ID to map to.
            dot1q_tunnel Boolean
            inner_vlan_from Integer Min: 1
Max: 4094
Inner VLAN ID to map from.
        direction_out List, items: Dictionary Map egress traffic only.
          - from String Required VLAN ID or range of VLAN IDs to map from. Range 1-4094.
            to Integer Min: 1
Max: 4094
VLAN ID to map to.
            dot1q_tunnel_to String VLAN ID or range of VLAN IDs or “all”. Range 1-4094.
This takes precedence over to and inner_vlan_to.
            inner_vlan_to Integer Min: 1
Max: 4094
Inner VLAN ID to map to.
        direction_both List, items: Dictionary Map both egress and ingress traffic.
          - from String Required VLAN ID or range of VLAN IDs to map from. Range 1-4094.
            to Integer Required Min: 1
Max: 4094
VLAN ID to map to.
            dot1q_tunnel Boolean
            inner_vlan_from Integer Min: 1
Max: 4094
Inner VLAN ID to map from.
            network Boolean Enable use of network-side VLAN ID.
This setting can only be enabled when inner_vlan_from is defined.
      vlan_forwarding_accept_all Boolean
      backup_link Dictionary
        interface String Required Backup interface. Example - Ethernet4, Vlan10 etc.
        prefer_vlan String VLANs to carry on the backup interface (1-4094).
      backup Dictionary The backup_link is required for this setting.
        dest_macaddr String Format: mac Destination MAC address for MAC move updates.
The mac address should be multicast or broadcast.
Example: 01:00:00:00:00:00
        initial_mac_move_delay Integer Min: 0
Max: 65535
Initial MAC move delay in milliseconds.
        mac_move_burst Integer Min: 0
Max: 65535
Size of MAC move bursts.
        mac_move_burst_interval Integer Min: 0
Max: 65535
MAC move burst interval in milliseconds.
        preemption_delay Integer Min: 0
Max: 65535
Preemption delay in milliseconds.
      port_security Dictionary
        enabled Boolean
        mac_address_maximum Dictionary Maximum number of MAC addresses allowed on the interface.
          disabled Boolean Disable port level check for port security (only in violation ‘shutdown’ mode).
          limit Integer Min: 1
Max: 1000
MAC address limit.
        violation Dictionary Configure violation mode (shutdown or protect), EOS default is ‘shutdown’.
          mode String Valid Values:
- shutdown
- protect
Configure port security mode.
          protect_log Boolean Log new addresses seen after limit is reached in protect mode.
        vlan_default_mac_address_maximum Integer Min: 0
Max: 1000
Default maximum MAC addresses for all VLANs on this interface.
        vlans List, items: Dictionary
          - range String Required, Unique VLAN ID or range(s) of VLAN IDs, <1-4094>.
Example:
- 3
- 1,3
- 1-10
            mac_address_maximum Integer
    validate_state Boolean Set to false to disable interface state and LLDP topology validation performed by the eos_validate_state role.
    validate_lldp Boolean Set to false to disable the LLDP topology validation performed by the eos_validate_state role.
    eos_cli String Multiline EOS CLI rendered directly on the port-channel interface in the final EOS configuration.
    esi removed String EVPN Ethernet Segment Identifier (Type 1 format).
This key was removed. Support was removed in AVD version 5.0.0. Use evpn_ethernet_segment.identifier instead.
    rt removed String EVPN Route Target for ESI with format xx:xx:xx:xx:xx:xx.
This key was removed. Support was removed in AVD version 5.0.0. Use evpn_ethernet_segment.route_target instead.
port_channel_interfaces:
  - name: <str; required; unique>
    description: <str>

    # Interface profile.
    profile: <str>
    logging:
      event:
        link_status: <bool>

        # Discards due to storm-control.
        storm_control_discards: <bool>
    shutdown: <bool>

    # "l2_mtu" should only be defined for platforms supporting the "l2 mtu" CLI.
    l2_mtu: <int; 68-65535>

    # "l2_mru" should only be defined for platforms supporting the "l2 mru" CLI.
    l2_mru: <int; 68-65535>

    # List of switchport vlans as string.
    # For a trunk port this would be a range like "1-200,300".
    # For an access port this would be a single vlan "123".
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.access_vlan` or `switchport.trunk.allowed_vlan` instead.
    vlans: <str>
    snmp_trap_link_change: <bool>

    # l3dot1q and l2dot1q are used for sub-interfaces. The parent interface should be defined as routed.
    # Interface will not be listed in device documentation, unless "type" is set.
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # See [here](https://avd.arista.com/5.x/docs/porting-guides/5.x.x.html#removal-of-type-key-dependency-for-rendering-ethernetport-channel-interfaces-configuration-and-documentation) for details.
    type: <str; "routed" | "switched" | "l3dot1q" | "l2dot1q">

    # VLAN tag to configure on sub-interface.
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `encapsulation_dot1q.vlan` instead.
    encapsulation_dot1q_vlan: <int>

    # Warning: `encapsulation_dot1q` should not be combined with `ethernet_interfaces[].type: l3dot1q` or `ethernet_interfaces[].type: l2dot1q`.
    encapsulation_dot1q:

      # VLAN ID.
      vlan: <int; 1-4094; required>

      # Inner VLAN ID. This setting can only be applied to sub-interfaces on EOS.
      inner_vlan: <int; 1-4094>

    # VRF name.
    vrf: <str>

    # This setting can only be applied to sub-interfaces on EOS.
    # Warning: `encapsulation_vlan` should not be combined with `ethernet_interfaces[].type: l3dot1q` or `ethernet_interfaces[].type: l2dot1q`.
    encapsulation_vlan:
      client:
        # This key is deprecated.
        # Support will be removed in AVD version 6.0.0.
        dot1q:

          # Client VLAN ID.
          vlan: <int>

          # Client Outer VLAN ID.
          outer: <int; 1-4094>

          # Client Inner VLAN ID.
          inner: <int; 1-4094>
        # This key is deprecated.
        # Support will be removed in AVD version 6.0.0.
        unmatched: <bool>
        encapsulation: <str; "dot1q" | "dot1ad" | "unmatched" | "untagged">

        # Client VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
        vlan: <int; 1-4094>

        # Client Outer VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
        outer_vlan: <int; 1-4094>

        # Client Inner VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: unmatched`.
        inner_vlan: <int; 1-4094>
        inner_encapsulation: <str; "dot1q" | "dot1ad">

      # Network encapsulation settings are all optional and are skipped if using client unmatched.
      network:
        # This key is deprecated.
        # Support will be removed in AVD version 6.0.0.
        dot1q:

          # Network VLAN ID.
          vlan: <int; 1-4094>

          # Network Outer VLAN ID.
          outer: <int; 1-4094>

          # Network Inner VLAN ID.
          inner: <int; 1-4094>
        # This key is deprecated.
        # Support will be removed in AVD version 6.0.0.
        client: <bool>

        # `untagged` (no encapsulation) is applicable for `untagged` client only.
        # `client` and `client inner` (retain client encapsulation) are not applicable for `untagged` client.
        encapsulation: <str; "dot1q" | "dot1ad" | "client" | "client inner" | "untagged">

        # Network VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
        vlan: <int; 1-4094>

        # Network outer VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
        outer_vlan: <int; 1-4094>

        # Network inner VLAN ID. Not applicable for `encapsulation: untagged` or `encapsulation: client`.
        inner_vlan: <int; 1-4094>
        inner_encapsulation: <str; "dot1q" | "dot1ad">

    # This setting can only be applied to sub-interfaces on EOS.
    # Warning: `vlan_id` should not be combined with `ethernet_interfaces[].type == l2dot1q`.
    vlan_id: <int; 1-4094>
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.mode` instead.
    mode: <str; "access" | "dot1q-tunnel" | "trunk" | "trunk phone">

    # If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.trunk.native_vlan` instead.
    native_vlan: <int>

    # If setting both native_vlan and native_vlan_tag, native_vlan_tag takes precedence.
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.trunk.native_vlan_tag` instead.
    native_vlan_tag: <bool>
    link_tracking_groups:

        # Group name.
      - name: <str; required; unique>
        direction: <str; "upstream" | "downstream">
    link_tracking:
      direction: <str; "upstream" | "downstream">

      # Link state group(s) an interface belongs to.
      groups:

          # Group names.
        - <str>
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.phone` instead.
    phone:
      trunk: <str; "tagged" | "untagged">
      vlan: <int; 1-4094>
    l2_protocol:

      # Vlan tag to configure on sub-interface.
      encapsulation_dot1q_vlan: <int>

      # L2 protocol forwarding profile.
      forwarding_profile: <str>
    mtu: <int; 68-65535>

    # MLAG ID.
    mlag: <int; 1-2000>
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.trunk.groups` instead.
    trunk_groups:
      - <str>

    # Timeout in seconds. EOS default is 90 seconds.
    lacp_fallback_timeout: <int; 0-300>
    lacp_fallback_mode: <str; "individual" | "static">
    qos:
      trust: <str; "dscp" | "cos" | "disabled">

      # DSCP value.
      dscp: <int>

      # COS value.
      cos: <int>
    bfd:
      echo: <bool>

      # Interval in milliseconds.
      interval: <int>

      # Rate in milliseconds.
      min_rx: <int>
      multiplier: <int; 3-50>

      # IPv4 or IPv6 address. When the Port-channel is a L2 interface, a local L3 BFD address (router_bfd.local_address) has to be defined globally on the switch.
      neighbor: <str>
      per_link:
        enabled: <bool>
        rfc_7130: <bool>
    service_policy:
      pbr:

        # Policy Based Routing Policy-map name.
        input: <str>
      qos:

        # Quality of Service Policy-map name.
        input: <str; required>
    mpls:
      ip: <bool>
      ldp:
        interface: <bool>
        igp_sync: <bool>
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.trunk.private_vlan_secondary` instead.
    trunk_private_vlan_secondary: <bool>

    # List of vlans as string.
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.pvlan_mapping` instead.
    pvlan_mapping: <str>
    # This key is deprecated.
    # Support will be removed in AVD version 6.0.0.
    # Use `switchport.vlan_translations` instead.
    vlan_translations:

        # List of vlans as string (only one vlan if direction is "both").
      - from: <str>

        # VLAN ID.
        to: <int>
        direction: <str; "in" | "out" | "both"; default="both">
    shape:

      # Rate in kbps, pps or percent.
      # Supported options are platform dependent.
      # Examples:
      # - "5000 kbps"
      # - "1000 pps"
      # - "20 percent"
      rate: <str>